Check back often -- I'll be adding more content to this wiki on a weekly basis, at minimum. Don't see what you need? Send your wishlist to Michele Gartner.
PROBLEM | A Privacy Notification window automatically displays when each user logs into the Intel® AMT system. |
RESOLUTION | End users can disable this window by selecting the "Do not display this message" checkbox. However, you can also disable the Privacy Notification window and still keep the application running by modifying a registry key.
To modify the registry key:
|
11.9.2007
PROBLEM | Some vendor BIOS versions only support the display of specific emulation types. Using this command, specific ISVs will be able to redirect and emulate without issue. |
RESOLUTION | This command only applies to users running Altiris, HP Openview, and Microsoft SMS.
On the console machine:
Your terminal emulation type is now set to ANSI or VT100, depending on what you entered. You can re-enter the telnet session at anytime and type d to verify the emulation type.
NOTE: If you do not properly quit the telnet session, the setting will not be saved. |
6.11.2008
You can view the status of Intel AMT on a machine by double-clicking the system tray icon and choosing Status. This dialog box displays whether Intel AMT is enabled or disabled. It also has a hyperlink that allows the user to visit a site for more information about Intel AMT. You can customize this hyperlink to go to any site you wish. For example, you may want to modify it to point to your organization’s help desk page or to the Intel® vPro™ Expert Center (http://www.intel.com/go/vproexpert).
This procedure applies to Intel® AMT 2.5 and greater. See the readme file, included in the download, for more information.
PROBLEM | Some users need to move a PC between several networks. For example, a support technician may support multiple clients that require different client certificates. |
RESOLUTION | Users may install up to 8 client certificates. |
2.24.2009 QA1312
PROBLEM | If the administrator forgets the MEBx password, the only way to clear the password is to remove the CMOS battery. |
RESOLUTION | To remove the CMOS battery on a Lenovo* ThinkPad* T400 you must remove the keyboard to get to the battery. The battery is located under the palm rest. Please refer to the Lenovo* instructions at the following URL**: HTTP://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-71484. **This URL to a non-Intel web site is provided for the reader's convenience. This is not an endorsement or recommendation by Intel of the site or products.
Note for Intel(R) Anti-Theft (Intel AT) Technology users: if your PC is enrolled in an Intel AT service, and you remove the CMOS battery, the ME may detect this as tampering and lock the system. You will then need the Intel AT passphrase to unlock the system after you reboot.
WARNING: To avoid personal injury or property damage, follow the manufacturer's safety instructions that apply henever accessing the inside of the product. CAUTION: There is the danger of explosion if the battery is incorrectly replaced. When replacing the battery, use only the battery recommended by the equipment manufacturer and follow the manufacturer's instructions. Electrostatic Discharge ESD) can damage disk drives, boards, and other parts. We recommend that you perform all procedures at an ESD workstation. |
3.9.2009 QA1330
PROBLEM | Intel(R) AMT is incompatible with a 4096-bit PKI if Intel(R) AMT systems need to validate a certificate chain containing this key size. For example, in 802.1X networks. |
SOLUTION | If a customer already has a PKI with a 4096-bit root certificate, you can work around this issue by adding a 2048-bit root CA and then using this to issue certain certificate (for example, RADIUS). |
4.2.2009 QA1341
SOLUTION | To hide the IMSS system tray icon, delete the key at the following registry location: |
4.2.2009 QA1342
PROBLEM | To successfully upgrade your ME firmware, follow the guidelines listed below. |
SOLUTION | Version number format for ME firmware Intel(R) AMT firmware versions use the following format: W.X.Y.ZZZZ W = platform X = major version Y = minor version ZZZZ = build number Rules for successful upgrades (1) The platform number (W) of the update must match the existing firmware. (2) The major number (X) of the update must be the same, or higher, than the existing firmware. The only two exceptions are: 2.0 can only be upgraded to 2.1 or 2.2; version 2.5 can only be upgraded to 2.6. (3) The minor version (Y) for the update must be greater than, or equal to, the minor version for the existing version if the major version is unchanged (for example, 3.0.0 to 3.0.1). (4) Always use the FWUPDLCL utility from the upgrade toolkit. (5) ME Firmware Local Updates must be enabled in the MEBx, or the Local FWU Override Counter and Local Firmware Override Qualifier must be set appropriately to allow an override. TIP: Run MEInfoWin.exe against the platform, or log-on to the MEBx (on the local machine) to check, or change, the ME Firmware Local Update setting. You can also check or change the status of the FWU Override Counter and FWU Override Qualifier settings. |
9.11.2009 QA1359
PROBLEM | For an example of this problem, if a SoL session is active from the Microsoft* SCCM Out of Band console, then the Intel® AMT firmware will not process a collection-based power control command from the console. |
SOLUTION | Intel® AMT firmware will ignore a second command if it is still processing an active command. This is a security feature. |
9.11.2009 QA1327
PROBLEM | During a SoL session to an HP* client, pressing F10 does not exit BIOS. |
RESOLUTION | Press ESC and 0 (zero) at the same time as an alternative to exit BIOS. |
1.30.2008
PROBLEM | Current tools from Intel do not control the TCP/IP DHCP Mode setting. Additionally, only an un-provisioned platform will give you the option to set this option locally. Disabling TCP/IP DHCP Mode requires an onsite physical touch to either do a clear CMOS, or from MEBx, to do a full unprovision. All tools related to remote provisioning, un-provisioning, or updating/modifying Intel® AMT firmware settings require that TCP/IP already be enabled. There is also no known in-band solution using ISV applications. If the TCP/IP DHPC Mode setting is set to NONE, then the IP address is 0.0.0.0 and the ME cannot receive or execute any commands. |
RESOLUTION | When purchasing a system, customers should verify that their OEM has a tool to remotely turn on the TCP/IP setting before deploying systems with the TCP/IP setting disabled. In some cases where the DHCP Mode setting in the MEBx is Enabled, but the user is not ready to provision the systems already deployed, they will see heavy DHCP network traffic. To avoid heavy network traffic on the DHCP server caused by the hello packets from numerous unprovisioned systems, set the Manageability Feature Selection setting to NONE and keep the TCP/IP DHCP Mode setting enabled. If the systems with the TCP/IP DHCP Mode disabled are already deployed, and the OEM doesn't have a tool to remotely enable this setting, the administrator must go to each system and either clear CMOS, or do a full unprovision from MEBx. |
3.3.2009 QA1309
PROBLEM | Is a "Clear CMOS" required after a full image flash? |
RESOLUTION | No, the "clear CMOS" is not required, but is recommended on systems with legacy BIOS code (as opposed to UEFI) if problems arise after full image flash (i.e., the Clear CMOS can be used as a "fix" for post-flash issues). Also, it is recommended that you use an image tool with full erase, program, and reboot steps; perform an update on a duplicate/test environment first; use defaults, then compare updated file to source file BEFORE rebooting (should be 100% compare). After reboot, go into BIOS and set optimal defaults. |
6.1.2009 QA1355
PROBLEM | When using AMT Commander to perform a remote BIOS update using SOL/IDE-R, AMT Commander does not display the text of the BIOS update files; it only displays the bootable ISO files. |
RESOLUTION | Problem is likely with terminal emulation between remote system running AMT Commander and target system where BIOS update is to be performed. AMT Commander (part of AMT SDK) contains many terminal emulators, not just the common vt100 or PC ANSI. Ensure that the AMT Commander terminal emulation matches the target system's terminal emulation (contact target system OEM if necessary). Also, some OEM's supply a local keyboard lockout feature during remote SOL/IDE-R sessions. This can get corrupted so that the remote keyboard is locked out, not the local one. If this happens, the target system OEM must supply an update for the corrupt feature. AMT Commander contains a control for local keyboard lock; make sure this is set to off. |
5.27.2009 QA1356
PROBLEM | Some events listed in the Intel(R) AMT event log are generated by the BIOS and simply passed through to the Intel(R) AMT event log. For example, if the system fails to boot using the PXE option, you may see a "System boot failure" event in the log. The source may say Intel(R) AMT only because it was passed by the BIOS to the Intel(R) AMT firmware. |
RESOLUTION | No solution is required. This is expected behavior. |
6.1.2009 QA1345
PROBLEM | Where can I find more information about Intel vPro technology on Linux? |
RESOLUTION | Information about Linux support is available at the Open Source Intel AMT Drivers and Tools\ site. |
10.11.2007
PROBLEM | Where can I find the most recent Linux drivers for an Intel vPro system? |
RESOLUTION | Visit http://www.intellinuxwireless.org/ to download Intel wireless drivers. |
11.9.2007
PROBLEM | Wireless management does not work when the operating system is running. |
RESOLUTION | Check if there are missing or faulty Intel AMT drivers (HECI & LMS/SOL) in Microsoft Windows*. Get the latest drivers from the OEM's web site and install them. Once the drivers are installed, the Intel(R) Management Engine should work properly with the wireless connection. |
1.30.2008
PROBLEM | If the path to the LMS/SOL driver setup.exe contains square |
RESOLUTION | This issue is expected to be fixed in Intel® AMT 4.2. To workaround the issue, remove the square brackets from the path. |
4.2.2009 QA1333
PROBLEM | Is there a performance hit for IDE-R over a WAN? |
RESOLUTION | We do not recommend using an IDE-R session to boot large CD-ROM images over a WAN. Instead, we recommend using a stripped down IDE-R image that can load up a network stack on the AMT client. The network stack can be used to access local shares at the branch that have the tools you need to either rebuild the OS or diagnose problems. |
2.8.2008
PROBLEM | The wired LAN NICs are not recognized by the Intel® AMT management consoles. They do show up in the DHCP listings. Only the wireless NICs were discovered as Intel® AMT devices. IPCONFIG on each notebook shows IP addresses assigned to both WLAN and LAN NICs. When the firewalls are turned off, the Intel® AMT consoles can communicate with the LAN NICs. |
RESOLUTION | Firewalls can prevent clients from registering an FQDN (fully qualified domain name), which prevents them from being discovered by the console. Verify that the firewall is not configured to block these kinds of requests. |
11.25.2008
PROBLEM | When configuring Intel® AMT in basic (formerly SMB) mode during boot up, some values for the secondary DNS server IP address make the configuration fail. If a secondary DNS server's last octet value is 223 or higher, the configuration fails. |
RESOLUTION | This is a known issue in the Intel® Management Engine and will be fixed in the next release. The current workaround is to change the secondary DNS server's IP address, or to not use the secondary DNS server at all in the configuration. |
11.25.2008
PROBLEM | When you reboot the system and enter a SoL/IDER session, the ME NIC will remain in the lowest negotiated speed setting and half duplex mode if the SoL/IDER session remains connected during boot. The NIC does not renegotiate to the highest available speed or full duplex mode after the operating system boots. |
RESOLUTION | To force the ME NIC to renegotiate to full speed/full duplex mode, disconnect the SoL/IDER session then reconnect. |
11.25.2008
PROBLEM | The Intel® WS-MAN translator package used with Microsoft* SCCM 2007 SP1 generates some errors due to scripting language changes introduced in Windows* Vista. |
RESOLUTION | An updated version of the WSMAN translator is available. |
3.3.2009 QA1322
PROBLEM | An incompatibility exists between Intel(R) Active Management Technology (Intel(R) AMT) and Locally Administered Address (LAA) environments. As a result, Intel AMT enabled systems configured to work in LAA environments might encounter LAN disconnects. |
RESOLUTION | A Locally Administered Address (LAA) is an option allowing users to set their own MAC address on the platform and thus bypass the Burned-in address (BIA) MAC. Intel AMT was not designed to support LAA environments and there are no plans to add this capability in the near future. |
5.18.2009 QA1350
PROBLEM | DNS configuration issues display when configuring Altiris. |
RESOLUTION | Use these troubleshooting tips to help resolve DNS configuration issues with Altiris:
|
12.20.2007
PROBLEM | Can Intel AMT firmware be reconfigured to change the default 'provisionserver' naming convention to a value of a customer's choosing? |
RESOLUTION | The provisionserver value is hard coded and cannot be changed. It is recommended that the customer set up a second A record or a CNAME record in the DNS that points the provisionserver.yourdomain.com to the ISV server. |
2.8.2008
PROBLEM | A customer with LANDesk* LDMS 8.8 or similar provisioning server does not need to load drivers or an OS image on the Intel(R) AMT clients to perform bare-metal provisioning. |
SOLUTION | No drivers are required for bare-metal provisioning of an Intel(R) AMT client. The system administrator will, however, need to pre-populate the provisioning server database with the client configuration information (UUID, FQDN, OU if Active Directory is used, Profile). Refer to the LANDesk documentation for information on how to enter the client configuration information into LDMS 8.8. The Intel AMT client will send out a hello packet as soon as the network and power cables are plugged in. If the provisioning server is found, and the client configuration information is in the provisioning database, then the client will be provisioned. |
7.28.2008
PROBLEM | In the default configuration, the LANDesk root certificate is not trusted by the Microsoft* CA. The user is then unable to use the WebUI. |
SOLUTION | From Microsoft* Internet Explorer, add the LANDesk* root certificate to the list of trusted certificates.
|
9.10.2009 QA1370
PROBLEM | After provisioning, the in-band network connection on some Intel(R) AMT systems may shut down. The LANDesk console will then place the systems in remediation. These Intel(R) AMT systems can, however, still be managed with LANDesk* OOB tools and the Intel(R) AMT Web GUI. This is an intermittent issue. The time between provisioning the system and the loss of in-band connectivity ranges from a few minutes to about an hour. |
SOLUTION | If you have LANDesk* Management Suite 8.8 SP2, and you have lost in-band connectivity, but you can still access the remote systems using OOB tools, try the following patch or upgrade to a later LANDesk* service pack (SP3 or later). The URL** for the patch is: HTTP://community.landesk.com/downloads/ServicePack/LD-88-AMT-CR20525-88.zip **This URL to a third-party site is provided for the reader's convienience. This should not be construed as a recommendation by Intel for the products or services provided by the third party. |
9.11.2009 QA1344
PROBLEM | The RootCA and the SubCA directories must be deleted repeatedly to enable provisioning to continue. |
SOLUTION | No solution exists at this time. The issue is expected to be fixed in v8.8 SP3. |
10.09.2009 QA1349
A BIOS update is available to provide native support within Microsoft SCCM SP1 for Dell 755, HP DC7800, and Lenovo M57p computers.
OEM Model | Link to BIOS Update |
|---|---|
Dell 755 | |
Lenovo M57p | |
HP DC7800 |
7.23.2008
PROBLEM | When discovering vPro systems via a console that has a virtual adapter enabled with an IP address assigned, such as Microsoft SCCM, the discovery process may fail if the virtual adapter IP address is used for the discovery process. |
RESOLUTION | Before performing the discovery, disable any virtual adapters that were created by software such as VMWare.* |
7.30.2008
PROBLEM | When the Microsoft* SCCM management console is run on a Microsoft* Vista* SP1 operating system, all Intel® AMT based objects and functionality is missing. |
RESOLUTION | No solution is available at this time. |
1.29.2009 (QA1304)
PROBLEM | Microsoft* System Center Configuration Manager 2007 Service Pack 1 (SP1) hotfix roll-up KB960804 includes KB959040 (a fix to enable PKI provisioning with Intel® AMT 2.2 and 2.6.) The original description of the roll-up incorrectly omitted the KB959040 hotfix. |
RESOLUTION | To get KB959040 hotfix, users may download the KB960804 hotfix roll-up.
Refer to the Micorsoft* support website for more information about the hotfix packages. The Microsoft* URL** is: http://support.microsoft.com/kb/960804 |
2.24.2009 QA1323
PROBLEM | SoL and IDER fails using Microsoft* SCCM in an environment with a Root CA and a Subordinate Issuing CA. |
RESOLUTION | This issue has been fixed by a hotfix for Microsoft* SCCM 2007 SP1. URL for hotfix** HTTP://support.microsoft.com/hotfix/kbHotfix.aspx?kbnum=960804 |
2.24.2009 QA1319
PROBLEM | In a Microsoft* SCCM hierarchy with a central site and a primary child site, power control operations from the central site work for some clients and fail for others. The same power control operations work correctly from the child site. |
RESOLUTION | Not all client settings are being transferred up the Microsoft SCCM hierarchy to the central database. This issue will be resolved in the Microsoft SCCM SP2. Alternatively, system administrators may change the TlsMode setting in the dbo.AMT_MachineProperties table in the SCCM site database, it should be set to "1" for each client. |
10.09.2009 QA1362
PROBLEM | How many agents can the Intel Management Engine monitor at one time? |
RESOLUTION | This data is undocumented, however, testing shows that Intel AMT 2.0 can monitor up to sixteen agents.
NOTE: The number of agents that can be monitored depends on how the ISV is implementing agent presence. |
12.20.2007
PROBLEM | HP 6910p returns a hello packet of UUID=00000 during activation. |
RESOLUTION | This is a known issue with the firmware and will be fixed when the 2008 platform is released.
Meanwhile, your customers can request a BIOS update from HP to work around this issue. |
12.20.2007
PROBLEM | Using DHCP in a virtual machine can cause Intel AMT to become inaccessible when you close the virtual machine session. This is because your computer and Intel AMT will now have different IP addresses. |
RESOLUTION | To work around this issue, exit the virtual machine session(s) and then do one of the following:
OR
This is a known issue and will be updated as more information is available. |
1.24.2008
PROBLEM | When provisioning enterprises with multiple domains via remote configuration, individual certificates are required for each domain that needs to communicate with the Management Console. Wildcard certificates are currently not supported. |
RESOLUTION | Wildcard certificate support is a feature request for AMT 3.2 (Weybridge) and AMT 2.6 (Centrino). Meanwhile, you can workaround this issue by deploying an SCS server and a certificate for each domain. |
MORE INFORMATION | This issue will be updated as more information becomes available. |
1.24.2008
PROBLEM | Inventory data does not appear after provisioning an Intel AMT client, even though the provisioning process was successful and without errors. |
RESOLUTION | POST needs to occur for the data transfer to take place. The inventory data resides within the BIOS SMI tables and cannot be successfully transferred to the Intel Management Engine and viewed by the WebUI or retrieved programmatically. The BIOS and ME handshake must occur during POST to transfer data. Make sure the system has run through POST, so that the inventory data is transferred from BIOS into ME. |
1.30.2008
PROBLEM | Currently shipping non-provisioned Intel(R) vPro(TM) or Intel(R) AMT PCs on some Weybridge configurations may report a network disconnect/reconnect on five minute cycles when the 24 hour provisioning period expires while in a low power state. An unused security feature of Intel(R) AMT triggers the network disconnect and then resets the network connection on 5 minute cycles. |
RESOLUTION | This issue has been resolved in the A09 BIOS release from Dell for the Optiplex 755. The BIOS release is available at the following URL:
|
2.27.2008
PROBLEM | Is there an automated way to synchronize the operating system and Intel(R) AMT hostname? |
RESOLUTION | The Intel(R) AMT Reflector tool\ is now available on the Intel(R) vPro(TM) Expert Center.
See the Tools wiki\ for more helpful vPro tools. |
Verify that your Internet Explorer settings are correct for pass through authentication.
Open Internet Explorer and choose Tools > Internet Options > Advanced Tab.
Select Enable Integrated Windows Authentication. Exit and restart Internet Explorer before attempting to access the Intel AMT device.
Install these Kerberos patches on the system you will use to access the Intel(R) AMT device.
WindowsServer2003-KB899900-X86-ENU.exe
WindowsServer2003-KB908209-X86-ENU.exe
WindowsServer2003-KB899900-X86-ENU.reg
If you are using Windows XP* as the operating system for the computer used to access the Intel AMT web interface, then install these patches:
WindowsXP-KB899900-X86-ENU.exe
WindowsXP-KB908209-X86-ENU.exe
WindowsXP-KB899900-X86-ENU.reg
Ensure that the time settings for the Intel AMT client(s), domain controllers, and the application server are synchronized.
Before provisioning:
Create an AMT OU on the domain controller existing on the domain on which your Intel(R) AMT devices reside. For example, if your device exists on child.parent.com, and your provisioning server (or Intel SCS) resides on parent.com, then create an OU for AMT objects on child.parent.com.
IMPORTANT: If there are multiple domains, then add an OU to each domain.
Provision your Intel AMT client.
5.30.2008
PROBLEM | A single vPro machine can be accessed via WebUI, but does not appear in DNS. Its name does not get resolved in NSLookup? |
RESOLUTION | NSLookup does not use the standard client resolver routines but uses similar routines of its own. If true, this means a valid name-IP record could be cached on the client and being used by IE to resolve the name even though NSLookup fails to resolve the name and there is no DNS record.
To determine this, do the following:
|
6.13.2008
For support of Windows 2000 Active Directory, AMT 3.2 is required. Intel AMT 3.2 was released to the OEMs during Q1 2008. Please contact your OEM to find out when the update will be publically available.
6.13.2008
PROBLEM | In an EAC*-enabled network, where a NAC or NAP server is deployed and configured to request “posture” or SoH, Intel® AMT connectivity may be lost to clients that are not in H0 state if the server configuration is modified to work with 802.1x only. |
RESOLUTION | If the NAC/NAP server configuration is changed to work with 802.1x only, then do one of the following:
|
6.25.2008
PROBLEM | Intel AMT wireless connectivity is not available when the operating system is running and the user is not logged in. |
RESOLUTION | To work around this issue, configure the Single Sign On (SSO) driver to maintain a wireless connection. Once the SSO properties are set according to the table below, Intel® AMT will be able to connect to the wireless profile using Microsoft* Windows credentials before the user actually logs on.
SSO Properties
|
NOTES |
|
7.16.2008
PROBLEM | Cannot provision a system that uses an underscore in the host name. |
SOLUTION | Special characters cannot be used in host names. DNS host names may only contain dash "-", letters or numbers. Underscores and other special characters are not supported by the RFC's that define host name conventions. Some DNS servers, including Microsoft's, can support host names outside of the RFC specifications. See the links below for more information. |
MORE INFORMATION | Microsoft KB article 909264: http://support.microsoft.com/kb/909264
RFC 952: http://www.ietf.org/rfc/rfc952.txt
RCF 1123: http://www.ietf.org/rfc/rfc1123.txt |
9.5.2008
SOLUTION | The CRL does not automatically update on the clients. It needs to be pushed down from the SCS, by pushing it to individual AMT clients via the Operations screen, or to all clients via the Global Operations screen in the SCS Console. |
MORE INFORMATION | The Certificate Revocation List contains the revoked certificates maintained by a CA. It is used when Intel AMT clients are configured to use Mutual TLS (MTLS) authentication. |
9.5.08
PROBLEM | The wired LAN NICs are not recognized by the Intel AMT management consoles. They do show up in the DHCP listings in the Microsoft SMS* and Altiris* demos. Only the wireless NICs were discovered as Intel AMT devices. IPCONFIG on each notebook shows IP addresses assigned to both WLAN and LAN NICs.
When the firewalls are turned off, the Intel AMT consoles can communicate with the LAN NICs. |
SOLUTION | Firewalls can prevent clients from registering an FQDN (fully qualified domain name), which prevents them from being discovered by the console. Verify that the firewall is not configured to block these kinds of requests. |
9.5.08
See this article to find specific configuration information.
10.15.08
SOLUTION | ASF Sensor Events
BIOS Events
OS Events
|
12.4.08
DESCRIPTION | Scenario: a customer would like to have an OEM deliver systems with custom Intel® AMT firmware settings and client certificate.
QUESTION 1: Will the customized firmware force the customer to use only customized firmware or BIOS updates for future releases? ANSWER 1: The custom settings and client certificate will be preserved across firmware or BIOS updates if the OEM inserts the customized bits before the descriptor region manufacturing bit is locked.
QUESTION 2: Can an OEM customize all the Intel® AMT management engine settings? ANSWER 2: Yes. All the features seen on the web GUI can be customized by an OEM.
QUESTION 3: Does Intel have a list of default settings for each OEM? ANSWER 3: No. Customers should contact their OEM for the latest available information.
Caution: The custom settings and client certificate will not be preserved across updates if the OEM programmed the firmware after setting the descriptor manufacturing bit. This will require users to reinstall the client certificates before the systems can be managed. |
SOLUTION | Customers should work with their OEM to develop a custom firmware image, then run a small pilot program to test it. Clear the CMOS and then try to reprovision the systems. |
2.13.09 QA1308
PROBLEM | For a system runing a Hypervisor on a platform with Intel(R) AMT 4.x or 5.x, the mismatch between the IP address assigned to the physical hardware and the guest operating system will prevent the manageability software from communicating with the Intel ME. |
RESOLUTION | To sync-up the IP addresses, do the following:
This soluton will produce the following result:
|
9.11.2009 QA1366
PROBLEM | When performing SOL/IDER with SMS Console V3.0, the SOL console screen is set for local echo to be on and it cannot be disabled. |
RESOLUTION | This issue is fixed in version 3.1 of the SMS Add-on, which you can download at http://softwarecommunity.intel.com/articles/eng/1356.htm. |
Updated 2.8.2008
PROBLEM | Using the Intel AMT add-on for Microsoft SMS 2003 on a Dell 755 returns this error:
Current system UUID is different from last discovered UUID. Please rediscover the system. |
RESOLUTION | An Intel AMT add-on for Microsoft SMS 3.0 hot fix 3 is available online at http://www.intel.com/software/sms-add-on. |
MORE INFORMATION | Click here to download the hot fix\. |
12.20.2007
PROBLEM | The Intel AMT Add-on for SMS will communicate with the SCS over an HTTPS/SSL connection, however it will not communicate over an insecure HTTP/non-SSL connection, even if TCP port 80 is defined in the Intel AMT Add-on configuration. |
RESOLUTION | Upgrading to version 3.1 of the Intel AMT Add-on for SMS resolves this issue. The update can be obtained from: http://softwarecommunity.intel.com/articles/eng/1356.htm |
2.8.2008
PROBLEM | The SMS Add-on documentation states that two hot fixes and registry patches are required. Are these patches/hot fixes required on the workstations that are running the Microsoft SMS console and Intel AMT add-on only?
Are they required only if the end user from that workstation is planning to use the web interface?
Are they required for the SMS add-on to function properly? |
RESOLUTION | These patches are required on a management workstation if you wish to access the web interface on vPro clients. |
5.8.2008
PROBLEM | Lenovo M55p systems return a hello packet of UUID 00000 during activation. This problem occurs on machines that shipped with factory-default BIOS of 36 or less. |
RESOLUTION | A firmware update to version AMT2.1.0.1032 is available from Lenovo to resolve this problem. Contact your Lenovo representative if you need this update.
A BIOS update is not required, but is recommended. Visit the Lenovo web site and navigate to the Support & downloads section of the site to find BIOS 37a. |
10.19.2007
PROBLEM | Dell 755 returns a duplicate UUID 00000 during activation. |
RESOLUTION | A BIOS update (version A04) resolves this issue and is available on Dell's web site. Click here to download the A04 BIOS update.\ Note: If you are using the Intel AMT add-on for Microsoft SMS 2003, then you also need to download Hot fix 3. See Using the Intel AMT add-on for Microsoft SMS 2003 on a Dell 755 returns a UUID error\ for instructions. |
1.24.2008
PROBLEM | When the CMOS battery is unplugged from the HP 7800p, the Ctrl+P command for accessing the Intel Management Engine is missing. When SCS is opened and the refresh button is selected, the Intel AMT device does not appear. |
RESOLUTION | Use the following steps to the resolve this issue:
|
2.7.2008
PROBLEM | In vPro-capable HP dc7800 systems, when Intel AMT is turned on, everything works fine. When the Intel AMT driver is turned off in the Intel Management engine, the Intel HECI driver in the operating system causes an error to occur in the device manager: "device cannot start". |
RESOLUTION | Follow these steps to correct this problem:
|
2.14.2008
PROBLEM | On brand new vPro systems, the Intel AMT Status Application dialog box displays the Intel AMT Status as "Enabled" even though Intel AMT has not been configured. Are OEMs shipping systems with Intel AMT enabled (provisioned)? |
RESOLUTION | The Intel AMT status application is designed to show if the Intel AMT is or is not enabled in the Intel Management Engine. It does not reflect if a system has been provisioned/configured. Even when Intel AMT is disabled in the Intel Management Engine, the Intel Management Engine can still be accessed. OEMs do not ship provisioned systems unless that service is requested and purchased by the customer. |
2.14.2008
PROBLEM | Are there DLLs, in the operating system, that access vPro? |
RESOLUTION | Individual OEMs manage the Microsoft Windows drivers that use Intel vPro technology. To access current drivers for clients, visit the OEM’s website. |
2.14.2008
PROBLEM | Command line switches are not working properly to enable a silent install with the Intel AMT drivers. |
RESOLUTION | The issue is that the wrong hyphen/dash character is being used. If the code is copied from an MS Word* document, the regular hyphen is replaced with another hyphen-like character which causes the command line options to work incorrectly.
Typing the command, rather than copy and paste, solves this problem. |
2.27.2008
PROBLEM | The SoL/IDER sessions do not work on the X61 tablet. |
RESOLUTION | This issue is resolved using the 1.07 BIOS release.
Visit the Lenovo web site and navigate to the Support & Downloads section of the site to find BIOS 1.07. |
2.27.2008
PROBLEM | Unchecking SoL and IDER, under the network tab, isn’t disabling the feature on the Lenovo M55p. |
RESOLUTION | Update the BIOS to version 37a or newer versions. Visit the Lenovo web site and navigate to the Support & Downloads section of the site to find BIOS 37a or later. |
3.4.2008
This problem occurs when the Terminal Emulation Mode is not set correctly in the BIOS.
Here is the screen when Terminal Emulation Mode is set to VT100 through BIOS:
How to switch Terminal Emulation Mode:
Open the HP ProtectTools Security Manager, click BIOS Configuration, and then select System Configuration.
In the AMT Options section, change Terminal Emulation Mode to ANSI.
Click OK.
The BIOS Password screen is now available during SOL sessions.
4.25.2008
PROBLEM | Sending the "power down" command to the Dell* D630c notebook immediately shuts it down, but then it automatically re-boots. |
RESOLUTION | This issue is resolved in BIOS version A02 for the Dell* D630c. You can download the BIOS update package from Dell at the following URL**: **This Wiki contains links to other Internet sites. Such links are not endorsements of any products or services in such sites, and no information in such site has been endorsed or approved by Intel, Inc. |
11.25.2008
PROBLEM | Intel® AMT supports several terminal emulation modes. These are used to display the BIOS Setup GUI when using SoL. The look and feel may vary between manufacturers. Intel® AMT supports VT52, VT100, VT100+, and ANSI terminal emulation modes. |
RESOLUTION | Check your OEM BIOS documentation for information about the supported terminal emulation modes and how to select the mode. Usually, the terminal emulation mode option will be in the Intel® AMT section of the BIOS Setup utility. Use ANSI mode for a more graphical looking display. |
3.3.2009 QA1332
PROBLEM | Are the Weybridge SoL and/or HECI drivers backward-compatible with Averill? Can they be used and supported on an Averill platform? |
RESOLUTION | Backward compatibility depends on the OEM and if they choose to support the drivers and platforms. For instance, HP does support the same drivers for 7700's, 7800's and 6910p, but other OEMs may not support the same drivers. |
2.27.2008
PROBLEM | Partial unprovisioning of a system fails. The SCS log reports the following messages: "SOAP Failure (21): cannot partially unprovision AMT" or "SOAP Failure(21): cannot GetLowAccuracyTimeSync" |
RESOLUTION | The partial un-provision command requires a FQDN to work. Accurate client DNS records are required to provide an FQDN for this functionality. |
2.27.2008
PROBLEM | Validation of SCS service users takes over 30 minutes when installed in a large Active Directory environment |
RESOLUTION | This issue is scheduled to be resolved in Intel(R) AMT SCS 5.0, to be released by the end of Q2. |
2.27.2008
PROBLEM | The standard domain-only validation SSL certificates from the GoDaddy Certificate Authority are not suitable for Intel AMT remote configuration. These types of certificates do not contain the OU information required by the firmware to accept them. |
RESOLUTION | If GoDaddy is used as the CA, then request a High-Assurance SSL certificate, which should include the OU information required by the Intel AMT client. For more information, see the Intel AMT SCS Installation and User Manual\, Chapter 3, section “Preparing Intel AMT for Future Configuration.” |
1.25.2008
PROBLEM | Intel AMT functionality works in DHCP IP with Enterprise mode and SMS. However, SMS does not find asset information from the vPro machine when using Static IP with Basic mode. |
RESOLUTION | Static IP addresses are not recommended. If they must be used, then the Intel Management Engine and the operating system will each need their own static IP address in order for AMT to function properly. |
1.25.2008
PROBLEM | Setup and Configuration Service (SCS) reports an error when provisioning Hewlett-Packard (HP) 6910p computers when using Wake on LAN (WoL) power policies 4 and 5. |
RESOLUTION | This error occurs for all HP platforms shipped in 2007 and there is no workaround. HP does not support these power policies and the SCS is accurately reporting that they are unsupported. Escalate this known issue to your HP sales representative. |
1.25.2008
PROBLEM | Will the PKI-CH implementation currently available in Intel AMT 2.2, Intel AMT 2.6, and Intel AMT 3.0 consistently support wildcard RCFG certificates? Intel AMT 2.6 supports wildcards; but Intel AMT 2.2 and 3.0 do not. Will Intel AMT 2.2 and 3.0 will support wildcard certificates? |
RESOLUTION | There are no plans to enable support for wildcard certificates in Intel AMT 2.2 or any future updates for that generation of hardware. There are plans to support wildcard certificates in the future release of Intel AMT 3.2 |
3.4.2008
PROBLEM | The SCS service crashes repeatedly due to excessive logs. In the SCS Win Log, the OLE database error for timeout is displayed. |
RESOLUTION | Reduce the database logs to a reasonable size, based on available processes. |
2.27.2008
PROBLEM | Are there any known issues or limitations in pointing provisionserver.company.com to a Network Load Balancing address that balances between two or more SCS servers (all are in the same domain)? |
RESOLUTION | The SCS support team confirmed that this is a supported configuration, provided all the SCS servers point back to a single SCS database. |
2.27.2008
PROBLEM | Is the Microsoft Windows* SNMP trap service required in the latest SCS version? |
RESOLUTION | The SNMP trap service is not required for installing or using SCS, but it is required for the Intel® AMT Add-on for SMS* V3.0 to receive PET alerts from Intel AMT clients per the SMS manual. It is used as a receiver for platform trap events. Clients can be configured to send platform traps to an SNMP service. Since the Intel AMT Add-on is capable of configuring clients, an SNMP trap service is required during installation for a complete solution. |
3.4.2008
PROBLEM | After setting the properties for the Intel AMT system, the status goes to InProvisioning, but nothing changes. The logs contain the following message: Cannot create AD AMT Object: Failed on CreateDSObject with ht-73207ty, - Process Delayed. |
RESOLUTION | This error message normally occurs for the following reasons:
If the extension for the AD schema is not needed, then uncheck the Active directory Integration checkbox in the SCS General Settings screen to prevent SCS from trying to create AD objects during provisioning. |
3.4.2008
PROBLEM | SCS cannot complete provisioning of a system if the Configuration Parameters do not have a value specified in the OU column, even if the SCS is not using the Integrated with Active Directory option. Users must either manually add a value (during the manual process) or define a value when using remote tools like the RCT. |
RESOLUTION | This is a known issue with SCS and it is slated to be corrected in SCS 5.0. |
3.4.2008
PROBLEM | The web interface cannot be accessed using Kerberos authentication. When the Firefox web browser was used, Admin authentication could be accessed, but the https digest could not be accessed. Internet Explorer* cannot access either Admin authentication or Https digest. |
RESOLUTION | If the AD schema is not extended, the Kerberos user authentication will not work. Using digest users resolves this issue. |
3.21.2008
PROBLEM | What is the technical limitation of having static IP addresses in an Enterprise Mode environment and what would be workarounds that would allow a customer to use both? Since DHCP dynamically updates DNS, if you manually entered DNS suffix in Intel(R) Management Engine and maintained DNS manually then would that allow customers to use static IP addresses with enterprise mode? |
RESOLUTION | While this is not recommended, the DNS entries can be maintained as described in the question. Multiple computer entries, in the management console, will be needed for managing clients that use Static IP. |
3.21.2008
PROBLEM | Is it possible to have an operating system setup with static IP address and Intel Management Engine setup for DHCP mode? Can the IP address of the operating system and Intel Management Engine be on different subnets? Or do they need to be on same subnet? |
RESOLUTION | This scenario is not supported and has not been tested. |
3.21.2008
PROBLEM | The SCS console can only be logged into using the initial setup account that is provided during SCS installation. Any attempts to log in with a user account that has enterprise admin rights and has been added to SCS Users and Groups fail. The error message received is: Login Failed and the reason is: The remote server returned an error: (502) Bad Gateway. |
RESOLUTION | The root cause is that the customer has an Internet Explorer* configuration that uses a proxy. On the https connection, both the SCS console login and the SCS service uses the same proxy settings and that causes it to fail with error 502 bad gateway. Un-checking the use of the proxy in Internet Explorer solves the problem. |
3.21.2008
PROBLEM | Changing the Intel® MEBX password from the local console will not change the Web UI or remote admin passwords. |
RESOLUTION | Before the Intel® AMT system is provisioned, changing the Intel MEBX password from the local console will also change the remote admin password. After the system is provisioned, changing the local Intel MEBX password will not change the remote admin password. During provisioning, the Intel MEBX password and the remote admin password can be set. |
04.28.2009
5.7.2008
PROBLEM | The Intel(R) AMT Systems screen of the SCS web console has a column titled Authorized. All the systems that are provisioned show up as False. What does this column mean? |
RESOLUTION | The Authorized column signifies systems that can be provisioned that have not been authorized to complete the process. |
5.8.2008
PROBLEM | When attempting to use the latest SCS with RCT 3.3 with a Remote Config Cert from GoDaddy, this error displays in SCS: Cannot handle provisioning exception: (0xCFFF06AC) SOAP Failure (23): getFullCoreVersion: SSL error - SSL authentication failed in tcp_connect(): check password, key file, and CA file. |
RESOLUTION | The remote config certificate needs to be in the personal store of the SCS service account.
|
6.13.2008
PROBLEM | If environment detection is not configured, Intel AMT VPN connection cannot be enabled even though there is no direct relationship between these two. |
RESOLUTION | Define the DNS suffix in the environment detection list with one which matches with the host's list of DNS suffixes.
To define the suffix:
Enter up to five domain suffixes that define permitted domains within the enterprise network. The Intel AMT device uses this list to determine whether the platform is operating inside or outside the enterprise network. Management consoles can define the behavior of the device when it is outside the enterprise, including setting a policy that will block network traffic.
9. Click OK. |
7.18.2008
PROBLEM | Error code 998 displays when trying to remove a wireless profile in the SCS, indicating that the profile is in use. |
RESOLUTION | This error is generated if the wireless profile you are using is assigned to a system profile within the SCS. In order to delete the wireless profile, first remove it from any system profiles. |
7.18.2008
PROBLEM | The client machine logs errors related to setting the time when time synchronization is enabled in Intel SCS 3.x and the OS is also using Active Directory to synchronize system time. |
|RESOLUTION|Disable time synchronization in SCS 3.x.|
7.28.2008
PROBLEM | What are the minimum security requirements required for the account which is installing SCS? |
RESOLUTION | The account needs to be a member of the local administrators group and an administrator on the SQL server. |
7.28.2008
PROBLEM | SCS 5.0 does not support 64-bit operating systems. Customers using 64-bit operating systems need to use SCS 5.1 or later.
At this time there is no workaround for SCS 5.0 to support 64-bit operating systems. This issue is not documented in the SCS 5.0 documentation. |
SOLUTION | SCS 5.1 supports 64-bit operating systems. |
9.25.2008
PROBLEM | The SCS Console Operator role does not appear to give users the right to access the security keys, which conflicts with the documentation and is a pre-requisite for an operator performing a pre-provisioning function. |
SOLUTION | This issue was fixed in SCS 5.0. |
11.25.2008
PROBLEM | Remote configuration fails consistently when attempting to provision clients with SCS. The error message in the SCS log is 'Cannot handle provisioning exception: (0xCFFF06AC) SOAP Failure (23): getFullCoreVersion: SSL_ERROR_SSLerror:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error - SSL connect failed in tcp_connect()' |
SOLUTION |
Intel® AMT supports a maximum encryption key length of 2048-bits. |
12.4.2008
PROBLEM | How often does the SCS purge log files and can the retention date be configured? |
SOLUTION | There are maintenance procedures that SCS executes once every five minutes: cspi_cleanRequestStatus and cspi_cleanLog. These procedures did not execute automatically in SCS 3.3 and earlier. |
12.4.2008
SOLUTION | The 3.x versions of the SCS are not supported on EMT64 versions of Windows Server. SCS 5.0 is supported in 32-bit mode on EMT64 enabled versions of Windows* Server. Download SCS 5.0 at http://software.intel.com/en-us/articles/download-the-latest-version-of-intel-amt-setup-and-configuration-service-scs |
12.4.2008
PROBLEM | The USBFile version 2 utility was used to create PID/PPS pairs, but the SCS console cannot import the setup.bin file. It displays an error message indicating the supplied setup.bin has an incorrect file format. |
SOLUTION | USBFILE2's file format is not supported by the SCS at this time. Use the -v 1 switch with USBFILE2 to force it to create a v1 file, or use the original USBFILE utility. |
12.4.2008
PROBLEM | The SCS Console Operator role does not appear to give users the right to access the security keys, which conflicts with the documentation and is a pre-requisite for an operator performing a pre-provisioning function. |
SOLUTION | This is a known issue and will be fixed in SCS 5.0. |
11.25.2008
SOLUTION | The user installing Intel® SCS must be a member of the local |
4.2.2009 QA1326
SOLUTION | Check future versions of Intel SCS to determine if it is supported on non-English versions of Microsoft* Windows* Server 2008. |
9.18.2009 QA1381
PROBLEM | USB provisioning failed after multiple attempts. |
RESOLUTION | This is by design. USB provisioning only works on a "factory new" system, meaning that it has never been provisioned. Once Intel(R) AMT is provisioned, the one-touch USB method will not work again until the CMOS battery is pulled and reset. |
11.9.2007
Use these criteria when preparing a key for USB provisioning:
Keys should only be formatted with Intel SCS. Keys should be formatted as a FAT16 device with a null volume label.
Setup.bin must be the first file on the key. If the file is overwritten, or erased and then re-added, it may no longer be the first file on the key. Always reformat the key before a new setup.bin file is copied to it.
Keys should be 2GB or less. FAT16 cannot address more than 2GB on these devices.
Purchased keys should not have any preinstalled software on them.
Keys should only be used for USB key provisioning and not for any other purpose.
Keys should never have been created as a bootable device.
BIOS settings can impact USB provisioning. If you experience problems, load the manufacturer's default BIOS settings before doing USB provisioning.
12.20.2007
The keys marked YES are acceptable for USB provisioning. The keys marked NO are not recommended for USB provisioning. New keys were used in these tests.
System | Model | BIOS | SanDisk 1GB Cruzer Micro SDCZ61024A10 | Kingston 1GB DT1001GBKR | Sony 1GB Micro Vault USM1GJ | PNY 2GB Optima Pro Attached Enhanced for Windows ReadyBoost PFD02GHSPFS |
|---|---|---|---|---|---|---|
Acer | TravelMate 6592 | 1.53 | Not supported | Not supported | Not supported | Not supported |
Dell | Latitude D630c | A09 | Yes | Yes | Yes | Yes |
FSC | LifeBook E8410 | 1.16 | Not supported | Not supported | Not supported | Not supported |
HP | 2510p | F.0D | Yes | Yes | Yes | Yes |
HP | 6910p | F.16 | Yes | Yes | Yes | Yes |
Lenovo | ThinkPad T61 | 7LETB9WW(2.24) | No | Yes | No | No |
Lenovo | ThinkPad X61 Tablet | 7SET31WW(1.19) | No | Yes | No | No |
Lenovo | ThinkPad X300 | 7TUJ05US (1.08) | No | Yes | No | No |
Samsung | NP-P55 | 07AY | Not supported | Not supported | Not supported | Not supported |
Toshiba | Protege M700 | 1.40 | Not supported | Not supported | Not supported | Not supported |
Toshiba | Tecra M9 | 1.90 | Not supported | Not supported | Not supported | Not supported |
*Fujitsu-Siemens Corporation (FSC) and Toshiba do not support USB provisioning on their Intel® Centrino® Pro processor technology platform.
04.23.09
The keys marked YES are acceptable for USB provisioning. The keys marked NO are not recommended for USB provisioning. New keys were used in these tests.
System | Model | BIOS | SanDisk 1GB Cruzer Micro SDCZ61024A10 | Kingston 1GB DT1001GBKR | Sony 1GB Micro Vault USM1GJ | PNY 2GB Optima Pro Attached Enhanced for Windows ReadyBoost PFD02GHSPFS |
|---|---|---|---|---|---|---|
Intel Desktop Board | DQ35JO | 86.A.0954.2008.0922.2331 | Yes | Yes | Yes | Yes |
FSC | Esprimo P5925 | 6.00 R1.15.2584.A1 | Yes | No | Yes | No |
Dell | Optiplex 755 | A11 | Yes | Yes | Yes | Yes |
HP | dc7800 | 01.24 | Yes | Yes | Yes | Yes |
Lenovo | ThinkCentre M57p | 2RKT57AUS | Yes | No | Yes | No |
04.23.09
The keys marked YES are acceptable for USB provisioning. The keys marked NO are not recommended for USB provisioning. New keys were used in these tests.
System | Model | BIOS | SanDisk 1GB Cruzer Micro SDCZ61024A10 | Kingston 1GB DT1001GBKR | Sony 1GB Micro Vault USM1GJ | PNY 2GB Optima Pro Attached Enhanced for Windows ReadyBoost PFD02GHSPFS |
|---|---|---|---|---|---|---|
Acer | TravelMate 6493 | v1.02 | Yes | Yes | Yes | Yes |
Dell | Latitude E6400 | A11 | Yes | Yes | Yes | Yes |
Fujitsu | LifeBook 8420 | v1.06 | Yes | Yes | Yes | Yes |
HP | EliteBook 6930P | 68PCU ver F.0E | Yes | Yes | Yes | Yes |
| Lenovo | T400 | 7UET43WW (1.15) | Yes | Yes | Yes | Yes |
| Lenovo | X200 | 6DET30WW (1.07) | Yes | Yes | Yes | Yes |
| Toshiba | Tecra A10 | 1.90 | Yes | Yes | Yes | Yes |
04.23.09
The keys marked YES are acceptable for USB provisioning. The keys marked NO are not recommended for USB provisioning. New keys were used in these tests.
System | Model | BIOS | SanDisk 1GB Cruzer Micro SDCZ61024A10 | Kingston 1GB DT1001GBKR | Sony 1GB Micro Vault USM1GJ | PNY 2GB Optima Pro Attached Enhanced for Windows ReadyBoost PFD02GHSPFS |
|---|---|---|---|---|---|---|
| Lenovo | M58p | 5CKT40AUS | Yes | No | Yes | No |
| HP | dc7900 | 786G1 v01.11 | Yes | Yes | Yes | Yes |
| Dell | OptiPlex 960 | A01 | Yes | Yes | Yes | Yes |
04.23.09
Use these tips when provisioning a Lenovo T61 notebook:
Don't attempt to USB provision after a forced power off (holding the power button for 5 seconds). Only attempt a USB provision after a normal shutdown or restart.
Disable Intel(R) AMT from the BIOS.
Boot the system with the USB key.
Re-enable Intel AMT from the BIOS.
Provision the system using the USB key.
2.12.2008
PROBLEM | Customers activating a high number of systems using One Touch/USB provisioning may run into performance degradation attempting to import these keys in a management console. |
RESOLUTION | There is no theoretical limit to how many PID/PPS pairs can be on a USB key, but there may be a threshold above which the performance degrades significantly. At this time, the largest known deployment using USB provisioning was with a 30,000 PID/PPS pair. Altiris* was unable to process this setup.bin file, however the Intel SCS Console was able to import these keys despite the timeout error that the console indicated. |
4.29.2008
There is a utility available in your LANDesk installation that allows you to quickly generate a specific numbers of PID/PPS pairs for USB provisioning. Follow these instructions; the steps represent a standard installation.
Open Windows Explorer and navigate to your LANDesk program files.
Open the managementsuite folder and locate AMTUSBFile.exe.
Open a command window and navigate to the path where AMTUSBFile.exe resides. Use the table below to run the utility.
To do this... | Then type this and press Enter... |
|---|---|
List all available parameters | AMTUSBFile.exe –h |
Generate X number of pairs | AMTUSBFile.exe –c current ME password new ME password –n number of pairs
For example, to generate 625 records would take ~1 second:
AMTUSBFile.exe –c admin Landesk1! –n 625 |
Import the keys from the generated setup.bin to the LANDesk database | AMTUSBFile.exe –i
Note: LANDesk uses an encrypted string when saving credentials to the database. Sometimes, this encrypted string is invalid to databases, such as Oracle. If this occurs, you may need to run the command several times before the keys are added. Records already imported will not be imported again. |
Verify the list of records in the database | AMTUSBFile.exe –g |
6.27.2008
*Other names and brands may be claimed as the property of others.
There are no comments on this document