Intel® vPro™ Expert Center

A Community of Practice for Intel® vPro™ technology serving Customers, ISV's, OEM's & the general IT Community.

Up to Resources in Intel® vPro™ Expert Center

Known Issues, Best Practices, and Workarounds

VERSION 64 Published

Created on: Nov 12, 2007 9:34 AM by josh.hilliker - Last Modified:  Jul 30, 2008 6:08 PM by michelegartner

Check back often -- I'll be adding more content to this wiki on a weekly basis, at minimum. Don't see what you need? Send your wishlist to Michele Gartner.

Table of Contents

Best Practices

BIOS

Client Drivers

Infrastructure

ISV

Altiris*
LANDesk
Microsoft* SCCM

Management Engine

Microsoft Systems Management Server* (SMS) Add-on for Intel AMT

OEM

BIOS

Platform: Averill

Profiles

SCS

Setup and Configuration Service


USB Provisioning

Best Practices


Automatically disabling the Intel AMT Privacy Notification window

PROBLEM A Privacy Notification window automatically displays when each user logs into the Intel AMT system.
RESOLUTION End users can disable this window by selecting the "Do not display this message" checkbox.
However, you can also disable the Privacy Notification window and still keep the application running by modifying a registry key.

To modify the registry key:

  1. Open the registry and locate this key: HKEY_LOCAL_MACHINE\Software\Intel\Network_Services\atchk
  2. Create a new dword value named +MinimizePrivacyIconAtStart +and set it to 00000001.

11.9.2007

Changing Terminal Emulation Type


PROBLEM Some vendor BIOS versions only support the display of specific emulation types. Using this command, specific ISVs will be able to redirect and emulate without issue.
RESOLUTION This command only applies to users running Altiris, HP Openview, and Microsoft SMS.

On the console machine:

  1. At the Start menu, select Run.
  2. In the Open field, enter CMD and click OK. A command window opens.
  3. At the command prompt, type telnet and press Enter.
  4. In the telnet session, type set term ansi or set term vt100 and press Enter.
  5. Type quit and press Enter.

Your terminal emulation type is now set to ANSI or VT100, depending on what you entered. You can re-enter the telnet session at anytime and type d to verify the emulation type.

NOTE: If you do not properly quit the telnet session, the setting will not be saved.

6.11.2008


Customizing the Intel(R) AMT Status dialog box

You can view the status of Intel AMT on a machine by double-clicking the system tray icon and choosing Status. This dialog box displays whether Intel AMT is enabled or disabled. It also has a hyperlink that allows the user to visit a site for more information about Intel AMT. You can customize this hyperlink to go to any site you wish. For example, you may want to modify it to point to your organization’s help desk page or to the Intel® vPro™ Expert Center (http://www.intel.com/go/vproexpert).

This procedure applies to Intel® AMT 2.5 and greater. See the readme file, included in the download, for more information.

  1. Download the files to modify the registry. The files are located here: http://communities.intel.com/docs/DOC-1797
    1. Save the OemUrlRegistry.zip file to your desktop.
    2. Extract the files: oementry.re_ and readme.txt.
  2. Customize the hyperlink.
    1. Open oementry.re_ in a text editor.
    2. Edit the destination hyperlink. The default entry is: "OemUrl"="http://www.intel.com/vpro"
    3. Rename oementry.re_ to oementry.reg.
  3. Run the *.reg file to modify the registry.
    1. Double-click oementry.reg.
    2. A cautionary dialog box displays. Click OK.
    3. An information dialog box displays that the registry was modified. Click OK.
  4. Restart the computer.

BIOS


F10 does not exit BIOS on HP clients

PROBLEM During a SOL session to an HP client, pressing F10 does not exit BIOS.
RESOLUTION Press ESC and 0 (zero) at the same time as an alternative to exit BIOS.

1.30.2008

Client Drivers


Using Intel vPro technology and Linux

PROBLEM Where can I find more information about Intel vPro technology on Linux?
RESOLUTION Information about Linux support is available at the Open Source Intel AMT Drivers and Tools\ site.

10.11.2007


Linux-based wireless drivers

PROBLEM Where can I find the most recent Linux drivers for an Intel vPro system?
RESOLUTION Visit http://www.intellinuxwireless.org/ to download Intel wireless drivers.

11.9.2007


Wireless management does not work when the operating system is running

PROBLEM Wireless management does not work when the operating system is running.
RESOLUTION Check if there are missing or faulty Intel AMT drivers (HECI & LMS/SOL) in Microsoft Windows*. Get the latest drivers from the OEM's web site and install them. Once the drivers are installed, the Intel(R) Management Engine should work properly with the wireless connection.

1.30.2008

Infrastructure


Is an IDE-R recommended over a WAN?

PROBLEM Is there a performance hit for IDE-R over a WAN?
RESOLUTION We do not recommend using an IDE-R session to boot large CD-ROM images over a WAN. Instead, we recommend using a stripped down IDE-R image that can load up a network stack on the AMT client. The network stack can be used to access local shares at the branch that have the tools you need to either rebuild the OS or diagnose problems.

2.8.2008

ISV

Altiris


Troubleshooting DNS when configuring Altiris

PROBLEM DNS configuration issues display when configuring Altiris.
RESOLUTION Use these troubleshooting tips to help resolve DNS configuration issues with Altiris:

  • Verify that the Altiris host has fully qualified records in the DNS infrastructure. This would constitute an A record for forward lookups and a PTR record for reverse lookups.
  • Make sure the Intel Setup and Configuration Service (SCS) is up and running on the box.
  • Upgrade the SCS Console to the current version. This process is not supported by Altiris and is only for troubleshooting.
  • IMPORTANT: When you upgrade, only install the console. DO NOT upgrade the entire SCS application.

    To upgrade to the current version:
  1. Download the SCS package at http://softwarecommunity.intel.com/articles/eng/1025.htm.
  2. When the download is complete, open the ZIP file and double-click 3.1.0.7.zip.
  3. Double-click AMTConsole.zip and run AMTConsole.exe.The console will prompt you to use the fully qualified domain name. An SSL session may be necessary to connect to it, depending on the server configuration. The console client works like a web browser and a URL is required to connect to the SCS, for example: http://server.something.com/atmscs or https://server.something.com/atmscs.

12.20.2007


Can the Default 'provisionserver' naming conventions be changed?

PROBLEM Can Intel AMT firmware be reconfigured to change the default 'provisionserver' naming convention to a value of a customer's choosing?
RESOLUTION The provisionserver value is hard coded and cannot be changed. It is recommended that the customer set up a second A record or a CNAME record in the DNS that points the provisionserver.yourdomain.com to the ISV server.

2.8.2008

LANDesk


No drivers required for bare metal provisioning

PROBLEM A customer with LANDesk* LDMS 8.8 or similar provisioning server does not need to load drivers or an OS image on the Intel(R) AMT clients to perform bare-metal provisioning.
SOLUTION No drivers are required for bare-metal provisioning of an Intel(R) AMT client. The system administrator will, however, need to pre-populate the provisioning server database with the client configuration information (UUID, FQDN, OU if Active Directory is used, Profile). Refer to the LANDesk documentation for information on how to enter the client configuration information into LDMS 8.8. The Intel AMT client will send out a hello packet as soon as the network and power cables are plugged in. If the provisioning server is found, and the client configuration information is in the provisioning database, then the client will be provisioned.


7.28.2008

Microsoft SCCM


Enabling native (no translation required) support within Microsoft SCCM SP1

A BIOS update is available to provide native support within Microsoft SCCM SP1 for Dell 755, HP DC7800, and Lenovo M57p computers.

OEM Model Link to BIOS Update
Dell 755 http://support.dell.com/support/downloads/download.aspx?c=us&l=en&s=gen&releaseid=R185551&SystemID=PLX_PNT_P4_755&servicetag=&os=WLH&osl=en&deviceid=15256&devlib=0&typecnt=0&vercnt=6&catid=-1&impid=-1&formatcnt=1&libid=1&fileid=253423
Lenovo M57p http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-69827
HP DC7800 http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?lang=en&cc=us&prodTypeId=12454&prodSeriesId=3459241&prodNameId=3459245&swEnvOID=2105&swLang=13&mode=2&taskId=135&swItem=vc-59639-1


7.23.2008


Virtual adapters may cause network discovery to fail

PROBLEM When discovering vPro systems via a console that has a virtual adapter enabled with an IP address assigned, such as Microsoft SCCM, the discovery process may fail if the virtual adapter IP address is used for the discovery process.
RESOLUTION Before performing the discovery, disable any virtual adapters that were created by software such as VMWare.*


7.30.2008

Management Engine


Maximum number of agents that can be monitored simultaneously

PROBLEM How many agents can the Intel Management Engine monitor at one time?
RESOLUTION This data is undocumented, however, testing shows that Intel AMT 2.0 can monitor up to sixteen agents.

NOTE: The number of agents that can be monitored depends on how the ISV is implementing agent presence.

12.20.2007


Hewlett-Packard 6910P returns UUID=00000 during activation

PROBLEM HP 6910p returns a hello packet of UUID=00000 during activation.
RESOLUTION This is a known issue with the firmware and will be fixed when the 2008 platform is released.

Meanwhile, your customers can request a BIOS update from HP to work around this issue.

12.20.2007


Running virtual machines and DHCP can cause Intel AMT to be inaccessible

PROBLEM Using DHCP in a virtual machine can cause Intel AMT to become inaccessible when you close the virtual machine session. This is because your computer and Intel AMT will now have different IP addresses.
RESOLUTION To work around this issue, exit the virtual machine session(s) and then do one of the following:
  • Reboot your system.

OR

  • Release and renew the IP address as follows:
    1. Click Start and choose Run.
    2. Enter cmd and click OK.
    3. At the command prompt, type:
ipconfig /release and press Enter.
ipconfig /renew and press Enter.
This is a known issue and will be updated as more information is available.

1.24.2008


Wildcard certificates are currently not supported for remote configuration

PROBLEM When provisioning enterprises with multiple domains via remote configuration, individual certificates are required for each domain that needs to communicate with the Management Console. Wildcard certificates are currently not supported.
RESOLUTION Wildcard certificate support is a feature request for AMT 3.2 (Weybridge) and AMT 2.6 (Centrino).
Meanwhile, you can workaround this issue by deploying an SCS server and a certificate for each domain.
MORE INFORMATION This issue will be updated as more information becomes available.

1.24.2008


No inventory data available

PROBLEM Inventory data does not appear after provisioning an Intel AMT client, even though the provisioning process was successful and without errors.
RESOLUTION POST needs to occur for the data transfer to take place. The inventory data resides within the BIOS SMI tables and cannot be successfully transferred to the Intel Management Engine and viewed by the WebUI or retrieved programmatically. The BIOS and ME handshake must occur during POST to transfer data. Make sure the system has run through POST, so that the inventory data is transferred from BIOS into ME.

1.30.2008


Weybridge issue causing network disconnects; impacting Dell Optiplex 755

PROBLEM Currently shipping non-provisioned Intel(R) vPro(TM) or Intel(R) AMT PCs on some Weybridge configurations may report a network disconnect/reconnect on five minute cycles when the 24 hour provisioning period expires while in a low power state. An unused security feature of Intel(R) AMT triggers the network disconnect and then resets the network connection on 5 minute cycles.
RESOLUTION This issue has been resolved in the A09 BIOS release from Dell for the Optiplex 755. The BIOS release is available at the following URL:

http://support.us.dell.com/support/downloads/download.aspx?c=us&l=en&s=gen&releaseid=R181510&formatcnt=1&libid=0&fileid=247483

Click here for the update.\


2.27.2008


Synchronizing the operating system and the Intel AMT hostname.

PROBLEM Is there an automated way to synchronize the operating system and Intel(R) AMT hostname?
RESOLUTION The Intel(R) AMT Reflector tool\ is now available on the Intel(R) vPro(TM) Expert Center.

See the Tools wiki\ for more helpful vPro tools.



Best Practices: Setting up application servers and Internet Explorer* for Intel(R) AMT Kerberos support

  • Verify that your Internet Explorer settings are correct for pass through authentication.
    • Open Internet Explorer and choose Tools > Internet Options > Advanced Tab.
    • Select Enable Integrated Windows Authentication. Exit and restart Internet Explorer before attempting to access the Intel AMT device.
  • Install these Kerberos patches on the system you will use to access the Intel(R) AMT device.
    • WindowsServer2003-KB899900-X86-ENU.exe
    • WindowsServer2003-KB908209-X86-ENU.exe
    • WindowsServer2003-KB899900-X86-ENU.reg
  • If you are using Windows XP* as the operating system for the computer used to access the Intel AMT web interface, then install these patches:
    • WindowsXP-KB899900-X86-ENU.exe
    • WindowsXP-KB908209-X86-ENU.exe
    • WindowsXP-KB899900-X86-ENU.reg
  • Ensure that the time settings for the Intel AMT client(s), domain controllers, and the application server are synchronized.
  • Before provisioning:
    • Create an AMT OU on the domain controller existing on the domain on which your Intel(R) AMT devices reside. For example, if your device exists on child.parent.com, and your provisioning server (or Intel SCS) resides on parent.com, then create an OU for AMT objects on child.parent.com.
IMPORTANT: If there are multiple domains, then add an OU to each domain.
    • Ensure that the user accessing the AMT OU has permissions to add and delete objects to the OU. In our case, we used PARENT\administrator, which by default has the add and delete permissions. According to the Intel SCS documentation, you need to delegate the OU to the user (PARENT\Administrator).
    • Confirm that the Kerberos (PARENT\administrator) user ACL is in the Provision profiles before you provision machines.
    • Confirm that the Intel SCS is pointing to the right OU. You may need to type it in manually, as the SCS show OUs in the immediate domain and may not show the OUs in the child domain.
  • Provision your Intel AMT client.

5.30.2008


Network issues with NS Lookup

PROBLEM A single vPro machine can be accessed via WebUI, but does not appear in DNS. Its name does not get resolved in NSLookup?
RESOLUTION NSLookup does not use the standard client resolver routines but uses similar routines of its own. If true, this means a valid name-IP record could be cached on the client and being used by IE to resolve the name even though NSLookup fails to resolve the name and there is no DNS record.

To determine this, do the following:

  1. In the command prompt program, enter ipconfig /displaydns to inspect the cache for the dns record.
  2. Enter ipconfig /flushdns to clean out records and retry (it should fail if there is no DNS record).


6.13.2008


Does Intel AMT 3.0 support Windows 2000 Active Directory?

For support of Windows 2000 Active Directory, AMT 3.2 is required. Intel AMT 3.2 was released to the OEMs during Q1 2008. Please contact your OEM to find out when the update will be publically available.

6.13.2008


Switching from NAC to 802.1x results in loss of connectivity

PROBLEM In an EAC*-enabled network, where a NAC or NAP server is deployed and configured to request “posture” or SoH, Intel® AMT connectivity may be lost to clients that are not in H0 state if the server configuration is modified to work with 802.1x only.
RESOLUTION If the NAC/NAP server configuration is changed to work with 802.1x only, then do one of the following:
  • Restart LAN switch ports, or
  • Restart the clients.


6.25.2008


Using Intel(R) AMT wirelessly without user intervention

PROBLEM Intel AMT wireless connectivity is not available when the operating system is running and the user is not logged in.
RESOLUTION To work around this issue, configure the Single Sign On (SSO) driver to maintain a wireless connection. Once the SSO properties are set according to the table below, Intel® AMT will be able to connect to the wireless profile using Microsoft* Windows credentials before the user actually logs on.

SSO Properties
  • Pre-logon. This feature is identified with the “SSO” term. It allows you to connect to a wireless profile using the Windows credentials entered by the user before the actual Windows log-in.

  • Persistent. This feature allows you to connect to a wireless profile that doesn’t require user credentials (but alternatively requires “system credentials”), in case the user is not logged on (either after reboot or after log-off). In order to use it, the IT admin has to configure such a profile that doesn’t rely on user credentials.

  • Security. Profiles for pre-logon and persistent connect are stored securely on the machine, cryptographically bound to the machine so that it cannot be transferred to another machine. The profiles are shared across all users on the machine, but certain user-based credentials such as PACs are stored on a per-user basis.
NOTES
  • Microsoft Windows XP users: Using persistent connection adds a service to handle establishing connections when users are not logged on.

  • Microsoft Vista users: The persistent connection is enabled on a per profile basis if the configured EAP (Extensible Authentication Protocol) method supports authentication with machine credentials.


7.16.2008

Microsoft Systems Management Server (SMS) Add-on


Fix available: Microsoft System Management Server (SMS) Add-on V3.0 has local echo when using Serial over LAN (SoL)

PROBLEM When performing SOL/IDER with SMS Console V3.0, the SOL console screen is set for local echo to be on and it cannot be disabled.
RESOLUTION This issue is fixed in version 3.1 of the SMS Add-on, which you can download at http://softwarecommunity.intel.com/articles/eng/1356.htm.

Updated 2.8.2008

Fix available: Using the Intel AMT add-on for Microsoft SMS 2003 on a Dell 755 returns a UUID error

PROBLEM Using the Intel AMT add-on for Microsoft SMS 2003 on a Dell 755 returns this error:

Current system UUID is different from last discovered UUID. Please rediscover the system.
RESOLUTION An Intel AMT add-on for Microsoft SMS 3.0 hot fix 3 is available online at http://www.intel.com/software/sms-add-on.
This hot fix removes the continuity check between the SMBIOS and the Digest UUID, which was determined to be an unnecessary check.
MORE INFORMATION Click here to download the hot fix\.
Please review the release notes\ and the Read Me\ file to learn more.

12.20.2007


Fix available: The Intel AMT Add-on for Microsoft SMS is unable to communicate with the SCS over a standard HTTP connection.

PROBLEM The Intel AMT Add-on for SMS will communicate with the SCS over an HTTPS/SSL connection, however it will not communicate over an insecure HTTP/non-SSL connection, even if TCP port 80 is defined in the Intel AMT Add-on configuration.
RESOLUTION Upgrading to version 3.1 of the Intel AMT Add-on for SMS resolves this issue. The update can be obtained from: http://softwarecommunity.intel.com/articles/eng/1356.htm

2.8.2008


Do management workstations running the SMS console and SMS Add-on require patches as outlined in the documentation for the Intel(R) AMT Add-on for Microsoft SMS*?

PROBLEM The SMS Add-on documentation states that two hot fixes and registry patches are required. Are these patches/hot fixes required on the workstations that are running the Microsoft SMS console and Intel AMT add-on only?

Are they required only if the end user from that workstation is planning to use the web interface?

Are they required for the SMS add-on to function properly?
RESOLUTION These patches are required on a management workstation if you wish to access the web interface on vPro clients.

5.8.2008

OEM

BIOS


Lenovo* M55p returns UUID=00000 during activation

PROBLEM Lenovo M55p systems return a hello packet of UUID 00000 during activation. This problem occurs on machines that shipped with factory-default BIOS of 36 or less.
RESOLUTION A firmware update to version AMT2.1.0.1032 is available from Lenovo to resolve this problem. Contact your Lenovo representative if you need this update.

A BIOS update is not required, but is recommended. Visit the Lenovo web site and navigate to the Support & downloads section of the site to find BIOS 37a.

10.19.2007


Dell 755 returns a duplicate UUID during activation

PROBLEM Dell 755 returns a duplicate UUID 00000 during activation.
RESOLUTION A BIOS update (version A04) resolves this issue and is available on Dell's web site.
Click here to download the A04 BIOS update.\
Note: If you are using the Intel AMT add-on for Microsoft SMS 2003, then you also need to download Hot fix 3. See Using the Intel AMT add-on for Microsoft SMS 2003 on a Dell 755 returns a UUID error\ for instructions.

1.24.2008


Ctrl + P prompt missing when CMOS battery unplugged

PROBLEM When the CMOS battery is unplugged from the HP 7800p, the Ctrl+P command for accessing the Intel Management Engine is missing.
When SCS is opened and the refresh button is selected, the Intel AMT device does not appear.
RESOLUTION Use the following steps to the resolve this issue:
  1. Press F-10, when prompted during the boot, to access the BIOS on the system.
  2. In the BIOS choose the advanced menu -> Power-On Options and select the “MEBx Setup Prompt”
  3. Use the right arrow key to cycle it to “Displayed.”
  4. Press F-10 to accept the change.
  5. Go to the file menu and select Save Changes and Exit.
  6. The Ctrl-P prompt will reappear.

2.7.2008


When Intel AMT is disabled, there is a HECI driver problem in the HP* dc7800

PROBLEM In vPro-capable HP dc7800 systems, when Intel AMT is turned on, everything works fine. When the Intel AMT driver is turned off in the Intel Management engine, the Intel HECI driver in the operating system causes an error to occur in the device manager: "device cannot start".
RESOLUTION Follow these steps to correct this problem:
  1. Boot the client and press Ctrl + P to access the AMT/ME configuration settings.
  2. Go to the Intel ME Configuration and press Enter.
  3. Type Y to continue.
  4. Select Intel ME Features Control and press Enter.
  5. Select Manageability Feature Selection and press Enter.
  6. Select None and press Enter.
  7. Press ESC to go back to the main screen.
  8. The system will reboot.
  9. Go into device manager and verify that there are no failed devices.

2.14.2008


What does the Intel AMT status application dialog box signify?

PROBLEM On brand new vPro systems, the Intel AMT Status Application dialog box displays the Intel AMT Status as "Enabled" even though Intel AMT has not been configured. Are OEMs shipping systems with Intel AMT enabled (provisioned)?
RESOLUTION The Intel AMT status application is designed to show if the Intel AMT is or is not enabled in the Intel Management Engine. It does not reflect if a system has been provisioned/configured. Even when Intel AMT is disabled in the Intel Management Engine, the Intel Management Engine can still be accessed. OEMs do not ship provisioned systems unless that service is requested and purchased by the customer.

2.14.2008


Are there DLLs in the operating system that access vPro?

PROBLEM Are there DLLs, in the operating system, that access vPro?
RESOLUTION Individual OEMs manage the Microsoft Windows drivers that use Intel vPro technology. To access current drivers for clients, visit the OEM’s website.

2.14.2008


Unattended install of Intel(R) AMT client software/drivers not working properly on Microsoft Windows*

PROBLEM Command line switches are not working properly to enable a silent install with the Intel AMT drivers.
RESOLUTION The issue is that the wrong hyphen/dash character is being used. If the code is copied from an MS Word* document, the regular hyphen is replaced with another hyphen-like character which causes the command line options to work incorrectly.

Typing the command, rather than copy and paste, solves this problem.

2.27.2008


SoL/IDER does not work with the Lenovo* X61 Tablet

PROBLEM The SoL/IDER sessions do not work on the X61 tablet.
RESOLUTION This issue is resolved using the 1.07 BIOS release.

Visit the Lenovo web site and navigate to the Support & Downloads section of the site to find BIOS 1.07.

2.27.2008


SoL/IDER can’t be disabled on Lenovo* M55p

PROBLEM Unchecking SoL and IDER, under the network tab, isn’t disabling the feature on the Lenovo M55p.
RESOLUTION Update the BIOS to version 37a or newer versions. Visit the Lenovo web site and navigate to the Support & Downloads section of the site to find BIOS 37a or later.

3.4.2008


BIOS password screen unavailable on HP systems during SOL session

This problem occurs when the Terminal Emulation Mode is not set correctly in the BIOS.

Here is the screen when Terminal Emulation Mode is set to VT100 through BIOS:

Altiris_uisng_SOL_with_HP_VT100.JPG

How to switch Terminal Emulation Mode:

  1. Open the HP ProtectTools Security Manager, click BIOS Configuration, and then select System Configuration.
  2. In the AMT Options section, change Terminal Emulation Mode to ANSI.
  3. Click OK.

HP_BIOS_changed_to_ANSI_mode.JPG

The BIOS Password screen is now available during SOL sessions.

Altiris_uisng_SOL_with_HP_ANSI.JPG

4.25.2008

Platform: Averill


Are the Weybridge SoL and HECI drivers backward-compatible with Averill?

PROBLEM Are the Weybridge SoL and/or HECI drivers backward-compatible with Averill? Can they be used and supported on an Averill platform?
RESOLUTION Backward compatibility depends on the OEM and if they choose to support the drivers and platforms. For instance, HP does support the same drivers for 7700's, 7800's and 6910p, but other OEMs may not support the same drivers.

2.27.2008

Profiles

SCS


Intel SCS returns an error during a partial unprovision

PROBLEM Partial unprovisioning of a system fails. The SCS log reports the following messages: "SOAP Failure (21): cannot partially unprovision AMT" or "SOAP Failure(21): cannot GetLowAccuracyTimeSync"
RESOLUTION The partial un-provision command requires a FQDN to work. Accurate client DNS records are required to provide an FQDN for this functionality.

2.27.2008


Validation of SCS service users takes over 30 minutes when installed in a large Active Directory environment

PROBLEM Validation of SCS service users takes over 30 minutes when installed in a large Active Directory environment
RESOLUTION This issue is scheduled to be resolved in Intel(R) AMT SCS 5.0, to be released by the end of Q2.

2.27.2008

Setup and Configuration Service


GoDaddy requires High-Assurance SSL certificates

PROBLEM The standard domain-only validation SSL certificates from the GoDaddy Certificate Authority are not suitable for Intel AMT remote configuration. These types of certificates do not contain the OU information required by the firmware to accept them.
RESOLUTION If GoDaddy is used as the CA, then request a High-Assurance SSL certificate, which should include the OU information required by the Intel AMT client.
For more information, see the Intel AMT SCS Installation and User Manual\, Chapter 3, section “Preparing Intel AMT for Future Configuration.”

1.25.2008


Using static IP addresses and Basic (formerly known as SMB) mode

PROBLEM Intel AMT functionality works in DHCP IP with Enterprise mode and SMS. However, SMS does not find asset information from the vPro machine when using Static IP with Basic mode.
RESOLUTION Static IP addresses are not recommended. If they must be used, then the Intel Management Engine and the operating system will each need their own static IP address in order for AMT to function properly.

1.25.2008


Error displays when provisioning HP 6910p

PROBLEM Setup and Configuration Service (SCS) reports an error when provisioning Hewlett-Packard (HP) 6910p computers when using Wake on LAN (WoL) power policies 4 and 5.
RESOLUTION This error occurs for all HP platforms shipped in 2007 and there is no workaround. HP does not support these power policies and the SCS is accurately reporting that they are unsupported.
Escalate this known issue to your HP sales representative.

1.25.2008


Will PKI-CH consistently support wildcard certificates across Intel(R) AMT versions?

PROBLEM Will the PKI-CH implementation currently available in Intel AMT 2.2, Intel AMT 2.6, and Intel AMT 3.0 consistently support wildcard RCFG certificates?
Intel AMT 2.6 supports wildcards; but Intel AMT 2.2 and 3.0 do not. Will Intel AMT 2.2 and 3.0 will support wildcard certificates?
RESOLUTION There are no plans to enable support for wildcard certificates in Intel AMT 2.2 or any future updates for that generation of hardware. There are plans to support wildcard certificates in the future release of Intel AMT 3.2

3.4.2008


SCS service crashes due to excessive logs

PROBLEM The SCS service crashes repeatedly due to excessive logs. In the SCS Win Log, the OLE database error for timeout is displayed.
RESOLUTION Reduce the database logs to a reasonable size, based on available processes.

2.27.2008


Network Load Balancing of SCS Servers

PROBLEM Are there any known issues or limitations in pointing provisionserver.company.com to a Network Load Balancing address that balances between two or more SCS servers (all are in the same domain)?
RESOLUTION The SCS support team confirmed that this is a supported configuration, provided all the SCS servers point back to a single SCS database.

2.27.2008


Is SNMP Trap Service required for SCS?

PROBLEM Is the Microsoft Windows* SNMP trap service required in the latest SCS version?
RESOLUTION The SNMP trap service is not required for installing or using SCS, but it is required for the Intel® AMT Add-on for SMS* V3.0 to receive PET alerts from Intel AMT clients per the SMS manual.
It is used as a receiver for platform trap events. Clients can be configured to send platform traps to an SNMP service. Since the Intel AMT Add-on is capable of configuring clients, an SNMP trap service is required during installation for a complete solution.

3.4.2008


Intel(R) AMT Active Directory error message

PROBLEM After setting the properties for the Intel AMT system, the status goes to InProvisioning, but nothing changes. The logs contain the following message: Cannot create AD AMT Object: Failed on CreateDSObject with ht-73207ty, - Process Delayed.
RESOLUTION This error message normally occurs for the following reasons:
  1. The AD schema extension has not been applied
  2. The Schema extension has been applied, but the SCS service user does not have necessary permissions to AD OU to create and manage Intel AMT ME objects.
If the extension for the AD schema is not needed, then uncheck the Active directory Integration checkbox in the SCS General Settings screen to prevent SCS from trying to create AD objects during provisioning.

3.4.2008


Organizational Unit Field in Configuration Parameters must be populated to complete provisioning

PROBLEM SCS cannot complete provisioning of a system if the Configuration Parameters do not have a value specified in the OU column, even if the SCS is not using the Integrated with Active Directory option. Users must either manually add a value (during the manual process) or define a value when using remote tools like the RCT.
RESOLUTION This is a known issue with SCS and it is slated to be corrected in SCS 5.0.

3.4.2008


Unable to access web interface using Kerberos authentication

PROBLEM The web interface cannot be accessed using Kerberos authentication. When the Firefox web browser was used, Admin authentication could be accessed, but the https digest could not be accessed. Internet Explorer* cannot access either Admin authentication or Https digest.
RESOLUTION If the AD schema is not extended, the Kerberos user authentication will not work. Using digest users resolves this issue.

3.21.2008


Is Static IP addressing possible in Enterprise Mode?

PROBLEM What is the technical limitation of having static IP addresses in an Enterprise Mode environment and what would be workarounds that would allow a customer to use both? Since DHCP dynamically updates DNS, if you manually entered DNS suffix in Intel(R) Management Engine and maintained DNS manually then would that allow customers to use static IP addresses with enterprise mode?
RESOLUTION While this is not recommended, the DNS entries can be maintained as described in the question. Multiple computer entries, in the management console, will be needed for managing clients that use Static IP.

3.21.2008


Is it possible to have an operating system with static IP address and Intel® Management Engine in DHCP mode?

PROBLEM Is it possible to have an operating system setup with static IP address and Intel Management Engine setup for DHCP mode? Can the IP address of the operating system and Intel Management Engine be on different subnets? Or do they need to be on same subnet?
RESOLUTION This scenario is not supported and has not been tested.

3.21.2008


Cannot log into SCS Console with Enterprise Admin account

PROBLEM The SCS console can only be logged into using the initial setup account that is provided during SCS installation. Any attempts to log in with a user account that has enterprise admin rights and has been added to SCS Users and Groups fail. The error message received is: Login Failed and the reason is: The remote server returned an error: (502) Bad Gateway.
RESOLUTION The root cause is that the customer has an Internet Explorer* configuration that uses a proxy. On the https connection, both the SCS console login and the SCS service uses the same proxy settings and that causes it to fail with error 502 bad gateway. Un-checking the use of the proxy in Internet Explorer solves the problem.

3.21.2008


Using international keyboards to create MEBx passwords via Setup and Configuration Service (SCS)

PROBLEM When creating a MEBx password via SCS and deploying to client machines located in different countries, IT administrators are advised that international keyboards may have different layouts for Latin characters. This may result in password failures as a result of entering the same password on two different keyboards supporting different languages.

As an example, a multi-national company headquartered in France may deploy a client to one employee in France and Japan. Because the keyboard layouts are different, the passwords may be inadvertently different and may fail when entered on a different keyboard.

Below is a comparison of different language keyboards.

http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/102-1247-51-1348/CommonKeys.gif

Japanese keyboard

http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/102-1247-51-1349/keyboard_japanese.gif

US English keyboard

http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/102-1247-51-1386/Keyboard-US.GIF
RESOLUTION When creating your password, use character keys that are common between all keyboards and follow the guidelines below. These guidelines assume that the password is user-defined. In high security instances, the password will be auto-generated and you will need to compare the keyboard layout diagrams to help determine your MEBx password.

  • The following is a list of keyboard keys that are common keys for all keyboard types: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, B, C, D, E, F, G, H, I, J, K, L, N, O, P, R, S, T, U, V, X

EXCEPTION: These keys are not common between Japanese and US keyboards: 2, 8, and 9. Be sure to use the illustrations above to verify common keys when creating passwords.

Note: Passwords can be created using characters generated by the Key and Shift Key

  • MEBx passwords require special characters to ensure security. Use SHIFT+N, where N equals 0, 1, 2, 3, 4, 5, 6, 7, 8, or 9, to include special characters in your password.

For example, if your strong password is JOK&F49!, you would relay this password to international users as: http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/102-1247-51-1355/password.gif

  • Passwords using the A,M,Q,W,Y and Z keys can cause problems and are not recommended.


5.7.2008


What is the Authorized column in SCS?

PROBLEM The Intel(R) AMT Systems screen of the SCS web console has a column titled Authorized. All the systems that are provisioned show up as False. What does this column mean?
RESOLUTION The Authorized column signifies systems that can be provisioned that have not been authorized to complete the process.

5.8.2008


SOAP error (0xCFFF06AC) when attempting remote configuration

PROBLEM When attempting to use the latest SCS with RCT 3.3 with a Remote Config Cert from GoDaddy, this error displays in SCS: Cannot handle provisioning exception: (0xCFFF06AC) SOAP Failure (23): getFullCoreVersion: SSL error - SSL authentication failed in tcp_connect(): check password, key file, and CA file.
RESOLUTION The remote config certificate needs to be in the personal store of the SCS service account.
  1. Log into your server with the SCS service account.
  2. Launch MMC.
  3. Select File > Add/Remote Snap-in.
  4. Select Certificates from the snap in menu and click Add.
  5. When prompted, select My user account and click Finish.
  6. Click the Close button to close the snap-in selection window.
  7. Click OK to close the snap-in Add/Remove menu.
  8. Open Certificates, then open Personal.
  9. Right-click the Personal folder, select All Tasks and then Import.
  10. Use the wizard to import your remote configuration certificate into personal store of your SCS service account.


6.13.2008


Local Manageability Service (LMS) does not allow host VPN traffic when environment detection is not defined

PROBLEM If environment detection is not configured, Intel AMT VPN connection cannot be enabled even though there is no direct relationship between these two.
RESOLUTION Define the DNS suffix in the environment detection list with one which matches with the host's list of DNS suffixes.

To define the suffix:

  1. Open the Intel SCS Console.
  2. Expand the Configuration Service Settings branch.
  3. Select Profiles. The Profiles screen displays.
  4. Select the profile to be modified.
  5. Click Edit. The Profile Configuration dialog box displays.
  6. Display the Network tab.
  7. Click Environment Detection.
  8. In the Environment Detection dialog, click Add.

Enter up to five domain suffixes that define permitted domains within the enterprise network. The Intel AMT device uses this list to determine whether the platform is operating inside or outside the enterprise network. Management consoles can define the behavior of the device when it is outside the enterprise, including setting a policy that will block network traffic.

9. Click OK.


7.18.2008


Unable to remove wireless profiles in Intel SCS

PROBLEM Error code 998 displays when trying to remove a wireless profile in the SCS, indicating that the profile is in use.
RESOLUTION This error is generated if the wireless profile you are using is assigned to a system profile within the SCS. In order to delete the wireless profile, first remove it from any system profiles.


7.18.2008


Time synchronization errors using Intel(R) SCS 3.x and Active Directory

PROBLEM The client machine logs errors related to setting the time when time synchronization is enabled in Intel SCS 3.x and the OS is also using Active Directory to synchronize system time.
RESOLUTION Disable time synchronization in SCS 3.x.


7.28.2008


SCS Installation Account Security Requirements

PROBLEM What are the minimum security requirements required for the account which is installing SCS?
RESOLUTION The account needs to be a member of the local administrators group and an administrator on the SQL server.


7.28.2008

USB Provisioning

USB provisioning only effective on "factory new" systems

PROBLEM USB provisioning failed after multiple attempts.
RESOLUTION This is by design. USB provisioning only works on a "factory new" system, meaning that it has never been provisioned. Once Intel(R) AMT is provisioned, the one-touch USB method will not work again until the CMOS battery is pulled and reset.

11.9.2007

USB Key Configuration Guidelines

Use these criteria when preparing a key for USB provisioning:

  • Keys should only be formatted with Intel SCS. Keys should be formatted as a FAT16 device with a null volume label.
  • Setup.bin must be the first file on the key. If the file is overwritten, or erased and then re-added, it may no longer be the first file on the key. Always reformat the key before a new setup.bin file is copied to it.
  • Keys should be 2GB or less. FAT16 cannot address more than 2GB on these devices.
  • Purchased keys should not have any preinstalled software on them.
  • Keys should only be used for USB key provisioning and not for any other purpose.
  • Keys should never have been created as a bootable device.
  • BIOS settings can impact USB provisioning. If you experience problems, load the manufacturer's default BIOS settings before doing USB provisioning.

12.20.2007

USB Compatibility Matrix for Intel vPro Technology Averill

The keys marked YES are acceptable for USB provisioning. The keys marked NO are not recommended for USB provisioning. New keys were used in these tests.

System Model BIOS Version Cruzer 2GB Cruzer 512MB Sony 512MB Team 1GB PNY 256MB Geek 2MB Kingston 512MB
Lenovo M55p 2MKT37AUS YES YES YES YES YES YES YES

4.24.2008

USB Compatibility Matrix for Intel Centrino with vPro technology Santa Rosa

The keys marked YES are acceptable for USB provisioning. The keys marked NO are not recommended for USB provisioning. New keys were used in these tests.

System Model BIOS Version Cruzer 2GB Cruzer 512MB Sony 512MB Team 1GB PNY 256MB Geek 2MB Kingston 512MB
Acer TravelMate 6592 v1.41 NO NO NO NO NO NO NO
Dell D 630C A02 NO NO NO NO NO NO NO
FSC* E8410 1.12 NO NO NO NO NO NO NO
HP HP Compaq 6910p 68MCD Ver.F.13 YES YES YES YES YES YES YES
Lenovo T61 2.1 YES YES NO NO NO YES NO
Lenovo X61 1.1 YES YES YES NO NO YES NO
Samsung NP-P55 04AY NO NO NO NO NO NO NO
Toshiba* Tecra M9-S5514 1.8 NO NO NO NO NO NO NO

4.24.2008

*Fujitsu-Siemens Corporation (FSC) and Toshiba do not support USB provisioning on their Intel® Centrino® Pro processor technology platform.

USB Compatibility Matrix for Intel vPro technology (2007) Weybridge

The keys marked YES are acceptable for USB provisioning. The keys marked NO are not recommended for USB provisioning. New keys were used in these tests.

System Model BIOS Version Cruzer 2GB Cruzer 512MB Sony 512MB Team 1GB PNY 256MB Geek 2MB Kingston 512MB
Dell Optiplex 755 A04 YES YES YES YES YES YES YES
FSC ESPRIMO P5925 R1.09.2584.A1 YES YES YES YES YES YES YES
HP HP Compaq dc7800 786F1 v01.04 YES YES YES YES YES YES YES
Johannesburg DQ3510J JOQ3510J.86A.0677.2007.0831.0433 NO NO NO NO NO NO NO
Lenovo M57p 2RKT38A YES YES YES YES YES YES YES

4.24.2008

USB Provisioning Tips for Lenovo T61

Use these tips when provisioning a Lenovo T61 notebook:
  • Don't attempt to USB provision after a forced power off (holding the power button for 5 seconds). Only attempt a USB provision after a normal shutdown or restart.

  • If the USB key fails to provision, load the factory BIOS defaults and try again. If this does not resolve the issue, then do the following:

  1. Disable Intel(R) AMT from the BIOS.
  2. Boot the system with the USB key.
  3. Re-enable Intel AMT from the BIOS.
  4. Provision the system using the USB key.

2.12.2008

What is the maximum number of PID/PPS pairs that can be used during USB provisioning?

PROBLEM Customers activating a high number of systems using One Touch/USB provisioning may run into performance degradation attempting to import these keys in a management console.
RESOLUTION There is no theoretical limit to how many PID/PPS pairs can be on a USB key, but there may be a threshold above which the performance degrades significantly. At this time, the largest known deployment using USB provisioning was with a 30,000 PID/PPS pair. Altiris* was unable to process this setup.bin file, however the Intel SCS Console was able to import these keys despite the timeout error that the console indicated.

4.29.2008


Automating PID/PPS key generation using LANDesk utility


There is a utility available in your LANDesk installation that allows you to quickly generate a specific numbers of PID/PPS pairs for USB provisioning. Follow these instructions; the steps represent a standard installation.

  1. Open Windows Explorer and navigate to your LANDesk program files.
  2. Open the managementsuite folder and locate AMTUSBFile.exe.
  3. Open a command window and navigate to the path where AMTUSBFile.exe resides. Use the table below to run the utility.

To do this... Then type this and press Enter...
List all available parameters AMTUSBFile.exe –h
Generate X number of pairs AMTUSBFile.exe –c current ME password new ME password –n number of pairs

For example, to generate 625 records would take ~1 second:

AMTUSBFile.exe –c admin Landesk1! –n 625
Import the keys from the generated setup.bin to the LANDesk database AMTUSBFile.exe –i

Note: LANDesk uses an encrypted string when saving credentials to the database. Sometimes, this encrypted string is invalid to databases, such as Oracle. If this occurs, you may need to run the command several times before the keys are added. Records already imported will not be imported again.
Verify the list of records in the database AMTUSBFile.exe –g

6.27.2008

*Other names and brands may be claimed as the property of others.

Tags: usb_provisioning, linux, amt, lenovo, uuid, hp, centrino_pro, vpro, altiris, sms, usb, scs, tools, troubleshoot
Average User Rating
(1 rating)
Comments (2)
Mar 26, 2008 4:39 PM Click to view Simple's profile Simple  says:

Dell Optiplex 755 A04 YES YES NO YES YES YES YES YES
Вы в этом уверены?
+++++++++++++++++++
buy cheap mp3,

Aug 1, 2008 2:54 AM Click to view Simple's profile Simple  says:

Уже уверен ))
_______________
ipod

Actions

Incoming Links

More by josh.hilliker

View josh.hilliker's profile