Known Issues, Best Practices, and Workarounds

VERSION 103

Created on: Nov 12, 2007 9:34 AM by Josh Hilliker - Last Modified: Nov 4, 2009 4:26 PM by Steve Lewis

Check back often -- I'll be adding more content to this wiki on a weekly basis, at minimum. Don't see what you need? Send your wishlist to Michele Gartner.

 

Best Practices

Automatically disabling the Intel® AMT Privacy Notification window

PROBLEM

A Privacy Notification window automatically displays when each user logs into the Intel® AMT system.

RESOLUTION

End users can disable this window by selecting the "Do not display this message" checkbox.

However, you can also disable the Privacy Notification window and still keep the application running by modifying a registry key.

 

To modify the registry key:

 

  1. Open the registry and locate this key: HKEY_LOCAL_MACHINE\Software\Intel\Network_Services\atchk

  2. Create a new DWORD value named MinimizePrivacyIconAtStart and set it to 00000001.

11.9.2007

 

 

Changing Terminal Emulation Type

PROBLEM

Some vendor BIOS versions only support the display of specific emulation types. Using this command, specific ISVs will be able to redirect and emulate without issue.

RESOLUTION

This command only applies to users running Altiris, HP Openview, and Microsoft SMS.

 

On the console machine:

 

  1. At the Start menu, select Run.

  2. In the Open field, enter CMD and click OK. A command window opens.

  3. At the command prompt, type telnet and press Enter.

  4. In the telnet session, type set term ansi or set term vt100 and press Enter.

  5. Type quit and press Enter.

 

Your terminal emulation type is now set to ANSI or VT100, depending on what you entered. You can re-enter the telnet session at any time and type d to verify the emulation type.

 

NOTE: If you do not properly quit the telnet session, the setting will not be saved.

6.11.2008

Customizing the Intel® AMT Status dialog box

You can view the status of Intel AMT on a machine by double-clicking the system tray icon and choosing Status. This dialog box displays whether Intel AMT is enabled or disabled. It also has a hyperlink that allows the user to visit a site for more information about Intel AMT. You can customize this hyperlink to go to any site you wish. For example, you may want to modify it to point to your organization’s help desk page or to the Intel® vPro™ Expert Center (http://www.intel.com/go/vproexpert).

 

This procedure applies to Intel® AMT 2.5 and greater. See the readme file, included in the download, for more information.

  1. Download the files to modify the registry.
  2. The files are located here: http://communities.intel.com/docs/DOC-1797
    1. Save the OemUrlRegistry.zip file to your desktop.
    2. Extract the files: oementry.re_ and readme.txt.
  3. Customize the hyperlink.
    1. Open oementry.re_ in a text editor.
    2. Edit the destination hyperlink. The default entry is: "OemUrl"=http://www.intel.com/vpro.
    3. Rename oementry.re_ to oementry.reg.
  4. Run the *.reg file to modify the registry.
    1. Double-click oementry.reg.
    2. A cautionary dialog box displays. Click OK.
    3. An information dialog box displays that the registry was modified. Click OK.
  5. Restart the computer.

 

Intel® AMT platform may have up to 8 client certificates that can define different 802.1x profiles

 

PROBLEM

Some users need to move a PC between several networks.  For example, a support technician may support multiple clients that require different client certificates.

RESOLUTION

Users may install up to 8 client certificates.

 

2.24.2009 QA1312

 

How To Remove the CMOS Battery on a Lenovo* ThinkPad* T400

 

PROBLEM

If the administrator forgets the MEBx password, the only way to clear the password is to remove the CMOS battery.

RESOLUTION

To remove the CMOS battery on a Lenovo* ThinkPad* T400 you must remove the keyboard to get to the battery. The battery is located under the palm rest. Please refer to the Lenovo* instructions at the following URL**: HTTP://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-71484.

**This URL to a non-Intel web site is provided for the reader's convenience. This is not an endorsement or recommendation by Intel of the site or products.

 

Note for Intel(R) Anti-Theft (Intel AT) Technology users: if your PC is enrolled in an Intel AT service, and you remove the CMOS battery, the ME may detect this as tampering and lock the system.  You will then need the Intel AT passphrase to unlock the system after you reboot.

 

WARNING: To avoid personal injury or property damage, follow the manufacturer's safety instructions that apply whenever accessing the inside of the product.

CAUTION: There is the danger of explosion if the battery is incorrectly replaced. When replacing the battery, use only the battery recommended by the equipment manufacturer and follow the manufacturer's instructions. Electrostatic Discharge (ESD) can damage disk drives, boards, and other parts. We recommend that you perform all procedures at an ESD workstation.

3.9.2009 QA1330

Root certificate size limit is 2048-bits

PROBLEM

Intel(R) AMT is incompatible with a 4096-bit PKI if Intel(R) AMT systems need to validate a certificate chain containing this key size, for example in 802.1X networks.

SOLUTION

If a customer already has a PKI with a 4096-bit root certificate, you can work around this issue by adding a 2048-bit root CA and then using it to issue certain certificates (for example, RADIUS).

4.2.2009 QA1341

How to hide the Intel(R) Management & Security Status (IMSS) tool system tray icon

 

SOLUTION

To hide the IMSS system tray icon, delete the key at the following registry location:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Picon\"C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe"

 

4.2.2009 QA1342

 

Tips on ME firmware updates

PROBLEM

To successfully upgrade your ME firmware, follow the guidelines listed below.

SOLUTION

Version number format for ME firmware

Intel(R) AMT firmware versions use the following format:

W.X.Y.ZZZZ

W = platform

X = major version

Y = minor version

ZZZZ = build number

Rules for successful upgrades


(1) The platform number (W) of the update must match the existing firmware.

(2) The major number (X) of the update must be the same as, or higher than, that of the existing firmware. The only two exceptions are: 2.0 can only be upgraded to 2.1 or 2.2; version 2.5 can only be upgraded to 2.6.

(3) The minor version (Y) for the update must be greater than, or equal to, the minor version for the existing version if the major version is unchanged (for example, 3.0.0 to 3.0.1).

(4) Always use the FWUPDLCL utility from the upgrade toolkit.

(5) ME Firmware Local Updates must be enabled in the MEBx, or the Local FWU Override Counter and Local Firmware Override Qualifier must be set appropriately to allow an override.

TIP: Run MEInfoWin.exe against the platform, or log on to the MEBx (on the local machine), to check or change the ME Firmware Local Update setting. You can also check or change the status of the FWU Override Counter and FWU Override Qualifier settings.

 

9.11.2009 QA1359

 

Intel(R) AMT does not allow multiple simultaneous commands

 

PROBLEM

For example, if a SoL session is active from the Microsoft* SCCM Out of Band console, then the Intel® AMT firmware will not process a collection-based power control command from the console.

SOLUTION

Intel® AMT firmware will ignore a second command if it is still processing an active command. This is a security feature.

 

9.11.2009 QA1327

 

BIOS

F10 does not exit BIOS on HP clients

PROBLEM

During a SoL session to an HP* client, pressing F10 does not exit BIOS.

RESOLUTION

Press ESC and 0 (zero) at the same time as an alternative to exit BIOS.

1.30.2008

 

The TCP/IP DHCP Mode setting in MEBx must be enabled for remote control of an Intel(R) AMT platform

 

PROBLEM

Current tools from Intel do not control the TCP/IP DHCP Mode setting. Additionally, only an un-provisioned platform will give you the option to set this option locally.

Disabling TCP/IP DHCP Mode requires an onsite physical touch to either do a clear CMOS, or from MEBx, to do a full unprovision. All tools related to remote provisioning, un-provisioning, or updating/modifying Intel® AMT firmware settings require that TCP/IP already be enabled. There is also no known in-band solution using ISV applications.

If the TCP/IP DHCP Mode setting is set to NONE, then the IP address is 0.0.0.0 and the ME cannot receive or execute any commands.

RESOLUTION

When purchasing a system, customers should verify that their OEM has a tool to remotely turn on the TCP/IP setting before deploying systems with the TCP/IP setting disabled.

In some cases where the DHCP Mode setting in the MEBx is Enabled, but the user is not ready to provision the systems already deployed, they will see heavy DHCP network traffic. To avoid heavy network traffic on the DHCP server caused by the hello packets from numerous unprovisioned systems, set the Manageability Feature Selection setting to NONE and keep the TCP/IP DHCP Mode setting enabled.

If the systems with the TCP/IP DHCP Mode disabled are already deployed, and the OEM doesn't have a tool to remotely enable this setting, the administrator must go to each system and either clear CMOS, or do a full unprovision from MEBx.

 

 

3.3.2009 QA1309

 

After reflashing a full image, is a "clear CMOS" required?

 

 

PROBLEM

Is a "Clear CMOS" required after a full image flash?

RESOLUTION

No, the "clear CMOS" is not required, but is recommended on systems with legacy BIOS code (as opposed to UEFI) if problems arise after full image flash (i.e., the Clear CMOS can be used as a "fix" for post-flash issues).

Also, it is recommended that you use an image tool with full erase, program, and reboot steps; perform an update on a duplicate/test environment first; use defaults, then compare updated file to source file BEFORE rebooting (should be 100% compare). After reboot, go into BIOS and set optimal defaults.

 

6.1.2009 QA1355

 

 

Remote BIOS update with AMT Commander does not see BIOS update files

 

 

PROBLEM

When using AMT Commander to perform a remote BIOS update using SOL/IDE-R, AMT Commander does not display the text of the BIOS update files; it only displays the bootable ISO files.

RESOLUTION

The problem is likely with terminal emulation between the remote system running AMT Commander and the target system where the BIOS update is to be performed. AMT Commander (part of the AMT SDK) contains many terminal emulators, not just the common vt100 or PC ANSI. Ensure that the AMT Commander terminal emulation matches the target system's terminal emulation (contact the target system OEM if necessary).

Also, some OEMs supply a local keyboard lockout feature during remote SOL/IDE-R sessions. This can get corrupted so that the remote keyboard is locked out, not the local one. If this happens, the target system OEM must supply an update for the corrupt feature. AMT Commander contains a control for local keyboard lock; make sure this is set to off.

 

5.27.2009 QA1356

 

Intel(R) AMT Event log includes Platform Event Traps from the BIOS

 

 

PROBLEM

Some events listed in the Intel(R) AMT event log are generated by the BIOS and simply passed through to the Intel(R) AMT event log. For example, if the system fails to boot using the PXE option, you may see a "System boot failure" event in the log. The source may say Intel(R) AMT only because it was passed by the BIOS to the Intel(R) AMT firmware.

RESOLUTION

No solution is required. This is expected behavior.

 

6.1.2009 QA1345

 

Client Drivers

Using Intel vPro technology and Linux

PROBLEM

Where can I find more information about Intel vPro technology on Linux?

RESOLUTION

Information about Linux support is available at the Open Source Intel AMT Drivers and Tools site.

10.11.2007

Linux-based wireless drivers

PROBLEM

Where can I find the most recent Linux drivers for an Intel vPro system?

RESOLUTION

Visit http://www.intellinuxwireless.org/ to download Intel wireless drivers.

11.9.2007

Wireless management does not work when the operating system is running

PROBLEM

Wireless management does not work when the operating system is running.

RESOLUTION

Check if there are missing or faulty Intel AMT drivers (HECI & LMS/SOL) in Microsoft Windows*. Get the latest drivers from the OEM's web site and install them. Once the drivers are installed, the Intel(R) Management Engine should work properly with the wireless connection.

1.30.2008

 

LMS/SOL driver setup program fails to install privacy icon if installation path includes square brackets

 

PROBLEM

If the path to the LMS/SOL driver setup.exe contains square brackets, then the driver will be installed but the privacy icon will not be installed. For example, setup will fail with this path: c:\drivers\[HP]\lms_sol\setup.exe.

RESOLUTION

This issue is expected to be fixed in Intel® AMT 4.2.

To work around the issue, remove the square brackets from the path.

 

4.2.2009 QA1333

 

Infrastructure

PROBLEM

Is there a performance hit for IDE-R over a WAN?

RESOLUTION

We do not recommend using an IDE-R session to boot large CD-ROM images over a WAN. Instead, we recommend using a stripped down IDE-R image that can load up a network stack on the AMT client. The network stack can be used to access local shares at the branch that have the tools you need to either rebuild the OS or diagnose problems.

2.8.2008

Firewalls may not let Intel® AMT clients communicate with management consoles

PROBLEM

The wired LAN NICs are not recognized by the Intel® AMT management consoles. They do show up in the DHCP listings. Only the wireless NICs were discovered as Intel® AMT devices. IPCONFIG on each notebook shows IP addresses assigned to both WLAN and LAN NICs.

When the firewalls are turned off, the Intel® AMT consoles can communicate with the LAN NICs.

RESOLUTION

Firewalls can prevent clients from registering an FQDN (fully qualified domain name), which prevents them from being discovered by the console. Verify that the firewall is not configured to block these kinds of requests.

11.25.2008

Secondary DNS IP makes Intel® AMT configuration fail in basic (formerly SMB) mode

PROBLEM

When configuring Intel® AMT in basic (formerly SMB) mode during boot up, some values for the secondary DNS server IP address make the configuration fail.

If a secondary DNS server's last octet value is 223 or higher, the configuration fails.

RESOLUTION

This is a known issue in the Intel® Management Engine and will be fixed in the next release. The current workaround is to change the secondary DNS server's IP address, or to not use the secondary DNS server at all in the configuration.

11.25.2008

ME NIC remains at lowest negotiated speed and half duplex mode after booting

PROBLEM

When you reboot the system and enter a SoL/IDER session, the ME NIC will remain in the lowest negotiated speed setting and half duplex mode if the SoL/IDER session remains connected during boot. The NIC does not renegotiate to the highest available speed or full duplex mode after the operating system boots.

RESOLUTION

To force the ME NIC to renegotiate to full speed/full duplex mode, disconnect the SoL/IDER session then reconnect.

11.25.2008

 

GenScript produces errors on Windows* Vista OS, Windows* Server 2008, and clients with 802.1x profiles

 

PROBLEM

The Intel® WS-MAN translator package used with Microsoft* SCCM 2007 SP1 generates some errors due to scripting language changes introduced in Windows* Vista.
The scripts will not run correctly on Microsoft* Vista and Microsoft* Server 2008 operating systems. Also, wired 802.1X scripts produced by GenScript only execute properly the first time they are run.

RESOLUTION

An updated version of the WSMAN translator is available.

3.3.2009 QA1322

 

Usage of Locally Administered Address on Intel(R) Active Management Technology enabled systems

 

 

PROBLEM

An incompatibility exists between Intel(R) Active Management Technology (Intel(R) AMT) and Locally Administered Address (LAA) environments. As a result, Intel AMT enabled systems configured to work in LAA environments might encounter LAN disconnects.

RESOLUTION

A Locally Administered Address (LAA) is an option allowing users to set their own MAC address on the platform and thus bypass the Burned-in address (BIA) MAC. Intel AMT was not designed to support LAA environments and there are no plans to add this capability in the near future.

Intel recommends avoiding usage of LAA together with Intel AMT technology to avoid this issue.

 

 

5.18.2009 QA1350

 

ISV

Altiris

Troubleshooting DNS when configuring Altiris

PROBLEM

DNS configuration issues display when configuring Altiris.

RESOLUTION

Use these troubleshooting tips to help resolve DNS configuration issues with Altiris:

 

  • Verify that the Altiris host has fully qualified records in the DNS infrastructure. This would constitute an A record for forward lookups and a PTR record for reverse lookups.

  • Make sure the Intel Setup and Configuration Service (SCS) is up and running on the box.

  • Upgrade the SCS Console to the current version. This process is not supported by Altiris and is only for troubleshooting.

  • IMPORTANT: When you upgrade, only install the console. DO NOT upgrade the entire SCS application.

     

    To upgrade to the current version:

  1. Download the SCS package at http://softwarecommunity.intel.com/articles/eng/1025.htm.
  2. When the download is complete, open the ZIP file and double-click 3.1.0.7.zip.
  3. Double-click AMTConsole.zip and run AMTConsole.exe. The console will prompt you to use the fully qualified domain name. An SSL session may be necessary to connect to it, depending on the server configuration. The console client works like a web browser and a URL is required to connect to the SCS, for example: http://server.something.com/atmscs or https://server.something.com/atmscs.

12.20.2007

Can the Default 'provisionserver' naming conventions be changed?

PROBLEM

Can Intel AMT firmware be reconfigured to change the default 'provisionserver' naming convention to a value of a customer's choosing?

RESOLUTION

The provisionserver value is hard coded and cannot be changed. It is recommended that the customer set up a second A record or a CNAME record in the DNS that points the provisionserver.yourdomain.com to the ISV server.

2.8.2008

 

LANDesk

No drivers required for bare metal provisioning

PROBLEM

A customer with LANDesk* LDMS 8.8 or similar provisioning server does not need to load drivers or an OS image on the Intel(R) AMT clients to perform bare-metal provisioning.

SOLUTION

No drivers are required for bare-metal provisioning of an Intel(R) AMT client. The system administrator will, however, need to pre-populate the provisioning server database with the client configuration information (UUID, FQDN, OU if Active Directory is used, Profile). Refer to the LANDesk documentation for information on how to enter the client configuration information into LDMS 8.8. The Intel AMT client will send out a hello packet as soon as the network and power cables are plugged in. If the provisioning server is found, and the client configuration information is in the provisioning database, then the client will be provisioned.

 

7.28.2008

Need to set LANDesk* root certificate as trusted certificate

PROBLEM

In the default configuration, the LANDesk root certificate is not trusted by the Microsoft* CA. The user is then unable to use the WebUI.

SOLUTION

From Microsoft* Internet Explorer, add the LANDesk* root certificate to the list of trusted certificates.

  1. Open Microsoft* Internet Explorer.
  2. Choose Tools->Internet Options.
  3. Click on the Content tab.
  4. Click on the Certificates tab.
  5. Under the Trusted Root Certificates tab, import the root certificates.
  6. Under the Intermediate Certificate Authorities tab, import the intermediate certificates.
  7. Verify that the certificate used can be traced back to the root.

 

9.10.2009  QA1370

LANDesk* Management Suite 8.8 SP2 patch fixes loss of in-band connectivity

PROBLEM

After provisioning, the in-band network connection on some Intel(R) AMT systems may shut down. The LANDesk console will then place the systems in remediation. These Intel(R) AMT systems can, however, still be managed with LANDesk* OOB tools and the Intel(R) AMT Web GUI. This is an intermittent issue. The time between provisioning the system and the loss of in-band connectivity ranges from a few minutes to about an hour.

SOLUTION

If you have LANDesk* Management Suite 8.8 SP2, and you have lost in-band connectivity, but you can still access the remote systems using OOB tools, try the following patch or upgrade to a later LANDesk* service pack (SP3 or later). The URL** for the patch is: HTTP://community.landesk.com/downloads/ServicePack/LD-88-AMT-CR20525-88.zip

**This URL to a third-party site is provided for the reader's convenience. This should not be construed as a recommendation by Intel for the products or services provided by the third party.

 

9.11.2009  QA1344

LANDesk* 8.8 SP2 console requires repeated deletion of two directories when provisioning

PROBLEM

The RootCA and the SubCA directories must be deleted repeatedly to enable provisioning to continue.

SOLUTION

No solution exists at this time. The issue is expected to be fixed in v8.8 SP3.

 

10.09.2009  QA1349

 

Microsoft SCCM (see also: http://communities.intel.com/openport/docs/DOC-1627#cf)

Enabling native (no translation required) support within Microsoft SCCM SP1

A BIOS update is available to provide native support within Microsoft SCCM SP1 for Dell 755, HP DC7800, and Lenovo M57p computers.

 

OEM Model      Link to BIOS Update
Dell 755       Click here.
Lenovo M57p    Click here.
HP DC7800      Click here.

 

7.23.2008

Virtual adapters may cause network discovery to fail

PROBLEM

When discovering vPro systems via a console that has a virtual adapter enabled with an IP address assigned, such as Microsoft SCCM, the discovery process may fail if the virtual adapter IP address is used for the discovery process.

RESOLUTION

Before performing the discovery, disable any virtual adapters that were created by software such as VMware*.

 

7.30.2008

Microsoft* SCCM unable to use Intel® AMT features when run on Microsoft* Vista* Operating System

PROBLEM

When the Microsoft* SCCM management console is run on a Microsoft* Vista* SP1 operating system, all Intel® AMT based objects and functionality are missing.

RESOLUTION

No solution is available at this time.

 

1.29.2009 (QA1304)

 

 

Microsoft* SCCM 2007 SP1 hotfix roll-up KB960804 includes KB959040

 

PROBLEM

Microsoft* System Center Configuration Manager 2007 Service Pack 1 (SP1) hotfix roll-up KB960804 includes KB959040 (a fix to enable PKI provisioning with Intel® AMT 2.2 and 2.6.) The original description of the roll-up incorrectly omitted the KB959040 hotfix.

RESOLUTION

To get KB959040 hotfix, users may download the KB960804 hotfix roll-up.

 

Refer to the Microsoft* support website for more information about the hotfix packages. The Microsoft* URL** is: http://support.microsoft.com/kb/960804

**This URL is provided for the reader's convenience. It is not an endorsement of products or services by Intel Corporation.

 

 

2.24.2009 QA1323

 

SoL/IDER fails on Microsoft SCCM 2007 SP1 with two-tiered PKI model

 

PROBLEM

SoL and IDER fail using Microsoft* SCCM in an environment with a Root CA and a Subordinate Issuing CA.

RESOLUTION

This issue has been fixed by a hotfix for Microsoft* SCCM 2007 SP1. The URL** for the hotfix is: HTTP://support.microsoft.com/hotfix/kbHotfix.aspx?kbnum=960804

**This URL is provided for the reader's convenience. It is not an endorsement of products or services by Intel Corporation.

 

2.24.2009 QA1319

 

Failure of collection-based power control in Microsoft* SCCM SP1

 

PROBLEM

In a Microsoft* SCCM hierarchy with a central site and a primary child site, power control operations from the central site work for some clients and fail for others. The same power control operations work correctly from the child site.

RESOLUTION

Not all client settings are being transferred up the Microsoft SCCM hierarchy to the central database. This issue will be resolved in the Microsoft SCCM SP2. Alternatively, system administrators may change the TlsMode setting in the dbo.AMT_MachineProperties table in the SCCM site database; it should be set to "1" for each client.

 

10.09.2009 QA1362

 

Management Engine

Maximum number of agents that can be monitored simultaneously

PROBLEM

How many agents can the Intel Management Engine monitor at one time?

RESOLUTION

This data is undocumented; however, testing shows that Intel AMT 2.0 can monitor up to sixteen agents.

 

NOTE: The number of agents that can be monitored depends on how the ISV is implementing agent presence.

12.20.2007

Hewlett-Packard 6910P returns UUID=00000 during activation

PROBLEM

HP 6910p returns a hello packet of UUID=00000 during activation.

RESOLUTION

This is a known issue with the firmware and will be fixed when the 2008 platform is released.

 

Meanwhile, your customers can request a BIOS update from HP to work around this issue.

12.20.2007

Running virtual machines and DHCP can cause Intel AMT to be inaccessible

PROBLEM

Using DHCP in a virtual machine can cause Intel AMT to become inaccessible when you close the virtual machine session. This is because your computer and Intel AMT will now have different IP addresses.

RESOLUTION

To work around this issue, exit the virtual machine session(s) and then do one of the following:

  • Reboot your system.

 

OR

 

  • Release and renew the IP address as follows:

    1. Click Start and choose Run.

    2. Enter cmd and click OK.

    3. At the command prompt, type:

ipconfig /release and press Enter.
ipconfig /renew and press Enter.

This is a known issue and will be updated as more information is available.

1.24.2008

Wildcard certificates are currently not supported for remote configuration

PROBLEM

When provisioning enterprises with multiple domains via remote configuration, individual certificates are required for each domain that needs to communicate with the Management Console. Wildcard certificates are currently not supported.

RESOLUTION

Wildcard certificate support is a feature request for AMT 3.2 (Weybridge) and AMT 2.6 (Centrino).

Meanwhile, you can work around this issue by deploying an SCS server and a certificate for each domain.

MORE INFORMATION

This issue will be updated as more information becomes available.

1.24.2008

No inventory data available

PROBLEM

Inventory data does not appear after provisioning an Intel AMT client, even though the provisioning process was successful and without errors.

RESOLUTION

POST needs to occur for the data transfer to take place. The inventory data resides within the BIOS SMI tables; until it has been transferred to the Intel Management Engine, it cannot be viewed by the WebUI or retrieved programmatically. The BIOS and ME handshake must occur during POST to transfer data. Make sure the system has run through POST, so that the inventory data is transferred from BIOS into ME.

1.30.2008

Weybridge issue causing network disconnects; impacting Dell Optiplex 755

PROBLEM

Currently shipping non-provisioned Intel(R) vPro(TM) or Intel(R) AMT PCs on some Weybridge configurations may report a network disconnect/reconnect on five minute cycles when the 24 hour provisioning period expires while in a low power state. An unused security feature of Intel(R) AMT triggers the network disconnect and then resets the network connection on 5 minute cycles.

RESOLUTION

This issue has been resolved in the A09 BIOS release from Dell for the Optiplex 755. The BIOS release is available at the following URL:

 

http://support.us.dell.com/support/downloads/download.aspx?c=us&l=en&s=gen&releaseid=R181510&formatcnt=1&libid=0&fileid=247483

 

Click here for the update.

 

2.27.2008

Synchronizing the operating system and the Intel AMT hostname.

PROBLEM

Is there an automated way to synchronize the operating system and Intel(R) AMT hostname?

RESOLUTION

The Intel(R) AMT Reflector tool is now available on the Intel(R) vPro(TM) Expert Center.

See the Tools wiki for more helpful vPro tools.

Best Practices: Setting up application servers and Internet Explorer* for Intel(R) AMT Kerberos support

  • Verify that your Internet Explorer settings are correct for pass through authentication.

    • Open Internet Explorer and choose Tools > Internet Options > Advanced Tab.

    • Select Enable Integrated Windows Authentication. Exit and restart Internet Explorer before attempting to access the Intel AMT device.

  • Install these Kerberos patches on the system you will use to access the Intel(R) AMT device.

    • WindowsServer2003-KB899900-X86-ENU.exe

    • WindowsServer2003-KB908209-X86-ENU.exe

    • WindowsServer2003-KB899900-X86-ENU.reg

  • If you are using Windows XP* as the operating system for the computer used to access the Intel AMT web interface, then install these patches:

    • WindowsXP-KB899900-X86-ENU.exe

    • WindowsXP-KB908209-X86-ENU.exe

    • WindowsXP-KB899900-X86-ENU.reg

  • Ensure that the time settings for the Intel AMT client(s), domain controllers, and the application server are synchronized.

  • Before provisioning:

    • Create an AMT OU on the domain controller existing on the domain on which your Intel(R) AMT devices reside. For example, if your device exists on child.parent.com, and your provisioning server (or Intel SCS) resides on parent.com, then create an OU for AMT objects on child.parent.com.

IMPORTANT: If there are multiple domains, then add an OU to each domain.

  • Provision your Intel AMT client.

 

5.30.2008

Network issues with NS Lookup

PROBLEM

A single vPro machine can be accessed via WebUI, but does not appear in DNS. Its name is not resolved by NSLookup.

RESOLUTION

NSLookup does not use the standard client resolver routines but uses similar routines of its own. If true, this means a valid name-IP record could be cached on the client and be used by IE to resolve the name, even though NSLookup fails to resolve the name and there is no DNS record.

 

To determine this, do the following:

 

  1. In the command prompt program, enter ipconfig /displaydns to inspect the cache for the dns record.

  2. Enter ipconfig /flushdns to clean out records and retry (it should fail if there is no DNS record).

 

6.13.2008

Does Intel AMT 3.0 support Windows 2000 Active Directory?

For support of Windows 2000 Active Directory, AMT 3.2 is required. Intel AMT 3.2 was released to the OEMs during Q1 2008. Please contact your OEM to find out when the update will be publicly available.

 

6.13.2008

Switching from NAC to 802.1x results in loss of connectivity

PROBLEM

In an EAC*-enabled network, where a NAC or NAP server is deployed and configured to request “posture” or SoH, Intel® AMT connectivity may be lost to clients that are not in H0 state if the server configuration is modified to work with 802.1x only.

RESOLUTION

If the NAC/NAP server configuration is changed to work with 802.1x only, then do one of the following:

  • Restart LAN switch ports, or

  • Restart the clients.

 

6.25.2008

Using Intel(R) AMT wirelessly without user intervention

PROBLEM

Intel AMT wireless connectivity is not available when the operating system is running and the user is not logged in.

RESOLUTION

To work around this issue, configure the Single Sign On (SSO) driver to maintain a wireless connection. Once the SSO properties are set according to the table below, Intel® AMT will be able to connect to the wireless profile using Microsoft* Windows  credentials before the user actually logs on.

 

SSO Properties

  • Pre-logon. This feature is identified with the “SSO” term. It allows you to connect to a  wireless profile using the Windows credentials entered by the user before the actual Windows log-in.

 

  • Persistent. This feature allows you to connect to a wireless profile that doesn’t require user credentials (but alternatively requires “system credentials”), in case the user is not logged on (either after reboot or after log-off). In order to use it, the IT admin has to configure such a profile that doesn’t rely on user credentials.

 

  • Security. Profiles for pre-logon and persistent connect are stored securely on the machine, cryptographically bound to the machine so that they cannot be transferred to another machine. The profiles are shared across all users on the machine, but certain user-based credentials such as PACs are stored on a per-user basis.

NOTES

  • Microsoft Windows XP users: Using persistent connection adds a service to handle establishing connections when users are not logged on.

 

  • Microsoft Vista users: The persistent connection is enabled on a per profile basis if the configured EAP (Extensible Authentication Protocol) method supports authentication with machine credentials.

 

7.16.2008

Cannot provision a system that uses an underscore in the host name

 

PROBLEM

Cannot provision a system that uses an underscore in the host name.

SOLUTION

Special characters cannot be used in host names. DNS host names may only contain letters, numbers, and the dash "-". Underscores and other special characters are not supported by the RFCs that define host name conventions. Some DNS servers, including Microsoft's, can support host names outside of the RFC specifications. See the links below for more information.

MORE INFORMATION

Microsoft KB article 909264: http://support.microsoft.com/kb/909264

 

RFC 952: http://www.ietf.org/rfc/rfc952.txt

 

 

RFC 1123: http://www.ietf.org/rfc/rfc1123.txt
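A pre-provisioning check for the host name rules described above, as an added example that is not part of the original wiki or of any Intel tool. The function names and the sample inventory are constructed for illustration; the length limits (63 characters per label, 253 per name) come from the DNS RFCs.

```python
# Added example: flag host names that break the RFC 952 / RFC 1123 rules
# before they are handed to provisioning. A DNS server that tolerates such
# names does not make them valid host names.

def hostname_problems(name):
    """Return the reasons `name` breaks the host name rules ([] if none)."""
    fqdn = name[:-1] if name.endswith(".") else name   # tolerate a trailing root dot
    if not fqdn:
        return ["empty name"]
    problems = []
    if len(fqdn) > 253:
        problems.append("name is longer than 253 characters")
    for label in fqdn.split("."):
        if not label:
            problems.append("empty label (doubled or leading dot)")
            continue
        if len(label) > 63:
            problems.append("label %r is longer than 63 characters" % label)
        # Only ASCII letters, digits and "-" are allowed inside a label.
        bad = sorted({ch for ch in label
                      if not (ch.isascii() and (ch.isalnum() or ch == "-"))})
        if bad:
            problems.append("label %r contains unsupported character(s): %s"
                            % (label, " ".join(bad)))
        if label.startswith("-") or label.endswith("-"):
            problems.append("label %r starts or ends with '-'" % label)
    return problems


def preflight(inventory):
    """Map each failing host name in `inventory` to its list of problems."""
    report = {}
    for name in inventory:
        problems = hostname_problems(name)
        if problems:
            report[name] = problems
    return report


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    "vpro-client01.corp.example.com",   # valid
    "vpro_client02.corp.example.com",   # underscore: rejected
    "lab-.corp.example.com",            # label ends with "-": rejected
    "9kiosk.corp.example.com",          # leading digit is allowed by RFC 1123
]

if __name__ == "__main__":
    for host, reasons in preflight(SAMPLE_INVENTORY).items():
        for reason in reasons:
            print("%s: %s" % (host, reason))
```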

 

9.5.2008

Does the Intel SCS automatically push updates to the CRL (Certificate Revocation List) to clients?

 

SOLUTION

The CRL does not automatically update on the clients. It needs to be pushed down from the SCS, by pushing it to individual AMT clients via the Operations screen, or to all clients via the Global Operations screen in the SCS Console.

MORE INFORMATION

The Certificate Revocation List contains the revoked certificates maintained by a CA. It is used when Intel AMT clients are configured to use Mutual TLS (MTLS) authentication.

 

9.5.08

Firewalls may not let Intel(R) AMT clients communicate with management consoles

PROBLEM

The wired LAN NICs are not recognized by the Intel AMT management consoles. They do show up in the DHCP listings in the Microsoft SMS* and Altiris* demos. Only the wireless NICs were discovered as Intel AMT devices. IPCONFIG on each notebook shows IP addresses assigned to both WLAN and LAN NICs.

 

When the firewalls are turned off, the Intel AMT consoles can communicate with the LAN NICs.

SOLUTION

Firewalls can prevent clients from registering an FQDN (fully qualified domain name), which prevents them from being discovered by the console. Verify that the firewall is not configured to block these kinds of requests.

 

9.5.08

 

Cisco ACS Certificate Configuration for Intel AMT

See this article to find specific configuration information.

 

10.15.08

What are some common hardware issues that are tracked by Intel® AMT?

 

SOLUTION

ASF Sensor Events

  • Temperature

  • Voltage

  • Fan

  • Chassis Intrusion

  • System FW Error (descriptor codes and descriptions are in the ASF spec 2.0) Examples:

    Unrecoverable hard disk/ATAPI/IDE device failure

    No video device detected

    FW ROM corruption detected

BIOS Events

  • System Boot Failure

  • BIOS errors

OS Events

  • OS Hangs

 

12.4.08

 

Q&A on customized Intel® AMT firmware

 

 

DESCRIPTION

Scenario: a customer would like to have an OEM deliver systems with custom Intel® AMT firmware settings and client certificate.

 

QUESTION 1: Will the customized firmware force the customer to use only customized firmware or BIOS updates for future releases?
ANSWER 1: The custom settings and client certificate will be preserved across firmware or BIOS updates if the OEM inserts the customized bits before the descriptor region manufacturing bit is locked.

 

QUESTION 2: Can an OEM customize all the Intel® AMT management engine settings?
ANSWER 2: Yes. All the features seen on the web GUI can be customized by an OEM.

 

QUESTION 3: Does Intel have a list of default settings for each OEM?
ANSWER 3: No. Customers should contact their OEM for the latest available information.

 

Caution: The custom settings and client certificate will not be preserved across updates if the OEM programmed the firmware after setting the descriptor manufacturing bit. This will require users to reinstall the client certificates before the systems can be managed.

SOLUTION

Customers should work with their OEM to develop a custom firmware image, then run a small pilot program to test it. Clear the CMOS and then try to reprovision the systems.

 

 

2.13.09 QA1308

Wrong IP address for Intel ME on Lenovo M58p using Hypervisor

PROBLEM

For a system running a Hypervisor on a platform with Intel(R) AMT 4.x or 5.x, the mismatch between the IP address assigned to the physical hardware and the guest operating system will prevent the manageability software from communicating with the Intel ME.

RESOLUTION

To sync-up the IP addresses, do the following:

 

  1. Modify the configuration settings so that Dom0 is configured to use the virtual MAC address.
  2. Assign the physical MAC address of the Intel ME NIC to the #1 Guest operating system.

 

This solution will produce the following result:

 

  1. After hardware initialization, the VMM and Dom0 will be brought up.
  2. Dom0 will provide the physical MAC address to the #1 Guest operating system, and virtual MAC addresses for each subsequent guest operating system.
  3. The #1 Guest operating system will initiate a DHCP request with the physical MAC address.
  4. The management console will now be able to communicate with the Intel ME using the IP address assigned to #1 Guest operating system.

 

9.11.2009  QA1366

Microsoft Systems Management Server (SMS) Add-on

Fix available: Microsoft System Management Server (SMS) Add-on V3.0 has local echo when using Serial over LAN (SoL)

PROBLEM

When performing SOL/IDER with SMS Console V3.0, the SOL console screen is set for local echo to be on and it cannot be disabled.

RESOLUTION

This issue is fixed in version 3.1 of the SMS Add-on, which you can download at http://softwarecommunity.intel.com/articles/eng/1356.htm.

Updated 2.8.2008

Fix available: Using the Intel AMT add-on for Microsoft SMS 2003 on a Dell 755 returns a UUID error

PROBLEM

Using the Intel AMT add-on for Microsoft SMS 2003 on a Dell 755 returns this error:

 

Current system UUID is different from last discovered UUID. Please rediscover the system.

RESOLUTION

An Intel AMT add-on for Microsoft SMS 3.0 hot fix 3 is available online at http://www.intel.com/software/sms-add-on.
This hot fix removes the continuity check between the SMBIOS and the Digest UUID, which was determined to be an unnecessary check.

MORE INFORMATION

Click here to download the hot fix.
Please review the release notes and the Read Me file to learn more.

12.20.2007

Fix available: The Intel AMT Add-on for Microsoft* SMS is unable to communicate with the SCS over a standard HTTP connection.

PROBLEM

The Intel AMT Add-on for SMS will communicate with the SCS over an HTTPS/SSL connection, however it will not communicate over an insecure HTTP/non-SSL connection, even if TCP port 80 is defined in the Intel AMT Add-on configuration.

RESOLUTION

Upgrading to version 3.1 of the Intel AMT Add-on for SMS resolves this issue. The update can be obtained from: http://softwarecommunity.intel.com/articles/eng/1356.htm

2.8.2008

Do management workstations running the SMS console and SMS Add-on require patches as outlined in the documentation for the Intel(R) AMT Add-on for Microsoft SMS*?

PROBLEM

The SMS Add-on documentation states that two hot fixes and registry patches are required. Are these patches/hot fixes required on the workstations that are running the Microsoft SMS console and Intel AMT add-on only?

 

Are they required only if the end user from that workstation is planning to use the web interface?

 

Are they required for the SMS add-on to function properly?

RESOLUTION

These patches are required on a management workstation if you wish to access the web interface on vPro clients.

5.8.2008

 

OEM

BIOS

Lenovo* M55p returns UUID=00000 during activation

PROBLEM

Lenovo M55p systems return a hello packet of UUID 00000 during activation. This problem occurs on machines that shipped with factory-default BIOS of 36 or less.

RESOLUTION

A firmware update to version AMT2.1.0.1032 is available from Lenovo to resolve this problem. Contact your Lenovo representative if you need this update.

 

A BIOS update is not required, but is recommended. Visit the Lenovo web site and navigate to the Support & downloads section of the site to find BIOS 37a.

10.19.2007

Dell* 755 returns a duplicate UUID during activation

PROBLEM

Dell 755 returns a duplicate UUID 00000 during activation.

RESOLUTION

A BIOS update (version A04) resolves this issue and is available on Dell's web site.

Click here to download the A04 BIOS update.

Note: If you are using the Intel AMT add-on for Microsoft SMS 2003, then you also need to download Hot fix 3. See Using the Intel AMT add-on for Microsoft SMS 2003 on a Dell 755 returns a UUID error for instructions.

1.24.2008

Ctrl + P prompt missing when CMOS battery unplugged

PROBLEM

When the CMOS battery is unplugged from the HP 7800p, the Ctrl+P command for accessing the Intel Management Engine is missing.

When SCS is opened and the refresh button is selected, the Intel AMT device does not appear.

RESOLUTION

Use the following steps to resolve this issue:

  1. Press F-10, when prompted during the boot, to access the BIOS on the system.

  2. In the BIOS, choose the Advanced menu -> Power-On Options and select “MEBx Setup Prompt.”

  3. Use the right arrow key to cycle it to “Displayed.”

  4. Press F-10 to accept the change.

  5. Go to the file menu and select Save Changes and Exit.

  6. The Ctrl-P prompt will reappear.

2.7.2008

When Intel AMT is disabled, there is a HECI driver problem in the HP* dc7800

PROBLEM

In vPro-capable HP dc7800 systems, when Intel AMT is turned on, everything works fine. When the Intel AMT driver is turned off in the Intel Management engine, the Intel HECI driver in the operating system causes an error to occur in the device manager: "device cannot start".

RESOLUTION

Follow these steps to correct this problem:

  1. Boot the client and press Ctrl + P to access the AMT/ME configuration settings.

  2. Go to the Intel ME Configuration and press Enter.

  3. Type Y to continue.

  4. Select Intel ME Features Control and press Enter.

  5. Select Manageability Feature Selection and press Enter.

  6. Select None and press Enter.

  7. Press ESC to go back to the main screen.

  8. The system will reboot.

  9. Go into device manager and verify that there are no failed devices.

2.14.2008

What does the Intel AMT status application dialog box signify?

PROBLEM

On brand new vPro systems, the Intel AMT Status Application dialog box displays the Intel AMT Status as "Enabled" even though Intel AMT has not been configured. Are OEMs shipping systems with Intel AMT enabled (provisioned)?

RESOLUTION

The Intel AMT status application is designed to show if the Intel AMT is or is not enabled in the Intel Management Engine. It does not reflect if a system has been provisioned/configured. Even when Intel AMT is disabled in the Intel Management Engine, the Intel Management Engine can still be accessed. OEMs do not ship provisioned systems unless that service is requested and purchased by the customer.

2.14.2008

Are there DLLs in the operating system that access vPro?

PROBLEM

Are there DLLs, in the operating system, that access vPro?

RESOLUTION

Individual OEMs manage the Microsoft Windows drivers that use Intel vPro technology. To access current drivers for clients, visit the OEM’s website.

2.14.2008

Unattended install of Intel(R) AMT client software/drivers not working properly on Microsoft Windows*

PROBLEM

Command line switches are not working properly to enable a silent install with the Intel AMT drivers.

RESOLUTION

The issue is that the wrong hyphen/dash character is being used. If the code is copied from an MS Word* document, the regular hyphen is replaced with another hyphen-like character which causes the command line options to work incorrectly.

 

Typing the command, rather than copy and paste, solves this problem.
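A check for the substituted-hyphen problem described above, as an added example that is not part of the original wiki. It goes slightly beyond the text by also catching the curly quotes that word processors substitute for straight quotes; the installer name and switches in the sample are constructed placeholders, not the Intel AMT installer's actual options.

```python
# Added example: find hyphen and quote look-alikes in a command line that was
# pasted from a word-processor document, and produce an ASCII-only version.
import unicodedata

# Characters commonly substituted for the ASCII hyphen-minus (U+002D).
DASH_LOOKALIKES = {"\u2010", "\u2011", "\u2012", "\u2013", "\u2014", "\u2015", "\u2212"}
# Curly quotes and the straight quote each one replaces.
QUOTE_LOOKALIKES = {"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'}


def ascii_replacement(ch):
    """Return the ASCII character `ch` stands in for, or None if `ch` is not a look-alike."""
    if ch in DASH_LOOKALIKES:
        return "-"
    return QUOTE_LOOKALIKES.get(ch)


def find_lookalikes(command):
    """Return (index, character, Unicode name, ASCII replacement) per suspect character."""
    findings = []
    for index, ch in enumerate(command):
        replacement = ascii_replacement(ch)
        if replacement is not None:
            findings.append((index, ch, unicodedata.name(ch), replacement))
    return findings


def broken_switches(command):
    """Return the tokens that look like switches but start with a non-ASCII dash."""
    return [token for token in command.split() if token[0] in DASH_LOOKALIKES]


def normalize(command):
    """Return `command` with every look-alike replaced by its ASCII equivalent."""
    return "".join(ascii_replacement(ch) or ch for ch in command)


# Constructed sample: "installer.exe" and its switches are hypothetical.
SAMPLE_COMMAND = "installer.exe \u2013silent \u2014log \u201cC:\\Temp\\amt install.log\u201d"

if __name__ == "__main__":
    for index, ch, name, replacement in find_lookalikes(SAMPLE_COMMAND):
        print("column %d: U+%04X %s, expected %r" % (index, ord(ch), name, replacement))
    print("unrecognized switches:", broken_switches(SAMPLE_COMMAND))
    print("corrected command:   ", normalize(SAMPLE_COMMAND))
```

Run the check on deployment scripts before distribution; a switch that begins with a look-alike dash is passed to the installer as an ordinary argument.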

2.27.2008

SoL/IDER does not work with the Lenovo* X61 Tablet

PROBLEM

The SoL/IDER sessions do not work on the X61 tablet.

RESOLUTION

This issue is resolved using the 1.07 BIOS release.

 

Visit the Lenovo web site and navigate to the Support & Downloads section of the site to find BIOS 1.07.

2.27.2008

SoL/IDER can’t be disabled on Lenovo* M55p

PROBLEM

Unchecking SoL and IDER, under the network tab, isn’t disabling the feature on the Lenovo M55p.

RESOLUTION

Update the BIOS to version 37a or newer versions. Visit the Lenovo web site and navigate to the Support & Downloads section of the site to find BIOS 37a or later.

3.4.2008

BIOS password screen unavailable on HP* systems during SoL session

This problem occurs when the Terminal Emulation Mode is not set correctly in the BIOS.

 

Here is the screen when Terminal Emulation Mode is set to VT100 through BIOS:

 

 

How to switch Terminal Emulation Mode:

 

  1. Open the HP ProtectTools Security Manager, click BIOS Configuration, and then select System Configuration.

  2. In the AMT Options section, change Terminal Emulation Mode to ANSI.

  3. Click OK.

 

 

The BIOS Password screen is now available during SOL sessions.

 

 

4.25.2008

Dell* D630c laptops reboot when sent a shutdown command via Intel® AMT

PROBLEM

Sending the "power down" command to the Dell* D630c notebook immediately shuts it down, but then it automatically re-boots.

RESOLUTION

This issue is resolved in BIOS version A02 for the Dell* D630c. You can download the BIOS update package from Dell at the following URL**:

Click here.


**This Wiki contains links to other Internet sites. Such links are not endorsements of any products or services in such sites, and no information in such site has been endorsed or approved by Intel, Inc.

11.25.2008

 

The look of the BIOS Setup screens using SoL depends on OEM support for terminal emulation modes

 

PROBLEM

Intel® AMT supports several terminal emulation modes. These are used to display the BIOS Setup GUI when using SoL. The look and feel may vary between manufacturers. Intel® AMT supports VT52, VT100, VT100+, and ANSI terminal emulation modes.

RESOLUTION

Check your OEM BIOS documentation for information about the supported terminal emulation modes and how to select the mode. Usually, the terminal emulation mode option will be in the Intel® AMT section of the BIOS Setup utility. Use ANSI mode for a more graphical looking display.

 

 

3.3.2009 QA1332

 

Platform: Averill

Are the Weybridge SoL and HECI drivers backward-compatible with Averill?

PROBLEM

Are the Weybridge SoL and/or HECI drivers backward-compatible with Averill? Can they be used and supported on an Averill platform?

RESOLUTION

Backward compatibility depends on the OEM and if they choose to support the drivers and platforms. For instance, HP does support the same drivers for 7700's, 7800's and 6910p, but other OEMs may not support the same drivers.

2.27.2008

 

Profiles

SCS

Intel SCS returns an error during a partial unprovision

PROBLEM

Partial unprovisioning of a system fails. The SCS log reports the following messages: "SOAP Failure (21): cannot partially unprovision AMT" or "SOAP Failure(21): cannot GetLowAccuracyTimeSync"

RESOLUTION

The partial un-provision command requires an FQDN to work. Accurate client DNS records are required to provide an FQDN for this functionality.

2.27.2008

Validation of SCS service users takes over 30 minutes when installed in a large Active Directory environment

PROBLEM

Validation of SCS service users takes over 30 minutes when installed in a large Active Directory environment

RESOLUTION

This issue is scheduled to be resolved in Intel(R) AMT SCS 5.0, to be released by the end of Q2.

2.27.2008

 

Setup and Configuration Service

GoDaddy* requires High-Assurance SSL certificates

PROBLEM

The standard domain-only validation SSL certificates from the GoDaddy Certificate Authority are not suitable for Intel AMT remote configuration. These types of certificates do not contain the OU information required by the firmware to accept them.

RESOLUTION

If GoDaddy is used as the CA, then request a High-Assurance SSL certificate, which should include the OU information required by the Intel AMT client.

For more information, see the Intel AMT SCS Installation and User Manual, Chapter 3, section “Preparing Intel AMT for Future Configuration.”

1.25.2008

Using static IP addresses and Basic (formerly known as SMB) mode

PROBLEM

Intel AMT functionality works in DHCP IP with Enterprise mode and SMS. However, SMS does not find asset information from the vPro machine when using Static IP with Basic mode.

RESOLUTION

Static IP addresses are not recommended. If they must be used, then the Intel Management Engine and the operating system will each need their own static IP address in order for AMT to function properly.

1.25.2008

Error displays when provisioning HP* 6910p

PROBLEM

Setup and Configuration Service (SCS) reports an error when provisioning Hewlett-Packard (HP) 6910p computers when using Wake on LAN (WoL) power policies 4 and 5.

RESOLUTION

This error occurs for all HP platforms shipped in 2007 and there is no workaround. HP does not support these power policies and the SCS is accurately reporting that they are unsupported.

Escalate this known issue to your HP sales representative.

1.25.2008

Will PKI-CH consistently support wildcard certificates across Intel(R) AMT versions?

PROBLEM

Will the PKI-CH implementation currently available in Intel AMT 2.2, Intel AMT 2.6, and Intel AMT 3.0 consistently support wildcard RCFG certificates?

Intel AMT 2.6 supports wildcards, but Intel AMT 2.2 and 3.0 do not. Will Intel AMT 2.2 and 3.0 support wildcard certificates?

RESOLUTION

There are no plans to enable support for wildcard certificates in Intel AMT 2.2 or any future updates for that generation of hardware. There are plans to support wildcard certificates in the future release of Intel AMT 3.2.

3.4.2008

SCS service crashes due to excessive logs

PROBLEM

The SCS service crashes repeatedly due to excessive logs. In the SCS Win Log, the OLE database error for timeout is displayed.

RESOLUTION

Reduce the database logs to a reasonable size, based on available processes.

2.27.2008

Network Load Balancing of SCS Servers

PROBLEM

Are there any known issues or limitations in pointing provisionserver.company.com to a Network Load Balancing address that balances between two or more SCS servers (all are in the same domain)?

RESOLUTION

The SCS support team confirmed that this is a supported configuration, provided all the SCS servers point back to a single SCS database.

2.27.2008

Is SNMP Trap Service required for SCS?

PROBLEM

Is the Microsoft Windows* SNMP trap service required in the latest SCS version?

RESOLUTION

The SNMP trap service is not required for installing or using SCS, but it is required for the Intel® AMT Add-on for SMS* V3.0 to receive PET alerts from Intel AMT clients per the SMS manual.

It is used as a receiver for platform trap events. Clients can be configured to send platform traps to an SNMP service. Since the Intel AMT Add-on is capable of configuring clients, an SNMP trap service is required during installation for a complete solution.

3.4.2008

Intel(R) AMT Active Directory error message

PROBLEM

After setting the properties for the Intel AMT system, the status goes to InProvisioning, but nothing changes. The logs contain the following message: Cannot create AD AMT Object: Failed on CreateDSObject with ht-73207ty, - Process Delayed.

RESOLUTION

This error message normally occurs for the following reasons:

  1. The AD schema extension has not been applied

  2. The Schema extension has been applied, but the SCS service user does not have necessary permissions to AD OU to create and manage Intel AMT ME objects.

If the extension for the AD schema is not needed, then uncheck the Active directory Integration checkbox in the SCS General Settings screen to prevent SCS from trying to create AD objects during provisioning.

3.4.2008

Organizational Unit Field in Configuration Parameters must be populated to complete provisioning

PROBLEM

SCS cannot complete provisioning of a system if the Configuration Parameters do not have a value specified in the OU column, even if the SCS is not using the Integrated with Active Directory option. Users must either manually add a value (during the manual process) or define a value when using remote tools like the RCT.

RESOLUTION

This is a known issue with SCS and it is slated to be corrected in SCS 5.0.

3.4.2008

Unable to access web interface using Kerberos authentication

PROBLEM

The web interface cannot be accessed using Kerberos authentication. When the Firefox web browser was used, Admin authentication could be accessed, but the https digest could not be accessed. Internet Explorer* cannot access either Admin authentication or Https digest.

RESOLUTION

If the AD schema is not extended, the Kerberos user authentication will not work. Using digest users resolves this issue.

3.21.2008

Is Static IP addressing possible in Enterprise Mode?

PROBLEM

What is the technical limitation of having static IP addresses in an Enterprise Mode environment, and what workarounds would allow a customer to use both? Since DHCP dynamically updates DNS, if you manually entered the DNS suffix in the Intel(R) Management Engine and maintained DNS manually, would that allow customers to use static IP addresses with Enterprise Mode?

RESOLUTION

While this is not recommended, the DNS entries can be maintained as described in the question. Multiple computer entries, in the management console, will be needed for managing clients that use Static IP.

3.21.2008

Is it possible to have an operating system with static IP address and Intel® Management Engine in DHCP mode?

PROBLEM

Is it possible to have an operating system set up with a static IP address and the Intel Management Engine set up for DHCP mode? Can the IP addresses of the operating system and the Intel Management Engine be on different subnets, or do they need to be on the same subnet?

RESOLUTION

This scenario is not supported and has not been tested.

3.21.2008

Cannot log into SCS Console with Enterprise Admin account

PROBLEM

The SCS console can only be logged into using the initial setup account that is provided during SCS installation. Any attempts to log in with a user account that has enterprise admin rights and has been added to SCS Users and Groups fail. The error message received is: Login Failed and the reason is: The remote server returned an error: (502) Bad Gateway.

RESOLUTION

The root cause is that the customer has an Internet Explorer* configuration that uses a proxy. On the https connection, both the SCS console login and the SCS service use the same proxy settings, and that causes the login to fail with error 502 bad gateway. Un-checking the use of the proxy in Internet Explorer solves the problem.

3.21.2008

Intel® MEBX, Web UI, and remote admin passwords are not automatically synchronized

 

PROBLEM

Changing the Intel® MEBX password from the local console will not change the Web UI or remote admin passwords.

RESOLUTION

Before the Intel® AMT system is provisioned, changing the Intel MEBX password from the local console will also change the remote admin password.  After the system is provisioned, changing the local Intel MEBX password will not change the remote admin password.  During provisioning, the Intel MEBX password and the remote admin password can be set.

 

 

04.28.2009

Using international keyboards to create MEBx passwords via Setup and Configuration Service (SCS)

PROBLEM

When creating a MEBx password via SCS and deploying to client machines located in different countries, IT administrators are advised that international keyboards may have different layouts for Latin characters. This may result in password failures as a result of entering the same password on two different keyboards supporting different languages.

 

As an example, a multi-national company headquartered in France may deploy a client to one employee in France and Japan. Because the keyboard layouts are different, the passwords may be inadvertently different and may fail when entered on a different keyboard.

 

Below is a comparison of different language keyboards.

 

 

Japanese keyboard

 

 

US English keyboard

 

RESOLUTION

When creating your password, use character keys that are common between all keyboards and follow the guidelines below. These guidelines assume that the password is user-defined. In high security instances, the password will be auto-generated and you will need to compare the keyboard layout diagrams to help determine your MEBx password.

 

  • The following is a list of keyboard keys that are common keys for all keyboard types: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, B, C, D, E, F, G, H, I, J, K, L, N, O, P, R, S, T, U, V, X

 

EXCEPTION: These keys are not common between Japanese and US keyboards: 2, 8, and 9. Be sure to use the illustrations above to verify common keys when creating passwords.

 

Note: Passwords can be created using characters generated by the Key and Shift Key

 

  • MEBx passwords require special characters to ensure security. Use SHIFT+N, where N equals 0, 1, 2, 3, 4, 5, 6, 7, 8, or 9, to include special characters in your password.

 

For example, if your strong password is JOK&F49!, you would relay this password to international users as: 

 

  • Passwords using the A,M,Q,W,Y and Z keys can cause problems and are not recommended.
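A checker for the keyboard guidelines above, as an added example that is not part of the original wiki or of Intel SCS. It assumes the password was composed on a US English layout (so that, for instance, "&" is SHIFT+7); the key lists are copied from the guidelines, and the function names are constructed for illustration.

```python
# Added example: express a password as physical key presses and flag the keys
# the guidelines above treat as layout-dependent.

# Key lists as given in the guidelines.
COMMON_KEYS = set("0123456789BCDEFGHIJKLNOPRSTUVX")
JP_US_EXCEPTIONS = set("289")      # "not common between Japanese and US keyboards"
NOT_RECOMMENDED = set("AMQWYZ")

# Assumption: US English layout, where SHIFT+digit produces these characters.
US_SHIFT_DIGIT = dict(zip(")!@#$%^&*(", "0123456789"))

COMMON = "common"
VERIFY = "verify against layout diagrams"
AVOID = "not recommended"
UNLISTED = "not on the common-key list"


def classify_key(key):
    """Classify one physical key (an upper-case letter or a digit) per the guidelines."""
    if key in NOT_RECOMMENDED:
        return AVOID
    if key in JP_US_EXCEPTIONS:
        return VERIFY
    if key in COMMON_KEYS:
        return COMMON
    return UNLISTED


def relay_sequence(password):
    """Return [(key press, status)] for a password composed on a US English layout."""
    steps = []
    for ch in password:
        if ch in US_SHIFT_DIGIT:
            # Special character typed as SHIFT plus a digit key.
            key = US_SHIFT_DIGIT[ch]
            steps.append(("SHIFT+" + key, classify_key(key)))
        elif ch.isascii() and ch.isalnum():
            # Letter or digit: the key identity is the upper-case form.
            steps.append((ch, classify_key(ch.upper())))
        else:
            # Punctuation keys other than SHIFT+digit are not on the list.
            steps.append((ch, UNLISTED))
    return steps


def needs_review(password):
    """Return only the key presses that are not plainly common across layouts."""
    return [step for step in relay_sequence(password) if step[1] != COMMON]


if __name__ == "__main__":
    for press, status in relay_sequence("JOK&F49!"):   # example password from the text
        print("%-8s %s" % (press, status))
```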

 

5.7.2008

What is the Authorized column in SCS?

PROBLEM

The Intel(R) AMT Systems screen of the SCS web console has a column titled Authorized. All the systems that are provisioned show up as False. What does this column mean?

RESOLUTION

The Authorized column signifies systems that can be provisioned that have not been authorized to complete the process.

5.8.2008

SOAP error (0xCFFF06AC) when attempting remote configuration

PROBLEM

When attempting to use the latest SCS with RCT 3.3 with a Remote Config Cert from GoDaddy, this error displays in SCS: Cannot handle provisioning exception: (0xCFFF06AC) SOAP Failure (23): getFullCoreVersion: SSL error - SSL authentication failed in tcp_connect(): check password, key file, and CA file.

RESOLUTION

The remote config certificate needs to be in the personal store of the SCS service account.

  1. Log into your server with the SCS service account.

  2. Launch MMC.

  3. Select File > Add/Remove Snap-in.

  4. Select Certificates from the snap in menu and click Add.

  5. When prompted, select My user account and click Finish.

  6. Click the Close button to close the snap-in selection window.

  7. Click OK to close the snap-in Add/Remove menu.

  8. Open Certificates, then open Personal.

  9. Right-click the Personal folder, select All Tasks and then Import.

  10. Use the wizard to import your remote configuration certificate into the personal store of your SCS service account.

 

6.13.2008

Local Manageability Service (LMS) does not allow host VPN traffic when environment detection is not defined

PROBLEM

If environment detection is not configured, Intel AMT VPN connection cannot be enabled even though there is no direct relationship between these two.

RESOLUTION

In the environment detection list, define a DNS suffix that matches one of the suffixes in the host's list of DNS suffixes.

 

To define the suffix:

 

  1. Open the Intel SCS Console.

  2. Expand the Configuration Service Settings branch.

  3. Select Profiles. The Profiles screen displays.

  4. Select the profile to be modified.

  5. Click Edit. The Profile Configuration dialog box displays.

  6. Display the Network tab.

  7. Click Environment Detection.

  8. In the Environment Detection dialog, click Add.

 

Enter up to five domain suffixes that define permitted domains within the enterprise network. The Intel AMT device uses this list to determine whether the platform is operating inside or outside the enterprise network. Management consoles can define the behavior of the device when it is outside the enterprise, including setting a policy that will block network traffic.

 

9. Click OK.

 

7.18.2008

Unable to remove wireless profiles in Intel SCS

PROBLEM

Error code 998 displays when trying to remove a wireless profile in the SCS, indicating that the profile is in use.

RESOLUTION

This error is generated if the wireless profile you are using is assigned to a system profile within the SCS. In order to delete the wireless profile, first remove it from any system profiles.

 

7.18.2008

Time synchronization errors using Intel(R) SCS 3.x and Active Directory

PROBLEM

The client machine logs errors related to setting the time when time synchronization is enabled in Intel SCS 3.x and the OS is also using Active Directory to synchronize system time.

RESOLUTION

Disable time synchronization in SCS 3.x.

 

7.28.2008

SCS Installation Account Security Requirements

PROBLEM

What are the minimum security requirements for the account that installs SCS?

RESOLUTION

The account needs to be a member of the local administrators group and an administrator on the SQL server.

 

7.28.2008

SCS 5.0 Does Not Support 64-bit Operating Systems

PROBLEM

SCS 5.0 does not support 64-bit operating systems. Customers using 64-bit operating systems need to use SCS 5.1 or later.

 

At this time there is no workaround for SCS 5.0 to support 64-bit operating systems. This issue is not documented in the SCS 5.0 documentation.

SOLUTION

SCS 5.1 supports 64-bit operating systems.

 

9.25.2008

The SCS Console Operator role does not appear to give users the right to access the security keys

PROBLEM

The SCS Console Operator role does not appear to give users the right to access the security keys, which conflicts with the documentation and is a pre-requisite for an operator performing a pre-provisioning function.

SOLUTION

This issue was fixed in SCS 5.0.

 

11.25.2008

Consistent RCFG failure with SCS

 

PROBLEM

Remote configuration fails consistently when attempting to provision clients with SCS. The error message in the SCS log is 'Cannot handle provisioning exception: (0xCFFF06AC) SOAP Failure (23): getFullCoreVersion: SSL_ERROR_SSLerror:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error - SSL connect failed in tcp_connect()'

The provisioning server has the correct (non-wildcard) RCFG certificate and certificate chains from the signing Certificate Authority. The client domain name from the DHCP server (option 15) matches the domain in the RCFG certificate and the SCS domain. The server also correctly provisions clients using the TLS-PSK method.

The clients can also be correctly provisioned using RCFG when connected to a separate test network.

SOLUTION

 

Intel® AMT supports a maximum encryption key length of 2048 bits.

 

12.4.2008

How often are log files purged in Intel SCS?

 

PROBLEM

How often does the SCS purge log files and can the retention date be configured?

SOLUTION

There are maintenance procedures that SCS executes once every five minutes: cspi_cleanRequestStatus and cspi_cleanLog. These procedures did not execute automatically in SCS 3.3 and earlier.

This was fixed in SCS 3.3. Both procedures will execute automatically. The default value of cspi_cleanRequestStatus is five days.

 

12.4.2008

Is the Intel® SCS supported on EMT64 bit versions of Microsoft Windows* Server?

 

SOLUTION

The 3.x versions of the SCS are not supported on EMT64 versions of Windows Server. SCS 5.0 is supported in 32-bit mode on EMT64 enabled versions of Windows* Server.

Download SCS 5.0 at http://software.intel.com/en-us/articles/download-the-latest-version-of-intel-amt-setup-and-configuration-service-scs

 

12.4.2008

Can't import setup.bin made with USBFILE2.EXE into the SCS

 

PROBLEM

The USBFile version 2 utility was used to create PID/PPS pairs, but the SCS console cannot import the setup.bin file. It displays an error message indicating the supplied setup.bin has an incorrect file format.

SOLUTION

USBFILE2's file format is not supported by the SCS at this time. Use the -v 1 switch with USBFILE2 to force it to create a v1 file, or use the original USBFILE utility.

 

12.4.2008

The SCS Console Operator role does not appear to give users the right to access the security keys

 

PROBLEM

The SCS Console Operator role does not appear to give users the right to access the security keys, which conflicts with the documentation and is a pre-requisite for an operator performing a pre-provisioning function.

SOLUTION

This is a known issue and will be fixed in SCS 5.0.

11.25.2008

Minimum security requirements for installing Intel(R) SCS

 

SOLUTION

The user installing Intel® SCS must be a member of the local administrators group and a SQL administrator. The user installing the software does not need to be a domain administrator.

4.2.2009 QA1326

Intel(R) SCS is only supported on English versions of Windows* Server 2008

 

SOLUTION

Check future versions of Intel SCS to determine if it is supported on non-English versions of Microsoft* Windows* Server 2008.

9.18.2009 QA1381

USB Provisioning

 

USB provisioning only effective on "factory new" systems

PROBLEM

USB provisioning failed after multiple attempts.

RESOLUTION

This is by design. USB provisioning only works on a "factory new" system, meaning that it has never been provisioned. Once Intel(R) AMT is provisioned, the one-touch USB method will not work again until the CMOS battery is pulled and reset.

11.9.2007

 

USB Key Configuration Guidelines

Use these criteria when preparing a key for USB provisioning:

 

  • Keys should only be formatted with Intel SCS. Keys should be formatted as a FAT16 device with a null volume label.

  • Setup.bin must be the first file on the key. If the file is overwritten, or erased and then re-added, it may no longer be the first file on the key. Always reformat the key before a new setup.bin file is copied to it.

  • Keys should be 2GB or less. FAT16 cannot address more than 2GB on these devices.

  • Purchased keys should not have any preinstalled software on them.

  • Keys should only be used for USB key provisioning and not for any other purpose.

  • Keys should never have been created as a bootable device.

  • BIOS settings can impact USB provisioning. If you experience problems, load the manufacturer's default BIOS settings before doing USB provisioning.
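As an added example (not Intel's code and not part of the original page), the Python sketch below checks a raw image of the key's volume, starting at its boot sector, against the guidelines above that can be read from on-disk structures: FAT16 type, size, null volume label, and setup.bin placement. It assumes "first file" means the first in-use root directory slot and "null volume label" means no label entry plus a blank or NO NAME boot sector field; the function names and the sample images are constructed for illustration.

```python
import struct

def check_usb_key_image(img):
    """Return guideline violations found in a raw FAT volume image (bytes)."""
    bps, spc, rsvd, nfats, root_ents, tot16, _, fatsz = struct.unpack_from("<HBHBHHBH", img, 11)
    total = tot16 or struct.unpack_from("<I", img, 32)[0]   # total sectors (16- or 32-bit field)
    root_secs = (root_ents * 32 + bps - 1) // bps
    clusters = (total - (rsvd + nfats * fatsz + root_secs)) // spc
    problems = []
    if not 4085 <= clusters < 65525:               # FAT type is defined by cluster count
        problems.append("not FAT16 (%d clusters)" % clusters)
    if total * bps > 2 * 1024 ** 3:
        problems.append("volume larger than 2GB")
    if img[43:54].strip() not in (b"", b"NO NAME"):
        problems.append("boot sector volume label is set")
    root, setup_slot = (rsvd + nfats * fatsz) * bps, None
    for i in range(root_ents):
        ent = img[root + 32 * i: root + 32 * i + 32]
        if len(ent) < 32 or ent[0] == 0x00:        # 0x00 marks end of directory
            break
        deleted, attr = ent[0] == 0xE5, ent[11]    # 0xE5 marks an erased entry
        if not deleted and attr == 0x0F:           # long-name part of the next entry
            continue
        if not deleted and attr & 0x08:            # volume label attribute
            problems.append("volume label entry in root directory")
        elif not deleted and ent[:11] == b"SETUP   BIN":
            setup_slot = i if setup_slot is None else setup_slot
        elif setup_slot is None:
            kind = "deleted entry" if deleted else "other file"
            problems.append("slot %d (%s) comes before setup.bin" % (i, kind))
    if setup_slot is None:
        problems.append("setup.bin not found in root directory")
    return problems

def build_sample_image(entries, label=b"NO NAME    "):
    """Constructed 16MB test volume: boot sector, empty FATs, root directory."""
    img = bytearray((1 + 2 * 32 + 32) * 512)
    struct.pack_into("<HBHBHHBH", img, 11, 512, 4, 1, 2, 512, 32768, 0xF8, 32)
    img[43:54], img[54:62] = label, b"FAT16   "
    for i, (name, attr) in enumerate(entries):
        off = 65 * 512 + 32 * i                    # root directory follows both FATs
        img[off:off + 11], img[off + 11] = name, attr
    return bytes(img)

fresh = build_sample_image([(b"SETUP   BIN", 0x20)])
reused = build_sample_image([(b"\xe5ETUP   BIN", 0x20), (b"NOTES   TXT", 0x20),
                             (b"SETUP   BIN", 0x20)])
print(check_usb_key_image(fresh))
print(check_usb_key_image(reused))
```

The second sample models a key where setup.bin was erased and re-added without reformatting, which is the case the guideline on reformatting warns about.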

 

12.20.2007

USB Compatibility Matrix for Intel® Centrino® with vPro Technology (Intel® AMT 2.5)

The keys marked YES are acceptable for USB provisioning. The keys marked NO are not recommended for USB provisioning. New keys were used in these tests.

 

| System | Model | BIOS | SanDisk 1GB Cruzer Micro SDCZ61024A10 | Kingston 1GB DT1001GBKR | Sony 1GB Micro Vault Classic USM1GJ | PNY 2GB Optima Pro Attached Enhanced for Windows ReadyBoost PFD02GHSPFS |
|---|---|---|---|---|---|---|
| Acer | TravelMate 6592 | 1.53 | Not supported | Not supported | Not supported | Not supported |
| Dell | Latitude D630c | A09 | Yes | Yes | Yes | Yes |
| FSC | LifeBook E8410 | 1.16 | Not supported | Not supported | Not supported | Not supported |
| HP | 2510p | F.0D | Yes | Yes | Yes | Yes |
| HP | 6910p | F.16 | Yes | Yes | Yes | Yes |
| Lenovo | ThinkPad T61 | 7LETB9WW(2.24) | No | Yes | No | No |
| Lenovo | ThinkPad X61 Tablet | 7SET31WW(1.19) | No | Yes | No | No |
| Lenovo | ThinkPad X300 | 7TUJ05US (1.08) | No | Yes | No | No |
| Samsung | NP-P55 | 07AY | Not supported | Not supported | Not supported | Not supported |
| Toshiba | Protege M700 | 1.40 | Not supported | Not supported | Not supported | Not supported |
| Toshiba | Tecra M9 | 1.90 | Not supported | Not supported | Not supported | Not supported |

 

*Fujitsu-Siemens Corporation (FSC) and Toshiba do not support USB provisioning on their Intel® Centrino® Pro processor technology platform.

04.23.09

 

USB Compatibility Matrix for Intel® vPro™ Technology (Intel® AMT 3.x)

The keys marked YES are acceptable for USB provisioning. The keys marked NO are not recommended for USB provisioning. New keys were used in these tests.

 

| System | Model | BIOS | SanDisk 1GB Cruzer Micro SDCZ61024A10 | Kingston 1GB DT1001GBKR | Sony 1GB Micro Vault Classic USM1GJ | PNY 2GB Optima Pro Attached Enhanced for Windows ReadyBoost PFD02GHSPFS |
|---|---|---|---|---|---|---|
| Intel Desktop Board | DQ35JO | 86.A.0954.2008.0922.2331 | Yes | Yes | Yes | Yes |
| FSC | Esprimo P5925 | 6.00 R1.15.2584.A1 | Yes | No | Yes | No |
| Dell | Optiplex 755 | A11 | Yes | Yes | Yes | Yes |
| HP | dc7800 | 01.24 | Yes | Yes | Yes | Yes |
| Lenovo | ThinkCentre M57p | 2RKT57AUS | Yes | No | Yes | No |

04.23.09

USB Compatibility Matrix for Intel® vPro™ Technology (Intel® AMT 4.x)

The keys marked YES are acceptable for USB provisioning. The keys marked NO are not recommended for USB provisioning. New keys were used in these tests.

 

| System | Model | BIOS | SanDisk 1GB Cruzer Micro SDCZ61024A10 | Kingston 1GB DT1001GBKR | Sony 1GB Micro Vault Classic USM1GJ | PNY 2GB Optima Pro Attached Enhanced for Windows ReadyBoost PFD02GHSPFS |
|---|---|---|---|---|---|---|
| Acer | TravelMate 6493 | v1.02 | Yes | Yes | Yes | Yes |
| Dell | Latitude E6400 | A11 | Yes | Yes | Yes | Yes |
| Fujitsu | LifeBook 8420 | v1.06 | Yes | Yes | Yes | Yes |
| HP | EliteBook 6930P | 68PCU ver F.0E | Yes | Yes | Yes | Yes |
| Lenovo | T400 | 7UET43WW (1.15) | Yes | Yes | Yes | Yes |
| Lenovo | X200 | 6DET30WW (1.07) | Yes | Yes | Yes | Yes |
| Toshiba | Tecra A10 | 1.90 | Yes | Yes | Yes | Yes |

04.23.09

USB Compatibility Matrix for Intel® vPro™ Technology (Intel® AMT 5.x)

The keys marked YES are acceptable for USB provisioning. The keys marked NO are not recommended for USB provisioning. New keys were used in these tests.

 

| System | Model | BIOS | SanDisk 1GB Cruzer Micro SDCZ61024A10 | Kingston 1GB DT1001GBKR | Sony 1GB Micro Vault Classic USM1GJ | PNY 2GB Optima Pro Attached Enhanced for Windows ReadyBoost PFD02GHSPFS |
|---|---|---|---|---|---|---|
| Lenovo | M58p | 5CKT40AUS | Yes | No | Yes | No |
| HP | dc7900 | 786G1 v01.11 | Yes | Yes | Yes | Yes |
| Dell | OptiPlex 960 | A01 | Yes | Yes | Yes | Yes |

04.23.09

 

USB Provisioning Tips for Lenovo T61

Use these tips when provisioning a Lenovo T61 notebook:

  • Don't attempt to USB provision after a forced power off (holding the power button for 5 seconds).  Only attempt a USB provision after a normal shutdown or restart.

  • If the USB key fails to provision, load the factory BIOS defaults and try again. If this does not resolve the issue, then do the following:

 

  1. Disable Intel(R) AMT from the BIOS.

  2. Boot the system with the USB key.

  3. Re-enable Intel AMT from the BIOS.

  4. Provision the system using the USB key.

 

2.12.2008

 

What is the maximum number of PID/PPS pairs that can be used during USB provisioning?

PROBLEM

Customers activating a high number of systems using One Touch/USB provisioning may run into performance degradation attempting to import these keys in a management console.

RESOLUTION

There is no theoretical limit to how many PID/PPS pairs can be on a USB key, but there may be a threshold above which performance degrades significantly. At this time, the largest known deployment using USB provisioning used 30,000 PID/PPS pairs. Altiris* was unable to process this setup.bin file; however, the Intel SCS Console was able to import these keys despite the timeout error that the console indicated.

4.29.2008

Automating PID/PPS key generation using LANDesk utility

 

There is a utility available in your LANDesk installation that allows you to quickly generate a specific number of PID/PPS pairs for USB provisioning. Follow these instructions; the steps represent a standard installation.

 

  1. Open Windows Explorer and navigate to your LANDesk program files.

  2. Open the managementsuite folder and locate AMTUSBFile.exe.

  3. Open a command window and navigate to the path where AMTUSBFile.exe resides. Use the table below to run the utility.

 

| To do this... | Then type this and press Enter... |
|---|---|
| List all available parameters | AMTUSBFile.exe -h |
| Generate X number of pairs | AMTUSBFile.exe -c <current ME password> <new ME password> -n <number of pairs> |
| Import the keys from the generated setup.bin to the LANDesk database | AMTUSBFile.exe -i |
| Verify the list of records in the database | AMTUSBFile.exe -g |

For example, generating 625 records takes ~1 second:

AMTUSBFile.exe -c admin Landesk1! -n 625

Note: LANDesk uses an encrypted string when saving credentials to the database. Sometimes this encrypted string is invalid for some databases, such as Oracle. If this occurs, you may need to run the import command several times before the keys are added. Records already imported will not be imported again.

6.27.2008

 

 

 

*Other names and brands may be claimed as the property of others.
