PROBLEM

A Privacy Notification window automatically displays when each user logs into the Intel® AMT system.

RESOLUTION

End users can disable this window by selecting the "Do not display this message" checkbox.

However, you can also disable the Privacy Notification window and still keep the application running by modifying a registry key.

To modify the registry key:

1. Open the registry and locate this key: HKEY_LOCAL_MACHINE\Software\Intel\Network_Services\atchk

   
   
   
   
   
   
   

2. Create a new dword value named +MinimizePrivacyIconAtStart +and set it to 00000001.

   
   
   
   
   
   
   

PROBLEM

Some vendor BIOS versions only support the display of specific emulation types. Using this command, specific ISVs will be able to redirect and emulate without issue.

RESOLUTION

This command only applies to users running Altiris, HP Openview, and Microsoft SMS.

On the console machine:

1. At the Start menu, select Run.

   
   
   
   
   
   
   

2. In the Open field, enter CMD and click OK. A command window opens.

   
   
   
   
   
   
   

3. At the command prompt, type telnet and press Enter.

   
   
   
   
   
   
   

4. In the telnet session, type set term ansi or set term vt100 and press Enter.

   
   
   
   
   
   
   

5. Type quit and press Enter.

   
   
   
   
   
   
   

Your terminal emulation type is now set to ANSI or VT100, depending on what you entered. You can re-enter the telnet session at anytime and type d to verify the emulation type.

NOTE: If you do not properly quit the telnet session, the setting will not be saved.

PROBLEM

Some users need to move a PC between several networks.  For example, a support technician may support multiple clients that require different client certificates.

RESOLUTION

Users may install up to 8 client certificates.

PROBLEM

If the administrator forgets the MEBx password, the only way to clear the password is to remove the CMOS battery.

RESOLUTION

**This URL to a non-Intel® web site is provided for the reader's convenience. This is not an endorsement or recommendation by Intel® of the site or products.

WARNING: To avoid personal injury or property damage, follow the manufacturer's safety instructions that apply henever accessing the inside of the product.

CAUTION: There is the danger of explosion if the battery is incorrectly replaced. When replacing the battery, use only the battery recommended by the equipment manufacturer and follow the manufacturer's instructions. Electrostatic Discharge ESD) can damage disk drives, boards, and other parts. We recommend that you perform all procedures at an ESD workstation.

PROBLEM

Intel® AMT is incompatible with a 4096-bit PKI if Intel® AMT systems need to validate a certificate chain containing this key size. For example, in 802.1X networks.

SOLUTION

If a customer already has a PKI with a 4096-bit root certificate, you can work around this issue by adding a 2048-bit root CA and then using this to issue certain certificate (for example, RADIUS).

SOLUTION

To hide the IMSS system tray icon, delete the key at the following registry location:
HKLM\Software\Microsoft\WindowsCurrentVersion\Run\Picon\"C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe"

PROBLEM

To successfully upgrade your ME firmware, follow the guidelines listed below.

SOLUTION

Version number format for ME firmware

Rules for successful upgrades

PROBLEM

For an example of this problem, if a SoL session is active from the Microsoft* SCCM Out of Band console, then the Intel® AMT firmware will not process a collection-based power control command from the console.

SOLUTION

PROBLEM

The password policy is configured by the OEM during manufacturing. The primary setting allows a one-time chagne from Admin/admin to a unique password and to have both the remote and local access synched-up. If you changed the password on the remote client you will have two passwords. This is intended to allow customers to have a unique password for local access and to allow the user to change it randomly to ensure the security of the system.

SOLUTION

PROBLEM

Question 1: Is KVM Remote Control supported using Fast Call For Help?
Question 2: Does Fast Call For Help use Kerberos authentication?
Question 3: Does Microsoft* ConfigMgr support Fast Call For Help?

SOLUTION

PROBLEM

Intel® AMT does not support fully qualified domain names (FQDNs) ending in "_" or "-".

SOLUTION

PROBLEM

During a SoL session to an HP* client, pressing F10 does not exit BIOS.

RESOLUTION

Press ESC and 0 (zero) at the same time as an alternative to exit BIOS.

PROBLEM

RESOLUTION

PROBLEM

RESOLUTION

PROBLEM

RESOLUTION

PROBLEM

RESOLUTION

PROBLEM

RESOLUTION

PROBLEM

RESOLUTION

PROBLEM

RESOLUTION

RESOLUTION

PROBLEM

RESOLUTION

PROBLEM

RESOLUTION

PROBLEM

RESOLUTION

PROBLEM

RESOLUTION

PROBLEM

RESOLUTION

RESOLUTION

RESOLUTION

RESOLUTION

RESOLUTION

PROBLEM

Where can I find more information about Intel® vPro™ technology on Linux?

RESOLUTION

Information about Linux support is available at the Open Source Intel® AMT Drivers and Tools\ site.

PROBLEM

Where can I find the most recent Linux drivers for an Intel® vPro™ capable system?

RESOLUTION

Visit http://www.intellinuxwireless.org/ to download Intel® wireless drivers.

PROBLEM

Wireless management does not work when the operating system is running.

RESOLUTION

Check if there are missing or faulty Intel® AMT drivers (HECI & LMS/SOL) in Microsoft Windows*. Get the latest drivers from the OEM's web site and install them. Once the drivers are installed, the Intel® Management Engine should work properly with the wireless connection.

PROBLEM

If  the path to the LMS/SOL driver setup.exe contains square brackets, then  the driver will be installed but the privacy icon will not be  installed. For example, setup will fail with this path:  c:\drivers\[HP]\lms_sol\setup.exe.

RESOLUTION

This issue is expected to be fixed in Intel® AMT 4.2.

PROBLEM

The hosts file has the following section:
# localhost name  resolution is handled with DNS itself
# 127.0.0.1 localhost
# ::1  localhost
127.0.0.1 mysystem.vprodemo.com #LMS GENERATED LINE

RESOLUTION

PROBLEM

Is there a performance hit for IDE-R over a WAN?

RESOLUTION

We do not recommend using an IDE-R session to boot large CD-ROM images over a WAN. Instead, we recommend using a stripped down IDE-R image that can load up a network stack on the AMT client. The network stack can be used to access local shares at the branch that have the tools you need to either rebuild the OS or diagnose problems.

PROBLEM

The wired LAN NICs are not recognized by the Intel® AMT management consoles. They do show up in the DHCP listings. Only the wireless NICs were discovered as Intel® AMT devices. IPCONFIG on each notebook shows IP addresses assigned to both WLAN and LAN NICs.

When the firewalls are turned off, the Intel® AMT consoles can communicate with the LAN NICs.

RESOLUTION

Firewalls can prevent clients from registering an FQDN (fully qualified domain name), which prevents them from being discovered by the console. Verify that the firewall is not configured to block these kinds of requests.

PROBLEM

When configuring Intel® AMT in basic (formerly SMB) mode during boot up, some values for the secondary DNS server IP address make the configuration fail.

If a secondary DNS server's last octet value is 223 or higher, the configuration fails.

RESOLUTION

This is a known issue in the Intel® Management Engine and will be fixed in the next release. The current workaround is to change the secondary DNS server's IP address, or to not use the secondary DNS server at all in the configuration.

PROBLEM

When you reboot the system and enter a SoL/IDER session, the ME NIC will remain in the lowest negotiated speed setting and half duplex mode if the SoL/IDER session remains connected during boot. The NIC does not renegotiate to the highest available speed or full duplex mode after the operating system boots.

RESOLUTION

To force the ME NIC to renegotiate to full speed/full duplex mode, disconnect the SoL/IDER session then reconnect.

PROBLEM

The Intel® WS-MAN translator package used with Microsoft* SCCM 2007 SP1 generates some errors due to scripting language changes introduced in Windows* Vista.
The scripts will not run correctly on Microsoft* Vista and Microsoft* Server 2008 operating systems. Also, wired 802.1X scripts produced by GenScript only execute properly the first time they are run.

RESOLUTION

PROBLEM

An incompatibility exists between Intel® Active Management Technology (Intel® AMT) and Locally Administered Address (LAA) environments. As a result, Intel® AMT enabled systems configured to work in LAA environments might encounter LAN disconnects.

RESOLUTION

A Locally Administered Address (LAA) is an option allowing users to set their own MAC address on the platform and thus bypass the Burned-in address (BIA) MAC. Intel® AMT was not designed to support LAA environments and there are no plans to add this capability in the near future.

Intel® recommends avoiding usage of LAA together with Intel® AMT technology to avoid this issue.

PROBLEM

RESOLUTION

No solution is available.

RESOLUTION

PROBLEM

RESOLUTION

• Use a non-IANA reserved port for host WOL magic packet traffic.
  
  
  
  
  
• Use port 68 with TCP protocol (rather than UDP) for host WOL magic packet traffic. Note that port 68 TCP is an IANA reserved port, which could be affected by future changes in network infrastructure or Intel® products.
  
  
  
  
  

PROBLEM

RESOLUTION

RESOLUTION

PROBLEM

RESOLUTION

RESOLUTION

PROBLEM

DHCP Option 0 (Padding) is incompatible with Intel® AMT. DHCP Option 0 is a rarely used option that pads the DHCP option records so that they align on word boundaries.

RESOLUTION

PROBLEM

If the customer has many different DHCP Option 15 (DNS Domain Name) settings that do not follow the rules for Remote Configuration Certificate domain suffix matching, it will not be possible to use the PKI DNS Suffix profile in the MEBx to override the respective DHCP Option 15 setting of the DHCP server. The PKI DNS suffix profile can only be used to substitute for Option 15 authentication when DHCP Option 15 is not set.

Please refer to the Intel® AMT Remote Configuration Certificate Selection white paper (here) for assistance in choosing the correct remote configuration (RCFG) certificate for your remote provisioning needs.

RESOLUTION

If you can't use remote configuration due to this DHCP Option 15 issue, you must use one-touch provisioning.

PROBLEM

This issue occurs when Kerberos authentication is enabled in the Intel® ME firmware and Kerberos authentication for the currently logged-in user to the management console fails while trying to initiate a SOL or IDER session.

The issue is related to the authentication back-off mechanism in Intel® AMT. In Intel® AMT versions prior to 6.0.30.1197 the firmware allows for three login attempts before the system will deny the connection. Kerberos and Digest Authentication will use 2 authentication attempts each. Basic authentication will use a single attempt.

If Kerberos is enabled on the Intel® AMT platform, the IMRSDK.DLL library will attempt to perform Kerberos authentication. If Kerberos authentication fails then the library will fall-back to Basic authentication.

Starting in the Intel® AMT 6.0 SDK (around Sprint 10), there was a change in the IMRSDK.DLL library that would instead fall-back to Digest authentication instead of Basic. This update can cause the Digest attempt to trigger the back-off mechanism in the Intel® AMT firmware and cause the entire authentication attempt to fail.

This failure is exhibited with a Connection Timeout, or Connection Closed error from IMRSDK.DLL.

Intel® ME FW 6.0.0.1184 was the AMT 6.0 original PV version. There are several Intel® AMT firmware versions between 1184 and 1197 that are being shipped by OEMs that could encounter this issue.
To compound this issue, the IMRSDK.DLL library has not had its version stepped during the build process.

Notes on the potential impact on ISVs:
Altiris*--Can be configured to use Digest or Kerberos.
LANDesk*--Uses Digest only.
Microsoft* ConfigMgr--Uses Digest for some actions and Kerberos for others. (Not configurable.)

Status:

In order to support Digest authentication after a failed Kerberos authentication, the retry count in the Intel® ME firmeare was increased from three retries to four retries. This was included into the Intel® ME firmware starting in version 6.0.30.1197.

Here are the known impacted versions and the MD5 hashes of each release.
Known to use Digest fallback:
MD5SUM cc66c511352e428569f83d07525d14ce v1.1.3.0 *imrsdk(1472).dll [Sprint 14]
Unknown/Untested:
MD5SUM 3204a528f624bf6117238aa899a961f6 v1.1.3.0 *imrsdk(1360).dll [Sprint 13]
MD5SUM 3204a528f624bf6117238aa899a961f6 v1.1.3.0 *imrsdk(1276).dll [Sprint 12]
MD5SUM 7fc08a282494137324bf1556470984da v1.1.3.0 *imrsdk(1130).dll [Sprint 11]
MD5SUM 39687b9d3361ae5ddd1adbb59b098959 v1.1.3.0 *imrsdk(945).dll [Sprint 10]
Known to use Basic fallback:
MD5SUM 8091b69094f0c08e13ad2509a75b0f6a v1.1.3.0 *imrsdk(750).dll [Sprint 9]
MD5SUM 8091b69094f0c08e13ad2509a75b0f6a v1.1.3.0 *imrsdk(519).dll [Sprint 8]

RESOLUTION

There are three potential workarounds:

• Upgrade to Intel® AMT firmware version 6.0.30.1197 or later
  
  
  
  
• If not using TLS, connect to the Intel® AMT machine with the client's IP address instead of a FQDN
  
  
  
  
• Replace the IMRSDK.DLL with a previous version

PROBLEM

Using the default settings, the timeout period doesn't allow enough time for the OS to authenticate during PXE booting. The following whitepaper describes the Intel® AMT architecture used to support PXE boot.
Next-Generation Streaming Clients, Based on Intel® vPro™ Technology

RESOLUTION

RESOLUTION

RESOLUTION

RESOLUTION

PROBLEM

DNS configuration issues display when configuring Altiris.

RESOLUTION

Use these troubleshooting tips to help resolve DNS configuration issues with Altiris:

• Verify that the Altiris host has fully qualified records in the DNS infrastructure. This would constitute an A record for forward lookups and a PTR record for reverse lookups.

  
  
  
  
  
  
  

• Make sure the Intel® Setup and Configuration Service (SCS) is up and running on the box.

  
  
  
  
  
  
  

• Upgrade the SCS Console to the current version. This process is not supported by Altiris and is only for troubleshooting.

  
  
  
  
  
  
  

• IMPORTANT: When you upgrade, only install the console. DO NOT upgrade the entire SCS application.

   

  To upgrade to the current version:

  
  
  
  
  
  
  

PROBLEM

Can Intel® AMT firmware be reconfigured to change the default 'provisionserver' naming convention to a value of a customer's choosing?

RESOLUTION

The provisionserver value is hard-coded and cannot be changed. The detected DNS context is added to this default value (for example, provisionserver.mycompany.com).  It is recommended that the customer set up a second ALIAS record or a CNAME record in the DNS that points the provisionserver.yourdomain.com to the ISV server.

In environments where it is best not to use the default name, the customer can use the Intel® vPro™ Technology Activator Wizard (link) to direct the configuration attempts.

PROBLEM

Altiris* has a complete Server and Client inventory application/service that is independent of Intel® AMT features. An agent is required to obtain this level of support in Altiris* products.

RESOLUTION

PROBLEM

A  customer is using Altiris* in an environment without Microsoft* Active  Directory and wants to know if they can activate Intel® vPro™ clients  using either Altiris* RTSM (with the Intel® SCS backend), or, if they  decide to switch consoles, HP OOBM.

RESOLUTION

PROBLEM

RESOLUTION

PROBLEM

SOLUTION

No drivers are required for bare-metal provisioning of an Intel® AMT client. The system administrator will, however, need to pre-populate the provisioning server database with the client configuration information (UUID, FQDN, OU if Active Directory is used, Profile). Refer to the LANDesk documentation for information on how to enter the client configuration information into LDMS 8.8. The Intel® AMT client will send out a hello packet as soon as the network and power cables are plugged in. If the provisioning server is found, and the client configuration information is in the provisioning database, then the client will be provisioned.

PROBLEM

In the default configuration, the LANDesk root certificate is not trusted by the Microsoft* CA.  Users are then unable to use the WebUI unless they select the "trust this site" radio button each time they use the WebUI.

SOLUTION

1. Open Microsoft* Internet Explorer.
   
   
   
   
   
   
2. Choose Tools->Internet Options.
   
   
   
   
   
   
3. Click on the Content tab.
   
   
   
   
   
   
4. Click on the Certificates tab.
   
   
   
   
   
   
5. Under the Trusted Root Certificates tab, import the root certificates.
   
   
   
   
   
   
6. Under the Intermediate Certificate Authorities tab, import the intermediate certificates.
   
   
   
   
   
   
7. Verify that the certificate used can be traced back to the root.
   
   
   
   
   
   

PROBLEM

After provisioning, the in-band network connection on some Intel® AMT systems may shut down. The LANDesk console will then place the systems in remediation. These Intel® AMT systems can, however, still be managed with LANDesk* OOB tools and the Intel® AMT Web GUI. This is an intermittent issue. The time between provisioning the system and the loss of in-band connectivity ranges from a few minutes to about an hour.

SOLUTION

PROBLEM

The RootCA and the SubCA directories must be deleted repeatedly to enable provisioning to continue.

SOLUTION

PROBLEM

Microsoft WinRM v1.x scripts require certificates to contain CDP information. This is an issue when you provision clients to use Transport Layer Security (TLS) with LANDesk*. WinRM scripts fail with certificates generated by the LANDesk* internal CA because the certificates do not contain Certificate Revocation List (CRL) data (the CRL Distribution Point or CDP data is part of the CRL information).
WinRM v2.0 resolves this issue (see the solution below for details).

SOLUTION

1. Install Microsoft* WinRM 2.0 (see Microsoft* Knowledge Base Article KB968930).
   
   
   
   
   
   
2. In the 802.1X script file produced by GenScript, modify this block:
   
   
   
   
   
   

   sFlags=sFlags Or
   WSMan.SessionFlagSkipCACheck Or
   WSMan.SessionFlagSkipCNCheck
To read as follows:

   sFlags=sFlags Or
   WSMan.SessionFlagSkipCACheck Or
   WSMan.SessionFlagSkipCNCheck Or
   WSMan.SessionFlagSkipRevocationCheck

PROBLEM

When  the LANDesk SP2 agent is installed on the HP DC7800 client, the factory  installed PSK key is ignored and the client attempts PKI provisioning.  When the LANDesk agent is removed from the client, the client uses PSK  provisioning.

SOLUTION

PROBLEM

This issue is seen on Windows* XP clients. The customer will  notice very long boot times (it may take hours to boot).

SOLUTION

Customers should contact LANDesk and request a hotfix for this  issue. This hotfix will be included in the next service pack for LANDesk  8.8and 9.0. The customer should also update to the latest OEM-supplied  Intel® AMT driver package. (The driver package typically includes the UNS,  LMS, and SOL/IDER drivers).

Dell 755

Click here.

Lenovo M57p

Click here.

HP DC7800

Click here.

PROBLEM

When discovering Intel® vPro™ systems via a console that has a virtual adapter enabled with an IP address assigned, such as Microsoft SCCM, the discovery process may fail if the virtual adapter IP address is used for the discovery process.

RESOLUTION

Before performing the discovery, disable any virtual adapters that were created by software such as VMWare.*

PROBLEM

When the Microsoft* SCCM management console is run on a Microsoft* Vista* SP1 operating system, all Intel® AMT based objects and functionality is missing.

RESOLUTION

No solution is available at this time.

PROBLEM

Microsoft* System Center Configuration Manager 2007 Service Pack 1 (SP1) hotfix roll-up KB960804 includes KB959040 (a fix to enable PKI provisioning with Intel® AMT 2.2 and 2.6.) The original description of the roll-up incorrectly omitted the KB959040 hotfix.

RESOLUTION

To get KB959040 hotfix, users may download the KB960804 hotfix roll-up.

Refer to the Micorsoft* support website for more information about the hotfix packages. The Microsoft* URL** is: http://support.microsoft.com/kb/960804

**This URL is provided for the reader's convenience. It is not an endorsement of products or services by Intel® Corporation.

PROBLEM

SoL and IDER fails using Microsoft* SCCM in an environment with a Root CA and a Subordinate Issuing CA.

RESOLUTION

This issue has been fixed by a hotfix for Microsoft* SCCM 2007 SP1. URL for hotfix** HTTP://support.microsoft.com/hotfix/kbHotfix.aspx?kbnum=960804

**This URL is provided for the reader's convenience. It is not an endorsement of products or services by Intel® Corporation.

PROBLEM

In a Microsoft* SCCM hierarchy with a central site and a primary child site, power control operations from the central site work for some clients and fail for others. The same power control operations work correctly from the child site.

RESOLUTION

Not all client settings are being transferred up the Microsoft SCCM hierarchy to the central database. This issue will be resolved in the Microsoft SCCM SP2. Alternatively, system administrators may change the TlsMode setting in the dbo.AMT_MachineProperties table in the SCCM site database, it should be set to "1" for each client.

PROBLEM

The HP* DC7700 with Intel® AMT firmware build 2.2.10.1039 has a date/time stamp issue with the certificates that prevents remote provisioning. The Microsoft ConfigMgr logfile AMTOPMGR.LOG shows error 0x80090308 that indicates a problem with the certificate.

RESOLUTION

Update the firmware to to 2.2.20 or later. The firmware is available on the HP* website.

PROBLEM

A customer with Microsoft* ConfigMgr SP2 was unable to provision a Dell* OptiPlex 755. By default, the OOB management properties are set to not allow out of band provisioning.

RESOLUTION

Enable OOB provisioning in Microsoft* ConfigMgr.

1. In Microsoft* ConfigMgr SP2, go to Site Settings-->Component Configuration.
   
   
   
   
   
   
2. From the Out of Band Management Properties tab, choose Allow Out of Band Provisioning checkbox.
   
   
   
   
   
   

RESOLUTION

Microsoft* ConfigMgr has a known issue that causes it to fail when it validates the certificate chain unless the intermediate certificates are placed in the trusted root certificate store (instead of the intermediate certificate store).

RESOLUTION

PROBLEM

Microsoft* ConfigMgr uses Telnet for SOL and therefore only supports VT100 and ANSI emulation modes. The corruption is because Acer* firmware version 3.2.1 uses VT100+ emulation.

RESOLUTION

PROBLEM

After unprovisioning the Microsoft* ConfigMgr client without removing the ConfigMgr agent, the platform is shown as "detected" instead of "Not Provisioned" and cannot be reprovisioned.

RESOLUTION

PROBLEM

What is the best known method to unprovision an Intel® AMT client that is managed by Microsoft ConfigMgr(SP1 or later)? Using the wrong procedure to unprovision the client and remove the record from the Microsoft* ConfigMgr server may block later reprovisioning of the system. Microsoft* has posted the two articles listed below to the Microsoft* TechNet site to guide you.
Note that you will no longer be able to use out of band management with the Intel® AMT client after you unprovision it.

RESOLUTION

PROBLEM

The Intel® ME seems to close the network port early after a PXE boot. The Microsoft* System Center Configuration Manager 2007 setting "Keep session open after PXE boot (minutes)" is actually in seconds.

RESOLUTION

PROBLEM

Microsoft* ConfigMgr uses 32 character passwords when generating AMT objects. A third-party password policy that limits the maximum length to 8 characters will cause an error when ConfigMgr attempts to provision the Intel® AMT system and create the AMT object.

RESOLUTION

To workaround this issue, change the password policy to allow 32 character passwords.

PROBLEM

After the Intel® ME stops sending "Hello" packets, you may be able to provision some, but not all, Dell* OptiPlex 755 and 760 systems with Microsoft* ConfigMgr. The unprovisioned systems show up as either Unknown, Not Supported, or Detected in Microsoft* ConfigMgr.

Notes:

• When systems are plugged into AC power and on the network for more than 24 hours before ConfigMgr attempts to run a discovery on them.
• After the initial 24 hours, the ports used to query Intel® AMT systems are closed and ConfigMgr will not be able to communicate with the device.
• Activator re-activates the Intel® AMT systems and re-opens the ports that ConfigMgr needs.

RESOLUTION

PROBLEM

Setup and configuration on the client systems fail because Microsoft ConfigMgr shows the systems as "Not Supported."

RESOLUTION

PROBLEM

Microsoft* System Center Configuration Manager (ConfigMgr) can provision an Intel® AMT client in two different capacities: Bare metal and Agent Initiated.

Bare metal provisioning begins with the Intel® AMT client sending a "hello packet" to the Microsoft* ConfigMgr Out of Band Service Point; if the Intel® AMT client is approved and authorized to be provisioned, Microsoft* ConfigMgr will initiated the provisioning process. Agent-initiated provisioning begins with the Microsoft* ConfigMgr Client Agent pulling down the "Automatic Provisioning" policy from the Microsoft* ConfigMgr Policy Server; if the Microsoft* ConfigMgr Client Agent receives the policy, the Agent will negotiated a One Time Password (OTP) with the Intel® AMT ME firmware and send the provisioning request along with the OTP to the Out of Band Service point to begin the provisioning process.

The article by Matt Royer (see the link listed below) lists the requirements and tools for succesful provisioning.

RESOLUTION

PROBLEM

RESOLUTION

PROBLEM

RESOLUTION

RESOLUTION

RESOLUTION

PROBLEM

How many agents can the Intel® Management Engine monitor at one time?

RESOLUTION

This data is undocumented, however, testing shows that Intel® AMT 2.0 can monitor up to sixteen agents.

NOTE: The number of agents that can be monitored depends on how the ISV is implementing agent presence.

PROBLEM

HP 6910p returns a hello packet of UUID=00000 during activation.

RESOLUTION

This is a known issue with the firmware and will be fixed when the 2008 platform is released.

Meanwhile, your customers can request a BIOS update from HP to work around this issue.

PROBLEM

Using DHCP in a virtual machine can cause Intel® AMT to become inaccessible when you close the virtual machine session. This is because your computer and Intel® AMT will now have different IP addresses.

RESOLUTION

To work around this issue, exit the virtual machine session(s) and then do one of the following:

• Reboot your system.

  
  
  
  
  

OR

• Release and renew the IP address as follows:

  
  

  1. Click Start and choose Run.

  2. Enter cmd and click OK.

  3. At the command prompt, type:
     
     
     
     

ipconfig /release and press Enter.
ipconfig /renew and press Enter.

This is a known issue and will be updated as more information is available.

PROBLEM

When provisioning enterprises with multiple domains via remote configuration, individual certificates are required for each domain that needs to communicate with the Management Console. Wildcard certificates are currently not supported.

RESOLUTION

Wildcard certificate support is a feature request for AMT 3.2 (Weybridge) and AMT 2.6 (Centrino).

Meanwhile, you can workaround this issue by deploying an SCS server and a certificate for each domain.

MORE INFORMATION

This issue will be updated as more information becomes available.

PROBLEM

Inventory data does not appear after provisioning an Intel® AMT client, even though the provisioning process was successful and without errors.

RESOLUTION

POST needs to occur for the data transfer to take place. The inventory data resides within the BIOS SMI tables and cannot be successfully transferred to the Intel® Management Engine and viewed by the WebUI or retrieved programmatically. The BIOS and ME handshake must occur during POST to transfer data. Make sure the system has run through POST, so that the inventory data is transferred from BIOS into ME.

PROBLEM

Currently shipping non-provisioned Intel® vPro(TM) or Intel® AMT PCs on some Weybridge configurations may report a network disconnect/reconnect on five minute cycles when the 24 hour provisioning period expires while in a low power state. An unused security feature of Intel® AMT triggers the network disconnect and then resets the network connection on 5 minute cycles.

RESOLUTION

This issue has been resolved in the A09 BIOS release from Dell for the Optiplex 755. The BIOS release is available at the following URL:

http://support.us.dell.com/support/downloads/download.aspx?c=us&l=en&s=gen&releaseid=R181510&formatcnt=1&libid=0&fileid=247483

Click here for the update.\

PROBLEM

Is there an automated way to synchronize the operating system and Intel® AMT hostname?

RESOLUTION

The Intel® AMT Reflector tool\ is now available on the Intel® vPro(TM) Expert Center.

See the Tools wiki\ for more helpful Intel® vPro™ technology tools.

PROBLEM

A single Intel® vPro™ machine can be accessed via WebUI, but does not appear in DNS. Its name does not get resolved in NSLookup?

RESOLUTION

NSLookup does not use the standard client resolver routines but uses similar routines of its own. If true, this means a valid name-IP record could be cached on the client and being used by IE to resolve the name even though NSLookup fails to resolve the name and there is no DNS record.

To determine this, do the following:

1. In the command prompt program, enter ipconfig /displaydns to inspect the cache for the dns record.

   
   
   
   
   
   
   

2. Enter ipconfig /flushdns to clean out records and retry (it should fail if there is no DNS record).

   
   
   
   
   
   
   

PROBLEM

In an EAC*-enabled network, where a NAC or NAP server is deployed and configured to request “posture” or SoH, Intel® AMT connectivity may be lost to clients that are not in H0 state if the server configuration is modified to work with 802.1x only.

RESOLUTION

If the NAC/NAP server configuration is changed to work with 802.1x only, then do one of the following:

• Restart LAN switch ports, or

  
  
  
  
  
  
  

• Restart the clients.

  
  
  
  
  
  
  

PROBLEM

Intel® AMT wireless connectivity is not available when the operating system is running and the user is not logged in.

RESOLUTION

To work around this issue, configure the Single Sign On (SSO) driver to maintain a wireless connection. Once the SSO properties are set according to the table below, Intel® AMT will be able to connect to the wireless profile using Microsoft* Windows  credentials before the user actually logs on.

SSO Properties

• Pre-logon. This feature is identified with the “SSO” term. It allows you to connect to a  wireless profile using the Windows credentials entered by the user before the actual Windows log-in.

  
  
  
  
  
  
  

• Persistent. This feature allows you to connect to a wireless profile that doesn’t require user credentials (but alternatively requires “system credentials”), in case the user is not logged on (either after reboot or after log-off). In order to use it, the IT admin has to configure such a profile that doesn’t rely on user credentials.

  
  
  
  
  
  
  

• Security. Profiles for pre-logon and persistent connect are stored securely on the machine, cryptographically bound to the machine so that it cannot be transferred to another machine. The profiles are shared across all users on the machine, but certain user-based credentials such as PACs are stored on a per-user basis.

  
  
  
  
  
  
  

NOTES

• Microsoft Windows XP users: Using persistent connection adds a service to handle establishing connections when users are not logged on.

  
  
  
  
  
  
  

• Microsoft Vista users: The persistent connection is enabled on a per profile basis if the configured EAP (Extensible Authentication Protocol) method supports authentication with machine credentials.

  
  
  
  
  
  
  

PROBLEM

Cannot provision a system that uses an underscore in the host name.

SOLUTION

Special characters cannot be used in host names. DNS host names may only contain dash "-", letters or numbers. Underscores and other special characters are not supported by the RFC's that define host name conventions. Some DNS servers, including Microsoft's, can support host names outside of the RFC specifications. See the links below for more information.

MORE INFORMATION

Microsoft KB article 909264: http://support.microsoft.com/kb/909264

RFC 952: http://www.ietf.org/rfc/rfc952.txt

RCF 1123: http://www.ietf.org/rfc/rfc1123.txt

SOLUTION

The CRL does not automatically update on the clients. It needs to be pushed down from the SCS, by pushing it to individual AMT clients via the Operations screen, or to all clients via the Global Operations screen in the SCS Console.

MORE INFORMATION

The Certificate Revocation List contains the revoked certificates maintained by a CA. It is used when Intel® AMT clients are configured to use Mutual TLS (MTLS) authentication.

PROBLEM

The wired LAN NICs are not recognized by the Intel® AMT management consoles. They do show up in the DHCP listings in the Microsoft SMS* and Altiris* demos. Only the wireless NICs were discovered as Intel® AMT devices. IPCONFIG on each notebook shows IP addresses assigned to both WLAN and LAN NICs.

When the firewalls are turned off, the Intel® AMT consoles can communicate with the LAN NICs.

SOLUTION

Firewalls can prevent clients from registering an FQDN (fully qualified domain name), which prevents them from being discovered by the console. Verify that the firewall is not configured to block these kinds of requests.

SOLUTION

ASF Sensor Events

• Temperature

  
  
  
  
  
  
  

• Voltage

  
  
  
  
  
  
  

• Fan

  
  
  
  
  
  
  

• Chassis Intrusion

  
  
  
  
  
  
  

• System FW Error (descriptor codes and descriptions are in the ASF spec 2.0) Examples:

  Unrecoverable hard disk/ATAPI/IDE device failure

  No video device detected

  FW ROM corruption detected

  
  
  
  
  
  
  

BIOS Events

• System Boot Failure

  
  
  
  
  
  
  

• BIOS errors

  
  
  
  
  
  
  

OS Events

• OS Hangs

  
  
  
  
  
  
  

DESCRIPTION

SOLUTION

Customers should work with their OEM to develop a custom firmware image, then run a small pilot program to test it. Clear the CMOS and then try to reprovision the systems.

PROBLEM

For a system runing a Hypervisor on a platform with Intel® AMT 4.x or 5.x, the mismatch between the IP address assigned to the physical hardware and the guest operating system will prevent the manageability software from communicating with the Intel® ME.

RESOLUTION

1. Modify the configuration settings so that Dom0 is configured to use the virtual MAC address.
   
   
   
   
   
   
2. Assign #1 Guest operating system with the physical MAC address of the Intel® ME NIC.
   
   
   
   
   
   

1. The hardware initialization then the VMM and Dom0 will be brought-up.
   
   
   
   
   
   
2. Dom0 will provide the physical MAC address to the #1 Guest operating system, and virtual MAC addresses for each subsequent guest operating system.
   
   
   
   
   
   
3. The #1 Guest operating system will initiate a DHCP request with the physical MAC address.
   
   
   
   
   
   
4. The management console will now be able to communicate with the Intel® ME using the IP address assigned to #1 Guest operating system.
   
   
   
   
   
   

PROBLEM

When the Intel® Management Engine and host software are both configured to obtain IP addresses using DHCP, the Intel® Management Engine snoops DHCP transactions from the PC's host software (the PC's OS) in order to capture and share an IP address with the PC host (the OS). If the host software contains more than one source of DHCP requests (for example, if the host is running VMWare* with multiple virtual machines which use DHCP) then the Intel® Management Engine ends up sharing an IP address with the source of the last DHCP request for an IP address, instead of sharing the IP address for the host OS. This can lead to confusion -- which IP address is the ME using? What hostname is the ME contactable on? And so on.

How to Reproduce:
When the ME and host software are both configured to obtain IP addresses using DHCP the ME snoops DHCP transactions from the platform software in order to capture and share an IP address with the PC's host (the host OS).

RESOLUTION

For an IPv4 environment, this issue has been resolved in Intel® ME firmware releases 2.2.21 (Averill platform), 2.6.30 (Santa Rosa platform), and 3.2.20 (Weybridge platform), and 4.0 and later releases. Check with your OEM for availability of this release. In a virtualized environment with the updated firmware, Dom0 is configured to use a virtual MAC address and Guest #1 VM is configured to use the physical MAC address (this is same MAC address as the Intel® ME).  The result of the fix is that the IP address for Guest #1 and the Intel® ME are identical so the management console can communicate with the platform

In an IPv6 environment, the issue resolves itself, since the Intel® Management Engine will have its own IP address (even when using DHCP).

PROBLEM

When configuring ME wireless profile using host 802.1x, with the ME configured on same network with same encryption but with different inner method, the ME will behave differently in the following scenarios:

• When the host is connected along with ME, the ME will respond.
  
  
  
  
  
  
• When the ME has the active profile (the host is down) and admin will try to connect, the ME might not respond because it may fail to authenticate due to the different inner method (RADIUS-dependent).
  
  
  
  
  
  
• When the host is up, the ME will report a profile is configured and active over WS-MAN/SOAP.
  
  
  
  
  
  

RESOLUTION

RESOLUTION

RESOLUTION

PROBLEM

When performing SOL/IDER with SMS Console V3.0, the SOL console screen is set for local echo to be on and it cannot be disabled.

RESOLUTION

This issue is fixed in version 3.1 of the SMS Add-on, which you can download at http://softwarecommunity.intel.com/articles/eng/1356.htm.

PROBLEM

Using the Intel® AMT add-on for Microsoft* SMS 2003 on a Dell 755 returns this error:

Current system UUID is different from last discovered UUID. Please rediscover the system.

RESOLUTION

An Intel® AMT add-on for Microsoft* SMS 3.0 hot fix 3 is available online at http://www.intel.com/software/sms-add-on.
This hot fix removes the continuity check between the SMBIOS and the Digest UUID, which was determined to be an unnecessary check.

MORE INFORMATION

Click here to download the hot fix\.
Please review the release notes\ and the Read Me\ file to learn more.

PROBLEM

The Intel® AMT Add-on for SMS will communicate with the SCS over an HTTPS/SSL connection, however it will not communicate over an insecure HTTP/non-SSL connection, even if TCP port 80 is defined in the Intel® AMT Add-on configuration.

RESOLUTION

Upgrading to version 3.1 of the Intel® AMT Add-on for SMS resolves this issue. The update can be obtained from: http://softwarecommunity.intel.com/articles/eng/1356.htm

PROBLEM

The SMS Add-on documentation states that two hot fixes and registry patches are required. Are these patches/hot fixes required on the workstations that are running the Microsoft SMS console and Intel® AMT add-on only?

Are they required only if the end user from that workstation is planning to use the web interface?

Are they required for the SMS add-on to function properly?

RESOLUTION

These patches are required on a management workstation if you wish to access the web interface on Intel® vPro™ clients.

PROBLEM

Lenovo M55p systems return a hello packet of UUID 00000 during activation. This problem occurs on machines that shipped with factory-default BIOS of 36 or less.

RESOLUTION

A firmware update to version AMT2.1.0.1032 is available from Lenovo to resolve this problem. Contact your Lenovo representative if you need this update.

A BIOS update is not required, but is recommended. Visit the Lenovo web site and navigate to the Support & downloads section of the site to find BIOS 37a.

PROBLEM

Dell 755 returns a duplicate UUID 00000 during activation.

RESOLUTION

A BIOS update (version A04) resolves this issue and is available on Dell's web site.

Click here to download the A04 BIOS update.\

Note: If you are using the Intel® AMT add-on for Microsoft SMS 2003, then you also need to download Hot fix 3. See Using the Intel® AMT add-on for Microsoft SMS 2003 on a Dell 755 returns a UUID error\ for instructions.

PROBLEM

When the CMOS battery is unplugged from the HP 7800p, the Ctrl+P command for accessing the Intel® Management Engine is missing.

When SCS is opened and the refresh button is selected, the Intel® AMT device does not appear.

RESOLUTION

Use the following steps to the resolve this issue:

1. Press F-10, when prompted during the boot, to access the BIOS on the system.

   
   
   
   
   
   
   

2. In the BIOS choose the advanced menu -> Power-On Options and select the “MEBx Setup Prompt”

   
   
   
   
   
   
   

3. Use the right arrow key to cycle it to “Displayed.”

   
   
   
   
   
   
   

4. Press F-10 to accept the change.

   
   
   
   
   
   
   

5. Go to the file menu and select Save Changes and Exit.

   
   
   
   
   
   
   

6. The Ctrl-P prompt will reappear.

   
   
   
   
   
   
   

PROBLEM

In vPro-capable HP dc7800 systems, when Intel® AMT is turned on, everything works fine. When the Intel® AMT driver is turned off in the Intel® Management engine, the Intel® HECI driver in the operating system causes an error to occur in the device manager: "device cannot start".

RESOLUTION

Follow these steps to correct this problem:

1. Boot the client and press Ctrl + P to access the AMT/ME configuration settings.

   
   
   
   
   
   
   

2. Go to the Intel® ME Configuration and press Enter.

   
   
   
   
   
   
   

3. Type Y to continue.

   
   
   
   
   
   
   

4. Select Intel® ME Features Control and press Enter.

   
   
   
   
   
   
   

5. Select Manageability Feature Selection and press Enter.

   
   
   
   
   
   
   

6. Select None and press Enter.

   
   
   
   
   
   
   

7. Press ESC to go back to the main screen.

   
   
   
   
   
   
   

8. The system will reboot.

   
   
   
   
   
   
   

9. Go into device manager and verify that there are no failed devices.

   
   
   
   
   
   
   

PROBLEM

On brand new Intel® vPro™ systems, the Intel® AMT Status Application dialog box displays the Intel® AMT Status as "Enabled" even though Intel® AMT has not been configured. Are OEMs shipping systems with Intel® AMT enabled (provisioned)?

RESOLUTION

The Intel® AMT status application is designed to show if the Intel® AMT is or is not enabled in the Intel® Management Engine. It does not reflect if a system has been provisioned/configured. Even when Intel® AMT is disabled in the Intel® Management Engine, the Intel® Management Engine can still be accessed. OEMs do not ship provisioned systems unless that service is requested and purchased by the customer.

PROBLEM

Are there DLLs, in the operating system, that access vPro?

RESOLUTION

Individual OEMs manage the Microsoft Windows drivers that use Intel® vPro™ technology. To access current drivers for clients, visit the OEM’s website.

PROBLEM

Command line switches are not working properly to enable a silent install with the Intel® AMT drivers.

RESOLUTION

The issue is that the wrong hyphen/dash character is being used. If the code is copied from an MS Word* document, the regular hyphen is replaced with another hyphen-like character which causes the command line options to work incorrectly.

Typing the command, rather than copy and paste, solves this problem.

PROBLEM

The SoL/IDER sessions do not work on the X61 tablet.

RESOLUTION

This issue is resolved using the 1.07 BIOS release.

Visit the Lenovo web site and navigate to the Support & Downloads section of the site to find BIOS 1.07.

PROBLEM

Unchecking SoL and IDER, under the network tab, isn’t disabling the feature on the Lenovo M55p.

RESOLUTION

Update the BIOS to version 37a or newer versions. Visit the Lenovo web site and navigate to the Support & Downloads section of the site to find BIOS 37a or later.

PROBLEM

Sending the "power down" command to the Dell* D630c notebook immediately shuts it down, but then it automatically re-boots.

RESOLUTION

This issue is resolved in BIOS version A02 for the Dell* D630c. You can download the BIOS update package from Dell at the following URL**:

Click here.

**This Wiki contains links to other Internet sites. Such links are not endorsements of any products or services in such

sites, and no information in such site has been endorsed or approved by Intel, Inc.

PROBLEM

RESOLUTION

Check your OEM BIOS documentation for information about the supported terminal emulation modes and how to select the mode. Usually, the terminal emulation mode option will be in the Intel® AMT section of the BIOS Setup utility. Use ANSI mode for a more graphical looking display.

RESOLUTION

RESOLUTION

PROBLEM

The SOL screen goes blank and no further Intel® AMT communications is possible. The Dell client system must be manually powered off to restore the system.

RESOLUTION

A firmware update to version AMT2.1.0.1032 is available from Lenovo to resolve this problem. Contact your Lenovo representative if you need this update.

Update to the A03 or later Dell system BIOS.

PROBLEM

The Dell PXE option ROM ignores the PXETimeout value and will disconnect from the network after five minutes if the system has not booted to the operating system, or if the operating system LAN drivers have not been loaded. This issue has been seen on Dell 755 and E6400 notebooks.

RESOLUTION

Dell posted a new BIOS on 6/21/10 to fix this issue. Install the latest Dell BIOS.

PROBLEM

The customer updated the Dell E6500 notebook PC with Dell BIOS A19. The update failed and reported the following error:

RESOLUTION

PROBLEM

A  reset command from a WebUI console to an HP EliteBook 8440p Notebook PC  during a KVM remote control session will cause the keyboard on the  remote console to locked-out at the Windows* Error Recovery Screen. HP  has fixed this issue and has posted a new BIOS release.

RESOLUTION

PROBLEM

When the system is in a sleep state, the BIOS will receive a  wake-up event after the Intel® ME sends out an ARP request. The expected behavior  is for the BIOS to then re-arm and go back into the previous sleep state. Some  systems go into a sleep state but never wake-up after the wake-up timer  expires.

RESOLUTION

PROBLEM

Are the Weybridge SoL and/or HECI drivers backward-compatible with Averill? Can they be used and supported on an Averill platform?

RESOLUTION

Backward compatibility depends on the OEM and if they choose to support the drivers and platforms. For instance, HP does support the same drivers for 7700's, 7800's and 6910p, but other OEMs may not support the same drivers.

PROBLEM

Partial unprovisioning of a system fails. The SCS log reports the following messages: "SOAP Failure (21): cannot partially unprovision AMT" or "SOAP Failure(21): cannot GetLowAccuracyTimeSync"

RESOLUTION

The partial un-provision command requires a FQDN to work. Accurate client DNS records are required to provide an FQDN for this functionality.

PROBLEM

Validation of SCS service users takes over 30 minutes when installed in a large Active Directory environment

RESOLUTION

This issue is scheduled to be resolved in Intel® AMT SCS 5.0, to be released by the end of Q2.

PROBLEM

The standard domain-only validation SSL certificates from the GoDaddy Certificate Authority are not suitable for Intel® AMT remote configuration. These types of certificates do not contain the OU information required by the firmware to accept them.

RESOLUTION

If GoDaddy is used as the CA, then request a High-Assurance SSL certificate, which should include the OU information required by the Intel® AMT client.

For more information, see the Intel® AMT SCS Installation and User Manual\, Chapter 3, section “Preparing Intel® AMT for Future Configuration.”

PROBLEM

Intel® AMT functionality works in DHCP IP with Enterprise mode and SMS. However, SMS does not find asset information from the Intel® vPro™ machine when using Static IP with Basic mode.

RESOLUTION

Static IP addresses are not recommended. If they must be used, then the Intel® Management Engine and the operating system will each need their own static IP address in order for AMT to function properly.

PROBLEM

Setup and Configuration Service (SCS) reports an error when provisioning Hewlett-Packard (HP) 6910p computers when using Wake on LAN (WoL) power policies 4 and 5.

RESOLUTION

This error occurs for all HP platforms shipped in 2007 and there is no workaround. HP does not support these power policies and the SCS is accurately reporting that they are unsupported.

Escalate this known issue to your HP sales representative.

PROBLEM

Will the PKI-CH implementation currently available in Intel® AMT 2.2, Intel® AMT 2.6, and Intel® AMT 3.0 consistently support wildcard RCFG certificates?

Intel® AMT 2.6 supports wildcards; but Intel® AMT 2.2 and 3.0 do not. Will Intel® AMT 2.2 and 3.0 will support wildcard certificates?

RESOLUTION

There are no plans to enable support for wildcard certificates in Intel® AMT 2.2 or any future updates for that generation of hardware. There are plans to support wildcard certificates in the future release of Intel® AMT 3.2

PROBLEM

The SCS service crashes repeatedly due to excessive logs. In the SCS Win Log, the OLE database error for timeout is displayed.

RESOLUTION

Reduce the database logs to a reasonable size, based on available processes.

PROBLEM

Are there any known issues or limitations in pointing provisionserver.company.com to a Network Load Balancing address that balances between two or more SCS servers (all are in the same domain)?

RESOLUTION

The SCS support team confirmed that this is a supported configuration, provided all the SCS servers point back to a single SCS database.

PROBLEM

Is the Microsoft Windows* SNMP trap service required in the latest SCS version?

RESOLUTION

The SNMP trap service is not required for installing or using SCS, but it is required for the Intel® AMT Add-on for SMS* V3.0 to receive PET alerts from Intel® AMT clients per the SMS manual.

It is used as a receiver for platform trap events. Clients can be configured to send platform traps to an SNMP service. Since the Intel® AMT Add-on is capable of configuring clients, an SNMP trap service is required during installation for a complete solution.

PROBLEM

After setting the properties for the Intel® AMT system, the status goes to InProvisioning, but nothing changes. The logs contain the following message: Cannot create AD AMT Object: Failed on CreateDSObject with ht-73207ty, - Process Delayed.

RESOLUTION

This error message normally occurs for the following reasons:

1. The AD schema extension has not been applied

   
   
   
   
   
   
   

2. The Schema extension has been applied, but the SCS service user does not have necessary permissions to AD OU to create and manage Intel® AMT ME objects.

   
   
   
   
   
   
   

If the extension for the AD schema is not needed, then uncheck the Active directory Integration checkbox in the SCS General Settings screen to prevent SCS from trying to create AD objects during provisioning.

PROBLEM

SCS cannot complete provisioning of a system if the Configuration Parameters do not have a value specified in the OU column, even if the SCS is not using the Integrated with Active Directory option. Users must either manually add a value (during the manual process) or define a value when using remote tools like the RCT.

RESOLUTION

This is a known issue with SCS and it is slated to be corrected in SCS 5.0.

PROBLEM

The web interface cannot be accessed using Kerberos authentication. When the Firefox web browser was used, Admin authentication could be accessed, but the https digest could not be accessed. Internet Explorer* cannot access either Admin authentication or Https digest.

RESOLUTION

If the AD schema is not extended, the Kerberos user authentication will not work. Using digest users resolves this issue.

PROBLEM

What is the technical limitation of having static IP addresses in an Enterprise Mode environment and what would be workarounds that would allow a customer to use both? Since DHCP dynamically updates DNS, if you manually entered DNS suffix in Intel® Management Engine and maintained DNS manually then would that allow customers to use static IP addresses with enterprise mode?

RESOLUTION

While this is not recommended, the DNS entries can be maintained as described in the question. Multiple computer entries, in the management console, will be needed for managing clients that use Static IP.

PROBLEM

Is it possible to have an operating system setup with static IP address and Intel® Management Engine setup for DHCP mode? Can the IP address of the operating system and Intel® Management Engine be on different subnets? Or do they need to be on same subnet?

RESOLUTION

This scenario is not supported and has not been tested.

PROBLEM

The SCS console can only be logged into using the initial setup account that is provided during SCS installation. Any attempts to log in with a user account that has enterprise admin rights and has been added to SCS Users and Groups fail. The error message received is: Login Failed and the reason is: The remote server returned an error: (502) Bad Gateway.

RESOLUTION

The root cause is that the customer has an Internet Explorer* configuration that uses a proxy. On the https connection, both the SCS console login and the SCS service uses the same proxy settings and that causes it to fail with error 502 bad gateway. Un-checking the use of the proxy in Internet Explorer solves the problem.

PROBLEM

RESOLUTION

Before the Intel® AMT system is provisioned, changing the Intel® MEBX password from the local console will also change the remote admin password.  After the system is provisioned, changing the local Intel® MEBX password will not change the remote admin password.  During provisioning, the Intel® MEBX password and the remote admin password can be set.

PROBLEM

When creating a MEBx password via SCS and deploying to client machines located in different countries, IT administrators are advised that international keyboards may have different layouts for Latin characters. This may result in password failures as a result of entering the same password on two different keyboards supporting different languages.

As an example, a multi-national company headquartered in France may deploy a client to one employee in France and Japan. Because the keyboard layouts are different, the passwords may be inadvertently different and may fail when entered on a different keyboard.

Below is a comparison of different language keyboards.

Japanese keyboard

US English keyboard

RESOLUTION

When creating your password, use character keys that are common between all keyboards and follow the guidelines below. These guidelines assume that the password is user-defined. In high security instances, the password will be auto-generated and you will need to compare the keyboard layout diagrams to help determine your MEBx password.

• The following is a list of keyboard keys that are common keys for all keyboard types: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, B, C, D, E, F, G, H, I, J, K, L, N, O, P, R, S, T, U, V, X

  
  
  
  
  
  
  

EXCEPTION: These keys are not common between Japanese and US keyboards: 2, 8, and 9. Be sure to use the illustrations above to verify common keys when creating passwords.

Note: Passwords can be created using characters generated by the Key and Shift Key

• MEBx passwords require special characters to ensure security. Use SHIFT+N, where N equals 0, 1, 2, 3, 4, 5, 6, 7, 8, or 9, to include special characters in your password.

  
  
  
  
  
  
  

For example, if your strong password is JOK&F49!, you would relay this password to international users as: 

• Passwords using the A,M,Q,W,Y and Z keys can cause problems and are not recommended.

  
  
  
  
  
  
  

PROBLEM

The Intel® AMT Systems screen of the Intel® SCS web console has a column titled Authorized. All the systems that are provisioned show up as False. What does this column mean?

RESOLUTION

The Authorized column signifies systems that can be provisioned that have not been authorized to complete the process.

PROBLEM

When attempting to use the latest SCS with RCT 3.3 with a Remote Config Cert from GoDaddy, this error displays in SCS: Cannot handle provisioning exception: (0xCFFF06AC) SOAP Failure (23): getFullCoreVersion: SSL error - SSL authentication failed in tcp_connect(): check password, key file, and CA file.

RESOLUTION

The remote config certificate needs to be in the personal store of the SCS service account.

1. Log into your server with the SCS service account.

   
   
   
   
   
   
   

2. Launch MMC.

   
   
   
   
   
   
   

3. Select File > Add/Remote Snap-in.

   
   
   
   
   
   
   

4. Select Certificates from the snap in menu and click Add.

   
   
   
   
   
   
   

5. When prompted, select My user account and click Finish.

   
   
   
   
   
   
   

6. Click the Close button to close the snap-in selection window.

   
   
   
   
   
   
   

7. Click OK to close the snap-in Add/Remove menu.

   
   
   
   
   
   
   

8. Open Certificates, then open Personal.

   
   
   
   
   
   
   

9. Right-click the Personal folder, select All Tasks and then Import.

   
   
   
   
   
   
   

10. Use the wizard to import your remote configuration certificate into personal store of your SCS service account.

    
    
    
    
    
    
    

PROBLEM

If environment detection is not configured, Intel® AMT VPN connection cannot be enabled even though there is no direct relationship between these two.

RESOLUTION

Define the DNS suffix in the environment detection list with one which matches with the host's list of DNS suffixes.

To define the suffix:

1. Open the Intel® SCS Console.

   
   
   
   
   
   
   

2. Expand the Configuration Service Settings branch.

   
   
   
   
   
   
   

3. Select Profiles. The Profiles screen displays.

   
   
   
   
   
   
   

4. Select the profile to be modified.

   
   
   
   
   
   
   

5. Click Edit. The Profile Configuration dialog box displays.

   
   
   
   
   
   
   

6. Display the Network tab.

   
   
   
   
   
   
   

7. Click Environment Detection.

   
   
   
   
   
   
   

8. In the Environment Detection dialog, click Add.

   
   
   
   
   
   
   

Enter up to five domain suffixes that define permitted domains within the enterprise network. The Intel® AMT device uses this list to determine whether the platform is operating inside or outside the enterprise network. Management consoles can define the behavior of the device when it is outside the enterprise, including setting a policy that will block network traffic.

9. Click OK.

PROBLEM

Error code 998 displays when trying to remove a wireless profile in the SCS, indicating that the profile is in use.

RESOLUTION

This error is generated if the wireless profile you are using is assigned to a system profile within the SCS. In order to delete the wireless profile, first remove it from any system profiles.

PROBLEM

The client machine logs errors related to setting the time when time synchronization is enabled in Intel® SCS 3.x and the OS is also using Active Directory to synchronize system time.

PROBLEM

What are the minimum security requirements required for the account which is installing SCS?

RESOLUTION

The account needs to be a member of the local administrators group and an administrator on the SQL server.

PROBLEM

SCS 5.0 does not support 64-bit operating systems. Customers using 64-bit operating systems need to use SCS 5.1 or later.

At this time there is no workaround for SCS 5.0 to support 64-bit operating systems. This issue is not documented in the SCS 5.0 documentation.

SOLUTION

SCS 5.1 supports 64-bit operating systems.

PROBLEM

The SCS Console Operator role does not appear to give users the right to access the security keys, which conflicts with the documentation and is a pre-requisite for an operator performing a pre-provisioning function.

SOLUTION

This issue was fixed in SCS 5.0.

PROBLEM

Remote configuration fails consistently when attempting to provision clients with SCS. The error message in the SCS log is 'Cannot handle provisioning exception: (0xCFFF06AC) SOAP Failure (23): getFullCoreVersion: SSL_ERROR_SSLerror:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error - SSL connect failed in tcp_connect()'

The provisioning server has the correct (non-wildcard) RCFG certificate and certificate chains from the signing Certificate Authority. The client domain name from the DHCP server (option 15) matches the domain in the RCFG certificate and the SCS domain. The server also correctly provisions clients using the TLS-PSK method.

The Clients can also be correctly provisioned using RCFG when connected to a separate test network.

SOLUTION

PROBLEM

How often does the SCS purge log files and can the retention date be configured?

SOLUTION

There are maintenance procedures that SCS executes once every five minutes: cspi_cleanRequestStatus and cspi_cleanLog. These procedures did not execute automatically in SCS 3.3 and earlier.

This was fixed in SCS 3.3. Both procedures will execute automatically. The default value of cspi_cleanRequestStatus is five days.

SOLUTION

PROBLEM

The USBFile version 2 utility was used to create PID/PPS pairs, but the SCS console cannot import the setup.bin file. It displays an error message indicating the supplied setup.bin has an incorrect file format.

SOLUTION

PROBLEM

The SCS Console Operator role does not appear to give users the right to access the security keys, which conflicts with the documentation and is a pre-requisite for an operator performing a pre-provisioning function.

SOLUTION

This is a known issue and will be fixed in SCS 5.0.

SOLUTION

The user installing Intel® SCS must be a member of the local
administrators group and a SQL administrator. The user
installing the software does not need to be a domain
administrator.

SOLUTION

Check future versions of Intel® SCS to determine if it is supported on non-English versions of Microsoft* Windows* Server 2008.

PROBLEM

The Intel® AMT log shows the following error after a provisioning attempt:

Failed to apply all changes - SCS Code:637 - Operation: Setting system data

SOLUTION

SOLUTION

PROBLEM

USB provisioning failed after multiple attempts.

RESOLUTION

This is by design. USB provisioning only works on a "factory new" system, meaning that it has never been provisioned. Once Intel® AMT is provisioned, the one-touch USB method will not work again until the CMOS battery is pulled and reset.

Acer

TravelMate 6592

1.53

Not supported

Not supported

Not supported

Not supported

Dell

Latitude D630c

A09

Yes

Yes

Yes

Yes

FSC

LifeBook E8410

1.16

Not supported

Not supported

Not supported

Not supported

HP

2510p

F.0D

Yes

Yes

Yes

Yes

HP

6910p

F.16

Yes

Yes

Yes

Yes

Lenovo

ThinkPad T61

7LETB9WW(2.24)

No

Yes

No

No

Lenovo

ThinkPad X61 Tablet

7SET31WW(1.19)

No

Yes

No

No

Lenovo

ThinkPad X300

7TUJ05US (1.08)

No

Yes

No

No

Samsung

NP-P55

07AY

Not supported

Not supported

Not supported

Not supported

Toshiba

Protege M700

1.40

Not supported

Not supported

Not supported

Not supported

Toshiba

Tecra M9

1.90

Not supported

Not supported

Not supported

Not supported

PROBLEM

Customers activating a high number of systems using One Touch/USB provisioning may run into performance degradation attempting to import these keys in a management console.

RESOLUTION

There is no theoretical limit to how many PID/PPS pairs can be on a USB key, but there may be a threshold above which the performance degrades significantly.  At this time, the largest known deployment using USB provisioning was with a 30,000 PID/PPS pair.  Altiris* was unable to process this setup.bin file, however the Intel® SCS Console was able to import these keys despite the timeout error that the console indicated.

List all available parameters

AMTUSBFile.exe –h

Generate X number of pairs

AMTUSBFile.exe –c current ME password new ME password –n number of pairs

For example, to generate 625 records would take ~1 second:

AMTUSBFile.exe –c admin Landesk1! –n 625

Import the keys from the generated setup.bin to the LANDesk database

AMTUSBFile.exe –i

Note: LANDesk uses an encrypted string when saving credentials to the database. Sometimes, this encrypted string is invalid to databases, such as Oracle. If this occurs, you may need to run the command several times before the keys are added. Records already imported will not be imported again.

Verify the list of records in the database

AMTUSBFile.exe –g

PROBLEM

HP* 8730w is unable to boot from a USB provisioning key created by Intel® SCS Console. The system hangs and the screen goes blank. This is a known issue for BIOS versions F.10 and earlier.

SOLUTION

Upgrade to BIOS F.11.

PROBLEM

The Lenovo* BIOS must be updated to use USBFILE 2.1 with USB provisioning on the Lenovo* M58p.

SOLUTION

Update your Lenovo* M58p BIOS to the latest BIOS available on the Lenovo website (posted 7/27/09).

RESOLUTION