The Task Server contains AMT function tasks that give you the ability to integrate AMT functionality into Task Server Jobs. This allows you to use AMT in conjunction with Software Delivery, Scripting, and any other Task Server supported function. Understanding how to troubleshoot the AMT side of a Task Server job will help resolve issues so that AMT can be utilized. This includes the following technologies:
System Defense - Network Filtering
Reliable Power Management
IDE redirect for boot redirection
This is the concluding article for the series: Troubleshooting the Altiris Manageability Toolkit for vPro Technology. The first four articles covered the setup and configuration of AMT systems, while parts 5 and 6 covered RTCI and RTSM respectively. This final article discusses troubleshooting the AMT integration into Task Server when issues arise.
As an introduction, the actual SOAP or API calls made to the AMT system is invoked through Real-Time Console Infrastructure, the same as when they are invoked through the Real-Time tab for RTSM. Though the calls are from the same place, how those calls are made differ. The following subjects will be covered:
Determining Cause of Failure
AMT Detection Issues
Determining Cause of Failure
Often you'll known the general symptom that tells you a job or task in Task Server didn't execute as expected. For example a power management task may have shown as run but the AMT system never woke up. A failure is not shown except deep within a series of status windows.
To determine the returned error, use the following steps. Task Server's actual failure code is buried deep in a series of status windows, as shown in the screenshot after the steps.
Under the Task or Job that failed, double-click on the general status row for the specific execution attempt.
If within a job, double-click on the line that represents the task or AMT function that failed.
Note the numbers of successes versus failures. Click the ‘View Report' link.
Now you'll get a grid with the status of the Task, including the status and return code, if present.
AMT Detection Issues
When Task Server reaches a Task that involves AMT, it makes direct calls to AMT in those systems targeted in the task or job. Detecting AMT and subsequently executing the scheduled function requires success at both junctures. The following sections discuss potential issues and solutions in this process.
Power State Unknown
One common problem we see is when a power management task fails due to the failure message: Generic error, FromState detected as unknown:14. This will cause the power action to fail. The causes vary, but the following list contains the most common:
System unreachable - The target system is not available on the network
AMT failed to be detected - See the subsequent section ‘AMT not detected'
Authentication failed - See the subsequent section ‘Authentication Troubleshooting'
AMT is unavailable - If a system is not provisioned, or AMT is not functioning on that system
Use the following process to determine what the issue is:
If RTSM is available, try connecting to the target system using RTSM, specifying the same credential profile.
If that fails, try manually putting in credentials until you find one that works.
If Step 1 succeeds, try creating a different connection profile with only AMT functions provided.
If no RTSM is available, still try the profile with only AMT functions to see if it works.
Try other AMT functions, such as Collect Intel AMT Inventory to see if they succeed.
If other functions succeed, try using another method to reboot the system to reset the power state stored in the Intel ME. One way to accomplish this is using the Task Server Power Management Agent to send down a standard reboot command to the PC.
If no other AMT functions are successful, AMT might not be properly setup on this system. Ask the question: Has this system gone through the provisioning process?
If unknown, use the Out of Band Discovery Task to see if AMT is available and to identify what state it is in. See the steps provided under the ‘AMT Not Detected' section following.
If all else fails (generally this is on a system-by-system basis, rarely do a collection of systems encounter this level of this issue) try reprovisioning the system by fully unprovisioning and going through the provisioning process again.
AMT Not Detected
Normally a non-vPro system will receive the return code that AMT was not detected. This is accurate, but when it happens to valid managed vPro systems, the issue must be troubleshot to determine why the applying Task Server cannot detect AMT on the system. Out of Band Discovery is a great way to determine what state the system is in. Use the following steps to take stock of the systems:
In the Altiris Console, browse to View > Solutions > Out of Band Management > Configuration > Out of Band Discovery > and select the ‘Out of Band Discovery' policy.
Enable the policy if it is not yet enabled. If it is enabled, set a schedule to run the discovery again so you have updated information on your systems.
On the AMT system in question, go to the Altiris Agent and bring up the Agent UI by double-clicking on the system tray icon or by launching C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe.
Highlight the ‘Out of Band Discovery Package.
Click the ‘Out of Band Discovery' link under Application Tasks.
Once completed, now check back at the server and double-click the system within a collection to bring up Resource Manager.
Click on the Inventory tab and browse to Out of Band Management, and select the data class OOB Capability. This will give you the details of AMT.
If AMT is disabled, it needs to be enabled in the BIOS. A BIOS update from the vendor may provide you a remote way to enable AMT, by using Software Delivery for example. If it is all enabled, next check the provisioning status. Provision as necessary.
As with RTSM, Task Server uses the same basic authentication method when executing against a computer. Task Server also includes another option to add additional credentials to the execution to be used when contacting the protocol, which is AMT in this case.
Since RTCI controls the authentication, much of the same method is used whether the execution of an AMT command is issues from the Real-Time console or from Task Server, however there are some differences.
Runtime Profile - The Runtime profile contains he following information:
All known good credentials used to connect via RTSM to a system
The Intel SCS AMT password sent to systems when provisioning occurs
Previously successfully used credentials from past RTSM sessions
Previously successfully used credentials from a Task that succeeded
User-defined Profiles - Profiles can be created that specifically provide credentials for the four types of technologies:
WMI digest or Domain account
AMT digest or Kerberos-authenticated user
ASF digest or Domain account
SNMP community strings
Task-specified Credentials - When a user setups up a job or task, the user can specify specific credentials to be used when executing AMT-related functions through the profile interface. This option is per job or task, and applies to all AMT functions invoked during the job or task. The Interface allows this as shown in the following screenshot:
The following method will help identify issues and offer ways to work-around and solutions. These have been compiled through experience when troubleshooting issues with failed authentication with Task Server.
First, how do you determine if your task or job is failing due to authentication? Use the previous section under Introduction labeled ‘Determining Cause of Failure'.
In the Altiris Console browse to View > Solutions > Real-Time Console Infrastructure > Configuration > select Manage Credentials Profiles, or in the Task click the ‘Run Now', and on the subsequent page click on the pencil icon next to the credential profile being used.
Where does the green checkmark fall? This is the default profile that will be used when connecting via a Task Server task.
Create a new profile by clicking the blue + on the icon bar in the right-hand pane.
Under the Intel® AMT tab check the box ‘Enable this technology in the profile'.
Supply the admin user credentials set when the managed vPro systems were provisioned.
Under the WMI tab also check the box as above and provide a user that has admin privileges to the target system.
Give the profile a name and then save it.
Back at the main screen check the box under the ‘Default' column until the green check-mark uses your new Profile, or if you are in a job interface select the profile to be used for the run. Note that this does not require you to make it the default profile, allowing another profile to remain the default credentials.
Run the task or job to see if the authentication failure has been resolved.
If it is not, try rerunning with the Runtime Profile. This contains all known good authentication attempts to the system from either Task Server or RTSM.
In one case we supplied only AMT credentials in the Profile which allowed it to authenticate to AMT while a multiple protocol authentication profile failed. If your Task or Job does not contain any of the other protocols, this is recommended.
This concludes the Troubleshooting article series for the Altiris Manageability Toolkit for Intel vPro Technology, version 6. While this doesn't cover all issues, it should resolve most of the common issues we've seen.