Known Issues, Best Practices, and Workarounds

Best Practices

Automatically disabling the Intel® AMT Privacy Notification window

PROBLEM

A Privacy Notification window automatically displays when each user logs into the Intel® AMT system.

RESOLUTION

End users can disable this window by selecting the "Do not display this message" checkbox.

However, you can also disable the Privacy Notification window and still keep the application running by modifying a registry key.

 

To modify the registry key:

 

  1. Open the registry and locate this key: HKEY_LOCAL_MACHINE\Software\Intel\Network_Services\atchk

  2. Create a new DWORD value named MinimizePrivacyIconAtStart and set it to 00000001.

11.9.2007

 

 

Changing Terminal Emulation Type

PROBLEM

Some vendor BIOS versions only support the display of specific emulation types. Using this command, specific ISVs will be able to redirect and emulate without issue.

RESOLUTION

This command only applies to users running Altiris, HP Openview, and Microsoft SMS.

 

On the console machine:

 

  1. At the Start menu, select Run.

  2. In the Open field, enter CMD and click OK. A command window opens.

  3. At the command prompt, type telnet and press Enter.

  4. In the telnet session, type set term ansi or set term vt100 and press Enter.

  5. Type quit and press Enter.

 

Your terminal emulation type is now set to ANSI or VT100, depending on what you entered. You can re-enter the telnet session at any time and type d to verify the emulation type.

 

NOTE: If you do not properly quit the telnet session, the setting will not be saved.

6.11.2008

Customizing the Intel® AMT Status dialog box

You can view the status of Intel® AMT on a machine by double-clicking the system tray icon and choosing Status. This dialog box displays whether Intel® AMT is enabled or disabled. It also has a hyperlink that allows the user to visit a site for more information about Intel® AMT. You can customize this hyperlink to go to any site you wish. For example, you may want to modify it to point to your organization’s help desk page or to the Intel® vPro™ Expert Center (http://www.intel.com/go/vproexpert).

 

This procedure applies to Intel® AMT 2.5 and greater. See the readme file, included in the download, for more information.

  1. Download the files to modify the registry.
  2. The files are located here: http://communities.intel.com/docs/DOC-1797
    1. Save the OemUrlRegistry.zip file to your desktop.
    2. Extract the files: oementry.re_ and readme.txt.
  3. Customize the hyperlink.
    1. Open oementry.re_ in a text editor.
    2. Edit the destination hyperlink. The default entry is: "OemUrl"=http://www.intel.com/vpro.
    3. Rename oementry.re_ to oementry.reg.
  4. Run the *.reg file to modify the registry.
    1. Double-click oementry.reg.
    2. A cautionary dialog box displays. Click OK.
    3. An information dialog box displays that the registry was modified. Click OK.
  5. Restart the computer.

Intel® AMT platform may have up to 8 client certificates that can define different 802.1x profiles

 

PROBLEM

Some users need to move a PC between several networks.  For example, a support technician may support multiple clients that require different client certificates.

RESOLUTION

Users may install up to 8 client certificates.

 

 

2.24.2009 QA1312

 

Root certificate size limit is 2048-bits

PROBLEM

Intel® AMT is incompatible with a 4096-bit PKI if Intel® AMT systems need to validate a certificate chain containing this key size, for example in 802.1X networks.

SOLUTION

If a customer already has a PKI with a 4096-bit root certificate, you can work around this issue by adding a 2048-bit root CA and then using it to issue certain certificates (for example, RADIUS).

4.2.2009 QA1341

How to hide the Intel® Management & Security Status (IMSS) tool system tray icon

 

SOLUTION

To hide the IMSS system tray icon, delete the key at the following registry location:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Picon\"C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe"

 

4.2.2009 QA1342

 

Password issue causes WebUI to report "The system may be under attack" in the event log

 

 

PROBLEM

The password policy is configured by the OEM during manufacturing. The primary setting allows a one-time change from Admin/admin to a unique password, with the remote and local access passwords kept in sync. If you changed the password on the remote client, you will have two passwords. This is intended to allow customers to have a unique password for local access and to allow the user to change it randomly to ensure the security of the system.

SOLUTION

The system was working as designed. The local MEBx password and the WebUI remote passwords may be different if the user has changed the MEBx password on the local machine.

 

11.12.2009 QA1389

Fast Call For Help Q&A

 

PROBLEM

Question 1: Is KVM Remote Control supported using Fast Call For Help?
Question 2: Does Fast Call For Help use Kerberos authentication?
Question 3: Does Microsoft* ConfigMgr support Fast Call For Help?

SOLUTION

Answer 1: Yes, you can use KVM Remote Control after you establish a Fast Call For Help connection.
Answer 2: No, Fast Call For Help only supports Digest authentication.
Answer 3: No, Microsoft ConfigMgr does not support Fast Call For Help at this time.

 

02.19.2010 QA141

 

Intel® AMT technology does not support certain characters in FQDN

 

PROBLEM

Intel® AMT does not support fully qualified domain names (FQDNs) ending in "_" or "-".

SOLUTION

Avoid using these 3-character strings at the end of the FQDN.

 

05.13.2010 QA1394

Intel® AMT Event log includes Platform Event Traps from the BIOS

 

PROBLEM

Some events listed in the Intel® AMT event log are generated by the BIOS and simply passed through to the Intel® AMT event log. For example, if the system fails to boot using the PXE option, you may see a "System boot failure" event in the log. The source may say Intel® AMT only because it was passed by the BIOS to the Intel® AMT firmware.

RESOLUTION

No solution is required. This is expected behavior.

 

 

6.1.2009 QA1345

VeriSign* certificates with MD2RSA signature algorithm for authentication of RADIUS servers

 

PROBLEM

The MD2RSA signature algorithm is not supported by the Intel® AMT firmware. VeriSign* updated their SSL certificates to use a 1024-bit, SHA-1 root in 2009.
Refer to VeriSign* advisory AD146, updated 12/04/2009, for details on how to upgrade your certificates. (link)

RESOLUTION

Update the older VeriSign* signing certificates to chain up to the new SHA-1 root. You do not need to update the VeriSign* RADIUS server certificate (leaf certificate).

 

 

10.13.2010 QA1423

Simultaneous IDER and KVM remote control sessions cause errors on Lenovo T410

 

 

PROBLEM

If you start a SOL/IDER session first, then start a KVM remote control session with VNC+, the keyboard and mouse are lost in the KVM remote control session.

RESOLUTION

Update to the latest VNC+ viewer and Lenovo BIOS and firmware stack. For Lenovo systems, update to package 1.21-1.10 or later. For other OEMs, contact the OEM.

 

 

10.13.2010 QA1457

 

SOL/IDER on Intel® AMT 6.0 platforms fails with some management consoles

 

PROBLEM

In Intel® AMT 6.0, the redirection listener for SOL/IDER is turned off by default. This can cause a failure in management consoles that do not open the redirection listener during the initiation of the SOL/IDER session. The default state of the listener can be changed using a MEBX setting (AMT Legacy Redirection Mode), but it cannot be changed from Intel® SCS 5.4 or 6.0.

RESOLUTION

To use SOL/IDER with a management console that doesn't send the commands to open the redirection listener, go to the client and change the AMT Legacy Redirection Mode setting in the MEBX.

 

10.13.2010 QA1450

UTF-8 emulation BIOS support required for displaying Portuguese characters in SOL session

 

RESOLUTION

To correctly display Portuguese in a SOL session, select UTF-8 emulation in the Intel® AMT section of the BIOS. The OEM must provide UTF-8 support in the BIOS. Customers should contact their OEM for support.

 

12.13.2010 QA1435

How to change a client previously set to SMB mode without a hostname to Enterprise mode

 

PROBLEM

A customer manually set SMB mode, but did not enter the client host name. The customer wants to remotely provision the client using Enterprise mode (PKI).

RESOLUTION

Run ZTCLocalAgent.exe -Activate as administrator on the client. This command will set the provisioning mode to Enterprise. The utility is available in the Intel® AMT SDK.

 

12.13.2010 QA1431

 

Unconfigured Intel® AMT system causes unwanted network traffic in 802.1x environment

 

PROBLEM

In an unprovisioned state, whenever the 802.1x network puts the system on a remediation VLAN, the Intel® ME causes undesirable network chatter if the remediation VLAN doesn't have a DHCP server.

RESOLUTION

Contact your OEM to determine if a firmware update is available.

 

03.09.2011 QA1448

No video during KVM remote control session on Lenovo* T410 with switchable graphics

 

PROBLEM

The screen will go blank when the user switches from the Nvidia* graphics to the Intel® HD integrated graphics on a Lenovo* T410 with switchable graphics. The KVM remote control session initiated after the user switches to the integrated graphics will also show a blank screen. This issue is caused by a long delay in the Nvidia* graphics driver when it switches between the Nvidia graphics and the Intel® HD graphics.

RESOLUTION

The following Use Case Reference Design discusses updating firmware and drivers and provides an example of how to do it in Microsoft* ConfigMgr.
Automatic Remote Firmware Update, http://communities.intel.com/docs/doc-4078

 

03.21.2011 QA1462

ZTCLocalAgent fails to activate systems

 

RESOLUTION

The version of the ZTCLocalAgent must match the Intel® AMT version. For example, use the ZTCLocalAgent from the Intel® AMT SDK v5.0 for Intel® AMT 5.0 systems. Alternatively, you can use the latest Activator utility from the Intel SCS package (this should be backward compatible with all previous versions of Intel® AMT that support remote configuration).

 

03.21.2011 QA1481

Support for intermediate certificates from Juniper* Steel Belted Radius Server with Intel® AMT 802.1X authentication

RESOLUTION

Juniper* Steel-Belted Radius v6.10 Global Enterprise software (with a VeriSign root certificate) can be configured to issue intermediate certificates for 802.1X authentication of Intel® AMT clients. Customers should contact Juniper* for setup instructions.

 

04.20.2011 QA1490

Unable to use IDER on Lenovo* T400 with Computrace* by Absolute software

RESOLUTION

Customers should contact Lenovo if they are seeing IDER failures on a Lenovo T400 with Computrace by Absolute Software.

 

04.20.2011 QA1472

Power down option is not available in KVM Remote Control Session

 

RESOLUTION

The Intel® AMT firmware does not support power-down operations when any re-direction session is in operation. Power-up and reset operations are permitted.

 

10.18.2011 QA1532

Does Intel® Standard Manageability support KVM Remote Control?

 

RESOLUTION

No. KVM Remote Control is only supported on platforms when Intel® AMT has been set up and configured to support KVM Remote Control. All other configurations, including DASH 1.1, Intel® Standard Manageability platforms, or platforms with Intel® Core™ i3 processors are unsupported.

 

11.02.2011 QA1529

Client Drivers

Using Intel® vPro™ technology and Linux

PROBLEM

Where can I find more information about Intel® vPro™ technology on Linux?

RESOLUTION

Information about Linux support is available at the Open Source Intel® AMT Drivers and Tools site.

10.11.2007

Linux-based wireless drivers

PROBLEM

Where can I find the most recent Linux drivers for an Intel® vPro™ capable system?

RESOLUTION

http://software.intel.com/en-us/articles/download-the-latest-intel-amt-open-source-drivers/

11.9.2007

Wireless management does not work when the operating system is running

PROBLEM

Wireless management does not work when the operating system is running.

RESOLUTION

Check if there are missing or faulty Intel® AMT drivers (HECI & LMS/SOL) in Microsoft Windows*. Get the latest drivers from the OEM's web site and install them. Once the drivers are installed, the Intel® Management Engine should work properly with the wireless connection.

1.30.2008

LMS generated line in hosts file

 

PROBLEM

The hosts file has the following section:
# localhost name  resolution is handled with DNS itself
# 127.0.0.1 localhost
# ::1  localhost
127.0.0.1 mysystem.vprodemo.com #LMS GENERATED LINE

RESOLUTION

LMS generates this line when there is a mismatch between the OS FQDN and the Intel® ME FQDN. This can happen, for example, when you swap hard drives between computers.

 

03.21.2011 QA1479

 

Infrastructure

PROBLEM

Is there a performance hit for IDE-R over a WAN?

RESOLUTION

We do not recommend using an IDE-R session to boot large CD-ROM images over a WAN. Instead, we recommend using a stripped down IDE-R image that can load up a network stack on the AMT client. The network stack can be used to access local shares at the branch that have the tools you need to either rebuild the OS or diagnose problems.

2.8.2008

 

Secondary DNS IP makes Intel® AMT configuration fail in basic (formerly SMB) mode

PROBLEM

When configuring Intel® AMT in basic (formerly SMB) mode during boot up, some values for the secondary DNS server IP address make the configuration fail.

If a secondary DNS server's last octet value is 223 or higher, the configuration fails.

RESOLUTION

This is a known issue in the Intel® Management Engine and will be fixed in the next release. The current workaround is to change the secondary DNS server's IP address, or to not use the secondary DNS server at all in the configuration.

11.25.2008

ME NIC remains at lowest negotiated speed and half duplex mode after booting

PROBLEM

When you reboot the system and enter a SoL/IDER session, the ME NIC will remain in the lowest negotiated speed setting and half duplex mode if the SoL/IDER session remains connected during boot. The NIC does not renegotiate to the highest available speed or full duplex mode after the operating system boots.

RESOLUTION

To force the ME NIC to renegotiate to full speed/full duplex mode, disconnect the SoL/IDER session then reconnect.

11.25.2008

 

Usage of Locally Administered Address on Intel® Active Management Technology enabled systems

PROBLEM

An incompatibility exists between Intel® Active Management Technology (Intel® AMT) and Locally Administered Address (LAA) environments. As a result, Intel® AMT enabled systems configured to work in LAA environments might encounter LAN disconnects.

RESOLUTION

A Locally Administered Address (LAA) is an option allowing users to set their own MAC address on the platform and thus bypass the Burned-in address (BIA) MAC. Intel® AMT was not designed to support LAA environments and there are no plans to add this capability in the near future.

 

Intel® recommends avoiding usage of LAA together with Intel® AMT technology to avoid this issue.

 

5.18.2009 QA1350

 

ICMP Router Discovery Protocol (IRDP) is not supported

 

 

PROBLEM

ICMP turned on by DHCP Option 31. ICMP is not supported by Intel® AMT technology.

RESOLUTION

No solution is available.

 

11.25.2009 QA1377

 

VeriSign* SSL Certificates

 

RESOLUTION

VeriSign* SSL certificates moved to a new 1024-bit SHA-1 root on May 17, 2009. The new root CA "Class 3 Public Primary Certification Authority--G2" is already embedded in today's browsers. For Intel® vPro(TM) Technology customers, no updates or changes are required until their current certificates expire.

 

About the VeriSign* Certificates. VeriSign* sells "Secure Site Pro (SSP)" and "Premium SSL" certificates that previously included the G1 root, and are now re-signed to include the G1.5 root. Secure Site Pro and Premium SSL are two names for the same VeriSign product. The "Standard SSL" certificates previously had the G1 root, and now contain the new G2 root.

 

Installation or Upgrades. Users should follow the VeriSign* installation instructions each time they install new VeriSign* certificates. Customers can use the VeriSign* tools to verify that they have the latest Intermediate CA.

 

For more information, visit the VeriSign* website for Intel® vPro™ Technology: here

 

02.19.2010 QA1398

 

Clients not waking when host Wake On LAN (WOL) magic packet is sent on UDP port 68

PROBLEM

Client platforms are not waking up when host Wake On LAN (WOL) magic packet is sent on UDP port 68 on Intel® vPro platforms with Intel® Active Management Technology (AMT) enabled. This issue has been observed on platforms running Intel® AMT 5.1 and 5.2 firmware, but not on platforms running Intel® AMT 5.0 firmware.

RESOLUTION

This issue has been confirmed by Intel® as a side effect of a change introduced in AMT 5.1 firmware and will be fixed in future firmware revisions (5.2.20 & later).  Please contact your OEM for more detailed information on when this update will be available.

 

Two temporary workarounds may be employed:
  • Use a non-IANA reserved port for host WOL magic packet traffic.
  • Use port 68 with TCP protocol (rather than UDP) for host WOL magic packet traffic. Note that port 68 TCP is an IANA reserved port, which could be affected by future changes in network infrastructure or Intel® products.

02.22.2010

GoDaddy* certificate has incorrect OU value in the subject field

 

PROBLEM

In some instances, the OU value in the Subject field was incorrectly set with a space between the word Intel and the (R) symbol: "Intel (R) Client Setup Certificate".

RESOLUTION

Customers should contact GoDaddy to have a new certificate issued without the extra space character.

 

05.11.2010 QA1429

Intel® vPro™ technology management network controller uses DHCP option 249 Classless Static Routes

 

RESOLUTION

To set the default gateway, set the DHCP option 249 (Classless Static Routes) setting. Option 33 (Static Route) is now obsolete. Option 249 is classless, that is, each entry in the routing table includes a subnet mask.
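
The option layout this entry relies on, as an added example that is not part of the original article or of Intel's tooling: an encoder and decoder for the Classless Static Routes payload, showing that the default gateway is simply the 0.0.0.0/0 entry. It assumes option 249 uses the RFC 3442 wire format (prefix length, significant destination octets, router); the function names and sample addresses are constructed for illustration.

```python
import ipaddress

OPTION_CODE = 249  # Classless Static Routes option number named in this entry

# Constructed sample routes: a default gateway plus one subnet route.
SAMPLE_ROUTES = [
    ("0.0.0.0/0", "192.168.1.1"),
    ("10.1.0.0/16", "192.168.1.254"),
]


def encode_routes(routes):
    """Build the option bytes (code, length, payload) for (CIDR, router) pairs.

    Assumed layout per entry: one byte of prefix length, then only the
    significant octets of the destination, then the 4-byte router address.
    """
    body = bytearray()
    for cidr, router in routes:
        net = ipaddress.IPv4Network(cidr, strict=True)  # rejects stray host bits
        significant = (net.prefixlen + 7) // 8
        body.append(net.prefixlen)
        body += net.network_address.packed[:significant]
        body += ipaddress.IPv4Address(router).packed
    if len(body) > 255:
        raise ValueError("payload does not fit in a single DHCP option")
    return bytes([OPTION_CODE, len(body)]) + bytes(body)


def decode_routes(option):
    """Parse option bytes back into a list of (CIDR, router) string pairs."""
    if len(option) < 2 or option[0] != OPTION_CODE:
        raise ValueError("not a Classless Static Routes option")
    length = option[1]
    body = bytes(option[2:2 + length])
    if len(body) != length:
        raise ValueError("option is shorter than its length byte claims")
    routes = []
    i = 0
    while i < len(body):
        prefixlen = body[i]
        i += 1
        if prefixlen > 32:
            raise ValueError("prefix length above 32")
        significant = (prefixlen + 7) // 8
        if i + significant + 4 > len(body):
            raise ValueError("truncated route entry")
        # Pad the destination back to four octets before interpreting it.
        dest = body[i:i + significant] + bytes(4 - significant)
        i += significant
        router = body[i:i + 4]
        i += 4
        net = ipaddress.IPv4Network(
            (ipaddress.IPv4Address(dest), prefixlen), strict=False
        )
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
    return routes


def default_gateway(routes):
    """Return the router of the 0.0.0.0/0 entry, or None if there is none."""
    for cidr, router in routes:
        if cidr == "0.0.0.0/0":
            return router
    return None


if __name__ == "__main__":
    encoded = encode_routes(SAMPLE_ROUTES)
    print(encoded.hex())
    print(decode_routes(encoded))
    print("default gateway:", default_gateway(decode_routes(encoded)))
```

A scope that carries only subnet routes in this option leaves `default_gateway` returning None, which is the condition to check for when a client on that scope has no gateway.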

 

05.12.2010 QA1384

 

Intel® AMT fails to connect when DHCP Option 0 is set

 

 

PROBLEM

DHCP Option 0 (Padding) is incompatible with Intel® AMT. DHCP Option 0 is a rarely used option that pads the DHCP option records so that they align on word boundaries.

RESOLUTION

There is no solution at this time.

 

05.13.2010 QA1358

 

PKI DNS Suffix profile setting does not override DHCP Option 15

 

 

PROBLEM

If the customer has many different DHCP Option 15 (DNS Domain Name) settings that do not follow the rules for Remote Configuration Certificate domain suffix matching, it will not be possible to use the PKI DNS Suffix profile in the MEBx to override the respective DHCP Option 15 setting of the DHCP server. The PKI DNS suffix profile can only be used to substitute for Option 15 authentication when DHCP Option 15 is not set.

Please refer to the Intel® AMT Remote Configuration Certificate Selection white paper (here) for assistance in choosing the correct remote configuration (RCFG) certificate for your remote provisioning needs.

RESOLUTION

If you can't use remote configuration due to this DHCP Option 15 issue, you must use one-touch provisioning.

 

 

05.13.2010 QA1363

Authentication failure during SOL/IDE-R on Intel® AMT 6.0 platforms

 

PROBLEM

This issue occurs when Kerberos authentication is enabled in the Intel® ME firmware and Kerberos authentication for the currently logged-in user to the management console fails while trying to initiate a SOL or IDER session.

 

The issue is related to the authentication back-off mechanism in Intel® AMT. In Intel® AMT versions prior to 6.0.30.1197 the firmware allows for three login attempts before the system will deny the connection. Kerberos and Digest Authentication will use 2 authentication attempts each. Basic authentication will use a single attempt.

 

If Kerberos is enabled on the Intel® AMT platform, the IMRSDK.DLL library will attempt to perform Kerberos authentication. If Kerberos authentication fails then the library will fall-back to Basic authentication.

 

Starting in the Intel® AMT 6.0 SDK (around Sprint 10), there was a change in the IMRSDK.DLL library that would instead fall-back to Digest authentication instead of Basic. This update can cause the Digest attempt to trigger the back-off mechanism in the Intel® AMT firmware and cause the entire authentication attempt to fail.

 

This failure is exhibited with a Connection Timeout, or Connection Closed error from IMRSDK.DLL.

 

Intel® ME FW 6.0.0.1184 was the AMT 6.0 original PV version. There are several Intel® AMT firmware versions between 1184 and 1197 that are being shipped by OEMs that could encounter this issue.
To compound this issue, the IMRSDK.DLL library has not had its version stepped during the build process.

 

Notes on the potential impact on ISVs:
Altiris*--Can be configured to use Digest or Kerberos.
LANDesk*--Uses Digest only.
Microsoft* ConfigMgr--Uses Digest for some actions and Kerberos for others. (Not configurable.)

Status:

In order to support Digest authentication after a failed Kerberos authentication, the retry count in the Intel® ME firmware was increased from three retries to four retries. This was included in the Intel® ME firmware starting in version 6.0.30.1197.

 

Here are the known impacted versions and the MD5 hashes of each release.
Known to use Digest fallback:
MD5SUM cc66c511352e428569f83d07525d14ce v1.1.3.0 *imrsdk(1472).dll [Sprint 14]
Unknown/Untested:
MD5SUM 3204a528f624bf6117238aa899a961f6 v1.1.3.0 *imrsdk(1360).dll [Sprint 13]
MD5SUM 3204a528f624bf6117238aa899a961f6 v1.1.3.0 *imrsdk(1276).dll [Sprint 12]
MD5SUM 7fc08a282494137324bf1556470984da v1.1.3.0 *imrsdk(1130).dll [Sprint 11]
MD5SUM 39687b9d3361ae5ddd1adbb59b098959 v1.1.3.0 *imrsdk(945).dll [Sprint 10]
Known to use Basic fallback:
MD5SUM 8091b69094f0c08e13ad2509a75b0f6a v1.1.3.0 *imrsdk(750).dll [Sprint 9]
MD5SUM 8091b69094f0c08e13ad2509a75b0f6a v1.1.3.0 *imrsdk(519).dll [Sprint 8]

RESOLUTION

There are three potential workarounds:

  • Upgrade to Intel® AMT firmware version 6.0.30.1197 or later
  • If not using TLS, connect to the Intel® AMT machine with the client's IP address instead of a FQDN
  • Replace the IMRSDK.DLL with a previous version
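
The back-off arithmetic behind this issue, as an added example that is not code from Intel or from the IMRSDK.DLL library: a small model in which every attempt counts against one firmware budget, using the per-scheme attempt counts and the budgets of three and four given above. It assumes the fallback credentials are valid; the names used are constructed for illustration.

```python
from dataclasses import dataclass, field

# Login attempts each scheme consumes, as stated in this entry.
ATTEMPTS_PER_SCHEME = {"Kerberos": 2, "Digest": 2, "Basic": 1}

# Firmware attempt budgets described in this entry.
BUDGET_BEFORE_1197 = 3  # Intel AMT versions prior to 6.0.30.1197
BUDGET_FROM_1197 = 4    # 6.0.30.1197 and later


@dataclass
class Result:
    authenticated: bool
    scheme: str    # scheme that succeeded, or the one in progress when denied
    attempts: int  # attempts the firmware saw, including the denied one
    trace: list = field(default_factory=list)


def simulate(budget, fallback, kerberos_succeeds=False):
    """Model one SOL/IDER login: Kerberos first, then the library's fallback.

    Assumption: every attempt counts against a single firmware budget and
    the fallback scheme's credentials are valid.
    """
    if fallback not in ("Basic", "Digest"):
        raise ValueError("fallback must be 'Basic' or 'Digest'")
    used = 0
    trace = []
    for scheme in ("Kerberos", fallback):
        for step in range(1, ATTEMPTS_PER_SCHEME[scheme] + 1):
            used += 1
            if used > budget:
                # The firmware back-off triggers; the client sees the
                # connection closed or timed out.
                trace.append(f"attempt {used}: {scheme} step {step} denied")
                return Result(False, scheme, used, trace)
            trace.append(f"attempt {used}: {scheme} step {step}")
        if scheme != "Kerberos" or kerberos_succeeds:
            trace.append(f"{scheme} accepted")
            return Result(True, scheme, used, trace)
        trace.append(f"Kerberos failed, falling back to {fallback}")


def compatibility_matrix():
    """Outcome for each firmware budget and library fallback combination."""
    return {
        (budget, fallback): simulate(budget, fallback).authenticated
        for budget in (BUDGET_BEFORE_1197, BUDGET_FROM_1197)
        for fallback in ("Basic", "Digest")
    }


if __name__ == "__main__":
    for (budget, fallback), ok in compatibility_matrix().items():
        state = "session opens" if ok else "back-off, session fails"
        print(f"budget={budget} fallback={fallback}: {state}")
    print("\n".join(simulate(BUDGET_BEFORE_1197, "Digest").trace))
```

Only the combination of a three-attempt budget and a Digest fallback fails, which is why either upgrading the firmware or replacing the DLL resolves it.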

 

 

05.13.2010 QA1422

 

WS-MAN settings for 802.1x PXE boot

 

 

PROBLEM

Using the default settings, the timeout period doesn't allow enough time for the OS to authenticate during PXE booting. The following whitepaper describes the Intel® AMT architecture used to support PXE boot.
Next-Generation Streaming Clients, Based on Intel® vPro™ Technology

RESOLUTION

The following sample WS-MAN settings work around this issue:

AMT_8021xProfile
  ActiveInS0 = true
  AuthenticationProtocol = 2
  ClientCertificate
    Address = default
    ReferenceParameters
      ResourceURI
      SelectorSet
  Domain = vprolab
  ElementName = Intel® AMT 802.1x Profile
  Enabled = true
  InstanceID = Intel® AMT 802.1x Profile 0
  PxeTimeout = 10800
  ServerCertificateIssuer
    Address = HTTP://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
    ReferenceParameters
      ResourceURI = HTTP://intel.com/wbem/wscim/1/amt-schema/1/AMT_PublicKeyCertificate
      SelectorSet
        Selector: InstanceID = Intel® AMT Certificate: Handle: 1
  Username = Hostname$iME

These settings for the Intel® ME do the following:
  • The client actively participates in 802.1X authentication even when the client is in S0 state (power-on)
  • The protocol is EAP-PEAP. Intel® AMT supports other EAP protocols that can be used depending on the network requirements
  • No client certificate (because we use MS-CHAPv2)
  • The domain is VPROLAB (a sample NetBIOS domain name)
  • Profile is enabled
  • PXETimeout is the time (in seconds) which Intel® AMT will continue to keep the network port open after the client has been powered on or reset. This time period should only be long enough to allow Operating System software to be booted using PXE under normal networking conditions. After this time period expires Intel® AMT will close the network port and Operating System software must perform 802.1X authentication to re-open the network port. If the Intel® MEI driver loads before this time period expires, Intel® AMT will close the network port.
  • Using this workaround, Intel® AMT will open the network port regardless of the client boot source. Therefore, the user is advised to evaluate the risk to their network if the client boots from unauthorized local media instead of PXE and, if necessary, to take specific steps to prevent this from happening. Such steps could include the following: (i) setting PXETimeout to 0 when not using PXE boot; (ii) using Intel® AMT to remotely disable boot devices that accept removable media when PXE booting is required; (iii) using Intel® AMT to lock the local keyboard to prevent local override of the boot device when PXE booting is required.

 

 

 

05.13.2010 QA1420

More information on the Wireless Profile Sync feature in Intel® AMT 6

 

 

RESOLUTION

Intel® AMT firmware versions 6.0 and higher include the Wireless Profile Synchronization feature. This feature synchronizes the wireless profile set in the OS with the wireless profile set in the Intel® ME. This feature requires Intel® ProSet. When the user changes the wireless profile in the OS, Intel® ProSet will prompt the user to change the Intel® ME wireless profile to match the OS wireless profile.

 

 

 

 

09.22.2010 QA1456

Intel® AMT support for WEP in Fast Call For Help wireless profiles

 

RESOLUTION

Intel® AMT 6.0 and later versions support Open, WEP, and PSK encryption methods in the wireless profiles for Fast Call for Help and RPAT.

 

10.13.2010 QA1459

 

DHCP Option 15 domain suffix match to certificate CN

 

PROBLEM

When the Intel® ME compares a Domain value returned by DHCP Option 15 of, in this example, sub1.mycompany.com to the certificate CN of provisionserver.mycompany.com, will it find a match?

RESOLUTION

Yes, it is a match. This is a comparison between an FQDN and a suffix, i.e. between a CN/SAN/Provisioning server FQDN and a secure/non-secure DNS suffix / DHCP Option 15. In this case the DNS suffix must be the literal suffix of the FQDN. This document provides more details:

Domain Suffix Guide for vPro Remote Configuration Process, HTTP://communities.intel.com/docs/DOC-4903

 

11.10.2011 QA1527

Intel® AMT support for Cybertrust* certificates

 

RESOLUTION

The Cybertrust (now Verizon* Business) certificate hash has been added as one of the default certificate hashes to Intel® AMT 2.6.40, 3.2.40, 4.2.40, 5.2.40, 6.1.20, 7.0.0 and 7.1.14. Customers can also manually add the hash in the MEBx, or ask the OEM to use the Intel Firmware Integration Tools to add the hash to a custom firmware image.

 

11.16.2011 QA1491

 

ISV

Altiris

Troubleshooting DNS when configuring Altiris

PROBLEM

DNS configuration issues display when configuring Altiris.

RESOLUTION

Use these troubleshooting tips to help resolve DNS configuration issues with Altiris:

 

  • Verify that the Altiris host has fully qualified records in the DNS infrastructure. This would constitute an A record for forward lookups and a PTR record for reverse lookups.

  • Make sure the Intel® Setup and Configuration Service (SCS) is up and running on the box.

  • Upgrade the SCS Console to the current version. This process is not supported by Altiris and is only for troubleshooting.

  • IMPORTANT: When you upgrade, only install the console. DO NOT upgrade the entire SCS application.

     

    To upgrade to the current version:

  1. Download the SCS package at http://softwarecommunity.intel.com/articles/eng/1025.htm.
  2. When the download is complete, open the ZIP file and double-click 3.1.0.7.zip.
  3. Double-click AMTConsole.zip and run AMTConsole.exe. The console will prompt you to use the fully qualified domain name. An SSL session may be necessary to connect to it, depending on the server configuration. The console client works like a web browser and a URL is required to connect to the SCS, for example: http://server.something.com/atmscs or https://server.something.com/atmscs.

12.20.2007

Can the Default 'provisionserver' naming conventions be changed?

PROBLEM

Can Intel® AMT firmware be reconfigured to change the default 'provisionserver' naming convention to a value of a customer's choosing?

RESOLUTION

The provisionserver value is hard-coded and cannot be changed. The detected DNS context is added to this default value (for example, provisionserver.mycompany.com).  It is recommended that the customer set up a second ALIAS record or a CNAME record in the DNS that points the provisionserver.yourdomain.com to the ISV server.

In environments where it is best not to use the default name, the customer can use the Intel® vPro™ Technology Activator Wizard (link) to direct the configuration attempts.

2.8.2008 (updated 12.14.2009) QA1052

Hardware inventory on Altiris* console requires Altiris* inventory solution

 

 

PROBLEM

Altiris* has a complete Server and Client inventory application/service that is independent of Intel® AMT features. An agent is required to obtain this level of support in Altiris* products.

RESOLUTION

Refer to the following URL**: HTTP://www.symantec.com/business/inventory-solution (servers), or http://www.symantec.com/business/solutions/projects/projectdetail.jsp?solid=sol_infrastruct_op&solfid=sol_client_management&projectid=client_discovery_inventory (clients).
**This URL is provided for the reader's convenience. It should not be construed as an endorsement by Intel® of the products or services on the web site.

 

 

 

 

11.25.2009 QA1338

Can Altiris* RTSM or HP* OOBM activate clients without Microsoft* Active Directory?

 

PROBLEM

A customer is using Altiris* in an environment without Microsoft* Active Directory and wants to know if they can activate Intel® vPro™ clients using either Altiris* RTSM (with the Intel® SCS backend), or, if they decide to switch consoles, HP OOBM.

RESOLUTION

This is supported with Altiris. For further information on how to configure Intel® vPro™ Technology in an Altiris environment, please refer to http://www.vproexpert.com/E24VZ/Altiris7/index.html

 

11.08.2010 QA1419

 

Altiris* does not support Non-TLS Fast Call for Help connections

 

PROBLEM

Attempting to manage a non-TLS client using Fast Call for Help will fail. Altiris displays the following error message: Invalid Credentials.

RESOLUTION

This behavior is by design for Altiris management software. Provision and manage clients in TLS mode if they will be using Fast Call for Help outside the enterprise network.


 

04.20.2011 QA1478

 

LANDesk*

No drivers required for bare metal provisioning

PROBLEM

A customer with LANDesk* LDMS 8.8 or similar provisioning server does not need to load drivers or an OS image on the Intel® AMT clients to perform bare-metal provisioning.

SOLUTION

No drivers are required for bare-metal provisioning of an Intel® AMT client. The system administrator will, however, need to pre-populate the provisioning server database with the client configuration information (UUID, FQDN, OU if Active Directory is used, Profile). Refer to the LANDesk documentation for information on how to enter the client configuration information into LDMS 8.8. The Intel® AMT client will send out a hello packet as soon as the network and power cables are plugged in. If the provisioning server is found, and the client configuration information is in the provisioning database, then the client will be provisioned.

 

7.28.2008

Need to set LANDesk* root certificate as trusted certificate

 

PROBLEM

In the default configuration, the LANDesk root certificate is not trusted by the Microsoft* CA.  Users are then unable to use the WebUI unless they select the "trust this site" radio button each time they use the WebUI.

SOLUTION

From Microsoft* Internet Explorer, add the LANDesk* root certificate to the list of trusted certificates.

  1. Open Microsoft* Internet Explorer.
  2. Choose Tools->Internet Options.
  3. Click on the Content tab.
  4. Click on the Certificates tab.
  5. Under the Trusted Root Certificates tab, import the root certificates.
  6. Under the Intermediate Certificate Authorities tab, import the intermediate certificates.
  7. Verify that the certificate used can be traced back to the root.

 

 

 

9.10.2009 (updated 12.3.2009)  QA1370

LANDesk* Management Suite 8.8 SP2 patch fixes loss of in-band connectivity

 

PROBLEM

After provisioning, the in-band network connection on some Intel® AMT systems may shut down. The LANDesk console will then place the systems in remediation. These Intel® AMT systems can, however, still be managed with LANDesk* OOB tools and the Intel® AMT Web GUI. This is an intermittent issue. The time between provisioning the system and the loss of in-band connectivity ranges from a few minutes to about an hour.

SOLUTION

If you have LANDesk* Management Suite 8.8 SP2, and you have lost in-band connectivity, but you can still access the remote systems using OOB tools, try the following patch or upgrade to a later LANDesk* service pack (SP3 or later). The URL** for the patch is: HTTP://community.landesk.com/downloads/ServicePack/LD-88-AMT-CR20525-88.zip

**This URL to a third-party site is provided for the reader's convenience. This should not be construed as a recommendation by Intel® for the products or services provided by the third party.

 

 

 

9.11.2009  QA1344

LANDesk* 8.8 SP2 console requires repeated deletion of two directories when provisioning

 

PROBLEM

The RootCA and the SubCA directories must be deleted repeatedly to enable provisioning to continue.

SOLUTION

The issue is fixed in v8.8 SP3. Apply SP3 to the LANDesk* Core Server and LANDesk* Client Agents.  A reboot must be performed on the core server and the client PCs after the update.

 

 

 

10.09.2009 (updated 12.3.2009) QA1349

LANDesk* generated certificates fail with WinRM v1.x scripts

 

 

PROBLEM

Microsoft WinRM v1.x scripts require certificates to contain CDP information. This is an issue when you provision clients to use Transport Layer Security (TLS) with LANDesk*. WinRM scripts fail with certificates generated by the LANDesk* internal CA because the certificates do not contain Certificate Revocation List (CRL) data (the CRL Distribution Point or CDP data is part of the CRL information).
WinRM v2.0 resolves this issue (see the solution below for details).

SOLUTION

If you plan to use WinRM 1.x scripts to work around any missing Intel® AMT feature support in LANDesk, then do not provision clients to use TLS. To use WinRM 2.0 scripts with LANDesk* clients provisioned with TLS, do the following:
  1. Install Microsoft* WinRM 2.0 (see Microsoft* Knowledge Base Article KB968930).
  2. In the 802.1X script file produced by GenScript, modify this block:

  sFlags=sFlags Or
  WSMan.SessionFlagSkipCACheck Or
  WSMan.SessionFlagSkipCNCheck

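To read as follows (the added SessionFlagSkipRevocationCheck flag tells WinRM 2.0 to skip the certificate revocation check):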

  sFlags=sFlags Or
  WSMan.SessionFlagSkipCACheck Or
  WSMan.SessionFlagSkipCNCheck Or
  WSMan.SessionFlagSkipRevocationCheck

 

 

 

 

 

12.08.2009 QA1397

LANDesk 8.8 SP2 provisioning fails with factory installed PSK key

 

PROBLEM

When the LANDesk SP2 agent is installed on the HP DC7800 client, the factory installed PSK key is ignored and the client attempts PKI provisioning. When the LANDesk agent is removed from the client, the client uses PSK provisioning.

SOLUTION

 

To solve this issue, update to LANDesk 8.8 SP3.

 

 

10.07.2010 QA1437

LANDesk* 8.8 client agent creating thousands of registry entries

 

PROBLEM

This issue is seen on Windows* XP clients. The customer will notice very long boot times (it may take hours to boot).

SOLUTION

Customers should contact LANDesk and request a hotfix for this issue. This hotfix will be included in the next service pack for LANDesk 8.8 and 9.0. The customer should also update to the latest OEM-supplied Intel® AMT driver package. (The driver package typically includes the UNS, LMS, and SOL/IDER drivers.)

 

 

03.021.2011 QA1466

BIOS Wake-on-Timer and remote desktop viewing from LANDesk* failed on Lenovo* ThinkPad M57, M58, and M59p

PROBLEM

The customer faced two issues: the Wake-on-Timer function didn't work, and the LANDesk* remote desktop view produced only a blank screen. For the remote desktop viewer, Windows* 7 platforms worked correctly while Windows* XP platforms failed with LANDesk but worked with Intel® RDP software.

SOLUTION

To fix the Wake on Timer issue, upgrade to the latest Lenovo BIOS.
To fix the LANDesk remote viewer with the blank screen issue, use the following workaround from LANDesk:
  1. Put client into an S3 sleep state and wait 2 minutes.
  2. Using LANDesk Management Console, wake the client through the Intel vPro Options.
  3. Verify that the system is awake but the monitor is off.
  4. Using LANDesk Management Console, right-click on the target client and select Remote Control-->Remote Control. A black window will pop up. In the Run line at the top of the window, type in C:\wakemonitor.exe. (Use the path you selected in step 1.)
  5. From the LANDesk* Management Console, browse to c:\program Files\LANDesk\ManagementSuite and copy the WakeMonitor.exe file to the target client. (This example uses C:\.)

 


 

11.14.2011 QA1528

 

Microsoft ConfigMgr (see also: http://communities.intel.com/openport/docs/DOC-1627#cf)

Enabling native (no translation required) support within Microsoft ConfigMgr SP1

A BIOS update is available to provide native support within Microsoft ConfigMgr SP1 for Dell 755, HP DC7800, and Lenovo M57p computers.

 

OEM Model      Link to BIOS Update
Dell 755       Click here.
Lenovo M57p    Click here.
HP DC7800      Click here.

 

7.23.2008

Virtual adapters may cause network discovery to fail

PROBLEM

When discovering Intel® vPro™ systems via a console that has a virtual adapter enabled with an IP address assigned, such as Microsoft SCCM, the discovery process may fail if the virtual adapter IP address is used for the discovery process.

RESOLUTION

Before performing the discovery, disable any virtual adapters that were created by software such as VMWare*.

 

7.30.2008

Microsoft* SCCM unable to use Intel® AMT features when run on Microsoft* Vista* Operating System

PROBLEM

When the Microsoft* SCCM management console is run on a Microsoft* Vista* SP1 operating system, all Intel® AMT based objects and functionality are missing.

RESOLUTION

No solution is available at this time.

 

1.29.2009 (QA1304)

 

 

Microsoft* SCCM 2007 SP1 hotfix roll-up KB960804 includes KB959040

 

PROBLEM

Microsoft* System Center Configuration Manager 2007 Service Pack 1 (SP1) hotfix roll-up KB960804 includes KB959040 (a fix to enable PKI provisioning with Intel® AMT 2.2 and 2.6.) The original description of the roll-up incorrectly omitted the KB959040 hotfix.

RESOLUTION

To get KB959040 hotfix, users may download the KB960804 hotfix roll-up.

 

Refer to the Microsoft* support website for more information about the hotfix packages. The Microsoft* URL** is: http://support.microsoft.com/kb/960804

 

**This URL is provided for the reader's convenience. It is not an endorsement of products or services by Intel® Corporation.

 

 

2.24.2009 QA1323

 

SoL/IDER fails on Microsoft SCCM 2007 SP1 with two-tiered PKI model

 

PROBLEM

SoL and IDER fail using Microsoft* SCCM in an environment with a Root CA and a Subordinate Issuing CA.

RESOLUTION

This issue has been fixed by a hotfix for Microsoft* SCCM 2007 SP1. URL for hotfix** HTTP://support.microsoft.com/hotfix/kbHotfix.aspx?kbnum=960804

 

**This URL is provided for the reader's convenience. It is not an endorsement of products or services by Intel® Corporation.

 

2.24.2009 QA1319

 

Failure of collection-based power control in Microsoft* SCCM SP1

 

 

PROBLEM

In a Microsoft* SCCM hierarchy with a central site and a primary child site, power control operations from the central site work for some clients and fail for others. The same power control operations work correctly from the child site.

RESOLUTION

Not all client settings are being transferred up the Microsoft SCCM hierarchy to the central database. This issue will be resolved in the Microsoft SCCM SP2. Alternatively, system administrators may change the TlsMode setting in the dbo.AMT_MachineProperties table in the SCCM site database; it should be set to "1" for each client.

 

10.09.2009 QA1362

Cannot provision HP* DC7700 using Microsoft* ConfigMgr SP1 and PKI method

 

 

PROBLEM

The HP* DC7700 with Intel® AMT firmware build 2.2.10.1039 has a date/time stamp issue with the certificates that prevents remote provisioning. The Microsoft ConfigMgr logfile AMTOPMGR.LOG shows error 0x80090308 that indicates a problem with the certificate.

RESOLUTION

Update the firmware to 2.2.20 or later. The firmware is available on the HP* website.

 

 

 

11.16.2009 QA1364

 

Microsoft* ConfigMgr unable to perform SOL or IDE-R due to certificate issue

 

 

RESOLUTION

Microsoft* ConfigMgr has a known issue that causes it to fail when it validates the certificate chain unless the intermediate certificates are placed in the trusted root certificate store (instead of the intermediate certificate store).

 

02.19.2010 QA1400

Tips on moving Microsoft* ConfigMgr to new operating system and hardware

 

RESOLUTION

To avoid the need to unprovision all the Intel® AMT clients in the Microsoft* ConfigMgr database, keep the same host name, then do a Microsoft* ConfigMgr database backup and recovery.  The IP address for the new hardware doesn't need to match the old IP address.
See the following Microsoft* TechNet articles:

05.11.2010 QA1385

Microsoft* ConfigMgr SOL display corruption on Acer* Veriton S661

 

PROBLEM

Microsoft* ConfigMgr uses Telnet for SOL and therefore only supports VT100 and ANSI emulation modes. The corruption is because Acer* firmware version 3.2.1 uses VT100+ emulation.

RESOLUTION

Upgrade to Acer* firmware version 3.2.11 or later.

 

 

5.12.2010 QA1416

 

Unable to reprovision after unprovisioning Microsoft* ConfigMgr client

 

 

PROBLEM

After unprovisioning the Microsoft* ConfigMgr client without removing the ConfigMgr agent, the platform is shown as "detected" instead of "Not Provisioned" and cannot be reprovisioned.

RESOLUTION

To unprovision and then reprovision a Microsoft* ConfigMgr client, uninstall the ConfigMgr agent and remove the Microsoft* ConfigMgr record for the client before you unprovision the client.

For more information, see the following Microsoft* TechNet articles:

5.12.2010 QA1361

BKM on unprovisioning Intel® AMT clients managed by Microsoft* ConfigMgr

 

 

PROBLEM

What is the best known method to unprovision an Intel® AMT client that is managed by Microsoft ConfigMgr (SP1 or later)? Using the wrong procedure to unprovision the client and remove the record from the Microsoft* ConfigMgr server may block later reprovisioning of the system. Microsoft* has posted the two articles listed below to the Microsoft* TechNet site to guide you.
Note that you will no longer be able to use out of band management with the Intel® AMT client after you unprovision it.

RESOLUTION

Refer to the following Microsoft* TechNet articles:

 

 

5.12.2010 QA1379

 

PXE Timeout value shown in minutes in Microsoft* System Center Configuration Manager 2007 is actually seconds

 

 

 

PROBLEM

The Intel® ME seems to close the network port early after a PXE boot. The Microsoft* System Center Configuration Manager 2007 setting "Keep session open after PXE boot (minutes)" is actually in seconds.

RESOLUTION

To set the timeout value in minutes, multiply the desired number of minutes by 60 and enter the result in Microsoft* System Center Configuration Manager 2007.

 

 

5.12.2010 QA1365

 

Third-party password policy limit of a maximum 8 characters conflicts with Microsoft* ConfigMgr default of 32 characters

 

PROBLEM

Microsoft* ConfigMgr uses 32 character passwords when generating AMT objects. A third-party password policy that limits the maximum length to 8 characters will cause an error when ConfigMgr attempts to provision the Intel® AMT system and create the AMT object.

RESOLUTION

To work around this issue, change the password policy to allow 32 character passwords.

 

 

5.13.2010 QA1430

 

 

Unable to provision Dell* OptiPlex 755 and 760 systems with Microsoft* ConfigMgr

 

 

PROBLEM

After the Intel® ME stops sending "Hello" packets, you may be able to provision some, but not all, Dell* OptiPlex 755 and 760 systems with Microsoft* ConfigMgr. The unprovisioned systems show up as either Unknown, Not Supported, or Detected in Microsoft* ConfigMgr.

Notes:

  • This issue occurs when systems are plugged into AC power and on the network for more than 24 hours before ConfigMgr attempts to run a discovery on them.
  • After the initial 24 hours, the ports used to query Intel® AMT systems are closed and ConfigMgr will not be able to communicate with the device.
  • Activator re-activates the Intel® AMT systems and re-opens the ports that ConfigMgr needs.

RESOLUTION

Run Activator and then reboot the Intel® AMT system before provisioning again. The reboot is required.

 

 

 

5.13.2010 QA1412

 

Microsoft* ConfigMgr agent-initiated provisioning on Intel® AMT 2.x

 

 

PROBLEM

Microsoft* System Center Configuration Manager (ConfigMgr) can provision an Intel® AMT client in two different capacities: Bare metal and Agent Initiated.

 

Bare metal provisioning begins with the Intel® AMT client sending a "hello packet" to the Microsoft* ConfigMgr Out of Band Service Point; if the Intel® AMT client is approved and authorized to be provisioned, Microsoft* ConfigMgr will initiate the provisioning process. Agent-initiated provisioning begins with the Microsoft* ConfigMgr Client Agent pulling down the "Automatic Provisioning" policy from the Microsoft* ConfigMgr Policy Server; if the Microsoft* ConfigMgr Client Agent receives the policy, the Agent will negotiate a One Time Password (OTP) with the Intel® AMT ME firmware and send the provisioning request along with the OTP to the Out of Band Service Point to begin the provisioning process.

 

The article by Matt Royer (see the link listed below) lists the requirements and tools for successful provisioning.

RESOLUTION

 

 

 

 

5.13.2010 QA1378

Microsoft* ConfigMgr failed to provision and logged "failed to decrypt" error

 

 

PROBLEM

This error is produced when you attempt to provision from the Microsoft* Configuration Manager 2007 Central Site.

RESOLUTION

With Microsoft Configuration Manager 2007, you must provision Intel® AMT clients from the Primary Site. For more information on Microsoft* Configuration Manager 2007 site assignment, see the following Microsoft* TechNet article: About Client Site Assignment in Configuration Manager.

 

10.07.2010 QA1421

Microsoft* ConfigMgr only supports PSK provisioning for Intel® AMT versions less than 3.2.1

 

 

PROBLEM

The TLS PSK provisioning mode is not natively supported in Microsoft* ConfigMgr; therefore, Microsoft* ConfigMgr must use the WS-MAN translator for PSK provisioning. Microsoft* ConfigMgr only uses the WS-MAN translator for Intel® AMT versions below 3.2.1.

RESOLUTION

There is no solution for Intel® AMT firmware versions 3.2.1 or higher.

 

 

 

10.07.2010 QA1418

 

Microsoft* ConfigMgr does not support provisioning Intel® AMT systems in disjointed namespaces

 

PROBLEM

One common issue is that the CA was installed as a "Stand-Alone Root CA" rather than an "Enterprise Root CA". Ensure that the CA is installed as an Enterprise Root Certificate Authority (not a Stand-Alone Root Certificate Authority).

A second common issue is that the Enterprise Root Certificate Authority permissions are not set correctly.

RESOLUTION

Install the CA as an Enterprise Root Certificate Authority. Microsoft* ConfigMgr does not support Standalone Root Certificate Authority.

Refer to slides 38 to 44 in the attached training presentation for help on setting the permissions.
This information applies to ConfigMgr SP1 and SP2.


 

03.09.2011 QA1380

Problem creating provisioning certificate for Microsoft* ConfigMgr 2007

 

RESOLUTION

 

10.07.2010 QA1455

Remote setup and configuration using TLS fails with Microsoft* ConfigMgr

 

PROBLEM

The Microsoft ConfigMgr database did not include the FQDN of the Intel® AMT clients (only the IP address). OOB setup and configuration failed when the client attempted to establish the TLS connection to the provisioning server.

RESOLUTION

TLS setup and configuration requires an FQDN and will fail if only the IP address is used.


 

11.09.2011 QA1531

Management Engine

 

Hewlett-Packard 6910P returns UUID=00000 during activation

PROBLEM

HP 6910p returns a hello packet of UUID=00000 during activation.

RESOLUTION

This is a known issue with the firmware and will be fixed when the 2008 platform is released.

 

Meanwhile, your customers can request a BIOS update from HP to work around this issue.

12.20.2007

 

No inventory data available

PROBLEM

Inventory data does not appear after provisioning an Intel® AMT client, even though the provisioning process was successful and without errors.

RESOLUTION

POST needs to occur for the data transfer to take place. The inventory data resides within the BIOS SMI tables and cannot be successfully transferred to the Intel® Management Engine and viewed by the WebUI or retrieved programmatically. The BIOS and ME handshake must occur during POST to transfer data. Make sure the system has run through POST, so that the inventory data is transferred from BIOS into ME.

1.30.2008

Weybridge issue causing network disconnects; impacting Dell Optiplex 755

PROBLEM

Currently shipping non-provisioned Intel® vPro(TM) or Intel® AMT PCs on some Weybridge configurations may report a network disconnect/reconnect on five minute cycles when the 24 hour provisioning period expires while in a low power state. An unused security feature of Intel® AMT triggers the network disconnect and then resets the network connection on 5 minute cycles.

RESOLUTION

This issue has been resolved in the A09 BIOS release from Dell for the Optiplex 755. The BIOS release is available at the following URL:

 

http://support.us.dell.com/support/downloads/download.aspx?c=us&l=en&s=gen&releaseid=R181510&formatcnt=1&libid=0&fileid=247483

 

Click here for the update.

 

2.27.2008

Synchronizing the operating system and the Intel® AMT hostname.

PROBLEM

Is there an automated way to synchronize the operating system and Intel® AMT hostname?

RESOLUTION

The Intel® AMT Reflector tool is now available on the Intel® vPro(TM) Expert Center.

 

See the Tools wiki for more helpful Intel® vPro™ technology tools.

Best Practices: Setting up application servers and Internet Explorer* for Intel® AMT Kerberos support

  • Verify that your Internet Explorer settings are correct for pass through authentication.

    • Open Internet Explorer and choose Tools > Internet Options > Advanced Tab.

    • Select Enable Integrated Windows Authentication. Exit and restart Internet Explorer before attempting to access the Intel® AMT device.

  • Install these Kerberos patches on the system you will use to access the Intel® AMT dev

    • WindowsServer2003-KB899900-X86-ENU.exe

    • WindowsServer2003-KB908209-X86-ENU.exe

    • WindowsServer2003-KB899900-X86-ENU.reg

  • If you are using Windows XP* as the operating system for the computer used to access the Intel® AMT web interface, then install these patches:

    • WindowsXP-KB899900-X86-ENU.exe

    • WindowsXP-KB908209-X86-ENU.exe

    • WindowsXP-KB899900-X86-ENU.reg

  • Ensure that the time settings for the Intel® AMT client(s), domain controllers, and the application server are synchronized.

  • Before provisioning:

    • Create an AMT OU on the domain controller existing on the domain on which your Intel® AMT devices reside. For example, if your device exists on child.parent.com, and your provisioning server (or Intel® SCS) resides on parent.com, then create an OU for AMT objects on child.parent.com.

IMPORTANT: If there are multiple domains, then add an OU to each domain.

  • Provision your Intel® AMT client.

 

5.30.2008

Network issues with NS Lookup

PROBLEM

A single Intel® vPro™ machine can be accessed via WebUI, but does not appear in DNS. Its name does not get resolved in NSLookup.

RESOLUTION

NSLookup does not use the standard client resolver routines but uses similar routines of its own. If this is the case, a valid name-to-IP record could be cached on the client and used by IE to resolve the name even though NSLookup fails to resolve the name and there is no DNS record.

 

To determine this, do the following:

 

  1. In the command prompt program, enter ipconfig /displaydns to inspect the cache for the dns record.

  2. Enter ipconfig /flushdns to clean out records and retry (it should fail if there is no DNS record).

 

6.13.2008

Does Intel® AMT 3.0 support Windows 2000 Active Directory?

For support of Windows 2000 Active Directory, AMT 3.2 is required. Intel® AMT 3.2 was released to the OEMs during Q1 2008. Please contact your OEM to find out when the update will be publicly available.

 

6.13.2008

Switching from NAC to 802.1x results in loss of connectivity

PROBLEM

In an EAC*-enabled network, where a NAC or NAP server is deployed and configured to request “posture” or SoH, Intel® AMT connectivity may be lost to clients that are not in H0 state if the server configuration is modified to work with 802.1x only.

RESOLUTION

If the NAC/NAP server configuration is changed to work with 802.1x only, then do one of the following:

  • Restart LAN switch ports, or

  • Restart the clients.

 

6.25.2008

Using Intel® AMT wirelessly without user intervention

PROBLEM

Intel® AMT wireless connectivity is not available when the operating system is running and the user is not logged in.

RESOLUTION

To work around this issue, configure the Single Sign On (SSO) driver to maintain a wireless connection. Once the SSO properties are set according to the table below, Intel® AMT will be able to connect to the wireless profile using Microsoft* Windows credentials before the user actually logs on.

 

SSO Properties

  • Pre-logon. This feature is identified with the “SSO” term. It allows you to connect to a wireless profile using the Windows credentials entered by the user before the actual Windows log-in.

 

  • Persistent. This feature allows you to connect to a wireless profile that doesn’t require user credentials (but alternatively requires “system credentials”), in case the user is not logged on (either after reboot or after log-off). In order to use it, the IT admin has to configure such a profile that doesn’t rely on user credentials.

 

  • Security. Profiles for pre-logon and persistent connect are stored securely on the machine, cryptographically bound to the machine so that they cannot be transferred to another machine. The profiles are shared across all users on the machine, but certain user-based credentials such as PACs are stored on a per-user basis.

NOTES

  • Microsoft Windows XP users: Using persistent connection adds a service to handle establishing connections when users are not logged on.

 

  • Microsoft Vista users: The persistent connection is enabled on a per profile basis if the configured EAP (Extensible Authentication Protocol) method supports authentication with machine credentials.

 

7.16.2008

Cannot provision a system that uses an underscore in the host name

 

PROBLEM

Cannot provision a system that uses an underscore in the host name.

SOLUTION

Special characters cannot be used in host names. DNS host names may contain only letters, numbers, and the dash "-". Underscores and other special characters are not supported by the RFCs that define host name conventions. Some DNS servers, including Microsoft's, can support host names outside of the RFC specifications. See the links below for more information.

MORE INFORMATION

Microsoft KB article 909264: http://support.microsoft.com/kb/909264

 

RFC 952: http://www.ietf.org/rfc/rfc952.txt

 

 

RFC 1123: http://www.ietf.org/rfc/rfc1123.txt
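A pre-provisioning check for the host name rule above, which also covers the earlier note that TLS setup and configuration requires an FQDN and fails when only an IP address is recorded. This is an added example, not Intel or console-vendor code; the record layout, function names and sample values are assumptions constructed for illustration.

```python
"""Pre-provisioning check of client host names (added example)."""
import ipaddress
import re

# One DNS label per RFC 952 / RFC 1123: letters, digits and hyphen only,
# 1 to 63 characters, no hyphen at either end.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def fqdn_problems(name):
    """Return the reasons why `name` is unsuitable as a client FQDN."""
    problems = []
    candidate = name.strip()
    if candidate.endswith("."):          # tolerate a single trailing root dot
        candidate = candidate[:-1]
    if not candidate:
        return ["empty host name"]

    # A bare IPv4/IPv6 address is not an FQDN.
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        pass
    else:
        return ["IP address given where an FQDN is required"]

    if len(candidate) > 253:
        problems.append("name longer than 253 characters")

    labels = candidate.split(".")
    if len(labels) < 2:
        problems.append("not fully qualified (no domain part)")

    for label in labels:
        if not label:
            problems.append("empty label (consecutive dots)")
        elif "_" in label:
            problems.append(f"underscore in label '{label}'")
        elif not _LABEL.fullmatch(label):
            problems.append(f"label '{label}' violates RFC 952/1123")
    return problems


def preflight(records):
    """Map record id -> list of problems, for records that should be fixed
    before they are entered into the provisioning database."""
    rejected = {}
    for record in records:
        problems = fqdn_problems(record["fqdn"])
        if problems:
            rejected[record["id"]] = problems
    return rejected


# Constructed sample records (hypothetical layout: an id plus the FQDN that
# would be entered for the client).
SAMPLE_RECORDS = [
    {"id": "client-01", "fqdn": "pc-0417.corp.example.com"},
    {"id": "client-02", "fqdn": "lab_pc7.corp.example.com"},
    {"id": "client-03", "fqdn": "192.0.2.15"},
    {"id": "client-04", "fqdn": "kiosk3"},
    {"id": "client-05", "fqdn": "-edge.corp.example.com"},
]

if __name__ == "__main__":
    for record_id, problems in preflight(SAMPLE_RECORDS).items():
        print(record_id, "->", "; ".join(problems))
```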

 

9.5.2008

Does the Intel® SCS automatically push updates to the CRL (Certificate Revocation List) to clients?

 

SOLUTION

The CRL does not automatically update on the clients. It needs to be pushed down from the SCS, by pushing it to individual AMT clients via the Operations screen, or to all clients via the Global Operations screen in the SCS Console.

MORE INFORMATION

The Certificate Revocation List contains the revoked certificates maintained by a CA. It is used when Intel® AMT clients are configured to use Mutual TLS (MTLS) authentication.

 

9.5.08

Firewalls may not let Intel® AMT clients communicate with management consoles

PROBLEM

The wired LAN NICs are not recognized by the Intel® AMT management consoles. They do show up in the DHCP listings in the Microsoft SMS* and Altiris* demos. Only the wireless NICs were discovered as Intel® AMT devices. IPCONFIG on each notebook shows IP addresses assigned to both WLAN and LAN NICs.

 

When the firewalls are turned off, the Intel® AMT consoles can communicate with the LAN NICs.

SOLUTION

Firewalls can prevent clients from registering an FQDN (fully qualified domain name), which prevents them from being discovered by the console. Verify that the firewall is not configured to block these kinds of requests.

 

9.5.08

 

Cisco ACS Certificate Configuration for Intel® AMT

See this article to find specific configuration information.

 

10.15.08

What are some common hardware issues that are tracked by Intel® AMT?

 

SOLUTION

ASF Sensor Events

  • Temperature

  • Voltage

  • Fan

  • Chassis Intrusion

  • System FW Error (descriptor codes and descriptions are in the ASF spec 2.0) Examples:

    Unrecoverable hard disk/ATAPI/IDE device failure

    No video device detected

    FW ROM corruption detected

BIOS Events

  • System Boot Failure

  • BIOS errors

OS Events

  • OS Hangs

 

12.4.08

 

Q&A on customized Intel® AMT firmware

 

 

DESCRIPTION

Scenario: a customer would like to have an OEM deliver systems with custom Intel® AMT firmware settings and client certificate.

 

QUESTION 1: Will the customized firmware force the customer to use only customized firmware or BIOS updates for future releases?
ANSWER 1: The custom settings and client certificate will be preserved across firmware or BIOS updates if the OEM inserts the customized bits before the descriptor region manufacturing bit is locked.

 

QUESTION 2: Can an OEM customize all the Intel® AMT management engine settings?
ANSWER 2: Yes. All the features seen on the web GUI can be customized by an OEM.

 

QUESTION 3: Does Intel® have a list of default settings for each OEM?
ANSWER 3: No. Customers should contact their OEM for the latest available information.

 

Caution: The custom settings and client certificate will not be preserved across updates if the OEM programmed the firmware after setting the descriptor manufacturing bit. This will require users to reinstall the client certificates before the systems can be managed.

SOLUTION

Customers should work with their OEM to develop a custom firmware image, then run a small pilot program to test it. Clear the CMOS and then try to reprovision the systems.

 

 

 

2.13.09 QA1308

Wrong IP address for Intel® ME on Lenovo M58p using Hypervisor

 

PROBLEM

For a system running a Hypervisor on a platform with Intel® AMT 4.x or 5.x, the mismatch between the IP address assigned to the physical hardware and the guest operating system will prevent the manageability software from communicating with the Intel® ME.

RESOLUTION

To sync up the IP addresses, do the following:

 

  1. Modify the configuration settings so that Dom0 is configured to use the virtual MAC address.
  2. Assign #1 Guest operating system with the physical MAC address of the Intel® ME NIC.

 

This solution will produce the following result:

 

  1. After hardware initialization, the VMM and Dom0 will be brought up.
  2. Dom0 will provide the physical MAC address to the #1 Guest operating system, and virtual MAC addresses for each subsequent guest operating system.
  3. The #1 Guest operating system will initiate a DHCP request with the physical MAC address.
  4. The management console will now be able to communicate with the Intel® ME using the IP address assigned to #1 Guest operating system.

9.11.2009  QA1366

Virtual machines can share the wrong IP address on some Averill and Weybridge systems

 

PROBLEM

When the Intel® Management Engine and host software are both configured to obtain IP addresses using DHCP, the Intel® Management Engine snoops DHCP transactions from the PC's host software (the PC's OS) in order to capture and share an IP address with the PC host (the OS). If the host software contains more than one source of DHCP requests (for example, if the host is running VMWare* with multiple virtual machines which use DHCP) then the Intel® Management Engine ends up sharing an IP address with the source of the last DHCP request for an IP address, instead of sharing the IP address for the host OS. This can lead to confusion -- which IP address is the ME using? What hostname is the ME contactable on? And so on.

 

How to Reproduce:
When the ME and host software are both configured to obtain IP addresses using DHCP the ME snoops DHCP transactions from the platform software in order to capture and share an IP address with the PC's host (the host OS).

RESOLUTION

For an IPv4 environment, this issue has been resolved in Intel® ME firmware releases 2.2.21 (Averill platform), 2.6.30 (Santa Rosa platform), and 3.2.20 (Weybridge platform), and 4.0 and later releases. Check with your OEM for availability of this release. In a virtualized environment with the updated firmware, Dom0 is configured to use a virtual MAC address and Guest #1 VM is configured to use the physical MAC address (this is the same MAC address as the Intel® ME). The result of the fix is that the IP address for Guest #1 and the Intel® ME are identical, so the management console can communicate with the platform.

In an IPv6 environment, the issue resolves itself, since the Intel® Management Engine will have its own IP address (even when using DHCP).

05.12.2010  QA1153

Intel® AMT Wireless Configuration with 802.1x Authentication

 

 

PROBLEM

When the ME wireless profile is configured using host 802.1x, with the ME configured on the same network with the same encryption but with a different inner method, the ME will behave differently in the following scenarios:

  • When the host is connected along with ME, the ME will respond.
  • When the ME has the active profile (the host is down) and an admin tries to connect, the ME might not respond because it may fail to authenticate due to the different inner method (RADIUS-dependent).
  • When the host is up, the ME will report a profile is configured and active over WS-MAN/SOAP.

RESOLUTION

Configure the ME wireless profile to use the same 802.1x encryption and inner method as that of the host 802.1x wireless profile.

12.21.2009  QA1357

KVM remote control session inactivity timer set to about two minutes in Real* VNC viewer

 

RESOLUTION

The inactivity timer in the Real VNC viewer is preset to about two minutes. No methods are currently available to adjust this timer.

 

07.19.2010 QA1445

 

Intel® vPro platform in AC mode does not enter Deep Sx if Intel® ME is in Power Policy 2 (PP2)

 

ISSUE

In systems with Intel® ME firmware versions 7.x and 8.x, if the Intel ME is in Power Policy 2 (whether provisioned or not), the system in AC mode will not enter Deep Sx, even after the Intel ME has transitioned to M-off.


RESOLUTION

This is expected behavior. In Power Policy 2, Intel ME WOL is enabled so that the Intel ME can respond to ARP/neighbor solicitation events. This prevents a system in AC mode from entering the Deep Sx state, and therefore the system will stay in the Sx power state. If the Intel ME power policy is set back to PP1, the system will enter Deep Sx after transitioning to Sx.

 

The following conditions or actions will cause the Intel ME to be in PP2:

  • Factory default
  • User configuration
  • After cycling from a provisioned state to an unprovisioned state

08.24.2012

 

Microsoft* Systems Management Server (SMS) Add-on

 

OEM

BIOS

 

Ctrl + P prompt missing when CMOS battery unplugged

PROBLEM

When the CMOS battery is unplugged from the HP 7800p, the Ctrl+P command for accessing the Intel® Management Engine is missing.

When SCS is opened and the refresh button is selected, the Intel® AMT device does not appear.

RESOLUTION

Use the following steps to resolve this issue:

  1. Press F-10, when prompted during the boot, to access the BIOS on the system.

  2. In the BIOS choose the advanced menu -> Power-On Options and select the “MEBx Setup Prompt”

  3. Use the right arrow key to cycle it to “Displayed.”

  4. Press F-10 to accept the change.

  5. Go to the file menu and select Save Changes and Exit.

  6. The Ctrl-P prompt will reappear.

2.7.2008

 

What does the Intel® AMT status application dialog box signify?

PROBLEM

On brand new Intel® vPro™ systems, the Intel® AMT Status Application dialog box displays the Intel® AMT Status as "Enabled" even though Intel® AMT has not been configured. Are OEMs shipping systems with Intel® AMT enabled (provisioned)?

RESOLUTION

The Intel® AMT status application is designed to show if the Intel® AMT is or is not enabled in the Intel® Management Engine. It does not reflect if a system has been provisioned/configured. Even when Intel® AMT is disabled in the Intel® Management Engine, the Intel® Management Engine can still be accessed. OEMs do not ship provisioned systems unless that service is requested and purchased by the customer.

2.14.2008

 

SoL/IDER does not work with the Lenovo* X61 Tablet

PROBLEM

The SoL/IDER sessions do not work on the X61 tablet.

RESOLUTION

This issue is resolved using the 1.07 BIOS release.

 

Visit the Lenovo web site and navigate to the Support & Downloads section of the site to find BIOS 1.07.

2.27.2008

SoL/IDER can’t be disabled on Lenovo* M55p

PROBLEM

Unchecking SoL and IDER, under the network tab, isn’t disabling the feature on the Lenovo M55p.

RESOLUTION

Update the BIOS to version 37a or newer versions. Visit the Lenovo web site and navigate to the Support & Downloads section of the site to find BIOS 37a or later.

3.4.2008

BIOS password screen unavailable on HP* systems during SoL session

This problem occurs when the Terminal Emulation Mode is not set correctly in the BIOS.

 

Here is the screen when Terminal Emulation Mode is set to VT100 through BIOS:

 

 

How to switch Terminal Emulation Mode:

 

  1. Open the HP ProtectTools Security Manager, click BIOS Configuration, and then select System Configuration.

  2. In the AMT Options section, change Terminal Emulation Mode to ANSI.

  3. Click OK.

 

 

The BIOS Password screen is now available during SOL sessions.

 

 

4.25.2008

Dell* D630c laptops reboot when sent a shutdown command via Intel®

PROBLEM

Sending the "power down" command to the Dell* D630c notebook immediately shuts it down, but then it automatically re-boots.

RESOLUTION

This issue is resolved in BIOS version A02 for the Dell* D630c. You can download the BIOS update package from Dell at the following URL**:

Click here.


**This Wiki contains links to other Internet sites. Such links are not endorsements of any products or services in such sites, and no information in such site has been endorsed or approved by Intel, Inc.

11.25.2008

 

The look of the BIOS Setup screens using SoL depends on OEM support for terminal emulation modes

 

PROBLEM

Intel® AMT supports several terminal emulation modes. These are used to display the BIOS Setup GUI when using SoL. The look and feel may vary between manufacturers. Intel® AMT supports VT52, VT100, VT100+, and ANSI terminal emulation modes.

RESOLUTION

Check your OEM BIOS documentation for information about the supported terminal emulation modes and how to select the mode. Usually, the terminal emulation mode option will be in the Intel® AMT section of the BIOS Setup utility. Use ANSI mode for a more graphical looking display.

 

 

 

3.3.2009 QA1332

 

Control-P not used to enter MEBx on Lenovo* ThinkPad T400 notebook PC

 

 

RESOLUTION

To enter the MEBx, reboot and press F12 during the OEM screen to enter the Boot Menu. From the Boot Menu, choose .

 

 

 

 

 

5.13.2010 QA1413

 

Is there a list of all possible MEBX settings?

 

 

 

RESOLUTION

The MEBX options and their respective default settings are determined by the OEM. For the reference code that Intel® provides to the OEMs, all the settings are described in the following document: Intel® Management Engine BIOS Extension (MEBX) User Guide. See Appendix B: List of Intel® MEBX Options.

The latest MEBx User Guide is posted on the Intel® vPro™ Expert Center.

 

 

 

5.13.2010 QA1402

SOL/IDER fails on Dell* Latitude E6410 system with BIOS A01

 

PROBLEM

The SOL screen goes blank and no further Intel® AMT communication is possible. The Dell client system must be manually powered off to restore the system.

RESOLUTION

A firmware update to version AMT2.1.0.1032 is available from Lenovo to resolve this problem. Contact your Lenovo representative if you need this update.

 

Update to the A03 or later Dell system BIOS.

 

 

07.16.2010 QA1446

PXE boot timeout on Dell 755 and E6400 systems with Intel® AMT 802.1X configuration

 

PROBLEM

The Dell PXE option ROM ignores the PXETimeout value and will disconnect from the network after five minutes if the system has not booted to the operating system, or if the operating system LAN drivers have not been loaded. This issue has been seen on Dell 755 and E6400 notebooks.

RESOLUTION

Dell posted a new BIOS on 6/21/10 to fix this issue. Install the latest Dell BIOS.

 

 

07.16.2010 QA1442

 

Keyboard on KVM remote control console locked-out on HP* 8440p after power-reset command

 

PROBLEM

A reset command from a WebUI console to an HP EliteBook 8440p Notebook PC during a KVM remote control session will cause the keyboard on the remote console to be locked out at the Windows* Error Recovery Screen. HP has fixed this issue and has posted a new BIOS release.

RESOLUTION

 

07.16.2010 QA1440

ACPI wake-up timer failed on Lenovo* and HP* systems

 

PROBLEM

When the system is in a sleep state, the BIOS will receive a wake-up event after the Intel® ME sends out an ARP request. The expected behavior is for the BIOS to then re-arm and go back into the previous sleep state. Some systems go into a sleep state but never wake up after the wake-up timer expires.

RESOLUTION

Update the Lenovo*, HP* DC7800, or HP* DC7900 BIOS, when available.

 

03.121.2011 QA1460

 

Profiles

SCS

Intel® SCS returns an error during a partial unprovision

PROBLEM

Partial unprovisioning of a system fails. The SCS log reports the following messages: "SOAP Failure (21): cannot partially unprovision AMT" or "SOAP Failure(21): cannot GetLowAccuracyTimeSync"

RESOLUTION

The partial un-provision command requires a FQDN to work. Accurate client DNS records are required to provide an FQDN for this functionality.

2.27.2008

Validation of SCS service users takes over 30 minutes when installed in a large Active Directory environment

PROBLEM

Validation of SCS service users takes over 30 minutes when installed in a large Active Directory environment

RESOLUTION

This issue is scheduled to be resolved in Intel® AMT SCS 5.0, to be released by the end of Q2.

2.27.2008

 

Setup and Configuration Service

 

Using static IP addresses and Basic (formerly known as SMB) mode

PROBLEM

Intel® AMT functionality works in DHCP IP with Enterprise mode and SMS. However, SMS does not find asset information from the Intel® vPro™ machine when using Static IP with Basic mode.

RESOLUTION

Static IP addresses are not recommended. If they must be used, then the Intel® Management Engine and the operating system will each need their own static IP address in order for AMT to function properly.

1.25.2008

 

SCS service crashes due to excessive logs

PROBLEM

The SCS service crashes repeatedly due to excessive logs. In the SCS Win Log, the OLE database error for timeout is displayed.

RESOLUTION

Reduce the database logs to a reasonable size, based on available processes.

2.27.2008

Network Load Balancing of SCS

PROBLEM

Are there any known issues or limitations in pointing provisionserver.company.com to a Network Load Balancing address that balances between two or more SCS servers (all are in the same domain)?

RESOLUTION

The SCS support team confirmed that this is a supported configuration, provided all the SCS servers point back to a single SCS database.

2.27.2008

SNMP Trap Service required for SCS?

PROBLEM

Is the Microsoft Windows* SNMP trap service required in the latest SCS version?

RESOLUTION

The SNMP trap service is not required for installing or using SCS, but it is required for the Intel® AMT Add-on for SMS* V3.0 to receive PET alerts from Intel® AMT clients per the SMS manual.

It is used as a receiver for platform trap events. Clients can be configured to send platform traps to an SNMP service. Since the Intel® AMT Add-on is capable of configuring clients, an SNMP trap service is required during installation for a complete solution.

3.4.2008

Intel® AMT Active Directory error

PROBLEM

After setting the properties for the Intel® AMT system, the status goes to InProvisioning, but nothing changes. The logs contain the following message: Cannot create AD AMT Object: Failed on CreateDSObject with ht-73207ty, - Process Delayed.

RESOLUTION

This error message normally occurs for the following reasons:

  1. The AD schema extension has not been applied

  2. The schema extension has been applied, but the SCS service user does not have the necessary permissions on the AD OU to create and manage Intel® AMT ME objects.

If the extension for the AD schema is not needed, then uncheck the Active directory Integration checkbox in the SCS General Settings screen to prevent SCS from trying to create AD objects during provisioning.

3.4.2008

Unit Field in Configuration Parameters must be populated to complete provisioning

PROBLEM

SCS cannot complete provisioning of a system if the Configuration Parameters do not have a value specified in the OU column, even if the SCS is not using the Integrated with Active Directory option. Users must either manually add a value (during the manual process) or define a value when using remote tools like the RCT.

RESOLUTION

This is a known issue with SCS and it is slated to be corrected in SCS 5.0.

3.4.2008

Unable to access web interface using Kerberos authentication

PROBLEM

The web interface cannot be accessed using Kerberos authentication. When the Firefox web browser was used, Admin authentication could be accessed, but the https digest could not be accessed. Internet Explorer* cannot access either Admin authentication or Https digest.

RESOLUTION

If the AD schema is not extended, the Kerberos user authentication will not work. Using digest users resolves this issue.

3.21.2008

Is Static IP addressing possible in Enterprise Mode?

PROBLEM

What is the technical limitation of having static IP addresses in an Enterprise Mode environment and what would be workarounds that would allow a customer to use both? Since DHCP dynamically updates DNS, if you manually entered DNS suffix in Intel® Management Engine and maintained DNS manually then would that allow customers to use static IP addresses with enterprise mode?

RESOLUTION

While this is not recommended, the DNS entries can be maintained as described in the question. Multiple computer entries, in the management console, will be needed for managing clients that use Static IP.

3.21.2008

Is it possible to have an operating system with static IP address and Intel® Management Engine in DHCP mode?

PROBLEM

Is it possible to have an operating system setup with static IP address and Intel® Management Engine setup for DHCP mode? Can the IP address of the operating system and Intel® Management Engine be on different subnets? Or do they need to be on same subnet?

RESOLUTION

This scenario is not supported and has not been tested.

3.21.2008

Cannot log into SCS Console with Enterprise Admin account

PROBLEM

The SCS console can only be logged into using the initial setup account that is provided during SCS installation. Any attempts to log in with a user account that has enterprise admin rights and has been added to SCS Users and Groups fail. The error message received is: Login Failed and the reason is: The remote server returned an error: (502) Bad Gateway.

RESOLUTION

The root cause is that the customer has an Internet Explorer* configuration that uses a proxy. On the https connection, both the SCS console login and the SCS service use the same proxy settings, and that causes the login to fail with error 502 Bad Gateway. Un-checking the use of the proxy in Internet Explorer solves the problem.

3.21.2008

Intel® MEBX, Web UI, and remote admin passwords are not automatically synchronized

 

PROBLEM

Changing the Intel® MEBX password from the local console will not change the Web UI or remote admin passwords.

RESOLUTION

Before the Intel® AMT system is provisioned, changing the Intel® MEBX password from the local console will also change the remote admin password.  After the system is provisioned, changing the local Intel® MEBX password will not change the remote admin password.  During provisioning, the Intel® MEBX password and the remote admin password can be set.

 

 

 

04.28.2009

Using international keyboards to create MEBx passwords via Setup and Configuration Service (SCS)

PROBLEM

When creating a MEBx password via SCS and deploying to client machines located in different countries, IT administrators are advised that international keyboards may have different layouts for Latin characters. This may result in password failures as a result of entering the same password on two different keyboards supporting different languages.

 

As an example, a multi-national company headquartered in France may deploy a client to one employee in France and one in Japan. Because the keyboard layouts are different, the passwords may be inadvertently different and may fail when entered on a different keyboard.

 

Below is a comparison of different language keyboards.

 

 

Japanese keyboard

 

 

US English keyboard

 

RESOLUTION

When creating your password, use character keys that are common between all keyboards and follow the guidelines below. These guidelines assume that the password is user-defined. In high security instances, the password will be auto-generated and you will need to compare the keyboard layout diagrams to help determine your MEBx password.

 

  • The following is a list of keyboard keys that are common keys for all keyboard types: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, B, C, D, E, F, G, H, I, J, K, L, N, O, P, R, S, T, U, V, X

 

EXCEPTION: These keys are not common between Japanese and US keyboards: 2, 8, and 9. Be sure to use the illustrations above to verify common keys when creating passwords.

 

Note: Passwords can be created using characters generated by the Key and Shift Key

 

  • MEBx passwords require special characters to ensure security. Use SHIFT+N, where N equals 0, 1, 2, 3, 4, 5, 6, 7, 8, or 9, to include special characters in your password.

 

For example, if your strong password is JOK&F49!, you would relay this password to international users as: 

 

  • Passwords using the A,M,Q,W,Y and Z keys can cause problems and are not recommended.

 

5.7.2008

What is the Authorized column in Intel® SCS?

PROBLEM

The Intel® AMT Systems screen of the Intel® SCS web console has a column titled Authorized. All the systems that are provisioned show up as False. What does this column mean?

RESOLUTION

The Authorized column signifies systems that can be provisioned that have not been authorized to complete the process.

5.8.2008

SOAP error (0xCFFF06AC) when attempting remote configuration

PROBLEM

When attempting to use the latest SCS with RCT 3.3 with a Remote Config Cert from GoDaddy, this error displays in SCS: Cannot handle provisioning exception: (0xCFFF06AC) SOAP Failure (23): getFullCoreVersion: SSL error - SSL authentication failed in tcp_connect(): check password, key file, and CA file.

RESOLUTION

The remote config certificate needs to be in the personal store of the SCS service account.

  1. Log into your server with the SCS service account.

  2. Launch MMC.

  3. Select File > Add/Remove Snap-in.

  4. Select Certificates from the snap in menu and click Add.

  5. When prompted, select My user account and click Finish.

  6. Click the Close button to close the snap-in selection window.

  7. Click OK to close the snap-in Add/Remove menu.

  8. Open Certificates, then open Personal.

  9. Right-click the Personal folder, select All Tasks and then Import.

  10. Use the wizard to import your remote configuration certificate into the personal store of your SCS service account.

 

6.13.2008

Local Manageability Service (LMS) does not allow host VPN traffic when environment detection is not defined

PROBLEM

If environment detection is not configured, the Intel® AMT VPN connection cannot be enabled, even though there is no direct relationship between the two.

RESOLUTION

In the environment detection list, define a DNS suffix that matches one in the host's list of DNS suffixes.

 

To define the suffix:

 

  1. Open the Intel® SCS Console.

  2. Expand the Configuration Service Settings branch.

  3. Select Profiles. The Profiles screen displays.

  4. Select the profile to be modified.

  5. Click Edit. The Profile Configuration dialog box displays.

  6. Display the Network tab.

  7. Click Environment Detection.

  8. In the Environment Detection dialog, click Add.

 

Enter up to five domain suffixes that define permitted domains within the enterprise network. The Intel® AMT device uses this list to determine whether the platform is operating inside or outside the enterprise network. Management consoles can define the behavior of the device when it is outside the enterprise, including setting a policy that will block network traffic.

 

  9. Click OK.

 

7.18.2008

To remove wireless profiles in Intel® SCS

PROBLEM

Error code 998 displays when trying to remove a wireless profile in the SCS, indicating that the profile is in use.

RESOLUTION

This error is generated if the wireless profile you are using is assigned to a system profile within the SCS. In order to delete the wireless profile, first remove it from any system profiles.

 

7.18.2008

Synchronization errors using Intel® SCS 3.x and Microsoft* Active Directory

PROBLEM

The client machine logs errors related to setting the time when time synchronization is enabled in Intel® SCS 3.x and the OS is also using Active Directory to synchronize system time.

RESOLUTION

Disable time synchronization in SCS 3.x.

 

7.28.2008

SCS Installation Account Security Requirements

PROBLEM

What are the minimum security requirements for the account that installs SCS?

RESOLUTION

The account needs to be a member of the local administrators group and an administrator on the SQL server.

 

7.28.2008

SCS 5.0 Does Not Support 64-bit Operating Systems

PROBLEM

SCS 5.0 does not support 64-bit operating systems. Customers using 64-bit operating systems need to use SCS 5.1 or later.

 

At this time there is no workaround for SCS 5.0 to support 64-bit operating systems. This issue is not documented in the SCS 5.0 documentation.

SOLUTION

SCS 5.1 supports 64-bit operating systems.

 

9.25.2008

SCS Console Operator role does not appear to give users the right to access the security keys

PROBLEM

The SCS Console Operator role does not appear to give users the right to access the security keys, which conflicts with the documentation and is a pre-requisite for an operator performing a pre-provisioning function.

SOLUTION

This issue was fixed in SCS 5.0.

 

11.25.2008

Consistent RCFG failure with SCS

 

PROBLEM

Remote configuration fails consistently when attempting to provision clients with SCS. The error message in the SCS log is 'Cannot handle provisioning exception: (0xCFFF06AC) SOAP Failure (23): getFullCoreVersion: SSL_ERROR_SSLerror:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error - SSL connect failed in tcp_connect()'

 

The provisioning server has the correct (non-wildcard) RCFG certificate and certificate chains from the signing Certificate Authority. The client domain name from the DHCP server (option 15) matches the domain in the RCFG certificate and the SCS domain. The server also correctly provisions clients using the TLS-PSK method.

 

The Clients can also be correctly provisioned using RCFG when connected to a separate test network.

SOLUTION

 

Intel® AMT supports a maximum encryption key length of 2048-bits.

 

12.4.2008

How often are log files purged in Intel® SCS?

 

PROBLEM

How often does the SCS purge log files and can the retention date be configured?

SOLUTION

There are maintenance procedures that SCS executes once every five minutes: cspi_cleanRequestStatus and cspi_cleanLog. These procedures did not execute automatically in SCS 3.3 and earlier.

 

This was fixed in SCS 3.3. Both procedures will execute automatically. The default value of cspi_cleanRequestStatus is five days.

 

12.4.2008

Is the Intel® SCS supported on Intel® 64 architecture versions of Microsoft Windows* Server?

 

SOLUTION

The 3.x versions of Intel® SCS are not supported on Intel® 64 architecture versions of Windows* Server. SCS versions 5.x and later are supported in 32-bit mode on Intel® 64 architecture-enabled versions of Windows* Server.

 

12.4.2008 (updated 12.3.2009) QA1119

Import setup.bin made with USBFILE2.EXE into the SCS

 

PROBLEM

The USBFile version 2 utility was used to create PID/PPS pairs, but the SCS console cannot import the setup.bin file. It displays an error message indicating the supplied setup.bin has an incorrect file format.

SOLUTION

USBFILE2's file format is not supported by the SCS at this time. Use the -v 1 switch with USBFILE2 to force it to create a v1 file, or use the original USBFILE utility.

 

12.4.2008

The SCS Console Operator role does not appear to give users the right to access the security

 

PROBLEM

The SCS Console Operator role does not appear to give users the right to access the security keys, which conflicts with the documentation and is a pre-requisite for an operator performing a pre-provisioning function.

SOLUTION

This is a known issue and will be fixed in SCS 5.0.

11.25.2008

 

Intel® SCS is only supported on English versions of Windows* Server

 

 

SOLUTION

Check future versions of Intel® SCS to determine if it is supported on non-English versions of Microsoft* Windows* Server 2008.

 

 

9.18.2009 QA1381

Intel® SCS error code 637 means that the one-time password is missing

 

 

 

PROBLEM

The Intel® AMT log shows the following error after a provisioning attempt:

 

Failed to apply all changes - SCS Code:637 - Operation: Setting system data

SOLUTION

The error is the result of a missing one-time password in the Intel® SCS profile. To fix this problem, either uncheck the OTP checkbox in the profile, or keep the OTP option checked and supply a password.
Refer to the Intel® SCS User Guide for more information on the OTP option.

 

 

 

 

07.19.2010 QA1444

Intel® SCS Console communication with workgroup-based clients requires host file entries for each client

 

 

SOLUTION

In a workgroup environment, all the Intel® AMT clients must be listed in the host file on the Intel® SCS Console system. The host file is a simple list of each client's FQDN and IP address. This file must be updated each time the IP address changes. Refer to your Windows* documentation for more information on this file.

 

 

09.22.2010 QA1434

 

USB Provisioning

 

USB provisioning only effective on "factory new" systems

PROBLEM

USB provisioning failed after multiple attempts.

RESOLUTION

This is by design. USB provisioning only works on a "factory new" system, meaning that it has never been provisioned. Once Intel® AMT is provisioned, the one-touch USB method will not work again until the CMOS battery is pulled and reset.

11.9.2007

 

USB Key Configuration Guidelines

Use these criteria when preparing a key for USB provisioning:

 

  • Keys should only be formatted with Intel® SCS. Keys should be formatted as a FAT16 device with a null volume label.

  • Setup.bin must be the first file on the key. If the file is overwritten, or erased and then re-added, it may no longer be the first file on the key. Always reformat the key before a new setup.bin file is copied to it.

  • Keys should be 2GB or less. FAT16 cannot address more than 2GB on these devices.

  • Purchased keys should not have any preinstalled software on them.

  • Keys should only be used for USB key provisioning and not for any other purpose.

  • Keys should never have been created as a bootable device.

  • BIOS settings can impact USB provisioning. If you experience problems, load the manufacturer's default BIOS settings before doing USB provisioning.
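The on-disk criteria above (FAT16, null volume label, setup.bin first, 2GB or less) can be checked against a raw image of the key before it is used. This is an added example, not Intel's or Intel SCS's code; it assumes the image starts at the FAT boot sector (no partition table), treats a blank or "NO NAME" boot-sector label with no label entry in the root directory as a null volume label, and reads "first file" as the first root-directory entry. The function names and sample images are constructed for illustration.

```python
import struct

BOOT_SIG = b"\x55\xaa"
ATTR_VOLUME_ID, ATTR_LFN = 0x08, 0x0F
MAX_BYTES = 2 * 1024**3  # "Keys should be 2GB or less"
BPB = "<HBHBHHBHHHII"    # FAT BIOS Parameter Block fields starting at offset 11


def name83(base: bytes, ext: bytes = b"") -> bytes:
    """Space-padded 11-byte 8.3 directory name."""
    return base.ljust(8) + ext.ljust(3)


def check_key(img: bytes) -> list:
    """Return findings for a raw FAT volume image; [] means it passes."""
    if len(img) < 512 or img[510:512] != BOOT_SIG:
        return ["no boot sector signature"]
    (bps, spc, rsvd, nfats, root_ents, tot16, _media, fatsz,
     _spt, _heads, _hidden, tot32) = struct.unpack_from(BPB, img, 11)
    if not (bps and spc and fatsz):
        return ["not a FAT12/FAT16 boot sector (FAT32 or unformatted)"]
    findings = []
    total = tot16 or tot32
    root_secs = (root_ents * 32 + bps - 1) // bps
    first_root = rsvd + nfats * fatsz
    # The FAT type is defined by the cluster count, not by the text at offset 54.
    clusters = (total - first_root - root_secs) // spc
    if not 4085 <= clusters < 65525:
        findings.append(f"not FAT16 ({clusters} clusters)")
    if total * bps > MAX_BYTES:
        findings.append("volume larger than 2GB")
    label = img[43:54].rstrip(b" \x00")
    if label not in (b"", b"NO NAME"):
        findings.append("boot sector carries volume label "
                        + label.decode("ascii", "replace"))

    # Walk the fixed-size root directory: 32-byte entries, 0x00 ends the list.
    root = img[first_root * bps:(first_root + root_secs) * bps]
    first = None
    for off in range(0, len(root) - 31, 32):
        ent = root[off:off + 32]
        if ent[0] == 0x00:
            break
        if ent[11] & 0x3F == ATTR_LFN:           # long-file-name fragment
            continue
        if ent[0] != 0xE5 and ent[11] & ATTR_VOLUME_ID:
            findings.append("volume label entry in root directory")
            continue
        if first is None:
            first = ent                           # first file slot, live or deleted
    if first is None:
        findings.append("setup.bin missing: root directory is empty")
    elif first[0] == 0xE5:
        findings.append("deleted entry precedes the first file: reformat the key")
    elif first[:11] != name83(b"SETUP", b"BIN"):
        name = first[:8].rstrip() + b"." + first[8:11].rstrip()
        findings.append("first file is " + name.decode("ascii", "replace")
                        + ", not setup.bin")
    return findings


def build_image(entries, label=b"NO NAME", total_sectors=32768) -> bytes:
    """Constructed sample: boot sector, two FATs and root directory, no data area."""
    bps, spc, rsvd, nfats, root_ents, fatsz = 512, 4, 1, 2, 512, 32
    boot = bytearray(bps)
    tot16 = total_sectors if total_sectors < 0x10000 else 0
    struct.pack_into(BPB, boot, 11, bps, spc, rsvd, nfats, root_ents, tot16,
                     0xF8, fatsz, 63, 255, 0, 0 if tot16 else total_sectors)
    boot[43:54] = label.ljust(11)
    boot[54:62] = b"FAT16".ljust(8)
    boot[510:512] = BOOT_SIG
    root = bytearray(root_ents * 32)
    for slot, (name, attr) in enumerate(entries):
        root[slot * 32:slot * 32 + 11] = name
        root[slot * 32 + 11] = attr
    return bytes(boot) + bytes(nfats * fatsz * bps) + bytes(root)


SETUP = (name83(b"SETUP", b"BIN"), 0x20)
SAMPLES = {  # all images below are constructed for this example
    "fresh key": build_image([SETUP]),
    "setup.bin erased and re-added": build_image(
        [(b"\xe5" + SETUP[0][1:], 0x20), SETUP]),
    "labelled key": build_image([(name83(b"AMTKEY"), 0x08), SETUP], label=b"AMTKEY"),
    "other file first": build_image([(name83(b"README", b"TXT"), 0x20), SETUP]),
}

if __name__ == "__main__":
    for title, image in SAMPLES.items():
        print(f"{title}: {check_key(image) or 'OK'}")
```

A deleted entry ahead of setup.bin is the on-disk trace of the erase-and-re-add case the guidelines warn about, which is why reformatting is the only reliable fix.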

 

12.20.2007

USB Compatibility Matrix for Intel® Centrino® with Intel® vPro™ Technology (Intel® AMT 2.5)

The keys marked YES are acceptable for USB provisioning. The keys marked NO are not recommended for USB provisioning. New keys were used in these tests.

 

| System | Model | BIOS | SanDisk 1GB Cruzer Micro SDCZ61024A10 | Kingston 1GB DT1001GBKR | Sony 1GB Micro Vault Classic USM1GJ | PNY 2GB Optima Pro Attached Enhanced for Windows ReadyBoost PFD02GHSPFS |
|---|---|---|---|---|---|---|
| Acer | TravelMate 6592 | 1.53 | Not supported | Not supported | Not supported | Not supported |
| Dell | Latitude D630c | A09 | Yes | Yes | Yes | Yes |
| FSC | LifeBook E8410 | 1.16 | Not supported | Not supported | Not supported | Not supported |
| HP | 2510p | F.0D | Yes | Yes | Yes | Yes |
| HP | 6910p | F.16 | Yes | Yes | Yes | Yes |
| Lenovo | ThinkPad T61 | 7LETB9WW(2.24) | No | Yes | No | No |
| Lenovo | ThinkPad X61 Tablet | 7SET31WW(1.19) | No | Yes | No | No |
| Lenovo | ThinkPad X300 | 7TUJ05US (1.08) | No | Yes | No | No |
| Samsung | NP-P55 | 07AY | Not supported | Not supported | Not supported | Not supported |
| Toshiba | Protege M700 | 1.40 | Not supported | Not supported | Not supported | Not supported |
| Toshiba | Tecra M9 | 1.90 | Not supported | Not supported | Not supported | Not supported |

 

*Fujitsu-Siemens Corporation (FSC) and Toshiba do not support USB provisioning on their Intel® Centrino® Pro processor technology platform.

04.23.09

 

USB Compatibility Matrix for Intel® vPro™ Technology (Intel® AMT 3.x)

The keys marked YES are acceptable for USB provisioning. The keys marked NO are not recommended for USB provisioning. New keys were used in these tests.

 

 

 

 

| System | Model | BIOS | SanDisk 1GB Cruzer Micro SDCZ61024A10 | Kingston 1GB DT1001GBKR | Sony 1GB Micro Vault Classic USM1GJ | PNY 2GB Optima Pro Attached Enhanced for Windows ReadyBoost PFD02GHSPFS |
|---|---|---|---|---|---|---|
| Intel® Desktop Board | DQ35JO | 86.A.0954.2008.0922.2331 | Yes | Yes | Yes | Yes |
| FSC | Esprimo P5925 | 6.00 R1.15.2584.A1 | Yes | No | Yes | No |
| Dell | Optiplex 755 | A11 | Yes | Yes | Yes | Yes |
| HP | dc7800 | 01.24 | Yes | Yes | Yes | Yes |
| Lenovo | ThinkCentre M57p | 2RKT57AUS | Yes | No | Yes | No |

04.23.09

USB Compatibility Matrix for Intel® vPro™ Technology (Intel® AMT 4.x)

The keys marked YES are acceptable for USB provisioning. The keys marked NO are not recommended for USB provisioning. New keys were used in these tests.

 

| System | Model | BIOS | SanDisk 1GB Cruzer Micro SDCZ61024A10 | Kingston 1GB DT1001GBKR | Sony 1GB Micro Vault Classic USM1GJ | PNY 2GB Optima Pro Attached Enhanced for Windows ReadyBoost PFD02GHSPFS |
|---|---|---|---|---|---|---|
| Acer | TravelMate 6493 | v1.02 | Yes | Yes | Yes | Yes |
| Dell | Latitude E6400 | A11 | Yes | Yes | Yes | Yes |
| Fujitsu | LifeBook 8420 | v1.06 | Yes | Yes | Yes | Yes |
| HP | EliteBook 6930P | 68PCU ver F.0E | Yes | Yes | Yes | Yes |
| Lenovo | T400 | 7UET43WW (1.15) | Yes | Yes | Yes | Yes |
| Lenovo | X200 | 6DET30WW (1.07) | Yes | Yes | Yes | Yes |
| Toshiba | Tecra A10 | 1.90 | Yes | Yes | Yes | Yes |

04.23.09

USB Compatibility Matrix for Intel® vPro™ Technology (Intel® AMT 5.x)

The keys marked YES are acceptable for USB provisioning. The keys marked NO are not recommended for USB provisioning. New keys were used in these tests.

 

| System | Model | BIOS | SanDisk 1GB Cruzer Micro SDCZ61024A10 | Kingston 1GB DT1001GBKR | Sony 1GB Micro Vault Classic USM1GJ | PNY 2GB Optima Pro Attached Enhanced for Windows ReadyBoost PFD02GHSPFS |
|---|---|---|---|---|---|---|
| Lenovo | M58p | 5CKT40AUS | Yes | No | Yes | No |
| HP | dc7900 | 786G1 v01.11 | Yes | Yes | Yes | Yes |
| Dell | OptiPlex 960 | A01 | Yes | Yes | Yes | Yes |

04.23.09

 

 

What is the maximum number of PID/PPS pairs that can be used during USB provisioning?

PROBLEM

Customers activating a high number of systems using One Touch/USB provisioning may run into performance degradation attempting to import these keys in a management console.

RESOLUTION

There is no theoretical limit to how many PID/PPS pairs can be on a USB key, but there may be a threshold above which the performance degrades significantly. At this time, the largest known deployment using USB provisioning was with 30,000 PID/PPS pairs. Altiris* was unable to process this setup.bin file; however, the Intel® SCS Console was able to import these keys despite the timeout error that the console indicated.

4.29.2008

PID/PPS key generation using LANDesk utility

 

There is a utility available in your LANDesk installation that allows you to quickly generate a specific number of PID/PPS pairs for USB provisioning. Follow these instructions; the steps represent a standard installation.

 

  1. Open Windows Explorer and navigate to your LANDesk program files.

  2. Open the managementsuite folder and locate AMTUSBFile.exe.

  3. Open a command window and navigate to the path where AMTUSBFile.exe resides. Use the table below to run the utility.

 

| To do this... | Then type this and press Enter... |
|---|---|
| List all available parameters | AMTUSBFile.exe -h |
| Generate X number of pairs | AMTUSBFile.exe -c current ME password new ME password -n number of pairs (for example, generating 625 records takes ~1 second: AMTUSBFile.exe -c admin Landesk1! -n 625) |
| Import the keys from the generated setup.bin to the LANDesk database | AMTUSBFile.exe -i (Note: LANDesk uses an encrypted string when saving credentials to the database. Sometimes, this encrypted string is invalid to databases, such as Oracle. If this occurs, you may need to run the command several times before the keys are added. Records already imported will not be imported again.) |
| Verify the list of records in the database | AMTUSBFile.exe -g |

6.27.2008

 

HP* 8730w is unable to boot from USB provisioning key created by Intel® SCS

 

PROBLEM

HP* 8730w is unable to boot from a USB provisioning key created by Intel® SCS Console. The system hangs and the screen goes blank. This is a known issue for BIOS versions F.10 and earlier.

SOLUTION

Upgrade to BIOS F.11.

05.11.2010  QA1432

 

Firmware update needed to provision Lenovo* M58p with USB key using USBFILE 2.1 utility

 

 

PROBLEM

The Lenovo* BIOS must be updated to use USBFILE 2.1 with USB provisioning on the Lenovo* M58p.

SOLUTION

Update your Lenovo* M58p BIOS to the latest BIOS available on the Lenovo website.

 

 

05.11.2010  QA1367

USBFile.exe syntax to enable both SOL and IDER

 

 

RESOLUTION

The default setting in Intel® AMT firmware is to enable both SOL and IDER. To provision a system with both SOL and IDER enabled using the USBFile.exe utility, simply omit the -redir option from the command line.

 

For example:

 

usbfile.exe -create setup.bin admin P@ssw0rd -amt

For more information, see: Local Setup and Configuration Using a USB Flash Drive (http://communities.intel.com/docs/DOC-4354)

 

 

 

 

5.13.2010  QA1427

 

Microsoft Windows* 8

 

IMSS notifications are missing on legacy systems running Microsoft* Windows 8*

 

PROBLEM

Users who upgrade legacy systems (Intel® Management Engine Interface (Intel® ME) 4/5/6/7) to the Microsoft* Windows 8 operating system should be aware that, when working in the Windows* 8 UI, they will not receive system update notifications from Intel® Management Security Status (IMSS). This is a potential loss of privacy notice.

SOLUTION

When in the Windows* 8 UI, the user will still see a request to initiate a KVM (Keyboard, Video, Mouse) connection. A flashing yellow and red frame and a blinking icon will be present once the KVM session has been connected.

In Intel ME 8.1, when users are working in the Windows* 8 UI, IMSS will send toast notifications to users about various system events. These notifications will not be available in the Windows* 8 UI to users on legacy platforms.

 

08.23.2012

 

IDE-R Emulation Presence Issue

 

PROBLEM

The following issue has been detected on legacy vPro platforms (Intel® Active Management Technology 7 and earlier) when running Windows* 8: “The CD or DVD device is not visible during an IDER session”.

This is due to changes in functionality of Windows* 8 compared to earlier versions.

SOLUTION

The following firmware versions include a workaround for this issue:

Chipsets | Firmware Milestone | Firmware version
Mobile Intel® 4 Series | Intel® AMT 4.x (2009 MB Platforms) | Intel® AMT 4.2.60 MR
Intel® Q45, Q43, B43 | Intel® AMT 5.x (2009 DT Platforms) | Intel® AMT 5.2.70 MR
Intel® 5 Series | Intel® ME 6.x (2010 Platforms) | Intel® ME 6.2.20 MR
Intel® 6 Series | Intel® ME 7.x (2011 Platforms) | Intel® ME 7.1.40 MR

A second option is available via a registry key:

The user may use a registry key that Microsoft* has made available and assign it the necessary value. This will cause Windows* 8 to revert to pre-Windows* 8 behavior, enabling the CD or DVD device for use during the redirection session.

Note that this will also cause loss of a Windows* 8 performance enhancement.  If the platform has an additional IDE controller with only 1 device, or an IDE-emulated SATA controller, using this option will lengthen the platform's boot time by 1.5 seconds compared to regular Windows* 8 boot without the registry key.

Name: EnumDevice1
Type: REG_DWORD
Path: HKLM\System\CurrentControlSet\Services\atapi\Controller0
Value: To avoid the issue, the key should be assigned any non-zero value
Description: Valid for Microsoft* Windows 8 Operating System and up.
Valid for all devices connected to PATA/IDE controllers.
Note that this registry value has system wide effect.
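
The choice between the two options above, as an added PowerShell example (not Intel's or Microsoft's code): it compares a caller-supplied firmware version against the table and, only when the firmware lacks the workaround, checks or sets EnumDevice1. The script parameters are hypothetical, and it assumes that later builds of the same major firmware version keep the workaround.

```powershell
# Added example, not Intel or Microsoft code: audit one Windows 8+ machine for the
# IDE-R CD/DVD workaround. Script parameters are hypothetical.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Intel AMT/ME firmware version supplied by the caller, e.g. from inventory.
    [Parameter(Mandatory)][version]$FirmwareVersion,
    # Write EnumDevice1 if the firmware lacks the workaround (system-wide effect).
    [switch]$Apply
)

# Firmware versions from the table above, keyed by major version.
# Assumption: later builds of the same major version keep the workaround.
$minFixed = @{
    4 = [version]'4.2.60'; 5 = [version]'5.2.70'
    6 = [version]'6.2.20'; 7 = [version]'7.1.40'
}
$keyPath   = 'HKLM:\System\CurrentControlSet\Services\atapi\Controller0'
$valueName = 'EnumDevice1'
$result = [ordered]@{
    Firmware = $FirmwareVersion; FirmwareFixed = $false; EnumDevice1 = $null; Action = 'none'
}
$major = $FirmwareVersion.Major

if ([Environment]::OSVersion.Version -lt [version]'6.2') {
    $result.Action = 'not applicable: OS is older than Windows 8 (NT 6.2)'
} elseif ($major -ge 8) {
    $result.Action = 'not applicable: issue is reported for Intel AMT 7 and earlier'
} elseif ($minFixed.ContainsKey($major) -and $FirmwareVersion -ge $minFixed[$major]) {
    $result.FirmwareFixed = $true
} else {
    # Firmware lacks the workaround, so inspect the registry option.
    $prop = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    $result.EnumDevice1 = if ($prop) { $prop.$valueName } else { $null }
    if ($result.EnumDevice1) {
        # Any non-zero value restores the pre-Windows 8 enumeration behaviour.
        $result.Action = 'registry workaround already set'
    } elseif ($Apply -and $PSCmdlet.ShouldProcess($keyPath, "Set $valueName = 1")) {
        # Assumption: create the key if it is absent before writing the value.
        if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
        New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
        $result.EnumDevice1 = 1
        $result.Action = 'registry workaround written; boot time may increase'
    } else {
        $result.Action = 'update firmware, or set EnumDevice1 to a non-zero value'
    }
}
[pscustomobject]$result
```

Without -Apply the script only reports; writing the value requires an elevated session and honors -WhatIf.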


08.23.2012
