Known Issues, Best Practices, and Workarounds

    Best Practices

    Automatically disabling the Intel® AMT Privacy Notification window

    PROBLEM

    A Privacy Notification window automatically displays when each user logs into the Intel® AMT system.

    RESOLUTION

    End users can disable this window by selecting the "Do not display this message" checkbox.

    However, you can also disable the Privacy Notification window and still keep the application running by modifying a registry key.

     

    To modify the registry key:

     

    1. Open the registry and locate this key: HKEY_LOCAL_MACHINE\Software\Intel\Network_Services\atchk

    2. Create a new DWORD value named MinimizePrivacyIconAtStart and set it to 00000001.







    11.9.2007

     

     

    Changing Terminal Emulation Type

    PROBLEM

    Some vendor BIOS versions only support the display of specific emulation types. Using this command, specific ISVs will be able to redirect and emulate without issue.

    RESOLUTION

    This command only applies to users running Altiris, HP Openview, and Microsoft SMS.

     

    On the console machine:

     

    1. At the Start menu, select Run.
    2. In the Open field, enter CMD and click OK. A command window opens.
    3. At the command prompt, type telnet and press Enter.
    4. In the telnet session, type set term ansi or set term vt100 and press Enter.
    5. Type quit and press Enter.







     

    Your terminal emulation type is now set to ANSI or VT100, depending on what you entered. You can re-enter the telnet session at any time and type d to verify the emulation type.

     

    NOTE: If you do not properly quit the telnet session, the setting will not be saved.

    6.11.2008

    Customizing the Intel® AMT Status dialog box

    You can view the status of Intel® AMT on a machine by double-clicking the system tray icon and choosing Status. This dialog box displays whether Intel® AMT is enabled or disabled. It also has a hyperlink that allows the user to visit a site for more information about Intel® AMT. You can customize this hyperlink to go to any site you wish. For example, you may want to modify it to point to your organization’s help desk page or to the Intel® vPro™ Expert Center (http://www.intel.com/go/vproexpert).

     

    This procedure applies to Intel® AMT 2.5 and greater. See the readme file, included in the download, for more information.

    1. Download the files to modify the registry.
    2. The files are located here: http://communities.intel.com/docs/DOC-1797
      1. Save the OemUrlRegistry.zip file to your desktop.
      2. Extract the files: oementry.re_ and readme.txt.
    3. Customize the hyperlink.
      1. Open oementry.re_ in a text editor.
      2. Edit the destination hyperlink. The default entry is: "OemUrl"=http://www.intel.com/vpro.
      3. Rename oementry.re_ to oementry.reg.
    4. Run the *.reg file to modify the registry.
      1. Double-click oementry.reg.
      2. A cautionary dialog box displays. Click OK.
      3. An information dialog box displays that the registry was modified. Click OK.
    5. Restart the computer.





     

    Intel® AMT platform may have up to 8 client certificates that can define different 802.1x profiles

     

    PROBLEM

    Some users need to move a PC between several networks.  For example, a support technician may support multiple clients that require different client certificates.

    RESOLUTION

    Users may install up to 8 client certificates.

     

     

    2.24.2009 QA1312

     

    How To Remove the CMOS Battery on a Lenovo* ThinkPad* T400

     

    PROBLEM

    If the administrator forgets the MEBx password, the only way to clear the password is to remove the CMOS battery.

    RESOLUTION

    To remove the CMOS battery on a Lenovo* ThinkPad* T400 you must remove the keyboard to get to the battery. The battery is located under the palm rest. Please refer to the Lenovo* instructions at the following URL**: HTTP://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-71484.

    **This URL to a non-Intel® web site is provided for the reader's convenience. This is not an endorsement or recommendation by Intel® of the site or products.

     

    Note for Intel® Anti-Theft (Intel® AT) Technology users: if your PC is enrolled in an Intel® AT service, and you remove the CMOS battery, the ME may detect this as tampering and lock the system.  You will then need the Intel® AT passphrase to unlock the system after you reboot.

     

    WARNING: To avoid personal injury or property damage, follow the manufacturer's safety instructions that apply whenever accessing the inside of the product.

     

    CAUTION: There is the danger of explosion if the battery is incorrectly replaced. When replacing the battery, use only the battery recommended by the equipment manufacturer and follow the manufacturer's instructions. Electrostatic Discharge (ESD) can damage disk drives, boards, and other parts. We recommend that you perform all procedures at an ESD workstation.

    3.9.2009 QA1330

    Root certificate size limit is 2048-bits

    PROBLEM

    Intel® AMT is incompatible with a 4096-bit PKI if Intel® AMT systems need to validate a certificate chain containing this key size, for example in 802.1X networks.

    SOLUTION

    If a customer already has a PKI with a 4096-bit root certificate, you can work around this issue by adding a 2048-bit root CA and then using it to issue certain certificates (for example, RADIUS).

    4.2.2009 QA1341

    How to hide the Intel® Management & Security Status (IMSS) tool system tray icon

     

    SOLUTION

    To hide the IMSS system tray icon, delete the key at the following registry location:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Picon\"C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe"

     

    4.2.2009 QA1342

     

    Tips on ME firmware updates

     

    PROBLEM

    To successfully upgrade your ME firmware, follow the guidelines listed below.

    SOLUTION

    Version number format for ME firmware

    Intel® AMT firmware versions use the following format:
    W.X.Y.ZZZZ
    W = platform
    X = major version
    Y = minor version
    ZZZZ = build number

    Rules for successful upgrades

    (1) The platform number (W) of the update must match the existing firmware.
    (2) The major number (X) of the update must be the same as, or higher than, that of the existing firmware. The only two exceptions are: 2.0 can only be upgraded to 2.1 or 2.2; version 2.5 can only be upgraded to 2.6.
    (3) The minor version (Y) for the update must be greater than, or equal to, the minor version for the existing version if the major version is unchanged (for example, 3.0.0 to 3.0.1).
    (4) Always use the FWUPDLCL utility from the upgrade toolkit.
    (5) ME Firmware Local Updates must be enabled in the MEBx, or the Local FWU Override Counter and Local Firmware Override Qualifier must be set appropriately to allow an override.
    TIP: Run MEInfoWin.exe against the platform, or log on to the MEBx (on the local machine), to check or change the ME Firmware Local Update setting. You can also check or change the status of the FWU Override Counter and FWU Override Qualifier settings.
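
    Rules (1) to (3) above can be checked before an update package is pushed to a fleet. The following is an added example, not Intel code: the function names and the sample version strings are constructed for illustration, and it assumes that an update which keeps the same major number on a 2.0 or 2.5 system is still governed by rule (3). Rules (4) and (5) concern the tool and the MEBx setting and cannot be derived from version strings.

```python
import re
from typing import List, NamedTuple


class FwVersion(NamedTuple):
    platform: int  # W
    major: int     # X
    minor: int     # Y
    build: int     # ZZZZ


VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

# Exceptions to rule (2), keyed by the installed (W, X) pair: the only major
# numbers an update may move to. 2.0 -> 2.1 or 2.2; 2.5 -> 2.6.
MAJOR_EXCEPTIONS = {(2, 0): {1, 2}, (2, 5): {6}}


def parse_version(text: str) -> FwVersion:
    """Parse a W.X.Y.ZZZZ string; reject anything else (e.g. a 3-part version)."""
    match = VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"not in W.X.Y.ZZZZ format: {text!r}")
    return FwVersion(*(int(part) for part in match.groups()))


def check_upgrade(installed: str, update: str) -> List[str]:
    """Return the violated rules; an empty list means rules (1)-(3) pass."""
    cur, new = parse_version(installed), parse_version(update)
    problems: List[str] = []

    # Rule 1: the platform number must match. Nothing else is comparable
    # across platforms, so stop here.
    if new.platform != cur.platform:
        problems.append(
            f"rule 1: update platform {new.platform} does not match "
            f"installed platform {cur.platform}")
        return problems

    if new.major < cur.major:
        # Rule 2: the major number may not go down.
        problems.append(
            f"rule 2: major {new.major} is lower than installed {cur.major}")
    elif new.major > cur.major:
        # Rule 2 exceptions: some releases only accept specific targets.
        allowed = MAJOR_EXCEPTIONS.get((cur.platform, cur.major))
        if allowed is not None and new.major not in allowed:
            targets = ", ".join(f"{cur.platform}.{m}" for m in sorted(allowed))
            problems.append(
                f"rule 2: {cur.platform}.{cur.major} can only be upgraded "
                f"to {targets}")
    elif new.minor < cur.minor:
        # Rule 3: with the major unchanged, the minor may not go down.
        problems.append(
            f"rule 3: minor {new.minor} is lower than installed {cur.minor}")
    return problems


if __name__ == "__main__":
    # Constructed (installed, update) pairs; build numbers are placeholders.
    samples = [
        ("3.0.0.1000", "3.0.1.1001"),
        ("2.0.3.1000", "2.5.0.1000"),
        ("2.5.1.1000", "2.6.0.1000"),
        ("3.0.2.1000", "3.0.1.1000"),
        ("6.0.30.1197", "5.2.20.1000"),
    ]
    for installed, update in samples:
        result = check_upgrade(installed, update)
        print(f"{installed} -> {update}: {'OK' if not result else result}")
```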

     

     

     

    9.11.2009 QA1359

     

    Intel® AMT does not allow multiple simultaneous commands

     

     

    PROBLEM

    For example, if a SoL session is active from the Microsoft* SCCM Out of Band console, the Intel® AMT firmware will not process a collection-based power control command from the console.

    SOLUTION

    Intel® AMT firmware will ignore a second command if it is still processing an active command. This is a security feature.

     

     

     

    9.11.2009 QA1327

     

    Password issue causes WebUI to report "The system may be under attack" in the event log

     

     

    PROBLEM

    The password policy is configured by the OEM during manufacturing. The primary setting allows a one-time change from Admin/admin to a unique password and keeps the remote and local access passwords synchronized. If you changed the password on the remote client, you will have two passwords. This is intended to allow customers to have a unique password for local access and to allow the user to change it randomly to ensure the security of the system.

    SOLUTION

    The system was working as designed. The local MEBx password and the WebUI remote passwords may be different if the user has changed the MEBx password on the local machine.

     

    11.12.2009 QA1389

    Fast Call For Help Q&A

     

    PROBLEM

    Question 1: Is KVM Remote Control supported using Fast Call For Help?
    Question 2: Does Fast Call For Help use Kerberos authentication?
    Question 3: Does Microsoft* ConfigMgr support Fast Call For Help?

    SOLUTION

    Answer 1: Yes, you can use KVM Remote Control after you establish a Fast Call For Help connection.
    Answer 2: No, Fast Call For Help only supports Digest authentication.
    Answer 3: No, Microsoft ConfigMgr does not support Fast Call For Help at this time.

     

    02.19.2010 QA141

     

    Intel® AMT technology does not support certain characters in FQDN

     

    PROBLEM

    Intel® AMT does not support fully qualified domain names (FQDNs) ending in "_" or "-".

    SOLUTION

    Avoid using these 3-character strings at the end of the FQDN.

     

    05.13.2010 QA1394

    BIOS

    F10 does not exit BIOS on HP clients

    PROBLEM

    During a SoL session to an HP* client, pressing F10 does not exit BIOS.

    RESOLUTION

    Press ESC and 0 (zero) at the same time as an alternative to exit BIOS.

    1.30.2008

     

    The TCP/IP DHCP Mode setting in MEBx must be enabled for remote control of an Intel® AMT platform

     

    PROBLEM

    Current tools from Intel® do not control the TCP/IP DHCP Mode setting. Additionally, only an unprovisioned platform lets you set this option locally.

    Disabling TCP/IP DHCP Mode requires an onsite physical touch to either do a clear CMOS, or from MEBx, to do a full unprovision. All tools related to remote provisioning, un-provisioning, or updating/modifying Intel® AMT firmware settings require that TCP/IP already be enabled. There is also no known in-band solution using ISV applications.

    If the TCP/IP DHCP Mode setting is set to NONE, then the IP address is 0.0.0.0 and the ME cannot receive or execute any commands.

    RESOLUTION

    When purchasing a system, customers should verify that their OEM has a tool to remotely turn on the TCP/IP setting before deploying systems with the TCP/IP setting disabled.

    In some cases where the DHCP Mode setting in the MEBx is Enabled, but the user is not ready to provision the systems already deployed, they will see heavy DHCP network traffic. To avoid heavy network traffic on the DHCP server caused by the hello packets from numerous unprovisioned systems, set the Manageability Feature Selection setting to NONE and keep the TCP/IP DHCP Mode setting enabled.

    If the systems with the TCP/IP DHCP Mode disabled are already deployed, and the OEM doesn't have a tool to remotely enable this setting, the administrator must go to each system and either clear CMOS, or do a full unprovision from MEBx.

     

     

     

    3.3.2009 QA1309

     

    After reflashing a full image, is a "clear CMOS" required?

     

     

    PROBLEM

    Is a "Clear CMOS" required after a full image flash?

    RESOLUTION

    No, the "clear CMOS" is not required, but is recommended on systems with legacy BIOS code (as opposed to UEFI) if problems arise after full image flash (i.e., the Clear CMOS can be used as a "fix" for post-flash issues).

    Also, it is recommended that you use an image tool with full erase, program, and reboot steps; perform an update on a duplicate/test environment first; use defaults, then compare updated file to source file BEFORE rebooting (should be 100% compare). After reboot, go into BIOS and set optimal defaults.

     

    6.1.2009 QA1355

     

     

    Remote BIOS update with AMT Commander does not see BIOS update files

     

     

    PROBLEM

    When using AMT Commander to perform a remote BIOS update using SOL/IDE-R, AMT Commander does not display the text of the BIOS update files; it only displays the bootable ISO files.

    RESOLUTION

    The problem is likely a terminal emulation mismatch between the remote system running AMT Commander and the target system where the BIOS update is to be performed. AMT Commander (part of the AMT SDK) contains many terminal emulators, not just the common vt100 or PC ANSI. Ensure that the AMT Commander terminal emulation matches the target system's terminal emulation (contact the target system OEM if necessary).

    Also, some OEMs supply a local keyboard lockout feature during remote SOL/IDE-R sessions. This can get corrupted so that the remote keyboard is locked out, not the local one. If this happens, the target system OEM must supply an update for the corrupt feature. AMT Commander contains a control for local keyboard lock; make sure this is set to off.

     

    5.27.2009 QA1356

    Intel® AMT Event log includes Platform Event Traps from the BIOS

     

     

     

    PROBLEM

    Some events listed in the Intel® AMT event log are generated by the BIOS and simply passed through to the Intel® AMT event log. For example, if the system fails to boot using the PXE option, you may see a "System boot failure" event in the log. The source may say Intel® AMT only because it was passed by the BIOS to the Intel® AMT firmware.

    RESOLUTION

    No solution is required. This is expected behavior.

     

     

     

     

    6.1.2009 QA1345

    VeriSign* certificates with MD2RSA signature algorithm for authentication of RADIUS servers

     

     

     

    PROBLEM

    The MD2RSA signature algorithm is not supported by the Intel® AMT firmware. VeriSign* updated their SSL certificates to use a 1024-bit, SHA-1 root in 2009.
    Refer to VeriSign* advisory AD146, updated 12/04/2009, for details on how to upgrade your certificates.

    RESOLUTION

    Update the older VeriSign* signing certificates to chain up to the new SHA-1 root. You do not need to update the VeriSign* RADIUS server certificate (leaf certificate).

     

     

     

     

    10.13.2010 QA1423

    Simultaneous IDER and KVM remote control sessions cause errors on Lenovo T410

     

     

    PROBLEM

    If you start a SOL/IDER session first, then start a KVM remote control session with VNC+, the keyboard and mouse are lost in the KVM remote control session.

    RESOLUTION

    Update to the latest VNC+ viewer and Lenovo BIOS and firmware stack. For Lenovo systems, update to package 1.21-1.10 or later. For other OEMs, contact the OEM.

     

     

     

     

    10.13.2010 QA1457

     

    SOL/IDER on Intel® AMT 6.0 platforms fails with some management consoles

     

    PROBLEM

    In Intel® AMT 6.0, the redirection listener for SOL/IDER is turned off by default. This can cause a failure in management consoles that do not open the redirection listener during the initiation of the SOL/IDER session. The default state of the listener can be changed using a MEBX setting (AMT Legacy Redirection Mode), but it cannot be changed from Intel® SCS 5.4 or 6.0.

    RESOLUTION

    To use SOL/IDER with a management console that doesn't send the commands to open the redirection listener, go to the client and change the AMT Legacy Redirection Mode setting in the MEBX.

     

    10.13.2010 QA1450

    UTF-8 emulation BIOS support required for displaying Portuguese characters in SOL session

    RESOLUTION

    To correctly display Portuguese in a SOL session, select UTF-8 emulation in the Intel® AMT section of the BIOS. The OEM must provide UTF-8 support in the BIOS. Customers should contact their OEM for support.

     

    12.13.2010 QA1435

    How to change a client previously set to SMB mode without a hostname to Enterprise mode

    PROBLEM

    A customer manually set SMB mode, but did not enter the client host name. The customer wants to remotely provision the client using Enterprise mode (PKI).

    RESOLUTION

    Run ZTCLocalAgent.exe -Activate as administrator on the client. This command will set the provisioning mode to Enterprise. The utility is available in the Intel® AMT SDK.

     

    12.13.2010 QA1431

     

    WinPE image sent over IDER doesn't initialize the keyboard and mouse on HP* 6930p

    PROBLEM

    Some OEMs have BIOS settings that can lock out the local keyboard and mouse when an IDE-R SOL session occurs. In the case of the HP* 6930p, the local keyboard and mouse are locked.

    RESOLUTION

    Microsoft* ConfigMgr and LANDesk* management consoles now allow the lock-out settings to be controlled from the management console. To solve this issue, choose the option to unlock the keyboard and mouse during IDE-R and SOL sessions.

     

    03.09.2011 QA1383

    Unconfigured Intel® AMT system causes unwanted network traffic in 802.1x environment

    PROBLEM

    In an unprovisioned state, whenever the 802.1x network puts the system on a remediation VLAN, the Intel® ME causes undesirable network chatter if the remediation VLAN doesn't have a DHCP server.

    RESOLUTION

    Contact your OEM to determine if a firmware update is available.

     

    03.09.2011 QA1448

    No video during KVM remote control session on Lenovo* T410 with switchable graphics

    PROBLEM

    The screen will go blank when the user switches from the Nvidia* graphics to the Intel® HD integrated graphics on a Lenovo* T410 with switchable graphics. The KVM remote control session initiated after the user switches to the integrated graphics will also show a blank screen. This issue is caused by a long delay in the Nvidia* graphics driver when it switches between the Nvidia graphics and the Intel® HD graphics.

    RESOLUTION

    The following Use Case Reference Design discusses updating firmware and drivers and provides an example of how to do it in Microsoft* ConfigMgr.
    Automatic Remote Firmware Update, http://communities.intel.com/docs/doc-4078

     

    03.21.2011 QA1462

    Tips on updating firmware and HECI driver

     

    PROBLEM

    In general, you should update the ME firmware first, then update the HECI driver. Note that some OEMs package the ME firmware update with the system BIOS update. Use the tool provided by the OEM and follow the instructions provided with the update package.

    RESOLUTION

    Wait 30 seconds for the switch to occur.

    Check with Lenovo* for a driver, BIOS, or firmware fix to this issue.

     

    03.09.2011 QA1452

    ZTCLocalAgent fails to activate systems

     

    RESOLUTION

    The version of the ZTCLocalAgent must match the Intel® AMT version. For example, use the ZTCLocalAgent from the Intel® AMT SDK v5.0 for Intel® AMT 5.0 systems. Alternatively, you can use the latest Activator utility from the Intel SCS package (this should be backward compatible with all previous versions of Intel® AMT that support remote configuration).

     

    03.21.2011 QA1481

    Support for intermediate certificates from Juniper* Steel Belted Radius Server with Intel® AMT 802.1X authentication

    RESOLUTION

    Juniper* Steel-Belted Radius v6.10 Global Enterprise software (with a VeriSign root certificate) can be configured to issue intermediate certificates for 802.1X authentication of Intel® AMT clients. Customers should contact Juniper* for setup instructions.

     

    04.20.2011 QA1490

    Unable to use IDER on Lenovo* T400 with Computrace* by Absolute software

    RESOLUTION

    Customers should contact Lenovo if they are seeing IDER failures on a Lenovo T400 with Computrace by Absolute Software.

     

    04.20.2011 QA1472

    Power down option is not available in KVM Remote Control Session

     

    RESOLUTION

    The Intel® AMT firmware does not support power-down operations when any redirection session is in operation. Power-up and reset operations are permitted.

     

    10.18.2011 QA1532

    Does Intel® Standard Manageability support KVM Remote Control?

     

    RESOLUTION

    No. KVM Remote Control is only supported on platforms when Intel® AMT has been set up and configured to support KVM Remote Control. All other configurations, including DASH 1.1, Intel® Standard Manageability platforms, or platforms with Intel® Core™ i3 processors are unsupported.

     

    11.02.2011 QA1529

    Client Drivers

    Using Intel® vPro™ technology and Linux

    PROBLEM

    Where can I find more information about Intel® vPro™ technology on Linux?

    RESOLUTION

    Information about Linux support is available at the Open Source Intel® AMT Drivers and Tools site.

    10.11.2007

    Linux-based wireless drivers

    PROBLEM

    Where can I find the most recent Linux drivers for an Intel® vPro™ capable system?

    RESOLUTION

    Visit http://www.intellinuxwireless.org/ to download Intel® wireless drivers.

    11.9.2007

    Wireless management does not work when the operating system is running

    PROBLEM

    Wireless management does not work when the operating system is running.

    RESOLUTION

    Check if there are missing or faulty Intel® AMT drivers (HECI & LMS/SOL) in Microsoft Windows*. Get the latest drivers from the OEM's web site and install them. Once the drivers are installed, the Intel® Management Engine should work properly with the wireless connection.

    1.30.2008

    LMS/SOL driver setup program fails to install privacy icon if installation path includes square brackets

     

    PROBLEM

    If the path to the LMS/SOL driver setup.exe contains square brackets, then the driver will be installed but the privacy icon will not be installed. For example, setup will fail with this path: c:\drivers\[HP]\lms_sol\setup.exe.

    RESOLUTION

    This issue is expected to be fixed in Intel® AMT 4.2.

    To work around the issue, remove the square brackets from the path.

     

    4.2.2009 QA1333

    LMS generated line in hosts file

     

    PROBLEM

    The hosts file has the following section:
    # localhost name  resolution is handled with DNS itself
    # 127.0.0.1 localhost
    # ::1  localhost
    127.0.0.1 mysystem.vprodemo.com #LMS GENERATED LINE

    RESOLUTION

    LMS generates this line when there is a mismatch between the OS hostname and the Intel® ME hostname. This can happen, for example, when you swap hard drives between computers.

     

    03.21.2011 QA1479

     

    Infrastructure

    PROBLEM

    Is there a performance hit for IDE-R over a WAN?

    RESOLUTION

    We do not recommend using an IDE-R session to boot large CD-ROM images over a WAN. Instead, we recommend using a stripped down IDE-R image that can load up a network stack on the AMT client. The network stack can be used to access local shares at the branch that have the tools you need to either rebuild the OS or diagnose problems.

    2.8.2008

    Firewalls may not let Intel® AMT clients communicate with management consoles

    PROBLEM

    The wired LAN NICs are not recognized by the Intel® AMT management consoles. They do show up in the DHCP listings. Only the wireless NICs were discovered as Intel® AMT devices. IPCONFIG on each notebook shows IP addresses assigned to both WLAN and LAN NICs.

    When the firewalls are turned off, the Intel® AMT consoles can communicate with the LAN NICs.

    RESOLUTION

    Firewalls can prevent clients from registering an FQDN (fully qualified domain name), which prevents them from being discovered by the console. Verify that the firewall is not configured to block these kinds of requests.

    11.25.2008

    Secondary DNS IP makes Intel® AMT configuration fail in basic (formerly SMB) mode

    PROBLEM

    When configuring Intel® AMT in basic (formerly SMB) mode during boot up, some values for the secondary DNS server IP address make the configuration fail.

    If a secondary DNS server's last octet value is 223 or higher, the configuration fails.

    RESOLUTION

    This is a known issue in the Intel® Management Engine and will be fixed in the next release. The current workaround is to change the secondary DNS server's IP address, or to not use the secondary DNS server at all in the configuration.

    11.25.2008

    ME NIC remains at lowest negotiated speed and half duplex mode after booting

    PROBLEM

    When you reboot the system and enter a SoL/IDER session, the ME NIC will remain in the lowest negotiated speed setting and half duplex mode if the SoL/IDER session remains connected during boot. The NIC does not renegotiate to the highest available speed or full duplex mode after the operating system boots.

    RESOLUTION

    To force the ME NIC to renegotiate to full speed/full duplex mode, disconnect the SoL/IDER session then reconnect.

    11.25.2008

     

    GenScript produces errors on Windows* Vista OS, Windows* Server 2008, and clients with 802.1x profiles

     

    PROBLEM

    The Intel® WS-MAN translator package used with Microsoft* SCCM 2007 SP1 generates some errors due to scripting language changes introduced in Windows* Vista.
    The scripts will not run correctly on Microsoft* Vista and Microsoft* Server 2008 operating systems. Also, wired 802.1X scripts produced by GenScript only execute properly the first time they are run.

    RESOLUTION

    An updated version of the WSMAN translator is available.

    3.3.2009 QA1322

     

    Usage of Locally Administered Address on Intel® Active Management Technology enabled systems

    PROBLEM

    An incompatibility exists between Intel® Active Management Technology (Intel® AMT) and Locally Administered Address (LAA) environments. As a result, Intel® AMT enabled systems configured to work in LAA environments might encounter LAN disconnects.

    RESOLUTION

    A Locally Administered Address (LAA) is an option allowing users to set their own MAC address on the platform and thus bypass the Burned-in address (BIA) MAC. Intel® AMT was not designed to support LAA environments and there are no plans to add this capability in the near future.

    Intel® recommends avoiding usage of LAA together with Intel® AMT technology to avoid this issue.

     

    5.18.2009 QA1350

     

    ICMP Router Discovery Protocol (IRDP) is not supported

     

     

    PROBLEM

    ICMP Router Discovery (IRDP) is turned on by DHCP Option 31. IRDP is not supported by Intel® AMT technology.

    RESOLUTION

    No solution is available.

     

     

     

    11.25.2009 QA1377

     

    VeriSign* SSL Certificates

     

    RESOLUTION

    VeriSign* SSL certificates moved to a new 1024-bit SHA-1 root on May 17, 2009. The new root CA "Class 3 Public Primary Certification Authority--G2" is already embedded in today's browsers. For Intel® vPro(TM) Technology customers, no updates or changes are required until their current certificates expire.

     

    About the VeriSign* Certificates. VeriSign* sells "Secure Site Pro (SSP)" and "Premium SSL" certificates that previously included the G1 root, and are now re-signed to include the G1.5 root. Secure Site Pro and Premium SSL are two names for the same VeriSign product. The "Standard SSL" certificates previously had the G1 root, and now contain the new G2 root.

     

    Installation or Upgrades. Users should follow the VeriSign* installation instructions each time they install new VeriSign* certificates. Customers can use the VeriSign* tools to verify that they have the latest Intermediate CA.

     

    For more information, visit the VeriSign* website for Intel® vPro™ Technology.

     

    02.19.2010 QA1398

     

    Clients not waking when host Wake On LAN (WOL) magic packet is sent on UDP port 68

    PROBLEM

    Client platforms are not waking up when host Wake On LAN (WOL) magic packet is sent on UDP port 68 on Intel® vPro platforms with Intel® Active Management Technology (AMT) enabled. This issue has been observed on platforms running Intel® AMT 5.1 and 5.2 firmware, but not on platforms running Intel® AMT 5.0 firmware.

    RESOLUTION

    This issue has been confirmed by Intel® as a side effect of a change introduced in AMT 5.1 firmware and will be fixed in future firmware revisions (5.2.20 & later).  Please contact your OEM for more detailed information on when this update will be available.

    Two temporary workarounds may be employed:
    • Use a non-IANA reserved port for host WOL magic packet traffic.
    • Use port 68 with TCP protocol (rather than UDP) for host WOL magic packet traffic. Note that port 68 TCP is an IANA reserved port, which could be affected by future changes in network infrastructure or Intel® products.




    02.22.2010

     

    GoDaddy* certificate has incorrect OU value in the subject field

     

    PROBLEM

    In some instances, the OU value in the Subject field was incorrectly set with a space between the word Intel and the (R) symbol: "Intel (R) Client Setup Certificate".

    RESOLUTION

    Customers should contact GoDaddy to have a new certificate issued without the extra space character.

     

    05.11.2010 QA1429

    Intel® vPro™ technology management network controller uses DHCP option 249 Classless Static Routes

     

     

    RESOLUTION

    To set the default gateway, set the DHCP option 249 (Classless Static Routes) setting. The Option 33 (Static Route) setting is now obsolete. Option 249 is classless, that is, each entry in the routing table includes a subnet mask.
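
    To confirm what a DHCP server actually hands the management controller, the option 249 payload can be decoded from a packet capture or server export. The following is an added example, not Intel or Microsoft code: it uses the classless-route layout of RFC 3442 (prefix length, the significant octets of the destination, then the 4-octet router), which option 249 shares; the function names and sample addresses are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple


def encode_routes(routes: Iterable[Tuple[str, str]]) -> bytes:
    """Encode (destination CIDR, router) pairs into an option 249 payload."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)       # strict: host bits must be 0
        significant = (net.prefixlen + 7) // 8  # octets needed for the prefix
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(router).packed
    if len(out) > 255:
        raise ValueError("payload exceeds the 255-byte DHCP option limit")
    return bytes(out)


def decode_routes(payload: bytes) -> List[Tuple[str, str]]:
    """Decode an option 249 payload; raise ValueError if it is malformed."""
    routes = []
    pos = 0
    while pos < len(payload):
        width = payload[pos]
        if width > 32:
            raise ValueError(
                f"prefix length {width} at offset {pos} is not valid for IPv4")
        significant = (width + 7) // 8
        end = pos + 1 + significant + 4
        if end > len(payload):
            raise ValueError(f"route at offset {pos} is truncated")
        # Only the significant octets are on the wire; pad back to 4 octets.
        dest = bytes(payload[pos + 1:pos + 1 + significant])
        dest += b"\x00" * (4 - significant)
        router = bytes(payload[pos + 1 + significant:end])
        net = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(dest)}/{width}")
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
        pos = end
    return routes


def default_gateway(payload: bytes) -> Optional[str]:
    """Return the router of the 0.0.0.0/0 entry, or None if there is none."""
    for dest, router in decode_routes(payload):
        if dest == "0.0.0.0/0":
            return router
    return None


# Constructed sample: a default route plus one subnet-specific route.
SAMPLE_ROUTES = [("0.0.0.0/0", "192.168.1.1"), ("10.17.0.0/16", "192.168.1.254")]

if __name__ == "__main__":
    payload = encode_routes(SAMPLE_ROUTES)
    print("option 249 payload:", payload.hex())
    for dest, router in decode_routes(payload):
        print(f"  {dest} via {router}")
    print("default gateway:", default_gateway(payload))
```

    A payload with no 0.0.0.0/0 entry decodes cleanly but yields no default gateway, which is the condition to look for when a client receives an address and still has no route off its subnet.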

     

     

     

    05.12.2010 QA1384

     

    Operating system clock gradually drifting

     

     

    PROBLEM

    The operating system clock has been observed to drift in small increments until it was about two hours fast. The time was always reset to the correct time at each reboot. The clock setting was set by a network time server and therefore could not be changed by the user.

    RESOLUTION

    There is no solution at this time.

     

     

    05.12.2010 QA1336

    Email and contact phone numbers for Certificate Authorities used in Intel® AMT firmware

     

     

    RESOLUTION

    VeriSign
    (650) 426-5112
    (866) 893-6565

    GoDaddy
    (480) 505-8877

    Comodo Group, Inc.
    525 Washington Blvd.
    Jersey City, NJ 07310
    (888) 266-6361
    (703) 581-6361
    Fax: (201) 963-9003

    Starfield Technologies, Inc.
    14455 N. Hayden Road
    Scottsdale, AZ 85260
    (480) 624-2500

     

     

     

    05.13.2010 QA1411

    Intel® AMT fails to connect when DHCP Option 0 is set

     

     

    PROBLEM

    DHCP Option 0 (Padding) is incompatible with Intel® AMT. DHCP Option 0 is a rarely used option that pads the DHCP option records so that they align on word boundaries.

    RESOLUTION

    There is no solution at this time.

     

    05.13.2010 QA1358

     

    PKI DNS Suffix profile setting does not override DHCP Option 15

     

     

    PROBLEM

    If the customer has many different DHCP Option 15 (DNS Domain Name) settings that do not follow the rules for Remote Configuration Certificate domain suffix matching, it will not be possible to use the PKI DNS Suffix profile in the MEBx to override the respective DHCP Option 15 setting of the DHCP server. The PKI DNS suffix profile can only be used to substitute for Option 15 authentication when DHCP Option 15 is not set.

    Please refer to the Intel® AMT Remote Configuration Certificate Selection white paper for assistance in choosing the correct remote configuration (RCFG) certificate for your remote provisioning needs.

    RESOLUTION

    If you can't use remote configuration due to this DHCP Option 15 issue, you must use one-touch provisioning.

     

     

     

    05.13.2010 QA1363

    Authentication failure during SOL/IDE-R on Intel® AMT 6.0 platforms

     

    PROBLEM

    This issue occurs when Kerberos authentication is enabled in the Intel® ME firmware and Kerberos authentication for the currently logged-in user to the management console fails while trying to initiate a SOL or IDER session.

    The issue is related to the authentication back-off mechanism in Intel® AMT. In Intel® AMT versions prior to 6.0.30.1197 the firmware allows for three login attempts before the system will deny the connection. Kerberos and Digest Authentication will use 2 authentication attempts each. Basic authentication will use a single attempt.

    If Kerberos is enabled on the Intel® AMT platform, the IMRSDK.DLL library will attempt to perform Kerberos authentication. If Kerberos authentication fails, the library falls back to Basic authentication.

    Starting in the Intel® AMT 6.0 SDK (around Sprint 10), the IMRSDK.DLL library was changed to fall back to Digest authentication instead of Basic. This update can cause the Digest attempt to trigger the back-off mechanism in the Intel® AMT firmware and cause the entire authentication attempt to fail.

    This failure is exhibited with a Connection Timeout, or Connection Closed error from IMRSDK.DLL.

    Intel® ME FW 6.0.0.1184 was the AMT 6.0 original PV version. There are several Intel® AMT firmware versions between 1184 and 1197 that are being shipped by OEMs that could encounter this issue.
    To compound this issue, the IMRSDK.DLL library has not had its version stepped during the build process.

    Notes on the potential impact on ISVs:
    Altiris*--Can be configured to use Digest or Kerberos.
    LANDesk*--Uses Digest only.
    Microsoft* ConfigMgr--Uses Digest for some actions and Kerberos for others. (Not configurable.)

    Status:

    In order to support Digest authentication after a failed Kerberos authentication, the retry count in the Intel® ME firmware was increased from three retries to four retries. This was included in the Intel® ME firmware starting in version 6.0.30.1197.

    Here are the known impacted versions and the MD5 hashes of each release.
    Known to use Digest fallback:
    MD5SUM cc66c511352e428569f83d07525d14ce v1.1.3.0 *imrsdk(1472).dll [Sprint 14]
    Unknown/Untested:
    MD5SUM 3204a528f624bf6117238aa899a961f6 v1.1.3.0 *imrsdk(1360).dll [Sprint 13]
    MD5SUM 3204a528f624bf6117238aa899a961f6 v1.1.3.0 *imrsdk(1276).dll [Sprint 12]
    MD5SUM 7fc08a282494137324bf1556470984da v1.1.3.0 *imrsdk(1130).dll [Sprint 11]
    MD5SUM 39687b9d3361ae5ddd1adbb59b098959 v1.1.3.0 *imrsdk(945).dll [Sprint 10]
    Known to use Basic fallback:
    MD5SUM 8091b69094f0c08e13ad2509a75b0f6a v1.1.3.0 *imrsdk(750).dll [Sprint 9]
    MD5SUM 8091b69094f0c08e13ad2509a75b0f6a v1.1.3.0 *imrsdk(519).dll [Sprint 8]

    RESOLUTION

    There are three potential workarounds:

    • Upgrade to Intel® AMT firmware version 6.0.30.1197 or later
    • If not using TLS, connect to the Intel® AMT machine with the client's IP address instead of a FQDN
    • Replace the IMRSDK.DLL with a previous version
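
    The attempt counting behind this entry, as an added example (not Intel's or any ISV's code): it identifies an IMRSDK.DLL by the MD5 values listed above and counts authentication attempts against the firmware limit when Kerberos fails. The function names are hypothetical, and treating untested or unlisted DLL builds as Digest-fallback is an assumption made for the worst case.

```python
"""Added example: does a firmware / IMRSDK.DLL pairing hit the AMT back-off?"""
import hashlib

# Attempts each scheme consumes against the firmware limit (figures from this page).
ATTEMPT_COST = {"kerberos": 2, "digest": 2, "basic": 1}
# First Intel ME firmware build with the limit raised from three to four (from this page).
FIXED_FW = (6, 0, 30, 1197)
# MD5 of IMRSDK.DLL -> fallback scheme, copied from the table on this page.
IMRSDK_FALLBACK = {
    "cc66c511352e428569f83d07525d14ce": "digest",    # imrsdk(1472), Sprint 14
    "3204a528f624bf6117238aa899a961f6": "untested",  # imrsdk(1360)/(1276), Sprints 13/12
    "7fc08a282494137324bf1556470984da": "untested",  # imrsdk(1130), Sprint 11
    "39687b9d3361ae5ddd1adbb59b098959": "untested",  # imrsdk(945), Sprint 10
    "8091b69094f0c08e13ad2509a75b0f6a": "basic",     # imrsdk(750)/(519), Sprints 9/8
}


def parse_fw(version):
    """'6.0.30.1197' -> (6, 0, 30, 1197); ValueError on any other shape."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected a four-part firmware version, got {version!r}")
    return tuple(int(p) for p in parts)


def attempt_limit(fw_version):
    """Login attempts the firmware allows before it denies the connection."""
    return 4 if parse_fw(fw_version) >= FIXED_FW else 3


def md5_of_file(path, chunk_size=1 << 16):
    """MD5 of a file on disk, used only to match the table above."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def fallback_for_md5(md5_hex):
    """Fallback scheme recorded for this DLL hash, or 'unlisted'."""
    return IMRSDK_FALLBACK.get(md5_hex.strip().lower(), "unlisted")


def session_outcome(fw_version, fallback, kerberos_ok=False):
    """Count attempts for one SOL/IDE-R login on a Kerberos-enabled platform."""
    if fallback not in ("digest", "basic"):
        raise ValueError("fallback must be 'digest' or 'basic'")
    limit = attempt_limit(fw_version)
    schemes = ["kerberos"] if kerberos_ok else ["kerberos", fallback]
    used = sum(ATTEMPT_COST[s] for s in schemes)
    return {"limit": limit, "schemes": schemes, "used": used,
            "blocked": used > limit}


def assess(fw_version, imrsdk_md5):
    """Verdict for one console DLL / client firmware pairing when Kerberos fails."""
    fallback = fallback_for_md5(imrsdk_md5)
    # Assumption: untested or unlisted builds are scored as Digest fallback.
    assumed = fallback not in ("digest", "basic")
    result = session_outcome(fw_version, "digest" if assumed else fallback)
    result["fallback"] = fallback
    result["fallback_assumed"] = assumed
    return result


if __name__ == "__main__":
    sprint14 = "cc66c511352e428569f83d07525d14ce"
    for fw in ("6.0.0.1184", "6.0.30.1197"):
        print(fw, assess(fw, sprint14))
```

    On a console machine, pass md5_of_file() of the installed IMRSDK.DLL and the client's firmware version to assess(); blocked=True marks the pairing that produces the Connection Timeout or Connection Closed error.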

     

     

     

    05.13.2010 QA1422

     

    WS-MAN settings for 802.1x PXE boot

     

     

    PROBLEM

    Using the default settings, the timeout period doesn't allow enough time for the OS to authenticate during PXE booting. The following whitepaper describes the Intel® AMT architecture used to support PXE boot.
    Next-Generation Streaming Clients, Based on Intel® vPro™ Technology

    RESOLUTION

    The following sample WS-MAN settings work around this issue:

    AMT_8021xProfile
      ActiveInS0 = true
      AuthenticationProtocol = 2
      ClientCertificate
        Address = default
        ReferenceParameters
          ResourceURI
          SelectorSet
      Domain = vprolab
      ElementName = Intel® AMT 802.1x Profile
      Enabled = true
      InstanceID = Intel® AMT 802.1x Profile 0
      PxeTimeout = 10800
      ServerCertificateIssuer
        Address = HTTP://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
        ReferenceParameters
          ResourceURI = HTTP://intel.com/wbem/wscim/1/amt-schema/1/AMT_PublicKeyCertificate
          SelectorSet
            Selector: InstanceID = Intel® AMT Certificate: Handle: 1
      Username = Hostname$iME

    These settings for the Intel® ME do the following:
    • The client actively participates in 802.1X authentication even when the client is in S0 state (power-on)
    • The protocol is EAP-PEAP. Intel® AMT supports other EAP protocols that can be used depending on the network requirements
    • No client certificate (because we use MS-CHAPv2)
    • The domain is VPROLAB (a sample NetBIOS domain name)
    • Profile is enabled
    • PXETimeout is the time (in seconds) for which Intel® AMT will continue to keep the network port open after the client has been powered on or reset. This time period should only be long enough to allow Operating System software to be booted using PXE under normal networking conditions. After this time period expires Intel® AMT will close the network port and Operating System software must perform 802.1X authentication to re-open the network port. If the Intel® MEI driver loads before this time period expires, Intel® AMT will close the network port.
    • Using this workaround, Intel® AMT will open the network port regardless of the client boot source. Therefore, the user is advised to evaluate the risk to their network if the client boots from unauthorized local media instead of PXE and, if necessary, to take specific steps to prevent this happening. Such steps could include the following: (i) setting PXETimeout to 0 when not using PXE boot; (ii) using Intel® AMT to remotely disable boot devices that accept removable media when PXE booting is required; (iii) using Intel® AMT to lock the local keyboard to prevent local override of the boot device when PXE booting is required.
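
    A review of the PxeTimeout window against mitigations (i) to (iii) above, as an added example rather than Intel tooling. The indented dump format, the function names, the finding codes and the measured_pxe_boot_seconds input are assumptions; the sample dump is constructed from the settings listed in this entry.

```python
"""Added example: review an 802.1x profile's PXE window against the mitigations."""

ROOT = "AMT_8021xProfile"

# Constructed dump modelled on the sample settings in this entry (not captured output).
SAMPLE_DUMP = """\
AMT_8021xProfile
  ActiveInS0 = true
  AuthenticationProtocol = 2
  PxeTimeout = 10800
  ServerCertificateIssuer
    Address = HTTP://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
    ReferenceParameters
      ResourceURI = HTTP://intel.com/wbem/wscim/1/amt-schema/1/AMT_PublicKeyCertificate
"""


def parse_dump(text):
    """Parse an indented 'Name = value' dump into {dotted.path: value}.

    Lines without ' = ' open a nested object; indentation decides nesting, so
    the two Address properties of a full profile would not overwrite each other.
    """
    props, stack = {}, []            # stack holds (indent, name) of open parents
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        name, sep, value = raw.strip().partition(" = ")
        if sep:
            props[".".join([n for _, n in stack] + [name])] = value.strip()
        else:
            stack.append((indent, name))
    return props


def review_pxe_window(props, pxe_boot_required, removable_boot_disabled,
                      keyboard_locked, measured_pxe_boot_seconds):
    """Return (code, message) findings for the unauthenticated PXE window."""
    key = ROOT + ".PxeTimeout"
    if key not in props:
        raise ValueError("dump has no PxeTimeout property")
    timeout = int(props[key])        # seconds, per this entry
    if timeout < 0:
        raise ValueError("PxeTimeout cannot be negative")
    if timeout == 0:
        return []                    # mitigation (i) already applied
    if not pxe_boot_required:
        return [("PXE_WINDOW_UNUSED",
                 f"port opens for {timeout}s at power-on but PXE is not used; set PxeTimeout to 0")]
    findings = []
    if timeout > measured_pxe_boot_seconds:
        findings.append(("WINDOW_EXCEEDS_BOOT_TIME",
                         f"{timeout}s window vs {measured_pxe_boot_seconds}s measured PXE boot"))
    if not removable_boot_disabled:
        findings.append(("REMOVABLE_BOOT_ENABLED",
                         "removable-media boot devices are enabled during the window"))
    if not keyboard_locked:
        findings.append(("KEYBOARD_UNLOCKED",
                         "local keyboard can override the boot device during the window"))
    return findings


if __name__ == "__main__":
    profile = parse_dump(SAMPLE_DUMP)
    for code, message in review_pxe_window(profile, True, False, False, 900):
        print(code, "-", message)
```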

     

     

     

    05.13.2010 QA1420

    More information on the Wireless Profile Sync feature in Intel® AMT 6

     

     

    RESOLUTION

    Intel® AMT firmware versions 6.0 and higher include the Wireless Profile Synchronization feature. This feature synchronizes the wireless profile set in the OS with the wireless profile set in the Intel® ME. This feature requires Intel® ProSet. When the user changes the wireless profile in the OS, Intel® ProSet will prompt the user to change the Intel® ME wireless profile to match the OS wireless profile.

     

     

     

     

    09.22.2010 QA1456

    Intel® AMT support for WEP in Fast Call For Help wireless profiles

     

    RESOLUTION

    Intel® AMT 6.0 and later versions support Open, WEP, and PSK encryption methods in the wireless profiles for Fast Call for Help and RPAT.

     

    10.13.2010 QA1459

     

    Intel® AMT 2.6.20 clients returning error during provisioning

    PROBLEM

    WSMAN Translator Build 570 with Intel® AMT 2.6.20 clients return error "CommitChanges()=2057" during provisioning.

    RESOLUTION

    Update to WSMAN Translator build 571 or later. The latest build is available from the Intel® vPro™ Expert Center: HTTP://software.intel.com/en-us/articles/intel-ws-management-translator/

     

    04.20.2010 QA1469

    ISV

    Altiris

    Troubleshooting DNS when configuring Altiris

    PROBLEM

    DNS configuration issues display when configuring Altiris.

    RESOLUTION

    Use these troubleshooting tips to help resolve DNS configuration issues with Altiris:

     

    • Verify that the Altiris host has fully qualified records in the DNS infrastructure. This would constitute an A record for forward lookups and a PTR record for reverse lookups.
    • Make sure the Intel® Setup and Configuration Service (SCS) is up and running on the box.
    • Upgrade the SCS Console to the current version. This process is not supported by Altiris and is only for troubleshooting.
    • IMPORTANT: When you upgrade, only install the console. DO NOT upgrade the entire SCS application.

      To upgrade to the current version:

    1. Download the SCS package at http://softwarecommunity.intel.com/articles/eng/1025.htm.
    2. When the download is complete, open the ZIP file and double-click 3.1.0.7.zip.
    3. Double-click AMTConsole.zip and run AMTConsole.exe. The console will prompt you to use the fully qualified domain name. An SSL session may be necessary to connect to it, depending on the server configuration. The console client works like a web browser and a URL is required to connect to the SCS, for example: http://server.something.com/atmscs or https://server.something.com/atmscs.





    12.20.2007

    Can the Default 'provisionserver' naming conventions be changed?

    PROBLEM

    Can Intel® AMT firmware be reconfigured to change the default 'provisionserver' naming convention to a value of a customer's choosing?

    RESOLUTION

    The provisionserver value is hard-coded and cannot be changed. The detected DNS context is added to this default value (for example, provisionserver.mycompany.com). It is recommended that the customer set up a second ALIAS record or a CNAME record in the DNS that points provisionserver.yourdomain.com to the ISV server.

    In environments where it is best not to use the default name, the customer can use the Intel® vPro™ Technology Activator Wizard (link) to direct the configuration attempts.

    2.8.2008 (updated 12.14.2009) QA1052

    Hardware inventory on Altiris* console requires Altiris* inventory solution

     

     

    PROBLEM

    Altiris* has a complete Server and Client inventory application/service that is independent of Intel® AMT features. An agent is required to obtain this level of support in Altiris* products.

    RESOLUTION

    Refer to the following URL**: HTTP://www.symantec.com/business/inventory-solution (servers), or http://www.symantec.com/business/solutions/projects/projectdetail.jsp?solid=sol_infrastruct_op&solfid=sol_client_management&projectid=client_discovery_inventory (clients).
    **This URL is provided for the reader's convenience. It should not be construed as an endorsement by Intel® of the products or services on the web site.

     

     

     

     

    11.25.2009 QA1338

    Can Altiris* RTSM or HP* OOBM activate clients without Microsoft* Active Directory?

     

    PROBLEM

    A customer is using Altiris* in an environment without Microsoft* Active Directory and wants to know if they can activate Intel® vPro™ clients using either Altiris* RTSM (with the Intel® SCS backend), or, if they decide to switch consoles, HP OOBM.

    RESOLUTION

    This is supported with Altiris. For further information on how to configure Intel® vPro™ Technology in an Altiris environment, please refer to http://www.vproexpert.com/E24VZ/Altiris7/index.html

     

    11.08.2010 QA1419

     

    Altiris* does not support Non-TLS Fast Call for Help connections

    PROBLEM

    Attempting to manage a non-TLS client using Fast Call for Help will fail. Altiris displays the following error message: Invalid Credentials.

    RESOLUTION

    This behavior is by design for Altiris management software. Provision and manage clients in TLS mode if they will be using Fast Call for Help outside the enterprise network.


     

    04.20.2011 QA1478

     

    LANDesk

    No drivers required for bare metal provisioning

    PROBLEM


    A customer with LANDesk* LDMS 8.8 or similar provisioning server does not need to load drivers or an OS image on the Intel® AMT clients to perform bare-metal provisioning.

    SOLUTION

    No drivers are required for bare-metal provisioning of an Intel® AMT client. The system administrator will, however, need to pre-populate the provisioning server database with the client configuration information (UUID, FQDN, OU if Active Directory is used, Profile). Refer to the LANDesk documentation for information on how to enter the client configuration information into LDMS 8.8. The Intel® AMT client will send out a hello packet as soon as the network and power cables are plugged in. If the provisioning server is found, and the client configuration information is in the provisioning database, then the client will be provisioned.

     

    7.28.2008

    Need to set LANDesk* root certificate as trusted certificate

     

    PROBLEM

    In the default configuration, the LANDesk root certificate is not trusted by the Microsoft* CA. Users are then unable to use the WebUI unless they select the "trust this site" radio button each time they use the WebUI.

    SOLUTION

    From Microsoft* Internet Explorer, add the LANDesk* root certificate to the list of trusted certificates.

    1. Open Microsoft* Internet Explorer.
    2. Choose Tools->Internet Options.
    3. Click on the Content tab.
    4. Click on the Certificates tab.
    5. Under the Trusted Root Certificates tab, import the root certificates.
    6. Under the Intermediate Certificate Authorities tab, import the intermediate certificates.
    7. Verify that the certificate used can be traced back to the root.





     

     

     

    9.10.2009 (updated 12.3.2009)  QA1370

    LANDesk* Management Suite 8.8 SP2 patch fixes loss of in-band connectivity

     

    PROBLEM

    After provisioning, the in-band network connection on some Intel® AMT systems may shut down. The LANDesk console will then place the systems in remediation. These Intel® AMT systems can, however, still be managed with LANDesk* OOB tools and the Intel® AMT Web GUI. This is an intermittent issue. The time between provisioning the system and the loss of in-band connectivity ranges from a few minutes to about an hour.

    SOLUTION

    If you have LANDesk* Management Suite 8.8 SP2, and you have lost in-band connectivity, but you can still access the remote systems using OOB tools, try the following patch or upgrade to a later LANDesk* service pack (SP3 or later). The URL** for the patch is: HTTP://community.landesk.com/downloads/ServicePack/LD-88-AMT-CR20525-88.zip

    **This URL to a third-party site is provided for the reader's convenience. This should not be construed as a recommendation by Intel® for the products or services provided by the third party.

     

     

     

    9.11.2009  QA1344

    LANDesk* 8.8 SP2 console requires repeated deletion of two directories when provisioning

     

    PROBLEM

    The RootCA and the SubCA directories must be deleted repeatedly to enable provisioning to continue.

    SOLUTION

    The issue is fixed in v8.8 SP3. Apply SP3 to the LANDesk* Core Server and LANDesk* Client Agents. A reboot must be performed on the core server and the client PCs after the update.

     

     

     

    10.09.2009 (updated 12.3.2009) QA1349

    LANDesk* generated certificates fail with WinRM v1.x scripts

     

     

    PROBLEM

    Microsoft WinRM v1.x scripts require certificates to contain CDP information. This is an issue when you provision clients to use Transport Layer Security (TLS) with LANDesk*. WinRM scripts fail with certificates generated by the LANDesk* internal CA because the certificates do not contain Certificate Revocation List (CRL) data (the CRL Distribution Point or CDP data is part of the CRL information).
    WinRM v2.0 resolves this issue (see the solution below for details).

    SOLUTION

    If you plan to use WinRM 1.x scripts to work around any missing Intel® AMT feature support in LANDesk, then do not provision clients to use TLS. To use WinRM 2.0 scripts with LANDesk* clients provisioned with TLS, do the following:

    1. Install Microsoft* WinRM 2.0 (see Microsoft* Knowledge Base Article KB968930).
    2. In the 802.1X script file produced by GenScript, modify this block:

       sFlags = sFlags Or _
           WSMan.SessionFlagSkipCACheck Or _
           WSMan.SessionFlagSkipCNCheck

    To read as follows:

       ' SkipRevocationCheck is added because the LANDesk*-issued certificates carry no CRL/CDP data.
       sFlags = sFlags Or _
           WSMan.SessionFlagSkipCACheck Or _
           WSMan.SessionFlagSkipCNCheck Or _
           WSMan.SessionFlagSkipRevocationCheck

     

     

     

     

     

    12.08.2009 QA1397

    LANDesk 8.8 SP2 provisioning fails with factory installed PSK key

     

    PROBLEM

    When the LANDesk SP2 agent is installed on the HP DC7800 client, the factory installed PSK key is ignored and the client attempts PKI provisioning. When the LANDesk agent is removed from the client, the client uses PSK provisioning.

    SOLUTION

     

    To solve this issue, update to LANDesk 8.8 SP3.

     

     

    10.07.2010 QA1437

    LANDesk* 8.8 client agent creating thousands of registry entries

    PROBLEM

    This issue is seen on Windows* XP clients. The customer will notice very long boot times (it may take hours to boot).

    SOLUTION

    Customers should contact LANDesk and request a hotfix for this issue. This hotfix will be included in the next service pack for LANDesk 8.8 and 9.0. The customer should also update to the latest OEM-supplied Intel® AMT driver package. (The driver package typically includes the UNS, LMS, and SOL/IDER drivers).

     

     

    03.021.2011 QA1466

     

     

    Microsoft ConfigMgr (see also: http://communities.intel.com/openport/docs/DOC-1627#cf)

    Enabling native (no translation required) support within Microsoft SCCM SP1

    A BIOS update is available to provide native support within Microsoft SCCM SP1 for Dell 755, HP DC7800, and Lenovo M57p computers.

     

    OEM Model      Link to BIOS Update
    Dell 755       Click here.
    Lenovo M57p    Click here.
    HP DC7800      Click here.

     

    7.23.2008

    Virtual adapters may cause network discovery to fail

    PROBLEM

    When discovering Intel® vPro™ systems via a console that has a virtual adapter enabled with an IP address assigned, such as Microsoft SCCM, the discovery process may fail if the virtual adapter IP address is used for the discovery process.

    RESOLUTION

    Before performing the discovery, disable any virtual adapters that were created by software such as VMware*.

     

    7.30.2008

    Microsoft* SCCM unable to use Intel® AMT features when run on Microsoft* Vista* Operating System

    PROBLEM

    When the Microsoft* SCCM management console is run on a Microsoft* Vista* SP1 operating system, all Intel® AMT based objects and functionality are missing.

    RESOLUTION

    No solution is available at this time.

     

    1.29.2009 (QA1304)

     

     

    Microsoft* SCCM 2007 SP1 hotfix roll-up KB960804 includes KB959040

     

    PROBLEM

    Microsoft* System Center Configuration Manager 2007 Service Pack 1 (SP1) hotfix roll-up KB960804 includes KB959040 (a fix to enable PKI provisioning with Intel® AMT 2.2 and 2.6.) The original description of the roll-up incorrectly omitted the KB959040 hotfix.

    RESOLUTION

    To get KB959040 hotfix, users may download the KB960804 hotfix roll-up.

     

    Refer to the Microsoft* support website for more information about the hotfix packages. The Microsoft* URL** is: http://support.microsoft.com/kb/960804

    **This URL is provided for the reader's convenience. It is not an endorsement of products or services by Intel® Corporation.

     

     

    2.24.2009 QA1323

     

    SoL/IDER fails on Microsoft SCCM 2007 SP1 with two-tiered PKI model

     

    PROBLEM

    SoL and IDER fail using Microsoft* SCCM in an environment with a Root CA and a Subordinate Issuing CA.

    RESOLUTION

    This issue has been fixed by a hotfix for Microsoft* SCCM 2007 SP1. URL for hotfix** HTTP://support.microsoft.com/hotfix/kbHotfix.aspx?kbnum=960804

    **This URL is provided for the reader's convenience. It is not an endorsement of products or services by Intel® Corporation.

     

    2.24.2009 QA1319

     

    Failure of collection-based power control in Microsoft* SCCM SP1

     

     

    PROBLEM

    In a Microsoft* SCCM hierarchy with a central site and a primary child site, power control operations from the central site work for some clients and fail for others. The same power control operations work correctly from the child site.

    RESOLUTION

    Not all client settings are being transferred up the Microsoft SCCM hierarchy to the central database. This issue will be resolved in the Microsoft SCCM SP2. Alternatively, system administrators may change the TlsMode setting in the dbo.AMT_MachineProperties table in the SCCM site database; it should be set to "1" for each client.

     

    10.09.2009 QA1362

    Cannot provision HP* DC7700 using Microsoft* ConfigMgr SP1 and PKI method

     

     

    PROBLEM

    The HP* DC7700 with Intel® AMT firmware build 2.2.10.1039 has a date/time stamp issue with the certificates that prevents remote provisioning. The Microsoft ConfigMgr logfile AMTOPMGR.LOG shows error 0x80090308 that indicates a problem with the certificate.

    RESOLUTION

    Update the firmware to 2.2.20 or later. The firmware is available on the HP* website.

     

     

     

    11.16.2009 QA1364

     

    Unable to provision Dell* OptiPlex 755

    PROBLEM

    A customer with Microsoft* ConfigMgr SP2 was unable to provision a Dell* OptiPlex 755. By default, the OOB management properties are set to not allow out of band provisioning.

    RESOLUTION

    Enable OOB provisioning in Microsoft* ConfigMgr.

    1. In Microsoft* ConfigMgr SP2, go to Site Settings-->Component Configuration.
    2. From the Out of Band Management Properties tab, select the Allow Out of Band Provisioning checkbox.





     

    02.19.2010 QA1393

     

    Microsoft* ConfigMgr unable to perform SOL or IDE-R due to certificate issue

     

     

    RESOLUTION

    Microsoft* ConfigMgr has a known issue that causes it to fail when it validates the certificate chain unless the intermediate certificates are placed in the trusted root certificate store (instead of the intermediate certificate store).

     

    02.19.2010 QA1400

    Tips on moving Microsoft* ConfigMgr to new operating system and hardware

     

    RESOLUTION

    To avoid the need to unprovision all the Intel® AMT clients in the Microsoft* ConfigMgr database, keep the same host name, then do a Microsoft* ConfigMgr database backup and recovery. The IP address for the new hardware doesn't need to match the old IP address.
    See the following Microsoft* TechNet articles:

    05.11.2010 QA1385

    Microsoft* ConfigMgr SOL display corruption on Acer* Veriton S661

     

    PROBLEM

    Microsoft* ConfigMgr uses Telnet for SOL and therefore only supports VT100 and ANSI emulation modes. The corruption is because Acer* firmware version 3.2.1 uses VT100+ emulation.

    RESOLUTION

    Upgrade to Acer* firmware version 3.2.11 or later.

     

     

    5.12.2010 QA1416

     

    Unable to reprovision after unprovisioning Microsoft* ConfigMgr client

     

     

    PROBLEM

    After unprovisioning the Microsoft* ConfigMgr client without removing the ConfigMgr agent, the platform is shown as "detected" instead of "Not Provisioned" and cannot be reprovisioned.

    RESOLUTION

    To unprovision and then reprovision a Microsoft* ConfigMgr client, uninstall the ConfigMgr agent and remove the Microsoft* ConfigMgr record for the client before you unprovision the client.

    For more information, see the following Microsoft* TechNet articles:

    5.12.2010 QA1361

    BKM on unprovisioning Intel® AMT clients managed by Microsoft* ConfigMgr

     

     

    PROBLEM

    What is the best known method to unprovision an Intel® AMT client that is managed by Microsoft ConfigMgr (SP1 or later)? Using the wrong procedure to unprovision the client and remove the record from the Microsoft* ConfigMgr server may block later reprovisioning of the system. Microsoft* has posted the two articles listed below to the Microsoft* TechNet site to guide you.
    Note that you will no longer be able to use out of band management with the Intel® AMT client after you unprovision it.

    RESOLUTION

    Refer to the following Microsoft* TechNet articles:

     

     

    5.12.2010 QA1379

     

    PXE Timeout value shown in minutes in Microsoft* System Center Configuration Manager 2007 is actually seconds

     

     

     

    PROBLEM

    The Intel® ME seems to close the network port early after a PXE boot. The Microsoft* System Center Configuration Manager 2007 setting "Keep session open after PXE boot (minutes)" is actually in seconds.

    RESOLUTION

    To set the timeout value in minutes, multiply the desired value by 60 and enter it in Microsoft* System Center Configuration Manager 2007.

     

     

    5.12.2010 QA1365

     

    Third-party password policy limit of a maximum 8 characters conflicts with Microsoft* ConfigMgr default of 32 characters

     

    PROBLEM

    Microsoft* ConfigMgr uses 32 character passwords when generating AMT objects. A third-party password policy that limits the maximum length to 8 characters will cause an error when ConfigMgr attempts to provision the Intel® AMT system and create the AMT object.

    RESOLUTION

    To work around this issue, change the password policy to allow 32 character passwords.

     

     

    5.13.2010 QA1430

     

     

    Unable to provision Dell* OptiPlex 755 and 760 systems with Microsoft* ConfigMgr

     

     

    PROBLEM

    After the Intel® ME stops sending "Hello" packets, you may be able to provision some, but not all, Dell* OptiPlex 755 and 760 systems with Microsoft* ConfigMgr. The unprovisioned systems show up as either Unknown, Not Supported, or Detected in Microsoft* ConfigMgr.

    Notes:

    • This issue occurs when systems have been plugged into AC power and on the network for more than 24 hours before ConfigMgr attempts to run a discovery on them.
    • After the initial 24 hours, the ports used to query Intel® AMT systems are closed and ConfigMgr will not be able to communicate with the device.
    • Activator re-activates the Intel® AMT systems and re-opens the ports that ConfigMgr needs.

    RESOLUTION

    Run Activator and then reboot the Intel® AMT system before provisioning again. The reboot is required.

     

     

     

    5.13.2010 QA1412

     

    Microsoft* ConfigMgr shows Dell* OptiPlex 960 systems as "Not Supported"

    PROBLEM

    Setup and configuration on the client systems fail because Microsoft ConfigMgr shows the systems as "Not Supported."

    RESOLUTION

    To work around the provisioning issue, do the following:
    1. Update to latest Intel® AMT firmware.
    2. Run Activator on the client machines.
    3. Reboot the clients.
    4. Initiate discovery of the client machine.
    5. Update the collection to ensure client is placed in UnProvisioned collection with Auto-Provision enabled.
    6. Have the clients check-in.
    7. Verify that the client machines are provisioned.

     

     

     

    5.13.2010 QA1401

    Microsoft* ConfigMgr agent-initiated provisioning on Intel® AMT 2.x

     

     

    PROBLEM

    Microsoft* System Center Configuration Manager (ConfigMgr) can provision an Intel® AMT client in two different capacities: Bare metal and Agent Initiated.

     

    Bare metal provisioning begins with the Intel® AMT client sending a "hello packet" to the Microsoft* ConfigMgr Out of Band Service Point; if the Intel® AMT client is approved and authorized to be provisioned, Microsoft* ConfigMgr will initiate the provisioning process. Agent-initiated provisioning begins with the Microsoft* ConfigMgr Client Agent pulling down the "Automatic Provisioning" policy from the Microsoft* ConfigMgr Policy Server; if the Microsoft* ConfigMgr Client Agent receives the policy, the Agent will negotiate a One Time Password (OTP) with the Intel® AMT ME firmware and send the provisioning request along with the OTP to the Out of Band Service point to begin the provisioning process.

     

    The article by Matt Royer (see the link listed below) lists the requirements and tools for successful provisioning.

    RESOLUTION

     

     

     

     

    5.13.2010 QA1378

    Microsoft* ConfigMgr failed to provision and logged "failed to decrypt" error

     

     

    PROBLEM

    This error is produced when you attempt to provision from the Microsoft* Configuration Manager 2007 Central Site.

    RESOLUTION

    With Microsoft Configuration Manager 2007, you must provision Intel® AMT clients from the Primary Site. For more information on Microsoft* Configuration Manager 2007 site assignment, see the following Microsoft* TechNet article: About Client Site Assignment in Configuration Manager.

     

    10.07.2010 QA1421

    Microsoft* ConfigMgr only supports PSK provisioning for Intel® AMT versions less than 3.2.1

     

     

    PROBLEM

    The TLS PSK provisioning mode is not natively supported in Microsoft* ConfigMgr; therefore, Microsoft* ConfigMgr must use the WS-MAN translator for PSK provisioning. Microsoft* ConfigMgr only uses the WS-MAN translator for Intel® AMT versions below 3.2.1.

    RESOLUTION

    There is no solution for Intel® AMT firmware versions 3.2.1 or higher.

     

     

     

    10.07.2010 QA1418

     

    Microsoft* ConfigMgr does not support provisioning Intel® AMT systems in disjointed namespaces

     

    PROBLEM

    One common issue is that the CA was installed as a "Stand-Alone Root CA" rather than an "Enterprise Root CA". Ensure that the CA is installed as an Enterprise Root Certificate Authority (not a Stand-Alone Root Certificate Authority).

    A second common issue is that the Enterprise Root Certificate Authority permissions are not set correctly.

    RESOLUTION

    Install the CA as an Enterprise Root Certificate Authority. Microsoft* ConfigMgr does not support Standalone Root Certificate Authority.

    Refer to slides 38 to 44 in the attached training presentation for help on setting the permissions.
    This information applies to ConfigMgr SP1 and SP2.


     

    03.09.2011 QA1380

    Problem creating provisioning certificate for Microsoft* ConfigMgr 2007

     

    RESOLUTION

     

    10.07.2010 QA1455

    Management Engine

    Maximum number of agents that can be monitored simultaneously

    PROBLEM

    How many agents can the Intel® Management Engine monitor at one time?

    RESOLUTION

    This data is undocumented; however, testing shows that Intel® AMT 2.0 can monitor up to sixteen agents.

     

    NOTE: The number of agents that can be monitored depends on how the ISV is implementing agent presence.

    12.20.2007

    Hewlett-Packard 6910P returns UUID=00000 during activation

    PROBLEM

    HP 6910p returns a hello packet of UUID=00000 during activation.

    RESOLUTION

    This is a known issue with the firmware and will be fixed when the 2008 platform is released.

     

    Meanwhile, your customers can request a BIOS update from HP to work around this issue.

    12.20.2007

    Running virtual machines and DHCP can cause Intel® AMT to be inaccessible

    PROBLEM

    Using DHCP in a virtual machine can cause Intel® AMT to become inaccessible when you close the virtual machine session. This is because your computer and Intel® AMT will now have different IP addresses.

    RESOLUTION

    To work around this issue, exit the virtual machine session(s) and then do one of the following:

    • Reboot your system.

    OR

    • Release and renew the IP address as follows:

      1. Click Start and choose Run.
      2. Enter cmd and click OK.
      3. At the command prompt, type:

         ipconfig /release and press Enter.
         ipconfig /renew and press Enter.

    This is a known issue and will be updated as more information is available.

    1.24.2008

    Wildcard certificates are currently not supported for remote configuration

    PROBLEM

    When provisioning enterprises with multiple domains via remote configuration, individual certificates are required for each domain that needs to communicate with the Management Console. Wildcard certificates are currently not supported.

    RESOLUTION

    Wildcard certificate support is a feature request for AMT 3.2 (Weybridge) and AMT 2.6 (Centrino).

    Meanwhile, you can work around this issue by deploying an SCS server and a certificate for each domain.

    MORE INFORMATION

    This issue will be updated as more information becomes available.

    1.24.2008

    No inventory data available

    PROBLEM

    Inventory data does not appear after provisioning an Intel® AMT client, even though the provisioning process was successful and without errors.

    RESOLUTION

    POST needs to occur for the data transfer to take place. The inventory data resides within the BIOS SMI tables and cannot be transferred to the Intel® Management Engine, viewed in the WebUI, or retrieved programmatically until the BIOS and ME handshake has occurred, which happens during POST. Make sure the system has run through POST, so that the inventory data is transferred from BIOS into ME.

    1.30.2008

    Weybridge issue causing network disconnects; impacting Dell Optiplex 755

    PROBLEM

    Currently shipping non-provisioned Intel® vPro(TM) or Intel® AMT PCs on some Weybridge configurations may report a network disconnect/reconnect on five minute cycles when the 24 hour provisioning period expires while in a low power state. An unused security feature of Intel® AMT triggers the network disconnect and then resets the network connection on 5 minute cycles.

    RESOLUTION

    This issue has been resolved in the A09 BIOS release from Dell for the Optiplex 755. The BIOS release is available at the following URL:

     

    http://support.us.dell.com/support/downloads/download.aspx?c=us&l=en&s=gen&releaseid=R181510&formatcnt=1&libid=0&fileid=247483

     


     

    2.27.2008

    Synchronizing the operating system and the Intel® AMT hostname.

    PROBLEM

    Is there an automated way to synchronize the operating system and Intel® AMT hostname?

    RESOLUTION

    The Intel® AMT Reflector tool is now available on the Intel® vPro(TM) Expert Center.

     

    See the Tools wiki for more helpful Intel® vPro™ technology tools.

    Best Practices: Setting up application servers and Internet Explorer* for Intel® AMT Kerberos support

    • Verify that your Internet Explorer settings are correct for pass through authentication.

      • Open Internet Explorer and choose Tools > Internet Options > Advanced Tab.







      • Select Enable Integrated Windows Authentication. Exit and restart Internet Explorer before attempting to access the Intel® AMT device.







    • Install these Kerberos patches on the system you will use to access the Intel® AMT dev


      • WindowsServer2003-KB899900-X86-ENU.exe







      • WindowsServer2003-KB908209-X86-ENU.exe







      • WindowsServer2003-KB899900-X86-ENU.reg







    • If you are using Windows XP* as the operating system for the computer used to access the Intel® AMT web interface, then install these patches:

      • WindowsXP-KB899900-X86-ENU.exe







      • WindowsXP-KB908209-X86-ENU.exe







      • WindowsXP-KB899900-X86-ENU.reg







    • Ensure that the time settings for the Intel® AMT client(s), domain controllers, and the application server are synchronized.







    • Before provisioning:

      • Create an AMT OU on the domain controller existing on the domain on which your Intel® AMT devices reside. For example, if your device exists on child.parent.com, and your provisioning server (or Intel® SCS) resides on parent.com, then create an OU for AMT objects on child.parent.com.







    IMPORTANT: If there are multiple domains, then add an OU to each domain.

    • Provision your Intel® AMT client.







     

    5.30.2008

    Network issues with NS Lookup

    PROBLEM

    A single Intel® vPro™ machine can be accessed via WebUI, but does not appear in DNS. Its name does not get resolved in NSLookup.

    RESOLUTION

    NSLookup does not use the standard client resolver routines but uses similar routines of its own. If true, this means a valid name-IP record could be cached on the client and used by IE to resolve the name, even though NSLookup fails to resolve the name and there is no DNS record.

     

    To determine this, do the following:

     

    1. At the command prompt, enter ipconfig /displaydns to inspect the cache for the DNS record.







    2. Enter ipconfig /flushdns to clean out records and retry (it should fail if there is no DNS record).







     

    6.13.2008

    Does Intel® AMT 3.0 support Windows 2000 Active Directory?

    For support of Windows 2000 Active Directory, AMT 3.2 is required. Intel® AMT 3.2 was released to the OEMs during Q1 2008. Please contact your OEM to find out when the update will be publicly available.

     

    6.13.2008

    Switching from NAC to 802.1x results in loss of connectivity

    PROBLEM

    In an EAC*-enabled network, where a NAC or NAP server is deployed and configured to request “posture” or SoH, Intel® AMT connectivity may be lost to clients that are not in H0 state if the server configuration is modified to work with 802.1x only.

    RESOLUTION

    If the NAC/NAP server configuration is changed to work with 802.1x only, then do one of the following:

    • Restart LAN switch ports, or







    • Restart the clients.







     

    6.25.2008

    Using Intel® AMT wirelessly without user intervention

    PROBLEM

    Intel® AMT wireless connectivity is not available when the operating system is running and the user is not logged in.

    RESOLUTION

    To work around this issue, configure the Single Sign On (SSO) driver to maintain a wireless connection. Once the SSO properties are set according to the table below, Intel® AMT will be able to connect to the wireless profile using Microsoft* Windows  credentials before the user actually logs on.

     

    SSO Properties

    • Pre-logon. This feature is identified with the “SSO” term. It allows you to connect to a  wireless profile using the Windows credentials entered by the user before the actual Windows log-in.







     

    • Persistent. This feature allows you to connect to a wireless profile that doesn’t require user credentials (but alternatively requires “system credentials”), in case the user is not logged on (either after reboot or after log-off). In order to use it, the IT admin has to configure such a profile that doesn’t rely on user credentials.







     

    • Security. Profiles for pre-logon and persistent connect are stored securely on the machine, cryptographically bound to the machine so that it cannot be transferred to another machine. The profiles are shared across all users on the machine, but certain user-based credentials such as PACs are stored on a per-user basis.







    NOTES

    • Microsoft Windows XP users: Using persistent connection adds a service to handle establishing connections when users are not logged on.







     

    • Microsoft Vista users: The persistent connection is enabled on a per profile basis if the configured EAP (Extensible Authentication Protocol) method supports authentication with machine credentials.







     

    7.16.2008

    Cannot provision a system that uses an underscore in the host name

     

    PROBLEM

    Cannot provision a system that uses an underscore in the host name.

    SOLUTION

    Special characters cannot be used in host names. DNS host names may only contain dash "-", letters or numbers. Underscores and other special characters are not supported by the RFCs that define host name conventions. Some DNS servers, including Microsoft's, can support host names outside of the RFC specifications. See the links below for more information.

    MORE INFORMATION

    Microsoft KB article 909264: http://support.microsoft.com/kb/909264

     

    RFC 952: http://www.ietf.org/rfc/rfc952.txt

     

     

    RFC 1123: http://www.ietf.org/rfc/rfc1123.txt

     

    9.5.2008
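
    A pre-provisioning check for the host name rule described above, as an added example that is not part of the original page or of any Intel tool. The sample inventory and the example.com names are constructed; the length limits (63 characters per label, 253 per name) come from the DNS RFCs rather than from this page.

```python
import re

# Limits from the DNS and host-name RFCs: 63 characters per label, 253 per name.
MAX_LABEL_LEN = 63
MAX_NAME_LEN = 253

# Letters, digits and hyphen only (RFC 952 as relaxed by RFC 1123, which
# also allows a label to start with a digit).
ALLOWED = re.compile(r"[A-Za-z0-9-]+")


def check_hostname(name):
    """Return a list of problems found in a host name or FQDN.

    An empty list means every label uses only letters, digits and hyphens
    and respects the length and hyphen-placement rules.
    """
    problems = []
    # A single trailing dot marks the DNS root and is not part of a label.
    fqdn = name[:-1] if name.endswith(".") else name
    if not fqdn:
        return ["name is empty"]
    if len(fqdn) > MAX_NAME_LEN:
        problems.append(f"name is {len(fqdn)} characters, limit is {MAX_NAME_LEN}")

    for label in fqdn.split("."):
        if not label:
            problems.append("empty label (leading or doubled dot)")
            continue
        if len(label) > MAX_LABEL_LEN:
            problems.append(
                f"label '{label}' is {len(label)} characters, limit is {MAX_LABEL_LEN}"
            )
        if not ALLOWED.fullmatch(label):
            # Report each offending character once, e.g. the underscore.
            bad = sorted({ch for ch in label if not ALLOWED.fullmatch(ch)})
            problems.append(
                f"label '{label}' contains unsupported character(s): {' '.join(bad)}"
            )
        if label.startswith("-") or label.endswith("-"):
            problems.append(f"label '{label}' starts or ends with a hyphen")
    return problems


def audit(names):
    """Map each non-conformant name to its problems; conformant names are omitted."""
    report = {}
    for name in names:
        problems = check_hostname(name)
        if problems:
            report[name] = problems
    return report


# Constructed sample inventory (not taken from the page).
SAMPLE_INVENTORY = [
    "vpro-0142.child.example.com",
    "lab_pc01.child.example.com",   # underscore: the case described above
    "-kiosk7.example.com",          # leading hyphen
    "7floor-pc.example.com",        # leading digit, allowed by RFC 1123
]

if __name__ == "__main__":
    for host, issues in audit(SAMPLE_INVENTORY).items():
        print(host)
        for issue in issues:
            print("  -", issue)
```

    Running the check against the machine list before provisioning identifies the systems that need renaming, even where the DNS server itself accepts the non-conformant name.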

    Does the Intel® SCS automatically push updates to the CRL (Certificate Revocation List) to clients?

     

    SOLUTION

    The CRL does not automatically update on the clients. It needs to be pushed down from the SCS, by pushing it to individual AMT clients via the Operations screen, or to all clients via the Global Operations screen in the SCS Console.

    MORE INFORMATION

    The Certificate Revocation List contains the revoked certificates maintained by a CA. It is used when Intel® AMT clients are configured to use Mutual TLS (MTLS) authentication.

     

    9.5.08

    Firewalls may not let Intel® AMT clients communicate with management consoles

    PROBLEM

    The wired LAN NICs are not recognized by the Intel® AMT management consoles. They do show up in the DHCP listings in the Microsoft SMS* and Altiris* demos. Only the wireless NICs were discovered as Intel® AMT devices. IPCONFIG on each notebook shows IP addresses assigned to both WLAN and LAN NICs.

     

    When the firewalls are turned off, the Intel® AMT consoles can communicate with the LAN NICs.

    SOLUTION

    Firewalls can prevent clients from registering an FQDN (fully qualified domain name), which prevents them from being discovered by the console. Verify that the firewall is not configured to block these kinds of requests.

     

    9.5.08

     

    Cisco ACS Certificate Configuration for Intel® AMT

    See this article to find specific configuration information.

     

    10.15.08

    What are some common hardware issues that are tracked by Intel® AMT?

     

    SOLUTION

    ASF Sensor Events

    • Temperature







    • Voltage







    • Fan







    • Chassis Intrusion







    • System FW Error (descriptor codes and descriptions are in the ASF spec 2.0) Examples:

      Unrecoverable hard disk/ATAPI/IDE device failure

      No video device detected

      FW ROM corruption detected







    BIOS Events

    • System Boot Failure







    • BIOS errors







    OS Events

    • OS Hangs







     

    12.4.08

     

    Q&A on customized Intel® AMT firmware

     

     

    DESCRIPTION

    Scenario: a customer would like to have an OEM deliver systems with custom Intel® AMT firmware settings and client certificate.

     

    QUESTION 1: Will the customized firmware force the customer to use only customized firmware or BIOS updates for future releases?
    ANSWER 1: The custom settings and client certificate will be preserved across firmware or BIOS updates if the OEM inserts the customized bits before the descriptor region manufacturing bit is locked.

     

    QUESTION 2: Can an OEM customize all the Intel® AMT management engine settings?
    ANSWER 2: Yes. All the features seen on the web GUI can be customized by an OEM.

     

    QUESTION 3: Does Intel® have a list of default settings for each OEM?
    ANSWER 3: No. Customers should contact their OEM for the latest available information.

     

    Caution: The custom settings and client certificate will not be preserved across updates if the OEM programmed the firmware after setting the descriptor manufacturing bit. This will require users to reinstall the client certificates before the systems can be managed.

    SOLUTION

    Customers should work with their OEM to develop a custom firmware image, then run a small pilot program to test it. Clear the CMOS and then try to reprovision the systems.

     

     

     

    2.13.09 QA1308

    Wrong IP address for Intel® ME on Lenovo M58p using Hypervisor

     

    PROBLEM

    For a system running a Hypervisor on a platform with Intel® AMT 4.x or 5.x, the mismatch between the IP address assigned to the physical hardware and the guest operating system will prevent the manageability software from communicating with the Intel® ME.

    RESOLUTION

    To sync up the IP addresses, do the following:

     

    1. Modify the configuration settings so that Dom0 is configured to use the virtual MAC address.





    2. Assign #1 Guest operating system with the physical MAC address of the Intel® ME NIC.





     

    This solution will produce the following result:

     

    1. The hardware will initialize, then the VMM and Dom0 will be brought up.





    2. Dom0 will provide the physical MAC address to the #1 Guest operating system, and virtual MAC addresses for each subsequent guest operating system.





    3. The #1 Guest operating system will initiate a DHCP request with the physical MAC address.





    4. The management console will now be able to communicate with the Intel® ME using the IP address assigned to #1 Guest operating system.





    9.11.2009  QA1366

    Virtual machines can share the wrong IP address on some Averill and Weybridge systems

     

    PROBLEM

    When the Intel® Management Engine and host software are both configured to obtain IP addresses using DHCP, the Intel® Management Engine snoops DHCP transactions from the PC's host software (the PC's OS) in order to capture and share an IP address with the PC host (the OS). If the host software contains more than one source of DHCP requests (for example, if the host is running VMWare* with multiple virtual machines which use DHCP) then the Intel® Management Engine ends up sharing an IP address with the source of the last DHCP request for an IP address, instead of sharing the IP address for the host OS. This can lead to confusion -- which IP address is the ME using? What hostname is the ME contactable on? And so on.

    How to Reproduce:
    When the ME and host software are both configured to obtain IP addresses using DHCP the ME snoops DHCP transactions from the platform software in order to capture and share an IP address with the PC's host (the host OS).

    RESOLUTION

    For an IPv4 environment, this issue has been resolved in Intel® ME firmware releases 2.2.21 (Averill platform), 2.6.30 (Santa Rosa platform), and 3.2.20 (Weybridge platform), and in 4.0 and later releases. Check with your OEM for availability of this release. In a virtualized environment with the updated firmware, Dom0 is configured to use a virtual MAC address and Guest #1 VM is configured to use the physical MAC address (this is the same MAC address as the Intel® ME). The result of the fix is that the IP address for Guest #1 and the Intel® ME are identical, so the management console can communicate with the platform.

    In an IPv6 environment, the issue resolves itself, since the Intel® Management Engine will have its own IP address (even when using DHCP).

    05.12.2010  QA1153

    Intel® AMT Wireless Configuration with 802.1x Authentication

     

     

    PROBLEM

    When configuring ME wireless profile using host 802.1x, with the ME configured on same network with same encryption but with different inner method, the ME will behave differently in the following scenarios:

    • When the host is connected along with ME, the ME will respond.





    • When the ME has the active profile (the host is down) and an admin tries to connect, the ME might not respond because it may fail to authenticate due to the different inner method (RADIUS-dependent).





    • When the host is up, the ME will report a profile is configured and active over WS-MAN/SOAP.





    RESOLUTION

    Configure the ME wireless profile to use the same 802.1x encryption and inner method as that of the host 802.1x wireless profile.

    12.21.2009  QA1357

    KVM remote control session inactivity timer set to about two minutes in Real* VNC viewer

     

     

    RESOLUTION

    The inactivity timer in the Real VNC viewer is preset to about two minutes. No methods are currently available to adjust this timer.

     

     

     

     

     

    07.19.2010 QA1445

    "Bare Metal" provisioning not supported on most Intel® AMT 6.0 systems

     

    RESOLUTION

    For Intel® AMT 6, Intel's reference firmware sets the factory default for the Intel® ME network interface timer to 0. Most, if not all, tier 1 OEMs for Intel® AMT 6.0 systems have followed this recommendation. Users must use tools such as Activator or an ISV agent to send hello packets.

    This setting disables "bare metal" provisioning because the Intel® ME will no longer send out hello packets when the system is first connected to the network. This also has the added benefit of preventing a storm of hello packets when a large number of Intel® vPro™ systems are first connected to the network.

     

    10.13.2010 QA1458

    Microsoft* Systems Management Server (SMS) Add-on

    Fix available: Microsoft* System Management Server (SMS) Add-on V3.0 has local echo when using Serial over LAN (SoL)

    PROBLEM

    When performing SOL/IDER with SMS Console V3.0, the SOL console screen is set for local echo to be on and it cannot be disabled.

    RESOLUTION

    This issue is fixed in version 3.1 of the SMS Add-on, which you can download at http://softwarecommunity.intel.com/articles/eng/1356.htm.

    Updated 2.8.2008

    Fix available: Using the Intel® AMT add-on for Microsoft* SMS 2003 on a Dell 755 returns a UUID error

    PROBLEM

    Using the Intel® AMT add-on for Microsoft* SMS 2003 on a Dell 755 returns this error:

     

    Current system UUID is different from last discovered UUID. Please rediscover the system.

    RESOLUTION

    An Intel® AMT add-on for Microsoft* SMS 3.0 hot fix 3 is available online at http://www.intel.com/software/sms-add-on.
    This hot fix removes the continuity check between the SMBIOS and the Digest UUID, which was determined to be an unnecessary check.

    MORE INFORMATION

    Click here to download the hot fix.
    Please review the release notes and the Read Me file to learn more.

    12.20.2007

    Fix available: The Intel® AMT Add-on for Microsoft* SMS is unable to communicate with the SCS over a standard HTTP connection.

    PROBLEM

    The Intel® AMT Add-on for SMS will communicate with the SCS over an HTTPS/SSL connection; however, it will not communicate over an insecure HTTP/non-SSL connection, even if TCP port 80 is defined in the Intel® AMT Add-on configuration.

    RESOLUTION

    Upgrading to version 3.1 of the Intel® AMT Add-on for SMS resolves this issue. The update can be obtained from: http://softwarecommunity.intel.com/articles/eng/1356.htm

    2.8.2008

    Do management workstations running the SMS console and SMS Add-on require patches as outlined in the documentation for the Intel® AMT Add-on for Microsoft SMS*?

    PROBLEM

    The SMS Add-on documentation states that two hot fixes and registry patches are required. Are these patches/hot fixes required on the workstations that are running the Microsoft SMS console and Intel® AMT add-on only?

     

    Are they required only if the end user from that workstation is planning to use the web interface?

     

    Are they required for the SMS add-on to function properly?

    RESOLUTION

    These patches are required on a management workstation if you wish to access the web interface on Intel® vPro™ clients.

    5.8.2008

     

    OEM

    BIOS

    Lenovo* M55p returns UUID=00000 during activation

    PROBLEM

    Lenovo M55p systems return a hello packet of UUID 00000 during activation. This problem occurs on machines that shipped with factory-default BIOS of 36 or less.

    RESOLUTION

    A firmware update to version AMT2.1.0.1032 is available from Lenovo to resolve this problem. Contact your Lenovo representative if you need this update.

     

    A BIOS update is not required, but is recommended. Visit the Lenovo web site and navigate to the Support & downloads section of the site to find BIOS 37a.

    10.19.2007

    Dell* 755 returns a duplicate UUID during activation

    PROBLEM

    Dell 755 returns a duplicate UUID 00000 during activation.

    RESOLUTION

    A BIOS update (version A04) resolves this issue and is available on Dell's web site.

    Click here to download the A04 BIOS update.

    Note: If you are using the Intel® AMT add-on for Microsoft SMS 2003, then you also need to download Hot fix 3. See Using the Intel® AMT add-on for Microsoft SMS 2003 on a Dell 755 returns a UUID error for instructions.

    1.24.2008

    Ctrl + P prompt missing when CMOS battery unplugged

    PROBLEM

    When the CMOS battery is unplugged from the HP 7800p, the Ctrl+P command for accessing the Intel® Management Engine is missing.

    When SCS is opened and the refresh button is selected, the Intel® AMT device does not appear.

    RESOLUTION

    Use the following steps to resolve this issue:

    1. Press F-10, when prompted during the boot, to access the BIOS on the system.







    2. In the BIOS, choose the Advanced menu -> Power-On Options and select the “MEBx Setup Prompt.”







    3. Use the right arrow key to cycle it to “Displayed.”







    4. Press F-10 to accept the change.







    5. Go to the file menu and select Save Changes and Exit.







    6. The Ctrl-P prompt will reappear.







    2.7.2008

    When Intel® AMT is disabled, there is a HECI driver problem in the HP* dc7800

    PROBLEM

    In vPro-capable HP dc7800 systems, when Intel® AMT is turned on, everything works fine. When the Intel® AMT driver is turned off in the Intel® Management engine, the Intel® HECI driver in the operating system causes an error to occur in the device manager: "device cannot start".

    RESOLUTION

    Follow these steps to correct this problem:

    1. Boot the client and press Ctrl + P to access the AMT/ME configuration settings.







    2. Go to the Intel® ME Configuration and press Enter.







    3. Type Y to continue.







    4. Select Intel® ME Features Control and press Enter.







    5. Select Manageability Feature Selection and press Enter.







    6. Select None and press Enter.







    7. Press ESC to go back to the main screen.







    8. The system will reboot.







    9. Go into device manager and verify that there are no failed devices.







    2.14.2008

    What does the Intel® AMT status application dialog box signify?

    PROBLEM

    On brand new Intel® vPro™ systems, the Intel® AMT Status Application dialog box displays the Intel® AMT Status as "Enabled" even though Intel® AMT has not been configured. Are OEMs shipping systems with Intel® AMT enabled (provisioned)?

    RESOLUTION

    The Intel® AMT status application is designed to show if the Intel® AMT is or is not enabled in the Intel® Management Engine. It does not reflect if a system has been provisioned/configured. Even when Intel® AMT is disabled in the Intel® Management Engine, the Intel® Management Engine can still be accessed. OEMs do not ship provisioned systems unless that service is requested and purchased by the customer.

    2.14.2008

    Are there DLLs in the operating system that access vPro?

    PROBLEM

    Are there DLLs, in the operating system, that access vPro?

    RESOLUTION

    Individual OEMs manage the Microsoft Windows drivers that use Intel® vPro™ technology. To access current drivers for clients, visit the OEM’s website.

    2.14.2008

    Unattended install of Intel® AMT client software/drivers not working properly on Microsoft Windows*

    PROBLEM

    Command line switches are not working properly to enable a silent install with the Intel® AMT drivers.

    RESOLUTION

    The issue is that the wrong hyphen/dash character is being used. If the code is copied from an MS Word* document, the regular hyphen is replaced with another hyphen-like character which causes the command line options to work incorrectly.

     

    Typing the command, rather than copy and paste, solves this problem.

    2.27.2008
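
    A detector for the substituted dash characters described above, as an added example that is not part of the original page. The installer name and switches in the sample are hypothetical placeholders, not the Intel® AMT installer's documented options, and the pasted command line is constructed.

```python
import unicodedata

# Not in Unicode's dash-punctuation category (Pd), but rendered like a hyphen.
EXTRA_LOOKALIKES = {"\u2212", "\u00ad"}  # MINUS SIGN, SOFT HYPHEN


def is_lookalike_dash(ch):
    """True for any dash-like character other than the ASCII hyphen-minus."""
    if ch == "-":
        return False
    return unicodedata.category(ch) == "Pd" or ch in EXTRA_LOOKALIKES


def find_lookalike_dashes(command):
    """Return (index, code point, Unicode name) for each substituted dash."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED"))
        for i, ch in enumerate(command)
        if is_lookalike_dash(ch)
    ]


def affected_arguments(command):
    """Return the whitespace-separated arguments that contain a substituted dash."""
    return [arg for arg in command.split() if any(is_lookalike_dash(c) for c in arg)]


def mark(command):
    """Return a caret line that points at each substituted dash."""
    return "".join("^" if is_lookalike_dash(ch) else " " for ch in command).rstrip()


# Hypothetical command lines: the same text typed by hand and pasted from a
# word processor that replaced the hyphens with an en dash and an em dash.
TYPED = "setup.exe -s -overwrite"
PASTED = "setup.exe \u2013s \u2014overwrite"

if __name__ == "__main__":
    for label, cmd in (("typed", TYPED), ("pasted", PASTED)):
        hits = find_lookalike_dashes(cmd)
        print(f"{label}: {len(hits)} substituted dash(es)")
        if hits:
            print("  " + cmd)
            print("  " + mark(cmd))
            for index, codepoint, name in hits:
                print(f"  column {index}: {codepoint} {name}")
```

    The check only reports positions; it does not rewrite the command, because a single long dash may stand for either one or two typed hyphens.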

    SoL/IDER does not work with the Lenovo* X61 Tablet

    PROBLEM

    The SoL/IDER sessions do not work on the X61 tablet.

    RESOLUTION

    This issue is resolved using the 1.07 BIOS release.

     

    Visit the Lenovo web site and navigate to the Support & Downloads section of the site to find BIOS 1.07.

    2.27.2008

    SoL/IDER can’t be disabled on Lenovo* M55p

    PROBLEM

    Unchecking SoL and IDER, under the network tab, isn’t disabling the feature on the Lenovo M55p.

    RESOLUTION

    Update the BIOS to version 37a or newer versions. Visit the Lenovo web site and navigate to the Support & Downloads section of the site to find BIOS 37a or later.

    3.4.2008

    BIOS password screen unavailable on HP* systems during SoL session

    This problem occurs when the Terminal Emulation Mode is not set correctly in the BIOS.

     

    Here is the screen when Terminal Emulation Mode is set to VT100 through BIOS:

     

     

    How to switch Terminal Emulation Mode:

     

    1. Open the HP ProtectTools Security Manager, click BIOS Configuration, and then select System Configuration.







    2. In the AMT Options section, change Terminal Emulation Mode to ANSI.







    3. Click OK.







     

     

    The BIOS Password screen is now available during SOL sessions.

     

     

    4.25.2008

    Dell* D630c laptops reboot when sent a shutdown command via Intel® AMT

    PROBLEM

    Sending the "power down" command to the Dell* D630c notebook immediately shuts it down, but then it automatically re-boots.

    RESOLUTION

    This issue is resolved in BIOS version A02 for the Dell* D630c. You can download the BIOS update package from Dell at the following URL**:

    Click here.


    **This Wiki contains links to other Internet sites. Such links are not endorsements of any products or services in such sites, and no information in such sites has been endorsed or approved by Intel, Inc.

    11.25.2008

     

    The look of the BIOS Setup screens using SoL depends on OEM support for terminal emulation modes

     

    PROBLEM

    Intel® AMT supports several terminal emulation modes. These are used to display the BIOS Setup GUI when using SoL. The look and feel may vary between manufacturers. Intel® AMT supports VT52, VT100, VT100+, and ANSI terminal emulation modes.

    RESOLUTION

    Check your OEM BIOS documentation for information about the supported terminal emulation modes and how to select the mode. Usually, the terminal emulation mode option will be in the Intel® AMT section of the BIOS Setup utility. Use ANSI mode for a more graphical looking display.

     

     

     

    3.3.2009 QA1332

     

    Control-P not used to enter MEBx on Lenovo* ThinkPad T400 notebook PC

     

     

    RESOLUTION

    To enter the MEBx, reboot and press F12 during the OEM screen to enter the Boot Menu. From the Boot Menu, choose .

     

     

     

     

     

    5.13.2010 QA1413

     

    Is there a list of all possible MEBX settings?

     

     

     

    RESOLUTION

    The MEBX options and their respective default settings are determined by the OEM. For the reference code that Intel® provides to the OEMs, all the settings are described in the following document: Intel® Management Engine BIOS Extension (MEBX) User Guide. See Appendix B: List of Intel® MEBX Options.

    The latest MEBx User Guide is posted on the Intel® vPro™ Expert Center.

     

     

     

    5.13.2010 QA1402

    SOL/IDER fails on Dell* Latitude E6410 system with BIOS A01

     

    PROBLEM

    The SOL screen goes blank and no further Intel® AMT communication is possible. The Dell client system must be manually powered off to restore the system.

    RESOLUTION

    A firmware update to version AMT2.1.0.1032 is available from Lenovo to resolve this problem. Contact your Lenovo representative if you need this update.

     

    Update to the A03 or later Dell system BIOS.

     

     

    07.16.2010 QA1446

    PXE boot timeout on Dell 755 and E6400 systems with Intel® AMT 802.1X configuration

     

    PROBLEM

    The Dell PXE option ROM ignores the PXETimeout value and will disconnect from the network after five minutes if the system has not booted to the operating system, or if the operating system LAN drivers have not been loaded. This issue has been seen on Dell 755 and E6400 notebooks.

    RESOLUTION

    Dell posted a new BIOS on 6/21/10 to fix this issue. Install the latest Dell BIOS.

     

     

    07.16.2010 QA1442

    Dell* Latitude E6500 Notebook BIOS update failed due to "SKU mismatch"

     

    PROBLEM

    The customer updated the Dell E6500 notebook PC with Dell BIOS A19. The update failed and reported the following error:

    ME update failed!
    Error 8704
    SKU Mismatch

    RESOLUTION

    Contact Dell for a new BIOS update for your SKU. To find your SKU, check the Dell* Service Tag on the bottom or side of your PC, or run the Dell System Profiler tool on the PC to identify the SKU. The Dell System Profiler tool is available from the Dell website: here.

     

     

    07.16.2010 QA1441

    Keyboard on KVM remote control console locked-out on HP* 8440p after power-reset command

     

    PROBLEM

    A reset command from a WebUI console to an HP EliteBook 8440p Notebook PC during a KVM remote control session will cause the keyboard on the remote console to be locked out at the Windows* Error Recovery Screen. HP has fixed this issue and has posted a new BIOS release.

    RESOLUTION

     

    07.16.2010 QA1440

    ACPI wake-up timer failed on Lenovo* and HP*  systems

     

    PROBLEM

    When the system is in a sleep state, the BIOS will receive a  wake-up event after the Intel® ME sends out an ARP request. The expected behavior  is for the BIOS to then re-arm and go back into the previous sleep state. Some  systems go into a sleep state but never wake-up after the wake-up timer  expires.

    RESOLUTION

    Update the Lenovo*, HP* DC7800, or HP* DC7900 BIOS, when  available.

     

    03.121.2011 QA1460

     

    Platform: Averill

    Are the Weybridge SoL and HECI drivers backward-compatible with Averill?

    PROBLEM

    Are the Weybridge SoL and/or HECI drivers backward-compatible with Averill? Can they be used and supported on an Averill platform?

    RESOLUTION

    Backward compatibility depends on the OEM and if they choose to support the drivers and platforms. For instance, HP does support the same drivers for 7700's, 7800's and 6910p, but other OEMs may not support the same drivers.

    2.27.2008

     

    Profiles

    SCS

    Intel® SCS returns an error during a partial unprovision

    PROBLEM

    Partial unprovisioning of a system fails. The SCS log reports the following messages: "SOAP Failure (21): cannot partially unprovision AMT" or "SOAP Failure(21): cannot GetLowAccuracyTimeSync"

    RESOLUTION

    The partial un-provision command requires a FQDN to work. Accurate client DNS records are required to provide an FQDN for this functionality.

    2.27.2008

    Validation of SCS service users takes over 30 minutes when installed in a large Active Directory environment

    PROBLEM

    Validation of SCS service users takes over 30 minutes when installed in a large Active Directory environment

    RESOLUTION

    This issue is scheduled to be resolved in Intel® AMT SCS 5.0, to be released by the end of Q2.

    2.27.2008

     

    Setup and Configuration Service

    GoDaddy* requires High-Assurance SSL certificates

    PROBLEM

    The standard domain-only validation SSL certificates from the GoDaddy Certificate Authority are not suitable for Intel® AMT remote configuration. These types of certificates do not contain the OU information required by the firmware to accept them.

    RESOLUTION

    If GoDaddy is used as the CA, then request a High-Assurance SSL certificate, which should include the OU information required by the Intel® AMT client.

    For more information, see the Intel® AMT SCS Installation and User Manual, Chapter 3, section “Preparing Intel® AMT for Future Configuration.”

    1.25.2008

    Using static IP addresses and Basic (formerly known as SMB) mode

    PROBLEM

    Intel® AMT functionality works in DHCP IP with Enterprise mode and SMS. However, SMS does not find asset information from the Intel® vPro™ machine when using Static IP with Basic mode.

    RESOLUTION

    Static IP addresses are not recommended. If they must be used, then the Intel® Management Engine and the operating system will each need their own static IP address in order for AMT to function properly.

    1.25.2008

    Error displays when provisioning HP* 6910p

    PROBLEM

    Setup and Configuration Service (SCS) reports an error when provisioning Hewlett-Packard (HP) 6910p computers when using Wake on LAN (WoL) power policies 4 and 5.

    RESOLUTION

    This error occurs for all HP platforms shipped in 2007 and there is no workaround. HP does not support these power policies and the SCS is accurately reporting that they are unsupported.

    Escalate this known issue to your HP sales representative.

    1.25.2008

    Will PKI-CH consistently support wildcard certificates across Intel® AMT versions?

    PROBLEM

    Will the PKI-CH implementation currently available in Intel® AMT 2.2, Intel® AMT 2.6, and Intel® AMT 3.0 consistently support wildcard RCFG certificates?

    Intel® AMT 2.6 supports wildcards, but Intel® AMT 2.2 and 3.0 do not. Will Intel® AMT 2.2 and 3.0 support wildcard certificates?

    RESOLUTION

    There are no plans to enable support for wildcard certificates in Intel® AMT 2.2 or any future updates for that generation of hardware. There are plans to support wildcard certificates in the future release of Intel® AMT 3.2.

    3.4.2008

    SCS service crashes due to excessive logs

    PROBLEM

    The SCS service crashes repeatedly due to excessive logs. In the SCS Win Log, the OLE database error for timeout is displayed.

    RESOLUTION

    Reduce the database logs to a reasonable size, based on available processes.

    2.27.2008

    Network Load Balancing of SCS Servers

    PROBLEM

    Are there any known issues or limitations in pointing provisionserver.company.com to a Network Load Balancing address that balances between two or more SCS servers (all are in the same domain)?

    RESOLUTION

    The SCS support team confirmed that this is a supported configuration, provided all the SCS servers point back to a single SCS database.

    2.27.2008

    Is SNMP Trap Service required for SCS?

    PROBLEM

    Is the Microsoft Windows* SNMP trap service required in the latest SCS version?

    RESOLUTION

    The SNMP trap service is not required for installing or using SCS, but it is required for the Intel® AMT Add-on for SMS* V3.0 to receive PET alerts from Intel® AMT clients per the SMS manual.

    It is used as a receiver for platform trap events. Clients can be configured to send platform traps to an SNMP service. Since the Intel® AMT Add-on is capable of configuring clients, an SNMP trap service is required during installation for a complete solution.

    3.4.2008

    Intel® AMT Active Directory error message

    PROBLEM

    After setting the properties for the Intel® AMT system, the status goes to InProvisioning, but nothing changes. The logs contain the following message: Cannot create AD AMT Object: Failed on CreateDSObject with ht-73207ty, - Process Delayed.

    RESOLUTION

    This error message normally occurs for the following reasons:

    1. The AD schema extension has not been applied.

    2. The schema extension has been applied, but the SCS service user does not have the necessary permissions on the AD OU to create and manage Intel® AMT ME objects.

    If the extension for the AD schema is not needed, then uncheck the Active Directory Integration checkbox in the SCS General Settings screen to prevent SCS from trying to create AD objects during provisioning.

    3.4.2008

    Organizational Unit Field in Configuration Parameters must be populated to complete provisioning

    PROBLEM

    SCS cannot complete provisioning of a system if the Configuration Parameters do not have a value specified in the OU column, even if the SCS is not using the Integrated with Active Directory option. Users must either manually add a value (during the manual process) or define a value when using remote tools like the RCT.

    RESOLUTION

    This is a known issue with SCS and it is slated to be corrected in SCS 5.0.

    3.4.2008

    Unable to access web interface using Kerberos authentication

    PROBLEM

    The web interface cannot be accessed using Kerberos authentication. When the Firefox web browser was used, Admin authentication could be accessed, but the HTTPS digest could not be accessed. Internet Explorer* cannot access either Admin authentication or HTTPS digest.

    RESOLUTION

    If the AD schema is not extended, the Kerberos user authentication will not work. Using digest users resolves this issue.

    3.21.2008

    Is Static IP addressing possible in Enterprise Mode?

    PROBLEM

    What is the technical limitation of having static IP addresses in an Enterprise Mode environment and what would be workarounds that would allow a customer to use both? Since DHCP dynamically updates DNS, if you manually entered DNS suffix in Intel® Management Engine and maintained DNS manually then would that allow customers to use static IP addresses with enterprise mode?

    RESOLUTION

    While this is not recommended, the DNS entries can be maintained as described in the question. Multiple computer entries, in the management console, will be needed for managing clients that use Static IP.

    3.21.2008

    Is it possible to have an operating system with static IP address and Intel® Management Engine in DHCP mode?

    PROBLEM

    Is it possible to have an operating system setup with static IP address and Intel® Management Engine setup for DHCP mode? Can the IP address of the operating system and Intel® Management Engine be on different subnets? Or do they need to be on same subnet?

    RESOLUTION

    This scenario is not supported and has not been tested.

    3.21.2008

    Cannot log into SCS Console with Enterprise Admin account

    PROBLEM

    The SCS console can only be logged into using the initial setup account that is provided during SCS installation. Any attempts to log in with a user account that has enterprise admin rights and has been added to SCS Users and Groups fail. The error message received is: Login Failed and the reason is: The remote server returned an error: (502) Bad Gateway.

    RESOLUTION

    The root cause is that the customer has an Internet Explorer* configuration that uses a proxy. On the HTTPS connection, both the SCS console login and the SCS service use the same proxy settings, and that causes the login to fail with error 502 Bad Gateway. Unchecking the use of the proxy in Internet Explorer solves the problem.

    3.21.2008

    Intel® MEBX, Web UI, and remote admin passwords are not automatically synchronized

     

    PROBLEM

    Changing the Intel® MEBX password from the local console will not change the Web UI or remote admin passwords.

    RESOLUTION

    Before the Intel® AMT system is provisioned, changing the Intel® MEBX password from the local console will also change the remote admin password. After the system is provisioned, changing the local Intel® MEBX password will not change the remote admin password. During provisioning, the Intel® MEBX password and the remote admin password can be set.

    04.28.2009

    Using international keyboards to create MEBx passwords via Setup and Configuration Service (SCS)

    PROBLEM

    When creating a MEBx password via SCS and deploying to client machines located in different countries, IT administrators are advised that international keyboards may have different layouts for Latin characters. This may result in password failures as a result of entering the same password on two different keyboards supporting different languages.

     

    As an example, a multi-national company headquartered in France may deploy a client to one employee in France and one in Japan. Because the keyboard layouts are different, the passwords may be inadvertently different and may fail when entered on a different keyboard.

     

    Below is a comparison of different language keyboards.

    [Figure: Japanese keyboard]

    [Figure: US English keyboard]

     

    RESOLUTION

    When creating your password, use character keys that are common between all keyboards and follow the guidelines below. These guidelines assume that the password is user-defined. In high security instances, the password will be auto-generated and you will need to compare the keyboard layout diagrams to help determine your MEBx password.

     

    • The following keyboard keys are common to all keyboard types: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, B, C, D, E, F, G, H, I, J, K, L, N, O, P, R, S, T, U, V, X

    EXCEPTION: These keys are not common between Japanese and US keyboards: 2, 8, and 9. Be sure to use the illustrations above to verify common keys when creating passwords.

    Note: Passwords can be created using characters generated by the Key and Shift Key

    • MEBx passwords require special characters to ensure security. Use SHIFT+N, where N equals 0, 1, 2, 3, 4, 5, 6, 7, 8, or 9, to include special characters in your password.

    For example, if your strong password is JOK&F49!, you would relay this password to international users as: 

    • Passwords using the A, M, Q, W, Y and Z keys can cause problems and are not recommended.
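
    The guidelines above can be applied mechanically. The following Python is an added example, not part of the original guide: it spells a password as physical keystrokes, reports keys the guidelines warn about, and generates a password that uses only keys with no warning. It assumes special characters are named by what SHIFT+digit types on a US layout and that an uppercase letter is relayed as SHIFT+letter; the function names are illustrative.

```python
import secrets

# Key lists taken from the guidelines above.
COMMON_LETTERS = "BCDEFGHIJKLNOPRSTUVX"
COMMON_DIGITS = "0123456789"
AVOID_LETTERS = "AMQWYZ"          # keys listed as not recommended
JP_US_EXCEPTION = "289"           # digit keys flagged for Japanese vs US keyboards
# Assumption: a special character is named by what SHIFT+digit types on a US layout.
US_SHIFTED = dict(zip("!@#$%^&*()", "1234567890"))


def relay(password):
    """Spell a password as physical keystrokes, e.g. '&' -> 'SHIFT+7'."""
    strokes = []
    for ch in password:
        if ch in US_SHIFTED:
            strokes.append("SHIFT+" + US_SHIFTED[ch])
        elif ch.isascii() and ch.isalpha():
            # Assumption: uppercase is relayed as SHIFT+letter.
            strokes.append(("SHIFT+" if ch.isupper() else "") + ch.upper())
        elif ch in COMMON_DIGITS:
            strokes.append(ch)
        else:
            strokes.append("?")   # not on a letter key, digit key or SHIFT+digit
    return strokes


def review(password):
    """Return (strokes, findings); findings lists keys the guidelines warn about."""
    strokes = relay(password)
    findings = []
    for ch, stroke in zip(password, strokes):
        key = stroke.replace("SHIFT+", "")
        if stroke == "?":
            findings.append(f"{ch!r}: not on a letter or digit key")
        elif key in AVOID_LETTERS:
            findings.append(f"{ch!r}: key {key} is on the not-recommended list")
        elif key in JP_US_EXCEPTION:
            findings.append(f"{ch!r}: key {key} differs between Japanese and US keyboards")
    return strokes, findings


def generate(length=12):
    """Random password from keys with no finding, with at least one of each class."""
    digits = [d for d in COMMON_DIGITS if d not in JP_US_EXCEPTION]
    specials = [s for s, d in US_SHIFTED.items() if d in digits]
    classes = [COMMON_LETTERS, COMMON_LETTERS.lower(), digits, specials]
    pool = [c for cls in classes for c in cls]
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    for pw in ("JOK&F49!", "Admin1!", generate()):
        strokes, findings = review(pw)
        print(pw, "->", " ".join(strokes))
        for finding in findings:
            print("   ", finding)
```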







     

    5.7.2008

    What is the Authorized column in Intel® SCS?

    PROBLEM

    The Intel® AMT Systems screen of the Intel® SCS web console has a column titled Authorized. All the systems that are provisioned show up as False. What does this column mean?

    RESOLUTION

    The Authorized column signifies systems that can be provisioned that have not been authorized to complete the process.

    5.8.2008

    SOAP error (0xCFFF06AC) when attempting remote configuration

    PROBLEM

    When attempting to use the latest SCS with RCT 3.3 with a Remote Config Cert from GoDaddy, this error displays in SCS: Cannot handle provisioning exception: (0xCFFF06AC) SOAP Failure (23): getFullCoreVersion: SSL error - SSL authentication failed in tcp_connect(): check password, key file, and CA file.

    RESOLUTION

    The remote config certificate needs to be in the personal store of the SCS service account.

    1. Log into your server with the SCS service account.

    2. Launch MMC.

    3. Select File > Add/Remove Snap-in.

    4. Select Certificates from the snap-in menu and click Add.

    5. When prompted, select My user account and click Finish.

    6. Click the Close button to close the snap-in selection window.

    7. Click OK to close the snap-in Add/Remove menu.

    8. Open Certificates, then open Personal.

    9. Right-click the Personal folder, select All Tasks and then Import.

    10. Use the wizard to import your remote configuration certificate into the personal store of your SCS service account.







     

    6.13.2008

    Local Manageability Service (LMS) does not allow host VPN traffic when environment detection is not defined

    PROBLEM

    If environment detection is not configured, Intel® AMT VPN connection cannot be enabled even though there is no direct relationship between these two.

    RESOLUTION

    In the environment detection list, define a DNS suffix that matches one in the host's list of DNS suffixes.

     

    To define the suffix:

     

    1. Open the Intel® SCS Console.

    2. Expand the Configuration Service Settings branch.

    3. Select Profiles. The Profiles screen displays.

    4. Select the profile to be modified.

    5. Click Edit. The Profile Configuration dialog box displays.

    6. Display the Network tab.

    7. Click Environment Detection.

    8. In the Environment Detection dialog, click Add.

    Enter up to five domain suffixes that define permitted domains within the enterprise network. The Intel® AMT device uses this list to determine whether the platform is operating inside or outside the enterprise network. Management consoles can define the behavior of the device when it is outside the enterprise, including setting a policy that will block network traffic.

    9. Click OK.

     

    7.18.2008

    Unable to remove wireless profiles in Intel® SCS

    PROBLEM

    Error code 998 displays when trying to remove a wireless profile in the SCS, indicating that the profile is in use.

    RESOLUTION

    This error is generated if the wireless profile you are using is assigned to a system profile within the SCS. In order to delete the wireless profile, first remove it from any system profiles.

     

    7.18.2008

    Time synchronization errors using Intel® SCS 3.x and Microsoft* Active Directory

    PROBLEM

    The client machine logs errors related to setting the time when time synchronization is enabled in Intel® SCS 3.x and the OS is also using Active Directory to synchronize system time.

    RESOLUTION

    Disable time synchronization in SCS 3.x.

     

    7.28.2008

    SCS Installation Account Security Requirements

    PROBLEM

    What are the minimum security requirements required for the account which is installing SCS?

    RESOLUTION

    The account needs to be a member of the local administrators group and an administrator on the SQL server.

     

    7.28.2008

    SCS 5.0 Does Not Support 64-bit Operating Systems

    PROBLEM

    SCS 5.0 does not support 64-bit operating systems. Customers using 64-bit operating systems need to use SCS 5.1 or later.

     

    At this time there is no workaround for SCS 5.0 to support 64-bit operating systems. This issue is not documented in the SCS 5.0 documentation.

    SOLUTION

    SCS 5.1 supports 64-bit operating systems.

     

    9.25.2008

    The SCS Console Operator role does not appear to give users the right to access the security keys

    PROBLEM

    The SCS Console Operator role does not appear to give users the right to access the security keys, which conflicts with the documentation and is a pre-requisite for an operator performing a pre-provisioning function.

    SOLUTION

    This issue was fixed in SCS 5.0.

     

    11.25.2008

    Consistent RCFG failure with SCS

     

    PROBLEM

    Remote configuration fails consistently when attempting to provision clients with SCS. The error message in the SCS log is 'Cannot handle provisioning exception: (0xCFFF06AC) SOAP Failure (23): getFullCoreVersion: SSL_ERROR_SSLerror:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error - SSL connect failed in tcp_connect()'

    The provisioning server has the correct (non-wildcard) RCFG certificate and certificate chains from the signing Certificate Authority. The client domain name from the DHCP server (option 15) matches the domain in the RCFG certificate and the SCS domain. The server also correctly provisions clients using the TLS-PSK method.

    The Clients can also be correctly provisioned using RCFG when connected to a separate test network.

    SOLUTION

     

    Intel® AMT supports a maximum encryption key length of 2048 bits.

     

    12.4.2008

    How often are log files purged in Intel® SCS?

     

    PROBLEM

    How often does the SCS purge log files and can the retention date be configured?

    SOLUTION

    There are maintenance procedures that SCS executes once every five minutes: cspi_cleanRequestStatus and cspi_cleanLog. These procedures did not execute automatically in SCS 3.3 and earlier.

    This was fixed in SCS 3.3. Both procedures will execute automatically. The default value of cspi_cleanRequestStatus is five days.

     

    12.4.2008

    Is the Intel® SCS supported on Intel® 64 architecture versions of Microsoft Windows* Server?

     

    SOLUTION

    The 3.x versions of Intel® SCS are not supported on Intel® 64 architecture versions of Windows* Server. SCS versions 5.x and later are supported in 32-bit mode on Intel® 64 architecture-enabled versions of Windows* Server.

     

    12.4.2008 (updated 12.3.2009) QA1119

    Can't import setup.bin made with USBFILE2.EXE into the SCS

     

    PROBLEM

    The USBFile version 2 utility was used to create PID/PPS pairs, but the SCS console cannot import the setup.bin file. It displays an error message indicating the supplied setup.bin has an incorrect file format.

    SOLUTION

    USBFILE2's file format is not supported by the SCS at this time. Use the -v 1 switch with USBFILE2 to force it to create a v1 file, or use the original USBFILE utility.

     

    12.4.2008

    The SCS Console Operator role does not appear to give users the right to access the security keys

     

    PROBLEM

    The SCS Console Operator role does not appear to give users the right to access the security keys, which conflicts with the documentation and is a pre-requisite for an operator performing a pre-provisioning function.

    SOLUTION

    This is a known issue and will be fixed in SCS 5.0.

    11.25.2008

    Minimum security requirements for installing Intel® SCS

     

    SOLUTION

    The user installing Intel® SCS must be a member of the local administrators group and a SQL administrator. The user installing the software does not need to be a domain administrator.

    4.2.2009 QA1326

    Intel® SCS is only supported on English versions of Windows* Server 2008

     

     

    SOLUTION

    Check future versions of Intel® SCS to determine if it is supported on non-English versions of Microsoft* Windows* Server 2008.

     

     

    9.18.2009 QA1381

    Intel® SCS error code 637 means that the one-time password is missing

     

     

     

    PROBLEM

    The Intel® AMT log shows the following error after a provisioning attempt:

    Failed to apply all changes - SCS Code:637 - Operation: Setting system data

    SOLUTION

    The error is the result of a missing one-time password in the Intel® SCS profile. To fix this problem, either uncheck the OTP checkbox in the profile, or keep the OTP option checked and supply a password.
    Refer to the Intel® SCS User Guide for more information on the OTP option.

     

     

     

     

    07.19.2010 QA1444

    Intel® SCS Console communication with workgroup-based clients requires host file entries for each client

     

     

    SOLUTION

    In a workgroup environment, all the Intel® AMT clients must be listed in the host file on the Intel® SCS Console system. The host file is a simple list of each client's FQDN and IP address. This file must be updated each time the IP address changes. Refer to your Windows* documentation for more information on this file.

     

     

    09.22.2010 QA1434

     

    USB Provisioning

     

    USB provisioning only effective on "factory new" systems

    PROBLEM

    USB provisioning failed after multiple attempts.

    RESOLUTION

    This is by design. USB provisioning only works on a "factory new" system, meaning that it has never been provisioned. Once Intel® AMT is provisioned, the one-touch USB method will not work again until the CMOS battery is pulled and reset.

    11.9.2007

     

    USB Key Configuration Guidelines

    Use these criteria when preparing a key for USB provisioning:

     

    • Keys should only be formatted with Intel® SCS. Keys should be formatted as a FAT16 device with a null volume label.

    • Setup.bin must be the first file on the key. If the file is overwritten, or erased and then re-added, it may no longer be the first file on the key. Always reformat the key before a new setup.bin file is copied to it.

    • Keys should be 2GB or less. FAT16 cannot address more than 2GB on these devices.

    • Purchased keys should not have any preinstalled software on them.

    • Keys should only be used for USB key provisioning and not for any other purpose.

    • Keys should never have been created as a bootable device.

    • BIOS settings can impact USB provisioning. If you experience problems, load the manufacturer's default BIOS settings before doing USB provisioning.
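
    Several of these criteria can be checked from a raw image of the key before it is taken to a client. The following Python is an added example, not Intel® SCS code: it reads the FAT boot sector and root directory and reports violations of the FAT16, volume label, size, first-file and single-purpose guidelines. The function names, the reading of "null volume label" as "no label set", the strict reading of "first file" as directory slot 0, and the sample image are assumptions made for this example.

```python
import struct

MAX_KEY_BYTES = 2 * 1024**3      # guideline: keys of 2 GB or less
SETUP_NAME = b"SETUP   BIN"      # "setup.bin" as an 11-byte 8.3 directory name
BPB = "<HBHBHHBHHHII"            # BIOS parameter block fields at offset 11


def check_usb_key_image(img: bytes) -> list:
    """Return guideline violations for a raw volume image; [] means it passes."""
    if len(img) < 512 or img[510:512] != b"\x55\xaa":
        return ["no boot sector signature"]
    (bps, spc, reserved, nfats, root_entries, total16, _media, spf,
     _spt, _heads, _hidden, total32) = struct.unpack_from(BPB, img, 11)
    if bps not in (512, 1024, 2048, 4096) or spc == 0:
        return ["not a FAT boot sector"]
    total = total16 or total32
    root_start = reserved + nfats * spf
    root_sectors = (root_entries * 32 + bps - 1) // bps
    clusters = (total - root_start - root_sectors) // spc
    # The FAT specification decides the FAT type by cluster count alone.
    if not 4085 <= clusters < 65525:
        return [f"not FAT16 ({clusters} clusters)"]

    problems = []
    if total * bps > MAX_KEY_BYTES:
        problems.append("volume larger than 2 GB")
    # Assumption: "null volume label" means no label in the boot sector
    # (blank or the formatter's "NO NAME" filler) and no label directory entry.
    label = img[43:54].rstrip(b" \x00")
    if label not in (b"", b"NO NAME"):
        problems.append(f"boot sector volume label is set: {label!r}")

    slots = []                                   # (kind, 8.3 name) per slot
    base = root_start * bps
    for i in range(root_entries):
        entry = img[base + 32 * i: base + 32 * i + 32]
        if len(entry) < 32 or entry[0] == 0x00:  # 0x00 ends the directory
            break
        attr = entry[11]
        if entry[0] == 0xE5:
            kind = "deleted"
        elif attr & 0x3F == 0x0F:
            kind = "long-name"
        elif attr & 0x08:
            kind = "label"
        else:
            kind = "file"
        slots.append((kind, entry[:11]))

    if any(kind == "label" for kind, _ in slots):
        problems.append("volume label entry in root directory")
    # Strict reading of "first file": slot 0 itself must be setup.bin, so a
    # deleted or long-name slot ahead of it fails (reformat, as the page says).
    if not slots or slots[0] != ("file", SETUP_NAME):
        found = slots[0][0] if slots else "nothing"
        problems.append(f"setup.bin is not the first directory entry ({found} in slot 0)")
    extras = [n.decode("ascii", "replace") for k, n in slots
              if k == "file" and n != SETUP_NAME]
    if extras:
        problems.append("other files present: " + ", ".join(extras))
    return problems


def build_sample_image(entries, label=b"NO NAME"):
    """Constructed FAT16 sample, truncated after the root directory."""
    bps, spc, reserved, nfats, root_entries, spf, clusters = 512, 1, 1, 2, 512, 17, 4200
    total = reserved + nfats * spf + root_entries * 32 // bps + clusters * spc
    boot = bytearray(bps)
    boot[0:11] = b"\xeb\x3c\x90MSDOS5.0"
    struct.pack_into(BPB, boot, 11, bps, spc, reserved, nfats, root_entries,
                     total, 0xF8, spf, 63, 255, 0, 0)
    boot[38] = 0x29                              # extended boot signature
    boot[43:54] = label.ljust(11)
    boot[54:62] = b"FAT16   "
    boot[510:512] = b"\x55\xaa"
    root = bytearray(root_entries * 32)
    for i, (name, attr) in enumerate(entries):
        root[32 * i: 32 * i + 11] = name.ljust(11)
        root[32 * i + 11] = attr
    return bytes(boot) + bytes(nfats * spf * bps) + bytes(root)


if __name__ == "__main__":
    good = build_sample_image([(SETUP_NAME, 0x20)])
    stale = build_sample_image([(b"\xe5ETUP   BIN", 0x20), (SETUP_NAME, 0x20)])
    for name, img in (("fresh key", good), ("erased and re-added", stale)):
        print(name, "->", check_usb_key_image(img) or "OK")
```

    The second sample models the case the guidelines warn about: setup.bin was erased and re-added, so a deleted entry occupies the first directory slot.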







     

    12.20.2007

    USB Compatibility Matrix for Intel® Centrino® with Intel® vPro™ Technology (Intel® AMT 2.5)

    The keys marked YES are acceptable for USB provisioning. The keys marked NO are not recommended for USB provisioning. New keys were used in these tests.

     

    | System | Model | BIOS | SanDisk 1GB Cruzer Micro SDCZ61024A10 | Kingston 1GB DT1001GBKR | Sony 1GB Micro Vault Classic USM1GJ | PNY 2GB Optima Pro Attached Enhanced for Windows ReadyBoost PFD02GHSPFS |
    |---|---|---|---|---|---|---|
    | Acer | TravelMate 6592 | 1.53 | Not supported | Not supported | Not supported | Not supported |
    | Dell | Latitude D630c | A09 | Yes | Yes | Yes | Yes |
    | FSC | LifeBook E8410 | 1.16 | Not supported | Not supported | Not supported | Not supported |
    | HP | 2510p | F.0D | Yes | Yes | Yes | Yes |
    | HP | 6910p | F.16 | Yes | Yes | Yes | Yes |
    | Lenovo | ThinkPad T61 | 7LETB9WW(2.24) | No | Yes | No | No |
    | Lenovo | ThinkPad X61 Tablet | 7SET31WW(1.19) | No | Yes | No | No |
    | Lenovo | ThinkPad X300 | 7TUJ05US (1.08) | No | Yes | No | No |
    | Samsung | NP-P55 | 07AY | Not supported | Not supported | Not supported | Not supported |
    | Toshiba | Protege M700 | 1.40 | Not supported | Not supported | Not supported | Not supported |
    | Toshiba | Tecra M9 | 1.90 | Not supported | Not supported | Not supported | Not supported |

     

    *Fujitsu-Siemens Corporation (FSC) and Toshiba do not support USB provisioning on their Intel® Centrino® Pro processor technology platform.

    04.23.09

     

    USB Compatibility Matrix for Intel® vPro™ Technology (Intel® AMT 3.x)

    The keys marked YES are acceptable for USB provisioning. The keys marked NO are not recommended for USB provisioning. New keys were used in these tests.

     

     

     

     

    | System | Model | BIOS | SanDisk 1GB Cruzer Micro SDCZ61024A10 | Kingston 1GB DT1001GBKR | Sony 1GB Micro Vault Classic USM1GJ | PNY 2GB Optima Pro Attached Enhanced for Windows ReadyBoost PFD02GHSPFS |
    |---|---|---|---|---|---|---|
    | Intel® Desktop Board | DQ35JO | 86.A.0954.2008.0922.2331 | Yes | Yes | Yes | Yes |
    | FSC | Esprimo P5925 | 6.00 R1.15.2584.A1 | Yes | No | Yes | No |
    | Dell | Optiplex 755 | A11 | Yes | Yes | Yes | Yes |
    | HP | dc7800 | 01.24 | Yes | Yes | Yes | Yes |
    | Lenovo | ThinkCentre M57p | 2RKT57AUS | Yes | No | Yes | No |

    04.23.09

    USB Compatibility Matrix for Intel® vPro™ Technology (Intel® AMT 4.x)

    The keys marked YES are acceptable for USB provisioning. The keys marked NO are not recommended for USB provisioning. New keys were used in these tests.

     

    | System | Model | BIOS | SanDisk 1GB Cruzer Micro SDCZ61024A10 | Kingston 1GB DT1001GBKR | Sony 1GB Micro Vault Classic USM1GJ | PNY 2GB Optima Pro Attached Enhanced for Windows ReadyBoost PFD02GHSPFS |
    |---|---|---|---|---|---|---|
    | Acer | TravelMate 6493 | v1.02 | Yes | Yes | Yes | Yes |
    | Dell | Latitude E6400 | A11 | Yes | Yes | Yes | Yes |
    | Fujitsu | LifeBook 8420 | v1.06 | Yes | Yes | Yes | Yes |
    | HP | EliteBook 6930P | 68PCU ver F.0E | Yes | Yes | Yes | Yes |
    | Lenovo | T400 | 7UET43WW (1.15) | Yes | Yes | Yes | Yes |
    | Lenovo | X200 | 6DET30WW (1.07) | Yes | Yes | Yes | Yes |
    | Toshiba | Tecra A10 | 1.90 | Yes | Yes | Yes | Yes |

    04.23.09

    USB Compatibility Matrix for Intel® vPro™ Technology (Intel® AMT 5.x)

    The keys marked YES are acceptable for USB provisioning. The keys marked NO are not recommended for USB provisioning. New keys were used in these tests.

     

    | System | Model | BIOS | SanDisk 1GB Cruzer Micro SDCZ61024A10 | Kingston 1GB DT1001GBKR | Sony 1GB Micro Vault Classic USM1GJ | PNY 2GB Optima Pro Attached Enhanced for Windows ReadyBoost PFD02GHSPFS |
    |---|---|---|---|---|---|---|
    | Lenovo | M58p | 5CKT40AUS | Yes | No | Yes | No |
    | HP | dc7900 | 786G1 v01.11 | Yes | Yes | Yes | Yes |
    | Dell | OptiPlex 960 | A01 | Yes | Yes | Yes | Yes |

    04.23.09

     

    USB Provisioning Tips for Lenovo T61

    Use these tips when provisioning a Lenovo T61 notebook:

    • Don't attempt to USB provision after a forced power off (holding the power button for 5 seconds). Only attempt a USB provision after a normal shutdown or restart.

    • If the USB key fails to provision, load the factory BIOS defaults and try again. If this does not resolve the issue, then do the following:

    1. Disable Intel® AMT from the BIOS.

    2. Boot the system with the USB key.

    3. Re-enable Intel® AMT from the BIOS.

    4. Provision the system using the USB key.







     

    2.12.2008

     

    What is the maximum number of PID/PPS pairs that can be used during USB provisioning?

    PROBLEM

    Customers activating a high number of systems using One Touch/USB provisioning may run into performance degradation attempting to import these keys in a management console.

    RESOLUTION

    There is no theoretical limit to how many PID/PPS pairs can be on a USB key, but there may be a threshold above which the performance degrades significantly. At this time, the largest known deployment using USB provisioning used 30,000 PID/PPS pairs. Altiris* was unable to process this setup.bin file; however, the Intel® SCS Console was able to import these keys despite the timeout error that the console indicated.

    4.29.2008

    Automating PID/PPS key generation using LANDesk utility

     

    There is a utility available in your LANDesk installation that allows you to quickly generate a specific number of PID/PPS pairs for USB provisioning. Follow these instructions; the steps represent a standard installation.

     

    1. Open Windows Explorer and navigate to your LANDesk program files.

    2. Open the managementsuite folder and locate AMTUSBFile.exe.

    3. Open a command window and navigate to the path where AMTUSBFile.exe resides. Use the table below to run the utility.







     

    | To do this... | Then type this and press Enter... |
    |---|---|
    | List all available parameters | AMTUSBFile.exe -h |
    | Generate X number of pairs | AMTUSBFile.exe -c <current ME password> <new ME password> -n <number of pairs>. For example, generating 625 records takes ~1 second: AMTUSBFile.exe -c admin Landesk1! -n 625 |
    | Import the keys from the generated setup.bin to the LANDesk database | AMTUSBFile.exe -i. Note: LANDesk uses an encrypted string when saving credentials to the database. Sometimes, this encrypted string is invalid to databases, such as Oracle. If this occurs, you may need to run the command several times before the keys are added. Records already imported will not be imported again. |
    | Verify the list of records in the database | AMTUSBFile.exe -g |

    6.27.2008

     

    HP* 8730w is unable to boot from USB provisioning key created by Intel® SCS Console

     

    PROBLEM

    HP* 8730w is unable to boot from a USB provisioning key created by Intel® SCS Console. The system hangs and the screen goes blank. This is a known issue for BIOS versions F.10 and earlier.

    SOLUTION

    Upgrade to BIOS F.11.

    05.11.2010  QA1432

     

    Firmware update needed to provision Lenovo* M58p with USB key using USBFILE 2.1 utility

     

     

    PROBLEM

    The Lenovo* BIOS must be updated to use USBFILE 2.1 with USB provisioning on the Lenovo* M58p.

    SOLUTION

    Update your Lenovo* M58p BIOS to the latest BIOS available on the Lenovo website (posted 7/27/09).

     

     

    05.11.2010  QA1367

    USBFile.exe syntax to enable both SOL and IDER

     

     

    RESOLUTION

    The default setting in Intel® AMT firmware is to enable both SOL and IDER. To provision a system with both SOL and IDER enabled using the USBFile.exe utility, simply omit the -redir option from the command line.

     

    For example:

     

    usbfile.exe -create setup.bin admin P@ssw0rd -amt

    For more information, see: Local Setup and Configuration Using a USB Flash Drive (http://communities.intel.com/docs/DOC-4354)

     

     

     

     

    5.13.2010  QA1427

     

     

    *Other names and brands may be claimed as the property of others.