Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2827 Discussions

Missing Boot Options on AMT WebUI

UScho
Beginner
2,976 Views

Hello everyone

I have a strange behavior with my IPC system. After unprovisioning the system I can not enable boot options any more. The boot option "Boot from local hard drive" is lost.

See screen-shots. A second SSD is installed.

Would be great if anybody could support her.

AMT Fw: 9.1.41.3024

 

Processor: i7-6822EQ, QM87

 

MEI: 9.5.10.1538

WebUI before unprovision

I used the function from ACUWizard.

And after reconfiguration the boot options are lost.

0 Kudos
17 Replies
idata
Employee
1,774 Views

Hello,

 

 

I'm assuming that you re-provisioned after unconfiguring AMT. What I'm seeing from the screen shots looks to be a permissions issue. Are you using the same account for both scenario's? If so, have any permissions been changed? If not, please try logging in with the account you used for the first screen shot. Alternatively, if you were to give the account PT Administrator, do you still see the same thing?

 

 

Regards,

 

Michael
0 Kudos
UScho
Beginner
1,774 Views

Hello

I can confirm that I re-provisioned the system after unconfiguring.

Both scenarios came up with "admin" account. No other accounts were ever used nor created on the system.

Can the permissions of the build in account "admin" been changed?

0 Kudos
UScho
Beginner
1,774 Views

Hello

I found the following resource https://software.intel.com/en-us/node/632113 Set SOL/Storage Redirection and other Boot Options | Intel® Software that describes my missing boot options.

 

It seems that it is possibel to configure the options with ps scriptings. I would rather expect to do that over the WebUI.

 

But, I do not understand why did the boot options disapear after unprivisioning.
0 Kudos
idata
Employee
1,774 Views

Hi,

 

 

Can you provide me the make and model of the system? We'd like to try to reproduce this issue and have been unsuccessful with our systems. Right now, do not have an answer as to why the boot options disappear after unprovisioning.

 

 

Regards,

 

Intel Customer Support
0 Kudos
UScho
Beginner
1,774 Views

Hello,

we use Adlink MXE-5401 and MXE-5501. Both behave identical.

0 Kudos
idata
Employee
1,774 Views

Hi Musketier,

 

 

We were able to reproduce what you are seeing. The way we were able to reproduce it was, initially, the system was in admin control mode, then unprovisioned, then using ACUWizard, assuming this is how you performed it, this puts the system in Client Control Mode (CCM), where those options will not appear. This link explains it a little further:

 

 

https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments/userconsent1.htm

 

 

CIM_BootConfigSetting.

 

 

To fix, put the system in Admin Control Mode (ACM).

 

 

Regards,

 

Intel Customer Support
0 Kudos
UScho
Beginner
1,774 Views

Hallo,

ok, I think I have understood some things about AMT and ACM mode.

I did some investigations. My experience is to switch from CCM to ACM is not easy.

From my point of view is the best way for us to enable ACM is EHBC.

Our manufacturer have to enable ACM mode over BIOS by default right?

Can we update a system BIOS in field that has ACM enabled?

0 Kudos
UScho
Beginner
1,774 Views

Hello,

some more information about my results.

Now I have set system to ACM see screen shot. The ACUWizard tells Configued Admin Control Mode).

But when I connect over WebUI the controls ae still missing.

a

0 Kudos
idata
Employee
1,774 Views

Hi Musketier,

Apologies for the delay in response as I've been away on vacation. Your result is interesting as we were able to duplicate what you were seeing. There are a couple more things. First, I notice that the AMT version is updated for SA-00075. What version was this running before that?

Second is something I'd like to confirm. I know that you are in Admin Control Mode but need to see if "User Consent" is enabled. An easy way to check this is to download and install Intel Manageability Commander, located here:

https://downloadcenter.intel.com/download/26375/Intel-Manageability-Commander https://downloadcenter.intel.com/download/26375/Intel-Manageability-Commander

configure for the system you are connecting to, connect and on the "System Status" screen, there is an item "User Consent". Can you tell me what it is set to?

It should look like this:

Regards

 

Intel Customer Support
0 Kudos
UScho
Beginner
1,774 Views

Hello

Yes, I can confirm that SA-00075 is installed. The previous firmware was 9.0.13.1402.

I installed the Intel Manageability Commander.

System Status:

Now I changed the "User Consent" from "Always Required" to "Not Required"

and voila the controls are there!

Ok. Seems 2018 starts better than expected.

My problem is now: It sees that "User Consent" setting is enabled by default. Now I need a workflow how to set up a system with the wished

AMT settings for mass deployment?

0 Kudos
idata
Employee
1,774 Views

Hi Musketier,

I'm assuming you mean "User Consent"...

For mass deployment, if you already have a profile created, you can modify that profile by launching the ACUWizard, under System Settings, KVM Settings, unselect "User Consent required before beginning KVM Session" and then push the updated profile out.

 

Regards,

 

Intel Customer Support
0 Kudos
UScho
Beginner
1,780 Views

Hello,

sorry, yes "User Consent" is correct.

I would like to go back to your answer from 13.12.2017. Where you explain switching from CCM to ACM.

The documentation explains ACM mode. We have no access to BIOS because systems are headless. We have only remote access over remote desktop.

How could we switch from CCM to ACM in such a situation?

0 Kudos
idata
Employee
1,780 Views

Hi Musketier,

 

 

I'm going to assume you are using SCS as a deployment method for provisioning your headless systems. When you provision remotely, this will put AMT on the system you are running ACUConfig on in Admin Control Mode.

 

 

Please reference the SCS User Guide for remote configuration of your devices. Also reference the following site for remote certificate provisioning for AMT:

 

https://www.intel.com/content/www/us/en/remote-support/intel-vpro-certificates.html

Let me know by posting if you have more questions after looking through the document.

 

 

Regards,

 

Michael
0 Kudos
UScho
Beginner
1,780 Views

Hello Michael,

I'm afraid. I can not use SCS. We have remote access over VPN/RDP to the single systems. I do not have direct access to the customer corporate network.

This means I do not have access to the the dedicated AMT Ethernet port. Please correct me if I am wrong.

From my point of view I would rather use EHBC with disabled "User Consent". This should be preset in BIOS by our BIOS vendor.

Since we need a solution for mass deployment in production and upgrade in field. All produced devices should be ready for AMT in field.

Is that possible? Can we enable ACM in BIOS by default?

0 Kudos
idata
Employee
1,780 Views

Hi Musketier,

 

 

I'm copying your post here so I can respond inline:

 

I'm afraid. I can not use SCS. We have remote access over VPN/RDP to the single systems. I do not have direct access to the customer corporate network.

 

Just throwing out this option here. Is there any way you can have the customer set up a server (you'll probably need to have SQL installed on it and configure based on remote configuration in the SCS User Guide or Deployment Guide) you can vpn/rdp into, Install SCS and then manage the clients that way? Once you are tunneled in and on a server that has rights for the client systems, this should be do-able.

This means I do not have access to the the dedicated AMT Ethernet port. Please correct me if I am wrong.

 

I need clarification on what you mean here...because if you are doing a direct VPN/RDP to single target host system, then yes, you would have access to the AMT Ethernet port as you are on the system though, correct, you still would not be able to manage it from any other system within your network. If you have the server setup as mentioned above, then, yes.

From my point of view I would rather use EHBC with disabled "User Consent". This should be preset in BIOS by our BIOS vendor.

 

Definitely, this is an option.

Since we need a solution for mass deployment in production and upgrade in field. All produced devices should be ready for AMT in field.

Is that possible? Can we enable ACM in BIOS by default?

 

My assumption when imagining what you are trying to do, taking in solution for mass deployment in production and upgrade in field, I'm thinking that you are about to do a major refresh, will be receiving the systems in a central location, configuring, possibly imaging, preparing to be sent out to the field. In this case, yes, you can enable ACM through MEBx, so long as you are local to the system. Most systems allow access to the MEBx, through CTRL-P on bootup, though some OEM's integrate it into BIOS. You will need to understand how to access based on your system.Hope this helps and don't hesitate if you have more questions.

 

 

Regards,

 

Michael
0 Kudos
UScho
Beginner
1,780 Views

Hello Michael,

I understand that AMT and its funcionality is a security sensitive technology. On the other hand we need a may to enable AMT if we need it.

 

If we enable AMT than it should be enabled with our predefined settings.

As mentioned in one of my earlier posts. The systems are headless. No way for MEBx with keyboard and display. Nobody can pres CTRL-P.

My question if we could enable ACM by BIOS is a bit misleadinng. I rather think on a BIOS update because this is possible over remote and Windows.

I would update BIOS that has ACM enabled and User Consens disabled by default.

What do you think? Would that work?

0 Kudos
idata
Employee
1,780 Views

Hi Musketier...Sending an e-mail to you.

 

 

Regards,

 

Michael
0 Kudos
Reply