1 Reply Latest reply on Jun 3, 2013 3:34 PM by Alan Alderson

    KVM user consent question

    Samuel Lysinger

      I am fairly new to vpro.  I've got all my old testlab PCs configured manually so I can go to their webguis and turn them off and on

      I purchased an Optiplex 7010 and played with it until I discovered with the SCSDiscovery tool that the remote KVM feature was disabled in the BIOS

      I sold it soon after, shame on big manufacturers for only enabling this feature in their laptops.

       

      I've got my frontdesk PC (ASUS P8Q77-M) working with vncviewer plus and I can remote into it mount virtual CD-roms, boot off of them, etc.

      I configured it in the BIOS manually and did an update configuration with the ACUwizard.

       

      My problem is this:

      I always get prompted for the 6 digit code to access the PC

      For the life of me, I cannot get the user consent prompt to disable

      That's great when someone is at the office, not so great when no one is at the office

      I need the consent feature disabled so that I can upgrade my ESX server motherboard with this board.

       

      I discovered that VNC Viewer Plus will change the user consent setting whenever it connects to a system, so I unchecked the box.

      This allows me to log in once, input the 6 digit code, and log in again one time without getting prompted for a user consent code.

      Then it's back to square 1 asking me for a code again.

       

      I am sure I am doing something wrong or need to learn more.

       

      I did notice that there is no user consent option in the ASUS MEBx AMT menus anywhere.  Am I stuck, or is there another way to disable this?

       

      All help is appreciated,

       

      Below is the scsconfig output file if that helps.

       

      <?xml version="1.0" encoding="UTF-8" standalone="no" ?>

      - <SystemDiscovery>

      - <GeneralInfo>

        <SystemDataVersion>8.1.0</SystemDataVersion>

        <LastTimeUpdated>2013-06-02 20:23:43</LastTimeUpdated>

        <SCSVersion>8.1.4.16</SCSVersion>

        <BIOSVersion>1002</BIOSVersion>

        <MEPlatformSKUs>Corporate; Desktop;</MEPlatformSKUs>

        <UUID>55A639C0-D7DA-11DD-8EE4-50465D6FDFA1</UUID>

        <Manufacturer>System manufacturer</Manufacturer>

        <Model>System Product Name</Model>

        <SMBIOSAssetTagData>Asset-1234567890</SMBIOSAssetTagData>

        <Chassis>Desktop</Chassis>

        <MachineSerialNumber>System Serial Number</MachineSerialNumber>

        </GeneralInfo>

      - <ManageabilityInfo>

        <AMTSKU>Intel(R) Full AMT Manageability</AMTSKU>

        <AMTversion>8.1.0</AMTversion>

        <FWVersion>8.1.0.1265</FWVersion>

        <PingConfigurationServer>False</PingConfigurationServer>

      - <Capabilities>

        <IsAMTSupported>True</IsAMTSupported>

        <IsCILASupported>True</IsCILASupported>

        <IsAMTKVMSupported>True</IsAMTKVMSupported>

        <IsTLSSupported>True</IsTLSSupported>

        <IsCCMSupported>True</IsCCMSupported>

        <IsHBPSupported>True</IsHBPSupported>

        <IsKVMEnabledInBIOS>True</IsKVMEnabledInBIOS>

        <IsKVMSupportedInBIOS>True</IsKVMSupportedInBIOS>

        <IsAntiTheftSupported>True</IsAntiTheftSupported>

        <IsSOLSupportedInBIOS>True</IsSOLSupportedInBIOS>

        <IsIDERSupportedInBIOS>True</IsIDERSupportedInBIOS>

        <IsAMTEnabledInBIOS>True</IsAMTEnabledInBIOS>

        <IsSOLEnabledInBIOS>True</IsSOLEnabledInBIOS>

        <IsIDEREnabledInBIOS>True</IsIDEREnabledInBIOS>

        <CRLStoreSize>1424</CRLStoreSize>

        <RootCertificatesMaxSize>1500</RootCertificatesMaxSize>

        <RootCertificatesMaxInstances>4</RootCertificatesMaxInstances>

        <FQDNSuffixMaxEntries>4</FQDNSuffixMaxEntries>

        <FQDNSuffixMaxLength>63</FQDNSuffixMaxLength>

        <CertificateChainMaxSize>4100</CertificateChainMaxSize>

      - <SupportedCertificatesKeyLengths>

        <SupportedCertificateKeyLength>1024</SupportedCertificateKeyLength>

        <SupportedCertificateKeyLength>1536</SupportedCertificateKeyLength>

        <SupportedCertificateKeyLength>2048</SupportedCertificateKeyLength>

        </SupportedCertificatesKeyLengths>

        </Capabilities>

      - <ManagementSettings>

        <AMTConfigurationMode>Enterprise Mode</AMTConfigurationMode>

        <AMTState>Post Provisioning</AMTState>

        <IsAMTConfigured>True</IsAMTConfigured>

        <AMTConfigurationState>PKI</AMTConfigurationState>

        <IsZTCEnabled>True</IsZTCEnabled>

        <CertificateHashes>VeriSign Class 3 Primary CA-G1, 742c3192e607e424eb4549542be1bbc53e6174e2, Enabled, Default; VeriSign Class 3 Primary CA-G3, 132d0d45534b6997cdb2d5c339e25576609b5cc6, Enabled, Default; Go Daddy Class 2 CA, 2796bae63f1801e277261ba0d77770028f20eee4, Enabled, Default; Comodo AAA CA, d1eb23a46d17d68fd92564c2f1f1601764d8e349, Enabled, Default; Starfield Class 2 CA, ad7e1c28b064ef8f6003402014c3d0e3370eb58a, Enabled, Default; VeriSign Class 3 Primary CA-G2, 85371ca6e550143dce2803471bde3a09e8f8770f, Enabled, Default; VeriSign Class 3 Primary CA-G1.5, a1db6393916f17e4185509400415c70240b0ae6b, Enabled, Default; VeriSign Class 3 Primary CA-G5, 4eb6d578499b1ccf5f581ead56be3d9b6744a5e5, Enabled, Default; GTE CyberTrust Global Root, 97817950d81c9670cc34d809cf794431367ef474, Enabled, Default; Baltimore CyberTrust Root, d4de20d05e66fc53fe1a50882c78db2852cae474, Enabled, Default; Cybertrust Global Root, 5f43e5b1bff8788cac1cc7ca4a9ac6222bcc34c6, Enabled, Default; Verizon Global Root, 912198eef23dcac40939312fee97dd560bae49b1, Enabled, Default; Entrust.net CA (2048), 503006091d97d4f5ae39f7cbe7927d7d652d3431, Enabled, Default; Entrust Root CA, b31eb1b740e36c8402dadc37d44df5d4674952f9, Enabled, Default; VeriSign Universal Root CA, 3679ca35668772304d30a5fb873b0fa77bb70d54, Enabled, Default;</CertificateHashes>

        <IsMoveToInProvisionPossible>False</IsMoveToInProvisionPossible>

        <AMTControlMode>Client Control Mode</AMTControlMode>

        <IsTLSEnabled>False</IsTLSEnabled>

        <IsHWCryptoEnabled>True</IsHWCryptoEnabled>

        <IsNetworkInterfaceEnabled>True</IsNetworkInterfaceEnabled>

        <IsAMTFWUpdateEnabled>False</IsAMTFWUpdateEnabled>

        <IsAMTEACEnabled>False</IsAMTEACEnabled>

        <AMTDigestRealm>Digest:C9EC0000000000000000000000000000</AMTDigestRealm>

        </ManagementSettings>

        </ManageabilityInfo>

      - <OSInfo>

        <MEIVersion>8.1.0.1263</MEIVersion>

        <IsMEIEnabled>True</IsMEIEnabled>

        <OSDomainName>WORKGROUP</OSDomainName>

        <OSHostName>FRONTDESK</OSHostName>

        <OperatingSystem>Microsoft Windows 7 Ultimate</OperatingSystem>

        <LMSVersion>8.1.0.1281</LMSVersion>

        </OSInfo>

      - <NetworkInfo>

      - <OSNetwork>

        <OSDNSHostName>Frontdesk</OSDNSHostName>

      - <OSWired>

        <OSIP>192.168.11.99</OSIP>

        <OSSubnet>255.255.255.0</OSSubnet>

        <OSDHCPEnabled>False</OSDHCPEnabled>

        <OSDNS>192.168.11.1, 4.2.2.2</OSDNS>

        <OSGateway>192.168.11.1</OSGateway>

        </OSWired>

        </OSNetwork>

        </NetworkInfo>

      - <ConfigurationInfo>

        <AMTClock>2013-06-02 20:25:42</AMTClock>

      - <AMTNetworkSettings>

        <SharedFQDN>True</SharedFQDN>

        <DynamicDNSUpdate>False</DynamicDNSUpdate>

        <AMTFQDN>USERHOM-4SU0HTE</AMTFQDN>

        <AMTHostName>USERHOM-4SU0HTE</AMTHostName>

        <DHCPOption81Enabled>False</DHCPOption81Enabled>

        <SharedStaticIP>False</SharedStaticIP>

        <IPSyncEnabled>False</IPSyncEnabled>

      - <AMTWiredNetworkAdapter>

        <DHCPEnabled>False</DHCPEnabled>

        <IsLinkStatusUp>True</IsLinkStatusUp>

        <MACAddress>50-46-5d-6f-df-a1</MACAddress>

        <LinkPolicy>On S0 in AC; On SX in AC;</LinkPolicy>

      - <IPv4IPSettings>

        <IP>192.168.11.11</IP>

        <Subnet>255.255.255.0</Subnet>

        <Gateway>192.168.11.1</Gateway>

        <DNS>192.168.15.1</DNS>

        <SecondaryDNS>4.2.2.2</SecondaryDNS>

        </IPv4IPSettings>

        </AMTWiredNetworkAdapter>

        </AMTNetworkSettings>

      - <EnabledInterfaces>

        <EnableSOL>True</EnableSOL>

        <EnableIDER>True</EnableIDER>

        <EnableWebUI>True</EnableWebUI>

        <EnablePingResponse>True</EnablePingResponse>

        </EnabledInterfaces>

      - <KVMOptions>

        <EnableKVM>True</EnableKVM>

        <EnableUserConsent>True</EnableUserConsent>

        <UserConsentTimeout>300</UserConsentTimeout>

        </KVMOptions>

      - <TLSSettings>

        <NetworkTLSAuthentication>No Authentication</NetworkTLSAuthentication>

        <LocalTLSAuthentication>No Authentication</LocalTLSAuthentication>

        </TLSSettings>

      - <Certificates>

        <NextCertExpiryDate />

        </Certificates>

      - <ADIntegration>

        <EnableADIntegration>False</EnableADIntegration>

        </ADIntegration>

        </ConfigurationInfo>

        </SystemDiscovery>

        • 1. Re: KVM user consent question
          Alan Alderson

          Hey Samuel,

           

          The reason you keep getting the 6 digit user consent prompt is because your vPro computer is configured in what's called Client Control Mode. In this mode the user consent prompt is mandatory. An easy fix for this is to provision your vPro computer with a USB drive. Using USB provisioning will configure the vPro computer into what's called Admin Control Mode.

           

          Configure AMT via USB drive

           

           

          1. Plug in a USB drive. Note: Your USB drive is formatted during this process so make sure you've backed up any data you want to keep.
          2. Right-Click ACUWizard.exe and select Run as administrator.
          3. Click Configure/Unconfigure this System.
          4. Select Unconfigure.
          5. Click Next.
          6. Select Unconfigure this system using admin password.
          7. Type in your admin password and click Unconfigure.
          8. Click Back.
          9. Click Back.
          10. Click Create Settings to Configure Multiple Systems.
          11. Click the Tools drop down menu.
          12. Click Prepare a USB Key for Manual Configuration...
          13. Select either Mobile Systems or Desktop Systems depending on which type of systems will be configured.
          14. For compatibility reasons keep All systems are Intel AMT 6.0 and higher selected.
          15. The default AMT password is admin
          16. Click OK.
          17. Click Yes.
          18. This will create a Setup.bin file on the USB drive.
          19. Plug this USB drive into the vPro computer you want to provision.
          20. Either change the boot order to boot the USB drive first, or use the one time boot to select the USB drive.
          21. There will be a prompt to Continue with Auto Provisioning (Y/N) ?
          22. Hit Y
          23. After the computer has been provisioned, unplug the USB drive and reboot the computer.
          24. Enter in the vPro computer’s information
            1. AMT Server: IP address of the computer you are trying to connect to
            2. Encryption: None
            3. Connection Mode: Intel(r) AMT KVM
          25. Click Connect


          That should do it...


          -Alan