7 Replies Latest reply on Jul 12, 2016 10:34 AM by Madoll

    Problems while PXE booting on Intel AMT provisioned machines

    zeglory

      Hi guys,

      We have configured an environment with Intel SCS and Intel vPro enabled clients. We have successfully created policies and have distributed these to our clients. All of the functions/settings are working as expected. We are using the following policy:

      Profile Name: KerberosProfile

      Profile Type: Intel AMT

      Network Settings
           FQDN will be the same as the Primary DNS FQDN
           IP will be taken from DHCP

      Active Directory Integration
           Active Directory OU: OU=AMT Objects,DC=Demo,DC=local

      Access Control List (ACL)
           User 1: administrator
                User Type: Digest
                User has both remote and local access to the realms listed below
                Realms: Redirection, PT Administration, Hardware Asset, Remote Control, Storage, Event Manager, Storage Administration, Agent Presence Local, Agent Presence Remote, Circuit Breaker, Network Time, General Info, Firmware Update, EIT, Local User Notification, Endpoint Access Control, Endpoint Access Control Administrator, Event Log Reader, User Access Control

           User 2: Demo.LOCAL\AMT-Admins
                User Type: Active Directory
                User has both remote and local access to the realms listed below
                Realms: Redirection, PT Administration, Hardware Asset, Remote Control, Storage, Event Manager, Storage Administration, Agent Presence Local, Agent Presence Remote, Circuit Breaker, Network Time, General Info, Firmware Update, EIT, Local User Notification, Endpoint Access Control, Endpoint Access Control Administrator, Event Log Reader, User Access Control

           User 3: adminkvm
                User Type: Digest
                User has both remote and local access to the realms listed below
                Realms: Redirection, PT Administration, Hardware Asset, Remote Control, Storage, Event Manager, Storage Administration, Agent Presence Local, Agent Presence Remote, Circuit Breaker, Network Time, General Info, Firmware Update, EIT, Local User Notification, Endpoint Access Control, Endpoint Access Control Administrator, Event Log Reader, User Access Control

           User 4: Demo.LOCAL\Domain Users
                User Type: Active Directory
                User has local access to the realms listed below
                Realms: Redirection, PT Administration, Hardware Asset, Remote Control, Storage, Event Manager, Storage Administration, Agent Presence Local, Agent Presence Remote, Circuit Breaker, Network Time, General Info, Firmware Update, EIT, Local User Notification, Endpoint Access Control, Endpoint Access Control Administrator, Event Log Reader

      Transport Layer Security (TLS)
           Server authentication used for remote interface
           Server Authentication Certificate Properties:
                Certificate Authority: TEMPCA-IntelSCS.Demo.local\Demo Temp CA
                Certificate Template: IntelTLSaccesscertificate
                Common Names (CNs) in certificate: DNS Host Name (FQDN), Host Name, SAM Account Name, User Principal Name, UUID

      Network Configuration
           WiFi
                Do not enable synchronization of Intel® AMT with host platform WiFi profiles

           Wired 802.1x
                802.1x setup: 802.1x Setup1
                Protocol: EAP-TLS
                Root Certificate Authority: Demo Temp CA, Demo, local
                Certificate Authority: TEMPCA-IntelSCS.demo.local\Demo Temp CA
                Certificate Template: IntelSCSprovisioningcert
                Common Names (CNs) in certificate: DNS Host Name (FQDN), Host Name, SAM Account Name, User Principal Name, UUID
                Do not allow roaming identity
                Do not verify RADIUS server certificate subject name
                Enable 802.1x for Intel® AMT even if host is not authorized for 802.1x
                Keep 802.1x session after boot to allow PXE boot for 60 minutes

      Trusted Root Certificates
           Below are the trusted root certificates used in this profile:
                Root certificate 1: Demo Temp CA, Demo, local

      System Settings
           Enabled Management Interfaces:
                • Web UI
           RFB password set

           Power Management Settings: Always On (S0-S5), Timeout if idle: 0 minutes
           The Intel® AMT clock will be synchronized with the operating system clock
           Intel® AMT set to respond to ping requests
           Fast Call for Help (within the enterprise network) is Disabled

      Problem statement

      Now that Intel AMT has been configured, we can focus on the problem area:

      We use PXE boot on a non-802.1x network to initially install machines, and during the install process the machines are provisioned using Intel SCS with the configuration described above. When a machine is running in full Windows we are able to perform all actions like remote control and power features such as shutdown and cold reboot.

      But if we now try to reinstall the machine, the process fails.

      Machines where Intel AMT has now been configured can no longer PXE boot, neither on an 802.1x-enabled network nor on a network without 802.1x. What we are seeing is that the machines are able to PXE boot, but the process fails during the transfer of WinPE. The PXE boot process starts, boot.sdi is downloaded, and then the download of WinPE starts. This download fails randomly between 30% and 70%. We are using an IP helper and have tried placing the machines on the SAME VLAN as the server, but we get error code 1460 on WDS, which indicates a TFTP timeout. Just for the sake of testing, we have also tried setting DHCP options 66 and 67. But I must emphasize that the SAME machine works just fine if we delete the Intel vPro configuration from the BIOS.

      Conclusion:

      We think that this problem is related to Intel AMT intercepting network communication. But what we find odd is that the problem occurs both on an 802.1x-enabled network and on a network without 802.1x. Why is the PXE boot process being affected by enabling/configuring Intel AMT? Has anyone seen this problem or anything like this? I am wondering if there can be something in the policy that we have attached. During testing, we have also tried removing the following, because we are still struggling to get this to work on a non-802.1x network:
           Enable 802.1x for Intel® AMT even if host is not authorized for 802.1x
           Keep 802.1x session after boot to allow PXE boot for 60 minutes

      Any help, pointers and tips are much appreciated, as we have exhausted most of our options regarding testing :)

      Thanking you all in advance for your contribution.

      Best regards,
      Sean
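The poster wonders whether something in the attached policy matters. As an added example (not code from the post and not part of Intel SCS), here is a small Python parser for the Access Control List section of the profile summary in the plain-text form pasted above. It reports each ACL entry's user type, access scope (local and/or remote) and realm grants, and flags privileged realms held by broad principals, which is the least-privilege check a reviewer would run over such a profile. The sample text is a constructed copy of the post's ACL section; the PRIVILEGED_REALMS and BROAD_PRINCIPALS lists are assumptions chosen for this check, not Intel definitions.

```python
"""Parse the ACL section of an Intel SCS profile summary (plain-text form as
pasted in a forum post) and report per-entry access scope and realm grants.

Added example, not code from the original post and not part of Intel SCS.
The line format parsed is the one visible in the post; the sample below is a
constructed copy of that ACL section, and the privileged-realm / broad-
principal lists are assumptions for the least-privilege check.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the ACL section as it appears in the post (4 entries).
SAMPLE_ACL = r"""
Access Control List (ACL)
     User 1: administrator
          User Type: Digest
          User has both remote and local access to the realms listed below
          Realms: Redirection, PT Administration, Hardware Asset, Remote Control, Storage, Event Manager, Storage Administration, Agent Presence Local, Agent Presence Remote, Circuit Breaker, Network Time, General Info, Firmware Update, EIT, Local User Notification, Endpoint Access Control, Endpoint Access Control Administrator, Event Log Reader, User Access Control
     User 2: Demo.LOCAL\AMT-Admins
          User Type: Active Directory
          User has both remote and local access to the realms listed below
          Realms: Redirection, PT Administration, Hardware Asset, Remote Control, Storage, Event Manager, Storage Administration, Agent Presence Local, Agent Presence Remote, Circuit Breaker, Network Time, General Info, Firmware Update, EIT, Local User Notification, Endpoint Access Control, Endpoint Access Control Administrator, Event Log Reader, User Access Control
     User 3: adminkvm
          User Type: Digest
          User has both remote and local access to the realms listed below
          Realms: Redirection, PT Administration, Hardware Asset, Remote Control, Storage, Event Manager, Storage Administration, Agent Presence Local, Agent Presence Remote, Circuit Breaker, Network Time, General Info, Firmware Update, EIT, Local User Notification, Endpoint Access Control, Endpoint Access Control Administrator, Event Log Reader, User Access Control
     User 4: Demo.LOCAL\Domain Users
          User Type: Active Directory
          User has local access to the realms listed below
          Realms: Redirection, PT Administration, Hardware Asset, Remote Control, Storage, Event Manager, Storage Administration, Agent Presence Local, Agent Presence Remote, Circuit Breaker, Network Time, General Info, Firmware Update, EIT, Local User Notification, Endpoint Access Control, Endpoint Access Control Administrator, Event Log Reader
"""

# Assumption: realms whose grant to a broad principal deserves review.
# Redirection is the realm behind the SOL/IDE-R (and KVM) interface; the
# others allow power control, firmware update or editing the ACL itself.
PRIVILEGED_REALMS = {
    "Redirection", "Remote Control", "PT Administration",
    "Firmware Update", "User Access Control",
}
# Assumption: principal names that effectively mean "every domain account".
BROAD_PRINCIPALS = ("Domain Users", "Authenticated Users", "Everyone")


@dataclass
class AclEntry:
    name: str
    user_type: str = ""
    local: bool = False
    remote: bool = False
    realms: list = field(default_factory=list)


_USER = re.compile(r"^\s*User \d+:\s*(.+?)\s*$")
_TYPE = re.compile(r"^\s*User Type:\s*(.+?)\s*$")
_ACCESS = re.compile(r"^\s*User has (both remote and local|remote|local) access")
_REALMS = re.compile(r"^\s*Realms:\s*(.+?)\s*$")


def parse_acl(text):
    """Return the ACL entries found in a profile summary, in document order."""
    entries = []
    for line in text.splitlines():
        m = _USER.match(line)
        if m:
            entries.append(AclEntry(name=m.group(1)))
            continue
        if not entries:
            continue  # header lines before the first "User N:" line
        cur = entries[-1]
        if m := _TYPE.match(line):
            cur.user_type = m.group(1)
        elif m := _ACCESS.match(line):
            cur.local = "local" in m.group(1)
            cur.remote = "remote" in m.group(1)
        elif m := _REALMS.match(line):
            cur.realms = [r.strip() for r in m.group(1).split(",") if r.strip()]
    return entries


def find_risky_grants(entries, privileged=PRIVILEGED_REALMS, broad=BROAD_PRINCIPALS):
    """List (principal, realm, scope) for privileged realms held by broad groups."""
    hits = []
    for e in entries:
        if not any(b.lower() in e.name.lower() for b in broad):
            continue
        scope = "remote+local" if (e.remote and e.local) else ("remote" if e.remote else "local")
        for realm in e.realms:
            if realm in privileged:
                hits.append((e.name, realm, scope))
    return hits


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for e in acl:
        scope = ("remote " if e.remote else "") + ("local" if e.local else "")
        print(f"{e.name:<28} {e.user_type:<17} {scope.strip():<13} {len(e.realms)} realms")
    for name, realm, scope in find_risky_grants(acl):
        print(f"review: {name!r} holds {realm} ({scope})")
```

The parser ignores everything outside "User N:" blocks, so it can be pointed at a whole profile dump rather than just the ACL section. On the profile above it flags the four privileged realms granted to Domain Users; because that entry is local-only, the flag is a review item about the local interface, not a remote exposure, and the point of the scope field is exactly to keep that distinction visible.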