Hi,

I am trying to use SCS addon 2.0 for SCCM. It looks like AMT is provisioned, but can not control it from SCCM.

At first, I installed SCCM 2012 SP1 and SCS 9.0 to the separate server. SCS is configured for Database mode I can provision AMT client(8.1 at this moment), with kerberos auth and tls, and can see AMT information from SCS console.I used remote configuration.  I do not use Digest Master Password, so I define one Kerberos User. and on the system settings, I set up one admin password for all system. Then started Add-on installation.

I followed the document for SCCM 2012. Addon is isntalled  RCS integration mode.

At the section 5.2.3, I was little bit confused. after enabling task sequence, what should I do?

Any way, I enabled Remote Discovery, and Assign that task to AMT clients. After a while client were listed under Not Configure collection. Then I enabled Remote Configure task and assign it to that collection, wait for a while I have confirmed AMT is configured by looking at IMSS message. I gather hadware inventory from each client AMT Status on SCCM console is now "Detected", and those AMT machine is moved to Configured collection. At this moment I can't do ant AMT related operation other than management controller discovery.  How can I make AMT client to be enabled for SCC

Hi,

I've recently installed the Intel SCS Add-on for SCCM 2012 and was curious what the best practice is for deploying vPro.

I had planned on pushing out the System Discovery (SystemDiscovery.exe) script, then target the vPro machines with the Intel AMT Management component package & the configurator package.  However, I see that SCS Add-on includes some task sequences which might be useful.  One of these is System Discovery but it uses the ACUConfig.exe executable, which requires the machine to already have a record in SCS Database so that it can update some of the details.  So, does this mean I should run both, SystemDiscovery.exe & ACUConfig.exe for system discovery??

Can anyone recommend a best method for deployment?

Thanks,

J

I am trying to set up vPro on our corporate network for the first time and had a cert question. In order to remotely configure the computers (we will be working with over 10,000 Windows 7 computers running AMT 7 or higher) is a public certificate that matches one of the ones hard coded into the vPro chipset required? We are looking at having a zero touch configuration that will allow for KVM control over the computer (probably with RealVNC+) without any user consent. We will be using Active Directory Integration and adding groups for the ACL for access. The database and server will be running on Server 2008 R2. I am kinda new at this so let me know if I am missing any information for an answer. We will also be using SCCM 2012 for our deployment more than likely. Thanks.

Hi Guys,

I'm getting a weird error message from SCCM 2012 when I installed the Intel Vpro add in.

The error message is:

Microsoft SQL Server reported SQL message 2627, severity 14: [23000][2627][Microsoft][SQL Server Native Client 11.0][SQL Server]Violation of UNIQUE KEY constraint 'GroupMap_AK2'. Cannot insert duplicate key in object 'dbo.GroupMap'. The duplicate key value is (INTEL_AMT_CONFIGURATIONINFO_AMTNETWORKSETTINGS_DATA).

Please refer to your Configuration Manager documentation, SQL Server documentation, or the Microsoft Knowledge Base for further troubleshooting information.

I have been trying to get vPro working with SCCM 2012 for a few weeks now. I have installed a previous version on the sgs add on. I don't know if that's effecting it or not though... Any help would be much appreciated.

-M

I am trying to set up vPro on our corporate network for the first time and had a cert question. In order to remotely configure the computers (we will be working with over 10,000 Windows 7 computers running AMT 7 or higher) is a public certificate that matches one of the ones hard coded into the vPro chipset required? We are looking at having a zero touch configuration that will allow for KVM control over the computer (probably with RealVNC+) without any user consent. We will be using Active Directory Integration and adding groups for the ACL for access. The database and server will be running on Server 2008 R2. I am kinda new at this so let me know if I am missing any information for an answer. We will also be using SCCM 2012 for our deployment more than likely. Thanks.

Hi Guys,

I need to uninstall SCS add on for SCCM 2012 but can't figure out where or how to do it. Any help would be much appreciated.

Cheers,

-M

Hi Guys,

I need to uninstall SCS add on for SCCM 2012 but can't figure out where or how to do it. Any help would be much appreciated.

Cheers,

-M

Hello,

We have a godaddy provisioning AMTcertificate that was issued to server A. Now we have new hardware with a different name. Do I need to "upgrade" my certificate to work with the new server ? How ?

Sorry if my question is trivial, I'm not certificate specialist.

Michel

Hello, I am attempting to install the SCS add-on for SCCM 2012 and see a configuration setting in the setup that I do not understand.  My question is related to the dialog box that asks for "User Account Settings".  According the documentation it says this is for specifying a different user account for running the SCS packages through SCCM other than "the SCCM client".  What does this mean?

The SCCM client by default runs packages under the local SYSTEM account when I runs a package on a client.  Can I just leave this "User Account Settings" dialog box blank and not specify a "different user account"?  It kind of implies this is an optional setting.  If I do leave it blank and just use the default, are there any configuration settings I need to do to account for this?  There is a chart in the documentation that specifies the permissions that are needed for the account that runs the packages, such as permissions to the ADOU and Intel_RCS/Intel_RCS_Editor namespaces.  How do I (or do I need to) setup these permissions when the packages runs on a client as the local SYSTEM account.

After upgrading to V9.0 I am able to pull system details in the console however all profile data fails to load. I am also unable to create new profiles as the same error is presented. Was able to find a DB entry in dbo.global_settings that indicated the upgrade was "in_progress". I restored the DB and ran the database utility upgrade command that completed successfully however provided the following errors in the log. After the restore and manual upgrade I seem to have the same issue.

17:10:53,113 - INFO : DatabaseUtils.Logging.Log(:0),  - Starting: UpgradeDB

17:10:53,113 - INFO : DatabaseUtils.Logging.Log(:0),  - Creating encryption key for database...

17:10:55,968 - INFO : DatabaseUtils.Logging.LogFileOnly(:0),  - Start Upgrading Database...

17:10:55,968 - INFO : DatabaseUtils.Logging.Log(:0),  - Checking if database exists and in the right version...

17:10:55,968 - INFO : DatabaseUtils.Logging.LogFileOnly(:0),  - Enter DBExists

17:10:55,984 - INFO : DatabaseUtils.Logging.LogFileOnly(:0),  - Enter Connect

17:10:56,015 - ERROR: DatabaseUtils.Logging.LogFileOnlyError(:0),  - Invalid object name 'dbo.csti_configuration'.

17:10:56,015 - ERROR: DatabaseUtils.Logging.LogFileOnlyError(:0),  - Invalid object name 'dbo.csti_global_settings'.

17:10:56,030 - INFO : DatabaseUtils.Logging.Log(:0),  - Attempting to upgrade the database to version 9.0...

17:10:56,030 - INFO : DatabaseUtils.Logging.LogFileOnly(:0),  - Parsing file: UpgradeDB8.1to9.0.sql

17:10:56,030 - INFO : DatabaseUtils.Logging.LogFileOnly(:0),  - Executing file: UpgradeDB8.1to9.0.sql

17:10:56,030 - INFO : DatabaseUtils.Logging.Log(:0),  - Creating new tables...

17:10:56,030 - INFO : DatabaseUtils.Logging.Log(:0),  - Create Platform Capabilities Discovery table

17:10:56,030 - INFO : DatabaseUtils.Logging.Log(:0),  - Migrating AMT discovery data.

17:10:56,030 - INFO : DatabaseUtils.Logging.Log(:0),  - This can take several hours.

17:10:56,030 - INFO : DatabaseUtils.Logging.Log(:0),  - Please be patient.

17:10:56,155 - INFO : DatabaseUtils.Logging.Log(:0),  - Create DMP table

17:10:56,155 - INFO : DatabaseUtils.Logging.Log(:0),  - Create Platform Capabilities Summary table

17:10:56,171 - INFO : DatabaseUtils.Logging.Log(:0),  - Create update platform capabilities summary procedure

17:10:56,171 - INFO : DatabaseUtils.Logging.Log(:0),  - Succeeded.

17:10:56,171 - INFO : DatabaseUtils.Logging.LogFileOnly(:0),  - Password was printed to console output

17:10:56,171 - INFO : DatabaseUtils.Logging.LogFileOnly(:0),  - Enter Disconnect

17:10:56,171 - INFO : DatabaseUtils.Logging.Log(:0),  - Completed Successfully.

Hi.

I have some serious issues when upgrading to latest SCS. While the upgrade process itself performed good (also the database upgrade completed without errors) I have 2 huge issues:

1. SCS Console cannot read my profile anymore. It shows the error "Failed to get list of Profiles. File decryption failed. Failed to decrypt profile data (0xc000028f).

2. I am unable to view my provisioned systems. When I go to Monitoring -> Systems, right click on "All Systems" and select "Show Systems" nothing happens. Tested on SCS Console local and remotely:

I downgraded and upgraded again without success. Rolling back to old version now...Any help would be kindly appreciated.

To give a sense of what I am trying to do:

We have over 2000 machines that are all vpro capable and provisioned.  At the end of their life cycle (4 years) in our department we phase them out and they go to a surplus group at our or organization that then offers up these "new to you" machines to other groups/departments within our organization at essentially no cost.  As vPro has matured and become the standard in our machines we have been passing down machines for about 6 years that are now capable of remote management.

What we are being asked is if we can wipe/reset the Management Engine password.   Having reviewed this forum I have found that it is not possible without entry in to the machine.  Our "Plan B" is to set the ME password to something other than what we normally use and then provide that as a mutually shared password.

Herein lies the problem.  I have been working with the ACUCONFIG.EXE program and its command line option to try to accomplish this task.

There are two commands, MaintainAMT and a MaintainviaRCSOnly that each have a task within them that state they can "RenewAdminPassword"

To define that directive:

RenewAdminPassword – Changes the password of the default Digest admin user in the Intel AMT device according to the password setting defined in the profile.

The command lines I have tried are:

acuconfig.exe MaintainAMT WIPE_AMT_PROFILE.xml RenewAdminPassword /AdminPassword XXXXXXX  <-- tried with and without the last switch for password

acuconfig.exe MaintainViaRCSOnly vpro.xxxxxxxxxxx.tamu.edu WIPE_AMT_PROFILE RenewAdminPassword

In either case the return result is error 50 which in the users guide for SCS read: The Intel AMT device is in a state that does not support the Maintenance command

Clearly it understands I am issuing a maintenance command and has no fault with the syntax.  The error indicates it is the machines AMT module that is unwilling to process the command.

We were also wanting to deprovision the machine and I found the unconfigure command for ACUCONFIG and it works just fine.  It makes little sense that I can remove provisioning but not set a password?! 

All this is being done via a WinPE 8 (SCCM 2012 R2) image we PXE boot the machine to when preparing it for our surplus division.  It currently wipes the machines drive but we need it to set the password to the one we will hand out and then perform the unprovision I mentioned above having figured out.

If anyone else has any experience with the maintenance command and can point me in the correct direction it would be appreciated.

I am trying to install Windows Server 2012 R2 using AMT/VPro technology. I insert the DVD with Windows Server on the local machine and redirect the DVD to the remote machine. Currently when I am attempting to install the operating system getting the error "A media driver your computer needs is missing.  This could be a DVD, USB, or Hard disk driver.  If you have a CD, DVD, or USB flash drive with the driver on it, please insert it now. Note: If the installation media for Windows is in the DVD drive or on a USB drive, you can safely remove it for this step.".

I am able to install Windows using the local DVD on the machine. I am also unable to install Windows 7 using the same method.

Please guide me what may be done here.

Hi,

I've recently installed the Intel SCS Add-on for SCCM 2012 and was curious what the best practice is for deploying vPro.

I had planned on pushing out the System Discovery (SystemDiscovery.exe) script, then target the vPro machines with the Intel AMT Management component package & the configurator package.  However, I see that SCS Add-on includes some task sequences which might be useful.  One of these is System Discovery but it uses the ACUConfig.exe executable, which requires the machine to already have a record in SCS Database so that it can update some of the details.  So, does this mean I should run both, SystemDiscovery.exe & ACUConfig.exe for system discovery??

Can anyone recommend a best method for deployment?

Thanks,

J

I'm hoping someone can provide me a bit of guidance about how AMT (and the Manageability Commander toolkit, in particular) goes about selecting client certificates when using TLS with mutual authentication.

I started by creating a self-signed root, using the "Certificate & CRL Store" facility in the Manageability Commander tool, then created a server cert signed by that root. Both certs used SHA-384 signature hashing with 2048-bit RSA keys. These appear to be correctly installed on the AMT target host: the "Certificates" panel in the Certificate Store dialog of Manageability Commander shows an "AMThost.subdomain.tld/myCA (TLS)" certificate and the "Trusted Roots" panel shows the "myCA" cert (the names have been changed here, but none of the actual text uses non-alphabetic characters).

My problems arise, I suspect, because the machine hosting the management console is not part of the Windows domain that will ultimately be used by the AMT target host (by which I mean that the target AMT host is being configured in an off-site lab), so there are DNS issues for both address resolution (I simply added "AMThost.subdomain.tld" to the workstation's etc/hosts file to provide "fake" DNS) and certificate selection. I used the Manageability Director tool to create a client cert using just the host name of the management box (i.e., "mgthost"). This certificate was created with all permissions enabled and appears in the Windows certificate store, as expected.

After enabling TLS in the Manageability Commander tool using the "AMThost.subdomain.tld/myCA" cert, I can connect to the target AMT host and manage it just fine. A lock icon appears next to the hostname on the connection tab to indicate that the server end of the connection has been verified, and SOL and console redirection work as expected.

If, however, I then add the remote authentication option, using a CN list with just "mgthost" in it (i.e., without a DNS suffix), the console reconnects to the AMT target machine and loads all parameters without incident, but, for reasons I have not been able to determine, SOL and the redirection ports no longer work. Any attempt to use them results in an instant failure (not a time-out). A "stack" trace of the call appears uneventful until local certificate selection is attempted, at which point the following log entries appear:

(information) RedirectionAlt:LocalCertificateSelection, targethost=AMThost.subdomain.tld

(error) RedirectionAlt:OpenSink failed, conID=0

(error) System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The certificate chain was issued by an authority that is not trusted ...

Why is it that I can connect to the ME with this certificate set-up, but cannot use SOL or redirection? Everything else works just fine: I can even remotely change the TLS configuration back to server-only without going through an unprovision cycle at the AMT host.

Ciao a tutti,

se posseggo un server o un pc desktop con processori Intel vPRO, posso monitorare con questo tutti i pc (Mac, Linux, Pentium 4, AMD Athlon) e gli apparati di rete (Switch e firewall)? Che tipo di monitoring si può fare con Intel vPRO? Ad esempio, rischio a valutare lo stato di cpu e ram di un pc o server? Riesco a capire lo stato di salute di uno switch o firewall?

In our environment WOL is inconsistent and unreliable for a number of reasons, mostly uncontrollable networking issues.  We need the ability to reliably wake machines up on demand and on a schedule.  This is all we need from AMT, nothing more.

• We are willing to touch every machine to set up AMT.
• We'd like to avoid certificates (lack of experience + Network team manages certificates).
• We'd like to be able to wake up machines for both SCCM and Altiris, using integrated commands, or some external mechanism.

1)     With that in mind, what is the least complex (not quickest) method to configure AMT?

2)     Can vPro work independently while integrated with SCCM?

3)     Will AMT simply not work at all in SCCM if certificates aren't used?

I recently setup and configured Intel AMT in our environment and am training staff on how to use it. We would like to deploy images to PC using IDE-r and VNC KVM remote control. I have created a working iFast boot ISO that points to a network share with some commonly used ISO's. The problem that I am having and have not been able to remedy is that once I select the ISO to be booted it needs some keyboard input and VNC doesn't seem to be passing the key strokes to the remote PC.

Examples: Boot to ifast that points to a network share, boot to Win7PE.iso. After the ISO loads it prompts "Press any key to boot to CD/DVD..." No key strokes are able to be passed to actually continue the boot to the selected ISO and boot resumes to the OS.

I have tested this with Kaspersky's rescue cd that needs an input to boot to the menu and give you a 10 second count timer. No input seems to be passed to continue booting to this. Have even tried clicking the "Ctrl+alt+del" button inside VNC's console.

I also have tested this with a modified version of Hirens boot cd and once it is booted to the menu you are unable to make a selection. I even set the timeout on the menu for an extended time and it never took input.

I have checked the settings inside of VNC and keyboard strokes are check to be passed to the connected PC. The option to use KVM for the ifast.ISO was selected when creating it. I can't think of anything else to do except having to go back and modify the actual ISO's so that they load directly into them without any extra input which would be difficult for some like Hirens as it would have to be broken into several pieces.

I should also note that if a computer is booted to the "Launch Start up Repair or Start up Normally" prompt screen I am also unable to choose between the two which would indicate that any keyboard input during the boot process isn't processed. Through VCN I am able to pass key during the BIOS splash screen time to specify to boot to the BIOS or change boot order.

When trying to set the AMT Alarm clock on a 5.2 system, using an SCCM task sequence, I receive the following error.  This task sequence works fine on AMT 6.0 and above systems.  I have been struggling with this for weeks.... please help

ComputerName     : xxxxxx
Port             : 16993
Status           : Failed
NextAlarmTime    : [Error]
PeriodicInterval : [Error]

Exception calling "Get" with "0" argument(s): "The sender was not authorized to
access the resource."
At C:\Program Files\Intel Corporation\PowerShell\Modules\IntelvPro\set-AMTAlarm
Clock.ps1:171 char:56
+         $AlarmClockService = $AlarmClockService_EPR.Get <<<< ()
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

Hi!

I'm currently trying to get a test SCS up and running using my non-vPro desktop as the server for the SCS and SQL-server and a single Latitude E6530 as the vPro machine. I got this running (Laptop configured succesfully and connected to the SCS) once after a bit of fiddling with the configuration creation, but after completely unconfiguring the system and then trying to configure it with a new, similar config, not much seems to be working. During the configuration attempt I get error TCP-errors about the SCS being unreachable (pings do go through both ways, from the desktop i can telnet to the vPro machine on 16992, but not the other way around; there are no firewalls in the way, neither software nor hardware). Interestingly, from opening the WebUI on the vPro laptop locally i saw a lot of 'system lockup or power interruption' happening every 2 minutes or so while the machine is running. Furthermore, I see a 'certificate revoked' for every wake and boot.

The machine does show up in the SCS console, but it is permanently disconnected and marked as configuration failed.

For testing purposes, I disabled both computers' windows firewalls and connected them to the same mini switch which does not filter ports but is connected to the company network so DNS and DHCP keeps working. I am unsure whether the SCS is supposed to be responsive on 16992.

I find it weird that the WebUI tells me my correct internal Wireless IP, but says IP is 0.0.0.0.  That probably refers to the wired NIC.

I'm not sure what other information is necessary to diagnose this, so ask away.