Community
cancel
Showing results for 
Search instead for 
Did you mean: 
SZier
Beginner
4,785 Views

Intel VPro AMT 12 Configurations Problems

Hi there

We got the new HP Elitedesk 800 G4 DM 65W for testing purposes, the Machine has ME 12.0.2.1087 and our SCS has Version 12.0.0.129. We try to Provisiion the Machines in 2 Steps:

1. OneTouch-Provision with USB-Stick (set Adminpassword, our Certificate-Authorities Hash, DNS-Suffix and Configurationserver Adress).

2. We use the SCCM Tasksequences from the Addon to move the Machines to ACM and Remoteconfiguration

We updated the Tools for the Remoteconfiguration to version 12 as well.

We successfully can provision all the old Workstations like Elitedesk 800 G1 SFF, Elitedesk 800 G2 SFF and Elitedesk 800 G3 DM 35W.

Something very curious was that we had to shorten the password for the OneTouch-Provisioning from 29 Characters to 19 Characters that it would work with the HP 800 G4.

At first we thought it could have something to do with TLS but we disabled and uninstalled even the support for that on our SCS - As told all the old machines work, only the New HP doesn't.

Any advice would be deeply appreciated.

Below the Log of the Remote Configuration attempt:

2018-07-24 07:45:28: Thread:11272(INFO) : ACU Configurator , Category: HandleOutPut Source: CmdUtils.cpp : Cmd::HandleOutput Line: 79: Starting log 2018-07-24 07:45:28

2018-07-24 07:45:28: Thread:11272(DETAIL) : ACU.dll, Category: SetCompatibilityMode Source: ACUDll.cpp : SetCompatibilityMode Line: 196: 12.0.0.129

2018-07-24 07:45:28: Thread:11272(DETAIL) : ACU.dll, Category: SetCompatibilityMode Source: ACUDll.cpp : SetCompatibilityMode Line: 228: Set compatibility mode to 10.0.

2018-07-24 07:45:28: Thread:11272(INFO) : ACU Configurator, Category: Source: Src\ActivatorMain.cpp : wmain Line: 372: ACUConfig 12.0.0.129

2018-07-24 07:45:28: Thread:11272(INFO) : ACU Configurator, Category: -Unknown Operation- Source: Src\ActivatorMain.cpp : wmain Line: 414: WS-FD99-005.kt.ur.ch: Starting to configure AMT via RCS...

2018-07-24 07:45:28: Thread:11272(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : CheckAMT Line: 85: Entering

2018-07-24 07:45:28: Thread:11272(DETAIL) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::Init Line: 191: Connected to the Intel(R) Management Engine Interface driver, version 12.0.0.2021

2018-07-24 07:45:28: Thread:11272(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : FWUpdateData Line: 46: Entering

2018-07-24 07:45:28: Thread:11272(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : FWUpdateData Line: 64: Exiting

2018-07-24 07:45:28: Thread:11272(INFO) : ACU Configurator , Category: AMT Mode Source: HECIDiscovery.cpp : CheckAMT Line: 426: Intel(R) AMT in PROVISIONING_MODE_ENTERPRISE

2018-07-24 07:45:28: Thread:11272(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : GetPKIDNSSuffix Line: 960: Entering

2018-07-24 07:45:28: Thread:11272(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : GetPKIDNSSuffix Line: 989: Exiting

2018-07-24 07:45:28: Thread:11272(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : CheckAMT Line: 548: Exiting

2018-07-24 07:45:30: Thread:11272(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : GetAmtFQDN Line: 1448: Entering

2018-07-24 07:45:30: Thread:11272(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : GetAmtFQDN Line: 1529: Exiting

2018-07-24 07:45:31: Thread:11272(INFO) : ACU Configurator , Category: Discovery Source: HostBasedSetup.cpp : HostBasedSetup::Discovery Line: 432: Calling function Discovery...

2018-07-24 07:45:31: Thread:11272(INFO) : ACU Configurator , Category: Local System Account Source: HostBasedSetup.cpp : HostBasedSetup::GetLocalSystemAccount Line: 217: Calling function GetLocalSystemAccount over MEI...

2018-07-24 07:45:31: Thread:11272(DETAIL) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::Init Line: 191: Connected to the Intel(R) Management Engine Interface driver, version 12.0.0.2021

2018-07-24 07:45:31: Thread:11272(INFO) : ACU Configurator , Category: Local System Account Source: HostBasedSetup.cpp : HostBasedSetup::GetLocalSystemAccount Line: 255: Function GetLocalSystemAccount over MEI ended successfully

2018-07-24 07:45:31: Thread:11272(INFO) : ACU Configurator , Category: Discovery Source: HostBasedSetup.cpp : HostBasedSetup::Discovery Line: 479: Host Based Setup is supported

2018-07-24 07:45:31: Thread:11272(INFO) : ACU Configurator , Category: Discovery Source: HostBasedSetup.cpp : HostBasedSetup::Discovery Line: 518: Current Control Mode: 2 (Admin)

2018-07-24 07:45:31: Thread:11272(INFO) : ACU Configurator , Category: Discovery Source: HostBasedSetup.cpp : HostBasedSetup::Discovery Line: 557: Allowed Control Modes: 2 (Admin) and 1 (Client)

2018-07-24 07:45:31: Thread:11272(INFO) : ACU Configurator , Category: Discovery Source: HostBasedSetup.cpp : HostBasedSetup::Discovery Line: 561: Function Discovery ended successfully

2018-07-24 07:45:33: Thread:11272(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : UuidDiscovery Line: 1536: Entering

2018-07-24 07:45:33: Thread:11272(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : UuidDiscovery Line: 1554: Exiting

2018-07-24 07:45:33: Thread:11272(DETAIL) : ACU Configurator , Category: Returned data Source: ACUDll.cpp : GetHostAndMEInfo Line: 4479: GetHostAndMEInfo output data: IsAMT:True, isEnterpriseMode:True, configurationMode:2, isRemoteConfigEnabled:True, AMTversion:12.0.2.1087, isMobile:False, provisioningTlsMode:2, uuid:B54BA79A-72EE-D24B-3C30-33CB3687ABDA, isClientConfigEnabled:True, hostBasedSupport:True, configurationState:2, FQDN:WS-FD99-005.kt.ur.ch, embeddedConfigurationAllowed:False. isLANLessPlatform:False. PKIDNSSuffix:kt.ur.ch

2018-07-24 07:45:33: Thread:11272(DETAIL) : ACU Configurator , Category: -Start- Source: ACUDll.cpp : RemoteConfiguration Line: 3581: ***** Start RemoteConfiguration ******

2018-07-24 07:45:35: Thread:11272(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : TcpIpDiscovery Line: 1561: Entering

2018-07-24 07:45:35: Thread:11272(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : TcpIpDiscovery Line: 1680: Exiting

2018-07-24 07:45:37: Thread:11272(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : GetAmtFQDN Line: 1448: Entering

2018-07-24 07:45:37: Thread:11272(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : GetAmtFQDN Line: 1529: Exiting

2018-07-24 07:45:37: Thread:11272(DETAIL) : ACU.dll, Category: GetNetworkSettings Source: ACUDllWin.cpp : LoadNetworkSettings Line: 996: RCSaddress=srv-sccm01.kt.ur.ch, RCSWMIUser=, RCSProfileName=KVUFullWS

2018-07-24 07:45:37: Thread:11272(DETAIL) : NetworkSettingClass, Category: LoadSourceForAMTName Source: NetworkSettingsClass.cpp : NetworkSettings::NetworkSettingClass::LoadSourceForAMTName Line: 576: WS-FD99-005.kt.ur.ch

2018-07-24 07:45:37: Thread:11272(DETAIL) : ACU.dll, Category: Configure AMT Source: ACUDllWin.cpp : MI_ConfigAMT Line: 655: RCSaddress=srv-sccm01.kt.ur.ch, RCSWMIUser=, UUID=B54BA79A-72EE-D24B-3C30-33CB3687ABDA, ConfigMode=3, PID=, RCSProfileName=KVUFullWS, AMTVersion=12.0.2.1087, OldADOU=, Configure AMT Name= True. Configure AMT IPv4= True. AMT Name= Host Name- WS-FD99-005 Domain Name- kt.ur.ch . Source For AMT Name= Host Name- WS-FD99-005 Domain Name- kt.ur.ch . Default OS Name= Host Name- WS-FD99-005 Domain Name- kt.ur.ch . Host IPv4= IPv4 Address- 10.41.99.15 IPv4 SubNet- 255.255.255.0 IPv4 Gateway- 10.41.99.254 IPv4 Primary DNS- 10.40.254.100 IPv4 Secondary DNS- 10.40.254.101 . Configure AMT IPv4 to DHCP mode= True. AMT IPv4= IPv4 Address- 10.41.99.15 .

2018-07-24 07:45:37: Thread:11272(INFO) : ACU Configurator , Category: WMI Access Layer Source: WMIAccess.cpp : WMI_IsRcsBusy Line: 683: Success. (0) (retry set to = 3)

2018-07-24 07:45:37: Thread:11272(INFO) : ACU Configurator , Category: WMI Access Layer Source: WMIAccess.cpp : WMI_IsRcsBusy Line: 759: Success. (0) (RCS not busy.)

...

0 Kudos
20 Replies
idata
Community Manager
398 Views

Hello Sascha Zieri,

 

 

Thanks for joining the community.

 

 

This issue you describe its certainly particular. At this moment were you able to provision all machines (older and new ones) using the 19 character pass? Are you only provisioning older machines using the 29 character pass?

 

 

On the logs there are some Kerberos related error messages. Are you integrating SCS with Active Directory?

 

 

Have you contacted HP to ask about available Management Engine (ME) firmware updates?

 

 

Regards

 

 

Jose A.
DJard1
Beginner
398 Views

I am having very similar (if not the same) logs being generated.

In my environment, we have not yet provisioned any systems in ACM with remote provisioning (we just had setup the SCS server). We plan to eventually integrate with SCCM using either Intel/Dell's Integration pack.

When testing without TLS and just active directory, the logs suggested that our PKI SSL certificate was valid. However when attempting with TLS, an 'valid SSL certificate not found', or the logs display failing to set kerberos settings as below. The logs indicate WS-MAN errors, which may be due to Intel ME drivers or WinRM (just a guess), yet this doesn't seem to be a common problem online.

My organization is in the initial phase of testing with an IntelSCS server, and are only working with AMT version 12 right now.

Let me know if more specific information is needed.

idata
Community Manager
398 Views

Hello Sascha Zieri,

 

 

You want to make sure both the Management Engine Interface (MEI) driver and the Local Manageability Service (LMS.exe) are installed and running. You can check for the device specific driver at downloadcenter.intel.com: https://downloadcenter.intel.com/download/27733/Intel-Management-Engine-Driver-for-Windows-7-8-1-and... https://downloadcenter.intel.com/download/27733/Intel-Management-Engine-Driver-for-Windows-7-8-1-and...

 

 

Besides that please attach the following:

 

1. Screen shot of the certificate, specifically the values under Enhanced Key Usage.

 

2. Screen shot of the Certificate's Certification path

 

3. Screen shot of the RCSService in services. Include the account the service is running as.

 

4. Need a copy of the RCSLog.log file from the RCS server.

 

5. Confirmation that the certificate is in the personal certificate store of the account running the RCSServer service.

 

 

We will look forward for your updates.

 

 

Regards.

 

 

Jose A.
SZier
Beginner
398 Views

Hello Jose A.

Thanks for Reply

We tried the Remoteconfiguration with the from HP supported ME-Driver Version 1813.12.0.1123 as well with a newer one we found elsewere (Version 1828.12.01151).

LMS Service was installed and running on both versions.

We are running the RCS Server Service as defined Useraccount (named RCSAdmin) and had imported the Provisioning Certificate to the User-Certificatestore.

The Remoteconfiguration-Tasksequence runs under the above Useraccount too and the Account has local Adminstratorrights on our Clientsystems

You find the needed Information in the attached ZIP.

I Also escaleted the Problem to our HP Contact but for now i only got the Feedback that they had to contact a Technical Consultant.

The actual Configuration works like i wrote before for all older HP Workstations with lower Management Engine then Version 12 - Unfortunately the new HP Elitedesk 800 G4 is the only Client i have with Management Engine 12 Version for the Moment. The used Mobile Systems (EliteBook x360 1030 G2 and ProBook 650 G4) still have an Version 11 Management Engine but they work with the Remoteconfiguration like a Charm.

The 29 Character Admin-Password worked on Version 6 to 11 without a Problem as it does now with the 19 Characters Password the Only System who wouldn't take it was the new Testmachine from HP with Version 12.

If HP even had the installed ME-Firmwareversion placed on their Website i would have tried to flash it again.

The newest Firmware i found for V12 was 12.0.6.1120 and that way i hope HP can organize some newer ME-Firmware for the Modell.

Regards

Sascha Zieri

idata
Community Manager
398 Views

Hello Sascha Zieri,

 

 

Thanks for the updates. We will doublecheck with our engineering department. We will keep you posted.

 

 

Regards

 

 

Jose A.
idata
Community Manager
398 Views

Hello Sascha Zieri,

 

 

The problem appears to be related to trying to setup Kerberos authentication. Please go ahead and create a profile that does not include Kerberos ACL's and try to configure with that profile. This will help narrow down the problem. If this configuration works then we can dive into what might be the issue with Kerberos.

 

 

Jose A.
idata
Community Manager
398 Views

Hello Sascha Zieri,

 

 

Do you have any updates, questions or comments in regards to this issue?

 

 

Please do not hesitate to contact us back.

 

 

If you consider the issue to be completed please let us know so we can proceed to mark this thread as resolved.

 

 

Regards

 

 

Jose A.
DJard1
Beginner
398 Views

Jose A.,

I am still having issues with remote configuration. However, it appears that any kerberos authentication to a configured system with Active Directory integration. Are there any specific known issues other than token bloat to be the problem?

-David

idata
Community Manager
398 Views

Hello Sascha Zieri,

 

 

No issues that we are aware of, at least so far. The purpose to not use Kerberos is to be able to narrow down the problem because of some error message found in the logs. We will consult with engineering.

 

 

The following are the Kerberos/active directory integration rules:

 

 

Do you want to integrate Intel AMT with Active Directory (AD)?

 

If your network uses AD, you can integrate Intel AMT with your AD. Intel AMT supports

 

the Kerberos authentication method. This means that Intel SCS and management

 

consoles can authenticate with the Intel AMT device using "Kerberos" users. The users

 

are defined in the Intel AMT device using the Access Control List.

 

If integration is enabled, during configuration Intel SCS creates an AD object for the

 

Intel AMT device. Some of the entries in this object define parameters used in Kerberos

 

tickets.

 

Before you can integrate Intel AMT with your AD, you must:

 

• Create an Organizational Unit (OU) in AD to store objects containing information

 

about the Intel AMT systems. In a multiple domain environment, Intel recommends

 

that you create an OU for each domain.

 

• Give Create/Delete permissions in the OU you created to the user account running

 

the Intel SCS component doing the configuration

 

After the OU is created, you must define it in the configuration profile (see Defining

 

Active Directory Integration on page 95). https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf

 

 

Regards.

 

 

Jose A.
idata
Community Manager
398 Views

Hello Sascha Zieri,

 

 

Do you have any updates, questions or comments in regards to this issue?

 

 

Please do not hesitate to contact us back.

 

 

If you consider the issue to be completed please let us know so we can proceed to mark this thread as resolved.

 

 

Regards

 

 

Jose A.
SZier
Beginner
398 Views

Hello Jose A.

Sorry i was very busy with other stuff in the last two weeks but we finaly made some progress with the AMT Provision Problems. We had contact with a technical consultant from HP.

 

After checking the installed Drivers (they are indeed up to date) I asked the Consultant about a newer AMT 12 Firmware as i saw on my internet searches.

As HP doesn't have any newer Firmware and not even the installed one V12.0.2.1087 for download on the HP-Support-Website for the EliteDesk 800 G4 Series.

 

I finaly asked if it could be possible to flash a newer Firmware for testing when i got one. He confirmed the possibility to flash a newer release if it was from a trustwordy Source.

 

So i made a Backup of the installed Firmware and took the Firmware version 12.0.6.1120 from the Lenovo Support Site and flashed it on the HP Machine. I also installed the newer Intel Management Engine Driver Version 1828.12.0.1151.

At first with the new Firmware it didn't work too to provision the System but after making a full reset over the HP Biossettings and trying again i could provision the System for the first time successfully.

Now we have the following situation:

1. AMT Provision works on HP EliteDesk 800 G4 with AMT Firmware 12.0.6.1120 and Driver Version 1828.12.0.1151 and SCS 12.0.0

 

2. Connection works with the Intel Manageability Commander 2.0.245 but only from our SCCM / SCS Server - Connections from any other System with the installed Commander were refused. That situation stands for ME12 and every lower Version.

 

3. the Software VNC Viewer Plus Version 2.11 we would normaly use to make KVM-Connections to AMT Machines refuse Connections to the ME 12 Machines (even when startet on the SCS Server) probably due incompability to TLS higher then 1.0 (workes perfectly on every lower ME-Version than 12.

 

4. Even when the Kerberos related Errors are in the Remote Configuration Log we can connect to AMT and KVM with the defined AD-Useraccounts and the AD-Computerobject ist generated also the Kerberos Errors only appear on ME 12 Systems none of that Errors on lower ME versions.

Probably there is not so much information at all about ME12 Problems cause there is nearly no Hardware available - With the Research made We only found the HP EliteDesk 800 G4, one Dell and probably two Lenovo Devices.

idata
Community Manager
398 Views

Hello Sascha Zieri,

 

 

I am glad to hear that a good progress has been done and that we are closer to get this issue fully resolved, if possible, because it seems to me that there could be some compatibility issue with ME12.

 

About the connections refused from any other machine other than the SCCM/SCS Server I think it could be related to where the certificate is stored. I think it could be worth to try an open source equivalent http://www.meshcommander.com/meshcommander Mesh Commander.

 

 

We will double-check for any ME12 specific issues with our engineering dept. We will keep you posted

 

 

Jose A.
idata
Community Manager
398 Views

Hello Sascha Zieri,

 

 

We have received updated info from our engineering department. It was possible to replicate the issue and they found a workaround for it.

 

 

During configuration they got an error stating there was an internal error when trying to get AMT_KerberosSettingData. They tried configuring against the profile a couple of times and continued to get that error. So decided to configure against a profile that didn't include Active Directory integration and that configuration went through without and issue. Then without unconfiguring AMT configured it against the profile with AD integration and Kerberos ACLs, this time and every time since it's configured without throwing any errors. This was tested even after pulling the CMOS battery to full reset it back to factory defaults.

Engineering will bring this issue up to HP, but until the issue is corrected the workaround seems to be configure the computer against a very basic profile first, and then follow that up with their full profile.

 

 

Please let us know if this works.

 

 

Jose A.
DJard1
Beginner
398 Views

Jose A.,

Upon initial testing, applying a delta profile with AD/ACLS after an initial basic profile is configured did not work. My environment contains the newest Dell systems with Intel ME 12 (latest version) installed.

Any update from the engineering dept. for a fix?

-David

idata
Community Manager
398 Views

Hello David,

 

 

We will check with engineering. The workaround was tested on a HP Elitedesk 800 G4's where it was possible to replicate the issue but not a Dell. Could you please detail the exact model of these Dell systems for our testing purposes?

 

 

Jose A.
DJard1
Beginner
398 Views

Jose A.,

I have been testing on an Optiplex 7060 and 7050.

Thanks,

David

idata
Community Manager
398 Views

Hello David,

 

 

Thanks for the update. We will let you know if we are able to replicate the issue and if any solutions or workarounds are found.

 

 

Jose A.
idata
Community Manager
398 Views

Hello David,

 

 

Could you please provide the following few items. Let's get a System Discovery for each model, an ACUConfig configuration output for each model, and the RCSLog.log from the RCS server.

 

 

These items will help us in the investigation.

 

 

Jose A.
idata
Community Manager
398 Views

Hello David,

 

 

Do you have any updates, questions or comments in regards to this issue?

 

 

Please do not hesitate to contact us back.

 

 

If you consider the issue to be completed please let us know so we can proceed to mark this thread as resolved.

 

 

Regards

 

 

Jose A.
Reply