- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
While I am using the Vpro Module with Powershell for a TLS Connection which I am trying to poweroff remotely, it's not working and connection isn't getting established. This is what I am using with username and credential with Contents having the IP address of the local PC
$AMTCredential = New-Object System.Management.Automation.PSCredential ($username,$password)
Get-Content contents.txt | Invoke-AMTPowerManagement -Operation:PowerOff -credential $AMTCredential -Port '16993' -TLS
The error I am getting is
ComputerName : myPCName
Port :
Operation :
Status : Cannot connect
Reason : Exception calling "Get" with "0" argument(s): "TrustFailure"
IntelvProModule_18.0.1.1 is the version I am using. Please help me if I am using anything wrong here
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Inesh, we would like to inform you that we are routing your query to the dedicated team for further assistance.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Mansee,
Greetings of the day.
We suggest using the sample commands available at the Intel vPro Technology Module for Windows PowerShell Installation and User Guide.pdf included in the Intel vPro® Technology Module for Windows* PowerShell* zip file v18.0.1.1.
Section 6.1 Intel® AMT Power Management gives the command to turn off the system.
Regards,
Suneesh
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Suneesh,
As I mentioned above I was trying the sample commands from the User Guide but it isn't helping. Before when we didn't had the TLS connection, the below command was working fine
$AMTCredential = New-Object System.Management.Automation.PSCredential ($username,$password)
Get-Content contents.txt | Invoke-AMTPowerManagement -Operation:PowerOff -credential $AMTCredential
Now for the newer PCs which requires TLS connection, this doesn't work anymore. Can you please help me if there is something wrong that I am doing in the command?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Mansee,
Greetings of the day.
We want to let you know that example 4 of this section 6.1.1 gives the script for powering the system off (Endpoints with TLS support only, port 16992 closed).
Regards,
Suneesh
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Suneesh ,
Please see the below for Error i mentioned before that i am getting when i try with the TLS
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Subject: Update on Your Issue
Hello Mansee,
Good day.
We are currently checking on the issue and will provide an update as soon as possible.
Regards,
Suneesh
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Mansee,
Good day.
The Engineering team is currently working on the issue and will provide an update soon.
Best regards,
Suneesh
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Mansee,
To begin troubleshooting the issue, please verify that you can communicate with port 16993 by using either test-netconnection or telnet. We need to ensure that there isn't a networking or system obstacle preventing direct communication with AMT.
Additionally, it appears that the steps in the documentation are not being followed. Below is the relevant script from the vPro PS module SDK to properly encrypt the credentials. You can find this information in the documents, encapsulated in the SDK, located on page 8.
Write-AmtCredential Function Code
powershell
Function Write-AmtCredential {
<#
.Synopsis
Writes an Intel Active Management Technology credential from secure string storage
.Description
Writes an Intel Active Management Technology (AMT) credential to System.Security.SecureString in the default user path.
.Link
.Example
Write-AmtCredential
.Example
$AMTCredential = Write-AmtCredential (will assume the digest account "admin")
.Example
$AMTCredential = Get-Credential
Write-AmtCredential –Username $AMTCredential.Username –Password $AMTCredential.Password
.Example
Write-AMTCredential [[-FilePath] <String>] [[-Key] <String>] [[-Hint] <String>] [[-AsPlainText]] [[-Force]] [[-Username] <String>] [-Password] <SecureString> [<CommonParameters>]
#>
[CmdletBinding()]
Param (
[Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$true, position=0, HelpMessage="Path to Credential File")]
[string] $FilePath,
[Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$false, position=1, HelpMessage="An ASCII Key of 128,196, or 256 Length")]
[string] $Key,
[Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$false, position=2, HelpMessage="Password Hint")]
[string] $Hint,
[Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$false, position=3, HelpMessage="Save password as plain text")]
[System.Management.Automation.SwitchParameter] $AsPlainText,
[Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$false, position=3, HelpMessage="Force")]
[System.Management.Automation.SwitchParameter] $Force
)
}
Example:
powershell
PS C:\WINDOWS\system32> $password = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force
PS C:\WINDOWS\system32> $AMTCred = New-Object System.Management.Automation.PSCredential ("admin", $password)
Lastly, please note that the **FQDN** matching your certificate needs to be used for this process. Using an IP address will not match the certificate and thus won’t be trusted.
Please let me know if this resolves the issue or if further assistance is needed.
Best regards,
Vijay N
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @vij1 ,
Thanks for the response. I did a Test-NetConnection test on port 16993 which returned true
After this, for the page 8 document you mentioned, I have followed all of those and did only share the last 2 lines of the script. I have the username and password step followed as mentioned in the document.
Previously for the older PC models we used 16992 port and no TLS authentication was required. For those, we didn't have any issue with this script that we are using. This issue only started with the new PCs with updated Bios version with image below
On previous bios version it looks fine. They don't need a TLS connection for this.
Lastly, I am not sure what the FQDN Certificate you meant, as we didn't require it previously for non-TLS connection. We have been doing this only with IP address before.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Mansee,
We understand the frustration you're experiencing and would like to provide clarity on the changes related to Intel AMT connections starting from the Intel® 13th Gen and Intel® 12th Gen Core™ Processors.
As of the Alder Lake platforms (Intel CSME 16.1 firmware) and Raptor Lake CPUs, remote connections to Intel AMT unsecure TCP/IP ports (16992, 16994, 623) are no longer supported. To ensure secure communications, connections must now be established using TLS over the following ports:
16993 for AMT web interface (HTTPS)
16995 for redirection
664 for secure redirection (Intel AMT).
Additionally, with the Intel CSME 19 firmware on Arrow Lake platforms, all connections to Intel AMT, including local, must use these secure TLS ports. Non-TLS connections are no longer supported under any circumstances.
Steps to Check and Troubleshoot:
Connection Check: Please ensure the correct connection settings are used, such as:
Example: https://<endpoint_IP_address>:16993
(e.g., https://192.168.xxx.xxx:16993 – note: IP partially hidden for security)
Proxy and Firewall Verification: Ensure the required ports (16993, 16995, 664) are open and not blocked by any firewall or proxy settings.
BIOS Configuration: Verify that Intel AMT is enabled in the system BIOS, and that your machine has been configured with an administrator password using the Ctrl+P configuration interface.
FQDN and Certificates: When managing an Intel vPro technology-enabled client over TLS (port 16993), ensure the computer name matches the Fully Qualified Domain Name (FQDN) in the issued TLS certificate.
Intel® AMT SDK Implementation and Reference Guide
Please review of section 2.1.3 from attached guide for Intel vPro® Technology Module for Microsoft* Windows* PowerShell* : Cmdlet and Function Communication Encryption
If the Intel vPro technology enabled client is configured to use Transport Layer Security (TLS) by having a web server certificate issued to the Intel Management Engine, the –TLS switch must be passed to the cmdlet. When managing an Intel vPro technology enabled client over TLS (port 16993), it is mportant that the computer name match the primary subject name of the issued TLS certificate. This is typically the Fully Qualified Domain Name (FQDN).
Best regards,
Vijay N.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Mansee,
Greetings!!
I am following up on the case and wondering if I can help you with anything else. Look forward to your response.
Regards,
Vijay N.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Mansee,
Greetings!!
If further assistance is necessary, do not hesitate to reply.
Regards,
Vijay N.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry was busy with other stuff. I tried getting the AMT Self Signed Certificate and installed in both the PC as well as the Server from where we are going to use the IntelAMTPower Management Powershell script but it still ended up saying trust failure. I am still checking if there are any solutions for this issue.
Thanks
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page