Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2917 Discussions

Trouble Using the IntelvPro Module with Powershell for TLS Connection with IntelVpro 18.0.1.1

mansee
Beginner
1,373 Views

While I am using the Vpro Module with Powershell for a TLS Connection which I am trying to poweroff remotely, it's not working and connection isn't getting established. This is what I am using with username and credential with Contents having the IP address of the local PC

$AMTCredential = New-Object System.Management.Automation.PSCredential ($username,$password)
Get-Content contents.txt | Invoke-AMTPowerManagement -Operation:PowerOff -credential $AMTCredential -Port '16993'  -TLS

 

The error I am getting is 

ComputerName : myPCName
Port :
Operation :
Status : Cannot connect
Reason : Exception calling "Get" with "0" argument(s): "TrustFailure"

 

IntelvProModule_18.0.1.1 is the version I am using. Please help me if I am using anything wrong here

0 Kudos
15 Replies
Vipin_Singh1
Moderator
1,329 Views

Hi Inesh, we would like to inform you that we are routing your query to the dedicated team for further assistance.


0 Kudos
Suneesh
Employee
1,275 Views

Hello Mansee,


Greetings of the day.

 

We suggest using the sample commands available at the Intel vPro Technology Module for Windows PowerShell Installation and User Guide.pdf included in the Intel vPro® Technology Module for Windows* PowerShell* zip file v18.0.1.1.

 

Section 6.1 Intel® AMT Power Management gives the command to turn off the system.

https://www.intel.com/content/www/us/en/download/704395/intel-vpro-technology-module-for-windows-powershell.html


Regards,

Suneesh


0 Kudos
mansee
Beginner
1,262 Views

Hi Suneesh,

 

As I mentioned above I was trying the sample commands from the User Guide but it isn't helping. Before when we didn't had the TLS connection, the below command was working fine

$AMTCredential = New-Object System.Management.Automation.PSCredential ($username,$password)
Get-Content contents.txt | Invoke-AMTPowerManagement -Operation:PowerOff -credential $AMTCredential 

Now for the newer PCs which requires TLS connection, this doesn't work anymore. Can you please help me if there is something wrong that I am doing in the command?

0 Kudos
Suneesh
Employee
1,223 Views

Hello Mansee,

 

Greetings of the day.

 

We want to let you know that example 4 of this section 6.1.1 gives the script for powering the system off (Endpoints with TLS support only, port 16992 closed).

 

renditionDownload (2).jpg

 

Regards,

Suneesh

 

0 Kudos
mansee
Beginner
1,211 Views

Hi @Suneesh ,

 

Please see the below for Error i mentioned before that i am getting when i try with the TLS

mansee_0-1724978844537.png

 

0 Kudos
Suneesh
Employee
1,154 Views

Subject: Update on Your Issue


Hello Mansee,


Good day.


We are currently checking on the issue and will provide an update as soon as possible.


Regards,  

Suneesh


0 Kudos
mansee
Beginner
1,021 Views

Hi @Suneesh ,

 

Any update on the issue?

 

Thanks,

Inesh

0 Kudos
Suneesh
Employee
992 Views

Hello Mansee,


Good day.


The Engineering team is currently working on the issue and will provide an update soon.


Best regards,

Suneesh


0 Kudos
mansee
Beginner
870 Views

Hi @Suneesh ,

 

Have we got any update on this yet? 

 

Thanks

0 Kudos
vij1
Employee
841 Views

Hello Mansee,

 

To begin troubleshooting the issue, please verify that you can communicate with port 16993 by using either test-netconnection or telnet. We need to ensure that there isn't a networking or system obstacle preventing direct communication with AMT.

 

Additionally, it appears that the steps in the documentation are not being followed. Below is the relevant script from the vPro PS module SDK to properly encrypt the credentials. You can find this information in the documents, encapsulated in the SDK, located on page 8.

 

Write-AmtCredential Function Code

 

powershell

Function Write-AmtCredential {

  <#

  .Synopsis

  Writes an Intel Active Management Technology credential from secure string storage

  .Description

  Writes an Intel Active Management Technology (AMT) credential to System.Security.SecureString in the default user path.

  .Link

  http://vproexpert.com

  http://www.intel.com/vpro

  http://www.intel.com

  .Example

  Write-AmtCredential

  .Example

  $AMTCredential = Write-AmtCredential (will assume the digest account "admin")

  .Example

  $AMTCredential = Get-Credential

  Write-AmtCredential –Username $AMTCredential.Username –Password $AMTCredential.Password

  .Example

  Write-AMTCredential [[-FilePath] <String>] [[-Key] <String>] [[-Hint] <String>] [[-AsPlainText]] [[-Force]] [[-Username] <String>] [-Password] <SecureString> [<CommonParameters>]

  #>

  [CmdletBinding()]

  Param (

    [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$true, position=0, HelpMessage="Path to Credential File")]

    [string] $FilePath,

    [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$false, position=1, HelpMessage="An ASCII Key of 128,196, or 256 Length")]

    [string] $Key,

    [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$false, position=2, HelpMessage="Password Hint")]

    [string] $Hint,

    [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$false, position=3, HelpMessage="Save password as plain text")]

    [System.Management.Automation.SwitchParameter] $AsPlainText,

    [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$false, position=3, HelpMessage="Force")]

    [System.Management.Automation.SwitchParameter] $Force

  )

}

 

Example:

 

powershell

 

PS C:\WINDOWS\system32> $password = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force

PS C:\WINDOWS\system32> $AMTCred = New-Object System.Management.Automation.PSCredential ("admin", $password)

 

Lastly, please note that the **FQDN** matching your certificate needs to be used for this process. Using an IP address will not match the certificate and thus won’t be trusted.

 

Please let me know if this resolves the issue or if further assistance is needed.

 

Best regards,  

Vijay N

 

 

0 Kudos
mansee
Beginner
826 Views

Hi @vij1 ,

 

Thanks for the response. I did a Test-NetConnection test on port 16993 which returned true 

mansee_0-1725927935155.png

After this, for the page 8 document you mentioned, I have followed all of those and did only share the last 2 lines of the script. I have the username and password step followed as mentioned in the document. 

Previously for the older PC models we used 16992 port and no TLS authentication was required. For those, we didn't have any issue with this script that we are using. This issue only started with the new PCs with updated Bios version with image below

 

mansee_2-1725929837522.png

 

On previous bios version it looks fine. They don't need a TLS connection for this.

mansee_3-1725929864991.png

Lastly, I am not sure what the FQDN Certificate you meant, as we didn't require it previously for non-TLS connection. We have been doing this only with IP address before. 

0 Kudos
vij1
Employee
775 Views

Hello Mansee,

 

We understand the frustration you're experiencing and would like to provide clarity on the changes related to Intel AMT connections starting from the Intel® 13th Gen and Intel® 12th Gen Core™ Processors.

 

As of the Alder Lake platforms (Intel CSME 16.1 firmware) and Raptor Lake CPUs, remote connections to Intel AMT unsecure TCP/IP ports (16992, 16994, 623) are no longer supported. To ensure secure communications, connections must now be established using TLS over the following ports:

 

16993 for AMT web interface (HTTPS)

16995 for redirection

664 for secure redirection (Intel AMT).

Additionally, with the Intel CSME 19 firmware on Arrow Lake platforms, all connections to Intel AMT, including local, must use these secure TLS ports. Non-TLS connections are no longer supported under any circumstances.

 

Steps to Check and Troubleshoot:

Connection Check: Please ensure the correct connection settings are used, such as:

Example: https://<endpoint_IP_address>:16993

(e.g., https://192.168.xxx.xxx:16993 – note: IP partially hidden for security)

Proxy and Firewall Verification: Ensure the required ports (16993, 16995, 664) are open and not blocked by any firewall or proxy settings.

BIOS Configuration: Verify that Intel AMT is enabled in the system BIOS, and that your machine has been configured with an administrator password using the Ctrl+P configuration interface.

FQDN and Certificates: When managing an Intel vPro technology-enabled client over TLS (port 16993), ensure the computer name matches the Fully Qualified Domain Name (FQDN) in the issued TLS certificate.

 

Intel® AMT SDK Implementation and Reference Guide

Please review of section 2.1.3 from attached guide for Intel vPro® Technology Module for Microsoft* Windows* PowerShell* : Cmdlet and Function Communication Encryption

 

If the Intel vPro technology enabled client is configured to use Transport Layer Security (TLS) by having a web server certificate issued to the Intel Management Engine, the –TLS switch must be passed to the cmdlet. When managing an Intel vPro technology enabled client over TLS (port 16993), it is mportant that the computer name match the primary subject name of the issued TLS certificate. This is typically the Fully Qualified Domain Name (FQDN).

 

Best regards,

Vijay N.

 

 

0 Kudos
vij1
Employee
453 Views

Hello Mansee,


Greetings!!


I am following up on the case and wondering if I can help you with anything else. Look forward to your response.

 

Regards,

Vijay N.



0 Kudos
vij1
Employee
399 Views


Hello Mansee,


Greetings!!


If further assistance is necessary, do not hesitate to reply.


Regards,

Vijay N.


0 Kudos
mansee
Beginner
346 Views

Hi @vij1 @Suneesh ,

 

Sorry was busy with other stuff. I tried getting the AMT Self Signed Certificate and installed in both the PC as well as the Server from where we are going to use the IntelAMTPower Management Powershell script but it still ended up saying trust failure. I am still checking if there are any solutions for this issue.

 

Thanks

0 Kudos
Reply