WsmanUnauthorizedException with Powershell Commands

Maynman28 · ‎02-11-2021

I've got a lab system with a locked down Windows Server 2019 OS installed, specifically the Secure Host Baseline image. I've got all the necessary drivers and programs loaded for Intel AMT (the Management Engine Components, and the Security Status application)

I've also got the IntelVPro cmdlets loaded, as well as the assemblies from the needed dlls.

When I run commands that query the status of the AMT configuration, I get an unauthorized error.

Like in the Get-AMTSetup command, it fails at when discover() is invoked:

Add-Type -Path "C:\PowershellModules\IntelvProModule\Bin\IntelvPro\Intel.Wsman.Scripting.dll"

$me = new-Object 'Intel.Management.Mei.MeDevice'
$result = new-Object 'System.Object'

$MeEnabled=$me.Enable()

$me.Discover()

Exception calling "Discover" with "0" argument(s): "Unauthorized"
At C:\Users\xAdministrator\Desktop\AMTtesting.ps1:9 char:1
+ $me.Discover()
+ ~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : WsmanUnauthorizedException

Other "Get" commands produce similar Unauthorized messages.

I've been able to run the exact same commands on fresh installations of Windows Server 2019 on the same hardware and do not get these errors.

I've also copied over the Local Security Policies and Local Group Policies from the fresh installation to the Locked Down Image, and still receive the same error messages.

Does anyone have any ideas or guidance where to look next? I believe it's either got to be permissions somewhere, or some dependency that's locked down that I'm not able to find.

JoseH_Intel · ‎02-11-2021

Hello Maynman28,

Thank you for joining the Intel community

Are you using any kind of script? Is this script authenticated? Please take a look at the SCS userguide section 6.18.7 and let me know if it applies to you: https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf#page=161...

I will look forward for your comments

Regards

Jose A.

Intel Customer Support Technician

Maynman28 · ‎02-12-2021

Hello Jose, the issue came to light when I was using Powershell to call all cmdlets included in the VPro SDK provided by Intel. I was running the commands locally on the workstation itself from a elevated command prompt so authentication shouldn't be a factor.

I did some further digging and found the problem: in the local Security Settings, the commands do not work if the following local policy is enabled:

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

If I set that setting to disabled, then reboot the system, I no longer receive the errors.

I don't know if that is a bug, or an incompatibility, or an accepted constraint, but it may be worth lo

JoseH_Intel · ‎02-14-2021

Hello Maynman28,

This indeed looks like a possible bug. I will let our senior team know to see if they have any previous reports of this.

Regards

Jose A.

Intel Customer Support Technician

JoseH_Intel · ‎02-21-2021

Hello Maynman28,

Could you please run a systemdiscovery and attach the output to the case. For more details you can check here: https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf#page=10

Regards

Jose A.

Intel Customer Support Technician

JoseH_Intel · ‎02-25-2021

Hello Maynman28,

I am just following up to double check if you were able to gather the requested information. Otherwise let us know if you require more time to accomplish this. I will try to reach you back on next Monday 1st.

Regards

Jose A.

Intel Customer Support Technician

Maynman28 · ‎02-26-2021

I have attached the requested XML file. Although I'm not sure how it will help given the issue was that FIPS was enabled.

JoseH_Intel · ‎02-28-2021

Hello Maynman28,

Thank you for the file provided. We will proceed to analyze it and will let you know our findings soon

Regards

Jose A.

Intel Customer Support Technician