I've got a lab system with a locked down Windows Server 2019 OS installed, specifically the Secure Host Baseline image. I've got all the necessary drivers and programs loaded for Intel AMT (the Management Engine Components, and the Security Status application).
I've also got the IntelVPro cmdlets loaded, as well as the assemblies from the needed dlls.
When I run commands that query the status of the AMT configuration, I get an unauthorized error.
For example, in the Get-AMTSetup command, it fails when Discover() is invoked:
Add-Type -Path "C:\PowershellModules\IntelvProModule\Bin\IntelvPro\Intel.Wsman.Scripting.dll"
$me = new-Object 'Intel.Management.Mei.MeDevice'
$result = new-Object 'System.Object'
$MeEnabled=$me.Enable()
$me.Discover()
Exception calling "Discover" with "0" argument(s): "Unauthorized"
At C:\Users\xAdministrator\Desktop\AMTtesting.ps1:9 char:1
+ $me.Discover()
+ ~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : WsmanUnauthorizedException
Other "Get" commands produce similar Unauthorized messages.
I've been able to run the exact same commands on fresh installations of Windows Server 2019 on the same hardware and do not get these errors.
I've also copied over the Local Security Policies and Local Group Policies from the fresh installation to the Locked Down Image, and still receive the same error messages.
Does anyone have any ideas or guidance where to look next? I believe it's either got to be permissions somewhere, or some dependency that's locked down that I'm not able to find.
Hello Maynman28,
Thank you for joining the Intel community.
Are you using any kind of script? Is this script authenticated? Please take a look at the SCS user guide section 6.18.7 and let me know if it applies to you: https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf#page=161
I look forward to your comments.
Regards
Jose A.
Intel Customer Support Technician
Hello Jose, the issue came to light when I was using PowerShell to call all cmdlets included in the vPro SDK provided by Intel. I was running the commands locally on the workstation itself from an elevated command prompt, so authentication shouldn't be a factor.
I did some further digging and found the problem: in the local Security Settings, the commands do not work if the following local policy is enabled:
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
If I set that setting to disabled, then reboot the system, I no longer receive the errors.
I don't know if that is a bug, or an incompatibility, or an accepted constraint, but it may be worth lo
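A diagnostic for the finding in the post above, added here as an example that is not part of the thread or of the Intel vPro module: it reports whether the FIPS policy is set in the registry, whether the .NET runtime in the current Windows PowerShell session enforces it, and which hash classes that runtime refuses to construct. The function names and the three probed classes are assumptions chosen for illustration; the thread does not establish which algorithm the cmdlets depend on.

```powershell
# Added example: not from the thread or the Intel vPro module.
# Run in the same kind of Windows PowerShell session that loads the AMT cmdlets.

function Get-FipsPolicyState {
    # Registry value behind the local policy
    # "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing".
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{
        RegistryEnabled = [bool]$enabled
        # What the .NET runtime hosting this session reports.
        DotNetFipsOnly  = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    }
}

function Test-AlgorithmAllowed {
    param([Parameter(Mandatory)][string[]]$TypeName)
    foreach ($name in $TypeName) {
        $allowed = $true
        $reason  = ''
        try {
            # Under FIPS enforcement, non-validated implementations throw in their constructor.
            $alg = New-Object -TypeName $name -ErrorAction Stop
            $alg.Dispose()
        } catch {
            $allowed = $false
            $reason  = $_.Exception.GetBaseException().Message
        }
        [pscustomobject]@{ Type = $name; Allowed = $allowed; Reason = $reason }
    }
}

Get-FipsPolicyState | Format-List

# Illustrative probes only (assumption): one non-approved hash and two SHA-256 implementations.
Test-AlgorithmAllowed -TypeName @(
    'System.Security.Cryptography.MD5CryptoServiceProvider',
    'System.Security.Cryptography.SHA256Managed',
    'System.Security.Cryptography.SHA256CryptoServiceProvider'
) | Format-Table -AutoSize
```

Running it on both the locked-down image and the fresh installation gives a side-by-side record of the policy state to attach to a support case.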
Hello Maynman28,
This indeed looks like a possible bug. I will let our senior team know to see if they have any previous reports of this.
Regards
Jose A.
Intel Customer Support Technician
Hello Maynman28,
Could you please run a systemdiscovery and attach the output to the case? For more details you can check here: https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf#page=10
Regards
Jose A.
Intel Customer Support Technician
Hello Maynman28,
I am just following up to double check if you were able to gather the requested information. Otherwise, let us know if you require more time to accomplish this. I will try to reach you again next Monday the 1st.
Regards
Jose A.
Intel Customer Support Technician
I have attached the requested XML file. Although I'm not sure how it will help given the issue was that FIPS was enabled.
Hello Maynman28,
Thank you for the file provided. We will proceed to analyze it and will let you know our findings soon.
Regards
Jose A.
Intel Customer Support Technician
Hi Maynman28,
Thank you for providing the details of how you were able to resolve the issue. For the question of if it's a bug with the SDK, I can say that AMT version 11.6.0.1102 and newer are compliant. Here are a couple of links that detail this:
https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/2720
Can you confirm the version of the firmware of the system having the issue?
Regards,
Michael
