We're packaging the Intel ME firmware for deployment to our laptops/desktops. We noticed that the firmware updates whether the system is vulnerable or not, and since we're including the firmware as part of our build process we wanted to avoid continuously rewriting firmware, so we included the INTEL-SA-00086 command-line tool as a pre-check. If the tool returns an error code saying the system is vulnerable, then we run the firmware update and restart; if the system comes back as patched or non-vulnerable, then we return success.
With some systems we've been getting errors when running the INTEL-SA-00086, one of which is "The signature of the file HeciWrapper64.dll cannot be validated." We tried installing the Intel ME Components driver and restarting which fixed the issue on some systems, but not all.
On one system we were even able to run the firmware update but the INTEL-SA-00086 tool still failed, and running the Intel ME Components driver didn't fix the issue. What was odd was that the command-line tool failed, and while the command-line session was still open we ran the GUI version which succeeded, and then the command-line version succeeded when run again.
Is there something the GUI version of the INTEL-SA-00086 does that would affect the command-line version of the tool or was this a coincidence?
How can we ensure the command-line tool works consistently?
I understand that you are currently experiencing problems with the Intel® Management Engine firmware update and the SA-00086 command-line tool.
Regarding this, I will need some more information in order to find and see what the problem can be. First, let me know if the systems you have built are the same processor-wise, or perhaps the configuration: are they the same or do they differ from each other?
Let me know so we can start an investigation about this problem.
Thanks for responding.
We've seen the issue multiple times on three different models of machine. Each model has a standard hardware and software build. We're currently running HP Elitebook 820 and 850 laptops (both G1 and G2) in our environment, as well as HP Prodesk 600 G1 workstations.
This latest issue that I mentioned was on an 850 G1 laptop.
Thank you for your response.
What I can recommend you to do in this case is to refer to the link below:
This has a list of the different manufacturers who are addressing the problem. Normally, if you have the latest BIOS version, the patch for the Intel® SA-00086 should be applied. They should also have a list of the different devices affected. We have provided all of the information necessary to the different manufacturers in order to address the issue.
I apologize for any inconvenience.
We had actually reached out to HP for assistance, and they had us reach out to Intel regarding the INTEL-SA-00086 command-line tool since it's an Intel tool.
I'm really just trying to determine if the GUI version of the tool does anything to the system that would affect the operation of the command-line tool. The command-line started working for us after we ran the GUI tool.
Does the GUI tool do anything different from the command-line tool?
Thank you for trying it out.
The GUI tool works on most systems for us as well, but we have a few where it fails. On the last system the command-line tool failed but the GUI tool succeeded, which seemed to fix the command-line tool.
We're just trying to find out if the GUI tool would do something that would fix the command-line tool or if it was a coincidence.