Wednesday 19 December 2012

Intel(R) AMT connection error 0xc000520d: A Soap Fault occurred. (0xc000520d)

Hi everyone,

When you try to configure a system running the ACU configurator you may receive the following error:

Intel(R) AMT connection error  0xc000520d: A Soap Fault occurred.  (0xc000520d).


When you run the ACU configurator again it succeeds. The only way to reproduce the error again on the same system is to run a full unconfiguration, delete it from SCS and run the ACU Configurator again.  

The issue occurred for me when I had selected home domain's but did not include the DNS Suffix that option 15 returned. I assumed it only required the domain.


Now alot of people will not have this issue because 90% of the time Option 15 will be set to your domain. 

Hope this helps



Monday 3 December 2012

Additional Steps to Customise your Intel MPS Solution

Hi All,

If you need help setting up Intel's Management Presence Server (MPS) then look no further. Intel have a video blog which is located here.

I recently followed these instructions for a client and I thought I would share the additional steps I used to create a seamless solution.

The client wanted to support their employees over the internet, by remote controlling their systems, the solution I provided is geared around this outcome. 

To make the solution easy and seamless, I did not want the support team changing proxy settings and checking services. I wanted the support team to click one button to control the end users system. To do this I created a dedicated server for MPS and support services. 

It goes like this:
  • Employee calls for help
  • Support team member logs onto MPS server, clicks one button
  • That button checks to ensure all required services are running and if they are not they are started. 
  • Once all the services are running VNC Plus opens and the support team member, can type in the computer name to remote control the system.

Below are the additional steps to make this happen.
  • Modify the SCS profile to include your MPS Server 
  • Changed the Internet Explorer Proxy Settings (If you want to get to the AMT Web GUI) 
  • Allow port 12345 into your DMZ and forward it to your MPS server  
  • Add the proxy settings to VNC plus
  • Add the proxy settings to your customised application (If you want it to work with your MPS server)
  • Add the proxy setting to KVM View (If you want it to work with your MPS server)
  • Streamline the support process

1. Modify the SCS profile to include your MPS Server

1.1 Modify your SCS profile to include Home Domains, Remote Access, and WiFi Connection



1.2. Add all of you internal domains. This is so the Intel system knows when it's internal or external to your domain. Also tick the option All Intel(r) AMT functionality via VPN. 


1.3 Now you need to add a Management Presence Server and a Remote Access Policy. Click on the Add button.


1.4 Management Presence Server

  • IP Address: Your external IP address and port number. The port number is the port number you set in the second video for stunnel. The default is 12345
  • Server Authentication: The Root CA you created from the first video
  • Common Name: FQDN of your MPS server 
  • System Authentication: The username and password that will be used to authenticate.
 1.5 Remote Access Policy

  • Policy Name: Call it whatever you like.
  • Options: Fast Call for All, OS and BIOS Interface
  • Preferred Server: The MPS Server you created from section 3.1

1.6 If you don't already have WiFi support please add it. 


2. Changed the Internet Explorer Proxy Settings 

2.1 To access the Web GUI of your client you will need to point Internet Explorer to your MPS server. The port used is whatever you assigned to Apache (httpd.conf) and your MPS Server (mps.config)


3. Allow port 12345 into your DMZ and forward it to your MPS server 

3.1 You will need allow and forward the port you set in stunnel.conf to your MPS Server. In this example it is 12345.


4. Add the proxy settings to VNC plus

4.1 To remote control the system you will need to add the proxy settings to your VNC plus connection. 
  • HTTP Proxy: The port you assigned in Apache (httpd.conf) and your MPS server (mps.config)
  • SOCKS 5 Proxy: The port you assigned to SOAP to the MPS server (mps.config) and your Proxy Socks port for Apache in (httpd.conf)
  • Username and Password: Not required.
5. Add the proxy settings to your customised application

5.1 If you created your own customised application as I did here you will need to added the HTTP and SOCKS proxy settings as you did for VNC Plus. 

6. Add the proxy setting to KVM View 

6.1 To remote control the system using KVM View you will need to add the proxy settings to your KVM View connection. 
  • HTTP Proxy: The port you assigned in Apache (httpd.conf) and your MPS server (mps.config)
  • Redirection Proxy: The port you assigned to SOAP to the MPS server (mps.config) and your Proxy Socks port for Apache in (httpd.conf)
  • Auto proxy include list: The system you want to remote control


7. Streamline the support process

My idea was to make the solution as seamless as possible. If a user called for support, help desk would log onto the MPS Server, click on one icon and then would be controlling the users system.

For this to happen complete the following:
  • Install VNC Plus onto your MPS server
  • Create a new root directory called MPS_Services and copy the contents from the SDK directory AMT8.1.4198\Windows\Intel_AMT\Bin\MPS into it.
  • Copy MPSNotification.exe from AMT8.1.4198\Windows\Intel_AMT\Bin to C:\MPS_Services

  • Create a bat file called (MPS.Bat with the following command)
  • Create a bat file called (MPSNotification.bat with the following command). Change the IP address to your MPS Server and the port to what you set in NotificationList.config too.

  • Create a VBS script called StartMps.vbs and send the short cut to the desktop for all users. This is what the support team will run that will perform all the necessary check and start VNC Plus.
Set WshShell = WScript.CreateObject ("WScript.Shell")
Set colProcessList = GetObject("Winmgmts:").ExecQuery ("Select * from Win32_Process")
'==============================================================================================

Dim vFoundApacheMonitor,vFoundstunnel,vFoundmps,vFoundMPSNotification 

'Check if Apache is running
Const strServiceName = "Apache2.2"
Set oShell = CreateObject("Shell.Application")

If Not oShell.IsServiceRunning(strServiceName) Then
  oShell.ServiceStart strServiceName, False
  Msgbox "Starting Apache2.2 service",, "Service Apache Starting"
End If

For Each objProcess in colProcessList
'check to see if ApacheMonitor.exe is running 
    If objProcess.name = "ApacheMonitor.exe" then
            vFoundApacheMonitor = True
    End if
    If objProcess.name = "stunnel.exe" then
            vFoundstunnel = True
    End if
    If objProcess.name = "MPS.exe" then
            vFoundmps= True
    End if
    If objProcess.name = "MPSNotification.exe" then
            vFoundMPSNotification = True
    End if
Next
If vFoundApacheMonitor = "" Then 
    WshShell.Run """C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe"""
    msgbox "Starting Apache Monitoring",, "Apache Monitoring Starting"
end if
If vFoundstunnel = "" Then 
    WshShell.Run """C:\Program Files\stunnel\stunnel.exe"""
    msgbox "Starting stunnel",, "Stunnel Starting"
end if
If vFoundmps  = "" Then 
    WshShell.Run "C:\MPS_Services\MPS.bat"
    msgbox "Starting MPS",, "MPS Starting"
end if
If vFoundMPSNotification  = "" Then 
    WshShell.Run "C:\MPS_Services\MPSNotification.bat"
    msgbox "Starting MPS Notification",, "MPS Notification Starting"
end if

Response = Msgbox ("All services are running that are required for Call For Help. Would you like to open VNC Viewer?",4,"Services Are Started")
If Response = 6 then
   WshShell.Run """C:\Program Files\RealVNC\VNCViewerPlus\vncviewerplus.exe"""
End if

Now all they need to do is click on one file and they are controlling the users desktop.

Monday 19 November 2012

Preferred command when provisioning vPro systems using SCS

Hi All,

When I set-up SCS and provision a fleet of vPro systems I like to see the systems in the the SCS Database.


To see them in the database, when you export the XML profile, be sure to tick the last option Put locally configured device in Admin Control Mode. I also put the systems in admin control mode because I want to leverage from the features that are only available in admin control mode. Check the difference out here 

Below is an example of the command that can be used to to configure the systems:

ACUConfig.exe /verbose /lowsecurity configAMT Profile.xml /decryptionpassword P@ssw0rd

When you export the profile be sure to tick the last option to ensure the device goes into admin control mode and shows up in the SCS Database



Cannot establish a handle to the Intel(R) Management Engine Interface driver. Access is denied. (5)

Hi All,

If you are receiving the following error when you try to provision a vpro system using SCS and ACUConfig.exe, it will most likely be due to the fact the UAC is on and you are not running the command as an administrator.

 ACU Configurator, Category: Exit Source: Src\ActivatorMain.cpp : wmain Line: 1096: ***********Exit with code 83 - The Intel(R) Management Engine Interface driver is not installed or cannot be accessed. 


When I deploy the package from SCCM I use a task sequence that allows you to use the Run As feature


WMI Access Denied error when provisioning a vPro system with SCS and ACUConfig.exe

Hi all,

If you are receiving the following error when you try to provision a vpro system it will most likely be due to WMI permissions.

2012-11-20 12:19:25: Thread:1584(ERROR) : ACU Configurator , Category: ConnectServer Source: Src\WMIAccess.cpp : ConnectToNamespace Line: 146: A call to this function has failed - (0xc000278b) (Access denied-2147217405)


The command I am using to configure the system is as follows:


ACUConfig.exe /verbose /lowsecurity ConfigViaRCSOnly IPAddressofServer Profile  /WMIuser domain\useraccount /WMIuserpassword P@ssw0rd

You can verify that it is a WMI permissions issue by logging onto the system with the account you are trying to configure the system with and performing a WMI Test
  • Run Wbemtest by going to Start => Wbemtest 
  • Click on Connect
  • Type in \\Your_Server\root\intel_RCS in the NameSpace location. Change Your Server to your SCS server 

If you get the above access denied error you have a WMI permissions issue.

To resolve the issue follow the steps below:
  • Log onto your SCS Server and load wmimgmt.msc. Right click on WMI Control (Local) and select properties

  • Select the Security Tab 

  • Make sure the account you are using to run ACUConfig.exe has the following permissions on all four namespaces.
    • Execute Methods
    • Full Write
    • Remote Enable



Intel has documented the required permissions in the SCS user guide on page 46

Sunday 21 October 2012

Error when enabling the PXE support on a SCCM 2012 Distribution Point

Hi All,

Recently when I enabled PXE support for clients on a SCCM 2012 Distribution Point I received the following error in the SMSPXE.log located in C:\Program Files\SMS_CCM\Logs

failed to copy C:\RemoteInstall\SMSTempBootFiles\BAM00001\WINDOWS\Boot\PXE\pxeboot.com to C:\RemoteInstall\SMSBoot\x86\pxeboot.com
InstallBootFilesForImage failed. 0x80070003
Warning: Failed to copy the needed boot binaries from the boot image C:\RemoteInstall\SMSImages\BAM00001\boot.BAM00001.wim.
The operation completed successfully. (Error: 00000000; Source: Windows)
Failed adding image C:\RemoteInstall\SMSImages\BAM00001\boot.BAM00001.wim. Will Retry..
The system cannot find the path specified. (Error: 80070003; Source: Windows)



I found that C:\RemoteInstall\SMSBoot\x64 and C:\RemoteInstall\SMSBoot\x86 were also empty. 

Looking further into the log I could see that the boot images were been mounted and closed without doing anything.


The solution for me was to mount and unmount the images and then restart the WDS service. Everything worked like a charm. It must be a bug with the intial deployment

dism /Mount-Wim /WimFile:C:\RemoteInstall\SMSImages\BAM00004\boot.BAM00004.wim /index:1 /MountDir:C:\RemoteInstall\SMSTempBootFiles\BAM00004

dism /Mount-Wim /WimFile:C:\RemoteInstall\SMSImages\BAM00001\boot.BAM00001.wim /index:1 /MountDir:C:\RemoteInstall\SMSTempBootFiles\BAM00001

dism /unmount-Wim /MountDir:C:\RemoteInstall\SMSTempBootFiles\BAM00001 /commit
dism /unmount-Wim /MountDir:C:\RemoteInstall\SMSTempBootFiles\BAM00004 /commit

Thursday 20 September 2012

Modifying The Intel® Core™ vPro™ processor add-on for System Center Configuration Manager 2012

Hi All,

From the following link you will find the instructions to get the add-on running on your SCCM 2012 server.

I thought I would put together a step-by-step process to make it a little easier.

Below the the instructions you can use to get this on your SCCM 2012 server.



1. Install the add-on. 

The following error kept occurring when I tried to install it on my SCCM 2012 server. I decided to install the add-on on my Windows 7 PC and just copy the contents from my Windows 7 PC to my SCCM 2012 Server. 



From your Windows 7 PC copy the contents from C:\Program Files\Intel Corporation\Intel Core vPro processor add-on for System Center Configuration Manager 2007 to the same location on the SCCM 2012 server. 

2. Create the Right Click Action

Create the following folders if they don't already exists. I already had them because I am using the right click tools for SCCM 2012

C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\XmlStorage\Extensions\Actions\3fd01cd1-9e01-461e-92cd-94866b8d1f39

C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\XmlStorage\Extensions\Actions\ed9dee86-eadd-4ac8-82a1-7234a4646e62

3. Create a new file called IntelvProExt.xml in each folder and paste the following code in it.

ActionDescription Class="Group" DisplayName="Intel vPro" MnemonicDisplayName="Mnemonic" Description="Contains commands for Intel vPro hardware" SqmDataPoint="53">
<ShowOn>
    <string>ContextMenu</string>
</ShowOn>
  <ActionGroups>
    <ActionDescription Class="Executable" DisplayName="Start KVM" MnemonicDisplayName="Start KVM" Description="Starts a KVM session with Intel hardware">
       <ShowOn>
         <string>ContextMenu</string>
      </ShowOn>
      <Executable>
        <FilePath>C:\Program Files\Intel Corporation\Intel Core vPro processor add-on for System Center Configuration Manager 2007\kvmview.exe</FilePath>
        <Parameters>-host ##SUB:Name## -dns</Parameters> 
      </Executable>
      <ActionStateAssembly>
        <Assembly>.\AdminUI.CollectionMenuActions.dll</Assembly>
        <Type>Microsoft.ConfigurationManagement.AdminConsole.CollectionMenuActions.LaunchUtilities</Type>
        <Method>IsAMTPowerControlAndOOBConsoleEnabled</Method>
      </ActionStateAssembly>
    </ActionDescription>

    <ActionDescription Class="Executable" DisplayName="Set Alarm Clock" MnemonicDisplayName="Set Alarm Clock" Description="Schedules a time for Intel hardware to power on">
      <ShowOn>
         <string>ContextMenu</string>
      </ShowOn>
      <ActionStateAssembly>
        <Assembly>.\AdminUI.CollectionMenuActions.dll</Assembly>
        <Type>Microsoft.ConfigurationManagement.AdminConsole.CollectionMenuActions.LaunchUtilities</Type>
        <Method>IsAMTPowerControlAndOOBConsoleEnabled</Method>
      </ActionStateAssembly>
      <Executable>
        <FilePath>C:\Program Files\Intel Corporation\Intel Core vPro processor add-on for System Center Configuration Manager 2007\AlarmExt.exe</FilePath>
        <Parameters>-host ##SUB:Name## -tls -dns</Parameters> 
      </Executable>
    </ActionDescription>

  </ActionGroups>
</ActionDescription>
Christoph von Wittich has provided the files from the above link if you want to download them 


Regards,

Blair