There are widespread reports in various linux fora about errors with the mei module along the lines of:

[  286.232029] mei_me 0000:00:03.0: timer: connect/disconnect timeout.

[  286.232038] mei_me 0000:00:03.0: unexpected reset: dev_state = ENABLED

(These are pastes from a DQ35JO system - This uses AMT 3.2)

AMT is enabled and I can access the web interface on this board, so my suspicion is that the MEI module doesn't talk to older AMT firmware.

Can anyone confirm?

If this is true, what is the _oldest_ version of AMT supported by mei?

Directly related: On vPro chipsets such as the Q35, lm-sensors cannot access any information relating to fan speeds, motherboard temperature, PSU/ram/core voltages, etc.

Given that lm-sensors is _the_ linux standard for onboard environmental monitoring (there are extensions for IPMI access), this really needs addressing properly (ie: if the informatio is available via mei then a lm-sensors extension should be worked on)

Thanks

Alan

Hi,

I've been tinkering with AMT lately and thinking about using it in our environment. I've made a little test environment just to try out host-based provisioning, but I'm having some weirdness and was hoping someone could explain this behavior.

One thing I can't figure out is how to get into the MEBx after I've provisioned the device. I can log into the WebUI remotely using the Digest admin username and new password, but the MEBx doesn't seem to use this password...? I thought it was the same thing, however I've tried it multiple times and can't seem to get back into MEBx. Any ideas?

Another weird issue I was having was that I could log into the WebUI only through Firefox and Chrome -- Internet Explorer (11) would prompt me for credentials but would not take them... similar to how MEBx seems to be responding. However, I managed to eventually get IE to do this right by using the FQDN in the address bar instead of the IP address.

The reason I'm trying to get back into MEBx is to see if the settings I imported into it from ACUConfig all took. Obviously some portion of them did because the WebUI is up, the ME service said it was provisioned, the ACUConfig log said it was successful, and so on.

The reason I'm wondering if something is not-right is because I can't seem to do any Remote Control (toggle power) with the machine in any state. The WebUI seems to send the command but nothing happens. I also tried Manageability Commander Tool ME and when I try sending it a power off or reset it returns me an "INTERNAL_ERROR" response.

So that's where I am so far. Let me know if you guys have any insight to the behavior I'm experiencing. Here's some of the information on my test machine:

Dell Latitude E6520
Intel AMT ver. 7.1
Windows 8.1
Intel SCS 9.1.1.125b

I'm confused about this mysterious port that isn't open after I provision a computer into CCM. In my provisioning profile, I enable KVM and all the other redirection options, and set an RFB password but apparently this is still half-baked after a provision. For example, if I try to connect to the machine via UltraVNC I get this:

I don't get a prompt for a password or anything. Just a failed to connect error.

But here's the thing. If I go into the Manageability Commander, I see this:

If I click into this I get an option to enable the "standard port" 5900 for RFB. Once that is done, I can use UltraVNC Viewer to connect to the machine and get to the user consent screen.

So why is this not enabled when I specify in the profile to enable KVM? I killed the firewall and I still couldn't access the machine so it doesn't seem like a networking port. What exactly is the port this is referring to... something on the AMT device itself?

How do I open this "port" at provision-time? I'd rather not have to open Manageability Commander (whose issues are worthy of another thread) after the fact for every computer I need to connect to. I feel I should just be able to open UltraVNC viewer and type in the hostname::port and be set.

It’s been a while since the last Meshcentral report, so I wanted to give people a status update before I head over on a week vacation. The team’s been hard at work on all sorts of improvements and new features. In this report, I want to focus on just a few core improvements.

• Intel AMT Control Mode. This is a long overdue improvement, Meshcentral now displays the currently configured Intel AMT control mode for Intel AMT 6.1 and above. This feature is new with Mesh Agent v1.82. This will help people determine how to make best use of Intel AMT for each machine.
• EHBC detection. I don’t have a screen shot below, but starting with Mesh Agent v1.81, if a machine is un-provisioned and supports EHBC (Embedded Host Based Provisioning), this will show on the Intel AMT status line of Meshcentral.com. It helps determine if HBP can be used to go directly into admin mode. If Intel AMT supports EHBC, doing HBP with Meshcentral will automatically make the remote machine go in admin mode.
• Internalization & French Localization. For the past few weeks, I have been working nights on making the Meshcentral web site internationalizable to other languages (which is most of the work) and did much progress on localization to French. Internalization work is about 75% done, localization to French is 65% done. If you change your browser to French and go on Meshcentral.com, you will see the site show up in French!
• Performance improvements. As the load of the web site keeps increasing, we keep finding ways to improve the sites performance. In the last week, me made significant improvements to how and when Meshcentral makes database access, significantly improving the overall performance of the site. This said, there is still more work to do done in this area. Meshcentral is peaking at nearly 6000 machines connected at the same time each day.

Comments and feedback appreciated,
Ylian Saint-Hilaire
meshcentral.com/info

I am trying to use the Intel® vPro™ Platform Solution Manager to connect to a machine. 

I enter all the machine data including IP address, username, and password, but when I press connect(or let it autoconnect) I see the following error and the program crashes.



Exception: Object reference not set to an instance of an object.

     Source: HLAPI

Stack Trace:    at HLAPI.Wireless.WirelessWSMAN.GetLinkPolicy()

   at HLAPI.Wireless.WirelessManager.GetWiFiLinkPolicy()

   at HLAPI.GeneralInfo.GeneralInfoManager.RemoveWirelessIfNotSupported(List`1& supportedFeatures)

   at HLAPI.GeneralInfo.GeneralInfoManager.GetSupportedFeatures()

   at Intel.Manageability.Impl.AMTInstanceManager.get_SupportedFeatures()

   at Intel.Ucrd.vProPlatformSolutionManager.Controls.CtrlSystem.<>c__DisplayClasse.<ConnectEx>b__9()

I have not modified the source code, nor do I intend to. This is from a fresh download and install.  I have .NET 3.5 and 4.1 installed and enabled. In fact I am meeting all the requirements listed here  https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=HTMLDocuments%2Fintelvproplatformsolutionmanager.htm

I have configured AMT and tested with both the web-ui-control panel and remotely logging in via VNCplus.

I cannot figure out why the manager keeps crashing.

Thanks,

George

Hi,

Today I installed vPSM_1.0.0.11634 and tried to connect to a vPro 9 client. I got the following error:

  Exception: Object reference not set to an instance of an object.

     Source: HLAPI

Stack Trace:    at HLAPI.Wireless.WirelessWSMAN.GetLinkPolicy()

   at HLAPI.Wireless.WirelessManager.GetWiFiLinkPolicy()

   at HLAPI.GeneralInfo.GeneralInfoManager.RemoveWirelessIfNotSupported(List`1& supportedFeatures)

   at HLAPI.GeneralInfo.GeneralInfoManager.GetSupportedFeatures()

   at Intel.Manageability.Impl.AMTInstanceManager.get_SupportedFeatures()

   at Intel.Ucrd.vProPlatformSolutionManager.Controls.CtrlSystem.<>c__DisplayClasse.<ConnectEx>b__9()

Details:

• Management station is a non-vPro Thinkpad using wired Ethernet. My WiFi reports "hardware radio switch is off."
• Client is a Lenovo M58p with vPro firmware version 9.0.2-build 1345. It's set up in small business mode or whatever the super-simple mode is called (no certificates). I can connect fine through the web interface.
• I am connecting across a router-based VPN. I used an IP address when trying to connect. I chose to connect using digest authentication and without TLS.
• I was successfully connecting to this machine a few months ago using vPSM_1.0.0.8980. When that aborted this time, I downloaded the latest (11634) but it still aborts.

I tried connecting to a couple other devices over the same VPN to the same remote network:

• Lenovo TS140 server, also running firmware version: 9.0.2-build 1345:  crashes with "Max Retry attemps (sic) reached"
• Dell Optiplex 960 running firmware version: 5.2.40-build 1037:  connects without issues

So it only seems to fail to connect to vPro 9 machines. Any suggestions on how to connect to these machines? Also, it would be nice the if the entire program didn't crash when a connection to a machine fails...

Thanks,

Mark

It’s been a while since the last Meshcentral announcement, but we are making it up today with a powerful new feature. We are announcing: Meshcentral cloud Intel® AMT IDE Redirect. Allowing administrators to remotely reboot a mesh enabled Intel AMT computer anywhere on the Internet with a recovery OS that is located on the MeshCentral server. This opens the door for powerful remote computer recovery, OS check, backup, re-install and more. Along with Hardware KVM, it’s one of the most powerful features of Intel AMT and a significant value to administrators… but there is more, much more.

As with any Intel AMT feature implemented in Meshcentral, we take it to the next level. When the administrator decides to launch a recovery boot using mesh, the mesh server generates on the fly a new remote boot OS image. That is right, each boot is made using a fully constructed single-use OS image. A tiny Linux based image is built for the target platform with the right settings, hostname, check hashes, mesh policy, MEI driver, network drivers and more. Once booted, the recovery OS makes a set of HTTP calls to the Mesh server to stop the IDE-R session, download & check the latest mesh agent and launch it. A recovery mesh agent then connects back to the server for full control over the session, built-in LMS support in the mesh agent is used to provide local Intel AMT access.

In addition to all this, the new Meshcentral server now supports recovery agents that show up on the devices page only for the duration of the connection, along with improvements in CIRA connection handling and much more, this new feature makes it easier than ever to use IDE-R. Just select and click a button, Meshcentral does the rest.

This new feature is one of the easiest and most powerful ways to make use of Intel® vPro. We are testing the feature on Meshcentral.com and will be rolling out cloud IDE-R to mesh customers and other mesh server instances in the next few weeks. We posted on Youtube a full demonstration of Meshcentral performing IDE-R.

Questions and feedback appreciated,
Ylian Saint-Hilaire
meshcentral.com/info

The inner working of this new feature are quite complex, involving updates to every major component of Meshcentral.

From the administrator’s perspective, this would not be easier. A few clicks triggers the IDE-R feature.

We posted on Youtube a full demonstration of Meshcentral performing IDE-R.

Hi,

can someone please explain me, how to do remote configuration of Intel AMT PC, integrating it into Active Directory?

Is it possible to do such a configuration with Intel SCS or Open MDTK?

Thank you in advance!

Alex.

I am happy to announce that Meshcentral is going global with the web site launching in a total of 11 languages. It’s always been the goal of Meshcentral to be a universal cloud management web site that cuts across devices, operating systems, architectures and form factors, highlighting and utilizing Intel unique features when available. Now, we also cut across languages. Supported languages are: English, German, French, Italian, Japanese, Korean, Portuguese, Russian, Chinese (China), Chinese (Taiwan).

If your browser is set with your correct language preference, Meshcentral.com will automatically show up in the most preferred language that is supported. The translations have been done using a combination of machine and human translations systems. Since I personally only speak English and French, we are looking for feedback and corrections. This is just a start, we will continue to improve the quality of the internalization and localizations moving forward.

Meshcentral makes it easier than ever to make use of Intel technologies and Internalization of Meshcentral is an important step to bring Intel unique usages, technologies and value to a global audience. Early next week, all 11 languages will be pushed out to all other instances of Meshcentral (Amazon AWS and self-hosted servers).

Questions and feedback appreciated,
Ylian Saint-Hilaire
meshcentral.com/info

Meshcentral.com is going global with an impressive set of language support.

Hello!

we are a physics department at a large German university where we deploy several hundred desktop PCs running both Windows and Linux. We use Intel AMT to perform maintenance and administration of these computers since it helps to minimize the amount of sneaker networking we have to do.

All desktop PCs are DELL OptiPlex machines, ranging from 745 series machine through 755, 760, 760, 780 and up to current machines like the OptiPlex 9080, all these machines support Intel AMT.

Now, in order to use AMT, we have to enable it on these machines first which is currently quite a chore. Someone, usually a student assistant, has to walk to the machine, reboot it, enter the MBEx menu and enable AMT. Then they need to plug in a USB device holding the configuration, load it and finally reboot the machine. Quite a lot of sneaker networking with just alone over 200 Linux desktops.

I am therefore currently looking into the possibilty to enable and configure AMT completely remotely. I read through the SCS User Guide and several documents provided by Intel, but none of these mentions any possibility. The 200 Linux desktops run Debian Wheezy or Jessie. I tried using ACUConfig which is unfortunately very buggy (at least on Linux) and it took me several hours to get it to compile cleanly (the pre-compiled version from Intel doesn't work since it does a version check which will prevent it to work on most machines; the manual recommends to recompile the code with the version check commented out). The makefiles needed a lot of patching (for example, gcc refused to compile many sources without -fpermissive, so I had to add it to the compiler flags in many makefiles) and some of the C sources required to have some #include directives removed or added since it tried to use headers which exist on Windows machines only. I could eventually get the code compile with my additional patching and by using an old Debian Squeeze installation as a build host (the gcc version on Debian Wheezy or Jessie seems to be too new for the ACUConfig sources).

After finally having a version of ACUConfig on Linux which seems to work, I tried to generate a configuration profle using the "ACU Wizard" on a Windows machine. I made the necessary adjustments for AMT and exported the configuration to an encrypted XML file. I then tried to load the XML configuration on a Linux machine using ACUConfig:

root@smart2:~> ACUConfig -Verbose ConfigAMT /net/space/physik.xml --DecryptionPassword mypassword

738. (-DecryptionPassword)

Starting log 2014-06-27 13:41:47

Command:     ConfigAMT

Description: Configures/Reconfigures Intel AMT systems

Syntax:      ACUConfig [global options] ConfigAMT <filename>

             [-DecryptionPassword <password>] [-AbortOnFailure]

             [-AdminPassword <password>] [-NetworkSettingsFile <file>]

Parameters:

<filename>: The xml file containing the configuration parameters

-DecryptionPassword <password>: Performs decryption of encrypted files

-AbortOnFailure: If configuration fails, puts the Intel AMT device in the

                 "Not Provisioned" mode

-AdminPassword <password>: Current admin user password in the Intel AMT device

-NetworkSettingsFile <file>: Gets the IP and/or the FQDN from a dedicated

                             network settings file

***********

101098 - 10114

Details: 738(-DecryptionPassword)

root@smart2:~>

Trying the same command with a small, handwritten XML file which is unencrypted:

root@smart2:~> ACUConfig -Verbose ConfigAMT /net/space/physik2.xml

Connected to HECI driver, version: 218.146.27.32514

Size of guid = 16

max_message_length 5120

protocol_version 1

Connected to HECI driver, version: 3.0.0.2

Size of guid = 16

max_message_length 5120

protocol_version 1

Segmentation fault

root@smart2:~>

Apparently, the ACUConfig utility is currently broken and not really usable on Linux which is an unlucky situation. Furthermore, I think the current method of installation of the ACUConfig utility on Linux is way too cumbersome and error-prone and most people will probably fail trying to get it running.

I would therefore like to get in touch with any of the original developers of the ACUConfig utility and help them to clean up the code such that it will build on any Linux machine with any version of gcc without any heavy patching. Also, since I am a Debian Developer, I would also be happy to help to get Intel's ACUConfig packaged for Debian. If end users could just install those utilities on Debian-based systems (Debian, Ubuntu, Linux Mint etc) with a simple "apt-get install intel-amt-tools", the whole use AMT on Linux would be much easier and simpler.

Cheers,

Adrian

Site Links

Main site: meshcentral.com
Information site: info.meshcentral.com
Developer blog:intel.com/software/ylian

Overview
Meshcentral is an open source project under Apache 2.0 license that allows administrators to remotely manage computers over the Internet using a single web portal. You have to download and install a mesh agent on all your devices, but once installed the agent is self-upgrading and makes the device available for management on the web portal. There are a few things that set Meshcentral apart from other solutions. It's open source and so, anyone can freely setup their own instance of Meshcentral on their own server. Meshcentral manages a very wide array of devices: Windows, OSX, Android, Linux, XEN and more. You can use the same solution to manage big servers and Intel® Galileo devices.

Features

Meshcentral features can be seperated into in-band and out-of-band features. In-band features are available on all devices, out-of-band features are only available on computer with Intel® AMT.

• Remote desktop (in-band and Intel® AMT hardware KVM)
• Remote terminal access (in-band and Intel® AMT serial-over-lan)
• Remote file access
• Remote web access
• Remote power control (in-band and Intel® AMT power control)
• General monitoring
• Video chat with Android

Tutorial Videos

To help, we have a YouTube playlist with a set of tutorial videos covering many aspects of using Meshcentral.  The first two videos "Getting Started" and "Basic Features" are probably the best way to get a quick initiation to Meshcentral.

Compatible Tools

Most people using Meshcentral will only use the web portal, which is feature rich and works on any device with a browser. But in addition to the web portal, we have applications and tools that are compatible with Meshcentral. So, if you are already using these tools, you can easily take advantage of remote management for the Internet.

• Intel System Defense Utility (ISDU)
• Open Manageability Developer Tool Kit (MDTK)
• Mesh Manageability Tools

Hi,

I'm just trying to create Alarm Clock with wsman utility, but I couldn't figure out how to do it, can somebody help me?

Trying to execute this command:

root$ wsman put -k ElementName"DefAlert" -k StartTime="2014-07-15T22:00:00Z"-k Interval="PT12M" -k DeleteOnCompletion="true"http://intel.com/wbem/wscim/1/ips-schema/1/IPS_AlarmClockOccurrence?Inst..."DefAlert" --port 16992 -h 192.168.0.14 --username admin -p "Admin44$" -V -v

I get such response:

<?xml version="1.0" encoding="UTF-8"?>

<a:Envelope xmlns:g="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:f="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:e="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:d="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:c="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:b="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:a="http://www.w3.org/2003/05/soap-envelope" xmlns:h="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:i="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secex..." xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <a:Header>

    <b:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</b:To>

    <b:RelatesTo>uuid:1e82a3fe-fe28-1e28-8002-e6b2e3bae690</b:RelatesTo>

    <b:Action a:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/fault</b:Action>

    <b:MessageID>uuid:00000000-8086-8086-8086-00000000075B</b:MessageID>

  </a:Header>

  <a:Body>

    <a:Fault>

      <a:Code>

        <a:Value>a:Sender</a:Value>

        <a:Subcode>

          <a:Value>b:DestinationUnreachable</a:Value>

        </a:Subcode>

      </a:Code>

      <a:Reason>

        <a:Text xml:lang="en-US">No route can be determined to reach the destination role defined by the WSAddressing To.</a:Text>

      </a:Reason>

      <a:Detail>

        <e:FaultDetail>http://schemas.dmtf.org/wbem/wsman/1/wsman/faultDetail/InvalidResourceUR...

      </a:Detail>

    </a:Fault>

  </a:Body>

</a:Envelope>

Connection failed. response code = 400

 

 What am I doing wrong?

This week brings another big feature to Meshcentral. I am very happy to announce that the latest version of the Mesh Agent v184 now has local built-in web based management! You now can use both Meshcentral.com to manage all your devices over the cloud and access the local HTTPS web page on port 16990 of any meshed device on the local network. The local management site offers Mesh Agent status along with WebRTC based Remote Desktop and Remote Terminal. So, once setup you can take control of a remote device on the same network even without Internet connectivity.

This feature is very useful for checking on the mesh agent status, but even more useful in cases where you need to remotely manage embedded,  headless or IoT devices like the Intel® Galileo. You can just hit the local web site of the device, login and access the remote management features. More than ever Mesh offers increasing flexibility in how devices are managed. The local management site has many settings, so administrators can configure if and how it works and what credentials are accepted. It’s all configured by meshcentral.com. For now, each device’s local administration page much be set independently.

Take a look at our Youtube video demonstration. The new agents v184 started rolling out a few minutes ago and the mesh server updates will be rolled out over the next few days.

Questions and feedback appreciated,
Ylian Saint-Hilaire
info.meshcentral.com

Along with Meshcentral, the latest mesh agent servers a full remote management web site.
You can now manage your devices using the cloud site and the local site hosted by the device itself.

The new local web site offers general information, login, remote desktop and remote terminal.
The site operations and credentials can be setup by the administrator using meshcentral.com.

Use Meshcentral to setup how the local web site works and what credentials should be accepted.
The new feature is going to be deployed across all Mesh supported platforms.

Hi All,

We have recently started the testing before the roll out of AMT across our fleet. We are using SCS in database mode to gain admin and integrated with SCCM. The provisioning of the devices goes well with power and the out of band console working however when I try and connect to a device via the intel KVM tool it prompts for a password. Its as if its displaying a password on the users end as it would in 'user' mode however no password is displayed and the AMT advises KVM is connected. On the other hand if I use the VNC alternative it opens up a full session with no password required.

Does anyone have a idea why this would be the case?   

Hi All,

SCCM 2012 was set up in our environment for some time and was provisioning machines that had the correct version of amt but due the hit and miss way it was working we have decided to move to SCS in database mode. I recently got SCS up and running and with help from this forum it is working to provision all test machines targeted. My problem stems from a  number of devices (around half) at our test site that were provisioned by sccm. I figured it would be as easy as selecting to select 'Remove Provisioning Data' from sccm before proceeding with SCS to re provision but that has not been the case. Checking the logs on the OOB service point I get the following logs: (I have attached the only bit that seems relevant)

ERROR: Invoke(get) failed: 80020009argNum = 0

Description: A security error occurred

Error: Failed to get AMT_SetupAndConfigurationService instance.

Error: Can NOT get provisioning state from target device. (MachineId = 16781530)

Is this maybe occurring due to the install of SCS and its integration with SCCM prior to removing the provisioning data from sccm? 

Any help or insights would be great :)

Christian. 

Hello all,

I'm not sure if this is the bet place to post this, so forgive me if this belongs elsewhere. I did actually find similar issues mentioned in this forum, but none of the solutions suggested seemed to work for me. Rather than bump an old thread, I thought it best to start a new one. 

Anyway, I recently built a rig using a ASRock z97 board. I've updated all drivers but have found that the Intel Management Engine device is not functioning (listed with a big yellow bang in my device manager with a message that says it cannot start and code 10). I've downloaded the drivers from ASRock's own site. In this case, the driver was version 10.0.0.1204. I also searched for a compatible driver on Intel's site and came up empty handed. All the drivers for this device that I could find here proved incompatible.

I was speaking with a more tech savvy friend who suggested this might also be related to a problem I am having with Sleep Mode. My PC seems to crash anytime it enters into Sleep Mode (or fail to wake up). There has been no BSOD though.

Other things I have tried include uninstalling and reinstalling the driver (with system restarts between of course), downloading Kernel-Mode Driver Framework version 1.11, making sure my INF is also up to date, and even checking the RAM (I had read somewhere that this issue was sometimes caused by faulty RAM). I should also like to note that my BIOS is the latest version as listed on the manufacture's website. I've already contacted the manufacturer about this issue and their best solution was to do a fresh install of windows. So now I come here in hopes of other insights.

A short list of my system's specifications are below, but if any further information is needed, please let me know.

GPU: MSI NVIDIA GeForce GTX 760 4GB GDDR5

CPU: Intel Core i5-4670K Quad-Core Desktop Processor 3.4 GHZ

SSD (for boot): Kingston 120gb

HDD: Western Digital 1TB

ODD: Asus CD/DVD RW

PSU: Seasonic 520W

RAM: 2x Corsair 4GB

OS: Windows 7 64bit

And of course

Motherboard: ASRock z79 Extreme4

Any help would be greatly appreciated!

Meshcentral continues to lead the way in cloud based security usages. Thanks to work from Jacob Gauthier, Meshcentral can now securely boot a trusted Linux operating system using Intel® AMT IDE-R and perform a AV scan of all attached disks on a remote system over the cloud. That is right, we now extended the Intel AMT IDE redirect feature of Meshcentral so that you could use it to trigger a trusted remote AV scan. Why is this interesting?

In most cases, anti-virus software run on the same operating system that is the target of viruses and malware. A better way to go is to boot a separate trusted operating system that would then scan the drives. The operating system would have to be sent over a trusted channel and use a set of tools that are downloaded and integrity checked. Today, we are announcing that we did just that. We use Intel AMT IDE Redirect feature as a way to remotely boot a trusted operating system, we then download ClamAV an open source anti-virus software that then automatically runs on all attached drives. This new feature builds on top of the Meshcentral cloud IDE-R support we announced a few weeks ago. The trusted Linux operating system is built on-the-fly into a single use ISO image that is then sent over the cloud to the target machine. Intel AMT is required to make all this work.

Jacob Gauthier built an innovative “package stuffing” system. Once the basic recovery OS is running, we want to try to limit IDE-R data transfer to boost boot speed. The recovery OS will check local disk storage or HTTP or IDE-R to get required application packages. The recovery OS checks the package hashes and pushes packages into local storage for future use. As a result, you always get the fastest possible boot speed over the cloud with the remote computer locally caching much of the data.

Check out our video demonstration and talk on this new feature:

    Youtube: Overview of Meshcentral support for IDE-R (6 minutes)

With this release, Meshcentral continues blaze the path forward for innovative security usages. With just a few clicks, administrators can remotely run fully secure AV scans on machines. Intel AMT IDE-R session works over CIRA or agent relay making it easier than ever to perform an out-of-band AV scan over the cloud.

Questions and feedback appreciated,
Ylian Saint-Hilaire
info.meshcentral.com

In this YouTube video, Jacob Gauthier and myself demonstrate and talk about
Meshcentral Intel® AMT IDE-R feature and the new package stuffing system for accelerated boot.

Performing a trusted AV scan on a remote machine over the cloud has never been easier. With just a few
clicks you can remotely boot and launch a the scan using a fully verified trusted recovery OS.

Meshcentral uses an innovative “package stuffing” system to keep the IDE-R session fast.
Usage packages like anti-virus and others are pulled from local disk, HTTP or IDER-R and hash checked.
If downloaded & validated, they are pushed back into local storage for future use.

Back in the old days, one only needed to think about ME (Intel^® Manageability Engine) Firmware if one was using Intel^® Active Management Technology (AMT) on Intel^® vPro^TM Technology systems.  But some form of ME is now found on most Intel client architecture based systems including the need for an interface driver between the OS and the hardware (previously called HECI, now called the MEI (Manageability Engine Interface) driver.)  You can check the version of your MEI driver under Device Manager > System Devices > Intel Management Engine > right click Properties and look at the driver tab.

But don't let the name fool you, ME Firmware does a lot more than manageability.  

For this blog, I want to mention a few recent features and which versions provide them. The features I'll mention are: 

• Windows* Connected Standby (CS) - aka Instant Go*
• Intel ME FW Power Gating (PG)

Microsoft Connected Standby exists to save power while maintaining network connectivity. It can be triggered by closing the lid, pressing the power button or when a system goes idle. The user sees the screen go off and software is throttled or suspended, but connectivity is maintained. The power requirement for certification is that the battery drop less than 5% over 16 hours in CS state. To maintain connectivity, the network adapter (wired or wireless) must accept ARP requests without waking the host. (For the technically curious, the CS power states are called SOi (1-3) and are a combination of Cx (cpu state) and RTDx (device state)).  All Windows* 8.x client versions support CS but require the BIOS be configured for CS. Intel ME firmware support for CS is limited to ME 9.5 and ME 10 on Windows 8.1 (64-bit) in the consumer SKU although power gating is already available in both consumer and corporate (pre AMT enabled) SKUs.  FPrior to Windows CS, Intel had a similar feature called Intel® Smart Connect Technology, (does not coexist on a system with CS). CS systems maintain network connectivity while Smart Connect systems would wake and check periodically. 

Now we know that for Intel AMT, ME has it's own power states outside of the OS so that it can be managed/contacted out of band; and since the OS does not control the ME states, they are handled as S0 states. Plus we must remember that wired and wireless are handled differently by ME for that OOB connectivity. Wired adapters have two drivers used - one for the OS and another for the ME. But with wireless, the OS and ME share a driver, which cannot be used simultaneously by both.  So in AMT 9.x and 10.0, the CS power requirement cannot be met when AMT is enabled, something that will change in some future versions. Part of enabling AMT while using CS comes from the Intel ME Power Gating feature, which as you might have guessed, currently works with consumer firmware and non configured AMT corporate firmware. Note: SOL is hidden from the OS when AMT is not provisioned. The driver is usually preinstalled, but SOL won't be seen until the system is provisioned and rebooted. 

A word about versioning here. Intel has been striving to make firmware versions backward compatible and also split the firmware into 2 sizes. There's a small version for consumer systems and a larger version for corporate systems. The corporate larger AMT SKU can be paired with Intel vPro Technology Core processors for all the vPro technology features.  However AMT features can exist in client and/or corporate, but tend to vary across OS. 

Likewise is previous versions, the ME FW version number was usually one integer higher than the chipset version. Intel 8 series chipsets used ME 9.0. But in moving to backward compatibility as well as addressing the socket sharing between CPU generations, this versioning scheme was modified. The 9 series (2 chip) chipsets used 9.1 firmware  with 9.0 being field upgradable to 9.1. And then came 9.5 and 10.0.  Starting with 9.0, each release should be applicable to any ME 8.x or later system. (One installer will determine which features to install). I checked my versions and on my Intel 7 series chipset system ,I am running the 9.5 MEI driver.

Important Note: ALWAYS use the ME firmware supplied by your motherboard manufacturer and the MEI driver supplied.

You can check for Instant On support by typing powercfg /a at the command prompt.

While Intel did not release an Intel® vPro^TM Technology desktop with  ME (Intel® Manageability Engine) Firmware v10, the later versions of firmware are backwards compatible as early as Intel^®  7 series chipsets (ME 8.x originally). Intel^®  Active Management Technology (AMT) is part of the corporate (larger) version of ME firmware and provides most of the manageability functions of of Intel® vPro^TM Technology, so let's look at what's new in AMT 10.

Important Note: ALWAYS use the ME firmware and MEI driver supplied by your motherboard manufacturer.

The most important change:   OpenSSL is now implemented with no heartbeat flag. So on systems being upgraded to AMT10, please revoke and reissue the certificates and change passwords. 

Other Improvements: 

• Provisioning using the secured FQDN is now supported in both Admin and Client Control Modes  

• Screen Blanking (of the remote client console screen) can be used while performing administrative KVM activities. (Available in the HLAPI and KVM app tools)

• Graceful power shutdown is supported on Windows* Vista, 7 and 8 for 32 and 64-bit platforms, including Windows 8 Connected Standby*.
  The graceful power events will generate UNS events.  
   
• Systems can be woken from Windows Connected Standby and Instant Go, although there is no implementation to put the system INTO CS/Instant Go.  
  • Use IPS_PowerManagementService.OSPowerSavingState to get the standby state.
  • Use IPS_PowerManagementService.RequestOSPowerSavingsState to wake the system
     
• The length of the root certificate can now be up to 2500 bytes
   
• CILA alerts now provide the generating hostname and the reason for the UI connection. 
   
• The Real VNC* version is now 1.2.5

. 

I'm setting up SCS with Remotly configuration. Now I want to configure a client but get the following error. I didn't have installed a PKI cert, don't know if that is the issue.

2014-09-23 09:10:20:(INFO) : ACU Configurator , Category: HandleOutPut: Starting log 2014-09-23 09:10:20
2014-09-23 09:10:41:(INFO) : ACU Configurator, Category: -ConfigViaRCSOnly-: :Starting Remote configuration...
2014-09-23 09:11:08:(WARN) : ACU.dll, Category: Remote Profile Configuration: Intel(R) AMT Operation completed with warnings: A Soap Fault occurred. Failed while calling WS-Management call SetKVMSettings (IPS_KVMRedirectionSettingData.Put): A SOAP FAULT was received. : FaultSubCode: e:AccessDenied
2014-09-23 09:11:08:(WARN) : ACU Configurator, Category: Exit: ***********Exit with code 32. Details: Intel(R) AMT Operation completed with warnings: A Soap Fault occurred. Failed while calling WS-Management call SetKVMSettings (IPS_KVMRedirectionSettingData.Put): A SOAP FAULT was received. : FaultSubCode: e:AccessDenied