1 2 Previous Next 20 Replies Latest reply on Jun 27, 2013 12:09 PM by MrGadget

    vPro not consistent/working & Intel KVM displays blank screen

    Apprentice

      We are running LANDesk 9.0 SP2 (with all current available MCPs).  I have set a strong password and enabled vPro, purchased a GoDaddy SSL cert, and placed it on the LANDesk core.

       

      I haven't created a CNAME to provisionserver.fqdn yet.  Is this absolutely essential at this level?  I assumed if the clients that already have LANDesk Agents on have vPro then they will provision correctly?   For example, most machines now that are vPro capable will display Intel vPro menu options.

      vprocontextmenu.jpg

      vprogeneral.jpg

       

      I just started testing vPro in our environment and I've having lots of trouble getting any sort of reliability.   What am I missing here?  Certain models appear to work (for example, Optiplex 980s) and I can use most of the vPro options, can do IDE-R directions, Power On/Off the machine.

       

      I've tried testing with laptops, Latitude E6510, Latitude E6400. Both show all vPro options in LANDesk console but none of the functionality is working at all.

       

      For other computers with vPro, I can see the vPro context menus in LANDesk but none of the functions work and will freeze the LANDesk console until the AMT process times out. None of the functions work with these models.

       

      In one such case where I was finally making progress, I was able to get OptiPlex 980s working somewhat (vPro context menus are working) but the Intel KVM but the display comes up blank.  (Tried this directly from the core and on my remote console).   I can actually control the computer and type commands to the remote computer but the display comes up black.

       

      intelkvmdisplay.jpg

       

      Any ideas?

       

       

       

      The AMTProvMgr2.log is also inconsitent, some machines seem to provision fine, while others get lots of errors.

      Example:

       

      Fri, 23 Mar 2012 08:52:59 LANDesk Intel AMT Provisioning Manager
      Fri, 23 Mar 2012 08:52:59 IP: ip.address.removed UUID: 44454C4C-5300-1057-8032-C2C04F4C5331
      Fri, 23 Mar 2012 08:52:59 FQDN hostname form DNS: hostname.removed.esting (host.name.removed)
      Fri, 23 Mar 2012 08:52:59 Host Name: MACHINE_NAME_REMOVED
      Fri, 23 Mar 2012 08:52:59 PID: No
      Fri, 23 Mar 2012 08:53:00 user cert 1 exists
      Fri, 23 Mar 2012 08:53:00 soap_ssl_client_context() return: 0
      Fri, 23 Mar 2012 08:53:00 Action: getCoreVersion
      Fri, 23 Mar 2012 08:53:00 GetCoreVersion passed
      Fri, 23 Mar 2012 08:53:00 Action: setProvisioningPeriodDuration
      Fri, 23 Mar 2012 08:53:00 setProvisioningPeriodDuration passed
      Fri, 23 Mar 2012 08:53:00 Action: GetPasswordModel
      Fri, 23 Mar 2012 08:53:00 GetPasswordModel passed
      Fri, 23 Mar 2012 08:53:00 Action: GetAdminAclEntryStatus
      Fri, 23 Mar 2012 08:53:00 GetAdminAclEntryStatus passed
      Fri, 23 Mar 2012 08:53:00 GetAdminAclEntryStatus: default, reset it now
      Fri, 23 Mar 2012 08:53:00 Action: GetAdminAclEntryStatus
      Fri, 23 Mar 2012 08:53:00 GetAdminAclEntryStatus passed
      Fri, 23 Mar 2012 08:53:00 Action: SetMEBxPassword
      Fri, 23 Mar 2012 08:53:01 SetMEBxPassword passed
      Fri, 23 Mar 2012 08:53:01 Action: GetAdminNetAclEntryStatus
      Fri, 23 Mar 2012 08:53:01 GetAdminNetAclEntryStatus passed
      Fri, 23 Mar 2012 08:53:01 GetAdminNetAclEntryStatus: default, reset it now
      Fri, 23 Mar 2012 08:53:01 Action: GetDigestRealm
      Fri, 23 Mar 2012 08:53:01 GetDigestRealm passed
      Fri, 23 Mar 2012 08:53:01 Action: SetAdminAclEntryEx
      Fri, 23 Mar 2012 08:53:01 SetAdminAclEntryEx passed
      Fri, 23 Mar 2012 08:53:01 Action: getHostname
      Fri, 23 Mar 2012 08:53:01 GetHostName passed
      Fri, 23 Mar 2012 08:53:01 AMT hostname is not set in bios. Set it to: [MACHINE_NAME_REMOVED]
      Fri, 23 Mar 2012 08:53:01 Action: setHostname
      Fri, 23 Mar 2012 08:53:01 SetHostName passed
      Fri, 23 Mar 2012 08:53:01 Action: setDomainname
      Fri, 23 Mar 2012 08:53:01 SetDomainName passed
      Fri, 23 Mar 2012 08:53:01 Action: SetEnabledInterfaces
      Fri, 23 Mar 2012 08:53:01 SetEnabledInterfaces passed
      Fri, 23 Mar 2012 08:53:01 Action: GetEnabledInterfaces
      Fri, 23 Mar 2012 08:53:01 GetEnabledInterfaces passed
      Fri, 23 Mar 2012 08:53:01 Both SOL and IDE-R are enabled in MEBX
      Fri, 23 Mar 2012 08:53:01 Action: SetRedirectionListenerState
      Fri, 23 Mar 2012 08:53:01 GetRedirectionListenerState passed
      Fri, 23 Mar 2012 08:53:01 Current RedirectionListenerState: Disabled. Enable it now
      Fri, 23 Mar 2012 08:53:01 SetRedirectionListenerState passed
      Fri, 23 Mar 2012 08:53:01 Action: setActivePowerPackage
      Fri, 23 Mar 2012 08:53:01 EnumeratePowerPackages passed
      Fri, 23 Mar 2012 08:53:01 SetActivePowerPackage passed
      Fri, 23 Mar 2012 08:53:01 Action: setPowerIdleWakeTimeout
      Fri, 23 Mar 2012 08:53:01 setPowerIdleWakeTimeout passed
      Fri, 23 Mar 2012 08:53:01 Action: enumerateInterfaces
      Fri, 23 Mar 2012 08:53:01 EnumerateInterfaces passed
      Fri, 23 Mar 2012 08:53:01 Action: setInterfaceSettings
      Fri, 23 Mar 2012 08:53:01 SetInterfaceSettings passed
      Fri, 23 Mar 2012 08:53:01 Action: setNetworkTime
      Fri, 23 Mar 2012 08:53:01 GetLowAccuracyTimeSynch passed
      Fri, 23 Mar 2012 08:53:01 SetHighAccuracyTimeSynch passed
      Fri, 23 Mar 2012 08:53:01 Action: EnumerateTrustedRootCertificates
      Fri, 23 Mar 2012 08:53:01 EnumerateTrustedRootCertificates passed
      Fri, 23 Mar 2012 08:53:01 No trusted root certificates exist
      Fri, 23 Mar 2012 08:53:01 Action: clear CertStore
      Fri, 23 Mar 2012 08:53:01 Action: clear CertStore ok
      Fri, 23 Mar 2012 08:53:01 Action: setCertificateStore
      Fri, 23 Mar 2012 08:53:01 CertStoreAddCert passed
      Fri, 23 Mar 2012 08:53:01 CertStoreAddKey passed
      Fri, 23 Mar 2012 08:53:01 To generate keys and certificate
      Fri, 23 Mar 2012 08:53:03 Success to generate keys and certificate
      Fri, 23 Mar 2012 08:53:03 CertStoreAddCert passed
      Fri, 23 Mar 2012 08:53:03 CertStoreAddKey passed
      Fri, 23 Mar 2012 08:53:04 CertStoreAddCert passed
      Fri, 23 Mar 2012 08:53:04 Action: setTLSCredentials
      Fri, 23 Mar 2012 08:53:04 SetTLSCredentials passed
      Fri, 23 Mar 2012 08:53:04 Action: AddTrustedRootCertificate
      Fri, 23 Mar 2012 08:53:04 AddTrustedRootCertificate passed
      Fri, 23 Mar 2012 08:53:04 Action: SetTlsOptions
      Fri, 23 Mar 2012 08:53:04 SetTlsOptions passed
      Fri, 23 Mar 2012 08:53:04 Action: CommitChanges
      Fri, 23 Mar 2012 08:53:04 CommitChanges passed
      Fri, 23 Mar 2012 08:53:04 Provisioning/Unprovisioning process completed successfuly

       

       

      Fri, 23 Mar 2012 08:55:05 Error: input parameters are not well formatted, fail!!!

       

      Fri, 23 Mar 2012 08:55:05 Error: input parameters are not well formatted

      Fri, 23 Mar 2012 08:55:05 Error: input parameters are not well formatted, fail!!!

       

      Fri, 23 Mar 2012 08:55:05 Error: input parameters are not well formatted

      Fri, 23 Mar 2012 09:06:26 Error: input parameters are not well formatted, fail!!!

       

      Fri, 23 Mar 2012 09:06:26 Error: input parameters are not well formatted

      Fri, 23 Mar 2012 09:06:26 Error: input parameters are not well formatted, fail!!!

       

      Fri, 23 Mar 2012 09:06:26 Error: input parameters are not well formatted

      Fri, 23 Mar 2012 09:12:54 LANDesk Intel AMT Provisioning Manager

      Fri, 23 Mar 2012 09:12:54 IP: ip.address.removed UUID: 44454C4C-4D00-104C-8033-C6C04F355331

       

      Fri, 23 Mar 2012 09:12:54 No FQDN hostname from DNS, use default

      Fri, 23 Mar 2012 09:12:55 Host Name: HOSTNAME.REMOVED

      Fri, 23 Mar 2012 09:12:55 PID: No

       

      Fri, 23 Mar 2012 09:12:55 user cert 1 exists

       

      Fri, 23 Mar 2012 09:12:55 soap_ssl_client_context() return: 0

      Fri, 23 Mar 2012 09:12:55 Action: getCoreVersion

      Fri, 23 Mar 2012 09:13:45 Error: GetCoreVersion failed (status: 0x0000, res: 0x0018)

      Fri, 23 Mar 2012 09:13:45 SOAP 1.1 fault: SOAP-ENV:Client [no subcode]

      Fri, 23 Mar 2012 09:13:45 "Timeout"

      Detail: connect failed in tcp_connect()

       

      Fri, 23 Mar 2012 09:13:45 Current password failed, use default credentials (PKI mode, res: 0x18)

      Fri, 23 Mar 2012 09:13:45 Action: getCoreVersion

      Fri, 23 Mar 2012 09:14:27 LANDesk Intel AMT Provisioning Manager

      Fri, 23 Mar 2012 09:14:27 IP: ip.address.removed UUID: 33A80B01-50D8-11CB-BD84-972230A220ED

       

      Fri, 23 Mar 2012 09:14:27 FQDN hostname form DNS: hostname.removed. (hostname.removed)

      Fri, 23 Mar 2012 09:14:27 Host Name: HOSTNAME.REMOVED

      Fri, 23 Mar 2012 09:14:27 PID: No

       

      Fri, 23 Mar 2012 09:14:27 user cert 1 exists

       

      Fri, 23 Mar 2012 09:14:27 soap_ssl_client_context() return: 0

      Fri, 23 Mar 2012 09:14:27 Action: getCoreVersion

      Fri, 23 Mar 2012 09:14:35 Error: GetCoreVersion failed (status: 0x0000, res: 0x0018)

      Fri, 23 Mar 2012 09:14:35 SOAP 1.1 fault: SOAP-ENV:Client [no subcode]

      Fri, 23 Mar 2012 09:14:35 "Timeout"

      Detail: connect failed in tcp_connect()

       

      Fri, 23 Mar 2012 09:14:35 Protocol https fails(URL: https://ip.address.removed16993), use http

       

      Fri, 23 Mar 2012 09:14:35 Action: getCoreVersion

      Fri, 23 Mar 2012 09:15:17 Error: GetCoreVersion failed (status: 0x0000, res: 0x0018)

      Fri, 23 Mar 2012 09:15:17 SOAP 1.1 fault: SOAP-ENV:Client [no subcode]

      Fri, 23 Mar 2012 09:15:17 "Timeout"

      Detail: connect failed in tcp_connect()

        • 1. Re: vPro not consistent/working & Intel KVM displays blank screen
          LANDeskWizrd SSMMVPGroup

          I am pretty certian that having provisionserver DNS entry is essential to vPro machines provisioning. Not sure if having the LANDesk agent only will provision the machines since the provisionserver doesn't have to be the core server. It's been a while since I setup mine but the DNS entry is a must.

          • 2. Re: vPro not consistent/working & Intel KVM displays blank screen
            Apprentice

            Any idea then why some machines appear to provision fine in the logs and some vPro functionality is working.

             

            I am waiting for our network team to setup the CNAME for me so hopefully it will solve some of my issues.

            • 3. Re: vPro not consistent/working & Intel KVM displays blank screen
              LANDeskWizrd SSMMVPGroup

              Not really sure why some look like they work. Could they have been manually provisioned by someone else? Is the PC vendor involved in pre-configuring the machines before they arrive? It is possible that the LANDesk agent is able to activate some of the vPro actions but again not sure.

              • 4. Re: vPro not consistent/working & Intel KVM displays blank screen
                Apprentice

                None have been manually provisioned (well a couple have that I tested but wasnt working either) and the vendor is not involved.    I have the CNAME alias change happening soon so I'll report back if this fixes any issues.

                 

                Right now the vPro functionality is pretty much broken.  Menu context show up but doesnt work on 90% of machines.  Freezes LANDesk console for 1-5 minutes before timing out.

                • 5. Re: vPro not consistent/working & Intel KVM displays blank screen
                  Apprentice

                  Even with valid CNAME for ProvisionServer pointed to LANDesk core I still can't vPro functionality to work correcty.

                   

                  For example, I have a machine (Optiplex 755) that says it's configured for vPro. I can access it using https://ip.address:16993/index.htm using the username: admin and the vPro password I setup in LANDesk however I can't access any of the vPro context menus in LANDesk.

                   

                  I tried a full unprovision and reprovisioning it.

                  • 6. Re: vPro not consistent/working & Intel KVM displays blank screen
                    LANDeskWizrd SSMMVPGroup

                    How did you install the GoDaddy cert on the core?

                    • 7. Re: vPro not consistent/working & Intel KVM displays blank screen
                      Apprentice

                      Following the instructions provided on here.

                       

                      It was placed in certStore\cert_1

                       

                      certstore.png

                      • 8. Re: vPro not consistent/working & Intel KVM displays blank screen
                        LANDeskWizrd SSMMVPGroup

                        When I did it, it was more involved than just placing a few files in a subdirectory. I used this document from Intel http://www.intel.com/en_US/Assets/PDF/general/guide_godaddy_LANDesk.pdf. It's written for 8.8 and server 2003 but many steps still apply. Look at that and see if you performed any of those steps.

                        • 9. Re: vPro not consistent/working & Intel KVM displays blank screen
                          Apprentice

                          That is essentially the guide I used.

                           

                          Machines are provisioning correctly so I am assuming the certificate is working fine. I just cant use any of the vPro functionality in LANDesk.

                          • 10. Re: vPro not consistent/working & Intel KVM displays blank screen
                            MrGadget Expert

                            Welcome to the headaches of Vpro.

                            I have had many problems with vpro provisioning. I have had to manually go into the MEBX menu and unprovision (Full) several computers to get them where Landesk will reprovision them and they'll work all functions.

                            Here's the second kicker if Landesk has a second computer (by a different name) registered but has the same IP then you will get these problems.

                            When you have a computer that won't work on the vpro functions do a search in Landesk using its IP address and see if more then the one computer shows up.

                            One other thing can cause it, your Domain Controllers DNS. GO into or have someone look at the DNS in Active Directory and see in the Computer IP Address is listed multiple times with different computer names.

                            Good Luck.....

                            1 of 1 people found this helpful
                            • 11. Re: vPro not consistent/working & Intel KVM displays blank screen
                              Tanner Lindsay SupportEmployee

                              Couple quick notes.

                              The vPro menu will appear in the console if, when the LANDesk agent was installed, we thought the machines was vPro capable. We are only able to determine that if the vPro drivers are installed properly in the OS. This can sometimes be wrong because I have personally found that a machine that "doesn't" have vPro actually does, it has just been disabled by the OEM. Found that on a consumer laptop.

                               

                              However, that does not take into consideration if the machines have been provisioned or setup yet. If they are not provisioned and configured to function with LANDesk, you might be able to click options, but stuff won't go. Also, some versions of vPro/AMT are incredibly slow. Like 10 seconds per request, even if you are sitting next to it. That can cause some of the tools to time out or hang the console. You can modify the timeout value in Configure | Intel vPro options | General configuration.

                               

                              As to setup of the Core, it is as simple as dropping the files in the folder as long as those files are correct and after you go through the ringer to get a certificate from GoDaddy.

                               

                              If you feel like a machine should have vPro options and doesn't, I would recommend that you make sure the vPro driver is installed, then re-install the LANDesk agent. You can also look at the lddetectsystem.log file in the ldclient directory and it will tell you if we were able to detect the vPro features.

                               

                              EDIT - 24 Apr 2013, 4:32 pm:

                              So, I forgot the first part. This thread started with the blank screen in KVM. I don't know if this is what you are running into, but vPro will only work with the built-in Intel graphics card. If you have a separate graphics card, KVM won't work.

                              • 12. Re: vPro not consistent/working & Intel KVM displays blank screen
                                MrGadget Expert

                                I have been troubleshooting my vpro for 8 months and consistent and easy provisioning it is not. As the discussion title says not consistent\not working.

                                Here's what I've found.

                                I have about 600 laptops, same model. out of 3000 that have mostly all zeros in the amt info in thier inventory. Unprovisioning does no good. Running a scsdiscovery grabs the same info out of the AMT firmware chip and puts it into the registry. I have concluded the manufacture did not turn these chips on. As a note I have some older computers with Vpro not turned on that give the same info in the amt inventory.

                                 

                                Also laptops that run wireless and wired give varying results when provisioning. If the computer is running wireless and Landesk has it registered under the wired ip you'll see in the log that it trys the wireless ip and fails. If the wireless is turned off then it will provision if the DNS server has deleted the wireless IP.  And then theres DNS. In the DHCP registrations you'll see usually both wired and wireless IPs registered but in DNS there may be only one, it could be the wired or wireless ip. Sometimes I get them to provision by adding in the IP in DNS of the IP that is missing on both the DNS server at the site and the one my remote console gets its dns from, otherwise you have to wait for replication among the sites.

                                 

                                I have seen in the log where when i click the Setup and configure for computer X under the vpro options it trys provisioning computer Y. This I found was due to (my theory) when I looked in the computer X's registry in the Hklm\software\intel\scs7\scsdiscovery  a ip is listed that matches Computer Y  (Note the IP in the landesk console for Computer X is the correct one). Why does this happen? The only time I know of that a scsdiscovery is run (this grabs info from vpro chip and populates a registry file) is when the agent is installed.(Or in 9.5 selecting the vpro option Setup and Configure)

                                So at that time when the computer had the agent installed the IP of Computer Y did belong to this computer and must have been populated into some amt section of its Landesk database.

                                What I have have to do is since I already ran the setup and configure option which repopulated the registry with the right ip I then run a full inventory scan which copys that info from the registry to the database with the correct IP. So now run Setup and Configure again and it usually provisions.

                                 

                                I also recommend NOT using TLS On. Why, because I started that way and now I have several thousand computers that got a expired certificate so when you go to https://computer:16993 you can't get in. Another note here is my IE9 refuses any https://computername:16993. After googling I found out not all browsers act the same with secure urls. I had to download Firefox to get into any Https://computername:16993 that didn't get the bad certificate. So because of this I recommend not turning on TLS.

                                I want to add that I have had only one certificate in my cert store so I have no idea how this bad certificate happened. Firefox lets me view the certificate and it has little info and a expired date.

                                The few computers I have got my hands on with this problem I tryed manual unprovisioning and it went back the same way it was after re-provisioning.

                                Yesterday I was able to get another computer with this problem and it successfully unprovisioned and re-provisioned so I am scratching my head at this problem.

                                UPdate 5-17 2013

                                This last problem was due to someone in my server department putting our outside domain in option 15 on the DHCP Server at 6 or 7 sites. This causes a computer to first serach there then in the inside Domain second. Apparently this only bothered Vpro Provisioning and maybe made things a little slower at those sites.

                                How I found this was I brought a computer that wouldn't provision back to my site and it provisioned fine. I thought that was a fluke so I got another and it vpro provisioned ok.  I went to the Intel site and downloaded a Vpro Diagnostic Utility. In the Zip file was a command line diagnostic utility and a Gui one. I ran the Gui on a computer at the bad site. It tells all about the Amt drivers and if they are loaded but in the DNS test it failed. I saw where it was looking for Provisionserver.xxx.com which is the outside domain. That made me start looking in DNS, Wins and DHCP then I noticed in Option 15 on the DHCP sever it had the wrong address.

                                • 13. Re: vPro not consistent/working & Intel KVM displays blank screen
                                  Rookie

                                  Hi MrGadget, I've been reading your message, specifically I am interesting in this point:

                                  "I also recommend NOT using TLS On. Why, because I started that way and now I have several thousand computers that got a expired certificate so when you go to https://computer:16993 you can't get in. ".

                                   

                                  -In my configuration, I've started with NOT using TLS On, Goddady certificate and LD 9.0..  now I have 1400 devices provisioned with Zero touch method.  Goddady certificate was purchased for 1 year.  So, if I change now in LD management console to TLS On, what about those 1400 devices provisioned?
                                  they are going to be reprovisioned in TLS or they will continue with Non-TLS?

                                   

                                  -When you say that got a expired certificate, you mean Godaddy certificate ? so when Godday certificate expires all devices provisioned with this certificate are going to be not  accesible from LD management console (kvm, Intel vPro Status, etc) or only they leave to be accesible from https://computer:16993 ?

                                   

                                  -With TLS only ports 16993 and 16995 are open
                                  With non-TLS ports 16992, 16994 and 5900 ports are open.
                                  From security point of view, could be considered port 5900 open (Non-TLS) less secure than TLS ?

                                   

                                  Regards.

                                  • 14. Re: vPro not consistent/working & Intel KVM displays blank screen
                                    MrGadget Expert

                                    Once a computer is provisioned whether TLS or non-TLS it will stay that way until it is manually unprovisioned.

                                     

                                    The problem with TLS is Internet explorer would not bring up port 16993 on a computer provisioned with TLS. I had to install Firefox to get into those computers.(Google it and you'll find not all browers act the same on a TLS port)

                                     

                                    It was not the GoDaddy certificate that was showing a expired certificate. I still don't know what happened but Firefox had that expired certificate message when I tryed to open port 16993 on many of my computers and could not get in.

                                     

                                    When I wrote the above reply in this dicussion I had not found my problem. I have since found 6 or 7 of my sites had Option 15 on the DHCP server (somebody set it wrong) set for my outside domain thus they had not been fully provisioned because Landesk was looking for Provisionserver in the wrong domain and failed provisioning. Why that caused these many conmputers to show in Firefox as having a expired certificate I cannot answer. Also Intel has a diagnostic utility that tests several things and it had failed in the DNS test showing Landesk was looking for Provisionserver in the wrong domain.

                                     

                                    Tls port 16993 is more secure then port 16992 Non-TLS but I'm not a guru on security and don't see this as a problem.

                                     

                                    I still don't like TLS because of how many click this, click that I have to do to get into port 16993 with firefox. With non-TLS you just type in the computer:16992 and you're at the login screen.

                                    1 2 Previous Next