Troubleshooting issues with the Intel® AMT setup and configuration process can be a daunting prospect. This series walks through the troubleshooting methods to pinpoint where problems originate and how to fix them.
Part 7: Task Server
Determining Cause Of Failure
Amt Detection Issues
Power State Unknown
AMT Not Detected
Authentication Issues
Authentication Methods
Authentication Troubleshooting
Conclusion
The Task Server contains AMT function tasks that give you the ability to integrate AMT functionality into Task Server Jobs. This allows you to use AMT in conjunction with Software Management (Quick Delivery), Scripting, and any other Task Server supported function. Understanding how to troubleshoot the AMT side of a Task Server job will help resolve issues so that AMT can be utilized. This includes the following technologies:
- System Defense - Network Filtering
- Reliable Power Management
- IDE redirect for boot redirection
As an introduction, the actual SOAP or API calls made to the AMT system is invoked through the Real-Time Console Infrastructure, the same as when they are invoked through the Real-Time Management console for RTSM. Though the calls are from the same place, how those calls are made differ. The following subjects will be covered:
- Determining Cause of Failure
- AMT Detection Issues
- Authentication Issues
Determining Cause of Failure
The ability to wake a system is a common use-case scenario that may fail. Now how to diagnose the issue requires a number of drilldowns for the status of a Task or Job. Each individual status is available to see how the Task executed.
To determine the returned error, use the following steps. Task Server's actual failure code is buried deep in a series of status windows, as shown in the screenshot after the steps.
- Under the Task or Job that failed, double-click on the general status row for the specific execution attempt.
- If within a job, double-click on the line that represents the task or AMT function that failed.
- Note the numbers of successes versus failures. Click the 'View Report' link to the right of the Summary section.
- Now you'll get a grid with the status of the Task, including the status and return code, if present.
AMT Detection Issues
When Task Server reaches a Task that involves AMT, it makes direct calls to AMT in those systems targeted in the task or job. Detecting AMT and subsequently executing the scheduled function requires success at both junctures. The following sections discuss potential issues and solutions in this process.
Power State Unknown
One common problem we see is when a power management task fails due to the failure message: Generic error, FromState detected as unknown:14. This will cause the power action to fail. The causes vary, but the following list contains the most common:
- System unreachable - The target system is not available on the network
- AMT failed to be detected - See the subsequent section 'AMT not detected'
- Authentication failed - See the subsequent section 'Authentication Troubleshooting'
- AMT is unavailable - If a system is not configured, or AMT is not functioning on that system
Use the following process to determine what the issue is:
- If RTSM is available, try connecting to the target system using RTSM, specifying the same credential profile.
- If that fails, try different credentials that you know should work to see if there's a problem with the selected credentials. This may require modifying the connection profile you are using.
- If Step 1 succeeds, try creating a different connection profile with only AMT functions provided.
- If no RTSM is available, still try the profile with only AMT functions to see if it works.
- Try other AMT functions, such as Collect Intel AMT Inventory to see if they succeed.
- If other functions succeed, try using another method to reboot the system to reset the power state stored in the Intel ME. One way to accomplish this is using the Task Server Power Management Agent to send down a standard reboot command to the PC.
- If no other AMT functions are successful, AMT might not be properly setup on this system. Ask the question: Has this system gone through the configuring process?
- If unknown, use the Out of Band Discovery Task to see if AMT is available and to identify what state it is in. See the steps provided under the 'AMT Not Detected' section following.
- If all else fails (generally this is on a system-by-system basis, rarely do a collection of systems encounter this level of this issue) try reconfiguring the system by fully unconfiguring and going through the setup and configuration process again.
AMT Not Detected
Normally a non-vPro system will receive the return code that AMT was not detected. This is accurate, but when it happens to valid managed vPro systems, the issue must be troubleshot to determine why the applying Task Server cannot detect AMT on the system. Out of Band Discovery is a great way to determine what state the system is in. Use the following steps to take stock of the systems:
- In the Symantec Management Console, browse under Settings > All Settings > Agents/Plug-ins > Remote Management > Out of Band Management > 'Out of Band Discovery' policy.
- Enable the policy if it is not yet enabled. If it is enabled, set a schedule to run the discovery again so you have updated information on your systems.
- On the AMT system in question, go to the Symantec Management Agent and bring up the Agent UI by double-clicking on the system tray icon or by launching C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe.
- Highlight the 'Out of Band Discovery Package.
- Click the 'Out of Band Discovery' link under Application Tasks.
- Once completed, now check back at the server and double-click the system within a filter to bring up Resource Manager.
- Click on View > Inventory and browse to Out of Band Management, and select the data class OOB Capability. This will give you the details of AMT.
If AMT is disabled, it needs to be enabled in the BIOS. A BIOS update from the vendor may provide you a remote way to enable AMT, by using Software Delivery for example. If it is all enabled, next check the setup and configuration status. Setup and Configure as necessary.
Authentication Issues
As with RTSM, Task Server uses the same basic authentication method when executing against a computer. Task Server also includes another option to add additional credentials to the execution to be used when contacting the protocol, which is AMT in this case.
Authentication Methods
Since RTCI controls the authentication, much of the same method is used whether the execution of an AMT command is issues from the Real-Time console or from Task Server, however there are some differences.
Runtime Profile - The Runtime profile contains the following information:
- All known good credentials used to connect via RTSM to a system
- The Intel SCS AMT password sent to systems when setup and configuration occurs
- Previously successfully used credentials from past RTSM sessions
- Previously successfully used credentials from a Task that succeeded
User-defined Profiles - Used as previously discussed in the Real-Time System Manager section.
- WMI digest or Domain account
- AMT digest or Kerberos-authenticated user
- ASF digest or Domain account
- SNMP community strings
Task-specified Credentials - Just like with the Real-Time Management Console, AMT Tasks via Task Server have a link to select, modify, or create a connection profile. The following screenshot shows where this is found when scheduling a RTSM Power Management Task:
Authentication Troubleshooting
The following method will help identify issues and offer ways to work-around and solutions. These have been compiled through experience when troubleshooting issues with failed authentication with Task Server.
- In the Symantec Management Console browse under Settings > All Settings > Monitoring and Alerting > Protocol Management > Connection Profiles > and select Manage Connection Profiles.
- What Profile have you chosen for the Task? By default it is the Default Connection Profile if no Profile is designated when executing/scheduling the Task.
- For troubleshooting purposes, create a new profile by clicking the blue + on the icon bar.
- By default all protocols will be disabled. Expand the section for AMT (Active Management Technology).
- Click the blue plus next to the first "Select existing credentials" dropdown.
- Create a Credential specific for AMT, that you know works against the target system. Once completed it will show as the selection under the dropdown.
- For the rest of the options, check and supply details as needed.
- Change the protocol to ON (it will show as a green bar instead of red).
- Expand the section for ICMP. This will be used to initially engage the system for detection of other supported protocols.
- Change the Timeout to 2000 and Retry count to 3. This will avoid timeouts causing the inability to connect to the other protocols.
- Change ICMP to ON.
- If so desired, also supply WMI credentials to unlock those functions. Follow the same basic steps as the AMT credential setup.
- Give the Connection profile a name and then save it by clicking OK.
- Now when you schedule the Task, change the Profile by clicking the hyperlink where the connection profile is selected (default is "Select a profile").
- Execute the Task again to see if the new credential profile resolves the issue.
The new profile can be used, or the existing one can be modified to match the settings and credentials of the new one to bring it into a working solution. If it still fails with the old profile, you may need to round out the new profile and use that one. If another error is shown in the status, please consult this documentation or the Symantec Knowledgebase for details on the error.
Conclusion
While this guide attempts to be the source of knowledge for troubleshooting vPro related issues within the Symantec Management Platform, not all issues are covered here. If the answer is not found here, nor at the Intel vPro Expert center, please contact Symantec Support for additional assistance.
Return to Part 1/Index