Activation Blog

vPro Insights on using Altiris 7 OOB Site Service

terry.c.cutler@intel.com — Tue, 17 Nov 2009 18:11:21 GMT

If you are moving to an Altiris 7 environment (Symantec Management Platform or Dell Client Management platform), and already have familiarity in working with vPro in an Altiris 6 environment - take a look at this article on Symantec Connect

The article provides 4 quick insights:

Pre-defined TaskServer jobs for configuring and maintaining
Checking and fixing the OOB Site Service installation
Once OOB Discovery is enabled, using Filters to determine what systems have Intel AMT
Placement of the remote configuration certificate (different than Altiris 6 environments)

Recording and Q&As Available: Activate Today! Realize ROI with Intel® vPro Technology and Symantec Altiris

michele.gartner@intel.com — Fri, 17 Jul 2009 22:33:29 GMT

Activate Today! Realize ROI with Intel® vPro Technology and Symantec Altiris is now available for on-demand viewing!

We are hosting a series of ROI and activation webinars on Tech Republic; each one is focused on a specific management console - Symantec Altiris, Microsoft System Center Configuration Manager, and LANDesk.

This webcast features special guest speakers from Intel Corporation, Jeff Marek, Director of End User Platform Engineering, Digital Office, and Jeff Torello, Staff Architect, Digital Office and Lee Bender, Sr. Technical Manager of Strategic Alliances, Symantec. They discuss the ROI possible with Intel vPro technology usage models activated, a review of the primary usage models supported by Altiris, and an overview of the activation process using Altiris.

In addition, Kelsey captured the questions and answers from this session (Thanks Kelsey!!).

Have questions that aren't covered here? Please post them in the Ask An Expert forum and we'll get them answered for you.

Question	Answer
Q1: Are there other vendors/products that take advantage of the vPro technology, or is Symantec exclusively doing the management for the vPro technology?	A1: Yes, there are others. In fact, we have many ISV partners that support vPro Technology in their client management solutions. Other than Symantec, Microsoft supports vPro in their Configuration Manager (aka SCCM) product in the Out-of-Band Manager component. LANDesk also support vPro Technology, as well as others.
Q2: Cleveland Clinic: How much do you pay to purchase desktop from HP? Any minimum purchase?	A2: We buy over 5000 new pc's a year on our lifecycle process. We have built into this process the imaging and vpro setup. The cost is volume based, but anyone can buy a PC from HP with VPRO enablement on a one off basis.
Q3: How could you boot a remote system from a network ISO if the OS is down? ie no vpn client? Thanks!	A3: With the Intel vPro technology, a boot redirection can be initiated. This allows a bootable ISO to be presented to the system. There are online demonstrations at Intel vPro Expert Center and Symantec Connect. This is the power of Intel vPro technology and out-of-band management. Regardless of the host operating system state, Intel vPro technology communications can connect to, power on\off, present a bootable ISO, and other items over the network. The bootable ISO can be located at any accessible UNC share. There are online demonstrations at Intel vPro Expert Center and Symantec Connect. Example article.
Q4A: What specific kinds of problems can be fixed remotely, if the OS isn't operating?	A4: Software problems. By booting to an ISO located somewhere on the network, the technician has the ability to run diagnostic tools or repair corrupt files on the local hard drive. So, specifically, a tech could fix OS problems, perform hardware or low-level scans, boot into the BIOS to review and change BIOS settings, etc. This ability to redirect the boot process allows the tech to access common diagnostic tools, even if the OS won't boot! But obviously, bad hardware cannot be fixed remotely and will require a desk-side visit.
Q4B: OK, so maybe this is obvious, but to implement this, I need all new hardware, right?	A4: You may already have systems supporting Intel Active Management Technology, within the Intel vPro Technology platform. The technology has been in systems for over 3 years now. There are tools and articles on Intel vPro Expert Center and Symantec Connect explaining how to find systems. One example is here. Intel vPro Technology is a platform (analogous to Centrino) that consist of: CPU, chipset, and network adapter(s). I am not aware of any computer manufacturers that offer FRU (field replaceable unit) upgrades for motherboards/systems to convert a non-vPro PC to vPro. So, yes, the short answer is, unless you have existing PC's that support vPro, as companies refresh their fleet, they can opt for vPro Technology in their new PC purchases. We maintain a list of PCs featuring vPro Technology on the vPro Expert Center here.
Q5: How long of a time frame from investigation of vPro to actually having machines up and working?	A5: [Cleveland Clinic] It’s a process to start this. You really need to engage the product your using and vPro together. We were very early adopters in this process, and really took us about 6-7 months. Once we got through all those initial hurdles, we were able to move very quickly. We have a lifecycle process now and also pushed that back to our manufacturer. In terms of new deployment, I think it would be much quicker.
Q6: Were all of your employees behind moving to vPro? Were they all believers at first?	A6: It’s having a positive impact and is lowering the workload for people responsible for managing these systems.
Q7: How could you boot a remote system from a network ISO if the OS is down or maybe if you don’t have a VPN client?	A7: Intel vPro technology is contained in the hardware, so the OS itself is irrelevant to the functionality of vPro. The way this would typically work is that the chipset manages the network stack and so it’s still on the network with same IP/hostname. You can connect with the Symantec tool and tell it to grab this network based image (ISO) of our repair utility that we put together inside our company. That machine will reboot and load that image across the network. Now, if there’s no VPN client, you can provide the user a CD to cause the computer to be rebooted, or a USB image and have that capability still be performed.
Q8: What are the typical types of problems that customers are fixing remotely?	A8: It’s the ability to reach out and repair and recover the machine from a variety of bad scenarios. You can go down the wire to figure out if your inventory isn’t up to date and what kind of hardware it is. Once you have the ability to boot to an ISO – you can jump into the BIOS you can help the end user walk through it, low level scans, copy over possibly corrupted files. We have seen people reboot dead hardware to do even just limited functionality. Once you can fix something remotely you can repair things that you usually couldn’t.
Q9: Are there other software tools that can be used to manage vPro PCs?	There are about 60 different programs that support vPro capabilities. On the vPro Expert Center there is a list of the programs that support vPro. Some examples are Microsoft Systems Center Configuration Manager (SCCM) and LANDesk.

Remote Configuration Certificate Best Practices in Out of Band Management 7 for Intel vPro Systems

joel_smith1@symantec.com — Tue, 07 Apr 2009 20:32:09 GMT

Whether you are planning to implement a Vendor TLS Certificate in the future, or you are having trouble applying a certificate you’ve already obtained, this article walks through the best practices. The details include all the steps to properly install the right items and resolve issues we’ve encountered up to this point. This article applies to Out of Band Management Solution 7.0, included with Client Management Suite 7.0. Since certificates introduce tight encryption security, if the right items and steps are not in place or followed, it can break the ability of AMT systems to provision with Remote Configuration.

Introduction

Why is Configuring a vPro capable system important? Without setup and configuration, the functionality provided by vPro is not accessible within your Symantec Client Management Suite environment. Out of Band Management Solution allows setup and configuration to occur automatically using Remote Configuration.

Using Remote Configuration to setup and configure your Intel AMT vPro capable computers takes the work out of the process, after some initial setup. AMT systems that come preconfigured with versions 2.2, 2.6, 3.0+, 4.0+, and 5.0+ will automatically use Remote Configuration to setup and configure with a valid Provisioning Server. Out of Band Management provides such a server. The hashes from vendors (AMT 3.0 includes Verisign, GoDaddy, Comodo) are already configured in the firmware, and upon connection to power and the network, will begin to send out requests for configuration. Thus in this way the managed vPro systems are already prepared to be configured without any intervention by the IT staff.

Usually the issues we see with the Remote Configuration process originate on the server-side process of adding a certificate from the before mentioned vendors. Obtaining and installing a vendor TLS Remote Configuration certificate needs to be done the correct way so that authentication can succeed. Once in place, provisioning will roll forward without any further intervention as long as the certificate remains valid. This article focuses on applying the server-side certificate so that setup and configuration can move forward automatically.

Obtaining a Remote Configuration Certificate

This subject has been covered previously. I wanted to lightly touch upon this as there is a vital step that should be taken so that if anything goes wrong we can correct it. First, the following article covers how to properly obtain a certificate:

http://juice.altiris.com/article/4496/obtaining-and-applying-a-verisign-remote-configuration-certificate

Note that part of obtaining a Remote Configuration is submitting the request from the Server you plan to install the certificate onto. This process creates the private key for the server-side certificate, and this item will not be available until partway through the application of the crt (or cer) file obtained from the vendor. The specific step that provides the full key, both private and public, is when the certificate is exported into a PFX format after the initial import, checking the option to export the private key will give you a complete backup of the full certificate in case it is needed in the future. If something happens, or if the application doesn’t go right, we’ll need both, so it’s essential to export this as soon as possible.

During the steps to install the certificate emphasis will be given on the step where the export should take place.

Certificate Authority (CA)

In order to use Remote Configuration with Out of Band Management the Microsoft Certificate Authority services must be installed on the Notification Server or the OOB Site Server. Use the following steps to install if it is not installed:

Go to Start > Administrative Tools > and click on Add or Remove Programs.
In the left-side button bar click the button Add/Remove Windows Components.
Check the option labeled Certificate Services. See this screenshot for details:
You’ll receive the pop-up:
After installation Certificate Services, the machine name and domain membership may not be changed due to the binding of the machine name to CA information stored in the Active Directory. Changing the machine name or domain membership would invalidate the certificates issues from the CA. Please ensure the proper machine name and domain membership are configured before installing Certificate Services. Do you want to continue?
Click Yes to continue once your system has the intended identity. Click Next.
Choose what type of CA to create. If you are not installing a hierarchy of CAs you can leave the stand-alone root CA option selected. Click Next.
Input the name the CA will be known by. This must match what is in the hierarchy or by what the Remote Configuration certificate name will be known by.
The Distinguished Name is generated automatically in an AD Environment and will be the suffix of the system.
Click through the rest of the options, noting where the services data files are stored.
You will be prompted to restart IIS. This is required during the installation.
Click Finish to complete the installation.
Done! The NS or Site Server is now prepared to handle certificates in the Remote Configuration process.

Installing the Certificate

The recommended application for a Remote Configuration certificate is to let the certificate dictate where to be installed. However this process has sometimes resulted with the certificate installed to an incorrect place. When this occurred we’ve had headaches trying to clean up the system to properly install the certificate. Why this occurs is unclear. For reference I’m including the process of adding a certificate automatically here:

Save the acquired cer or crt file from the vendor onto the Notification Server or the Site Server for Out of Band Management.
Right-click on the file and choose Install Certificate.
Click next on the Welcome screen.
Leave the radial option on ‘Automatically select the certificate store based on the type of certificate’ and click Next.
Click Finish to complete the installation. You’ll receive a confirmation pop-up that the certificate installed successfully.

While I won’t advise against using this method, the below steps uses the manual installation method to ensure the certificate is installed to the correct place.

I’ve condensed the steps required into the following list. This process works for all vendors once you’ve obtained a certificate. Note that these steps are provided to consolidate both recommended steps and documentation into one whole.

Go to Start > Run > type mmc > and click OK.
In the resulting console click under File and choose Add/Remove Snap-ins…
Near the bottom of the resulting window click the Add button.
From the list that appears select Certificates and then click the Add button.
Leave the radial button selected on ‘My user account’ and click Finish.
From the same list select Certificates again and click the Add button.
From the resulting window change the radial select to ‘Computer account’ and click Next.
Leave the selection at ‘Local computer: (the computer this console is running on) and click Finish.
Click the Close button in the window offering you the list of available snap-ins.
At the original add/remove snap-in screen verify that you have two entries:
1. Certificates – Current User
2. Certificates (Local Computer)
Click OK.
Expand both trees in the left-hand pane within the console. You should see the full certificate stores as shown in this screenshot:
Right-click on the Personal folder under the Current User certificate store and highlight ‘All Tasks’ and click on ‘Import’ in the pop-out menu.
Click Next on the Welcome page of the Certificate Import Wizard and click the Browse button.
Browse to the cer or crt file provided by the vendor, highlight it, and click Open.
Click Next, and leave the radial option on ‘Place all certificates in the following store’, which should be set to ‘Personal’. Click Next.
Under the Completing section of the wizard, Click Finish. You should receive a pop-up indicating the certificate was successfully installed.
NOTE! This is the vital step mentioned previously in the article. We will now export the certificate with both public and private keys, which will give us the full set and allow us to remove and reapply if necessary. In the MMC select the newly imported certificate > right-click > and choose All Tasks > Export…
Click Next on the Welcome screen. In the resulting list you should have an active option for ‘Personal Information Exchange – PKCS #12 (.PFX)’. If this option is not available (grayed out as shown in this screenshot), there is a problem with the certificate and the private key is not accessible:

If this occurs please note the following items:
1. The application of the public key, or cer/crt file, must be done on the server where the key was requested.
2. If this is not your Provisioning Server you’ll need to contact the Vendor of the certificate to resolve the discrepancy.
3. If you did request this certificate from the server you are operating on, you’ll also need to contact the vendor to explain that the private key is not found when exporting the certificate after initial application.
Follow the wizard, and ensure you select the option ‘Yes, export the private key’. When saving the file, it will prompt you to set a password to protect the private key (this is recommended for security reasons). The export should leave you a PFX file. Keep this in a safe place, preferably in line with your company’s encryption certificate backup policy.
Next we need to import the full key into the Computer store. Start back in the MMC > under the Local Computer certificate store > right-click on the Personal folder > select All Tasks > Import…
Click Next on the Welcome screen and click the Browse button on the subsequent screen.
Browse to the newly exported PFX file. Note that you will need to change the ‘Files of type’ to include the PFX format. Click Next.
The Password screen prompts for the password you set when you exported the key in step #20, as shown in the following screenshot. Enter the password and click Next.
Choose or leave the select to ‘Place all certificates in the following store’. The value should be Personal. Click Next.
Click Finish on the end details page to complete the import.
Done!

NOTE: In Out of Band Management 6.x, with Intel SCS 3.x or earlier, a separate utility was required to load certificates into Intel SCS so the Provision Server was aware of them. This is no longer required as Intel SCS 5.x possesses intelligence to automatically acquire all installed Intel vPro Remote Configuration encryption certificates.

Reinstalling the Certificate

If you need to reinstall the certificate and you have a PFX file, you can do so by opening both certificate stores (User and Local Computer) as outlined in the previous steps. Browse through the certificate stores and delete any instance of the vendor certificate. This will remove any associations and allow a clean application of the certificate to occur. Look for the following:

The name matching the name of the cer or crt file obtained from the vendor
The vendor’s certificate (the entry will contain the vendor name).

NOTE: Be careful when removing vendor certificates as they may not be part of the Remote Configuration. The best example is Verisign, which may have many entries. If unsure, leave the certificate in place, or export it before deleting it so you can restore it if necessary.

Enabling Remote Configuration

To ensure that Out of Band Management is setup to use Remote Configuration as a valid setup and configuration method, follow these steps:

In the Symantec Management Console browse under Home > Remote Management > and click on Out of Band Management.
In the left-hand tree browse under Configuration > Configuration Service Settings > and select General.
In the resulting page ensure that the option labeled Allow Remote Configuration is checked. If it is not, check it. See this screenshot for an example:
If you needed to check the option, be sure to click Save Changes to register the change.

That should do it for the certificates. You’ve now completed the steps required to install and enable Remote Configuration in the Out of Band Management Environment. However you are not done yet! Certain infrastructure components are required to make this process seamless. Proceed to the next section for details.

Other Setup Requirements

The following items will be used to automate the setup and configuration process. Remote Configuration will use these to locate and communicate with the Provisioning Server (Out of Band Management).

ProvisionServer

Each zone within DNS should have a ProvisionServer entry to ensure that Remote Configuration requests are properly routed to the Server. This will also help properly resolve names during the authentication process. Use the following steps to add ProvisionServer to DNS:

Go to Start > Run > type mmc > and click OK.
In the resulting console click under File and choose Add/Remove Snap-ins…
Near the bottom of the resulting window click the Add button.
From the list that appears select DNS and click Add and click Close.
Click OK in the next Window.
Browse in the tree to the Forward Lookup Zones.
Right-click the entry for the Notification Server computer and choose New Alias.
Type ProvisionServer as the Alias name, in this manner:
ProvisionServer
Done!

Though simple, this is the key to directing the automatic Remote Configuration hello packets from enabled vPro systems to the Notification Server or Site Server. Without this step no setup and configuration of vPro systems will occur.

To test, log onto a system on the subnet you’re trying to conduct Remote Configuration from. Run a command prompt and use the following command:

ping ProvisionServer

We should see the responding IP Address by the IP Address of the Notification Server, or, if you’ve set it up this way, the Intel SCS Server conducting provisioning. Another test you can try is to run the following command:

nslookup ProvisionServer

We should get the data on the Notification Server’s Fully Qualified Domain Name (FQDN).

DNS Zones

In a multiple domain structure this is especially important, but all environments need to have the right data in DNS to properly pass and authenticate in a TLS environment. The DNS Primary Zone should be set to the Domain path contained within the certificate. For example, if the certificate name is MyNSServer_My1Domain_local, the DNS Primary Zone should be My1Domain.local. Without this, authentication can fail as the FQDN is used during authentication, and if the name being transmitted across the wire doesn’t match what’s in the certificate, authentication will fail. Here is another example:

Certificate: MyNSServer_My1Domain_local.crt
DNS Primary lookup Zone: My1Domain.local

DHCP Option

Another Network related requirement may be DHCP Option 15. While I’m not sure why this has proven to be required in some environments and not others, creating this option has resolved failed authentication issues within Remote Configuration.

In DNS, create an entry for Option 15, with the value of the domain path. This will often be the same as what is located in the DNS Primary Zone. The following details are an example:

Certificate: MyNSServer_My1Domain_local.crt
DNS Primary lookup Zone: My1Domain.local
DHCP Option 15: My1Domain.local

Conclusion

Following the above procedure should allow remote configuration to occur without problems. Once in place, the configuration will move forward with automatic setup and configuration for all vPro enabled systems that support Remote Configuration.

Remote Configuration Certificate Application Best Practices for Intel vPro Systems

joel_smith1@symantec.com — Fri, 07 Nov 2008 22:35:26 GMT

Whether you are planning to implement a Vendor TLS Certificate in the future, or you are having trouble applying a certificate you've already obtained, this article walks through the best practices. The details include all the steps to properly install the right items and resolve issues we've encountered up until this point. This article applies to Out of Band Management Solution 6.2. Since certificates introduce tight encryption security, if the right items and steps are not in place or followed, it can break the ability of AMT systems to provision with Remote Configuration.

Introduction

Using Remote Configuration to Provision your Intel AMT vPro capable computers takes the work out of the progress. All 2.6, 3.0+ AMT systems come preconfigured to automatically use Remote Configuration to provision with a valid Provisioning Server. The hashes from vendors (AMT 3.0 includes Verisign, GoDaddy, Comodo) are already configured in the firmware, and upon connection to power and the network, will begin to send out requests for provisioning. Thus in this way the managed vPro systems are already prepared to be provisioned without any needed intervention by the IT staff.

The issues we see then arise from the server-side application of a certificate that matches the hashes already loaded. Obtaining and installing a vendor TLS Remote Configuration certificate needs to be done the right way so that authentication can succeed. Once in place, provisioning will roll forward without any further intervention. This article focuses on applying the server-side certificate so that provisioning can move forward automatically.

Obtaining a Remote Configuration Certificate

http://juice.altiris.com/article/4496/obtaining-and-applying-a-verisign-remote-configuration-certificate

Note that part of obtaining a Remote Configuration is submitting the request from the Server you plan to install the certificate onto. This process creates the private key for the server-side certificate, and this piece will not be available until partway through the application of the crt (or cer) file obtained from the vendor. The specific step that provides the full key, both private and public, is when the certificate is exported after the initial import into a PFX format, checking the option to export the private key will give you a complete backup of the full certificate. If something happens, or if the application didn't go right, we'll need both, so it's essential to export this as soon as possible.

During the steps to install the certificate emphasis will be given on the step where the export should take place.

Installing the Certificate

I've condensed the steps required into the following list. This process works for all vendors once you've obtained a certificate. Note that these steps are provided to consolidate both recommended steps and documentation into one whole.

Go to Start > Run > type mmc > and click OK.
In the resulting console click under File and choose Add/Remove Snap-in...
Near the bottom of the resulting window click the Add button.
From the list that appears select Certificates and then click the Add button.
Leave the radial button selected on ‘My user account' and click Finish.
From the same list select Certificates again and click the Add button.
From the resulting window change the radial select to ‘Computer account' and click Next.
Leave the selection at ‘Local computer: (the computer this console is running on) and click Finish.
Click the Close button in the window offering you the list of available snap-ins.
At the original add/remove snap-in screen verify that you have two entries:

Certificates - Current User
Certificates (Local Computer)

Click OK.
Expand both trees in the left-hand pane within the console. You should see the full certificate stores.
Right-click on the Personal folder under the Current User certificate store and highlight ‘All Tasks' and click on ‘Import' in the pop-out menu.
Click Next on the Welcome page of the Certificate Import Wizard and click the Browse button.
Browse to the cer or crt file provided by the vendor, highlight it, and click Open.
Click Next, and leave the radial option on ‘Place all certificates in the following store', which should be set to ‘Personal'. Click Next.
Under the Completing section of the wizard, Click Finish. You should receive a pop-up .
NOTE! This is the vital step mentioned previously in the article. We will now export the certificate with both public and private keys, which will give us the full set and allow us to remove and reapply if necessary. In the MMC select the newly imported certificate > right-click > and choose All Tasks > Export...
Click Next on the Welcome screen. In the resulting list you should have an active option for ‘Personal Information Exchange - PKCS #12 (.PFX)'. If this option is not available there is a problem with the certificate and the private key is not accessible.
Follow the wizard, and ensure you select the option ‘Yes, export the private key'. When saving the file, it will prompt you to set a password to protect the private key (this is recommended for security reasons). The export should leave you a PFX file. Keep this in a safe place, and back it up just in case.
Next we need to import the full key into the Computer store. Start back in the MMC, under the Local Computer certificate store, right-click on the Personal folder, select All Tasks > Import...
Click Next on the Welcome screen and click the Browse button on the subsequent screen.
Browse to the newly exported PFX file. Note that you will need to change the ‘Files of type' to include the PFX format. Click Next.
The Password screen prompts for the password you set when you exported the key in step #20. Enter the password and click Next.
Choose or leave the select to ‘Place all certificates in the following store'. The value should be Personal. Click Next.
Click Finish on the end details page to complete the import.
Next, we need to load the certificate into Intel SCS so it can properly authenticate with the AMT systems requesting Remote Configuration. Browse to the following location: \Program Files\Intel\AMTConfServer\Tools.
Execute the file loadcert.exe.
Press Y and Enter.
A ‘Select Certificate' popup will appear. Select the name of the cer or crt file you received from the vendor and click OK. The window will disappear.
Now both Personal certificate stores and Intel SCS should have all the needed certificates to successfully work with Remote Configuration. However, we are not done as other steps may be needed.

Reinstalling the Certificate

If you need to reinstall the certificate and have a PFX file, you can do so by opening both certificate stores (User and Local Computer) as outlined in the previous steps. Browse through the certificate stores and delete any instance of the vendor certificate. This will remove any associations and allow a clean application of the certificate to occur. Look for the following:

The name matching the name of the cer or crt file obtained from the vendor
The vendor's certificate (the entry will contain the vendor name).

Other Setup Requirements

The following items may be required, depending on the environment.

ProvisionServer

Each zone within DNS should have a ProvisionServer entry to ensure that Remote Configuration requests are properly routed. This will also help properly resolve names during the authentication process. To test, log onto a system on the subnet you're trying to conduct Remote Configuration from. Run a command prompt and use the following command:

ping ProvisionServer

We should see the responding IP Address by the IP Address of the Notification Server, or, if you've set it up this way, the Intel SCS Server conducting provisioning. Another test you can try is to run the following command:

nslookup ProvisionServer

We should get the data on the Notification Server's name.

DNS Zones

In a multiple domain structure this is especially important, but all environments need to have the right data in DNS to properly pass and authenticate in a TLS environment. The DNS Primary Zone should be set to the Domain path contained within the certificate. For example, if the certificate name is MyNSServer_My1Domain_local, the DNS Primary Zone should be My1Domain.local. Without this, authentication can fail as the FQDN is used during authentication, and if the name being transmitted across the wire doesn't match what's in the certificate, authentication will fail. Here is another example:

Certificate: MyNSServer_My1Domain_local.crt
DNS Primary lookup Zone: My1Domain.local

DHCP Option

Another Network related requirement may be DHCP Option 15. While I'm not sure why this has proven to be required in some environments and not others, creating this option has resolved failed authentication issues within Remote Configuration.

In DNS, create an entry for Option 15, with the value of the domain path. This will often be the same as what is located in the DNS Primary Zone. The following details are an example:

Certificate: MyNSServer_My1Domain_local.crt
DNS Primary lookup Zone: My1Domain.local
DHCP Option 15: My1Domain.local

Conclusion

Following the above procedure should allow remote configuration to occur without problems. Once in place, the configuration will move forward with automatically provisioning systems that support Remote Configuration.

Implementing network filtering with Symantec Altiris

michele.gartner@intel.com — Fri, 05 Sep 2008 20:16:05 GMT

If you are using Altiris as your management console, then check out this new use case document for implementing network filters!

Altiris Use Case: Network Filtering and System Defense

The Mechanics of Provisioning with Out of Band Management 6.3

joel_smith1@symantec.com — Mon, 11 Aug 2008 16:05:04 GMT

For those who have Provisioned Intel AMT Systems, you may wonder what takes place in the background. This article is for you! The process has often been covered at a high level, but here the technical details are provided. Hopefully this helps you understand the inner workings, and provide you information when troubleshooting Provisioning issues. And for those of you who are technically minded, it's also neat to know! This information was compiled working on issues and running through provisioning processes from Symantec Support.

Introduction

Often the Provisioning process for Intel vPro systems has been described as complex. This comes from the fact that the Provisioning process was designed with high security in mind. Since the initial release we have improved success rates by working with Intel to make the process more user friendly without compromising the high level of security. To this end this document will explain the process of Provisioning from a technical level, providing an unfiltered view of the process, also without compromising its security.

Provisioning Flow

The following process assumes that Altiris Out of Band Management and Intel SCS are install, configured, and ready to go. This process follows the flow of Provisioning and what data points, technologies, and methods are used. The level of details is meant to be a resource when working with Provisioning or troubleshooting Provisioning issues, so not all details are available for this process. Note the following points before moving through the process:

The console items in the Altiris Console under View > Solutions > Out of Band Management > Provisioning are not tied to the Altiris database like most of the rest of the Altiris Console. They connect through a virtual Website (AMTSCS under the Default Website of the SCS Server) to the IntelAMT database.
Data from two databases (IntelAMT and Altiris) are used during the Provisioning process.

The following articles can assist if you need information on these:

http://juice.altiris.com/article/1314/altiris-and-intel-reg-vpro-copy-technology-evaluators-guide
Administrator's and Reference Guides: http://www.altiris.com/support/documentation look under Out of Band Management

The server is loaded with a security key or certificate. See the following two items for how these keys are loaded:

For a PID PPS, either keys are randomly generated or imported into the IntelAMT database. Specifically they reside in the table csti_pid_map. Once created/imported, they are available for verifying authentication from an incoming provisioning request from AMT.
For TLS-PKI (certificate-based Remote Configuration) a certificate is loaded onto the server. See this article for details: http://juice.altiris.com/article/4496/obtaining-and-applying-a-verisign-remote-configuration-certificate.

The clients need the matching keys loaded onto them. This is done differently depending on the type:

For PID PPS the keys are set by one of the following methods: the OEM sets it, it's entered manually into the Intel ME, or inputted via a one-touch USB flash drive. The PID and PPS are written into the firmware to be used as the authentication credentials when it looks for a provisioning server.
For Remote Configuration (TLS-PKI) at the factory predefined hashes are burned into the firmware for the following certificate vendors (more to come in subsequent versions of AMT). This means AMT already has authentication keys to begin the provisioning process direct from the factory.

VeriSign
Komodo
GoDaddy

The client machine, once it has it's keys and has been connected to the network and power, uses one of two methods to find the Provisioning Server:

The IP address of the server can be manually put into the Intel ME, including what port the SCS listener is configured for (default 9971). When this is done, the AMT client will transmit its Hello message directly to the IP Address and port.
The client will transmit its message on port 9971 to the name of ‘ProvisionServer'. If Out of Band Management, Intel SCS, and DNS have been properly setup DNS will route the packet to the Notification Server.

The Notification Server is set to listen for AMT Provisioning traffic on port 9971, but can be configured to use a different port if so desired in the Altiris Console under View > Solutions > Out of Band Management > Configuration > Provisioning > Configuration Service Settings > General. The top options labeled: ‘Listen port:".|
!ListenPort.jpg!
When SCS, via the service AMTConfig (process AMTConfigWinService.exe) receives the incoming "hello" packet, it initiates an authentication request with the client to complete the authentication process, the beginning of which was stored in the packet. Once authentication completes successfully, the process moves on.
The service, AMTConfig, catches the incoming packet and logs the data in the IntelAMT database, in the table csti_amts. This table contains all the relevant data for this system's identity.
!csti_amts.jpg!
Once the system has been logged into the IntelAMT database, Intel SCS uses the database entries under csti_configuration to initiate what's known as the props script. This script is what will assist in the provisioning process. In Altiris case, it is oobprov.exe, located by default at C:\Program Files\Altiris\OOBSC\oobprov.exe. For an example of how Intel SCS knows about this, see this data snippet from the csti_configuration table:
!csti_configuration.jpg!
On a busy SCS server you can look at Task Manager and see multiple instances of oobprov.exe running. The default settings allow 10 threads to work on provisioning requests at any given time. These threads will interface with the Altiris Database via the Altiris Agent on the local server system. In a standard setup the local system is also the Notification Server.
OOBPROV runs a SQL query to fetch the Fully Qualified Domain Name (FQDN) for the system it is to provision. The query is based off the following data points:

UUID passed to it via Intel SCS, Source is as follows: Database: IntelAMT, Table: csti_amts, Data Source: "Hello" packet from AMT system, Values used: uuid
Database: Altiris, Data-class: OOB Capability, Table: Inv_OOB_Capability, Data Source: Out of Band Discovery Task, Values used: _ResourceGuid - UUID
Database: Altiris, Data-class: AeX AC Location, Table: Inv_AeX_AC_Location, Data Source: Basic Inventory Agent, whether from Basic Inventory function or Hardware Inventory from Inventory Solution, Values used: _ResourceGuid - Fully Qualified Domain Name

The Query accomplishes the following: It takes the UUID from csti_amts, uuid and looks for a match in Inv OOB Capability, uuid. If a match is made, it takes the _ResourceGuid from the same table and makes a match of the same columns name to AeX AC Location. With the match it then reads the values stored under Fully Qualified Domain Name (I'm not sure why they didn't just label this column FQDN...).
Next, oobprov.exe hands back the FQDN it's read from AeX AC Location, Fully Qualified Domain Name and passes it to SCS. SCS takes this value and inserts it into the IntelAMT database at csti_amts, fqdn for the matching resource.
Next, oobprov.exe fetches the automatic profile set within Out of Band Management Solution. This is done in the Altiris Console under View > Solutions > Out of Band Management > Configuration > Provisioning > Intel AMT Systems > Resource Synchronization. This policy needs to be enabled for this step to work, and a default profile configured and selected under the dropdown labeled ‘Intel AMT 2.0+ to profile:'.
The profile provides the operational data for management of the AMT system. After AMT accepts the profile, the Provisioning process is now complete. Before this step, AMT functionality is not available on this system, and after this step only properly authenticated functions will be able to use Intel vPro on the target provisioned systems.

Troubleshooting

The following items can be considered break points for this process. If you've done provisioning you may have run into the symptoms produced by the following items. These are compiled as common areas of trouble in this process.

The "Hello" packets only transmit for 24 hours, on a back-off schedule, before stopping altogether. If the Server is unable to provision in that time, with IP refreshes becoming more frequent, the system can be in a limbo state. See this article for steps to rectify: http://juice.altiris.com/article/3612/using-intels-rct-tool-restart-amt-hello-packets-enterprise-provisioning
IP Address changes, refreshes within DHCP during a system's build process can leave SCS with an out of date IP Address for a system that needs provisioning. Coupled with the preceding issue this can leave the system in an unprovisioned state, leaving no ability of the SCS to contact the system to finish the process.
Remote Configuration certificate is not properly installed on the server, producing authentication failure messages in the AMT logs.
Oobprov.exe is unable to fetch the FQDN. The AMT system needs the Altiris Agent installed, have sent Basic Inventory when it had a valid FQDN (for example a system in the process of being built might not have a valid FQDN yet), OOB Discovery Task downloaded and executed, and data populated into the OOB Capability data class from the task in order for oobprov.exe to be able to fetch the FQDN. Conversely you can use the option in Resource Synchronization labeled, ‘Use DNS IP resolution to find FQDN when assigning profiles'.

A good resource for troubleshooting issues can be found here:

http://juice.altiris.com/book/3699/troubleshooting-altiris-manageability-toolkit-vpro-technology

Conclusion

Knowing the underline mechanisms can help when troubleshooting or even when planning your environment. While not all details are provided here, the most essential are.

Using Altiris? Check out new docs on best practices, wireless, and remote diagnostics

michele.gartner@intel.com — Thu, 05 Jun 2008 22:47:02 GMT

New documents for Altiris were just posted - Check them out!

Best Practices and Troubleshooting of Intel® vPro™ Technology with the Altiris® Agent

Altiris use case: Remote Diagnostics and Repair

Altiris and Intel(R) vPro(TM) Technology over Wireless

More are coming soon - come back for Altiris docs on provisioning, asset tracking, and network filters.

Optimal situation for provisioning in an Altiris environment

terry.c.cutler@intel.com — Wed, 30 Apr 2008 18:17:44 GMT

Have you ever wondered what the optimal provisioning conditions, and if there is anyway to script the event to occur? The linked article refers to batch files, VBscripts, key learning, and supporting materials for provisioning Intel vPro in an Altiris environment.

http://juice.altiris.com/node/4082

Take a look, add you insights\comments, and so forth.

Remote Configuration and Altiris

terry.c.cutler@intel.com — Fri, 04 Apr 2008 17:47:55 GMT

For those pursuing remote configuration in an Altiris environment, take a look at the article posted at http://juice.altiris.com/article/3866/frequently-asked-questions-about-remote-configuration

Some parts of the article are applicable even outside an Altiris environment

Altiris and Remote Configuration - ManageFusion lab

terry.c.cutler@intel.com — Sat, 22 Mar 2008 02:27:41 GMT

If you are planning to be at the Symantec\Altiris ManageFusion event in Las Vegas this year (April 8-10), be sure to sign up for the vPro labs. On Tuesday afternoon there will be an operations focused lab. On Wednesday afternoon there will be an Enterprise Provisioning using Remote Configuration.

On the enterprise provisioning side, there are mainly three items to keep in mind

Authenticate the Intel vPro firmware to the provisioning service
Obtain the Configuration parameters - provision profile, Active Directory OU, etc
Map the Clients FQDN and UUID

The enterprise provisioning lab will discussion and step through each.

Troubleshooting the Altiris Manageability Toolkit for vPro Technology - Part 4 - Provisioning Server Troubleshooting

joel_smith1@symantec.com — Wed, 19 Mar 2008 20:51:48 GMT

In part 3 we covered troubleshooting common Provisioning Console issues. In part 4 we now focus on those components operating in the background during provisioning. With a functioning install and console, and when the issue appears to be server-related (In part 1 we covered troubleshooting the locale AMT system) now any issues seen must be evaluated on the server side. This article covers this process in a Problem - Cause - Solution format.

Introduction

The server components constitute a lot of ‘background' processes that support what is only seen as Altiris Console points. Much of what goes on in the background is invisible to the user save as a change in status. If setup correctly, machines simply provision. It's when they do not provision that a user should understand the server components so that proper troubleshooting can be accomplished. Note that this covers the symptoms of server-component problems. Some of the symptoms do overlap client-side issues, but in this process we are assuming we've confirmed that the client systems is functioning as expected. If you are unsure, see Part 1 of this article series.

Symptoms

The following symptoms are seen on the Server. Please note that some of the symptoms may appear to be both client and server related making it difficult to know where the issue lies. Use Part 1 in conjunction with this article if necessary in troubleshooting these issues.

No update to Intel AMT Systems Node - At times this node can abruptly appear stagnant with no new systems coming in and no provisioning taking place
No Systems Appearing - The Intel AMT Systems node may stay blank even after connecting systems in Setup Mode onto the Network.
FQDN Not Acquired - Once the SCS receives a hello message, it needs to acquire the FQDN, and if this fails the machine will remain in an unprovisioned state
No systems Provisioning - This can occur where systems show up in the system, but none of them provision
Properties Script Failed - This is a common error to be covered separately, though many of the above symptoms end up throwing this particular error

In addition to the symptoms, the following tools were used to troubleshoot the issues to find out which particular issue afflicted the Server:

AMT Logs
OOB Trace Loggging
Wireshark

See Part 1 in this article series on how to use these. These will be referenced in the below items.

No update to Intel AMT Systems Node

Problem

The typical symptom is an abrupt stop to updates on this node. For example if you have a number of provisioned systems, with systems added as systems are brought up on the network, and abruptly they stop updating or being added, this is indicative of this issue.

Tools:

AMT Logs - No updates to this log occur.

Cause

AMTConfig Service - The AMTConfig service has stopped, crashed, or is in a hung state. This isn't common in version 3.0 of SCS or higher.

Resolution

Check that the AMTConfig Service is running.

1. Go to Services Manager under Administrative Tools.
2. Check the Service named AMTConfig to make sure it is running.
3. If the service is not running, start it. If the service is running, try restarting it just in case it's in an hung state.
4. Once the service is up and running again (if this is the issue) provisioning should start occurring.

No Systems Appearing

Problem

The symptom is that no machines appear in the Intel AMT Systems list when the page is refreshed over a period of time when new systems are expected. The page ties directly into the IntelAMT database to populate the systems, so if the list isn't updating on the page, the list is also not updating in the database.

Tools:

AMT Logs - I. No entries found

II. No entries found

III. Invalid PID Map error

Wireshark - II. On the client the "Hello" packet is sent, but on the server it never arrives.

Cause

The causes vary. See below for known causes for this issue:

I. AMTConfig Service - The AMTConfig service has stopped, crashed, or is in a hung state. This isn't common in version 3.0 of SCS or higher.
II. "Hello" packets - The routing of "hello" packets is not configured correctly, so clients can't reach the Provision Server.
III. PID rejected - The PID provided in the "Hello" packet is not contained as a valid security key in the IntelAMT database. This is only seen in the AMT Log found in the Provisioning Console under Logs, selecting the ‘Log' icon.

Resolution

See the steps to follow for the above causes.

I. AMTConfig Service

1. See the resolution to the section No update to Intel AMT Systems Node.

II. "Hello" Packets

1. In the Provisioning console go to the DNS Configuration node. Does the ‘Test' button allow Provisionserver to resolve back to the IP of the Notification Server?
2. If yes, go to the segment of the network the client is on and try to ping the name ‘Provisionserver'. Does the IP resolve?
3. If answer to either question above is NO, a CNAME record needs to be created on each DNS Server to route to the IP address of the Notification Server.

III. PID rejected

1. In the Provisioning Console go to the Security Keys node under the Configuration Service Settings. The list of unused PID and PPS combinations are listed.
2. In the IntelAMT database, within the csti_pid_map table all used and unused security keys are listed. The ones with a value ‘True' in the ‘Used' column will not show up in the console.
3. Either import the keys if the OEM placed the AMT systems in TLS-PSK Setup Mode through the import button in the Security Keys page, or manually enter the PID PPS.

FQDN Not Acquired

Problem

One or more Intel AMT Systems are registering in Intel SCS, but they never show an FQDN and never move out of the ‘Unprovisioned' status. In the AMT Log often these systems show the error ‘Properties Script Failed' (note that the cause of this error can be many, and this issue is but one of them).

NOTE! If no system is provisioning the issue may not be FQDN related. See No Systems Provisioning in this article for more information.

Tools:

AMT Logs - Properties Script Failed messages

OOB Trace - Unable to locate FQDN (Fully Qualified Domain Name) entries

Cause

Intel SCS calls the Out of Band Provisioning or Properties script oobprov.exe to do a number of things. The first thing it does is obtain an FQDN for the machine needing provisioning. If it fails to obtain an FQDN Provisioning will fail and the computer will remain in an unprovisioned state until oobprov.exe can successfully locate the FQDN.

Resolution

To find the FQDN, oobprov.exe runs through a number of checks. The suggested method is to have the Altiris Agent installed and have run the OOB Discovery Task (located in the Altiris Console under View > Solutions > Out of Band Management > Configuration > Out of Band Discovery > Out of Band Discovery). This populates the Altiris database so it has both an FQDN in the AeX AC Location data class and the UUID in the Inv_OOB_Capability data class. If this data is not available, another option is to check DNS resolution as a method. In the Altiris Console look under the Resource Synchronization node, within the Intel AMT Systems folder. As shown below, this option enables oobprov.exe to use DNS IP resolution as a method.

NOTE the warning found directly below the checkbox: Warning! Using DNS for IP to FQDN resolution might lead to incorrect profile mapping. Make sure your DHCP server is configured correctly to give update the DNS server for dynamic addresses.

No systems Provisioning

Problem

Systems are added regularly to the Intel AMT Systems node, but they never provision. This includes never getting an FQDN (see the above section for more information), though the cause may not be the inability of oobprove.exe to obtain the FQDN.

Tools:

AMT Logs - Provisioning Script Failed messages

OOB Trace - No references to oobprov.exe

Cause

If not an FQDN mapping issue, this issue stems from a timeout value in the IntelAMT database being set to 0. In the IntelAMT database, in the table csti_configuration, under the column Props_script_timeout if the value is 0 IntelSCS will timeout before it even has a chance to call oobprov.exe.

Resolution

Normally only one row exists in this table. The following SQL query will properly update this value to the default level. The default is 180 and should be set.

USE IntelAMT

UPDATE csti_configuration

SET props_script_timeout = 180

WHERE use_props_script = 'True'

Execute the script within SQL Query Analyzer or SQL Enterprise Studio to update the value.

Properties Script Failed

Problem

This message can mean a number of things, including the symptoms described in the preceding two section. This message can continually appear into the AMT logs as provisioning is attempted over and over.

Cause

The causes of this issue vary. The basic explanation is that when oobprov.exe is called, if it returns anything other than success, the resulting error message in the AMT logs is ‘Properties Script Failed'.

Resolution

See the above two sections for the symptoms No Systems Provisioning and FQDN Not Acquired, but for additional information see the following article:

http://juice.altiris.com/article/2982/troubleshooting-properties-script-failed-out-band-management-solution

Conclusion

This concludes the troubleshooting section for the Provisioning process. For the most common issues, the resolutions and steps presented in the first four parts of this series will resolve them. I also hope the methodology here helps explain how the background processes are working. In the next parts of this series we'll cover troubleshooting issues with the management components after systems have been successfully provisioned.

Troubleshooting the Altiris Manageability Toolkit for vPro Technology - Part 3 - Provisioning Console Troubleshooting

joel_smith1@symantec.com — Tue, 18 Mar 2008 16:05:26 GMT

In part 2 we introduced the Server components used in Provisioning, including some key items to be aware of. In this installment we'll cover troubleshooting the server components in a symptom - cause - resolution format. The methodology should also allow help you understand how these components work for further troubleshooting efforts, or for simply understanding how the data is moving through the Provisioning process. This specific article covers the Console and the common errors that can appear.

Introduction

Once the server components are installed, and the AMT systems are in a correct Setup Mode, one must access the Provisioning Console to manage the Provisioning process. This console is located in the Altiris Console under View > Solutions > Out of Band Management > Configuration > Provisioning. This part of the series covers errors in the console, specifically to common errors scene after the installation has taken place. These errors can also surface due to environmental changes in the infrastructure.

Symptoms

This section lists all the symptoms covered in this article. Use this list to guide you if you are working on a specific issue.

Provisioning Console Access Forbidden - Generally this is a 403 error on most of the Altiris Console Provisioning Nodes
Provisioning Console Connection Closed - All the Provisioning Nodes show an error that the underlining connection was closed
Provisioning Console User Not Authorized - This error relates to the access rights to the actual Provision Nodes, and can happen even if a user is an Altiris Administrator
Provisioning Console Timeouts - We've seen timeouts occur in the console, when accessing the Intel AMT Systems list

Provisioning Console Access Forbidden

Problem

When accessing the Provisioning Console, the following error is thrown:

The request failed with HTTP status 403: Forbidden

Cause

When installing Intel SCS, the manual install defaults to HTTPS, using TLS for secure communication. If the environment is not setup for TLS/HTTPS, the Altiris Provisioning Console will be unable to authenticate to Intel SCS, throwing this error.

Resolution

On the Notification Server where Intel SCS is installed, open up IIS Manager.
Browse down into the Default Web Site and select AMTSCS.
Right-click on AMTSCS and choose Properties.
Select the Directory Security tab.
Click the Edit button under the Secure communications section.
Uncheck the box labeled ‘Require secure channel (SSL).
Click OK.
Click Apply and then OK.

Provisioning Console Connection Closed

Problem

The error ‘The Host Name cannot be resolved', or ‘ the remote connection was closed' appear when accessing the Provisioning Console.

The problem can also be seen when using the Test functionality on the DNS Configuration node. It may show a failed to obtain IP message.

Cause

When our Console tries to resolve the name to the Intel SCS Server (even when Altiris and SCS are on the same server) it fails and one of these errors are thrown. The difference can be in the perceived FQDN for the Server. Altiris is attempting to acquire the right IP address so it can communicate with SCS.

Resolution

There are two ways to fix this if a reinstallation does not correctly set the SCS identity within Altiris.

LMHOSTS or HOSTS files - We can update one or both of these files to contain the FQDN we're using to try and translate the IP Address. The difficult part is finding out what Altiris is attempting to connect to. Use the process below to find out what it is looking for:

See Part 1 concerning the use of OOB trace logging and Debug View.
Enable trace logging in OOB and launch dbgview.exe.
Try to access the console and produce the error.
Stop trace logging.
This is the difficult part. Normally I scan through the log looking for the host name of the server. Usually this shows up as part of an FQDN. One example of this is Altiris called Servername.domain, which did not respond, but Servername.domain.com was a valid name.
Do a Search for the Host Name of the system (Not FQDN as it may not be using the valid one). For example, MyServer.
Once complete, access the file named lmhosts (no extension). Place a line in the file with the Server IP Address and invalid name:

10.10.10.1 Servername.domain

Whatever invalid name was located in step 5, the above sequence can be used to give the computer the correct IP Address resolution. This resolves the issue. However there may be other steps needed. If this doesn't resolve the issue, continue to step 8.
Access the Service Location node in the Provisioning Console.
Change the option to ‘Alternate URL:'.
Specify a new location changing the name to one that resolves, for example:

Previous URL: http://Servername.domain:80/AMTSCS
Fixed URL: http://Servername.domain.com:80/AMTSCS

Click Apply to save the changes.

The difficult part in this process is locating what Altiris believe the name of the Intel SCS Server is. Since Altiris and SCS are not integrated, they do not have a mechanism that shows if they are on the same server or not. This is why this issue surfaced.

Provisioning Console User Not Authorized

Problem

After installation or after credential changes the typical error structure appears with the message:

Current User can't view this page.
Current user can't change settings on this page.

Note that the error does not have the Red error typically associated with other console errors.

Cause

After installation only the user who conducted the Intel SCS install has rights to the console nodes. Until other users are added, only this user (usually the Notification Server Application identity) has rights to these nodes. Notification Server role and scope security does not apply to the populating of the data to the right of these nodes (although it does control access to actually showing the nodes themselves in the left-hand tree).

Resolution

Follow these steps to give the necessary users rights to the Provision Console nodes:

Log into the Altiris Console as the Notification Server Application Identity, or the user used to manually install Intel SCS (one of these will usually be the authorized user).
Access the Altiris Console under View > Solutions > Out of Band Management > Configuration > Provisioning > Configuration Service Settings > Users.
Note the users who already have rights.
Click the blue + icon to add a user.
Click the ... browse icon to see a typical Notification Server Domain user and groups search window.
Add a group or user and click OK.
Under the Role: give Enterprise Administrator rights unless you want to limit which nodes are operable.
Click OK to complete adding the user.

If no user can access these nodes, the Intel SCS installation needs to be run again under the correct user. Run through these steps to complete this:

Log onto the Notification Server directly (or with the /console switch if you're using Remote Desktop) with the NS Application Identity.
In Add/Remove Programs, locate ‘Intel® Active Management Technology Setup and Configuration Service and remove it.
On the Notification Server, browse to install_path\Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\OOB\IntelSCS\.
Launch the file AMTConfServer.exe and walk through the install. Be sure to use the Application Identity as the credentials for SCS.
When prompted for the database credentials, if permissible use the Application Identity.
Once completed log into the Altiris Console with the Notification Server Application Identity, then move back to step 1 of the previous sequence to add other users as necessary.

Provisioning Console Timeouts

Problem

Even in small environments we've seen timeouts on the Intel AMT Systems node, and much less frequently on the other nodes. The timeout throws a .NET error and the page is replaced by a timeout error.

Cause

The cause is not known at this time. The timeouts do not seem to occur always at particularly busy times for the Notification Server, so it is difficult to know what causes them. When there are plenty of resources available the timeouts generally do not occur, though if the server is extremely busy it doesn't always occur. It appears to be caused by varying factors.

A refresh after the timeout error often loads the page just fine. This suggests the loading the page gets into a loop or hung state, instead of a true processing timeout issue.

Resolution

No full resolution is known at this time, but a few items can help minimize the impact of the issue.

Remote Consoles - We've seen remote consoles perform better than having the console loaded directly on the Notification Server
Refresh - Normally the timeouts occur without loading any of the frames within the page. If you click on the link or hit the refresh for the Intel AMT Systems page and no frames load within a minute, refresh the page. Often when the page is refreshed it then loads correctly, even quickly.

Conclusion

Once the console has been restored, the Provisioning process can be configured and initiated. Because of the all or nothing nature of most of these issues, they must be overcome before even being able to properly setup and configure Intel SCS for the Provisioning process. The above resolutions cover the methods used to resolve these issues at multiple sites.

Troubleshooting the Altiris Manageability Toolkit for vPro Technology - Part 2 - Provisioning - Intro to Server Components

joel_smith1@symantec.com — Fri, 14 Mar 2008 17:35:45 GMT

In part 1 of this series we covered troubleshooting the local AMT client system. In this part we'll discuss the server components as part of the provisioning process. Learn how the symptoms pinpoint each components, and what methods reveal the source of the problem. Learn how Out of Band Management handles the Hello Packets in conjunction with the Intel SCS Component.

Introduction

Provisioning isn't a single road. There are two primary paths to reaching a provisioned state, not counting the simple ‘Small Business Mode'. Pre-shared Keys (TLS-PSK) and Remote Configuration (certificate-based TLS) provide two methods for authenticating with the Provision Server and receiving a Profile to set it into a Provisioned state. Understanding the server components is essential to properly diagnosing and troubleshooting problems with the process. Part 3 of this series will cover the symptoms and their likely causes, including troubleshooting details.

The following components integrate in the following manner:

Out of Band Management

Out of Band Management contains 3 main components, with further components broken down as shown here:

Out of Band Management Solution - This is the main NS installer

NS-based Tasks and Agents
Provisioning Console Nodes

Out of Band Setup and Configuration - This is a wrapper for the Intel SCS install

Creates the files used for the Intel SCS installation

Intel SCS Component - This is Intel code for interacting with AMT systems

AMTConfig Service
IntelAMT database

Out of Band Management Solution

The installer for this Solution creates the Altiris Console pages and underlining code that intersect directly with the Intel SCS component. Consider those pages as hooks into Intel SCS. Intel SCS can install without Out of Band Management. Everything located in the Altiris Console at View > Solutions > Out of Band Management > Configuration > Provisioning ties directly through the AMTSCS web service to access the IntelAMT database (with the exception of DNS Configuration, Service Location, and Delayed Provisioning).

This installer also creates the Tasks, Packages, and Agents used for Out of Band Management, including:

Out of Band Discovery - This is an EXE that uses the standard NS Software Delivery to detect the presence of AMT and pull certain data out, including the UUID. This is used heavily for FQDN mapping and is an important part of the best provisioning method.
Out of Band Task Agent - This agent installs like any other Altiris Agent subagent. It's used to function with ASF, or to restart the Hello Packet sequence with Delayed Provisioning in Remote Configuration.
Delayed Provisioning Task - This restarts the Hello Packet sequence, and requires the Out of Band Task Agent.
Collections and Packages - Collections and Packages for the above items.
Oobprov.exe - This is the Provisioning agent that assists the SCS in provisioning AMT client systems.

Important points:

Out of Band Management NS items will work without IntelSCS, but the Provisioning nodes require Intel SCS to be installed and properly configured.

!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1300/ProvisioningTree.jpg!
Installed Alone most of the above nodes will not function. The default error shown here will show with ANY problem:

Error connecting to the Intel® AMT Setup and Configuration Server. Verify that Intel® AMT Setup and Configuration Service security settings are configured and AMTConfig service is running. See documentation for details on troubleshooting the Intel® Setup and Configuration Server Installation.

The error always has a second bullet point, with another warning box containing additional bullets. These usually give a more specific message concerning the problem. I've rarely found that the message above accurately points to the source of the problem. See this screenshot for an example:

Out of Band Setup and Configuration

This installer is truly just a wrapper for the Intel SCS installation. It does provide a crucial function. It lays down the following folder structure where the Intel SCS Component is installed from:

Install_path\Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\OOB\IntelSCS

The installer does make an automatic attempt to install Intel SCS using the script located at the above location named InstallWithDefaultSettings.cmd. This install makes the following assumptions:

The SQL database server and instance is the same one the Notification Server is using
The AMTConfig service account will run under the Altiris Application Identity credentials
The Database install and user will be the Altiris Application Identity Account
The Default Web Site is available for install of the AMTSCS virtual directory

Intel SCS Component

The Intel Setup and Configuration Service component is provided by Intel and supported by Altiris\Symantec. This includes the following components:

IntelAMT database - Like the Altiris database, the IntelAMT database is the backbone of the SCS component. The following items are included in the database:

Hello packet data
Queues for Provisioning and Maintenance actions
Settings for SCS
Security keys
AMT machine data
AMT Profiles

AMTConfig Service - This service is the piece that talks to the AMT systems and processes items in the database queues. It also calls oobprov.exe to assist in provisioning, primary to obtain the FQDN for the system.
AMTSCS Virtual Directory - In IIS SCS creates a virtual directory that contains the interfaces Out of Band Management Console uses to connect to the IntelAMT database. It's simple structure belies the importance of this interface.

Keep in mind the following:

Failures to install are almost always security related. See the below ‘Install' section for more information.
The IntelAMT and Altiris databases are required to be installed to the same SQL instance for Resource Synchronization to work (Resource Synch is the process of importing AMT systems from SCS to NS. In cases where a system is already managed by NS, the data will be merged in the existing NS record)

Install

Often when you install Out of Band Management Solution or the Altiris Manageability Toolkit for vPro Technology the assumptions cause the OOBSC component to fail, and a message is thrown giving basic instructions on how to install it manually. In some ways I prefer the manual installation so each setting can be directly controlled. When this happens, it's important to follow these steps to avoid issues:

Log onto the Notification Server with the Application Identity, or if not allowed, log on as the user that has rights to the Notification Server and the SQL Server.
Stop IIS on the Notification Server, shut down all Altiris Consoles, stop the AMTConfig service, and shut down any SQL consoles (SQL Enterprise Studio, Query Analyzer, etc). While this can be difficult to arrange, it ensures all necessary accesses and resources are available.
Launch the installer directly from install_path\Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\OOB\IntelSCS\AMTConfServer.exe
Follow the onscreen prompts. In the next part we'll discuss a scripted install should this install fail. The scripted install allows greater visibility to the process and shows any errors as they occur.

Oobprov.exe

This component is what is known as the Provisioning Script, or Properties Script. Intel SCS requires a provisioning script in order to conduct Provisioning, and as mentioned earlier this is provided as part of Out of Band Management.

When the AMTConfig Service receives an incoming hello message, it logs it in, places the provisioning request in the queue, and then calls oobprov.exe. Any message stating ‘Properties Script Failed' means that oobprov.exe did not successfully provision the AMT system.

AMTSCS Virtual Web-site

The web-site is generally invisible to the admin running the Console. It must exist, but otherwise the mechanism is pretty solid. The only exception to this rule is when TLS, or Transport Level Security, is involved or not.

Keep in mind the following:

If you will be using TLS for AMT management, this virtual directory much be set with https for any functionality.
If you will not be using TLS, https cannot be enabled on this virtual directory.
If TLS is not implemented but https is enabled on the virtual directory, the Altiris Console will fail.
If TLS is enabled but https is disabled on the virtual directory, the Altiris Console will fail.
The default is https enabled when running the SCS install manually.

IntelAMT database

Much like the Altiris database is to NS, the IntelAMT database is the backbone of Intel SCS. While all functions in the console are automatically interconnected in the database, understanding some of the important tables can help in the troubleshooting process.

Important tables

The following is a list of some of the core tables used by Intel SCS:

csti_amts - This is the data on the actual AMT system. When looking in the Intel AMT Systems node in the Altiris Console, it is reflecting data from this table.
csti_configuration - This table holds the core configuration between Out of Band Management and Intel SCS.
csti_uuid_maps - This maps the UUID (Primary AMT ID) to the FQDN.

!csti_uuid_maps.jpg!
csti_pid_map - This table contains the security key information so that Intel SCS can authenticate to the AMT client systems, and the client systems can initially authenticate with Intel SCS.
csto_queue_entries - This is the queue wherein Intel SCS processes Provisioning and Maintenance requests.
csto_delayed_entries - For Provisioning requests that have failed for whatever reason, this queue is used.

Conclusion

This introduction to the Server Components will help provide understanding for the moving pieces, and will be heavily referred to in Part 3. Knowing how each component functions will greatly help when walking through the troubleshooting steps, especially on how to identify where the problem is originating from.

Troubleshooting the Altiris Manageability Toolkit for vPro Technology – Part 1 – Provisioning Client Systems

joel_smith1@symantec.com — Wed, 12 Mar 2008 21:29:44 GMT

*This is a repost of this article to the Activation section of the Site*

Troubleshooting issues with the Intel® AMT Provisioning process can be a daunting prospect. This series walks through the troubleshooting methods to pinpoint where problems originate and how to fix them. Use Part 1 to troubleshoot the AMT systems when provisioning is not occurring. If the issue is on the client side, this document should provide the tools to diagnose and fix the issue.

Introduction

There are several modes a vPro capable system can be in when it arrives at the customer site. The modes are:

AMT disabled
AMT enabled, not in Setup Mode (factory default)
AMT enabled, not in Setup Mode (Password has been changed in the MEBx)
AMT enabled, in Setup Mode for TLS-PSK
AMT enabled, in Setup Mode for Remote Configuration
4 and 5 in ‘Hello' Packet Mode disabled

Each of the modes have their own quirks, and understanding the modes will help determine what state a system is in, and how to change a system from one state to another.

Versioning

It is important to understand the different versions of not only the local AMT build, but of Altiris' Out of Band Management with the Intel SCS Component. See the following table:

OOBM	Intel SCS	AMT
6.1	1.2	2.0
		2.1
	1.3	2.0
		2.1
6.2	3.0	2.0
		2.1
		2.5
		3.0
	3.2.1	2.0
		2.1
		2.2
		2.5
		2.6
		3.0

Note the following points when working with the different versions:

Versions 2.0, 2.1, 2.5 do not support Remote Configuration
Versions 2.5 and 2.6 are notebooks
Versions 2.2 and 2.6 are upgrades to versions 2.0, 2.1 and 2.5 respectively and provide the additional functionality of using Remote Configuration for Provisioning
Intel SCS version 1.2 was unstable. It's recommended to upgrade to 1.3 or upgrade OOB to 6.2.
Versions 2.2 and 2.6 are not supported for Remote Configuration unless Intel SCS is upgraded to version 3.2.1. Check the following KB articles for more information:

AMT Setup

Each mode for AMT sets the system in a specific state. See the brief descriptions below of how AMT acts in each state:

AMT disabled - In this situation AMT must be enabled either manually by looking into the Intel MEBx (Ctrl+P at startup) or by using the RCT Tool. The following article covers the use of this tool, including data on the command-line switch that can be used to enable AMT:

http://juice.altiris.com/article/3612/using-intels-rct-tool-restart-amt-hello-packets-enterprise-provisioning

AMT enabled, not in Setup Mode (factory default) - This is the required mode to use USB One-Touch for provisioning. If a user or the OEM has logged into the MEBx and changed the password, the system is no longer in factory default and the One Touch method will not work.
AMT enabled, not in Setup Mode (Password has been changed in the MEBx) - One Touch will not work, but manually entering the PSK or setting into Remote Configuration mode will allow the system to enter Setup Mode.
AMT enabled, in Setup Mode for TLS-PSK - All Provisioning is encrypted using TLS, however the inner security workings can differ. For Pre-shared Key (known as PID PPS) a public and private key are used. The manufacturer can set a specific PID PPS on the system or a user can auto-generate them. The key is that both the client and server have to have the key in order for authentication to work.
AMT enabled, in Setup Mode for Remote Configuration - All 2.2, 2.6, and 3.0 version AMT systems come in this mode unless the OEM is explicitly instructed to set it differently. The point of Remote Configuration is to avoid visiting the AMT system in order to get it provisioned for manageability use.
Modes 4 and 5 in ‘Hello' Packet Mode disabled - This is common if the system is not immediately hooked up to the production network. All systems will fall into this state if they transmit the ‘hello' packet for 24 hours.

Troubleshooting Tools

Before we get into the actual symptoms, we'll cover the tools used to determine where the problem is coming from. While not easy to use, the logging capabilities allow us to verify if the correct processes are functioning on the local system.

AMT Logs

The Altiris Console has direct ties into the AMT Logs captured in the IntelAMT database as a normal part of operation. The Logging level is set in the Altiris Console under View > Solutions > Out of Band Management > Configuration > Provisioning > Configuration Service Settings > and select General. Debug Warning is recommended so you get both Errors and Warnings.

The logs are accessed from Provisioning > Logs > and select ‘Log'. Entries here will reveal problems during the provisioning process and other Intel SCS functions.

OOB Trace Logging

Out of Band Management has the ability to log trace details to a debugging program. See the following KB article on details on how to set this up:

Intel Communities

Trace logging will log everything from console accesses, to oobprov.exe calls from IntelSCS. When oobprov.exe is called, all actions are logged to trace, which can capture problems with the provisioning process.

Wireshark

While the two above tools are distinctly for Out of Band Provisioning, Wireshark tells the whole story of what is coming and going across the wire. It's important to know what the AMT clients are sending, especially in the ‘Hello' packet, and what the server is responding with.

Wireshark can be obtained from: http://www.wireshark.org/. While this is the recommended tool, any network trace capture program can be used to examine the network traffic between the AMT client and the Provisioning Server.

Altiris Knowledgebase

All know errors and issues we've run across have been documented in the Altiris Knowledgebase. If you have a specific error, search in the KB and see if we have a documented fix for it. Access it directly here:

https://kb.altiris.com/

Symptoms

The following symptoms point to problems with the local AMT system or its ability to communicate to the Provisioning Server so that Provisioning can occur.

System Missing

A common symptom for new AMT client systems is that the system, even if believed to be in Setup Mode, doesn't show up in the Altiris Console under Intel® AMT Systems. The causes vary, but the following methodology should help pinpoint where the problem originates.

Is the system sending ‘Hello' packets? Walk through this procedure to determine if it is or not:

Does the AMT Log contain entries for the system requesting Provisioning? The identifier in the logs is the UUID. One example of an error that would prevent a system from showing up is ‘failed to find PID mapping', meaning the requesting system is trying to authenticate with a PID that the Server does not have. Either import any keys provided by the OEM or other provider, or manually enter in the PID PPS under the ‘Security Keys' section of the Provisioning Altiris Console.
If no entry appears for the system, place Wireshark on both the AMT client and the Server. Now initiate a restart of the ‘Hello' packet sequence by turning the AMT client off and unplugging it from power. Drain the capacitors by pressing the power button while unplugged. Generally the power LED will light for a moment before fading dark. Plug the system back in. Does the Server show hello packets (sending on port 16994, with destination port 9971) coming in from the system?
If the server doesn't show any incoming ‘Hello' requests, fire up Wireshark on the local system to see if we see any ‘Hello' packets heading out. If they are actively leaving, something is blocking the traffic from reaching the Notification Server. These ports are standard TCP calls. See the next section labeled ‘Provision Server'.
If no ‘Hello' packets are being sent, the system may be in a non-Setup State. At the AMT system access the Intel MEBx by pressing Ctrl+P at startup. Is the password what was setup during Setup Mode, or will it only accept Admin? If none of the valid passwords work, this machine may be in an unworkable state. Unplug the CMOS battery for 15 seconds to put the machine back in Factory Default Mode, and Setup as necessary.

Provision Server

With Wireshark we can prove a system is sending ‘Hello' packets out on the wire. The destination is an important distinction as usually this will be simply the name ProvisionServer. By default, Remove Configuration and TLS-PSK will target the simple name ProvisionServer. It's up to the administrator to properly direct that Hello packet to the Notification Server.

If you ping ProvisionServer from a command-prompt, do you get the IP Address of the Notification Server? A CNAME record needs to be created in DNS to correctly direct the hello packets. Check page 21 of the Admin guide located at this KB article: Intel Communities for more information.
Another place you can test the DNS functionality is under Provisioning in the Altiris Console. Select the ‘DNS Configuration' node. Click the ‘Test' button to initiate the test. A correct IP Address signifies that DNS is working correctly from the Notification Server. The ping test is still important to signify that the client can also resolve the name.

If the network cannot support this CNAME, only two methods remain. You can set the Provision Server IP in the MEBx directly. You can also use the RCT tool to simulate the Hello packet and send it to the NS directly (see the previous link to the article on RCT usage).

Conclusion

Part 2 of this series covers the Server components for Provisioning. If you've read all the symptoms and suggestions, you'll note that there is crossover when troubleshooting between the client and the server, regardless of where the problem lies. See Part 2 for the continuation of Provisioning Troubleshooting.