
Part III of my trip to Oregon. Jake shows off the server room for the automation environment the team has created for the testing of vPro systems.

Next Up:

I'll be closing out my trip to Oregon and finally show the automation interface they use to test. I also am getting full access in my lab in Folsom so I can leverage this awesome infrastructure, which will save my local folks time and let me test consoles on the fly.

Feet on the street Updates

*if there is a specific team you would like to know more about that works on vPro please leave a comment and let me know. I'm planning on a few more groups before the end of the year as I finish my US Feet on the Street: vPro.

Past Feet on the Street Posts

Feet on the Street - vPro Series - Meet Jake G. - Part II

Feet on the Street - vPro Series - Meet Jake G. - Part I

Feet on the Street - vPro Series - Meet Wendy West

-

Jake walks me through the Ideation Lab, their infrastructure & their console testing automation setup.

NOTE: the lighting was not the best.

Next Up, Jake shows me the data center that houses their infrastructure.

Prior Feet on the Street

Feet on the Street - vPro Series - Meet Jake G. - Part I

Feet on the Street - vPro Series - Meet Wendy West

-

Hello,

This is my first contribution to the Intel vPro Expert center, and although I would not consider myself an expert on this product, I've still been graciously allowed to post here. Thanks Josh!

I'd like to start out by introducing myself. My name is Trevor Sullivan, and I am a desktop systems engineer at a large retail corporation. Over the past 8 months or so, I've been working quite a bit with several people from Intel and Microsoft to better understand the Intel vPro technology, and how it can benefit my company. Overall, I'm really impressed with the technology, and I am fortunate enough to be working with an environment that has a pretty decent install base of Intel vPro-enabled systems.

 

I'd like to take a few minutes to explain a few issues that we recently experienced with our production vPro implementation.

-


Provisioning Certificate Chain Invalid

We're using Intel vPro with Microsoft Configuration Manager 2007 SP1, and for a while we had been running into issues that prevented us from provisioning a vPro device. It turns out that the reason behind this was related to our provisioning certificate. We requested a certificate from Verisign and imported it into our central SCCM site server. We have several child primaries to our central SCCM primary site server, however, and we were using the same provisioning certificate on those systems (Intel confirmed that this was possible).

When I exported the certificate (using the Certificates MMC snap-in), with its private key, from my central SCCM site server, I did not choose the option to export the certificate chain with it. Importing the certificate, with its private key, went just fine on the other SCCM primaries, but provisioning just didn't work. After working with Bill York from Intel for several hours, it was finally determined that the Verisign Class 3 Intermediate Certificate Authority's public key certificate was expired in the Intermediate certificate store on the SCCM site server running the out-of-band (OOB) service point. I imported the updated Verisign Intermediate certificate into the server's Intermediate CA certificate store, which resolved the issue I was having.

If you are experiencing this specific problem, you should see something like the following in your amtopmgr.log on the SCCM site server running the OOB service point:

Try to use provisioning account to connect target machine vprosystem.subdomain.mydomain.com...

Server unexpectedly disconnected when TLS handshaking.

**** Error 0x382b948 returned by ApplyControlToken

Although this probably should have been obvious to me, I did not actually open the provisioning certificate on the server I had imported the certificate on, to verify that the certificate was valid. If I had done so, I would have seen a message stating that the certificate was invalid, and then I could have looked at the certificate chain tab to see that the Verisign Intermediate CA's certificate was not valid. After examining the certificate for the Intermediate CA, it was determined that it had expired, causing my provisioning certificate to become invalid.

-


Microsoft PKI - Auto-Approval of Pending Certificate Requests

After resolving the certificate issue, we started seeing another issue. This issue was related to our internal Microsoft PKI. The next symptom we saw was again in the amtopmgr.log file (in case you haven't figured it out, this is probably the most useful AMT log in SCCM). Here are the messages we saw:

Send request to AMT proxy component to generate client certificate. (MachineId = 60752)

Successfully created instruction file for AMT proxy task: D:\SMS\inboxes\amtproxymgr.box

RETRY(1) - Validate client certificate for AMT device vprosystem.subdomain.mydomain.com being generated.

Wait 20 seconds to find client certificate for AMT device vprosystem.subdomain.mydomain.com being generated again...

AMT Provision Worker: Wakes up to process instruction files

AMT Provision Worker: Wait 20 seconds...

RETRY(2) - Validate client certificate for AMT device vprosystem.subdomain.mydomain.com being generated.

Wait 20 seconds to find client certificate for AMT device vprosystem.subdomain.mydomain.com being generated again...

AMT Provision Worker: Wakes up to process instruction files

AMT Provision Worker: Wait 20 seconds...

RETRY(3) - Validate client certificate for AMT device vprosystem.subdomain.mydomain.com being generated.

Wait 20 seconds to find client certificate for AMT device vprosystem.subdomain.mydomain.com being generated again...

AMT Provision Worker: Wakes up to process instruction files

AMT Provision Worker: Wait 20 seconds...

RETRY(4) - Validate client certificate for AMT device vprosystem.subdomain.mydomain.com being generated.

Wait 20 seconds to find client certificate for AMT device vprosystem.subdomain.mydomain.com being generated again...

AMT Provision Worker: Wakes up to process instruction files

AMT Provision Worker: Wait 20 seconds...

RETRY(5) - Validate client certificate for AMT device vprosystem.subdomain.mydomain.com being generated.

Error: Missed device certificate. To provision device with TLS server or Mutual authentication mode, device certficate is required. (MachineId = 60752)

Error: Can't finish provision on AMT device vprosystem.subdomain.mydomain.com with configuration code (0)!

>>>>>>>>>>>>>>>Provision task end<<<<<<<<<<<<<<<

What this is telling you, is that the OOB service point was unsuccessful with its attempt to generate and retrieve a web server certificate, for the vPro client, from your internal Microsoft CA (either root or subordinate, but in our case, a subordinate). Although we had duplicated and configured the web server certificate template on our CA, the certificate was not getting created as we expected. The issue, in this case, was that our CA was not configured to automatically approve pending certificate requests.

In order to resolve this issue, follow these steps:

1. Open the Certification Authority MMC snap-in and connect to your CA

2. Right-click the CA node, and select Properties

3. Select the "Policy Module" tab

4. Click the Properties button

5. Choose the lower radio button (It reads: "Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.")

6. Click OK on all dialog boxes

7. Restart the CA service, to allow the setting to take effect
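As an added example (not SCCM's or Intel's code, and not from the original post), here is a small Python triage script that scans amtopmgr.log text for the two failure signatures described in both sections above and maps each to the check the post arrived at. The sample log lines are constructed from the excerpts quoted in the post; the signature-to-check mapping is my own assumption, not official SCCM troubleshooting guidance.

```python
import re
from typing import Dict, List

# Constructed sample built from the amtopmgr.log excerpts quoted in the post: the
# TLS handshake failure, then the client-certificate retries ending in an error.
SAMPLE_LOG = """\
Try to use provisioning account to connect target machine vprosystem.subdomain.mydomain.com...
Server unexpectedly disconnected when TLS handshaking.
**** Error 0x382b948 returned by ApplyControlToken
Send request to AMT proxy component to generate client certificate. (MachineId = 60752)
RETRY(1) - Validate client certificate for AMT device vprosystem.subdomain.mydomain.com being generated.
RETRY(5) - Validate client certificate for AMT device vprosystem.subdomain.mydomain.com being generated.
Error: Missed device certificate. To provision device with TLS server or Mutual authentication mode, device certficate is required. (MachineId = 60752)
Error: Can't finish provision on AMT device vprosystem.subdomain.mydomain.com with configuration code (0)!
"""

TARGET_RE = re.compile(r"connect target machine (\S+?)\.\.\.")
RETRY_RE = re.compile(r"RETRY\((\d+)\) - Validate client certificate for AMT device (\S+) being generated")
MACHINE_ID_RE = re.compile(r"\(MachineId = (\d+)\)")

# Assumed mapping from log signature to the check the post's diagnosis points at
# (not official SCCM troubleshooting guidance).
CHECKS = {
    "tls_handshake_failed": "open the provisioning certificate on the OOB service point and "
                            "inspect its chain; an expired intermediate CA invalidates it",
    "client_cert_never_issued": "check the CA Policy Module: requests for the duplicated web "
                                "server template must be auto-issued, not left pending",
}

def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per failure signature found in amtopmgr.log text."""
    findings: List[Dict[str, str]] = []
    target = "unknown"            # device named by the last 'connect target' line
    retries: Dict[str, int] = {}  # device -> highest RETRY(n) seen
    last_retry_device = "unknown"
    for line in log_text.splitlines():
        m = TARGET_RE.search(line)
        if m:
            target = m.group(1)
        if "disconnected when TLS handshaking" in line:
            findings.append({"device": target, "signature": "tls_handshake_failed",
                             "check": CHECKS["tls_handshake_failed"]})
        m = RETRY_RE.search(line)
        if m:
            last_retry_device = m.group(2)
            retries[last_retry_device] = max(retries.get(last_retry_device, 0), int(m.group(1)))
        if "Missed device certificate" in line:
            mid = MACHINE_ID_RE.search(line)
            findings.append({"device": last_retry_device, "signature": "client_cert_never_issued",
                             "retries": str(retries.get(last_retry_device, 0)),
                             "machine_id": mid.group(1) if mid else "unknown",
                             "check": CHECKS["client_cert_never_issued"]})
    return findings
```

Running `triage(open("amtopmgr.log").read())` on a real log gives one entry per failure with the device, the retry count reached and the first thing to check.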

 

 

 

 

-

I have a few more issues I'd like to talk about, mostly related to DNS. I will post again with details.

Thanks for reading,

Trevor Sullivan

Systems Engineer

-

Some customers might have an environment where there is a network domain that is different to their Active Directory domain. This typically arises when there is a Microsoft Active Directory structure, yet there is a legacy non-Microsoft DHCP and DNS infrastructure that uses a different (network) domain. This can cause a bit of an issue for vPro management if you are integrating with Active Directory (and also if you are using certificates for encrypting communication). The reason for this is that typically a machine will be provisioned with the AD FQDN, as all provisioning methods which rely on the Activator Utility or a management console's client agent will query locally using WMI and will pick up the FQDN that resides at the OS level. This will be OK for provisioning and will not be flagged as an issue. However, when the machine is accessed for OOB management, the Kerberos protocol that dictates how the AD objects for your provisioned vPro machines are accessed will prevent access. This is because when the AD object is interrogated it will get a request from the management console that relies on a DNS resolution. That resolution will provide a different FQDN than the AD OS FQDN.

In the past, the paradigm has been to circumvent this situation for the purposes of vPro provisioning and management by using hostname-only provisioning, assuming that the hostname was unique. This was possible as long as you were using SCS 3.x. If you are using SCS 5.0 and above this approach will no longer work. Even though my direct personal experience on this matter has been with SCS and SMS, I see no reason why this won't also apply to Microsoft SCCM or Altiris with its underlying SCS (when it supports SCS 5.x).

The Solution: you will need to provision your vPro machines with the network resolvable FQDN. The manner that we have implemented it is by having a server script that performs an nslookup dynamically and plugs that into the SCS DB instead of the AD FQDN as part of the provisioning flow. The other thing that caught us out for a while, is that we had to add the network domain into the Server TCP/IP advanced network settings as a secondary domain suffix. As you will most probably have a new Server setup for hosting SCS then this configuration step most probably hasn't been performed for you and therefore you will need to remember to do it!
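As an added example that is not Tal's script or Intel SCS code, the following Python shows the decision the post describes: take the OS (AD) FQDN that WMI would report, resolve the network name via reverse DNS, and store the DNS-resolvable name when the two domains differ, plus the list of extra DNS suffixes the SCS server then needs. The reverse-lookup table, host names and domains are constructed so it runs offline; `dns_reverse_lookup` is the production stand-in for the nslookup step.

```python
import socket
from typing import Callable, Dict, List, Optional, Set

# Constructed reverse-DNS table standing in for the legacy (non-Microsoft) DNS.
# One host sits in a network domain that differs from the AD domain, one does not.
FAKE_PTR: Dict[str, str] = {
    "10.0.0.25": "vprosystem.netdomain.example",
    "10.0.0.26": "lab02.corp.example",
}

def fake_reverse_lookup(ip: str) -> Optional[str]:
    """Offline stand-in for the nslookup step."""
    return FAKE_PTR.get(ip)

def dns_reverse_lookup(ip: str) -> Optional[str]:
    """What the server script would call in production (needs the network)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def choose_provisioning_fqdn(os_fqdn: str, ip: str,
                             reverse_lookup: Callable[[str], Optional[str]] = fake_reverse_lookup
                             ) -> Dict[str, str]:
    """Return the FQDN to store in the SCS DB and the reason it was chosen.

    os_fqdn is what the Activator Utility or client agent reads from WMI (the AD
    name); the console reaches the device through DNS and Kerberos checks that
    name, so the DNS name wins when the domains differ. A differing hostname,
    not just a differing domain, is treated as an error rather than guessed at.
    """
    os_fqdn = os_fqdn.lower()
    hostname, ad_domain = os_fqdn.split(".", 1)
    dns_fqdn = reverse_lookup(ip)
    if dns_fqdn is None:
        return {"fqdn": os_fqdn,
                "reason": f"no PTR record for {ip}; kept OS FQDN (OOB Kerberos access will likely fail)"}
    dns_fqdn = dns_fqdn.lower()
    if dns_fqdn.split(".", 1)[0] != hostname:
        raise ValueError(f"hostname mismatch: OS reports {os_fqdn}, DNS reports {dns_fqdn}")
    if dns_fqdn == os_fqdn:
        return {"fqdn": os_fqdn, "reason": "AD domain and network domain agree"}
    return {"fqdn": dns_fqdn, "reason": f"network domain differs from AD domain {ad_domain}; using DNS name"}

def extra_dns_suffixes(ad_domain: str, provisioned_fqdns: List[str]) -> Set[str]:
    """Network domains the SCS server still needs in its TCP/IP DNS suffix list."""
    return {f.split(".", 1)[1] for f in provisioned_fqdns} - {ad_domain.lower()}
```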

 

 

Hopefully this helps prevent some headaches for some of you...

Tal

-

A representative of Microsoft holds a discussion with an Intel manager from Digital Office Platform Division, Mike Ferron-Jones. Find more about what Intel is doing for security, manageability, and energy efficiency with vPro and how Microsoft is helping to deploy some of the vPro solutions with its software. Listen to this clip for an insight on Wake-on-LAN, Microsoft Application Virtualization, and Virtual Desktop Infrastructures. Click the link below to listen.

Listen Here: Microsoft/Intel Podcast - http://download.microsoft.com/download/e/b/9/eb90c169-6b47-4bae-b6f1-5c0825e1542a/ESGMicrosoftIntelPodcast.mp3

-

While in Oregon this week I was able to talk with Jake G. He's in the Brand Promise Validation team (I thought he was part of the Interop team), however you'll see what he tells me when you watch the video. This is the first part of the day; throughout the afternoon he showed me a couple of innovative ways Intel is testing vPro to ensure it is ready for IT shops & end users.

Also to note, if you have seen my prior posts on CIRA (Fast Call for Help), Jake is the one who helped me get the pictures, demos & startup data for those posts a few months back.

Next Up, Jake walks me through the Ideation Lab, their infrastructure & their console testing automation setup.

Prior Feet on the Street

Feet on the Street - vPro Series - Meet Wendy West

-

I had the pleasure this week of having lunch with Wendy West. She is in Digital Office Platform Marketing, which is responsible for vPro Marketing; specifically, she is the Communications Program Manager in that team. Here's a quick intro I was able to snap while we were driving. Also to note, I have worked with Wendy for about a year now and she is a super star on the vPro virtual team.

Next up, I had the pleasure of meeting with Jake Gauthier & he showed me how we do testing on the platforms and the infrastructure that supports it. Stay tuned.

-

In continuation of my quest to learn more about power and identify who's making the IT shop transition to power management a possibility, I have news to report out on.

Today while talking with Frank (Intel IT) he mentioned that the very company I used to work for is now giving out rebates to customers that are utilizing power management software to control their PCs. Specifically, if you are in the Northern California area, the power company is called PG&E (Pacific Gas & Electric), www.pge.com.

Here are the conditions: (Please note the NO laptop portion).

NETWORK PC POWER MANAGEMENT SOFTWARE

Must be a PG&E electric customer. The installation of qualifying software must allow centralized control at the server level of the power management settings (sleep mode and shutdown) of PCs on a distributed network. In addition, the software must have a reporting feature that allows monitoring and validation of energy savings. Qualifying software must be purchased and installed on or after March 1, 2007. When contacted, customers must allow PG&E access to customer property site to verify the software license installation at the server level and the number of PCs being controlled by the system. When submitting a rebate worksheet, customers must ensure the following documentation is attached:

1. copy of Software License Agreement,
2. a report directly from the Network Energy Management Software that verifies the number of PCs that are being controlled by the system, and
3. the number of computers authorized per License.

New Requirements

• Effective August 8, 2008, the rebate for the qualifying software is for control of desktop PCs only.
• Effective August 8, 2008, a rebate will not be available for control of laptop and laptop stations.
• Customers who purchase qualifying software by August 8, 2008 for laptop and laptop stations will receive a rebate if applications are postmarked or received by PG&E's Integrated Processing Center (IPC) by October 8, 2008.
• Applications postmarked or received by PG&E's IPC on or after October 8, 2008 are not eligible for a rebate for laptop and laptop stations.

Product Code: M03 - Network PC Power Management Software
Rebate/Unit Measure: $15.00 per PC

http://www.pge.com/includes/docs/pdfs/mybusiness/energysavingsrebates/rebatesincentives/eefficiency/ref/computing/08businesscomputing.pdf

How widespread is this across the globe? I know in New York this is happening; where else?

-

Awhile back Nick the Intern & I decided to build a rock star vPro PC on our own. We scoped out the best hardware we could at the time and we built the following:

Intel BOXDQ35JOE Core 2 Quad/ Intel Q35/ FSB 1333/ vPro/ A&V&GbE/ MATX Motherboard

2.83GHz Core 2 Quad

4GB DDR2 RAM

Apevia X-Qpack2 Case

500W PSU

ASUS HD4870 Video Card

32GB SSD (for OS)

2x500GB RAID (storage)

Blu-ray/HD DVD Drive

After building it we started to test out the vPro functionality and that is when we realized that on certain Intel MOBOs (motherboards) the AMT settings are not seen through a CTRL+P prompt. So tonight after a bit of VGA2USB conversion I created the following video to show where they are at. Key message is if you're building a vPro machine on your own & are planning on managing it then be aware of the location of the AMT settings.

Here's the video.

Have you created your own? Let me know. Post a pic and share. I guess I should also post out a few pics (will do shortly).

Josh H

-

I just updated the vPRO ready systems page with the latest models from HP. This list covers all the current systems in the Notebook, Mobile Workstation, and Business PC lines that are vPRO ready. You can view the list here:

Order an Intel® vPro™ technology "Activation-Ready" PC

-

Here's a follow-on post for the new icon in the system tray. I just received my new Dell e6400 machine and thought showing the real icon vs. the screenshots from the past would be helpful. They definitely show more information, as I discussed prior.

Centrino2 with vPro - Finally more Screens to share out

Quick Tip for the Dell e6400

  • During bootup you will NOT be presented with a CTRL+P screen, however if you hit right after the machine starts it will take you into the MEBx. I looked throughout the BIOS and there are no places to change this. If you find a route, let me know.

Josh H

-

Here's a TIP from our Interop team around how to verify whether a ping response is through the OS or the ME. To do so, look at the TTL field in the ping response.

TTL value of 127/128 = OS NIC responding
TTL value greater than 128 = ME responding
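An added example (not the Interop team's tool) that applies the rule above to raw ping output in Python, parsing both the Windows and the Linux reply formats; the reply lines are constructed. It also shows the edge the rule does not cover: a TTL outside both ranges is reported as unknown rather than guessed.

```python
import re
from typing import List, Tuple

TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)
HOST_RE = re.compile(r"(?:Reply from|bytes from) (\S+?):")

# Constructed replies: a Windows host answered by its OS (TTL 128), a host where
# the ME answers (TTL above 128, e.g. the OS is powered off), and a Linux host.
SAMPLE_PING = """\
Reply from 10.0.0.25: bytes=32 time<1ms TTL=128
Reply from 10.0.0.26: bytes=32 time=2ms TTL=255
Request timed out.
64 bytes from 10.0.0.27: icmp_seq=1 ttl=64 time=0.4 ms
"""

def classify_ttl(ttl: int) -> str:
    """Apply the Interop team's rule: 127/128 = OS NIC, above 128 = ME.

    The rule assumes the Windows default TTL of 128. Other values (a Linux OS
    replying with its default of 64, for instance) fall outside it, so they are
    reported as 'unknown' rather than guessed.
    """
    if ttl in (127, 128):
        return "OS NIC"
    if ttl > 128:
        return "ME"
    return "unknown"

def parse_ping(output: str) -> List[Tuple[str, int, str]]:
    """Return (host, ttl, responder) for every reply line carrying a TTL."""
    results = []
    for line in output.splitlines():
        ttl_match = TTL_RE.search(line)
        if not ttl_match:           # timeouts and summary lines have no TTL
            continue
        host_match = HOST_RE.search(line)
        host = host_match.group(1) if host_match else "?"
        ttl = int(ttl_match.group(1))
        results.append((host, ttl, classify_ttl(ttl)))
    return results

if __name__ == "__main__":
    for host, ttl, who in parse_ping(SAMPLE_PING):
        print(f"{host}: TTL={ttl} -> {who}")
```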

 

Here's a quick video.

-

If you're reading this blog you may have heard the words "Fast call for help" in relation to vPro; however, without seeing it in action on a live platform it may not make a lot of sense. Therefore this last week I had an opportunity to see my first platform live in action making a call back to the enterprise and then being managed through Serial over LAN to go into the BIOS. The platform was the new Panasonic CF-F8. Nicole already posted the console view.

http://communities.intel.com/openport/blogs/activation/2008/10/28/fast-call-for-help-feature-in-amt-40-then-utilizing-sol-example-to-see-the-bios

What questions do you have about this feature? Also to note is that I started blogging about this capability called CIRA (see blogs below).

Client Initiated Remote Access - vPro in 2008 - IDF

Centrino 2 - Digging in deeper into CIRA

My plan is to do a few more platforms over the next week with help from my IT expert (Frank).
