Intel vPro Expert Center Blog

Finding AMT Objects in Active Directory

pcgeek86@gmail.com — Wed, 11 Nov 2009 21:03:38 GMT

If you are using Out Of Band (OOB) Management in Microsoft System Center Configuration Manager (SCCM) 2007 SP1 (or greater) to manage your Intel vPro clients, you may have noticed that computer objects are created in your Active Directory domain during provisioning of the Intel vPro firmware. These computer objects are created by the amtproxymgr component of an OOB Service Point, and allow Intel vPro to communicate directory with Active Directory, regardless of the operating system state.

Since these vPro computer objects appear very similar to standard computer objects that are created when joining a Windows OS to an AD domain, it may be hard to distinguish which ones are vPro accounts, and which ones aren't. This situation can be worsened if you somehow have Windows computer accounts mixed into the same OU that contains your AMT objects.

As you'll see below, it's very easy to locate these computers using some simple PowerShell code:

$vprosearcher = [adsisearcher]"(&(objectclass=computer)(serviceprincipalname=*:16993*)(samaccounttype=805306368))"
$vproaccounts = $vprosearcher.FindAll()

These two lines of code simply create a System.DirectoryServices.DirectorySearcher instance, with some LDAP search criteria to identify the accounts, and then assigns the results of this search to a PowerShell variable called $vproaccounts. The default search root is the top-level of your Active Directory domain, and the default search scope is already set to SubTree, so you don't have to specifically configure these settings on the DirectorySearcher. Once you're at this point, you can simply enumerate the accounts, or pipe the results into a PowerShell ForEach loop, and perform some operation against them (for example, givem them a Description attribute value).

Because this code sample uses the "adsisearcher" type accelerator (aka. type shortcut), it will only work with PowerShell v2.0 (included as part of the Windows Management Framework), unless you modify PowerShell v1.0 to include it. There's almost no reason not to be using PowerShell 2.0, now that it has been officially released, however.

I recommend using the free Quest PowerGUI tool to develop and debug PowerShell scripts.

Cheers,

Trevor Sullivan

Dell Client Manager and Intel vPro configuration

terry.c.cutler@intel.com — Mon, 28 Sep 2009 18:19:47 GMT

In recent weeks, I've received a number of questions about Dell Client Manager 3.0 ability to configure Intel vPro technology.

I have not had the opportunity to review the latest official documentation from Symantec\Altiris or Dell on how to configure Intel vPro technology.

Therefore, this blog provides my perspective and approach. As I'm working with Altiris 7 and vPro on an almost daily basis, authoring a complete set of new documentation has not been accomodating to present schedules, tasks, etc.

I ask for your patience and understanding. This is by no means the final and complete answer - it's a "best effort"

A few key points to keep in mind.

Dell Client Management version 3 is based on Altiris 7
A video posted at http://vproexpert.blip.tv/file/1900890/ - about 5 minutes into that video the focus is on configuring
Much of the Altiris\vPro configuration requirement for Altiris v7 are very similar to v6. The above posted video will highlight the differences.
For an Altiris v6 vPro configuration baseline, see material posted about 2 years ago - http://www.symantec.com/connect/videos/video-workshop-intel-vpro-activation
If you are totally new to Intel vPro technology, I invite you to first learn what the technology is capable of doing. Here is one article resource example - http://www.symantec.com/connect/articles/combining-band-and-out-band-management

So - you've started to deploy Intel vPro systems from Dell and are using their Dell client manager.

Altiris 7 requires SCS 5.x to configure vPro. If vPro is already configured - it's just a matter of enabling OOB Discovery and configuring the Pluggable Protocol Architecture (PPA).. see blip.tv video referenced above.

On the Dell Client Manager, check to see if the following fileshare exists – “\\localhost\nscap\bin\x86\Out of Band Management\IntelSCS”

If so – within that directory, find AMTconfserver.exe. This is the Intel SCS service installation. File should be version 5.0.2.4

On the Dell Client Manager, check for “c:\Altiris OOB Configuration” directory. If present, you should see two files – Interop.AeXClient.dll and OOBProv.exe.

The preferred approach is to install Intel SCS via the Altiris (or Dell Client Manager) interface... but sometimes that scripted install fails without direct indication as to what happened. Although a little advanced, it may be best to directly install the Intel SCS... which is the configuration service for Intel vPro technology.

Two key challenges I’ve seen in directly installing AMTconfserver.exe is that the webdirectories (AMTSCS and AMTSCS_RCFG) need to be set to no TLS and the the integration to SCS via the OOBprov.exe is not done. The TLS settings are handled via the advanced installation options. The OOBprov.exe is the configuration script which checks the Symantec\Altiris database against the IntelAMT database for new records, matching UUID\FQDN, recent vPro configuration events, and so forth.

As to what configuration script will be used, this setting is made in the IntelAMT database. My preference is to use the SCS console to adjust the setting. SCS console is available with the full download at http://software.intel.com/en-us/articles/download-the-latest-version-of-intel-amt-setup-and-configuration-service-scs/... The other good item here is the updated version of SCS 5.x (presently SCS 5.2.0.34B)

So that's the brief summary.

As stated previously - my intent was not to provide a complete answer, yet to provide a brief insight and references.

Interested to hear from the community. Did this help? More information needed?

OOB Console Error

pcgeek86@gmail.com — Mon, 22 Jun 2009 20:50:08 GMT

Hello vPro Experts!

Are you having trouble getting the Microsoft Out-of-Band (OOB) Console to connect to your Intel vPro clients? If so, one of the first things you should do, is enable verbose logging in your OOBConsole.exe.config file. This file is located in the following folder: %PROGRAMFILES%\Microsoft Configuration Manager Console\AdminUI\bin. If you open this file in Notepad, you should see a line that looks like <source name="OOBConsole" switchValue="Error">. If you change the text Error to Verbose, you will enable verbose logging for the OOB Console. The next time you try to connect to an AMT device, you should start seeing more detailed logging in the OOBconsole.log file, located in: %PROGRAMFILES%\Microsoft Configuration Manager Console\AdminUI\AdminUILog.

If you're seeing this message specifically: GetAMTPowerState fail with result:0x800401F3, then you might have forgotten to install WinRM 1.1 on your Windows XP client running the OOB console. Also make sure that you're running Windows XP Service Pack 3! Once you install WinRM 1.1, this error should magically disappear, and have you well on your way to managing vPro devices!

Cheers,

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Microsoft OOB Console Requirement

pcgeek86@gmail.com — Mon, 08 Jun 2009 17:24:06 GMT

Hello vPro Experts!

I would like to pass on some information that I discovered a while ago, based on a Microsoft Premiere Support ticket. I was having trouble getting the Microsoft Out-of-Band (OOB) Management Console functioning from a Windows XP system. I tried everything on a fresh, standard build of Windows XP, but nothing would work.

After working with Premiere Support, we finally discovered that Windows XP Service Pack 3 (SP3) was required for proper functioning of the Microsoft OOB console.

This behavior is actually related to some functionality that was added in SP3, specifically in the winhttp.dll library. There is a function called WinHttpSetOption in the WinHttp library, which is called with a parameter enabling the WinHttp Option Flag named WINHTTP_ENABLE_SPN_SERVER_PORT. This flag enables the WinHttp library to include the server port in the Kerberos Service Principle Name (SPN), since the AMT web service is running on a non-standard HTTP port (16993).

The Windows XP Service Pack 2 (SP2) version of the WinHttp library does not include this capability, and consequently fails to authenticate. In order to properly connect to ConfigMgr-provisioned AMT devices with the Microsoft OOB Console, please make sure your helpdesk / support systems are running Windows XP SP3.

If you have any questions, feel free to post them in the comments section, and I will do my best to answer them.

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Which SCS Service setting to go for - script or from DB? Everything you ever wanted to know...

tal.elgar@intel.com — Wed, 15 Apr 2009 11:42:48 GMT

If you are using Intel SCS 5.x, after you've installed it you will need to decide whether you want to configure the scs service to either get configuration parameters from a script or from the DB. This seemingly innocuous decision has some technical implications, so here's the background..

Choice A - get configuration parameters from the DB

Let us first define what are the configuration parameters - they are the fields of a vPro system - such as: FQDN, AD OU, Profile - the important ones that are required for completing provisioning - and the remaining informative attributes, such as AMT firmware version etc. Therefore the configuration parameters that are necessary to have are FQDN (or hostname) AD OU path (if you are integrating with Active Directory) and the SCS provisioning profile being assigned to the vPro system. Where will the information for these 3 fields come from?

The wording of this option might be slightly misleading as you might (wrongfully) assume that the configuration parameters to get your vPro systems provisioned smoothly are sitting and waiting in the DB for you and will provide you an extra smooth provisioning experience over above the other method (using a script). This is however not the case; the configuration parameters are empty to begin with and only after going through a (successful or unsuccessful) provisioning process for each vPro machine, it will in turn have these configuration parameters populated in the DB, so that subsequent provisioning attempts will in fact be able to rely on these now populated configuration parameters in the DB.

Let us consider the flow of events...

A vPro system needs to initiate the provisioning process and let the SCS know about its existence - this is commonly known as the 'hello packet'. The hello packet contains a UUID (unique identifier), certificate hash or PID, MAC Address and ip address. Purely technically speaking, this will manifest itself by a new entry appearing in the AMTS table in the SCS DB. At that point you are missing the FQDN, AD OU path and profile ID. Once a new entry makes it into the AMTS table, it will also appear in the SCS Console as an unconfigured system with the UUID field populated, but the rest being blank.

You now have an option to manually double click on the row in the SCS Console and enter these 3 fields. Once you've done that, the information will now be sitting also in the UUID_MAPS table which is also know as the configuration parameters. This is typically not a scalable method and therefore the current BKM is to rely on a client side utility to send more than just the UUID, pre-provisioning information (cert hash or PID) and IP address, but also the FQDN, AD OU path and a profile ID.

The utility that has been designed to do this is the Activator utility which comes bundled when you download the SCS application (this blog posting won't go into the details of how to use the Activator Utility and what options you have and will assume you have an understanding of how to do this). Therefore instead of manually (and quite error prone) populating the fields, you can now have a utility that effectively pushes all the information required for provisioning into the UUID_MAPS table as well.

Another last option is to create a list mapping UUIDs and pre-assigning them FQDNs and uploading it into the UUID_MAPS table. This is more difficult as it relies on the OEM providing you with an accurate list of all the UUIDs prior to receiving the systems. This is technically feasible but logistically more difficult and as such is a rarer implementation.

Choice B - get configuration parameters from the script

This method might be less popular, as it is a bit more complex and should be used only when the circumstances necessesitate it. The script would typically be a VBscript for which a sample script is provided when you install the SCS service. What the server script does in essence is set the AD OU path and profile ID. The FQDN still needs to be provided by the vPro machine itself and for that it will rely on either the activator utility (as mentioned above) or client side vbscript - either of which will typically rely on a WMI query.

Purely technically speaking, the script takes the different parameters available to it and constructs an XML file (map.xml) that is formulated in a manner that is recognised and can be consumed by the SCS application. If there aren't enough permissions for the script to run locally, any necessary parameters are missing, or if the XML is not formulated properly then the SCS will complain about a missing XML file.

Using the server side script provides you the flexibitliy of making changes to the AD OU path and profile ID further down the line as opposed to the client side only method, which would have required you to pre-package the parameters to invoke the client utility and any changes would involve deploying a new package to all machines.

The server side script also allows you to overcome any permissions related issues and security concerns, as the client side only method typically requires administrator priveleges and involves letting each client right into the main DB (which for some security experts is an opportunity for malicious behaviour). Therefore a 2-tiered approach is possible where the client side (script or activator) send information into an interim DB and the server script reads the information from the interim DB. The trigger for the server script to run, is for a new entry to appear in the AMTS table but not have an entry in the UUID_MAPS table - i.e. a hello packet has arrived and there are no present configuration parameters.

Finally, the server script is essential if any further manipulations are required in order to accommodate a particular environment. Such is the case when the FQDN queried on the vPro client has a domain suffix of an Active Directory domain, but there is a separate non-AD integrated network domain and any queries to DNS will return the network domain FQDN. This requires provisioning the vPro system with the network domain, which could either be hard coded as a constant (like the AD OU path and profile ID) if there is only one, or it will need to be dynamic and poll DNS (though something like nslookup on IP address) to replace the AD FQDN with a network FQDN. Provisioning will succeed regardless, but the problem will be later on when trying to manage the vPro machine if you will be using AD integration and therefore will need to conform to the Kerberos protocol.

A situation can arise where you have configured SCS to use the script, however the the configuration parameters have already been populated due to a previous provisioning attempt - be it fully successful or not, since the parameters are in the DB already, the trigger for the server script to run will be missing and therefore it won't execute again. This scenario is typically come across in testing when the same machine is re-used. There are some 'real-world' scenarios such as machine has broken, is re-imaged and fixed by IT department, the client side provisioniong components (activator) kick-in on startup (typically) but the configuration parameters are already in the SCS DB and therefore the script will not run and provisioning won't succeed. Unfortunately SCS does not automatically remove the configuration parameters for machines that are partially or even fully unprovisioned. It can only be done manually when a system is deleted from the SCS Console and the 'delete configuration parameters' must explicitly be selected.

This turned out to be a longer posting than originally intended... but if you've made this far, hopefully you've picked up a few useful nuggets of information...

Tal

Integrating VNC and WinPE 2.x

pcgeek86@gmail.com — Tue, 10 Mar 2009 16:58:59 GMT

Integrating VNC on Windows PE 2.0

Author: Trevor Sullivan

Company: OfficeMax Corporation

Versions: 1.0 – April 24, 2008 – original document

Synopsis

Integrating VNC on Windows PE allows a remote user, such as a support person, to remotely control a Windows pre-execution environment, and perform administrative tasks such as deploying an operating system image, or diagnosing hardware and software problems using 3^rd party tools. This image can be remotely booted in a LAN environment using the IDE-R feature of Intel AMT.

Requirements

Microsoft Windows AIK v1.1 (downloadable from Microsoft)
A working Windows PE 2.x CD (can be built from WAIK)
UltraVNC 1.02 (downloadable from Internet)
ImageX (to mount WIM files) - included with WAIK

Setting up UltraVNC

Install UltraVNC 1.02 on a development system

You can optionally install UltraVNC 1.02 to an Altiris SVS virtual layer to avoid making permanent changes to your development system

After UltraVNC is installed:

1. Execute VNC in user-mode

2. Run the following command: winvnc –defaultsettings

3. You should be presented with a configuration dialog

4. Set a password for VNC and choose to disable the tray icon

5. Confirm the settings dialog, and stop Winvnc by running: winvnc –kill

6. Extract the following registry tree: HKLM\Software\ORL (vnc.reg)

7. Add the password to the default key

a. Open the registry file (vnc.reg)

b. Create a new section (key) for HKLM\Software\ORL\Default

c. Copy the password value from ORL to the Default key

Gathering Source Files

Copy the following list of files from the UltraVNC installation directory on the source computer into a separate working folder:

Authadmin.dll
Authssp.dll
Ldapauth.dll
Logging.dll
Logmessages.dll
Mslogon.acl
Unzip32.dll
Vnchooks.dll
Vnchooks_settings.reg
Vncviewer.exe
Winvnc.exe
Workgrpdomnt4.dll
Zip32.dll
Vnc.reg (from previous section)
Vnc.vbs (see below)

Trevor developed a short script to get around a problem with winvnc hanging when I’d execute it. This executes winvnc.exe asynchronously so that it continues to run in the background, but startnet.cmd will be allowed to continue. The script source is included below:

ScriptPath = Left(Wscript.ScriptFullname, len(Wscript.ScriptFullName) - len(Wscript.ScriptName))

set sh = CreateObject("Wscript.Shell")

sh.Run "regedit /s " & ScriptPath & "vnc.reg", 1, true

sh.Run "wpeutil disablefirewall", 0, true

sh.Run ScriptPath & "winvnc.exe", 1, false

Modifying the PE Disc

Mount WIM file on filesystem using ImageX
Copy all source files to folder on root of WIM mount path
Modify startnet.cmd to execute VNC vbscript using cscript.exe
- Use the fully qualified path to the script file (eg. “cscript X:\vnc\vnc.vbs”)

Notes

Winvnc does not work under service mode on Windows PE; Winvnc must be run under user context
The registry value “password” must exist under HKLM\Software\ORL\Default, otherwise winvnc will prompt for a password upon startup

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Fully Automated Enterprise Client Builds :: Toying with ideas ...

pcgeek86@gmail.com — Tue, 16 Dec 2008 15:25:09 GMT

Hello vPro Experts!

I've got something sitting in the back of my mind, that I would like to share with you all. Unfortunately, it's simply a theory, and I have not yet had the opportunity to test it, but I am in the early stages of developing and documenting it, and would really appreciate any feedback, to help make it become a reality.

----

The Problem

Are you asking yourself either of these questions?

"How can I reduce the amount of overhead involved with imaging every new client system that comes through the doors, but at the same time, not shift that cost to the vendor?"

or, slightly paraphrased:

"How can I streamline the provisioning of new systems, but at the same time, not sacrifice the flexibility of having in-house imaging?"

If your support teams are imaging each desktop and laptop that is shipped from your hardware vendor, you may have investigated the option of having the vendor pre-image systems prior to shipping them out. There are a couple of caveats to this methodology though. First of all, there is usually an additional cost associated with any sort of customization that the vendor must make to a system. Secondly, if you are using a task sequence-based "imaging" process in-house, then you may not have a way of transferring that process (which is inherently network-reliant), to the vendor. Typically, in this scenario, your operating systems, applications, and Active Directory domain, are all residing on network servers that can't be contacted by the vendor during the process (unless you have some uber-fast, secure VPN link between you and them, in which case you can stop reading).

----

The Theoretical Solution (utilizing Intel vPro)

The proposed solution to the problem presented above, is actually a combination of technologies, and custom development work. In this case, I'm going to be working with the following tools:

Microsoft Configuration Manager SP1 / R2 (R2 for unknown computer OSD support)
Intel vPro / AMT Clients 3.2.1 and greater (4.0, 5.0)
Microsoft VBscript and/or Windows Powershell
Microsoft Windows Management Instrumentation (WMI)
Intel AMT Developer Toolkit (DTK)

Requirements

Here are the requirements for the process:

Microsoft Configuration Manager SP1
An Out-of-Band (OOB) service point for ConfigMgr SP1
“ProvisionServer” DNS record pointing to out-of-band service point
Collection 1: SCCM collection to temporarily store resource records created by script
Collection 2: SCCM collection that contains provisioned vPro clients without the ConfigMgr client agent
ConfigMgr Task Sequence to build vPro system
ConfigMgr advertisement to link task sequence to Collection 2

Step-by-Step Workflow

This is the theoretical process that would be followed:

Physically plug in vPro system – power and network (device remains powered off)
vPro System obtains IP address and DHCP Option 15 (mydomain.com)
vPro System sends “hello packet” to site server (CNAME provisionserver.mydomain.com)
Script reads vPro system’s UUID from amtopmgr.log file on site server
Script creates Resource Record for system in “Collection 1” with auto-provisioning enabled

Use a random name for the hostname (based off of the SMBIOS UUID perhaps)
Make sure to refresh the collection membership, or verify that it gets added somehow

vPro System sends another hello packet to site server at built-in interval
vPro System is recognized as a SCCM resource and provisions
Provisioned vPro resource is automatically populated into SCCM “Collection 2”
Task sequence begins executing
Once the operating system is installed, the device should detect a mismatching hostname between the OS and the ME firmware (this could be configured as part of the task sequence)
The device will send a request to the ConfigMgr site server to re-provision the AMT firmware with the new hostname (equivalent of "Update Provisioning Data"?)

Known Issues and Risks

There is at least one known outstanding issue that I'm aware of, and there may be a way to solve it.

Possibility of over-writing an existing system

If an existing, un-provisioned system is not reporting into Configuration Manager properly, it may be incorrectly assumed to be a new, blank system. Therefore, during the build (or imaging) process, an automated check may need to be put into place to verify whether or not the system is truly a new client or not. This could theoretically be done by analyzing the filesystem, or mounting the offline registry hives, and looking for any indicators. Additionally, if a vPro device was already provisioned, it would need to be excluded from being targeted with this process.

----

Conclusion

I hope that this overview gives you some ideas about how to automate the provisioning of new enterprise clients using Intel vPro out-of-band provisioning. If you have any suggestions for improvement, I'd be interested in hearing them. If you'd like, you can download a copy of this document below.

Thanks,

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Updated AMT Troubleshooting Document

pcgeek86@gmail.com — Tue, 09 Dec 2008 14:23:02 GMT

Hello, vPro Experts!

I've uploaded an updated document with additional troubleshooting measures related to Intel vPro and Microsoft Configuration Manager. Please download and provide feedback on it.

Troubleshooting Intel AMT and ConfigMgr

Thanks!

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Setting Power Policies in Windows Powershell

pcgeek86@gmail.com — Tue, 09 Dec 2008 02:03:20 GMT

Hello Intel vPro Community!

I'm going to talk to you today a little bit about how to use Windows Powershell to set Intel vPro power profiles. I'll provide a quick bit of background first on what power profiles are, and why you'd want to be able to set them with Powershell.

Intel vPro power profiles are nothing more than a setting in the Management Engine that tells the AMT chip when to be powered up, and when not to be powered up. In some cases, you may want vPro to be inactive during sleep states, or after the computer has lost power (eg. UPS failure).

In my case however, I want vPro to be always active. This is problematic, because Microsoft Configuration Manager's implementation of a provisioning server doesn't give you the option of setting the active power profile. Instead, during provisioning, ConfigMgr sets the active profile to whatever index "5" is. You'll actually see this in the amtopmgr.log file on your OOB (Out-Of-Band) service point during the provisioning process.

Because ConfigMgr decides the default power profile during provisioning, I've decided that I wanted to change it. Because Windows Powershell is an awesome automation tool, and because Intel's AMT Developer Toolkit (DTK) offers a .NET library that I can use in Powershell, I figured that I would figure out how to do it!

--------------------

You might remember my last post on how to use Powershell to connect to an AMT device. The process basically involves loading the aforementioned .NET DLL from the DTK, and then establishing a connection to the device. I didn't really get the opportunity to show you how to do a whole lot with it after making the connection though, so that's the purpose of this post! Let's go ahead and take a look at a few lines of Powershell code, so you can understand the retrieval, and setting of power profiles.

-------------------------------------------------

# In my last Powershell script, I used the $amtdevice variable

# to reference the AmtSystem .NET object. We'll assume at this point

# that you have already connected to the AMT device based

# on my last article.

$amtdevice

# By using the .NET Reflector tool, we can see that the AmtSystem

# object has a property called SecurityAdmin, which returns an AmtSecurityAdmin

# object.

$AmtSecAdmin = $AmtDevice.SecurityAdmin

# The AmtSecurityAdmin object has a method called GetPowerPackages().

# After examining this data type in .NET Reflector, we can filter for only the two

# properties we want to see, the profile ID, and its Name. We'll use the Powershell

# Select-Object cmdlet to filter this data.

$AmtSecAdmin.GetPowerPackages() | Select-Object -Property ID,Name

# You should get some output looking something like this:

# 12834f94-10fb-dc4f-968e-1e232b0c9065 Desktop: ON in S0
# ab0086a1-7f9a-424c-a6e6-bb243a295d9e Desktop: ON in S0, S3
# acab8672-b496-e248-9b9e-9b7df91c7fd4 Desktop: ON in S0, S3, S4-5
# 4dcd327b-be6b-8943-a62a-4d7bd8dbd026 Desktop: ON in S0, ME Wake in S3
# 46732273-dc23-2f43-a98a-13d37982d855 Desktop: ON in S0, ME Wake in S3, S4-5
# baa419c5-6f6e-4d8d-b227-517f7e4595db Desktop: ON in S0, S3, S4-5, OFF After Power Loss
# ede30bd6-c504-462c-b772-d18018ee2fc4 Desktop: ON in S0, ME Wake in S3, S4-5, Off After Power Loss

# Once we have a listing of the power profiles available on the AMT device

# we can get the one that we want, and then set it. Since I always want my

# AMT device active, no matter the system's power state, I'm going to choose

# "Desktop: ON in S0, S3, S4-5" which is index 2 (in a zero-based collection).

$TargetPowerProfile = ($AmtSecAdmin.GetPowerPackages())[2]

# Now that I have a variable referencing the target power profile, I will set the

# profile on the AMT device. The AmtSecurityAdmin object has a method called

# SetActivePowerPackage() that takes one parameter: the power profile we have

# a reference to.

$AmtResult = $AmtSecAdmin.SetActivePowerPackage($TargetPowerProfile)

"Setting power profile to $($TargetPowerProfile.Name) resulted in $AmtResult!"

##### End Setting Power Profile #####

# Let's also take a quick look at how to get some basic information about

# the AMT device's provisioning data. We can figure out if IDE-R, SoL, and the

# WebUI are enabled. We'll use the AmtGeneralInfo object for this.

# Get a reference to the AmtGeneralInfo object

$AmtInfo = $amtdevice.Info

# Write out the current configuration settings

"SOL Enabled: $AmtInfo.SerialOverLanEnabled"

"IDE-R Enabled: $AmtInfo.IdeRedirectEnabled"

"WebUI Enabled: $AmtInfo.WebUiEnabled"

-------------------------------------------------

I hope this helps get you on your way to doing some cool Powershell / vPro automation! Let me know whether or not this helps you in your endeavors

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Intel AMT Provisioning Issues with ConfigMgr SP1

pcgeek86@gmail.com — Tue, 18 Nov 2008 13:27:29 GMT

Hello,

This is my first contribution to the Intel vPro Expert center, and although I would not consider myself an expert on this product, I've still been graciously allowed to post here. Thanks Josh!

I'd like to start out by introducing myself. My name is Trevor Sullivan, and I am a desktop systems engineer at a large retail corporation. Over the past 8 months or so, I've been working quite a bit with several people from Intel and Microsoft to better understand the Intel vPro technology, and how it can benefit my company. Overall, I'm really impressed with the technology, and I am fortunate enough to be working with an environment that has a pretty decent install base of Intel vPro-enabled systems.

I'd like to take a few minutes to explain a few issues that we recently experienced with our production vPro implementation.

Provisioning Certificate Chain Invalid

We're using Intel vPro with Microsoft Configuration Manager 2007 SP1, and for a while, we had been running into issues that prevented us from provisioning a vPro device. It turns out that the reasoning behind this was related to our provisioning certificate. We requested a certificate from Verisign, and imported it into our central SCCM site server. We have several child primaries to our central SCCM primary site server, however, and we were using the same provisioning certificate on those systems (Intel confirmed that this was possible).

When I exported the certificate (using the Certificates MMC snap-in), with its private key, from my central SCCM site server, I did not choose the option to export the certificate chain with it. Importing the certificate, with its private key, went just fine on the other SCCM primaries, but provisioning just didn't work. After working with Bill York from Intel for several hours, it was finally determined that the Verisign Class 3 Intermediate Certificate Authority's public key certificate was expired in the Intermediate certificate store on the SCCM site server running the out-of-band (OOB) service point. I imported the updated Verisign Intermediate certificate into the server's Intermediate CA certificate store, which resolved the issue I was having.

If you are experiencing this specific problem, you should see something like the following in your amtopmgr.log on the SCCM site server running the OOB service point:

Try to use provisioning account to connect target machine vprosystem.subdomain.mydomain.com...

Server unexpectedly disconnected when TLS handshaking.

**** Error 0x382b948 returned by ApplyControlToken

Although this probably should have been obvious to me, I did not actually open the provisioning certificate on the server I had imported the certificate on, to verify that the certificate was valid. If I had done so, I would have seen a message stating that the certificate was invalid, and then I could have looked at the certificate chain tab to see that the Verisign Intermediate CA's certificate was not valid. After examining the certificate for the Intermediate CA, it was determined that it had expired, causing my provisoning certificate to become invalid.

Microsoft PKI -Auto-Approval of Pending Certificate Requests

After resolving the certificate issue, we started seeing another issue. This issue was related to our internal Microsoft PKI. The next symptom we saw was again in the amtopmgr.log file (+in case you haven't figured it out, this is probably the most useful AMT log in SCCM). Here are the messages we saw:

Send request to AMT proxy component to generate client certificate. (MachineId = 60752)

Successfully created instruction file for AMT proxy task: D:\SMS\inboxes\amtproxymgr.box

RETRY(1) - Validate client certificate for AMT device vprosystem.subdomain.mydomain.com being generated.

Wait 20 seconds to find client certificate for AMT device vprosystem.subdomain.mydomain.com being generated again...

AMT Provision Worker: Wakes up to process instruction files

AMT Provision Worker: Wait 20 seconds...

RETRY(2) - Validate client certificate for AMT device vprosystem.subdomain.mydomain.com being generated.

Wait 20 seconds to find client certificate for AMT device vprosystem.subdomain.mydomain.com being generated again...

AMT Provision Worker: Wakes up to process instruction files

AMT Provision Worker: Wait 20 seconds...

RETRY(3) - Validate client certificate for AMT device vprosystem.subdomain.mydomain.com being generated.

Wait 20 seconds to find client certificate for AMT device vprosystem.subdomain.mydomain.com being generated again...

AMT Provision Worker: Wakes up to process instruction files

AMT Provision Worker: Wait 20 seconds...

RETRY(4) - Validate client certificate for AMT device vprosystem.subdomain.mydomain.com being generated.

Wait 20 seconds to find client certificate for AMT device vprosystem.subdomain.mydomain.com being generated again...

AMT Provision Worker: Wakes up to process instruction files

AMT Provision Worker: Wait 20 seconds...

RETRY(5) - Validate client certificate for AMT device vprosystem.subdomain.mydomain.com being generated.

Error: Missed device certificate. To provision device with TLS server or Mutual authentication mode, device certficate is required. (MachineId = 60752)

Error: Can't finish provision on AMT device vprosystem.subdomain.mydomain.com with configuration code (0)!

>>>>>>>>>>>>>>>Provision task end<<<<<<<<<<<<<<<

What this is telling you, is that the OOB service point was unsuccessful with its attempt to generate and retrieve a web server certificate, for the vPro client, from your internal Microsoft CA (either root or subordinate, but in our case, a subordinate). Although we had duplicated and configured the web server certificate template on our CA, the certificate was not getting created as we expected. The issue, in this case, was that our CA was not configured to automatically approve pending certificate requests.

In order to resolve this issue, follow these steps:

1. Open the Certification Authority MMC snap-in and connect to your CA

2. Right-click the CA node, and select Properties

3. Select the "Policy Module" tab

4. Click the Properties button

5. Choose the lower radio button (It reads: "Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.")

6. Click OK on all dialog boxes

7. Restart the CA service, to allow the setting to take effect

I have a few more issues I'd like to talk about, mostly related to DNS. I will post again with details.

Thanks for reading,

Trevor Sullivan

Systems Engineer

Altiris and Intel vPro Use Cases - Part 5 - Tightening AMT Security

joel_smith1@symantec.com — Mon, 11 Aug 2008 16:01:21 GMT

NOTE: If you have not read parts 1 through 4, please read these before reading this part as this is a continuation of the story begun in the previous sections. Altiris and Intel vPro Use Cases

Learning from previous mistakes, CSO Dan Williams discusses what they can do to better secure the powerful AMT functionality. Since the human factor is the biggest weakness, what can they do to strengthen this? Obviously they can't remove it altogether; might as well shut the company down. In Intel vPro the human factor can be minimized due to available strong security technologies. AMT can be made more secure, but the continuing threats are emphasized when a computer is hijacked. What can be done to regain control?

Mighty Modern Marketing HQ - Boston, Massachusetts

Bright sunlight filtered through the distant windows , overshadowing the bland fluorescent lights lit above. Jessica Langley watched the distant pedestrians seen in a narrow view near the street moving past with varying degrees of enthusiasm. The hot summer held to the south temporarily by a low pressure that brought in the cool Atlantic breezes. She imagined being able to hear the conversations of those passing, wondering what they spoke of, and if any of them had as crazy a life as her.

"Ah, this is the life," Tevita said as he leaned back. He placed his hands behind his head and stretched out his legs, pushing his office chair as far back as possible. With what looked like a deliberately casual gesture he tossed his headset onto his desk.

"You should be worried," Jessica commented dryly.

"Worried? Why?"

Jessica gestured sharply at her phone. "No one can call us with the phones down, so our work is just piling up while we sit here."

"Hey, we have our mobile phones. If it's not important enough for them to look up our numbers, then why worry about it?"

"You know that's not how it'll happen. As soon as the phones get up... WHAM! We're here until the sun drops below the trees in the west."

Tevita's smile lessened, but only a little. "They've been down for two hours. Perhaps they'll be down all day, and we can leave early."

"Right."

The Tongan shrugged, and Jessica briefly envied his ability to shove aside problems when they weren't directly in front of him. He could have two amazingly nasty issues to work on, and he'd easily concentrate on one at a time as if the other issue didn't exist. She wished she could compartmentalize in that manner, but when she had two critical issues to work on they hung over her like a dark shroud. Usually the one she wasn't currently working pressed down as if to accuse her of negligence, but she couldn't do two things at once. It wasn't like knitting while watching TV.

Like now, when she knew issues piled up while their phones remained down. She reached down and pulled up her mobile phone in case she'd missed an incoming call, but nothing showed. She sighed, standing up and stretching. Tevita frowned at her.

"You aren't going to bug the phone people again, are you?" he asked, as if accusing her of turning him in for some crime.

"No," she said. "Daniel Williams wanted to talk to me today so I'm heading up to his office."

"Good. Don't mention the phone issue to the CSO..."

She rolled his eyes at him, but he only smiled, large hands moving deftly across the keyboard. Without phone call interruptions Tevita would clear out the email queue in no time.

She took the stairs, hoping to work off the donut she'd eaten earlier that morning. It seemed no matter how resolute she thought she was to eat healthier, as soon as someone brought in free goodies her willpower vanished and she indulged. She doubted the climb from the first floor to the third made any real difference, but at least her husband wouldn't get on her case about taking the elevator when she had two perfectly working legs.

The door to Daniels office sat closed, and she peeked into the glass valance to the side. Daniel stared at his computer screen, his brows drawn low. He didn't touch the keyboard and mouse, eyes moving across his monitor as if trying to puzzle something out. He just reached for the mouse when she knocked quietly on the window.

He turned, a smile easing his expression. He waved her in, and she quickly hurried through the door."

"You wanted to see me?" she inquired.

"Yes, please sit down," he said, gesturing to one of the empty chairs across his desk. She sat while he turned back to his computer.

"Please watch," he said as he launched Internet Explorer. "I'm going to talk you through what I'm doing, and I don't want you to interrupt until I'm done. Okay?"

Jessica felt a twinge of uneasiness stiffen her spine. "Of course," she responded, trying to instill confidence in her voice. "What are you doing?"

He only smiled. "First, I've discovered what password I can use to access AMT on all our vPro enabled computers..."

She stood up. "What...?"

He held up his hand, not unkindly. "Please humor me."

She sat back down, her unease blooming. She clasped her hands in her lap so she wouldn't fidget, usually in the form of smoothing down her already crisp and wrinkle-free dress jacket. She couldn't sit completely still, and found herself tapping her toe. Fortunately the carpet, however uninviting bland, muffled the sound.

"Okay," Daniel continued. "I don't have access to Altiris though I have tried to gain it, unofficially of course."

"Of course," she said, and quickly clamped her teeth together before she asked another question.

Daniel continued, "In light of that I've done some Googling and found that AMT has a web-interface that anyone can access using a browser. I haven't figured out how yet, but I don't think it'll take me long. Let's see... how to access AMT via a browser... This first hit talks about someone who is unable to access it."

Url: (http://softwarecommunity.intel.com/isn/Community/en-US/forums/thread/30249624.aspx).

"Ah, in his post he says, "When I try to access the Web Interface (localhost:16992 or name:16992)... that means I can access my test in the same manner. Let's watch."

Jessica bit her lip to keep from saying anything, determined to keep quiet until he'd finished his demonstration. She really wanted to ask him how he acquired the password, but she supposed she should wait until he validated that claim first. Plus, he'd asked her to keep quiet, and she didn't want the CSO annoyed with her.

Daniel clicked on the address bar, deleting the current address. He then typed in MMMAMT0043:16992 in the address bar. When he hit Enter the page refreshed, showing him the initial AMT login screen. He clicked the ‘Log On' button, which provided a standard Windows security prompt. He entered in Admin as the username, and then typed in a password. Jessica's stomach dropped. She didn't see exactly what he put it, but it did look like he put in the right password.

The Intel Active Management Technology web interface appeared, giving Daniel full access to the system. Jessica reached up and rubbed at her eyes.

"Please tell me you simply asked Tevita for it," she said when he turned to her.

"No, but no need for you or Tevita to worry about that," he said with what Jessica assumed was a reassuring smile. It didn't help. "I believe I used the same methods our traitorous employee working in cahoots with Nifty Networks used to gain these powerful credentials. I'll be conducting security training for our employees soon to try and plug that method."

"So how did you do it?"

Daniel nodded. "Good question, but the better question I'm posing to you is this: how can we better secure the AMT technology? See here under Remote Control? I can remotely reboot this person's system and boot it up into an application I can use to wreak havoc. Nifty, no?"

She swallowed hard. "No, not nifty."

"Good. You see the issue. I'm tempted to not tell you how I did it. Mystery lends me an air of the supernatural, or at least my uber-geekness. Why reveal how? That's like a magician revealing his secrets. Once the how is known, it isn't so magical anymore. Okay, so I'm taking far too much pleasure out of this. I simply watched you and Tevita closely and caught you entering the password. It took several tries before I finally got it right."

The beginning of a migraine colored Jessica's vision. "Great. I thought we had that password locked down..."

"As I said before, don't worry about it. Everyone is too trusting when entering passwords. I'll address that in our upcoming security meeting. What I want to discuss is how we can rectify this situation? Specifically I want to remedy the fact that anyone who does a smidgen of research will know that the administrative username for AMT is admin. We've handed any potential hacker one half of the credential equation."

Jessica nodded. "Yes, I see your point. Luckily I already know how to fix that. It's as simple as making the admin password random on each system and using Kerberos to use our Domain credentials for access."

"Good. The second point is I noticed that I can use a non-secure web address to access this. Can you get SSL enabled for all AMT communication?"

Jessica nodded again. "Yes, specifically AMT uses TLC, the successor to SSL. I believe I saw an article on how to enable that on Symantec Juice."

"Even better. Get those measures in place, and let me know when it's completed."

She nodded, shaking his hand when he offered it. She left his office and headed back down, taking the stairs despite the throbbing in her head. When she reached her cube she noted that Tevita had his headset on, his previous smile absent from his face. She gave him a grin when he glanced over, and this time he rolled his eyes. She should get onto the phones, but she wanted to get those changes implemented as soon as possible so that even Daniel couldn't crack the system... as long as Tevita and she carefully entered their passwords so others couldn't eyeball them.

She sat down and pulled up the Altiris Console. Both of her actions required a new vPro Profile to be pushed down to all the AMT systems, but that was the easy part. She started by enabling TLS on the server. Until she pushed down the new profile the AMT functions would not work. She leaned over to Tevita, and he glanced at her as she rolled closer in her chair.

"AMT will be available for a time," she said.

Tevita reached up and muted his headset. "Why?"

"I'm enabling TLS. You know, encryption. When I enable it on the server side the clients will not be able to communicate back with the server until I update the profile and they have the right certificates."

He shivered. "Is that such a good idea? Certificates are tricky... we could easily mess up the whole thing and have no AMT access..."

"Tevita, it isn't that complicated. I have all the Altiris documentation on how to do it. Besides, there's a specific article on how to do it after the installation, here: http://juice.altiris.com/article/2737/how-enable-tls-within-out-band-management-after-install. Piece of cake."

"If you say so..."

"Trust me. If we had a hierarchal structure of certificate authorities, it might get a bit dodgy, but I'm just setting up the one root."

"Yeah, and the flux capacitor needs just such and such gigawatts of power..."

"Just read up on it! It's not that hard."

Tevita spoke for a moment into his headset, and took it off. "I don't know anyone who understands it all that well."

She planted her hands on her hips. "It's really simple. We give the root CA, aka the King, the credentials that are acceptable. Secondly, the Altiris server gets the credentials so it can work with the CA and the clients. We then load the matching credentials on the clients via the Provisioning Profile. Now everyone has the credentials."

He smiled. "What about client-side and server-side certificates?"

"Again, simple. Communication is unidirectional for a given parent/child certificate set. With basic TLS in vPro, all the clients have server certificates. The Altiris Server uses a client certificate to authenticate with the client so that the client machine will accept the AMT commands sent it."

"Alright. That sounds simple enough, but what about the CA? What's that for?"

Jessica looked at him, her eyes narrowing. "What's with the third degree? 'Tell me Master Qui-Gon. What are midichlorians'?"

Tevita burst out laughing. "Am I that transparent? I didn't know you liked Starwars..."

"I don't. Like that movie quote, your questions are contrived..."

"Hehe, yeah. I'm just trying to prove a point. It's not that simple..."

"But it isn't that complex, either. The CA tells the server-side component (the AMT Client) if the client connection (from the Altiris Server) is to be trusted. I know having the AMT clients act as the server seems a bit backwards, but since we want AMT functionality to be secure, it makes sense. The Altiris Server that tells AMT what to do needs to prove itself. This ensures a rogue server can't just initiate any AMT functionality without having the proper certificate. So the server provides a client certificate, which the AMT system authenticates with the CA before allowing the Altiris Server ‘in'."

"Okay, okay. That sounds simple enough. I'll be sure to avoid AMT until next week when you get TLS finally working... kidding! Take it easy, I'm just joking."

She wanted to keep the stern look on her face, but a smile cracked through. "You just watch it, Mister."

Jessica turned her attention back to the Altiris Console. She opened up a browser on her second monitor and pulled up the Juice article she'd shown Tevita. She walked through the steps, sometimes checking back on the Altiris Administrator's Guide for Out of Band Management, found at http://www.altiris.com/Support/Documentation.aspx. She finished the processes except for updating the profile since she needed to also update the Admin password settings.

She browsed in the Altiris Console under View, Solutions, Out of Band Management, Configuration, Provisioning, Configuration Service Settings, and clicked on Provision Profiles. She highlighted her active profile and clicked the pencil icon in the icon bar to edit it. Under the General tab, to the right of the window, she changed the Intel® AMT 2.0 password: setting from Manual to Random creation. She then clicked on the TLS tab and, using the previous directions, enabled TLS within the profile.

She sat back as she clicked OK. Now that the Altiris Server was setup properly, she needed to push the new profile out. From her place in the console she backed up into the Provisioning folder, and then expanded the Intel AMT Systems folder and highlighted the Intel AMT Systems node. All Intel AMT Systems showed within the right pane. She clicked on the top one, scrolled down, and, while holding shift, clicked on the bottom one. She right-clicked and selected the ‘reprovision' option.

With a sly smile she glanced over at Tevita. He wore his headset again, though he looked less stressed than before. She rolled over and wrote on his whiteboard "AMT back up in a few hours". For the time being they could rely on the Runtime Profile for authentication. Since Altiris knew all the random passwords for the Admin account, via Altiris they should have no problems with security. However she needed to quickly implement AD integration with Kerberos authentication just in case.

She got up to take a quick break. She stretched, looking out over the cubes. She froze in mid stretch for a moment, before quickly pulling down her arms, her eyes widening. Two men in blue jumpsuits walked nonchalantly through the building, one holding a sheaf of what looked like generic forms and the other with a nondescript box. Despite their "non"-threatening postures, something about them bothered her. At first she simply watched them, trying to figure it out.

The man in front emanated confidence like a shiny sword and shield, his smile infectious and full of perfectly white and straight teeth. His strong features seemed chiseled from brilliant marble, as if he'd been carved amid the statues of Rome. Not one of the rich brown hairs on his head stood out of place, his hazel eyes roving over the office as if memorizing all the details. He didn't act suspicious, but his very manner belied the blue-collar worker outfit he wore.

Right behind him strode the other man. He wore a beard, a hat pulled low over his eyes. She squinted, hunching down a little so she didn't rise so high above the cube walls. He carried the box, his muscles tensed. He walked jerkily, each step seeming just a little unsteady. Sweat beaded on what little she could see of his forehead.

"Tevita," she whispered. "Does that guy look familiar to you?"

He appeared beside her. "Who? Those two delivery guys?"

"Yes. The one carrying the box."

Tevita turned to stare at her. "It's the ninja!"

She shook her head, though the sudden clenching in her stomach belied the action. "No way, he's in jail, right?"

"Probably not. He didn't threaten anyone or do any actual damage, and the price of the hard drives he tried to steal doesn't equal enough to be a felony, especially since he claims he was only after the hardware..."

"But why come back here? We know who he is..."

He just shrugged. "Maybe he's turning a new leaf..."

She gestured at the other man just as they disappeared into the stairwell. "Maybe, but that other guy gives me the creeps. I wouldn't be surprised if his name happens to be Lex Luther."

Tevita nodded. "Let's follow them."

She shook her head. "No way! Let's just call security and let them deal with it."

The Tongan only shook his head slowly. "The security company might be too slow to respond. Heck, they took forever to show up when our ninja friend showed up the first time. You go tell Bobby and I'll shadow these two shifty guys."

Before she could respond he hurried away, surprisingly quiet for his bulky, muscled size. She clenched her teeth together, torn by indecision for a few precious seconds. She then turned and hurried towards the server rooms, hopping Tevita wouldn't get himself into too much trouble.

END Part 5

This concludes Part 5. This cliff-hanger will be continued in an even more unbelievable conclusion, Part 6. Now that the competitor has breached the office once again, can Might Modern Marketing's IT staff protect their infrastructure, data, and themselves from this all out attack?

Superhero powers with Intel® vPro™ Technology?

justin.van.buren@intel.com — Sat, 21 Jun 2008 18:25:53 GMT

Given the new exciting capabilities in Intel vPro technology around hardware assisted manageability and security, our IT customers have mentioned that this new technology makes them feel much more powerful - like a superhero! See the video below to see what superhero Intel vPro technology made them feel like.

]]>

]]>

To see more videos from MMS 2008, go to http://www.intel.com/go/mms/

IT administrators compete at MMS 2008 in the Intel vPro technology Challenge

justin.van.buren@intel.com — Wed, 28 May 2008 22:54:21 GMT

We had the Intel vPro technology Challenge at MMS 2008 - a competition where teams of two competed to fix a troubled PC using Microsoft System Center Configuration Manager 2007 with PCs with Intel vPro technology. Check out how much fun this Challenge was at MMS 2008 this year:

]]>

To see more videos from MMS 2008, go to: http://www.intel.com/go/mms/

What Acronym best describes Intel® vPro Technology? (MMS 08)

justin.van.buren@intel.com — Tue, 20 May 2008 00:10:44 GMT

Sometimes within Intel Marketing, we're told that our description of Intel Centrino with vPro technology or Intel Core 2 with vPro technology is a bit lengthy. Therefore, while at MMS 08, we asked Intel customers as well as technical experts from Intel and Microsoft to give us their best, most concise acronym that best describes Intel vPro Technology. Listen to their responses below.

]]>

To see more videos from MMS 08, go to http://www.intel.com/go/mms/

What does the "v" in Intel vPro technology mean to you?

justin.van.buren@intel.com — Mon, 19 May 2008 22:28:37 GMT

When Intel released Intel vPro technology into the marketplace in 2006, the press asked us what the "v" in Intel vPro technology meant. Now that the technology has been in the marketplace for almost two years, we thought that the best answer to the question, "What does the "v" in Intel vPro technology mean to you?" would come from Intel customers, as well as from some of the technical experts from Intel and our partners who deal with our customers on an almost daily basis. See their answers below.

]]>

To see more videos from MMS 2008, go here: http://www.intel.com/go/mms/