Intel vPro Expert Center Blog

Finding AMT Objects in Active Directory

pcgeek86@gmail.com — Wed, 11 Nov 2009 21:03:38 GMT

If you are using Out Of Band (OOB) Management in Microsoft System Center Configuration Manager (SCCM) 2007 SP1 (or greater) to manage your Intel vPro clients, you may have noticed that computer objects are created in your Active Directory domain during provisioning of the Intel vPro firmware. These computer objects are created by the amtproxymgr component of an OOB Service Point, and allow Intel vPro to communicate directory with Active Directory, regardless of the operating system state.

Since these vPro computer objects appear very similar to standard computer objects that are created when joining a Windows OS to an AD domain, it may be hard to distinguish which ones are vPro accounts, and which ones aren't. This situation can be worsened if you somehow have Windows computer accounts mixed into the same OU that contains your AMT objects.

As you'll see below, it's very easy to locate these computers using some simple PowerShell code:

$vprosearcher = [adsisearcher]"(&(objectclass=computer)(serviceprincipalname=*:16993*)(samaccounttype=805306368))"
$vproaccounts = $vprosearcher.FindAll()

These two lines of code simply create a System.DirectoryServices.DirectorySearcher instance, with some LDAP search criteria to identify the accounts, and then assigns the results of this search to a PowerShell variable called $vproaccounts. The default search root is the top-level of your Active Directory domain, and the default search scope is already set to SubTree, so you don't have to specifically configure these settings on the DirectorySearcher. Once you're at this point, you can simply enumerate the accounts, or pipe the results into a PowerShell ForEach loop, and perform some operation against them (for example, givem them a Description attribute value).

Because this code sample uses the "adsisearcher" type accelerator (aka. type shortcut), it will only work with PowerShell v2.0 (included as part of the Windows Management Framework), unless you modify PowerShell v1.0 to include it. There's almost no reason not to be using PowerShell 2.0, now that it has been officially released, however.

I recommend using the free Quest PowerGUI tool to develop and debug PowerShell scripts.

Cheers,

Trevor Sullivan

Can I script Intel AMT commands?

terry.c.cutler@intel.com — Wed, 10 Dec 2008 23:42:41 GMT

I hear the following scenario and question a lot - "All I want to do is remotely power-on a provisioned Intel AMT system. My target client management environment does not have Intel AMT functionality. If I could just script a remote power-on command, that would be very helpful. Is there a way to script the command?"

The short answer is yes - Take a look at http://www.symantec.com/community/article/6546/scripting-intel-amt-remote-power

Enjoy

Setting Power Policies in Windows Powershell

pcgeek86@gmail.com — Tue, 09 Dec 2008 02:03:20 GMT

Hello Intel vPro Community!

I'm going to talk to you today a little bit about how to use Windows Powershell to set Intel vPro power profiles. I'll provide a quick bit of background first on what power profiles are, and why you'd want to be able to set them with Powershell.

Intel vPro power profiles are nothing more than a setting in the Management Engine that tells the AMT chip when to be powered up, and when not to be powered up. In some cases, you may want vPro to be inactive during sleep states, or after the computer has lost power (eg. UPS failure).

In my case however, I want vPro to be always active. This is problematic, because Microsoft Configuration Manager's implementation of a provisioning server doesn't give you the option of setting the active power profile. Instead, during provisioning, ConfigMgr sets the active profile to whatever index "5" is. You'll actually see this in the amtopmgr.log file on your OOB (Out-Of-Band) service point during the provisioning process.

Because ConfigMgr decides the default power profile during provisioning, I've decided that I wanted to change it. Because Windows Powershell is an awesome automation tool, and because Intel's AMT Developer Toolkit (DTK) offers a .NET library that I can use in Powershell, I figured that I would figure out how to do it!

--------------------

You might remember my last post on how to use Powershell to connect to an AMT device. The process basically involves loading the aforementioned .NET DLL from the DTK, and then establishing a connection to the device. I didn't really get the opportunity to show you how to do a whole lot with it after making the connection though, so that's the purpose of this post! Let's go ahead and take a look at a few lines of Powershell code, so you can understand the retrieval, and setting of power profiles.

-------------------------------------------------

# In my last Powershell script, I used the $amtdevice variable

# to reference the AmtSystem .NET object. We'll assume at this point

# that you have already connected to the AMT device based

# on my last article.

$amtdevice

# By using the .NET Reflector tool, we can see that the AmtSystem

# object has a property called SecurityAdmin, which returns an AmtSecurityAdmin

# object.

$AmtSecAdmin = $AmtDevice.SecurityAdmin

# The AmtSecurityAdmin object has a method called GetPowerPackages().

# After examining this data type in .NET Reflector, we can filter for only the two

# properties we want to see, the profile ID, and its Name. We'll use the Powershell

# Select-Object cmdlet to filter this data.

$AmtSecAdmin.GetPowerPackages() | Select-Object -Property ID,Name

# You should get some output looking something like this:

# 12834f94-10fb-dc4f-968e-1e232b0c9065 Desktop: ON in S0
# ab0086a1-7f9a-424c-a6e6-bb243a295d9e Desktop: ON in S0, S3
# acab8672-b496-e248-9b9e-9b7df91c7fd4 Desktop: ON in S0, S3, S4-5
# 4dcd327b-be6b-8943-a62a-4d7bd8dbd026 Desktop: ON in S0, ME Wake in S3
# 46732273-dc23-2f43-a98a-13d37982d855 Desktop: ON in S0, ME Wake in S3, S4-5
# baa419c5-6f6e-4d8d-b227-517f7e4595db Desktop: ON in S0, S3, S4-5, OFF After Power Loss
# ede30bd6-c504-462c-b772-d18018ee2fc4 Desktop: ON in S0, ME Wake in S3, S4-5, Off After Power Loss

# Once we have a listing of the power profiles available on the AMT device

# we can get the one that we want, and then set it. Since I always want my

# AMT device active, no matter the system's power state, I'm going to choose

# "Desktop: ON in S0, S3, S4-5" which is index 2 (in a zero-based collection).

$TargetPowerProfile = ($AmtSecAdmin.GetPowerPackages())[2]

# Now that I have a variable referencing the target power profile, I will set the

# profile on the AMT device. The AmtSecurityAdmin object has a method called

# SetActivePowerPackage() that takes one parameter: the power profile we have

# a reference to.

$AmtResult = $AmtSecAdmin.SetActivePowerPackage($TargetPowerProfile)

"Setting power profile to $($TargetPowerProfile.Name) resulted in $AmtResult!"

##### End Setting Power Profile #####

# Let's also take a quick look at how to get some basic information about

# the AMT device's provisioning data. We can figure out if IDE-R, SoL, and the

# WebUI are enabled. We'll use the AmtGeneralInfo object for this.

# Get a reference to the AmtGeneralInfo object

$AmtInfo = $amtdevice.Info

# Write out the current configuration settings

"SOL Enabled: $AmtInfo.SerialOverLanEnabled"

"IDE-R Enabled: $AmtInfo.IdeRedirectEnabled"

"WebUI Enabled: $AmtInfo.WebUiEnabled"

-------------------------------------------------

I hope this helps get you on your way to doing some cool Powershell / vPro automation! Let me know whether or not this helps you in your endeavors

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Intel AMT, Windows Powershell, and You

pcgeek86@gmail.com — Wed, 03 Dec 2008 03:36:40 GMT

Hello everyone!

I have been working on understanding the Intel AMT Developer's Toolkit (DTK) so that I can begin developing some custom tools around Intel vPro. One of the tools that I am planning on working with is Microsoft's Windows Powershell. Windows Powershell is a very powerful, object-oriented command-line replacement for Windows XP, Vista, 2003, and 2008. It's an administrative scripting language that is significantly more powerful than VBscript, and has the entire power of the Microsoft .NET Platform behind it.

Just today, I've had my first success in using the Intel DTK with Windows Powershell, in my quest to automate Intel vPro related tasks using Powershell!

This is some really cool stuff, and I just had to get it out there to share with the community. I can't wait to see what else people build off of this!

Here is the first sample code that I've gotten to function correctly. I'm using it against a Dell Optiplex 755 running AMT firmware version 3.2.1, which was provisioned through ConfigMgr SP1.

-------------

$amtusername = "vprodemo\DomainUser"
$amtpassword = "P@SSW0Rd"
$amthostname = "vproclient.vprodemo.local"
$amtport = 16993
$amtrecallpassword = $false
$amtwebservicesonly = $false

$manageabilitystack = "C:\Program Files\Intel\Manageability Developer Tool Kit\Manageability Stack.dll"

[System.Reflection.Assembly]::LoadFile("$ManageabilityStack") | Out-Null
Write-Host "Connecting to $amthostname on port $amtport"
$amtdevice = New-Object ManageabilityStack.AmtSystem $amthostname,$amtport,$amtusername,$amtpassword,$amtrecallpassword,$amtwebservicesonly
$amtdevice.UseTls = $true
$amtdevice.WsManSupport = $true
Write-Host "TLS: $($amtdevice.UseTls), WsMan Support: $($amtdevice.WsManSupport)"
$amtdevice.Connect()

while ($amtdevice.State -eq "Connecting")
{
Start-Sleep 1
}
Write-Host "AMT device is in state $($amtdevice.State.ToString())"

-------------

Unfortunately that's all I can post for now, but I definitely plan on continuing work on this development!

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Real world experiences with provisioning using a hybrid Activator Utility and Scripts approach

tal.elgar@intel.com — Wed, 03 Sep 2008 12:45:47 GMT

As many of you might know or have experienced, relying fully on the default provisioning window where the Management Engine sends 'Hello Packets' to the SCS server is problematic. Problems start arising in the following instances:

The network has multiple domain suffices being allocated as connection specific DNS suffices depending on location and this could potentially lead to a mismatch between the SCS domain suffix and the client domain suffix.
DHCP option 15 upon which the default process relies on might need be in use for one reason or another
The provisioning window (24 hours for RCFG and 6 hours for PID/PPS by default) has closed before the infrastructure has been put in place to do something useful with these hello messages.

In the past there was a solution based on sample vbscripts provided by Intel- either Server side only or a combination of client and server side scripts that would be used in conjunction with SCS. This has now evolved to the Activator Utility which is considered the best known method, however there are some subtleties where using the Activator isn't as straight forward, such as:

The Activator utility will typically run under the context of the Local System Account - to allow each Local System Account to write information to the SCS DB requires delegating control all the Computer Objects. This is seen as a significant security risk by some organisations.
The syntax for running the Activator utility necessitates the specification of a profile ID. The number of the profile ID can't be pre-determined with absolute certainty and the SCS API only accept the profile ID and not the profile name. A situation can ensue that the wrong profile ID has been hardcoded on the clients.
Some operations like /a cannot work under the Local System Account context to begin with

Together with the hetrogeneous states of vPro machines (some provisioned, some not, some needing to be re-provisioned) some further logic needs to be put in place to provide a robust end to end solution. This has lead to the implementation (in a nutshell) of the following solution at a large scale enterprise customer (it assumes knowledge of the activator utility and it's switches):

A scriptable interface needs to be able to determine whether a system is provisioned or not - this is achieved by running MEInfo and parsing the contents of the output and writing some information into registry keys.
A script always checks the registry keys to know whether to run the Activator utility
The script is run at every boot-up of the system to make sure any previous failed attempts or if the system has been unprovisioned since the last boot is covered
Once a script (which runs under the context of the Local System Account) determines it needs to execute - i.e. the machine is unprovisioned but has PID/PPS loaded it runs the Activator Utility with the //s h /d PID but not /o and /p
At this point you might ask yourself, if I am using the client side vbscript, why should I use the Activator tool as well? The answer is that the Activator tool provides you the ability to send an in-band 'hello message' to kick-off the provisioning process. That is why we make use of the /h and /d PID parameters. If you wouldn't use the Activator tool, the out of band 'hello messages' would have easily timed-out a long time ago and you wouldn't be able to commence their resending unless you pulled the power cable out and back in - i.e. restart the Management Engine.
The PID is predetermined per machine type and can be inserted into XML file that sits in client - if the PID was unique per each machine this would have broken the whole solution - hence a clear recommendation to have the same PID/PPS across all machines or at least across all machines of the same model
At this point the information is written into an Interim DB using SQL account permissions
Note that no permissions need to have been delegated for all Local System Accounts
On the server side the script uses the same or different SQL account permissions to access to the interim DB
On the server side the script contains the /p and /o parameters - this is crucial as this is a single point where the /p and /o parameters can be changed thus providing flexibility
In addition since the customer has opted to not use certificates and because there is a difference between the connection specific and Active Directory domain suffices, provisioning is take place with hostname only - typically this would have involved using the /a switch, however there is a known issue that won't work under the context of the Local System Account. Therefore the FQDN is stripped of it's domain the server script and the hostname is derived.
The server script creates an XML file with the appropriate content to plug into the Configuration Parameters table in the main SCS DB, as the SCS service can parse the contents of this XML file and check that it is valid content.

The overall benefit of this solution is you avoid the security risk of delegating access rights for all Local System accounts, cover the different scenarios when the Activator Utility should be run, avoid the problems of mismatching domain suffices and maintain the flexibility of a single point of changing parameters for the variable Activator Utility syntax.

The same logic will apply if you are using RCFG - simply ignore point #6 above regarding PID.

Hope some of you find this useful.

Thanks, Tal

Intel AMT Commander’s Serial-over-LAN scripting

ylian.saint-hilaire@intel.com — Tue, 05 Feb 2008 06:31:34 GMT

Serial-over-LAN is quite useful for taking control of a computer, making changes to the BIOS and when Intel AMT Outpost or Guardpost is running, getting a management command prompt even when the OS network driver is disabled. What if you have to repeat the BIOS change on 100’s of computers? Say you want to change a BIOS boot option on 100 computers? Or want to test the reliability of a new computer platform? The Intel AMT Serial-over-LAN scripting can help.

Connect using Intel AMT Commander to the Intel AMT computer and select “Take Control” to enter the VT100 terminal. Make sure everything works well and you can connect and perform Serial-over-LAN correctly. Go in the “Terminal” menu and select “Script editor…” and write a script like this one, using the user interface to guide you:

LABEL “start”
RESET bios
WAIT 40 seconds.
RESET powerdown
WAIT 15 seconds
JUMP “start”

You can save the script, and run it. You can also write more complicated scripts to change BIOS options and do more interesting things. There is a command:

WAITFOR “abcd”

This command will wait until the string “abcd” is anywhere on the VT100 screen. This is very useful to wait for the computer to finish booting and to do something after. You can also send string to SOL:

SEND “dir\r”

To send the “dir” command. Terminal scripting is very powerful. It’s also a great way to impress your friends and customers. In a few minutes, you can write a script that will power on a computer; navigate throughout the BIOS screens and shutdown the computer when done. Once you run it, it’s like a ghost is taking control of your computer and going into the BIOS, very cool.

Ylian (Intel AMT Blog)