Intel vPro Expert Center Blog

AMT / ConfigMgr SQL Query: Mismatched Hostnames

pcgeek86@gmail.com — Tue, 21 Jul 2009 18:50:10 GMT

In IT environments where device naming standards may be coarse, or where users can freely rename their systems at will, you may experience problems managing these clients' AMT firmwares. Since, in order to maintain proper AMT functionality, the OS and AMT hostnames must match, an IT administrator or engineer would likely be interested in finding out which machines do not meet this criteria.

With that in mind, I've written a simple SQL query, that can be run against your Configuration Manager database, to determine what devices have mismatching OS and AMT hostnames. I've pasted the text below, but if you want a more nicely formatted version, please see this link at PasteBin.

/*
Author: Trevor Sullivan

Date: Tuesday, July 21st, 2009

Purpose: Identify devices whose AMT hostname and OS hostname mismatch
in the Configuration Manager database

select
-- Active Directory site name
[AD_Site_Name0] as 'AD SiteName'
-- AMT hostname (in provisioning record)
, [amt].[HostName] as 'AMT HostName'
-- OS hostname (should match AMT firmware)
, [sys].[Name0] as 'OS Hostname'
-- Retrieve UserID to identify device owner
, [UserName0] as 'UserID'
-- Hardware vendor
, [cs].[Manufacturer0] as 'Vendor'
-- Device model
, [cs].[Model0] as 'Model0'

from v_AMTMachineInfo [amt]

-- Join v_R_System to retrieve AD Site Name field
join v_R_System [sys] on [sys].[ResourceID] = [amt].[MachineID]
-- Joinv_GS_Computer_System to allow us to retrieve make/model information
join v_GS_Computer_System [cs] on [sys].[ResourceID] = [cs].[ResourceID]

where
-- We only want current resource records from ConfigMgr
[sys].[Obsolete0] = 0
-- This condition determines the mismatching hostname in the v_R_System and v_AMTMachineInfo SQL views
and [sys].[Name0] <> [amt].[HostName]

Cheers,

Trevor Sullivan

Systems Engineer

Microsoft OOB Console Requirement

pcgeek86@gmail.com — Mon, 08 Jun 2009 17:24:06 GMT

Hello vPro Experts!

I would like to pass on some information that I discovered a while ago, based on a Microsoft Premiere Support ticket. I was having trouble getting the Microsoft Out-of-Band (OOB) Management Console functioning from a Windows XP system. I tried everything on a fresh, standard build of Windows XP, but nothing would work.

After working with Premiere Support, we finally discovered that Windows XP Service Pack 3 (SP3) was required for proper functioning of the Microsoft OOB console.

This behavior is actually related to some functionality that was added in SP3, specifically in the winhttp.dll library. There is a function called WinHttpSetOption in the WinHttp library, which is called with a parameter enabling the WinHttp Option Flag named WINHTTP_ENABLE_SPN_SERVER_PORT. This flag enables the WinHttp library to include the server port in the Kerberos Service Principle Name (SPN), since the AMT web service is running on a non-standard HTTP port (16993).

The Windows XP Service Pack 2 (SP2) version of the WinHttp library does not include this capability, and consequently fails to authenticate. In order to properly connect to ConfigMgr-provisioned AMT devices with the Microsoft OOB Console, please make sure your helpdesk / support systems are running Windows XP SP3.

If you have any questions, feel free to post them in the comments section, and I will do my best to answer them.

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Powershell: Controlling AMT Power States

pcgeek86@gmail.com — Sun, 19 Apr 2009 16:25:53 GMT

I wanted to quickly share an example of how to set the current power state of a provisioned Intel vPro system using Windows Powershell!

Take a moment, and ask yourself these quick questions:

Have you ever wanted to be able to automate the powering up, or powering off, of multiple computers?
Is your company interested in saving money by not needlessly leaving computers powered on at night?
Do you have a time-critical environment, such as a call center, where you need to reliably power up your computers so they are ready to go in the morning for agents?
Do you want to be able to create your own helpdesk tools to enable remote reset of hung systems?

If you answered "yes" to any of the previous questions, then hopefully this Powershell code will help you, as an administrator, achieve your goals! Let's take a look at how to perform the actions of:

Powering up a vPro (AMT) system
Powering down a vPro (AMT) system (not gracefully, just FYI)
Power cycling a vPro (AMT) system (also not graceful)

For the sake of simplicity, we'll continue to work with the ManageabilityStack.AmtSystem object that I have referenced in my previous article(s). If you aren't sure how to get the $Global:Amtdevice Powershell variable, please look back at my other articles. This will also require the download of the Intel AMT Developer Toolkit. You'll need the Manageability Stack.dll library contained within.

-------------------

In order to control the remote power state of an AMT system, all you really need to know are these 3 hex values:

0x10 = System reset

0x11 = Power on

0x12 = Power off

0x13 = Reset w/ power cycle

These hex values will be used with the $AmtSystem.Remote.SendRemoteControl() method to alter the power state of the remote system. The SendRemoteControl() method included with the DTK includes a number of parameters that go beyond the scope of this article, so we will pass hex value 0x0 to these parameters for the time being. In order to use the above hex values, simply pass the hex value as the first parameter of the SendRemoteControl() method. In order to fulfill the parameter requirements of this method, pass 5 additional parameters with the value 0x0. Here are some examples:

Powering up an AMT System

$Result = $AmtDevice.Remote.SendRemoteControl(0x11, 0x0, 0x0, 0x0, 0x0, 0x0)

Write-Host "Power command resulted with: ${Result}"

Powering off an AMT System

$Result = $AmtDevice.Remote.SendRemoteControl(0x12, 0x0, 0x0, 0x0, 0x0, 0x0)

Write-Host "Power command resulted with: ${Result}"

Power cycling an AMT System

$Result = $AmtDevice.Remote.SendRemoteControl(0x10, 0x0, 0x0, 0x0, 0x0, 0x0)

Write-Host "Power command resulted with: ${Result}"

The above samples show how to use the SendRemoteControl() method of the AmtRemoteControl .NET type in the Intel AMT Developer Toolkit (DTK) to control the power state of a remote AMT device.

If you have any questions about this, please leave a comment or send me a private message.

Sincerely,

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Dell Optiplex 755 BIOS Update (includes AMT update)

pcgeek86@gmail.com — Fri, 13 Mar 2009 15:15:51 GMT

Dell just released a new BIOS update for the Dell Optiplex 755 system, version A13. This update includes an AMT firmware update to version 3.2.3 also that resolves a couple of security issues. I just performed the update on an Optiplex 755 that I had already provisioned, and it didn't break anything

If you're deploying the BIOS update via a ESM software package, such as Microsoft System Center Configuration Manager (SCCM) 2007, you can automate the staging of the BIOS update (without forcing a reboot) using the following command line:

O755-A13.exe -noreboot -nopause

Get it while it's hot!

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Integrating VNC and WinPE 2.x

pcgeek86@gmail.com — Tue, 10 Mar 2009 16:58:59 GMT

Integrating VNC on Windows PE 2.0

Author: Trevor Sullivan

Company: OfficeMax Corporation

Versions: 1.0 – April 24, 2008 – original document

Synopsis

Integrating VNC on Windows PE allows a remote user, such as a support person, to remotely control a Windows pre-execution environment, and perform administrative tasks such as deploying an operating system image, or diagnosing hardware and software problems using 3^rd party tools. This image can be remotely booted in a LAN environment using the IDE-R feature of Intel AMT.

Requirements

Microsoft Windows AIK v1.1 (downloadable from Microsoft)
A working Windows PE 2.x CD (can be built from WAIK)
UltraVNC 1.02 (downloadable from Internet)
ImageX (to mount WIM files) - included with WAIK

Setting up UltraVNC

Install UltraVNC 1.02 on a development system

You can optionally install UltraVNC 1.02 to an Altiris SVS virtual layer to avoid making permanent changes to your development system

After UltraVNC is installed:

1. Execute VNC in user-mode

2. Run the following command: winvnc –defaultsettings

3. You should be presented with a configuration dialog

4. Set a password for VNC and choose to disable the tray icon

5. Confirm the settings dialog, and stop Winvnc by running: winvnc –kill

6. Extract the following registry tree: HKLM\Software\ORL (vnc.reg)

7. Add the password to the default key

a. Open the registry file (vnc.reg)

b. Create a new section (key) for HKLM\Software\ORL\Default

c. Copy the password value from ORL to the Default key

Gathering Source Files

Copy the following list of files from the UltraVNC installation directory on the source computer into a separate working folder:

Authadmin.dll
Authssp.dll
Ldapauth.dll
Logging.dll
Logmessages.dll
Mslogon.acl
Unzip32.dll
Vnchooks.dll
Vnchooks_settings.reg
Vncviewer.exe
Winvnc.exe
Workgrpdomnt4.dll
Zip32.dll
Vnc.reg (from previous section)
Vnc.vbs (see below)

Trevor developed a short script to get around a problem with winvnc hanging when I’d execute it. This executes winvnc.exe asynchronously so that it continues to run in the background, but startnet.cmd will be allowed to continue. The script source is included below:

ScriptPath = Left(Wscript.ScriptFullname, len(Wscript.ScriptFullName) - len(Wscript.ScriptName))

set sh = CreateObject("Wscript.Shell")

sh.Run "regedit /s " & ScriptPath & "vnc.reg", 1, true

sh.Run "wpeutil disablefirewall", 0, true

sh.Run ScriptPath & "winvnc.exe", 1, false

Modifying the PE Disc

Mount WIM file on filesystem using ImageX
Copy all source files to folder on root of WIM mount path
Modify startnet.cmd to execute VNC vbscript using cscript.exe
- Use the fully qualified path to the script file (eg. “cscript X:\vnc\vnc.vbs”)

Notes

Winvnc does not work under service mode on Windows PE; Winvnc must be run under user context
The registry value “password” must exist under HKLM\Software\ORL\Default, otherwise winvnc will prompt for a password upon startup

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Powershell: Exploring the Management Engine

pcgeek86@gmail.com — Wed, 25 Feb 2009 04:26:00 GMT

Hello vPro Experts!

I would like to take some time to touch on exploration of the management engine via the local interface (specifically the HECI driver). In order to follow the exercise here, you'll need to have Windows Powershell installed, have the Intel AMT Developer Toolkit downloaded and installed, and have an AMT client (does not need to be provisioned) with the HECI driver installed. The HECI driver should be downloadable from your OEM.

To give you a high-level idea of the program flow we'll use to access the AMT device, consider the following:

Load the "Manageability Stack.dll" .NET library
Create an instance of the ManageabilityStack.HeciWrapper object
Reference the properties and methods of the HeciWrapper object, and the HeciMeInfo object (provided by the HeciWrapper.MeInfo property)

Here is the Powershell code that correlates to the above process:

Loading the .NET Library

# Load the Manageability Stack .NET library

$AmtLib = "C:\Program Files\Intel\Manageability Developer Tool Kit\Manageability Stack.dll"
[System.Reflection.Assembly]::LoadFile($AmtLib)
# Create a HeciWrapper object

$Heci = New-Object ManageabilityStack.HeciWrapper

# Pipe the $Heci variable into the Get-Member cmdlet to determine what properties

# and methods are available to us.

$Heci | Get-Member

Obtaining a list of embedded certificate hashes

# List embedded certificate hashes
$Heci.MeInfo.EnumerateHashHandles()

Getting the BIOS and AMT Versions

# Retrieve the AMT version
Write-Host "AMT version: $($Heci.Versions.Versions["AMT"])"
# Retrieve the BIOS version
Write-Host "BIOS version: $($Heci.Versions.BiosVersion)"

Retrieving Provisioning Information

# Retrieve the provisioning server name
Write-Host "Provisioning server: $($Heci.MeInfo.GetAuditRecord().ProvServerFQDN)"
# Determine provisioning date
# This will return "01/01/0001 00:00:00" if not provisioned
Write-Host "Provision date: $($Heci.MeInfo.GetAuditRecord().TlsStartTime)"
# Get provisioning mode (Enterprise, SMB, etc.)
Write-Host "Provision mode: $($Heci.MeInfo.GetProvisioningMode().ProvisioningMode)"
# Get provisioning state
Write-Host "Provision state: $($Heci.MeInfo.GetProvisioningState())"

-----------------------------------

I hope these code samples are able to help you out in your administration / engineering endeavors! Please let me know if you have any questions, and don't forget that in Powershell .... when in doubt .... use Get-Member to discover what information is available to you!

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Fully Automated Enterprise Client Builds :: Toying with ideas ...

pcgeek86@gmail.com — Tue, 16 Dec 2008 15:25:09 GMT

Hello vPro Experts!

I've got something sitting in the back of my mind, that I would like to share with you all. Unfortunately, it's simply a theory, and I have not yet had the opportunity to test it, but I am in the early stages of developing and documenting it, and would really appreciate any feedback, to help make it become a reality.

----

The Problem

Are you asking yourself either of these questions?

"How can I reduce the amount of overhead involved with imaging every new client system that comes through the doors, but at the same time, not shift that cost to the vendor?"

or, slightly paraphrased:

"How can I streamline the provisioning of new systems, but at the same time, not sacrifice the flexibility of having in-house imaging?"

If your support teams are imaging each desktop and laptop that is shipped from your hardware vendor, you may have investigated the option of having the vendor pre-image systems prior to shipping them out. There are a couple of caveats to this methodology though. First of all, there is usually an additional cost associated with any sort of customization that the vendor must make to a system. Secondly, if you are using a task sequence-based "imaging" process in-house, then you may not have a way of transferring that process (which is inherently network-reliant), to the vendor. Typically, in this scenario, your operating systems, applications, and Active Directory domain, are all residing on network servers that can't be contacted by the vendor during the process (unless you have some uber-fast, secure VPN link between you and them, in which case you can stop reading).

----

The Theoretical Solution (utilizing Intel vPro)

The proposed solution to the problem presented above, is actually a combination of technologies, and custom development work. In this case, I'm going to be working with the following tools:

Microsoft Configuration Manager SP1 / R2 (R2 for unknown computer OSD support)
Intel vPro / AMT Clients 3.2.1 and greater (4.0, 5.0)
Microsoft VBscript and/or Windows Powershell
Microsoft Windows Management Instrumentation (WMI)
Intel AMT Developer Toolkit (DTK)

Requirements

Here are the requirements for the process:

Microsoft Configuration Manager SP1
An Out-of-Band (OOB) service point for ConfigMgr SP1
“ProvisionServer” DNS record pointing to out-of-band service point
Collection 1: SCCM collection to temporarily store resource records created by script
Collection 2: SCCM collection that contains provisioned vPro clients without the ConfigMgr client agent
ConfigMgr Task Sequence to build vPro system
ConfigMgr advertisement to link task sequence to Collection 2

Step-by-Step Workflow

This is the theoretical process that would be followed:

Physically plug in vPro system – power and network (device remains powered off)
vPro System obtains IP address and DHCP Option 15 (mydomain.com)
vPro System sends “hello packet” to site server (CNAME provisionserver.mydomain.com)
Script reads vPro system’s UUID from amtopmgr.log file on site server
Script creates Resource Record for system in “Collection 1” with auto-provisioning enabled

Use a random name for the hostname (based off of the SMBIOS UUID perhaps)
Make sure to refresh the collection membership, or verify that it gets added somehow

vPro System sends another hello packet to site server at built-in interval
vPro System is recognized as a SCCM resource and provisions
Provisioned vPro resource is automatically populated into SCCM “Collection 2”
Task sequence begins executing
Once the operating system is installed, the device should detect a mismatching hostname between the OS and the ME firmware (this could be configured as part of the task sequence)
The device will send a request to the ConfigMgr site server to re-provision the AMT firmware with the new hostname (equivalent of "Update Provisioning Data"?)

Known Issues and Risks

There is at least one known outstanding issue that I'm aware of, and there may be a way to solve it.

Possibility of over-writing an existing system

If an existing, un-provisioned system is not reporting into Configuration Manager properly, it may be incorrectly assumed to be a new, blank system. Therefore, during the build (or imaging) process, an automated check may need to be put into place to verify whether or not the system is truly a new client or not. This could theoretically be done by analyzing the filesystem, or mounting the offline registry hives, and looking for any indicators. Additionally, if a vPro device was already provisioned, it would need to be excluded from being targeted with this process.

----

Conclusion

I hope that this overview gives you some ideas about how to automate the provisioning of new enterprise clients using Intel vPro out-of-band provisioning. If you have any suggestions for improvement, I'd be interested in hearing them. If you'd like, you can download a copy of this document below.

Thanks,

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Updated AMT Troubleshooting Document

pcgeek86@gmail.com — Tue, 09 Dec 2008 14:23:02 GMT

Hello, vPro Experts!

I've uploaded an updated document with additional troubleshooting measures related to Intel vPro and Microsoft Configuration Manager. Please download and provide feedback on it.

Troubleshooting Intel AMT and ConfigMgr

Thanks!

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Setting Power Policies in Windows Powershell

pcgeek86@gmail.com — Tue, 09 Dec 2008 02:03:20 GMT

Hello Intel vPro Community!

I'm going to talk to you today a little bit about how to use Windows Powershell to set Intel vPro power profiles. I'll provide a quick bit of background first on what power profiles are, and why you'd want to be able to set them with Powershell.

Intel vPro power profiles are nothing more than a setting in the Management Engine that tells the AMT chip when to be powered up, and when not to be powered up. In some cases, you may want vPro to be inactive during sleep states, or after the computer has lost power (eg. UPS failure).

In my case however, I want vPro to be always active. This is problematic, because Microsoft Configuration Manager's implementation of a provisioning server doesn't give you the option of setting the active power profile. Instead, during provisioning, ConfigMgr sets the active profile to whatever index "5" is. You'll actually see this in the amtopmgr.log file on your OOB (Out-Of-Band) service point during the provisioning process.

Because ConfigMgr decides the default power profile during provisioning, I've decided that I wanted to change it. Because Windows Powershell is an awesome automation tool, and because Intel's AMT Developer Toolkit (DTK) offers a .NET library that I can use in Powershell, I figured that I would figure out how to do it!

--------------------

You might remember my last post on how to use Powershell to connect to an AMT device. The process basically involves loading the aforementioned .NET DLL from the DTK, and then establishing a connection to the device. I didn't really get the opportunity to show you how to do a whole lot with it after making the connection though, so that's the purpose of this post! Let's go ahead and take a look at a few lines of Powershell code, so you can understand the retrieval, and setting of power profiles.

-------------------------------------------------

# In my last Powershell script, I used the $amtdevice variable

# to reference the AmtSystem .NET object. We'll assume at this point

# that you have already connected to the AMT device based

# on my last article.

$amtdevice

# By using the .NET Reflector tool, we can see that the AmtSystem

# object has a property called SecurityAdmin, which returns an AmtSecurityAdmin

# object.

$AmtSecAdmin = $AmtDevice.SecurityAdmin

# The AmtSecurityAdmin object has a method called GetPowerPackages().

# After examining this data type in .NET Reflector, we can filter for only the two

# properties we want to see, the profile ID, and its Name. We'll use the Powershell

# Select-Object cmdlet to filter this data.

$AmtSecAdmin.GetPowerPackages() | Select-Object -Property ID,Name

# You should get some output looking something like this:

# 12834f94-10fb-dc4f-968e-1e232b0c9065 Desktop: ON in S0
# ab0086a1-7f9a-424c-a6e6-bb243a295d9e Desktop: ON in S0, S3
# acab8672-b496-e248-9b9e-9b7df91c7fd4 Desktop: ON in S0, S3, S4-5
# 4dcd327b-be6b-8943-a62a-4d7bd8dbd026 Desktop: ON in S0, ME Wake in S3
# 46732273-dc23-2f43-a98a-13d37982d855 Desktop: ON in S0, ME Wake in S3, S4-5
# baa419c5-6f6e-4d8d-b227-517f7e4595db Desktop: ON in S0, S3, S4-5, OFF After Power Loss
# ede30bd6-c504-462c-b772-d18018ee2fc4 Desktop: ON in S0, ME Wake in S3, S4-5, Off After Power Loss

# Once we have a listing of the power profiles available on the AMT device

# we can get the one that we want, and then set it. Since I always want my

# AMT device active, no matter the system's power state, I'm going to choose

# "Desktop: ON in S0, S3, S4-5" which is index 2 (in a zero-based collection).

$TargetPowerProfile = ($AmtSecAdmin.GetPowerPackages())[2]

# Now that I have a variable referencing the target power profile, I will set the

# profile on the AMT device. The AmtSecurityAdmin object has a method called

# SetActivePowerPackage() that takes one parameter: the power profile we have

# a reference to.

$AmtResult = $AmtSecAdmin.SetActivePowerPackage($TargetPowerProfile)

"Setting power profile to $($TargetPowerProfile.Name) resulted in $AmtResult!"

##### End Setting Power Profile #####

# Let's also take a quick look at how to get some basic information about

# the AMT device's provisioning data. We can figure out if IDE-R, SoL, and the

# WebUI are enabled. We'll use the AmtGeneralInfo object for this.

# Get a reference to the AmtGeneralInfo object

$AmtInfo = $amtdevice.Info

# Write out the current configuration settings

"SOL Enabled: $AmtInfo.SerialOverLanEnabled"

"IDE-R Enabled: $AmtInfo.IdeRedirectEnabled"

"WebUI Enabled: $AmtInfo.WebUiEnabled"

-------------------------------------------------

I hope this helps get you on your way to doing some cool Powershell / vPro automation! Let me know whether or not this helps you in your endeavors

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Stepping through vPro / Powershell code

pcgeek86@gmail.com — Thu, 04 Dec 2008 01:21:45 GMT

Hello vPro community!

I rather quickly posted the Powershell code I got functioning yesterday just to make sure that I didn't forget to post it at some point, but if you're new to Powershell, you might not understand everything that's going on here. If I left your head spinning, then I apologize, but tonight, I'm wrapping back around to help describe to you the thought process behind the script I posted!

On top of that, once I put together some notes from earlier today, I will post later on about some of my newest findings! To give you a teaser, I found a method of setting AMT power profiles using Powershell code! I'll be sure to get this posted as soon as I can, but for now, I think it would be most beneficial to understand the basics of connecting to a vPro system.

I'm going to step through the script line-by-line and leave some comments about each of them. Comments will be denoted by lines beginning with a pound sign (#). This is because Powershell uses this character as a "comment" character.

If you're experienced with .NET, then you'll probably either already know about, or want to get familiar with, the tool known as the .NET Reflector. This utility allows you to "reflect" over a .NET library, and discover the objects, methods, and properties that are available to you to use in your Powershell scripts. It's not always a simple task to figure out how to use .NET objects, especially if there is either poor documentation, or none at all, but this tool definitely makes it easier.

----------------------------------

# The following 6 lines are simply variables that we are setting

# to make troubleshooting and customizing our script easier.

# We will be instantiating (creating) an object of the data type

# "AmtSystem" that requires these values as params to its

# constructor method.

# This is the domain\userID we want to authenticate as

$amtusername = "vprodemo\DomainUser"

# This is the password for the user account to authenticate
$amtpassword = "P@SSW0Rd"

# This is the FQDN of the vPro client system we want to connect to
$amthostname = "vproclient.vprodemo.com"

# This is the TCP port that we want to connect to the vPro client on

# TCP 16993 is used for TLS communications to AMT clients

$amtport = 16993

# This parameter determines whether or not your password is

# saved in the AmtSystem object (I think)
$amtrecallpassword = $false

# I haven't verified this, but I believe that this parameter determines

# whether or not WS-MAN is used exclusively on vPro clients

# that support it. Otherwise, it will attempt to use EOI (SOAP).
$amtwebservicesonly = $false

# Next, this variable stores the path to the "Manageability Stack.dll"

# which is included with the Intel AMT Developer Toolkit (DTK).

# Be sure to download the latest version from the Intel website.

# This DLL is a .NET library, written in C#, that provides an API

# to interact with Intel vPro clients.

$manageabilitystack = "C:\Program Files\Intel\Manageability Developer Tool Kit\0.6.08325.2\Manageability Stack.dll"

# This line uses the built-in Assembly class (part of .NET reflection)

# to load the .NET DLL containing the AMT API. The Out-Null Powershell

# cmdlet is used to suppress any console output of the LoadFile() method.

[System.Reflection.Assembly]::LoadFile("$ManageabilityStack") | Out-Null

# The Write-Host cmdlet is built into Powershell and simply writes

# some text to the console. We are using inline variables to dynamically

# display the information about the client we're connecting to.

Write-Host "Connecting to $amthostname on port $amtport"

# This is the line that's actually getting the object that we will use to

# reference our target Intel AMT client. We are creating a global variable

# name "amtdevice" and setting its value to a "New-Object" of datatype

# ManageabilityStack.AmtSystem (you can use .NET Reflector to find this)

# and then passing the parameters that we defined before to its constructor.

# If the below line wraps in your browser, please be sure to put it all on one line in your script.

$global:amtdevice = New-Object ManageabilityStack.AmtSystem -ArgumentList $amthostname,$amtport,$amtusername,$amtpassword,$amtrecallpassword,$amtwebservicesonly

# Footnote: With respect to variable scope in Powershell, the reason I am

# defining this as a global variable explicitly, is because if you copy and paste

# this code into a script, and then run that script from within an interactive

# Powershell session, the $amtdevice will now be defined as global to the session

# and will not be deleted when the script exits. This allows you to run the script to

# retrieve the device object, but then continue to work with it interactively once

# the connection is established!

# Tell the AmtSystem object that we want to use TLS

$amtdevice.UseTls = $true

# Enable WS-MAN support (if available) on the connection
$amtdevice.WsManSupport = $true

# Once we've set up all of our configuration options about the connection,

# this next line actually establishes the connection.

$amtdevice.Connect()

# The "State" property of the AmtSystem object is "Connecting" until the

# connection either succeeds or fails. We want to monitor the status until

# this occurs.

while ($amtdevice.State -eq "Connecting") { Start-Sleep 1 }

# Finally, once the connection either succeeds or fails, we write out the

# State property to the console so that we know what the outcome was.

Write-Host "AMT device is in state $($amtdevice.State.ToString())"

-----------------------------------

So, there you have it. That is the code, with my comments inline. If you have any questions or feedback on my articles, please feel free to comment on this blog article. I will try my best to answer them, although please understand that I am still working on comprehending this great API! If this is useful to any of you, I would like to know that, and if not, then please recommend something that you would like to hear about!

As promised, I will eventually write another follow-up article on how you can set Management Engine (ME) power profiles on a provisioned AMT client remotely, using Powershell! Until next time ...

Happy Powershell Scripting!!

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Troubleshooting Intel vPro Issues with Configuration Manager 2007

pcgeek86@gmail.com — Wed, 03 Dec 2008 12:57:31 GMT

Hello Intel vPro Experts!

I've started putting together a document on some issues that I've encountered during my experiences with Intel vPro and ConfigMgr. You can access this document right here on the vPro Expert Center: http://communities.intel.com/docs/DOC-2362

Please provide feedback on the document. It's not of very high quality just yet, because I only started writing it last night, but I hope to keep it updated, to provide a valuable resource to other IT folk interested in using Intel vPro.

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Intel AMT, Windows Powershell, and You

pcgeek86@gmail.com — Wed, 03 Dec 2008 03:36:40 GMT

Hello everyone!

I have been working on understanding the Intel AMT Developer's Toolkit (DTK) so that I can begin developing some custom tools around Intel vPro. One of the tools that I am planning on working with is Microsoft's Windows Powershell. Windows Powershell is a very powerful, object-oriented command-line replacement for Windows XP, Vista, 2003, and 2008. It's an administrative scripting language that is significantly more powerful than VBscript, and has the entire power of the Microsoft .NET Platform behind it.

Just today, I've had my first success in using the Intel DTK with Windows Powershell, in my quest to automate Intel vPro related tasks using Powershell!

This is some really cool stuff, and I just had to get it out there to share with the community. I can't wait to see what else people build off of this!

Here is the first sample code that I've gotten to function correctly. I'm using it against a Dell Optiplex 755 running AMT firmware version 3.2.1, which was provisioned through ConfigMgr SP1.

-------------

$amtusername = "vprodemo\DomainUser"
$amtpassword = "P@SSW0Rd"
$amthostname = "vproclient.vprodemo.local"
$amtport = 16993
$amtrecallpassword = $false
$amtwebservicesonly = $false

$manageabilitystack = "C:\Program Files\Intel\Manageability Developer Tool Kit\Manageability Stack.dll"

[System.Reflection.Assembly]::LoadFile("$ManageabilityStack") | Out-Null
Write-Host "Connecting to $amthostname on port $amtport"
$amtdevice = New-Object ManageabilityStack.AmtSystem $amthostname,$amtport,$amtusername,$amtpassword,$amtrecallpassword,$amtwebservicesonly
$amtdevice.UseTls = $true
$amtdevice.WsManSupport = $true
Write-Host "TLS: $($amtdevice.UseTls), WsMan Support: $($amtdevice.WsManSupport)"
$amtdevice.Connect()

while ($amtdevice.State -eq "Connecting")
{
Start-Sleep 1
}
Write-Host "AMT device is in state $($amtdevice.State.ToString())"

-------------

Unfortunately that's all I can post for now, but I definitely plan on continuing work on this development!

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Intel AMT Provisioning Issues with ConfigMgr SP1

pcgeek86@gmail.com — Tue, 18 Nov 2008 13:27:29 GMT

Hello,

This is my first contribution to the Intel vPro Expert center, and although I would not consider myself an expert on this product, I've still been graciously allowed to post here. Thanks Josh!

I'd like to start out by introducing myself. My name is Trevor Sullivan, and I am a desktop systems engineer at a large retail corporation. Over the past 8 months or so, I've been working quite a bit with several people from Intel and Microsoft to better understand the Intel vPro technology, and how it can benefit my company. Overall, I'm really impressed with the technology, and I am fortunate enough to be working with an environment that has a pretty decent install base of Intel vPro-enabled systems.

I'd like to take a few minutes to explain a few issues that we recently experienced with our production vPro implementation.

Provisioning Certificate Chain Invalid

We're using Intel vPro with Microsoft Configuration Manager 2007 SP1, and for a while, we had been running into issues that prevented us from provisioning a vPro device. It turns out that the reasoning behind this was related to our provisioning certificate. We requested a certificate from Verisign, and imported it into our central SCCM site server. We have several child primaries to our central SCCM primary site server, however, and we were using the same provisioning certificate on those systems (Intel confirmed that this was possible).

When I exported the certificate (using the Certificates MMC snap-in), with its private key, from my central SCCM site server, I did not choose the option to export the certificate chain with it. Importing the certificate, with its private key, went just fine on the other SCCM primaries, but provisioning just didn't work. After working with Bill York from Intel for several hours, it was finally determined that the Verisign Class 3 Intermediate Certificate Authority's public key certificate was expired in the Intermediate certificate store on the SCCM site server running the out-of-band (OOB) service point. I imported the updated Verisign Intermediate certificate into the server's Intermediate CA certificate store, which resolved the issue I was having.

If you are experiencing this specific problem, you should see something like the following in your amtopmgr.log on the SCCM site server running the OOB service point:

Try to use provisioning account to connect target machine vprosystem.subdomain.mydomain.com...

Server unexpectedly disconnected when TLS handshaking.

**** Error 0x382b948 returned by ApplyControlToken

Although this probably should have been obvious to me, I did not actually open the provisioning certificate on the server I had imported the certificate on, to verify that the certificate was valid. If I had done so, I would have seen a message stating that the certificate was invalid, and then I could have looked at the certificate chain tab to see that the Verisign Intermediate CA's certificate was not valid. After examining the certificate for the Intermediate CA, it was determined that it had expired, causing my provisoning certificate to become invalid.

Microsoft PKI -Auto-Approval of Pending Certificate Requests

After resolving the certificate issue, we started seeing another issue. This issue was related to our internal Microsoft PKI. The next symptom we saw was again in the amtopmgr.log file (+in case you haven't figured it out, this is probably the most useful AMT log in SCCM). Here are the messages we saw:

Send request to AMT proxy component to generate client certificate. (MachineId = 60752)

Successfully created instruction file for AMT proxy task: D:\SMS\inboxes\amtproxymgr.box

RETRY(1) - Validate client certificate for AMT device vprosystem.subdomain.mydomain.com being generated.

Wait 20 seconds to find client certificate for AMT device vprosystem.subdomain.mydomain.com being generated again...

AMT Provision Worker: Wakes up to process instruction files

AMT Provision Worker: Wait 20 seconds...

RETRY(2) - Validate client certificate for AMT device vprosystem.subdomain.mydomain.com being generated.

Wait 20 seconds to find client certificate for AMT device vprosystem.subdomain.mydomain.com being generated again...

AMT Provision Worker: Wakes up to process instruction files

AMT Provision Worker: Wait 20 seconds...

RETRY(3) - Validate client certificate for AMT device vprosystem.subdomain.mydomain.com being generated.

Wait 20 seconds to find client certificate for AMT device vprosystem.subdomain.mydomain.com being generated again...

AMT Provision Worker: Wakes up to process instruction files

AMT Provision Worker: Wait 20 seconds...

RETRY(4) - Validate client certificate for AMT device vprosystem.subdomain.mydomain.com being generated.

Wait 20 seconds to find client certificate for AMT device vprosystem.subdomain.mydomain.com being generated again...

AMT Provision Worker: Wakes up to process instruction files

AMT Provision Worker: Wait 20 seconds...

RETRY(5) - Validate client certificate for AMT device vprosystem.subdomain.mydomain.com being generated.

Error: Missed device certificate. To provision device with TLS server or Mutual authentication mode, device certficate is required. (MachineId = 60752)

Error: Can't finish provision on AMT device vprosystem.subdomain.mydomain.com with configuration code (0)!

>>>>>>>>>>>>>>>Provision task end<<<<<<<<<<<<<<<

What this is telling you, is that the OOB service point was unsuccessful with its attempt to generate and retrieve a web server certificate, for the vPro client, from your internal Microsoft CA (either root or subordinate, but in our case, a subordinate). Although we had duplicated and configured the web server certificate template on our CA, the certificate was not getting created as we expected. The issue, in this case, was that our CA was not configured to automatically approve pending certificate requests.

In order to resolve this issue, follow these steps:

1. Open the Certification Authority MMC snap-in and connect to your CA

2. Right-click the CA node, and select Properties

3. Select the "Policy Module" tab

4. Click the Properties button

5. Choose the lower radio button (It reads: "Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.")

6. Click OK on all dialog boxes

7. Restart the CA service, to allow the setting to take effect

I have a few more issues I'd like to talk about, mostly related to DNS. I will post again with details.

Thanks for reading,

Trevor Sullivan

Systems Engineer