Intel vPro Expert Center Blog

Known Issues wiki: LANDesk, MS ConfigMgr, Remote BIOS update, and more.

michele.gartner@intel.com — Thu, 05 Nov 2009 15:19:31 GMT

Here's a compilation of some of the issues that were added in the last few months to the Known Issues, Best Practices, and Workarounds wiki:

Ctrl-Alt-Delete – Archiving Low-Tech Computer Fixes

scott1.e.smith@intel.com — Tue, 28 Jul 2009 22:45:26 GMT

A while back I was lamenting the fact that Intel vPro technology promises to end the need (at least among businesses at the moment) for all of the creative low-tech fixes we all use when our PCs crawl onto the shoulder of the Internet and expire as if they've just ran out of electrons. I asked you for your most useful low-tech fixes and many of you responded. We also made this video that captured the secret tricks some San Franciscans use to pump life back into their under-the-weather PCs.

I asked my buddy Dave Buchholz in Intel’s internal IT group if he had any low-tech fixes. Dave’s title is IT Technology Evangelist. If his title conjures up the vision of someone perched atop an equipment cabinet with a tech manual cradled in one arm and soldering iron raised high in the other, well, that’s Dave. He’s an accomplished IT professional and something of an IT historian as well.

Dave recalls years back that there was a period when the bearings in certain hard drives were typically the first thing to go. An audible clicking noise was the giveaway to the problem. Dave says he’d put the ailing drives in a freezer where the bearings would contract slightly as they froze. Once back on a computer, the chilled drives would spin just long enough to offload the data. Dave must have been working for a appliance company at the time because his fix for a gummed-up keyboard was to run it through a dishwasher. Dave, this was a specialized IT dishwasher?

I say low-tech, but when I asked readers to document their surefire fixes for getting their failed computers running again, solutions ranged from the spiritual (“shut down and restart and pray”) to "alchemy” (interestingly from an IT pro) with some tech solutions mixed in.

In the interest of archiving the responses for businesses who may not yet have vPro or consumers interested in bettering their computer capabilities, I’ve taken a shot below at cataloging those I deem key for quick reference. I’ve placed them under appropriate tags that will make them easy to reference when the need arises.

vPro, of course, makes it possible to diagnose and fix problems even in computers that are turned off, or have toasted operating systems or hard drives, and it’s capabilities are now reaching the small-business world with Intel IT Director and even virtualized worlds. Nonetheless, not everyone has vPro.

For that reason, this undoubtedly will become a watershed resource. So, it’s important that it is complete and thoroughly thought through. If you want to propose a category to those below and add any solutions from the complete list of fixes into it or suggest fixes of your own, now is the time to append them in the comments before catastrophe strikes.

My thanks along with the appreciation of those who may eventually need this resource to all of you who contributed.

PC Fixes in Absence of Intel vPro Technology

KISS

Turn it off and on

Slightly Less Simple

Ctrl+Alt+Del, then task manager and ending a whole bunch of tasks so only a few are left. If that doesn't work, restart the computer…after two minutes.

KISS Plus

Turning it off and then turning it back on again. Then hitting it really hard and see if something gets knocked loose.

Wisdom from IT Pros (Apparently from different schools, however)

Extend the life of your computer - buy a desktop KVM and instead of chucking out the PC keep it as an internet-browsing "NetTop". Also useful for long-lasting downloads. Use the KVM to flick between your "main" PC and the NetTop

Black tape. Or sometimes a good kick will do.

Confidential – Not To Be Shared with the IT Department

Defrag, registration defrag and spyware removal

Complete Emotional Breakdown

Start crying, hit the delete button 1,000 times, and if all else fails call my sister and have her boyfriend save me from my tech catastrophe

Tears - it must be the salt or maybe the computer gods taking pity on me but it seems to work

Reboot, reboot, reboot!

Oxygen Depleted Environments

Worst comes to worst, I always just take the battery out of my laptop and let it "breathe" a bit before plugging it back in and booting it up

Try blowing air into any port - battery, power cord, usb port -- sometimes it actually works

Call In the Marines

Call my dad; he's some kind of a computer engineer

Pick the Right Man

Pawning it off on my boyfriend to fix!

Man Up and Do What Feels Right!

I've become very accustom to using hibernate and sleep modes. Why bother with a full shutdown and startup. But - IT support got a little upset…stating I was reckless, the system wasn't "made to do that", and so forth. So - back to the wasted time of shutdown and power-up

When Melt-Down (Structural or Emotional) Is Imminent

Close my eyes and hope the problem goes away

Call the geek squad – ask my children

Don’t Even Mess with It, Refresh

Accelerated upgrade cycle

Microsoft OOB Console Requirement

pcgeek86@gmail.com — Mon, 08 Jun 2009 17:24:06 GMT

Hello vPro Experts!

I would like to pass on some information that I discovered a while ago, based on a Microsoft Premiere Support ticket. I was having trouble getting the Microsoft Out-of-Band (OOB) Management Console functioning from a Windows XP system. I tried everything on a fresh, standard build of Windows XP, but nothing would work.

After working with Premiere Support, we finally discovered that Windows XP Service Pack 3 (SP3) was required for proper functioning of the Microsoft OOB console.

This behavior is actually related to some functionality that was added in SP3, specifically in the winhttp.dll library. There is a function called WinHttpSetOption in the WinHttp library, which is called with a parameter enabling the WinHttp Option Flag named WINHTTP_ENABLE_SPN_SERVER_PORT. This flag enables the WinHttp library to include the server port in the Kerberos Service Principle Name (SPN), since the AMT web service is running on a non-standard HTTP port (16993).

The Windows XP Service Pack 2 (SP2) version of the WinHttp library does not include this capability, and consequently fails to authenticate. In order to properly connect to ConfigMgr-provisioned AMT devices with the Microsoft OOB Console, please make sure your helpdesk / support systems are running Windows XP SP3.

If you have any questions, feel free to post them in the comments section, and I will do my best to answer them.

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Powershell: Exploring the Management Engine

pcgeek86@gmail.com — Wed, 25 Feb 2009 04:26:00 GMT

Hello vPro Experts!

I would like to take some time to touch on exploration of the management engine via the local interface (specifically the HECI driver). In order to follow the exercise here, you'll need to have Windows Powershell installed, have the Intel AMT Developer Toolkit downloaded and installed, and have an AMT client (does not need to be provisioned) with the HECI driver installed. The HECI driver should be downloadable from your OEM.

To give you a high-level idea of the program flow we'll use to access the AMT device, consider the following:

Load the "Manageability Stack.dll" .NET library
Create an instance of the ManageabilityStack.HeciWrapper object
Reference the properties and methods of the HeciWrapper object, and the HeciMeInfo object (provided by the HeciWrapper.MeInfo property)

Here is the Powershell code that correlates to the above process:

Loading the .NET Library

# Load the Manageability Stack .NET library

$AmtLib = "C:\Program Files\Intel\Manageability Developer Tool Kit\Manageability Stack.dll"
[System.Reflection.Assembly]::LoadFile($AmtLib)
# Create a HeciWrapper object

$Heci = New-Object ManageabilityStack.HeciWrapper

# Pipe the $Heci variable into the Get-Member cmdlet to determine what properties

# and methods are available to us.

$Heci | Get-Member

Obtaining a list of embedded certificate hashes

# List embedded certificate hashes
$Heci.MeInfo.EnumerateHashHandles()

Getting the BIOS and AMT Versions

# Retrieve the AMT version
Write-Host "AMT version: $($Heci.Versions.Versions["AMT"])"
# Retrieve the BIOS version
Write-Host "BIOS version: $($Heci.Versions.BiosVersion)"

Retrieving Provisioning Information

# Retrieve the provisioning server name
Write-Host "Provisioning server: $($Heci.MeInfo.GetAuditRecord().ProvServerFQDN)"
# Determine provisioning date
# This will return "01/01/0001 00:00:00" if not provisioned
Write-Host "Provision date: $($Heci.MeInfo.GetAuditRecord().TlsStartTime)"
# Get provisioning mode (Enterprise, SMB, etc.)
Write-Host "Provision mode: $($Heci.MeInfo.GetProvisioningMode().ProvisioningMode)"
# Get provisioning state
Write-Host "Provision state: $($Heci.MeInfo.GetProvisioningState())"

-----------------------------------

I hope these code samples are able to help you out in your administration / engineering endeavors! Please let me know if you have any questions, and don't forget that in Powershell .... when in doubt .... use Get-Member to discover what information is available to you!

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

“Two days” in the life of an Intel® vPro Anti-Theft Technology for Asset Protection (AT-p) User

abhilasha.bhargav-spantzel@intel.com — Tue, 06 Jan 2009 23:28:26 GMT

The new generation of notebook PCs with Intel vPro technology includes Intel Anti-Theft Technology PC Protection (Intel AT-p). Intel AT-p offers you the option of activating hardware-based client-side intelligence to secure the PC and data if a notebook is lost or stolen. Because the technology is built into PC hardware, it provides local, tamper-resistant defense that works even if the OS is re-imaged, a new hard-drive is installed, or the notebook is not connected to the network.

For a good introduction of the Intel® AT-p Technology please visit - http://communities.intel.com/community/openportit/vproexpert/blog/2008/12/04/anti-theft-technology-has-arrived

In the following we describe an example of how this technology is deployed and used in the life of a typical employee working for a security conscious company. Consider a user Jane who is a new employee of a company called SecureBank. SecureBank wants all its employees laptops to be protected against theft and is therefore utilizing the Intel® vPro Anti-Theft Technology for Asset Protection (AT-p) with Absolute ISV.

In particular Jane has two (rather adventurous) days –

- Day 1: IT admin receives a new laptop and sets it up for Jane. Jane uses the new laptop for the day when she receives her new laptop and manages to loose it to a thief!

- Day 2: the thief is unable to use the laptop due to the poison pill sent as a feature of the AT-p technology. The thief therefore gives up on it and leaves it in a coffee shop. The laptop is subsequently recovered by SecureBank, made functional again and is ready to be handed over to Jane.

Below are the details –

(Check out the video uploaded at youtube –

http://www.youtube.com/watch?v=bnTggBxhOVk&feature=email)

Day 1:

(1) Initial Setup by IT Admin:

The IT admin receives a new laptop and creates the SecureBank IT image on the laptop. This includes the Absolute agent which would be used for AT-p. The Absolute Client Windows Installer is a part of the IT image. The two key steps are undertaken -

- Enrollment: The IT admin runs the Absolute Client Windows Installer which installs the Absolute agent on the client. As part of the installation this client is enrolled with the Absolute server. Enrollment consists of the following steps –

1. The Absolute Agent checks the local platform to ensure that the platform is eligible for Intel® AT-p.

2. The Agent requests permission of activate AT-p with the ISV Server i.e. the Absolute Server.

3. The ISV Server takes this unique client request and sends it (along with a license key) to the Intel permit signing server.

4. Once the Intel signing server has validated this request, an AT-p permit is generated for that unique client. The client system is now ready to validate signed messages from the ISV server.

Once the machine is enrolled it shows up on the administrator console. The machine is identified using a unique identifier generated by the Absolute server, Detected Full Computer Name and Detected Serial Number. At this point a default policy for the client machine is also applied.

- Policy Setup: The IT admin can also fine tune the policy for Jane. Examples of Attributes he can set include:

Policy Attribute	Example Value	Meaning
AT-p Timer Value	48 hours	The machine’s disablement timer (time after which the machine is disabled if it does not connect with the server) is 48 hours.
AT-p Timer Action	Immediate Lock	The action a machine performs once the AT-p Timer has expired. In this case, the machine will shut down immediately (even if OS was up and running) and not allow the boot process to be carried out.
AT-p Theft Action	Immediate Lock	The action a machine performs once the machine is marked stolen when connecting with the server. In this case, the machine will shut down immediately, same as above.
AT-p Password	“StRongP@ssw0rd”	Admin Password used to recover the machine when it is disabled or locked.
AT-pState	Active	Marks whether AT-p is currently active or not on a machine. When it has a legitimate working user then it is marked as active.
Theft Status	Secure	Marks whether the machine is stolen or secure. In this case, the machine is not stolen.

Once the IT admin has set the above policy he is ready to hand over the laptop to Jane.

(2) Normal Usage:

On receiving her new Laptop, Jane logs in with her domain credentials and uses it seamlessly (as if there were no AT-p). The rendezvous may occur without any active participation of Jane. As such the rendezvous happens in the background and is transparent to Jane.

- Rendezvous (Machine Not Stolen)
The Absolute solution has a rendezvous timer of 24.5 hours. After this time the following steps would occur –

1. As the Rendezvous Timer (24.5 hours) expires the ISV Client Agent initializes a rendezvous.

2. The ISV Server’s response is relayed to the Intel Management Engine (in the firmware) through the ISV Client Agent. Any new settings are relayed.

3. Acknowledgments are generated for any message received.

4. Once finished, the Disablement Timer (or AT-p Timer) reset message is sent to the Intel Management Engine.

(3) Theft:

After a good first day of work, Jane’s colleagues take her out for a dinner. She leaves her laptop in the car and heads to the restaurant. To Jane’s bad luck her car is broken into and the notorious thief steals her laptop.

- Malicious Usage: The thief has a hacking tool that allows bypassing the windows login/password challenge and can use the laptop. He feels he can make a good fortune by selling this laptop in the black-market.

- Theft Reporting: When Jane returns to the car, she is shocked to see her car broken into and her laptop stolen. She immediately calls the IT admin helpdesk and reports the theft. The IT admin sets the Theft Status to Stolen. Next time the laptop checks in with the Absolute server, the Theft Action, which is Immediate Lock, will take place.

Day 2:

(4) Poison Pill:

The attacker logs in again using his hacking tool. Since it is past 24.5 hours (i.e. the rendezvous timer has expired) the agent initiates a rendezvous. At this time the following steps happen -

- Rendezvous (Machine Stolen)

As the rendezvous timer expires the ISV Client Agent initializes a rendezvous.
The server has marked the system as stolen, and sends an AssertStolen message (“Poison Pill”) to the system.
The local system takes action based on the current policy.

As the action is to immediately lock, the thief to his surprise observes that the machine just shuts down. When he tries to power on the machine he sees a pre-boot authentication screen which requests him to insert admin credentials. The thief’s hacker tools are not able to bypass this screen as the same OS (which is potentially more vulnerable) as the pre-boot environment serves as an extension of the boot firmware and guarantees a secure, tamper-proof environment external to the operating system as a trusted authentication layer. Brute force attacks in this environment are also much harder as the tamperproof firmware reboots the machine after a threshold time or number of attempts to login has expired.

To the thief’s dismay, he cannot really use the laptop and leaves it in the coffee shop where he logged in from.

(5) Asset Recovery:

The IT admin of SecureBank was able to get the IP of the location where the thief last logged in from and contacts the coffee shop. SecureBank officials pick up the laptop and bring it back to the IT admin desk for recovery. To recover the platform the IT admin carries out the following steps –

The IT admin (re)sets the Theft Status to be Secure (from Stolen).
Upon boot, the admin is presented with a “system locked” message in the pre-boot environment.
The admin recovery passphrase must be entered before a given time (say 2 minutes). The admin immediately inputs his admin passphrase for the given machine.
When the admin credentials and theft status have been verified, the AT-p timer is reset and the client platform is unlocked. The platform then boots to the OS.

Once this is done, the IT admin is ready to return this machine back to Jane without loosing any time. Thus we can see that AT-p solution not only provides a way to secure machines against theft and continued malicious use, but also ensures efficient recovery and continued use of the recovered machine!

AMT 4.0 (vPro 2008) - New Icon for Management & Security Status

josh.hilliker@intel.com — Tue, 04 Nov 2008 18:51:19 GMT

Here's a followon post for the new ICON in the system tray. I just received my new Dell e6400 machine and thought showing the real icon vs. the screen shots from the past would be helpful. They definitely show more information as I discussed prior.

Centrino2 with vPro - Finally more Screens to share out

Quick Tip for the Dell e6400

During bootup you will NOT be presented with a CTRL+P screen, however if you hit right after the machine starts it will take you into the MEBx. I looked throughout the BIOS and there are no places to change this. if you find a route, let me know..

Josh H

Simple & easy way to validate machine state with PING

josh.hilliker@intel.com — Tue, 04 Nov 2008 18:03:07 GMT

Here's a TIP from our Interop team around how to verify whether a ping response is through OS or ME. To do so you look to the TTL field in teh ping response.

value in the range of 127/128 = OS NIC responding

Value in the range greater > 128 = ME is responding

Here's a quick video.

New stuff in Known Issues/Best Practices wiki: SCS, Intel AMT Status dialog, LANDesk, SCCM

michele.gartner@intel.com — Wed, 30 Jul 2008 23:12:44 GMT

Check out the new articles this week!

Virtual adapters may cause network discovery to fail

Enabling native (no translation required) support within Microsoft SCCM SP1

Time synchronization errors using Intel®(R) SCS 3.x and Active Directory

SCS Installation Account Security Requirements

No drivers required for bare metal provisioning (LANDesk)

Customizing the Intel AMT Status dialog box

New - Troubleshooting & Best Practices - 5 new articles posted!

michele.gartner@intel.com — Fri, 13 Jun 2008 21:05:29 GMT

New content was just published to the Known Issues, Best Practices, and Workarounds. Check'em out!

My top 3 tool picks for starting to use vPro

josh.hilliker@intel.com — Fri, 30 May 2008 05:42:32 GMT

I wanted to share out why my top 3 tool picks are for starting up with vPro, usually I am using these tools when I'm working on connectivity, packets or errors in the logs in the mgmt console. I also often find that I'm using these tools late at night when i'm deep in troubleshooting mode & trying to do a root cause on why something is not working as planned i.e. hello packets are not starting on a given hardware platform, etc.. (I'll save the showcase for a youtube video soon)..

here they are.................

#1. MEinfowin.exe - Brian C posted a good link of where & how to get this from Lenovo's BIOS update. I highly recommend this tool for troubleshooting version of the ME, SOL, etc.. it also has good information on setup & configuration, link status, etc..

http://communities.intel.com/message/3649#3649

#2. Wireshark - Joel Smith (altiris) wrote about this in his blog, which is where I initially found the link. http://juice.altiris.com/article/3636/troubleshooting-altiris-manageability-toolkit-vpro-technology-part-1-provisioning-clien

Wireshark

While the two above tools are distinctly for Out of Band Provisioning, Wireshark tells the whole story of what is coming and going across the wire. It's important to know what the AMT clients are sending, especially in the 'Hello' packet, and what the server is responding with.

Wireshark can be obtained from: http://www.wireshark.org/. While this is the recommended tool, any network trace capture program can be used to examine the network traffic between the AMT client and the Provisioning Server.

#3. Intel® vPro™ Technology Test Utility - this is the old faithful tool to ensure your vPro system has the right ingredients.

http://downloadcenter.intel.com/Product_Filter.aspx?ProductID=2575

These are my top 3, however if I were to go, in SMB mode I utilize the vPro Packet decoder and the AMT reflector, however I use those at very specific times when i've passed the top 3 and I am digging in even deeper.

I hope you enjoy the list and if you have a TOP tool favorite write a comment at the end of the blog and let me know as I am always looking for new tools that help troubleshooting.

Josh H

Handling vPro AMT FQDN issues with Out of Band Management Solution

joel_smith1@symantec.com — Thu, 15 May 2008 20:35:07 GMT

The primary key of identity for an AMT computer is its Fully Qualified Domain Name (FQDN). One of the essential parts of the setup and configuration process (Provisioning) is when Altiris attempts to map a valid FQDN inside the IntelAMT database. This article covers how to handle FQDN issues, including ways to correct invalid entries, the best method to avoid the issues, and how it all works. If you're using Altiris Out of Band Management for provisioning, this is a must read!

Introduction

The two key identity items for vPro are the UUID (Universally unique Identification) and the FQDN. The UUID is contained within the hello packet sent by AMT, but the FQDN is not held within AMT without Provisioning. This means it is up to Altiris to acquire the system's FQDN. While this may sound simple, the problems arise when the system is in its setup process, whether prepping or being imaged, having software and scripts rolled out to provision and join the system to the domain, including when its final identity on the Domain and network are established and it received a new IP Address.

Preferred Provisioning method

For specifics I'll refer to the Best Practices document, but for the general steps to be followed specifically for the FQDN I'll provide the steps below.

LINK: http://juice.altiris.com/article/2810/best-practices-configuring-intel-vpro-capable-system-within-symantecaltiris-vpro-toolki

Image the system with the Operating System, including any post-imaging work to get the system configured. This includes rolling out software or scripts.
Join the system to the Domain after it has its rightful identity. The computer name should be set. When the computer is joined to the domain, this will provide the valid operable FQDN.
Install the Altiris Agent on the system. This provides the information for the FQDN in the Inv_AeX_AC_Location table.
+NOTE: If the Altiris Agent was part of the image, make sure the system sends Basic Inventory again after the system has been joined to the network to ensure we have the valid FQDN within the Altiris database.+
Ensure the Out of Band Discovery package is enabled and configured via the collection to go to all machines.
+NOTE: This step is essential because OOB Discovery will pick up the FQDN from the Basic Inventory and map it in the IntelAMT database. This screenshot shows where the data is located:+
+!OOBCapACLocation.JPG!+
Now if the hello message was sent before the above steps were completed, normally it will recover as long as the process completes before 24 hours have passed. 24 hours is the period of time the hello packets will be sent from the client. AMT will continue to send hello packets throughout the period UNTIL it is fully provisioned. This helps reestablish connection if the IP Address changes in the middle of the Provisioning process and the Server can't connect back up to the remote AMT system.

Preferred Provisioning Settings

Not all settings within Out of Band are FQDN friendly. The following items affect how Out of Band Management approaches provisioning.

Resource Synchronization - Make certain this is enabled! A Disabled Resource Synch policy will halt Provisioning, greatly increasing the change for FQDN problems when it is finally enabled.
Use DNS IP resolution to find FQDN when assigning profiles - This option, under the Resource Synchronization policy, is typically unreliable. While this option allows for bare-metal provisioning or Agentless provisioning, it also is at the mercy of the DNS and DHCP environment. It is highly recommended NOT to use this option unless you fully trust your DHCP and DNS environment. Factors to consider are:

IP Lease times - The lease times afforded systems may be short, increasing the possibility that when OOB fetches the FQDN via IP the lease will have expired and the wrong FQDN will be mapped.
PXE or other auxiliary boots - Often these types of systems will obtain a different IP address from DHCP as their identity is not the same as when the system is booted to the OS.
!ResourceSynchronizationOOB2.JPG!

Intel AMT 2.0+ to Profile - This option allows a default Profile to be setup for Provisioning. Make sure you've created a default profile and set it in the Resource Synchronization policy. Without a profile Provisioning will not occur.
Intel AMT requires authorization before provisioning - Under the General node within Provisioning, this option stops provisioning from occurring. The profile will not go down to the system until the system is selected, using the right-click to choose ‘authorize'. This can aggravate FQDN problems by delaying full provisioning.

FQDN Fixes

Invalid FQDN in IntelAMT

The first issue stems from a variety of causes. The issue is that in the IntelAMT database, shown under the Intel AMT Systems node under Provisioning for Out of Band Management, the FQDN is invalid. The causes vary, but here are a few we've seen:

Reverse DNS IP Lookup is enabled - Unless your DHCP and DNS environment are rock solid, often IP Address leases expire, and other systems pick up the IPs that the AMT systems originally sent the Hello message with. When this occurs, the wrong FQDN is mapped.
IP Leases short - Often the IP Lease length can create a problem acquiring the correct FQDN. This can especially have problems with TLS as the FQDN is part of authentication using certificates.
FQDN is incomplete - When a system is in setup mode, sometimes the mapped FQDN is not part of a domain, resulting in the Host Name only being set as the FQDN.

IMPORTANT! When the FQDN is invalid in the IntelAMT database, Resource Synchronization can have troubles matching resources with their correct counterparts in the Altiris database. Because of this, duplicates can emerge. If the checkbox in Resource Synchronization labeled: ‘Remove duplicate Intel AMT resources from Notification Server database' is checked, managed resources can get deleted from the Altiris database!

FQDN has Changed

Another not-uncommon occurrence is when a system changes identity. This can occur in a variety of ways, including:

The system has been reimaged
The computer name has been changed
The computer has been migrated to a new Domain
The system has switched subnets, resulting in a new FQDN

Regardless of the method, changing the FQDN on the system does not change it in the Intel ME or AMT firmware, and also does not change it within the Intel SCS component database (IntelAMT). When these are not synched up, it can cause problems when you need to manage the system via AMT when the computer is booted to the operating system. This particularly has problems when TLS is enabled and the provisioned certificate no longer matches the FQDN in Windows.

Issues Resolution

Since the Altiris Agent sends Basic Inventory daily by default, the Altiris database usually has a valid FQDN on record in the Inv_AeX_AC_location database table. We can run a query that will capture the correct FQDN from the Altiris database and insert it into the IntelAMT database, correcting any duplicate or invalid FQDN entries. This is the first step. The second step is to update the FQDN within AMT on the local systems. The following processes walk you through the resolution:

Update IntelAMT from Altiris

Open up SQL Query Analyzer or Microsoft SQL Server Management Studio.
Open a Query window within the database instance that contains both the Altiris database and the IntelAMT database.
Run the following query, though for testing purposes you can omit the line ‘COMMIT TRANSACTION until you can verify the operation completed as expected. Once validated, run COMMIT TRANSACTION to complete the process:
BEGIN TRANSACTION
UPDATE intelamt.dbo.csti_amts SET fqdn = b.fqdn FROM (SELECT il.[Fully Qualified domain name] AS 'fqdn',
REPLACE(oob.uuid, '-', '') AS 'uuid' FROM
altiris.dbo.Inv_AeX_AC_Location il JOIN altiris.dbo.Inv_OOB_Capability oob ON
oob._ResourceGuid = il._Resourceguid) b WHERE intelamt.dbo.csti_amts.uuid = b.uuid
COMMIT TRANSACTION
Done! The FQDNs now match between Altiris and IntelAMT.

Update FQDN on local AMT

It is recommended to follow these steps in batches so as to not overwhelm the Intel SCS component. Perhaps run this against 100 systems at any one time, or run it against those systems you know have been updated. While it doesn't hurt to run this against systems that didn't have the FQDN changed from the above process, it is unnecessary if you are able to target those systems with invalid FQDNs.
+Note: This process assumes that the system can be reached via the SCS using the new FQDN supplied by Altiris. For TLS there may be complications we have not foreseen.+
In the Altiris Console browse under View > Solutions > Out of Band Management > Configuration > Intel AMT Systems > and select the Intel AMT Systems node.
Select one or more systems you need to update the local AMT FQDN on.
Right-click and choose the ‘Re-provision...' option.
!Re-provision.JPG!
Check the Action status node under Provisioning > Logs > Action Status for messages concerning the Re-provision attempts. You can also check the Log node for errors.
Done! The systems, when reprovisioned, should have the correct FQDN planted by the IntelAMT database entry that was updated from the Altiris database.

Conclusion

Use this article to resolve your FQDN issues to ensure ATM functionality is available when it is needed. The above process has been verified, though all environmental potential issues have not been explored. It is advised to test the process in your environment before implementing on a wide scale.

Troubleshooting the Altiris Manageability Toolkit for vPro Technology - Part 7 - Task Server

joel_smith1@symantec.com — Thu, 08 May 2008 19:47:16 GMT

The Task Server contains AMT function tasks that give you the ability to integrate AMT functionality into Task Server Jobs. This allows you to use AMT in conjunction with Software Delivery, Scripting, and any other Task Server supported function. Understanding how to troubleshoot the AMT side of a Task Server job will help resolve issues so that AMT can be utilized. This includes the following technologies:

System Defense - Network Filtering
Reliable Power Management
IDE redirect for boot redirection

Introduction

This is the concluding article for the series: Troubleshooting the Altiris Manageability Toolkit for vPro Technology. The first four articles covered the setup and configuration of AMT systems, while parts 5 and 6 covered RTCI and RTSM respectively. This final article discusses troubleshooting the AMT integration into Task Server when issues arise.

As an introduction, the actual SOAP or API calls made to the AMT system is invoked through Real-Time Console Infrastructure, the same as when they are invoked through the Real-Time tab for RTSM. Though the calls are from the same place, how those calls are made differ. The following subjects will be covered:

Determining Cause of Failure
AMT Detection Issues
Authentication Issues

Determining Cause of Failure

Often you'll known the general symptom that tells you a job or task in Task Server didn't execute as expected. For example a power management task may have shown as run but the AMT system never woke up. A failure is not shown except deep within a series of status windows.

To determine the returned error, use the following steps. Task Server's actual failure code is buried deep in a series of status windows, as shown in the screenshot after the steps.

Under the Task or Job that failed, double-click on the general status row for the specific execution attempt.
If within a job, double-click on the line that represents the task or AMT function that failed.
Note the numbers of successes versus failures. Click the ‘View Report' link.
Now you'll get a grid with the status of the Task, including the status and return code, if present.

AMT Detection Issues

When Task Server reaches a Task that involves AMT, it makes direct calls to AMT in those systems targeted in the task or job. Detecting AMT and subsequently executing the scheduled function requires success at both junctures. The following sections discuss potential issues and solutions in this process.

Power State Unknown

One common problem we see is when a power management task fails due to the failure message: Generic error, FromState detected as unknown:14. This will cause the power action to fail. The causes vary, but the following list contains the most common:

System unreachable - The target system is not available on the network
AMT failed to be detected - See the subsequent section ‘AMT not detected'
Authentication failed - See the subsequent section ‘Authentication Troubleshooting'
AMT is unavailable - If a system is not provisioned, or AMT is not functioning on that system

Use the following process to determine what the issue is:

If RTSM is available, try connecting to the target system using RTSM, specifying the same credential profile.
If that fails, try manually putting in credentials until you find one that works.
If Step 1 succeeds, try creating a different connection profile with only AMT functions provided.
If no RTSM is available, still try the profile with only AMT functions to see if it works.
Try other AMT functions, such as Collect Intel AMT Inventory to see if they succeed.
If other functions succeed, try using another method to reboot the system to reset the power state stored in the Intel ME. One way to accomplish this is using the Task Server Power Management Agent to send down a standard reboot command to the PC.
If no other AMT functions are successful, AMT might not be properly setup on this system. Ask the question: Has this system gone through the provisioning process?
If unknown, use the Out of Band Discovery Task to see if AMT is available and to identify what state it is in. See the steps provided under the ‘AMT Not Detected' section following.
If all else fails (generally this is on a system-by-system basis, rarely do a collection of systems encounter this level of this issue) try reprovisioning the system by fully unprovisioning and going through the provisioning process again.

AMT Not Detected

Normally a non-vPro system will receive the return code that AMT was not detected. This is accurate, but when it happens to valid managed vPro systems, the issue must be troubleshot to determine why the applying Task Server cannot detect AMT on the system. Out of Band Discovery is a great way to determine what state the system is in. Use the following steps to take stock of the systems:

In the Altiris Console, browse to View > Solutions > Out of Band Management > Configuration > Out of Band Discovery > and select the ‘Out of Band Discovery' policy.
Enable the policy if it is not yet enabled. If it is enabled, set a schedule to run the discovery again so you have updated information on your systems.
On the AMT system in question, go to the Altiris Agent and bring up the Agent UI by double-clicking on the system tray icon or by launching C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe.
Highlight the ‘Out of Band Discovery Package.
Click the ‘Out of Band Discovery' link under Application Tasks.
!OOBDiscoveryRun.jpg!
Once completed, now check back at the server and double-click the system within a collection to bring up Resource Manager.
Click on the Inventory tab and browse to Out of Band Management, and select the data class OOB Capability. This will give you the details of AMT.

If AMT is disabled, it needs to be enabled in the BIOS. A BIOS update from the vendor may provide you a remote way to enable AMT, by using Software Delivery for example. If it is all enabled, next check the provisioning status. Provision as necessary.

Authentication Issues

As with RTSM, Task Server uses the same basic authentication method when executing against a computer. Task Server also includes another option to add additional credentials to the execution to be used when contacting the protocol, which is AMT in this case.

Authentication Methods

Since RTCI controls the authentication, much of the same method is used whether the execution of an AMT command is issues from the Real-Time console or from Task Server, however there are some differences.

Runtime Profile - The Runtime profile contains he following information:

All known good credentials used to connect via RTSM to a system
The Intel SCS AMT password sent to systems when provisioning occurs
Previously successfully used credentials from past RTSM sessions
Previously successfully used credentials from a Task that succeeded

User-defined Profiles - Profiles can be created that specifically provide credentials for the four types of technologies:

WMI digest or Domain account
AMT digest or Kerberos-authenticated user
ASF digest or Domain account
SNMP community strings

Task-specified Credentials - When a user setups up a job or task, the user can specify specific credentials to be used when executing AMT-related functions through the profile interface. This option is per job or task, and applies to all AMT functions invoked during the job or task. The Interface allows this as shown in the following screenshot:

Authentication Troubleshooting

The following method will help identify issues and offer ways to work-around and solutions. These have been compiled through experience when troubleshooting issues with failed authentication with Task Server.

First, how do you determine if your task or job is failing due to authentication? Use the previous section under Introduction labeled ‘Determining Cause of Failure'.
In the Altiris Console browse to View > Solutions > Real-Time Console Infrastructure > Configuration > select Manage Credentials Profiles, or in the Task click the ‘Run Now', and on the subsequent page click on the pencil icon next to the credential profile being used.
Where does the green checkmark fall? This is the default profile that will be used when connecting via a Task Server task.
Create a new profile by clicking the blue + on the icon bar in the right-hand pane.
Under the Intel® AMT tab check the box ‘Enable this technology in the profile'.
Supply the admin user credentials set when the managed vPro systems were provisioned.
Under the WMI tab also check the box as above and provide a user that has admin privileges to the target system.
Give the profile a name and then save it.
Back at the main screen check the box under the ‘Default' column until the green check-mark uses your new Profile, or if you are in a job interface select the profile to be used for the run. Note that this does not require you to make it the default profile, allowing another profile to remain the default credentials.
Run the task or job to see if the authentication failure has been resolved.
If it is not, try rerunning with the Runtime Profile. This contains all known good authentication attempts to the system from either Task Server or RTSM.
In one case we supplied only AMT credentials in the Profile which allowed it to authenticate to AMT while a multiple protocol authentication profile failed. If your Task or Job does not contain any of the other protocols, this is recommended.

Conclusion

This concludes the Troubleshooting article series for the Altiris Manageability Toolkit for Intel vPro Technology, version 6. While this doesn't cover all issues, it should resolve most of the common issues we've seen.

New known issues and best practices posted! Topics are around SCS and the SMS Add-on.

michele.gartner@intel.com — Thu, 08 May 2008 16:50:40 GMT

New articles for you to take a look at this week. As always, let me know if you have a best practice or known issue that you want to share or have investigated!

Using international keyboards to create MEBx passwords via Setup and Configuration Service (SCS)

What is the Authorized column in SCS?

Do management workstations running the SMS console and SMS Add-on require patches as outlined in the documentation for the Intel(R) AMT Add-on for Microsoft SMS*?

Troubleshooting the Altiris Manageability Toolkit for vPro Technology - Part 6 - Real-Time System Manager

joel_smith1@symantec.com — Wed, 07 May 2008 18:18:23 GMT

Formerly known as Web Admin for Windows, Real-Time System Manager provides a powerful set of functions for IT specialists. In part 5 of this article series we covered the main points for Real-Time Console Infrastructure troubleshooting. As a natural extension of RTCI, Real-Time System Manager troubleshooting is covered in this article as part 6. With an emphasis on credentials and connection methods, this article provides information to overcome the most common issues seen when using the Real-Time tab for direct, one-to-one computer interaction.

Introduction

Real-Time System Manager provides a powerful tool for directly connecting to a system agentlessly with functionality available through WMI and Intel AMT. This article covers the issues associated with general functions seen with both technologies but with emphasis on the AMT functions. The following sections cover areas of troubleshooting:

Connection Issues
Authentication Issues
IDE Redirect (IDER)
Network Filtering

Connection Issues

Under the current architecture the FQDN is the primary method for connecting and authenticating to AMT on remote systems. If the FQDN the Real-Time tab is using does not resolve in DNS, then AMT connectivity and thus functionality will not be available. FQDN connectivity issues are the number one issues we see with RTSM connections to AMT.

Invalid FQDN

To view what FQDN the Real-Time is using, use the ‘Hardware Management' node in the RTSM tree. The following screenshot shows what AMT is using:

In this example my system is in a workgroup and reported only the hostname as the FQDN, which DNS had no trouble resolving. If this fqdn is not reachable via DNS, we won't be able to connect to the AMT functionality.

NOTE: We use several methods, including IP address, for WMI. WMI functionality may show correctly when AMT is absent in this situation

Use these steps to see the FQDN is the issue:

Open the Real-Time tab for the AMT system you are managing.
Once the tree loads, open the Real-Time System manager folder, open Administrative Tasks, and click on ‘Hardware Management'.
Once the page loads, if AMT is missing as an available technology, take note of the name displayed as in the screenshot above.
Go to Start, Run, type in cmd, and click OK.
Type in nslookup <name displayed>. In the above example it would read:

Nslookup dellvpro

Can DNS resolve this address? If no, we'll need to fix the issue in one of the following ways.
FIX DNS and/or the Altiris record: If DNS can be fixed, this is the preferred method. The difficulty is finding out why the Altiris Agent reported the incorrect record. Once DNS is fixed, have the Altiris Agent run Basic Inventory. The table location we pull this out of for management in RTSM is Inv_AeX_AC_Location, column: Fully Qualified Domain Name.
Use the ‘Manage' node available in RTSM (see the below screenshot): By putting in the IP address of the system, we'll use the IP to lookup the FQDN and not make any assumptions.
!Manageshortcut.JPG!
Update the Servers HOSTS or LMHOSTS files to contain the mapping to the invalid name. For example find the LMHOSTS file, edit it and add a line <IP ADDRESS> <FQDN>, as in this example:

10.10.10.1 Dellvpro

Real-Time unable to connect

If WMI and AMT functions are unavailable, you'll get a message when you click on the Real-Time tab indicating that the functionality isn't available. See the following screenshot:

Note: If you use another product such as Dell or HP's plug-ins to this tab, you'll simply not have the ‘Real-Time System Manager' node underneath Real-Time Consoles.

The number one reason this occurs is due to a firewall being engaged. Firewalls need to allow AMT traffic through. If a firewall is enabled, use the following details to resolve the AMT issue:

Create an inclusion in the firewall properties.
Allow the following ports, based off your environment:

16992 - For non-TLS encrypted traffic - if you are not using TLS this is the port that will be used for communication
16993 - For TLS-enabled, encrypted AMT traffic - If https is required for communication with AMT, this port will be used
16994 - For a note, AMT provisioning uses this port for sending out the ‘hello' packet during the configuration process - this will be used if you initiate a reprovision from RTSM

Another options is to disable the firewall when you need to manage the system via RTSM.
Unfortunately WMI has a known issue with the Windows firewall where the dynamic ports WMI uses after initiation will be blocked. It's a bug in WMI that has been addressed in Vista. Previous Operating Systems do not have a resolution at this time.

The other issue we've seen is where the system is simply unavailable for one reason or another. AMT is available if the system is off but still connected to the network, but WMI or if the system is unplugged from power or off the network RTSM obviously cannot function. Verify that the system is available if nothing resolves this issue.

Authentication Issues

Another common issue concerns authentication to the system via the Real-Time tab. First, let me discuss the methods RTSM uses to authenticate to a target system.

Authentication Methods

Runtime Profile - The Runtime profile contains he following information:

All known good credentials used to connect via RTSM to a system
The Intel SCS AMT password sent to systems when provisioning occurs
Previously successfully used credentials from past RTSM sessions

User-defined Profiles - Profiles can be created that specifically provide credentials for the four types of technologies:

WMI digest or Domain account
AMT digest or Kerberos-authenticated user
ASF digest or Domain account
SNMP community strings

Manually entered credentials - When RTSM tries to connect, if the default profile set in the RTCI configuration fails to authenticate, the left-hand tree will still load but each node will prompt the user for credentials. A user can put in an AMT account, Domain user, or digest user that has rights on the target system. When authentication succeeds, these credentials are then stored in the Runtime Profile for the target system.

Troubleshooting Authentication

In the Altiris Console browse to View > Solutions > Real-Time Console Infrastructure > Configuration > select Manage Credentials Profiles.
Where does the green checkmark fall? This is the default profile that will be used when connecting via the Real-Time tab.
Create a new profile by clicking the blue + on the icon bar in the right-hand pane.
Under the Intel® AMT tab check the box ‘Enable this technology in the profile'.
Supply the admin user credentials set when the managed vPro systems were provisioned.
Under the WMI tab also check the box as above and provide a user that has admin privileges to the target system.
Give the profile a name and then save it.
Back at the main screen check the box under the ‘Default' column until the green check-mark uses your new Profile.
Test to see if this new profile is successful. Note that you'll need to launch IE fresh to use the new settings.
If it is not, try entering credentials in manually when you hit the system under the Real-Time tab. See the screenshot below for the connection icon to switch between WMI and AMT authentication. If two show in this area, both technologies are available but not authenticated.
!RTSMconnectiontype.jpg!
In one case we supplied only AMT credentials in the Profile which allowed it to authenticate to AMT while a multiple protocol authentication profile failed.
Check the collection you are launching Resource Explorer from. Sometimes the identity of the system is incorrect. For AMT you can launch RTSM from the Provisioned collections populated with the Resource Synchronization.

IDE Redirect (IDER)

IDE Redirect allows a system to be remotely booted to a file, drive, or virtual disc. There are a number of potential issues to be aware of when working with IDER in a vPro environment. The below items include well-known issues and their resolutions.

Redirection Invalid Parameter

When initiating an IDER (IDE Redirect) session to an external source such as an .iso file, the following error appears in the console:

Power management operation failed.

Redirection session start has failed. See logs for more details.

The Notification Server log shows the following error:

Log File Name: C:\Program Files\Altiris\Notification Server\Logs\a.log

Priority: 2

Date: 3/9/2007 2:51:05 PM

Tick Count: 10617218

Host Name: <>

Process: w3wp.exe (2436)

Thread ID: 5412

Module: AltirisNativeHelper.dll

Source: RTCI.Trace

Description: RedirectionProvider::StartIDER - RedirectionProvider::StartIDER - IMR_IDEROpenTCPSession: IMR_RES_INVALID_PARAMETER

This is caused by Intel's redirection library requiring a correct floppy device to initiate an IDER session (either floppy image or real removable device). Real-Time System Manager 6.2 can work around this. If you put floppy.img file into Program Files\Altiris\RTSM\UIData folder, then the issue will not occur.

IDER or SOL Disabled

In some instances Intel vPro systems are arriving from the OEM with IDER and SOL disabled in the BIOS. When disabled, neither of these functions work from any management engine, including RTSM. Correcting this oversight is not easy, especially if the OEMs do not offer a solution by a firmware or BIOS update. Use the following method to resolve the issue:

Go to the Support site for the OEM for the systems.
Browse to the drivers and downloads section for the exact model (note that sometimes the model will differ based on possessing or not possessing vPro technology).
Check the firmware updates for a new BIOS.
Check the documentation for any new BIOS versions that include vPro to see if they've corrected this.
Contact your OEM if they have not and request a status!
The only other recourse is to develop an update yourself or manually update the settings by visiting the system.

Conclusion

This should account for the most common issues we've seen, and allow you to successfully use RTSM with AMT technology, avoiding those issues.

New USB provisioning article published in wiki!

michele.gartner@intel.com — Tue, 29 Apr 2008 20:45:13 GMT

Here's an interesting one on USB provisioning -- just published in Known Issues, Best Practices, and Workarounds:

What is the maximum number of PID/PPS pairs that can be used during USB provisioning?