I ran into a problem when I accepted my server's default setting when installing my Remote Configuration certificate.  I found root cause and decided to share...

http://communities.intel.com/docs/DOC-2672

I've updated the vPro-ready systems that are available from Panasonic.  These include the fully rugged, business rugged, and semi-rugged notebooks.  John Hilliker just blogged about the Park and Patch use case which features the CF-19.  The full line of Panasonic Toughbook notebook computers available with vPro is shown here: http://communities.intel.com/docs/DOC-2033#Panasonic.  In case it isn't clear from the list, all CF-19K and CF-19L series (CF-19Mk3), CF-30K and CF-30L series (CF-30Mk3), and the CF-T8, CF-W8, and CF-F8 come standard with vPro.

The release of the Notification Server 7.0 platform will provide a new design and infrastructure.  Out of Band Management will also provide a new release with this platform.  First I’ll provide a brief description of what Out of Band Management is used for.  This article will also cover the differences between the 6.2 version of Out of Band and version 7.0.  The changes include UI improvements, relabeling to be in line with current Intel terms, and the addition of limited Dash support.

INTRODUCTION

Out of Band Management 7.0 allows an administrator or IT Professional to setup and configure several protocol technologies for use in the greater Notification Server infrastructure, or even any other solution that supports the protocols handled by Out of Band Management.  The supported technologies are:

• Intel AMT (Active Management Technology) or vPro
• ASF (Alerts Standard Format) primarily from Broadcom
• DASH technology support (open architecture)

The greater focus is on Intel’s AMT technology.  Using the provided configuration pieces with Out of Band, systems with the above technologies can be configured to respond to functions called from either the RTSM interface or via Task Server.  Once configured, the Notification Server is a trusted entity to the local systems and all available functions are available.

More information can be found by browsing through the articles generated on Out of Band Management 6.x at http://www.symantec.com/community/intel.

Terms/Term changes

It’s important to understand the changes in terminology and labeling so the transition from 6.2 to 7.0 Out of Band Management goes smoothly.  This section will also help explain the naming scheme for Out of Band Management.  The following list provides the term, and the previous label (if different), and a brief description:

1. Configuration, AKA Setup and Configuration – Previous term: Provisioning – Intel has standardized on using Configuration as the term for activating a vPro system.  This more aligns with what is occurring and avoids confusion with basic industry understanding of what provisioning means (putting an OS on the system). 
   NOTE: Since this word is used throughout documentation for 6.x it is important to understand the change!
2. TLS – Transport Layer Security can be considered the next generation of SSL (Secure Sockets Layer).  It’s used in 2 sections of Configuration: Remote Configuration authentication, and TLS within the Configuration Profile.
3. Remote Configuration – This specifically means the process for automatic Configuration via the handshake with a TLS certificate, usually purchased from Verisign, GoDaddy, Comodo.

Out of Band Portal

Out of Band Management now has a Portal page that provides access to most function from a user-friendly UI.  It’s accessed in the Symantec Management Console by going to Home > Remote Management > and click on Out of Band Management.  The following screenshot shows a view of the portal:

The upper left-hand pane shows a list of setting groups that will enable a user to go through those steps necessary to enable or complete Out of Band setup and configurations.  Please note the following items and what they can be used for:

• Configuration Service Settings – This provides all the nodes that are used in the Setup and Configuration process for AMT.
• Basic Configuration (without TLS) – This takes you through the process of setting up Configuration where TLS will not be used in the Configuration Profile (not to be confused with Remote Configuration TLS).  See this screenshot for the way the steps are setup:
  
• Enable Remote Configuration – This walks you through setting up the Notification Server to accept Configuration requests using TLS certificates.  Note that 2.6, 3.0+ AMT systems are automatically configured to send out requests using this method.
• Enable Security (TLS) – This walks you through setting up the Notification Server to use TLS when managing AMT systems.
• Intel AMT Tasks – This is a quick area that reveals the Task Server tasks that directly utilize AMT.
• Configure Site Server – This is a link that opens the Site Server Configuration page as part of the Notification Server Platform.  This is available here because OOB has a Site Service that can be deployed to Site Servers.

As a note, Site Servers allow distribution of Out of Band functions across the environment, and helps alleviate any problems with large rollouts involving a large amount of Configuration.  This brings us closer to having true hierarchy support with Out of Band Management.

UI Changes

Those who are familiar with Out of Band Management 6.2 can use this section to find corresponding functions, configuration pages, and utilities when upgrading to Out of Band 7.0.  If you are unfamiliar with this version skip to the next section.

Out of Band Management looks much the same as it did in 6.2, with some notable exceptions.  The following items cover the differences between the two.  The method used to reach the console area for Out of Band Management is as follows: Browse down through Settings > All Settings > in the left-hand tree browse down through Remote Management > Out of Band Management.  The three subfolders are by the same name as they were in 6.2, lacking the fourth folder: Delayed Provisioning.

1. *Provisioning > Configuration – I called this out previously in this article but with my experience the double-exposure is necessary.  In reference to managing vPro AMT systems, consider the previously used term Provisioning to now be Configuring, or Provision to now be Configuration.  If you’re like me and have the word provisioning ingrained in your mind, it will take some getting used to.
2. Auxiliary Profiles – Three new nodes have been added to this folder.  They are described below:
3. 1. Management Presence Server – (MPS) This is the secure gateway CIRA technology will use to connect securely with the network where the NS resides for remote management from anywhere on the Internet.
   2. Remote Access Policies – In relation to the above MPS, this policy dictates how CIRA connections are handled by the Notification Server.
   3. Trusted Root Certificates – Also in relation to MPS, these are required to establish so that trust can be formed from the calling AMT system, the MPS, and the Notification Server.
4. Configuration Profiles – Formerly known as Provision Profiles.  The following items have been added as tabs within the profile configuration.  Descriptions of the items are supplied as well:
5. 1. Domains – Allows the ability to configure AMT to operate in more than one Domain.
   2. Remote Access – This ties directly to the Remote Access Policies found under the Auxiliary Profiles node.  Edits here will take effect in both places.
6. The remaining nodes under the Configuration Service Settings folder are the same between versions 6.2 and 7.0.
7. Delayed Setup and Configuration – Formerly known as Delayed Provisioning, this has been renamed to fit the proper naming convention.  It also no longer has its own folder, but can be found under the Intel® AMT Systems folder above the Intel AMT Systems node.
8. The following screenshot shows the layout of the console:
   

Intel SCS

The component that Out of Band Management plugs into has not changed between versions.  Intel SCS (Setup and Configuration Services) is still the backbone of Out of Band, and handles all the transactions between the server and the remote Intel AMT clients during the Configuration process.  Please note that management functions of AMT are NOT handled by Intel SCS.  SCS stands for only the Configuration process, including maintenance and reconfiguration tasks (for example for profile updates) as part of maintaining the configured state.

Out of Band Management 6.2 used Intel SCS version 3.0 (or 3.2.1 per the Knowledgebase article found at this location: https://kb.altiris.com/article.asp?article=40076&p=1).  Intel SCS version 5.0 ships with Out of Band Management.  While the UI does not reveal all the additional capabilities, SCS 5.0 comes with a tool called Activator.  This utility can handle a number of scenarios that were sticky points in the previous versions of Out of Band and Intel SCS.  The abilities include the following:

1. FQDN Name Change – The Activator, when run on the local AMT system, can tell AMT to send updated information to Intel SCS on its FQDN.  This is especially important if the FQDN has changed in Windows, thus changing the identity of the machine.
2. • The problems associated with this are the failure of AMT systems to authenticate using TLS due to FQDN sensitivity if enabled, and also the inability of Intel SCS to contact back a system whose FQDN has changed.
3. Resending of Hello Packets – While the 3.0 version of Out of Band had the ability to send Hello packets using the Delayed Provisioning (AKA Delayed Configuration) task, it did not have the ability to send PSK (pre shared keys) packets if the 24 hour cycle of the hello packets sequence expires.  This functionality was also added to verison 3.2.1 of Intel SCS.
4. • The problems associated with this are when systems are not configured within that 24-hour cycle they need to be acted upon to get the needed information to the server for configuration.

The above two functions can be utilized by sending Activator down using a Delivery Software job in the Software Management Solution.

Conclusion

Hopefully this introduction will help those familiar with Intel vPro, and especially familiar with Out of Band Management in the Notification Server 6.0 infrastructure, to understand the changes and functions in version 7.0 of Out of Band Management.  In depth articles will be generated in the future to cover some of the new features such as the MPS and CIRA functionality.

A while back, I was talking with Dave McCray, a buddy in Intel's IT group, about a training room that he'd just finished equipping with Intel® vPro^TM Technology-based PCs. As the vPro PR guy, I'm always looking for stories that might interest the media and thought Dave's hands-on experience might yield some angles. Dave has been working with vPro since its early days, and as we chatted about the installation, it became apparent that he'd developed an extensive toolbox of BKMs (Intelese for "best known method methods") that make it quicker and easier to fire up vPro. We came up with the idea for a series of how-to videos as a way to share his honed procedures. To do that, we recruited another friend, Brett Twiggs, a systems engineer with LANDesk, an Avocent company, whose LANDesk* Management Suite incorporates vPro's capabilities in its user-friendly approach. The result is a four-part series of chats and hands-on demos that make the implementation and use of vPro that much easier, plus some sage advice gleaned from Brett's and Dave's experience. They start with some Shop Talk, and then discuss Green IT, Enhancing Security, and finally Remote Diagnostics and Repair. Hope these are helpful. And if you have some tips, let us know.

As many of you might know or have experienced, relying fully on the default provisioning window where the Management Engine sends 'Hello Packets' to the SCS server is problematic. Problems start arising in the following instances:

1. The network has multiple domain suffices being allocated as connection specific DNS suffices depending on location and this could potentially lead to a mismatch between the SCS domain suffix and the client domain suffix.

2. DHCP option 15 upon which the default process relies on might need be in use for one reason or another

3. The provisioning window (24 hours for RCFG and 6 hours for PID/PPS by default) has closed before the infrastructure has been put in place to do something useful with these hello messages.

In the past there was a solution based on sample vbscripts provided by Intel- either Server side only or a combination of client and server side scripts that would be used in conjunction with SCS. This has now evolved to the Activator Utility which is considered the best known method, however there are some subtleties where using the Activator isn't as straight forward, such as:

1. The Activator utility will typically run under the context of the Local System Account - to allow each Local System Account to write information to the SCS DB requires delegating control all the Computer Objects. This is seen as a significant security risk by some organisations.

2. The syntax for running the Activator utility necessitates the specification of a profile ID. The number of the profile ID can't be pre-determined with absolute certainty and the SCS API only accept the profile ID and not the profile name. A situation can ensue that the wrong profile ID has been hardcoded on the clients.

3. Some operations like /a cannot work under the Local System Account context to begin with

Together with the hetrogeneous states of vPro machines (some provisioned, some not, some needing to be re-provisioned) some further logic needs to be put in place to provide a robust end to end solution. This has lead to the implementation (in a nutshell) of the following solution at a large scale enterprise customer (it assumes knowledge of the activator utility and it's switches):

1. A scriptable interface needs to be able to determine whether a system is provisioned or not - this is achieved by running MEInfo and parsing the contents of the output and writing some information into registry keys.

2. A script always checks the registry keys to know whether to run the Activator utility

3. The script is run at every boot-up of the system to make sure any previous failed attempts or if the system has been unprovisioned since the last boot is covered

4. Once a script (which runs under the context of the Local System Account) determines it needs to execute - i.e. the machine is unprovisioned but has PID/PPS loaded it runs the Activator Utility with the //s h /d PID but not /o and /p

5. At this point you might ask yourself, if I am using the client side vbscript, why should I use the Activator tool as well? The answer is that the Activator tool provides you the ability to send an in-band 'hello message' to kick-off the provisioning process. That is why we make use of the /h and /d PID parameters. If you wouldn't use the Activator tool, the out of band 'hello messages' would have easily timed-out a long time ago and you wouldn't be able to commence their resending unless you pulled the power cable out and back in - i.e. restart the Management Engine.

6. The PID is predetermined per machine type and can be inserted into XML file that sits in client - if the PID was unique per each machine this would have broken the whole solution - hence a clear recommendation to have the same PID/PPS across all machines or at least across all machines of the same model

7. At this point the information is written into an Interim DB using SQL account permissions

8. Note that no permissions need to have been delegated for all Local System Accounts

9. On the server side the script uses the same or different SQL account permissions to access to the interim DB

10. On the server side the script contains the /p and /o parameters - this is crucial as this is a single point where the /p and /o parameters can be changed thus providing flexibility

11. In addition since the customer has opted to not use certificates and because there is a difference between the connection specific and Active Directory domain suffices, provisioning is take place with hostname only - typically this would have involved using the /a switch, however there is a known issue that won't work under the context of the Local System Account. Therefore the FQDN is stripped of it's domain the server script and the hostname is derived.

12. The server script creates an XML file with the appropriate content to plug into the Configuration Parameters table in the main SCS DB, as the SCS service can parse the contents of this XML file and check that it is valid content.

The overall benefit of this solution is you avoid the security risk of delegating access rights for all Local System accounts, cover the different scenarios when the Activator Utility should be run, avoid the problems of mismatching domain suffices and maintain the flexibility of a single point of changing parameters for the variable Activator Utility syntax.

The same logic will apply if you are using RCFG - simply ignore point #6 above regarding PID.

Hope some of you find this useful.

Thanks, Tal

I'd like to announce the Expert Center's newest edition...

Are you a small or medium sized business? Have vPro? Want vPro? Then you should see this brand new sub zone of the vPro Expert Center. This site is dedicated to the discussion of Small and Medium Businesses & Intel vPro Technology. You can expect to see great tools, helpful tips, solutions, some best known methods and Service Provider information. Feel free to take a look around and join this new community of SMBs and MSPs.

Michele, Tim & I got together to talk about Activating vPro, the tools & the wiki's that help folks. This video was an output of us getting together.

</object></embed>