Having worked with Intel Active Management Technology and Intel vPro Technology since version 1.0, it seems to me that there are a whole host of possibilities for those who are do-it-yourself-ers. One is the ability to programmatically wake a system, remotely trigger a process such as a software patch, and then put the system back to sleep. As it turns out, this is not so hard, even for me who has a limited scripting (read batch file) capability. The video chronicles the results of my effort.

Disclaimer: this is not meant as a how-to or best method. Rather, it is an exploration of what’s possible, meant to educate and stimulate conversation. With that out of the way, let’s get to the fun stuff.

To accomplish this goal I knew I'd need some help via command line tools. I did an Internet search and found these 4 freely downloadable tools that made it all possible. They are;

Remote Control Util - to determine the current power state and turn the system on.

PsService - to start a process remotely

PsShutdown - to put the system back to sleep

sleep.exe - so the batch file can sleep while an event takes place.

The setup is simple; 2 systems. One is the console that executes the batch file and these commands. The other is my vPro system. I setup and configured my it using this Use Case Reference design (another of my batch file creations). That is to say, there's no TLS and I'm using only the admin account. I then ran the batch file on the console system which triggered the whole process. The process is as follows:

1.     Remote control util gets vPro's original power state via AMT (on, sleep, hibernate, or off)

2.     Remote control util power's on vPro via AMT

3.     Remote control util get's vPro's new power state to verify it has turned on

4.     ping vpro and check the TTL. Once it changes to <=128 the OS has booted. For more info

5.     PsService starts a process on vPro. I used notepad but it could be anything, including triggering a download and run of software patch

6.     PsService exits when the process finishes

7.     PsShutdown gracefully places vPro back to it's original sleep state

8.     Remote control util get's vPro's new power state to verify it has returned to it's original power state

Couple of notes.

·         I set an auto login on my vPro so I could see the process. However, PsService will work without a user being logged in. Also, it can run processes in the back ground so an end user would not be able to interact.

·         I used Notepad as my remote process since it made it easy to see success. However, any process can be started. In fact, PsService supports downloading the executable to run. As such, it may be possible to download and then run a patch or batch file as part of this whole process

·         I used a single vPro system. But, with a simple loop the same core batch file could trigger this action on many vPro systems.

Hope you found this post enjoyable and thought provoking. If you have your own do-it-yourself vPro ideas, or want to recreate this one, please share. And, hey, who says batch files are dead?

If you are using Out Of Band (OOB) Management in Microsoft System Center Configuration Manager (SCCM) 2007 SP1 (or greater) to manage your Intel vPro clients, you may have noticed that computer objects are created in your Active Directory domain during provisioning of the Intel vPro firmware. These computer objects are created by the amtproxymgr component of an OOB Service Point, and allow Intel vPro to communicate directory with Active Directory, regardless of the operating system state.

Since these vPro computer objects appear very similar to standard computer objects that are created when joining a Windows OS to an AD domain, it may be hard to distinguish which ones are vPro accounts, and which ones aren't. This situation can be worsened if you somehow have Windows computer accounts mixed into the same OU that contains your AMT objects.

As you'll see below, it's very easy to locate these computers using some simple PowerShell code:

$vprosearcher = [adsisearcher]"(&(objectclass=computer)(serviceprincipalname=*:16993*)(samaccounttype=805306368))"
$vproaccounts = $vprosearcher.FindAll()

These two lines of code simply create a System.DirectoryServices.DirectorySearcher instance, with some LDAP search criteria to identify the accounts, and then assigns the results of this search to a PowerShell variable called $vproaccounts. The default search root is the top-level of your Active Directory domain, and the default search scope is already set to SubTree, so you don't have to specifically configure these settings on the DirectorySearcher. Once you're at this point, you can simply enumerate the accounts, or pipe the results into a PowerShell ForEach loop, and perform some operation against them (for example, givem them a Description attribute value).

Because this code sample uses the "adsisearcher" type accelerator (aka. type shortcut), it will only work with PowerShell v2.0 (included as part of the Windows Management Framework), unless you modify PowerShell v1.0 to include it. There's almost no reason not to be using PowerShell 2.0, now that it has been officially released, however.

I recommend using the free Quest PowerGUI tool to develop and debug PowerShell scripts.

Cheers,

Trevor Sullivan

Matt Royer wrote in June about some of the new AMT-related features being included in Service Pack 2 for Microsoft System Center Configuration Manager 2007. I recently installed ConfigMgr SP2 in my lab environment, and wanted to follow up on Matt's post by sharing some screenshots of the new AMT features, for those of you that may not be beta testing SP2

** The updated AMT Settings screen, which now features the option to set the power package for the management controller.

** The new Provisioning Schedule screen (no more editing your sitectrl.ct0 file!)

** The new main 802.1x & Wireless Profile Configuration screen (there are a couple of detail screens below)

** The new Wireless Profile Detail screen

** The new 802.1x Profile Detail screen

I don't have a provisioned client in my lab yet, but once I do, I will see if I can investigate the updated Microsoft OOB Console, and capture some screenshots. As Matt's post stated, there should be added functionality for inputting information into the 3PDS (Third-party data store), so I assume there will at least be that change.

Cheers,

Trevor Sullivan

Systems Engineer

TriActive, Inc., founded in 1997, has recently added AMT (vPro) capabilities to their software. This product is called Systems Management On Demand and you can read more about it here. In their own words, "TriActive was a pioneer of delivering Systems Management solutions using a SaaS (Software-as-a-Service) model to organizations of all sizes for laptops, desktops, servers, and network devices." (from their website) Below we have provided some screen shots of their newly acquired AMT capabilities...

• Systems Management Overview Video
  • LAN and Web-based remote control & diagnostics
  • Intel vPro with AMT support when Microsoft Windows is not running
  • Asset hardware, software, security inventory with change history
  • Fully integrated SW delivery, Patch mgmt, License Compliance
• Case Studies - From Newsweek to the YMCA, they've aquired a pretty good range of customers.
  • "We were very keen on getting full infrastructure coverage almost instantaneously. TriActive's hosted service got us up and running within days. We did not have to install any software, and we have no software to maintain. TriActive promised us a solution that worked immediately, and that's what we got, without any of the hassles of typical software installations," says the CTO of Newsweek.

TriActive - Systems Management On Demand - Screen Shots

AMT Remote Options

AMT Status

AMT Event Log

Initiate SOL

SOL Boot to BIOS

AMT PowerOn

AMT PowerOff

Hello vPro Experts!

Are you having trouble getting the Microsoft Out-of-Band (OOB) Console to connect to your Intel vPro clients? If so, one of the first things you should do, is enable verbose logging in your OOBConsole.exe.config file. This file is located in the following folder: %PROGRAMFILES%\Microsoft Configuration Manager Console\AdminUI\bin. If you open this file in Notepad, you should see a line that looks like <source name="OOBConsole" switchValue="Error">. If you change the text Error to Verbose, you will enable verbose logging for the OOB Console. The next time you try to connect to an AMT device, you should start seeing more detailed logging in the OOBconsole.log file, located in: %PROGRAMFILES%\Microsoft Configuration Manager Console\AdminUI\AdminUILog.

If you're seeing this message specifically: GetAMTPowerState fail with result:0x800401F3, then you might have forgotten to install WinRM 1.1 on your Windows XP client running the OOB console. Also make sure that you're running Windows XP Service Pack 3! Once you install WinRM 1.1, this error should magically disappear, and have you well on your way to managing vPro devices!

Cheers,

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Hello vPro Experts,

In case you've worked with any of the Powershell code samples I've previously posted, you've probably noticed that the AmtSystem.Connect() method executes asynchronously, and returns immediately. In this case, you'd have to develop some sort of loop in order to determine whether or not the connection was successful. Typically, I would just use this code to prevent a script from continuing before the connection was established:

while ($amtdevice.State -eq "Connecting") { Start-Sleep 1 }

But that's ugly, because, what happens if it never connects? Although it's nice to have the ability to asychronously connect to AMT devices, writing code and understanding the logic, to handle async processes is significantly more difficult than writing code that is synchronous. For this reason, we will look at how to modify and recompile the ManageabilityStack .NET assembly in the Intel AMT Developer Toolkit (DTK) to allow synchronous connections to AMT from PowerShell code.

In order to perform the next steps, you'll need the following:

• The Intel AMT DTK source code
• Microsoft Visual Studio 2008 (the Express edition is fully functional and free!)
• Microsoft Windows PowerShell 1.0 or 2.0 CTP3

Once you've installed these components, continue on:

1. Download the Intel AMT DTK source code and extract to a folder
2. Navigate to <Source>\Manageability Stack and open the Manageability Stack.csproj file in Visual Studio 2008
3. Open the AmtSystem.cs file in the Visual Studio Solution Explorer
4. Rename the Connect() method to ConnectAsync()
5. Copy the following code above the ConnectAsync() method:
   public void Connect()
   {
      if (State != AmtSystemObjState.Disconnected) return;
      ChangeState(AmtSystemObjState.Connecting);
      ConnectEx(this);
   }
6. In the Visual Studio Solution Explorer, right-click the Manageability Stack project, and click Build
7. Go to your <Source>\Manageability Stack\obj\Debug folder, and grab your new ManageabilityStack.dll .NET assembly

Now that you have a recompiled ManageabilityStack assembly, you can load this into PowerShell, and connect synchronously using the Connect() method!

Update: I attached the AmtSystem.cs file to this blog post, if you're not comfortable modifying source code yourself! You'll still need to replace the file, open the project, and recompile the library though

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

While at Symantec ManageFusion 2009, we had a chance to talk with Mike Dunham, Executive Director of Product Management for Incendio Technology. In the video below, he talks about the Incendio vMinder Portal, which allows IT profrossional to utilize the Symantec Altiris Client Management Suite without needing console access. From the Incendio vMinder Portal, the IT professional can access Intel vPro technology features such as reliable remote power control that are part of the Symantec Altiris Client Management Suite.

To learn more about Intel's presence at Symantec ManageFusion 2009, go to: http://www.intel.com/go/managefusion/

While at Symantec ManageFusion 2009, we had a chance to talk to IT executives and managers from Disney International, Fox Interactive Media, Blue Cross Blue Shield and McCormick Spice Company and industry analysts from Enterprise Management Associates and Ptak, Noel & Associates LLC. In this video, they talk about the security benefits of Intel vPro technology - which include the ability to deploy software patches faster into the installed PC base, and the ability to quarantine infected PCs and remotely remediate them.

To learn more about Intel's presence at Symantec ManageFusion 2009, go to: http://www.intel.com/go/managefusion/