
Intel vPro Expert Center Blog

147 Posts tagged with the amt tag

Hang Onto That Laptop

Posted by Scott Smith Apr 26, 2009

I attended an eye-opening press briefing the other day where George Thangadurai, strategic planning director for Intel’s Anti-Theft Program; Ponemon Institute founder Larry Ponemon; and Rex Rountree, an encryption expert from Intel’s IT group, disclosed details from a study that calculated the actual cost of losing or having a notebook computer stolen, a rapidly growing problem.  The basic message to the millions of us mobile workers was: Hang onto that laptop.

Chain it to you if you must because if it’s lost or stolen the bill to your company will be $49,264 on the average.  The “Cost of a Lost Notebook,” study was commissioned by Intel and conducted by the Ponemon Institute.  You can find an overview of the findings in the news release.

Intel undertook the study to better understand the problem and devise remedies that are simpler than handcuffing yourself to your notebook.  In January, Intel introduced Anti-Theft Technology as one way to help make laptops less appealing to thieves.  Anti-Theft Technology works by locking a computer reported lost or stolen either from a remote server or from policies embedded into the PC.  Once locked, the computer is useless until recovered at which time IT can issue the owner a password to make it functional once again.

Intel works with computer makers and service providers, such as Absolute, Lenovo, PGP and Phoenix, to implement Anti-Theft Technology.  If used in conjunction with a hard-disk encryption service vendor, such as PGP, Anti-Theft Technology can house the encryption keys, which are normally stored on the hard disk, in the chipset.  If the PC turns up missing, the keys can be deleted.  So, even if a thief has the passwords to decrypt the drive, they are useless and the data is protected.  If the thief removes the hard disk from a locked computer in hopes of installing it in another computer to gain access to the data, he leaves the keys locked behind.  But, back to the study.

That $50,000 cost, which I suspect has any CFO reading this clutching his chest, results, of course, from this potential compromise of data.  In fact, responding to a data breach is responsible for about 80 percent of the cost, according to the study.  The rest covers investigating the loss, the price tag for any lost intellectual property, legal expenses and making regulatory disclosures.  Let’s also not forget the disruption to an employee whose entire job function likely hinges on his computer.

So, what can a company do?  The study concludes that encryption helps.  It knocks about $20,000 off the bill.  Why doesn’t it eliminate all of the expense?  Encryption depends on who has access to the encryption credentials to decipher the data.  If they’ve somehow been compromised or you’re dealing with a disgruntled employee, then even the most elaborate cipher won’t help.  It also depends on employees actually using the encryption features and on which data they encrypt.

So, in the end, cutting the cost of missing laptops requires a multifaceted blend of technology and practices.  Rex added that training employees how to protect their notebooks goes a long way in cutting the risk as well.

After the briefing, I still had some questions and caught up with George, Larry and Rex for a chat.  If you’d like to listen to the briefing, it’s available at 1-800-475-6701, conference ID# 997098.

Ever had a laptop stolen or have any thoughts on preventing theft?  I’m sure everyone would be interested in your comments.

-------------------

I wanted to quickly share an example of how to set the current power state of a provisioned Intel vPro system using Windows PowerShell!

Take a moment, and ask yourself these quick questions:

  • Have you ever wanted to be able to automate the powering up, or powering off, of multiple computers?
  • Is your company interested in saving money by not needlessly leaving computers powered on at night?
  • Do you have a time-critical environment, such as a call center, where you need to reliably power up your computers so they are ready to go in the morning for agents?
  • Do you want to be able to create your own helpdesk tools to enable remote reset of hung systems?

If you answered "yes" to any of the previous questions, then hopefully this PowerShell code will help you, as an administrator, achieve your goals! Let's take a look at how to perform the actions of:

  • Powering up a vPro (AMT) system
  • Powering down a vPro (AMT) system (not gracefully, just FYI)
  • Power cycling a vPro (AMT) system (also not graceful)

For the sake of simplicity, we'll continue to work with the ManageabilityStack.AmtSystem object that I have referenced in my previous article(s). If you aren't sure how to get the $Global:Amtdevice PowerShell variable, please look back at my other articles. This will also require the download of the Intel AMT Developer Toolkit. You'll need the Manageability Stack.dll library contained within.

-------------------

In order to control the remote power state of an AMT system, all you really need to know are these hex values:

0x10 = System reset

0x11 = Power on

0x12 = Power off

0x13 = Reset w/ power cycle

These hex values will be used with the $AmtSystem.Remote.SendRemoteControl() method to alter the power state of the remote system. The SendRemoteControl() method included with the DTK takes a number of parameters that go beyond the scope of this article, so we will pass hex value 0x0 to those parameters for the time being. In order to use the above hex values, simply pass the hex value as the first parameter of the SendRemoteControl() method. In order to fulfill the parameter requirements of this method, pass 5 additional parameters with the value 0x0. Here are some examples:

Powering up an AMT System

# 0x11 = Power on; the five remaining parameters are passed as 0x0
$Result = $AmtDevice.Remote.SendRemoteControl(0x11, 0x0, 0x0, 0x0, 0x0, 0x0)
Write-Host "Power command resulted with: ${Result}"

Powering off an AMT System

# 0x12 = Power off (a hard power off, not a graceful OS shutdown)
$Result = $AmtDevice.Remote.SendRemoteControl(0x12, 0x0, 0x0, 0x0, 0x0, 0x0)
Write-Host "Power command resulted with: ${Result}"

Power cycling an AMT System

# 0x10 = System reset (the table above lists 0x13 for a reset with power cycle)
$Result = $AmtDevice.Remote.SendRemoteControl(0x10, 0x0, 0x0, 0x0, 0x0, 0x0)
Write-Host "Power command resulted with: ${Result}"

The above samples show how to use the SendRemoteControl() method of the AmtRemoteControl .NET type in the Intel AMT Developer Toolkit (DTK) to control the power state of a remote AMT device.
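Building on the three calls above, here is an added example (not from the original post) that wraps SendRemoteControl() in a function keyed by the command names from the hex table, so scripts that power many systems do not pass raw hex around. It assumes $AmtDevice is the ManageabilityStack.AmtSystem object from the author's earlier articles and that SendRemoteControl() has the six-parameter shape shown above.

```powershell
# Added example, not code from the original post.
# Assumes $AmtDevice is a ManageabilityStack.AmtSystem object (Intel AMT DTK).
function Send-AmtPowerCommand {
    param(
        [Parameter(Mandatory = $true)] $AmtDevice,
        [Parameter(Mandatory = $true)]
        [ValidateSet('Reset', 'PowerOn', 'PowerOff', 'PowerCycle')]
        [string] $Action
    )

    # Command codes exactly as listed in the post
    $codes = @{
        Reset      = 0x10   # System reset
        PowerOn    = 0x11   # Power on
        PowerOff   = 0x12   # Power off (hard, not graceful)
        PowerCycle = 0x13   # Reset with power cycle
    }
    $code = $codes[$Action]

    # The five trailing parameters are passed as 0x0, as in the post
    $result = $AmtDevice.Remote.SendRemoteControl($code, 0x0, 0x0, 0x0, 0x0, 0x0)
    Write-Host ("Sent 0x{0:X2} ({1}); result: {2}" -f $code, $Action, $result)
    return $result
}

# Usage: power on a set of systems in sequence. $devices is assumed to be a
# collection of AmtSystem objects built as described in the earlier articles.
# foreach ($device in $devices) {
#     Send-AmtPowerCommand -AmtDevice $device -Action PowerOn
# }
```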

 

If you have any questions about this, please leave a comment or send me a private message.

Sincerely,

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

-------------------

While at Symantec ManageFusion 2009, we had a chance to talk to IT executives and managers from Disney International, Fox Interactive Media, Las Vegas Sands Corporation and McCormick Spice Company and industry analysts from IDC, Enterprise Management Associates and Ptak, Noel & Associates LLC about Intel vPro technology and industry trends.  In the video below, they discuss the impact of Intel vPro technology on power consumption reduction and energy cost reduction.

To learn more about Intel's presence at Symantec ManageFusion 2009, go to: http://www.intel.com/go/managefusion/

-------------------
Updating the firmware for systems with Intel vPro technology often yields significant results when configuring and using vPro functions.  For example certain Dell laptops shipped with both Serial over LAN (SOL) and IDE Redirect (IDER) disabled in the BIOS.  A new firmware update to the BIOS enables them.  Another example is a desktop running AMT 2.1 firmware can be upgraded to AMT 2.2, which enables Remote Configuration.  No matter the reason, often a firmware upgrade will be beneficial to vPro systems and the Symantec Management Platform 7, and this article covers how to deploy firmware updates using Altiris Software Management Solution 7.

Introduction

Software Management Solution has the ability to deliver and execute any module or installer made for Windows.  This includes Windows-capable firmware updates.  Both the BIOS updates and the Intel ME firmware updates that are Windows-capable, available from HP, Dell, Lenovo, and any other computer manufacturer that supports vPro, can be sent down and executed through Software Management Solution to upgrade firmware.  This document covers how to set up and configure these updates, and hopefully provides information on caveats and other potential trouble spots.

Why Update Firmware?

The first thing you need to determine is what type of firmware update you require.  The two typical updates are the Intel Management Engine (ME) firmware and the standard BIOS firmware.  How these two interact depends on the manufacturer.  Some manufacturers combine the BIOS and ME firmware updates into a single executable.  Whatever the configuration, the updates can be delivered via Symantec’s Software Management Solution.

Examples and Reasons

For example, HP has a BIOS option to enable or disable Intel AMT, and if it is disabled in the BIOS the Intel ME will not be available.  Another example is the Dell Latitude 620 laptop, which is Centrino vPro capable.  Its BIOS contains a setting to enable or disable the Serial Over LAN (SOL) and IDE Redirection (IDER) capabilities, and by default these came from the manufacturer disabled.  This and other reasons for firmware updates are detailed in this list:

  • Dell Latitude 620 SOL/IDER disabled in the BIOS – A BIOS firmware upgrade sets these features to enabled (among other fixes/updates), so you do not have to physically update each BIOS manually.
  • Upgrading AMT 2.1 to 2.2 – Desktop models of AMT version 2.1 can be upgraded to support Remote Configuration (certificate-based zero-touch provisioning) by upgrading the Intel ME firmware to version 2.2.
  • Upgrading AMT 2.5 to 2.6 – Notebook models of AMT version 2.5 can be upgraded to support Remote Configuration by upgrading the Intel ME firmware to version 2.6.
  • Upgrading AMT 2.0 to 2.1 – Some major fixes were incorporated between versions 2.0 and 2.1 of AMT.
  • UUID reset fix for HP Compaq 6910p – This fixes a flaw in the firmware where Intel ME sometimes returned a UUID of all zeroes or a default UUID set in the firmware, causing duplicates.  This update patches the Intel ME firmware on these laptop models.
  • Upgrading Intel AMT 4.0 to 4.1 – On the newer version of AMT for laptops, fixes have been provided in version 4.1, which is available from most manufacturers.
  • Miscellaneous fixes to Intel ME – Other fixes have been incorporated in ME firmware updates.

Obtaining the Right Firmware Update

For all BIOS updates, the manufacturer’s website should be consulted.  For each vPro model you wish to update BIOS firmware with, use the following basic steps:

  1. Go to the Manufacturer’s main site.  For this example, we’ll use Dell.  www.dell.com.
  2. Choose the Support icon and click ‘Download and Drivers’.
    (screenshot: Dellcom.JPG)
  3. An applet will appear where you can choose the system through several options:
    1. Model
    2. Service tag
    3. Log in to choose from a list of systems
  4. Once you have the right system listed, there will be a list where you can click the plus + next to ‘BIOS’.
  5. From the provided list choose the applicable update by clicking the ‘Download Now’ link to the right.  The download will usually be in the form of an EXE.

While Intel manages the basic firmware for the Intel ME, the manufacturer packages it for deployment, including changes that may be required for specific models of vPro capable systems.  It is advised that you only use the manufacturer’s Intel ME firmware updates on your vPro systems.  The following walkthrough will hopefully help you identify what updates are available.  For this example we’re using HP’s website.

  1. Go to www.hp.com.
  2. Click on the ‘Support and Drivers’ tab.
  3. Choose the option Download drivers and software (and firmware) for Step 1, and in Step 2 enter the model number of the vPro system type you want the update for.
  4. Press Enter to go to the main page for the system.
  5. Though it prompts for what Windows you’re running, the updates are OS independent so choose any.
  6. For the Intel ME firmware updates, the categories differ.  For HP it’s under simply ‘Firmware’.  Other potential categories include:
    1. Firmware
    2. System Firmware
    3. Chipsets
  7. Click Download to the right of the applicable ME update.
    (screenshot: HPfirmware.jpg)
  8. Once the EXE is downloaded, move on to the next section.

Rolling out the Firmware Update

Once you’ve obtained the EXE, it’s time to configure a Software Management Solution Software Resource, Package, and associated command lines, and create a task to roll it out with.  It’s important to understand that, depending on how the manufacturer packaged the EXE, the rollout can be accomplished silently without user interaction.  Typically administrators do not want users to interfere with the rollout, or even to be aware of it.  The following walkthrough treats this as the desired result; however, the configuration can be changed as noted where applicable below.

Creating a Software Package/Program

  1. On the Notification Server place the EXE you downloaded for the firmware update into a self-contained folder.  The folder and everything in it will become a “package” for the Software Resource, thus it is recommended to have only the needed file therein.
    Note: You can use another storage location if you prefer, such as UNC or URL.  Simply adapt these steps to fit your preferred source method
  2. In the Symantec Management Console browse under Manage > and choose Software.
  3. In the left-hand tree browse under Software Catalog > Deliverable Software > and select Updates and Service Packs.
  4. In the resulting right-hand pane, click the Add button and choose Software Update.
  5. Above the configuration tabs provide a name for the Update.  In this example we’ll use an HP 6930p laptop firmware update of the Intel ME to version 4.1.1.1028.
  6. Click on the Package tab.
  7. Click the Add package button.
  8. Provide a name for the package and browse to the location referred to in step 1.  The name we’ll use in this example is AMT 4.1 Firmware EXE(Windows) for HP 6930p.  See this screenshot for an example:
    (screenshot: AMT4.1Firmware.jpg)
  9. Click OK to save the Package details.
  10. Click on the Add command button.
  11. Provide a Name for the command-line.  For this example we’ll use: Apply AMT 4.1 Firmware Update silently.
  12. Check the option labeled Command line requires a package and ensure that the Package you created previously is selected.
  13. Under Installation file type choose the option labeled EXE Software Installation File.
  14. Change the Command type to Install.
  15. Provide a silent command line under the Command line field (this is the potentially difficult part.  The update I tested with had no documentation on silent installs and I had to tinker to find the -s command-line switch that ran it silently, i.e.: "sp42026.exe" -s).
    NOTE: Due to the nature of firmware updates, it is possible the EXE will want to reboot the system.  It is recommended to test the execution and adjust the command-line to suppress the reboot so no user is interrupted in their work.
    See the below screenshot for an example:
    (screenshot: AMT4.1cmdline.jpg)
  16. Click Save changes to complete the Software Resource creation.

Creating a rollout Task

The next step is to create a Quick Delivery Task that pushes out the update.  While a Manage Delivery Job may be used, because of the nature of firmware updates reapplying an update may have unintended consequences so for this example we’ll use a Quick Delivery Task. Follow these steps to create the Task:

  1. In the Symantec Management Console browse under Manage > and click Jobs and Tasks.
  2. In the left-hand tree browse down through System Jobs and Tasks > Software > and select Quick Delivery.
  3. Right-click on the Quick Delivery folder > choose New > and click on Job or Task.
  4. Within the resulting window choose Quick Delivery from the left-hand tree.
  5. Provide a name for the task.  In this example we’ll use AMT 4.1 Firmware Update for 6930p Rollout.
  6. Under the Software resource dropdown choose the name of the Software Resource you created.  In this example it is AMT 4.1 Firmware Update for HP 6930p.
    NOTE: The dropdown is also a type field so you can start typing AMT 4.1 to have the selected software found and displayed in the dropdown.
  7. Ensure that the Command line and Package in the two subsequent dropdowns correctly show the Command-line and Package you created.  For our example they are Apply AMT 4.1 Firmware Update silently and AMT 4.1 Firmware EXE(Windows) for HP 6930p respectively.
  8. Click the Advanced button.
  9. Under the Download Options typically what is configured at the Altiris Agent level should be sufficient for your needs.  Click the Run Options tab.
  10. This is your execution environment.  Due to the nature of firmware updates, it is advisable to use the option labeled Altiris Agent credential.
    NOTE: Specific user can be used if you wish to provide an account that has Administrator rights on the target systems directly.
  11. Under User run conditions check the option labeled Allow user interaction.  We have found that this option improves success rate due to loading a fuller user stack.
  12. Change the Display window to Hidden.  See this screenshot for an example:
    (screenshot: AMT4.1Task.jpg)
  13. Click OK to save the Advanced options and Click OK on the main Task configuration page to save the details of the Quick Delivery Task.
  14. You can use the Quick Run under the Task Status section to test the rollout.  Please see the section following labeled ‘Test the Rollout’.  It is vital to properly test the rollout so any corrections can be made before rolling it out generally.
  15. Set a schedule.  You can choose Now or set a specific scheduled time if needed.
  16. For the next step under Input you’ll need to manually add devices for this firmware update to be run on or select a target.  Step 17 covers how to create a target for the example we’re using in this sequence.  If you are only adding machines manually step 17 is not required.  Move to step 19.
  17. To create a target based off of Inventory Solution data that automatically targets the HP Compaq 6930p laptops, follow these steps:
    1. In the Symantec Management Console browse under Manage > and click on Filters.
    2. Browse under Computer Filters and select or create a folder to create the filter in.
    3. Right-click on the folder and choose New > Filter.
    4. Name the Filter.  In our example we’ll use All HP 6930p Laptop Computers.
    5. Under the Filter Definition dropdown choose the option Query Mode: Query Builder.  You’ll receive a notice: You are about to switch to the other query editing mode.  This cannot be undone after save.  Click OK to continue.
    6. Expand the Filter Definition section by clicking on the down-arrow to the far right.
    7. Under the query section, select the tree item ‘Resource’ and click the red X delete icon.
    8. When the page refreshes on the right you’ll see a Base Resource Type.  Choose Computer.  When prompted, choose to continue.
    9. Under the actions section to the right, click the link labeled Use Fields & Data Class Attributes.
    10. In the resulting picker type in or choose from the dropdown the data class and column you wish to reference.  For our example choose [Logical Device].[Model] and click OK.
    11. Click the Filter Expressions tab.
    12. Click the Add Condition button and choose one of the options (for a first filter it doesn’t matter).
    13. Type the same data class and column selected previously.  In our example type [Logical into the If: field and then select [Logical Device].[Model] from the dropdown.
    14. Choose Like in the next dropdown to the right (or if you know the exact value you’re looking for, use Equals).
    15. In the last field type the model number.  In our example type %6930p%.  See this screenshot for an example:
      (screenshot: AMT4.1Filter.jpg)
    16. Click the Save Changes to complete the Filter.
  18. To add the Filter to the schedule, go through the following steps:
    1. Under the Task Status click the button New Schedule
    2. Set the schedule as desired.
    3. Under Input click Add and choose Target.
    4. Click the Add rule button in the resulting window.
    5. In the first dropdown choose the option labeled exclude the resources not in.
    6. Leave Filter as the option in the second dropdown.
    7. In the third dropdown type in the first words of the filter you created in the previous step.  In our example type All HP and click the dropdown arrow.  Select the appropriate collection from the list.
    8. Click OK to save the Target.
  19. Click Schedule to apply the Task to the selected systems.
  20. Done!  This Task type will use Task Server to push out the task.  For systems already online they should receive the task within minutes based off of being active on the network.  For systems not on, the next time they come online and check for Tasks, Task Server will push out the Task at that time.

Test the Rollout

The most important part of this process is to test the rollout.  This will allow you to make corrections to the command line or execution environment should the first attempt fail.  By testing the rollout you can ensure it is ready for the greater environment.  In testing, you should:

  1. Target a system that matches your Production Environment as closely as possible
  2. Test the command-line to ensure it successfully and silently rolls out the firmware update.  You can accomplish this by copying the files over and running the command line manually from a command prompt or from Start > Run.
  3. Check the BIOS or Intel AMT for versioning change.
    Note: the ME version may not be synced with the AMT version.  A good test is to execute the update again manually and see if you receive a message indicating the version is already the latest.
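As an added example (not from the original article), here is a scripted version of the test steps above: it records the SMBIOS BIOS version before running the vendor EXE with the silent switch you determined, captures the exit code, and lets you compare the version again after the reboot a firmware flash usually needs. The file name and switches are placeholders; an Intel ME firmware update may not change the BIOS string, in which case check the AMT version separately.

```powershell
# Added example, not the article's own code. Run elevated on the test system.
function Invoke-FirmwareUpdateTest {
    param(
        [Parameter(Mandatory = $true)][string] $UpdatePath,   # placeholder, e.g. C:\Staging\sp42026.exe
        [string] $Arguments = "-s",                            # silent switch the author found for their package
        [string] $SnapshotPath = "$env:TEMP\bios-before.txt"
    )
    if (-not (Test-Path $UpdatePath)) { throw "Update package not found: $UpdatePath" }

    # Record the version before the update; the new version normally only shows after a reboot
    (Get-WmiObject -Class Win32_BIOS).SMBIOSBIOSVersion | Set-Content -Path $SnapshotPath

    # Run the package and wait; -PassThru returns the process so the exit code can be read
    $proc = Start-Process -FilePath $UpdatePath -ArgumentList $Arguments -Wait -PassThru
    Write-Host ("Update exited with code {0}" -f $proc.ExitCode)
    return $proc.ExitCode
}

# Run after the reboot to compare against the recorded version
function Test-FirmwareUpdateApplied {
    param([string] $SnapshotPath = "$env:TEMP\bios-before.txt")
    if (-not (Test-Path $SnapshotPath)) { throw "No pre-update snapshot at $SnapshotPath" }

    $before = Get-Content -Path $SnapshotPath | Select-Object -First 1
    $after  = (Get-WmiObject -Class Win32_BIOS).SMBIOSBIOSVersion

    New-Object PSObject -Property @{
        BiosVersionBefore = $before
        BiosVersionAfter  = $after
        Changed           = ($before -ne $after)
    }
}

# Usage (paths are placeholders):
# Invoke-FirmwareUpdateTest -UpdatePath "C:\Staging\sp42026.exe" -Arguments "-s"
# ... reboot ...
# Test-FirmwareUpdateApplied | Format-List
```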

Conclusion

Using this process, you should be able to remotely update any firmware required for successful use of Intel vPro Systems both with Setup and Configuration using Out of Band Management, and vPro functionality use within any Job and Task in the Symantec Management Platform.

-------------------

vPro AMT can leverage Kerberos authentication to allow management from your management console to the AMT firmware. Depending on the management console of choice (e.g. SCCM, Altiris, SMS) you may be using Kerberos or digest authentication. If you are using a management console like SCCM that only uses Kerberos authentication, there are a few things you should be aware of in case you are having problems managing your vPro systems. If you are interested to know more about Kerberos authentication and AMT, you can refer to this previous posting in vPro Expert Center around an Altiris environment: http://communities.intel.com/docs/DOC-1913

In AMT (version 2.x, 3.x, 4.x, and 5.x) there is a Kerberos ticket size limit that varies among versions of AMT (see graph 1 below on specifics for each firmware version). With respect to Kerberos authentication, AMT has different limits for HTTP connection and Serial-Over-LAN (SoL).

The Intel® vPro firmware supports Kerberos service tickets that are 4K or smaller for HTTP connections (authenticating the management console to AMT). This 4K limit is specific to making an authenticated connection via Kerberos. IDER/SoL capabilities have a Kerberos ticket size limited to 3K. These 4K and 3K limits are values in Base 64. This ticket size for a given Kerberos account will vary based on variables like the account’s group memberships in the domain.

Therefore it is important to know the size of this ticket created when an account logs on to the management console. If a given account that is logging in to the management console tries to connect to AMT and exceeds these limits, you may either experience failure when trying to connect to AMT or invoke IDER/SoL.

If you are experiencing issues with connecting or using IDER/SoL, you can download a free Microsoft utility (Link to Utility) to validate the size of the Kerberos token for an account. The output from this utility indicates the size of the token as a binary value. You will need to convert this value from binary to Base 64 to determine whether the account being used exceeds these thresholds [the relationship is: binary length = (base64 length/4)*3, so the Base64 length is (binary length/3)*4, rounded up to a multiple of 4].

Here is an example for the output from this utility for a logged in user:

C:\Tools\Kerberos>tokensz.exe /compute_tokensize | findstr -i complete

This is the output -> MaxToken (complete context)  2337

You will notice this binary value of 2337 will exceed several versions of AMT for use with IDER/SoL capabilities. In this example, the account would need to be reduced (e.g. removed from x number of domain groups) to decrease the Kerberos ticket size in order to use IDER/SoL.
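To make that check repeatable, here is an added example (not from the original post) that parses the tokensz.exe line shown above, converts the binary size to the Base64 size the AMT limits are expressed in, and compares it against the 4K (HTTP) and 3K (IDER/SoL) limits stated in the post. It assumes K means 1024 bytes and that the Base64 length is ceil(binary/3)*4, the inverse of the post's (base64/4)*3 formula; the per-version limits from the graph are not reproduced.

```powershell
# Added example, not code from the original post.
function ConvertTo-Base64Length {
    param([Parameter(Mandatory = $true)][int] $BinaryBytes)
    # Base64 emits 4 characters for every 3 input bytes, padded up to a multiple of 4
    return [int] ([math]::Ceiling($BinaryBytes / 3) * 4)
}

function Test-AmtKerberosTokenSize {
    param(
        [Parameter(Mandatory = $true)][int] $BinaryBytes,
        [int] $HttpLimit = 4 * 1024,   # HTTP (console-to-AMT) limit from the post; 1K = 1024 assumed
        [int] $SolLimit  = 3 * 1024    # IDER/SoL limit from the post
    )
    $b64 = ConvertTo-Base64Length -BinaryBytes $BinaryBytes
    New-Object PSObject -Property @{
        BinaryBytes  = $BinaryBytes
        Base64Length = $b64
        HttpOk       = ($b64 -le $HttpLimit)
        IderSolOk    = ($b64 -le $SolLimit)
    }
}

# Pull the size out of the "MaxToken (complete context)  NNNN" line that tokensz.exe prints
function Get-TokenSizeFromTokenszOutput {
    param([Parameter(Mandatory = $true)][string[]] $Lines)
    foreach ($line in $Lines) {
        if ($line -match 'MaxToken \(complete context\)\s+(\d+)') {
            return [int] $Matches[1]
        }
    }
    throw "MaxToken (complete context) line not found in tokensz output"
}

# Constructed sample input: the single output line quoted in the post
$sampleOutput = @("MaxToken (complete context)  2337")
$tokenBytes = Get-TokenSizeFromTokenszOutput -Lines $sampleOutput
Test-AmtKerberosTokenSize -BinaryBytes $tokenBytes | Format-List BinaryBytes, Base64Length, HttpOk, IderSolOk

# For a live account, feed the utility's output straight into the parser:
# $tokenBytes = Get-TokenSizeFromTokenszOutput -Lines (& tokensz.exe /compute_tokensize)
```

For the post's 2337-byte token the Base64 length works out to 3116, under the 4K HTTP limit but over the 3K IDER/SoL limit, which matches the post's reading of that value.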

Here is a video to show different examples of an account with various Kerberos token sizes and the different behaviors experienced on an AMT 4.0 system [Link to Video - WMV format].

Also, I would appreciate to hear from the entire community on what size Kerberos tokens your support group has that would be utilizing SCCM to manage vPro system.  Would these current size restrictions cause issues for your support teams?  Thanks in advance for the "real-world" feedback.

[Graph 1: Kerberos Token Size Limits.jpg]

-------------------

Dell just released a new BIOS update for the Dell Optiplex 755 system, version A13. This update also includes an AMT firmware update to version 3.2.3 that resolves a couple of security issues. I just performed the update on an Optiplex 755 that I had already provisioned, and it didn't break anything.

If you're deploying the BIOS update via an ESM software package, such as Microsoft System Center Configuration Manager (SCCM) 2007, you can automate the staging of the BIOS update (without forcing a reboot) using the following command line:

O755-A13.exe -noreboot -nopause

Get it while it's hot!

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

-------------------

Hello vPro Experts!

I would like to take some time to touch on exploring the Management Engine via the local interface (specifically the HECI driver). In order to follow the exercise here, you'll need to have Windows PowerShell installed, have the Intel AMT Developer Toolkit downloaded and installed, and have an AMT client (it does not need to be provisioned) with the HECI driver installed. The HECI driver should be downloadable from your OEM.

To give you a high-level idea of the program flow we'll use to access the AMT device, consider the following:

  1. Load the "Manageability Stack.dll" .NET library
  2. Create an instance of the ManageabilityStack.HeciWrapper object
  3. Reference the properties and methods of the HeciWrapper object, and the HeciMeInfo object (provided by the HeciWrapper.MeInfo property)

Here is the PowerShell code that correlates to the above process:

Loading the .NET Library

# Load the Manageability Stack .NET library (path assumes the default DTK install location)
$AmtLib = "C:\Program Files\Intel\Manageability Developer Tool Kit\Manageability Stack.dll"
[System.Reflection.Assembly]::LoadFile($AmtLib)

# Create a HeciWrapper object
$Heci = New-Object ManageabilityStack.HeciWrapper

# Pipe the $Heci variable into the Get-Member cmdlet to determine what properties
# and methods are available to us.
$Heci | Get-Member

Obtaining a list of embedded certificate hashes

# List embedded certificate hashes
$Heci.MeInfo.EnumerateHashHandles()

Getting the BIOS and AMT Versions

# Retrieve the AMT version
Write-Host "AMT version: $($Heci.Versions.Versions["AMT"])"
# Retrieve the BIOS version
Write-Host "BIOS version: $($Heci.Versions.BiosVersion)"

Retrieving Provisioning Information

# Retrieve the provisioning server name
Write-Host "Provisioning server: $($Heci.MeInfo.GetAuditRecord().ProvServerFQDN)"
# Determine the provisioning date
# This will return "01/01/0001 00:00:00" if not provisioned
Write-Host "Provision date: $($Heci.MeInfo.GetAuditRecord().TlsStartTime)"
# Get the provisioning mode (Enterprise, SMB, etc.)
Write-Host "Provision mode: $($Heci.MeInfo.GetProvisioningMode().ProvisioningMode)"
# Get the provisioning state
Write-Host "Provision state: $($Heci.MeInfo.GetProvisioningState())"
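As an added example (not from the original post), the snippets above can be gathered into a single function that returns one object per client and treats the "01/01/0001" date as the unprovisioned sentinel it is, rather than printing it. It assumes the default DTK path and the HeciWrapper members shown in the post.

```powershell
# Added example, not code from the original post. Assumes the Intel AMT DTK's
# Manageability Stack.dll and the HeciWrapper members used above.
function Get-AmtLocalStatus {
    param(
        [string] $AmtLib = "C:\Program Files\Intel\Manageability Developer Tool Kit\Manageability Stack.dll"
    )
    if (-not (Test-Path $AmtLib)) { throw "Manageability Stack.dll not found at $AmtLib" }
    [System.Reflection.Assembly]::LoadFile($AmtLib) | Out-Null

    $heci  = New-Object ManageabilityStack.HeciWrapper
    $audit = $heci.MeInfo.GetAuditRecord()

    # TlsStartTime is DateTime.MinValue (01/01/0001) on an unprovisioned system
    $tlsStart      = [datetime] $audit.TlsStartTime
    $isProvisioned = ($tlsStart -ne [datetime]::MinValue)

    New-Object PSObject -Property @{
        ComputerName       = $env:COMPUTERNAME
        AmtVersion         = $heci.Versions.Versions["AMT"]
        BiosVersion        = $heci.Versions.BiosVersion
        ProvisioningServer = $audit.ProvServerFQDN
        ProvisioningDate   = $tlsStart
        ProvisioningMode   = $heci.MeInfo.GetProvisioningMode().ProvisioningMode
        ProvisioningState  = $heci.MeInfo.GetProvisioningState()
        IsProvisioned      = $isProvisioned
        CertificateHashes  = @($heci.MeInfo.EnumerateHashHandles())
    }
}

# Usage on the local AMT client (no provisioning required for the local interface):
# Get-AmtLocalStatus | Format-List
```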

 

-----------------------------------

I hope these code samples are able to help you out in your administration / engineering endeavors! Please let me know if you have any questions, and don't forget that in PowerShell, when in doubt, use Get-Member to discover what information is available to you!

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

-------------------

Just uploaded the updated user guide, which supports Intel AMT 5.0 on the McCreary platform. It's loaded with screenshots and discusses configuration procedures for Basic (SMB), Standard, and Advanced (Enterprise) provisioning models.

Intel(R) Management Engine User Guide (Intel AMT 5.0)

-------------------

Hello!

Have you ever run into the situation where you want to enable the auto-provisioning policy for a ConfigMgr client, but don't want to wait for the policy to filter down to the client? If you're like me, then you would answer with a hearty "yes." Thankfully, I've got a method for you to force an SCCM client to enable auto-provisioning, without relying on the collection setting!

Keep in mind that, for some odd reason, pasting this code into a PowerShell window will probably fail. Instead, paste everything but the last line (the Put() call), and manually type out that last line.

# Bind to the client's out-of-band management settings WMI class
$OobSettings = [wmiclass]"root\ccm\policy\machine\actualconfig:CCM_OutOfBandManagementSettings"
# Create a new instance and set the two properties that enable auto-provisioning
$OobSettingsInstance = $OobSettings.CreateInstance()
$OobSettingsInstance.AutoProvision = $True
$OobSettingsInstance.SiteSettingsKey = 1
# Write the instance back to the WMI repository
$OobSettingsInstance.Put()

Basically, what this does is spawn an instance of the CCM_OutOfBandManagementSettings WMI class, set two properties on it, and then write it back to the system. This should enable auto-provisioning immediately so you don't have to wait!
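As an added example (not from the original post), the same write can be wrapped in a function that reads the instance back afterwards, so you can confirm the client actually holds AutoProvision = True before relying on it. The namespace and class are those from the post; the read-back uses Get-WmiObject on the same class.

```powershell
# Added example, not code from the original post. Run as an administrator on the ConfigMgr client.
function Enable-CcmAmtAutoProvision {
    $namespace = "root\ccm\policy\machine\actualconfig"
    $className = "CCM_OutOfBandManagementSettings"

    # Spawn and write the instance exactly as the post does
    $oobSettings = [wmiclass] "${namespace}:${className}"
    $instance = $oobSettings.CreateInstance()
    $instance.AutoProvision   = $true
    $instance.SiteSettingsKey = 1
    $instance.Put() | Out-Null

    # Read back what the client now holds and report it
    $readBack = Get-WmiObject -Namespace $namespace -Class $className | Select-Object -First 1
    if ($readBack -eq $null) { throw "No $className instance found after Put()" }

    New-Object PSObject -Property @{
        AutoProvision   = [bool] $readBack.AutoProvision
        SiteSettingsKey = $readBack.SiteSettingsKey
    }
}

# Usage:
# Enable-CcmAmtAutoProvision | Format-List
```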

 

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

-------------------

So what are Platform Event Traps, and what is their relevance to managed systems? With Intel AMT remote management you always receive readily available access to event logs of these things: PC sensors, effectors, and other non-volatile data. But what you might not know is that it can also generate out-of-band alerts (PETs) based on sensor events. Platform Event Trap is a specification defining the format in which managed systems alert a remote console. Intel AMT uses this PET format to send these event alerts. And while ASF does the same, with Intel AMT PETs you can subscribe up to 16 different destinations. With ASF, you have to decide on just one unique destination point for every event/alert.

Interested and want to learn more? Below you can find some blogs that can provide some further insight.

More Technology Distinctions - Intel AMT vs ASF: This is part three from Shmuel Gershon in comparing ASF and Intel AMT features on the Intel Software Network.

Between Intel AMT and ASF: Here you can find part 4 of Shmuel Gershon's comparisons.

What about those PET events?: Gael Holmes covers all you need to know on PETs and links to many other questions, blogs, and documents that will lead you to more information on these Platform Event Traps.

"Happy PETting!"



OK, I have one more trick for all you Intel AMT developers trying to build high-security software. One good use of Intel AMT is power state monitoring: one could build an application that polls many computers for their power state and plots the results on a graph, so you can see just how “green” your network is. Typically, to do this, you periodically call the Intel AMT method that returns the power state, which is located in the Remote Control security realm of Intel AMT.

The way Intel AMT security realms are designed, granting a user access to the Remote Control realm gives that user the ability to read the power state, but also to turn on and shut down (hard shutdown) the computer. As a result, the nice monitoring application you are building can only be run by trusted administrators. It would be nice to be able to create an Intel AMT user with only minimal access, limited to reading the power state and not much else. This is not technically possible…

But wait, there is a trick! Create a user account within Intel AMT with only General Info and Hardware Inventory access; these two realms are the minimum needed to access the Intel AMT Web UI. Then, using a normal browser, load the Web UI and notice that the computer’s power state is displayed on the web page. With a little code, we can extract this information out of what is normally a human-readable web page.

Of course, this is a hack, and your software may need to be upgraded when new firmware changes the Web UI. Still, it’s such a good trick that I use it with great success in my own code. Note that the Intel AMT 2.0 page is a little different from Intel AMT 2.5 and above; so far I have to handle 2.0 differently, but the same parsing code seems to work on all Intel AMT computers (up to 5.0). Also, that Web UI page is very fast, and as bonus information you get the computer’s unique identifier and the Intel AMT time in the same call.

The only drawback I have noticed is that the Web UI shows the string “Standby” for both the S1 and S3 states, so you can’t tell exactly which sleep state the computer is in. Otherwise, you can distinguish the S0, S4 and S5 states.
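The scraping trick described above, as an added example that is not Ylian's code or any Intel library: a low-privilege AMT account (General Info and Hardware Inventory realms only) fetches the Web UI and a small parser pulls the power state, the unique identifier and the AMT time out of the page. The page layout the parser expects (a two-cell table row labelled "Power", "System ID" and "Date"), the HTTP port 16992, the Digest authentication and the index.htm path are all assumptions of mine, not details from the post; the sample HTML is constructed, not captured from firmware. The "Standby" ambiguity the post mentions is handled by mapping that label to both S1 and S3 rather than guessing.

```python
"""
Added example (not the post's code): read an Intel AMT system's power state
through the Web UI with a read-only account, as described above.

Assumptions (mine, not from the post): Web UI over HTTP on port 16992 with
Digest authentication, and the values appear as <td>label</td><td>value</td>
table rows. Real firmware pages differ by version, so the regex in _field()
is the part you would adapt.
"""
import re
import urllib.request

# Web UI strings -> candidate ACPI states. "Standby" is ambiguous (S1 or S3),
# which is exactly the drawback the post describes, so it maps to both.
POWER_STATE_MAP = {
    "On": ("S0",),
    "Standby": ("S1", "S3"),
    "Hibernate": ("S4",),
    "Off": ("S5",),
}

# Constructed sample of a Web UI fragment (NOT captured from real firmware).
SAMPLE_HTML = """
<html><body><table>
<tr><td>System ID</td><td>12345678-ABCD-EF01-2345-6789ABCDEF01</td></tr>
<tr><td>Power</td><td>Standby</td></tr>
<tr><td>Date</td><td>2009-05-01 10:15:00</td></tr>
</table></body></html>
"""


def _field(html, label):
    """Return the text of the cell following the cell that holds `label`."""
    pattern = r"<td>\s*" + re.escape(label) + r"\s*</td>\s*<td>\s*([^<]+?)\s*</td>"
    m = re.search(pattern, html, re.I)
    return m.group(1).strip() if m else None


def parse_webui(html):
    """Extract uuid, time and power state from the (assumed) Web UI layout."""
    label = _field(html, "Power")
    states = POWER_STATE_MAP.get(label)
    if states is None:
        # Firmware changed the page or the label: fail loudly, do not guess.
        raise ValueError("unrecognised power state string: %r" % (label,))
    return {
        "uuid": _field(html, "System ID"),
        "time": _field(html, "Date"),
        "power_label": label,
        "acpi_states": states,        # tuple of possible ACPI states
        "ambiguous": len(states) > 1,  # True only for "Standby" (S1/S3)
    }


def fetch_webui(host, user, password, port=16992, timeout=5):
    """Fetch and parse the Web UI with a low-privilege account (needs a live
    AMT system; not exercised offline). Port and path are assumptions."""
    url = "http://%s:%d/index.htm" % (host, port)
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, user, password)
    opener = urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(mgr))
    with opener.open(url, timeout=timeout) as resp:
        return parse_webui(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    print(parse_webui(SAMPLE_HTML))
```

The design point is the one the post makes: the monitoring account never holds the Remote Control realm, so a compromise of the poller cannot be turned into a hard power-off of every machine it watches. Treating an unknown label as an error rather than a default state keeps a firmware update from silently reporting every machine as, say, "Off".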


Ylian


Hi everyone. I have not been posting much lately, but have been keeping busy writing a book and white papers on Intel AMT. In the last section of the Intel Technology Journal article on extreme usages, I talk about how Intel AMT could be used to build a peer-to-peer mesh network, and that is what I have been working on for the last few months. More to come on this I am sure.


Right now, I want to talk about Wake-on-LAN and Intel AMT. I read somewhere that Wake-on-LAN is obsolete with Intel AMT, but I want to disagree and explain why Intel AMT in fact makes Wake-on-LAN better. For people who don’t know, Wake-on-LAN is a way to wake up a computer using a magic packet: anywhere in the payload there must be the sequence “FFFF FFFF FFFF” followed by 16 repetitions of the MAC address of the computer you want to wake up.

In normal circumstances, the magic packet can only really be used within the same Ethernet subnet as the computer you want to wake up. All this changes if the target computer supports Intel AMT: since the Intel AMT computer defends its IP address (via the ARP protocol) even when sleeping or in soft-off, it is now possible to send a directed magic packet to a computer across many routers, have it reach its destination correctly, and so wake up the PC.

Now, why would you use a magic packet if you can use Intel AMT to do the same? Everything has to do with security. Because of how Intel AMT security realms are designed, granting a user permission within Intel AMT to wake up a computer also grants that user permission to shut down the PC at any time (and not a nice shutdown, either). You can’t grant only “power on” access in Intel AMT, and so this is a security concern.

In conclusion, if we want other general users to be able to wake up a PC on the network to perform routine tasks (access files, back up data, etc.), making use of Wake-on-LAN + Intel AMT makes a lot of sense. With Intel AMT PCs, Wake-on-LAN now works better than ever.
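The magic packet format and the directed-send idea described above, as an added example that is not Ylian's code: `build_magic_packet` produces the six 0xFF bytes followed by 16 copies of the MAC, `find_magic_mac` is the receiver-side check that the pattern may sit at any offset in a payload, and `send_wol` sends the packet as a unicast UDP datagram to the target's IP address, which is what lets it cross routers when the target keeps answering ARP. The UDP port (9, the discard port) and the broadcast handling are my choices, not details from the post; the MAC address in the test is constructed.

```python
"""
Added example (not the post's code): build, check and send a Wake-on-LAN
magic packet. Port number and socket handling are assumptions of mine.
"""
import socket

SYNC_STREAM = b"\xff" * 6   # "FFFF FFFF FFFF" in the post's notation
MAC_REPEATS = 16
MAC_LEN = 6


def parse_mac(mac):
    """Accept 'AA:BB:CC:DD:EE:FF', 'AA-BB-CC-DD-EE-FF' or 'AABBCCDDEEFF'."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 2 * MAC_LEN:
        raise ValueError("bad MAC address: %r" % (mac,))
    return bytes.fromhex(digits)


def build_magic_packet(mac):
    """Sync stream followed by the MAC address repeated 16 times (102 bytes)."""
    return SYNC_STREAM + parse_mac(mac) * MAC_REPEATS


def find_magic_mac(payload):
    """Receiver-side check: return the MAC (lowercase, colon form) if `payload`
    contains a well-formed magic packet at any offset, otherwise None."""
    body_len = MAC_LEN * MAC_REPEATS
    start = payload.find(SYNC_STREAM)
    while start != -1:
        body = payload[start + len(SYNC_STREAM): start + len(SYNC_STREAM) + body_len]
        if len(body) == body_len:
            mac = body[:MAC_LEN]
            # All 16 copies must match, and ff:ff:ff:ff:ff:ff is not a host MAC.
            if body == mac * MAC_REPEATS and mac != SYNC_STREAM:
                return ":".join("%02x" % b for b in mac)
        start = payload.find(SYNC_STREAM, start + 1)
    return None


def send_wol(mac, target_ip, port=9):
    """Send a directed (unicast) magic packet to `target_ip`. Because the
    sleeping AMT system still answers ARP for its address, this reaches it
    across routers; a subnet broadcast address is also accepted for the
    classic same-segment case. Returns the number of bytes sent."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        if target_ip.endswith(".255"):  # crude check for a subnet broadcast
            s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(packet, (target_ip, port))


if __name__ == "__main__":
    pkt = build_magic_packet("00:1B:21:AA:BB:CC")   # constructed sample MAC
    print(len(pkt), find_magic_mac(b"prefix" + pkt + b"suffix"))
```

The security argument of the post carries through to the code: the sender needs no AMT credentials at all, only the MAC and IP of the machine, so handing this script to general users grants them the power-on capability and nothing else, whereas an AMT Remote Control realm user could also hard-power-off the box.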


Ylian


The release of the Notification Server 7.0 platform will provide a new design and infrastructure.  Out of Band Management will also provide a new release on this platform.  First I’ll provide a brief description of what Out of Band Management is used for.  This article will also cover the differences between the 6.2 version of Out of Band and version 7.0.  The changes include UI improvements, relabeling to be in line with current Intel terms, and the addition of limited DASH support.

INTRODUCTION

Out of Band Management 7.0 allows an administrator or IT professional to set up and configure several protocol technologies for use in the greater Notification Server infrastructure, or even in any other solution that supports the protocols handled by Out of Band Management.  The supported technologies are:

  • Intel AMT (Active Management Technology) or vPro
  • ASF (Alerts Standard Format) primarily from Broadcom
  • DASH technology support (open architecture)

The greater focus is on Intel’s AMT technology.  Using the provided configuration pieces with Out of Band, systems with the above technologies can be configured to respond to functions called from either the RTSM interface or via Task Server.  Once configured, the Notification Server is a trusted entity to the local systems and all available functions are available.

More information can be found by browsing through the articles generated on Out of Band Management 6.x at http://www.symantec.com/community/intel.

Terms/Term changes

It’s important to understand the changes in terminology and labeling so the transition from 6.2 to 7.0 Out of Band Management goes smoothly.  This section will also help explain the naming scheme for Out of Band Management.  The following list provides the term, and the previous label (if different), and a brief description:

  1. Configuration, AKA Setup and Configuration – Previous term: Provisioning – Intel has standardized on Configuration as the term for activating a vPro system.  This aligns more closely with what is actually occurring and avoids confusion with the basic industry understanding of what provisioning means (putting an OS on the system).
    NOTE: Since this word is used throughout the documentation for 6.x, it is important to understand the change!
  2. TLS – Transport Layer Security can be considered the next generation of SSL (Secure Sockets Layer).  It’s used in two sections of Configuration: Remote Configuration authentication, and TLS within the Configuration Profile.
  3. Remote Configuration – This specifically means the process for automatic Configuration via the handshake with a TLS certificate, usually purchased from VeriSign, GoDaddy or Comodo.

Out of Band Portal

Out of Band Management now has a Portal page that provides access to most functions from a user-friendly UI.  It’s accessed in the Symantec Management Console by going to Home > Remote Management and clicking on Out of Band Management.  The following screenshot shows a view of the portal:

OOBPortal.jpg

The upper left-hand pane shows a list of setting groups that will enable a user to go through those steps necessary to enable or complete Out of Band setup and configurations.  Please note the following items and what they can be used for:

  • Configuration Service Settings – This provides all the nodes that are used in the Setup and Configuration process for AMT.
  • Basic Configuration (without TLS) – This takes you through the process of setting up Configuration where TLS will not be used in the Configuration Profile (not to be confused with Remote Configuration TLS).  See this screenshot for the way the steps are setup:
    AMTConfigSteps.jpg
  • Enable Remote Configuration – This walks you through setting up the Notification Server to accept Configuration requests using TLS certificates.  Note that 2.6, 3.0+ AMT systems are automatically configured to send out requests using this method.
  • Enable Security (TLS) – This walks you through setting up the Notification Server to use TLS when managing AMT systems.
  • Intel AMT Tasks – This is a quick area that reveals the Task Server tasks that directly utilize AMT.
  • Configure Site Server – This is a link that opens the Site Server Configuration page as part of the Notification Server Platform.  This is available here because OOB has a Site Service that can be deployed to Site Servers.

As a note, Site Servers allow distribution of Out of Band functions across the environment, and help alleviate any problems with large rollouts involving a large amount of Configuration.  This brings us closer to having true hierarchy support with Out of Band Management.

UI Changes

Those who are familiar with Out of Band Management 6.2 can use this section to find corresponding functions, configuration pages, and utilities when upgrading to Out of Band 7.0.  If you are unfamiliar with this version skip to the next section.

Out of Band Management looks much the same as it did in 6.2, with some notable exceptions.  The following items cover the differences between the two.  The method used to reach the console area for Out of Band Management is as follows: Browse down through Settings > All Settings > in the left-hand tree browse down through Remote Management > Out of Band Management.  The three subfolders are by the same name as they were in 6.2, lacking the fourth folder: Delayed Provisioning.

  1. *Provisioning > Configuration – I called this out previously in this article but with my experience the double-exposure is necessary.  In reference to managing vPro AMT systems, consider the previously used term Provisioning to now be Configuring, or Provision to now be Configuration.  If you’re like me and have the word provisioning ingrained in your mind, it will take some getting used to.
  2. Auxiliary Profiles – Three new nodes have been added to this folder.  They are described below:
    1. Management Presence Server – (MPS) This is the secure gateway CIRA technology will use to connect securely with the network where the NS resides for remote management from anywhere on the Internet.
    2. Remote Access Policies – In relation to the above MPS, this policy dictates how CIRA connections are handled by the Notification Server.
    3. Trusted Root Certificates – Also in relation to the MPS, these are required so that trust can be established among the calling AMT system, the MPS, and the Notification Server.
  3. Configuration Profiles – Formerly known as Provision Profiles.  The following items have been added as tabs within the profile configuration.  Descriptions of the items are supplied as well:
    1. Domains – Allows the ability to configure AMT to operate in more than one Domain.
    2. Remote Access – This ties directly to the Remote Access Policies found under the Auxiliary Profiles node.  Edits here will take effect in both places.
  4. The remaining nodes under the Configuration Service Settings folder are the same between versions 6.2 and 7.0.
  5. Delayed Setup and Configuration – Formerly known as Delayed Provisioning, this has been renamed to fit the proper naming convention.  It also no longer has its own folder, but can be found under the Intel® AMT Systems folder above the Intel AMT Systems node.
  6. The following screenshot shows the layout of the console:
    ConfigConsole.jpg

Intel SCS

The component that Out of Band Management plugs into has not changed between versions.  Intel SCS (Setup and Configuration Services) is still the backbone of Out of Band, and handles all the transactions between the server and the remote Intel AMT clients during the Configuration process.  Please note that management functions of AMT are NOT handled by Intel SCS.  SCS covers only the Configuration process, including maintenance and reconfiguration tasks (for example, profile updates) performed to keep systems in the configured state.

Out of Band Management 6.2 used Intel SCS version 3.0 (or 3.2.1 per the Knowledgebase article found at this location: https://kb.altiris.com/article.asp?article=40076&p=1).  Intel SCS version 5.0 ships with Out of Band Management.  While the UI does not reveal all the additional capabilities, SCS 5.0 comes with a tool called Activator.  This utility can handle a number of scenarios that were sticky points in the previous versions of Out of Band and Intel SCS.  The abilities include the following:

  1. FQDN Name Change – The Activator, when run on the local AMT system, can tell AMT to send updated information about its FQDN to Intel SCS.  This is especially important if the FQDN has changed in Windows, thus changing the identity of the machine.
    • The problems this addresses are the failure of AMT systems to authenticate using TLS (because of FQDN sensitivity, if enabled), and the inability of Intel SCS to contact a system whose FQDN has changed.
  2. Resending of Hello Packets – While the 3.0 version of Out of Band had the ability to send Hello packets using the Delayed Provisioning (AKA Delayed Configuration) task, it did not have the ability to send PSK (pre-shared key) packets once the 24-hour hello packet cycle expired.  This functionality was also added to version 3.2.1 of Intel SCS.
    • The problem this addresses is that systems not configured within that 24-hour cycle must be acted upon to get the needed information to the server for configuration.

The above two functions can be utilized by sending Activator down using a Delivery Software job in the Software Management Solution.

Conclusion

Hopefully this introduction will help those familiar with Intel vPro, and especially those familiar with Out of Band Management in the Notification Server 6.0 infrastructure, to understand the changes and functions in version 7.0 of Out of Band Management.  In-depth articles will be generated in the future to cover some of the new features, such as the MPS and CIRA functionality.



Hello vPro Experts!


I've got something sitting in the back of my mind, that I would like to share with you all. Unfortunately, it's simply a theory, and I have not yet had the opportunity to test it, but I am in the early stages of developing and documenting it, and would really appreciate any feedback, to help make it become a reality.


----

The Problem


Are you asking yourself either of these questions?


"How can I reduce the amount of overhead involved with imaging every new client system that comes through the doors, but at the same time, not shift that cost to the vendor?"


or, slightly paraphrased:


"How can I streamline the provisioning of new systems, but at the same time, not sacrifice the flexibility of having in-house imaging?"


If your support teams are imaging each desktop and laptop that is shipped from your hardware vendor, you may have investigated the option of having the vendor pre-image systems prior to shipping them out. There are a couple of caveats to this methodology though. First of all, there is usually an additional cost associated with any sort of customization that the vendor must make to a system. Secondly, if you are using a task sequence-based "imaging" process in-house, then you may not have a way of transferring that process (which is inherently network-reliant), to the vendor. Typically, in this scenario, your operating systems, applications, and Active Directory domain, are all residing on network servers that can't be contacted by the vendor during the process (unless you have some uber-fast, secure VPN link between you and them, in which case you can stop reading).


----


The Theoretical Solution (utilizing Intel vPro)


The proposed solution to the problem presented above is actually a combination of technologies and custom development work. In this case, I'm going to be working with the following tools:



Requirements


Here are the requirements for the process:


  • Microsoft Configuration Manager SP1
  • An Out-of-Band (OOB) service point for ConfigMgr SP1
  • “ProvisionServer” DNS record pointing to the out-of-band service point
  • Collection 1: SCCM collection to temporarily store resource records created by script
  • Collection 2: SCCM collection that contains provisioned vPro clients without the ConfigMgr client agent
  • ConfigMgr Task Sequence to build vPro system
  • ConfigMgr advertisement to link task sequence to Collection 2

Step-by-Step Workflow


This is the theoretical process that would be followed:


  1. Physically plug in vPro system – power and network (device remains powered off)
  2. vPro System obtains IP address and DHCP Option 15 (mydomain.com)
  3. vPro System sends “hello packet” to site server (CNAME provisionserver.mydomain.com)
  4. Script reads vPro system’s UUID from amtopmgr.log file on site server
  5. Script creates Resource Record for system in “Collection 1” with auto-provisioning enabled
    1. Use a random name for the hostname (based off of the SMBIOS UUID perhaps)
    2. Make sure to refresh the collection membership, or verify that it gets added somehow
  6. vPro System sends another hello packet to site server at built-in interval
  7. vPro System is recognized as a SCCM resource and provisions
  8. Provisioned vPro resource is automatically populated into SCCM “Collection 2”
  9. Task sequence begins executing
  10. Once the operating system is installed, the device should detect a mismatching hostname between the OS and the ME firmware (this could be configured as part of the task sequence)
  11. The device will send a request to the ConfigMgr site server to re-provision the AMT firmware with the new hostname (equivalent of "Update Provisioning Data"?)


Known Issues and Risks


There is at least one known outstanding issue that I'm aware of, and there may be a way to solve it.

Possibility of over-writing an existing system

If an existing, un-provisioned system is not reporting into Configuration Manager properly, it may be incorrectly assumed to be a new, blank system. Therefore, during the build (or imaging) process, an automated check may need to be put into place to verify whether or not the system is truly a new client or not. This could theoretically be done by analyzing the filesystem, or mounting the offline registry hives, and looking for any indicators. Additionally, if a vPro device was already provisioned, it would need to be excluded from being targeted with this process.
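The scripted part of the workflow above (steps 4 and 5: read UUIDs from amtopmgr.log, derive a placeholder hostname from the SMBIOS UUID) together with the check proposed under "Possibility of over-writing an existing system", as an added example that is not Trevor's code and not a Microsoft or Intel tool. The real amtopmgr.log line layout is not shown in the post, so the sample lines are constructed and the UUID is located by pattern rather than by column; the actual creation of the resource record in Collection 1 is not described either, so it is left as a reporting hook. The skip rules (UUID already a ConfigMgr resource, UUID already provisioned) are the mitigation the "Known Issues" paragraph asks for, applied before anything is imported.

```python
"""
Added example (not the post's code): plan which hello-packet UUIDs from
amtopmgr.log should become new ConfigMgr resource records, skipping any
that are already known or already provisioned.

Assumptions (mine): log line content and the Collection 1 import call are
not described in the post; sample lines are constructed and the import is
a reporting hook only.
"""
import hashlib
import re

UUID_RE = re.compile(r"[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}")

# Constructed sample log lines (the real amtopmgr.log wording may differ).
SAMPLE_LOG = """\
<![LOG[Received hello message from 192.168.10.51, UUID 4C4C4544-0031-4E10-8051-C3C04F4E5231]LOG]!>
<![LOG[Received hello message from 192.168.10.52, UUID 4C4C4544-0031-4E10-8051-C3C04F4E5232]LOG]!>
<![LOG[Received hello message from 192.168.10.51, UUID 4C4C4544-0031-4E10-8051-C3C04F4E5231]LOG]!>
<![LOG[Some unrelated status line with no identifier]LOG]!>
<![LOG[Received hello message from 192.168.10.60, UUID 13C6C0A0-AAAA-BBBB-CCCC-000000000003]LOG]!>
"""


def extract_hello_uuids(log_text):
    """Step 4: UUIDs announced in hello packets, de-duplicated, first-seen
    order (a system re-sends hellos at its built-in interval, step 6)."""
    seen = []
    for line in log_text.splitlines():
        if "hello" not in line.lower():
            continue
        m = UUID_RE.search(line)
        if m and m.group(0).upper() not in seen:
            seen.append(m.group(0).upper())
    return seen


def hostname_from_uuid(uuid, prefix="VPRO"):
    """Step 5.1: deterministic placeholder name derived from the SMBIOS UUID,
    kept to 15 characters so it is a valid NetBIOS name; re-running the script
    yields the same name for the same machine."""
    digest = hashlib.sha256(uuid.upper().encode("ascii")).hexdigest()[:10].upper()
    return (prefix + "-" + digest)[:15]


def plan_imports(log_text, known_uuids, provisioned_uuids):
    """Return (to_import, skipped). Anything already a ConfigMgr resource or
    already provisioned is skipped: that is the over-write risk from the
    "Known Issues" section, checked before any record is created."""
    known = {u.upper() for u in known_uuids}
    provisioned = {u.upper() for u in provisioned_uuids}
    to_import, skipped = [], []
    for uuid in extract_hello_uuids(log_text):
        if uuid in provisioned:
            skipped.append((uuid, "already provisioned"))
        elif uuid in known:
            skipped.append((uuid, "existing ConfigMgr resource"))
        else:
            to_import.append({"uuid": uuid,
                              "hostname": hostname_from_uuid(uuid),
                              "auto_provision": True})
    return to_import, skipped


def import_resource(record):
    """Step 5 hook: the Collection 1 import is site-specific and not described
    in the post, so this only reports what would be imported."""
    print("would import %s (SMBIOS UUID %s)" % (record["hostname"], record["uuid"]))


if __name__ == "__main__":
    plan, skipped = plan_imports(
        SAMPLE_LOG,
        known_uuids=["4c4c4544-0031-4e10-8051-c3c04f4e5232"],   # constructed
        provisioned_uuids=[])
    for rec in plan:
        import_resource(rec)
    for uuid, why in skipped:
        print("skipped %s: %s" % (uuid, why))
```

Feeding the script the list of UUIDs ConfigMgr already knows and the list of already-provisioned AMT systems turns the post's "may need to be put into place" check into the default path: a machine that is merely failing to report in is never re-imaged just because its firmware keeps sending hellos.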

----

Conclusion

I hope that this overview gives you some ideas about how to automate the provisioning of new enterprise clients using Intel vPro out-of-band provisioning. If you have any suggestions for improvement, I'd be interested in hearing them. If you'd like, you can download a copy of this document below.


Thanks,


Trevor Sullivan

Systems Engineer

OfficeMax Corporation


