I hear the following scenario and question a lot - "All I want to do is remotely power-on a provisioned Intel AMT system. My target client management environment does not have Intel AMT functionality. If I could just script a remote power-on command, that would be very helpful. Is there a way to script the command?"
The short answer is yes - Take a look at http://www.symantec.com/community/article/6546/scripting-intel-amt-remote-power
Enjoy
Hello Intel vPro Community!
I'm going to talk to you today a little bit about how to use Windows Powershell to set Intel vPro power profiles. I'll provide a quick bit of background first on what power profiles are, and why you'd want to be able to set them with Powershell.
Intel vPro power profiles are nothing more than a setting in the Management Engine that tells the AMT chip when to be powered up, and when not to be powered up. In some cases, you may want vPro to be inactive during sleep states, or after the computer has lost power (eg. UPS failure).
In my case however, I want vPro to be always active. This is problematic, because Microsoft Configuration Manager's implementation of a provisioning server doesn't give you the option of setting the active power profile. Instead, during provisioning, ConfigMgr sets the active profile to whatever index "5" is. You'll actually see this in the amtopmgr.log file on your OOB (Out-Of-Band) service point during the provisioning process.
Because ConfigMgr decides the default power profile during provisioning, I've decided that I wanted to change it. Because Windows Powershell is an awesome automation tool, and because Intel's AMT Developer Toolkit (DTK) offers a .NET library that I can use in Powershell, I figured that I would figure out how to do it!
--------------------
You might remember my last post on how to use Powershell to connect to an AMT device. The process basically involves loading the aforementioned .NET DLL from the DTK, and then establishing a connection to the device. I didn't really get the opportunity to show you how to do a whole lot with it after making the connection though, so that's the purpose of this post! Let's go ahead and take a look at a few lines of Powershell code, so you can understand the retrieval, and setting of power profiles.
-------------------------------------------------
# In my last Powershell script, I used the $amtdevice variable
# to reference the AmtSystem .NET object. We'll assume at this point
# that you have already connected to the AMT device based
# on my last article.
$amtdevice
# By using the .NET Reflector tool, we can see that the AmtSystem
# object has a property called SecurityAdmin, which returns an AmtSecurityAdmin
# object.
$AmtSecAdmin = $AmtDevice.SecurityAdmin
# The AmtSecurityAdmin object has a method called GetPowerPackages().
# After examining this data type in .NET Reflector, we can filter for only the two
# properties we want to see, the profile ID, and its Name. We'll use the Powershell
# Select-Object cmdlet to filter this data.
$AmtSecAdmin.GetPowerPackages() | Select-Object -Property ID,Name
# You should get some output looking something like this:
# 12834f94-10fb-dc4f-968e-1e232b0c9065 Desktop: ON in S0
# ab0086a1-7f9a-424c-a6e6-bb243a295d9e Desktop: ON in S0, S3
# acab8672-b496-e248-9b9e-9b7df91c7fd4 Desktop: ON in S0, S3, S4-5
# 4dcd327b-be6b-8943-a62a-4d7bd8dbd026 Desktop: ON in S0, ME Wake in S3
# 46732273-dc23-2f43-a98a-13d37982d855 Desktop: ON in S0, ME Wake in S3, S4-5
# baa419c5-6f6e-4d8d-b227-517f7e4595db Desktop: ON in S0, S3, S4-5, OFF After Power Loss
# ede30bd6-c504-462c-b772-d18018ee2fc4 Desktop: ON in S0, ME Wake in S3, S4-5, Off After Power Loss
# Once we have a listing of the power profiles available on the AMT device
# we can get the one that we want, and then set it. Since I always want my
# AMT device active, no matter the system's power state, I'm going to choose
# "Desktop: ON in S0, S3, S4-5" which is index 2 (in a zero-based collection).
$TargetPowerProfile = ($AmtSecAdmin.GetPowerPackages())[2]
# Now that I have a variable referencing the target power profile, I will set the
# profile on the AMT device. The AmtSecurityAdmin object has a method called
# SetActivePowerPackage() that takes one parameter: the power profile we have
# a reference to.
$AmtResult = $AmtSecAdmin.SetActivePowerPackage($TargetPowerProfile)
"Setting power profile to $($TargetPowerProfile.Name) resulted in $AmtResult!"
##### End Setting Power Profile #####
# Let's also take a quick look at how to get some basic information about
# the AMT device's provisioning data. We can figure out if IDE-R, SoL, and the
# WebUI are enabled. We'll use the AmtGeneralInfo object for this.
# Get a reference to the AmtGeneralInfo object
$AmtInfo = $amtdevice.Info
# Write out the current configuration settings
"SOL Enabled: $AmtInfo.SerialOverLanEnabled"
"IDE-R Enabled: $AmtInfo.IdeRedirectEnabled"
"WebUI Enabled: $AmtInfo.WebUiEnabled"
-------------------------------------------------
I hope this helps get you on your way to doing some cool Powershell / vPro automation! Let me know whether or not this helps you in your endeavors 
Trevor Sullivan
Systems Engineer
OfficeMax Corporation
Hello vPro community!
I rather quickly posted the Powershell code I got functioning yesterday just to make sure that I didn't forget to post it at some point, but if you're new to Powershell, you might not understand everything that's going on here. If I left your head spinning, then I apologize, but tonight, I'm wrapping back around to help describe to you the thought process behind the script I posted!
On top of that, once I put together some notes from earlier today, I will post later on about some of my newest findings! To give you a teaser, I found a method of setting AMT power profiles using Powershell code! I'll be sure to get this posted as soon as I can, but for now, I think it would be most beneficial to understand the basics of connecting to a vPro system.
I'm going to step through the script line-by-line and leave some comments about each of them. Comments will be denoted by lines beginning with a pound sign (#). This is because Powershell uses this character as a "comment" character.
If you're experienced with .NET, then you'll probably either already know about, or want to get familiar with, the tool known as the .NET Reflector. This utility allows you to "reflect" over a .NET library, and discover the objects, methods, and properties that are available to you to use in your Powershell scripts. It's not always a simple task to figure out how to use .NET objects, especially if there is either poor documentation, or none at all, but this tool definitely makes it easier.
----------------------------------
# The following 6 lines are simply variables that we are setting
# to make troubleshooting and customizing our script easier.
# We will be instantiating (creating) an object of the data type
# "AmtSystem" that requires these values as params to its
# constructor method.
# This is the domain\userID we want to authenticate as
$amtusername = "vprodemo\DomainUser"
# This is the password for the user account to authenticate
$amtpassword = "P@SSW0Rd"
# This is the FQDN of the vPro client system we want to connect to
$amthostname = "vproclient.vprodemo.com"
# This is the TCP port that we want to connect to the vPro client on
# TCP 16993 is used for TLS communications to AMT clients
$amtport = 16993
# This parameter determines whether or not your password is
# saved in the AmtSystem object (I think)
$amtrecallpassword = $false
# I haven't verified this, but I believe that this parameter determines
# whether or not WS-MAN is used exclusively on vPro clients
# that support it. Otherwise, it will attempt to use EOI (SOAP).
$amtwebservicesonly = $false
# Next, this variable stores the path to the "Manageability Stack.dll"
# which is included with the Intel AMT Developer Toolkit (DTK).
# Be sure to download the latest version from the Intel website.
# This DLL is a .NET library, written in C#, that provides an API
# to interact with Intel vPro clients.
$manageabilitystack = "C:\Program Files\Intel\Manageability Developer Tool Kit\0.6.08325.2\Manageability Stack.dll"
# This line uses the built-in Assembly class (part of .NET reflection)
# to load the .NET DLL containing the AMT API. The Out-Null Powershell
# cmdlet is used to suppress any console output of the LoadFile() method.
[System.Reflection.Assembly]::LoadFile("$ManageabilityStack") | Out-Null
# The Write-Host cmdlet is built into Powershell and simply writes
# some text to the console. We are using inline variables to dynamically
# display the information about the client we're connecting to.
Write-Host "Connecting to $amthostname on port $amtport"
# This is the line that's actually getting the object that we will use to
# reference our target Intel AMT client. We are creating a global variable
# name "amtdevice" and setting its value to a "New-Object" of datatype
# ManageabilityStack.AmtSystem (you can use .NET Reflector to find this)
# and then passing the parameters that we defined before to its constructor.
# If the below line wraps in your browser, please be sure to put it all on one line in your script.
$global:amtdevice = New-Object ManageabilityStack.AmtSystem -ArgumentList $amthostname,$amtport,$amtusername,$amtpassword,$amtrecallpassword,$amtwebservicesonly
# Footnote: With respect to variable scope in Powershell, the reason I am
# defining this as a global variable explicitly, is because if you copy and paste
# this code into a script, and then run that script from within an interactive
# Powershell session, the $amtdevice will now be defined as global to the session
# and will not be deleted when the script exits. This allows you to run the script to
# retrieve the device object, but then continue to work with it interactively once
# the connection is established!
# Tell the AmtSystem object that we want to use TLS
$amtdevice.UseTls = $true
# Enable WS-MAN support (if available) on the connection
$amtdevice.WsManSupport = $true
# Once we've set up all of our configuration options about the connection,
# this next line actually establishes the connection.
$amtdevice.Connect()
# The "State" property of the AmtSystem object is "Connecting" until the
# connection either succeeds or fails. We want to monitor the status until
# this occurs.
while ($amtdevice.State -eq "Connecting") { Start-Sleep 1 }
# Finally, once the connection either succeeds or fails, we write out the
# State property to the console so that we know what the outcome was.
Write-Host "AMT device is in state $($amtdevice.State.ToString())"
-----------------------------------
So, there you have it. That is the code, with my comments inline. If you have any questions or feedback on my articles, please feel free to comment on this blog article. I will try my best to answer them, although please understand that I am still working on comprehending this great API! If this is useful to any of you, I would like to know that, and if not, then please recommend something that you would like to hear about!
As promised, I will eventually write another follow-up article on how you can set Management Engine (ME) power profiles on a provisioned AMT client remotely, using Powershell! Until next time ...
Happy Powershell Scripting!!
Trevor Sullivan
Systems Engineer
OfficeMax Corporation
Hello,
This is my first contribution to the Intel vPro Expert center, and although I would not consider myself an expert on this product, I've still been graciously allowed to post here. Thanks Josh! 
I'd like to start out by introducing myself. My name is Trevor Sullivan, and I am a desktop systems engineer at a large retail corporation. Over the past 8 months or so, I've been working quite a bit with several people from Intel and Microsoft to better understand the Intel vPro technology, and how it can benefit my company. Overall, I'm really impressed with the technology, and I am fortunate enough to be working with an environment that has a pretty decent install base of Intel vPro-enabled systems.
I'd like to take a few minutes to explain a few issues that we recently experienced with our production vPro implementation.
-
We're using Intel vPro with Microsoft Configuration Manager 2007 SP1, and for a while, we had been running into issues that prevented us from provisioning a vPro device. It turns out that the reasoning behind this was related to our provisioning certificate. We requested a certificate from Verisign, and imported it into our central SCCM site server. We have several child primaries to our central SCCM primary site server, however, and we were using the same provisioning certificate on those systems (Intel confirmed that this was possible).
When I exported the certificate (using the Certificates MMC snap-in), with its private key, from my central SCCM site server, I did not choose the option to export the certificate chain with it. Importing the certificate, with its private key, went just fine on the other SCCM primaries, but provisioning just didn't work. After working with Bill York from Intel for several hours, it was finally determined that the Verisign Class 3 Intermediate Certificate Authority's public key certificate was expired in the Intermediate certificate store on the SCCM site server running the out-of-band (OOB) service point. I imported the updated Verisign Intermediate certificate into the server's Intermediate CA certificate store, which resolved the issue I was having.
If you are experiencing this specific problem, you should see something like the following in your amtopmgr.log on the SCCM site server running the OOB service point:
Try to use provisioning account to connect target machine vprosystem.subdomain.mydomain.com...
Server unexpectedly disconnected when TLS handshaking.
**** Error 0x382b948 returned by ApplyControlToken
Although this probably should have been obvious to me, I did not actually open the provisioning certificate on the server I had imported the certificate on, to verify that the certificate was valid. If I had done so, I would have seen a message stating that the certificate was invalid, and then I could have looked at the certificate chain tab to see that the Verisign Intermediate CA's certificate was not valid. After examining the certificate for the Intermediate CA, it was determined that it had expired, causing my provisoning certificate to become invalid.
-
After resolving the certificate issue, we started seeing another issue. This issue was related to our internal Microsoft PKI. The next symptom we saw was again in the amtopmgr.log file (+in case you haven't figured it out, this is probably the most useful AMT log in SCCM). Here are the messages we saw:
Send request to AMT proxy component to generate client certificate. (MachineId = 60752)
Successfully created instruction file for AMT proxy task: D:\SMS\inboxes\amtproxymgr.box
RETRY(1) - Validate client certificate for AMT device vprosystem.subdomain.mydomain.com being generated.
Wait 20 seconds to find client certificate for AMT device vprosystem.subdomain.mydomain.com being generated again...
AMT Provision Worker: Wakes up to process instruction files
AMT Provision Worker: Wait 20 seconds...
RETRY(2) - Validate client certificate for AMT device vprosystem.subdomain.mydomain.com being generated.
Wait 20 seconds to find client certificate for AMT device vprosystem.subdomain.mydomain.com being generated again...
AMT Provision Worker: Wakes up to process instruction files
AMT Provision Worker: Wait 20 seconds...
RETRY(3) - Validate client certificate for AMT device vprosystem.subdomain.mydomain.com being generated.
Wait 20 seconds to find client certificate for AMT device vprosystem.subdomain.mydomain.com being generated again...
AMT Provision Worker: Wakes up to process instruction files
AMT Provision Worker: Wait 20 seconds...
RETRY(4) - Validate client certificate for AMT device vprosystem.subdomain.mydomain.com being generated.
Wait 20 seconds to find client certificate for AMT device vprosystem.subdomain.mydomain.com being generated again...
AMT Provision Worker: Wakes up to process instruction files
AMT Provision Worker: Wait 20 seconds...
RETRY(5) - Validate client certificate for AMT device vprosystem.subdomain.mydomain.com being generated.
Error: Missed device certificate. To provision device with TLS server or Mutual authentication mode, device certficate is required. (MachineId = 60752)
Error: Can't finish provision on AMT device vprosystem.subdomain.mydomain.com with configuration code (0)!
>>>>>>>>>>>>>>>Provision task end<<<<<<<<<<<<<<<
What this is telling you, is that the OOB service point was unsuccessful with its attempt to generate and retrieve a web server certificate, for the vPro client, from your internal Microsoft CA (either root or subordinate, but in our case, a subordinate). Although we had duplicated and configured the web server certificate template on our CA, the certificate was not getting created as we expected. The issue, in this case, was that our CA was not configured to automatically approve pending certificate requests.
In order to resolve this issue, follow these steps:
1. Open the Certification Authority MMC snap-in and connect to your CA
2. Right-click the CA node, and select Properties
3. Select the "Policy Module" tab
4. Click the Properties button
5. Choose the lower radio button (It reads: "Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.")
6. Click OK on all dialog boxes
7. Restart the CA service, to allow the setting to take effect
-
I have a few more issues I'd like to talk about, mostly related to DNS. I will post again with details.
Thanks for reading,
Trevor Sullivan
Systems Engineer
One of the things we advocate when mentoring new I.T. start ups is to take "Baby Steps" in their business building processes.
One of the critical areas that the new I.T. shop needs to build up is the lab.
A simple lab setup that has a relatively low cost, but provides excellent value is the following:
Intel DQ35JO
Intel Q6600 or Q6450 Core 2 Quad
8GB Kingston non-ECC RAM
2x 500GB Seagate Barracuda in RAID 1
Antec Sonata or Minuet.
Intel PRO/1000 PF Dual Port Server Adapter
This is our base configuration. Quad Core gives us the necessary power to run a number of virtual machines with 8GB giving us the space to run at least one or two server OSs and perhaps one or two desktop OSs at the same time.
The host OS to begin with is Windows Vista Business x64 with Virtual PC providing for the virtualization needs. Down the road either Server Core with the Hyper-V role installed or the new Microsoft Hyper-V Server 2008 can provide the host foundation.
RAID 1 via the on board controller is a first step. The second, once the consultancy has grown some, is to install a second pair of 500GB Barracudas to open up the I/O bottleneck a bit with RAID 0+1.
Licensing would be covered by the Microsoft Action Pack Subscription to begin with. TechNet Plus would provide the lab licensing further on.
Why vPro? Because, a business is very conscious of every dollar being spent during the startup and early phases of its existance. Active Management Technology provides a simple but effective way to faciltiate reduced expenses.
While the DQ35JO may cost a bit more than say a Classic series board out of the box, those extra dollars are returned very quickly in two ways:
Power savings by having the lab system or systems off while not in use.
The consultant can fire up that lab system when they are not in their office.
The built-in hardware support for virtualization is also a key feature.
Microsoft Windows Small Business Server 2003 or 2008 provides an SSL secured remote access method to the internal network via the Remote Web Workplace.
The methodology is quite simple:
Log on to RWW as a domain admin.
Log onto the server via "Connect to my Server" link.
Use the Intel System Defense Utility to connect to the lab system and power it up.
Log off SBS and RWW.
Log onto RWW as the lab user
Connect to the lab system via the "Connect to my computer" link.
Once logged onto the lab system's desktop the consultant is good to go with whatever tasks they are looking to test on the lab setup.
Prior to vPro and AMT, we were leaving our lab systems online all of the time. We had to, as there was no guarantee that the lab would be needed while on-site working on a critical issue. And, if a problem arose where the lab system had locked up, there was no way to power cycle the system.
For us, vPro and AMT just make cents! 
Did you know that vPro has the capability to give you remote GUI access out-of-band (OOB) using the serial-over-LAN (SoL) interface? It's true.
Normally we think of SoL as a solution for remotely accessing BIOS or as a tool for running text based remote diagnostic utilities as part of an IDE redirection (IDR-R) session. SoL is capable of doing more than console redirection. If you look in the device manager on a vPro client and expand the Ports (COM & LPT) you will see an entry for the SoL interface:
This port allows the local operating system to interact with AMT's out-of-band connection to a management console. You can try this yourself with the following steps:
Open up a SoL session to your vPro client using your management console. (you can use the Manageability DTK if you do not currently have access to a management console)
Open up a command prompt on the vPro client you are connected to via SoL.
Enter the following command:
echo hello>com3
Note: the actual COM port number for your SoL interface may be different, check device manager to see what it is.
Look at your SoL session on your management console. You should see the word "hello" appear in your console window.
So what does this all mean? It means that if you have some software monitoring the SoL port that you can send and receive data to your OS OOB.
A great example of how to leverage the SoL interface can be found in the Manageability DTK. The DTK gives you the ability to redirect TCP traffic over the SoL interface by utilizing an agent, the Manageability Outpost, on the vPro client. There is corresponding functionality available in the Manageability Commander tool and Manageability Director tools. This allows you to map a TCP port on your vPro client back to a TCP port on your management console and tunnel TCP traffic between your management console and vPro clients over the SoL connection.
If you combine TCP redirection with remote control software, like Remote Desktop, VNC and similar tools, you can enable OOB access to a full GUI on a remote machine.
I've put together a video that demonstrates how you can use this ability to remotely manage a client with a full GUI, including the ability to transfer files, using vPro's OOB management capabilities.
Through trial and error I've come across a working method for installing Intel's Setup and Configuration Service (SCS) on a server that does not have Notification Server, and thus Out of Band Management, installed. When NS is installed, all rights, etc, are already assumed by logging in as the Application Identity. Intel SCS installs fine this way, but when on a separate server certain prerequisites and configurations need to be met before the installed SCS will function properly.
For the best results, the prerequisites should be met before hand. If SCS has already been installed, the necessary components can be added or configuration changed to support it properly. The first section of this article I'll assume we'll do the install from scratch, while with the second I'll cover how to reconfigure SCS if it has already been installed so it works successfully. This is with version 6.2 of Out of Band Management Solution.
NOTE: This is for an Intel SCS installation that is not on an existing Notification Server with Out of Band Management installed.
First, we need to prep the system for the actual install of Intel SCS. The following components are required for Intel SCS to function normally:
Windows 2000 Server, Windows 2003 Server
Internet Information Services (IIS)
Microsoft .NET 2.0
Run through the following steps to install Intel SCS. I've assumed the above prerequisites have already been met.
Log onto the system as the Application Identity user for Notification Server.
Using the ‘Pull' method, install the Altiris Agent from the Server that houses Out of Band Management:
Typically the URL is formatted as: http://%3cnsname%3e/Altiris/NS/Agent/AltirisAgentDownload.aspx.
Use the resulting page to download and install the Altiris Agent. Typically it takes a few minutes to complete the process of installing and registering with the Notification Server.
If needed, provide the App ID account local administrator rights on this Server. In one case this was not the case, and the service was unable to connect to the NS.
Browse to the following path on the NS:
<NS_Name>\NSCap\Bin\Win32\X86\OOB\IntelSCS\
Launch the EXE AMTConfServer.exe.
Click ‘Next' on the Welcome screen and accept the license agreement and click ‘Next'.
Choose ‘Complete' as the type of setup and click ‘Next'.
In the User name and Password fields put in the Application Identity for the NS.
Check the Web details.
Leave ‘Force Secure Connections (HTTPS)' checked if you will use TLS to encrypt AMT traffic, or uncheck it if you will not be using TLS. Click ‘Next'.
Under ‘Database Server' select the database name and instance to use. This should be the SQL Server used to install the IntelAMT database when OOB was originally installed on the notification Server, or if the database was never created, this should be the same server and SQL Instance where the Altiris database that hosts Out of Band Management is installed.
Check the database details. Click ‘Next'.
Click the ‘Install' button to proceed with the install using the parameters set.
If the IntelAMT database was previously created, you'll receive a notice saying that the database IntelAMT already exists. Make sure to click ‘Yes' so it uses the existing one. This is especially important if you have provisioned systems already in the database. If no database exists by name IntelAMT, a new one will automatically be created and no prompt will appear.
At the Complete screen, leave the ‘Start Intel® AMT Config Service' checked and click ‘Finish'
From the Notification Server, at this location:
<NS_Name>\c$\Program Files\Altiris\OOBSC\, copy the file oobprov.exe to the same path on the SCS Server (default will be C:\Program Files\Altiris\OOBSC\).
NOTE! You must use the same path that it used on the Notification Server, this is a limitation with our implementation at this time.
Copy to the same folder the attached file Interop.AeXClient.dll.
Normally the script (oobprov.exe) is properly registered to the correct path, but if it is not, we must manually change it.
NOTE: Using this option to install SCS on a different server than the NS often leaves the csti_configuration table poorly configured. If this is the case, the following two steps must be done to fix the problem.
Open SQL Query Analyzer or SQL Enterprise Manager. Run the following query:
USE IntelAMT
SELECT Props_script_path, use_props_script
FROM csti_Configuration
Check the path and make sure it matches the remote and local Intel SCS install. Also verify that the use_props_script is set to 1, which means ‘True' (0 means ‘False'). Now run the following query if they need to be updated, but take note to change the path to match your environment:
UPDATE csti_configuration
SET props_script_path = ‘C:\Program Files\Altiris\OOBSC\oobprov.exe'
SET use_props_script = 1
WHERE configuration_id = 1
Everything should now be in place for the new Intel SCS install to work with systems being provisioned, including all maintenance and post-provisioning actions.
As one last check, let's ensure the Intel SCS installation registered itself in the IntelAMT database. If this part has failed the service AMTConfig will not be able to start, throwing an exception about database connection in the Application Event Log.
On the Database Server, run the following query:
USE IntelAMT
SELECT * FROM csto_servers
You should have one entry for every Intel SCS install you've completed, even the original OOB install if you also installed Intel SCS originally on the NS. Note the server_name column to contain the name of the server you installed Intel SCS onto. If it is not here the problem generally stems from SQL database access rights on the SQL Server. Please ensure the account you are using has rights to create a new database, or update an existing one.
If you've already install SCS, and provisioning is not occurring (see the following article group for troubleshooting steps: http://juice.altiris.com/book/3699/troubleshooting-altiris-manageability-toolkit-vpro-technology), we need to go through the steps to provide the remote Intel SCS Install the necessary configuration to properly work with the remote IntelAMT database and Notification Server.
The following steps provide the right changes to ensure everything is setup correctly:
Log onto the Server with the NS Application ID.
Uninstall the Altiris Agent from the system. If it is not installed simply continue through the steps.
Check to ensure the account that is running the Intel SCS service, AMTConfig, has admin rights to the NS. If it does not, add the user to the Admin group on the Notification Server.
Check to ensure the Application ID has local administrative rights to the server Intel SCS is installed on.
Install or reinstall the Altiris Agent, ensuring it is pointing to the NS where Out of Band Management is hosted.
Once the five preceding steps are completed successfully, move to Database server and launch SQL Enterprise Manager against the IntelAMT database.
Run the following query:
USE IntelAMT
SELECT Props_script_path, use_props_script
FROM csti_Configuration
!csti_configuration.jpg!
Please note the following details from the resulting line:
use_props_script - This column needs to be set to TRUE (1). If this is set to 0 no provisioning attempts will even be executed. I've seen this set to 0 at times.
props_script_path - This value is passed to the Intel SCS service that's available to run oobprov.exe. This must be the same location on both the NS and the remote server.
props_script_timeout - This timeout should be set at 180.
If the values are not set right, use the following query to update the table to have the correct values (note that the props_script_path may be different in your environment. If so, change the query to match your installation setup):
UPDATE csti_configuration
SET props_script_path = ‘C:\Program Files\Altiris\OOBSC\oobprov.exe'
SET use_props_script = 1
SET prop_script_timeout = 180
WHERE configuration_id = 1
Once the above changes have been made, restart the AMTConfig service on the local Intel SCS Server to have all cached items dropped so the changes are filtered down properly.
The immediate question after installing and/or fixing an existing install of Intel SCS is are things working correctly? Time will definitely tell, but if you want to know immediately you can use the following process to check the workability of the install:
On the Intel SCS server, go into the Services Manager within Administrative Tools. Is the AMTConfig service running? If not, try to start it. Also check the Event Log for failures. If it stays running, it can successfully start and then connect to the IntelAMT database. Note that if it starts but then stops a minute or two later, the database is likely unreachable by the service.
On the Notification Server, browse in the Altiris Console from View > Solutions > Out of Band Management > Configuration > Provisioning > Logs > Actions Status. Do you see any successful Provisioning requests since the time you finished configuring the Intel SCS install?
If possible, manually configure a system to provision and see if it goes through. The reason the existing ones trying to provision may not work is due to IP Address changes that make it impossible or SCS to connect back to the system. New Hello Packets will remedy this situation in the long-term.
These processes should allow you to properly install and configure Intel SCS on a server that is not where the Notification Server and Out of Band Management are installed and running.
