If you are using Out Of Band (OOB) Management in Microsoft System Center Configuration Manager (SCCM) 2007 SP1 (or greater) to manage your Intel vPro clients, you may have noticed that computer objects are created in your Active Directory domain during provisioning of the Intel vPro firmware. These computer objects are created by the amtproxymgr component of an OOB Service Point, and allow Intel vPro to communicate directory with Active Directory, regardless of the operating system state.

Since these vPro computer objects appear very similar to standard computer objects that are created when joining a Windows OS to an AD domain, it may be hard to distinguish which ones are vPro accounts, and which ones aren't. This situation can be worsened if you somehow have Windows computer accounts mixed into the same OU that contains your AMT objects.

As you'll see below, it's very easy to locate these computers using some simple PowerShell code:

$vprosearcher = [adsisearcher]"(&(objectclass=computer)(serviceprincipalname=*:16993*)(samaccounttype=805306368))"
$vproaccounts = $vprosearcher.FindAll()

These two lines of code simply create a System.DirectoryServices.DirectorySearcher instance, with some LDAP search criteria to identify the accounts, and then assigns the results of this search to a PowerShell variable called $vproaccounts. The default search root is the top-level of your Active Directory domain, and the default search scope is already set to SubTree, so you don't have to specifically configure these settings on the DirectorySearcher. Once you're at this point, you can simply enumerate the accounts, or pipe the results into a PowerShell ForEach loop, and perform some operation against them (for example, givem them a Description attribute value).

Because this code sample uses the "adsisearcher" type accelerator (aka. type shortcut), it will only work with PowerShell v2.0 (included as part of the Windows Management Framework), unless you modify PowerShell v1.0 to include it. There's almost no reason not to be using PowerShell 2.0, now that it has been officially released, however.

I recommend using the free Quest PowerGUI tool to develop and debug PowerShell scripts.

Cheers,

Trevor Sullivan

A hobby of many IT professionals is playing video games ... so we asked the question: "What Video Game Would Intel vPro Technology Be?" while at Symantec ManageFusion 2009 from March 10th to 12th. Check out the responses below from IT executives and managers, Intel partners and industry analysts.

To learn more about Intel's presence at Symantec ManageFusion 2009, go to: http://www.intel.com/go/managefusion/

While at Symantec ManageFusion 2009, we had a chance to talk with Mike Dunham, Executive Director of Product Management for Incendio Technology. In the video below, he talks about the Incendio vMinder Portal, which allows IT profrossional to utilize the Symantec Altiris Client Management Suite without needing console access. From the Incendio vMinder Portal, the IT professional can access Intel vPro technology features such as reliable remote power control that are part of the Symantec Altiris Client Management Suite.

To learn more about Intel's presence at Symantec ManageFusion 2009, go to: http://www.intel.com/go/managefusion/

While at Symantec ManageFusion 2009, we had a chance to talk to IT executives and managers from Disney International, Fox Interactive Media, Blue Cross Blue Shield and McCormick Spice Company and industry analysts from Enterprise Management Associates and Ptak, Noel & Associates LLC. In this video, they talk about the security benefits of Intel vPro technology - which include the ability to deploy software patches faster into the installed PC base, and the ability to quarantine infected PCs and remotely remediate them.

To learn more about Intel's presence at Symantec ManageFusion 2009, go to: http://www.intel.com/go/managefusion/

I wanted to quickly share an example of how to set the current power state of a provisioned Intel vPro system using Windows Powershell!

Take a moment, and ask yourself these quick questions:

• Have you ever wanted to be able to automate the powering up, or powering off, of multiple computers?
• Is your company interested in saving money by not needlessly leaving computers powered on at night?
• Do you have a time-critical environment, such as a call center, where you need to reliably power up your computers so they are ready to go in the morning for agents?
• Do you want to be able to create your own helpdesk tools to enable remote reset of hung systems?

If you answered "yes" to any of the previous questions, then hopefully this Powershell code will help you, as an administrator, achieve your goals! Let's take a look at how to perform the actions of:

• Powering up a vPro (AMT) system
• Powering down a vPro (AMT) system (not gracefully, just FYI)
• Power cycling a vPro (AMT) system (also not graceful)
  

For the sake of simplicity, we'll continue to work with the ManageabilityStack.AmtSystem object that I have referenced in my previous article(s). If you aren't sure how to get the $Global:Amtdevice Powershell variable, please look back at my other articles. This will also require the download of the Intel AMT Developer Toolkit. You'll need the Manageability Stack.dll library contained within.

-------------------

In order to control the remote power state of an AMT system, all you really need to know are these 3 hex values:

0x10 = System reset

0x11 = Power on

0x12 = Power off

0x13 = Reset w/ power cycle

These hex values will be used with the $AmtSystem.Remote.SendRemoteControl() method to alter the power state of the remote system. The SendRemoteControl() method included with the DTK includes a number of parameters that go beyond the scope of this article, so we will pass hex value 0x0 to these parameters for the time being. In order to use the above hex values, simply pass the hex value as the first parameter of the SendRemoteControl() method. In order to fulfill the parameter requirements of this method, pass 5 additional parameters with the value 0x0. Here are some examples:

Powering up an AMT System

$Result = $AmtDevice.Remote.SendRemoteControl(0x11, 0x0, 0x0, 0x0, 0x0, 0x0)

Write-Host "Power command resulted with: ${Result}"

Powering off an AMT System

$Result = $AmtDevice.Remote.SendRemoteControl(0x12, 0x0, 0x0, 0x0, 0x0, 0x0)

Write-Host "Power command resulted with: ${Result}"

Power cycling an AMT System

$Result = $AmtDevice.Remote.SendRemoteControl(0x10, 0x0, 0x0, 0x0, 0x0, 0x0)

Write-Host "Power command resulted with: ${Result}"

The above samples show how to use the SendRemoteControl() method of the AmtRemoteControl .NET type in the Intel AMT Developer Toolkit (DTK) to control the power state of a remote AMT device.

If you have any questions about this, please leave a comment or send me a private message.

Sincerely,

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

While at Symantec ManageFusion 2009, we had a chance to talk to IT executives and managers from Disney International, Fox Interactive Media, Las Vegas Sands Corporation and McCormick Spice Company and industry analysts from IDC, Enterprise Management Associates and Ptak, Noel & Associates LLC about Intel vPro technology and industry trends.  In the video below, they discuss the impact of Intel vPro technology on power consumption reduction and energy cost reduction.

To learn more about Intel's presence at Symantec ManageFusion 2009, go to: http://www.intel.com/go/managefusion/

At the recent Symantec ManageFusion 2009, Symantec announced the general availability of Symantec Altiris Client Management Suite Version 7.

One of the new features in Symantec Altiris Client Management Suite Version 7 is support for Intel Centrino 2 with vPro technology's "Fast Call for Help."  The video below by Symantec's Senior Technical Manager Lee Bender is a demonstration of how an end-user would connect back to the Altiris Client Management Suite for remote diagnosis and repair of his notebook even though he connect boot into Windows and is outside of the corporate firewall.

To learn more about Intel's presence at ManageFusion 2009, please go to http://www.intel.com/go/managefusion/

Hello vPro Experts!

I would like to take some time to touch on exploration of the management engine via the local interface (specifically the HECI driver). In order to follow the exercise here, you'll need to have Windows Powershell installed, have the Intel AMT Developer Toolkit downloaded and installed, and have an AMT client (does not need to be provisioned) with the HECI driver installed. The HECI driver should be downloadable from your OEM.

To give you a high-level idea of the program flow we'll use to access the AMT device, consider the following:

1. Load the "Manageability Stack.dll" .NET library
2. Create an instance of the ManageabilityStack.HeciWrapper object
3. Reference the properties and methods of the HeciWrapper object, and the HeciMeInfo object (provided by the HeciWrapper.MeInfo property)

Here is the Powershell code that correlates to the above process:

Loading the .NET Library

# Load the Manageability Stack .NET library

$AmtLib = "C:\Program Files\Intel\Manageability Developer Tool Kit\Manageability Stack.dll"
[System.Reflection.Assembly]::LoadFile($AmtLib)
# Create a HeciWrapper object

$Heci = New-Object ManageabilityStack.HeciWrapper

# Pipe the $Heci variable into the Get-Member cmdlet to determine what properties

# and methods are available to us.

$Heci | Get-Member

Obtaining a list of embedded certificate hashes

# List embedded certificate hashes
$Heci.MeInfo.EnumerateHashHandles()

Getting the BIOS and AMT Versions

# Retrieve the AMT version
Write-Host "AMT version: $($Heci.Versions.Versions["AMT"])"
# Retrieve the BIOS version
Write-Host "BIOS version: $($Heci.Versions.BiosVersion)"

Retrieving Provisioning Information

# Retrieve the provisioning server name
Write-Host "Provisioning server: $($Heci.MeInfo.GetAuditRecord().ProvServerFQDN)"
# Determine provisioning date
# This will return "01/01/0001 00:00:00" if not provisioned
Write-Host "Provision date: $($Heci.MeInfo.GetAuditRecord().TlsStartTime)"
# Get provisioning mode (Enterprise, SMB, etc.)
Write-Host "Provision mode: $($Heci.MeInfo.GetProvisioningMode().ProvisioningMode)"
# Get provisioning state
Write-Host "Provision state: $($Heci.MeInfo.GetProvisioningState())"

-----------------------------------

I hope these code samples are able to help you out in your administration / engineering endeavors! Please let me know if you have any questions, and don't forget that in Powershell .... when in doubt .... use Get-Member to discover what information is available to you!

Trevor Sullivan

Systems Engineer

OfficeMax Corporation