I've been asking GoDaddy for over a year to provide a specific Intel vPro site to help customers buy Remote Configuration Certificates.  Glad to see someone was able to get them to add a link on thier site.  http://help.godaddy.com/article/5260

In IT environments where device naming standards may be coarse, or where users can freely rename their systems at will, you may experience problems managing these clients' AMT firmwares. Since, in order to maintain proper AMT functionality, the OS and AMT hostnames must match, an IT administrator or engineer would likely be interested in finding out which machines do not meet this criteria.

With that in mind, I've written a simple SQL query, that can be run against your Configuration Manager database, to determine what devices have mismatching OS and AMT hostnames. I've pasted the text below, but if you want a more nicely formatted version, please see this link at PasteBin.

/*
Author: Trevor Sullivan

Date: Tuesday, July 21st, 2009

Purpose: Identify devices whose AMT hostname and OS hostname mismatch
   in the Configuration Manager database

*/

select
-- Active Directory site name
[AD_Site_Name0] as 'AD SiteName'
-- AMT hostname (in provisioning record)
, [amt].[HostName] as 'AMT HostName'
-- OS hostname (should match AMT firmware)
, [sys].[Name0] as 'OS Hostname'
-- Retrieve UserID to identify device owner
, [UserName0] as 'UserID'
-- Hardware vendor
, [cs].[Manufacturer0] as 'Vendor'
-- Device model
, [cs].[Model0] as 'Model0'

from v_AMTMachineInfo [amt]

-- Join v_R_System to retrieve AD Site Name field
join v_R_System [sys] on [sys].[ResourceID] = [amt].[MachineID]
-- Joinv_GS_Computer_System to allow us to retrieve make/model information
join v_GS_Computer_System [cs] on [sys].[ResourceID] = [cs].[ResourceID]

where
-- We only want current resource records from ConfigMgr
[sys].[Obsolete0] = 0
-- This condition determines the mismatching hostname in the v_R_System and v_AMTMachineInfo SQL views
and [sys].[Name0] <> [amt].[HostName]

Cheers,

Trevor Sullivan

Systems Engineer

I ran into a problem when I accepted my server's default setting when installing my Remote Configuration certificate.  I found root cause and decided to share...

http://communities.intel.com/docs/DOC-2672

Hello Intel vPro Experts!

I've started putting together a document on some issues that I've encountered during my experiences with Intel vPro and ConfigMgr. You can access this document right here on the vPro Expert Center: http://communities.intel.com/docs/DOC-2362

Please provide feedback on the document. It's not of very high quality just yet, because I only started writing it last night, but I hope to keep it updated, to provide a valuable resource to other IT folk interested in using Intel vPro.

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

The following document was created for customer preparation to ensure the success of activating vPro platforms within the customer's corporate production environment.

LANDesk Preparation Checklist for Intel(R) vPro(TM) Activation

As many of you might know or have experienced, relying fully on the default provisioning window where the Management Engine sends 'Hello Packets' to the SCS server is problematic. Problems start arising in the following instances:

1. The network has multiple domain suffices being allocated as connection specific DNS suffices depending on location and this could potentially lead to a mismatch between the SCS domain suffix and the client domain suffix.

2. DHCP option 15 upon which the default process relies on might need be in use for one reason or another

3. The provisioning window (24 hours for RCFG and 6 hours for PID/PPS by default) has closed before the infrastructure has been put in place to do something useful with these hello messages.

In the past there was a solution based on sample vbscripts provided by Intel- either Server side only or a combination of client and server side scripts that would be used in conjunction with SCS. This has now evolved to the Activator Utility which is considered the best known method, however there are some subtleties where using the Activator isn't as straight forward, such as:

1. The Activator utility will typically run under the context of the Local System Account - to allow each Local System Account to write information to the SCS DB requires delegating control all the Computer Objects. This is seen as a significant security risk by some organisations.

2. The syntax for running the Activator utility necessitates the specification of a profile ID. The number of the profile ID can't be pre-determined with absolute certainty and the SCS API only accept the profile ID and not the profile name. A situation can ensue that the wrong profile ID has been hardcoded on the clients.

3. Some operations like /a cannot work under the Local System Account context to begin with

Together with the hetrogeneous states of vPro machines (some provisioned, some not, some needing to be re-provisioned) some further logic needs to be put in place to provide a robust end to end solution. This has lead to the implementation (in a nutshell) of the following solution at a large scale enterprise customer (it assumes knowledge of the activator utility and it's switches):

1. A scriptable interface needs to be able to determine whether a system is provisioned or not - this is achieved by running MEInfo and parsing the contents of the output and writing some information into registry keys.

2. A script always checks the registry keys to know whether to run the Activator utility

3. The script is run at every boot-up of the system to make sure any previous failed attempts or if the system has been unprovisioned since the last boot is covered

4. Once a script (which runs under the context of the Local System Account) determines it needs to execute - i.e. the machine is unprovisioned but has PID/PPS loaded it runs the Activator Utility with the //s h /d PID but not /o and /p

5. At this point you might ask yourself, if I am using the client side vbscript, why should I use the Activator tool as well? The answer is that the Activator tool provides you the ability to send an in-band 'hello message' to kick-off the provisioning process. That is why we make use of the /h and /d PID parameters. If you wouldn't use the Activator tool, the out of band 'hello messages' would have easily timed-out a long time ago and you wouldn't be able to commence their resending unless you pulled the power cable out and back in - i.e. restart the Management Engine.

6. The PID is predetermined per machine type and can be inserted into XML file that sits in client - if the PID was unique per each machine this would have broken the whole solution - hence a clear recommendation to have the same PID/PPS across all machines or at least across all machines of the same model

7. At this point the information is written into an Interim DB using SQL account permissions

8. Note that no permissions need to have been delegated for all Local System Accounts

9. On the server side the script uses the same or different SQL account permissions to access to the interim DB

10. On the server side the script contains the /p and /o parameters - this is crucial as this is a single point where the /p and /o parameters can be changed thus providing flexibility

11. In addition since the customer has opted to not use certificates and because there is a difference between the connection specific and Active Directory domain suffices, provisioning is take place with hostname only - typically this would have involved using the /a switch, however there is a known issue that won't work under the context of the Local System Account. Therefore the FQDN is stripped of it's domain the server script and the hostname is derived.

12. The server script creates an XML file with the appropriate content to plug into the Configuration Parameters table in the main SCS DB, as the SCS service can parse the contents of this XML file and check that it is valid content.

The overall benefit of this solution is you avoid the security risk of delegating access rights for all Local System accounts, cover the different scenarios when the Activator Utility should be run, avoid the problems of mismatching domain suffices and maintain the flexibility of a single point of changing parameters for the variable Activator Utility syntax.

The same logic will apply if you are using RCFG - simply ignore point #6 above regarding PID.

Hope some of you find this useful.

Thanks, Tal

NOTE: If you have not read parts 1 through 4, please read these before reading this part as this is a continuation of the story begun in the previous sections. Altiris and Intel vPro Use Cases

Learning from previous mistakes, CSO Dan Williams discusses what they can do to better secure the powerful AMT functionality. Since the human factor is the biggest weakness, what can they do to strengthen this? Obviously they can't remove it altogether; might as well shut the company down. In Intel vPro the human factor can be minimized due to available strong security technologies. AMT can be made more secure, but the continuing threats are emphasized when a computer is hijacked. What can be done to regain control?

Mighty Modern Marketing HQ - Boston, Massachusetts

Bright sunlight filtered through the distant windows , overshadowing the bland fluorescent lights lit above. Jessica Langley watched the distant pedestrians seen in a narrow view near the street moving past with varying degrees of enthusiasm. The hot summer held to the south temporarily by a low pressure that brought in the cool Atlantic breezes. She imagined being able to hear the conversations of those passing, wondering what they spoke of, and if any of them had as crazy a life as her.

"Ah, this is the life," Tevita said as he leaned back. He placed his hands behind his head and stretched out his legs, pushing his office chair as far back as possible. With what looked like a deliberately casual gesture he tossed his headset onto his desk.

"You should be worried," Jessica commented dryly.

"Worried? Why?"

Jessica gestured sharply at her phone. "No one can call us with the phones down, so our work is just piling up while we sit here."

"Hey, we have our mobile phones. If it's not important enough for them to look up our numbers, then why worry about it?"

"You know that's not how it'll happen. As soon as the phones get up... WHAM! We're here until the sun drops below the trees in the west."

Tevita's smile lessened, but only a little. "They've been down for two hours. Perhaps they'll be down all day, and we can leave early."

"Right."

The Tongan shrugged, and Jessica briefly envied his ability to shove aside problems when they weren't directly in front of him. He could have two amazingly nasty issues to work on, and he'd easily concentrate on one at a time as if the other issue didn't exist. She wished she could compartmentalize in that manner, but when she had two critical issues to work on they hung over her like a dark shroud. Usually the one she wasn't currently working pressed down as if to accuse her of negligence, but she couldn't do two things at once. It wasn't like knitting while watching TV.

Like now, when she knew issues piled up while their phones remained down. She reached down and pulled up her mobile phone in case she'd missed an incoming call, but nothing showed. She sighed, standing up and stretching. Tevita frowned at her.

"You aren't going to bug the phone people again, are you?" he asked, as if accusing her of turning him in for some crime.

"No," she said. "Daniel Williams wanted to talk to me today so I'm heading up to his office."

"Good. Don't mention the phone issue to the CSO..."

She rolled his eyes at him, but he only smiled, large hands moving deftly across the keyboard. Without phone call interruptions Tevita would clear out the email queue in no time.

She took the stairs, hoping to work off the donut she'd eaten earlier that morning. It seemed no matter how resolute she thought she was to eat healthier, as soon as someone brought in free goodies her willpower vanished and she indulged. She doubted the climb from the first floor to the third made any real difference, but at least her husband wouldn't get on her case about taking the elevator when she had two perfectly working legs.

The door to Daniels office sat closed, and she peeked into the glass valance to the side. Daniel stared at his computer screen, his brows drawn low. He didn't touch the keyboard and mouse, eyes moving across his monitor as if trying to puzzle something out. He just reached for the mouse when she knocked quietly on the window.

He turned, a smile easing his expression. He waved her in, and she quickly hurried through the door."

"You wanted to see me?" she inquired.

"Yes, please sit down," he said, gesturing to one of the empty chairs across his desk. She sat while he turned back to his computer.

"Please watch," he said as he launched Internet Explorer. "I'm going to talk you through what I'm doing, and I don't want you to interrupt until I'm done. Okay?"

Jessica felt a twinge of uneasiness stiffen her spine. "Of course," she responded, trying to instill confidence in her voice. "What are you doing?"

He only smiled. "First, I've discovered what password I can use to access AMT on all our vPro enabled computers..."

She stood up. "What...?"

He held up his hand, not unkindly. "Please humor me."

She sat back down, her unease blooming. She clasped her hands in her lap so she wouldn't fidget, usually in the form of smoothing down her already crisp and wrinkle-free dress jacket. She couldn't sit completely still, and found herself tapping her toe. Fortunately the carpet, however uninviting bland, muffled the sound.

"Okay," Daniel continued. "I don't have access to Altiris though I have tried to gain it, unofficially of course."

"Of course," she said, and quickly clamped her teeth together before she asked another question.

Daniel continued, "In light of that I've done some Googling and found that AMT has a web-interface that anyone can access using a browser. I haven't figured out how yet, but I don't think it'll take me long. Let's see... how to access AMT via a browser... This first hit talks about someone who is unable to access it."

Url: (http://softwarecommunity.intel.com/isn/Community/en-US/forums/thread/30249624.aspx).

"Ah, in his post he says, "When I try to access the Web Interface (localhost:16992 or name:16992)... that means I can access my test in the same manner. Let's watch."

Jessica bit her lip to keep from saying anything, determined to keep quiet until he'd finished his demonstration. She really wanted to ask him how he acquired the password, but she supposed she should wait until he validated that claim first. Plus, he'd asked her to keep quiet, and she didn't want the CSO annoyed with her.

Daniel clicked on the address bar, deleting the current address. He then typed in MMMAMT0043:16992 in the address bar. When he hit Enter the page refreshed, showing him the initial AMT login screen. He clicked the ‘Log On' button, which provided a standard Windows security prompt. He entered in Admin as the username, and then typed in a password. Jessica's stomach dropped. She didn't see exactly what he put it, but it did look like he put in the right password.

The Intel Active Management Technology web interface appeared, giving Daniel full access to the system. Jessica reached up and rubbed at her eyes.

"Please tell me you simply asked Tevita for it," she said when he turned to her.

"No, but no need for you or Tevita to worry about that," he said with what Jessica assumed was a reassuring smile. It didn't help. "I believe I used the same methods our traitorous employee working in cahoots with Nifty Networks used to gain these powerful credentials. I'll be conducting security training for our employees soon to try and plug that method."

"So how did you do it?"

Daniel nodded. "Good question, but the better question I'm posing to you is this: how can we better secure the AMT technology? See here under Remote Control? I can remotely reboot this person's system and boot it up into an application I can use to wreak havoc. Nifty, no?"

She swallowed hard. "No, not nifty."

"Good. You see the issue. I'm tempted to not tell you how I did it. Mystery lends me an air of the supernatural, or at least my uber-geekness. Why reveal how? That's like a magician revealing his secrets. Once the how is known, it isn't so magical anymore. Okay, so I'm taking far too much pleasure out of this. I simply watched you and Tevita closely and caught you entering the password. It took several tries before I finally got it right."

The beginning of a migraine colored Jessica's vision. "Great. I thought we had that password locked down..."

"As I said before, don't worry about it. Everyone is too trusting when entering passwords. I'll address that in our upcoming security meeting. What I want to discuss is how we can rectify this situation? Specifically I want to remedy the fact that anyone who does a smidgen of research will know that the administrative username for AMT is admin. We've handed any potential hacker one half of the credential equation."

Jessica nodded. "Yes, I see your point. Luckily I already know how to fix that. It's as simple as making the admin password random on each system and using Kerberos to use our Domain credentials for access."

"Good. The second point is I noticed that I can use a non-secure web address to access this. Can you get SSL enabled for all AMT communication?"

Jessica nodded again. "Yes, specifically AMT uses TLC, the successor to SSL. I believe I saw an article on how to enable that on Symantec Juice."

"Even better. Get those measures in place, and let me know when it's completed."

She nodded, shaking his hand when he offered it. She left his office and headed back down, taking the stairs despite the throbbing in her head. When she reached her cube she noted that Tevita had his headset on, his previous smile absent from his face. She gave him a grin when he glanced over, and this time he rolled his eyes. She should get onto the phones, but she wanted to get those changes implemented as soon as possible so that even Daniel couldn't crack the system... as long as Tevita and she carefully entered their passwords so others couldn't eyeball them.

She sat down and pulled up the Altiris Console. Both of her actions required a new vPro Profile to be pushed down to all the AMT systems, but that was the easy part. She started by enabling TLS on the server. Until she pushed down the new profile the AMT functions would not work. She leaned over to Tevita, and he glanced at her as she rolled closer in her chair.

"AMT will be available for a time," she said.

Tevita reached up and muted his headset. "Why?"

"I'm enabling TLS. You know, encryption. When I enable it on the server side the clients will not be able to communicate back with the server until I update the profile and they have the right certificates."

He shivered. "Is that such a good idea? Certificates are tricky... we could easily mess up the whole thing and have no AMT access..."

"Tevita, it isn't that complicated. I have all the Altiris documentation on how to do it. Besides, there's a specific article on how to do it after the installation, here: http://juice.altiris.com/article/2737/how-enable-tls-within-out-band-management-after-install. Piece of cake."

"If you say so..."

"Trust me. If we had a hierarchal structure of certificate authorities, it might get a bit dodgy, but I'm just setting up the one root."

"Yeah, and the flux capacitor needs just such and such gigawatts of power..."

"Just read up on it! It's not that hard."

Tevita spoke for a moment into his headset, and took it off. "I don't know anyone who understands it all that well."

She planted her hands on her hips. "It's really simple. We give the root CA, aka the King, the credentials that are acceptable. Secondly, the Altiris server gets the credentials so it can work with the CA and the clients. We then load the matching credentials on the clients via the Provisioning Profile. Now everyone has the credentials."

He smiled. "What about client-side and server-side certificates?"

"Again, simple. Communication is unidirectional for a given parent/child certificate set. With basic TLS in vPro, all the clients have server certificates. The Altiris Server uses a client certificate to authenticate with the client so that the client machine will accept the AMT commands sent it."

"Alright. That sounds simple enough, but what about the CA? What's that for?"

Jessica looked at him, her eyes narrowing. "What's with the third degree? 'Tell me Master Qui-Gon. What are midichlorians'?"

Tevita burst out laughing. "Am I that transparent? I didn't know you liked Starwars..."

"I don't. Like that movie quote, your questions are contrived..."

"Hehe, yeah. I'm just trying to prove a point. It's not that simple..."

"But it isn't that complex, either. The CA tells the server-side component (the AMT Client) if the client connection (from the Altiris Server) is to be trusted. I know having the AMT clients act as the server seems a bit backwards, but since we want AMT functionality to be secure, it makes sense. The Altiris Server that tells AMT what to do needs to prove itself. This ensures a rogue server can't just initiate any AMT functionality without having the proper certificate. So the server provides a client certificate, which the AMT system authenticates with the CA before allowing the Altiris Server ‘in'."

"Okay, okay. That sounds simple enough. I'll be sure to avoid AMT until next week when you get TLS finally working... kidding! Take it easy, I'm just joking."

She wanted to keep the stern look on her face, but a smile cracked through. "You just watch it, Mister."

Jessica turned her attention back to the Altiris Console. She opened up a browser on her second monitor and pulled up the Juice article she'd shown Tevita. She walked through the steps, sometimes checking back on the Altiris Administrator's Guide for Out of Band Management, found at http://www.altiris.com/Support/Documentation.aspx. She finished the processes except for updating the profile since she needed to also update the Admin password settings.

She browsed in the Altiris Console under View, Solutions, Out of Band Management, Configuration, Provisioning, Configuration Service Settings, and clicked on Provision Profiles. She highlighted her active profile and clicked the pencil icon in the icon bar to edit it. Under the General tab, to the right of the window, she changed the Intel® AMT 2.0 password: setting from Manual to Random creation. She then clicked on the TLS tab and, using the previous directions, enabled TLS within the profile.

She sat back as she clicked OK. Now that the Altiris Server was setup properly, she needed to push the new profile out. From her place in the console she backed up into the Provisioning folder, and then expanded the Intel AMT Systems folder and highlighted the Intel AMT Systems node. All Intel AMT Systems showed within the right pane. She clicked on the top one, scrolled down, and, while holding shift, clicked on the bottom one. She right-clicked and selected the ‘reprovision' option.

With a sly smile she glanced over at Tevita. He wore his headset again, though he looked less stressed than before. She rolled over and wrote on his whiteboard "AMT back up in a few hours". For the time being they could rely on the Runtime Profile for authentication. Since Altiris knew all the random passwords for the Admin account, via Altiris they should have no problems with security. However she needed to quickly implement AD integration with Kerberos authentication just in case.

She got up to take a quick break. She stretched, looking out over the cubes. She froze in mid stretch for a moment, before quickly pulling down her arms, her eyes widening. Two men in blue jumpsuits walked nonchalantly through the building, one holding a sheaf of what looked like generic forms and the other with a nondescript box. Despite their "non"-threatening postures, something about them bothered her. At first she simply watched them, trying to figure it out.

The man in front emanated confidence like a shiny sword and shield, his smile infectious and full of perfectly white and straight teeth. His strong features seemed chiseled from brilliant marble, as if he'd been carved amid the statues of Rome. Not one of the rich brown hairs on his head stood out of place, his hazel eyes roving over the office as if memorizing all the details. He didn't act suspicious, but his very manner belied the blue-collar worker outfit he wore.

Right behind him strode the other man. He wore a beard, a hat pulled low over his eyes. She squinted, hunching down a little so she didn't rise so high above the cube walls. He carried the box, his muscles tensed. He walked jerkily, each step seeming just a little unsteady. Sweat beaded on what little she could see of his forehead.

"Tevita," she whispered. "Does that guy look familiar to you?"

He appeared beside her. "Who? Those two delivery guys?"

"Yes. The one carrying the box."

Tevita turned to stare at her. "It's the ninja!"

She shook her head, though the sudden clenching in her stomach belied the action. "No way, he's in jail, right?"

"Probably not. He didn't threaten anyone or do any actual damage, and the price of the hard drives he tried to steal doesn't equal enough to be a felony, especially since he claims he was only after the hardware..."

"But why come back here? We know who he is..."

He just shrugged. "Maybe he's turning a new leaf..."

She gestured at the other man just as they disappeared into the stairwell. "Maybe, but that other guy gives me the creeps. I wouldn't be surprised if his name happens to be Lex Luther."

Tevita nodded. "Let's follow them."

She shook her head. "No way! Let's just call security and let them deal with it."

The Tongan only shook his head slowly. "The security company might be too slow to respond. Heck, they took forever to show up when our ninja friend showed up the first time. You go tell Bobby and I'll shadow these two shifty guys."

Before she could respond he hurried away, surprisingly quiet for his bulky, muscled size. She clenched her teeth together, torn by indecision for a few precious seconds. She then turned and hurried towards the server rooms, hopping Tevita wouldn't get himself into too much trouble.

END Part 5

This concludes Part 5. This cliff-hanger will be continued in an even more unbelievable conclusion, Part 6. Now that the competitor has breached the office once again, can Might Modern Marketing's IT staff protect their infrastructure, data, and themselves from this all out attack?

Installing Multiple Intel SCS components for a large Notification Server environment

Some Notification Servers carry huge loads of managed systems. I've seen Notification Servers managing 10,000, 15,000, and even 20,000 plus systems. For Out of Band Management with the Intel SCS Component, a multiple-service install may be required to handle large loads of provisioning or maintenance requests into the Intel SCS Component. This article covers how to setup such an environment.

Introduction

Normally in a simple Notification Server environment when the install for Out of Band Management is initiated, all the necessary pieces, including the Intel SCS Component, install automatically and silently. In more complex environments the automatic install of the SCS Component often throws an exception and provides a message indicating the install should be conducted manually. This manual process is what will be used when installing the components on the subordinate servers who will share the load for the Intel SCS Component.

Installing Out of Band Management

The first step is to install Out of Band Management and the primary Intel SCS Component on the Notification Server. This will setup the IntelAMT database that will be used with every install of the Intel SCS Component. The following process details the install methods for Out of Band and the Intel SCS Component.

Simple NS environment

For a simple NS environment where the Application Identity for Notification Server has full rights to both the Notification Server system and SQL Server, the initial install is simple. Note that this process should be used for Simple and Complex environments to lay down the essential components on the NS.

1. In the Altiris Console, browse View &gt; Configuration &gt; Install/Upgrade additional solutions.

2. Under available solutions, click the ‘Segments' button.

3. Expand the Partner Solutions section and locate the Altiris Manageability Toolkit for Intel vPro Technology.
   !SolCtrvPro.jpg!

4. Click the link to launch the install.

5. NOTE: This will install the following primary components, all of which tie into aspects of Out of Band Management and Real-Time System Manager:

1. Task Server and supporting installs

2. Real-Time System Manager

3. Real-Time Console Infrastructure

4. Out of Band Management Solution

5. Our of Band Setup and Configuration (AKA the Intel SCS Component)

6. Network Discovery

6. The install will commence. Note that if the Intel SCS Component is unable to be successfully installed you will receive a message indicating it needs to be installed manually. If this is the case, see the next section entitled ‘Complex NS Environment'.

7. If no errors are shown, the Intel SCS Component with the IntelAMT database should have been installed and created successfully.

Complex NS Environment

Despite the name of this section, sometimes the steps here need because of a minor security issue when the automatic install was attempted. The following steps detail the process of install the Intel SCS Component manually.

1. Run through the install as detailed under the ‘Simple NS Environment' section above. This will put all the typical components in place, and likely the automatic install of Intel SCS will fail, requiring the next series of steps to be completed.

2. It's recommended to log into the Notification Server as the Application Identity user.

3. Browse to the following path on the NS: install_path\Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\OOB\IntelSCS\

4. Launch the EXE AMTConfServer.exe.

5. Click ‘Next' on the Welcome screen and accept the license agreement and click ‘Next'.

6. Choose ‘Complete' as the type of setup and click ‘Next'.

7. In the User name and Password fields put in the Application Identity for the NS.

8. Check the Web details.

9. Leave ‘Force Secure Connections (HTTPS)' checked if you will use TLS to encrypt AMT traffic, or uncheck it if you will not be using TLS. Click ‘Next'.

10. Under ‘Database Server' select the database name and instance (if applicable) to use. It is recommended to use Windows Authentication, but if the SQL setup requires a SQL account, choose that option. Click ‘Next'.

11. The next details should be left as is. Click ‘Next'.

12. Click the ‘Install' button to proceed with the install using the parameters set.

13. At the Complete screen, leave the ‘Start Intel® AMT Config Service' checked and click ‘Finish'.

Subsequent SCS Installs

Now that NS has all the required components, and the IntelAMT database has been created, the following details cover how to install a subordinate install of the Intel SCS Component. Note the following prerequisites for this type of install:

• Windows 2000 Server, Windows 2003 Server

• Internet Information Services (IIS)

• Microsoft .NET 2.0

Run through the following steps to install Intel SCS.

1. Log onto the system as the Application Identity user for Notification Server.

2. Browse to the following path on the NS:
   &lt;NS_Name&gt;\NSCap\Bin\Win32\X86\OOB\IntelSCS\

3. Launch the EXE AMTConfServer.exe.

4. Click ‘Next' on the Welcome screen and accept the license agreement and click ‘Next'.

5. Choose ‘Complete' as the type of setup and click ‘Next'.

6. In the User name and Password fields put in the Application Identity for the NS. If this is not possible the user should have full access to the SQL Server. This will also be the user set on the Service AMTConfig.

7. Check the Web details.

8. Leave ‘Force Secure Connections (HTTPS)' checked if you will use TLS to encrypt AMT traffic, or uncheck it if you will not be using TLS. Click ‘Next'.

9. Under ‘Database Server' select the database name and instance (if applicable) to use. This should be the SQL Server used to install the IntelAMT database in previous steps.

10. The database details . Click ‘Next'.

11. Click the ‘Install' button to proceed with the install using the parameters set.

12. You'll receive a notice saying that the database IntelAMT already exists. Make sure to click ‘Yes' so it uses the existing one.

13. At the Complete screen, leave the ‘Start Intel® AMT Config Service' checked and click ‘Finish'

14. From the Notification Server, at this location: , copy the file oobprov.exe to the same path on the subordinate install (default will be C:\Program Files\Altiris\OOBSC\).

15. NOTE! You must use the same path that it used on the Notification Server, this is a limitation of this implementation.

16. Copy to the same folder the attached file Interop.AeXClient.dll.
    !RemoteSCS.JPG!

17. Normally the script (oobprov.exe) is properly registered to the correct path, but if it is not, we must manually change it.

18. Open SQL Query Analyzer or SQL Enterprise Manager. Run the following query:

1. USE IntelAMT
   SELECT Props_script_path, use_props_script
   FROM csti_Configuration

19. Check the path and make sure it matches the remote and local Intel SCS install. Also verify that the use_props_script is set to 1, which means ‘True' (0 means ‘False'). Now run the following query if they need to be updated, but take note to change the path to match your environment:

1. UPDATE csti_configuration
   SET props_script_path = ‘C:\Program Files\Altiris\OOBSC\oobprov.exe'
   SET use_props_script = 1
   WHERE configuration_id = 1

20. Everything should now be in place for both the primary and secondary Intel SCS install to work with systems being Provisioned, including subsequent maintenance or reconfiguration functions, sharing the load.

Confirm Registration

The next step is to confirm that the install has successfully registered in the IntelAMT database and is running. Use the following steps to make the checks:

1. First, let's check that the Secondary SCS Server has properly registered in the IntelAMT database. On the SQL Server where the IntelAMT database is housed, open SQL Query Analyzer or SQL Enterprise Manager. Run the following query:

1. USE IntelAMT
   SELECT * FROM csto_servers

2. You should have one entry for every Intel SCS install you've completed.

3. On the secondary Intel SCS Server, go to Start &gt; Administrative Tools &gt; and click on ‘Services'.

4. Locate the Service ‘AMTConfig'. Ensure the following settings:

• Status = Started

• Startup Type = Automatic

• Log On As = NS Application ID

Adjust Queue Settings

The last part is to adjust the general settings to account for the added resources.

1. In the Altiris Console browse to View &gt; Solutions &gt; Out of Band Management &gt; Configuration &gt; Provisioning &gt; and click on ‘General'.

2. Look under the ‘Service Maintenance' section. See the screenshot, followed by the recommended settings:
   !OOBGenSettings.jpg!

• Max queue size: 2000 for one instance, add 1000 per secondary server

• Worker threads: 10 for one instance, add 5 per secondary server. Same for the Slow worker threads

3. The above values are recommendations. Since thorough testing has not been performed, it is recommended to change these in small increments if performance is a problem.

4. Make sure to ‘Apply' the changes once they've been made. This should allow the SCS infrastructure to handle larger loads of incoming requests.

Conclusion

The subordinate Intel SCS install process should be repeated for each Intel SCS install desired in the environment. This will help distribute the load of incoming requests from Intel AMT vPro systems. Moving forward Symantec and Intel will be testing this scenario further. In the interim this article can be used to increase the resource power of the SCS infrastructure.