Home > Intel Communities > Open Port IT Community > Intel® vPro™ Expert Center > Blog > Tags > tools
Up to Blog Posts in Intel® vPro™ Expert Center
1 2 Previous Next

Intel vPro Expert Center Blog

24 Posts tagged with the tools tag
Trevor Sullivan
0

Hello vPro Experts!

 

I would like to pass on some information that I discovered a while ago, based on a Microsoft Premiere Support ticket. I was having trouble getting the Microsoft Out-of-Band (OOB) Management Console functioning from a Windows XP system. I tried everything on a fresh, standard build of Windows XP, but nothing would work.

 

After working with Premiere Support, we finally discovered that Windows XP Service Pack 3 (SP3) was required for proper functioning of the Microsoft OOB console.

 

This behavior is actually related to some functionality that was added in SP3, specifically in the winhttp.dll library. There is a function called WinHttpSetOption in the WinHttp library, which is called with a parameter enabling the WinHttp Option Flag named WINHTTP_ENABLE_SPN_SERVER_PORT. This flag enables the WinHttp library to include the server port in the Kerberos Service Principle Name (SPN), since the AMT web service is running on a non-standard HTTP port (16993).

 

The Windows XP Service Pack 2 (SP2) version of the WinHttp library does not include this capability, and consequently fails to authenticate. In order to properly connect to ConfigMgr-provisioned AMT devices with the Microsoft OOB Console, please make sure your helpdesk / support systems are running Windows XP SP3.

 

If you have any questions, feel free to post them in the comments section, and I will do my best to answer them.

 

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

0 Comments Permalink Tags: oob, console, center, issue, failure, system, configuration, manager, microsoft, isv, configmgr, tools, vpro, sccm_sp1, kerberos, amt, trevor, sullivan, problem, sccm, troubleshoot, authentication
Trevor Sullivan
1

         

Integrating VNC on Windows PE 2.0

                            Author: Trevor Sullivan

                      Company:    OfficeMax Corporation

                        Versions: 1.0 – April 24, 2008 – original document

Synopsis

Integrating VNC on Windows PE allows a remote user, such as a support person, to remotely control a Windows pre-execution environment, and perform administrative tasks such as deploying an operating system image, or diagnosing hardware and software problems using 3rd party tools. This image can be remotely booted in a LAN environment using the IDE-R feature of Intel AMT.

Requirements

  1. Microsoft Windows AIK v1.1 (downloadable from Microsoft)
  2. A working Windows PE 2.x CD (can be built from WAIK)
  3. UltraVNC 1.02 (downloadable from Internet)
  4. ImageX (to mount WIM files) - included with WAIK

Setting up UltraVNC

Install UltraVNC 1.02 on a development system

 

You can optionally install UltraVNC 1.02 to an Altiris SVS virtual layer to avoid making permanent changes to your development system

 

After UltraVNC is installed:

1.  Execute VNC in user-mode

2.  Run the following command: winvnc –defaultsettings

3.  You should be presented with a configuration dialog

4.  Set a password for VNC and choose to disable the tray icon

5.  Confirm the settings dialog, and stop Winvnc by running: winvnc –kill

6.  Extract the following registry tree: HKLM\Software\ORL (vnc.reg)

7.  Add the password to the default key

a.  Open the registry file (vnc.reg)

b. Create a new section (key) for HKLM\Software\ORL\Default

c.  Copy the password value from ORL to the Default key

Gathering Source Files

Copy the following list of files from the UltraVNC installation directory on the source computer into a separate working folder:

 

  • Authadmin.dll
  • Authssp.dll
  • Ldapauth.dll
  • Logging.dll
  • Logmessages.dll
  • Mslogon.acl
  • Unzip32.dll
  • Vnchooks.dll
  • Vnchooks_settings.reg
  • Vncviewer.exe
  • Winvnc.exe
  • Workgrpdomnt4.dll
  • Zip32.dll
  • Vnc.reg (from previous section)
  • Vnc.vbs (see below)

 

Trevor developed a short script to get around a problem with winvnc hanging when I’d execute it. This executes winvnc.exe asynchronously so that it continues to run in the background, but startnet.cmd will be allowed to continue. The script source is included below:

 

ScriptPath = Left(Wscript.ScriptFullname, len(Wscript.ScriptFullName) - len(Wscript.ScriptName))

set sh = CreateObject("Wscript.Shell")

sh.Run "regedit /s " & ScriptPath & "vnc.reg", 1, true

sh.Run "wpeutil disablefirewall", 0, true

sh.Run ScriptPath & "winvnc.exe", 1, false

Modifying the PE Disc

  • Mount WIM file on filesystem using ImageX
  • Copy all source files to folder on root of WIM mount path
  • Modify startnet.cmd to execute VNC vbscript using cscript.exe
    • Use the fully qualified path to the script file (eg. “cscript X:\vnc\vnc.vbs”)

Notes

  • Winvnc does not work under service mode on Windows PE; Winvnc must be run under user context
  • The registry value “password” must exist under HKLM\Software\ORL\Default, otherwise winvnc will prompt for a password upon startup

 

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

1 Comments Permalink Tags: remote, tools, vnc, trevor, sullivan, configuration, pe, winvnc, control, winpe, ultravnc, microsoft, windows, imaging, deployment, manage
Trevor Sullivan
3

Hello vPro Experts!

 

I would like to take some time to touch on exploration of the management engine via the local interface (specifically the HECI driver). In order to follow the exercise here, you'll need to have Windows Powershell installed, have the Intel AMT Developer Toolkit downloaded and installed, and have an AMT client (does not need to be provisioned) with the HECI driver installed. The HECI driver should be downloadable from your OEM.

 

To give you a high-level idea of the program flow we'll use to access the AMT device, consider the following:

 

  1. Load the "Manageability Stack.dll" .NET library
  2. Create an instance of the ManageabilityStack.HeciWrapper object
  3. Reference the properties and methods of the HeciWrapper object, and the HeciMeInfo object (provided by the HeciWrapper.MeInfo property)

 

Here is the Powershell code that correlates to the above process:

 

Loading the .NET Library

 

# Load the Manageability Stack .NET library

$AmtLib = "C:\Program Files\Intel\Manageability Developer Tool Kit\Manageability Stack.dll"
[System.Reflection.Assembly]::LoadFile($AmtLib)
# Create a HeciWrapper object

$Heci = New-Object ManageabilityStack.HeciWrapper

 

# Pipe the $Heci variable into the Get-Member cmdlet to determine what properties

# and methods are available to us.

$Heci | Get-Member

 

Obtaining a list of embedded certificate hashes

 

# List embedded certificate hashes
$Heci.MeInfo.EnumerateHashHandles()

 

Getting the BIOS and AMT Versions

 

# Retrieve the AMT version
Write-Host "AMT version: $($Heci.Versions.Versions["AMT"])"
# Retrieve the BIOS version
Write-Host "BIOS version: $($Heci.Versions.BiosVersion)"

 

Retrieving Provisioning Information

 

# Retrieve the provisioning server name
Write-Host "Provisioning server: $($Heci.MeInfo.GetAuditRecord().ProvServerFQDN)"
# Determine provisioning date
# This will return "01/01/0001 00:00:00" if not provisioned
Write-Host "Provision date: $($Heci.MeInfo.GetAuditRecord().TlsStartTime)"
# Get provisioning mode (Enterprise, SMB, etc.)
Write-Host "Provision mode: $($Heci.MeInfo.GetProvisioningMode().ProvisioningMode)"
# Get provisioning state
Write-Host "Provision state: $($Heci.MeInfo.GetProvisioningState())"

 

-----------------------------------

 

I hope these code samples are able to help you out in your administration / engineering endeavors! Please let me know if you have any questions, and don't forget that in Powershell .... when in doubt .... use Get-Member to discover what information is available to you!

 

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

3 Comments Permalink Tags: vpro, engineer, troubleshoot, automate, deploy, microsoft, amt, administration, sullivan, tools, powershell, script, intel, automation, trevor, manage
Trevor Sullivan
0

Hello!

 

Have you ever run into the situation where you want to enable the auto-provisioning policy for a ConfigMgr client, but dont' want to wait for the policy to filter down to the client? If you're like me, then you would answer with a hearty "yes." Thankfully, I've got a method for you to force an SCCM client to enable auto-provisioning, without relying on the collection setting!

 

Keep in mind that, for some odd reason, pasting this code into a Powershell window will probably fail. Instead, paste the first 4 lines, and manually type out the last (red) line.

 

$OobSettings =  [wmiclass]”root\ccm\policy\machine\actualconfig:CCM_OutOfBandManagementSettings”
$OobSettingsInstance =  $OobSettings.CreateInstance()
$OobSettingsInstance.AutoProvision =  $True
$OobSettingsInstance.SiteSettingsKey =  1
$OobSettingsInstance.Put()

 

Basically what this does is spawn an instance of the CCM_OutOfBandManagementSettings WMI class, sets two properties on it, and then writes it back to the system. This should enable auto-provisioning immediately so you don't have to wait!

 

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

0 Comments Permalink Tags: script, administrate, vpro, microsoft, amt, configmgr, sccm, tools, powershell
Abhilasha Bhargav-Spantzel
3

The new generation of notebook PCs with Intel vPro technology includes Intel Anti-Theft Technology PC Protection (Intel AT-p). Intel AT-p offers you the option of activating hardware-based client-side intelligence to secure the PC and data if a notebook is lost or stolen. Because the technology is built into PC hardware, it provides local, tamper-resistant defense that works even if the OS is re-imaged, a new hard-drive is installed, or the notebook is not connected to the network.

For a good introduction of the Intel® AT-p Technology please visit - http://communities.intel.com/community/openportit/vproexpert/blog/2008/12/04/anti-theft-technology-has-arrived

In the following we describe an example of how this technology is deployed and used in the life of a typical employee working for a security conscious company. Consider a user Jane who is a new employee of a company called SecureBank. SecureBank wants all its employees laptops to be protected against theft and is therefore utilizing the Intel® vPro Anti-Theft Technology for Asset Protection (AT-p) with Absolute ISV.

In particular Jane has two (rather adventurous) days –

-         Day 1: IT admin receives a new laptop and sets it up for Jane. Jane uses the new laptop for the day when she receives her new laptop and manages to loose it to a thief!

-         Day 2: the thief is unable to use the laptop due to the poison pill sent as a feature of the AT-p technology. The thief therefore gives up on it and leaves it in a coffee shop. The laptop is subsequently recovered by SecureBank, made functional again and is ready to be handed over to Jane.

Below are the details –

(Check out the video uploaded at youtube –

http://www.youtube.com/watch?v=bnTggBxhOVk&feature=email)

Day 1:

(1) Initial Setup by IT Admin:

The IT admin receives a new laptop and creates the SecureBank IT image on the laptop. This includes the Absolute agent which would be used for AT-p. The Absolute Client Windows Installer is a part of the IT image. The two key steps are undertaken -

-         Enrollment: The IT admin runs the Absolute Client Windows Installer which installs the Absolute agent on the client. As part of the installation this client is enrolled with the Absolute server. Enrollment consists of the following steps –

1.      The Absolute Agent checks the local platform to ensure that the platform is eligible for Intel® AT-p.

2.      The Agent requests permission of activate AT-p with the ISV Server i.e. the Absolute Server.

3.      The ISV Server takes this unique client request and sends it (along with a license key) to the Intel permit signing server.

4.      Once the Intel signing server has validated this request, an AT-p permit is generated for that unique client. The client system is now ready to validate signed messages from the ISV server.

Once the machine is enrolled it shows up on the administrator console. The machine is identified using a unique identifier generated by the Absolute server, Detected Full Computer Name and Detected Serial Number. At this point a default policy for the client machine is also applied.

-         Policy Setup: The IT admin can also fine tune the policy for Jane. Examples of Attributes he can set include:

 

Policy Attribute

Example Value

Meaning

AT-p Timer Value

48 hours

The machine’s disablement timer (time after which the machine is disabled if it does not connect with the server) is 48 hours.

AT-p Timer Action

Immediate Lock

The action a machine performs once the AT-p Timer has expired. In this case, the machine will shut down immediately (even if OS was up and running) and not allow the boot process to be carried out.

AT-p Theft Action

Immediate Lock

The action a machine performs once the machine is marked stolen when connecting with the server. In this case, the machine will shut down immediately, same as above.

AT-p Password

“StRongP@ssw0rd”

Admin Password used to recover the machine when it is disabled or locked.

AT-pState

Active

Marks whether AT-p is currently active or not on a machine. When it has a legitimate working user then it is marked as active.

Theft Status

Secure

Marks whether the machine is stolen or secure. In this case, the machine is not stolen.



Once the IT admin has set the above policy he is ready to hand over the laptop to Jane.

(2) Normal Usage:

On receiving her new Laptop, Jane logs in with her domain credentials and uses it seamlessly (as if there were no AT-p). The rendezvous may occur without any active participation of Jane. As such the rendezvous happens in the background and is transparent to Jane.

- Rendezvous (Machine Not Stolen)
The Absolute solution has a rendezvous timer of 24.5 hours. After this time the following steps would occur –

1.      As the Rendezvous Timer (24.5 hours) expires the ISV Client Agent initializes a rendezvous.

2.      The ISV Server’s response is relayed to the Intel Management Engine (in the firmware) through the ISV Client Agent. Any new settings are relayed.

3.      Acknowledgments are generated for any message received.

4.      Once finished, the Disablement Timer (or AT-p Timer) reset message is sent to the Intel Management Engine.

(3) Theft:

After a good first day of work, Jane’s colleagues take her out for a dinner. She leaves her laptop in the car and heads to the restaurant. To Jane’s bad luck her car is broken into and the notorious thief steals her laptop.

- Malicious Usage: The thief has a hacking tool that allows bypassing the windows login/password challenge and can use the laptop. He feels he can make a good fortune by selling this laptop in the black-market.

- Theft Reporting: When Jane returns to the car, she is shocked to see her car broken into and her laptop stolen. She immediately calls the IT admin helpdesk and reports the theft. The IT admin sets the Theft Status to Stolen. Next time the laptop checks in with the Absolute server, the Theft Action, which is Immediate Lock, will take place.

Day 2:

(4) Poison Pill:

The attacker logs in again using his hacking tool. Since it is past 24.5 hours (i.e. the rendezvous timer has expired) the agent initiates a rendezvous. At this time the following steps happen -

- Rendezvous (Machine Stolen)

  1. As the rendezvous timer expires the ISV Client Agent initializes a rendezvous.
  2. The server has marked the system as stolen, and sends an AssertStolen message (“Poison Pill”) to the system.
  3. The local system takes action based on the current policy.

As the action is to immediately lock, the thief to his surprise observes that the machine just shuts down. When he tries to power on the machine he sees a pre-boot authentication screen which requests him to insert admin credentials. The thief’s hacker tools are not able to bypass this screen as the same OS (which is potentially more vulnerable) as the pre-boot environment serves as an extension of the boot firmware and guarantees a secure, tamper-proof environment external to the operating system as a trusted authentication layer. Brute force attacks in this environment are also much harder as the tamperproof firmware reboots the machine after a threshold time or number of attempts to login has expired.

To the thief’s dismay, he cannot really use the laptop and leaves it in the coffee shop where he logged in from.

(5) Asset Recovery:

The IT admin of SecureBank was able to get the IP of the location where the thief last logged in from and contacts the coffee shop. SecureBank officials pick up the laptop and bring it back to the IT admin desk for recovery. To recover the platform the IT admin carries out the following steps –

  1. The IT admin (re)sets the Theft Status to be Secure (from Stolen).
  2. Upon boot, the admin is presented with a “system locked” message in the pre-boot environment.
  3. The admin recovery passphrase must be entered before a given time (say 2 minutes). The admin immediately inputs his admin passphrase for the given machine.
  4. When the admin credentials and theft status have been verified, the AT-p timer is reset and the client platform is unlocked. The platform then boots to the OS. 

Once this is done, the IT admin is ready to return this machine back to Jane without loosing any time. Thus we can see that AT-p solution not only provides a way to secure machines against theft and continued malicious use, but also ensures efficient recovery and continued use of the recovered machine!


3 Comments Permalink Tags: vpro_anti-theft_technology, case_study, vpro_expert_center, absolue, asset_protection, tools, security, intel_vpro, troubleshoot, at-p, vpro
Trevor Sullivan
2


Hello vPro Experts!


I've got something sitting in the back of my mind, that I would like to share with you all. Unfortunately, it's simply a theory, and I have not yet had the opportunity to test it, but I am in the early stages of developing and documenting it, and would really appreciate any feedback, to help make it become a reality.


----

The Problem

 

Are you asking yourself either of these questions?


"How can I reduce the amount of overhead involved with imaging every new client system that comes through the doors, but at the same time, not shift that cost to the vendor?"


or, slightly paraphrased:


"How can I streamline the provisioning of new systems, but at the same time, not sacrifice the flexibility of having in-house imaging?"


If your support teams are imaging each desktop and laptop that is shipped from your hardware vendor, you may have investigated the option of having the vendor pre-image systems prior to shipping them out. There are a couple of caveats to this methodology though. First of all, there is usually an additional cost associated with any sort of customization that the vendor must make to a system. Secondly, if you are using a task sequence-based "imaging" process in-house, then you may not have a way of transferring that process (which is inherently network-reliant), to the vendor. Typically, in this scenario, your operating systems, applications, and Active Directory domain, are all residing on network servers that can't be contacted by the vendor during the process (unless you have some uber-fast, secure VPN link between you and them, in which case you can stop reading).


----


The Theoretical Solution (utilizing Intel vPro)


The proposed solution to the problem presented above, is actually a combination of technologies, and custom development work. In this case, I'm going to be working with the following tools:



Requirements


Here are the requirements for the process:


  • Microsoft Configuration Manager SP1
  • An Out-of-Band (OOB) service point for ConfigMgr SP1
  • ProvisionServer” DNS record pointing to out-of-band service point
  • Collection 1: SCCM collection to temporarily store resource records created by script
  • Collection 2: SCCM collection that contains provisioned vPro clients without the ConfigMgr client agent
  • ConfigMgr Task Sequence to build vPro system
  • ConfigMgr advertisement to link task sequence to Collection 2

Step-by-Step Workflow


This is the theoretical process that would be followed:


  1. Physically plug in vPro system – power and network (device remains powered off)
  2. vPro System obtains IP address and DHCP Option 15 (mydomain.com)
  3. vPro System sends “hello packet” to site server (CNAME provisionserver.mydomain.com)
  4. Script reads vPro system’s UUID from amtopmgr.log file on site server
  5. Script creates Resource Record for system in “Collection 1” with auto-provisioning enabled
    1. Use a random name for the hostname (based off of the SMBIOS UUID perhaps)
    2. Make sure to refresh the collection membership, or verify that it gets added somehow
  6. vPro System sends another hello packet to site server at built-in interval
  7. vPro System is recognized as a SCCM resource and provisions
  8. Provisioned vPro resource is automatically populated into SCCM “Collection 2
  9. Task sequence begins executing
  10. Once the operating system is installed, the device should detect a mismatching hostname between the OS and the ME firmware (this could be configured as part of the task sequence)
  11. The device will send a request to the ConfigMgr site server to re-provision the AMT firmware with the new hostname (equivalent of "Update Provisioning Data"?)


Known Issues and Risks


There is at least one known outstanding issue that I'm aware of, and there may be a way to solve it.

Possibility of over-writing an existing system

If an existing, un-provisioned system is not reporting into Configuration Manager properly, it may be incorrectly assumed to be a new, blank system. Therefore, during the build (or imaging) process, an automated check may need to be put into place to verify whether or not the system is truly a new client or not. This could theoretically be done by analyzing the filesystem, or mounting the offline registry hives, and looking for any indicators. Additionally, if a vPro device was already provisioned, it would need to be excluded from being targeted with this process.

----

Conclusion

I hope that this overview gives you some ideas about how to automate the provisioning of new enterprise clients using Intel vPro out-of-band provisioning. If you have any suggestions for improvement, I'd be interested in hearing them. If you'd like, you can download a copy of this document below.


Thanks,


Trevor Sullivan

Systems Engineer

OfficeMax Corporation

 


2 Comments Permalink Tags: sccm, configuration, manager, engineering, roi, 5.0, sccm_sp1, automation, tools, configmgr, deploy, vista, vpro, amt, trevor, provision, 3.2.1, install, windows, 4.0, dtk, xp, sullivan, automated, microsoft
Trevor Sullivan
0

Hello Intel vPro Community!

 

I'm going to talk to you today a little bit about how to use Windows Powershell to set Intel vPro power profiles. I'll provide a quick bit of background first on what power profiles are, and why you'd want to be able to set them with Powershell.

 

Intel vPro power profiles are nothing more than a setting in the Management Engine that tells the AMT chip when to be powered up, and when not to be powered up. In some cases, you may want vPro to be inactive during sleep states, or after the computer has lost power (eg. UPS failure).

 

In my case however, I want vPro to be always active. This is problematic, because Microsoft Configuration Manager's implementation of a provisioning server doesn't give you the option of setting the active power profile. Instead, during provisioning, ConfigMgr sets the active profile to whatever index "5" is. You'll actually see this in the amtopmgr.log file on your OOB (Out-Of-Band) service point during the provisioning process.

 

Because ConfigMgr decides the default power profile during provisioning, I've decided that I wanted to change it. Because Windows Powershell is an awesome automation tool, and because Intel's AMT Developer Toolkit (DTK) offers a .NET library that I can use in Powershell, I figured that I would figure out how to do it!

 

--------------------

 

You might remember my last post on how to use Powershell to connect to an AMT device. The process basically involves loading the aforementioned .NET DLL from the DTK, and then establishing a connection to the device. I didn't really get the opportunity to show you how to do a whole lot with it after making the connection though, so that's the purpose of this post! Let's go ahead and take a look at a few lines of Powershell code, so you can understand the retrieval, and setting of power profiles.

 

-------------------------------------------------

 

# In my last Powershell script, I used the $amtdevice variable

# to reference the AmtSystem .NET object. We'll assume at this point

# that you have already connected to the AMT device based

# on my last article.

$amtdevice

 

# By using the .NET Reflector tool, we can see that the AmtSystem

# object has a property called SecurityAdmin, which returns an AmtSecurityAdmin

# object.

$AmtSecAdmin = $AmtDevice.SecurityAdmin

 

# The AmtSecurityAdmin object has a method called GetPowerPackages().

# After examining this data type in .NET Reflector, we can filter for only the two

# properties we want to see, the profile ID, and its Name. We'll use the Powershell

# Select-Object cmdlet to filter this data.

$AmtSecAdmin.GetPowerPackages() | Select-Object -Property ID,Name

# You should get some output looking something like this:

# 12834f94-10fb-dc4f-968e-1e232b0c9065 Desktop: ON in S0
# ab0086a1-7f9a-424c-a6e6-bb243a295d9e Desktop: ON in S0, S3
# acab8672-b496-e248-9b9e-9b7df91c7fd4 Desktop: ON in S0, S3, S4-5
# 4dcd327b-be6b-8943-a62a-4d7bd8dbd026 Desktop: ON in S0, ME Wake in S3
# 46732273-dc23-2f43-a98a-13d37982d855 Desktop: ON in S0, ME Wake in S3, S4-5
# baa419c5-6f6e-4d8d-b227-517f7e4595db Desktop: ON in S0, S3, S4-5, OFF After Power Loss
# ede30bd6-c504-462c-b772-d18018ee2fc4 Desktop: ON in S0, ME Wake in S3, S4-5, Off After Power Loss

 

# Once we have a listing of the power profiles available on the AMT device

# we can get the one that we want, and then set it. Since I always want my

# AMT device active, no matter the system's power state, I'm going to choose

# "Desktop: ON in S0, S3, S4-5" which is index 2 (in a zero-based collection).

$TargetPowerProfile = ($AmtSecAdmin.GetPowerPackages())[2]

 

# Now that I have a variable referencing the target power profile, I will set the

# profile on the AMT device. The AmtSecurityAdmin object has a method called

# SetActivePowerPackage() that takes one parameter: the power profile we have

# a reference to.

$AmtResult = $AmtSecAdmin.SetActivePowerPackage($TargetPowerProfile)

"Setting power profile to $($TargetPowerProfile.Name) resulted in $AmtResult!"

 

##### End Setting Power Profile #####

 

# Let's also take a quick look at how to get some basic information about

# the AMT device's provisioning data. We can figure out if IDE-R, SoL, and the

# WebUI are enabled. We'll use the AmtGeneralInfo object for this.

 

# Get a reference to the AmtGeneralInfo object

$AmtInfo = $amtdevice.Info

 

# Write out the current configuration settings

"SOL Enabled: $AmtInfo.SerialOverLanEnabled"

"IDE-R Enabled: $AmtInfo.IdeRedirectEnabled"

"WebUI Enabled: $AmtInfo.WebUiEnabled"

-------------------------------------------------

 

I hope this helps get you on your way to doing some cool Powershell / vPro automation! Let me know whether or not this helps you in your endeavors

 

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

0 Comments Permalink Tags: configmgr, microsoft, system, center, saver, configuration, standardize, trevor, manager, sullivan, 2007, powershell, amt, deploy, administrate, automate, sccm, sccm_sp1, administer, manage, windows, automation, scripting, time, vpro, tools, dtk, intel
Brad Lund
3

My name is Brad Lund; I work in the Enterprise End User Integration Lab (EIL) as a Senior Systems Engineer. This article is the first in a series of blogs I plan to deliver describing how, with the aid of some very useful tools, we can use IDE Redirection (IDE-R) and Serial over LAN (SOL) to provide the console operator with a more user friendly approach to remotely diagnosing and repairing client systems.

 

SOL is a great technology that has been around for a number of years. It is generally used in data centers for taking control of a computer in order to make changes to its BIOS. Since output from BIOS is by nature "pure text", SOL, whose interface is based on VT-100 terminal emulation, works fine. But what if the problem requires the console operator to interact with the client in a manner that dictates a graphic interface be present to load and run diagnostic applications?

 

Since the Enterprise Integration Lab are End User focused, we have had several customers ask us how they could leverage this Usage Scenario to take control of an AMT client while providing the operator with a more intuitive and useful interface. Additionally, every one of the End Users we interact with has a set of tools they use to perform diagnostics and repair. But if the client system is out-of-band, meaning no O/S present, it is NOT a BIOS related issue and the diagnostic tools require the operator to have a graphic view of the client system, how can we deliver on this request?

 

This series of blogs will attempt to show various ways to address these questions and more. I will start this blog series with the client residing inside the Enterprise using AMT to contact the console operator and utilizing very basic tools - take control. Upcoming blogs will show how to do this for clients residing outside the Enterprise (in the internet cloud) using Client Initiated Remote Access (CIRA) to contact the console via of a Management Presence Server in the DMZ and more robust tools - very cool!

 

So let's get on with it shall we?

 

The Tool Set

For this first installment I am using AMT Commander from the AMT DTK to initiate a client connection and perform console redirection (IDE-R). The client platform is Montevina (AMT v4.0). I will also push a Pre-installation Environment (PE) down the wire to boot the client into a graphic environment; either WinPE 2.0 or BartPE can be used. Whichever the choice, the greatest thing about a PE is its ability to be customized. You can build a PE to include not only the necessary drivers to bring a system up, but also all the required software for a technician to truly diagnose and practically correct any problem. A full explanation of PE's is beyond the scope of this blog but easily searchable via your favorite search engine. Lastly, to complete the process I will use UltraVNC, a publicly available application that gives the console operator the ability to view the remote client screen; graphically!

 

The Scenario

In this setting we have a client system where the O/S fails to boot-up (see Figure 1 - left image). This could happen if the client did something to their system which caused the registry to become unreadable by the O/S. Or perhaps the owner of the system accidentally deleted a critical file(s) required by the O/S to boot properly. In any case, the client calls their support center and is walked thru the required steps to perform BIOS initiated AMT. Once initiated, the console operator can then connect to the client; Figure 1 - right image.

 

Figure 1: Remote client screen on left - Console operator screen on right

 

 

 

 

 

 

 

 

After connecting to the client, the console operator opens the SOL/IDE-R mapping interface and assigns the appropriate .iso images for Floppy and CD-R redirection (see Figure 2 - left image). Note: You must assign both a Floppy and a CD image for SOL/IDE-R to operate properly. Also, while you can use IDE devices physically attached to the console system, working with .iso images are faster and more flexible.

 

 

Figure 2: Point device mapping to .iso images, start SOL/IDE-R, take control of client system.

 

 

 

 

 

 

 

 

The next step after starting redirection is to take control of the remote client as shown in Figure 2 - right image and indicate which image to boot from. In this case since we have our PE stored as a CD-R .iso image we tell it to "Remote Reboot to Redirected CD" Figure 3.

 

 

 

Figure 3: Remote reboot to CD-R image

 

 

 

 

 

 

 

 

At this point the client system has started a reboot and loading the PE image from the console. However, because we are using SOL the console operator can only see the "text" generated information. Notice the screen in the foreground of Figure 3 titled "PuTTY", this is the SOL interface and portrays only the "please wait" line from the boot loader; not very intuitive or useful. As a result the console operator will have to ask the client to inform them when the PE has finished loading on their system (see Figure 4).

 

 

Figure 4: Client system completed boot to PE and ready for remote control

 

 

 

 

 

 

 

 

Here is where the fun begins. After the PE loads onto the client system, the console operator starts UltraVNC; pointing it to the client, Figure 5 - left image. Part of the PE build includes the necessary network drivers to give this system an IP stack so it can be accessed via UltraVNC Once UltraVNC connects it opens a graphic window where we can actually see and control the client as though we are sitting at their machine, Figure 5 - right image. Again, we are using the SOL interface to show us text information and the TCP/IP protocol to allow UltraVNC to connect an OOB client - pretty cool huh?

 

 

Figure 5: UltraVNC to display client screen on console operator system

 

 

 

 

 

 

 

 

From here we can invoke a whole series of commands and view the results in real-time. In the example shown in Figure 5 - right image, I am running regedit - OK I realize it is showing the PE registry but with the right tools we can load and analyze the client registry or any other application and/or device.

 

Remember I said the beauty of PE's lie in their ability to be customized? If your shop use specific diagnostic tools you can include them into the PE at build time and use them here by simply clicking on the orange "GO" button (different PE's have different ways to access applications).

 

What I have shown here is the ability to use some very rudimentary protocols along with widely available tools to perform very powerful diagnostic and repair functions on a broken client. Keep in mind however this is only one of many ways to achieve this capability. In fact, this particular example can take a fair amount of time to load depending on network traffic and size of .iso image. But it is much better than the down time required to bring the remote system into the support center.

 

EIL are constantly finding solutions to answer the hard questions for our End Users. In upcoming blogs I plan to show similar capabilities using different techniques to minimize load times while maximizing efficiency. I hope you found this blog useful if you have any questions please feel free to ask. See you soon...

3 Comments Permalink Tags: vpro, cira, brad_lund, eil, epi, winpe, bartpe, sol, ider, tools, utilities, system_maintenance
Josh Hilliker
0

Monday we're cooking up a great show, Russ, Jeff & I are going to be talking with Michele Gartner about the Activation zone and the latest status on how to self activate. We will also be talking about our top tool picks that we use for troubleshooting & enabling vPro. Definitely a show you won't want to miss out on. Also you can either stream, dial in or download after the show is over to listen. We will also have the chat line open for any and all questions related to vPro.

 

Here's the info:

 

http://www.blogtalkradio.com/openport/2008/06/02/Intel-vPro-Expert-Center-Topic-TBD

 

Number: (347) 326-9831

Date/Time: 6/2/2008 3:30 PM (pacific)

 

Listen to Intel Open Port Radio on internet talk radio

 

0 Comments Permalink Tags: vpro_radio, josh_hilliker, russ_pam, jeff_torello, activation, michele_gartner, tools
Josh Hilliker
0

I wanted to share out why my top 3 tool picks are for starting up with vPro, usually I am using these tools when I'm working on connectivity, packets or errors in the logs in the mgmt console. I also often find that I'm using these tools late at night when i'm deep in troubleshooting mode & trying to do a root cause on why something is not working as planned i.e. hello packets are not starting on a given hardware platform, etc.. (I'll save the showcase for a youtube video soon)..

 

here they are.................

 

#1. MEinfowin.exe - Brian C posted a good link of where & how to get this from Lenovo's BIOS update. I highly recommend this tool for troubleshooting version of the ME, SOL, etc.. it also has good information on setup & configuration, link status, etc..

http://communities.intel.com/message/3649#3649

 

#2. Wireshark - Joel Smith (altiris) wrote about this in his blog, which is where I initially found the link. http://juice.altiris.com/article/3636/troubleshooting-altiris-manageability-toolkit-vpro-technology-part-1-provisioning-clien

 

Wireshark

While the two above tools are distinctly for Out of Band Provisioning, Wireshark tells the whole story of what is coming and going across the wire. It's important to know what the AMT clients are sending, especially in the 'Hello' packet, and what the server is responding with.

 

Wireshark can be obtained from: http://www.wireshark.org/. While this is the recommended tool, any network trace capture program can be used to examine the network traffic between the AMT client and the Provisioning Server.

 

#3. Intel® vPro™ Technology Test Utility - this is the old faithful tool to ensure your vPro system has the right ingredients.

http://downloadcenter.intel.com/Product_Filter.aspx?ProductID=2575

 

These are my top 3, however if I were to go, in SMB mode I utilize the vPro Packet decoder and the AMT reflector, however I use those at very specific times when i've passed the top 3 and I am digging in even deeper.

 

I hope you enjoy the list and if you have a TOP tool favorite write a comment at the end of the blog and let me know as I am always looking for new tools that help troubleshooting.

 

Josh H

0 Comments Permalink Tags: tools, josh_hilliker, vpro_expert_center, manageability, troubleshoot, vpro, amt
Josh Hilliker
0

Hi all,

 

Tim's Tool team continues to deliver new tools to the community almost weekly. You can check the latest on the Tool Wiki @ http://communities.intel.com/docs/DOC-1171. Also if you have a need for a new tool please let him know by responding to the wiki.

 

If you are trying to use a tool and not having success please let us know as well as your feedback helps shape the tools the team works on.

 

I also know that Tim is defining a higher level picture of the typical IT infrastructure and how each tool can be used to troubleshoot different connection points. Stay tuned for this..

0 Comments Permalink Tags: tools, vpro_expert_center, josh_hilliker, tool, troubleshoot
Josh Hilliker
0

 

Jeff talked about this in the last show on vPro Radio (http://blogtalkradio.com/openport) about his latest Intel vPro training modules. We finally have those posted and here is the link to get started..

 

 

 

http://download.intel.com/business/vpro/ActivationClass/main.html

 

I believe he posted six out of nine, with the final three still in progress. If you have any questions please let Jeff know.

0 Comments Permalink Tags: vpro_expert_center, vpro, training, tools, josh_hilliker, jeff_torello
Josh Hilliker
1

On my travel's out of the factory and on the road with vPro users, I was able to see a new tool that I had not seen to date. When the User pulled up resource manager he showed me a new way to fast track to a machine. The Screen looked like this.

 

 

I asked where the tool was and was given this link on Altiris Juice.

 

 

Here is the code you will see in the VBS file.

 

REM Authored by: Benjamin Palmer

REM Company: <Your Company Here>

 

strAnswer = InputBox("Please enter a computer name you would like to view the resource information for:",".oO - Quick View Resource Manager - Oo.")

 

If strAnswer = "" Then

Wscript.Quit

Else

strURL = "http://Deploy1/Altiris/Resource/ResourceManagerConsole.aspx?Name="&strAnswer

Set objShell = CreateObject("Wscript.Shell")

objShell.Run(strURL)

End If

 

I found this a very useful tool for Altiris Users that know the machine and want to fast track to the notebook/desktop. Or you could give this tool to your help desk for them to easily get to a machine vs. navigating through the console.

 

NOTE: please make sure you change out the "DEPLOY1" with your console name.

 

If you have a great tool like this that you use, please share out..

 

Cheers..

1 Comments Permalink Tags: altiris, josh_hilliker, vpro, tools
Michele Gartner
0

0 Comments Permalink Tags: amt, tools, troubleshoot, scs
Josh Hilliker
0

10:30am Russ & I are talking with Tim the Tool guy about vPro Tools.

 

Call-in Number: (347) 326-9831

 

http://www.blogtalkradio.com/openport/2008/03/11/vPro-Expert-Center-On-The-Air-vPro-Tools

 

Listen in & chat with us online..

0 Comments Permalink Tags: russ_pam, josh_hilliker, vpro, vpro_radio, tim, tools
1 2 Previous Next

Popular Blog Posts