Home > Intel Communities > Open Port IT Community > Intel® vPro™ Expert Center > Microsoft Manageability > Blog > 2008 > August > 14

 

For those that are not aware, Microsoft has a System Center Configuration Manager 2007 Toolkit that provides some excellent tools to help with troubleshooting, security hardening, and easier log viewing within SCCM.

 

 

 

 

 

To download System Center Configuration Manager 2007 Toolkit, please visit http://www.microsoft.com/downloads/details.aspx?FamilyID=948e477e-fd3b-4a09-9015-141683c7ad5f&DisplayLang=en

 

 

 

 

 

Here are the tools that are included (as documented on Microsoft's website):

 

  • Client Spy - A tool to help troubleshoot issues related to software distribution, inventory, and software metering on Configuration Manager 2007 clients.

  • Policy Spy - A policy viewer to help review and troubleshoot the policy system on Configuration Manager 2007 clients.

  • Trace32 - A log viewer that provides a way to easily view and monitor log files created and updated by Configuration Manager 2007 clients and servers.

  • Security Configuration Wizard Template for Configuration Manager 2007 - An attack-surface reduction tool for the Microsoft Windows Server 2003 operating system with Service Pack 1 and Service Pack 2 (SP1 and SP2) that determines the minimum functionality required for a server's role or roles, and disables functionality that is not required.

  • DCM Model Verification - A tool used by desired configuration management content administrators for the validation and testing of configuration items and baselines authored externally from the Configuration Manager console.

  • DCM Digest Conversion - A tool used by desired configuration management content administrators to convert existing SMS 2003 Desired Configuration Management Solution templates to Desired Configuration Management 2007 configuration items.

  • DCM Substitution Variables - A tool used by desired configuration management content administrators for authoring desired configuration management configuration items that use chained setting and object discovery.

 

 

 

 

--Matt Royer


 

For those that don't know, you can use the Intel AMT Web console as an alternative to running the out of band management console in Configuration Manager 2007 SP1 to manage vPro computers.

 

 

 

 

On more than a few occasions, people have been experiencing problems with connecting to the vPro AMT Web console after the vPro Client has been provisioned by SCCM. In every case that I have been involved in, it simply comes down to one or two of the following:

 

  • Not having the required hotfix (KB908209) installed for IE 6, or not having the registry entry added (needed for both IE 6 and IE 7)

  • Connecting to the wrong URL of the vPro Client

  • Not having the "Enable Web Interface" checked within SCCM "Out of Band Management Properties"

  • Not connecting with a user that has appropriate access

 

 

 

 

 

 

 

Making sure you have KB908209 installed and the registry key added for Internet Explorer

 

 

There is a hotfix for Internet Explorer 6 that addresses connecting to a web site that uses the Kerberos authentication protocol on a non-standard port. Since you are authenticating with Kerberos on a non-standard port when you connect to a vPro AMT Web console, you need this hotfix: http://support.microsoft.com/default.aspx/kb/908209. Keep in mind that, besides installing the hotfix, you also need to add a registry entry to make the hotfix active (steps listed in the KB article). Here is the registry entry you need to add.

 

  • For 32 Bit: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209\"iexplore.exe"=dword:00000001

  • For 64 Bit: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209\"iexplore.exe"=dword:00000001

 

Although Microsoft included the hotfix in Internet Explorer 7, you still need to add the registry entry to get the authentication to work. Forgetting to add this registry entry tends to be the number 1 reason why people are having the problem!

 

 

 

 

 

 

 

 

Connecting to the correct URL

 

 

When connecting to the vPro AMT Web console, you must connect to the vPro Client with the URL https://FQDN:16993, where FQDN is the fully qualified domain name of the vPro client (e.g. https://vpro-client.vprodemo.com:16993). Using the IP address will not work (or at least you will get a warning about an invalid certificate) because SCCM has configured the vPro client to use TLS, and the URL needs to match the certificate that was issued during the provisioning process. As a general reference, 16993 is the port that the TLS web service listens on, and you need to connect with https since it's a secure connection.
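A pre-flight check for the two client-side causes described above (the KB908209 registry entry and the FQDN/certificate match on port 16993), as an added PowerShell example that is not part of the original post. The script and its parameter names are illustrative, the default host name is the sample FQDN from the text, and it assumes a 64-bit PowerShell session on 64-bit Windows.

```powershell
# Added example (not from the original post): client-side pre-flight checks.
# Parameter names are illustrative; the default FQDN is the sample name used in the post.
param(
    [string]$AmtFqdn = 'vpro-client.vprodemo.com',
    [int]$Port = 16993
)

# 1. Registry entry that activates the KB908209 behaviour for iexplore.exe.
#    The post lists the WOW6432Node path for 64-bit Windows, the plain path for 32-bit.
$feature = 'Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209'
$root = if (Test-Path 'HKLM:\SOFTWARE\WOW6432Node') { 'HKLM:\SOFTWARE\WOW6432Node' } else { 'HKLM:\SOFTWARE' }
$key = Join-Path $root $feature
$entry = Get-ItemProperty -Path $key -Name 'iexplore.exe' -ErrorAction SilentlyContinue
if ($entry -and $entry.'iexplore.exe' -eq 1) {
    "OK       registry entry present: $key"
} else {
    "MISSING  iexplore.exe=dword:1 under $key"
}

# 2. TLS on port 16993: does the certificate match the name being used?
#    The callback accepts any certificate so it can be inspected; no data is sent over the stream.
$script:tlsErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($origin, $certificate, $chain, $errors)
    $script:tlsErrors = $errors
    $true
}
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($AmtFqdn, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($AmtFqdn)
    "Subject  $($ssl.RemoteCertificate.Subject)"
    $mismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
    if ($script:tlsErrors -band $mismatch) {
        "FAIL     certificate name does not match $AmtFqdn"
    } else {
        "OK       certificate name matches $AmtFqdn (policy errors: $script:tlsErrors)"
    }
} catch {
    "FAIL     could not complete TLS to ${AmtFqdn}:${Port}: $($_.Exception.Message)"
} finally {
    $tcp.Close()
}
```

Running it with the client's IP address in place of the FQDN shows the name-mismatch result that the browser reports as an invalid certificate.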

 

 

 

 

 

 

 

 

Ensuring you have "Enable Web Interface" checked

 

 

To enable vPro AMT Web console support on the vPro Client, you need to verify that "Enable Web Interface" is checked within the SCCM "Out of Band Management Properties" - "AMT Settings" Tab. With this checked, SCCM (during the provisioning process) will configure the vPro Client to allow vPro AMT Web console access.

 

 

!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1712/Webui+checked.JPG!

 

 

 

 

 

Make sure you have permission

 

 

Since SCCM only supports Kerberos authentication (with the exception of the Remote Admin account, whose password is only known by SCCM), you need to authenticate as a Kerberos user that has been granted access to the vPro Client. If you are having problems authenticating, make sure the user you are trying to authenticate with is listed in the AMT User Accounts in the "Out of Band Management Properties" - "AMT Settings" tab.

 

 

 

 

--Matt Royer
