On my SCCM Site server, I was looking through my AMTOPMGR.log and I noticed the following entry:
Error: The provisioning certificate with the thumbprint 55B7AF313A725CA10BB47A382494A3BD2927D1FB will expire in 1 day(s). Please ensure that this certificate is renewed. (CertID = 1)
In looking at my Provisioning Certificate loaded on my SCCM SP2 site server, I did find out the expiration date was about to hit.
So I will let this cert expire so I can report out what happens to an environment that has their provisioning certificate expire. I will add more of these learnings after this expiration date hits. More to come... and then time for me to re-purchase this cert so my lab continues to provision.
Don't miss this new resource in the Activation zone! It has a checklist for customer infrastructure preparation for implementing systems with Intel(R) vPro(TM) technology within the customer's corporate production environment.
While working on-site with a customer and a Microsoft SCCM Technical Consultant, I was shown a great capability in the OS to force the SCCM client agent to check its AMT auto-provisioning policy at will.
The Windows OS ships with a utility called Windows Management Instrumentation Tester that can be used to force the SCCM agent to check its AMT Auto-Provisioning Policy (standard WMI calls). The following steps show the manual method you can perform with this utility, either locally or remotely, to force this check. By default the SCCM server's site control file sets the agent check to run automatically every 24 hours. However, in lab or testing environments this 24 hour default cycle is not convenient. With the steps below, you can execute this check at will or use it while troubleshooting issues. To perform these steps, you must have administrative privileges on the target OS.
After the manual steps listed below, Matt Royer has provided a reference to a .vbs file that performs these steps to help automate the process. Feel free to use these steps and scripts for your environment. And if you find new and/or improved methods with these WMI calls, please post for others to learn from.
Manual Steps to issue WMI command:
Open a command prompt and type wbemtest
This is the Windows Management Instrumentation Tester
After the Windows Management Instrumentation Tester Utility Opens, click Connect
In the Namespace of the Connect Window, type the system name you want to force the check followed by \root\ccm
Example: **
Click Connect
You can also run the command on the local system by leaving out the host name
Example: \root\ccm
After you successfully connect to the target system, click the Execute Method Button
In the Get Object Path window, type sms_client in the Object Path field
Click OK
In the Execute Method Window, enter TriggerSchedule in the Method Field
Click the Edit In Parameters Button
In the Object editor for _PARAMETERS window, Double Click the sScheduleID in the Properties field
In the Property Editor Window, change the Value to Not NULL and add the following {00000000-0000-0000-0000-000000000120}
This value is the Object ID to initiate this OOB auto-provisioning check.
Click the Save Property button
In the Object editor for _Parameters window, click the Save Object button
In the Execute Method window, click the Execute Button
After you Execute the method, you should see a message that the Method was executed successfully
To confirm that your method was executed, look at the target system's c:\windows\system32\CCM\Logs\oobmgmt.log
You should now see a new entry in the log GetProvisioningSetting indicating that the policy has been re-evaluated.
To perform these steps automatically through a .vbs script:
All you need to do is run the following command:
cscript sendsched.vbs {00000000-0000-0000-0000-000000000120} <target vpro machine name with sccm client>
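The same TriggerSchedule call can be issued from PowerShell. This is an added example, not part of the original post and not the sendsched.vbs script referenced above; the function name, the wait time, the admin$ log path mapping and the sample host names are assumptions.

```powershell
# Added example: scripted form of the wbemtest steps. Only the schedule ID,
# namespace, class, method and log entry name come from the post.
$OobScheduleId = '{00000000-0000-0000-0000-000000000120}'
$LogPattern    = 'GetProvisioningSetting'

function Invoke-AmtProvisioningCheck {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$WaitSeconds = 30   # assumed delay before the log entry appears
    )
    foreach ($computer in $ComputerName) {
        # Assumption: Windows lives in C:\Windows, so admin$ maps to it.
        $log = "\\$computer\" + 'admin$\system32\CCM\Logs\oobmgmt.log'
        $result = [pscustomobject]@{
            Computer = $computer; Triggered = $false; NewLogEntry = $null; Error = $null
        }
        # Count existing entries first so an old entry is not mistaken for a new one.
        $before = @(Select-String -Path $log -Pattern $LogPattern -SimpleMatch `
                        -ErrorAction SilentlyContinue).Count
        try {
            # Same call as Execute Method in wbemtest:
            # SMS_Client.TriggerSchedule(sScheduleID) in root\ccm
            Invoke-WmiMethod -ComputerName $computer -Namespace 'root\ccm' `
                -Class 'SMS_Client' -Name 'TriggerSchedule' `
                -ArgumentList $OobScheduleId -ErrorAction Stop | Out-Null
            $result.Triggered = $true
        } catch {
            # Typical causes: no admin rights, WMI/RPC blocked, no SCCM client.
            $result.Error = $_.Exception.Message
            $result
            continue
        }
        Start-Sleep -Seconds $WaitSeconds
        $after = @(Select-String -Path $log -Pattern $LogPattern -SimpleMatch `
                       -ErrorAction SilentlyContinue)
        if ($after.Count -gt $before) { $result.NewLogEntry = $after[-1].Line }
        $result
    }
}

# Local machine, then two constructed host names:
# Invoke-AmtProvisioningCheck
# Invoke-AmtProvisioningCheck -ComputerName 'vpro-lab-01','vpro-lab-02' |
#     Format-Table -AutoSize
```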
Within SCCM there are two primary ways to provision a vPro Client: using the Import Out of Band Computers Wizard, and in-band provisioning with the Configuration Manager client agent. Because of its ease and automated provisioning, it is typically recommended that you leverage in-band provisioning with the Configuration Manager client agent; however, there may be cases where this method does not work because of your environment or business process. This may leave you with the Import Out of Band Computers Wizard as the only option for vPro Client provisioning.
To provision clients with the Import Out of Band Computers Wizard, you are required to supply at a minimum the Computer Name, FQDN, and UUID for the vPro client you are trying to provision. Retrieving and entering this data by hand for a few vPro clients may be fairly straightforward; however, if you are trying to provision a large number of vPro clients it may become very time consuming. As part of the Import Out of Band Computers Wizard, you are able to specify a comma-separated values (CSV) formatted file that has these required attributes listed. With this capability available, you can technically mass import a large number of vPro clients to be provisioned; the challenge then becomes automating the retrieval of the Computer Name, FQDN, and UUID.
Example CSV File
Select Source - Choose Mapping
Select Source - Data Preview
Select Source - Summary
There can be a variety of sources such as the Active Directory, Local Computer Operating System, alternate software inventory agent, etc (your imagination is the limitation) where you could potentially pull this information.
For example, this UUID Resolver is an example utility that queries your Active Directory for computers, determines whether they are vPro capable, connects to the OS, and exports the Computer Name, FQDN, and UUID to a CSV file that can be imported through the Import Out of Band Computers Wizard; once the hello packet is received, SCCM will provision the vPro Client (special thanks to Ariel Toporovsky for developing this example).
Another example may be to use a Software Agent or other remote execution capability to run a localized VBS, Perl Script, exe, etc that grabs the Computer Name, FQDN, and UUID locally from the client and copies the contents to a remote share to be consolidated; once there it can be imported through the SCCM Import Out of Band Computer Wizard.
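One way to implement the local-script approach just described, as an added example that is not from the original post or the UUID Resolver utility. It assumes the SMBIOS UUID reported by Win32_ComputerSystemProduct is the UUID the wizard expects and that the primary DNS suffix equals the AD domain; the function names, share layout and column headers are hypothetical.

```powershell
# Added example. Run Export-AmtImportRecord on each client (for instance from a
# software distribution job) and Merge-AmtImportRecords once on the admin side.
function Export-AmtImportRecord {
    param([Parameter(Mandatory = $true)][string]$SharePath)

    $cs   = Get-WmiObject -Class Win32_ComputerSystem
    $uuid = (Get-WmiObject -Class Win32_ComputerSystemProduct).UUID

    # Some firmware reports a placeholder UUID (all zeros or all Fs). Importing
    # it creates a record that can never match a real client, so refuse it.
    if ($uuid -notmatch '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$' -or
        $uuid -match '^(0|F|-)+$') {
        throw "Unusable SMBIOS UUID on $($cs.Name): '$uuid'"
    }
    if (-not $cs.PartOfDomain) {
        throw "$($cs.Name) is not domain joined; no FQDN to report"
    }

    # One file per host avoids concurrent writes to a single shared CSV.
    [pscustomobject][ordered]@{
        ComputerName = $cs.Name
        FQDN         = ('{0}.{1}' -f $cs.Name, $cs.Domain).ToLower()
        UUID         = $uuid.ToUpper()
    } | Export-Csv -Path (Join-Path $SharePath "$($cs.Name).csv") -NoTypeInformation
}

function Merge-AmtImportRecords {
    param(
        [Parameter(Mandatory = $true)][string]$SharePath,
        [Parameter(Mandatory = $true)][string]$OutFile   # keep outside $SharePath
    )
    $rows = Get-ChildItem -Path $SharePath -Filter *.csv |
        ForEach-Object { Import-Csv -Path $_.FullName }

    # The share is writable by every client, so treat its content as untrusted:
    # a UUID claimed by more than one host is dropped and reported, not imported.
    $groups = @($rows | Group-Object -Property UUID)
    foreach ($g in $groups | Where-Object { $_.Count -gt 1 }) {
        $names = ($g.Group | ForEach-Object { $_.ComputerName }) -join ', '
        Write-Warning "UUID $($g.Name) reported by several hosts: $names"
    }
    $groups | Where-Object { $_.Count -eq 1 } | ForEach-Object { $_.Group } |
        Sort-Object -Property ComputerName |
        Export-Csv -Path $OutFile -NoTypeInformation
}

# Constructed paths for illustration:
# Export-AmtImportRecord -SharePath '\\fileserver\amt-import$'
# Merge-AmtImportRecords -SharePath '\\fileserver\amt-import$' -OutFile 'C:\Temp\vpro-import.csv'
```

The columns are matched to Computer Name, FQDN and UUID in the wizard's Choose Mapping step.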
What else can you think of? If you have any thoughts or tricks on how to automate this, please post your ideas / examples in the comments. Thanks.
While at MMS, Microsoft System Center Configuration Manager Program Manager Dave Randall demonstrated how Intel vPro Technology enhances Microsoft System Center Configuration Manager 2007 SP1. The videos below include demonstrations around secure remote power control, remote diagnosis and repair of troubled PCs, discovery of PC assets, and remote configuration.
1) Video demonstration of hardware-assisted Secure Remote Power Control:
2) Video demonstration of hardware-assisted Remote Diagnosis and Repair:
3) Video demonstration of hardware-assisted Discovery of PC Assets:
4) Video demonstration of Remote Configuration of Intel vPro technology:
At MMS, we had Brad Anderson, General Manager of Microsoft Management and Services Division, and Gregory Bryant, Intel VP and General Manager of the Digital Office Platform Division, answer some questions about the new capabilities in System Center Configuration Manager 2007 SP1 with Intel vPro technology. See their responses below.
1) How does Intel vPro Technology fit into System Center Configuration Manager 2007 SP1?
2) What can IT expect in terms of the level of integration of Intel vPro Technology into System Center Configuration Manager 2007 SP1?
3) Why should IT now take advantage of Intel vPro Technology and System Center Configuration Manager 2007 SP1?
4) When should enterprises activate Intel vPro Technology with System Center Configuration Manager 2007 SP1 in their PC infrastructure?
5) Last, we asked a series of questions about System Center Configuration Manager 2007 SP1 Support for the Current Generation of Intel vPro Technology with WS-MAN Support, as well as with Legacy Generations of Intel vPro technology.
One of the great features of SCCM SP1 is the ability to provision vPro Clients through the SCCM SP1 client agent. This allows for vPro clients to be deployed in an unprovisioned state and then later provisioned via the client agent once the client agent has been deployed using in-band methodologies.
Before Client Agent provisioning can occur, there are a couple of configuration steps you need to do within SCCM SP1. First, it is recommended that you create a new collection that will house your vPro clients that have been discovered and are in an unprovisioned state. It is viable to use the "All Systems" collection to set the policy for automatic provisioning via the client agent; however, it is not advised.
To create a new collection...
Right Click on Collection, and select "New Collection"
When the "New Collection" window appears, enter in a Collection Name. Something like "Unprovisioned vPro Clients" is recommended. Fill in the comment field appropriately and click "Next"
When the "Membership Rules" appear, click on the "Query Rule Properties" (it is the Database icon)
In the "Query Properties", enter in a name something similar to "Unprovisioned vPro Client Query" and then click "Edit Query Statement..."
When the Query Properties appear, click "Show Query Language"
In the Query Statement textbox, type in the following:
Select * from sms_r_system where AMTStatus=2
This will pull all the clients that are vPro capable and in an unprovisioned state
Once completed, click "OK" and "OK" again on the Query Rule Properties. When returned to the "Membership Rules" screen, click "Next"
Add any desired advertisements and click "Next"
On the "Security" screen, add any appropriate users or groups and click "Next".
On the Confirmation screen, click "Close".
You should now see your new Collection in the collection list. The next step is to configure this collection so that vPro Clients in the collection are automatically provisioned.
Right Click on the "Unprovisioned vPro Clients" collection and select "Modify Collection Settings".
In the Settings windows, click on the "Out of Band" tab.
Check the checkbox "Enable Automatic out of band management controller provisioning" and click "OK"
It is also recommended that you add the "AMT Status", "AMT Version" and "Automatic AMT Provisioning" columns to the collection for easier troubleshooting.
To do so...
Select the "Unprovisioned vPro Client" collection and right click in the open white space
When the context menu appears, select "View" -> "Add/Remove Columns"
When the "Add/Remove Columns" screen appears, add "AMT Status", "AMT Version", and "Automatic AMT Provisioning" to the collection view. Click "OK" when finished.
This collection is now set up so that any vPro client in the collection will be automatically provisioned through the SP1 client agent. With the collection defined, you can use any of the client discovery methods that SCCM SP1 provides (AD System Group, AD Security Group, AD System, AD User, Heartbeat, or Network) to discover the client. If you decide to use Network discovery, you can also check the checkbox on the "General" tab to "Enable Discovery of out of band controllers"; by doing so it will also check to see if the client is vPro capable. After you run the discovery method and update the collection (either manually or via scheduled policies), you should be able to see the client in the "All Systems" collection.
Now that the clients have been discovered by SCCM, you will need to perform a "Discover Management Controller" to see if any of them are vPro capable. On the "All Systems" collection, right-click and select "Out of Band Management" -> "Discovery Management Controller". This will scan through your collection and validate which clients are ready to be provisioned.
After a few minutes, depending on the size of your collection, you can update your collection membership by right-clicking on "Collections" and selecting "Update Collection Membership". If you now refresh your "Unprovisioned vPro Clients" collection, you should see a list of unprovisioned vPro clients ready to be provisioned. The AMT Status of the client should be listed as "Not Provisioned".
Depending on your SCCM SP1 client polling schedule, it may take a few hours for the client agent to pull down the new provisioning policy. You can, however, force the policy to be refreshed earlier by opening the Configuration Manager Properties within the client's Windows Control Panel and selecting the "Action" tab. Once in the Action tab, select "Machine Policy Retrieval & Evaluation Cycle" and click "Initiate Action".
For instructions on how to deploy the SCCM SP1 client agent, please reference the SCCM SP1 Help and look for the "Overview of Configuration Manager Client Deployment" article.
After the provisioning has occurred, the vPro Client will be removed from the newly created "Unprovisioned vPro Clients" collection and its "AMT Status" will be listed as provisioned.
Similar to provisioning via the Out Of Band Wizard, you can track the progress of the provisioning process through the SCCM Out Of Band reports or, for more detail, amtopmgr.log. There is also the oobmgmt.log on the client machine, which tracks the agent-based provisioning process.
Another clarifying note is that once the SCCM SP1 Agent is installed and acknowledged by SCCM, Client Agent initiated provisioning is the only provisioning method supported; SCCM will ignore any vPro hello packets it receives from the client. Also, the vPro client must be in an unprovisioned state for the agent-based provisioning to occur.
Here is a video that goes over the high level process