The Intel WS-MAN Translator build 568 has just been released.  The new features of this build included:

• Validated with Microsoft System Center Configuration Manager 2007 Service Pack 2
• Enhances legacy support for wireless profiles, 8021.x profiles, and 3rd party data storage
• Enhanced Kerberos authentication and Kerberos ticket handling

There are known issues and feature gaps with the previous versions (builds less than 568) of the Intel WS-MAN and Microsoft SCCM SP2.  It is recommended that customers upgraded to Intel WS-MAN Translator build 568 when upgrading to SCCM SP2.  SCCM SP1 customers will also see stability and performance increases by upgrading to this WS-MAN Translator build.

--Matt Royer

Microsoft System Center Configuration Manager can provision an AMT / vPro client in two different capacities: Bare metal and Agent Initiated.  Bare metal provisioning begins with the AMT client sending a “hello packet” to the SCCM Out of Band Service Point; if the AMT client is approved and authorized to be provisioned, SCCM will initiated the provisioning process.  Agent Initiated provisioning begins with the SCCM Client Agent pulling down the “Automatic Provisioning” policy from the SCCM Policy Server; if the SCCM Client Agent receives the policy, the Agent will negotiated a One Time password (OTP) with the AMT ME firmware and send the provisioning request along with the OTP to the Out of Band Service point to begin the provisioning process.

Bare Metal / Hello Packet Initiated Provisioning
For Bare Metal provisioning to work properly on AMT / vPro Clients with firmware 2.x, there are a couple of prerequisites that must be met.

SCCM Server

• SCCM SP1 with Rollup Hotfix KB960804 or higher (full list of required hotfixes found here: http://communities.intel.com/docs/DOC-1897Required Software Bundles and HotFixes (KB’s) for System Center Configuration Manager SP1
• Intel WS-MAN Translator installed and configured (Download available from here: http://software.intel.com/en-us/articles/intel-ws-management-translator/ )
• SCCM configured for Out of Band Management (SCCM Quick Start Guide: http://communities.intel.com/docs/DOC-1754)

AMT Client

• AMT Firmware version that support PKI provisioning with SCCM.  For AMT 2.x Desktops and Laptops, you will want to ensure that you have a minimum of AMT Firmware 2.2.20 (Desktop) and 2.2.20 (Laptop).  Note: For AMT Desktops with firmware 3.x, you will want to ensure that you have firmware 3.2.2 or above to meet the minimal requirements.  AMT Laptops with firmware 4.x and Desktops with firmware 5.x have the minimum requirements meet from the initial firmware release.

SCCM Client Agent Initiated Provisioning
In addition to the prerequisites needed for Bare Metal provisioning, SCCM Agent initiated provisioning requires a couple additional items.

AMT Client

• AMT ME / HECI Driver installed (available from your OEM driver website)
• Execution of RNGSeedCreator.exe (Download available from here: http://communities.intel.com/docs/DOC-3807).  RNGSeedCreator.exe is an executable that is ran on an AMT / vPro client with firmware version 2.x that has never been configured or provisioned; this utility generates a random number for the firmware to support the OTP used during the SCCM Agent Initiated Provisioning process.  For SCCM PKI provisioning to complete successfully, the random number generated by RNGSeedCreator.exe must be completed prior to initiating provisioning via the SCCM Client Agent.Note: AMT / vPro clients with firmware version 3.x and higher do not need to have the RNGSeedCreator.exe ran prior to SCCM Agent Initiated provisioning.

If your AMT clients do not meet the minimal firmware version for PKI based provisioning (Bare Metal or Agent Initiated), you can use the software distribution capabilities within SCCM to remotely upgrade the AMT firmware and drivers; check out the following Blog / Video which walks you through creating this software package.  Similar to upgrading the AMT firmware with SCCM Software distribution, you can also use the same Software Distribution process to run the RNGSeedCreator.exe utility on your 2.2 (Desktop) and 2.6 clients.  If you wish to combine the firmware upgrade and RNGSeedCreator.exe execution into a single SCCM advertisement, you can construct a single task sequence that runs both the Firmware upgrade and RNGSeedCreator.exe software packages.  A guide on how to accomplish this has been included in the RNGSeedCreator download package.

Once the firmware has been upgraded to the minimal firmware version to support PKI provisioning and the RNGSeedCreator.exe has been run, SCCM Agent Initiated provision can complete successfully on 2.2 and 2.6 clients.

--Matt Royer

Microsoft has released a really great blog on the “Security Best Practices for Out of Band Management in Configuration Manager 2007 SP1”.  The following topics are covered in great detailed and is a definite read.  http://blogs.technet.com/configmgrteam/archive/2009/08/05/updated-security-best-practices-for-out-of-band-management-in-service-pack-1.aspx

• Request customized firmware before purchasing AMT-based computers
• Use in-band provisioning instead of out of band provisioning
• Manually revoke certificates and delete Active Directory accounts for AMT-based computers that are blocked by a Configuration Manager 2007 SP1 site 
• Control the request and installation of the provisioning certificate
• Ensure that you request a new provisioning certificate before the existing certificate expires
• If the provisioning certificate is revoked, delete it from the certificate store on the out of band service point site system server, and remove it from the out of band management component configuration properties
• If you must revoke a provisioning certificate supplied by an internal CA, revoke the certificate in the Certification Authority console
• Use a dedicated certificate template for provisioning AMT-based computers
• Use out of band management instead of Wake On LAN
• Use a dedicated OU to publish AMT-based computers
• Use Group Policy to Restrict User Rights for the AMT Accounts
• Use a dedicated collection for in-band provisioning
• Restrict who has the Media Redirection right and the PT Administration right
• Retrieve and store image files securely when booting from alternative media to use the IDE redirection function
• Minimize the number of AMT Provisioning and Discovery Accounts

--Matt Royer

If you want to have the Intel Manageability Tool Kit interoperate with a vPro client that has been provisioned by Microsoft System Center Configuration Manager SP1, there are two key things you need to do: Configure Manageability Commander to trust the Issuing Certificate Authority of AMT Web Certificates and to authenticate with a Kerberos user that has access to the vPro Client.

Before configuring Manageability Commander, you will need to obtain a copy of the Root Certificate Authority Certificate that the vPro Client AMT Web Server Certificate was issued from. This is the same Certificate Authority that was configured in “Microsoft System Center Configuration Manager Console” -> “Out of Band Component Configuration” -> "Site Database" -> "Site Management" -> "Site" -> "Site Settings" -> "Component Configuration" -> "Out of Band Management" -> "General Tab" -> "Certificate Template".


If you are issuing AMT Web Server Certificates from a subordinate certificate authority, you should still use the certificate from the Root Certificate Authority the SubCA is chained up to.

Export a copy of the Root CA

1)   To export of a copy of the Root CA Certificate, you can open your local certificate store, select “Trusted Root Certificate” -> “Certificate” and search for the proper Root CA Certificate. If you do not have the Root CA certificate in your trusted root store, your CA Administrator can obtain a copy for you from the CA by selecting the “Properties” of the Certificate Authority and selecting “View Certificate”.

2)   Once you have the certificate open, select the “Detail” tab and then select “Copy to File”.

3)   When the “Certificate Export Wizard” appears, click “Next”.

4)   Select “DER encoded binary X.509(.CER)” and click “Next”.

5)   Select a location to export the certificate to and then click “Next”.

6)   On the “Complete the Certificate Export Wizard”, click ‘Finish”.

Trusting your Root Certificate Authority in Manageability Commander

Now that you have a copy of the Root CA certificate, you are able to configure Manageability Commander so that it can manage a vPro client provisioned by SCCM.

1)   If you have not already done so, you can download a copy of the Manageability Tool Kit from the following location: http://software.intel.com/en-us/articles/download-the-latest-version-of-manageability-developer-tool-kit/. Follow the onscreen instructions on how to install it.

2)   Once Manageability Tool Kit is install and Manageability Commander is open, select “File” -> “Certificate Manager”.

3)   In the “Certificate Manager” window, ensure you delete all other existing certificates by highlighting them and clicking the “Delete” button. After which, select “Import”.

4)   Browse for the Root Certificate Authority Certificate you exported (which is the Root CA Certificate that is chained up from your AMT Web Server certificates) and click “Open”.

5)   Back in the “Certificate Manager” window, click the “Refresh Displayed Certificates” button. You should now see your CA in the “Trusted Root Certificates” list. Click “Close” to exit the Certificate Manager window.

Adding a Client to Manageability Commander

Once the Root CA certificate has been trusted, you can now add the client (that is provisioned by SCCM) you want to manage via Manageability Commander.

1)   To add the vPro client, select “File” -> “Add” -> “Add Intel® AMT Computer”.

2)   When the “Add Intel® AMT Computer” window appears, enter in the full qualified domain name (FQDN) of the client you want to manage. If you want Manageability Commander to use Kerberos authentication of the local user logged, leave the Username and Password blank. If you want to specify a different Kerberos user then the local logged on user, enter in the desired Kerberos user as domain\user and the appropriate password. Click “OK” to close the “Add Intel® AMT Computer” window.

3)   Once you have added the vPro client, you should see it in the list of clients to manage. Right click on the client, and select “Connect”.

4)   Once connected, you can invoke any of the vPro / AMT use cases that the Manageability Commander Tool supports on the client provisioned and also managed by SCCM.

Debugging Connection

If you are having connection issue, you can perform some general troubleshoot by viewing the debug information.

1)   To view the debug information, select “Help” -> “Show Debug Information...”

2)   Once the “Manageability stack” window opens, you can see additional detail of any issues encountered.

--Matt Royer

Microsoft SCCM 2007 SP1 Intel vPro Training Videos

We’re pleased to announce the availability of Microsoft SCCM 2007 SP1 Intel vPro Training videos. During a recent training event in Redmond, Washington, we had the cameras rolling for this detailed and robust training experience and it is now available for you to experience and utilize.

Below is an overview and link for each training section.

Please let us know if you have questions or comments regarding this material.

This resource along with other resources on the Intel vPro Expert Center can assist you in answering questions when deploying Intel vPro clients in conjunction with Microsoft System Center Configuration Manager 2007 SP1.

this weekend I received a link that had a pretty good Q&A from Microsoft about OOB (out of band management). I found it a good resource to answering typical questions that are brought up during a Pilot of the technology.

http://blogs.technet.com/wemd_ua_-_sms_writing_team/archive/2008/10/03/overflow-additional-quiz-questions-for-out-of-band-management-amt.aspx

Enjoy the Q&A. Thank you Sergio for forwarding it..

While working on-site with a customer and a Microsoft SCCM Technical Consultant, I was shown a great capability in the OS to force the SCCM client agent to check its AMT auto-provisioning policy at will.

The Windows OS ships with a utility called Windows Management Instrumentation Tester that can be used to force the SCCM agent to check its AMT Auto-Provisioning Policy (standard WMI calls). The following steps show this manual method that you can perform with this utility, either locally or remotely, to force this check. By default the SCCM server's site control file sets the agent check to automatically run every 24 hours. However, in a lab or testing environments this 24 hour default cycle is not convenient. With these steps below, you can execute this check at will or even use while troubleshooting issues. To perform these steps, you must have administrative privileges on the target OS.

After the manual steps listed below, Matt Royer has provided a reference to a .vbs file that performs these steps to help automate the process. Feel free to use these steps and scripts for your environment. And if you find new and/or improved methods with these WMI calls, please post for others to learn from.

Manual Steps to issue WMI command:

To perform these steps automatically through a .vbs script:

• All you need to do is run the following command:

cscript sendsched.vbs {00000000-0000-0000-0000-000000000120} <target vpro machine name with sccm client>

sendsched.vbs is piece of code included in the SMS 2003 Toolkit: http://technet.microsoft.com/en-us/sms/bb676787.aspx

00000000-0000-0000-0000-0000 00000120 is the scheduled ID for auto-provisioning policy.

Microsoft has just released two additional hotfixes that address issues with System Center Configuration Manager SP1 and vPro/AMT Out of Band Management. Please reference the following WIKI for a comprehensive list of required software bundles and hotfixes for SCCM SP1 and vPro/AMT Out of Band Management: http://communities.intel.com/openport/docs/DOC-1897

System Center Configuration Manager 2007 (KB955355):

• Description: A distinguished name that contains more than 100 characters and that is discovered from Active Directory for an AMT host causes the SMS_EXECUTIVE service to crash in System Center Configuration Manager 2007

• URL: http://support.microsoft.com/kb/955355

System Center Configuration Manager 2007 (KB956337):

• Description: System Center Configuration Manager 2007 Service Pack 1 is unable to remove AMT user ACLs during the provisioning process for AMT 2.x computers

• URL: http://support.microsoft.com/KB/956337

--Matt Royer