Microsoft has just released System Center Configuration Manager Service Pack 2.  In addition to providing feature parity with SP1 and AMT firmware versions 3.2.1, 4.0 and 5.0, the following new features are supported:

• Wireless management with up to 8 wireless profiles
• End point access control: 802.1x support
• Audit logging
• Support for different power states
• Power control options at the collection level
• Data storage
• Scheduling configuration for in-band provisioning

You can download it from the following location:http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=3318741a-c038-4ab1-852a-e9c13f8a8140#tm

--Matt Royer

An updated version of the SCS to SCCM migration utility has just been released.  For those customers that were previously activated on the SMS Add-on and the Intel SCS, this utility will help ease your migration to SCCM SP1 or the upcoming SCCM SP2.  This new version has been tested and validated to support up to SCS 5.x and SCCM SP2.

The SCS to SCCM migration utility is used to prepare Intel® Active Management Technology (Intel® AMT) systems, that were configured using the Intel® Setup and Configuration Service (Intel® SCS) and managed by any management console, to be configured and managed by Microsoft* System Center Configuration Manager (SCCM).

The migration utility is an executable (SCS_2_SCCM_Migration_Utility.exe) that performs the following:

1. Creates a Comma Separated Values (CSV) file containing information on all Intel AMT systems configured by the Intel SCS that are to be migrated. This CSV file includes the data about these systems that is needed by SCCM and is imported to SCCM before the actual migration.
2. Performs a series of tasks (including partial unconfiguration) that bring the Intel AMT systems to a state that will enable the SCCM to configure them.
3. Removes the records of the migrated Intel AMT system from the SCS database.

Once the Intel AMT systems are unconfigured they will send out “Hello” messages to SCCM, which will then configure the systems.

The SCS to SCCM migration Utility can be downloaded from the following location: http://software.intel.com/en-us/articles/intel-amt-setup-and-configuration-service-scs-to-microsoft-system-center-configuration-manager-sccm-system-migration/

--Matt Royer

This information is based on Microsoft’s Release Candidate of System Center Configuration Manager Service Pack 2 and is subject to change.

There are several new features / changes that are coming with ConfigMgr SP2 related to AMT / vPro functionality.  As noted in previous articles, some of the more obvious changes are:

OOB Wireless Management: Wireless Profile Management

• Provide configuration of up to eight (8) wireless profiles per site that are available to AMT clients assigned to that site
• Set the wireless information during AMT provisioning and configure all required profile settings (SSID, key management, encryption, etc.
• Send wireless profile operations to the Intel translator on AMT systems with revisions earlier than 3.2.

End Point Access Control: 802.1x support

• Provision 802.1x settings on AMT wireless clients during AMT provisioning
• Send 802.1x settings operations to the Intel translator on AMT systems with revisions earlier than 3.2.1

Data Store (3PDS)

• Write string data into 3PDS on AMT through OOB management console

Access Monitor: Audit Log

• Enable or Disable Audit Log (no critical event settings)
• View Audit Log through OOB Console

Remote Power Management

• Power State Configuration

However, Microsoft has also made some more subtle changes between SCCM SP1 and SP2 to improve the end user experience that you may have not notice.

• In-band Provisioning attempt schedule:  With SCCM SP1, in-band provisioning was hard coded to initiate once every 24 hours.  SCCM SP2 now supports the ability to set the provisioning attempt schedule to a configurable value within the Out of Band Management Properties - Provisioning Schedule Tab.
• Handling wired and wireless contented clients with in-band provisioning:  To provision an AMT / vPro client with SCCM 2007, first stage provisioning must be completed on the wired interface.  With SCCM 2007 SP2, the wired interface information will be sent along with the AMT One Time Password (OTP) during agent initiated in-band provisioning.  Second stage provisioning can then occur over either wireless or wired interface (which one is resolved by DNS).
• Out of Band Provisioning disabled by default:  The ability to use Out of Band provisioning (provisioning through AMT hello packet initiation) is configurable and defaulted to disabled with SCCM 2007 SP2.  If you are using Out of Band provisioning, you will need to enable it after upgrading from SCCM SP1 to SCCM SP2.  This is configured on the Out of Band Management Properties - General Tab.
• Opening the Out of Band Console ensures an updated Kerberos token:  With SCCM SP1, occasionally you would run into a scenario where the Out of Band Management Console would attempt to connect with an expired or involved Kerberos token; this would prevent OOB Console from properly authenticating with the AMT / vPro Client.  This was common if you tried to connect to an AMT / vPro client immediately after an AMT client reprovision.  The Out of Band Management Console with SCCM SP2 now refreshes the Kerberos token to ensure a proper connection.
• AMT / vPro client provisioning prevented if Configuration Manager Client is blocked or not approved:  If an SCCM client is block or not approved within with the site server, SCCM will not allow you provision an AMT / vPro client.
• AMT PKI Certificates are revoked during an Update Management Controller:  If you have wired or wireless 802.1x authentications being used, SCCM will revoke these certificates and new certificate will be requested & issued.  As a clarifying note, the AMT TLS certificate used to secure the manageability traffic will not be revoked during this process.
• Power control available for collection execution:  SCCM SP2 now allows the execution of an AMT power control on an entire collection just by right clicking on the collection and selecting Out of Band Management -> Power Control.  Previously with SCCM SP1, you were required to multi-select all the clients in that collection to perform the same function.
• Serial over LAN (SOL) requires manual initiation with the Out of Band Management Console:  With SCCM SP1, when you opened the Out of Band Management Console, the SOL session was automatically started.  In SCCM SP2, you are now required to open and close the Serial over LAN connection via a new button or with the new Tools menu option.
• IDE-Redirect Log renamed: What was previous known as the System Audit Log in SCCM SP1 within the Out of Band Management Console has been renamed to IDE-Redirect Log.  This was done to allow the AMT Audit Log to assuming that name.
• Working with AMT Data Storage: Within SCCM SP2, you are now able to interact with the AMT / vPro 3rd Party Data Store through the new button added in Out of Band Management Console labeled Data Storage.  Note that the data storage is limited to ASCII characters and length of 4096 bytes.

--Matt Royer

Microsoft has recently updated the Configuration Manager Documentation Library for out of band management for SP2, including revisions to troubleshooting issues.  Some of these revisions are also applicable to Configuration Manager 2007 SP1, but they can't publish them with their monthly updates because of the new SP2 content.  Rather than waiting until SP2 is released, they have included the revisions here that affect existing customers using out of band management in Configuration Manager 2007 SP1.

http://blogs.technet.com/configmgrteam/archive/2009/08/13/updated-troubleshooting-information-for-out-of-band-management-sp1.aspx

--Matt Royer

This information is based on Microsoft’s beta release of System Center Configuration Manager Service Pack 2 and is subject to change.

Within the SCCM SP2 beta, Microsoft has included support for AMT Audit Log.  Audit Log was introduced in AMT version 4 and provides a mechanism to captures the occurrence of significant AMT events and who performed those actions.

Before you begin, you must configure SCCM SP2 on which AMT Audit Log events it turns on.  This can be done by selecting Out of Band Management properties under "Site Database" -> "Site Management" -> <Site Code> -> "Site Settings" -> "Component Configuration" -> “Audit Setting” Tab.

Unlike other AMT feature enablement with SCCM, Audit log is not enabled during Provisioning or through the Update Management Controller process; it must be performed as a post provisioning step.  To enable the AMT Audit log, you must right click on the AMT client and select “Out of Band Management” -> “Enable Auditing and Apply Audit Log Settings”.  You can also disable and clear the audit log from this menu as well.

Once enabled on the AMT Client, you can access the AMT Audit Log through the Out of Band Management Console available through right clicking on the AMT client and select “Out of Band Management” -> “Out of Band Management Console”.

--Matt Royer

Updated August 2009

These instructions are for Windows 7 builds 7077 and beyond.

Several Intel based platforms contain Management Engine Interface (MEI) and Serial over LAN (SOL) devices.  Windows 7 drivers for these devices have been made available to OEMs for currently shipping platforms (2008 / 2009 model desktop and mobile PCs).  MEI and SOL Windows 7 driver support for previous generation PCs (2007 desktop and mobile) is planned for early Q1, ’10.

To enable Windows 7 testing and evaluation,  prior to driver availability, MEI and SOL Vista drivers, either pre-loaded on your PC or available from the OEM, can be installed on the Windows 7 Release Candidate or RTM OS builds by utilizing Windows 7 compatibility mode.  The following instructions can be used to install the MEI and SOL Vista drivers:

1. Locate or download the released MEI and SOL Vista drivers from your OEM
2. Locate the setup.exe file for the device to be installed
3. Right click on the setup.exe and select properties
4. Select the Compatibility tab
5. In the compatibility mode section check the box “Run the program in compatibility mode for:”
6. Select the following in the drop down “Windows Vista (Service Pack 2)”
7. At the bottom of the properties window set the privilege level by checking the box in front of “Run the program as an administrator”
8. Click Apply
9. Click OK to exit out of the properties window
10. Double click on the setup.exe and follow the normal install/setup steps

Microsoft has just released Hotfix KB960804.  This is a hotfix rollup package that addresses issues that involve the Out of Band Management (OOB) feature in Microsoft System Center Configuration Manager 2007 Service Pack 1 (SP1). These issues are documented in the following Microsoft Knowledge Base articles: (Even if you have all or some of the other Hotfixes installed that are included in this rolled up HotFix, it is recommended that you install KB960804 Roll-up Hotfix)

• 954718: You cannot use the Out of Band Management console in Configuration Manager 2007 to connect to computers that use versions of Intel AMT that are earlier than version 3.2.1
• 955114: The SMS_Executive service process may crash when the System Center Configuration Manager 2007 SP1 Hierarchy Manager handles the site control (.ct2) file from child sites that are running the RTM version of Configuration Manager 2007
• 955126: The SMS_Executive service process (Smsexec.exe) in System Center Configuration Manager 2007 may crash if you have Intel AMT-related software installed
• 955355:  A distinguished name that contains more than 100 characters and that is discovered from Active Directory for an AMT host causes the SMS_EXECUTIVE service to crash in System Center Configuration Manager 2007
• 956337: System Center Configuration Manager 2007 Service Pack 1 is unable to remove AMT user ACLs during the provisioning process for AMT 2.x computers
• 957183: You cannot add a group as an AMT user account in Configuration Manager 2007 Service Pack 1 if the group name has more than 20 characters
• 957469: The Out of Band Power control function does not work for clients that have the Intel AMT 4 or Intel AMT 5 chipset in System Center Configuration Manager 2007 Service Pack 1
• 959700: The Out of Band Management console in Configuration Manager 2007 Service Pack 1 cannot connect to AMT-enabled computers
• 960741: The SMS_Executive service process crashes on a Configuration Manager 2007 Service Pack 1 site server when you use Intel WS-MAN Translator to provision computers that are equipped with AMT 3.2.1 chipsets
• 961328: System Center Configuration Manager 2007 Service Pack 1-based systems cannot provision AMT 2.2/2.6 clients in PKI mode and AMT 2.1/2.5 clients in PSK mode

--Matt Royer

An updated version (release 1.1 - build 552) of the Intel WS-MAN Translator has just been released. Updated features include:

• Provides support for running on 64-bit systems

• Provides additional translation services for legacy systems such as wireless profiles, and 802.1x.

• You can upgrade from existing builds by using this VB Script or it can be installed on its own.

To download the latest version, please visit: http://software.intel.com/en-us/articles/intel-ws-management-translator

Upgrading from Intel WS-MAN Translator 1.0 to Intel WS-MAN Translator 1.1 (Build 552)

To upgrade a previous version of the Intel WS-Man Translator to a newer version, download the Update Translator VBScript and run it in the same folder that the latest Translator MSI is located. This will upgrade your WS-MAN Translator version and keep your previous configuration setting.

Fresh install of the Intel WS-MAN Translator

Generate a Certificate Request on SCCM Server for Intel WS-MAN Translator

1. On the SCCM Server, go to Start &gt; All Programs &gt; Administrative Tools &gt; Internet Information Services (IIS)

2. Expand Web Sites and Right Click on Default Web Site and select Properties
   *!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1723/GenerateCert1.JPG!*

3. In the Default Web Site Properties windows Select the Directory Security Tab. In the Secure Communications section, click the Server Certificate button
   !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1724/GenerateCert2.JPG!

4. This will launch the Web Server Certificate Wizard. Click Next
   *!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1725/GenerateCert3.JPG!*

5. In the IIS Certificate Wizard Window, select Create a new certificate . Click Next
   *!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1726/GenerateCert4.JPG!*

6. Select Send the request immediately to an online certification authority. Click Next
   !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1727/GenerateCert5.JPG!

7. Enter a Name for the certificate: WS-MAN Translator Server Certificate. Click Next
   !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1728/GenerateCert6.JPG!

8. Enter Organization Information (Organization and Organizational Unit) and Click Next
   *!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1729/GenerateCert7.JPG!*

9. Enter the Common name: This is the FQDN of your server you are installing the Intel WS-MAN Translator on and should be the same as the FQDN of your SCCM Server. Click Next
   !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1730/GenerateCert8.JPG!

10. Enter in your Geographical Information. Click Next
    !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1731/GenerateCert9.JPG!

11. Enter 443 for the SSL Port for this web site. Click Next
    !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1732/GenerateCert10.JPG!

12. In the Choose a Certification Authority Window, select your issuing Certificate Authority. Click Next
    *!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1733/GenerateCert11.JPG!*

13. Confirm your request and click Next
    !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1734/GenerateCert12.JPG!

14. Once Wizard is complete, click Finished
    *!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1735/GenerateCert13.JPG!*

Set Delegation for the SCCM Server

1. On your Domain Infrastructure Image, Click Start &gt; All Programs &gt; Administrator Tools &gt; Active Directory Users and Computers &gt; vprodemo.com &gt; Computers. Right Click on SCCM Server and select Properties.
   !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-11434-1782/Computer.JPG!

2. Check the box Trust Computer for Delegation and click OK
   *!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-11434-1781/delegation.JPG!*
   Note: If you do not allow this, you will need to setup the WS-MAN Translator (during configuration steps) run time account with a user that has permission to the AMT client. At that point the credentials configured in the run time account are used to manage the client for Kerberos authentication.

Installing the Intel WS-MAN Translator

1. On the SCCM Server, run the Intel WS-MAN Translator Setup

2. In the Intel WS-Management Translator setup window, click Next
   *!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1736/Install1.JPG!*

3. In the Intel WS-Management Translator setup window, click Next
   *!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1737/Install2.JPG!*

4. During the installation, keep all of the Default settings until installation wizard is complete and install has finished.
   !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1738/Install3.JPG!
   !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1740/Install5.JPG!

Configuring the Intel WS-MAN Translator

1. Click Start &gt; All Programs &gt; Intel WS-Management Translator &gt; wtranscfg.exe to configure the Translator

2. In the WS-Translator Configuration Wizard Window, Set common setup accounts, Set TLS/forwarding options, & Set WinRM Options. Click Next
   *!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-11641-1935/config1.JPG!*

3. In the Set initial setup password window, enter the password you configured within SCCM Out of Band Management Properties &gt; Provisioning setting Section &gt; MEBx Account. Click Next
   *!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1719/ConfigTrans2.JPG!*

4. In the Set Common Pre-Shared Key window, should select a more random and secure PID and PPS for security reasons. Click Next.
   !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1720/ConfigTrans3.JPG!

5. In the Import Common Setup Certificate, Click Browse and select the Same Certificate you used in SCCM Out of Band Management Properties &gt; Certificates Section &gt; Provisioning Certificate. Click Next.
   !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1721/ConfigTrans4.JPG!

6. In the Select TLS/forwarding options windows, select (default Options): Listening Port: 443 & Forwarding Port: 16993. For the Server Certificate: select the WS-Man Translator certificate created in previous step.
   !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1722/ConfigTrans5.JPG!

7. Select Allow Basic Authoziation and Click Finished. Click OK to Restart the Translator Service.
   !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-11641-1936/config2.JPG!

Configuring SCCM SP1 to use the Intel WS-MAN Translator

1. Within System Center Configuration Manager Out of Band Management Properties &gt; Provisioning setting Section &gt; AMT Settings. Check the option for Enable support for Intel WS-MAN Translator. Once selected, click Apply.
   *!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1717/ConfigSCCM1.JPG!*

--Matt Royer