this weekend I received a link that had a pretty good Q&A from Microsoft about OOB (out of band management). I found it a good resource to answering typical questions that are brought up during a Pilot of the technology.

http://blogs.technet.com/wemd_ua_-_sms_writing_team/archive/2008/10/03/overflow-additional-quiz-questions-for-out-of-band-management-amt.aspx

Enjoy the Q&A. Thank you Sergio for forwarding it..

For those that are not aware, our friends at Microsoft maintain a great blog on System Center Configuration Manager. The blog is used by the SMS Writing team to keep you informed about the content they are writing, the availability of new documents, updates to documents, and other news. The blog is also intended to collect feedback from you, their customers, about existing content and what you'd like to see in the future.

If you haven't already subscribed to the feed, I would highly recommend it. http://blogs.technet.com/wemd_ua_-_sms_writing_team/

This week they have a great article on "[Quiz Questions for Out of Band Management (AMT)|http://blogs.technet.com/wemd_ua_-_sms_writing_team/archive/2008/10/03/overflow-additional-quiz-questions-for-out-of-band-management-amt.aspx]"; take a couple minutes and check it out.

--Matt Royer

If you are using SCCM SP1 with AMT 3.2.1 machines (ex: HP7800P) and you see the following error.. this post is for you.

Here is what MEinfo read back during this state of detection

If you do, no need to be frustrated, just need to run a couple of steps to get back on the road. You can utilize Matt Royer's blog at Intel AMT 3.2.1 Self-signed certificate issue and working around it for Microsoft System Configuration Manager SP1

For me I had to give it a go myself, so Nick & I did the following:

• secured our SCCM environment

• borrowed 2 new HP boxes in the box

• downloaded the vbscript file, wsman translator.

After 3 trial runs at it, we captured the video today and here it is. Here are the top things I wish I knew prior to installing:

#1. OOB settings is under component configuration (Under site settings) in SCCM

#2. Having your cert (*.pfx) file downloaded and handy is important (and it's in the dictionary)

#3. Make sure you run the following: winrm set winrm/config/client/auth @{Basic="true"} on the console your running the box on

#4. Be patient - this was the single hardest thing during this process for me..

Here's the video.

My recommendation, if your stuck in this state on your machines, follow Matt's blog, check out my video and then ask if any questions..

Microsoft has just released 2 hotfixes that address issues with System Center Configuration Manager SP1 and vPro/AMT Out of Band Management. Please reference the following WIKI for a comprehensive list of required software bundles and hotfixes for SCCM SP1 and vPro/AMT Out of Band Management: http://communities.intel.com/openport/docs/DOC-1897

System Center Configuration Manager 2007 (KB954718):

• Description: You cannot use the Out of Band Management console in Configuration Manager 2007 to connect to computers that use versions of Intel AMT that are earlier than version 3.2.1

• URL: http://support.microsoft.com/kb/954718

System Center Configuration Manager 2007 (KB955126):

• Description: The SMS_Executive service process (Smsexec.exe) in System Center Configuration Manager 2007 may crash if you have Intel AMT-related software installed

• URL: http://support.microsoft.com/KB/955126

--Matt Royer

Note:  The Self Signed Certificate issue was corrected with AMT firmware 3.2.2.  Please work with your OEM to secure the 3.2.2 firmware update.  -- Matt Royer

Summary

An issue has been identified that may cause the remote configuration provisioning process to fail when using Microsoft System Center Configuration Manager (SCCM) on systems that have been upgraded from Intel AMT 3.x firmware to 3.2.1 firmware. The Self-signed certificate used to establish the initial PKI provisioning (Remote Configuration) connection is being read as invalid, which causes this failure.

The recommended resolution is to perform a provision and un-provision of the system to regenerate the Self-signed certificate. This resolves the certificate being read as invalid and prepares the PC to be provisioned successfully by SCCM. This can be accomplished locally at the PC or remotely from the console. Both scenarios are documented in detail below but local provision/un-provision will require entering the Management Engine BIOS Extension (MEBx) screen at the local machine. To perform this action remotely, the community has developed a software-based script to execute a remote provision/un-provision. The script should be run for vPro clients experiencing this issue prior to SCCM provision. Once the script is executed, the vPro clients can then be natively provisioned by SCCM.

Background
vPro Clients that are experiencing the issue will show up as AMT Status "Detected" within the Collection View after a Management Controller discovery and will exhibit with the following error in the amtopmgr.log:

During SCCM Management Controller Discovery
Error 0x80090308 returned by InitializeSecurityContext during follow up TLS handshaking with server.
Error 0x6fcb970 returned by ApplyControlToken
*During a SCCM Provisioning attempt*
Error 0x80090308 returned by InitializeSecurityContext during follow up TLS handshaking with server.
Error 0x261b948 returned by ApplyControlToken

Note: An AMT Status of "Detected" can occur for a variety of reasons; in general it means that the SCCM Out of Band Service Point is unable to establish an initial connection with the AMT client. This scenario can also occur when the computer has been previously provisioned for AMT outside Configuration Manager and the password for the AMT Remote Admin Account or the MEBx Account has been changed and is unknown.

When trying to provision a vPro Client that has a firmware version less than 3.2.1 that is impacted with the Self-signed Certificate issue, SCCM will forward the request to the Intel WS-MAN Translator (which is required for provisioning and management of a vPro Client less than 3.2.1.) The Intel WS-MAN Translator will handle provisioning the vPro client despite the invalid Self-signed Certificate. The steps listed below should not be required for firmware versions less than 3.2.1 if you have the Intel WS-MAN Translator installed and properly configured.

As an interim workaround for vPro Clients 3.2.1 experiencing the issue, you can either locally (through the MEBx) or remotely provision and un-provision the AMT client. The un-provisioning process will regenerate a new Self-signed Certificate within the AMT Management Engine, after which, SCCM can natively use this newly generated certificate to establish the initial secure connection during the provisioning process.

Provisioning via Pre-Shared Key (PSK) is not impacted by the Self-signed Certificate issue; however, to leverage PSK provisioning you will need to install / configure the Intel WS-MAN Translator and load the PID/PPS pair into the vPro client. PID/PPS configuration within the vPro client requires either manual configuration via Management Engine BIOS Extension (MEBx) or One Touch Provisioning through USB key import.

Local Provision / Un-provision

To performing a Provision / Un-provision locally on the vPro Client

1. Log into the MEBx by pressing Ctrl-P during POST

2. If you have not changed the default admin password already, login in with "admin" as the password. If you have already changed the MEBx password, log in with the password you changed it to

3. Within the MEBx Menu, select "Change Intel(R) ME Password".

4. 1. When presented with "Intel (R) New ME Password", Enter in the same password you configured in SCCM Component Configuration -> Out Of Band Management -> General Tab -> MEBx Account.

   2. When presented with "Verify Password", re-enter the password.

5. From the MEBx Menu, select "Intel(R) AMT Configuration"

6. Within the Intel(R) AMT Configuration Menu, select "Provision Model"

7. 1. When presented with "Change to Intel(R) AMT 1.0 Mode: (Y/N)", enter "N"

   2. When presented with "Change to Small Business : (Y/N), enter "Y"

8. When returned to the Intel(R) AMT Configuration Menu, select "Unprovision"

9. 1. When presented with "Reset Intel(R) AMT Provisioning: (Y/N), enter "Y"

   2. When presented, ensure you select "Full Unprovision" and press enter

10. When returned to the Intel(R) AMT Configuration Menu, select "Return to Previous Menu"

11. When returned to the MEBx Menu, select "Exit"

12. 1. When presented with "Are you sure you want to exit: (Y/N)", enter "Y"

13. Allow vPro Client to reboot fully

After performing the local Provision / Un-provision, you should be able to do a rediscovery of the Management Controller within SCCM and see that the AMT Status is now reflected as "Not Provision". With the vPro Client in a "Not Provision" state, SCCM will be able to natively provision the client without issues. Although fairly simplistic, one of key disadvantages of locally provisioning and un-provisioning the vPro Client is that you will need to have physical (touch) access.

Remote Provision / Un-provision

To perform a Provision / Un-provision remotely on the vPro Client, the community has created a visual basic script that will perform the function remotely. In an attempt to reduce the complexity, the VBScript leverages the Intel WS-MAN Translator to provide the authentication and remote configuration connection. To leverage this remote Provision/Un-provision capability, you must have the Intel WS-MAN Translator installed and configured prior to executing the VBScript. Please visit the following Blog to learn how to install and configure the Intel WS-MAN Translator.

The VBScript and guide can be download from the following location (http://communities.intel.com/docs/DOC-1850) and contents can be decompressed to a folder on either your SCCM server or on workstation that you want to run the script from. Please note that you must have WINRM basic authentication switched to "true" on the computer you are planning to run the VBscript from; WINRM Basic Authentication is required for connections to the Intel WS-MAN Translator to work properly. To turn WINRM Basic Authentication to true, run the following command from the command line:

winrm set winrm/config/client/auth @{Basic="true"}

With the archive file decompressed, you will see two VBScripts in the folder: SelfSignedFix.vbs and ExecFromCollection.vbs. SelfSignedFix.vbs is the VBScript that will perform the remote Provision / Un-provision. To use the SelfSignedFix.vbs, there are several parameters you must supply for it to work properly:

• Intel WS-MAN Translator URL: This is the secure URL on which the Intel WS-MAN Translator is listening

• The Hostname, FQDN, or IP Address of the vPro Client: This is the vPro Client that is having the issue with the Self-signed Certificate and needs to be Provisioned / Un-provisioned

• Log File Location: This is the folder or share where the results of the provision / un-provision will be logged for the client. Note that SelfSignedFix.vbs script will automatically create a new log with the filename of the hostname, FQDN, or IP Address you used as the previous parameter.

• Screen Output: Whether (Y) or not (N) to display the Provisioning / Un-provisioning output on the console screen.

Critical Note: Prior to executing the SelfSignedFix.vbs, it is imperative that you change the MEBx password in the SelfSignedFix.vbs VBScript to match what is configured in SCCM Component Configuration -> Out Of Band Management -> General Tab -> MEBx Account.

As a general reference, you can only change the MEBx password remotely once and only if the vPro Client is in a factory default state (never been provisioned). Since this VBScript remotely provisions and un-provisions the vPro client, we must set the MEBx password during this provisioning process. To Change the MEBx password, open SelfSignedFix.vbs with any text editor and modify (line 19) with your environment specific information:

Const SCCMMEBxPassword = "P@ssw0rd" to Const SCCMMEBxPassword = "<your SCCM MEBx password>"

Note: If you have already changed the MEBx password, the MEBx password will not changed; however, you should still change the SCCMMEBxPassword in SelfSignedFix.vbs VBScript to match your SCCM Configuration in case you run into a vPro Client where you have not changed the MEBx password yet.

With the MEBx Password modified, here are some examples of how the SelfSignedFix.vbs can be run from the command line:

• cscript SelfSignedFix.vbs

  vpro-client.vprodemo.com c:\temp N
  
  
  

• • The script will connect to the Intel WS-MAN Translator listening on https://sccmsp1.vprodemo.com/ to perform the Provision / Un-provision on vpro-client.vprodemo.com. c:\temp\vpro-client.vprodemo.com.log will be generated with the results of the provision / un-provision and those results will not be displayed on console.
    !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-11443-1769/4.JPG!

• cscript SelfSignedFix.vbs

  vpro-client "
  sccmsp1\certfix$\error logs" Y
  
  
  

• • The script will connect to the Intel WS-MAN Translator listening on https://sccmsp1.vprodemo.com/ to perform the Provision / Un-provision on vpro-client.
    sccmsp1\certfix$\error logs\vpro-client.log will be generated with the results of the provision / un-provision and those results will be displayed on console.
    !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-11443-1770/5.JPG!

• cscript SelfSignedFix.vbs

  192.168.0.101 "" Y
  
  
  

• • The script will connect to the Intel WS-MAN Translator listening on https://sccmsp1.vprodemo.com/ to perform the Provision / Un-provision on client located at IP address 192.168.0.101. 192.168.0.101.log file will be generated in the current working directory that the script was ran from with the results of the provision / un-provision and those results will be displayed on console.
    !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-11443-1771/6.JPG!

After running SelfSignedFix.vbs, you should be able to do a rediscovery of the Management Controller within SCCM and see that the AMT Status is now reflected as "Not Provision". With the vPro Client in a "Not Provision" state, SCCM will be able to natively provision the client without issues.

Provision / Un-provision Log

Similar to what is displayed in the previous screen shots, a successful remote Provision / Un-provision log will look like the following:

**Begin Execution 8/11/2008 8:22:22 PM*************************
Connecting to https://sccmsp1.vprodemo.com/wstrans/setup/eoi20/192.168.0.101/wsman
Setting AMT Clock
Setting HostName
Setting TLS settings
Setting new MEBx Password
CommitChanges
CommitChanges_OUTPUT
ReturnValue = 2057

Unprovision
PartialUnprovision_OUTPUT
ReturnValue = 0
**End Execution 8/11/2008 8:22:30 PM*************************

In an event that vPro Client is inaccessible to be remotely provisioned / un-provisioned, the error log will look like the following:

**Begin Execution 8/11/2008 8:22:12 PM*************************
Connecting to https://sccmsp1.vprodemo.com/wstrans/setup/eoi20/192.168.0.100/wsman
Unable to connect to AMT Device: 192.168.0.100
**End Execution 8/11/2008 8:22:12 PM*************************

This error can occur for a variety of reasons. Some common causes of this error are:

• vPro Client is not accessible on the network

• vPro Client is already provision

• Remote Admin password for the vPro Client has already been changed from the factory default. If the remote admin password has been changed, you can modify SelfSignedFix.vbs with the correct password.
  !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-11443-1772/7.JPG!

In either case, you will need to root cause why the vPro Client was not remotely accessible to be provisioned / un-provisioned. You can then run SelfSignedFix.vbs at a later time to retry and remotely provision / un-provision.

Automating the execution of SelfSignedFix.vbs within SCCM

To avoid having to run SelfSignedFix.vbs on each impacted system individually, there are a couple of automated procedures you can perform depending on what is right for your environment. To identify and isolate the vPro Clients that are impacted by the invalided Self-signed Certificate, you can create a SCCM Collection using the following criteria "Select * from sms_r_system where AMTStatus=1"; this will automatically bucket all the vPro Clients listed as AMTStatus Detected in a single collection for easy identification.

For step by step instructions on how to create the collection for vPro Clients with the AMT Status of Detected, please reference the guide included with the scripts.

Once you have the impacted vPro Clients in a single collection, you can either use SCCM Advertisements to push and execute SelfSignedFix.vbs from the client or you can use the included ExecFromCollection.vbs to connect directly to collection and execute SelfSignedFix.vbs on an enumerated list of members in that collection.

Critical Note: Before proceeding to use one of these large execution methods, it is recommended that you test your configuration (both SelfSignedFix.vbs and Intel WS-MAN Translator) by testing on a few impacted system individually first. Once you run SelfSignedFix.vbs steps above on these select impacted vPro Clients, you need to ensure you are able to natively provision the client within SCCM before you move onto a more automated implementation.

Using ExecFromCollection.vbs

ExecFromCollection.vbs is a VBscript that will connect to a desired collection, enumerate the list of members in the collection, and execute SelfSignedFix.vbs VBScript against each member in the collection. Prior to using ExecFromCollection.vbs, you must first change the SMSSiteCode, SMSServer, SMSCOLLECTION, and WSTransURL constants. To modify the required constants, open up ExecFromCollection.vbs with any text editor and change the following values with entries specific to your environment (Make sure you save your changes).

• SMSSITECODE : This is your SMS Site Code

• SMSSERVER : This is the FQDN of you SMS Site Server

• SMSCollection : This is the SMS Collection ID that you want to enumerate the list of vPro Clients from. You can find the Collection ID of a particular collection by right clicking on the collection and select "Properties"; the Collection ID will be at the bottom of the General Tab
  !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-11443-1774/9.JPG!

• WSTransURL : This is the secure URL in which the Intel WS-MAN Translator is listening on

Once the constants have been modified within ExecFromCollection.vbs, you can execute the VBscript by running the following Command Line:

cscript ExecFromCollection.vbs

ExecFromCollection.vbs will cycle through each enumerate member in the collection and execute SelfSignedFix.vbs VBScript against it. Prior to running ExecFromCollection.vbs, you need to ensure that the SelfSignedFix.vbs VBscript and ExecFromCollection.vbs VBscript are located in the same folder.

After running ExecFromCollection.vbs VBscript, you should be able to do a rediscovery of the Management Controller within SCCM and see that the AMT Status is now reflected as "Not Provision". With the vPro Client in a "Not Provision" state, SCCM will be able to natively provision the client without issues. For any vPro Clients that remain in a Detected state, review the log files to help isolate the root of their issue. For step- by-step instructions on using ExecFromCollection.vbs, please reference the Guide included in the download package.

Using SCCM Advertisement to Execution SelfSignedFix.vbs

In terms of leveraging SCCM Advertisements to push the SelfSignedFix.vbs down to the client and execute it, there are several different ways this could be done. This example simply pulls the SelfSignedFix.vbs off a remote share which is then executed by a SCCM Task Sequence. When the advertisement is picked up by the SCCM Client Agent, the task sequence is executed and SelfSignedFix.vbs is run on the vPro Client machine. Depending on your environment, you may want to leverage alternative methods of deploying and executing this with a SCCM Advertisement. Please note, that the SelfSignedFix.vbs is not performing any provision / un-provision commands locally on the client; although it is running on the local client, the provision / un-provision commands are being routed to the Intel WS-MAN Translator and then the commands are sent back down to the vPro client from the Intel WS-MAN Translator.

1. In preparation of creating a task sequence, create a remote share on a server where the SelfSignedFix.vbs will be run from and the log files generated from SelfSignedFix.vbs will be stored. Ensure sufficient permissions are granted to the account running the advertisement.

2. Create a New Task Sequence and give it a name that is easily recognizable. Make sure you create the Task Sequence with the option of "Create a new custom task sequence".

3. When you edit your task sequence, add a new "General"-> "Run Command Line" task.

4. Give the task an appropriate name and in the Command Line field enter in:
   cscript
   server\share\SelfSignedFix.vbs %COMPUTERNAME% "
   server\share" N
   ... where
   server\share is the remote share that you created and https://wsmantransurl/ is the secure URL of your Intel WS-MAN Translator. %COMPUTERNAME% is an OS environment variable that will give you the hostname of the client.
   !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-11443-1766/12.JPG!

5. Once the task sequence is created, you can advertise the task sequence on a Collection you created for just the AMT Detected vPro Clients.

6. Depending on your advertisement mandate, the next time the client's SCCM agent pulls down an updated policy it will execute the task sequence.

After running SelfSignedFix.vbs VBscript via the advertisement, you should be able to do a rediscovery of the Management Controller within SCCM and see that the AMT Status is now reflected as "Not Provision". With the vPro Client in a "Not Provision" state, SCCM will be able to natively provision the client without issues. For any vPro Clients that remain in a Detected state, review the log file and isolate the root of their issue.

Note: Depending on your Client OS configuration, it may be necessary to set WINRM basic authentication to "true" prior to execution SelfSignedFix.vbs; this can be accomplished by add winrm set winrm/config/client/auth @{Basic="true"} command line task prior to the execution of SelfSignedFix.vbs.

This blog was intended to give you a general understanding of the issue and the work arounds that are in place. For a comprehensive step-by-step guide, please refer to the documentation included with Remote Provision / Un-provision Script archive file. To download the Scripts and the Guide, please visit the following URL: http://communities.intel.com/docs/DOC-1850

--Matt Royer

For those that don't know, you can use the Intel AMT Web console as an alternative to running the out of band management console in Configuration Manager 2007 SP1 to manage vPro computers.

On more than a few occasions, people have been experiencing problems with connecting to the vPro AMT Web console after the vPro Client has been provisioned by SCCM. In every case that I have been involved in, it simply comes down to one or two of the following:

• Not having the required HotFix (KB908209) for IE 6 installed and registry entry for both IE6 & IE 7 added

• Connecting to the wrong URL of the vPro Client

• Not having the "Enable Web Interface" checked within SCCM "Out of Band Management Properties"

• Not connecting with a user that has appropriate access

Making sure you have KB908209 installed and having the registry key added for Internet Explore

There is a hotfix released for Internet Explorer 6 that addresses connecting to a web site with Kerberos authentication protocol that uses a non-standard port. Since you are trying to authenticate with Kerberos on a non-standard port when you connect to a vPro AMT Web console, you need this hot fix: http://support.microsoft.com/default.aspx/kb/908209. Keep in mind, besides the hotfix you also need to add a registry entry to allow the hotfix to be active (steps listed in the KB article). Here is the registry entry you need to add.

• For 32 Bit: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209\"iexplore.exe"=dword:00000001

• For 64 Bit: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209\"iexplore.exe"=dword:00000001

Although Microsoft included the hotfix into Internet Explorer 7, you still need to add the registry entry to get the authentication to work. Forgetting to add this registry entry tends to be the number 1 reason why people are having the problem!!!!

Connecting to the correct URL

When connecting to vPro AMT Web console, you must connect to the vPro Client with the following URL https://FQDN:16993 where the FQDN is the full qualified domain name of the vPro client (ie. https://vpro-client.vprodemo.com:16993). Using the IP address will not work (or at least you will get a warning about an invalid certificate) because SCCM has configured the vPro client to use TLS and the URL needs to match the certificate that was issued during the provisioning process. As a general reference, 16993 is the port that the TLS web services is listening on and you need connect with https since it's a secure connection

Ensuring you have "Enable Web Interface" check

To enable vPro AMT Web console support on the vPro Client, you need to verify that "Enable Web Interface" is checked within the SCCM "Out of Band Management Properties" - "AMT Settings" Tab. With this checked, SCCM (during the provisioning process) will configure the vPro Client to allow vPro AMT Web console access.

!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1712/Webui+checked.JPG!

Make sure you have permission

Since SCCM only supports Kerberos authentication (with exception of the Remote Admin account, who's password is only known by SCCM), you need to authentication with a Kerberos users that has been granted access to the vPro Client. If you are having problems authenticating, make sure the user you are trying to authenticate with is listed in the AMT User Accounts in the "Out of Band Management Properties" - "AMT Settings" tab.

--Matt Royer

Version 3.3 of the Intel Client Manageability Add-on has been released to bring more vPro manageability features to SMS. The following new features have been added:

• Scheduled power command operations on collections. (Note that scheduled power commands are not executed on subcollections.)

• Graceful shutdown (attempting to shut down a platform via its operating system) for Power Down operations on collections

• Changes in the way the Add-on interprets and applies IP site boundaries within SMS, including an optional registry switch. If the switch is set, if the platform's subnet does not appear in the SMS properties for the platform, the platform will be considered as being in the site boundaries. Note: There is no change in the way the Add-on interprets and applies Active Directory site boundaries.

Intel Client Manageability Add-on version 3.3 can be downloaded from the following location: http://downloadcenter.intel.com/Filter_Results.aspx?strOSs=All&strTypes=All&ProductID=2609&lang=eng&OSFullName=All%20Operating%20Systems :

--Matt Royer