Activation Blog


For those who have provisioned Intel AMT systems, you may wonder what takes place in the background. This article is for you! The process has often been covered at a high level, but here the technical details are provided. Hopefully this helps you understand the inner workings and gives you information to use when troubleshooting Provisioning issues. And for those of you who are technically minded, it's also neat to know! This information was compiled while working on issues and running through provisioning processes from Symantec Support.

Introduction

Often the Provisioning process for Intel vPro systems has been described as complex. This comes from the fact that the Provisioning process was designed with high security in mind. Since the initial release we have improved success rates by working with Intel to make the process more user friendly without compromising the high level of security. To this end this document will explain the process of Provisioning from a technical level, providing an unfiltered view of the process, also without compromising its security.

Provisioning Flow

The following process assumes that Altiris Out of Band Management and Intel SCS are installed, configured, and ready to go. This process follows the flow of Provisioning and what data points, technologies, and methods are used. The level of detail is meant to be a resource when working with Provisioning or troubleshooting Provisioning issues, so not all details are available for this process. Note the following points before moving through the process:

  • The console items in the Altiris Console under View > Solutions > Out of Band Management > Provisioning are not tied to the Altiris database like most of the rest of the Altiris Console. They connect through a virtual Website (AMTSCS under the Default Website of the SCS Server) to the IntelAMT database.
  • Data from two databases (IntelAMT and Altiris) are used during the Provisioning process.

The following articles can assist if you need information on these:


  1. The server is loaded with a security key or certificate. See the following two items for how these keys are loaded:
    1. For a PID PPS, keys are either randomly generated or imported into the IntelAMT database. Specifically, they reside in the table csti_pid_map. Once created or imported, they are available for verifying authentication of an incoming provisioning request from AMT.
    2. For TLS-PKI (certificate-based Remote Configuration), a certificate is loaded onto the server. See this article for details: http://juice.altiris.com/article/4496/obtaining-and-applying-a-verisign-remote-configuration-certificate.
  2. The clients need the matching keys loaded onto them. This is done differently depending on the type:
    1. For PID PPS, the keys are set by one of the following methods: the OEM sets it, it is entered manually into the Intel ME, or it is inputted via a one-touch USB flash drive. The PID and PPS are written into the firmware to be used as the authentication credentials when it looks for a provisioning server.
    2. For Remote Configuration (TLS-PKI), predefined hashes are burned into the firmware at the factory for the following certificate vendors (more to come in subsequent versions of AMT). This means AMT already has authentication keys to begin the provisioning process direct from the factory.
      • VeriSign
      • Comodo
      • GoDaddy
  3. The client machine, once it has its keys and has been connected to the network and power, uses one of two methods to find the Provisioning Server:
    1. The IP address of the server can be manually put into the Intel ME, including what port the SCS listener is configured for (default 9971). When this is done, the AMT client will transmit its Hello message directly to the IP address and port.
    2. The client will transmit its message on port 9971 to the name ‘ProvisionServer'. If Out of Band Management, Intel SCS, and DNS have been properly set up, DNS will route the packet to the Notification Server.
  4. The Notification Server is set to listen for AMT Provisioning traffic on port 9971, but can be configured to use a different port if so desired in the Altiris Console under View > Solutions > Out of Band Management > Configuration > Provisioning > Configuration Service Settings > General. The top option is labeled ‘Listen port:'.
    [Screenshot: ListenPort.jpg]
  5. When SCS, via the service AMTConfig (process AMTConfigWinService.exe), receives the incoming "hello" packet, it initiates an authentication request with the client to complete the authentication process, the beginning of which was stored in the packet. Once authentication completes successfully, the process moves on.
  6. The service, AMTConfig, catches the incoming packet and logs the data in the IntelAMT database, in the table csti_amts. This table contains all the relevant data for this system's identity.
    [Screenshot: csti_amts.jpg]
  7. Once the system has been logged into the IntelAMT database, Intel SCS uses the database entries under csti_configuration to initiate what's known as the props script. This script is what will assist in the provisioning process. In Altiris' case, it is oobprov.exe, located by default at C:\Program Files\Altiris\OOBSC\oobprov.exe. For an example of how Intel SCS knows about this, see this data snippet from the csti_configuration table:
    [Screenshot: csti_configuration.jpg]
  8. On a busy SCS server you can look at Task Manager and see multiple instances of oobprov.exe running. The default settings allow 10 threads to work on provisioning requests at any given time. These threads will interface with the Altiris Database via the Altiris Agent on the local server system. In a standard setup the local system is also the Notification Server.
  9. OOBPROV runs a SQL query to fetch the Fully Qualified Domain Name (FQDN) for the system it is to provision. The query is based on the following data points:
    1. UUID passed to it via Intel SCS. Source is as follows: Database: IntelAMT, Table: csti_amts, Data Source: "Hello" packet from AMT system, Values used: uuid
    2. Database: Altiris, Data-class: OOB Capability, Table: Inv_OOB_Capability, Data Source: Out of Band Discovery Task, Values used: _ResourceGuid - UUID
    3. Database: Altiris, Data-class: AeX AC Location, Table: Inv_AeX_AC_Location, Data Source: Basic Inventory Agent, whether from Basic Inventory function or Hardware Inventory from Inventory Solution, Values used: _ResourceGuid - Fully Qualified Domain Name
  10. The query accomplishes the following: It takes the UUID from csti_amts, uuid and looks for a match in Inv OOB Capability, uuid. If a match is made, it takes the _ResourceGuid from the same table and matches it against the column of the same name in AeX AC Location. With the match it then reads the values stored under Fully Qualified Domain Name (I'm not sure why they didn't just label this column FQDN...).
  11. Next, oobprov.exe hands back the FQDN it has read from AeX AC Location, Fully Qualified Domain Name and passes it to SCS. SCS takes this value and inserts it into the IntelAMT database at csti_amts, fqdn for the matching resource.
  12. Next, oobprov.exe fetches the automatic profile set within Out of Band Management Solution. This is done in the Altiris Console under View > Solutions > Out of Band Management > Configuration > Provisioning > Intel AMT Systems > Resource Synchronization. This policy needs to be enabled for this step to work, and a default profile configured and selected under the dropdown labeled ‘Intel AMT 2.0+ to profile:'.
  13. The profile provides the operational data for management of the AMT system. After AMT accepts the profile, the Provisioning process is complete. Before this step, AMT functionality is not available on this system, and after this step only properly authenticated functions will be able to use Intel vPro on the target provisioned systems.

Troubleshooting

The following items can be considered break points for this process. If you've done provisioning you may have run into the symptoms produced by the following items. These are compiled as common areas of trouble in this process.

  • The "Hello" packets only transmit for 24 hours, on a back-off schedule, before stopping altogether. If the Server is unable to provision in that time, with IP refreshes becoming more frequent, the system can be in a limbo state. See this article for steps to rectify: http://juice.altiris.com/article/3612/using-intels-rct-tool-restart-amt-hello-packets-enterprise-provisioning
  • IP address changes or refreshes within DHCP during a system's build process can leave SCS with an out-of-date IP address for a system that needs provisioning. Coupled with the preceding issue, this can leave the system in an unprovisioned state, with SCS unable to contact the system to finish the process.
  • Remote Configuration certificate is not properly installed on the server, producing authentication failure messages in the AMT logs.
  • Oobprov.exe is unable to fetch the FQDN. For oobprov.exe to be able to fetch the FQDN, the AMT system needs to have the Altiris Agent installed, to have sent Basic Inventory when it had a valid FQDN (for example, a system in the process of being built might not have a valid FQDN yet), to have downloaded and executed the OOB Discovery Task, and to have data populated into the OOB Capability data class from the task. Alternatively, you can use the option in Resource Synchronization labeled ‘Use DNS IP resolution to find FQDN when assigning profiles'.

A good resource for troubleshooting issues can be found here:


Conclusion

Knowing the underlying mechanisms can help when troubleshooting or even when planning your environment. While not all details are provided here, the most essential are.


Nick & I got together this week and evaluated a few platforms for their AMT settings in the BIOS. In this video, Nick explains how to get into each BIOS and where the options for AMT are ( or for that case where they are NOT ).


Here are a few screen shots of two of the platforms. We are also going to publish out a matrix of the systems with drivers, bios settings that Frank has been working on.. stay tuned for the link.

[Screenshot: HP.png]

[Screenshot: PANASONIC.png]


Here are the latest issues posted to the wiki - check'em out!




Intel® AMT Reflector is a software tool designed to allow local management of Intel® AMT Management Engine functionality from the local operating system, removing the need to reboot to verify and change the Intel® AMT host computer name or un-provision Intel® AMT on the computer. This functionality improves debug and factory operations in activating and building Intel® AMT based client environments. This release completes DOPD SW Engineering's original functionality plan for the tool and is therefore marked as a production level release.

This release has the following updates from the Beta release:

· Added a timestamp to Intel® AMT events in the logs generated by the client-side applications.
· Fixed the XML logfile format so that it will be properly recognized by external applications that support the XML file format.
· Fixed the issue where some commands may not succeed on the first call for some Intel® AMT systems.
· Fixed the "Browse" button functionality in the Intel® AMT Reflector Server configuration window.
· The Intel® AMT Reflector Server now logs the client FQDN for each event.
· Removed the View Log window from the Intel® AMT Reflector Client application.
· Improved the error handling of the Intel® AMT Reflector Client application.

Download the tool here

Here's a 5 minute video overview of the tool's capabilities (Click here to view video on YouTube) :


For those looking for a little extra help on System Center Configuration Manager, Microsoft has great forum resources on a variety of System Center Configuration Manager topics...

Configuration Manager - General
General Discussion on the topics or features not already covered by one of the other forums for System Center Configuration Manager.

Configuration Manager - Announcements
General Announcements for System Center Configuration Manager Forums

Configuration Manager - Admin Console
Discussion on the Admin Console for System Center Configuration Manager

Configuration Manager - Asset Intelligence
Discussion on the Asset Intelligence feature for System Center Configuration Manager

Configuration Manager - Backup and Recovery
Discussions on Backup and Recovery for System Center Configuration Manager Sites

Configuration Manager - Desired Configuration Management
Discussion on the Desired Configuration Management feature for System Center Configuration Manager

Configuration Manager - Documentation
Discussion on the Help and Documentation for System Center Configuration Manager

Configuration Manager - Internet Clients and Native Mode
Discussion on the Internet Based Clients and running sites in Native Mode, certificate and SSL issues for System Center Configuration Manager

Configuration Manager - Inventory
Discussion on the Inventory feature for System Center Configuration Manager

Configuration Manager - Operating System Deployment
Discussion on the Operating System Deployment feature for System Center Configuration Manager

Configuration Manager - SDK
Discussion on the Software Development kit for System Center Configuration Manager

Configuration Manager - Setup/Deployment
Discussion on the Setup and Deployment of Clients and Servers for System Center Configuration Manager

Configuration Manager - Software Distribution
Discussion on the Software Distribution feature for System Center Configuration Manager

Configuration Manager - Software Updates Management
Discussion on the Software Updates Management feature for System Center Configuration Manager
Matt Royer


In part 3 we covered troubleshooting common Provisioning Console issues. In part 4 we now focus on those components operating in the background during provisioning. With a functioning install and console, and when the issue appears to be server-related (part 1 covered troubleshooting the local AMT system), any issues seen must be evaluated on the server side. This article covers this process in a Problem - Cause - Solution format.

Introduction

The server components constitute a lot of ‘background' processes that support what is only seen as Altiris Console points. Much of what goes on in the background is invisible to the user save as a change in status. If set up correctly, machines simply provision. It's when they do not provision that a user should understand the server components so that proper troubleshooting can be accomplished. Note that this covers the symptoms of server-component problems. Some of the symptoms do overlap client-side issues, but in this process we are assuming we've confirmed that the client system is functioning as expected. If you are unsure, see Part 1 of this article series.

Symptoms

The following symptoms are seen on the Server. Please note that some of the symptoms may appear to be both client and server related making it difficult to know where the issue lies. Use Part 1 in conjunction with this article if necessary in troubleshooting these issues.

  • No update to Intel AMT Systems Node - At times this node can abruptly appear stagnant with no new systems coming in and no provisioning taking place
  • No Systems Appearing - The Intel AMT Systems node may stay blank even after connecting systems in Setup Mode onto the Network.
  • FQDN Not Acquired - Once the SCS receives a hello message, it needs to acquire the FQDN, and if this fails the machine will remain in an unprovisioned state
  • No systems Provisioning - This can occur where systems show up in the system, but none of them provision
  • Properties Script Failed - This is a common error to be covered separately, though many of the above symptoms end up throwing this particular error

In addition to the symptoms, the following tools were used to troubleshoot the issues to find out which particular issue afflicted the Server:

  1. AMT Logs
  2. OOB Trace Logging
  3. Wireshark

See Part 1 in this article series on how to use these. These will be referenced in the below items.

No update to Intel AMT Systems Node

Problem

The typical symptom is an abrupt stop to updates on this node. For example if you have a number of provisioned systems, with systems added as systems are brought up on the network, and abruptly they stop updating or being added, this is indicative of this issue.

Tools:

AMT Logs - No updates to this log occur.

Cause

AMTConfig Service - The AMTConfig service has stopped, crashed, or is in a hung state. This isn't common in version 3.0 of SCS or higher.

Resolution

Check that the AMTConfig Service is running.

  1. Go to Services Manager under Administrative Tools.
  2. Check the Service named AMTConfig to make sure it is running.
  3. If the service is not running, start it. If the service is running, try restarting it just in case it's in a hung state.
  4. Once the service is up and running again (if this is the issue) provisioning should start occurring.

No Systems Appearing

Problem

The symptom is that no machines appear in the Intel AMT Systems list when the page is refreshed over a period of time when new systems are expected. The page ties directly into the IntelAMT database to populate the systems, so if the list isn't updating on the page, the list is also not updating in the database.

[Screenshot: IntelAMTSystems.jpg]

Tools:

AMT Logs - I. No entries found

II. No entries found

III. Invalid PID Map error

Wireshark - II. On the client the "Hello" packet is sent, but on the server it never arrives.

Cause

The causes vary. See below for known causes for this issue:

  I. AMTConfig Service - The AMTConfig service has stopped, crashed, or is in a hung state. This isn't common in version 3.0 of SCS or higher.
  II. "Hello" packets - The routing of "hello" packets is not configured correctly, so clients can't reach the Provision Server.
  III. PID rejected - The PID provided in the "Hello" packet is not contained as a valid security key in the IntelAMT database. This is only seen in the AMT Log found in the Provisioning Console under Logs, selecting the ‘Log' icon.

Resolution

See the steps to follow for the above causes.

  I. AMTConfig Service
    1. See the resolution to the section No update to Intel AMT Systems Node.
  II. "Hello" Packets
    1. In the Provisioning console go to the DNS Configuration node. Does the ‘Test' button allow Provisionserver to resolve back to the IP of the Notification Server?
    2. If yes, go to the segment of the network the client is on and try to ping the name ‘Provisionserver'. Does the IP resolve?
    3. If the answer to either question above is NO, a CNAME record needs to be created on each DNS Server to route to the IP address of the Notification Server.
  III. PID rejected
    1. In the Provisioning Console go to the Security Keys node under the Configuration Service Settings. The unused PID and PPS combinations are listed there.
    2. In the IntelAMT database, within the csti_pid_map table, all used and unused security keys are listed. The ones with a value ‘True' in the ‘Used' column will not show up in the console.
    3. Either import the keys if the OEM placed the AMT systems in TLS-PSK Setup Mode through the import button in the Security Keys page, or manually enter the PID PPS.

FQDN Not Acquired

Problem

One or more Intel AMT Systems are registering in Intel SCS, but they never show an FQDN and never move out of the ‘Unprovisioned' status. In the AMT Log often these systems show the error ‘Properties Script Failed' (note that the cause of this error can be many, and this issue is but one of them).

NOTE! If no system is provisioning the issue may not be FQDN related. See No Systems Provisioning in this article for more information.

Tools:

AMT Logs - Properties Script Failed messages

OOB Trace - Unable to locate FQDN (Fully Qualified Domain Name) entries

Cause

Intel SCS calls the Out of Band Provisioning or Properties script oobprov.exe to do a number of things. The first thing it does is obtain an FQDN for the machine needing provisioning. If it fails to obtain an FQDN Provisioning will fail and the computer will remain in an unprovisioned state until oobprov.exe can successfully locate the FQDN.

Resolution

To find the FQDN, oobprov.exe runs through a number of checks. The suggested method is to have the Altiris Agent installed and have run the OOB Discovery Task (located in the Altiris Console under View > Solutions > Out of Band Management > Configuration > Out of Band Discovery > Out of Band Discovery). This populates the Altiris database so it has both an FQDN in the AeX AC Location data class and the UUID in the Inv_OOB_Capability data class. If this data is not available, another option is to check DNS resolution as a method. In the Altiris Console look under the Resource Synchronization node, within the Intel AMT Systems folder. As shown below, this option enables oobprov.exe to use DNS IP resolution as a method.

[Screenshot: DNSReverseLookup.jpg]

NOTE the warning found directly below the checkbox: Warning! Using DNS for IP to FQDN resolution might lead to incorrect profile mapping. Make sure your DHCP server is configured correctly to give update the DNS server for dynamic addresses.

No systems Provisioning

Problem

Systems are added regularly to the Intel AMT Systems node, but they never provision. This includes never getting an FQDN (see the above section for more information), though the cause may not be the inability of oobprov.exe to obtain the FQDN.

Tools:

AMT Logs - Provisioning Script Failed messages

OOB Trace - No references to oobprov.exe

Cause

If not an FQDN mapping issue, this issue stems from a timeout value in the IntelAMT database being set to 0. In the IntelAMT database, in the table csti_configuration, under the column Props_script_timeout, if the value is 0 Intel SCS will time out before it even has a chance to call oobprov.exe.

Resolution

Normally only one row exists in this table. The following SQL query will properly update this value to the default level. The default is 180 and should be set.


    USE IntelAMT

    UPDATE csti_configuration
    SET props_script_timeout = 180
    WHERE use_props_script = 'True'

Execute the script within SQL Query Analyzer or SQL Enterprise Studio to update the value.
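The FQDN lookup chain that oobprov.exe follows and the zero-timeout condition described above can be checked together before touching the database. The following is an added example, not code from Altiris or Intel SCS: it uses an in-memory SQLite database as a constructed stand-in for the IntelAMT and Altiris databases. Table and column names are those given in this article; column types, sample rows, status labels, and function names are assumptions.

```python
import sqlite3

# Constructed stand-in for the two SQL Server databases. Table and column names
# are the ones the article gives; column types and sample rows are assumptions.
SCHEMA = """
CREATE TABLE csti_amts (uuid TEXT, fqdn TEXT);                           -- IntelAMT
CREATE TABLE csti_configuration (use_props_script TEXT,
                                 props_script_timeout INTEGER);          -- IntelAMT
CREATE TABLE Inv_OOB_Capability (_ResourceGuid TEXT, UUID TEXT);         -- Altiris
CREATE TABLE Inv_AeX_AC_Location (_ResourceGuid TEXT,
                                  [Fully Qualified Domain Name] TEXT);   -- Altiris
"""

# Same chain the article describes: csti_amts.uuid -> Inv_OOB_Capability.UUID,
# then _ResourceGuid -> Inv_AeX_AC_Location. LEFT JOINs keep the systems that
# fall out of the chain so the break point is visible.
LOOKUP = """
SELECT a.uuid, oob._ResourceGuid, loc._ResourceGuid,
       loc.[Fully Qualified Domain Name]
FROM csti_amts AS a
LEFT JOIN Inv_OOB_Capability AS oob ON UPPER(oob.UUID) = UPPER(a.uuid)
LEFT JOIN Inv_AeX_AC_Location AS loc ON loc._ResourceGuid = oob._ResourceGuid
ORDER BY a.uuid
"""

OK = "ok"
NO_DISCOVERY = "no Inv_OOB_Capability row (OOB Discovery Task data missing)"
NO_INVENTORY = "no Inv_AeX_AC_Location row (Basic Inventory missing)"
EMPTY_FQDN = "inventory row has no FQDN"


def props_script_blocked(conn):
    """True when props_script_timeout is 0, the 'No systems Provisioning' cause."""
    rows = conn.execute(
        "SELECT props_script_timeout FROM csti_configuration "
        "WHERE use_props_script = 'True'"
    ).fetchall()
    return any(timeout == 0 for (timeout,) in rows)


def triage_fqdn(conn):
    """Return {uuid: (status, fqdn or None)} for every system in csti_amts."""
    results = {}
    for uuid, oob_guid, loc_guid, fqdn in conn.execute(LOOKUP):
        fqdn = (fqdn or "").strip()
        if oob_guid is None:
            status = NO_DISCOVERY
        elif loc_guid is None:
            status = NO_INVENTORY
        elif not fqdn:
            status = EMPTY_FQDN
        else:
            status = OK
        # A UUID can join to several rows; keep a resolvable one if any exists.
        if uuid not in results or status == OK:
            results[uuid] = (status, fqdn or None)
    return results


def build_sample():
    """Constructed data: one healthy system and one for each break point."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO csti_configuration VALUES ('True', 0)")
    conn.executemany("INSERT INTO csti_amts VALUES (?, NULL)",
                     [("UUID-A",), ("UUID-B",), ("UUID-C",), ("UUID-D",)])
    conn.executemany("INSERT INTO Inv_OOB_Capability VALUES (?, ?)",
                     [("guid-a", "uuid-a"), ("guid-c", "UUID-C"),
                      ("guid-d", "UUID-D")])
    conn.executemany("INSERT INTO Inv_AeX_AC_Location VALUES (?, ?)",
                     [("guid-a", "pc-a.corp.example"), ("guid-d", "")])
    return conn


if __name__ == "__main__":
    db = build_sample()
    if props_script_blocked(db):
        print("props_script_timeout is 0: oobprov.exe is never called")
    for uuid, (status, fqdn) in triage_fqdn(db).items():
        print(uuid, "->", status, fqdn or "")
```

On a real server the two queries would be run against SQL Server, with the csti_ tables qualified by the IntelAMT database and the Inv_ tables by the Altiris database.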

Properties Script Failed

Problem

This message can mean a number of things, including the symptoms described in the preceding two sections. This message can continually appear in the AMT logs as provisioning is attempted over and over.

Cause

The causes of this issue vary. The basic explanation is that when oobprov.exe is called, if it returns anything other than success, the resulting error message in the AMT logs is ‘Properties Script Failed'.

Resolution

See the above two sections for the symptoms No Systems Provisioning and FQDN Not Acquired, but for additional information see the following article:


Conclusion

This concludes the troubleshooting section for the Provisioning process. For the most common issues, the resolutions and steps presented in the first four parts of this series will resolve them. I also hope the methodology here helps explain how the background processes are working. In the next parts of this series we'll cover troubleshooting issues with the management components after systems have been successfully provisioned.


In part 2 we introduced the Server components used in Provisioning, including some key items to be aware of. In this installment we'll cover troubleshooting the server components in a symptom - cause - resolution format. The methodology should also help you understand how these components work for further troubleshooting efforts, or for simply understanding how the data is moving through the Provisioning process. This specific article covers the Console and the common errors that can appear.

Introduction


Once the server components are installed, and the AMT systems are in a correct Setup Mode, one must access the Provisioning Console to manage the Provisioning process. This console is located in the Altiris Console under View > Solutions > Out of Band Management > Configuration > Provisioning. This part of the series covers errors in the console, specifically common errors seen after the installation has taken place. These errors can also surface due to environmental changes in the infrastructure.

Symptoms


This section lists all the symptoms covered in this article. Use this list to guide you if you are working on a specific issue.

  • Provisioning Console Access Forbidden - Generally this is a 403 error on most of the Altiris Console Provisioning Nodes
  • Provisioning Console Connection Closed - All the Provisioning Nodes show an error that the underlying connection was closed
  • Provisioning Console User Not Authorized - This error relates to the access rights to the actual Provision Nodes, and can happen even if a user is an Altiris Administrator
  • Provisioning Console Timeouts - We've seen timeouts occur in the console, when accessing the Intel AMT Systems list

Provisioning Console Access Forbidden

Problem


When accessing the Provisioning Console, the following error is thrown:
The request failed with HTTP status 403: Forbidden

[Screenshot: OOBProvCommonError.jpg]

Cause


When installing Intel SCS, the manual install defaults to HTTPS, using TLS for secure communication. If the environment is not set up for TLS/HTTPS, the Altiris Provisioning Console will be unable to authenticate to Intel SCS, throwing this error.

Resolution

  1. On the Notification Server where Intel SCS is installed, open up IIS Manager.
  2. Browse down into the Default Web Site and select AMTSCS.
  3. Right-click on AMTSCS and choose Properties.
  4. Select the Directory Security tab.
  5. Click the Edit button under the Secure communications section.
  6. Uncheck the box labeled ‘Require secure channel (SSL)'.
  7. Click OK.
  8. Click Apply and then OK.

Provisioning Console Connection Closed

Problem


The error ‘The Host Name cannot be resolved' or ‘the remote connection was closed' appears when accessing the Provisioning Console.

[Screenshot: SCSNameNotResolved.jpg]

The problem can also be seen when using the Test functionality on the DNS Configuration node. It may show a failed to obtain IP message.

[Screenshot: DNSSCSfailed.jpg]

Cause


When our Console tries to resolve the name to the Intel SCS Server (even when Altiris and SCS are on the same server) it fails and one of these errors is thrown. The difference can be in the perceived FQDN for the Server. Altiris is attempting to acquire the right IP address so it can communicate with SCS.

Resolution


There are two ways to fix this if a reinstallation does not correctly set the SCS identity within Altiris.

LMHOSTS or HOSTS files - We can update one or both of these files to contain the FQDN we're using to try and translate the IP Address. The difficult part is finding out what Altiris is attempting to connect to. Use the process below to find out what it is looking for:

  1. See Part 1 concerning the use of OOB trace logging and Debug View.
  2. Enable trace logging in OOB and launch dbgview.exe.
  3. Try to access the console and produce the error.
  4. Stop trace logging.
  5. This is the difficult part. Normally I scan through the log looking for the host name of the server. Usually this shows up as part of an FQDN. In one example, Altiris called Servername.domain, which did not respond, while Servername.domain.com was a valid name.
  6. Do a Search for the Host Name of the system (Not FQDN as it may not be using the valid one). For example, MyServer.
  7. Once complete, access the file named lmhosts (no extension). Place a line in the file with the Server IP Address and invalid name:
    • 10.10.10.1 Servername.domain
  8. Whatever invalid name was located in step 5, the above sequence can be used to give the computer the correct IP Address resolution. This resolves the issue. However, there may be other steps needed. If this doesn't resolve the issue, continue to step 9.
  9. Access the Service Location node in the Provisioning Console.
  10. Change the option to ‘Alternate URL:'.
  11. Specify a new location changing the name to one that resolves, for example:
  12. Click Apply to save the changes.

The difficult part in this process is locating what Altiris believes the name of the Intel SCS Server is. Since Altiris and SCS are not integrated, they do not have a mechanism that shows if they are on the same server or not. This is why this issue surfaced.

Provisioning Console User Not Authorized

Problem


After installation or after credential changes the typical error structure appears with the message:

  • Current User can't view this page.
  • Current user can't change settings on this page.

Note that the error does not have the Red error typically associated with other console errors.

[Screenshot: ProvConsoleRights.jpg]

Cause


After installation only the user who conducted the Intel SCS install has rights to the console nodes. Until other users are added, only this user (usually the Notification Server Application identity) has rights to these nodes. Notification Server role and scope security does not apply to the populating of the data to the right of these nodes (although it does control access to actually showing the nodes themselves in the left-hand tree).

Resolution


Follow these steps to give the necessary users rights to the Provision Console nodes:

  1. Log into the Altiris Console as the Notification Server Application Identity, or the user used to manually install Intel SCS (one of these will usually be the authorized user).
  2. Access the Altiris Console under View > Solutions > Out of Band Management > Configuration > Provisioning > Configuration Service Settings > Users.
  3. Note the users who already have rights.
  4. Click the blue + icon to add a user.
  5. Click the ... browse icon to see a typical Notification Server Domain user and groups search window.
  6. Add a group or user and click OK.
  7. Under the Role: give Enterprise Administrator rights unless you want to limit which nodes are operable.
  8. Click OK to complete adding the user.

If no user can access these nodes, the Intel SCS installation needs to be run again under the correct user. Run through these steps to complete this:

  1. Log onto the Notification Server directly (or with the /console switch if you're using Remote Desktop) with the NS Application Identity.
  2. In Add/Remove Programs, locate ‘Intel® Active Management Technology Setup and Configuration Service' and remove it.
  3. On the Notification Server, browse to +install_path+\Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\OOB\IntelSCS\.
  4. Launch the file AMTConfServer.exe and walk through the install. Be sure to use the Application Identity as the credentials for SCS.
  5. When prompted for the database credentials, if permissible use the Application Identity.
  6. Once completed log into the Altiris Console with the Notification Server Application Identity, then move back to step 1 of the previous sequence to add other users as necessary.

Provisioning Console Timeouts

Problem


Even in small environments we've seen timeouts on the Intel AMT Systems node, and much less frequently on the other nodes. The timeout throws a .NET error and the page is replaced by a timeout error.

Cause


The cause is not known at this time. The timeouts do not always occur at particularly busy times for the Notification Server, so it is difficult to know what causes them. Timeouts generally do not occur when plenty of resources are available, but they do not always occur when the server is extremely busy either. They appear to be caused by varying factors.

A refresh after the timeout error often loads the page just fine. This suggests that loading the page gets into a loop or hung state, rather than hitting a true processing timeout.

Resolution


No full resolution is known at this time, but a few items can help minimize the impact of the issue.

  1. Remote Consoles - We've seen remote consoles perform better than having the console loaded directly on the Notification Server.
  2. Refresh - Normally the timeouts occur without loading any of the frames within the page. If you click on the link or hit the refresh for the Intel AMT Systems page and no frames load within a minute, refresh the page. Often when the page is refreshed it then loads correctly, even quickly.

Conclusion


Once the console has been restored, the Provisioning process can be configured and initiated. Because of the all-or-nothing nature of most of these issues, they must be overcome before you can even properly set up and configure Intel SCS for the Provisioning process. The above resolutions cover the methods used to resolve these issues at multiple sites.


The USB Key Provisioning Utility (UKPU) tool is designed to create a valid USB key for provisioning Intel® AMT Systems. The UKPU tool prepares a USB Flash drive, copies the requested setup.bin to the drive, and also verifies that the setup.bin is saved using the proper procedures necessary to ensure that it is detected by Intel® AMT.

The tool has a 'repair' mode that allows you to take an existing USB Key and reconstruct it to ensure the setup.bin is visible to Intel® AMT. In addition, you can set up a USB Key using any renamed setup.bin file on your computer, and the tool will automatically ensure it is renamed to 'setup.bin' when setting up the key.

A 3-minute video overview of the tool's capabilities is available on YouTube.

Both binary-only and open-source-licensed source versions are available at the download site.

DOPD SW Engineering Team


Today we offer the USB Key Provisioning Utility (UKPU), focused on one-touch provisioning, and the Intel® AMT Reflector, which offers a unique implementation allowing an Intel® AMT client to access/manage some Intel® AMT functionality locally via the OS without entering the management engine directly (usually via BIOS).

Click here to learn more about Intel® AMT Reflector or here to download directly.

Click here to learn more about USB Key Provisioning Utility (UKPU) or here to download it directly.

Tell us what you think!
DOPD SW Engineering Team


Available for download and use is the SCS Setup Wizard, a tool designed to automate the installation of the Intel® Setup and Configuration Service (SCS) along with its third-party prerequisite components. This is a pre-release alpha level project that will be updated soon. It requires a fresh install of Windows Server 2003 and un-provisioned Intel® AMT clients.

Background -

The Intel Setup and Configuration Service for Intel® Active Management Technology (Intel® AMT) is a free toolset that simplifies the preparation of hardware that supports Intel AMT for remote administration.

Intel SCS automates the process of populating Intel AMT managed platforms with the usernames, passwords, and network parameters that enable the platforms to be administered remotely.

The automation of these activities provides an efficient means of implementing Intel AMT hardware for enterprise customers.

The Intel SCS service works with other services in order to provide a secure setup and configuration infrastructure for Intel AMT devices.

To successfully take advantage of the functionality that the Intel SCS service can provide, all of the other needed services must be correctly installed and configured. These services include:

  • Microsoft SQL* Server
  • Internet Information Services (IIS) 6.0
  • Microsoft Certificate Authority
  • Active Directory

Installing and configuring all of the services needed to utilize the Intel SCS can take an experienced user 2+ hours to complete. Using the automation provided by the SCS Setup Wizard, this process can take less than 30 minutes.

The SCS Setup Wizard performs the following functions -
  • Install/configure MS SQL Server 2005 Express* Edition and MS SQL Server Management Studio Express
  • Install/configure Internet Information Services (IIS) 6.0
  • Install/configure MS Certificate Authority*
  • Install/configure Active Directory Services
  • Install certificate for IIS
  • Install certificate for Intel AMT Client
  • Install/configure Intel SCS service

Download here:
http://downloadcenter.intel.com/detail_desc.aspx?ProductID=2557&DwnldID=15532&agr=N

DOPD Software Engineering Team


Define Activation...

Posted by Dave McCray Feb 25, 2008

Depending on your company's requirements (i.e. security, infrastructure, biz process) Activation can mean many things. If your security requirements are such, Activation can simply mean enabling AMT in the BIOS in SMB mode. If your requirements are more stringent it can mean enabling AMT to prepare for Remote Configuration (Zero Touch), or, if you are still doing it the "old" way, then you are either manually (YUKE!) applying the PID/PPS combo or using the USB methodology. Great, but is this Activation? What about the other pieces to the device lifecycle i.e. break/fix, reuse, EOL where you have to manage the certificate? Intel IT, along with help from our friends in other Intel orgs, is developing a programmatic script to aid in managing the systems as they move through the lifecycle. But is this Activation? How about how you use AMT? What business processes need to be changed to gain the full benefit of the cost savings from AMT?

Activation, as defined by Webster's Dictionary, is to make active or more active, or to set up or formally institute with the necessary personnel and equipment. What this means to AMT is that you need to map out all aspects of the full use of AMT but measure it based on each step of the way to get a clear picture of where you are. In other words, define your total market (systems in the environment that are AMT capable); how many have AMT enabled in the BIOS (in prep for RC); how many are fully provisioned; how far have you tested your full lifecycle; do you have your console strategy in place; how have you defined your use cases; are you using it? Each step is making AMT more active. How far have you gone? How do you define Activation?

Note: As the Intel IT and product groups validate the new provisioning script we will post additional information. It effectively removes the ambiguity in provisioning lifecycle; managing from initial provision to break / fix. More to come.
