I have recently posted a new Quick Start guide to help you quickly setup your SCCM SP1 lab environment and start testing the Out of Band management capabilities for your vPro systems.

http://communities.intel.com/docs/DOC-1754

As always, feedback is highly encouraged and appreciated.

Thanks,

Bill

Within SCCM there are two primary ways to provision a vPro Client: Using the Import Out of Band Computers Wizard and the In-band provisioning with the Configuration Manager client Agent. Because of the ease and automated provision, it is typically recommended that you leverage the In-band provisioning with the Configuration Manager client agent; however, there may be cases where this method may not work based on your environment or business process. This may leaves you with the only option of using the Import Out of Band Computers Wizard for vPro Client provisioning.

To provision clients with Import Out of Band Computer Wizard, you are required to supply at a minimum the Computer Name, FQDN, and UUID for the vPro client you are trying to provision. Hand retrieving and entering this data for a few vPro clients may be fairly straight forward; however, if you are in a scenario where you are trying to provision a large number of vPro clients it may become very time consuming. As part of the Import Out of Band Computer Wizard, you are able to specific a comma-separated values (CSV) formatted file that has these required attributes listed. With this capability available, you can technically mass import a large number of vPro clients to be provisioned; the challenge then becomes automating the retrieval of this Computer Name, FQDN, and UUID.

Example CSV File

Select Source - Choose Mapping

Select Source - Data Preview

Select Source - Summary

There can be a variety of sources such as the Active Directory, Local Computer Operating System, alternate software inventory agent, etc (your imagination is the limitation) where you could potentially pull this information.

For example, this UUID Resolver is an example utility that will query your Active Directory for computers, determine if they are vPro Capable, connects to the OS, and Exports the Computer Name, FQDN, and UUID to a CSV files that can be imported through Import Out of Band Computer Wizard; once the hello packet is received, SCCM will provision the vPro Client (Special Thanks to Ariel Toporovsky for developing this example).

Another example may be to use a Software Agent or other remote execution capability to run a localized VBS, Perl Script, exe, etc that grabs the Computer Name, FQDN, and UUID locally from the client and copies the contents to a remote share to be consolidated; once there it can be imported through the SCCM Import Out of Band Computer Wizard.

What else can you think of? If you have any thoughts or tricks on how to automate this, please post your idea / exampls in the comments. Thanks.

--Matt Royer

One of the advantages that is brought with SCCM SP1 having integrated support with vPro is the ability to leverage vPro Power On command with Advertisements. What this allows you to do is power up a vPro client that is currently turned off and executive a desired task sequence or software distribution package. So in a scenario where you want to patch your clients at 2:00 am in the morning, you can leveraging vPro and SCCM SP1 to wake your clients up, patch them, and shutdown them back down. This gives you the option of shutting down your vPro clients (to save power) without sacrificing ideal patching / software upgrade times at night (which may be less impactful to your end users) and then gracefully shut them back down again when the patching is complete.

In a limited fashion, Wake On LAN (WOL) has given us this option in the past. However unlike WOL, Intel vPro Technology allows you to securely and reliability power up a client without the challenges and potential security issues that comes with the transitional WOL Magic Packet. The following abstract has a pretty good explanation of the differences between WOL and vPro Power On.

To configure SCCM SP1 to use the vPro Power Up commands, you will need to drill down to "Site Database" -> "Site Management" and select properties from the right click menu on your site server. Once the "Site Properties" window appears, click on the Wake On LAN Tab. After ensuring that the "Enable Wake On LAN for this site" is Checked, you will notice three additional configurable options:

• Use power on commands if the computer supports this technology; otherwise, use wake-up packets
• Use power on commands only
• Use wake-up packets only

The reference to "use power on commands" is Microsoft's definition of leveraging vPro Power Management. So to use vPro Power Management for client power on during an advertisements, you will need to ensure that either "Use power on commands if the computer supports this technology; otherwise, use wake-up packets" or "Use power on commands only" is selected. Since you are likely to have a mix of vPro and non-vPro clients in your environment, it is recommended that you use the "Use power on commands if the computer supports this technology; otherwise, use wake-up packets" option.

To allow for easy use of both vPro Power Control and WOL within SCCM SP1, Microsoft decided to bundle both options under "Wake on LAN". So when you are leverage vPro Power Up control on Advertisement, you just need to specify use to Wake on LAN (WOL) and depending on the configuration in the "Site Properties: Wake On LAN Tab" it will use vPro Power or the traditional Legacy WOL packet.

To create an advisement that leverages vPro Power up command...

1. Right Click on the Collection you want the advertisement for and select "Advertise Task Sequence".
2. When the "New Advertisement Wizard" window appears, enter in the Name of the Advertisement and a comment.
3. Select the desired "Task Sequence" you have created (To create a Task Sequence, please reference the following article: http://technet.microsoft.com/en-us/library/bb693631.aspx). Click "Next" to Proceed.
4. On the Schedule Screen, specify your Advertisement Start & Expires (if required) dates.
5. To allow the "Enable Wake on LAN" option to be selected, you must first specify a "Mandatory Assignments". Click the new icon and define a schedule or immediate action and click "OK".
6. Once the "Mandatory Assignments" has been defined, check the "Enable Wake on LAN". Select other option and priority as necessary and click "Next".
7. Select the desired "Distribution Points" options and click "Next".
8. Select the desired "Interaction" options and click "Next".
9. Select the desired "Security" options and click "Next".
10. When the "Summary" Appears, confirm and click "Next".

The advertisement with vPro Power Up control has now been configured. Based on the Mandatory Assignments specified, you should see the vPro Client power on and execute the task sequence. For more details on how to create Advertisements within SCCM SP1, please visit Microsoft Web site.

--Matt Royer

Some enterprises may find that they want to take advantage of both Microsoft System Center Configuration Manager 2007 (SP1) and System Center Operation Manager 2007 in their environment. Each independently have the ability to provision and manage vPro clients (natively from SCCM and through the Intel SCOM MP for SCOM), but is there a way so that both can manage the same vPro clients? YES, there is!

The way it works is that SCCM owns the provisioning (setting up certification, ACL, base configuration) and then both SCCM and SCOM w/ Intel SCOM MP can invoke vPro Use Cases. To get SCCM and SCOM w/ Intel AMT Management Pack to work together with vPro, here are the high level steps:

1. If you have not already installed Microsoft SCCM SP1, Microsoft SCOM 2007, and the Intel SCOM MP, following the standard install documentation.
2. Create a domain account that the Intel SCOM MP Service will run under. Once created, ensure you set the Log-in Account for the Intel SCOM MP Service to run under that account.
3. Within SCCM under the Component Configuration -> AMT Settings -> AMT User Account Setting, add the domain account you created to run the Intel SCOM MP service under. Ensure you give that account sufficient access to perform the desired vPro function.
4. Within SCOM Intel Management Pack, navigate to the "Intel AMT Management Pack Settings". Under Security Settings, set Kerberos to be used and check the "TLS Enable" check box. Under the CA Certificate, ensure to specify the file location of an export of the Root CA cert (This should be the same CA that SCCM is using to issue AMT client certificates). Once complete, make sure you restart the Intel SCOM MP Service.
5. Now that base configuration is done, provision your vPro Client normally through SCCM. If you have already provisioned the vPro Client, ensure you "update management controller" so that new ACL is pushed to the vPro Clients. Once provisioned, you should be able to invoke vPro Use Case through SCCM Collection Based power control or the Out of Band Console without issue.
6. Within SCOM, configure the IP range that includes all vPro Clients to be monitored by the Intel SCOM Management Pack. After the vPro Clients are discovered, you should be able to invoke vPro Usage from within SCOM as well.

--Matt Royer

I've created three videos to cover every step required to install and configure SCCM SP1 to work with Intel AMT platforms. The videos are best viewed at 1024x768 video resolution (click the video to enlarge). Enjoy!

SCCM SP1 Pre-Installation video

Click To Play

Click To Play

Click To Play

Here is a closer look at the install and configuration of the Intel WS-MAN translator for Microsoft SCCM SP1. The included video should be used as a reference only and not a replacement for the steps defined in the following documentation.

High Level Installation steps & reference documentation:

• Configuring ISS Certificate
• WS-MAN Translator Install & Configuration
• Enabling support for Intel WS-MAN translator within SCCM SP1

Matt Royer

As referenced in the Overview of SMS/Intel SCS migration to SCCM SP1 blog post, Intel has developed a utility to easy the migration of vPro Client that have been activated on SMS/SCS to SCCM SP1.

The beta of the Intel SCStoSCCM Migration Utility has been released and can be downloaded from the following location: http://communities.intel.com/openport/docs/DOC-1660

A User Guide on how to use the migration utility has been included in the download. Since SCCM SP1 has a dependency on the Intel WS-MAN Translator for any vPro Client less than firmware version 3.2.1, the WS-MAN translator will need to be installed and configured before proceeding with the migration if you have legacy system already activated in your environment.

Note: Intel SCStoSCCM Migration Utility is currently in Beta status and not considered a released product at this time.

Matt Royer