Microsoft has just released 2 hotfixes that address issues with System Center Configuration Manager SP1 and vPro/AMT Out of Band Management. Please reference the following WIKI for a comprehensive list of required software bundles and hotfixes for SCCM SP1 and vPro/AMT Out of Band Management: http://communities.intel.com/openport/docs/DOC-1897

System Center Configuration Manager 2007 (KB954718):

• Description: You cannot use the Out of Band Management console in Configuration Manager 2007 to connect to computers that use versions of Intel AMT that are earlier than version 3.2.1
• URL: http://support.microsoft.com/kb/954718

System Center Configuration Manager 2007 (KB955126):

• Description: The SMS_Executive service process (Smsexec.exe) in System Center Configuration Manager 2007 may crash if you have Intel AMT-related software installed
• URL: http://support.microsoft.com/KB/955126

--Matt Royer

Summary
An issue has been identified that may cause the remote configuration provisioning process to fail when using Microsoft System Center Configuration Manager (SCCM) on systems that have been upgraded from Intel AMT 3.x firmware to 3.2.1 firmware. The Self-signed certificate used to establish the initial PKI provisioning (Remote Configuration) connection is being read as invalid, which causes this failure.

The recommended resolution is to perform a provision and un-provision of the system to regenerate the Self-signed certificate. This resolves the certificate being read as invalid and prepares the PC to be provisioned successfully by SCCM. This can be accomplished locally at the PC or remotely from the console. Both scenarios are documented in detail below but local provision/un-provision will require entering the Management Engine BIOS Extension (MEBx) screen at the local machine. To perform this action remotely, the community has developed a software-based script to execute a remote provision/un-provision. The script should be run for vPro clients experiencing this issue prior to SCCM provision. Once the script is executed, the vPro clients can then be natively provisioned by SCCM.

Background
vPro Clients that are experiencing the issue will show up as AMT Status "Detected" within the Collection View after a Management Controller discovery and will exhibit with the following error in the amtopmgr.log:

During SCCM Management Controller Discovery
Error 0x80090308 returned by InitializeSecurityContext during follow up TLS handshaking with server.
Error 0x6fcb970 returned by ApplyControlToken
During a SCCM Provisioning attempt
Error 0x80090308 returned by InitializeSecurityContext during follow up TLS handshaking with server.
Error 0x261b948 returned by ApplyControlToken

Note: An AMT Status of "Detected" can occur for a variety of reasons; in general it means that the SCCM Out of Band Service Point is unable to establish an initial connection with the AMT client. This scenario can also occur when the computer has been previously provisioned for AMT outside Configuration Manager and the password for the AMT Remote Admin Account or the MEBx Account has been changed and is unknown.

When trying to provision a vPro Client that has a firmware version less than 3.2.1 that is impacted with the Self-signed Certificate issue, SCCM will forward the request to the Intel WS-MAN Translator (which is required for provisioning and management of a vPro Client less than 3.2.1.) The Intel WS-MAN Translator will handle provisioning the vPro client despite the invalid Self-signed Certificate. The steps listed below should not be required for firmware versions less than 3.2.1 if you have the Intel WS-MAN Translator installed and properly configured.

As an interim workaround for vPro Clients 3.2.1 experiencing the issue, you can either locally (through the MEBx) or remotely provision and un-provision the AMT client. The un-provisioning process will regenerate a new Self-signed Certificate within the AMT Management Engine, after which, SCCM can natively use this newly generated certificate to establish the initial secure connection during the provisioning process.

Provisioning via Pre-Shared Key (PSK) is not impacted by the Self-signed Certificate issue; however, to leverage PSK provisioning you will need to install / configure the Intel WS-MAN Translator and load the PID/PPS pair into the vPro client. PID/PPS configuration within the vPro client requires either manual configuration via Management Engine BIOS Extension (MEBx) or One Touch Provisioning through USB key import.

Local Provision / Un-provision
To performing a Provision / Un-provision locally on the vPro Client

1. Log into the MEBx by pressing Ctrl-P during POST
2. If you have not changed the default admin password already, login in with "admin" as the password. If you have already changed the MEBx password, log in with the password you changed it to
3. Within the MEBx Menu, select "Change Intel(R) ME Password".
   1. When presented with "Intel (R) New ME Password", Enter in the same password you configured in SCCM Component Configuration -> Out Of Band Management -> General Tab -> MEBx Account.
   2. When presented with "Verify Password", re-enter the password.
4. From the MEBx Menu, select "Intel(R) AMT Configuration"
5. Within the Intel(R) AMT Configuration Menu, select "Provision Model"
   1. When presented with "Change to Intel(R) AMT 1.0 Mode: (Y/N)", enter "N"
   2. When presented with "Change to Small Business : (Y/N), enter "Y"
6. When returned to the Intel(R) AMT Configuration Menu, select "Unprovision"
   1. When presented with "Reset Intel(R) AMT Provisioning: (Y/N), enter "Y"
   2. When presented, ensure you select "Full Unprovision" and press enter
7. When returned to the Intel(R) AMT Configuration Menu, select "Return to Previous Menu"
8. When returned to the MEBx Menu, select "Exit"
   1. When presented with "Are you sure you want to exit: (Y/N)", enter "Y"
9. Allow vPro Client to reboot fully

After performing the local Provision / Un-provision, you should be able to do a rediscovery of the Management Controller within SCCM and see that the AMT Status is now reflected as "Not Provision". With the vPro Client in a "Not Provision" state, SCCM will be able to natively provision the client without issues. Although fairly simplistic, one of key disadvantages of locally provisioning and un-provisioning the vPro Client is that you will need to have physical (touch) access.

Remote Provision / Un-provision
To perform a Provision / Un-provision remotely on the vPro Client, the community has created a visual basic script that will perform the function remotely. In an attempt to reduce the complexity, the VBScript leverages the Intel WS-MAN Translator to provide the authentication and remote configuration connection. To leverage this remote Provision/Un-provision capability, you must have the Intel WS-MAN Translator installed and configured prior to executing the VBScript. Please visit the following Blog to learn how to install and configure the Intel WS-MAN Translator.

The VBScript and guide can be download from the following location (http://communities.intel.com/docs/DOC-1850) and contents can be decompressed to a folder on either your SCCM server or on workstation that you want to run the script from. Please note that you must have WINRM basic authentication switched to "true" on the computer you are planning to run the VBscript from; WINRM Basic Authentication is required for connections to the Intel WS-MAN Translator to work properly. To turn WINRM Basic Authentication to true, run the following command from the command line:

winrm set winrm/config/client/auth @{Basic="true"}

With the archive file decompressed, you will see two VBScripts in the folder: SelfSignedFix.vbs and ExecFromCollection.vbs. SelfSignedFix.vbs is the VBScript that will perform the remote Provision / Un-provision. To use the SelfSignedFix.vbs, there are several parameters you must supply for it to work properly:

• Intel WS-MAN Translator URL: This is the secure URL on which the Intel WS-MAN Translator is listening
• The Hostname, FQDN, or IP Address of the vPro Client: This is the vPro Client that is having the issue with the Self-signed Certificate and needs to be Provisioned / Un-provisioned
• Log File Location: This is the folder or share where the results of the provision / un-provision will be logged for the client. Note that SelfSignedFix.vbs script will automatically create a new log with the filename of the hostname, FQDN, or IP Address you used as the previous parameter.
• Screen Output: Whether (Y) or not (N) to display the Provisioning / Un-provisioning output on the console screen.

Critical Note: Prior to executing the SelfSignedFix.vbs, it is imperative that you change the MEBx password in the SelfSignedFix.vbs VBScript to match what is configured in SCCM Component Configuration -> Out Of Band Management -> General Tab -> MEBx Account.


As a general reference, you can only change the MEBx password remotely once and only if the vPro Client is in a factory default state (never been provisioned). Since this VBScript remotely provisions and un-provisions the vPro client, we must set the MEBx password during this provisioning process. To Change the MEBx password, open SelfSignedFix.vbs with any text editor and modify (line 19) with your environment specific information:

Const SCCMMEBxPassword = "P@ssw0rd" to Const SCCMMEBxPassword = "<your SCCM MEBx password>"

Note: If you have already changed the MEBx password, the MEBx password will not changed; however, you should still change the SCCMMEBxPassword in SelfSignedFix.vbs VBScript to match your SCCM Configuration in case you run into a vPro Client where you have not changed the MEBx password yet.

With the MEBx Password modified, here are some examples of how the SelfSignedFix.vbs can be run from the command line:

• cscript SelfSignedFix.vbs vpro-client.vprodemo.com c:\temp N
  • The script will connect to the Intel WS-MAN Translator listening on https://sccmsp1.vprodemo.com/ to perform the Provision / Un-provision on vpro-client.vprodemo.com. c:\temp\vpro-client.vprodemo.com.log will be generated with the results of the provision / un-provision and those results will not be displayed on console.
    
• cscript SelfSignedFix.vbs vpro-client "\\sccmsp1\certfix$\error logs" Y
  • The script will connect to the Intel WS-MAN Translator listening on https://sccmsp1.vprodemo.com/ to perform the Provision / Un-provision on vpro-client. \\sccmsp1\certfix$\error logs\vpro-client.log will be generated with the results of the provision / un-provision and those results will be displayed on console.
    
• cscript SelfSignedFix.vbs 192.168.0.101 "" Y
  • The script will connect to the Intel WS-MAN Translator listening on https://sccmsp1.vprodemo.com/ to perform the Provision / Un-provision on client located at IP address 192.168.0.101. 192.168.0.101.log file will be generated in the current working directory that the script was ran from with the results of the provision / un-provision and those results will be displayed on console.
    

After running SelfSignedFix.vbs, you should be able to do a rediscovery of the Management Controller within SCCM and see that the AMT Status is now reflected as "Not Provision". With the vPro Client in a "Not Provision" state, SCCM will be able to natively provision the client without issues.

Provision / Un-provision Log
Similar to what is displayed in the previous screen shots, a successful remote Provision / Un-provision log will look like the following:

***Begin Execution 8/11/2008 8:22:22 PM**************************
Connecting to https://sccmsp1.vprodemo.com/wstrans/setup/eoi20/192.168.0.101/wsman
Setting AMT Clock
Setting HostName
Setting TLS settings
Setting new MEBx Password
CommitChanges
CommitChanges_OUTPUT
ReturnValue = 2057

Unprovision
PartialUnprovision_OUTPUT
ReturnValue = 0
***End Execution 8/11/2008 8:22:30 PM**************************

In an event that vPro Client is inaccessible to be remotely provisioned / un-provisioned, the error log will look like the following:

***Begin Execution 8/11/2008 8:22:12 PM**************************
Connecting to https://sccmsp1.vprodemo.com/wstrans/setup/eoi20/192.168.0.100/wsman
Unable to connect to AMT Device: 192.168.0.100
***End Execution 8/11/2008 8:22:12 PM**************************

This error can occur for a variety of reasons. Some common causes of this error are:

• vPro Client is not accessible on the network
• vPro Client is already provision
• Remote Admin password for the vPro Client has already been changed from the factory default. If the remote admin password has been changed, you can modify SelfSignedFix.vbs with the correct password.
  

In either case, you will need to root cause why the vPro Client was not remotely accessible to be provisioned / un-provisioned. You can then run SelfSignedFix.vbs at a later time to retry and remotely provision / un-provision.

Automating the execution of SelfSignedFix.vbs within SCCM
To avoid having to run SelfSignedFix.vbs on each impacted system individually, there are a couple of automated procedures you can perform depending on what is right for your environment. To identify and isolate the vPro Clients that are impacted by the invalided Self-signed Certificate, you can create a SCCM Collection using the following criteria "Select * from sms_r_system where AMTStatus=1"; this will automatically bucket all the vPro Clients listed as AMTStatus Detected in a single collection for easy identification.

For step by step instructions on how to create the collection for vPro Clients with the AMT Status of Detected, please reference the guide included with the scripts.

Once you have the impacted vPro Clients in a single collection, you can either use SCCM Advertisements to push and execute SelfSignedFix.vbs from the client or you can use the included ExecFromCollection.vbs to connect directly to collection and execute SelfSignedFix.vbs on an enumerated list of members in that collection.

Critical Note: Before proceeding to use one of these large execution methods, it is recommended that you test your configuration (both SelfSignedFix.vbs and Intel WS-MAN Translator) by testing on a few impacted system individually first. Once you run SelfSignedFix.vbs steps above on these select impacted vPro Clients, you need to ensure you are able to natively provision the client within SCCM before you move onto a more automated implementation.

Using ExecFromCollection.vbs
ExecFromCollection.vbs is a VBscript that will connect to a desired collection, enumerate the list of members in the collection, and execute SelfSignedFix.vbs VBScript against each member in the collection. Prior to using ExecFromCollection.vbs, you must first change the SMSSiteCode, SMSServer, SMSCOLLECTION, and WSTransURL constants. To modify the required constants, open up ExecFromCollection.vbs with any text editor and change the following values with entries specific to your environment (Make sure you save your changes).

• SMSSITECODE : This is your SMS Site Code
• SMSSERVER : This is the FQDN of you SMS Site Server
• SMSCollection : This is the SMS Collection ID that you want to enumerate the list of vPro Clients from. You can find the Collection ID of a particular collection by right clicking on the collection and select "Properties"; the Collection ID will be at the bottom of the General Tab
  
• WSTransURL : This is the secure URL in which the Intel WS-MAN Translator is listening on

Once the constants have been modified within ExecFromCollection.vbs, you can execute the VBscript by running the following Command Line:

cscript ExecFromCollection.vbs

ExecFromCollection.vbs will cycle through each enumerate member in the collection and execute SelfSignedFix.vbs VBScript against it. Prior to running ExecFromCollection.vbs, you need to ensure that the SelfSignedFix.vbs VBscript and ExecFromCollection.vbs VBscript are located in the same folder.


After running ExecFromCollection.vbs VBscript, you should be able to do a rediscovery of the Management Controller within SCCM and see that the AMT Status is now reflected as "Not Provision". With the vPro Client in a "Not Provision" state, SCCM will be able to natively provision the client without issues. For any vPro Clients that remain in a Detected state, review the log files to help isolate the root of their issue. For step- by-step instructions on using ExecFromCollection.vbs, please reference the Guide included in the download package.

Using SCCM Advertisement to Execution SelfSignedFix.vbs
In terms of leveraging SCCM Advertisements to push the SelfSignedFix.vbs down to the client and execute it, there are several different ways this could be done. This example simply pulls the SelfSignedFix.vbs off a remote share which is then executed by a SCCM Task Sequence. When the advertisement is picked up by the SCCM Client Agent, the task sequence is executed and SelfSignedFix.vbs is run on the vPro Client machine. Depending on your environment, you may want to leverage alternative methods of deploying and executing this with a SCCM Advertisement. Please note, that the SelfSignedFix.vbs is not performing any provision / un-provision commands locally on the client; although it is running on the local client, the provision / un-provision commands are being routed to the Intel WS-MAN Translator and then the commands are sent back down to the vPro client from the Intel WS-MAN Translator.

1. In preparation of creating a task sequence, create a remote share on a server where the SelfSignedFix.vbs will be run from and the log files generated from SelfSignedFix.vbs will be stored. Ensure sufficient permissions are granted to the account running the advertisement.
2. Create a New Task Sequence and give it a name that is easily recognizable. Make sure you create the Task Sequence with the option of "Create a new custom task sequence".
3. When you edit your task sequence, add a new "General"-> "Run Command Line" task.
4. Give the task an appropriate name and in the Command Line field enter in:
   cscript \\server\share\SelfSignedFix.vbs %COMPUTERNAME% "\\server\share" N
   ... where \\server\share is the remote share that you created and https://wsmantransurl/ is the secure URL of your Intel WS-MAN Translator. %COMPUTERNAME% is an OS environment variable that will give you the hostname of the client.
   
5. Once the task sequence is created, you can advertise the task sequence on a Collection you created for just the AMT Detected vPro Clients.
6. Depending on your advertisement mandate, the next time the client's SCCM agent pulls down an updated policy it will execute the task sequence.

After running SelfSignedFix.vbs VBscript via the advertisement, you should be able to do a rediscovery of the Management Controller within SCCM and see that the AMT Status is now reflected as "Not Provision". With the vPro Client in a "Not Provision" state, SCCM will be able to natively provision the client without issues. For any vPro Clients that remain in a Detected state, review the log file and isolate the root of their issue.

Note: Depending on your Client OS configuration, it may be necessary to set WINRM basic authentication to "true" prior to execution SelfSignedFix.vbs; this can be accomplished by add winrm set winrm/config/client/auth @{Basic="true"} command line task prior to the execution of SelfSignedFix.vbs.

This blog was intended to give you a general understanding of the issue and the work arounds that are in place. For a comprehensive step-by-step guide, please refer to the documentation included with Remote Provision / Un-provision Script archive file. To download the Scripts and the Guide, please visit the following URL: http://communities.intel.com/docs/DOC-1850

--Matt Royer

For those that are not aware, Microsoft has a System Center Configuration Manager 2007 Toolkit that provides some excellent tools to help with troubleshooting, security hardening, and easier log viewing within SCCM.

To download System Center Configuration Manager 2007 Toolkit, please visit http://www.microsoft.com/downloads/details.aspx?FamilyID=948e477e-fd3b-4a09-9015-141683c7ad5f&DisplayLang=en

Here are the tools that are included (as documented on Microsoft's Website)

• Client Spy - A tool to help troubleshoot issues related to software distribution, inventory, and software metering on Configuration Manager 2007 clients.
• Policy Spy - A policy viewer to help review and troubleshoot the policy system on Configuration Manager 2007 clients.
• Trace32 - A log viewer that provides a way to easily view and monitor log files created and updated by Configuration Manager 2007 clients and servers.
• Security Configuration Wizard Template for Configuration Manager 2007 - An attack-surface reduction tool for the Microsoft Windows Server 2003 operating system with Service Pack 1 and Service Pack 2 (SP1 and SP2) that determines the minimum functionality required for a server's role or roles, and disables functionality that is not required.
• DCM Model Verification - A tool used by desired configuration management content administrators for the validation and testing of configuration items and baselines authored externally from the Configuration Manager console.
• DCM Digest Conversion - A tool used by desired configuration management content administrators to convert existing SMS 2003 Desired Configuration Management Solution templates to Desired Configuration Management 2007 configuration items.
• DCM Substitution Variables - A tool used by desired configuration management content administrators for authoring desired configuration management configuration items that use chained setting and object discovery.

--Matt Royer

As referenced in the Overview of SMS/Intel SCS migration to SCCM SP1 blog post, Intel has developed a utility to easy the migration of vPro Client that have been activated on SMS/SCS to SCCM SP1.

The Production version of the Intel SCS to SCCM Migration Utility has been released and will be available for downloaded from the following location shortly: http://softwarecommunity.intel.com/articles/eng/3898.htm

A User Guide on how to use the migration utility has been included in the download.

--Matt Royer

Version 3.3 of the Intel Client Manageability Add-on has been released to bring more vPro manageability features to SMS. The following new features have been added:

• Scheduled power command operations on collections. (Note that scheduled power commands are not executed on subcollections.)
• Graceful shutdown (attempting to shut down a platform via its operating system) for Power Down operations on collections
• Changes in the way the Add-on interprets and applies IP site boundaries within SMS, including an optional registry switch. If the switch is set, if the platform's subnet does not appear in the SMS properties for the platform, the platform will be considered as being in the site boundaries. Note: There is no change in the way the Add-on interprets and applies Active Directory site boundaries.

Intel Client Manageability Add-on version 3.3 can be downloaded from the following location: http://downloadcenter.intel.com/Filter_Results.aspx?strOSs=All&strTypes=All&ProductID=2609&lang=eng&OSFullName=All%20Operating%20Systems :

--Matt Royer

Some enterprises may find that they want to take advantage of both Microsoft System Center Configuration Manager 2007 (SP1) and System Center Operation Manager 2007 in their environment. Each independently have the ability to provision and manage vPro clients (natively from SCCM and through the Intel SCOM MP for SCOM), but is there a way so that both can manage the same vPro clients? YES, there is!

The way it works is that SCCM owns the provisioning (setting up certification, ACL, base configuration) and then both SCCM and SCOM w/ Intel SCOM MP can invoke vPro Use Cases. To get SCCM and SCOM w/ Intel AMT Management Pack to work together with vPro, here are the high level steps:

1. If you have not already installed Microsoft SCCM SP1, Microsoft SCOM 2007, and the Intel SCOM MP, following the standard install documentation.
2. Create a domain account that the Intel SCOM MP Service will run under. Once created, ensure you set the Log-in Account for the Intel SCOM MP Service to run under that account.
3. Within SCCM under the Component Configuration -> AMT Settings -> AMT User Account Setting, add the domain account you created to run the Intel SCOM MP service under. Ensure you give that account sufficient access to perform the desired vPro function.
4. Within SCOM Intel Management Pack, navigate to the "Intel AMT Management Pack Settings". Under Security Settings, set Kerberos to be used and check the "TLS Enable" check box. Under the CA Certificate, ensure to specify the file location of an export of the Root CA cert (This should be the same CA that SCCM is using to issue AMT client certificates). Once complete, make sure you restart the Intel SCOM MP Service.
5. Now that base configuration is done, provision your vPro Client normally through SCCM. If you have already provisioned the vPro Client, ensure you "update management controller" so that new ACL is pushed to the vPro Clients. Once provisioned, you should be able to invoke vPro Use Case through SCCM Collection Based power control or the Out of Band Console without issue.
6. Within SCOM, configure the IP range that includes all vPro Clients to be monitored by the Intel SCOM Management Pack. After the vPro Clients are discovered, you should be able to invoke vPro Usage from within SCOM as well.

--Matt Royer

By default, the Intel WS-MAN Translator has logging turned off. To turn logging on, browse to "C:\Program Files\Intel Corporation\Intel WS-Management Translator\" directory and open "wstrans.exe.config" file with a text editor. Within the wstrans.exe.config file, browse to the the system.diagnostics section. You can change the values of the switches from "off" to "verbose".

<system.diagnostics>

<switches>

<add name="Intel.Wstrans" value="verbose" />
<add name="Intel.Wstrans.Eoi" value="verbose" />
<add name="Intel.Wstrans.WsMan" value="verbose" />

</switches>

</system.diagnostics>

After you make the changes, you will be required to restart the Intel WS-MAN translator service for the changes to take effect. After which, the Intel WS-MAN Translator will report actions and errors in the "C:\Program Files\Intel Corporation\Intel WS-Management Translator\wstrans.log".

The wstrans.log has been formatted to allow easy readablity via Microsoft SMS Trace utility which is included in the Microsoft System Center Configuration Manager 2007 Toolkit.

Matt Royer