Intel vPro Expert Center Blog

11 Posts tagged with the activation tag

As many of you might know or have experienced, relying fully on the default provisioning window where the Management Engine sends 'Hello Packets' to the SCS server is problematic. Problems start arising in the following instances:

  1. The network has multiple domain suffixes being allocated as connection specific DNS suffixes depending on location and this could potentially lead to a mismatch between the SCS domain suffix and the client domain suffix.
  2. DHCP option 15 upon which the default process relies might not be in use for one reason or another
  3. The provisioning window (24 hours for RCFG and 6 hours for PID/PPS by default) has closed before the infrastructure has been put in place to do something useful with these hello messages.

In the past there was a solution based on sample VBScripts provided by Intel, either server side only or a combination of client and server side scripts, that would be used in conjunction with SCS. This has now evolved into the Activator Utility, which is considered the best known method; however, there are some subtleties where using the Activator isn't as straightforward, such as:

  1. The Activator utility will typically run under the context of the Local System Account - to allow each Local System Account to write information to the SCS DB requires delegating control of all the Computer Objects. This is seen as a significant security risk by some organisations.
  2. The syntax for running the Activator utility necessitates the specification of a profile ID. The number of the profile ID can't be pre-determined with absolute certainty and the SCS API only accepts the profile ID and not the profile name. A situation can ensue that the wrong profile ID has been hardcoded on the clients.
  3. Some operations like /a cannot work under the Local System Account context to begin with

Together with the heterogeneous states of vPro machines (some provisioned, some not, some needing to be re-provisioned) some further logic needs to be put in place to provide a robust end to end solution. This has led to the implementation (in a nutshell) of the following solution at a large scale enterprise customer (it assumes knowledge of the Activator utility and its switches):

  1. A scriptable interface needs to be able to determine whether a system is provisioned or not - this is achieved by running MEInfo and parsing the contents of the output and writing some information into registry keys.
  2. A script always checks the registry keys to know whether to run the Activator utility
  3. The script is run at every boot-up of the system to make sure any previous failed attempts, or the system having been unprovisioned since the last boot, are covered
  4. Once a script (which runs under the context of the Local System Account) determines it needs to execute, i.e. the machine is unprovisioned but has PID/PPS loaded, it runs the Activator Utility with the //s h /d PID but not /o and /p
  5. At this point you might ask yourself, if I am using the client side vbscript, why should I use the Activator tool as well? The answer is that the Activator tool provides you the ability to send an in-band 'hello message' to kick-off the provisioning process. That is why we make use of the /h and /d PID parameters. If you wouldn't use the Activator tool, the out of band 'hello messages' would have easily timed-out a long time ago and you wouldn't be able to commence their resending unless you pulled the power cable out and back in - i.e. restart the Management Engine.
  6. The PID is predetermined per machine type and can be inserted into an XML file that sits on the client - if the PID was unique per each machine this would have broken the whole solution - hence a clear recommendation to have the same PID/PPS across all machines or at least across all machines of the same model
  7. At this point the information is written into an Interim DB using SQL account permissions
  8. Note that no permissions need to have been delegated for all Local System Accounts
  9. On the server side the script uses the same or different SQL account permissions to access the interim DB
  10. On the server side the script contains the /p and /o parameters - this is crucial as this is a single point where the /p and /o parameters can be changed thus providing flexibility
  11. In addition, since the customer has opted to not use certificates and because there is a difference between the connection specific and Active Directory domain suffixes, provisioning is to take place with hostname only - typically this would have involved using the /a switch, however there is a known issue that won't work under the context of the Local System Account. Therefore the FQDN is stripped of its domain in the server script and the hostname is derived.
  12. The server script creates an XML file with the appropriate content to plug into the Configuration Parameters table in the main SCS DB, as the SCS service can parse the contents of this XML file and check that it is valid content.

The overall benefit of this solution is you avoid the security risk of delegating access rights for all Local System accounts, cover the different scenarios when the Activator Utility should be run, avoid the problems of mismatching domain suffixes and maintain the flexibility of a single point of changing parameters for the variable Activator Utility syntax.

The same logic will apply if you are using RCFG - simply ignore point #6 above regarding PID.

Hope some of you find this useful.

Thanks, Tal

0 Comments Permalink
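The server-side half of the workflow in the post above (steps 9 to 11), together with the profile ID concern raised in both posts, as an added Python example that is not the customer's script or Intel's code. It treats interim-DB rows as untrusted client input, derives the hostname from whatever FQDN the client reported, and applies the profile ID from a single server-side setting. The row layout, `KNOWN_PIDS`, `SERVER_PROFILE_ID`, the sample values and all function names are assumptions; it does not call the Activator utility or SCS.

```python
import re
from dataclasses import dataclass

# All values below are constructed for illustration.
SERVER_PROFILE_ID = 1                      # set once, server side only (step 10)
KNOWN_PIDS = {"AAAA-0001", "AAAA-0002"}    # one PID per machine model (step 6)
HOST_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

@dataclass(frozen=True)
class ProvisioningRequest:
    hostname: str
    pid: str
    profile_id: int

def hostname_from_fqdn(fqdn: str) -> str:
    """Step 11: drop whatever domain suffix the client reported."""
    label = fqdn.strip().rstrip(".").split(".", 1)[0].lower()
    if not HOST_LABEL.fullmatch(label):
        raise ValueError(f"invalid host label: {label!r}")
    return label

def build_requests(rows, known_pids=KNOWN_PIDS, profile_id=SERVER_PROFILE_ID):
    """Turn interim-DB rows into requests; return (accepted, rejected)."""
    accepted, rejected, seen = [], [], set()
    for row in rows:
        try:
            host = hostname_from_fqdn(row["fqdn"])
            if row["pid"] not in known_pids:
                raise ValueError("PID not expected for any model")
            if host in seen:
                raise ValueError("duplicate hostname in this batch")
        except (KeyError, ValueError) as exc:
            rejected.append((row, str(exc)))
            continue
        seen.add(host)
        accepted.append(ProvisioningRequest(host, row["pid"], profile_id))
    return accepted, rejected

# Constructed interim-DB rows: two sites with different DNS suffixes,
# one malformed name and one PID the server does not recognise.
SAMPLE_ROWS = [
    {"fqdn": "PC-0142.emea.corp.example", "pid": "AAAA-0001"},
    {"fqdn": "pc-0977.site-b.example.", "pid": "AAAA-0002"},
    {"fqdn": "bad host;--.corp.example", "pid": "AAAA-0001"},
    {"fqdn": "pc-0300.corp.example", "pid": "ZZZZ-9999"},
]

if __name__ == "__main__":
    ok, bad = build_requests(SAMPLE_ROWS)
    for req in ok:
        print(req)
    for row, why in bad:
        print("rejected:", row, "->", why)
```

Because every client writes to the interim DB with the same SQL account, rejected rows are worth logging and reviewing rather than silently dropping.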

SCS 5.0 is the latest version of the Intel Setup and Configuration Service. This new version boasts a number of fundamental and exciting additions to the world of vPro:

  1. You can enjoy the benefits of Active Directory Integration without the need to extend the Active Directory Schema!
  2. You can use Windows Authentication to communicate with the SCS Database
  3. The SCS Console version 5.0 has a much nicer and professional looking user interface
  4. The performance, stability and logging capabilities of the application have notably improved
  5. You have the ability to dynamically create collections of AMT Systems based on different filter conditions
  6. This is still early days for AMT Firmware versions 4 and 5 and the use of CIRA (Client Initiated Remote Access) and MPS (Management Presence Server) but it supports them

Note: If you are using SMS as your Management Software you will need to use the Intel (R) Client Manageability Addon version 5.0 which is available for download from the following url: http://downloadcenter.intel.com/Filter_Results.aspx?strOSs=All&strTypes=All&ProductID=2609&lang=eng&OSFullName=All%20Operating%20Systems

To emphasize the point - you will not be able to use SMS Addon version 3.3 with SCS 5.0. SCS version 5.0 will be bundled already for you with the Addon version 5.0.

Some potentially useful technical insights that I have gathered through my experience of being an early adopter of SCS 5.0 through trying to deploy it at a large-scale enterprise customer:


  1. If you opt for having windows authentication (as opposed to the dummy SQL account which was part of the design up until SCS 3.3) you will need to opt for the custom installation path. In there you will be prompted to specify twice the user for running the AMTSCS and AMTSCS_RCFG virtual directories in IIS. You will need to specify the same username and password of the accounts that are running your IIS services where your SCS is being installed. Pay attention to this step - if you specify any user other than the user that is running the IIS services (this could be a local account for example and not a domain account), then you will not be able to log into SCS via the SCS console.
  2. When you opt for the windows authentication to DB you will not be able to use the default website on IIS. If you are creating a new website and you are going to opt for https connection, make sure your new website is set up with the server SSL certificate. You will also need to remember to stop the default website and have your new website running.
  3. You will need to remember to delegate permissions to the account that is running the SCS service on the AD OU for AMT objects, but this time it will be for objects of type 'Computer Objects'. There will not be a conflict with the Host OS level computer objects as these AMT Computer Objects are seen as user objects.
  4. You have the option to create the DB separately using an SQL Standalone DB script (i.e. not as part of the install wizard) however even if you are opting for windows authentication to your SCS DB, you can achieve this by only running the wizard (the custom install path). If you have created the DB prior to SCS install, you can point the SCS service to this DB instance during the install wizard.
  5. A general point to note that would apply to any provisioning with SCS (not just SCS 5.0) - when you are creating a profile
  6. Another point to mention is that the profile ID number is not fully deterministic if you don't run through the config of a new profile without pressing cancel at any point. For example, if you have the default profile as profile ID #1 then when you try and create an additional profile and at some point click cancel and then try and create a new profile it can eventually have a profile ID of #5 for example. This can start becoming a problem if you rely on the profile ID number as part of your provisioning process using the Activator Utility for example, as you can only pass the profile ID as far as the SCS API is concerned, yet if you've hardcoded the profile ID in some file on the vPro client where your Activator Utility will run then you cannot know for sure until your profile has been created in SCS what its profile ID will be. If you are editing an existing profile, its ID number won't change. You also cannot go into the DB and change that value manually as it is a primary key and is auto generated as part of an indexing mechanism in the SCS code. - this one might be a bit tricky, so contact me if you need me to clarify.
  7. I don't know whether you've noticed any sluggishness in the past when trying to install 3.x versions of SCS - for example with one of my large customers it would take 1.5 hours to install SCS because of looking up users in a rather large Active Directory; whereas with SCS 5.0 it takes 5 minutes at most.
  8. Whilst I haven't taken advantage of the capability to create collections of AMT systems I wanted to point out one of the main benefits of this feature. I have been faced in the past with situations where I need to perform an operation through SCS on many machines, but not all machines. Therefore the global operations in SCS 3.x versions only gave me the possibility of running the command on a single or all machines. Now I can tailor which machines I want to perform operations on.

My overall recommendation to you is to give SCS 5.0 a go. It is easily the best SCS version that has been released. I have blogged about it as part of my first hand experiences - I have had nothing to do with its development and I am speaking out of the objective view of a user. Hope you find this useful.

Tal


0 Comments Permalink

I'd like to announce the Expert Center's newest edition...SMB Talk


Are you a small or medium sized business? Have vPro? Want vPro? Then you should see this brand new sub zone of the vPro Expert Center. This site is dedicated to the discussion of Small and Medium Businesses & Intel vPro Technology. You can expect to see great tools, helpful tips, solutions, some best known methods and Service Provider information. Feel free to take a look around and join this new community of SMBs and MSPs.

0 Comments Permalink

Topic: Listen in as your hosts talk with Dave McCray, Intel's IT Program Manager. Intel IT is a leader in the activation and use of AMT. They have activated & provisioned over 10k machines - hear how they did it, why they are doing it & how to make your integration better based on Intel IT's best known methods. Also get a scoop on what you'll find in the coming year.
Date/Time: 8/4/2008 3:30PM
Call-In Number: (347) 326-9831
You can also visit Open Port Radio or Stream this Show Online

The vPro Expert Center's BlogTalkRadio show is hosted by Josh Hilliker, Russ Pam, and Jeff Torello. This bi-weekly informal show covers a variety of topics and is a perfect avenue to get your questions answered. Listen in live, give your two cents, or just download the show after it has aired. Make sure not to miss out on this awesome opportunity to learn and engage with the vPro experts. Can’t join us live? Have no fear, blogtalkradio lets you listen to the show whenever you have the time. Visit the Open Port Radio site (link is above) to hear previous shows and even catch a glimpse of what’s to come!

0 Comments Permalink

Michele, Tim & I got together to talk about Activating vPro, the tools & the wikis that help folks. This video was an output of us getting together.

0 Comments Permalink

Monday we're cooking up a great show, Russ, Jeff & I are going to be talking with Michele Gartner about the Activation zone and the latest status on how to self activate. We will also be talking about our top tool picks that we use for troubleshooting & enabling vPro. Definitely a show you won't want to miss out on. Also you can either stream, dial in or download after the show is over to listen. We will also have the chat line open for any and all questions related to vPro.

Here's the info:

http://www.blogtalkradio.com/openport/2008/06/02/Intel-vPro-Expert-Center-Topic-TBD

Number: (347) 326-9831
Date/Time: 6/2/2008 3:30 PM (pacific)

Listen to Intel Open Port Radio on internet talk radio

0 Comments Permalink

Be sure to view this brand new resource created in the activation subzone. It details nearly 40 links to documents, tools, and websites that aid in activation of Intel vPro Technology.

CHECK IT OUT:

vPro Useful Links

0 Comments Permalink

A user asked us why we didn't have information about buying vPro PCs on the Expert Center. Well, here it is! I am compiling a list of the different manufacturers and their vPro landing pages. It will continue to grow as I find more information.

Find it here: Where can I buy vPro PCs?

You'll find more detailed information about specific model numbers in this document: Order an activation-ready PC

As always, let me know if you need additional information. I'm growing these documents, so check back!

1 Comments Permalink

Coming Up: Russ & Josh are hosting and their guest, Jeff Torello, is coming on the show! We'll be discussing the vPro Expert Training program & recently posted Activation training materials. Join us live!
When: April 7th @ 3:30 PM
Call-in Number: (347) 326-9831
http://www.blogtalkradio.com/openport


Here's the scoop, again, for those who haven't heard...
Hosted by Josh Hilliker & Russ Pam, this bi-weekly informal show will be covering a variety of topics and is a perfect avenue to get your questions answered. Listen in live, give your two cents, or just download the show after it has aired. Make sure not to miss out on this awesome opportunity to learn and engage with the vPro experts. Can’t join us live? Have no fear, blogtalkradio lets you listen to the show whenever you have the time. Visit the Open Port Radio site (link is above) to hear previous shows and even catch a glimpse of what’s to come!

Questions, comments, or concerns? Feel free to contact me.

Thanks,
Kelsey

0 Comments Permalink

ACTIVATION - New Zone & vPro Radio

Over the last few months we have seen a lot of dialogue around how to turn on vPro systems, the steps to turn on the ME, configure, etc. So we took this to action & created a new Sub Zone that is just focused on Activations - this new zone will focus deeper on Tools, Training & documentation.


Check out our latest vPro Radio talk show with Terry, Russ & Michele (vPro Experts) as we discuss Activation.

NEXT TALK SHOW
Microsoft System Center Confirmation Manager - listen in on Weds 2/27/08 - http://www.blogtalkradio.com/openport

0 Comments Permalink

Check out the latest embedded or linked YouTube videos on vPro Expert. If you go out on YouTube - check the "vproexpert" and "IntelNick" users. Good short videos.

ProExpert Embedded early examples- http://communities.intel.com/docs/DOC-1128 and http://communities.intel.com/docs/DOC-1129

Direct links on YouTube to these accounts - http://youtube.com/user/vproexpert and http://youtube.com/user/IntelNick

More training and demo based videos are coming. Have an idea or request? Reply to this blog or to the existing discussion at http://communities.intel.com/message/1280

0 Comments Permalink