Intel vPro Expert Center Blog

22 Posts tagged with the altiris tag 1 2 Previous Next
Click to view joelsmith's profile
0

The primary key of identity for an AMT computer is its Fully Qualified Domain Name (FQDN). One of the essential parts of the setup and configuration process (Provisioning) is when Altiris attempts to map a valid FQDN inside the IntelAMT database. This article covers how to handle FQDN issues, including ways to correct invalid entries, the best method to avoid the issues, and how it all works. If you're using Altiris Out of Band Management for provisioning, this is a must read!

Introduction

The two key identity items for vPro are the UUID (Universally unique Identification) and the FQDN. The UUID is contained within the hello packet sent by AMT, but the FQDN is not held within AMT without Provisioning. This means it is up to Altiris to acquire the system's FQDN. While this may sound simple, the problems arise when the system is in its setup process, whether prepping or being imaged, having software and scripts rolled out to provision and join the system to the domain, including when its final identity on the Domain and network are established and it received a new IP Address.

Preferred Provisioning method

For specifics I'll refer to the Best Practices document, but for the general steps to be followed specifically for the FQDN I'll provide the steps below.


LINK: http://juice.altiris.com/article/2810/best-practices-configuring-intel-vpro-capable-system-within-symantecaltiris-vpro-toolki


  1. Image the system with the Operating System, including any post-imaging work to get the system configured. This includes rolling out software or scripts.
  2. Join the system to the Domain after it has its rightful identity. The computer name should be set. When the computer is joined to the domain, this will provide the valid operable FQDN.
  3. Install the Altiris Agent on the system. This provides the information for the FQDN in the Inv_AeX_AC_Location table.
    NOTE: If the Altiris Agent was part of the image, make sure the system sends Basic Inventory again after the system has been joined to the network to ensure we have the valid FQDN within the Altiris database.
  4. Ensure the Out of Band Discovery package is enabled and configured via the collection to go to all machines.
    NOTE: This step is essential because OOB Discovery will pick up the FQDN from the Basic Inventory and map it in the IntelAMT database. This screenshot shows where the data is located:
    OOBCapACLocation.JPG
  5. Now if the hello message was sent before the above steps were completed, normally it will recover as long as the process completes before 24 hours have passed. 24 hours is the period of time the hello packets will be sent from the client. AMT will continue to send hello packets throughout the period UNTIL it is fully provisioned. This helps reestablish connection if the IP Address changes in the middle of the Provisioning process and the Server can't connect back up to the remote AMT system.

Preferred Provisioning Settings

Not all settings within Out of Band are FQDN friendly. The following items affect how Out of Band Management approaches provisioning.

  1. Resource Synchronization - Make certain this is enabled! A Disabled Resource Synch policy will halt Provisioning, greatly increasing the change for FQDN problems when it is finally enabled.
  2. Use DNS IP resolution to find FQDN when assigning profiles - This option, under the Resource Synchronization policy, is typically unreliable. While this option allows for bare-metal provisioning or Agentless provisioning, it also is at the mercy of the DNS and DHCP environment. It is highly recommended NOT to use this option unless you fully trust your DHCP and DNS environment. Factors to consider are:
    1. IP Lease times - The lease times afforded systems may be short, increasing the possibility that when OOB fetches the FQDN via IP the lease will have expired and the wrong FQDN will be mapped.
    2. PXE or other auxiliary boots - Often these types of systems will obtain a different IP address from DHCP as their identity is not the same as when the system is booted to the OS.
      ResourceSynchronizationOOB2.JPG
  3. Intel AMT 2.0+ to Profile - This option allows a default Profile to be setup for Provisioning. Make sure you've created a default profile and set it in the Resource Synchronization policy. Without a profile Provisioning will not occur.
  4. Intel AMT requires authorization before provisioning - Under the General node within Provisioning, this option stops provisioning from occurring. The profile will not go down to the system until the system is selected, using the right-click to choose ‘authorize'. This can aggravate FQDN problems by delaying full provisioning.

FQDN Fixes

Invalid FQDN in IntelAMT

The first issue stems from a variety of causes. The issue is that in the IntelAMT database, shown under the Intel AMT Systems node under Provisioning for Out of Band Management, the FQDN is invalid. The causes vary, but here are a few we've seen:

  1. Reverse DNS IP Lookup is enabled - Unless your DHCP and DNS environment are rock solid, often IP Address leases expire, and other systems pick up the IPs that the AMT systems originally sent the Hello message with. When this occurs, the wrong FQDN is mapped.
  2. IP Leases short - Often the IP Lease length can create a problem acquiring the correct FQDN. This can especially have problems with TLS as the FQDN is part of authentication using certificates.
  3. FQDN is incomplete - When a system is in setup mode, sometimes the mapped FQDN is not part of a domain, resulting in the Host Name only being set as the FQDN.

IMPORTANT! When the FQDN is invalid in the IntelAMT database, Resource Synchronization can have troubles matching resources with their correct counterparts in the Altiris database. Because of this, duplicates can emerge. If the checkbox in Resource Synchronization labeled: ‘Remove duplicate Intel AMT resources from Notification Server database' is checked, managed resources can get deleted from the Altiris database!

FQDN has Changed

Another not-uncommon occurrence is when a system changes identity. This can occur in a variety of ways, including:

  • The system has been reimaged
  • The computer name has been changed
  • The computer has been migrated to a new Domain
  • The system has switched subnets, resulting in a new FQDN

Regardless of the method, changing the FQDN on the system does not change it in the Intel ME or AMT firmware, and also does not change it within the Intel SCS component database (IntelAMT). When these are not synched up, it can cause problems when you need to manage the system via AMT when the computer is booted to the operating system. This particularly has problems when TLS is enabled and the provisioned certificate no longer matches the FQDN in Windows.

Issues Resolution

Since the Altiris Agent sends Basic Inventory daily by default, the Altiris database usually has a valid FQDN on record in the Inv_AeX_AC_location database table. We can run a query that will capture the correct FQDN from the Altiris database and insert it into the IntelAMT database, correcting any duplicate or invalid FQDN entries. This is the first step. The second step is to update the FQDN within AMT on the local systems. The following processes walk you through the resolution:

Update IntelAMT from Altiris

  1. Open up SQL Query Analyzer or Microsoft SQL Server Management Studio.
  2. Open a Query window within the database instance that contains both the Altiris database and the IntelAMT database.
  3. Run the following query, though for testing purposes you can omit the line ‘COMMIT TRANSACTION until you can verify the operation completed as expected. Once validated, run COMMIT TRANSACTION to complete the process:
    BEGIN TRANSACTION
    UPDATE intelamt.dbo.csti_amts SET fqdn = b.fqdn FROM (SELECT il.Fully Qualified domain name AS 'fqdn',
    REPLACE(oob.uuid, '-', '') AS 'uuid' FROM
    altiris.dbo.Inv_AeX_AC_Location il JOIN altiris.dbo.Inv_OOB_Capability oob ON
    oob._ResourceGuid = il._Resourceguid) b WHERE intelamt.dbo.csti_amts.uuid = b.uuid
    COMMIT TRANSACTION
  4. Done! The FQDNs now match between Altiris and IntelAMT.

Update FQDN on local AMT

  1. It is recommended to follow these steps in batches so as to not overwhelm the Intel SCS component. Perhaps run this against 100 systems at any one time, or run it against those systems you know have been updated. While it doesn't hurt to run this against systems that didn't have the FQDN changed from the above process, it is unnecessary if you are able to target those systems with invalid FQDNs.
    Note: This process assumes that the system can be reached via the SCS using the new FQDN supplied by Altiris. For TLS there may be complications we have not foreseen.
  2. In the Altiris Console browse under View > Solutions > Out of Band Management > Configuration > Intel AMT Systems > and select the Intel AMT Systems node.
  3. Select one or more systems you need to update the local AMT FQDN on.
  4. Right-click and choose the ‘Re-provision...' option.
    Re-provision.JPG
  5. Check the Action status node under Provisioning > Logs > Action Status for messages concerning the Re-provision attempts. You can also check the Log node for errors.
  6. Done! The systems, when reprovisioned, should have the correct FQDN planted by the IntelAMT database entry that was updated from the Altiris database.

Conclusion

Use this article to resolve your FQDN issues to ensure ATM functionality is available when it is needed. The above process has been verified, though all environmental potential issues have not been explored. It is advised to test the process in your environment before implementing on a wide scale.

0 Comments Permalink Tags: altiris, amt, centrino_pro, troubleshoot, fqdn, symantec
Click to view joelsmith's profile
0

The Task Server contains AMT function tasks that give you the ability to integrate AMT functionality into Task Server Jobs. This allows you to use AMT in conjunction with Software Delivery, Scripting, and any other Task Server supported function. Understanding how to troubleshoot the AMT side of a Task Server job will help resolve issues so that AMT can be utilized. This includes the following technologies:

  • System Defense - Network Filtering
  • Reliable Power Management
  • IDE redirect for boot redirection

Introduction

This is the concluding article for the series: Troubleshooting the Altiris Manageability Toolkit for vPro Technology. The first four articles covered the setup and configuration of AMT systems, while parts 5 and 6 covered RTCI and RTSM respectively. This final article discusses troubleshooting the AMT integration into Task Server when issues arise.


As an introduction, the actual SOAP or API calls made to the AMT system is invoked through Real-Time Console Infrastructure, the same as when they are invoked through the Real-Time tab for RTSM. Though the calls are from the same place, how those calls are made differ. The following subjects will be covered:

  • Determining Cause of Failure
  • AMT Detection Issues
  • Authentication Issues

Determining Cause of Failure

Often you'll known the general symptom that tells you a job or task in Task Server didn't execute as expected. For example a power management task may have shown as run but the AMT system never woke up. A failure is not shown except deep within a series of status windows.


To determine the returned error, use the following steps. Task Server's actual failure code is buried deep in a series of status windows, as shown in the screenshot after the steps.

  1. Under the Task or Job that failed, double-click on the general status row for the specific execution attempt.
  2. If within a job, double-click on the line that represents the task or AMT function that failed.
  3. Note the numbers of successes versus failures. Click the ‘View Report' link.
  4. Now you'll get a grid with the status of the Task, including the status and return code, if present.

TaskServerStatusWindows.jpg

AMT Detection Issues

When Task Server reaches a Task that involves AMT, it makes direct calls to AMT in those systems targeted in the task or job. Detecting AMT and subsequently executing the scheduled function requires success at both junctures. The following sections discuss potential issues and solutions in this process.

Power State Unknown

One common problem we see is when a power management task fails due to the failure message: Generic error, FromState detected as unknown:14. This will cause the power action to fail. The causes vary, but the following list contains the most common:

  • System unreachable - The target system is not available on the network
  • AMT failed to be detected - See the subsequent section ‘AMT not detected'
  • Authentication failed - See the subsequent section ‘Authentication Troubleshooting'
  • AMT is unavailable - If a system is not provisioned, or AMT is not functioning on that system

Use the following process to determine what the issue is:

  1. If RTSM is available, try connecting to the target system using RTSM, specifying the same credential profile.
  2. If that fails, try manually putting in credentials until you find one that works.
  3. If Step 1 succeeds, try creating a different connection profile with only AMT functions provided.
  4. If no RTSM is available, still try the profile with only AMT functions to see if it works.
  5. Try other AMT functions, such as Collect Intel AMT Inventory to see if they succeed.
  6. If other functions succeed, try using another method to reboot the system to reset the power state stored in the Intel ME. One way to accomplish this is using the Task Server Power Management Agent to send down a standard reboot command to the PC.
  7. If no other AMT functions are successful, AMT might not be properly setup on this system. Ask the question: Has this system gone through the provisioning process?
  8. If unknown, use the Out of Band Discovery Task to see if AMT is available and to identify what state it is in. See the steps provided under the ‘AMT Not Detected' section following.
  9. If all else fails (generally this is on a system-by-system basis, rarely do a collection of systems encounter this level of this issue) try reprovisioning the system by fully unprovisioning and going through the provisioning process again.

AMT Not Detected

Normally a non-vPro system will receive the return code that AMT was not detected. This is accurate, but when it happens to valid managed vPro systems, the issue must be troubleshot to determine why the applying Task Server cannot detect AMT on the system. Out of Band Discovery is a great way to determine what state the system is in. Use the following steps to take stock of the systems:

  1. In the Altiris Console, browse to View > Solutions > Out of Band Management > Configuration > Out of Band Discovery > and select the ‘Out of Band Discovery' policy.
  2. Enable the policy if it is not yet enabled. If it is enabled, set a schedule to run the discovery again so you have updated information on your systems.
  3. On the AMT system in question, go to the Altiris Agent and bring up the Agent UI by double-clicking on the system tray icon or by launching C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe.
  4. Highlight the ‘Out of Band Discovery Package.
  5. Click the ‘Out of Band Discovery' link under Application Tasks.
    OOBDiscoveryRun.jpg
  6. Once completed, now check back at the server and double-click the system within a collection to bring up Resource Manager.
  7. Click on the Inventory tab and browse to Out of Band Management, and select the data class OOB Capability. This will give you the details of AMT.

If AMT is disabled, it needs to be enabled in the BIOS. A BIOS update from the vendor may provide you a remote way to enable AMT, by using Software Delivery for example. If it is all enabled, next check the provisioning status. Provision as necessary.

Authentication Issues

As with RTSM, Task Server uses the same basic authentication method when executing against a computer. Task Server also includes another option to add additional credentials to the execution to be used when contacting the protocol, which is AMT in this case.

Authentication Methods

Since RTCI controls the authentication, much of the same method is used whether the execution of an AMT command is issues from the Real-Time console or from Task Server, however there are some differences.

Runtime Profile - The Runtime profile contains he following information:

  • All known good credentials used to connect via RTSM to a system
  • The Intel SCS AMT password sent to systems when provisioning occurs
  • Previously successfully used credentials from past RTSM sessions
  • Previously successfully used credentials from a Task that succeeded

User-defined Profiles - Profiles can be created that specifically provide credentials for the four types of technologies:

  • WMI digest or Domain account
  • AMT digest or Kerberos-authenticated user
  • ASF digest or Domain account
  • SNMP community strings

Task-specified Credentials - When a user setups up a job or task, the user can specify specific credentials to be used when executing AMT-related functions through the profile interface. This option is per job or task, and applies to all AMT functions invoked during the job or task. The Interface allows this as shown in the following screenshot:

Task-newprofile.jpg

Authentication Troubleshooting

The following method will help identify issues and offer ways to work-around and solutions. These have been compiled through experience when troubleshooting issues with failed authentication with Task Server.

  1. First, how do you determine if your task or job is failing due to authentication? Use the previous section under Introduction labeled ‘Determining Cause of Failure'.
  2. In the Altiris Console browse to View > Solutions > Real-Time Console Infrastructure > Configuration > select Manage Credentials Profiles, or in the Task click the ‘Run Now', and on the subsequent page click on the pencil icon next to the credential profile being used.
  3. Where does the green checkmark fall? This is the default profile that will be used when connecting via a Task Server task.
  4. Create a new profile by clicking the blue + on the icon bar in the right-hand pane.
  5. Under the Intel® AMT tab check the box ‘Enable this technology in the profile'.
  6. Supply the admin user credentials set when the managed vPro systems were provisioned.
  7. Under the WMI tab also check the box as above and provide a user that has admin privileges to the target system.
  8. Give the profile a name and then save it.
  9. Back at the main screen check the box under the ‘Default' column until the green check-mark uses your new Profile, or if you are in a job interface select the profile to be used for the run. Note that this does not require you to make it the default profile, allowing another profile to remain the default credentials.
  10. Run the task or job to see if the authentication failure has been resolved.
  11. If it is not, try rerunning with the Runtime Profile. This contains all known good authentication attempts to the system from either Task Server or RTSM.
  12. In one case we supplied only AMT credentials in the Profile which allowed it to authenticate to AMT while a multiple protocol authentication profile failed. If your Task or Job does not contain any of the other protocols, this is recommended.

Conclusion

This concludes the Troubleshooting article series for the Altiris Manageability Toolkit for Intel vPro Technology, version 6. While this doesn't cover all issues, it should resolve most of the common issues we've seen.

0 Comments Permalink Tags: altiris, amt, centrino_pro, vpro, troubleshoot, symantec, task_server
Click to view joelsmith's profile
1

Formerly known as Web Admin for Windows, Real-Time System Manager provides a powerful set of functions for IT specialists. In part 5 of this article series we covered the main points for Real-Time Console Infrastructure troubleshooting. As a natural extension of RTCI, Real-Time System Manager troubleshooting is covered in this article as part 6. With an emphasis on credentials and connection methods, this article provides information to overcome the most common issues seen when using the Real-Time tab for direct, one-to-one computer interaction.

Introduction

Real-Time System Manager provides a powerful tool for directly connecting to a system agentlessly with functionality available through WMI and Intel AMT. This article covers the issues associated with general functions seen with both technologies but with emphasis on the AMT functions. The following sections cover areas of troubleshooting:

  • Connection Issues
  • Authentication Issues
  • IDE Redirect (IDER)
  • Network Filtering

Connection Issues

Under the current architecture the FQDN is the primary method for connecting and authenticating to AMT on remote systems. If the FQDN the Real-Time tab is using does not resolve in DNS, then AMT connectivity and thus functionality will not be available. FQDN connectivity issues are the number one issues we see with RTSM connections to AMT.

Invalid FQDN

To view what FQDN the Real-Time is using, use the ‘Hardware Management' node in the RTSM tree. The following screenshot shows what AMT is using:

RTSMfqdn.jpg

In this example my system is in a workgroup and reported only the hostname as the FQDN, which DNS had no trouble resolving. If this fqdn is not reachable via DNS, we won't be able to connect to the AMT functionality.

NOTE: We use several methods, including IP address, for WMI. WMI functionality may show correctly when AMT is absent in this situation

Use these steps to see the FQDN is the issue:

  1. Open the Real-Time tab for the AMT system you are managing.
  2. Once the tree loads, open the Real-Time System manager folder, open Administrative Tasks, and click on ‘Hardware Management'.
  3. Once the page loads, if AMT is missing as an available technology, take note of the name displayed as in the screenshot above.
  4. Go to Start, Run, type in cmd, and click OK.
  5. Type in nslookup <name displayed>. In the above example it would read:
    1. Nslookup dellvpro
  6. Can DNS resolve this address? If no, we'll need to fix the issue in one of the following ways.
  7. FIX DNS and/or the Altiris record: If DNS can be fixed, this is the preferred method. The difficulty is finding out why the Altiris Agent reported the incorrect record. Once DNS is fixed, have the Altiris Agent run Basic Inventory. The table location we pull this out of for management in RTSM is Inv_AeX_AC_Location, column: Fully Qualified Domain Name.
  8. Use the ‘Manage' node available in RTSM (see the below screenshot): By putting in the IP address of the system, we'll use the IP to lookup the FQDN and not make any assumptions.
    Manageshortcut.JPG
  9. Update the Servers HOSTS or LMHOSTS files to contain the mapping to the invalid name. For example find the LMHOSTS file, edit it and add a line <IP ADDRESS> <FQDN>, as in this example:
    1. 10.10.10.1 Dellvpro

Real-Time unable to connect

If WMI and AMT functions are unavailable, you'll get a message when you click on the Real-Time tab indicating that the functionality isn't available. See the following screenshot:

NoRTSMavailable.jpg

Note: If you use another product such as Dell or HP's plug-ins to this tab, you'll simply not have the ‘Real-Time System Manager' node underneath Real-Time Consoles.

The number one reason this occurs is due to a firewall being engaged. Firewalls need to allow AMT traffic through. If a firewall is enabled, use the following details to resolve the AMT issue:

  1. Create an inclusion in the firewall properties.
  2. Allow the following ports, based off your environment:
    1. 16992 - For non-TLS encrypted traffic - if you are not using TLS this is the port that will be used for communication
    2. 16993 - For TLS-enabled, encrypted AMT traffic - If https is required for communication with AMT, this port will be used
    3. 16994 - For a note, AMT provisioning uses this port for sending out the ‘hello' packet during the configuration process - this will be used if you initiate a reprovision from RTSM
  3. Another options is to disable the firewall when you need to manage the system via RTSM.
  4. Unfortunately WMI has a known issue with the Windows firewall where the dynamic ports WMI uses after initiation will be blocked. It's a bug in WMI that has been addressed in Vista. Previous Operating Systems do not have a resolution at this time.

The other issue we've seen is where the system is simply unavailable for one reason or another. AMT is available if the system is off but still connected to the network, but WMI or if the system is unplugged from power or off the network RTSM obviously cannot function. Verify that the system is available if nothing resolves this issue.

Authentication Issues

Another common issue concerns authentication to the system via the Real-Time tab. First, let me discuss the methods RTSM uses to authenticate to a target system.

Authentication Methods

Runtime Profile - The Runtime profile contains he following information:

  • All known good credentials used to connect via RTSM to a system
  • The Intel SCS AMT password sent to systems when provisioning occurs
  • Previously successfully used credentials from past RTSM sessions

User-defined Profiles - Profiles can be created that specifically provide credentials for the four types of technologies:

  • WMI digest or Domain account
  • AMT digest or Kerberos-authenticated user
  • ASF digest or Domain account
  • SNMP community strings

Manually entered credentials - When RTSM tries to connect, if the default profile set in the RTCI configuration fails to authenticate, the left-hand tree will still load but each node will prompt the user for credentials. A user can put in an AMT account, Domain user, or digest user that has rights on the target system. When authentication succeeds, these credentials are then stored in the Runtime Profile for the target system.

Troubleshooting Authentication

The following method will help identify issues and offer ways to work-around and solutions. These have been compiled through experience when troubleshooting issues with failed authentication with RTSM.

  1. In the Altiris Console browse to View > Solutions > Real-Time Console Infrastructure > Configuration > select Manage Credentials Profiles.
  2. Where does the green checkmark fall? This is the default profile that will be used when connecting via the Real-Time tab.
  3. Create a new profile by clicking the blue + on the icon bar in the right-hand pane.
  4. Under the Intel® AMT tab check the box ‘Enable this technology in the profile'.
  5. Supply the admin user credentials set when the managed vPro systems were provisioned.
  6. Under the WMI tab also check the box as above and provide a user that has admin privileges to the target system.
  7. Give the profile a name and then save it.
  8. Back at the main screen check the box under the ‘Default' column until the green check-mark uses your new Profile.
  9. Test to see if this new profile is successful. Note that you'll need to launch IE fresh to use the new settings.
  10. If it is not, try entering credentials in manually when you hit the system under the Real-Time tab. See the screenshot below for the connection icon to switch between WMI and AMT authentication. If two show in this area, both technologies are available but not authenticated.
    RTSMconnectiontype.jpg
  11. In one case we supplied only AMT credentials in the Profile which allowed it to authenticate to AMT while a multiple protocol authentication profile failed.
  12. Check the collection you are launching Resource Explorer from. Sometimes the identity of the system is incorrect. For AMT you can launch RTSM from the Provisioned collections populated with the Resource Synchronization.

IDE Redirect (IDER)

IDE Redirect allows a system to be remotely booted to a file, drive, or virtual disc. There are a number of potential issues to be aware of when working with IDER in a vPro environment. The below items include well-known issues and their resolutions.

Redirection Invalid Parameter

When initiating an IDER (IDE Redirect) session to an external source such as an .iso file, the following error appears in the console:


Power management operation failed.
Redirection session start has failed. See logs for more details.

The Notification Server log shows the following error:

Log File Name: C:\Program Files\Altiris\Notification Server\Logs\a.log
Priority: 2
Date: 3/9/2007 2:51:05 PM
Tick Count: 10617218
Host Name: <>
Process: w3wp.exe (2436)
Thread ID: 5412
Module: AltirisNativeHelper.dll
Source: RTCI.Trace
Description: RedirectionProvider::StartIDER - RedirectionProvider::StartIDER - IMR_IDEROpenTCPSession: IMR_RES_INVALID_PARAMETER

This is caused by Intel's redirection library requiring a correct floppy device to initiate an IDER session (either floppy image or real removable device). Real-Time System Manager 6.2 can work around this. If you put floppy.img file into Program Files\Altiris\RTSM\UIData folder, then the issue will not occur.

IDER or SOL Disabled

In some instances Intel vPro systems are arriving from the OEM with IDER and SOL disabled in the BIOS. When disabled, neither of these functions work from any management engine, including RTSM. Correcting this oversight is not easy, especially if the OEMs do not offer a solution by a firmware or BIOS update. Use the following method to resolve the issue:

  1. Go to the Support site for the OEM for the systems.
  2. Browse to the drivers and downloads section for the exact model (note that sometimes the model will differ based on possessing or not possessing vPro technology).
  3. Check the firmware updates for a new BIOS.
  4. Check the documentation for any new BIOS versions that include vPro to see if they've corrected this.
  5. Contact your OEM if they have not and request a status!
  6. The only other recourse is to develop an update yourself or manually update the settings by visiting the system.

Conclusion

This should account for the most common issues we've seen, and allow you to successfully use RTSM with AMT technology, avoiding those issues.

1 Comments Permalink Tags: altiris, amt, centrino_pro, intel, symantec, vpro, troubleshoot, real-time_system_manager, rtsm, rtci, notification_server
Click to view Terry Cutler's profile
0

For general questions about Remote Configuration, please review the following article - http://communities.intel.com/docs/DOC-1490

Earlier in 2007, I wrote two brief articles about Remote Configuration.


The embedded video below is a summary of how Remote Configuration works in an Altiris environment. The target environment has a VeriSign Intel(R) Client Setup Certificate loaded. Intel AMT 2.2 and 2.6 systems are provisioned using Agent Initiated approach. The Intel AMT 3.0 system is provisioned using the baremetal approach (could have done this via agent initiated... yet wanted to show both methods)

More content\details on acquiring external certificates, or creating a custom internal certificate and adding the associated certificate hash to the clients... can be provided if needed.

0 Comments Permalink Tags: vpro, remote_configuration, altiris
Click to view joelsmith's profile
0

The ability to provide access to the Real-Time tab of Resource Manager will enable administrators to provide this valuable tool to IT specialists or Helpdesk workers. Furthermore the ability to configure access to certain functions within the console will allow administrators to grant or restrict what users can do with Real-Time System Manager. This includes WMI functionality as well as powerful AMT functionality.

Introduction


Your environment will likely have a unique set of requirements on who can access what in Real-Time System Manager. It can be as simple as two levels of workers, from an administrator to an IT Specialist, to a complex system of access rights in a multi-tiered environment tightly controlled. No matter the environment, this article provides the details to customize access to the Real-Time tab, including WMI and AMT access rights.


RTSM contains limited functionality to configure access via WMI. AMT, on the other hand, can be configured at a function-granular level. Whether you're simply trying to give users full access to RTSM, or to provide access to only certain functions, this document assists to achieve this.

NS Role Security


The first item that must be enabled is creating a role or modifying an existing role to have rights to Real-Time System Manager at the general level. Without assignment to such a role, a user cannot gain access to RTSM.

Overview


Briefly I'll explain how NS Role and Scope security work together in Notification Server. Roles give feature access rights. For example in Software Delivery Solution there's a role object labeled ‘Item Tasks - Software Delivery Wizard'. The two options allow use of the Simple or Advanced Software Delivery Wizard. Without this right, the user cannot launch the Software Delivery Wizard, regardless if they have scope rights to the Wizard and Status node in the console.


Scope security is much like the Windows File-System security model. In the Altiris Console the left-hand tree can be accessed like the file system, applying security to folders or to nodes, as opposed to folders and files. Inherence allows security to be inherited from the containing folder, on up the chain until the root node is reached.

Role Configuration


The following steps show how to create a user with RTSM permissions.

  1. In the Altiris Console, browse to View > Configuration > Server Settings > Notification Server Settings > Security Roles.
  2. Select an existing Role or Right-click on the Security Roles folder and choose to create a new Role.
  3. Under Privileges, find the following categories and check the indicated option. After the screenshot the items are details with description of the option:
    RTSMRole.jpg
    1. Altiris System Privileges - Use Real-Time System Management - This is the ability to use the product at the most basic and general level.
    2. Altiris Console Privileges - View Resources Tab - For this example I'm providing the user the ability to see collections so he or she can launch Resource Manager and use the Real-Time tab.
    3. Altiris Console Privileges - View Tasks Tab - Access to the ‘Manage' node allowing launch of Resource Manager requires this privilege.
    4. Item Tasks - Real-Time System Manager - Manage - This is access to the main tree for RTSM. Most functions are covered by this option.
    5. Item Tasks - Real-Time System Manager - Password Reset - Because of the nature of this function, it has been separated out as a single security role object in Notification Server but belongs to the Real-Time tree.
    6. Item Tasks - Real-Time System Manager - Port Check - The Port Check feature is normally accessed as a separate contextual item in the right-click menu, or launch from an icon under the Real-Time tab.
    7. Item Tasks - Real-Time System Manager - Trace Route - This is treated in the same way as Port Check.
    8. Item Tasks - Real-Time System Manager - Hardware Management - This is one of the objects in the tree that provides basic hardware function, which is greatly extended if the system is Intel vPro capable and Provisioned.
  4. Click the Membership tab.
  5. Use the blue + icon to add users and/or groups to the Role. These can be digest users or local computer groups, or Domain users or groups.
  6. Click Apply to save the Role.

Note: The users will not have access yet to the Altiris Console as the scope-level security has not been set for the new Role. Complete the below NS Scope Security section to give access to the Altiris Console

NS Scope Security

Altiris Console


For Altiris Console access, scope security must be configured before a Role can access or login to the console. The security window is the same for any node, be it a folder or otherwise. The two screenshots below show the security window and the permission selection screens:

SecurityProperties.jpg

http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1373/ActionPermissions.jpg

Note: Depending on the object type, the available permissions may differ


To allow access to the ‘Manage' Real-Time Console Infrastructure Task, follow these steps:

  1. In the Altiris Console, browse under View > Tasks > Incident Resolution > Tools.
  2. Right-click on the node ‘Manage' and choose Properties.
  3. Click on the Security tab.
  4. Click the ‘Add' button.
  5. Select from the list Role name of your role (+ie:+ Role RTSM Workers) and click the ‘Select' button.
  6. Check the option for ‘Full Control' and click ‘Select'.
    Note: Full Control does not give the user the ability to delete or otherwise manipulate the Manage node. This node can only be accessed for the function alone.
  7. Click ‘Apply' to save the security changes made.

To access Collections so the users of the role can view collections so they can use the RTSM right-click contextual menu options for a listed resource, follow these steps:

  1. In the Altiris Console, browse to View > Resources > Collections.
  2. Depending on what collections you want to give the user access to, browse to a containing folder or an individual collection.
  3. Right-click on the folder or collection and choose Properties.
  4. Click on the Security tab.
  5. Click the ‘Add' button.
  6. Select from the list Role name of your role (+ie:+ Role RTSM Workers) and click the ‘Select' button.
  7. Check the following options:
    1. Altiris System Permissions - Read
    2. Altiris Resource Management Permissions - Read Resource Data
    3. Altiris Resource Management Permissions - Read Resource Association
  8. Click Select, and then click Apply on the permissions window.

Now we have allowed the user access to certain parts of the Altiris Console so they can execute Real-Time System Manager on managed systems. To restrict access to certain parts of the RTSM console, see the previous Role section for what options are available to you.

AMT Permissions


RTSM takes advantage of powerful functionality available in Intel vPro, AMT technology. Once a user has access to RTSM, their user account, if permitted, is used to connect to the remote system by WMI. An AMT connection can either use Kerberos integration or an inputted digest user when prompted. The credentials must be specified in the destination system's AMT Profile, otherwise authentication will fail.


To configure who has rights to AMT, follow these steps:

  1. In the Altiris Console, browse to View > Solutions > Out of Band Management > Configuration > Provisioning > Configuration Service Settings > Provision Profiles.
  2. Double-click on an existing profile, or create a new one.
  3. Click on the ACL tab.
  4. Click Add to add either a digest user or to use Domain users and groups with Kerberos integration.
  5. Once a user is inputted, the ‘Realms' section allows or disallows access to different AMT functions. The boxes that are of importance to RTSM are:
    1. Circuit Breaker - Now known as System Defense, or Network Filtering
    2. Hardware Asset - For power management capabilities
    3. Redirection - To allow IDE Redirection
    4. Remote Control - Allows Serial Over LAN (SOL) remote connection
    5. Event Manager - Allows viewing of AMT logs
    6. General Info - Allows viewing of AMT data on the system
  6. The ‘Access Permission' dropdown should be used to select either Network Access or Any. The Local Access option gives that user rights to log into the Intel ME locally when the system boots and isn't needed for RTSM function, however if you wish to allow the user to have access to both, choose ‘Any'.
    AMT-ACL.JPG
  7. Click OK to save the changes.

To apply the updated or new profile to an AMT system Provisioning must occurred. If the system was already provisioned with this same profile previously, a reprovision will update the profile.


This will not limit access to see the functions available in the Real-Time tab for AMT, but will throw a not authorized message if an applicable function is attempted with a user who does not have the rights to execute it.

Conclusion


The Real-Time tab, a one-to-one solution for system access, data gathering, or troubleshooting, provides a powerful tool to IT administrators and IT professionals alike. Providing this ability to users you do not want to have full access to Altiris is essential for any secure environment. With the additional ability to configure granular AMT rights for vPro capable and configured systems, an administrator has the ability to get very specific on what users or groups of what rights.

0 Comments Permalink Tags: altiris, amt, rtsm, real-time_system_manager, intel, security, symantec, vpro
Click to view jlvb's profile
0

While at ManageFusion, Symantec Director of Strategic Alliances Kevin Unbedacht discussed some of the future directions on Intel vPro technology that Symantec is taking advantage of. In the video below, learn how Symantec is taking advantage of the upcoming Intel Centrino 2 with vPro Technology and Intel Anti-theft Technology.


0 Comments Permalink Tags: altiris, centrino_2, intel, anti-theft, technology, vpro, symantec, vpro, future, directions
Click to view jlvb's profile
0

While at ManageFusion, we had Symantec Director of Strategic Alliances Kevin Unbedacht discuss how Intel vPro Technology enhances the Symantec Altiris Client Management Suite. He demonstrates the following hardware assisted use models with Intel vPro technology based PCs:

  • Power Management with Secure Power-On
  • Diagnose and Repair PCs Remotely
  • Isolate and Recover Infected PCs
  • Discover PC Assets


0 Comments Permalink Tags: altiris, centrino_pro, amt, system, defense, symantec, manageability, client, managet, suite, vpro
Click to view jlvb's profile
0

Intel and Symantec value having interactions with the IT community on a year-round basis. Listen to two of the most prominent and prolific bloggers on Intel vPro technology - Terry Cutler from Intel and Joel Smith from Symantec talk about how they communicate with the community via the Altiris Juice or the vPro expert center community websites.


0 Comments Permalink Tags: joel_smith, terry_cutler, vpro, expert, center, altiris, juice, altiris, symantec, manageability, vpro
Click to view jlvb's profile
1

At ManageFusion, we had the Intel vPro technology Challenge at the event - a competition where teams of two competed to find and fix a troubled PC. Each team had an opportunity to interact with Intel vPro technology based PCs from the Symantec Altiris Client Management Suite, and most had fun in the process! Check out the highlights from the Challenge.




1 Comments Permalink Tags: altiris, client_management, vpro, symantec, managefusion, competition, vpro_challenge
Click to view jlvb's profile
2

Sometimes within Intel Marketing, we're told that our description of Intel Centrino with vPro technology or Intel Core 2 with vPro technology is a bit lengthy. Therefore, while at ManageFusion, we asked Intel customers as well as technical experts from Intel and Symantec to give us their best, most concise acronym that best describes Intel vPro Technology. Listen to their responses below.


2 Comments Permalink Tags: altiris, amt, vpro, client_management, symantec, centrino_pro
Click to view jlvb's profile
0

While at ManageFusion, Intel had an opportunity to talk with four leading Symantec Service Integrators who have started deploying and activating PCs with Intel vPro technology within their customers' environment.

In the video below, listen to their thoughts on:

  • When to activate Intel vPro technology
  • How Intel vPro technology seamlessly compliments the Symantec Altiris Client Management Suite
  • How Intel vPro technology delivers on the promise of Wake-On-Lan by being both much more secure and more reliable
  • Thoughts on increased customer service levels and return on investment with Intel vPro technology

0 Comments Permalink Tags: centrino_pro, amt, altiris, vpro, symantec, service, integrators
Click to view joelsmith's profile
1

Remote Configuration is the zero-touch configuration mechanism that allows Intel vPro AMT systems to be setup for AMT management without any manual intervention. This article covers the Best Practices for setting up Remote Configuration and using the Out of Band Delayed Provisioning Task to remotely and automatically provision systems for use within the Altiris infrastructure.

Introduction

In an ideal environment, vPro systems will automatically Provision without any interaction with the Administrator, allowing the versatile and robust functionality of AMT to be available immediately out of the gate. In this article we'll cover how to setup just such a scenario, but also how to use Out of Band Management's Delayed Provisioning Task to ‘kick-start' any AMT system that is no longer sending out configuration requests. Reasons for this need include:

  1. The system is powered on in a location that does not have access to the Provisioning Server
  2. The system is unable to be Provisioned due to changing identities while being setup in its Fully Qualified Domain Name (FQDN)
  3. The IP Address changes during the Provisioning process and the Provision Server is unable to contact it back to Provision

Remote Configuration

Remote Configuration uses a certificate-based authentication model with preloaded certificate hashes to allow quick and automated process to Provision the AMT systems in the environment. The certificates require a vendor-certified cert from Verisign, GoDaddy, Komodo. While you can set your own cert and load your own hashes in the firmware of AMT systems, it turns the ease of Remote Configuration into a cost, whether by having the OEM load the proprietary cert for a fee, or requiring a configuration step to load the hashes manually into the firmware.

Certificates

The firmware will already contain the hashes for Verisign, GoDaddy, and Komodo certificates (more vendors will be added in later versions of AMT). Server-side certificates need to be loaded and registered on the Provision Server, and within Out of Band Management on the Altiris Notification Server. Please see the following article for more information on Remote Configuration:

http://juice.altiris.com/article/3866/frequently-asked-questions-about-remote-configuration

For a specific reference for what items are required, review the section labeled:

What core items MUST be defined in the provisioning certificate?

Also look at the section pointing to how to acquire a certificate (other links):

What resources or guidance are available for acquiring one of the core external certificates?

Additional information:

The Provision Server must be registered with DNS, accessible by the Intel AMT device via a CNAME value of ‘ProvisionServer' pointing to the IP address of the Notification. Note that in a multi-domain (including root-child domain infrastructures) multiple CNAME entries must be setup to include the suffixes to include all network segments the server will be managing.

The Provision Server requires a certificate with the appropriate OID or OU detailing directions to a certificate Authority (CA), which CA must have a root certificate hash stored on the Intel AMT Systems. The OID must be of the type ‘Server Authentication Certificate' with the Intel setup extension: 1.3.6.1.5.5.7.3.1, 2.16.840.1.113741.1.2.3, OR, the OU value in the Subject field must be "Intel(R) Client Setup Certificate".

The Subject CN must be either the fully qualified domain name (FQDN) of the platform running the service (example: Provisionserver.symantec.us), or the domain suffix of the platform (example: *.symantec.us.com or *.symantec.com).

Remote Configuration Process

The following process documents how the Remote Configuration Process works. This high-level overview will be referenced in the subsequent sections covering Delayed Provisioning. The following process assumes that the AMT System can reach the Provision Server and won't change identity through typical setup methods such as imaging or configuration scripts that changes the FQDN and/or Hostname of the system (including adding the system to a Domain).


The following steps must be completed before Remote Configuration will work in the environment. They are detailed with step-by-step processes in the Out of Band Management 6.2 Administrator's Guide, located here: http://www.altiris.com/upload/outofbandrefsep18.pdf

  • Setting up Intel AMT using Remote Configuration - Page 44
    • Certificate provider - Page 44
  • Preparing a Certificate Template - Page 45
  • Issuing a New Template - Page 46
  • Preparing a Certificate Request - Page 47
  • Acquiring a Certificate from an External Certificate Vendor - Page 48
  • Installing the Remote Configuration Certificate - Page 48
  • Loading the Certificate into Intel SCS - Page 49
  • Enabling the Remote Configuration Feature - Page 49

Note that not all the sections need to be accomplished depending on what method you use. If you're creating your own certificate:

  • Preparing a Certificate Template
  • Issuing a New Template
  • Preparing a Certificate Request

...should be used. Otherwise use the ‘Acquiring a Certificate from an External Certificate Vendor' section, including the previous links provided on the subject, should be consulted. Remember this is the recommended method since it requires no special processes to be in place to ready the AMT systems for Provisioning.

Delayed Provisioning

The purpose of Delayed Provisioning is to Provision those systems that failed the original Provision attempt. The includes failure at any part of the Remote Configuration/Provisioning process. Failure points include:

  • Hello Packet does not reach the Provision Server during the 24-hour period hello packets are sent
  • The IP Address changes after the Provision Server initially receives the hello packet and hasn't sent down a profile to complete the provisioning process
  • The FQDN changes, forcing an IP Address change from DHCP so when the OS is up, the Provisioning Server can't reach the system
  • The Provision Server is unable to complete the process due to a number of causes, including network access problems, firewalls, subnet locations, etc...

The following items must be in place for Delayed Provisioning to work:

  1. AMT System must be in Setup Mode (pre-provisioned). This means the system must be in the state where it is using Remote Configuration and will use the provided hashes.
  2. The system must have a functioning Windows Operating System.
  3. The Altiris Agent must be installed and functioning within the OS.
  4. The Out of Band Task Agent must be installed within the Altiris Agent.
  5. The Delayed Provisioning Task must be enabled to target the AMT systems in question.

Delayed Provisioning Process

The following process details how Delayed Provisioning works from start to finish. In essence the process ‘kick starts' the hello packet process, allowing the Provision Server to receive fresh data on the system, allowing it to properly contact and provision it. The following diagram shows a high-level view of the Delayed Provisioning Process:

delayedprovisioning.jpg

Full steps:

  1. The AMT System must be in Remote Configuration setup mode. This is the default mode for AMT 2.2, 2.6, and 3.0.
  2. Install the Altiris Agent on the system. Check the Notification Server reference guide for methods.
  3. In the Altiris Console, go to View > Solution > Out of Band Management > Out of Band Discovery.
  4. Enable the Out of Band Discovery Policy. This will help with the Provision process after the Delayed Provisioning Task executes.
  5. Now go up a level and browse down into Out of Band Task Agent Rollout.
  6. Add the collection: Non-Provisioned Intel® AMT Computers to the Policy by clicking on the Collections listed under ‘Applies to Collections' and browsing to it under ‘Out of Band Management', ‘Provisioning'.
  7. Enable the Out of Band Task Agent Install Policy.
    oobagentinst.JPG
  8. Browse in the Altiris Console under View > Solutions > Out of Band Management > Configuration > Provisioning > Delayed Provisioning > and select the ‘Delayed Provision' Task.
  9. Concerning the options:
    1. Override OTP: - If you don't want to use a random AMT password, check this option.
    2. Switch to AMT: - Unless you're using ASF and want to keep using it on those computers that have it enabled, check this option.
    3. Ignore intermediate errors: - Don't check this option unless there's a reason to ignore DNS and OTP errors.
  10. Leave it on a Daily Schedule. Systems that run this and provision will drop out of the collection and not run the policy again.
  11. Enable the Policy.

Once the above steps have been completed, the process should be automated as long as steps 1 and 2 are met. The collections will properly target each system so that the right steps occur in the right order.

Conclusion

The Delayed Provisioning Task allows an administrator to catch those systems that have not provisioned due to a number of reasons. This allows the systems to get provisioned in a targeted fashion, and if properly configured make it completely automated. As of version 6.2 of Out of Band Management, this only applies to provisioning by Remote Configuration. Please check these other articles for details on how to provision systems if not using Remote Configuration:

http://juice.altiris.com/article/3612/using-intels-rct-tool-restart-amt-hello-packets-enterprise-provisioning

Lastly, this process does not touch on certificates used to encrypt AMT management traffic. This is the TLS option set in a Profile for any communication after the AMT system has been properly setup and configured. The certificate obtained for Remote Configuration is only for the Setup and Configuration process (also known as Provisioning).

1 Comments Permalink Tags: altiris, symantec, amt, centrino_pro, vpro, out_of_band_management, delayed_provisioning, remote_configuration
Click to view josh.hilliker's profile
2

Have you seen this? if you have I bet your wondering why.. This error can be seen during a SOL session with Altiris when there is a BIOS password set on the notebook.


Altiris uisng SOL with HP VT100.JPG

Recently out on a visit we found this error & were checking between a known good system.

We did a little research and saw that default for Terminal Emulation Mode was set to VT100 through the BIOS, instead of using the tool that HP has for windows. After we returned to the plant we used the tool to snap these pixs of the BIOS.

HP Default- VT100.JPG

After changing the Terminal Emulation Mode to ANSI we were able to achieve this.. HP BIOS changed to ANSI mode.JPG

of course after the change the new option was selected "ANSI"..

This is the right result you should see..

Altiris uisng SOL with HP ANSI.JPG

Success!! give this a shot if you are using a BIOS Password on a HP 2510P with Altiris..

2 Comments Permalink Tags: altiris, manageability, vpro_expert_center, josh_hilliker, troubleshoot
Click to view Frank Engelman's profile
0


The Norton Backup Exec looks very promising as a receovey tool now that it uses WinPE...Maybe we can take a recovery point and convert to VMware or MS VM image- possibly use this as temporary system for users while their system is being worked on?

The Altiris CMS version 7 (beta) integrates many of the Norton suite features- of interest to me was the choice of PCanywhere, RDP OR VNC as a remote control

Symantec announced at the event that they purchased AppsStream and plan to intogetrate it into Altiris NS.

The next gen Ghost product includes many new features including Ghconfig, which can be used to rename a system.. this may be useful for easily renaming waterfalled (hand me down) systems...

0 Comments Permalink Tags: altiris, centrino_pro, client_management
Click to view Frank Engelman's profile
2


There were two sessions at ManageFusion 2008 in saving energy on clients in the corporate environment. Almost all hands when up when the question was asked "How many of you have a corporate initiative for green IT?"

HP is pursuing a "top down" power management tool from Verdiem Surveyor for the corporate environment as well as a "bottoms up" tool (HP Power Manager" for installation on clients that lets employees see the actual $ impact of their energy savings using a simple slider bar. I will post the HP link for the client too