Intel vPro Expert Center Blog

84 Posts tagged with the amt tag 1 2 3 ... 6 Previous Next
Click to view joelsmith's profile
0

The primary key of identity for an AMT computer is its Fully Qualified Domain Name (FQDN). One of the essential parts of the setup and configuration process (Provisioning) is when Altiris attempts to map a valid FQDN inside the IntelAMT database. This article covers how to handle FQDN issues, including ways to correct invalid entries, the best method to avoid the issues, and how it all works. If you're using Altiris Out of Band Management for provisioning, this is a must read!

Introduction

The two key identity items for vPro are the UUID (Universally unique Identification) and the FQDN. The UUID is contained within the hello packet sent by AMT, but the FQDN is not held within AMT without Provisioning. This means it is up to Altiris to acquire the system's FQDN. While this may sound simple, the problems arise when the system is in its setup process, whether prepping or being imaged, having software and scripts rolled out to provision and join the system to the domain, including when its final identity on the Domain and network are established and it received a new IP Address.

Preferred Provisioning method

For specifics I'll refer to the Best Practices document, but for the general steps to be followed specifically for the FQDN I'll provide the steps below.


LINK: http://juice.altiris.com/article/2810/best-practices-configuring-intel-vpro-capable-system-within-symantecaltiris-vpro-toolki


  1. Image the system with the Operating System, including any post-imaging work to get the system configured. This includes rolling out software or scripts.
  2. Join the system to the Domain after it has its rightful identity. The computer name should be set. When the computer is joined to the domain, this will provide the valid operable FQDN.
  3. Install the Altiris Agent on the system. This provides the information for the FQDN in the Inv_AeX_AC_Location table.
    NOTE: If the Altiris Agent was part of the image, make sure the system sends Basic Inventory again after the system has been joined to the network to ensure we have the valid FQDN within the Altiris database.
  4. Ensure the Out of Band Discovery package is enabled and configured via the collection to go to all machines.
    NOTE: This step is essential because OOB Discovery will pick up the FQDN from the Basic Inventory and map it in the IntelAMT database. This screenshot shows where the data is located:
    OOBCapACLocation.JPG
  5. Now if the hello message was sent before the above steps were completed, normally it will recover as long as the process completes before 24 hours have passed. 24 hours is the period of time the hello packets will be sent from the client. AMT will continue to send hello packets throughout the period UNTIL it is fully provisioned. This helps reestablish connection if the IP Address changes in the middle of the Provisioning process and the Server can't connect back up to the remote AMT system.

Preferred Provisioning Settings

Not all settings within Out of Band are FQDN friendly. The following items affect how Out of Band Management approaches provisioning.

  1. Resource Synchronization - Make certain this is enabled! A Disabled Resource Synch policy will halt Provisioning, greatly increasing the change for FQDN problems when it is finally enabled.
  2. Use DNS IP resolution to find FQDN when assigning profiles - This option, under the Resource Synchronization policy, is typically unreliable. While this option allows for bare-metal provisioning or Agentless provisioning, it also is at the mercy of the DNS and DHCP environment. It is highly recommended NOT to use this option unless you fully trust your DHCP and DNS environment. Factors to consider are:
    1. IP Lease times - The lease times afforded systems may be short, increasing the possibility that when OOB fetches the FQDN via IP the lease will have expired and the wrong FQDN will be mapped.
    2. PXE or other auxiliary boots - Often these types of systems will obtain a different IP address from DHCP as their identity is not the same as when the system is booted to the OS.
      ResourceSynchronizationOOB2.JPG
  3. Intel AMT 2.0+ to Profile - This option allows a default Profile to be setup for Provisioning. Make sure you've created a default profile and set it in the Resource Synchronization policy. Without a profile Provisioning will not occur.
  4. Intel AMT requires authorization before provisioning - Under the General node within Provisioning, this option stops provisioning from occurring. The profile will not go down to the system until the system is selected, using the right-click to choose ‘authorize'. This can aggravate FQDN problems by delaying full provisioning.

FQDN Fixes

Invalid FQDN in IntelAMT

The first issue stems from a variety of causes. The issue is that in the IntelAMT database, shown under the Intel AMT Systems node under Provisioning for Out of Band Management, the FQDN is invalid. The causes vary, but here are a few we've seen:

  1. Reverse DNS IP Lookup is enabled - Unless your DHCP and DNS environment are rock solid, often IP Address leases expire, and other systems pick up the IPs that the AMT systems originally sent the Hello message with. When this occurs, the wrong FQDN is mapped.
  2. IP Leases short - Often the IP Lease length can create a problem acquiring the correct FQDN. This can especially have problems with TLS as the FQDN is part of authentication using certificates.
  3. FQDN is incomplete - When a system is in setup mode, sometimes the mapped FQDN is not part of a domain, resulting in the Host Name only being set as the FQDN.

IMPORTANT! When the FQDN is invalid in the IntelAMT database, Resource Synchronization can have troubles matching resources with their correct counterparts in the Altiris database. Because of this, duplicates can emerge. If the checkbox in Resource Synchronization labeled: ‘Remove duplicate Intel AMT resources from Notification Server database' is checked, managed resources can get deleted from the Altiris database!

FQDN has Changed

Another not-uncommon occurrence is when a system changes identity. This can occur in a variety of ways, including:

  • The system has been reimaged
  • The computer name has been changed
  • The computer has been migrated to a new Domain
  • The system has switched subnets, resulting in a new FQDN

Regardless of the method, changing the FQDN on the system does not change it in the Intel ME or AMT firmware, and also does not change it within the Intel SCS component database (IntelAMT). When these are not synched up, it can cause problems when you need to manage the system via AMT when the computer is booted to the operating system. This particularly has problems when TLS is enabled and the provisioned certificate no longer matches the FQDN in Windows.

Issues Resolution

Since the Altiris Agent sends Basic Inventory daily by default, the Altiris database usually has a valid FQDN on record in the Inv_AeX_AC_location database table. We can run a query that will capture the correct FQDN from the Altiris database and insert it into the IntelAMT database, correcting any duplicate or invalid FQDN entries. This is the first step. The second step is to update the FQDN within AMT on the local systems. The following processes walk you through the resolution:

Update IntelAMT from Altiris

  1. Open up SQL Query Analyzer or Microsoft SQL Server Management Studio.
  2. Open a Query window within the database instance that contains both the Altiris database and the IntelAMT database.
  3. Run the following query, though for testing purposes you can omit the line ‘COMMIT TRANSACTION until you can verify the operation completed as expected. Once validated, run COMMIT TRANSACTION to complete the process:
    BEGIN TRANSACTION
    UPDATE intelamt.dbo.csti_amts SET fqdn = b.fqdn FROM (SELECT il.Fully Qualified domain name AS 'fqdn',
    REPLACE(oob.uuid, '-', '') AS 'uuid' FROM
    altiris.dbo.Inv_AeX_AC_Location il JOIN altiris.dbo.Inv_OOB_Capability oob ON
    oob._ResourceGuid = il._Resourceguid) b WHERE intelamt.dbo.csti_amts.uuid = b.uuid
    COMMIT TRANSACTION
  4. Done! The FQDNs now match between Altiris and IntelAMT.

Update FQDN on local AMT

  1. It is recommended to follow these steps in batches so as to not overwhelm the Intel SCS component. Perhaps run this against 100 systems at any one time, or run it against those systems you know have been updated. While it doesn't hurt to run this against systems that didn't have the FQDN changed from the above process, it is unnecessary if you are able to target those systems with invalid FQDNs.
    Note: This process assumes that the system can be reached via the SCS using the new FQDN supplied by Altiris. For TLS there may be complications we have not foreseen.
  2. In the Altiris Console browse under View > Solutions > Out of Band Management > Configuration > Intel AMT Systems > and select the Intel AMT Systems node.
  3. Select one or more systems you need to update the local AMT FQDN on.
  4. Right-click and choose the ‘Re-provision...' option.
    Re-provision.JPG
  5. Check the Action status node under Provisioning > Logs > Action Status for messages concerning the Re-provision attempts. You can also check the Log node for errors.
  6. Done! The systems, when reprovisioned, should have the correct FQDN planted by the IntelAMT database entry that was updated from the Altiris database.

Conclusion

Use this article to resolve your FQDN issues to ensure ATM functionality is available when it is needed. The above process has been verified, though all environmental potential issues have not been explored. It is advised to test the process in your environment before implementing on a wide scale.

0 Comments Permalink Tags: altiris, amt, centrino_pro, troubleshoot, fqdn, symantec
Click to view Ylian Saint-Hilaire's profile
0

As many of you may know, there are two ways of contacting Intel AMT: The remote network interface and the local LMS/HECI interface. These interfaces are very different; the remote interface that is available thru the wired and sometimes wireless Ethernet and is rich with features while the local Intel AMT interface is very limited. Intel AMT was designed this way from the start for security. Intel AMT acting as an IT agent on desktops and laptops could not be allowed to be meddled with by the local user or local applications that could try to use or deactivate Intel AMT. That at least was the original design intent.

Times have changed it seems and many users of Intel AMT don’t see local users and applications as being always hostile. There are many reasons why it would be very interesting to access all of the features of Intel AMT locally. For example

  • If the user changes the name of the computer is the OS, it would be nice to have a local agent sync up the Intel AMT network with the OS name automatically. This way, when the computer goes to sleep next, Intel AMT will report the correct new name.
  • Circuit breaker policies could be used as a local firewall implemented in hardware. Set it once and the gigabit network chip does all the filtering and counters at gigabit speeds.
  • On a mobile platform, wireless profiles could also be synched up automatically. The user adds a new wireless profile with a WPA key and this profile is automatically added to Intel AMT.
  • Enterprise provisioning of Intel AMT could be done entirely locally using local software removing the need for complicated centralized servers.

Instead of seeing the local user as hostile, the local application now cooperate to setup Intel AMT so that if something goes wrong, it’s ready to be used to recover the computer. All this and more would be possible if Intel AMT allows the local applications full access to all the remote interface features.

A local application can’t simply connect to TCP port 16992 or 16993 and access all of the Intel AMT features since the traffic has to flow thru the gigabit network interface. Connecting to 127.0.0.1 will not work, that will access the more limited local interface.

A solution is to use a reflection application like Intel AMT Reflector found in the Intel AMT DTK. This tool runs on a central always on server and simply reflects back all TCP connections back to the source on ports 16992 to 16995. Using this tool an Intel AMT console or even a web browser can connect to "http://reflector:16992" and log into its own Intel AMT remote services. However, there are issues with this solution: You need this reflector tool running and know where on the network it is running. Also, a rogue application could log into the remote interface and put an annoying circuit breaker policy to drop all packets, etc.

In the future, Intel AMT itself could be modified to allow all services on the local interface removing the need for the reflector. There are security considerations of course, but feedback from users of Intel AMT on this idea would be appreciated.

Ylian (Intel AMT Blog)
http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1391/Reflector.jpg

0 Comments Permalink Tags: ylian, intel, amt, dtk, reflector, local, remote, developer_tool_kit
Click to view joelsmith's profile
0

The Task Server contains AMT function tasks that give you the ability to integrate AMT functionality into Task Server Jobs. This allows you to use AMT in conjunction with Software Delivery, Scripting, and any other Task Server supported function. Understanding how to troubleshoot the AMT side of a Task Server job will help resolve issues so that AMT can be utilized. This includes the following technologies:

  • System Defense - Network Filtering
  • Reliable Power Management
  • IDE redirect for boot redirection

Introduction

This is the concluding article for the series: Troubleshooting the Altiris Manageability Toolkit for vPro Technology. The first four articles covered the setup and configuration of AMT systems, while parts 5 and 6 covered RTCI and RTSM respectively. This final article discusses troubleshooting the AMT integration into Task Server when issues arise.


As an introduction, the actual SOAP or API calls made to the AMT system is invoked through Real-Time Console Infrastructure, the same as when they are invoked through the Real-Time tab for RTSM. Though the calls are from the same place, how those calls are made differ. The following subjects will be covered:

  • Determining Cause of Failure
  • AMT Detection Issues
  • Authentication Issues

Determining Cause of Failure

Often you'll known the general symptom that tells you a job or task in Task Server didn't execute as expected. For example a power management task may have shown as run but the AMT system never woke up. A failure is not shown except deep within a series of status windows.


To determine the returned error, use the following steps. Task Server's actual failure code is buried deep in a series of status windows, as shown in the screenshot after the steps.

  1. Under the Task or Job that failed, double-click on the general status row for the specific execution attempt.
  2. If within a job, double-click on the line that represents the task or AMT function that failed.
  3. Note the numbers of successes versus failures. Click the ‘View Report' link.
  4. Now you'll get a grid with the status of the Task, including the status and return code, if present.

TaskServerStatusWindows.jpg

AMT Detection Issues

When Task Server reaches a Task that involves AMT, it makes direct calls to AMT in those systems targeted in the task or job. Detecting AMT and subsequently executing the scheduled function requires success at both junctures. The following sections discuss potential issues and solutions in this process.

Power State Unknown

One common problem we see is when a power management task fails due to the failure message: Generic error, FromState detected as unknown:14. This will cause the power action to fail. The causes vary, but the following list contains the most common:

  • System unreachable - The target system is not available on the network
  • AMT failed to be detected - See the subsequent section ‘AMT not detected'
  • Authentication failed - See the subsequent section ‘Authentication Troubleshooting'
  • AMT is unavailable - If a system is not provisioned, or AMT is not functioning on that system

Use the following process to determine what the issue is:

  1. If RTSM is available, try connecting to the target system using RTSM, specifying the same credential profile.
  2. If that fails, try manually putting in credentials until you find one that works.
  3. If Step 1 succeeds, try creating a different connection profile with only AMT functions provided.
  4. If no RTSM is available, still try the profile with only AMT functions to see if it works.
  5. Try other AMT functions, such as Collect Intel AMT Inventory to see if they succeed.
  6. If other functions succeed, try using another method to reboot the system to reset the power state stored in the Intel ME. One way to accomplish this is using the Task Server Power Management Agent to send down a standard reboot command to the PC.
  7. If no other AMT functions are successful, AMT might not be properly setup on this system. Ask the question: Has this system gone through the provisioning process?
  8. If unknown, use the Out of Band Discovery Task to see if AMT is available and to identify what state it is in. See the steps provided under the ‘AMT Not Detected' section following.
  9. If all else fails (generally this is on a system-by-system basis, rarely do a collection of systems encounter this level of this issue) try reprovisioning the system by fully unprovisioning and going through the provisioning process again.

AMT Not Detected

Normally a non-vPro system will receive the return code that AMT was not detected. This is accurate, but when it happens to valid managed vPro systems, the issue must be troubleshot to determine why the applying Task Server cannot detect AMT on the system. Out of Band Discovery is a great way to determine what state the system is in. Use the following steps to take stock of the systems:

  1. In the Altiris Console, browse to View > Solutions > Out of Band Management > Configuration > Out of Band Discovery > and select the ‘Out of Band Discovery' policy.
  2. Enable the policy if it is not yet enabled. If it is enabled, set a schedule to run the discovery again so you have updated information on your systems.
  3. On the AMT system in question, go to the Altiris Agent and bring up the Agent UI by double-clicking on the system tray icon or by launching C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe.
  4. Highlight the ‘Out of Band Discovery Package.
  5. Click the ‘Out of Band Discovery' link under Application Tasks.
    OOBDiscoveryRun.jpg
  6. Once completed, now check back at the server and double-click the system within a collection to bring up Resource Manager.
  7. Click on the Inventory tab and browse to Out of Band Management, and select the data class OOB Capability. This will give you the details of AMT.

If AMT is disabled, it needs to be enabled in the BIOS. A BIOS update from the vendor may provide you a remote way to enable AMT, by using Software Delivery for example. If it is all enabled, next check the provisioning status. Provision as necessary.

Authentication Issues

As with RTSM, Task Server uses the same basic authentication method when executing against a computer. Task Server also includes another option to add additional credentials to the execution to be used when contacting the protocol, which is AMT in this case.

Authentication Methods

Since RTCI controls the authentication, much of the same method is used whether the execution of an AMT command is issues from the Real-Time console or from Task Server, however there are some differences.

Runtime Profile - The Runtime profile contains he following information:

  • All known good credentials used to connect via RTSM to a system
  • The Intel SCS AMT password sent to systems when provisioning occurs
  • Previously successfully used credentials from past RTSM sessions
  • Previously successfully used credentials from a Task that succeeded

User-defined Profiles - Profiles can be created that specifically provide credentials for the four types of technologies:

  • WMI digest or Domain account
  • AMT digest or Kerberos-authenticated user
  • ASF digest or Domain account
  • SNMP community strings

Task-specified Credentials - When a user setups up a job or task, the user can specify specific credentials to be used when executing AMT-related functions through the profile interface. This option is per job or task, and applies to all AMT functions invoked during the job or task. The Interface allows this as shown in the following screenshot:

Task-newprofile.jpg

Authentication Troubleshooting

The following method will help identify issues and offer ways to work-around and solutions. These have been compiled through experience when troubleshooting issues with failed authentication with Task Server.

  1. First, how do you determine if your task or job is failing due to authentication? Use the previous section under Introduction labeled ‘Determining Cause of Failure'.
  2. In the Altiris Console browse to View > Solutions > Real-Time Console Infrastructure > Configuration > select Manage Credentials Profiles, or in the Task click the ‘Run Now', and on the subsequent page click on the pencil icon next to the credential profile being used.
  3. Where does the green checkmark fall? This is the default profile that will be used when connecting via a Task Server task.
  4. Create a new profile by clicking the blue + on the icon bar in the right-hand pane.
  5. Under the Intel® AMT tab check the box ‘Enable this technology in the profile'.
  6. Supply the admin user credentials set when the managed vPro systems were provisioned.
  7. Under the WMI tab also check the box as above and provide a user that has admin privileges to the target system.
  8. Give the profile a name and then save it.
  9. Back at the main screen check the box under the ‘Default' column until the green check-mark uses your new Profile, or if you are in a job interface select the profile to be used for the run. Note that this does not require you to make it the default profile, allowing another profile to remain the default credentials.
  10. Run the task or job to see if the authentication failure has been resolved.
  11. If it is not, try rerunning with the Runtime Profile. This contains all known good authentication attempts to the system from either Task Server or RTSM.
  12. In one case we supplied only AMT credentials in the Profile which allowed it to authenticate to AMT while a multiple protocol authentication profile failed. If your Task or Job does not contain any of the other protocols, this is recommended.

Conclusion

This concludes the Troubleshooting article series for the Altiris Manageability Toolkit for Intel vPro Technology, version 6. While this doesn't cover all issues, it should resolve most of the common issues we've seen.

0 Comments Permalink Tags: altiris, amt, centrino_pro, vpro, troubleshoot, symantec, task_server
Click to view joelsmith's profile
1

Formerly known as Web Admin for Windows, Real-Time System Manager provides a powerful set of functions for IT specialists. In part 5 of this article series we covered the main points for Real-Time Console Infrastructure troubleshooting. As a natural extension of RTCI, Real-Time System Manager troubleshooting is covered in this article as part 6. With an emphasis on credentials and connection methods, this article provides information to overcome the most common issues seen when using the Real-Time tab for direct, one-to-one computer interaction.

Introduction

Real-Time System Manager provides a powerful tool for directly connecting to a system agentlessly with functionality available through WMI and Intel AMT. This article covers the issues associated with general functions seen with both technologies but with emphasis on the AMT functions. The following sections cover areas of troubleshooting:

  • Connection Issues
  • Authentication Issues
  • IDE Redirect (IDER)
  • Network Filtering

Connection Issues

Under the current architecture the FQDN is the primary method for connecting and authenticating to AMT on remote systems. If the FQDN the Real-Time tab is using does not resolve in DNS, then AMT connectivity and thus functionality will not be available. FQDN connectivity issues are the number one issues we see with RTSM connections to AMT.

Invalid FQDN

To view what FQDN the Real-Time is using, use the ‘Hardware Management' node in the RTSM tree. The following screenshot shows what AMT is using:

RTSMfqdn.jpg

In this example my system is in a workgroup and reported only the hostname as the FQDN, which DNS had no trouble resolving. If this fqdn is not reachable via DNS, we won't be able to connect to the AMT functionality.

NOTE: We use several methods, including IP address, for WMI. WMI functionality may show correctly when AMT is absent in this situation

Use these steps to see the FQDN is the issue:

  1. Open the Real-Time tab for the AMT system you are managing.
  2. Once the tree loads, open the Real-Time System manager folder, open Administrative Tasks, and click on ‘Hardware Management'.
  3. Once the page loads, if AMT is missing as an available technology, take note of the name displayed as in the screenshot above.
  4. Go to Start, Run, type in cmd, and click OK.
  5. Type in nslookup <name displayed>. In the above example it would read:
    1. Nslookup dellvpro
  6. Can DNS resolve this address? If no, we'll need to fix the issue in one of the following ways.
  7. FIX DNS and/or the Altiris record: If DNS can be fixed, this is the preferred method. The difficulty is finding out why the Altiris Agent reported the incorrect record. Once DNS is fixed, have the Altiris Agent run Basic Inventory. The table location we pull this out of for management in RTSM is Inv_AeX_AC_Location, column: Fully Qualified Domain Name.
  8. Use the ‘Manage' node available in RTSM (see the below screenshot): By putting in the IP address of the system, we'll use the IP to lookup the FQDN and not make any assumptions.
    Manageshortcut.JPG
  9. Update the Servers HOSTS or LMHOSTS files to contain the mapping to the invalid name. For example find the LMHOSTS file, edit it and add a line <IP ADDRESS> <FQDN>, as in this example:
    1. 10.10.10.1 Dellvpro

Real-Time unable to connect

If WMI and AMT functions are unavailable, you'll get a message when you click on the Real-Time tab indicating that the functionality isn't available. See the following screenshot:

NoRTSMavailable.jpg

Note: If you use another product such as Dell or HP's plug-ins to this tab, you'll simply not have the ‘Real-Time System Manager' node underneath Real-Time Consoles.

The number one reason this occurs is due to a firewall being engaged. Firewalls need to allow AMT traffic through. If a firewall is enabled, use the following details to resolve the AMT issue:

  1. Create an inclusion in the firewall properties.
  2. Allow the following ports, based off your environment:
    1. 16992 - For non-TLS encrypted traffic - if you are not using TLS this is the port that will be used for communication
    2. 16993 - For TLS-enabled, encrypted AMT traffic - If https is required for communication with AMT, this port will be used
    3. 16994 - For a note, AMT provisioning uses this port for sending out the ‘hello' packet during the configuration process - this will be used if you initiate a reprovision from RTSM
  3. Another options is to disable the firewall when you need to manage the system via RTSM.
  4. Unfortunately WMI has a known issue with the Windows firewall where the dynamic ports WMI uses after initiation will be blocked. It's a bug in WMI that has been addressed in Vista. Previous Operating Systems do not have a resolution at this time.

The other issue we've seen is where the system is simply unavailable for one reason or another. AMT is available if the system is off but still connected to the network, but WMI or if the system is unplugged from power or off the network RTSM obviously cannot function. Verify that the system is available if nothing resolves this issue.

Authentication Issues

Another common issue concerns authentication to the system via the Real-Time tab. First, let me discuss the methods RTSM uses to authenticate to a target system.

Authentication Methods

Runtime Profile - The Runtime profile contains he following information:

  • All known good credentials used to connect via RTSM to a system
  • The Intel SCS AMT password sent to systems when provisioning occurs
  • Previously successfully used credentials from past RTSM sessions

User-defined Profiles - Profiles can be created that specifically provide credentials for the four types of technologies:

  • WMI digest or Domain account
  • AMT digest or Kerberos-authenticated user
  • ASF digest or Domain account
  • SNMP community strings

Manually entered credentials - When RTSM tries to connect, if the default profile set in the RTCI configuration fails to authenticate, the left-hand tree will still load but each node will prompt the user for credentials. A user can put in an AMT account, Domain user, or digest user that has rights on the target system. When authentication succeeds, these credentials are then stored in the Runtime Profile for the target system.

Troubleshooting Authentication

The following method will help identify issues and offer ways to work-around and solutions. These have been compiled through experience when troubleshooting issues with failed authentication with RTSM.

  1. In the Altiris Console browse to View > Solutions > Real-Time Console Infrastructure > Configuration > select Manage Credentials Profiles.
  2. Where does the green checkmark fall? This is the default profile that will be used when connecting via the Real-Time tab.
  3. Create a new profile by clicking the blue + on the icon bar in the right-hand pane.
  4. Under the Intel® AMT tab check the box ‘Enable this technology in the profile'.
  5. Supply the admin user credentials set when the managed vPro systems were provisioned.
  6. Under the WMI tab also check the box as above and provide a user that has admin privileges to the target system.
  7. Give the profile a name and then save it.
  8. Back at the main screen check the box under the ‘Default' column until the green check-mark uses your new Profile.
  9. Test to see if this new profile is successful. Note that you'll need to launch IE fresh to use the new settings.
  10. If it is not, try entering credentials in manually when you hit the system under the Real-Time tab. See the screenshot below for the connection icon to switch between WMI and AMT authentication. If two show in this area, both technologies are available but not authenticated.
    RTSMconnectiontype.jpg
  11. In one case we supplied only AMT credentials in the Profile which allowed it to authenticate to AMT while a multiple protocol authentication profile failed.
  12. Check the collection you are launching Resource Explorer from. Sometimes the identity of the system is incorrect. For AMT you can launch RTSM from the Provisioned collections populated with the Resource Synchronization.

IDE Redirect (IDER)

IDE Redirect allows a system to be remotely booted to a file, drive, or virtual disc. There are a number of potential issues to be aware of when working with IDER in a vPro environment. The below items include well-known issues and their resolutions.

Redirection Invalid Parameter

When initiating an IDER (IDE Redirect) session to an external source such as an .iso file, the following error appears in the console:


Power management operation failed.
Redirection session start has failed. See logs for more details.

The Notification Server log shows the following error:

Log File Name: C:\Program Files\Altiris\Notification Server\Logs\a.log
Priority: 2
Date: 3/9/2007 2:51:05 PM
Tick Count: 10617218
Host Name: <>
Process: w3wp.exe (2436)
Thread ID: 5412
Module: AltirisNativeHelper.dll
Source: RTCI.Trace
Description: RedirectionProvider::StartIDER - RedirectionProvider::StartIDER - IMR_IDEROpenTCPSession: IMR_RES_INVALID_PARAMETER

This is caused by Intel's redirection library requiring a correct floppy device to initiate an IDER session (either floppy image or real removable device). Real-Time System Manager 6.2 can work around this. If you put floppy.img file into Program Files\Altiris\RTSM\UIData folder, then the issue will not occur.

IDER or SOL Disabled

In some instances Intel vPro systems are arriving from the OEM with IDER and SOL disabled in the BIOS. When disabled, neither of these functions work from any management engine, including RTSM. Correcting this oversight is not easy, especially if the OEMs do not offer a solution by a firmware or BIOS update. Use the following method to resolve the issue:

  1. Go to the Support site for the OEM for the systems.
  2. Browse to the drivers and downloads section for the exact model (note that sometimes the model will differ based on possessing or not possessing vPro technology).
  3. Check the firmware updates for a new BIOS.
  4. Check the documentation for any new BIOS versions that include vPro to see if they've corrected this.
  5. Contact your OEM if they have not and request a status!
  6. The only other recourse is to develop an update yourself or manually update the settings by visiting the system.

Conclusion

This should account for the most common issues we've seen, and allow you to successfully use RTSM with AMT technology, avoiding those issues.

1 Comments Permalink Tags: altiris, amt, centrino_pro, intel, symantec, vpro, troubleshoot, real-time_system_manager, rtsm, rtci, notification_server
Click to view Ylian Saint-Hilaire's profile
0

Last week Intel sent me to Israel for an Intel only gathering of engineers, architects and specialists that work on Intel AMT. I was honored to attend and also to be a speaker taking about the progress made with the DTK. First of all, I want to thank all of the people in Intel Israel for making this trip a great success. I also got to hear about many DTK success stories and it all of the hard work worth it. I was especially surprised with the DTK’s success in Asia, but also all over the world. I am still not sure if it’s the tutorial videos, the translations or what.

In addition to the meetings, we had a great time visiting the old city of Jerusalem, the Dead Sea and later on my own the city of Elat and Petra in Jordan. I got some of the most wonderful pictures and uploaded some on Google servers here:

http://picasaweb.google.com/ysainthilaire/Israel200802


These pictures cover the 10 days of my trip, starting with the old city then me playing in the mud and floating in the Dead Sea and finishing with my visit to Jordan. Jordan was probably this highlight of this trip, there is something just odd about traveling in this vast desert and realizing that I was in the country that had a common border with Iraq. For most of us in the US, it seems so distant. The city of Petra in Jordon has unique sand stone carvings in the walls. Some people will also notice that the Indiana Jones movie was filmed at this location. Petra was named one of the new 7 wonders of the world and as a result got a surge in tourism. It’s a wonderful place, hot and laid back.


Most people travel by air from Jerusalem to Elat and Jordan, but I opted to take the bus. It’s a 4 and a half hour trip thru amazing scenery. It’s also inexpensive, about 12 to 15$ and much more convenient than by airplane. I will say that except for the bus, everything was very expensive in US dollars. It’s a shame the dollar is so weak, I don’t except to make many of these trips.


Last week was the holocaust memorial day in Israel and I happened to visit the Wailing Wall with some of my Intel co-workers just as 1000’s of people where attending a ceremony that was being broadcast live on TV. One of my pictures shows all the people at the wall.


The Dead Sea was really amazing, it’s so saturated with salt that you simply float. This sea is the lowest point on Earth I am told, it’s 1,378 feet below sea level. Your ears pop on the way there as the air pressure increases. As pressure increases so does the temperature which will often be 10 degrees hotter than Jerusalem. The Dead Sea is well known for the Dead Sea salts used as skin treatment. It also gave me a great excuse to play in the mud! You let it dry and wash it off to wonderful skin… but it’s also just loads of fun.


To sum it up, this 10 day trip was simply amazing. In addition to meeting many people who use the DTK, I also got to see and experience some unique places I will never forget.


Ylian (Intel AMT Blog)

0 Comments Permalink Tags: ylian, travel, intel, amt, dtk, commander, israel, jordon
Click to view mprimros's profile
1

I've been getting quite a few questions recenly regarding provisioning. Many folks are confused when it comes to what type of provisioning works with which versions of AMT and I'm hoping that this post will help to clear up some of that confusion.

Currently, there are two types of provisioning, PKI (Protected Key Infrastructure) and PSK (Pre Shared Key). For those who are not familiar with what is involved with these two types of provisioning, PKI involves using a formatted provisioning certificate in order to establish a trust relationship between the AMT client and provisioning server where PSK uses a PID/PPS key pair to establish the trust for provisioning. There is quite a bit of documentation regarding how to setup PKI and PSK provisioning in the deployment documents for AMT, so I won't go into that detail here. What I'd like to cover here is what are the differences between these types of provisioning and which versions of AMT use which types of provisioning.


First, lets cover the different types of provisioning and a brief overview how each of them work.

PSK provisioning uses a Pre Shared Key to encrypt the provisioning process. In order for an AMT client to use a Pre Shared Key, however, the MEBx must first be programed with the correct key. This can be done in either one of two ways, manual entry or via a setup.bin file located on a USB thumb drive.

Manual entry is just that, a user must access the MEBx and manually type in the characters for the PID and PPS and any other settings that are required in order to get provisioning to work (system name, password change, etc). Once the user saves the changes to the MEBx, AMT starts sending out 'hello' packets to the provisioning server to start the provisioning process. This method is the most straight forward but is also the most time consuming, especially when attempting to deploy many systems at the same time.

USB thumb drive provisioning shortens the PSK entry process by using a formatted setup.bin file located on a USB thumb drive that can hold many PID/PPS pairs as well as password change information for MEBx. This key is then used on each system as it boots up to load the PSK information into MEBx. When the system boots, ME detects that a setup.bin file is located on the USB key and, if AMT isn't provisioned already, will prompt the user if they would like to load the provisioning information from the USB key. If the user confirms the request, then ME loads the first available PID/PPS entry into the PSK settings as well as changes the password for MEBx to the password set in the file. ME then marks that entry in the setup.bin file as used and reboots the system. Once rebooted, AMT starts sending out 'hello' packets using the PID/PPS pair. This method is better than manual entry, but only barely. This still requires a user to be at the system and to interact with the process.

PKI provisioning is split into two different types of provisioning as well, Bare Metal and Agent Based/Delayed provisioning.

Bare metal provisioning is where the factory settings in AMT are set at the OEM/System Integrator so that as soon as power and a network connection are applied to the system, then AMT will send out 'hello' packets and provisioning starts. If provisioning doesn't happen right away the provisioning period will continue for 24 hours, sending out 'hello' packets at a decreasing rate, after which AMT goes into delayed provisioning mode. This method of provisioning greatly improves the time savings from a deployment aspect by enabling many systems to be provisioned with minimal interaction from deployment personnel. This method works well when using a 3rd party trusted certificate that is natively supported in AMT (Verisign, GoDaddy, etc).

Agent based/delayed provisoining is where either the 24 hour provisioning period has expired without a successful provisioning transaction or, due to the AMT version, AMT requires an in-band agent or tool to start the PKI provisioning process. In order to start agent based/delayed provisioning the agent or tool sends a command down through the HECI driver in the host OS and tells AMT to start sending out 'hello' packets to the provisioning server. In addition, some basic configuration settings can also be sent to AMT in order to get it ready for provisioning (enable AMT, set PKI provisoining, etc). This method of provisioning tends to be the most reliable. Again this works best when using a 3rd party trusted certificate that is natively supported in AMT but in addition you gain the benefits of having an in-band agent that is able to assist the provisioning process by providing the provision server in-band information that helps keep the out of band aspects of AMT synced with the in-band host OS. Configured correctly, provisioning AMT with the assistance of an in-band agent can make the entire provisioning process hands free for deployment personnel.

Lastly, I want to touch on how each of these provisioning processes relates to the different AMT versions. Different versions of AMT support different types of provisioning. AMT 2.0, 2.1, 2.5 only support PSK provisioning. AMT 2.2 and 2.6 support PKI provisioning (as well as PSK) but only agent based PKI provisioning. AMT 3.0 and higher versions of AMT support bare metal PKI provisioning (as well as agent based/delayed PKI and PSK provisioning). A common utility used to accomplish agent based provisioning is the RCT (Remote Configuration Tool).

Provisioning is a very complex topic and what I've touched on here is really just the tip of the iceburg when it comes to understanding the intricacies involved. I hope I've provided more answers than questions, but if there is something you still don't understand, feel free to comment and I'll try to clear it up!

Thanks,
Matt Primrose

1 Comments Permalink Tags: amt, provision, pki, psk, pid, pps, certificates
Click to view miroyer's profile
2

Much of the recent news around Microsoft System Center has been focus on the upcoming release of Microsoft System Configuration Manager SP1. However, did you know that MS System Center Operations Manager (SCOM) and System Center Essentials (SCE) also have support for vPro Client management through the use of the Intel Client Manageability Pack for SCOM & SCE?


First a little background...

What is MS System Center Operations Manager? SCOM is the third generation of Microsoft's monitoring solution. Operations Manager provides an easy-to-use monitoring environment that monitors thousands of servers, applications, and clients to provide a comprehensive view of the health of an organization's IT environment.


What is MS System Center Essentials? Microsoft System Center Essentials 2007 is a new management solution in the System Center family of IT systems management products. Essentials is specifically designed for IT professionals working in midsize businesses who often face IT challenges similar to those of larger enterprises - troubleshooting end user problems, automating management tasks, managing multiple systems, and diagnosing and resolving IT problems.

So where does the Intel Client Management Pack for SCOM and SCE fit in?

The Intel Client Management Pack for Microsoft System Center Operations Manager and System Center Essentials enables the users of these applications to take advantage of the advanced, hardware-based system management capabilities of vPro. These capabilities will help reduce the cost of discovering, managing and securing desktop and mobile PCs in the enterprise and thereby improving compliance with corporate policies. Information Technology support staff can now rapidly and remotely communicate with, power up, reboot, control, inventory assets, and remediate vPro capable clients even if the PC is powered off or the operating system is not functioning.


For more information and download of the Intel Client Manageability Pack for SCOM and SCE, please visit: http://softwarecommunity.intel.com/articles/eng/3681.htm

Matt Royer

2 Comments Permalink Tags: scom, sce, vpro, amt
Click to view joelsmith's profile
0

The ability to provide access to the Real-Time tab of Resource Manager will enable administrators to provide this valuable tool to IT specialists or Helpdesk workers. Furthermore the ability to configure access to certain functions within the console will allow administrators to grant or restrict what users can do with Real-Time System Manager. This includes WMI functionality as well as powerful AMT functionality.

Introduction


Your environment will likely have a unique set of requirements on who can access what in Real-Time System Manager. It can be as simple as two levels of workers, from an administrator to an IT Specialist, to a complex system of access rights in a multi-tiered environment tightly controlled. No matter the environment, this article provides the details to customize access to the Real-Time tab, including WMI and AMT access rights.


RTSM contains limited functionality to configure access via WMI. AMT, on the other hand, can be configured at a function-granular level. Whether you're simply trying to give users full access to RTSM, or to provide access to only certain functions, this document assists to achieve this.

NS Role Security


The first item that must be enabled is creating a role or modifying an existing role to have rights to Real-Time System Manager at the general level. Without assignment to such a role, a user cannot gain access to RTSM.

Overview


Briefly I'll explain how NS Role and Scope security work together in Notification Server. Roles give feature access rights. For example in Software Delivery Solution there's a role object labeled ‘Item Tasks - Software Delivery Wizard'. The two options allow use of the Simple or Advanced Software Delivery Wizard. Without this right, the user cannot launch the Software Delivery Wizard, regardless if they have scope rights to the Wizard and Status node in the console.


Scope security is much like the Windows File-System security model. In the Altiris Console the left-hand tree can be accessed like the file system, applying security to folders or to nodes, as opposed to folders and files. Inherence allows security to be inherited from the containing folder, on up the chain until the root node is reached.

Role Configuration


The following steps show how to create a user with RTSM permissions.

  1. In the Altiris Console, browse to View > Configuration > Server Settings > Notification Server Settings > Security Roles.
  2. Select an existing Role or Right-click on the Security Roles folder and choose to create a new Role.
  3. Under Privileges, find the following categories and check the indicated option. After the screenshot the items are details with description of the option:
    RTSMRole.jpg
    1. Altiris System Privileges - Use Real-Time System Management - This is the ability to use the product at the most basic and general level.
    2. Altiris Console Privileges - View Resources Tab - For this example I'm providing the user the ability to see collections so he or she can launch Resource Manager and use the Real-Time tab.
    3. Altiris Console Privileges - View Tasks Tab - Access to the ‘Manage' node allowing launch of Resource Manager requires this privilege.
    4. Item Tasks - Real-Time System Manager - Manage - This is access to the main tree for RTSM. Most functions are covered by this option.
    5. Item Tasks - Real-Time System Manager - Password Reset - Because of the nature of this function, it has been separated out as a single security role object in Notification Server but belongs to the Real-Time tree.
    6. Item Tasks - Real-Time System Manager - Port Check - The Port Check feature is normally accessed as a separate contextual item in the right-click menu, or launch from an icon under the Real-Time tab.
    7. Item Tasks - Real-Time System Manager - Trace Route - This is treated in the same way as Port Check.
    8. Item Tasks - Real-Time System Manager - Hardware Management - This is one of the objects in the tree that provides basic hardware function, which is greatly extended if the system is Intel vPro capable and Provisioned.
  4. Click the Membership tab.
  5. Use the blue + icon to add users and/or groups to the Role. These can be digest users or local computer groups, or Domain users or groups.
  6. Click Apply to save the Role.

Note: The users will not have access yet to the Altiris Console as the scope-level security has not been set for the new Role. Complete the below NS Scope Security section to give access to the Altiris Console

NS Scope Security

Altiris Console


For Altiris Console access, scope security must be configured before a Role can access or login to the console. The security window is the same for any node, be it a folder or otherwise. The two screenshots below show the security window and the permission selection screens:

SecurityProperties.jpg

http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1373/ActionPermissions.jpg

Note: Depending on the object type, the available permissions may differ


To allow access to the ‘Manage' Real-Time Console Infrastructure Task, follow these steps:

  1. In the Altiris Console, browse under View > Tasks > Incident Resolution > Tools.
  2. Right-click on the node ‘Manage' and choose Properties.
  3. Click on the Security tab.
  4. Click the ‘Add' button.
  5. Select from the list Role name of your role (+ie:+ Role RTSM Workers) and click the ‘Select' button.
  6. Check the option for ‘Full Control' and click ‘Select'.
    Note: Full Control does not give the user the ability to delete or otherwise manipulate the Manage node. This node can only be accessed for the function alone.
  7. Click ‘Apply' to save the security changes made.

To access Collections so the users of the role can view collections so they can use the RTSM right-click contextual menu options for a listed resource, follow these steps:

  1. In the Altiris Console, browse to View > Resources > Collections.
  2. Depending on what collections you want to give the user access to, browse to a containing folder or an individual collection.
  3. Right-click on the folder or collection and choose Properties.
  4. Click on the Security tab.
  5. Click the ‘Add' button.
  6. Select from the list Role name of your role (+ie:+ Role RTSM Workers) and click the ‘Select' button.
  7. Check the following options:
    1. Altiris System Permissions - Read
    2. Altiris Resource Management Permissions - Read Resource Data
    3. Altiris Resource Management Permissions - Read Resource Association
  8. Click Select, and then click Apply on the permissions window.

Now we have allowed the user access to certain parts of the Altiris Console so they can execute Real-Time System Manager on managed systems. To restrict access to certain parts of the RTSM console, see the previous Role section for what options are available to you.

AMT Permissions


RTSM takes advantage of powerful functionality available in Intel vPro, AMT technology. Once a user has access to RTSM, their user account, if permitted, is used to connect to the remote system by WMI. An AMT connection can either use Kerberos integration or an inputted digest user when prompted. The credentials must be specified in the destination system's AMT Profile, otherwise authentication will fail.


To configure who has rights to AMT, follow these steps:

  1. In the Altiris Console, browse to View > Solutions > Out of Band Management > Configuration > Provisioning > Configuration Service Settings > Provision Profiles.
  2. Double-click on an existing profile, or create a new one.
  3. Click on the ACL tab.
  4. Click Add to add either a digest user or to use Domain users and groups with Kerberos integration.
  5. Once a user is inputted, the ‘Realms' section allows or disallows access to different AMT functions. The boxes that are of importance to RTSM are:
    1. Circuit Breaker - Now known as System Defense, or Network Filtering
    2. Hardware Asset - For power management capabilities
    3. Redirection - To allow IDE Redirection
    4. Remote Control - Allows Serial Over LAN (SOL) remote connection
    5. Event Manager - Allows viewing of AMT logs
    6. General Info - Allows viewing of AMT data on the system
  6. The ‘Access Permission' dropdown should be used to select either Network Access or Any. The Local Access option gives that user rights to log into the Intel ME locally when the system boots and isn't needed for RTSM function, however if you wish to allow the user to have access to both, choose ‘Any'.
    AMT-ACL.JPG
  7. Click OK to save the changes.

To apply the updated or new profile to an AMT system Provisioning must occurred. If the system was already provisioned with this same profile previously, a reprovision will update the profile.


This will not limit access to see the functions available in the Real-Time tab for AMT, but will throw a not authorized message if an applicable function is attempted with a user who does not have the rights to execute it.

Conclusion


The Real-Time tab, a one-to-one solution for system access, data gathering, or troubleshooting, provides a powerful tool to IT administrators and IT professionals alike. Providing this ability to users you do not want to have full access to Altiris is essential for any secure environment. With the additional ability to configure granular AMT rights for vPro capable and configured systems, an administrator has the ability to get very specific on what users or groups of what rights.

0 Comments Permalink Tags: altiris, amt, rtsm, real-time_system_manager, intel, security, symantec, vpro
Click to view jlvb's profile
0

While at ManageFusion, we had Symantec Director of Strategic Alliances Kevin Unbedacht discuss how Intel vPro Technology enhances the Symantec Altiris Client Management Suite. He demonstrates the following hardware assisted use models with Intel vPro technology based PCs:

  • Power Management with Secure Power-On
  • Diagnose and Repair PCs Remotely
  • Isolate and Recover Infected PCs
  • Discover PC Assets


0 Comments Permalink Tags: altiris, centrino_pro, amt, system, defense, symantec, manageability, client, managet, suite, vpro
Click to view Ylian Saint-Hilaire's profile
0

I just posted a new YouTube video on my own Intel AMT 3.0 computer that runs under my television. It runs Microsoft Media Center, has 4 cores, 4 tuners, 4 hard drives, 3 Gigs of RAM, 2 DVD's... Certainly the most powerful computer I have ever owned. Most importantly, it has Intel AMT 3.0 using an Intel DQ35JO motherboard. This is very useful for me to work on Intel AMT Commander on my spare time and also to remotely manage my computer from anywhere in the world.

If you guys have your own computer project that runs Intel AMT, please let me know. Better yet, if you have pictures it would be great to share with the community.

Ylian (Intel AMT Blog)

0 Comments Permalink Tags: intel, amt, dtk, ylian, home
Click to view Ylian Saint-Hilaire's profile
0

I am glad you inform everyone that the Intel AMT DTK is back online and once again, my apologies for the interruption. Version v0.52x was released, with just a few fixes over the previously posted v0.51x. It's mostly the same as before, not many new features, but if you have experiences problems in the past, try this version.

Probably the area where the DTK is improving most is with general stability and WSMAN. When using Intel AMT 3.0, Intel AMT Commander and Intel AMT Outpost will use WSMAN instead of SOAP. Since all the calls are different, many new bugs showed up. As we get the benefit of more testing and feedback, the code keeps improving. Users can force Commander to use SOAP by going to the "View" - "Advanced properties". The second tab has a check box to remove using WSMAN first. WSMAN will of course still be used if Commander determines that WSMAN is the only available option.

Next week I am once again heading to Israel to meet with this Intel AMT firmware development team. Last year I had a pretty shaky flight over, something I had blogged about. Hopefully this year will be better. At Intel, this is going to be the ultimate meeting of everyone related to AMT, so I will get to meet some of the other people that post on the forums, and many of the people that I get the most complicated answers from.

Ylian (Intel AMT Blog)

0 Comments Permalink Tags: intel, amt, dtk, commander, release, wsman, soap
Click to view jlvb's profile
2

Sometimes within Intel Marketing, we're told that our description of Intel Centrino with vPro technology or Intel Core 2 with vPro technology is a bit lengthy. Therefore, while at ManageFusion, we asked Intel customers as well as technical experts from Intel and Symantec to give us their best, most concise acronym that best describes Intel vPro Technology. Listen to their responses below.


2 Comments Permalink Tags: altiris, amt, vpro, client_management, symantec, centrino_pro
Click to view jlvb's profile
0

While at ManageFusion, Intel had an opportunity to talk with four leading Symantec Service Integrators who have started deploying and activating PCs with Intel vPro technology within their customers' environment.

In the video below, listen to their thoughts on:

  • When to activate Intel vPro technology
  • How Intel vPro technology seamlessly compliments the Symantec Altiris Client Management Suite
  • How Intel vPro technology delivers on the promise of Wake-On-Lan by being both much more secure and more reliable
  • Thoughts on increased customer service levels and return on investment with Intel vPro technology

0 Comments Permalink Tags: centrino_pro, amt, altiris, vpro, symantec, service, integrators
Click to view joelsmith's profile
1

Remote Configuration is the zero-touch configuration mechanism that allows Intel vPro AMT systems to be setup for AMT management without any manual intervention. This article covers the Best Practices for setting up Remote Configuration and using the Out of Band Delayed Provisioning Task to remotely and automatically provision systems for use within the Altiris infrastructure.

Introduction

In an ideal environment, vPro systems will automatically Provision without any interaction with the Administrator, allowing the versatile and robust functionality of AMT to be available immediately out of the gate. In this article we'll cover how to setup just such a scenario, but also how to use Out of Band Management's Delayed Provisioning Task to ‘kick-start' any AMT system that is no longer sending out configuration requests. Reasons for this need include:

  1. The system is powered on in a location that does not have access to the Provisioning Server
  2. The system is unable to be Provisioned due to changing identities while being setup in its Fully Qualified Domain Name (FQDN)
  3. The IP Address changes during the Provisioning process and the Provision Server is unable to contact it back to Provision

Remote Configuration

Remote Configuration uses a certificate-based authentication model with preloaded certificate hashes to allow quick and automated process to Provision the AMT systems in the environment. The certificates require a vendor-certified cert from Verisign, GoDaddy, Komodo. While you can set your own cert and load your own hashes in the firmware of AMT systems, it turns the ease of Remote Configuration into a cost, whether by having the OEM load the proprietary cert for a fee, or requiring a configuration step to load the hashes manually into the firmware.

Certificates

The firmware will already contain the hashes for Verisign, GoDaddy, and Komodo certificates (more vendors will be added in later versions of AMT). Server-side certificates need to be loaded and registered on the Provision Server, and within Out of Band Management on the Altiris Notification Server. Please see the following article for more information on Remote Configuration:

http://juice.altiris.com/article/3866/frequently-asked-questions-about-remote-configuration

For a specific reference for what items are required, review the section labeled:

What core items MUST be defined in the provisioning certificate?

Also look at the section pointing to how to acquire a certificate (other links):

What resources or guidance are available for acquiring one of the core external certificates?

Additional information:

The Provision Server must be registered with DNS, accessible by the Intel AMT device via a CNAME value of ‘ProvisionServer' pointing to the IP address of the Notification. Note that in a multi-domain (including root-child domain infrastructures) multiple CNAME entries must be setup to include the suffixes to include all network segments the server will be managing.

The Provision Server requires a certificate with the appropriate OID or OU detailing directions to a certificate Authority (CA), which CA must have a root certificate hash stored on the Intel AMT Systems. The OID must be of the type ‘Server Authentication Certificate' with the Intel setup extension: 1.3.6.1.5.5.7.3.1, 2.16.840.1.113741.1.2.3, OR, the OU value in the Subject field must be "Intel(R) Client Setup Certificate".

The Subject CN must be either the fully qualified domain name (FQDN) of the platform running the service (example: Provisionserver.symantec.us), or the domain suffix of the platform (example: *.symantec.us.com or *.symantec.com).

Remote Configuration Process

The following process documents how the Remote Configuration Process works. This high-level overview will be referenced in the subsequent sect