The latest ROI study is about a call center that increased its efficiency rate by using vPro to decrease deskside visits.

 

Check it out: Improving Call Center Productivity

Coming Up:

Russ & Josh are hosting and their guest, Jeff Torello, is coming on the show! We'll be discussing the vPro Expert Training program & recently posted Activation training materials. Join us live!

When: April 7th @ 3:30 PM

Call-in Number: (347) 326-9831

http://www.blogtalkradio.com/openport

Here's the scoop, again, for those who haven't heard...

Hosted by Josh Hilliker & Russ Pam, this bi-weekly informal show will be covering a variety of topics and is a perfect avenue to get your questions answered. Listen in live, give your two cents, or just download the show after it has aired. Make sure not to miss out on this awesome opportunity to learn and engage with the vPro experts. Can't join us live? Have no fear, blogtalkradio lets you listen to the show whenever you have the time. Visit the Open Port Radio site (link is above) to hear previous shows and even catch a glimpse of what's to come!

 

Questions, comments, or concerns? Feel free to contact me.

 

Thanks,

Kelsey

Meet the Experts and Learn More About vPro at these Events!

 

Check out the new events page here:  Learn the Latest and Greatest on vPro(tm) at these Events!

 

I put up a new page last week on the vPro Expert Center to inform the community about places where they can meet the experts and get more information on vPro. You can get an overview of the event including location, dates, classes offered, and even links for registration to attend. So far I've got the following five events & more will be coming soon:

 

- Intel Developers Forum (IDF)

- ManageFusion 2008 Conference

- Intel Application and Desktop Virtualization Forum

- Stay Ahead of the Curve: Virtualization and Security Best Practices

- Microsoft Management Summit 2008

 

Hi all. I wanted to announce the release of the Intel AMT DTK v0.51 on the public web site. As usual, lots of improvements have been made since the last version, thanks to much testing and feedback from users. There are a few things that are particularly interesting about this new release of the Intel AMT DTK, and let's get right to it:

  • Built-in C# WSMAN stack. As Intel AMT is transitioning to WSMAN calls for remote manageability, adding WSMAN support into the DTK has been increasingly important. In the past, the DTK made use of WinRM, a Microsoft component that needed to be installed and configured. With version 0.51 of the DTK, I built my own WSMAN stack in C# right into the DTK stack. As a result, there is no more dependency on WinRM at all and no more compile problems. Additionally, the DTK is now much faster at making WSMAN calls since all HTTP requests are now pipelined, and the DTK can connect to AMT computers that have invalid TLS certificates (a warning will be displayed, of course). This is big news for anyone interested in WSMAN work. If you build your own manageability solution, I suggest you look at grabbing at least that part of the DTK source code.

  • Intel AMT Flash Tool. This version of the DTK adds a new Intel AMT Flash Tool. It will help users correctly set up a USB flash key so that it can be used to provision Intel AMT computers. As many of you may know, Intel AMT will, in the right conditions, read a setup.bin file from a USB flash key when booted and use the information to help set up Intel AMT. The setup.bin file must be at the very start of the USB key, and this new tool will help with that. The new tool is based on a similar tool that has already been released on the Intel Pro Center.

  • Intel AMT Reflector tool. Another new tool is a TCP connection reflector. It's a small generic tool that accepts connections and forwards the data back to the source IP address on a target port. It's useful for accessing Intel AMT from your own computer using a reflector on a different computer. I use it for recording some of my demonstration videos, but it can also be used by agents running locally that want to re-configure Intel AMT on the computer they run on. For example, detecting an OS name change and updating Intel AMT.

Many more changes and fixes have also been done, for example the terminal now correctly detects Serial-over-LAN disconnection, etc. For a full list, the DTK includes a change log.

 

Intel AMT DTK v0.51x Audio Blog (.mp3)

 

Ylian (Intel AMT Blog)

If you are planning to be at the Symantec\Altiris ManageFusion event in Las Vegas this year (April 8-10), be sure to sign up for the vPro labs. On Tuesday afternoon there will be an operations-focused lab. On Wednesday afternoon there will be an Enterprise Provisioning using Remote Configuration lab.

 

On the enterprise provisioning side, there are mainly three items to keep in mind:

  • Authenticate the Intel vPro firmware to the provisioning service.
  • Obtain the configuration parameters: provision profile, Active Directory OU, etc.
  • Map the client's FQDN and UUID.

 

The enterprise provisioning lab will discuss and step through each.

The vPro Expert Center’s newest endeavor is with blogtalkradio and we want you to get involved!



Hosted by Josh Hilliker & Russ Pam, this bi-weekly informal show will be covering a variety of topics and is a perfect avenue to get your questions answered. Listen in live, give your two cents, or just download the show after it has aired. Make sure not to miss out on this awesome opportunity to learn and engage with the vPro experts. Can't join us live? Have no fear, blogtalkradio lets you listen to the show whenever you have the time. Click the image below to hear previous shows and even catch a glimpse of what's to come!

 

Next show is on Monday, March 24th. Topic is "Ask the Experts" and will be focusing on activation, integration, and features. Send me a quick note if you would like to be added to the calendar invite.

 

Note: Our show schedule is still underway, but will be posted as soon as it is completed. Be sure to send in any topic ideas you may have to either Josh Hilliker, Russ Pam, or myself. They will be greatly appreciated.

 

In part 3 we covered troubleshooting common Provisioning Console issues. In part 4 we now focus on the components operating in the background during provisioning. With a functioning install and console, and when the issue appears to be server-related (Part 1 covered troubleshooting the local AMT system), any remaining issues must be evaluated on the server side. This article covers this process in a Problem - Cause - Solution format.

 
Introduction

The server components constitute a lot of ‘background' processes that support what is only seen as Altiris Console points. Much of what goes on in the background is invisible to the user, save as a change in status. If set up correctly, machines simply provision. It's when they do not provision that a user should understand the server components so that proper troubleshooting can be accomplished. Note that this covers the symptoms of server-component problems. Some of the symptoms do overlap client-side issues, but in this process we are assuming we've confirmed that the client system is functioning as expected. If you are unsure, see Part 1 of this article series.

 

Symptoms

The following symptoms are seen on the Server. Please note that some of the symptoms may appear to be both client and server related making it difficult to know where the issue lies. Use Part 1 in conjunction with this article if necessary in troubleshooting these issues.

 
  • No update to Intel AMT Systems Node - At times this node can abruptly appear stagnant with no new systems coming in and no provisioning taking place

  • No Systems Appearing - The Intel AMT Systems node may stay blank even after connecting systems in Setup Mode onto the Network.

  • FQDN Not Acquired - Once the SCS receives a hello message, it needs to acquire the FQDN, and if this fails the machine will remain in an unprovisioned state

  • No systems Provisioning - This can occur where systems show up in the system, but none of them provision

  • Properties Script Failed - This is a common error to be covered separately, though many of the above symptoms end up throwing this particular error

 
In addition to the symptoms, the following tools were used to troubleshoot the issues to find out which particular issue afflicted the Server:

 
  1. AMT Logs

  2. OOB Trace Logging

  3. Wireshark

 

See Part 1 in this article series on how to use these. These will be referenced in the below items.

 

No update to Intel AMT Systems Node

Problem

The typical symptom is an abrupt stop to updates on this node. For example if you have a number of provisioned systems, with systems added as systems are brought up on the network, and abruptly they stop updating or being added, this is indicative of this issue.

 

Tools:

  • AMT Logs - No updates to this log occur.

Cause

AMTConfig Service - The AMTConfig service has stopped, crashed, or is in a hung state. This isn't common in version 3.0 of SCS or higher.

 

Resolution

Check that the AMTConfig Service is running.

 

  1. Go to Services Manager under Administrative Tools.

  2. Check the Service named AMTConfig to make sure it is running.

  3. If the service is not running, start it. If the service is running, try restarting it just in case it's in a hung state.

  4. Once the service is up and running again (if this is the issue) provisioning should start occurring.

 

No Systems Appearing

Problem

The symptom is that no machines appear in the Intel AMT Systems list when the page is refreshed over a period of time when new systems are expected. The page ties directly into the IntelAMT database to populate the systems, so if the list isn't updating on the page, the list is also not updating in the database.

 

 

 

Tools:

  • AMT Logs - I. No entries found; II. No entries found; III. Invalid PID Map error

  • Wireshark - II. On the client the "Hello" packet is sent, but on the server it never arrives.

Cause

The causes vary. See below for known causes for this issue:

 

  I. AMTConfig Service - The AMTConfig service has stopped, crashed, or is in a hung state. This isn't common in version 3.0 of SCS or higher.

  II. "Hello" packets - The routing of "hello" packets is not configured correctly, so clients can't reach the Provision Server.

  III. PID rejected - The PID provided in the "Hello" packet is not contained as a valid security key in the IntelAMT database. This is only seen in the AMT Log found in the Provisioning Console under Logs, selecting the ‘Log' icon.

 

Resolution

See the steps to follow for the above causes.

 

  I. AMTConfig Service

    1. See the resolution to the section No update to Intel AMT Systems Node.

  II. "Hello" Packets

    1. In the Provisioning console go to the DNS Configuration node. Does the ‘Test' button allow Provisionserver to resolve back to the IP of the Notification Server?

    2. If yes, go to the segment of the network the client is on and try to ping the name ‘Provisionserver'. Does the IP resolve?

    3. If the answer to either question above is NO, a CNAME record needs to be created on each DNS Server to route to the IP address of the Notification Server.

  III. PID rejected

    1. In the Provisioning Console go to the Security Keys node under the Configuration Service Settings. The unused PID and PPS combinations are listed there.

    2. In the IntelAMT database, within the csti_pid_map table all used and unused security keys are listed. The ones with the value ‘True' in the ‘Used' column will not show up in the console.

    3. Either import the keys through the Import button on the Security Keys page if the OEM placed the AMT systems in TLS-PSK Setup Mode, or manually enter the PID and PPS.

 

FQDN Not Acquired

Problem

One or more Intel AMT Systems are registering in Intel SCS, but they never show an FQDN and never move out of the ‘Unprovisioned' status. In the AMT Log often these systems show the error ‘Properties Script Failed' (note that the cause of this error can be many, and this issue is but one of them).

 

NOTE! If no system is provisioning the issue may not be FQDN related. See No Systems Provisioning in this article for more information.

 

 

Tools:

  • AMT Logs - Properties Script Failed messages

  • OOB Trace - Unable to locate FQDN (Fully Qualified Domain Name) entries

Cause

Intel SCS calls the Out of Band Provisioning or Properties script, oobprov.exe, to do a number of things. The first thing it does is obtain an FQDN for the machine needing provisioning. If it fails to obtain an FQDN, provisioning will fail and the computer will remain in an unprovisioned state until oobprov.exe can successfully locate the FQDN.

 

Resolution

To find the FQDN, oobprov.exe runs through a number of checks. The suggested method is to have the Altiris Agent installed and have run the OOB Discovery Task (located in the Altiris Console under View > Solutions > Out of Band Management > Configuration > Out of Band Discovery > Out of Band Discovery). This populates the Altiris database so it has both an FQDN in the AeX AC Location data class and the UUID in the Inv_OOB_Capability data class. If this data is not available, another option is to check DNS resolution as a method. In the Altiris Console look under the Resource Synchronization node, within the Intel AMT Systems folder. As shown below, this option enables oobprov.exe to use DNS IP resolution as a method.

 

 

 

NOTE the warning found directly below the checkbox: Warning! Using DNS for IP to FQDN resolution might lead to incorrect profile mapping. Make sure your DHCP server is configured correctly to update the DNS server for dynamic addresses.

 

 

No systems Provisioning

Problem

Systems are added regularly to the Intel AMT Systems node, but they never provision. This includes never getting an FQDN (see the above section for more information), though the cause may not be the inability of oobprov.exe to obtain the FQDN.

 

Tools:

  • AMT Logs - Provisioning Script Failed messages

  • OOB Trace - No references to oobprov.exe

Cause

If not an FQDN mapping issue, this issue stems from a timeout value in the IntelAMT database being set to 0. In the IntelAMT database, in the table csti_configuration, if the value in the column Props_script_timeout is 0, Intel SCS will time out before it even has a chance to call oobprov.exe.

 

Resolution

Normally only one row exists in this table. The following SQL query will properly update this value to the default level. The default is 180 and should be set.


    -- Reset the Properties script timeout to the 180 second default so that
    -- Intel SCS waits for oobprov.exe instead of timing out immediately.
    USE IntelAMT
    UPDATE csti_configuration
    SET props_script_timeout = 180
    WHERE use_props_script = 'True'

Execute the script within SQL Query Analyzer or SQL Enterprise Studio to update the value.

 

 

Properties Script Failed

Problem

This message can mean a number of things, including the symptoms described in the preceding two sections. This message can continually appear in the AMT logs as provisioning is attempted over and over.

 

Cause

The causes of this issue vary. The basic explanation is that when oobprov.exe is called, if it returns anything other than success, the resulting error message in the AMT logs is ‘Properties Script Failed'.
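As an added example (not Altiris or Intel code), the Problem - Cause - Resolution table of this Part 4 written out as a small triage routine. The Evidence fields and the AMT Log and OOB trace lines are constructed by me to illustrate the logic and are not real SCS formats; only props_script_timeout mirrors the csti_configuration column named above.

```python
"""Triage of Intel SCS provisioning symptoms, following the Problem / Cause /
Resolution sections of this article. Added example, not Altiris or Intel code.
The Evidence field names and the sample log lines are constructed; only
props_script_timeout mirrors the real csti_configuration column."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Evidence:
    """What the tools from Part 1 (AMT Logs, OOB trace, Wireshark) and the
    server itself tell us, gathered by hand and typed in here."""
    amt_log: List[str] = field(default_factory=list)    # Provisioning Console > Logs
    oob_trace: List[str] = field(default_factory=list)  # OOB trace logging via DebugView
    hello_seen_on_server: Optional[bool] = None         # Wireshark on the NS; None = no capture
    amtconfig_running: bool = True                      # state of the AMTConfig service
    props_script_timeout: int = 180                     # csti_configuration.props_script_timeout


Finding = Tuple[str, str]  # (symptom heading from the article, suspected cause)


def _any(lines: List[str], needle: str) -> bool:
    """Case-insensitive substring search over a list of log lines."""
    return any(needle.lower() in line.lower() for line in lines)


def triage(ev: Evidence) -> List[Finding]:
    """Return the suspected causes in the order the article checks them.

    Several causes can apply at once (a stopped AMTConfig service and a
    zeroed timeout, say), so a list is returned rather than one verdict."""
    findings: List[Finding] = []

    # No update to Intel AMT Systems Node: the AMT Log goes silent because the
    # service that writes it has stopped or hung.
    if not ev.amtconfig_running:
        findings.append(("No update to Intel AMT Systems Node",
                         "AMTConfig service stopped or hung; start/restart it"))

    # No Systems Appearing, cause II: the Hello packet leaves the client but
    # never reaches the Provision Server, so nothing is ever logged.
    if not ev.amt_log and ev.hello_seen_on_server is False:
        findings.append(("No Systems Appearing",
                         "Hello packets not routed; add a CNAME for Provisionserver "
                         "pointing at the Notification Server on each DNS server"))

    # No Systems Appearing, cause III: the PID in the Hello is not a known key.
    if _any(ev.amt_log, "Invalid PID Map"):
        findings.append(("No Systems Appearing",
                         "PID rejected; import or enter the PID/PPS under Security Keys"))

    script_failed = (_any(ev.amt_log, "Properties Script Failed")
                     or _any(ev.amt_log, "Provisioning Script Failed"))
    if script_failed:
        if _any(ev.oob_trace, "Unable to locate FQDN"):
            # FQDN Not Acquired: oobprov.exe ran but found no FQDN for the system.
            findings.append(("FQDN Not Acquired",
                             "run OOB Discovery so AeX AC Location / Inv_OOB_Capability are "
                             "populated, or enable DNS IP-to-FQDN resolution"))
        elif not _any(ev.oob_trace, "oobprov.exe") and ev.props_script_timeout == 0:
            # No systems Provisioning: SCS times out before oobprov.exe is even called.
            findings.append(("No systems Provisioning",
                             "props_script_timeout is 0; set it back to 180 in csti_configuration"))
        else:
            findings.append(("Properties Script Failed",
                             "oobprov.exe returned non-success; check the FQDN Not Acquired "
                             "and No systems Provisioning sections"))
    return findings


# Constructed sample evidence for a server whose timeout was zeroed; the UUID
# and line layout are placeholders, not real AMT Log output.
SAMPLE = Evidence(
    amt_log=[
        "2008-03-20 14:02:11 UUID 00000000-0000-0000-0000-000000000001 Provisioning Script Failed",
        "2008-03-20 14:07:11 UUID 00000000-0000-0000-0000-000000000001 Provisioning Script Failed",
    ],
    oob_trace=["[AMTConfig] props script: timeout reached before launch"],
    hello_seen_on_server=True,
    amtconfig_running=True,
    props_script_timeout=0,
)

if __name__ == "__main__":
    for symptom, cause in triage(SAMPLE):
        print(f"{symptom}: {cause}")
```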

 

Resolution

See the above two sections for the symptoms No Systems Provisioning and FQDN Not Acquired, but for additional information see the following article:

 
Conclusion

This concludes the troubleshooting section for the Provisioning process. For the most common issues, the resolutions and steps presented in the first four parts of this series will resolve them. I also hope the methodology here helps explain how the background processes are working. In the next parts of this series we'll cover troubleshooting issues with the management components after systems have been successfully provisioned.

There has been a lot of chatter lately on the boards and newsgroups I monitor about the economy in 2008, and whether we can classify its current status as an economic downturn, mini-recession, recession, etc. It's been generally accepted by noted economists that we are certainly experiencing an economic downturn, if measured by a significant decline in activity spread across the economy, and lasting longer than a few months. On the other hand, the technical indicator of a recession is defined as two consecutive quarters of negative economic growth as measured by our GDP.

 

We'll need to wait for this quarter's numbers to see if the US economy will indeed be categorized as in recession, based upon last quarter's decline in growth, even though most economists agree we are heading that way, led by indicators such as the fall of the housing market to its lowest level since 1993, and consumer spending posting its smallest gain since 1991. The most telling news heralding the severity of our current economic climate is Sunday's announcement of the buyout of Bear Stearns, one of the world's largest and most venerable investment banks by JPMorgan, for the fire-sale price of only $2 a share.

 

So what does this economic downturn mean to us as service providers? Businesses traditionally are much more careful in their spending during times of economic uncertainty, and I.T. projects are normally among the first batch of initiatives to be placed on hold, as clients and prospects tighten their belts to weather the storm. It's important for us to identify this reality and shape our internal processes, deliverables and their supporting technologies, message and value proposition accordingly so that we can take advantage of these opportunities.

 

 

Did that last sentence confuse you? If it did, let me explain my position. If we, as service providers, shape our message, deliverables and pricing in such a way that we are seen as a cost-saving solution to clients and prospects that can mitigate their business risks and increase their efficiencies and productivity; and therefore net profits, we have a really good shot at not only weathering economic downturns ourselves, but actually growing our businesses during these periods. Sound crazy? Let's dive a bit deeper...

 

 

As a reactive service provider, we are most profitable when our clients are experiencing the most pain. If there is an outage or disaster event, we react to and remediate the problem, then bill our client. Our clients are never prepared to pay for these reactive emergencies, so the negative impact to their cash flow and operations is very high. This is the reason many clients and prospects have a less than positive opinion of I.T. maintenance costs in general.

 

 

As a proactive service provider (read: MSP), however, our relationship with clients is the complete opposite, as we are most profitable when our clients are experiencing the least pain. The better we proactively manage and maintain their environments, the higher their efficiencies, productivity and profits. The more we integrate enabling tools and technology such as vPro that reduce our service delivery costs, and utilize processes and procedures to remotely monitor and manage our client environments, the higher our staff's utilization becomes, and the lower our cost of service delivery, increasing our net profits. So in this example, our business goals are in perfect alignment with our clients' - we are the most profitable when they are the most profitable.

 

 

So how can we reduce the cost of our deliverables, improve our efficiencies with technologies such as vPro, and shape our marketing message and value proposition to take advantage of the current economic downturn?

 

 

Watch my next blog post to find out...

 

 

Here are some high level steps that walk you through procuring a VeriSign certificate and configuring it for the Intel Setup and Configuration Service (SCS). Other certificate vendors like Go Daddy, Starfield, Comodo, etc. will have different purchasing processes.

 

Purchase Verisign Certificate

  1. Generate a Certificate Signing Request (CSR) by following the instructions at http://www.verisign.com/support/ssl-certificates-support/page_dev019431.html.

  2. The Common Name (CN) needs to be the FQDN of the server you want to install this certificate on. (i.e. host name + domain name)

  3. Enter ‘Intel(R) Client Setup Certificate' for Organization Unit (OU).

  4. Complete all the steps. Visit the VeriSign website, http://www.verisign.com/ssl/buy-ssl-certificates/, to start the purchasing process. Select ‘Secure Site: SSL Certificates' under ‘Buy Individual SSL Certificates'.
         Note: you could choose one of the other two, which are more advanced, depending on your needs.

  5. Enter all the information required and copy the CSR generated by the server

  6. Complete all the steps and print out the order confirmation page for your record.

  7. You will receive a VeriSign automated order verification email within a few hours. You have only 24 hours after receiving the email to finish this process. Click the link in the email and go through the process.


    *Important:* If you cannot recognize the second phone number listed on the webpage, cancel the automated verification process and have them call you instead.

Certificate Installation and Exporting

  1. You will receive a link to the installation instructions in the email containing the certificate. Follow the instructions to complete the installation.

  2. VeriSign will send you the SSL certificate via email. If the certificate is an attachment (Cert.cer), save the file to the hard drive. If the certificate is in the body of the email, create a .cer file (example: NewCertificate.cer) by copying and pasting the certificate text into a plain text editor such as Notepad or Vi. Please be sure to include the header and footer as well as the surrounding dashes. Do not use Microsoft Word or other word processing programs that may add characters. Confirm that there are no extra lines or spaces in the file.

  3. Open the Internet Services Manager (IIS). Click Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager.

  4. Under Web Sites, right-click your web site and select Properties.

  5. Click the Directory Security tab.

  6. Under Secure Communications, click Server Certificate.

  7. The Web Site Certificate Wizard will open, click Next.

  8. Choose Process the Pending Request and Install the Certificate, then click Next.

  9. Important: The pending request must match the response file. If you deleted the pending request in error you must generate a new CSR and replace this certificate.

  10. Select the location of the certificate response file, and then click Next.

  11. Read the summary screen to be sure that you are processing the correct certificate and then click Next.

  12. You see a confirmation screen.

  13. After you read this information, click Next.

  14. Go back to IIS Manager (Start > Programs > Administrative Tasks > IIS Manager)

  15. Expand Web Sites and right click Default Web Site

  16. Under Secure Communications, click View Certificate...

  17. Select the Detail tab.

  18. Click Copy to File at the bottom right of the window; the Certificate Export Wizard will pop up. (N)

  19. Choose Yes, export the private key. (N)

  20. Mark Include all certificates in the certification path if possible. (N)

  21. Give a password (can be a weak password) and confirm. (N)

  22. Give the location and file name for the resulting PFX. (N), Finish, OK.

  23. Close all windows.

 
Adding Cert To SCS

Install the certificate created above in the System Certificate Store on the platform where the SCS executes. Follow these steps:

  1. Open certificates (local computer) using the Microsoft Management Console (MMC). To add the certificates plug-in to the MMC,

  2. Select file/add snap-in.

  3. Select Add....

  4. Select Certificates.

  5. Select computer account; click Next.

  6. Select Local computer; click Next.

  7. Select Finish; Close; select Certificates and click OK.

  8. In the console tree, click the logical store where the mmc will import the certificate.

  9. On the Action menu, point to All Tasks and then click Import to start the Certificate Import Wizard.

  10. Type the path and file name of the certificate to be imported, or click Browse and navigate to the file. Select ‘Automatically select the certificate store based on the type of certificate'.

 

Invoke the loadcert utility

  1. Located at <install_root>:\Program files\Intel\AMTConfServer\Tools.

  2. Double-click on loadcert.exe

  3. Select the certificate that was just imported. The utility will report any problems in the certificates that it detects that would prevent using it as a ZTC certificate.

 

Matt Royer

In part 2 we introduced the Server components used in Provisioning, including some key items to be aware of. In this installment we'll cover troubleshooting the server components in a symptom - cause - resolution format. The methodology should also help you understand how these components work, for further troubleshooting efforts or for simply understanding how the data is moving through the Provisioning process. This specific article covers the Console and the common errors that can appear.

Introduction

 

Once the server components are installed, and the AMT systems are in a correct Setup Mode, one must access the Provisioning Console to manage the Provisioning process. This console is located in the Altiris Console under View > Solutions > Out of Band Management > Configuration > Provisioning. This part of the series covers errors in the console, specifically common errors seen after the installation has taken place. These errors can also surface due to environmental changes in the infrastructure.

 

Symptoms

 

This section lists all the symptoms covered in this article.  Use this list to guide you if you are working on a specific issue.

 

  • Provisioning Console Access Forbidden - Generally this is a 403 error on most of the Altiris Console Provisioning Nodes

  • Provisioning Console Connection Closed - All the Provisioning Nodes show an error that the underlying connection was closed

  • Provisioning Console User Not Authorized - This error relates to the access rights to the actual Provision Nodes, and can happen even if a user is an Altiris Administrator

  • Provisioning Console Timeouts - We've seen timeouts occur in the console, when accessing the Intel AMT Systems list

Provisioning Console Access Forbidden

Problem

 

When accessing the Provisioning Console, the following error is thrown:

The request failed with HTTP status 403: Forbidden

 

 

 

Cause

 

When installing Intel SCS, the manual install defaults to HTTPS, using TLS for secure communication.  If the environment is not setup for TLS/HTTPS, the Altiris Provisioning Console will be unable to authenticate to Intel SCS, throwing this error.

 

Resolution

  1. On the Notification Server where Intel SCS is installed, open up IIS Manager.

  2. Browse down into the Default Web Site and select AMTSCS.

  3. Right-click on AMTSCS and choose Properties.

  4. Select the Directory Security tab.

  5. Click the Edit button under the Secure communications section.

  6. Uncheck the box labeled ‘Require secure channel (SSL)'.

  7. Click OK.

  8. Click Apply and then OK.

Provisioning Console Connection Closed

Problem

 

The error ‘The Host Name cannot be resolved' or ‘the remote connection was closed' appears when accessing the Provisioning Console.

The problem can also be seen when using the Test functionality on the DNS Configuration node.  It may show a failed to obtain IP message.

Cause

 

When our Console tries to resolve the name of the Intel SCS Server (even when Altiris and SCS are on the same server) it fails and one of these errors is thrown. The difference can be in the perceived FQDN for the Server. Altiris is attempting to acquire the right IP address so it can communicate with SCS.

 

Resolution

 

There are two ways to fix this if a reinstallation does not correctly set the SCS identity within Altiris.

 

 

LMHOSTS or HOSTS files - We can update one or both of these files to contain the FQDN we're using to try and translate the IP Address.  The difficult part is finding out what Altiris is attempting to connect to.  Use the process below to find out what it is looking for:

 

  1. See Part 1 concerning the use of OOB trace logging and Debug View.

  2. Enable trace logging in OOB and launch dbgview.exe.

  3. Try to access the console and produce the error.

  4. Stop trace logging.

  5. This is the difficult part.  Normally I scan through the log looking for the host name of the server.  Usually this shows up as part of an FQDN.  One example of this is Altiris called Servername.domain, which did not respond, but Servername.domain.com was a valid name.

  6. Do a Search for the Host Name of the system (Not FQDN as it may not be using the valid one).  For example, MyServer.

  7. Once complete, access the file named lmhosts (no extension).  Place a line in the file with the Server IP Address and invalid name:

    • 10.10.10.1     Servername.domain

  8. Whatever invalid name was located in step 5, the above sequence can be used to give the computer the correct IP Address resolution.  This resolves the issue.  However there may be other steps needed.  If this doesn't resolve the issue, continue to step 8.

  9. Access the Service Location node in the Provisioning Console.

  10. Change the option to ‘Alternate URL:'.

  11. Specify a new location changing the name to one that resolves, for example:

  12. Click Apply to save the changes.

 

The difficult part in this process is locating what Altiris believes the name of the Intel SCS Server is. Since Altiris and SCS are not integrated, they do not have a mechanism that shows whether they are on the same server or not. This is why this issue surfaced.

 

Provisioning Console User Not Authorized

Problem

 

After installation or after credential changes the typical error structure appears with the message:

 

  • Current User can't view this page.

  • Current user can't change settings on this page.

 

Note that the error does not have the Red error typically associated with other console errors.

Cause

 

After installation only the user who conducted the Intel SCS install has rights to the console nodes.  Until other users are added, only this user (usually the Notification Server Application identity) has rights to these nodes.  Notification Server role and scope security does not apply to the populating of the data to the right of these nodes (although it does control access to actually showing the nodes themselves in the left-hand tree).

 

Resolution

 

Follow these steps to give the necessary users rights to the Provision Console nodes:

 

  1. Log into the Altiris Console as the Notification Server Application Identity, or the user used to manually install Intel SCS (one of these will usually be the authorized user).

  2. Access the Altiris Console under View > Solutions > Out of Band Management > Configuration > Provisioning > Configuration Service Settings > Users.

  3. Note the users who already have rights.

  4. Click the blue + icon to add a user.

  5. Click the ... browse icon to see a typical Notification Server Domain user and groups search window.

  6. Add a group or user and click OK.

  7. Under Role, grant Enterprise Administrator rights unless you want to limit which nodes are operable.

  8. Click OK to complete adding the user.

 

If no user can access these nodes, the Intel SCS installation needs to be run again under the correct user.  Run through these steps to complete this:

 

  1. Log onto the Notification Server directly (or with the /console switch if you're using Remote Desktop) with the NS Application Identity.

  2. In Add/Remove Programs, locate 'Intel® Active Management Technology Setup and Configuration Service' and remove it.

  3. On the Notification Server, browse to install_path\Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\OOB\IntelSCS\.

  4. Launch the file AMTConfServer.exe and walk through the install.  Be sure to use the Application Identity as the credentials for SCS.

  5. When prompted for the database credentials, if permissible use the Application Identity.

  6. Once completed log into the Altiris Console with the Notification Server Application Identity, then move back to step 1 of the previous sequence to add other users as necessary.

Provisioning Console Timeouts

Problem

 

Even in small environments we've seen timeouts on the Intel AMT Systems node, and much less frequently on the other nodes.  The timeout throws a .NET error and the page is replaced by a timeout error.

 

Cause

 

The cause is not known at this time. The timeouts do not consistently coincide with busy periods on the Notification Server, so the trigger is difficult to identify: when plenty of resources are available they generally do not occur, yet an extremely busy server does not always produce them. Several varying factors appear to be involved.

 

 

A refresh after the timeout error often loads the page just fine. This suggests that loading the page gets into a loop or hung state, rather than a true processing timeout.

 

Resolution

 

No full resolution is known at this time, but a few items can help minimize the impact of the issue.

 

  1. Remote Consoles - We've seen remote consoles perform better than a console loaded directly on the Notification Server.

  2. Refresh - Normally the timeouts occur without loading any of the frames within the page.  If you click on the link or hit the refresh for the Intel AMT Systems page and no frames load within a minute, refresh the page.  Often when the page is refreshed it then loads correctly, even quickly.

Conclusion

 

Once the console has been restored, the Provisioning process can be configured and initiated. Because of the all-or-nothing nature of most of these issues, they must be overcome before Intel SCS can even be properly set up and configured for the Provisioning process. The above resolutions cover the methods used to resolve these issues at multiple sites.

 

 

 

The USB Key Provisioning Utility (UKPU) tool is designed to create a valid USB key for provisioning Intel® AMT Systems. The UKPU tool prepares a USB Flash drive, copies the requested setup.bin to the drive, and also verifies that the setup.bin is saved using the proper procedures necessary to ensure that it is detected by Intel® AMT.

 

The tool has a 'repair' mode that allows you to take an existing USB Key and reconstruct it to ensure the setup.bin is visible to Intel® AMT. In addition, you can set up a USB Key using any renamed setup.bin file on your computer, and the tool will automatically ensure it is renamed to 'setup.bin' when setting up the key.

 

Here's a 3 minute video overview of the tool's capabilities (Click here to view video on YouTube):

 

Both a binary-only version and an open-source-licensed source version are available at the download site.

 

DOPD SW Engineering Team

The Intel® Active Management Technology (Intel® AMT) Setup and Configuration Service (Intel® SCS or SCS) provides developers and ISVs with the tools to set up and configure Intel AMT devices. The Setup and Configuration Service (SCS) allows most aspects of setup and configuration to be completed through a remote management console. The service package consists of a configuration engine and installer in binary form, plus a reference graphical user interface that the ISV may integrate into their Manageability Product.


So where is the Intel® SCS in Microsoft System Center Configuration Manager (SCCM) SP1? The short answer is MS SCCM SP1 does not use the Intel SCS. The longer answer is that Microsoft, as part of their architectural design of SCCM SP1, has chosen to develop their own mechanism for performing the initial provisioning and configuration of the Intel® vPro Clients. This is different from the requirement the Intel Client Manageability Add-on for SMS 2003 had on the Intel SCS for enterprise provisioning and configuration.


Each ISV, as part of their enablement of vPro Management Technology within their product, can choose to leverage the Intel® SCS or use it as a reference design to develop their own implementation. Microsoft, with SCCM SP1, is not the only ISV that chose to develop their own capability for provisioning and configuring vPro Client; did you know that LANDesk also does not use the Intel SCS for vPro Client provisioning and configuration?


Matt Royer

 

 

In part 1 of this series we covered troubleshooting the local AMT client system. In this part we'll discuss the server components that take part in the provisioning process. Learn how the symptoms pinpoint each component, and what methods reveal the source of the problem. Learn how Out of Band Management handles the Hello Packets in conjunction with the Intel SCS Component.

 

Introduction

Provisioning isn't a single road. There are two primary paths to reaching a provisioned state, not counting the simple 'Small Business Mode'. Pre-shared Keys (TLS-PSK) and Remote Configuration (certificate-based TLS) provide two methods for authenticating with the Provision Server and receiving a Profile to set it into a Provisioned state. Understanding the server components is essential to properly diagnosing and troubleshooting problems with the process. Part 3 of this series will cover the symptoms and their likely causes, including troubleshooting details.

 

The following components integrate in the following manner:

 

 

 

 

Out of Band Management

Out of Band Management contains 3 main components, with further components broken down as shown here:

 

  • Out of Band Management Solution - This is the main NS installer

    • NS-based Tasks and Agents

    • Provisioning Console Nodes

  • Out of Band Setup and Configuration - This is a wrapper for the Intel SCS install

    • Creates the files used for the Intel SCS installation

  • Intel SCS Component - This is Intel code for interacting with AMT systems

    • AMTConfig Service

    • IntelAMT database

Out of Band Management Solution

The installer for this Solution creates the Altiris Console pages and underlying code that intersect directly with the Intel SCS component. Consider those pages as hooks into Intel SCS. Intel SCS can install without Out of Band Management. Everything located in the Altiris Console at View > Solutions > Out of Band Management > Configuration > Provisioning ties directly through the AMTSCS web service to access the IntelAMT database (with the exception of DNS Configuration, Service Location, and Delayed Provisioning).

 

This installer also creates the Tasks, Packages, and Agents used for Out of Band Management, including:

 

 

  • Out of Band Discovery - This is an EXE that uses the standard NS Software Delivery to detect the presence of AMT and pull certain data out, including the UUID. This is used heavily for FQDN mapping and is an important part of the best provisioning method.

  • Out of Band Task Agent - This agent installs like any other Altiris Agent subagent. It's used to function with ASF, or to restart the Hello Packet sequence with Delayed Provisioning in Remote Configuration.

  • Delayed Provisioning Task - This restarts the Hello Packet sequence, and requires the Out of Band Task Agent.

  • Collections and Packages - Collections and Packages for the above items.

  • Oobprov.exe - This is the Provisioning agent that assists the SCS in provisioning AMT client systems.

 

Important points:

 

  1. Out of Band Management NS items will work without IntelSCS, but the Provisioning nodes require Intel SCS to be installed and properly configured.

    [Screenshot: ProvisioningTree.jpg - the Provisioning node tree in the Altiris Console]

  2. Installed alone, most of the above nodes will not function. The default error shown here appears with ANY problem:

    • Error connecting to the Intel® AMT Setup and Configuration Server. Verify that Intel® AMT Setup and Configuration Service security settings are configured and AMTConfig service is running. See documentation for details on troubleshooting the Intel® Setup and Configuration Server Installation.

  3. The error always has a second bullet point, with another warning box containing additional bullets. These usually give a more specific message concerning the problem. I've rarely found that the message above accurately points to the source of the problem. See this screenshot for an example:

 

 

Out of Band Setup and Configuration

This installer is truly just a wrapper for the Intel SCS installation. It does provide a crucial function. It lays down the following folder structure where the Intel SCS Component is installed from:

 

  • Install_path\Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\OOB\IntelSCS

 

The installer does make an automatic attempt to install Intel SCS using the script located at the above location named InstallWithDefaultSettings.cmd. This install makes the following assumptions:

 

  1. The SQL database server and instance is the same one the Notification Server is using

  2. The AMTConfig service account will run under the Altiris Application Identity credentials

  3. The Database install and user will be the Altiris Application Identity Account

  4. The Default Web Site is available for install of the AMTSCS virtual directory

Intel SCS Component

The Intel Setup and Configuration Service component is provided by Intel and supported by Altiris\Symantec. This includes the following components:

 

  1. IntelAMT database - Like the Altiris database, the IntelAMT database is the backbone of the SCS component. The following items are included in the database:

    1. Hello packet data

    2. Queues for Provisioning and Maintenance actions

    3. Settings for SCS

    4. Security keys

    5. AMT machine data

    6. AMT Profiles

  2. AMTConfig Service - This service is the piece that talks to the AMT systems and processes items in the database queues. It also calls oobprov.exe to assist in provisioning, primarily to obtain the FQDN for the system.

  3. AMTSCS Virtual Directory - In IIS, SCS creates a virtual directory that contains the interfaces the Out of Band Management Console uses to connect to the IntelAMT database. Its simple structure belies the importance of this interface.

 

Keep in mind the following:

 

  1. Failures to install are almost always security related. See the 'Install' section below for more information.

  2. The IntelAMT and Altiris databases are required to be installed to the same SQL instance for Resource Synchronization to work (Resource Synch is the process of importing AMT systems from SCS to NS. In cases where a system is already managed by NS, the data will be merged in the existing NS record)

Install

Often when you install Out of Band Management Solution or the Altiris Manageability Toolkit for vPro Technology the assumptions cause the OOBSC component to fail, and a message is thrown giving basic instructions on how to install it manually. In some ways I prefer the manual installation so each setting can be directly controlled. When this happens, it's important to follow these steps to avoid issues:

 

  1. Log onto the Notification Server with the Application Identity, or if not allowed, log on as the user that has rights to the Notification Server and the SQL Server.

  2. Stop IIS on the Notification Server, shut down all Altiris Consoles, stop the AMTConfig service, and shut down any SQL consoles (SQL Enterprise Studio, Query Analyzer, etc). While this can be difficult to arrange, it ensures all necessary accesses and resources are available.

  3. Launch the installer directly from install_path\Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\OOB\IntelSCS\AMTConfServer.exe

  4. Follow the onscreen prompts. In the next part we'll discuss a scripted install should this install fail. The scripted install allows greater visibility to the process and shows any errors as they occur.

Oobprov.exe

This component is what is known as the Provisioning Script, or Properties Script. Intel SCS requires a provisioning script in order to conduct Provisioning, and as mentioned earlier this is provided as part of Out of Band Management.

 

When the AMTConfig Service receives an incoming hello message, it logs it, places the provisioning request in the queue, and then calls oobprov.exe. Any message stating 'Properties Script Failed' means that oobprov.exe did not successfully provision the AMT system.

 

 

AMTSCS Virtual Web-site

The web-site is generally invisible to the admin running the Console. It must exist, but otherwise the mechanism is pretty solid. The one thing that must match is whether TLS (Transport Layer Security) is in use or not.

 

Keep in mind the following:

 

 

  1. If you will be using TLS for AMT management, this virtual directory must be set to https for any functionality.

  2. If you will not be using TLS, https cannot be enabled on this virtual directory.

  3. If TLS is not implemented but https is enabled on the virtual directory, the Altiris Console will fail.

  4. If TLS is enabled but https is disabled on the virtual directory, the Altiris Console will fail.

  5. The default is https enabled when running the SCS install manually.

IntelAMT database

Much like the Altiris database is to NS, the IntelAMT database is the backbone of Intel SCS. While all functions in the console are automatically interconnected in the database, understanding some of the important tables can help in the troubleshooting process.

 

Important tables

The following is a list of some of the core tables used by Intel SCS:

 

  • csti_amts - This is the data on the actual AMT system. When looking in the Intel AMT Systems node in the Altiris Console, it is reflecting data from this table.

  • csti_configuration - This table holds the core configuration between Out of Band Management and Intel SCS.

  • csti_uuid_maps - This maps the UUID (Primary AMT ID) to the FQDN.

    [Screenshot: csti_uuid_maps.jpg - contents of the csti_uuid_maps table]

  • csti_pid_map - This table contains the security key information so that Intel SCS can authenticate to the AMT client systems, and the client systems can initially authenticate with Intel SCS.

  • csto_queue_entries - This is the queue wherein Intel SCS processes Provisioning and Maintenance requests.

  • csto_delayed_entries - For Provisioning requests that have failed for whatever reason, this queue is used.

Conclusion

This introduction to the Server Components will help provide understanding for the moving pieces, and will be heavily referred to in Part 3. Knowing how each component functions will greatly help when walking through the troubleshooting steps, especially on how to identify where the problem is originating from.

josh.hilliker

Dash 1.1 vs. AMT 3

Posted by josh.hilliker Mar 14, 2008

Recently I was reading an article that discussed the differences between Dash 1.1 and AMT 3, embedded in a Gartner article, and thought this was a good piece to share with the community.


I usually don't share articles like this, however I thought it appropriate since the table is pretty good. http://mediaproducts.gartner.com/reprints/intel/153886.html

Russ & I are hosting an Ask the Pros session in our bi-weekly radio show. We are planning on having an open session with online & phone callers to discuss all your vPro questions. If you are interested in a certain area like activation, integration, or what vPro does, etc., please let us know those questions now and we'll start pulling the data together.

 

We will blog soon on the date/time so you can mark your calendars.

 

Thank You

 

*This is a repost of this article to the Activation section of the Site*

 

 

Troubleshooting issues with the Intel® AMT Provisioning process can be a daunting prospect. This series walks through the troubleshooting methods to pinpoint where problems originate and how to fix them. Use Part 1 to troubleshoot the AMT systems when provisioning is not occurring. If the issue is on the client side, this document should provide the tools to diagnose and fix the issue.

 

Introduction

There are several modes a vPro capable system can be in when it arrives at the customer site. The modes are:

 

  1. AMT disabled

  2. AMT enabled, not in Setup Mode (factory default)

  3. AMT enabled, not in Setup Mode (Password has been changed in the MEBx)

  4. AMT enabled, in Setup Mode for TLS-PSK

  5. AMT enabled, in Setup Mode for Remote Configuration

  6. Modes 4 and 5 with 'Hello' Packet Mode disabled

 

Each of the modes has its own quirks, and understanding the modes will help determine what state a system is in, and how to change a system from one state to another.

 

Versioning

It is important to understand the different versions of not only the local AMT build, but of Altiris' Out of Band Management with the Intel SCS Component. See the following table:

 

OOBM   Intel SCS   AMT
6.1    1.2         2.0, 2.1
6.1    1.3         2.0, 2.1
6.2    3.0         2.0, 2.1, 2.5, 3.0
6.2    3.2.1       2.0, 2.1, 2.2, 2.5, 2.6, 3.0

 

Note the following points when working with the different versions:

 

  • Versions 2.0, 2.1, 2.5 do not support Remote Configuration

  • Versions 2.5 and 2.6 are notebooks

  • Versions 2.2 and 2.6 are upgrades to versions 2.0, 2.1 and 2.5 respectively and provide the additional functionality of using Remote Configuration for Provisioning

  • Intel SCS version 1.2 was unstable. It's recommended to upgrade to 1.3 or upgrade OOB to 6.2.

  • Versions 2.2 and 2.6 are not supported for Remote Configuration unless Intel SCS is upgraded to version 3.2.1. Check the following KB articles for more information:

AMT Setup

Each mode for AMT sets the system in a specific state. See the brief descriptions below of how AMT acts in each state:

 

  1. AMT disabled - In this situation AMT must be enabled either manually by looking into the Intel MEBx (Ctrl+P at startup) or by using the RCT Tool. The following article covers the use of this tool, including data on the command-line switch that can be used to enable AMT:

  2. AMT enabled, not in Setup Mode (factory default) - This is the required mode to use USB One-Touch for provisioning. If a user or the OEM has logged into the MEBx and changed the password, the system is no longer in factory default and the One Touch method will not work.

  3. AMT enabled, not in Setup Mode (Password has been changed in the MEBx) - One Touch will not work, but manually entering the PSK or setting into Remote Configuration mode will allow the system to enter Setup Mode.

  4. AMT enabled, in Setup Mode for TLS-PSK - All Provisioning is encrypted using TLS, however the inner security workings can differ. For Pre-shared Key (known as PID PPS) a public and private key are used. The manufacturer can set a specific PID PPS on the system or a user can auto-generate them. The key is that both the client and server have to have the key in order for authentication to work.

  5. AMT enabled, in Setup Mode for Remote Configuration - All 2.2, 2.6, and 3.0 version AMT systems come in this mode unless the OEM is explicitly instructed to set it differently. The point of Remote Configuration is to avoid visiting the AMT system in order to get it provisioned for manageability use.

  6. Modes 4 and 5 with 'Hello' Packet Mode disabled - This is common if the system is not immediately hooked up to the production network. All systems will fall into this state if they transmit the 'hello' packet for 24 hours.

Troubleshooting Tools

Before we get into the actual symptoms, we'll cover the tools used to determine where the problem is coming from. While not easy to use, the logging capabilities allow us to verify if the correct processes are functioning on the local system.

 

AMT Logs

The Altiris Console has direct ties into the AMT Logs captured in the IntelAMT database as a normal part of operation. The Logging level is set in the Altiris Console under View > Solutions > Out of Band Management > Configuration > Provisioning > Configuration Service Settings > and select General. Debug Warning is recommended so you get both Errors and Warnings.

 

The logs are accessed from Provisioning > Logs > and select 'Log'. Entries here will reveal problems during the provisioning process and other Intel SCS functions.

 

 

 

OOB Trace Logging

Out of Band Management has the ability to log trace details to a debugging program. See the following KB article on details on how to set this up:

 

 

Trace logging will log everything from console accesses, to oobprov.exe calls from IntelSCS. When oobprov.exe is called, all actions are logged to trace, which can capture problems with the provisioning process.

 

Wireshark

While the two tools above are specific to Out of Band Provisioning, Wireshark tells the whole story of what is coming and going across the wire. It's important to know what the AMT clients are sending, especially in the 'Hello' packet, and what the server is responding with.

 

Wireshark can be obtained from: http://www.wireshark.org/. While this is the recommended tool, any network trace capture program can be used to examine the network traffic between the AMT client and the Provisioning Server.

 

Altiris Knowledgebase

All known errors and issues we've run across have been documented in the Altiris Knowledgebase. If you have a specific error, search in the KB and see if we have a documented fix for it. Access it directly here:

 

 

Symptoms

The following symptoms point to problems with the local AMT system or its ability to communicate to the Provisioning Server so that Provisioning can occur.

 

System Missing

A common symptom for new AMT client systems is that the system, even if believed to be in Setup Mode, doesn't show up in the Altiris Console under Intel® AMT Systems. The causes vary, but the following methodology should help pinpoint where the problem originates.

 

Is the system sending 'Hello' packets? Walk through this procedure to determine if it is or not:

 

  1. Does the AMT Log contain entries for the system requesting Provisioning? The identifier in the logs is the UUID. One example of an error that would prevent a system from showing up is 'failed to find PID mapping', meaning the requesting system is trying to authenticate with a PID that the Server does not have. Either import any keys provided by the OEM or other provider, or manually enter the PID PPS under the 'Security Keys' section of the Provisioning Altiris Console.

  2. If no entry appears for the system, place Wireshark on both the AMT client and the Server. Now initiate a restart of the 'Hello' packet sequence by turning the AMT client off and unplugging it from power. Drain the capacitors by pressing the power button while unplugged. Generally the power LED will light for a moment before fading dark. Plug the system back in. Does the Server show hello packets (sending on port 16994, with destination port 9971) coming in from the system?

  3. If the server doesn't show any incoming 'Hello' requests, fire up Wireshark on the local system to check whether any 'Hello' packets are heading out. If they are actively leaving, something is blocking the traffic from reaching the Notification Server. These ports are standard TCP calls. See the next section labeled 'Provision Server'.

  4. If no 'Hello' packets are being sent, the system may be in a non-Setup State. At the AMT system, access the Intel MEBx by pressing Ctrl+P at startup. Is the password the one that was set during Setup Mode, or will it only accept Admin? If none of the valid passwords work, this machine may be in an unworkable state. Unplug the CMOS battery for 15 seconds to put the machine back in Factory Default Mode, and set it up as necessary.

Provision Server

With Wireshark we can prove a system is sending 'Hello' packets out on the wire. The destination is an important distinction, as usually this will be simply the name ProvisionServer. By default, Remote Configuration and TLS-PSK will target the simple name ProvisionServer. It's up to the administrator to properly direct that Hello packet to the Notification Server.

 

  1. If you ping ProvisionServer from a command prompt, do you get the IP Address of the Notification Server? A CNAME record needs to be created in DNS to correctly direct the hello packets. Check page 21 of the Admin guide located at this KB article: for more information.

  2. Another place you can test the DNS functionality is under Provisioning in the Altiris Console. Select the 'DNS Configuration' node. Click the 'Test' button to initiate the test. A correct IP Address signifies that DNS is working correctly from the Notification Server. The ping test is still important to confirm that the client can also resolve the name.

 

 

  3. If the network cannot support this CNAME, only two methods remain. You can set the Provision Server IP in the MEBx directly. You can also use the RCT tool to simulate the Hello packet and send it to the NS directly (see the previous link to the article on RCT usage).
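The 'System Missing' walk-through and the ProvisionServer name check above, condensed into one decision routine. This is an added example and not code from the original article: it takes constructed stand-ins for the AMT Log, the client-side and server-side Wireshark captures, and the Notification Server address, and returns which step the fault points to. The ports and the 'failed to find PID mapping' text come from the article; the Packet layout, the log line format and the diagnosis code names are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Values taken from the walk-through above.
HELLO_SRC_PORT = 16994                              # port the AMT client sends Hello packets from
HELLO_DST_PORT = 9971                               # destination port on the Provisioning Server
PID_MAPPING_ERROR = "failed to find pid mapping"    # AMT Log text the article cites

# Diagnosis codes (assumed names) returned by diagnose_missing_system(), each
# paired with the article's advice for that step.
ADVICE = {
    "PID_MAPPING_MISSING": "Import the OEM keys or enter the PID/PPS under Security Keys.",
    "CHECK_AMT_LOG": "SCS sees this UUID; read its AMT Log entries for the failing step.",
    "SERVER_SIDE": "Hello packets reach the server but SCS logs nothing; check AMTConfig and OOB trace logging.",
    "DNS_CNAME": "Hello packets leave the client but target the wrong host; ProvisionServer needs a CNAME "
                 "to the Notification Server (or set the IP in the MEBx).",
    "NETWORK_BLOCKED": "Hello packets leave the client addressed to the Notification Server but never arrive; "
                       "something on the path blocks TCP 9971.",
    "NOT_IN_SETUP_MODE": "No Hello packets at all; check Setup Mode in the MEBx (Ctrl+P), "
                         "resetting to factory default if no password works.",
}


@dataclass(frozen=True)
class Packet:
    """One captured TCP segment (assumed layout; a tshark export of ip.src,
    ip.dst, tcp.srcport and tcp.dstport maps onto it directly)."""
    src: str
    dst: str
    src_port: int
    dst_port: int


def hello_packets(capture: Iterable[Packet], client_ip: Optional[str] = None) -> list:
    """Keep only Hello packets, recognised by the port pair the article gives,
    optionally restricted to one client address."""
    return [
        p for p in capture
        if p.src_port == HELLO_SRC_PORT and p.dst_port == HELLO_DST_PORT
        and (client_ip is None or p.src == client_ip)
    ]


def log_lines_for(amt_log: Iterable[str], uuid: str) -> list:
    """AMT Log entries identify the system by UUID; match case-insensitively."""
    needle = uuid.lower()
    return [line for line in amt_log if needle in line.lower()]


def diagnose_missing_system(uuid, client_ip, amt_log, client_capture, server_capture, ns_ip) -> str:
    """Walk the four 'Is the system sending Hello packets?' steps plus the
    ProvisionServer destination check; return a code from ADVICE."""
    # Step 1: is the system already in the AMT Log, and does it fail on PID mapping?
    entries = log_lines_for(amt_log, uuid)
    if any(PID_MAPPING_ERROR in line.lower() for line in entries):
        return "PID_MAPPING_MISSING"
    if entries:
        return "CHECK_AMT_LOG"
    # Step 2: does the capture taken on the server show Hello packets from this client?
    if hello_packets(server_capture, client_ip):
        return "SERVER_SIDE"
    # Step 3: does the capture taken on the client show Hello packets leaving at all?
    outbound = hello_packets(client_capture, client_ip)
    if outbound:
        # The packet's destination is what 'ProvisionServer' resolved to on the
        # client; it must be the Notification Server (the article's ping test).
        if all(p.dst == ns_ip for p in outbound):
            return "NETWORK_BLOCKED"
        return "DNS_CNAME"
    # Step 4: nothing leaves the client, so it is not in Setup Mode.
    return "NOT_IN_SETUP_MODE"


# Constructed sample data: a client that sends Hello packets to the right
# address, but whose packets never show up in the capture on the server.
SAMPLE_UUID = "4C4C4544-0031-4B10-8052-B7C04F4C3258"   # made-up UUID
SAMPLE_CLIENT_IP = "10.0.0.50"
SAMPLE_NS_IP = "10.0.0.10"
SAMPLE_AMT_LOG = [   # constructed log lines in an assumed format
    "2008-03-14 09:58:02 Info    AMTConfig service started",
    "2008-03-14 10:02:11 Warning 00000000-1111-2222-3333-444444444444 failed to find PID mapping",
]
SAMPLE_CLIENT_CAPTURE = [
    Packet(SAMPLE_CLIENT_IP, SAMPLE_NS_IP, 16994, 9971),   # the Hello packet
    Packet(SAMPLE_CLIENT_IP, "10.0.0.20", 49152, 80),      # unrelated web traffic
]
SAMPLE_SERVER_CAPTURE = [
    Packet("10.0.0.77", SAMPLE_NS_IP, 49311, 80),          # console traffic from another host
]


def demo() -> str:
    """Run the sample through the walk-through and return the diagnosis code."""
    code = diagnose_missing_system(SAMPLE_UUID, SAMPLE_CLIENT_IP, SAMPLE_AMT_LOG,
                                   SAMPLE_CLIENT_CAPTURE, SAMPLE_SERVER_CAPTURE, SAMPLE_NS_IP)
    print(f"{code}: {ADVICE[code]}")
    return code


if __name__ == "__main__":
    demo()
```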

Conclusion

Part 2 of this series covers the Server components for Provisioning. If you've read all the symptoms and suggestions, you'll note that there is crossover when troubleshooting between the client and the server, regardless of where the problem lies. See Part 2 for the continuation of Provisioning Troubleshooting.

 

Troubleshooting issues with the Intel® AMT Provisioning process can be a daunting prospect.  This series walks through the troubleshooting methods to pinpoint where problems originate and how to fix them.  Use Part 1 to troubleshoot the AMT systems when provisioning is not occurring.  If the issue is on the client side, this document should provide the tools to diagnose and fix the issue.

 

Introduction

 

There are several modes a vPro capable system can be in when it arrives at the customer site.  The modes are:

 

  1. AMT disabled

  2. AMT enabled, not in Setup Mode (factory default)

  3. AMT enabled, not in Setup Mode (Password has been changed in the MEBx)

  4. AMT enabled, in Setup Mode for TLS-PSK

  5. AMT enabled, in Setup Mode for Remote Configuration

  6. 4 and 5 in ‘Hello' Packet Mode disabled

 

Each of the modes have their own quirks, and understanding the modes will help determine what state a system is in, and how to change a system from one state to another.

 

Versioning

 

It is important to understand the different versions of not only the local AMT build, but of Altiris' Out of Band Management with the Intel SCS Component.  See the following table:

 

OOBM

Intel SCS

AMT

6.1

1.2

2.0

2.1

1.3

2.0

2.1

6.2

3.0

2.0

2.1

2.5

3.0

3.2.1

2.0

2.1

2.2

2.5

2.6

3.0

 

Note the following points when working with the different versions:

 

  • Versions 2.0, 2.1, 2.5 do not support Remote Configuration

  • Versions 2.5 and 2.6 are notebooks

  • Versions 2.2 and 2.6 are upgrades to versions 2.0, 2.1 and 2.5 respectively and provide the additional functionality of using Remote Configuration for Provisioning

  • Intel SCS version 1.2 was unstable.  It's recommended to upgrade to 1.3 or upgrade OOB to 6.2.

  • Versions 2.2 and 2.6 are not supported for Remote Configuration unless Intel SCS is upgraded to version 3.2.1.  Check the following KB articles for more information:

AMT Setup

 

Each mode for AMT sets the system in a specific state.  See the brief descriptions below of how AMT acts in each state:

 

  1. AMT disabled - In this situation AMT must be enabled either manually by looking into the Intel MEBx (Ctrl+P at startup) or by using the RCT Tool.  The following article covers the use of this tool, including data on the command-line switch that can be used to enable AMT:

  2. AMT enabled, not in Setup Mode (factory default) - This is the required mode to use USB One-Touch for provisioning.  If a user or the OEM has logged into the MEBx and changed the password, the system is no longer in factory default and the One Touch method will not work.

  3. AMT enabled, not in Setup Mode (Password has been changed in the MEBx) - One Touch will not work, but manually entering the PSK or setting into Remote Configuration mode will allow the system to enter Setup Mode.

  4. AMT enabled, in Setup Mode for TLS-PSK - All Provisioning is encrypted using TLS, however the inner security workings can differ.  For Pre-shared Key (known as PID PPS) a public and private key are used.  The manufacturer can set a specific PID PPS on the system or a user can auto-generate them.  The key is that both the client and server have to have the key in order for authentication to work.

  5. AMT enabled, in Setup Mode for Remote Configuration - All 2.2, 2.6, and 3.0 version AMT systems come in this mode unless the OEM is explicitly instructed to set it differently.  The point of Remote Configuration is to avoid visiting the AMT system in order to get it provisioned for manageability use.

  6. Modes 4 and 5 in ‘Hello' Packet Mode disabled - This is common if the system is not immediately hooked up to the production network.  All systems will fall into this state if they transmit the ‘hello' packet for 24 hours.

Troubleshooting Tools

 

Before we get into the actual symptoms, we'll cover the tools used to determine where the problem is coming from.  While not easy to use, the logging capabilities allow us to verify if the correct processes are functioning on the local system.

 

AMT Logs

 

The Altiris Console has direct ties into the AMT Logs captured in the IntelAMT database as a normal part of operation.  The Logging level is set in the Altiris Console under View &gt; Solutions &gt; Out of Band Management &gt; Configuration &gt; Provisioning &gt; Configuration Service Settings &gt; and select General.  Debug Warning is recommended so you get both Errors and Warnings.

 

 

The logs are accessed from Provisioning &gt; Logs &gt; and select ‘Log'.  Entries here will reveal problems during the provisioning process and other Intel SCS functions.

 

 

 

OOB Trace Logging

 

Out of Band Management has the ability to log trace details to a debugging program.  See the following KB article on details on how to set this up:

 

 

Trace logging will log everything from console accesses, to oobprov.exe calls from IntelSCS.  When oobprov.exe is called, all actions are logged to trace, which can capture problems with the provisioning process.

 

Wireshark

 

While the two above tools are distinctly for Out of Band Provisioning, Wireshark tells the whole story of what is coming and going across the wire.  It's important to know what the AMT clients are sending, especially in the ‘Hello' packet, and what the server is responding with.

 

 

Wireshark can be obtained from: http://www.wireshark.org/. While this is the recommended tool, any network trace capture program can be used to examine the network traffic between the AMT client and the Provisioning Server.

 

Altiris Knowledgebase

 

All known errors and issues we've run across have been documented in the Altiris Knowledgebase.  If you have a specific error, search the KB to see whether there is a documented fix for it.  Access it directly here:

Symptoms

 

The following symptoms point to problems with the local AMT system or its ability to communicate to the Provisioning Server so that Provisioning can occur.

 

System Missing

 

A common symptom on new AMT client systems is that the system, even though it is believed to be in Setup Mode, does not show up in the Altiris Console under Intel® AMT Systems.  The causes vary, but the following methodology should help pinpoint where the problem originates.

 

 

Is the system sending ‘Hello' packets?  Walk through this procedure to determine if it is or not:

 

  1. Does the AMT log contain entries for the system requesting provisioning?  The identifier in the logs is the UUID.  One example of an error that would prevent a system from showing up is 'failed to find PID mapping', meaning the requesting system is trying to authenticate with a PID that the server does not have.  Either import the keys provided by the OEM or other provider, or manually enter the PID and PPS under the 'Security Keys' section of Provisioning in the Altiris Console.

  2. If no entry appears for the system, run Wireshark on both the AMT client and the server.  Then restart the 'Hello' packet sequence by powering the AMT client off and unplugging it from power.  Drain the capacitors by pressing the power button while it is unplugged; generally the power LED lights for a moment before fading.  Plug the system back in.  Does the server show 'Hello' packets (sent from port 16994 to destination port 9971) coming in from the system?

  3. If the server shows no incoming 'Hello' requests, run Wireshark on the local system to see whether any 'Hello' packets are leaving it.  If they are, something between the client and the Notification Server is blocking the traffic.  The 'Hello' packet is an ordinary TCP connection, so check firewalls and ACLs on that path.  See the next section, 'Provision Server'.

  4. If no 'Hello' packets are being sent, the system may not be in Setup Mode.  At the AMT system, enter the Intel MEBx by pressing Ctrl+P at startup.  Does it accept the password that was set during Setup Mode, or only the default 'admin'?  If no valid password works, the machine may be in an unworkable state.  Remove the CMOS battery for 15 seconds to return the machine to Factory Default Mode, then set it up again as necessary.

Provision Server

 

With Wireshark we can prove a system is sending 'Hello' packets out on the wire.  The destination is an important distinction, since usually it is simply the name ProvisionServer.  By default, Remote Configuration and TLS-PSK target the simple name ProvisionServer, and it is up to the administrator to direct that 'Hello' packet to the Notification Server.

 

  1. If you ping ProvisionServer from a command prompt, do you get the IP address of the Notification Server?  A CNAME record must be created in DNS to direct the 'Hello' packets correctly.  See page 21 of the Admin Guide, located at this KB article: https://kb.altiris.com/article.asp?article=38157&p=1 for more information.

  2. Another place to test DNS is under Provisioning in the Altiris Console.  Select the 'DNS Configuration' node and click the 'Test' button.  A correct IP address signifies that DNS works from the Notification Server.  The ping test is still important to confirm that the client can also resolve the name.

  3. If the network cannot support this CNAME, only two methods remain.  You can set the Provision Server IP address directly in the MEBx, or you can use the RCT tool to simulate the 'Hello' packet and send it to the Notification Server directly (see the earlier link to the article on RCT usage).
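As an added example (mine, not code from the original post or from the Altiris or Intel tooling), the following Python script carries out the checks from steps 1 and 3 of the two lists above in one go: it resolves ProvisionServer the way the client's OS would, compares the answer with the Notification Server IP you pass in (an assumption the caller supplies), and then attempts a TCP connection to port 9971, the Hello packet's destination port. The resolve and connect hooks are parameters so the decision logic can be exercised without a live network.

```python
import socket

# Values taken from the post: AMT clients send the Hello packet to the
# name "ProvisionServer" on TCP port 9971.
PROVISION_NAME = "ProvisionServer"
HELLO_PORT = 9971


def resolve_name(name):
    """Resolve name the way the client's OS resolver would; returns (canonical, [ips])."""
    canonical, _aliases, ips = socket.gethostbyname_ex(name)
    return canonical, ips


def tcp_reachable(ip, port, timeout=3.0):
    """True if a TCP handshake to ip:port completes, i.e. nothing on the path drops it."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_provision_server(expected_ns_ip, name=PROVISION_NAME, port=HELLO_PORT,
                           resolve=resolve_name, connect=tcp_reachable):
    """Reproduce the ping/CNAME check and add a port check; returns a findings dict.

    expected_ns_ip is supplied by the caller (an assumption of this example): the
    IP of the Notification Server that the CNAME is supposed to point at.
    resolve/connect can be swapped for fakes, which is how the logic is tested.
    """
    f = {"resolves": False, "canonical": None, "addresses": [],
         "points_at_ns": False, "port_open": False, "verdict": ""}
    try:
        canonical, ips = resolve(name)
    except OSError as err:
        f["verdict"] = f"{name} does not resolve ({err}): create the CNAME to the Notification Server"
        return f
    f.update(resolves=True, canonical=canonical, addresses=ips)

    if expected_ns_ip not in ips:
        # Name exists but points elsewhere: stale record, or a CNAME to the wrong host.
        f["verdict"] = (f"{name} resolves to {ips} (canonical {canonical}), not the "
                        f"Notification Server {expected_ns_ip}: fix the DNS record")
        return f
    f["points_at_ns"] = True

    if not connect(expected_ns_ip, port):
        # DNS is right, so the Hello packet goes to the right place and is dropped
        # on the way: look at firewalls/ACLs, or whether SCS is listening at all.
        f["verdict"] = (f"DNS is correct but TCP {port} on {expected_ns_ip} is not reachable: "
                        f"something between client and server blocks the Hello packet")
        return f
    f["port_open"] = True
    f["verdict"] = f"ok: Hello packets sent to {name} reach {expected_ns_ip}:{port}"
    return f


if __name__ == "__main__":
    import sys
    # Usage: python check_provision_server.py <notification-server-ip>
    print(check_provision_server(sys.argv[1])["verdict"])
```

Run it from the OS on an AMT client that is on the same network segment as the firmware. Note that the Management Engine does its own name lookup with the DNS settings it receives from DHCP, so a pass here is strong evidence, not proof, that the firmware resolves the name the same way; Wireshark on the server remains the final word on whether the Hello packet arrives.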

Conclusion

 

Part 2 of this series covers the Server components for Provisioning.  If you've read all the symptoms and suggestions, you'll note that there is crossover when troubleshooting between the client and the server, regardless of where the problem lies.  See Part 2 for the continuation of Provisioning Troubleshooting.

 

 

10:30am  Russ & I are talking with Tim the Tool guy about vPro Tools.

 

Call-in Number:  (347) 326-9831 

 

http://www.blogtalkradio.com/openport/2008/03/11/vPro-Expert-Center-On-The-Air-vPro-Tools

 

Listen in & chat with us online.

The Brand Promise Validation team here at Intel came across an issue in the lab that many customers may also run into when deploying AMT. The question was: how do I use two different ISVs to manage different aspects of my Enterprise-configured AMT client fleet? In theory this isn't necessarily a tough question. Based on how AMT was designed, as long as the same authentication and credentials are set up in the different management applications, each of them should be able to access the AMT features. In practice, however, many management applications configure AMT so that they have sole access, by customizing the provisioning settings and then hiding those settings away.

 

However, as I'm about to describe, with a little tweaking, you can force these applications to play nice together.

 

 

The main thing to remember any time you set up AMT in Enterprise mode is that the key to accessing AMT is having the correct certificates in place. For access, that means a Web Server based certificate template that will be used for TLS communication between the console and AMT. If you are also using PKI provisioning, you need a properly configured or purchased provisioning certificate (I won't cover the details of PKI provisioning in this blog, but maybe in a future update). Lastly, for SMS and Altiris you also need a .PEM certificate file. Details on how to create it are included in both the Altiris help and the Intel AMT Add-on for SMS documentation. In short, a .PEM file is made by taking each certificate in the chain, starting at the top, and concatenating those certificates into a single file. This file is used for secure TLS communication during SOL sessions.
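To make the .PEM description concrete, here is an added Python example (mine, not code from Altiris, Intel or the SMS add-on) that builds the file from the individual certificates and refuses the inputs that commonly get pasted in by mistake: a private key, a duplicate, or a file holding more than one block. It assumes you pass the certificates top of the chain first, as described above; the exact order the consoles expect is in the Altiris and Intel AMT Add-on for SMS documentation referred to in the text. The placeholder blocks produced by make_fake_pem are constructed for the demonstration and are not real certificates, and the script does not verify the signatures between the certificates.

```python
import base64
import re

# One PEM block: label in the BEGIN/END lines, base64 body in between.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def parse_pem(text):
    """Return [(label, base64_body_without_whitespace), ...] for each PEM block in text."""
    return [(m.group(1), "".join(m.group(2).split())) for m in PEM_BLOCK.finditer(text)]


def build_pem_chain(cert_texts):
    """Concatenate one certificate per input into a single PEM file, in the order
    given (top of the chain first). Raises ValueError on anything that should
    never end up in a trust file."""
    seen = set()
    out = []
    for i, text in enumerate(cert_texts):
        blocks = parse_pem(text)
        if len(blocks) != 1:
            raise ValueError(f"input {i}: expected exactly one PEM block, found {len(blocks)}")
        label, body = blocks[0]
        if label != "CERTIFICATE":
            # A private key pasted into the CA file is the classic mistake; refuse it.
            raise ValueError(f"input {i}: refusing non-certificate block '{label}'")
        if not body:
            raise ValueError(f"input {i}: empty certificate body")
        try:
            base64.b64decode(body, validate=True)   # binascii.Error is a ValueError
        except ValueError:
            raise ValueError(f"input {i}: certificate body is not valid base64")
        if body in seen:
            raise ValueError(f"input {i}: duplicate certificate")
        seen.add(body)
        # Re-emit in canonical 64-column PEM layout so the consoles parse it cleanly.
        lines = [body[j:j + 64] for j in range(0, len(body), 64)]
        out.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                   + "\n-----END CERTIFICATE-----\n")
    if not out:
        raise ValueError("no certificates given")
    return "".join(out)


def make_fake_pem(label, payload):
    """Constructed placeholder block for demonstration only; payload is NOT a real certificate."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


if __name__ == "__main__":
    root = make_fake_pem("CERTIFICATE", b"root-ca-placeholder")
    issuing = make_fake_pem("CERTIFICATE", b"issuing-ca-placeholder")
    print(build_pem_chain([root, issuing]))
```

In real use, read each exported certificate file (Base-64 encoded X.509) into a string and pass the list to build_pem_chain; write the result to the path you then give to both consoles so they trust the same chain.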

 

 

 

The two management applications we targeted for implementation were Altiris and SMS with the Intel AMT Add-on for SMS. We chose these applications because we have intimate knowledge of them, since they are used in our validation efforts, and both use the Intel SCS for provisioning.

 

 

 

Both the Altiris and SMS systems should be in the same domain, use the same certificate authority and have the same root certificate installed. While it is definitely feasible to have the two management applications in different child domains using wildcard certificates for authentication, this article doesn't cover that configuration.

 

 

 

I'm not going to go into the details of setting up Altiris and SMS or of configuring SCS for provisioning: if you are attempting to merge these ISVs so that both can manage AMT clients, it is assumed you already know how to get each application working with AMT on its own.

 

 

 

I started off by getting Altiris setup and configured using the built in SCS included in the OOB Management solution for Altiris. At this point I didn't have to do anything special in order to make sure that the SMS Add-on would work, I just setup Altiris as normal to manage AMT clients. Once setup, I verified that I could provision and manage my AMT clients.

 

 

 

Next step, on a different machine, I set up and configured SMS with the Intel AMT Add-on for SMS. I configured SMS to use its own SQL server; however, there is no reason you couldn't have it use the Altiris SQL server (in a separate instance) or a stand-alone SQL server (again in a separate instance). For ease of configuration I just used a separate SQL install on the same machine as SMS.

 

 

 

Once you have the SMSAMTUser_<sitecode> account created in Active Directory, and have added that account (plus whatever user accounts will use AMT via SMS) to the Intel(R) AMT groups (there are 3-5 of them depending on the version of the AMT Add-on you are using), you need to add SMSAMTUser_<sitecode> to the Altiris SCS users list. On the Altiris system:

  1. Go to View -> Configuration -> Solution Settings -> Platform Administration -> Out of Band Management -> Provisioning -> Configuration Service Settings -> Users.
  2. Click the blue + to add a new user, then click the ... button.
  3. Select the domain, type SMSAMTUser in the name query field and click Find.
  4. Select the SMSAMTUser_<sitecode> account in the results and click OK.
  5. Under Role make sure Enterprise Administrator is selected, then click OK.

This gives the service account for the Intel(R) AMT Add-on for SMS rights to view and modify the Altiris SCS.

 

 

 

On the SMS system, open the Intel Add-on Settings dialog and configure it to use the Altiris Setup and Configuration Server. To find the URL that Altiris uses to connect to the SCS, on the Altiris machine go to:

View -> Configuration -> Solution Settings -> Platform Administration -> Out of Band Management -> Provisioning -> Configuration Service Settings -> Service Location.

If you have the default URL set, you should see something like <fqdn>/AMTSCS. If you are using an alternative URL, copy that down instead. On the SMS machine, open the Intel Add-on Settings and go to the Setup and Configuration tab. Select the Integrated Setup and Configuration radio button and type the URL you copied into the SCS Service URL box. Click the Set Profiles button, and the AMT profiles set up in Altiris should appear in a new window. Select the profiles you want to use in SMS (select all of them if every profile should be manageable from SMS) and click OK. The list of supported profiles should now be populated with the profiles set up in Altiris.

 

 

 

Next step is to set up the .PEM certificate file that was used in Altiris for the Intel AMT Add-on for SMS. Copy the .PEM file used in Altiris to the SMS system. If you don't know where your .PEM file is located in Altiris, go to:

View -> Configuration -> Solution Settings -> Real-Time Console Infrastructure -> Configuration.

 

 

 

Click on the Intel(R) AMT Connection Settings tab. Under Redirection Security you should see a box next to Trusted CA certificate location; that box holds the path to the .PEM file. Once you have copied that file to your SMS system (it doesn't matter where you put the .PEM file on the SMS box, as long as you remember where), open the Intel Add-on Settings dialog and click the Security tab. Check the Enable Intel(R) AMT Secure Connection (TLS) box. In CA Certificate Path, enter the path to the .PEM file you copied onto the SMS system. Click Apply.

 

 

 

That is the basics of what needs to be done. Once you have discovered the AMT clients in SMS and they are populated in the collection, right-click All Systems and go to All Tasks -> Intel(R) AMT Tasks -> Discover Systems. Now when you right-click an AMT system and go to All Tasks -> Intel(R) AMT Tasks, you should see the list of AMT functions you can perform, such as Asset Identification Information, Power Control Operations, etc.

 

 

 

In order to get SOL/IDE-R and System Defense to work, you need to go into the Intel(R) Add-on Settings in SMS again and set the location of the ISO images used for IDE-R and of the System Defense file used to filter packets with Circuit Breaker. Creating the System Defense file is covered in the Intel(R) AMT Add-on for SMS documentation and will not be explained in detail here. The repository for the ISO images needs to be a network share; it can reside locally on the SMS system (still referenced through the network share path) or in a central repository. If you want both Altiris and SMS to use the same set of images, just use the same network path to the ISO images in both applications.

 

 

 

That's it. In my environment I'm able to manage AMT machines with either management application. The only slight gotcha (and this is more a security feature of AMT) is that if one management application is currently managing a client (ex. using SoL) then the other is unable to break in and use the client. The gotcha part of this is that neither management application gives a clear indication that the system is currently in use by another management application, the attempt to manage just fails with an authentication error.

 

 

Today we offer the USB Key Provisioning Utility (UKPU), focused on one-touch provisioning, and the Intel® AMT Reflector, a unique implementation that lets an Intel® AMT client access/manage some Intel® AMT functionality locally from the OS without entering the Management Engine directly (usually via the BIOS).

 

Click here to learn more about Intel® AMT Reflector or here to download directly.

 

Click here to learn more about USB Key Provisioning Utility (UKPU) or here to download it directly. 

 

Tell us what you think!

DOPD SW Engineering Team

If you want to upgrade your Centrino Pro laptop from AMT 2.5 to 2.6 to take advantage of Remote Configuration (RCFG, AKA "Zero Touch"), it can be done, but there are a few gotchas you need to be aware of:

 

First, the basics: there are two independent firmware components at play. The ME firmware is the actual AMT embedded software, and the MEBx is a BIOS extension that provides the interface to configure AMT.

 

Once you have upgraded the AMT ME firmware to 2.6 (downloaded from the Intel web site), your MEBx remains at the previous version (i.e. 2.5). So when you go to the MEBx screen (Ctrl-P), the version shown at the top right of the screen is the MEBx version, not the AMT version. Many people are confused by this and think it is the AMT version, which it is not. To see the actual AMT version, either run MEInfo (a tool included with the firmware download) or simply log in to AMT through the web UI.

 

Here is the complication: the MEBx, being the older version, does not expose 2.6 features (such as managing certificate hashes), so how can you provision the system with RCFG? As it turns out, when you un-provision the client, AMT goes to a default state that is 'ready for RCFG'. Since it has the built-in certificate hashes, it can be provisioned with one of them. But since MEBx 2.5 does not provide access to certificate management, you cannot add your own certificate hashes.

 

 

This complication stems from the fact that OEMs have not yet posted release 2.6. Usually an OEM firmware release includes both the MEBx and the AMT firmware as one package. When you download AMT from the Intel web site, you get only the AMT firmware (the MEBx is vendor specific). Once OEMs post 2.6 on their websites, the MEBx and AMT firmware will match and there will be no confusion.

 

 

Happy upgrade!

--Noah Inbar

 

 
