There are several ways to configure an Intel® vPro™ machine, and the most popular among corporate customers is the Zero Touch configuration method, which is based on PKI. You must issue a certificate for the provisioning server in order to establish a trust relationship between the provisioning server and the ME. VeriSign is one company that can provide such a certificate.

 

Since the launch of Intel® vPro™ in 2006, VeriSign has made some changes to their products. Rather than issuing certificates from the G1 and G3 roots in their Secure Site (Standard SSL) and Secure Site Pro (Premium SSL) SKUs, these products now issue certificates chained to different roots. Unfortunately, Intel ME is firmware, and updating its list of trusted root certificate authorities is not as easy as it is in an operating system: updating this list in the Intel ME requires a firmware upgrade.

 

If you have different Intel® vPro™ generations in your environment, you are most likely looking for a solution that uses the least common denominator, as shown in this table:

Firmware version    VeriSign root hashes in firmware
2.x                 G1 and G3
2.6.20              G1, G2 and G3
3.x                 G1 and G3
3.2.10              G1, G2 and G3
4.x                 G1 and G3
4.2.x               G1, G2 and G3
5.x                 G1 and G3
5.1.10              G1, G2 and G3
2.6.40              G1, G2, G3 and G5
4.2.30              G1, G2, G3 and G5
5.2.30              G1, G2, G3 and G5
6.x                 G1, G2 and G3
6.1                 G1, G2, G3 and G5
7.x                 G1, G2, G3 and G5

As you can see, the latest version of each firmware generation ships with the complete list of trusted roots.

 

However, a problem occurs if you have multiple vPro versions but can only use one certificate for the provisioning server (and can no longer obtain a certificate issued from G1 or G3). Fortunately, in order to avoid interoperability issues with legacy browsers, VeriSign cross-signs the VeriSign Class 3 PPCA-G5 root with the Class 3 PPCA (G1.3) root. This is the Secure Site Pro product, and the cross certificate it creates is shown in this diagram:

[Diagram: TrustedChain-Certificate.jpg]

OpenSSL-based libraries usually consume the trust chain as a PEM file in order to validate the certificate, and we can statically define which trusted certificates go into that chain. Microsoft provides wrapper code to build this PEM list of certificates, and in this particular case Windows has three possible root certificates to choose from. All three are equally valid, and Windows builds the trusted chain using the shortest one, i.e. ending at the VeriSign "G5" Class 3 PCA Root or the VeriSign "G1.5" Class 3 PCA Root, neither of which is present in some older ME firmware. When you install the certificate without any modification, you see the root certificate VeriSign "G5" Class 3 PCA Root, as shown here:

[Screenshot: G5-Certificatechain.png]

 

In order to force Windows to build the trusted chain up to VeriSign Class 3 Primary CA - G1, we have to remove VeriSign "G5" Class 3 PCA Root and VeriSign "G1.5" Class 3 PCA Root from the Trusted Root Certification Authorities folder (or at least disable Client Authentication and Server Authentication in the purpose list of these two certificates).

[Screenshot: MMCView.PNG]

 

Without these two certificates, the only valid chain is the one ending at VeriSign Class 3 Primary CA - G1. That root is present in every ME firmware version since the first, i.e. 2.0 through 7.1, as shown below:

[Screenshot: G1-Certificatechain.png]
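To check which root Windows actually chains the provisioning certificate to (run it before and after removing the G5 and G1.5 roots), here is an added PowerShell check that is not part of the original article. It assumes the certificate is in the machine's Personal store and that "<THUMBPRINT>" is a placeholder for its thumbprint.

```powershell
# Added example (not from the original article): show the chain Windows builds for
# the provisioning certificate and which root it ends at. '<THUMBPRINT>' is a
# placeholder for the provisioning certificate's thumbprint.
$thumbprint = '<THUMBPRINT>'

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $thumbprint in Cert:\LocalMachine\My" }

# Build the chain the way schannel does for a TLS server certificate: with the
# Server Authentication application policy (OID 1.3.6.1.5.5.7.3.1). A root whose
# Server Authentication purpose was disabled in MMC is not used by this build,
# which is exactly what the procedure above relies on.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$serverAuth = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.1'
[void]$chain.ChainPolicy.ApplicationPolicy.Add($serverAuth)
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only; revocation is not the question here
$built = $chain.Build($cert)

Write-Host "Chain built successfully: $built"
$chain.ChainElements | ForEach-Object {
    Write-Host ('  {0}  [{1}]' -f $_.Certificate.Subject, $_.Certificate.Thumbprint)
}
if ($chain.ChainElements.Count -gt 0) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Host "Chain terminates at: $($root.Subject)"
} else {
    Write-Warning 'No chain could be built; check the Root store and the chain status below.'
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
}

# Every VeriSign Class 3 root currently in the machine Root store, so the G5 and
# G1.5 entries can be identified by subject and thumbprint before removing them.
Write-Host "`nVeriSign Class 3 roots in Cert:\LocalMachine\Root:"
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*VeriSign*' -and $_.Subject -like '*Class 3*' } |
    ForEach-Object {
        Write-Host ('  {0}  [{1}]  expires {2}' -f $_.Subject, $_.Thumbprint, $_.NotAfter.ToShortDateString())
    }
```

Once the G5 and G1.5 roots are removed or their purposes disabled, the last subject printed for the chain should be the Class 3 Public Primary CA (G1) that every ME version trusts.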

Now you don't have to be concerned about these VeriSign certificate issues across your Intel vPro versions: just follow the instructions presented in this document and have yourself a happy vPro configuration.

In summary: Intel AMT remote configuration and strong private key protection are not compatible, as explained below.

 

Intel AMT Remote Configuration authenticates the configuration server to the firmware for the initial Intel AMT configuration event. Remote configuration of the Intel AMT firmware into Admin Control Mode is typically done with a certificate that is valid for the environment.

 

More information on the remote configuration process is available at https://community.mcafee.com/docs/DOC-2225

 

The authentication process should complete without user interaction. If the requesting application (e.g. Intel SCS) is prompted every time the private key is accessed, that autonomy is lost.

 

When importing the certificate on the target server, if the Strong Key Protection option is selected and greyed out, a conflicting cryptography group policy has been applied to the server.

[Screenshot: CertImport-PrivateKeyProtect.png]

 

If you missed the first prompt, the prompt shown below is another clear indication that the conflicting group policy is in effect.

[Screenshot: CertImport-PrivateKeyProtect prompt.png]


Changing the group policy setting on the server removes this barrier.

In the example below, the incorrect or conflicting setting is shown.

[Screenshot: GPO_crypto.png]

Change the System Cryptography policy to "User input is not required when new keys are stored and used".

[Screenshot: GPO_crypto_correct.png]


 

Intel® vPro™ technology with Intel® Advanced Management Technology (Intel® AMT) provides a way to power remote client computers on or off. A new solution blueprint explains how to extend that capability to include graceful shutdowns to power states other than off, and how to create alarm clock events that run on Intel AMT itself, which you can use to ensure machines are powered on in preparation for scheduled maintenance events. It also discusses a tool to automatically schedule alarm clock events using the management console.

 

Download the solution blueprint here.

Intel AMT, Anti-Theft Technology, and other solutions interfacing with the Management Engine in the chipset commonly use a kernel level driver.   Formerly called the HECI (Hardware Embedded Controller Interface), the driver is known by and commonly called the MEI (Management Engine Interface).

 

If you are using an OEM-provided base operating system install, you likely have the MEI driver already. However, it is more likely that you have reinstalled or re-imaged the system with a corporate image. If you see a missing-driver prompt for "PCI Simple Communications Controller", the MEI driver is missing from the system.

 

Shown below is a screenshot of the Device Manager with an "Other device" missing a device driver.

[Screenshot: Missing MEI.png]

 

There are two main ways to get the driver installed. The best option is to avoid the drivers provided by Microsoft Windows Update and use the OEM-provided drivers.

 

Option 1 - For 2010 and newer platforms, a base MEI driver is provided via Microsoft Windows Update, similar to the example shown below.

     Note: There are specific caveats with this approach, as listed below.

[Screenshot: MEI - Windows Update.png]

 

Three key caveats with option 1:

  1. An incorrect driver version was released earlier in 2011. If your platform shows the MEI driver installed but without the expected functionality, check the driver version. If the MEI driver version is 1.x (as in the example below) or possibly 9.x, this is the incorrect driver. Remove it from the platform and try Windows Update again. (The incorrect driver has since been pulled from Windows Update.)
     [Screenshot: Bad MEI 2010 platform- Windows Update.png]
  2. Only 2010 or newer platforms are supported for download and installation of the MEI driver via Microsoft Windows Update. For older platforms, or where Windows Update is not accessible, see the second option below.
  3. Only a basic version of the driver is provided. Solutions such as Intel® Anti-Theft Technology require the complete MEI driver from the OEM or Intel.

 

Option 2 - Most preferred. Download and install the MEI driver from the OEM website. The example below is from HP.com; for those familiar with HP SSM, notice that this driver is SSM compliant.

[Screenshot: OEM provided.png]

 

For large-scale or scripted installations, extract the files from the OEM-provided package and run "setup.exe /s" from the software delivery script.

 

When the MEI driver is successfully installed and functional, it will look similar to the following Device Manager example:

[Screenshot: MEI correct.png]
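To turn the checks above into something a deployment script can run on each client, here is an added PowerShell function that is not part of the original post. It assumes WMI access to the client and uses the placeholder path C:\Deploy\MEI\setup.exe for the extracted OEM package.

```powershell
# Added example (not from the original post): detect the missing-driver and
# wrong-version conditions described above, then optionally run the silent
# OEM installer. $SilentInstaller is a placeholder path.
function Test-MeiDriver {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $result = @{ Computer = $ComputerName; MissingDriver = $false; MeiVersion = $null; Verdict = '' }

    # Device Manager's "PCI Simple Communications Controller" with a non-zero
    # ConfigManagerErrorCode is the "Other device" without a driver in the screenshot.
    $orphan = Get-WmiObject -ComputerName $ComputerName -Class Win32_PnPEntity |
        Where-Object { $_.Name -eq 'PCI Simple Communications Controller' -and $_.ConfigManagerErrorCode -ne 0 }
    if ($orphan) {
        $result.MissingDriver = $true
        $result.Verdict = 'MEI driver missing: install the OEM package'
        return New-Object PSObject -Property $result
    }

    # Installed MEI driver and its version (the device name varies a little by package).
    $mei = Get-WmiObject -ComputerName $ComputerName -Class Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName -like '*Management Engine Interface*' } |
        Select-Object -First 1
    if (-not $mei) {
        $result.Verdict = 'No MEI device found: platform may have no Intel ME, or the device is hidden'
        return New-Object PSObject -Property $result
    }

    $result.MeiVersion = $mei.DriverVersion
    $major = [int]($mei.DriverVersion.Split('.')[0])
    # Caveat 1 above: the 1.x (and possibly 9.x) package offered by Windows Update in
    # 2011 was wrong for 2010-era platforms. Flag it for review rather than removing
    # anything automatically.
    if ($major -eq 1 -or $major -eq 9) {
        $result.Verdict = "Suspect MEI driver version $($mei.DriverVersion): remove and reinstall from the OEM or Intel"
    } else {
        $result.Verdict = "MEI driver $($mei.DriverVersion) installed ($($mei.Manufacturer))"
    }
    New-Object PSObject -Property $result
}

# Silent install of the extracted OEM package for scripted deployments (the
# "setup.exe /s" from the text); the path is a placeholder.
$SilentInstaller = 'C:\Deploy\MEI\setup.exe'
$status = Test-MeiDriver
$status | Format-List Computer, MissingDriver, MeiVersion, Verdict
if ($status.MissingDriver -and (Test-Path $SilentInstaller)) {
    Start-Process -FilePath $SilentInstaller -ArgumentList '/s' -Wait
    Test-MeiDriver | Format-List Computer, MeiVersion, Verdict
}
```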

A comprehensive document for both Intel AMT configuration and McAfee Deep Command installation has been posted at https://community.mcafee.com/docs/DOC-3316

 

The goal of the document is to provide a simple and clear path to be able to start using Deep Command in an enterprise environment.  The document skips many extraneous options, providing a single path that has been tested in the lab and with select customers.   The skipped options may be applicable to certain environments, and those with a solid understanding of Intel AMT configuration will identify necessary alternatives as needed.   Two key points about configuration of Intel AMT in working with McAfee Deep Command – you must have TLS in the profile, and your Digest or Kerberos account for AMT authentication must have PT Admin Realm access in the AMT ACL.

 

The original document exceeded 60 pages with over 6,500 words.    In collaboration with a McAfee SE, we chose to divide the document across several posts on the McAfee Community website.   The link above is the introduction or landing page, where additional links to the sections of the document are provided.

Traditionally, I've known Intel AMT to be part of the toolkit of administrators. It has helped me out by either simplifying or enabling parts of my work as a system administrator. Usually, this meant being able to do things without users entering the picture. Whether it's power management, changing BIOS settings, booting into a CD, and so on.

 

This changed when I deployed a Microsoft Small Business Server 2011 Standard at a customer's site. This was a very small office, with about five client PCs. Suddenly, I had a use case where users themselves would benefit from being able to use AMT features.

 

Although their previous SBS (2003) also had a Remote Web Access website, which included a remote desktop (RDP) proxy, it was never used much. However, since the new server was installed, users have found it easier to connect to internal client PCs through the new RDP proxy, and they enjoy being able to work from home using this feature.

 

This "connect to computer" feature of SBS is shown on the right side of the screenshot below. Remote Web Access is a standard feature of SBS and is normally accessed at https://remote.companyname.com/

[Screenshot: 01-rwa-mainscreen.png]

This is fine during office hours, when a user working from home can ask someone currently still at the office to switch on the computer for them, but outside office hours, this presents a problem. As an administrator I am able to turn on computers remotely, but the tools I use for this (either the web interface, the AMT Commander or (usually, these days) the Powershell module) are more technical than what the users prefer to use, and -- most importantly -- require either the AMT password to work, or more advanced provisioning (e.g. Active Directory integration) than makes sense for such a small site.

 

One solution for this is to use the SBS itself, specifically its web server, to do both the underlying work (performing AMT commands on the back-office computers) and the authentication, using the built-in user authentication of IIS.

 

To do this, we need to compile our AMT code into a DLL that IIS can use. So we need a compiler that can do this. You can download Visual Web Developer 2010 Express (a flavour of Visual Studio 2010) for free from Microsoft, which will do this for us. Alternatively, if you have Visual Studio 2010 Professional already installed somewhere, you can use that instead.

 

http://www.microsoft.com/visualstudio/en-us/products/2010-editions/visual-web-developer-express

 

Also, you will need the Intel AMT Software Development Kit. This contains AMT functionality that we will use in our webpage.

 

http://software.intel.com/en-us/articles/download-the-latest-intel-amt-software-development-kit-sdk/

 

Once Visual Studio (or Visual Web Developer, which I shall also call Visual Studio in this article) is installed, and the SDK is unzipped, we can begin. In this example, the SDK is unzipped to C:\VPRO_SDK.

 

First, open Visual Studio, create a new Empty Web Application and give it a name, in this case "PowerOn". Then click "OK". I've used C# because I'm more familiar with it than with Visual Basic.

[Screenshot: 02-VC-newproject2.png]

 

With this new project, it's not technically necessary, but it's wise to set the Target .NET Framework to a slightly older version for a little more compatibility. If we set it to 3.0, this page should even run on SBS 2008 (or plain Windows Server 2008 running IIS, of course). If you set it too high, you might find you have to install newer .NET Frameworks on your server before you can use the page. Right-click on "PowerOn" (or your own project name) in the top right corner and click "Properties".

[Screenshot: 02a-VC-project-properties.png]

 

Now we need to reference the AMT SDK libraries that will enable us to do things like power on computers. Right-click on "Reference" and choose "Add Reference...".

[Screenshot: 03-VC-addreference3.png]

 

Then, under the "Browse" tab, we can point to a file we want to add.

[Screenshot: 04-VC-addreference-filename.png]

 

The four files that we need to add as references are (assuming the SDK is at C:\VPRO_SDK):

  • C:\VPRO_SDK\Windows\Intel_AMT\Bin\CIMFramework.dll
  • C:\VPRO_SDK\Windows\Intel_AMT\Bin\CIMFrameworkUntyped.dll
  • C:\VPRO_SDK\Windows\Intel_AMT\Bin\DotNetWSManClient.dll
  • C:\VPRO_SDK\Windows\Intel_AMT\Bin\IWSManClient.dll

 

Next, to make our code simpler and shorter, we're going to use a class from the SDK that predefines some common tasks. Right-click the project name, in this example "PowerOn", then click "Add" and "Existing Item...".

[Screenshot: 05-VC-add-existingitem3.png]

 

The item we need is:

  • C:\VPRO_SDK\Windows\Common\WS-Management\C#\common\AssociationTraversalTypedUtils.cs

 

Now we're ready to create code. The only actual web page that we need is a Default.aspx; this is the page that is displayed. Right-click the project name again, click "Add" again, but this time "New Item...". Next choose Web Form (the top option) and name it Default.aspx.

[Screenshot: 06-VC-add-new-item-Default.png]

 

Now you have the option of whether you want to write the code for the table/text/buttons/etc or whether you want to drag-and-drop them in the designer view. Myself, I am clumsy with graphical editors, so I prefer to write code. The tags for writing a table are incredibly simple. This is some sample code for a table with two rows, and a power-on button on each. Of course, after the first row, it's a simple matter of copy-and-pasting until you have enough rows. However, you have to change the following each row:

  • the computer name (in this example DESKTOP1, DESKTOP2, etc.)
  • the ID of the button (changed automatically, when copy-and-pasting)
  • the method that is called upon a click (in this example: Button1_Click, etc.)

 

Here is some sample code. It goes between the <div> and </div> in the middle of the page.

    On this page, you can switch on computers using Intel vPro.
    <asp:Table ID="Table1" runat="server" Height="200px" Width="500px">
        <asp:TableRow ID="TableRow1" runat="server">
            <asp:TableCell ID="TableCell1" runat="server">
                Click here to switch on DESKTOP1:
            </asp:TableCell>
            <asp:TableCell ID="TableCell2" runat="server">
                <asp:Button ID="Button1" runat="server" Text="POWER ON" onclick="Button1_Click" />
            </asp:TableCell>
        </asp:TableRow>
        <asp:TableRow ID="TableRow2" runat="server">
            <asp:TableCell ID="TableCell3" runat="server">
                Click here to switch on DESKTOP2:
            </asp:TableCell>
            <asp:TableCell ID="TableCell4" runat="server">
                <asp:Button ID="Button2" runat="server" Text="POWER ON" onclick="Button2_Click" />
            </asp:TableCell>
        </asp:TableRow>
    </asp:Table>

 

Next, we need to create the "Button1_Click" method referenced in this code. The easiest way to get to the source code is to right-click on the method we want to define and choose "View Code" in the popup menu. Here, I've right-clicked on "Button1_Click".

[Screenshot: 07-VC-goto-code2.png]

 

This automatically brings us to the file that should contain the source code for button1_Click, button2_Click and whatever other methods you wish to define. First, however, on this page, you need to add a few "using" references at the very top. The start of this page should read:

 

using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using Intel.Manageability.Cim;
using Intel.Manageability.Cim.Untyped;
using Intel.Manageability.Cim.Typed;
using Intel.Manageability.WSManagement;
using Intel.Manageability.Exceptions;
using Intel.Manageability.Utils;

 

The first of these are probably already there, but it's wise to check. You're going to have to add the bottom lines that start with "Intel".

 

Next, we define the method that actually does the AMT work. The code goes below the "partial class" line and its opening brace. The code is:

    protected void Button1_Click(object sender, EventArgs e)
    {
        // Target host and the AMT credentials; these three lines are the ones
        // to change for each machine.
        String computerName = "desktop1.company.local";
        String username = "admin";
        String password = "P@ssw0rd";
        CimReference outJob = null;

        // WS-Management client from the SDK for the target (the test later in this
        // article runs over TCP 16992, i.e. without TLS).
        IWSManClient wsmanClient = new DotNetWSManClient(computerName, username, password, false, false, null, null);

        // Find the managed host and the power management service hosted on it.
        CimReference managedSystemEPR = AssociationTraversalTypedUtils.DiscoverManagedHost(wsmanClient);
        CIM_PowerManagementService powerStateService =
            (CIM_PowerManagementService)AssociationTraversalTypedUtils.GetAssociated(wsmanClient,
                                                                                     managedSystemEPR,
                                                                                     typeof(CIM_PowerManagementService),
                                                                                     typeof(CIM_HostedService));

        // Request the "On" power state (CIM PowerState value 2); 0 is the only success code.
        ushort powerState = 2; // "On" is power state 2
        uint response = powerStateService.RequestPowerStateChange(powerState, managedSystemEPR, null, null, out outJob);
        if (response != 0)
        {
            throw new WSManException("Wrong response from AMT");
        }
    }

 

Explaining this code in detail is beyond the scope of this document, but if it makes sense to you, you can expand on it, for example by having the web page show the current power state of the AMT machines; you don't need to, though. As it stands, the button turns on one computer. The only lines you need to change are the first three: the name of the computer you wish to power on, and the username and password needed to do it.

 

These credentials are compiled into the DLL, so it's important to keep the DLL on the SBS server and out of any shared document folder that regular users can read. During normal use, neither users on your network nor users accessing the website can read the DLL or the password contained within it.

 

This page should now look something like this in Visual Studio:

[Screenshot: 08-VC-code-overview3.png]

 

That's all the coding we need to do; now we can deploy our website to the SBS. First, though, it's a good idea to test our web page. To do this, change "Debug" at the top to "Release", then click the green triangle to the left of it.

[Screenshot: 09-VC-setrelease-and-test.png]

 

We should see a layout shaped like a table with (in this example) two buttons and a distinct lack of visual style. For people who are creatively inclined, it might be a good idea to put slightly more effort into the HTML or ASP code we started with (where the table is). If you are using an underpowered VM (like me) to do this, it might take quite a while before the page appears; this is normal. Also, if you want to test that the buttons work, you need to be able to reach the computers. This usually means being directly connected to the intranet or having a VPN connection running. Be wary, too, of any firewalls in the way that block TCP port 16992 between the SBS server and the AMT-enabled workstations.

[Screenshot: 10-MSIE-testpage.png]

 

Now that we're confident that all the visual elements are there and that the buttons work, it's time to publish our work to the SBS server. Just close the Internet Explorer window so we're back in Visual Studio. At the top, it says "Create Publish Settings", which sounds like a good idea. Click on this and then on "<New...>".

[Screenshot: 11-VC-Publish-new.png]

Then choose "File System" for the simplest method, and type in a temporary folder name where Visual Studio can copy the necessary files to. In this example, I used "C:\DEPLOY", which is easy to find afterwards.

[Screenshot: 12-VC-Publish-file-system.png]

 

Now it's time to prepare the server. Log into the server with administrative credentials and open the "Internet Information Services (IIS) Manager" snap-in, found under "Administrative Tools". Next, under "Sites", find the "Default Web Site", right-click on it and choose "Add Application...".

[Screenshot: 13-IIS-new-application.png]

 

Next, enter an alias. This will be the last part of the URL for the page: if the alias is "poweron", the final address will be "https://remote.company.com/poweron". For the physical path, it's good practice to use a location within C:\inetpub\wwwroot\, but you don't have to.

[Screenshot: 14-IIS-application-settings.png]

 

Now comes a very important step: securing the web page, preferably before we copy the actual files to it. Back in IIS Manager, select the new entry "poweron" and double-click "Authentication".

[Screenshot: 15-IIS-Authentication-icon.png]

 

Two things are important here: disable Anonymous Authentication (you don't want anonymous users turning on your computers) and enable another form of authentication. The easiest to set up is Basic Authentication. Right-click "Anonymous Authentication" and click "Disable". Then right-click "Basic Authentication" and click "Enable". Next, right-click "Basic Authentication" again and choose "Edit...".

[Screenshot: 16-IIS-Authentication-settings.png]

 

In this window, type the domain that your SBS users are located in. Otherwise, your users will have to authenticate with "DOMAIN\user" every time, which is a hassle. The bottom option "Realm" just makes the login window a little bit prettier, but isn't technically needed.

 

Now we've made sure that anonymous users cannot access the /poweron application. But when users do log in, we want it to be safe: Basic Authentication sends the password in clear text unless the connection is encrypted. So, on the left side, select "poweron" again, and this time double-click the large "SSL Settings" icon, select "Require SSL" and click "Apply".

[Screenshot: 17-IIS-SSL-settings.png]

 

Optionally, if you only want to allow specific users or groups access to the page (instead of all authenticated SBS users), select "poweron" again on the left, and this time double-click "Authorization Rules" in the middle. Here, you can specify which users to allow or deny access.

[Screenshot: 18-IIS-Auth-rules.png]
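The same three IIS settings (authentication, Require SSL, authorization rules) can be applied and verified from a script, which is handy when the server is rebuilt later. This is an added example, not from the original post: it assumes the WebAdministration module of Windows Server 2008 R2 / SBS 2011, that the Basic Authentication and URL Authorization role services are installed, and uses "COMPANY" and "COMPANY\PowerOn Users" as placeholders for the domain and the allowed group.

```powershell
# Added example (not from the original post): script the IIS hardening steps for
# the "poweron" application under "Default Web Site". COMPANY and the group name
# are placeholders; URL Authorization and Basic Authentication must be installed.
Import-Module WebAdministration

$site = 'Default Web Site'
$app  = 'poweron'
$loc  = "$site/$app"                        # -Location scopes the change to /poweron only
$domain = 'COMPANY'
$allowedGroup = 'COMPANY\PowerOn Users'     # placeholder: the SBS group allowed to use the page

# 1. Disable anonymous access and enable Basic authentication, with the default
#    logon domain so users need not type DOMAIN\user every time.
$authBase = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter "$authBase/basicAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter "$authBase/basicAuthentication" -Name defaultLogonDomain -Value $domain
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter "$authBase/basicAuthentication" -Name realm -Value 'Remote power on'

# 2. Require SSL, so the Basic credentials never cross the network in clear text.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# 3. Authorization rules: remove the inherited "allow all users" rule for this
#    application and allow only the chosen group.
$authz = 'system.webServer/security/authorization'
Remove-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter $authz -Name '.' -AtElement @{ users = '*'; roles = ''; verbs = '' }
Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter $authz -Name '.' -Value @{ accessType = 'Allow'; roles = $allowedGroup }

# 4. Read the effective settings back so the result can be verified (and audited).
function Get-PowerOnSecuritySettings {
    $anon  = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter "$authBase/anonymousAuthentication" -Name enabled
    $basic = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter "$authBase/basicAuthentication" -Name enabled
    $ssl   = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter 'system.webServer/security/access' -Name sslFlags
    $rules = Get-WebConfiguration -PSPath 'IIS:\' -Location $loc -Filter "$authz/add"
    New-Object PSObject -Property @{
        Application   = $loc
        AnonymousAuth = $anon.Value
        BasicAuth     = $basic.Value
        SslFlags      = $ssl.Value
        AllowRules    = ($rules | ForEach-Object { "$($_.accessType): users='$($_.users)' roles='$($_.roles)'" }) -join '; '
    }
}

Get-PowerOnSecuritySettings | Format-List
```

Expected after the run: AnonymousAuth False, BasicAuth True, SslFlags Ssl, and a single Allow rule for the chosen group.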

 

Now that IIS is aware of our application and it's properly secured, it's time to make it work. Simply copy the contents of the "C:\DEPLOY" folder (or wherever you chose to publish earlier) to the location we specified in IIS for our application. In this example, this is "C:\inetpub\wwwroot\poweron". The result should look similar to this:

[Screenshot: 19-Explorer-poweron-deployed.png]

And voilà, we're done. Now we can sit back and enjoy the fruits of our labour: go to https://remote.company.com/poweron, click the buttons, and marvel at the computers spontaneously turning on.

 

In the scenario of a small company, where the goal is to let users switch on computers remotely so they can connect to them and use all the applications they're used to at the office, these few easy steps suffice. Of course, it's also possible to customize this in various ways: generating the buttons automatically, using certificates for authentication, using TLS connections to AMT, displaying the current power status, and so on. But for an administrator with merely a basic understanding of programming concepts and Visual Studio, it's entirely possible to create such a custom website for a small business customer.

 

The code you see in the example isn't created by me from scratch. The code relating to vPro is from combining code from a few sources within the AMT examples in the SDK. Mostly from a few of the classes in

VPRO_SDK\Windows\Intel_AMT\Samples\WS-Management\RemoteControl

 

Thanks to Intel for providing the SDK.

Every once in a while an invention or product comes along that really makes your life easier. The electric toothbrush. The Crock-Pot*. Automatic transmission. The Intel® vPro™ technology module for Microsoft* Windows PowerShell*. Things that, once you get your hands on them, you wonder how you ever lived without them.

 

Windows PowerShell allows you to create simple, readable scripts that can be modified as needed, allowing for quick adoption of Intel vPro technology Out of Band (OOB) Management use cases. And it's right there in your Microsoft Windows* environment, available to everyone. As Bill York, Intel Enterprise Solution Architect, says, "Every company I support has somebody using [Windows] PowerShell to support their Enterprise." It's ubiquitous. And the Intel vPro technology module for Microsoft Windows PowerShell lets you harness that ubiquitous power to help manage your remote Intel vPro based clients. IT shops can quickly and easily extend Intel vPro technology OOB Management into IT business process automation to increase efficiency and effectiveness.

 

Along those lines, the Intel vPro technology module for Microsoft Windows PowerShell can help bridge gaps between some management consoles and Intel® Active Management Technology (Intel® AMT). For example, Microsoft System Center* Configuration Manager doesn’t enable KVM Remote Control when it provisions your managed clients. And many help desk staffers don’t have the credentials and permissions to access Intel AMT and turn KVM Remote Control on. But with the Intel vPro technology module for Microsoft Windows PowerShell, IT Engineering can use Windows PowerShell to enable KVM Remote Control on the clients, which in turn allows the help desk (with their more restrictive permissions) to take advantage of this powerful Intel vPro feature to better assist their callers. Says York, “The module allows organizations to configure the lower layers of Intel AMT,” which can also allow them to take advantage of Solution Reference Designs and Use Case Reference Designs that otherwise would have remained out of reach.

 

The upcoming version 3.2 release adds even more value to what you’ve already come to love. With the new GUI editor in version 3.2, your engineering team will be able to generate a customized Windows PowerShell based Intel AMT point-and-click GUI that allows you to take advantage of Windows PowerShell’s Intel AMT capabilities even if you aren’t a Windows PowerShell command line guru. This light-weight, customizable GUI lets you streamline the invoking of core Intel vPro technology OOB use cases. And version 3.2 of the module exposes Intel AMT (local or remote) and the local Intel® Manageability Engine (Intel® ME) driver as a Windows PowerShell Drive, allowing you to map to a client’s Intel AMT firmware from within Windows PowerShell so you can view and manipulate Intel AMT data on the managed client. For example, you can validate which Access Control Lists (ACLs) are currently in Intel AMT, or set timeout values that your management console doesn’t natively configure. “The sky’s the limit for customers to create their own usages,” says York, “without necessarily having to rely on Intel resources to produce these things for them.”

 

All sizes of organizations can benefit greatly from the Intel vPro technology module for Microsoft Windows PowerShell. Charlie Milo, Intel Enterprise Technology Specialist, tells of one large FSI account that has been purchasing Intel vPro based clients for five years, whose environment consists of around 85% Intel vPro based clients, and yet, though they were impressed with Intel vPro capabilities, had been unable to make use of them because their management console does not support Intel vPro technology. Enter the Intel vPro technology module for Microsoft Windows PowerShell. "It was a game changer," says Milo. Using the module, they were able to execute Intel AMT commands on their Intel vPro based managed clients, thus taking advantage of the powerful remote and OOB management capabilities of Intel vPro technology that was already resident in some 85% of their existing PC fleet. That sure beats an electric toothbrush!

 

At another, mid-sized account, Milo was able to deploy the module to help the customer bridge yet another gap between their management console and Intel AMT. The customer wanted to use Intel AMT’s Alarm Clock feature on their 1,200 Intel vPro based PCs, but unfortunately that feature isn’t supported by Configuration Manager. But with the Intel vPro technology module for Microsoft Windows PowerShell, the customer could use Windows PowerShell scripts to remotely configure the Alarm Clock settings on all 1,200 systems.

 

And Intel Solution Support Team’s Steve Davies is having success with the module at his accounts, too. One, a high-quality television entertainment provider, will hopefully be using it in production soon to remotely boot their BitLocker-enabled clients. And another, a well-known European airline, may soon be deploying a PowerShell enabled use case that Davies successfully demonstrated to them recently. Davies also plans to show this use case at local Microsoft MMS events.

 

Even ISVs can benefit from the Intel vPro technology module for Microsoft Windows PowerShell, according to Milo. One ISV that focuses on Client-Side Virtualization to help centrally manage PCs was able to leverage the module to incorporate features like remote power on and IDE Redirection (IDE-R) into their product, even though it does not yet natively support Intel vPro management capabilities.

 

And these are just some of the module success stories out there. Got one of your own? Feel free to relate it in the comments section of this blog.

 

But, like one of those late-night infomercials on cable TV, that’s not all. In addition to revolutionizing our customers’ relationships with their Intel vPro technology based clients, the module is helping to revolutionize the way Intel sells Intel vPro technology itself. The module is part of a growing suite of Intel-developed tools that allow us to provide everything our customers need to get up and running with Intel vPro technology. Intel® Setup and Configuration Service (Intel® SCS), the Intel vPro technology module for Microsoft Windows PowerShell, and a growing number of Solution Reference Designs and Use Case Reference Designs from BCPD Engineering, are making it possible for customers to purchase, provision, configure, and use Intel vPro technology—and start seeing real value right from the start—regardless of whether their entrenched management console supports Intel vPro features or not. What’s more, these tools allow us to deploy new Intel vPro features directly to our customers, on our own cadence, without waiting (and pleading) for ISVs to support those great new features.

 

In short, these tools like the Intel vPro technology module for Microsoft Windows PowerShell are putting Intel in the driver’s seat, in command of our own destiny with regard to the success of Intel vPro technology.

 

Kind of a nice feeling, isn’t it?

Overview

 

SCCM has two methods for tracking the provisioning status of AMT on vPro clients.  The first method is a port-based discovery method where SCCM will connect to a target client and attempt to connect to AMT ports to detect AMT capabilities.  The second method is through the hardware inventory provided by the SCCM agent.  If you have the vPro drivers installed on your clients, the SCCM agent will be able to detect the AMT version and provisioning state, and roll this information up during your regular inventory cycles.

 

Building queries for collections and reports

 

There are two locations you can get AMT data from:

 

 

  • SMS_R_System
  • SMS_G_System_AMT_AGENT

 

 

SMS_R_System contains data about AMT that is updated by the SCCM server itself.  This information is updated when SCCM provisions AMT on a vPro client, or when you perform the discover out-of-band management controllers function against a client.  There are two string values that you can use: AMTFullVersion & AMTStatus.  Take a look at the following link for more detail on this WMI class: http://msdn.microsoft.com/en-us/library/cc145392.aspx.

 

AMTFullVersion will report back the full firmware version in the standard major.minor.micro format.

 

AMTStatus will report back the provisioning status of the client with a range of values.

 

Null for unknown

0 for not supported

1 for detected

2 for not provisioned

3 for provisioned

 

 

SMS_G_System_AMT_AGENT contains the data rolled up during the SCCM hardware inventory process.  This is a mirror of the data from the SCCM client WMI class SMS_AMTObject.  You can learn more about this WMI class at http://msdn.microsoft.com/en-us/library/dd339697.aspx.  There are two fields here that I will focus on: AMT and ProvisionState.

 

AMT will report back the full AMT version in the major.minor.micro format.

 

ProvisionState will give you a range of values.

 

0 for factory set-up mode (not provisioned)

1 for set-up mode (in the process of being provisioned)

2 for operational mode (provisioned)

 

 

So, the bottom line here is that SCCM stores AMT version information and provisioning status information in two places.  You may think this is redundant, but it’s actually beneficial.  Having both a “server view” and “client view” of AMT information can be very useful in identifying potential problems in your environment.  For instance, you could use these fields to track down clients that claim to be provisioned, but SCCM says they are not, or, the reverse.

 

The data in SMS_G_System_AMT_AGENT is also useful for creating reports or collections in SCCM for clients you may have provisioned with another tool, like the Intel Setup and Configuration Service.  You could build collections in SCCM, reference them from other tools such as PowerShell, and use the PowerShell Module for Intel vPro Technology to leverage AMT capabilities on those clients.

 

Let’s finish this off with a couple of simple example queries.

 

The following is a query I use to create a collection of AMT systems that are unprovisioned based on the hardware inventory:

 

Select
    SMS_R_SYSTEM.ResourceID,
    SMS_R_SYSTEM.ResourceType,
    SMS_R_SYSTEM.Name,
    SMS_R_SYSTEM.SMSUniqueIdentifier,
    SMS_R_SYSTEM.ResourceDomainORWorkgroup,
    SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_AMT_AGENT on SMS_G_System_AMT_AGENT.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_AMT_AGENT.AMT >= "0"
  and (SMS_R_System.AMTStatus != "3" or SMS_R_System.AMTStatus is NULL)

 

The logic in the query identifies vPro clients that report any AMT version through hardware inventory but, on the server side, do not have a provisioning status of operational/provisioned (SMS_R_System.AMTStatus != "3") or have a null AMT status (SMS_R_System.AMTStatus is NULL).

 

Here’s a similar query that will pull data from the SCCM server itself:

 

Select
    SMS_R_System.ResourceId,
    SMS_R_System.ResourceType,
    SMS_R_System.Name,
    SMS_R_System.SMSUniqueIdentifier,
    SMS_R_System.ResourceDomainORWorkgroup,
    SMS_R_System.Client
from SMS_R_System
where SMS_R_System.AMTStatus != "3" or SMS_R_System.AMTStatus is null

 

The logic in this query identifies vPro clients the SCCM server has discovered whose AMT provisioning status is anything other than provisioned (SMS_R_System.AMTStatus != "3") or is null (SMS_R_System.AMTStatus is null).
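The "server view" versus "client view" comparison described above, as an added PowerShell example (not code from the original post): it joins the two classes on ResourceID and lists resources where SMS_R_System.AMTStatus and SMS_G_System_AMT_AGENT.ProvisionState disagree about whether AMT is provisioned. The sample rows are constructed stand-ins for the two WMI classes, and the SiteServer/SiteCode names in the commented live query are assumed placeholders.

```powershell
# Added example, not code from the original post: reconcile SCCM's server view
# (SMS_R_System.AMTStatus) with its client view (SMS_G_System_AMT_AGENT.ProvisionState).
$AmtStatusText      = @{ 0 = 'not supported'; 1 = 'detected'; 2 = 'not provisioned'; 3 = 'provisioned' }
$ProvisionStateText = @{ 0 = 'factory set-up mode'; 1 = 'set-up mode'; 2 = 'operational mode' }

function Compare-AmtProvisioningView {
    param(
        [Parameter(Mandatory)] $ServerRows,   # ResourceID, Name, AMTStatus, AMTFullVersion
        [Parameter(Mandatory)] $ClientRows    # ResourceID, AMT, ProvisionState
    )
    # Index the hardware-inventory rows by ResourceID so each server row joins directly.
    $clientById = @{}
    foreach ($row in $ClientRows) { $clientById[[int]$row.ResourceID] = $row }

    foreach ($srv in $ServerRows) {
        $cli = $clientById[[int]$srv.ResourceID]
        if (-not $cli) { continue }            # no hardware inventory reported yet
        # "Provisioned" is AMTStatus 3 on the server side and ProvisionState 2 on the client side.
        $serverProvisioned = ($srv.AMTStatus -eq 3)
        $clientProvisioned = ($cli.ProvisionState -eq 2)
        if ($serverProvisioned -ne $clientProvisioned) {
            [pscustomobject]@{
                ResourceID    = $srv.ResourceID
                Name          = $srv.Name
                ServerStatus  = $(if ($null -eq $srv.AMTStatus) { 'unknown (NULL)' } else { $AmtStatusText[[int]$srv.AMTStatus] })
                ClientState   = $ProvisionStateText[[int]$cli.ProvisionState]
                ServerVersion = $srv.AMTFullVersion
                ClientVersion = $cli.AMT
            }
        }
    }
}

# Constructed sample rows standing in for the two WMI classes.
$serverView = @(
    [pscustomobject]@{ ResourceID = 101; Name = 'PC-A'; AMTStatus = 3;     AMTFullVersion = '6.1.0' }
    [pscustomobject]@{ ResourceID = 102; Name = 'PC-B'; AMTStatus = 2;     AMTFullVersion = '5.2.30' }
    [pscustomobject]@{ ResourceID = 103; Name = 'PC-C'; AMTStatus = $null; AMTFullVersion = $null }
)
$clientView = @(
    [pscustomobject]@{ ResourceID = 101; AMT = '6.1.0';  ProvisionState = 2 }  # both views agree
    [pscustomobject]@{ ResourceID = 102; AMT = '5.2.30'; ProvisionState = 2 }  # client provisioned, server not
    [pscustomobject]@{ ResourceID = 103; AMT = '4.2.30'; ProvisionState = 0 }  # server unknown, client factory mode
)
# Only PC-B is reported: the client says operational, the server says not provisioned.
Compare-AmtProvisioningView -ServerRows $serverView -ClientRows $clientView | Format-Table -AutoSize

# Live use (assumed placeholder names): pull both classes from the site server's SMS provider.
# $ns = "root\sms\site_$SiteCode"
# $serverView = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_R_System
# $clientView = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_G_System_AMT_AGENT
```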


Türk Telekom Group is the leading communication convergence technology group in Turkey, providing integrated telecommunications services ranging from public switched telephone networks (PSTN) and a global system for mobile communication (GSM) to broadband Internet. The company has about 18,000 desktop and laptop PCs spread across the country. To control and manage this computer fleet, enable greater cost-efficiencies, and introduce more security, the IT department purchased a total of 9,000 Intel® Core™ processors with vPro™ technology. These included Intel® Core™2 Duo processors and 2nd generation Intel® Core™ i5 and i7 vPro™ processors. These processors provide hardware-based remote management and security. The company plans to upgrade the remaining 9,000 computers with 2nd generation Intel Core i5 and i7 vPro processors.


“Intel® vPro™ technology has provided us with powerful remote management capability that has transformed our ability to keep track of and manage our large computer fleet, both in terms of cost efficiencies and management effectiveness,” said Bilal Genç, director of technological systems management for Türk Telekom Group.


For all the details, download our new Türk Telekom Group business success story. As always, you can find many more like this on the Intel.com Business Success Stories for IT Managers page. And to keep up to date on the latest business success stories, follow ReferenceRoom on Twitter.

During a recent demonstration of Intel vPro Technology, I experienced the following:

 

  • Used Intel vPro Technology to reboot a remote client
  • The client was encrypted via PGP Whole Disk Encryption (WDE)
  • After the reboot, I connected to the client via the KVM remote control feature of Intel vPro Technology using RealVNC Viewer Plus
  • At the PGP passphrase pre-boot authentication screen, I had no keyboard interaction via the RealVNC session. 

[Screenshot: RealVNC KVM session with no keyboard input at the PGP passphrase screen (VNC no keyboard.png)]

Understanding why this happened provides some further insights to what is occurring physically in the hardware.

 

The KVM remote control feature relies on USB injection for keyboard and mouse interaction, meaning the remote input appears as a USB keyboard/mouse to the local system. A USB device needs to be enumerated, and this occurs during the BIOS POST at startup. Since the KVM remote control session via RealVNC Viewer Plus to the Intel vPro Technology hardware had not yet been opened, the USB injection started only after the BIOS had already enumerated/detected external USB keyboards. The PGP passphrase screen uses the BIOS enumeration, so it does not see any of the keystrokes from the KVM remote control session in this scenario. Remember that a BIOS is single threaded and simplistic (hence the acronym "BIOS" for "Basic Input Output System").

 

To recover from this situation, one approach is to open the RealVNC session for KVM remote control before rebooting the Intel vPro Technology client. Upon startup, the BIOS will then enumerate the USB connections that are temporarily present for the KVM remote control session. This is shown in the following example:

 

[Screenshot: RealVNC KVM session with working keyboard input after opening the session before reboot (VNC with keyboard.png)]

 

The same situation may occur even when a live operating system is running on the Intel vPro Technology client. A new operating system may not immediately recognize KVM remote control input, as it needs to react to the interrupt generated when the first KVM session occurs and a new USB keyboard device appears. The operating system enumerates that USB device, identifies it as a USB keyboard and loads the appropriate driver as needed. The first session might be rough, but once the keyboard has been detected, subsequent sessions will go more smoothly.


Australia’s Latrobe Community Health Service (LCHS) provides a wide range of services—from dental to home care—to the local community in the Latrobe Valley and Gippsland. As a progressive health service provider, LCHS views information and communications technology (ICT) as an enabler to delivering the best healthcare service possible.

 

“LCHS ICT needs to be doing it better and smarter than the rest,” declares Blair Muller, LCHS’s network administrator, “so our community can get more out of our services. Without technology, we cannot give our community the services they need, efficiently.” Towards this end, LCHS has standardized on a PC platform based on the Intel® Core™ vPro™ processor.

 

“Support staff are overjoyed knowing that when they get a support call, 99.95 percent of the time, issues can be resolved without leaving their desk when the system has an Intel Core vPro processor,” Muller says.


For all the details, download our new LCHS business success story. As always, you can find many more like this on the Intel.com Business Success Stories for IT Managers page.  And to keep up to date on the latest business success stories, follow ReferenceRoom on Twitter.

Remember the times when a customer would be hard down while their system was being rebuilt?  Either a loaner system had to be provided or they would have to go to lunch and the machine would be rebuilt while they were gone.  Well, look no further for a solution to keep the user active.  By using WinPE and Intel vPro's SOL and IDER solution, Firefox can be added to WinPE to call Outlook Web Access.  Outlook Web Access gives the user access to their email while, in the background, the system is formatted and reimaged.  This use case will walk through the steps to create a WinPE image, how to edit the startup.cmd to include Firefox, and how to launch Outlook Web Access from it.

 

Outlook Web Access with Imaging
