As explained in the blog post "SCCM SP1 & WS-MAN Translator: How vPro firmware versions less than 3.2.1 are supported", the Intel WS-MAN Translator is a crucial component for supporting vPro clients with firmware versions less than 3.2.1 in Microsoft System Center Configuration Manager.

 

Intel has just posted the production release of the Intel WS-MAN Translator 1.0, which is available for download at the following location: http://softwarecommunity.intel.com/articles/eng/3840.htm. At that location you will find the install binaries and documentation on how to install the translator. Here is a high-level overview of how to install and configure the Intel WS-MAN Translator.

 

Pre-installation Steps

 

Generate a Certificate Request on SCCM Server for Intel WS-MAN Translator

 

  1. On the SCCM Server, go to Start > All Programs > Administrative Tools > Internet Information Services (IIS)

  2. Expand Web Sites and Right Click on Default Web Site and select Properties

  3. In the Default Web Site Properties window, select the Directory Security tab. In the Secure Communications section, click the Server Certificate button

  4. This will launch the Web Server Certificate Wizard. Click Next

  5. In the IIS Certificate Wizard window, select Create a new certificate. Click Next

  6. Select Send the request immediately to an online certification authority. Click Next

  7. Enter a Name for the certificate: WS-MAN Translator Server Certificate. Click Next

  8. Enter Organization Information (Organization and Organizational Unit) and Click Next

  9. Enter the Common name. This is the FQDN of the server on which you are installing the Intel WS-MAN Translator, and it should be the same as the FQDN of your SCCM Server. Click Next

  10. Enter your Geographical Information. Click Next

  11. Enter 443 for the SSL Port for this web site. Click Next

  12. In the Choose a Certification Authority Window, select your issuing Certificate Authority. Click Next

  13. Confirm your request and click Next

  14. Once the wizard is complete, click Finished

 

Modifying Windows Remote Management (WinRM) to support Basic Authentication

 

  1. On the SCCM Server, open a command prompt and run the following command: winrm set winrm/config/client/auth @{Basic="true"} (the command line is case sensitive)

  2. You should see Basic = True returned
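
The step above turns on Basic authentication for the WinRM client, which sends the user name and password base64-encoded rather than encrypted, so it is worth confirming that the client still refuses unencrypted transport. The following PowerShell check is an added example, not part of the original post or of Intel's tooling; the function name Get-WinRmClientAuthPosture is hypothetical, and it assumes an elevated PowerShell session with the WinRM service running.

```powershell
# Added example: audit the WinRM client settings affected by enabling Basic auth.
# Reads the local WSMan: configuration drive; changes nothing.
function Get-WinRmClientAuthPosture {
    # The WSMan provider returns these values as the strings "true" / "false".
    $basic       = (Get-Item -Path WSMan:\localhost\Client\Auth\Basic).Value
    $unencrypted = (Get-Item -Path WSMan:\localhost\Client\AllowUnencrypted).Value
    $trusted     = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value

    $basicOn       = $basic -eq 'true'
    $unencryptedOn = $unencrypted -eq 'true'

    if ($basicOn -and $unencryptedOn) {
        $finding = 'Basic is enabled and unencrypted traffic is allowed: credentials can cross the network in clear text.'
    } elseif ($basicOn) {
        $finding = 'Basic is enabled; the client only sends it over HTTPS because AllowUnencrypted is false.'
    } else {
        $finding = 'Basic is disabled for the WinRM client.'
    }

    [pscustomobject]@{
        Basic            = $basicOn
        AllowUnencrypted = $unencryptedOn
        TrustedHosts     = $trusted   # a wildcard here widens where credentials may be sent
        Finding          = $finding
    }
}

Get-WinRmClientAuthPosture | Format-List
```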

 

Set Delegation for the SCCM Server

 

  1. On your Domain Infrastructure Image, click Start > All Programs > Administrative Tools > Active Directory Users and Computers > vprodemo.com > Computers. Right click on SCCM Server and select Properties.

  2. Check the box Trust Computer for Delegation and click OK
         Note: If you do not allow this, you will need to set up the WS-MAN Translator run time account (during the configuration steps) with a user that has permission to the AMT client. At that point the credentials configured in the run time account are used to manage the client for Kerberos authentication.

Installing the Intel WS-MAN Translator

  1. On the SCCM Server, run the Intel WS-MAN Translator Setup

  2. In the Intel WS-Management Translator setup window, click Next

  3. In the Intel WS-Management Translator setup window, click Next

  4. During the installation, keep all of the default settings until the installation wizard is complete and the install has finished.

 

Configuring the Intel WS-MAN Translator

 

  1. Click Start > All Programs > Intel WS-Management Translator > wtranscfg.exe to configure the Translator

  2. In the WS-Translator Configuration Wizard Window, Set common setup accounts & Set TLS/forwarding options. Click Next

  3. In the Set initial setup password window, enter the password you configured within SCCM Out of Band Management Properties > Provisioning setting Section > MEBx Account. Click Next

  4. In the Set Common Pre-Shared Key window, you should select a more random and secure PID and PPS for security reasons. Click Next.

  5. In the Import Common Setup Certificate window, click Browse and select the same certificate you used in SCCM Out of Band Management Properties > Certificates Section > Provisioning Certificate. Click Next.

  6. In the Select TLS/forwarding options window, select the default options: Listening Port: 443 & Forwarding Port: 16993. For the Server Certificate, select the WS-MAN Translator certificate created in the previous steps. Click Finished. Click OK to restart the Translator Service.
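
Step 4 above asks for a more random PID and PPS; one way to produce them from the operating system's cryptographic random number generator is shown below. This is an added example, not part of the original post or of the Translator; the function name New-RandomKeyString is hypothetical, and the format (8-character PID, 32-character PPS, digits and upper-case letters, a dash after every four characters) is an assumption to check against the Translator documentation.

```powershell
# Added example: generate a PID/PPS pair from a cryptographic RNG.
# ASSUMPTION: alphabet, lengths and dash grouping below; confirm before use.
$KeyAlphabet = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'

function New-RandomKeyString {
    param(
        [Parameter(Mandatory = $true)][int]$Length,
        [string]$Alphabet = $KeyAlphabet
    )
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    # Reject bytes at or above the largest multiple of the alphabet size
    # (252 for 36 symbols) so every symbol is equally likely (no modulo bias).
    $limit = 256 - (256 % $Alphabet.Length)
    $buf   = New-Object byte[] 1
    $chars = New-Object System.Text.StringBuilder
    try {
        while ($chars.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) {
                [void]$chars.Append($Alphabet[$buf[0] % $Alphabet.Length])
            }
        }
    } finally {
        $rng.Dispose()
    }
    # Insert a dash after every four characters, e.g. ABCD-EFGH.
    ($chars.ToString() -split '(.{4})' | Where-Object { $_ }) -join '-'
}

# Property is named PID; the automatic variable $PID (process id) is not touched.
$psk = [pscustomobject]@{
    PID = New-RandomKeyString -Length 8
    PPS = New-RandomKeyString -Length 32
}
$psk | Format-List
```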

 

Configuring SCCM SP1 to use the Intel WS-MAN Translator

 

  1. Within System Center Configuration Manager Out of Band Management Properties > Provisioning setting Section > AMT Settings, check the option for Enable support for Intel WS-MAN Translator. Once selected, click Apply.

 

--Matt Royer