In my last post I described the basics of accessing AMT remotely from a command line using WinRM. However, I didn't demonstrate anything incredibly useful. This time I hope to build on the previous post by showing one useful thing you can do. This article assumes you are familiar with "the basics", so if you're not, please read the previous post first.

 

So, here's the situation. You have many AMT systems. As such, you have used an off-the-shelf setup and config server such as Intel AMT SCS to set up and configure your AMT systems remotely (ENT mode). Now you wish to deploy a tool such as Radmin to your help desk so they can make use of AMT's SOL & IDE Redirection features. Radmin (or your tool of choice) only officially supports SMB mode; however, this shouldn't be an issue since you're not using TLS, right? Well, not exactly. Unless your setup and config server specifically enabled AMT to listen for SOL/IDER connections (which SCS does not), tools that are built for SMB mode will fail. This is because the "Redirection Listener" is enabled by default in SMB mode. In ENT mode, however, it is disabled by default, waiting for a console to enable it.

 

This article describes the issue in detail, along with a workaround. However, the workaround entails connecting to each system one by one with Manageability Commander to enable the listener. We can do better. By using WinRM in a batch file, this process can be automated. Assuming you have already configured WinRM and know your AMT's IP and Admin password (read this to get started), this command will enable the redirection listener:

 

winrm put http://intel.com/wbem/wscim/1/amt-schema/1/AMT_RedirectionService @{ListenerEnabled="true"} -remote:%YOUR_AMT_IP%:16992/wsman -u:admin -p:%YOUR_AMT_ADMIN_PASSWORD% -a:Digest -encoding:utf-8

 

Hopefully the parameters make sense. What's new from last time is that we're now doing a "put" command, which tells AMT that we wish to put in a new setting. We are also accessing a different method: AMT_RedirectionService. Look in the AMT SDK docs to see all the possible methods, fields, and values for this service. BTW, you can also call the "enumerate" method on this service to see the current field values. Finally, we specify the field and the new value with @{ListenerEnabled="true"}.

 

From here I'll leave it as an exercise for the reader. You could use sqlcmd.exe to query the SCS database for a list of AMT systems and their admin passwords. Then, loop through the list, using the command line above to enable the redirection listener on all your AMT systems.
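
One way to write the loop described above, as an added example rather than code from the original post. It swaps winrm.cmd for PowerShell's WS-Management cmdlets so that passwords never appear on a command line, and it reads the setting back to confirm the change. The file amt_hosts.csv and its Address and Password columns are hypothetical, as is the function name; the WinRM client configuration from the previous post is assumed to be in place.

```powershell
# Added example: enable the AMT redirection listener on a list of systems.
# Assumptions: amt_hosts.csv (hypothetical) has columns Address,Password,
# exported from your provisioning database; plain HTTP on port 16992 and
# the "admin" user, as in the article's command.
# The CSV holds admin passwords: restrict its ACL and delete it after the run.
$uri = 'http://intel.com/wbem/wscim/1/amt-schema/1/AMT_RedirectionService'

function Set-AmtRedirectionListener {
    param(
        [Parameter(Mandatory)] [string] $Address,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    $conn = @{
        ConnectionURI  = "http://${Address}:16992/wsman"
        ResourceURI    = $uri
        Authentication = 'Digest'
        Credential     = $Credential
        ErrorAction    = 'Stop'
    }
    # Read the current state first so the report shows what actually changed.
    $before = (Get-WSManInstance @conn).ListenerEnabled
    if ($before -ne 'true') {
        Set-WSManInstance @conn -ValueSet @{ ListenerEnabled = 'true' } | Out-Null
    }
    # Read it back instead of trusting the put.
    $after = (Get-WSManInstance @conn).ListenerEnabled
    [pscustomobject]@{ Address = $Address; Before = $before; After = $after }
}

$results = foreach ($row in Import-Csv -Path .\amt_hosts.csv) {
    $secure = ConvertTo-SecureString $row.Password -AsPlainText -Force
    $cred   = New-Object pscredential ('admin', $secure)
    try {
        Set-AmtRedirectionListener -Address $row.Address -Credential $cred
    } catch {
        # Record the failure without echoing the password.
        [pscustomobject]@{ Address = $row.Address; Before = 'error'; After = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize
```

The resulting table doubles as an inventory of which systems now accept SOL/IDER connections.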

 

I also want to point out one other trick. The AMT SDK includes a few command line apps as samples for developers that can actually be quite useful for end users as well. For example, let's say you don't want to use WinRM, but have the issue mentioned above. No problem: download the SDK and look for RedirectionConfig.exe. This tool does exactly what the above WinRM command does, only in fewer keystrokes and with no need for WinRM.

 

Hopefully this proves that WinRM can be useful when working with Intel AMT and has helped you make more sense of putting the SDK documentation into practice. Stay tuned. I hope to post some other AMT + WinRM tricks soon and to begin exploring some of the useful command line tools included with the AMT SDK.