In a previous blog, we noted  the release of the Intel Core vPro Processer PowerShell Module.  The focus of this blog is to you get up and running with the vPro PowerShell Module.

 

If you haven’t already downloaded the vPro PowerShell Module, you can obtain it from the following location:

 

Configuring PowerShell and WinRM

Assuming that you already have PowerShell and WinRM installed, if not you can get it from here with the Windows Management Framework, you do need to perform some basic configuration to allow the vPro PowerShell Module to work properly

 

  1. By default, PowerShell has the Execution Policy set to Restricted.  At a minimum you need to change the execution policy to Allsigned; the vPro PowerShell Module can be ran at lower execution levels such as unrestricted and remotesigned if you so choose.  To change the Execution Policy to Allsigned, run  Set-ExecutionPolicy Allsigned within PowerShell
  2. If your Intel Core vPro Processor enabled client is configured in a Non-TLS and/or you are authenticating via Digest credentials, it will be necessary to adjust the WinRM configuration.
      • To configure WinRM to allow for unencrypted communication: winrm/config/client @{AllowUnencrypted="true"}
      • To configure WinRM to allow for digest authentication: winrm set winrm/config/client/auth @{Digest="true"}
      • To configure WinRM so that you can communicate with specific hosts, if may be necessary to configure the trusted hosts: winrm set winrm/config/client @{TrustedHosts="*"}

     

     

    Installing the Powershell Module

    You will see in the download zip 2 main directories: x32 and x64.  In each of the folders you find install binaries for the vPro PowerShell module.  Select the desired directory, based on the 32bit or 64bit windows OS you are running, and run setup.exe.  Simply follow the on screen instructions and allow the Module to install.  The installer is just copying the associated libraries and PowerShell scripts / CMDLets to the proper PowerShell Module directory.  If you want to take a peek at what was installed, you can look in the following folder: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\IntelvPro

     

     

    Make sure the Client is Provisioned and you have an Account to use

    Before you can use the Intel Core vPro Module on a capable client, you need to make sure that the vPro / AMT client has already been provisioned.  This provisioning can be done with any ISV or method; however, to invoke the use cases via the PowerShell Module, you will need to know an AMT Credential (Kerberos or Digest with sufficient access) that was configured on the vPro / AMT client along with knowing if the AMT Client was configured in a TLS / Non-TLS mode.  Knowing if TLS / Non-TLS mode was configured on the client is important because this will determine if you need to connect to the client over port 16992 (non-TLS) or 16993 (TLS).  If you are unsure, consult you vPro / AMT provisioning server documentation.

     

     

    Importing the Intel Core vPro Processor PowerShell Module

    Just like other PowerShell modules, before you can use it you need to import it.  To import the vPro PowerShell module, execute Import-Module IntelvPro from within PowerShell.  If you are not sure if you installed the vPro Powershell Module, you can run a Get-Module –ListAvailable to see if it is there.  Unless you place the import command into your powershell profile, you will need to import the module each time you open PowerShell.

     

     

    Using the Intel Core vPro Processor PowerShell Module

    Alright, you got PowerShell configured and the Module Imported, let’s start using it.  To get a list of CMDLets available in the module, just type Get-Command –Module IntelvPro.  With version 1.0 of the Intel Core vPro Processor PowerShell module, you will see the following list of CMDLets in list:

    • Clear-AMT3PDS
    • Clear-AMTAlarmClock
    • Clear-AMTSystemDefense
    • Get-AMT3PDS
    • Get-AMTAlarmClock
    • Get-AMTSystemDefense
    • Invoke-AMTForceBoot
    • Invoke-AMTPowerManagement
    • Set-AMT3PDS
    • Set-AMTAlarmClock
    • Set-AMTSystemDefense

     

    To view more detail and examples usage for each CMDLet, you can access the integrated help on any of the vPro PowerShell Module CMDLets by use the Get-Help command.  For example Get-Help Invoke-AMTPowerManagement -Full

     

     

    Some additional things to consider

     

    CMDLet Authentication

    To invoke commands against the Intel vPro / AMT Client, you must specific a set of credentials to authentication with.  Typical behavior of the Intel Core vPro Process PowerShell Module CMDLets are the follows:

    • When no credential is provided as a parameter, the script will use the local logged on Kerberos credential.
    • When only the username (Kerberos or Digest) parameter is included, you will be prompted to provide the associated password.
    • If you have your credential stored as a PowerShell PSCrendential variable, you may pass it into the script with the credential parameter.

    Note: When authenticating with Kerberos, for Active Directory authentication to work correctly you need to specify a hostname or the Full Qualified Domain Name (FQDN) as the computername parameter.

     

     

    Working with AMT Clients configured in Non-TLS and TLS

    If the AMT / vPro Client has been configured to use TLS (a web server certificate has been issued to the AMT management engine), you will be required to use port parameter 16993.  Non-TLS will use port parameter 16992.  When managing an AMT / vPro client over TLS (Port 16993), it is important that the computername parameter matches the primary subject name of the issued TLS certificate.  Typically this is the Full Qualified Domain Name (FQDN).

     

     

     

    --Matt Royer