All Intel-provided code snippets in or attached to this blog are provided under the BSD License unless otherwise specified.
The last time I demoed our vPro capabilities at one of my customers I came back with interesting question that immediately caught my attention. This customer has quite a large number of workstations for users, that do not have their own computer. These users would log-in to these workstations, check their emails, browse the web, etc. and log-off afterwards. During these sessions the IT department would be required to ask for user consent while they would use KVM, which would be OK, since there would be someone in front of the PC, who most likely just called the help desk for support.
When nobody is using these workstations, hence no user is currently logged in, IT would like to be able to control these workstations without User Consent, since there would most likely be no one in front of the PC to tell them the required PIN.
To summarize, they would like to switch on User Consent as soon as a user is logged in and switch it off, as soon no one is using the PC.
This sounds very much like a job for the new Intel vPro PowerShell Module. Since version 3.1 there is the capability to actually mount the vPro configuration settings as a PowerShell drive and access the individual settings as if they would be files on a hard disk. One of these settings is the flag that determines, whether User Consent is required or not.
To build a small POC out of this idea, I had to write a Powershell script that checks, whether a user is logged on to a certain machine. During some research inside the Powershell community, I came across a blog post on Technet, that described the caveats of checking this to quite some extend.
As recommended in this article, I used the PSLoggedon utility to determine whether a user was using the workstation or not.
The next step was to actually switch on or off the User Consent inside the firmware. To do that I mounted the AMT settings as a PSDrive:
New-PSDrive -Name AMT -PSProvider amtsystem -Root "\" –ComputerName $Computer -Credential $myPScredential
To switch the setting I only had to change the value to either “true” or “false”
Set-Item AMT:\Config\KVM\ConsentRequired -Value "false"
As a last step, I would dismount the PSDrive again
Remove-PSDrive -Name AMT
Take a look at the script below to get the whole picture.
I believe that is another great example how Powershell and the Intel vPro Powershell module can help you overcome some complex problems, that would have been very hard to tackle otherwise.
Some caveats to this solution you should be aware of:
- PSLoggedon needs the remote registry service to run on the target machine to work
- The target machine’s firewall needs to allow remote WMI calls to pass
- You need to be careful when using RealVNC’s Viewerplus to do this: Even though I personally like the ViewerPlus product from RealVNC very much, if you connect using the AMT KVM Ports, it does configure the User Consent Requirement according to its options every time it connects – regardless of what is actually stored in the firmware. But using ViewerPlus connection through the VNC protocol or any other VNC solution works OK.
- This obviously only works when you used Admin Mode/Remote Configuration when configuring vPro on the target machine. Even with the PowerShell scripts, there is no way to switch off the User Consent Requirement if the machine was configured using Client Control Mode/Host Based Configuration.
Some extensions one could think of:
- Using the vPro Powershell module to check whether the workstation is powered on at all – and if not power it on and switch off the User Consent Requirement
- Checking whether KVM is supported at all – AMT Firmware >6.0
Feedback, whether this is useful for other users as well, is always welcome.
consent.ps1 1.8 K