
Hi!

Is anyone aware if there is any way to trigger BIOS recovery (normally available by a long power button press) remotely through AMT? I have a remote unattended system (NUC7i5DNHE). There I have left a small USB memory plugged in - just in case something would be needed for BIOS recovery. BUT, is there any way to trigger it via AMT (/MeshCommander)?? Anything maybe through a custom boot action??

 

My problem is that the remote update of BIOS to version DNKBLi5v.86A.0053.2018.0903.2245 fails with the following screen:

biosfail.png

 

Kind regards,

Chris

 

Intel® Manageability Commander (IMC) is a lightweight console used to connect and use the features of Intel® Active Management Technology (Intel® AMT). Authenticated and authorised users are able to connect to configured AMT devices to access services such as power control, remote hardware-based keyboard, video, mouse (remote desktop), hardware inventory and more.

 

Additionally IMC integrates with Microsoft* System Center Configuration Manager (SCCM) version 1511 and to provide reliable, TCP based mass wake capabilities for collections of configured AMT systems.

The IMC console extensions will automatically perform an AMT power-on action against collections of AMT systems for deployments triggered in SCCM. Additionally you can use IMC to manually power on collections of supported AMT systems directly from the SCCM console using the right-click context menu (see below).

 

Download and extract Intel® Manageability Commander. During installation, ensure that "Microsoft* SCCM Console Extension" is selected.

NOTE: This component can only be selected when installing on a Microsoft* SCCM primary site and when wake-on-LAN is enabled for scheduled tasks.

 

During installation you will be asked to specify the logon account for the "Intel(R) Managebility Commander SCCM Partner Notification File Service".

Console Extensions.GIF, Service_Account.GIF

The specified account should have "Logon As A Service" user rights as the installation creates a system service.

 

NOTE: Digest authentication credentials cannot be used when utilising IMC from SCCM against a collection; only Kerberos authentication is supported.

 

In the example below we've used the service account responsible for running the Intel Remote Configuration Service. Intel SCS is a separate component installed to support remote configuration of Intel AMT.

 

Please see this link for information on Intel® Setup and Configuration Software (Intel® SCS)

 

If the account doesn't have "Logon As A Service" privileges then the warning below will be displayed during installation. Use the Local Security Policy to assign the required user right to the service account.

Intel MC WoL Service.PNG, Logon As A Service.GIF

 

Once installation has been completed on the primary site, the SMS_EXECUTIVE service must be restarted to ensure features show up in Microsoft* SCCM.

 

Additionally, if the Microsoft* SCCM console was open during installation, then this will need to be closed and re-opened.

 

From the SCCM console, right-click against a collection and the option to "Power on with Intel Managebility Commander" is available.

 

It is recommended that you test the functionality manually first if you have configured AMT systems in the collection.

 

When performing a mass wake from SCCM on a collection, IMC will prompt the user for the optional use of TLS for the remote connections.

NOTE: When AMT wake is used as part of a deployment, IMC will default to using TLS for all remote connections.

Power On with Intel Manageability Commander.GIF, Power On with Intel Manageability Commander - TLS option.GIF

When performing a mass wake from SCCM on a collection, IMC will remain open so that the per-system status can be reviewed (see below)

Perform a bulk power operation.GIF

The final step will be to log on using the service account that runs the "Intel(R) Managebility Commander SCCM Partner Notification File Service" specified earlier. Once logged in, run Intel Manageability Commander and connect to a provisioned AMT device, then disconnect and log off.

 

This saves configuration changes for that account and ensures the "Intel(R) Managebility Commander SCCM Partner Notification File Service" is able to power on AMT devices unattended.

NOTE: A new version of the Intel® Setup and Configuration Software (Intel® SCS) Add-on for Microsoft* System Center Configuration Manager (SCCM) is now available.

 

The Intel® Setup and Configuration Software (Intel® SCS) Add-on for Microsoft* System Center Configuration Manager (SCCM) is a configuration wizard that creates collections, packages and task sequences that can be used to automatically discover, configure and maintain Intel Active Management Technology (Intel® AMT) within your organisation directly from the Configuration Manager Console.


This document details how to automatically discover AMT devices within your client estate to determine platform manageability capabilities and whether AMT firmware updates are required.

 

Subsequent articles will detail how to automatically configure, unconfigure and maintain Intel Active Management Technology (Intel® AMT)

Intermediate certificates act as a proxy for a Root certificate authority (CA) which is traditionally kept behind several layers of security i.e. “offline”, kept in a highly secure environment with limited access to ensure its keys are inaccessible.

 

Hence the Root CA is not used to directly sign SSL certificates but delegates these tasks to intermediate CAs. The Root certificate signs the intermediate certificate, which in turn is used to sign digital SSL certificates and maintain the "Chain of Trust."

 

Traditionally an Intel® AMT system could only use trusted root certificates or a full certificate chain (i.e. intermediate and leaf certificates) in its own certificate store to authenticate correctly. Intel SCS 12 now has support to enable the use of intermediate certificates to support authentication for any of the features below:

  • 802.1x Setups
  • Remote Access using a Management Presence Server
  • Mutual authentication in Transport Layer Security

 

You may say "so what" however this capability is becoming increasingly important where, for example the 802.1x network protocol is used to provide an authentication mechanism to devices wishing to connect to a corporate LAN or WLAN. The variety of RADIUS servers available i.e. Microsoft Network Policy Server (NPS), Aruba Clearpass, Cisco Identity Services Engine etc. means authentication is not always performed using a complete certificate chain, rather using an intermediate and leaf.

 

This feature enhancement should enable Intel AMT to integrate more easily into 802.1x environments to support robust network authentication and still be available to support out-of-band services such as KVM (keyboard, video, mouse) or power control when the OS isn't running or the system is powered off/down/hibernate within an enterprise environment.

Intel Setup and Configuration Software (SCS) 12.0 now defaults to TLS 1.1 to encrypt communications with Intel AMT. The TLS 1.0 protocol has identified security vulnerabilities, including CVE-2011-3389 and CVE-2014-3566.

 

The Remote Configuration Service (RCS) now uses TLS 1.1 for secure configuration, unconfiguration and maintenance operations of AMT devices. To continue to manage legacy AMT systems, you must opt in for TLS 1.0 support (or add it). With SCS 12.0, the RCS will first attempt to connect using TLS version 1.1, and only if the AMT system supports TLS 1.0 will it use that version.

 

You can optionally enable TLS 1.0 protocol support for backwards compatibility (for devices running Intel® AMT version 7.0 and newer only), either during installation/upgrade of the Remote Configuration Server (RCS) or after installation.

 

During installation the "Support for Transport Layer Security (TLS) Protocol 1.0" check box can be selected (not enabled by default). After pressing Next you will have to confirm that you want to enable TLS 1.0 protocol support.

If you are running Intel SCS 12.0 and experience provisioning errors such as "***********Exit with code 75. Details: Failed to complete remote configuration of this Intel(R) AMT device" when provisioning older AMT devices, check the following registry entry on the system running the RCS:

  • 32-bit Operating Systems: HKLM\SOFTWARE\Intel\Intel(R) Setup and Configuration Software\12\RCS\GeneralSettings\
  • 64-bit Operating Systems: HKLM\SOFTWARE\Wow6432Node\Intel\Intel(R) Setup and Configuration Software\12\RCS\GeneralSettings\
    • Set the key value for EnableTLS1.0 to 1 to ensure the RCS supports both TLS 1.1 and TLS 1.0 protocols for encryption.
    • If the key value for EnableTLS1.0 equals 0, the RCS defaults to support TLS 1.1 protocol.

Restart the RCSServer service to ensure it rechecks the value of this key.
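The registry check described above can be scripted when auditing an RCS server for the weaker TLS 1.0 fallback. This is an added example, not Intel's code or part of the original post; it assumes EnableTLS1.0 is stored as a numeric value under the GeneralSettings key, and the function names are hypothetical.

```powershell
# Added example (not Intel's code): audit the RCS TLS 1.0 opt-in on this server.
# Key paths and the RCSServer service name are the ones quoted in the post.
# Assumption: EnableTLS1.0 is a numeric value stored under GeneralSettings.
$RcsKeys = @(
    'HKLM:\SOFTWARE\Intel\Intel(R) Setup and Configuration Software\12\RCS\GeneralSettings',
    'HKLM:\SOFTWARE\Wow6432Node\Intel\Intel(R) Setup and Configuration Software\12\RCS\GeneralSettings'
)
$ValueName = 'EnableTLS1.0'

function Get-RcsTls10State {
    foreach ($key in $RcsKeys) {
        # Only one of the two paths exists on a given OS; skip the other
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-ItemProperty -LiteralPath $key
        $prop = if ($item) { $item.PSObject.Properties[$ValueName] }
        [pscustomobject]@{
            Key          = $key
            ValuePresent = $null -ne $prop
            Tls10Enabled = ($null -ne $prop) -and ([int]$prop.Value -eq 1)
        }
    }
}

function Disable-RcsTls10 {
    # Turns the fallback off wherever it is on, then restarts the service
    # so the RCS re-reads the value, as the post instructs.
    $changed = $false
    foreach ($state in (Get-RcsTls10State)) {
        if ($state.Tls10Enabled) {
            Set-ItemProperty -LiteralPath $state.Key -Name $ValueName -Value 0
            $changed = $true
        }
    }
    if ($changed) { Restart-Service -Name 'RCSServer' }
    return $changed
}

$report = @(Get-RcsTls10State)
if ($report.Count -eq 0) {
    Write-Output 'No SCS 12 RCS GeneralSettings key found on this machine.'
} else {
    $report | Format-Table -AutoSize
    if ($report.Tls10Enabled -contains $true) {
        Write-Warning 'RCS accepts TLS 1.0. Run Disable-RcsTls10 once no legacy AMT devices need it.'
    }
}
```

Run it from an elevated prompt on the RCS server; Disable-RcsTls10 is defined but not called, so the script only reports until you invoke it.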

 

Please reference the Intel® Setup and Configuration Software (Intel® SCS) User Guide for additional information

 

Intel® Manageability Commander 2.0 has also removed TLS 1.0 protocol support and will only support connections to devices running Intel® AMT version 7.0 and newer.

Download Intel® Manageability Commander version 2.0.245

 

If you need to remotely manage older AMT devices (than version 7.0) then an earlier version of Intel® Manageability Commander is available (not sure for how long though!)

Download Intel® Manageability Commander version 1.08

 

Finally, in AMT 12.0 firmware, support for TLS 1.0 has been removed and TLS 1.2 support has been added in its place.

We experience irrelevant AMT event log entries on HP 800 G2 machines. We have around 1000 of such machines and about 30% display system boot failure events in the AMT event log. But this event means nothing, as Windows 7 installed on these computers boots normally. This event appears in the event log after a normal reboot of the computer from the Windows 7 OS. Has anyone experienced a similar problem?

There are some situations in which it would be nice to be able to export and import Intel Setup and Configuration Service (Intel SCS) provisioning profiles...

 

  • Environments with multiple Intel RCS servers to accommodate provisioning workload where profiles need to be duplicated across servers
  • Environments with multiple Intel RCS servers because of organization administration demands (i.e. politics, segregation...) where profiles need to be copied across servers
  • Situations in which it is required to simply backup and restore profiles

 

 

Exporting profiles from Intel RCS is simple enough; from the Intel SCS console you use the toolbar to export profiles to an encrypted XML format file. But there is no import function on the Intel SCS console to import profiles from a backup file or another Intel RCS server.

 

So here's a simple solution; Intel RCS supports a WMI provider which is used to communicate with other software such as the SCS console and ACUConfig utility. Intel SCS provisioning profiles (amongst other things) can be read and written using this WMI provider. Windows PowerShell includes built-in cmdlets to provide easy access to WMI providers. With a little effort we can construct a couple of lines of PowerShell script to do everything we need to export, backup, restore and import profiles with Intel RCS servers.

 

The following code reads all Intel SCS profiles from an Intel RCS server and stores them in a PowerShell variable...

 

# Configure source RCS server
$SourceRCSServer = "SourceRCSServerHostname"


# Read profiles from source RCS server
$RCSProfiles = Get-WmiObject -Class "RCS_Profile" -Namespace "root/Intel_RCS_Editor" -Authentication PacketPrivacy -ComputerName $SourceRCSServer

 

Once we've read all the profiles, we may want to back them up. The following code copies our previously read profiles to a backup file...

 

# Save profiles to backup file

$RCSProfiles | Export-Clixml .\ProfilesBackup.xml

 

Sometime later we may want to restore our profiles. The following code restores our profiles from the backup file to a PowerShell variable...

 

# Restore profiles from backup file

$RCSProfiles = Import-Clixml .\ProfilesBackup.xml

 

And finally, if we want to write our profiles to one or more Intel RCS servers, the following code writes our profiles from a PowerShell variable to Intel RCS...

 

# Configure one or more destination RCS servers
$DestinationRCSServers = "DestinationRCSServer1", "DestinationRCSServer2", "DestinationServerN"


# Write profiles to destination RCS servers
foreach ($DestinationRCSServer in $DestinationRCSServers)
{
   # Read and delete any existing profiles on the destination RCS server
   Get-WmiObject -Class "RCS_Profile" -Namespace "root/Intel_RCS_Editor" -Authentication PacketPrivacy -ComputerName $DestinationRCSServer | Remove-WmiObject

   # Write all profiles to the destination RCS server
   foreach ($RCSProfile in $RCSProfiles)
   {
      # Copy each profile property into the arguments for the new RCS_Profile instance
      $ProfileArguments = @{
         ElementName        = $RCSProfile.ElementName
         InstanceId         = $RCSProfile.InstanceId
         Text               = $RCSProfile.Text
         ProfileDescription = $RCSProfile.ProfileDescription
         SolutionGUID       = $RCSProfile.SolutionGUID
         SolutionName       = $RCSProfile.SolutionName
      }
      Set-WmiInstance -Class "RCS_Profile" -Namespace "root/Intel_RCS_Editor" -Authentication PacketPrivacy -ComputerName $DestinationRCSServer -Arguments $ProfileArguments | Out-Null
   }
}

 

All of the above code assumes the currently logged on Windows user has access to the Intel_RCS_Editor WMI namespace and appropriate DCOM permissions on the Intel RCS server (see the Intel SCS Users Guide for information on configuring these permissions during Intel RCS installation). The example code can easily be enhanced, for example scheduling it to run regularly to automatically synchronize profiles across multiple Intel RCS servers or by using PowerShell's filtering capabilities to save some profiles and delete others.

 

Two cautionary notes:

 

  1. The code shown above to back up profiles to a file does not encrypt those files; therefore any plaintext credentials in the profile (e.g. the MEBX password, a fixed AMT admin password, AMT digest credentials or KVM RFB password) will be visible in the backup file. The Intel SCS package includes a file encryption utility called SCSEncryption that can be used to encrypt/decrypt profile backup files, or the files can be stored such that they are only accessible to authorized personnel.
  2. Profiles containing Microsoft Active Directory domain accounts, domain groups or certificate template information are tied to specific Active Directory installations because profiles store domain account, domain group and certificate template information by SID rather than by name. SIDs are specific to individual Active Directory installations, therefore profiles cannot be transported between installations if they contain domain accounts, domain groups or certificate template information. This means you can use the above scripts with Intel RCS servers if they are all part of the same Active Directory structure (which is typically the case with most organizations). But profiles containing domain accounts, domain groups or certificate templates cannot be copied between different customer environments or between customer test environments and production environments if they are based on different Active Directory installations.
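For the first cautionary note, one way to keep the unencrypted backup readable only by authorized accounts is to create the file with a restrictive ACL before any profile data is written to it. This is an added example, not part of the original post or Intel's tooling; the function name New-RestrictedFile and the sample profile object are assumptions made for illustration.

```powershell
# Added example (not from the original post): lock the backup file down to
# the current user and local Administrators BEFORE profile data is written.
function New-RestrictedFile {
    param([Parameter(Mandatory)][string]$Path)

    # Start from a fresh file so no explicit ACEs from an older copy survive
    if (Test-Path -LiteralPath $Path) { Remove-Item -LiteralPath $Path -Force }
    New-Item -ItemType File -Path $Path | Out-Null

    $me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $admins = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-544')  # BUILTIN\Administrators

    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, discard inherited ACEs
    foreach ($sid in $me, $admins) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $sid,
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Verify: every remaining ACE must belong to one of the two allowed SIDs
    $allowed = $me.Value, $admins.Value
    $extra = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $allowed -notcontains $_.IdentityReference.Value }
    if ($extra) { throw "Unexpected access entries remain on $Path" }
}

# Constructed sample standing in for the $RCSProfiles read from the RCS
$RCSProfiles = [pscustomobject]@{ ElementName = 'ExampleProfile'; Text = '<constructed-sample/>' }

$BackupPath = Join-Path $PWD 'ProfilesBackup.xml'
New-RestrictedFile -Path $BackupPath
# Export-Clixml overwrites the file content; the ACL set above stays in place
$RCSProfiles | Export-Clixml -LiteralPath $BackupPath
```

Creating and restricting the empty file first avoids the window in which a freshly exported backup would sit on disk with whatever permissions the folder hands down.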

Things are changing around here! Do you want to receive support direct from an Intel engineer? Intel® Business Support is a new portal designed to provide faster, more personalized assistance. Users submit tickets, track their tickets’ progress, and get their environment up and running faster within the Intel® Business Support website. Users are eligible to submit tickets by filling out a quick enrollment form.

 

If you choose not to enroll, you can access community-based support at the Intel® vPro™ Expert Center. The community, however, will no longer be supported by Intel experts. The only way to get assistance direct from Intel will be by enrolling. Enroll now and get your environment back on the fast track to success!

 

Intel® Business Support

Getting your business back to what’s important, faster.

bizsupport.intel.com

Implementing Intel vPro in a production environment is "easy" in comparison to a major project such as domain migration, email setup\migration, ERP setup\update, or changes due to business acquisition or divestiture.  A successful project requires disciplines across IT operations, business processes and governance, project management, client systems management, and understanding of the vPro\AMT technology.

 

That said - there are a few roles\responsibilities that might help.

 

Project Sponsor or Champion

The executive or project sponsor with the vision of success, the ability to get "buy-in" from others, and the foresight to navigate internal non-technical challenges.

 

Project Management

Coordination of resources, schedules, expectations, and so forth. A key role for any successful project, which often has representation both inside and outside a production environment.

 

Business Process Change Management

Intel vPro extends the reach of client system management with out-of-band capabilities. Understanding the current and future business processes and IT governance is key. Understanding the capabilities of Intel vPro and how it will augment and extend the environment is key. Understanding the desired future state of the environment and associated metrics is paramount.

 

IT Infrastructure

Intel vPro is focused on the security and manageability of the client systems. It leverages many of the infrastructural capabilities which exist as a foundation to build upon. Understanding the impacts, interactions, troubleshooting, and so forth is important technologically.

 

Client Systems Management

Understanding the usage models requires some technical experience with the platform. Combined with the roles above, along with the functionality of client system management and Intel vPro technology - this project team role\responsibility is critical.

 

Principal and Strategic Architects

Individual or team with a holistic understanding of the current and future state of the environment, upcoming technological advances, and so forth. Perhaps a superset of previously stated roles. This role\team assists in making visions become reality.

 

Agree or disagree?  Please share
