NOTE: This resource and the associated series are a re-post of information provided at http://juice.altiris.com/node/4636 and related articles linked therein. Although the title and material make reference to Altiris, the core concepts apply to most Intel SCS based solutions.
The previous article in this series is http://communities.intel.com/docs/DOC-1920
Part 4 - Remotely resetting the provisioning state
When setting up and tearing down lab or development environments, resetting a solution, or performing similar work, the goal is to repeat a task or set of tasks without physically touching every system. For an operating system and application environment, a PXE boot and a Deployment Server with a fresh client image provide a foundation to automate such a task. How can a firmware configuration be reset remotely in the same way?
As part of the series on provisioning Intel® vPro™ after systems have been deployed, it may seem strange to address how to mass unprovision systems. However, scenarios arise, whether in the lab or in production, where the firmware settings must be unprovisioned or unconfigured remotely. Three common scenarios where this need has arisen:
Systems were provisioned in a Basic or Small-Medium Business mode. To change to an enterprise mode, the Intel® vPro™ firmware settings must be reset.
Systems were enterprise provisioned via a lab or development environment, and must now be unprovisioned or redirected to a production environment.
The management console and provisioning service used to configure the systems is no longer available, and a group of systems must be reset.
Via the Altiris Real-Time Console, Task Server, or the Intel® AMT Reflector Utility, resetting or unprovisioning of Intel® AMT firmware can be done remotely via the network interface.
Key Requirements to Keep in Mind
Once the Intel® vPro™ firmware is configured or provisioned, it is a service awaiting a properly authenticated request with appropriate authorization to execute the desired command. The command may be a configuration request or a system management request.
In addition to the Intel® AMT admin account, any user account defined in the provision profile with authorization to the PT Administration (Platform Technology Administration) realm on the network interface has the ability to change the configuration parameters. The default preference is to use the Intel® AMT admin account, with the password defined at the time of provisioning.
If TLS has been enabled, then the requesting user must have access to the root certificate of the issuing certificate authority. Generally speaking, provisioned systems often do not use TLS. In addition, if the Altiris provision profile included TLS, then the environment is already aware of the certificate server. The main caution is when a foreign or no longer existing environment had previously configured the Intel® vPro™ systems in TLS mode and was then removed: communication on the Intel® AMT HTTPS port 16993 will not be possible without the root certificate authority being trusted.
Partial UnProvision vs. Full UnProvision vs. Factory Default
When an Intel® AMT system is configured in Small-Medium business mode, only a Full UnProvision option is available. This erases all configuration settings, yet retains the MEBx strong password.
When an Intel® AMT system is configured in Enterprise mode, both a Partial and a Full unprovision option are available. Partial unprovision retains the pre-shared keys from the last provisioning event and leaves the firmware in a setup mode. When in setup mode, the firmware will attempt to obtain an IP address and then attempt to locate the ProvisionServer DNS record. Full unprovision, like the Full UnProvision mentioned above for Small-Medium Business mode, removes all settings including the provisioning or pre-shared keys from the system. Again, the last value set for the MEBx password is retained and is not reset.
Returning to a true factory default state is to reset all of the management firmware settings including the MEBx password back to admin. Typically, this option cannot be done remotely. Some OEM implementations offer a system BIOS option to reset to factory defaults - this has been seen on select Lenovo and HP mobile platforms. In these scenarios, accessing Enter BIOS at Startup via Real-Time Console > Real-Time Systems Manager > Hardware Management will initiate a Serial-over-LAN session to view the BIOS settings and reset the Intel® AMT configuration. An example screenshot of the Remote Control terminal with an option to Unconfigure AMT on the next boot using an HP 6910p laptop is shown below:
Since the BIOS option to fully reset Intel® AMT is available in only a few systems, this capability is not always available remotely. The other option is a CMOS clear, which will also reset the system BIOS and can only be accomplished locally at the client system.
UnProvisioning a Single System via Real-Time Console
The previous sub-sections of this article have set the stage. Now the focus is on unprovisioning the Intel® vPro firmware settings via the Real-Time Console. By double-clicking on a provisioned system known by the Altiris environment and navigating to Real-Time System Manager > Administrative Tasks > Provisioning Mode, the example screen below is presented to the Altiris administrator. The full options on the screen are available ONLY when the client is provisioned in enterprise mode. This screen will allow a reset or unprovision within enterprise mode, or the ability to fully unprovision and set the firmware to Small Business mode. When executed, the task will also delete the matching Intel® AMT system entry from the IntelAMT database. This action can be validated both in the provisioning logs and by viewing Intel® AMT systems within the Out-of-Band Management interface.
Using Task Server to UnProvision Several Systems at a Time
Similar to the Real-Time Console option to unprovision a single system, a predefined job also exists within Altiris Task Server, allowing a collection or multiple systems to be targeted for an unprovisioning event. Only systems provisioned in enterprise mode and to which the administrator has access can be partially or fully unprovisioned.
It may be best to create a new job within Task Server and copy the existing template Update Intel® AMT Settings, which is located under Server Jobs > Real-Time Console Infrastructure.
In a future article, migration scenarios will be addressed. One example scenario is to migrate the configuration and provisioning routines from one ProvisionServer to the next. If the systems were known by the Altiris environment, this job within Altiris Task Server could be assigned to the collection for a partial unprovision routine. Once the firmware of the target systems is returned to a setup state, they will begin attempting to locate the ProvisionServer DNS record, which should be pointed to the new destination server. This is just one idea on why and how this particular Task Server job could be utilized.
Command Line Scripting Option
The last option in this article to unprovision several systems is via a command line tool, which could be integrated into a customized script. At one time, the unprovision.exe utility was available via the Intel® AMT SDK. However, this was replaced and enhanced via the Intel® AMT Reflector Utility. In addition to fully unprovisioning systems, this utility can be used for other advanced functions and capabilities.
The key item to remember is that the utility updates only the firmware, and not the configuration database. Therefore, if the Intel® vPro™ clients were provisioned by the Altiris environment, the previous options may be better suited. Also - if the primary intent is to update both the configuration database and the FQDN setting in the firmware - a previous article by Joel Smith (http://juice.altiris.com/node/4268) may be best suited for the Altiris environment, or you can venture into unsupported options of the Intel® vPro™ Activator utility. The next article will cover more on the advanced options of the Intel® vPro™ Activator utility - both what is supported and what is officially not supported within an Altiris environment.
Returning to this article - the Intel® AMT Reflector Utility is demonstrated and available at http://communities.intel.com/docs/DOC-1431. The utility includes a PDF document with more information, along with a single installation package with options for both server and client components. The executable for command line operations from the installation package is Intel AMT Reflector Client Console.exe. For simplicity in working with this executable, it may help to rename the file to an abbreviated name such as reflector.exe.
When using the command line utility to unprovision a client, it must be executed from a system remote to the target Intel® vPro™ client in order to reach the network interface. The screenshot below shows the available options along with an example of fully unprovisioning a system that was set up in Small-Medium Business (SMB) mode.
Because the screenshot is hard to read, the actual command is re-typed below for reference. As mentioned above, the executable was renamed to reflector.exe for the purpose of the screenshot example. The target system is HPDC7700sys2.vprodemo.com, with an Intel AMT admin password of P@ssw0rd. Interestingly, one of the switches in the command is -server. Since a configured Intel® vPro™ system responds to out-of-band management service requests, it is considered a "server" in this context. Also, the port given refers to a non-TLS setup of the Intel® vPro™ firmware, which uses port 16992. If the system were provisioned in TLS mode, the port would be 16993.
Reflector -user admin -pass P@ssw0rd -server HPDC7700sys2.vprodemo.com -port 16992 -unprov
After running the command, the output indicates a successful unprovisioning of the target client. Once completed, the client will remain in an unconfigured mode until further actions are taken.
Part 4 Summary
Provisioning of Intel® vPro™ into the target Altiris environment after deployment may require a reset from a previously configured state. In the past, this reset often required visiting each system to reset it via the MEBx, the BIOS, or a CMOS clear. Options and utilities exist to perform unprovisioning or resetting of the configuration remotely, including the ability to define a task or utilize a command line script.
The next article in this series is http://communities.intel.com/docs/DOC-1922