Part 5: Post Deployment of Intel vPro in an Altiris Environment

Version 1

     

    NOTE: This resource and the associated series are a re-post of information provided at http://juice.altiris.com/node/4636 and related articles linked therein. Although the title and material make reference to Altiris, the core concepts apply to most Intel SCS based solutions.

     

    The previous article in this series is http://communities.intel.com/docs/DOC-1921

    Part 5 - Intel® vPro™ Activator Utility

    The last few articles have highlighted Altiris-specific tools and approaches to initiate Intel® vPro™ provisioning in a post deployment situation. This article will focus primarily on the Intel® vPro™ Activator Utility, which is the successor to the RCT.exe utility mentioned in a prior article by Joel Smith (http://juice.altiris.com/node/3612). The latest version of the Intel® vPro™ Activator utility is available at http://www.intel.com/software/activator, with the download including a PDF document containing additional information specific to the utility. This article will highlight the core items, setup, usage, and troubleshooting aspects for production usage. Readers of this article should already have a base understanding of provisioning Intel® vPro™ or Intel® AMT systems within an Altiris environment.

     

    Core Purpose, Requirements, and Considerations

    When the Altiris OOB Task Agent, Delayed Provision, or default profile settings in Resource Synchronization cannot be used throughout an environment, an alternative approach is the Intel® vPro™ Activator Utility. The one key function that the Altiris Delayed Provision Task and agent perform, and that Activator does not currently support, is transitioning from ASF to AMT manageability mode.

     

    If the ProvisionServer DNS record does not exist, or a preferred Altiris Notification Server is to be targeted for provisioning of a specific Intel® vPro™ system, the Activator utility provides flexibility by directly specifying the target server. Development, multiple client-facing Notification Server, or migration scenarios may present a valid reason to consider using the Activator utility.

     

    The Activator utility is used primarily as a local client agent or script to initiate and direct provisioning events. It can also be used to specify the provision profile and Active Directory OU, change the manageability feature from None to AMT, synchronize the FQDN among the 3 primary entities (e.g. operating system, Intel® vPro™ firmware, and the provisioning service database), and so forth. When executing the utility, the associated DLLs included in the download must be registered or in the same directory for the utility to execute properly.

     

    The utility requires that the HECI\MEI and LMS drivers for Intel® AMT are loaded on the client. These drivers and services allow for the agent to securely communicate through the operating system layer to the firmware.

     

    Most of the features and functions of the utility require the Intel® vPro™ firmware to be in a setup state. This means that the system is not provisioned, yet is either remote configuration capable or the pre-shared keys have been entered.

     

    Many of the utility's advanced features require the latest version of Intel® SCS to be installed on the target ProvisionServer, which may include versions of the setup and configuration service which are not officially supported by Altiris. The latest version supported by Altiris is Intel® SCS 3.2.1, as indicated in Altiris KB40076 at http://kb.altiris.com/. It is recommended that Altiris KB40117 also be reviewed and applied to update the Real-Time Console Infrastructure in regards to Intel® AMT 2.2 and 2.6 clients. The latest version of Intel® SCS is posted at http://softwarecommunity.intel.com/articles/eng/1025.htm, with version 3.3.1.4 shown at the time this article was written.

     

    NOTE: If unsure what version of Intel® SCS is loaded on your system, check the AMTCONFIG service within the Microsoft Windows Services.

    NOTE: Intel® SCS versions above 3.2.1 have not been tested nor validated with Altiris Out of Band Management. Upgrading to version 3.3 or higher may provide full capabilities such as the /f option for the Intel® vPro™ Activator Utility, yet is done at the IT administrator's own risk.

    For functions beyond initiating the hello packet sequence or transitioning to AMT enabled in the MEBx, the Activator requires a Configuration Client role to be defined. This role identifies a privileged domain account or group that must be used to run the utility from the Intel® vPro™ client. The Configuration Client role is used to access the AMTSCS_RCFG virtual web directory to apply updates to the profile assignments database tables or other events. This will require the Intel® vPro™ client to be joined to the target Microsoft Active Directory domain.

     

    The Intel® vPro™ client MUST be able to resolve the DNS address of the target server's FQDN. In some cases, the ipconfig /flushdns and ipconfig /registerDNS commands may be needed to update the client's host operating system DNS cache and to register the current FQDN of the client into the dynamic DNS environment.


    Initiating Hello Packets and Transitioning to AMT mode

    A prior Altiris Juice article (http://juice.altiris.com/node/3612) highlighted the basic features of the Activator utility. The following command provides an example of reinitiating hello packets to the ProvisionServer DNS address, while transitioning to AMT mode and directing the command output to the console. If the ProvisionServer DNS address is not presently in the target IT infrastructure environment, the command can specify the FQDN of the target Altiris Notification Server handling provisioning requests.

     

    Activator.exe /s http://provisionserver.vprodemo.com/amtscs /t on /h /c

    If successful, the output of this command will include a statement indicating the utility successfully sent the hello packets. Three hello packets will be sent. An exit code 7 is expected, as complete setup of the utility and environment was not performed.

     

    The example script above could be modified to omit the /t on and /c options. They were shown only for example purposes, and their purpose is covered later in this article.

     

    Preparing for Advanced Intel® vPro™ Activator Utility Usages

    The advanced usages will require a Configuration Client user role to be defined for Intel® SCS. At the time this article was written, that user role was not available in the Altiris provisioning console (e.g. Out of Band Management > Configuration > Provisioning > Configuration Service Settings > Users). However, the Intel® SCS console which is included in the main download at http://softwarecommunity.intel.com/articles/eng/1025.htm does include this option.

     

    Once the ZIP file is downloaded, extract out AMTConsole.exe which is approximately 2.65MB in size. Run the executable to install the console. Once installed, start the Intel® SCS console and a window similar to the one below will be shown:


    The Service Name desired is the same as the Service Location shown in the Altiris provisioning console (e.g. Out of Band Management > Configuration > Provisioning > Configuration Service Settings > Service Location). Once entered, the console will appear.

     

     

    The following steps will add the Domain Users group as the Configuration Client role. For example purposes only, this will allow any authenticated domain user to use the Intel® vPro™ Activator Utility to specify the configuration parameters at time of provisioning. For actual deployment environments, a different user or group can be selected based on the administrator's preference.


    1. Within the Intel® SCS Console, navigate to Configuration Service Settings > Users and Groups

    2. Within the Users and Groups window, select Add to open the New User\Group window

    3. From the Role pull down, select Configuration Client

    4. For the User\Group Name, press Add

    5. On the Name Query entry, enter Domain User and click Find

    6. Select the entry in the Results pane which will be the Domain Users group and click OK

    7. After completing the previous steps, the following screen should appear.

    8. Accept the changes and return to the Intel® SCS console with the new settings.

     

     

    Command Scripts to Specify Profile Assignments

    The default approach to determine the profile assignments is via Resource Synchronization. As indicated previously, the Intel® vPro™ Activator Utility can be used to directly specify the settings shown below when initiating the provisioning from the client. This allows greater control for environments wanting to use specific profiles and Microsoft Active Directory OUs based on the location, type, user, or other criteria of a particular Intel® vPro™ system in the environment. These settings are necessary to avoid Properties Script Failed or Missing Configuration Parameters types of errors in the provisioning logs, which are usually avoided automatically by Resource Synchronization. Again, the goal here is to specify custom or preferred profile assignments on a client-by-client basis.


    When using the full potential of the Activator utility, the profile ID and Microsoft Active Directory OU must be specified. The following example command was executed locally on a client to get the Profile Assignment settings shown above:


    Activator /s http://altiris.vprodemo.com/amtscs_rcfg /p 2 /o OU=AMTOU,DC=VPRODEMO,DC=COM /c /h

    A few items to note in the above command:


    • The server address must specify whether HTTP or HTTPS is used. This is the same setting as shown in the Service Location of the Altiris provisioning console

    • The AMTSCS_RCFG must be specified to direct the configuration parameters to the correct virtual web directory

    • The number after /p determines the desired profile ID. Within the Altiris provisioning console, each of the Provision Profiles has a number or identifier associated

    • The value after /o determines the Microsoft Active Directory Organizational Unit to be used. In lab tests, if Integration with Active Directory had not been specified, this value still had to be defined, yet was not used in the actual provisioning sequence.

    • The /c specifies that output from the command be directed to the console. If not included, a TXT file will be created in the same directory as the Activator utility showing the output of the command.

    • The /h specifies that in addition to sending the configuration parameters, initiate the hello packets.

     

    Additional options and command switches are referenced in the documentation of the Intel® vPro™ Activator Utility. The one command not supported by Intel® SCS version 3.2.1 is the /f option to synchronize the FQDN value. That command requires SCS version 3.3 or higher. Updating the environment to version 3.3 or higher would be at your own risk, as any versions above 3.2.1 are not officially supported by Altiris at the time this article was written. An article posted by Joel Smith for updating of the FQDN provides a supported path within an Altiris environment.

     

    Common Error Code and Resolutions

    The full list of error or exit codes for the Intel® vPro™ Activator Utility is included on page 8 of the User guide included in the download. The codes most commonly seen in lab and production usage per the guidelines in this document, with their typical resolutions, include:

     

    • Exit Code 1: The system is already provisioned.

    • Exit Code 3: Ensure the HECI\MEI and LMS drivers are loaded. Check to ensure Intel® AMT is enabled via the system BIOS on select client platforms.

    • Exit Code 6: The user or group defined as Configuration Client role was not the logged in user at the time the Activator utility was executed.

    • Exit Code 7: If only initiating hello packets, this exit code is expected with success indicated in the output. Otherwise, check to ensure whether an HTTP or HTTPS value should be used, and the AMTConfig service is running on the target server.

    • Exit Code 8: Check the provisioning logs to determine what error or event was recorded by the AMTConfig service.

    • Exit Code 11: The /t on command is needed to transition the manageability feature to Intel® AMT

    • Exit Code 15: Intel® vPro™ systems which do not support remote configuration or that are being provisioned via pre-shared key may experience this error. If so, the PID value must be specified in the Activator command script. An example would be /d 4444444, where 4444-4444 is the PID.
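
    The command notes and exit-code resolutions above can be combined into one client-side wrapper that checks the prerequisites, runs the utility, and interprets the result. This is an added example, not part of the original article or the Activator download; the function name, its parameters, the default Activator.exe path, and the treatment of exit code 0 as success are assumptions.

```powershell
# Added example: wrapper using only switches shown in this article (/s /p /o /c /h).
# Function name, parameters and default path are hypothetical.
function Invoke-AmtActivator {
    param(
        [Parameter(Mandatory)][uri]$Server,         # Service Location URL
        [int]$ProfileId,                            # value for /p
        [string]$Ou,                                # value for /o
        [string]$ActivatorPath = '.\Activator.exe'  # assumed; DLLs sit beside it
    )
    # Without /p the run only initiates hello packets.
    $helloOnly = -not $PSBoundParameters.ContainsKey('ProfileId')

    # The server address must state HTTP or HTTPS explicitly.
    if (-not $Server.IsAbsoluteUri -or $Server.Scheme -notin 'http', 'https') {
        throw 'Server must begin with http:// or https://'
    }
    # Profile assignments must go to the AMTSCS_RCFG virtual directory.
    if (-not $helloOnly -and $Server.AbsolutePath -notmatch '^/amtscs_rcfg/?$') {
        throw 'Profile assignment requires the AMTSCS_RCFG virtual directory'
    }
    # /o must be defined alongside /p, even without Active Directory integration.
    if (-not $helloOnly -and -not $Ou) { throw 'An OU (/o) is required with /p' }
    # The client must be able to resolve the target server's FQDN.
    try { [void][System.Net.Dns]::GetHostEntry($Server.Host) }
    catch { throw "Cannot resolve $($Server.Host); try ipconfig /flushdns and /registerdns" }
    # The Configuration Client role requires a domain-joined client.
    if (-not $helloOnly -and -not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        throw 'Client is not joined to an Active Directory domain'
    }

    $argList = @('/s', $Server.OriginalString)
    if (-not $helloOnly) { $argList += '/p', $ProfileId, '/o', $Ou }
    $argList += '/c', '/h'
    & $ActivatorPath @argList | Out-Host   # keep utility output off the return value
    $code = $LASTEXITCODE

    $hints = @{   # resolutions taken from the exit-code list above
        1  = 'System is already provisioned.'
        3  = 'Check HECI\MEI and LMS drivers, and that AMT is enabled in the BIOS.'
        6  = 'Logged-in user is not in the Configuration Client role.'
        7  = 'Check HTTP vs HTTPS, and that AMTConfig is running on the server.'
        8  = 'Check the provisioning logs for the AMTConfig service entry.'
        11 = 'Add /t on to transition the manageability feature to Intel AMT.'
        15 = 'Specify the PID with /d.'
    }
    # Exit code 7 is expected for a hello-only run; 0 as success is an assumption.
    $ok = ($code -eq 0) -or ($helloOnly -and $code -eq 7)
    $hint = if ($ok) { 'No action needed.' } else { $hints[$code] }
    [pscustomobject]@{ ExitCode = $code; Expected = $ok; Hint = $hint }
}
```

    Calling it with only -Server reproduces the hello-packet case; adding -ProfileId and -Ou reproduces the profile assignment command shown earlier.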

     

    Part 5 Summary

    When the traditional Altiris tools and methods are unable to initiate the hello packets, the DNS record for ProvisionServer does not exist, or the administrator wants to control the exact configuration parameters when initiating an Intel® vPro™ provisioning event, the Intel® vPro™ Activator Utility provides a capable command script option. Some of the advanced features of the utility require extra setup such as the Intel® SCS console, defining a Configuration Client role, and so forth. Some features require a higher version of Intel® SCS than presently supported by Altiris, although lab usage did not reveal any immediate issues. The Activator utility is a versatile tool in the deployment and provisioning of Intel® vPro™, and may be a welcome addition to the toolset of an IT administrator.