List of resources and insights to provisioning Intel vPro in an Altiris environment

Version 9

    The following checklist of items provides a reference point when preparing to provision and enable Intel vPro in an Altiris version 6 environment. This document is posted online as a resource, and is expected to receive updates over time. Please check the version and date at the top of this resource for updates. This material is provided "as-is" with an invitation for community members to utilize, comment on, and improve.

     

    With the release of Altiris CMS7, customers are starting to deploy\update and are looking for insights on provisioning and using Intel vPro technology.  Most of the core principles and information provided below apply to both CMS6 and CMS7.  The key changes with CMS7 are that the Intel SCS is version 5.x, the administrator must install\configure an OOB Site service separately from the CMS7 install, and the remote configuration provisioning certificate is stored in "My Certificates" rather than "Local Computer Certificates".  A video was created to briefly introduce and step through the process.  The video is posted on Symantec Connect and is embedded among a collection of videos posted at http://www.intel.com/go/managefusion

     

    If printed or exported to PDF format - this material originates from http://communities.intel.com/docs/DOC-2032

     

    NOTE: A Microsoft Word document version of this checklist is attached. You can use it to fill out the checklist.



    Foundational Information and Resources

     

    The following resources may be of interest in understanding the Intel® vPro provisioning process within an Altiris environment.

    Do you know if Intel AMT is inside your environment?


    Take a look at the following article on how to run a custom inventory scan in your environment, which helps to identify systems that are Intel AMT capable.  This custom inventory will provide you with a snapshot of the systems, and it does not require the Altiris agent to already be loaded on the client system!  http://www.symantec.com/community/node/6382

    How will the Intel vPro technology with Altiris be used in your environment?

    Description and Example

    Priority Rank (1=high, 5=low)

    Remote Power on. Example - http://juice.altiris.com/node/2182

    Out-of-Band Asset Inventory. Example - http://communities.intel.com/docs/DOC-2021

    Hardware-based isolation and remote remediation. Example - http://communities.intel.com/docs/DOC-1927

    Remote diagnostics and repair. Examples - http://juice.altiris.com/node/6094

    Other use case?


    General Infrastructure Questions

    Question

    Reference Point

    Answer and Comments for Target Environment

    Is there a dynamic DNS record for each Intel vPro client in the environment?

    Understanding how DNS\IP mappings and updates occur within the environment is relevant to provisioning and to subsequent use of the Intel vPro technology. If unsure about a client's DNS registration, use ping and nslookup to determine it.

    Example: "ping -a 192.168.0.15" returns "vproclientsystem.vprodemo.com".  Using the returned value, type "nslookup vproclientsystem.vprodemo.com" and ensure the mapping is found.

    If changes are required to the DNS, Microsoft Active Directory, Microsoft IIS configuration, Microsoft SQL database servers, or other infrastructure components - do you have the access, contacts, and associated change control processes to handle them?

    Review the provisioning documents referenced above. More will be addressed in the provisioning section below.

    Are there network port restrictions which may affect the Intel vPro management traffic?

    Common network ports for Intel vPro include:

    • 16992 - AMT port for non-TLS communication

    • 16993 - AMT port for TLS communication

    • 16994 - AMT port for non-secure SOL/IDER. Also used for provisioning from SCS to AMT

    • 16995 - AMT port for secure SOL/IDER

    • 9971 - Default port used for initiating provisioning events

    • 56666 - SOL-IDER port for communication

    In addition to network ports, please note if client systems are behind NAT, outside the corporate network, or require enterprise access control security (e.g. 802.1x, NAC, NAP, etc.) to access the network.
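The two infrastructure checks above (the ping/nslookup round-trip for each client's dynamic DNS record, and reachability of the Intel AMT ports) can be automated from the management station. The following is an added example written for this checklist; it is not Altiris or Intel code. The port list and descriptions are taken from the checklist, the host name and IP in the `__main__` section are the checklist's demo values, and the resolver and connect functions are injectable so the logic can be exercised offline with constructed data.

```python
"""Pre-provisioning network checks for Intel vPro clients.

Added example, not from the original checklist or from Altiris/Intel.  It
automates two of the General Infrastructure questions:

  1. Does the client's dynamic DNS record round-trip?  The reverse lookup of
     the IP ("ping -a") must give a name whose forward lookup ("nslookup")
     still contains that IP; otherwise the record is stale or missing.
  2. Can the management station reach the Intel AMT TCP ports listed in the
     checklist?  An unreachable port points at a firewall, NAT or
     access-control restriction to resolve before provisioning.
"""
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Ports listed in the checklist, with the checklist's description of each.
AMT_PORTS: Dict[int, str] = {
    16992: "AMT port for non-TLS communication",
    16993: "AMT port for TLS communication",
    16994: "non-secure SOL/IDER; also used for provisioning from SCS to AMT",
    16995: "secure SOL/IDER",
    9971: "default port for initiating provisioning events",
    56666: "SOL/IDER communication",
}


def _reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup: IP -> host name, or None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def _forward_lookup(name: str) -> List[str]:
    """A lookup: host name -> list of IPv4 addresses (empty when unresolvable)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_dns_roundtrip(ip: str,
                        reverse: Callable[[str], Optional[str]] = _reverse_lookup,
                        forward: Callable[[str], List[str]] = _forward_lookup) -> Dict[str, Optional[str]]:
    """Classify a client's DNS state as ok, no-ptr, no-a-record, or stale."""
    name = reverse(ip)
    if name is None:
        return {"ip": ip, "name": None, "status": "no-ptr"}
    addrs = forward(name)
    if not addrs:
        return {"ip": ip, "name": name, "status": "no-a-record"}
    if ip not in addrs:
        # The PTR names a host whose A record now points elsewhere: a stale
        # dynamic DNS entry, which will misdirect management traffic.
        return {"ip": ip, "name": name, "status": "stale"}
    return {"ip": ip, "name": name, "status": "ok"}


def _tcp_connect(host: str, port: int, timeout: float) -> bool:
    """True when a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_amt_ports(host: str, ports: Iterable[int] = AMT_PORTS, timeout: float = 2.0,
                    connect: Callable[[str, int, float], bool] = _tcp_connect) -> Dict[int, bool]:
    """Return {port: reachable} for the given management ports on one client."""
    return {port: connect(host, port, timeout) for port in ports}


def demo_local_probe() -> tuple:
    """Offline self-check: probe a listener on localhost, then the same port after it closes."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe_amt_ports("127.0.0.1", [port], timeout=1.0)[port]
    listener.close()
    after_close = probe_amt_ports("127.0.0.1", [port], timeout=1.0)[port]
    return while_open, after_close


if __name__ == "__main__":
    # Demo values from the checklist; replace with a real client in your environment.
    print(check_dns_roundtrip("192.168.0.15"))
    for port, reachable in probe_amt_ports("vproclientsystem.vprodemo.com").items():
        print(f"{port:>5} {AMT_PORTS[port]:<60} {'open' if reachable else 'unreachable'}")
```

A "stale" result is the case the checklist's question is really about: the dynamic DNS entry still names the client, but the name now resolves to another address, so any console that resolves by name will manage the wrong machine. Run the port probe from the same subnet as the Altiris server first, and again from behind any NAT or 802.1x boundary that clients sit behind.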

     

    Altiris Server Infrastructure and Preparations

    Question

    Reference Point

    Answer and Comments for Target Environment

    Have you recently performed a Basic Health Check on your target Altiris server?

    Information available at https://kb.altiris.com/display/1/articleDirect/index.asp?aid=33202&r=0.1938898

    How many client facing Altiris Notification Servers are in the environment?

    For the purposes of initial deployments, start with a single Altiris NS server.

     

    Multiple Altiris Notification Servers are supported. Determining which will act as ProvisionServers and how the Altiris CMDB inv_oob_capability tables are updated will be addressed in the provisioning section below.  When ready to explore a full implementation, the following deployment series may be of interest (http://juice.altiris.com/node/4821), along with the series on using Altiris Out-of-Band Management in a Multiple NS Environment (http://juice.altiris.com/node/3771).

    What other client management consoles are used in the environment?

    Potential answers might include Microsoft SMS, Microsoft SCE\SCOM\SCCM, LANDesk, HP OpenView, custom developed solutions, or others.

    Are you expecting more than one client management console to utilize the Intel vPro technology?

    Similar to multiple Altiris Notification Servers, the important aspect is how other consoles are made aware of provisioned Intel vPro systems.

    Are you running Microsoft SQL Server on the same system as the Altiris Notification Server, or on a separate one?

    Either configuration is supported, yet the important recommendation for initial deployments is that the Altiris CMDB and IntelAMT database instances reside on the same Microsoft SQL Server.  Alternative setups exist and are supported, yet the basic setup is recommended for initial deployments.

    What version of Microsoft SQL Server are you using in the environment?

    SQL2000 SP4 or SQL2005 are commonly supported.  Installation of the Altiris Out-of-Band Configuration Service (OOBSC) will create the database "IntelAMT".

     

    Will the installation of Microsoft .NET 2 or higher affect your current Altiris environment?

    Core Altiris v6 environments use .NET 1.1, whereas the modules needed for the Intel vPro configuration service require .NET 2 or higher.

     

    For more information, please refer to https://kb.altiris.com/article.asp?article=3890&p=1.  Some environments may require a hotfix from Altiris (refer to KB38640) to allow .NET 2 or higher.

    Are the correct modules and supporting licenses installed for the Altiris environment to fully support the Intel vPro Technology?

    Core Altiris modules and versions include:

    • Notification Server 6.0.6074 with SP3 applied

    • Real-Time Console Infrastructure 6.3.1066 or higher

    • Out of Band Management 6.2.1035 or higher

    • Out of Band Setup and Configuration Solution 6.2.1040 or higher

    • Real-Time Systems Manager 6.3.1066 or higher

     

    Installation of Altiris Out-of-band management will add the virtual web directory "AMTSCS" to the Microsoft Internet Information Server. The silent install of Intel Setup and Configuration Service (SCS) will configure this web directory for HTTP usage.

    What updates were applied to the Altiris environment in relation to Intel vPro technology?

    The following article describes an optimal provisioning environment with references to provisioning approaches, Altiris updates and settings, client settings, and so forth - http://juice.altiris.com/node/4082.  The article highlights three recommended updates available on the Altiris Knowledgebase (http://kb.altiris.com/):

     

    • 38437 - Allowing for more than 16 characters in the Real Time Console AMT profile

    • 40076 - Update of the Intel® SCS service to version 3.2.1.2.0

    • 40117 - Update for Intel AMT 2.6 provisioning and inventory

    Are you planning to use Altiris TaskServer to target large collections of computers?

    Optimizing the ASP.NET and Altiris server configuration may be needed.  More information available at http://juice.altiris.com/node/6093


    Client preparations

    Question

    Reference Point

    Answer and Comments for Target Environment

    Has the client platform BIOS been updated?

    As an extension to the core system BIOS, options or other settings within the main system BIOS may affect the configuration of Intel AMT.  Consult your OEM or system vendor website to ensure the latest version of their system BIOS has been applied.

    Has the latest Intel AMT firmware been applied?

    Newer versions of the firmware may allow additional configuration options, fix known issues, and so forth.  Some OEMs or systems vendors include the Intel AMT firmware update within their core system BIOS update module.

    Are the Intel AMT operating system drivers and files installed on the client?

    These are obtained from the OEM or system vendor, and are generally two packages: the Intel AMT management engine interface (HECI or MEI) and the Local Management Service (LMS/SoL/UNS).

    Has the OEM, VAR, or system vendor performed any "pre-provisioning" tasks on the client?

    Intel AMT commonly starts in an unconfigured or unprovisioned state.


    Intel vPro Provisioning Infrastructure and Preparations

    Question

    Reference Point

    Answer and Comments for Target Environment

    What provisioning model are you planning to use? (Basic, Standard, or Advanced)

    A summary of the core models is provided at http://communities.intel.com/docs/DOC-1684.  For initial deployments, many environments start with the "Standard" model.

    Are you familiar with the core criteria required to provision Intel Active Management Technology?

    Core criteria include: authentication between the firmware and the provisioning service, defining and applying the provisioning profile, mapping of unique identifiers, and updating of the Altiris CMDB.  See http://juice.altiris.com/node/4480

    Are you planning to use the pre-shared key (aka USB One-touch) or remote configuration (aka certificate based) provisioning approach?

    For a summary of the mechanics in provisioning Intel vPro using Altiris Out-of-Band Management 6.2, please refer to http://juice.altiris.com/article/5273

     

    Please refer to the subsections below to either help guide your decision or provide additional reference points for each approach.  Note: Once the firmware is enterprise provisioned, a randomly generated PID\PPS pair is assigned to the platform, and the mapping of that pair is stored on the ProvisionServer.  Therefore, the decision to use USB One-touch or Remote Configuration generally applies only to the initial provisioning event.

    Are you using the Altiris Agent on the Intel vPro client systems?  Have OOB Discovery and the OOB Task Agent been enabled and deployed?

    OOB Discovery will determine what clients are ASF or AMT capable, updating the Inv_OOB_Capability table.  The OOB Task Agent can be used to initiate a remote configuration provisioning event.

    Have Intel vPro client systems already been deployed in the environment?

    If the Intel AMT firmware on the clients has not already been provisioned, the following series may be of interest - http://juice.altiris.com/node/4636.  If the firmware has been provisioned or configured, a simple OOB Discovery may be sufficient to start using the Intel vPro Technology within Altiris Out-of-Band Management - see http://juice.altiris.com/node/5659

    Does a DNS alias record for "ProvisionServer" exist?

    This is the preferred default to direct hello packets during the provisioning sequence.  If the DNS record does not exist or cannot be created within the environment, the Intel vPro Activator Utility can be used to initiate and direct hello packets.  See http://juice.altiris.com/node/4713

     

    Using Pre-Shared Key Provisioning

    An 8-character and a 32-character key (i.e. the PID\PPS pair) are assigned to each Intel vPro system.  A matching set must exist on the ProvisionServer.  The key pair is used for authentication during the provisioning or configuration process.

     

    PID/PPS is supported on all Intel vPro platforms using Intel AMT 2.x and higher.  Some OEM BIOS settings disable the USB ports that USB one-touch relies on.  Additionally, some OEM default MEBx settings set the Manageability Feature to "none".  USB one-touch will fail if the required system BIOS options are disabled or the default MEBx settings have disabled manageability.  Similarly, USB one-touch works only when the Intel Management Engine (ME) is fully unprovisioned.

    Question

    Reference Point

    Answer and Comments for Target Environment

    How will the PID\PPS keys be generated?

    The default method is within the Altiris OOBm console, using the "security keys".  This allows you to generate, import, export, or manually enter the keys.

    Some OEMs offer a "pre-provisioning" service, where they insert a defined PID\PPS along with a new MEBx password.  This information is then transmitted to you and imported into the provisioning service.

    If using a staging area or wanting to create the pre-shared keys outside of Altiris OOBM, the USBfile.exe utility is another option.  See http://communities.intel.com/docs/DOC-1210

    Do you need to validate the setup.bin file or USB key?

    This binary file is used when keys are generated and exported.  For USB one-touch provisioning, the file is placed on a FAT-16 formatted flash drive.  However, experiences have varied on flash drive models and configurations.  The following utility will help to ensure the flash drive and setup.bin file are correct for USB one-touch.  See http://communities.intel.com/docs/DOC-1430

    When will the PID\PPS keys be applied to the systems?

    This will require a physical visit to each client.  With the client off, insert the USB flash drive with the setup.bin file.  Power on the system, and complete the prompts associated with transferring the keys.  This process occurs after POST and before the OS boot loader.  If errors occur, refer to the OEM documentation.

    Will a unique or same PID\PPS be used?

    The preferred USB one-touch method is for a unique PID\PPS pair to be applied to each system.  However, when OEMs perform their pre-provisioning service, it is quite common that the same PID\PPS will be used across all systems within a configuration batch.  Similarly, for lab testing purposes, a single PID\PPS can be used (PID: 4444-4444, and PPS: 0000-0000-0000-0000-0000-0000-0000-0000).  Rest assured, once the provisioning process occurs, a new randomly generated PID\PPS pair is applied to the client and stored within a secured database.

    Will the pre-provisioning happen on or off site from the production network?

    Together with the data points listed above, this will help to determine what tools and processes are needed to transfer the correct PID\PPS pairs to the production server, matching the pairs assigned to the clients.
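Before importing pre-shared keys into the ProvisionServer (whether generated in the OOBM console, supplied by an OEM pre-provisioning batch, or created with USBfile.exe), it is worth checking the key material for the problems this section describes: malformed keys, the lab-only PID 4444-4444 / all-zero PPS pair, and one pair shared across a whole batch. The following is an added example written for this checklist, not Altiris, Intel or OEM code. The key lengths and the lab pair come from the text above; the exact character-set rules are this example's own assumption (the real PID carries a check character that is not verified here), and the batch in `__main__` is constructed sample data.

```python
"""PID/PPS pre-shared key sanity checks.

Added example, not from the original checklist or from Altiris/Intel.  The
checklist describes the PID as an 8-character key and the PPS as a
32-character key, written in hyphen-separated groups of four, and names a
lab-only pair (PID 4444-4444, PPS all zeros) that must never reach production.
The textual format rules below are this example's own assumption; the real
PID carries additional structure (a check character) that is not verified.
"""
import re
import secrets
from collections import defaultdict
from typing import Dict, List, Tuple

PID_RE = re.compile(r"^[A-Z0-9]{4}-[A-Z0-9]{4}$")            # 8 characters as XXXX-XXXX
PPS_RE = re.compile(r"^(?:[0-9A-F]{4}-){7}[0-9A-F]{4}$")    # 32 hex characters in 8 groups
LAB_PAIR = ("4444-4444", "0000-0000-0000-0000-0000-0000-0000-0000")  # lab pair named in the checklist


def normalize(key: str) -> str:
    """Canonical form for comparison: trimmed and upper-case."""
    return key.strip().upper()


def validate_pair(pid: str, pps: str) -> List[str]:
    """Return the problems with a PID/PPS pair; an empty list means acceptable for production."""
    pid, pps = normalize(pid), normalize(pps)
    problems = []
    if not PID_RE.match(pid):
        problems.append("PID must be 8 characters in the form XXXX-XXXX")
    if not PPS_RE.match(pps):
        problems.append("PPS must be 32 hex characters in 8 groups of 4")
    if (pid, pps) == LAB_PAIR:
        problems.append("lab/test PID-PPS pair in use; generate a unique pair")
    return problems


def generate_pps() -> str:
    """A fresh 32-hex-character PPS from the OS CSPRNG, grouped in fours as in the checklist."""
    raw = secrets.token_hex(16).upper()  # 16 random bytes -> 32 hex characters
    return "-".join(raw[i:i + 4] for i in range(0, 32, 4))


def find_shared_pairs(assignments: Dict[str, Tuple[str, str]]) -> Dict[Tuple[str, str], List[str]]:
    """Map every PID/PPS pair assigned to more than one host to the hosts sharing it.

    A shared pair is common after OEM batch pre-provisioning; the import into
    the ProvisionServer must then carry the same pair for every host, and the
    pair must be handled as a secret covering the whole batch.
    """
    by_pair: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for host, (pid, pps) in assignments.items():
        by_pair[(normalize(pid), normalize(pps))].append(host)
    return {pair: hosts for pair, hosts in by_pair.items() if len(hosts) > 1}


if __name__ == "__main__":
    # Constructed sample of a pre-provisioning batch as an OEM might export it.
    batch = {
        "client01": ("ABCD-1234", "0123-4567-89AB-CDEF-0123-4567-89AB-CDEF"),
        "client02": ("ABCD-1234", "0123-4567-89AB-CDEF-0123-4567-89AB-CDEF"),
        "client03": ("4444-4444", "0000-0000-0000-0000-0000-0000-0000-0000"),
    }
    for host, (pid, pps) in batch.items():
        print(host, validate_pair(pid, pps) or "ok")
    print("shared:", find_shared_pairs(batch))
    print("fresh PPS:", generate_pps())
```

The checks are deliberately independent of how the keys were produced, so the same script can be run over an OEM's batch file before it is transmitted on site and again over the OOBM export before it is imported on the production server.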


    Using Remote Configuration Provisioning

    Since the pre-shared key provisioning approach requires a physical touch to each system, an alternative option was developed.  Sometimes referred to as "Zero-Touch Configuration" (ZTC) or Public-Key Infrastructure Certificate Hash (PKI-CH), this approach uses an enterprise certificate and key infrastructure to establish the first authentication with the client.  Once a client is provisioned, and as long as the client is not fully unprovisioned, subsequent provisioning and configuration operations are authenticated using the randomly generated pre-shared keys (i.e. PID\PPS) known only to the client and the provisioning service.

     

    This is supported on Intel AMT 2.2, 2.6, 3.x and all future platforms.  On supported platforms, the firmware holds a set of public root certificate hashes.  Although additional certificate hashes can be added to the firmware, this currently requires a physical touch to each system.  Therefore, before choosing a path of root certificate hashes beyond what is burned into the firmware, you may want to reconsider the USB one-touch approach using pre-shared keys.

     

    An FAQ on remote configuration is posted at http://communities.intel.com/docs/DOC-1490.

    Question

    Reference Point

    Answer and Comments for Target Environment

    How soon are you planning to use remote configuration?

    Defining the parameters, requesting the certificate, and completing the import process into the provisioning service will require at least 1 day (and in some cases may require several weeks).

    Who within your organization has the capability and responsibility to acquire SSL certificates?

    This individual will be familiar with the process of creating the CSR, submitting it to a target public CA, completing the CSR, and so forth.  Since client management teams rarely handle certificates, save yourself some time and enlist the help of your internal "certificate expert".

    Do the Intel vPro and AMT systems in your environment support remote configuration?

    Methods to determine the exact Intel AMT version and remote configuration support of systems are noted in the next section.

    Do you have the environmentally specific data required for the certificate request?

    The FAQ linked above provides most of the insights needed.  However, the three environment-specific fields in the certificate request are sometimes overlooked.  If entered incorrectly, the certificate authority will either deny the request or issue an incorrect certificate.

    • OU = Intel(R) Client Setup Certificate

    • CN = ServerName.domain.com (this must be the FQDN of the Provisioning Server for Remote Configuration generating the CSR)

    • Organization = The legal name of your organization that can approve your certificate request

    What remote configuration certificate are you planning to acquire?

    The presently supported Certificate Authorities are VeriSign, GoDaddy, Starfield, and Comodo.  Although there are other major certificate authorities, their root certificate hashes are not burned into the firmware at this time.  There is a small non-persistent storage section of the firmware that allows 3 additional certificate hashes to be added.  However, this requires a physical touch to the system.  The pre-shared key approach may be a better option.

    Are you looking to utilize a root certificate which is not preloaded into the firmware?

    If yes - understand that although this is possible, the cost ($, time, resources, infrastructure, etc.) associated should be considered.  The pre-shared key approach above may be a better option.

    That said, some OEMs may offer a process to insert defined root certificate hashes into the firmware.  Similarly, the USBfile utility previously mentioned can insert up to 3 certificate hashes into Intel AMT 3 or higher systems.  For lab testing purposes, you can also manually enter the 40-character certificate hash into supported platforms.

    Do you need more insight and information on the certificate request process?

    VeriSign and GoDaddy related insights are available at http://juice.altiris.com/node/4496 and http://communities.intel.com/openport/blogs/proexpert/2008/09/30/get-going-with-godaddy
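Two checks worth scripting before a remote configuration certificate request goes out are the three environment-specific subject fields listed above (OU, CN, Organization) and, for a CA that is not pre-loaded, the 40-character certificate hash that has to match what the firmware stores. The following is an added example for this checklist, not Altiris, Intel or CA code. The required OU string and the FQDN rule for CN come from the text above; the subject-string parser, the FQDN regex, the `provision_server_fqdn` parameter and the placeholder PEM data in `__main__` are this example's own assumptions, and the 40-character hash is computed as a SHA-1 hex digest of the DER certificate (40 hex characters), which is what the checklist's length implies.

```python
"""Remote configuration certificate request checks.

Added example, not from the original checklist or from Altiris/Intel.  It
validates the three environment-specific subject fields the checklist calls
out before a CSR is submitted, and computes the 40-character certificate hash
(SHA-1 over the DER bytes) that can be compared with the root hashes held in
Intel AMT firmware.  No real CA hashes appear here; the PEM and hash list in
the demo are constructed placeholders.
"""
import base64
import hashlib
import re
from typing import Dict, Iterable, List

REQUIRED_OU = "Intel(R) Client Setup Certificate"  # exact string from the checklist
# Hostname labels of 1-63 characters, at least one dot: a fully qualified name.
FQDN_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def parse_subject(subject: str) -> Dict[str, str]:
    """Parse an OpenSSL-style '/C=US/O=Acme/OU=.../CN=host' subject into a dict."""
    fields: Dict[str, str] = {}
    for part in subject.split("/"):
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip().upper()] = value.strip()
    return fields


def check_csr_subject(subject: str, provision_server_fqdn: str) -> List[str]:
    """Return the problems with a CSR subject; empty list means the three fields are correct."""
    fields = parse_subject(subject)
    problems = []
    if fields.get("OU") != REQUIRED_OU:
        problems.append(f"OU must be exactly {REQUIRED_OU!r}")
    cn = fields.get("CN", "")
    if not FQDN_RE.match(cn):
        problems.append("CN must be a fully qualified DNS name")
    elif cn.lower() != provision_server_fqdn.lower():
        problems.append("CN must match the FQDN of the provisioning server generating the CSR")
    if not fields.get("O"):
        problems.append("O (Organization) must be the legal name of your organization")
    return problems


def cert_sha1_thumbprint(pem: str) -> str:
    """SHA-1 of the DER bytes inside a PEM certificate, as 40 upper-case hex characters."""
    body = "".join(line for line in pem.strip().splitlines() if not line.startswith("-----"))
    der = base64.b64decode(body)
    return hashlib.sha1(der).hexdigest().upper()


def root_hash_in_firmware(pem: str, firmware_hashes: Iterable[str]) -> bool:
    """True when the certificate's hash matches one of the hashes the firmware holds.

    Hashes may be written with spaces or colons (as consoles often display them);
    they are normalised before comparison.
    """
    known = {h.replace(" ", "").replace(":", "").upper() for h in firmware_hashes}
    return cert_sha1_thumbprint(pem) in known


# Placeholder certificate constructed for the demo; the payload is not real DER.
DEMO_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(b"constructed placeholder, not a real certificate").decode()
            + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    subject = "/C=US/O=Example Corp/OU=Intel(R) Client Setup Certificate/CN=provisionserver.vprodemo.com"
    print(check_csr_subject(subject, "provisionserver.vprodemo.com") or "subject ok")
    print(check_csr_subject("/O=Example Corp/OU=IT/CN=provisionserver", "provisionserver.vprodemo.com"))
    print("thumbprint:", cert_sha1_thumbprint(DEMO_PEM))
    # Firmware hash list is a placeholder; take the real list from the platform's MEBx.
    print("in firmware:", root_hash_in_firmware(DEMO_PEM, ["00" * 20]))
```

Run the subject check against the exact string you will pass to the CSR tool; the CA matches these fields literally, and a request that passes here still needs the Organization name to agree with the legal entity the CA will verify. For a root that is not pre-loaded, compare the CA's published root certificate with the hash list shown in the MEBx on a sample platform before deciding whether the physical-touch path is worth it.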


    Environment Optimizations and Enhancements

    Question

    Reference Point

    Answer and Comments for Target Environment

    Are you experiencing long delays with RTSM or accessing Intel AMT options?

    A few items may be affecting this.  If the Altiris server is fairly responsive in other scenarios, check the following:

    • Intel AMT Connection timeout values - these are located under the Real-Time Console Infrastructure > Configuration > Configuration area.  Select the Intel AMT connection settings tab

    • Review the insights provided on improving load performance of Altiris RTSM - http://juice.altiris.com/node/4071

    How can the provisioning event be scripted, automated, and optimized?

    As with any automation, understanding the individual steps and requirements is recommended.  A few insights to help optimize and automate provisioning events are provided in the following article:


    Optional Security Configurations and Considerations

    Question

    Reference Point

    Answer and Comments for Target Environment

    Will Kerberos authentication be used or preferred when using the Intel vPro Technology?

    The default authentication protocol is MD5 Digest authentication, meaning that a separate list of user IDs and passwords is used to connect to, manage, and utilize the Intel vPro clients and their associated configuration.  Kerberos authentication utilizes Microsoft Active Directory and requires a schema extension.  For more information, please refer to http://juice.altiris.com/node/4492

    Must the client operating systems authenticate via a RADIUS or other endpoint access control network security mechanism?

    Since the underlying Intel Active Management technology can be accessible when the host operating system is not, Intel AMT must be able to negotiate network security and infrastructure to allow communications with the client management suite.  More information is available at http://juice.altiris.com/node/4730