1 2 Previous Next 21 Replies Latest reply on Dec 5, 2011 8:51 AM by

    Deploying vPro for the first time

    GiantGuineaPig

      Hi,

      I've been going over so many documents about this and I'm struggling to work out where I actually need to start.

       

      My environment is:

       

      350 PC's

      4 different sites

      vPro clients up to 3 years old (2009 onward)

      Windows/AD environment

       

      I'd like to just use the standalone Intel Powershell to manage them.

       

      So, what I'm looking at first is - where do I start, how do I distribute/connect to all our PC's to have them enabled?

       

      We have an internal CA server, so we can sign our own certificate.

       

      All the documentation I've found is overly complex and covers so many scenarios and tools it's hard to work out what I need for the above.

       

      Hoping to get pointed in the right direction.

       

      Thanks

        • 1. Re: Deploying vPro for the first time
          jjcopela

          It looks like the easiest way to get you up and running with vPro is to get the Intel SCS installed in your environment:

          This will be the tool you use to activate your AMT systems.
          Just follow the instructions in the Intel SCS User Guide to help you decide what the best method will be for your environment.
          The guide will walk through decisions such as: Configuration methods, Security Considerations, Maintenance Policies, etc..
          Once you complete the configuration steps, you will be able to easily manage the systems from PowerShell by installing the Intel vPro PowerShell Module:
          thanks!
          Josh
          • 2. Re: Deploying vPro for the first time

            I've had a look at that page, it's a bit overwhelming. I already tried Intel SCS 7.1 and installed it, but that only seems to be for 2011 clients where you can deploy the xml settings file and the executable?

             

            Then there's SCS Lite 6.5 or SCS 5.5. SCS Lite didn't support AMT v7, so I thought SCS 5.5 might do the job.

             

            Am I going down the right track here?

             

            Thanks

            • 3. Re: Deploying vPro for the first time
              jjcopela

              You can use most any version of SCS to provision your machines..

              For example, with SCS 7 you can set up the RCS to perform Remote Configuration on your devices (which seems like the best solution in your case).

               

              Here are the supported configuration methods and their supported Firmware Versions:

               

              Configuration Method / Intel AMT Versions
              Host Based Configuration 6.2 and higher
              SMB/Manual Configuration 4.0 and higher
              One Touch Configuration (PSK) 2.1 and higher
              Remote Configuration (PKI) 2.2, 2.6, 3.0 and higher

               

              as you can see (if you do not want to manually touch all of your systems) Remote Configuration would be the best choice.

               

              Just follow the Intel® Setup and Configuration Service User Guide for Remote Configuration using the RCS and you should be on the right path!

               

              thanks

              Josh

              • 4. Re: Deploying vPro for the first time

                Thanks again.

                That was the original path I went down, and I got as far as creating a configuration profile and export it, but I'm still stuck on how to distribute it. This is the point I was told that the .xml file distribution required AMT v7.

                 

                Is this incorrect? Looking at the document there is "Configuring Systems Using the RCS (Legacy)" where you use the ACUConfig.exe command to import the .xml configuration file.

                 

                I've tried this command on my test PC:

                 

                ACUConfig.exe ConfigViaRCSOnly "SCS/RCS Servername" test.xml

                 

                How can I tell if it's worked? I'm trying to use this command from the powershell vPro utility:

                 

                get-amthardwareasset testpcname

                 

                But I'm getting a 'could not connect to host' error, even though I can ping the PC via the same name.

                 

                Again, hoping you can verify what I'm doing here and what I might have missed.

                 

                Thanks

                • 5. Re: Deploying vPro for the first time
                  jjcopela

                  So it looks like you are on the right track, the XML file is used in the following way:

                  say you have a mixed envrionment of host-based capable machines and legacy machines and you want to use host-based where you can, you would use the Unified Configuration Process:

                  The Unified Configuration process uses two copies of the same XML profile:
                  • The first copy is created and stored in the RCS. This copy is used by the RCS to
                  remotely configure devices that do not support host-based configuration.
                  • The second copy is “exported” from the RCS and must be included in the deployment
                  package. This copy is used by the Configurator to locally configure devices that
                  support host-based configuration. This copy also includes data (added during export)
                  about the RCS and the required control mode for the Intel AMT device

                   

                  If you do not want to use Host-Based or have only legacy systems, you can use the command you described below (ConfigViaRCSOnly) to configure them:

                   

                  Again, if you are going to be wanting to remotely configure the systems without touching them, you will have to purchase/install a configuration certificate from one of the certificate vendors. See the Setting up Remote Configuration (PKI) section of the SCS User Guide.

                   

                  To verify that your systems are configured, open the Intel Management and Security Status Icon from the notification area on your client system.

                  In the advanced tab, you should see a status of Configured.

                   

                  thanks!

                  Josh

                  • 6. Re: Deploying vPro for the first time

                    OK, I don't have any Intel Management and Security Status icon, what program needs to be installed to get that? Is that a requirement for this to all work, or just handy to see certain information?

                     

                     

                    I've found the details about Unified Configuration. I think I'm getting confused here again:

                     

                    "RCS is used to remotely configure devices that do not support host-based configuration" - How??

                     

                    "The second copy of the XML profile is exported for devices that support host-based configuration". AMT 7 is the only device that supports host-based configuration, is that correct?

                     

                    If so, why would the ConfigViaRCSOnly work for only Non-Host based or legacy systems? To me that's contradicting the above.

                     

                    Also, I can't use an internal CA certificate? I have to use a public one?

                     

                    Thanks

                    • 7. Re: Deploying vPro for the first time
                      jjcopela

                      Hi Adam,

                      I went through the process of setting up a new SCS 7 instance and then did a test provision on a client.

                      I attempted to capture everything I did in the attached .PDF

                       

                      Let me know if this helps clear up the process!

                       

                      thanks,

                      Josh

                      • 8. Re: Deploying vPro for the first time

                        Hi,

                        That does help thanks - it's confirmed I've done it right but I'm at the stage where I need a certificate. There are some details mentioned in the guide, but is there a more lightly explained version of what certificate is required?

                        We'd be buying from GoDaddy too, we already have a wildcard cert but I'm not sure if it can be used.

                         

                        Thanks

                        • 9. Re: Deploying vPro for the first time
                          dbrunton

                          Adam,

                           

                          Take a look at this post:

                           

                          http://communities.intel.com/community/openportit/vproexpert/blog/2011/03/09/vpro-provisioning-certificate-from-godaddy--new-standard-ssl-certificate-support

                           

                          It will give you the specifics on what you need to do to get a provisioning cert from GoDaddy.

                           

                          -Dan

                          • 10. Re: Deploying vPro for the first time

                            Hi,

                            Thanks for that, I've had a good read.

                            It mentions it's for SCCM, will this work without SCCM also?

                            Can I use a CName that goes to the server I've configured for RCS as the FQDN on this certificate?

                             

                            Lastly there was a question I asked earlier but it was missed:

                             

                            I don't have any Intel Management and Security Status icon, what program needs to be installed to get that? Is that a requirement for this to all work, or just handy to see certain information?

                             

                            Thanks
                            Adam

                            • 11. Re: Deploying vPro for the first time
                              dbrunton

                              Yes, the proces for ordering certs is the same no matter what provisioning tool you use.  Yes, use the FQDN of your RCS server when requesting the cert.

                               

                              As for the missing IMSS icon in the task tray, try downloading the AMT drivers from your client's manufacturer and reinstalling them.  That should bring it back.

                               

                              -Dan

                              • 12. Re: Deploying vPro for the first time
                                GiantGuineaPig

                                Hi,

                                So I've now followed the process from beginning to end. I'm running the manual ACUConfig.exe command, but it enables Intel RPAT for 8 seconds then disables again.


                                How do I work out what's going wrong? I can't connect to it via Powershell, and the command gives no error. I can't find any log files on the client or server.

                                 

                                I really don't know where to start looking apart from going over all the instructions I have.

                                 

                                Thanks

                                • 13. Re: Deploying vPro for the first time
                                  dbrunton

                                  Try running ACUConfig with /output file <filename here> switches to capture what's happening when it tires to provision the client.  Share the log file here and we should be able to get an idea of where it's hanging up.

                                   

                                  -Dan

                                  • 14. Re: Deploying vPro for the first time
                                    GiantGuineaPig

                                    Here's the error: Obviously something to do with the certificate...

                                     

                                    2011-11-09 15:43:00:(INFO) : ACU Configurator , Category: HandleOutPut: Starting log 2011-11-09 15:43:00
                                    2011-11-09 15:43:02:(INFO) : ACU Configurator , Category: VerifyFileSignature: The file "C:\temp\ACU_Configurator\ACU.dll" is signed and the signature was verified.
                                    2011-11-09 15:43:04:(INFO) : ACU Configurator, Category: -ConfigViaRCSOnly-: xxx.com.au :Starting Remote configuration...
                                    2011-11-09 15:43:10:(INFO) : ACU Configurator , Category: Information message: Activate Intel(R) AMT configuration (0xc0000050)
                                    2011-11-09 15:43:10:(INFO) : ACU Configurator , Category: Information message: Success (0xc0000051)
                                    2011-11-09 15:43:20:(ERROR) : ACU.dll, Category: Remote Profile Configuration: Remote Profile Configuration failed: An SSL error occurred. Verify the username and password, and the PSK or certifcate settings, where applicable.- 0xc0000fb7. (Intel(R) AMT %1 failed. Initial connection to the Intel(R) AMT device failed.  Valid certificate for PKI configuration not found. (Failed while calling  Soap call  GetCoreVersion. Intel(R) AMT connection error  -1073737801: An SSL error occurred. Verify the username and password, and the PSK or certifcate settings, where applicable., error in discover 0xc0000fb7))
                                    2011-11-09 15:43:20:(ERROR) : ACU Configurator, Category: Exit: ***********Exit with code 75 - Failed to complete remote configuration of this Intel(R) AMT device. Details: An SSL error occurred. Verify the username and password, and the PSK or certifcate settings, where applicable.- 0xc0000fb7. (Intel(R) AMT %1 failed. Initial connection to the Intel(R) AMT device failed.  Valid certificate for PKI configuration not found. (Failed while calling  Soap call  GetCoreVersion. Intel(R) AMT connection error  -1073737801: An SSL error occurred. Verify the username and password, and the PSK or certifcate settings, where applicable., error in discover 0xc0000fb7))

                                    1 2 Previous Next