2 Replies Latest reply on Feb 27, 2009 11:14 AM by Trevor.Sullivan

    Exploring Intel AMT WS-MAN Settings - Class setting dump tool

    sdavies

       

      A couple of months ago, when I started experimenting with WS-MAN, one of the things I did to explore the topic was write a WS-MAN class setting dump tool to enable me to examine WS-MAN class settings on Intel AMT platforms. Great for learning, and as it turned out, useful for debugging as well ... being able to dump a complete list of client settings has been helpful.

       

      The tool is written in VBScript and is included in the attached ZIP. I am not a scripting guru so the script is probably not the most elegant, but may be useful. It works with clients provisioned in Enterprise or SMB mode, with or without certificates, with Digest or Kerberos authentication and with or without the Intel WS-MAN Translator.

       

      To run the tool, use the syntax

       

      cscript DumpWsman.vbs ClientHostname [optional switches]

       

       

      The optional switches are:-

      /?
      /Domain:Domainname
      /Ver:Version
      /User:Username /Pass:Password
      /NoTLS
      /IgnoreCerts
      /Trans:FQDN
      /Class:Classname

      where:-

      ClientHostname specifies the Intel(R) AMT client hostname
      /? Displays tool usage
      /Domain:Domainname specifies Intel(R) AMT client domain name. The default is VPROLAB.COM
      /Ver:Version specifies Intel(R) AMT client firmware version. The default is 3.2.1
      /User:Username and /Pass:Password specify digest credentials. By default, Kerberos authentication is used
      /NoTLS specifies not to use TLS. By default, TLS is used
      /IgnoreCerts specifies not to validate certificates when using TLS. By default, certificates are validated
      /Trans:FQDN specifies FQDN of Intel(R) WS-MAN translator. The default is SCCM.VPROLAB.COM
      /Class:Classname specifies a specific WSMAN classname to dump. By default, all classes supported by Intel AMT V5 are dumped

       

      The default domain name setting is VPROLAB.COM and can be edited in the script source code to suit the target environment and save using the /Domain switch every time.

       

      The /Ver switch controls whether the tool attempts direct communication with the client, or uses the Intel WS-MAN Translator to communicate with the client. Specify a version of 3.2, 4.0 or 5.0 and the tool will attempt direct communication. Specify a version of 2.0, 2.1, 2.2, 2.5, 2.6 or 3.0 (or an unknown version) and the tool will use the Intel WS-MAN Translator. If you want to force the tool to use the Intel WS-MAN Translator even though you are retrieving class settings from an Intel AMT 3.2 or later client, then use the /Ver switch to force the tool into believing the client firmware is earlier than it really is. This can be useful if you want to run the tool on the actual Intel AMT client and therefore need to use the Intel WS-MAN Translator as a reflector. The FQDN of the Intel WS-MAN Translator can be specified using the /Trans switch if the default is not suitable - or the script source can be edited to change the default to suit the target environment.

       

      If you are using Kerberos authentication (the default) through the Intel WS-MAN Translator, make sure the server hosting the Intel WS-MAN Translator has Kerberos delegation enabled, otherwise Kerberos authentication will fail.

       

      The /Class switch specifies a specific WS-MAN class to retrieve. This setting is case sensitive and details of available classes are contained in the Intel AMT WS-Management Class Reference included in the Intel AMT SDK documentation. If no class is specified, all available classes are dumped (and this can be a lot on an Intel AMT client using version 5.X firmware).

       

      Here are some usage examples:-

       

      Example #1 retrieves the BIOS information directly from an Intel AMT client and uses Kerberos authentication

       

       

      >cscript DumpWSMan hp6930p /Class:CIM_BIOSElement

      Microsoft (R) Windows Script Host Version 5.6
      Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

      Client FQDN: hp6930p.vprolab.com
      WSMAN Service URL: https://hp6930p.vprolab.com:16993/wsman
      Authentication Method: Kerberos

      CIM_BIOSElement
      ElementName = Primary BIOS
      Manufacturer = Hewlett-Packard
      Name = Primary BIOS
      OperationalStatus = 0
      PrimaryBIOS = true
      ReleaseDate = 2008-09-26
      SoftwareElementID = 68PCD Ver. F.0B
      SoftwareElementState = 2
      TargetOperatingSystem = 66
      Version = 68PCD Ver. F.0B

      ----------------

       

       

      Example #2 is similar to example #1, but shows how the /Ver switch can be used to force the tool to work through the Intel WS-MAN Translator. Again Kerberos authentication is used

       

       

      >cscript DumpWSMan hp6930p /Class:CIM_BIOSElement /Ver:2.6 /Trans:sccmc01.vprolab.com

      Microsoft (R) Windows Script Host Version 5.6
      Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

      Client FQDN: hp6930p.vprolab.com
      WSMAN Service URL: https://sccmc01.vprolab.com/wstrans/pro/eoi25/hp6930p.vprolab.com/wsman
      Authentication Method: Kerberos

      CIM_BIOSElement
      ElementName = Primary BIOS
      Manufacturer = Hewlett-Packard
      Name = Primary BIOS
      OperationalStatus = 0
      PrimaryBIOS = true
      ReleaseDate = 09/26/2008
      SoftwareElementID = 68PCD Ver. F.0B
      SoftwareElementState = 2
      TargetOperatingSystem = 66
      Version = 68PCD Ver. F.0B

      ----------------

       

       

      Example #3 shows how 802.1X authentication settings can be retrieved

       

       

      >cscript DumpWSMan hp6930p /Class:AMT_8021XProfile

      Microsoft (R) Windows Script Host Version 5.6
      Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

      Client FQDN: hp6930p.vprolab.com
      WSMAN Service URL: https://hp6930p.vprolab.com:16993/wsman
      Authentication Method: Kerberos

      AMT_8021XProfile
      ActiveInS0 = true
      AuthenticationProtocol = 0
      ClientCertificate
      Address = http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
      ReferenceParameters
      ResourceURI = http://intel.com/wbem/wscim/1/amt-schema/1/AMT_PublicKeyCertificate
      SelectorSet
      Selector: InstanceID = Intel(r) AMT Certificate: Handle: 2
      ElementName = Intel(r) AMT 802.1x Profile
      Enabled = true
      InstanceID = Intel(r) AMT 802.1x Profile 0
      PxeTimeout = 0
      ServerCertificateIssuer
      Address = http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
      ReferenceParameters
      ResourceURI = http://intel.com/wbem/wscim/1/amt-schema/1/AMT_PublicKeyCertificate
      SelectorSet
      Selector: InstanceID = Intel(r) AMT Certificate: Handle: 1
      ServerCertificateName = vprolab.com
      ServerCertificateNameComparison = 1
      Username = HP6930P$iME@vprolab.com

      ----------------

       

       

      As a learning tool, being able to dump WS-MAN class settings after provisioning is quite educational. The tool does not demonstrate modifying class settings, but once a Microsoft WinRM object has been created and connected to a client, reading Microsoft's TechNet WinRM and Intel's AMT SDK documentation should allow progression to using the WS-MAN class methods to read / write settings.
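
An added example, not part of the original post or the attached tool: a small Python parser that turns saved dump output into records and diffs two dumps, which is how a settings baseline can be compared across clients or across the direct and Translator paths. The names `parse_dump` and `diff_dumps` are hypothetical, the sample text is constructed from a subset of the lines in Examples #1 and #2, and the layout is assumed to be a class name line followed by `Name = Value` lines and a dashed separator; nested reference properties such as those in Example #3 are not modelled.

```python
import re

# Constructed sample: header and property lines taken from Example #1 (direct).
DIRECT = """\
Client FQDN: hp6930p.vprolab.com
WSMAN Service URL: https://hp6930p.vprolab.com:16993/wsman
Authentication Method: Kerberos

CIM_BIOSElement
ElementName = Primary BIOS
Manufacturer = Hewlett-Packard
ReleaseDate = 2008-09-26
Version = 68PCD Ver. F.0B

----------------
"""
# Constructed sample: the same dump as returned through the Translator (Example #2).
TRANSLATOR = DIRECT.replace("2008-09-26", "09/26/2008").replace(
    "https://hp6930p.vprolab.com:16993/wsman",
    "https://sccmc01.vprolab.com/wstrans/pro/eoi25/hp6930p.vprolab.com/wsman")

CLASS_LINE = re.compile(r"^[A-Za-z]+_\w+$")   # e.g. CIM_BIOSElement
PROP_LINE = re.compile(r"^(\w+) = (.*)$")     # scalar "Name = Value" lines only
END_LINE = re.compile(r"^-{4,}$")             # dashed separator closes an instance

def parse_dump(text):
    """Return {class_name: [{prop: value}, ...]}; header lines are ignored."""
    classes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if END_LINE.match(line):
            current = None
        elif CLASS_LINE.match(line):
            current = {}
            classes.setdefault(line, []).append(current)
        elif current is not None:
            m = PROP_LINE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return classes

def diff_dumps(a, b):
    """List (class, instance index, property, value_a, value_b) per mismatch."""
    out = []
    for cls in sorted(set(a) | set(b)):
        ia, ib = a.get(cls, []), b.get(cls, [])
        for i in range(max(len(ia), len(ib))):
            pa = ia[i] if i < len(ia) else {}
            pb = ib[i] if i < len(ib) else {}
            for prop in sorted(set(pa) | set(pb)):
                if pa.get(prop) != pb.get(prop):
                    out.append((cls, i, prop, pa.get(prop), pb.get(prop)))
    return out
```

Run against the two samples, the only mismatch reported is `ReleaseDate`, whose format differs between the direct and Translator outputs shown in the post.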