1 intel ® vpro™ and microsoft ® system center configuration manager 2007 sp2 training
TRANSCRIPT
1
IntelIntel®® vPro™ and vPro™ andMicrosoftMicrosoft®® System Center System Center
Configuration Manager 2007 SP2Configuration Manager 2007 SP2TrainingTraining
Intel Confidential
2
Welcome
• This step-by-step training guide is intended to get you familiar with managing Intel® vPro™ systems with Microsoft* System Center Configuration Manager 2007 Service Pack 2 (SCCM 2007 SP2)
• Please use this guide to do lab exercises in the virtual “training environment” assigned to you
NOTE: This training guide is an updated version of the previously released SP1. Please refer to SP1 training guide if your environment has not been updated to SP2.
Intel Confidential
3
Training Objectives
• Provide an overview of Intel® vPro™ Technology and discuss its capabilities
• Provide students with hands-on experience configuring System Center Configuration Manager 2007 SP2 environment to support Intel® vPro™ capable machines
• Provide hands-on experience provisioning and managing Intel® vPro™ capable machines
• Show Case “Real World” use cases of Intel® vPro™ systems within a SCCM environment
• Provide Students with a better understanding and ability to discuss the components necessary in Configuration Manager 2007 SP2 to support Intel® vPro™ systems (both native and legacy support) with their customers, management, partners, vendors, etc
Intel Confidential
4
Training Agenda• What is Intel® vPro™ Technology? – High level overview (Skip slides 7-11 if you are already familiar with
Intel® vPro™)• What is Intel® vPro™ Provisioning? (Skip slides 12-14 if you are already familiar with Intel® vPro™
provisioning)• Steps to access Intel’s Remote Training Environment (skip slides 16-19 if you are running a local copy of
the training images)
• Lab Module 1 – Infrastructure PreparationInfrastructure Preparation– Hands-on experience configuring the Enterprise Infrastructure (AD/PKI) to support
ConfigMgr 2007 SP2 and Intel® vPro™ systems• Lab Module 2 - ConfigMgr 2007 SP2 OOB Service Point and ComponentsConfigMgr 2007 SP2 OOB Service Point and Components
– Hands-on experience setting up and configuring Out of Band Service Point in ConfigMgr 2007 SP2 to support Intel® vPro™ systems
• Lab Module 3 – ConfigMgr 2007 SP2 Collections and InBand ProvisioningConfigMgr 2007 SP2 Collections and InBand Provisioning– Hands-on experience utilizing the ConfigMgr 2007 SP2 client agent for in-band
provisioning– Hands-on experience configuring ConfigMgr 2007 SP2 Collection for Discovering and
automatically provisioning Intel® AMT capable machines• Lab Module 4 – ConfigMgr 2007 SP2 Out of Band Management ConsoleConfigMgr 2007 SP2 Out of Band Management Console
– Hands-on experience utilizing the ConfigMgr 2007 SP2 OOB Console to manage (OOB) Intel® vPro™ systems
• Lab Module 5 – Real World Use CasesReal World Use Cases– Hands-on setting up and running actual use cases for a production environment
Intel Confidential
5
Training Caveats• This is not a replacement for Microsoft’s documentation on installing and
configuring ConfigMgr 2007 SP2• This presentation only focuses on the Intel® vPro™ related configuration
components• It is highly recommended that you thoroughly review all of Microsoft’s
documentation before activating Intel® vPro™ with ConfigMgr 2007 SP2
Recommended Material (from Microsoft TechNet):– What's New in Configuration Manager 2007 SP2– Fundamentals of Configuration Manager 2007– Configuration Manager Planning and Deployment Overview– Configuration Manager Supported Configurations– Planning and Deploying the Server Infrastructure for Configuration Manager 2007– Planning and Deploying Clients for Configuration Manager 2007– How to Configure Configuration Manager 2007– Out of Band Management in Configuration Manager 2007 SP1 and later– Administrator Checklist: Enabling Out of Band Management
Intel Confidential
6
Acronyms Used• 3PDS – Third Party Data Storage• FW – Firmware• Intel® AMT – Active Management Technology• Intel® ME – Management Engine (Microsoft calls this
component the Management Controller)• Intel® MEBX – Management Engine BIOS Extension• KVM – Keyboard, Video and Mouse• OOB – Out Of Band• OSD – Operating System Deployment• OTP – One Time Password• PKI – Public Key Infrastructure• PSK – Pre-Shared Key• Radius Server – Remote Authentication Dial In User Service• SCCM – System Center Configuration Manager• SUM – Scheduled Update Management
Intel Confidential
7
What is IntelWhat is Intel®® vPro™ Technology? vPro™ Technology?
Intel Confidential
8
Processor Chipset Network
Intel® Core™ i5 & i7
Processors
Intel® Express
Chipset
Intel® Gigabit Network
Intel® Intel® Anti-Theft Anti-Theft TechnologyTechnology
Intel® Active Intel® Active Management Management TechnologyTechnology
Intel® Intel® Virtualization Virtualization TechnologyTechnology
Intel® Intel® Trusted Trusted Execution Execution TechnologyTechnology
Intel® Core™ vPro™ Processor Family Platform is more than the sum of its parts
Intel Confidential
10
Continued Business Client Platform Evolution
AMT 3.0, VT-x, VT-d, TXTRemote configEnhanced system defenseCisco SDN
AMT 2.0Remote diagnosticsRemote repairRemote HW/SW invSystem defense
AMT 2.6, VT-xRemote configCisco SDNWireless support
AMT 4.0, VT-d, TXTMSFT NAPFast Call for HelpRemote Schedule Maint.
2006 2007 2008
Desktop
Mobile
AMT 5.0MSFT NAPFast Call for HelpRemote Schedule MaintenanceRemote PC Assist Technology
20102010KVM Remote ControlKVM Remote Control11
IntelIntel®® Anti-Theft Anti-Theft TechnologyTechnologyPC Alarm ClockPC Alarm ClockRemote Encryption Remote Encryption ManagementManagementAES-NIAES-NI
EnterpriseRemote
Management
Security, Virtualization,
Wireless
Extend beyond firewall,Remote
management Services
Full remote control, Data & asset security,Converged roadmaps
Sustained innovation to deliver the Sustained innovation to deliver the best platform for business best platform for business
Sustained innovation to deliver the Sustained innovation to deliver the best platform for business best platform for business
1 Requires processor with integrated graphics
Intel Confidential
11
Intel® Technology Business Impact
PCs with Intel®
vProTM
Technology
Up to
Software-Related Desk-Side Visits
Indiana State Office of Technology
Read case study
Reduction90%
Unintended PC Downtime due to Software Issues
Value Space
Read case study
Up to
Less98%
Power-Efficiency Improvement
EDS
Read case study
View video on YouTube
Up to
More25%
Up to
Advocate Health Care
Read case study
51% ROI
Actual Customer Experiences with Intel® vProTM Technology
http://communities.intel.com/docs/DOC-1494/
Intel Confidential
12
ConfigMgr 2007 SP2 Features
ProvisioningProvisioning
• Secure Setup & Configuration of Intel® AMT
• Zero Touch – Certificate Hash• Zero Touch – In band via agent• Ties to OSD with targeting
• Secure Setup & Configuration of Intel® AMT
• Zero Touch – Certificate Hash• Zero Touch – In band via agent• Ties to OSD with targeting
Discovery/InventoryDiscovery/Inventory
• Discover On Demand• Per machine / per collection
• Scheduled Discovery• In band inventory via agent
• Discover On Demand• Per machine / per collection
• Scheduled Discovery• In band inventory via agent
Remote ConsoleRemote Console
• Helpdesk of Break/Fix• Serial over LAN• IDE Redirection• BIOS password bypass• Manual power control
• Helpdesk of Break/Fix• Serial over LAN• IDE Redirection• BIOS password bypass• Manual power control
Power ControlPower Control
• Scheduled Power On• SWDist, SUM, OSD
• On Demand Power Control• Wake, Restart, Shutdown
• Interactive via OOB Console
• Scheduled Power On• SWDist, SUM, OSD
• On Demand Power Control• Wake, Restart, Shutdown
• Interactive via OOB Console
Intel Confidential
13
System Center with Intel® vPro™ Technology NEW! Integrated OOB features in ConfigMgr 2007 SP2
http://communities.intel.com/community/openportit/vproexpert/microsoft-vpro/blog/2009/09/19/a-closer-look-at-sccm-sp2-the-more-subtle-changes-with-sccm-sp2
Intel Confidential
14
IntelIntel®® vPro™ Provisioning vPro™ Provisioning
Intel Confidential
15
What is Intel® vPro™ Provisioning?
Microsoft refers to the Manageability
Engine as the Management
Controller
Intel Confidential
16
Intel® vPro™ Manageability Engine BIOS Extension (MEBx)•The MEBx is the user interface to the Manageability
Engine (ME); it allows for the configuration of settings that control the operation of the ME
•The MEBx is an option ROM module provided to the OEM by Intel that is an extension to the system BIOS
•The Manageability Engine runs on an embedded processor inside the Memory Controller Hub (MCH) and is responsible for executing the various AMT functions (Remote Power, IDE-Redirection, etc.)
Intel Confidential
17
• Start up the Intel® vPro™ Laptop (e.g. LNVT400-01)
• During boot process, press the Blue ThinkVantage button to access the MEBx interface (other OEM systems you hit CTRL+P to access the MEBx)
• Select F12 at the Startup Interrupt Menu
• Select <Enter ME Configuration Screens>
• Type P@ssw0rd to login to the MEBx (admin is default when shipped from OEM but has been modified for this training)
• Select Intel AMT Configuration and Enter
• Select Un-Provision and Enter
• Enter Y to Reset AMT Provisioning
• Select Full Unprovision and Enter
• After the Unprovision is complete, hit the ESC key and Select Exit
• Enter Y to reboot the system
Access the MEBx on your vPro system and perform a full unprovision of AMT
Note: This will Fully unprovision the MEBx and set it back to factory default mode with the exception of the local MEBx password. This is the manual method to unprovision AMT but is not usually required in the production environment as it can be done remotely.
Intel Confidential
18
ConfigMgr SP2 Remote Provisioning Process InBand Agent Based Provisioning
Intel® vPro™ Clients
SCCM Primary
Site Server
1. ConfigMgr Agent checks in with ConfigMgr Server for policies
2. If Auto-Provisioning Policy is enabled, ConfigMgr Agent will generate and send an OTP to Intel AMT and ConfigMgr Server
3. ConfigMgr Server performs a discovery of Intel AMT
4. ConfigMgr places Intel AMT discovered systems in a Not Provisioned Collection that has auto-provisioning policy enabled
5. ConfigMgr Agent checks for auto-provisioning policy
--Provisioning Started—
5. Agent Sets OTP in Intel AMT and sends to ConfigMgr server
6. Intel AMT sends embedded hashes to ConfigMgr server
7. ConfigMgr sends Remote Config Certificate to Intel AMT for authentication
8. Intel AMT validates Remote Config Certificate is issued by a trusted CA in Intel AMT firmware
9. Configuration data passed to Intel AMT over a secure tunnel
1
2
3
7
5
6
8
9
Recommended ConfigMgr Setup approach:• Setup Collection for Not-Provisioned
Intel® vPro™ Systems• Enable Network discovery or manaual
discovery if system is Intel® AMT capable
• Machine will be place in collection • Benefits for this approach:
• Only provision Intel AMT systems• Reduce network load
4
http://technet.microsoft.com/en-us/library/cc431371.aspx
Intel Confidential
19
Agent Based Provisioning and Infrastructure Services
1. Based on policy, the Configuration Manager Agent will assess if the Client can be provisioned,. If I can, it will create a One Time Password and send the OTP to both the OOB Service and into the Intel® AMT Firmware
2. OOB Service Point secures connection with the Intel AMT client through Embedded AMT Self Sign Certificate, Present Provisioning Certificate along with the OTP for initial Authentication
3. OOB Service Point sets the Remote Admin and Intel® MEBX password (if not changed)4. OOB Service Point requests a web server certificate on behalf of the Intel AMT client5. OOB Service Point created an Object in AD for the Intel® vPro™ Client6. OOB Service Point pushes web server certificate to Intel AMT client7. OOB Service Point pushes ACL, power schema, and other configuration data to Intel AMT to finalize provision
http://technet.microsoft.com/en-us/library/cc431371.aspx
Intel Confidential
23
Physical Hands-on Training Physical Hands-on Training Lab EnvironmentLab Environment
Intel Confidential
24
Physical Lab Environment Overview
Microsoft AD
SQL 2005DNS/DHCPPKI\Ent Root CA
ConfigMgr 2007 SP1
Server
Intel vPro Laptop/Desktop
AMT firmware (4.x, 5.x or 6.x)
Virtualized Machine EnvironmentLaptop
Infrastructure Image ConfigMgr Image
All passwords = P@ssw0rd
192.168.0.x Note: A minimum of 4G of memory should be installed on the host machine running the Virtual images
Intel Confidential
25
Start the laptop (e.g. HP6930P) hosting the Virtual Images
Double Click the shortcut DC1 on the Desktop of the host OS to start the Infrastructure VM image
Note:
• To Maximize/Minimize the Virtual Image window CTRL + ALT + ENTER
• As needed, Use CTRL+ ALT + Insert to login
• Login Information
• Domain Admin: ITproadmin
• Password: P@ssw0rd
• Domain: VPRODEMO
Launch the Microsoft Virtual Infrastructure Image
Note: Make sure you have not started your ConfigMgr 2007 SP1 SP1 Server Image up until after completing the configuration of your infrastructure image.
Intel Confidential
26
Lab Module 1Lab Module 1
Configure the Active Directory and PKI Infrastructure to support
Configuration Manger 2007 SP2 and Intel® vPro™ Systems
Intel Confidential
27
Prepare Active Directory Prepare Active Directory Domain Services for Out of Domain Services for Out of
Band ManagementBand Management
Intel Confidential
28
Active Directory Configuration
• Active Directory OU container must be created to store Intel® AMT device objects
– Recommended Name: Out of Band Management Controllers– Primary site server computer account (ConfigMgr 2007 SP2 Server) must be
granted Full Control permissions on the OU and all child objects in the OU
– http://technet.microsoft.com/en-us/library/cc161814.aspx
– Schema Extension not required for Intel® vPro™ support– However Schema Extension is required for other ConfigMgr 2007 SP2 features and
make ConfigMgr 2007 SP2 Client Agent Deployments easier (required for Agent Based provisioning)
• Extend AD Schema (optional): http://technet.microsoft.com/en-us/library/bb633121(TechNet.10).aspx
Intel Confidential
29
On your Domain Infrastructure Image, Click Start > Programs > Administrator Tools > Active Directory Users and Computers
Note: Under the View menu option, ensure Advanced Features is checked
Expand the vProDemo.com domain
Right Click on Users and select New > Group
In the New Object - Group dialog box, type ConfigMgr Primary Site Servers
Click OK
Create Active Directory Security Group for ConfigMgr 2007 SP2 Primary Site Servers
Intel Confidential
30
In the Active Directory Users and Computers, right-click the ConfigMgr Primary Site Servers Group and select Properties
In the ConfigMgr Primary Site Servers Properties window, select the Members tab and click Add
Add the MSSCCM server and click OK (make sure to click the Object Types button and check Computers to find SCCM Computer Account)
Click OK to close the Properties window
Note: Your ConfigMgr server is now a member of your ConfigMgr Primary Site Servers Group and will be used later for applying security rights to AD OUs and Certificate Templates.
Make sure you have not started up the ConfigMgr server image while setting up this server security setting. If you have the ConfigMgr server running, please shutdown now.
Add ConfigMgr 2007 SP2 Server as a member to the Security Group
Intel Confidential
31
On your Infrastructure Image, Click Start > Programs > Administrator Tools > Active Directory Users and Computers
Right Click on vProDemo.com > New > Organizational Unit
In the New Object - Organizational Unit dialog box, type Out of Band Management Controllers click OK
Create Active Directory OU for Client Management Controller Objects
Intel Confidential
32
Right-click Out of Band Management Controllers OU and click Properties
In the Out of Band Management Controllers Properties window, click the Security tab
Click Add and select the ConfigMgr Primary Site Servers group
Click OK to add the group, but DO NOT close the Properties window…continue to next slide to set full control for this group.
Add ConfigMrg Primary Site Servers Security group to the Management Controller OU
Intel Confidential
33
Check Full Control for ConfigMgr Primary Site Servers Security Group
With ConfigMgr Primary Site Servers selected, click Advanced
Highlight ConfigMgr Primary Site Servers group, and click Edit
In the Apply to drop down, select This object and all descendant objects
Click OK 3 times
Give Full Control for ConfigMrg Primary Site Servers Security group to the Management Controllers OU
Note: We have now created an AD OU and given the ConfigMgr 2007 SP2 proper permission to create AMT objects for each vPro system during the provisioning phase.
Intel Confidential
34
On your Infrastructure Image, Click Start > Programs > Administrator Tools > Active Directory Users and Computers
Expand vProDemo.com and Right Click on Users and select New > Group
In the New Object – Group Windows, enter AMT RADIUS Clients in the Group name field
Click OK
Create RADIUS Security Group for AMT devices
Intel Confidential
35
Right Click on AMT RADIUS Clients Group and select Properties
In the AMT RADIUS Clients Properties Window, Click the Security Tab and Click the Add button
In the Select Users, Computers, or Groups Window, add ConfigMgr Primary Site Servers
Click OK
Select the ConfigMgr Primary Site Servers and select Full control
Click OK
Set Permissions on RADIUS Security Group
COMPLETED: We have now created an AD OU, AMT Radius Group, and given the Security Group that ConfigMgr 2007 SP2 Server is a member of, the proper permission to create Management Controllers objects for each Intel® vPro™ system during the provisioning phase.
Intel Confidential
36
Configure PKI Web Server Configure PKI Web Server Certificates for each Certificates for each
Management Controller Management Controller
Intel Confidential
37
Closer look at Certificates with ConfigMgr 2007 SP2 and Intel® vPro™
• There are three types of Certificates that are used in association to Intel vPro client provisioning and management within ConfigMgr 2007 SP2• Intel® AMT Self Signed Certificate
• Used during PKI provisioning to secure the connection• Transparent to process
• Intel® AMT Provisioning Certificate• Used for Remote Configuration authentication by the Out of Band Service Point• Can be generated from Internal PKI Infrastructure or purchased from 3rd Party
CA (VeriSign*, GoDaddy*, Comodo, Starfield)• Provisioning certificate can be generated from internal PKI environment
• Require Internal Root hash to be imported into the MEBx
• Requires Option 15 set on DHCP to support “Zero Touch” Configuration
• Intel® AMT Web Server Certificate• Used to secure a connection to Intel AMT client by the management console• Issued to the Intel AMT client during the provisioning process• ConfigMgr 2007 SP2 requires the certificate to be issued by a Microsoft
Enterprise CA• PKI certificate key sizes <=2048-bits
Intel Confidential
38
Enterprise CA & Provision Certificate Configuration
• Assumes that a Microsoft Enterprise CA exists and is already configured• Two Certificates Required: Intel® AMT Provisioning & Intel AMT TLS Web Server Cert• Intel AMT Provisioning Certificate (Used for Provisioning)
• Determine 3rd party or Self Generated• 3rd Party CA (VeriSign*, Go Daddy*, Comodo, Starfield)
• http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning1• Self Generated from Internal PKI infrastructure
• http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning2• Export Cert for ConfigMgr 2007 SP2 / WS-MAN Translator in later configuration step
• http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning3
• Web Server Certificate (Intel AMT TLS Cert used for securely managing vPro)• Create New Web server Template
• Recommend certificate name: ConfigMgr AMT Web Server Certificate• Primary site server computer account (ConfigMgr 2007 SP2 Server) must have Read/Enroll
permissions• http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTwebserver
• 802.1x RADIUS Certificate (Optional for 802.1x networks)• Create New RADIUS Client Template for 802.1x network• Allows AMT to securely authenticate to an 802.1x network without an OS present
• Recommend certificate name: ConfigMgr AMT 802.1X Client Authentication Certificate• Ensure you select Supply in the request to provide the Subject Name• Primary site server computer account (ConfigMgr 2007 SP2 Server) must have Read/Enroll
permissions• http://technet.microsoft.com/en-us/library/cc431417.aspx#BKMK_AMTClientCertificate
Intel Confidential
39
Open your Certificate Authority issuing PKI Server - Click Start > Programs > Administrator Tools > Certification Authority
Expand DC1.vprodemo.com
Note: This is a Microsoft Enterprise Certificate Authority, Standalone CAs are not supported with ConfigMgr 2007 SP2 for Intel® vPro™
Right Click on Certificate Templates > Manage
Configure PKI Web Server Certificate Template
Intel Confidential
40
In the Certificate Templates Console on the right hand window pane, right click on Web Server and select Duplicate Template
In the Duplicate Template Window
Select the radio button for Windows 2003 Server, Enterprise Edition
Click OK
In the Properties of New Template Window on the General Tab:
Enter ConfigMgr AMT Web Server Certificate
Proceed to next foil to set security rights on this template
Configure PKI Web Server Certificate Template
Intel Confidential
41
In the Properties of New Template window, click the Security tab
Click Add
Select ConfigMgr Primary Site Servers group
Click OK
With the ConfigMgr Primary Site Servers group highlighted, check Read and Enroll
Click OK
Close the Certificate Templates Console
Apply Security Permission to Web Server Certificate Template
Intel Confidential
42
In the Certification Authority Window, Right Click on Certificate Templates > New > Certificate Template to Issue
In the Enable Certificate Templates Window, select ConfigMgr AMT Web Server Certificate (this template created in the previous step)
Click OK
Issue Web Server Certificate Template
Intel Confidential
43
In the Certification Authority Window > Certificate Templates, you will now see ConfigMgr AMT Web Server Certificate listed in the right hand window and ready for use by the Out of Band Service Point
Note: This Web Server Template will be used by ConfigMgr 2007 SP2 to generate a unique certificate for each Intel® AMT system during the provisioning process and used for TLS session during management of Intel AMT.
Web Server Certificate Template issued in CA for use by ConfigMgr 2007 SP2
Intel Confidential
44
Open your Certificate Authority issuing PKI Server - Click Start > Programs > Administrator Tools > Certification Authority
Expand DC1.vprodemo.com
Right Click on Certificate Templates > Manage
Configure RADIUS Client Certificate Template
Intel Confidential
45
In the Certificate Templates Console on the right hand window pane, right click on Workstation Authentication and select Duplicate Template
In the Duplicate Template Window
Select the radio button for Windows 2003 Server, Enterprise Edition
Click OK
In the Properties of New Template Window
General Tab:
Enter ConfigMgr AMT 802.1X Client Authentication Certificate
Subject Name Tab:
Select Supply in the request
Click OK in the warning message
Proceed to next foil to set security rights on this template
Configure RADIUS Client Certificate Template
Intel Confidential
46
In the Properties of New Template window, click the Security tab
Click Add
Select ConfigMgr Primary Site Servers group
Click OK
With the ConfigMgr Primary Site Servers group highlighted, check Read and Enroll
Click OK
Close the Certificate Templates Console
Apply Security Permission to ConfigMgr AMT 802.1X Client Authentication Certificate Template
Intel Confidential
47
In the Certification Authority Window, Right Click on Certificate Templates > New > Certificate Template to Issue
In the Enable Certificate Templates Window, select ConfigMgr AMT 802.1X Client Authentication Certificate (this template created in the previous step)
Click OK
Issue RADIUS Client Certificate Template
Intel Confidential
48
In the Certification Authority Window > Certificate Templates, you will now see ConfigMgr AMT 802.1X Client Authentication Certificate listed in the right hand window and ready for use by the Out of Band Service Point
Note: This Certificate Template will be used by ConfigMgr 2007 SP2 to generate a unique certificate for each Intel® AMT system and stored in the firmware during the provisioning process and allow vPro systems to authenticate to an 802.1x network while OS is in a sleep/off state.
RADIUS Client Certificate Template issued in CA for use by ConfigMgr 2007 SP2
Intel Confidential
49
In the Certification Authority Window, right click on DC1.vprodemo.com and select Properties
In the DC1.vprodemo.com Properties Window, select the Security tab
Click Add
Configure Root CA to Allow Revocation of Client Management Controller Certificates
Intel Confidential
50
Add the ConfigMgr Primary Site Servers group
Click OK
Select the ConfigMgr Primary Site Servers group
Check Allow Issue and Manage Certificates and Request Certificates permissions for this group
Click OK
Note: This setting is required when you are performing actions like an unprovision of the Management Controller. This will keep your PKI Issued certificates cleaned up (revoked).
Configure Root CA to Allow Revocation of Client Management Controller Certificates
Intel Confidential
51
Lab 1 Exercise Review
Active Directory Changes• Created Active Directory
Security Group for ConfigMgr 2007 SP2 Primary Site Servers
• Added ConfigMgr 2007 SP2 Server as a member to the Security Group
• Created Active Directory OU for Client Management Controller Objects
• Added ConfigMgr Primary Site Servers Security group to the Management Controller OU
• Gave Full Control for ConfigMgr Primary Site Servers Security group to the Management Controllers OU
Enterprise PKI Changes• Configured PKI Web Server
Certificate Template• Applied Security Permission to
Web Server Certificate Template• Issued Web Server Certificate
Template for use by ConfigMgr 2007 SP2
• Created RADIUS Client Template and issued for RADIUS certificates
• Configure Root CA to Allow Revocation of Client Management Controller Certificates
Intel Confidential
52
Lab Module 2Lab Module 2
Install and Configure Configuration Manager 2007 SP2
Out of Band Service Pointto support Intel® vPro™ Systems
Intel Confidential
53
Double Click the shortcut SCCM SP2 on the host OS to start the SCCM SP2 VM image (leaving the Infrastructure running in parallel)
Note:
• To Maximize/Minimize the Virtual Image window CTRL + ALT + ENTER
• As needed, Use CTRL+ ALT + Insert to login
• Login Information
• Domain Admin: ITproadmin
• Password: P@ssw0rd
• Domain: VPRODEMO
Launch the Microsoft Virtual PC ConfigMgr Image
Intel Confidential
54
ConfigMgr 2007 SP2 Out-of-Band Management Service Point
•OOB Management : Out of band management allows an administrator to connect to a computer's management controller (a.k.a. Management Engine) when the computer is turned off, in sleep or hibernate modes, or otherwise unresponsive through the operating system. (http://technet.microsoft.com/en-us/library/cc161963.aspx)
•OOB Service Point – ConfigMgr 2007 SP2 Service component (role) responsible for provisioning and managing Management Controllers (aka Intel® AMT).– Installing:
http://technet.microsoft.com/en-us/library/cc161863.aspx
Intel Confidential
55
ConfigMgr 2007 SP2 Prerequisiteshttp://technet.microsoft.com/en-us/library/cc161785.aspx
• Prior to ConfigMgr 2007 SP2 install, ensure ALL prerequisites are met (see link above of complete list)– Telnet is installed on computers running the OOB management console with
Vista and Windows 2008 (used for SoL)– IE / Kerberos authentication on non-standard port HotFix (KB908209) – hotfix is
for IE6 but registry key applies to all IE versions– http://support.microsoft.com/kb/908209
• If ConfigMgr 2007 SP2 is not installed, install prior to ConfigMgr 2007 SP2 setup and config– Refer to Microsoft’s Install and Configuration documentation– http://technet.microsoft.com/en-us/library/bb735860
• Download and Install ConfigMgr 2007 SP2:– http://www.microsoft.com/downloads/details.aspx?familyid=BAD49573-6AD7-4
521-A898-2EF99BC868C4&displaylang=en
• Create a ConfigMgr 2007 SP2 Site Boundary– http://technet.microsoft.com/en-us/library/bb693530.aspx
Intel Confidential
56
Open the ConfigMgr Console (short-cut located on the desktop of the SCCM image)
Navigate to System Center Configuration Manager > Site Database > Site Management > PRO – vPro Demo Primary Site > Site Settings > Site Systems
Right-click \\MSSCCM and click New Roles to launch the New Site Roles Wizard
Install Out of Band Service Point
http://technet.microsoft.com/en-us/library/cc161863.aspx
Intel Confidential
57
On the General page, click Next (default settings)
Install Out of Band Service Point
Intel Confidential
58
On the System Role Selection page, check Out of band service point, and click Next
Install Out of Band Service Point
Intel Confidential
59
On the Out of Band Service Point page, click Next
Click Next again on Summary page
Install Out of Band Service Point
Intel Confidential
60
Once the Wizard completes, click Close
You have now added the required Service Role to support Intel® vPro™ Systems through ConfigMgr 2007 SP2.
Install Out of Band Service Point
Intel Confidential
61
You will now see ConfigMgr out of band service point listed under the \\MSSCCM Roles
Note: After installing the ConfigMgr 2007 SP2 Out of Band Service Point, the log file C:\Program Files\Microsoft Configuration Manager\Logs\AMTSPSetup.Log can be reviewed to inspect the success or failure of the installation.
Install Out of Band Service Point
Intel Confidential
62
In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Site Management > PRO – vPro Demo Primary Site> Site Settings > Component Configuration
Right-click Out of band management component, and click Properties
Configure Out of Band Component - General
Intel Confidential
63
In the Out of Band Management Properties window on the General tab, Under the Provisioning Settings, click Browse to select the Active Directory container to store each Intel® AMT object
Note: These fields may already be populated with the correct information from past lab exercises – use this screen as a reference if that is the case.
Select Out of Band Management Controllers from vProDemo Domain
Note: This is the OU created in Exercise 1
Click OK
Configure Out of Band Component - General
http://technet.microsoft.com/en-us/library/cc161833.aspx
Intel Confidential
64
Click Set and provide the Intel® MEBX admin password (please us P@ssw0rd for this exercise) to be set during provisioning
Click OK
Note 1: This Intel MEBX password setting is used for ConfigMgr 2007 SP2 to change the local password on the Management Controller during the provisioning process. By default, the factory setting for the password is admin.
If this local password was manually changed on the Intel MEBX or from a previous provisioning process, this setting will be ignored. The local Intel MEBX password can only be changed remotely if the password is set to factory default (admin).
Configure Out of Band Component - General
Note 1
http://technet.microsoft.com/en-us/library/cc431452.aspx
Intel Confidential
65
Check the box to Allow out of band provisioning
Note 1: Out of Band provisioning provides alternative methods to provision devices without an OS or SCCM Client. The preferred method is to use inband SCCM agent based provisioning shown in later modules.
Intel® AMT Provisioning port can be modified if necessary, but requires modification (physical touch) on each Management Controller (leave default 9971).
Click Yes in the Security Warning to Allow for Out of Band Provisioning.
Note: OOB Provisioning is not required if you are going to leverage inband SCCM Agent based provisioning (preferred method). This option is for scenarios like bare metal provisioning when no host OS or SCCM client agent is available.
Configure Out of Band Component - General
Note 1
http://technet.microsoft.com/en-us/library/dd796347.aspx
Intel Confidential
66
Check the box to Register ProvisionServer as an alias in DNS
Note: This creates an Alias in your DNS environment to allow provisioning hello packets from AMT to get routed to the ConfigMgr 2007 SP2 server used in PSK / Bare Metal Provisioning and SCS -> ConfigMgr 2007 SP2 migration. This would not apply or be necessary for in-band ConfigMgr 2007 SP2 Agent initiated Provisioning.
Configure Out of Band Component - General
Intel Confidential
67
Under the Certificates section, Click Browse and select the Intel(R) Client Setup Cert – GoDaddy vProDemo.com and vProDemo.us UCC Backup.pfx (located in z:\GoDaddy_vProDemo)
Click Open
Note: This is the Remote Configuration Certificate (previously purchased from GoDaddy* which could also be purchased from VeriSign*, Comodo, or Starfield) and used for Remote Provisioning. The Root hash that issued this certificate can be found pre-configured in the Management Controller’s firmware that ships from the OEM.
Enter the password for this certificate (Pr0t3ct!0n) and click OK
Note: Zeros are used in the above password
Note: If the password is incorrect, you will receive and Invalid Password message. If the certificate is not a valid Remote Configuration Certificate, you will receive an Invalid Certificate message.
Configure Out of Band Component - General
Intel Confidential
68
Click Select for the AMT Certificate Template
Select
Issuing CA: DC1.vprodemo.com
CA name: DC1.vprodemo.com
AMT certificate template: ConfigMgr AMT Web Server Certificate
Note: This is the Certificate Template created in Exercise 1 on the Infrastructure Domain image.
Click OK
Click Apply
Configure Out of Band Component - General
Intel Confidential
69
On the AMT Settings tab, click icon to add AMT User Accounts
In the AMT User Account Setting window, click Browse and add the VPRODEMO\AMTAdmins account, click OK
Check the Platform Administration box which will automatically select all options by default
Click OK
Click Apply
Note: This account specifies the rights to the management controller for selected capabilities to Intel® AMT. http://technet.microsoft.com/en-us/library/cc161918.aspx
Configure Out of Band Component – Intel® AMT Settings
http://technet.microsoft.com/en-us/library/cc161891.aspx
Note: These fields may already be populated with the correct information from past lab exercises – use this screen as a reference if that is the case.
Intel Confidential
70
In the Default IDE-redirect image text box, enter \\DC1\IDER\rds_rw.iso
In the drop down menu for Manageability is on in the following power states: select Always on (S0-S5)
Note: This setting will ensure the Management Controller is on regardless of the state of the Operating System (on, sleep, hibernate, off)
Check the boxes:
Enable Web interface
Enable serial over LAN and IDE-redirect
Allow ping responses
Enable BIOS password bypass for power on and restart commands
Enable Support for Intel WS-MAN Translator (covered in Legacy Provisioning Class)
Default setting for Kerberos clock tolerance (5)
Click Apply
Configure Out of Band Component – Intel® AMT Settings
Intel Confidential
71
On the Provisioning Settings Tab, click to add a Digest User and Password for Provisioning
Enter:
Name: admin
Password: P@ssw0rd
Confirm Password: P@ssw0rd
Description: Digest Account
Click OK
Click APPLY
Note: This digest account will be used for provisioning if the default remote admin password has been modified.
Determine if this account is necessary for your environment http://technet.microsoft.com/en-us/library/cc431451.aspx
Configure Out of Band Component – Provisioning Settings
http://technet.microsoft.com/en-us/library/cc161815.aspx
Intel Confidential
72
Configure Out of Band Component – Audit Settings
On the Audit Settings Tab, check All of the AMT features to enable auditing
Click APPLY
Note: To unprovision a system from the MEBx you have to disable audit log first. Select the audit settings that are applicable to your production environment.
http://technet.microsoft.com/en-us/library/ee344520.aspx
Intel Confidential
73
Configure Out of Band Component – Provisioning Schedule Settings
On the Provisioning Schedule Tab, change the Simple Schedule to 1 hour
Click OK
Note: By default, Intel AMT systems will attempt to initiate in-band provisioning every 24 hours. This default option is modified by these settings so the provisioning will occur on a more frequent basis.
Another Option is to use the Custom Schedule so you can configure a start date and time with a reoccurrence pattern.
http://technet.microsoft.com/en-us/library/ee344296.aspx
Intel Confidential
74
Lab Module 2.1Lab Module 2.1
Advanced Out of Band Configuration
The following 2.1 module is an advanced topic on 802.1x and Wireless Profiles
Intel Confidential
75
802.1x and Wireless Profiles
•This section is for advanced vPro users that are familiar with 802.1x networking and RADIUS server for authentication– Wireless AP = Linksys Dual-Band Wireless N Gigabit router
that supports 802.1x– There are many options available for wireless and 802.1x
profiles and this training will only cover one set (refer to Microsoft TechNet for complete list of supported protocols)
– The RADIUS Server (Microsoft NPS – Windows 2008 Server) has been Pre-Configured for training
How to: http://technet.microsoft.com/en-us/library/ee344378.aspx
Requirements: http://technet.microsoft.com/en-us/library/ee344543.aspx
Intel Confidential
76
In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Site Management > PRO – vPro Demo Primary Site> Site Settings > Component Configuration
Right-click Out of band management component, and click Properties
On the 802.1x and Wireless Settings Tab, check the box for Enable 802.1x authentication for wired network and click Set
Note: This setting will provision the vPro system with proper 802.1x credentials in order for the device to authenticate to a protected 802.1x network. The RADIUS server is pre-configured for this lab and steps to setup this RADIUS server is out of scope for this training module.
Configure Out of Band Component – 802.1x Settings
http://technet.microsoft.com/en-us/library/ee344664.aspx
Intel Confidential
77
In the 802.1x Wired Network Access Control window, click the Select button
In the Trusted Root Certificate for Radius authentication window, select the radio button for From certificate authority (CA): and select DC1.vprodemo.com from the drop down menu
Click OK
Note: This certificate is the root certificate from the Enterprise CA on the infrastructure image to communicate with the Radius server. The Radius server is pre-configured on the infrastructure server for training purposes.
Configure Out of Band Component – 802.1x Settings
http://technet.microsoft.com/en-us/library/ee344378.aspx
Intel Confidential
78
In the 802.1x Wired Network Access Control window, select EAP-TLS from the drop-down menu for Client Authentication Method
Click the Select button to select a Client Authentication Client Certificate template
In the RADIUS Client Certificate Configuration windows, select the following:
Issuing CA: DC1.vprodemo.com
CA name: DC1.vprodemo.com
RADIUS client Certificate template: ConfigMgr AMT 802.1X Client Authentication Certificate
Click OK twice to complete 802.1x configurations
Note: This template will be used by the Site Server during the provisioning process to generate an 802.1x Radius Certificate for each AMT device.
Configure Out of Band Component – 802.1x Settings
Intel Confidential
79
On the 802.1x and Wireless Settings Tab, click the icon to create a wireless profile
In the Wireless Profile Window, enter the following information:
Profile Name: ProDemoAP
Network name (SSID): ProDemoAP
Security Type: WPA2-Enterprise
Encryption method: AES
Configure Out of Band Component – Wireless Settings
http://technet.microsoft.com/en-us/library/ee344683.aspx
Intel Confidential
80
In the 802.1x authentication section, click the Select button under Server authentication
In the Trusted Root Certificate for Radius Authentication window, select the radio button for From certificate authority (CA): and select DC1.vprodemo.com from the drop down menu
Click OK
In the 802.1x authentication section, click the Select button under Client authentication
In the RADIUS Client Certificate Configuration windows, select the following:
Issuing CA: DC1.vprodemo.com
CA name: DC1.vprodemo.com
RADIUS client Certificate template: ConfigMgr AMT 802.1X Client Authentication Certificate
Click OK twice to complete wireless configurations
Configure Out of Band Component – Wireless Settings
Intel Confidential
81
In the Security Group for RADIUS authentication section, select the radio button for Automatically add AMT-based computers to security group
Click the Browse button to choose a Security group for RADIUS Server
In the Select Group window, add AMT RADIUS Clients
Click OK – 2 times
Note: This completes the configuration for the 802.1x and Wireless profile setting.
Configure Out of Band Component – Wireless Settings
Intel Confidential
82
In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Site Management > PRO – vPro Demo Primary Site > Site Settings
Right click on Boundaries and select New Boundary
Enter the following fields
Description = Net Boundary
Site Code = PRO - vPro Demo Primary Site
Type = IP address range
Starting Address = 192.168.0.10
Ending Address = 192.168.0.199
Network Connection = Fast
Click OK
Note: This will allow the SCCM agent to discover the ConfigMgr Site Server.
Congratulations! You have configured ConfigMgr 2007 SP2 for Intel® vPro™ Clients
Configure New Site Boundary
Intel Confidential
83
Lab 2 Exercise Review
Installed OOB Service Component and configured Properties• Used to Configure General OOB Properties and Intel® AMT Client Profile
• http://technet.microsoft.com/en-us/library/cc161960.aspx• Configured General Tab
• Provisioning Settings - Active Directory container• Stores Intel AMT Objects• Select AD Container previously created: Out of Band Management Controllers
• Provisioning Settings – Intel® MEBx Account• What to set the Intel MEBx Password (if not already set) and remote admin
account to during Provisioning• Register ProvisionServer as an alias in DNS (used for PKI/PSK (Bare Metal) hello
packet routing to OOB Service Point)• Certificate – Provisioning Certificate
• PKI / Remote Configuration Certificate• Configure with certificate exported during Enterprise CA & Provision Certificate
configuration• Certificate – Certificate Template
• Configure with template created during Enterprise CA & Provision Certificate configuration: ConfigMgr AMT Web Server Certificate and RADIUS Certificate
http://technet.microsoft.com/en-us/library/cc161833.aspx
Intel Confidential
84
Lab 2 Exercise Review
• Configured Intel® AMT Settings Tab• Intel AMT User Accounts
• Allows you to define Kerberos user who can invoke Intel AMT features• Define which accounts have which Intel AMT realm permissions
• Default IDE-redirect image• Default location of image files
• Manageability Power States• Sets power state for when you want to manage the AMT-based computer out of
band (S0 – S5)• Enable Web interface
• Enables / Disables Intel AMT web interface for provisioned Intel AMT clients • Enable Serial Over LAN and IDE redirection
• Enables / Disables SOL and IDER for provisioned Intel AMT clients • Allow ping responses
• Enables / Disables ping responses for provisioned Intel AMT clients • Enable support for Intel® WS-MAN translator
• Enables support within ConfigMgr 2007 SP2 to forward Provisioning and Intel AMT operation command to the Intel WS-MAN Translator for firmware less than 3.2.1
• http://technet.microsoft.com/en-us/library/cc161891.aspx
Intel Confidential
85
Lab 2 Exercise Review
• Configured Provisioning Settings Tab• Add Provisioning and Discovery Accounts
• Allows you to define additional Digest accounts that can be used to provision and discover AMT systems if the standard default account has been modified
• http://technet.microsoft.com/en-us/library/cc161815.aspx • Configured 802.1X and Wireless Tab
• Created wired and wireless profiles to be added to AMT during the provisioning process to allow AMT to authenticate to an 802.1x protected network
• Automatically added AMT devices to a security group for RADIUS authentication• http://technet.microsoft.com/en-us/library/ee344664.aspx
• Configured Audit Settings Tab• Enabled the features to be audited by AMT• http://technet.microsoft.com/en-us/library/ee344520.aspx
• Configured Provisioning Schedule Tab• Specified a specific schedule for AMT systems to initiate provisioning• http://technet.microsoft.com/en-us/library/ee344296.aspx
• Configured Site Boundary for Agent discovery• http://technet.microsoft.com/en-us/library/bb693530.aspx
Intel Confidential
86
Lab Module 3Lab Module 3
Configuration Manager 2007 SP2 Collections and In-Band
Provisioning
Intel Confidential
87
ConfigMgr 2007 SP2 Agent Installation and InBand Provisioning
• In this exercise, you will – Install the ConfigMgr 2007 SP2 Client Agent on an
Intel® vPro™ system (e.g. Intel vPro Laptop/Desktop)– Create an Unprovisioned vPro Client Collection to place
discovered Unprovisioned systems and enable the auto-provisioning policy on this collection
– Initiate an InBand remote configuration provisioning of an Intel vPro system with native ConfigMgr 2007 SP2 support
– NOTE: Bare Metal / Out-of-Band provisioning (No OS or SCCM Client) is supported but not covered in this training) – for information on this process see: SCCM Out of Band Provisioning (Bare Metal Provisioning)
Intel Confidential
88
Agent Based Provisioning Process
1. Based on policy, the Configuration Manager Agent will assess if the Client can be provisioned,. If I can, it will create a One Time Password and send the OTP to both the OOB Service and into the Intel® AMT Firmware
2. OOB Service Point secures connection with the Intel AMT client through Embedded AMT Self Sign Certificate, Present Provisioning Certificate along with the OTP for initial Authentication
3. OOB Service Point sets et Remote Admin and Intel® MEBX password (if not changed)4. OOB Service Point requests a web server certificate on behalf of the Intel AMT client5. OOB Service Point created an Object in AD for the Intel® vPro™ Client6. OOB Service Point pushes web server certificate to Intel AMT client7. OOB Service Point pushes ACL, power schema, and other configuration data to Intel AMT to finalize provision
http://technet.microsoft.com/en-us/library/cc431371.aspx
Intel Confidential
89
Login to the Intel® vPro™ Laptop
User: ITproadmin
Password: P@ssw0rd
Domain: VPRODEMO
Once logged into the Intel® vPro™ client, map a drive to \\mssccm\c$
Go to Program Files\Microsoft Configuration Manager\Client
In the Client folder, double click ccmsetup.exe
Note: This will install the SCCM SP2 client from you SCCM Site server. This Intel vPro system must be joined to the infrastructure domain – Prior to the client setup.
Install ConfigMgr 2007 SP2 Client Agent on local system
http://technet.microsoft.com/en-us/library/bb693546.aspx
Intel Confidential
90
Track the setup by monitoring the Process ccmsetup.exe in Task Manager
Installation is complete once the CcmExec.exe process is running in Task Manager
You can track the agent installation on the client in c:\windows\system32\ccmsetup\ccmsetup.log (for Vista 64bit file is located in c:\windows\SysWOW64\CCM)
Note: Once the installation is complete, you will see CcmExec Service running in Task Manager.
A reboot of the vPro system will help speed up the SCCM agent to check in with the Site Server.
Monitor ConfigMgr 2007 SP2 Client Agent Install
Intel Confidential
91
In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections
Right Click on All System and select Update Collection Membership
After a few moments, right click All Systems and select Refresh
Note: You will see the client system in All Systems that you installed the SCCM Client. You will also see a Yes in the Client Column and listed as Approved. This integration into ConfigMgr happens after the SCCM Client has been installed and checked in with the site server. This may take several minutes.
Do not proceed until this client shows up in SCCM.
SCCM Agent discovered in ConfigMgr
Intel Confidential
92
Configuration Manager 2007 SP2 Configuration Manager 2007 SP2 Collection Configuration for Collection Configuration for
Automatic Provisioning of Automatic Provisioning of Management ControllersManagement Controllers
Intel Confidential
93
Collection Configuration
• In this exercise, you will – Create an Intel® AMT Collection to group Intel AMT systems
that are AMT Capable and unprovisioned– Configure an Intel AMT Collection to automatically provision
Out of Band Management Controllers
Intel Confidential
94
Agent Based Provisioning Configuration Overview
• To provision via the ConfigMgr 2007 SP2 Client Agent, you must configure ConfigMgr 2007 SP2 to allow agent integration
• Requirements for Agent• Prerequisites for Configuration Manager Client Deployment
• http://technet.microsoft.com/en-us/library/bb680537.aspx
• Configure Collection for Automatic Provisioning• Recommend Collection Created for “Unprovisioned vPro Clients”
• Create Collection Membership Rules based on Intel® AMT Hardware Inventory
• http://technet.microsoft.com/en-us/library/cc431387.aspx• Ensure “Enable Automatic out of band management controller provisioning”
checked in Collection Name Settings: Out of Band Tab for Collection• http://technet.microsoft.com/en-us/library/cc161955.aspx
• Install ConfigMgr 2007 SP2 client on Intel AMT Client• http://technet.microsoft.com/en-us/library/bb632762.aspx
Intel Confidential
95
In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections
Right click on Collections and select New Collection
In the New Collection Wizard, enter the name Unprovisioned vPro Clients and add optional Comments as required
Click Next
Create Intel® AMT Unprovisioned Collection
http://technet.microsoft.com/en-us/library/cc161961.aspx
Intel Confidential
96
In the Membership Rules window, click the Query Rule Properties (it is the Database icon)
Modify Membership Rules for the Unprovisioned Collection
Intel Confidential
97
In the Query Rule Properties window, enter the name Unprovisioned vPro Clients
Click Edit Query Statement...
In the Unprovisioned vPro Clients Query Statement Properties window, click Show Query Language
Edit Query Statement in the Membership Rules
Intel Confidential
98
In the Query Statement textbox,
type: select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_AMT_AGENT on SMS_G_System_AMT_AGENT.ResourceID = SMS_R_System.ResourceId where SMS_G_System_AMT_AGENT.AMT >= "0" and (SMS_R_System.AMTStatus != "3" or SMS_R_System.AMTStatus is NULL)
Note: This query statement can be found in a text file under w:\SCCM New Hardware Inventory Query.txt.
This will pull all the clients into this collection that are discovered Intel® vPro™ capable and not provisioned.
Note: Additionally you can setup up a collection for Provisioned Clients, in the Query Statement textbox, you will use: Select * from SMS_R_System where AMTStatus=3
This will show ALL vPro systems that have been provisioned.
Click OK and OK again on the Query Rule Properties Window
In the Membership Rules window, click Next
Add AMTStatus check to Query Statement
Intel Confidential
99
In the Advertisements window, click Next
Create Intel® AMT Unprovisioned Collection
Intel Confidential
100
In the Security window, add any appropriate users or groups and click Next (keep defaults for this exercise)
In the Confirmation window, click Close
Note: Optional step - Repeat foils to create a collection for Provisioned vPro Clients. See note on foil 98 for Select * from SMS_R_System where AMTStatus=3
Create Intel® AMT Unprovisioned Collection
Intel Confidential
101
In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections > Unprovisioned vPro Clients
Right click on Unprovisioned vPro Clients and select Modify Collection Settings
In the Unprovisioned vPro Clients Settings window, click the Out of Band tab
Check the checkbox Enable Automatic out of band management controller provisioning and click OK
Note: This setting enables ConfigMgr 2007 SP2 Clients to automatically provision Intel® AMT with ConfigMgr 2007 SP2.
Enable Automatic OOB provisioning for the Unprovisioned Collection
http://technet.microsoft.com/en-us/library/cc161955.aspx
Intel Confidential
102
In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections > Unprovisioned vPro Clients
Click the Unprovisioned vPro Clients collection, right click in the right hand window, and select View > Add/Remove Columns
In the Add/Remove Columns window, add AMT Status and AMT Version to the Displayed columns and move these fields below the Name field for easy viewing
Click OK
Note: Perform these same steps for the All Systems collection. This will allow you to see Intel AMT related information in the collection.
Add Intel® AMT Display Columns to the collection
DON’T T
HINK W
E NEED T
HIS S
TEP W
ITH N
EW Q
UERY
Intel Confidential
103
To allow ConfigMgr 2007 SP2 to use AMT Power On commands with advertisements, Wake On LAN for the site needs to be Enabled
In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Site Management > PRO – vPro Demo Primary Site
Right click on PRO – vPro Demo Primary Site server and select Properties
Select the Wake on LAN tab
Check the Enable Wake on LAN for this site
Select Use power on commands only
Click OK
Configure Site Parameters to Use Secure Remote Power Control
Note: This will allow ConfigMgr 2007 SP2 to wake-up Intel® AMT enabled systems with secure and authenticated wake-up methods in Intel AMT for scheduled activities.
http://technet.microsoft.com/en-us/library/bb694191.aspx
Intel Confidential
104
On the Intel® vPro™ System, open the Control Panel
After the Agent installation is complete, you will see a Configuration Manager Icon under System and Security
Note: It may be helpful to reboot the client at this time
Double Click the Configuration Manager Icon
Select the Actions Tab
Note: On Vista 64bit OS, you will find the Configuration Manager Icon under View 32-bit Control Panel Items Icon In the Control Panel
Initiate Action on the ConfigMgr 2007 SP2 Client Agent
Intel Confidential
105
Click on Machine Policy Retrieval & Evaluation Cycle and click Initiate Action button
Click OK in the window indicating the action has been initiated
Note: This process will speed up the provisioning cycle rather than waiting for the schedule event to occur as you would do in a production environment. You may need to initiate the Machine Policy action more than once to start the provisioning process immediately.
Note: You can track the progress by monitoring the logs directory c:\windows\system32\CCM\Logs
(on Vista 64bit OS, the logs folder is located under c:\windows\SysWOW64\CCM\Logs)
OOBMGMT.log will track the progress of the auto provisioning of AMT. You should see a log entry stating “Successfully activated the device.” This indicates the SCCM agent has initiated the provisioning process
PolicyAgent.log will track all of the policies pulled down by the agent from ConfigMgr 2007 SP2 server.
Refer to the SendSched Utility in the Appendix to launch the provisioning immediately (click here)
Initiate Action on the ConfigMgr 2007 SP2 Client Agent
Intel Confidential
106
After a few minutes, provisioning will automatically complete and you can update your collection membership
Right Click Collections and select Update Collection Membership
Click Yes to confirm that you want to proceed
Right click on All Systems collection and select Refresh
The client will now appear in All Systems Collection as Provisioned and no longer be listed in the Unprovisioned vPro Clients collection
Note: You can track the provisioning progress under C:\Program Files\Microsoft Configuration Manger\Logs\Amtopmgr.log
This process length depends on the time it takes for ConfigMgr 2007 SP2 Agent to check in with the Server and pull down its policies.
Provision AMT via In-Band ConfigMgr 2007 SP2 Client Agent
Congratulations! You have just successfully completed InBand provisioning in ConfigMgr 2007 SP2 and enabled Intel® vPro™ systems to be manageable out of band by ConfigMgr 2007 SP2 console.
Intel Confidential
107
Lab Module 3 Review• Installed the SCCM Client Agent on the Intel vPro system• Created Intel® AMT Unprovisioned Collection• Modify Membership Rules for the Unprovisioned Collection• Added AMT Hardware Inventory check to Query Statement• Enabled Automatic OOB provisioning on the Collection• Added Intel AMT Display Columns to the collections• Configured Site Parameters to Use Secure Remote Power
Control (used in Real World Use Cases module)• Initiated an InBand agent based provisioning• Updated Collections to see Provisioned AMT System
Intel Confidential
108
Lab Module 4Lab Module 4
Configuration Manger 2007 SP2 Out of Band Management Console
Intel Confidential
109
Using the Out Of Band Management Console in
ConfigMgr 2007 SP2 to manage Intel® vPro™ Systems
Intel Confidential
110
ConfigMgr 2007 SP2 OOB Mgt Console•The following screen captures show the ConfigMgr
2007 SP2 OOB console interfaces for each of the OOB management capabilities.
http://technet.microsoft.com/en-us/library/cc161766.aspx
Intel Confidential
111
In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections > All Systems
Right click on a Provisioned System
Select Out of Band Management > Out of Band Management Console
Note: This will launch the OOB Management console that allows you to perform all of the OOB management capabilities in ConfigMgr 2007 SP2.
You can also perform Power Control, Update / Delete Data in the Management Controller, Enable/Disable/Clear Audit Log without opening the OOB Management Console.
Update = Reprovisioning
OOB Management Console
http://technet.microsoft.com/en-us/library/cc161875.aspx
Intel Confidential
112
Once the OOB Management Console opens, you will see
System: Connected/Busy
Serial connection: Inactive
Note: SCCM SP2 no longer automatically connects a serial connection. Instead, the serial connection is left inactive until you select Tools > Open Serial-over-LAN Connection. You will see a warning indicating that if this device is connected wirelessly, the connection may be disconnected during the SoL session.
In this screen, you can view
Power
IP Address
Host Name
Domain Suffix
System ID (UUID)
Date of last refresh
Time of last refresh
OOB Management Console – System Status
Intel Confidential
113
In this screen, you can view all of the System Hardware Inventory stored in the Intel® ME firmware
OOB Management Console – System Information
Intel Confidential
114
In this screen, you can perform all of the OOB power function capabilities
Power ON
Power OFF
Restart Computer
IDER to ISO
Boot to BIOS
• Bypass BIOS Password
• Lock remote keyboard
Take a few minutes to perform a few power option features:
Power on/off the Desktop
Redirect BIOS to see system BIOS in Serial Connection Window
Perform IDER to a local ISO (this will be covered in depth in our “real world” Use Case section)
Note: Remember to start a Serial-over-LAN session before redirecting to an ISO or BIOS so you can view/control the session in the serial connection tab.
OOB Management Console – Power Control
Note: When you select to power cycle a vPro system, you will be warned that this action can cause data loss on the system if they system has opened applications and unsaved data (this is not a graceful shut down)
http://technet.microsoft.com/en-us/library/cc161974.aspx
Intel Confidential
115
In this screen, you can
View System Event log
Set Log Level
OOB Management Console – System Event Log
Intel Confidential
116
In this screen, you can view the IDE-Redirect log
OOB Management Console – IDE-Redirect Log
Intel Confidential
117
In this screen, you can view the System Audit log and can Export this information to a file
OOB Management Console – System Audit Log
http://technet.microsoft.com/en-us/library/ee344294.aspx
Intel Confidential
118
In this screen, you can view and control the Serial Connection of the remote screen (e.g. Bios or DOS based ISO image)
OOB Management Console – Serial Connection
Intel Confidential
119
In this screen, you can enter information into the 3rd Party Data Store (3PDS) and save this information for later viewing
Type any random data in the window and select save
Note: Intel has provided Powershell scripts that can be used to push/pull data down to this 3PDS from a central location (e.g. Site Server). This would allow you to push data remotely (e.g. asset tag and location information) and access this data through the OOB console. For more information on these scripts:
Real World Use Case #4 Powershell Scripts for 3PDS
OOB Management Console – Data Storage
http://technet.microsoft.com/en-us/library/ee373487.aspx
Intel Confidential
120
On your ConfigMgr 2007 SP2 server, open Internet Explorer
Type https://<AMThostname>.vprodemo.com:16993
If the system is successfully provisioned with a TLS certificate, you will see the Intel AMT WebUI interface.
Click Log On
In the login Window, use the Account setup in the OOB Componet
User name: vprodemo\ITproadmin
Password: P@ssw0rd
If you successfully authenticate to Intel AMT, you will see the WebUI to manage Intel AMT
System Status
Hardware Information
Event Log
Remote Control
Power Policies
Network Settings
User Accounts
Note: Accessing the WebUI and successfully logging in confirms both your Kerberos authentication is successful and your TLS certificate is functioning properly. This is a good testing steps to ensure the system was successfully provisioned by SCCM.
Use Internet Explorer* to manage Intel® AMT
http://technet.microsoft.com/en-us/library/cc161817.aspx
Intel Confidential
121
Lab Module 4 Review• The Out of Band Management Console is the ConfigMgr 2007
SP2 interface to perform Out of Band Management Features– Power Up/Down– Restart– Boot to BIOS– Redirect to an ISO– Hardware Inventory– System Information
• You can also perform Power Up/Down and Management Controller reprovisioning/delete from within ConfigMgr 2007 SP2 directly
• Use the Web Interface in IE to manage Intel® AMT Systems
Intel Confidential
122
Lab Module 5Lab Module 5
Real World Use Cases for Intel vPro Systems with SCCM SP2
Intel Confidential
123
Real World Use Cases
• The following “Real World” Use Cases have been developed to help customers with drop-in solutions that will enable them to gain immediate value with Intel® vPro™ and SCCM within a production environment– Wake On Advertisements– Remote KVM– Remote Drive Share– Powershell Scripts for 3PDS
http://communities.intel.com/docs/DOC-4080
Intel Confidential
124
Real World Use Case #1Real World Use Case #1
Intel Wake-On Advertisement
Intel Confidential
125
Using Intel® AMT Power Options to wake up a system with a SCCM Advertisement•When creating software distribution in ConfigMgr
2007 SP2, you can leverage Intel AMT power options to wake up system (e.g. after hour patching scenarios).
•Make sure your vPro Client is Powered Off for the next exercise.
Intel Confidential
126
In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Operating System Deployment > Task Sequences
Right click on Task Sequences, select New > Task Sequence
In the New Task Wizard window, select Create a New custom task sequence
Click Next
Create a Task Sequence to be used in an Advertisement
Intel Confidential
127
In Task Sequence Information, Enter in Task Sequence Name: Just Shutdown and add appropriate Comments
Click Next
Confirm information in the Summary and click Next
Once the Wizard completes, click Close
Create a Task Sequence to be used in an Advertisement
Intel Confidential
128
In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Operating System Deployment > Task Sequences
Right click on Just Shutdown Task Sequences (created in previous step), select Edit
In the Just Shutdown Task Sequence Editor, click Add > General > Run Command Line
In the Name Field, type Shut Down
In the Command Line window, type shutdown –s –f
Click OK
Edit Task Sequence to be used in an Advertisement
Intel Confidential
129
In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections > All Systems
Right click on All Systems, select Advertise Task Sequence
In the New Advertisement Wizard, enter Shut Down Client in the name field
In the Task Sequence Field, click Browse
In the Select Task Sequence window, select Just Shutdown Task Sequence
In the Collections Field, Click Browse and select All Systems
Click OK
Click Next
Create an Advertisement to use Intel® AMT power up and run Task Sequence
Intel Confidential
130
In the Schedule Screen, Enter an Advertisement start time (leave default)
Under Mandatory Assignments, Click the New button
In the Assignment Schedule window, select Assign Immediately after this event and select as soon as possible in the drop down list
Click OK
Check Enable Wake On LAN box
Note: This check box will enable ConfigMgr 2007 SP2 to use Intel AMT secure Power on feature to wake up the system per the settings defined in a previous step: Site Power Controls
Select Priority as High
Click Next
Create an Advertisement to use Intel® AMT power up and run Task Sequence
Intel Confidential
131
On the Distribution Screen, leave the defaults and click Next
On the Interaction Screen, leave the defaults and click Next
On the Security Screen, leave the defaults and click Next
On the Summary Screen, click Next
On the Wizard Complete, click Next
Note: As soon as the advertisement is seen, it will begin powering up the Intel® vPro™ provisioned system using the Intel AMT power up command and run the Task sequence to shut it back down.
Create an Advertisement to use Intel® AMT power up and run Task Sequence
Intel Confidential
132
Real World Use Case #2Real World Use Case #2
Intel KVM integrated into SCCM SP2 and Microsoft Diagnostic and Recovery Tools
Intel Confidential
133
Intel® vPro™ KVM• Keyboard, Video and Mouse Redirection over IP • Intel® AMT 6.0 platform (Piketon and Calpella) with
integrated graphics• Similar to a full IP-KVM experience, without expensive
hardware• ISV Support:
• RealVNC will be shipping soon: http://communities.intel.com/community/openportit/vproexpert/blog/2010/02/04/vnc-viewer-plus-enabling-remote-access-to-the-2010-intel-core-vpro-processor-family
• Others to be announced
Intel Confidential
134
Keyboard, Video and Mouse Redirection over IP
Allows remote operator to securely access a remote system as if he/she was sitting in
front of it
Blue screenBlue screenDsfsd.sys Dsfsd.sys failed at mem failed at mem location location 0x123456780x12345678Memory dumpMemory dump::3409afed 3409afed 3409afed 3409afed 3409afed 3409afed 3409afed 3409afed 3409afed 3409afed3409afed 3409afed
ConsoleConsoleLogoLogo __ XX
ComputerComputer StateState Comp AComp A UnhealthyUnhealthy Comp BComp B Repair modeRepair mode Comp CComp C S3 - StandbyS3 - Standby Comp DComp D BootingBooting
Select a machine to remoteSelect a machine to remote
Comp A Screen Comp A Screen
Dsfsd.sys Dsfsd.sys failed at mem failed at mem location location 0x123456780x12345678Memory dump:Memory dump:3409afed 3409afed 3409afed 3409afed 3409afed 3409afed 3409afed 3409afed 3409afed 3409afed3409afed 3409afed
AT AT ConsoleConsole
OS-unresponsive/OS-unresponsive/Repair ModeRepair Mode
Wake Wake from S3from S3
BootingBooting
TLS / K
erbero
s
TLS / K
erbero
s
TLS / Kerberos
TLS / Kerberos
TLS / KerberosTLS / Kerberos
TLS / KerberosTLS / Kerberos
Video - redirected from managed machine to Management ConsoleKeyboard and Mouse - redirected from Management Console to managed machine
Intel Confidential
135
KVM typical session flow
Intel Confidential
136
On the MSSCCM VM image, double click KVMViewSetup.exe to install the KVM Viewer
In the KVMView Setup Wizard, click Next
In the Select Installation Folder window, click Next
In the Confirmation Installation window, click Next
In the Installation Complete window, click Close
Note: This installation will install the KVMViewer application in c:\program files\Intel\KVMView
After installation is complete, delete the KVMCerts.PEM file in the KVMView Folder
Recreate a KVMCerts.PEM file by creating a new text file (New Text Document.txt) and renaming it to KVMCerts.PEM (file size will now be 0KB)
Install KVM Viewer on SCCM Site Server
Intel Confidential
137
Close the ConfigMgr Console in the VM image
Copy the file vpro_client.xml and place into c:\Program Files\Microsoft Configuration Manager\AdminUI\xmlstorage\Extensions\Actions\7ba8bf44-2344-4035-bdb4-16630291dcf6\
Note: This file will give you the ability to right click on a provisioned vPro KVM system and launch the KVMViewer from within the ConfigMgr Console.
Integrating KVM into SCCM Site Server
Intel Confidential
138
Open the ConfigMgr Console (short-cut on the desktop)
In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections > All Systems
Right click on a Provisioned vPro system that is KVM Capable
Select Intel KVM Remote Control > Start Session
The KVMView Console will Launch and will start to automatically recreate the trusted root certificate file (.PEM file) for securing a connection to the device
Note: This new right click KVM remote control feature calls the KVMView Console installed previously.
Launching Integrated KVM Console
Intel Confidential
139
The KVM Console will connect to the KVM system and prompt the user for a User Consent Code (Note 1)
The end user will read the User Consent Code to the Remote KVM administrator so it can be entered into the KVM Console (Note 2)
This will establish a secure KVM session between the KVM Console and the Intel vPro KVM system
Note: This User Consent Code is for privacy and security protection but can be disabled for your environment.
Authenticating with KVM Console
Note 1
Note 2
Intel Confidential
140
After you the remote KVM Console is authenticate with the User Consent Code, a full secure KCM session is established
With the KVM Console, restart the remote vPro System
With a KVM session established, you can see the entire boot process
Note: You can perform all functions remotely within the OS, similar to using the standard inband agent based remote control functions. Intel vPro KVM extends this reach and allows you to see the system regardless of the OS state (on, off, BSoD, hung, etc).
Managing with KVM Console
Intel Confidential
141
During the reboot process, select MSDaRT at the Windows Boot Manager
Click Enter
Note: This will load a WinPE image from a local partition on the drive that contains Microsoft’s Diagnostic and Recovery Utilities.
Intel KVM and MSDaRT
http://technet.microsoft.com/en-us/library/ee532075.aspx
Intel Confidential
142
Click Yes to initialize the network connectivity
Click Yes to remap drives from host OS
Click Next for System Recovery Options
Select Windows 7 and click Next to repair OS
Enter Account Information
User Name: admin
Password: P@ssw0rd
Note: This will load a WinPE image from a local partition on the drive that contains Microsoft’s Diagnostic and Recovery Utilities.
Intel KVM and MSDaRT
Intel Confidential
143
In the System Recovery Options window, click Microsoft Diagnostic and Recovery Toolset
This will bring up the MSDaRT Tools to allow you to remote troubleshoot the Intel vPro System
Note: Depending on the issues experienced with this remote system, many of these tools can be used to diagnosis and repair the remote system without having to make a “deskside” visit.
Managing with KVM Console
Intel Confidential
144
Real World Use Case #3Real World Use Case #3
IDER Remote Drive Share (RDS)
Intel Confidential
145
IDE Redirection Remote Drive Share
•Redirect to a small Linux based .iso that allows a remote share to the NTFS drive– http://communities.intel.com/docs/DOC-4785
•Using Remote Drive Sharing and Intel vPro Technology to Perform a Remote Kernel Memory Dump Analysis– http://communities.intel.com/docs/DOC-4826
•Using Remote Drive Sharing and Intel vPro Technology to Perform a Remote Virus Scan– http://communities.intel.com/docs/DOC-4787
Intel Confidential
146
Real World Use Case #4Real World Use Case #4
Powershell Scripts for 3PDS
Intel Confidential
147
Powerscript Shells for 3PDS• http://communities.intel.com/docs/DOC-4800 •
Intel Confidential
148
Lab Module 6Lab Module 6
Requirements and Prerequisites for ConfigMgr SP2 2007
Intel Confidential
149
Requirements for ConfigMgr 2007 SP2ConfigMgr 2007 SP2 requires…
Intel® AMT v3.2.1 systems and beyond (If your customer has Intel AMT systems prior to v3.2.1, please talk to Intel/Microsoft about WS-Management Translator Utility: http://software.intel.com/en-us/articles/intel-ws-management-translator/)
Active Directory (AD)and Kerberos
• For client authentication• ConfigMgr 2007 SP2 AD schema extensions are not required to take advantage of
ConfigMgr 2007 SP2 Out of Band Management capability; however, it may be required for use non-Intel AMT related ConfigMgr 2007 SP2 features
TLS • For server authentication• Requires a Microsoft Enterprise Certificate Authority
Remote Configuration
• Zero Touch configuration or called PKI (public key infrastructure)• Standard remote configuration procedures apply from provisioning• ConfigMgr 2007 SP2 provides its own remote agent provisioning support through the
SCCM client agent• Provisioning authorization can also be done through OOB Import Wizard (no agent
required
ConfigMgr 2007 SP2 does not require or support…
Mutual TLS • This functionality is redundant with Kerberos for client authentication• ConfigMgr 2007 SP2 only uses Mutual TLS during the Intel AMT set-up/provisioning
Digest User Accounts
• Microsoft only supports Kerberos user accounts• Although not used by ConfigMgr 2007 SP2, Digest Accounts can be defined
Pre-shared Keys (PSK)
• Also referred to as PID/PPS provisioning • ConfigMgr 2007 SP2 can support PID/PPS provisioning through the
Intel® WS-Management Translator
Intel Confidential
150
Prerequisites for ConfigMgr 2007 SP2 OOB Management • ConfigMgr 2007 SP2 Site Server
– Windows Remote Management (WinRM) version 1.1 (or later)– http://go.microsoft.com/fwlink/?LinkId=105682
– If Windows 2003, – Service Pack 2 or Later– Hotfix KB942841 http://support.microsoft.com/kb/942841/en-us
– MSXML 6.0 is required on computers that run the out of band management console– If Windows 2008 or Vista running the OOB console,
– Telnet Client installed to perform Serial-over-LAN
• Active Directory– Intel® vPro™ Clients being managed must belong to the same AD Forest as the OOB Service
Point– AD Schema Extensions are not required for Intel vPro support; however, are required for
other ConfigMgr 2007 SP2 features and make ConfigMgr 2007 SP2 Client Agent Deployments easier (required for Agent Based provisioning)
• Microsoft Enterprise Certification Authority– Issue and Manage certificates required for TLS based out of band management– Must automatically approve certificate request from the site server– Key Length not to exceed 2048 (4096 for newer AMT firmware)
Intel Confidential
151
Prerequisites for ConfigMgr 2007 SP2 OOB Management• Remote Configuration Certificate -
http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning1
– Supported 3rd party CA (Verisign, Godaddy, Comodo, Starfield)
• DNS / DHCP / Network Ports– provisionserver associated to ConfigMgr 2007 SP2 Out of Band Service Point– Active DCHP Scope with Option 6 (DNS servers) and Option 15 (Domain Name)
configured– Open Network ports: 9971 - Provisioning Port; and 16992 through 16995 - OOB
Management Ports– Dynamic updates to DNS from DHCP (Option 81)
• Intel® vPro™ Client– Intel® AMT HECI and SoL Driver for ConfigMgr 2007 SP2 Client Agent based Provisioning– Firmware >=3.2.1 for Native Support
• Administrators Checklist and Prerequisties– http://technet.microsoft.com/en-us/library/cc161943.aspx – http://technet.microsoft.com/en-us/library/cc161785.aspx
Intel Confidential
152
Intel AMT Firmware Requirements
• ConfigMgr SP2 can work with a mixed AMT Firmware environment– Any pre-3.2.1 firmware requires WS-MAN Translator; avoid if at
all possible
• Recommend to upgrade to latest AMT Firmware version made available by your OEM for your chosen platform– Typically systems won’t be shipped with latest firmware– Depending on OEM, might be bundled with BIOS– Firmware upgrade sometimes requires BIOS upgrade as well– Download from OEM website– If not available, contact OEM– Distribute like any other software package
Intel Confidential
153
Intel Confidential
154
Glossary
• Legacy Provisioning/Managing – Provisioning and Managing Intel® vPro™ systems that are less than Intel® AMT firmware 3.2.1
• Native Provisioning/Managing – Provisioning and Managing Intel vPro systems that have Intel AMT firmware 3.2.1 (today) and higher (future releases)
• Intel® Manageability Engine (Intel® ME) – microprocessor in Intel vPro platforms that perform the Intel AMT functions and capabilities
• Intel® Manageability Engine BIOS Extension (Intel® MEBX) - the user interface to the Intel ME; it allows for the configuration of settings that control the operation of the Intel ME
Intel Confidential
155
Lab Extras
ConfigMgr 2007 SP2 Logsand Troubleshooting Tips
Intel Confidential
156
SendSched Utility to start provisioningIn order to start the Inband agent based provisioning immediately, you can use the sendsched
utility to initiate the process from the vPro Client
This is the Windows Management Instrumentation Tester• Open a command prompt and type wbemtest • After the Windows Management Instrumentation Tester Utility Opens, click Connect• In the Namespace of the Connect Window, type the remote system name you want to force the check followed by \root\ccm
(requires admin rights on the remote system)• Click Connect
– You can also simply run the command on the local system by simply leaving out the host name– Example: \root\ccm
• After you successfully connect to the target system, click the Execute Method Button• In the Get Object Path window, type sms_client in the Object Path field
Click OK• In the Execute Method Window, enter TriggerSchedule in the Method Field• Click the Edit In Parameters Button• In the Object editor for _PARAMETERS window, Double Click the sScheduleID in the Properties field• In the Property Editor Window, change the Value to Not NULL and add the following {00000000-0000-0000-0000-
000000000120}
This value is the Object ID to initiate this OOB auto-provisioning check• Click the Save Property button
• In the Object editor for _Parameters window, click the Save Object button• In the Execute Method window, click the Execute Button• After you Execute the method, you should see a message that the Method was executed successfully• To confirm that your method was executed, look at the target systems c:\windows\system32\CCM\Logs\oobmgt.log
You should now see a new entry in the log GetProvisioningSetting indicating that the policy has been re-evaluated
http://communities.intel.com/community/openportit/vproexpert/microsoft-vpro/blog/2008/09/30/using-wmi-to-force-the-sccm-agent-to-check-for-its-amt-auto-provisioning-policy;jsessionid=EFD16EF6C2DB47CFED050A242B7AFE5F.node5COMS
Click Here to returnClick Here to return
Intel Confidential
157
Helpful ConfigMgr 2007 SP2 Logs for Troubleshooting Intel® AMT Provisioning and ManagementC:\Program Files\Microsoft Configuration Manger\
LogsAmtopmgr.log - log for tracking provisioning processAmtproxymgr.log – log used for tracking activities like
Certificate generation, OU creation, etc
C:\Program Files\Microsoft Configuration Manger\AdminUI\AdminUILogOOBConsole.log - Log for tracking OOB Management
Console activity (note: for more detailed information - change "Error" to "Verbose" in the following file c:\Program Files\Microsoft Configuration Manager\AdminUI\bin\oobconsole.exe.config
Intel Confidential
158
Helpful ConfigMgr 2007 SP2 Logs for Troubleshooting on the Intel® vPro™ Client
C:\windows\system32\ccm\logsoobmgmt.log – log to track the provisioning of Intel® AMT
C:\windows\system32\ccmsetupccmsetup.log – log to track installation progress of
ConfigMgr 2007 SP2 Client Agent
Intel Confidential
159
If you do not see your system automatically provision in ConfigMgr 2007 SP2, look in the c:\windows\system32\CCM\Logs
(on Vista 64bit OS, the logs folder is located under c:\windows\SysWOW64\CCM\Logs)
OOBMGMT.log
If you see the log stating Auto Provision Policy Disabled, perform the following steps.
MORE TO BE ADDED
• If you see the OOBMGMT.log showing autoprovisioning policy disabled, this indicates the agent has not found a collection that has enabled automatic provisioning.
Troubleshooting ConfigMgr 2007 SP2 Agent Auto-provisioning policy
Intel Confidential
160
ConfigMgr 2007 SP2 Resources
• Intel® vPro™ Expert Center devoted to Microsoft products and Intel vPro Technology - http://communities.intel.com/openport/blogs/microsoft-vpro
• Intel® vPro™ Expert Center; Known Issues, Best Practices, and Workarounds - http://communities.intel.com/docs/DOC-1247;jsessionid=4ABCE498498C0EB58EBCAA16C22F6250.node5COMS
Intel Confidential
161
Reboot the HP7800 and hit CTRL + P to enter the Intel MEBX Interface
Enter the password; P@ssw0rd
Select Intel (R) AMT Configuration and hit Enter
Select Un-Provision and Enter
Click Y for Yes to reset Intel AMT
Select Full Unprovision and Enter
Note: This will fully unprovision the Intel AMT system and set it back to factory default mode with the exception of the Intel MEBX password.
Manually Unprovision Intel® AMT in the Intel® MEBX
Intel Confidential
162
SCCM Out of Band Provisioning(Bare Metal Provisioning)
• Out of Band Management Controller Import Wizard invoked from Collections menu
• Wizard requests Computer Name, FQDN, MAC, UUID
• Intel vPro client(s) imported into collection allowing additional non-AMT SCCM 2007 SP1 related discovery
• When Hello Packet received, SCCM 2007 SP1 will perform the provisioning process
• Process: OOB Import -> Hello Packet Received -> SCCM 2007 SP1 Provisions Client
Intel Confidential
163
SCCM Out of Band Provisioning
1. Admin imports provisioning data for Client being provisioned into ConfigMgr 2007 SP12. vPro Client sends PKI hello packet to provisioning server (defined firmware schedule)3. OOB Service Point secures connection with AMT client through Embedded AMT Self Signed
Certificate and Present Provisioning Certificate for initial Authentication4. OOB Service Point sets Remote Admin and MEBx password (if not changed)5. OOB Service Point requests a web server certificate on behalf of the AMT client6. OOB Service Point created an Object in AD for the vPro Client7. OOB Service Point pushes web server certificate to AMT client8. OOB Service Point pushes ACL, power schema, and other configuration data to AMT to
finalize provision
Microsoft SCCMOOB Import
Wizard
Intel Confidential
164
REMOVED SLIDES
Intel Confidential
165
2010 Additions to Intel® vPro™ Technology
Expanded Manageability
Uninterrupted keyboard, video & mouse control
Local wake capability to ensure local management tasks are executed
Cross Client Consistency
Same security and manageability features for both desktop and notebook
DASH 1.1 and full IPv6 support
Enhanced Security
Manageable data protection with integration of drive encryption solutions
Asset & data protection with anti-theft features and services
Energy Efficient Performance
New micro-architecture and partitioning to support better application performance with continued energy savings
Lower TCO with more efficient, more secure, more manageable Lower TCO with more efficient, more secure, more manageable platformsplatforms
Lower TCO with more efficient, more secure, more manageable Lower TCO with more efficient, more secure, more manageable platformsplatforms
Intel Confidential
166
After a few minutes, provisioning will automatically complete and you can update your collection membership
Right Click Collections and select Update Collection Membership
Click Yes to confirm that you want to proceed
Right click on All Systems collection and select Refresh
The client will now appear in All Systems Collection Provisioned and no longer be listed in the Unprovisioned vPro Clients collection
Note: You can track the provisioning progress under C:\Program Files\Microsoft Configuration Manger\Logs\Amtopmgr.log
This process length depends on the time it takes for ConfigMgr 2007 SP2 Agent to check in with the Server and pull down its policies.
Provision AMT via In-Band ConfigMgr 2007 SP2 Client Agent
Congratulations! You have just successfully completed InBand provisioning in ConfigMgr 2007 SP2 and enabled Intel® vPro™ systems to be manageable out of band by ConfigMgr 2007 SP2 console.Removed Slid
e and used fo
r Refe
rence
/ Back
up
Removed Slide and use
d for R
efere
nce / B
ackup
Intel Confidential
167
Lab Module 4Lab Module 4
Collection Configuration forIn-Band Provisioning
Removed Slide and use
d for R
efere
nce / B
ackup
Removed Slide and use
d for R
efere
nce / B
ackup
Intel Confidential
168
After the Agent has pulled down the machine policies from the ConfigMgr 2007 SP2 server, you will see more Actions listed in the Actions tab of the Configuration Manager
Monitor Policies being applied to ConfigMgr 2007 SP2 Client
Removed Slide and use
d for R
efere
nce / B
ackup
Removed Slide and use
d for R
efere
nce / B
ackup
Intel Confidential
169
In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Site Management > PRO – vPro Demo Primary Site > Site Settings > Discovery Methods
Double Click on Active Directory System Discovery
Note: With the collection defined, you can use any of the discover methods that ConfigMgr 2007 SP2 provides (AD System Group, AD Security Group, AD System , AD User, Heartbeat, or Network) to discover the client. If you decide to use Network discovery (refer back to steps on required configuration)
Note: For more information about network discovery and how to schedule it to run, see About Network Discovery and How to Schedule Network Discovery.
Discover Systems with ConfigMgr 2007 SP2 Discovery
http://technet.microsoft.com/en-us/library/cc161971.aspx Removed Slide and use
d for R
efere
nce / B
ackup
Removed Slide and use
d for R
efere
nce / B
ackup
Intel Confidential
170
In the Active Directory System Discovery Properties window General Tab, check Enable Active Directory System Discovery
Click the Button
In the New Active Directory Container window, select Local Domain and click OK
In the Select New Container window, select Computers
Click OK….proceed to next foil
Enable Active Directory System Discovery
Removed Slide and use
d for R
efere
nce / B
ackup
Removed Slide and use
d for R
efere
nce / B
ackup
Intel Confidential
171
On the Polling Schedule, check the box to Run discovery as soon as possible
Click Apply
Click OK
Note: This will initiate a discovery of all the systems listed in the computer OU in the Active Directory.
Initiate the Polling Schedule for Discovery
Removed Slide and use
d for R
efere
nce / B
ackup
Removed Slide and use
d for R
efere
nce / B
ackup
Intel Confidential
172
After you run the discover method
Right Click All Systems and select Update Collection Membership
Click OK to confirm that you want to proceed
Right click on All Systems and select Refresh (f5)
The client will now appear in the All Systems and Unprovisioned vPro Cleints Collection
Note: It may take a couple minutes for the system to show up. You may continue to click Refresh All Systems Collection until you see the client in the collection. The Intel® AMT status of the device will be in a unknown state. Ensure the firewalls on the virtual images, host OS running the virtual images, and the vPro system are not enabled. The Windows Client firewall can inhibit communications.
Update Collection to see Discovered System
Update Images
Removed Slide and use
d for R
efere
nce / B
ackup
Removed Slide and use
d for R
efere
nce / B
ackup
Intel Confidential
173
After the client is populated in the All Systems Collection, check to see if any of the systems are Intel® vPro™ capable
Right Click on the newly discovered system > Out of Band Management > Discover Management Controllers
Click OK
Note: This will scan the system and validate which clients are Intel vPro capable and ready to be provisioned. You can also scan an entire collection for AMT systems.
Note: You can monitor the discovery process by watching the amtopmgr.log located in C:\Program Files\Microsoft Configuration Manger\Logs (you will find a short cut to this log on the SCCM Virtual Image desktop)
Use Out of Band Management to Discover Management Controllers
Update Images
Removed Slide and use
d for R
efere
nce / B
ackup
Removed Slide and use
d for R
efere
nce / B
ackup
Intel Confidential
174
After a few minutes, depending on the size of your collection, you can update your collection membership
Right click Collections and select Update Collection Membership
Click Yes to confirm that you want to proceed
After one minute, right click on
Collections and select Refresh
The client will now appear in Unprovisioned vPro Clients Collection and listed as Not Provisioned and when the ConfigMgr 2007 SP2 Agent checks in for its policies, this collection will start the automatic provisioning process.
Note: If you look back at the All Systems collection, you will now see the system as listed as Not Provisioned. You will also see the version of Intel® AMT listed. If you do not see your system in the Unprovisioned Collection, the collection query or discovery method failed (refer back to previous steps).
Update Collection membership to see Intel® vPro™ system Not Provisioned
Note: If the system is listed as Detected, remove client from ConfigMgr, boot client into the Intel MEBX and SMB provision, unprovision, repeat AD Discovery (p.96-97), and repeat Discover Management Controllers (p.98-99)
Removed Slide and use
d for R
efere
nce / B
ackup
Removed Slide and use
d for R
efere
nce / B
ackup
Intel Confidential
175
Lab Module 3 Review• Installed ConfigMgr 2007 SP2 Client Agent on local
system• Initiated Action on the ConfigMgr 2007 SP2 Client
Agent to check in with the ConfigMgr 2007 SP2 server to receive its policies
• Validated Policies were being applied to the ConfigMgr 2007 SP2 Client through associated logs
• Updated the ConfigMgr 2007 SP2 Collection Membership and found that Intel® vPro™ system was successfully provisioned using ConfigMgr 2007 SP2 Inband agent.
Removed Slide and use
d for R
efere
nce / B
ackup
Removed Slide and use
d for R
efere
nce / B
ackup
Intel Confidential
176
In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Site Management > PRO – vPro Demo Site > Site Settings > Discovery Methods
In the right hand window, Right-click Network Discovery, and click Properties
On the General tab, select Enable Network Discovery and Select Topology radio button
Select Enable discovery of out of band management controllers
Click OK
Note: This will allow ConfigMgr 2007 SP2 to detect if a system is Intel® AMT capable.
Configure Network Discovery for Management Controllers
http://technet.microsoft.com/en-us/library/ee344683.aspx Removed Slide and use
d for R
efere
nce / B
ackup
Removed Slide and use
d for R
efere
nce / B
ackup