Intel® vPro™ and Microsoft® System Center Configuration Manager 2007 SP2 Training

Upload: shreya-cocke

Post on 14-Dec-2015


Page 1: 1 Intel ® vPro™ and Microsoft ® System Center Configuration Manager 2007 SP2 Training

1

Intel® vPro™ and Microsoft® System Center Configuration Manager 2007 SP2 Training

Intel Confidential

2

Welcome

• This step-by-step training guide is intended to get you familiar with managing Intel® vPro™ systems with Microsoft* System Center Configuration Manager 2007 Service Pack 2 (SCCM 2007 SP2)

• Please use this guide to do lab exercises in the virtual “training environment” assigned to you

NOTE: This training guide is an updated version of the previously released SP1. Please refer to SP1 training guide if your environment has not been updated to SP2.

3

Training Objectives

• Provide an overview of Intel® vPro™ Technology and discuss its capabilities

• Provide students with hands-on experience configuring System Center Configuration Manager 2007 SP2 environment to support Intel® vPro™ capable machines

• Provide hands-on experience provisioning and managing Intel® vPro™ capable machines

• Showcase “Real World” use cases of Intel® vPro™ systems within an SCCM environment

• Provide Students with a better understanding and ability to discuss the components necessary in Configuration Manager 2007 SP2 to support Intel® vPro™ systems (both native and legacy support) with their customers, management, partners, vendors, etc

4

Training Agenda

• What is Intel® vPro™ Technology? – High level overview (Skip slides 7-11 if you are already familiar with Intel® vPro™)

• What is Intel® vPro™ Provisioning? (Skip slides 12-14 if you are already familiar with Intel® vPro™ provisioning)

• Steps to access Intel’s Remote Training Environment (skip slides 16-19 if you are running a local copy of the training images)

• Lab Module 1 – Infrastructure Preparation
– Hands-on experience configuring the Enterprise Infrastructure (AD/PKI) to support ConfigMgr 2007 SP2 and Intel® vPro™ systems

• Lab Module 2 – ConfigMgr 2007 SP2 OOB Service Point and Components
– Hands-on experience setting up and configuring Out of Band Service Point in ConfigMgr 2007 SP2 to support Intel® vPro™ systems

• Lab Module 3 – ConfigMgr 2007 SP2 Collections and InBand Provisioning
– Hands-on experience utilizing the ConfigMgr 2007 SP2 client agent for in-band provisioning
– Hands-on experience configuring ConfigMgr 2007 SP2 Collection for Discovering and automatically provisioning Intel® AMT capable machines

• Lab Module 4 – ConfigMgr 2007 SP2 Out of Band Management Console
– Hands-on experience utilizing the ConfigMgr 2007 SP2 OOB Console to manage (OOB) Intel® vPro™ systems

• Lab Module 5 – Real World Use Cases
– Hands-on setting up and running actual use cases for a production environment

5

Training Caveats

• This is not a replacement for Microsoft’s documentation on installing and configuring ConfigMgr 2007 SP2

• This presentation only focuses on the Intel® vPro™ related configuration components

• It is highly recommended that you thoroughly review all of Microsoft’s documentation before activating Intel® vPro™ with ConfigMgr 2007 SP2

Recommended Material (from Microsoft TechNet):
– What's New in Configuration Manager 2007 SP2
– Fundamentals of Configuration Manager 2007
– Configuration Manager Planning and Deployment Overview
– Configuration Manager Supported Configurations
– Planning and Deploying the Server Infrastructure for Configuration Manager 2007
– Planning and Deploying Clients for Configuration Manager 2007
– How to Configure Configuration Manager 2007
– Out of Band Management in Configuration Manager 2007 SP1 and later
– Administrator Checklist: Enabling Out of Band Management

6

Acronyms Used

• 3PDS – Third Party Data Storage
• FW – Firmware
• Intel® AMT – Active Management Technology
• Intel® ME – Management Engine (Microsoft calls this component the Management Controller)
• Intel® MEBX – Management Engine BIOS Extension
• KVM – Keyboard, Video and Mouse
• OOB – Out Of Band
• OSD – Operating System Deployment
• OTP – One Time Password
• PKI – Public Key Infrastructure
• PSK – Pre-Shared Key
• Radius Server – Remote Authentication Dial In User Service
• SCCM – System Center Configuration Manager
• SUM – Scheduled Update Management

7

What is Intel® vPro™ Technology?

8

Intel® Core™ vPro™ Processor Family Platform is more than the sum of its parts

• Processor: Intel® Core™ i5 & i7 Processors
• Chipset: Intel® Express Chipset
• Network: Intel® Gigabit Network
• Intel® Anti-Theft Technology
• Intel® Active Management Technology
• Intel® Virtualization Technology
• Intel® Trusted Execution Technology

10

Continued Business Client Platform Evolution

[Figure: roadmap for Desktop and Mobile platforms across 2006, 2007, 2008 and 2010. Feature groups shown:]

• AMT 3.0, VT-x, VT-d, TXT: Remote config, Enhanced system defense, Cisco SDN
• AMT 2.0: Remote diagnostics, Remote repair, Remote HW/SW inv, System defense
• AMT 2.6, VT-x: Remote config, Cisco SDN, Wireless support
• AMT 4.0, VT-d, TXT: MSFT NAP, Fast Call for Help, Remote Schedule Maint.
• AMT 5.0: MSFT NAP, Fast Call for Help, Remote Schedule Maintenance, Remote PC Assist Technology
• 2010: KVM Remote Control (1), Intel® Anti-Theft Technology, PC Alarm Clock, Remote Encryption Management, AES-NI

Themes: Enterprise Remote Management; Security, Virtualization, Wireless; Extend beyond firewall, Remote management Services; Full remote control, Data & asset security, Converged roadmaps

Sustained innovation to deliver the best platform for business

1 Requires processor with integrated graphics

11

Intel® Technology Business Impact

PCs with Intel® vPro™ Technology:

• Up to 90% Reduction: Software-Related Desk-Side Visits (Indiana State Office of Technology)
• Up to 98% Less: Unintended PC Downtime due to Software Issues (Value Space)
• Up to 25% More: Power-Efficiency Improvement (EDS)
• Up to 51% ROI (Advocate Health Care)

Actual Customer Experiences with Intel® vPro™ Technology

http://communities.intel.com/docs/DOC-1494/

12

ConfigMgr 2007 SP2 Features

Provisioning

• Secure Setup & Configuration of Intel® AMT
• Zero Touch – Certificate Hash
• Zero Touch – In band via agent
• Ties to OSD with targeting

Discovery/Inventory

• Discover On Demand
• Per machine / per collection
• Scheduled Discovery
• In band inventory via agent

Remote Console

• Helpdesk of Break/Fix
• Serial over LAN
• IDE Redirection
• BIOS password bypass
• Manual power control

Power Control

• Scheduled Power On
• SWDist, SUM, OSD
• On Demand Power Control
• Wake, Restart, Shutdown
• Interactive via OOB Console

13

System Center with Intel® vPro™ Technology NEW! Integrated OOB features in ConfigMgr 2007 SP2

http://communities.intel.com/community/openportit/vproexpert/microsoft-vpro/blog/2009/09/19/a-closer-look-at-sccm-sp2-the-more-subtle-changes-with-sccm-sp2

14

Intel® vPro™ Provisioning

15

What is Intel® vPro™ Provisioning?

Microsoft refers to the Manageability Engine as the Management Controller

16

Intel® vPro™ Manageability Engine BIOS Extension (MEBx)

• The MEBx is the user interface to the Manageability Engine (ME); it allows for the configuration of settings that control the operation of the ME

• The MEBx is an option ROM module provided to the OEM by Intel that is an extension to the system BIOS

• The Manageability Engine runs on an embedded processor inside the Memory Controller Hub (MCH) and is responsible for executing the various AMT functions (Remote Power, IDE-Redirection, etc.)

17

• Start up the Intel® vPro™ Laptop (e.g. LNVT400-01)

• During the boot process, press the blue ThinkVantage button to access the MEBx interface (on other OEM systems, press CTRL+P to access the MEBx)

• Select F12 at the Startup Interrupt Menu

• Select <Enter ME Configuration Screens>

• Type P@ssw0rd to login to the MEBx (admin is default when shipped from OEM but has been modified for this training)

• Select Intel AMT Configuration and Enter

• Select Un-Provision and Enter

• Enter Y to Reset AMT Provisioning

• Select Full Unprovision and Enter

• After the Unprovision is complete, hit the ESC key and Select Exit

• Enter Y to reboot the system

Access the MEBx on your vPro system and perform a full unprovision of AMT

Note: This will fully unprovision the MEBx and set it back to factory default mode, with the exception of the local MEBx password. This is the manual method to unprovision AMT, but it is not usually required in the production environment as it can be done remotely.

18

ConfigMgr SP2 Remote Provisioning Process InBand Agent Based Provisioning

Intel® vPro™ Clients

SCCM Primary

Site Server

1. ConfigMgr Agent checks in with ConfigMgr Server for policies

2. If Auto-Provisioning Policy is enabled, ConfigMgr Agent will generate and send an OTP to Intel AMT and ConfigMgr Server

3. ConfigMgr Server performs a discovery of Intel AMT

4. ConfigMgr places Intel AMT discovered systems in a Not Provisioned Collection that has auto-provisioning policy enabled

5. ConfigMgr Agent checks for auto-provisioning policy

-- Provisioning Started --

5. Agent Sets OTP in Intel AMT and sends to ConfigMgr server

6. Intel AMT sends embedded hashes to ConfigMgr server

7. ConfigMgr sends Remote Config Certificate to Intel AMT for authentication

8. Intel AMT validates Remote Config Certificate is issued by a trusted CA in Intel AMT firmware

9. Configuration data passed to Intel AMT over a secure tunnel

Recommended ConfigMgr Setup approach:

• Set up a Collection for Not-Provisioned Intel® vPro™ Systems
• Enable Network discovery or manual discovery if system is Intel® AMT capable
• Machine will be placed in the collection
• Benefits of this approach:
– Only provision Intel AMT systems
– Reduce network load

http://technet.microsoft.com/en-us/library/cc431371.aspx

19

Agent Based Provisioning and Infrastructure Services

1. Based on policy, the Configuration Manager Agent will assess if the client can be provisioned. If it can, it will create a One Time Password and send the OTP to both the OOB Service and the Intel® AMT firmware

2. OOB Service Point secures the connection with the Intel AMT client through the embedded AMT self-signed certificate, and presents the provisioning certificate along with the OTP for initial authentication

3. OOB Service Point sets the Remote Admin and Intel® MEBX password (if not changed)

4. OOB Service Point requests a web server certificate on behalf of the Intel AMT client

5. OOB Service Point creates an object in AD for the Intel® vPro™ Client

6. OOB Service Point pushes web server certificate to Intel AMT client

7. OOB Service Point pushes ACL, power schema, and other configuration data to Intel AMT to finalize provisioning

http://technet.microsoft.com/en-us/library/cc431371.aspx

23

Physical Hands-on Training Lab Environment

24

Physical Lab Environment Overview

[Figure: lab topology. Labels shown:]

• Microsoft AD
• SQL 2005
• DNS/DHCP
• PKI\Ent Root CA
• ConfigMgr 2007 SP1 Server
• Intel vPro Laptop/Desktop, AMT firmware (4.x, 5.x or 6.x)
• Virtualized Machine Environment Laptop: Infrastructure Image, ConfigMgr Image
• Network: 192.168.0.x

All passwords = P@ssw0rd

Note: A minimum of 4G of memory should be installed on the host machine running the Virtual images

25

Start the laptop (e.g. HP6930P) hosting the Virtual Images

Double Click the shortcut DC1 on the Desktop of the host OS to start the Infrastructure VM image

Note:

• To Maximize/Minimize the Virtual Image window CTRL + ALT + ENTER

• As needed, Use CTRL+ ALT + Insert to login

• Login Information

• Domain Admin: ITproadmin

• Password: P@ssw0rd

• Domain: VPRODEMO

Launch the Microsoft Virtual Infrastructure Image

Note: Make sure you do not start your ConfigMgr 2007 SP1 Server Image until after completing the configuration of your infrastructure image.

26

Lab Module 1

Configure the Active Directory and PKI Infrastructure to support Configuration Manager 2007 SP2 and Intel® vPro™ Systems

27

Prepare Active Directory Domain Services for Out of Band Management

28

Active Directory Configuration

• Active Directory OU container must be created to store Intel® AMT device objects
– Recommended Name: Out of Band Management Controllers
– Primary site server computer account (ConfigMgr 2007 SP2 Server) must be granted Full Control permissions on the OU and all child objects in the OU
– http://technet.microsoft.com/en-us/library/cc161814.aspx
– Schema Extension not required for Intel® vPro™ support
– However, Schema Extension is required for other ConfigMgr 2007 SP2 features and makes ConfigMgr 2007 SP2 Client Agent Deployments easier (required for Agent Based provisioning)

• Extend AD Schema (optional): http://technet.microsoft.com/en-us/library/bb633121(TechNet.10).aspx

29

On your Domain Infrastructure Image, Click Start > Programs > Administrator Tools > Active Directory Users and Computers

Note: Under the View menu option, ensure Advanced Features is checked

Expand the vProDemo.com domain

Right Click on Users and select New > Group

In the New Object - Group dialog box, type ConfigMgr Primary Site Servers

Click OK

Create Active Directory Security Group for ConfigMgr 2007 SP2 Primary Site Servers

30

In the Active Directory Users and Computers, right-click the ConfigMgr Primary Site Servers Group and select Properties

In the ConfigMgr Primary Site Servers Properties window, select the Members tab and click Add

Add the MSSCCM server and click OK (make sure to click the Object Types button and check Computers to find SCCM Computer Account)

Click OK to close the Properties window

Note: Your ConfigMgr server is now a member of your ConfigMgr Primary Site Servers Group and will be used later for applying security rights to AD OUs and Certificate Templates.

Make sure you have not started up the ConfigMgr server image while setting up this server security setting. If you have the ConfigMgr server running, please shutdown now.

Add ConfigMgr 2007 SP2 Server as a member to the Security Group

31

On your Infrastructure Image, Click Start > Programs > Administrator Tools > Active Directory Users and Computers

Right Click on vProDemo.com > New > Organizational Unit

In the New Object - Organizational Unit dialog box, type Out of Band Management Controllers and click OK

Create Active Directory OU for Client Management Controller Objects

32

Right-click Out of Band Management Controllers OU and click Properties

In the Out of Band Management Controllers Properties window, click the Security tab

Click Add and select the ConfigMgr Primary Site Servers group

Click OK to add the group, but DO NOT close the Properties window…continue to next slide to set full control for this group.

Add ConfigMgr Primary Site Servers Security group to the Management Controller OU

33

Check Full Control for ConfigMgr Primary Site Servers Security Group

With ConfigMgr Primary Site Servers selected, click Advanced

Highlight ConfigMgr Primary Site Servers group, and click Edit

In the Apply to drop down, select This object and all descendant objects

Click OK 3 times

Give Full Control for ConfigMgr Primary Site Servers Security group to the Management Controllers OU

Note: We have now created an AD OU and given the ConfigMgr 2007 SP2 proper permission to create AMT objects for each vPro system during the provisioning phase.

34

On your Infrastructure Image, Click Start > Programs > Administrator Tools > Active Directory Users and Computers

Expand vProDemo.com and Right Click on Users and select New > Group

In the New Object – Group window, enter AMT RADIUS Clients in the Group name field

Click OK

Create RADIUS Security Group for AMT devices

35

Right Click on AMT RADIUS Clients Group and select Properties

In the AMT RADIUS Clients Properties Window, Click the Security Tab and Click the Add button

In the Select Users, Computers, or Groups Window, add ConfigMgr Primary Site Servers

Click OK

Select the ConfigMgr Primary Site Servers and select Full control

Click OK

Set Permissions on RADIUS Security Group

COMPLETED: We have now created an AD OU, AMT Radius Group, and given the Security Group that ConfigMgr 2007 SP2 Server is a member of, the proper permission to create Management Controllers objects for each Intel® vPro™ system during the provisioning phase.
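
A scripted equivalent of the Active Directory preparation above, followed by an audit of who holds explicit Full Control on the new OU. This is an added example, not part of the original training deck; it assumes the ActiveDirectory PowerShell module is available (the GUI steps do not need it), reuses the lab names from the slides, and its function names are hypothetical.

```powershell
# Added example (not from the training deck). Run as a domain admin in the lab domain.
# Assumption: the ActiveDirectory module (RSAT) is installed on the machine running this.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$domainDn       = (Get-ADDomain).DistinguishedName   # the vProDemo.com domain in the lab
$usersDn        = "CN=Users,$domainDn"
$siteGroupName  = 'ConfigMgr Primary Site Servers'
$radiusName     = 'AMT RADIUS Clients'
$ouName         = 'Out of Band Management Controllers'
$ouDn           = "OU=$ouName,$domainDn"
$siteServerName = 'MSSCCM'                           # site server computer account named in the lab

function Get-OrCreateGroup {
    # Hypothetical helper: returns the group, creating it first if it does not exist.
    param([string]$Name, [string]$Path)
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $Path)) {
        # Global / Security matches what the New Object - Group dialog preselects
        New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security -Path $Path
    }
    Get-ADGroup -Identity "CN=$Name,$Path"
}

function Grant-FullControl {
    # Hypothetical helper: adds an Allow / Full Control ACE for $Sid on the AD object $TargetDn.
    param(
        [string]$TargetDn,
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance
    )
    $ruleArgs = @(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $Inheritance
    )
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ruleArgs
    $acl  = Get-Acl -Path "AD:\$TargetDn"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$TargetDn" -AclObject $acl
}

function Get-ExplicitFullControl {
    # Lists non-inherited Allow ACEs that carry Full Control on $TargetDn.
    param([string]$TargetDn)
    $full = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    (Get-Acl -Path "AD:\$TargetDn").Access |
        Where-Object {
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $full) -eq $full
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
}

# 1. Security group for the primary site servers, with the site server as a member
$siteGroup  = Get-OrCreateGroup -Name $siteGroupName -Path $usersDn
$siteServer = Get-ADComputer -Identity $siteServerName
$members    = Get-ADGroupMember -Identity $siteGroup | Select-Object -ExpandProperty SamAccountName
if ($members -notcontains $siteServer.SamAccountName) {
    Add-ADGroupMember -Identity $siteGroup -Members $siteServer
}

# 2. OU for the management controller objects, directly under the domain root
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# 3. Full Control on the OU, applied to "This object and all descendant objects"
Grant-FullControl -TargetDn $ouDn -Sid $siteGroup.SID -Inheritance All

# 4. RADIUS group, with Full Control for the site servers group on the group object itself
$radiusGroup = Get-OrCreateGroup -Name $radiusName -Path $usersDn
Grant-FullControl -TargetDn $radiusGroup.DistinguishedName -Sid $siteGroup.SID -Inheritance None

# 5. Audit: every principal listed here can create, modify and delete AMT objects in the OU.
#    Review any entry other than built-in administrative principals and the site servers group.
Get-ExplicitFullControl -TargetDn $ouDn | Format-Table -AutoSize
```

Because the grant is made to the group rather than to a single computer account, group membership becomes the control point: re-running step 5 together with `Get-ADGroupMember` on the site servers group shows exactly which accounts can write to the OU.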

36

Configure PKI Web Server Certificates for each Management Controller

37

Closer look at Certificates with ConfigMgr 2007 SP2 and Intel® vPro™

• There are three types of Certificates that are used in association to Intel vPro client provisioning and management within ConfigMgr 2007 SP2

• Intel® AMT Self Signed Certificate
– Used during PKI provisioning to secure the connection
– Transparent to process

• Intel® AMT Provisioning Certificate
– Used for Remote Configuration authentication by the Out of Band Service Point
– Can be generated from Internal PKI Infrastructure or purchased from 3rd Party CA (VeriSign*, GoDaddy*, Comodo, Starfield)
– Provisioning certificate can be generated from internal PKI environment
   – Require Internal Root hash to be imported into the MEBx
   – Requires Option 15 set on DHCP to support “Zero Touch” Configuration

• Intel® AMT Web Server Certificate
– Used to secure a connection to Intel AMT client by the management console
– Issued to the Intel AMT client during the provisioning process
– ConfigMgr 2007 SP2 requires the certificate to be issued by a Microsoft Enterprise CA
– PKI certificate key sizes <=2048-bits

38

Enterprise CA & Provision Certificate Configuration

• Assumes that a Microsoft Enterprise CA exists and is already configured

• Two Certificates Required: Intel® AMT Provisioning & Intel AMT TLS Web Server Cert

• Intel AMT Provisioning Certificate (Used for Provisioning)
– Determine 3rd party or Self Generated
– 3rd Party CA (VeriSign*, Go Daddy*, Comodo, Starfield)
   – http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning1
– Self Generated from Internal PKI infrastructure
   – http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning2
– Export Cert for ConfigMgr 2007 SP2 / WS-MAN Translator in later configuration step
   – http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning3

• Web Server Certificate (Intel AMT TLS Cert used for securely managing vPro)
– Create New Web server Template
– Recommend certificate name: ConfigMgr AMT Web Server Certificate
– Primary site server computer account (ConfigMgr 2007 SP2 Server) must have Read/Enroll permissions
– http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTwebserver

• 802.1x RADIUS Certificate (Optional for 802.1x networks)
– Create New RADIUS Client Template for 802.1x network
– Allows AMT to securely authenticate to an 802.1x network without an OS present
– Recommend certificate name: ConfigMgr AMT 802.1X Client Authentication Certificate
– Ensure you select Supply in the request to provide the Subject Name
– Primary site server computer account (ConfigMgr 2007 SP2 Server) must have Read/Enroll permissions
– http://technet.microsoft.com/en-us/library/cc431417.aspx#BKMK_AMTClientCertificate

39

Open your Certificate Authority issuing PKI Server - Click Start > Programs > Administrator Tools > Certification Authority

Expand DC1.vprodemo.com

Note: This is a Microsoft Enterprise Certificate Authority, Standalone CAs are not supported with ConfigMgr 2007 SP2 for Intel® vPro™

Right Click on Certificate Templates > Manage

Configure PKI Web Server Certificate Template

40

In the Certificate Templates Console on the right hand window pane, right click on Web Server and select Duplicate Template

In the Duplicate Template Window

Select the radio button for Windows 2003 Server, Enterprise Edition

Click OK

In the Properties of New Template Window on the General Tab:

Enter ConfigMgr AMT Web Server Certificate

Proceed to next foil to set security rights on this template

Configure PKI Web Server Certificate Template

41

In the Properties of New Template window, click the Security tab

Click Add

Select ConfigMgr Primary Site Servers group

Click OK

With the ConfigMgr Primary Site Servers group highlighted, check Read and Enroll

Click OK

Close the Certificate Templates Console

Apply Security Permission to Web Server Certificate Template

42

In the Certification Authority Window, Right Click on Certificate Templates > New > Certificate Template to Issue

In the Enable Certificate Templates Window, select ConfigMgr AMT Web Server Certificate (this template created in the previous step)

Click OK

Issue Web Server Certificate Template

43

In the Certification Authority Window > Certificate Templates, you will now see ConfigMgr AMT Web Server Certificate listed in the right hand window and ready for use by the Out of Band Service Point

Note: This Web Server Template will be used by ConfigMgr 2007 SP2 to generate a unique certificate for each Intel® AMT system during the provisioning process and used for TLS session during management of Intel AMT.

Web Server Certificate Template issued in CA for use by ConfigMgr 2007 SP2

44

Open your Certificate Authority issuing PKI Server - Click Start > Programs > Administrator Tools > Certification Authority

Expand DC1.vprodemo.com

Right Click on Certificate Templates > Manage

Configure RADIUS Client Certificate Template

45

In the Certificate Templates Console on the right hand window pane, right click on Workstation Authentication and select Duplicate Template

In the Duplicate Template Window

Select the radio button for Windows 2003 Server, Enterprise Edition

Click OK

In the Properties of New Template Window

General Tab:

Enter ConfigMgr AMT 802.1X Client Authentication Certificate

Subject Name Tab:

Select Supply in the request

Click OK in the warning message

Proceed to next foil to set security rights on this template

Configure RADIUS Client Certificate Template

46

In the Properties of New Template window, click the Security tab

Click Add

Select ConfigMgr Primary Site Servers group

Click OK

With the ConfigMgr Primary Site Servers group highlighted, check Read and Enroll

Click OK

Close the Certificate Templates Console

Apply Security Permission to ConfigMgr AMT 802.1X Client Authentication Certificate Template

47

In the Certification Authority Window, Right Click on Certificate Templates > New > Certificate Template to Issue

In the Enable Certificate Templates Window, select ConfigMgr AMT 802.1X Client Authentication Certificate (this template created in the previous step)

Click OK

Issue RADIUS Client Certificate Template

48

In the Certification Authority Window > Certificate Templates, you will now see ConfigMgr AMT 802.1X Client Authentication Certificate listed in the right hand window and ready for use by the Out of Band Service Point

Note: This Certificate Template will be used by ConfigMgr 2007 SP2 to generate a unique certificate for each Intel® AMT system and stored in the firmware during the provisioning process and allow vPro systems to authenticate to an 802.1x network while OS is in a sleep/off state.

RADIUS Client Certificate Template issued in CA for use by ConfigMgr 2007 SP2

49

In the Certification Authority Window, right click on DC1.vprodemo.com and select Properties

In the DC1.vprodemo.com Properties Window, select the Security tab

Click Add

Configure Root CA to Allow Revocation of Client Management Controller Certificates

50

Add the ConfigMgr Primary Site Servers group

Click OK

Select the ConfigMgr Primary Site Servers group

Check Allow Issue and Manage Certificates and Request Certificates permissions for this group

Click OK

Note: This setting is required when you are performing actions like an unprovision of the Management Controller. This will keep your PKI Issued certificates cleaned up (revoked).

Configure Root CA to Allow Revocation of Client Management Controller Certificates

51

Lab 1 Exercise Review

Active Directory Changes

• Created Active Directory Security Group for ConfigMgr 2007 SP2 Primary Site Servers

• Added ConfigMgr 2007 SP2 Server as a member to the Security Group

• Created Active Directory OU for Client Management Controller Objects

• Added ConfigMgr Primary Site Servers Security group to the Management Controller OU

• Gave Full Control for ConfigMgr Primary Site Servers Security group to the Management Controllers OU

Enterprise PKI Changes

• Configured PKI Web Server Certificate Template

• Applied Security Permission to Web Server Certificate Template

• Issued Web Server Certificate Template for use by ConfigMgr 2007 SP2

• Created RADIUS Client Template and issued for RADIUS certificates

• Configure Root CA to Allow Revocation of Client Management Controller Certificates

52

Lab Module 2

Install and Configure Configuration Manager 2007 SP2 Out of Band Service Point to support Intel® vPro™ Systems

53

Double Click the shortcut SCCM SP2 on the host OS to start the SCCM SP2 VM image (leaving the Infrastructure running in parallel)

Note:

• To Maximize/Minimize the Virtual Image window, press CTRL + ALT + ENTER

• As needed, use CTRL + ALT + Insert to log in

• Login Information

• Domain Admin: ITproadmin

• Password: P@ssw0rd

• Domain: VPRODEMO

Launch the Microsoft Virtual PC ConfigMgr Image

54

ConfigMgr 2007 SP2 Out-of-Band Management Service Point

• OOB Management: Out of band management allows an administrator to connect to a computer's management controller (a.k.a. Management Engine) when the computer is turned off, in sleep or hibernate modes, or otherwise unresponsive through the operating system. (http://technet.microsoft.com/en-us/library/cc161963.aspx)

• OOB Service Point – ConfigMgr 2007 SP2 Service component (role) responsible for provisioning and managing Management Controllers (aka Intel® AMT).
  – Installing: http://technet.microsoft.com/en-us/library/cc161863.aspx

55

ConfigMgr 2007 SP2 Prerequisites
http://technet.microsoft.com/en-us/library/cc161785.aspx

• Prior to ConfigMgr 2007 SP2 install, ensure ALL prerequisites are met (see link above for the complete list)
  – Telnet is installed on computers running the OOB management console with Vista and Windows 2008 (used for SoL)
  – IE / Kerberos authentication on non-standard port HotFix (KB908209) – hotfix is for IE6 but registry key applies to all IE versions
  – http://support.microsoft.com/kb/908209
• If ConfigMgr 2007 SP2 is not installed, install prior to ConfigMgr 2007 SP2 setup and config
  – Refer to Microsoft’s Install and Configuration documentation
  – http://technet.microsoft.com/en-us/library/bb735860
• Download and Install ConfigMgr 2007 SP2:
  – http://www.microsoft.com/downloads/details.aspx?familyid=BAD49573-6AD7-4521-A898-2EF99BC868C4&displaylang=en
• Create a ConfigMgr 2007 SP2 Site Boundary
  – http://technet.microsoft.com/en-us/library/bb693530.aspx

56

Open the ConfigMgr Console (short-cut located on the desktop of the SCCM image)

Navigate to System Center Configuration Manager > Site Database > Site Management > PRO – vPro Demo Primary Site > Site Settings > Site Systems

Right-click \\MSSCCM and click New Roles to launch the New Site Roles Wizard

Install Out of Band Service Point

http://technet.microsoft.com/en-us/library/cc161863.aspx

57

On the General page, click Next (default settings)

Install Out of Band Service Point

58

On the System Role Selection page, check Out of band service point, and click Next

Install Out of Band Service Point

59

On the Out of Band Service Point page, click Next

Click Next again on Summary page

Install Out of Band Service Point

60

Once the Wizard completes, click Close

You have now added the required Service Role to support Intel® vPro™ Systems through ConfigMgr 2007 SP2.

Install Out of Band Service Point

61

You will now see ConfigMgr out of band service point listed under the \\MSSCCM Roles

Note: After installing the ConfigMgr 2007 SP2 Out of Band Service Point, the log file C:\Program Files\Microsoft Configuration Manager\Logs\AMTSPSetup.Log can be reviewed to inspect the success or failure of the installation.

Install Out of Band Service Point

62

In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Site Management > PRO – vPro Demo Primary Site > Site Settings > Component Configuration

Right-click Out of band management component, and click Properties

Configure Out of Band Component - General

63

In the Out of Band Management Properties window on the General tab, Under the Provisioning Settings, click Browse to select the Active Directory container to store each Intel® AMT object

Note: These fields may already be populated with the correct information from past lab exercises – use this screen as a reference if that is the case.

Select Out of Band Management Controllers from vProDemo Domain

Note: This is the OU created in Exercise 1

Click OK

Configure Out of Band Component - General

http://technet.microsoft.com/en-us/library/cc161833.aspx

64

Click Set and provide the Intel® MEBX admin password (please use P@ssw0rd for this exercise) to be set during provisioning

Click OK

Note 1: This Intel MEBX password setting is used for ConfigMgr 2007 SP2 to change the local password on the Management Controller during the provisioning process. By default, the factory setting for the password is admin.

If this local password was manually changed on the Intel MEBX or from a previous provisioning process, this setting will be ignored. The local Intel MEBX password can only be changed remotely if the password is set to factory default (admin).

Configure Out of Band Component - General

http://technet.microsoft.com/en-us/library/cc431452.aspx

65

Check the box to Allow out of band provisioning

Note 1: Out of Band provisioning provides alternative methods to provision devices without an OS or SCCM Client. The preferred method is to use inband SCCM agent based provisioning shown in later modules.

Intel® AMT Provisioning port can be modified if necessary, but requires modification (physical touch) on each Management Controller (leave default 9971).

Click Yes in the Security Warning to Allow for Out of Band Provisioning.

Note: OOB Provisioning is not required if you are going to leverage inband SCCM Agent based provisioning (preferred method). This option is for scenarios like bare metal provisioning when no host OS or SCCM client agent is available.

Configure Out of Band Component - General

http://technet.microsoft.com/en-us/library/dd796347.aspx

66

Check the box to Register ProvisionServer as an alias in DNS

Note: This creates an Alias in your DNS environment to allow provisioning hello packets from AMT to get routed to the ConfigMgr 2007 SP2 server used in PSK / Bare Metal Provisioning and SCS -> ConfigMgr 2007 SP2 migration. This would not apply or be necessary for in-band ConfigMgr 2007 SP2 Agent initiated Provisioning.

Configure Out of Band Component - General

67

Under the Certificates section, Click Browse and select the Intel(R) Client Setup Cert – GoDaddy vProDemo.com and vProDemo.us UCC Backup.pfx (located in z:\GoDaddy_vProDemo)

Click Open

Note: This is the Remote Configuration Certificate (previously purchased from GoDaddy* which could also be purchased from VeriSign*, Comodo, or Starfield) and used for Remote Provisioning. The Root hash that issued this certificate can be found pre-configured in the Management Controller’s firmware that ships from the OEM.

Enter the password for this certificate (Pr0t3ct!0n) and click OK

Note: Zeros are used in the above password

Note: If the password is incorrect, you will receive an Invalid Password message. If the certificate is not a valid Remote Configuration Certificate, you will receive an Invalid Certificate message.

Configure Out of Band Component - General
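
A pre-import check for the remote configuration certificate selected on this screen, written as an added PowerShell example (not part of the original training material or of ConfigMgr). It relies on the published requirement that an AMT provisioning certificate carry the Server Authentication EKU plus either the OID 2.16.840.1.113741.1.2.3 or the OU value Intel(R) Client Setup Certificate; the script name, parameter name and report fields are assumptions of this example.

```powershell
# Test-AmtProvisioningCert.ps1 (hypothetical script name, added example)
# Inspects a PFX before it is selected as the AMT provisioning certificate.
param(
    [Parameter(Mandatory = $true)]
    [string]$PfxPath    # e.g. the .pfx stored under z:\GoDaddy_vProDemo in this lab
)

$X509          = 'System.Security.Cryptography.X509Certificates'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'                      # Server Authentication EKU
$AmtSetupOid   = '2.16.840.1.113741.1.2.3'                # Intel AMT remote configuration EKU
$AmtSetupOu    = 'OU=Intel(R) Client Setup Certificate'   # accepted alternative to the OID

# Prompt for the password so it never appears on the command line or in history.
$password = Read-Host -Prompt 'PFX password' -AsSecureString
try {
    $ctorArgs = @((Resolve-Path $PfxPath -ErrorAction Stop).Path, $password)
    $cert = New-Object "$X509.X509Certificate2" -ArgumentList $ctorArgs -ErrorAction Stop
}
catch {
    Write-Error "Cannot open '$PfxPath' (wrong password or not a PFX): $($_.Exception.Message)"
    return
}

# Collect the enhanced key usage OIDs, if the extension is present at all.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = @()
if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

# Subject alternative names (a UCC certificate lists its DNS names here).
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

# Build the chain without revocation checks to find the issuing root.
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($cert)
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$rootFound = ($top.Subject -eq $top.Issuer)   # self-signed top element means the root was located

$now = Get-Date
$report = [pscustomobject]@{
    Subject            = $cert.Subject
    SubjectAltNames    = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
    NotAfter           = $cert.NotAfter
    WithinValidity     = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
    HasPrivateKey      = $cert.HasPrivateKey
    HasServerAuthEku   = ($ekus -contains $ServerAuthOid)
    HasAmtSetupOid     = ($ekus -contains $AmtSetupOid)
    HasAmtSetupOu      = ($cert.Subject.IndexOf($AmtSetupOu, [StringComparison]::OrdinalIgnoreCase) -ge 0)
    RootSubject        = if ($rootFound) { $top.Subject } else { '(root not found in local stores)' }
    RootSha1Thumbprint = if ($rootFound) { $top.Thumbprint } else { '' }
}
$report | Format-List

$usable = $report.HasPrivateKey -and $report.WithinValidity -and $report.HasServerAuthEku -and
          ($report.HasAmtSetupOid -or $report.HasAmtSetupOu)

if ($usable) {
    'PASS: certificate has the properties expected of an AMT provisioning certificate.'
    'Compare RootSha1Thumbprint with the root hashes pre-configured in the Management Controller firmware.'
}
else {
    Write-Warning 'Certificate is missing a required property; expect the Invalid Certificate message.'
}
```

Subject and SubjectAltNames are printed for manual comparison with the DNS suffix of the site server hosting the out of band service point.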

68

Click Select for the AMT Certificate Template

Select

Issuing CA: DC1.vprodemo.com

CA name: DC1.vprodemo.com

AMT certificate template: ConfigMgr AMT Web Server Certificate

Note: This is the Certificate Template created in Exercise 1 on the Infrastructure Domain image.

Click OK

Click Apply

Configure Out of Band Component - General

69

On the AMT Settings tab, click icon to add AMT User Accounts

In the AMT User Account Setting window, click Browse and add the VPRODEMO\AMTAdmins account, click OK

Check the Platform Administration box which will automatically select all options by default

Click OK

Click Apply

Note: This account specifies the rights to the management controller for selected capabilities to Intel® AMT. http://technet.microsoft.com/en-us/library/cc161918.aspx

Configure Out of Band Component – Intel® AMT Settings

http://technet.microsoft.com/en-us/library/cc161891.aspx

Note: These fields may already be populated with the correct information from past lab exercises – use this screen as a reference if that is the case.

70

In the Default IDE-redirect image text box, enter \\DC1\IDER\rds_rw.iso

In the drop down menu for Manageability is on in the following power states: select Always on (S0-S5)

Note: This setting will ensure the Management Controller is on regardless of the state of the Operating System (on, sleep, hibernate, off)

Check the boxes:

Enable Web interface

Enable serial over LAN and IDE-redirect

Allow ping responses

Enable BIOS password bypass for power on and restart commands

Enable Support for Intel WS-MAN Translator (covered in Legacy Provisioning Class)

Default setting for Kerberos clock tolerance (5)

Click Apply

Configure Out of Band Component – Intel® AMT Settings

71

On the Provisioning Settings Tab, click to add a Digest User and Password for Provisioning

Enter:

Name: admin

Password: P@ssw0rd

Confirm Password: P@ssw0rd

Description: Digest Account

Click OK

Click APPLY

Note: This digest account will be used for provisioning if the default remote admin password has been modified.

Determine if this account is necessary for your environment http://technet.microsoft.com/en-us/library/cc431451.aspx

Configure Out of Band Component – Provisioning Settings

http://technet.microsoft.com/en-us/library/cc161815.aspx

72

Configure Out of Band Component – Audit Settings

On the Audit Settings Tab, check All of the AMT features to enable auditing

Click APPLY

Note: To unprovision a system from the MEBx you have to disable audit log first. Select the audit settings that are applicable to your production environment.

http://technet.microsoft.com/en-us/library/ee344520.aspx

73

Configure Out of Band Component – Provisioning Schedule Settings

On the Provisioning Schedule Tab, change the Simple Schedule to 1 hour

Click OK

Note: By default, Intel AMT systems will attempt to initiate in-band provisioning every 24 hours. This default option is modified by these settings so the provisioning will occur on a more frequent basis.

Another option is to use the Custom Schedule so you can configure a start date and time with a recurrence pattern.

http://technet.microsoft.com/en-us/library/ee344296.aspx

74

Lab Module 2.1

Advanced Out of Band Configuration

The following 2.1 module is an advanced topic on 802.1x and Wireless Profiles

75

802.1x and Wireless Profiles

• This section is for advanced vPro users that are familiar with 802.1x networking and RADIUS server for authentication
  – Wireless AP = Linksys Dual-Band Wireless N Gigabit router that supports 802.1x
  – There are many options available for wireless and 802.1x profiles and this training will only cover one set (refer to Microsoft TechNet for complete list of supported protocols)
  – The RADIUS Server (Microsoft NPS – Windows 2008 Server) has been Pre-Configured for training

How to: http://technet.microsoft.com/en-us/library/ee344378.aspx

Requirements: http://technet.microsoft.com/en-us/library/ee344543.aspx

76

In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Site Management > PRO – vPro Demo Primary Site > Site Settings > Component Configuration

Right-click Out of band management component, and click Properties

On the 802.1x and Wireless Settings Tab, check the box for Enable 802.1x authentication for wired network and click Set

Note: This setting will provision the vPro system with proper 802.1x credentials in order for the device to authenticate to a protected 802.1x network. The RADIUS server is pre-configured for this lab, and the steps to set up this RADIUS server are out of scope for this training module.

Configure Out of Band Component – 802.1x Settings

http://technet.microsoft.com/en-us/library/ee344664.aspx

77

In the 802.1x Wired Network Access Control window, click the Select button

In the Trusted Root Certificate for Radius authentication window, select the radio button for From certificate authority (CA): and select DC1.vprodemo.com from the drop down menu

Click OK

Note: This certificate is the root certificate from the Enterprise CA on the infrastructure image to communicate with the Radius server. The Radius server is pre-configured on the infrastructure server for training purposes.

Configure Out of Band Component – 802.1x Settings

http://technet.microsoft.com/en-us/library/ee344378.aspx

78

In the 802.1x Wired Network Access Control window, select EAP-TLS from the drop-down menu for Client Authentication Method

Click the Select button to select a Client Authentication Client Certificate template

In the RADIUS Client Certificate Configuration windows, select the following:

Issuing CA: DC1.vprodemo.com

CA name: DC1.vprodemo.com

RADIUS client Certificate template: ConfigMgr AMT 802.1X Client Authentication Certificate

Click OK twice to complete 802.1x configurations

Note: This template will be used by the Site Server during the provisioning process to generate an 802.1x Radius Certificate for each AMT device.

Configure Out of Band Component – 802.1x Settings

79

On the 802.1x and Wireless Settings Tab, click the icon to create a wireless profile

In the Wireless Profile Window, enter the following information:

Profile Name: ProDemoAP

Network name (SSID): ProDemoAP

Security Type: WPA2-Enterprise

Encryption method: AES

Configure Out of Band Component – Wireless Settings

http://technet.microsoft.com/en-us/library/ee344683.aspx

80

In the 802.1x authentication section, click the Select button under Server authentication

In the Trusted Root Certificate for Radius Authentication window, select the radio button for From certificate authority (CA): and select DC1.vprodemo.com from the drop down menu

Click OK

In the 802.1x authentication section, click the Select button under Client authentication

In the RADIUS Client Certificate Configuration windows, select the following:

Issuing CA: DC1.vprodemo.com

CA name: DC1.vprodemo.com

RADIUS client Certificate template: ConfigMgr AMT 802.1X Client Authentication Certificate

Click OK twice to complete wireless configurations

Configure Out of Band Component – Wireless Settings

81

In the Security Group for RADIUS authentication section, select the radio button for Automatically add AMT-based computers to security group

Click the Browse button to choose a Security group for RADIUS Server

In the Select Group window, add AMT RADIUS Clients

Click OK – 2 times

Note: This completes the configuration for the 802.1x and Wireless profile setting.

Configure Out of Band Component – Wireless Settings

82

In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Site Management > PRO – vPro Demo Primary Site > Site Settings

Right click on Boundaries and select New Boundary

Enter the following fields

Description = Net Boundary

Site Code = PRO - vPro Demo Primary Site

Type = IP address range

Starting Address = 192.168.0.10

Ending Address = 192.168.0.199

Network Connection = Fast

Click OK

Note: This will allow the SCCM agent to discover the ConfigMgr Site Server.

Congratulations! You have configured ConfigMgr 2007 SP2 for Intel® vPro™ Clients

Configure New Site Boundary

83

Lab 2 Exercise Review

Installed OOB Service Component and configured Properties

• Used to Configure General OOB Properties and Intel® AMT Client Profile
• http://technet.microsoft.com/en-us/library/cc161960.aspx
• Configured General Tab
  • Provisioning Settings - Active Directory container
    • Stores Intel AMT Objects
    • Select AD Container previously created: Out of Band Management Controllers
  • Provisioning Settings – Intel® MEBx Account
    • What to set the Intel MEBx Password (if not already set) and remote admin account to during Provisioning
  • Register ProvisionServer as an alias in DNS (used for PKI/PSK (Bare Metal) hello packet routing to OOB Service Point)
  • Certificate – Provisioning Certificate
    • PKI / Remote Configuration Certificate
    • Configure with certificate exported during Enterprise CA & Provision Certificate configuration
  • Certificate – Certificate Template
    • Configure with template created during Enterprise CA & Provision Certificate configuration: ConfigMgr AMT Web Server Certificate and RADIUS Certificate

http://technet.microsoft.com/en-us/library/cc161833.aspx

84

Lab 2 Exercise Review

• Configured Intel® AMT Settings Tab
  • Intel AMT User Accounts
    • Allows you to define Kerberos user who can invoke Intel AMT features
    • Define which accounts have which Intel AMT realm permissions
  • Default IDE-redirect image
    • Default location of image files
  • Manageability Power States
    • Sets power state for when you want to manage the AMT-based computer out of band (S0 – S5)
  • Enable Web interface
    • Enables / Disables Intel AMT web interface for provisioned Intel AMT clients
  • Enable Serial Over LAN and IDE redirection
    • Enables / Disables SOL and IDER for provisioned Intel AMT clients
  • Allow ping responses
    • Enables / Disables ping responses for provisioned Intel AMT clients
  • Enable support for Intel® WS-MAN translator
    • Enables support within ConfigMgr 2007 SP2 to forward Provisioning and Intel AMT operation command to the Intel WS-MAN Translator for firmware less than 3.2.1
  • http://technet.microsoft.com/en-us/library/cc161891.aspx

85

Lab 2 Exercise Review

• Configured Provisioning Settings Tab
  • Add Provisioning and Discovery Accounts
    • Allows you to define additional Digest accounts that can be used to provision and discover AMT systems if the standard default account has been modified
  • http://technet.microsoft.com/en-us/library/cc161815.aspx
• Configured 802.1X and Wireless Tab
  • Created wired and wireless profiles to be added to AMT during the provisioning process to allow AMT to authenticate to an 802.1x protected network
  • Automatically added AMT devices to a security group for RADIUS authentication
  • http://technet.microsoft.com/en-us/library/ee344664.aspx
• Configured Audit Settings Tab
  • Enabled the features to be audited by AMT
  • http://technet.microsoft.com/en-us/library/ee344520.aspx
• Configured Provisioning Schedule Tab
  • Specified a specific schedule for AMT systems to initiate provisioning
  • http://technet.microsoft.com/en-us/library/ee344296.aspx
• Configured Site Boundary for Agent discovery
  • http://technet.microsoft.com/en-us/library/bb693530.aspx

86

Lab Module 3

Configuration Manager 2007 SP2 Collections and In-Band Provisioning

87

ConfigMgr 2007 SP2 Agent Installation and InBand Provisioning

• In this exercise, you will
  – Install the ConfigMgr 2007 SP2 Client Agent on an Intel® vPro™ system (e.g. Intel vPro Laptop/Desktop)
  – Create an Unprovisioned vPro Client Collection to place discovered Unprovisioned systems and enable the auto-provisioning policy on this collection
  – Initiate an InBand remote configuration provisioning of an Intel vPro system with native ConfigMgr 2007 SP2 support
  – NOTE: Bare Metal / Out-of-Band provisioning (No OS or SCCM Client) is supported but not covered in this training. For information on this process see: SCCM Out of Band Provisioning (Bare Metal Provisioning)

88

Agent Based Provisioning Process

1. Based on policy, the Configuration Manager Agent will assess if the Client can be provisioned. If it can, it will create a One Time Password (OTP) and send the OTP to both the OOB Service Point and into the Intel® AMT Firmware

2. OOB Service Point secures the connection with the Intel AMT client through the embedded AMT self-signed certificate, and presents the Provisioning Certificate along with the OTP for initial authentication

3. OOB Service Point sets Remote Admin and Intel® MEBX password (if not changed)

4. OOB Service Point requests a web server certificate on behalf of the Intel AMT client

5. OOB Service Point creates an Object in AD for the Intel® vPro™ Client

6. OOB Service Point pushes web server certificate to Intel AMT client

7. OOB Service Point pushes ACL, power schema, and other configuration data to Intel AMT to finalize provision

http://technet.microsoft.com/en-us/library/cc431371.aspx

89

Login to the Intel® vPro™ Laptop

User: ITproadmin

Password: P@ssw0rd

Domain: VPRODEMO

Once logged into the Intel® vPro™ client, map a drive to \\mssccm\c$

Go to Program Files\Microsoft Configuration Manager\Client

In the Client folder, double click ccmsetup.exe

Note: This will install the SCCM SP2 client from your SCCM Site server. This Intel vPro system must be joined to the infrastructure domain prior to the client setup.

Install ConfigMgr 2007 SP2 Client Agent on local system

http://technet.microsoft.com/en-us/library/bb693546.aspx

90

Track the setup by monitoring the Process ccmsetup.exe in Task Manager

Installation is complete once the CcmExec.exe process is running in Task Manager

You can track the agent installation on the client in c:\windows\system32\ccmsetup\ccmsetup.log (for Vista 64bit file is located in c:\windows\SysWOW64\CCM)

Note: Once the installation is complete, you will see CcmExec Service running in Task Manager.

A reboot of the vPro system will help speed up the SCCM agent to check in with the Site Server.

Monitor ConfigMgr 2007 SP2 Client Agent Install

91

In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections

Right click on All Systems and select Update Collection Membership

After a few moments, right click All Systems and select Refresh

Note: The client system on which you installed the SCCM Client will appear in All Systems, with Yes in the Client column and listed as Approved. This integration into ConfigMgr happens after the SCCM Client has been installed and checked in with the site server. This may take several minutes.

Do not proceed until this client shows up in SCCM.

SCCM Agent discovered in ConfigMgr

92

Configuration Manager 2007 SP2 Collection Configuration for Automatic Provisioning of Management Controllers

93

Collection Configuration

• In this exercise, you will
  – Create an Intel® AMT Collection to group Intel AMT systems that are AMT Capable and unprovisioned
  – Configure an Intel AMT Collection to automatically provision Out of Band Management Controllers

94

Agent Based Provisioning Configuration Overview

• To provision via the ConfigMgr 2007 SP2 Client Agent, you must configure ConfigMgr 2007 SP2 to allow agent integration

• Requirements for Agent
  • Prerequisites for Configuration Manager Client Deployment
    • http://technet.microsoft.com/en-us/library/bb680537.aspx

• Configure Collection for Automatic Provisioning
  • Recommend Collection Created for “Unprovisioned vPro Clients”
    • Create Collection Membership Rules based on Intel® AMT Hardware Inventory
    • http://technet.microsoft.com/en-us/library/cc431387.aspx
  • Ensure “Enable Automatic out of band management controller provisioning” checked in Collection Name Settings: Out of Band Tab for Collection
    • http://technet.microsoft.com/en-us/library/cc161955.aspx

• Install ConfigMgr 2007 SP2 client on Intel AMT Client
  • http://technet.microsoft.com/en-us/library/bb632762.aspx

95

In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections

Right click on Collections and select New Collection

In the New Collection Wizard, enter the name Unprovisioned vPro Clients and add optional Comments as required

Click Next

Create Intel® AMT Unprovisioned Collection

http://technet.microsoft.com/en-us/library/cc161961.aspx

96

In the Membership Rules window, click the Query Rule Properties (it is the Database icon)

Modify Membership Rules for the Unprovisioned Collection

97

In the Query Rule Properties window, enter the name Unprovisioned vPro Clients

Click Edit Query Statement...

In the Unprovisioned vPro Clients Query Statement Properties window, click Show Query Language

Edit Query Statement in the Membership Rules

98

In the Query Statement textbox, type:

    select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
           SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
           SMS_R_SYSTEM.Client
    from SMS_R_System
    inner join SMS_G_System_AMT_AGENT
            on SMS_G_System_AMT_AGENT.ResourceID = SMS_R_System.ResourceId
    where SMS_G_System_AMT_AGENT.AMT >= "0"
      and (SMS_R_System.AMTStatus != "3" or SMS_R_System.AMTStatus is NULL)

Note: This query statement can be found in a text file under w:\SCCM New Hardware Inventory Query.txt.

This will pull all the clients into this collection that are discovered Intel® vPro™ capable and not provisioned.

Note: Additionally you can set up a collection for Provisioned Clients. In the Query Statement textbox, you will use: Select * from SMS_R_System where AMTStatus=3

This will show ALL vPro systems that have been provisioned.

Click OK and OK again on the Query Rule Properties Window

In the Membership Rules window, click Next

Add AMTStatus check to Query Statement
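
Before automatic provisioning is enabled on the collection, the two query statements on this foil can be run against the site's SMS Provider to see exactly which machines they select. This PowerShell check is an added example, not part of the original lab; it assumes the lab's site server name MSSCCM and that the site code is PRO (taken from the site name shown in this guide), and the function name is hypothetical.

```powershell
# Added example: preview the membership of the two collection queries from this lab.
$SiteServer = 'MSSCCM'                     # lab site server named in this guide
$SiteCode   = 'PRO'                        # assumed from "PRO - vPro Demo Primary Site"
$Namespace  = "root\sms\site_$SiteCode"    # SMS Provider WMI namespace for the site

# Query for AMT-capable systems that are not provisioned (from the foil above).
$UnprovisionedWql = @'
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
       SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_AMT_AGENT
        on SMS_G_System_AMT_AGENT.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_AMT_AGENT.AMT >= "0"
  and (SMS_R_System.AMTStatus != "3" or SMS_R_System.AMTStatus is NULL)
'@

# Query for provisioned systems (from the note on the same foil).
$ProvisionedWql = 'Select * from SMS_R_System where AMTStatus=3'

function Get-SiteQueryResult {
    # Hypothetical helper: runs a WQL statement and flattens each row to a few fields.
    param([Parameter(Mandatory = $true)][string]$Wql)

    Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace -Query $Wql -ErrorAction Stop |
        ForEach-Object {
            # Join queries may return wrapper rows with one embedded instance per class;
            # plain queries return the SMS_R_System instance itself. Handle both shapes.
            $sys = if ($_.PSObject.Properties['SMS_R_System']) { $_.SMS_R_System } else { $_ }
            [pscustomobject]@{
                ResourceId = [string]$sys.ResourceId
                Name       = $sys.Name
                Client     = $sys.Client
            }
        } |
        Sort-Object ResourceId -Unique    # the join can repeat a resource
}

$unprovisioned = @(Get-SiteQueryResult -Wql $UnprovisionedWql)
$provisioned   = @(Get-SiteQueryResult -Wql $ProvisionedWql)

# A machine must never satisfy both rules; an overlap means a query was mistyped.
$provisionedIds = @{}
foreach ($p in $provisioned) { $provisionedIds[$p.ResourceId] = $true }
$overlap = @($unprovisioned | Where-Object { $provisionedIds.ContainsKey($_.ResourceId) })

"Unprovisioned vPro Clients rule selects {0} system(s):" -f $unprovisioned.Count
$unprovisioned | Format-Table Name, ResourceId, Client -AutoSize

"Provisioned rule selects {0} system(s):" -f $provisioned.Count
$provisioned | Format-Table Name, ResourceId, Client -AutoSize

if ($overlap.Count -gt 0) {
    Write-Warning ("{0} system(s) match both rules: {1}" -f $overlap.Count, (($overlap | ForEach-Object { $_.Name }) -join ', '))
}
else {
    'No system matches both rules.'
}
```

Every system listed under the first rule will be provisioned automatically once the Out of Band setting is enabled on the collection, so the list is worth reviewing against the machines you intend to manage.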

99

In the Advertisements window, click Next

Create Intel® AMT Unprovisioned Collection

100

In the Security window, add any appropriate users or groups and click Next (keep defaults for this exercise)

In the Confirmation window, click Close

Note: Optional step - Repeat foils to create a collection for Provisioned vPro Clients. See note on foil 98 for Select * from SMS_R_System where AMTStatus=3

Create Intel® AMT Unprovisioned Collection

101

In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections > Unprovisioned vPro Clients

Right click on Unprovisioned vPro Clients and select Modify Collection Settings

In the Unprovisioned vPro Clients Settings window, click the Out of Band tab

Check the checkbox Enable Automatic out of band management controller provisioning and click OK

Note: This setting enables ConfigMgr 2007 SP2 Clients to automatically provision Intel® AMT with ConfigMgr 2007 SP2.

Enable Automatic OOB provisioning for the Unprovisioned Collection

http://technet.microsoft.com/en-us/library/cc161955.aspx

102

In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections > Unprovisioned vPro Clients

Click the Unprovisioned vPro Clients collection, right click in the right hand window, and select View > Add/Remove Columns

In the Add/Remove Columns window, add AMT Status and AMT Version to the Displayed columns and move these fields below the Name field for easy viewing

Click OK

Note: Perform these same steps for the All Systems collection. This will allow you to see Intel AMT related information in the collection.

Add Intel® AMT Display Columns to the collection

DON’T THINK WE NEED THIS STEP WITH NEW QUERY


To allow ConfigMgr 2007 SP2 to use AMT Power On commands with advertisements, Wake On LAN for the site needs to be Enabled

In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Site Management > PRO – vPro Demo Primary Site

Right click on PRO – vPro Demo Primary Site server and select Properties

Select the Wake on LAN tab

Check Enable Wake on LAN for this site

Select Use power on commands only

Click OK

Configure Site Parameters to Use Secure Remote Power Control

Note: This will allow ConfigMgr 2007 SP2 to wake-up Intel® AMT enabled systems with secure and authenticated wake-up methods in Intel AMT for scheduled activities.

http://technet.microsoft.com/en-us/library/bb694191.aspx


On the Intel® vPro™ System, open the Control Panel

After the Agent installation is complete, you will see a Configuration Manager Icon under System and Security

Note: It may be helpful to reboot the client at this time

Double Click the Configuration Manager Icon

Select the Actions Tab

Note: On Vista 64bit OS, you will find the Configuration Manager Icon under View 32-bit Control Panel Items Icon In the Control Panel

Initiate Action on the ConfigMgr 2007 SP2 Client Agent


Click on Machine Policy Retrieval & Evaluation Cycle and click Initiate Action button

Click OK in the window indicating the action has been initiated

Note: This speeds up the provisioning cycle rather than waiting for the scheduled event to occur, as you would in a production environment. You may need to initiate the Machine Policy action more than once to start the provisioning process immediately.

Note: You can track the progress by monitoring the logs directory c:\windows\system32\CCM\Logs

(on Vista 64bit OS, the logs folder is located under c:\windows\SysWOW64\CCM\Logs)

OOBMGMT.log will track the progress of the auto provisioning of AMT. You should see a log entry stating “Successfully activated the device.” This indicates the SCCM agent has initiated the provisioning process

PolicyAgent.log will track all of the policies pulled down by the agent from ConfigMgr 2007 SP2 server.

Refer to the SendSched Utility in the Appendix to launch the provisioning immediately

Initiate Action on the ConfigMgr 2007 SP2 Client Agent


After a few minutes, provisioning will automatically complete and you can update your collection membership

Right Click Collections and select Update Collection Membership

Click Yes to confirm that you want to proceed

Right click on All Systems collection and select Refresh

The client will now appear in All Systems Collection as Provisioned and no longer be listed in the Unprovisioned vPro Clients collection

Note: You can track the provisioning progress under C:\Program Files\Microsoft Configuration Manager\Logs\Amtopmgr.log

The length of this process depends on the time it takes for the ConfigMgr 2007 SP2 Agent to check in with the Server and pull down its policies.

Provision AMT via In-Band ConfigMgr 2007 SP2 Client Agent

Congratulations! You have just successfully completed InBand provisioning in ConfigMgr 2007 SP2 and enabled Intel® vPro™ systems to be manageable out of band by ConfigMgr 2007 SP2 console.


Lab Module 3 Review

• Installed the SCCM Client Agent on the Intel vPro system
• Created Intel® AMT Unprovisioned Collection
• Modify Membership Rules for the Unprovisioned Collection
• Added AMT Hardware Inventory check to Query Statement
• Enabled Automatic OOB provisioning on the Collection
• Added Intel AMT Display Columns to the collections
• Configured Site Parameters to Use Secure Remote Power Control (used in Real World Use Cases module)
• Initiated an InBand agent based provisioning
• Updated Collections to see Provisioned AMT System


Lab Module 4

Configuration Manager 2007 SP2 Out of Band Management Console


Using the Out Of Band Management Console in ConfigMgr 2007 SP2 to manage Intel® vPro™ Systems


ConfigMgr 2007 SP2 OOB Mgt Console

• The following screen captures show the ConfigMgr 2007 SP2 OOB console interfaces for each of the OOB management capabilities.

http://technet.microsoft.com/en-us/library/cc161766.aspx


In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections > All Systems

Right click on a Provisioned System

Select Out of Band Management > Out of Band Management Console

Note: This will launch the OOB Management console that allows you to perform all of the OOB management capabilities in ConfigMgr 2007 SP2.

You can also perform Power Control, Update / Delete Data in the Management Controller, Enable/Disable/Clear Audit Log without opening the OOB Management Console.

Update = Reprovisioning

OOB Management Console

http://technet.microsoft.com/en-us/library/cc161875.aspx


Once the OOB Management Console opens, you will see

System: Connected/Busy

Serial connection: Inactive

Note: SCCM SP2 no longer automatically connects a serial connection. Instead, the serial connection is left inactive until you select Tools > Open Serial-over-LAN Connection. You will see a warning indicating that if this device is connected wirelessly, the connection may be disconnected during the SoL session.

In this screen, you can view

Power

IP Address

Host Name

Domain Suffix

System ID (UUID)

Date of last refresh

Time of last refresh

OOB Management Console – System Status


In this screen, you can view all of the System Hardware Inventory stored in the Intel® ME firmware

OOB Management Console – System Information


In this screen, you can perform all of the OOB power function capabilities

Power ON

Power OFF

Restart Computer

IDER to ISO

Boot to BIOS

• Bypass BIOS Password

• Lock remote keyboard

Take a few minutes to perform a few power option features:

Power on/off the Desktop

Redirect BIOS to see system BIOS in Serial Connection Window

Perform IDER to a local ISO (this will be covered in depth in our “real world” Use Case section)

Note: Remember to start a Serial-over-LAN session before redirecting to an ISO or BIOS so you can view/control the session in the serial connection tab.

OOB Management Console – Power Control

Note: When you select to power cycle a vPro system, you will be warned that this action can cause data loss if the system has open applications and unsaved data (this is not a graceful shutdown)

http://technet.microsoft.com/en-us/library/cc161974.aspx


In this screen, you can

View System Event log

Set Log Level

OOB Management Console – System Event Log


In this screen, you can view the IDE-Redirect log

OOB Management Console – IDE-Redirect Log


In this screen, you can view the System Audit log and can Export this information to a file

OOB Management Console – System Audit Log

http://technet.microsoft.com/en-us/library/ee344294.aspx


In this screen, you can view and control the Serial Connection of the remote screen (e.g. BIOS or DOS based ISO image)

OOB Management Console – Serial Connection


In this screen, you can enter information into the 3rd Party Data Store (3PDS) and save this information for later viewing

Type any random data in the window and select save

Note: Intel has provided Powershell scripts that can be used to push/pull data down to this 3PDS from a central location (e.g. Site Server). This would allow you to push data remotely (e.g. asset tag and location information) and access this data through the OOB console. For more information on these scripts:

Real World Use Case #4 Powershell Scripts for 3PDS

OOB Management Console – Data Storage

http://technet.microsoft.com/en-us/library/ee373487.aspx


On your ConfigMgr 2007 SP2 server, open Internet Explorer

Type https://<AMThostname>.vprodemo.com:16993

If the system is successfully provisioned with a TLS certificate, you will see the Intel AMT WebUI interface.

Click Log On

In the login window, use the account set up in the OOB Component

User name: vprodemo\ITproadmin

Password: P@ssw0rd

If you successfully authenticate to Intel AMT, you will see the WebUI to manage Intel AMT

System Status

Hardware Information

Event Log

Remote Control

Power Policies

Network Settings

User Accounts

Note: Accessing the WebUI and successfully logging in confirms both that your Kerberos authentication is successful and that your TLS certificate is functioning properly. This is a good test step to ensure the system was successfully provisioned by SCCM.

Use Internet Explorer* to manage Intel® AMT

http://technet.microsoft.com/en-us/library/cc161817.aspx
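The WebUI test above confirms TLS only by eye. The following added example (not part of the original training deck) inspects the certificate a provisioned system presents on port 16993 and reports whether the name and chain validate. The function name `Test-AmtTlsCertificate` is hypothetical, and it assumes Windows PowerShell on the .NET Framework, run from a machine that trusts your enterprise root CA.

```powershell
# Added example, not from the training deck.
# Assumption: run on a machine that trusts the issuing enterprise CA.
function Test-AmtTlsCertificate {
    param(
        # FQDN of the AMT system, e.g. <AMThostname>.vprodemo.com in this lab
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 16993   # TLS WebUI port used in this guide
    )

    $state = @{ Errors = $null }

    # Accept the certificate so it can be inspected, but record what normal
    # validation (chain and host name check) would have reported.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($s, $certificate, $chain, $policyErrors)
        $state.Errors = $policyErrors
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $errs     = [int]$state.Errors
        $nameBad  = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
        $chainBad = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors

        New-Object PSObject -Property @{
            HostName     = $HostName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer          # should be your enterprise CA
            NotAfter     = $cert.NotAfter
            Expired      = ($cert.NotAfter -lt (Get-Date))
            # The prerequisites slide limits key length to 2048
            # (4096 for newer AMT firmware).
            KeySize      = $cert.PublicKey.Key.KeySize
            NameMatches  = (($errs -band $nameBad) -eq 0)
            ChainTrusted = (($errs -band $chainBad) -eq 0)
            Protocol     = $ssl.SslProtocol
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

# Usage (placeholder host name from this lab's naming scheme):
# Test-AmtTlsCertificate -HostName '<AMThostname>.vprodemo.com'
```

A result with `NameMatches` or `ChainTrusted` set to false means the browser test would have shown a certificate warning, which points at the provisioning certificate or the CA trust rather than at Kerberos.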


Lab Module 4 Review

• The Out of Band Management Console is the ConfigMgr 2007 SP2 interface to perform Out of Band Management Features
– Power Up/Down
– Restart
– Boot to BIOS
– Redirect to an ISO
– Hardware Inventory
– System Information

• You can also perform Power Up/Down and Management Controller reprovisioning/delete from within ConfigMgr 2007 SP2 directly

• Use the Web Interface in IE to manage Intel® AMT Systems


Lab Module 5

Real World Use Cases for Intel vPro Systems with SCCM SP2


Real World Use Cases

• The following “Real World” Use Cases have been developed to help customers with drop-in solutions that will enable them to gain immediate value with Intel® vPro™ and SCCM within a production environment
– Wake On Advertisements
– Remote KVM
– Remote Drive Share
– Powershell Scripts for 3PDS

http://communities.intel.com/docs/DOC-4080


Real World Use Case #1

Intel Wake-On Advertisement


Using Intel® AMT Power Options to wake up a system with a SCCM Advertisement

• When creating software distribution in ConfigMgr 2007 SP2, you can leverage Intel AMT power options to wake up a system (e.g. after-hours patching scenarios).

• Make sure your vPro Client is Powered Off for the next exercise.


In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Operating System Deployment > Task Sequences

Right click on Task Sequences, select New > Task Sequence

In the New Task Wizard window, select Create a New custom task sequence

Click Next

Create a Task Sequence to be used in an Advertisement


In Task Sequence Information, Enter in Task Sequence Name: Just Shutdown and add appropriate Comments

Click Next

Confirm information in the Summary and click Next

Once the Wizard completes, click Close

Create a Task Sequence to be used in an Advertisement


In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Operating System Deployment > Task Sequences

Right click on Just Shutdown Task Sequences (created in previous step), select Edit

In the Just Shutdown Task Sequence Editor, click Add > General > Run Command Line

In the Name Field, type Shut Down

In the Command Line window, type shutdown -s -f

Click OK

Edit Task Sequence to be used in an Advertisement


In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections > All Systems

Right click on All Systems, select Advertise Task Sequence

In the New Advertisement Wizard, enter Shut Down Client in the name field

In the Task Sequence Field, click Browse

In the Select Task Sequence window, select Just Shutdown Task Sequence

In the Collections Field, Click Browse and select All Systems

Click OK

Click Next

Create an Advertisement to use Intel® AMT power up and run Task Sequence


In the Schedule Screen, Enter an Advertisement start time (leave default)

Under Mandatory Assignments, Click the New button

In the Assignment Schedule window, select Assign Immediately after this event and select as soon as possible in the drop down list

Click OK

Check Enable Wake On LAN box

Note: This check box will enable ConfigMgr 2007 SP2 to use Intel AMT secure Power on feature to wake up the system per the settings defined in a previous step: Site Power Controls

Select Priority as High

Click Next

Create an Advertisement to use Intel® AMT power up and run Task Sequence


On the Distribution Screen, leave the defaults and click Next

On the Interaction Screen, leave the defaults and click Next

On the Security Screen, leave the defaults and click Next

On the Summary Screen, click Next

On the Wizard Complete, click Next

Note: As soon as the advertisement is seen, it will begin powering up the Intel® vPro™ provisioned system using the Intel AMT power up command and run the Task sequence to shut it back down.

Create an Advertisement to use Intel® AMT power up and run Task Sequence


Real World Use Case #2

Intel KVM integrated into SCCM SP2 and Microsoft Diagnostic and Recovery Tools


Intel® vPro™ KVM

• Keyboard, Video and Mouse Redirection over IP
• Intel® AMT 6.0 platform (Piketon and Calpella) with integrated graphics
• Similar to a full IP-KVM experience, without expensive hardware
• ISV Support:
– RealVNC will be shipping soon: http://communities.intel.com/community/openportit/vproexpert/blog/2010/02/04/vnc-viewer-plus-enabling-remote-access-to-the-2010-intel-core-vpro-processor-family
– Others to be announced


Keyboard, Video and Mouse Redirection over IP

Allows a remote operator to securely access a remote system as if he/she was sitting in front of it

[Figure: the management console lists managed machines and their states (Comp A: Unhealthy, Comp B: Repair mode, Comp C: S3 - Standby, Comp D: Booting) and displays Comp A's screen, a blue screen with a memory dump. The managed machines are shown as OS-unresponsive/Repair Mode, Wake from S3 and Booting, and each connection to the console is labelled TLS / Kerberos.]

Video - redirected from managed machine to Management Console

Keyboard and Mouse - redirected from Management Console to managed machine


KVM typical session flow


On the MSSCCM VM image, double click KVMViewSetup.exe to install the KVM Viewer

In the KVMView Setup Wizard, click Next

In the Select Installation Folder window, click Next

In the Confirmation Installation window, click Next

In the Installation Complete window, click Close

Note: This installation will install the KVMViewer application in c:\program files\Intel\KVMView

After installation is complete, delete the KVMCerts.PEM file in the KVMView Folder

Recreate a KVMCerts.PEM file by creating a new text file (New Text Document.txt) and renaming it to KVMCerts.PEM (file size will now be 0KB)

Install KVM Viewer on SCCM Site Server

Bill York: We need to copy the KVMViewer files onto the SCCM image

Close the ConfigMgr Console in the VM image

Copy the file vpro_client.xml and place into c:\Program Files\Microsoft Configuration Manager\AdminUI\xmlstorage\Extensions\Actions\7ba8bf44-2344-4035-bdb4-16630291dcf6\

Note: This file will give you the ability to right click on a provisioned vPro KVM system and launch the KVMViewer from within the ConfigMgr Console.

Integrating KVM into SCCM Site Server


Open the ConfigMgr Console (short-cut on the desktop)

In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections > All Systems

Right click on a Provisioned vPro system that is KVM Capable

Select Intel KVM Remote Control > Start Session

The KVMView Console will Launch and will start to automatically recreate the trusted root certificate file (.PEM file) for securing a connection to the device

Note: This new right click KVM remote control feature calls the KVMView Console installed previously.

Launching Integrated KVM Console


The KVM Console will connect to the KVM system and prompt the user for a User Consent Code (Note 1)

The end user will read the User Consent Code to the Remote KVM administrator so it can be entered into the KVM Console (Note 2)

This will establish a secure KVM session between the KVM Console and the Intel vPro KVM system

Note: This User Consent Code is for privacy and security protection but can be disabled for your environment.

Authenticating with KVM Console

Note 1

Note 2


After the remote KVM Console is authenticated with the User Consent Code, a full secure KVM session is established

With the KVM Console, restart the remote vPro System

With a KVM session established, you can see the entire boot process

Note: You can perform all functions remotely within the OS, similar to using the standard inband agent based remote control functions. Intel vPro KVM extends this reach and allows you to see the system regardless of the OS state (on, off, BSoD, hung, etc).

Managing with KVM Console


During the reboot process, select MSDaRT at the Windows Boot Manager

Click Enter

Note: This will load a WinPE image from a local partition on the drive that contains Microsoft’s Diagnostic and Recovery Utilities.

Intel KVM and MSDaRT

http://technet.microsoft.com/en-us/library/ee532075.aspx


Click Yes to initialize the network connectivity

Click Yes to remap drives from host OS

Click Next for System Recovery Options

Select Windows 7 and click Next to repair OS

Enter Account Information

User Name: admin

Password: P@ssw0rd

Note: This will load a WinPE image from a local partition on the drive that contains Microsoft’s Diagnostic and Recovery Utilities.

Intel KVM and MSDaRT


In the System Recovery Options window, click Microsoft Diagnostic and Recovery Toolset

This will bring up the MSDaRT Tools to allow you to remote troubleshoot the Intel vPro System

Note: Depending on the issues experienced with this remote system, many of these tools can be used to diagnose and repair the remote system without having to make a “deskside” visit.

Managing with KVM Console


Real World Use Case #3

IDER Remote Drive Share (RDS)


IDE Redirection Remote Drive Share

• Redirect to a small Linux based .iso that allows a remote share to the NTFS drive
– http://communities.intel.com/docs/DOC-4785

• Using Remote Drive Sharing and Intel vPro Technology to Perform a Remote Kernel Memory Dump Analysis
– http://communities.intel.com/docs/DOC-4826

• Using Remote Drive Sharing and Intel vPro Technology to Perform a Remote Virus Scan
– http://communities.intel.com/docs/DOC-4787


Real World Use Case #4

Powershell Scripts for 3PDS


Powershell Scripts for 3PDS

• http://communities.intel.com/docs/DOC-4800


Lab Module 6

Requirements and Prerequisites for ConfigMgr SP2 2007


Requirements for ConfigMgr 2007 SP2

ConfigMgr 2007 SP2 requires…

Intel® AMT v3.2.1 systems and beyond (If your customer has Intel AMT systems prior to v3.2.1, please talk to Intel/Microsoft about WS-Management Translator Utility: http://software.intel.com/en-us/articles/intel-ws-management-translator/)

Active Directory (AD) and Kerberos
• For client authentication
• ConfigMgr 2007 SP2 AD schema extensions are not required to take advantage of ConfigMgr 2007 SP2 Out of Band Management capability; however, they may be required to use non-Intel AMT related ConfigMgr 2007 SP2 features

TLS
• For server authentication
• Requires a Microsoft Enterprise Certificate Authority

Remote Configuration
• Zero Touch configuration, also called PKI (public key infrastructure)
• Standard remote configuration procedures apply from provisioning
• ConfigMgr 2007 SP2 provides its own remote agent provisioning support through the SCCM client agent
• Provisioning authorization can also be done through OOB Import Wizard (no agent required)

ConfigMgr 2007 SP2 does not require or support…

Mutual TLS
• This functionality is redundant with Kerberos for client authentication
• ConfigMgr 2007 SP2 only uses Mutual TLS during the Intel AMT set-up/provisioning

Digest User Accounts
• Microsoft only supports Kerberos user accounts
• Although not used by ConfigMgr 2007 SP2, Digest Accounts can be defined

Pre-shared Keys (PSK)
• Also referred to as PID/PPS provisioning
• ConfigMgr 2007 SP2 can support PID/PPS provisioning through the Intel® WS-Management Translator


Prerequisites for ConfigMgr 2007 SP2 OOB Management

• ConfigMgr 2007 SP2 Site Server
– Windows Remote Management (WinRM) version 1.1 (or later)
   – http://go.microsoft.com/fwlink/?LinkId=105682
– If Windows 2003,
   – Service Pack 2 or Later
   – Hotfix KB942841 http://support.microsoft.com/kb/942841/en-us
– MSXML 6.0 is required on computers that run the out of band management console
– If Windows 2008 or Vista running the OOB console,
   – Telnet Client installed to perform Serial-over-LAN

• Active Directory
– Intel® vPro™ Clients being managed must belong to the same AD Forest as the OOB Service Point
– AD Schema Extensions are not required for Intel vPro support; however, are required for other ConfigMgr 2007 SP2 features and make ConfigMgr 2007 SP2 Client Agent Deployments easier (required for Agent Based provisioning)

• Microsoft Enterprise Certification Authority
– Issue and Manage certificates required for TLS based out of band management
– Must automatically approve certificate request from the site server
– Key Length not to exceed 2048 (4096 for newer AMT firmware)


Prerequisites for ConfigMgr 2007 SP2 OOB Management

• Remote Configuration Certificate - http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning1
– Supported 3rd party CA (Verisign, Godaddy, Comodo, Starfield)

• DNS / DHCP / Network Ports
– provisionserver associated to ConfigMgr 2007 SP2 Out of Band Service Point
– Active DHCP Scope with Option 6 (DNS servers) and Option 15 (Domain Name) configured
– Open Network ports: 9971 - Provisioning Port; and 16992 through 16995 - OOB Management Ports
– Dynamic updates to DNS from DHCP (Option 81)

• Intel® vPro™ Client
– Intel® AMT HECI and SoL Driver for ConfigMgr 2007 SP2 Client Agent based Provisioning
– Firmware >=3.2.1 for Native Support

• Administrators Checklist and Prerequisites
– http://technet.microsoft.com/en-us/library/cc161943.aspx
– http://technet.microsoft.com/en-us/library/cc161785.aspx


Intel AMT Firmware Requirements

• ConfigMgr SP2 can work with a mixed AMT Firmware environment
– Any pre-3.2.1 firmware requires WS-MAN Translator; avoid if at all possible

• Recommend to upgrade to latest AMT Firmware version made available by your OEM for your chosen platform
– Typically systems won’t be shipped with latest firmware
– Depending on OEM, might be bundled with BIOS
– Firmware upgrade sometimes requires BIOS upgrade as well
– Download from OEM website
– If not available, contact OEM
– Distribute like any other software package


Glossary

• Legacy Provisioning/Managing – Provisioning and Managing Intel® vPro™ systems that are less than Intel® AMT firmware 3.2.1

• Native Provisioning/Managing – Provisioning and Managing Intel vPro systems that have Intel AMT firmware 3.2.1 (today) and higher (future releases)

• Intel® Manageability Engine (Intel® ME) – microprocessor in Intel vPro platforms that performs the Intel AMT functions and capabilities

• Intel® Manageability Engine BIOS Extension (Intel® MEBX) - the user interface to the Intel ME; it allows for the configuration of settings that control the operation of the Intel ME


Lab Extras

ConfigMgr 2007 SP2 Logs and Troubleshooting Tips


SendSched Utility to start provisioning

In order to start the Inband agent based provisioning immediately, you can use the sendsched utility to initiate the process from the vPro Client

This is the Windows Management Instrumentation Tester

• Open a command prompt and type wbemtest
• After the Windows Management Instrumentation Tester Utility opens, click Connect
• In the Namespace of the Connect Window, type the remote system name you want to force the check followed by \root\ccm (requires admin rights on the remote system)
• Click Connect
– You can also simply run the command on the local system by leaving out the host name
– Example: \root\ccm
• After you successfully connect to the target system, click the Execute Method Button
• In the Get Object Path window, type sms_client in the Object Path field. Click OK
• In the Execute Method Window, enter TriggerSchedule in the Method Field
• Click the Edit In Parameters Button
• In the Object editor for _PARAMETERS window, Double Click the sScheduleID in the Properties field
• In the Property Editor Window, change the Value to Not NULL and add the following {00000000-0000-0000-0000-000000000120}. This value is the Object ID to initiate this OOB auto-provisioning check
• Click the Save Property button
• In the Object editor for _PARAMETERS window, click the Save Object button
• In the Execute Method window, click the Execute Button
• After you Execute the method, you should see a message that the Method was executed successfully
• To confirm that your method was executed, look at the target system's c:\windows\system32\CCM\Logs\oobmgmt.log. You should now see a new entry in the log, GetProvisioningSetting, indicating that the policy has been re-evaluated

http://communities.intel.com/community/openportit/vproexpert/microsoft-vpro/blog/2008/09/30/using-wmi-to-force-the-sccm-agent-to-check-for-its-amt-auto-provisioning-policy;jsessionid=EFD16EF6C2DB47CFED050A242B7AFE5F.node5COMS



Helpful ConfigMgr 2007 SP2 Logs for Troubleshooting Intel® AMT Provisioning and Management

C:\Program Files\Microsoft Configuration Manager\Logs
• Amtopmgr.log – log for tracking the provisioning process
• Amtproxymgr.log – log used for tracking activities like certificate generation, OU creation, etc.

C:\Program Files\Microsoft Configuration Manager\AdminUI\AdminUILog
• OOBConsole.log – log for tracking OOB Management Console activity (note: for more detailed information, change "Error" to "Verbose" in the following file: c:\Program Files\Microsoft Configuration Manager\AdminUI\bin\oobconsole.exe.config)


Helpful ConfigMgr 2007 SP2 Logs for Troubleshooting on the Intel® vPro™ Client

C:\windows\system32\ccm\logs
• oobmgmt.log – log to track the provisioning of Intel® AMT

C:\windows\system32\ccmsetup
• ccmsetup.log – log to track installation progress of the ConfigMgr 2007 SP2 Client Agent


If you do not see your system automatically provision in ConfigMgr 2007 SP2, look at OOBMGMT.log in c:\windows\system32\CCM\Logs (on a Vista 64-bit OS, the logs folder is located under c:\windows\SysWOW64\CCM\Logs).

If you see the log stating Auto Provision Policy Disabled, perform the following steps.

MORE TO BE ADDED

• If you see the OOBMGMT.log showing autoprovisioning policy disabled, this indicates the agent has not found a collection that has enabled automatic provisioning.

Troubleshooting ConfigMgr 2007 SP2 Agent Auto-provisioning policy
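The wbemtest walkthrough on the SendSched slide and the OOBMGMT.log check on this slide, combined as an added PowerShell example (not part of the original deck): it calls sms_client.TriggerSchedule with the schedule ID from the slide, then reads oobmgmt.log for the two entries the deck mentions. The parameter names, the 30-second wait and the exact log wording matched are assumptions.

```powershell
# Added example, not part of the original training deck.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # assumption: defaults to the local vPro client
    [int]$WaitSeconds = 30                      # assumption: time allowed for the agent to log
)

# Schedule ID from the slide: initiates the OOB auto-provisioning policy check.
$scheduleId = '{00000000-0000-0000-0000-000000000120}'

# Same call the wbemtest steps make: sms_client.TriggerSchedule in \root\ccm.
# Requires admin rights on the target system.
try {
    Invoke-WmiMethod -ComputerName $ComputerName -Namespace 'root\ccm' -Class 'SMS_Client' `
        -Name 'TriggerSchedule' -ArgumentList $scheduleId -ErrorAction Stop | Out-Null
} catch {
    Write-Error "TriggerSchedule failed on ${ComputerName}: $($_.Exception.Message)"
    return
}

# Locate oobmgmt.log; the deck notes 64-bit Vista keeps the folder under SysWOW64.
$isLocal = $ComputerName -eq $env:COMPUTERNAME
$winDir  = if ($isLocal) { 'C:\Windows' } else { "\\$ComputerName\C`$\Windows" }
$log = 'System32', 'SysWOW64' |
    ForEach-Object { Join-Path $winDir "$_\CCM\Logs\oobmgmt.log" } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1
if (-not $log) {
    Write-Error "oobmgmt.log not found on $ComputerName"
    return
}

Start-Sleep -Seconds $WaitSeconds

# The two strings below are the log texts quoted in the deck; exact wording in a
# given client build is an assumption, so matching is case-insensitive.
$hits = @(Select-String -Path $log -Pattern 'GetProvisioningSetting',
                                            'Auto Provision Policy Disabled' |
          Select-Object -Last 10)
$hits | ForEach-Object { $_.Line }

if ($hits.Count -eq 0) {
    Write-Warning 'No GetProvisioningSetting entry yet; the policy may not have been re-evaluated.'
} elseif ($hits[-1].Line -match 'Auto Provision Policy Disabled') {
    Write-Warning 'Agent found no collection with automatic provisioning enabled.'
} else {
    Write-Output 'Auto-provisioning policy was re-evaluated.'
}
```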


ConfigMgr 2007 SP2 Resources

• Intel® vPro™ Expert Center devoted to Microsoft products and Intel vPro Technology - http://communities.intel.com/openport/blogs/microsoft-vpro

• Intel® vPro™ Expert Center; Known Issues, Best Practices, and Workarounds - http://communities.intel.com/docs/DOC-1247;jsessionid=4ABCE498498C0EB58EBCAA16C22F6250.node5COMS


Reboot the HP7800 and hit CTRL + P to enter the Intel MEBX Interface

Enter the password; P@ssw0rd

Select Intel (R) AMT Configuration and hit Enter

Select Un-Provision and Enter

Click Y for Yes to reset Intel AMT

Select Full Unprovision and Enter

Note: This will fully unprovision the Intel AMT system and set it back to factory default mode with the exception of the Intel MEBX password.

Manually Unprovision Intel® AMT in the Intel® MEBX


SCCM Out of Band Provisioning (Bare Metal Provisioning)

• Out of Band Management Controller Import Wizard invoked from Collections menu

• Wizard requests Computer Name, FQDN, MAC, UUID

• Intel vPro client(s) imported into collection allowing additional non-AMT SCCM 2007 SP1 related discovery

• When Hello Packet received, SCCM 2007 SP1 will perform the provisioning process

• Process: OOB Import -> Hello Packet Received -> SCCM 2007 SP1 Provisions Client


SCCM Out of Band Provisioning

1. Admin imports provisioning data for the client being provisioned into ConfigMgr 2007 SP1
2. vPro Client sends PKI hello packet to provisioning server (defined firmware schedule)
3. OOB Service Point secures the connection with the AMT client through the embedded AMT self-signed certificate and presents the provisioning certificate for initial authentication
4. OOB Service Point sets Remote Admin and MEBx password (if not changed)
5. OOB Service Point requests a web server certificate on behalf of the AMT client
6. OOB Service Point creates an object in AD for the vPro Client
7. OOB Service Point pushes web server certificate to AMT client
8. OOB Service Point pushes ACL, power schema, and other configuration data to AMT to finalize provisioning

Microsoft SCCM OOB Import Wizard


REMOVED SLIDES


2010 Additions to Intel® vPro™ Technology

Expanded Manageability

Uninterrupted keyboard, video & mouse control

Local wake capability to ensure local management tasks are executed

Cross Client Consistency

Same security and manageability features for both desktop and notebook

DASH 1.1 and full IPv6 support

Enhanced Security

Manageable data protection with integration of drive encryption solutions

Asset & data protection with anti-theft features and services

Energy Efficient Performance

New micro-architecture and partitioning to support better application performance with continued energy savings

Lower TCO with more efficient, more secure, more manageable platforms


After a few minutes, provisioning will automatically complete and you can update your collection membership

Right Click Collections and select Update Collection Membership

Click Yes to confirm that you want to proceed

Right click on All Systems collection and select Refresh

The client will now appear in All Systems Collection Provisioned and no longer be listed in the Unprovisioned vPro Clients collection

Note: You can track the provisioning progress under C:\Program Files\Microsoft Configuration Manager\Logs\Amtopmgr.log

This process length depends on the time it takes for ConfigMgr 2007 SP2 Agent to check in with the Server and pull down its policies.

Provision AMT via In-Band ConfigMgr 2007 SP2 Client Agent

Congratulations! You have just successfully completed InBand provisioning in ConfigMgr 2007 SP2 and enabled Intel® vPro™ systems to be manageable out of band by ConfigMgr 2007 SP2 console.

Removed Slide and used for Reference / Backup

Bill York
Should we add the sendsched utility to help kick off the provisioning? Add to the infrastructure image so we can pull it down to the client and run it?

Lab Module 4

Collection Configuration for In-Band Provisioning


After the Agent has pulled down the machine policies from the ConfigMgr 2007 SP2 server, you will see more Actions listed in the Actions tab of the Configuration Manager

Monitor Policies being applied to ConfigMgr 2007 SP2 Client


In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Site Management > PRO – vPro Demo Primary Site > Site Settings > Discovery Methods

Double Click on Active Directory System Discovery

Note: With the collection defined, you can use any of the discovery methods that ConfigMgr 2007 SP2 provides (AD System Group, AD Security Group, AD System, AD User, Heartbeat, or Network) to discover the client. If you decide to use Network discovery, refer back to the steps on required configuration.

Note: For more information about network discovery and how to schedule it to run, see About Network Discovery and How to Schedule Network Discovery.

Discover Systems with ConfigMgr 2007 SP2 Discovery

http://technet.microsoft.com/en-us/library/cc161971.aspx

In the Active Directory System Discovery Properties window General Tab, check Enable Active Directory System Discovery

Click the Button

In the New Active Directory Container window, select Local Domain and click OK

In the Select New Container window, select Computers

Click OK….proceed to next foil

Enable Active Directory System Discovery


Bill York
AD System Discovery containers currently in the images. Check updated images but if exists, leave alone and remove comment

On the Polling Schedule, check the box to Run discovery as soon as possible

Click Apply

Click OK

Note: This will initiate a discovery of all the systems listed in the computer OU in the Active Directory.

Initiate the Polling Schedule for Discovery


After you run the discovery method:

Right Click All Systems and select Update Collection Membership

Click OK to confirm that you want to proceed

Right click on All Systems and select Refresh (f5)

The client will now appear in the All Systems and Unprovisioned vPro Clients Collection

Note: It may take a couple of minutes for the system to show up. You may continue to click Refresh on the All Systems Collection until you see the client in the collection. The Intel® AMT status of the device will be in an unknown state. Ensure the firewalls on the virtual images, host OS running the virtual images, and the vPro system are not enabled. The Windows Client firewall can inhibit communications.

Update Collection to see Discovered System

Update Images


After the client is populated in the All Systems Collection, check to see if any of the systems are Intel® vPro™ capable

Right Click on the newly discovered system > Out of Band Management > Discover Management Controllers

Click OK

Note: This will scan the system and validate which clients are Intel vPro capable and ready to be provisioned. You can also scan an entire collection for AMT systems.

Note: You can monitor the discovery process by watching the amtopmgr.log located in C:\Program Files\Microsoft Configuration Manager\Logs (you will find a shortcut to this log on the SCCM Virtual Image desktop)

Use Out of Band Management to Discover Management Controllers

Update Images


After a few minutes, depending on the size of your collection, you can update your collection membership

Right click Collections and select Update Collection Membership

Click Yes to confirm that you want to proceed

After one minute, right click on Collections and select Refresh

The client will now appear in the Unprovisioned vPro Clients Collection, listed as Not Provisioned. When the ConfigMgr 2007 SP2 Agent checks in for its policies, this collection will start the automatic provisioning process.

Note: If you look back at the All Systems collection, you will now see the system listed as Not Provisioned. You will also see the version of Intel® AMT listed. If you do not see your system in the Unprovisioned Collection, the collection query or discovery method failed (refer back to previous steps).

Update Collection membership to see Intel® vPro™ system Not Provisioned

Note: If the system is listed as Detected, remove client from ConfigMgr, boot client into the Intel MEBX and SMB provision, unprovision, repeat AD Discovery (p.96-97), and repeat Discover Management Controllers (p.98-99)


Lab Module 3 Review

• Installed ConfigMgr 2007 SP2 Client Agent on local system

• Initiated Action on the ConfigMgr 2007 SP2 Client Agent to check in with the ConfigMgr 2007 SP2 server to receive its policies

• Validated Policies were being applied to the ConfigMgr 2007 SP2 Client through associated logs

• Updated the ConfigMgr 2007 SP2 Collection Membership and found that Intel® vPro™ system was successfully provisioned using ConfigMgr 2007 SP2 Inband agent.


In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Site Management > PRO – vPro Demo Site > Site Settings > Discovery Methods

In the right hand window, Right-click Network Discovery, and click Properties

On the General tab, select Enable Network Discovery and Select Topology radio button

Select Enable discovery of out of band management controllers

Click OK

Note: This will allow ConfigMgr 2007 SP2 to detect if a system is Intel® AMT capable.

Configure Network Discovery for Management Controllers

http://technet.microsoft.com/en-us/library/ee344683.aspx