
Intel® vPro™ and Microsoft® System Center Configuration Manager 2007 SP2 Training
1
Welcome
• This step-by-step training guide is intended to get you familiar with managing Intel® vPro™ systems with Microsoft* System Center Configuration Manager 2007 Service Pack 2 (SCCM 2007 SP2)
• Please use this guide to do the lab exercises in the virtual "training environment" assigned to you
NOTE: This training guide is an updated version of the previously released SP1 guide. Please refer to the SP1 training guide if your environment has not been updated to SP2.
Intel Confidential
2
Training Objectives
• Provide an overview of Intel® vPro™ Technology and discuss its capabilities
• Provide students with hands-on experience configuring a System Center Configuration Manager 2007 SP2 environment to support Intel® vPro™ capable machines
• Provide hands-on experience provisioning and managing Intel® vPro™ capable machines
• Showcase "Real World" use cases of Intel® vPro™ systems within a SCCM environment
• Provide students with a better understanding and ability to discuss the components necessary in Configuration Manager 2007 SP2 to support Intel® vPro™ systems (both native and legacy support) with their customers, management, partners, vendors, etc.
3
Training Agenda
• What is Intel® vPro™ Technology? – High level overview (Skip slides 7-11 if you are already familiar
with Intel® vPro™)
• What is Intel® vPro™ Provisioning? (Skip slides 12-14 if you are already familiar with Intel® vPro™
provisioning)
• Steps to access Intel’s Remote Training Environment (skip slides 16-19 if you are running a local copy of
the training images)
• Lab Module 1 – Infrastructure Preparation
– Hands-on experience configuring the Enterprise Infrastructure (AD/PKI) to support
ConfigMgr 2007 SP2 and Intel® vPro™ systems
• Lab Module 2 - ConfigMgr 2007 SP2 OOB Service Point and Components
– Hands-on experience setting up and configuring Out of Band Service Point in
ConfigMgr 2007 SP2 to support Intel® vPro™ systems
• Lab Module 3 – ConfigMgr 2007 SP2 Collections and InBand Provisioning
– Hands-on experience utilizing the ConfigMgr 2007 SP2 client agent for in-band
provisioning
– Hands-on experience configuring ConfigMgr 2007 SP2 Collection for Discovering and
automatically provisioning Intel® AMT capable machines
• Lab Module 4 – ConfigMgr 2007 SP2 Out of Band Management Console
– Hands-on experience utilizing the ConfigMgr 2007 SP2 OOB Console to manage
(OOB) Intel® vPro™ systems
• Lab Module 5 – Real World Use Cases
– Hands-on setting up and running actual use cases for a production environment
Intel Confidential
4
Training Caveats
• This is not a replacement for Microsoft's documentation on installing and configuring ConfigMgr 2007 SP2
• This presentation only focuses on the Intel® vPro™ related configuration components
• It is highly recommended that you thoroughly review all of Microsoft's documentation before activating Intel® vPro™ with ConfigMgr 2007 SP2
Recommended Material (from Microsoft TechNet):
– What's New in Configuration Manager 2007 SP2
– Fundamentals of Configuration Manager 2007
– Configuration Manager Planning and Deployment Overview
– Configuration Manager Supported Configurations
– Planning and Deploying the Server Infrastructure for Configuration Manager 2007
– Planning and Deploying Clients for Configuration Manager 2007
– How to Configure Configuration Manager 2007
– Out of Band Management in Configuration Manager 2007 SP1 and later
– Administrator Checklist: Enabling Out of Band Management
5
Acronyms Used
• 3PDS – Third Party Data Storage
• FW – Firmware
• Intel® AMT – Active Management Technology
• Intel® ME – Management Engine (Microsoft calls this component the Management Controller)
• Intel® MEBX – Management Engine BIOS Extension
• KVM – Keyboard, Video and Mouse
• OOB – Out Of Band
• OSD – Operating System Deployment
• OTP – One Time Password
• PKI – Public Key Infrastructure
• PSK – Pre-Shared Key
• RADIUS Server – Remote Authentication Dial In User Service
• SCCM – System Center Configuration Manager
• SUM – Scheduled Update Management
6
What is Intel® vPro™ Technology?
7
Intel® Core™ vPro™ Processor Family
Platform is more than the sum of its parts
[Diagram: three platform panels – Processor, Chipset, Network – with the following components; text recovered from the figure]
• Intel® Core™ i5 & i7 Processors
• Intel® Anti-Theft Technology
• Intel® Express Chipset
• Intel® Active Management Technology
• Intel® Virtualization Technology
• Intel® Gigabit Network
• Intel® Trusted Execution Technology
Intel® vPro™ Technology – Security & Manageability on the Chip
8
Continued Business Client Platform Evolution
[Roadmap diagram with Desktop and Mobile rows; text recovered from the figure]
Desktop:
– 2006: AMT 2.0 – Remote diagnostics, Remote repair, Remote HW/SW inventory, System defense
– 2007: AMT 3.0, VT-x, VT-d, TXT – Remote config, Enhanced system defense, Cisco SDN
– 2008: AMT 5.0 – MSFT NAP, Fast Call for Help, Remote Schedule Maintenance, Remote PC Assist Technology
Mobile:
– 2007: AMT 2.6, VT-x – Remote config, Cisco SDN, Wireless support
– 2008: AMT 4.0, VT-d, TXT – MSFT NAP, Fast Call for Help, Remote Schedule Maintenance
2010: KVM Remote Control¹, Intel® Anti-Theft Technology, PC Alarm Clock, Remote Encryption Management, AES-NI
Captions: Enterprise Remote Management; Extend beyond remote management services; Full remote control, firewall, Data & asset security; Converged roadmaps to deliver the best platform for business; Sustained innovation – Security, Virtualization, Wireless
¹ Requires processor with integrated graphics
10
Intel® Technology Business Impact
Actual Customer Experiences with Intel® vPro™ Technology
[Figure: four case-study panels; metrics and customers listed in the order they appear in the figure]
• Up to 90% reduction in software-related desk-side visits – Indiana State Office of Technology (Read case study)
• Up to 98% less unintended PC downtime due to software issues – Advocate Health Care (Read case study)
• Up to 25% more power-efficiency improvement – Value Space (Read case study)
• 51% ROI – EDS (Read case study; View video on YouTube)
http://communities.intel.com/docs/DOC-1494/
11
ConfigMgr 2007 SP2 Features
Provisioning
• Secure Setup & Configuration of Intel® AMT
• Zero Touch – Certificate Hash
• Zero Touch – In band via agent
• Ties to OSD with targeting
Discovery/Inventory
• Discover On Demand
• Per machine / per collection
• Scheduled Discovery
• In band inventory via agent
Remote Console
• Helpdesk of Break/Fix
• Serial over LAN
• IDE Redirection
• BIOS password bypass
Power Control
• Manual power control
• Scheduled Power On
• SWDist, SUM, OSD
• On Demand Power Control
• Wake, Restart, Shutdown
• Interactive via OOB Console
12
System Center with Intel® vPro™ Technology
NEW! Integrated OOB features in ConfigMgr 2007 SP2
OOB Wireless Management: Wireless Profile Management
• Provide configuration of up to eight (8) wireless profiles per site that are available to AMT clients assigned to that site
• Set the wireless information during AMT provisioning and configure all required profile settings (SSID, key management, encryption, etc.)
• Send wireless profile operations to the Intel translator on AMT systems with revisions earlier than 3.2.1
End Point Access Control: 802.1x support
• Provision 802.1x settings on AMT wireless clients during AMT provisioning
• Send 802.1x settings to the Intel translator on AMT systems with revisions earlier than 3.2.1
Data Store (3PDS)
• Write string data into 3PDS on AMT through the OOB management console
Access Monitor: Audit Log
• Enable or Disable Audit Log (no critical event settings)
• View Audit Log through the OOB Console
Remote Power Management
• Power State Configuration (ME on in S0; ME on in S0 and S3 but off in S5; ME is Always On)
http://communities.intel.com/community/openportit/vproexpert/microsoftvpro/blog/2009/09/19/a-closer-look-at-sccm-sp2-the-more-subtle-changes-with-sccm-sp2
13
Intel® vPro™ Provisioning
14
What is Intel® vPro™ Provisioning?
Provisioning is the process by which an Intel® vPro™ system is configured with the appropriate parameters to allow it to become manageable & operational within an IT environment. This process is sometimes referred to as Setup & Configuration.
Provisioning sets parameters in the Manageability Engine (ME). Example parameters:
• Administrator credentials
• AMT Host Name
• Networking details (DHCP, VLAN, etc.)
Note: Microsoft refers to the Manageability Engine as the Management Controller.
15
Intel® vPro™ Manageability Engine BIOS Extension (MEBx)
• The MEBx is the user interface to the Manageability Engine (ME); it allows for the configuration of settings that control the operation of the ME
• The MEBx is an option ROM module provided to the OEM by Intel that is an extension to the system BIOS
• The Manageability Engine runs on an embedded processor inside the Memory Controller Hub (MCH) and is responsible for executing the various AMT functions (Remote Power, IDE-Redirection, etc.)
16
Access the MEBx on your vPro system and perform a full unprovision of AMT
• Start up the Intel® vPro™ Laptop (e.g. LNVT400-01)
• During the boot process, press the blue ThinkVantage button to access the MEBx interface (on other OEM systems, press CTRL+P to access the MEBx)
• Select F12 at the Startup Interrupt Menu
• Select <Enter ME Configuration Screens>
• Type P@ssw0rd to login to the MEBx (admin is the default when shipped from the OEM but has been modified for this training)
• Select Intel AMT Configuration and press Enter
• Select Un-Provision and press Enter
• Enter Y to Reset AMT Provisioning
• Select Full Unprovision and press Enter
• After the Unprovision is complete, hit the ESC key and select Exit
• Enter Y to reboot the system
Note: This will fully unprovision the MEBx and set it back to factory default mode with the exception of the local MEBx password. This is the manual method to unprovision AMT but is not usually required in the production environment as it can be done remotely.
17
ConfigMgr SP2 Remote Provisioning Process – In-Band Agent Based Provisioning
http://technet.microsoft.com/en-us/library/cc431371.aspx
Recommended ConfigMgr setup approach:
• Set up a Collection for Not-Provisioned Intel® vPro™ Systems
• Enable Network discovery or manual discovery if the system is Intel® AMT capable
• The machine will be placed in the collection
• Benefits of this approach:
  • Only provision Intel AMT systems
  • Reduce network load
[Diagram: SCCM Primary Site Server and Intel® vPro™ Clients with numbered callouts; callout text recovered from the figure, in the order extracted]
• ConfigMgr Agent checks in with ConfigMgr Server for policies
• If the Auto-Provisioning Policy is enabled, ConfigMgr Agent will generate and send an OTP to Intel AMT and ConfigMgr Server
• ConfigMgr Server performs a discovery of Intel AMT
• ConfigMgr places Intel AMT discovered systems in a Not Provisioned Collection that has the auto-provisioning policy enabled
• ConfigMgr Agent checks for the auto-provisioning policy
• --Provisioning Started--
• Agent sets the OTP in Intel AMT and sends it to the ConfigMgr server
• Intel AMT sends embedded hashes to the ConfigMgr server
• ConfigMgr sends the Remote Config Certificate to Intel AMT for authentication
• Intel AMT validates that the Remote Config Certificate is issued by a trusted CA in Intel AMT firmware
• Configuration data is passed to Intel AMT over a secure tunnel
18
Agent Based Provisioning and Infrastructure Services
1. Based on policy, the Configuration Manager Agent will assess if the Client can be provisioned. If it can, it will create a One Time Password and send the OTP to both the OOB Service and into the Intel® AMT Firmware
2. OOB Service Point secures the connection with the Intel AMT client through the embedded AMT self-signed certificate, and presents the Provisioning Certificate along with the OTP for initial authentication
3. OOB Service Point sets the Remote Admin and Intel® MEBX password (if not changed)
4. OOB Service Point requests a web server certificate on behalf of the Intel AMT client
5. OOB Service Point creates an object in AD for the Intel® vPro™ Client
6. OOB Service Point pushes the web server certificate to the Intel AMT client
7. OOB Service Point pushes ACL, power schema, and other configuration data to Intel AMT to finalize provisioning
http://technet.microsoft.com/en-us/library/cc431371.aspx
19
Physical Hands-on Training
Lab Environment
23
Physical Lab Environment Overview
[Diagram; text recovered from the figure]
• All passwords = P@ssw0rd
• Intel vPro Laptop/Desktop – AMT firmware (4.x, 5.x or 6.x)
• Virtualized Machine Environment (Laptop):
  – Infrastructure Image: Microsoft AD, PKI\Ent Root CA, DNS/DHCP – 192.168.0.x
  – ConfigMgr Image: ConfigMgr 2007 SP1 Server, SQL 2005
Note: A minimum of 4G of memory should be installed on the host machine running the Virtual images
24
Launch the Microsoft Virtual Infrastructure Image
 Start the laptop (e.g. HP6930P) hosting the Virtual Images
 Double-click the shortcut DC1 on the Desktop of the host OS to start the Infrastructure VM image
Note:
• To Maximize/Minimize the Virtual Image window: CTRL + ALT + ENTER
• As needed, use CTRL + ALT + Insert to login
• Login Information
  • Domain Admin: ITproadmin
  • Password: P@ssw0rd
  • Domain: VPRODEMO
Note: Make sure you have not started your ConfigMgr 2007 SP1 Server Image until after completing the configuration of your infrastructure image.
25
Lab Module 1
Configure the Active Directory and PKI Infrastructure to support Configuration Manager 2007 SP2 and Intel® vPro™ Systems
26
Prepare Active Directory
Domain Services for Out of
Band Management
27
Active Directory Configuration
• An Active Directory OU container must be created to store Intel® AMT device objects
  – Recommended Name: Out of Band Management Controllers
  – The primary site server computer account (ConfigMgr 2007 SP2 Server) must be granted Full Control permissions on the OU and all child objects in the OU
  – http://technet.microsoft.com/en-us/library/cc161814.aspx
  – A Schema Extension is not required for Intel® vPro™ support
  – However, the Schema Extension is required for other ConfigMgr 2007 SP2 features and makes ConfigMgr 2007 SP2 Client Agent Deployments easier (required for Agent Based provisioning)
• Extend AD Schema (optional): http://technet.microsoft.com/en-us/library/bb633121(TechNet.10).aspx
28
Create Active Directory Security Group for ConfigMgr 2007 SP2 Primary Site Servers
 On your Domain Infrastructure Image, click Start > Programs > Administrator Tools > Active Directory Users and Computers
Note: Under the View menu option, ensure Advanced Features is checked
 Expand the vProDemo.com domain
 Right-click on Users and select New > Group
 In the New Object - Group dialog box, type ConfigMgr Primary Site Servers
 Click OK
29
Add ConfigMgr 2007 SP2 Server as a member of the Security Group
 In Active Directory Users and Computers, right-click the ConfigMgr Primary Site Servers group and select Properties
 In the ConfigMgr Primary Site Servers Properties window, select the Members tab and click Add
 Add the MSSCCM server and click OK (make sure to click the Object Types button and check Computers to find the SCCM Computer Account)
 Click OK to close the Properties window
Note: Your ConfigMgr server is now a member of your ConfigMgr Primary Site Servers group and will be used later for applying security rights to AD OUs and Certificate Templates.
Make sure you have not started up the ConfigMgr server image while setting up this server security setting. If you have the ConfigMgr server running, please shut it down now.
30
Create Active Directory OU for Client Management Controller Objects
 On your Infrastructure Image, click Start > Programs > Administrator Tools > Active Directory Users and Computers
 Right-click on vProDemo.com > New > Organizational Unit
 In the New Object - Organizational Unit dialog box, type Out of Band Management Controllers and click OK
31
Add ConfigMgr Primary Site Servers Security group to the Management Controller OU
 Right-click the Out of Band Management Controllers OU and click Properties
 In the Out of Band Management Controllers Properties window, click the Security tab
 Click Add and select the ConfigMgr Primary Site Servers group
 Click OK to add the group, but DO NOT close the Properties window; continue to the next slide to set full control for this group.
32
Give Full Control for ConfigMgr Primary Site Servers Security group to the Management Controllers OU
 Check Full Control for the ConfigMgr Primary Site Servers Security Group
 With ConfigMgr Primary Site Servers selected, click Advanced
 Highlight the ConfigMgr Primary Site Servers group, and click Edit
 In the Apply to drop down, select This object and all descendant objects
 Click OK 3 times
Note: We have now created an AD OU and given ConfigMgr 2007 SP2 the proper permission to create AMT objects for each vPro system during the provisioning phase.
33
Create RADIUS Security Group for AMT devices
 On your Infrastructure Image, click Start > Programs > Administrator Tools > Active Directory Users and Computers
 Expand vProDemo.com and right-click on Users and select New > Group
 In the New Object – Group window, enter AMT RADIUS Clients in the Group name field
 Click OK
34
Set Permissions on RADIUS Security Group
 Right-click on the AMT RADIUS Clients group and select Properties
 In the AMT RADIUS Clients Properties window, click the Security tab and click the Add button
 In the Select Users, Computers, or Groups window, add ConfigMgr Primary Site Servers
 Click OK
 Select the ConfigMgr Primary Site Servers group and select Full control
 Click OK
COMPLETED: We have now created an AD OU and an AMT RADIUS Group, and given the Security Group that the ConfigMgr 2007 SP2 Server is a member of the proper permission to create Management Controller objects for each Intel® vPro™ system during the provisioning phase.
35
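The following PowerShell script is an added example, not part of the Intel training deck: it performs the Lab Module 1 Active Directory steps above (security group, site server membership, Management Controllers OU, Full Control with inheritance, RADIUS group) and then verifies the result, which the GUI steps do not show you how to check. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later), a domain-admin session on the infrastructure image, and the lab's own names (domain vprodemo.com, site server MSSCCM, the ConfigMgr Primary Site Servers group, the Out of Band Management Controllers OU, the AMT RADIUS Clients group). Grant-FullControl is a helper written for this example.

```powershell
# Added example (not from the Intel training deck): scripted equivalent of the Lab Module 1
# Active Directory steps, followed by a verification pass. Assumes the ActiveDirectory module
# (RSAT / Windows Server 2008 R2 or later) and a domain-admin session on the infrastructure image.
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName      # DC=vprodemo,DC=com in the lab
$groupName  = 'ConfigMgr Primary Site Servers'
$ouName     = 'Out of Band Management Controllers'
$radiusName = 'AMT RADIUS Clients'
$siteServer = 'MSSCCM'                               # ConfigMgr 2007 SP2 primary site server

# Grants a SID Full Control on an AD object, applied to "This object and all descendant objects"
# (helper written for this example; same ACE the Advanced security dialog creates).
function Grant-FullControl {
    param([string]$ObjectDN, [System.Security.Principal.SecurityIdentifier]$Sid)
    $acl = Get-Acl -Path "AD:\$ObjectDN"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$ObjectDN" -AclObject $acl
}

# 1. Security group for the primary site server(s), created in the default Users container
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                         -Path "CN=Users,$domainDN" -PassThru
}

# 2. Add the site server's computer account (the Object Types > Computers step in the GUI)
Add-ADGroupMember -Identity $group -Members (Get-ADComputer $siteServer)

# 3. OU that will hold one Management Controller object per provisioned Intel AMT system
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDN -PassThru
}

# 4./5. Full Control on the OU and all descendant objects for the site server group
Grant-FullControl -ObjectDN $ou.DistinguishedName -Sid $group.SID

# 6./7. RADIUS client group for 802.1x, with Full Control for the same site server group
$radius = Get-ADGroup -Filter "Name -eq '$radiusName'"
if (-not $radius) {
    $radius = New-ADGroup -Name $radiusName -GroupScope Global -GroupCategory Security `
                          -Path "CN=Users,$domainDN" -PassThru
}
Grant-FullControl -ObjectDN $radius.DistinguishedName -Sid $group.SID

# Verification: the computer account is a member, and the OU carries an inheriting
# GenericAll (Full Control) allow ACE for the group.
$isMember = [bool](Get-ADGroupMember -Identity $group |
    Where-Object { $_.SamAccountName -eq "$siteServer`$" })
$ouAce = (Get-Acl -Path "AD:\$($ou.DistinguishedName)").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $group.SID -and
    $_.ActiveDirectoryRights -eq [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -and
    $_.InheritanceType -eq [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
}
"Site server is a member of '$groupName' : $isMember"
"Full Control ACE on '$ouName' OU         : $([bool]$ouAce)"
```

The grant is scoped the way the GUI steps scope it: the site server group receives Full Control only on the Management Controllers OU subtree and on the RADIUS group object, not on the domain head, so a compromised site server account gains nothing beyond the objects it must create and revoke.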
Configure PKI Web Server
Certificates for each
Management Controller
36
Closer look at Certificates with ConfigMgr 2007 SP2 and Intel® vPro™
• There are three types of Certificates used in association with Intel vPro client provisioning and management within ConfigMgr 2007 SP2
• Intel® AMT Self Signed Certificate
  • Used during PKI provisioning to secure the connection
  • Transparent to the process
• Intel® AMT Provisioning Certificate
  • Used for Remote Configuration authentication by the Out of Band Service Point
  • Can be generated from the Internal PKI Infrastructure or purchased from a 3rd Party CA (VeriSign*, GoDaddy*, Comodo, Starfield)
  • A provisioning certificate generated from the internal PKI environment requires the internal Root hash to be imported into the MEBx
  • Requires Option 15 set on DHCP to support "Zero Touch" Configuration
• Intel® AMT Web Server Certificate
  • Used to secure a connection to the Intel AMT client by the management console
  • Issued to the Intel AMT client during the provisioning process
  • ConfigMgr 2007 SP2 requires the certificate to be issued by a Microsoft Enterprise CA
  • PKI certificate key sizes <= 2048 bits
37
Enterprise CA & Provision Certificate Configuration
• Assumes that a Microsoft Enterprise CA exists and is already configured
• Two Certificates Required: Intel® AMT Provisioning & Intel AMT TLS Web Server Cert
• Intel AMT Provisioning Certificate (Used for Provisioning)
  • Determine 3rd party or Self Generated
    • 3rd Party CA (VeriSign*, Go Daddy*, Comodo, Starfield)
      • http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning1
    • Self Generated from Internal PKI infrastructure
      • http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning2
  • Export Cert for ConfigMgr 2007 SP2 / WS-MAN Translator in a later configuration step
    • http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning3
• Web Server Certificate (Intel AMT TLS Cert used for securely managing vPro)
  • Create New Web Server Template
    • Recommended certificate name: ConfigMgr AMT Web Server Certificate
    • Primary site server computer account (ConfigMgr 2007 SP2 Server) must have Read/Enroll permissions
    • http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTwebserver
• 802.1x RADIUS Certificate (Optional for 802.1x networks)
  • Create New RADIUS Client Template for 802.1x network
  • Allows AMT to securely authenticate to an 802.1x network without an OS present
    • Recommended certificate name: ConfigMgr AMT 802.1X Client Authentication Certificate
    • Ensure you select Supply in the request to provide the Subject Name
    • Primary site server computer account (ConfigMgr 2007 SP2 Server) must have Read/Enroll permissions
    • http://technet.microsoft.com/en-us/library/cc431417.aspx#BKMK_AMTClientCertificate
38
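The provisioning certificate is the one credential the firmware checks before it accepts any configuration: in the provisioning flow on slide 18, Intel AMT sends its embedded root hashes, receives the Remote Config Certificate and only proceeds if that certificate chains to a root whose hash it holds, and the certificate's CN must agree with the DNS domain the client learns from DHCP option 15. The following PowerShell script is an added example, not part of the Intel training deck, that runs those checks on a PFX before it is imported into the Out of Band Management component (slide 67). It assumes a placeholder PFX path, the lab password, the lab domain vprodemo.com as the DHCP option 15 value, and a constructed placeholder list standing in for the root hashes read from the MEBx (taken here to be SHA-1 hashes, the same value Windows shows as a certificate Thumbprint).

```powershell
# Added example (not from the Intel training deck): pre-flight checks on a Remote Configuration
# (provisioning) certificate before it is imported into the Out of Band Management component.
# Assumptions: $PfxPath is a placeholder, $PfxPassword is the lab password, $Dhcp15Domain is the
# DNS domain handed out in DHCP option 15, and $MebxRootHashes is a constructed placeholder list
# to be replaced with the root hashes read from the clients' MEBx (taken here to be SHA-1 hashes,
# the same value Windows displays as a certificate Thumbprint).
param(
    [string]   $PfxPath        = 'z:\GoDaddy_vProDemo\provisioning-cert.pfx',   # placeholder
    [string]   $PfxPassword    = 'P@ssw0rd',
    [string]   $Dhcp15Domain   = 'vprodemo.com',
    [string[]] $MebxRootHashes = @('0000000000000000000000000000000000000000')  # constructed placeholder
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $PfxPath, $PfxPassword, `
    ([System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

# Build the chain from the leaf. The PFX normally carries the intermediates; the public root
# comes from the local machine store. Revocation checking is off so the check runs offline.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)
$root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

$results = [ordered]@{}

# 1. AMT only accepts the certificate if the chain ends in a root whose hash is in the MEBx
#    (the "validates Remote Config Certificate is issued by a trusted CA in firmware" step).
$results['RootHashInMEBx'] = [bool]($MebxRootHashes -contains $root.Thumbprint)

# 2. The chain itself must build; a missing intermediate in the PFX shows up here.
$results['ChainBuilds'] = $chainOk

# 3. AMT compares the subject CN with the DNS domain it receives in DHCP option 15.
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$results['CNMatchesDhcpOption15'] = ($cn -eq $Dhcp15Domain) -or ($cn -like "*.$Dhcp15Domain")

# 4. Validity window, as seen by the OOB service point's clock.
$now = Get-Date
$results['WithinValidityPeriod'] = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

# 5. Without the private key the OOB service point cannot authenticate to AMT at all.
$results['HasPrivateKey'] = $cert.HasPrivateKey

$results.GetEnumerator() | ForEach-Object { '{0,-24} {1}' -f $_.Key, $_.Value }
if ($results.Values -contains $false) {
    Write-Warning "Provisioning certificate is not ready for import (root thumbprint: $($root.Thumbprint))."
}
```

Run it on the OOB service point with the PFX you intend to import; a failed RootHashInMEBx is the usual reason zero-touch provisioning silently never completes, because the firmware rejects the certificate before any configuration data is exchanged. When the certificate comes from the internal PKI (the "Self Generated" path above), the root's thumbprint is the value you must add to each client's MEBx.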
Configure PKI Web Server Certificate Template
 Open your Certificate Authority issuing PKI Server – click Start > Programs > Administrator Tools > Certification Authority
 Expand DC1.vprodemo.com
Note: This is a Microsoft Enterprise Certificate Authority; Standalone CAs are not supported with ConfigMgr 2007 SP2 for Intel® vPro™
 Right-click on Certificate Templates > Manage
39
Configure PKI Web Server Certificate Template
 In the Certificate Templates Console, in the right-hand window pane, right-click on Web Server and select Duplicate Template
 In the Duplicate Template window:
   Select the radio button for Windows 2003 Server, Enterprise Edition
   Click OK
 In the Properties of New Template window on the General tab:
   Enter ConfigMgr AMT Web Server Certificate
 Proceed to the next foil to set security rights on this template
40
Apply Security Permission to Web Server Certificate Template
 In the Properties of New Template window, click the Security tab
 Click Add
 Select the ConfigMgr Primary Site Servers group
 Click OK
 With the ConfigMgr Primary Site Servers group highlighted, check Read and Enroll
 Click OK
 Close the Certificate Templates Console
41
Issue Web Server Certificate Template
 In the Certification Authority window, right-click on Certificate Templates > New > Certificate Template to Issue
 In the Enable Certificate Templates window, select ConfigMgr AMT Web Server Certificate (the template created in the previous step)
 Click OK
42
Web Server Certificate Template issued in CA for use by ConfigMgr 2007 SP2
 In the Certification Authority window > Certificate Templates, you will now see ConfigMgr AMT Web Server Certificate listed in the right-hand window and ready for use by the Out of Band Service Point
Note: This Web Server Template will be used by ConfigMgr 2007 SP2 to generate a unique certificate for each Intel® AMT system during the provisioning process, used for the TLS session during management of Intel AMT.
43
Configure RADIUS Client Certificate Template
 Open your Certificate Authority issuing PKI Server – click Start > Programs > Administrator Tools > Certification Authority
 Expand DC1.vprodemo.com
 Right-click on Certificate Templates > Manage
44
Configure RADIUS Client Certificate Template
 In the Certificate Templates Console, in the right-hand window pane, right-click on Workstation Authentication and select Duplicate Template
 In the Duplicate Template window:
   Select the radio button for Windows 2003 Server, Enterprise Edition
   Click OK
 In the Properties of New Template window:
   General tab: enter ConfigMgr AMT 802.1X Client Authentication Certificate
   Subject Name tab: select Supply in the request
   Click OK in the warning message
 Proceed to the next foil to set security rights on this template
45
Apply Security Permission to ConfigMgr AMT 802.1X Client Authentication Certificate Template
 In the Properties of New Template window, click the Security tab
 Click Add
 Select the ConfigMgr Primary Site Servers group
 Click OK
 With the ConfigMgr Primary Site Servers group highlighted, check Read and Enroll
 Click OK
 Close the Certificate Templates Console
46
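Both template permission slides (the Web Server template and the 802.1X Client Authentication template) leave the site server with Read and Enroll on a template object, and the two "Issue" slides add that template to the CA. The following PowerShell script is an added example, not part of the Intel training deck, that verifies both conditions from Active Directory, where certificate templates and the CA's issued-template list are stored. It assumes the ActiveDirectory module, an account that can read the Configuration partition, the lab's template display names, and the ConfigMgr Primary Site Servers group; Test-TemplatePermissions is a helper written for this example. The Enroll permission is the Certificate-Enrollment extended right, identified by a GUID that is fixed in the AD schema.

```powershell
# Added example (not from the Intel training deck): verifies that the two certificate templates
# created in Lab Module 1 grant the ConfigMgr Primary Site Servers group Read and Enroll, and
# that the Enterprise CA has been told to issue them. Assumes the ActiveDirectory module, a
# domain account that can read the Configuration partition, and the lab's template display names.
Import-Module ActiveDirectory

$groupName     = 'ConfigMgr Primary Site Servers'
$templateNames = 'ConfigMgr AMT Web Server Certificate',
                 'ConfigMgr AMT 802.1X Client Authentication Certificate'
# Enroll is the Certificate-Enrollment extended right; this GUID is fixed in the AD schema.
$enrollRight   = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$adRights      = [System.DirectoryServices.ActiveDirectoryRights]

$configNC   = (Get-ADRootDSE).configurationNamingContext
$pkiDN      = "CN=Public Key Services,CN=Services,$configNC"
$groupSid   = (Get-ADGroup -Identity $groupName).SID

# Template names (CN, not display name) that the Enterprise CAs in the forest currently issue
$issuedByCA = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiDN" `
                  -Filter "objectClass -eq 'pKIEnrollmentService'" -Properties certificateTemplates |
              ForEach-Object { $_.certificateTemplates }

function Test-TemplatePermissions {
    param([string]$DisplayName)
    $tpl = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiDN" `
               -Filter "displayName -eq '$DisplayName'" -Properties displayName
    if (-not $tpl) {
        return [pscustomobject]@{ Template = $DisplayName; Found = $false; Read = $false; Enroll = $false; IssuedByCA = $false }
    }
    # Keep only Allow ACEs for our group, matched by SID so a renamed group still matches
    $aces = (Get-Acl -Path "AD:\$($tpl.DistinguishedName)").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid
    }
    $read   = [bool]($aces | Where-Object { ($_.ActiveDirectoryRights -band $adRights::ReadProperty) -ne 0 })
    $enroll = [bool]($aces | Where-Object {
        ($_.ActiveDirectoryRights -band $adRights::ExtendedRight) -ne 0 -and $_.ObjectType -eq $enrollRight })
    [pscustomobject]@{
        Template   = $DisplayName
        Found      = $true
        Read       = $read
        Enroll     = $enroll
        IssuedByCA = [bool]($issuedByCA -contains $tpl.Name)
    }
}

$templateNames | ForEach-Object { Test-TemplatePermissions -DisplayName $_ } | Format-Table -AutoSize
```

Every row should read Found, Read, Enroll and IssuedByCA all True before you move on to Lab Module 2; a template that is readable but not enrollable is the typical cause of the OOB service point failing at the "requests a web server certificate on behalf of the Intel AMT client" step of provisioning.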
Issue RADIUS Client Certificate Template
 In the Certification Authority window, right-click on Certificate Templates > New > Certificate Template to Issue
 In the Enable Certificate Templates window, select ConfigMgr AMT 802.1X Client Authentication Certificate (the template created in the previous step)
 Click OK
47
RADIUS Client Certificate Template issued in CA for use by ConfigMgr 2007 SP2
 In the Certification Authority window > Certificate Templates, you will now see ConfigMgr AMT 802.1X Client Authentication Certificate listed in the right-hand window and ready for use by the Out of Band Service Point
Note: This Certificate Template will be used by ConfigMgr 2007 SP2 to generate a unique certificate for each Intel® AMT system, stored in the firmware during the provisioning process, which allows vPro systems to authenticate to an 802.1x network while the OS is in a sleep/off state.
48
Configure Root CA to Allow Revocation of Client Management Controller Certificates
 In the Certification Authority window, right-click on DC1.vprodemo.com and select Properties
 In the DC1.vprodemo.com Properties window, select the Security tab
 Click Add
49
Configure Root CA to Allow Revocation of Client Management Controller Certificates
 Add the ConfigMgr Primary Site Servers group
 Click OK
 Select the ConfigMgr Primary Site Servers group
 Check the Allow Issue and Manage Certificates and Request Certificates permissions for this group
 Click OK
Note: This setting is required when you are performing actions like an unprovision of the Management Controller. This will keep your PKI-issued certificates cleaned up (revoked).
50
Lab 1 Exercise Review
Active Directory Changes
• Created Active Directory Security Group for ConfigMgr 2007 SP2 Primary Site Servers
• Added ConfigMgr 2007 SP2 Server as a member of the Security Group
• Created Active Directory OU for Client Management Controller Objects
• Added ConfigMgr Primary Site Servers Security group to the Management Controller OU
• Gave Full Control for ConfigMgr Primary Site Servers Security group to the Management Controllers OU
Enterprise PKI Changes
• Configured PKI Web Server Certificate Template
• Applied Security Permission to Web Server Certificate Template
• Issued Web Server Certificate Template for use by ConfigMgr 2007 SP2
• Created RADIUS Client Template and issued it for RADIUS certificates
• Configured Root CA to Allow Revocation of Client Management Controller Certificates
51
Lab Module 2
Install and Configure
Configuration Manager 2007 SP2
Out of Band Service Point
to support Intel® vPro™ Systems
52
Launch the Microsoft Virtual PC ConfigMgr Image
 Double-click the shortcut SCCM SP2 on the host OS to start the SCCM SP2 VM image (leaving the Infrastructure image running in parallel)
Note:
• To Maximize/Minimize the Virtual Image window: CTRL + ALT + ENTER
• As needed, use CTRL + ALT + Insert to login
• Login Information
  • Domain Admin: ITproadmin
  • Password: P@ssw0rd
  • Domain: VPRODEMO
53
ConfigMgr 2007 SP2 Out-of-Band Management Service Point
• OOB Management: Out of band management allows an administrator to connect to a computer's management controller (a.k.a. Management Engine) when the computer is turned off, in sleep or hibernate modes, or otherwise unresponsive through the operating system. (http://technet.microsoft.com/en-us/library/cc161963.aspx)
• OOB Service Point – ConfigMgr 2007 SP2 Service component (role) responsible for provisioning and managing Management Controllers (aka Intel® AMT).
  – Installing: http://technet.microsoft.com/en-us/library/cc161863.aspx
54
ConfigMgr 2007 SP2 Prerequisites
http://technet.microsoft.com/en-us/library/cc161785.aspx
• Prior to the ConfigMgr 2007 SP2 install, ensure ALL prerequisites are met (see the link above for the complete list)
  – Telnet is installed on computers running the OOB management console with Vista and Windows 2008 (used for SoL)
  – IE / Kerberos authentication on non-standard port HotFix (KB908209) – the hotfix is for IE6 but the registry key applies to all IE versions
  – http://support.microsoft.com/kb/908209
• If ConfigMgr 2007 SP2 is not installed, install it prior to ConfigMgr 2007 SP2 setup and config
  – Refer to Microsoft's Install and Configuration documentation
  – http://technet.microsoft.com/en-us/library/bb735860
• Download and Install ConfigMgr 2007 SP2:
  – http://www.microsoft.com/downloads/details.aspx?familyid=BAD49573-6AD7-4521-A898-2EF99BC868C4&displaylang=en
• Create a ConfigMgr 2007 SP2 Site Boundary
  – http://technet.microsoft.com/en-us/library/bb693530.aspx
55
Install Out of Band Service Point
 Open the ConfigMgr Console (shortcut located on the desktop of the SCCM image)
 Navigate to System Center Configuration Manager > Site Database > Site Management > PRO – vPro Demo Primary Site > Site Settings > Site Systems
 Right-click \\MSSCCM and click New Roles to launch the New Site Roles Wizard
http://technet.microsoft.com/en-us/library/cc161863.aspx
56
Install Out of Band Service Point
 On the General page, click Next (default settings)
57
Install Out of Band Service Point
 On the System Role Selection page, check Out of band service point, and click Next
58
Install Out of Band Service Point
 On the Out of Band Service Point page, click Next
 Click Next again on the Summary page
59
Install Out of Band Service Point
 Once the Wizard completes, click Close
You have now added the required Service Role to support Intel® vPro™ Systems through ConfigMgr 2007 SP2.
60
Install Out of Band Service Point
 You will now see ConfigMgr out of band service point listed under the \\MSSCCM Roles
Note: After installing the ConfigMgr 2007 SP2 Out of Band Service Point, the log file C:\Program Files\Microsoft Configuration Manager\Logs\AMTSPSetup.Log can be reviewed to inspect the success or failure of the installation.
61
Configure Out of Band Component - General
 In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Site Management > PRO – vPro Demo Primary Site > Site Settings > Component Configuration
 Right-click Out of band management component, and click Properties
62
Configure Out of Band Component - General
 In the Out of Band Management Properties window on the General tab, under the Provisioning Settings, click Browse to select the Active Directory container to store each Intel® AMT object
Note: These fields may already be populated with the correct information from past lab exercises – use this screen as a reference if that is the case.
 Select Out of Band Management Controllers from the vProDemo Domain
Note: This is the OU created in Exercise 1
 Click OK
http://technet.microsoft.com/en-us/library/cc161833.aspx
63
Configure Out of Band
Component - General
 Click Set and provide the Intel® MEBX
admin password (please us P@ssw0rd
for this exercise) to be set during
provisioning
Note 1
 Click OK
Note 1: This Intel MEBX password setting
is used for ConfigMgr 2007 SP2 to change
the local password on the Management
Controller during the provisioning process.
By default, the factory setting for the
password is admin.
If this local password was manually
changed on the Intel MEBX or from a
previous provisioning process, this setting
will be ignored. The local Intel MEBX
password can only be changed remotely if
the password is set to factory default
(admin).
http://technet.microsoft.com/en-us/library/cc431452.aspx
64
Configure Out of Band
Component - General
 Check the box to Allow out of band
provisioning (Note 1)
Note 1: Out of Band provisioning provides
alternative methods to provision devices
without an OS or SCCM Client. The
preferred method is to use in-band SCCM
agent-based provisioning, shown in later
modules.
The Intel® AMT provisioning port can be
modified if necessary, but this requires
modification (physical touch) on each
Management Controller (leave the default,
9971).
 Click Yes in the Security Warning to
Allow for Out of Band Provisioning.
Note: OOB Provisioning is not required if
you are going to leverage inband SCCM
Agent based provisioning (preferred
method). This option is for scenarios like
bare metal provisioning when no host OS
or SCCM client agent is available.
http://technet.microsoft.com/en-us/library/dd796347.aspx
65
Configure Out of Band
Component - General
 Check the box to Register
ProvisionServer as an alias in DNS
Note: This creates an Alias in your DNS
environment to allow provisioning hello
packets from AMT to get routed to the
ConfigMgr 2007 SP2 server used in PSK /
Bare Metal Provisioning and SCS ->
ConfigMgr 2007 SP2 migration. This would
not apply or be necessary for in-band
ConfigMgr 2007 SP2 Agent initiated
Provisioning.
66
Configure Out of Band
Component - General
 Under the Certificates section, Click
Browse and select the Intel(R) Client
Setup Cert – GoDaddy
vProDemo.com and vProDemo.us
UCC Backup.pfx (located in
z:\GoDaddy_vProDemo)
 Click Open
Note: This is the Remote Configuration
Certificate (previously purchased from
GoDaddy* which could also be purchased
from VeriSign*, Comodo, or Starfield) and
used for Remote Provisioning. The Root
hash that issued this certificate can be
found pre-configured in the Management
Controller’s firmware that ships from the
OEM.
 Enter the password for this certificate
(Pr0t3ct!0n) and click OK
Note: Zeros are used in the
above password
Note: If the password is incorrect, you will
receive an Invalid Password message. If
the certificate is not a valid Remote
Configuration Certificate, you will receive
an Invalid Certificate message.
67
Configure Out of Band
Component - General
 Click Select for the AMT Certificate
Template
 Select
 Issuing CA: DC1.vprodemo.com
 CA name: DC1.vprodemo.com
 AMT certificate template:
ConfigMgr AMT Web Server
Certificate
Note: This is the Certificate Template
created in Exercise 1 on the Infrastructure
Domain image.
 Click OK
 Click Apply
68
Configure Out of Band
Component – Intel® AMT
Settings
 On the AMT Settings tab, click the
icon to add AMT User Accounts
 In the AMT User Account Setting
window, click Browse and add the
VPRODEMO\AMTAdmins account,
click OK
Note: These fields may
already be populated with
the correct information
from past lab exercises –
use this screen as a
reference if that is the
case.
 Check the Platform Administration
box which will automatically select all
options by default
 Click OK
 Click Apply
Note: This account is granted rights on the
management controller for the selected
Intel® AMT capabilities.
http://technet.microsoft.com/en-us/library/cc161918.aspx
http://technet.microsoft.com/en-us/library/cc161891.aspx
69
Configure Out of Band
Component – Intel® AMT
Settings
 In the Default IDE-redirect image text box,
enter \\DC1\IDER\rds_rw.iso
 In the drop down menu for Manageability is on in
the following power states: select Always on
(S0-S5)
Note: This setting will ensure the Management
Controller is on regardless of the state of the
Operating System (on, sleep, hibernate, off)
 Check the boxes:
 Enable Web interface
 Enable serial over LAN and IDE-redirect
 Allow ping responses
 Enable BIOS password bypass for power
on and restart commands
 Enable Support for Intel WS-MAN
Translator (covered in Legacy Provisioning
Class)
 Default setting for Kerberos clock tolerance (5)
 Click Apply
70
Configure Out of Band
Component –
Provisioning Settings
 On the Provisioning Settings Tab,
click the icon to add a Digest User and
Password for Provisioning
 Enter:
 Name: admin
 Password: P@ssw0rd
 Confirm Password: P@ssw0rd
 Description: Digest Account
 Click OK
 Click APPLY
Note: This digest account will be used for
provisioning if the default remote admin
password has been modified.
Determine if this account is necessary for
your environment.
http://technet.microsoft.com/en-us/library/cc431451.aspx
http://technet.microsoft.com/en-us/library/cc161815.aspx
71
Configure Out of Band
Component – Audit
Settings
 On the Audit Settings Tab, check All
of the AMT features to enable auditing
 Click APPLY
Note: To unprovision a system from the
MEBx you have to disable audit log first.
Select the audit settings that are
applicable to your production environment.
http://technet.microsoft.com/en-us/library/ee344520.aspx
72
Configure Out of Band
Component –
Provisioning Schedule
Settings
 On the Provisioning Schedule Tab,
change the Simple Schedule to 1
hour
 Click OK
Note: By default, Intel AMT systems will
attempt to initiate in-band provisioning
every 24 hours. This default option is
modified by these settings so the
provisioning will occur on a more frequent
basis.
Another option is to use the Custom
Schedule, which lets you configure a start
date and time with a recurrence pattern.
http://technet.microsoft.com/en-us/library/ee344296.aspx
73
Lab Module 2.1
Advanced Out of Band
Configuration
The following 2.1 module is an advanced topic on 802.1x
and Wireless Profiles
74
802.1x and Wireless Profiles
Requirements: http://technet.microsoft.com/en-us/library/ee344543.aspx
• This section is for advanced vPro users that are
familiar with 802.1x networking and RADIUS server
for authentication
– Wireless AP = Linksys Dual-Band Wireless N Gigabit router
that supports 802.1x
– There are many options available for wireless and 802.1x
profiles and this training will only cover one set (refer to
Microsoft TechNet for complete list of supported protocols)
– The RADIUS Server (Microsoft NPS – Windows 2008
Server) has been Pre-Configured for training
How to: http://technet.microsoft.com/en-us/library/ee344378.aspx
75
Configure Out of Band
Component – 802.1x
Settings
 In the Configuration Manager
console, navigate to System Center
Configuration Manager > Site
Database > Site Management >
PRO – vPro Demo Primary Site>
Site Settings > Component
Configuration
 Right-click Out of band management
component, and click Properties
 On the 802.1x and Wireless Settings
Tab, check the box for Enable 802.1x
authentication for wired network
and click Set
Note: This setting will provision the vPro
system with the proper 802.1x credentials so
that the device can authenticate to a
protected 802.1x network. The RADIUS
server is pre-configured for this lab, and the
steps to set up this RADIUS server are out of
scope for this training module.
http://technet.microsoft.com/en-us/library/ee344664.aspx
76
Configure Out of Band
Component – 802.1x
Settings
 In the 802.1x Wired Network Access
Control window, click the Select
button
 In the Trusted Root Certificate for
Radius authentication window, select
the radio button for From certificate
authority (CA): and select
DC1.vprodemo.com from the drop
down menu
 Click OK
Note: This certificate is the root certificate
from the Enterprise CA on the
infrastructure image to communicate with
the Radius server. The Radius server is
pre-configured on the infrastructure server
for training purposes.
http://technet.microsoft.com/en-us/library/ee344378.aspx
77
Configure Out of Band
Component – 802.1x
Settings
 In the 802.1x Wired Network Access
Control window, select EAP-TLS from
the drop-down menu for Client
Authentication Method
 Click the Select button to select a
Client Authentication Client Certificate
template
 In the RADIUS Client Certificate
Configuration window, select the
following:
 Issuing CA: DC1.vprodemo.com
 CA name: DC1.vprodemo.com
 RADIUS client Certificate
template: ConfigMgr AMT
802.1X Client Authentication
Certificate
 Click OK twice to complete 802.1x
configurations
Note: This template will be used by the
Site Server during the provisioning process
to generate an 802.1x Radius Certificate
for each AMT device.
78
Configure Out of Band
Component – Wireless
Settings
 On the 802.1x and Wireless Settings Tab,
click the
icon to create a wireless profile
 In the Wireless Profile Window, enter the
following information:
 Profile Name: ProDemoAP
 Network name (SSID): ProDemoAP
 Security Type: WPA2-Enterprise
 Encryption method: AES
http://technet.microsoft.com/en-us/library/ee344683.aspx
79
Configure Out of Band
Component – Wireless
Settings
 In the 802.1x authentication section, click the
Select button under Server authentication
 In the Trusted Root Certificate for Radius
Authentication window, select the radio button
for From certificate authority (CA): and select
DC1.vprodemo.com from the drop down menu
 Click OK
 In the 802.1x authentication section, click the
Select button under Client authentication
 In the RADIUS Client Certificate Configuration
window, select the following:
 Issuing CA: DC1.vprodemo.com
 CA name: DC1.vprodemo.com
 RADIUS client Certificate template:
ConfigMgr AMT 802.1X Client
Authentication Certificate
 Click OK twice to complete wireless configurations
80
Configure Out of Band
Component – Wireless
Settings
 In the Security Group for RADIUS
authentication section, select the radio button for
Automatically add AMT-based computers to
security group
 Click the Browse button to choose a Security
group for RADIUS Server
 In the Select Group window, add AMT RADIUS
Clients
 Click OK twice
Note: This completes the configuration for the 802.1x
and Wireless profile settings.
81
Configure New Site
Boundary
 In the Configuration Manager
console, navigate to System Center
Configuration Manager > Site
Database > Site Management > PRO
– vPro Demo Primary Site > Site
Settings
 Right click on Boundaries and select
New Boundary
Enter the following fields
 Description = Net Boundary
 Site Code = PRO - vPro Demo
Primary Site
 Type = IP address range
 Starting Address = 192.168.0.10
 Ending Address = 192.168.0.199
 Network Connection = Fast
 Click OK
Note: This will allow the SCCM agent to
discover the ConfigMgr Site Server.
Congratulations! You have configured
ConfigMgr 2007 SP2 for Intel® vPro™
Clients
82
Lab 2 Exercise Review
• Installed OOB Service Component and configured Properties
• Used to Configure General OOB Properties and Intel® AMT Client Profile
• http://technet.microsoft.com/en-us/library/cc161960.aspx
• Configured General Tab
• Provisioning Settings - Active Directory container
• Stores Intel AMT Objects
• Select AD Container previously created: Out of Band Management Controllers
• Provisioning Settings – Intel® MEBx Account
• Sets the Intel MEBx password (if not already set) and the remote admin
account password during Provisioning
• Register ProvisionServer as an alias in DNS (used for PKI/PSK (Bare Metal) hello
packet routing to OOB Service Point)
• Certificate – Provisioning Certificate
• PKI / Remote Configuration Certificate
• Configure with certificate exported during Enterprise CA & Provision Certificate
configuration
• Certificate – Certificate Template
• Configure with template created during Enterprise CA & Provision Certificate
configuration: ConfigMgr AMT Web Server Certificate and RADIUS Certificate
http://technet.microsoft.com/en-us/library/cc161833.aspx
83
Lab 2 Exercise Review
• Configured Intel® AMT Settings Tab
• Intel AMT User Accounts
• Allows you to define Kerberos user who can invoke Intel AMT features
• Define which accounts have which Intel AMT realm permissions
• Default IDE-redirect image
• Default location of image files
• Manageability Power States
• Sets power state for when you want to manage the AMT-based computer out of
band (S0 – S5)
• Enable Web interface
• Enables / Disables Intel AMT web interface for provisioned Intel AMT clients
• Enable Serial Over LAN and IDE redirection
• Enables / Disables SOL and IDER for provisioned Intel AMT clients
• Allow ping responses
• Enables / Disables ping responses for provisioned Intel AMT clients
• Enable support for Intel® WS-MAN translator
• Enables support within ConfigMgr 2007 SP2 to forward Provisioning and
Intel AMT operation command to the Intel WS-MAN Translator for firmware less
than 3.2.1
• http://technet.microsoft.com/en-us/library/cc161891.aspx
84
Lab 2 Exercise Review
• Configured Provisioning Settings Tab
• Add Provisioning and Discovery Accounts
• Allows you to define additional Digest accounts that can be used to provision
and discover AMT systems if the standard default account has been modified
• http://technet.microsoft.com/en-us/library/cc161815.aspx
• Configured 802.1X and Wireless Tab
• Created wired and wireless profiles to be added to AMT during the provisioning
process to allow AMT to authenticate to an 802.1x protected network
• Automatically added AMT devices to a security group for RADIUS authentication
• http://technet.microsoft.com/en-us/library/ee344664.aspx
• Configured Audit Settings Tab
• Enabled the features to be audited by AMT
• http://technet.microsoft.com/en-us/library/ee344520.aspx
• Configured Provisioning Schedule Tab
• Specified a specific schedule for AMT systems to initiate provisioning
• http://technet.microsoft.com/en-us/library/ee344296.aspx
• Configured Site Boundary for Agent discovery
• http://technet.microsoft.com/en-us/library/bb693530.aspx
85
Lab Module 3
Configuration Manager 2007 SP2
Collections and In-Band
Provisioning
86
ConfigMgr 2007 SP2 Agent Installation and
InBand Provisioning
• In this exercise, you will
– Install the ConfigMgr 2007 SP2 Client Agent on an
Intel® vPro™ system (e.g. Intel vPro Laptop/Desktop)
– Create an Unprovisioned vPro Client Collection to place
discovered Unprovisioned systems and enable the autoprovisioning policy on this collection
– Initiate an InBand remote configuration provisioning of an
Intel vPro system with native ConfigMgr 2007 SP2 support
– NOTE: Bare Metal / Out-of-Band provisioning (no OS or
SCCM Client) is supported but not covered in this training.
For information on this process see: SCCM Out of Band
Provisioning (Bare Metal Provisioning)
87
Agent Based Provisioning Process
1. Based on policy, the Configuration Manager Agent assesses whether the client can be provisioned. If it can, it
creates a One Time Password (OTP) and sends the OTP to both the OOB Service Point and the Intel® AMT firmware
2. The OOB Service Point secures the connection with the Intel AMT client using the embedded AMT self-signed certificate and
presents the Provisioning Certificate along with the OTP for initial authentication
3. The OOB Service Point sets the Remote Admin and Intel® MEBX passwords (if not already changed)
4. The OOB Service Point requests a web server certificate on behalf of the Intel AMT client
5. The OOB Service Point creates an object in AD for the Intel® vPro™ client
6. The OOB Service Point pushes the web server certificate to the Intel AMT client
7. The OOB Service Point pushes the ACL, power schema, and other configuration data to Intel AMT to finalize provisioning
http://technet.microsoft.com/en-us/library/cc431371.aspx
88
Install ConfigMgr 2007
SP2 Client Agent on
local system
 Login to the Intel® vPro™ Laptop
 User: ITproadmin
 Password: P@ssw0rd
 Domain: VPRODEMO
 Once logged into the Intel® vPro™
client, map a drive to \\mssccm\c$
 Go to Program Files\Microsoft
Configuration Manager\Client
 In the Client folder, double click
ccmsetup.exe
Note: This will install the SCCM SP2
client from your SCCM Site server. This
Intel vPro system must be joined to
the infrastructure domain prior to
the client setup.
http://technet.microsoft.com/en-us/library/bb693546.aspx
89
Monitor ConfigMgr 2007
SP2 Client Agent Install
 Track the setup by monitoring the Process
ccmsetup.exe in Task Manager
 Installation is complete once the
CcmExec.exe process is running in Task
Manager
 You can track the agent installation on the
client in
c:\windows\system32\ccmsetup\ccmsetup.log
(for Vista 64-bit the file is located in
c:\windows\SysWOW64\CCM)
Note: Once the installation is complete, you
will see CcmExec Service running in Task
Manager.
A reboot of the vPro system will help speed
up the SCCM agent to check in with the Site
Server.
90
SCCM Agent discovered
in ConfigMgr
 In the Configuration Manager console,
navigate to System Center
Configuration Manager > Site
Database > Computer Management >
Collections
 Right click on All Systems and select
Update Collection Membership
 After a few moments, right click All
Systems and select Refresh
Note: You will see the client system on which
you installed the SCCM Client listed in All
Systems. You will also see Yes in the Client
column and it will be listed as Approved. This
integration into ConfigMgr happens after the
SCCM Client has been installed and checked
in with the site server. This may take several
minutes.
Do not proceed until this client shows up
in SCCM.
91
Configuration Manager 2007 SP2
Collection Configuration for
Automatic Provisioning of
Management Controllers
92
Collection Configuration
• In this exercise, you will
– Create an Intel® AMT Collection to group Intel AMT
systems that are AMT Capable and unprovisioned
– Configure an Intel AMT Collection to automatically provision
Out of Band Management Controllers
93
Agent Based Provisioning Configuration Overview
• To provision via the ConfigMgr 2007 SP2 Client Agent, you must configure
ConfigMgr 2007 SP2 to allow agent integration
• Requirements for Agent
• Prerequisites for Configuration Manager Client Deployment
• http://technet.microsoft.com/en-us/library/bb680537.aspx
• Configure Collection for Automatic Provisioning
• Recommend Collection Created for “Unprovisioned vPro Clients”
• Create Collection Membership Rules based on Intel® AMT Hardware
Inventory
• http://technet.microsoft.com/en-us/library/cc431387.aspx
• Ensure “Enable Automatic out of band management controller provisioning”
checked in Collection Name Settings: Out of Band Tab for Collection
• http://technet.microsoft.com/en-us/library/cc161955.aspx
• Install ConfigMgr 2007 SP2 client on Intel AMT Client
• http://technet.microsoft.com/en-us/library/bb632762.aspx
94
Create Intel® AMT
Unprovisioned
Collection
 In the Configuration Manager
console, navigate to System Center
Configuration Manager > Site
Database > Computer Management
> Collections
 Right click on Collections and select
New Collection
 In the New Collection Wizard, enter
the name Unprovisioned vPro Clients
and add optional Comments as
required
 Click Next
http://technet.microsoft.com/en-us/library/cc161961.aspx
95
Modify Membership
Rules for the
Unprovisioned
Collection
 In the Membership Rules window,
click the Query Rule Properties (it is
the Database icon)
96
Edit Query Statement in
the Membership Rules
 In the Query Rule Properties window,
enter the name Unprovisioned vPro
Clients
 Click Edit Query Statement...
 In the Unprovisioned vPro Clients
Query Statement Properties window,
click Show Query Language
97
Add AMTStatus check to
Query Statement
 In the Query Statement textbox, type:
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_AMT_AGENT on SMS_G_System_AMT_AGENT.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_AMT_AGENT.AMT >= "0"
and (SMS_R_System.AMTStatus != "3" or SMS_R_System.AMTStatus is NULL)
Note: This query statement can be found in a text file,
w:\SCCM New Hardware Inventory Query.txt.
It will pull into this collection all clients that are discovered as
Intel® vPro™ capable and not provisioned.
Note: Additionally, you can set up a collection for
Provisioned Clients; in the Query Statement textbox, use:
Select * from SMS_R_System where AMTStatus=3
This will show ALL vPro systems that have been provisioned.
 Click OK and OK again on the Query Rule Properties Window
 In the Membership Rules window, click Next
98
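Before depending on this rule for auto-provisioning, it is worth evaluating the same logic directly against the SMS Provider and comparing the result with what the collection currently holds. The following PowerShell is an added example, not part of the training deck; it assumes the lab's site server MSSCCM and site code PRO, that the caller can read the SMS Provider namespace, and that SMS_R_System.AMTVersion is the property behind the console's AMT Version column.

```powershell
# Added example (not from the training deck): verify the "Unprovisioned vPro
# Clients" rule by evaluating it against the SMS Provider and comparing with
# the collection's current membership.
# Assumptions: site server MSSCCM and site code PRO (lab values); the caller
# has read access to the SMS Provider; AMTStatus 3 = provisioned (as the lab
# states); AMTVersion is assumed to be the console's "AMT Version" column.
param(
    [string]$SiteServer     = 'MSSCCM',
    [string]$SiteCode       = 'PRO',
    [string]$CollectionName = 'Unprovisioned vPro Clients'
)

$ns = "root\SMS\site_$SiteCode"

function Invoke-SmsQuery([string]$Wql) {
    # Get-WmiObject is available on 2007-era console machines; the SMS Provider
    # namespace accepts the WQL that the collection query editor shows.
    Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Query $Wql
}

# 1. A resource with an AMT_AGENT hardware-inventory row is "AMT capable";
#    this is what the rule's inner join expresses.
$amtCapableIds = @(Invoke-SmsQuery 'select ResourceID from SMS_G_System_AMT_AGENT where AMT >= 0' |
    ForEach-Object { [int]$_.ResourceID } | Sort-Object -Unique)

# 2. Classify those resources exactly as the rule does:
#    AMTStatus 3 = provisioned; anything else (including NULL) = unprovisioned.
$expectedUnprovisioned = @()
$provisioned           = @()
foreach ($sys in Invoke-SmsQuery 'select ResourceID, Name, AMTStatus, AMTVersion from SMS_R_System') {
    if ($amtCapableIds -notcontains [int]$sys.ResourceID) { continue }
    if ($sys.AMTStatus -eq 3) { $provisioned += $sys } else { $expectedUnprovisioned += $sys }
}

# 3. Look up what the collection actually contains right now.
$coll = @(Invoke-SmsQuery "select CollectionID from SMS_Collection where Name = '$CollectionName'")
if ($coll.Count -eq 0) { throw "Collection '$CollectionName' not found in $ns on $SiteServer" }
$collectionId = $coll[0].CollectionID
$actualIds = @(Invoke-SmsQuery "select ResourceID from SMS_FullCollectionMembership where CollectionID = '$collectionId'" |
    ForEach-Object { [int]$_.ResourceID })

# 4. Compare. A resource that is expected but missing usually just needs
#    Update Collection Membership; a member that is already provisioned
#    (AMTStatus 3) means the membership has not been refreshed yet.
$expectedIds = @($expectedUnprovisioned | ForEach-Object { [int]$_.ResourceID })
$missing = @($expectedIds | Where-Object { $actualIds   -notcontains $_ })
$stale   = @($actualIds   | Where-Object { $expectedIds -notcontains $_ })

"AMT-capable resources : $($amtCapableIds.Count)"
"  provisioned (3)     : $($provisioned.Count)"
"  unprovisioned       : $($expectedUnprovisioned.Count)"
"Collection members    : $($actualIds.Count)"
if ($missing.Count -gt 0) { "Not yet in collection (run Update Collection Membership): $($missing -join ', ')" }
if ($stale.Count   -gt 0) { "In collection but no longer unprovisioned: $($stale -join ', ')" }

$expectedUnprovisioned | Select-Object ResourceID, Name, AMTStatus, AMTVersion | Format-Table -AutoSize
```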
Create Intel® AMT
Unprovisioned
Collection
 In the Advertisements window, click
Next
99
Create Intel® AMT
Unprovisioned
Collection
 In the Security window, add any
appropriate users or groups and click
Next (keep defaults for this exercise)
 In the Confirmation window, click
Close
Note: Optional step - Repeat foils to
create a collection for Provisioned vPro
Clients. See note on foil 98 for Select *
from SMS_R_System where
AMTStatus=3
100
Enable Automatic OOB
provisioning for the
Unprovisioned Collection
 In the Configuration Manager
console, navigate to System Center
Configuration Manager > Site
Database > Computer Management
> Collections > Unprovisioned vPro
Clients
 Right click on Unprovisioned vPro
Clients and select Modify Collection
Settings
 In the Unprovisioned vPro Clients
Settings window, click the Out of
Band tab
 Check the checkbox Enable Automatic
out of band management controller
provisioning and click OK
Note: This setting enables ConfigMgr 2007
SP2 Clients to automatically provision
Intel® AMT with ConfigMgr 2007 SP2.
http://technet.microsoft.com/en-us/library/cc161955.aspx
101
Add Intel® AMT Display
Columns to the
collection
 In the Configuration Manager
console, navigate to System Center
Configuration Manager > Site
Database > Computer Management
> Collections > Unprovisioned vPro
Clients
 Click the Unprovisioned vPro Clients
collection, right click in the right hand
window, and select View >
Add/Remove Columns
 In the Add/Remove Columns window,
add AMT Status and AMT Version to
the Displayed columns and move
these fields below the Name field for
easy viewing
 Click OK
Note: Perform these same steps for the
All Systems collection. This will allow
you to see Intel AMT related information in
the collection.
102
Configure Site Parameters to
Use Secure Remote Power
Control
To allow ConfigMgr 2007 SP2 to use
AMT Power On commands with
advertisements, Wake On LAN for the
site needs to be Enabled
 In the Configuration Manager
console, navigate to System
Center Configuration Manager >
Site Database > Site
Management > PRO – vPro Demo
Primary Site
 Right click on PRO – vPro Demo
Primary Site server and select
Properties
Note: This will allow
ConfigMgr 2007 SP2 to
wake-up Intel® AMT
enabled systems with
secure and
authenticated wake-up
methods in Intel AMT for
scheduled activities.
 Select the Wake on LAN tab
 Check the Enable Wake on LAN
for this site
 Select Use power on commands
only
 Click OK
http://technet.microsoft.com/en-us/library/bb694191.aspx
103
Initiate Action on the
ConfigMgr 2007 SP2
Client Agent
 On the Intel® vPro™ System, open the
Control Panel
 After the Agent installation is complete,
you will see a Configuration Manager
Icon under System and Security
Note: It may be helpful to reboot the client at this
time
 Double Click the Configuration
Manager Icon
 Select the Actions Tab
Note: On Vista 64bit OS, you will find the
Configuration Manager Icon under View
32-bit Control Panel Items Icon In the
Control Panel
104
Initiate Action on the
ConfigMgr 2007 SP2
Client Agent
 Click on Machine Policy Retrieval & Evaluation
Cycle and click Initiate Action button
 Click OK in the window indicating the action has been
initiated
Note: This process will speed up the provisioning cycle
rather than waiting for the schedule event to occur as
you would do in a production environment. You may
need to initiate the Machine Policy action more than once
to start the provisioning process immediately.
Note: You can track the progress by monitoring the logs
directory c:\windows\system32\CCM\Logs
(on a Vista 64-bit OS, the logs folder is located under
c:\windows\SysWOW64\CCM\Logs).
OOBMGMT.log tracks the progress of the auto
provisioning of AMT. You should see a log entry stating
“Successfully activated the device.” This indicates the
SCCM agent has initiated the provisioning process.
PolicyAgent.log tracks all of the policies pulled down
by the agent from the ConfigMgr 2007 SP2 server.
Refer to the SendSched Utility in the Appendix to
launch the provisioning immediately.
105
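The OOBMGMT.log check above can be scripted rather than read by eye, which also surfaces warning and error entries that a quick search for the success string would miss. The following PowerShell is an added example, not part of the training deck; it assumes the 32-bit log path from the lab and uses constructed sample lines (in the ConfigMgr client log format) when the real log is not present.

```powershell
# Added example (not from the training deck): parse OOBMGMT.log, which uses
# the ConfigMgr client log format <![LOG[message]LOG]!><time=... date=...
# component=... type=...>, and report whether the agent reached
# "Successfully activated the device." and whether errors were logged.
# Assumption: the default log path is the 32-bit path from the lab. The
# sample lines are constructed for illustration, not copied from a client.
param(
    [string]$LogPath = 'C:\Windows\System32\CCM\Logs\OOBMGMT.log'
)

# Constructed sample log, used only when the real file is not found.
$sampleLog = @'
<![LOG[Checking whether the device can be provisioned]LOG]!><time="10:15:01.001+300" date="03-16-2010" component="OOBMGMT" context="" type="1" thread="2344" file="oobmgmt.cpp:100">
<![LOG[Could not read AMT status, retrying]LOG]!><time="10:15:01.502+300" date="03-16-2010" component="OOBMGMT" context="" type="2" thread="2344" file="oobmgmt.cpp:130">
<![LOG[Successfully activated the device.]LOG]!><time="10:15:03.120+300" date="03-16-2010" component="OOBMGMT" context="" type="1" thread="2344" file="oobmgmt.cpp:210">
'@

# One entry per line: message between <![LOG[ and ]LOG]!>, then quoted
# attributes. type: 1 = informational, 2 = warning, 3 = error.
$entryPattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"'

function ConvertFrom-CcmLog([string[]]$Lines) {
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $entryPattern)
        if (-not $m.Success) { continue }   # skip blank or wrapped continuation lines
        New-Object PSObject -Property @{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['comp'].Value
            Type      = [int]$m.Groups['type'].Value
            Message   = $m.Groups['msg'].Value
        }
    }
}

$lines   = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sampleLog -split "`r?`n" }
$entries = @(ConvertFrom-CcmLog $lines)

$activated    = @($entries | Where-Object { $_.Message -like 'Successfully activated the device*' })
$warnEntries  = @($entries | Where-Object { $_.Type -eq 2 })
$errorEntries = @($entries | Where-Object { $_.Type -eq 3 })

"Parsed $($entries.Count) entries ($(if (Test-Path $LogPath) { $LogPath } else { 'constructed sample' }))"
if ($activated.Count -gt 0) {
    "Provisioning initiated at $($activated[-1].Date) $($activated[-1].Time)"
} else {
    "No 'Successfully activated the device.' entry yet; re-run Machine Policy Retrieval or wait for the schedule"
}
if ($warnEntries.Count  -gt 0) { "Warnings:"; $warnEntries  | ForEach-Object { "  [$($_.Time)] $($_.Message)" } }
if ($errorEntries.Count -gt 0) { "Errors:";   $errorEntries | ForEach-Object { "  [$($_.Time)] $($_.Message)" } }
```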
Provision AMT via InBand ConfigMgr 2007
SP2 Client Agent
 After a few minutes, provisioning will
automatically complete and you can
update your collection membership
 Right Click Collections and select
Update Collection Membership
 Click Yes to confirm that you want to
proceed
 Right click on All Systems collection
and select Refresh
 The client will now appear in All
Systems Collection as Provisioned
and no longer be listed in the
Unprovisioned vPro Clients collection
Note: You can track the provisioning
progress under C:\Program Files\Microsoft
Configuration Manager\Logs\Amtopmgr.log
The length of this process depends on the time it
takes for the ConfigMgr 2007 SP2 Agent to
check in with the Server and pull down its
policies.
Congratulations! You have just
successfully completed InBand
provisioning in ConfigMgr 2007 SP2
and enabled Intel® vPro™ systems to
be manageable out of band by
ConfigMgr 2007 SP2 console.
106
Lab Module 3 Review
• Installed the SCCM Client Agent on the Intel vPro system
• Created Intel® AMT Unprovisioned Collection
• Modified Membership Rules for the Unprovisioned Collection
• Added AMT Hardware Inventory check to Query Statement
• Enabled Automatic OOB provisioning on the Collection
• Added Intel AMT Display Columns to the collections
• Configured Site Parameters to Use Secure Remote Power
Control (used in Real World Use Cases module)
• Initiated an InBand agent based provisioning
• Updated Collections to see Provisioned AMT System
107
Lab Module 4
Configuration Manager 2007 SP2
Out of Band Management Console
108
Using the Out Of Band
Management Console in
ConfigMgr 2007 SP2 to manage
Intel® vPro™ Systems
109
ConfigMgr 2007 SP2 OOB Mgt
Console
• The following screen captures show the ConfigMgr
2007 SP2 OOB console interfaces for each of the
OOB management capabilities.
http://technet.microsoft.com/en-us/library/cc161766.aspx
110
OOB Management
Console
 In the Configuration Manager
console, navigate to System Center
Configuration Manager > Site
Database > Computer Management
> Collections > All Systems
 Right click on a Provisioned System
 Select Out of Band Management >
Out of Band Management Console
Note: This will launch the OOB
Management console that allows you to
perform all of the OOB management
capabilities in ConfigMgr 2007 SP2.
You can also perform Power Control,
Update / Delete Data in the
Management Controller,
Enable/Disable/Clear Audit Log
without opening the OOB Management
Console.
Update = Reprovisioning
http://technet.microsoft.com/en-us/library/cc161875.aspx
111
OOB Management
Console – System Status
 Once the OOB Management Console
opens, you will see
 System: Connected/Busy
 Serial connection: Inactive
Note: SCCM SP2 no longer automatically
connects a serial connection. Instead, the
serial connection is left inactive until you
select Tools > Open Serial-over-LAN
Connection. You will see a warning
indicating that if this device is connected
wirelessly, the connection may be
disconnected during the SoL session.
 In this screen, you can view
 Power
 IP Address
 Host Name
 Domain Suffix
 System ID (UUID)
 Date of last refresh
 Time of last refresh
112
OOB Management
Console – System
Information
 In this screen, you can view all of the
System Hardware Inventory stored
in the Intel® ME firmware
113
OOB Management
Console – Power Control
 In this screen, you can perform all of
the OOB power function capabilities
 Power ON
 Power OFF
 Restart Computer
 IDER to ISO
 Boot to BIOS
• Bypass BIOS Password
• Lock remote keyboard
Take a few minutes to perform a few
power option features:
 Power on/off the Desktop
 Redirect BIOS to see system BIOS
in Serial Connection Window
 Perform IDER to a local ISO (this will
be covered in depth in our “real world”
Use Case section)
Note: Remember to start a Serial-over-LAN session before redirecting to an ISO or
BIOS so you can view/control the session
in the serial connection tab.
Note: When you select to power cycle a vPro
system, you will be warned that this action can
cause data loss on the system if the system has
open applications and unsaved data (this is not a
graceful shut down)
http://technet.microsoft.com/en-us/library/cc161974.aspx
114
OOB Management
Console – System Event
Log
 In this screen, you can
 View System Event log
 Set Log Level
115
OOB Management
Console – IDE-Redirect
Log
 In this screen, you can view the IDE-Redirect log
116
OOB Management
Console – System Audit
Log
 In this screen, you can view the
System Audit log and can Export this
information to a file
http://technet.microsoft.com/en-us/library/ee344294.aspx
117
OOB Management
Console – Serial
Connection
 In this screen, you can view and control
the Serial Connection of the remote
screen (e.g. Bios or DOS based ISO
image)
118
OOB Management
Console – Data Storage
 In this screen, you can enter
information into the 3rd Party Data
Store (3PDS) and save this
information for later viewing
 Type any random data in the window
and select save
Note: Intel has provided Powershell
scripts that can be used to push/pull data
down to this 3PDS from a central location
(e.g. Site Server). This would allow you
to push data remotely (e.g. asset tag and
location information) and access this data
through the OOB console. For more
information on these scripts:
Real World Use Case #4 Powershell
Scripts for 3PDS
http://technet.microsoft.com/en-us/library/ee373487.aspx
119
Use Internet Explorer*
to manage Intel® AMT
 On your ConfigMgr 2007 SP2 server, open
Internet Explorer
 Type https://<AMThostname>.vprodemo.com:16993
 If the system is successfully provisioned with a
TLS certificate, you will see the Intel AMT WebUI
interface.
 Click Log On
 In the login Window, use the Account set up in the
OOB Component
 User name: vprodemo\ITproadmin
 Password: P@ssw0rd
 If you successfully authenticate to Intel AMT, you
will see the WebUI to manage Intel AMT
 System Status
 Hardware Information
 Event Log
 Remote Control
 Power Policies
 Network Settings
 User Accounts
Note: Accessing the WebUI and successfully logging in
confirms both that your Kerberos authentication is
successful and that your TLS certificate is functioning
properly. This is a good test step to ensure the
system was successfully provisioned by SCCM.
http://technet.microsoft.com/en-us/library/cc161817.aspx
120
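The browser test above only tells you the page loaded; it does not show which certificate the device presented or who issued it. The following PowerShell is an added example, not part of the training deck: it opens a TLS session to the AMT port and checks the web server certificate against the lab's CA, assuming the issuer CN is the lab CA name DC1.vprodemo.com (an assumption from the CA name field) and that the host name you pass is the FQDN the certificate was issued for.

```powershell
# Added example (not from the training deck): confirm that a provisioned Intel
# AMT device presents a valid TLS web-server certificate on port 16993.
# Assumptions: expected issuer CN is the lab CA name DC1.vprodemo.com; the
# host name passed in is the AMT FQDN (<AMThostname>.vprodemo.com) and is
# resolvable from the ConfigMgr server.
function Test-AmtTlsEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 16993,                           # Intel AMT TLS port used by the WebUI
        [string]$ExpectedIssuerCN = 'DC1.vprodemo.com' # assumed lab CA common name
    )

    # Record the OS chain validation verdict, but return $true so that the
    # handshake completes and the certificate can be inspected either way.
    $script:chainStatus = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:chainStatus = $sslPolicyErrors
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # SNI/host name used for the name check
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Close() }
        $tcp.Close()
    }

    $props = @{
        Host          = $HostName
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        Thumbprint    = $cert.Thumbprint
        ChainStatus   = $script:chainStatus                       # 'None' when the OS trusts the chain
        IssuerMatches = ($cert.Issuer  -like "*CN=$ExpectedIssuerCN*")
        NameMatches   = ($cert.Subject -like "*CN=$HostName*")    # cert issued for this AMT FQDN
        NotExpired    = ($cert.NotAfter -gt (Get-Date))
    }
    # Healthy only when every individual check passed.
    $props.Healthy = $props.IssuerMatches -and $props.NameMatches -and $props.NotExpired -and
                     ("$($props.ChainStatus)" -eq 'None')
    New-Object PSObject -Property $props
}

# Usage (placeholder host name; replace with the lab client's AMT FQDN):
# Test-AmtTlsEndpoint -HostName 'AMTHOSTNAME.vprodemo.com' | Format-List
```

A result with Healthy = False but NotExpired = True and IssuerMatches = True usually points at a name mismatch or a missing root on the querying machine rather than a failed provisioning.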
Lab Module 4 Review
• The Out of Band Management Console is the ConfigMgr 2007
SP2 interface to perform Out of Band Management Features
– Power Up/Down
– Restart
– Boot to BIOS
– Redirect to an ISO
– Hardware Inventory
– System Information
• You can also perform Power Up/Down and Management
Controller reprovisioning/delete from within ConfigMgr 2007
SP2 directly
• Use the Web Interface in IE to manage Intel® AMT Systems
Lab Module 5
Real World Use Cases for Intel vPro
Systems with SCCM SP2
Real World Use Cases
• The following “Real World” Use Cases have been
developed to help customers with drop-in solutions
that will enable them to gain immediate value with
Intel® vPro™ and SCCM within a production
environment
– Wake On Advertisements
– Remote KVM
– Remote Drive Share
– PowerShell Scripts for 3PDS
http://communities.intel.com/docs/DOC-4080
Real World Use Case #1
Intel Wake-On Advertisement
Using Intel® AMT Power Options to
wake up a system with a SCCM
Advertisement
• When creating a software distribution in ConfigMgr 2007 SP2, you can leverage Intel AMT power options to wake up a system (e.g. for after-hours patching scenarios).
• Make sure your vPro client is powered off for the next exercise.
Create a Task Sequence
to be used in an
Advertisement
 In the Configuration Manager
console, navigate to System Center
Configuration Manager > Site
Database > Computer Management
> Operating System Deployment >
Task Sequences
 Right click on Task Sequences, select
New > Task Sequence
 In the New Task Sequence Wizard window, select Create a new custom task sequence
 Click Next
Create a Task Sequence
to be used in an
Advertisement
 In Task Sequence Information, Enter
in Task Sequence Name: Just
Shutdown and add appropriate
Comments
 Click Next
 Confirm information in the Summary
and click Next
 Once the Wizard completes, click Close
Edit Task Sequence to
be used in an
Advertisement
 In the Configuration Manager
console, navigate to System Center
Configuration Manager > Site
Database > Computer Management
> Operating System Deployment >
Task Sequences
 Right click on the Just Shutdown task sequence (created in the previous step) and select Edit
 In the Just Shutdown Task Sequence Editor, click Add > General > Run Command Line
 In the Name field, type Shut Down
 In the Command Line window, type shutdown -s -f
 Click OK
Create an Advertisement
to use Intel® AMT power
up and run Task
Sequence
 In the Configuration Manager
console, navigate to System Center
Configuration Manager > Site
Database > Computer
Management > Collections > All
Systems
 Right click on All Systems, select
Advertise Task Sequence
 In the New Advertisement Wizard,
enter Shut Down Client in the name
field
 In the Task Sequence Field, click
Browse
 In the Select Task Sequence
window, select Just Shutdown Task
Sequence
 In the Collections Field, Click
Browse and select All Systems
 Click OK
 Click Next
Create an Advertisement
to use Intel® AMT power
up and run Task
Sequence
 In the Schedule Screen, Enter an
Advertisement start time (leave
default)
 Under Mandatory Assignments, Click
the New button
 In the Assignment Schedule window,
select Assign Immediately after this
event and select as soon as possible
in the drop down list
 Click OK
 Check the Enable Wake On LAN box
Note: This check box lets ConfigMgr 2007 SP2 use the Intel AMT secure power-on feature to wake up the system per the settings defined in a previous step (Site Power Controls)
 Select Priority: High
 Click Next
Create an Advertisement
to use Intel® AMT power
up and run Task
Sequence
 On the Distribution Screen, leave the
defaults and click Next
 On the Interaction Screen, leave the
defaults and click Next
 On the Security Screen, leave the
defaults and click Next
 On the Summary screen, click Next
 On the Wizard Complete screen, click Close
Note: As soon as the advertisement is seen, ConfigMgr will power up the provisioned Intel® vPro™ system using the Intel AMT power-up command and run the task sequence, which shuts it back down.
Real World Use Case #2
Intel KVM integrated into
SCCM SP2 and Microsoft
Diagnostic and Recovery
Tools
Intel® vPro™ KVM
• Keyboard, Video and Mouse Redirection over IP
• Intel® AMT 6.0 platform (Piketon and Calpella) with
integrated graphics
• Similar to a full IP-KVM experience, without expensive
hardware
• ISV Support:
• RealVNC will be shipping soon:
http://communities.intel.com/community/openportit/vproexpert/blog/2010/02/04/vnc-viewerplus-enabling-remote-access-to-the-2010-intel-core-vpro-processor-family
• Others to be announced
Keyboard, Video and Mouse Redirection over IP
Video is redirected from the managed machine to the management console; keyboard and mouse are redirected from the management console to the managed machine.
[Diagram: a management console connected over TLS / Kerberos to managed computers A through D in different states (unhealthy, repair mode, S3 standby, booting). The operator selects a machine and sees its screen as-is, including a blue screen or the boot sequence, and can wake it from S3.]
Allows a remote operator to securely access a remote system as if he or she were sitting in front of it
KVM typical session flow
Install KVM Viewer on
SCCM Site Server
 On the MSSCCM VM image, double click
KVMViewSetup.exe to install the KVM
Viewer
 In the KVMView Setup Wizard, click
Next
 In the Select Installation Folder
window, click Next
 In the Confirmation Installation
window, click Next
 In the Installation Complete window,
click Close
Note: This installation will install the
KVMViewer application in c:\program
files\Intel\KVMView
 After installation is complete, delete the KVMCerts.PEM file in the KVMView folder
 Recreate KVMCerts.PEM by creating a new text file (New Text Document.txt) and renaming it to KVMCerts.PEM (file size will now be 0 KB)
Note: KVMCerts.PEM is the viewer's store of trusted certificates. Emptying it means the first KVM session you open will repopulate it (see Launching Integrated KVM Console), so open that first session against a known-good, correctly provisioned system.
Integrating KVM into
SCCM Site Server
 Close the ConfigMgr Console in the VM
image
 Copy the file vpro_client.xml into c:\Program Files\Microsoft Configuration Manager\AdminUI\xmlstorage\Extensions\Actions\7ba8bf44-2344-4035-bdb4-16630291dcf6\
Note: This file gives you the ability to right click on a provisioned vPro KVM system and launch the KVMViewer from within the ConfigMgr Console.
Launching Integrated
KVM Console
 Open the ConfigMgr Console (shortcut on the desktop)
 In the Configuration Manager
console, navigate to System Center
Configuration Manager > Site
Database > Computer Management
> Collections > All Systems
 Right click on a Provisioned vPro
system that is KVM Capable
 Select Intel KVM Remote Control >
Start Session
 The KVMView Console will Launch and
will start to automatically recreate the
trusted root certificate file (.PEM file)
for securing a connection to the device
Note: This new right click KVM remote
control feature calls the KVMView Console
installed previously.
Authenticating with KVM
Console
 The KVM Console will connect to the KVM system and prompt for a User Consent Code
 The end user reads the User Consent Code shown on the client's screen to the remote KVM administrator so it can be entered into the KVM Console
 This establishes a secure KVM session between the KVM Console and the Intel vPro KVM system
Note: The User Consent Code is a privacy and security protection: it proves that someone physically present at the client agrees to the session. It can be disabled for your environment, but doing so lets anyone holding valid Intel AMT credentials open a KVM session to the client without the user's knowledge.
Managing with KVM
Console
 After the remote KVM Console is authenticated with the User Consent Code, a full secure KVM session is established
 With the KVM Console, restart the remote vPro system
 With a KVM session established, you can see the entire boot process
Note: You can perform all functions remotely within the OS, similar to using standard in-band, agent-based remote control. Intel vPro KVM extends this reach and lets you see the system regardless of OS state (on, off, BSoD, hung, etc.).
Intel KVM and MSDaRT
 During the reboot process, select MSDaRT at the Windows Boot Manager
 Press Enter
Note: This will load a WinPE image from a local partition on the drive that contains Microsoft's Diagnostic and Recovery Utilities.
http://technet.microsoft.com/en-us/library/ee532075.aspx
Intel KVM and MSDaRT
 Click Yes to initialize the network
connectivity
 Click Yes to remap drives from host OS
 Click Next for System Recovery Options
 Select Windows 7 and click Next to
repair OS
 Enter Account Information
 User Name: admin
 Password: P@ssw0rd
Managing with KVM
Console
 In the System Recovery Options
window, click Microsoft Diagnostic and
Recovery Toolset
 This will bring up the MSDaRT Tools to
allow you to remote troubleshoot the Intel
vPro System
Note: Depending on the issues experienced with the remote system, many of these tools can be used to diagnose and repair it without having to make a "deskside" visit.
Real World Use Case #3
IDER Remote Drive Share
(RDS)
IDE Redirection Remote Drive Share
• Redirect the client to a small Linux-based .iso that exposes the client's NTFS drive as a remote share
– http://communities.intel.com/docs/DOC-4785
• Using Remote Drive Sharing and Intel vPro
Technology to Perform a Remote Kernel Memory
Dump Analysis
– http://communities.intel.com/docs/DOC-4826
• Using Remote Drive Sharing and Intel vPro
Technology to Perform a Remote Virus Scan
– http://communities.intel.com/docs/DOC-4787
Real World Use Case #4
Powershell Scripts for 3PDS
PowerShell Scripts for 3PDS
• http://communities.intel.com/docs/DOC-4800
Lab Module 6
Requirements and Prerequisites
for ConfigMgr SP2 2007
Requirements for ConfigMgr 2007 SP2
ConfigMgr 2007 SP2 requires…
• Intel® AMT v3.2.1 systems and later (if your customer has Intel AMT systems prior to v3.2.1, talk to Intel/Microsoft about the WS-Management Translator Utility: http://software.intel.com/en-us/articles/intelws-management-translator/)
• Active Directory (AD) and Kerberos
  – For client authentication
  – ConfigMgr 2007 SP2 AD schema extensions are not required for the Out of Band Management capability; however, they may be required for non-Intel AMT related ConfigMgr 2007 SP2 features
• TLS
  – For server authentication
  – Requires a Microsoft Enterprise Certificate Authority
• Remote Configuration
  – Zero-touch configuration, also called PKI (public key infrastructure) provisioning
  – Standard remote configuration procedures for provisioning apply
  – ConfigMgr 2007 SP2 provides its own remote agent provisioning support through the SCCM client agent
  – Provisioning authorization can also be done through the OOB Import Wizard (no agent required)
ConfigMgr 2007 SP2 does not require or support…
• Mutual TLS
  – Redundant with Kerberos for client authentication
  – ConfigMgr 2007 SP2 uses mutual TLS only during Intel AMT set-up/provisioning
• Digest user accounts
  – Microsoft only supports Kerberos user accounts
  – Although not used by ConfigMgr 2007 SP2, Digest accounts can be defined
• Pre-shared keys (PSK)
  – Also referred to as PID/PPS provisioning
  – ConfigMgr 2007 SP2 can support PID/PPS provisioning through the Intel® WS-Management Translator
Prerequisites for ConfigMgr 2007 SP2 OOB Management
• ConfigMgr 2007 SP2 Site Server
  – Windows Remote Management (WinRM) version 1.1 (or later): http://go.microsoft.com/fwlink/?LinkId=105682
  – If Windows 2003: Service Pack 2 or later, plus hotfix KB942841 http://support.microsoft.com/kb/942841/en-us
  – MSXML 6.0 is required on computers that run the Out of Band Management Console
  – If the OOB console runs on Windows 2008 or Vista: Telnet Client installed, to perform Serial-over-LAN
• Active Directory
  – Intel® vPro™ clients being managed must belong to the same AD forest as the OOB Service Point
  – AD schema extensions are not required for Intel vPro support; however, they are required for other ConfigMgr 2007 SP2 features and make ConfigMgr 2007 SP2 client agent deployments easier (required for agent-based provisioning)
• Microsoft Enterprise Certification Authority
  – Issues and manages the certificates required for TLS-based out of band management
  – Must automatically approve certificate requests from the site server
  – Key length not to exceed 2048 bits (4096 for newer AMT firmware)
Prerequisites for ConfigMgr 2007 SP2 OOB Management
• Remote Configuration Certificate: http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning1
  – Supported 3rd party CAs: VeriSign, GoDaddy, Comodo, Starfield
• DNS / DHCP / Network Ports
  – DNS record provisionserver associated with the ConfigMgr 2007 SP2 Out of Band Service Point
  – Active DHCP scope with Option 6 (DNS servers) and Option 15 (Domain Name) configured
  – Open network ports: 9971 (provisioning port, on the Out of Band Service Point) and 16992 through 16995 (OOB management ports, on the Intel AMT clients)
  – Dynamic updates to DNS from DHCP (Option 81)
• Intel® vPro™ Client
  – Intel® AMT HECI and SOL drivers for ConfigMgr 2007 SP2 client agent based provisioning
  – Firmware 3.2.1 or later for native support
• Administrator's Checklist and Prerequisites
  – http://technet.microsoft.com/en-us/library/cc161943.aspx
  – http://technet.microsoft.com/en-us/library/cc161785.aspx
Intel AMT Firmware Requirements
• ConfigMgr SP2 can work with a mixed AMT firmware environment
  – Any pre-3.2.1 firmware requires the WS-MAN Translator; avoid if at all possible
• Recommend upgrading to the latest AMT firmware version made available by your OEM for your chosen platform
  – Typically systems won't be shipped with the latest firmware
  – Depending on the OEM, it might be bundled with the BIOS
  – A firmware upgrade sometimes requires a BIOS upgrade as well
  – Download from the OEM website
  – If not available, contact the OEM
  – Distribute like any other software package
Glossary
• Legacy Provisioning/Managing – Provisioning and Managing
Intel® vPro™ systems that are less than Intel® AMT firmware 3.2.1
• Native Provisioning/Managing – Provisioning and Managing Intel vPro
systems that have Intel AMT firmware 3.2.1 (today) and higher
(future releases)
• Intel® Manageability Engine (Intel® ME) – microprocessor in Intel vPro platforms that performs the Intel AMT functions and capabilities
• Intel® Manageability Engine BIOS Extension (Intel® MEBX) - the user
interface to the Intel ME; it allows for the configuration of settings
that control the operation of the Intel ME
Lab Extras
ConfigMgr 2007 SP2 Logs
and Troubleshooting Tips
SendSched Utility to start provisioning
In order to start the in-band, agent-based provisioning immediately, you can trigger the policy check from the vPro client with the SendSched utility or, as shown here, with wbemtest (the Windows Management Instrumentation Tester)
• Open a command prompt and type wbemtest
• After the Windows Management Instrumentation Tester opens, click Connect
• In the Namespace field of the Connect window, type the name of the remote system you want to force the check on, followed by \root\ccm (requires admin rights on the remote system)
  – You can also run the method on the local system by simply leaving out the host name
  – Example: \root\ccm
• Click Connect
• After you successfully connect to the target system, click the Execute Method button
• In the Get Object Path window, type sms_client in the Object Path field and click OK
• In the Execute Method window, enter TriggerSchedule in the Method field
• Click the Edit In Parameters button
• In the Object editor for __PARAMETERS window, double click sScheduleID in the Properties field
• In the Property Editor window, change the Value to Not NULL and enter {00000000-0000-0000-0000-000000000120}
  – This value is the schedule ID that initiates the OOB auto-provisioning check
• Click the Save Property button
• In the Object editor for __PARAMETERS window, click the Save Object button
• In the Execute Method window, click the Execute button
• After you execute the method, you should see a message that the method was executed successfully
• To confirm that your method was executed, look at the target system's c:\windows\system32\CCM\Logs\oobmgmt.log
• You should now see a new entry in the log, GetProvisioningSetting, indicating that the policy has been re-evaluated
http://communities.intel.com/community/openportit/vproexpert/microsoft-vpro/blog/2008/09/30/using-wmi-to-force-the-sccmagent-to-check-for-its-amt-auto-provisioning-policy;jsessionid=EFD16EF6C2DB47CFED050A242B7AFE5F.node5COMS
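The same trigger, scripted in PowerShell, as an added example that is not part of the original training material: it calls the SMS_Client TriggerSchedule method on the remote client with the AMT auto-provisioning schedule ID entered in wbemtest above, then watches the client's oobmgmt.log over the administrative share for the GetProvisioningSetting entry the slide tells you to look for, and flags the "auto provisioning policy disabled" message if it appears. The computer name is an assumption; the script needs the same admin rights on the client that wbemtest does.

```powershell
# Added example, not from the training deck: trigger the ConfigMgr 2007 client's AMT
# auto-provisioning policy check over WMI and confirm it ran by reading oobmgmt.log.
param(
    [string]$ComputerName = 'vproclient01',   # assumed client name; requires admin rights on it
    [int]$TimeoutSeconds = 120
)

# Schedule ID of the client's AMT auto-provisioning policy check (the sScheduleID value used in wbemtest above)
$AmtProvisionScheduleId = '{00000000-0000-0000-0000-000000000120}'

function Invoke-AmtProvisionCheck {
    param([string]$ComputerName)
    # Equivalent of the wbemtest steps: namespace \\<host>\root\ccm, object sms_client, method TriggerSchedule
    $null = Invoke-WmiMethod -ComputerName $ComputerName -Namespace 'root\ccm' `
        -Class 'SMS_Client' -Name 'TriggerSchedule' -ArgumentList $AmtProvisionScheduleId
}

function Wait-ForLogEntry {
    param([string]$LogPath, [string]$Text, [int]$SkipLines, [int]$TimeoutSeconds)
    # Poll the log, ignoring the lines that existed before the trigger, until $Text appears or we time out
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $hit = Get-Content -Path $LogPath | Select-Object -Skip $SkipLines |
               Select-String -SimpleMatch -Pattern $Text | Select-Object -First 1
        if ($hit) { return $hit.Line }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    return $null
}

# Client log, reached over the administrative share (on 64-bit Vista the folder is SysWOW64\CCM\Logs instead)
$logPath = "\\$ComputerName\c$\Windows\System32\CCM\Logs\oobmgmt.log"
$existingLines = @(Get-Content -Path $logPath -ErrorAction SilentlyContinue).Count

Invoke-AmtProvisionCheck -ComputerName $ComputerName
$entry = Wait-ForLogEntry -LogPath $logPath -Text 'GetProvisioningSetting' `
    -SkipLines $existingLines -TimeoutSeconds $TimeoutSeconds

if ($entry) {
    "Policy re-evaluated: $entry"
    # The slide's failure case: no collection with automatic provisioning enabled contains this client
    $newLines = Get-Content -Path $logPath | Select-Object -Skip $existingLines
    if ($newLines -match 'auto ?provision.*disabled') {
        Write-Warning 'Auto-provisioning policy is disabled: the client is not in a collection with automatic provisioning enabled'
    }
} else {
    Write-Warning "No GetProvisioningSetting entry within $TimeoutSeconds seconds; check that the ConfigMgr client agent is running on $ComputerName"
}
```

Leave out -ComputerName (or pass the local host name) to run it on the client itself, which matches the "\root\ccm" shortcut in the steps above.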
Helpful ConfigMgr 2007 SP2 Logs for
Troubleshooting Intel® AMT Provisioning
and Management
C:\Program Files\Microsoft Configuration Manager\Logs
Amtopmgr.log – log for tracking the provisioning process
Amtproxymgr.log – log used for tracking activities like certificate generation, OU creation, etc.
C:\Program Files\Microsoft Configuration Manager\AdminUI\AdminUILog
OOBConsole.log – log for tracking OOB Management Console activity (note: for more detailed information, change "Error" to "Verbose" in c:\Program Files\Microsoft Configuration Manager\AdminUI\bin\oobconsole.exe.config)
Helpful ConfigMgr 2007 SP2 Logs for
Troubleshooting on the Intel® vPro™
Client
C:\windows\system32\ccm\logs
oobmgmt.log – log to track the provisioning of Intel® AMT
C:\windows\system32\ccmsetup
ccmsetup.log – log to track installation progress of
ConfigMgr 2007 SP2 Client Agent
Troubleshooting
ConfigMgr 2007 SP2
Agent Auto-provisioning
policy
 If you do not see your system automatically provision in ConfigMgr 2007 SP2, look in c:\windows\system32\CCM\Logs (on Vista 64-bit, the logs folder is located under c:\windows\SysWOW64\CCM\Logs)
 OOBMGMT.log
 If the log states Auto Provision Policy Disabled, the agent has not found a collection that has automatic provisioning enabled: check that the client is a member of a collection with Intel AMT auto-provisioning turned on, then force the policy check again (see SendSched Utility to start provisioning)
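The ConfigMgr logs named in this section (oobmgmt.log on the client, amtopmgr.log and amtproxymgr.log on the site server) all use the same <![LOG[...]LOG]!> record layout, which is hard to read in Notepad. The following PowerShell parser is an added example, not part of the training material or of the ConfigMgr product: it turns those records into objects so you can filter oobmgmt.log for warnings and errors and spot the auto-provisioning-policy message without CMTrace. The sample records are constructed for illustration and are not real client output.

```powershell
# Added example, not from the training deck: parse ConfigMgr 2007 log records.
# Record layout: <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" thread="N" file="...">
# type 1 = informational, 2 = warning, 3 = error.

function ConvertFrom-ConfigMgrLog {
    param([Parameter(Mandatory = $true)][string]$Text)
    # Messages may span several lines, so match across the whole text with Singleline and a lazy message group
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<component>[^"]*)"[^>]*?type="(?<type>\d)"[^>]*>'
    $typeNames = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    foreach ($m in [regex]::Matches($Text, $pattern, 'Singleline')) {
        New-Object PSObject -Property @{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['component'].Value
            Severity  = $typeNames[$m.Groups['type'].Value]
            Message   = $m.Groups['msg'].Value.Trim()
        }
    }
}

function Get-ConfigMgrLogIssues {
    param([string]$Path)
    # Read the whole file at once so multi-line records are not split across reads
    $records = ConvertFrom-ConfigMgrLog -Text ([System.IO.File]::ReadAllText($Path))
    # Keep warnings and errors, plus any informational line about the auto-provisioning policy
    $records | Where-Object { $_.Severity -ne 'Info' -or $_.Message -match 'auto ?provision' }
}

# Constructed sample records (illustrative only, not real client output), in the layout above
$sample = @'
<![LOG[GetProvisioningSetting: policy check requested]LOG]!><time="09:15:02.123+300" date="03-04-2010" component="oobmgmt" context="" type="1" thread="2140" file="oobmgmt.cpp:210">
<![LOG[Auto provisioning policy disabled]LOG]!><time="09:15:02.456+300" date="03-04-2010" component="oobmgmt" context="" type="2" thread="2140" file="oobmgmt.cpp:233">
<![LOG[Failed to open HECI driver]LOG]!><time="09:15:03.001+300" date="03-04-2010" component="oobmgmt" context="" type="3" thread="2140" file="heci.cpp:88">
'@

ConvertFrom-ConfigMgrLog -Text $sample |
    Where-Object { $_.Severity -ne 'Info' -or $_.Message -match 'auto ?provision' } |
    Format-Table Date, Time, Severity, Component, Message -AutoSize
```

Against a real system, run `Get-ConfigMgrLogIssues -Path c:\windows\system32\CCM\Logs\oobmgmt.log` on the client (SysWOW64 on 64-bit Vista, as noted above), or point it at amtopmgr.log on the site server to follow provisioning from the server side.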
ConfigMgr 2007 SP2 Resources
• Intel® vPro™ Expert Center devoted to Microsoft products and Intel vPro Technology: http://communities.intel.com/openport/blogs/microsoft-vpro
• Intel® vPro™ Expert Center; Known Issues, Best Practices, and Workarounds: http://communities.intel.com/docs/DOC1247;jsessionid=4ABCE498498C0EB58EBCAA16C22F6250.node5COMS
Manually Unprovision
Intel® AMT in the
Intel® MEBX
 Reboot the HP7800 and hit CTRL + P to
enter the Intel MEBX Interface
 Enter the password; P@ssw0rd
 Select Intel (R) AMT Configuration
and hit Enter
 Select Un-Provision and press Enter
 Press Y for Yes to reset Intel AMT
 Select Full Unprovision and press Enter
Note: This will fully unprovision the Intel AMT system and set it back to factory default mode, with the exception of the Intel MEBX password.
SCCM Out of Band Provisioning
(Bare Metal Provisioning)
• Out of Band Management Controller Import Wizard invoked
from Collections menu
• Wizard requests Computer Name, FQDN, MAC, UUID
• Intel vPro client(s) are imported into the collection, allowing additional non-AMT SCCM 2007 discovery
• When the hello packet is received, SCCM 2007 performs the provisioning process
• Process: OOB Import -> Hello Packet Received -> SCCM 2007 Provisions Client
SCCM Out of Band Provisioning
[Diagram: Microsoft SCCM OOB Import Wizard provisioning flow]
1. Admin imports provisioning data for the client being provisioned into ConfigMgr 2007
2. vPro client sends a PKI hello packet to the provisioning server (on the firmware-defined schedule)
3. OOB Service Point secures the connection with the AMT client through the embedded AMT self-signed certificate and presents the provisioning certificate for initial authentication
4. OOB Service Point sets the Remote Admin and MEBx password (if not already changed)
5. OOB Service Point requests a web server certificate on behalf of the AMT client
6. OOB Service Point creates an object in AD for the vPro client
7. OOB Service Point pushes the web server certificate to the AMT client
8. OOB Service Point pushes ACL, power schema, and other configuration data to AMT to finalize provisioning
REMOVED SLIDES
2010 Additions to Intel® vPro™ Technology
Expanded Manageability
• Uninterrupted keyboard, video & mouse control
• Local wake capability to ensure local management tasks are executed
Enhanced Security
• Manageable data protection with integration of drive encryption solutions
• Asset & data protection with anti-theft features and services
Energy Efficient Performance
• New micro-architecture and partitioning to support better application performance with continued energy savings
Cross Client Consistency
• Same security and manageability features for both desktop and notebook
• DASH 1.1 and full IPv6 support
Lower TCO with more efficient, more secure, more manageable platforms
Provision AMT via InBand ConfigMgr 2007
SP2 Client Agent
 After a few minutes, provisioning will
automatically complete and you can
update your collection membership
 Right Click Collections and select
Update Collection Membership
 Click Yes to confirm that you want to
proceed
 Right click on All Systems collection
and select Refresh
 The client will now appear in All
Systems Collection Provisioned and
no longer be listed in the
Unprovisioned vPro Clients collection
Note: You can track the provisioning progress in C:\Program Files\Microsoft Configuration Manager\Logs\Amtopmgr.log. The length of this process depends on the time it takes for the ConfigMgr 2007 SP2 agent to check in with the server and pull down its policies.
Congratulations! You have just successfully completed in-band provisioning in ConfigMgr 2007 SP2 and enabled Intel® vPro™ systems to be managed out of band from the ConfigMgr 2007 SP2 console.
Lab Module 4
Collection Configuration for
In-Band Provisioning
Monitor Policies being
applied to ConfigMgr
2007 SP2 Client
 After the Agent has pulled down the
machine policies from the ConfigMgr
2007 SP2 server, you will see more
Actions listed in the Actions tab of the
Configuration Manager
Discover Systems with
ConfigMgr 2007 SP2
Discovery
 In the Configuration Manager
console, navigate to System Center
Configuration Manager > Site
Database > Site Management > PRO
– vPro Demo Primary Site > Site
Settings > Discovery Methods
 Double Click on Active Directory
System Discovery
Note: With the collection defined, you can use any of the discovery methods that ConfigMgr 2007 SP2 provides (AD System Group, AD Security Group, AD System, AD User, Heartbeat, or Network) to discover the client. If you decide to use Network Discovery, refer back to the steps on its required configuration.
Note: For more information about network discovery and how to schedule it to run, see About Network Discovery and How to Schedule Network Discovery.
http://technet.microsoft.com/en-us/library/cc161971.aspx
Enable Active Directory
System Discovery
 In the Active Directory System
Discovery Properties window General
Tab, check Enable Active Directory
System Discovery
 Click the button that opens the New Active Directory Container window
 In the New Active Directory Container window, select Local Domain and click OK
 In the Select New Container window, select Computers
 Click OK, then proceed to the next slide
Initiate the Polling
Schedule for Discovery
 On the Polling Schedule, check the
box to Run discovery as soon as
possible
 Click Apply
 Click OK
Note: This will initiate a discovery of all
the systems listed in the computer OU in
the Active Directory.
Update Collection to
see Discovered System
 After you run the discovery method, right click All Systems and select Update Collection Membership
 Click OK to confirm that you want to proceed
 Right click on All Systems and select Refresh (F5)
 The client will now appear in the All Systems and Unprovisioned vPro Clients collections
Note: It may take a couple of minutes for the system to show up. You may continue to refresh the All Systems collection until you see the client in it. The Intel® AMT status of the device will be in an unknown state. For this lab, ensure the firewalls on the virtual images, on the host OS running the virtual images, and on the vPro system are not enabled, since the Windows client firewall can inhibit communications; in a production environment, open the ports listed under Prerequisites for ConfigMgr 2007 SP2 OOB Management rather than disabling the firewall.
Use Out of Band
Management to
Discover Management
Controllers
 After the client is populated in the All
Systems Collection, check to see if any
of the systems are Intel® vPro™
capable
 Right click on the newly discovered system > Out of Band Management > Discover Management Controllers
 Click OK
Note: This will scan the system and validate which clients are Intel vPro capable and ready to be provisioned. You can also scan an entire collection for AMT systems.
Note: You can monitor the discovery process by watching amtopmgr.log in C:\Program Files\Microsoft Configuration Manager\Logs (you will find a shortcut to this log on the SCCM virtual image desktop).
Update Collection membership
to see Intel® vPro™ system Not
Provisioned
 After a few minutes, depending on the
size of your collection, you can update
your collection membership
 Right click Collections and select
Update Collection Membership
 Click Yes to confirm that you want to
proceed
 After one minute, right click on
Collections and select Refresh
 The client will now appear in
Unprovisioned vPro Clients
Collection and listed as Not
Provisioned and when the ConfigMgr
2007 SP2 Agent checks in for its
policies, this collection will start the
automatic provisioning process.
Note: If you look back at the All Systems
collection, you will now see the system as
listed as Not Provisioned. You will also see
the version of Intel® AMT listed. If you do
not see your system in the Unprovisioned
Collection, the collection query or
discovery method failed (refer back to
previous steps).
Note: If the system is listed as Detected, remove client from
ConfigMgr, boot client into the Intel MEBX and SMB
provision, unprovision, repeat AD Discovery (p.96-97), and
repeat Discover Management Controllers (p.98-99)
Lab Module 3 Review
• Installed ConfigMgr 2007 SP2 Client Agent on local
system
• Initiated Action on the ConfigMgr 2007 SP2 Client
Agent to check in with the ConfigMgr 2007 SP2 server
to receive its policies
• Validated Policies were being applied to the ConfigMgr
2007 SP2 Client through associated logs
• Updated the ConfigMgr 2007 SP2 Collection
Membership and found that Intel® vPro™ system was
successfully provisioned using ConfigMgr 2007 SP2
Inband agent.
Configure Network
Discovery for
Management
Controllers
 In the Configuration Manager
console, navigate to System Center
Configuration Manager > Site
Database > Site Management > PRO
– vPro Demo Site > Site Settings >
Discovery Methods
 In the right hand window, Right-click
Network Discovery, and click
Properties
 On the General tab, select Enable
Network Discovery and Select
Topology radio button
 Select Enable discovery of out of
band management controllers
 Click OK
Note: This will allow ConfigMgr 2007 SP2
to detect if a system is Intel® AMT capable.
http://technet.microsoft.com/en-us/library/ee344683.aspx