Configuration Guide for Intel vPro Technology with Microsoft* ConfigMgr SP2




Guide
Intel Centrino with vPro Technology
Intel Core 2 Processor with vPro Technology
Intel Core i5 vPro Processor
Intel Core i7 vPro Processor

Configuration Guide for Intel vPro Technology with Microsoft* ConfigMgr SP2
For Use With Intel vPro Processor Technology and Microsoft* System Center Configuration Manager 2007 SP2
Based on Intel Active Management Technology
Version 2.0.1
May 2010


Contents

Executive Summary
Microsoft Resources for ConfigMgr 2007
Section 1.0: Lab Network Design and Layout
Section 2.0: Overview of the Implementation Process
Section 2.1: High Level Steps
Section 2.2: Installation and Configuration Process Flowchart
Section 2.3: Summary of Prerequisites Required for OOB Management
Section 2.4: Check for the latest Microsoft Hot Fixes
Section 3.0: Configure Active Directory for Out of Band Management
Section 4.0: Configure Enterprise PKI Certificate Server
Section 5.0: Install ConfigMgr 2007 SP2
Section 6.0: Install Out of Band Management Service Point
Section 6.1: Configure Out of Band Management Service Point on ConfigMgr 2007
Section 6.2: Configure Network Discovery for Management Controllers
Section 6.3: Configure New Site Boundary
Section 7.0: ConfigMgr 2007 Collection Setup
Section 7.1: Create Intel AMT Unprovisioned Collection
Section 7.2: Configure Intel AMT Collection to Automatically Provision Intel AMT Devices
Section 8.0: ConfigMgr 2007 Agent Installation and In-Band Provisioning
Section 9.0: Legacy Provisioning
Section 9.1: Intel WS-MAN Translator Installation and Configuration
Section 9.2: ConfigMgr Import Wizard for PSK Provisioning with Intel WS-MAN Translator
Section 10.0: Helpful ConfigMgr 2007 Logs for Troubleshooting
Section 10.1: Server Logs
Section 10.2: Client Logs
Section 11.0: Resources
Appendix: Code Example for GetProvisioningData Script


Executive Summary

This document describes the process to set up the Out of Band Management (OOB) capabilities within Microsoft* System Center Configuration Manager 2007 (ConfigMgr 2007) Service Pack 2 (SP2). It is not intended to replace the detailed documentation in the ConfigMgr 2007 SP2 help file. Intel highly recommends that all readers reference Microsoft's TechNet information for complete ConfigMgr 2007 information (http://technet.microsoft.com/en-us/library/bb735860(TechNet.10).aspx). This document condenses the necessary information into a quick start guide for enabling Out of Band Management on Intel vPro technology-based systems. It uses a lab environment as an example to demonstrate the overall ConfigMgr 2007 OOB setup and configuration process.

ConfigMgr 2007 SP2 provides native Intel vPro technology support for Intel Active Management Technology (Intel AMT) firmware version 3.2.1 and later. Contact your OEM (see the OEM's web site) for the latest Intel AMT firmware releases. For legacy Intel vPro technology-based systems (Intel AMT firmware version lower than 3.2.1), you will need to install the Intel WS-Man Translator on your ConfigMgr 2007 OOB management console system. Setup and configuration information to support these versions of Intel vPro technology is provided in this guide in Section 9.1: Intel WS-MAN Translator Installation and Configuration.

This document is posted on the Intel vPro Expert Center (http://communities.intel.com/community/openportit/vproexpert/microsoft-vpro?view=documents) and updated periodically. Use the Intel vPro Expert Center contact link to provide feedback on this document.
Microsoft Resources for ConfigMgr 2007

The Microsoft System Center Configuration Manager 2007 TechNet article shown below is an excellent resource to use when building your production environment. Information specific to Intel vPro technology is located under Out of Band Management in Configuration Manager 2007 SP1 and Later (http://technet.microsoft.com/en-us/library/cc161989.aspx).


Section 1.0: Lab Network Design and Layout

As mentioned previously, an example lab setup is used throughout this document. This section briefly describes that lab environment. Your environment (lab or production) may vary and may need additional steps to work with Intel vPro systems.

Lab design: The example lab uses a virtualized environment within one server. Five separate virtual images were installed on this one server system, each running its own Windows 2008 Enterprise Server R2 with all of the latest service packs and software releases from Microsoft Windows Update (as of 4/1/2010). The five VMs are:

- Domain Controller (DHCP and DNS)
- Enterprise Root Certificate Authority
- Subordinate Certificate Authority
- SQL Server 2008 (Database for ConfigMgr 2007 SP2)
- ConfigMgr 2007 SP2 with the OOB Management Service Point

The virtual images were separated by function rather than running everything on a single system, as this emulates a realistic customer environment. Additionally, all Intel vPro technology-based lab systems were joined to this single domain to perform provisioning and OOB management. The lab environment is pictured in the following illustration.

Section 2.0: Overview of the Implementation Process

The following is a high level overview of the process to implement Microsoft* ConfigMgr 2007 OOB management of Intel vPro technology-based client systems. These high level steps are discussed in more detail in the subsequent sections of this guide. Related sections with detailed steps are referenced in each high-level step.

Section 2.1: High Level Steps

1. Configure the networking and IT infrastructure (open the required firewall and router ports for management traffic, configure the network domain for the ConfigMgr 2007 OOB Service Point to the same domain as the Intel vPro technology-based systems, etc.).
2. Configure Microsoft* Active Directory.
3. Configure a Certificate Server.
4. Install ConfigMgr 2007 SP2, as well as all required hot fixes.
5. Install and configure the ConfigMgr 2007 OOB Service Point.
6. Set up a ConfigMgr 2007 Collection of Intel vPro technology-based systems for In-Band provisioning.
7. Discover the unprovisioned Intel vPro technology-based clients in ConfigMgr 2007 (part of the Collection Setup process).
8. Decide whether to use agent-based provisioning (recommended for clients with Intel vPro technology firmware version 3.2.1 or later) or bare metal Remote Configuration (required for clients with Intel vPro technology firmware version less than 3.2.1). Note that if you have a mix of clients, you may need to use agent-based provisioning for some clients and Remote Configuration for others, depending on the firmware version of the clients.
9. For clients with Intel vPro technology firmware version 3.2.1 or later, install the ConfigMgr 2007 agent on each client (Section 8.0: ConfigMgr 2007 Agent Installation and In-Band Provisioning). Once the agent is installed, the ConfigMgr 2007 OOB Service Point will automatically begin provisioning the client. If you do not have any clients with Intel vPro technology firmware version less than 3.2.1, skip to step 14 below.
10. For clients with Intel vPro technology firmware version less than 3.2.1, or if you choose not to install the ConfigMgr 2007 client agent and instead use Remote Configuration with firmware version 3.2.1 clients, record each client's provisioning data (hostname, UUID, and FQDN) and enter that data in the ConfigMgr 2007 Import Wizard.
11. For Remote Configuration without installing the ConfigMgr client agent on clients having Intel vPro technology firmware version 3.2.1 or later, once you have imported the client provisioning data into ConfigMgr, the clients will automatically be provisioned by the ConfigMgr OOB Service Point once you connect them to the network and boot them to the Windows OS. Skip to step 14 below.
12. For clients with Intel vPro technology firmware version less than 3.2.1, you MUST install the Intel WS-MAN translator on the same server system as the ConfigMgr 2007 OOB Service Point.
13. For clients with Intel vPro technology firmware version less than 3.2.1, manually enter a Pre-shared Key (PSK), also referred to as a PID-PPS pair, into each client's Intel Active Management Technology (Intel AMT) configuration using the Intel Management Engine BIOS Extension (Intel MEBx). Once the PSK has been entered, exit the Intel MEBx and reboot the client to the Windows OS; the client will automatically be provisioned by the ConfigMgr OOB Service Point.
14. Verify that the required drivers are installed on the Intel vPro technology-based clients.
15. Test the ConfigMgr 2007 OOB management functionality with the Intel vPro technology-based clients.

Checklist: http://technet.microsoft.com/en-us/library/cc161943(TechNet.10).aspx
Prerequisites: http://technet.microsoft.com/en-us/library/cc161785(TechNet.10).aspx

Section 2.2: Installation and Configuration Process Flowchart

The following flowchart provides a visual map of the installation and configuration process. It illustrates the implementation paths available to you depending on the version of Intel vPro technology firmware you are working with and other installation decisions. The steps shown in green represent the recommended path through the process for Intel vPro technology-based clients with firmware version 3.2.1 or higher. The steps and terminology in the flowchart are explained in detail in the subsequent sections of this guide.


Section 2.3: Summary of Prerequisites Required for OOB Management

The list below describes the client, server, and infrastructure elements required to manage your Intel vPro technology-based systems Out-of-Band using Microsoft Configuration Manager 2007 SP2. The high level steps in Section 2.1 above (and the corresponding detailed steps in the subsequent sections of this guide) are the process by which to achieve the OOB management prerequisites listed below.

Note: The reader is presumed to be familiar with setting up some of the prerequisites below, such as configuring the clients on the same network domain as the OOB Service Point server and opening certain firewall and networking ports for management traffic. Prerequisites specific to Intel vPro technology and Microsoft ConfigMgr 2007 are discussed in detail in the remainder of this guide.

- Enterprise Certificate Authority to issue Web Server certificates to each Intel vPro technology-based system for encrypted communications with the ConfigMgr 2007 SP2 Management Console (a Standalone CA is insufficient)
- Active Directory OU to store Intel AMT objects for each Intel vPro technology-based system that will be managed OOB
- ConfigMgr 2007 SP2 Out of Band Service Point installed and configured to support Intel vPro technology-based systems
- Windows Remote Management (WinRM) installed on each ConfigMgr 2007 server
- Third-party Remote Configuration Certificate on each OOB Service Point to provision Intel vPro technology-based systems (VeriSign, GoDaddy, Comodo, and Starfield have pre-installed hashes in the Intel AMT firmware). Optionally you can generate your own Provisioning Certificate from your Enterprise CA. However, this requires you to manually enter the CA hash into the Intel MEBx of Intel AMT: http://technet.microsoft.com/en-us/library/cc161804(technet.10).aspx#bkmk_amtprovisioning1
- Configure OOB network discovery of Intel vPro technology-based systems (optional step but used in this lab)
- Intel vPro technology and firmware of 3.2.1 or higher for native support from ConfigMgr 2007 SP2
- Intel HECI Driver installed on the client OS (see OEM for latest driver)
- Configuration Manager Client Agent installed on each Intel vPro system to initiate the provisioning process (there are alternative methods available in the help file but this is the most effective and easiest method)
- Intel vPro technology-based systems joined to the same domain as the OOB Service Point provisioning and managing these devices
- Open Intel vPro technology related network ports on routers and firewalls: 9971 - Provisioning Port; and 16992 through 16995 - OOB Management Ports

Section 2.4: Check for the latest Microsoft Hot Fixes

Verify that all the latest hot fixes for Microsoft Server 2008, Microsoft Configuration Manager 2007 SP2, Microsoft Internet Explorer, and Microsoft SQL Server have been applied. http://support.microsoft.com/

Section 3.0: Configure Active Directory for Out of Band Management

http://technet.microsoft.com/en-us/library/cc161814(TechNet.10).aspx

Active Directory schema extensions are not required for Intel AMT OOB Management functionality, but Microsoft recommends applying the schema extensions for other capabilities not related to Intel vPro technology. If you do not extend your AD with the supplied ConfigMgr 2007 schema extension and configure your environment to publish ConfigMgr 2007 related components to the AD per Microsoft's instructions, you will need to update your WINS environment to allow the ConfigMgr 2007 Agent to auto-discover your ConfigMgr 2007 Site Server (see Microsoft TechNet for details: http://technet.microsoft.com/en-us/library/bb633121(TechNet.10).aspx).

However, the Active Directory must have two items configured for ConfigMgr 2007 to manage Intel vPro technology-based systems:

- Create the Active Directory OU container in the domain for each Intel AMT device
- Configure security permissions on the container for ConfigMgr 2007 to generate an object for each Intel AMT device

ConfigMgr 2007 SP2 will publish an Intel AMT object into a specific OU for each Intel vPro technology-based system that is provisioned by the OOB Management Service Point. This is a different object than the computer object that hosts the computer account in the domain. Also, Intel vPro technology-based clients must belong to the same AD forest as the OOB Service Point.

The following list provides the required steps to create this Intel AMT specific OU and give the ConfigMgr 2007 server the rights it needs to create this object during the provisioning phase. Later, you will configure the OOB Management Service Point to use this object. This section illustrates the procedure described in the following Microsoft* TechNet article: How to Prepare Active Directory Domain Services for Out of Band Management (http://technet.microsoft.com/en-us/library/cc161814(TechNet.10).aspx).
Click Start > Programs > Administrative Tools > Active Directory Users and Computers
Note: Under the View menu option, ensure Advanced Features is checked
Right-click on vprodemo.com > New > Group

In the New Object - Group dialog box, type ConfigMgr Primary Site Servers
Click OK
In Active Directory Users and Computers, right-click the ConfigMgr Primary Site Servers group and select Properties

In the ConfigMgr Primary Site Servers Properties window, select the Members tab and click Add
Add the MSSCCM server and click OK (make sure you click the Object Types button and check Computers to find the SCCM computer account)
Click OK to close the Properties window
Note: Your ConfigMgr server is now a member of your ConfigMgr Primary Site Servers group, which will be used later for applying security rights to AD OUs and Certificate Templates.
Note: Make sure you have not started up the ConfigMgr server image while setting up this server security setting. If you have the ConfigMgr server running, please shut it down now.

Click Start > All Programs > Administrative Tools > Active Directory Users and Computers
Note: Under the View menu option, ensure Advanced Features is checked
Right-click on vprodemo.com > New > Organizational Unit
In the New Object - Organizational Unit dialog box, type Out of Band Management Controllers
Click OK

Right-click the Out of Band Management Controllers OU and click Properties
Select the Security tab
Click Add

Select the ConfigMgr 2007 primary site server account (ConfigMgr Primary Site Servers is the name in this example)
Note: You will need to click Object Types to add Computer Objects to find the server account
Click OK after adding the ConfigMgr Primary Site Servers account
With the ConfigMgr Primary Site Servers account selected, check Allow Full Control
Click Advanced

Highlight the ConfigMgr Primary Site Servers account, and click Edit
In the Apply onto drop-down, select This object and all child objects
Click OK three times to close all windows

Create RADIUS Security Group for AMT devices (if you use 802.1x)

Click Start > Programs > Administrative Tools > Active Directory Users and Computers
Expand vprodemo.com, right-click on Users and select New > Group
In the New Object - Group window, enter AMT RADIUS Clients in the Group name field
Click OK

Set Permissions on RADIUS Security Group

Right-click on the AMT RADIUS Clients group and select Properties
In the AMT RADIUS Clients Properties window, click the Security tab and click the Add button
In the Select Users, Computers, or Groups window, add ConfigMgr Primary Site Servers
Click OK

We have now created an AD OU and an AMT RADIUS group, and given the security group that the ConfigMgr 2007 SP2 server is a member of the proper permission to create Management Controller objects for each Intel vPro system during the provisioning phase. We have now created an AD OU and given the ConfigMgr 2007 Server proper permissions to create Intel AMT objects for each Intel vPro technology-based system during the provisioning phase.
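The group, OU and delegation steps of Section 3.0, scripted with the Active Directory PowerShell module and followed by a read-back of the OU's ACL. This is an added example, not part of the Intel guide or Microsoft's documentation; it uses the lab's names (vprodemo.com, SCCM), and the Global/Security group type and the helper name Test-OobOuDelegation are assumptions.

```powershell
# Added example: scripted equivalent of the Section 3.0 GUI steps (lab values).
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$DomainDn   = 'DC=vprodemo,DC=com'
$GroupName  = 'ConfigMgr Primary Site Servers'
$OuName     = 'Out of Band Management Controllers'
$SiteServer = 'SCCM'                      # site server computer account
$OuDn       = "OU=$OuName,$DomainDn"
$OuPath     = "AD:\$OuDn"

# 1. Security group at the domain root, created only if missing.
#    Assumption: Global / Security, the New Object - Group dialog defaults.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security -Path $DomainDn -PassThru
}

# 2. Add the site server's computer account to the group.
#    A running computer normally picks up new group membership after a restart.
$computer = Get-ADComputer -Identity $SiteServer
$isMember = Get-ADGroupMember -Identity $group |
    Where-Object { $_.SID.Value -eq $computer.SID.Value }
if (-not $isMember) {
    Add-ADGroupMember -Identity $group -Members $computer
}

# 3. OU that will hold one Intel AMT object per provisioned system.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
    -SearchBase $DomainDn -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDn
}

# 4. Allow Full Control for the group on "This object and all child objects".
$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$inheritAll  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

# Returns $true when the OU carries an explicit Allow/Full Control ACE for
# the group that applies to the OU itself and to all descendant objects.
function Test-OobOuDelegation {
    param(
        [string]$Path,
        [System.Security.Principal.SecurityIdentifier]$GroupSid
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $full    = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    # Explicit ACEs only: inherited entries are not what the guide configures.
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $false, $sidType)
    foreach ($rule in $rules) {
        $sameSid  = $rule.IdentityReference.Value -eq $GroupSid.Value
        $isAllow  = $rule.AccessControlType -eq 'Allow'
        $hasFull  = ([int]$rule.ActiveDirectoryRights -band $full) -eq $full
        $inherits = $rule.InheritanceType -eq 'All'
        if ($sameSid -and $isAllow -and $hasFull -and $inherits) {
            return $true
        }
    }
    return $false
}

if (-not (Test-OobOuDelegation -Path $OuPath -GroupSid $group.SID)) {
    $acl = Get-Acl -Path $OuPath
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $group.SID, $fullControl, $allow, $inheritAll
    $acl.AddAccessRule($ace)
    Set-Acl -Path $OuPath -AclObject $acl
}

# 5. Read the ACL back and report the result instead of assuming success.
if (Test-OobOuDelegation -Path $OuPath -GroupSid $group.SID) {
    Write-Output "OK: '$GroupName' has Full Control on '$OuDn' and child objects."
} else {
    Write-Warning "Delegation on '$OuDn' is missing or not inherited by child objects."
}
```

Every step checks for existing objects before creating anything, so the script can be re-run as a configuration check; the Full Control grant is scoped to this one OU rather than to the domain.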

Section 4.0: Configure Enterprise PKI Certificate Server

For more information, refer to the following Microsoft* TechNet article: Certificate Requirements for Out of Band Management (http://technet.microsoft.com/en-us/library/cc161874(TechNet.10).aspx).

ConfigMgr 2007 SP2 uses four types of certificates for Out Of Band Management. These four different certificates are:

- AMT self-signed certificate: Intel AMT will generate a self-signed certificate during the PKI provisioning process to secure the connection with the ConfigMgr 2007 Server.
- AMT provisioning certificate: This certificate is used by ConfigMgr 2007 to provision Intel AMT devices. It can either be purchased from a third-party Certificate Authority or generated by an in-house Enterprise Certificate Authority. The simplest and most automated method for provisioning is to purchase this certificate from a third-party provider (VeriSign, GoDaddy, Comodo, or Starfield). This certificate will need to be installed on each OOB Service Point in the environment.
- Web server certificate: This certificate is generated by an internal Enterprise Certificate Authority during the provisioning process and installed in the firmware of each AMT device. It allows for a TLS management session between the ConfigMgr 2007 OOB Management console and the AMT firmware.
- WS-Man Translator certificate: The WS-Man translator also uses a Web Server certificate to secure the communications to and from the ConfigMgr 2007 server during Legacy Provisioning. This is covered in more detail in the WS-Man Translator section.
- 802.1x RADIUS certificate: Optional certificate that allows the Intel AMT client to securely authenticate to an 802.1x network without the operating system being present.
The process for generating the Certificate Signing Request (CSR) and requesting the provisioning certificate from a third-party certificate authority can be found in the following resources:

- Microsoft* TechNet, Requesting and Installing the AMT Provisioning Certificate from an External CA (http://technet.microsoft.com/en-us/library/dd252737.aspx#BKMK_AMTprovisioning12008)
- Intel vPro Expert Center, Request and Install a Provisioning Certificate from VeriSign (http://communities.intel.com/docs/DOC-2200)
- Intel vPro Expert Center, Obtaining a Provisioning Certificate for Intel vPro Platforms using OpenSSL Tools (http://communities.intel.com/docs/DOC-2110)
- Intel vPro Expert Center, How to procure and install a Verisign Cert for Remote Configuration on SCS (http://communities.intel.com/community/openportit/vproexpert/blog/2008/03/19/how-to-procure-and-install-a-verisign-certfor-remote-configuration-on-scs)

Open your Certificate Authority issuing PKI Server: click Start > All Programs > Administrative Tools > Certification Authority
Expand DC1.vprodemo.com
Right-click on Certificate Templates > Manage
In the Certificate Templates Console window, right-click on Web Server and select Duplicate Template
In the Duplicate Template window, select the radio button for Windows 2003 Server, Enterprise Edition
Click OK

In the Properties of New Template window:
Enter ConfigMgr AMT Web Server Certificate
Check the box to Publish certificate in Active Directory
Proceed to the next step to set the security rights on this template.
Select the Security tab and click Add
Select the ConfigMgr 2007 primary site server computer group
Click OK
With the ConfigMgr Primary Site Servers group highlighted, check Read and Enroll
Click OK
Close the Certificate Templates Console

In the Certification Authority window, right-click on Certificate Templates > New > Certificate Template to Issue
In the Enable Certificate Templates window, select ConfigMgr AMT Web Server Certificate (this template was created in the previous step)
Click OK

In the Certification Authority window, you will now see ConfigMgr AMT Web Server Certificate listed in the right-hand pane and ready for use by the Out of Band Service Point
Note: This Web Server template will be used by ConfigMgr 2007 SP2 to generate a unique certificate for each Intel AMT system during the provisioning process; that certificate is then used for the TLS session during management of the Intel AMT client.

Configure Root CA to Allow Revocation of Client Management Controller Certificates

In the Certification Authority window, right-click on DC1.vprodemo.com and select Properties

In the Properties window, select the Security tab
Click Add
Add the ConfigMgr Primary Site Servers group
Click OK

Select the ConfigMgr Primary Site Servers group
Check Allow for the Issue and Manage Certificates permission for this group (leave the Request Certificates option unchanged)
Click OK
Note: This setting is required when you perform actions such as unprovisioning the Management Controller. It keeps your PKI-issued certificates cleaned up (revoked).

Your PKI server is now configured with a Web Certificate Template that ConfigMgr 2007 will use during the provisioning phase to generate a TLS certificate for each Intel AMT device.

Section 5.0: Install ConfigMgr 2007 SP2

These are the steps for a basic installation of ConfigMgr 2007 SP2 in a lab environment to test the Out Of Band Management capabilities for Intel vPro technology-based systems. Lab setups and names will vary for your environment. Contact Microsoft for the latest version of ConfigMgr 2007 SP2. Please refer to Microsoft for the complete setup documentation: http://technet.microsoft.com/en-us/library/bb735860(TechNet.10).aspx

Launch SPLASH.hta
Click Install Configuration Manager 2007 SP2

Click Next on the Welcome screen
Select Install a Configuration Manager Site Server and click Next
Check I accept these license terms and click Next
Select Custom Settings for installation and click Next
Select Primary Site and click Next
Select whether you want to participate to help Microsoft and click Next

Enter the Product Key and click Next
Enter the destination folder and click Next
Enter the three letter site code (PRO used in this example) and click Next
Select Configuration Manager Mixed Mode and click Next
Note: Native mode is required if you are managing Internet clients.
Select all of the Client Agent options except Network Access Protection and click Next
Enter the name of the SQL 2008 database (SCCM in this example) to set up the ConfigMgr 2007 database (default name SMS_PRO) and click Next

Enter the name for the ConfigMgr 2007 server (SCCM used in this example)
Click Next
Enter the FQDN of the ConfigMgr 2007 Server (SCCM.VPRODEMO.COM used in this example) to install the Management Point
Click Next
Use default port
Click Next
Select Check for updates and download newer version to alt path
Click Next
After the prerequisite files have been successfully downloaded (Internet connection required), click OK
Review the Settings Summary and click Next
Installation started

The first part of the installation does a Prerequisite check. In this example, Setup discovered that WSUS on the Primary Site Server was missing (it is listed only as a warning, but you can add it anyway). This component is only necessary if you are going to do Software Updates internally from a WSUS location.

If you get this error message:

Web-based Distributed Authoring and Versioning (WebDAV) is required for the management point and distribution point site system roles. If you have selected to install a site role requiring WebDAV, and it is not enabled, this rule will fail. Web-based Distributed Authoring and Versioning (WebDAV) is not enabled and/or IIS 6 WMI compatibility component for IIS is not installed on the computer specified for management point installation or setup was unable to verify remote IIS settings because IIS common components were not installed on the site server computer. ConfigMgr requires WebDAV to be installed and enabled in Internet Information Services (IIS) for management point site systems. Setup cannot continue.

Add the WebDAV component in the WWW Services within Windows 2008 Server (requires Windows 2008 installation CD).

(Installation will continue after WSUS and WebDAV were added.)
Installation Completed Successfully!

Section 6.0: Install Out of Band Management Service Point

http://technet.microsoft.com/en-us/library/cc161863(TechNet.10).aspx

The Out Of Band Service Point is the ConfigMgr 2007 component responsible for provisioning and managing Intel vpro technology based systems. The following section will provide the necessary steps for installing this OOB Service Point and configuring it for Intel vpro technology based systems. These steps assume that you have installed ConfigMgr 2007 SP2 on a supported server. For steps to install ConfigMgr 2007 SP2, please refer to the previous section, or to the Microsoft TechNet documentation.

OOB Management (as defined by Microsoft in ConfigMgr 2007 Help File): Out of band management allows an administrator to connect to a computer's management controller when the computer is turned off, in sleep or hibernate modes, or otherwise unresponsive through the operating system.

OOB Service Point: ConfigMgr 2007 Service component responsible for provisioning and managing Intel AMT enabled devices.

On the ConfigMgr 2007 SP2 Server, open the Configuration Manager console
Navigate to System Center Configuration Manager > Site Database > Site Management > Pro vpro Demo SCCM > Site Settings > Site Systems
Right-click ConfigMgr 2007 Server (\\SCCM in this example)
Select New Roles to launch the New Site Roles Wizard

On the General page, click Next (default settings)
On the System Role Selection page, check Out of band service point
Click Next

On the Out of Band Service Point page, click Next
Note: change any default settings you require for how out of band transmission packets are sent
Click Next again on Summary page
Once the Wizard completes, click Close

You will now see ConfigMgr out of band service point listed under the ConfigMgr 2007 Site System (SCCM in this example)

You have now added the Out Of Band Service Point to your ConfigMgr 2007 server. This service will provide the capability to provision and manage Intel AMT devices. The next section will cover the configuration process of this OOB Service Point.

Section 6.1: Configure Out of Band Management Service Point on ConfigMgr 2007

http://technet.microsoft.com/en-us/library/cc161822(TechNet.10).aspx

In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Site Management > Pro vpro Demo SCCM > Site Settings > Component Configuration
Right-click Out of band management component, and then click Properties
On the General tab, under the Provisioning Settings, click Browse to select the Active Directory container to store each AMT object
Click Yes at the security warning

Select Out of Band Management Controllers from the Domain (vprodemo in this example). This is the OU created in Section 3.0
Click OK
Click Set and provide the MEBx admin password (e.g. P@ssw0rd) to be set during provisioning. The password must be a strong password (8 or more characters, a special character, and a mixture of upper and lower case characters).
Note: This MEBx password setting is used for ConfigMgr 2007 to change the local password on the Management Controller during the provisioning process. By default, the factory setting for the password is admin. If this password was manually changed locally on the MEBx, this will be ignored. This password will modify the local and remote MEBx password of AMT during the provisioning process.
Click OK on the MEBx Account dialog
Leave AMT Provisioning Port as default: 9971
Note: AMT Provisioning port can be modified if necessary, but requires modification on each Intel AMT system.

Check the box to Register ProvisionServer as an alias in DNS
Note: This creates an Alias in your DNS environment to allow provisioning hello packets from AMT to get routed to the ConfigMgr 2007 server. This is not required for Agent Initiated Provisioning using the ConfigMgr 2007 Client Agent. Also, the necessary rights to your DNS environment would need to be granted to allow for the ConfigMgr 2007 server to update an Alias record in your DNS environment.
Under the Certificates section, click Browse and select a valid Remote Configuration Provisioning Certificate (Intel(R) Client Setup Cert Verisign vprodemo Backup.pfx is used in this example). This certificate is the Provisioning Certificate that was either purchased from a 3rd party Certificate Authority (e.g. VeriSign) or created from an Internal CA.

For complete steps to create an external Provisioning Certificate for a 3rd party Certificate Authority: http://technet.microsoft.com/en-us/library/cc161804(TechNet.10).aspx#BKMK_AMTprovisioning1

For complete steps to generate your own certificate from an internal PKI, see: Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management: Windows Server 2008 Certification Authority, http://technet.microsoft.com/en-us/library/dd252737.aspx.

You can also refer to Intel vpro Expert Center for steps to purchase a certificate: http://communities.intel.com/openport/blogs/proexpert/2008/03/19/how-to-procure-and-install-a-verisign-cert-for-remote-configuration-on-scs

Click Open
Enter the password for this certificate and click OK
Note: If the password is incorrect, you will receive an Invalid Password message. If the certificate is not a valid Remote Configuration Certificate, you will receive an Invalid Certificate message.
Click Select for the AMT Certificate Template
Select ConfigMgr AMT Web Server Certificate
Click OK
Click Apply
Note: The ConfigMgr AMT Web Server Certificate Template was previously generated within this image and the steps to create it are not covered in this section. The ConfigMgr 2007 Help file has complete steps on how to create and apply the appropriate settings to this template. These steps will vary based on the environment.

Please refer to Microsoft TechNet and closely review the necessary PKI Certificates required for Out Of Band Service Point - http://technet.microsoft.com/en-us/library/cc161874(TechNet.10).aspx

On the AMT Settings tab, click the Accounts icon to add an AMT User
Note: These are Windows Domain accounts/groups that ConfigMgr 2007 applies to AMT during the provisioning phase. These accounts will be authenticated via Kerberos during the OOB management sessions.
In the AMT User Account Setting window, click Browse and add the VPRODEMO\Administrator account, click OK
Note: Please review Microsoft TechNet documentation to understand the appropriate users and rights for your environment. This example simply uses the domain administrator for lab testing purposes only.
Choose Platform Administration.
Check all of the boxes for the related Supported AMT Features for this account, click OK

Click Apply
In the Default IDE-redirect image text box, enter a previously defined share location that will host your .iso images to be used with redirection capabilities (\\SCCMSP2\IDER\dos_gold.iso is used in this example).
Check the following boxes:
Enable Web interface for AMT systems
Enable serial over LAN and IDE-redirect for AMT systems
Allow ping responses
Enable BIOS password bypass for power on and restart commands
Enable Support for Intel WS-MAN Translator (this allows OOB Service Point to communicate with AMT systems that have firmware less than 3.2.1)
Default setting for Kerberos clock tolerance (5)
Click Apply

On the Provisioning Settings Tab, click User and Password to add a Digest
Note: This is a digest account and password that is used to authenticate to the management controller during provisioning (this is not a domain account). You should add the admin password to match the local MEBx password modified when going into the MEBx (CTRL+P). If you have not modified the MEBx on the system, ConfigMgr 2007 is programmed to try the default OEM password of admin.
Enter:
Name: TestUser used in this example
Password: P@ssw0rd (using a zero in this example)
Click OK
Click OK again.
Note: This digest account can be used when you have a mixed environment where the MEBx has been modified to different passwords (e.g. different ISV consoles), and ConfigMgr can use this user/password information to connect to these Intel vpro systems.

You have completed the installation and configuration of the Out Of Band Service Point in ConfigMgr 2007 SP2.

Section 6.2: Configure Network Discovery for Management Controllers

In this section, we will configure ConfigMgr 2007 to be able to discover AMT Management Controllers in a lab setting.

In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Site Management > VPD vpro Demo Site > Site Settings > Discovery Methods
In the right hand window, right-click Network Discovery, and then click Properties
On the General tab, select Enable discovery of management controllers
Click OK

Section 6.3: Configure New Site Boundary

In this section, we will configure a ConfigMgr 2007 Site Boundary for a lab setting. Net Boundary is only one type of boundary and other options are available. At least one Site Boundary must be set up and configured. Some configuration settings in these steps will vary based on your lab setup.
Note: the new site boundary is not required for OOB management of Intel vpro clients, but is required for agent installation on the clients.

In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Site Management > VPD vpro Demo Site > Site Settings
Right click on Boundaries and select New Boundary

Enter the following fields:
Description = Net Boundary
Site Code = Site Code (VPD-vPro Demo Site used in this example and may vary in your lab)
Type = IP Address Range
Starting Address = 192.168.0.10 (Use the IP Address range appropriate for your lab environment)
Ending Address = 192.168.0.254 (Use a small range to keep the discovery amount low)
Network Connection = Fast
Click OK

Section 7.0: ConfigMgr 2007 Collection Setup

In this section, you will configure your ConfigMgr 2007 Server with an Intel AMT Collection, set up your Intel vpro technology based system with a ConfigMgr 2007 Agent, and enable the agent to initiate the in-band Provisioning Process with your ConfigMgr 2007 Server.

Section 7.1: Create Intel AMT Unprovisioned Collection

In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections
Right click on Collections and select New Collection
In the New Collection Wizard, enter the name Unprovisioned vpro Clients and add optional Comments as required
Click Next

In the Membership Rules window, click the Query Rule Properties (it is the Database icon)
In the Query Rule Properties window, enter the name Unprovisioned vpro Clients
Click Edit Query Statement...
In the Unprovisioned vpro Clients Query Statement Properties window, click Show Query Language

In the Query Statement textbox, type:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_AMT_AGENT on SMS_G_System_AMT_AGENT.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_AMT_AGENT.AMT >= "0" and (SMS_R_System.AMTStatus != "3" or SMS_R_System.AMTStatus is NULL)

Note: This will pull all the clients that are enabled for Intel vpro technology and are in an unprovisioned state.
Note: Additionally, you can set up a collection for Provisioned Clients by using the following Query Statement:

Select * from SMS_R_System where AMTStatus=3

This will show ALL vpro systems that have been provisioned. For more information on Intel AMT status codes, see the link below: http://technet.microsoft.com/en-us/library/cc431387.aspx

Click OK and OK again on the Query Rule Properties
Note: Refer to Microsoft TechNet for complete details on this step: http://technet.microsoft.com/en-us/library/cc161856(TechNet.10).aspx
In the Membership Rules window, click Next

In the Advertisement window, add any desired advertisements and click Next
In the Security window, add any appropriate users or groups and click Next (keep default)

In the Confirmation window, click Close

Section 7.2: Configure Intel AMT Collection to Automatically Provision Intel AMT Devices

In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections > Unprovisioned vpro Clients
Right click on Unprovisioned vpro Clients and select Modify Collection Settings
In the Unprovisioned vpro Clients Settings window, click the Out of Band tab
Check the checkbox Enable Automatic out of band management controller provisioning and click OK
Note: This setting is what enables ConfigMgr 2007 Clients to automatically provision with ConfigMgr 2007.
Note: see Microsoft TechNet article for complete details: http://technet.microsoft.com/en-us/library/cc161955(TechNet.10).aspx

Add Intel AMT Columns to ConfigMgr 2007

In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections > Unprovisioned vpro Clients
Click the Unprovisioned vpro Clients collection, right click in the right hand window, and select View > Add Remove Columns
In the Add/Remove Columns window, add AMT Status, AMT Version, and Automatic AMT Provisioning to the Displayed columns
Click OK
In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Site Management > VPD vpro Demo Site > Site Settings > Discovery Methods
Double-click on Active Directory System Discovery
Note: With the collection defined, you can use any of the discovery methods that ConfigMgr 2007 provides (AD System Group, AD Security Group, AD System, AD User, Heartbeat, or Network) to discover the client. Refer to Microsoft documentation to understand the appropriate method for your environment. This method is used for lab testing purposes only.

In the Active Directory System Discovery Properties window General tab, check Enable Active Directory System Discovery
Click the button
In the New Active Directory Container window, select Local Domain and click OK
In the Select New Container window, select Computers
Click OK

On the Polling Schedule tab, check the box to Run discovery as soon as possible
Click Apply
Note: This will initiate a discovery of all the systems listed in the computer OU in the Active Directory.
After you run the discovery method, right click Collection and select Update Collection Membership
Click Yes to confirm that you want to proceed
Right click on All Systems and select Refresh
The client will now appear in the All Systems Collection
Note: It may take a couple of minutes for the system to show up. You may continue to click Update Collection until you see the client in the collection. The AMT status of the device will most likely be in an unknown state.

In this example, you will see ConfigMgr 2007 has discovered the HP7800 system that was joined to the domain. The AMT Status = Unknown at this time.

After the client is populated in the All Systems Collection, check to see if any of the systems are enabled for Intel vpro technology.

Right click on All Systems > Out of Band Management > Discover Management Controllers
Note: This will scan through your collection and validate which clients are enabled for Intel vpro technology and ready to be provisioned.
Click OK
After a few minutes, depending on the size of your collection, you can update your collection membership
Right click Collection and select Update Collection Membership
Click Yes to confirm that you want to proceed
Right click on Unprovisioned vpro Clients collection and select Refresh
The client will now appear in the Unprovisioned vpro Clients Collection, listed as Not Provisioned
Note: If you look back at the All Systems collection, you will now see the system listed as Not Provisioned. You will also see the version of AMT listed.

Section 8.0: ConfigMgr 2007 Agent Installation and In-Band Provisioning

There are several methods to perform a ConfigMgr 2007 Agent installation on an Intel vpro technology based system. The steps listed in this section are used simply for a lab environment. Refer to Microsoft documentation to understand the various methods to distribute Microsoft ConfigMgr 2007 Agent: http://technet.microsoft.com/en-us/library/bb633063(TechNet.10).aspx

On the ConfigMgr 2007 Server, copy the entire directory C:\Program Files\Microsoft Configuration Manager\Client to a USB drive (or other device to copy to your Intel vpro technology based systems).
Copy this Client directory to each of your Intel vpro technology based systems.

On the client system, open a command prompt and navigate to the Client folder you copied over to the client system.
From the command prompt, run the following command:

ccmsetup /mp:sccmservername /logon smssitecode=<3-letter ConfigMgr 2007 site code>

Note: Make sure to use your ConfigMgr 2007 Server Name and the 3-letter site code for your lab environment (example: ccmsetup /mp:sccmsp2 /logon smssitecode=vpd). Run ccmsetup /? for a complete list of command switches.
Track the setup process by monitoring the process ccmsetup.exe in Task Manager

Installation is complete once the CcmExec.exe process is running in Task Manager
You can track the agent installation on the client in c:\windows\system32\ccmsetup\ccmsetup.log
Note: If you update the All Systems Collection in ConfigMgr 2007, you will see Yes in the Client Column after the Agent installation is complete.
On the client system, open the Control Panel
After the Agent installation is complete, you will see a Configuration Manager Icon

Double-click the Configuration Manager Icon
Select the Actions Tab
Click on Machine Policy Retrieval & Evaluation Cycle and click Initiate Action button
Click OK in the window indicating the action has been initiated
Repeat Previous Step: Click on User Policy Retrieval & Evaluation Cycle and click Initiate Action button
Click OK in the window indicating the action has been initiated
Note: This process will speed up the provisioning cycle rather than waiting for the scheduled event to occur.

After the Agent has pulled down the machine policies from the ConfigMgr 2007 server, you will see more Actions listed in the Actions tab of the Configuration Manager
Note: You can track the progress by monitoring the logs directory c:\windows\system32\ccm\logs
OOBMGMT.log will track the progress of the auto provisioning of AMT.
PolicyAgent.log will track all of the policies pulled down by the agent from the ConfigMgr 2007 server.
After a few minutes, provisioning will complete and you can update your collection membership on your ConfigMgr 2007 Server
Right click Collection and select Update Collection Membership
Click Yes to confirm that you want to proceed
Right click on All Systems collection and select Refresh
The client will now appear in the All Systems Collection as Provisioned and will no longer be listed in the Unprovisioned vpro Clients collection
Note: You can track the provisioning progress under C:\Program Files\Microsoft Configuration Manager\Logs\Amtopmgr.log

Section 9.0: Legacy Provisioning

If you are provisioning Intel vpro clients that have a version of Intel AMT less than 3.2.1, you will need to install the Intel WS-MAN translator on the ConfigMgr 2007 server system.

For more information on the WS-MAN translator, follow the links below:
http://softwarecommunity.intel.com/articles/eng/3840.htm
Link to download translator: http://software.intel.com/en-us/articles/intel-ws-management-translator
Also, here is a link to information about how to set up and use the translator: http://communities.intel.com/openport/blogs/microsoft-vpro/2008/08/19/intel-wsman-translator-10-released

In addition, you will need to import client identification and authentication information using the ConfigMgr's Import Wizard. Once you have imported the client authentication information, you will need to manually configure Intel AMT on each Intel vpro client, using the Intel Management Engine BIOS Extension (Intel MEBx).

NOTE: If you are provisioning clients with Intel AMT 3.2.1 or greater and are choosing not to install the ConfigMgr 2007 agent on the clients (referred to as In-Band provisioning), then you do not need to install the WS-MAN translator. In this case, follow the procedures in section 9.2 to import the client authentication information into ConfigMgr 2007, after which the clients will be automatically provisioned (provided you have installed and configured a certificate server with a matching provisioning cert) once they have been restarted and allowed to boot to the Windows OS.

Section 9.1: Intel WS-MAN Translator Installation and Configuration

Web Services Management (WS-MAN) describes the interaction and execution order among the various PC components to execute a management command. ConfigMgr 2007 communicates with Intel AMT using WS-MAN only. However, versions of Intel AMT older than version 3.2.1 do not understand WS-MAN. They understand only the EOI protocol (Intel AMT 3.2.1 and above works with both WS-MAN and EOI). So, Intel developed the WS-MAN translator to translate WS-MAN to EOI and vice-versa.

Generate a Certificate Request on SCCM Server for Intel WS-MAN Translator

On the SCCM Server, go to Start > All Programs > Administrative Tools > Internet Information Services (IIS).
Expand Web Sites and right-click on Default Web Site and select Properties.
In the Default Web Site Properties window, select the Directory Security tab.
In the Secure Communications section, click the Server Certificate button.

This will launch the Web Server Certificate Wizard.
Click Next.
In the IIS Certificate Wizard window, select Create a new certificate.
Click Next.
Select Send the request immediately to an online certification authority.
Click Next.

Enter a Name for the certificate: WS-MAN Translator Server Certificate.
Click Next.
Enter Organization Information
Organization: Intel
Organization Unit: Training
Click Next.
Enter the Common name: sccmsp2.vprodemo.com
Note: The Common Name must match the FQDN of the SCCM Server.
Click Next.

Enter your Geographical Information
Country: US
State: Oregon
City: Hillsboro
Click Next.
Enter 443 for the SSL Port for this web site.
Click Next.
In the Choose a Certification Authority window, select vprodemdc.vprodemo.com\vprodemoc A
Note: This will send your web server certificate request to this CA.
Click Next.

Confirm your request and click Next.
Once the Wizard is complete, click Finished.

Install Intel WS-Man Translator on the SCCM Server

On the SCCM Server, go to C:\Install and double-click the WsTransSetup 532.msi setup file.
In the Intel WS-Management Translator setup window, click Next.

Click Next.
During the installation, keep all of the default settings until the installation wizard is complete and installation has finished.
Once the installation is complete, you will see a new program has been added to your All Programs Group: Intel WS-Management Translator.

Configure Intel WS-Man Translator

Click Start > All Programs > Intel WS-Management Translator > wtranscfg.exe to configure the Translator.
In the WS-Translator Configuration Wizard window, select:
Set common setup accounts
Set TLS/forwarding options
Set WinRM Options (optional)
Note: You can set common runtime accounts that the translator will use to connect to legacy management controllers. Instead, for this lab, we will configure Delegation for the SCCM server in the next section.
Click Next.

In the Set initial setup password window, enter P@ssw0rd for the setup password (admin is default user).
Click Next.
In the Set Common Pre-Shared Key window, leave the default Key Name and Key Values.
Note: Remember these values so you can manually enter this information into the Intel MEBx in the next lab module. Also, for real world implementations, you should select a more random and secure PID and PPS for security reasons.
Click Next.

In the Import Common Setup Certificate window, click Browse.
Browse to c:\certificates and open the Intel Client Setup Cert Verisign vprodemo Backup.pfx file.
Password on the Certificate: Pr0t3ct!0n
Click Next.
Note: This is the Verisign Certificate (previously purchased for this training) used for Remote Provisioning.
Uncheck Allow Basic Authentication, if desired.
In the Select TLS/forwarding options window, select (default options):
Listening Port: 443
Forwarding Port: 16993
For the Server Certificate, select the WS-Man Translator certificate created in the previous step: CN=sccmSP2.vprodemo.com Thumbprint=CD7A1097E822DD9B3E0FBBFF3D65906230AE305D (the thumbprint varies per certificate you created; view the thumbprint on the certificate created in the previous step)
Click Finished.
Click OK to restart the Translator Service.

Validate Intel WS-Man Translator is configured properly

On the ConfigMgr 2007 Server, open Internet Explorer and go to https://sccmSP2.vprodemo.com/wstrans
You will see the following web page if the WS-Man Translator is configured properly, including the Web Server Certificate.

Congratulations! You have just installed and configured the Intel WS-Management Translator for SCCM to be used with legacy Intel AMT systems (firmware < 3.2.1).
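The browser check above can also be scripted so that the certificate served on the Translator's listening port is compared with the one selected in the configuration wizard. The following PowerShell is an added example, not part of the original guide: the function name is hypothetical, and the host name, port and thumbprint are the lab values shown in this section.

```powershell
# Added example; not part of the original guide. Function name is hypothetical.
function Test-TranslatorCertificate {
    param(
        [string]$HostName = 'sccmSP2.vprodemo.com',   # lab FQDN used in this guide
        [int]$Port = 443,                              # Translator listening port
        [Parameter(Mandatory = $true)]
        [string]$ExpectedThumbprint                    # value selected in wtranscfg.exe
    )

    $x509 = 'System.Security.Cryptography.X509Certificates'
    $tcp  = New-Object System.Net.Sockets.TcpClient
    $ssl  = $null
    try {
        $tcp.Connect($HostName, $Port)
        $stream = $tcp.GetStream()

        # Accept whatever the server presents so the handshake completes and the
        # certificate can be inspected; the trust decision is made explicitly below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList @($stream, $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)

        $cert = New-Object "$x509.X509Certificate2" -ArgumentList $ssl.RemoteCertificate

        # Build the chain against this machine's trust store (revocation is
        # checked online by default, so the CA's CRL must be reachable).
        $chain        = New-Object "$x509.X509Chain"
        $chainTrusted = $chain.Build($cert)
        $chainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

        # DnsName returns the subject alternative name if present, else the CN.
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

        # Thumbprints copied from the certificate dialog often contain spaces.
        $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        $now      = Get-Date

        $result = [pscustomobject]@{
            HostName          = $HostName
            Subject           = $cert.Subject
            Thumbprint        = $cert.Thumbprint
            ThumbprintMatches = ($cert.Thumbprint -eq $expected)
            NameMatches       = ($dnsName -ieq $HostName)   # wildcard names not handled
            WithinValidity    = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
            NotAfter          = $cert.NotAfter
            ChainTrusted      = $chainTrusted
            ChainStatus       = ($chainStatus -join ', ')
        }
        # Overall verdict: the expected certificate, for this name, valid and trusted.
        $pass = $result.ThumbprintMatches -and $result.NameMatches -and
                $result.WithinValidity -and $result.ChainTrusted
        $result | Add-Member -NotePropertyName Pass -NotePropertyValue $pass -PassThru
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

# Lab values from this guide; the thumbprint differs for every certificate.
# Test-TranslatorCertificate -ExpectedThumbprint 'CD7A1097E822DD9B3E0FBBFF3D65906230AE305D'
```

A result with ThumbprintMatches = False means the web site is bound to a different certificate than the one chosen for the Translator, which is worth resolving before any AMT credentials are sent through it.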

Modifying Windows Remote Management (WinRM)

On the SCCM Server, open a command prompt and run the following command:

winrm set winrm/config/client/auth @{Basic="true"}

(The command line is case sensitive.) Note the spaces and syntax in the image. You should see Basic = True returned.
Note: When SCCM does provisioning and collection based power control, it connects to the Intel AMT client with digest credentials. To get the Translator to accept digest credentials, you need to enable Basic Authentication in WinRM.

Set Delegation for the SCCM Server

When the WS-MAN Translator passes credentials from the OOBC to the Intel vpro client, it is doing it as Delegated. For the Active Directory to allow this, you need to check Trust computer for delegation on the SCCM server AD object. This will keep the token valid when it is passed. Just browse to the computers in the AD, open up the properties for the ConfigMgr 2007 server and check the box located on the General tab.

On your Domain Infrastructure Image, click Start > All Programs > Administrative Tools > Active Directory Users and Computers > vprodemo.com > Computers.
Right-click on SCCMSP2 Server and select Properties.
Check the box Trust Computer for Delegation.
Click OK.
Note: Reboot the ConfigMgr 2007 Server image after the previous installation and changes were made.
Note: If you do not do this, you will need to set up the WS-MAN Translator run time account (during the configuration steps above) with a user that has permission to the Intel AMT client. At that point the credentials configured in the run time account are used to manage the client.

Section 9.2: ConfigMgr Import Wizard for PSK Provisioning with Intel WS-MAN Translator

The Import Computer for Out of Band Management Wizard in Configuration Manager 2007 SP2 imports new computer information into the Configuration Manager database. This allows administrators to provision computers for Intel AMT when:
Computers do not have the Configuration Manager 2007 SP2 client installed, including computers that currently have no operating system installed (aka Bare Metal Provisioning)
Legacy Intel AMT systems (<3.2.1) that are not natively supported by ConfigMgr 2007 and use the Intel WS-Man Translator for Provisioning
Intel AMT systems that are being migrated from another Provisioning environment to a ConfigMgr 2007 environment (e.g. SMS -> ConfigMgr)
(http://technet.microsoft.com/en-us/library/cc161950(TechNet.10).aspx)

Collect System Information on the client system to import into SCCM

On the client system, right click on Computer and select Properties.
Record the Host Name and the Full Computer Name (FQDN).
On the desktop of the client system, create a script GetProvisionData in the folder c:\uuid Info using the code example in the appendix of this document. Create the new folder if necessary.
Once the script is created, open the c:\uuid Info folder.
Double-click the GetProvisionData script.

This utility will pull the Host Name, FQDN, MAC Address, and UUID of the system and display them in a window.
Record this information for later use in the ConfigMgr Import Wizard.
Click OK.

Import Intel vpro System Information into ConfigMgr OOB Import Wizard

In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management.
Right-click on Collections, and select Import Out of Band Computers.
Note: This will launch the OOB Import Wizard.

In the OOB Import Wizard, select Import single computer.
Note: You can use the file option to import multiple systems at once (e.g. for migration purposes).
Click Next.
In the Single Computer import window, use the information you recorded previously from your client system to enter:
- Computer Name
- FQDN
- MAC Address (Enter 11:11:11:11:11:11 for MAC)
- SMBIOS GUID (this is the UUID you recorded)
- MEBx Password = P@ssw0rd
- Confirm Password = P@ssw0rd
- Remote Admin Password = P@ssw0rd
- Confirm Password = P@ssw0rd
Note: The Intel MEBx and Remote Admin passwords are only needed if the Intel AMT passwords are different than what was set in the OOB Component Settings.
Click Next.
Confirm the Data Preview and click Next.

In the Choose Target Collection screen, select Add new computers only to the All Systems collection.
Click Next.
Confirm the summary information displayed and click Next.

The Wizard will complete and confirm the import was successful.
Click Close.
In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections.
Right-click All Systems and select Update Collection Membership.
Refresh the Collection.
Note: You will now see the system you imported into the All Systems Collection; AMT Status Unknown. ConfigMgr 2007 is now waiting for Hello Packets with a PSK from the Intel vpro client system.

Manually enter the PID / PPS into Intel MEBx

Reboot the client and press CTRL + P to enter the Intel MEBx Interface.
Enter the password: P@ssw0rd.
Select Intel (R) AMT Configuration and press Enter.
Select Un-Provision and Enter.
Click Y for Yes to Reset Intel AMT.
Select Full Unprovision and Enter.
Select Setup and Configuration and Enter.
Select TLS PSK and Enter.
Select PID and PPS and Enter.
Enter PID = 4444-4444.
Enter PPS = 0000-0000-0000-0000-0000-0000-0000-0000.
Exit from the Intel MEBx and let system reboot.
Note: You will recall that these same PID/PPS keys were used during the setup of the Intel WS-Man Translator. Upon reboot, the system will send hello packets to the SCCM server with PID/PPS.

Intel AMT Provisioning Log

On the ConfigMgr 2007 Server Image, open the AMT Provisioning Log (C:\Program Files\Microsoft Configuration Manager\Logs\amtopmgr.log).
In this log, you will see the Hello packets from your HP7800 system with the matching PID (4444-4444). This Hello packet will start the provisioning process.
Note: If the PID/PPS keys were not imported or do not match, the provisioning process will fail and the log will indicate that the system has not been imported into ConfigMgr 2007.

Section 10.0: Helpful ConfigMgr 2007 Logs for Troubleshooting

Section 10.1: Server Logs

C:\Program Files\Microsoft Configuration Manager\Logs
- AMTOPMGR.LOG - log for tracking provisioning process
- AMTPROXYMGR.LOG - log to help identify failures with CA and OU

C:\Program Files\Microsoft Configuration Manager\AdminUI\AdminUILog
- OOBConsole.log - log for tracking OOB Management Console activity (note: for more detailed information, change "Error" to "Verbose" in the following file: c:\program Files\Microsoft Configuration Manager\AdminUI\bin\oobconsole.exe.config)

Section 10.2: Client Logs

C:\windows\system32\ccm\logs
- oobmgmt.log - log to track the provisioning of AMT

C:\windows\system32\ccmsetup
- ccmsetup.log - log to track installation progress of ConfigMgr 2007 Client Agent

Section 11.0: Resources

Intel vpro Expert Center devoted to Microsoft products and Intel vpro technology - http://communities.intel.com/openport/blogs/microsoft-vpro

Microsoft TechNet Reference Material
- System Center Configuration Manager 2007 - http://technet.microsoft.com/en-us/library/bb735860(TechNet.10).aspx
- Out of Band Management in ConfigMgr 2007 SP2 - http://technet.microsoft.com/en-us/library/cc161989(TechNet.10).aspx

Intel Software
To support systems earlier than 3.2.1, an Intel WS-Man Translator is required with ConfigMgr 2007.
- Intel WS-MAN Translator version 1.1 - http://softwarecommunity.intel.com/articles/eng/3840.htm

Appendix: Code Example for GetProvisioningData Script

'SCCM Import Data Generation Script
'Created by Dan Brunton, Intel Corporation
'This script will connect to the local system via WMI and output the hostname, FQDN, MAC address and UUID to a file.
Option Explicit

'Define the variables used in the script.
Dim objnicinfo, objnic, objsyscomps, objitem, objservice, objsysmac, objnetwork, objfso, objfolder, objshell, objtextfile, objfile
Dim struuid, strhostname, strdnsdomain, strmac, strdirectory, strfile, strtext

'Change this to point to whatever directory you want the script to write to. It could be a local path or a network share.
strdirectory = "c:\temp"
'Change this to the file name you want to have the data written to.
strfile = "\import.csv"

'Define the WMI interface object to retrieve information with (root\cimv2 namespace on the local computer).
Set objservice = GetObject("winmgmts:\\.\root\cimv2")

'Use the Win32_NetworkAdapter class to retrieve the MAC address and computer name for supported network adapters.
'Depending on the platform you are using, you may need to add or change NIC descriptions in the query below.
Set objnicinfo = objservice.execquery("select * FROM Win32_NetworkAdapter where description='intel(r) 82566DM Gigabit Network Connection' or Description = 'Intel(R) 82566MM Gigabit Network Connection'")
For Each objnic In objnicinfo
    strmac = objnic.macaddress
    'The hostname comes in as upper case, LCase changes it to lower case. There is no functional need to do this, it is purely aesthetic.
    strhostname = LCase(objnic.SystemName)
Next

'Use the Win32_NetworkAdapterConfiguration class to get the DNS suffix for the NIC identified above.
Set objnetwork = objservice.execquery("Select * from Win32_NetworkAdapterConfiguration WHERE MACAddress = '" & strmac & "' and DNSHostName = '" & strhostname & "'")
For Each objitem In objnetwork
    strdnsdomain = objitem.dnsdomain
Next

'Get the UUID.
Set objsyscomps = objservice.execquery("select * from Win32_ComputerSystemProduct")
For Each objitem In objsyscomps
    struuid = objitem.uuid
Next

'Assemble the various data elements into a single string.
strtext = strhostname & "," & strhostname & "." & strdnsdomain & "," & strmac & "," & struuid

'This section writes information retrieved from the script to a file.
Set objfso = CreateObject("Scripting.FileSystemObject")

'Check to see if the strfile exists and create it if it does not.
If objfso.fileexists(strdirectory & strfile) Then
    Set objfolder = objfso.getfolder(strdirectory)
Else
    Set objfile = objfso.createtextfile(strdirectory & strfile)
End If
Set objfile = Nothing
Set objfolder = Nothing

Const ForAppending = 8
'Create the file object.
Set objtextfile = objfso.opentextfile(strdirectory & strfile, ForAppending, True)
'Append the value of strtext to the text file and close it.
objtextfile.writeline(strtext)
objtextfile.close
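A sanity check for the import.csv lines that the GetProvisioningData script appends, given here as an added Python example (it is not part of the Intel guide or of the script itself). It assumes the script's hostname,fqdn,mac,uuid line layout; the function name and the sample rows are constructed for illustration.

```python
import csv
import io
import re

MAC_RE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$")
UUID_RE = re.compile(r"^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$")

# Constructed sample of import.csv content (not real systems).
SAMPLE = (
    "hp7800-01,hp7800-01.vprodemo.com,00:1A:2B:3C:4D:5E,4C4C4544-0042-3510-8052-B4C04F4A3731\n"
    "hp7800-02,hp7800-02.,00:1A:2B:3C:4D:5F,FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF\n"
    ",.,,\n"
    "hp7800-01,hp7800-01.vprodemo.com,00:1A:2B:3C:4D:5E,4C4C4544-0042-3510-8052-B4C04F4A3731\n"
)


def check_import_rows(text):
    """Split 'hostname,fqdn,mac,uuid' lines into valid rows and problems."""
    valid, problems, seen = [], {}, {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        fields = [f.strip() for f in row]
        if not any(fields):
            continue  # skip blank lines
        if len(fields) != 4:
            problems[lineno] = ["expected 4 fields, got %d" % len(fields)]
            continue
        host, fqdn, mac, uuid = fields
        mac, uuid, errs = mac.upper(), uuid.upper(), []
        if not host:
            errs.append("empty hostname (no NIC matched the description query?)")
        # The script builds the FQDN as hostname & "." & dnsdomain.
        prefix = host.lower() + "."
        if not (fqdn.lower().startswith(prefix) and len(fqdn) > len(prefix)):
            errs.append("FQDN is not hostname plus a DNS domain")
        if not MAC_RE.match(mac):
            errs.append("MAC is not six colon-separated hex octets")
        if not UUID_RE.match(uuid):
            errs.append("UUID is not in 8-4-4-4-12 hex form")
        elif set(uuid) <= {"0", "-"} or set(uuid) <= {"F", "-"}:
            # SMBIOS uses all-zero / all-FF UUIDs to mean "no ID present".
            errs.append("UUID is an SMBIOS 'not set' placeholder")
        # The script appends, so reruns and shared files produce duplicates.
        for kind, value in (("MAC", mac), ("UUID", uuid)):
            if value and value in seen:
                errs.append("duplicate %s, first seen on line %d" % (kind, seen[value]))
            elif value:
                seen[value] = lineno
        if errs:
            problems[lineno] = errs
        else:
            valid.append((host, fqdn, mac, uuid))
    return valid, problems
```

Fix or drop the reported lines before entering the recorded values in the OOB Import Wizard.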

Intel vpro Processor Technology Out of Band Management Quick Start Guide

*Other names and brands may be claimed as the property of others.

Copyright 2008, 2009, 2010 Intel Corporation. All rights reserved. Intel, the Intel logo, Intel. Leap ahead, the Intel Leap ahead Logo, Centrino, the Centrino logo, Intel Core, vpro, the vpro logo, Intel SpeedStep, Pentium, Core and Celeron are registered trademarks of Intel Corporation in the United States and other countries.

Intel Active Management Technology requires the computer system to have an Intel AMT-enabled chipset, network hardware and software, as well as connection with a power source and a corporate network connection. Setup requires configuration by the purchaser and may require scripting with the management console or further integration into existing security frameworks to enable certain functionality. It may also require modifications of implementation of new business processes. With regard to notebooks, Intel AMT may not be available or certain capabilities may be limited over a host OS-based VPN or when connecting wirelessly, on battery power, sleeping, hibernating or powered off. For more information, see http://www.intel.com/technology/manage/iamt/

INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR.

Intel Corporation may have patents or pending patent applications, trademarks, copyrights, or other intellectual property rights that relate to the presented subject matter. The furnishing of documents and other materials and information does not provide any license, express or implied, by estoppel or otherwise, to any such patents, trademarks, copyrights, or other intellectual property rights. Intel may make changes to specifications and product descriptions at any time, without notice.

Intel Active Management Technology requires the platform to have an Intel AMT-enabled chipset, network hardware and software, connection with a power source, and a network connection.