Wednesday, 19 December 2012

Intel(R) AMT connection error 0xc000520d: A Soap Fault occurred. (0xc000520d)

Hi everyone,

When you try to configure a system running the ACU configurator you may receive the following error:

Intel(R) AMT connection error  0xc000520d: A Soap Fault occurred.  (0xc000520d).


When you run the ACU configurator again it succeeds. The only way to reproduce the error again on the same system is to run a full unconfiguration, delete it from SCS and run the ACU Configurator again.  

The issue occurred for me when I had selected home domains but did not include the DNS suffix that option 15 returned. I assumed it only required the domain.


Now a lot of people will not have this issue because 90% of the time Option 15 will be set to your domain.

Hope this helps



Monday, 3 December 2012

Additional Steps to Customise your Intel MPS Solution

Hi All,

If you need help setting up Intel's Management Presence Server (MPS) then look no further. Intel have a video blog which is located here.

I recently followed these instructions for a client and I thought I would share the additional steps I used to create a seamless solution.

The client wanted to support their employees over the internet by remote controlling their systems, so the solution I provided is geared around this outcome.

To make the solution easy and seamless, I did not want the support team changing proxy settings and checking services. I wanted the support team to click one button to control the end user's system. To do this I created a dedicated server for MPS and support services.

It goes like this:
  • Employee calls for help
  • Support team member logs onto MPS server, clicks one button
  • That button checks to ensure all required services are running and if they are not they are started. 
  • Once all the services are running, VNC Plus opens and the support team member can type in the computer name to remote control the system.

Below are the additional steps to make this happen.
  • Modify the SCS profile to include your MPS Server 
  • Change the Internet Explorer Proxy Settings (If you want to get to the AMT Web GUI)
  • Allow port 12345 into your DMZ and forward it to your MPS server  
  • Add the proxy settings to VNC plus
  • Add the proxy settings to your customised application (If you want it to work with your MPS server)
  • Add the proxy setting to KVM View (If you want it to work with your MPS server)
  • Streamline the support process

1. Modify the SCS profile to include your MPS Server

1.1 Modify your SCS profile to include Home Domains, Remote Access, and WiFi Connection



1.2 Add all of your internal domains. This is so the Intel system knows when it's internal or external to your domain. Also tick the option All Intel(r) AMT functionality via VPN.


1.3 Now you need to add a Management Presence Server and a Remote Access Policy. Click on the Add button.


1.4 Management Presence Server

  • IP Address: Your external IP address and port number. The port number is the port number you set in the second video for stunnel. The default is 12345
  • Server Authentication: The Root CA you created from the first video
  • Common Name: FQDN of your MPS server 
  • System Authentication: The username and password that will be used to authenticate.

1.5 Remote Access Policy

  • Policy Name: Call it whatever you like.
  • Options: Fast Call for All, OS and BIOS Interface
  • Preferred Server: The MPS Server you created from section 3.1

1.6 If you don't already have WiFi support please add it. 


2. Change the Internet Explorer Proxy Settings

2.1 To access the Web GUI of your client you will need to point Internet Explorer to your MPS server. The port used is whatever you assigned to Apache (httpd.conf) and your MPS Server (mps.config)


3. Allow port 12345 into your DMZ and forward it to your MPS server 

3.1 You will need to allow and forward the port you set in stunnel.conf to your MPS Server. In this example it is 12345.


4. Add the proxy settings to VNC plus

4.1 To remote control the system you will need to add the proxy settings to your VNC plus connection. 
  • HTTP Proxy: The port you assigned in Apache (httpd.conf) and your MPS server (mps.config)
  • SOCKS 5 Proxy: The port you assigned to SOAP to the MPS server (mps.config) and your Proxy Socks port for Apache in (httpd.conf)
  • Username and Password: Not required.

5. Add the proxy settings to your customised application

5.1 If you created your own customised application as I did here, you will need to add the HTTP and SOCKS proxy settings as you did for VNC Plus.

6. Add the proxy setting to KVM View 

6.1 To remote control the system using KVM View you will need to add the proxy settings to your KVM View connection. 
  • HTTP Proxy: The port you assigned in Apache (httpd.conf) and your MPS server (mps.config)
  • Redirection Proxy: The port you assigned to SOAP to the MPS server (mps.config) and your Proxy Socks port for Apache in (httpd.conf)
  • Auto proxy include list: The system you want to remote control


7. Streamline the support process

My idea was to make the solution as seamless as possible. If a user called for support, help desk would log onto the MPS Server, click on one icon and then would be controlling the user's system.

For this to happen complete the following:
  • Install VNC Plus onto your MPS server
  • Create a new root directory called MPS_Services and copy the contents from the SDK directory AMT8.1.4198\Windows\Intel_AMT\Bin\MPS into it.
  • Copy MPSNotification.exe from AMT8.1.4198\Windows\Intel_AMT\Bin to C:\MPS_Services

  • Create a bat file called (MPS.Bat with the following command)
  • Create a bat file called (MPSNotification.bat with the following command). Change the IP address to your MPS Server and the port to what you set in NotificationList.config too.

  • Create a VBS script called StartMps.vbs and send the shortcut to the desktop for all users. This is what the support team will run; it performs all the necessary checks and starts VNC Plus.

Set WshShell = WScript.CreateObject ("WScript.Shell")
Set colProcessList = GetObject("Winmgmts:").ExecQuery ("Select * from Win32_Process")
'==============================================================================================

Dim vFoundApacheMonitor,vFoundstunnel,vFoundmps,vFoundMPSNotification 

'Check if Apache is running
Const strServiceName = "Apache2.2"
Set oShell = CreateObject("Shell.Application")

If Not oShell.IsServiceRunning(strServiceName) Then
  oShell.ServiceStart strServiceName, False
  Msgbox "Starting Apache2.2 service",, "Service Apache Starting"
End If

For Each objProcess in colProcessList
'check to see if ApacheMonitor.exe is running 
    If objProcess.name = "ApacheMonitor.exe" then
            vFoundApacheMonitor = True
    End if
    If objProcess.name = "stunnel.exe" then
            vFoundstunnel = True
    End if
    If objProcess.name = "MPS.exe" then
            vFoundmps= True
    End if
    If objProcess.name = "MPSNotification.exe" then
            vFoundMPSNotification = True
    End if
Next
If vFoundApacheMonitor = "" Then 
    WshShell.Run """C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe"""
    msgbox "Starting Apache Monitoring",, "Apache Monitoring Starting"
end if
If vFoundstunnel = "" Then 
    WshShell.Run """C:\Program Files\stunnel\stunnel.exe"""
    msgbox "Starting stunnel",, "Stunnel Starting"
end if
If vFoundmps  = "" Then 
    WshShell.Run "C:\MPS_Services\MPS.bat"
    msgbox "Starting MPS",, "MPS Starting"
end if
If vFoundMPSNotification  = "" Then 
    WshShell.Run "C:\MPS_Services\MPSNotification.bat"
    msgbox "Starting MPS Notification",, "MPS Notification Starting"
end if

Response = Msgbox ("All services are running that are required for Call For Help. Would you like to open VNC Viewer?",4,"Services Are Started")
If Response = 6 then
   WshShell.Run """C:\Program Files\RealVNC\VNCViewerPlus\vncviewerplus.exe"""
End if

Now all they need to do is click on one file and they are controlling the user's desktop.

Monday, 19 November 2012

Preferred command when provisioning vPro systems using SCS

Hi All,

When I set up SCS and provision a fleet of vPro systems I like to see the systems in the SCS Database.


To see them in the database, when you export the XML profile, be sure to tick the last option Put locally configured device in Admin Control Mode. I also put the systems in admin control mode because I want to leverage from the features that are only available in admin control mode. Check the difference out here 

Below is an example of the command that can be used to configure the systems:

ACUConfig.exe /verbose /lowsecurity configAMT Profile.xml /decryptionpassword P@ssw0rd

When you export the profile be sure to tick the last option to ensure the device goes into admin control mode and shows up in the SCS Database



Cannot establish a handle to the Intel(R) Management Engine Interface driver. Access is denied. (5)

Hi All,

If you are receiving the following error when you try to provision a vPro system using SCS and ACUConfig.exe, it will most likely be because UAC is on and you are not running the command as an administrator.

 ACU Configurator, Category: Exit Source: Src\ActivatorMain.cpp : wmain Line: 1096: ***********Exit with code 83 - The Intel(R) Management Engine Interface driver is not installed or cannot be accessed. 


When I deploy the package from SCCM I use a task sequence that allows you to use the Run As feature


WMI Access Denied error when provisioning a vPro system with SCS and ACUConfig.exe

Hi all,

If you are receiving the following error when you try to provision a vPro system, it will most likely be due to WMI permissions.

2012-11-20 12:19:25: Thread:1584(ERROR) : ACU Configurator , Category: ConnectServer Source: Src\WMIAccess.cpp : ConnectToNamespace Line: 146: A call to this function has failed - (0xc000278b) (Access denied-2147217405)


The command I am using to configure the system is as follows:


ACUConfig.exe /verbose /lowsecurity ConfigViaRCSOnly IPAddressofServer Profile  /WMIuser domain\useraccount /WMIuserpassword P@ssw0rd

You can verify that it is a WMI permissions issue by logging onto the system with the account you are trying to configure the system with and performing a WMI test:
  • Run Wbemtest by going to Start => Wbemtest
  • Click on Connect
  • Type in \\Your_Server\root\intel_RCS in the NameSpace location. Change Your_Server to your SCS server.

If you get the above access denied error you have a WMI permissions issue.
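The same check can be scripted. This is an added example, not part of the original post or of Intel's tooling: it connects to the namespace named above and separates a WMI namespace denial (0x80041003, which is the -2147217405 shown in the ACUConfig log) from a DCOM-level denial or an unreachable server. The server name is a placeholder, and the namespace list defaults to the only one the post names.

```powershell
# Added example. $ScsServer is a placeholder; root\Intel_RCS is the namespace named in the post.
# Run it from the client being provisioned (Windows PowerShell, Get-WmiObject).
param(
    [Parameter(Mandatory)] [string] $ScsServer,
    [string[]] $Namespaces = @('root\Intel_RCS'),
    # Account you pass to ACUConfig with /WMIuser; omit to test the logged-on user.
    [System.Management.Automation.PSCredential] $Credential
)

function Test-ScsWmiNamespace {
    param([string] $Server, [string] $Namespace, $Credential)

    $query = @{ ComputerName = $Server; Namespace = $Namespace; List = $true; ErrorAction = 'Stop' }
    if ($Credential) { $query.Credential = $Credential }

    $result = [ordered]@{ Server = $Server; Namespace = $Namespace; Status = 'OK'; Detail = '' }
    try {
        # Listing classes requires a successful remote connection to the namespace.
        $classes = @(Get-WmiObject @query)
        $result.Detail = "$($classes.Count) classes visible"
    }
    catch [System.Management.ManagementException] {
        # WMI answered, so DCOM let us in; the namespace security rejected the account.
        if ($_.Exception.ErrorCode -eq [System.Management.ManagementStatus]::AccessDenied) {
            $result.Status = 'WMI access denied (0x80041003)'
            $result.Detail = 'Check Execute Methods, Full Write and Remote Enable on this namespace'
        }
        else {
            $result.Status = "WMI error: $($_.Exception.ErrorCode)"
            $result.Detail = $_.Exception.Message
        }
    }
    catch [System.UnauthorizedAccessException] {
        # 0x80070005: rejected before WMI namespace security was evaluated.
        $result.Status = 'DCOM access denied (0x80070005)'
        $result.Detail = 'Check credentials and DCOM remote access on the server'
    }
    catch [System.Runtime.InteropServices.COMException] {
        # Typically "RPC server is unavailable": name resolution, firewall or service down.
        $result.Status = 'Server unreachable'
        $result.Detail = $_.Exception.Message
    }
    [pscustomobject] $result
}

$Namespaces | ForEach-Object { Test-ScsWmiNamespace -Server $ScsServer -Namespace $_ -Credential $Credential }
```

Pass the remaining namespaces from the SCS user guide with -Namespaces to test all of them in one run.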

To resolve the issue follow the steps below:
  • Log onto your SCS Server and load wmimgmt.msc. Right click on WMI Control (Local) and select properties

  • Select the Security Tab 

  • Make sure the account you are using to run ACUConfig.exe has the following permissions on all four namespaces.
    • Execute Methods
    • Full Write
    • Remote Enable



Intel has documented the required permissions in the SCS user guide on page 46

Sunday, 21 October 2012

Error when enabling the PXE support on a SCCM 2012 Distribution Point

Hi All,

Recently when I enabled PXE support for clients on a SCCM 2012 Distribution Point I received the following error in the SMSPXE.log located in C:\Program Files\SMS_CCM\Logs

failed to copy C:\RemoteInstall\SMSTempBootFiles\BAM00001\WINDOWS\Boot\PXE\pxeboot.com to C:\RemoteInstall\SMSBoot\x86\pxeboot.com
InstallBootFilesForImage failed. 0x80070003
Warning: Failed to copy the needed boot binaries from the boot image C:\RemoteInstall\SMSImages\BAM00001\boot.BAM00001.wim.
The operation completed successfully. (Error: 00000000; Source: Windows)
Failed adding image C:\RemoteInstall\SMSImages\BAM00001\boot.BAM00001.wim. Will Retry..
The system cannot find the path specified. (Error: 80070003; Source: Windows)



I found that C:\RemoteInstall\SMSBoot\x64 and C:\RemoteInstall\SMSBoot\x86 were also empty. 

Looking further into the log I could see that the boot images were being mounted and closed without doing anything.


The solution for me was to mount and unmount the images and then restart the WDS service. Everything worked like a charm. It must be a bug with the initial deployment.

dism /Mount-Wim /WimFile:C:\RemoteInstall\SMSImages\BAM00004\boot.BAM00004.wim /index:1 /MountDir:C:\RemoteInstall\SMSTempBootFiles\BAM00004

dism /Mount-Wim /WimFile:C:\RemoteInstall\SMSImages\BAM00001\boot.BAM00001.wim /index:1 /MountDir:C:\RemoteInstall\SMSTempBootFiles\BAM00001

dism /unmount-Wim /MountDir:C:\RemoteInstall\SMSTempBootFiles\BAM00001 /commit
dism /unmount-Wim /MountDir:C:\RemoteInstall\SMSTempBootFiles\BAM00004 /commit
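The workaround above as a script, for a distribution point with more than a couple of boot images. This is an added example, not the author's code: it uses the same dism switches and folder layout shown in the post, assumes the package ID is the name of the folder under SMSImages, and assumes the WDS service has its standard name, WDSServer.

```powershell
# Added example. Run elevated on the distribution point.
param([string] $RemoteInstall = 'C:\RemoteInstall')   # path used in the post
$ErrorActionPreference = 'Stop'

function Invoke-Dism {
    param([string[]] $Arguments)
    & dism.exe @Arguments | Out-Host
    if ($LASTEXITCODE -ne 0) {
        throw "dism $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Symptom from the post: SMSBoot\x86 and SMSBoot\x64 exist but contain no boot files.
$emptyArch = @('x86', 'x64' | Where-Object {
    $dir = Join-Path $RemoteInstall "SMSBoot\$_"
    -not (Test-Path -LiteralPath $dir) -or -not (Get-ChildItem -LiteralPath $dir -Force)
})
if ($emptyArch.Count -eq 0) {
    Write-Host 'SMSBoot\x86 and SMSBoot\x64 are populated; nothing to do.'
    return
}
Write-Host "Empty boot folders: $($emptyArch -join ', ')"

# Boot images are stored as SMSImages\<PackageID>\boot.<PackageID>.wim
$images = @(Get-ChildItem -Path (Join-Path $RemoteInstall 'SMSImages') -Recurse -Filter 'boot.*.wim')
foreach ($wim in $images) {
    $packageId = $wim.Directory.Name
    $mountDir  = Join-Path $RemoteInstall "SMSTempBootFiles\$packageId"

    # dism needs an existing, empty mount directory.
    if (-not (Test-Path -LiteralPath $mountDir)) {
        New-Item -ItemType Directory -Path $mountDir | Out-Null
    }
    elseif (Get-ChildItem -LiteralPath $mountDir -Force) {
        Write-Warning "$mountDir is not empty (stale mount?); skipping $packageId"
        continue
    }

    Write-Host "Remounting $($wim.FullName)"
    Invoke-Dism @('/Mount-Wim', "/WimFile:$($wim.FullName)", '/index:1', "/MountDir:$mountDir")
    Invoke-Dism @('/Unmount-Wim', "/MountDir:$mountDir", '/commit')
}

# WDS rebuilds the SMSBoot folders when it starts.
Restart-Service -Name WDSServer
Write-Host 'WDS restarted. Check SMSPXE.log and the SMSBoot folders.'
```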

Thursday, 20 September 2012

Modifying The Intel® Core™ vPro™ processor add-on for System Center Configuration Manager 2012

Hi All,

From the following link you will find the instructions to get the add-on running on your SCCM 2012 server.

I thought I would put together a step-by-step process to make it a little easier.

Below are the instructions you can use to get this on your SCCM 2012 server.



1. Install the add-on. 

The following error kept occurring when I tried to install it on my SCCM 2012 server. I decided to install the add-on on my Windows 7 PC and just copy the contents from my Windows 7 PC to my SCCM 2012 Server. 



From your Windows 7 PC copy the contents from C:\Program Files\Intel Corporation\Intel Core vPro processor add-on for System Center Configuration Manager 2007 to the same location on the SCCM 2012 server. 

2. Create the Right Click Action

Create the following folders if they don't already exist. I already had them because I am using the right click tools for SCCM 2012.

C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\XmlStorage\Extensions\Actions\3fd01cd1-9e01-461e-92cd-94866b8d1f39

C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\XmlStorage\Extensions\Actions\ed9dee86-eadd-4ac8-82a1-7234a4646e62

3. Create a new file called IntelvProExt.xml in each folder and paste the following code in it.

<ActionDescription Class="Group" DisplayName="Intel vPro" MnemonicDisplayName="Mnemonic" Description="Contains commands for Intel vPro hardware" SqmDataPoint="53">
<ShowOn>
    <string>ContextMenu</string>
</ShowOn>
  <ActionGroups>
    <ActionDescription Class="Executable" DisplayName="Start KVM" MnemonicDisplayName="Start KVM" Description="Starts a KVM session with Intel hardware">
       <ShowOn>
         <string>ContextMenu</string>
      </ShowOn>
      <Executable>
        <FilePath>C:\Program Files\Intel Corporation\Intel Core vPro processor add-on for System Center Configuration Manager 2007\kvmview.exe</FilePath>
        <Parameters>-host ##SUB:Name## -dns</Parameters> 
      </Executable>
      <ActionStateAssembly>
        <Assembly>.\AdminUI.CollectionMenuActions.dll</Assembly>
        <Type>Microsoft.ConfigurationManagement.AdminConsole.CollectionMenuActions.LaunchUtilities</Type>
        <Method>IsAMTPowerControlAndOOBConsoleEnabled</Method>
      </ActionStateAssembly>
    </ActionDescription>

    <ActionDescription Class="Executable" DisplayName="Set Alarm Clock" MnemonicDisplayName="Set Alarm Clock" Description="Schedules a time for Intel hardware to power on">
      <ShowOn>
         <string>ContextMenu</string>
      </ShowOn>
      <ActionStateAssembly>
        <Assembly>.\AdminUI.CollectionMenuActions.dll</Assembly>
        <Type>Microsoft.ConfigurationManagement.AdminConsole.CollectionMenuActions.LaunchUtilities</Type>
        <Method>IsAMTPowerControlAndOOBConsoleEnabled</Method>
      </ActionStateAssembly>
      <Executable>
        <FilePath>C:\Program Files\Intel Corporation\Intel Core vPro processor add-on for System Center Configuration Manager 2007\AlarmExt.exe</FilePath>
        <Parameters>-host ##SUB:Name## -tls -dns</Parameters> 
      </Executable>
    </ActionDescription>

  </ActionGroups>
</ActionDescription>

Christoph von Wittich has provided the files from the above link if you want to download them.


Regards,

Blair











A script to perform a Discover AMT status task remotely for SCCM 2012

Hi Everyone,

Have you ever needed to Discover the AMT status of a SCCM client remotely?

Basically I am provisioning my SCCM 2012 clients with SCS 8.1. When you provision the systems with SCS 8.1 they will show up in SCCM 2012 as externally provisioned.

Once the systems are provisioned with SCS you need to manually run a Discover AMT Status on the collection or resource, only then will they show up as externally provisioned. I was looking for a method to automate this process when I came across this article.

Unfortunately this only works with SCCM 2007. Daniel from Intel, who wrote this script, pointed out that SCCM 2012 requires two other parameters. It can be found in the following MSDN.

I have modified the script to work with SCCM 2012. It has to be run from the client and requires an extra parameter, the collection ID.

You can call it like this. 

cscript sccmamtmgnt.vbs /s:<SiteServer> /c:<SiteCode> /a:discover /h:%computername% /D:<CollectionID>

I just used the All Systems collection ID


'*****************************************
'       UPDATED BY BLAIR MULLER
' I have updated the script for SCCM 2012. Please refer to the following Microsoft Website
' http://msdn.microsoft.com/en-us/library/hh948379.aspx
' SCCM 2012 requires two extra variables. CollectionID and extData. extData can be set to 0
' I am running this from the client. It doesn't pick up the right Resource ID from the SCCM site server
'
'
'
'*****************************************

Option Explicit

'Create some variables
'Blair Muller. Updated to include variable CollectionID
dim objItem, objService, objNetwork, userName, userPassword, strHostName, amtAction, amtActionDesc, amtOpCode, server,CollectionID, colNamedArguments, objLocation, WbemServices, sResourceID(2), colMember, colMembers, sitecode

wscript.echo "SCCM AMT Management Script 1.0"

'Bring in the command line arguments
Set colNamedArguments = WScript.Arguments.Named

'Blair Muller. Updated to include CollectionID variable
'CollectionID
CollectionID = colNamedArguments.Item("d")

'SCCM site server name
server = colNamedArguments.Item("s")

'SCCM site code
sitecode = colNamedArguments.Item("c")

'AMT Action to perform
amtAction = colNamedArguments.Item("a")
select case amtAction
   case "poweron"
      amtOpCode = "1" 'Power On
      amtActionDesc = "Attempting to power on client"
   case "poweroff"
      amtOpCode = "3" 'Power Off
      amtActionDesc = "Attempting to power off client"
   case "powerrestart"
      amtOpCode = "2" 'Power Restart
      amtActionDesc = "Attempting to restart client"
   case "discover"
      amtOpCode = "16" 'AMT Discovery
      amtActionDesc = "Attempting to perform a Management Controller Discovery..."
   case "updatemc"
      amtOpCode = "256" 'Update Management Controllers
      amtActionDesc = "Attempting to perform a Management Controller Update..."
   case "enableauditlog"
      amtOpCode = "2048" 'Enable Audit Log
      amtActionDesc = "Attempting to enable Audit Log..."
   case "disableauditlog"
      amtOpCode = "4096" 'Disable Audit Log
      amtActionDesc = "Attempting to disable Audit Log..."
   case "clearauditlog"
      amtOpCode = "8192" 'Clear Audit Log
      amtActionDesc = "Attempting to clear Audit Log..."
   case "partialunprovision"
      amtOpCode = "32" 'Partial Unprovision
      amtActionDesc = "Attempting to perform partial unprovision..."
   case "fullunprovision"
      amtOpCode = "64" 'Full Unprovision
      amtActionDesc = "Attempting to perform full unprovision..."
   case "clearprovflag"
      amtOpCode = "1024" 'Clear flag that disable automatic provisioning
      amtActionDesc = "Attempting to clear Auto Provisioning suppression flag..."
   case else
      amtOpCode = ""
      amtActionDesc = ""
end select


'Optional credentials to add the computer to SCCM
userName = colNamedArguments.Item("u")
userPassword = colNamedArguments.Item("p")

'Optional hostname
strHostName = colNamedArguments.Item("h")

'Throw an error if the server, site code, or AMT Action arguments are empty
'Blair Muller. Updated to include CollectionID
if server="" or sitecode="" or amtOpCode="" or CollectionID ="" then
   WScript.Echo "Usage: [CScript | WScript] sccmamtmgnt.vbs [/s:SCCM Server] [/c:SCCM Site Code] [/a:AMT Action] [/d:Collection ID] [/h:Host] [/u:username] [/p:password]"
   Wscript.Echo
   Wscript.Echo "Required parameters:"
   Wscript.Echo 
   Wscript.Echo "/s: - Name of your SCCM site collection server."
   wscript.Echo "/c: - Your SCCM three character site code"
   wscript.Echo "/a: - SCCM Site Server AMT action"
   wscript.Echo "/d: - Collection ID where the resource is located."
   Wscript.Echo
   wscript.Echo "  /a:poweron                     Powers on client"
   wscript.Echo "  /a:poweroff                    Powers off client"
   wscript.Echo "  /a:powerrestart                Restarts client"
   wscript.Echo "  /a:discover                    Performs a Management Controller Discovery"
   wscript.Echo "  /a:updatemc                    Performs an Update Management Controller"
   wscript.Echo "  /a:enableauditlog              Enables AMT Audit Log"
   wscript.Echo "  /a:clearauditlog               Clears AMT Audit Log"
   wscript.Echo "  /a:disableauditlog             Disables AMT Audit Log"
   wscript.Echo "  /a:partialunprovision          Performs partial Unprovision"
   wscript.Echo "  /a:fullunprovision             Performs full Unprovision"
   wscript.Echo "  /a:clearprovflag               Clears flag that prevent auto provisioning"
   Wscript.Echo
   Wscript.Echo "Optional parameters:"
   Wscript.Echo
   Wscript.Echo "/h: - Remote host; if blank it will use host of machine running script"
   Wscript.Echo "/u: - User name to access the SCCM server."
   Wscript.Echo "/p: - Password for the user with access to the SCCM server."
   Wscript.Echo
   Wscript.Echo "Example: cscript sccmamtmgnt.vbs /s:sccmsite.company.com /c:VPD /a:discover /d:<CollectionID> /u:domain\user /p:password"
   Wscript.Echo
   WScript.Quit 1
end if

'Create an object to connect to the local WMI provider
Set objService  = GetObject("winmgmts:\root\cimv2")


'Get the hostname from the local WMI agent

if strHostName = "" then
'Update the status on the screen
wscript.echo "Looking up host name..."
Set objNetwork = objService.ExecQuery ("Select * from Win32_NetworkAdapterConfiguration where IPEnabled = True")
for each objItem in objNetwork
    strHostName = ucase(objItem.DNSHostName)
next
end if

wscript.echo "Hostname: " & strHostName
wscript.echo

'Build the WMI connection to the SCCM server
Set objLocation = CreateObject("WbemScripting.SWbemLocator")
Set WbemServices = objLocation.ConnectServer(server, "root\SMS\site_" & sitecode, username, userpassword)

wscript.echo "Looking up host resource ID..."

'Look up the Resource ID for the computer and place the value in an array (The array is required for the AMTOperateForMachines method)
Set colMembers = wbemServices.ExecQuery("Select * From SMS_FullCollectionMembership WHERE name='" & strHostname & "'")
for each colMember in colMembers
   sResourceID(0) = colMember.ResourceID
Next

wscript.echo "Resource ID: " & sResourceID(0)
wscript.echo

'Throw an error if no resource ID is returned
if sResourceID(0) = "" then
  wscript.echo "Error: Unable to locate the computer on the SCCM server."
  WScript.Quit 1
end if

'Tell the SCCM server to perform AMT action.
wscript.echo amtActionDesc
call RunAmtAction(wbemServices, sResourceID, amtOpCode)

Function RunAmtAction(connection, machineResourceIds, actionType)

    On Error Resume Next
    Dim classObj: Set classObj = connection.Get("SMS_Collection")
    Dim inParams: Set inParams = classObj.Methods_("AMTOperateForMachines").InParameters.SpawnInstance_()
    Dim outParams

    inParams.Properties_.Item("Opcode") = actionType
    inParams.Properties_.Item("ResourceIDs") = machineResourceIds
    'SCCM 2012 requires these two extra parameters
    inParams.Properties_.Item("CollectionID") = CollectionID
    inParams.Properties_.Item("extData") = 0

    wscript.echo "Sending update management controller request to " & server & "..."
    Set outParams = connection.ExecMethod("SMS_Collection", "AMTOperateForMachines", inParams)

    'On Error Resume Next hides failures, so report any error instead of always printing success
    If Err.Number <> 0 Then
        wscript.echo "Error: request failed - 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    Else
        wscript.echo "Request sent"
    End If
End Function

You can see the results in the amtopmgr.log file located in C:\Program Files\Microsoft Configuration Manager\Logs



You can also see the action in the status Message Viewer



Hope this helps.



Tuesday, 18 September 2012

Integrating SCCM 2012 with SCS 8.1

Hi All,

I was recently on a project that required me to integrate SCS 8.1 with SCCM 2012. 

In case you are unaware, Intel has provided the integration scripts for SCCM 2007. They can be downloaded from here. I have modified their solution for SCCM 2012.

It's a good idea to have a good thorough understanding of the solution that Intel provide for SCCM 2007. My solution is based around it. I will refer to sections of that manual.

The steps I provide are based on my experience. I am only focused on discovering and configuring systems. I haven't focused on the maintenance and unconfiguration tasks. If you need to add these tasks to your project and need assistance, drop me a line. 

This blog is broken up into 9 sections:

1. Adding the Out of Band Role Management Role to your SCCM server
2. Extending the Hardware Inventory for SCCM 2012
3. Modifying the SCS profile for SCCM 2012
4. Creating the collections required for the discovery and configuration of your clients
5. Creating the Discovery and Configurations packages
6. Creating the Task Sequences required for the discovery and configuration of your clients
7. Creating the Deployments (SCCM 2007 - Advertisements)
8. Creating the Status Filter rules to automatically update the Intel collections 
9. Queries to help you troubleshoot

I'll explain how it works in a nutshell. The discovery deployment is advertised to all your systems. The discovery runs and interrogates your system. A Hardware Inventory reports back to your SCCM server on this information. If the system can be configured it is automatically placed into a collection where the configuration runs.

The Configuration deployment configures your system and reports back to your SCCM server using a hardware Inventory. It also forces the SCCM server to check the AMT status meaning it will show up as externally provisioned and you will be able to use the SCCM OOB Native tools.

When each deployment finishes a status filter rule runs and updates the collections.

To make this happen follow the below steps.

1. Adding the Out of Band Role Management Role to your SCCM server

Add the OOB Role and when prompted, select the certificate (usually from GoDaddy).

This is the provisioning certificate you have saved in the personal store of the user running the SCS service (RCSServer). It is highlighted on page 22 of the deployment guide. You need to export and import that certificate into the SCCM server's computer personal store.





2. Extending the Hardware Inventory for SCCM 2012


The queries that we use to create the collections are based on registry entries the discovery process creates. This is why we need to extend the hardware inventory.

2.1 Edit the MOF file

The process has changed for SCCM 2012 and is documented in this blog. Have a read and you will understand the process.

2.1.1 Back up your current Configuration.MOF file located in <InstallPath>\inboxes\clifiles.src\hinv

2.1.2 Open the configuration.mof file and browse to the end of the file and look for the following content:

//========================
// Added extensions start
//========================


//========================
// Added extensions end
//========================

Copy the contents of the MOF file configuration_IntelSCS8_iAMT.mof, which is located here and can be found under the supporting_files folder. Add the contents between the Added extensions start and Added extensions end markers.


2.1.3 Check the modified Configuration.MOF file using MOFComp.exe. This will check the syntax of the MOF File. 


mofcomp.exe -check Configuration.mof

2.1.4 If everything is OK, compile the Configuration.MOF file

mofcomp.exe Configuration.mof
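Steps 2.1.1 to 2.1.4 as one script, so the live Configuration.mof is only replaced after the edited copy has passed mofcomp -check. This is an added example, not part of Intel's integration scripts: both paths are parameters you supply, the marker text is the one quoted in step 2.1.2, and the "already extended" test assumes the Intel classes carry the Intel_AMT_ prefix listed in step 2.2.3.

```powershell
# Added example. Run elevated on the site server.
param(
    [Parameter(Mandatory)] [string] $HinvDir,       # <InstallPath>\inboxes\clifiles.src\hinv
    [Parameter(Mandatory)] [string] $ExtensionMof   # downloaded configuration_IntelSCS8_iAMT.mof
)
$ErrorActionPreference = 'Stop'

function Add-MofExtension {
    # Returns $Lines with $Extension inserted just above the "Added extensions end" banner.
    param([string[]] $Lines, [string[]] $Extension)

    $trimmed = @($Lines | ForEach-Object { $_.Trim() })
    $start = [Array]::IndexOf($trimmed, '// Added extensions start')
    $end   = [Array]::IndexOf($trimmed, '// Added extensions end')
    if ($start -lt 0 -or $end -le $start) {
        throw 'Added extensions start/end markers not found or out of order.'
    }

    # Each marker sits between two //===== banner lines; insert above the end banner.
    $insertAt = $end
    if ($trimmed[$end - 1].StartsWith('//==')) { $insertAt = $end - 1 }
    if ($insertAt -le $start) { throw 'No room between the start and end markers.' }

    $head = $Lines[0..($insertAt - 1)]
    $tail = $Lines[$insertAt..($Lines.Count - 1)]
    return @($head) + @('') + @($Extension) + @('') + @($tail)
}

$mof = (Resolve-Path -LiteralPath (Join-Path $HinvDir 'Configuration.mof')).Path
$ext = (Resolve-Path -LiteralPath $ExtensionMof).Path

# Keep the file's existing encoding (UTF-16 LE with BOM, otherwise the ANSI code page).
$bytes = [System.IO.File]::ReadAllBytes($mof)
$encoding = [System.Text.Encoding]::Default
if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
    $encoding = [System.Text.Encoding]::Unicode
}
$lines = [System.IO.File]::ReadAllLines($mof, $encoding)

if ($lines -match 'Intel_AMT_') {
    Write-Host 'Configuration.mof already contains Intel_AMT_ classes; nothing to do.'
    return
}

# 2.1.1 Back up the current file.
$backup = "$mof.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $mof -Destination $backup
Write-Host "Backup written to $backup"

# 2.1.2 Build the edited file as a candidate outside the inbox.
$candidate = Join-Path $env:TEMP 'Configuration.candidate.mof'
$merged = Add-MofExtension -Lines $lines -Extension (Get-Content -LiteralPath $ext)
[System.IO.File]::WriteAllLines($candidate, [string[]] $merged, $encoding)

# 2.1.3 Syntax check; stop here if it fails so the live file is untouched.
& mofcomp.exe -check $candidate | Out-Host
if ($LASTEXITCODE -ne 0) { throw "mofcomp -check failed with exit code $LASTEXITCODE" }

# 2.1.4 Replace the live file and compile it.
Copy-Item -LiteralPath $candidate -Destination $mof -Force
& mofcomp.exe $mof | Out-Host
if ($LASTEXITCODE -ne 0) { throw "mofcomp failed with exit code $LASTEXITCODE; restore $backup" }
```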

2.2 Add the Hardware Inventory into SCCM. 

2.2.1 Open the SCCM Console => Administration => Client Settings => Default Client Settings (or your desired profile) => Hardware Inventory => Set Classes



2.2.2 Click Add => Connect => Type in your SCCM Site Server



2.2.3 For discovery and configuration you only need the following classes. 
  • Intel_AMT_ConfigurationInfo (Intel_AMT_ConfigurationInfo)
  • Intel_AMT_ManageabilityInfo (Intel_AMT_ManageabilityInfo)
  • Intel_AMT_ManageabilityInfo_Capabilities (Intel_AMT_ManageabilityInfo_Capabilities)
  • Intel_AMT_ManageabilityInfo_ManagementSettings (Intel_AMT_ManageabilityInfo_ManagementSettings)

2.3 Verify that the hardware Inventory has been extended. 

Go to Assets and Compliance => Devices. Right click on the device => Start => Resource Explorer.


You should see the three Intel items we imported.



3. Modifying the SCS profile for SCCM 2012


The SCCM site server needs authorisation into the firmware. When you create your SCS profile (Section 5.3.2 of the Deployment Guide) ensure that your SCCM site server is a member of the security group you authorised access to the firmware.



More information about the access control list can be found in section A.2 (Page 59) of the Deployment Guide.

4. Creating the collections required for the discovery and configuration of your clients


The three collections I am focused on in my solution are:
  • Intel AMT Ready Platforms Not Provisioned
  • Intel AMT Platforms Provisioned with ConfigMgr
  • Intel AMT Platforms Provisioned without ConfigMgr

The instructions on how to create these collections can be found in section 7.1.5 of the MS SCCM User Guide v12. The queries are as follows:
  • Intel AMT Ready Platforms Not Provisioned
select * from SMS_R_System inner join SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_MANAGEMENTSETTINGS on SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_MANAGEMENTSETTINGS.ResourceId = SMS_R_System.ResourceId inner join SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_CAPABILITIES on SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_CAPABILITIES.ResourceId = SMS_R_System.ResourceId where SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_MANAGEMENTSETTINGS.IsAMTConfigured = '0' and SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_CAPABILITIES.IsAMTSupported = '1'
  • Intel AMT Platforms Provisioned with ConfigMgr
select * from SMS_R_System inner join SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_MANAGEMENTSETTINGS on SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_MANAGEMENTSETTINGS.ResourceId = SMS_R_System.ResourceId inner join SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_CAPABILITIES on SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_CAPABILITIES.ResourceId = SMS_R_System.ResourceId where SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_MANAGEMENTSETTINGS.IsAMTConfigured = '1' and SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_CAPABILITIES.IsAMTSupported = '1' and SMS_R_System.AMTStatus = '3'

  • Intel AMT Platforms Provisioned without ConfigMgr
select * from SMS_R_System inner join SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_MANAGEMENTSETTINGS on SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_MANAGEMENTSETTINGS.ResourceId = SMS_R_System.ResourceId inner join SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_CAPABILITIES on SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_CAPABILITIES.ResourceId = SMS_R_System.ResourceId where SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_MANAGEMENTSETTINGS.IsAMTConfigured = '1' and SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_CAPABILITIES.IsAMTSupported = '1' and SMS_R_System.AMTStatus != '3'

5. Creating the Discovery and Configurations packages

5.1 The source of your packages

5.1.1 Configurator Folder from SCS 8.1. The source of the package folder comes from the configurator folder within the SCS 8.1 download. You can download it from here. Copy the Configurator folder to the location where you keep your package sources.


5.1.2 The two files configuration.bat and discover.bat come from the integration scripts Intel provides. They are located here and can be found under the supporting_files folder. Copy these two files into your source package.



5.1.3 Create three more files as below:

Wait.vbs:

set objShell = CreateObject("WScript.Shell")
WScript.Sleep(120000)


HardwareInventory.vbs:


'********************************************************************
' This sample code will kick off a Hardware Inventory resync on
'  local SMS Advanced Client machine. This is accomplished in 2 steps:
'
'  1) Reset the Hardware Inventory cache
'  2) Kickoff the Hardware Inventory cycle (which determines there are
'     no items in the cache, and thus performs a resync)
'
Option Explicit
ON ERROR RESUME NEXT
' Code execution begins here
' --------------------------------
Main
' *******************************************************************
' Main() - This is the main subroutine of the script
' *******************************************************************
Sub Main()
 ' Reset the Hardware Inventory Cache
 ResetInventoryCache "{00000000-0000-0000-0000-000000000001}"
 ' Kickoff a Hardware Inventory cycle
 KickoffClientAction "Hardware Inventory Collection Cycle"
 'wscript.echo "Force Full Hardware Inventory Initiated"
End Sub

' *******************************************************************
' ResetInventoryCache() - This sub will reset the inventory cache for the specified inventory action
' *******************************************************************
Sub ResetInventoryCache(sInventoryActionID)
 ' Get a connection to the "root\ccm\invagt" namespace (where the Inventory agent lives)
 Dim oLocator
 Set oLocator = CreateObject("WbemScripting.SWbemLocator")
 Dim oServices
 Set oServices = oLocator.ConnectServer( , "root\ccm\invagt")
 ' Delete the specified InventoryActionStatus instance 
 oServices.Delete "InventoryActionStatus.InventoryActionID=""" & sInventoryActionID & """"
End Sub
' *******************************************************************
' KickoffClientAction() - This sub will kickoff the specified client action
' *******************************************************************
Sub KickoffClientAction(sActionName)
 ' Create a CPAppletMgr instance
 Dim oCPAppletMgr
 Set oCPAppletMgr = CreateObject("CPApplet.CPAppletMgr")
 ' Get the available ClientActions
 Dim oClientActions
 set oClientActions = oCPAppletMgr.GetClientActions()
 ' Loop through the available client actions
 Dim oClientAction
 For Each oClientAction In oClientActions
  ' Is this the action we want to kickoff?
  If oClientAction.Name = sActionName Then
  
   ' Kickoff the action
   oClientAction.PerformAction       
  End If
 Next
End Sub
'********************************************************************
Code to come 

sccmamtmgnt.vbs 

Code can be found from this blog

5.1.4 Edit discover.bat and add the following lines directly under the acuconfig command.

cscript HardwareInventory.vbs
cscript wait.vbs



The Hardware Inventory is going to report in with the results. If the system can be configured it will move into the collection Intel AMT Ready Platforms Not Provisioned. We run the wait script to give the system enough time to report in. Later in the blog I will show you how to create a status filter rule that will run whenever this advertisement is successfully completed.

5.1.5 Edit configuration.bat. Delete everything under the following line
rem acuconfig /output console /verbose configAMT <your xml profile file> /decryptionpassword <your password>



Use the following code. 

ACUConfig.exe /verbose /lowsecurity ConfigViaRCSOnly <IP_address_Of_SCS_Server> <SCS_Profile_Used> /WMIuser <domain\user> /WMIuserpassword <Password>
set EL=%ERRORLEVEL%
cscript wait.vbs

REM Update Details in Reg.
acuconfig systemdiscovery /nofile
REM Hardware Inventory
cscript HardwareInventory.vbs
cscript wait.vbs

REM Perform Out of Band Discovery
cscript sccmamtmgnt.vbs /s:<SiteServer> /c:<SiteCode> /a:discover /h:%computername% /D:<CollectionID>
cscript wait.vbs


The first command configures the system. I use this command over the command provided by Intel because I want to see the systems in the SCS management console.

This only applies if you have installed SCS in database mode. Change the following variables:

  • <IP_address_Of_SCS_Server>
  • <SCS_Profile_Used>
  • <domain\user>
  • <Password>
  • <SiteServer>
  • <SiteCode>
  • <CollectionID>

The second command performs another discovery. Since the system is now configured, we need to update the static details recorded by the earlier discover.bat run to reflect this change.

The third command performs a Hardware Inventory. Since the system is now configured, we need to report this to the SCCM server. The discovery in the previous step has to run first so that the inventory picks up the configured details.

The fourth command forces your SCCM site server to discover the AMT status of the client. Basically, it lets SCCM know the system is provisioned so that the native tools can be used.

5.2 The Packages within SCCM

The packages point to the same source. You need two packages because in the task sequences we tell it to never rerun once the package has been run successfully. My packages look like this:




6. Creating the Task Sequences required for the discovery and configuration of your clients

The two task sequences that we will use can be found in section 7.1.3 (Page 32) and section 7.2.3 (Page 43) of the integration scripts user guide. I have just named them differently.
  • Intel AMT System Discover
  • Intel AMT Configuration


Follow the steps in the manual. Point the discover task sequence at the discover package you created in section 5, and the configure task sequence at the configuration package you created in section 5.

Below is the configuration task sequence


Below is the discover task sequence


Don't forget to suppress task sequence notification



7. Creating the Deployments (SCCM 2007 - Advertisements)

The two advertisements (now called deployments) that we will use can be found in section 7.1.4 (Page 34) and section 7.2.4 (Page 45) of the integration scripts user guide. I have just named them differently.
  • Intel AMT System Discover
  • Intel AMT Configuration

Below I provide the steps to deploy the Discover package. Follow the same steps to deploy the configure task sequence. Publish it to the collection Intel AMT Ready Platforms Not Provisioned.

7.1 Right click on the Discover task sequence and select Deploy


7.2 Select the collection you want to discover. In this case I made a test collection


7.3 Set the Purpose to Required.


7.4. Tick the option schedule when this deployment will become available. Click the New button and select the default option to schedule the deployment.


7.5 Untick Show Task Sequence progress


7.6 Leave these options as default


7.7 Select download all content locally before starting task sequence.


7.8 Select the defaults for the next two screens and your deployment is finished. You should see it under the deployment tab


8. Creating the Status Filter rules to automatically update the Intel collections 

In this section we will need to create the scripts first and then create the Status Filter rules.

The status filter rules we will create are:

  • Update Intel Collections After Discovery
  • Update Intel Collections After Configure

Status filter rules are now located under Administration => Site Configuration => Sites => Right click on your site server and select Status filter Rules




8.1 Create the scripts

We are going to use two scripts: UpdateCollection.vbs, which updates the collections, and CallUpdateCollections.vbs, which calls UpdateCollection.vbs.

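UpdateCollection.vbs

On Error Resume Next
Dim strSMSServer, strSMSSiteCode, strCollID, args, objShell, objCollection
Set args = WScript.Arguments
' Quit if no collection ID was passed as an argument
If args.Count = 0 Then
WScript.Quit
End If
Set objShell = CreateObject("WScript.Shell")
' Wait 20 seconds before requesting the refresh
WScript.Sleep(20000)
strCollID = args.Item(0)
strSMSServer = "SiteServer" ' Change to your site server
strSMSSiteCode = "SiteCode" ' Change to your site code
' Bind to the collection on the site server and request a membership refresh
Set objCollection = GetObject( "WinMgmts:!\\" & strSMSServer & _
"\root\SMS\site_" & strSMSSiteCode & _
":SMS_Collection.CollectionID='" & strCollID & "'")
objCollection.RequestRefresh False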

CallUpdateCollections.vbs

Option Explicit
Dim objshell,Collection01,Collection02
Collection01 = "BAM0000C" 'Intel AMT Platforms Provisioned without ConfigMgr
Collection02 = "BAM0000A" 'Intel AMT Ready Platforms Not Provisioned
'On Error Resume Next
set objShell = CreateObject("WScript.Shell")
objShell.Run "C:\Data\Scripts\UpdateCollection.vbs" + " " + Collection01
WScript.Sleep(9000)
objShell.Run "C:\Data\Scripts\UpdateCollection.vbs" + " " + Collection02
WScript.Sleep(9000)


Make the following changes to CallUpdateCollections.vbs:
  • BAM0000C to reflect the collection ID of your Intel AMT Platforms Provisioned without ConfigMgr collection
  • BAM0000A to reflect the collection ID of your Intel AMT Ready Platforms Not Provisioned collection
  • C:\Data\Scripts\UpdateCollection.vbs to reflect the location where you have saved UpdateCollection.vbs

8.2 Create the status filter rules
 
You will need to change the property value and Site code to reflect your environment. You will not see the ID of your package in the drop down menu until the package has run at least once. 

I suggest that you run the deployment in a test environment first. This will also allow you to verify the package ID. I will show you how to do this in 8.2.3

You will also need to change the location on the Actions tab to reflect your location of CallUpdateCollections.vbs. In my example I use the following code:

C:\windows\System32\cscript.exe C:\Data\Scripts\CallUpdateCollections.vbs

8.2.1 Create the Update Intel Collections After Discovery status filter rule. 




8.2.2 Create the Update Intel Collections After Configure status filter rule





8.3 How to verify your Package ID

Go to Monitoring => Status Message Queries and select Show Messages in the top ribbon.

Look for the status message that indicates the deployment has successfully completed. It should be message ID 11171. In the properties you will see the Package ID. In my example it is BAM0000C. You will need to do this for both packages and update the rules as required.


9. Queries to help you troubleshoot


Queries are an optional part. I like to use them for troubleshooting.

The queries are based on the same criteria as the collections. I find queries help when you are troubleshooting the automation of collection updates, which are based on the results of a hardware inventory. For example, if a system shows up in the query but not in the collection, you know you either have not refreshed your collection or the update of the collection has not occurred.

The two queries that I have used are:

  • Intel AMT Platforms Provisioned without ConfigMgr 
  • Intel AMT Ready Platforms Not Provisioned

I also added the field AMTStatus. For the clients to move into the collection Intel AMT Platforms Provisioned without ConfigMgr, your SCCM site server must discover that the system is externally provisioned. The AMTStatus field helps you troubleshoot this.
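
The "in the query but not in the collection" check described above can be scripted. This is an added example, not part of the original post or Intel's integration scripts: it assumes Windows PowerShell run under an account with read access to the SMS provider, the parameter names are hypothetical, and SMS_FullCollectionMembership is the standard provider class that lists collection members.

```powershell
# Added example, not from the original post. Compares the section 9 query
# with the live collection membership to spot a collection that is out of date.
param(
    [Parameter(Mandatory = $true)] [string] $SiteServer,   # your site server (placeholder)
    [Parameter(Mandatory = $true)] [ValidatePattern('^[A-Za-z0-9]{3}$')] [string] $SiteCode,
    [Parameter(Mandatory = $true)] [ValidatePattern('^[A-Za-z0-9]{8}$')] [string] $CollectionId
)

$ns   = "root\SMS\site_$SiteCode"
$mgmt = 'SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_MANAGEMENTSETTINGS'
$caps = 'SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_CAPABILITIES'

# Criteria of "Intel AMT Platforms Provisioned without ConfigMgr", selecting
# only the SMS_R_System fields needed for the report.
$wql = "select SMS_R_System.ResourceId, SMS_R_System.Name, SMS_R_System.AMTStatus " +
       "from SMS_R_System " +
       "inner join $mgmt on $mgmt.ResourceId = SMS_R_System.ResourceId " +
       "inner join $caps on $caps.ResourceId = SMS_R_System.ResourceId " +
       "where $mgmt.IsAMTConfigured = '1' and $caps.IsAMTSupported = '1' " +
       "and SMS_R_System.AMTStatus != '3'"
$memberWql = "select ResourceID, Name from SMS_FullCollectionMembership " +
             "where CollectionID = '$CollectionId'"

# @() keeps "no rows" as an empty array instead of $null.
$matching = @(Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Query $wql -ErrorAction Stop)
$members  = @(Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Query $memberWql -ErrorAction Stop)

$inCollection = @{}
foreach ($m in $members) { $inCollection["$($m.ResourceID)"] = $m.Name }

$inQuery = @{}
foreach ($r in $matching) {
    $id = "$($r.ResourceId)"
    $inQuery[$id] = $true
    if (-not $inCollection.ContainsKey($id)) {
        New-Object PSObject -Property @{
            Name = $r.Name; ResourceId = $id; AMTStatus = $r.AMTStatus
            Finding = 'Matches the query but is not in the collection (not refreshed yet)'
        }
    }
}
foreach ($id in $inCollection.Keys) {
    if (-not $inQuery.ContainsKey($id)) {
        New-Object PSObject -Property @{
            Name = $inCollection[$id]; ResourceId = $id; AMTStatus = $null
            Finding = 'In the collection but no longer matches the query (stale member)'
        }
    }
}
```

No output means the query and the collection agree. The pattern checks on the site code and collection ID also keep anything other than letters and digits out of the WQL strings.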



With all of the above information you should now be able to integrate SCS 8.1 with your SCCM 2012.

Like always, any questions or comments, drop me a line.