Tuesday 18 September 2012

Integrating SCCM 2012 with SCS 8.1

Hi All,

I was recently on a project that required me to integrate SCS 8.1 with SCCM 2012. 

In case you are unaware, Intel has provided the integration scripts for SCCM 2007. They can be downloaded from here. I have modified their solution for SCCM 2012.

It's a good idea to have a thorough understanding of the solution that Intel provides for SCCM 2007, because my solution is based on it. I will refer to sections of that manual.

The steps I provide are based on my experience. I am only focused on discovering and configuring systems. I haven't focused on the maintenance and unconfiguration tasks. If you need to add these tasks to your project and need assistance, drop me a line. 

This blog is broken up into 9 sections:

1. Adding the Out of Band Role Management Role to your SCCM server
2. Extending the Hardware Inventory for SCCM 2012
3. Modifying the SCS profile for SCCM 2012
4. Creating the collections required for the discovery and configuration of your clients
5. Creating the Discovery and Configurations packages
6. Creating the Task Sequences required for the discovery and configuration of your clients
7. Creating the Deployments (SCCM 2007 - Advertisements)
8. Creating the Status Filter rules to automatically update the Intel collections 
9. Queries to help you troubleshoot

I'll explain how it works in a nutshell. The discovery deployment is advertised to all your systems. The discovery runs and interrogates each system, and a Hardware Inventory reports this information back to your SCCM server. If the system can be configured, it is automatically placed into a collection where the configuration runs.

The Configuration deployment configures your system and reports back to your SCCM server using a Hardware Inventory. It also forces the SCCM server to check the AMT status, meaning the system will show up as externally provisioned and you will be able to use the SCCM OOB native tools.

When each deployment finishes, a status filter rule runs and updates the collections.

To make this happen, follow the steps below.

1. Adding the Out of Band Role Management Role to your SCCM server

Add the OOB Role and, when prompted, select the certificate (usually from GoDaddy).

This is the provisioning certificate saved in the personal store of the user account that runs the SCS service (RCSServer). It is highlighted on page 22 of the deployment guide. You need to export that certificate and import it into the SCCM server's computer personal store.





2. Extending the Hardware Inventory for SCCM 2012


The queries that we use to create the collections are based on registry entries that the discovery process creates. This is why we need to extend the hardware inventory.

2.1 Edit the MOF file

The process has changed for SCCM 2012 and is documented in this blog. Have a read and you will understand the process.

2.1.1 Back up your current Configuration.mof file located in <InstallPath>\inboxes\clifiles.src\hinv

2.1.2 Open the configuration.mof file and browse to the end of the file and look for the following content:

//========================
// Added extensions start
//========================


//========================
// Added extensions end
//========================

Copy the contents of the MOF file configuration_IntelSCS8_iAMT.mof, which is located here and can be found under the supporting_files folder. Add the contents between the "Added extensions start" and "Added extensions end" markers.


2.1.3 Check the modified Configuration.MOF file using MOFComp.exe. This will check the syntax of the MOF File. 


mofcomp.exe -check Configuration.mof

2.1.4 If everything is ok compile the Configuration.MOF file 

mofcomp.exe Configuration.mof

2.2 Add the Hardware Inventory into SCCM. 

2.2.1 Open the SCCM Console => Administration => Client Settings => Default Client Settings (or your desired profile) => Hardware Inventory => Set Classes



2.2.2 Click Add => Connect => Type in your SCCM Site Server



2.2.3 For discovery and configuration you only need the following classes. 
  • Intel_AMT_ConfigurationInfo (Intel_AMT_ConfigurationInfo)
  • Intel_AMT_ManageabilityInfo (Intel_AMT_ManageabilityInfo)
  • Intel_AMT_ManageabilityInfo_Capabilities (Intel_AMT_ManageabilityInfo_Capabilities)
  • Intel_AMT_ManageabilityInfo_ManagementSettings (Intel_AMT_ManageabilityInfo_ManagementSettings)

2.3 Verify that the Hardware Inventory has been extended.

Go to Assets and Compliance => Devices. Right click on the device => Start => Resource Explorer.


You should see the three Intel items we imported.



3. Modifying the SCS profile for SCCM 2012


The SCCM site server needs authorisation into the firmware. When you create your SCS profile (Section 5.3.2 of the Deployment Guide), ensure that your SCCM site server is a member of the security group you authorised to access the firmware.



More information about the access control list can be found in section A.2 (Page 59) of the Deployment Guide.

4. Creating the collections required for the discovery and configuration of your clients


The three collections I am focused on in my solution are:
  • Intel AMT Ready Platforms Not Provisioned
  • Intel AMT Platforms Provisioned with ConfigMgr
  • Intel AMT Platforms Provisioned without ConfigMgr
The instructions on how to create these collections can be found in section 7.1.5 of the MS SCCM User Guide v12. The queries are as follows:

  • Intel AMT Ready Platforms Not Provisioned

select * from SMS_R_System
inner join SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_MANAGEMENTSETTINGS
  on SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_MANAGEMENTSETTINGS.ResourceId = SMS_R_System.ResourceId
inner join SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_CAPABILITIES
  on SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_CAPABILITIES.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_MANAGEMENTSETTINGS.IsAMTConfigured = '0'
  and SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_CAPABILITIES.IsAMTSupported = '1'

  • Intel AMT Platforms Provisioned with ConfigMgr

select * from SMS_R_System
inner join SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_MANAGEMENTSETTINGS
  on SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_MANAGEMENTSETTINGS.ResourceId = SMS_R_System.ResourceId
inner join SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_CAPABILITIES
  on SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_CAPABILITIES.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_MANAGEMENTSETTINGS.IsAMTConfigured = '1'
  and SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_CAPABILITIES.IsAMTSupported = '1'
  and SMS_R_System.AMTStatus = '3'

  • Intel AMT Platforms Provisioned without ConfigMgr

select * from SMS_R_System
inner join SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_MANAGEMENTSETTINGS
  on SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_MANAGEMENTSETTINGS.ResourceId = SMS_R_System.ResourceId
inner join SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_CAPABILITIES
  on SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_CAPABILITIES.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_MANAGEMENTSETTINGS.IsAMTConfigured = '1'
  and SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_CAPABILITIES.IsAMTSupported = '1'
  and SMS_R_System.AMTStatus != '3'

5. Creating the Discovery and Configurations packages

5.1 The source of your packages

5.1.1 Configurator folder from SCS 8.1. The source of the package comes from the Configurator folder within the SCS 8.1 download. You can download it from here. Copy the Configurator folder to the location where you keep your package sources.


5.1.2 The two files configuration.bat and discover.bat come from the integration scripts Intel provides. They are located here and can be found under the supporting_files folder. Copy these two files into your source package.



5.1.3 Create three more files as below:

Wait.vbs:

' Pause for two minutes (120000 ms) so the client has time to report in
set objShell = CreateObject("WScript.Shell")
WScript.Sleep(120000)


HardwareInventory.vbs:


'********************************************************************
' This sample code will kick off a Hardware Inventory resync on
'  local SMS Advanced Client machine. This is accomplished in 2 steps:
'
'  1) Reset the Hardware Inventory cache
'  2) Kickoff the Hardware Inventory cycle (which determines there are
'     no items in the cache, and thus performs a resync)
'
Option Explicit
ON ERROR RESUME NEXT
' Code execution begins here
' --------------------------------
Main
' *******************************************************************
' Main() - This is the main subroutine of the script
' *******************************************************************
Sub Main()
 ' Reset the Hardware Inventory Cache
 ResetInventoryCache "{00000000-0000-0000-0000-000000000001}"
 ' Kickoff a Hardware Inventory cycle
 KickoffClientAction "Hardware Inventory Collection Cycle"
 'wscript.echo "Force Full Hardware Inventory Initiated"
End Sub

' *******************************************************************
' ResetInventoryCache() - This sub will reset the inventory cache for the specified inventory action
' *******************************************************************
Sub ResetInventoryCache(sInventoryActionID)
 ' Get a connection to the "root\ccm\invagt" namespace (where the Inventory agent lives)
 Dim oLocator
 Set oLocator = CreateObject("WbemScripting.SWbemLocator")
 Dim oServices
 Set oServices = oLocator.ConnectServer( , "root\ccm\invagt")
 ' Delete the specified InventoryActionStatus instance 
 oServices.Delete "InventoryActionStatus.InventoryActionID=""" & sInventoryActionID & """"
End Sub
' *******************************************************************
' KickoffClientAction() - This sub will kickoff the specified client action
' *******************************************************************
Sub KickoffClientAction(sActionName)
 ' Create a CPAppletMgr instance
 Dim oCPAppletMgr
 Set oCPAppletMgr = CreateObject("CPApplet.CPAppletMgr")
 ' Get the available ClientActions
 Dim oClientActions
 set oClientActions = oCPAppletMgr.GetClientActions()
 ' Loop through the available client actions
 Dim oClientAction
 For Each oClientAction In oClientActions
  ' Is this the action we want to kickoff?
  If oClientAction.Name = sActionName Then
  
   ' Kickoff the action
   oClientAction.PerformAction       
  End If
 Next
End Sub
'********************************************************************
Code to come 

sccmamtmgnt.vbs 

Code can be found from this blog

5.1.4 Edit discover.bat and add the following lines directly under the acuconfig command.

cscript HardwareInventory.vbs
cscript wait.vbs



The Hardware Inventory is going to report in with the results. If the system can be configured it will move into the collection Intel AMT Ready Platforms Not Provisioned. We run the wait script to give the system enough time to report in. Later in the blog I will show you how to create a status filter rule that will run whenever this advertisement is successfully completed.

5.1.5 Edit configuration.bat. Delete everything under the following line
rem acuconfig /output console /verbose configAMT <your xml profile file> /decryptionpassword <your password>



Use the following code.

ACUConfig.exe /verbose /lowsecurity ConfigViaRCSOnly <IP_address_Of_SCS_Server> <SCS_Profile_Used> /WMIuser <domain\user> /WMIuserpassword <Password>
set EL=%ERRORLEVEL%
cscript wait.vbs

REM Update Details in Reg.
acuconfig systemdiscovery /nofile
REM Hardware Inventory
cscript HardwareInventory.vbs
cscript wait.vbs

REM Perform Out of Band Discovery
cscript sccmamtmgnt.vbs /s:<SiteServer> /c:<SiteCode> /a:discover /h:%computername% /D:<CollectionID>
cscript wait.vbs


The first command configures the system. I use this command over the command provided by Intel because I want to see the systems in the SCS management console. Keep in mind that the /WMIuser password sits in clear text in configuration.bat, and the package copies that file to every client it runs on, so give that account only the rights the configuration needs.

This only applies if you have installed SCS in database mode. Change the following variables:

  • <IP_address_Of_SCS_Server>
  • <SCS_Profile_Used>
  • <domain\user>
  • <Password>
  • <SiteServer>
  • <SiteCode>
  • <CollectionID>

The second command performs another discovery. Since the system is now configured, we need to update the static details recorded by discover.bat to reflect this change.

The third command performs a Hardware Inventory. Since the system is now configured, we need to report this to the SCCM server. The discovery had to run before this step so that the inventory picks up the configured details.

The fourth command forces your SCCM site server to discover the AMT status of the client. This lets SCCM know the client is provisioned so that the native tools can be used.

5.2 The Packages within SCCM

The packages point to the same source. You need two packages because in the task sequences we tell it to never rerun once the package has run successfully. My packages look like this:




6. Creating the Task Sequences required for the discovery and configuration of your clients

The two task sequences that we will use can be found in section 7.1.3 (Page 32) and section 7.2.3 (Page 43) of the integration scripts user guide. I have just named them differently.
  • Intel AMT System Discover
  • Intel AMT Configuration


Follow the steps in the manual. Point the discover task sequence at the discover package you created in section 5, and the configure task sequence at the configuration package you created in section 5.

Below is the configuration task sequence


Below is the discover task sequence


Don't forget to suppress task sequence notification



7. Creating the Deployments (SCCM 2007 - Advertisements)

The two advertisements, which are now called deployments, that we will use can be found in section 7.1.4 (Page 34) and section 7.2.4 (Page 45) of the integration scripts user guide. I have just named them differently.
  • Intel AMT System Discover
  • Intel AMT Configuration

Below I provide the steps to deploy the Discover package. Follow the same steps to deploy the configure task sequence. Publish it to the collection Intel AMT Ready Platforms Not Provisioned.

7.1 Right click on the Discover task sequence and select Deploy


7.2 Select the collection you want to discover. In this case I made a test collection.


7.3 Set the Purpose to Required.


7.4 Tick the option to schedule when this deployment will become available. Click the New button and select the default option to schedule the deployment.


7.5 Untick Show Task Sequence progress


7.6 Leave these options as default


7.7 Select download all content locally before starting task sequence.


7.8 Select the defaults for the next two screens and your deployment is finished. You should see it under the Deployments tab.


8. Creating the Status Filter rules to automatically update the Intel collections 

In this section we will need to create the scripts first and then create the Status Filter rules.

The status filter rules we will create are:

  • Update Intel Collections After Discovery
  • Update Intel Collections After Configure

Status filter rules are now located under Administration => Site Configuration => Sites => Right click on your site server and select Status filter Rules




8.1 Create the scripts

We are going to use two scripts: UpdateCollection.vbs, which updates the collections, and CallUpdateCollections.vbs, which calls UpdateCollection.vbs.

UpdateCollection.vbs

On Error Resume Next
Dim strSMSServer, strSMSSiteCode, strCollID, args, objShell, objCollection
Set args = WScript.Arguments
' Quit if no collection ID was passed on the command line
If args.Count = 0 Then
    WScript.Quit
End If
Set objShell = CreateObject("WScript.Shell")
WScript.Sleep(20000)
strCollID = args.Item(0)
strSMSServer = "SiteServer"   ' change to your site server
strSMSSiteCode = "SiteCode"   ' change to your site code
' Bind to the collection through the SMS Provider and request a membership refresh
Set objCollection = GetObject("WinMgmts:!\\" & strSMSServer & _
    "\root\SMS\site_" & strSMSSiteCode & _
    ":SMS_Collection.CollectionID='" & strCollID & "'")
objCollection.RequestRefresh False

CallUpdateCollections.vbs

Option Explicit
Dim objshell,Collection01,Collection02
Collection01 = "BAM0000C" 'Intel AMT Platforms Provisioned without ConfigMgr
Collection02 = "BAM0000A" 'Intel AMT Ready Platforms Not Provisioned
'On Error Resume Next
set objShell = CreateObject("WScript.Shell")
objShell.Run "C:\Data\Scripts\UpdateCollection.vbs" + " " + Collection01
WScript.Sleep(9000)
objShell.Run "C:\Data\Scripts\UpdateCollection.vbs" + " " + Collection02
WScript.Sleep(9000)


Make the following changes to CallUpdateCollections.vbs
  • BAM0000C to reflect the collection ID of your Intel AMT Platforms Provisioned without ConfigMgr collection
  • BAM0000A to reflect the collection ID of your Intel AMT Ready Platforms Not Provisioned.
  • C:\Data\Scripts\UpdateCollection.vbs to reflect the location where you have saved UpdateCollection.vbs

8.2 Create the status filter rules
 
You will need to change the property value and Site code to reflect your environment. You will not see the ID of your package in the drop down menu until the package has run at least once. 

I suggest that you run the deployment in a test environment first. This will also allow you to verify the package ID. I will show you how to do this in 8.3.

You will also need to change the location on the Actions tab to reflect your location of CallUpdateCollections.vbs. In my example I use the following code:

C:\windows\System32\cscript.exe C:\Data\Scripts\CallUpdateCollections.vbs

8.2.1 Create the Update Intel Collections After Discovery status filter rule. 




8.2.2 Create the Update Intel Collections After Configure status filter rule





8.3 How to verify your Package ID

Go to Monitoring => Status Message Queries and select Show Messages in the top ribbon.

Look for the status message that indicates the deployment has successfully completed. It should be message ID 11171. In the properties you will see the Package ID. In my example it is BAM0000C. You will need to do this for both packages and update the rules as required.


9. Queries to help you troubleshoot


Queries are an optional part. I like to use them for troubleshooting.

The queries are based on the same criteria as the collections. I find queries help when you are troubleshooting the automation of collection updates, which are based on the results of a hardware inventory. For example, if a system shows up in the query but not in the collection, you know that either you have not refreshed your collection or the update of the collection has not occurred.

The two queries that I have used are:

  • Intel AMT Platforms Provisioned without ConfigMgr 
  • Intel AMT Ready Platforms Not Provisioned

I also added the field AMTStatus. For the clients to move into the collection Intel AMT Platforms Provisioned without ConfigMgr, your SCCM site server must discover that the client is externally provisioned. The AMTStatus field helps you troubleshoot this.
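
The comparison described in this section, as an added PowerShell example that is not part of the original post: it runs the section 4 criteria for Intel AMT Ready Platforms Not Provisioned against the SMS Provider and lists systems that match the query but are missing from the collection, and the reverse. The parameter names and the Get-SystemRow helper are assumptions made for the example; pass your own site server, site code and collection ID.

```powershell
# Added example, not part of the original post. Windows PowerShell (Get-WmiObject).
# Run it with an account that can read the SMS Provider on the site server.
param(
    [Parameter(Mandatory = $true)][string]$SiteServer,    # assumption: your site server name
    [Parameter(Mandatory = $true)][string]$SiteCode,      # assumption: your site code
    [Parameter(Mandatory = $true)][string]$CollectionId   # ID of "Intel AMT Ready Platforms Not Provisioned"
)

$namespace = "root\SMS\site_$SiteCode"

# Same criteria as the collection query in section 4, returning only the
# SMS_R_System fields needed here, AMTStatus included.
$wql = @"
select SMS_R_System.ResourceId, SMS_R_System.Name, SMS_R_System.AMTStatus
from SMS_R_System
inner join SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_MANAGEMENTSETTINGS
  on SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_MANAGEMENTSETTINGS.ResourceId = SMS_R_System.ResourceId
inner join SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_CAPABILITIES
  on SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_CAPABILITIES.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_MANAGEMENTSETTINGS.IsAMTConfigured = '0'
  and SMS_G_System_INTEL_AMT_MANAGEABILITYINFO_CAPABILITIES.IsAMTSupported = '1'
"@ -replace '\s+', ' '

# Hypothetical helper: a joined query can come back either as SMS_R_System
# objects or as wrapper objects that hold an SMS_R_System property.
function Get-SystemRow($row) {
    if ($row.SMS_R_System) { $row.SMS_R_System } else { $row }
}

# Systems that satisfy the query right now
$matching = @(Get-WmiObject -ComputerName $SiteServer -Namespace $namespace `
                  -Query $wql -ErrorAction Stop |
              ForEach-Object { Get-SystemRow $_ })

# Systems that are currently members of the collection
$members = @(Get-WmiObject -ComputerName $SiteServer -Namespace $namespace `
                 -Class SMS_FullCollectionMembership `
                 -Filter "CollectionID='$CollectionId'" -ErrorAction Stop)

# Index both sides by ResourceID so they can be compared
$matchById = @{}
foreach ($s in $matching) { $matchById[[string]$s.ResourceId] = $s }
$memberById = @{}
foreach ($m in $members) { $memberById[[string]$m.ResourceID] = $m }

$report = @()
foreach ($id in $matchById.Keys) {
    # Inventory has reported in, but the collection has not been updated yet
    if (-not $memberById.ContainsKey($id)) {
        $report += New-Object PSObject -Property @{
            State = 'InQueryNotInCollection'; ResourceId = $id
            Name = $matchById[$id].Name; AMTStatus = $matchById[$id].AMTStatus }
    }
}
foreach ($id in $memberById.Keys) {
    # Still a member although it no longer meets the criteria (stale membership)
    if (-not $matchById.ContainsKey($id)) {
        $report += New-Object PSObject -Property @{
            State = 'InCollectionNotInQuery'; ResourceId = $id
            Name = $memberById[$id].Name; AMTStatus = $null }
    }
}

"{0} systems match the query, {1} are in collection {2}" -f $matching.Count, $members.Count, $CollectionId
$report | Sort-Object State, Name | Format-Table State, Name, ResourceId, AMTStatus -AutoSize
```

Rows marked InQueryNotInCollection mean the inventory has arrived but the collection has not been updated, which points at the status filter rule or UpdateCollection.vbs.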



With all of the above information you should now be able to integrate SCS 8.1 with your SCCM 2012.

Like always, any questions or comments, drop me a line.

23 comments:

  1. With this integration, does the AMT wakeup commands work for AMT-enabled computers on SCCM?

    1. Yes, the systems will show up as externally provisioned and you can use the native tools.

  2. ...even on AMT version greater than 6.1? I read somewhere that SCCM 2012 only supports up to 6.1...

  3. I have seen those comments. I know I haven't had any issues. I'm provisioning the systems with SCS not SCCM.

    Can I ask what you want out of vPro? I find the two best features are KVM and Call for Help. I see power management used a lot too.

    I think the native tools of SCCM use WOL for power management rather than the vPro alarm clock. If you wanted to ensure they wake up and shut down I would advertise a PowerShell script to the collection and utilise the alarm clock feature.

    Hope this helps,

    Regards,

    Blair

  4. I'd like to use the AMT PowerON commands because the standard WOL isn't working for us on SCCM... And you're telling me that it should work?

    Other things we're interested in is the 802.1X PXE-boot, haven't found any info on that one...

  5. You want to re-image over the wireless? Well it will work because I am working a project now that allows you to control the systems at bios level on wireless.

    Yes provision a couple of systems and try out the alarm clock feature. Works every time. Keep SCCM out of the solution you have all the features working.

    Need a hand, let me know.

    Regards,

    Blair

  6. Not over wireless, wired 802.1X, certificate based authentication on computers and switches in the network.

    Could you explain some more about this alarm clock feature? I was thinking that when you enable AMT-based poweron commands from the SCCM site settings (not WOL), SCCM would handle the wake-up of required deployments using AMT and no additional configuration is needed...

  7. SCCM 2012 uses WOL. To use the alarm clock feature the systems need to be provisioned and they need to be version 5.1 and above.

    http://mwesterink.wordpress.com/2012/10/01/sccm-2012-how-to-troubleshoot-wake-on-lan-functionality/

    Alarm clock is different.

    http://www.youtube.com/watch?v=OMjEJAJdG9U

    http://software.intel.com/en-us/articles/intel-active-management-technology-pc-alarm-clock

  8. http://technet.microsoft.com/en-us/library/gg712319.aspx#BKMK_ConfigureOutOfBandComponents <-- STEP 6 there. My point is, is that feature working when AMT-systems are externally provisioned...

  9. I haven't tested this feature. I will test it and let you know. I don't see why it wouldn't.

  10. If that works, then it'd be superb. Basically if I had required deployments, SCCM would send those AMT-based wake-up commands and wake the systems... AMT-based commands should work better than any standard WOL implementation...

    Thanks for the great blog!

  11. Any progress on this?

  12. I'll hopefully have a response this week. Been busy building an Intel MPS Solution for a client.

    What was your name?

    Regards,

    Blair

  13. Oh, sorry 'bout that... Tom.

    Thanks in advance for this :)

  14. Thanks Tom, I've started my testing but have a little of work on at the moment. Should free up in the next couple of weeks.

  15. Any progress on this one? -Tom

  16. Hi Brian,

    Thanks a lot for enlightening us with such a great step by step guide through the SCCM 2012 and Intel vPro integration. Just a quick question though, is it true that System Center 2012 Configuration Manager no longer supports provisioning out of band, which could be used in Configuration Manager 2007 when the Configuration Manager client was not installed, or the computer did not have an operating system installed. To provision computers for AMT in System Center 2012 Configuration Manager, they must belong to an Active Directory domain, have the System Center 2012 Configuration Manager client installed, and be assigned to a System Center 2012 Configuration Manager primary site. ?

    Thanks in advance.

  17. Hello Blair,

    Are these directions that you are using for client control mode or admin control mode?

    Thanks
    mike

  18. Hey Mike, when you export the profile you can use either. Since I'm using Remote configuration I can do either.

  19. Hello Blair, according to this technet article http://technet.microsoft.com/en-us/library/gg682077.aspx#BKMK_SupConfigOOB it states that SCCM 2012 SP1 only supports intel amt up to version 6. Have you had any positive results with the SCCM 2012 sp1 out of band console managing newer versions of intel AMT?

    Thanks
    Mike

  20. Hello Blair, I was wondering if you have enabled AMT audit logging in any of your AMT provisioning projects (internal or external provisioning) and if so can you please share your experience with it?

    Thanks
    Paulo

  21. where do we find configuration_IntelSCS8_iAMT.mof? It looks like links have changed. The new Add-on exe does not work, so we need these instructions to be complete. Thanks!
