Friday 31 August 2012

A cheat sheet that may help you fast track the change control required to implement SCS in your environment


Hi All,

This list may help you fast track the change control that may be required in your environment for the implementation and integration of Intel® Setup and Configuration Software (Intel® SCS) to activate your Vpro systems with SCCM.

I am referring to the User Guide and Deployment Guide from version 8.1 and can be downloaded here.  The SCCM integration guide is available here. I am referring to version 12.

Suggested tasks required for change control:
  • Page 31: (User Guide) - Creation of a user account with local administrator rights on the SCS Server.  (Intel.SCS)
  • Page 35: (User Guide) - Creation of SQL Database. The database is automatically created during the install process. The account selected to install the database must have dbcreater and securityadmin rights. I suggest you use the same user account as above to install and access this database.
  • Page 46 (User Guide) -  Set the required DCOM permissions for the user account created
  • Page 48 (User Guide) -  Set the required WMI permissions for the user account creat
  • Page 84: (User Guide) - Within the SCS profile you need define an Access Control List (ACL) that has access to use the Vpro features. An Active Directory Security Group is usually required to delegate this control. You can also use an already created security groups.
  • Page 170: (User Guide)  - Creation of a new certificate template and issuing a new certificate type.
  • Page 181: (User Guide) - Option 15 must be set on the DHCP server and return the local domain suffix.
  • Page 184: (User Guide) - If you are not using a certificate authority such as GoDaddy to provision the systems, follow the steps from 186 to 189 to create a new template, issue a certificate and enter the certificate hash into the Intel MEBX. 
  • Page 22: (Deployment Guide) – Requesting, installing and exporting a certificate which is used to provision the systems.
  • Page 61: (Deployment Guide) – Creation of a new organisation unit for AD integration.
  • Page 61: (Deployment Guide) – Delegation of control of the organisation unit for the user created to run the SCS service.
  • Page 18: (ACI for MS SCCM User Guide v12) – Section 4.1 details the steps required to edit the SCCM MOF files (sms_def.mof and configuration.mof). This cannot be completed until all the scripts are executed within section 3.

Other requirements and notes that are not in the Deployment or User Guide are as follows:
  • An Enterprise CA with the Certification Authority and Certification Authority Web Enrolment roles is required. 
  • The vPro client must have the Intel Management Engine Interface (MEI) Driver installed. They most likely already have it. They are available from a Windows update. 
  • When the systems are provisioned with Active Directory integration, a new AMT object will be created for every computer.  The details of the AMT object will be shown as Computer name$iME. $iME identifies this object as related to Intel Management Engine. 
  • Page 48 of the Deployment Guide shows you an overview of the systems that SCS require and interact with. 




I hope helps you fast track your SCS deployment Solution. 
Posted by at 1 comment:

Friday 17 August 2012

How to remote control a VPro system on a IPv6 network

Hi All,

This one stumped me for weeks.

Did you know that the out of band management role within SCCM does not support IPv6? Also if you try to remote control a Vpro system when IPv6 is the first communication path it will fail?

 I didn't. I setup Microsoft Direct Access, which as you may know requires IPv6. Check out the section Slow Responses to AMT-Based Computers Using IPv6 from this page. It clearly states Out of band management does not support IPv6. 

The solution was very easy, on you SCCM server or the system you are using to remote control the system, run the following commands so the system requesting to remote control the will try to communicate on IPv4 and if that fails it will communicate on IPv6. 

netsh interface ipv6 delete prefix ::ffff:0:0/96
netsh interface ipv6 add prefix prefix=::ffff:0:0/96 precedence=45 label=4

This one stumped me for weeks. 

 Regards,

 Blair





Posted by at No comments:

Sunday 12 August 2012

Troubleshooting KVM control for Vpro

Hi Everyone,

Have you ever wondered what that word 'Vpro'  means for you? You will see it on the Intel sticker that is stuck to your laptop or workstation.
It may look something like this:


Let me explain, every help desk would use some sort of remote control software (dameware or VNC), to support their computer fleet remotely, at operating system level. Well, one of the technologies within Vpro allow you to do just that, but with one huge benefit, it is not reliant on the operating system, you can actually control the computer at bios level. You can power it off or on remotely too.
The feature within Vpro is called KVM (Keyboard-Video-Mouse). It is available within firmware versions 6.02 and onwards. You can upgrade 6.01 to 6.02. The chipset has VNC server on it which allows you to remote control the system regardless of the operating system.

You can use multiple applications such as VNC viewer plus or Intel's free program KVM view, to access the VNC server on the chipset. If your like me you properly manage your fleet with SCCM, you can install an add-on that allows you to control a system with a right-click action.




To leverage this technology you must first activate it, which is also known as provisioning a system. You do this using a product from Intel called SCS and a provisioning certificate. It's important to understand the different certificates that are used to provision a system. I'll explain this certificate so we all understand it. I like to use real world examples, something we can all understand, so here goes.

If I'm at a coffee shop and a gorgeous women is sitting at a table. Say her name is Jessica. Jessica is waiting for me to talk to her however, Jessica will only talk to me if her father (Bruce) approves. Once Bruce has checked my background and determines I'm ok to date his daughter, Bruce will give me a letter to pass to Jessica which says he approves. Once I give that letter to Jessica and Jessica checks to ensure it's real she will talk to me :)

In this example,
  • Jessica is the client machine that I want to provision
  • I am the SCS server that wants to provision the client machine.
  • Bruce it a trusted certificate authority that the client machine trusts.
  • The letter is the provisioning certificate that is singed by the certificate authority which is trusted by the client machine
Clear as mud?

The root hash of the certificate authority which issued the provisioning certificate must be stored within the Vpro's firmware. Systems come with preconfiugrated hash's, from well known certificate authorities, meaning you can provision systems without having to physical touch any of your fleet. The cheapest is Godaddy.
Once the system is provisioned (the Vpro chip trusts your SCS server), you will be able to remote control the system using KVM View or VNC viewer plus.

If you plan to integrate a provisioned system into SCCM, you also need to secure the system with TLS (Transport Layer Security), Kerberos authentication and Active Directory integration. It's pretty straight forward once you know what you are doing.

There is alot of information which shows you how to provision and manage Intel Vpro chipsets. I thought I would share my experience. I'm not an expert and don't have all the answers but I hope this will save you alot of time troubleshooting.


1. Ensure the systems are Vpro capable and if you want to control the systems ensure they have the Intel(R) HD Graphics Driver.

Some useful links to help checking this are below

2. Understand how the different ports and protocols work. Gael Holmes Hofemeier from Intel wrote a good blog about this which can be found here

3. Download the lastest version of the Intel Setup and Cofiguration software (Intel SCS). At the time of this blog it is located here. There are two documents that will help you setup the software. The user guide and deployment guide.

4. When you are testing KVM control, download VNC plus. At the time of this blog you can download it from here

5. When you first provision a system with SCS do it with the lowest security possible and then work your way up. For example
  • Provision a system without TLS and connect via IP address.
  • Provision a system with TLS and connect using a Digest username and password.
  • Provision a the system with TLS and connect using a AD Authentication.

6. If you are having a problem connecting by host name, turn of IPV6. I am still working out why this is an issue and you can follow the progress on this forum.

7. In you think typing in the RFP password is a solution for TLS errors as I thought on this blog you are wrong. It bypasses TLS.

8. To setup TLS security for the provisioned systems, follow the instructions on Page 170. The guides release date is Jule 12th 2012 so it might be a different page, if you are using a different version of this guide. This is the certificate you select in your SCS profile. Once provisioned with TLS you should be able to log into https://FQDN:16993/


9. If you are using an internal certificate authority to provision the systems, rather then a certificate authority such as godaddy, follow the instructions in the SCS user guide on page 186. There you will create a certificate template,certificate request and enter the root hash manually into the Intel AMT firmware. This guides release date is Jule 12th 2012 so it might be a different page if you are using a different version of the guide.

10. I think it's best to provision the systems with SCS and not SCCM. Then if you decide to upgrade SCCM or move to a different solution you won't need to unprovision and reprovision the systems.

11. If you have SCCM and want to integrate SCS with it, Intel have already built the scripts and instructions on how to do this. It can be found here and is very easy to follow. It actually provides scripts that will unprovision and reprovision systems for you.


12. If you cannot control a system with the Intel add-on (customised KVM-View) you may need to import the Root CA into KVM View.





If you have any questions or comments or need any help please leave a comment.

Posted by at 8 comments:

Sunday 5 August 2012

Intel KVM control not working with Transport Layer Security (TLS)

Hey Everyone,

I was recently working on a project which included provisioning systems with SCS 8.1 and then integrating the provisioned systems with SCCM 2007.

The goal was to control the provisioned systems with the intergation tool provided by intel. You can download it from here.

Everything went well until I tried to control the systems with KVM View.

When I tried to control a system I was left with the following screen. I could power on/off the systems but could not contol the GUI of the system.

 
I also tried to control the systems with VNC Plus and recieved the following error:


I then tried to use the Manageabilty Commandor tool and it just stays at connect/abort

 
The Web Interface looked fine.

 
I decided to provision a system without TLS and I could control the system via IP address. I assumed the issue was with the certficates however it wasn't. The answer lied in enabling the standard port and using the RFBPassword

 
This took me about 3 days to work out. I hope it saves you the time.
Posted by at No comments:
Subscribe to: Posts (Atom)