Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 8 : Out of Band Management Options

Posted: January 31, 2014 in Configuration Manager, System Center Configuration Manager 2012

If you’ve followed the previous parts in this series, you’ll now have one or more clients provisioned for Out of Band Management in Configuration Manager, in this last part I will go through and show the features that this will provide you with.

Ping
When we configured the AMT Profile in Part 4, we left the option “Enable Intel AMT to respond to ping requests” enabled. This means that the machine will respond to ping requests even when powered off. So how can we tell from ping whether a system is powered on or off? If you look at the screenshots below, you’ll see that PC001 has a TTL=128 when powered on and TTL=255 when powered off.
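The TTL check can be scripted for an inventory of provisioned clients. This is an added example, not part of the original post; the function names are hypothetical, and the thresholds assume the two values shown above (128 from Windows, 255 from the AMT firmware), reduced by one for every router between you and the client.

```powershell
# Added example: infer power state from the TTL of a ping reply.
# Assumption: 128 = Windows answering, 255 = AMT firmware answering (values from this post).
# Each routed hop lowers the TTL by one, so ranges are used instead of exact matches.
function Get-AmtPowerStateFromTtl {
    param([Parameter(Mandatory)][int]$Ttl)
    if ($Ttl -gt 128 -and $Ttl -le 255) { return 'PoweredOff-AmtResponding' }
    if ($Ttl -gt 0 -and $Ttl -le 128)   { return 'PoweredOn-OsResponding' }
    return 'Unknown'
}

function Test-AmtPowerState {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$TimeoutMs = 2000
    )
    $ping = New-Object System.Net.NetworkInformation.Ping
    try {
        foreach ($name in $ComputerName) {
            $state = 'NoReply'
            $ttl = $null
            try {
                $reply = $ping.Send($name, $TimeoutMs)
                if ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success) {
                    # Options can be empty (for example on IPv6 replies); report Unknown then.
                    if ($reply.Options) { $ttl = $reply.Options.Ttl }
                    $state = if ($ttl) { Get-AmtPowerStateFromTtl -Ttl $ttl } else { 'Unknown' }
                }
            } catch {
                # Name resolution failure or a socket error.
                $state = 'ResolveOrSendError'
            }
            [pscustomobject]@{ ComputerName = $name; Ttl = $ttl; State = $state }
        }
    } finally {
        $ping.Dispose()
    }
}

# PC001 is the client name used in this post.
Test-AmtPowerState -ComputerName 'PC001'
```

A client that answers with a TTL above 128 while it is supposed to be switched off also tells anyone on the network that AMT is provisioned and reachable, so keep the ping option in mind when deciding which subnets may reach the management ports.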

We also enabled all the management interfaces when we configured the AMT Profile in Part 4:

Web UI
This enables a Web UI on port 16993 on all your provisioned clients; you reach this Web UI at https://fqdn:16993

You will then be presented with the Log On page. Here you can log in with one of the users in the SCCM 2012 R2 AMT Administrators group created in Part 2 of this series.

If you are not able to log on (it will fail after 3 attempts) and you are sure that you typed the correct username and password, take a look at KB908209. After reading it you’ll see that you need to add the following setting to the Registry on the machine you’re trying to access the Web UI from (below is for 64-bit; check the KB for 32-bit computers):

  1. Start Registry Editor.
  2. In the left pane, locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl
  3. On the Edit menu, point to New, and then click Key.
  4. Type FEATURE_INCLUDE_PORT_IN_SPN_KB908209, and then press ENTER.
  5. On the Edit menu, point to New, and then click DWORD Value.
  6. Type iexplore.exe, and then press ENTER.
  7. On the Edit menu, click Modify.
  8. Type 1 in the Value data box, and then click OK.
  9. Exit Registry Editor.

You don’t have to install the hotfix, just add the registry setting.
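The same registry change as a script, for when several admin workstations need it. This is an added example, not part of the original post; it uses the 64-bit path given in step 2 and must run in an elevated PowerShell session on the machine you browse the Web UI from.

```powershell
# Added example: scripted form of steps 1-9 above (64-bit path; see KB908209 for 32-bit).
$featureControl = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl'
$featureKey     = Join-Path $featureControl 'FEATURE_INCLUDE_PORT_IN_SPN_KB908209'
$valueName      = 'iexplore.exe'

# Writing under HKEY_LOCAL_MACHINE needs administrative rights; stop early if not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Writing under HKEY_LOCAL_MACHINE requires an elevated session.'
}

# Steps 3-4: create the key if it does not exist yet.
if (-not (Test-Path -Path $featureKey)) {
    New-Item -Path $featureKey -Force | Out-Null
}

# Steps 5-8: create (or overwrite) the DWORD value iexplore.exe = 1.
New-ItemProperty -Path $featureKey -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null

# Read the value back so a failed or redirected write is noticed immediately.
$current = (Get-ItemProperty -Path $featureKey -Name $valueName).$valueName
if ($current -ne 1) { throw "Unexpected value for ${valueName}: $current" }
'{0}\{1} = {2}' -f $featureKey, $valueName, $current
```

Restart Internet Explorer afterwards so the new feature control setting is picked up.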

After you’ve logged on you’ll be able to see the following information via the Web UI:

Serial Over LAN (SOL)

The SOL feature only lets you see the boot process and BIOS remotely (text only). If you want to remote control inside Windows with a full GUI, use the KVM feature described later.

To use the SOL feature you need to start the Out of Band Management Console (right-click the computer in the Configuration Manager Console -> Manage Out of Band -> Out of Band Management Console).

IDE Redirection (IDER)

IDE-Redirect is a very helpful feature of Intel AMT. With this feature an administrator can reboot the machine onto a redirected disk or a CD-ROM drive. You can also control this from the Out of Band Management Console.

In the example in the screenshots below I use it to remote boot the machine into WinPE from a redirected ISO on my Configuration Manager server.

If you use large ISOs with IDER, make sure you take a look at this post to speed things up: Speeding up Intel AMT IDE-Redirection with a 2-stage boot process

Power Commands

If you right-click the computer in the Configuration Manager Console -> Manage Out of Band -> Power Control, you’ll be able to Power On, Power Off and Restart the computer. Be aware that the Power Off is a hard power off, but from version 9.0 of Intel AMT support for Graceful Shutdown is added.

KVM

In Part 1 I posted the link to the Intel Core vPro processor add-on for System Center Configuration Manager. If you install this on the system that is running the Configuration Manager Console, it will add the ability to start a KVM session and set an Alarm Clock for your computers. These features are added as right-click tools, see the screenshot below.

The Alarm Clock will let you specify a time at which you want to wake your computer if it’s turned off:

When you start a KVM session, the first thing that happens is that user consent is required. (This is because we do host-based configuration/provisioning of AMT; if you want to bypass this you’ll need to set up the RCS component of Intel SCS. I’ll post a series on this later.) The consent consists of 6 digits that need to be typed in before you can connect; once they are typed in, you have full control of the remote system with a full GUI. The session remains active until terminated and also survives reboots, so you can reboot a remote system and go into BIOS etc.

With this, the series on integrating Configuration Manager 2012 R2 and Intel SCS 9.0 comes to an end. I hope it’s been helpful, and if you have any questions or comments please let me know. Thank you.

Previous Postings in this series:

Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 1 : Introduction
Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 2 : Active Directory
Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 3 : Certification Authority
Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 4 : Configuration Profiles for Intel AMT
Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 5 : Configuring SCCM 2012 R2
Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 6 : Installing Intel SCS Add-on
Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 7 : Deploying Intel AMT

Comments
  1. Michael says:

    Brilliant forum, I have just got to the end of this and it all worked perfect! Many thanks. When do you plan to do RCS integration? Would love to use the KVM tool without userID prompt.

  2. Alex says:

    I have tried RCS integration, but I think I have failed somewhere. SCCM discovers clients, checks for hardware, provisions and requests certificates all thru SCS (in database mode). The annoying thing is that the computer names are changing from Computername to ComputernameiME in SCCM.

    The distinguishedName changes to the vPro clients group. Name and Netbios gets iME added, the main Security group gets changed to Domanname\AMT Computers as well as in System Group Name and the System OU Name is swapped to the vPro clients OU.

    This makes it hard as it is no longer possible to use sccm addons on them anymore as the computers will not resolve. OOB works tho as well as Intel KVM _but_ you have to change the hostname to connect to as it will try to the wrong host (the added iME in the end). The worst part is I do not know where I have messed up.

    • Alex says:

      As usual, post about a problem you have had for some time and solve it the next hour. The culprit was System Group discovery which was set to the root of the domain. Changed this so it would not find the AMT Computers group and things are slowly moving back to normal.

      • Great that you figured it out, I totally forgot to mention that you should exclude the AMT OU from discovery in Configuration Manager. I’ll update the posting with this information, since you will run into this problem if you have the discovery configured at root or an OU that includes the AMT OU that contains the AMT Objects.

        • Alan Dooley says:

          Hi, I am seeing this issue for a subset of all my objects. I have enabled AMT on approx 1,500 machines and about 50 of these “iME” records are now in my SCCM. They merge with the existing computer record. SCCM is not discovering the AMT OU so I have no idea how they are getting in there..any further ideas…?

  3. Adrian Clenshaw says:

    Great series mate, thanks for posting about it!

    I have one issue which I can’t seem to nut out, so thought I’d ask….

    Everything works perfectly, except for KVMView, which appears to authenticate user correctly, and then applies the KVM settings, then goes immediately to a disconnected state after trying to connect to 127.0.0.1:

    I don’t understand this stuff enough yet, so just thought I’d throw it out there. I’ve opened TCP ports 16992-16995, and 5900, but have found nothing about dynamic ports??

    Do you have any ideas??

    • Hi and thanks for feedback 🙂

      For the ports needed you can check this article: http://technet.microsoft.com/en-us/library/hh427328.aspx#BKMK_PortsOBSP_EnrollPoint

      Looks like you are covered with the ports you have opened already.

      Since you already have opened TCP 5900 against the client, you can try and use a stand-alone viewer like VNC Viewer Plus and connect directly to the client on port 5900 with this tool, to verify that you get a connection.

      If connecting with a standalone client on port 5900 works, everything should be configured correctly and you should take a look in the Configuration Manager logfiles to see if you can find anything there.

      Please let me know if you need further assistance.

  4. Alessandro Proenca says:

    Very nice article. Is it possible to receive AMT event viewer alerts in the SCCM console, and integrate them into the SCCM Alerts Panel?

    regards;

  5. OzThe2 says:

    Great Series – thanks for taking time to post this. Will be trying this in a lab environment tomorrow before (potentially) putting it into our production env.

  6. Michael says:

    Hi,
    great series, I also want to try it in the next weeks.
    I want to ask when you will publish the RCS Integration part?
    Thanks a lot.

    Michael

  7. Michael says:

    It would be nice to see the RCS Integration. Do you plan to publish something to that in the near future? Thanks.
