Posts Tagged ‘OOB’

If you’ve followed the previous parts in this series, you’ll now have one or more clients provisioned for Out of Band Management in Configuration Manager, in this last part I will go through and show the features that this will provide you with.

(more…)

We are now ready to deploy our first system for Out of Band Management using the Intel SCS integration, so we have support for newer versions of Intel AMT.

In my lab I have 2 HP laptops for demoing this (EliteBook 2560p and EliteBook 8440p), and before we start we need to make sure that our clients have all the pre-requisites installed;

(more…)

In this post we will install the Intel SCS Add-on and verify the the installation. I’ve also added some steps to fix a couple of bugs.

Installing the Add-on

1. Copy the IntelSCS_SCCMAddon folder to the computer where the Configuration Manager Console is running, in my lab this is the Primary Server. You can find the link for this Add-on in Part 1 of this series.

2. In the SCCMAddon subfolder, double-click SCCMAddon.exe. The Welcome window opens.

3. Click Next. The License Agreement window opens.

4. Select I accept the terms of the license agreement and click Next. The SCCM Settings window opens.
1

5. The wizard automatically detects the necessary SCCM settings. Make sure that the settings shown in the SCCM Settings window are correct and click Next to continue.

6. The Select Components window opens. The necessary files for these components are located in the download package of Intel SCS 9.0. You can find the link for Intel SCS 9.0 in Part 1 of this series.

2

  1. In the Path column of the Intel Solutions Framework row click the icon under path to select the file.
  2. Browse to the Solutions_Framework\Framework folder of the Intel SCS 9.0 download package and select the file named HostSolutionManagerInstaller.msi.
  3. Click Open. The path to the file is updated in the Path column. In addition, the wizard automatically searches the download package for the required files of the remaining default components in these locations:
      • Intel SCS Platform Discovery Utility – The PlatformDiscovery.exe file in the Solutions_Framework\PlatformDiscovery folder.
      • Intel AMT – The ACUConfig.exe file in the Configurator folder.

If successful, the paths to the files are updated in the Path column of each row. You can hover the mouse over the Path entry to show the full path.

7. For each row in the table of components verify Install is the option set in the Action column. In this series we are not integrating with RCS so make sure this option is not selected.

8. Click Next. If you selected to install Intel AMT, the Intel AMT window opens.

3

  1. Select the check boxes of the capabilities that you want to enable. For each capability that you select, the Add-on will create packages and task sequences in SCCM. It is recommended to enable all the capabilities.
  2. When the Configure check box is selected, you will need to specify the configuration profile that you created (in advance) for Intel AMT. Click Browse to select the profile XML file that you created and enter the password in the Encryption password field. (This is the profile XML that we created in Part 4 of this series).

9. Click Next. The User Account Settings window opens.

4

By default, the packages created by the Add-on are run using the SCCM client on the host computer. If you want to use a different user, you can define the user account in this window. If you define a user account in this window, all packages created by the Add-on will be defined to run using this account. Here select the CM_AMT account we created for AMT Provisioning in Part 2 of this series. (Also note that this account must be member of the local administrator group on each client where you want to run this package.)

10. Click Next. The Add-on Packages Folder window opens.

5

During installation, the Add-on automatically creates packages for the components that you select to install. For each package, the Add-on creates a folder containing the files required by the package. For simplicity, all these folders will be located in a single parent folder that you define in this window. The parent folder must be in a location that the Configuration Manager can always access.

  1. Click Browse. The Browse for Folder window opens.
  2. Browse to a location that the Configuration Manager will always be able to access and create a parent folder for the Add-on packages. Give the folder a name that will help you to recognize the purpose of this folder.
  3. Click OK to close the Browse for Folder window.

11. Click Next. The wizard installs the selected components. When complete, click Next. The Completed Successfully window opens.

6

12. Click Finish to exit the wizard and then perform the Post Installation Tasks described below.

Post Installation Tasks

This section describes the tasks that you need to do after installing the Add-on.

Refreshing the Collections

After installation, the collections added by the Add-on might need to be updated in the Console.

  1. Select Asset and Compliance > Overview > Device Collections.
  2. To update the members of a collection:
    1. Right-click the collection and select Update Membership.
    2. Right-click the collection again and select Refresh.

7

Bugfix #1

There is an error in the script that is created during installation of the Add-on so browse to the path where you specified that the package would be created in step 10 above. (D:\PackageSource\Applications\Intel in my lab example)

So browse to this path and edit the configure.bat file that is placed in the Intel AMT subfolder.

Scroll to the bottom and here you will see that the script still have references to the Intel Demo environment where this script probably where created; “wmic /Node:2008R2SCCM2012.vprodemo.com /namespace:\\root\SMS\site_A12” I’ve changed this to the correct server name and site code of my lab. See screenshots below.

8

9

Bugfix #2

Based upon how you specified the path to your profile XML file you also must edit the Intel AMT Configuration Task Sequence to make sure that the path to XML file is correct. Since the profile XML actually is part of the packaged created I’ve just removed the path and reference the profile XML directly. See screenshot below.

1011

Enabling the Task Sequences

By default, the task sequences created by the Add-on are disabled. You will need to enable them before you can use them.

12

Before you enable a task sequence you can modify the deployment target collection and schedule the re-occurrence according to your company policy. For Intel AMT, it is recommended to schedule a daily recurrence of Maintenance, Configuration and Unconfiguration, and a weekly recurrence of Discovery.

As you can see from the screenshot above all Collections created by the add-on are limited on the All Systems Collection, so be careful when you enable the Task Sequences so you do not target all your systems without intention. Since this is in a lab I have control and uses the collections created by the add-on, but when I deployed at customer we created new collections to make sure no one accidently deployed to all the systems without intention.

To enable a task sequence right-click it and select Enable.

13

What is created by the Add-on?

Below a series of screenshots will show what is created in Configuration Manager when you install the add-on.

Collections

14

Task Sequences

12

Packages

15

We have now installed the add-on and a ready to deploy our first client to verify functionality. So in the next posting we will go through the prerequisites on the client, configure a client for AMT and look at the different functionality we get with Out of Band Management.

Previous Postings in this series:

Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 1 : Introduction
Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 2 : Active Directory
Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 3 : Certification Authority
Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 4 : Configuration Profiles for Intel AMT
Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 5 : Configuring SCCM 2012 R2

In this post we will do the configuration needed in Configuration Manager before we install the Intel SCS Add-on. We will go through the following steps;

  • Adding Hardware Inventory Classes
  • Adding the Enrollment Point and Out of Band Service Point
  • Configuring the Out of Band Management Component
  • Enabling Out of Band Management Controller Discovery
  • Giving Permissions for Management Controller Discovery
  • Configuring the Site to Send Power on Commands for Scheduled Wake-Up Activities

As you can see there are a lot of steps involved so this will be a long post, I’ll break it up in parts so it will be easier to follow.

Adding Hardware Inventory Classes

Before installing the Add-on, you must add some hardware inventory classes to Configuration Manager that are required by some of the Add-on components. These classes are imported from files supplied with the Add-on:

  • sms_def_AMT.mof – Adds classes with a prefix of Intel_AMT. You must import this file if you want to install the Intel AMT component.
  • sms_def_SCSDiscovery.mof – Adds a class named Intel_SCS_Discovery. You must import this file if you want install any of the other Add-on components.

These 2 files are found in the Intel SCS Add-on for Microsoft System Center Configuration Manager package mentioned in Part 1 of this series.

  1. Open the Configuration Manager Console.
  2. In the left pane, select Administration > Client Settings.
  3. In the right pane, right-click Default Client Settings and select Properties.1
  4. Select Hardware Inventory.2
  5. Click Set Classes. The Hardware Inventory Classes window opens.3
  6. Click Import.
  7. Navigate to the SCCMAddon folder, select the sms_def_AMT.mof file that was included with the Add-on, and click OK. The Import Summary window opens.4
  8. Click Import and then click OK two more times to close the open Windows.
  9. Repeat steps 6 through 8 to import the sms_def_SCSDiscovery.mof file.

Adding the Enrollment Point and Out of Band Service Point

  1. In the Configuration Manager console, click Administration.
  2. In the Administration workspace, expand Site Configuration, select Servers and Site System Roles, and then select the server that you want to use for AMT provisioning.
  3. On the Home tab, in the Server group, click Add Site System Roles.
  4. On the General page, specify the general settings for the site system, and then click Next.
  5. On the Proxy page, click Next.
  6. On the System Role Selection page, select Out of band service point and Enrollment point from the list of available roles, and then click Next.
  7. On the Out of band service point page, do not change the default settings for the scheduled power on commands unless you have to fine-tune these for your network infrastructure. Click Next.
  8. On the AMT Provisioning Certificate page, click Browse to select the AMT provisioning certificate that you created in Part 3 of this series. If you have multiple certificates to choose from and are unsure of which certificate to choose you can check this by doing the following;1 2 3
  9. Decide whether you must clear the Enable CRL checking for the AMT provisioning certificate check box, and then click Next.
  10. On the Enrollment Point Settings page, review the settings. Keep the default settings unless you need to change them for your environment. Click Next.
  11. Complete the wizard.

This guide can also be found on TechNet.

Configuring the Out of Band Management Component

  1. In the Configuration Manager console, click Administration.
  2. In the Administration workspace, expand Site Configuration and then click Sites.
  3. On the Home tab, in the Settings group, click Configure Site Components, and then click Out of Band Management.
  4. Select the enrollment point that you configured in the preceding procedure.
  5. Specify the OU and then the universal group that you configured in Part 2 of this series. (AMT Provisioned Computers)
  6. Specify the AMT web server certificate that you configured in Part 3 of this series. (ConfigMgr 2012 R2 AMT Provisioning)
  7. Click Set to specify a strong password for the account in the Management Engine BIOS extension (MEBx) that is used for the initial authenticated access to manage AMT-based computers. (In my example vu9ESes!)
  8. Your Out of Band Management Components Properties page should then be similar to this;1
  9. Click OK to close the Out of Band Management Component Properties dialog box.

Enabling Out of Band Management Controller Discovery

Configuration Manager has a built-in capability for discovering the status of an Intel AMT system. (This built-in capability is not the “Discovery” capabilities that are added when you install the Add-on.) The purpose of the Configuration Manager discovery is to get the status of Intel AMT on each system. The status is then shown in the Configuration Manager in the “AMT Status” column. (You can add this column to the list of devices by right-clicking the table header in Devices and selecting AMT Status, as shown in this example.)2

When you right-click a system, the Out of Band Management Console is only made available if the “AMT Status” of the system is “Provisioned”. This status is only updated by SCCM when the OOB Management Controller Discovery is run. This means that it is very important to make sure that this capability is configured and can run successfully.

To get the status, Configuration Manager connects to the system OOB via the Intel AMT ports. To connect successfully, Configuration Manager must use credentials of an admin user account configured in Intel AMT. This means that you must make sure that you configure an admin user account in Intel AMT that Configuration Manager can use.

  1. Open the Configuration Manager Console.
  2. In the left pane, select Administration > Overview > Site Configuration > Sites.
  3. In the right pane, right-click the site and select Configure Site Components > Out of Band Management. The Out of Band Management Component Properties window opens.
  4. Click . The AMT Provisioning and Discovery Account window opens.
  5. In the Name field, type “admin”. (This is the name of the default Digest admin user account.)
  6. In the Password fields, type the password we defined in the profile in Part 4 of this series. (In my example this is vu9ESes!)
  7. Click OK to close the open Windows.

3

Giving Permissions for Management Controller Discovery

Some of the task sequences installed by the Add-on will automatically try to run the Management Controller Discovery on the systems. For this to succeed, you must give certain permissions to the domain computers account.

  1. Open the Configuration Manager Console and select Administration > Security > Administrative Users.
  2. Right-click Administrative Users and select Add User or Group. The Add User or Group window opens.4
  3. Click Browse and select the Domain Computers account.
  4. Click Add and select the Operations Administrator role.
  5. Click OK. To close the Add User or Group window.

Configuring the Site to Send Power on Commands for Scheduled Wake-Up Activities

  1. In the Configuration Manager console, click Administration.
  2. In the Administration workspace, expand Site Configuration, click Sites, and select the primary site to configure.
  3. On the Home tab, click Properties, and then click the Wake On LAN tab.
  4. Select the Enable Wake On LAN for this site check box, and then select Use AMT power on commands only.5
  5. Click OK.

Configuration Manager 2012 R2 is now configured and in the next post in this series we’ll install the Intel SCS Add-on.

Previous Postings in this series:

Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 1 : Introduction
Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 2 : Active Directory
Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 3 : Certification Authority
Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 4 : Configuration Profiles for Intel AMT

If you want to enable the configuration capability of the Add-on for Intel AMT, you must define a configuration profile for Intel AMT. How you create this profile depends on if you want to use RCS Integration with Intel AMT:

  • If you want to use RCS Integration – The Add-on will define the packages to get the profile from the RCS and use the remote configuration method to configure Intel AMT. You must create the profile using the Intel SCS Console.
  • If you do not want to use RCS Integration – The Add-on will define the packages to get the profile from an XML file and use the host-based configuration method. You must create the profile using the Intel AMT Configuration Utility.

In this posting I’m not using the RCS Integration, so we will use the host-based configuration method.

To create the profile;

  1. From the Intel SCS package that you downloaded (see Part 1 of this series), open the ACU_Wizard folder.
  2. Double-click ACUWizard.exe. The Welcome window opens.
    1
  3. Click Create Settings to Configure Multiple Systems. The Profile Designer opens.
    2
  4. Click and define the folder where you want to save the profile. (I’ve selected D:\Setup\SCS Profiles in my lab environment)
  5. Click on the green plus button and The Getting Started window opens.
  6. In the Profile Description section, enter a description for the profile. This field is for informational purposes only. (I’ve used ThinkIT AMT Profile in this example)
  7. Make sure that the Configuration / Reconfiguration option is selected and click Next.3
  8. Select these check boxes:
    • Active Directory Integration
    • Access Control List (ACL)
    • Transport Layer Security
      4
  9. Click Next. The Active Directory Integration window opens.
  10. Click and select the Organizational Unit (OU) where the object will be stored in AD. During configuration, Intel SCS sends a request to the AD to create a Computer object representing the Intel AMT device. The object is added to the OU you defined in this field. I’ve selected the OU we created in Part 2 of this series; AMT Provisioned Computers
    5
  11. Click Next. The Access Control List window opens. This window lets you define users and their access privileges in Intel AMT.
  12. Define the user/group that will be used by SCCM and Intel SCS:
    1. Click Add. The User/Group Details window opens.
    2. Select Active Directory User/Group.
    3. Click Browse and select the Group that we created in Part 2 of this series; SCCM 2012 R2 AMT Administrators
    4. In Access Type section, select Both.
    5. In the Realms section, select the PT Administration check box and click OK. The User/Group Details window closes and the user is added to the list of users.
      6
  13. Click Next. The Transport Layer Security window opens. This window is used to define TLS settings to apply to the Intel AMT system. When TLS is enabled, the Intel AMT device authenticates itself with other applications using a server certificate.
  14. Make sure that Request certificate from Microsoft CA is selected and then:
    1. From the Certificate Authority drop-down list, select the certification authority.
    2. From the Server Certificate Template drop-down list, select the template that you defined for TLS in Part 3 of this series; AMT Client Configuration Certificate.
      7
  15. Click Next. The System Settings window opens.
  16. Define the password for the default Digest admin user built into each Intel AMT device, select Use the following password for all systems, and type in the password, I’ve used vu9ESes! in my lab.
    8
  17. Click Next. The Finish window opens.
  18. Save the profile:
    1. In the Name of XML file field, enter a name for this profile.
    2. In the password fields, enter a password that will be used to encrypt the profile. (I’ve used ThinkIT2014! in my lab example)
      9
  19. Click Finish. The profile is added to the list of profiles and saved to the location you specified in Step 4. We will use this profile when installing the Intel SCS add-on in a later part of this series.
    10

Previous Postings in this series:

Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 1 : Introduction
Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 2 : Active Directory
Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 3 : Certification Authority