Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Environment Assessment Report for Intel vPro Technology, Part 2

Created: 12 Apr 2011 • Updated: 30 Aug 2011 | 3 comments
Language Translations
Terry Cutler's picture
+1 1 Vote
Login to vote

Author's Note:

The original article below suggests the use of a majority of the systemdiscovery custom data fields.   For production environments, it may be best to collect only the subset needed.   More information on an appropriate subset of custom data is shown at http://www.symantec.com/connect/videos/part-4-configure-intel-amt-integrating-altiris

 

Introduction

The first article highlighted a useful custom report based on natively available data within ITMS 7.1.   Additional data can be obtained to both assess the environment and assist with troubleshooting issues.   The information shared in this article is helpful to those who have not yet moved to Altiris 7.1, are not gathering Full Inventory, or that want to get additional insights on the settings and capabilities of the Intel vPro Technology firmware.   This article will utilize a tool from Intel called SCSDiscovery and will require a custom data class.   Some of the captured data may appear duplicated to available datapoints within the Altiris CMDB.   The difference is real-time data at the time the SCSDiscovery tool was run on the client.

SCSDiscovery

The tool is available at http://software.intel.com/en-us/articles/download-the-latest-version-of-intel-amt-setup-and-configuration-service-scs/under the title of “System Discovery Utility”.   A variety of early generations or components to the tool have existed, yet most were never posted publicly by Intel.   The contents of the ZIP file include a PDF document providing more insights on what data is collected along with the SCSDiscovery.exe and associated DLL files.

The tool will detect the presence of Intel AMT whether or not the associated drivers are loaded.   If the drivers are loaded, the tool will capture approximately 70 fields of data locally on the client.   By default, this data is stored to the local Windows registry and an XML file in the directory where SCSDiscovery.exe was executed.   For an optimal data capture across all generations of Intel Active Management Technology, the LMS service should be stopped prior to running the utility.   More information and background are provided in the PDF document within tool download as mentioned above.

Custom Inventory for SCSDiscovery

Using the Altiris 7 Custom Inventory guidance provided at http://www.symantec.com/connect/articles/introduction-custom-inventory-notification-server-70, a custom data class should be created along with a VBscript to collect the data from the clients.   For convenience, attached is an example VBscript developed from my own lab environment.   The one datapoint I did not include was the Certificate Hashes.    The NS7_Send VBscript is provided “as-is” for your reference along with an XML for the custom data class (ACU_Discovery_Data.xml).  

Review the datapoints captured and determine what is needed for your environment.   If you choose to utilize the custom data class file, a quick and easy method is to import as shown below.    This is my approach and I invite you to validate accordingly for your environment as needed.   Remember – this will add a custom data class to your Symantec CMDB which will be populated with data associated to client resource records.   (I add this disclaimer as customer responses have been mixed.   All agree with the end goal.   Some are hesitant to add custom data.)

Sequence for Capturing Data from Client to Notification Server

On a target client with Intel Active Management Technology, run the following set of commands:

  • Sc stop lms
  • Scsdiscovery.exe systemdiscovery
  • Sc start lms

A partial screenshot of the resulting data on a test client is shown below:

Using the sample NS7_Send.vbs file, call “cscript ns7_send.vbs” to capture this data to the registered Notification Server.   Note: This will require the Altiris Inventory sub-agent to be loaded.

Once captured to the server, open the Resource Manager of the target client and change View > Inventory.   Navigate to the custom inventory data class as captured for that client. Again, a partial screenshot is shown below for reference.

The data is now centrally stored on the Notification Server enabling a number of possibilities.

To help automate the process, use a TaskServer job or other means to deliver the client files, perform the steps in sequence, and so forth.

Example Custom Report

Similar to part 1 of this article series, a custom query and report can be written to provide a central view based on key datapoints.   The example below queries for only a subset of the data

The example query produces a report similar to the following (which is intentionally similar to the native report shown in part 1 of this article series)

Summary of key custom data points

The custom data and report will be needed in events prior to Altiris 7.1 if the exact Intel AMT firmware and driver version are to be captured.   The additional data points will prove helpful for a complete environmental assessment or when troubleshooting.

For example:

  • WiredIPv4 – knowing the exact IP address of the firmware.   If blank or different than an expected IP address, this indicates the firmware network interface may be unreachable.
  • OSPrimaryDNSSuffix – knowing the exact network DNS suffix from the client’s perspective will help determine what remote configuration certificate needs to be acquired

There are other beneficial nuggets of data provided by the SCSDiscovery custom data which will be shared later.

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries

Return to Part 1

Read Part 3

Comments 3 CommentsJump to latest comment

Terry Cutler's picture

Another example where SystemDiscovery helps is identifying false positives for vPro capable systems.   Although it's rarely happened, over the years I've come across a few customers who thought they purchased vPro systems yet could not get the technology configured on a certain batch of units.    Traditional tools and approaches show the system is Intel AMT capable and ready to be configured.

This scenario happened to me recently with a new demonstration unit.   At first, the data fields from SystemDiscovery showed the system was AMT capable and ready to be configured.   Try as I might, the system would not configure.

Upon closer inspection of the SystemDiscovery output, the following XML data tag helped clarify why the system did not respond to configuration requests.

<IsAMTEnabledInBIOS>false</IsAMTEnabledInBIOS>

In essence - all of the vPro silicon components were present, but the final firmware burn in to the client has AMT disabled in the BIOS.    If you have systems in this state in your own environment, the setting is not reversible after the unit is released by the OEM.

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries

0
Login to vote
Terry Cutler's picture

I made a mistake in the SQL query highlighted in the original article\post above.

For the DHCP option 15 field, use "OSSpecificDNSSuffix" instead of "OSPrimaryDNSSuffix"

In the example below, the "Connection-specific DNS suffix" is the DHCP option 15 value which systemdiscovery reports as "OSSpecificDNSSuffix".    The example shows this value to be "vprodemo.com" which is the domain used by the remote configuration certificate.

In contrast, the "Primary DNS Suffix" in the example below is blank since the client is not joined to a domain.   This value is set via a local host operating system setting.   Systemdiscovery will report as "OSPrimaryDNSSuffix".

If further questions - please let me know.

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries

0
Login to vote
Terry Cutler's picture

Some have asked - "Must I collect all of the data fields provided by SystemDiscovery?"

No - you do not need to collect all data.   See "Author's note" at beginning linking to video demonstration at http://www.symantec.com/connect/videos/part-4-configure-intel-amt-integrating-altiris

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries

0
Login to vote