
Powering on Multiple Intel vPro Systems at the Same Time

Created: 23 Nov 2011
Terry Cutler's picture

The out-of-band power control functionality between Symantec Management Platform and Intel vPro Technology is very handy for on-demand power control events.   However, since the communications are unicast this requires the Symantec Management Platform to establish a session with each Intel vPro Technology system targeted to invoke the power control command (i.e. power-on, power-reset, power-off).   That simply doesn't scale very well, especially if you need to power on a large number of systems.

Surely there must be a better way to ensure reliable power-on events at defined intervals without having to communicate with each client at the time of the event.   Power-on events in this case include systems that are powered off, hibernating, or in a sleep state.   This can be done via BIOS wake timers, but those are set in ways specific to each OEM or BIOS vendor.   What's needed is a uniform method across OEMs and models.


PC Alarm Clock with Intel AMT 5.1 and above

Starting with Intel Active Management Technology (AMT) version 5.1, a little-known feature called "PC Alarm Clock" was introduced.   Intel AMT is the out-of-band management portion of Intel vPro Technology.   PC Alarm Clock does exactly what the name suggests: it powers on the client at a defined time with a definable repeat interval.

How do you know if you have Intel AMT systems, specifically version 5.1?   Take a look at http://www-secure.symantec.com/connect/articles/environment-assessment-report-intel-vpro-technology-part-1

The feature is not natively integrated with Symantec Management Platform at this time, but you can use this great Intel AMT feature today.   The image below shows how a batch file is used to invoke a Microsoft PowerShell script with a defined list of computers to set the PC Alarm Clock on two systems from different OEMs.   The script also defines a recurrence interval of every 2 hours.  In summary - starting at 4pm local time and recurring every 2 hours, the two systems listed will power-on.

The event will only occur if Intel AMT firmware is powered (i.e. the system could be powered off, but AC power is attached).   This will ensure that a laptop in a bag doesn't inadvertently power on during take-off on your next business trip.

A little more information on the above screenshot


Intel vPro PowerShell Module (vPSM)

In an attempt to demonstrate many hidden or underutilized capabilities of Intel AMT, a few developers decided to write some enabling PowerShell cmdlets.   Version 3.1 of the Intel vPro PowerShell module is available at http://communities.intel.com/docs/DOC-4800.   The user guide and on-screen help tools are very helpful.   Here at Intel, we commonly use the acronym "vPSM" when referring to Intel vPro PowerShell Module.

If you are not already familiar with Microsoft PowerShell, take a look at http://technet.microsoft.com/en-us/library/bb978526.aspx among other resources.   In summary, it is a powerful scripting language provided by Microsoft.

After you download and install vPSM, you will need to configure your PowerShell environment.   Be sure to review section 3 of the vPSM user guide.   The most common items I forget to do are setting the execution policy (section 3.1.1 in the document) and adding vPSM to the PowerShell profile (section 3.3.1).   One of my favorite "features" is the Intel AMT Credential storage feature referenced in 3.3.2.


Preparatory Steps to the Batch File

After you get vPSM installed and complete sections 3.1.1 and 3.3.1 of the vPSM user guide, you are almost ready for a step-by-step sequence of the above batch file example.  

Before you begin, determine which Intel AMT credentials will be used.   With a Kerberos account, vPSM defaults to impersonating the logged-in user.   With a Digest account, vPSM can keep the AMT credentials in secure storage.   To set that up, run the following command, which prompts you for the credentials and assigns them to a variable in the secure storage (in the example below, the variable is $amtcred):

$amtcred = Write-AMTcredential

When prompted, enter the same Intel AMT admin password used in your Connection Profile for AMT protocol.   This password is now securely stored and can be referenced in future scripts without directly typing the password.   The secure storage with the Intel AMT password remains in effect, even if you exit out of the PowerShell command prompt.

You will also need a list of target systems in a text file.   This can easily be obtained from Symantec Management Platform by querying for Intel AMT configured systems that are AMT 5.1 or higher.   (see linked article series above for some insights).    For the context of this article, save the list of computers as follows in a file called "computers.txt"

system1

system2

system3


Understand the Target vPSM cmdlet to be used

To get a listing of vPSM cmdlets and functions, start a PowerShell command prompt session using a profile.ps1 that imports the IntelvPro module.  Once this is done, type the following

Get-Command -Module IntelvPro

All of the cmdlets and functions will be listed.   The one needed for this example is Set-AMTAlarmClock.   To see an example of how this is used, type the following

Get-Help Set-AMTAlarmClock -examples

Try running a command or two based on the examples.


Step-by-Step Decipher of the Batch File

Now you are ready for the individual steps that were sequenced and piped together in the batch file.

  • Get the Intel AMT admin password secure string assigned to a variable

$amtcred = Get-AMTcredential

  • Get the list of computers and pipe into the command to be executed.   In the batch file example, the following was used

Get-Content computers.txt | Set-AMTAlarmClock -credential $amtcred -AlarmTime:2011-11-22T16:00:00 -Interval:00-02:00:00

Note: The Set-AMTAlarmClock command will need to be modified for your environment.   The AlarmTime value must designate a date and time in the future for the initial alarm.   More information is available in the vPSM user guide or via the on-screen help prompts.

To sequence the above individual steps via a single batch\cmd script, use a semicolon (;) to separate commands.   Plus, you will need to call powershell with a command sequence to execute.   In the example above, the batch file contains the following

powershell -command "& {$amtcred = read-amtcredential; Get-Content computers.txt | Set-AMTAlarmClock -credential $amtcred -AlarmTime:2011-11-22T16:00:00 -Interval:00-02:00:00}"
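
The note above says AlarmTime must be in the future, so a hard-coded date goes stale after the first run. The following script is an added example, not from the original article or the vPSM project: it computes the next future start time and checks the target list before calling the same cmdlets. It assumes the IntelvPro module is installed and a Digest credential was stored earlier; the parameter names $ComputerList and $StartHour and the host-name pattern are this example's own.

```powershell
# Added example: not from the original article or the vPSM project.
# Cmdlets and parameters (Read-AMTCredential, Set-AMTAlarmClock -credential,
# -AlarmTime, -Interval) are the ones shown in the article's batch file.
param(
    [string]$ComputerList = 'computers.txt',        # file name used in the article
    [ValidateRange(0, 23)][int]$StartHour = 16,     # 4pm local time, as in the article
    [string]$Interval = '00-02:00:00'               # article's value: repeat every 2 hours
)

Import-Module IntelvPro

# First alarm: today at $StartHour, or tomorrow if that time has already passed,
# so the value handed to Set-AMTAlarmClock is always in the future.
$first = (Get-Date).Date.AddHours($StartHour)
if ($first -le (Get-Date)) { $first = $first.AddDays(1) }
$alarmTime = $first.ToString('s')                   # e.g. 2011-11-22T16:00:00

# Load targets: trim whitespace, drop blank lines and duplicates.
$entries = @(Get-Content $ComputerList |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ } |
    Sort-Object -Unique)

# Assumed pattern for a plain host name or FQDN; anything else is skipped and reported.
$namePattern = '^[A-Za-z0-9]([A-Za-z0-9.-]{0,253}[A-Za-z0-9])?$'
$targets  = @($entries | Where-Object { $_ -match $namePattern })
$rejected = @($entries | Where-Object { $_ -notmatch $namePattern })

if ($rejected.Count -gt 0) {
    Write-Warning "Skipping malformed entries: $($rejected -join ', ')"
}
if ($targets.Count -eq 0) {
    throw "No valid target systems found in $ComputerList"
}

# Read the stored AMT credential, as the article's batch file does.
$amtcred = Read-AMTCredential

Write-Host "Requesting alarm $alarmTime (interval $Interval) on $($targets.Count) system(s)"
$targets | Set-AMTAlarmClock -credential $amtcred -AlarmTime:$alarmTime -Interval:$Interval
```

Saved as a .ps1 file, this can be called from the batch file with powershell -file in place of the -command one-liner.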

You are now ready to take advantage of a very compelling feature called PC Alarm Clock.   Even better - you now have the foundation to explore what else the vPSM offers. 


Concluding Thoughts

Now that you know the foundations of vPSM, I have a request for you.   How do you integrate a PowerShell script into a TaskServer job?  Can this be done for only a single client or a list of clients as defined when scheduling the job?

You may have noticed a slight delay during the Import-Module IntelvPro event caused by the modified profile.ps1.   The goal would be to avoid this delay.

Interested to hear success stories with PC Alarm Clock and how you choose to utilize vPSM in your environment.

 

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries