Provisioning of Intel® vPro™ Technology, Part 2: Determining What Systems are Intel® AMT and Remote Configuration Capable
If Intel® vPro™ labeled systems, or systems having the Intel® AMT capability, have already been deployed into the environment, yet not provisioned - how are you to know what systems have the functional capability within your environment? An asset or system inventory routine may not reveal this information, and a manual walk around or mass email distribution isn't going to help much either. To make the situation a little more difficult and real-world, many OEMs have very similar system names and branding. Plus - not all Intel® AMT capable systems may necessarily be labeled with an Intel® vPro™ logo. Does this sound like an environment you are currently supporting?
Network Discovery May Not Find Intel® AMT Systems
The Altiris Network Discovery has an Advanced option to discover systems with Intel® AMT functionality. Network discoveries may be intrusive to the network and security infrastructure of a production environment - thus use this option with caution.
Similar to other tools and mechanisms to query an Intel® vPro™ or Intel® AMT system, a key reminder is that until the system is in a configured and operational state (e.g. provisioned), the network interface is not ready to authenticate and process requests. In addition, depending on the configuration or provisioning method used (see http://www.symantec.com/connect/node/4480), the settings within Network Discovery will need to be modified.
Using the named methods in the above linked article, a "Basic" or "Standard" provisioning will utilize the "Small Business" mode settings in Network Discovery. An "Advanced" provisioning method with TLS and Kerberos will require the "Enterprise" mode. The following example shows the advanced setting of a network scan set to find all systems in "Small Business" mode, using network port 16992 to determine whether systems in the defined scope are Intel® AMT capable.
Again - until the systems are in a provisioned and configured state, Network Discovery may do little to determine if a system is Intel® AMT capable.
Enabling OOB Discovery and OOB Task Agent
The preferred method is to install the Altiris NS agent on client systems, and utilize the OOB Discovery process to query locally on the client whether the system has OOB Capabilities. This process will work whether or not Intel® AMT has been provisioned or configured on the client. Information from the OOB Discovery process is updated in the Altiris CMDB table Inv_OOB_Capability.
Enabling of OOB Discovery is simple. The core challenge often experienced is ensuring the task schedule and target collection are set appropriately for the environment. The following image provides a summary on how to access and enable. Using an Altiris 6.5 Console, select View > Solutions > Out of Band Management. Once the screen refreshes, navigate to Configuration > Out of Band Discovery.
Again - the OOB Discovery utilizes an existing Altiris agent installation to locally discover the system's OOB capabilities. Both ASF and Intel AMT capabilities will be discovered. If the Altiris agent installation is presenting difficulties in your environment, one idea is an agent installation script referenced at http://www.symantec.com/connect/node/4082.
Just below the OOB Discovery option is the Out of Band Task Agent. If planning to use Remote Configuration, this option should be enabled. Target systems will receive the OOB Task Agent and Delayed Provisioning agent. The screenshot below provides an example of enabling the install.
The next screenshot shows the agents deployed onto a Microsoft Vista client, as found under the Altiris Agent Details.
In connection with the previously posted materials at http://www.symantec.com/connect/node/1621, the OOB Discovery and OOB Task Agent will update collections to quickly locate what systems are Intel® AMT capable and so forth.
The following image shows one example of systems that are Remote Configuration capable, based on the OOB Discovery and OOB Task Agent processes.
By double clicking on one of the target systems, the Real-Time Console is opened. Within the Inventory tab, additional information will be shown for that system based on the Inv_OOB_Capability and Inv_OOB_ZTC_State tables within the Altiris CMDB.
The following screenshot provides an example of the Inventory for OOB Capability:
The next screenshot shows OOB ZTC state. Note: The exact Intel® AMT version is shown.
Responsiveness of the OOB Discovery Process
In some cases, the schedule for OOB Discovery and OOB Task Agent may need to be adjusted. In addition, the priority level of the event may not be sufficient for desirable response in a high volume Altiris NS Server environment. Per discussions with associates across companies, the common response is 80% saturation and response from the OOB Discovery within 48 hours. The communications are fairly light, and in many cases the response will be received in 24 hours or less. This assumes a number of factors - target client systems are powered on, last time the Altiris NS client agent connected, number of managed nodes, present load on the Altiris NS server, client configuration interval, inventory task interval, queued tasks or jobs for the Altiris agent, and so forth.
Generally speaking - The priority of a task with Altiris NS Server can be elevated either via the graphical interface, or by modifying the task configuration via an export\import process provided below. As might be expected, changing priority levels on one task will affect other items at similar or lower priorities.
In checking the OOB Discovery and OOB Task Agent, a GUI option to increase the priority level was not apparent. Although not tested and validated for this article, another method mentioned to modify the priority level is:
- Obtain and XML file editor that preserves the XML formatting (e.g. http://www.crimsoneditor.com)
- Right click on the Task and Choose "Export"
- Search for "Priority"
- Change the number according to the preferred priority level. Tasks often have a default value of Normal which a is "2" priority. "1" is the lowest and "4" is the highest.
- Save the changes and import the XML file to the same Task setting to overwrite.
More examples and related information at https://kb.altiris.com/article.asp?article=28926&p=1
Other Tools and Methods to Determine the Exact Intel® AMT versions?
All of the above information focuses on using the existing Altiris environment and utilities. In some cases, deployment of the Altiris agent may not be allowed or not yet accomplished. For these situations, two additional options have been used in some environments:
- Use the MEInfowin.exe utility - This utility is not distributed independently, yet can be obtained via firmware downloads. One example mentioned at http://communities.intel.com/message/3649.
- Get a single system configured using a manual provisioning method. Login to the Intel WebUI by accessing the system's network interface. This is done via a separate client, opening an internet browser and entering the FQDN address with port 16992 specified. See the following example:
This will access the WebUI which is enabled during a manual provisioning process. Once logged into the client, the summary screen includes the exact Intel® AMT version, as shown in the following example:
Of course - if configuring a single system to determine the Intel® AMT version, the idea of "remotely" determining this data is effectively invalidated. Similarly, accessing the MEBx to try and determine the information requires a physical touch to the system with a good chance that the MEBx version will not directly reflect the true Intel® AMT version on the system.
Part 2 Summary:
Having previously deployed systems presents a problem in determining what BIOS, firmware, and OOB capability are present. A variety of tools and methods exist to discovery systems with OOB capability. Using the Altiris NS agent, OOB Discovery, and OOB Task Agent are the preferred method. When accomplished, the dynamic collections for provisioning within the Altiris Out of Band Management interface will be updated. These collections can be used to target system for updates, provisioning events, and so forth.
The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries.