
Provisioning of Intel® vPro™ Technology, Part 5: Intel vPro Activator Utility

Created: 19 Jun 2008 • Updated: 24 Apr 2009 | 5 comments
Terry Cutler

The last few articles have highlighted Altiris-specific tools and approaches to initiate Intel® vPro™ provisioning in a post-deployment situation. This article focuses primarily on the Intel® vPro™ Activator Utility, which is the successor to the RCT.exe utility mentioned in a prior article by Joel Smith.

The latest version of the Intel® vPro™ Activator utility is available at http://www.intel.com/software/activator, with the download including a PDF document containing additional information specific to the utility. This article will highlight the core items, setup, usage, and troubleshooting aspects for production usage. Readers of this article should already have a base understanding of provisioning Intel® vPro™ or Intel® AMT systems within an Altiris environment.

Core Purpose, Requirements, and Considerations

When the Altiris OOB Task Agent, Delayed Provision, or default profile settings in Resource Synchronization cannot be used throughout an environment, an alternative approach is the Intel® vPro™ Activator Utility. The one key function that the Altiris Delayed Provision Task and agent perform and that Activator does not currently support is transitioning from ASF to AMT manageability mode.

If the ProvisionServer DNS record does not exist or a preferred Altiris Notification Server is to be targeted for provisioning of a specific Intel® vPro™ system, the Activator utility provides flexibility by directly specifying the target server. Development, multiple client facing Notification Server, or migration scenarios may present a valid reason to consider using the Activator utility.

The Activator utility is used primarily as a local client agent or script to initiate and direct provisioning events. It can also be used to specify the provision profile and Active Directory OU, change the manageability feature from None to AMT, synchronize the FQDN among the 3 primary entities (e.g. operating system, Intel® vPro™ firmware, and the provisioning service database), and so forth. When executing the utility, the associated DLLs included in the download must be registered or in the same directory for the utility to execute properly.

The utility requires that the HECI\MEI and LMS drivers for Intel® AMT are loaded on the client. These drivers and services allow for the agent to securely communicate through the operating system layer to the firmware.

Most of the features and functions of the utility require the Intel® vPro™ firmware to be in a setup state. This means that the system is not provisioned, yet is either remote configuration capable or the pre-shared keys have been entered.

Many of the utility's advanced features require the latest version of Intel® SCS to be installed on the target ProvisionServer, which may include versions of the setup and configuration service which are not officially supported by Altiris. The latest version supported by Altiris is Intel® SCS 3.2.1, as indicated in Altiris KB40076 at http://kb.altiris.com. It is recommended that Altiris KB40117 also be reviewed and applied to update the Real-Time Console Infrastructure in regards to Intel® AMT 2.2 and 2.6 clients. The latest version of Intel® SCS is posted at http://softwarecommunity.intel.com/articles/eng/10..., with version 3.3.1.4 shown at the time this article was written.

NOTE: If unsure what version of Intel® SCS is loaded on your system, check the AMTCONFIG service within the Microsoft Windows Services.
NOTE: Intel® SCS versions above 3.2.1 have not been tested nor validated with Altiris Out of Band Management. Upgrading to version 3.3 or higher may provide full capabilities such as the /f option for Intel® vPro™ Activator Utility, yet is done at the IT administrator's own risk.

For functions beyond initiating the hello packet sequence or transitioning to AMT enabled in the MEBx, the Activator requires a Configuration Client role to be defined. This role identifies a privileged domain account or group that must be used to run the utility from the Intel® vPro™ client. The Configuration Client role is used to access the AMTSCS_RCFG virtual web directory to apply updates to the profile assignments database tables or other events. This will require the Intel® vPro™ client to be joined to the target Microsoft Active Directory domain.

The Intel® vPro™ client MUST be able to resolve the DNS address of the target server's FQDN. In some cases, the ipconfig /flushdns and ipconfig /registerDNS commands may be needed to update the client's host operating system DNS cache and to register the current FQDN of the client into the dynamic DNS environment.

Initiating Hello Packets and Transitioning to AMT Mode

A prior Altiris Juice article highlighted the basic features of the Activator utility. The following command provides an example of reinitiating hello packets to the ProvisionServer DNS address, while transitioning to AMT mode, and directing the command output to the console. If the ProvisionServer DNS address is not presently in the target IT infrastructure environment, the command can specify the FQDN of the target Altiris Notification Server handling provisioning requests.

Activator.exe /s http://provisionserver.vprodemo.com/amtscs /t on /h /c

If successful, the output of this command will include a statement indicating the utility successfully sent the hello packets. Three hello packets will be sent. An exit code 7 is expected, as complete setup of the utility and environment was not performed.

The example script above could be modified to omit the /t on and /c options. They are shown only for example purposes, and their purpose is explained later in this article.

Preparing for Advanced Intel® vPro™ Activator Utility Usages

The advanced usages will require a Configuration Client user role to be defined for Intel® SCS. At the time this article was written, that user role was not available in the Altiris provisioning console (e.g. Out of Band Management > Configuration > Provisioning > Configuration Service Settings > Users). However, the Intel® SCS console which is included in the main download at http://softwarecommunity.intel.com/articles/eng/10... does include this option.

Once the ZIP file is downloaded, extract out AMTConsole.exe which is approximately 2.65MB in size. Run the executable to install the console. Once installed, start the Intel® SCS console and a window similar to the one below will be shown:

The Service Name desired is the same as the Service Location shown in the Altiris provisioning console (e.g. Out of Band Management > Configuration > Provisioning > Configuration Service Settings > Service Location). Once entered, the console will appear.

The following steps will add in the Domain Users group as the Configuration Client role. For example purposes only, this will allow any authenticated domain user to use the Intel® vPro™ Activator Utility to specify the configuration parameters at time of provisioning. For actual deployment environments, a different user or group can be selected based on the administrator's preference.

  1. Within the Intel® SCS Console, navigate to Configuration Service Settings > Users and Groups
  2. Within the Users and Groups windows, select Add to open the New User\Group window
  3. From the Role pull down, select Configuration Client
  4. For the User\Group Name, press Add
  5. On the Name Query entry, enter Domain User and click Find
  6. Select the entry in the Results pane which will be the Domain Users group and click OK
  7. After completing the previous steps, the following screen should appear.
  8. Accept the changes and return to the Intel® SCS console with the new settings.

Command Scripts to Specify Profile Assignments

The default approach to determine the profile assignments is via Resource Synchronization. As indicated previously, Intel® vPro™ Activator Utility can be used to directly specify these settings shown below when initiating the provisioning from the client. This allows greater control for environments wanting to use specific profiles and Microsoft Active Directory OUs based on the location, type, user, or other criteria of a particular Intel® vPro™ system in the environment. These settings are necessary to avoid Properties Script Failed or Missing Configuration Parameters type of errors in the provisioning logs, which is usually handled automatically by Resource Synchronization. Again - the goal here is to specify custom or preferred profile assignments on a client by client case.

When using the full potential of the Activator utility, the profile ID and Microsoft Active Directory OU must be specified. The following example command was executed locally on a client to get the Profile Assignment settings shown above:

Activator /s http://altiris.vprodemo.com/amtscs_rcfg /p 2 /o OU=AMTOU,DC=VPRODEMO,DC=COM /c /h

A few items to note in the above command:

  • The server address must specify whether HTTP or HTTPS is used. This is the same setting as shown in the Service Location of the Altiris provisioning console
  • The AMTSCS_RCFG must be specified to direct the configuration parameters to the correct virtual web directory
  • The number after /p determines the desired profile ID. Within the Altiris provisioning console, each of the Provision Profiles has a number or identifier associated
  • The value after /o determines the Microsoft Active Directory Organizational Unit to be used. In lab tests, if Integration with Active Directory had not been specified, this value still had to be defined, yet was not used in the actual provisioning sequence.
  • The /c specifies that output from the command be directed to the console. If not included, a TXT file will be created in the same directory as the Activator utility showing the output of the command.
  • The /h specifies that in addition to sending the configuration parameters, initiate the hello packets.

Additional options and command switches are referenced in the documentation of the Intel® vPro™ Activator Utility. The one command not supported by Intel® SCS version 3.2.1 is the /f to synchronize the FQDN value. That command requires SCS version 3.3 or higher. If the environment were updated to version 3.3 or higher, this would be at your own risk as any versions above 3.2.1 are not officially supported by Altiris at the time this article was written. An article posted by Joel Smith for updating of the FQDN provides a supported path within an Altiris environment.

Common Error Code and Resolutions

The full list of error or exit codes for the Intel® vPro™ Activator Utility is included on page 8 of the User guide included in the download. The codes most commonly seen in lab and production usage per the guidelines in this document, with their typical resolutions, include:

  • Exit Code 1: The system is already provisioned.
  • Exit Code 3: Ensure the HECI\MEI and LMS drivers are loaded. Check to ensure Intel® AMT is enabled via the system BIOS on select client platforms.
  • Exit Code 6: The user or group defined as Configuration Client role was not the logged in user at the time the Activator utility was executed.
  • Exit Code 7: If only initiating hello packets, this exit code is expected with success indicated in the output. Otherwise, check to ensure whether an HTTP or HTTPS value should be used, and the AMTConfig service is running on the target server.
  • Exit Code 8: Check the provisioning logs to determine what error or event was recorded by the AMTConfig service.
  • Exit Code 11: The /t on command is needed to transition the manageability feature to Intel® AMT
  • Exit Code 15: Intel® vPro™ systems which do not support remote configuration or that are being provisioned via pre-shared key may experience this error. If so, the PID value must be specified in the Activator command script. An example would be /d 4444444, where 4444-4444 is the PID.
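
The following PowerShell wrapper is an added example and is not part of the original article or of the Activator download. It checks the prerequisites described above before running the utility, then maps the exit code to the resolutions listed in this section. The install path, the LMS service name, and treating exit code 0 as success are assumptions; the server URL, profile ID and OU are the lab values used in this article.

```powershell
# Added example, not from the Activator package. Assumptions are marked.
param(
    [string]$ActivatorDir = 'C:\Tools\Activator',   # hypothetical install path
    [string]$ServiceUrl   = 'http://altiris.vprodemo.com/amtscs_rcfg',  # article's lab value
    [int]$ProfileId       = 2,                                          # article's lab value
    [string]$OU           = 'OU=AMTOU,DC=VPRODEMO,DC=COM',              # article's lab value
    [switch]$HelloOnly    # send hello packets only (no /p and /o)
)

# Resolutions for the exit codes listed in this article.
$resolution = @{
    1  = 'System is already provisioned.'
    3  = 'Load the HECI\MEI and LMS drivers; check that Intel AMT is enabled in the BIOS.'
    6  = 'Run as a user or group member that holds the Configuration Client role.'
    7  = 'Check HTTP vs. HTTPS in the URL and that AMTConfig is running on the server.'
    8  = 'Check the provisioning logs for the event recorded by AMTConfig.'
    11 = 'Add "/t on" to transition the manageability feature to Intel AMT.'
    15 = 'Specify the PID with /d (pre-shared key or no remote configuration).'
}

# Preflight: the requirements the article names, checked before the utility runs.
$uri = $null
$isAbsolute = [Uri]::TryCreate($ServiceUrl, [UriKind]::Absolute, [ref]$uri)
if ((-not $isAbsolute) -or ($uri.Scheme -notin 'http', 'https')) {
    throw "Server address must be a full http:// or https:// URL: $ServiceUrl"
}
if ((-not $HelloOnly) -and ($uri.AbsolutePath -notmatch '/amtscs_rcfg/?$')) {
    throw 'Profile assignments must target the AMTSCS_RCFG virtual directory.'
}
try { [void][System.Net.Dns]::GetHostEntry($uri.Host) }
catch { throw "Client cannot resolve $($uri.Host); try ipconfig /flushdns." }
$lms = Get-Service -Name 'LMS' -ErrorAction SilentlyContinue   # service name assumed
if ((-not $lms) -or ($lms.Status -ne 'Running')) { throw 'LMS service is not running.' }
if (-not (Get-ChildItem -Path $ActivatorDir -Filter '*.dll')) {
    Write-Warning 'No DLLs beside Activator.exe; they must be registered instead.'
}

# Build the same command lines the article shows, then run the utility.
$activatorArgs = @('/s', $ServiceUrl, '/h', '/c')
if (-not $HelloOnly) { $activatorArgs += @('/p', $ProfileId, '/o', $OU) }
& (Join-Path $ActivatorDir 'Activator.exe') @activatorArgs
$code = $LASTEXITCODE

if ($code -eq 0) {
    'Activator reported success.'   # 0 = success is an assumption
} elseif (($code -eq 7) -and $HelloOnly) {
    'Exit code 7 is expected for hello-only runs; confirm the output says the hello packets were sent.'
} elseif ($resolution.ContainsKey($code)) {
    "Exit code ${code}: $($resolution[$code])"
} else {
    "Exit code ${code}: see the exit code list in the Activator user guide."
}
exit $code
```

Run it as the account that holds the Configuration Client role; with -HelloOnly, pass the server address used for hello packets (the article's example uses the /amtscs path).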

Part 5 Summary

When the traditional Altiris tools and methods are unable to initiate the hello packets, the DNS record for ProvisionServer does not exist, or when the administrator wants to control the exact configuration parameters when initiating an Intel® vPro™ provisioning event - the Intel® vPro™ Activator Utility provides a capable command script option. Some of the advanced features of the utility require extra setup such as the Intel® SCS console, defining a Configuration Client role, and so forth. Some features require a higher version of Intel® SCS than presently supported by Altiris, although lab usage did not reveal any immediate issues. The Activator utility is a versatile tool in the deployment and provisioning of Intel® vPro™, and may be a welcome addition to the toolset of an IT administrator.

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries

Provisioning of Intel® vPro™ Technology, Part 4: Remotely Resetting the Provisioning State

Comments

Terry Cutler

In the article above, I provided a link for downloading vPro Activator. That will lead you to version 3.x of the vPro Activator. If you're using Altiris 6 which has SCS 3.x - that version will work for you.

However, if you're using Altiris 7 with SCS 5.x - you will want the newer\updated version of vPro Activator. Version 5.x of the utility is part of the complete SCS downloads at http://software.intel.com/en-us/articles/download-the-latest-version-of-intel-amt-setup-and-configuration-service-scs/. Look for SCS 5.x (at this posting, the latest is SCS 5.4.x). Download and extract the package. You'll find an Activator directory. Grab the activator.exe and DLL files in the directory - you do not need the source files (unless you want to modify and recompile activator... but do so at your own risk\responsibility).

areile

Hello Mr. Cutler

I am stuck in an environment where I will have to go manual with a USB key from machine to machine. The DNS / CName entry is just not an option for me. I really want to try and take advantage of this technology even though it will be a bit more painful this way. Is the information in this post still a valid way to set up in the 7.1 world with the Intel Activator?

Thank you in advance

Terry Cutler

Yes - a lot of new information and updates since this article was posted in 2009.

Does your reference to DNS\Cname refer to "ProvisionServer"? If so - I agree it is not an option and I strongly encourage you (and many others) NOT to use it. Send me a private message and I'll explain more if you need background\details.

In recent months, I have become a strong advocate in configuring Intel AMT first followed by integrating with Symantec\Altiris or other tools of choice. Take a look at http://www.symantec.com/connect/videos/part-1-configure-intel-amt-integrating-altiris. It is a 6 part video series. A recent comment on part 1 mentions Intel SCS 8 and the Intel SCS 8 Deployment guide available at http://www.intel.com/go/scs

Please review the SCS8 deployment guide - especially sections 3, 4, and 5. Discover what you have, select a single configuration method that works for your environment, and get Intel AMT to a base configuration. You are now in a functional state. The remaining sections of the document address maintenance and delta configuration options.

Hope that helps.

- TC

areile

Hello

Yes, I was referring to the DNS entry for the ProvisionServer above in my first post. My machines / organization are a member of a large domain of other organizations. I do not want to raise any red flags or cause trouble for the rest of the domain members with a project gone bad. That is the reason the manual process appeals to me.

I have reviewed several of your videos and they have helped me a lot. Thank you. I still have a couple to watch this week before I dive in any further. I do have a few questions.

Can I install and run Intel SCS 8.0 on the same server with my Symantec / Altiris 7.1?

If I choose to configure my machines manually do I still need to acquire a certificate for Intel SCS / Symantec OOB or can I use the Intel Activator? Are there any downsides to the certificate?

Are there any additional security risks or other potential network issues when using AMT? Sorry.. just trying to cover all my bases.

Thank you again!

Alan

Terry Cutler
  • Run SCS8 on Symantec\Altiris 7.1 server? Yes. They will be two separate applications.
  • If configuring manual, is certificate needed? No. Take a look at the Intel SCS 8 Deployment Guide (available via http://www.intel.com/go/scs). Section 4 and 5 discuss different configuration methods and "how-to". You only need ONE configuration method to get a base profile\setting into the Intel AMT firmware. You can adjust the configuration via Delta config options.
  • Additional security risks? That's a broad\open question ;) Once configured, Intel AMT is a service awaiting an authenticated and authorized request. Core nature\capability is secure out-of-band management. You have options to further enhance that security based on the configuration settings you choose. Start simple, add what you need. Please review the SCS8 deployment guide for more information.
