Using Intel's RCT Tool to Restart AMT 'Hello' Packets for Enterprise Provisioning
The key to provisioning Intel AMT systems for Enterprise Mode is the sending of 'hello' messages to a Provisioning Server. Altiris' Notification Server with Out of Band Management and the Intel SCS Component is one such Provisioning Server. The issue stems from the hello packets only being sent for 24 hours, or the IP address changing for the client system, or any number of other potential problems that disrupt this process. This document details a tool that can give you full control over the process.
By utilizing the Notification Server framework, specifically Software Delivery, the hello packet process can be fully controlled. This allows redundancy to make up for failed attempts to find a provision server. By default hello packets will only be transmitted during a 24-hour period. After that, the machine must be unplugged from power for the 24-hour sequence to repeat. The following potential issues can occur due to this methodology:
- IP Change: The IP address can change during the Provisioning process, preventing the Server from contacting the client
- No SCS Available: The client wasn't connected to the network properly during the time it transmitted the hello messages, so SCS never received them
- AMT unavailable: The client moves to another segment of the network and can't be contacted by the Provisioning Server that originally accepted the incoming hello message
- Multi SCS: In a multiple NS-Intel SCS environment provisioning is delayed, and the Provision Server that picks up the delayed provision request from the queue cannot reach the client
The RCT (Remote Configuration Tool) utility enables the hello packets to be resent. This can overcome all the issues detailed above. Note that the location to download the RCT tool is listed under the Software Delivery Package section.
This tool can be used in two ways. One is through Intel's AMT Console. The other is to use Software Delivery (or any other delivery mechanism) to deploy and execute the tool. While the tool does have multiple uses, in this case we're covering the ability to send hello packets to the Provision Server.
For Remote Configuration, it is recommended to use the Out of Band Task Agent to reinitiate the "hello" packet sequence using the 'Delayed Provisioning' policy.
For PID-PPS systems (TLS-PSK) this process is required to initiate the sequence as the technology does not have a mechanism to do it any other way at this point. The RCT tool does not truly restart the sequence within AMT, but mimics the sequence. See the following diagram for a graphical representation:
Command Line Arguments
The utility contains a number of command-line arguments for use in our scenario. They are listed below, including their applicability:
- /s <web address>: This specifies where to send the 'hello' packet to. It should be http://<servername>/amtscs, IE: http://jsserver/amtscs.
- /t on|off: For systems that may not have AMT enabled, this switch sets the AMT Manageability to 'on'. Since a system in this state will not have a PID and PPS set, this is only useful for a remote enabling of a system that uses Remote Configuration for provisioning, since enabling this will kick off the "hello" packet sequence.
- /h: This command line parameter causes the Utility to send a "Hello" packet to the SCS.
- /l: This switch is an extension of /h for the "hello" packet to specify the port on the Provision Server. The default is 9971, but if the listening port on the destination Provision Server is different from the standard, use this switch to specify it.
- /d <PID>: This switch is an extension of /h for the "hello" packet to provide the PID manually if the Intel AMT system does not allow the RCT tool to retrieve it locally. If a command line that does not specify the PID fails, try providing the correct PID for the system via this switch. The PID should have been preset on these systems during the Setup process.
To show the command line arguments in use, see this command line:
RCT.exe /s http://jsserver/amtscs /t on /h /l 9971 /d C78L-YRX9
For the RCT Tool to successfully deploy and execute its function, the following conditions must be met:
- The utility needs to be run under the System Account or full Administrator privileges
- AMT needs to be on and in Setup Mode for PSK "hello" packets to be generated
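An added example (not Intel's or Altiris' own code): a PowerShell wrapper that checks the conditions above, sends the hello with /s and /h, and retries with /d only when a PID was supplied and the first attempt failed. The switches are the ones listed on this page; the parameter names, the TCP reachability check and accepting exit codes 0 and 6 (the values the package step below enters) are assumptions.

```powershell
# Added example. Switches /s /h /l /d are those documented on this page;
# parameter names, paths and exit-code handling are assumptions.
param(
    [string]$RctPath = 'C:\Tools\RCT.exe',        # package folder used on this page
    [string]$ScsUrl  = 'http://jsserver/amtscs',  # the page's sample server
    [int]$Port       = 9971,                      # default hello port per the page
    [string]$AmtPid  = '',                        # optional fallback PID (XXXX-XXXX)
    [int[]]$OkCodes  = @(0, 6)                    # codes the package step lists
)

function Test-Elevated {
    # True for the System account and for elevated Administrators.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-TcpPort([string]$HostName, [int]$PortNumber) {
    # Assumes the provisioning listener accepts TCP connections.
    $client = New-Object System.Net.Sockets.TcpClient
    try     { return $client.ConnectAsync($HostName, $PortNumber).Wait(3000) }
    catch   { return $false }
    finally { $client.Close() }
}

function Invoke-Rct([string[]]$RctArgs) {
    & $RctPath @RctArgs | Out-Null
    return $LASTEXITCODE
}

if (-not (Test-Elevated))      { Write-Error 'Run as System or full Administrator.'; exit 1 }
if (-not (Test-Path $RctPath)) { Write-Error "RCT.exe not found at $RctPath"; exit 1 }
if ($AmtPid -and $AmtPid -notmatch '^[0-9A-Za-z]{4}-[0-9A-Za-z]{4}$') {
    Write-Error 'PID is not in XXXX-XXXX form.'; exit 1
}
$server = ([Uri]$ScsUrl).Host
if (-not (Test-TcpPort $server $Port)) {
    Write-Error "Provisioning server $server is not reachable on port $Port."; exit 2
}

$base = @('/s', $ScsUrl, '/h', '/l', "$Port")
$code = Invoke-Rct $base
if ($OkCodes -notcontains $code -and $AmtPid) {
    # First attempt did not return an accepted code: retry with the supplied PID.
    $code = Invoke-Rct ($base + @('/d', $AmtPid))
}
exit $code
```

The script passes RCT's own exit code back to the caller, so the delivery mechanism's success-code setting still decides the outcome.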
Altiris Agent Delivery
The Altiris Agent can be used, via Software Delivery Solution, to distribute and execute the tool. The following items need to be completed to create the process. Please note the suggestions in the Targeting and Scheduling section for methods of implementation.
Software Delivery Package
Use the following steps to properly create and configure the RCT Package and execution environment.
- Download the RCT Tool from the following location:
- Create a folder on the local NS or use another Package Location as per your environment, IE: C:\Tools\, and extract and place RCT.exe into that location.
- In the Altiris Console, go to View > Solutions > Software Delivery > Packages > right-click on Windows > choose New > Software Delivery Package.
- Choose an appropriate Name for the Package, IE: RCT Tool.
- Under Package Source, choose the appropriate option for where you put the package, and either browse or put in the location details, IE: Access package from a local directory on the NS computer; C:\Tools\.
- Click on the 'Programs' tab.
- Click the 'New' button to create a new Program.
- Give it an appropriate Name, IE: Resend Hello Packets.
- Provide an appropriate command line for your environment, IE:
RCT.exe /s http://jsserver/amtscs /h /d C78L-YRX9
RCT.exe /s http://jsserver/amtscs /h
- Sometimes the simplest command line is the best place to start. By just using the /s and /h switches, we've instructed the utility to access AMT and generate a "hello" packet for it to send out on the wire.
- Under Error Codes, add a comma and six, IE: 0, 6
- Choose the execution options as follows:
  - Starting Window: Hidden
  - Run with rights: System Account
  - Program can run: Whether or not a user is logged on
  - Check the box: User Input Required (This will load a fuller user stack, but will not show the execution since we've chosen 'hidden' as the starting window)
- Click 'Apply', and then click 'Update Distribution Points'.
Targeting and Scheduling
As part of the Task, a Collection and Schedule must be selected. While a collection can be based on any criteria, using the Out of Band data from Out of Band Discovery or a Resource Synchronization can help target just those systems that are not Provisioned.
None of the default collections will serve to properly contain systems that are AMT capable but not Provisioned. For example the 'Non-Provisioned Intel® AMT Computers' collection is based on SCS having received a "hello" packet from a system but the system remaining in a 'non-provisioned' state.
For our purposes, I've cloned the collection 'All Intel® AMT Capable Computers' and added criteria that IDE Redirect is not active, pulled from Out of Band Discovery data. This collection can be imported into the Notification Server. The XML file is attached to this article.
Scheduling depends on the environment. By default when the Task is created the schedule will be set to ASAP. This works for an environment where we're only looking for a few systems and expect one retry attempt to succeed, but if the issue is more widespread it is recommended to use a recurring schedule. See the following recommendations as per the circumstance:
- IP Change: The run ASAP option should suffice, as by the time the Altiris Agent gets the job and runs it, the IP lease should be stable enough.
- No SCS Available: The run ASAP option should suffice, as by the time the Altiris Agent gets the job the SCS should be reachable (it is the NS after all).
- AMT unavailable: Same as No SCS Available.
- Multi SCS: This is the tricky one. A recurring schedule should be set to coincide with the time an OOB Discovery is run. These two tasks work in tandem to get the "hello" packet to the right SCS Server.
For the last option, use the following steps:
- In the Altiris Console, browse under View > Solutions > Out of Band Management > Configuration > Out of Band Discovery > select the Out of Band Discovery policy.
- Enable the policy if it is not enabled.
- Check the 'Schedule' box and set it to run every day or even twice daily (click on the schedule link to see all options). This schedule should match the schedule set for the Software Delivery Task as defined in the next section.
Software Delivery Task
Use the following steps to properly create and configure the RCT Task to target, schedule, and execute the tool.
- In the Altiris Console, go to View > Solutions > Software Delivery > Tasks > Windows > right-click on Software Delivery Tasks > and choose New > Software Delivery Task.
- Check the 'Enable' checkbox.
- Provide a Name for the Task, IE: Restart AMT Hello Packets.
- Select the Package you created earlier.
- Select the Program you defined previously.
- Select the Collection desired, or as provided by this article.
- Set the schedule as needed according to the Targeting and Scheduling section.
- Click Apply to save the changes.
Using the RCT tool will allow us to simulate the Hello packet and cause those systems stuck in Setup Mode for whatever reason to fully provision. This allows us to pull systems out of Setup limbo and get them activated for use within the Altiris infrastructure.