Intel,Altiris Group

Optimal Client Environment for Intel vPro Provisioning 

Apr 30, 2008 01:59 PM

In setting up a number of training and lab environments, along with advising others on production deployments, a collection of thoughts and tools has come together relating to the optimal client environment for provisioning Intel® vPro™ using Altiris Client Management Suite.

With an Altiris Out-of-Band Management environment installed, the latest updates applied from the Altiris Solutions Center, and the Intel® vPro™ provisioning service configured and ready to start configuring clients - what else is needed to make the provisioning process run smoothly?

For those new to Intel® vPro™ provisioning in an Altiris environment, or having difficulties in getting the service to work properly, the following articles and associated resources may be of interest.

In addition, a few Altiris Knowledge Base (KB) articles reference some updates that may be of interest for the environment. At the time of this article, these updates were obtained separately and were not included in the Solutions Center update list. Access to the Altiris KB is available at http://kb.altiris.com. Do a search for the following updates - although not immediately required, they may address some advanced challenges you are facing in the environment.

  • 38437 - Allowing for more than 16 characters in the Real Time Console AMT profile
  • 40076 - Update of the Intel® SCS service to version 3.2.1.2.0
  • 40117 - Update for Intel AMT 2.6 provisioning and inventory

An optimal situation for the provisioning or configuration of Intel® vPro™ in an Altiris environment includes the items below. This assumes that the provisioning service has been installed, configured, and validated by successfully provisioning at least one client. The minor tweaks below will help to automate and enhance the Intel® vPro™ provisioning process:

  • Altiris Console
    • Altiris OOB Discovery has been enabled
    • Resource Synchronization is enabled with the preferred provisioning profile (required) and Active Directory OU (only if Active Directory integration has been enabled)
  • Intel® vPro™ Client
    • Joined to the target domain with an established FQDN
    • The Altiris Notification Server Client Agent has been installed
    • The latest system BIOS, Intel® AMT firmware, and associated Intel® AMT drivers\software have been installed on the client (e.g. MEI, LMS-SoL, and UNS)
    • Use of the Altiris OOBTaskAgent or the Intel Activator Utility to initiate, reinitiate, or direct hello packets. In addition, if the management engine is set to "none" on the platform, these utilities can be used to change to Intel® AMT.

In wanting to force certain events to occur on my own schedule instead of waiting a mere 15 minutes, and to avoid repetitive manual steps, I got to thinking - "Surely there must be a way to script or automate this" - with respect to preparing the clients for an optimal provisioning experience. Typically, the client systems I worked with were not joined to the domain, did not have the Altiris agent installed (or the agent was pointing to the wrong Notification Server), and had been on the network long enough that the provisioning hello packets had ceased. Thus my challenge: get a system joined to the domain, get the Altiris Notification Server client installed, and start the provisioning process - on my schedule and at my command. Many out there likely have ideas on how they would - and do every day - accomplish this. Here's the path I chose and plan to use in more demonstration and lab setups going forward.

Join the Client to a Target Microsoft NT Domain

A quick search on the Internet found several results and ideas on how to script this trivial task. The script I used is provided below for reference, with the understanding that my target domain is "vprodemo.com" with a defined and authorized account to perform the operation. Something quick and simple to add to a client build process is the following JoinDomain.vbs example:

' JoinDomain.vbs - join the local computer to a domain via the WMI method
' Win32_ComputerSystem.JoinDomainOrWorkgroup. Run with cscript as a local
' administrator; a reboot is required for the join to take effect.
Option Explicit

Const JOIN_DOMAIN = 1
Const ACCT_CREATE = 2
Const ACCT_DELETE = 4
Const WIN9X_UPGRADE = 16
Const DOMAIN_JOIN_IF_JOINED = 32
Const JOIN_UNSECURE = 64
Const MACHINE_PASSWORD_PASSED = 128
Const DEFERRED_SPN_SET = 256
Const INSTALL_INVOCATION = 262144

Dim strDomain, strPassword, strUser, strComputer
Dim objNetwork, objComputer, ReturnValue

strDomain = "vProDemo.com"
' NOTE: a plaintext domain credential in a script copied to every client is a
' risk. Use an account delegated only the right to create computer objects in
' the target OU, never the domain Administrator account.
strPassword = "P@ssw0rd"
strUser = "administrator"

Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName

Set objComputer = GetObject("winmgmts:{impersonationLevel=Impersonate}!\\" & _
  strComputer & "\root\cimv2:Win32_ComputerSystem.Name='" & _
    strComputer & "'")

' Arguments: domain, password, DOMAIN\user, OU path (Null = default Computers
' container), join flags. ACCT_CREATE creates the computer account if missing.
ReturnValue = objComputer.JoinDomainOrWorkgroup(strDomain, _
  strPassword, strDomain & "\" & strUser, Null, _
    JOIN_DOMAIN + ACCT_CREATE)

' 0 = success; anything else is a Win32 error code (5 = access denied,
' 1326 = bad user name or password). Surface it rather than failing silently.
If ReturnValue = 0 Then
  WScript.Echo "Joined " & strComputer & " to " & strDomain & "; reboot required."
Else
  WScript.Echo "Domain join failed with error " & ReturnValue
End If
WScript.Quit ReturnValue


Install the Altiris Notification Server Client

With the client joined to the domain, using a push or pull method with the Altiris Notification Server may be sufficient to get the client agent installed. What if the domain of the server is different from the domain of the client, preventing domain-based credentials or access? What if WMI is not supported in the infrastructure or on the client? What if the administrator or technician "fat fingered" the address when attempting a pull install from http://<Altiris server>/Altiris/NS/Agent/AltirisAgentDownload.aspx? Too many chances for human error - sounds like a script would be helpful here.

What if during the client build process, the Altiris NS Agent installation file were copied locally to the client? The AexNSAgent.exe file is available at the NScap fileshare - \\<Altiris NS Server>\NScap\Bin\Win32\X86\NS Client Package.

After joining the client to the domain, the following command will silently install the Altiris NS Agent with an assignment to the target Altiris NS Server.

AexNSAgent.exe -s -a -ns=Altiris.vprodemo.com /s 

Replace the Altiris.vprodemo.com portion with the correct fully-qualified domain name of your target Altiris NS Server. For those good at scripting - adding a variable to that portion for passing your preferred value could also be used.

Latest Client System BIOS and Drivers with Intel AMT Enabled

With the Altiris or other management agents installed, this task becomes a little easier, especially when systems have already been deployed into the environment. HP and Dell both have client management suites that plug into Altiris, providing handy tools and capabilities to update and manage the clients ONCE the supporting management agent is installed. Additionally, HP and Lenovo (and perhaps other OEMs) have BIOS configuration utilities for situations where the system BIOS has Intel® AMT disabled or other settings need to be changed.

Including a list of BIOS, firmware, or driver updates in the client build is another option to get through this step, using silent install methods and processes and so forth. During the client staging or deployment process, possibly before the management agents have been installed, these base updates could also be applied.

Activator Utility - Enabling Intel® AMT and Initiating Hello Packets

If an Intel® vPro™ system is remote configuration capable or has provisioning keys already installed in the management firmware, then the system is in a "setup" state and looking to resolve a DNS entry for ProvisionServer in the DNS domain identified by DHCP option 15. That statement makes a few assumptions: that the environment supplies DHCP option 15 with the correct setting, that only one client-facing Altiris Notification Server with Altiris OOBM exists in the environment, and that a DNS entry exists for ProvisionServer mapping to the IP address of the target Altiris server. In many cases these assumptions will not be an issue. However, a few additional caveats might interfere with your provisioning experience.

First - the hello packets are what initiate the provisioning process from the client side, and a system in the "setup" configuration state sends them only for a limited window (a few hours), even when it is able to resolve the ProvisionServer address. After that window it stops sending them until the system is fully power cycled.

Second - In some client implementations, the management feature is set to "None" in the management engine BIOS extension (MEBx). In the past, changing that setting required accessing the MEBx locally on every client... not a very compelling use of an individual's time.

The Intel® vPro™ Activator Utility (http://www.intel.com/software/activator) is one method, and is a newer version of the same utility previously referred to as RCT.exe (see the Altiris Juice article - http://www.symantec.com/connect/node/3612). It requires the HECI (Management Engine Interface) driver to be loaded and up to date on the client, and must be executed with administrative privileges on the local client. The command below uses the "lite" mode of the utility, which does not require a domain-privileged account to be specified for the provisioning service. The following example is provided for your reference:

Activator /s http://ProvisionServer.vprodemo.com/amtscs /h /t on /c

The command as stated above will do the following:

  • Send the hello packets to the address that ProvisionServer.vprodemo.com resolves to. For environments using SSL on the AMTSCS virtual web directory, adjust the command to use https:// instead of http://.
  • The /h switch restarts the hello packet sequence ONLY if the system is already in the "setup" configuration state.
  • The /t on switch transitions the manageability mode from None to Intel AMT.
  • The /c switch redirects the output of the Activator utility to the console. If it is not included, a text file is created in the same directory as the utility with the client's FQDN as the filename. If you have used the Activator utility, you will notice that the output includes the Intel AMT firmware version and other data points that, if captured, may help in troubleshooting.

A key item to note is that this utility does not require the ProvisionServer DNS entry. The utility simply needs to resolve the IP address of the target server that is to receive the hello packets. The ProvisionServer DNS entry provides a nice option to resolve that address automatically, and helps in automating the provisioning process. However, for environments with multiple client-facing Altiris Notification Servers in the role of "ProvisionServer", there are additional considerations to be made. For more information on such environments, please refer to this article.
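As an added check (not part of the original article), the following PowerShell script verifies the assumptions above from the client's point of view: it reads the DNS domain the client received via DHCP option 15, resolves ProvisionServer in that domain, compares the result with the address of the Notification Server you expect, and tests a TCP connection to port 9971, the port on which the provisioning server listens for Intel AMT hello packets. The port number is not mentioned in the article; the expected server name and everything else is an assumption for the example.

```powershell
# Added example (not from the article): check the ProvisionServer assumptions from a client.
# Assumed values: the expected Notification Server name below and TCP 9971 as the port on
# which the provisioning server listens for Intel AMT hello packets (not stated in the article).
param(
    [string]$ExpectedServer = "altiris.vprodemo.com",
    [int]$HelloPort = 9971
)

# 1. DHCP option 15 arrives as the DNS domain on the DHCP-enabled, IP-enabled adapter.
$nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
       Where-Object { $_.DHCPEnabled -and $_.DNSDomain } | Select-Object -First 1
if (-not $nic) { Write-Warning "No DHCP-enabled adapter with a DNS domain (option 15)"; exit 1 }
$suffix = $nic.DNSDomain
Write-Host "DHCP DNS domain (option 15): $suffix"

# 2. The firmware looks up ProvisionServer.<that suffix>; resolve it the same way.
$psName = "ProvisionServer.$suffix"
try {
    $psAddrs = @([System.Net.Dns]::GetHostAddresses($psName) | ForEach-Object { $_.IPAddressToString })
} catch {
    Write-Warning "$psName does not resolve: $($_.Exception.Message)"; exit 1
}
Write-Host "$psName -> $($psAddrs -join ', ')"
if ($psAddrs.Count -gt 1) {
    Write-Warning "ProvisionServer has $($psAddrs.Count) A records; with several client-facing NS servers, hello packets may reach one without OOBM"
}

# 3. Compare with the Notification Server that actually runs the provisioning service.
$nsAddrs = @([System.Net.Dns]::GetHostAddresses($ExpectedServer) | ForEach-Object { $_.IPAddressToString })
$overlap = @($psAddrs | Where-Object { $nsAddrs -contains $_ })
if ($overlap.Count -eq 0) {
    Write-Warning "ProvisionServer ($($psAddrs -join ', ')) does not match $ExpectedServer ($($nsAddrs -join ', '))"
    exit 1
}

# 4. Confirm the hello-packet port is reachable; a firewall between the client VLAN and the
#    NS is a common reason a "setup"-state system never provisions.
foreach ($ip in $overlap) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $tcp.BeginConnect($ip, $HelloPort, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne(3000) -and $tcp.Connected) {
            Write-Host "TCP ${ip}:$HelloPort reachable from this client"
        } else {
            Write-Warning "TCP ${ip}:$HelloPort not reachable within 3 s"
        }
    } catch {
        Write-Warning "TCP ${ip}:$HelloPort connect error: $($_.Exception.Message)"
    } finally {
        $tcp.Close()
    }
}
```

Run it on a client that sits on the same VLAN as the systems you are provisioning, since that is where the firmware's own lookup and connection originate. A non-zero exit code points at the assumption that failed (no option 15, no or wrong ProvisionServer record, or a blocked port) before any time is spent on the client-side tooling below.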

With the Activator.exe utility locally on the client, the command could be executed via a script, Altiris TaskServer job, or other methods. In one interesting situation, an environment wanted to locally determine the Altiris NS Server address used by the agent for the Activator.exe utility. The following is a shortened version of the VBscript used.

Option Explicit
Dim oShell, sValue, iRc

Set oShell = WScript.CreateObject("WScript.Shell")
' Read the Notification Server name recorded by the Altiris agent
' (a 32-bit agent on 64-bit Windows writes under SOFTWARE\Wow6432Node\Altiris instead).
sValue = oShell.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris Agent\Servers\")

' No space between http:// and the server name; run via the Shell object and wait,
' so the Activator exit code can be passed back to the calling batch file.
iRc = oShell.Run("""C:\activator.exe"" /s http://" & sValue & "/amtscs /h /t on", 1, True)
WScript.Quit iRc

The Intel® vPro™ Activator Utility has more advanced functions such as directly specifying the provisioning profile, synchronizing the FQDN of the host operating system to the Intel® vPro™ firmware, and other functions. These advanced capabilities have a few additional prerequisites and considerations that are not covered in this article.

Altiris OOBTask Agent - Enabling Intel® AMT and Initiating Hello Packets

The Altiris Out-of-Band Task Agent performs a function similar to the Activator utility mentioned above, in connection with the Delayed Provisioning setting. The Delayed Provisioning setting is specific to Remote Configuration capable systems, and the OOB Task Agent requires the base Altiris NS Agent to be installed. The following image shows where to enable the Altiris OOB Task Agent.

Once enabled and installed on the Intel® vPro™ client systems, the schedule of the Delayed Provisioning configuration will indicate when to initiate the provisioning process and to which collection this applies. The following image provides an example.

My personal preference is the Intel® vPro™ Activator Utility - since I have a little more control over when, where, what, and so forth. Plus, the Activator utility works with pre-shared key (e.g. PID\PPS) or remote configuration systems.

Miscellaneous Items to Assist Client Preparations

The previous tidbits provide a number of helpful and powerful options for ensuring an optimal environment for client provisioning. Some concluding tidbits may be of interest - and again, may already be known by many reading this article.

In the final batch file used to process the above items, a system reboot will likely be needed - especially after joining the client to the domain. The shutdown -r command performs a graceful reboot of the client from the script, with similar options and utilities available via the Altiris agent, WMI, and so forth. The other options of the Microsoft Windows shutdown command are listed if it is run from a command prompt with no parameters or arguments.

In environments where the Altiris agent is already installed yet pointing to the wrong Altiris NS Server, use of the AexAgentUtil.exe may be useful. The full list of options is shown if /? is used in the command. The following example is provided as a reference to direct the Altiris NS agent to the server Altiris.vprodemo.com.

"c:\program files\Altiris\Altiris Agent\AexAgentUtil.exe" /Server=altiris.vprodemo.com /web=http://altiris.vprodemo.com/Altiris

Lastly, if the demonstration environment needs to be reset, one of the items you may want to do is remove the Altiris agent from the client system. In a cleanup batch file, the following command might be useful.

"c:\program files\Altiris\Altiris Agent\Aexnsagent.exe" /uninstall

Putting It All Together

The following example is a batch file (e.g. clientpreps.cmd) I use on the Altiris NScap share with a pre-populated folder which contains the necessary files to be copied down to the client. The core files include AexNSagent.exe, Activator.exe with supporting DLL files, and VBscript files as mentioned above. As scripting is not a daily chore for me, there is no doubt there are better ideas out there - please share as needed.

REM clientpreps.cmd - used to optimize an Intel vPro client for provisioning enablement

REM map a drive to the NScap share of Altiris.vprodemo.com
REM (a plaintext administrator password in a batch file on a share is a risk; prefer a
REM  read-only share account, or "net use z: \\altiris.vprodemo.com\nscap /User:vprodemo\account *" to be prompted)
net use z: \\altiris.vprodemo.com\nscap /User:administrator P@ssw0rd

REM create a local directory on the client to copy files for local execution
md c:\vProClientPreps
xcopy z:\vProClientPreps\*.* c:\vProClientPreps\ /e /y
net use z: /delete

REM join the client to the domain, install the Altiris agent, initiate provisioning
REM (the same three commands shown earlier in this article, run from the local copy)
cscript //nologo c:\vProClientPreps\JoinDomain.vbs
c:\vProClientPreps\AexNSAgent.exe -s -a -ns=Altiris.vprodemo.com /s
c:\vProClientPreps\Activator /s http://ProvisionServer.vprodemo.com/amtscs /h /t on /c

REM reboot to complete the domain join
shutdown -r -t 30
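As an added example (not the article's own batch file, and not code from Altiris or Intel), here is the same sequence in PowerShell 3.0 or later. It differs from the batch file in the points a security reviewer would raise against it and against the JoinDomain.vbs script above: the credential is prompted at run time rather than stored in a file on the share that every client can read, an OU path is given so a delegated join account (not Domain Admins) can be used, each step's exit code is checked instead of silently continuing, and the reboot happens once at the end. The server, share, OU and directory names are assumptions for the example; the AexNSAgent and Activator switches are the ones shown earlier in the article.

```powershell
# Added example (not the article's batch file): the same client preparation in
# PowerShell 3.0 or later, with the credential prompted rather than stored on the share,
# an OU path so a delegated join account can be used, exit codes checked, and one reboot.
# Server, share, OU and directory names are assumptions for this example.
param(
    [string]$NsServer = "altiris.vprodemo.com",
    [string]$Domain   = "vprodemo.com",
    [string]$OUPath   = "OU=vPro Clients,DC=vprodemo,DC=com",
    [string]$ShareDir = "\\altiris.vprodemo.com\nscap\vProClientPreps",
    [string]$LocalDir = "C:\vProClientPreps"
)
$ErrorActionPreference = "Stop"

# One credential, prompted at run time and never written to disk. Delegate this account
# only "Create Computer objects" on $OUPath instead of using Domain Admins.
$cred = Get-Credential -Message "Account allowed to join computers to $Domain"

# Map the share with that credential (PowerShell 3.0+ supports -Credential for FileSystem),
# copy the kit locally, and drop the mapping again.
New-PSDrive -Name Z -PSProvider FileSystem -Root $ShareDir -Credential $cred | Out-Null
try {
    New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null
    Copy-Item -Path "Z:\*" -Destination $LocalDir -Recurse -Force
} finally {
    Remove-PSDrive -Name Z
}

# Run a local executable and stop on a non-zero exit code instead of silently continuing.
function Invoke-Step {
    param([string]$Name, [string]$Exe, [string[]]$Arguments)
    Write-Host "== $Name"
    $p = Start-Process -FilePath $Exe -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "$Name failed with exit code $($p.ExitCode)" }
}

# 1. Join the domain into the intended OU (takes effect after the reboot at the end).
Add-Computer -DomainName $Domain -OUPath $OUPath -Credential $cred

# 2. Install the Altiris NS agent pointed at the right server (switches as in the article).
Invoke-Step "Altiris agent install" "$LocalDir\AexNSAgent.exe" @("-s", "-a", "-ns=$NsServer", "/s")

# 3. Restart hello packets and switch the MEBx from None to Intel AMT; /c keeps output on the console.
Invoke-Step "Intel Activator" "$LocalDir\Activator.exe" @("/s", "http://$NsServer/amtscs", "/h", "/t", "on", "/c")

# 4. Reboot once, after all steps have succeeded.
Restart-Computer -Force
```

Run it from an elevated PowerShell prompt on the client. Because Get-Credential prompts, the script is interactive; that is the deliberate trade-off against the batch file, where the same password sits on the NScap share readable by every client that maps it.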

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries.

Comments

Jun 06, 2008 03:36 PM

Forgot to mention script I'm using

netdom join %COMPUTERNAME% /Domain:vprodemo.com /UserD:administrator /PasswordD:P@ssw0rd

This will grab the existing COMPUTERNAME variable from the Windows OS, joining the system to the vprodemo.com domain using the administrator account

May 28, 2008 08:43 PM

A good friend\associate pointed out that the JoinDomainOrWorkgroup VBScript call is a "bindless join". What this means is the script doesn't always work - and I've experienced that occasionally. The computer will show that it's part of the domain, yet the domain controller will have no record\instance of the computer.
The reverse script - to remove a client from the domain - seems to work, yet may not clean up the entry from the last domain controller (e.g. UnJoinDomainOrWorkgroup).
A utility like NETDOM.exe may be better suited. There are also more advanced scripts which regenerate the SID, etc.
