Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2931 Discussions

Deploying vPro for the first time

idata
Employee
3,647 Views

Hi,

I've been going over so many documents about this and I'm struggling to work out where I actually need to start.

My environment is:

350 PC's

4 different sites

vPro clients up to 3 years old (2009 onward)

Windows/AD environment

I'd like to just use the standalone Intel Powershell to manage them.

So, what I'm looking at first is - where do I start, how do I distribute/connect to all our PC's to have them enabled?

We have an internal CA server, so we can sign our own certificate.

All the documentation I've found is overly complex and covers so many scenarios and tools it's hard to work out what I need for the above.

Hoping to get pointed in the right direction.

Thanks

0 Kudos
21 Replies
idata
Employee
1,887 Views

It looks like the easiest way to get you up and running with vPro is to get the Intel SCS installed in your environment:

http://software.intel.com/en-us/articles/download-the-latest-version-of-intel-amt-setup-and-configuration-service-scs/ http://software.intel.com/en-us/articles/download-the-latest-version-of-intel-amt-setup-and-configuration-service-scs/ This will be the tool you use to activate your AMT systems. Just follow the instructions in the Intel SCS User Guide to help you decide what the best method will be for your environment.The guide will walk through decisions such as: Configuration methods, Security Considerations, Maintenance Policies, etc.. Once you complete the configuration steps, you will be able to easily manage the systems from PowerShell by installing the Intel vPro PowerShell Module:http://communities.intel.com/docs/DOC-4800 http://communities.intel.com/docs/DOC-4800 thanks!Josh
0 Kudos
idata
Employee
1,887 Views

I've had a look at that page, it's a bit overwhelming. I already tried Intel SCS 7.1 and installed it, but that only seems to be for 2011 clients where you can deploy the xml settings file and the executable?

Then there's SCS Lite 6.5 or SCS 5.5. SCS Lite didn't support AMT v7, so I thought SCS 5.5 might do the job.

Am I going down the right track here?

Thanks

0 Kudos
idata
Employee
1,887 Views

You can use most any version of SCS to provision your machines..

For example, with SCS 7 you can set up the RCS to perform Remote Configuration on your devices (which seems like the best solution in your case).

Here are the supported configuration methods and their supported Firmware Versions:

Configuration Method / Intel AMT VersionsHost Based Configuration 6.2 and higherSMB/Manual Configuration 4.0 and higherOne Touch Configuration (PSK) 2.1 and higherRemote Configuration (PKI) 2.2, 2.6, 3.0 and higher

as you can see (if you do not want to manually touch all of your systems) Remote Configuration would be the best choice.

Just follow the Intel® Setup and Configuration Service User Guide for Remote Configuration using the RCS and you should be on the right path!

thanks

Josh

0 Kudos
idata
Employee
1,887 Views

Thanks again.

That was the original path I went down, and I got as far as creating a configuration profile and export it, but I'm still stuck on how to distribute it. This is the point I was told that the .xml file distribution required AMT v7.

Is this incorrect? Looking at the document there is "Configuring Systems Using the RCS (Legacy)" where you use the ACUConfig.exe command to import the .xml configuration file.

I've tried this command on my test PC:

ACUConfig.exe ConfigViaRCSOnly "SCS/RCS Servername" test.xml

How can I tell if it's worked? I'm trying to use this command from the powershell vPro utility:

get-amthardwareasset testpcname

But I'm getting a 'could not connect to host' error, even though I can ping the PC via the same name.

Again, hoping you can verify what I'm doing here and what I might have missed.

Thanks

0 Kudos
idata
Employee
1,887 Views

So it looks like you are on the right track, the XML file is used in the following way:

say you have a mixed envrionment of host-based capable machines and legacy machines and you want to use host-based where you can, you would use the Unified Configuration Process:

The Unified Configuration process uses two copies of the same XML profile:• The first copy is created and stored in the RCS. This copy is used by the RCS to remotely configure devices that do not support host-based configuration. • The second copy is "exported" from the RCS and must be included in the deployment package. This copy is used by the Configurator to locally configure devices that support host-based configuration. This copy also includes data (added during export) about the RCS and the required control mode for the Intel AMT device

If you do not want to use Host-Based or have only legacy systems, you can use the command you described below (ConfigViaRCSOnly) to configure them:

Again, if you are going to be wanting to remotely configure the systems without touching them, you will have to purchase/install a configuration certificate from one of the certificate vendors. See the Setting up Remote Configuration (PKI) section of the SCS User Guide.

To verify that your systems are configured, open the Intel Management and Security Status Icon from the notification area on your client system.

In the advanced tab, you should see a status of Configured.

thanks!

Josh

0 Kudos
idata
Employee
1,887 Views

OK, I don't have any Intel Management and Security Status icon, what program needs to be installed to get that? Is that a requirement for this to all work, or just handy to see certain information?

I've found the details about Unified Configuration. I think I'm getting confused here again:

"RCS is used to remotely configure devices that do not support host-based configuration" - How??

"The second copy of the XML profile is exported for devices that support host-based configuration". AMT 7 is the only device that supports host-based configuration, is that correct?

If so, why would the ConfigViaRCSOnly work for only Non-Host based or legacy systems? To me that's contradicting the above.

Also, I can't use an internal CA certificate? I have to use a public one?

Thanks

0 Kudos
idata
Employee
1,887 Views

Hi Adam,

I went through the process of setting up a new SCS 7 instance and then did a test provision on a client.

I attempted to capture everything I did in the attached .PDF

Let me know if this helps clear up the process!

thanks,

Josh

0 Kudos
idata
Employee
1,887 Views

Hi,

That does help thanks - it's confirmed I've done it right but I'm at the stage where I need a certificate. There are some details mentioned in the guide, but is there a more lightly explained version of what certificate is required?

We'd be buying from GoDaddy too, we already have a wildcard cert but I'm not sure if it can be used.

Thanks

0 Kudos
idata
Employee
1,887 Views

Adam,

Take a look at this post:

/community/openportit/vproexpert/blog/2011/03/09/vpro-provisioning-certificate-from-godaddy--new-standard-ssl-certificate-support http://communities.intel.com/community/openportit/vproexpert/blog/2011/03/09/vpro-provisioning-certificate-from-godaddy--new-standard-ssl-certificate-support

It will give you the specifics on what you need to do to get a provisioning cert from GoDaddy.

-Dan

0 Kudos
idata
Employee
1,887 Views

Hi,

Thanks for that, I've had a good read.

It mentions it's for SCCM, will this work without SCCM also?

Can I use a CName that goes to the server I've configured for RCS as the FQDN on this certificate?

Lastly there was a question I asked earlier but it was missed:

I don't have any Intel Management and Security Status icon, what program needs to be installed to get that? Is that a requirement for this to all work, or just handy to see certain information?

Thanks

 

Adam
0 Kudos
idata
Employee
1,887 Views

Yes, the proces for ordering certs is the same no matter what provisioning tool you use. Yes, use the FQDN of your RCS server when requesting the cert.

As for the missing IMSS icon in the task tray, try downloading the AMT drivers from your client's manufacturer and reinstalling them. That should bring it back.

-Dan

0 Kudos
idata
Employee
1,887 Views

Hi,

So I've now followed the process from beginning to end. I'm running the manual ACUConfig.exe command, but it enables Intel RPAT for 8 seconds then disables again.

 

How do I work out what's going wrong? I can't connect to it via Powershell, and the command gives no error. I can't find any log files on the client or server.

I really don't know where to start looking apart from going over all the instructions I have.

Thanks

0 Kudos
idata
Employee
1,887 Views

Try running ACUConfig with /output file switches to capture what's happening when it tires to provision the client. Share the log file here and we should be able to get an idea of where it's hanging up.

-Dan

0 Kudos
idata
Employee
1,887 Views

Here's the error: Obviously something to do with the certificate...

2011-11-09 15:43:00:(INFO) : ACU Configurator , Category: HandleOutPut: Starting log 2011-11-09 15:43:00

 

2011-11-09 15:43:02:(INFO) : ACU Configurator , Category: VerifyFileSignature: The file "C:\temp\ACU_Configurator\ACU.dll" is signed and the signature was verified.

 

2011-11-09 15:43:04:(INFO) : ACU Configurator, Category: -ConfigViaRCSOnly-: xxx.com.au :Starting Remote configuration...

 

2011-11-09 15:43:10:(INFO) : ACU Configurator , Category: Information message: Activate Intel(R) AMT configuration (0xc0000050)

 

2011-11-09 15:43:10:(INFO) : ACU Configurator , Category: Information message: Success (0xc0000051)

 

2011-11-09 15:43:20:(ERROR) : ACU.dll, Category: Remote Profile Configuration: Remote Profile Configuration failed: An SSL error occurred. Verify the username and password, and the PSK or certifcate settings, where applicable.- 0xc0000fb7. (Intel(R) AMT %1 failed. Initial connection to the Intel(R) AMT device failed. Valid certificate for PKI configuration not found. (Failed while calling Soap call GetCoreVersion. Intel(R) AMT connection error -1073737801: An SSL error occurred. Verify the username and password, and the PSK or certifcate settings, where applicable., error in discover 0xc0000fb7))

 

2011-11-09 15:43:20:(ERROR) : ACU Configurator, Category: Exit: ***********Exit with code 75 - Failed to complete remote configuration of this Intel(R) AMT device. Details: An SSL error occurred. Verify the username and password, and the PSK or certifcate settings, where applicable.- 0xc0000fb7. (Intel(R) AMT %1 failed. Initial connection to the Intel(R) AMT device failed. Valid certificate for PKI configuration not found. (Failed while calling Soap call GetCoreVersion. Intel(R) AMT connection error -1073737801: An SSL error occurred. Verify the username and password, and the PSK or certifcate settings, where applicable., error in discover 0xc0000fb7))
0 Kudos
idata
Employee
1,887 Views

The error you are seeing is typically caused when the RCS can't find a provisioning certificate.

Did you get a provisioning certificate from GoDaddy? If so, did you add the provisioning certificate to the personal cert store for the user account that the RCS?

-Dan

0 Kudos
idata
Employee
1,887 Views

Hi,

Yes the cert is from GoDaddy and it's definitely in the Personal Store for the user account that's running RCS - I checked the user account against the RCS service and it's definitely the same one.

Thanks

Adam

0 Kudos
idata
Employee
1,887 Views

Have you tried restarting the RCS service since you added the provisioning cert to th cert store?

0 Kudos
idata
Employee
1,887 Views

Yes I've rebooted the server in case anything needed to be restarted.

0 Kudos
idata
Employee
1,887 Views

OK well I worked out that you can't have your certificate with a name like: vpro.domainname.com with a cname entry in your DNS to vpro.domain-name.com if your internal domain is vpro.domain-name.com

Remade the cert via GoDaddy as vpro.domain-name.com and it's working.

Now the next step is to work out the best way to distribute it. Can I just package up the command in SCCM and push that out to all PC's?

0 Kudos
idata
Employee
1,803 Views

Yes, SCCM can handle that task just fine. Set it up like any other software package you want to distribute and you're set. You may want to look at using a task sequence (under OS distribution) as part of this process. It gives you the ability to specify the account that the ACUConfig software package will run as.

0 Kudos
Reply