Vpro Labs Guide


Intel vPro AMT7 Presentation & Hands-on Lab


Presentation schedule:

Day 1
Start  End    Description
09:00  18:00  Training room preparation

Day 2
Start  End    Description
09:30  10:00  Welcome
10:00  11:00  What is Intel vPro
11:00  11:30  AMT 7 - New Features
11:30  12:30  Tools and Use Cases
13:30  13:50  Lab 1 - Find Intel AMT Capable Machines
13:50  14:10  Lab 2 - Enhanced Remote Repair with Microsoft Windows PE
14:10  14:30  Lab 3 - Enhanced Remote Repair - Virus Scan
14:45  15:05  Lab 4 - Enhanced Remote Repair with Drive Sharing
15:05  15:20  Lab 5 - Enhanced Remote Repair - Registry Edits
15:20  15:45  Lab 6 - Enhanced Remote Repair - Run ThinStation
15:45  16:00  Lab 7 - WebUI Interface Client
16:00  16:30  Lab 8 - Use MSDaRT with Intel vPro Technology
16:30  17:00  Out-of-Band Management

Day 3
Start  End    Description
09:30  10:00  Welcome
10:00  11:00  Unified Configuration
11:00  12:00  Profile Management
13:00  13:30  Host based Configuration
13:30  14:00  Lab 9 - Windows PowerShell Module for Intel vPro
14:00  15:00  Lab 10 - PC Alarm Clock
15:00  16:00  Lab 11 - GUI
16:00  16:30  Lab 12 - USB Key Provisioning
16:30  17:00  Integration with SCCM
17:00  17:15  Evaluation


Lab 1

1. Once you download the Intel SCS 7 7.0.13.31.zip file, expand the files to your local drive.
2. Expand the C:\vPro\Source\ACU_Configurator folder.
3. Expand the ACU_Configurator folder. You will need the following files to execute the system discovery capability:
   • ACUConfig.exe
   • ACU.dll
   • xerces-c_2_7.dll
   • the Licenses folder (all)
4. Copy the ACU_Configurator folder (including all files listed above) over to your Configuration Manager Server or store it on your library network share.
5. Create a new file and name it discover.bat.
6. Open discover.bat in a text editor and enter the following command line as the contents of the file:
   AcuConfig /output console /verbose systemdiscovery
7. Save the discover.bat file in the ACU_Configurator folder.
8. Run discover.bat on the AMT client and check the values registered in HKLM\Software\Intel\SCS7.0\System_Discovery.


Lab 2

Files with a .wim extension can be mounted. This means that all files in the .wim file are temporarily copied to a location on the local hard drive. Once there, the files can be manipulated, added to or removed. When the image is unmounted, all changes can be written back to the image.

1. If you have not already done so, click Start -> Programs -> Microsoft Windows AIK -> Deployment Tools Command Prompt, then right-click Deployment Tools Command Prompt and select Run As Administrator.
2. Mount the image:
   Dism /mount-WIM /wimfile:c:\intel\winpe\winpe_x86.wim /index:1 /mountdir:c:\intel\winpe\mount
3. Type:
   Dism /image:C:\intel\winpe\mount /Add-Driver /driver:C:\drivers\lan\e1k6232.inf
   Dism /image:C:\intel\winpe\mount /Add-Driver /driver:C:\drivers\lan\e1c6232.inf
4. Unmount the image:
   Dism /unmount-WIM /mountdir:c:\intel\winpe\mount /commit
5. Create the .iso image. Type:
   oscdimg -n -bc:\intel\winpe\etfsboot.com c:\intel\iso c:\winpe\winpe.iso
   Copy the .iso file to a shared folder.
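The mount, add-driver and unmount steps above can be wrapped so that a failed driver injection is discarded instead of committed into the boot image. This is an added example, not part of the original lab guide; it assumes an elevated prompt, PowerShell 4.0 or later (for Get-FileHash), and the lab's own paths.

```powershell
# Added example (not from the lab guide): Lab 2 steps 2-4 with commit-or-discard.
# Assumptions: elevated prompt, PowerShell 4.0+, paths as used in the lab.
$Wim      = 'C:\intel\winpe\winpe_x86.wim'
$MountDir = 'C:\intel\winpe\mount'
$Drivers  = @('C:\drivers\lan\e1k6232.inf', 'C:\drivers\lan\e1c6232.inf')

function Invoke-Dism {
    # Hypothetical helper: runs dism.exe and turns a non-zero exit code into an error.
    param([string[]]$DismArgs)
    & dism.exe @DismArgs | Out-Host
    if ($LASTEXITCODE -ne 0) {
        throw "dism $($DismArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Hash of the image before any change, for the change record.
$before = (Get-FileHash -LiteralPath $Wim -Algorithm SHA256).Hash

Invoke-Dism @('/Mount-Wim', "/WimFile:$Wim", '/Index:1', "/MountDir:$MountDir")
$commit = $false
try {
    foreach ($inf in $Drivers) {
        if (-not (Test-Path -LiteralPath $inf)) { throw "Driver not found: $inf" }
        Invoke-Dism @("/Image:$MountDir", '/Add-Driver', "/Driver:$inf")
    }
    $commit = $true          # every driver was added without error
}
finally {
    # Write the changes back only if every step succeeded; otherwise throw them away.
    $mode = if ($commit) { '/Commit' } else { '/Discard' }
    & dism.exe /Unmount-Wim "/MountDir:$MountDir" $mode | Out-Host
}

$after = (Get-FileHash -LiteralPath $Wim -Algorithm SHA256).Hash
"winpe_x86.wim SHA256 before: $before"
"winpe_x86.wim SHA256 after : $after"
```

Recording the hash of the committed image lets you confirm later that the .wim used to build the ISO is the one you produced here.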


1. Open VNC Viewer Plus.
2. Enter intelpc.vprodemo.com, the name of the remotely managed Intel vPro technology based system.
3. Set Connection mode to Intel AMT.
4. Set Encryption to None (or adjust based on your setup).
5. Click Connect.
6. Enter your Intel AMT credentials (the document example uses admin, P@ssw0rd) and click OK.
7. Enter a User Consent Code if prompted.
8. Click the Mount Disk Images menu icon, shown in Figure below.
9. An IDE Redirection window is displayed. Click Browse next to CD/DVD.
10. Enter or select the WinRE image: C:\vPro\Source\winpe_x86.iso
11. Click Mount.
12. Place the mouse near the top of the screen and click the Power icon.
13. Click Reset.
14. Choose Boot to CD/DVD.
15. Click Reset.

The Intel vPro technology based system will now reboot. It will automatically boot from the WinPE ISO file created above. As it boots, the KVM Remote Control session will display progress. Once the boot process is complete, you will see a command prompt: x:\windows\system32. Proceed to section 4.4 for some of the tools and possibilities available at this point.


Lab 3

If your system is using Kerberos and/or TLS, adjust the steps below as needed.

1. If desired, download and install RealVNC’s VNC Viewer Plus: http://www.realvnc.com/products/viewerplus/index.html
2. Open VNC Viewer Plus.
3. Enter intelpc.vprodemo.com, the name of the remotely managed Intel vPro technology based system.
4. Set Connection mode to Intel AMT.
5. Set Encryption to None (or adjust based on your setup).
6. Click Connect.
7. Enter your Intel AMT credentials (the document example uses admin, P@ssw0rd) and click OK.
8. Enter a User Consent Code if prompted.
9. Click the Mount Disk Images menu icon, shown in Figure below.
10. An IDE Redirection window is displayed. Click Browse next to CD/DVD.
11. Enter or select C:\vPro\Source\winpe_x86.iso
12. Click Mount.
13. Place the mouse near the top of the screen and click the Power icon.
14. Click Reset.
15. Choose Boot to CD/DVD.
16. Click Reset.
17. Press any key when prompted in the remote console.


18. In the command prompt, type E: and press Enter.
19. Type CD TOOLS\TREND_CLEANUP
20. Type the following and press Enter to start the scan:
    vscanwin32.com /S C:\*.* /C /NZ /NJAVA /P=D:\TOOLS\TREND_CLEANUP\lpt$vpn.831


Lab 4

1. Click Start -> Programs -> RealVNC -> VNC Viewer Plus.
2. On the New Connection screen, set the following (the order is important):
   • For Connection Mode select Intel AMT KVM.
   • For AMT Server enter intelpc.vprodemo.com, the name of the remotely managed Intel vPro technology based system.
   • For Encryption select None.
3. Click Connect.
4. Enter your Intel AMT credentials. The document example uses admin, P@ssw0rd. Note: these credentials must have administrative rights to Intel AMT.
5. Click OK.
6. The KVM Remote Control session starts. Depending on how KVM Remote Control was configured, you will either be prompted for user consent or be at the remote client’s desktop. If the latter, you are done with these steps. Proceed to the conclusion paragraphs after these steps.
7. On the Managed Client screen a sprite is displayed with a consent code. Enter this code into the viewer window on the console. Note: Do not use the number pad. Once the code is entered you will have remote keyboard, video, and mouse control of the remote client.

At this point it is almost as if you are sitting in front of the remote client. You can do many of the same things allowed by a VNC or RDP server, such as walk the user through a set of steps, type in the user’s recovery passphrase, or install/uninstall software for the user. This reference design will only cover benefits of a KVM Remote Control session with Intel AMT over the current in-band services mentioned above.


8. If you have not already done so, copy the Linux ISO file rds.iso (included in this Use Case Reference Design’s download .zip file) to a location that is accessible to the Management Console System, such as the Management Console System’s hard drive.
9. Click the IDE-Redirection menu icon, shown in Figure 5 below.
10. Browse to the location where you copied the rds.iso file. Select the desired file and click Open. Be sure to click Share in the VNC Viewer Plus IDE-Redirection window (to share the ISO with the remote client).
11. Click Start > Shutdown > Restart (on the remote client) to restart the client and boot it to the ISO image you previously shared. If Windows is not running on the remote client, then click the Power button as shown in Figure below:


All hard drive partitions found on the Managed Client are listed using Linux device nomenclature. Boot drives are designated by an asterisk (*). Figure 9 shows the Commander SOL/IDER window, but the same content should appear in the KVM Remote Control session window.

12. On the Management Console System, launch Windows Explorer and click Tools > Map Network Drive from the Windows Explorer menu bar.
13. Choose an unused drive letter to map to. In the Folder field, enter the share information from the SOL window. For the example SOL window shown in Figure 10 below, you would enter \\192.168.1.101\drive in the Folder field. Do NOT click Finish at this point.
14. Deselect Reconnect at Logon.
15. Click Connect using a different user name.
16. In the Connect As dialog, enter the user name and password from the SOL window.
17. Click OK.
18. In the Map Network Drive dialog, click Finish.


Lab 5

In this section you will create a backup copy of the remote Managed Client’s registry on the Management Console system. This is done so that you can restore the remote Managed Client’s registry if you accidentally corrupt it while editing it.

1. On the Management Console system, open Windows Explorer and create a new folder called C:\Remote_RegBack.
2. In Windows Explorer, open the mapped drive to the Managed Client’s hard drive (Q: in the document example) and navigate to Q:\sda2\Windows\System32\config. This step assumes that your remote Managed Client’s hard drive is mapped to drive Q: and that its operating system is installed on the partition labeled sda2.
3. Copy the following files from Q:\sda2\Windows\System32\config to your new remote registry backup folder, C:\Remote_RegBack:
   • COMPONENTS.*
   • DEFAULT.*
   • SAM.*
   • SECURITY.*
   • SOFTWARE.*
   • SYSTEM.*

The remote Managed Client’s registry is now backed up on your Management Console system and can be restored if necessary. To restore a corrupted registry on the remote Managed Client, copy the entire set of backup registry files from C:\Remote_RegBack to Q:\sda2\Windows\System32\config, thus overwriting the entire corrupted remote registry with the clean backup. Do not copy individual registry files.
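The backup and whole-set restore described above can be scripted so that the copy is verified and a restore refuses to run on an incomplete or altered set. This is an added example, not part of the original lab guide; it assumes PowerShell 4.0 or later and the lab's Q:\sda2 mapping, and the function names and manifest.csv file name are hypothetical.

```powershell
# Added example (not from the lab guide). Assumptions: PowerShell 4.0+,
# the client's disk mapped as Q: with the OS on sda2, as in the lab.
$Source   = 'Q:\sda2\Windows\System32\config'
$Backup   = 'C:\Remote_RegBack'
$Manifest = Join-Path $Backup 'manifest.csv'      # hypothetical file name

# "NAME.*" in the lab means the hive file itself (no extension) plus its
# companion files, so match the base name with an optional extension.
$HiveRegex = '^(COMPONENTS|DEFAULT|SAM|SECURITY|SOFTWARE|SYSTEM)(\..+)?$'

function Backup-RemoteHives {
    New-Item -ItemType Directory -Path $Backup -Force | Out-Null
    # -Force includes hidden/system companion files such as *.LOG1.
    $rows = Get-ChildItem -LiteralPath $Source -Force |
        Where-Object { -not $_.PSIsContainer -and $_.Name -match $HiveRegex } |
        ForEach-Object {
            $dest = Join-Path $Backup $_.Name
            Copy-Item -LiteralPath $_.FullName -Destination $dest -Force
            $src = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $dst = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
            if ($src -ne $dst) { throw "Copy of $($_.Name) does not match the source" }
            [pscustomobject]@{ Name = $_.Name; SHA256 = $dst }
        }
    if (-not $rows) { throw "No hive files found under $Source" }
    $rows | Export-Csv -LiteralPath $Manifest -NoTypeInformation
    $rows
}

function Restore-RemoteHives {
    $rows = Import-Csv -LiteralPath $Manifest
    # Verify the complete set first; nothing is written if any file is
    # missing or no longer matches the hash recorded at backup time.
    foreach ($r in $rows) {
        $file = Join-Path $Backup $r.Name
        if (-not (Test-Path -LiteralPath $file)) { throw "Missing from backup: $($r.Name)" }
        if ((Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash -ne $r.SHA256) {
            throw "Backup file changed since it was taken: $($r.Name)"
        }
    }
    # Only now overwrite the remote hives, always as the entire set.
    foreach ($r in $rows) {
        Copy-Item -LiteralPath (Join-Path $Backup $r.Name) `
                  -Destination (Join-Path $Source $r.Name) -Force
    }
}

# Usage: Backup-RemoteHives before editing; Restore-RemoteHives to roll back.
```

C:\Remote_RegBack then holds the client's SAM and SECURITY hives, so restrict the folder's ACL to the administrators performing the repair.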

In addition to backing up the remote Managed Client’s registry as described above, you should also back up your local registry for the Management Console, since you will be opening the Registry Editor on the Management Console in the next section. See the procedures outlined in the following Microsoft technical article, under the subheading “Back up the registry”: http://support.microsoft.com/kb/256986

In this section you will open the Registry Editor on the Management Console and load a registry database file (referred to as a “hive”) from the remote Managed Client’s registry, using the mapped drive to the client’s hard drive.

1. On the Management Console, open the Registry Editor as follows: click Start > Run, then type regedit and click OK.
2. In the registry tree (in the left-hand pane), select either HKEY_USERS or HKEY_LOCAL_MACHINE. In the document example we select HKEY_LOCAL_MACHINE.
3. On the menu bar, click File > Load Hive.
4. In the Look in field of the Load Hive dialog, select the drive, folder, or network computer and folder combination that contains the hive you want to load. In the document example, we want to load [HKEY_LOCAL_MACHINE\SOFTWARE] (%windir%/system32/config/SOFTWARE) from the remote Managed Client machine. This hive is located in Q:\sda2\Windows\System32\Config\SOFTWARE (no file extension), assuming that the Managed Client’s hard drive is mapped to drive letter Q: and that the drive partition sda2 contains the Managed Client’s operating system files.


   Other hives you may want to load from the Managed Client are:
   [HKEY_LOCAL_MACHINE\SYSTEM] (%windir%/system32/config/SYSTEM)
   [HKEY_USERS\.Default] (%windir%/system32/config/DEFAULT)
5. In the Load Hive dialog, click Open.
6. In the Key Name dialog, enter the name that you want to assign to the newly loaded remote hive, and then click OK. Be sure to give the newly loaded remote hive a unique name such as “Remote_SOFTWARE” so that you will not confuse it with the local SOFTWARE registry key. The newly loaded remote hive is displayed in the left-hand pane of the Registry Editor, as shown below.


7. At this point you have the ability to perform remote registry edits using the newly loaded remote hive. Make changes as needed to fix the Managed Client’s registry.
8. To save your changes, unload the remote hive as follows: in the left-hand pane of the Registry Editor, select the Hive Key Name (Remote_SOFTWARE, in this example), then click File > Unload Hive on the menu bar. The changes you made to the remote hive are set in the Managed Client’s local registry.
9. Exit the Registry Editor on the Management Console.
10. Disconnect the mapped drive to the Managed Client’s hard drive.
11. Reboot the Managed Client to ensure that it stops sharing its hard drive.
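The Load Hive and Unload Hive steps above have a command-line equivalent in reg.exe, which makes it easy to guarantee the remote hive is unloaded even if an edit fails. This is an added example, not part of the original lab guide; it assumes an elevated prompt, the lab's Q:\sda2 mapping and the existing C:\Remote_RegBack folder, and the Run key and the Run-before.reg file name are chosen here only for illustration.

```powershell
# Added example (not from the lab guide). Assumptions: elevated prompt,
# client disk mapped as Q: (OS on sda2), C:\Remote_RegBack already created.
$HiveFile = 'Q:\sda2\Windows\System32\config\SOFTWARE'
$KeyName  = 'Remote_SOFTWARE'          # unique name, as the lab recommends
$Mount    = "HKLM\$KeyName"

function Invoke-Reg {
    # Hypothetical helper: runs reg.exe and fails loudly on a non-zero exit code.
    param([string[]]$RegArgs)
    $out = & reg.exe @RegArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "reg $($RegArgs -join ' ') failed: $out" }
    $out
}

# Refuse to reuse a key name that already exists locally.
if (Test-Path -LiteralPath "Registry::HKEY_LOCAL_MACHINE\$KeyName") {
    throw "$Mount already exists; choose another key name"
}

Invoke-Reg @('load', $Mount, $HiveFile) | Out-Null
try {
    # Illustration: review what the client starts at logon. reg.exe is used
    # instead of the PowerShell registry provider so that no handle stays
    # open on the hive, which would make the unload fail.
    $runKey = "$Mount\Microsoft\Windows\CurrentVersion\Run"
    Invoke-Reg @('query', $runKey)

    # Keep a text copy of the key as it was before any edit.
    Invoke-Reg @('export', $runKey, 'C:\Remote_RegBack\Run-before.reg', '/y') | Out-Null

    # ... make the required edits here with reg add / reg delete ...
}
finally {
    # Unloading writes the changes back to the file on the client's disk.
    Invoke-Reg @('unload', $Mount) | Out-Null
}
```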


Lab 6

1. Open VNC Viewer Plus.
2. Enter the FQDN of the remotely managed Intel vPro technology based system.
3. Set Connection mode to Intel AMT.
4. Set Encryption to None (or adjust based on your setup).
5. Click Connect.
6. Enter your Intel AMT Admin credentials and click OK.
7. Enter a User Consent Code if prompted.
8. Click the Mount Disk Images menu icon, shown in Figure below.
9. An IDE Redirection window is displayed. Click Browse next to CD/DVD.
10. Enter or select C:\vPro\Source\winpe_x86_owaplus_v1.iso
11. Click Mount.
12. Place the mouse near the top of the screen and click the Power icon.
13. Click Reset.
14. Choose Boot to CD/DVD.
15. Click Reset.

The Intel vPro technology based system will now reboot. It will automatically boot from the WinPE ISO file created above. As it boots, the KVM Remote Control session will display progress. Once the boot process is complete, you will see a command prompt: x:\windows\system32. Proceed to section 4.4 for some of the tools and possibilities available at this point.


Lab 7

1. Open the internet browser and type the url http://<clientamt>:16992

NOTE: If the client is using TLS encryption, the communication will use TCP port 16993.

2. In the browser, click “Log on”.

3. Insert the MEBx credentials in the “Windows Security” window:


4. You can then browse the information from your AMT client.


Lab 8

If your system is using Kerberos and/or TLS, adjust the steps below as needed.

1. If desired, download and install RealVNC’s VNC Viewer Plus: http://www.realvnc.com/products/viewerplus/index.html
2. Open VNC Viewer Plus.
3. Enter the FQDN of the remotely managed Intel vPro technology based system.
4. Set Connection mode to Intel AMT.
5. Set Encryption to None (or adjust based on your setup).
6. Click Connect.
7. Enter your Intel AMT Admin credentials and click OK.
8. Enter a User Consent Code if prompted.
9. Click the Mount Disk Images menu icon, shown in Figure below.
10. An IDE Redirection window is displayed. Click Browse next to CD/DVD.
11. Enter or select C:\vPro\Source\DaRT_ERD65.iso
12. Click Mount.
13. Place the mouse near the top of the screen and click the Power icon.
14. Click Reset.
15. Choose Boot to CD/DVD.
16. Click Reset.

The Intel vPro technology based system will now reboot. It will automatically boot from the WinPE ISO file created above. As it boots, the KVM Remote Control session will display progress.


17. You may choose any of these tools. Or, click Microsoft Diagnostics and Recovery Toolset. This will present the MSDaRT tools menu:


Lab 9

Install the Windows PowerShell Module for Intel® vPro™ technology using the following procedure:

1. Uninstall the previous version of the Windows PowerShell Module for Intel® vPro™ technology.
2. Decompress the zip file to a directory.
3. Navigate to the directory where the file was decompressed.
4. From within the x64 or x32 directory run setup.exe.
5. When the Installation Wizard appears click Next.
6. On the License Agreement confirmation screen, click I Agree and then click Next to continue with the installation.
7. There will be an opportunity to change the module installation folder. It is recommended that it is left at the default, c:\Program Files\Intel Corporation\PowerShell\Modules. Click Next.
8. Click Next to confirm the installation.
9. If User Account Control is turned on, a prompt will appear to continue.
10. When the installation complete screen appears, click Close. The module is installed in the following default directory: C:\Program Files\Intel Corporation\PowerShell\Modules
11. On the License Agreement confirmation screen, click I Agree and then click Next to continue with the installation.


1. Open Windows PowerShell and type set-executionPolicy RemoteSigned <enter> to change the default security setting.
2. Type Get-Module -ListAvailable <enter>. If the Windows PowerShell Module for Intel® vPro™ Technology is installed.
3. Type Import-Module IntelvPro <enter>
4. After the import, type Get-Module -ListAvailable <enter> to show that the module has been imported along with the available Exported Commands.
5. Once the module has been imported, its cmdlets can be listed by using the Get-Command -Module IntelvPro <enter> command.

NOTE: All .ps1 scripts are located on this path: C:\Program Files (x86)\Intel Corporation\PowerShell\Modules\IntelvPro


1. Invoke-AMTPowerManagement intelpc.vprodemo.com -TLS -Operation PowerOff -Username:admin <enter>

In the Windows Security Logon window, enter the user password and wait for the response in PowerShell.

This will power off intelpc.vprodemo.com, prompting for the password of the digest user admin.

2. Invoke-AMTPowerManagement intelpc.vprodemo.com -TLS -Operation PowerOn -Username:admin <enter>

This will power on intelpc.vprodemo.com, prompting for the password of the digest user admin.

3. $AMTCreds = Get-Credential <enter>
   Write-AMTCredential -Username $AMTCreds.Username -Password $AMTCreds.Password <enter>
   $AMTCreds = Read-AmtCredential <enter>
   Invoke-AMTPowerManagement intelpc.vprodemo.com -TLS -Operation Poweroff -Credential:$AMTCreds <enter>

This will allow you to set a credential (stored for multiple uses); that credential is then used to power off intelpc.vprodemo.com. ComputerName, Port, and Operation parameters are passed by parameter position; Credential is passed by parameter name.

4. Get-Content C:\vPro\Source\Computers.txt | Invoke-AMTPowerManagement -TLS -Operation PowerOn -Username:admin <enter>

You have a list of computer names in a text file. That text file is piped into Invoke-AMTPowerManagement and the computers in that list are powered on using your local logged on Kerberos credential. The ComputerName parameter is piped in by value; Port and Operation parameters are passed by parameter name.

5. Invoke-AMTForceBoot intelpc.vprodemo.com -TLS -Operation Reset -Device PXE -Username:admin <enter>

This will reset intelpc.vprodemo.com in PXE mode, prompting for the password of the digest user admin.


1. Calling a vPro cmdlet from a command line

Open the command prompt and type:
   powershell -command "& {import-module intelvpro; $amtcreds = read-amtcredential; invoke-amtpowermanagement -credential $amtcreds -operation Reset}" <enter>

This calls the cmdlet from a command line, loading the credential $amtcreds from the AMT secure storage. You will still be prompted for the computer name, though. Save that command, inserting the parameter %*, in the file “c:\vPro\Source\ps-reset-machine.bat” as below:
   powershell -command "& {import-module intelvpro; $amtcreds = read-amtcredential; invoke-amtpowermanagement %* -credential $amtcreds -operation Reset}"

In the command prompt type:
   “c:\vPro\Source\ps-reset-machine.bat” intelpc.vprodemo.com <enter>

2. Secure credential storage in the PowerShell Module for Intel vPro Technology

   $AMTCreds = Get-Credential <enter>
   Write-AMTCredential -Username $AMTCreds.Username -Password $AMTCreds.Password <enter>

Now, in a different session, we can load and use the credential:
   Import-Module intelvpro
   $AMTCreds = Read-AmtCredential <enter>
   Get-AMTFirmwareVersion -ComputerName:intelpc.vprodemo.com -TLS -Credential $AMTCreds <enter>


Lab 10

1. Open PowerShell and change the default security setting:
   set-executionPolicy RemoteSigned <enter>

2. Import the Intel vPro module:
   Import-Module IntelvPro <enter>

3. List the module's commands:
   Get-Command -Module IntelvPro <enter>

4. Set the alarm clock to wake up the OS, prompting for the Kerberos user password:
   Set-AMTAlarmClock intelpc.vprodemo.com -TLS -AlarmTime:2011-09-01T15:30:00 -UserName admin <enter>

5. In the Windows Security Logon window, enter the user password and wait for the response in PowerShell.

6. Retrieve the alarm definition using the Get-AMTAlarmClock cmdlet below:
   Get-AMTAlarmClock intelpc.vprodemo.com -TLS -Username admin <enter>

7. Wait for the system to wake up, then shut it down.

8. Set the alarm clock for a list of computers:
   Get-Content C:\vPro\Source\Computers.txt | Set-AMTAlarmClock -TLS -AlarmTime:2011-09-01T15:45:00 -UserName admin <enter>

9. Wait for the system to wake up. P.S.: Try clearing the alarm definition by running the Clear-AMTAlarmClock cmdlet. For more details and example usage, review the Windows PowerShell integrated help by executing:
   Get-Help Clear-AMTAlarmClock -Full


Lab 11

The Intel® AMT PowerShell Graphical User Interface (GUI) provides a simple interface for invoking a majority of the commands supported within the Intel® vPro Module.

1. Open PowerShell and change the default security setting:
   set-executionPolicy RemoteSigned <enter>

2. Import the Intel vPro module:
   Import-Module IntelvPro <enter>

3. List the module's commands:
   Get-Command -Module IntelvPro <enter>

4. Type Invoke-AMTGUI <enter>

5. In the Windows Security Logon window, enter the user password and wait for the response in PowerShell.

6. The graphical interface will be displayed as shown below:


Lab 12

You can prepare a USB key with identical configuration settings to use with multiple Intel AMT systems. When the systems are rebooted with the USB key, Intel AMT is configured on them. To prepare the USB key:

1- Put a USB key in the computer. The Settings for Manual Configuration of Multiple Systems window opens. Note: This option is available only for systems with Intel AMT 6.0 and higher. For other Intel AMT systems you must make a new USB key for each system.

2- Select Tools > Prepare a USB Key for Manual Configuration. Note: The ACU Wizard does not restrict the size of USB key you can use. But, the computer BIOS must fully support the selected USB key and be able to do a reboot from it.

3- Select the versions of Intel AMT that this USB key will configure:
   • All systems are Intel AMT 6.0 and higher — If selected, you can use this USB key to configure systems that have Intel AMT 6.x and 7.x.
   • All systems are Intel AMT 7.0 and higher — If selected, you can use this USB key to configure only systems that have Intel AMT 7.x. The data in the USB key is “scrambled” so it cannot easily be read.

4- In the Configuration Settings section, enter the password for the MEBx:
   • Old MEBx Password — The ACU Wizard always puts the default password of unconfigured systems (“admin”) in this field. If this is not the password currently defined in the MEBx, enter the correct password. If you do not supply the correct password, configuration will fail.
   • New MEBx Password — The new password to put in the MEBx. For the first configuration it is mandatory to change the MEBx password. For reconfiguration you must also enter a value here, but it can be the same as the Current Password. For information about the required format, see “Password Format” on page 8.


5- From the drop-down list, define in which power states (of the host system) the Intel AMT device will operate:

   • Always on (S0-S5) — If the system is connected to the power supply, the Intel AMT manageability features are available in any of the system power states. This is the recommended setting.
   • Host is on (S0) — The Intel AMT manageability features are available only if the operating system of the Intel AMT system is up and running.

   (Optional) By default, the user consent feature is not enabled for systems configured using this configuration method (see “User Consent” on page 4). If you want to define that user consent is mandatory for redirection sessions, select User consent required for redirection sessions.

6- From the USB Drive drop-down list, select the drive letter of the USB key (you cannot select a USB key if you are using it to run the ACU Wizard).

7- Click Next. The Formatting USB drive window opens.

8- Click Yes if you are sure you want to continue and format the USB key. The ACU Wizard creates a configuration file on the USB key.