
Best Practices and Troubleshooting of Intel vPro Technology with the Altiris Agent

White Paper

June 5, 2008

2007 Altiris Inc. All rights reserved.


ABOUT ALTIRIS

Altiris, Inc. is a pioneer of IT lifecycle management software that allows
IT organizations to easily manage desktops, notebooks, thin clients,
handhelds, industry-standard servers, and heterogeneous software
including Windows, Linux, and UNIX. Altiris automates and simplifies IT
projects throughout the life of an asset to reduce the cost and complexity
of management. Altiris client and mobile, server, and asset management
solutions natively integrate via a common Web-based console and
repository. For more information, visit www.altiris.com.

NOTICE

INFORMATION IN THIS DOCUMENT: (I) IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY WITH
RESPECT TO PRODUCTS OF ALTIRIS OR ITS SUBSIDIARIES (PRODUCTS), (II) REPRESENTS ALTIRIS'
VIEWS AS OF THE DATE OF PUBLICATION OF THIS DOCUMENT, (III) IS SUBJECT TO CHANGE WITHOUT
NOTICE, AND (IV) SHOULD NOT BE CONSTRUED AS ANY COMMITMENT BY ALTIRIS. EXCEPT AS PROVIDED
IN ALTIRIS' LICENSE AGREEMENT GOVERNING ANY PRODUCTS OF ALTIRIS OR ITS SUBSIDIARIES
(PRODUCTS), ALTIRIS ASSUMES NO LIABILITY WHATSOEVER, AND DISCLAIMS ANY EXPRESS OR IMPLIED
WARRANTIES RELATING TO THE USE OF ANY PRODUCTS, INCLUDING WITHOUT LIMITATION, WARRANTIES
OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY THIRD PARTY
INTELLECTUAL PROPERTY RIGHTS. ALTIRIS ASSUMES NO RESPONSIBILITY FOR ANY ERRORS OR
OMISSIONS CONTAINED IN THIS DOCUMENT AND ALTIRIS SPECIFICALLY DISCLAIMS ANY AND ALL
LIABILITIES AND/OR OBLIGATIONS FOR ANY CLAIMS, SUITS OR DAMAGES ARISING FROM OR IN
CONNECTION WITH THE USE OF, RELIANCE UPON OR DISSEMINATION OF THIS DOCUMENT AND/OR THE
INFORMATION CONTAINED HEREIN.

Altiris may have patents or pending patent applications, trademarks, copyrights, or other intellectual property
rights that relate to the Products referenced herein. The furnishing of this document and other materials and
information does not provide any license, express or implied, by estoppel or otherwise, to any foregoing
intellectual property rights.

No part of this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any
means without the express written consent of Altiris, Inc.

Customers are solely responsible for assessing the suitability of the Products for use in particular applications.
Products are not intended for use in medical, life saving, life sustaining, critical control or safety systems, or in
nuclear facility applications.

Copyright 2006, Altiris, Inc. All rights reserved.

Altiris, Inc.
588 West 400 South
Lindon, UT 84042

Phone: (801) 226-8500
Fax: (801) 226-8506

*Other company names or products mentioned are or may be trademarks of their respective owners.

Information in this document is subject to change without notice. For the latest documentation, visit
www.altiris.com.

www.altiris.com
CONTENTS

Introduction
Troubleshooting the Altiris Manageability Toolkit for Intel vPro Technology
Best Practices
Ports
Troubleshooting Pt. 1 Provisioning Client Systems
Introduction
Versioning
Intel AMT Setup
Troubleshooting Tools
Intel AMT Logs
OOB Trace Logging
Wireshark
Altiris Knowledgebase
Symptoms
System Missing
Provision Server
Conclusion
Troubleshooting the Altiris Manageability Toolkit for Intel vPro Technology Part 2 Provisioning Intro to Server Components
Introduction
Out of Band Management
Out of Band Management Solution
Important points to consider with Out of Band Management
Out of Band Setup and Configuration
Intel SCS Component
Install
Oobprov.exe
AMTSCS Virtual Web-site
Intel AMT database
Important tables
Conclusion
Troubleshooting the Altiris Manageability Toolkit for Intel vPro Technology Part 3 Provisioning Console Troubleshooting
Introduction
Symptoms
Provisioning Console Access Forbidden
  Problem
  Cause
  Resolution
Provisioning Console Connection Closed
  Problem
  Cause
  Resolution
Provisioning Console User Not Authorized
  Problem
  Cause
  Resolution
Provisioning Console Timeouts
  Problem
  Cause
  Resolution
Conclusion
Troubleshooting the Altiris Manageability Toolkit for Intel vPro Technology Part 4 Provisioning Server Troubleshooting
Introduction
Symptoms
No update to Intel AMT Systems Node
  Problem
  Cause
  Resolution
No Systems Appearing
  Problem
  Cause
  Resolution
FQDN Not Acquired
  Problem
  Cause
  Resolution
No systems Provisioning
  Problem
  Cause
  Resolution
Properties Script Failed
  Problem
  Cause
  Resolution
Conclusion

INTRODUCTION

This document provides troubleshooting for PCs with Intel Core*2
processor with vPro* technology (PCs with Intel* vPro* technology),
Intel* Active Management Technology (Intel* AMT) and the Altiris Agent,
as well as suggested best practices for integrating these technologies
together.

TROUBLESHOOTING THE ALTIRIS MANAGEABILITY TOOLKIT FOR INTEL VPRO TECHNOLOGY

Best Practices
This document provides troubleshooting tips and best practices for
working with PCs with Intel Core2 processor with vPro technology
(PCs with Intel vPro technology), Intel Active Management
Technology (Intel AMT) and the Altiris Agent. Links are included to
show readers other useful sources of information.

It is important to know the latest changes to technology being used, even
if you are not using the particular functionality that has been changed.
Use the following best practices to keep yourself up to date on changes
to Altiris and Intel AMT and Intel vPro:

• Use the Intel vPro Expert center to get the latest information on
  the Intel vPro systems: http://www.intel.com/go/vproexpert
• Use Altiris Juice to get the latest troubleshooting tips and
  practices for integrating Altiris with Intel vPro:
  http://juice.altiris.com/intel
• Review patches and new releases.
• Maintain a test lab, even after deployment.
• Carefully review security requirements.

Ports
Which ports does vPro use?

Port     Purpose
80       Standard HTTP Port (Web UI)
443      Standard HTTPS Port (Web UI in SSL mode)
9971     Default port used by SCS/SCA (configurable)
16992    SOAP commands in SMB mode*
16994    IDE-Redirection in SMB mode*
16993    SOAP commands in TLS/Enterprise mode**
16995    IDE-Redirection in TLS/Enterprise mode**
56666    Serial over LAN (SOL)

*  16992 and 16994 are used during SMB mode, and are not used at all with TLS.
** 16993 and 16995 are used during TLS, and are not used at all with SMB.

Troubleshooting Pt. 1 Provisioning Client Systems
Troubleshooting issues with the Intel AMT provisioning process can be a
daunting prospect. This series walks through the troubleshooting
methods to pinpoint where problems originate and how to fix them. Use
Part 1 to troubleshoot the Intel AMT systems when provisioning is not
occurring. If the issue is on the client side, this document should provide
the tools to diagnose and fix the issue.

Introduction
There are several modes an Intel vPro capable system can be in when it
arrives at the customer site. The modes are:
1. Intel AMT disabled
2. Intel AMT enabled, not in Setup Mode (factory default)
3. Intel AMT enabled, not in Setup Mode (Password has been
changed in the MEBx)
4. Intel AMT enabled, in Setup Mode for TLS-PSK
5. Intel AMT enabled, in Setup Mode for Remote Configuration
6. Modes 4 and 5 in Hello Packet Mode disabled

Each of the modes has its own quirks, and understanding the modes
will help determine what state a system is in, and how to change a
system from one state to another.

Versioning
It is important to understand the different versions of not only the local
Intel AMT build, but of Altiris Out of Band Management with the Intel
SCS Component. See the following table:

OOBM    Intel SCS    Intel AMT
6.1     1.2          2.0, 2.1
6.1     1.3          2.0, 2.1
6.2     3.0          2.0, 2.1, 2.5, 3.0
6.2     3.2.1        2.0, 2.1, 2.2, 2.5, 2.6, 3.0

Note the following points when working with the different versions:
• Versions 2.0, 2.1, 2.5 do not support Remote Configuration.
• Versions 2.5 and 2.6 are notebooks.
• Versions 2.2 and 2.6 are upgrades to versions 2.0, 2.1 and 2.5
  respectively and provide the additional functionality of using
  Remote Configuration for Provisioning.
• Intel SCS version 1.2 was unstable. It's recommended to upgrade
  to 1.3 or upgrade OOB to 6.2.
• Versions 2.2 and 2.6 are not supported for Remote Configuration
  unless Intel SCS is upgraded to version 3.2.1. Check the
  following KB articles for more information:
  o https://kb.altiris.com/article.asp?article=40076&p=1
  o https://kb.altiris.com/article.asp?article=40117&p=1

Intel AMT Setup
Each mode for Intel AMT sets the system in a specific state. See the
brief descriptions below of how Intel AMT acts in each state:
1. Intel AMT disabled: In this situation Intel AMT must be enabled
either manually by looking into the Intel MEBx (Ctrl+P at startup)
or by using the RCT Tool. The following article covers the use of
this tool, including data on the command-line switch that can be
used to enable Intel AMT:
o http://juice.altiris.com/article/3612/using-intels-rct-tool-restart-amt-hello-packets-enterprise-provisioning
2. Intel AMT enabled, not in Setup Mode (factory default): This is
the required mode to use USB One-Touch for provisioning. If a
user or the OEM has logged into the MEBx and changed the
password, the system is no longer in factory default and the One
Touch method will not work.
3. Intel AMT enabled, not in Setup Mode (Password has been
changed in the MEBx): One Touch will not work, but manually
entering the PSK or setting the system into Remote Configuration
mode will allow the system to enter Setup Mode.
4. Intel AMT enabled, in Setup Mode for TLS-PSK: All Provisioning
is encrypted using TLS, however the inner security workings can
differ. For Pre-shared Key (known as PID/PPS) a public and
private key are used. The manufacturer can set a specific PID/PPS
on the system or a user can auto-generate them. The key is
that both the client and server have to have the key in order for
authentication to work.
5. Intel AMT enabled, in Setup Mode for Remote Configuration: All
2.2, 2.6, and 3.0 version Intel AMT systems come in this mode
unless the OEM is explicitly instructed to set it differently. The
point of Remote Configuration is to avoid visiting the Intel AMT
system in order to get it provisioned for manageability use.
6. Modes 4 and 5 in Hello Packet Mode disabled: This is common
if the system is not immediately hooked up to the production
network. All systems will fall into this state if they transmit the
hello packet for 24 hours.

Troubleshooting Tools
Before focusing on the actual symptoms, it's important to understand the
tools used to determine where the problem is coming from. While not
easy to use, the logging capabilities can verify if the correct processes
are functioning on the local system.

Intel AMT Logs
The Altiris Console has direct ties into the Intel AMT Logs captured in
the Intel AMT database as a normal part of operation. The logging level
is set in the Altiris Console. Select View > Solutions > Out of Band
Management (See figure 1).

Figure 1: Select Out Of Band Management

Select Configuration > Provisioning > Configuration Service Settings
> General. In the General Service Settings screen, in Log level select
Debug warning in the dropdown list (See Figure 2). Debug Warning is
recommended to receive both Errors and Warnings.

Figure 2: Select Debug warning

The logs are accessed from Provisioning > Logs > Log. Log entries will
reveal problems during the provisioning process and other Intel SCS
functions.

Figure 3: Select Log

OOB Trace Logging
Out of Band Management has the ability to log trace details to a
debugging program. See the following KB article for details on how to set
this up:
https://kb.altiris.com/article.asp?article=34418&p=1

Trace logging will log everything from console accesses to oobprov.exe
calls from Intel SCS. When oobprov.exe is called, all actions are logged
to trace, which can capture problems with the provisioning process.

Wireshark
While the tools described above are distinctly for Out of Band
Provisioning, Wireshark provides all the details of what is coming and
going across the wire. It's important to know what the Intel AMT clients
are sending, especially in the Hello packet, and what the server is
responding with.

Wireshark can be obtained from: http://www.wireshark.org/. While this is
the recommended tool, any network trace capture program can be used
to examine the network traffic between the Intel AMT client and the
Provisioning Server.

Altiris Knowledgebase
All known errors and issues that are encountered have been documented
in the Altiris Knowledgebase. If you have a specific error, search in the
KB and see if we have a documented fix for it. Access it directly here:
https://kb.altiris.com/

Symptoms
The following symptoms point to problems with the local Intel AMT
system or its ability to communicate to the Provisioning Server so that
provisioning can occur.

System Missing
A common symptom for new Intel AMT client systems is that the system,
even if believed to be in Setup Mode, doesn't show up in the Altiris
Console under Intel AMT Systems. The causes vary, but the following
methodology should help pinpoint where the problem originates.

Is the system sending Hello packets? Ask the following question to
determine if it is or not: Does the Intel AMT Log contain UUID entries for
the system requesting provisioning?

The identifier in the logs is the UUID. One example of an error that would
prevent a system from showing up is "failed to find PID mapping",
meaning the requesting system is trying to authenticate with a PID that
the Server does not have. Either import any keys provided by the OEM
or other provider, or manually enter the PID/PPS key in the Intel AMT
client from a generated PID/PPS key. The PID/PPS key can be
generated in the Security Keys section of the Provisioning Altiris
Console.

1. Go to View > Configuration (See figure 4).

Figure 4: Select Configuration


2. Select Solution Settings > Platform Administration > Out of
Band Management > Provisioning > Configuration Service
Settings > Security Keys. To generate a security key select the
Generate security keys icon (See figure 5).

Figure 5: Select Security Keys

3. In the Generate Security key window, select the number of keys
you want to generate and enter the Intel* ME default and new
password. (See figure 6) The keys will be generated and you can
now manually provision the Intel AMT client (See the Altiris 6.2
Out of Band Management guide for instructions on how to
manually provision a client).

Figure 6: Generate security keys

If no UUID entry appears for the system, place Wireshark on both the
Intel AMT client and the Server.

1. Initiate a restart of the Hello packet sequence by turning the
Intel AMT client off and unplugging it from power.
2. Drain the capacitors by pressing the power button while
unplugged. Generally the power LED will light for a moment
before fading dark.
3. Plug the system back in.
4. Does the Server show hello packets (sending on port 16994, with
destination port 9971) coming in from the system?
5. If the server doesn't show any incoming Hello requests, turn
Wireshark on in the local system to determine if any Hello
packets are heading out. If they are actively leaving, something is
blocking the traffic from reaching the Notification Server. These
ports carry standard TCP traffic. See the next section labeled
Provision Server.

6. If no Hello packets are being sent, the system may be in a
non-Setup State. Access the Intel MEBx by pressing Ctrl+P at startup.
Is the password what was set up during Setup Mode, or will it only
accept Admin? If none of the valid passwords work, this machine
may be in an unworkable state. Unplug the CMOS battery for 15
seconds to put the machine back in Factory Default Mode, and
restart setup and configuration as necessary.
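
The capture comparison in steps 4 to 6 can be scripted. The following is an added example, not part of the original white paper or of any Altiris or Intel tool. It assumes each capture was exported as tab-separated ip.src, ip.dst, tcp.srcport, tcp.dstport and tcp.flags.syn fields (tshark's "-T fields" output) and that no NAT sits between client and server; the addresses and capture rows are constructed, and the MISDIRECTED verdict goes one step beyond the steps above by also checking where the Hello is addressed.

```python
"""Triage Intel AMT Hello traffic from a client-side and a server-side capture."""
import csv
import io
from collections import namedtuple

HELLO_PORT = 9971  # default SCS port from the Ports table (configurable)

Packet = namedtuple("Packet", "src dst sport dport syn")

# Next step for each verdict, taken from the troubleshooting steps above.
NEXT_STEP = {
    "ARRIVING": "Hello reaches the server; check the Intel AMT log for the UUID.",
    "BLOCKED_IN_TRANSIT": "Hello leaves the client but never arrives; "
                          "find what is blocking TCP to the Hello port.",
    "MISDIRECTED": "Hello is addressed to another host; check what "
                   "ProvisionServer resolves to from the client.",
    "NOT_SENDING": "No Hello on the wire; restart the Hello sequence or "
                   "check Setup Mode in the MEBx.",
}


def parse_capture(text):
    """Parse rows of ip.src, ip.dst, tcp.srcport, tcp.dstport, tcp.flags.syn."""
    packets = []
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        fields = [f.strip() for f in row]
        if len(fields) != 5 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # blank lines, non-TCP rows, truncated exports
        src, dst, sport, dport, syn = fields
        # Wireshark versions print booleans either as 1/0 or True/False.
        packets.append(Packet(src, dst, int(sport), int(dport),
                              syn.lower() in ("1", "true")))
    return packets


def hello_syns(packets, client_ip, port=HELLO_PORT):
    """Connection attempts (SYN) from the client to the Hello port."""
    return [p for p in packets
            if p.syn and p.src == client_ip and p.dport == port]


def triage(client_capture, server_capture, client_ip, server_ip, port=HELLO_PORT):
    """Compare both captures and return one of the NEXT_STEP verdicts."""
    sent = hello_syns(parse_capture(client_capture), client_ip, port)
    received = [p for p in hello_syns(parse_capture(server_capture), client_ip, port)
                if p.dst == server_ip]
    if received:
        return "ARRIVING"
    if not sent:
        return "NOT_SENDING"
    if all(p.dst != server_ip for p in sent):
        return "MISDIRECTED"
    return "BLOCKED_IN_TRANSIT"


def rows(*records):
    """Build a tab-separated export from tuples of field strings."""
    return "\n".join("\t".join(r) for r in records)


# Constructed sample data (documentation addresses, not from a real network).
CLIENT, SERVER, OTHER = "192.0.2.23", "192.0.2.10", "192.0.2.99"
CLIENT_SENDS = rows((CLIENT, SERVER, "16994", "9971", "1"),
                    (CLIENT, SERVER, "16994", "9971", "1"))   # SYN retransmit
SERVER_SEES = rows((CLIENT, SERVER, "16994", "9971", "True"),
                   (SERVER, CLIENT, "9971", "16994", "True"))  # SYN-ACK reply
SERVER_QUIET = rows((OTHER, SERVER, "51515", "443", "1"),
                    ("", "", "", "", ""))                      # non-TCP row
CLIENT_WRONG_HOST = rows((CLIENT, OTHER, "16994", "9971", "1"))
CLIENT_QUIET = rows((CLIENT, SERVER, "49200", "80", "1"))

if __name__ == "__main__":
    for name, capture in (("sends", CLIENT_SENDS),
                          ("wrong host", CLIENT_WRONG_HOST),
                          ("quiet", CLIENT_QUIET)):
        verdict = triage(capture, SERVER_QUIET, CLIENT, SERVER)
        print(f"client {name}: {verdict} - {NEXT_STEP[verdict]}")
```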

Provision Server
Wireshark can prove if a system is sending Hello packets out on the
wire. The destination is an important distinction as usually this will be
simply the name ProvisionServer. By default, Remote Configuration and
TLS-PSK will target the simple name ProvisionServer. The administrator
needs to properly direct that Hello packet to the Notification Server.

If you ping ProvisionServer from a command-prompt, do you get the IP
Address of the Notification Server? A CNAME record needs to be
created in DNS to correctly direct the hello packets. Check page 21 of
the Admin guide located at this KB article:
https://kb.altiris.com/article.asp?article=38157&p=1 for more information.
DNS functionality can be tested in the Altiris console.

1. Select View > Configuration.

Figure 7: Select Configuration

2. Select Solution Settings > Platform Administration > Out of
Band Management > Provisioning > Configuration Service
Settings > DNS Configuration (See figure 8).

Figure 8: Select DNS configuration

Select the Test button to initiate the test. A correct IP Address signifies
that DNS is working correctly from the Notification Server. The ping test
is still important to signify that the client can also resolve the name.

Figure 9: Select Test button

If the network cannot support this CNAME, only two methods remain.
The Provision Server IP can be set in the MEBx directly or you can use
the RCT tool to simulate the Hello packet and send it to the NS directly
(see the previous link to the article on RCT usage).
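
A scripted form of the client-side ping test from this section, as an added example that is not part of the original white paper or of Altiris tooling. It checks that the simple name ProvisionServer resolves to the Notification Server and that the Hello port accepts a connection; the status names, the injectable resolve and connect parameters, and the sample addresses are assumptions of this example.

```python
"""Check that the simple name ProvisionServer leads to the Notification Server."""
import socket

PROVISION_NAME = "ProvisionServer"  # simple name the Hello packets target
HELLO_PORT = 9971                   # default SCS port from the Ports table


def resolve_ipv4(name):
    """Return the sorted IPv4 addresses the local resolver gives for name."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def port_answers(ip, port, timeout=3.0):
    """True if a TCP connection to ip:port is accepted within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_provision_server(ns_ip, name=PROVISION_NAME, port=HELLO_PORT,
                           resolve=resolve_ipv4, connect=port_answers):
    """Return (status, advice) for the path a Hello packet would take.

    resolve and connect are injectable (an assumption of this example) so the
    decision logic can be exercised without touching the network.
    """
    addresses = resolve(name)
    if not addresses:
        return ("NO_RECORD",
                f"{name} does not resolve here; create the CNAME record, or set "
                "the Provision Server IP in the MEBx.")
    if ns_ip not in addresses:
        return ("WRONG_HOST",
                f"{name} resolves to {', '.join(addresses)}, not {ns_ip}; "
                "correct the CNAME record.")
    if len(addresses) > 1:
        return ("AMBIGUOUS",
                f"{name} resolves to several hosts ({', '.join(addresses)}); "
                "Hello packets may reach a host other than the Notification Server.")
    if not connect(ns_ip, port):
        return ("PORT_CLOSED",
                f"{name} resolves correctly but TCP {port} on {ns_ip} is not "
                "reachable from this host.")
    return ("OK", f"{name} resolves to {ns_ip} and TCP {port} accepts connections.")


if __name__ == "__main__":
    # Constructed DNS answers standing in for three client subnets.
    NS_IP = "192.0.2.10"
    fake_dns = {"site-a": ["192.0.2.10"], "site-b": ["192.0.2.99"], "site-c": []}
    for site, answer in fake_dns.items():
        status, advice = check_provision_server(
            NS_IP, resolve=lambda _name, a=answer: a,
            connect=lambda _ip, _port: True)
        print(f"{site}: {status} - {advice}")
```

Run it from the same subnet as the Intel AMT client, with the Notification Server address as ns_ip, so that it sees the same DNS answers the client does.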

Conclusion
Part 2 of this series covers the Server components for Provisioning. If
you've read all the symptoms and suggestions, you'll note that there is
crossover when troubleshooting between the client and the server,
regardless of where the problem lies. See Part 2 for the continuation of
Provisioning Troubleshooting.

Troubleshooting the Altiris Manageability Toolkit
for Intel vPro Technology Part 2 Provisioning
Intro to Server Components
In part 1 of this series we covered troubleshooting the local Intel AMT
client system. In this part we'll discuss the server components as part of
the provisioning process. Learn how the symptoms pinpoint each
component, and what methods reveal the source of the problem. Learn
how Out of Band Management handles the Hello Packets in conjunction
with the Intel SCS Component.

Introduction
Provisioning isn't a single road. There are two primary paths to reaching
a provisioned state, not counting the simple Small Business Mode.
Pre-shared Keys (TLS-PSK) and Remote Configuration (certificate-based
TLS) provide two methods for authenticating with the Provision Server
and receiving a Profile to set it into a Provisioned state. Understanding
the server components is essential to properly diagnosing and
troubleshooting problems with the process. Part 3 of this series will cover
the symptoms and their likely causes, including troubleshooting details.

The following components integrate in the following manner (See figure
10):

Figure 10: Component Integration

Out of Band Management
Out of Band Management contains 3 main components, with further
components broken down as shown here:
• Out of Band Management Solution: This is the main NS installer
  o NS-based Tasks and Agents
  o Provisioning Console Nodes
• Out of Band Setup and Configuration: This is a wrapper for the
  Intel SCS install
  o Creates the files used for the Intel SCS installation
• Intel SCS Component: This is Intel code for interacting with Intel
  AMT systems
  o Intel AMTConfig Service
  o Intel AMT database

Out of Band Management Solution
The installer for this Solution creates the Altiris Console pages and
underlying code that intersect directly with the Intel SCS component.
Consider those pages as hooks into Intel SCS. Intel SCS can install
without Out of Band Management. Everything located in the Altiris
Console at View > Solutions > Out of Band Management >
Configuration > Provisioning ties directly through the Intel AMTSCS
web service to access the Intel AMT database (with the exception of
DNS Configuration, Service Location, and Delayed Provisioning).

This installer also creates the Tasks, Packages, and Agents used for Out
of Band Management, including:
• Out of Band Discovery: This is an EXE that uses the standard
  NS Software Delivery to detect the presence of Intel AMT and pull
  certain data out, including the UUID. This is used heavily for
  FQDN mapping and is an important part of the best provisioning
  method.
• Out of Band Task Agent: This agent installs like any other Altiris
  Agent subagent. It's used to function with ASF, or to restart the
  Hello Packet sequence with Delayed Provisioning in Remote
  Configuration.
• Delayed Provisioning Task: This restarts the Hello Packet
  sequence, and requires the Out of Band Task Agent.
• Collections and Packages: Collections and Packages for the
  above items.
• Oobprov.exe: This is the Provisioning agent that assists the
  SCS in provisioning Intel AMT client systems.

Important points to consider with Out of Band Management
1. Out of Band Management NS items will work without Intel SCS,
but the Provisioning nodes require Intel SCS to be installed and
properly configured (See figure 11).

Figure 11: Out of Band Management nodes

2. Installed alone, most of the nodes in figure 11 will not
function. The default error shown in figure 12 will show up with
ANY problem:
"Error connecting to the Intel AMT Setup and Configuration
Server. Verify that Intel AMT Setup and Configuration
Service security settings are configured and AMTConfig
service is running. See documentation for details on
troubleshooting the Intel AMT Setup and Configuration
Server Installation."

3. The error always has a second bullet point, with another warning
box containing additional bullets. These usually give a more
specific message concerning the problem. The message
described in point 2 is rarely accurate in pointing to the source of
the problem. See figure 12 for an example:

Figure 12: General error message

Out of Band Setup and Configuration
This installer is a wrapper for the Intel SCS installation. It does provide a
crucial function. It lays down the following folder structure where the Intel
SCS Component is installed from:
Install_path\Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\OOB\IntelSCS

The installer does make an automatic attempt to install Intel SCS using
the script located at the above location named
InstallWithDefaultSettings.cmd. This install makes the following
assumptions:
1. The SQL database server and instance is the same one the
Notification Server is using
2. The AMTConfig service account will run under the Altiris
Application Identity credentials
3. The Database install and user will be the Altiris Application
Identity Account
4. The Default Web Site is available for install of the AMTSCS
virtual directory

Intel SCS Component
The Intel Setup and Configuration Service component is provided by
Intel and supported by Altiris\Symantec. This includes the following
components:
1. Intel AMT database: Like the Altiris database, the Intel AMT
database is the backbone of the SCS component. The following
items are included in the database:
   a. Hello packet data
   b. Queues for Provisioning and Maintenance actions
   c. Settings for SCS
   d. Security keys
   e. Intel AMT machine data
   f. Intel AMT Profiles
2. AMTConfig Service: This service is the piece that talks to the
Intel AMT systems and processes items in the database queues.
It also calls oobprov.exe to assist in provisioning, primarily to
obtain the FQDN for the system.
3. AMTSCS Virtual Directory: In IIS, SCS creates a virtual directory
that contains the interfaces the Out of Band Management Console
uses to connect to the Intel AMT database. Its simple structure
belies the importance of this interface.

Keep in mind the following:
1. Failures to install are almost always security related. See the
Install section below for more information.
2. The Intel AMT database and Altiris database are required to be
installed to the same SQL instance for Resource Synchronization
to work (Resource Synch is the process of importing Intel AMT
systems from SCS to NS. In cases where a system is already
managed by NS, the data will be merged in the existing NS
record).

Install
Often when you install Out of Band Management Solution or the Altiris
Manageability Toolkit for Intel vPro Technology the assumptions cause
the OOBSC component to fail, and a message is shown giving basic
instructions on how to install it manually. W hen this happens, its
important to follow these steps to avoid iss ues:
1. Log onto the Notification Server with the Application Identity, or if
not allowed, log on as the user that has rights to the Notification
Server and the SQL Server.
2. Stop IIS on the Notification Server, shut down all Altiris Consoles,
stop the AMTConfig service, and shut down any SQL consoles
(SQL Enterprise Studio, Query Analyzer, etc). While this can be
difficult to arrange, it ensures all necessary accesses and
resources are available.
3. Launch the installer directly from
install_path\Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\OOB\IntelSCS\AMTConfServer.exe

4. Follow the onscreen prompts. In the next part we'll discuss a
scripted install should this install fail. The scripted install gives
greater visibility into the process and shows any errors as they
occur.

Oobprov.exe
This component is known as the Provisioning Script, or Properties Script.
Intel SCS requires a provisioning script in order to conduct Provisioning,
and as mentioned earlier this is provided as part of Out of Band
Management.

When the AMTConfig service receives an incoming hello message, it
logs it in, places the provisioning request in the queue, and then calls
oobprov.exe. Any message stating "Properties Script Failed" means that
oobprov.exe did not successfully provision the Intel AMT system.

AMTSCS Virtual Web-site


The web-site is generally invisible to the admin running the Console. It
must exist, but otherwise the mechanism is pretty solid. The only
exception to this rule concerns whether TLS (Transport Layer Security)
is in use.

Keep in mind the following:

1. If you will be using TLS for Intel AMT management, this virtual
directory must be set with https for any functionality.
2. If you will not be using TLS, https cannot be enabled on this
virtual directory.
3. If TLS is not implemented but https is enabled on the virtual
directory, the Altiris Console will fail.
4. If TLS is enabled but https is disabled on the virtual directory, the
Altiris Console will fail.
5. The default is https enabled when running the SCS install
manually.

Intel AMT database


Much like the Altiris database is the backbone to the Notification Server,
the Intel AMT database is the backbone of Intel SCS. While all functions
in the console are automatically interconnected in the database,
understanding some of the important tables can help in the
troubleshooting process.

Important tables
The following is a list of some of the core tables used by Intel SCS (see
figure 13):
- csti_amts: This is the data on the actual Intel AMT system.
  When looking in the Intel AMT Systems node in the Altiris
  Console, it is reflecting data from this table.
- csti_configuration: This table holds the core configuration
  between Out of Band Management and Intel SCS.
- csti_uuid_maps: This maps the UUID (Primary AMT ID) to the
  FQDN.
- csti_pid_map: This table contains the security key information
  so that Intel SCS can authenticate to the Intel AMT client
  systems, and the client systems can initially authenticate with
  Intel SCS.
- csto_queue_entries: This is the queue wherein Intel SCS
  processes Provisioning and Maintenance requests.
- csto_delayed_entries: For Provisioning requests that have failed
  for whatever reason, this queue is used.

Figure 13: Intel AMT database

Conclusion
This introduction to the Server Components will help provide
understanding for the moving pieces, and will be heavily referred to in
Part 3. Knowing how each component functions will greatly help when
walking through the troubleshooting steps, especially on how to identify
where the problem is originating from.

Troubleshooting the Altiris Manageability Toolkit
for Intel vPro Technology, Part 3: Provisioning
Console Troubleshooting
In part 2 we introduced the Server components used in Provisioning,
including some key items to be aware of. In this installment,
troubleshooting the server components is covered in a
symptom-cause-resolution format. The methodology should also help you
understand how these components work for further troubleshooting
efforts, or for simply understanding how the data is moving through the
Provisioning process. This specific article covers the Console and the
common errors that can appear.

Introduction
Once the server components are installed, and the Intel AMT systems
are in a correct Setup Mode, access the Provisioning Console to manage
the Provisioning process. This console is located in the Altiris Console
under View > Solutions > Out of Band Management > Configuration >
Provisioning. This part of the series covers errors in the console,
specifically common errors seen after the installation has taken
place. These errors can also surface due to environmental changes in
the infrastructure.

Symptoms
This section lists all the symptoms covered in this article. Use this list to
guide you if you are working on a specific issue:
- Provisioning Console Access Forbidden: Generally this is a 403
  error on most of the Altiris Console Provisioning Nodes.
- Provisioning Console Connection Closed: All the Provisioning
  Nodes show an error that the underlying connection was closed.
- Provisioning Console User Not Authorized: This error relates to
  the access rights to the actual Provision Nodes, and can happen
  even if a user is an Altiris Administrator.
- Provisioning Console Timeouts: Timeouts can occur in the
  console when accessing the Intel AMT Systems list.

Provisioning Console Access Forbidden
Problem
When accessing the Provisioning Console, the following error is thrown:
"The request failed with HTTP status 403: Forbidden" (see figure 14).

Figure 14: Access forbidden

Cause
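When installing Intel SCS, the manual install defaults to HTTPS, using
TLS for secure communication. If the environment is not set up for
TLS/HTTPS, the Altiris Provisioning Console will be unable to
authenticate to Intel SCS, throwing this error. As noted under AMTSCS
Virtual Web-site, the https setting on the virtual directory must match
whether TLS is used for Intel AMT management.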

Resolution
1. On the Notification Server where Intel SCS is installed, open up
IIS Manager.
2. Browse down into the Default Web Site and select AMTSCS.
3. Right-click on AMTSCS and choose Properties.
4. Select the Directory Security tab.
5. Click the Edit button under the Secure communications section.
6. Uncheck the box labeled Require secure channel (SSL).
7. Click OK.
8. Click Apply and then OK.

Provisioning Console Connection Closed
Problem
The error "The Host Name cannot be resolved, or the remote connection
was closed" appears when accessing the Provisioning Console (see figure
15).

Figure 15: Host name cannot be resolved

The problem can also be seen when using the Test functionality on the
DNS Configuration node. It may show a "failed to obtain IP" message (see
figure 16).

Figure 16: Unable to obtain IP address

Cause
When our Console tries to resolve the name of the Intel SCS Server
(even when Altiris and SCS are on the same server), it fails and one of
these errors is thrown. The difference can be in the perceived FQDN
for the Server. Altiris is attempting to acquire the right IP address so it
can communicate with SCS.

Resolution
There are two ways to fix this if a reinstallation does not correctly set the
SCS identity within Altiris:

LMHOSTS or HOSTS files: Update one or both of these files to contain
the FQDN we're using to try and translate the IP Address. The difficult
part is finding out what Altiris is attempting to connect to. Use the
process below to find out what it is looking for:
1. See Part 1 concerning the use of OOB trace logging and Debug
View.
2. Enable trace logging in OOB and launch dbgview.exe.
3. Try to access the console and produce the error.
4. Stop trace logging.
5. Scan through the log looking for the host name of the server.
Usually this shows up as part of an FQDN. In one example the name
used by Altiris was Servername.domain, which did not respond,
but Servername.domain.com was a valid name.
6. Do a Search for the Host Name of the system (not the FQDN, as it
may not be using the valid one). For example, MyServer.
7. Once complete, access the file named lmhosts (no extension).
Place a line in the file with the Server IP Address and invalid
name:
10.10.10.1 Servername.domain
8. Whatever invalid name was located in step 5, the above
sequence can be used to give the computer the correct IP
Address resolution. This resolves the issue. However, there may
be other steps needed. If this doesn't resolve the issue, continue
to step 9.
9. Access the Service Location node in the Provisioning Console.
10. Change the option to Alternate URL:.
11. Specify a new location changing the name to one that resolves,
for example:
Previous URL: http://Servername.domain:80/AMTSCS
Fixed URL: http://Servername.domain.com:80/AMTSCS
12. Click Apply to save the changes.

The difficult part in this process is locating what Altiris believes the name
of the Intel SCS Server is. Since Altiris and SCS are not integrated, they
do not have a mechanism that shows if they are on the same server or
not. This is why this issue surfaced.

Provisioning Console User Not Authorized
Problem
After installation or after credential changes, the typical error structure
appears with the message:
Current User can't view this page.
Current user can't change settings on this page.
Note that the error does not have the Red error typically associated with
other console errors (see figure 17).

Figure 17: Error cannot view page

Cause
After installation only the user who conducted the Intel SCS install has
rights to the console nodes. Until other users are added, only this user
(usually the Notification Server Application identity) has rights to these
nodes. Notification Server role and scope security does not apply to the
populating of the data to the right of these nodes (although it does
control access to actually showing the nodes themselves in the left-hand
tree).

Resolution
Follow these steps to give the necessary users rights to the Provision
Console nodes:
1. Log into the Altiris Console as the Notification Server Application
Identity, or the user used to manually install Intel SCS (one of
these will usually be the authorized user).
2. Access the Altiris Console under View > Solutions > Out of
Band Management > Configuration > Provisioning >
Configuration Service Settings > Users (see figure 18).

Figure 18: Select Users


3. Note the users who already have rights. Click the blue + icon to
add a user (See figure 19).

Figure 19: Select the + icon

4. Select the browse icon to see a typical Notification Server
Domain user and groups search window (See figure 20).

Figure 20: Select Browse


5. Select find to add a group or user and select OK (See figure 21).

Figure 21: Find user or group

6. Under the Role: give Enterprise Administrator rights unless you
want to limit which nodes are operable. Select OK to complete
adding the user (See figure 22).

Figure 22: Select type of role

If no user can access these nodes, the Intel SCS installation needs to be
run again under the correct user. Run through these steps to complete
this:
1. Log onto the Notification Server directly (or with the /console
switch if you're using Remote Desktop) with the NS Application
Identity.
2. In Add/Remove Programs, locate Intel Active Management
Technology Setup and Configuration Service and remove it.
3. On the Notification Server, browse to
install_path\Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\OOB\IntelSCS\.
4. Launch the file AMTConfServer.exe and walk through the install.
Be sure to use the Application Identity as the credentials for SCS.
5. When prompted for the database credentials, if permissible use
the Application Identity.
6. Once completed log into the Altiris Console with the Notification
Server Application Identity, then move back to step 1 of the
previous sequence to add other users as necessary.

Provisioning Console Timeouts
Problem
Even in small environments we've seen timeouts on the Intel AMT
Systems node, and much less frequently on the other nodes. The timeout
throws a .NET error and the page is replaced by a timeout error.

Cause
The cause is not known at this time. The timeouts do not seem to occur
always at particularly busy times for the Notification Server, so it is
difficult to know what causes them. When there are plenty of resources
available the timeouts generally do not occur, though if the server is
extremely busy it doesn't always occur. It appears to be caused by
varying factors.

A refresh after the timeout error often loads the page just fine. This
suggests that loading the page gets into a loop or hung state, rather
than hitting a true processing timeout.

Resolution
No full resolution is known at this time, but a few items can help
minimize the impact of the issue.
1. Remote Consoles: We've seen remote consoles perform better
than having the console loaded directly on the Notification Server.
2. Refresh: Normally the timeouts occur without loading any of the
frames within the page. If you click on the link or hit the refresh
for the Intel AMT Systems page and no frames load within a
minute, refresh the page. Often when the page is refreshed it
then loads correctly, even quickly.

Conclusion
Once the console has been restored, the Provisioning process can be
configured and initiated. Because of the all-or-nothing nature of most of
these issues, they must be overcome before even being able to properly
set up and configure Intel SCS for the Provisioning process. The above
resolutions cover the methods used to resolve these issues at multiple
sites.

Troubleshooting the Altiris Manageability Toolkit
for Intel vPro Technology, Part 4: Provisioning
Server Troubleshooting
In part 3 we covered troubleshooting common Provisioning Console
issues. In part 4 we now focus on those components operating in the
background during provisioning. With a functioning install and console,
and when the issue appears to be server-related (in part 1 we covered
troubleshooting the local Intel AMT system), any issues seen must now
be evaluated on the server side. This article covers this process in a
Problem-Cause-Solution format.

Introduction
The server components constitute a lot of background processes that
support what is only seen as Altiris Console points. Much of what goes
on in the background is invisible to the user save as a change in status.
If set up correctly, machines simply provision. It's when they do not
provision that a user should understand the server components so that
proper troubleshooting can be accomplished. Note that this covers the
symptoms of server-component problems. Some of the symptoms do
overlap client-side issues, but in this process we are assuming we've
confirmed that the client systems are functioning as expected. If you are
unsure, see Part 1 of this document.

Symptoms
The following symptoms are seen on the Server. Please note that some
of the symptoms may appear to be both client and server related making
it difficult to know where the issue lies. Use Part 1 in conjunction with
this article if necessary in troubleshooting these issues.
- No update to Intel AMT Systems Node: At times this node can
  abruptly appear stagnant with no new systems coming in and no
  provisioning taking place.
- No Systems Appearing: The Intel AMT Systems node may stay
  blank even after connecting systems in Setup Mode onto the
  Network.
- FQDN Not Acquired: Once the SCS receives a hello message, it
  needs to acquire the FQDN, and if this fails the machine will
  remain in an unprovisioned state.
- No systems Provisioning: This can occur where systems show
  up in the system, but none of them provision.
- Properties Script Failed: This is a common error to be covered
  separately, though many of the above symptoms end up throwing
  this particular error.

In addition to the symptoms, the following tools were used to
troubleshoot the issues to find out which particular issue afflicted the
Server:
1. Intel AMT Logs
2. OOB Trace Logging
3. Wireshark

See Part 1 in this article series on how to use these. These will be
referenced in the items below.

No update to Intel AMT Systems Node


Problem
The typical symptom is an abrupt stop to updates on this node. For
example, if there are a number of provisioned systems, with more being
added as systems are brought up on the network, and they abruptly stop
updating or being added, this is indicative of this issue.

Tools:
AMT Logs: No updates to this log occur.

Cause
AMTConfig Service: The AMTConfig service has stopped, crashed, or is
in a hung state. This isn't common in version 3.0 of SCS or higher.

Resolution
Check that the AMTConfig Service is running.
1. Go to Services Manager under Administrative Tools.
2. Check the Service named AMTConfig to make sure it is running.
3. If the service is not running, start it. If the service is running, try
restarting it just in case it's in a hung state.
4. Once the service is up and running again (if this is the issue)
provisioning should start occurring.

No Systems Appearing
Problem
The symptom is that no machines appear in the Intel AMT Systems list
when the page is refreshed over a period of time when new systems are
expected. The page ties directly into the Intel AMT database to populate
the systems, so if the list isn't updating on the page, the list is also not
updating in the database (see figure 23).

Figure 23: No machines appear

Tools:

AMT Logs:
I. No entries found
II. No entries found
III. Invalid PID Map error

Wireshark:
II. On the client the Hello packet is sent, but on the
server it never arrives.

Cause
The causes vary. See below for known causes for this issue:
I. AMTConfig Service: The AMTConfig service has stopped,
crashed, or is in a hung state. This isn't common in version 3.0 of
SCS or higher.
II. Hello packets: The routing of hello packets is not configured
correctly, so clients can't reach the Provision Server.
III. PID rejected: The PID provided in the Hello packet is not
contained as a valid security key in the Intel AMT database. This
is only seen in the AMT Log found in the Provisioning Console
under Logs, selecting the Log icon.

Resolution
Follow the steps below for each of the above causes.
I. AMTConfig Service
1. See the resolution to the section No update to Intel AMT
Systems Node.
II. Hello Packets
1. In the Provisioning console go to the DNS Configuration
node. Does the Test button allow Provisionserver to
resolve back to the IP of the Notification Server?
2. If yes, go to the segment of the network the client is on
and try to ping the name Provisionserver. Does the IP
resolve?
3. If the answer to either question above is no, a CNAME
record needs to be created on each DNS Server to route
to the IP address of the Notification Server.
III. PID rejected
1. In the Provisioning Console go to the Security Keys node
under the Configuration Service Settings. The unused
PID and PPS combinations are listed there.
2. In the Intel AMT database, within the csti_pid_map table
all used and unused security keys are listed. The ones
with a value True in the Used column will not show up in
the console.
3. Either import the keys if the OEM placed the Intel AMT
systems in TLS-PSK Setup Mode through the import
button in the Security Keys page, or manually enter the
PID and PPS.

FQDN Not Acquired
Problem
One or more Intel AMT systems are registering in Intel SCS, but they
never show an FQDN and never move out of the Unprovisioned status.
In the AMT Log these systems often show the error "Properties Script
Failed" (note that the cause of this error can be many, and this issue is
but one of them).

NOTE! If no system is provisioning, the issue may not be FQDN related.
See No Systems Provisioning in this article for more information.

Tools:

AMT Logs: "Properties Script Failed" messages

OOB Trace: "Unable to locate FQDN (Fully Qualified Domain Name)"
entries

Cause
Intel SCS calls the Out of Band Provisioning or Properties script,
oobprov.exe, to do a number of things. The first thing it does is obtain an
FQDN for the machine needing provisioning. If it fails to obtain an FQDN,
Provisioning will fail and the computer will remain in an unprovisioned
state until oobprov.exe can successfully locate the FQDN.

Resolution
To find the FQDN, oobprov.exe runs through a number of checks. The
suggested method is to have the Altiris Agent installed and have run the
OOB Discovery Task (located in the Altiris Console under View >
Solutions > Out of Band Management > Configuration > Out of Band
Discovery > Out of Band Discovery). This populates the Altiris
database so it has both an FQDN in the AeX AC Location data class and
the UUID in the Inv_OOB_Capability data class. If this data is not
available, another option is to check DNS resolution as a method. In the
Altiris Console look under the Resource Synchronization node, within the
Intel AMT Systems folder. As shown below, this option enables
oobprov.exe to use DNS IP resolution as a method (see figure 24).

Figure 24: DNS IP resolution

NOTE the warning found directly below the checkbox: Warning! Using
DNS for IP to FQDN resolution might lead to incorrect profile mapping.
Make sure your DHCP server is configured correctly to give update the
DNS server for dynamic addresses.

No systems Provisioning
Problem
Systems are added regularly to the Intel AMT Systems node, but they
never provision. This includes never getting an FQDN (see the above
section for more information), though the cause may not be the inability
of oobprov.exe to obtain the FQDN.

Tools:

AMT Logs: "Provisioning Script Failed" messages

OOB Trace: No references to oobprov.exe

Cause
If not an FQDN mapping issue, this issue stems from a timeout value in
the Intel AMT database being set to 0. In the Intel AMT database, in the
table csti_configuration, if the value in the column Props_script_timeout
is 0, Intel SCS will time out before it even has a chance to call
oobprov.exe.

Resolution
Normally only one row exists in this table. The following SQL query will
properly update this value to the default level. The default is 180 and
should be set.
USE IntelAMT
UPDATE csti_configuration
SET props_script_timeout = 180
WHERE use_props_script = 'True'

Execute the script within SQL Query Analyzer or SQL Enterprise Studio
to update the value.
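
A guarded variant of the update above, preceded by a read-only triage of the tables described in Part 2. This is an added example, not part of the white paper or of Intel SCS; it assumes SQL Server, the database name IntelAMT from the query above, and that the csti_pid_map column the text calls Used is named used.

```sql
-- Added example, not from the white paper. Assumes SQL Server and the
-- IntelAMT database name used in the query above.
USE IntelAMT;

-- Step 1: read-only triage. Row counts only, so no PID/PPS values are shown.
DECLARE @systems INT, @queued INT, @delayed INT, @cfg_rows INT, @zero_rows INT;

SELECT @systems  = COUNT(*) FROM csti_amts;             -- 0 matches "No Systems Appearing"
SELECT @queued   = COUNT(*) FROM csto_queue_entries;    -- Provisioning/Maintenance requests queued
SELECT @delayed  = COUNT(*) FROM csto_delayed_entries;  -- Provisioning requests that failed
SELECT @cfg_rows = COUNT(*) FROM csti_configuration;    -- normally one row
SELECT @zero_rows = COUNT(*)
  FROM csti_configuration
 WHERE use_props_script = 'True'
   AND props_script_timeout = 0;                        -- the "No systems Provisioning" cause

SELECT @systems   AS amt_systems,
       @queued    AS queued_requests,
       @delayed   AS delayed_requests,
       @cfg_rows  AS configuration_rows,
       @zero_rows AS rows_with_zero_timeout;

-- Step 2: change the timeout only when the table looks as the text describes,
-- and roll back if the update touches anything other than exactly one row.
IF @cfg_rows <> 1
    PRINT 'Expected one csti_configuration row; review the table before changing it.';
ELSE IF @zero_rows = 0
    PRINT 'props_script_timeout is not 0; check the FQDN causes instead.';
ELSE
BEGIN
    BEGIN TRANSACTION;

    UPDATE csti_configuration
       SET props_script_timeout = 180
     WHERE use_props_script = 'True'
       AND props_script_timeout = 0;

    IF @@ROWCOUNT = 1
    BEGIN
        COMMIT TRANSACTION;
        PRINT 'props_script_timeout set to 180.';
    END
    ELSE
    BEGIN
        ROLLBACK TRANSACTION;
        PRINT 'Unexpected row count; change rolled back.';
    END
END
GO

-- Step 3 (separate batch): used versus unused security keys, for the
-- "PID rejected" cause. The column name "used" is an assumption taken from
-- the text's "Used column"; only counts are returned, never key values.
SELECT used, COUNT(*) AS key_count
  FROM csti_pid_map
 GROUP BY used;
```

Run it with an account limited to the IntelAMT database, since csti_pid_map holds the provisioning security keys.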

Properties Script Failed
Problem
This message can mean a number of things, including the symptoms
described in the preceding two sections. This message can continually
appear in the Intel AMT logs as provisioning is attempted over and over.

Cause
The causes of this issue vary. The basic explanation is that when
oobprov.exe is called, if it returns anything other than success, the
resulting error message in the Intel AMT logs is "Properties Script
Failed".

Resolution
See the above two sections for the symptoms No Systems Provisioning
and FQDN Not Acquired, but for additional information see the following
article:
http://juice.altiris.com/article/2982/troubleshooting-properties-script-failed-out-band-management-solution

Conclusion
This concludes the troubleshooting section for the Provisioning process.
For the most common issues, the resolutions and steps presented in the
first four parts of this series will resolve them. The methodology helps
explain how the background processes are working.
