Configuration Guide for Intel® vPro™ Technology with Microsoft* ConfigMgr SP2
Intel® Centrino® with vPro™ Technology, Intel® Core™2 Processor with vPro™ Technology, Intel® Core™ i5 vPro™ Processor, Intel® Core™ i7 vPro™ Processor
For Use With Intel vPro Processor Technology and Microsoft* System Center Configuration Manager 2007 SP2
Based on Intel® Active Management Technology
Version – 2.0.1 May 2010
Executive Summary ... 1
Microsoft Resources for ConfigMgr 2007 ... 1
Section 1.0: Lab Network Design and Layout ... 3
Section 2.0: Overview of the Implementation Process ... 4
Section 2.1: High Level Steps ... 4
Section 2.2: Installation and Configuration Process Flowchart ... 5
Section 2.3: Summary of Prerequisites Required for OOB Management ... 7
Section 2.4: Check for the latest Microsoft Hot Fixes ... 7
Section 3.0: Configure Active Directory for Out of Band Management ... 8
Section 4.0: Configure Enterprise PKI Certificate Server ... 18
Section 5.0: Install ConfigMgr 2007 SP2 ... 26
Section 6.0: Install Out of Band Management Service Point ... 32
Section 6.1: Configure Out of Band Management Service Point on ConfigMgr 2007 ... 36
Section 6.2: Configure Network Discovery for Management Controllers ... 43
Section 6.3: Configure New Site Boundary ... 44
Section 7.0: ConfigMgr 2007 Collection Setup ... 46
Section 7.1: Create Intel AMT Unprovisioned Collection ... 46
Section 7.2: Configure Intel AMT Collection to Automatically Provision Intel AMT Devices ... 51
Section 8.0: ConfigMgr 2007 Agent Installation and In-Band Provisioning ... 56
Section 9.0: Legacy Provisioning ... 62
Section 9.1: Intel WS-MAN Translator Installation and Configuration ... 63
Section 9.2: ConfigMgr Import Wizard for PSK Provisioning with Intel WS-MAN Translator ... 74
Section 10.0: Helpful ConfigMgr 2007 Logs for Troubleshooting ... 83
Section 10.1: Server Logs ... 83
Section 10.2: Client Logs ... 83
Section 11.0: Resources ... 84
Executive Summary
This document describes the process to set up the Out of Band Management (OOB) capabilities within Microsoft* System Center Configuration Manager 2007 (ConfigMgr 2007) Service Pack 2 (SP2). It is not intended to replace the detailed documentation in the ConfigMgr 2007 SP2 help file. Intel highly recommends that all readers reference Microsoft’s TechNet information for complete ConfigMgr 2007 information.
This document is intended to condense the necessary information to the least amount of material to make a quick start guide for readers to enable Out of Band Management for Intel® vPro™ technology based systems. The document uses a lab environment setting as an example to demonstrate the overall ConfigMgr 2007 OOB setup and configuration process.
ConfigMgr 2007 SP2 provides native Intel vPro technology support of Intel® Active Management Technology (Intel® AMT) firmware version 3.2.1 and later. Contact your OEMs (see OEMs web site) for the latest Intel AMT Firmware releases. For legacy Intel vPro technology-based systems (Intel AMT firmware version lower than 3.2.1), you will need to install Intel WS-Man Translator on your ConfigMgr 2007 OOB management console system. Setup and configuration information to support these versions of Intel vPro technology is provided in this guide in Section 9.1: Intel WS-MAN Translator Installation and Configuration on page 63. This document is posted on the Intel® vPro™ Expert Center. Use the Intel vPro Expert Center contact link to provide feedback on this document.
Microsoft Resources for ConfigMgr 2007
The Microsoft System Center Configuration Manager 2007 TechNet article shown below is an excellent resource to use when building your production environment. Information specific to Intel vPro technology is located under Out of Band Manage Configuration
Section 1.0: Lab Network Design and Layout
As mentioned previously, an example of a lab setup is used throughout this document. This section briefly describes the lab environment referred to in the examples throughout the document. Your environment (lab or production environment) may vary and need additional steps to properly configure your environment to work with Intel vPro systems.
Lab design: The example lab uses a virtualized environment within one server. Five separate virtual images were installed on this one server system, each running its own Windows 2008 Enterprise Server R2 with all of the latest service packs and software releases from Microsoft Windows Update (as of 4/1/2010). The five VMs are:
• Domain Controller (DHCP and DNS)
• Enterprise Root Certificate Authority
• Subordinate Certificate Authority
• SQL Server 2008 (Database for ConfigMgr 2007 SP2)
• ConfigMgr 2007 SP2 with the OOB Management Service Point
The virtual images were separated for different functions rather than running everything on a single system as this emulates a realistic customer environment. Additionally, all Intel vPro technology-based lab systems were joined to this single Domain to perform provisioning and OOB management capabilities. The lab environment is pictured in the following illustration.
Section 2.0: Overview of the Implementation Process
The following is a high level overview of the process to implement Microsoft* ConfigMgr 2007 OOB management of Intel vPro technology-based client systems. These high level steps are discussed in more detail in the subsequent sections of this guide. Related sections with detailed steps are referenced in each high-level step.
Section 2.1: High Level Steps
1. Configure the networking and IT infrastructure (open the required firewall and router ports for management traffic, configure the network domain for the ConfigMgr 2007 OOB Service Point to the same domain as the Intel vPro technology-based systems, etc.).
2. Configure Microsoft* Active Directory.
3. Configure a Certificate Server.
4. Install ConfigMgr 2007 SP2, as well as all required hot fixes.
5. Install and configure the ConfigMgr 2007 OOB Service Point.
6. Set up a ConfigMgr 2007 Collection of Intel vPro technology based systems for In-Band provisioning.
7. Discover the unprovisioned Intel vPro technology-based clients in ConfigMgr 2007 (part of Collection Setup process).
8. Decide whether to use agent-based provisioning (recommended for clients with Intel vPro technology firmware version 3.2.1 or later) or bare metal Remote Configuration (required for clients with Intel vPro technology firmware version less than 3.2.1). Note that if you have a mix of clients, you may need to use agent-based provisioning for some clients and Remote Configuration for others, depending on the firmware version of the clients.
9. For clients with Intel vPro technology firmware version 3.2.1 or later, install the ConfigMgr 2007 agent on each client (Section 8.0: ConfigMgr 2007 Agent Installation and In-Band Provisioning, page 56). Once the agent is installed, the ConfigMgr 2007 OOB Service Point will automatically begin provisioning the client. If you do not have any clients with Intel vPro technology firmware version less than 3.2.1, skip to step 14 below.
10. For clients with Intel vPro technology firmware version less than 3.2.1, or if you choose not to install the ConfigMgr 2007 client agent and instead use Remote Configuration with firmware version 3.2.1 clients, record each client’s provisioning data (hostname, UUID, and FQDN) and enter that data in the ConfigMgr 2007 Import Wizard.
11. For Remote Configuration without installing the ConfigMgr client agent on clients having Intel vPro technology firmware version 3.2.1 or later, once you have imported the client provisioning data into ConfigMgr, the clients will automatically be provisioned by the ConfigMgr OOB Service Point once you connect them to the network and boot them to the Windows OS. Skip to step 14 below.
12. For clients with Intel vPro technology firmware version less than 3.2.1, you MUST install the Intel WS-MAN translator on the same server system as the ConfigMgr 2007 OOB Service Point.
13. For clients with Intel vPro technology firmware version less than 3.2.1, manually enter a Pre-shared Key (PSK), also referred to as a PID-PPS pair, into each client’s Intel® Active Management Technology (Intel® AMT) configuration using the Intel® Management Engine BIOS Extension (Intel® MEBx). Once the PSK has been entered, exit the Intel MEBx and reboot the client to the Windows OS; the client will automatically be provisioned by the ConfigMgr OOB Service Point.
14. Verify that the required drivers are installed on the Intel vPro technology-based clients.
15. Test the ConfigMgr 2007 OOB management functionality with the Intel vPro technology based clients.
Checklist
Prerequisites:
Section 2.2: Installation and Configuration Process Flowchart
The following flowchart is intended to provide a visual “map” through the installation and configuration process, to illustrate the various implementation paths available to you depending on the version of Intel vPro technology firmware you are working with and other installation decisions.
The steps shown in green represent the recommended path through the process for Intel vPro technology based clients with firmware version 3.2.1 or higher.
Section 2.3: Summary of Prerequisites Required for OOB Management
The list below describes the necessary client, server, and infrastructure elements required in order to manage your Intel vPro technology-based systems Out-of-Band using Microsoft Configuration Manager 2007 SP2. The high level steps in Section 2.1 above (and the corresponding detailed steps in the subsequent sections of this guide) are the process by which to achieve the OOB management prerequisites listed below.
Note: The reader is presumed to be familiar with setting up some of the prerequisites below, such as configuring the clients on the same network domain as the OOB Service Point server and setting certain firewall and networking ports open for management traffic. Prerequisites specific to Intel vPro technology and Microsoft ConfigMgr 2007 are discussed in detail in the remainder of this guide.
• Enterprise Certificate Authority to issue Web Server certificates to each Intel vPro technology-based system for encrypted communications with ConfigMgr 2007 SP2 Management Console (Standalone CA is insufficient)
• Active Directory OU to store Intel AMT objects for each Intel vPro technology based system that will be managed OOB
• ConfigMgr 2007 SP2 Out of Band Service Point installed and configured to support Intel vPro technology based systems
• Windows Remote Management (WinRM) installed on each ConfigMgr 2007 server
• 3rd Party Remote Configuration Certificate on each OOB Service Point to provision Intel vPro technology-based systems (VeriSign, GoDaddy, Comodo, and Starfield have pre-installed hashes in the Intel AMT firmware) – Optionally you can generate your own Provisioning Certificate from your Enterprise CA. However, this requires you to manually enter the CA hash into the Intel MEBx of Intel AMT
• Configure OOB network discovery of Intel vPro technology based systems (optional step but used in this lab)
• Intel vPro technology and firmware of 3.2.1 or higher for native support from ConfigMgr 2007 SP2
• Intel HECI Driver installed on the client OS (see OEM for latest driver)
• Configuration Manager Client Agent installed on each Intel vPro system to initiate the provisioning process (there are alternative methods available in the help file but this is the most effective and easiest method)
• Intel vPro technology based systems joined to the same domain as the OOB Service point provisioning and managing these devices
• Open Intel vPro technology related network ports on routers and firewalls: 9971 - Provisioning Port; and 16992 through 16995 - OOB Management Ports
Section 2.4: Check for the latest Microsoft Hot Fixes
Verify that all the latest hot fixes for Microsoft Server 2008, Microsoft Configuration Manager 2007 SP2, Microsoft Internet Explorer, and Microsoft SQL Server have been applied.
Section 3.0: Configure Active Directory for Out of Band Management
Active Directory Schema extensions are not required for Intel AMT OOB Management functionality but Microsoft recommends applying the schema extensions for other non-related Intel vPro technology capabilities. If you do not extend your AD with the supplied ConfigMgr 2007 Schema extension and configure your environment to publish ConfigMgr 2007 related components to the AD per Microsoft’s instructions, you will need to update your WINS environment to allow for the ConfigMgr 2007 Agent to auto-discover your ConfigMgr 2007 Site Server (see Microsoft TechNet for details
manage Intel vPro technology based systems.
• Create the Active Directory OU container in the domain for each Intel AMT device
• Configure security permissions on the container for ConfigMgr 2007 to generate an object for each Intel AMT device
ConfigMgr 2007 SP2 will publish an Intel AMT object into a specific OU for each Intel vPro technology-based system that is provisioned by the OOB Management Service Point. This is a different object than the computer object that hosts the computer account in the domain. Also, Intel vPro technology-based clients must belong to the same AD Forest as the OOB Service Point. The following list provides the required steps to create this Intel AMT specific OU and provide the necessary rights for ConfigMgr 2007 server to create this object during the provisioning phase. Later, you will configure the OOB Management Server Point to use this object. This section illustrates the procedure described in the following Microsoft* TechNet article: How to Prepare Active Directory Domain Services for Out of Band Management
Click Start > Programs > Administrator Tools > Active Directory Users and Computers
Note: Under the View menu option, ensure Advanced Features is checked
Right Click on vProDemo.com > New > Group
In the New Object - Group dialog box, type ConfigMgr Primary Site Servers
Click OK
In Active Directory Users and Computers, right-click the ConfigMgr Primary Site Servers Group and select Properties
In the ConfigMgr Primary Site Servers Properties window, select the Members tab and click Add…
Add the MSSCCM server and click OK (make sure you click the Object Types button and check Computers to find the SCCM Computer Account)
Click OK to close the Properties window
Note: Your ConfigMgr server is now a member of your ConfigMgr Primary Site Servers Group and will be used later for applying security rights to AD OUs and Certificate Templates.
Note: Make sure you have not started up the ConfigMgr server image while setting up this server security setting. If you have the ConfigMgr server running, please shut it down now.
Click Start > All Programs > Administrator Tools > Active Directory Users and Computers
Note: Under the View menu option, ensure Advanced Features is checked
Right Click on vProDemo.com > New > Organizational Unit
In the New Object - Organizational Unit dialog box, type Out of Band Management Controllers
Click OK
Right-click Out of Band Management Controllers OU and click Properties
Select the Security tab
Click Add
Select the ConfigMgr 2007 primary site server account (ConfigMgr Primary Site Servers is the name in this example)
Note: you will need to click Object Types to add Computer Objects to find the server account
Click OK after adding the ConfigMgr Primary Site Server Account
With the ConfigMgr Primary Site Servers Account selected, check Allow Full Control
Highlight ConfigMgr Primary Site Servers Account, and click Edit
In the Apply onto drop down, select this object and all child objects.
Create RADIUS Security Group for AMT devices (if you use 802.1x)
Click Start > Programs > Administrator Tools > Active Directory Users and Computers
Expand vProDemo.com and right-click on Users and select New > Group
In the New Object – Group Windows, enter AMT RADIUS Clients in the Group name field
Set Permissions on RADIUS Security Group
Right Click on AMT RADIUS Clients Group and select Properties
In the AMT RADIUS Clients Properties Window, click the Security Tab and Click the Add button
In the Select Users, Computers, or Groups Window, add ConfigMgr Primary Site Servers
Click OK
We have now created an AD OU, AMT Radius Group, and given the Security Group that ConfigMgr 2007 SP2 Server is a member of, the proper permission to create Management Controllers objects for each Intel® vPro™ system during the provisioning phase.
We have now created an AD OU and given the ConfigMgr 2007 Server proper permissions to create Intel AMT objects for each Intel vPro technology based system during the provisioning phase.
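The group, OU and delegation steps above can also be scripted and then reviewed. The following PowerShell is an added example, not part of the original guide; it assumes the ActiveDirectory module, the lab domain vProDemo.com, and a site server computer account named SCCM, and it ends by listing the resulting ACL entries so the Full Control delegation can be checked.

```powershell
# Added example (not from the original guide): scripts the group, OU and
# delegation created through the GUI in Section 3.0, then prints the ACEs.
# Assumptions: lab domain vProDemo.com, site server computer account "SCCM".
Import-Module ActiveDirectory

$DomainDn   = 'DC=vProDemo,DC=com'
$GroupName  = 'ConfigMgr Primary Site Servers'
$OuName     = 'Out of Band Management Controllers'
$SiteServer = 'SCCM'                      # assumption: computer account name in this lab
$OuDn       = "OU=$OuName,$DomainDn"

# 1. Security group at the domain root (created only if it does not exist yet).
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -SearchBase $DomainDn
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global `
        -GroupCategory Security -Path $DomainDn -PassThru
}

# 2. Add the site server's computer account to the group.
$computer = Get-ADComputer -Identity $SiteServer
$memberDns = @(Get-ADGroupMember -Identity $group |
    ForEach-Object { $_.DistinguishedName })
if ($memberDns -notcontains $computer.DistinguishedName) {
    Add-ADGroupMember -Identity $group -Members $computer
}

# 3. OU that will hold one Intel AMT object per provisioned system.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
    -SearchBase $DomainDn -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDn
}

# 4. Allow Full Control for the group, applied to this object and all
#    child objects (GenericAll + inheritance "All").
$ruleArgs = @(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $ruleArgs
$acl = Get-Acl -Path "AD:\$OuDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# 5. Review: show exactly what the group has been granted on the OU.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$GroupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights,
                  InheritanceType, AccessControlType |
    Format-Table -AutoSize
```

Because every member of the group receives Full Control over the OU and its children, the membership list from step 2 is worth re-checking whenever site servers are added or retired.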
Section 4.0: Configure Enterprise PKI Certificate Server
For more information, refer to the following Microsoft* TechNet article: Certificate Requirements for Out of Band Management
ConfigMgr 2007 SP2 uses four types of certificates for Out Of Band Management. These four different certificates are:
AMT Self Signed certificate – Intel AMT will generate a self-signed certificate during the PKI provisioning process to secure the connection with the ConfigMgr 2007 Server.
AMT provisioning certificate – This certificate is used by ConfigMgr 2007 to provision Intel AMT devices. This certificate can either be purchased from a third-party Certificate Authority or generated by an in-house Enterprise Certificate Authority. The simplest and most automated method for provisioning is to purchase this certificate from a third-party provider (VeriSign, GoDaddy, Comodo, or Starfield). This certificate will need to be installed on each OOB Service Point in the environment.
Web server certificate – This certificate is generated by an internal Enterprise Certificate Authority during the provisioning process and installed on each AMT device within the firmware. This will allow for a TLS management session between the ConfigMgr 2007 OOB Management console and the AMT firmware.
WS-Man Translator certificate – The WS-Man translator also uses a Web Server certificate to secure the communications to and from the ConfigMgr 2007 server during Legacy Provisioning. This will be covered in more detail during the WS-Man Translator section.
802.1x RADIUS Certificate – Optional certificate that allows the Intel AMT client to securely authenticate to an 802.1x network without the operating system being present.
The process for generating the Certificate Signing Request (CSR) and requesting the provisioning certificate from a third-party certificate authority can be found in the following resources:
• Microsoft* TechNet, Requesting and Installing the AMT Provisioning Certificate from an External CA
• Intel vPro Expert Center, Request and Install a Provisioning Certificate from VeriSign
• Intel vPro Expert Center, Obtaining a Provisioning Certificate for Intel® vPro Platforms using OpenSSL Tools
• Intel vPro Expert Center, How to procure and install a Verisign Cert for Remote Configuration on SCS
Open your Certificate Authority issuing PKI Server - Click Start > All Programs > Administrator Tools > Certification Authority
Expand DC1.vprodemo.com
Right Click on Certificate Templates > Manage
In the Certificate Templates Console Window, right click on Web Server and select Duplicate Template
In the Duplicate Template Window, select the radio button for Windows 2003 Server, Enterprise Edition
In the Properties of New Template Window:
Enter ConfigMgr AMT Web Server Certificate
Check the Box to Publish certificate in Active Directory
Proceed to next step to set the security rights on this template.
Select the Security Tab and click Add
2007 primary site server computer group
Click OK
With the ConfigMgr Primary Site Servers group highlighted, check Read and Enroll
Click OK
Close the Certificate Templates Console
In the Certification Authority Window, right-click on Certificate Templates > New > Certificate Template to Issue
In the Enable Certificate Templates Window, select ConfigMgr AMT Web Server Certificate (this template was created in the previous step)
In the Certification Authority Window, you will now see ConfigMgr AMT Web Server Certificate listed in the right hand Window and ready for use by the Out of Band Service Point
Note: This Web Server Template will be used by ConfigMgr 2007 SP2 to generate a unique certificate for each Intel AMT system during the provisioning process, and used for TLS session during management of the Intel AMT client.
Configure Root CA to Allow Revocation of Client Management Controller Certificates
In the Certification Authority Window, right-click on DC1.vprodemo.com and
• In the Properties Window, select the Security tab
• Click Add
• Add the ConfigMgr Primary Site Servers group
• Select the ConfigMgr Primary Site Servers group.
• Check Allow for Issue and Manage Certificates permissions for this group (leave Request Certificates option unchanged).
• Click OK.
Note: This setting is required when you are performing actions like an unprovision of the Management Controller. This will keep your PKI issued certificates cleaned-up (revoked).
Your PKI server is now configured with a Web Certificate Template that ConfigMgr 2007 will use during the provisioning phase to generate a TLS certificate for each Intel AMT device.
Section 5.0: Install ConfigMgr 2007 SP2
These are the steps used to install a basic installation of ConfigMgr 2007 SP2 for a lab environment to test the Out Of Band Management capabilities for Intel vPro technology based systems. Lab setups and names will vary for your environment. Contact Microsoft for the latest version of ConfigMgr 2007 SP2. Please refer to Microsoft for the complete setup documentation:
Launch SPLASH.hta
Click Next on the Welcome screen
Select to Install a Configuration Manager Site Server
Click Next
Check I accept these license terms
Click Next
Select Custom Settings for installation
Click Next
Select Primary Site
Click Next
Select If you want to participate to help Microsoft…
Enter Product Key
Click Next
Enter destination folder
Click Next
Enter in the three letter site code (PRO used in this example)
Click Next
Select Configuration Manager Mixed Mode
Note: Native mode is required if you are managing Internet clients.
Click Next
Select all of the Client Agent options – except Network Access Protection
Click Next
Enter the name of the SQL 2008 database (SCCM in this example) to setup the ConfigMgr 2007 database (Default name SMS_PRO)
Click Next
Enter the name for the ConfigMgr 2007 server (SCCM used in this example)
Click Next
Enter in the FQDN of the ConfigMgr 2007 Server (SCCM.VPRODEMO.COM used in this example) to install the Management Point
Click Next
Use default port
Click Next
Select Check for updates and download newer version to alt path
Click Next
After the prerequisite files have been successfully downloaded (Internet connection required), click OK
Review the Settings Summary and click Next
Installation started
The first part of the installation does a Prerequisite check. In this example, Setup discovered that WSUS on the Primary Site Server was missing (it is listed only as a warning, but you can add it anyway). This component is only necessary if you are going to do Software Updates internally from a WSUS location.
If you get this error message:
Web-based Distributed Authoring and Versioning (WebDAV) is required for the management point and distribution point site system roles. If you have selected to install a site role requiring WebDAV, and it is not enabled, this rule will fail. Web-based Distributed Authoring and Versioning (WebDAV) is not enabled and/or IIS 6 WMI compatibility component for IIS is not installed on the computer specified for management point installation or setup was unable to verify remote IIS settings because IIS common components were not installed on the site server computer. ConfigMgr requires WebDAV to be installed and enabled in Internet Information Services (IIS) for management point site systems. Setup cannot continue.
Add the WebDAV component in the WWW Services within Windows 2008 Server (requires Windows 2008 installation CD).
(Installation will continue after WSUS and WebDAV were added.)
Section 6.0: Install Out of Band Management Service Point
The Out Of Band Service Point is the ConfigMgr 2007 component responsible for provisioning and managing Intel vPro technology based systems. The following section will provide the necessary steps for installing this OOB Service Point and Configuring for Intel vPro technology based systems. These steps assume that you have installed ConfigMgr 2007 SP2 on a supported server. For steps to install ConfigMgr 2007 SP2, please refer to the previous section, or to the Microsoft TechNet documentation.
OOB Management (as defined by Microsoft in ConfigMgr 2007 Help File): Out of band management allows an administrator to connect to a computer's management controller when the computer is turned off, in sleep or hibernate modes, or otherwise unresponsive through the operating system.
OOB Service Point – ConfigMgr 2007 Service component responsible for provisioning and managing Intel AMT enabled devices.
On the ConfigMgr 2007 SP2 Server, open the Configuration Manager console
Navigate to System Center Configuration Manager > Site Database > Site Management > Pro vPro Demo SCCM > Site Settings > Site Systems
Right-click ConfigMgr 2007 Server (\\SCCM in this example)
Select New Roles to launch the
On the General page, click Next (default settings)
On the System Role Selection page, check Out of band service point
On the Out of Band Service Point page, click Next
Note: change any default settings you require for how out of band transmission packets are sent
Click Next again on Summary page
Once the Wizard completes, click Close
You will now see ConfigMgr out of band service point listed under the ConfigMgr 2007 Site System (SCCM in this example)
You have now added the Out Of Band Service Point to your ConfigMgr 2007 server. This service will provide the capability to provision and manage Intel AMT devices. The next section will cover the configuration process of this OOB Service Point.
Section 6.1: Configure Out of Band Management Service Point on ConfigMgr 2007
In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Site Management > Pro vPro Demo SCCM > Site Settings > Component Configuration
Right-click Out of band management component, and then click Properties
On the General tab, Under the Provisioning Settings, click Browse to select the Active Directory container to store each AMT object
Select Out of Band Management Controllers from the Domain (vprodemo in this example)
This is the OU created in Section 3.0
Click OK
Click Set and provide the MEBx admin password (e.g. P@ssw0rd) to be set during provisioning. The password must be a strong password (8 or more characters, a special character, and a mixture of upper and lower case characters).
Note: This MEBx password setting is used for ConfigMgr 2007 to change the local password on the Management Controller during the provisioning process. By default, the factory setting for the password is admin. If this password was manually changed locally on the MEBx, this will be ignored.
This password will modify the local and remote MEBx password of AMT during the provisioning process.
Click OK on the MEBx Account dialog
Leave AMT Provisioning Port as default: 9971
Note: AMT Provisioning port can be modified if necessary, but requires modification on each Intel AMT system.
Check the box to Register ProvisionServer as an alias in DNS
Note: This creates an Alias in your DNS environment to allow provisioning hello packets from AMT to get routed to the ConfigMgr 2007 server. This is not required for Agent Initiated Provisioning using the ConfigMgr 2007 Client Agent. Also, the necessary rights to your DNS environment would need to be granted to allow for the ConfigMgr 2007 server to update an Alias record in your DNS environment.
Under the Certificates section, Click Browse and select a valid Remote Configuration Provisioning Certificate (Intel(R) Client Setup Cert – Verisign vProDemo Backup.pfx is used in this example).
This certificate is the Provisioning Certificate that was either purchased from a 3rd Party Certificate Authority (e.g. VeriSign) or created from an Internal CA.
For complete steps to create an external Provisioning Certificate for a 3rd party Certificate Authority:
For complete steps to generate your own certificate from an internal PKI, see: Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management: Windows Server 2008 Certification Authority
You can also refer to Intel vPro Expert Center for steps to purchase a certificate:
Click Open
Enter the password for this certificate and click OK
Note: If the password is incorrect, you will receive an Invalid Password message. If the certificate is not a valid Remote Configuration Certificate, you will receive an Invalid Certificate message.
Click Select for the AMT Certificate Template
Select ConfigMgr AMT Web Server Certificate
Click OK
Click Apply
Note: The ConfigMgr AMT Web Server Certificate Template was previously generated within this image and the steps to create are not covered in this section. ConfigMgr 2007 Help file has complete steps on how to create and apply the appropriate settings to this template. These steps will vary based on the environment.
Please refer to Microsoft TechNet and closely review the necessary PKI Certificates required for Out Of Band Service Point -
On the AMT Settings tab, click icon to add AMT User Accounts
Note: These are Windows Domain accounts/groups that ConfigMgr 2007 applies to AMT during the provisioning phase. These accounts will be authenticated via Kerberos during the OOB management sessions.
In the AMT User Account Setting window, click Browse and add the VPRODEMO\Administrator account, click OK
Note: Please review Microsoft TechNet documentation to understand the appropriate users and rights for your environment. This example simply uses the domain administrator for lab testing purposes only.
Choose Platform Administration.
Check all of the boxes for the related Supported AMT Features for this account, click OK
Click Apply
In the Default IDE-redirect image text box, enter a previously-defined share location that will host your .iso images to be used with redirection capabilities. (\\SCCMSP2\IDER\dos_gold.iso is used in this example).
Check the following boxes:
• Enable Web interface for AMT systems
• Enable serial over LAN and IDE-redirect for AMT systems
• Allow ping responses
• Enable BIOS password bypass for power on and restart commands
• Enable Support for Intel WS-MAN Translator (this allows OOB Service Point to communicate with AMT systems that have firmware less than 3.2.1)
Default setting for Kerberos clock tolerance (5)
Click Apply
On the Provisioning Settings Tab, click to add a Digest User and Password
Note: This is a digest account and password that is used to authenticate to the management controller during provisioning (this is not a domain account). You should add admin | password to match the local MEBx password modified when going into the MEBx (CTRL+P). If you have not modified the MEBx on the system, ConfigMgr 2007 is programmed to try the default OEM password of admin.
Enter:
Name: TestUser used in this example
Password: P@ssw0rd (using a zero in this example)
Click OK
Click OK again.
Note: This digest account can be used in a mixed environment where the MEBx has been set to different passwords (e.g. by different ISV consoles); ConfigMgr can use this user/password information to connect to these Intel vPro systems.
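A pre-check for the Remote Configuration Provisioning Certificate selected under the Certificates section earlier in this section, as an added example that is not part of the original guide. It assumes the commonly documented requirements for such a certificate (Server Authentication EKU plus either the Intel AMT provisioning OID 2.16.840.1.113741.1.2.3 in the EKU or the OU value Intel(R) Client Setup Certificate in the subject); the .pfx path is a placeholder.

```powershell
# Added example (not from the original guide). PowerShell 2.0 compatible.
# Inspects a provisioning .pfx before it is selected in the console.
param(
    [string]$PfxPath = '.\ProvisioningCert.pfx'   # placeholder path
)

# Assumed requirements for an AMT remote configuration certificate.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$AmtSetupOid   = '2.16.840.1.113741.1.2.3'
$AmtSetupOu    = 'Intel(R) Client Setup Certificate'

function Test-AmtProvisioningCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Collect every OID from the Enhanced Key Usage extension, if present.
    $ekus = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
        }
    }
    $hasServerAuth = $ekus -contains $ServerAuthOid
    $hasAmtOid     = $ekus -contains $AmtSetupOid
    $hasAmtOu      = $Certificate.Subject -like "*OU=$AmtSetupOu*"

    $now     = Get-Date
    $inDates = ($Certificate.NotBefore -le $now) -and ($now -le $Certificate.NotAfter)

    # Build the chain offline (no revocation lookup) to find the root whose
    # hash the AMT firmware must already hold or have entered in the MEBx.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Certificate)
    $rootThumbprint = $null
    $rootSubject    = $null
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $rootThumbprint = $root.Thumbprint      # SHA-1 thumbprint as reported by .NET
        $rootSubject    = $root.Subject
    }

    New-Object PSObject -Property @{
        Subject          = $Certificate.Subject
        NotAfter         = $Certificate.NotAfter
        HasPrivateKey    = $Certificate.HasPrivateKey
        InValidityPeriod = $inDates
        ServerAuthEku    = $hasServerAuth
        AmtOidInEku      = $hasAmtOid
        AmtOuInSubject   = $hasAmtOu
        ChainBuilds      = $chainOk
        RootSubject      = $rootSubject
        RootThumbprint   = $rootThumbprint
        LooksUsable      = $Certificate.HasPrivateKey -and $inDates -and
                           $hasServerAuth -and ($hasAmtOid -or $hasAmtOu)
    }
}

# Prompt for the PFX password so it never appears on the command line.
$password = Read-Host -AsSecureString 'PFX password'
$fullPath = (Resolve-Path $PfxPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $fullPath, $password

Test-AmtProvisioningCertificate -Certificate $cert | Format-List
```

A certificate issued by your own Enterprise CA will report a root that is not among the pre-installed hashes, which is the case where the CA hash has to be entered manually in the Intel MEBx.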
Section 6.2: Configure Network Discovery for Management Controllers
In this section, we will configure ConfigMgr 2007 to be able to discover AMT Management Controllers in a lab setting.
In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Site Management > VPD – vPro Demo Site > Site Settings > Discovery Methods
In the right hand window, Right-click Network Discovery, and then click Properties
On the General tab, select Enable discovery of management controllers
Section 6.3: Configure New Site Boundary
In this section, we will configure a ConfigMgr 2007 Site Boundary for a lab setting. Net Boundary is only one type of boundary and other options are available. At least one Site Boundary must be set up and configured. Some configuration settings in these steps will vary based on your lab setup.
Note: the new site boundary is not required for OOB management of Intel vPro clients, but is required for agent installation on the clients.
In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Site Management > VPD – vPro Demo Site > Site Settings
Right click on Boundaries and select New Boundary
Enter the following fields:
Description = Net Boundary
Site Code = Site Code (VPD-vPro Demo Site used in this example and may vary in your lab)
Type = IP Address Range
Starting Address = 192.168.0.10 (Use the IP Address range appropriate for your lab environment)
Ending Address = 192.168.0.254 (Use a small range to keep the amount of discovery low)
Network Connection = Fast
Click OK
Section 7.0: ConfigMgr 2007 Collection Setup
In this section, you will configure your ConfigMgr 2007 Server with an Intel AMT Collection, set up your Intel vPro technology based system with a ConfigMgr 2007 Agent, and enable the agent to initiate the in-band Provisioning Process with your ConfigMgr 2007 Server.
Section 7.1: Create Intel AMT Unprovisioned Collection
In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections
Right click on Collections and select New Collection
In the New Collection Wizard, enter the name Unprovisioned vPro Clients and add optional Comments as required
In the Membership Rules window, click the Query Rule Properties (it is the Database icon)
In the Query Rule Properties window, enter the name Unprovisioned vPro Clients
Click Edit Query Statement...
In the Unprovisioned vPro Clients Query Statement Properties window, click
In the Query Statement textbox, type:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client
from SMS_R_System inner join SMS_G_System_AMT_AGENT on SMS_G_System_AMT_AGENT.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_AMT_AGENT.AMT >= "0" and (SMS_R_System.AMTStatus != "3" or SMS_R_System.AMTStatus is NULL)
Note: This will pull all the clients that are enabled for Intel vPro technology, and in an unprovisioned state.
Note: Additionally, you can setup a collection for Provisioned Clients by using the following Query Statement: Select * from SMS_R_System where AMTStatus=3
This will show ALL vPro systems that have been provisioned. For more information on Intel AMT status codes, see the link below:
Click OK and OK again on the Query Rule Properties
Note: Refer to Microsoft TechNet for complete details on this step:
In the Membership Rules window, click Next
In the Advertisement window, add any desired advertisements and click Next
In the Security window, add any appropriate users or groups and click Next (keep default)
Section 7.2: Configure Intel AMT Collection to Automatically Provision Intel AMT Devices
In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections > Unprovisioned vPro Clients
Right click on Unprovisioned vPro Clients and select Modify Collection Settings
In the Unprovisioned vPro Clients Settings windows, click the Out of Band tab
Check the checkbox Enable Automatic out of band management controller provisioning and click OK
Note: This setting is what enables ConfigMgr 2007 Clients to automatically provision with ConfigMgr 2007.
Note: see Microsoft TechNet article for complete details:
Add Intel AMT Columns to ConfigMgr 2007
In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections > Unprovisioned vPro Clients
Click the Unprovisioned vPro Clients collection, right click in the right hand window, and select View > Add/Remove Columns
In the Add/Remove Columns window, add AMT Status, AMT Version, and Automatic AMT Provisioning to the Displayed columns
Click OK
In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Site Management > VPD – vPro Demo Site > Site Settings > Discovery Methods
Double Click on Active Directory System Discovery
Note: With the collection defined, you can use any of the discovery methods that ConfigMgr 2007 provides (AD System Group, AD Security Group, AD System, AD User, Heartbeat, or Network) to discover the client. Refer to Microsoft documentation to understand the appropriate method for your environment. This method is used for lab testing purposes only.
In the Active Directory System Discovery Properties window General tab, check Enable Active Directory System Discovery
Click the button
In the New Active Directory Container window, select Local Domain and click OK
In the Select New Container window, select Computers
On the Polling Schedule tab, check the box to Run discovery as soon as possible
Click Apply
Note: This will initiate a discovery of all the systems listed in the computer OU in the Active Directory.
After you run the discovery method, right click Collection and select Update Collection Membership
Click Yes to confirm that you want to proceed
Right click on All Systems and select Refresh
The client will now appear in the All Systems Collection
Note: It may take a couple of minutes for the system to show up. You may continue to click Update Collection until you see the client in the collection. The AMT status of the device will most likely be in an unknown state.
In this example, you will see ConfigMgr 2007 has discovered the HP7800 system that was joined to the domain. The AMT Status = Unknown at this time
After the client is populated in the All Systems Collection, check to see if any of the systems are enabled for Intel vPro technology.
Right Click on All Systems > Out of Band Management > Discover Management Controllers
Note: This will scan through your collection and validate which clients are enabled for Intel vPro technology and ready to be provisioned.
Click OK
After a few minutes, depending on the size of your collection, you can update your collection membership
Right Click Collection and select Update Collection Membership
Click Yes to confirm that you want to proceed
Right click on Unprovisioned vPro Clients collection and select Refresh
The client will now appear in Unprovisioned vPro Clients Collection and listed as Not Provisioned
Note: If you look back at the All Systems collection, you will now see the system listed as Not Provisioned. You will also see the version of AMT listed.
Section 8.0: ConfigMgr 2007 Agent Installation and In-Band Provisioning
There are several methods to perform a ConfigMgr 2007 Agent installation on an Intel vPro technology based system. The steps listed in this section are used simply for a lab environment. Refer to Microsoft documentation to understand the various methods to distribute Microsoft ConfigMgr 2007 Agent:
On the ConfigMgr 2007 Server, copy the entire directory C:\Program Files\Microsoft Configuration Manager\Client to a USB drive (or other device to copy to your Intel vPro technology based systems). Copy this Client directory to each of your Intel vPro technology based systems.
On the client system, open a command prompt and navigate to the Client folder you copied over to the client system.
From the command prompt, run the following command:
ccmsetup /mp:SCCMServerName /logon smssitecode=<3 Letter ConfigMgr 2007 Site Code>
Note: Make sure to use your ConfigMgr 2007 Server Name and the 3 letter Site code for your lab environment. (example: ccmsetup /mp:sccmSP2 /logon smssitecode=VPD)
Run ccmsetup /? for a complete list of command switches.
Track the setup process by monitoring the Process
Installation is complete once the CcmExec.exe process is running in Task Manager
You can track the agent installation on the client in c:\windows\system32\ccmsetup\ccmsetup.log
Note: If you update the All Systems Collection in ConfigMgr 2007, you will see Yes in the Client Column after the Agent installation is complete.
On the client system, open the Control Panel
After the Agent installation is complete, you will see a Configuration Manager Icon
Double Click the Configuration Manager Icon
Select the Actions Tab
Click on Machine Policy Retrieval & Evaluation Cycle and click Initiate Action button
Click OK in the window indicating the action has been initiated
Repeat Previous Step: Click on User Policy Retrieval & Evaluation Cycle and click Initiate Action button
Click OK in the window indicating the action has been initiated
Note: This process will speed up the provisioning cycle rather than waiting for the scheduled event to occur.
After the Agent has pulled down the machine policies from the ConfigMgr 2007 server, you will see more Actions listed in the Actions tab of the Configuration Manager
Note: You can track the progress by monitoring the logs directory c:\windows\system32\CCM\Logs
OOBMGMT.log will track the progress of the auto provisioning of AMT.
PolicyAgent.log will track all of the policies pulled down by the agent from ConfigMgr 2007 server.
After a few minutes, provisioning will complete and you can update your collection membership on your ConfigMgr 2007 Server
Right click Collection and select Update Collection Membership
Click Yes to confirm that you want to proceed
Right click on All Systems collection and select Refresh
The client will now appear in the All Systems Collection as Provisioned and will no longer be listed in the Unprovisioned vPro Clients collection
Note: You can track the provisioning progress under C:\Program Files\Microsoft Configuration Manager\Logs\Amtopmgr.log
Section 9.0: Legacy Provisioning
If you are provisioning Intel vPro clients that have a version of Intel® AMT less than 3.2.1, you will need to install the Intel WS-MAN translator on the ConfigMgr 2007 server system. For more information on the WS-MAN translator, follow the links below:
Link to download translator
Also, here is a link to information about how to setup and use the translator:
In addition, you will need to import client identification and authentication information using the ConfigMgr’s Import Wizard. Once you have imported the client authentication information, you will need to manually configure Intel AMT on each Intel vPro client, using the Intel® Management Engine BIOS Extension (Intel® MEBx).
NOTE: If you are provisioning clients with Intel AMT 3.2.1 or greater and are choosing not to install the ConfigMgr 2007 agent on the clients (referred to as In-Band provisioning), then you do not need to install the WS-MAN translator. In this case, follow the procedures in section 9.2 to import the client authentication information into ConfigMgr 2007, after which the clients will be automatically provisioned (provided you have installed and configured a certificate server with a matching provisioning cert) once they have been restarted and allowed to boot to the Windows OS.
Section 9.1: Intel WS-MAN Translator Installation and Configuration
Web Services Management (WS-MAN) describes the interaction and execution order among the various PC components to execute a management command. ConfigMgr 2007 communicates with Intel AMT using WS-MAN only. However, versions of Intel AMT older than version 3.2.1 do not understand WS-MAN. They understand only the EOI protocol (Intel AMT 3.2.1 and above works with both WS-MAN and EOI). So, Intel developed the WS-MAN translator to translate WS-MAN to EOI and vice-versa.
Generate a Certificate Request on SCCM Server for Intel WS-MAN Translator
On the SCCM Server, go to Start > All Programs > Administrative Tools > Internet Information Services (IIS). Expand Web Sites and right-click on Default Web Site and select Properties.
In the Default Web Site Properties window, select the Directory Security tab.
In the Secure Communications section, click the Server Certificate button.
This will launch the Web Server Certificate Wizard.
Click Next.
In the IIS Certificate Wizard window, select Create a new certificate. Click Next.
Select Send the request immediately to an online certification authority. Click Next.
Enter a Name for the certificate: WS-MAN Translator Server Certificate.
Click Next.
Enter Organization Information
• Organization: Intel
• Organization Unit: Training
Click Next.
Enter the Common name: sccmSP2.vprodemo.com
Note: The Common Name must match the FQDN of the SCCM Server.
Enter in your Geographical Information
• Country: US
• State: Oregon
• City: Hillsboro
Click Next.
Enter 443 for the SSL Port for this web site.
Click Next.
In the Choose a Certification Authority window, select vprodemdc.vprodemo.com\vProDemoCA
Note: This will send your web server certificate request to this CA.
Confirm your request and click Next. Once Wizard is complete, click Finished.
Install Intel WS-Man Translator on the SCCM Server
On the SCCM Server, go to C:\Install and double click the WsTransSetup – 532.msi setup file.
In the Intel WS-Management Translator setup window, click Next.
Click Next.
During the installation, keep all of the default settings until installation wizard is complete and installation has finished.
Once the installation is complete, you will see a new program has been added to your All Programs Group: Intel WS-Management Translator.
Configure Intel WS-Man Translator
Click Start > All Programs > Intel WS-Management Translator > wtranscfg.exe to configure the Translator.
In the WS-Translator Configuration Wizard window, select
• Set common setup accounts
• Set TLS/forwarding options
• Set WinRM Options (optional)
Note: You can set common runtime accounts that the translator will use to connect to legacy management controllers. Instead for this lab, we will configure Delegation for the SCCM server in the next section.
In the Set initial setup password window, enter P@ssw0rd for the setup password (admin is default user). Click Next.
In the Set Common Pre-Shared Key window, leave the default Key Name and Key Values.
Note: Remember these values so you can manually enter this information into the Intel MEBx in the next lab module. Also, for “real world” implementations, you should select a more random and secure PID and PPS for security reasons.
In the Import Common Setup Certificate window, click Browse.
Browse to c:\certificates and open the Intel® Client Setup Cert – Verisign vProDemo Backup.pfx file.
Password on the Certificate: Pr0t3ct!0n
Click Next.
Note: This is the Verisign Certificate (previously purchased for this training) used for Remote Provisioning.
Uncheck Allow Basic Authentication, if desired.
In the Select TLS/forwarding options window, select (default options):
Listening Port: 443
Forwarding Port: 16993
For the Server Certificate: select the WS-Man Translator certificate created in previous step:
CN=sccmSP2.vprodemo.com
Thumbprint=CD7A1097E822DD9B3E0FBBFF3D65906230AE305D
(thumbprint varies per certificate you created – view thumbprint on the certificate created in previous step)
Click Finished.
Click OK to restart the Translator Service.
Validate Intel WS-Man Translator is configured properly
On the ConfigMgr 2007 Server, open Internet Explorer and go to
You will see the following web page if the WS-Man Translator is configured properly, including the Web Server Certificate.
Congratulations! You have just installed and configured the Intel WS-Management Translator for SCCM to be used with legacy Intel AMT systems (firmware < 3.2.1).
Modifying Windows Remote Management (WinRM)
On the SCCM Server, open a command prompt and run the following command (command line is case sensitive):
winrm set winrm/config/client/auth @{Basic="true"}
Note the spaces and syntax in the image. You should see Basic = True returned.
Note: When SCCM does provisioning and collection based power control, it connects to the Intel AMT client with digest credentials. To get the Translator to accept digest credentials, you need to enable Basic Authentication in WinRM.
Set Delegation for the SCCM Server
When the WS-MAN Translator passes credentials from the OOBC to the Intel vPro client, it passes them as delegated credentials. For Active Directory to allow this, you need to check “Trust computer for delegation” on the SCCM server AD object. This will keep the token valid when it is passed. Just browse to the computers in the AD, open up the properties for the ConfigMgr 2007 server and check the box located on the General tab.
On your Domain Infrastructure Image, click Start > All Programs > Administrative Tools > Active Directory Users and Computers > vprodemo.com > Computers. Right-click on SCCMSP2 Server and select Properties.
Check the box Trust Computer for Delegation.
Click OK.
Note: Reboot the ConfigMgr 2007 Server image after previous installation and changes were made.
Note: If you do not do this, you will need to setup the WS-MAN Translator (during configuration steps above) run time account with a user that has permission to the Intel AMT client. At that point the credentials configured in the run time account are used to manage the client.
Section 9.2: ConfigMgr Import Wizard for PSK Provisioning with Intel WS-MAN Translator
The Import Computer for Out of Band Management Wizard in Configuration Manager 2007 SP2 imports new computer information into the Configuration Manager database. This allows administrators to provision computers for Intel AMT when:
• Computers do not have the Configuration Manager 2007 SP2 client installed, including computers that currently have no operating system installed (aka Bare Metal Provisioning)
• Legacy Intel AMT systems (<3.2.1) that are not natively supported by ConfigMgr 2007 and use the Intel WS-Man Translator for Provisioning
• Intel AMT systems that are being migrated from another Provisioning environment to a ConfigMgr 2007 environment (e.g. SMS -> ConfigMgr)
Collect System Information on the client system to import into SCCM
On the client system, right click on Computer and select Properties.
Record the Host Name and the Full Computer Name (FQDN).
On the desktop of the client system, create a script GetProvisionData in the folder c:\UUID Info using the code example in the appendix of this document. Create the new folder if necessary.
Once the script is created, open c:\UUID Info Folder.
This utility will pull the Host Name, FQDN, MAC Address, and UUID of the system and display in a window.
Record this information for later use in the ConfigMgr Import Wizard.
Click OK.
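When the rows written by the appendix script are collected from several clients, they can be checked before they are typed or imported into the OOB Import Wizard. The following is an added example, not part of Intel's guide or script: it assumes the hostname,FQDN,MAC,UUID row layout the appendix script writes, and catches the rows that script produces when no NIC matched its description query, when the DNS suffix was empty, or when it was run twice on the same client. hp7800 and vprodemo.com are taken from this guide; dc7900, the MAC addresses and the UUIDs are constructed sample values.

```python
import csv
import io
import re

# Field formats for one "hostname,FQDN,MAC,UUID" row (layout assumed from the appendix script).
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}")
UUID_RE = re.compile(r"[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
LABEL_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def check_row(fields):
    """Return a list of problems found in one row (empty list = row is usable)."""
    if len(fields) != 4:
        return [f"expected 4 fields, got {len(fields)}"]
    host, fqdn, mac, uuid = (f.strip() for f in fields)
    problems = []
    if not LABEL_RE.fullmatch(host):
        problems.append("hostname is empty or not a valid DNS label")
    labels = fqdn.split(".")
    if len(labels) < 2 or not all(LABEL_RE.fullmatch(l) for l in labels):
        problems.append("FQDN has no DNS suffix or an invalid label")
    elif labels[0].lower() != host.lower():
        problems.append("FQDN does not start with the hostname")
    if not MAC_RE.fullmatch(mac):
        problems.append("MAC address is empty or malformed")
    if not UUID_RE.fullmatch(uuid):
        problems.append("UUID is empty or malformed")
    elif len(set(uuid.replace("-", "").upper())) == 1:
        # All-zero or all-F values are what some firmware reports when no UUID is set.
        problems.append("UUID is a firmware placeholder (single repeated hex digit)")
    return problems


def validate_import(text):
    """Check every row; return (clean_rows, findings) where findings is
    a list of (line_number, [problems])."""
    clean, findings = [], []
    seen_uuid, seen_mac = {}, {}
    for lineno, fields in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not fields:
            continue  # skip blank lines
        problems = check_row(fields)
        if not problems:
            host, fqdn, mac, uuid = (f.strip() for f in fields)
            # The script appends to its output file, so a second run duplicates the row.
            for kind, key, seen in (("UUID", uuid.upper(), seen_uuid),
                                    ("MAC", mac.upper(), seen_mac)):
                if key in seen:
                    problems.append(f"duplicate {kind}, first seen on line {seen[key]}")
                else:
                    seen[key] = lineno
        if problems:
            findings.append((lineno, problems))
        else:
            clean.append([host.lower(), fqdn.lower(), mac.upper(), uuid.upper()])
    return clean, findings


# Constructed sample: a good row, the same row appended twice, a row from a client
# where no NIC matched the query, and a row with no DNS suffix and a placeholder UUID.
SAMPLE = """\
hp7800,hp7800.vprodemo.com,00:1A:4B:16:01:59,4C4C4544-0042-4810-8053-B7C04F4A3831
hp7800,hp7800.vprodemo.com,00:1A:4B:16:01:59,4C4C4544-0042-4810-8053-B7C04F4A3831
,.,,03000200-0400-0500-0006-000700080009
dc7900,dc7900.,00:1A:4B:16:02:7C,FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF
"""

if __name__ == "__main__":
    rows, issues = validate_import(SAMPLE)
    for lineno, problems in issues:
        print(f"line {lineno}: " + "; ".join(problems))
    print(f"{len(rows)} row(s) ready for import")
```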
Import Intel vPro System Information into ConfigMgr OOB Import Wizard
In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management.
Right-click on Collections, and select Import Out of Band Computers.
Note: This will launch the OOB Import Wizard.
In the OOB Import Wizard, select Import single computer
Note: You can use the file option to import multiple systems at once (e.g. Migration purposes)
Click Next.
In the Single Computer import window, use the information you recorded previously from your client system to enter:
• Computer Name
• FQDN
• MAC Address (Enter 11:11:11:11:11:11 for MAC)
• SMBIOS GUID (this is the UUID you recorded)
• MEBx Password = P@ssw0rd
• Confirm Password = P@ssw0rd
• Remote Admin Password = P@ssw0rd
• Confirm Password = P@ssw0rd
Note: The Intel MEBx and Remote Admin passwords are only needed if the Intel AMT passwords are different than what was set in the OOB Component Settings.
Click Next.
In the Choose Target Collection screen, select Add new computers only to the All Systems collection.
Click Next.
Confirm the summary information displayed and click Next.
The Wizard will complete and confirm the import was successful.
Click Close.
In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections
Right-click All Systems and select Update Collection Membership.
Refresh the Collection.
Note: You will now see the system you imported into the All Systems Collection; AMT Status Unknown. ConfigMgr 2007 is now waiting for “Hello” Packets with a PSK from the Intel vPro client system.
Manually enter the PID / PPS into Intel MEBx
Reboot the client and press CTRL + P to enter the Intel MEBx Interface.
Enter the password: P@ssw0rd.
Select Intel (R) AMT Configuration and press Enter.
Select Un-Provision and Enter.
Click Y for Yes to Reset Intel AMT.
Select Full Unprovision and Enter.
Select Setup and Configuration and Enter.
Select TLS PSK and Enter.
Select PID and PPS and Enter.
Enter PID = 4444-4444.
Enter PPS = 0000-0000-0000-0000-0000-0000-0000-0000.
Exit from the Intel MEBx and let system reboot.
Note: You will recall that these same PID/PPS keys were used during the setup of the Intel WS-Man Translator. Upon reboot, the system will send “hello” packets to the SCCM server with PID/PPS.
Intel AMT Provisioning Log
On the ConfigMgr 2007 Server Image, open the AMT Provisioning Log (C:\Program Files\Microsoft Configuration Manager\Logs\amtopmgr.log).
In this log, you will see the “Hello” packets from your HP7800 system with the matching PID (4444-4444). This Hello packet will start the provisioning process.
Note: If the PID /PPS keys were not imported or do not match, the provisioning process will fail and the log will indicate that the system has not been imported into ConfigMgr 2007.
Section 10.0: Helpful ConfigMgr 2007 Logs for Troubleshooting
Section 10.1: Server Logs
C:\Program Files\Microsoft Configuration Manager\Logs
• AMTOPMGR.LOG - log for tracking provisioning process
• AMTPROXYMGR.LOG – log to help identify failures with CA and OU
C:\Program Files\Microsoft Configuration Manager\AdminUI\AdminUILog
• OOBConsole.log - Log for tracking OOB Management Console activity (note: for more detailed information, change "Error" to "Verbose" in the following file: c:\Program Files\Microsoft Configuration Manager\AdminUI\bin\oobconsole.exe.config)
Section 10.2: Client Logs
C:\windows\system32\ccm\logs
• oobmgmt.log – log to track the provisioning of AMT
C:\windows\system32\ccmsetup
Section 11.0: Resources
Intel vPro Expert Center devoted to Microsoft products and Intel vPro technology
Microsoft TechNet Reference Material
System Center Configuration Manager 2007 -
Out of Band Management in ConfigMgr 2007 SP2 -
Intel Software
To support systems earlier than 3.2.1, an Intel WS-Man Translator is required with ConfigMgr 2007.
Appendix: Code Example for GetProvisioningData Script
'SCCM Import Data Generation Script
'Created by Dan Brunton, Intel Corporation
'This script will connect to the local system via WMI and output the hostname, FQDN, MAC address and UUID to a file.
Option Explicit

'Define the variables used in the script.
Dim objNICInfo, objNIC, objSysComps, objItem, objService, objSysMAC, objNetwork, objFSO, objFolder, objShell, objTextFile, objFile
Dim strUUID, strHostName, strDNSDomain, strMAC, strDirectory, strFile, strText

'Change this to point to whatever directory you want the script to write to. It could be a local path or a network share.
strDirectory = "c:\temp"
'Change this to the file name you want to have the data written to.
strFile = "\import.csv"

'Define the WMI interface object to retrieve information with.
Set objService = GetObject("winmgmts:\\.\root\cimv2")

'Use the Win32_NetworkAdapter class to retrieve the MAC address and computer name for supported network adapters. Depending on the platform you are using, you may need to add or change NIC descriptions in the query below.
Set objNICInfo = objService.ExecQuery("SELECT * FROM Win32_NetworkAdapter where description='Intel(R) 82566DM Gigabit Network Connection' or Description = 'Intel(R) 82566MM Gigabit Network Connection'")
For Each objNIC in objNICInfo
    strMAC = objNIC.MACAddress
    'The hostname comes in as upper case, LCase changes it to lower case. There is no functional need to do this, it is purely aesthetic.
    strHostName = LCase(objNIC.SystemName)
Next

'Use the Win32_NetworkAdapterConfiguration class to get the DNS suffix for the NIC identified above.
Set objNetwork = objService.ExecQuery("Select * from Win32_NetworkAdapterConfiguration WHERE MACAddress = '" & strMAC & "' and DNSHostName = '" & strHostName & "'")
For Each objItem in objNetwork
    strDNSDomain = objItem.DNSDomain
Next

'Get the UUID.
Set objSysComps = objService.ExecQuery("Select * from Win32_ComputerSystemProduct")
For Each objItem in objSysComps
    strUUID = objItem.UUID
Next

'Assemble the various data elements into a single string.
strText = strHostName & "," & strHostName & "." & strDNSDomain & "," & strMAC & "," & strUUID

'This section writes information retrieved from the script to a file.
Set objFSO = CreateObject("Scripting.FileSystemObject")
'Check to see if the strFile exists and create it if it does not
If objFSO.FileExists(strDirectory & strFile) Then
    Set objFolder = objFSO.GetFolder(strDirectory)
Else
    Set objFile = objFSO.CreateTextFile(strDirectory & strFile)
End If
Set objFile = Nothing
Set objFolder = Nothing

Const ForAppending = 8
'Create the file object
Set objTextFile = objFSO.OpenTextFile(strDirectory & strFile, ForAppending, True)
'Append the value of strText to the text file and close it
objTextFile.WriteLine(strText)