1 2 Previous Next 22 Replies Latest reply on Apr 17, 2014 11:43 AM by joebaggadonuts

    Exploring vPro

    joebaggadonuts Apprentice

         I have spend the past year and a half working to get vPro to function correctly here on the enterprise. vPro (if working correctly) provides your LANDesk installation with some very significant tools. The ability to turn systems on and off in order to deploy software or patch at night is very nice. The ability to remote into a system (via KVM) and run an anti-virus rescue CDROM  from your local system to the remote "victim" is a tasty little treat also. Certainly everyone can see the benefit of using vPro with LANDesk.


         Intel vPro is one of those tools which is at the mercey of a little thing I like to call "fellowship"; that is to say, while Intel has defined the various versions and what they can do the OEMs have the capacity to stray from the true form if they sell boxes which do not meet the higher requirements. One example is how all systems which have the i5 and i7 cores can be "full vPro" systems (they have Intel chipset, video and NIC) so all of the features within vPro will work on them. If a system is sold with i3 core then the OEM may not provide any more than a few "AMT" solutions. THis may not be a big thing at first glance, but vPro tends to gravitate to the old "weakest link" concept wherein you really want all vPro equipped devices to have the same level of support or it becomes increasingly difficult to figure out what is happening and how to get it working with the systems you support.

          Truly, I found this trek to be like a climb up the mountain to meet the wise philosopher. For every person that I spoke to about setting this up I found 4 or 5 others which said they had already spilled enough blood trying to make this work. All any of these poor souls could say was something akin to, "If you ever make it to Nirvana, please send a bus to pick us up..."

          Back to the "fellowship" point. It seems that Intel, in providing this free to OEMs is not getting the support from vendors which would propel this potentially valuable solution to the place where it needs to be. Couple that with the OEMs not communicating all that is required to LANDesk support and then working to ensure that LANDesk can function with the fewest of steps to make vPro viable... well you get the idea. It appears that since there is no money in it for anyone then the solution is waiting for some Don Quixote, or some Joebaggadonuts to volunteer to collect all of the information from the various resources about the country and make this thing work.

         Well, we have it working... In test and provisionally in production. I want to further compile my findings and get a real person to translate them from 1337 speak to Geek speak to English so we in the community can compare notes. I am convinced that once the data is looked upon by others we can put a guide together which will allow newcomers and those waitin on the Nirvana bus a means to get their vPro experience working.

         Of late I had the blessing to attend a class that Intel hosted locally demonstrating their SCS (Setup Configuration Software) which they use to provision and unprovision vpro devices over the LAN/WAN. This solution is well documented (especially compared to what you usually get from vPro sources) and well conceived. It was easy to setup and used very little resources. The instructor, William York, was very knowledgeable and didn't look things up rather recalled them from memory on a time when he had resolved the question for himself. All in all very impressive as an option. I am hopng to take this solution and use it to address provisioning and changes to provisioning from this solution and then use LANDesk to reap the rewards of a fully configured vPro environment. More on this later - I only have this working on the test servers at this point. If this all works out we, in the community, may be able to make the titans dance with one another.


         One can dream, I suppose.

        • 1. Re: Exploring vPro
          mrspike SSMMVPGroup

          Looking forward to reading more on your process and results

          • 2. Re: Exploring vPro
            joebaggadonuts Apprentice



               Here are a couple of links to the base Intel solution to give some background to where I am coming from. The first one is the SCS Deployment Guide at http://downloadmirror.intel.com/20921/eng/Intel(R)_SCS_8_Deployment_Guide.pdf and the other is the SCS User's Guide at http://www.intel.com/content/dam/www/public/us/en/documents/guides/scs-user-guide.pdf


               These documents are the meat and potatoes of the class that I attended on vPro provisioning. There are many facets to making it all work, but I have found that there are many in the community (much brighter than I) which can figure this sort of thing out without a class. It is for this reason that I post these things here.

            • 3. Re: Exploring vPro
              mrspike SSMMVPGroup

              Thanks, and are you using LANDesk 9.5 or an earlier version?

              • 4. Re: Exploring vPro
                joebaggadonuts Apprentice

                Excellent question. We have a production core that is on LDMS 9.0 SP3 . We employ preferred servers about the WAN to support distribution, patching and provisioning tasks in an effort to off-load tasks from the core server. We use a SQL database (2008 Standard) and all of our servers are 2008 R2 in an ESX environment.

                • 5. Re: Exploring vPro
                  mrspike SSMMVPGroup

                  Thanks, the reason I ask is, from what I have seen, in LD 9.5, deploying / configuring VPro is "supposed" to be super simple.

                  • 6. Re: Exploring vPro
                    joebaggadonuts Apprentice

                    Actually, because we had already turned on vPro in LANDesk and our devices were auto-provisioning in vPro we were getting an error in 9.5. What was happening is the "little red circle with the line through it" would not appear for systems that had a cable plugged into their NIC. This was due to vPro responding to pings. I had to unprovision all of the units in test in order to be able to determine that they were off. Additionally, if you do not get the red circle with the line through it then you cannot use Wake on LAN nor Wake on WAN. So I contacted support and they confirmed (after a time) that there are problems in provisioning and that they have not been corrected in the current release of 9.5. The statement was made that a number of customers have noted that they cannot get the proper behavior out of the software - in respects to vPro. While this is not universal it was a problem in our environment so we have deployment to 9.5 in test mode at this time.

                    • 7. Re: Exploring vPro
                      joebaggadonuts Apprentice

                      Just an update:

                           One of the early benefits I have noted using the provisioning process that Intel has in SCS and their "Intel vPro Platform Solution Manager" is the ability to confirm success in each step of the process of fully configuring a system to function using vPro. One of the problems I had in early testing with the LANDesk core server acting as the provisioning agent was the difficulty of taking single steps through the process. Additionally the log files created during the provisioning proces (and saved on the core server) are not unique to individual machines so they are first very long and then later overwritten as new information is placed in them concerning machines provisioned later. This made it difficult to isolate where problems were located, especially in reference to whether of not the problem in question related to infrastructure or process or what.

                           Using the vPro Platform Solution Manager it is possible to "double check on the functionality and ensure that all of the features are properly provisioned. This tool also has a means of (using a purchased VNC Viewer Plus) to allow connection using KVM. Of course once the LANDesk core is reconnected I dont require that piece, but it is nice to be able to use it to prove that the KVM solution is provisioned and is working properly. With this I can ensure that any problems which I am encountering are indeed related to LANDesk.

                         More later...

                      • 8. Re: Exploring vPro

                        vPro is frustrating...

                        • 9. Re: Exploring vPro
                          Tanner Lindsay SupportEmployee


                          I'm familiar with the SCS tools and all the challenges that you outlined with vPro. I'm wondering what you plan is to move the machines to LANDesk, or as you said "reconnect" LANDesk once you have provisioned them with the SCS tools. I've heard it mentioned before, but haven't heard from anyone that tried it yet. The maturity of the SCS tool is more recent in its ability to accomplish the tasks you mentioned.


                          Are you working with mostly AMT 6+ or do you have older machines as well? The various versions introduce much more inequality than the changes that OEMs might make. Also, sometimes all the requirements or limitations aren't clear : ). For example, KVM will ONLY work if you have and use only the onboard video card. If you have a discrete graphics card it doesn't work.


                          LDMS 9.5 does introduce some significant changes to how machines are provisioned, especially those that have Client Config Mode and Admin mode. Actually, any machine that has an agent installed, and has the vPro drivers, will be put into CCM and connected to the LANDesk Core and some features will be available. We also can later seamlessly transition those machines into Admin control mode once a certificate is present. (Shh.. don't tell.. it is supposed to be harder than that)


                          I can totally understand the difficulty you have encountered working with vPro. It does seem, by its very nature, to be complicated. As you outlined so well, there are a lot of moving parts that have to line up just right.


                          I haven't seen the issue you describe with the agent discovery and vPro... I'll have to try that out with my machines here.

                          • 10. Re: Exploring vPro
                            joebaggadonuts Apprentice

                            Tanner, good to hear from you. I spoke to you about vPro in a noisy bar in the MGM Grand at my last InterChange (2011, I believe). I will try to respond to your questions and thank you for taking time to look this over.

                            -  I'm wondering what you plan is to move the machines to LANDesk, or as you said "reconnect" LANDesk once you have provisioned them with the SCS tools.

                            - - response - - I am hoping to use the SCS tools to provision and record the process as follows

                            1) I have a SQL database server that houses all of the transactions, logs and keys from the SCS Server

                            2) There is an OU called IntelAMT that warehouses all of the computer accounts which SCS creates as it provisions devices

                            3) I have opted to use a thumb drive to deploy the initial binary to devices (at some point I plan to go back to my GoDaddy cert and zero touch, but for now it is actually preferrable to do a one touch. This gives me the ability to control the number of devices that provision rather than all of them coming home at once).

                            4) I drop the OS onto the PCs in 4 locations across our enterprise using OS Provisioning and preferred servers dedicated to Patch, SD and file delivery. Replication updates these devices on a schedule.

                            5) At the end of the replication process the intel AMT management files are loaded into the OS (this has to be based upon the device so we are struggling to automate that solution better)

                            6) The AMT configuration files from the SCS server are copied to the newly LANDesk OS provisioned device and then AMTConfig is ran with all of its settings and such

                            7) The box provisions and records its individual success to the config folder. The log is sent to a repository.

                            8) The SCS server creates a computer object in the IntelAMT OU

                            9) The Database updates with the machines info and key.

                            10) Ithink itz done 8 /


                            At this point I am hoping to find a way to be able to use things like LANDesk's wake up to vPro and turning machines on and off


                            - Are you working with mostly AMT 6+ or do you have older machines as well? The various versions introduce much more inequality than the changes that OEMs might make.


                            - - response - -

                               Sadly we have a mishmash of older systems, however - since we went to Lenovo we have vPro 6 or better (in most cases 7 or better). Wait - let me clear that up - we have AMT 7 or better. Since in order to have true vPro (as you pointed out) one must have the full Intel build and CORE i3s dont have that. In order to truely be on vPro we need CORE i5 or i7 with Intel NICs and Vidz. Our Lappys have it and we are looking into desktops going there - this makes it difficult to adopt a standard.


                            -- Reference to LANDesk 9.5 --

                               I have SERIOUS testing to do before I can roll to 9.5. I have significant projects this year and my LANDesk installation has come to a place in its LANDesk maturity where I cannot afford to have the problems I see other people experiencing. we simply rely on it too heavily at this point to take ANY chances. So we are going through testing and verification of everything before we roll up to 9.5

                            • 11. Re: Exploring vPro
                              Tanner Lindsay SupportEmployee

                              Wow, that certainly is a lot of steps. Normally, when LANDesk provisionions vPro devices we use a unique key that is stored in the DB. Then future communications with that device authenticate using the key/certificate pair. In the case of one touch, the PID/PPS is this pair. I do know that some functions can work with only the vPro password, but I wonder if/how LANDesk will "authenticate" to these machines after they are provisioned using SCS. I look forward to hearing how your tests go.


                              I'm sure you will be sad about this again, but I'll bring up 9.5 again : ). As I mentioned, the devices are provisioned "automagically" when the agent is installed and there are some general improvements to vPro. Something more to look forward to (and review in your testing) is going to be new to our next update/release to 9.5 this year. I think it can really help you with item 5 in your list. We are extending HII (Hardware Independent Imaging) so that not only can it find and match the drivers automatically, it allows the admin to assign particular drivers to particular hardware, by device/model/OS/architecture. Along with driver assignment, we have added the ability to install "exe based drivers" once Windows has been booted and is running. What that means is you can assign a particular software distribution package to a machine/model and it can be installed as part of the LANDesk Provisioning (not vPro) process that installs the OS.


                              That way you could make a particular vPro install for, say a Lenovo T530, and HII would install it on that machine. But later, you can run the same template and same HII action on a Dell Optiplex 850 (I'm making up numbers here) and it would install a different vPro software/package that applies to that device.


                              Hope that helps and good luck in your testing and validation of 9.5. I suspect it will go well : )

                              • 12. Re: Exploring vPro
                                MrGadget Expert

                                The problem with not getting status or the little red circle is due to vpro having a default of  Respond to Ping checked.

                                If you pull op the web gui you will see it under Network Settings.

                                I am in the process of unchecking that in several thousand computers.

                                • 13. Re: Exploring vPro
                                  joebaggadonuts Apprentice

                                  Gadget. Yeop, that is absolutely the case. However we had to make the change to each of the 3890 machines on the network. With Intel's solution we were able to remotely address that as one task rather than going to the web sites. They have a command line tool that can be sent out as a LANDesk task and that command line resets everyone that runs it. LANDesk Automation meets Intel Development & Ownership. This is the thing I am working on perfecting. Bringing the best of Intel's up to date support for their vPro product to bear on LANDesk's ability to use a properly provisioned vPro solution to work miracles.

                                  • 14. Re: Exploring vPro
                                    MrGadget Expert

                                    what is the Intel command line tool?


                                    Also I added a comment in the Vpro section discussion you might want to look at. http://community.landesk.com/support/message/89452#89452

                                    1 2 Previous Next