Intel AMT Deployment via Batch Script

I recently created a script in hopes of enabling and configuring Intel AMT on all of our machines spanning several remote branches. They already have the Intel Management and Security Client installed, and it's not enabled by default - it's how they came from Dell. My plan was to copy the script to the branch server and it would use psexec to run the script on each specified workstation. In testing the script, I can open the Management and Security Client and verify that the settings appear to be correct, but if I restart and enter the MEBx interface from the BIOS, it hasn't applied anything - it's still disabled, and hasn't applied the new password or anything from the XML profile that was generated and specified in the script - the client doesn't seem to pass the info to the BIOS level. Do I need to use the Intel® vPro Technology Activator Utility, or is there something else I'm missing?

 

@echo off
REM This script is intended to deploy a default profile for Intel AMT settings to all AMT-enabled devices on the network
REM This script is intended to be run from the server in the store and target the workstations in the same store
REM Place PsExec.exe (SysInternals), ACU.dll (Intel SCS), ACUConfig.exe (Intel SCS), IntelAMTDefaultProfile.xml, and this script on the store server in C:\Scripts\AMT_Temp prior to running the script
REM The target machine must be configured for a static ip in order for this script to work
echo --------------------Intel AMT Settings Deployment Script v1.0--------------------
echo --------------------------------Last updated: 01/06/2014--------------------------------
ECHO.
:Menu
echo Let's deploy the Intel AMT settings to a remote computer..
echo Enter the IP address or hostname of the store SERVER (this computer) and press ENTER:
SET /P SERVER_ID=
echo Enter the name of a local administrator account on the WORKSTATION that you know the password for.
SET /P ADMIN_USER=
echo Enter the password of the user you chose and press Enter:
SET /P ACCT_PASSWD=
setlocal
echo Enter the IP address or hostname of the WORKSTATION and press ENTER:
SET /P REMOTE_ID=
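REM Skip the deployment when the Intel Management Engine Components folder is missing on the workstation
IF not exist "\\%REMOTE_ID%\C$\Program Files (x86)\Intel\Intel(R) Management Engine Components" goto AMTNotPresent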
:AMTPresent
xcopy /f /i \\%SERVER_ID%\C$\Scripts\AMT_Temp \\%REMOTE_ID%\C$\Scripts\AMT_Temp
PsExec.exe \\%REMOTE_ID% /u %ADMIN_USER% /p "%ACCT_PASSWD%" "C:\Scripts\AMT_Temp\ACUConfig.exe" /Output File C:\intelamtinstalllog.txt ConfigAMT C:\Scripts\AMT_Temp\IntelAMTDefaultProfile.xml /DecryptionPassword "insertdecryptionpasswordhere" /AbortOnFailure /AdminPassword "admin"
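REM rmdir is a cmd.exe built-in, so it has to be run through cmd /c on the target; /s /q removes the non-empty folder without prompting
PsExec.exe \\%REMOTE_ID% /u %ADMIN_USER% /p "%ACCT_PASSWD%" cmd /c rmdir /s /q C:\Scripts\AMT_Temp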
echo Done with this machine..
echo Rebooting the machine before moving on..
runas /netonly /user:%REMOTE_ID%\%ADMIN_USER% "shutdown /r /m \\%REMOTE_ID% /t 60 /c \"A computer reboot has been initiated by the IT Department (%USERNAME%) and will take place in 60 seconds. Please save any changes before the reboot.\""
goto Return
:AMTNotPresent
echo This system isn't AMT-enabled. Move on to the next machine on the list..
goto Return
:Return
endlocal
pause
cls
goto Menu


 

Hi There,

Is Powershell configured correctly? Are you importing the Intelvpro module?

Here are some blogs that I wrote that might help:

Also, I had some issues when I was trying these scripts wirelessly. You need to add your wireless access point to the ME (you can bring up the web UI to see what information it needs). My problem was that I was on my employer's network and there are proxy settings that I couldn't add, so I couldn't get the ME onto the wireless network that the ME uses. Check to see if you are trying to do this wirelessly and if so, plug in a network cable and see if that works.

Let me know if this helps.

 

 

The script is just a batch script, not Powershell, as unfortunately I've just never had the time to learn it. As far as the network connection, all of our machines are wired connections, not wireless. I'll check out your blog posts tonight and see if there's anything I can learn from there to help our issue. I've confirmed that if I physically go to the computer and configure things via MEBx, I can get to the web interface from another machine, so I don't think it's a network issue - it's something fundamental I seem to be missing. I just don't want to go to 400 computers located at over 25 locations and enable and configure it on each one.

Ok - you may want to check out this utility:  Intel® Setup and Configuration Software  - You probably need a remote provisioning certificate. If you are provisioning on the client without going through the network you don't need the cert.  If you are doing this from a management console that is on the network then you do. 

The Intel Profile Designer from the SCS Utility is what I used to create the xml file with all of the desired AMT settings. The script isn't using the management console, it's literally just a Windows 2008 R2 server physically located in the store, where I launch the batch file, which then uses the psexec utility to launch the Intel SCS Configurator tool on the target machine, telling it to use the desired AMT settings defined in the profile xml file and print the output to the command prompt on the server. I'll take another look.

It looks like I could copy the ACU wizard and xml profile to the machines from the server and use the ACU wizard on each machine and specify the profile if I can't write a script that works.

It looks like Intel calls this Host-based configuration and that it's done using the ACUConfig tool, which is what I've been trying to do. I don't think I could need a certificate with the host-based configuration method. My script just uses the PSExec tool from Sysinternals which just runs the commands from the target machine and sends the output to stdout on the machine you're using PSExec from

Ok - I'm not familiar with the PsExec from Sysinternals. PS = Powershell, right? If so, in order to use Powershell with Intel AMT, you have to import the Intelvpro module. My blogs describe how to configure your system so that the Powershell snippets in the SDK will be able to "talk" to the ME.

No Powershell to PSExec

"PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems."

https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Ok got it! But you are using the ACUConfig utility, right? So that requires the WMI Provider - are you getting any messages about WMI provider not found?

What version(s) of AMT are your clients?

Could you attach your xml profile that you generated from the Intel SCS?  You are using a secure password?  What kind of keyboard are you using (international?)  (this actually matters...)

If I can't get you going today, I will escalate.

When you export the xml file, are you giving it a decryption password?

 

 

 

No warning messages at all when I run the command. To remove PSExec and the script from the picture altogether for testing, on the machine I wanted to configure, I launched a command prompt as administrator and ran the following command:

"C:\Scripts\AMT_Temp\ACUConfig.exe" /Output File C:\intelamtinstalllog.txt ConfigAMT C:\Scripts\AMT_Temp\IntelAMTDefaultProfile.xml /DecryptionPassword "insertdecryptionpasswordhere" /AbortOnFailure /AdminPassword "admin"

All it should do is run the ACUConfig program, specify a log file location, tell it to apply the configuration profile I set up previously with the SCS Profile Designer, specify the decryption password for said profile, tell it to abort on failure, and give it the default administrator password since AMT comes unconfigured.

Is there somewhere to find the AMT version info? The machine is a Dell Optiplex 7010 and keyboard is a standard US keyboard

I will PM you the Profile xml file and the password we're actually using along with the log file that should help

Files sent.

 

The Intel Management and Security client shows that it changes to configured after the command is executed, but it changes back to unconfigured 30 seconds later, and it doesn't use the ip address of the client as specified in the xml file

 

It's failing on the first attempt to connect to AMT. Do you have a firewall? Firewalls sometimes block messages going to ports 16992/16993. Can you verify? If it is, then you can add an exception to allow traffic through on these ports.

Are you using Static or DHCP for your network? (I can't seem to view your xml file.)

Your Dell is an AMT 8 client. Don't think that should be an issue.  It has the latest fw, correct?
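
One way to verify the firewall question raised above, as an added example that is not part of the original thread: a PowerShell function that tests TCP reachability of ports 16992 and 16993 on a list of workstations. It uses System.Net.Sockets.TcpClient so that it also runs on the PowerShell 2.0 that ships with Windows Server 2008 R2; the function name and the workstation names are hypothetical.

```powershell
# Added example: TCP reachability check for the AMT ports named in the thread.
# Works on PowerShell 2.0 (no Test-NetConnection required).
function Test-AmtPort {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [int[]]$Port = @(16992, 16993),   # AMT web interface: HTTP and TLS
        [int]$TimeoutMs = 2000
    )
    foreach ($computer in $ComputerName) {
        foreach ($p in $Port) {
            $client = New-Object System.Net.Sockets.TcpClient
            $open = $false
            try {
                # Asynchronous connect so a filtered port fails after the
                # timeout instead of waiting for the default TCP timeout.
                $async = $client.BeginConnect($computer, $p, $null, $null)
                if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                    # EndConnect throws if the port actively refused the connection.
                    $client.EndConnect($async)
                    $open = $true
                }
            } catch {
                $open = $false
            } finally {
                $client.Close()
            }
            New-Object PSObject -Property @{
                ComputerName = $computer
                Port         = $p
                Open         = $open
            }
        }
    }
}

# Hypothetical workstation names; replace with the machines in the store.
Test-AmtPort -ComputerName 'WORKSTATION01', 'WORKSTATION02' |
    Format-Table ComputerName, Port, Open -AutoSize
```

Run it from the store server rather than on the workstation itself, so the connection crosses the same network path a firewall would filter. A port that reports closed on a machine where AMT was configured by hand through MEBx points to filtering, while closed ports everywhere are equally consistent with AMT never having been provisioned.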
