NightWatchman Enterprise 7.3

WakeUp Intel® AMT component

The WakeUp Intel® AMT component consists of a single service that runs on the same server as WakeUp and registers with the service. Intel® AMT systems should be enabled and set up so that the WakeUp Intel® AMT component service can perform management functions on them.

Intel® AMT must be enabled in the system's BIOS. Bare Intel® AMT systems contain the technology but it is not supported until they are configured. Refer to the OEM's BIOS documentation for details on how to enable this technology.

Enterprise and small business modes

The WakeUp Intel® AMT component supports two modes of operation:

  • Enterprise mode – In enterprise mode, an Intel® AMT platform uses secure communications via transport layer security (TLS) communication protocols. It also provides a standard and single-sign-on style of authentication by integrating its authentication framework with Microsoft Active Directory Server which manages domain authentication based on the Kerberos protocol. Intel® AMT maintains an access control list (ACL) of users that can access realms within the device.

  • Small business mode – In small business mode, when digest authentication (user id and password) is used, the ACL contains an entry per user. When using Active Directory and Kerberos in enterprise mode, an ACL contains a SID, a list of realms and access permissions.

Although the device can be configured to operate in both modes, the WakeUp Intel® AMT component can only be configured to work in a single mode. Please refer to the Intel® AMT Small Business and Enterprise Configuration User Guides for details on how to set up the preferred authentication mode and realms.

Configuring WakeUp to use AMT instead of Last Man Standing

In order to wake machines up, WakeUp in multi-agent mode requires a single machine on the subnet to be always awake to receive messages from the WakeUp service on the Primary Configuration Manager Server. There are two alternative methods that WakeUp can use to achieve this.

  1. The administrator can enable Last Man Standing (LMS) in the 1E Agents to allow the agents to constantly monitor shutdowns to keep a single machine up in the subnet.

  2. With the WakeUp Intel® AMT component, if an Intel® AMT machine is available in the subnet, WakeUp LMS can be disabled, allowing all machines in the subnet to be shut down. The Intel® AMT machine on the subnet can then be awoken remotely to act as an agent for waking up targeted machines on the subnet.

Last Man Standing is disabled on the 1E Agent with LASTMANENABLED=0. This can be set during an installer repair, if the 1E Agent has already been installed to use LMS.

WakeUp Intel® AMT component and Configuration Manager

The WakeUp Intel® AMT component installs an additional service on the Configuration Manager Server that communicates with WakeUp. This service queries Configuration Manager for discovered Intel® AMT machines and dispatches SOAP messages to wake them up.

Intel® AMT machines discovery

The 1E Agent service installed on every machine attempts to communicate with Intel® AMT Board Management Controller via the Management Engine (ME) interface driver or Host Embedded Controller Interface (HECI) driver. The state set by the 1E Agent is sent to Configuration Manager as an extension to hardware inventory. A hardware inventory WMI class, called SMS_G_SYSTEM_WAKEUP_1E_IAMT, is created in Configuration Manager that contains a list of all machine resources known to Configuration Manager that are Intel® AMT machines with 1E Agent installed.

Waking up an Intel® AMT machine

WakeUp only requires a single machine in a remote subnet to wake up targeted machines on the subnet. If the existing agent finder in WakeUp fails to find any currently awake machines in the subnet, it dispatches a request to the WakeUp Intel® AMT Service to find a suitable agent in the subnet and wake it using an Intel® AMT SOAP message and the pre-configured authentication mechanism. WakeUp subsequently uses the 1E Agent on that machine to wake up other targeted machines on the subnet using magic packet technology.

Configuration Manager Integration

The WakeUp Intel® AMT component needs to be installed on all Configuration Manager Primary Site Servers where WakeUp is installed. It uses system inventory information to send out SOAP messages on requests from the WakeUp service in time for any advertisement schedules.

WakeUp Intel® AMT feature pack components

The main feature pack consists of:

  • WakeUp Intel® AMT service

  • 1E Agent and extensions to Configuration Manager hardware inventory

WakeUp Intel® AMT service

The WakeUp Intel® AMT service is responsible for communicating with the WakeUp service and sending SOAP messages to Intel® AMT machines via the preconfigured authentication mechanism.

When running with Configuration Manager this service should be installed in each Configuration Manager Site server in the hierarchy that has WakeUp installed – providing the site has Intel® AMT Configuration Manager clients and those clients have been provisioned.

When running solely with NightWatchman Management Center, this service only needs to be installed on the WakeUp Server set as the NightWatchman Management Center wake up provider.

If Intel® AMT is configured in enterprise mode using Active Directory for authentication with Kerberos, the service will run using an account that is a member of the Intel® AMT Collections Managers group. The WakeUp Intel® AMT service will attempt to use WinHTTP to impersonate the account and connect to the targeted machine.

If Intel® AMT is configured in small business mode, the WakeUp Intel® AMT service will use a username and password for digest authentication. Once installed, WakeUp will detect the WakeUp Intel® AMT service and dispatch requests when agents are not found on a targeted subnet.

1E Agent

The WakeUp Intel® AMT component provides an alternative to the Last Man Standing mechanism. The alternative still relies on the 1E Agent being installed on every machine. The 1E Agent is responsible for discovering the Intel® AMT Board Management Controller and building up a database of Intel® AMT machines in Configuration Manager or NightWatchman Management Center. Once discovered, the WakeUp Intel® AMT Service will wake up the machine. The 1E Agent on the machine will receive instructions from WakeUp Server to send out magic packets to any systems that need waking.

Intel® AMT support for Last Man Standing

Computers that have Intel® AMT hardware and are configured to support remote wake ups circumvent the WakeUp requirement that there is at least one 1E Agent on the subnet running to handle wake up signals from WakeUp Server. This is because WakeUp is able to use the Intel® AMT capabilities to wake the machine remotely without using magic packet broadcasts, which are liable to be disabled in secure networks.

To use Intel® AMT for a subnet where such hardware exists instead of Last Man Standing, you need to enable the Intel® AMT option during WakeUp Server installation and, except for the 1E Agent on the Intel® AMT computer, install all the other 1E Agents on the subnet with LASTMANENABLED=0.

Configuration Manager Hardware Inventory

A hardware inventory WMI class is created by extending and compiling the Configuration Manager Hardware Inventory MOF. Hardware inventory information sent by every Configuration Manager client will contain extended data identifying whether the machine resource is an Intel® AMT machine.

This information is used to enhance the existing hardware inventory information in Configuration Manager providing the WakeUp Intel® AMT service with a means of identifying Intel® AMT machines for a specific subnet.

NightWatchman Management Center Inventory

When running solely with the NightWatchman Management Center, the 1E Agent sends information about the computers running Intel® AMT to be stored in the NightWatchman Management Center database.

Configuring the WakeUp Intel® AMT feature pack

This section describes the two different authentication modes for Intel® AMT and then shows how the individual components of the WakeUp Intel® AMT component are configured. Typically, WakeUp Intel® AMT is configured once and subsequently works without the need for further intervention – thereby providing set and forget functionality.

The WakeUp Intel® AMT component is designed to self-register with an existing WakeUp Server ensuring zero configuration for WakeUp itself. During installation, the WakeUp Intel® AMT service registers a free TCP/IP port on the server with WakeUp Server. Thereafter, WakeUp Server automatically detects the service whenever it needs to dispatch requests to wake up remote Intel® AMT machines.

When starting up, the 1E Agent runs an inexpensive test to check whether its local machine is an Intel® AMT machine. A local registry key is updated which is in turn picked up by the ConfigMgr client and sent up to the ConfigMgr Server on each Hardware Inventory cycle.

Configuring the WakeUp Intel® AMT Service

The WakeUp Intel® AMT service must be configured to use one of the pre-configured authentication modes for managing the power state of the Intel® AMT machine. This section describes the setup in two modes: small business mode (SMB) using digest authentication and enterprise mode using Kerberos.

Small business mode (SBM)

The WakeUp Intel® AMT service runs as LOCAL SYSTEM and uses a username and password specified at install time to connect to Intel® AMT machines. The administrator can modify this username and password from the command-line.

Note

Setting the user name and password for HTTP digest authentication overrides the settings for enterprise mode.

The following parameters are supported by the command-line:

Parameter – Notes

  • UserName – The HTTP digest account name that is registered with the Intel® AMT Power Control realm on the machine.

  • Password – The HTTP digest password for the account name specified above.

In order to set the authentication to the default Intel® AMT username and password:

C:\Program Files\1E\WakeUp\Server>WakeUpAMT.exe -username=admin -password=admin

Enterprise mode

The WakeUp Intel® AMT service runs as a domain account that is a member of the Intel® AMT Collections Manager Active Directory group. The administrator can configure the service to run in this mode by manually configuring the service via the Service Control Manager MMC snap-in and forcing Kerberos authentication mode from the command line:

Property – Notes

  • UseKerberos – Specifies whether to use Kerberos with WinHTTP to connect to the Intel® AMT machines. Values are:

      • 0 – do not use Kerberos

      • 1 – use Kerberos

After modifying the properties of the service, run:

C:\Program Files\1E\WakeUp\Server>WakeUpAMT.exe -useKerberos=1
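
The following audit sketch is an added example, not part of the 1E documentation or product. It replays WakeUpAMT.exe command lines in time order and reports digest passwords passed on the command line, use of the default admin/admin pair shown above, and digest settings applied after Kerberos was forced (which, per the note in the small business mode section, overrides enterprise mode). The sample command lines, the finding names and the assumption that the command lines come from process-creation auditing are all constructed for illustration.

```python
import re

# Matches -name=value pairs. Accepts "-", "/" and the en dash that word
# processors substitute for "-" when commands are pasted from documents.
ARG_RE = re.compile(r'(?:^|\s)[-/\u2013](\w+)=("[^"]*"|\S+)')

def parse_args(cmdline):
    """Return WakeUpAMT.exe arguments as a dict with lower-cased keys."""
    if "wakeupamt.exe" not in cmdline.lower():
        return None
    return {k.lower(): v.strip('"') for k, v in ARG_RE.findall(cmdline)}

def redact(cmdline):
    """Mask the password value so the line can be stored or forwarded."""
    return re.sub(r'(?i)([-/\u2013]password=)("[^"]*"|\S+)', r'\1***', cmdline)

def audit(cmdlines):
    """Replay command lines in order and return (index, finding) tuples."""
    findings, kerberos_forced = [], False
    for i, line in enumerate(cmdlines):
        args = parse_args(line)
        if args is None:
            continue
        if args.get("usekerberos") == "1":
            kerberos_forced = True
        if "password" in args:
            findings.append((i, "password-on-command-line"))
            if (args.get("username"), args["password"]) == ("admin", "admin"):
                findings.append((i, "default-amt-credentials"))
        if ("username" in args or "password" in args) and kerberos_forced:
            # Per the page's note: digest settings override enterprise mode.
            findings.append((i, "digest-overrides-kerberos"))
            kerberos_forced = False
    return findings

# Constructed sample: process-creation command lines in time order.
SAMPLE = [
    r'"C:\Program Files\1E\WakeUp\Server\WakeUpAMT.exe" -useKerberos=1',
    r'C:\Windows\System32\sc.exe query',
    r'"C:\Program Files\1E\WakeUp\Server\WakeUpAMT.exe" -username=admin -password=admin',
]

if __name__ == "__main__":
    for idx, finding in audit(SAMPLE):
        print(idx, finding, redact(SAMPLE[idx]))
```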