Introducing NightWatchman Enterprise 7.3
How it works
Quick starts, evaluations and pilots
Working with NightWatchman Enterprise
Although the device can be configured to operate in both modes, the WakeUp Intel® AMT component can only be configured to work in a single mode. Please refer to thefor details on how to set up the preferred authentication mode and realms.
Configuring WakeUp to use AMT instead of Last Man Standing
In order to wake machines up, WakeUp in multi-agent mode requires a single machine on the subnet to be always awake to receive messages from the WakeUp service on Primary Configuration Manager Server. There are two alternative methods that WakeUp can use to achieve this.
- The administrator can enable Last Man Standing (LMS) in the 1E Agents to allow the agents to constantly monitor shutdowns to keep a single machine up in the subnet.
- With the WakeUp Intel® AMT component, if an Intel® AMT machine is available in the subnet; WakeUp LMS can be disabled allowing all machines to be shut down in the subnet. The Intel® AMT machine on the subnet can then be awoken remotely to act as an agent for waking up targeted machines on the subnet.
Last Man Standing is disabled on the 1E Agent with
LASTMANENABLED=0. This can be set during an installer repair, if the 1E Agent has already been installed to use LMS.
WakeUp Intel® AMT component and Configuration Manager
The WakeUp Intel® AMT component installs an additional service on the Configuration Manager Server that communicates with WakeUp. This service queries Configuration Manager for discovered Intel® AMT machines and dispatches SOAP messages to wake up them.
Intel® AMT machines discovery
The 1E Agent service installed on every machine attempts to communicate with Intel® AMT Board Management Controller via the Management Engine (ME) interface driver or Host Embedded Controller Interface (HECI) driver. The state set by the 1E Agent is sent to Configuration Manager as an extension to hardware inventory. A hardware inventory WMI class, called
SMS_G_SYSTEM_WAKEUP_1E_IAMT, is created in Configuration Manager that contains a list of all machine resources known to Configuration Manager that are Intel® AMT machines with 1E Agent installed.
Waking up an Intel® AMT machine
WakeUp only requires a single machine in a remote subnet to wake up targeted machines on the subnet. If the existing agent finder in WakeUp fails to find any currently awake machines in the subnet, it dispatches a request to the WakeUp Intel® AMT Service to find a suitable agent in the subnet and wake it using an Intel® AMT SOAP message and the pre-configured authentication mechanism. WakeUp subsequently uses the 1E Agent on that machine to wake up other targeted machines on the subnet using magic packet technology.
Configuration Manager Integration
The WakeUp Intel® AMT component needs to be installed on all Configuration Manager Primary Site Servers where WakeUp is installed. It uses system inventory information to send out SOAP messages on requests from the WakeUp service in time for any advertisement schedules.
WakeUp Intel® AMT feature pack components
The main feature pack consists of:
- WakeUp Intel® AMT service
- 1E Agent and extensions to Configuration Manager hardware inventory
WakeUp Intel® AMT service
The WakeUp Intel® AMT service is responsible for communicating with the WakeUp service and sending SOAP messages to Intel® AMT machines via the preconfigured authentication mechanism.
When running with Configuration Manager this service should be installed in each Configuration Manager Site server in the hierarchy that has WakeUp installed – providing the site has Intel® AMT Configuration Manager clients and those clients have been provisioned.
When running solely with NightWatchman Management Center, this service only needs to be installed on the WakeUp Server set as the NightWatchman Management Center wake up provider.
If Intel® AMT is configured in enterprise mode using Active Directory for authentication with Kerberos, the service will run using an account that is a member of the Intel® AMT Collections Managers group. The WakeUp Intel® AMT service will attempt to use
WinHTTP to impersonate the account and connect to the targeted machine.
If Intel® AMT is configured in small business mode; the WakeUp Intel® AMT service will use a username and password for digest authentication. Once installed, WakeUp will detect the WakeUp Intel® AMT service and dispatch requests when agents are not found on a targeted subnet.
The WakeUp Intel® AMT component provides an alternative to the Last Man Standing mechanism. The alternative still relies on the 1E Agent being installed on every machine. The 1E Agent is responsible for discovering the Intel® AMT Board Management Controller and building up a database of Intel® AMT machines in Configuration Manager or NightWatchman Management Center. Once discovered, the WakeUp Intel® AMT Service will wake up the machine. The 1E Agent on the machine will receive instructions from WakeUp Server to send out magic packets to any systems that need waking.
Intel® AMT support for Last Man Standing
Computers that have Intel® AMT hardware and are configured to support remote wake ups circumvent the WakeUp requirement that there is at least one 1E Agent on the subnet running to handle wake up signals from WakeUp Server. This is because WakeUp is able to use the Intel® AMT capabilities to wake the machine remotely without using magic packet broadcasts, which are liable to be disabled in secure networks.
To use Intel® AMT for a subnet where such hardware exists instead of Last Man Standing, you need to enable the Intel® AMT option during WakeUp Server installation and, except for the 1E Agent on the Intel® AMT computer, install all the other 1E Agents on the subnet with
Configuration Manager Hardware Inventory
A hardware inventory WMI class is created by extending the Configuration Manager Hardware Inventory MOF compiled. Hardware inventory information sent by every Configuration Manager client will contain extended data identifying whether the machine resource is an Intel® AMT machine.
This information is used to enhance the existing hardware inventory information in Configuration Manager providing the WakeUp Intel® AMT service with a means of identifying Intel® AMT machines for a specific subnet.
NightWatchman Management Center Inventory
When running solely with the NightWatchman Management Center, the 1E Agent sends information about the computers running Intel® AMT to be stored in the NightWatchman Management Center database.
Configuring the WakeUp Intel® AMT feature pack
This section describes the two different authentication modes for Intel® AMT and then shows how the individual components of the WakeUp Intel® AMT component are configured. Typically, WakeUp Intel® AMT is configured once and subsequently works without the need for further intervention – thereby providing set and forget functionality.
The WakeUp Intel® AMT component is designed to self-register with an existing WakeUp Server ensuring zero configuration for WakeUp itself. During installation, the WakeUp Intel® AMT service registers a free
TCP/IP port on the server with WakeUp Server. Thereafter, WakeUp Server automatically detects the service whenever it needs to dispatch requests to wake up remote Intel® AMT machines.
When starting up, the 1E Agent runs an inexpensive test to check whether its local machine is an Intel® AMT machine. A local registry key is updated which is in turn picked up by the ConfigMgr client and sent up to the ConfigMgr Server on each Hardware Inventory cycle.
Configuring the WakeUp Intel® AMT Service
The WakeUp Intel® AMT service must be configured to use one of the pre-configured authentication modes for managing the power state of the Intel® AMT machine. This section describes the setup in two modes: small business mode (SMB) using digest authentication and enterprise mode using Kerberos.
Small business mode (SBM)
The WakeUp Intel® AMT service runs as
LOCAL SYSTEM and uses a username and password specified at install time to connect to Intel® AMT machines. The administrator can modify this username and password from the command-line.
The following parameters are supported by the command-line:
|UserName||The HTTP digest account name that is registered with the Intel® AMT Power Control realm on the machine.|
|Password||The HTTP digest password for the account name specified above.|
In order to set the authentication to the default Intel® AMT username and password:
The WakeUp Intel® AMT service runs as a domain account that is a member of the Intel® AMT Collections Manager Active Directory group.The administrator can configure the service to run in this mode by manually configuring the service via the Service Control Manager MMC snap-in and forcing Kerberos authentication mode from the command line:
|UseKerberos||Specifies whether to use Kerberos with |
After modifying the properties of the service, run: