
Intel vPro Expert Center Blog

39 Posts tagged with the centrino_pro tag
1

A user asked us why we didn't have information about buying vPro PCs on the Expert Center. Well, here it is! I am compiling a list of the different manufacturers and their vPro landing pages. It will continue to grow as I find more information.

 

Find it here: Where can I buy vPro PCs?

 

You'll find more detailed information about specific model numbers in this document: Order an activation-ready PC

 

As always, let me know if you need additional information. I'm growing these documents, so check back!

1 Comments Permalink
0

While at ManageFusion, we had Symantec Director of Strategic Alliances Kevin Unbedacht discuss how Intel vPro Technology enhances the Symantec Altiris Client Management Suite. The videos below include demonstrations around power management with secure power-on, remote diagnosis and repair of troubled PCs, isolation and repair of infected PCs, and discovery of PC assets.

 

  • Hardware-assisted Power Management with Secure Power-On

 




 

  • Hardware-assisted Diagnosis and Repair of PCs Remotely (by getting into PC's BIOS settings):

 




 

  • Hardware-assisted Diagnosis and Repair of PCs Remotely (by remote booting PC to fix-it image on the network):

 




 

 

  • Hardware-assisted Isolation and Recovery of Infected PCs:

 




 

  • Hardware-assisted Discovery of PC Assets

 




 

Click here to learn more about the combination of Symantec products with Intel vPro technology: http://www.earlyroi.com/

0 Comments Permalink
2

Sometimes within Intel Marketing, we're told that our description of Intel Centrino with vPro technology or Intel Core 2 with vPro technology is a bit lengthy. Therefore, while at ManageFusion, we asked Intel customers as well as technical experts from Intel and Symantec to give us their best, most concise acronym that best describes Intel vPro Technology. Listen to their responses below.

 



 

 

2 Comments Permalink
0

While at ManageFusion, Intel had an opportunity to talk with four leading Symantec Service Integrators who have started deploying and activating PCs with Intel vPro technology within their customers' environment.

 

In the video below, listen to their thoughts on:

  • When to activate Intel vPro technology

  • How Intel vPro technology seamlessly complements the Symantec Altiris Client Management Suite

  • How Intel vPro technology delivers on the promise of Wake-On-Lan by being both much more secure and more reliable

  • Thoughts on increased customer service levels and return on investment with Intel vPro technology

 



 

0 Comments Permalink
1

 

Remote Configuration is the zero-touch configuration mechanism that allows Intel vPro AMT systems to be set up for AMT management without any manual intervention. This article covers the Best Practices for setting up Remote Configuration and using the Out of Band Delayed Provisioning Task to remotely and automatically provision systems for use within the Altiris infrastructure.

 

 

 

Introduction

In an ideal environment, vPro systems will automatically Provision without any interaction with the Administrator, allowing the versatile and robust functionality of AMT to be available immediately out of the gate. In this article we'll cover how to set up just such a scenario, but also how to use Out of Band Management's Delayed Provisioning Task to 'kick-start' any AMT system that is no longer sending out configuration requests. Reasons for this need include:

 

  1. The system is powered on in a location that does not have access to the Provisioning Server

  2. The system is unable to be Provisioned due to changing identities while being setup in its Fully Qualified Domain Name (FQDN)

  3. The IP Address changes during the Provisioning process and the Provision Server is unable to contact it back to Provision

 

Remote Configuration

Remote Configuration uses a certificate-based authentication model with preloaded certificate hashes to allow a quick and automated process for Provisioning the AMT systems in the environment. The certificates require a vendor-certified cert from Verisign, GoDaddy, or Comodo. While you can set your own cert and load your own hashes in the firmware of AMT systems, doing so turns the ease of Remote Configuration into a cost, whether by having the OEM load the proprietary cert for a fee, or by requiring a configuration step to load the hashes manually into the firmware.

 

 

Certificates

The firmware will already contain the hashes for Verisign, GoDaddy, and Comodo certificates (more vendors will be added in later versions of AMT). Server-side certificates need to be loaded and registered on the Provision Server, and within Out of Band Management on the Altiris Notification Server. Please see the following article for more information on Remote Configuration:

 

http://juice.altiris.com/article/3866/frequently-asked-questions-about-remote-configuration

 

 

 

 

 

For a specific reference for what items are required, review the section labeled:

 

 

What core items MUST be defined in the provisioning certificate?

 

 

Also look at the section pointing to how to acquire a certificate (other links):

 

 

What resources or guidance are available for acquiring one of the core external certificates?

 

 

 

 

 

Additional information:

 

 

The Provision Server must be registered with DNS, accessible by the Intel AMT device via a CNAME value of 'ProvisionServer' pointing to the IP address of the Notification Server. Note that in a multi-domain infrastructure (including root-child domain infrastructures), multiple CNAME entries must be set up so that the suffixes cover all network segments the server will be managing.

 

 

 

 

 

The Provision Server requires a certificate with the appropriate OID or OU, issued by a Certificate Authority (CA) whose root certificate hash is stored on the Intel AMT systems. The OID must be of the type 'Server Authentication Certificate' with the Intel setup extension: 1.3.6.1.5.5.7.3.1, 2.16.840.1.113741.1.2.3, OR the OU value in the Subject field must be "Intel(R) Client Setup Certificate".

 

 

 

 

 

The Subject CN must be either the fully qualified domain name (FQDN) of the platform running the service (example: Provisionserver.symantec.us), or the domain suffix of the platform (example: *.symantec.us.com or *.symantec.com).
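The OID/OU and Subject CN rules above, together with the per-suffix 'ProvisionServer' CNAME requirement, can be checked before the certificate is loaded into Intel SCS. The following Python is an added example, not code from Altiris or Intel: the `CertFields` container, the function names and the example.com hosts are assumptions, and the field values are expected to come from whatever X.509 tool you use to read the certificate.

```python
from dataclasses import dataclass, field

# Values quoted from the certificate requirements in this article.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"        # Server Authentication
INTEL_SETUP_OID = "2.16.840.1.113741.1.2.3"  # Intel setup extension
INTEL_SETUP_OU = "Intel(R) Client Setup Certificate"


@dataclass
class CertFields:
    """Hypothetical container for fields already read from the certificate."""
    subject_cn: str
    subject_ous: list = field(default_factory=list)
    eku_oids: list = field(default_factory=list)


def _norm(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.strip().lower().rstrip(".")


def cn_matches(subject_cn, server_fqdn):
    """CN is either the server FQDN or a '*.suffix' covering that FQDN.

    Assumption: '*.suffix' is treated as a domain-suffix match (any depth),
    following the article's wording, not as a single-label TLS wildcard.
    """
    cn, host = _norm(subject_cn), _norm(server_fqdn)
    if cn.startswith("*."):
        suffix = cn[1:]                      # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return cn == host


def check_provisioning_cert(cert, server_fqdn):
    """Return a list of findings; an empty list means the rules are met."""
    findings = []
    has_oids = {SERVER_AUTH_OID, INTEL_SETUP_OID} <= set(cert.eku_oids)
    has_ou = INTEL_SETUP_OU in cert.subject_ous
    if not (has_oids or has_ou):
        findings.append("no setup marker: need both OIDs or the Intel setup OU")
    if not cn_matches(cert.subject_cn, server_fqdn):
        findings.append(f"Subject CN {cert.subject_cn!r} does not cover {server_fqdn}")
    return findings


def missing_cnames(dns_suffixes, cname_records):
    """List the ProvisionServer.<suffix> names that have no CNAME record."""
    present = {_norm(r) for r in cname_records}
    return [f"ProvisionServer.{s}" for s in dns_suffixes
            if _norm(f"ProvisionServer.{s}") not in present]


if __name__ == "__main__":
    # Constructed sample data, not taken from a real deployment.
    server = "provisionserver.corp.example.com"
    samples = {
        "oid-based": CertFields(server, [], [SERVER_AUTH_OID, INTEL_SETUP_OID]),
        "ou-based wildcard": CertFields("*.example.com", [INTEL_SETUP_OU], []),
        "plain web cert": CertFields("www.example.com", ["IT"], [SERVER_AUTH_OID]),
    }
    for label, cert in samples.items():
        print(label, "->", check_provisioning_cert(cert, server) or "OK")
    print("missing CNAMEs:",
          missing_cnames(["corp.example.com", "emea.example.com"],
                         ["ProvisionServer.corp.example.com"]))
```
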

 

 

 

Remote Configuration Process

The following process documents how the Remote Configuration Process works. This high-level overview will be referenced in the subsequent sections covering Delayed Provisioning. The following process assumes that the AMT System can reach the Provision Server and won't change identity through typical setup methods such as imaging or configuration scripts that change the FQDN and/or Hostname of the system (including adding the system to a Domain).

 

 

 

 

The following steps must be completed before Remote Configuration will work in the environment. They are detailed with step-by-step processes in the Out of Band Management 6.2 Administrator's Guide, located here: http://www.altiris.com/upload/outofbandrefsep18.pdf

 

 

  • Setting up Intel AMT using Remote Configuration - Page 44

    • Certificate provider - Page 44

  • Preparing a Certificate Template - Page 45

  • Issuing a New Template - Page 46

  • Preparing a Certificate Request - Page 47

  • Acquiring a Certificate from an External Certificate Vendor - Page 48

  • Installing the Remote Configuration Certificate - Page 48

  • Loading the Certificate into Intel SCS - Page 49

  • Enabling the Remote Configuration Feature - Page 49

 

 

 

Note that not all the sections need to be accomplished depending on what method you use. If you're creating your own certificate:

 

 

  • Preparing a Certificate Template

  • Issuing a New Template

  • Preparing a Certificate Request

 

...should be used. Otherwise, the 'Acquiring a Certificate from an External Certificate Vendor' section, along with the previous links provided on the subject, should be consulted. Remember this is the recommended method since it requires no special processes to be in place to ready the AMT systems for Provisioning.

 

Delayed Provisioning

The purpose of Delayed Provisioning is to Provision those systems that failed the original Provision attempt. This includes failure at any part of the Remote Configuration/Provisioning process. Failure points include:

 

  • Hello Packet does not reach the Provision Server during the 24-hour period hello packets are sent

  • The IP Address changes after the Provision Server initially receives the hello packet and hasn't sent down a profile to complete the provisioning process

  • The FQDN changes, forcing an IP Address change from DHCP so when the OS is up, the Provisioning Server can't reach the system

  • The Provision Server is unable to complete the process due to a number of causes, including network access problems, firewalls, subnet locations, etc...

 

 

 

The following items must be in place for Delayed Provisioning to work:

 

 

  1. AMT System must be in Setup Mode (pre-provisioned). This means the system must be in the state where it is using Remote Configuration and will use the provided hashes.

  2. The system must have a functioning Windows Operating System.

  3. The Altiris Agent must be installed and functioning within the OS.

  4. The Out of Band Task Agent must be installed within the Altiris Agent.

  5. The Delayed Provisioning Task must be enabled to target the AMT systems in question.

 

Delayed Provisioning Process

The following process details how Delayed Provisioning works from start to finish. In essence the process ‘kick starts' the hello packet process, allowing the Provision Server to receive fresh data on the system, allowing it to properly contact and provision it. The following diagram shows a high-level view of the Delayed Provisioning Process:

 

 

 

 

 

 

Full steps:

 

 

  1. The AMT System must be in Remote Configuration setup mode. This is the default mode for AMT 2.2, 2.6, and 3.0.

  2. Install the Altiris Agent on the system. Check the Notification Server reference guide for methods.

  3. In the Altiris Console, go to View > Solution > Out of Band Management > Out of Band Discovery.

  4. Enable the Out of Band Discovery Policy. This will help with the Provision process after the Delayed Provisioning Task executes.

  5. Now go up a level and browse down into Out of Band Task Agent Rollout.

  6. Add the collection: Non-Provisioned Intel® AMT Computers to the Policy by clicking on the Collections listed under ‘Applies to Collections' and browsing to it under ‘Out of Band Management', ‘Provisioning'.

  7. Enable the Out of Band Task Agent Install Policy.

  8. Browse in the Altiris Console under View > Solutions > Out of Band Management > Configuration > Provisioning > Delayed Provisioning > and select the ‘Delayed Provision' Task.

  9. Concerning the options:

    1. Override OTP: - If you don't want to use a random AMT password, check this option.

    2. Switch to AMT: - Unless you're using ASF and want to keep using it on those computers that have it enabled, check this option.

    3. Ignore intermediate errors: - Don't check this option unless there's a reason to ignore DNS and OTP errors.

  10. Leave it on a Daily Schedule. Systems that run this and provision will drop out of the collection and not run the policy again.

  11. Enable the Policy.

 

 

 

Once the above steps have been completed, the process should be automated as long as steps 1 and 2 are met. The collections will properly target each system so that the right steps occur in the right order.

 

 

 

Conclusion

The Delayed Provisioning Task allows an administrator to catch those systems that have not provisioned due to a number of reasons. This allows the systems to get provisioned in a targeted fashion, and if properly configured make it completely automated. As of version 6.2 of Out of Band Management, this only applies to provisioning by Remote Configuration. Please check these other articles for details on how to provision systems if not using Remote Configuration:

 

http://juice.altiris.com/article/3612/using-intels-rct-tool-restart-amt-hello-packets-enterprise-provisioning

 

 

 

 

 

Lastly, this process does not touch on certificates used to encrypt AMT management traffic. This is the TLS option set in a Profile for any communication after the AMT system has been properly setup and configured. The certificate obtained for Remote Configuration is only for the Setup and Configuration process (also known as Provisioning).

 

 

1 Comments Permalink
2

While at ManageFusion, we had a chance to talk with Lee Bender, Senior Technical Strategist for the Intel Alliance at Symantec Corporation.

 



 

Lee showed off how the Symantec Backup Exec System Recovery (BESR) takes advantage of Intel vPro technology. Intel vPro technology extends the reach of BESR, and helps prevent an IT administrator from visiting an end-user's desktop or notebook by enabling remote diagnosis and repair of a downed PC with an unavailable Operating System.

 

 

Watch Lee's demonstration of Intel vPro technology with Symantec BESR below:

 

 

 

2 Comments Permalink
0

Day 2 at ManageFusion

Posted by FrankEngelman Apr 10, 2008

 

The Norton Backup Exec looks very promising as a recovery tool now that it uses WinPE... Maybe we can take a recovery point and convert to VMware or MS VM image - possibly use this as temporary system for users while their system is being worked on?

 

 

The Altiris CMS version 7 (beta) integrates many of the Norton suite features- of interest to me was the choice of PCanywhere, RDP OR VNC as a remote control

 

 

Symantec announced at the event that they purchased AppsStream and plan to integrate it into Altiris NS.

 

 

The next gen Ghost product includes many new features including Ghconfig, which can be used to rename a system.. this may be useful for easily renaming waterfalled (hand me down) systems...

 

 

 

 

0 Comments Permalink
2

Day 1 at ManageFusion

Posted by FrankEngelman Apr 10, 2008

 

There were two sessions at ManageFusion 2008 on saving energy on clients in the corporate environment. Almost all hands went up when the question was asked "How many of you have a corporate initiative for green IT?"

 

HP is pursuing a "top down" power management tool from Verdiem Surveyor for the corporate environment as well as a "bottoms up" tool ("HP Power Manager") for installation on clients that lets employees see the actual $ impact of their energy savings using a simple slider bar. I will post the HP link for the client tool on my BLOG when it becomes available.

 

 

Gartner says PCs consume 40% of the power, servers are 22% even though most enterprises think it's the servers

 

 

"It's really neat that HP and others are offering tools to shut down systems to save power, but I want my users to be able to use their system as soon as they come to work without waiting for patches..." and the answer from the presenter was "...what you need is Intel AMT... it can wake systems for patching and put them back to sleep..." The audience had not heard of this...

 

 

The hard drive password issue that many companies are facing doing wakeup&patch can be solved by Danbury and a good ISV console

 

 

The Altiris Backup Exec Recovery solution using WinPE looks very promising

 

 

2 Comments Permalink
0

I'm on my way to the Altiris Manage Fusion conference in Las Vegas...I know, I know, tough duty ... but after just getting off 24 hours of continuous air travel with layovers to meet with Intel vPro design engineers and the Intel IT Operations support staff in the Middle East, I am a bit tired.

 

Since I work in the Intel IT Innovation Centre where I test new vPro console offerings from various vendors as well as developing support models for Intel IT OPs, I'm looking forward to reviewing the new Altiris offerings and will post my findings here... good night - my body clock says 4 AM

0 Comments Permalink
2

On April 8th, Intel Vice-President Gregory Bryant was part of the opening ManageFusion keynote led by Symantec's Steve Morton.

 

In the first part of the keynote, Steve talked about his travels to Intel to learn more about Intel vPro technology. Then Gregory talked about how customers are realizing value today with Intel vPro technology through better remote management, better power management and better security policies - essentially allowing IT administrators to "levitate." View the first part of the keynote below:

 

 

 

 

Then, Gregory (along with Steve) introduced Ted Wilkinson, an IT Vice-President at Bank of NY-Mellon. He talked about his infrastructure of 47,000 PCs after the integration of Bank of NY with Mellon Bank, and how Intel vPro technology helps his new infrastructure with enhanced remote power control and remote remediation - which eliminates costs within his new infrastructure.

 

Also, Gregory discussed future Intel vPro technology directions - including:

 

    • The dynamic virtual client - which blends the manageability of thin clients with the ability to take advantage of the performance of thick clients

    • The ability to manage laptops and desktops that are outside of the corporate firewall starting with Intel vPro technology that come out mid 2008

    • The integration of hard drive encryption with Intel vPro technology starting in Q3'08 that is easy to manage

 

View the second part of the keynote with Gregory below:

 

 

2 Comments Permalink
0

If you want to upgrade your Centrino Pro laptop from AMT 2.5 to 2.6 to take advantage of Remote Configuration (RCFG, AKA "Zero Touch"), it can be done, but there are a few gotchas you need to be aware of:

 

First, the basics: There are two independent Firmware components at play: The ME Firmware, which is the actual AMT embedded software, and MEBx, which is a BIOS extension that provides the interface to configure AMT.

 

Once you have upgraded the AMT ME Firmware to 2.6 (that you downloaded from the Intel web site), your MEBx remains at a previous version (i.e. 2.5). So, when you go to the MEBx screen (using Ctrl-P), what you see at the top right of the screen is the version of MEBx, not AMT. Many people are confused by that and think that this is the AMT version, which it is not. To see the actual AMT version, you can either run MEInfo (a tool which is available with the FW download), or simply log in to AMT through the webUI.

 

Here is the complication: MEBx, being the older version, does not expose 2.6 features (such as managing certificate hashes), so how can you provision the system in RCFG? As it turns out, when you "un-provision" the client, AMT goes to a default state which is 'ready for RCFG'. Since it has the built-in certificate hashes, it can be provisioned with one of them. But again, since MEBx 2.5 does not provide access to certificate management, you cannot add your own certificate hashes.

 

 

This complication stems from the fact that OEMs have not yet posted release 2.6. Usually, an OEM's FW release will include both MEBx and AMT as one package. When you download AMT from the Intel web site, you get only the AMT FW (MEBx is vendor specific). Once OEMs post 2.6 on their websites, both MEBx & AMT FW will match and there will be no confusion.

 

 

Happy upgrade!

--Noah Inbar

 

 

0 Comments 0 References Permalink
0

Today we are announcing version 1.0.5.4 of the packet decoder. This version includes some minor bug fixes as well as two important enhancements:

 

+ Prerelease* support for Intel® AMT Versions 4 & 5

+ Results search & sort

+ Logging

*Due to hardware availability, not all constructs have been tested

 

These enhancements are in direct response to user requests.

 

Here's a 5 minute movie on the tool.

 

We are currently reviewing other users' feedback to determine what the next update will contain and when it will be available. Stay tuned.

 

DOPD Software Engineering Team

0 Comments 0 References Permalink
0

Last month's post of the open source packet decoder is just the first of a strong list of tools planned by the team that brings you the Technology Test Utility. The iCSO software engineering team is chartered with making utilities and applications available to the public that accelerate and simplify the adoption and activation of Intel vPro technology.

 

We will be maintaining these tools and look forward to your feedback, suggestions, and participation in making these tools the best they can be for you and the marketplace. Our commitment is to post new versions of each tool at least every other month and of course post earlier if issues are found that render the tool less than useful.

 

The next tool we will be posting is a Pre-Installation Utility intended to speed the first user experience and automate as much as possible the initial setup of the Intel® AMT(tm) Setup and Configuration (aka SCS) environment in enterprise mode. Coupled with post setup wizards it will enable users to provision devices with minimal effort and time.

 

 

We look forward to hearing your feedback on our efforts.

 

 

Intel's iCSO Software Engineering Team

 

 

0 Comments 0 References Permalink
1

 

I've started a discussion thread titled Your vPro Tools Wishlist, hoping to gather input from the community on suggestions for tools that would make things easier, be that deployment tools, provisioning tools, what have you.

 

 

 

 

I'm trying to build a list from both internal and external sources so we can prioritize and start delivering some valuable utilities. Here's your chance to let us know about your idea for that super special tool that will make things easier.

 

 

Jeff

 

 

1 Comments Permalink
0

Here are a few quick updates on OEM systems that may help with Intel vPro deployments:

 

  • Intel Centrino Pro systems do support USB one-touch, although experiences may differ. For best results, ensure the system BIOS has Intel AMT and USB enabled for this capability. Below is a screenshot of an HP6910p - with the targeted feature highlighted
    !HP6910p USB enable.gif!


Systems are showing an all-zero or identical UUID across multiple systems in the provisioning console or when accessing the WebUI. This error has appeared on many platforms and is due to an incorrect setting in the MEBx firmware. The system and MEBx UUID should match for each system. The UUID is required to uniquely identify the system (hence the name - universally unique identifier). On some platforms, the UUID reported by the MEBx appears valid yet is the same on multiple systems. The following methods can be applied to remedy this situation.


  • Apply the latest BIOS\firmware updates for the target platform. For HP Centrino Pro units - refer to SP36968. For Dell 755 - refer to BIOS A04 or higher. Other OEM vendors may have similar BIOS\firmware updates to address (if not - see next item)
  • Fully unprovision the MEBx. This will reload the system UUID into the MEBx tables.
  • If deploying the SMS add-on, include hotfix 3

Intel vPro systems that are in a setup state (e.g. the pre-shared provisioning keys have been entered into the system), will retain the state if the firmware is updated. This becomes pertinent for Intel AMT 2.1 to 2.2 updates (similarly for systems that support Intel AMT 2.5 to 2.6 upgrades).

If a system is in a setup state for enterprise provisioning, and the hello packet sequence has stopped, the following options are available.


  • An ISV provided agent to restart the hello packet sequence. One example is the Altiris OOB Task Agent.
  • For environments using the Intel Setup and Configuration service (check windows services for "AMTconfig.exe"), the Remote Configuration Tool (RCT.exe) can restart packets on Intel AMT 2.2 and 3.0 systems. The utility is available within the latest Intel SCS download
  • Remove and reapply power to the system. For Intel Centrino Pro systems, powering the system off and unplugging the power cord will suffice. Realize this option is not favorable when multiple systems have been deployed - yet this is viable for lab, staging, and testing environments.

 


 

Hope these tidbits help.

 

Well - it's back into the trenches. Until next time

0 Comments Permalink