Microsoft System Center Configuration Manager can provision an AMT / vPro client in two different capacities: Bare metal and Agent Initiated.  Bare metal provisioning begins with the AMT client sending a “hello packet” to the SCCM Out of Band Service Point; if the AMT client is approved and authorized to be provisioned, SCCM will initiated the provisioning process.  Agent Initiated provisioning begins with the SCCM Client Agent pulling down the “Automatic Provisioning” policy from the SCCM Policy Server; if the SCCM Client Agent receives the policy, the Agent will negotiated a One Time password (OTP) with the AMT ME firmware and send the provisioning request along with the OTP to the Out of Band Service point to begin the provisioning process.

Bare Metal / Hello Packet Initiated Provisioning
For Bare Metal provisioning to work properly on AMT / vPro Clients with firmware 2.x, there are a couple of prerequisites that must be met.

SCCM Server

• SCCM SP1 with Rollup Hotfix KB960804 or higher (full list of required hotfixes found here: http://communities.intel.com/docs/DOC-1897Required Software Bundles and HotFixes (KB’s) for System Center Configuration Manager SP1
• Intel WS-MAN Translator installed and configured (Download available from here: http://software.intel.com/en-us/articles/intel-ws-management-translator/ )
• SCCM configured for Out of Band Management (SCCM Quick Start Guide: http://communities.intel.com/docs/DOC-1754)

AMT Client

• AMT Firmware version that support PKI provisioning with SCCM.  For AMT 2.x Desktops and Laptops, you will want to ensure that you have a minimum of AMT Firmware 2.2.20 (Desktop) and 2.2.20 (Laptop).  Note: For AMT Desktops with firmware 3.x, you will want to ensure that you have firmware 3.2.2 or above to meet the minimal requirements.  AMT Laptops with firmware 4.x and Desktops with firmware 5.x have the minimum requirements meet from the initial firmware release.

SCCM Client Agent Initiated Provisioning
In addition to the prerequisites needed for Bare Metal provisioning, SCCM Agent initiated provisioning requires a couple additional items.

AMT Client

• AMT ME / HECI Driver installed (available from your OEM driver website)
• Execution of RNGSeedCreator.exe (Download available from here: http://communities.intel.com/docs/DOC-3807).  RNGSeedCreator.exe is an executable that is ran on an AMT / vPro client with firmware version 2.x that has never been configured or provisioned; this utility generates a random number for the firmware to support the OTP used during the SCCM Agent Initiated Provisioning process.  For SCCM PKI provisioning to complete successfully, the random number generated by RNGSeedCreator.exe must be completed prior to initiating provisioning via the SCCM Client Agent.Note: AMT / vPro clients with firmware version 3.x and higher do not need to have the RNGSeedCreator.exe ran prior to SCCM Agent Initiated provisioning.

If your AMT clients do not meet the minimal firmware version for PKI based provisioning (Bare Metal or Agent Initiated), you can use the software distribution capabilities within SCCM to remotely upgrade the AMT firmware and drivers; check out the following Blog / Video which walks you through creating this software package.  Similar to upgrading the AMT firmware with SCCM Software distribution, you can also use the same Software Distribution process to run the RNGSeedCreator.exe utility on your 2.2 (Desktop) and 2.6 clients.  If you wish to combine the firmware upgrade and RNGSeedCreator.exe execution into a single SCCM advertisement, you can construct a single task sequence that runs both the Firmware upgrade and RNGSeedCreator.exe software packages.  A guide on how to accomplish this has been included in the RNGSeedCreator download package.

Once the firmware has been upgraded to the minimal firmware version to support PKI provisioning and the RNGSeedCreator.exe has been run, SCCM Agent Initiated provision can complete successfully on 2.2 and 2.6 clients.

--Matt Royer

In order for Microsoft Systems Center Configuration Manager to provision a vPro system, via bare-metal provisioning, it needs to know its UUID (Also referred to as a GUID), MAC address, short name and FQDN.  This information can be collected into a CSV file and imported into SCCM manually, or automatically by leveraging a script and WMI.  This package will outline the security configuration and point you to resources you can use to create a script to automate this process.  You can get a copy here:

Update 6/25/2009:  An updated version of the script is available at the link below.

http://communities.intel.com/docs/DOC-3067

At MMS, Kiron Lahiri, Lead Systems Engineer for Client Systems, and Brian Boresi, Information Services Division, both with Sisters of Mercy Health System, talked about some of the powerful benefits of combining Intel vPro technology with Microsoft System Center Configuration Manager. Listen to the video and see how Sisters of Mercy Health System is benefiting from this combination of hardware and software in their infrastructure.

]]>

To see more videos from MMS, go to http://www.intel.com/go/mms/

While at MMS, Microsoft System Center Configuration Manager Program Manager Dave Randall demonstrated how Intel vPro Technology enhances Microsoft System Center Configuration Manager 2007 SP1. The videos below include demonstrations around secure remote power control, remote diagnosis and repair of troubled PCs, discovery of PC assets, and remote configuration.

1) Video demonstration of hardware-assisted Secure Remote Power Control:

]]>

2) Video demonstration of hardware-assisted Remote Diagnosis and Repair:

]]>

3) Video demonstration of hardware-assisted Discovery of PC Assets:

]]>

4) Video demonstration of Remote Configuration of Intel vPro technology:

]]>

Click here to learn more about the combination of Microsoft System Center 2007 products with Intel vPro technology: http://communities.intel.com/community/vproexpert/microsoft-vpro

At MMS, we had Brad Anderson, General Manager of Microsoft Management and Services Division, and Gregory Bryant, Intel VP and General Manager of the Digital Office Platform Division, answer some questions about the new capabilities in System Center Configuration Manager 2007 SP1 with Intel vPro technology. See their responses below.

1) How does Intel vPro Technology fit into System Center Configuration Manager 2007 SP1?

]]>

2) What can IT expect in terms of the level of integration of Intel vPro Technology into System Center Configuration Manager 2007 SP1?

]]>

3) Why should IT now take advantage of Intel vPro Technology and System Center Configuration Manager 2007 SP1?

]]>

4) When should enterprises activate Intel vPro Technology with System Center Configuration Manager 2007 SP1 in their PC infrastructure?

]]>

5) Last, we asked a series of questions about System Center Configuration Manager 2007 SP1 Support for the Current Generation of Intel vPro Technology with WS-MAN Support, as well as with Legacy Generations of Intel vPro technology.

]]>

To see more videos, demonstrations, interviews and more from MMS 2008, go to http://www.intel.com/go/mms/

Hello to the vPro community!

I'm David Randall, and have been working in the Configuration Manager team over the last year to develop our integration with Intel's AMT hardware.

I recently attended MMS 2008, and was very happy to hear all the enthusiasm around the Configuration Manager integration, and your plans to use vPro in conjunction with ConfigMgr.

I plan to post here weekly with new information that we've learned about ConfigMgr / AMT integration, help you with some walk throughs, list interesting new uses for vPro and where possible, help you streamline your Configuration Manager deployment with vPro.

Thanks, and here's to out of band management!

David Randall

Program Manager, Microsoft