
In order for Microsoft System Center Configuration Manager to provision a vPro system via bare-metal provisioning, it needs to know the system's UUID (also referred to as a GUID), MAC address, short name and FQDN.  This information can be collected into a CSV file and imported into SCCM manually, or automatically by leveraging a script and WMI.  This package will outline the security configuration and point you to resources you can use to create a script to automate this process.  You can get a copy here:

 

Update 6/25/2009:  An updated version of the script is available at the link below.

 

http://communities.intel.com/docs/DOC-3067

1 Comments Permalink
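
The post above names four values SCCM needs for each machine: UUID, MAC address, short name and FQDN. As an added example (not the script from the Intel package), the PowerShell below reads them from WMI on the local machine and writes one CSV row per physical network adapter; the function names, column names, column order and output path are assumptions, so match them to the import format you actually use.

```powershell
# Added example, not the script from the Intel package.
# Function names, CSV column layout and output path are assumptions.

function Test-SmbiosUuid {
    param([string]$Uuid)
    # Must be a well-formed UUID string.
    if ($Uuid -notmatch '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$') { return $false }
    # All-zero and all-F values are firmware placeholders; importing them would make
    # several machines share one identifier.
    return (($Uuid -replace '-', '') -notmatch '^(0+|F+)$')
}

function Get-AmtImportRecord {
    $product = Get-CimInstance -ClassName Win32_ComputerSystemProduct
    $system  = Get-CimInstance -ClassName Win32_ComputerSystem

    if (-not (Test-SmbiosUuid -Uuid $product.UUID)) {
        throw "SMBIOS UUID '$($product.UUID)' is malformed or a firmware placeholder."
    }
    if (-not $system.PartOfDomain) {
        # Outside a domain, Win32_ComputerSystem.Domain holds the workgroup name, not a DNS suffix.
        throw "$($system.Name) is not domain-joined, so no FQDN can be built for it."
    }

    # DNSHostName is used instead of Name because Name is the NetBIOS name (15 characters at most).
    $fqdn = ('{0}.{1}' -f $system.DNSHostName, $system.Domain).ToLowerInvariant()

    # One row per physical adapter; the adapter name is included so the row for the
    # interface used by the management controller can be picked out before import.
    $filter = 'PhysicalAdapter = TRUE AND MACAddress IS NOT NULL'
    foreach ($nic in (Get-CimInstance -ClassName Win32_NetworkAdapter -Filter $filter)) {
        [pscustomobject]@{
            UUID      = $product.UUID.ToUpperInvariant()
            MAC       = $nic.MACAddress
            ShortName = $system.DNSHostName
            FQDN      = $fqdn
            Adapter   = $nic.Name
        }
    }
}

# Hypothetical output location.
$outFile = Join-Path $env:TEMP 'amt-import.csv'
Get-AmtImportRecord | Export-Csv -Path $outFile -NoTypeInformation -Encoding ASCII
```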

This information is based on Microsoft’s beta release of System Center Configuration Manager Service Pack 2 and is subject to change.

Within the SCCM SP2 beta, Microsoft has included support for AMT Audit Log.  Audit Log was introduced in AMT version 4 and provides a mechanism to capture the occurrence of significant AMT events and who performed those actions.

Before you begin, you must configure which AMT Audit Log events SCCM SP2 turns on.  This can be done by selecting Out of Band Management properties under "Site Database" -> "Site Management" -> <Site Code> -> "Site Settings" -> "Component Configuration" -> “Audit Setting” Tab.

Unlike other AMT feature enablement with SCCM, Audit Log is not enabled during provisioning or through the Update Management Controller process; it must be performed as a post-provisioning step.  To enable the AMT Audit Log, you must right-click on the AMT client and select “Out of Band Management” -> “Enable Auditing and Apply Audit Log Settings”.  You can also disable and clear the audit log from this menu.

Once enabled on the AMT client, you can access the AMT Audit Log through the Out of Band Management Console, available by right-clicking on the AMT client and selecting “Out of Band Management” -> “Out of Band Management Console”.

--Matt Royer

2 Comments Permalink

This information is based on Microsoft’s beta release of System Center Configuration Manager Service Pack 2 and is subject to change.

As noted in one of the previous posts, SCCM SP2 has extended support for AMT / vPro Wireless Out Of Band use cases.  If you open Out of Band Management Component Configuration under "Site Database" -> "Site Management" -> <Site Code> -> "Site Settings", you will notice that there is a new tab for “802.1X & Wireless”.

When you click the new icon, you will be given the opportunity to create your AMT wireless profile.

There are a couple of interesting things to point out.  First, SCCM SP2 supports AMT wireless security types of WPA-Enterprise and WPA2-Enterprise; WPA-Personal and WPA2-Personal are not supported.

Second, the encryption method can be either TKIP or AES.

Third, you will notice that 802.1x authentication is required for the wireless connection; the supported client authentication methods are EAP-TLS, EAP-TTLS/MSCHAPv2, or PEAPv0/EAP-MSCHAPv2.

The 802.1x trusted root certificate can be loaded from either a file or pulled directly from your CA infrastructure.

The Radius Client Certificate (depending on the authentication method chosen) allows you to choose a desired certificate template from one of your Microsoft Enterprise Certificate Authorities.

Once the wireless settings have been configured in the Out of Band Management Component Configuration, the certificate request will be generated for the AMT client and the wireless settings will be pushed to the AMT client during the initial provisioning or when an “Update Management Controller” operation is performed on the client.

--Matt Royer

0 Comments Permalink

Note: This information is based on Microsoft’s beta release of System Center Configuration Manager Service Pack 2 and is subject to change.

Besides extending ConfigMgr support for new operating systems (Windows 7, Windows Server 2008 R2, Windows Server 2008 SP2, Windows Vista SP2) and Branch Cache (peer-to-peer content distribution), ConfigMgr SP2 significantly evolves its native support for AMT / vPro use cases and features.  As noted in the SCCM SP2 release notes, the Intel vPro Technology support expands into:

OOB Wireless Management / Wireless Profile Management

  • Provide configuration of up to eight (8) wireless profiles per site that are available to AMT clients assigned to that site
  • Set the wireless information during AMT provisioning and configure all required profile settings (SSID, key management, encryption, etc.)
  • Send wireless profile operations to the Intel translator on AMT systems with revisions earlier than 3.2.1

End Point Access Control / 802.1x support

  • Provision 802.1x settings on AMT wireless clients during AMT provisioning
  • Send 802.1x settings operations to the Intel translator on AMT systems with revisions earlier than 3.2.1

Persistent Data Storage

  • Non Volatile Memory or Third Party Data Store (3PDS)
  • Write string data into 3PDS on AMT through OOB management console

Access Monitor: Audit Log

  • Enable or Disable Audit Log (no critical event settings)
  • View Audit Log through OOB Console

Remote Power Management: Power State Configuration

  • Enable configuration of the power policy settings and include in provisioning settings when provisioning an AMT system

If you are interested in taking a closer look at the SCCM SP2 beta build, you can get access to the download by going to https://connect.microsoft.com and signing up for access.

--Matt Royer

1 Comments Permalink

Steve Rachui at Microsoft has put together a great PKI validation script.  The script itself validates PKI in two ways.  First, it can be used to verify third-party remote configuration certificates from the vendors supported by AMT.  Second, the script can verify that your PKI environment is properly configured to support AMT provisioning.  The script itself needs to be run from a server to work correctly.  Check out Steve’s blog to get all the details.

http://blogs.msdn.com/steverac/archive/2009/05/18/tool-to-verify-amt-certificates.aspx

1 Comments Permalink

Updated August 2009

 

These instructions are for Windows 7 builds 7077 and beyond.

 

Several Intel based platforms contain Management Engine Interface (MEI) and Serial over LAN (SOL) devices.  Windows 7 drivers for these devices have been made available to OEMs for currently shipping platforms (2008 / 2009 model desktop and mobile PCs).  MEI and SOL Windows 7 driver support for previous generation PCs (2007 desktop and mobile) is planned for early Q1, ’10.

 

To enable Windows 7 testing and evaluation prior to driver availability, the MEI and SOL Vista drivers, either pre-loaded on your PC or available from the OEM, can be installed on the Windows 7 Release Candidate or RTM OS builds by utilizing Windows 7 compatibility mode.  The following instructions can be used to install the MEI and SOL Vista drivers:

 

 

  1. Locate or download the released MEI and SOL Vista drivers from your OEM
  2. Locate the setup.exe file for the device to be installed
  3. Right click on the setup.exe and select properties
  4. Select the Compatibility tab
  5. In the compatibility mode section check the box “Run the program in compatibility mode for:”
  6. Select the following in the drop down “Windows Vista (Service Pack 2)”
  7. At the bottom of the properties window set the privilege level by checking the box in front of “Run the program as an administrator”
  8. Click Apply
  9. Click OK to exit out of the properties window
  10. Double click on the setup.exe and follow the normal install/setup steps
16 Comments Permalink

SCCM allows the right click menu items in the SCCM console to be customized.  We utilized this capability to demonstrate how configuration of custom AMT support could be added to SCCM.  Since SCCM SP1 does not support wireless AMT configuration, we added some basic support for this to the SCCM menu system. 

The attached zip contains files that show how to add right click menu items to Altiris, how to make wireless configuration scripts and how to use both of these capabilities to embed wireless AMT configuration support directly into SCCM. This package is intended as a demonstration only.

This package contains the following components:

1. Genscript: This utility creates a VB script that pushes wireless profiles, certificates and AMT configuration data to an arbitrary client.  The Genscript utility and user guide are included in this package. The latest version can be found here: http://software.intel.com/en-us/articles/intel-ws-management-translator/.

2. XML files: For the demonstration, there are two XMLs needed: vpro_client.xml and vpro_colleciton.xml.  One pushes settings to an entire collection and the other pushes settings to a single member. The single member XML file calls push.vbs directly.  The collection XML calls gp_exe.vbs which calls push.vbs on all the collection members.

3. Wireless configuration script generated by Genscript: This script is executed with the client’s hostname and domain name as command line arguments.  It conducts certificate requests, configures the client with those certificates and configures a wireless AMT profile.  For details on Genscript and how to use it to generate wireless configuration scripts refer.

4. Push.vbs: This script takes a hostname as a command line argument and calls a wireless configuration script. The name of this script is hard coded in push.vbs along with the domain suffix to use.  For simplicity I hard coded which wireless configuration script to use. By default, this script is hard coded as vpro_config_update.vbs.

5. Gp_exe.vbs: This script calls push.vbs for all the members of a particular collection. It is based on the sms_ping.vbs script.  It takes the target collection as a command line argument and then calls push.vbs for each hostname.

6. Add_to_Collection.vbs: This script adds a client instance to a particular collection.  It is used to populate a ‘Push Failed’ collection with client instances for clients that fail a wireless settings push. The collection ID for the destination collection is hard coded in the script.

7. Delete from Collection.vbs: This script removes client instances from a particular collection. It is used to remove client instances from the ‘Push Failed’ collection when a wireless settings push succeeds for that client.

8. Clear_collection.vbs: This script clears the contents of a given collection.  It is useful for clearing the ‘Push Failed’ collection.

 



3 Comments Permalink

Microsoft has just announced that they are accepting participation nominations for the System Center Configuration Manager SP2 Technology Adoption Program (TAP).  The full announcement can be found here: https://connect.microsoft.com/content/content.aspx?ContentID=11121&SiteID=16
(Note: you will need to log into the Microsoft Connect website to view the announcement.)

As detailed within the announcement, Microsoft is extending new OS support along with improving on the Intel AMT integration with SCCM SP2.  From the announcement, the key AMT / vPro enhancements are:

  • OOB Wireless Management: Wireless Profile Management
  • End Point Access Control: 802.1x support
  • Persistent Data Storage: Non Volatile Memory or Third Party Data Store (3PDS)
  • Access Monitor: Audit Log
  • Remote Power Management: Power State Configuration

Additional detail on these new features can be referenced in the announcement.

To submit your participation nomination for the SCCM SP2 TAP, you will need to fill out the nomination survey (link located in the Nomination section of the announcement).

--Matt Royer

2 Comments Permalink

We have two checklists on the Expert Center to help you plan your vPro and Microsoft SCCM deployments. The Discovery Checklist was just published today. Take a look!

 

Discovery Checklist for Microsoft SCCM

Use this checklist to start gathering the information required for deploying Intel® vPro™ technology in your enterprise.

 

Infrastructure Prep Checklist for Microsoft SCCM

Use this checklist to ensure prerequisites are completed before deploying Intel® vPro™ technology in your enterprise.

0 Comments Permalink

Microsoft has just released Hotfix KB960804.  This is a hotfix rollup package that addresses issues that involve the Out of Band Management (OOB) feature in Microsoft System Center Configuration Manager 2007 Service Pack 1 (SP1). Even if you have all or some of the other hotfixes installed that are included in this rollup, it is recommended that you install the KB960804 rollup hotfix. The issues are documented in the following Microsoft Knowledge Base articles:

 

  • 954718: You cannot use the Out of Band Management console in Configuration Manager 2007 to connect to computers that use versions of Intel AMT that are earlier than version 3.2.1
  • 955114: The SMS_Executive service process may crash when the System Center Configuration Manager 2007 SP1 Hierarchy Manager handles the site control (.ct2) file from child sites that are running the RTM version of Configuration Manager 2007
  • 955126: The SMS_Executive service process (Smsexec.exe) in System Center Configuration Manager 2007 may crash if you have Intel AMT-related software installed
  • 955355:  A distinguished name that contains more than 100 characters and that is discovered from Active Directory for an AMT host causes the SMS_EXECUTIVE service to crash in System Center Configuration Manager 2007
  • 956337: System Center Configuration Manager 2007 Service Pack 1 is unable to remove AMT user ACLs during the provisioning process for AMT 2.x computers
  • 957183: You cannot add a group as an AMT user account in Configuration Manager 2007 Service Pack 1 if the group name has more than 20 characters
  • 957469: The Out of Band Power control function does not work for clients that have the Intel AMT 4 or Intel AMT 5 chipset in System Center Configuration Manager 2007 Service Pack 1
  • 959700: The Out of Band Management console in Configuration Manager 2007 Service Pack 1 cannot connect to AMT-enabled computers
  • 960741: The SMS_Executive service process crashes on a Configuration Manager 2007 Service Pack 1 site server when you use Intel WS-MAN Translator to provision computers that are equipped with AMT 3.2.1 chipsets
  • 961328: System Center Configuration Manager 2007 Service Pack 1-based systems cannot provision AMT 2.2/2.6 clients in PKI mode and AMT 2.1/2.5 clients in PSK mode

 

--Matt Royer

0 Comments Permalink

Intel® Client Manageability Add-on for Microsoft* SMS 2003 version 5.0.1 has been released.

 

Version 5.0.1 contains the following improvements:

  • Check all IPs for site boundaries
  • Read machines from SCS in chunks of 1000

 

The latest version of the Add-on can be downloaded here.

 

--Matt Royer

1 Comments Permalink

If you want to have the Intel Manageability Tool Kit interoperate with a vPro client that has been provisioned by Microsoft System Center Configuration Manager SP1, there are two key things you need to do: configure Manageability Commander to trust the issuing Certificate Authority of the AMT Web Server Certificates, and have it authenticate with a Kerberos user that has access to the vPro client.

Before configuring Manageability Commander, you will need to obtain a copy of the Root Certificate Authority certificate that the vPro client AMT Web Server Certificate was issued from. This is the same Certificate Authority that was configured in “Microsoft System Center Configuration Manager Console” -> “Out of Band Component Configuration” -> "Site Database" -> "Site Management" -> "Site" -> "Site Settings" -> "Component Configuration" -> "Out of Band Management" -> "General Tab" -> "Certificate Template".

If you are issuing AMT Web Server Certificates from a subordinate certificate authority, you should still use the certificate from the Root Certificate Authority that the SubCA chains up to.

 

 

Export a copy of the Root CA

1) To export a copy of the Root CA Certificate, you can open your local certificate store, select “Trusted Root Certificate” -> “Certificate” and search for the proper Root CA Certificate. If you do not have the Root CA certificate in your trusted root store, your CA Administrator can obtain a copy for you from the CA by selecting the “Properties” of the Certificate Authority and selecting “View Certificate”.

2) Once you have the certificate open, select the “Detail” tab and then select “Copy to File”.

3) When the “Certificate Export Wizard” appears, click “Next”.

4) Select “DER encoded binary X.509(.CER)” and click “Next”.

5) Select a location to export the certificate to and then click “Next”.

6) On the “Complete the Certificate Export Wizard” page, click “Finish”.
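
Before importing the exported file into Manageability Commander, it is worth confirming that it really is the root certificate and not a subordinate CA certificate, and that it was saved in DER form. The PowerShell below is an added example, not part of the original post or the Manageability Tool Kit; the function name and the sample path are hypothetical.

```powershell
# Added example, not part of the Manageability Tool Kit.
# Function name and sample path are hypothetical.

function Test-ExportedRootCa {
    param([Parameter(Mandatory = $true)][string]$Path)

    $fullPath = (Resolve-Path -LiteralPath $Path).Path
    $bytes    = [System.IO.File]::ReadAllBytes($fullPath)
    $cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

    # The export wizard step selects DER. A DER certificate starts with the ASN.1
    # SEQUENCE tag 0x30; a Base-64 export starts with the text "-----BEGIN".
    $isDer = ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30)

    # A root certificate is self-issued: subject and issuer are the same encoded name.
    # A subordinate CA certificate exported by mistake fails this comparison.
    $isSelfIssued = [Convert]::ToBase64String($cert.SubjectName.RawData) -eq
                    [Convert]::ToBase64String($cert.IssuerName.RawData)

    # Basic Constraints should mark the certificate as a CA. Old version 1 roots carry
    # no extensions at all, so a False here is a prompt to check with the CA administrator.
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
        Select-Object -First 1
    $isCa = [bool]($bc -and $bc.CertificateAuthority)

    $now = Get-Date
    $inValidity = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)

    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Thumbprint   = $cert.Thumbprint      # compare with the value the CA administrator gives you
        NotAfter     = $cert.NotAfter
        IsDer        = $isDer
        IsSelfIssued = $isSelfIssued
        IsCa         = $isCa
        InValidity   = $inValidity
    }
}

# Hypothetical location chosen in the export wizard.
$sample = 'C:\Temp\RootCA.cer'
if (Test-Path -LiteralPath $sample) {
    Test-ExportedRootCa -Path $sample | Format-List
}
```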

 

 

Trusting your Root Certificate Authority in Manageability Commander

Now that you have a copy of the Root CA certificate, you are able to configure Manageability Commander so that it can manage a vPro client provisioned by SCCM.

1) If you have not already done so, you can download a copy of the Manageability Tool Kit from the following location: http://software.intel.com/en-us/articles/download-the-latest-version-of-manageability-developer-tool-kit/. Follow the onscreen instructions on how to install it.

2) Once Manageability Tool Kit is installed and Manageability Commander is open, select “File” -> “Certificate Manager”.

3) In the “Certificate Manager” window, ensure you delete all other existing certificates by highlighting them and clicking the “Delete” button. After which, select “Import”.

4) Browse for the Root Certificate Authority Certificate you exported (which is the Root CA Certificate that is chained up from your AMT Web Server certificates) and click “Open”.

5) Back in the “Certificate Manager” window, click the “Refresh Displayed Certificates” button. You should now see your CA in the “Trusted Root Certificates” list. Click “Close” to exit the Certificate Manager window.

 

 

Adding a Client to Manageability Commander

Once the Root CA certificate has been trusted, you can now add the client (that is provisioned by SCCM) you want to manage via Manageability Commander.

1) To add the vPro client, select “File” -> “Add” -> “Add Intel® AMT Computer”.

2) When the “Add Intel® AMT Computer” window appears, enter the fully qualified domain name (FQDN) of the client you want to manage. If you want Manageability Commander to use Kerberos authentication of the locally logged-on user, leave the Username and Password blank. If you want to specify a different Kerberos user than the locally logged-on user, enter the desired Kerberos user as domain\user and the appropriate password. Click “OK” to close the “Add Intel® AMT Computer” window.

3) Once you have added the vPro client, you should see it in the list of clients to manage. Right-click on the client, and select “Connect”.

4) Once connected, you can invoke any of the vPro / AMT use cases that the Manageability Commander Tool supports on the client provisioned and also managed by SCCM.

 

 

 

 

Debugging Connection

If you are having connection issues, you can perform some general troubleshooting by viewing the debug information.

1) To view the debug information, select “Help” -> “Show Debug Information...”

2) Once the “Manageability stack” window opens, you can see additional detail of any issues encountered.

 

 

 

 

--Matt Royer

0 Comments Permalink

 

Microsoft has just released a hotfix to address AMT 4 / AMT 5 power control within System Center Configuration Manager 2007 Service Pack 1.

 

 

 

 

 

System Center Configuration Manager 2007 (KB957469):

 

  • Description: The Out of Band Power control function does not work for clients that have the Intel AMT 4 or Intel AMT 5 chipset in System Center Configuration Manager 2007 Service Pack 1

  • http://support.microsoft.com/kb/957469

 

 

 

 

Please reference the following WIKI for a comprehensive list of required software bundles and hotfixes for SCCM SP1 and vPro/AMT Out of Band Management: http://communities.intel.com/openport/docs/DOC-1897

 

 

 

 

 

 

 

 

--Matt Royer

0 Comments Permalink

Use case guides were just published for Microsoft SCCM, as well as the Intel Client Manageability Add-on for Microsoft SMS (formerly known as the Intel AMT Add-on for Microsoft SMS).

 

These guides are often referred to as recipe books or solution guides. They will show you how to set up power on/off, remote diagnosis and repair, and more.

 

Check them out here:

 

Use Case Guide for Microsoft System Center Configuration Manager (SCCM)

 

Use Case Guide: Intel(R) Client Manageability Add-on for Microsoft SMS

0 Comments Permalink

Microsoft SCCM 2007 SP1 Intel vPro Training Videos

We’re pleased to announce the availability of Microsoft SCCM 2007 SP1 Intel vPro Training videos. During a recent training event in Redmond, Washington, we had the cameras rolling for this detailed and robust training experience and it is now available for you to experience and utilize.

 

Below is an overview and link for each training section.

 

Introduction

 

Technical overview of Microsoft System Center Configuration Manager 2007 SP1 support of Intel vPro technology with specific focus on supported use cases, provisioning process and infrastructure prerequisites for Intel vPro Out of Band Management.

Lab Module One

 

Configuration steps of Active Directory and PKI infrastructure to support Intel vPro Out of Band Management within Microsoft System Center Configuration Manager 2007 SP1.

Lab Module Two

 

Steps for Microsoft System Center Configuration Manager 2007 SP1 OOB Service Point installation, OOB Component Configuration and Network Discovery for Management Controllers.

Lab Module Three

 

Steps for creating a collection for housing Intel vPro clients and configuring that collection for automatic provisioning of the Out of Band Management Controllers.

Lab Module Four

 

Installation overview for the Microsoft System Center Configuration Manager 2007 SP1 client agent and initiation of Intel vPro client provisioning.

Lab Module Five

 

Technical overview of the Out of Band Management Console, Intel vPro Management Engine Interface and Intel AMT power control via Advertisements.

Lab Module Six

 

Configuration steps of the Intel WS-MAN Translator to support legacy Intel vPro clients (Intel AMT firmware versions less than 3.2.1).

Lab Module Seven

 

Provisioning legacy Intel vPro clients (Intel AMT firmware versions less than 3.2.1) through the Intel WS-MAN Translator using PSK provisioning.

Lab Module Eight

 

Overview of the Intel vPro migration process from the Intel SCS / Microsoft SMS 2003 Add-on to Microsoft System Center Configuration Manager 2007 SP1.

 

Please let us know if you have questions or comments regarding this material.

 

This resource along with other resources on the Intel vPro Expert Center can assist you in answering questions when deploying Intel vPro clients in conjunction with Microsoft System Center Configuration Manager 2007 SP1.

6 Comments Permalink