
On behalf of Josh Hilliker with the vPro Expert Center, please take a moment to participate in this survey we have created on the Microsoft Windows 7 upgrade. Thank you in advance! Your responses are appreciated.


Click the link below to take part in this survey!


Win7, SCCM SP2 & vPro

Posted by josh.hilliker Apr 29, 2009

Today at MMS (Microsoft Management Summit) Brad Anderson showed a new use case we have been working on around Windows 7, SCCM SP2 & Intel vPro Technology.  The specific use case is how to do an upgrade with user data while the state of the machine is powered down.   This usage of vPro allows for OOB power up, then win7 installation begins.   Here's what we will be posting shortly to help answer any questions you may have around this use case:


* Video of MMS & Brad showing this use case

* Use case flow document that shows what technology is being leveraged


What we have found in the lab, which I will publish out over the coming weeks, is that this technology works really well together and can make your win7 deployment easier.   Please let me know your questions and tune back here for more of the data, specifics & use cases.

While at Symantec ManageFusion 2009, we had a chance to talk to IT executives and managers from Las Vegas Sands Corporation, Blue Cross Blue Shield and McCormick Spice Company and Lee Bender, senior technical manager from Symantec. In this video, they talk about benefits of Symantec Altiris Client Management Suite v6.5 (and above) with Intel vPro Technology, including power management, remote diagnosis and repair, and fast call for help.




To learn more about Intel's presence at Symantec ManageFusion 2009, go to:


Hang Onto That Laptop

Posted by scott1.e.smith Apr 26, 2009

I attended an eye-opening press briefing the other day where George Thangadurai, strategic planning director for Intel’s Anti-Theft Program; Ponemon Institute founder Larry Ponemon; and Rex Rountree, an encryption expert from Intel’s IT group, disclosed details from a study that calculated the actual cost of losing, or having stolen, a notebook computer, a rapidly growing problem.  The basic message to the millions of us mobile workers was: Hang onto that laptop.


Chain it to you if you must because if it’s lost or stolen the bill to your company will be $49,264 on the average.  The “Cost of a Lost Notebook,” study was commissioned by Intel and conducted by the Ponemon Institute.  You can find an overview of the findings in the news release.


Intel undertook the study to better understand the problem and devise remedies that are simpler than handcuffing yourself to your notebook.  In January, Intel introduced Anti-Theft Technology as one way to help make laptops less appealing to thieves.  Anti-Theft Technology works by locking a computer reported lost or stolen either from a remote server or from policies embedded into the PC.  Once locked, the computer is useless until recovered at which time IT can issue the owner a password to make it functional once again.


Intel works with computer makers and service providers, such as Absolute, Lenovo, PGP and Phoenix, to implement Anti-Theft Technology.  If used in conjunction with a hard-disk encryption service vendor, such as PGP, Anti-Theft Technology can house the encryption keys, which are normally stored on the hard disk, in the chipset.  If the PC turns up missing, the keys can be deleted.  So, even if a thief has the passwords to unencrypt the drive, they are useless and the data protected.  If the thief removes the hard disk from a locked computer in hopes of installing it in another computer to gain access to the data, he leaves the keys locked behind.  But, back to the study.


That $50,000 cost, which I suspect has any CFO reading this clutching his chest, results, of course, from this potential compromise of data.  In fact, responding to a data breach is responsible for about 80 percent of the cost, according to the study.  The rest covers investigating the loss, the price tag for any lost intellectual property, legal expenses and making regulatory disclosures.  Let’s also not forget the disruption to an employee whose entire job function likely hinges on his computer.


So, what can a company do?  The study concludes that encryption helps.  It knocks about $20,000 off the bill.  Why doesn’t it eliminate all of the expense?  Encryption depends on who has access to the encryption credentials to decipher the data.  If they’ve somehow been compromised or you’re dealing with a disgruntled employee, then even the most elaborate cipher won’t help.  It also depends on employees actually using the encryption features and on which data they encrypt.


So, in the end, cutting the cost of missing laptops requires a multifaceted blend of technology and practices.  Rex added that training employees how to protect their notebooks goes a long way in cutting the risk as well.


After the briefing, I still had some questions and caught up with George, Larry and Rex for a chat.  If you’d like to listen to the briefing, it’s available at 1-800-475-6701, conference ID# 997098.


Ever had a laptop stolen or have any thoughts on preventing theft?  I’m sure everyone would be interested in your comments.

The latest newsletter is now available - you can check it out here:


This newsletter is a good resource for documentation updates, known issues, new software downloads, and more. We have plans in the works for more training webinars - this is a good way to keep up on them!


Here's the subscription link if you'd like to see this newsletter in your inbox (it's a bi-weekly newsletter):

I wanted to quickly share an example of how to set the current power state of a provisioned Intel vPro system using Windows Powershell!


Take a moment, and ask yourself these quick questions:


  • Have you ever wanted to be able to automate the powering up, or powering off, of multiple computers?
  • Is your company interested in saving money by not needlessly leaving computers powered on at night?
  • Do you have a time-critical environment, such as a call center, where you need to reliably power up your computers so they are ready to go in the morning for agents?
  • Do you want to be able to create your own helpdesk tools to enable remote reset of hung systems?


If you answered "yes" to any of the previous questions, then hopefully this Powershell code will help you, as an administrator, achieve your goals! Let's take a look at how to perform the actions of:


  • Powering up a vPro (AMT) system
  • Powering down a vPro (AMT) system (not gracefully, just FYI)
  • Power cycling a vPro (AMT) system (also not graceful)


For the sake of simplicity, we'll continue to work with the ManageabilityStack.AmtSystem object that I have referenced in my previous article(s). If you aren't sure how to get the $Global:AmtDevice Powershell variable, please look back at my other articles. This will also require the download of the Intel AMT Developer Toolkit. You'll need the ManageabilityStack.dll library contained within.



In order to control the remote power state of an AMT system, all you really need to know are these 3 hex values:


0x10 = System reset

0x11 = Power on

0x12 = Power off

0x13 = Reset w/ power cycle


These hex values will be used with the $AmtDevice.Remote.SendRemoteControl() method to alter the power state of the remote system. The SendRemoteControl() method included with the DTK takes a number of parameters that go beyond the scope of this article, so we will pass hex value 0x0 to those parameters for the time being. To use one of the above hex values, simply pass it as the first parameter of the SendRemoteControl() method. To fulfill the parameter requirements of this method, pass 5 additional parameters with the value 0x0. Here are some examples:


Powering up an AMT System


# 0x11 = power on; the five trailing 0x0 arguments are the parameters this article does not cover
$Result = $AmtDevice.Remote.SendRemoteControl(0x11, 0x0, 0x0, 0x0, 0x0, 0x0)

Write-Host "Power command resulted with: ${Result}"


Powering off an AMT System


# 0x12 = power off; this is a hard power-off, not a graceful OS shutdown
$Result = $AmtDevice.Remote.SendRemoteControl(0x12, 0x0, 0x0, 0x0, 0x0, 0x0)

Write-Host "Power command resulted with: ${Result}"


Power cycling an AMT System


# 0x10 = system reset (the table above lists 0x13 for a reset with power cycle); also not graceful
$Result = $AmtDevice.Remote.SendRemoteControl(0x10, 0x0, 0x0, 0x0, 0x0, 0x0)

Write-Host "Power command resulted with: ${Result}"


The above samples show how to use the SendRemoteControl() method of the AmtRemoteControl .NET type in the Intel AMT Developer Toolkit (DTK) to control the power state of a remote AMT device.
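The three samples above differ only in the first argument. As an added example that is not from the original post or the DTK, the wrapper below folds the hex table into one function with readable action names, refuses to run without a device object, and routes the abrupt actions (power off, reset, power cycle) through PowerShell's -WhatIf/-Confirm support so a helpdesk tool built on it cannot knock a machine over by accident. It assumes $Global:AmtDevice is an already-connected ManageabilityStack.AmtSystem obtained as described in the earlier articles; nothing else about the DTK API is assumed beyond the six-argument SendRemoteControl() call shown above.

```powershell
# Added example (not from the original post): action-name wrapper around
# SendRemoteControl(). Assumes $Global:AmtDevice was set up as in the author's
# earlier articles.
function Send-AmtPowerCommand {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Reset', 'PowerOn', 'PowerOff', 'PowerCycle')]
        [string] $Action,

        # Defaults to the global device object from the previous articles.
        $AmtDevice = $Global:AmtDevice
    )

    # Hex values from the table in the post; only the first argument varies,
    # the remaining five are passed as 0x0 as the post describes.
    $commands = @{
        Reset      = 0x10   # system reset (no power cycle)
        PowerOn    = 0x11
        PowerOff   = 0x12   # hard power-off, not an OS shutdown
        PowerCycle = 0x13   # reset with power cycle
    }

    if ($null -eq $AmtDevice) {
        throw 'No AMT device object. Set $Global:AmtDevice first (see the previous articles).'
    }

    $code   = $commands[$Action]
    $target = 'AMT device (command 0x{0:X2})' -f $code

    # PowerOn cannot lose in-memory state; the other three are abrupt, so they
    # go through ShouldProcess and honour -WhatIf and -Confirm.
    if ($Action -eq 'PowerOn' -or $PSCmdlet.ShouldProcess($target, $Action)) {
        $result = $AmtDevice.Remote.SendRemoteControl($code, 0x0, 0x0, 0x0, 0x0, 0x0)
        Write-Verbose ('{0} returned: {1}' -f $Action, $result)
        return $result
    }
}

# Usage:
#   Send-AmtPowerCommand -Action PowerOn
#   Send-AmtPowerCommand -Action PowerOff -WhatIf     # show what would be sent, send nothing
#   Send-AmtPowerCommand -Action PowerCycle -Confirm  # prompt before acting
```

Because ConfirmImpact is High, the abrupt actions prompt by default under the standard $ConfirmPreference; a scheduled job that has already been vetted can pass -Confirm:$false.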


If you have any questions about this, please leave a comment or send me a private message.




Trevor Sullivan

Systems Engineer

OfficeMax Corporation

While at Symantec ManageFusion 2009, we had a chance to talk to IT executives and managers from Disney International, Fox Interactive Media, Blue Cross Blue Shield, Las Vegas Sands Corporation and McCormick Spice Company and industry analysts from IDC, Enterprise Management Associates and Ptak, Noel & Associates LLC about Intel vPro technology and industry trends.  In the video below, they discuss how PC refresh and Intel vPro technology helps minimize total cost of ownership.



To learn more about Intel's presence at Symantec ManageFusion 2009, go to:

Recently I was talking with my friends that run our Intel Premier IT program, and they were telling me about a new award they are providing, in which you can submit your entries to be featured in CIO magazine.  Therefore I wanted to pass this on to the community and also let you know that if you're interested in connecting with Intel & peers local to you, the IPIP program is a stellar place to do this very thing. I attended a few of these events last year and was very impressed with the speakers, material and the great audience of IT folks that showed up.


If you're interested in hearing more about the award, here's the link. I also heard from them that there are only a few client submissions (mostly in the server & DC space), therefore a great opportunity to show your client story.



The Intel® Upgrade Service provides a variety of different upgrades/enrollments based on what you have for your platform and configuration.    One of the latest enrollments is the Intel® Anti-Theft Technology PC Protection Services or otherwise called AT-p.


Where can I get it? -  (Currently only the Lenovo* T400 has AT-p capability)


Here is a great place to learn more about AT-p thanks to Joshprostar -




About Intel® RPAT – Also found at the following site:

Intel® Remote PC Assist Technology enables you to make a fast call for help and request remote technical assistance from a service provider if you encounter a problem with your PC, even when the OS, network software, or applications are not functioning. Available starting in late 2008, Intel Remote PC Assist Technology will be an option on PCs with Intel® Core™2 processor with vPro™ technology using the Intel® Q45 Express Chipset and will expand to consumer PCs in 2009.


If you are interested in our Early Access Program (EAP), please post any questions/comments to this blog post and we will be happy to assist!




Intel® Upgrade Service enables down-the-wire hardware upgrades after a system's been purchased, providing new levels of platform flexibility to service providers and end users alike. With the purchase of a PC with qualifying CPU and upgradeable chipset, you'll get future-ready flexibility designed to change with your growing needs.

Visit the main web site at:   

Currently we have a Level I Manageability Upgrade available which is designed to bring a platform from “Standard Manageability” to “Intel® Active Management Technology (AMT) 5.0”.   




What are the minimum system requirements?


Intel® Q45 Express Chipset-based motherboard with a non-Intel® vPro™ Technology Processor attached. Upgrades will not be supported for platforms based on Intel® Celeron® processors.



Where to buy hardware and/or upgrades?


Click here to learn how to buy hardware and/or upgrades!


Please post any questions/comments to this blog post and we will be happy to assist!




>>Register Here

WHEN: Thursday, April 16, 2009

TIME: 1:00 PM ET / 10:00 AM PT



Advanced solutions for PC management and security

Nearly 90 percent of an organization’s IT budget and time is spent keeping their business running securely and smoothly. When provisioned with Altiris solutions, computers with Intel vPro processor technology allow unprecedented ability to solve business IT problems. These are just a few examples—regardless of the computer’s power state or the health of the operating system:

  • Remove infected computers from the network while preserving a remote IT connection to the affected computer for remediation
  • Speed patch saturation by up to 56%.
  • Reduce end-user tampering, which interferes with enforcing IT policies
  • Conduct hardware/software inventory up to 94% faster per PC
  • Reduce the need for hardware/software desk-side visits by up to 56%.
  • Remotely repair BIOS from an IT gold image

The combined strengths of Intel and Altiris means that network management and security are no longer reliant on a software agent, which minimizes exposure to end-user tampering.


Sustainable – Green IT

Symantec and Intel promote and provide the use of energy efficient hardware, software, services, and best practices that reduce environmental impact by enabling IT to run more efficiently, conserve power, and cut energy costs:

  • Gain efficiency and save money when you deploy Intel®-based platforms together with Symantec IT management software.
  • Reduce your company’s environmental impact by maximizing resources and conserving power with Intel and Symantec hardware and software.
  • Make the most of all your IT assets.
  • Control equipment sprawl by optimizing utilization of each server in your data center.
  • Comply with current energy efficiency regulations and be ready for future legislation.
  • Comply with the policies of your customers who require vendors to be energy efficient.

If you are using Intel SCS 5.x, after you've installed it you will need to decide whether you want to configure the SCS service to get configuration parameters from a script or from the DB. This seemingly innocuous decision has some technical implications, so here's the background:


Choice A - get configuration parameters from the DB


Let us first define the configuration parameters. They are the fields of a vPro system: the important ones that are required for completing provisioning, such as FQDN, AD OU and Profile, and the remaining informative attributes, such as AMT firmware version. Therefore the configuration parameters that are necessary to have are the FQDN (or hostname), the AD OU path (if you are integrating with Active Directory) and the SCS provisioning profile being assigned to the vPro system. Where will the information for these 3 fields come from?


The wording of this option might be slightly misleading, as you might (wrongfully) assume that the configuration parameters to get your vPro systems provisioned smoothly are sitting and waiting in the DB for you and will provide an extra smooth provisioning experience over and above the other method (using a script). This is however not the case; the configuration parameters are empty to begin with, and only after going through a (successful or unsuccessful) provisioning process for each vPro machine will these configuration parameters be populated in the DB, so that subsequent provisioning attempts will in fact be able to rely on them.


Let us consider the flow of events...


A vPro system needs to initiate the provisioning process and let the SCS know about its existence - this is commonly known as the 'hello packet'. The hello packet contains a UUID (unique identifier), certificate hash or PID, MAC address and IP address. Purely technically speaking, this will manifest itself as a new entry appearing in the AMTS table in the SCS DB. At that point you are missing the FQDN, AD OU path and profile ID. Once a new entry makes it into the AMTS table, it will also appear in the SCS Console as an unconfigured system with the UUID field populated, but the rest being blank.


You now have the option to manually double-click on the row in the SCS Console and enter these 3 fields. Once you've done that, the information will also be sitting in the UUID_MAPS table, which is also known as the configuration parameters. This is typically not a scalable method, and therefore the current BKM is to rely on a client-side utility to send not just the UUID, pre-provisioning information (cert hash or PID) and IP address, but also the FQDN, AD OU path and a profile ID.


The utility that has been designed to do this is the Activator utility which comes bundled when you download the SCS application (this blog posting won't go into the details of how to use the Activator Utility and what options you have and will assume you have an understanding of how to do this). Therefore instead of manually (and quite error prone) populating the fields, you can now have a utility that effectively pushes all the information required for provisioning into the UUID_MAPS table as well.


Another last option is to create a list mapping UUIDs and pre-assigning them FQDNs and uploading it into the UUID_MAPS table. This is more difficult as it relies on the OEM providing you with an accurate list of all the UUIDs prior to receiving the systems. This is technically feasible but logistically more difficult and as such is a rarer implementation.


Choice B - get configuration parameters from the script


This method might be less popular, as it is a bit more complex and should be used only when the circumstances necessitate it. The script would typically be a VBScript, for which a sample script is provided when you install the SCS service. What the server script does in essence is set the AD OU path and profile ID. The FQDN still needs to be provided by the vPro machine itself, and for that it will rely on either the Activator utility (as mentioned above) or a client-side VBScript - either of which will typically rely on a WMI query.


Purely technically speaking, the script takes the different parameters available to it and constructs an XML file (map.xml) that is formulated in a manner that is recognised and can be consumed by the SCS application. If there aren't enough permissions for the script to run locally, any necessary parameters are missing, or if the XML is not formulated properly then the SCS will complain about a missing XML file.


Using the server-side script gives you the flexibility of making changes to the AD OU path and profile ID further down the line, as opposed to the client-side-only method, which would have required you to pre-package the parameters used to invoke the client utility, so that any change would involve deploying a new package to all machines.


The server-side script also allows you to overcome permissions-related issues and security concerns, as the client-side-only method typically requires administrator privileges and involves letting each client write directly into the main DB (which for some security experts is an opportunity for malicious behaviour). Therefore a 2-tiered approach is possible, where the client side (script or Activator) sends information into an interim DB and the server script reads the information from the interim DB. The trigger for the server script to run is for a new entry to appear in the AMTS table without a corresponding entry in the UUID_MAPS table - i.e. a hello packet has arrived and there are no configuration parameters present.


Finally, the server script is essential if any further manipulations are required in order to accommodate a particular environment. Such is the case when the FQDN queried on the vPro client has the domain suffix of an Active Directory domain, but there is a separate non-AD-integrated network domain, and any queries to DNS will return the network domain FQDN. This requires provisioning the vPro system with the network domain, which could either be hard-coded as a constant (like the AD OU path and profile ID) if there is only one, or will need to be dynamic and poll DNS (through something like nslookup on the IP address) to replace the AD FQDN with the network FQDN. Provisioning will succeed regardless, but the problem will surface later on when trying to manage the vPro machine if you are using AD integration and therefore need to conform to the Kerberos protocol.
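As an added example that is not the SCS sample script, here is the DNS substitution just described, written as a PowerShell function so the logic can be exercised on constructed data before it is carried into the server-side script. It assumes the inputs are the FQDN the client reported (with the AD suffix) and the IP address from the hello packet; the reverse lookup is injectable so the function runs without a DNS server, and every domain name in it is made up.

```powershell
# Added example (not the SCS sample script): replace an AD-suffixed FQDN with the
# network-domain FQDN that DNS returns for the client's IP address.
function Resolve-NetworkFqdn {
    param(
        [Parameter(Mandatory = $true)] [string] $ReportedFqdn,  # from the client (WMI / Activator)
        [Parameter(Mandatory = $true)] [string] $IpAddress,     # from the hello packet
        [Parameter(Mandatory = $true)] [string] $AdDomain,      # AD DNS domain, e.g. 'corp.example.local' (constructed)
        # Reverse lookup, injectable so the function can be tested without DNS.
        [scriptblock] $ReverseLookup = { param($ip) [System.Net.Dns]::GetHostEntry($ip).HostName }
    )

    # Only substitute when the client actually reported an AD-suffixed name.
    if (-not $ReportedFqdn.ToLower().EndsWith('.' + $AdDomain.ToLower())) {
        return $ReportedFqdn
    }

    $dnsName = $null
    try { $dnsName = & $ReverseLookup $IpAddress } catch { $dnsName = $null }

    if ([string]::IsNullOrEmpty($dnsName) -or ($dnsName -notmatch '\.')) {
        # No usable PTR record: keep the reported name rather than provisioning
        # with a bare hostname; Kerberos will need the right name later anyway.
        Write-Warning "Reverse lookup for $IpAddress failed; keeping $ReportedFqdn"
        return $ReportedFqdn
    }

    # A hostname mismatch usually means a stale PTR record or a reused DHCP
    # lease; flag it instead of silently provisioning the wrong name.
    $reportedHost = $ReportedFqdn.Split('.')[0]
    $dnsHost      = $dnsName.Split('.')[0]
    if ($reportedHost -ne $dnsHost) {
        Write-Warning "Hostname mismatch: client says $reportedHost, DNS says $dnsHost ($IpAddress)"
    }

    return $dnsName
}

# Constructed sample: a scriptblock standing in for DNS.
$fakeDns = {
    param($ip)
    $ptr = @{ '10.1.2.3' = 'ws-0421.net.example.com' }   # made-up PTR data
    $ptr[$ip]
}

Resolve-NetworkFqdn -ReportedFqdn 'ws-0421.corp.example.local' -IpAddress '10.1.2.3' `
    -AdDomain 'corp.example.local' -ReverseLookup $fakeDns
```

Dropping the -ReverseLookup argument makes the function use the real resolver, which is what the server script would do; keeping the fallback to the reported name means a DNS outage degrades to the behaviour you had before the substitution rather than to a broken provisioning record.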


A situation can arise where you have configured SCS to use the script, but the configuration parameters have already been populated due to a previous provisioning attempt - fully successful or not. Since the parameters are already in the DB, the trigger for the server script to run will be missing and therefore it won't execute again. This scenario is typically encountered in testing when the same machine is re-used. There are some 'real-world' scenarios too, such as a machine that has broken and is re-imaged and fixed by the IT department: the client-side provisioning components (Activator) kick in on startup (typically), but the configuration parameters are already in the SCS DB, so the script will not run and provisioning won't succeed. Unfortunately SCS does not automatically remove the configuration parameters for machines that are partially or even fully unprovisioned. It can only be done manually, when a system is deleted from the SCS Console and the 'delete configuration parameters' option is explicitly selected.


This turned out to be a longer posting than originally intended... but if you've made this far, hopefully you've picked up a few useful nuggets of information...



On the eve of April Fools' Day, TerryCutler blogged about the Conficker worm and Intel vPro technology. In his post, Terry was looking for community feedback on what the IT community is doing to prevent such attacks from occurring. Are you taking advantage of the use cases on your activated vPro boxes? System Defense is your best friend here - it allows you to isolate infected clients from the network. You can also use vPro technology to do things like drastically improve patch saturation - whether the systems are powered on or reached out of band.


I just uploaded a paper with more information on this topic - please read and see how you can protect your network from attacks from worms like the Conficker.


Conficker Worm, Response Times, & Intel vPro Technology

My son, Andrew, graduated from college in December and moved back into his room at home (or my den of four years, depending upon your point of view) while looking for a job. Andrew, Gen Y to his core, conducts much of his life through a host of electronic accessories.


As nearly as I can tell, his ear buds are permanently affixed. He’ll hush me in midsentence to respond to a text message. He devotes time each day to a social website that keeps him in touch with his former college friends. He conducted his job search completely online, even the networking with friends, friends of friends and those strangers he hoped might befriend him. In fact, he ventured out of my hope-to-be-again-some-day den only for interviews. Then he nervously watched his e-mail for responses.


He regards these tools as an entitlement, much like we Baby Boomers regarded television in our younger days – “Gee, Dad, you mean you didn’t have television at all? You must have been really poor.” He wondered aloud one day why I hadn’t responded to his text message. To avoid admitting I didn’t know how, I told him he was grown up now and should send e-mail like an adult.


Paradoxically, he harbors a general disdain for the technology underlying his electronic accoutrements, no more wanting to understand the risks of viruses or personal data theft than the potential consequences of driving his car with the oil light glowing (another failed conversation). This nonchalance makes him a bit of a risk at home. We have periodically lost Internet contact with the outside world when he tried to connect his computer to the cable network. We also did without telephone service for some time, victims of a rewiring mishap. He innocently accepted e-mail viruses until his computer, flickering only faintly, coasted to the side of the digital highway.


Andrew recently scored a great job, but I wonder how his Gen-Y attitude and use of technology will mesh with a corporate IT organization, which is more than likely designed and maintained by Baby Boomers. What got me thinking about this is an Intel-sponsored study that looks into how IT is coping with the influx of Gen-Y workers like Andrew and his friends who are entering the workforce. We became interested in it because of work we’re doing around “dynamic virtual clients.” These are computing models that enable IT departments to centralize PC images on a server, then use data streaming and virtualization to distribute them to end users. IT gets the security and maintenance ease of centralized management, and users retain the mobility and performance that’s important to them. More on DVC can be found here.


According to the study, 82 percent of IT professionals see Gen Y’ers as a positive influence – “They understand the newest and latest tools.” Many IT organizations are taking advantage of the potential for increased productivity with these new technologies, including enabling e-mail and Internet access on personal smart phones (60 percent), allowing personal PCs access to the corporate networks (39 percent) and relaxing rules regarding participation in social media sites as a company representative (34 percent).


At the same time, 50 percent see Gen Y’ers as a security risk as well – “They share personal and company information on network sites and through email.” In fact, three out of five point to Gen Y’ers’ use of downloadable applications and social media tools as particularly concerning. But IT professionals also are looking at ways to protect data and their networks. Most said that network security software and hardware solutions are the standard fare. However, roughly half have also implemented application management, streaming, virtualization and chip-based solutions in an effort to keep their computer fleets running safely and smoothly.


That’s what the poll said, but I was curious about Intel’s strategy regarding Gen Y’ers. So, I talked with my buddy Dave Buchholz. Dave is Intel’s IT technology evangelist and is our point person in evaluating the potential of new technologies. Here’s what Dave told me.


Creating the SCS Database?

Posted by lharkness Apr 10, 2009

I posted some tips on syntax if you need to create the SCS database as a standalone step when building your Intel® Active Management Technology Setup and Configuration Service Server...  This is an optional step, only required if you do not want the AMTConfServer.exe installer to create the database for you.



Details can be found on my post Syntax for manually creating the SCS Database

While at Symantec ManageFusion 2009, we had a chance to talk to IT executives and managers from Disney International, Fox Interactive Media, Las Vegas Sands Corporation and McCormick Spice Company and industry analysts from IDC, Enterprise Management Associates and Ptak, Noel & Associates LLC about Intel vPro technology and industry trends.  In the video below, they discuss the impact of Intel vPro technology on power consumption reduction and energy cost reduction.



To learn more about Intel's presence at Symantec ManageFusion 2009, go to:



Whether you are planning to implement a Vendor TLS Certificate in the future, or you are having trouble applying a certificate you’ve already obtained, this article walks through the best practices.  The details include all the steps to properly install the right items and resolve issues we’ve encountered up to this point.  This article applies to Out of Band Management Solution 7.0, included with Client Management Suite 7.0.  Since certificates introduce tight encryption security, if the right items and steps are not in place or followed, it can break the ability of AMT systems to provision with Remote Configuration.



Why is Configuring a vPro capable system important?  Without setup and configuration, the functionality provided by vPro is not accessible within your Symantec Client Management Suite environment.  Out of Band Management Solution allows setup and configuration to occur automatically using Remote Configuration.


Using Remote Configuration to set up and configure your Intel AMT vPro capable computers takes the work out of the process, after some initial setup.  AMT systems that come preconfigured with versions 2.2, 2.6, 3.0+, 4.0+, and 5.0+ will automatically use Remote Configuration to set up and configure with a valid Provisioning Server.  Out of Band Management provides such a server.  The hashes from vendors (AMT 3.0 includes Verisign, GoDaddy, Comodo) are already configured in the firmware, and upon connection to power and the network, the systems will begin to send out requests for configuration.  Thus the managed vPro systems are already prepared to be configured without any intervention by the IT staff.


Usually the issues we see with the Remote Configuration process originate on the server side, in the process of adding a certificate from the aforementioned vendors.  Obtaining and installing a vendor TLS Remote Configuration certificate needs to be done the correct way so that authentication can succeed.  Once in place, provisioning will roll forward without any further intervention as long as the certificate remains valid.  This article focuses on applying the server-side certificate so that setup and configuration can move forward automatically.


Obtaining a Remote Configuration Certificate

This subject has been covered previously.  I wanted to lightly touch upon this as there is a vital step that should be taken so that if anything goes wrong we can correct it.  First, the following article covers how to properly obtain a certificate:


Note that part of obtaining a Remote Configuration certificate is submitting the request from the server you plan to install the certificate onto.  This process creates the private key for the server-side certificate, and this item will not be available until partway through the application of the crt (or cer) file obtained from the vendor.  The specific step that provides the full key, both private and public, is when the certificate is exported into PFX format after the initial import; checking the option to export the private key will give you a complete backup of the full certificate in case it is needed in the future.  If something happens, or if the application doesn’t go right, we’ll need both, so it’s essential to export this as soon as possible.


During the steps to install the certificate emphasis will be given on the step where the export should take place.


Certificate Authority (CA)

In order to use Remote Configuration with Out of Band Management the Microsoft Certificate Authority services must be installed on the Notification Server or the OOB Site Server.  Use the following steps to install if it is not installed:

  1. Go to Start > Administrative Tools > and click on Add or Remove Programs.
  2. In the left-side button bar click the button Add/Remove Windows Components.
  3. Check the option labeled Certificate Services.  See this screenshot for details:
  4. You’ll receive the pop-up:
    After installation Certificate Services, the machine name and domain membership may not be changed due to the binding of the machine name to CA information stored in the Active Directory.  Changing the machine name or domain membership would invalidate the certificates issues from the CA.  Please ensure the proper machine name and domain membership are configured before installing Certificate Services. Do you want to continue?
  5. Click Yes to continue once your system has the intended identity.  Click Next.
  6. Choose what type of CA to create.  If you are not installing a hierarchy of CAs you can leave the stand-alone root CA option selected.  Click Next.
  7. Input the name the CA will be known by.  This must match the name used in your CA hierarchy, or the name the Remote Configuration certificate will be known by.
  8. The Distinguished Name suffix is generated automatically in an AD environment and will match the domain suffix of the system.
  9. Click through the rest of the options, noting where the services data files are stored.
  10. You will be prompted to restart IIS.  This is required during the installation.
  11. Click Finish to complete the installation.
  12. Done!  The NS or Site Server is now prepared to handle certificates in the Remote Configuration process.


Installing the Certificate

The recommended way to apply a Remote Configuration certificate is to let the certificate dictate where it is installed.  However, this process has sometimes resulted in the certificate being installed to an incorrect place, and when that occurred we had headaches cleaning up the system so the certificate could be installed properly.  Why this occurs is unclear.  For reference, I’m including the process of adding a certificate automatically here:

  1. Save the acquired cer or crt file from the vendor onto the Notification Server or the Site Server for Out of Band Management.
  2. Right-click on the file and choose Install Certificate.
  3. Click next on the Welcome screen.
  4. Leave the radio button on ‘Automatically select the certificate store based on the type of certificate’ and click Next.
  5. Click Finish to complete the installation.  You’ll receive a confirmation pop-up that the certificate installed successfully.

While I won’t advise against using this method, the steps below use the manual installation method to ensure the certificate is installed to the correct place.


I’ve condensed the steps required into the following list.  This process works for all vendors once you’ve obtained a certificate.  Note that these steps are provided to consolidate both the recommended steps and the documentation into a single list.

  1. Go to Start > Run > type mmc > and click OK.
  2. In the resulting console click under File and choose Add/Remove Snap-ins…
  3. Near the bottom of the resulting window click the Add button.
  4. From the list that appears select Certificates and then click the Add button.
  5. Leave the radio button selected on ‘My user account’ and click Finish.
  6. From the same list select Certificates again and click the Add button.
  7. In the resulting window change the radio button to ‘Computer account’ and click Next.
  8. Leave the selection at ‘Local computer: (the computer this console is running on)’ and click Finish.
  9. Click the Close button in the window offering you the list of available snap-ins.
  10. At the original add/remove snap-in screen verify that you have two entries:
    1. Certificates – Current User
    2. Certificates (Local Computer)
  11. Click OK.
  12. Expand both trees in the left-hand pane within the console.  You should see the full certificate stores as shown in this screenshot:
  13. Right-click on the Personal folder under the Current User certificate store and highlight ‘All Tasks’ and click on ‘Import’ in the pop-out menu.
  14. Click Next on the Welcome page of the Certificate Import Wizard and click the Browse button.
  15. Browse to the cer or crt file provided by the vendor, highlight it, and click Open.
  16. Click Next, and leave the radio button on ‘Place all certificates in the following store’, which should be set to ‘Personal’.  Click Next.
  17. Under the Completing section of the wizard, Click Finish.  You should receive a pop-up indicating the certificate was successfully installed.
  18. NOTE!  This is the vital step mentioned previously in the article.  We will now export the certificate with both public and private keys, which will give us the full set and allow us to remove and reapply if necessary.  In the MMC select the newly imported certificate > right-click > and choose All Tasks > Export…
  19. Click Next on the Welcome screen.  In the resulting list you should have an active option for ‘Personal Information Exchange – PKCS #12 (.PFX)’.  If this option is not available (grayed out as shown in this screenshot), there is a problem with the certificate and the private key is not accessible:
    If this occurs please note the following items:
    1. The application of the public key (the cer/crt file) must be done on the server where the key was requested.
    2. If this is not your Provisioning Server you’ll need to contact the Vendor of the certificate to resolve the discrepancy.
    3. If you did request this certificate from the server you are operating on, you’ll also need to contact the vendor to explain that the private key is not found when exporting the certificate after initial application.
  20. Follow the wizard, and ensure you select the option ‘Yes, export the private key’.  When saving the file, it will prompt you to set a password to protect the private key (this is recommended for security reasons).  The export should leave you a PFX file.  Keep this in a safe place, preferably in line with your company’s encryption certificate backup policy.
  21. Next we need to import the full key into the Computer store.  Start back in the MMC > under the Local Computer certificate store > right-click on the Personal folder > select All Tasks > Import…
  22. Click Next on the Welcome screen and click the Browse button on the subsequent screen.
  23. Browse to the newly exported PFX file.  Note that you will need to change the ‘Files of type’ to include the PFX format.  Click Next.
  24. The Password screen prompts for the password you set when you exported the key in step #20, as shown in the following screenshot.  Enter the password and click Next.
  25. Leave the selection at ‘Place all certificates in the following store’; the value should be Personal.  Click Next.
  26. Click Finish on the end details page to complete the import.
  27. Done!
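As an added example (not from the original article, and not Symantec or Intel code), here is the same sequence scripted in PowerShell: complete the pending request, confirm the private key is present (the equivalent of the PFX option not being grayed out in step 19), export the password-protected PFX, and import it into the Local Computer Personal store. It assumes the constructed file paths shown, that the request was generated on this server, and PowerShell 3.0 or later with the PKI module cmdlets; it uses certreq -accept to pair the issued certificate with its key instead of the MMC import wizard.

```powershell
# Added example, not part of the original article. Assumptions:
#  - vendor-issued file and PFX output live under C:\certs (constructed paths)
#  - the certificate request was generated on this server, so the private key is here
#  - PowerShell 3.0+ with the PKI module (Export-PfxCertificate / Import-PfxCertificate)
param(
    [string]$CertFile = 'C:\certs\MyNSServer_My1Domain_local.crt',
    [string]$PfxFile  = 'C:\certs\MyNSServer_My1Domain_local.pfx'
)

# 1. Complete the pending request in the Current User context. certreq -accept is the
#    documented way to pair an issued certificate with the private key of a request
#    made on this machine (steps 13-17 of the walkthrough).
certreq -accept -user $CertFile
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# 2. Find the imported certificate in CurrentUser\Personal by thumbprint.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
$cert   = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $issued.Thumbprint }
if (-not $cert) { throw "Certificate $($issued.Thumbprint) not found in CurrentUser\My" }

# 3. The private-key check from step 19. If the key is missing, try to relink it once
#    (certutil -repairstore looks for a key container matching the public key); if it
#    is still missing, the request was not made here and the vendor must be contacted.
if (-not $cert.HasPrivateKey) {
    certutil -user -repairstore My $cert.Thumbprint | Out-Null
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $issued.Thumbprint }
    if (-not $cert.HasPrivateKey) {
        throw "No private key for $($cert.Subject): was the request generated on this server?"
    }
}

# 4. Step 20: export public + private key to a password-protected PFX and keep it safe.
$pw = Read-Host -AsSecureString -Prompt 'Password to protect the PFX'
Export-PfxCertificate -Cert $cert -FilePath $PfxFile -Password $pw | Out-Null

# 5. Steps 21-26: import the full key into the Local Computer Personal store.
$imported = Import-PfxCertificate -FilePath $PfxFile -CertStoreLocation Cert:\LocalMachine\My -Password $pw
if (-not $imported.HasPrivateKey) { throw 'Import into LocalMachine\My lost the private key' }

"Installed $($imported.Subject) ($($imported.Thumbprint)) with private key into LocalMachine\My"
```

Run it in an elevated PowerShell session on the Notification Server or OOB Site Server; the script stops at the first step that fails so the cause is visible before anything is written to the Local Computer store.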


NOTE: In Out of Band Management 6.x, with Intel SCS 3.x or earlier, a separate utility was required to load certificates into Intel SCS so the Provisioning Server was aware of them.  This is no longer required, as Intel SCS 5.x automatically picks up all installed Intel vPro Remote Configuration encryption certificates.


Reinstalling the Certificate

If you need to reinstall the certificate and you have a PFX file, you can do so by opening both certificate stores (User and Local Computer) as outlined in the previous steps.  Browse through the certificate stores and delete any instance of the vendor certificate.  This will remove any associations and allow a clean application of the certificate to occur.  Look for the following:

  • The name matching the name of the cer or crt file obtained from the vendor
  • The vendor’s certificate (the entry will contain the vendor name).

NOTE: Be careful when removing vendor certificates, as they may not be part of the Remote Configuration.  The best example is VeriSign, which may have many entries.  If unsure, leave the certificate in place, or export it before deleting it so you can restore it if necessary.


Enabling Remote Configuration

To ensure that Out of Band Management is set up to use Remote Configuration as a valid setup and configuration method, follow these steps:

  1. In the Symantec Management Console browse under Home > Remote Management > and click on Out of Band Management.
  2. In the left-hand tree browse under Configuration > Configuration Service Settings > and select General.
  3. In the resulting page ensure that the option labeled Allow Remote Configuration is checked.  If it is not, check it.  See this screenshot for an example:
  4. If you needed to check the option, be sure to click Save Changes to register the change.


That should do it for the certificates.  You’ve now completed the steps required to install and enable Remote Configuration in the Out of Band Management environment.  However, you are not done yet!  Certain infrastructure components are required to make this process seamless.  Proceed to the next section for details.


Other Setup Requirements

The following items will be used to automate the setup and configuration process.  Remote Configuration will use these to locate and communicate with the Provisioning Server (Out of Band Management).



Each zone within DNS should have a ProvisionServer entry to ensure that Remote Configuration requests are properly routed to the Server.  This will also help properly resolve names during the authentication process.  Use the following steps to add ProvisionServer to DNS:

  1. Go to Start > Run > type mmc > and click OK.
  2. In the resulting console click under File and choose Add/Remove Snap-ins…
  3. Near the bottom of the resulting window click the Add button.
  4. From the list that appears select DNS and click Add and click Close.
  5. Click OK in the next Window.
  6. Browse in the tree to the Forward Lookup Zones.
  7. Right-click the entry for the Notification Server computer and choose New Alias.
  8. Type ProvisionServer as the Alias name, in this manner:
  9. Done! 

Though simple, this is the key to directing the automatic Remote Configuration hello packets from enabled vPro systems to the Notification Server or Site Server.  Without this step no setup and configuration of vPro systems will occur.


To test, log onto a system on the subnet you’re trying to conduct Remote Configuration from.  Run a command prompt and use the following command:

  • ping ProvisionServer


The responding IP address should be that of the Notification Server, or, if you’ve set it up this way, of the Intel SCS server conducting provisioning.  Another test you can try is to run the following command:

  • nslookup ProvisionServer


We should get back the Notification Server’s Fully Qualified Domain Name (FQDN).


DNS Zones

In a multiple domain structure this is especially important, but all environments need to have the right data in DNS to properly pass and authenticate in a TLS environment.  The DNS Primary Zone should be set to the domain path contained within the certificate.  For example, if the certificate name is MyNSServer_My1Domain_local, the DNS Primary Zone should be My1Domain.local.  Without this, authentication can fail: the FQDN is used during authentication, and if the name being transmitted across the wire doesn’t match what’s in the certificate, authentication will fail.  Here is another example:

  • Certificate: MyNSServer_My1Domain_local.crt
  • DNS Primary lookup Zone: My1Domain.local


DHCP Option

Another Network related requirement may be DHCP Option 15.  While I’m not sure why this has proven to be required in some environments and not others, creating this option has resolved failed authentication issues within Remote Configuration.


In DHCP, create an entry for Option 15 with the value of the domain path.  This will often be the same as the DNS Primary Zone.  The following details are an example:

  • Certificate: MyNSServer_My1Domain_local.crt
  • DNS Primary lookup Zone: My1Domain.local
  • DHCP Option 15: My1Domain.local
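The following added example (not from the original article or from Symantec/Intel) checks the three items tied together above from a client on the provisioning subnet: that ProvisionServer resolves, that the resolved name carries the zone implied by the certificate name, and that DHCP option 15 delivered the same domain. It uses the article’s example certificate name; the zone is derived from that name, and the function that does so is a constructed helper (vendor files replace dots with underscores).

```powershell
# Added example, not part of the original article. Run on a client in the subnet you
# are provisioning from. Defaults are the article's example names, not real hosts.
param(
    [string]$CertFileName = 'MyNSServer_My1Domain_local.crt',
    [string]$Alias        = 'ProvisionServer'
)

function Get-ZoneFromCertName {
    # Constructed helper: MyNSServer_My1Domain_local.crt -> My1Domain.local
    # (first underscore-separated part is the host name, the rest is the zone)
    param([string]$FileName)
    $base  = [System.IO.Path]::GetFileNameWithoutExtension($FileName)
    $parts = $base -split '_'
    if ($parts.Count -lt 3) { throw "Cannot derive a DNS zone from '$FileName'" }
    return ($parts[1..($parts.Count - 1)] -join '.')
}

$expectedZone = Get-ZoneFromCertName $CertFileName
"Expected DNS Primary Zone / DHCP option 15 value: $expectedZone"

# 1. Same check as 'nslookup ProvisionServer': the alias must resolve, and the host name
#    behind it must be in the certificate's zone or TLS authentication will not match.
try {
    $entry = [System.Net.Dns]::GetHostEntry($Alias)
} catch {
    throw "'$Alias' does not resolve: add the alias in each forward lookup zone"
}
"$Alias resolves to $($entry.AddressList -join ', ') (host name $($entry.HostName))"
if ($entry.HostName -notlike "*.$expectedZone") {
    Write-Warning "Resolved name '$($entry.HostName)' is not in zone $expectedZone"
}

# 2. DHCP option 15 reaches a Windows client as the connection-specific DNS suffix,
#    which WMI exposes as Win32_NetworkAdapterConfiguration.DNSDomain.
$dhcpAdapters = Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled -and $_.DHCPEnabled }
if (-not $dhcpAdapters) { Write-Warning 'No DHCP-enabled adapters; option 15 not checked' }
foreach ($nic in $dhcpAdapters) {
    if ($nic.DNSDomain -eq $expectedZone) {
        "$($nic.Description): DHCP option 15 = $($nic.DNSDomain) (OK)"
    } else {
        Write-Warning "$($nic.Description): DNS suffix is '$($nic.DNSDomain)', expected $expectedZone"
    }
}
```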



Following the above procedure should allow remote configuration to occur without problems.  Once in place, the configuration will move forward with automatic setup and configuration for all vPro enabled systems that support Remote Configuration.

Updating the firmware for systems with Intel vPro technology often yields significant results when configuring and using vPro functions.  For example, certain Dell laptops shipped with both Serial over LAN (SOL) and IDE Redirect (IDER) disabled in the BIOS; a newer BIOS firmware update enables them.  Another example is that a desktop running AMT 2.1 firmware can be upgraded to AMT 2.2, which enables Remote Configuration.  No matter the reason, a firmware upgrade is often beneficial to vPro systems and the Symantec Management Platform 7, and this article covers how to deploy firmware updates using Altiris Software Management Solution 7.



Software Management Solution has the ability to deliver and execute any module or installer made for Windows.  This includes Windows-capable firmware updates.  Both the BIOS updates and the Intel ME firmware updates available from HP, Dell, Lenovo, and any other computer manufacturer that supports vPro can, as long as they are Windows capable, be sent down and executed through Software Management Solution to upgrade firmware.  This document covers how to set up and configure these updates, and hopefully provides you information on caveats and other potential trouble spots.


Why Update Firmware?

The first thing you need to determine is what type of firmware update you require.  The two typical updates are the Intel Management Engine (ME) firmware and the standard BIOS firmware.  How these two interact is dependent on the manufacturer.  Some manufacturers will combine the BIOS and ME firmware updates into a single executable.  Whatever the packaging, the updates can be delivered via Symantec’s Software Management Solution.


Examples and Reasons

For example, HP has a BIOS option to enable or disable Intel AMT, and if it is disabled in the BIOS the Intel ME will not be available.  Another example is the Dell Latitude 620, a Centrino vPro capable laptop.  Its BIOS contains a setting to enable or disable the Serial Over LAN (SOL) and IDE Redirection (IDER) capabilities, and by default these came from the manufacturer disabled.  This and other reasons for firmware updates are detailed in this list:

  • Dell Latitude 620 SOL and IDER disabled in the BIOS – A BIOS firmware upgrade sets these features to enabled, among other fixes and updates, without having to physically update each BIOS manually.
  • Upgrading AMT 2.1 to 2.2 – Desktop models of AMT version 2.1 can be upgraded to support Remote Configuration (certificate-based zero-touch provisioning) by upgrading the Intel ME firmware to version 2.2.
  • Upgrading AMT 2.5 to 2.6 – Notebook models of AMT version 2.5 can be upgraded to support Remote Configuration by upgrading the Intel ME firmware to version 2.6.
  • Upgrading AMT 2.0 to 2.1 – Some major fixes were incorporated between versions 2.0 and 2.1 of AMT.
  • UUID reset fix for HP Compaq 6910p – This fixed a flaw in the firmware where sometimes Intel ME returned the UUID of all zeroes or a default UUID set in the firmware, causing duplicates.  This update patches the firmware for Intel ME on these laptop models.
  • Upgrading Intel AMT 4.0 to 4.1 – On the newer version of AMT for laptops, fixes have been provided via version 4.1, which is available from most manufacturers.
  • Miscellaneous fixes to Intel ME – Other fixes have been incorporated in ME firmware updates.


Obtaining the Right Firmware Update

For all BIOS updates, the manufacturer’s website should be consulted.  For each vPro model you wish to update BIOS firmware with, use the following basic steps:

  1. Go to the Manufacturer’s main site.  For this example, we’ll use Dell.
  2. Choose the Support icon and click ‘Download and Drivers’.
  3. An applet will appear where you can choose the system through several options:
    1. Model
    2. Service tag
    3. Log in to choose from a list of systems
  4. Once you have the right system listed, there will be a list where you can click the plus + next to ‘BIOS’.
  5. From the provided list choose the applicable update by clicking the ‘Download Now’ link to the right.  The download will usually be in the form of an EXE.


While Intel manages the basic firmware for the Intel ME, the manufacturer packages it for deployment, including changes that may be required for specific models of vPro capable systems.  It is advised that you only use the manufacturer’s Intel ME firmware updates on your vPro systems.  The following walkthrough will hopefully help you identify what updates are available.  For this example we’re using HP’s website.

  1. Go to
  2. Click on the ‘Support and Drivers’ tab.
  3. Choose the option Download drivers and software (and firmware) for Step 1, and put in the model number of the vPro system type you want the update for in Step 2.
  4. Press Enter to go to the main page for the system.
  5. Though it prompts for which version of Windows you’re running, the updates are OS independent, so choose any.
  6. For the Intel ME firmware updates, the categories differ.  For HP it’s under simply ‘Firmware’.  Other potential categories include:
    1. Firmware
    2. System Firmware
    3. Chipsets
  7. Click Download to the right of the applicable ME update.
  8. Once the EXE is downloaded, move on to the next section.


Rolling out the Firmware Update

Once you’ve obtained the EXE, it’s time to configure a Software Management Solution Software Resource, Package, and associated command lines, and to create a task to roll it out with.  It’s important to understand whether, depending on how the manufacturer packaged the EXE, the rollout can be accomplished silently without user interaction.  Typically administrators do not want users to interfere with the rollout, or even to be aware of it.  The following walkthrough considers this the desired result; however, the configuration can be changed as noted where applicable below.


Creating a Software Package/Program

  1. On the Notification Server place the EXE you downloaded for the firmware update into a self-contained folder.  The folder and everything in it will become a “package” for the Software Resource, thus it is recommended to have only the needed file therein.
    Note: You can use another storage location if you prefer, such as UNC or URL.  Simply adapt these steps to fit your preferred source method.
  2. In the Symantec Management Console browse under Manage > and choose Software.
  3. In the left-hand tree browse under Software Catalog > Deliverable Software > and select Updates and Service Packs.
  4. In the resulting right-hand pane, click the Add button and choose Software Update.
  5. Above the configuration tabs provide a name for the Update.  In this example we’ll use an HP 6930p laptop firmware update of the Intel ME to version
  6. Click on the Package tab.
  7. Click the Add package button.
  8. Provide a name for the package and browse to the location referred to in step 1.  The name we’ll use in this example is AMT 4.1 Firmware EXE(Windows) for HP 6930p.  See this screenshot for an example:
  9. Click OK to save the Package details.
  10. Click on the Add command button.
  11. Provide a Name for the command-line.  For this example we’ll use: Apply AMT 4.1 Firmware Update silently.
  12. Check the option labeled Command line requires a package and ensure that the Package you created previously is selected.
  13. Under Installation file type choose the option labeled EXE Software Installation File.
  14. Change the Command type to Install.
  15. Provide a silent command line under the Command line field (this is the potentially difficult part.  The update I tested with had no documentation on silent installs and I had to tinker to find the -s command-line switch that ran it silently, i.e. “sp42026.exe” -s).
    NOTE: Due to the nature of firmware updates, it is possible the EXE will want to reboot the system.  It is recommended to test the execution and adjust the command-line to suppress the reboot so no user is interrupted in their work.
    See the below screenshot for an example:
  16. Click Save changes to complete the Software Resource creation.


Creating a rollout Task

The next step is to create a Quick Delivery Task that pushes out the update.  While a Managed Delivery Job may be used, because of the nature of firmware updates reapplying an update may have unintended consequences, so for this example we’ll use a Quick Delivery Task. Follow these steps to create the Task:

  1. In the Symantec Management Console browse under Manage > and click Jobs and Tasks.
  2. In the left-hand tree browse down through System Jobs and Tasks > Software > and select Quick Delivery.
  3. Right-click on the Quick Delivery folder > choose New > and click on Job or Task.
  4. Within the resulting window choose Quick Delivery from the left-hand tree.
  5. Provide a name for the task.  In this example we’ll use AMT 4.1 Firmware Update for 6930p Rollout.
  6. Under the Software resource dropdown choose the name of the Software Resource you created.  In this example it is AMT 4.1 Firmware Update for HP 6930p.
    NOTE: The dropdown is also a type-ahead field, so you can start typing AMT 4.1 to have the matching software found and displayed in the dropdown.
  7. Ensure that the Command line and Package in the two subsequent dropdowns correctly show the Command-line and Package you created.  For our example they are Apply AMT 4.1 Firmware Update silently and AMT 4.1 Firmware EXE(Windows) for HP 6930p respectively.
  8. Click the Advanced button.
  9. Under Download Options, what is configured at the Altiris Agent level is typically sufficient for your needs.  Click the Run Options tab.
  10. This is your execution environment.  Due to the nature of firmware updates, it is advisable to use the option labeled Altiris Agent credential.
    NOTE: Specific user can be used if you wish to provide an account that has Administrator rights on the target systems directly.
  11. Under User run conditions check the option labeled Allow user interaction.  We have found that this option improves success rate due to loading a fuller user stack.
  12. Change the Display window to Hidden.  See this screenshot for an example:
  13. Click OK to save the Advanced options and Click OK on the main Task configuration page to save the details of the Quick Delivery Task.
  14. You can use the Quick Run under the Task Status section to test the rollout.  Please see the section following labeled ‘Test the Rollout’.  It is vital to properly test the rollout so any corrections can be made before rolling it out generally.
  15. Set a schedule.  You can choose Now or set a specific scheduled time if needed.
  16. For the next step under Input you’ll need to manually add devices for this firmware update to be run on or select a target.  Step 17 covers how to create a target for the example we’re using in this sequence.  If you are only adding machines manually step 17 is not required.  Move to step 19.
  17. To create a target based off of Inventory Solution data that automatically targets the HP Compaq 6930p laptops, follow these steps:
    1. In the Symantec Management Console browse under Manage > and click on Filters.
    2. Browse under Computer Filters and select or create a folder to create the filter in.
    3. Right-click on the folder and choose New > Filter.
    4. Name the Filter.  In our example we’ll use All HP 6930p Laptop Computers.
    5. Under the Filter Definition dropdown choose the option Query Mode: Query Builder.  You’ll receive a notice: You are about to switch to the other query editing mode.  This cannot be undone after save.  Click OK to continue.
    6. Expand the Filter Definition section by clicking on the down-arrow to the far right.
    7. Under the query section, select the tree item ‘Resource’ and click the red X delete icon.
    8. When the page refreshes on the right you’ll see a Base Resource Type.  Choose Computer.  When prompted, choose to continue.
    9. Under the actions section to the right, click the link labeled Use Fields & Data Class Attributes.
    10. In the resulting picker type in or choose from the dropdown the data class and column you wish to reference.  For our example choose [Logical Device].[Model] and click OK.
    11. Click the Filter Expressions tab.
    12. Click the Add Condition button and choose one of the options (for a first filter it doesn’t matter).
    13. Type the same data class and column selected previously.  In our example type [Logical into the If: field and then select [Logical Device].[Model] from the dropdown.
    14. Choose Like in the next dropdown to the right (or if you know the exact value you’re looking for, use Equals).
    15. In the last field type the model number.  In our example type %6930p%.  See this screenshot for an example:
    16. Click Save Changes to complete the Filter.
  18. To add the Filter to the schedule, go through the following steps:
    1. Under the Task Status click the button New Schedule
    2. Set the schedule as desired.
    3. Under Input click Add and choose Target.
    4. Click the Add rule button in the resulting window.
    5. In the first dropdown choose the option labeled exclude the resources not in.
    6. Leave Filter as the option in the second dropdown.
    7. In the third dropdown type in the first words of the filter you created in the previous step.  In our example type All HP and click the dropdown arrow.  Select the appropriate collection from the list.
    8. Click OK to save the Target.
  19. Click Schedule to apply the Task to the selected systems.
  20. Done!  This Task type will use Task Server to push out the task.  Systems already online should receive the task within minutes, based on being active on the network.  For systems that are not on, the next time they come online and check for Tasks, Task Server will push out the Task at that time.


Test the Rollout

The most important part of this process is to test the rollout.  This will allow you to make corrections to the command line or execution environment should the first attempt fail.  By testing the rollout you can ensure it is ready for the greater environment.  In testing, you should:

  1. Target a system that matches your production environment as closely as possible.
  2. Test the command-line to ensure it successfully and silently rolls out the firmware update.  You can accomplish this by copying the files over and running the command line manually from a command prompt or from Start > Run.
  3. Check the BIOS or Intel AMT for versioning change.
    Note: the ME version may not be synced with the AMT version.  A good test is to try executing the update again manually to see if you receive a message indicating the firmware is already at the latest version.
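As an added example (not from the original article or from Symantec/Intel), the following PowerShell script performs test steps 2 and 3 on a single pilot machine: it records the BIOS version, runs the vendor EXE exactly as the Quick Delivery command line will (silently, hidden window), logs the exit code, and optionally runs it a second time so the “already at the latest version” behaviour can be observed. The package path and log path are constructed; sp42026.exe and -s are the article’s example, and any reboot-suppression switch is vendor specific and must be added once you have found it.

```powershell
# Added example, not part of the original article. Assumptions:
#  - the package folder and log file paths below are constructed placeholders
#  - '-s' is the silent switch found by testing (article's example); add the vendor's
#    reboot-suppression switch to $Arguments once it is known
#  - run elevated on a pilot system that matches production
param(
    [string]$Package   = 'C:\Packages\AMT41-6930p\sp42026.exe',
    [string]$Arguments = '-s',
    [string]$LogFile   = 'C:\Packages\AMT41-6930p\firmware-test.log',
    [switch]$SecondRun   # rerun the update to confirm it reports 'already latest'
)

function Write-Log {
    # Append to the log and echo to the console
    param([string]$Message)
    $line = "{0:s} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    $line
}

function Get-BiosVersion {
    # SMBIOS BIOS version from WMI. The ME/AMT version is vendor specific and may not
    # track the BIOS version, so also compare with the manufacturer's own version display.
    (Get-WmiObject Win32_BIOS).SMBIOSBIOSVersion
}

function Invoke-FirmwareUpdate {
    # Run the EXE the way the task will: silent switch, hidden window, wait for exit.
    param([string]$Exe, [string]$Args)
    if (-not (Test-Path $Exe)) { throw "Package not found: $Exe" }
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $p  = Start-Process -FilePath $Exe -ArgumentList $Args -Wait -PassThru -WindowStyle Hidden
    $sw.Stop()
    New-Object PSObject -Property @{
        ExitCode = $p.ExitCode
        Seconds  = [int]$sw.Elapsed.TotalSeconds
    }
}

Write-Log "BIOS before: $(Get-BiosVersion)"

$first = Invoke-FirmwareUpdate -Exe $Package -Args $Arguments
Write-Log "First run: exit code $($first.ExitCode) after $($first.Seconds)s"

# Exit codes are vendor specific; 0 is the usual success value and 3010 is the Windows
# Installer convention for 'success, reboot required'. Anything else usually means the
# silent switch is wrong and the command line must be fixed before the general rollout.
if ((0, 3010) -notcontains $first.ExitCode) {
    Write-Log "WARNING: unexpected exit code $($first.ExitCode); check the silent switch"
}

# Many firmware updates apply at the next reboot, so the version may only change after it.
Write-Log "BIOS after (before reboot): $(Get-BiosVersion)"

if ($SecondRun) {
    $second = Invoke-FirmwareUpdate -Exe $Package -Args $Arguments
    Write-Log "Second run: exit code $($second.ExitCode) (compare with first run)"
}
```

Compare the logged exit codes and versions against a manual run from a command prompt; if the first run needs a reboot, reboot the pilot system and re-read the version before deciding the command line is correct.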



Using this process, you should be able to remotely update any firmware required for successful use of Intel vPro Systems both with Setup and Configuration using Out of Band Management, and vPro functionality use within any Job and Task in the Symantec Management Platform.

In the opening keynote at the recent Symantec ManageFusion 2009, Intel Vice-President Gregory Bryant talked about joint efforts between Symantec and Intel around product offerings that help with centralizing management of applications and licenses, while still enabling end-users to have a responsive experience with rich-client desktop PCs and notebook PCs. The demonstration below by Symantec's Brian Duckering illustrates how Intel and Symantec are bringing these benefits to customers with Symantec Workspace Streaming and Intel vPro technology.




To learn more about Intel's presence at ManageFusion 2009, please go to

At the recent Symantec ManageFusion 2009, Symantec announced the general availability of Symantec Altiris Client Management Suite Version 7.


One of the new features in Symantec Altiris Client Management Suite Version 7 is support for Intel Centrino 2 with vPro technology's "Fast Call for Help."  The video below by Symantec's Senior Technical Manager Lee Bender is a demonstration of how an end-user would connect back to the Altiris Client Management Suite for remote diagnosis and repair of his notebook even though he cannot boot into Windows and is outside of the corporate firewall.



To learn more about Intel's presence at ManageFusion 2009, please go to
