
If you watch the AMTOPMGR.log in SCCM when new Intel vPro systems come on line (connect to the production network) and start communicating with your SCCM site server, you may see the following message:


Start processing incoming hello message from SMS_AMT_OPERATION_MANAGER 4/30/2010 10:07:50 AM 2172 (0x087C)
Incoming data is - Configuration version: PKI Configuration. SMS_AMT_OPERATION_MANAGER 4/30/2010 10:07:50 AM 2172 (0x087C)
Count  : 5 SMS_AMT_OPERATION_MANAGER 4/30/2010 10:07:50 AM 2172 (0x087C)
UUID   : 4C4C4544-0031-3210-8057-B8C04F564431 SMS_AMT_OPERATION_MANAGER 4/30/2010 10:07:50 AM 2172 (0x087C)
Found matched hash from hello message with current provision certificate. (Hash: 2796BAE63F1801E277261BA0D77770028F20EEE4) SMS_AMT_OPERATION_MANAGER 4/30/2010 10:07:50 AM 2172 (0x087C)
Warning: AMT device 4C4C4544-0031-3210-8057-B8C04F564431 is a SMS client. Reject hello message to provision. SMS_AMT_OPERATION_MANAGER 4/30/2010 10:07:50 AM 2172 (0x087C)
Error: Failed to process hello message from SMS_AMT_OPERATION_MANAGER 4/30/2010 10:07:50 AM 2172 (0x087C)



This is an expected behavior if you are leveraging inband agent based provisioning:


The reason this error shows up in the AMTOPMGR.log is that the system is set up for in-band provisioning, while the error relates to out-of-band provisioning (no SCCM agent or OS on the client).  If the Intel vPro system has not been imported into SCCM with the Out-of-Band Import wizard (details for this method in the link above), then the hello packet is ignored.  If you want to use the out-of-band provisioning method (it is an option, although not the preferred/recommended choice), you need to import the system into SCCM with the wizard.
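One way to triage these entries, as an added example (not from the original post or from SCCM itself): the parser below groups AMTOPMGR.log lines by thread into hello-message transactions and separates the expected in-band rejection from failures that carry no such warning. It assumes the log layout matches the flattened lines quoted above; the second transaction, the function names and the verdict labels are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Layout assumed from the lines quoted in the post:
#   <message> SMS_AMT_OPERATION_MANAGER <date> <time> <AM|PM> <thread> (<hex thread>)
LINE_RE = re.compile(
    r"^(?P<msg>.*?)\s+SMS_AMT_OPERATION_MANAGER\s+"
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<thread>\d+) \(0x[0-9A-Fa-f]+\)\s*$"
)
UUID_RE = re.compile(r"^UUID\s*:\s*([0-9A-Fa-f-]{36})$")
HASH_RE = re.compile(r"\(Hash: ([0-9A-Fa-f]{40})\)")
START_TEXT = "Start processing incoming hello message"
REJECT_TEXT = "is a SMS client. Reject hello message to provision."
FAIL_TEXT = "Error: Failed to process hello message"


@dataclass
class HelloTransaction:
    started: str
    thread: str
    uuid: Optional[str] = None
    matched_hash: Optional[str] = None
    rejected_as_client: bool = False
    failed: bool = False

    @property
    def verdict(self) -> str:
        # Labels are this example's own, not SCCM terminology.
        if self.failed and self.rejected_as_client:
            return "expected-inband-reject"
        if self.failed:
            return "investigate"
        return "no-error"


def triage(lines):
    """Group log lines into hello transactions, keyed by thread id."""
    current = {}        # thread id -> transaction still being filled in
    transactions = []   # in order of first appearance
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue    # blank or unrecognised line
        msg, thread = m["msg"], m["thread"]
        if msg.startswith(START_TEXT):
            current[thread] = HelloTransaction(started=m["ts"], thread=thread)
            transactions.append(current[thread])
            continue
        hello = current.get(thread)
        if hello is None:
            continue    # line belongs to no hello transaction we saw start
        uuid = UUID_RE.match(msg)
        if uuid:
            hello.uuid = uuid[1]
        matched = HASH_RE.search(msg)
        if matched:
            hello.matched_hash = matched[1]
        if REJECT_TEXT in msg:
            hello.rejected_as_client = True
        if msg.startswith(FAIL_TEXT):
            hello.failed = True
    return transactions


TAIL = " SMS_AMT_OPERATION_MANAGER 4/30/2010 10:07:50 AM "
# Lines taken from the post (thread 2172).
PAGE_LINES = [m + TAIL + "2172 (0x087C)" for m in (
    "Start processing incoming hello message from",
    "Incoming data is - Configuration version: PKI Configuration.",
    "Count  : 5",
    "UUID   : 4C4C4544-0031-3210-8057-B8C04F564431",
    "Found matched hash from hello message with current provision certificate."
    " (Hash: 2796BAE63F1801E277261BA0D77770028F20EEE4)",
    "Warning: AMT device 4C4C4544-0031-3210-8057-B8C04F564431 is a SMS client."
    " Reject hello message to provision.",
    "Error: Failed to process hello message from",
)]
# Constructed lines (thread 3004): a failure with no "is a SMS client" warning.
CONSTRUCTED_LINES = [m + TAIL + "3004 (0x0BBC)" for m in (
    "Start processing incoming hello message from",
    "UUID   : 00000000-0000-0000-0000-000000000001",
    "Error: Failed to process hello message from",
)]
# Interleave the two threads, as concurrent hello messages would appear.
SAMPLE = PAGE_LINES[:4] + CONSTRUCTED_LINES[:2] + PAGE_LINES[4:] + CONSTRUCTED_LINES[2:]

if __name__ == "__main__":
    for t in triage(SAMPLE):
        print(t.started, t.thread, t.uuid, t.verdict)
```

Only the transactions marked `investigate` need a closer look; the `expected-inband-reject` ones are the benign case this post describes.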


First, right click on Collections and select Import Out of Band Computers



Next, you can either select to import a list of systems from a csv file or a single computer.



If you select a single computer, you need to enter in the following information.




Finish the prompts and the computer will be imported into SCCM for out-of-band provisioning.  The next time SCCM receives a "Hello" packet from the SCCM client, SCCM will recognize this system has been imported and begin the provisioning process.


I hope this helps clear up the confusion that many have regarding this "error" message, since most customers use the in-band provisioning method.

Citrix and Intel are banding together to give away 16 laptops at Citrix Synergy next month. Yeah! These laptops are all Intel vPro technology-based PCs and are XenClient-compatible. There are 8 HPs and 8 Dells in this giveaway.


Want to learn more? Click here.


Citrix Synergy is May 12-14, 2010 in San Francisco. If you are attending, don't miss RickE's breakout session at Citrix Synergy!

Read the blog on the Shinhan Bank ROI analysis. Shinhan Bank uses Intel(R) vPro Technology in its ATMs, which allows it to perform remote updates, patching, reimaging and problem resolution of the machines. IT technicians now remotely maintain, update, diagnose and repair ATMs.


Highlights from ROI analysis on Shinhan Bank's ATM using Intel(R) vPro Technology:

  • Shinhan Bank reduced ATM downtime by 1,014 hours (1.4 hours per ATM) within the first year of implementation of Intel vPro Technology in ATMs.

  • ROI study projects 43% reduction in ATM downtime; 33% reduction in the site visits.

  • Projected Break-even point in year 2, savings of over $608,000 across 6 years.

  • Positive ROI of 524% in year 6


Read the blog for details ...


Link: Shinhan Bank Projects 524% ROI in 6 Years and 43% Reduction in ATM Downtime via Embedded Intel® vPro™ Technology

I know a lot has been posted on vPro Expert Center (VPEC) about all of the PKI certificates that are involved in Intel vPro technology, but I thought it was time to repost some information again specific to SCCM.  And much of this applies to the various ISVs that support vPro technology.


I often work with many customers to help them understand the details around certificates and how they apply to Intel vPro technology.  So I figured I would post some of this material to help others in the future.  I will try to make it very succinct and not write a book on this subject...which is challenging when it comes to certificates.  Hopefully, you can reference this material in the future (or point others to it) to help understand and set up the necessary requirements for certificates.


The attached ppt lists the high-level certificate requirements in a SCCM vPro environment (note: SCCM requires TLS to manage vPro systems).  The attached foils (see attached ppt - Certificates for SCCM and vPro.ppt) also list the specific steps used to configure your Microsoft Enterprise PKI server to support SCCM/vPro.  You will note in this slide deck I have inserted several references to Microsoft TechNet articles for more in-depth information.


There are two different certificate requirements to “provision” and “manage” Intel vPro systems in a SCCM environment.  This assumes that a Microsoft Enterprise CA exists and is already configured in the production environment.


Two Certificates Required in SCCM:
     *  Intel® AMT Provisioning Certificate
     * Intel® AMT TLS Web Server Certificate

1.  Intel AMT Provisioning Certificate (Used for Provisioning, aka, Setup and Configuration)
This can be created from a 3rd party or Self Generated from the internal corporate PKI environment
     -  3rd Party CA (VeriSign*, Go Daddy*, Comodo, Starfield)
     -  Self Generated from Internal PKI infrastructure
               NOTE:  If you self generate your own provisioning certificate from your PKI environment, you will be required to touch each system and insert your Root CA hash that was used to generate your provisioning certificate (top level root CA in the chain).  See Internal vs External Provisioning Certificates.ppt (attachment).
See TechNet link on the process to generate your own provisioning certificate from your Microsoft Enterprise CA:

This provisioning certificate is only used one time during the provisioning process of vPro systems.


2.  Web Server Certificate (Intel AMT TLS Cert used for securely managing vPro)
This certificate is used each time the SCCM console manages vPro systems (used to set up an SSL session between the console and client)
Required to create New Web server Template on the production PKI server
Recommend certificate name: ConfigMgr AMT Web Server Certificate
Primary site server computer account (ConfigMgr 2007 SP2 Server) must have Read/Enroll  permissions to this template
TechNet article discussing these steps:


Hopefully this gives enough high-level explanation of certificates as it relates to SCCM and Intel vPro, as well as reference links for more in-depth details.

Rick Echevarria, VP of the Business Client Platform Division, is hosting a breakout session (SYN601) at Citrix Synergy next month.


I hear a lot of planning chatter about demos and videos for this session coming out of the cube next to mine - this will be good!


Session Description: This session will provide insight and guidance about achieving maximum performance, power efficiency, manageability and security with Intel-based server and client platforms hosting Citrix virtual computing software.


In this session you will learn more about:


  • Key engineering collaboration focus areas with Citrix for you to be aware of and track near term and beyond.
  • How you can maximize performance and returns with Intel-based client and server technologies when using Citrix desktop and server virtualization technologies.


Where: Moscone West Convention Center, San Francisco

When: May 13, 2010 / 3:00 pm - 3:50 pm




Computers worldwide have been experiencing a continuous state of reboot due to a McAfee DAT Update that deleted a critical file and caused a loss of network connectivity. For businesses with Intel® Core™ vPro™ processors, there could be a quick fix to this problem.


Intel Core vPro processors can help in situations like this where the remote PCs are inoperable or having connectivity problems.  With Intel Core vPro processors, you can remotely configure, diagnose, isolate, and repair an infected PC—even if it’s unresponsive.  And you can centrally schedule diagnostic events to run locally on PCs, even if they are powered down or disconnected.



Get the Download


Intel and Symantec have worked together to post a scripted solution to automate the steps needed to correct this outage situation remotely:


The solution uses a single bootable image delivered to a configured Intel Core vPro processor based system via the Symantec Client Management Suite.    The core solution was developed and released within 24 hours of the announced issue.   Instead of prolonged manual steps via an onsite technician or user attempting to follow written instructions, the solution enables remote remediation within minutes.


The solution utilizes Intel vPro Technology remote power control, boot redirection, and Serial-over-LAN.   The bootable image is a variant of Remote Drive Share as available at Logic contained within the bootable image detects the Microsoft Windows boot partition, whether the client PC is affected, replaces the svchost.exe as needed, and updates the extra.dat file from McAfee. Since all of these functions are performed outside of the client operating system, booting to Microsoft Windows Safe Mode and disabling of the McAfee Anti-Virus process are not required. If using the Serial-over-LAN console, output is directed to the administrator console only.


Resolution of the situation can be accomplished within a few minutes. Customers who have configured the Fast-Call-for-Help capability, enabling out-of-band management of Intel vPro Technology systems over the internet, are able to utilize the single ISO image with the Symantec Client Management Suite to complete the solution. Full remediation is accomplished out-of-band via the Intel vPro Technology session.


Alternative scripted solutions are being developed by Symantec for customers who do not have Intel Core vPro processors. These solutions utilize Altiris Deployment Server with a PXE-boot process and WinPE to accomplish similar steps. If customers had an Intel vPro Technology enabled solution, they could remote control the power of the client before initiating the PXE-boot session.


Intel Core vPro processors deliver cost-cutting efficiency and maximum productivity with the intelligence of hardware-assisted security and manageability features.


Information on manually resolving the issue is available at and



McAfee 5958 .dat file

Posted by jake_friz Apr 22, 2010

In my last blog I talked about the possibility of using vPro to remotely fix a system troubled by the McAfee 5958 .dat file. I even promised a video. The video is not ready, but hopefully this is better. We made a new boot disk that will fix this issue.


There are two disks in the package. e5958r.iso can be used with vPro systems remotely with SOL/IDER. Basically you just trigger the remote boot and the disk works around the issue. e5958r_kvm.iso is nearly the same, except that it can be used on non-vPro systems as well. You can either IDER boot it remotely, using KVM Remote Control to see its output, or you can burn it to a CD and boot it locally. Either method will result in working around the issue.


Also included are detailed instructions on using the boot disk and the exact actions the disk will take on your systems. Plus, the source code for the boot disks is included so you can modify the script.


And yes, I'm working on a video...stay tuned :-).


If you use this disk, I'd love to hear about it.

You may have heard about the McAfee virus definition file that wrongly detects svchost.exe as a virus, causing Windows XP to no longer boot:


As the vPro Uber geek, I wanted to toss in my $.02 on how the workaround could be implemented with vPro. It's actually pretty simple. Using IDE Redirection, a vPro system can be triggered to remotely boot the Remote Drive Share CD image. From there it's easy: just map a drive to vPro, copy in extra.dat and svchost.exe, and send another reboot. When the vPro system comes up, everything should be back in working order. I am working on a video to illustrate this, but I wanted to get the concept out quickly, just in case it helps.

Matt is running a Service Manager demo at the Microsoft Management Summit - showcasing how KVM Remote Control works with Service Manager. Check out this short demo video. And, if you are at MMS - be sure to stop in at his session tomorrow.



Reducing TCO with Intel® manageability technologies and Microsoft® System Center products (Matt Royer)

Reduce your IT operating costs by leveraging Microsoft® System Center System Center Configuration Manager and Service Manager to take advantage of Intel’s latest client and server manageability technologies.  This session will cover the usages of Intel® vPro technology, Intel® Anti-Theft technology, and Intel® Intelligent Power Node Manager which deliver the cost savings through secure / reliable remote client power control, improved client remote diagnostics via KVM remote control, remote client media redirection for remediation & easing Windows 7 OS deployments, and server & power management.


Thursday, 4/22, 10:15am-11:30am, BK12, Room: Bellini 2005-2006

We're hosting a live chat on Wednesday, April 28th at 10am PST. We have guests this time - Intel IT! They are deploying Windows 7 and Intel vPro technology at Intel - come ask them about their experience. Joining us will be John Mahvi, the notebook fleet owner at Intel, and John Gonzalez, who runs the Windows 7 program at Intel - and you'll also be able to ask questions of our engineers from both the IT and vPro sides of the house.


Save the date!



If you're going to MMS, be sure to stop by our booth and say Hi! Our booth is going to be packed with demos - including manageability with Microsoft ConfigMgr, Intel Anti-Theft technology, Windows 7 & IT@Intel, desktop virtualization, node manager, unified networking, the vPro Alliance, cloud computing, and yes! the Intel vPro Expert Center.


Matt Royer will be teaching a class on Thursday, 4/22. Here is the session description - to see a complete list of sessions at MMS, click here.


Reducing TCO with Intel® manageability technologies and Microsoft® System Center products (Matt Royer)

Reduce your IT operating costs by leveraging Microsoft® System Center System Center Configuration Manager and Service Manager to take advantage of Intel’s latest client and server manageability technologies.  This session will cover the usages of Intel® vPro technology, Intel® Anti-Theft technology, and Intel® Intelligent Power Node Manager which deliver the cost savings through secure / reliable remote client power control, improved client remote diagnostics via KVM remote control, remote client media redirection for remediation & easing Windows 7 OS deployments, and server & power management.


Thursday, 4/22, 10:15am-11:30am, BK12, Room: Bellini 2005-2006

Where to find us



I met up with Russ Wilson, who heads the Microsoft SCCM development team for Intel AMT at Microsoft. We are at the Intel vPro technology showcase and chat about the Intel vPro session. It's been a privilege to have Russ be my co-speaker at IDF to show off what Microsoft is doing with Intel vPro. I also have many more videos on my channel.


If you are about to attempt the remote configuration process and will be using a remote configuration certificate, you might have some questions regarding domain name suffixes, such as:


  • Do you need more than one remote configuration certificate?

  • How are different domain names handled?

  • Is a .com domain handled in the same way as a domain?

  • Is the behaviour consistent across all AMT Firmware versions?

  • Can I input a domain suffix via the OS or a client agent instead of using DHCP Option 15?

Up until now this has been a bit of an enigma, but the following document I have just posted contains all the detailed information you require to understand the checks that are being performed and to comprehend how your specific circumstances and domain name will be handled by the AMT Firmware.


Domain Suffix Guide for vPro Remote Configuration Process

I’m happy to announce that there is a new release of the Manageability Developer Tool Kit!


I use the DTK internally to demo AMT features and for validation efforts. What I really like about the DTK is that all the source code is included (what can I say, I like to tinker).


The latest version has been updated to support Intel AMT 6.0. This includes features like:

  • IPv6 support

  • KVM Support (adjust settings and a viewer!)

  • Alarm Clock

  • Bug fixes

  • And much more!


A big thanks to the DTK development team for their efforts!


The latest version can be downloaded from here:






I just finished my second session with my co-speaker, Russ Wilson from Microsoft. Both the first session, which introduced Intel AMT, and the second session with Microsoft SCCM went very well. With both sessions done, most of the stress is gone; tomorrow I still have 4 hours of “showtime” with two back-to-back labs on Intel AMT and Intel vPro.


I did not get to see Renee’s keynote this morning since I had to bail out to get ready for the session, but judging from the advanced technology showcase, she introduced more 3D technology. There is a great 3D gaming demo using circular polarized glasses and 3D TVs; it’s really amazing. I just uploaded a bunch of videos for the Intel vPro Expert Center blog site on my YouTube Channel.


This video was recorded before the keynote.


Before the first Intel vPro session, getting ready.


A walkthru of the showcase floor before the opening.


Having fun, more reports tomorrow from day 2 of IDF.




My morning video blog report for IDF Beijing 2010. It's two hours before the keynote starts and people are getting ready for the big event. The public is waiting outside and session speakers are meeting up and getting ready.




AMT Legacy Redirection Mode

Posted by rkfoote Apr 12, 2010

As much as we try to simplify AMT, at the end of the day it’s a very complex product. Sometimes when we try to simplify it, well, it can become slightly more complicated (the good news is that in the long run it will become better).


When Intel AMT development began there was a lot of emphasis on _where_ AMT would be used. Would it be an enterprise “big business” product or a small business product or both? The answer was both of course, but then we needed to look at what features would apply to each (for example, a small business probably doesn’t have a full certificate authority infrastructure in place). This led to the development of a Small Business Mode (SMB) and Enterprise mode. While this wasn’t a bad idea, it led to issues where an “enterprise” customer wanted SMB features and vice versa.


Now let’s fast forward to 2010: starting with AMT 6.0 there is no longer a differentiation between the two. (If you want SMB “just turn it on” you can still do that. See: )
Now that I’ve set the stage, if you look inside MEBx you’ll see a new option: “Legacy Redirection Mode” under the SOL/IDER menu. You may be asking yourself what that is and whether you need it enabled.

Well, in AMT there is a redirection listener for SOL/IDER. In previous generations this listener was opened or closed by default depending on if the user was in SMB or enterprise mode. In SMB mode the listener was always open by default. Thus if a management console tried to connect it would work and everyone was happy. For enterprise mode this listener was closed by default. An “enterprise” management console would need to open the listener, connect, then close the listener. As of AMT 6.0 this listener is closed by default so if a management console, such as an ‘SMB’ console, doesn’t support opening the listener then SOL/IDER redirection will fail. That’s not good, so we added a switch to support it.


Does your management console use the SMB model or Enterprise model? You can ask your vendor directly, or if you see a failing case you can enable legacy redirection. So in simplifying the product, it became a bit more complicated.  But now you know!


How can I enable/disable AMT legacy redirection?
Enter MEBx (CTRL-P during boot on most platforms)
Select “Intel(R) AMT Configuration”
Select “SOL/IDER”
Select “Legacy Redirection Mode”
A message will show “Redirection Mode must be enabled when using a legacy SMB Redirection Console”
Choose Enabled / Disabled






Russ Wilson from Microsoft is leading a team building Intel vPro features into Microsoft SCCM. He is also my co-speaker at IDF, where he will be talking about the latest version of SCCM and demonstrating how to use it to manage Intel vPro systems. I caught up with him for this short video blog.




The big kick off is tomorrow for IDF Beijing 2010! Session rehearsals are going on and I just completed my own trial. So far, equipment is good and we are ready to go for both the sessions and the lab. I got asked many times... to make sure to wake up tomorrow in time and show up. Ha! The stress I tell you.



We are pleased to announce that 2 products in our Intel AMT Embedded Tools Suite family have recently been updated in the Embedded Design Center (EDC).  The new updates are mainly to support the new Intel AMT 6.0 features, plus usability enhancements based on the feedback from the previous version.


Intel Embedded AMT Management Express Console 2.0


This is a great evaluation tool for Embedded Board Manufacturers to demonstrate and test the various Intel AMT usage models.  The new usage models supported in this new version include Remote KVM, PC Alarm Clock and UUID Verifications.  In addition, there have been many usability enhancements since the version 1.0 release.  Check out the new tool at:


Note that the Management Express Console was developed based on Intel AMT Software Development Kit (SDK) and the Manageability Developer Tool Kit (DTK).  For those who are interested in developing your own Intel AMT-enabled management console, please download the tool kits from the links below:



Diagram 1: Screenshot of Alarm Clock in Intel Embedded AMT Management Express Console 2.0



Intel AMT Integration Wizard 2.0


This latest Integration Wizard has been updated with Intel AMT 6 support for both Q57 and QM57 platforms.  The tool also added many flexible time-saving features for the design engineers, e.g. partial programming by BIOS/GbE/ME region, saving of configuration settings and build info, customization of read/write access for different regions and many other user-friendly features.  The tool is available at:


Diagram 2: Screenshot of Intel AMT Integration Wizard 2.0

The third edition of the interactive eBook is now live - check out the new material including the section on security. And, if you're going to Vision this week, stop by the Intel booth (#3) to see compelling demos and don't forget to attend an Intel session and the hands-on lab.


After landing on Friday, it's Sunday evening and we are setting up the showcase area at IDF Beijing 2010. I recorded this quick video to let everyone see what is going on. Most Intel groups and partners will be setting up tomorrow but we were early and got our booth ready to go. Tomorrow I will be focusing on sessions. I am involved in a total of two sessions and two labs along with running the Intel vPro booth when I am not speaking. This should result in a pretty full two days.



I arrived in Beijing a few hours ago ahead of the Intel Developer Forum (IDF), which starts on April 13th. It's a great honor for me to be a speaker and to show off the existing and newer features in Intel AMT. I am scheduled to be a speaker at two sessions on the first day and two labs on the second day. The first day sessions will recap many of the features of Intel AMT and see how Microsoft SCCM can be used in actual deployments. On the second day, I will be running two labs of two hours each. These are my favorite times since I get to be in a smaller room and show off and explain Intel AMT in a more personal setting. The labs are also much less scripted, so it's a time for our users and partners to get help on topics that are important for them, or provide feedback on the technology.


If being a speaker for a total of 6 hours during the two day event was not sufficient, I also get to run the Intel vPro booth part-time in the technology showcase. This is the general area where people go from booth to booth to get a quick overview of our technology. I will be there answering questions and showing off many of the features that get people to say "wow, my computer can't do that". I also shipped a few boxes of my book "Active Platform Management Demystified" as giveaway prizes for our more enthusiastic participants.


In all, this promises to be two very full and fun days. I landed yesterday, which should give me time to sync up with the local timezone. Well, I am not off to a good start: I am typing this blog and it's 2:40am here.



The Aberdeen Group has determined that for every 100 laptop PCs companies issue, 15 will never be seen again. According to “Laptop Lost or Stolen? Five Questions to Ask and Answer,” sponsored partly by Intel, five will be lost or stolen (one recovered) and 11 will simply vanish, leaving companies stuck for millions of dollars in compromised data alone.  According to Aberdeen “the research shows that the top performers are much more likely than all others to standardize and lock down their platforms and configurations, and to remotely disable or “kill” the platforms if they are lost or stolen”.  Which puts Intel® Anti-Theft Technology right in the sweet spot for best in class companies.


Other tidbits from Aberdeen:


  • Top performers realize $44 per endpoint in cost savings from reducing the net number of lost, stolen and missing endpoints
  • Tens of millions of dollars in costs avoided by averting more  than 2-times the number of data loss or data exposure incidents


Read more here: Laptop Lost or Stolen?

Just a quick video showing off the new KVM Remote Control feature being used from an iPad. Yes, now you can service your end users right from your iPad. To make it work, I followed this Reference Design ( and then substituted RealVNC's iPhone viewer. Hey RealVNC, when's the iPad version due?

Shinshu University Hospital (SUH) is a well-known hospital in Nagano, Japan. Founded in 1949, the hospital manages 11 departments in internal medicine and 14 departments in surgery. The hospital employs about 1,300 professionals, such as physicians, nurses, pharmacists, and medical technicians. Currently, SUH has approximately 1,500 PCs which are used for health care administration, patient record management, medical information access, and office productivity applications. More than 200 of the PCs are mobile laptops with wireless connectivity. A number of these laptops are carried around by hospital staff for patient visits and bedside consultation during the day. SUH believes that wireless mobile computing has helped improve the efficiency and quality of patient care delivery.


Key findings from TCO/ROI analysis


  • Projected ROI of 170% over 5 years, from use of Intel® vPro™ technology to support file and patch distribution, and software diagnostics and repairs on wired and wireless PCs.
  • Break-even point in 22 months.
  • Projected net benefit of up to $242,300 across 5 years, by reducing desk-side visits and improving IT efficiencies for daily PC management and support tasks.

This ROI Analysis paper focuses on Shinhan Bank, headquartered in South Korea. They implemented Intel vPro technology as an embedded controller in their ATMs, allowing for better remote updates, patching, reimaging, and problem resolution of the machines. The bank's IT techs can now remotely maintain, update, diagnose, and repair ATMs for issues that used to require a site visit.


Shinhan has already reduced ATM downtime by 1,014 hours (1.4 hours per ATM) within the first year of implementation of Intel vPro technology in its ATMs. The Shinhan ROI study projects a 43% reduction in ATM downtime, and a 33% reduction in the site visits historically required for maintenance and problem resolution. Results of the study showed a projected break-even point in year 2, savings of over $608,000 across 6 years, and a positive ROI of 524% in year 6.

