Skip navigation

Hi all, 


if you missed our alst 3 radio shows you can easily subscribe in Itunes to the show & download the MP3's.


Next Up on the show is around vPro Tools with Tim Duncan & of course my co-host Russ Pam.   I'll blog about it when the time is confirmed. 


Josh H

Computer Scientists at Princeton University have shown some very easy and creative methods to hack

cryptographic key material with physical access to an encrypted

machine. Watch the video embedded below to find out how existing

technology is really vulnerable against Cold Boot Attacks on Encryption Keys.



All you need is a Duster spray can, if that, to cool the DRAM and extract the keys. The paper published

along with the video clearly outlines techniques for finding keys

residing in memory.The really cool part is that this technique doesn't

really hack into the encryption directly. Rather, it depends on

scanning the encryption keys by accessing the contents of the RAM and

then extracting the data either by directly tampering with the RAM or

by simply booting the computer from a USB drive. You can also read the

industry response and more details on these findings in the article.



It is not all bad news ... Intel is planning on releasing a

technology code named “Danbury” which drastically reduces exposure to

the Cold boot attacks. Please note that Danbury technology will be part of the Intel vPro processor technology to be released later this year. Danbury uses dedicated platform hardware to

provide full disk encryption and the actual data encryption keys are

not kept in the DRAM. Although, Intermediate, or ‘wrapping’, keys used

to unlock data encryption keys are stored in DRAM temporarily,

when the user is physically present or while remote IT operation has

control of the platform. These keys are subsequently deleted once no

longer needed, thus reducing the exposure significantly.



I am also very happy to announce that Danbury SDK that can leveraged

by software vendors to enhance encryption software will be made on the manageability developer community

later this year. If you are interested to find out more about this

technology or are interested in developing encryption software using

this technology then feel free to leave a comment on this post.



Today we are announcing version of the packet decoder. This version includes some minor bug fixes as well as two important enhancements:


+ Prerelease* support for Intel® AMT Versions 4 & 5

+ Results search & sort

+ Logging

*Due to hardware availability, not all constructs have been tested


These enhancements are in direct response to user requests.


Here's a 5 minute movie on the tool.


We are currently reviewing other user's feedback to determine what the next update will contain and when it will be available. Stay tuned.


DOPD Software Engineering Team

Update: The SCS Setup Wizard was EOLed to make way for a new and improved tool - the Intel AMT Configuration Utility. This utility is included in the Intel SCS 7.0 download. Check it out!


Available for download and use is the SCS Setup Wizard, a tool designed to automate the installation of the Intel® Setup and Configuration Service (SCS) along with the third party pre-requisite components automatically. This is a pre-release alpha level project that will be updated soon. It requires a fresh install of Windows Server 2003 and un-provisioned Intel® AMT clients.


Background -


The Intel Setup and Configuration Service for Intel® Active Management Technology (Intel® AMT) is a free toolset that simplifies the preparation of hardware that supports Intel AMT for remote administration.


Intel SCS automates the process of populating Intel AMT managed platforms with the usernames, passwords, and network parameters that enable the platforms to be administered remotely.


The automation of these activates provide an efficient means of implementing Intel AMT hardware for enterprise customers.


The Intel SCS service works with other services in order to provide a secure setup and configuration infrastructure for Intel AMT devices.


To successfully take advantage of the functionality that the Intel SCS service can provide, all of the other needed services must be correctly installed and configured. These services include:


  • Microsoft SQL* Server

  • Internet Information Services (IIS) 6.0

  • Microsoft Certificate Authority

  • Active Directory


Installing and configuring all of the services needed to utilize the Intel SCS can take an experienced user 2+ hours to complete. Using the automation provided by the SCS Setup Wizard, this process can take less than 30 minutes.


SCS setup Wizard Performs the following functions -

  • Install/configure MS SQL Server 2005 Express* Edition and MS SQL Server Management Studio Express

  • Install/configure Internet Information Services (IIS) 6.0

  • Install/configure MS Certificate Authority*

  • Install/configure Active Directory Services

  • Install certificate for IIS

  • Install certificate for Intel AMT Client

  • Install/configure Intel SCS service


Download here:


DOPD Software Engineering Team

Wednesday - Russ will be co-hosting with me as we discover more about Microsoft SCCM SP1 with Matt Royer.  You may have seen the river of great posts from Matt around SCCM and he's a known pro on SCCM.  Matt will be discussing the following topics: 


•     SCCM SP1 Provisioning and Ease of vPro Client Provisioning

•     SCCM SP1 Collection Based Power Management and Task Sequence Power On Capability

•     SCCM SP1 Out of Band Management Console for 1 to 1 vPro Client Management


We usually do this every two weeks, however with all that is happening with SCCM SP 1 we thought it would be great to discuss this as soon as we could pull this together.  I hope you can join us.  Here's the data on the Talk Show:


Dial In: (347) 326-9831

Time:  1:30PM PST


You can listen here or go to the URL below as well . 





If you have questions fire up chat during the call & ask the experts... 


Josh H


Years before I started working on Intel AMT, designers where creating a list of usages that would be enabled by Intel AMT. The list included, I presume, usages around 3PDS, remote reboot to BIOS, disk redirection, etc. Many of the Intel AMT usages that are promoted on the Intel web site. When I started work on the DTK, a personal challenge had always been to find new ways of using existing features to do different and sometimes unexpected things. Create new usages for Intel AMT that it was never originally designed to do. I now present my top 5 abuses of existing features.


TCP-over-Serial-over-LAN. The Intel AMT serial port I am told, was originally designed as an easy way to remotely take control of the BIOS and recovery OS remotely. Designers needed a way for BIOS to be able to send test display data to a remote console. A virtual serial port was a great solution. It so happens that in the original design, this serial port was always enabled and usable, even when the normal OS was running. This allows a serial agent to talk to a console while bypassing the OS’s network stack. This is interesting on its own and I started work on a serial agent of my own. Things took a weird twist when I started sending binary data and sending files over this serial port, making it very valuable. It’s only a few weeks later that I realized I could also send TCP traffic over this serial link, making it possible to contact TCP services on the Intel AMT computer even if the network stack was disabled. A few days later, I showcased the first demonstration of VNC-over-SOL, and turning this abuse of the serial port into an instant hit. To this day, VNC-over-SOL is still, one of the most impressive demonstrations of Intel AMT.


Reverse Watchdog. When Intel sales people demonstrate Intel AMT to customers, they often get asked if you can shutdown gracefully an Intel AMT computer using Intel AMT. The simple answer was no, Intel AMT will perform a brutal shutdown or reset upon request. To perform operations like a clean shutdown or reset, sleep or hibernation requires the involvement of the OS. You could tell a serial agent like Intel AMT Outpost to perform the shutdown, but that required opening the serial connection and could be a problem if you had to shutdown many computers. I needed a way to pass a small amount of information to a running Intel AMT agent on the PC, do it using SOAP/WSMAN only and if possible get confirmation of reception. We could store the command into 3PDS and have the agent read it periodically, but 3PDS required setup and that little amount of data would have required allocation of a 4K flash page. The solution came when looking at the agent presence feature. When a console creates a new agent, the agent can now register this agent locally. The agent also get the timeout of the agent in seconds (from 1 to 65535), this would be the key. By constantly trying to register a known GUID, Intel AMT Outpost could see if the agent existed or not. If suddenly the registration works, the timeout value would indicate that type of shutdown operation to perform. Better yet, the simple fact that registration occurred changes the state of the agent to “Running”, confirming to the console that the message was indeed received. Today the Intel AMT Terminal has “Agent Commands” in the remote control that allows a user to perform soft operations when the agent is running, even if the OS network stack is not working.


Mouse over serial. A few months back I started work on a smaller version of Intel AMT Outpost called Intel AMT Guardpost. The idea was that if a serial agent was going to be useful, it was going to need to run on a recovery OS, run in the background with no dependencies and with as little footprint as possible (Is it not annoying to have all there background processes running?). The C/C++ version of Intel AMT Outpost was on its way. One feature I always wanted to work on was a remote Windows command prompt; it took over a week to finally pull this off. I could now remotely shell to DOS and perform basic command line operations. I could also enter the command like editor with the “Edit” command at which point, the temptation to support the mouse-over-serial-over-LAN was a must have. Using the binary serial protocol, I added the support to the terminal in a few hours. To this day, it’s still a fun and amazing demonstration of outstanding remote manageability.


IDE-R within the OS. A few days after first enabling IDE-R within Intel AMT Commander, I stumbled upon something I had not noticed before. If an administrator where to start IDE redirection and the OS was to re-scan its plug & play devices, the additional floppy and CDROM drive would show up in Microsoft Windows. This was immediately interesting since transferring files over the serial port was limited to 115kb/sec a very slow speed in today’s world. With IDE-R, you can copy files at around CDROM 4x speed on a local network. All I needed was a way for Intel AMT Outpost to cause the OS to rescan its plug & play devices. A few hours later the “HWRESCAN” command was built and for the first time, an administrator could mount a CDROM remotely and install a patch as high speed without ever using the OS’s network stack. This feature also turned out to be an excellent compliment to VNC-over-SOL.



Fast data path using IDE-R. This is not an idea I never built into the DTK, but I wanted to add it to this list since it would also be an interesting was to use existing features in new ways. The serial-over-LAN feature turned out to be extremely valuable, but it is also slow. Serial ports are very inefficient. One way someone could speed things up is to use IDE-R as a fast by-pass to the OS. An administrator would mount a virtual floppy disk drive containing a single file. This file, would not really exist, it would contain different data each time it was read, making it possible to send data to an OS agent thru Intel AMT at much higher speeds. Also, since the floppy is a read/write device, the agent could write into the virtual file data that it wants to send to the console. It would be quite a bit of work to pull this off, but it certainly seems possible. Someone would just have to know the internal format of an .img file.


That’s my top 5. I realize this is probably a rather advanced blog article, but this is proof that you can have a lot of fun to any technologies.




Ylian (Intel AMT Blog)



ACTIVATION - New Zone & vPro Radio


Over the last few months we have seen a lot of dialogue around how to turn on vPro systems, the steps to turn on the ME, configure, etc..   So we took this to action & created a new Sub Zone that is just focused on Activations - This new zone will focus deeper on Tools, Training & documentation. 





Check out our latest vPro Radio talk show with Terry, Russ & Michele (vPro Experts) as we discuss Activation.





Microsoft System Center Confirmation Manager - listen in on Weds 2/27/08  -


Define Activation...

Posted by DaveMcCray Feb 25, 2008

Depending on your companies requirements (i.e. security, infrastructure, biz process) Activation can mean many things. If your security requirements are such Activation can simply mean enabling AMT in the BIOS in SMB mode. If your requirements are more stringent it can mean enabling AMT to prepare for Remote Configuration (Zero Touch), or, if you are still doing it the "old" way, then you are either manually (YUKE!) applying the PID/PPS combo or using the USB methodology. Great, but is this Activation? What about the other pieces to the device lifecycle i.e. break/fix, reuse, EOL where you have to manage the certificate? Intel IT, along with help from our friends in other Intel orgs are developing a programmatic script to aid in managing the systems as they move through the lifecycle. But is this Activation? How about how you use AMT? What business processes need to be changed to gain the full benefit of the cost savings from AMT?


Activation, as defined by Webster's Dictionary, is to make active or more active, or to set up or formally institute with the necessary personnel and equipment. What this means to AMT is that you need to map out all aspects of the full use of AMT but measure it based on each step of the way to get a clear picture of where you are. In other words, define your total market (system in the environment that are AMT capable); how many have AMT enabled in the BIOS (in prep for RC); how many are fully provisioned; how far have you tested your full lifecycle; do you have your console strategy in place; how have you defined your use cases; are you using it? Each step is making AMT more active. How far have you gone? How do you define Activation?



Note: As the Intel IT and product groups validate the new provisioing script we will post additional information. It effectively removes the ambiguity in provisioing lifecycle; managing from intial provision to break / fix. More to come.




Got ROI? We do.

Posted by michelegartner Feb 25, 2008

The Intel AMT Developer Tool Kit (DTK) is now over a year old and by many accounts, the most popular software package for using Intel AMT that exists today. As I work on improvements and new features I also get to interact with my users, developers, IT departments, testers, etc. I also come across many common ideas for how Intel AMT should be improved. Today I decided to compile my own list of changes I would make to improve Intel AMT. Even if I work at Intel, I have no special access or power over what gets changed, so it’s important that users of Intel AMT make your voices heard if you think you have changes you need made.


1. No TLS, Serial-over-LAN/IDE-R password in the clear. As many of you have discovered, when using Intel AMT in small business or enterprise mode without TLS, the login username and password is sent on the network in the clear when the administrator performs a serial-over-LAN or IDE redirect operation. With so many coffee shops, schools, Internet cafes playing around with Intel AMT features, this could be a big problem. Imagine a classroom with a few vPro computers with AMT setup in SMB mode by an unsuspecting teacher. A student running a packet sniffer, obtaining the password and rebooting AMT computers remotely. This can be avoided by setting up TLS using Intel AMT Director, but this should not be problem in the first place. The HTTP digest used for web pages could easily be adapted and used.


2. Allow TLS in SMB mode. This is a long time feature request that is somewhat related to the first issue. In my work with Intel AMT, I can do everything I need to setup TLS in SMB mode except enabling it. Allowing administrators to setup server-side authenticated TLS would be very easy to add to Intel AMT and would provide improved security with almost no work. In fact, Intel AMT Commander could just prompt the administrator on first connect if he or she want to enable TLS when a non-TLS SMB computer is found. A new root certificate would be generated if none already exist. Strictly speaking, it would not provide “bank level” security, but would go a long way for shops, schools, small business owners that have more to think about than understanding secure manageability.


3. Release the SOL/IDE-R redirection source code. The library called “IMRSDK.dll” is compiled by Intel and not available in source code form. It’s available in Windows and Linux but it has been a problem for people trying to port this feature on to other platforms. It’s also a problem because this library is far from perfect and I would be the first to make changes to it. One of the most critical changes I would make involves knowing if the Serial-over-LAN is connected or not. Imagine how annoying it is to have the SOL connection drop and that application not know about it. Intel AMT Terminal will show “Connected” at the top even when it’s really not. I also want a debugging feature to know exactly what is going on, people report in forums and privately to me that SOL has problems and I have no way to help. My list does not end there; I have more changes I really need made.


4. Make Intel AMT discovery and connection easier. Some Intel AMT software have a discovery feature that attempts to sweep a network to find Intel AMT computers and add them to a management console. To make it easier on the user, Intel AMT Commander also attempts to automatically detect that type of AMT computer it’s talking to. Once you discover a computer, the work is not done. Is the computer setup with TLS? Is it in WSMAN only mode? Is it using TLS mutual-auth? Are you talking to LMS? What version is this? The Intel AMT DTK has an elaborate system to attempt gather this data when a user connects. With new version of Intel AMT, transition to WSMAN and more, it’s getting more and more difficult to correctly detect and connect to all versions of Intel AMT. Developers looking at the DTK’s connection algorithm will be stunned, we need to simplify this process.


5. Get permitted access realms upon connection. So you setup Intel AMT with various user accounts, one for asset monitoring only, one for packet control, another for remote repair. When software like Intel AMT Commander connects to Intel AMT using one of these accounts, it has no idea what types of permissions this account has. As a result, the software is left to assume it has all rights, or fail with an error when things start to go wrong. I don’t think it would be unreasonable to be able to query the allowed realms upon connection for the account currently being used. This would make it easy for Intel AMT Commander to remove from the UI features that are not allowed.


Of course, being an avid fan of Intel AMT, I could write many things I like about it, just look at my many blogs. It’s my hope that this list will spur discussion and action. If you read this, take the time to write a small comment saying which one of these would want fixed first, or tell me if you have your own issue.


Ylian (Intel AMT Blog)

When trying to update your bios on a vPro machine with an Intel® Desktop Board DQ35JO you might find a problem when you try to boot it from a CD. It reads it as a boot CD, but when you press any key to start the boot it may come up with an error message similar to this:



To fix this, you must change how your BIOS manages SATA disk drives. Under the “Advanced” tab, you will find a category called “Drive Configuration”. Change the “Configure SATA as” option from “AHCI” to “IDE” as shown.









Otherwise, you must upgrade through Windows using the .EXE file provided Here







Download the .exe file onto a flash drive or CD and open the .exe when the computer has booted up by going to My Computer, Flash Drive or CD Drive, then double click the .exe file to runing the setup.











Follow the onscreen instructions, until the screen looks like this:











Click Finish, and setup will update the BIOS. It will shut down then reboot and show a black screen showing what it is doing. It should take about 5-7 minutes. When it is done then it will boot up and should come up with a screen that says it completed successfully.











Congratulations! You have updated your Intel BIOS. Including numerous bug fixes, this will update your AMT ME firmware to version




--Cody Frank

GBiT Technician - vPro Coordinator




--Matt Ford

GBiT Technical Services Manager



Check out this excellent example of activating vPro and a usage model in a creative way to achieve a relitivly quick Break Even point and Return on Investment .... vPro ROI Analysis- Reducing IT Resource Needs & Service Costs Through Intel Core2


Abstract: Intel's investigation into the savings offered by Intel vPro technology was conducted in a globally distributed environment. The test environment consisted of 39 training rooms in Asia, the United States, and western Europe, with approximately 800 PCs, of which 300 systems were PCs with Intel vPro technology.



- Brian Brougham



Installing Multiple Intel SCS components for a large Notification Server environment

Some Notification Servers carry huge loads of managed systems. I've seen Notification Servers managing 10,000, 15,000, and even 20,000 plus systems. For Out of Band Management with the Intel SCS Component, a multiple-service install may be required to handle large loads of provisioning or maintenance requests into the Intel SCS Component. This article covers how to setup such an environment.



Normally in a simple Notification Server environment when the install for Out of Band Management is initiated, all the necessary pieces, including the Intel SCS Component, install automatically and silently. In more complex environments the automatic install of the SCS Component often throws an exception and provides a message indicating the install should be conducted manually. This manual process is what will be used when installing the components on the subordinate servers who will share the load for the Intel SCS Component.


Installing Out of Band Management

The first step is to install Out of Band Management and the primary Intel SCS Component on the Notification Server. This will setup the IntelAMT database that will be used with every install of the Intel SCS Component. The following process details the install methods for Out of Band and the Intel SCS Component.


Simple NS environment

For a simple NS environment where the Application Identity for Notification Server has full rights to both the Notification Server system and SQL Server, the initial install is simple. Note that this process should be used for Simple and Complex environments to lay down the essential components on the NS.


  1. In the Altiris Console, browse View > Configuration > Install/Upgrade additional solutions.

  2. Under available solutions, click the ‘Segments' button.

  3. Expand the Partner Solutions section and locate the Altiris Manageability Toolkit for Intel vPro Technology.

  4. Click the link to launch the install.

  5. NOTE: This will install the following primary components, all of which tie into aspects of Out of Band Management and Real-Time System Manager:

    1. Task Server and supporting installs

    2. Real-Time System Manager

    3. Real-Time Console Infrastructure

    4. Out of Band Management Solution

    5. Our of Band Setup and Configuration (AKA the Intel SCS Component)

    6. Network Discovery

  6. The install will commence. Note that if the Intel SCS Component is unable to be successfully installed you will receive a message indicating it needs to be installed manually. If this is the case, see the next section entitled ‘Complex NS Environment'.

  7. If no errors are shown, the Intel SCS Component with the IntelAMT database should have been installed and created successfully.

Complex NS Environment

Despite the name of this section, sometimes the steps here need because of a minor security issue when the automatic install was attempted. The following steps detail the process of install the Intel SCS Component manually.


  1. Run through the install as detailed under the ‘Simple NS Environment' section above. This will put all the typical components in place, and likely the automatic install of Intel SCS will fail, requiring the next series of steps to be completed.

  2. It's recommended to log into the Notification Server as the Application Identity user.

  3. Browse to the following path on the NS: install_path\Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\OOB\IntelSCS\

  4. Launch the EXE AMTConfServer.exe.

  5. Click ‘Next' on the Welcome screen and accept the license agreement and click ‘Next'.

  6. Choose ‘Complete' as the type of setup and click ‘Next'.

  7. In the User name and Password fields put in the Application Identity for the NS.

  8. Check the Web details.

  9. Leave ‘Force Secure Connections (HTTPS)' checked if you will use TLS to encrypt AMT traffic, or uncheck it if you will not be using TLS. Click ‘Next'.

  10. Under ‘Database Server' select the database name and instance (if applicable) to use. It is recommended to use Windows Authentication, but if the SQL setup requires a SQL account, choose that option. Click ‘Next'.

  11. The next details should be left as is. Click ‘Next'.

  12. Click the ‘Install' button to proceed with the install using the parameters set.

  13. At the Complete screen, leave the ‘Start Intel® AMT Config Service' checked and click ‘Finish'.

Subsequent SCS Installs

Now that NS has all the required components, and the IntelAMT database has been created, the following details cover how to install a subordinate install of the Intel SCS Component. Note the following prerequisites for this type of install:


  • Windows 2000 Server, Windows 2003 Server

  • Internet Information Services (IIS)

  • Microsoft .NET 2.0


Run through the following steps to install Intel SCS.


  1. Log onto the system as the Application Identity user for Notification Server.

  2. Browse to the following path on the NS:

  3. Launch the EXE AMTConfServer.exe.

  4. Click ‘Next' on the Welcome screen and accept the license agreement and click ‘Next'.

  5. Choose ‘Complete' as the type of setup and click ‘Next'.

  6. In the User name and Password fields put in the Application Identity for the NS. If this is not possible the user should have full access to the SQL Server. This will also be the user set on the Service AMTConfig.

  7. Check the Web details.

  8. Leave ‘Force Secure Connections (HTTPS)' checked if you will use TLS to encrypt AMT traffic, or uncheck it if you will not be using TLS. Click ‘Next'.

  9. Under ‘Database Server' select the database name and instance (if applicable) to use. This should be the SQL Server used to install the IntelAMT database in previous steps.

  10. The database details . Click ‘Next'.

  11. Click the ‘Install' button to proceed with the install using the parameters set.

  12. You'll receive a notice saying that the database IntelAMT already exists. Make sure to click ‘Yes' so it uses the existing one.

  13. At the Complete screen, leave the ‘Start Intel® AMT Config Service' checked and click ‘Finish'

  14. From the Notification Server, at this location: , copy the file oobprov.exe to the same path on the subordinate install (default will be C:\Program Files\Altiris\OOBSC\).

  15. NOTE! You must use the same path that it used on the Notification Server, this is a limitation of this implementation.

  16. Copy to the same folder the attached file Interop.AeXClient.dll.

  17. Normally the script (oobprov.exe) is properly registered to the correct path, but if it is not, we must manually change it.

  18. Open SQL Query Analyzer or SQL Enterprise Manager. Run the following query:

    1. USE IntelAMT
                SELECT Props_script_path, use_props_script
                FROM csti_Configuration

  19. Check the path and make sure it matches the remote and local Intel SCS install. Also verify that the use_props_script is set to 1, which means ‘True' (0 means ‘False'). Now run the following query if they need to be updated, but take note to change the path to match your environment:

    1. UPDATE csti_configuration
                SET props_script_path = ‘C:\Program Files\Altiris\OOBSC\oobprov.exe'
                SET use_props_script = 1
                WHERE configuration_id = 1

  20. Everything should now be in place for both the primary and secondary Intel SCS install to work with systems being Provisioned, including subsequent maintenance or reconfiguration functions, sharing the load.

Confirm Registration

The next step is to confirm that the install has successfully registered in the IntelAMT database and is running. Use the following steps to make the checks:


  1. First, let's check that the Secondary SCS Server has properly registered in the IntelAMT database. On the SQL Server where the IntelAMT database is housed, open SQL Query Analyzer or SQL Enterprise Manager. Run the following query:

    1. USE IntelAMT
                SELECT * FROM csto_servers

  2. You should have one entry for every Intel SCS install you've completed.

  3. On the secondary Intel SCS Server, go to Start > Administrative Tools > and click on ‘Services'.

  4. Locate the Service ‘AMTConfig'. Ensure the following settings:

    • Status = Started

    • Startup Type = Automatic

    • Log On As = NS Application ID

Adjust Queue Settings

The last part is to adjust the general settings to account for the added resources.


  1. In the Altiris Console browse to View > Solutions > Out of Band Management > Configuration > Provisioning > and click on ‘General'.

  2. Look under the ‘Service Maintenance' section. See the screenshot, followed by the recommended settings:

    • Max queue size: 2000 for one instance, add 1000 per secondary server

    • Worker threads: 10 for one instance, add 5 per secondary server. Same for the Slow worker threads

  3. The above values are recommendations. Since thorough testing has not been performed, it is recommended to change these in small increments if performance is a problem.

  4. Make sure to ‘Apply' the changes once they've been made. This should allow the SCS infrastructure to handle larger loads of incoming requests.


The subordinate Intel SCS install process should be repeated for each Intel SCS install desired in the environment. This will help distribute the load of incoming requests from Intel AMT vPro systems. Moving forward Symantec and Intel will be testing this scenario further. In the interim this article can be used to increase the resource power of the SCS infrastructure.

With the launch of Intel Centrino with vPro technology - several medium to large customers (with 1000 or more PCs in the infrastructure) have asked for Intel's help with building the financial business case for the new technology. Given this need, Intel asked WiPro to survey senior IT managers from 41 companies about current notebook PC management costs that could potentially be reduced by taking advantage of the new technology. WiPro specifically focused on PC maintenance costs that IT usually budgets for on an annual basis (these are "hard dollar costs", such as help desk calls, help desk visits (especially for hardware and software malfunctions - such as OS blue screens and hard drive failures), auditing, security incidents, software patch deployment costs, major application (such as Office) deployment costs into the infrastructure, etc.).


WiPro's findings are as follows:


  • Estimated hard dollar savings of up to ~$140 / PC / year with Intel Centrino with vPro technology vs. the mobile PC in the installed PC base today

  • Reduces the need for hardware-related desk-side visits by as much as 58% and for software-related desk-side visits by as much as 57%

  • Up to 51% faster patch saturation per incident and reduces number of inventory failures by 62%

  • Enterprises can take advantage of most of the Intel Centrino with vPro technology features (including remote diagnosis and repair) in the mobile PC form factor for about 16 hours a day (the other 8 hours, on average, the mobile PC is asleep or off-line, and an IT manager cannot use the Intel vPro technology features)


For those interested in the report, please read about it here:


In order to help customers model the "hard dollar" savings in your environment, Intel has created the Intel Centrino with vPro technology and Intel Core2 with vPro technology ROI Estimator that is based on the data from the above study, as well as another study that focused on desktops with Intel Core2 with vPro technology that was published last year. This ROI Estimator is located here:


To learn more about the ROI Estimator and the desktop and mobile PC studies, please listen to Josh, me and WiPro talk about them in this PodTech videocast:


Cheers -


Justin Van Buren


Intel Business Marketing Manager


SDP-1: Permit a Single IP

Posted by cmp1 Feb 20, 2008

This is 1/10 System Defense policy tests I worked on. This test has four systems: three servers & one AMT 3.0 client. I run pings from each server to the vPro and from the vPro (via RDP session) to each server. Then I block all IP except from one server. I lose connectivity including the RDP session but can still manage the system to remove the policy.




Although Danbury is the ultimate solution for Disk Encryption and Remote Manageability, the following whitepaper provides a reference design for using Intel® vPro™ Technology and Serial Over LAN (SOL) as a means to perform remote disk drive unlock on client boot up.






Whitepaper: Intel® vProTM Technology Enables Remote Manageability of PCs Employing Encrypted Disk Technology









Matt Royer



Cathy Spence in Intel IT has a great blog on the specific use case that she ran with System Manufacturing that starts in my mind to ask the question around streaming both OS & applications.  Here's her Blog @


The question that I have is that application streaming technology has been around for a long time, Windows Terminal Server environments are a NORM.. so why does OS & application streaming really raise the bar on the new computing?   or is this just a matter of time when the HW & SW will become a trusted partner beyond the standards today to a new more compelling future?   


what do you think?   what makes streaming compelling or....../?

Note: This information is based off Microsoft System Center Configuration Manager 2007 SP1 Beta and is subject to changes between now and RTM.


Once the vPro client has been provisioned by SCCM SP1, you can now start performing vPro Client Manageability through either Collection based power operation or through the “Out of Band Console”.





To invoke vPro power management feature from within a collection, you can right click on a single client (or multi-select several clients) and select “Out of Band Management” -> “Power Control”. After which, a “Power Control” Screen will appears for the client(s); from there you can select whether to power on, power off, or restart the vPro Clients.







Here is a video that visually goes through the process:








To perform more vPro client manageability options, right click on the client in the collection to manage and select “Out of Band Management” -> “Launch Out of Band Console”. It may take several seconds for the “Launch Out of Band Console” to fully load; make sure that System status in the bottom left section of the “Out of Band Console” reads as “System: Connected”. Once the “Out of Band Management” is loaded, you will see 7 menu options:

  • System Status: Displays the following for the connected computer:

    • The power state

    • IP address

    • Computer name

    • System ID

    • System date

    • System time

  • System Inventory: Displays the hardware inventory information for the connected computer.

  • Power Control: Initiates one of the following power control actions:

    • Power on the computer

    • Power off the computer

    • Restart the comput

    • If you power on or restart the computer, select one of the supported boot options that is retrieved from the computer. These can typically include the following:

      • Normal boot

      • Boot from local CD/DVD drive

      • Boot from local hard drive

      • Boot from alternative media (and specify the image file in Alternative media path)

      • Boot from the network

      • Boot to BIOS

  • System Event Log: Displays activity for the management controller on the selected computer. You can also clear and set log levels from this screen.

  • System Audit Log: Displays IDE redirection and PXE boot information.

  • Serial Connection: Starts a terminal emulation session so that you can run commands and character-based applications. After invoking an IDER or BIOS redirections, you will want to come to this screen to interaction with the SOL session.

  • Configuration: Allows you to perform either a full or partial unprovision of the vPro Client

    • Full Unprovision: “Delete both configuration data and identification data from the management controller”

    • Partial Unprovision: “Delete configuration data and retain identification from the management controller”




Here is a video that visually goes through the process:






Matt Royer

Client Manageability Add-on (aka AMT Add-on) version 3.2 for SMS 2003 has been released. For download and more information, please visit:


Bug Fixes / Issues Resolved


  • An Intel® AMT PC can be configured to use HTTP Digest network communication. Part of the Digest header is a random string which includes the platform UUID. Under certain circumstances depending on the manufacturing flow, it is possible that the Digest UUID and the actual platform UUID as stored in the hardware inventory table do not match. The Intel® Add-on for SMS would reject HTTP Digest communications from a system with mismatching UUIDs. Note that the Digest string uses the UUID purely as a random number and does not use it as an identifier, so there is no reason that they must match. This hotfix amends the functioning to ignore mismatching UUIDs.

  • There were cases involving sites containing very large numbers of AMT devices where menu selections would be displayed unacceptably slowly. This has been solved.

  • In rare cases, expired advertisements would wake up AMT devices. This has been solved.

  • Due to the way in which SMS performs log message collection large numbers of messages are collected, many of which are not critical AMT device messages. Although these messages are valid, they are nonetheless not required in many situations. A workaround has been implemented that allows for the suppression of various levels of non-critical messages.


New Features from 3.1 to 3.2


  • The Add-on service account no longer requires local administrator permissions.

  • There is no longer a need for a dedicated Add-on service account. The user specifies the Add-on service account during installation.

  • New Active Directory groups.

  • The Add-on is integrated with version 3.3 of the Intel® AMT Setup and Configuration Service.

  • Operations no longer require SMS Administer permissions, except for changing the Add-on Settings.

  • A user in the Redirection Managers group can terminate another user's redirection operation.











Matt Royer

Congratulations to the 3 winners of the "rock your world" contest.  due to limited submissions the team has made the decision that the 3 submissions will win a Intel(r) Centrino(TM) notebook with Intel(R) vPro(TM) technology.  We are awarding the following systems:


Lenovo T61 - Intel(R) Centrino(TM) with Intel(R) vPro(TM) Technology

-     Intel Turbo Memory

-     Select models have .11n

-     Energy Star 4.0 rating


Hewlett Packard 2510P - Intel(R) Centrino(TM) with Intel(R) vPro(TM) Technology





Here are the winning video's

1st Place


2nd Place


3rd Place



Thank You all & look forward to our next contest in Q2.

Hi, I'm Craig Pierce and I work for Intel's Information Technology department. I started playing around with System Defense last year and wanted to share my learning. There's been some requests on some "How to" implement so I created an add & change video I am posting today. Look next week for my first policy use case.





This week I was reflecting on my IT journey in the last few years and how I successfully adopted new technology.  I thought that sharing this type of information may be helpful to those out there that are either about to start or in the middle of their integration of Intel® vPro™ Technology.  First things first, here’s an illustration of the different camps within an IT shop (architecture, engineering, operations, finance, security) and then of course there is the leadership (mgmt) that provides air cover for such new adoptions /  also a key stakeholder in the success.





For each of these camps there is a different perspective and frames of reference, therefore let me dive into each one. 


ARCHITECTURE:  for the architect community, the requirement is to understand their 3-5 year roadmap and how a new client technology fits in - does it violate any major design rules, does it embrace the technology strategy?.  Specifically the focus is around conceptual and reference architecture with focus on high level themes i.e. Compliance, Provisioning, Remediation, Automation, Virtualization.  The vantage point here is looking at the big picture and being able to define it in relationship to the rest of the architecture.  This includes the BDAT model as well (business, data, applications and technology), focus is around the business process changes, data architecture changes with respect to where data is being stored, retained, transmitted, etc..  Applications are all about the application architecture requirements and potentially any changes to the high level picture. 


ENGINEERING:  for engineering it’s all about the connection points, ports, protocol’s, access rights.  What I find very compelling in this realm is that the dialogue is around AS IS and TO BE solution architecture with heavy reference to the BDAT model output.  How does it specifically fit in w/ the rest of the pieces, what is the traffic pattern, what is the fault tolerance, how does it reuse the pieces of infrastructure already in place, how does each level of the support stack manage their respective pieces without breaking the separation of duties requirements, scaling out ramifications. 


OPERATIONS:     for operations it all about what is the process change, realization of the value and how does it all work.  As you dig in more in this area it is about the 1-x process steps required, there is a heavier view on automation of remedial tasks, there is focus on ownership of problems, reliability of the solution, SLA’s, OLA’s (operational level agreements).   The dialogue for operations is about the minutes it takes to operate a given function, the time to execute, back out, re provision, etc..  This is where the business process understanding and changes are the most critical as they are truly tested in live production scenarios


FINANCE:  for finance, it’s a few things that I think are important to know, it’s not all about the ROI & TCO, however that is about 90% of it.  The other 10% is primarily focused on how this solution would enable company objectives, goals and vision. They are also the keepers of the value (from Headcount, costs, impact, including how to verbalize) when it’s all said and done, as they play the role in delivering a projected vs. actual account of the events, therefore their keen involvement and insight is important.  An Enlisted finance manager can make a world of difference.  


SECURITY:  I initially did not draw in security & then went back to add this into the picture above.  Why you ask?  Well, years back security was an afterthought, however Ever since the Code Red/Nimda/SQL Slammer days – they’ve had a pretty strong foothold in decisions within IT – especially in evaluating new technologies…  They have to ensure that the ‘last mile’ is covered in the enterprise, 1 box can wreak havoc on the network, etc.   What this means is that it’s all about CIA (Confidentiality, Availability & Integrity), therefore diving into the technology & understanding the RISK is the key part here (specifically the Risk Assessment). 


LEADERSHIP/MANAGEMENT: the focus here is around not just being an “approver” but to also being a champion for the new technology.  The goal is to have them very aware & equally as passionate as the adopter of the technology.   If you can drive this passion from the top the air cover is significant in removing roadblocks that may arise.


So is one more important than the other?  No, they are all critical for full adoption, however I will highlight that the message crafted towards the leadership team is critical.

Does a small/medium IT shops have these same challenges?  I think so, they are just differing in size of the work required .  for example in a small business the IT director may be participating in arch-eng-ops type of roles and rolling out the technology, where as in large enterprises these may be broken out over different people and groups. 


So..  how do you go for the WIN? 

My past has taught me that if I can understand the differing roles, what is needed to satisfy their requirements, the process is smoother (not perfect).   I have also realized that sometimes even in IT you have to put on a marketing’ish type of role to help push the adoption along, whether it’s brown bag lunch meetings to show off the technology or just asking the Sr. Exec to join you in the data center for a hands on demo.   In every case of new technology I’ve enlisted a team of passionate peers that see the vision and then together we tackle the key area’s as a team, while also diffusing that passion to others.  


I’d like to share some examples of each area if there is interest in the community, specifically focused around Intel® vPro™ Technology.  please comment back and then I will attach examples for each..  


Also. What have I missed? What key questions do you think need to get answered for a “WIN”.

Note: This information is based off Microsoft System Center Configuration Manager 2007 SP1 Beta and is subject to changes between now and RTM.


Here are some general steps to provisioning an AMT client using SCCM SP1 Import Out of Band Computers Wizard. Please note that until the WS-MAN translator is released, you will only be able to Provision and Manager AMT 3.x or higher machines.







  1. Within the Configuration Manager Console, expand “Site Database” -> “Computer Management” -> “Collections” -> “All Systems”. Right click on “Collections” and select “Import Out of Band Computers”.

  2. When the “Import Computer for Out of Band Management Wizard” appears, select “Import single computer” and then click “Next”.

  3. When asked for the information associated to the vPro client you are importing, enter in the following and press “Next”:

    • Computer Name

    • FQDN

    • MAC Address

    • SMBIOS GUID (aka UUID)

      Note: The Computer Name, FQDN, and UUID are required for provisioning. The MAC Address is used for conflict resolution and not required. Feel free to use all 1’s in the MAC Address.

  4. On the “Data Preview” screen, confirm the entries entered and click next.

  5. On the “Choose Target Collection” Screen, select “Add New Computers only to the All Systems Collection” and click next. When presented with the Confirmation Screen, click “Next”. You may choose to put the client in another collection if you wish.

  6. On the “Confirmation” Screen, confirm that import was a success, and click “Close”.

  7. Right Click on “Collection” and select “Update Collection Membership”. Click “Yes” to confirm that you want to proceed.

  8. Within the Configuration Manager Console, expand “Site Database” -> “Computer Management” -> “Collections” -> “All Systems”. Right Click on “Refresh” and confirm that AMT client is now in the collection list.

  9. You should now see the vPro Client in the Collection in an “unprovisioned” state. The provisioning process may take a couple minutes. You can track the provisioning process in the c:\program files\Microsoft Configuration Manager\Logs\amtopmgr.log Log.

  10. Right Click on “Collection” and select “Update Collection Membership”. Click “Yes” to proceed. Within the Configuration Manager Console, expand “Site Database” -> “Computer Management” -> “Collections” -> “All Systems”.

  11. Right Click on “Refresh” and confirm that AMT client is now in the collection list. Once the provisioning process has been completed you should see the device listed as “Provisioned” in the Collection list.


Here is a video that visually goes through the process:




Matt Royer

We are starting a new talk show all around Intel(r) vPro(TM) Technology, which will run every two weeks.  Here is our kick off discussing what we'll talk about & also asking for your feedback on what you want to hear. 



We're looking forward to your comments.

Here are the high level steps to configure SCCM SP1 so that you can begin provisioning and managing vPro Clients out of band.  This does not take in consideration any additional configuration settings you may want to enable based on your business needs.  Please note that until the WS-MAN translator is released, you will only be able to Provision and Manager AMT 3.x or higher machines.


Configure AMT Certificate on Enterprise CA for SCCM SP1




  1. Open of the Certification Authority Management Console for the Certificate Authority that will issue your AMT certificates.

  2. Expand the menu so that the “Certificate Templates” drill down is available.
                                  Right Click on “Certificate Templates” and select “Manage”.

  3. When the “Certificate Templates” windows appears, Select “Web Server” from the Template Display list.

  4. Right Click on “Web Server” Template and select “Duplicate Template”.

  5. When the “Properties of New Template” appears, ensure the “General” tab is select and enter in the “AMT Certificate” in the “Template Display Name” field and check “Publish certificate in Active Directory”.

  6. Within the “Properties of New Template” windows, click on the “Security” tab.

  7. Click “Add” and add the server name of the SCCM SP1 Site Server.

  8. Ensure you give the SCCM SP1 Site computer name read, Enroll, & Autoenroll permissions and then click “OK”.

  9. Close the “Properties of New Template” window

  10. Right Click on “Certificate Templates” and select “New”, then “Certificate Template to Issue”

  11. When the “Enable Certificate Templates” window appears, select “AMT Template” and click “OK”.


Here is a video that visually goes through the process for configuring the CA:








Adding “OOB Service Point” Role






  1. Open up “Configuration Manager Console”Expand “Site Database”-> “Site Manager” -> Site server Name -> “Site Settings” -> “Site Systems”.  Right click on the SCCM Server and select “New Roles”.

  2. When the “New Site Role” wizard appears, click “Next”.

  3. Check the “OOB Service Point” and click “Next”.

  4. When presented with the “Transmission” options, leave default unless business needs dedicate otherwise and click “Next” to finish.


Configure “Out of Band Management”




  1. Open up “Configuration Manager Console”.

  2. Expand “Site Database”-> “Site Manager” -> Site server Name -> “Site Settings” and click on “Component Configuration”.

  3. Right click on “Out of Band Management” and select “Properties”.

  4. Under the “Provisioning Settings”, click “Set” near the MEBx Account.

  5. When the windows appears in the “General” tab, enter in the MEBx password that you want the MEBx password to be or what you have had your OEM preconfigured it with.  SCCM SP1 will try the default (admin) password first (no configuration required) if necessary.  Once completed, click “OK”.

  6. Within the “General” tab, check the “Register provisioning server in DNS for zero touch provisioning”.  This will register provisionserver on your DNS server.

  7. Under “Certificates”, click the “Browse” next to “Provision Certificate”.

  8. On the “Select Provisioning Certificate” window, click “Browse” and choose your Remote Provisioning Certificate and then OK.  Then enter in the password associated to the certificate and click “OK”.  Please check of the following blogs to get more detail on Remote Configuration and process to create the certificate  Please check out Terry Culter’s blog on Remote Configuration - What is it? How does it work? When will it be available?

  9. Back on the “General” tab, Click the “Select” next to “Certificate Template”.

  10. Once the “AMT Certificate Configuration Dialog” window appears and fully loads, select “AMT Certificate” under the “AMT Device Certificate Template” and click “OK”.

  11. Back on the “Out of Band Management Properties”, click the “AMT Settings” tab.

  12. Click the “New Icon” next to “AMT User Accounts”.  When the “AMT User Account Setting” appears, click “Browse”, choose your desired groups or users, and click “OK”.  Once the group has been selected, identify which permissions to authorize for that group or user.  Click “OK” when completed

  13. On the “AMT Settings” tab, ensure that “Enable Web interface”, Enable Serial over LAN and IDE redirection for AMT devices”, and “Allow ping responses”. You may choose which options you want based on your business needs.

  14. Back on the “Out of Band Management Properties”, click the “Provisioning” tab.

  15. Click the “New Icon” next to “Provision Accounts”.  When the “Windows User Account” appears, enter in a user name and password.  This will allow you to specify user accounts that have been configured in the firmware for AMT-based computers, and can provision these computers.  Once satisfied, check “OK”.

  16. Click “Apply” and “OK” to save the changes for the “Out of Band Management”.


Configure “Wake on LAN” settings to work with AMT




  1. Open up “Configuration Manager Console”.

  2. Expand “Site Database”-> “Site Manager”, right click on Site server Name and “Properties”.

  3. On the “Wake On LAN” tab, check “Enable Wake on LAN for this site” and click “OK”.  Checking this option will allow SCCM SP1 Wake on LAN to use AMT remote power up control.


Enable Network discover of Out of Band Management




  1. Open up “Configuration Manager Console”

  2. Expand “Site Database”-> “Site Manager”, right click on Site server Name -> “Discovery Methods” and double click on “Network Discovery”.

  3. When the “Network Discovery Properties” appears, check “Enable network discovery” and “Enable discovery of baseboard management Controller”.  Then click “OK”.

  4. On the “Wake On LAN” tab, check “Enable Wake on LAN for this site” and click “OK”.  Checking this option will allow SCCM SP1 Wake on LAN to use AMT remote power up control.


Here is a video that visually goes through the process four steps above:




Matt Royer

Note: This information is based off Microsoft System Center Configuration Manager 2007 SP1 Beta and is subject to changes between now and RTM.


This is not a replacement for the install documentation that Microsoft provides for installing System Center Configuration Manager SP1, but is merely a high level guide on how to get SCCM SP1 up and running. This does not take in consideration how you should implement SCCM SP1 in your environment, what features beyond vPro Out of Band Management to enable, nor does it take in consideration upgrade paths from SMS 2003. In a supplement blog, I will describe the post installation configuration steps to allow "Out of Band Management" capability to be used within SCCM SP1.


Before you begin the install, there are both infrastructure and base server (the server that SCCM SP1 Site server will be installed on) configuration that need to be performed / consider first.


Infrastructure prerequisites for Out of Band Management




  • Microsoft Enterprise Certification Authority (CA) is necessary for serving web server certification for authentication of the AMT-based computer during out of band management.

  • AMT provisioning certificate from either your own PKI infrastructure or a third party certification from a vendor supported by the vPro platform is required for provisioning vPro clients.

  • vPro Desktops or Laptops that are running AMT firmware version 3.2 or later should have the Intel HECI Driver installed; backward compatibility for AMT firmware version 3.x and 2.x within SCCM SP1 will be provided with the implementation of the Intel WS-MAN Translator which is expected to be release in conjunction with SCCM SP1 RTM.

  • Active Directory and SCCM SP1 Site Server is required to have the correct security permissions in the Active Directory to publish clients. Please note that it is NOT required to extend the AD Scheme to take advantage of SCCM SP1 Out of Band Management capability; however, it may be required to use non-AMT rekated SCCM SP1 Features.

  • You will need to have a DNS Server that resolves the host name ProvisionServer to the Out of Band Service Point for remote configuration of AMT clients. This is not required if you are planning on exclusively using the Configuration Manager 2007SP1 client installed (agent) for provisioning.

  • DHCP with an active scope is necessary. You will need to ensure that DNS servers (006) and Domain name (015) are configured within the scope and the DHCP server is dynamically updating the DNS records.

  • Microsoft SQL 2005 with SP2 needs to be available for the SCCM SP1 Site System Collection Database to be installed on.


SCCM SP1 Site System Server Prerequisites



Installing Microsoft SCCM SP1 is pretty straight forward. The install wizard walks you through all the main configuration steps. To install SCCM SP1, you:


  1. Decompress the SCCM SP1 Install package and run splash.hta.

  2. When the Splash Screen is presented, click "Configuration Manager 2007" under the Install Option.

  3. Verify that you have completed the pre-tasks and click "Next".

  4. Select the "Install a Configuration Manager site server" and click "Next".

  5. Read / Accepted the Microsoft Software License Terms and click "Next".

  6. Select "Custom settings" and click "Next"

  7. Select "Primary site" and click "Next".

  8. Chose whether to participate in "Microsoft's Customer Experience Improvement Program" and click "Next".

  9. Enter in your "Product Key" and click "Next".

  10. Unless otherwise required, choose the default installation directory and click "Next".

  11. Enter in your "Site code", "Site name" and click "Next".

  12. Select "Configuration Manager Mixed Mode" and Click "Next". Reference the Microsoft SCCM SP1 Documentation to determine

  13. if you have a requirement to run SCCM SP1 in a "Configuration Manager Native Mode".

  14. Select the desired "Client Agents" to be enabled and click "Next".

  15. Specify the "SQL Server and instance" to be used and the name of the "ConfigMgr site database". Once entered, click "Next".

  16. Specify the location of the "SMS Provider" and click "Next".

  17. Specify the location of the "Configuration Manager Management Point" and click "Next".

  18. Choose the appropriate client communication port and click "Next".

  19. Select "Check for updates and download newer version to an alternate path" and click "Next"; you will be required to have access to the internet to perform this option. If you have already downloaded the packages, select "The latest updates have already been download to an alternate path" and point to that location on the following screen.
                   Specific a folder to download the Prerequisite Component to and click "Next".

  20. Allow the required packages to be downloaded. You will be notified when the download is complete.

  21. Confirm the settings you have chosen and click "Next".

  22. Click "Run Check" and verify that no errors were found in the "Installation Prerequisite Check"; if any errors or undesirable warnings were discovered, click on the items to review the corrective action. Note that "AD Schema Extensions" are not required for vPro Client Manageability. When you are satisfied with the Prerequisite Check, click "Begin Install".

  23. Allow SCCM SP1 wizard to install the selected components.

  24. Once the install is complete, click "Finish",

Here is a video with screen captures of the install process.


Matt Royer

Note: This information is based off Microsoft System Center Configuration Manager 2007 SP1 Beta and is subject to changes between now and RTM.


Microsoft has just release System Center Configuration Manager 2007 SP1 beta. As part of SCCM 2007 SP1, Microsoft has included native support for several of the core vPro Out of Band Management use cases.


Security-based management: Through the use of public key infrastructure (PKI), SCCM 2007 SP1 allows for remote provisioning and out of band management communication through Kerberos authentication and Transport Layer Security (TLS) Channels. Activities are also recorded and auditable to ensure traceability and compliance.
*AMT Provisioning:* SCCM SP1 provides native provisioning capabilities for vPro Base clients through both bare metal (agent-less) and Configuration Manager 2007 SP1 client (agent based).
*Inventory Data:* SCCM 2007 SP1, through the use of core vPro capability, provides enhanced support for hardware base inventory. Inventory data such as BIOS UUID, power states, memory, process, hard drive information, etc that can all be retrieved out of band and independent of power state.
*Power Control:* SCCM 2007 SP1 enables you to perform both in and out of band power controls for vPro Clients such as power on, power off, and restart capabilities for a single computer or a selection of vPro clients in the collection.
*Out of Band Manager Console:* Within SCCM 2007 SP1, you are able to interaction directly with each vPro client and invoke AMT use cases through the Out of Band Manager Console. This capability allows you leverage additional power control options including the use of Serial over LAN (SOL), IDE Redirect (IDER), and detail vPro Audit / Event logs. SOL allows you to perform terminal emulation to the vPro client and perform character-based commands and/or interact with the systems BIOS. IDER enables you to boot from a remote or local image to take advantage of alternate boot environment or diagnosing / repair tools.

To gain access to Microsoft System Center Configuration Manager 2007 SP1 Beta, you can request access by:




  1. Set-up an account. on MS Connect.
                   MS Connect Website

  2. After you've logged in, select "Available Connections" from the menu on the left side of the screen.

  3. Select "System Center Configuration Manager 2007". You will be asked to fill out a questionnaire so they can get some background and demographic information.


Matt Royer

Intel employee's Scott Smith & Mike Ferron-Jones recent podcast around the various models for computing. The video is embedded in this blog, and can be viewed here. 



The performance studies he references in the video are: and


This is of course the Intel perspective - does it align with what you see?

Serial-over-LAN is quite useful for taking control of a computer, making changes to the BIOS and when Intel AMT Outpost or Guardpost is running, getting a management command prompt even when the OS network driver is disabled. What if you have to repeat the BIOS change on 100’s of computers? Say you want to change a BIOS boot option on 100 computers? Or want to test the reliability of a new computer platform? The Intel AMT Serial-over-LAN scripting can help.


Connect using Intel AMT Commander to the Intel AMT computer and select “Take Control” to enter the VT100 terminal. Make sure everything works well and you can connect and perform Serial-over-LAN correctly. Go in the “Terminal” menu and select “Script editor…” and write a script like this one, using the user interface to guide you:

LABEL “start”
RESET bios
WAIT 40 seconds.
RESET powerdown
WAIT 15 seconds
JUMP “start”

You can save the script, and run it. You can also write more complicated scripts to change BIOS options and do more interesting things. There is a command:

WAITFOR “abcd”

This command will wait until the string “abcd” is anywhere on the VT100 screen. This is very useful to wait for the computer to finish booting and to do something after. You can also send string to SOL:

SEND “dir\r”

To send the “dir” command. Terminal scripting is very powerful. It’s also a great way to impress your friends and customers. In a few minutes, you can write a script that will power on a computer; navigate throughout the BIOS screens and shutdown the computer when done. Once you run it, it’s like a ghost is taking control of your computer and going into the BIOS, very cool.


Ylian (Intel AMT Blog)

Simpler and Tougher Intel® AMT for Embedded Environments


Jackson He



I just got back from a business trip to China where I had several discussions with customers about extended usages of Intel® AMT in their business environments. With the success of Intel® vPro and Intel® AMT, they would like to extend the remote management and computing power to other non-PC application environments. My blog "[Intel® vPro Beyond Desktop/Laptop|p-10752]" talked about how Intel® vPro was used in an embedded video surveillance environment at railway stations in China. There are more evidences that users are looking for simpler and more affordable Intel® AMT in embedded environments.    



Besides video surveillance usage we described in the last blog, the China railway customers told us that there are many other applications in the railway that require remote management, even though may not be as much computing power offered by vPro. They need fully automated no-touch remote management in following areas, that are not typical office environments, but under some rather rigid condition (dust, temperature, RF interference, etc.):


  • Network monitoring

  • Power grid management

  • Railway intersection control


In all these cases, embedded control units are deployed at remote locations throughout hundreds and thousands of miles of railways, often at odd locations. A simple power recycle today may require sending people to the site. In many cases, that is all it takes to solve the problem. 



Similar to the railway operations, we also heard similar stories from airport operation to banks (ATM). For example, the flight information minitors at the newly built Beijing Airport for Olympics are controlled by computers. Since they do not have remote management, technicians have to climb up a ladder to reset the computer. They have to do it one at a time around the airport - it will be so much better, if they can do this remotely without climbing up and down!



All these customer requirements call out Intel® AMT-like remote management features in embedded system. Since embedded systems have different characteristics than that of desktop PC and laptop, it requires different perspectives of remote management features:


  • Low cost: embedded platforms we talked about above are typically low-cost devices. Remote management component on the chipset has to be low cost as a portion of the overall platform cost.

  • Simplified features: In an embedded platform, remote management does not need full featured Intel® AMT. It requires a subset of simplified out-of-band features, such as power on/off, hardware health monitoring, etc.

  • Ubiquitous presence: Intel® AMT-like (Intel® AMT Lite?) features should presence at all IA-based embedded platforms, so that central management solutions of distributed systems could be deployed uniformly.

  • Standard interfaces: Standard interfaces like WS-MAN is essential for ease of integration with central management console. It is critical for ISV and heterogeneous platform integration, as embedded platforms have different form factors.

  • Resistance to environmental interferences: Embedded systems are typically not installed in office environment. They often locate outdoor that operate at rough conditions - temperature, dust, and RF interferences, etc.


As we can see that remote management is not a requirement for PC or laptop. It has broader use in embedded systems as well. We need to look at this from different perspectives and look into how to build low-cost, simplified, and tougher Intel® AMT Lite into embedded platforms. This is an opportunity to build the next billion manageable connected devices - it could be as big as Intel® AMT in desktops and laptops. I think this is real and tangible. What do you think?

Filter Blog

By date: By tag: