
As referenced in the Overview of SMS/Intel SCS migration to SCCM SP1 blog post, Intel has developed a utility to ease the migration of vPro Clients that have been activated on SMS/SCS to SCCM SP1.





The beta of the Intel SCStoSCCM Migration Utility has been released and can be downloaded from the following location:




A User Guide on how to use the migration utility has been included in the download.  Since SCCM SP1 has a dependency on the Intel WS-MAN Translator for any vPro Client less than firmware version 3.2.1, the WS-MAN translator will need to be installed and configured before proceeding with the migration if you have legacy systems already activated in your environment.




Note: Intel SCStoSCCM Migration Utility is currently in Beta status and not considered a released product at this time.





Matt Royer


As noted in a previous blog, SCCM SP1 only natively supports vPro firmware version 3.2.1 and higher.  For legacy (less than 3.2.1) vPro clients to be supported, SCCM SP1 depends on the WS-MAN Translator.






There has been an issue identified within the SCCM SP1 (RTW version) Out of Band Console: it does not route AMT management communication through the WS-MAN Translator for legacy systems.  Microsoft is aware of the issue and will be releasing a SCCM SP1 HotFix (targeted for July 2008) to address the problem.






Provisioning and collection-based actions (power control / WOL via AMT) are not impacted by this issue; vPro firmware version 3.2.1 and above are also not impacted.






Matt Royer

Monday we're cooking up a great show, Russ, Jeff & I are going to be talking with Michele Gartner about the Activation zone and the latest status on how to self activate.  We will also be talking about our top tool picks that we use for troubleshooting & enabling vPro.  Definitely a show you won't want to miss out on.    Also you can either stream, dial in or download after the show is over to listen.   We will also have the chat line open for any and all questions related to vPro.  


Here's the info:


Number:  (347) 326-9831     

Date/Time:  6/2/2008 3:30 PM  (pacific)


Listen to Intel Open Port Radio on internet talk radio


Here's a ROI analysis paper that provides a real-world example of how vPro helped a company save money. This one is about a company named ValueSpace and details how their vPro implementation is making a huge impact on help desk services for their iCafes.


ROI Analysis - Substantial savings and revenue gains via 65% to 98% faster remote help-desk services

I witnessed our Internal IT guys defining a BKM that I thought was very relevant to share out to the community, therefore let me explain.


Challenge:   How can you use a mgmt console to read the AMT version so you can write a report in your mgmt console? 


Output:  You need to have a value placed into the registry that has data, whether it's all of the BIOS, MEBx, SOL, HECI, etc. driver versions, then you can read this data into a mgmt report.


Solution:  run MEInfowin.exe and redirect the output to a text file using the “>” operator

Example --




Then you need to write a program in your favorite language such as VB script or C# to read through that text file and write the desired info to the registry.


Then use your mgmt console to read these values & report out.    The internal IT guys are doing this to check versions.


Thanks Intel IT folks for the BKM.

I wanted to share what my top 3 tool picks are for starting up with vPro. Usually I am using these tools when I'm working on connectivity, packets or errors in the logs in the mgmt console. I also often find that I'm using these tools late at night when I'm deep in troubleshooting mode & trying to do a root cause on why something is not working as planned, i.e. hello packets are not starting on a given hardware platform, etc. (I'll save the showcase for a YouTube video soon.)


Here they are:


#1.  MEinfowin.exe -  Brian C posted a good link of where & how to get this from Lenovo's BIOS update.   I highly recommend this tool for troubleshooting version of the ME, SOL, etc..  it also has good information on setup & configuration, link status, etc..


#2.  Wireshark - Joel Smith (altiris) wrote about this in his blog, which is where I initially found the link. 



While the two above tools are distinctly for Out of Band Provisioning, Wireshark tells the whole story of what is coming and going across the wire. It's important to know what the AMT clients are sending, especially in the 'Hello' packet, and what the server is responding with.


Wireshark can be obtained from: While this is the recommended tool, any network trace capture program can be used to examine the network traffic between the AMT client and the Provisioning Server.


#3.  Intel® vPro™ Technology Test Utility - this is the old faithful tool to ensure your vPro system has the right ingredients.


These are my top 3, however if I were to go, in SMB mode I utilize the vPro Packet decoder and the AMT reflector, however I use those at very specific times when I've passed the top 3 and I am digging in even deeper.


I hope you enjoy the list and if you have a TOP tool favorite write a comment at the end of the blog and let me know as I am always looking for new tools that help troubleshooting.


Josh H


Go download from Microsoft and start managing vPro today with SCCM SP1.



And when you do, make sure to check out the Microsoft TechNet Library on SCCM: 



And drill down to the section on Out of Band Management for vPro: (Great material).



Microsoft has done a great job with instructions on how to prepare the environment, setup OOB service, and manage vPro systems.



We had the Intel vPro technology Challenge at MMS 2008 - a competition where teams of two competed to fix a troubled PC using Microsoft System Center Configuration Manager 2007 with PCs with Intel vPro technology. Check out how much fun this Challenge was at MMS 2008 this year:




To see more videos from MMS 2008, go to:

One topic of curiosity at MMS 08 was around the new benefits of Intel Centrino 2 with vPro technology. In the video below, D.C. Tardy, System Architect at EDS, and Kiron Lahiri, Lead Systems Engineer for Client Systems at Sisters of Mercy Health System, talk about the benefits that they are looking forward to with the upcoming Intel Centrino 2 with vPro technology.





Microsoft has announced today (May 22, 2008) that they are shipping System Center Configuration Manager SP1. For more detail on the announcement, please visit .






You can now download SCCM SP1 RTM from Microsoft web site







Matt Royer


If you are like me, when you travel, computers break at home - and being a computer person, you are the tech support...your house is most likely your personal lab, in a constant state of flux.  If not, I salute you. To make matters worse, I am often the one who messed things up before I leave - luckily, my wife patiently waits for me to get into my hotel and work with her to fix it remotely.  She already does a great job at tolerating the wires, keyboards, mice, monitors, and various other computer parts in every corner of our house - so having to wait for me to fix these, is a hassle for her I would like to reduce. 



I have a real life scenario from my current trip that is worth sharing with this community.  First let me explain a bit about the way I have my house setup.  Network wise, I have a standard DSL connection to the house which plugs into a slim & quiet desktop that has 2 network cards on it and runs the firewall solution, which I have added onto and use the OpenVPN GUI application on my mobile computer.  From the 2nd network connection I serve up my wireless and wired infrastructures and have gigabyte connections to all rooms in the house as well as a great wireless solution, even the printers and TV are networked.  I have more than one vPro client in the house that I have enabled in small business mode.  I also have a RAID solution on one of my computers that handles all the file shares - including running various emerging solutions that we talk about on this site (I mentioned I view my home network as a lab, right?). 



Now the scenario - while on this trip one of the PCs that is up to date with virus protection and patches developed a virus, and as much as I would like to spend the time looking into how the virus got there - doing this over the phone would not be feasible.  Therefore, I did what any modern day geek would do - I VPN'd into my home from my hotel, I took control of the computer over a remote desktop session and started fixing.  I found the virus engrained into the system, and to keep my home running until I return, I set the machine to boot to the network instead of the local hard disk using IDE-R (a feature in vPro).  Then I rebooted the machine and it booted Ubuntu Linux over my network, and the files that my family uses are accessible over the file shares. 



Problem patched - until I return home.  Keeping my fingers crossed...






p.s. If you have any questions on how to configure your house this way - fire away.




This SCS deployment and capacity planning white paper presents architectural and infrastructure guidance for deploying Intel setup and configuration service in various enterprise scenarios. The guidance is based on SCS 3.x extensive scalability testing done in Intel Enterprise Integration Lab.



You can download white paper and capacity model calculator from below links:



SCS 3 deployment white paper:



SCS 3 capacity model calculator:



I am currently working on the SCS 5 white paper. Any additional inputs will be comprehended in the SCS 5 white paper. I appreciate all the inputs and comments that will help me in refining the content to make it more relevant for the end user community.






Anjaneya "Reddy" Chagam




The event in Pittsburgh on May 6th was a fantastic event and the first where we folded the Application & Desktop Virtualization Forums into the already successful Intel Premier IT Professional events - it was a marriage waiting to happen. 



I am excited to reference a write-up on the event on our new sister community site dedicated to these events at: Short Overview Videos from the Pittsburgh Event



We had fellow travelers of Citrix, Microsoft, Symantec, and Tata.  This week we will be in Columbus, Ohio.  Several more of these events going on this year, pop over to the Intel Premier IT Professional Zone and find out about the one nearest you:



Mark Wallis wrote:




One of the things folks ask me about the Intel IT Premier Program event is 'what are they presenting about' or 'what demos do they show'? So, while I was at the Pittsburgh event, I took some short videos of the Intel presenters and asked them to explain what they'd be presenting about. I also asked a couple of the demo guys a similar question.


Check out these videos and you'll get a little taste of what happens at these shows. I'll do more videos as I work on upcoming events.


"A Peek at the Future: Intel Product and Technology Roadmap".

Presented By: Rick White, Intel


"Client Virtualization Best Practices"

Presented By: Mike Breton, Intel IT


"Reducing Client TCO through the Use of Virtualization"

Presented By: Dave Buchholz, Intel IT


"Data Center Virtualization and Consolidation"

Presented By: Steve Tadman, Intel IT


Noel Tabotabo talking about some of his vPro demos


Randy Baxter pointing out some of the mobile devices in the showcase



At MMS, Kiron Lahiri, Lead Systems Engineer for Client Systems, and Brian Boresi, Information Services Division, both with Sisters of Mercy Health System, talked about some of the powerful benefits of combining Intel vPro technology with Microsoft System Center Configuration Manager. Listen to the video and see how Sisters of Mercy Health System is benefiting from this combination of hardware and software in their infrastructure.




To see more videos from MMS, go to

So today we had Jason Davidson and Mike Ferron-Jones on the show. We covered the spectrum of emerging compute models and recommendations for when to consider each model. See this ppt for additional info: Slide Deck and click play below to hear our radio show from this afternoon!





I just posted new information to Order an Intel® vPro™ Technology "Activation-Ready" PC or WS   This version includes a notebook offering from Panasonic and the desktop systems from Acer. Information on Acer notebooks is on its way!

We are having our bi-weekly radio show today & we are talking about Streamed Computing.  Kelsey last week posted a blog about it @


Also, remember that there are THREE ways to listen to our show. Not only can you call in and participate live, but you can stream live online or download the show afterwards!


When: TUESDAY, May 20th @ 3:30 PM

Call-in Number: (347) 326-9831

Sometimes within Intel Marketing, we're told that our description of Intel Centrino with vPro technology or Intel Core 2 with vPro technology is a bit lengthy. Therefore, while at MMS 08, we asked Intel customers as well as technical experts from Intel and Microsoft to give us their best, most concise acronym that best describes Intel vPro Technology. Listen to their responses below.




To see more videos from MMS 08, go to

At Intel, we're always looking for feedback on the way IT should be. Therefore, at the recent MMS 2008 Conference, we had Intel customers, partners, and technical experts from Microsoft and Intel tell us their meaning of IT Utopia.




To see more videos from MMS 08, go to

Intel Manager Brian Johnson demonstrates the combination of Microsoft System Center Essentials 2007 with PCs powered by Intel vPro Technology and servers powered by Intel Xeon Processors. This hardware and software technology is designed for businesses with 500 or less PCs, and brings the capabilities that till now only large businesses could take advantage of into a package that's optimized for small business. His video includes demonstrations around remote power control of PCs with Intel vPro Technology and remote diagnosis and repair of troubled servers with Intel Xeon Processors.




To see more videos from MMS 2008, please go here:

When Intel released Intel vPro technology into the marketplace in 2006, the press asked us what the "v" in Intel vPro technology meant. Now that the technology has been in the marketplace for almost two years, we thought that the best answer to the question, "What does the "v" in Intel vPro technology mean to you?" would come from Intel customers, as well as from some of the technical experts from Intel and our partners who deal with our customers on an almost daily basis. See their answers below.



To see more videos from MMS 2008, go here:

While at MMS, we talked to two Service Integrators about Intel vPro technology with System Center 2007 - including the combination of Intel® vPro™ technology with System Center Configuration Manager 2007 for medium to large businesses and the combination of Intel® vPro™ Technology with System Center Essentials 2007 for small businesses.




To see more videos from MMS, go to


Don't miss out this week! You will be able to catch Josh Hilliker, Russ Pam, and Jeff Torello's live chat with Jason Davidson and Mike Ferron-Jones. The show will be on the spectrum of emerging compute models and recommendations for when to consider each model. Feel free to check out this slide deck, you can bring up any questions you have during the show: Slide Deck


Also, remember that there are THREE ways to listen to our show. Not only can you call in and participate live, but you can stream live online or download the show afterwards!


When: TUESDAY, May 20th @ 3:30 PM

Call-in Number: (347) 326-9831 


On the quest to find tools that showcase saving energy, $$'s & overall how to optimize your energy bill I ran across this cNET Article titled:   Verdiem: Nyquil for energy-hog PCs

Full Details:


I pulled this quote out as it applies to the vPro community. 


"Verdiem Surveyor 5.0 has a console to centrally configure different devices and additional reporting tools. It also has better integration with Windows Vista and integrates with Intel's vPro PC management technology so that it can access machines that aren't turned on"


I think this may be a good tool to showcase the quest on "saving energy" that I have been discussing in my last few energy posts.  I dug in deeper and found this site -  in which they have a free download kit of information it looks like - I have to download & check it out.


If you are on this same quest.. let's check it out together & let me know your input on this blog.  




The primary key of identity for an AMT computer is its Fully Qualified Domain Name (FQDN). One of the essential parts of the setup and configuration process (Provisioning) is when Altiris attempts to map a valid FQDN inside the IntelAMT database. This article covers how to handle FQDN issues, including ways to correct invalid entries, the best method to avoid the issues, and how it all works. If you're using Altiris Out of Band Management for provisioning, this is a must read!






The two key identity items for vPro are the UUID (Universally Unique Identifier) and the FQDN. The UUID is contained within the hello packet sent by AMT, but the FQDN is not held within AMT without Provisioning. This means it is up to Altiris to acquire the system's FQDN. While this may sound simple, the problems arise when the system is in its setup process, whether prepping or being imaged, having software and scripts rolled out to provision and join the system to the domain, including when its final identity on the Domain and network are established and it receives a new IP Address.




Preferred Provisioning method

For specifics I'll refer to the Best Practices document, but for the general steps to be followed specifically for the FQDN I'll provide the steps below.














  1. Image the system with the Operating System, including any post-imaging work to get the system configured. This includes rolling out software or scripts.

  2. Join the system to the Domain after it has its rightful identity. The computer name should be set. When the computer is joined to the domain, this will provide the valid operable FQDN.

  3. Install the Altiris Agent on the system. This provides the information for the FQDN in the Inv_AeX_AC_Location table.
    NOTE: If the Altiris Agent was part of the image, make sure the system sends Basic Inventory again after the system has been joined to the network to ensure we have the valid FQDN within the Altiris database.

  4. Ensure the Out of Band Discovery package is enabled and configured via the collection to go to all machines.
    NOTE: This step is essential because OOB Discovery will pick up the FQDN from the Basic Inventory and map it in the IntelAMT database. This screenshot shows where the data is located:

  5. Now if the hello message was sent before the above steps were completed, normally it will recover as long as the process completes before 24 hours have passed. 24 hours is the period of time the hello packets will be sent from the client. AMT will continue to send hello packets throughout the period UNTIL it is fully provisioned. This helps reestablish connection if the IP Address changes in the middle of the Provisioning process and the Server can't connect back up to the remote AMT system.


Preferred Provisioning Settings

Not all settings within Out of Band are FQDN friendly. The following items affect how Out of Band Management approaches provisioning.


  1. Resource Synchronization - Make certain this is enabled! A Disabled Resource Synch policy will halt Provisioning, greatly increasing the chance of FQDN problems when it is finally enabled.

  2. Use DNS IP resolution to find FQDN when assigning profiles - This option, under the Resource Synchronization policy, is typically unreliable. While this option allows for bare-metal provisioning or Agentless provisioning, it also is at the mercy of the DNS and DHCP environment. It is highly recommended NOT to use this option unless you fully trust your DHCP and DNS environment. Factors to consider are:

    1. IP Lease times - The lease times afforded systems may be short, increasing the possibility that when OOB fetches the FQDN via IP the lease will have expired and the wrong FQDN will be mapped.

    2. PXE or other auxiliary boots - Often these types of systems will obtain a different IP address from DHCP as their identity is not the same as when the system is booted to the OS.

  3. Intel AMT 2.0+ to Profile - This option allows a default Profile to be setup for Provisioning. Make sure you've created a default profile and set it in the Resource Synchronization policy. Without a profile Provisioning will not occur.

  4. Intel AMT requires authorization before provisioning - Under the General node within Provisioning, this option stops provisioning from occurring. The profile will not go down to the system until the system is selected, using the right-click to choose ‘authorize'. This can aggravate FQDN problems by delaying full provisioning.


FQDN Fixes

Invalid FQDN in IntelAMT

The first issue stems from a variety of causes. The issue is that in the IntelAMT database, shown under the Intel AMT Systems node under Provisioning for Out of Band Management, the FQDN is invalid. The causes vary, but here are a few we've seen:


  1. Reverse DNS IP Lookup is enabled - Unless your DHCP and DNS environment are rock solid, often IP Address leases expire, and other systems pick up the IPs that the AMT systems originally sent the Hello message with. When this occurs, the wrong FQDN is mapped.

  2. IP Leases short - Often the IP Lease length can create a problem acquiring the correct FQDN. This is especially a problem with TLS, as the FQDN is part of authentication using certificates.

  3. FQDN is incomplete - When a system is in setup mode, sometimes the mapped FQDN is not part of a domain, resulting in the Host Name only being set as the FQDN.





IMPORTANT! When the FQDN is invalid in the IntelAMT database, Resource Synchronization can have troubles matching resources with their correct counterparts in the Altiris database. Because of this, duplicates can emerge. If the checkbox in Resource Synchronization labeled: ‘Remove duplicate Intel AMT resources from Notification Server database' is checked, managed resources can get deleted from the Altiris database!





FQDN has Changed

Another not-uncommon occurrence is when a system changes identity. This can occur in a variety of ways, including:


  • The system has been reimaged

  • The computer name has been changed

  • The computer has been migrated to a new Domain

  • The system has switched subnets, resulting in a new FQDN





Regardless of the method, changing the FQDN on the system does not change it in the Intel ME or AMT firmware, and also does not change it within the Intel SCS component database (IntelAMT). When these are not synched up, it can cause problems when you need to manage the system via AMT when the computer is booted to the operating system. This is a particular problem when TLS is enabled and the provisioned certificate no longer matches the FQDN in Windows.





Issues Resolution

Since the Altiris Agent sends Basic Inventory daily by default, the Altiris database usually has a valid FQDN on record in the Inv_AeX_AC_location database table. We can run a query that will capture the correct FQDN from the Altiris database and insert it into the IntelAMT database, correcting any duplicate or invalid FQDN entries. This is the first step. The second step is to update the FQDN within AMT on the local systems. The following processes walk you through the resolution:




Update IntelAMT from Altiris

  1. Open up SQL Query Analyzer or Microsoft SQL Server Management Studio.

  2. Open a Query window within the database instance that contains both the Altiris database and the IntelAMT database.

  3. Run the following query, though for testing purposes you can omit the line 'COMMIT TRANSACTION' until you can verify the operation completed as expected. Once validated, run COMMIT TRANSACTION to complete the process:
         BEGIN TRANSACTION
         -- Copy the agent-reported FQDN from Altiris into IntelAMT, matching on UUID (dashes stripped)
         UPDATE intelamt.dbo.csti_amts SET fqdn = b.fqdn
         FROM (SELECT il.[Fully Qualified domain name] AS 'fqdn', REPLACE(oob.uuid, '-', '') AS 'uuid'
               FROM altiris.dbo.Inv_AeX_AC_Location il
               JOIN altiris.dbo.Inv_OOB_Capability oob ON oob._ResourceGuid = il._Resourceguid) b
         WHERE intelamt.dbo.csti_amts.uuid = b.uuid
         COMMIT TRANSACTION

  4. Done! The FQDNs now match between Altiris and IntelAMT.
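
Before running the update in step 3, a read-only preview shows which IntelAMT rows it would change and which UUIDs have conflicting sources. This is an added example, not part of the original article; it uses only the databases, tables and columns named in the article's query and assumes both databases are reachable from the same query window.

```sql
-- Added example: read-only checks to run before the UPDATE. Nothing here
-- modifies data. Table and column names are the ones in the article's query.

-- 1) IntelAMT rows whose FQDN is missing, is a bare host name, or differs
--    from what the Altiris Agent reported in Basic Inventory.
SELECT
    amt.uuid,
    amt.fqdn                         AS intelamt_fqdn,
    il.[Fully Qualified domain name] AS altiris_fqdn,
    CASE
        WHEN amt.fqdn IS NULL OR amt.fqdn = '' THEN 'missing'
        WHEN CHARINDEX('.', amt.fqdn) = 0      THEN 'host name only'
        ELSE 'differs from Altiris'
    END                              AS finding
FROM intelamt.dbo.csti_amts amt
JOIN altiris.dbo.Inv_OOB_Capability oob
    ON REPLACE(oob.uuid, '-', '') = amt.uuid
JOIN altiris.dbo.Inv_AeX_AC_Location il
    ON il._ResourceGuid = oob._ResourceGuid
WHERE amt.fqdn IS NULL
   -- COLLATE avoids a collation-conflict error if the two databases differ
   OR amt.fqdn <> il.[Fully Qualified domain name] COLLATE DATABASE_DEFAULT
ORDER BY finding, altiris_fqdn;

-- 2) UUIDs that map to more than one FQDN on the Altiris side. For these,
--    UPDATE ... FROM picks one candidate arbitrarily, so resolve them by
--    hand before copying anything into IntelAMT.
SELECT
    REPLACE(oob.uuid, '-', '')                        AS uuid,
    COUNT(DISTINCT il.[Fully Qualified domain name]) AS candidate_fqdns
FROM altiris.dbo.Inv_OOB_Capability oob
JOIN altiris.dbo.Inv_AeX_AC_Location il
    ON il._ResourceGuid = oob._ResourceGuid
GROUP BY REPLACE(oob.uuid, '-', '')
HAVING COUNT(DISTINCT il.[Fully Qualified domain name]) > 1;

-- 3) Altiris-side FQDNs that are themselves bare host names. Copying these
--    would replace one incomplete FQDN with another.
SELECT
    REPLACE(oob.uuid, '-', '')       AS uuid,
    il.[Fully Qualified domain name] AS altiris_fqdn
FROM altiris.dbo.Inv_OOB_Capability oob
JOIN altiris.dbo.Inv_AeX_AC_Location il
    ON il._ResourceGuid = oob._ResourceGuid
WHERE CHARINDEX('.', il.[Fully Qualified domain name]) = 0;
```

Rows returned by the first query are the ones the update will touch; rows returned by the second or third need attention on the Altiris side first.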


Update FQDN on local AMT

  1. It is recommended to follow these steps in batches so as to not overwhelm the Intel SCS component. Perhaps run this against 100 systems at any one time, or run it against those systems you know have been updated. While it doesn't hurt to run this against systems that didn't have the FQDN changed from the above process, it is unnecessary if you are able to target those systems with invalid FQDNs.
    Note: This process assumes that the system can be reached via the SCS using the new FQDN supplied by Altiris. For TLS there may be complications we have not foreseen.

  2. In the Altiris Console browse under View > Solutions > Out of Band Management > Configuration > Intel AMT Systems > and select the Intel AMT Systems node.

  3. Select one or more systems you need to update the local AMT FQDN on.

  4. Right-click and choose the ‘Re-provision...' option.

  5. Check the Action status node under Provisioning > Logs > Action Status for messages concerning the Re-provision attempts. You can also check the Log node for errors.

  6. Done! The systems, when reprovisioned, should have the correct FQDN planted by the IntelAMT database entry that was updated from the Altiris database.



Use this article to resolve your FQDN issues to ensure AMT functionality is available when it is needed. The above process has been verified, though not all potential environmental issues have been explored. It is advised to test the process in your environment before implementing on a wide scale.

As many of you may know, there are two ways of contacting Intel AMT: the remote network interface and the local LMS/HECI interface. These interfaces are very different; the remote interface is available through the wired and sometimes wireless Ethernet and is rich with features, while the local Intel AMT interface is very limited. Intel AMT was designed this way from the start for security. Intel AMT, acting as an IT agent on desktops and laptops, could not be allowed to be meddled with by the local user or local applications that could try to use or deactivate Intel AMT. That at least was the original design intent.


Times have changed, it seems, and many users of Intel AMT don’t see local users and applications as being always hostile. There are many reasons why it would be very interesting to access all of the features of Intel AMT locally. For example:


  • If the user changes the name of the computer in the OS, it would be nice to have a local agent sync up the Intel AMT network with the OS name automatically. This way, when the computer goes to sleep next, Intel AMT will report the correct new name.

  • Circuit breaker policies could be used as a local firewall implemented in hardware. Set it once and the gigabit network chip does all the filtering and counters at gigabit speeds.

  • On a mobile platform, wireless profiles could also be synched up automatically. The user adds  a new wireless profile with a WPA key and this profile is automatically  added to Intel AMT.

  • Enterprise provisioning of Intel AMT could be done entirely locally using local software removing the need for complicated centralized  servers.


Instead of seeing the local user as hostile, local applications now cooperate to set up Intel AMT so that if something goes wrong, it’s ready to be used to recover the computer. All this and more would be possible if Intel AMT allowed local applications full access to all the remote interface features.


A local application can’t simply connect to TCP port 16992 or 16993 and access all of the Intel AMT features since the traffic has to flow thru the gigabit network interface. Connecting to will not work, that will access the more limited local interface.


A solution is to use a reflection application like the Intel DTK Network Reflector found in the Intel AMT DTK. This tool runs on a central, always-on server and simply reflects all TCP connections back to the source on ports 16992 to 16995. Using this tool, an Intel AMT console or even a web browser can connect to "http://reflector:16992" and log into its own Intel AMT remote services. However, there are issues with this solution: you need this reflector tool running and need to know where on the network it is running. Also, a rogue application could log into the remote interface and put in an annoying circuit breaker policy to drop all packets, etc.


In the future, Intel AMT itself could be modified to allow all services on the local interface removing the need for the reflector. There are security considerations of course, but feedback from users of Intel AMT on this idea would be appreciated.


Ylian (Intel AMT Blog)

While at MMS, Microsoft System Center Configuration Manager Program Manager Dave Randall demonstrated how Intel vPro Technology enhances Microsoft System Center Configuration Manager 2007 SP1. The videos below include demonstrations around secure remote power control, remote diagnosis and repair of troubled PCs, discovery of PC assets, and remote configuration.


1)   Video demonstration of hardware-assisted Secure Remote Power Control:





2)   Video demonstration of hardware-assisted Remote Diagnosis and Repair: 





3)   Video demonstration of hardware-assisted Discovery of PC Assets:




4)   Video demonstration of Remote Configuration of Intel vPro technology:





Click here to learn more about the combination of Microsoft System Center 2007 products with Intel vPro technology:

While at MMS, we had the opportunity to talk with D.C. Tardy, System Architect at EDS. He talked about the Return On Investment of Intel vPro technology, including a Canadian Call Center case study that returned a savings of almost $750,000 across 3 years. He also talked about the combination of System Center Configuration Manager with Intel vPro technology.




To see more videos from MMS 2008, go to

At MMS, we had Brad Anderson, General Manager of Microsoft Management and Services Division, and Gregory Bryant, Intel VP and General Manager of the Digital Office Platform Division, answer some questions about the new capabilities in System Center Configuration Manager 2007 SP1 with Intel vPro technology.  See their responses below.


1) How does Intel vPro Technology fit into System Center Configuration Manager 2007 SP1?





2) What can IT expect in terms of the level of integration of Intel vPro Technology into System Center Configuration Manager 2007 SP1?




3) Why should IT now take advantage of Intel vPro Technology and System Center Configuration Manager 2007 SP1?




4) When should enterprises activate Intel vPro Technology with System Center Configuration Manager 2007 SP1 in their PC infrastructure?




5) Last, we asked a series of questions about System Center Configuration Manager 2007 SP1 Support for the Current Generation of Intel vPro Technology with WS-MAN Support, as well as with Legacy Generations of Intel vPro technology.




To see more videos, demonstrations, interviews and more from MMS 2008, go to


The Task Server contains AMT function tasks that give you the ability to integrate AMT functionality into Task Server Jobs. This allows you to use AMT in conjunction with Software Delivery, Scripting, and any other Task Server supported function. Understanding how to troubleshoot the AMT side of a Task Server job will help resolve issues so that AMT can be utilized. This includes the following technologies:



  • System Defense - Network Filtering

  • Reliable Power Management

  • IDE redirect for boot redirection



This is the concluding article for the series: Troubleshooting the Altiris Manageability Toolkit for vPro Technology. The first four articles covered the setup and configuration of AMT systems, while parts 5 and 6 covered RTCI and RTSM respectively. This final article discusses troubleshooting the AMT integration into Task Server when issues arise.






As an introduction, the actual SOAP or API calls made to the AMT system are invoked through Real-Time Console Infrastructure, the same as when they are invoked through the Real-Time tab for RTSM. Though the calls come from the same place, how those calls are made differs. The following subjects will be covered:



  • Determining Cause of Failure

  • AMT Detection Issues

  • Authentication Issues


Determining Cause of Failure

Often you'll know the general symptom that tells you a job or task in Task Server didn't execute as expected. For example, a power management task may show as run even though the AMT system never woke up. A failure is not shown except deep within a series of status windows.






To determine the returned error, use the following steps. Task Server's actual failure code is buried deep in a series of status windows, as shown in the screenshot after the steps.



  1. Under the Task or Job that failed, double-click on the general status row for the specific execution attempt.

  2. If within a job, double-click on the line that represents the task or AMT function that failed.

  3. Note the numbers of successes versus failures. Click the ‘View Report' link.

  4. Now you'll get a grid with the status of the Task, including the status and return code, if present.





AMT Detection Issues

When Task Server reaches a Task that involves AMT, it makes direct calls to AMT in those systems targeted in the task or job. Detecting AMT and subsequently executing the scheduled function requires success at both junctures. The following sections discuss potential issues and solutions in this process.




Power State Unknown

One common problem we see is a power management task failing with the message: Generic error, FromState detected as unknown:14. This will cause the power action to fail. The causes vary, but the following list contains the most common:


  • System unreachable - The target system is not available on the network

  • AMT failed to be detected - See the subsequent section ‘AMT not detected'

  • Authentication failed - See the subsequent section ‘Authentication Troubleshooting'

  • AMT is unavailable - If a system is not provisioned, or AMT is not functioning on that system





Use the following process to determine what the issue is:



  1. If RTSM is available, try connecting to the target system using RTSM, specifying the same credential profile.

  2. If that fails, try manually putting in credentials until you find one that works.

  3. If Step 1 succeeds, try creating a different connection profile with only AMT functions provided.

  4. If no RTSM is available, still try the profile with only AMT functions to see if it works.

  5. Try other AMT functions, such as Collect Intel AMT Inventory to see if they succeed.

  6. If other functions succeed, try using another method to reboot the system to reset the power state stored in the Intel ME. One way to accomplish this is using the Task Server Power Management Agent to send down a standard reboot command to the PC.

  7. If no other AMT functions are successful, AMT might not be properly setup on this system. Ask the question: Has this system gone through the provisioning process?

  8. If unknown, use the Out of Band Discovery Task to see if AMT is available and to identify what state it is in. See the steps provided under the ‘AMT Not Detected' section following.

  9. If all else fails, try reprovisioning the system by fully unprovisioning it and going through the provisioning process again. This is generally needed on a system-by-system basis; rarely does a whole collection of systems encounter the issue at this level.


AMT Not Detected

Normally a non-vPro system will receive the return code that AMT was not detected. This is accurate, but when it happens to valid managed vPro systems, the issue must be troubleshot to determine why the applying Task Server cannot detect AMT on the system. Out of Band Discovery is a great way to determine what state the system is in. Use the following steps to take stock of the systems:


  1. In the Altiris Console, browse to View > Solutions > Out of Band Management > Configuration > Out of Band Discovery > and select the ‘Out of Band Discovery' policy.

  2. Enable the policy if it is not yet enabled. If it is enabled, set a schedule to run the discovery again so you have updated information on your systems.

  3. On the AMT system in question, go to the Altiris Agent and bring up the Agent UI by double-clicking on the system tray icon or by launching C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe.

  4. Highlight the ‘Out of Band Discovery Package'.

  5. Click the ‘Out of Band Discovery' link under Application Tasks.

  6. Once completed, check back at the server and double-click the system within a collection to bring up Resource Manager.

  7. Click on the Inventory tab and browse to Out of Band Management, and select the data class OOB Capability. This will give you the details of AMT.





If AMT is disabled, it needs to be enabled in the BIOS. A BIOS update from the vendor may provide you a remote way to enable AMT, by using Software Delivery for example. If it is all enabled, next check the provisioning status. Provision as necessary.





Authentication Issues

As with RTSM, Task Server uses the same basic authentication method when executing against a computer. Task Server also includes another option to add additional credentials to the execution to be used when contacting the protocol, which is AMT in this case.




Authentication Methods

Since RTCI controls the authentication, much the same method is used whether an AMT command is issued from the Real-Time console or from Task Server; however, there are some differences.


Runtime Profile - The Runtime profile contains the following information:



  • All known good credentials used to connect via RTSM to a system

  • The Intel SCS AMT password sent to systems when provisioning occurs

  • Previously successfully used credentials from past RTSM sessions

  • Previously successfully used credentials from a Task that succeeded


User-defined Profiles - Profiles can be created that specifically provide credentials for the four types of technologies:


  • WMI digest or Domain account

  • AMT digest or Kerberos-authenticated user

  • ASF digest or Domain account

  • SNMP community strings


Task-specified Credentials - When a user sets up a job or task, the user can specify the credentials to be used when executing AMT-related functions through the profile interface. This option is per job or task, and applies to all AMT functions invoked during the job or task. The interface allows this as shown in the following screenshot:






Authentication Troubleshooting

The following method will help identify issues and offers workarounds and solutions. These have been compiled through experience troubleshooting failed authentication with Task Server.


  1. First, how do you determine if your task or job is failing due to authentication? Use the previous section under Introduction labeled ‘Determining Cause of Failure'.

  2. In the Altiris Console browse to View > Solutions > Real-Time Console Infrastructure > Configuration > select Manage Credentials Profiles, or in the Task click the ‘Run Now', and on the subsequent page click on the pencil icon next to the credential profile being used.

  3. Where does the green checkmark fall? This is the default profile that will be used when connecting via a Task Server task.

  4. Create a new profile by clicking the blue + on the icon bar in the right-hand pane.

  5. Under the Intel® AMT tab check the box ‘Enable this technology in the profile'.

  6. Supply the admin user credentials set when the managed vPro systems were provisioned.

  7. Under the WMI tab also check the box as above and provide a user that has admin privileges to the target system.

  8. Give the profile a name and then save it.

  9. Back at the main screen check the box under the ‘Default' column until the green check-mark uses your new Profile, or if you are in a job interface select the profile to be used for the run. Note that this does not require you to make it the default profile, allowing another profile to remain the default credentials.

  10. Run the task or job to see if the authentication failure has been resolved.

  11. If it is not, try rerunning with the Runtime Profile. This contains all known good authentication attempts to the system from either Task Server or RTSM.

  12. In one case we supplied only AMT credentials in the Profile which allowed it to authenticate to AMT while a multiple protocol authentication profile failed. If your Task or Job does not contain any of the other protocols, this is recommended.



This concludes the Troubleshooting article series for the Altiris Manageability Toolkit for Intel vPro Technology, version 6. While this doesn't cover all issues, it should resolve most of the common issues we've seen.

While at MMS, Brad Anderson, General Manager of Microsoft Management and Services Division, and Gregory Bryant, Intel Vice President and General Manager of the Digital Office Platform Division, talked with executives from Fortune 5000 companies about the benefits of Microsoft System Center Configuration Manager 2007 with Intel vPro Technology.  Watch the video below that highlights this discussion.





To see more interviews and other videos from MMS, go to


Formerly known as Web Admin for Windows, Real-Time System Manager provides a powerful set of functions for IT specialists. In part 5 of this article series we covered the main points for Real-Time Console Infrastructure troubleshooting. As a natural extension of RTCI, Real-Time System Manager troubleshooting is covered in this article as part 6. With an emphasis on credentials and connection methods, this article provides information to overcome the most common issues seen when using the Real-Time tab for direct, one-to-one computer interaction.






Real-Time System Manager provides a powerful tool for directly connecting to a system agentlessly with functionality available through WMI and Intel AMT. This article covers the issues associated with general functions seen with both technologies but with emphasis on the AMT functions. The following sections cover areas of troubleshooting:


  • Connection Issues

  • Authentication Issues

  • IDE Redirect (IDER)

  • Network Filtering


Connection Issues

Under the current architecture the FQDN is the primary method for connecting and authenticating to AMT on remote systems. If the FQDN the Real-Time tab is using does not resolve in DNS, then AMT connectivity and thus functionality will not be available. FQDN connectivity issues are the number one issues we see with RTSM connections to AMT.




Invalid FQDN

To view what FQDN the Real-Time is using, use the ‘Hardware Management' node in the RTSM tree. The following screenshot shows what AMT is using:








In this example my system is in a workgroup and reported only the hostname as the FQDN, which DNS had no trouble resolving. If this FQDN is not reachable via DNS, we won't be able to connect to the AMT functionality.



NOTE: We use several methods, including IP address, for WMI. WMI functionality may show correctly when AMT is absent in this situation.







Use these steps to see whether the FQDN is the issue:



  1. Open the Real-Time tab for the AMT system you are managing.

  2. Once the tree loads, open the Real-Time System manager folder, open Administrative Tasks, and click on ‘Hardware Management'.

  3. Once the page loads, if AMT is missing as an available technology, take note of the name displayed as in the screenshot above.

  4. Go to Start, Run, type in cmd, and click OK.

  5. Type in nslookup <name displayed>. In the above example it would read:

    1. Nslookup dellvpro

  6. Can DNS resolve this address? If no, we'll need to fix the issue in one of the following ways.

  7. FIX DNS and/or the Altiris record: If DNS can be fixed, this is the preferred method. The difficulty is finding out why the Altiris Agent reported the incorrect record. Once DNS is fixed, have the Altiris Agent run Basic Inventory. The table location we pull this out of for management in RTSM is Inv_AeX_AC_Location, column: .

  8. Use the ‘Manage' node available in RTSM (see the below screenshot): By putting in the IP address of the system, we'll use the IP to lookup the FQDN and not make any assumptions.

  9. Update the Servers HOSTS or LMHOSTS files to contain the mapping to the invalid name. For example find the LMHOSTS file, edit it and add a line <IP ADDRESS> <FQDN>, as in this example:

    1. Dellvpro


Real-Time unable to connect

If WMI and AMT functions are unavailable, you'll get a message when you click on the Real-Time tab indicating that the functionality isn't available. See the following screenshot:




Note: If you use another product such as Dell or HP's plug-ins to this tab, you'll simply not have the ‘Real-Time System Manager' node underneath Real-Time Consoles.







The number one reason this occurs is due to a firewall being engaged. Firewalls need to allow AMT traffic through. If a firewall is enabled, use the following details to resolve the AMT issue:



  1. Create an inclusion in the firewall properties.

  2. Allow the following ports, based off your environment:

    1. 16992 - For non-TLS encrypted traffic - if you are not using TLS this is the port that will be used for communication

    2. 16993 - For TLS-enabled, encrypted AMT traffic - If https is required for communication with AMT, this port will be used

    3. 16994 - For a note, AMT provisioning uses this port for sending out the ‘hello' packet during the configuration process - this will be used if you initiate a reprovision from RTSM

  3. Another option is to disable the firewall when you need to manage the system via RTSM.

  4. Unfortunately WMI has a known issue with the Windows firewall where the dynamic ports WMI uses after initiation will be blocked. It's a bug in WMI that has been addressed in Vista. Previous Operating Systems do not have a resolution at this time.





The other issue we've seen is where the system is simply unavailable for one reason or another. AMT remains available when the system is off but still connected to the network, whereas WMI does not. If the system is unplugged from power or off the network, RTSM obviously cannot function. Verify that the system is available if nothing else resolves this issue.
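The name-resolution and firewall checks from this section can be scripted. The following is an added example in Python, not part of the original article or of the Altiris tooling: it resolves the name RTSM is using and probes the two AMT management ports listed above, then says which of the fixes applies. The stand-in resolver and connector, the 192.0.2.x addresses and every host name except dellvpro are constructed so that it runs offline.

```python
import socket

# The two AMT management ports from the firewall list above.
AMT_PORTS = {16992: "non-TLS", 16993: "TLS"}


def resolve(name, resolver=socket.getaddrinfo):
    """Return the addresses DNS gives for `name`, or [] if it does not resolve."""
    try:
        infos = resolver(name, None)
    except (socket.gaierror, UnicodeError):
        return []
    return sorted({info[4][0] for info in infos})


def port_open(address, port, connector=socket.create_connection, timeout=3.0):
    """True if a TCP connection to address:port is accepted within `timeout`."""
    try:
        conn = connector((address, port), timeout)
    except OSError:  # refused, filtered (timed out) or unreachable
        return False
    conn.close()
    return True


def triage(name, resolver=socket.getaddrinfo, connector=socket.create_connection):
    """Classify why the Real-Time tab may not reach AMT on `name`."""
    result = {"name": name, "addresses": resolve(name, resolver), "open_ports": []}
    if not result["addresses"]:
        result["verdict"] = "dns-failure"
        result["next_step"] = ("Fix the DNS record and rerun Basic Inventory, use the "
                               "'Manage' node with the IP, or add a HOSTS/LMHOSTS entry.")
        return result
    result["open_ports"] = sorted(
        port for port in AMT_PORTS
        if any(port_open(addr, port, connector) for addr in result["addresses"])
    )
    if not result["open_ports"]:
        result["verdict"] = "blocked-or-offline"
        result["next_step"] = ("Name resolves but neither AMT port answers: check the "
                               "firewall exceptions, power and network, and provisioning.")
    else:
        modes = ", ".join(AMT_PORTS[p] for p in result["open_ports"])
        result["verdict"] = "amt-reachable"
        result["next_step"] = ("AMT answers (%s); a remaining failure points to "
                               "authentication." % modes)
    return result


# --- Constructed stand-ins so the example runs offline (not real hosts) ---
CONSTRUCTED_DNS = {"dellvpro": "192.0.2.10", "filtered-pc": "192.0.2.20"}
CONSTRUCTED_LISTENERS = {("192.0.2.10", 16993)}


def constructed_resolver(name, port):
    """Mimics socket.getaddrinfo for the constructed names only."""
    if name not in CONSTRUCTED_DNS:
        raise socket.gaierror("constructed: name not found")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (CONSTRUCTED_DNS[name], 0))]


class ConstructedConnection:
    def close(self):
        pass


def constructed_connector(address, timeout):
    """Mimics socket.create_connection: only the constructed listener accepts."""
    if address not in CONSTRUCTED_LISTENERS:
        raise ConnectionRefusedError("constructed: nothing listening")
    return ConstructedConnection()


if __name__ == "__main__":
    for host in ("dellvpro", "filtered-pc", "stale-record"):
        r = triage(host, constructed_resolver, constructed_connector)
        print(r["name"], r["verdict"], r["open_ports"], "-", r["next_step"])
```

Calling triage(name) with no other arguments uses the real resolver and real TCP connections from the machine it runs on, so run it on the Notification Server to see what RTSM sees.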





Authentication Issues

Another common issue concerns authentication to the system via the Real-Time tab. First, let me discuss the methods RTSM uses to authenticate to a target system.




Authentication Methods

Runtime Profile - The Runtime profile contains the following information:


  • All known good credentials used to connect via RTSM to a system

  • The Intel SCS AMT password sent to systems when provisioning occurs

  • Previously successfully used credentials from past RTSM sessions


User-defined Profiles - Profiles can be created that specifically provide credentials for the four types of technologies:


  • WMI digest or Domain account

  • AMT digest or Kerberos-authenticated user

  • ASF digest or Domain account

  • SNMP community strings


Manually entered credentials - When RTSM tries to connect, if the default profile set in the RTCI configuration fails to authenticate, the left-hand tree will still load but each node will prompt the user for credentials. A user can put in an AMT account, Domain user, or digest user that has rights on the target system. When authentication succeeds, these credentials are then stored in the Runtime Profile for the target system.




Troubleshooting Authentication

The following method will help identify issues and offers workarounds and solutions. These have been compiled through experience troubleshooting failed authentication with RTSM.


  1. In the Altiris Console browse to View > Solutions > Real-Time Console Infrastructure > Configuration > select Manage Credentials Profiles.

  2. Where does the green checkmark fall? This is the default profile that will be used when connecting via the Real-Time tab.

  3. Create a new profile by clicking the blue + on the icon bar in the right-hand pane.

  4. Under the Intel® AMT tab check the box ‘Enable this technology in the profile'.

  5. Supply the admin user credentials set when the managed vPro systems were provisioned.

  6. Under the WMI tab also check the box as above and provide a user that has admin privileges to the target system.

  7. Give the profile a name and then save it.

  8. Back at the main screen check the box under the ‘Default' column until the green check-mark uses your new Profile.

  9. Test to see if this new profile is successful. Note that you'll need to launch IE fresh to use the new settings.

  10. If it is not, try entering credentials in manually when you hit the system under the Real-Time tab. See the screenshot below for the connection icon to switch between WMI and AMT authentication. If two show in this area, both technologies are available but not authenticated.

  11. In one case we supplied only AMT credentials in the Profile which allowed it to authenticate to AMT while a multiple protocol authentication profile failed.

  12. Check the collection you are launching Resource Explorer from. Sometimes the identity of the system is incorrect. For AMT you can launch RTSM from the Provisioned collections populated with the Resource Synchronization.


IDE Redirect (IDER)

IDE Redirect allows a system to be remotely booted to a file, drive, or virtual disc. There are a number of potential issues to be aware of when working with IDER in a vPro environment. The below items include well-known issues and their resolutions.




Redirection Invalid Parameter

When initiating an IDER (IDE Redirect) session to an external source such as an .iso file, the following error appears in the console:






Power management operation failed.

Redirection session start has failed. See logs for more details.







The Notification Server log shows the following error:







Log File Name: C:\Program Files\Altiris\Notification Server\Logs\a.log

Priority: 2

Date: 3/9/2007 2:51:05 PM

Tick Count: 10617218

Host Name: <>

Process: w3wp.exe (2436)

Thread ID: 5412

Module: AltirisNativeHelper.dll

Source: RTCI.Trace

Description: RedirectionProvider::StartIDER - RedirectionProvider::StartIDER - IMR_IDEROpenTCPSession: IMR_RES_INVALID_PARAMETER







This is caused by Intel's redirection library requiring a correct floppy device (either a floppy image or a real removable device) to initiate an IDER session. Real-Time System Manager 6.2 can work around this: if you put a floppy.img file into the Program Files\Altiris\RTSM\UIData folder, the issue will not occur.
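To find this failure without paging through the log by hand, the entry above can be matched mechanically. The following is an added example in Python, not part of the original article or of the Altiris product: it parses records in the field layout shown above and reports IDER start failures together with the workaround the article gives. It assumes the log text is available in that "Field: value" layout; the second sample record, including its module and source names, is constructed.

```python
import re

# The record from the article (Host Name is blank there) followed by one
# constructed, unrelated record so the filter has something to skip.
SAMPLE_LOG = r"""
Log File Name: C:\Program Files\Altiris\Notification Server\Logs\a.log
Priority: 2
Date: 3/9/2007 2:51:05 PM
Tick Count: 10617218
Host Name: <>
Process: w3wp.exe (2436)
Thread ID: 5412
Module: AltirisNativeHelper.dll
Source: RTCI.Trace
Description: RedirectionProvider::StartIDER - RedirectionProvider::StartIDER - IMR_IDEROpenTCPSession: IMR_RES_INVALID_PARAMETER

Log File Name: C:\Program Files\Altiris\Notification Server\Logs\a.log
Priority: 4
Date: 3/9/2007 2:52:10 PM
Tick Count: 10682301
Host Name: <>
Process: w3wp.exe (2436)
Thread ID: 5412
Module: ExampleModule.dll
Source: Example.Source
Description: constructed informational entry
"""

FIELDS = ("Log File Name", "Priority", "Date", "Tick Count", "Host Name",
          "Process", "Thread ID", "Module", "Source", "Description")
# Only the known field names start a field, so a colon inside a wrapped
# description line is not mistaken for a new field.
FIELD = re.compile(r"^(%s):\s?(.*)$" % "|".join(map(re.escape, FIELDS)))
RESULT_CODE = re.compile(r"\bIMR_RES_[A-Z_]+\b")

# Workaround text taken from the article; other result codes get no hint.
HINTS = {
    "IMR_RES_INVALID_PARAMETER": (
        "Redirection library needs a floppy device: put floppy.img in "
        r"Program Files\Altiris\RTSM\UIData (RTSM 6.2 workaround)."),
}


def parse_records(text):
    """Split the log text into one dict per record, keyed by field name."""
    records, last_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = FIELD.match(line)
        if match and match.group(1) == "Log File Name":
            records.append({})          # every record starts with this field
        if not records:
            continue                    # text before the first record
        if match:
            last_key = match.group(1)
            records[-1][last_key] = match.group(2).strip()
        elif last_key:
            records[-1][last_key] += " " + line   # wrapped value
    return records


def ider_failures(records):
    """Return RTCI trace records where StartIDER reported an IMR_RES_* code."""
    findings = []
    for rec in records:
        description = rec.get("Description", "")
        if rec.get("Source") != "RTCI.Trace" or "StartIDER" not in description:
            continue
        code = RESULT_CODE.search(description)
        if code is None:
            continue
        findings.append({
            "date": rec.get("Date", ""),
            "process": rec.get("Process", ""),
            "code": code.group(0),
            "hint": HINTS.get(code.group(0), "No workaround recorded for this code."),
        })
    return findings


if __name__ == "__main__":
    for finding in ider_failures(parse_records(SAMPLE_LOG)):
        print(finding["date"], finding["process"], finding["code"])
        print("  ->", finding["hint"])
```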





IDER or SOL Disabled

In some instances Intel vPro systems are arriving from the OEM with IDER and SOL disabled in the BIOS. When disabled, neither of these functions work from any management engine, including RTSM. Correcting this oversight is not easy, especially if the OEMs do not offer a solution by a firmware or BIOS update. Use the following method to resolve the issue:


  1. Go to the Support site for the OEM for the systems.

  2. Browse to the drivers and downloads section for the exact model (note that sometimes the model will differ based on possessing or not possessing vPro technology).

  3. Check the firmware updates for a new BIOS.

  4. Check the documentation for any new BIOS versions that include vPro to see if they've corrected this.

  5. Contact your OEM if they have not and request a status!

  6. The only other recourse is to develop an update yourself or manually update the settings by visiting the system.



This should account for the most common issues we've seen, and allow you to successfully use RTSM with AMT technology, avoiding those issues.

Have you seen the Network World article on Intel vPro technology?


Take a look at the article "Wanted for dead or Alive PCs: Intel vPro technology".

I have recently posted a resource pertaining to SCCM SP1 and Out of Band Management.


  1. SCCM SP1 Help file - This is the help file that ships with SCCM SP1 RC1. It is a great resource to use to get all of the details specific to SCCM, and it has a section devoted to Out of Band Management.


Last week Intel sent me to Israel for an Intel only gathering of engineers, architects and specialists that work on Intel AMT. I was honored to attend and also to be a speaker talking about the progress made with the DTK. First of all, I want to thank all of the people in Intel Israel for making this trip a great success. I also got to hear about many DTK success stories and it made all of the hard work worth it. I was especially surprised with the DTK’s success in Asia, but also all over the world. I am still not sure if it’s the tutorial videos, the translations or what.


In addition to the meetings, we had a great time visiting the old city of Jerusalem, the Dead Sea and later on my own the city of Elat and Petra in Jordan. I got some of the most wonderful pictures and uploaded some on Google servers here:




These pictures cover the 10 days of my trip, starting with the old city then me playing in the mud and floating in the Dead Sea and finishing with my visit to Jordan. Jordan was probably the highlight of this trip, there is something just odd about traveling in this vast desert and realizing that I was in the country that had a common border with Iraq. For most of us in the US, it seems so distant. The city of Petra in Jordan has unique sand stone carvings in the walls. Some people will also notice that the Indiana Jones movie was filmed at this location. Petra was named one of the new 7 wonders of the world and as a result got a surge in tourism. It’s a wonderful place, hot and laid back.




Most people travel by air from Jerusalem to Elat and Jordan, but I opted to take the bus. It’s a 4 and a half hour trip thru amazing scenery. It’s also inexpensive, about 12 to 15$ and much more convenient than by airplane. I will say that except for the bus, everything was very expensive in US dollars. It’s a shame the dollar is so weak, I don’t expect to make many of these trips.




Last week was the holocaust memorial day in Israel and I happened to visit the Wailing Wall with some of my Intel co-workers just as 1000’s of people were attending a ceremony that was being broadcast live on TV. One of my pictures shows all the people at the wall.




The Dead Sea was really amazing, it’s so saturated with salt that you simply float. This sea is the lowest point on Earth I am told, it’s 1,378 feet below sea level. Your ears pop on the way there as the air pressure increases. As pressure increases so does the temperature which will often be 10 degrees hotter than Jerusalem. The Dead Sea is well known for the Dead Sea salts used as skin treatment. It also gave me a great excuse to play in the mud! You let it dry and wash it off to wonderful skin… but it’s also just loads of fun.




To sum it up, this 10 day trip was simply amazing. In addition to meeting many people who use the DTK, I also got to see and experience some unique places I will never forget.




Ylian (Intel AMT Blog)



One of the great features of SCCM SP1 is the ability to provision vPro Clients through the SCCM SP1 client agent.  This allows for vPro clients to be deployed in an unprovisioned state and then later provisioned via the client agent once the client agent has been deployed using in-band methodologies.


Before Client Agent provisioning can occur, there are a couple of configuration steps you need to do within SCCM SP1.  First, it is recommended that you create a new collection that will house your vPro clients that have been discovered and are in an unprovisioned state.  It is viable to use the "All Systems" collection to set the policy for automatic provisioning via the client agent; however, it is not advised.


To create a new collection...

  1. Right Click on Collection, and select "New Collection"

  2. When the "New Collection" window appears, enter in a Collection Name.  Something like "Unprovisioned vPro Clients" is recommended.  Fill in the comment field appropriately and click "Next"

  3. When the "Membership Rules" appear, click on the "Query Rule Properties" (it is the Database icon)

  4. In the "Query Properties", enter in a name something similar to "Unprovisioned vPro Client Query" and then click "Edit Query Statement..."

  5. When the Query Properties appear, click "Show Query Language"

  6. In the Query Statement textbox, type in the following: Select * from sms_r_system where AMTStatus=2
                This will pull all the clients that are vPro capable and in an unprovisioned state

  7. Once completed, click "OK" and "OK" again on the Query Rule Properties.  When returned to the "Membership Rules" screen, click "Next"

  8. Add any desired advertisements and click "Next"

  9. On the "Security" screen, add any appropriate users or groups and click "Next".

  10. On the Confirmation screen, click "Close".


You should now see your new Collection in the collection list.  The next step is to configure this collection so that vPro Clients in the collection are automatically provisioned.

  1. Right Click on the "Unprovisioned vPro Clients" collection and select "Modify Collection Settings".

  2. In the Settings windows, click on the "Out of Band" tab.

  3. Check the checkbox "Enable Automatic out of band management controller provisioning" and click "OK"


It is also recommended that you add the "AMT Status", "AMT Version" and "Automatic AMT Provisioning" columns to the collection for easier troubleshooting. 


To do so...


  1. Select the "Unprovisioned vPro Client" collection and right click in the open white space

  2. When the context menu appears, select "View" -> "Add/Remove Columns"

  3. When the "Add/Remove Columns" screen appears, add "AMT Status", "AMT Version", and "Automatic AMT Provisioning" to the collection view.  Click "OK" when finished.


This collection is now set up so that any vPro client in the collection will be automatically provisioned through the SP1 client agent.  With the collection defined, you can use any of the client discovery methods that SCCM SP1 provides (AD System Group, AD Security Group, AD System, AD User, Heartbeat, or Network) to discover the client.  If you decide to use Network discovery, you can also check the checkbox on the "General" tab to "Enable Discovery of out of band controllers"; by doing so it will also check to see if the client is vPro capable.  After you run the discovery method and update the collection (either manually or via scheduled policies), you should now be able to see the client in the "All Systems" Collection.


Now that the clients have been discovered by SCCM, you will need to perform a "Discover Management Controller" to see if any of them are vPro capable.  On the "All Systems" right click and select "Out of Band Management" -> "Discovery Management Controller".  This will scan through your collection and validate which clients are ready to be provisioned.


After a few minutes, depending on the size of your collection, you can update your collection membership by right click on "Collections" and select "Update Collection Membership".  If you now refresh your "Unprovisioned Vpro Clients" collection, you should see a list of unprovisioned vPro clients ready to be provisioned.  The AMT Status of the client should be listed as "Not Provisioned".


Depending on your SCCM SP1 Client Pulling schedule, it may take a few hours for the client agent to pull down the new provisioning policy.  You can, however, force the policy to be refreshed earlier by opening the Configuration Manager Properties within the client's Windows Control Panel and selecting the "Action" tab.  Once in the Action Tab, select "Machine Policy Retrieval & Evaluation Cycle" and click "Initiate Action".  For instructions on how to deploy the SCCM SP1 client agent, please reference the SCCM SP1 Help and look for the “Overview of Configuration Manager Client Deployment” article.


After the provisioning has occurred, the vPro Client will be removed from the newly created "Unprovisioned vPro Clients" collection and its "AMT Status" will be listed as provisioned.


Similar to provisioning via the Out Of Band Wizard, you can track the progress of the provisioning process through the SCCM Out Of Band reports or for more detail amtopmgr.log.  There is also the oobmgmt.log on the client machine that will track the Agent based provisioning process.


Another clarifying note is that once the SCCM SP1 Agent is installed and acknowledged by SCCM, the Client Agent initiated provisioning is the only provisioning method supported; SCCM will ignore any vPro hello packets it receives from the client.  Also, the vPro client must be in an unprovisioned state for the Agent based provisioning to occur.


Here is a video that goes over the high level process


I've been getting quite a few questions recently regarding provisioning. Many folks are confused when it comes to what type of provisioning works with which versions of AMT and I'm hoping that this post will help to clear up some of that confusion.


Currently, there are two types of provisioning, PKI (Protected Key Infrastructure) and PSK (Pre Shared Key). For those who are not familiar with what is involved with these two types of provisioning, PKI involves using a formatted provisioning certificate in order to establish a trust relationship between the AMT client and provisioning server where PSK uses a PID/PPS key pair to establish the trust for provisioning. There is quite a bit of documentation regarding how to setup PKI and PSK provisioning in the deployment documents for AMT, so I won't go into that detail here. What I'd like to cover here is what are the differences between these types of provisioning and which versions of AMT use which types of provisioning.






First, let's cover the different types of provisioning and a brief overview of how each of them works.



PSK provisioning uses a Pre Shared Key to encrypt the provisioning process. In order for an AMT client to use a Pre Shared Key, however, the MEBx must first be programmed with the correct key. This can be done in one of two ways: manual entry or via a setup.bin file located on a USB thumb drive.



Manual entry is just that, a user must access the MEBx and manually type in the characters for the PID and PPS and any other settings that are required in order to get provisioning to work (system name, password change, etc). Once the user saves the changes to the MEBx, AMT starts sending out 'hello' packets to the provisioning server to start the provisioning process. This method is the most straight forward but is also the most time consuming, especially when attempting to deploy many systems at the same time.



USB thumb drive provisioning shortens the PSK entry process by using a formatted setup.bin file located on a USB thumb drive that can hold many PID/PPS pairs as well as password change information for MEBx. This key is then used on each system as it boots up to load the PSK information into MEBx. When the system boots, ME detects that a setup.bin file is located on the USB key and, if AMT isn't provisioned already, will prompt the user if they would like to load the provisioning information from the USB key. If the user confirms the request, then ME loads the first available PID/PPS entry into the PSK settings as well as changes the password for MEBx to the password set in the file. ME then marks that entry in the setup.bin file as used and reboots the system. Once rebooted, AMT starts sending out 'hello' packets using the PID/PPS pair. This method is better than manual entry, but only barely. This still requires a user to be at the system and to interact with the process.



PKI provisioning is split into two different types of provisioning as well, Bare Metal and Agent Based/Delayed provisioning.



Bare metal provisioning is where the factory settings in AMT are set at the OEM/System Integrator so that as soon as power and a network connection are applied to the system, then AMT will send out 'hello' packets and provisioning starts. If provisioning doesn't happen right away the provisioning period will continue for 24 hours, sending out 'hello' packets at a decreasing rate, after which AMT goes into delayed provisioning mode. This method of provisioning greatly improves the time savings from a deployment aspect by enabling many systems to be provisioned with minimal interaction from deployment personnel. This method works well when using a 3rd party trusted certificate that is natively supported in AMT (Verisign, GoDaddy, etc).



Agent based/delayed provisioning is where either the 24 hour provisioning period has expired without a successful provisioning transaction or, due to the AMT version, AMT requires an in-band agent or tool to start the PKI provisioning process. In order to start agent based/delayed provisioning, the agent or tool sends a command down through the HECI driver in the host OS and tells AMT to start sending out 'hello' packets to the provisioning server. In addition, some basic configuration settings can also be sent to AMT in order to get it ready for provisioning (enable AMT, set PKI provisioning, etc). This method of provisioning tends to be the most reliable. Again, this works best when using a 3rd party trusted certificate that is natively supported in AMT, but in addition you gain the benefits of having an in-band agent that is able to assist the provisioning process by providing the provisioning server with in-band information that helps keep the out of band aspects of AMT synced with the in-band host OS. Configured correctly, provisioning AMT with the assistance of an in-band agent can make the entire provisioning process hands free for deployment personnel.



Lastly, I want to touch on how each of these provisioning processes relates to the different AMT versions. Different versions of AMT support different types of provisioning. AMT 2.0, 2.1, 2.5 only support PSK provisioning. AMT 2.2 and 2.6 support PKI provisioning (as well as PSK) but only agent based PKI provisioning.  AMT 3.0 and higher versions of AMT support bare metal PKI provisioning (as well as agent based/delayed PKI and PSK provisioning).  A common utility used to accomplish agent based provisioning is the RCT (Remote Configuration Tool).



Provisioning is a very complex topic and what I've touched on here is really just the tip of the iceberg when it comes to understanding the intricacies involved. I hope I've provided more answers than questions, but if there is something you still don't understand, feel free to comment and I'll try to clear it up!




Matt Primrose
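
The version and timing rules described in the post above can be turned into a planning check for a fleet. The following Python sketch is an added example, not code from the post or from Intel; the Client record, its field names and the sample fleet are assumptions made for illustration, and it assumes systems eligible for bare metal left the OEM with factory settings intact.

```python
from dataclasses import dataclass

PSK = "PSK"
PKI_AGENT = "PKI agent-based/delayed"
PKI_BARE_METAL = "PKI bare metal"
HELLO_WINDOW_HOURS = 24  # bare-metal 'hello' period stated in the post

def supported_methods(amt_version):
    """Map an AMT version string (e.g. '2.6.1') to the methods the post lists."""
    parts = amt_version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised AMT version: {amt_version!r}")
    major, minor = int(parts[0]), int(parts[1])
    if (major, minor) in {(2, 0), (2, 1), (2, 5)}:
        return [PSK]
    if (major, minor) in {(2, 2), (2, 6)}:
        return [PSK, PKI_AGENT]
    if major >= 3:
        return [PSK, PKI_AGENT, PKI_BARE_METAL]
    # Versions the post does not mention are rejected rather than guessed.
    raise ValueError(f"AMT {amt_version} is not covered by the post")

@dataclass
class Client:  # hypothetical inventory record
    name: str
    amt_version: str
    has_inband_agent: bool        # agent/tool that can reach AMT through HECI
    hours_since_first_power: float

def plan(client):
    """Pick the least hands-on method the client supports, with the reason."""
    methods = supported_methods(client.amt_version)
    in_window = client.hours_since_first_power < HELLO_WINDOW_HOURS
    if PKI_BARE_METAL in methods and in_window:
        return PKI_BARE_METAL, "still inside the 24-hour hello period"
    if PKI_AGENT in methods and client.has_inband_agent:
        return PKI_AGENT, "in-band agent can start hello packets via HECI"
    return PSK, "PID/PPS must be loaded into MEBx by hand or from setup.bin"

# Constructed sample fleet, not real data.
FLEET = [
    Client("desk-01", "2.1.0", True, 2.0),
    Client("desk-02", "2.6.3", True, 2.0),
    Client("desk-03", "3.0.1", False, 5.0),
    Client("desk-04", "3.0.1", True, 72.0),
]

def plan_fleet(fleet=FLEET):
    return {c.name: plan(c)[0] for c in fleet}

if __name__ == "__main__":
    for c in FLEET:
        print(c.name, c.amt_version, *plan(c), sep=" | ")
```

Clients that fall through to PSK are the ones that need someone physically at the machine, which is the group worth counting before a rollout.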

This week we had our hosts Josh Hilliker, Russ Pam, and Jeff Torello chatting with Ajay Mungara about the Manageability Developer Community. If you're interested in developing software for Intel vPro featuring Intel AMT, then you can learn more about all the developer tools and support available on Ajay's online community. To check out more details visit


Hear all about it, right now!

A few new things are up on  Activation Cheat Sheet. Find links to Microsoft System Center resources, as well as new training module videos.


Videos are now available for these modules:


Module 7: 802.1x, NAC, and Wireless Profiles


Module 8: Remote Configuration


Module 9: Best Practices & Troubleshooting Tips


Happy Learning!


In Josh's blog post about "Stump the PRO" - he mentions WMI & ConfigMgr.  I wanted to post a bit more context for everyone interested in that integration point.



Overview:  ConfigMgr client agent uses WMI to query AMT via the HECI driver.



The Configuration Manager client agent ships with a new WMI provider for the AMT HECI driver.  Additionally, we have extended the SMS_DEF.MOF file with new classes that support the WMI provider.  This is used by the hardware inventory agent when returning information about the client computer.  You'll find the data easily for your AMT computers using the resource explorer for an AMT computer.  The information is categorized under a new resource called "AMT Agent"



The inventory from that agent makes a great basis for building queries to use the in-band agent based provisioning method.






Last week while I was out at MMS (Microsoft Management Summit) in Las Vegas, I was stumped twice by two folks that asked me questions I didn’t have top of mind.  I completed my research & here are the answers to those two questions.  Great job guys for stumping me, hopefully you will leave me a comment so I can send you a free vPro shirt.


Is WMI service used for AMT?

WMI is not used for AMT.  WS-MAN and SOAP calls from the SCCM out of band service point can check to see if it is AMT capable.  Example with SCCM:   Using the APIs of the HECI driver, the SCCM Agent can determine whether it is provision-able.


Does Intel vPro Technology support IPV6?

vPro systems in 2008 will have the ability to communicate with IPv6 addressing in-band; out of band IPv6 support is planned for a future platform release.


More details can be read on the current state at  by Gael Holmes


Here’s an Excerpt:

•     The ME cannot be assigned an IPV6 address but the host OS can be assigned an IPV6 address (either static or via DHCP).

•     The ME does support System Defense filters on the host traffic, whether the host communicates over IPV4 or IPV6. This means that the System Defense filters must be configured on the ME network (via IPV4) but the filters are able to filter IPV6 traffic if that is what the host OS is communicating with.

•     If the host OS is assigned an IPV6 address, the ME must be statically assigned an IPV4 address. The assumption is that if the ME is configured in DHCP mode, it shares its configuration with the host OS. If the host OS is deployed in an IPV6 environment, it cannot share its configuration with the ME.

•     Intel® AMT does not support static IP addresses at all when operating in a Wireless mode, therefore, IPV6 would not be an option at all for Wireless operations.


I'm looking for the next opportunity to get stumped..

Hello to the vPro community!


I'm David Randall, and have been working in the Configuration Manager team over the last year to develop our integration with Intel's AMT hardware.



I recently attended MMS 2008, and was very happy to hear all the enthusiasm around the Configuration Manager integration, and your plans to use vPro in conjunction with ConfigMgr.



I plan to post here weekly with new information that we've learned about ConfigMgr / AMT integration, help you with some walk throughs, list interesting new uses for vPro and where possible, help you streamline your Configuration Manager deployment with vPro.



Thanks, and here's to out of band management!



David Randall

Program Manager, Microsoft




Coming Up:

This week on BlogTalkRadio we'll have our hosts Josh Hilliker, Russ Pam, and Jeff Torello chatting with Ajay Mungara about the Manageability Developer Community. If you're interested in developing software for Intel vPro featuring Intel AMT, then you can learn more about all the developer tools and support available on Ajay's online community. To check out more details visit Listen live - on the phone or stream online!

When: Monday, May 5th @ 3:30 PM

Call-in Number: (347) 326-9831   


Here's the scoop, yet again, for those who haven't heard...

Hosted by Josh Hilliker, Russ Pam, & Jeff Torello, this bi-weekly informal show will be covering a variety of topics and is a perfect avenue to get your questions answered. Listen in live, give your two cents, or just download the show after it has aired. Make sure not to miss out on this awesome opportunity to learn and engage with the vPro experts. Can’t join us live? Have no fear, blogtalkradio lets you listen to the show whenever you have the time. Visit the Open Port Radio site (link is above) to hear previous shows and even catch a glimpse of what’s to come!

For general questions about Remote Configuration, please review the following article -


Earlier in 2007, I wrote two brief articles about Remote Configuration. 


The embedded video below is a summary of how Remote Configuration works in an Altiris environment.  The target environment has a VeriSign Intel(R) Client Setup Certificate loaded.  Intel AMT 2.2 and 2.6 systems are provisioned using Agent Initiated approach.  The Intel AMT 3.0 system is provisioned using the baremetal approach (could have done this via agent initiated... yet wanted to show both methods)


More content\details on acquiring external certificates, or creating a custom internal certificate and adding the associated certificate hash to the clients... can be provided if needed.



At the MMS booth I was asked this question & was able to sit down with Matt for a minute.  Here is the answer to when will you see WS MAN & the Migration Tool for Microsoft Service Center configuration manager SP1


