
I was recently asked about the security of vPro and Intel Active Management Technology, so I started to pull together all the resources I leverage when discussing this topic to help alleviate the concerns of the Information Security folks in IT shops. Here are those links; if you find additional ones that help, please add them to the blog.


Hardening Measures Built into Intel® Active Management Technology


AMT System Defense Usecases


Intel® Active Management Technology Protect Use Cases


Intel® Active Management Technology Use Case #7: Hardware-Based Isolation and Recovery (Protect)




If you have any questions on the security of vPro, please let me know.


Microsoft has just released two additional hotfixes that address issues with System Center Configuration Manager SP1 and vPro/AMT Out of Band Management. Please reference the following WIKI for a comprehensive list of required software bundles and hotfixes for SCCM SP1 and vPro/AMT Out of Band Management:






System Center Configuration Manager 2007 (KB955355):


  • Description: A distinguished name that contains more than 100 characters and that is discovered from Active Directory for an AMT host causes the SMS_EXECUTIVE service to crash in System Center Configuration Manager 2007

  • URL:





System Center Configuration Manager 2007 (KB956337):


  • Description: System Center Configuration Manager 2007 Service Pack 1 is unable to remove AMT user ACLs during the provisioning process for AMT 2.x computers

  • URL:








--Matt Royer

Microsoft has just released 2 hotfixes that address issues with System Center Configuration Manager SP1 and vPro/AMT Out of Band Management. Please reference the following WIKI for a comprehensive list of required software bundles and hotfixes for SCCM SP1 and vPro/AMT Out of Band Management:






System Center Configuration Manager 2007 (KB954718):



  • Description: You cannot use the Out of Band Management console in Configuration Manager 2007 to connect to computers that use versions of Intel AMT that are earlier than version 3.2.1

  • URL:





System Center Configuration Manager 2007 (KB955126):



  • Description: The SMS_Executive service process (Smsexec.exe) in System Center Configuration Manager 2007 may crash if you have Intel AMT-related software installed

  • URL:









--Matt Royer

1 year anniversary - YES!


I wanted to start this blog by saying what an interesting, fun, and action-packed year it's been for the vPro Expert Center. We had a vision about 1 1/2 years ago to create a community where we could bring all parties together to talk about vPro and really make a difference in the activation and integration of this technology into the IT environment. I know that to be 1 year old in a community is just a small milestone; however, for me it has been a blast to connect with a # of folks from the community in the forums, onsite and at events where we can talk face to face. As I reflect back on the year, here are the top 5 and bottom 5 of what the community did that I think made a difference. (I could have made this the top 50.)



  • Have seen some of the best bloggers join us online for dialogue (BIG Thank You)

  • Had great participation across the board - HW(OEM), SW(ISV), YOU, Intel, etc.. 

  • Started a Radio show on blogtalkradio -  check it out (even on itunes)

  • Started a few sub zones that are really helping - microsoft, activation, and our latest SMB Talk.

  • Partnered with and started using resources/wikis for key events (Manage fusion, Microsoft mgmt summit)


Bottom 5

  • We published over a dozen tools and then didn't call them free tools and then we pulled one down that folks really cared about (yes it's almost fixed for those that know what I am referring to)

  • Implemented an ask the experts section, however we used it as a single thread and now it's hard to find past solutions/fixes - (yes this is being fixed)

  • Tried to do an online TV show (good luck finding that legacy show anywhere)

  • We started a contest and made it too hard to participate - (we took the feedback and will try something soon that is easier to participate in)

  • We haven't created a points system yet to showcase who's really answering all the questions and if the answers are good ones. (reputation system or something of that nature).


What does this all mean? We still have more work to do to make this community better. I'm committed to making this an awesome community, focused on you and how to make your life easier with vPro. Keep coming back and spreading the word to friends.


I also want to recognize the great community for giving me input on how to make this better over the year and I want to hear more over the next year on what we can do to make this a better community, increased functionality, richer video, tools, etc.  If you have input on what you would like to see, what we can improve, what we should stop doing, etc.. please drop me a line by either blogging me back here, or just send me an email -  


Or if you have product input that is always welcome, for example, on features we should have in the ME (manageability engine) or Software to leverage our silicon. 


So.. what's next? I can tell you that I have been planning, thinking, waiting for September 22nd for the last 2 months. I can't say much, but I can say you will want to be on the vPro Expert Center that day and check out something very exciting. (If I say any more I'll get the PR/Mktg teams yelling at me.) I can say that we will have more videos, more quick start guides and more focus on CIRA (Fast Call for Help) coming out soon as the HW starts to show up and we can show real life scenarios with rich detail. We are also going to spend more time focused on how to fast track a few use cases, like Going Green with vPro, Remote Repair, & Patching @ Night. After hearing this discussed the last month I believe the community will see value in the output here.


I would also like to give kudos to a # of community peers both inside & outside of Intel that have shared their wisdom, data, approaches and even video editing skills to help me start this community. I think we've only just begun and I am personally looking forward to the road ahead. Please give me a shout out to tell me what you think of the community.


Josh H

Community Manager - vPro Expert Center

Yesterday Jeff Marek, Big Dave & I taught a class on the value of vPro, Intel IT's experience and more on tools.   Here's a quick link to the presentation.


If you attended yesterday's session please let us know if you have questions, comments, etc.

I am so lucky to experience IDF (thank you Jason Davidson, Josh Hilliker and Kevin Ma). The atmosphere here is amazing. Wide varieties of people are here to enjoy what is new coming out of Intel. Opening key notes were invigorating and exciting. Craig Barrett kicked off the experience with his speech, "Small deeds done are better than great deeds planned," what a simple and powerful saying in Craig Barrett's speech.


Going through the show floor area, where the majority of the demos are located, there is so much exciting new stuff, everything from virtualization to new hardware. Let me key you in on something that is going to be big with vPro: remote help for your home computer. With this technology, you can have a key stroke on your PC, it will send a signal to several qualified providers that you can choose from, they will receive a code, and the one of your choice can fix your PC remotely. You would not even need to bring in your PC or have a tech come to your place of residence for most problems. Josh Hilliker is going to be putting up a PDF about it here on the vPro Expert Center. Keep your eye out for some clips and more cool new features from different people on the Open Port site.





(Some cool give-a-ways!!)

When you install the Intel WS-MAN Translator, by default it will provide a PSK PID/PPS of 4444-4444 0000-0000-0000-0000-0000-0000-0000-00000. Although easy to remember, it is not necessarily the most secure. If you do not have a unique PID/PPS generated for your environment, you can leverage the USBFILE utility available in the AMT Software Development Kit (SDK) to generate a secure and unique PID/PPS. USBFile.exe is located in the .\Windows\Intel AMT SDK\Bin\Configuration\ConfigScripts directory of the AMT Software Development Kit download file.






Consideration: The Intel WS-MAN 1.0 only supports the use of 1 PID/PPS pair. So that you can provision AMT clients using PSK after a partial un-provision, it is recommended that you use the same PID/PPS pair throughout your environment.






Generating a unique PID/PPS with USBFile for the Intel WS-MAN Translator


  1. Execute usbfile -create setup.bin admin <new MEBx Password> -gen 1 -xml pidpps.txt
         Note: <new MEBx Password> is what you want the MEBx password to be. If you are using the Intel WS-MAN Translator with SCCM, this should be the same password you configured within SCCM Out of Band Management Properties > Provisioning setting Section > MEBx Account.
         Note: Running the USBFILE command will generate a setup.bin file; however, this setup.bin is set to consumable and can only be used once. Please reference the instructions below on how to create a non-consumable setup.bin with your unique PID/PPS.

  2. After the command has been executed, you can view the generated PSK PID/PPS pair in the pidpps.txt file.

  3. This PID/PPS pair can then be configured in the Intel WS-MAN Translator by running Start > All Programs > Intel WS-Management Translator > wtranscfg.exe. Navigate to the Set Common Pre-Shared Key screen and enter in the PID/PPS that you generated. Click Finished and then OK to Restart the Translator Service.








Generating a non-consuming setup.bin for One Touch Provisioning


  1. Execute usbfile -create setup.bin admin <new MEBx Password> -pid <PID> -pps <PPS> where PID and PPS are the unique ones you generated for your environment.
         This will create a file called setup.bin in the working directory from which you ran usbfile.exe.
         Note: <new MEBx Password> is what you want the MEBx password to be. If you are using the Intel WS-MAN Translator with SCCM, this should be the same password you configured within SCCM Out of Band Management Properties -> Provisioning setting Section -> MEBx Account.

  2. Using the USB Key Provisioning Utility, you can create a properly formatted USB Key loaded with the setup.bin file that can be used for One Touch Provisioning.





--Matt Royer

Note:  The Self Signed Certificate issue was corrected with AMT firmware 3.2.2.  Please work with your OEM to secure the 3.2.2 firmware update.  -- Matt Royer



An issue has been identified that may cause the remote configuration provisioning process to fail when using Microsoft System Center Configuration Manager (SCCM) on systems that have been upgraded from Intel AMT 3.x firmware to 3.2.1 firmware. The Self-signed certificate used to establish the initial PKI provisioning (Remote Configuration) connection is being read as invalid, which causes this failure.


The recommended resolution is to perform a provision and un-provision of the system to regenerate the Self-signed certificate. This resolves the certificate being read as invalid and prepares the PC to be provisioned successfully by SCCM. This can be accomplished locally at the PC or remotely from the console. Both scenarios are documented in detail below but local provision/un-provision will require entering the Management Engine BIOS Extension (MEBx) screen at the local machine. To perform this action remotely, the community has developed a software-based script to execute a remote provision/un-provision. The script should be run for vPro clients experiencing this issue prior to SCCM provision. Once the script is executed, the vPro clients can then be natively provisioned by SCCM.






vPro Clients that are experiencing the issue will show up as AMT Status "Detected" within the Collection View after a Management Controller discovery and will exhibit the following errors in the amtopmgr.log:


During SCCM Management Controller Discovery
Error 0x80090308 returned by InitializeSecurityContext during follow up TLS handshaking with server.
Error 0x6fcb970 returned by ApplyControlToken
During a SCCM Provisioning attempt
Error 0x80090308 returned by InitializeSecurityContext during follow up TLS handshaking with server.
Error 0x261b948 returned by ApplyControlToken

Note: An AMT Status of "Detected" can occur for a variety of reasons; in general it means that the SCCM Out of Band Service Point is unable to establish an initial connection with the AMT client. This scenario can also occur when the computer has been previously provisioned for AMT outside Configuration Manager and the password for the AMT Remote Admin Account or the MEBx Account has been changed and is unknown.

When trying to provision a vPro Client that has a firmware version less than 3.2.1 that is impacted with the Self-signed Certificate issue, SCCM will forward the request to the Intel WS-MAN Translator (which is required for provisioning and management of a vPro Client less than 3.2.1.) The Intel WS-MAN Translator will handle provisioning the vPro client despite the invalid Self-signed Certificate. The steps listed below should not be required for firmware versions less than 3.2.1 if you have the Intel WS-MAN Translator installed and properly configured.


As an interim workaround for vPro Clients 3.2.1 experiencing the issue, you can either locally (through the MEBx) or remotely provision and un-provision the AMT client. The un-provisioning process will regenerate a new Self-signed Certificate within the AMT Management Engine, after which, SCCM can natively use this newly generated certificate to establish the initial secure connection during the provisioning process.


Provisioning via Pre-Shared Key (PSK) is not impacted by the Self-signed Certificate issue; however, to leverage PSK provisioning you will need to install / configure the Intel WS-MAN Translator and load the PID/PPS pair into the vPro client. PID/PPS configuration within the vPro client requires either manual configuration via Management Engine BIOS Extension (MEBx) or One Touch Provisioning through USB key import.








Local Provision / Un-provision

To perform a Provision / Un-provision locally on the vPro Client:


  1. Log into the MEBx by pressing Ctrl-P during POST

  2. If you have not changed the default admin password already, log in with "admin" as the password. If you have already changed the MEBx password, log in with the password you changed it to

  3. Within the MEBx Menu, select "Change Intel(R) ME Password".

    1. When presented with "Intel (R) New ME Password", Enter in the same password you configured in SCCM Component Configuration -> Out Of Band Management -> General Tab -> MEBx Account.

    2. When presented with "Verify Password", re-enter the password.

  4. From the MEBx Menu, select "Intel(R) AMT Configuration"

  5. Within the Intel(R) AMT Configuration Menu, select "Provision Model"

    1. When presented with "Change to Intel(R) AMT 1.0 Mode: (Y/N)", enter "N"

    2. When presented with "Change to Small Business: (Y/N)", enter "Y"

  6. When returned to the Intel(R) AMT Configuration Menu, select "Unprovision"

    1. When presented with "Reset Intel(R) AMT Provisioning: (Y/N)", enter "Y"

    2. When presented, ensure you select "Full Unprovision" and press enter

  7. When returned to the Intel(R) AMT Configuration Menu, select "Return to Previous Menu"

  8. When returned to the MEBx Menu, select "Exit"

    1. When presented with "Are you sure you want to exit: (Y/N)", enter "Y"

  9. Allow vPro Client to reboot fully


After performing the local Provision / Un-provision, you should be able to do a rediscovery of the Management Controller within SCCM and see that the AMT Status is now reflected as "Not Provision". With the vPro Client in a "Not Provision" state, SCCM will be able to natively provision the client without issues. Although fairly simple, one of the key disadvantages of locally provisioning and un-provisioning the vPro Client is that you will need to have physical (touch) access.








Remote Provision / Un-provision

To perform a Provision / Un-provision remotely on the vPro Client, the community has created a visual basic script that will perform the function remotely. In an attempt to reduce the complexity, the VBScript leverages the Intel WS-MAN Translator to provide the authentication and remote configuration connection. To leverage this remote Provision/Un-provision capability, you must have the Intel WS-MAN Translator installed and configured prior to executing the VBScript. Please visit the following Blog to learn how to install and configure the Intel WS-MAN Translator.


The VBScript and guide can be downloaded from the following location, and the contents can be decompressed to a folder on either your SCCM server or on the workstation that you want to run the script from. Please note that you must have WINRM basic authentication switched to "true" on the computer you are planning to run the VBScript from; WINRM Basic Authentication is required for connections to the Intel WS-MAN Translator to work properly. To turn WINRM Basic Authentication to true, run the following command from the command line:


winrm set winrm/config/client/auth @{Basic="true"}




With the archive file decompressed, you will see two VBScripts in the folder: SelfSignedFix.vbs and ExecFromCollection.vbs. SelfSignedFix.vbs is the VBScript that will perform the remote Provision / Un-provision. To use the SelfSignedFix.vbs, there are several parameters you must supply for it to work properly:


  • Intel WS-MAN Translator URL: This is the secure URL on which the Intel WS-MAN Translator is listening

  • The Hostname, FQDN, or IP Address of the vPro Client: This is the vPro Client that is having the issue with the Self-signed Certificate and needs to be Provisioned / Un-provisioned

  • Log File Location: This is the folder or share where the results of the provision / un-provision will be logged for the client. Note that SelfSignedFix.vbs script will automatically create a new log with the filename of the hostname, FQDN, or IP Address you used as the previous parameter.

  • Screen Output: Whether (Y) or not (N) to display the Provisioning / Un-provisioning output on the console screen.


Critical Note: Prior to executing the SelfSignedFix.vbs, it is imperative that you change the MEBx password in the SelfSignedFix.vbs VBScript to match what is configured in SCCM Component Configuration -> Out Of Band Management -> General Tab -> MEBx Account.


As a general reference, you can only change the MEBx password remotely once and only if the vPro Client is in a factory default state (never been provisioned). Since this VBScript remotely provisions and un-provisions the vPro client, we must set the MEBx password during this provisioning process. To Change the MEBx password, open SelfSignedFix.vbs with any text editor and modify (line 19) with your environment specific information:



Const SCCMMEBxPassword = "P@ssw0rd" to Const SCCMMEBxPassword = "<your SCCM MEBx password>"




Note: If you have already changed the MEBx password, the MEBx password will not be changed; however, you should still change the SCCMMEBxPassword in the SelfSignedFix.vbs VBScript to match your SCCM configuration in case you run into a vPro Client where you have not changed the MEBx password yet.




With the MEBx Password modified, here are some examples of how the SelfSignedFix.vbs can be run from the command line:



After running SelfSignedFix.vbs, you should be able to do a rediscovery of the Management Controller within SCCM and see that the AMT Status is now reflected as "Not Provision". With the vPro Client in a "Not Provision" state, SCCM will be able to natively provision the client without issues.





Provision / Un-provision Log

Similar to what is displayed in the previous screen shots, a successful remote Provision / Un-provision log will look like the following:


**Begin Execution 8/11/2008 8:22:22 PM*************************
Connecting to
Setting AMT Clock
Setting HostName
Setting TLS settings
Setting new MEBx Password
ReturnValue = 2057

ReturnValue = 0
**End Execution 8/11/2008 8:22:30 PM*************************

In the event that the vPro Client cannot be reached to be remotely provisioned / un-provisioned, the error log will look like the following:


**Begin Execution 8/11/2008 8:22:12 PM*************************
Connecting to
Unable to connect to AMT Device:
**End Execution 8/11/2008 8:22:12 PM*************************

This error can occur for a variety of reasons. Some common causes of this error are:



In either case, you will need to root cause why the vPro Client was not remotely accessible to be provisioned / un-provisioned. You can then run SelfSignedFix.vbs at a later time to retry and remotely provision / un-provision.
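The two checks that bracket a SelfSignedFix.vbs run, as an added example that is not part of the original post or of the downloadable scripts: a pre-flight test that the SCCMMEBxPassword constant no longer holds the shipped value, and a classifier for the per-client logs shown above. The function names and sample logs are constructed for illustration, and the rule that a final ReturnValue = 0 marks success is an assumption inferred from the two log samples on this page.

```python
"""Pre-flight and post-run checks around SelfSignedFix.vbs (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# --- Pre-flight: was the MEBx password constant actually changed? ----------
SHIPPED_DEFAULT = "P@ssw0rd"  # value the page shows in the downloaded script
# VBScript is case-insensitive and writes a literal quote as "". Anchoring at
# the start of the line means commented-out definitions (' or Rem) never match.
CONST_RE = re.compile(
    r'^\s*Const\s+SCCMMEBxPassword\s*=\s*"((?:[^"]|"")*)"', re.IGNORECASE)

def check_mebx_constant(script_text: str) -> Tuple[str, Optional[int]]:
    """Return (status, line number); the password itself is never returned."""
    for number, line in enumerate(script_text.splitlines(), start=1):
        match = CONST_RE.match(line)
        if not match:
            continue
        value = match.group(1).replace('""', '"')
        if value == SHIPPED_DEFAULT:
            return "shipped-default", number
        if not value.strip() or re.fullmatch(r"<.*>", value):
            return "placeholder-or-empty", number
        return "changed", number
    return "missing", None

# --- Post-run: classify each client's log ----------------------------------
BEGIN = re.compile(r"^\*+Begin Execution (.+?)\*+$")
END = re.compile(r"^\*+End Execution (.+?)\*+$")
RETVAL = re.compile(r"^ReturnValue\s*=\s*(-?\d+)$")
UNREACHABLE = "Unable to connect to AMT Device"

@dataclass
class Run:
    started: str
    ended: Optional[str] = None
    return_values: List[int] = field(default_factory=list)
    unreachable: bool = False

    def status(self) -> str:
        if self.unreachable:
            return "unreachable"   # find the cause, then re-run the script
        if self.ended is None:
            return "incomplete"    # no End Execution marker was written
        if self.return_values and self.return_values[-1] == 0:
            return "completed"     # ASSUMPTION: final ReturnValue = 0 is success
        return "review"            # finished, but not with a final 0

def parse_runs(log_text: str) -> List[Run]:
    """Split one log into runs; a log may hold several if the script was retried."""
    runs: List[Run] = []
    current: Optional[Run] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        begin, end, retval = BEGIN.match(line), END.match(line), RETVAL.match(line)
        if begin:
            current = Run(started=begin.group(1))
            runs.append(current)
        elif current is None:
            continue               # text outside any Begin/End pair
        elif end:
            current.ended = end.group(1)
            current = None
        elif retval:
            current.return_values.append(int(retval.group(1)))
        elif line.startswith(UNREACHABLE):
            current.unreachable = True
    return runs

def triage(logs: Dict[str, str]) -> Dict[str, str]:
    """Map each log name to the status of its most recent run."""
    result = {}
    for name, text in logs.items():
        runs = parse_runs(text)
        result[name] = runs[-1].status() if runs else "no-run"
    return result

# Constructed sample logs modelled on the two shown on this page.
OK_RUN = """\
**Begin Execution 8/11/2008 8:22:22 PM*************************
Connecting to https://wsmantransurl/
Setting AMT Clock
Setting HostName
Setting TLS settings
Setting new MEBx Password
ReturnValue = 2057

ReturnValue = 0
**End Execution 8/11/2008 8:22:30 PM*************************
"""
FAILED_RUN = """\
**Begin Execution 8/11/2008 8:22:12 PM*************************
Connecting to https://wsmantransurl/
Unable to connect to AMT Device: pc-down
**End Execution 8/11/2008 8:22:12 PM*************************
"""
SAMPLE_LOGS = {
    "pc-ok": OK_RUN,
    "pc-down": FAILED_RUN,
    "pc-retry": FAILED_RUN + OK_RUN,             # retried later and succeeded
    "pc-cut": OK_RUN.split("ReturnValue")[0],    # run interrupted mid-way
}

if __name__ == "__main__":
    print(check_mebx_constant('Const SCCMMEBxPassword = "P@ssw0rd"'))
    for host, status in sorted(triage(SAMPLE_LOGS).items()):
        print(f"{host}: {status}")
```

When loading real logs from the log folder, key them by the full file name: the script names each log after the hostname, FQDN, or IP address, so stripping an "extension" would cut an FQDN or IP address short.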








Automating the execution of SelfSignedFix.vbs within SCCM

To avoid having to run SelfSignedFix.vbs on each impacted system individually, there are a couple of automated procedures you can perform depending on what is right for your environment. To identify and isolate the vPro Clients that are impacted by the invalid Self-signed Certificate, you can create a SCCM Collection using the following criteria: "Select * from sms_r_system where AMTStatus=1". This will automatically bucket all the vPro Clients listed as AMTStatus Detected in a single collection for easy identification.



For step by step instructions on how to create the collection for vPro Clients with the AMT Status of Detected, please reference the guide included with the scripts.



Once you have the impacted vPro Clients in a single collection, you can either use SCCM Advertisements to push and execute SelfSignedFix.vbs from the client or you can use the included ExecFromCollection.vbs to connect directly to collection and execute SelfSignedFix.vbs on an enumerated list of members in that collection.



Critical Note: Before proceeding to use one of these large execution methods, it is recommended that you test your configuration (both SelfSignedFix.vbs and Intel WS-MAN Translator) on a few impacted systems individually first. Once you run the SelfSignedFix.vbs steps above on these select impacted vPro Clients, you need to ensure you are able to natively provision the client within SCCM before you move on to a more automated implementation.






Using ExecFromCollection.vbs

ExecFromCollection.vbs is a VBscript that will connect to a desired collection, enumerate the list of members in the collection, and execute SelfSignedFix.vbs VBScript against each member in the collection. Prior to using ExecFromCollection.vbs, you must first change the SMSSiteCode, SMSServer, SMSCOLLECTION, and WSTransURL constants. To modify the required constants, open up ExecFromCollection.vbs with any text editor and change the following values with entries specific to your environment (Make sure you save your changes).


  • SMSSITECODE : This is your SMS Site Code

  • SMSSERVER : This is the FQDN of your SMS Site Server

  • SMSCollection : This is the SMS Collection ID that you want to enumerate the list of vPro Clients from. You can find the Collection ID of a particular collection by right clicking on the collection and select "Properties"; the Collection ID will be at the bottom of the General Tab

  • WSTransURL : This is the secure URL in which the Intel WS-MAN Translator is listening on



Once the constants have been modified within ExecFromCollection.vbs, you can execute the VBscript by running the following Command Line:


cscript ExecFromCollection.vbs

ExecFromCollection.vbs will cycle through each enumerated member in the collection and execute the SelfSignedFix.vbs VBScript against it. Prior to running ExecFromCollection.vbs, you need to ensure that the SelfSignedFix.vbs VBScript and ExecFromCollection.vbs VBScript are located in the same folder.


After running the ExecFromCollection.vbs VBScript, you should be able to do a rediscovery of the Management Controller within SCCM and see that the AMT Status is now reflected as "Not Provision". With the vPro Client in a "Not Provision" state, SCCM will be able to natively provision the client without issues. For any vPro Clients that remain in a Detected state, review the log files to help isolate the root of their issue. For step-by-step instructions on using ExecFromCollection.vbs, please reference the Guide included in the download package.





Using SCCM Advertisement to Execute SelfSignedFix.vbs

In terms of leveraging SCCM Advertisements to push the SelfSignedFix.vbs down to the client and execute it, there are several different ways this could be done. This example simply pulls the SelfSignedFix.vbs off a remote share which is then executed by a SCCM Task Sequence. When the advertisement is picked up by the SCCM Client Agent, the task sequence is executed and SelfSignedFix.vbs is run on the vPro Client machine. Depending on your environment, you may want to leverage alternative methods of deploying and executing this with a SCCM Advertisement. Please note, that the SelfSignedFix.vbs is not performing any provision / un-provision commands locally on the client; although it is running on the local client, the provision / un-provision commands are being routed to the Intel WS-MAN Translator and then the commands are sent back down to the vPro client from the Intel WS-MAN Translator.


  1. In preparation of creating a task sequence, create a remote share on a server where the SelfSignedFix.vbs will be run from and the log files generated from SelfSignedFix.vbs will be stored. Ensure sufficient permissions are granted to the account running the advertisement.

  2. Create a New Task Sequence and give it a name that is easily recognizable. Make sure you create the Task Sequence with the option of "Create a new custom task sequence".

  3. When you edit your task sequence, add a new "General"-> "Run Command Line" task.

  4. Give the task an appropriate name and in the Command Line field enter in:
    \\server\share\SelfSignedFix.vbs https://wsmantransurl/ %COMPUTERNAME% "\\server\share" N
    ... where \\server\share is the remote share that you created and https://wsmantransurl/ is the secure URL of your Intel WS-MAN Translator. %COMPUTERNAME% is an OS environment variable that will give you the hostname of the client.

  5. Once the task sequence is created, you can advertise the task sequence on a Collection you created for just the AMT Detected vPro Clients.

  6. Depending on your advertisement mandate, the next time the client's SCCM agent pulls down an updated policy it will execute the task sequence.

After running SelfSignedFix.vbs VBscript via the advertisement, you should be able to do a rediscovery of the Management Controller within SCCM and see that the AMT Status is now reflected as "Not Provision". With the vPro Client in a "Not Provision" state, SCCM will be able to natively provision the client without issues. For any vPro Clients that remain in a Detected state, review the log file and isolate the root of their issue.


Note: Depending on your Client OS configuration, it may be necessary to set WINRM basic authentication to "true" prior to executing SelfSignedFix.vbs; this can be accomplished by adding a winrm set winrm/config/client/auth @{Basic="true"} command line task prior to the execution of SelfSignedFix.vbs.


This blog was intended to give you a general understanding of the issue and the workarounds that are in place. For a comprehensive step-by-step guide, please refer to the documentation included with the Remote Provision / Un-provision Script archive file. To download the Scripts and the Guide, please visit the following URL:


--Matt Royer

As explained in the SCCM SP1 & WS-MAN Translator: How vPro firmware versions less than 3.2.1 are supported blog, the Intel WS-MAN Translator is a crucial component in providing support for vPro Clients with firmware versions less than 3.2.1 with Microsoft System Center Configuration Manager.


Intel has just posted the production release of the Intel WS-MAN Translator 1.0 and is available for download at the following location: At that location you will find the install binaries and documentation on how to install the translator. However, here is a high level overview of how to install and configure the Intel WS-MAN Translator.


Pre-installation Steps


Generate a Certificate Request on SCCM Server for Intel WS-MAN Translator


  1. On the SCCM Server, go to Start > All Programs > Administrative Tools > Internet Information Services (IIS)

  2. Expand Web Sites and Right Click on Default Web Site and select Properties

  3. In the Default Web Site Properties windows Select the Directory Security Tab. In the Secure Communications section, click the Server Certificate button

  4. This will launch the Web Server Certificate Wizard. Click Next

  5. In the IIS Certificate Wizard Window, select Create a new certificate . Click Next

  6. Select Send the request immediately to an online certification authority. Click Next

  7. Enter a Name for the certificate: WS-MAN Translator Server Certificate. Click Next

  8. Enter Organization Information (Organization and Organizational Unit) and Click Next

  9. Enter the Common name: This is the FQDN of your server you are installing the Intel WS-MAN Translator on and should be the same as the FQDN of your SCCM Server. Click Next

  10. Enter in your Geographical Information. Click Next

  11. Enter 443 for the SSL Port for this web site. Click Next

  12. In the Choose a Certification Authority Window, select your issuing Certificate Authority. Click Next

  13. Confirm your request and click Next

  14. Once Wizard is complete, click Finished


Modifying Windows Remote Management (WinRM) to support Basic Authentication


  1. On the SCCM Server, open a command prompt and run the following command: winrm set winrm/config/client/auth @{Basic="true"} (command line is case sensitive)

  2. You should see Basic = True returned


Set Delegation for the SCCM Server


  1. On your Domain Infrastructure Image, Click Start > All Programs > Administrator Tools > Active Directory Users and Computers > > Computers. Right Click on SCCM Server and select Properties.

  2. Check the box Trust Computer for Delegation and click OK
         Note: If you do not allow this, you will need to setup the WS-MAN Translator (during configuration steps) run time account with a user that has permission to the AMT client. At that point the credentials configured in the run time account are used to manage the client for Kerberos authentication.





Installing the Intel WS-MAN Translator





  1. On the SCCM Server, run the Intel WS-MAN Translator Setup

  2. In the Intel WS-Management Translator setup window, click Next

  3. In the Intel WS-Management Translator setup window, click Next

  4. During the installation, keep all of the Default settings until installation wizard is complete and install has finished.


Configuring the Intel WS-MAN Translator


  1. Click Start > All Programs > Intel WS-Management Translator > wtranscfg.exe to configure the Translator

  2. In the WS-Translator Configuration Wizard Window, Set common setup accounts & Set TLS/forwarding options. Click Next

  3. In the Set initial setup password window, enter the password you configured within SCCM Out of Band Management Properties > Provisioning setting Section > MEBx Account. Click Next

  4. In the Set Common Pre-Shared Key window, you should select a more random and secure PID and PPS for security reasons. Click Next.

  5. In the Import Common Setup Certificate, Click Browse and select the Same Certificate you used in SCCM Out of Band Management Properties > Certificates Section > Provisioning Certificate. Click Next.

  6. In the Select TLS/forwarding options windows, select (default Options): Listening Port: 443 & Forwarding Port: 16993. For the Server Certificate: select the WS-Man Translator certificate created in previous step. Click Finished. Click OK to Restart the Translator Service.


Configuring SCCM SP1 to use the Intel WS-MAN Translator


  1. Within System Center Configuration Manager Out of Band Management Properties > Provisioning setting Section > AMT Settings, check the option for Enable support for Intel WS-MAN Translator. Once selected, click Apply.


--Matt Royer


Live @ IDF

Posted by josh.hilliker Aug 19, 2008

Just arrived, checked out the booth and we are ready for this afternoon.  Definitely come by @ 6PM in the vPro Zone today. 


Stay tuned for more videos from Pat's keynote in a few moments, along with a quick video on the booth.



Josh H

Virtual World - a computer based world that represents all aspects of life, as we know it. There are many fun and exciting examples of ways people have turned aspects of our world into a virtual world, and often these are found in massively multiplayer online games. However, one virtual representation I have been learning about lately is one called virtual appliances. Virtual appliances represent complex software stacks in a virtual environment. However, with a virtual appliance we are taking something that is often very complex and has high maintenance costs and representing it as a single application. The virtual appliances I have been learning about lately are not representing real life in a fun environment, but solving real problems by interfacing with the vPro features.


Recently Nicole Trent wrote a blog on Microsoft SCE. It is one of the many examples (you can find an abundance of appliances on the vPro Expert Center) of virtual appliances that can be used to interact with the features in vPro. These appliances are useful when you perform inventory and maintenance to vPro clients as they bundle the software you use to manage the clients into one location. Then you can use this to control your clients from your server by using the remote capabilities.


If you have a whole lot of clients in your business that need to be updated overnight because it's critical for these to be in service for the day, you can use a virtual appliance that contains the IT software needed to make up that script so IT wouldn't have to be there overnight. These scripts can execute and maintain your machine while you're away from your desk, sleeping or having a fun weekend. Best of all, the IT people that make these scripts are allowed to have their nights and weekends as well, as the scripts can execute fully automated.


This is convenient for the "green" factor. We are able to send applications with the aid of AMT without wasting the time of anybody who would otherwise go desk side and put the application on each computer, or help the computer itself if it's in trouble. They would just apply it at one time, not wasting time, money, and packaging (my past blogs emphasize these features). When the alternative is having an IT person going from one site to another, this helps lower gas consumption.


This is just another tool to our future of virtual computing. The more comes out the more it helps aid in situations that only a few years ago that is changing the way our businesses are operating. Now that it's here we should be able to use it to its full extent; it's up to us to push the limits.


P.S. This week most of us (yes vPro lovers, Mr. Josh Hilliker will be gracing us with his presence!) will be at IDF, and there will be a lot of good stuff coming out of the vPro Expert Center. If you cannot be there, check out the vPro site: there will be blogs and radio shows (which by the way Blog Talk is on iTunes for free download - search Intel Open Port Radio). Who knows, maybe you will hear me!! Stay tuned

In my tenure at Intel, I have had the pleasure of walking into major companies, educational institutes, non-profits, and government agencies to talk technology with many great people.  “How green is this solution” is a topic on many minds lately – no matter which topic of discussion.   Being an engineer by trade and scientist by education, I will typically dive into the details around each component’s power consumption and the discussion ends with some simple math multiplying a number of units by their thermal numbers.  However, there is so much more to the overall impact, and as I walk in and out of these locations, I am always amazed at the number of larger issues with much larger impacts that are unresolved or overlooked.  Reading the book “Living Like Ed: A Guide to the Eco-Friendly Life” by Ed Begley Jr. inspired me to approach some of these topics, and to similarly classify items by their degree of difficulty to implement – easy changes, not-so-big changes, and big changes.  Additionally, I will be looking at the overall impact that compute model choices can affect.  However, I will leave the topics beyond the realm of compute models to experts such as Ed Begley Jr.


Corporate Recycling, it can be an easy change:

Before I dive into any of these subjects, recycling should come as an essential component to every one of these solutions – it should become part of your culture, the stockholders will most likely appreciate the frugality.  If you're purchasing new equipment, you need to be thinking about what you can do with the old equipment, sometimes the answer is to donate the equipment to charities, sometimes it needs to be disposed of, but rarely does that require it fill a landfill.  As an example, everywhere that Intel operates, more than 70% of all waste is recycled.  I am not suggesting you need to achieve this overnight, Intel has been working on this since 1971…it is a gradual process.  Start by looking at what the biggest waste items are from your company and get creative – is it finding a use for all those coffee grounds, finding ways to reuse packaging material when shipping your products, or simply implementing recycle bins and growing employee awareness. 

Here is a great video which highlights how Intel practices corporate recycling:


Pure power consumption items:


I have yet to find a location that I have visited where I cannot find that amongst the rows of office workers, several are still using CRT monitors – and many times they are not even the energy efficient CRTs.  Simply moving these users from CRTs to LCD can have a profound impact on power consumption.  Consider a typical 17” CRT will consume around 80 watts, and a 15” LCD is around 25 watts (these have similar viewing areas).  For any user working behind one of these outdated CRT monitors, we need not discuss any other aspect of power savings at their desk until this is fixed, no compute model savings are looking to give you 55 watts back with such a simple solution.  Added to this are well-known benefits around increased worker productivity when moving from CRT to LCD due to eyestrain reduction, glare, distortions, flicker, and visual search time improvements.  As far as I can see it, switching out these monitors is an easy change, it is in the same vein as moving from incandescent to compact fluorescent light bulbs.  There are even HVAC efficiency changes when these changes happen on a large enough scale (less heat put off by the monitor equals less cooling needed from the HVAC – and in winter the heating produced by your HVAC system I am going to assume is more efficient than the heat being produced by that CRT).


However, a big change item enabled by the CRT to LCD upgrade comes in the realm of building design.  The distance an employee sits from an LCD is the same as the CRT, however the space needed behind the LCD is far less than that of a CRT – LCD monitors even have direct wall mount options.  This gives space designers the ability to decrease desk depth and develop creative solutions around ergo designs.  This results in more compressed, configurable, and/or productive work environments.  The weight reduction on a given office floor can give some relief to building designers as well (average CRT weighs 40-45 lbs, and the similar LCD is 6-8 lbs – multiply this by the number of workers in a building, let's say 1000, yields a couple tons removed from a single floor).  Is there a way to utilize the weight and heat to balance locations that are often constrained already, such as your server room?  It’s worth looking into.



The subject of telecommuting in general causes various reactions – from the employer who has witnessed abuse of the telecommuting freedoms to discussions around increased employee focus and higher output, the reaction and debate on this subject will continue, just as it has around anything from solitaire to YouTube and social network use.  Regardless of the outcome of these debates, telecommuting can have an overall world effect on the number of employees on the road to and from the office each day.  Being that most people tend to take a transportation method that is far from efficient, this alone can be a net positive impact.  I have heard some government employees are encouraged to spend 1 day each week working from home (pending their job allows them to do this) simply to reduce the environmental impact.  However, the debate is still out on the efficiencies in power consumption regarding heating and cooling a single residence versus several employees in an office environment, and the infrastructure costs to support more remote versus local employees.  The benefits of mobility in your compute model can definitely benefit the environment – at the least, mobility offers the flexibility to consider various work environments (e.g. what would be greener than a person using a laptop outside using solar power?).


Power policies

Often power policies have taken energy efficient configurations and pushed them another 20% beyond what is already seen as good.  When applied down the wire over manageability interfaces such as can be done on an Intel® vPro™ Technology enabled client, they are easy to deploy and quick to update when needed.  You can decide to simply turn off the unused computer, wake it up and update it when needed, and then return it to the low power states.  On the other hand, you can utilize the processing power of that vacant machine to run a distributed compute environment using an IDE redirection operation, further reducing the loads on your data center and switching the watt per calculation onto inexpensive devices.  Isn’t this the whole argument that drove RAID technology – the I in RAID stands for inexpensive, we took inexpensive drives and made redundant copies, much like we can do with the relatively inexpensive computations of these vacant client machines.  


Data Center Consolidation via Virtualization, DC Racks, and other things inside those glass rooms…

If no one has looked into this area yet at your organization, it may be time to visit your local datacenter and see what is going on.  Chances are the ladies and gentlemen running your datacenter are already plugged into these topics, as they are probably spending a large budget every year just to keep those servers that you never see humming along, money well spent on temperature and climate control, money spent on power consumption, etc.  Let's face it, unless you are someone who understands the difference between 1U, 2U, and 4U and knows what happens when the halon system is engaged, then you should get your teams that do know about such things looking at The Server Room.   There are many fantastic advances in the last few years that can drastically decrease the power consumption, reduce the cooling needs, and increase the manageability and reliability of your server room. 


Compute Model Debates:

The reason I call this section “debate” is that various individuals, corporations, analysts, and product vendors spend much time debating about which of these is greener.  The argument usually stays within the simple math as I described before, but the real answer I believe should extend into the larger, holistic, picture.  All of these solutions fit into the big changes category, as they require establishments to modify the way they operate, often involving the acquisition of new equipment and software, and typically requiring end-users to receive some training to function productively in these environments.  For more information on these compute models you should read the presentation at: Compute Models Explained 


Fixed Location: Terminal Services, Virtual Hosted Desktops, Blade PCs, and Web-Based Apps

I am grouping all of the compute models that move large amounts of computation from clients and place them on server(s), as they all have a very similar green impact with slight nuances related to each one.  Often this group of computing wins out quickly with simple math:

Current:      20 client computers running at X watts + server running at Y watts

Thin-client:      20 thin-client computers running at almost no watts + server running at Y watts

This always looks great, and why not, you are reducing the wattage on the item that is being multiplied.  Too good to be true?  This does not account for several key items with these calculations.  The scenario does not look at how many clients the one server handled before and after the switch.  The change pushes more computing demands on the server, and reduces the demands on the clients.  In the current scenario, the server may have been handling very limited calculations, and could have stretched to thousands of clients.  Anyone who has priced servers and supported them knows that the cost per calculation that you pay on a server is far greater than the cost per calculation on a client.  Servers require redundancy, are often located in raised floor climate and temperature controlled environments, typically are allowed to operate at up to 50% capacity before more are added to the mix, are supported by disk arrays which are also climate controlled and redundant, have built in fans with redundant fans, built in power supplies with redundant power supplies…  All of this is to make sure that you, the end user, never experiences downtime.  On the other hand, your desktop or mobile client is built with the end user in mind, it can often handle limited shocks, a wide range of temperatures, humidity, and electro-magnetic interference.  However, it does not have dedicated employees supporting it as the server does, and does not require a special room.  I have yet to hear a client discussion where we talk about five or six 9’s of uptime – client computers simply reboot much more often. 

The real equation should read something like the following:

Current:      2000 client computers running at X watts + server running at Y watts + server room HVAC

Thin-client:      2000 thin-client computers running at almost no watts + 200 servers at Y watts + server room HVAC expanded to support 199 more servers

Is this a net wash, increase, or reduction – that depends on how constrained your datacenter already is, what part of the world you are located in (do you have some glaciers nearby), and several other factors.  I am not saying it is not always a net reduction of power, but the equations used are often oversimplified, they have to take a holistic approach to each environment to determine the true merits.


Off Network Options: Distributed, Rich Client, Virtual Containers, Application Virtualization and Streaming

The second group I am going to split my debate into is the group that supports mobility and retains computation on clients.  Many of these models support moving computations between the server and client as dictated by policies and system capabilities.  However, in general each of these models enables the server component to scale to a much larger number of clients, and when reaching server capacity can use policies to turn up client compute loads.  The same calculations apply in these environments where you include HVAC costs for the increased server demands.  However, the numbers of servers increased in these scenarios are much smaller.  Don’t just take my word for it, follow this link to a study done by Fraunhofer Institute 



No step is too small…changing behaviors, deciding which solutions are right for you, and reaping the benefits of growing greener is a gradual process, one for which we all should strive.  With each option we need to be looking at what the larger impacts are – what does it mean to productivity, security, manageability, and is now the right time to gain adoption for this change?

If you are seeing any failures in your log around setting the hostname during a Remote Configuration, it could be due to an underscore in the host name. Check out Terry Cutler's post on Altiris Juice. Terry references RFC 952, the DoD Internet host table specification. Here are the assumptions from that specification.




   1. A "name" (Net, Host, Gateway, or Domain name) is a text string up
   to 24 characters drawn from the alphabet (A-Z), digits (0-9), minus
   sign (-), and period (.).  Note that periods are only allowed when
   they serve to delimit components of "domain style names". (See
   RFC-921, "Domain Name System Implementation Schedule", for
   background).  No blank or space characters are permitted as part of a
   name. No distinction is made between upper and lower case.  The first
   character must be an alpha character.  The last character must not be
   a minus sign or period.  A host which serves as a GATEWAY should have
   "-GATEWAY" or "-GW" as part of its name.  Hosts which do not serve as
   Internet gateways should not use "-GATEWAY" and "-GW" as part of
   their names. A host which is a TAC should have "-TAC" as the last
   part of its host name, if it is a DoD host.  Single character names
   or nicknames are not allowed.
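
A pre-provisioning check for the rules quoted above, as an added example (it is not from Terry Cutler's post or from any Intel or Altiris tool). The function names and the host list are constructed for illustration; pass the host name exactly as it would be set on the client.

```python
import string

MAX_LEN = 24  # "a text string up to 24 characters"
ALLOWED = set(string.ascii_letters + string.digits + "-.")


def rfc952_violations(name):
    """Return the rules from RFC 952 assumption 1 that `name` breaks.

    An empty list means the name passes. The "-GATEWAY"/"-GW"/"-TAC"
    role conventions are naming policy, not syntax, and are not checked.
    """
    if not name:
        return ["name is empty"]
    found = []
    if len(name) == 1:
        found.append("single character names are not allowed")
    if len(name) > MAX_LEN:
        found.append("longer than 24 characters (%d)" % len(name))
    # An underscore lands here: it is outside A-Z, 0-9, minus and period.
    illegal = sorted(set(name) - ALLOWED)
    if illegal:
        found.append("illegal character(s): " + " ".join(repr(c) for c in illegal))
    if name[0] not in string.ascii_letters:
        found.append("first character must be a letter")
    if name[-1] in "-.":
        found.append("last character must not be a minus sign or period")
    if ".." in name:
        found.append("periods may only delimit name components")
    return found


def audit(names):
    """Check a list of host names before provisioning.

    Returns {name: [problems]} for the names that fail. Because RFC 952
    makes no distinction between upper and lower case, two names that
    differ only in case are reported as a collision.
    """
    report = {}
    first_seen = {}
    for name in names:
        problems = rfc952_violations(name)
        key = name.upper()
        if key in first_seen and first_seen[key] != name:
            problems.append("same name as %r ignoring case" % first_seen[key])
        first_seen.setdefault(key, name)
        if problems:
            report[name] = problems
    return report


# Constructed inventory, not taken from any real environment.
SAMPLE_HOSTS = ["LAB-PC01", "LAB_PC01", "lab-pc01", "9TH-FLOOR", "KIOSK-", "Q"]

if __name__ == "__main__":
    for host, problems in audit(SAMPLE_HOSTS).items():
        print("%-10s %s" % (host, "; ".join(problems)))
```

Running it over an inventory export before provisioning flags the underscore case described above along with the other rule breaks.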

If you are a Managed Service Provider and you want to realize the full potential of Intel vPro technology in one or more of your current customer accounts, check out the Self-Administered SMB Intel vPro Technology Activation Program.


For those that are not aware, Microsoft has a System Center Configuration Manager 2007 Toolkit that provides some excellent tools to help with troubleshooting, security hardening, and easier log viewing within SCCM.






To download System Center Configuration Manager 2007 Toolkit, please visit






Here are the tools that are included (as documented on Microsoft's Website)


  • Client Spy - A tool to help troubleshoot issues related to software distribution, inventory, and software metering on Configuration Manager 2007 clients.

  • Policy Spy - A policy viewer to help review and troubleshoot the policy system on Configuration Manager 2007 clients.

  • Trace32 - A log viewer that provides a way to easily view and monitor log files created and updated by Configuration Manager 2007 clients and servers.

  • Security Configuration Wizard Template for Configuration Manager 2007 - An attack-surface reduction tool for the Microsoft Windows Server 2003 operating system with Service Pack 1 and Service Pack 2 (SP1 and SP2) that determines the minimum functionality required for a server's role or roles, and disables functionality that is not required.

  • DCM Model Verification - A tool used by desired configuration management content administrators for the validation and testing of configuration items and baselines authored externally from the Configuration Manager console.

  • DCM Digest Conversion - A tool used by desired configuration management content administrators to convert existing SMS 2003 Desired Configuration Management Solution templates to Desired Configuration Management 2007 configuration items.

  • DCM Substitution Variables - A tool used by desired configuration management content administrators for authoring desired configuration management configuration items that use chained setting and object discovery.





--Matt Royer


For those that don't know, you can use the Intel AMT Web console as an alternative to running the out of band management console in Configuration Manager 2007 SP1 to manage vPro computers.





On more than a few occasions, people have been experiencing problems with connecting to the vPro AMT Web console after the vPro Client has been provisioned by SCCM. In every case that I have been involved in, it simply comes down to one or two of the following:


  • Not having the required HotFix (KB908209) for IE 6 installed and registry entry for both IE6 & IE 7 added

  • Connecting to the wrong URL of the vPro Client

  • Not having the "Enable Web Interface" checked within SCCM "Out of Band Management Properties"

  • Not connecting with a user that has appropriate access








Making sure you have KB908209 installed and having the registry key added for Internet Explorer



There is a hotfix released for Internet Explorer 6 that addresses connecting to a web site with the Kerberos authentication protocol on a non-standard port. Since you are trying to authenticate with Kerberos on a non-standard port when you connect to a vPro AMT Web console, you need this hotfix. Keep in mind that, besides the hotfix, you also need to add a registry entry to allow the hotfix to be active (steps listed in the KB article). Here is the registry entry you need to add.


  • For 32 Bit: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209\"iexplore.exe"=dword:00000001

  • For 64 Bit: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209\"iexplore.exe"=dword:00000001


Although Microsoft included the hotfix into Internet Explorer 7, you still need to add the registry entry to get the authentication to work. Forgetting to add this registry entry tends to be the number 1 reason why people are having the problem!!!!









Connecting to the correct URL



When connecting to the vPro AMT Web console, you must connect to the vPro Client with the following URL: https://FQDN:16993, where the FQDN is the fully qualified domain name of the vPro client. Using the IP address will not work (or at least you will get a warning about an invalid certificate) because SCCM has configured the vPro client to use TLS and the URL needs to match the certificate that was issued during the provisioning process. As a general reference, 16993 is the port that the TLS web service is listening on, and you need to connect with https since it's a secure connection.









Ensuring you have "Enable Web Interface" checked



To enable vPro AMT Web console support on the vPro Client, you need to verify that "Enable Web Interface" is checked within the SCCM "Out of Band Management Properties" - "AMT Settings" Tab. With this checked, SCCM (during the provisioning process) will configure the vPro Client to allow vPro AMT Web console access.









Make sure you have permission



Since SCCM only supports Kerberos authentication (with the exception of the Remote Admin account, whose password is only known by SCCM), you need to authenticate with a Kerberos user that has been granted access to the vPro Client. If you are having problems authenticating, make sure the user you are trying to authenticate with is listed in the AMT User Accounts in the "Out of Band Management Properties" - "AMT Settings" tab.





--Matt Royer

This is officially closed on both Survey Monkey and this site.


Just go to Survey Monkey and take the survey that is shown below.


I have been saying so much on what I love about vPro and the cool features that it presents to the public, so now I want to know your perspective. Since you are going to be so nice to put your point of view up here, I am going to give something back to the best answers: a 16GB USB key!! So post what you like best about vPro and I will send you a 16GB USB key. All I need to know is:

  • What I think is cool about vPro:

  • Company Name:

  • Number of vPro/Centrino Pro systems:




Ah...I love talking about virtualization. Virtualization feels like some non-reality spectrum. It is as if you can manipulate it to do anything with it. The topic just seems endless; technology is starting to run with the idea of that. With vPro, virtualization will be able to go farther. Remote manageability aids in the virtualization area. The thought of two different versions of a program being on the same client and the computer not being able to have them up is a thing of the past. They wouldn't even know that each other were there.






With the real world in mind, big companies with many different offices could stream private information to each other with vPro. This would prevent sensitive information from leaking out to the wrong hands. Hospitals would benefit from this because when their patients' files are in their database they can just stream the whole data from their server to the client computer where the doctor is; again, security would help aid against any tampering of sensitive documents.






Besides sending out vital and sensitive information, there are also necessary items that people would need that they could stream. School is a great area for that. They are implementing it in a few schools (St. Agnes Prep School Use emerge Compute Models With video). I know there are plenty of times where I have to carry three books and my back felt as if it was going to break. Also, I hated switching the books around depending on what day it was. Having all my information on the laptop that I was carrying anyway would do me a lot more good. 






With vPro, the universities will be able to have a few servers that will check on the laptops that are given out to the students.  If there are any problems with the software (it wouldn't have to be just with the books, it could be with software that the university has rights to) that was being streamed the server computer can detect it and fix them remotely.  As a college student, I would love to have all my information just through my computer. I wouldn't have to worry about trucking all my stuff everywhere and it's all centrally located in one area. For a company, it ensures that all information needed is gathered in one area that can be obtained by the employees and it can be relayed back and forth.






How many times have you gone to the ATM and it says that it's out of service? For the financial institutions, how about all of those remote ATMs that are difficult to go out and service? With vPro the server can be anywhere and it can service the client away from the machine, saving the financial institutions plenty because the service guy does not have to go out at all hours. They can check if there is anything wrong with its software or hardware away from the computers within minutes.






vPro is able to extend the possibilities of virtualization. It has helped two (or more) computers to communicate and talk to each other. Knowing that we could go farther and farther with the technology of vPro, and having Centrino2 coming out, it's only going to be even more endless. The excuse that the dog ate my homework will not work anymore. (I think I am going to try to find a virtual dog!)



Understanding vPro- Chapter 5: Enhanced Maintenance (I just want to wrap a big hug around AMT!!)



Understanding vPro: Chapter 4 vPro: What is with this trusted environment?



Understanding vPro: Chapter 3- Proactive Security- did Intel put a tiny guard dog in my computer???



“The Intern’s” Understanding vPro: Chapter 2-What is it used for/ why should I use it?






For those who have provisioned Intel AMT systems, you may wonder what takes place in the background. This article is for you! The process has often been covered at a high level, but here the technical details are provided. Hopefully this helps you understand the inner workings, and provides you with information when troubleshooting Provisioning issues. And for those of you who are technically minded, it's also neat to know! This information was compiled while working on issues and running through provisioning processes from Symantec Support.





Often the Provisioning process for Intel vPro systems has been described as complex. This comes from the fact that the Provisioning process was designed with high security in mind. Since the initial release we have improved success rates by working with Intel to make the process more user friendly without compromising the high level of security. To this end this document will explain the process of Provisioning from a technical level, providing an unfiltered view of the process, also without compromising its security.




Provisioning Flow

The following process assumes that Altiris Out of Band Management and Intel SCS are installed, configured, and ready to go. This process follows the flow of Provisioning and what data points, technologies, and methods are used. The level of detail is meant to be a resource when working with Provisioning or troubleshooting Provisioning issues, so not all details are available for this process. Note the following points before moving through the process:


  • The console items in the Altiris Console under View > Solutions > Out of Band Management > Provisioning are not tied to the Altiris database like most of the rest of the Altiris Console. They connect through a virtual Website (AMTSCS under the Default Website of the SCS Server) to the IntelAMT database.

  • Data from two databases (IntelAMT and Altiris) are used during the Provisioning process.





The following articles can assist if you need information on these:






  1. The server is loaded with a security key or certificate. See the following two items for how these keys are loaded:

    1. For a PID PPS, either keys are randomly generated or imported into the IntelAMT database. Specifically they reside in the table csti_pid_map. Once created/imported, they are available for verifying authentication from an incoming provisioning request from AMT.

    2. For TLS-PKI (certificate-based Remote Configuration) a certificate is loaded onto the server. See this article for details:

  2. The clients need the matching keys loaded onto them. This is done differently depending on the type:

    1. For PID PPS the keys are set by one of the following methods: the OEM sets it, it's entered manually into the Intel ME, or inputted via a one-touch USB flash drive. The PID and PPS are written into the firmware to be used as the authentication credentials when it looks for a provisioning server.

    2. For Remote Configuration (TLS-PKI) at the factory predefined hashes are burned into the firmware for the following certificate vendors (more to come in subsequent versions of AMT). This means AMT already has authentication keys to begin the provisioning process direct from the factory.

      • VeriSign

      • Comodo

      • GoDaddy

  1. The client machine, once it has its keys and has been connected to the network and power, uses one of two methods to find the Provisioning Server:

    1. The IP address of the server can be manually put into the Intel ME, including what port the SCS listener is configured for (default 9971). When this is done, the AMT client will transmit its Hello message directly to the IP Address and port.

    2. The client will transmit its message on port 9971 to the name of ‘ProvisionServer'. If Out of Band Management, Intel SCS, and DNS have been properly setup DNS will route the packet to the Notification Server.

  2. The Notification Server is set to listen for AMT Provisioning traffic on port 9971, but can be configured to use a different port if so desired in the Altiris Console under View > Solutions > Out of Band Management > Configuration > Provisioning > Configuration Service Settings > General. The top option is labeled 'Listen port:'.

  3. When SCS, via the service AMTConfig (process AMTConfigWinService.exe), receives the incoming "hello" packet, it initiates an authentication request with the client to complete the authentication process, the beginning of which was stored in the packet. Once authentication completes successfully, the process moves on.

  4. The service, AMTConfig, catches the incoming packet and logs the data in the IntelAMT database, in the table csti_amts. This table contains all the relevant data for this system's identity.

  5. Once the system has been logged into the IntelAMT database, Intel SCS uses the database entries under csti_configuration to initiate what's known as the props script. This script is what will assist in the provisioning process. In Altiris' case, it is oobprov.exe, located by default at C:\Program Files\Altiris\OOBSC\oobprov.exe. For an example of how Intel SCS knows about this, see this data snippet from the csti_configuration table:

  6. On a busy SCS server you can look at Task Manager and see multiple instances of oobprov.exe running. The default settings allow 10 threads to work on provisioning requests at any given time. These threads will interface with the Altiris Database via the Altiris Agent on the local server system. In a standard setup the local system is also the Notification Server.

  7. OOBPROV runs a SQL query to fetch the Fully Qualified Domain Name (FQDN) for the system it is to provision. The query is based off the following data points:

    1. UUID passed to it via Intel SCS, Source is as follows: Database: IntelAMT, Table: csti_amts, Data Source: "Hello" packet from AMT system, Values used: uuid

    2. Database: Altiris, Data-class: OOB Capability, Table: Inv_OOB_Capability, Data Source: Out of Band Discovery Task, Values used: _ResourceGuid - UUID

    3. Database: Altiris, Data-class: AeX AC Location, Table: Inv_AeX_AC_Location, Data Source: Basic Inventory Agent, whether from Basic Inventory function or Hardware Inventory from Inventory Solution, Values used: _ResourceGuid - Fully Qualified Domain Name

  8. The query accomplishes the following: it takes the UUID from csti_amts, uuid and looks for a match in Inv OOB Capability, uuid. If a match is made, it takes the _ResourceGuid from the same table and matches it against the column of the same name in AeX AC Location. With the match it then reads the value stored under Fully Qualified Domain Name (I'm not sure why they didn't just label this column FQDN...).

  9. Next, oobprov.exe hands back the FQDN it has read from AeX AC Location, Fully Qualified Domain Name and passes it to SCS. SCS takes this value and inserts it into the IntelAMT database at csti_amts, fqdn for the matching resource.

  10. Next, oobprov.exe fetches the automatic profile set within Out of Band Management Solution. This is done in the Altiris Console under View > Solutions > Out of Band Management > Configuration > Provisioning > Intel AMT Systems > Resource Synchronization. This policy needs to be enabled for this step to work, and a default profile configured and selected under the dropdown labeled ‘Intel AMT 2.0+ to profile:'.

  11. The profile provides the operational data for management of the AMT system. After AMT accepts the profile, the Provisioning process is now complete. Before this step, AMT functionality is not available on this system, and after this step only properly authenticated functions will be able to use Intel vPro on the target provisioned systems.



The following items can be considered break points for this process. If you've done provisioning you may have run into the symptoms produced by the following items. These are compiled as common areas of trouble in this process.


  • The "Hello" packets only transmit for 24 hours, on a back-off schedule, before stopping altogether. If the Server is unable to provision in that time, with IP refreshes becoming more frequent, the system can be in a limbo state. See this article for steps to rectify:

  • IP Address changes, refreshes within DHCP during a system's build process can leave SCS with an out of date IP Address for a system that needs provisioning. Coupled with the preceding issue this can leave the system in an unprovisioned state, leaving no ability of the SCS to contact the system to finish the process.

  • Remote Configuration certificate is not properly installed on the server, producing authentication failure messages in the AMT logs.

  • Oobprov.exe is unable to fetch the FQDN. For oobprov.exe to be able to fetch the FQDN, the AMT system needs the Altiris Agent installed, must have sent Basic Inventory when it had a valid FQDN (for example, a system in the process of being built might not have a valid FQDN yet), and must have downloaded and executed the OOB Discovery Task so that data from the task is populated into the OOB Capability data class. Alternatively, you can use the option in Resource Synchronization labeled 'Use DNS IP resolution to find FQDN when assigning profiles'.
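The FQDN lookup from steps 7 through 9 and the "unable to fetch the FQDN" break point can be reproduced offline to see which prerequisite is missing for a given system. This is an added example, not Altiris or Intel SCS code: the table and column names come from the description above, while the SQLite schema, the single-database layout, the status labels, and the sample rows are constructed assumptions.

```python
import re
import sqlite3

# Constructed stand-ins: only the columns the article names are modelled.
# In a real deployment csti_amts lives in the IntelAMT database and the two
# Inv_* tables in the Altiris database; one SQLite database is an assumption.
SCHEMA = """
CREATE TABLE csti_amts (uuid TEXT PRIMARY KEY, fqdn TEXT);
CREATE TABLE Inv_OOB_Capability (_ResourceGuid TEXT, uuid TEXT);
CREATE TABLE Inv_AeX_AC_Location (
    _ResourceGuid TEXT, "Fully Qualified Domain Name" TEXT);
"""

# Steps 7-8: Hello UUID -> OOB Capability -> _ResourceGuid -> AeX AC Location.
# LEFT JOINs keep the row when a link is missing, so the gap can be named.
LOOKUP = """
SELECT cap._ResourceGuid, loc._ResourceGuid,
       loc."Fully Qualified Domain Name"
FROM csti_amts AS amt
LEFT JOIN Inv_OOB_Capability  AS cap ON cap.uuid = amt.uuid
LEFT JOIN Inv_AeX_AC_Location AS loc ON loc._ResourceGuid = cap._ResourceGuid
WHERE amt.uuid = ?
"""

LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_usable_fqdn(name):
    """True for a dotted host name; a bare build-time name is rejected."""
    if not name or len(name) > 253:
        return False
    labels = name.strip().rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


def resolve_fqdn(conn, uuid):
    """Return (status, fqdn) for one AMT UUID; status names the missing link."""
    rows = conn.execute(LOOKUP, (uuid,)).fetchall()
    if not rows:
        return "no_hello_record", None          # SCS never logged a Hello
    if all(cap_guid is None for cap_guid, _, _ in rows):
        return "no_oob_capability_row", None    # OOB Discovery Task data absent
    if all(loc_guid is None for _, loc_guid, _ in rows):
        return "no_location_row", None          # Basic Inventory never sent
    for _, _, fqdn in rows:
        if is_usable_fqdn(fqdn):
            return "ok", fqdn.strip()
    return "unusable_fqdn", None                # inventory sent before FQDN was valid


def provision_pass(conn):
    """Step 9 for every record still lacking an FQDN; returns {uuid: status}."""
    pending = [row[0] for row in conn.execute(
        "SELECT uuid FROM csti_amts WHERE fqdn IS NULL ORDER BY uuid")]
    report = {}
    for uuid in pending:
        status, fqdn = resolve_fqdn(conn, uuid)
        if status == "ok":
            conn.execute("UPDATE csti_amts SET fqdn = ? WHERE uuid = ?",
                         (fqdn, uuid))
        report[uuid] = status
    return report


def sample_uuid(n):
    """Constructed UUIDs, not taken from any real system."""
    return f"00000000-0000-0000-0000-{n:012d}"


def build_sample():
    """In-memory database with one constructed system per outcome."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO csti_amts (uuid) VALUES (?)",
                     [(sample_uuid(n),) for n in (1, 2, 3, 4)])
    conn.executemany("INSERT INTO Inv_OOB_Capability VALUES (?, ?)",
                     [("guid-1", sample_uuid(1)),
                      ("guid-3", sample_uuid(3)),
                      ("guid-4", sample_uuid(4))])
    conn.executemany("INSERT INTO Inv_AeX_AC_Location VALUES (?, ?)",
                     [("guid-1", "pc-0001.corp.example.test"),
                      ("guid-4", "MININT-7Q2K")])   # short name, mid-build
    return conn


if __name__ == "__main__":
    for uuid, status in provision_pass(build_sample()).items():
        print(uuid, status)
```

Each status maps to one prerequisite from the break-point list, so a system stuck at `no_oob_capability_row` points at the OOB Discovery Task rather than at DNS or certificates.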





A good resource for troubleshooting issues can be found here:





Knowing the underlying mechanisms can help when troubleshooting or even when planning your environment. While not all details are provided here, the most essential are.

NOTE: If you have not read parts 1 through 4, please read these before reading this part as this is a continuation of the story begun in the previous sections. Altiris and Intel vPro Use Cases






Learning from previous mistakes, CSO Dan Williams discusses what they can do to better secure the powerful AMT functionality. Since the human factor is the biggest weakness, what can they do to strengthen this? Obviously they can't remove it altogether; might as well shut the company down. In Intel vPro the human factor can be minimized due to available strong security technologies. AMT can be made more secure, but the continuing threats are emphasized when a computer is hijacked. What can be done to regain control?





Mighty Modern Marketing HQ - Boston, Massachusetts

Bright sunlight filtered through the distant windows, overshadowing the bland fluorescent lights lit above. Jessica Langley watched the distant pedestrians seen in a narrow view near the street moving past with varying degrees of enthusiasm. The hot summer was held to the south temporarily by a low pressure that brought in the cool Atlantic breezes. She imagined being able to hear the conversations of those passing, wondering what they spoke of, and if any of them had as crazy a life as her.


"Ah, this is the life," Tevita said as he leaned back. He placed his hands behind his head and stretched out his legs, pushing his office chair as far back as possible. With what looked like a deliberately casual gesture he tossed his headset onto his desk.



"You should be worried," Jessica commented dryly.



"Worried? Why?"



Jessica gestured sharply at her phone. "No one can call us with the phones down, so our work is just piling up while we sit here."



"Hey, we have our mobile phones. If it's not important enough for them to look up our numbers, then why worry about it?"



"You know that's not how it'll happen. As soon as the phones get up... WHAM! We're here until the sun drops below the trees in the west."



Tevita's smile lessened, but only a little. "They've been down for two hours. Perhaps they'll be down all day, and we can leave early."






The Tongan shrugged, and Jessica briefly envied his ability to shove aside problems when they weren't directly in front of him. He could have two amazingly nasty issues to work on, and he'd easily concentrate on one at a time as if the other issue didn't exist. She wished she could compartmentalize in that manner, but when she had two critical issues to work on they hung over her like a dark shroud. Usually the one she wasn't currently working pressed down as if to accuse her of negligence, but she couldn't do two things at once. It wasn't like knitting while watching TV.



Like now, when she knew issues piled up while their phones remained down. She reached down and pulled up her mobile phone in case she'd missed an incoming call, but nothing showed. She sighed, standing up and stretching. Tevita frowned at her.



"You aren't going to bug the phone people again, are you?" he asked, as if accusing her of turning him in for some crime.



"No," she said. "Daniel Williams wanted to talk to me today so I'm heading up to his office."



"Good. Don't mention the phone issue to the CSO..."



She rolled her eyes at him, but he only smiled, large hands moving deftly across the keyboard. Without phone call interruptions Tevita would clear out the email queue in no time.



She took the stairs, hoping to work off the donut she'd eaten earlier that morning. It seemed no matter how resolute she thought she was to eat healthier, as soon as someone brought in free goodies her willpower vanished and she indulged. She doubted the climb from the first floor to the third made any real difference, but at least her husband wouldn't get on her case about taking the elevator when she had two perfectly working legs.



The door to Daniel's office sat closed, and she peeked into the glass valance to the side. Daniel stared at his computer screen, his brows drawn low. He didn't touch the keyboard and mouse, eyes moving across his monitor as if trying to puzzle something out. He just reached for the mouse when she knocked quietly on the window.



He turned, a smile easing his expression. He waved her in, and she quickly hurried through the door.



"You wanted to see me?" she inquired.



"Yes, please sit down," he said, gesturing to one of the empty chairs across his desk. She sat while he turned back to his computer.



"Please watch," he said as he launched Internet Explorer. "I'm going to talk you through what I'm doing, and I don't want you to interrupt until I'm done. Okay?"

Jessica felt a twinge of uneasiness stiffen her spine. "Of course," she responded, trying to instill confidence in her voice. "What are you doing?"



He only smiled. "First, I've discovered what password I can use to access AMT on all our vPro enabled computers..."



She stood up. "What...?"



He held up his hand, not unkindly. "Please humor me."



She sat back down, her unease blooming. She clasped her hands in her lap so she wouldn't fidget, usually in the form of smoothing down her already crisp and wrinkle-free dress jacket. She couldn't sit completely still, and found herself tapping her toe. Fortunately the carpet, however uninvitingly bland, muffled the sound.



"Okay," Daniel continued. "I don't have access to Altiris though I have tried to gain it, unofficially of course."



"Of course," she said, and quickly clamped her teeth together before she asked another question.



Daniel continued, "In light of that I've done some Googling and found that AMT has a web-interface that anyone can access using a browser. I haven't figured out how yet, but I don't think it'll take me long. Let's see... how to access AMT via a browser... This first hit talks about someone who is unable to access it."



Url: (



"Ah, in his post he says, 'When I try to access the Web Interface (localhost:16992 or name:16992)...' That means I can access my test in the same manner. Let's watch."



Jessica bit her lip to keep from saying anything, determined to keep quiet until he'd finished his demonstration. She really wanted to ask him how he acquired the password, but she supposed she should wait until he validated that claim first. Plus, he'd asked her to keep quiet, and she didn't want the CSO annoyed with her.



Daniel clicked on the address bar, deleting the current address. He then typed in MMMAMT0043:16992 in the address bar. When he hit Enter the page refreshed, showing him the initial AMT login screen. He clicked the 'Log On' button, which provided a standard Windows security prompt. He entered Admin as the username, and then typed in a password. Jessica's stomach dropped. She didn't see exactly what he put in, but it did look like he put in the right password.



The Intel Active Management Technology web interface appeared, giving Daniel full access to the system. Jessica reached up and rubbed at her eyes.



"Please tell me you simply asked Tevita for it," she said when he turned to her.



"No, but no need for you or Tevita to worry about that," he said with what Jessica assumed was a reassuring smile. It didn't help. "I believe I used the same methods our traitorous employee working in cahoots with Nifty Networks used to gain these powerful credentials. I'll be conducting security training for our employees soon to try and plug that method."



"So how did you do it?"



Daniel nodded. "Good question, but the better question I'm posing to you is this: how can we better secure the AMT technology? See here under Remote Control? I can remotely reboot this person's system and boot it up into an application I can use to wreak havoc. Nifty, no?"



She swallowed hard. "No, not nifty."



"Good. You see the issue. I'm tempted to not tell you how I did it. Mystery lends me an air of the supernatural, or at least my uber-geekness. Why reveal how? That's like a magician revealing his secrets. Once the how is known, it isn't so magical anymore. Okay, so I'm taking far too much pleasure out of this. I simply watched you and Tevita closely and caught you entering the password. It took several tries before I finally got it right."



The beginning of a migraine colored Jessica's vision. "Great. I thought we had that password locked down..."



"As I said before, don't worry about it. Everyone is too trusting when entering passwords. I'll address that in our upcoming security meeting. What I want to discuss is how we can rectify this situation? Specifically I want to remedy the fact that anyone who does a smidgen of research will know that the administrative username for AMT is admin. We've handed any potential hacker one half of the credential equation."



Jessica nodded. "Yes, I see your point. Luckily I already know how to fix that. It's as simple as making the admin password random on each system and using Kerberos to use our Domain credentials for access."



"Good. The second point is I noticed that I can use a non-secure web address to access this. Can you get SSL enabled for all AMT communication?"



Jessica nodded again. "Yes, specifically AMT uses TLS, the successor to SSL. I believe I saw an article on how to enable that on Symantec Juice."



"Even better. Get those measures in place, and let me know when it's completed."



She nodded, shaking his hand when he offered it. She left his office and headed back down, taking the stairs despite the throbbing in her head. When she reached her cube she noted that Tevita had his headset on, his previous smile absent from his face. She gave him a grin when he glanced over, and this time he rolled his eyes. She should get onto the phones, but she wanted to get those changes implemented as soon as possible so that even Daniel couldn't crack the system... as long as Tevita and she carefully entered their passwords so others couldn't eyeball them.



She sat down and pulled up the Altiris Console. Both of her actions required a new vPro Profile to be pushed down to all the AMT systems, but that was the easy part. She started by enabling TLS on the server. Until she pushed down the new profile the AMT functions would not work. She leaned over to Tevita, and he glanced at her as she rolled closer in her chair.



"AMT will be available for a time," she said.



Tevita reached up and muted his headset. "Why?"



"I'm enabling TLS. You know, encryption. When I enable it on the server side the clients will not be able to communicate back with the server until I update the profile and they have the right certificates."



He shivered. "Is that such a good idea? Certificates are tricky... we could easily mess up the whole thing and have no AMT access..."



"Tevita, it isn't that complicated. I have all the Altiris documentation on how to do it. Besides, there's a specific article on how to do it after the installation, here: Piece of cake."



"If you say so..."



"Trust me. If we had a hierarchal structure of certificate authorities, it might get a bit dodgy, but I'm just setting up the one root."



"Yeah, and the flux capacitor needs just such and such gigawatts of power..."



"Just read up on it! It's not that hard."



Tevita spoke for a moment into his headset, and took it off. "I don't know anyone who understands it all that well."



She planted her hands on her hips. "It's really simple. We give the root CA, aka the King, the credentials that are acceptable. Secondly, the Altiris server gets the credentials so it can work with the CA and the clients. We then load the matching credentials on the clients via the Provisioning Profile. Now everyone has the credentials."

He smiled. "What about client-side and server-side certificates?"



"Again, simple. Communication is unidirectional for a given parent/child certificate set. With basic TLS in vPro, all the clients have server certificates. The Altiris Server uses a client certificate to authenticate with the client so that the client machine will accept the AMT commands sent it."



"Alright. That sounds simple enough, but what about the CA? What's that for?"



Jessica looked at him, her eyes narrowing. "What's with the third degree? 'Tell me Master Qui-Gon. What are midichlorians'?"



Tevita burst out laughing. "Am I that transparent? I didn't know you liked Star Wars..."



"I don't. Like that movie quote, your questions are contrived..."



"Hehe, yeah. I'm just trying to prove a point. It's not that simple..."



"But it isn't that complex, either. The CA tells the server-side component (the AMT Client) if the client connection (from the Altiris Server) is to be trusted. I know having the AMT clients act as the server seems a bit backwards, but since we want AMT functionality to be secure, it makes sense. The Altiris Server that tells AMT what to do needs to prove itself. This ensures a rogue server can't just initiate any AMT functionality without having the proper certificate. So the server provides a client certificate, which the AMT system authenticates with the CA before allowing the Altiris Server ‘in'."



"Okay, okay. That sounds simple enough. I'll be sure to avoid AMT until next week when you get TLS finally working... kidding! Take it easy, I'm just joking."



She wanted to keep the stern look on her face, but a smile cracked through. "You just watch it, Mister."



Jessica turned her attention back to the Altiris Console. She opened up a browser on her second monitor and pulled up the Juice article she'd shown Tevita. She walked through the steps, sometimes checking back on the Altiris Administrator's Guide for Out of Band Management, found at She finished the processes except for updating the profile since she needed to also update the Admin password settings.



She browsed in the Altiris Console under View, Solutions, Out of Band Management, Configuration, Provisioning, Configuration Service Settings, and clicked on Provision Profiles. She highlighted her active profile and clicked the pencil icon in the icon bar to edit it. Under the General tab, to the right of the window, she changed the Intel® AMT 2.0 password: setting from Manual to Random creation. She then clicked on the TLS tab and, using the previous directions, enabled TLS within the profile.



She sat back as she clicked OK. Now that the Altiris Server was set up properly, she needed to push the new profile out. From her place in the console she backed up into the Provisioning folder, and then expanded the Intel AMT Systems folder and highlighted the Intel AMT Systems node. All Intel AMT Systems showed within the right pane. She clicked on the top one, scrolled down, and, while holding shift, clicked on the bottom one. She right-clicked and selected the 'reprovision' option.



With a sly smile she glanced over at Tevita. He wore his headset again, though he looked less stressed than before. She rolled over and wrote on his whiteboard "AMT back up in a few hours". For the time being they could rely on the Runtime Profile for authentication. Since Altiris knew all the random passwords for the Admin account, via Altiris they should have no problems with security. However she needed to quickly implement AD integration with Kerberos authentication just in case.



She got up to take a quick break. She stretched, looking out over the cubes. She froze in mid stretch for a moment, before quickly pulling down her arms, her eyes widening. Two men in blue jumpsuits walked nonchalantly through the building, one holding a sheaf of what looked like generic forms and the other with a nondescript box. Despite their "non"-threatening postures, something about them bothered her. At first she simply watched them, trying to figure it out.



The man in front emanated confidence like a shiny sword and shield, his smile infectious and full of perfectly white and straight teeth. His strong features seemed chiseled from brilliant marble, as if he'd been carved amid the statues of Rome. Not one of the rich brown hairs on his head stood out of place, his hazel eyes roving over the office as if memorizing all the details. He didn't act suspicious, but his very manner belied the blue-collar worker outfit he wore.



Right behind him strode the other man. He wore a beard, a hat pulled low over his eyes. She squinted, hunching down a little so she didn't rise so high above the cube walls. He carried the box, his muscles tensed. He walked jerkily, each step seeming just a little unsteady. Sweat beaded on what little she could see of his forehead.



"Tevita," she whispered. "Does that guy look familiar to you?"



He appeared beside her. "Who? Those two delivery guys?"



"Yes. The one carrying the box."



Tevita turned to stare at her. "It's the ninja!"



She shook her head, though the sudden clenching in her stomach belied the action. "No way, he's in jail, right?"



"Probably not. He didn't threaten anyone or do any actual damage, and the price of the hard drives he tried to steal doesn't equal enough to be a felony, especially since he claims he was only after the hardware..."



"But why come back here? We know who he is..."



He just shrugged. "Maybe he's turning a new leaf..."



She gestured at the other man just as they disappeared into the stairwell. "Maybe, but that other guy gives me the creeps. I wouldn't be surprised if his name happens to be Lex Luthor."



Tevita nodded. "Let's follow them."



She shook her head. "No way! Let's just call security and let them deal with it."



The Tongan only shook his head slowly. "The security company might be too slow to respond. Heck, they took forever to show up when our ninja friend showed up the first time. You go tell Bobby and I'll shadow these two shifty guys."



Before she could respond he hurried away, surprisingly quiet for his bulky, muscled size. She clenched her teeth together, torn by indecision for a few precious seconds. She then turned and hurried towards the server rooms, hoping Tevita wouldn't get himself into too much trouble.





END Part 5

This concludes Part 5. This cliff-hanger will be continued in an even more unbelievable conclusion, Part 6. Now that the competitor has breached the office once again, can Mighty Modern Marketing's IT staff protect their infrastructure, data, and themselves from this all-out attack?

I have had the pleasure of working at Intel on a high school internship at the Folsom, California site. One of my many exciting tasks has been to install Microsoft System Center Essentials 2007 and connect these to some lab machines for customer demonstration purposes (if you're visiting the Folsom site you should let me know so you can come and check it out). I must say that it was far easier to set up and use than I originally thought before I started the task... nevertheless, I have taken some notes about things I wish I had known before I started this task. One side note: System Center Essentials is often referred to by the acronym SCE, which is pronounced like "ski", a concept that in the middle of August sounds great in Folsom (100 degree Fahrenheit weather around here)...


Here are my items:

1) Per domain SCE setup: I found that I needed to join the machines that I wanted to connect to my SCE box together on the same domain. Knowing this in advance would have saved me some troubleshooting time.

2) Learning to create a domain and add the machines to it was another step I had to overcome (I mentioned I am a high school intern, so some of this enterprise stuff is new to me).

3) After a clean OS install, learning where to find all the device drivers and have them installed is pretty important... otherwise your box will not communicate to the server.

4) The number of install options is vast, and each has a profound impact on the outcome of the setup. It is not as simple as clicking next, next, next, and finish. Knowing if you want to install the full server, just the AMT management pack and other such options before you do the setup will save you tons of time after the setup (or at least an uninstall and reinstall).

5) Know your server environment. Are you running Windows Server 2003 or 2008, are you running on a 32 or 64 bit version? If you don't check the system requirements up front, you will most likely download the wrong version.


Once this was done, the box works stellar - I can troubleshoot the problems on these systems, simplify management tasks, and manage multiple systems with a few clicks - I am the head honcho of these boxes. Now I wonder if my boss Josh Hilliker will send me off to experience real skiing as my summer is near complete.



Hopefully the sharing of my experience can help you during your setup. If you have any additional questions or comments, please respond with them to this blog and I will do my best to answer them.


-Nicole Trent

Listen in as your hosts talk with Dave McCray, Intel's IT Program Manager. Intel IT is a leader in the activation and use of AMT. They have activated & provisioned over 10k machines - hear how they did it, why they are doing it & how to make your integration better based on Intel IT's best known methods.




Centrino 2 with Intel vPro Technology has arrived, and one of the big changes to the platform is that it supports OOB power management with AC power. This is a welcome addition to the platform; however, let's go back to what each power state means and the delta between Centrino Pro and Centrino 2 with vPro.


Let's start by first describing the power states: check out the following blog by Ajay Mungara. Ajay goes into detail on what each power state means and how it applies to the vPro technology.


The next thing is that we look at the Centrino Pro platform (code name: Santa Rosa), which was our first notebook with Intel vPro Technology. In Gael's post she explains what the power settings mean on the Santa Rosa platform.


However, the journey is not over yet. You have to look to the new generation of the Centrino platform with vPro Technology to see the new changes to the power settings. Here are a few screenshots that Gael put together that showcase the configuration changes in the ME. Thank you, Gael.

If you are asking yourself what this all means: it means you can have OOB wireless SX states, basically power control in wireless mode when the platform has AC (yes, it's finally here).

Screen Shots of the ME with the new power settings


Now that Centrino2 with vPro is coming out, amongst the new features that it will carry is Client Initiated Remote Access (CIRA). I thought to myself, "What is this?" My internet digging tells me that it is a way for the server to communicate to the client via AMT, offsite, through a Management Presence Server (MPS). When a user initiates a CIRA request to their MPS, the MPS is able to reach the client, passing through Virtual Private Networks (VPN). Then it will be able to go through the same AMT communication channels as any Pro system that is on the local network. A wireless notebook can be anywhere as long as it's plugged in to power and can connect to the VPN.


Josh Hilliker did a blog about a month ago, and it has a great diagram showing everything I have said. Centrino 2 - Digging in deeper into CIRA



Another great video to look at is the Intel Centrino2: C.T. Phone Home video.




Sleep state manageability is another feature that Centrino2 will carry. It will be possible to turn the notebook on and off remotely without it being turned on, but it does still need to be in the VPN. The device needs to be plugged in; it can't be running on the battery for this to work. You wouldn't want to try to turn on your computer and find out it's dead because all of the battery power was taken up trying to update your licenses or fix any problems. The Centrino2 has energy-saving features: the notebook uses less energy with this new feature, and it is enabled at the times that make sense for your battery.




One feature that people will notice is the clear video technology so items like will look so much better. In addition, it will have more of graphics usage so you wouldn't have to purchase more graphics cards. It will look so good you will want to put your hands all over it!




Now I will not have to look like this when my laptop is on freak out mode. I can just call up IT and they can take care of it!






And if you want to know more go to the Intel Developer Forum Aug 19-21, 2008 in San Francisco. I will be there with my blogging skills!!






I'd like to announce the Expert Center's newest addition...

SMB Talk



Are you a small or medium sized business? Have vPro? Want vPro? Then you should see this brand new sub zone of the vPro Expert Center. This site is dedicated to the discussion of Small and Medium Businesses & Intel vPro Technology. You can expect to see great tools, helpful tips, solutions, some best known methods and Service Provider information. Feel free to take a look around and join this new community of SMBs and MSPs.

A month and a half has gone by since the BriForum and I am talking about it as if I was there yesterday. Jason Davidson and I, from time to time, reference many events that went on there. One day I was on and there was a post about a webinar that would be taking place on Wednesday July 30, 2008 about a summary on BriForum 2008. I promptly agreed to attend and shot an email to Jason. Jason, of course, signed up in a heartbeat.






It was fun to sit there and conjure up all sorts of thoughts while Brian Madden reviewed, over the speaker, different topics that were presented at BriForum. One of the interesting headliners that I am always interested in was on virtualization. There were many other topics but this one stuck with me. I remember that I read a blog that Brian did, and he believes that if companies did things a certain way then they can become completely virtual by 2010.







You cannot help but reap the benefits from virtualization. There is more opportunity for memory banks and for being able to help, fix, or get information remotely so you wouldn't have to be physically there; in addition, it would help the green cause that much of society has picked up on. There is less travel for people to work on the products, streaming applications instead of using products to produce them, and it also allows the IT department to keep the computers up to date almost instantaneously instead of spending days of work on computers.







While I was sitting there, I started to ponder: as many positives as there are with virtualization (well, with any great product), there is always going to be some sort of negative that goes along with it. I love learning everything I can about it; yet, I can't help but be a little skeptical about it. What if a company becomes so dependent on it and suddenly there is this "problem" that one can't fix? There is no perfect product.







Say the bandwidth is being overused within the company and it slows the internet connection. Could there be a problem for large facilities like hospitals, which would use and rely on the internet, if they had virtualization in their company and its connection doesn't work anymore? I am sure there would be a backup plan, but in a place where every second counts, would this really be a good situation for virtualization to be in? Too much overhead, or is this really the solution of our future?



Our Partners over at created a new service that helps with community sharing of large files for troubleshooting or sharing with others. I encourage you to check out their new upload capability and use this as an option when sharing out to other members.
