For those that don't know, you can use the Intel AMT Web console as an alternative to running the out of band management console in Configuration Manager 2007 SP1 to manage vPro computers.





On more than a few occasions, people have been experiencing problems with connecting to the vPro AMT Web console after the vPro Client has been provisioned by SCCM. In every case that I have been involved in, it simply comes down to one or two of the following:


  • Not having the required HotFix (KB908209) for IE 6 installed and registry entry for both IE6 & IE 7 added

  • Connecting to the wrong URL of the vPro Client

  • Not having the "Enable Web Interface" checked within SCCM "Out of Band Management Properties"

  • Not connecting with a user that has appropriate access








Making sure you have KB908209 installed and having the registry key added for Internet Explore



There is a hotfix released for Internet Explorer 6 that addresses connecting to a web site with Kerberos authentication protocol that uses a non-standard port. Since you are trying to authenticate with Kerberos on a non-standard port when you connect to a vPro AMT Web console, you need this hot fix: Keep in mind, besides the hotfix you also need to add a registry entry to allow the hotfix to be active (steps listed in the KB article). Here is the registry entry you need to add.


  • For 32 Bit: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209\"iexplore.exe"=dword:00000001

  • For 64 Bit: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209\"iexplore.exe"=dword:00000001


Although Microsoft included the hotfix into Internet Explorer 7, you still need to add the registry entry to get the authentication to work. Forgetting to add this registry entry tends to be the number 1 reason why people are having the problem!!!!









Connecting to the correct URL



When connecting to vPro AMT Web console, you must connect to the vPro Client with the following URL https://FQDN:16993 where the FQDN is the full qualified domain name of the vPro client (ie. Using the IP address will not work (or at least you will get a warning about an invalid certificate) because SCCM has configured the vPro client to use TLS and the URL needs to match the certificate that was issued during the provisioning process. As a general reference, 16993 is the port that the TLS web services is listening on and you need connect with https since it's a secure connection









Ensuring you have "Enable Web Interface" check



To enable vPro AMT Web console support on the vPro Client, you need to verify that "Enable Web Interface" is checked within the SCCM "Out of Band Management Properties" - "AMT Settings" Tab. With this checked, SCCM (during the provisioning process) will configure the vPro Client to allow vPro AMT Web console access.









Make sure you have permission



Since SCCM only supports Kerberos authentication (with exception of the Remote Admin account, who's password is only known by SCCM), you need to authentication with a Kerberos users that has been granted access to the vPro Client. If you are having problems authenticating, make sure the user you are trying to authenticate with is listed in the AMT User Accounts in the "Out of Band Management Properties" - "AMT Settings" tab.





--Matt Royer