Skip navigation

While working on-site with a customer and a Microsoft SCCM Technical Consultant, I was shown a great capability in the OS to force the SCCM client agent to check its AMT auto-provisioning policy at will.


The Windows OS ships with a utility called Windows Management Instrumentation Tester that can be used to force the SCCM agent to check its AMT Auto-Provisioning Policy (standard WMI calls). The following steps show this manual method that you can perform with this utility, either locally or remotely, to force this check. By default the SCCM server's site control file sets the agent check to automatically run every 24 hours. However, in a lab or testing environments this 24 hour default cycle is not convenient. With these steps below, you can execute this check at will or even use while troubleshooting issues. To perform these steps, you must have administrative privileges on the target OS.


After the manual steps listed below, Matt Royer has provided a reference to a .vbs file that performs these steps to help automate the process. Feel free to use these steps and scripts for your environment. And if you find new and/or improved methods with these WMI calls, please post for others to learn from.

Manual Steps to issue WMI command:

  • Open a command prompt and type wbemtest

    This is the Windows Management Instrumentation Tester

  • After the Windows Management Instrumentation Tester Utility Opens, click Connect

  • In the Namespace of the Connect Window, type the system name you want to force the check followed by \root\ccm

    Example: **

  • Click Connect

  • You can also simply run the command on the local system by simply leaving out the host name

  • Example: \root\ccm


  • After you successfully connect to the target system, click the Execute Method Button

  • In the Get Object Path window, type sms_client in the Object Path field

    Click OK

  • In the Execute Method Window, enter TriggerSchedule in the Method Field

    Click the Edit In Parameters Button

  • In the Object editor for _PARAMETERS window, Double Click the sScheduleID in the Properties field

  • In the Property Editor Window, change the Value to Not NULL and add the following {00000000-0000-0000-0000-000000000120}

    This value is the Object ID to initiate this OOB auto-provisioning check.

  • Click the Save Property button


  • In the Object editor for _Parameters window, click the Save Object button

  • In the Execute Method window, click the Execute Button

  • After you Execute the method, you should see a message that the Method was executed successfully

  • To confirm that your method was executed, look at the target systems c:\windows\system32\CCM\Logs\oobmgt.log

    You should now see a new entry in the log GetProvisioningSetting indicating that the policy has been re-evaluated.


To perform these steps automatically through a .vbs script:

  • All you need to do is run the following command:


cscript sendsched.vbs {00000000-0000-0000-0000-000000000120} <target vpro machine name with sccm client>


sendsched.vbs is piece of code included in the SMS 2003 Toolkit:


00000000-0000-0000-0000-0000 00000120 is the scheduled ID for auto-provisioning policy.

Where to Buy Intel(R) vPro(TM) Technology

Have you been hearing all the news on vPro? Check out this document for the latest update of models available through 8 different Original Equipment Manufacturers.


Order an Intel® vPro™ Technology "Activation-Ready" PC or WS

[Acer|] | [Dell|]| [FSC|] | [HP|] | [Lenovo|] | [LG|] | [Panasonic|] | [Samsung|]


I had the pleasure this last week of working with Hank (The Server Room) and was able to watch Paul Otellini's keynote @ the conference.  he talked about vPro a bit, therefore I am posting this quick video on what he said.   Enjoy!



Here's a new ROI analysis paper - that shows a positive ROI over 4 years of 180%!


Telkomsel upgraded approximately 36% of their machines with vPro systems. They implemented use cases such as off-hours patch management, remote asset tracking, and remote diagnostics and repair - and started to see significant savings!


ROI Analysis: Positive ROI of 180% with More Reliable, Secure, Scalable IT Using PCs with Intel® vPro™ Technology


SyAM Use Case - BIOS Changes

Posted by ntrent Sep 26, 2008

Here is my second use case video - this time on SyAM (System Area Manager).


This use case video is on making changes in your BIOS through entering a SOL session.


Enjoy! =]



Over the next few posts I would like to describe 3 different scenarios as they apply to the adoption of vPro technology. I will be leveraging 3 categories as it describes to the IT shop (Maintain your baseline, Maximize your potential and Migrate completely to the new technology).  These categories also relate directly to the % of vPro machines that are in your IT shop.  


First, let’s start with maintaining your baseline.   What are the challenges facing the IT shop and support provider of IT services as it relates to the client computers? Manageability and Security of that asset, along with ensuring lower costs for keeping them updated and the highest level of availability as it relates to the usage. However what is missing above is the Energy savings piece of the equation.  To date our experience has been that integrating a power management & energy savings profile in your IT environment for vPro machines is an easy way to keep your baseline going and just add one new usage in your environment.  I consider this to be maintaining your baseline, but making a small modification to realize benefits.    Specifically this means the standard ability with turning Machines off that can reduce the power bills, however it is just a small change in the current IT policies/practices. 


Now for the IT shop that is looking to Maximize your potential and have new level’s of service.   The opportunity to implement more usages is always possible, for example if you are looking to move beyond the power use case to more of the remote repair to save $$’s in both Tech Time, downtime, productivity of the employees.  I would note that the further you look to maximize your potential it will require additional planning, testing and of course effort to do so.   I will deep dive deeper into the impact of each additional usage and what you can expect from a change perspective for your IT shop in the coming blogs.  


Last case is the Migration path..  full migration of ZERO/Little vPro to all vPro ( here is where it gets fun )..  Must haves are:  Good Strategy, Architecture awareness, Manageability/Security Landscape, & Top Pain points.  If you have these at your disposal you are in good shape to have immediate value to your migration.  


I look forward to deep diving into each of these over the coming weeks.


Josh H

Using Symantec Altiris for your management console? Check out this use case document to help you implement asset tracking inventory:


Altiris Use Case: Asset Tracking Inventory

The 3rd generation of Intel vPro technology that was launched yesterday, along with the recently launched Intel Centrino 2 with vPro technology, will, for the first time, enable IT to manage PCs beyond the corporate firewall even when the PC is off or the OS is unavailable.  There are various use models that this new functionality enables, such as:

  • Fash Call for Help

  • Scheduled Remote Maintenance

  • Remote Alerts


Steve Grobman, Intel's Director of Client Business Architecture, gives an excellent overview of the new benefits that come with support outside the corporate firewall. Watch below and also see a demo of this new functionality with the Symantec Altiris Client Management Suite.


Also, see how this new functionality is supported with the LANDesk Management Suite.

With Intel vPro technology now out in the marketplace for more than 2 years, hear from industry analyst Peter Kastner on the impact Intel vPro technology has had in the marketplace.

Also, hear from Symantec and LANDesk, on how their end-customers are taking advantage of Intel vPro technology, and how they will take advantage of new 2008 features.

Symantec with Intel vPro technology:


LANDesk with Intel vPro technology:

Another exciting development with Intel vPro technology has been the emergence of virtualized PC models.  Hear from Citrix and VirtualLogix on these new PC models.

Citrix with Intel vPro technology:

Demo of Citrix software with Intel vPro technology:

VirtualLogix with Intel vPro technology:

We also had Infineon talk about how they are using an industry-standard TPM that is now part of Intel vPro technology to store keys in hardware.  Listen to their video below.


I recently blogged about the interview with Citrix Software's Paul Hahn, Director of Business Development / Virtualization & Management Division, and Matt Edwards, Product Manager at:


For part 2 of this blog, you can view the actual demonstration of the software below. In this demonstration, you will see the solution explained in much more detail.



Citrix and Intel have been working together to deliver a solution that builds on both companies expertise.  The end-to-end solutions, application delivery, and virtualization software that Citrix provides combined with the manageability, performance, and security from vPro deliver a novel solution.  The solution allow the IT OS build to go through a secure or trusted boot, where the hardware and software used to launch the OS is measured for integrity before the program executes.  The OS can be streamed off a remote server, and the end-user gets the rich client side local execution experience.


In this video, Citrix Software's Paul Hahn, Director of Business Development / Virtualization & Management Division, and Matt Edwards, Product Manager, talk about how Citrix Systems is developing products for OS/App Streaming on top of Intel vPro technology.  You will see that the virtualized, measured, and streamed OS is able to still render and rotate a rich CAD drawing. 



Hi all,


If you heard the keynote with Gregory Bryant, you probably heard Frank Soqui talk about IT director.  You may be wondering to get this new software - well here's the link  however it's no live until next week. check back..


Josh H

Come see us at ManageFusion 2008 in Orlando!!


October 14-16, 2008



JW Marriott Grande Lakes, Orlando



This is your opportunity to talk with the experts face-to-face, experience the technology, hear how others are utilizing the technology, and more!!


Here's a quick summary of the Intel lineup


Intel Booth (#1)


See compelling Intel® vPro technology demos focusing on: Dynamic Virtual Client (streaming applications), manageability and client-initiated remote access.



Take part in the Intel Passport Program and receive a bamboo running cap. Also, enter to win an Intel® Centrino® notebook.



Participate in the IT Quest and get a T-shirt. And, you can enter to win an Intel® Centrino® notebook.





Tuesday, October 14

Opening Keynote:  9-10:30 am


Gregory Bryant takes part in Steve Morton's road trip. 





Hands-On Lab: 10:45 -11:45 am


AP L02: Eliminate Network Attacks during Remote Software Deployment



Abstract: Protecting networks and PCs from potential threats is a full-time job; however, Intel® vProTM technology can help IT administrators streamline the process and better protect clients and block network access. Network filtering software is commonly used to protect the network from a client, or protect the client from a potential threat on the network. Intel vPro technology enables IT administrators to easily deploy software without making a deskside visit and even though the filter is engaged, the Notification Server can still manage the client. During this lab, attendees will learn how to deliver software and update the client while the network filters are engaged. 



Instructors: John Dickensheets (ITS), Terry Cutler (Intel), Lee Bender (Symantec)





Breakout Session: 2:15-3:15 pm


AP B05: Implement Intel® vPro Technology Today



This session will give you a nuts to bolts overview of what's needed to realize the benefits of implementing Intel® vPro technology. During the session attendees will learn which OEMs are using Intel vPro technology in their PCs, the value of the Intel/Symantec solution along with implementation options and tools that facilitate self activation. If that's not enough, you will also find out which partners can assist in implementation. This is a must-attend session for those who are Intel vPro technology-serious.



Instructors: Tracie Zenti (Intel) and Matt Bingham (Symantec)





Wednesday, October 15

Breakout Session: 10:30-11:30 am


AP B09: What's Keeping You Awake At Night? Interact with Industry Experts and IT Professionals.



Abstract: This session is designed to be an interactive Q&A with the audience. Peter Kastner, industry analyst will act as moderator and attendees will hear his take on industry trends, issues and what companies are facing when it comes to their IT infrastructure. Panel members will also discuss IT pain points and how to meet the ever-changing, end-user management and security needs. Material will also address how Intel and Symantec are helping IT organizations improve efficiencies, reduce costs and prepare for the future. Presentations will be brief with most of the time devoted to taking questions from the audience.



Panel Members: Peter Kastner (Industry Analyst), Chad Perniciaro (Valerent, Inc.), Kevin Unbedacht (Symantec), Josh Hilliker (Intel), and Other participants TBD





Hands-On Lab: 12:45 -1:45 pm


*AP L02: Eliminate Network Attacks during Remote Software Deployment*



Abstract: Protecting networks and PCs from potential threats is a full-time job; however, Intel® vProTM technology can help IT administrators streamline the process and better protect clients and block network access. Network filtering software is commonly used to protect the network from a client, or protect the client from a potential threat on the network. Intel vPro technology enables IT administrators to easily deploy software without making a deskside visit and even though the filter is engaged, the Notification Server can still manage the client. During this lab, attendees will learn how to deliver software and update the client while the network filters are engaged. 



Instructors: John Dickensheets (ITS), Terry Cutler (Intel), Lee Bender (Symantec)

I'm the PR guy responsible for Intel vPro Technology, the newest version of which rolled out today. Be sure you check out the virtual event. In addition to being a PR manager for which Intel pays me for my services, I could possibly be our IT department's biggest nemesis. It seems like several times a week something fizzles in my PC and I'm online for hours with our IT staff trying to figure it out. Of course, I have to be there if a problem is to be discovered. So, in addition to my PR services, Intel pays me fairly often to hang around online with IT, while I provide no services to Intel at all. This doesn't overjoy Intel, and it makes me want to strangle my mouse. I'm not alone, of course, there is a whole brotherhood of the digitally cursed out there, good hardworking employees resigned to blue screens, stuck cursors, frozen applications and rebellious keys as a normal part of the business day. So, whenever Intel comes out with a new version of its popular vPro technology, I don't get all worked up over what a great boon this will be for IT professionals, I want to know what's in it for me and my brethren. So, when the 2008 version was about to roll out, I poured over the PowerPoint in anticipation. There were a number of new features, but three caught my eye - Fast Call for Help, Remote Scheduled Maintenance and Remote Alert. All sounded promising, but as I said, I'm not interested in features "designed to save time and money for IT professionals." What's in it for the end-user, is what I want to know. So I looked closer. Fast Call for Help looked OK. Even with a blue screen, even outside the firewall, we could summon assistance in seconds with a couple of key strokes. (I had to send my computer to IT the last time this happened to me and a keyboard met an ugly death against the wall.) I really like Remote Scheduled Maintenance because I wouldn't even have to be there. The computer simply knows it's time for a tune-up and checks in online to get its transistors cleaned. But Remote Alert, that one brought tears to my eyes. Imagine, a computer that gets sick in the middle of the night, wakes itself up and calls in for a cure. The user shows up the next the morning and his PC fires right up for a bright new day of productivity. You (and I'm talking to my cursed brothers) need to take a look at "New Capabilities and Benefits" section of this video for more on Fast Call for Help, Remote Scheduled Maintenance and Remote Alert. Meanwhile, I need to find a tissue and compose myself.

Their break-even point for Intel vPro technology was achieved in under a year! Read all about it:


ROI Analysis: Leaner and Greener Because of Intel® Core™2 Processors with vPro™ Technology (University of Plymouth)

The time has come, September 22nd..   Check out the link above in the image to get to the virtual experience where you can learn more about what is in vPro 2008 launch.   I will be following up soon with more lab video's on this new desktop.   


Here are the highlights from me:

  • Fast Call for help

  • Access Monitor Control

  • Remote alerting



Here's Andy Tryba (Marketing Director, Digital Office Platform Division), after I caught him after the online keynote  he talked through the 3 highlights. 




Also here is a Landesk video showing the fast call for help (NOTE: fast forward to 3:16 where The Remotely Managing PC Outside Corporate Firewall starts)



Where to buy is being updated shortly to reflect where you can buy.

Is having an IT Client Architecture important?  


At first glance the discussion around architecture can be more of academic exercise vs. practical.  It also may conjure up hours of wasted calories that have little relevance to the fires of the day.   However I encourage you that the activity of IT architecture is something of great relevance and will help define your business, data, applications & technology strategy with their interdependencies.  My boss and direct manager Prasad Rampalli (Vice President, Digital Enterprise Group) was one of the founding fathers of setting up Architecture practices in Intel IT and his experiences prior, during and after help shed light on why IT Architecture is critical for the success of the IT shop. Also, over the last couple of months you have seen Bob Stoddard (IT Architect) from Intel talk about what is happening in his world from and why it is important for his role in Intel IT.   I also have participated, contributed and helped drive architecture in my prior roles inside Intel IT, therefore  I thought it would be good to get us all together and spend a few moments talking about why IT Architecture is important.  




I would also check out our Architecture WIKI, where we are taking our Enterprise Integration Lab and Architecture activities a step further.


Bob’s blogs

The specified item was not found.

The specified item was not found.

The specified item was not found.




Please let us know if you have questions.


Josh H

Check out the latest updates to the SMB Activation Cheat Sheet for MSPs. The value and use cases of vPro for MSPs has been added, as well as basic mode (smb mode) configuration guides for various OEM systems.


SMB Activation Cheat Sheet for MSPs









See the discussion with linked articles and notes.


Even better - add your thoughts, inputs, and so forth to the discussion

There is simply no bigger pickle than the one you find yourself in when your computer receives a boot error. Whether it's because your ntldr file is missing or your boot.ini is corrupted, boot errors are quite the serious annoyance within the IT world. Imagine one of your clients recieves a boot error and is unable to access the Operating System, what are you supposed to do? Sure, you could waste the time to walk over to wherever the system is located and manually repair the problem, but what if your client system is not even at the same site that you're working at? Well there's an easy fix with vPro AMT technology and that's known as Remote Diagnostics Remote Repair, more commonly called the "Spare Tire ISO fix". The Spare Tire ISO essentially allows you to send an image of the missing or corrupted boot file down the wire to temporarily boot the OS, thereby allowing you to use simple tools such as mapping a network drive to replace your malovent file. More importantly, all of this is easily executable in literally little to no time at all. In this short video, I'll show you how to utilize the Spare Tire ISO through a SMB perspective using System Center Essentials and the AMT Management Pack.




To find out more about the Spare Tire Fix and how to actually CREATE this particular ISO from scratch, make sure to check out this resource.


OS Repair using SOL and IDE-R

Posted by Flowy Sep 18, 2008

The SOL IDE-R for OS repair document was just updated and can be used to create a boot floppy or boot ISO that will allow for image redirection using SOL and IDE-R.


The SOL IDE-R for OS repair document has instructions on different methods of creating the boot floppy, where to get the setup files, and how you could use it for imaging. This document was meant for IT administrators who have knowledge on imaging, and batch file creation. The document is a framework on how to create it and should not be attempted by technicians who do not have some batch file programming or OS deployment background. There are provided samples in the document with instructions on how to create the bootable files, to add network drivers, and to image and when to use 1 for 1 imaging versus a sysprep image.


For more information, review the SOL IDE-R for OS Repair Resource Page.



If you are the type of person who actually reads the manual (and I thank you for it ), then this is your lucky day!


I just uploaded a Hands On Training Lab for the Microsoft SMS Add-on. It covers Basic (SMB) and Standard (Enterprise) provisioning models.


Hands On Training Lab for the Microsoft* SMS 2003 Add-on


In addition, Intel(R) Management Engine User Guide (Intel(R) AMT 4.0) was uploaded yesterday - and Flowy posted an awesome use case doc to help you create your ISO images.

I just posted a newly revised version of this user guide - it was transformed by a technical writer to improve usability. It's just what you need if you are getting ready to deploy one of the new Centrino2's with vPro technology.


Intel(R) Management Engine User Guide (Intel(R) AMT 4.0)

If you are using SCCM SP1 with AMT 3.2.1 machines (ex: HP7800P) and you see the following error..  this post is for you.



Here is what MEinfo read back during this state of detection



If you do, no need to be frustrated, just need to run a couple of steps to get back on the road.  You can utilize Matt Royer's blog at  Intel AMT 3.2.1 Self-signed certificate issue and working around it for Microsoft System Configuration Manager SP1


For me I had to give it a go myself, so Nick & I did the following:

  • secured our SCCM environment

  • borrowed 2 new HP boxes in the box

  • downloaded the vbscript file, wsman translator.


After 3 trial runs at it, we captured the video today and here it is. Here are the top  things I wish I knew prior to installing:

#1.  OOB settings is under component configuration (Under site settings) in SCCM

#2.  Having your cert (*.pfx) file downloaded and handy is important (and it's in the dictionary)

#3.  Make sure you run the following:  winrm set winrm/config/client/auth @{Basic="true"} on the console your running the box on

#4.  Be patient - this was the single hardest thing during this process for me.. 


Here's the video.




My recommendation, if your stuck in this state on your machines, follow Matt's blog, check out my video and then ask if any questions..

Hello everyone,


Here is my first use case video on SCE about power control options with managed clients. Check back often for other use case videos from SCE and SyAM!





Some of you might find that you need to provision your vPro systems with hostname only as opposed to the generally recommended and accepted fully qualified domain name - FQDN. The typical reason for using hostname only would be because the FQDN that appears at the OS level of a client will not match what will appear in the DNS forward and reverse lookup zones.


You might ask - how can that be? An example from one of my customers is that they have a network domain that is appended to entries in DNS via DHCP option 15. However, their DNS/DHCP is not integrated with their Active Directory and a different AD domain exists. Therefore when using the activator tool to extract the FQDN of the system and write it into the SCS DB as part of the provisioning process, it will conflict with the FQDN that appears in DNS. This will not cause a problem for provisioning per se, but for trying to access the machine later on using a management tool/interface it probably will.


Note: if you are using TLS certificates (server or mutual authentication) then hostname only provisioning will probably not be a viable option for you in any case because of the scrutiny of certificate exchanges that check whether domain suffices match.


So what does all this have to do with SCS 5.0? In 3.x versions of SCS there wasn't anything special you needed to do to allow hostname only provisioning, but with SCS 5.0 there is. When you construct your provisioning profile, in the optional settings you will need to select domains and make sure you select the checkbox of ‘Allow configuration when platform has no domain name'.


What if you are doing AD Integration?

If you are opting for AD Integration (as many will), you will have a problem with SCS 5.0. The reason for this is that the Kerberos protocol will insist that the request ticket will rely on DNS for your FQDN entry, whereas your object within the AMT OU in Active Directory will have a service principle name field (SPN) that will not match that FQDN - the SPN will have hostname and the request ticket will be whatever it is in DNS and at that point the kerberos negotiation will fail. It is important to stress that provisioning will work fine and you will see no hint to these issues, however once you try and access the machines via WebUI or any management console, you will have a problem.



The fix for (for now) will be to edit the SPN field for each provisioned machine's object in AD to what will appear in DNS. The SPN field has an entry for each port number that could potentially be used for AMT purposes (16992,16993,16994,16995,623,664) but if you are not using SOL/IDER and are not using certificates (you won't if you've opted for hostname only in any case) then the only field you should need to change is for the 16992 port. You can edit this field manually using ADSIedit. A more scalable solution will require a script to run as a post provisioning step to edit the SPN. A solution within SCS 5.0 is not available at present.






Ylian created this based on his class at IDF (Intel Developers Forum).  this video is 23 minutes and well worth the time.   If you are getting started, looking for a refresher or just want to hear one of the brightest folks talk about AMT, this is your video.. 




Sometimes it’s just easier to adopt a technology that you’re able to use “out-of-the-box” and don’t have to spend excessive amounts of time trying to get it to a configured and operational state. Bypassing some of the advanced configurations may be sufficient, as long as you are able to “take-control” of the situation at a future date.


Repeatedly setting up demonstration, training, and lab environments for Intel vPro may present a challenge in adjusting the Intel AMT firmware settings. From an "in-band" perspective - it's relatively easy and known how to re-image a group of systems - thus resetting the operating system state, application configuration, and so forth. However, mass resetting or management of the Intel AMT firmware remotely may not be as straight forward.

Another environment or situation to consider is when more than one management console is used. Does it matter which console owns the Intel AMT firmware configuration? What if the console used to configure the system is no longer available? Can you regain control of the system configuration?


Are there command-line tools to provide some management of the Intel AMT firmware?

What if an OEM or a value-added reseller (VAR) provisioned the client in a staging area totally separate from the production environment?


These questions are raised to help address a number of questions raised by customers and partners.


In my lab, I've left my Intel vPro systems in a "standard provisioned" state - meaning that they are enterprise provisioned, yet are not using Kerberos, TLS, or other advanced security configuration options. I am able to change out management consoles, re-associate or rediscover the clients that are Intel AMT capable and provisioned, and continue doing tests on associated usage models. A ProvisionServer or provisioning service is not needed - as the Intel AMT firmware is already provisioned. Should I need to regain control of the configuration within my present "ProvisionServer" - a few commandline tools or agents are used to adjust the environment accordingly.


If you've read this far - I apparently have your attention. Let me provide a few reference points and guidelines on how this is possible:


  • An initial provision event MUST occur on the system - be it a Basic or Standard provisioning event which is manual or automated.

  • Once an Intel vPro\AMT system is provisioned - authenticated and authorized requests can be accepted from any source using the defined admin account credentials

  • Authentication\authorization of requests - at the basic level - is done via a Digest username\password

  • Commandline utilities such as Intel AMT Reflector Utility or UnprovisionEX (see allow for remotely adjusting basic or standard provisioning settings – including remotely UnProvisioning the Intel AMT firmware. Some consoles – such as Altiris – also include a remote unprovision capability (see


Note: If you have a ProvisionServer already defined, make use of it to change configurations and settings. These tools and insights are provided for situations where the original ProvisionServer is no longer available and you want to adjust settings without physically touching the client.

  • If an environment is using TLS or Kerberos and the former management console is not longer available – the new console must be a member of the same Active Directory domain and have the root certificate used by TLS in it’s local certificate store.

  • Management consoles must support network discovery or agent based discovery of Intel vPro systems already in a provisioned state (Basic or Standard – see For an example of agent based remote discovery – see

  • The consoles must be configured with the known digest username\password. This unfortunately excludes Microsoft SCCM – as it requires TLS and Kerberos. Other common consoles and interfaces have options to both discover and connect to clients using Digest authentication (i.e. Altiris, LANDesk, HP Openview, SupportSoft, Intel System Defense Utility, etc)


In support of the above ideas and conditions, the following scenarios could be supported without any



  • An OEM or VAR provisions a set of systems before shipping them to a customer. Upon arrival, the IT administrator adjusts the management console configuration with the OEM or VAR provided credentials used, and continues with normal deployment activities. Once the systems are on the network, a network scan or agent based discovery of the Intel AMT capabilities updates the management console, and the IT administrator now has full use-case functionality of the out-of-band technology as supported by the host management console. (NOTE: No mention of ProvisionServer, Intel vPro provisioning process, etc)

  • In deploying the systems, the hostname of the operating system does not match the hostname of the Intel AMT firmware. Using the Intel AMT Reflector Utility, the administrator sends out a single command script to all clients. (This assumes the “server” component of the utility is running on a single system separate from the Intel vPro clients, and that the Intel vPro clients have the Intel AMT reflector client console executable and associated DLLs local). An example of the single command sent to all clients for synchronizing the host operating system and Intel AMT firmware name is:


Reflector –user admin –password P@ssw0rd –server –port 16992 –syncFQDN&gt; > Note: This utility must be run locally on the Intel vPro\AMT client, as it will obtain the local FQDN before transmitting to the Intel vPro Reflector Server component. If you have an existing ProvisionServer in the environment – do NOT use this tool. Utilize the FQDN synchronization option of the ProvisionServer, such as the /f option with the Intel vPro Activator Utility for Intel SCS based environments.

  • Not feeling comfortable with the OEM\VAR preset values of Intel AMT admin firmware username and password, the IT administrator wants to remotely change these credentials. Instead of the default username of “admin”, the IT administrator wishes to use “PCSupport” with an associated strong password. This could be handled via the WebUI, supporting management consoles, or via commandline script. The following example uses the Intel AMT reflector utility from the management system to the Intel vPro client:

Reflector –user admin –pass P@ssw0rd –server – –port 16992 –setAdminCred –newUsername PCsupport –newPassword Pr0t3ct!0n





Finally, a situation occurs where the IT administrator wishes to transfer or take control of the provisioning process with a designated ProvisionServer. The preference is not to physically touch any of the systems to make this adjustment – thus the requirements of remote configuration must be met (i.e. support by the management console running ProvisionServer, remote configuration certificate obtained and installed, etc).


Using the Intel AMT Reflector or UnprovisionEX utility (see, the IT administrator executes a command to remotely unprovision the Intel AMT firmware and reset to a factory default state. (As noted in the linked article above, some management consoles may have this capability already built in). Once the target systems or group of systems have been unprovisioned, a provisioning event can be initiated via the Intel vPro Activator Utility, supporting management console agent, or related methods.


All of the above scenarios and situations have been proven out in a lab environment – mostly out of necessity as I desired to automate procedures a little (resetting an environment a few times a week or month becomes exhausting, thus my quest to find methods or simplification). Although my lab is only 10 systems, the concepts have been applied to large lab, testing, and training environments.


Do you have additional ideas or inputs on this topic?


A final thought – since a majority of the initial deployments of Intel vPro are pilot or limited test situations, the advanced security features are not the initial focus. The initial focus is on the usage and applicability of the technology within a target environment. Unfortunately, getting the initial setup or provision event to occur presents an upfront hurdle which many have overcome… yet would have preferred to sidestep. What if during the pre-staging of the equipment the firmware was put into a Basic or Standard provisioned state (again – no TLS, no Kerberos, no 802.1x - see Wouldn’t this help get to the desired state of using the technology – allowing time to gain a better understanding first? If at a later time the IT administrator wants to setup a ProvisionServer and own the configuration – then the process could be done remotely via command scripts, agents, and so forth.


Open to comments, criticisms, corrections, or alternative viewpoints out there…

After a longer wait than I planned here are the key screens that your end users may see if they click on the Icon in the Centrino 2 Platform with Intel vPro Technology.   They show the different tabs and the difference between Unprovisioned & Provisioned.


What's next..  Testing them in the lab and sharing those video's out..  stay tuned for more.


Through trial and error I've come across a working method for installing Intel's Setup and Configuration Service (SCS) on a server that does not have Notification Server, and thus Out of Band Management, installed. When NS is installed, all rights, etc, are already assumed by logging in as the Application Identity. Intel SCS installs fine this way, but when on a separate server certain prerequisites and configurations need to be met before the installed SCS will function properly.






For the best results, the prerequisites should be met before hand. If SCS has already been installed, the necessary components can be added or configuration changed to support it properly. The first section of this article I'll assume we'll do the install from scratch, while with the second I'll cover how to reconfigure SCS if it has already been installed so it works successfully. This is with version 6.2 of Out of Band Management Solution.




New SCS Installation

NOTE: This is for an Intel SCS installation that is not on an existing Notification Server with Out of Band Management installed.


First, we need to prep the system for the actual install of Intel SCS. The following components are required for Intel SCS to function normally:



  • Windows 2000 Server, Windows 2003 Server

  • Internet Information Services (IIS)

  • Microsoft .NET 2.0





Run through the following steps to install Intel SCS. I've assumed the above prerequisites have already been met.



  1. Log onto the system as the Application Identity user for Notification Server.

  2. Using the ‘Pull' method, install the Altiris Agent from the Server that houses Out of Band Management:

    1. Typically the URL is formatted as: http://%3cnsname%3e/Altiris/NS/Agent/AltirisAgentDownload.aspx.

    2. Use the resulting page to download and install the Altiris Agent. Typically it takes a few minutes to complete the process of installing and registering with the Notification Server.

  3. If needed, provide the App ID account local administrator rights on this Server. In one case this was not the case, and the service was unable to connect to the NS.

  4. Browse to the following path on the NS:

  5. Launch the EXE AMTConfServer.exe.

  6. Click ‘Next' on the Welcome screen and accept the license agreement and click ‘Next'.

  7. Choose ‘Complete' as the type of setup and click ‘Next'.

  8. In the User name and Password fields put in the Application Identity for the NS.

  9. Check the Web details.

  10. Leave ‘Force Secure Connections (HTTPS)' checked if you will use TLS to encrypt AMT traffic, or uncheck it if you will not be using TLS. Click ‘Next'.

  11. Under ‘Database Server' select the database name and instance to use. This should be the SQL Server used to install the IntelAMT database when OOB was originally installed on the notification Server, or if the database was never created, this should be the same server and SQL Instance where the Altiris database that hosts Out of Band Management is installed.

  12. Check the database details. Click ‘Next'.

  13. Click the ‘Install' button to proceed with the install using the parameters set.

  14. If the IntelAMT database was previously created, you'll receive a notice saying that the database IntelAMT already exists. Make sure to click ‘Yes' so it uses the existing one. This is especially important if you have provisioned systems already in the database. If no database exists by name IntelAMT, a new one will automatically be created and no prompt will appear.

  15. At the Complete screen, leave the ‘Start Intel® AMT Config Service' checked and click ‘Finish'

  16. From the Notification Server, at this location:
    &lt;NS_Name&gt;\c$\Program Files\Altiris\OOBSC\, copy the file oobprov.exe to the same path on the SCS Server (default will be C:\Program Files\Altiris\OOBSC\).

  17. NOTE! You must use the same path that it used on the Notification Server, this is a limitation with our implementation at this time.

  18. Copy to the same folder the attached file Interop.AeXClient.dll.



  1. Normally the script (oobprov.exe) is properly registered to the correct path, but if it is not, we must manually change it.
         NOTE: Using this option to install SCS on a different server than the NS often leaves the csti_configuration table poorly configured. If this is the case, the following two steps must be done to fix the problem.

  2. Open SQL Query Analyzer or SQL Enterprise Manager. Run the following query:

    1. USE IntelAMT
                SELECT Props_script_path, use_props_script
                FROM csti_Configuration

  3. Check the path and make sure it matches the remote and local Intel SCS install. Also verify that the use_props_script is set to 1, which means ‘True' (0 means ‘False'). Now run the following query if they need to be updated, but take note to change the path to match your environment:

    1. UPDATE csti_configuration
                SET props_script_path = ‘C:\Program Files\Altiris\OOBSC\oobprov.exe'
                SET use_props_script = 1
                WHERE configuration_id = 1

  4. Everything should now be in place for the new Intel SCS install to work with systems being provisioned, including all maintenance and post-provisioning actions.

  5. As one last check, let's ensure the Intel SCS installation registered itself in the IntelAMT database. If this part has failed the service AMTConfig will not be able to start, throwing an exception about database connection in the Application Event Log.

  6. On the Database Server, run the following query:
         USE IntelAMT
         SELECT * FROM csto_servers

  7. You should have one entry for every Intel SCS install you've completed, even the original OOB install if you also installed Intel SCS originally on the NS. Note the server_name column to contain the name of the server you installed Intel SCS onto. If it is not here the problem generally stems from SQL database access rights on the SQL Server. Please ensure the account you are using has rights to create a new database, or update an existing one.


Fixing a Previous SCS Install

If you've already install SCS, and provisioning is not occurring (see the following article group for troubleshooting steps:, we need to go through the steps to provide the remote Intel SCS Install the necessary configuration to properly work with the remote IntelAMT database and Notification Server.






The following steps provide the right changes to ensure everything is setup correctly:



  1. Log onto the Server with the NS Application ID.

  2. Uninstall the Altiris Agent from the system. If it is not installed simply continue through the steps.

  3. Check to ensure the account that is running the Intel SCS service, AMTConfig, has admin rights to the NS. If it does not, add the user to the Admin group on the Notification Server.

  4. Check to ensure the Application ID has local administrative rights to the server Intel SCS is installed on.

  5. Install or reinstall the Altiris Agent, ensuring it is pointing to the NS where Out of Band Management is hosted.

  6. Once the five preceding steps are completed successfully, move to Database server and launch SQL Enterprise Manager against the IntelAMT database.

  7. Run the following query:
         USE IntelAMT
         SELECT Props_script_path, use_props_script
         FROM csti_Configuration

  8. Please note the following details from the resulting line:

    • use_props_script - This column needs to be set to TRUE (1). If this is set to 0 no provisioning attempts will even be executed. I've seen this set to 0 at times.

    • props_script_path - This value is passed to the Intel SCS service that's available to run oobprov.exe. This must be the same location on both the NS and the remote server.

    • props_script_timeout - This timeout should be set at 180.

  9. If the values are not set right, use the following query to update the table to have the correct values (note that the props_script_path may be different in your environment. If so, change the query to match your installation setup):
         UPDATE csti_configuration
         SET props_script_path = ‘C:\Program Files\Altiris\OOBSC\oobprov.exe'
         SET use_props_script = 1
         SET prop_script_timeout = 180
         WHERE configuration_id = 1

  10. Once the above changes have been made, restart the AMTConfig service on the local Intel SCS Server to have all cached items dropped so the changes are filtered down properly.


Functional Intel SCS

The immediate question after installing and/or fixing an existing install of Intel SCS is are things working correctly? Time will definitely tell, but if you want to know immediately you can use the following process to check the workability of the install:


  1. On the Intel SCS server, go into the Services Manager within Administrative Tools. Is the AMTConfig service running? If not, try to start it. Also check the Event Log for failures. If it stays running, it can successfully start and then connect to the IntelAMT database. Note that if it starts but then stops a minute or two later, the database is likely unreachable by the service.

  2. On the Notification Server, browse in the Altiris Console from View &gt; Solutions &gt; Out of Band Management &gt; Configuration &gt; Provisioning &gt; Logs &gt; Actions Status. Do you see any successful Provisioning requests since the time you finished configuring the Intel SCS install?

  3. If possible, manually configure a system to provision and see if it goes through. The reason the existing ones trying to provision may not work is due to IP Address changes that make it impossible or SCS to connect back to the system. New Hello Packets will remedy this situation in the long-term.



These processes should allow you to properly install and configure Intel SCS on a server that is not where the Notification Server and Out of Band Management are installed and running.

Here are the key use cases supported by MS SCE (Microsoft System Center Essentials).  Each of the use cases below will reference a certain page in the Manageability Pack located @  Therefore I highly recommend you download the PDF and then cross reference the list below. 


System Discovery

Discovery allows the Management Pack to locate Intel® AMT systems. During the discovery process, the Management Pack retrieves asset information from the Intel® AMT subsystem. Discovery needs to be performed before you can perform any other Intel® AMT-related tasks.

For details on the different ways to perform discovery, see “Discovering Systems” on page 87.


Viewing Asset Information

You can view information about the Intel® AMT system’s hardware assets (CPU, memory, and more).

For details on viewing asset information, see “Retrieving Asset Identification Information” on page 97.Intel® AMT Management Pack for Ops Manager and Essentials • Installation and User’s Guide 6


Power Control Operations

Power control operations enable you to remotely control the power states of Intel® AMT-supported systems.

You can apply the following power control operations to Intel® AMT systems:



•power cycle


You can specify the way that a system should boot, depending on the specific system implementation.

For details on power control operations, see “Power Control Operations” on page 101.


SOL/IDE Redirection Operations

The SOL/IDE Redirection feature enables you to remotely perform the following redirection operations on Intel® AMT-supported systems:

•Serial Over LAN (SOL): Allows you to display the non-graphic boot screens of an Intel® AMT machine, thereby allowing you to modify BIOS entries or to change the way that the system boots.

•IDE Redirection (IDER): Allows you to boot the Intel® AMT machine from a boot image located elsewhere on the network.

For details on redirection operations, see “Redirection Operations” on page 109.


System Defense

The System Defense feature allows you to define multiple system defense policies and apply them individually to a system.

For details on the System Defense feature, see “System Defense” on page 121.Chapter 1 • Introduction7


Event Handling

You can configure Intel® AMT systems to send PET (Platform Event Trap) events to multiple event collectors, and view these events in Ops Mgr/Essentials. For information on the PET protocol, refer to the ASF specification at

For details on registering for PET events, see “Registering and Unregistering for PET Events” on page 137.

For details on monitoring PET events, see “Monitoring Alerts (PET Events)” on page 157.


Looking ahead to the next post..

the plan is to showcase each use case in quick video's and post out.. stay tuned for more..


Josh H

If you are using Altiris as your management console, then check out this new use case document for implementing network filters!


Altiris Use Case: Network Filtering and System Defense

Take a look at this ROI Analysis document. It shows that Cleveland Clinic will save $442k in net power savings over 4 years. In addition, they will save 29,000 IT support man-hours by year 4 through improved asset management and reduced deskside visits, remote patch management and reimaging and repair.


ROI Analysis: Improving Productivity and Reducing Energy Costs and Consumption with Intel® vPro™ Technology


NOTE: If you have not read parts 1 through 5, please read these before reading this part as this is a continuation of the story begun in the previous sections.







The Might Modern Marketing IT team has just seen two suspected competitors encroach on the home turf. What can they do in light of this brazen intrusion? Can Altiris and Intel's vPro help them gain the upper hand when the opposition brings the fight to the very top? In this part of the story we'll learn the final outcome of their major competitor's struggle to gain the majority share of the market through fierce competition and unscrupulous IT sabotage.





Mighty Modern Marketing HQ - Boston, Massachusetts

"Bobby!" Jessica Langley whispered loudly. Or, more accurately, she said loudly to just pierce the cacophony of fans filling the server room. She turned the corner and saw Bobby perched at his desk. His hands rested on his keyboard, as if posed to begin coding at an instant's notice. He seemed to be looking intently at his monitor.


"Bobby?" she urged, stepping closer. He didn't respond, and as she watched his head tipped forward. He jerked, a loud snort escaping his nose. He glanced around, blinking bleary eyes, before his eyelids seemed to close of their own volition. He settled back into his chair, hands still poised.



Jessica tapped him on the shoulder. He didn't respond. She tapped harder, and he shrugged, but his eyes remained closed. She shook the back of his chair, and he jumped, hand flailing out to grab the sides of his desk. He whirled around, staring at her with wide, reddened eyes.



"Jessica!" he said, blinking rapidly. "Something wrong?"



She folded her arms. "Yes, something's wrong," she responded tersely. "We're under attack."



He wiped at his face with his long-fingered hands. "A virus?"



"No, something a bit more direct. I saw that ninja guy again, and some smooth-slick character with him. He might be Jake, the New Nifty Network CEO."



"The ninja? The guy I thumped with the laptop??"






Bobby looked at her wide-eyed. His eyes darted about, and he finally picked up a power strip, gripping the plug and cord. He twirled a few times, and Jessica backed away.



"What are you doing?" she demanded.



"I need something in case he comes after me for revenge!"



"Is that supposed to be a ball and chain?"



He glanced down at the strip, the empty black slots seeming to stare back up at him forlornly.



"Yes. No. Maybe... I don't know!"



She reached out and took it from him. "Tevita's following them, but we need to lock things down."



Bobby rubbed his hands together, his expression tightening a little. "I always have things locked down," he said. "You're insulting my..."



"No time for that. Lock up all the servers, and backup all databases right now. If possible bring non essential applications down until we get these guys out of here. And call security."



Bobby nodded. "There's a ton of locks. Can you help while I call?"



As Jessica set locks on the server's chassis and covers, she watched the door leading into the server room. She couldn't seem to keep her eyes away from it, half expecting one of the suspects to barge in waving a bat around and demanding their most sensitive data. Halfway through the process Bobby gave her a large key ring full of small metal keys with short-stubby teeth.



"Go check the server racks and lock any covers that are open with those," he instructed.



She stared at him. "There are a hundred keys here, and none of them are labeled!"



"I know. I keep meaning to get around to label them, but... well... how fun would that be?"



"Yeah, how fun?" she mumbled as she headed around the corner. She started down the row, checking the front of the cases. She made it almost halfway around before she found one that opened. She looked down at the mass of keys and sighed.



She only had inserted about thirty keys, all without budging the lock, when her mobile phone rang. She quickly fished it out of her jacket pocket, glancing at the number before putting it to her ear as she pushed the answer button.



"Tevita?" she prompted.



"Jessica! They're up here on the executive level!" he said in a loud whisper, and she had to press her phone hard against her ear to hear.



"Bobby called security..."



"These guys are really delivering packages as if they're legit, but that taller guy, the slick one, keeps looking around as if expecting to see something."



"Why don't you go tell Mr. Johnson? I think that's Jake Wells."



"That's a good idea. I'll call back if I need anything..."



"Just be careful..." she started to say when the line dropped. She locked the keypad and slipped the phone back in her pocket. She stared down at the keys on her other hand, and finally decided she had better things she could do. She walked quickly to Bobby's office. He started intently at his screen, his fingers flying over the keyboard so fast they seemed to blur in her vision. She placed the key ring on his desk and he looked up.



"The first half of them are secure," she said, not mentioned she hadn't needed the keys for any of those.



"That was fast..."



"I got a call from Tevita. I think I need to secure some of the more vital PCs in the office, here. Did you ever finish those network filters I asked for?"

Bobby nodded. "I did. I still need to test the last one..."



"But the accounting and executive filters are ready?"



He nodded again. "Yes. I'll email them to you now. It wasn't easy, what with the limitation on how many filters I can apply, but I weeded out the nonessentials. Instant Messenger won't work, nor will standard Internet Explorer stuff, but all the applications the two groups will use respectively are available."






"I think so... it's not reliable..."



She shrugged. "Better than nothing. Thanks!"



She hurried out the door. Her eyes looked around the office as she walked tensely back towards her desk. She expected to see signs of stress or something, but everyone acted normally. Several even said hi, and she managed to smile back, though the smile felt stiff on her face. Why couldn't she have a normal IT job where emergencies consisted of no coffee in the break room, or typical, non-intentional application crashes? Couldn't someone simply forget their domain password for the highlight of the day? That kind of stress she could handle without her stomach tying itself into knots.



She sat down as a new email came in from Bobby. She opened the email, and downloaded the attachments to a share on the Notification Server. She quickly initiated a Remote Desktop to the Notification Server. When she clicked connect, she received a message indicating the max number of session had been reached. She stared at the screen.



"No way," she muttered as she jumped to her feet. She hurried over to Tevita's desk, but he'd locked all his systems. Definitely wise, but If he had sessions open she'd be unable to close them. She hurried back and launched the Altiris Console on her own desktop. She'd wanted to add the filters in the right places on the drive of the server, but it wasn't necessary. The console came up, and she browsed through Manage, clicked on Jobs, browsed through Tasks and Jobs, Server Tasks, Real-Time System Manager, and clicked on Network Filtering Task.



Jessica right-clicked on the Task and choose "Clone". She named it "Accounting Network Filtering Task" and clicked OK. The new filtering task appeared, the task configuration loading in the right pane. She clicked the Edit button on the icon bar with the small pencil symbol. Under the section ‘Filter network traffic other than to and from the Notification Server' she changed the radial selection to ‘Import network filtering settings from the custom XML file'. Under the section ‘Location of the file to import from:' she clicked the Browse button. In the subsequent window she browsed to the share she'd copied the custom files Bobby had created and selected the Accounting one. She clicked Open which returned her to the Settings page.



At the bottom of the right-pane she clicked the Apply button. Next, she clicked on the ‘Run Now' button on the icon bar. Within the pop-up window that appeared she set the ‘Run name' field as ‘Accounting Lockdown SOS'. Under the ‘Connection credentials settings' section she clicked on the hyperlink labeled: Runtime Profile. From the list she selected the list of credentials containing her Domain credentials that had full rights to all AMT systems. When she'd committed the changes she then clicked the hyperlink under the Resources heading labeled ‘Select computers'. The Task Server resource selection window appeared.



In the left most pane she expanded the Computer Collections folder and the My Collections folder. Under this section she highlighted the collection labeled: All Accounting Computers. By double-clicking on this collection the picker added it to the right most pane, labeled Selected Items. She clicked OK to add the collection to the Task. On the main Run Task screen she hovered the mouse-pointer over the ‘Run Now' button. She wondered if both words were capitalized to emphasis the finality of the button! She believed the filter would work since she had faith in Bobby's skills, but if something went wrong...



For just a moment she paused, taking her hand off the mouse. Over reacting might save the day if these two interlopers really came with Mighty Modern Marketing's determent in mind, but if she'd jumped to the wrong conclusions she might just create a huge mess for no reason at all.



Another thought, one she'd had previously, surfaced in her mind. If Bobby hadn't verified the filter worked, and it somehow invoked a filter that did NOT give access to the systems via Notification Server, she might just decapitate every single one of the Accounting department's computers with a single click. She shuddered as she imagined Tevita and her running from computer to computer in a desperate effort to manually disengage the network filter using their credentials. There was a reason Bobby tested all the filters he created, and that same reason applied as to why she and Tevita each independently tested them again.



So far Bobby always got it right, at least from the Notification Server aspect. Sometimes the other filter items didn't work properly, but she'd still be able to quickly remove the filter from all the systems. She sat up straighter in her chair, her lips pressed into a firm line, and took hold of the mouse again. With only the briefest of hesitations she slicked the ‘Run Now' button.



She waited a minute, then refreshed the status display. So far so good. She quickly ran through the same procedure, but this time setting the Task to quarantine, this time for the system's own protection, the Executive systems. She paused before running it, then quickly picked up the phone and dialed Mr. Johnson's number.



"Mr. Johnson's office," a young voice greeted.



She paused. She didn't recognize the voice, but didn't attribute it to the two she'd seen. "Uh, yes, this is Jessica Langley down in the IT department. Is Mr. Johnson available?"



"No, ma'am. He's currently in a meeting. Can I take a message?"



"When did he get a secretary?"



She heard a chuckle. "I'm not a secretary, I'm his son, Roger. It's ‘Go to Work With Mom or Dad' day at school. I'd rather be here than school, so... here I am."



"Okay... Can you tell him this is urgent?"



"I would, except he left for the meeting and I don't know where."



She sighed. "Thanks Roger." As she hung up the phone she clicked the ‘Run Now' button.



Leaning back in her seat, she folded her arms, eyes on the Altiris Console. Having applied the filters she did feel a little better, but she still couldn't sit still. She stood and walked to the drinking fountain, trying to think what next she needed to do to ensure whatever their competitors planned didn't cripple the business. Her eyes roved over the immediate area. It seemed everyone moved calmly, with occasional conversations heard above the hum of computers. She fished in her pocket and removed her cell phone, staring at the display as it lighted up. If Tevita was hiding somewhere, calling him might give him away. But surely he'd have placed in phone on vibrate...? She hated not knowing where and what Tevita did, and what the interlopers meant to do.



She found herself facing the stairs. Part of her wanted to run up there and blow the whole thing wide open so that the sheer number of Might Modern Marketing's employees would stop whatever they planned. Of course if it ended up being an innocent visit... she threw that thought aside. They'd shown up looking like delivery guys, and the furtive glances from the "ninja" seemed to proclaim their guilt. She reached up and rubbed at her eyes, trying to decide what to do next.



They'd locked down the servers, taking down nonessential applications, and employed filters against critical systems. She squared her shoulders and entered the stairwell, hurrying up the two flights to the third floor. When she reached the door at the top she stopped, taking out her cell phone again. She dialed Tevita's number and pressed the send button. The phone rang several times before his voicemail started playing. She hung up the phone, fidgeting with it for a few moments before slipping it back into her pocket.



She tried to square her shoulders again, but somehow the thought of heading through the door started her stomach doing flips. She pressed a hand against her middle, trying to physical calm her nerves. It wasn't like these guys were armed... were they? So far the incidents had all been non-violent, but had desperation driven them to take extreme measures? Thinking about her job description, the security and protection for the intellectual property of Might Modern Marketing fell under her job description. These rubes from New Nifty Networks certainly qualified as a threat, but where should she draw the line?



She smiled wryly, decided she didn't like the spineless turn of her thoughts. True, there could be real danger on the floor, but most of the people up here she knew well and trusted. She opened the door and stepped through.



To the left sat the accounting team, most in closed-door offices to help with keeping sensitive data from wandering eyes. She saw one of them exit his office, a frown on his face. She walked towards him, intending to head through towards the executive staff area, when he looked up.



"Hi Jessica," he said, the tight expression on his face easing. "Can you help? I'm having internet problems right now."



"I know," she responded with what she hoped was a firm but friendly smile. "We have a security issue I'm dealing with and we've locked most systems. You should still be able to run the Accounting software... Balance Act. Have you had any problems with it?"



"No... I just... well... do you know when we'll get it back?"



"Hopefully soon. I'll send out a notice when it's back up."



"Okay. Thanks..."



She nodded and continued on her way. She heard him behind her start talking to another of the accountants, and he sounded a little annoyed, but she thought that better than any wrath had the critical application Balance Act gone down. She smiled, hoping someone would try to strip the data from the application and try to send it out, only to find that they couldn't make a connection to anything. She hoped they stewed over it, trying to figure out why the computer wouldn't connect to anywhere despite showing a network connection.



She tried to look casual as she raced towards the executive area. What would she find? By the look of people on the floor, no one had any inkling that two unwanted people prowled the hallways. As she turned the corner, her eyes followed the line of doors, most of them open. The sound of conversations floated out of a few, all sounding normal and unhurried. She noticed that Mr. Johnson's door remained closed. She walked on her tiptoes for a few steps, trying to look down into the cubes opposite the CEO's office. The first two stood empty, while the next two held their normal occupants, none looking more harried than normal.



She reached his door and glanced through the side window set to the left of the door. She noticed a young man sitting at the computer. He slouched back in the office chair, right hand moving around the mouse, his hair spiky and bleached blond. She assumed this was Roger, and moved on. She fished her phone out of her pocket and dialed Tevita gain. For the second time he didn't answer and she reached his voicemail. This time she left a short, terse message asking him to call her, and hung up.



She looked either way down the hall, her stomach slowly turning over. So far everything looked fine, except that Mr. Johnson wasn't at his office and Tevita wouldn't answer his phone. Many possibilities as to why held nothing malicious, and probably nothing amiss had happened. Somehow she couldn't convince her body of that, and found herself walking stiffly down the hall towards the set of conference rooms at the end. She couldn't unlock her knees, as if her joints had seized up. She wrung her hands in a gesture she'd long ago overcome, and forced her arms to swing normally at her side. Even that gesture felt forced, and she shook herself, trying to loosen up her tense muscles.



One of the conference room doors held shut, the other room's doors open and the lights out. Light streamed under the door and through the indoor window of the occupied conference room. She sidled up to it, trying to peer in without showing her face. She caught of glimpse of Tevita, standing against the wall. His normal smiley features pulled down in a frown, his arms folded tightly across his chest. She knew he only folded his arms like that when angry. Not just a little angry, but very angry. She quickly backtracked to approach the door from the other side.



The first person she saw held a sly smile on his face, his slick features seeming to hold confidence to overflowing. He spoke, his mouth quirking at the corner as if he had trouble keeping a secret. He pointed at a laptop plugged into one of the network cables snaking out of the middle of the large oval conference table. It looked like one of their field laptops meant for Sales Engineers or Consultants. She even saw the telltale barcode they stuck on all laptops before shipping them out, but also noted it was vPro capable. She glanced around, but in the dead-end hallway no one paid her any mind. She ducked down and put her ear against the door, trying to hear inside.



"...really think you're as spineless as that, old man." The voice reminded Jessica of a new car salesman who knew he could really sell cars.



Mr. Johnson's voice sounded as measured and confident as always. "You know that's not true, Jake."



"I do have to give you credit, Mr. Unflappable. You act like you aren't phased, but I've seen your employees run around like chickens with their heads cut off from time to time. I was hoping to reach an agreement today, to avoid future... incidents."



"We're not afraid of you," Tevita said hotly, the words loud enough to cause her to flinch.



She could just imagine Mr. Johnson holding up a placating hand to Tevita. "Why do we need an agreement? You've seen the projected numbers, I assume. You've done no real harm."



"Oh? You seem to forget I have access to your network, as this laptop proves. I know everything, including pending projects, budget allotment, fiscal year targets, and actual revenue both real and pending."



"You love the threat," Mr. Johnson said, a hint of mocking in his tone. "Did you think I'd be impressed that you'd have the gall to walk in here and make ludicrous demands?"



"You'll notice that security hasn't stopped me yet. If you need proof, let me show you..."



Jessica glanced through the window, her eyes trying to focus on the number printed below the barcode. If she knew which machine this was, she might be able to control it. She quickly pulled out her cell phone and punched in the number. She then quickly retreated, heading back quickly towards the stairs. She scampered down them, only to almost fall as the heel on her left shoe broke off. She skidded down the last few steps, barely catching the rail to stop a certain face plant. She quickly slipped both shoes off, hurrying down to the first floor.



She reached her cube, glad she'd left the Altiris Console up. She used the barcode in Asset Management to find the name of the system. She browsed in the console under View, Solutions, Real-Time Console Infrastructure, Tools, and clicked on the Manage node. She quickly typed in the name and clicked OK. A window appeared, giving her the RTSM interface. A grim smile slipped on her lips as the tree loaded, giving her all of the Real-Time System Manager functionality. In the left-hand pane she browsed down into Real-Time Consoles, Real-Time System Manager, Administrative Tasks, and selected Hardware management.



With her hand hovering over the mouse, her mind whirled through the possibilities. With vPro, she had a lot more power. Taking control of the system wouldn't do much since she could only access a non-graphical interface with Serial Over LAN. Anything else she might do would only alert them to what was occurring. She needed to do something fast. She selected to reboot the system, checking the option under Redirection options labeled, Perform boot from: and Display task progress and remotely control computer. She selected to provide a CD image, browsing to a utility for disk formatting. The utility had the ability to quickly write zeroes to the drive. This essentially cleared the hard drive of all data.



It was a good first step, and she initiated the reboot, redirection. She wished she could see the snide smile vanish as the computer abruptly turned off without any warning. She knew the laptops had reasonable boot times, but it seemed to take an eternity to load the utility. She half expected the laptop to be removed from the network, the SOL session dropping, but eventually the utility's interface appeared. She glanced at her watch. It took forty seconds, though she swore it had to be at least five fretful minutes.



She quickly selected the option to wipe the drive, quickly pressing through the double-warning that all data would be lost as quickly as she could. With luck the two dimwits wouldn't realize what was happening until it was too late.



Now what had he said about security? Bobby said he'd called them, so why hadn't anyone responded? She pushed to her feet as she locked her computer, hurrying towards the front desk area. When she reached the front desk she found it unoccupied. A visitor stood at the front of the desk, looking around with a frown and lines creasing his forehead.



"It's about time," the man said, visibly trying to smooth his expression. "I have an interview and need a temp badge."



Jessica shook her head. "Sorry, I'm not with security," she said hurriedly as she picked up the phone.



"If you're an employee, you can escort me," he said with the words forceful. She paused, looking him over quickly. He carried a thin folder under his left arm, with his arms held closely to his sides, his legs shoulder-length apart. His dark eyes watched her far too intently, hardly a blink to disrupt his scrutiny. Despite his oversized short, she could see the honed muscles tensed underneath.



She swallowed the lump that formed in her throat. If she hadn't failed Drama in high school she wouldn't be as worried as she tried to smooth her expression.



"It's against policy," she said, grateful the words came out firmly. "Without a badge... I'm sure security will return shortly."



The man's lips thinned. "You don't understand..."



She dialed the phone as if she wasn't two millimeters away from bolting back into the secured section of the building. The wide desk might give her enough lead time to get through before this suspicious man grabbed her. If he chased her, would she try to force the door closed behind her, or simply start screaming? Her face felt cold, but she still found the whole situation absurdly funny.



Bobby answered his phone. "What, IM broken again?"



"Hi, this is Jess. I came up to talk to the front desk folk, but nobody's here. Can you page them?"



The man standing in front of the desk scowled. "Look, I can't wait any longer..."



"Really? I called and told them the situation."



"I know. I need to take care of the power problem to the servers we discussed earlier, and need someone from facilities here, now. Can you try again?"



"Power...? Oh. I see. I'll get right on it."






She hung up the phone. She contemplated calling the police, but she wondered if the two stooges upstairs had actually broken any laws. If they hadn't, what would the police think? She knew something had to be illegal, but did police get involved in this kind of thing? She continued to watch the man carefully. He stood stiff, visibly trying to keep his face smooth.



"Sorry," she said. "I can't help you, but someone should be here soon."



"That might be too late," the man said, throwing his free hand up into the air, almost dropping the folder with the other. "I'm supposed to do sneaky about this, but it's been too long. I'm Detective Cassidy from the Boston Police Department and believe some criminal activity is being conducted in this facility."



He reached back into his pocket and produced a wallet. He flipped it open, revealing a gleaming badge.



She stared at him, mouth open for a moment. "You're with the police?" she managed to say.



"Yes, now get me into that building unless you want to be held culpable as well!"



"Culpable? No, by all means! Please, come in."



She walked over to the main door, pulling her badge up to the magnetic reader. Her heart hammered in her chest, relief flowing through her limbs until she felt almost weak. She held the door open for the detective. He walked in, eyeing her suspiciously.



"I'm Jessica Langley," she offered. "I'm on the IT staff."



"Jessica... I'm surprised you'd offer your name so freely," he said, eyes moving over the collection of cubes.



"Why? Whatever you've heard, you'll see the truth soon enough."



"The truth, eh?" he said with a hint of a dry smile. "Okay. Lead on."



They quickly headed up the stairs, through the marketing section, past the executive offices, to finally reach the one closed door in the conference area.



"That guy there, Jake Wells I believe is his name, is the CEO of New Nifty Networks."



Cassidy peered in.



"Fix it!" Jake demanded with his face an unhealthy shade of red. The "ninja", still sporting his delivery guy outfit, fussed with the computer.



"It's dead..." he said. "Somehow I can't boot to the hard drive."



Mr. Johnson sighed. "Are we done here? I have a business to run."



"No!" Jake exclaimed. "I don't know how you did it, but this isn't the only laptop of yours I have, of course. I can access everything, even your accounting software..."



Cassidy stepped back, fingering his chin. "Well. This is certainly odd. But a few unanswered facts are now coming into focus."



Jessica gestured towards the door. "So you came here thinking we're doing something illegal?"



"No, according to the evidence presented to us, you were doing illegal stuff. This all but confirms the counter-theory that Jake Wells, a well-known business criminal, was in fact setting you guys up. Alright, don't tell him I came here as I need to get the right evidence in place before arresting him..."



"What if he gets violent?" Jessica asked as Detective Cassidy began hurrying away.



"Violent? Not likely, but if so, I'll have an officer waiting outside the building. Now if you'll excuse me..."



The man practically ran away, hurrying down the stairs. Jessica watched him disappear, and then heard the door behind her open. She turned around to face Jake Wells.



"Hello," Jake said with his broad smile just a little strained.



"Uh, hi," she responded, stepping to the side. She half-expected him to see right through her wary expression, but he simply walked on past, his cohort the ninja following behind, carrying the now defective laptop behind him.



Later Tevita, Jessica, Bobby, Edgar, and Daniel the CSO sat in Mr. Johnson's office. The CEO smiled, a look of relief cracking his normally stoic demeanor.



"Perfect," he said, standing up to offer his hand to Jessica. She blushed furiously as she rose and accepted the hand shake.



"Was nothing," she mumbled.



"Nonsense. You not only stole his thunder, that which he enjoys the most, but you unmasked his entire operation to the police. His sly and underhanded method to use the police to clear out our own security in his plans was ingenious, I must admit, but it certainly backfired. Bobby. Thank you for digging through the servers to find which stolen laptops made the illicit connections to our network to fudge our accounting procedures. Tevita. Well done identifying and cutting off access for those computers and those accounts on them. By removing that potential threat we've finished securing ourselves against any current threat, and with Jake Wells back under the watchful eye of the police, we will likely have a good respite."



"You're welcome," several said at the same time.



He smiled again. "Take the rest of the day off. Expect a bonus soon for all your troubles, but most of all, I'm letting half of you take next week off, and the other half the following week, and you won't have to use your accrued vacation days."



Jessica smiled. Vacation. She hadn't been able to think about it for months now with the ongoing threat, and the idea almost put her to sleep on the spot. She yawned, then offered a nod of thanks.



She didn't really believe things would suddenly become easy as sliding across a newly iced hockey rink, but surely things couldn't be as bad as they'd been?



As she traveled home on the early metro commuter train, a thought struck her hard. She'd said to Tevita that things should be easier. Knowing fate, and her own unlucky streak, she'd just opened herself up to an even harder, scarier situation; one that would probably arise on the first day of her vacation. She considered throwing her mobile phone out the window, but as she raised her arm she stopped. That would be drastic; besides, fate wasn't really against her, was it? And if it was, wouldn't the arsenal provided by Intel's vPro, Altiris Manageability Platform, and tighter security policies stop it?



She didn't throw the phone out the window, but she did turn it off, vowing to turn it back on only when Sunday arrived before she was to return.





The End of Part 6





This concludes this story arc. I hope you enjoyed reading as much as I enjoyed writing this. I hope also that some of the value of vPro has been properly communicated through this story, highlighting some of the features that could be used in a security situation.



Like many others, I have downloaded Google's Chrome Browser (using it to write this blog), and gave it a try. Of course, the first thing people are focused on is the UI and visible features... After reading the comic book explanation (the team did an awesome job at describing the architecture via a comic book - very unique idea), I think people need to look at what this browser really is - it’s not just a browser, it’s a web execution client.


First, they went away from launching a bunch of threads and went to processes, they are extending a well know operating system fundamental, making the browser similar to a sub OS of your OS (one that does not have to care about drivers and such). They went for the overhead of the process model to focus on scalability and stability. Both of these have to be fundamentals if Google Gears is to provide content to this web execution client, as who wants to run a cloud application and have your browser crash, run out of memory, or suffer from many of the other common limitations of browser-based applications (very few truly rich applications run purely in a browser).


Other features that seem to be radically different for this web execution client are the virtual machine manager used to execute Java script, the garbage collection method, the scalable user interface, and the way they are doing the developer testing. They have really taken a different approach here, an approach more focused on how things execute over being an web page rendering engine. The developer testing concept is very neat, they are leveraging the core of Google to test their builds against the most commonly viewed sites, this gives instant feedback about real world usages (but no testing is ever enough, right?).


Now how does a new browser release get into blog on compute models? The way I look at it, this is really a prime time client for executing cloud programs, Google Gears or others. The way they made the browser to not be limited in its processing capabilities and coupled that with common computer science stability models, the browser (even if not launched as a browser) is a prime candidate to become our interface to the rich application capability to cloud computing.


However, my biggest worry with this model is how the application verifies that the virtual machine manager and the other core services of the browser integrity have not been compromised. Is their a TXT style measurement of this browser? If cloud is going where people think it is, I am going to want my client execution engine to be trustworthy as possible.


From my first look, great job Google team.  What are your thoughts?

-Jason A. Davidson

As many of you might know or have experienced, relying fully on the default provisioning window where the Management Engine sends 'Hello Packets' to the SCS server is problematic. Problems start arising in the following instances:


  1. The network has multiple domain suffices being allocated as connection specific DNS suffices depending on location and this could potentially lead to a mismatch between the SCS domain suffix and the client domain suffix.

  2. DHCP option 15 upon which the default process relies on might need be in use for one reason or another

  3. The provisioning window (24 hours for RCFG and 6 hours for PID/PPS by default) has closed before the infrastructure has been put in place to do something useful with these hello messages.


In the past there was a solution based on sample vbscripts provided by Intel- either Server side only or a combination of client and server side scripts that would be used in conjunction with SCS. This has now evolved to the Activator Utility which is considered the best known method, however there are some subtleties where using the Activator isn't as straight forward, such as:


  1. The Activator utility will typically run under the context of the Local System Account - to allow each Local System Account to write information to the SCS DB requires delegating control all the Computer Objects. This is seen as a significant security risk by some organisations.

  2. The syntax for running the Activator utility necessitates the specification of a profile ID. The number of the profile ID can't be pre-determined with absolute certainty and the SCS API only accept the profile ID and not the profile name. A situation can ensue that the wrong profile ID has been hardcoded on the clients.

  3. Some operations like /a cannot work under the Local System Account context to begin with


Together with the hetrogeneous states of vPro machines (some provisioned, some not, some needing to be re-provisioned) some further logic needs to be put in place to provide a robust end to end solution. This has lead to the implementation (in a nutshell) of the following solution at a large scale enterprise customer (it assumes knowledge of the activator utility and it's switches):


  1. A scriptable interface needs to be able to determine whether a system is provisioned or not - this is achieved by running MEInfo and parsing the contents of the output and writing some information into registry keys.

  2. A script always checks the registry keys to know whether to run the Activator utility

  3. The script is run at every boot-up of the system to make sure any previous failed attempts or if the system has been unprovisioned since the last boot is covered

  4. Once a script (which runs under the context of the Local System Account) determines it needs to execute - i.e. the machine is unprovisioned but has PID/PPS loaded it runs the Activator Utility with the //s h /d PID but not /o and /p

  5. At this point you might ask yourself, if I am using the client side vbscript, why should I use the Activator tool as well? The answer is that the Activator tool provides you the ability to send an in-band 'hello message' to kick-off the provisioning process. That is why we make use of the /h and /d PID parameters. If you wouldn't use the Activator tool, the out of band 'hello messages' would have easily timed-out a long time ago and you wouldn't be able to commence their resending unless you pulled the power cable out and back in - i.e. restart the Management Engine.

  6. The PID is predetermined per machine type and can be inserted into XML file that sits in client - if the PID was unique per each machine this would have broken the whole solution - hence a clear recommendation to have the same PID/PPS across all machines or at least across all machines of the same model

  7. At this point the information is written into an Interim DB using SQL account permissions

  8. Note that no permissions need to have been delegated for all Local System Accounts

  9. On the server side the script uses the same or different SQL account permissions to access to the interim DB

  10. On the server side the script contains the /p and /o parameters - this is crucial as this is a single point where the /p and /o parameters can be changed thus providing flexibility

  11. In addition since the customer has opted to not use certificates and because there is a difference between the connection specific and Active Directory domain suffices, provisioning is take place with hostname only - typically this would have involved using the /a switch, however there is a known issue that won't work under the context of the Local System Account. Therefore the FQDN is stripped of it's domain the server script and the hostname is derived.

  12. The server script creates an XML file with the appropriate content to plug into the Configuration Parameters table in the main SCS DB, as the SCS service can parse the contents of this XML file and check that it is valid content.


The overall benefit of this solution is you avoid the security risk of delegating access rights for all Local System accounts, cover the different scenarios when the Activator Utility should be run, avoid the problems of mismatching domain suffices and maintain the flexibility of a single point of changing parameters for the variable Activator Utility syntax.


The same logic will apply if you are using RCFG - simply ignore point #6 above regarding PID.


Hope some of you find this useful.


Thanks, Tal

Last week I had an opportunity to drive with Todd Christ, one of the first folks to join the vPro Expert Center.  He has since moved on to servers & working on Data Center space - check his blog.  Dialing in your Datacenter - using Intel Dynamic Power Datacenter Manager




Good news is he's still blogging..

I am in the process of setting up a SyAM environment and ran across their use case documentation on their site.  While I'm just in the reading phase right now I am pleased with what I am seeing around the use cases and documentation for configuration.  here's the TOC from their document - 


Use Case 1: Patch Deployment

Use Case 2: BIOS Flash

Use Case 3: BIOS Changes

Use Case 4: System Recovery from Corrupt NTLDR File

Use Case 5: Restoring the Operating System


My next step is to finish installation & test it out.   If you are using SyAM i'd like to hear from you on your experience, configuration and any vPro relevant information.  


Josh H

Part of my focus is to ensure that the community can see all the data and have a good experience on the site, therefore when I received an email this week saying that folks couldn't see the video's embedded in blogs I thought it best to respond here on the site. 


If you are having any problems with video, try downloading this Adobe Flash player


If this fix does not work please let me know.. thank you


Josh H

I was asked recently which consoles are available for Small / Medium buisness, therefore I  talked with my peers in the SMB space to pulse them for the info below.. here’s what they said.. 


Intel tools are designed only to demonstrate AMT functionality and do not include all of the features one would need to manage a network.


The 2 main SW packages for companies 200-1000 that have Intel vPro Technology built in are:


Microsoft SCE:


For over 1000:



Microsoft SCCM


So..  the next question is what do you do with the infrastructure that is less than 200?  This is what I’m going after to figure out and post.  Also to note is that we just finished building our first SCE server in my lab and we’re managing a few machines and it looks pretty good, of course I’ve yet to try automation & other tasks, currently just testing the OOB capability and the functionality for vPro.   Nicole on my team is going to blog about this more.  Things I wish I knew BEFORE I installed SCE (System Center Essentials)  As for SyAM I saw this installed at an End Users site right before the summer and looked like a lot of the DTK functionality integrated in, however I’m still working to get it installed on a console to test/break, etc.. 


So..  next journey, finish out the use cases on the MS System Center Essentials console with Nicole and then start-up our SyAM testing with a 1/2 dozen boxes.  If you want to see something specific or discuss a certain area please let us know as we dig deeper into SMB setup's.

SCS 5.0 is the latest version of the Intel Setup and Configuration Service. This new version boasts a number of fundamental and exciting additions to the world of vPro:


  1. You can enjoy the benefits of Active Directory Integration without the need to extend the Active Directory Schema!

  2. You can use Windows Authentication to communicate with the SCS Database

  3. The SCS Console version 5.0 has a much nicer and professional looking user interface

  4. The performance, stability and logging capabilities of the application have notably improved

  5. You have the ability to dynamically create collectoins of AMT Systems based on different filter conditions

  6. This is still early days for AMT Firmware versions 4 and 5 and the use of CIRA (Client Initiated Remote Access) and MPS (Management Presence Server) but it supports them


Note: If you are using SMS as your Management Software you will need to use the Intel (R) Client Manageability Addon version 5.0 which is available for download from the following url:


To emphasize the point - you will not be able to use SMS Addon version 3.3 with SCS 5.0. SCS version 5.0 will be bundled already for you with the Addon version 5.0.


Some potentially useful technical insights that I have gathered through my experience of being an early adopter of SCS 5.0 through trying to deploy it at a large-scale enterprise customer:




  1. If you opt for having windows authentication (as opposed to the dummy SQL account which was part of the design up until SCS 3.3) you will need to opt for the custom installation path. In there you will be prompted to specify twice the user for running the AMTSCS and AMTSCS_RCFG virtual directories in IIS. You will need to specify the same username and password of the accounts that are running your IIS services where your SCS is being installed. Pay attention to this step - if you specify any user other than the user that is running the IIS services: this could a local account for example and not a domain account, then you will not be able to log into SCS via the SCS console.

  2. When you opt for the windows authentication to DB you wil not be able to use the default website on IIS. If you are creating a new website and you are going to opt for https connection, make sure your new website is setup with the server ssl certificate. You will also need to remember to stop the default website and have your new website running.

  3. You will need to remember to delegate permissions to the account that is running the SCS service on the AD OU for AMT objects, but this time it will be for objects of type 'Computer Objects'. There will not be a conflict with the Host OS level computer objects as these AMT Computer Objects are seen as user objects.

  4. You have the option to create the DB separately using an SQL Standalone DB script (i.e. not as part of the install wizard) however even if you are opting for windows authentication to your SCS DB, you can achieve this by only running the wizard (the custom install path). If you have created the DB prior to SCS install, you can point the SCS service to this DB instance during the install wizard.

  5. A general point to note that would apply to any provisioning with SCS (not just SCS 5.0) - when you are creating a profile

  6. Another point to mention is that the profile ID number is not fully deterministic if you don't run through the config of a new profile without pressing cancel at any point. For example, if you have the default profile as profile ID #1 then when you try and create an additional profile and at some point click cancel and then try and create a new profile it can eventually have a profile ID of #5 for example. This can start becoming a problem if you rely on the profile ID number as part of your provisioning process using the Activator Utility for example, as you can only pass the profile ID as far as the SCS API is concerned, yet if you've hardcoded the profile ID in some file on the vPro client where your Activator Utility will run then you cannot know for sure until your profile has been created in SCS what its profile ID will be. If you are editing an existing profile, its ID number won't change. You also cannot go into the DB and change that value manually as it is a primary key and is auto generated as part of an indexing mechanism in the SCS code. - this one might be a bit tricky, so contact me if you need me to clarify.

  7. I don't know whether you've noticed any sluggishness in the past when trying to install 3.x versions of SCS - for example with one of my large customers it would take 1.5 hours to install SCS because of looking up users in a rather large Active Directory; whereas with SCS 5.0 it takes 5 minutes at most.

  8. Whilst I haven't taken advantage of the capability to create collectoins of AMT systems I wanted to point out one of the main benefits of this feature. I have been faced in the past with situations where I need to perform an operation through SCS on many machines, but not all machines. Therefore the global operations in SCS 3.x versions only gave me the possibility of running the command on a single or all machines. Now I can tailor which machines I want to perform operations on.


My overall recommendation to you is to give SCS 5.0 a go. It is easily the best SCS version that has been released. I have blogged about it as part of my first hand experiences - I have had nothing to do with its development and I am speaking out of the objective view of a user. Hope you find this useful.





Filter Blog

By date: By tag: