At ManageFusion Orlando and in The Hague, we ran a hands-on lab that combined Intel vPro System Defense capabilities, a customized network filter from Altiris, and Altiris Software Delivery to securely update a client (summary available at http://juice.altiris.com/node/5721).
One of the attendees pointed out the following real-world challenge: they are migrating from one security solution to another, which will temporarily expose their client systems to attacks. With the capability to do secure updates, as noted in the lab, they are much better positioned to do the migration for vPro\AMT enabled systems.
If you’re unsure what 5 minutes “in the open” can do to an unsecured client, read the following news article entitled “Malicious ‘botnets’ turn PCs into ‘zombie’ slaves”: http://www.oregonlive.com/business/oregonian/index.ssf?/base/business/1224564910237820.xml&coll=7
Another attendee described a further way they could use this: a classic "chicken/egg" problem. If a client is out of compliance or infected, it must be patched. The patch solution is on the production network, yet corporate policy states that systems out of compliance are placed on an isolated or remediated network. So how do you patch a client to which the production software delivery server cannot connect? Sneaker-net shouldn't be the answer... especially when the target client system is far outside the building you're in.
The key point to remember about this use case: the System Defense filters must allow communications on the software delivery network ports. The Altiris Juice article above provides references on how this is done in a Symantec\Altiris environment.