Hello vPro Experts!

I've got something sitting in the back of my mind, that I would like to share with you all. Unfortunately, it's simply a theory, and I have not yet had the opportunity to test it, but I am in the early stages of developing and documenting it, and would really appreciate any feedback, to help make it become a reality.


The Problem


Are you asking yourself either of these questions?

"How can I reduce the amount of overhead involved with imaging every new client system that comes through the doors, but at the same time, not shift that cost to the vendor?"

or, slightly paraphrased:

"How can I streamline the provisioning of new systems, but at the same time, not sacrifice the flexibility of having in-house imaging?"

If your support teams are imaging each desktop and laptop that is shipped from your hardware vendor, you may have investigated the option of having the vendor pre-image systems prior to shipping them out. There are a couple of caveats to this methodology though. First of all, there is usually an additional cost associated with any sort of customization that the vendor must make to a system. Secondly, if you are using a task sequence-based "imaging" process in-house, then you may not have a way of transferring that process (which is inherently network-reliant), to the vendor. Typically, in this scenario, your operating systems, applications, and Active Directory domain, are all residing on network servers that can't be contacted by the vendor during the process (unless you have some uber-fast, secure VPN link between you and them, in which case you can stop reading).


The Theoretical Solution (utilizing Intel vPro)

The proposed solution to the problem presented above, is actually a combination of technologies, and custom development work. In this case, I'm going to be working with the following tools:


Here are the requirements for the process:


  • Microsoft Configuration Manager SP1
  • An Out-of-Band (OOB) service point for ConfigMgr SP1
  • “ProvisionServer” DNS record pointing to out-of-band service point
  • Collection 1: SCCM collection to temporarily store resource records created by script
  • Collection 2: SCCM collection that contains provisioned vPro clients without the ConfigMgr client agent
  • ConfigMgr Task Sequence to build vPro system
  • ConfigMgr advertisement to link task sequence to Collection 2


Step-by-Step Workflow

This is the theoretical process that would be followed:


  1. Physically plug in vPro system – power and network (device remains powered off)
  2. vPro System obtains IP address and DHCP Option 15 (
  3. vPro System sends “hello packet” to site server (CNAME
  4. Script reads vPro system’s UUID from amtopmgr.log file on site server
  5. Script creates Resource Record for system in “Collection 1” with auto-provisioning enabled
    1. Use a random name for the hostname (based off of the SMBIOS UUID perhaps)
    2. Make sure to refresh the collection membership, or verify that it gets added somehow
  6. vPro System sends another hello packet to site server at built-in interval
  7. vPro System is recognized as a SCCM resource and provisions
  8. Provisioned vPro resource is automatically populated into SCCM “Collection 2”
  9. Task sequence begins executing
  10. Once the operating system is installed, the device should detect a mismatching hostname between the OS and the ME firmware (this could be configured as part of the task sequence)
  11. The device will send a request to the ConfigMgr site server to re-provision the AMT firmware with the new hostname (equivalent of "Update Provisioning Data"?)



Known Issues and Risks

There is at least one known outstanding issue that I'm aware of, and there may be a way to solve it.

Possibility of over-writing an existing system

If an existing, un-provisioned system is not reporting into Configuration Manager properly, it may be incorrectly assumed to be a new, blank system. Therefore, during the build (or imaging) process, an automated check may need to be put into place to verify whether or not the system is truly a new client or not. This could theoretically be done by analyzing the filesystem, or mounting the offline registry hives, and looking for any indicators. Additionally, if a vPro device was already provisioned, it would need to be excluded from being targeted with this process.



I hope that this overview gives you some ideas about how to automate the provisioning of new enterprise clients using Intel vPro out-of-band provisioning. If you have any suggestions for improvement, I'd be interested in hearing them. If you'd like, you can download a copy of this document below.


Trevor Sullivan

Systems Engineer

OfficeMax Corporation



Park N Patch Use case

Posted by josh.hilliker Dec 15, 2008

Over the last few weeks I have been twittering about a new use case that Frank & I have coined "Park N Patch" use case.  We have finished our hardware test and we are really close to shooting the video, however I wanted to jump start this by sharing out the single foil (thank you to wendy west for the pix).  


parknpatch_vPro_Use Case.jpg


Next up, we'll share out the technical specifications of our test and the video of us really doing the use case outside (pending rain).


any questions please let me know. 


Josh H

I was talking with the marketing team this last week about what they have for hot videos that are showing vPro in use with end users.  They shared this list with me and I thought I would share with you all as well.  I wish these were in a better format to play on demand, however for the time being here they are for you. 


21st Century Learning: Watch how Viglen and Intel® vPro™ technology help the Green School drive innovation in learning.

Management Lesson: Watch how the Clayton County, Georgia, public schools manage their IT assets and reduce desk-side visits with Intel® vPro™ technology.

Managing Assets: Watch Verizon's Chris Maylor explain how Intel® Core™2 processor with vPro™ technology helps the company manage its IT assets.

Transforming Troubleshooting: Watch how one of the largest telecommunications companies in the world makes IT troubleshooting easier with Intel® vPro™ technology.

Saving Taxpayers' Money: Watch how Indiana's Office of Technology saved the state millions by improving IT efficiency, standardizing on Intel® multi-core server technologies. Now it's saving millions more with Intel® vPro™ technology.

Healthy Manageability: Watch how Sisters of Mercy Health System keeps its IT manageability healthy with Intel® vPro™ technology.

Healthy Upgrade: Watch how Marshfield Clinic improved efficiency and manageability and maximized its IT budget using Intel® vPro™ technology.

The Real CSI: Watch to see Las Vegas Metro's unsurpassed use of technology for information management-including Intel® vPro™ technology.

If you are deploying vPro have you thought about what might happen if you are running virtual machines on your vPro clients? The virtual machine will have its own virtual IP address which will be different from the actual host IP address which is the one we want when using vPro. What was happening was that the vPro machine was getting provisioned with SCS, but then when discovery was attempted with the SMS Addon, the provisioned vPro system could never be discovered and subsequently managed because the systems showed up as 'Outside Site Boundaries'. It seems that the SMS Addon had a 'flaw' in that it assumed that a machine will only have a single IP address. I cannot say based on my experience whether sometimes the host IP address will be picked up and the problem won't manifest itself or whether it will always be the virtual IP address that will be picked up.


I emphasize that I have experienced this situation when using the SMS Addon and not with any other management consoles. That doesn't mean the problem won't manifest with them as well or whether the design of those products caters for this. If anyone has come across virtual machines on vPro clients and this has or has not caused issues I would be interested in your feedback.


At a high level, the nature of the fix will be that the SMS Addon will not assume there is a single IP address and will loop through the IP addresses. If an IP address comes up as outside the site boundaries the SMS Addon will loop onto the next available IP address. This process will continue until it has exhausted all the IP addresses available on that local vPro machine and only at that point 'give up'.


The fix within the SMS Addon will be incorporated into an official hotfix which will be published soon; I'll provide an update once it has been released.
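
The address-selection loop described above, sketched in PowerShell as an added example (it is not the SMS Addon's code or the hotfix). It assumes site boundaries are IPv4 subnets in CIDR notation; the function names and all addresses are constructed for illustration.

```powershell
# Added illustration, not the SMS Addon's implementation.
# Assumption: site boundaries are modelled as IPv4 subnets in CIDR form.

function ConvertTo-IPv4Number {
    # Returns the address as an unsigned integer, or $null if it is not valid IPv4.
    param([string]$Text)
    $ip = $null
    if (-not ([System.Net.IPAddress]::TryParse($Text, [ref]$ip))) { return $null }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $null }
    [uint64]$value = 0
    foreach ($byte in $ip.GetAddressBytes()) { $value = $value * 256 + $byte }
    return $value
}

function Test-InBoundary {
    # True when $Address lies inside the subnet given by $Cidr (e.g. 10.20.0.0/16).
    param([string]$Address, [string]$Cidr)
    $network, $prefix = $Cidr -split '/', 2
    $addrValue = ConvertTo-IPv4Number $Address
    $netValue  = ConvertTo-IPv4Number $network
    if ($null -eq $addrValue -or $null -eq $netValue) { return $false }
    $bits = 0
    if (-not ([int]::TryParse($prefix, [ref]$bits))) { return $false }
    if ($bits -lt 0 -or $bits -gt 32) { return $false }
    # Two addresses share a subnet when their leading $bits bits are equal.
    $divisor = [math]::Pow(2, 32 - $bits)
    return ([math]::Floor($addrValue / $divisor) -eq [math]::Floor($netValue / $divisor))
}

function Select-SiteAddress {
    # Walks every address the host reports and returns the first one that
    # falls inside any boundary; returns $null only after all have been tried.
    param([string[]]$Addresses, [string[]]$Boundaries)
    foreach ($address in $Addresses) {
        foreach ($boundary in $Boundaries) {
            if (Test-InBoundary -Address $address -Cidr $boundary) { return $address }
        }
    }
    return $null
}

# Constructed sample: a virtual adapter listed first, the physical NIC second.
$hostAddresses  = '192.168.56.1', '10.20.30.40'
$siteBoundaries = '10.20.0.0/16', '10.21.0.0/16'

$chosen = Select-SiteAddress -Addresses $hostAddresses -Boundaries $siteBoundaries
if ($null -eq $chosen) {
    'No address is inside the site boundaries'
} else {
    "Using $chosen for discovery"
}
```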

Hello, vPro Experts!


I've uploaded an updated document with additional troubleshooting measures related to Intel vPro and Microsoft Configuration Manager. Please download and provide feedback on it.


Troubleshooting Intel AMT and ConfigMgr




Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Hello Intel vPro Community!


I'm going to talk to you today a little bit about how to use Windows Powershell to set Intel vPro power profiles. I'll provide a quick bit of background first on what power profiles are, and why you'd want to be able to set them with Powershell.


Intel vPro power profiles are nothing more than a setting in the Management Engine that tells the AMT chip when to be powered up, and when not to be powered up. In some cases, you may want vPro to be inactive during sleep states, or after the computer has lost power (e.g. UPS failure).


In my case however, I want vPro to be always active. This is problematic, because Microsoft Configuration Manager's implementation of a provisioning server doesn't give you the option of setting the active power profile. Instead, during provisioning, ConfigMgr sets the active profile to whatever index "5" is. You'll actually see this in the amtopmgr.log file on your OOB (Out-Of-Band) service point during the provisioning process.


Because ConfigMgr decides the default power profile during provisioning, I've decided that I wanted to change it. Because Windows Powershell is an awesome automation tool, and because Intel's AMT Developer Toolkit (DTK) offers a .NET library that I can use in Powershell, I figured that I would figure out how to do it!




You might remember my last post on how to use Powershell to connect to an AMT device. The process basically involves loading the aforementioned .NET DLL from the DTK, and then establishing a connection to the device. I didn't really get the opportunity to show you how to do a whole lot with it after making the connection though, so that's the purpose of this post! Let's go ahead and take a look at a few lines of Powershell code, so you can understand the retrieval, and setting of power profiles.




# In my last Powershell script, I used the $amtdevice variable
# to reference the AmtSystem .NET object. We'll assume at this point
# that you have already connected to the AMT device based
# on my last article.

# By using the .NET Reflector tool, we can see that the AmtSystem
# object has a property called SecurityAdmin, which returns an AmtSecurityAdmin
# object.
$AmtSecAdmin = $AmtDevice.SecurityAdmin

# The AmtSecurityAdmin object has a method called GetPowerPackages().
# After examining this data type in .NET Reflector, we can filter for only the two
# properties we want to see, the profile ID, and its Name. We'll use the Powershell
# Select-Object cmdlet to filter this data.
$AmtSecAdmin.GetPowerPackages() | Select-Object -Property ID,Name

# You should get some output looking something like this:
# 12834f94-10fb-dc4f-968e-1e232b0c9065         Desktop: ON in S0
# ab0086a1-7f9a-424c-a6e6-bb243a295d9e         Desktop: ON in S0, S3
# acab8672-b496-e248-9b9e-9b7df91c7fd4         Desktop: ON in S0, S3, S4-5
# 4dcd327b-be6b-8943-a62a-4d7bd8dbd026         Desktop: ON in S0, ME Wake in S3
# 46732273-dc23-2f43-a98a-13d37982d855         Desktop: ON in S0, ME Wake in S3, S4-5
# baa419c5-6f6e-4d8d-b227-517f7e4595db         Desktop: ON in S0, S3, S4-5, OFF After Power Loss
# ede30bd6-c504-462c-b772-d18018ee2fc4         Desktop: ON in S0, ME Wake in S3, S4-5, Off After Power Loss

# Once we have a listing of the power profiles available on the AMT device
# we can get the one that we want, and then set it. Since I always want my
# AMT device active, no matter the system's power state, I'm going to choose
# "Desktop: ON in S0, S3, S4-5" which is index 2 (in a zero-based collection).
$TargetPowerProfile = ($AmtSecAdmin.GetPowerPackages())[2]

# Now that I have a variable referencing the target power profile, I will set the
# profile on the AMT device. The AmtSecurityAdmin object has a method called
# SetActivePowerPackage() that takes one parameter: the power profile we have
# a reference to.
$AmtResult = $AmtSecAdmin.SetActivePowerPackage($TargetPowerProfile)
"Setting power profile to $($TargetPowerProfile.Name) resulted in $AmtResult!"

##### End Setting Power Profile #####

# Let's also take a quick look at how to get some basic information about
# the AMT device's provisioning data. We can figure out if IDE-R, SoL, and the
# WebUI are enabled. We'll use the AmtGeneralInfo object for this.

# Get a reference to the AmtGeneralInfo object
$AmtInfo = $amtdevice.Info

# Write out the current configuration settings.
# A property access inside a double-quoted string needs the $() subexpression
# syntax; otherwise only the variable itself is expanded.
"SOL Enabled: $($AmtInfo.SerialOverLanEnabled)"
"IDE-R Enabled: $($AmtInfo.IdeRedirectEnabled)"
"WebUI Enabled: $($AmtInfo.WebUiEnabled)"

I hope this helps get you on your way to doing some cool Powershell / vPro automation! Let me know whether or not this helps you in your endeavors.


Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Professionals running IT shops these days are facing a number of mandates regarding the relationship of PCs and servers:  The CEO demands that data be secure.  The government requires compliance to a plethora of laws governing data retention.  The CIO says cut costs.  The IT technician would love to have them manageable within an eight-hour day and without a trip in the rain.  The end-user is amenable to anything as long as it’s mobile and he can get what he wants in nanoseconds.  Until not too long ago, IT professionals wrestling with this dilemma could pick rich clients or thin clients, and be assured that a number of these mandates would go unfulfilled while a good part of his constituency would be letting him know exactly where he’d gone wrong.  Lately, however, a number of new client-server models have been emerging.  Taking advantage of such technologies as streaming and virtualization, these "dynamic virtual client" technologies provide options for getting the benefits of both rich and thin clients.  If you’re interested in knowing more, Intel’s expert in this area is Mike Ferron-Jones, director of Dynamic Virtual Client Technology.  He’ll be giving a seminar on dynamic virtual clients, including some that have emerged in just the past few months, in a , on Wednesday, December 10 from 11:30 a.m.-12:30 p.m. PST.  You can find the webcast here or on the viewer below.  Log on a few minutes early as there’s a short registration.  Best yet in these financially troubling times, the price is right – it’s free.



Hey, you guys, those of you makin’ like you’re part of the décor in an airport lounge or imitating camouflage behind a fern in a hotel lobby waiting for some mark to get distracted so you can lift his laptop. I’m going to save you some major grief. I’m feeling like a snitch doing this since I’m an Intel flack, but even criminals deserve an inside tip once in awhile. So, listen up, swifty. Before you slip ‘n slide that notebook under your trench coat, look it up and down carefully. If it says Lenovo Thinkpad T400 anywhere on it just put it back and save yourself a raft of frustration. Here’s the inside skinny: Absolute Software, Lenovo and Intel ganged up to develop this diabolical security stuff that’s … well, I was going to say almost criminal. They took these Lenovo ThinkPad T400 notebooks and booby-trapped ‘em with Intel’s new Anti-Theft PC Protection and Absolute’s Computrace technology. Here’s what’s gonna happen if you’re a sucker enough to boost one of these units. First thing you’re gonna do is turn it on to see if you can crack the password. These guys are just waiting for you to do that. They’re probably standing behind the other fern laughing their beanies off. After a few missed tries this notebook’s going to shut down like an iron door on the hole. It won’t do nothin’. It becomes a brick. Good luck tryin’ to hawk that. It’s because of this Intel Anti-Theft PC Protection. But let’s say you’re smart enough not to try to crack the password. Instead, you’re sitting there admiring the family of five on the screensaver trying to figure out what it will go for on eBay when WHAM! the thing shuts down. Won’t turn back on or nothin’. That’s ‘cause of Absolute’s Computrace. What happened was that soon as the mark saw his computer flew the coop, he called the guys at Absolute and they fixed their servers, so as soon as that computer came online, they sent it a poison pill through the Internet and that laptop became, yep, a brick. 
You’d do life for sending a poison pill, but these mugs got good lawyers and get away with it. But let’s say you’re a real Einstein, and you’re casing the airport parking lot and see some stiff shove one of those T400s in his trunk, grab his suitcase and head for the terminal. You’re figuring he’s gonna be gone for days, long enough to fence that T400 before he even knows it’s gone. So, you’re hanging out in a back alley, whispering “Hey, you wanna good computer cheap?” to every Joe that strolls by, until you finally hook some patsy. But you hit the button to turn it on and nothing happens. Yeah, you guessed it. You’re peddling that brick, again. This is because these Lenovo, Absolute, Intel guys covered that angle, too. Turns out the pigeon’s computer geniuses at the office set that ThinkPad T400 so it has to check in regularly, like it’s on parole. If it misses even once, it gets the poison pill treatment thanks to Computrace and Intel Anti-theft PC Protection, and, of course, dem guys at Lenovo who stick that stuff into those ThinkPad T400s in the first place. In the end, filching these rigged T400s will drive you crazy. Worse than being in the cooler. I know what you’re thinking, I’ll just grab another brand of computer. All I can say is, Are ya feelin’ lucky, punk? ‘Cause Lenovo is gonna be putting this Computrace and Anti-Theft PC Protection in their other computers. And, well, this ain’t no exclusive deal, if you know what I mean. So, before you do something stupid, my pal Josh Hilliker spills all the beans here. Check it out and save yourself some time…maybe hard time, not to mention saving you’s from going crazy frustratin’ yourself.

AT-p has arrived & here's a few links of relevance.




Who's Offering?  Lenovo T400


Press Release


Anti-Theft corporate net page


Videos, demos, are in the works - stay tuned for those.

Hello vPro community!


I rather quickly posted the Powershell code I got functioning yesterday just to make sure that I didn't forget to post it at some point, but if you're new to Powershell, you might not understand everything that's going on here. If I left your head spinning, then I apologize, but tonight, I'm wrapping back around to help describe to you the thought process behind the script I posted!


On top of that, once I put together some notes from earlier today, I will post later on about some of my newest findings! To give you a teaser, I found a method of setting AMT power profiles using Powershell code! I'll be sure to get this posted as soon as I can, but for now, I think it would be most beneficial to understand the basics of connecting to a vPro system.


I'm going to step through the script line-by-line and leave some comments about each of them. Comments will be denoted by lines beginning with a pound sign (#). This is because Powershell uses this character as a "comment" character.


If you're experienced with .NET, then you'll probably either already know about, or want to get familiar with, the tool known as the .NET Reflector. This utility allows you to "reflect" over a .NET library, and discover the objects, methods, and properties that are available to you to use in your Powershell scripts. It's not always a simple task to figure out how to use .NET objects, especially if there is either poor documentation, or none at all, but this tool definitely makes it easier.




# The following 6 lines are simply variables that we are setting
# to make troubleshooting and customizing our script easier.
# We will be instantiating (creating) an object of the data type
# "AmtSystem" that requires these values as params to its
# constructor method.

# This is the domain\userID we want to authenticate as
$amtusername = "vprodemo\DomainUser"

# This is the password for the user account to authenticate
$amtpassword = "P@SSW0Rd"

# This is the FQDN of the vPro client system we want to connect to
$amthostname = ""

# This is the TCP port that we want to connect to the vPro client on
# TCP 16993 is used for TLS communications to AMT clients
$amtport = 16993

# This parameter determines whether or not your password is
# saved in the AmtSystem object (I think)
$amtrecallpassword = $false

# I haven't verified this, but I believe that this parameter determines
# whether or not WS-MAN is used exclusively on vPro clients
# that support it. Otherwise, it will attempt to use EOI (SOAP).
$amtwebservicesonly = $false

# Next, this variable stores the path to the "Manageability Stack.dll"
# which is included with the Intel AMT Developer Toolkit (DTK).
# Be sure to download the latest version from the Intel website.
# This DLL is a .NET library, written in C#, that provides an API
# to interact with Intel vPro clients.
$manageabilitystack = "C:\Program Files\Intel\Manageability Developer Tool Kit\0.6.08325.2\Manageability Stack.dll"

# This line uses the built-in Assembly class (part of .NET reflection)
# to load the .NET DLL containing the AMT API. The Out-Null Powershell
# cmdlet is used to suppress any console output of the LoadFile() method.
[System.Reflection.Assembly]::LoadFile("$ManageabilityStack") | Out-Null

# The Write-Host cmdlet is built into Powershell and simply writes
# some text to the console. We are using inline variables to dynamically
# display the information about the client we're connecting to.
Write-Host "Connecting to $amthostname on port $amtport"

# This is the line that's actually getting the object that we will use to
# reference our target Intel AMT client. We are creating a global variable
# named "amtdevice" and setting its value to a "New-Object" of datatype
# ManageabilityStack.AmtSystem (you can use .NET Reflector to find this)
# and then passing the parameters that we defined before to its constructor.
# If the below line wraps in your browser, please be sure to put it all on one line in your script.
$global:amtdevice = New-Object ManageabilityStack.AmtSystem -ArgumentList $amthostname,$amtport,$amtusername,$amtpassword,$amtrecallpassword,$amtwebservicesonly

# Footnote: With respect to variable scope in Powershell, the reason I am
# defining this as a global variable explicitly, is because if you copy and paste
# this code into a script, and then run that script from within an interactive
# Powershell session, the $amtdevice will now be defined as global to the session
# and will not be deleted when the script exits. This allows you to run the script to
# retrieve the device object, but then continue to work with it interactively once
# the connection is established!

# Tell the AmtSystem object that we want to use TLS
$amtdevice.UseTls = $true

# Enable WS-MAN support (if available) on the connection
$amtdevice.WsManSupport = $true

# Once we've set up all of our configuration options about the connection,
# this next line actually establishes the connection.

# The "State" property of the AmtSystem object is "Connecting" until the
# connection either succeeds or fails. We want to monitor the status until
# this occurs.
while ($amtdevice.State -eq "Connecting") { Start-Sleep 1 }

# Finally, once the connection either succeeds or fails, we write out the
# State property to the console so that we know what the outcome was.
Write-Host "AMT device is in state $($amtdevice.State.ToString())"




So, there you have it. That is the code, with my comments inline. If you have any questions or feedback on my articles, please feel free to comment on this blog article. I will try my best to answer them, although please understand that I am still working on comprehending this great API! If this is useful to any of you, I would like to know that, and if not, then please recommend something that you would like to hear about!


As promised, I will eventually write another follow-up article on how you can set Management Engine (ME) power profiles on a provisioned AMT client remotely, using Powershell! Until next time ...


Happy Powershell Scripting!!


Trevor Sullivan

Systems Engineer

OfficeMax Corporation
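
The script above keeps the AMT password as a literal in the file. The following added example (not the author's code) builds the same AmtSystem object from a prompted credential and only for the TLS port. The function name, DLL path and host name are placeholders, and the constructor arguments follow the order shown in the post.

```powershell
# Added example, not the author's script. It needs the DTK's
# "Manageability Stack.dll"; the path and host name used below are placeholders.

function New-AmtSystemFromCredential {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$Credential,
        [Parameter(Mandatory = $true)][string]$StackPath,
        [int]$Port = 16993
    )

    # The post gives TCP 16993 as the TLS port; refuse anything else so the
    # credential is never offered over an unencrypted connection.
    if ($Port -ne 16993) {
        throw "Port $Port is not the AMT TLS port (16993)."
    }

    # Fail early, before any credential is handled, if the library is missing.
    if (-not (Test-Path -LiteralPath $StackPath -PathType Leaf)) {
        throw "Manageability Stack.dll not found at '$StackPath'."
    }
    [System.Reflection.Assembly]::LoadFile($StackPath) | Out-Null

    # The constructor shown in the post takes a plain-text password, so it is
    # extracted only here. The recall-password and web-services-only flags
    # stay $false, as in the post.
    $ctorArgs = @(
        $HostName,
        $Port,
        $Credential.UserName,
        $Credential.GetNetworkCredential().Password,
        $false,
        $false
    )
    $device = New-Object ManageabilityStack.AmtSystem -ArgumentList $ctorArgs
    $device.UseTls = $true
    return $device
}

# Prompt for the account at run time; nothing secret is stored in the script.
$credential = Get-Credential
$amtdevice = New-AmtSystemFromCredential -HostName 'vproclient.example.test' `
    -Credential $credential `
    -StackPath 'C:\Path\To\Manageability Stack.dll'
"UseTls: $($amtdevice.UseTls)"
```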

Hello Intel vPro Experts!


I've started putting together a document on some issues that I've encountered during my experiences with Intel vPro and ConfigMgr. You can access this document right here on the vPro Expert Center:


Please provide feedback on the document. It's not of very high quality just yet, because I only started writing it last night, but I hope to keep it updated, to provide a valuable resource to other IT folk interested in using Intel vPro.


Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Hello everyone!


I have been working on understanding the Intel AMT Developer's Toolkit (DTK) so that I can begin developing some custom tools around Intel vPro. One of the tools that I am planning on working with is Microsoft's Windows Powershell. Windows Powershell is a very powerful, object-oriented command-line replacement for Windows XP, Vista, 2003, and 2008. It's an administrative scripting language that is significantly more powerful than VBscript, and has the entire power of the Microsoft .NET Platform behind it.


Just today, I've had my first success in using the Intel DTK with Windows Powershell, in my quest to automate Intel vPro related tasks using Powershell!


This is some really cool stuff, and I just had to get it out there to share with the community. I can't wait to see what else people build off of this!


Here is the first sample code that I've gotten to function correctly. I'm using it against a Dell Optiplex 755 running AMT firmware version 3.2.1, which was provisioned through ConfigMgr SP1.




$amtusername = "vprodemo\DomainUser"
$amtpassword = "P@SSW0Rd"
$amthostname = "vproclient.vprodemo.local"
$amtport = 16993
$amtrecallpassword = $false
$amtwebservicesonly = $false

$manageabilitystack = "C:\Program Files\Intel\Manageability Developer Tool Kit\Manageability Stack.dll"

[System.Reflection.Assembly]::LoadFile("$ManageabilityStack") | Out-Null
Write-Host "Connecting to $amthostname on port $amtport"
$amtdevice = New-Object ManageabilityStack.AmtSystem $amthostname,$amtport,$amtusername,$amtpassword,$amtrecallpassword,$amtwebservicesonly
$amtdevice.UseTls = $true
$amtdevice.WsManSupport = $true
Write-Host "TLS: $($amtdevice.UseTls), WsMan Support: $($amtdevice.WsManSupport)"

while ($amtdevice.State -eq "Connecting") {
    Start-Sleep 1
}
Write-Host "AMT device is in state $($amtdevice.State.ToString())"




Unfortunately that's all I can post for now, but I definitely plan on continuing work on this development!


Trevor Sullivan

Systems Engineer

OfficeMax Corporation

For those that have been watching my blogs over the last 3 months I have spent a lot of time on power management, what it means, how do you save $$’s, therefore this radio show means a lot to me as we are meeting with the key folks that I respect as the Power Pro’s.       Here’s the scoop: 


Tomorrow. Jeff Torello, Russ Pam & I will be talking with 4 of our key Power Management folks inside Intel.   Greg Boitano, Robert Reed, Jeff Tripp & Doug DeVetter. 


Time: 12:30PM PST (30 Min show)

Call-in Number:  (347) 326-9831



You can dial in to ask questions, chat with us, stream during the show or download from Itunes after.


I thought it would be good to include a # of case studies we have on this topic, therefore the team is pulling  the list together & I'll update this post this afternoon.


- Josh H

Ever turn on your PC and find out that the NTLDR file is missing? Do not fear, there is a solution! Here is a use case video used with SyAM (System Area Management) to demonstrate how to fix this issue.



