Configuring Intel vPro devices

Devices equipped with Intel vPro functionality should be configured when they are first set up and powered on, to enable Intel vPro features. This process includes several security measures to ensure that only authorized users have access to the Intel vPro management features.

Intel vPro devices communicate with a provisioning server on the network. The provisioning server listens for messages from Intel vPro devices and lets IT staff manage those devices through out-of-band communication, regardless of the state of the device's OS. The core server acts as the provisioning server for Intel vPro devices and includes features that help you provision devices when you set them up. You can then manage the devices with or without additional management agents.

This section outlines a recommended process for configuring new Intel vPro devices. During this process you will use Management Suite to generate a set of provisioning IDs (PID and PPS). These IDs are entered in the device BIOS to ensure a secure connection with the provisioning server during the initial provisioning process. This "one-touch" process can be used to configure devices with release 2.0 and later.

Devices with release 2.2/2.6 and later can also be configured using remote configuration (also referred to as zero-touch provisioning). This process does not require the transfer of PID/PPS IDs, but is initiated automatically after the device's "hello" packet is received by the provisioning server (core server) or after a LANDesk management agent is deployed on the Intel vPro device. An Intel Client Setup certificate from an authorized certificate vendor must be installed on the core server to use remote configuration.

For devices with Intel vPro release 3.0 and later, a "bare metal" or agentless remote configuration is also supported.

Devices with Intel AMT version 1.0 use a similar process but don't use the PID and PPS keys. For details, see Discovering Intel AMT 1.0 devices.

NOTE: The information in this section is a general description of the Intel vPro configuration process. Individual manufacturers implement Intel vPro functionality in different ways, and there may be differences in such areas as accessing the Intel AMT or ME BIOS screens, resetting the device to factory mode (unprovisioning), or the way PID/PPS key pairs are provided. Consult the documentation and support information provided by the device manufacturer before you begin the configuration process.

This section includes information about:

  One-touch provisioning for Intel vPro devices
  Importing and exporting key files using a USB drive
  Using static IP addresses with Intel vPro devices
  Remote configuration (zero-touch provisioning)
  Obtaining and installing an Intel Client Setup Certificate
  Discovering Intel AMT 1.0 devices

One-touch provisioning for Intel vPro devices

This section describes the process of using one-touch provisioning for Intel vPro 2.0 and later.

When an Intel vPro device is received, the IT technician assembles the computer and powers it on. After powering on the device, the technician logs in to the BIOS-based Intel ME (Management Engine) Configuration Screen and changes the default password (admin) to a strong password. This allows access to the Intel AMT Configuration Screen.

In the Intel AMT Configuration Screen, the following pre-provisioning information is entered: the PID/PPS key pair, the address and port of the provisioning server, and the new Intel AMT password. Each item is described below.

The PPS is a secret shared by the provisioning server and the managed device. For security reasons it is never transmitted on the network, so it must be entered manually on the device (at the Intel AMT Configuration Screen). PID/PPS pairs are generated by Management Suite and stored in the database. You can print a list of generated ID pairs for use in provisioning, or you can export the ID pairs to a key file on a USB drive.

The IT technician should enter the IP address of the Management Suite core server as the Provisioning Server and specify port 9971. If no address is entered, the Intel vPro device instead broadcasts its "hello" messages, which the configuration server can receive only if it is listening on port 9971.

The default username and password for accessing the Intel AMT Configuration Screen are "admin" and "admin". The username stays the same, but the password must be changed during the provisioning process to a strong password. The new password is entered in the Intel vPro general configuration dialog, as described in the procedural steps below. After each device is configured you can change the password individually per device, but for provisioning purposes you use the password that is found in the general configuration dialog.

After the above information is entered in the Intel AMT Configuration Screen, the device sends “hello” messages when it is first connected to the network, attempting to communicate with the provisioning server. If this message is received by the provisioning server, the provisioning process will begin as the server establishes a connection with the managed device.

When the core server receives the hello message and verifies the PID, it provisions the Intel vPro device to TLS mode. TLS (Transport Layer Security) mode establishes a secure channel of communications between the core server and the managed device while the provisioning is completed. This process includes creating a record in the database with the device's UUID and encrypted credentials. When the device's data is in the database, the device appears in the list of unmanaged devices.

When an Intel vPro device has been provisioned by the core server, it can be managed using only Intel vPro functionality. To do this, you can select it in the list of unmanaged devices and add it to your managed devices. You can also deploy management agents to the device to use additional management features.

The recommended process for provisioning Intel vPro devices is as follows. Specific instructions for items 1 and 2 are given in the following procedural steps. If you choose to provision devices with a key file on a USB drive, steps 3-5 below are replaced with the steps described in the section below titled Importing and exporting key files using a USB drive.

  1. Specify a new, strong password for provisioning Intel vPro devices. (See detailed steps below).
  2. Generate a batch of Intel vPro provisioning IDs (PID and PPS). Print the list of keys or export them to a USB drive. (See detailed steps below).
  3. Log in to the device's Intel ME Configuration Screen from the BIOS and change the default password to a strong password.
  4. Log in to the Intel AMT Configuration Screen. Enter a PID/PPS key pair from the list of provisioning IDs that you printed. Enter the IP address of the core server (provisioning server), and specify port 9971. Make sure Enterprise mode is selected for provisioning. Enter the host name of the Intel vPro device.
  5. Exit the BIOS screen. The device will begin sending “hello” messages.
  6. The core server receives a "hello" message and checks the PID against the list of generated keys. If there is a match, it provisions the device.
  7. The device is added to the unmanaged device discovery list.
  8. Select the device and add it to your managed devices (click Target on the toolbar, click the Manage tab, then click Move). You can choose to manage it as an agentless device, or you can deploy management agents to it for additional management features.

To set the Intel vPro password
  1. On the core server, click Configure > Intel vPro options > General configuration.
  2. Under Setup and Configuration, type a strong password and confirm the password.
  3. If you have Intel vPro devices that are already being managed and you want to use the same configuration password for those devices, select the Synchronize this password option.
  4. If you have a highly secure configuration environment and prefer not to use TLS mode for configuring new devices, select the Use non-TLS communications option (we recommend that you use TLS mode).
  5. Click OK.

The new password must be entered here before you can generate a batch of provisioning IDs.

To generate a batch of Intel vPro provisioning IDs
  1. Click Configure > Intel vPro options > ID Generation.
  2. Type the number of IDs to generate (generally the number of devices you plan to provision).
  3. If you want to use a different prefix for the PIDs, type it in the PID prefix text box. This prefix can only contain uppercase alphabetic characters and numerals in the ASCII character set. You can enter a maximum of 7 characters for a prefix.
  4. Type a batch name to identify this group of generated IDs (optional).
  5. Click Generate IDs.
  6. After the IDs have been generated, click Print ID list to print the list of IDs. (Only the IDs currently shown in the list are printed.) The Windows print dialog box opens; select a printer and click Print.
  7. To view all IDs that have been previously generated, select Show all in the View batch IDs drop-down list.
  8. To view one batch of generated IDs, select the batch name in the View batch IDs drop-down list.

The provisioning keys are stored in the database for future reference as you provision new Intel vPro devices. As the devices are provisioned and the provisioning keys are consumed, the Generate Intel vPro IDs page will display shading for the IDs that have been consumed, so you can track which IDs have been used.

A PID prefix is added for your convenience in identifying the IDs as PIDs, but you are not required to use a prefix. We recommend using 0-4 characters; you can use a maximum of 7 characters for the prefix.

To identify batches of provisioning keys, specify a batch name. This should be a descriptive name that indicates which devices the IDs apply to. For example, you could generate batches for each organization in your company and name the batches Development, Marketing, Finance, and so forth. If you later want to view the generated IDs for one batch, select the batch name in the View batch IDs drop-down list to see a list with only those IDs.

Errors in the provisioning process

If you enter a PID and PPS that are not paired correctly (i.e., the PPS is paired with the wrong PID), you will see an error message in the alert log and provisioning will not continue with that device. You will need to restart the device and re-enter a correct PID/PPS pair in the Intel AMT Configuration Screen.

If the Intel AMT Configuration Screen displays an error message as you type a PID or PPS, you have mistyped the value. The screen validates a checksum on each PID and PPS as it is entered, so a typing error is rejected on the device before any "hello" message is sent.
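The core-side bookkeeping described above (generating a batch of PID/PPS pairs under a prefix, shading consumed IDs, handing IDs to a key file, and rejecting an unknown, reused, or mispaired PID at "hello" time) as an added example. This is illustrative code, not LANDesk's or Intel's; the PID and PPS layouts, the `state` values, the way the device's PPS is compared (a stand-in for the pre-shared-key TLS handshake that really proves the pairing), and all function names are assumptions for illustration only.

```python
import hmac
import secrets
import string
from dataclasses import dataclass

# Page rule: a PID prefix may contain only uppercase ASCII letters and numerals.
PID_ALPHABET = string.ascii_uppercase + string.digits
PID_BODY_LENGTH = 8     # assumption: random characters appended to the prefix
PPS_HEX_LENGTH = 32     # assumption: 32 hex characters, shown in groups of 4


@dataclass
class ProvisioningID:
    pid: str
    pps: str
    batch: str
    state: str = "available"    # "available", "exported" (on a key file), "consumed"


class IDStore:
    """Stand-in for the core database table of generated PID/PPS pairs."""

    def __init__(self):
        self.ids = {}       # pid -> ProvisioningID
        self.alerts = []    # stand-in for the alert log

    @staticmethod
    def valid_prefix(prefix):
        # Page rules: at most 7 characters, uppercase ASCII letters/digits only.
        return len(prefix) <= 7 and all(c in PID_ALPHABET for c in prefix)

    def generate_batch(self, count, prefix="", batch="default"):
        if not self.valid_prefix(prefix):
            raise ValueError("PID prefix must be 0-7 uppercase ASCII letters/digits")
        if count < 1:
            raise ValueError("count must be at least 1")
        made = []
        while len(made) < count:
            body = "".join(secrets.choice(PID_ALPHABET) for _ in range(PID_BODY_LENGTH))
            pid = prefix + body
            if pid in self.ids:          # collision with an earlier batch: draw again
                continue
            # The PPS is the shared secret, so it comes from a CSPRNG, never a counter.
            raw = secrets.token_hex(PPS_HEX_LENGTH // 2).upper()
            pps = "-".join(raw[i:i + 4] for i in range(0, PPS_HEX_LENGTH, 4))
            rec = ProvisioningID(pid, pps, batch)
            self.ids[pid] = rec
            made.append(rec)
        return made

    def available(self, batch=None):
        return [r for r in self.ids.values()
                if r.state == "available" and (batch is None or r.batch == batch)]

    def export_for_usb(self, count):
        """Hand `count` unused pairs to a key file and shade them so the ID list
        will not offer them for other devices (they stay valid for a hello)."""
        picked = self.available()[:count]
        if len(picked) < count:
            raise ValueError("not enough available IDs")
        for r in picked:
            r.state = "exported"
        return [(r.pid, r.pps) for r in picked]

    def handle_hello(self, uuid, pid, pps_from_device):
        """Decide whether a hello message may start provisioning.
        Every failure goes to the alert log and leaves the ID untouched."""
        rec = self.ids.get(pid)
        if rec is None:
            self.alerts.append(f"{uuid}: unknown PID {pid}")
            return False
        if rec.state == "consumed":
            self.alerts.append(f"{uuid}: PID {pid} already consumed")
            return False
        # Constant-time comparison; stands in for the TLS-PSK proof of the pairing.
        if not hmac.compare_digest(rec.pps, pps_from_device):
            self.alerts.append(f"{uuid}: PID/PPS mismatch for {pid}")
            return False
        rec.state = "consumed"
        return True


if __name__ == "__main__":
    store = IDStore()
    batch = store.generate_batch(3, prefix="DEV", batch="Development")
    # Constructed hello from a device whose technician typed the first pair.
    print(store.handle_hello("uuid-0001", batch[0].pid, batch[0].pps))   # True
    print(store.handle_hello("uuid-0002", batch[1].pid, batch[2].pps))   # False, mispaired
    print(store.alerts)
```

A mispaired PID/PPS is logged and never consumes the ID, which matches the page's recovery step of simply re-entering a correct pair on the device; a reused PID is refused outright, so a key file that leaks after use cannot be replayed to enrol a second machine under an already-provisioned identity.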

Importing and exporting key files using a USB drive

You can generate provisioning IDs and export them to a key file for use in provisioning Intel vPro devices with a USB drive. The exported IDs are saved to a setup.bin file that you can copy to a USB drive. With that USB drive you can automatically populate the PID/PPS fields in the Intel AMT BIOS as you provision new Intel vPro devices, before you discover and manage them.

If a device manufacturer provides you with a set of provisioning IDs for the Intel vPro devices you have purchased, you can import those provisioning IDs into the core database so that the core server will recognize those devices as Intel vPro devices and discover them automatically.

These two processes are described below.

Exporting provisioning IDs for use with a USB drive

Management Suite generates provisioning IDs (PID/PPS pairs) that you use to provision new Intel vPro devices. You can print a list of the generated IDs and enter them manually when you provision each device. Alternately you can export the IDs to a setup.bin key file, save that file on a USB drive, and then use the USB drive to provision the devices. This can reduce errors in provisioning because you don’t need to type the IDs manually at each device.

The USB drive you use must be in FAT-16 format for this process to work.

The setup.bin file is created with a specific key file format defined by Intel. When you provision the new Intel vPro device, you connect the USB drive to the device and reboot it. During the boot process a pair of provisioning IDs (PID and PPS) is taken from the setup.bin file and entered into the device's Intel AMT BIOS. When the device sends its “hello” message on the network, the core server will recognize it and be able to communicate securely with it because the provisioning IDs are found in the core database.

To export a batch of provisioning IDs for use with a USB drive
  1. Click Configure > Intel vPro options > Import/Export.
  2. Select Export AMT IDs to setup.bin file.
  3. For Intel vPro 2.5 or later devices, enter the password you use to access the Intel ME Configuration Screen.
  4. Type a number in the Number of IDs text box to specify how many IDs to export.
    You must enter at least "1" in this field. The maximum number you can enter is the number of available IDs indicated next to the Export AMT IDs to setup.bin file option.
  5. Specify the location of the setup.bin file. Click Browse and select the drive and path where you want the file saved.
    You can save the file to any location and then copy the file to a USB drive, or you can simply specify the location of the USB drive if it is connected to the core server. To use the setup.bin file for provisioning, the file must be saved to the root directory of the USB drive.
  6. Click Apply.
    The dialog box remains open until you click Close.

NOTE: The IDs you generate are listed with other IDs you have generated on the Generate Intel vPro IDs page. The IDs will be shaded in the list to indicate that they are not available for provisioning other devices.

To use exported provisioning IDs on new Intel vPro devices
  1. Export a batch of provisioning IDs as described above, and save the setup.bin file to the root directory of a USB drive.
  2. At each new Intel vPro device, connect the USB drive to the device and reboot it.

As the device boots, it accesses the setup.bin file and takes an available provisioning ID pair (PID and PPS) for use in the provisioning process. It then marks the provisioning ID pair as used so it will not be used by another device. The next device you provision will then take the next available provisioning ID pair.

Note that for this process to work correctly, the default username and password for accessing the Intel AMT BIOS must not have been changed (the default is typically admin/admin). You should not have already entered provisioning IDs on the device.

Importing provisioning IDs from a key file to the core database

If a device manufacturer provides you with a set of provisioning IDs for the Intel vPro devices you have purchased, you can import those provisioning IDs into the core database so that the core server will recognize those devices as Intel vPro devices and discover them automatically. The manufacturer supplies these IDs in a setup.bin key file when you purchase the devices.

To import the IDs into the core database, browse to the location of the setup.bin file that the manufacturer provided (this can be on a CD or DVD, or you can copy the file to any drive). After these IDs are saved to the database, when you start up the Intel vPro devices and they send a “hello” message, the core server recognizes them and discovers the devices.

To import provisioning IDs from a key file to the core database
  1. Click Configure > Intel vPro options > Import/Export.
  2. Select Import from USB key file.
  3. In the Specify the location for setup.bin text box, enter a path or browse to the folder that contains the setup.bin file.
  4. Click Apply.

The provisioning IDs are added to the core database and are listed on the Generate Intel vPro IDs page.

Using static IP addresses with Intel vPro devices

Because Intel vPro devices have two components that are assigned an IP address, the Intel vPro chip and the device's operating system, you can potentially have two entries in your list of discovered devices for the same Intel vPro device. This happens only when you use static IP addresses rather than DHCP.

To use static IP addresses with Intel vPro devices, the Intel vPro firmware should be configured with its own MAC address. (For instructions on how to re-install the firmware and configure it properly, contact Intel.)

Once configured, the Intel vPro firmware has a different MAC address, IP address, and host name than the device OS. To manage such devices correctly, follow the guidance below for DHCP and static IP addresses:

If an Intel vPro 2.x machine is provisioned in Enterprise mode, the only way to communicate with it is via the “hello” packet being sent to the setup and configuration server. After the machine is managed by LANDesk software, Intel vPro operations may be performed on it like normal. What you should not do is discover and manage the OS IP address; otherwise you will have two computer entries that represent the same computer. Because the only common identifier between the two devices is the AMT GUID, and because the AMT GUID can't be found remotely for the OS device, the two entries can't be merged.

If you want to install the LANDesk agents, you can't push the agents, because the only IP address in the database is the Intel vPro IP address, and the push utility needs access to the OS. Instead, the agents need to be pulled (from the managed Intel vPro device) by mapping a drive to LDLOGON on the core server and running ServerConfig.exe.

Before pulling the agents, we recommend changing a setting in the Configure Services utility:

  1. Click Start > All Programs > LANDesk > LANDesk Configure Services.
  2. On the Inventory tab, click Device IDs to manage duplicate records.
  3. In the Attributes List, expand AMT Information.
  4. Scroll down and move the AMT GUID attribute to the Identity Attributes list.

    This will force the AMT GUID to be one of the attributes that can uniquely identify a computer.

After you change this setting, when the Inventory scan from the managed Intel vPro device is imported into the database, the Inventory service matches the Intel AMT GUID from the device that’s already in the database with the OS information in the scan file.
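The matching rule the Inventory service applies after this change, as an added example that is not LANDesk code: a scan is merged into an existing record only if one of the configured identity attributes is present in both and equal. The record and scan contents, the default identity-attribute list, and the function names are constructed for illustration only.

```python
# Constructed records for illustration; attribute names are assumptions.
AMT_RECORD = {            # created by the core when the firmware's hello was provisioned
    "AMT GUID": "3f2a9c10-7d4e-4b61-9e2f-0c5d8b7a6e11",
    "AMT IP": "10.0.0.51",
    "AMT MAC": "00:1B:21:AA:BB:01",
    "AMT Hostname": "ws-amt-0042",
}
OS_SCAN = {               # inventory scan pulled from the OS after running ServerConfig.exe
    "Hostname": "ws-0042",
    "IP Address": "10.0.0.52",
    "MAC Address": "00:1B:21:AA:BB:02",
    "AMT GUID": "3F2A9C10-7D4E-4B61-9E2F-0C5D8B7A6E11",   # same GUID, different case
}
# Assumed stand-in for the default Identity Attributes list (AMT GUID not included).
DEFAULT_IDENTITY_ATTRS = ["Device ID", "MAC Address", "IP Address"]


def _norm(value):
    """Compare identifiers case-insensitively, as GUIDs and MACs vary in case."""
    return value.upper() if isinstance(value, str) else value


def merge_scan(devices, scan, identity_attrs):
    """Return the existing record that `scan` updated, or the new record that
    had to be created because no identity attribute matched."""
    for dev in devices:
        for attr in identity_attrs:
            if attr in dev and attr in scan and _norm(dev[attr]) == _norm(scan[attr]):
                dev.update(scan)          # merge OS facts into the AMT-discovered record
                return dev
    new_record = dict(scan)
    devices.append(new_record)
    return new_record


def record_count_after_scan(identity_attrs):
    """Number of device records after the OS scan is imported."""
    devices = [dict(AMT_RECORD)]
    merge_scan(devices, dict(OS_SCAN), identity_attrs)
    return len(devices)


if __name__ == "__main__":
    print(record_count_after_scan(DEFAULT_IDENTITY_ATTRS))                  # 2: duplicate
    print(record_count_after_scan(DEFAULT_IDENTITY_ATTRS + ["AMT GUID"]))   # 1: merged
```

Without AMT GUID in the identity list the firmware record and the OS record share no comparable attribute (different IP, MAC and host name), so the scan lands as a second machine; with it, the OS facts are folded into the record the core already holds.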

Remote configuration (zero-touch provisioning)

This section describes the process for remote configuration of devices with Intel vPro 2.2/2.6 and later.

Remote configuration lets you configure a device in a factory default state through the setup process and then add an Intel AMT profile to make the device ready for out of band management. When the device is first powered on and connected to a network, it begins sending "hello" messages to the Setup and Configuration Server (when you manage devices with LANDesk products, the core server acts as the Setup and Configuration Server). If the Setup and Configuration Server is running, it establishes a secure connection with the Intel vPro device and begins the configuration process.

When this process is successful, the device is added to the list of discovered devices and can then be managed from the core server. Limited management is available with only the Intel vPro functionality, or a management agent can be deployed to the device for full management features.

Remote configuration has two requirements:

Delayed provisioning

If an Intel vPro device is powered on but does not receive a response from the Setup and Configuration Server after a certain period of time (typically 6 to 12 hours, depending on the manufacturer's settings), it stops sending hello packets and waits. At this point Intel vPro functionality is not enabled on the device.

To provision a device in this state, you can install the standard LANDesk management agent on the device. When the agent determines that the device has Intel vPro capabilities, it enables Intel vPro functionality on the device and calls a Web service on the core server, which then receives the device's "hello" packet. The provisioning process is then initiated from the core server.

Bare metal provisioning

Intel vPro 3.0 and later devices support a bare-metal (or agentless) approach to remote configuration. With the Setup and Configuration Server correctly set up, a DNS entry, and the correct certificate installed on the core server, the configuration process is completed without the use of agents.

NOTE: If an Intel vPro device is powered on but does not begin sending "hello" messages as described above, remote configuration may not be enabled on the device. This is dependent on the manufacturer enabling remote configuration by setting Manageability Mode to "AMT" on the device. If this appears to be the case, you can deploy a LANDesk management agent to the device to enable the Intel vPro functionality and begin provisioning the device as described under "Delayed provisioning" above.

Obtaining and installing an Intel Client Setup Certificate

An Intel Client Setup Certificate is required on every Setup and Configuration Server. The certificate is valid for one namespace on one domain, so if your core server is used on multiple namespaces within a domain you need to purchase a certificate for each namespace.

The certificate must be purchased from an approved certificate vendor and must be one of the supported certificate classes. The following table lists the vendors and certificate classes supported for LANDesk products, by device manufacturer.

NOTE: Before you purchase a certificate, verify in the vendor's documentation or support information which certificates are supported on your device.

Vendor/Certificate class          Intel devices   Acer devices   Lenovo devices
Go Daddy class 2 CA               X               X              X
VeriSign class 3 Primary CA-G3    X               X              X
VeriSign class 3 Primary CA-G1    X               X              X
Comodo AAA CA                     X               X
Starfield class 2 CA                                             X

When you purchase a certificate you need to provide a CSR (certificate signing request) file. A LANDesk utility generates this file together with a private key file. After you receive the certificate files from the vendor, you save the private key file in a directory together with the vendor's root certificate and the certificate issued for your domain. This procedure is described below.

To obtain an Intel Client Setup Certificate
  1. Select a vendor and log in to the vendor's web site.
  2. Generate a CSR file and private key: In the \Program Files\LANDesk\ManagementSuite\amtprov directory, run AMTProvMgr2.exe with the following arguments:
    AMTProvMgr2.exe -domainName [domain name] -country [2-letter country code] -state [state name] -city [city name] -organization [organization name]
    The arguments you need to provide may vary depending on the certificate vendor. The domain name you specify should include a namespace. For help information about the arguments and this executable, run the executable from a command prompt with the -h argument.

    This executable saves two files to the amtprov directory: certreq.csr (certificate signing request) and corecakey.pem (a private key file).
  3. Open the certreq.csr file in a text editor and copy the contents.
  4. At the vendor's web site, paste the contents of the certreq.csr file into the field provided, and complete the application for the certificate.

    After your certificate request is processed the vendor will send you two files: a root certificate file (a common or public file) and a certificate file for the domain you specified.
  5. Copy the vendor's root certificate file and rename the copy trusted_cert.pem.
  6. Copy the vendor's certificate file for your domain and rename the copy corecacert.pem.
  7. Save the above two files, along with the corecakey.pem file (generated in step 2 above), to the folder LDMAIN\amtprov\certStore\cert_1. You can store up to eight certificates in subfolders named cert_1, cert_2, and so on.
  8. If you have additional consoles, copy these three files to the same folder path on each additional console.

corecakey.pem is the private key that authenticates your Setup and Configuration Server to every Intel vPro device it configures. Restrict access to the certStore folders to the accounts that need it, and treat each additional console you copy the key to as another place the key can be stolen from.

Discovering Intel AMT 1.0 devices

When you run a device discovery scan, Intel AMT version 1.0 devices are discovered and added to the Intel vPro folder in the Unmanaged devices list. The devices are recognized as Intel AMT devices if they have been configured with a secure password that replaces the default set by the manufacturer.

When you add a secure password at the Intel AMT Configuration Screen, you can also enter the IP address of the provisioning server and specify port 9971, as is done with Intel vPro 2.x devices. However, no PID/PPS pairs are used in provisioning Intel AMT 1.0 devices. If you specify a provisioning server IP address, the core server acts as a provisioning server and you can manage the device as an agentless device.

Note that Intel AMT version 1.0 does not provide the same level of security as Intel vPro version 2.x. Intel recommends that devices with version 1.0 be configured on an isolated, secure network. After configuration is complete, they can be moved to a less secure network for management.