Intel® vPro™ and Intel®
Guide
Intel® Centrino® with vPro™ Technology
Intel® Core™2 Processor with vPro™ Technology
Centrino® Pro
Processor
Technology Quick
Start Guide
Based on Intel® Active Management Technology and HP Out-ofBand Manager v 4.0
Version 0.3
April 2009
Intel® vPro™ and Intel® Centrino® Pro Processor Technology Quick Start Guide
Contents
Preface.................................................................................................................................3
Intended Audience....................................................................................................................................................................................3
What This Document Contains...........................................................................................................................................................3
Process Overview..............................................................................................................4
Section 3 – Deploying Intel® vPro Using Enterprise Standard Mode
Provisioning........................................................................................................................5
Process Flowchart....................................................................................................................................................................................5
Intel vPro Enterprise Setup and Configuration Flow..............................................................................................................6
Step 1: Configure Existing IT Infrastructure..............................................................................................................................7
Step 2: Verify Intel vPro Client Windows Drivers....................................................................................................................8
Step 3: Install Intel SCS and HP OOBM Management Console...........................................................................................9
Step 4: Configure Intel vPro Client Authentication Settings..........................................................................................10
Step 5: Discover Intel vPro Clients through the Management Console ....................................................................15
Step 6: Test Intel vPro Client Functionality in HP OOBMC...............................................................................................16
Step 7: Post Configuration...............................................................................................................................................................17
Appendix A: Troubleshooting...................................................................................... 19
Appendix B: Glossary of Terms used in this guide................................................. 20
2
Intel® vPro™ and Intel® Centrino® Pro Processor Technology Quick Start Guide
Preface
This document provides the high level steps required to deploy desktop and notebook PCs with Intel®
vPro™ technology. It does not provide step-by-step procedures for completing those high level steps,
but instead provides links to more detailed information where such step-by-step procedures may be
found.
Note: Hewlett Packard* Out of Band Management (HP OOBM) software only supports Intel vPro
Enterprise mode provisioning. HP OOBM supports both the standard and advanced modes of Enterprise
mode provisioning. To get users started quickly, this guide will focus on Ent erprise standard mode only.
For the TLS advanced configuration, please refer to the HP OOBM manual.
Intended Audience
This Quick Start Guide is intended for Information Technology (IT) prof essionals, system integrators,
and other technical specialists with experience deploying computer systems and networking
technologies in an Information Technology environment. It is not intended for general audiences.
What This Document Contains
Section Description
Process Overview Provides a brief overview of the overall deployment process; lists high
level steps, including decisions to be made, which are explained in
more detail in subsequent sections.
Deploying Intel vPro Using Enterprise
Standard Mode Provisioning
Appendix A: Troubleshooting Provides information on correcting problems that may arise during
Appendix B: Glossary Provides a list of terms used in this document and their definitions.
Provides the overall steps to deploy Intel vPro based systems into your
IT environment using Enterprise Standard mode provisioning.
deployment.
3
Intel® vPro™ and Intel® Centrino® Pro Processor Technology Quick Start Guide
Process Overview
Intel® Active Management Technology1 (Intel® AMT) provides significant flexibility in order to meet the
needs of various customer environments. This flexibility requires that customers make a number of
decisions when planning and implementing their deployment of Intel AMT enabled systems.
The overall deployment process is shown below:
• Install or validate infrastructure component s (D NS, DHCP, SQL Server, etc.).
• Ensure required Windows* drivers (for SOL and IDE-R) are installed on Intel vPro clients.
• Install Intel
• Intel SCS and Intel vPro Setup: provides steps for setting up and configuring the SCS
Provisioning Server and the Intel vPro device.
• OOB Management Console Installation: specifies system requirements and tells you how to
install, configure, and start the OOB Management Console.
• Configure your management console to manage Intel vPro clients.
• Discover Intel vPro clients in your management console.
• Test Intel vPro client management functionality in your management console.
®
SCS and HP OOBM software.
• Perform post configuration steps (IT support process changes, maintenance procedures, etc.).
1. Intel® Active Management Technology (Intel® AMT) is a hardware-based technology that facilitates remote out-o f-band
management of computers by use of a small secondary processor located on the motherboard.
This out of band (OOB) controller has embedded firmware that runs on the Intel® Management Engine (Intel® ME), a separate
small ARC architecture processor built into either the North Bridge or NIC of the motherboard. The Intel AMT firmware is stored in
the same SPI flash memory component used to store the BIOS and is generally updated along with the BIOS.
4
Intel® vPro™ and Intel® Centrino® Pro Processor Technology Quick Start Guide
Section 3 – Deploying Intel® vPro Using Enterprise Standard Mode Provisioning
Process Flowchart
The following picture shows the overall process flow fo r provisioning Intel vPro client systems in
Enterprise (Standard and Advanced) mode. The steps for Enterprise Standard mode are described in
further detail in this section.
5
Intel® vPro™ and Intel® Centrino® Pro Processor Technology Quick Start Guide
Intel vPro Enterprise Setup and Configuration Flow
Prior to executing the steps for configuring the Intel v Pro components (Intel AMT and Intel ME) in
Enterprise standard mode, it is first important to understand the overall flow of the Enterprise mode
configuration process
In Enterprise mode, an Intel vPro machine receives its configuration settings over the network, once it
has been prepared with some initial setup information. The f o llowing diagram shows the modes or
states that an Intel vPro device passes through before it becomes operational.
Intel vPro Configuration States:
1. Factory State
– AMT disabled
– No network configuration
– No security credentials
2. Setup State
– AMT enabled
– Basic network configured
– Admin credentials loaded
3. Configured State
– AMT fully configured (e.g power policies)
– Security credentials fully loaded
– Ready for remote management
Factory State: An Intel vPro machine comes from the OEM in Factory State. In this state Intel AMT is
un-configured and not available for use by management applications. When an operator enters
information via the Intel Management Engine BIOS extension (Intel MEBX) manually or with the aid of a
USB storage device, the Intel vPro machine makes the transition into the setup state. See Step 3 –
Configure AMT Client BIOS for instructions on how to prepare an Intel vPro machine to receive its
configuration settings from a Setup and Configuration Server (SCS) which is part of HP OOBM
distribution.
SETUP
SETUP
(Pre--
Provisioning))
(Pre
Provisioning
CONFIGURATION
CONFIGURATION
(Provisioning)
(Provisioning)
Setup State: When an Intel vPro machine enters Setup State it waits for delivery of its configuration
settings from the SCS. After it enters setup mode, the Intel vPro machine periodically sends messages
to the SCS. When the SCS receives messages from the Intel vPro machine, it responds by delivering the
configuration settings and placing the device in Operational State.
Operational State: The Intel vPro machine enters Operational State once its configuration settings
have been supplied and committed. At this point the Intel vPro machine is ready to interact with HP
OOBM management applications.
6
Intel® vPro™ and Intel® Centrino® Pro Processor Technology Quick Start Guide
Step 1: Configure Existing IT Infrastructure
In order for an Intel vPro machine to be manageable, it must become known to the management
console. The process by which this occurs is called “provisioning”. Enterprise setup (pre-provisioning)
requires a series of steps that are performed on both the Intel vPro clients and the SCS in order to
prepare the client for provisioning over the network by the SCS (which acts as the provisioning server
for the Intel vPro clients).
Intel vPro Integration Points with IT Infrastructure Components
The following diagram shows the interaction w ith the different network elements. Each will be
discussed briefly in order to understand the integration requirement.
Manages
Management
Console
Intel®vPro™
Clients
Registers
DHCP
Updates
Manages
Core Server
Configuration Server
CA Server
Requests
SQL DB
DNS
DHCP Server: When an Intel vPro machine enters setup state, the default IP addressing scheme is
DHCP (that is, use DHCP to obtain an IP address). The Intel® Management Engine (Intel® ME) also
uses the DHCP server to help dynamically update the DNS server with its network address information.
The DHCP server must support Option 81 to register network address information into the DNS server
on behalf of the Intel ME. Option 15 should also be enabled in the DHCP Scope Options to allow the
DNS to resolve host queries after IP address changes.
DNS Server: The DNS Server is used by network devices such as Management Consoles to locate
address information for Intel vPro clients in order to contact them and manage them. The Intel vPro
clients may also use the DNS server during the provisioning configuration phase to locate the provision
server and request their configuration information, as explained below.
Once configured to the setup state, Intel AMT makes a DNS request for the name "ProvisionServer"
(unless you choose to configure the client’s BIOS manually). If the requested name cannot be resolved
by the DNS server, then a second request is made for "ProvisionServer.DomainName." Intel AMT
expects to either find the IP address of the provision server in this way, or by havin g it set explicitly in
the Intel MEBX configuration process (Step 4: Configure Intel vPro Client A
10). The Intel Management Engine BIOS Extension (Int
el MEBX) is an option ROM module extension to
uthentication Settings, page
the system BIOS, provided to the OEM by Intel. The Intel MEBX allows you to configure settings that
7
Intel® vPro™ and Intel® Centrino® Pro Processor Technology Quick Start Guide
control the operation of the Management Engine which runs on the Intel AMT client. For more
information on Intel MEBX, see the Intel Management Engine BIOS Extension User’s Guide.
Step 1a: Manually register the “provision server” entry into the DNS server.
Manually resister the “provision server” entry into the DNS server.
Step 1b: Set Firewall/Router Ports Open for Management Traffic
Intel AMT requires certain ports to be “open” in order to allow management traffic through them. The
Intel AMT ports are 16992 (non-TLS), 16994 (non-TLS redirection),– these are IANA-assigned ports
which Intel purchased. They cannot be changed. Port 9971 is used in Enterprise mode to listen f or
“Hello” packets. This port is configurable in the SCS console.
Step 1c: Database Server Integration:
Intel vPro machines will have information about them (inventory) stored in a repository used by the
management console. With HP Software management products, Microsoft SQL 2005 is the primary
choice.
Step 2: Verify Intel vPro Client Windows Drivers
The following Intel AMT drivers, which are digitally signed by Intel and compatible w ith Microsoft
Windows* operating systems (including Windows 2000, Windows XP, and Windows Vista*), are required
on the Intel vPro client platform. Obtain these drivers from your client system manufacturer’s driver
and download support pages (most client drivers and Intel MEBX updates are contained on the same
support web page by the OEM).
• Intel Management Engine Interface (Intel MEI) driver -- Provides a secure local
communications interface between the host operating system and the Intel ME via the Intel MEI.
• Serial-over-LAN (SoL) driver -- Enables a COM port for VT100 or ANSI remote sessions prior
to graphic interface when the operating system loads. You can view and send commands to a
remote client prior to the operating system loading, including en tering into the BIOS, viewing
POST, etc.
• Local Management Service (LMS) driver –Provides an interface enabling local management
software agents to communicate with the Intel Management Engine using the same high-level
protocols as those used for remote management (e.g. XML, SOAP). When first loaded, the driver
will cause a pop-up to occur to confirm that Intel AMT is running. The pop-up can be disabled. As
the Intel AMT firmware is updated, this driver is most likely to require a coordinated update as
new features are enabled. The driver also checks for consistency of the Intel AMT hostname and
the operating system host name.
8
Intel® vPro™ and Intel® Centrino® Pro Processor Technology Quick Start Guide
It is recommended that the HP OOBMC client agent also be installed, although it is not required. This
agent will communicate with the Intel AMT watchdog timer on the client local system in order to provide
the agent present functionality. The agent software “oobmclocalagent.msi” is located in LocalAgent subdirectory in the HP OOBM software distribution. A manual installation is recommended for a small
number of test systems. There are other ways to install this agent software automatically, which are
described in the HP OOBM Console Guide (OVCOutOFBandMgtConsoleGuide.pdf) under Chapter 2,
“Installing the Local Agent”.
Step 3: Install Intel SCS and HP OOBM Management Console
The following two software packages need to be installed:
• Setup and Configuration Server (SCS): includes the installation executables ATMConfServer.exe
for the server portion and AMTConsole.exe for the console. For details on the SCS installation,
please refer to “Intel_AMT_SCS_Installation_Guide.pdf” Part 9-10. Note that the SCS software is
available in the HP OOBMC distribution under the SetupConfService folder.
• HP Out-of-Band Management Console (HP OOBMC): Please refer to the HP OOBMC guide
(OVCOutOFBandMgtConsoleGuide.pdf) Chapter 3 “Installing the OOBM Management Console” for
details on installing the HP OOBM software.
After the SCS and OOBMC are installed, a vPro profile needs to be created. A profile allows configuration
of multiple Intel AMT platforms with certain configur ation properties. A profile defines the security
settings of the communication with the platform, the network environment, and more. For a quick start,
a basic profile is created with minimum settings. For the detail and screen shots, please refer to
“Intel_AMT_SCS_Console_Guide.pdf” Part 4 “Creating and Changing Profiles”.
1. In the Console tree, right-click the Profiles element and choose Add Profile. Alternat ively, in the
Welcome window, click Create a Profile. The Profile Creator wiz ard opens.
2. Click Next. The New SCS Profile Wizard opens, displaying the Before You Begin section, wh ich
contains information on creating profiles.
3. In the Basic Settings section, click General and enter Profile Name and Description area.
4. Checked ACL in the Profile Components section, the wizard displays the Access Control List
(ACL) settings.
a. To add a new user, Click Add. The ACL Details window opens.
b. To create a digest users, Select Digest User in the User Type section. Enter the user
name and password, and confirm the password. Then, select PT_administration right to
this user and Apply the setting.
During the Intel vPro system provision stage, the Intel vPro systems need to be connected through a
wired network. For Intel Centrino vPro systems, the WiFi option needs to be added so that the wireless
systems can be managed after being provisioned. Please refer to Intel_AMT_SCS_Console_Guide
“Configuring WiFi” section for the detail.
9
Intel® vPro™ and Intel® Centrino® Pro Processor Technology Quick Start Guide
Step 4: Configure Intel vPro Client Authentication Settings
In Enterprise mode, configuring the authentication settings on the Intel vPro clients can be performed in
either of the following three ways:
• Remote Configuration (Intel AMT 3.0 or higher) – Step 4A below
• OEM pre-configuration – Step 4B below
• One-touch configuration (using a USB thumb drive or manual entry) – Step 4C below
Step 4A: Remote Configuration (Intel AMT 3.0 or higher) – Factory State to Configured
State
Remote Configuration uses matching certificate hashes on the Intel vPro clients and the provisioning
server to authenticate interaction between the clients and the server. Once the client and server
authenticate each other (i.e., the certificate hashes match), the provisioning server automatically
begins provisioning the client.
With Remote Configuration, you have two choices:
• Use your own root certificate, if you already have one
• Use one of the certificate hashes provided with Intel vPro (i.e., already on the client systems)
Using your own root certificate: If you already have a root certificate on your SCS server, then you
need to do one of the following:
• instruct your Intel vPro client manufacturer (OEM) to place a matching certificate hash on each
Intel vPro client during manufacture
• manually enter the matching certificate hash using t he Intel MEBX on each Intel vPro client
before deployment
If you instruct your OEM to load the certificate hashes onto y o ur Intel vPro clients, the clients will
already have a certificate hash that matches the existin g root certificate on your provisioning server
when they arrive. This will allow Intel vPro clients to establish a secure communication channel to
exchange the certificate information to ensure the authenticity of the Intel vPro clients. But the
provisioning process still depends on the Intel vPro Technology Activator to initiate the process.
The Intel® vPro™ Technology Activator Utility is the next generation of th e Remote Configuration tool.
A Windows executable that runs locally on an Intel AMT enabled platform, the Activator does the
following:
• Simplify the process of configuring the Intel vPro systems via Intel SCS
• Facilitate initial Intel AMT configuration or policy change
• Address the following scenarios:
o Intel vPro failure to find the Setup and Configuration server in the network
o Expiration of Intel vPro 'hello' messages
• The configuration server must get the parameters necessary to start the Intel vPro configuration
process
10
Intel® vPro™ and Intel® Centrino® Pro Processor Technology Quick Start Guide
o Intel vPro system becomes unreachable if OS/AMT host names go out of sync
o Some Intel vPro systems are shipped with management mode disabled. Remote
Configuration must be enabled by a local software tool
For more information about the Activator, see the Intel® vPro™ Technology Activator Utility user guide
which is available at http://software.intel.com/en-us/articles/intel-vpro-technology-activator-utility/
,
.
Skip to Step 5: Discover Intel vPro Clients through
the Management Console, on page 15.
Using one of the certificates provided with Intel vPro: If you want to use one of the certificates
provided with Intel vPro, you will need to purchase a matching root certificate, and load it onto your
SCS server. Once a matching root certificate is present on the provisioning server, the Intel vPro clients
will automatically authenticate themselves with the provisioning server at power on, and will then
automatically be provisioned by the provisioning server.
The certificates are purchased from one of the approved Certificate Authority (CA) vendors, such as
VeriSign, Comodo, Go Daddy, and Starfield. Check with your OEM to see which of these CA vendors
they support. The detail steps to purchase the certificate is available at
http://communities.intel.com/docs/DOC-1916
.
Once the pending certificate request has been completed with the .CER file provided, the target website
used for this process has been assigned the issued certificate. In addition, a backup copy of the
certificate is recommended.
In SCS 5.0, which is part of the HP OOBMC 4.0 distribution, the loadcert.exe is no longer needed.
Therefore it is not necessary to run the last step “Run LoadCert.exe to Complete the Certificate Process”
of the certificate import procedure described in the http://communities.intel.com/docs/DOC-1916
.
For more about how remote configuration works, please refer to Intel_AMT_SCS_Console_Guide.pdf,
Appendix A.
If you want to use one of the certificates provided with Int el vPro, the clients will already have a
certificate hash that matches the purchased root certificate on your provisioning server. This will allow
Intel vPro clients to establish a secure communication channel to exchange the certificate information to
ensure the authenticity of the Intel vPro clients. But the provisioning process still depends on the Intel
vPro Technology Activator to initiate the process, which is described in th e previou s section “Using
your own root certificate”. For more information about the Activator, see the Intel® vPro™
Technology Activator Utility user guide, which is available at the following website:
http://software.intel.com/en-us/articles/intel-vpro-technology-activator-utility/.
Skip to Step 5: Discover Intel vPro Clients through
the Management Console, on page 15.
11
Loading...