Have you ever wondered what that word 'vPro' means for you? You will see it on the Intel sticker that is stuck to your laptop or workstation.
It may look something like this:
The feature within vPro is called KVM (Keyboard-Video-Mouse). It is available in firmware versions 6.02 and onwards. You can upgrade 6.01 to 6.02. The chipset has a VNC server on it, which allows you to remote control the system regardless of the operating system.
You can use multiple applications, such as VNC Viewer Plus or Intel's free program KVM View, to access the VNC server on the chipset. If you're like me, you probably manage your fleet with SCCM; you can install an add-on that allows you to control a system with a right-click action.
Say I'm at a coffee shop and a gorgeous woman is sitting at a table. Say her name is Jessica. Jessica is waiting for me to talk to her; however, Jessica will only talk to me if her father (Bruce) approves. Once Bruce has checked my background and determined I'm OK to date his daughter, Bruce will give me a letter to pass to Jessica which says he approves. Once I give that letter to Jessica and Jessica checks to ensure it's real, she will talk to me :)
In this example,
- Jessica is the client machine that I want to provision
- I am the SCS server that wants to provision the client machine.
- Bruce is a trusted certificate authority that the client machine trusts.
- The letter is the provisioning certificate that is signed by the certificate authority which is trusted by the client machine.
The root hash of the certificate authority which issued the provisioning certificate must be stored within the vPro firmware. Systems come with preconfigured hashes from well-known certificate authorities, meaning you can provision systems without having to physically touch any of your fleet. The cheapest is GoDaddy.
If you plan to integrate a provisioned system into SCCM, you also need to secure the system with TLS (Transport Layer Security), Kerberos authentication and Active Directory integration. It's pretty straightforward once you know what you are doing.
There is a lot of information which shows you how to provision and manage Intel vPro chipsets. I thought I would share my experience. I'm not an expert and don't have all the answers, but I hope this will save you a lot of time troubleshooting.
1. Ensure the systems are vPro capable and, if you want to control the systems, ensure they have the Intel(R) HD Graphics Driver.
Some useful links to help check this are below.
2. Understand how the different ports and protocols work. Gael Holmes Hofemeier from Intel wrote a good blog about this which can be found here
3. Download the latest version of the Intel Setup and Configuration Software (Intel SCS). At the time of this blog it is located here. There are two documents that will help you set up the software: the user guide and the deployment guide.
4. When you are testing KVM control, download VNC plus. At the time of this blog you can download it from here
5. When you first provision a system with SCS do it with the lowest security possible and then work your way up. For example
- Provision a system without TLS and connect via IP address.
- Provision a system with TLS and connect using a Digest username and password.
- Provision a system with TLS and connect using AD authentication.
6. If you are having a problem connecting by host name, turn off IPv6. I am still working out why this is an issue and you can follow the progress on this forum.
7. If you think typing in the RFB password is a solution for TLS errors, as I thought on this blog, you are wrong. It bypasses TLS.
8. To set up TLS security for the provisioned systems, follow the instructions on page 170. The guide's release date is July 12th 2012, so it might be a different page if you are using a different version of this guide. This is the certificate you select in your SCS profile. Once provisioned with TLS you should be able to log into https://FQDN:16993/
9. If you are using an internal certificate authority to provision the systems, rather than a certificate authority such as GoDaddy, follow the instructions in the SCS user guide on page 186. There you will create a certificate template and a certificate request, and enter the root hash manually into the Intel AMT firmware. This guide's release date is July 12th 2012, so it might be a different page if you are using a different version of the guide.
10. I think it's best to provision the systems with SCS and not SCCM. Then if you decide to upgrade SCCM or move to a different solution you won't need to unprovision and reprovision the systems.
11. If you have SCCM and want to integrate SCS with it, Intel have already built the scripts and instructions on how to do this. It can be found here and is very easy to follow. It actually provides scripts that will unprovision and reprovision systems for you.
12. If you cannot control a system with the Intel add-on (customised KVM-View) you may need to import the Root CA into KVM View.
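For the root hash that must be stored in the firmware, and that step 9 has you enter manually for an internal certificate authority, the following added example (not from the SCS guides or from Intel) computes the hash of a root CA certificate and matches it against a list of hashes copied from the firmware. The function names and sample data are constructed for illustration, and whether your firmware version lists SHA-1 or SHA-256 hashes is an assumption to check on your systems.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def cert_to_der(data: bytes) -> bytes:
    """Return the DER bytes of exactly one certificate (PEM or DER input)."""
    blocks = PEM_RE.findall(data)
    if len(blocks) > 1:
        raise ValueError("file holds a chain; export only the root CA cert")
    if blocks:
        return base64.b64decode(b"".join(blocks[0].split()))
    if data[:1] != b"\x30":  # DER starts with an ASN.1 SEQUENCE tag
        raise ValueError("not a PEM or DER certificate")
    return data


def root_hashes(data: bytes) -> dict:
    """Hash the DER encoding (never the PEM text) with both algorithms."""
    der = cert_to_der(data)
    return {"SHA1": hashlib.sha1(der).hexdigest().upper(),
            "SHA256": hashlib.sha256(der).hexdigest().upper()}


def normalise(text: str) -> str:
    """Drop separators so 'ab:cd', 'AB CD' and 'AB-CD' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def find_in_firmware_list(data: bytes, firmware_hashes: dict) -> list:
    """Names of firmware entries whose hash equals the certificate's hash."""
    ours = set(root_hashes(data).values())
    return [n for n, h in firmware_hashes.items() if normalise(h) in ours]


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate: only hashed here.
    der = b"\x30\x82" + b"constructed stand-in for an internal root CA"
    pem = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
           + b"-----END CERTIFICATE-----\n")
    sha1 = root_hashes(pem)["SHA1"]
    # Constructed firmware list, typed the way a person would copy it.
    firmware = {"Internal Root CA": ":".join(re.findall("..", sha1)).lower(),
                "Some public CA": "00 " * 20}
    print(root_hashes(pem))
    print(find_in_firmware_list(pem, firmware))  # ['Internal Root CA']
```

An empty result means the firmware does not hold the hash of the certificate you exported, which is worth ruling out before troubleshooting anything else in the provisioning chain.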
If you have any questions or comments or need any help please leave a comment.