OTPs: Good to see that they're gone.
SCCM 2012 discovery: Insure that the clients are configured in TLS mode and make sure the SCCM 2012 machine account has admin privileges to AMT.
ACM_Unconfigure_SCCM.bat failure: Please send me command output and we can see if we can get them unconfigured without a physical visit.
You know - luckyregister.com/support/article.php?aid=6935&locale=en
So how can i use vpro in intranet if i have FQDN of sccm like this sccm.moscow.mycompany.holding? Godaddy (or others) can't give me cert on this fqdn.
MarkusA854,
The first thing I would suggest trying is to pull the CMOS battery. This will reset both the BIOS and MEBx to factory default settings. After replacing the CMOS battery do the following:
If you still have an issue configuring AMT then download this AMT diagnostic tool and attach the Results.nfo the program produces.
bulka,
There are a few options available to you when using a local domain.
Alan, thanks!
I know all of them (provision methods), but i want full automated one (cert from root CA).
May be there are some workarounds?
This methods, like entering hash, usb and host-based are good when you have a few computers. I have half thousand... 
I understand your desire for a fully automated process for inserting your internally created certificate hash into the MEBx. However, due to security concerns automating this process is not an option.
That said, certain OEMs have been known to work with customers on a case by case basis. Creating a custom BIOS that would come pre-populated with your internally created certificate hash.
Is there posibility to use Active Directory authentication to access to KVM?
idosk,
Yes, it's possible to use Active Directory to authenticate your KVM connections. You will need to select both Active Directory Integration and Access Control List in your SCS profile. Then in the ACL section give your Active Directory user or group the necessary access rights.
For more information about this download Intel SCS and look through the Intel SCS User Guide.
https://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=20921
I can only connect to KVM if I grant permission "PT Administration" directly to user account.
If I grant this permission to a group (which includes my user account), I can't connect to KVM.
Is there possibility to grant permission for an AD group for connect to KVM?
After reading info and documentation it seems to me that these are the ways of setting a remote computer in "Admin Control Mode":
It's that correct? are there any other methods?
Thank you!
Granting permissions to an AD group instead of a single user is possible. Just make sure that you are logged into the computer initiating the KVM connection with a user from that AD group. Also, if you're using RealVNC Viewer Plus to initiate the connection, verify "Use single sign-on if VNC Server supports it" is checked.
JlBarbosa,
Correct, all three of those methods allow you to configure a vPro computer in Admin Control Mode. You are also able to configure a vPro computer using a USB key containing a single non-consumable PKI record file.
I was able to get a trial ssl certificate from Verisign(Symantec). I use an internal domain called somethingsomething.loc. I haven't tested it out yet.
I really logged into the computer initiating the KVM connection with a user from AD group which has "PT Administration". And "Use single sign-on if VNC Server supports it" is checked. But I get error: "The user account [Intel(r) AMT: RemoteID 35] does not have the relevant permissions to access the AMT server."
Greetings.
What purpose does Intel AMT stuff serve, imbedded into system BIOSes, when the OEM decides not to fully implement? Why do they bother putting ME firmware on their chips at all? Why do they bother offering updated drivers and sometimes updated ME versions via a BIOS upgrade?
I was initially curious about two Asus and MicroStar based systems I had to work on, but in researching this, apparently there are plenty of vendors who decide to not provide the MEBx interface. There is no MEBx header upon booting, no Ctrl-P works, and trying to access tcp/19662 gets no response. I have no idea why they decide to not implement the MEBx interface, when they integrate ME into their system BIOS packages, and continue to provide updates to both the drivers and firmware! I have gotten half-assed answers from both vendors, so I decided to come here and ask.
Again, I am confused beyond the ability to ask a questions correctly. Please bear with my rambling.
Since in modern EFI BIOS setups allocated on your common 8Mbit SPI Flash ICs, this is all very structured. A block for the system BIOS, a block for the GbE firmware, and so forth. And a specific address range associated with ME firmware. I have flashed different versions into a running system BIOS by only flashing that range, probably the same way the proper Intel FWUpdLcl utility works. If I run MeInfoWin, it identifies the version I just flashed, and my system still operates correctly. (Granted, this is an OEM BIOS with that region extracted from the firmware BIN, not directly using an Intel ME firmware update image.)
I want to see if, without any assistance or approval from the vendor, if we can enable MEBx. I'm sure ME is already there. There's probably a single byte toggle or something equally easy to enable access. But I could be wrong, the vendors are only flashing it onto their BIOS chips because it's required due to chipset licensing and only enabling the parts necessary for compliance, and none of the code to hook to the hardware devices is there.
Also I understand Intel's position on information disclosure, so if this is something we don't discuss in public, please say so. Besides, reading compiled machine code isn't as difficult as it used to be. Although in paging through the ME firmware hex, I see embedded x86 executable code. No decoding necessary. I'll guess it's the html server and the various configuration utilities that a fully-deployed and activated MEBx uses. And that's my point. The firmware is there. I want to enable it. Why won't said vendor(s) enable it? Choice? Cost? Complexity? Customers? I really want to know.
Sidenote: in trying to research this, I found many, many posts by people that think AMT is bad/evil/wrong. Really?
I'm sure I just scared all the conspiracists: "He wants to voluntarily activate the Intel spyware!!? Is he crazy?!"
Yes. So thanks for reading the ramblings of a crazy person.
And thanks in advance for any illumination provided... it's dark over here.
I would suggest trying a klist purge command to clear any old Kerberos tickets. This will eliminate the possibility of an old Kerberos ticket being used in error.
Hi all
I have just started looking into using Intel vPro with our SCCM infrastructure and wondering about what the difference is between provisioning AMT computers with SCCM 2012 or Intel SCS?
Which is best? Which is simplest? Are there any benefits with choosing one over the other? Which is best supported?
/B
Baatch,
Intel SCS is the better of the two options for many reasons, the most important being support for WS-Management. Originally SOAP (Simple Object Access Protocol) was used during configuration, however SOAP was deprecated in AMT 6, and as of AMT 9 no longer supported. SCCM’s configuration process was built around using SOAP, so moving forward configuring vPro computers with SCCM’s built in method will no longer be an option.
-Alan
Bill_P,
The short answer is, the decision whether or not to enable ME is completely up to the OEM. That said, if the OEM is updating both OS drivers and ME firmware, then there is a good possibility AMT is simply disabled in the BIOS menu.
I'm trying to find out what the difference is with Intel SCS with or without SQL database?
Is it needed with SCCM 2012? Can and should I install Intel SCS on the SCCM primary server (I only have 1) ?