Dell CFI Process and Intel vPro Provisioning
Have you utilized the Dell CFI process to provision\configure Intel vPro units, and had a CSV file delivered to you? Wondering what you are supposed to do with that CSV file and how it maps to the .BIN file Altiris is expecting to receive? This article provides some background, an explanation of how to utilize the CSV file to insert the data, and sample files for your testing\validation.
Background Information
The Intel vPro enterprise setup and configuration process (aka vPro provisioning) occurs outside of the operating system. Typically, a brand new Intel vPro system comes unconfigured. Until that initial setup and configuration step is completed, the enhanced management capabilities and features of Intel vPro technology are inaccessible. This approach is for security reasons.
The enterprise configuration process can be accomplished using preshared keys or a certificate-based implementation. Preshared keys means a key pair (8 character public key and 32 character private key) is set into the firmware of the Intel vPro system. That key pair is also known by the management console, being stored within the IntelAMT database. The preshared key approach is also referred to as "USB One-touch" or "OEM pre-provisioning". The reason is that a physical touch is needed on each client system to securely insert the preshared key pair into the firmware - this is accomplished via a specially configured USB key with a setup.bin file, which is inserted prior to power-on of the system. Alternatively, some OEMs such as Dell provide a service to insert these keys during their build customization process. In the case of Dell, this is the CFI (Custom Factory Integration) process.
Many customers choose to utilize certificate based provisioning - commonly referred to as remote configuration. The security keys\features of remote configuration involve a set of predefined root certificate hashes within every Intel vPro platform. The rest of this article will focus on preshared key setup and configuration of Intel vPro. If you are looking for remote configuration information - there are other articles on Symantec Connect.
Before I go further - let's step back and briefly address the preshared key process from an Altiris Out-of-Band Management perspective. The USB one-touch with security keys process is documented in a few locations. One example is the recorded vPro activation workshop at Video Workshop: Intel vPro Activation - see the 3rd and 4th video (provisioning walkthrough and USB one-touch provisioning). The following image from an Altiris 6.x environment has been inserted for convenience - a similar menu\screen is available in Altiris 7.x.
The original idea and intent was that all client systems would go through a staging process. Therefore, using a screen similar to the above, the administrator or technician would generate a series of keys known by the Altiris management server and distributed to the client PCs via a USB thumb drive. As each system was staged, the technician would insert the USB thumb drive, power on the system, confirm the keys were to be applied when prompted, and then proceed with the other staging aspects of the PC. When the PC was delivered to a production location, the Intel vPro technology would initiate an announcement from the firmware to the target server. This model has worked for many customers.
The preshared key model has also been used by value-added resellers (VARs), system builders and OEMs to "pre-provision" the Intel vPro technology. The difference from the above process is that OEM or VAR involvement introduces an external party. The generated keys and password are on their server and need to be transferred in a secure manner to your production environment. (Side note for those wondering - each vPro configuration event will randomize the keys, and you control the final password which is set.)
The preferred method to transfer the preshared keys is via a setup.bin file, which can be encrypted and so forth. The BIN file is formatted specifically to be understood by the import process of the screen shown above. In fact - you can generate your own setup.bin files by creating\selecting a group of keys and exporting them.
Another technology design preference is that every preshared key pair is unique from the other key pairs. Some OEMs (not Dell) have chosen to use a single preshared key pair for units within a single order. This approach will work - and keep in mind that once vPro is configured, a new randomized key pair, unique to each individual system, is assigned and known only by the ProvisionServer and the target Intel vPro client.
With me so far?
How Do I Use the CSV File Generated by Dell CFI Process?
If you've utilized the Dell CFI process for vPro configuration\provisioning, you've likely received a CSV file with a list of preshared keys and passwords. The normal process of importing the security keys will not work, since the Altiris Out-of-Band configuration console prompts for a .BIN file.
One workaround is to directly import the CSV data into the target database - IntelAMT.
Making a direct database modification has its inherent risks - thus you may want to test this on a separate system if unsure. The good news - if you test on a separate non-production system, you can then follow the correct key export procedure, which will generate a valid setup.bin file. The valid setup.bin file can then be imported to your production server.
For those that want to go directly to database insert - here's what you do:
- Check the last index number of the IntelAMT database table csti_pid_map.
- Modify the CSV file to align to the target database table format (id, pid, pps, current_password, admin_password, used).
- For the "used" field, a value of '0' means unused, and the keys will show in the console once imported. A value of '1' means used, and the keys will be hidden from the console view.
- Use a bulk SQL import to insert the modified CSV file directly into the database.
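The reshaping step above can be scripted so that malformed or duplicate keys are caught before anything touches the database. The following is an added example, not one of the attached files or Dell's or Altiris's own tooling; the vendor CSV header names, the sample rows, and the decision to ignore dash separators when counting key characters are assumptions.

```python
import csv
import io

# Target column order as listed in the article for csti_pid_map.
TABLE_COLUMNS = ["id", "pid", "pps", "current_password", "admin_password", "used"]

# Constructed sample input; these header names are hypothetical, not Dell's actual layout.
SAMPLE_VENDOR_CSV = """PID,PPS,CurrentPassword,NewPassword
AAAA-0001,AAAA-BBBB-CCCC-DDDD-EEEE-FFFF-0000-0001,admin,Example-Passw0rd!
AAAA-0002,AAAA-BBBB-CCCC-DDDD-EEEE-FFFF-0000-0002,admin,Example-Passw0rd!
"""

# Maps table columns to the (assumed) vendor header names.
COLMAP = {"pid": "PID", "pps": "PPS",
          "current_password": "CurrentPassword", "admin_password": "NewPassword"}

def key_len(value):
    """Count key characters, ignoring dash separators (assumption)."""
    return len(value.replace("-", ""))

def reshape(vendor_csv, last_id, colmap):
    """Return rows in TABLE_COLUMNS order, with ids continuing after last_id."""
    rows, seen = [], set()
    reader = csv.DictReader(io.StringIO(vendor_csv))
    for lineno, rec in enumerate(reader, start=2):  # line 1 is the header
        pid = rec[colmap["pid"]].strip()
        pps = rec[colmap["pps"]].strip()
        # Error messages name the line only, so secrets never reach logs.
        if key_len(pid) != 8:
            raise ValueError(f"line {lineno}: PID must have 8 characters")
        if key_len(pps) != 32:
            raise ValueError(f"line {lineno}: PPS must have 32 characters")
        if pid in seen:
            raise ValueError(f"line {lineno}: duplicate PID")
        seen.add(pid)
        rows.append([last_id + len(rows) + 1, pid, pps,
                     rec[colmap["current_password"]],
                     rec[colmap["admin_password"]],
                     0])  # used = 0: unused, visible in the console
    return rows

def to_csv(rows):
    """Serialize rows without a header line, ready for a bulk import."""
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    # 107 mirrors the article's test system, whose sample file starts at 108.
    print(to_csv(reshape(SAMPLE_VENDOR_CSV, 107, COLMAP)), end="")
```

Both the input and the output hold provisioning secrets in clear text, so keep them on the staging host and delete them once the import is verified.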
Explanation of Attached Sample File
In the attached file (convertCSV2BIN.zip) are three sample files for your reference:
- samplesetup.csv - Modified CSV file to match the database table structure. Notice that the index starts at 108 - this is because my test system had already generated 107 keys before stepping through this exercise
- importcsvPID.sql - Sample SQL script for bulk import of samplesetup.csv to the IntelAMT database table csti_pid_map
- samplesetup.bin - Correctly formatted .BIN file for preferred method of import (this is unnecessary if you've decided to directly import)
Concluding Thoughts
My intent in sharing this is to provide a simple workaround method for a frustrating situation. Conversations with Dell associates have occurred, yet corrections to the CFI process for vPro provisioning have not yet occurred. Thus in the meantime - if you receive a CSV file - use the workaround.
The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries.