Intel, Altiris Group

Pre-OS Intel AMT Configuration

Dec 30, 2009 12:14 PM

If Intel AMT within a vPro platform allows out-of-band management, could the technology be configured and then used to deploy an operating system? It is an intriguing question raised by a few customers. Technologically this can be done, yet it requires some foundational understanding and experimentation. If the out-of-band management technology is already configured, it will have an associated FQDN, be able to request a DHCP lease, have a defined Access Control List for authentication and authorization, and so forth. However - if the management technology within the firmware of the platform has not already stepped through an initial setup and configuration - how can this be done without an operating system already being deployed?

Before venturing down this path - it would be best to first ensure Intel AMT configuration is working with a deployed operating system, the Altiris agent installed, etc., and that all functional use cases are working.

The initial configuration of Intel AMT requires 4 key items:

  1. Authentication to the Intel AMT firmware for initial setup or change of configuration
  2. Definition of profile or configuration settings to be applied
  3. Assigning of a defined profile to a target system
  4. Mapping of the platform unique identifiers - UUID and FQDN

If the configuration settings include environment-specific requirements - such as Active Directory integration for Kerberos authentication, or 802.1x profiles - these additional dependencies make completing the 4 steps above considerably harder. In the case of Active Directory integration, take a closer look at part 2 (and the supporting portions of the series) on Configuring AD integration - http://www.symantec.com/connect/articles/part-2-configuring-ad-integration-and-kerberos-authentication-intel-vpro-technology. Where will the FQDN definition come from if the operating system does not exist, and the Active Directory object has not yet been defined or associated? The AD computer object can be defined before the operating system deployment, yet what will ensure that the correct FQDN is used during the client provisioning process for the Intel AMT configuration?

If only the authentication step were done - the infamous hello packet, which can be generated via a DNS entry for ProvisionServer or via the Intel vPro Activator Utility - you may experience the even more infamous "Properties Script Failed" error as discussed in Troubleshooting 'Properties Script Failed' in Out of Band Management Solution. What this error most often indicates is that an Intel AMT configuration request has been made, yet the configuration profile and FQDN are unknown; thus the configuration script OOBprov.exe (provided by Altiris and set into the Intel SCS configuration settings) is unable to proceed. The expected situation is that the Altiris agent has already been installed on the client and associated with the target Notification Server, creating a computer object with the client's reported FQDN. In addition, the Resource Synchronization policy has been executed to assign a provisioning profile to the client. Yet again we are at a difficult conundrum: the intent is a pre-OS configuration of Intel AMT. The full capabilities of the Intel vPro Activator script can be used to directly assign the desired FQDN and configuration profile, yet this requires a domain-privileged account recognized by Intel SCS with "operator" role capabilities to remotely insert the data into the database. Again - not impossible, yet requiring some forethought.

To the statement in the introduction - this is technologically possible - yet it requires some understanding of component sources.

What if Intel AMT were configured with a placeholder FQDN, allowing the setup and configuration process to complete with a standard profile (i.e. Digest authentication only, with no environment-dependent configuration settings such as AD integration, 802.1x, TLS, etc.)? This is the approach suggested in a previous article - Talking to Intel AMT - What to Do When Desiring Features Beyond Symantec Management Console. This approach is also taken in MSP (Managed Service Provider) environments, as noted by a few alternative provisioning methods referenced at http://communities.intel.com/docs/DOC-3811, along with more insights on alternative provisioning methods referenced previously in Alternative Approaches and Tools to Configuring Intel vPro Technology.
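As an added illustration (not Altiris, Intel SCS or OOBprov.exe code), the following constructed Python model ties together the 4 key items listed above, the condition behind "Properties Script Failed" (request made, but FQDN or profile unknown), and the placeholder-FQDN approach: it checks whether a configuration request can proceed before an OS exists. Profile names, the feature set, the UUID and the placeholder domain are hypothetical.

```python
"""Pre-OS readiness check for an Intel AMT configuration request (constructed model)."""
from dataclasses import dataclass, field
from typing import Optional, Set

# Profile settings that depend on an OS or AD object already existing (per the article).
ENV_DEPENDENT = {"ad_integration", "802.1x", "tls"}


@dataclass
class Profile:
    name: str
    auth: str                                   # "digest" or "kerberos"
    features: Set[str] = field(default_factory=set)


@dataclass
class ConfigRequest:
    uuid: str                                   # platform UUID carried in the hello packet
    fqdn: Optional[str] = None                  # None when no OS / AD object exists yet
    profile: Optional[str] = None               # None until resource sync assigns one


def check_request(req, profiles, os_present=False):
    """Return (ok, reasons). A non-empty reasons list mirrors why OOBprov.exe
    cannot proceed: unknown FQDN, unassigned profile, or a profile whose
    settings need the OS / AD object that does not exist yet."""
    reasons = []
    if not req.uuid:
        reasons.append("missing UUID: cannot map platform to a computer object")
    if not req.fqdn:
        reasons.append("FQDN unknown: configuration script cannot proceed")
    if req.profile not in profiles:
        reasons.append("no profile assigned: resource synchronization has not run")
    else:
        prof = profiles[req.profile]
        deps = prof.features & ENV_DEPENDENT
        if prof.auth == "kerberos":             # Kerberos implies AD integration
            deps.add("ad_integration")
        if deps and not os_present:
            reasons.append("profile needs " + ", ".join(sorted(deps)) + " but no OS/AD object yet")
    return (not reasons, reasons)


def placeholder_fqdn(uuid):
    """Deterministic placeholder FQDN derived from the UUID (hypothetical naming scheme)."""
    return "amt-" + uuid.lower().replace("-", "")[:12] + ".placeholder.example"
```

A Digest-only standard profile paired with the placeholder name passes the check, while a Kerberos/802.1x/TLS profile is flagged until the OS and AD object exist.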

What if an approach were taken to configure Intel AMT during the operating system deployment, such as using a modified WinPE startup script to prompt for the system name? One approach is to prompt for the desired computer name, install local drivers and utilities to access the Intel AMT setup and configuration interfaces, and then initiate a setup and configuration request. This approach is explained in an article on Windows 7 deployment using Microsoft SCCM and WinPE - see http://communities.intel.com/community/openportit/vproexpert/blog/2009/08/06/pre-os-vpro-provisioning-bare-metal-win7vpro-use-case-4

The intent of this article was to provide an overview and determine if there's interest in knowing more... let me know.

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries.
