Intel vPro Technology
To start out, you might be asking yourself “what is vPro and why do I need it?” vPro/AMT is a set of hardware-based tools developed by Intel to allow for monitoring, management, and maintenance of devices at the hardware level, even when the OS is corrupt or even missing. Why do you need it? You probably do not, but the additional abilities are great to have, such as cold booting, remote KVM, remote assistance, and IDE redirection.
LANDesk has done a great job of integrating some of these abilities into their core suite. Two quick examples: when you go to remote control a device, you will now also see a KVM option, and when you send a scheduled task that has the “wake up” option enabled, it will use vPro to boot the device automatically and then try a magic packet.
In order to start setting up vPro in your LANDesk environment you will need to do a couple of things.
1. Obtain a CA SSL certificate (I used GoDaddy because they were 1/10th of the cost of Verisign)
- To start this process I would suggest this article: link
*Note – Intel(R) Client Setup Certificate is no longer required to be in the OU setting of the certificate.
2. Open the following ports between your end-points and your core:
- 16992 (non-TLS) and 16993 (TLS)
3. Create a DNS CNAME of “ProvisionServer” that points to your LANDesk core server.
4. Once the above steps are completed you will need to import your CA SSL certificate onto your core server. Do so by doing the following:
- Copy corecacert.pem, corecakey.pem, trusted_cert.pem, and trusted_cert_intermediate.pem to DriveLetter:\Program Files (x86)\LANDesk\ManagementSuite\amtprov\certStore\cert_1
  - corecacert.pem - Your core server's public key
  - corecakey.pem - Your core server's private key (do not share this, even with LD)
  - trusted_cert.pem - CA public key
  - trusted_cert_intermediate.pem - CA Intermediate public key
5. Within the LANDesk core console, go to Configure, Intel vPro options, then select Intel vPro KVM Configuration.
- Select the following options:
  - Enable KVM
  - Disable User Consent (unless you require it to be on)
  - Set a 15 minute time out.
*Note – The user consent can be configured per device, but this is the default you are choosing.
6. Next select the System Defense Remediation… settings and enable System Defense globally.
7. The final step is to enable vPro. You will do this by selecting the General Configuration… settings and entering a strong password that will be used to manage your end-points. (Do not lose this password; however, if you do, you can still recover from it.)
At this point vPro will now be enabled on your LANDesk core server. Any vPro capable devices that have the proper MEI, SOL, HECI, or LMS drivers installed will be eligible for vPro to be enabled.
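A pre-flight check for the certificate import in step 4, as an added example rather than LANDesk's or the author's own tooling: it confirms that the four files named in that step exist and that each holds the kind of PEM block its role implies, flagging a private key that has ended up in a file meant to be public. It inspects PEM framing only (not whether the key matches the certificate) and assumes the files are PEM text; the function names are illustrative.

```python
import base64
import re
from pathlib import Path

# File names and roles as listed in step 4.
EXPECTED = {
    "corecacert.pem": "CERTIFICATE",
    "corecakey.pem": "PRIVATE KEY",
    "trusted_cert.pem": "CERTIFICATE",
    "trusted_cert_intermediate.pem": "CERTIFICATE",
}
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_labels(text):
    """Return the labels of every well-formed PEM block in text."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        # Skip RFC 1421 header lines (e.g. "Proc-Type: 4,ENCRYPTED").
        b64 = "".join(ln.strip() for ln in body.splitlines() if ":" not in ln)
        try:
            base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # damaged body: do not count this block
        labels.append(label)
    return labels


def check_cert_store(cert_dir):
    """Return the problems found in a cert_1 directory (empty list = OK)."""
    problems = []
    for name, want in EXPECTED.items():
        path = Path(cert_dir) / name
        if not path.is_file():
            problems.append(f"{name}: missing")
            continue
        labels = pem_labels(path.read_text(errors="replace"))
        has_key = any(lab.endswith("PRIVATE KEY") for lab in labels)
        if want == "CERTIFICATE":
            if "CERTIFICATE" not in labels:
                problems.append(f"{name}: no CERTIFICATE block")
            if has_key:
                problems.append(f"{name}: contains a private key")
        elif not has_key:
            problems.append(f"{name}: no PRIVATE KEY block")
    return problems
```

Call `check_cert_store` with the path to the cert_1 directory; an empty list means the layout matches step 4.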
There are two primary methods to enable the vPro features for a device.
1. When the LANDesk client is installed it will automatically provision vPro.
2. If the LANDesk client is already installed then you can simply right click the device in the console and select Intel vPro Options -> Setup and Configure vPro.
*Note – The provisioning process for versions 5 and below can take a few minutes, while versions 6 and above normally average about 45 seconds.
Lastly, you should be aware that there are different versions of Intel’s management tools, vPro and AMT Standard SDK, and they do not give the same features. Each of these has 9 product versions (1 through 9). For a complete listing of capabilities I would suggest reading this wiki: Intel AMT Versions
*Note – if you are interested in using KVM, you need vPro and not Standard.
*Note – Only versions 4 and above support remote certificate provisioning. For versions 1-3 you will need to manually provision them.