Using provisioning IDs (one-touch provisioning)

Intel vPro devices communicate with a provisioning server on the network. This provisioning server listens for messages from Intel vPro devices and allows IT staff to manage servers through out-of-band communication regardless of the state the device’s OS is in. The core server acts as a provisioning server for Intel vPro devices and includes features that help you provision devices when you set them up.

Generate a Provisioning ID (PID) and a Provisioning Passphrase (PPS) for every Intel vPro device you want to provision. A PID is an eight-character encrypted ID used to ensure that the user has the credentials necessary to configure an Intel vPro device. A PPS is a 32-character password to authenticate the PID. The PID and the PPS are matched against each other.

Process for using Intel vPro provisioning IDs

This section describes the process of using one-touch provisioning for Intel vPro 2.0 and later.

When an Intel vPro device is received, the IT technician assembles the computer and powers it on. After powering on the device, the technician logs in to the BIOS-based Intel ME (Management Engine) Configuration Screen and changes the default password (admin) to a strong password. This allows access to the Intel AMT Configuration Screen.

In the Intel AMT Configuration Screen, the following pre-provisioning information is entered:

  • A provisioning ID (PID)
  • A pre-provisioning passkey (PPS) , also known as a pre-shared key (PSK)
  • The IP address of the provisioning server
  • Port 9971 as the port for communicating with the provisioning server
  • Enterprise mode should be selected
  • The host name of the Intel vPro device

The PPS is shared by the provisioning server and the managed device, but can't be transmitted on the network for security purposes. It needs to be entered manually on the device (at the Intel AMT Configuration Screen). PID/PPS pairs are generated by Endpoint Manager and stored in the database. You can print a list of generated ID pairs for use in provisioning, or you can export the ID pairs to a key file on a USB drive.

The IT technician should enter the IP address of the Endpoint Manager core server for the Provisioning Server and specify port 9971. Otherwise, by default, the Intel vPro device sends a general broadcast that can be received only if the configuration server is listening on port 9971.

The default username and password for accessing the Intel AMT Configuration Screen are "admin" and "admin". The username stays the same, but the password must be changed during the provisioning process to a strong password. The new password is entered in the Intel vPro general configuration dialog, as described in the procedural steps below. After each device is configured you can change the password individually per device, but for provisioning purposes you use the password that is found in the general configuration dialog.

After the above information is entered in the Intel AMT Configuration Screen, the device sends “hello” messages when it is first connected to the network, attempting to communicate with the provisioning server. If this message is received by the provisioning server, the provisioning process will begin as the server establishes a connection with the managed device.

When the core server receives the hello message and verifies the PID, it provisions the Intel vPro device to TLS mode. TLS (Transport Layer Security) mode establishes a secure channel of communications between the core server and the managed server while the provisioning is completed. This process includes creating a record in the database with the device’s UUID and encrypted credentials. When the device’s data is in the database, the device appears in the list of unmanaged devices.

When an Intel vPro device has been provisioned by the core server, it can be managed using only Intel vPro functionality. To do this, you can select it in the list of unmanaged devices and add it to your managed devices. You can also deploy management agents to the device to use additional management features.

The recommended process for provisioning Intel vPro devices is as follows.

  1. Specify a new, strong password for provisioning Intel vPro devices.
  2. Generate a batch of Intel vPro provisioning IDs (PID and PPS). Print the list of keys or export them to a USB drive.
  3. Log in to the device's Intel ME Configuration Screen from the BIOS and change the default password to a strong password.
  4. Log in to the Intel AMT Configuration Screen. Enter a PID/PPS key pair from the list of provisioning IDs that you printed. Enter the IP address of the core server (provisioning server), and specify port 9971. Make sure Enterprise mode is selected for provisioning. Enter the host name of the Intel vPro device.
  5. Exit the BIOS screen. The device will begin sending “hello” messages.
  6. The core server receives a "hello" message and checks the PID against the list of generated keys. If there is a match, it provisions the device.
  7. The device is added to the unmanaged device discovery list.
  8. Select the device and add it to your managed devices (click Target on the toolbar, click the Manage tab, then click Move). You can choose to manage it as an agentless device, or you can deploy management agents to it for additional management features.

For detailed instructions for step 1, see Change the Intel vPro password

For detailed instructions for step 2, see Generate a batch of Intel vPro provisioning IDs

Errors in the provisioning process 

If you enter a PID and PPS that are not paired correctly (i.e., the PPS is paired with the wrong PID), you will see an error message in the alert log and provisioning will not continue with that device. You will need to restart the device and re-enter a correct PID/PPS pair in the Intel AMT Configuration Screen.

If, as you type a PID or PPS, the Intel AMT Configuration Screen displays an error message, you have mis-typed the PID or PPS. A checksum is performed to ensure that the PID and PPS are correct.