Managing Intel vPro Ultrabooks and Tablets in wireless network only

On April 3rd, 2010 Steve Jobs showed this renewed computer tablet concept (i.e. iPad, which was not the first tablet computer available in the market, but was one that had great success), triggering a new kind of personal computer system that complements traditional form factors (e.g. desktops and notebooks) used by knowledge workers in corporate environment or even replace the workers in some cases. In fact, a tablet design is an excellent form factor to consume information, but it lacks ergonomic qualities to produce content with a physical QWERT keyboard larger display screen.

The computer industry is investing in several form factors in order to reinvigorate personalcomputer systems with exciting designs: Ultrabook, convertibles designs, touch screens, tablets, tablets with slide QWERT keyboard, multiples dock station capabilities. And in this new World of mobility and thin design, looks that RJ45 interface has become antiquated. For business, wired interface still predominant in most organizations and lot investments were made in this media for security and manageability and how to manage seamless Intel vPro devices, independently of form factor and connectivity medium (i.e. wired or wireless)?


Some Ultrabooks, such as Lenovo ThinkPad X1, arrived without an embedded Ethernet port, only with a dongle RJ45 interface that can provide wired connectivity for Operating System, however it doesn’t work for OOB (i.e. Intel ME).

The absence of an integrated Ethernet interface in these devices limits some use cases for devices of this category. E.g. Host-based Configuration (aka. HBC) is the only remote Setup and Configuration method supported, user consent is required for healing scenarios such as KVM or IDE-R, but fortunately, these limitations in most cases fits well with mobile use models. Admin Control mode can be achieved only configuring locally in Small and Business Mode (SMB), which for enterprise environment can be undesirable due to the required manual labor for configuration.

System Defense, that is enabled by McAfee ePo Deep Command for example, will not be available in WLAN-only systems for security reasons – basically, HBC transfers IT admin authentication to users, that is the reason that in HBC, for each remote operation, user consent is needed. However, for System Defense, there is no reason for user consent to switch on, that is the reason that System Defense is turned off in HBC.

For a wireless-only device be managed OOB with Intel vPro technology, it’s required that Intel ME be in 8.1 version and Wireless driver 15.3 (for Windows 7) and 15.5 (for Windows 8) have been updated for a correct operation.

For further details on creating a profile for wireless environment, read my priorblog post about “Managing Intel® vPro™ Technology clients in a wireless environment” where I discuss some basic configurations and lessons learned in this kind of environment.

Some management consoles such as Microsoft System Center 2007 or 2012, use the concept of provisioning using PKI that set the machine in Admin Control Mode that is not supported for wireless-only devices. So for these cases, Intel Setup and Configuration Services 8.1 (aka. Intel SCS) can be used for provisioning and configuring, following these instructions.

In order to provide better service for “road warriors” you can provided a full set of capabilities, including Fast Call For Help (aka. FCFH). This allows users outside of a corporate firewall to have support from a help desk technician even OOB. Intel vPro configuration profile provides detailed possibilities for provisioning as showed an example of a complete wireless configuration option:


  • Active Directory Integration is required if corporate wireless network requires 802.1x authentication;
  • Access Control List (ACL) that is required in order to specify users/groups for permissions (i.e. authorization) in Intel ME;
  • Home Domains used to specify when machine is inside or outside corporate network based on suffix DNS received by DHCP - this definition is important to enable FCFH when machine is outside corporate perimeter;
  • Remote Access specify address for Intel vPro Gateway (former Management Presence Server) and requires server configuration in corporate DMZ - read further details in Intel AMT SDK;
  • Wifi connection defines configuration and profiles for OOB connection and with Intel PROSet there profiles can be populated by users when added into PROSet profile.

For further details on each of these sections, read Intel SCS 8.1 documentation available on the Intel website.

Following these instructions and guidelines, you will be able to integrate these new categories of managed form factor with actual management console and allow seamless management.

Comment below with any questions – I would be more than happy to provide further details.

Best Regards!