To activate vPro to Admin Control Mode, you need to configure a machine on the same local area network as a vPro Proxy and install an appropriate security certificate. The proxy and target machine must have the same DNS suffix (which can be found by running ipconfig from a command line and checking the "Connection-specific DNS Suffix" line). Once you have ensure that the target vPro machine is on the same LAN as the proxy and that they share a DNS suffix, then you are ready to get the certificate.
- The first step in purchasing a certificate is to generate a Certificate Signing Request. To do so, follow these steps:
- Create a new text file with the following contents. Replace <proxy's full dns name> with the full DNS name for the vPro Proxy. For instance, for machine with server name sbqa2 and on the domain kaseya.com, the full DNS name is sbqa2.kaseya.com. Replace <organization> with your organization's name, <city> with your organization's name, <state> with your organization's state or province (with no abbreviations; for example, use California, not CA), and <country_code> with the two digit abbreviation of your organization's country.
[Version]
Signature="$Windows NT$
[NewRequest]
Subject = "CN=<proxy's full dns name>;OU=Intel(R) Client Setup Certificate;O=<organization>;L=<city>;S=<state>;C=<country_code>"
Exportable = TRUE
KeySpec = 1
KeyLength = 2048
MachineKeySet = FALSE
RequestType = PKCS10
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication - Save this text file to a temporary path, such as c:\kworking\certreq.inf
- While logged on to the vPro Proxy as the account configured under the Kaseya "Set Credential" page, run the following command (replacing c:\kworking with the appropriate paths for your environment) from a command line:
certreq -new c:\kworking\certreq.inf c:\kworking\new_request.csr
- Open the new CSR file in notepad (or similar) application. You will need this when you contact your certificate vendor.
- Create a new text file with the following contents. Replace <proxy's full dns name> with the full DNS name for the vPro Proxy. For instance, for machine with server name sbqa2 and on the domain kaseya.com, the full DNS name is sbqa2.kaseya.com. Replace <organization> with your organization's name, <city> with your organization's name, <state> with your organization's state or province (with no abbreviations; for example, use California, not CA), and <country_code> with the two digit abbreviation of your organization's country.
- The next step is to purchase a valid certificate from one of the following vendors:
Comodo http://www.comodo.com/intel/
Entrust http://www.entrust.com/
Go Daddy http://help.godaddy.com/topic/235/article/5260
Starfield http://www.starfieldtech.com
Verisign http://www.verisign.com/ssl/intel-vpro-technology/index.html
Note: These vendors have their root certificate embedded in the vPro chips. While you can manually add a root certificate for another vendor, that requires physically booting to the BIOS on the vPro machine. If you are going to go to the effort of manually visiting each machine's BIOS, then you could also activate vPro manually at that time. - Once the certificate has been purchased, you need to install it on your vPro Proxy.
- Log in to the vPro Proxy as the account configured under the Kaseya "Set Credential" page.
- Download the certificate from your vendor. If your vendor included the certificate data in the body of an email (several lines of text in between the lines "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"), then copy and paste the text exactly as it is in between (and including) those lines into a new text document and save it with a .cer extension.
- Launch certmgr.msc via the command line. Right-click on the "Personal" folder under the "Certificates - Current User", and choose the menu option "All Tasks -> Import...". Walk through the wizard, specifying the downloaded certificate for import.
- The certificate should now be configured. Return to the VSA to the vPro page, and click on the gear icon next to the vPro Proxy, and click on "Configure vPro Proxy...". You may now enable the checkbox marked "I have manually assigned a certificate according to the online instructions". After doing this, all vPro machines that are associated with this vPro Proxy will be enabled in Admin Control Mode instead of Client Control Mode.