vPro Setup and Configuration for the dc7900p Business PC with Intel vPro Processor Technology
27
One or more hash root certificates are embedded into the AMT firmware. These certificates are integrated 
into the Hello messages sent by the AMT system to the SCS. The SCS must have compatible certificates to 
authenticate the AMT system.
A self signed certificate can be generated to create a secure connection between the AMT system and the 
SCS. This certificate is used for encryption, not authentication. The SCS will use the public key from the 
self signed certificate to encrypt the session key it generates and sends it to the AMT system. The AMT sys-
tem can decrypt SCS session key with its private key.
The One-Time Password (OTP) is created during provisioning. This password is used with the remote con-
sole to initiate RCFG and it is sent to both the AMT system and the SCS. This password is used to improve 
security.
The network interface used to send out Hello messages is functional for a limited amount of time. The 
amount of time is configurable by the OEM.
Remote Configuration: Bare-Metal vs. Delayed
There are two ways to implement Remote Configuration: Bare-Metal and Delayed.
Bare-Metal, as the name implies, is remote configuration of the AMT system without an operating system; 
in other words, only the hardware. In this implementation, Setup and Configuration is started (Hello mes-
sage broadcast) as soon as the ME is active and the system is connected to a network. This means that 
the AMT system is configured without the use of a local agent and does not use One Time Password (OTP) 
authentication.
Delayed, as the name implies, is remote configuration at a later time when an operating system has been 
installed on the AMT system. In this implementation, Setup and Configuration is started when a remote 
console application initiates the process by communicating with the ME through the HECI driver. This 
requires a functional OS and agent to be installed on the AMT system. OTP authentication can be used; it 
is optional. The remote console provides the OTP to the AMT system and to the SCS.
Consult your ISV management console provider for details on operating system agents for Delayed remote 
configuration support.
Remote Configuration Time-outs in HP Systems
The HP Compaq dc7900 Business PCs are shipped out of the factory in Bare-Metal mode with the ME set 
to broadcast Hello messages for 255 hours when the ME is active and the system is connected to a net-
work.
If no SCS responds to the Hello messages within the time-out period, then the network interface that sends 
out the Hello messages will be disabled.
The network interface can be re-enabled to send out Hello messages again by the following methods:
• Restarted by a local agent.
• Partial Unprovisioning through the MEBx.
Once the network interface has been re-enabled it will send out Hello messages for the next 6 hours as 
long as the ME is active and the system is connected to a network.










