Blog Posts

If you're planning to attend Symantec Vision Las Vegas (http://www.symantec.com/vision/welcome/index.jsp?locid=las_vegas)...

Intel will have 2 breakout sessions and 1 hands-on lab.   The details are provided below.   In addition - come see us at the keynote and in the showcase area.   The sessions\labs will focus on Intel vPro technology (something I talk about a lot in this community), yet expect to see items outside just client systems in the showcase area.

Last year we had standing room only in the hands-on lab - look forward to a repeat high attendance. 

Here is the summary of the sessions and lab.   We look forward to seeing you at the event.

• Session ID: SS B02
  
• Session Date\Time: Tuesday, April 13th, 10:45am
  
• Session Title: Intel® vPro Technology and Symantec Client Solutions Help Your Business Save Money
  
• Abstract:  Learn how Symantec and Intel are working together to provide money saving features that allow better manageability for your client systems regardless of their operating system state. If you are preparing for a Windows 7 platform refresh, come learn the advantages of the 2010 Intel vPro Technology platform. In addition to the standard capabilities integrated with Symantec Client Management Suite, learn about KVM remote control or managing a client outside the corporate network. Take advantage of Intel® vPro Technology to reduce IT cost and improve service.
  

• Sesssion ID: SS L01
  
• Session Date\Time: Wednesday, April 14th, 10:45am
  
• Lab Title: Intel vPro Technology: Find IT and Use IT
  
• Lab Abstract:  This hands-on lab demonstrates how Symantec Management Platform (Altiris) and Intel vPro Technology enhances Endpoint Security and Endpoint Management solutions to improve control within the IT environment.   Come learn from one of Intel’s experts with hands-on experience in using Intel vPro technology in a production environment.
  
• Note:  For a preview or what the lab materials and exercises will look like, see the recorded webinar from September - http://communities.intel.com/community/openportit/vproexpert/blog/2009/09/04/resources-and-recording-from-symantec-altiris-intel-vpro-webinar
  

• Session ID: SS B01
  
• Session Date\Time: Wednesday, April 14th, 2pm
  
• Session Title: Intel® vPro Technology and Symantec Endpoint Protection Integration Component (SEPIC)
  
• Session Abstract:  This session will showcase exciting new features in Symantec Endpoint Protection Integration Component when enhanced with Intel vPro technology. Come learn how these technologies work together to improve client security and reduce IT cost
  
• Note: A related session led by Symantec that will also mention the SEPIC and vPro integration will be Thursday afternoon.   Look for session CM B02 presented by Rene Kolga
   
  

If you have any special requests on the Intel session before the event - let me know.  Look forward to seeing you there

As many of you know development of projects like Intel AMT take a long time. We generally work on a project for a full year before launch (well, I do anyway. Our developers, architects, and project planning folks begin working on it long before that). I realized that for someone just starting to use an AMT 6.0 platform the concept of Enterprise vs. Small Business Mode is now gone. Some people have come to me and asked “How do I just turn it on for a quick demo?”. Well, I’m happy to say it can be done very easily!

Enabling Intel AMT is a manner similar to previous generation’s SMB Mode (how’s that for a title?!)
Power on the system and enter MEBx (generally by pressing CTRL-P during boot, but this may vary from PC manufacturer to manufacturer)
Enter your password (the default password is “admin” if it’s never been configured)
Select “Intel(R) ME General Settings”
Select “Activate Network Access”
And you’re done!

There is a really good step-by-step with screen shots here: http://communities.intel.com/docs/DOC-4795  (See section 3)

Thanks

--Richard

Intel vPro Technology enhances existing Absolute solutions by enabling the remote disablement of PCs that are lost or stolen, regardless of whether the PC connects to the Internet. In addition, the lost PC can feature a custom screen that can feature instructions on how to return the PC in case it is found. To learn more, watch the below video from Absolute Software Product Manager Geoff Glave:

As part of our efforts to introduce the all new 2010 Intel Core vPro processor family, we put together a series of videos that feature Steve Grobman, Intel's Chieft Architect in our Digital Office Platform Group.  He's been on the team that has led the development of Intel vPro technology for the past half decade, and was once in Intel IT's department. The videos also feature Intel's Josh Hilliker - who helps Steve demonstrate the new technologies.

In his first video, Steve talks about the new developments in Intelligent Performance - and he also showcases how Intel Turbo Boost Technology and AES-NI (Advanced Encryption Standard - New Instructions) help improve performance for today's office worker:

In his second video, Steve talks about the new developments in Smart Security - and he also showcases how Intel vPro technology helps disable lost PCs and data, and can also help IT manage encrypted hard drives remotely:

In his third video, Steve talks about the new developments in Cost Saving Manageability - and he also showcases how Intel vPro technology helps IT or IT service providers control an office worker's keyboard-video-mouse (KVM) remotely ... even when the Operating System has blue-screened:

In his fourth video, Steve talks about how small businesses can benefit from Intel vPro technology, and how service providers like AT&T are excited about  the all new 2010 Intel Core vPro processor family:

In his last video, Steve talks about how Intel vPro technology is bringing proven results to organizations today:

Eind januari introduceerde Intel Benelux in Amsterdam de nieuwe Intel Core i3/i5/i7 Processorenfamilie van 2010 aan de Benelux pers en partners, de internationale en lokale PC bouwers.

Roger Benson, Country Manager en Mark Brailey, Director of Strategy EMEA, gaven een goed overzicht van wat de nieuwe generatie processoren nu precies niet alleen sneller maar ook slimmer maakt. Of met een twist komt het hier op neer: Brain power meets horse power.

Het was een gevarieerde TopGear-a-like aanpak met als gasten o.a. de Nederlandse autocoureur Tom Coronel en Bernd Matthys, de Belgische winnaar van de Intel Core i7 Custom Challenge. De demos rond Intel® Turbo Boost Technologie, Intel® HD Graphics en Intel WiDi (Wireless Display Technologie) werden gegeven door Jan Schouten, nu eens als verkleed als de stig, dan weer als een Intel bunny man. Tot slot was ook Rene Baerdemaker van Codemasters aanwezig om te tonen in welke mate hun kaskraker Dirt2 optimized was voor Core i7.

2010 kon niet veel beter beginnen. Voor alle info rond deze nieuwe generatie ‘slimme’ Core processoren, ga naar www.intel.nl/core. Een goeie digitale versie van echt racen, we zijn er klaar voor.

A little while ago we launched the Windows* embedded operating systems driver support package up onto the EDC website.  Once in the field an issue was discovered that would stop the e1y driver getting DHCP traffic on CE6* under some conditions.  Given the nature of the defect, we elected to field a new version of the webpack with an updated driver.  We also updated the entry readme, the one in the zip file, to correct the missing 1501 device ID from before.  The Driver_Selection_Guide.txt in the webpack is still missing it however.  We didn’t want to add any further delays, and our risk management policies enforced that we could only change the driver inside the webpack.  It’s the same link location as in the original announcement, so if you’ve downloaded it after Feb 3^rd, 2010, you’ve got the new version.  Another way to check if you have the right one is the webpack installer is dated in January, where the old one has a November date.  Digging even further, just in case you’ve already installed it and deleted the webpack, the changed files are in the \PRO1000\WINCE6.0\PCIe folder, e1y51ce6.dll and e1yce6.rel.  These will be dated January 19^th, 2010.  All other driver files will be the same.  (There is a build tracking file, verfile.tic, that changes on all our builds, but that isn’t a driver file so it doesn’t count and it should be ignored.)

Sorry we didn’t catch this defect before launch, and it only impacts the e1y driver. 

Review time!

1)      Here is the updated webpack (It’s the same link location as the old one)

2)      Only the e1y driver is effected, and only ones dated before 2010

3)      Thanks for using wired Intel® Ethernet.

During our recent annual Intel IT Leaders Conference, we put together a fun video to highlight to the IT management team some of the key contributions that individual Intel IT experts are making inside our organization. I really enjoyed seeing my peers participate in this video and share their stories on camera.

While we highlight a few individual rock stars in this video, what really grabbed me was Tim Verrall’s statement in the video: “I don’t see myself as a Rock Star, just a member of an awesome band”.  This attitude is shared by all of our IT rock stars, as they truly understand what it takes to build a great team.

I invite you watch this video – hopefully it makes you smile.

If you want the more serious side of Intel IT and the difference our people, operations, solutions are making for our business, read the 2009 Intel IT Annual Performance Report.

Chris

More from Intel IT

Today the Use Case Reference Design (UCRD) team has released Remote Drive Share (RDS). RDS is a very small iso image that, when booted, will share out the contents of the vPro system's hard drives. It works like this:

1. User calls help desk because their system won't boot.
   
   
2. Help Desk uses IDER with RDS to reboot User's system.
   
   
3. Help Desk maps a drive letter to the User's hard disk(s).
   
   
4. Help Desk can now back up user data, edit the registry, scan for viruses, analyze crash dump files, restore corrupt files, etc...
   
   

So my challenge it this; with KVM Remote Control a help desk can remote control a vpro system in almost any state. With IDE-R a help desk can boot a vpro system to any CD or floppy based recovery tool. With RDS a help desk has remote access to a vpro system's hard drive(s). Besides issues like replacing a broken part or checking cable connections, are there any issues or scenarios that a help desk can not troubleshoot and resolve remotely?

We're working on a series of UCRDs outlining how to use RDS and KVM Remote Control for various tasks like remote reg edit. We're also working on UCRDs to aide a help desk get up and running with vPro. So, tell us what you want to see, or scenarios that you think can't be solved and we'll add it to our todo list. I can't promise we'll solve your problem, but at least we'll all have our creative juices flowing in the same direction....fewer desk side visits and faster issue resolution time all by making it possible to do more remotely. What do you wish you could do remotely from your help desk?

Network World just warned IT to prepare for tremendous network traffic during the SuperBowl.  Peak Demands happen routinely inside IT organizations and IT has to be ready.  In order to be ready, IT must prepare in advance by having a strategy to handle and manage peak demand.

Intel IT deals with peak demands inside our business constantly and this sizing paper talks about some of the impacts that govern our server sizing decisions each year.

Follow Intel IT on twitter

There's been alot of tech talk around KVM Remote Control. Now I want to share some of the advantages it brings. This video demonstrates 5 tricks KVM Remote Control brings beyond that of software based remote access services.

In case you missed it, here's the list:

- Ability to diagnose a network driver issue
- Remotely observe steps that cause a catastrophic failure, including the failure itself
- Visibility and control of remote system boot process
- Access to PreBoot Auth Module used by Whole Disk Encryption - reset a forgotten passphrase
- Remote control of any recovery OS

What else would you like to see KVM Remote Control do?

Hello Again!
I wanted to give a quick technical overview of KVM Remote.

What is KVM?
I assume that everyone here knows what KVM is. No? Alrighty then. KVM is really an acronym that stands for Keyboard-Video-Mouse. Basically it’s a generic term for allowing one computer to see what is on the screen of another computer and to be able to interact (via keyboard and mouse) as though someone were sitting at that computer. There are different reasons why you might want to use a KVM. For example let’s say you have two computers at home and one monitor/keyboard/mouse on your desk. You could use a hardware KVM switch to access one machine at a time (these are fairly inexpensive for 2-4 machines). “That’s nice, but my other computer is in the other room or in another building. I don’t have cables that long, what should I do?” Well I’m glad you asked.
In this case you’ll need a KVM solution that works remotely over a network. Now you have two choices, you can use a software based remote desktop product or a hardware KVM solution (these are often called IP-KVM solutions). I use a 3rd party hardware KVM in my lab to connect many machine to my monitor when I do testing. It works great! (the down side is that the cost per connection is very high, in my case it’s well over $100/connection!). Software solutions also work well... Well, I guess it’s better to say that a software solution works well as long as everything else on the system is working well. With a software solution you can’t do things like reboot, change BIOS settings, or work in safe mode (without networking). If only there was an inexpensive hardware solution that was built into all your platforms. Voila! Enter KVM remote control stage left.

(after all that rambling I just realized there is a wikipedia article on it. Of course there is. If everything I said made no sense at all, try this: http://en.wikipedia.org/wiki/KVM_switch )

Architecture

Ok, on to what you’re really here for, the Intel KMV Remote Control high level architecture (i.e. how it works).

When you look at your screen you’ll see lot of different objects (in my case I have a word processor running, a couple web browsers, etc). These objects will be layered on each and your operating system will figure which is on top and what to display. The OS will collect all these objects, figure out what is visible and what is not and push all that data down to what is called a framebuffer. The framebuffer is effectively the memory that your video card sends out to the monitor. Basically it’s the last stop. Since the manageability engine (the little processor that runs AMT) can access this memory we can package it up and send it out to a remote computer so an IT administrator can see exactly what is on the user’s screen.
When a KVM session is initiated the manageability engine will make a copy of the current framebuffer and send it to a remote viewer. After that it will compare the current frame buffer to the cache. The comparison is done in 64x64 pixel tiles left to right, top to bottom. If there are any differences between the two the manageability engine will update its cache with the new tile and send out the tile to the viewer (at this point there may be other functions performed on the tile such as compression and encryption before its sent).

Protocol
The protocol that is used to transport the data is the Remote Frame Buffer protocol (You can find out more info and download the specs from here: http://en.wikipedia.org/wiki/RFB). The nice thing about the RFB protocol is that it’s been around for a long time. The v3.3 revision of the protocol came out in 1998. Since it’s been around for so long you can find viewers for pretty much any platform (Windows, Linux, Unix, MacOS, there are even iPhone viewers! Have I mentioned I love wikipedia? Here is a table of various remote desktop viewers: http://en.wikipedia.org/wiki/Comparison_of_remote_desktop_software).
So now that we’ve talked about how the video gets from the client to the viewer, how does the mouse and keyboard make it? When a connection is established a virtual USB keyboard and mouse is ‘plugged in’ to the client (you’ll see new devices appear in device manager once a session is established). Keyboard commands and mouse movements (and clicks) are sent to the manageability engine. The manageability engine will send those commands to the virtual USB devices and thus the OS.

Security
Now let’s talk about security. When a session is initiated the client will show a user consent form. The user consent form is placed directly into the framebuffer (this protects the user consent code from being detected by malware and helps to protect from unauthorized access. It also allows the user consent screen to be seen when it normally wouldn’t be seen such as when running on non-graphical OS like DOS). The user consent code is read to the IT administrator that is connecting to the system and the IT admin is able to connect. Once connected there is a 1 pixel red border around the screen and a blinking icon in the upper right corner of the screen. The client system can be configured to use TLS for encryption just like other AMT connections.

That’s mostly it from a high level. Thanks for reading!

--Richard

Introduction

Let’s talk about vPro, privacy, security and Big Brother.  Spanning the internet are articles discussing legitimate and imaginary concerns about vPro’s impact to user privacy.  So it’s time we (at Intel) start a dialog with our customers on this topic.

First, I need to emphasize how seriously Intel takes privacy and security.  Ten years ago, when someone at Intel mentioned privacy reviews I thought we were getting offices with doors. Since then, especially prior to vPro’s initial launch, security and privacy have become mainstays at Intel.  Every product we deliver goes through rigorous security and privacy review boards.  These folks are not as friendly as many of you; I have the wounds to prove it.

But enough of conjecture and hand waving, let’s look at the overriding concerns repeated in blogs and articles on vPro:

·        A hacker can use vPro to watch what you type and what web sites you visit

·        vPro operates “stealthily” even when your system is off

·        vPro cannot be disabled

I’ll try and respond to each of these topics and look forward to follow-up questions from you all as well as any additional topics you would like me to cover in the future.

Preventing KVM Remote Control from Being Hijacked

As many of you have read, KVM Remote Control is a new feature in vPro that allows a technician to remotely support platforms by gaining access to the keyboard, video and mouse of the target PC.  This is a similar capability exiting in many IT products today, the difference is KVM operates no matter the state of your system.  I.e. the OS can be completely dead and a technician can use vPro to remote in, diagnose and fix issues.

The benefits of KVM are clear, however many fear what happens if the remote capability gets into the wrong hands.  Clearly the main concern is if an attacker could remotely hack a vPro system, then eavesdrop on everything typed, viewed, etc. 

Taking these threats seriously and to ensure that the user is protected, vPro utilizes the following security mechanisms to establish a remote session:

1.      The user at the vPro PC sends a random “secret” generated by vPro (via phone, e-mail, text message, etc) to remote the administrator who will be helping the user debug his or her system.

2.      The remote admin sends this value securely back to vPro to establish the session.

3.      When the remote session is established (whether or not a session is active), a red border is displayed by graphics HW to show the end user what the remote admin can see.  Since vPro HW protects all video and graphics in the red border nothing can draw over the top of it.

4.      In addition to the red border a flashing KVM icon is displayed for the duration of the session.

5.      The red border and icon continues to be displayed until 2 seconds after the vPro session ends.

For someone to hijack this remote session (and thus take control of your PC) the attacker would need to intercept the secret by eavesdropping. 

Alternatively, an attacker could “social engineer” you to divulge the KVM secret, but if they can do this they can probably get your credit card number for a Nigerian money offer.

Even if they are successful in getting the secret the attackers will still need to break TLS.

The key point to mention is that the end user is always in control of the KVM session.  If you do not provide the secret to the IT administrator, an attacker cannot connect.

vPro Active Low Power States

As advertized, vPro can operate when a PC is in a low power state.  Specifically, these are the S3, S4 and S5 sleep states (Sx for short).  “vPro is active with the PC is Powered off” isn’t technically accurate because the PC is powered in all vPro operational states.  If you yank the cord, I can assure you, vPro will not be active.

The key point is vPro can (not will) operate because it is up to the PC manufacturer whether to add the additional cost to support these power states.  Motherboards require additional power switching logic, circuitry and routing to support these additional power states. 

For the IT environment this capability is clearly advantageous and worth the cost.  For the consumer market it is unlikely OEMs would spend this additional expense.

Another myths to dispense with: “Even with the system is powered off vPro provides remote access to your HDD and all of your data!”

·        Devices such as HDDs, system memory, your web-cam and keyboard are not powered in Sx.

So, even if they wanted to, hackers could not remotely access these devices in a vPro lower power state.  Now, an attacker could use vPro to wake the system, but these devices are still not accessible through vPro.

Disabling vPro

A final myth: “vPro cannot be disabled!”  In actuality, vPro can be disabled in the followed ways:

1.      By disabling vPro in the BIOS setup interface.

2.      By disabling vPro in the MEBX setup interface the user can access just before the OS launches.

If a vPro enabled PC has be re-purposed for home use, the above options are easily accessible. 

However, if your PC is owned by the IT department of your company I’m sorry to say, it’s really not your PC.  In this situation your probably can’t get into BIOS setup or MEBX without the IT generated passwords.  You also probably can’t disable HDD encryption, virus scanners, run with OS administrator privileges, etc. 

United States privacy laws do not require employees of U.S. based firms to be able to disable capabilities such as vPro. 

However, in the EU privacy laws are more strict, but I can’t quote them (partially because I’m too lazy to Google them, but mainly because I don’t want to be mistaken for a lawyer).  So, if you’re employed in the EU you may have full control over vPro.

In Conclusion . . .

Intel takes the vPro brand, customer privacy and security very seriously.  While I hope this quells most of your concerns there always will be conspiracy theorists who believe Intel and PC Manufactures are in collusion with the NSA, CIA and FBI.  While good fodder for Hollywood, such activities make no business sense and absolutely no technical sense.  If interested, I’ll explain why in a future article.

-Daniel Nemiroff

The next-gen of Intel vPro technology is here! Come check out the virtual event - you'll find so many cool videos, so much great information. We also have some key docs to help you get up to speed - you'll find them here: Intel® Core™ i5 and i7 vPro™ Wiki.

Click here to visit the virtual event!

Announcing VNC® Viewer Plus from RealVNC, launching at the end of February 2010.  With all the features of our industry standard VNC Viewer, VNC Viewer Plus supports all the manageability features of the new 2010 Intel® Core™ vPro™ Processor Family.

The biggest difference between these and older vPros is the built-in KVM functionality.  Now, rather than connecting to a VNC Server running on the operating system, you can connect directly to the hardware. Even if your OS is non-responsive or your PC won’t boot, you can still access remotely from anywhere on the LAN, through a dialled-in VPN connection or over the Internet.

VNC Viewer Plus connects to the new vPros for KVM as well as providing other remote control functionality such as power on/power off, remote reboot and IDE redirection - enabling booting from a remote CD or image.

This is a truly revolutionary solution from Intel which, combined with the remote control expertise at RealVNC, provides a ground-breaking industry first for the SMB market.

To see VNC Viewer Plus in action, see our video below, and for further product information please visit http://www.realvnc.com/products/viewerplus.

Last week I had the opportunity to attend the Intel IT Leaders Summit.  As a relatively new member of the IT Team, the ability to network and gain insight into the priorities, challenges and governance of the organization was invaluable. It is not be possible for me to capture in a single blog all my learnings from this two-day event, so I will just focus today on the role and vision of IT.

The Leaders Summit was an internal gathering of over 700 of the senior managers of the Intel IT organization to focus on the year ahead for the purpose of achieving our vision: Making IT a Competitive Advantage for Intel. 

Diane Bryant (Intel CIO) kicked off the session talking about how our customers (the business leaders of Intel) assess our performance from 2009 and identify their needs for 2010.  The business identified three key themes for worth noting that guided our discussion during the summit.

·         More Dependency on IT

·         Business desires greater strategic alignment with IT

·         “IT should just work”

For the past five years, I have personally talked to many IT managers, quoting industry consultants about similar themes being important to IT leaders and how they shape their organizations.  However, to see firsthand these concepts actively being used to guide our planning was a powerful experience.

Additionally, we had one senior intel business executive conduct a QnA with the IT leaders and when asked about the value of IT, he made three statements:

·         without IT, there would be no Intel

·         if IT is mediocre, then Intel will be mediocre

·         if IT excels, then Intel has a foundation for excellence

I have thought about these statements a lot in the last week and believe they capture the essence of the Intel IT vision of making IT a competitive advantage for Intel and more broadly the role of any IT organization.

What do you think? Do the statements above reflect the relationship between IT and business?

At the event, the 2009 Intel IT Annual Performance Report (APR) was unveiled.  Much of what we discussed at the Leaders Summit is captured inside the APR.  The APR is an in-depth look at Intel’s IT operations, solutions, imperatives and key metrics.