Home > Intel Communities > Open Port IT Community > Intel® vPro™ Expert Center > Blog > 2009 > March
0
Perhaps a better question is - How can the current Intel vPro Technology combined with existing management\security solutions help protect client systems?

 

This is not an attempt to scare or over-generalize the reality of security threats such as the Conficker worm.  The intent is directed to how a real-world situation can be addressed.  The suggestions below assume Intel vPro Technology is already configured within your environment - thus you are ready and able to use the out-of-band management technology in connection with existing "in-band" management tools.
An overview of the Conficker worm is available online. The following are a few examples:
  • http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm (there's a 60-minute interview video)
There are a mix of good\bad reports on preventing, detecting, removing, and basically addressing the worm.
The following are a few suggestions on how to combine Intel vPro Technology with client management and security solutions to help protect and remediate a worm infection situation.
I'm interested to know whether you've employed such tactics and how they have helped in combating the Conficker worm threat.
  • System Defense/Network Filtering to totally isolate a client - for systems that have been detected as infected on the network.
  • Out-of-band discovery of systems needing a patch - when searching databases/logs for clients that have not received the latest security updates, the ability to locate those systems on the network even when they are powered off.
  • Wake up, patch and/or scan systems - use a job to reliably power on the client via Intel vPro technology, distribute the necessary security patches, run security scans, and then power the client off.
  • Isolate and patch - for systems that have not yet been patched or scanned, as a security precaution before allowing them on the network. This requires a customized System Defense or network filter that allows certain "in-band" actions (e.g. patch, scan) to reach the targeted client.
If not already familiar with how to combine out-of-band and in-band management techniques as mentioned above, example demonstrations for an Altiris CMS version 6 environment are available at http://www.symantec.com/connect/articles/combining-band-and-out-band-management, with the same material (including lab documents) also posted at http://communities.intel.com/docs/DOC-2347
0 Comments Permalink
0

If you are having problems accessing the WebUI of a provisioned system using an Active Directory User ID, review the data in my latest document: Access to the Intel® vPro™ Web UI with Active Directory User IDs

0 Comments Permalink
0

On March 30, Climate Savers Computing, the EPA, and Forrester are co-producing a webinar on IT Power Management.  One of the case studies highlights Intel vPro technology. This is another great (and free!) opportunity to learn more about power savings!

 

Visit this site to register: http://www.climatesaverscomputing.org/it-power-management-summit

0 Comments Permalink
7

vPro AMT can leverage Kerberos authentication to allow management from your management console to the AMT firmware. Depending on the management console of choice (e.g. SCCM, Altiris, SMS) you may be using Kerberos or digest authentication. If you are using a management console like SCCM that only uses Kerberos authentication, there are a few things you should be aware of in case you are having problems managing your vPro systems. If you are interested to know more about Kerberos authentication and AMT, you can refer to this previous posting in vPro Expert Center around an Altiris environment: http://communities.intel.com/docs/DOC-1913

In AMT (version 2.x, 3.x, 4.x, and 5.x) there is a Kerberos ticket size limit that varies among versions of AMT (see graph 1 below on specifics for each firmware version). With respect to Kerberos authentication, AMT has different limits for HTTP connection and Serial-Over-LAN (SoL).

The Intel® vPro firmware supports Kerberos service tickets that are 4K or smaller for HTTP connections (authenticating the management console to AMT). This 4K limit is specific to making an authenticated connection via Kerberos. IDER/SoL capabilities have a Kerberos ticket size limited to 3K. These 4K and 3K limits are values in Base 64. This ticket size for a given Kerberos account will vary based on variables like the account’s group memberships in the domain.

Therefore it is important to know the size of this ticket created when an account logs on to the management console. If a given account that is logging in to the management console tries to connect to AMT and exceeds these limits, you may either experience failure when trying to connect to AMT or invoke IDER/SoL.

If you are experiencing issues with connecting or using IDER/SoL, you can download a free Microsoft utility (Link to Utility) to validate the size of the Kerberos token for an account. The output from this utility indicates the size of the token in binary (bytes). You will need to convert this value from binary to Base64 to determine whether the account being used exceeds these thresholds. Base64 encodes every 3 bytes as 4 characters, so binary size = (Base64 length / 4) * 3 and, conversely, Base64 length = (binary size / 3) * 4.

Here is an example for the output from this utility for a logged in user:

C:\Tools\Kerberos>tokensz.exe /compute_tokensize | findstr -i complete

This is the output -> MaxToken (complete context)  2337

You will notice that this binary value of 2337 exceeds the IDER/SoL limit on several versions of AMT. In this example, the account's Kerberos ticket would need to be shrunk (e.g. by removing the account from some domain groups) in order to use IDER/SoL.
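To make the conversion above concrete, here is a small added helper (not part of the original post) that parses the tokensz.exe line shown above, converts the binary token size to its Base64 length, and compares it with the two limits. It assumes "4K" and "3K" mean 4096 and 3072 Base64 characters; the per-version limits from graph 1 are not reproduced, so only the two limits named in the text are checked.

```python
import math
import re

# Limits quoted in the post, taken here as 4096 / 3072 Base64 characters
# (assumption: the post says "4K" and "3K" without giving exact counts).
HTTP_LIMIT_B64 = 4096
IDER_SOL_LIMIT_B64 = 3072

# Constructed sample of the tokensz.exe output line after filtering with findstr.
SAMPLE_TOKENSZ_LINE = "MaxToken (complete context)  2337"


def parse_tokensz(line: str) -> int:
    """Extract the binary token size (bytes) from the 'MaxToken (complete context)' line."""
    m = re.search(r"MaxToken \(complete context\)\s+(\d+)", line)
    if not m:
        raise ValueError("no MaxToken line found in tokensz output")
    return int(m.group(1))


def base64_length(binary_bytes: int) -> int:
    """Base64 turns every 3 bytes into 4 characters; a partial group is padded to 4."""
    return math.ceil(binary_bytes / 3) * 4


def binary_length(b64_chars: int) -> int:
    """The post's formula in the other direction: (Base64 length / 4) * 3."""
    return (b64_chars // 4) * 3


def check_token(binary_bytes: int) -> dict:
    """Compare the Base64-encoded ticket size with the HTTP and IDER/SoL limits."""
    b64 = base64_length(binary_bytes)
    return {
        "binary_bytes": binary_bytes,
        "base64_chars": b64,
        "http_ok": b64 <= HTTP_LIMIT_B64,
        "ider_sol_ok": b64 <= IDER_SOL_LIMIT_B64,
    }


if __name__ == "__main__":
    size = parse_tokensz(SAMPLE_TOKENSZ_LINE)
    print(check_token(size))
```

For the 2337-byte token from the post, the Base64 length comes out at 3116 characters: under the 4K HTTP limit, but over the 3K IDER/SoL limit, which matches the behaviour described above.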

Here is a video to show different examples of an account with various Kerberos token sizes and the different behaviors experienced on an AMT 4.0 system [Link to Video - WMV format].

Also, I would appreciate to hear from the entire community on what size Kerberos tokens your support group has that would be utilizing SCCM to manage vPro system.  Would these current size restrictions cause issues for your support teams?  Thanks in advance for the "real-world" feedback.

[Graph 1: Kerberos Token Size Limits]

7 Comments Permalink
0

On May 10th, Intel Vice-President Gregory Bryant was part of the opening ManageFusion keynote led by Symantec's Steve Morton.

Gregory talked about how customers are realizing value today with Intel vPro technology and getting a return on investment that pays for itself in less than one year.  He also talked about new Intel vPro technology product developments with Altiris Client Management Suite Version 7 and Symantec Workspace Streaming. View the highlights below or click here to see the full keynote.

0 Comments Permalink
1

Murphy's Law states that just when you think you have shared all you have to give in a document, you find a juicy tidbit that should have been included.  Therefore, I have updated the Intel® AMT™ Add-On for SMS from V3.3 to V5.0 Upgrade Overview (PDF).

 

I discovered a batch file that is included in the default installation directory, C:\SMSAMTInstallation\iAMT addon for SMS\IAMTSMSSettingsExport.bat.  It contains the command line to export the registry settings for your currently installed version of the Add-on.

1 Comments Permalink
0

Before you upgrade the Intel® AMT™ Add-On for SMS to the Intel® Client Manageability Add-On for Microsoft* SMS 2003 version 5.0, check out my document about the process and some things to keep in mind before you begin.  Thanks! Intel® AMT™ Add-On for SMS from V3.3 to V5.0 Upgrade Overview

0 Comments Permalink
0

Come join us for our first ever virtual conference on the Intel vPro Expert Center. This virtual conference series, entitled Intel Solutions for Today's Economy, kicks off on Tuesday, March 24th. The first installment is "Optimize Your Business and Improve the Bottom Line." The overall theme of the webinar will be discussing how to do more with less.

 

Is it just Intel people talking about Intel?

No! Here's the cool part. We are bringing in several users who have implemented Intel vPro technology in their workplace - they will be discussing how they now save time and money by using PCs with vPro technology - as well as how they are increasing organizational productivity. You'll be able to ask them questions at the end of their presentation.

 

Our featured speakers are:

  • Paul Baltzell, Director of Distributed Services for the Indiana Office of Technology
  • Dan Lutter, Director, Field Technology Services at Advocate Healthcare

 

Event Logistics

Date: Tuesday, March 24th

Time: 8:00 am PDT

 

How to Register

Visit this link to visit the registration page: https://www2.gotomeeting.com/register/862206193

 

More Information

http://communities.intel.com/docs/DOC-2709

0 Comments Permalink
5

Dell just released a new BIOS update for the Dell Optiplex 755 system, version A13. This update also includes an AMT firmware update to version 3.2.3 that resolves a couple of security issues. I just performed the update on an Optiplex 755 that I had already provisioned, and it didn't break anything.

 

If you're deploying the BIOS update via an ESM software package, such as Microsoft System Center Configuration Manager (SCCM) 2007, you can automate the staging of the BIOS update (without forcing a reboot) using the following command line:

 

O755-A13.exe -noreboot -nopause

 

Get it while it's hot!

 

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

5 Comments Permalink
1

Intel and Symantec have landed another punch on the chin of excess energy use. In an enhancement akin to putting a horseshoe in a boxing glove, Symantec’s new Altiris Client Management Suite 7.0 takes advantage of Intel vPro technology’s latest capability to extend IT’s reach outside the corporate firewall.

As a result, IT can literally shut the lights out on the PCs that were previously bobbing and weaving just outside its reach. Many companies have an always-on rule – everyone has to leave their computers glow all night so IT can perform routine maintenance, install patches and other tasks.  Of course, this makes electric bills soar and leaves an enormous carbon footprint.

With the advent of vPro three years ago, Altiris Management Suite users began turning off PCs when not in use. Intel vPro enables IT to turn them back on remotely just long enough for the task at hand and then turn them off again.  However, this only worked as long as the PCs were on the corporate network.

With the latest version of vPro, the firewall is no longer an obstacle, which brings a couple of benefits.  The first is extending IT's reach, but the second is enabling those remote end-users to place a fast call for help.  With a few keystrokes, a telecommuter or traveler with computer trouble can now immediately connect with IT for a fix.  But, of course, wasted energy isn't the only opponent IT is nose to nose with these days.

The shrinking IT budget has a number of moves that have IT professionals worldwide feeling punch-drunk.  In this conversation, Intel Product Manager Tracie Zenti and Symantec Strategic Alliance Director Kevin Unbedacht discuss additional tactics, including a rather counterintuitive approach in a recession: spending money to save money.  I hear you, but give them a listen, especially how the State of Indiana saved $1.4 million.

1 Comments Permalink
1

Integrating VNC on Windows PE 2.0

Author: Trevor Sullivan

Company: OfficeMax Corporation

Versions: 1.0 – April 24, 2008 – original document

Synopsis

Integrating VNC on Windows PE allows a remote user, such as a support person, to remotely control a Windows pre-execution environment, and perform administrative tasks such as deploying an operating system image, or diagnosing hardware and software problems using 3rd party tools. This image can be remotely booted in a LAN environment using the IDE-R feature of Intel AMT.

Requirements

  1. Microsoft Windows AIK v1.1 (downloadable from Microsoft)
  2. A working Windows PE 2.x CD (can be built from WAIK)
  3. UltraVNC 1.02 (downloadable from Internet)
  4. ImageX (to mount WIM files) - included with WAIK

Setting up UltraVNC

Install UltraVNC 1.02 on a development system

 

You can optionally install UltraVNC 1.02 to an Altiris SVS virtual layer to avoid making permanent changes to your development system

 

After UltraVNC is installed:

1.  Execute VNC in user-mode

2.  Run the following command: winvnc -defaultsettings

3.  You should be presented with a configuration dialog

4.  Set a password for VNC and choose to disable the tray icon

5.  Confirm the settings dialog, and stop Winvnc by running: winvnc -kill

6.  Extract the following registry tree: HKLM\Software\ORL (vnc.reg)

7.  Add the password to the default key

a.  Open the registry file (vnc.reg)

b. Create a new section (key) for HKLM\Software\ORL\Default

c.  Copy the password value from ORL to the Default key
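Step 7 can be scripted instead of hand-editing the .reg file. The following is an added example, not part of the original document: it parses the exported vnc.reg, finds the "Password" value under HKLM\Software\ORL (or any of its subkeys), and adds it under a new HKLM\Software\ORL\Default key. The sample .reg text, the WinVNC3 subkey name and the hex password bytes are constructed for the example and are not a real export.

```python
import re

# Constructed sample export (not real); the subkey name and password bytes are assumptions.
SAMPLE_VNC_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\Software\\ORL]

[HKEY_LOCAL_MACHINE\\Software\\ORL\\WinVNC3]
"Password"=hex:01,02,03,04,05,06,07,08
"DisableTrayIcon"=dword:00000001
"""

DEFAULT_KEY = r"HKEY_LOCAL_MACHINE\Software\ORL\Default"
ORL_PREFIX = r"hkey_local_machine\software\orl"


def parse_reg(text: str) -> list:
    """Parse a .reg export into [key_path, [value lines]] pairs, preserving order."""
    sections = []
    current = None
    for line in text.splitlines():
        m = re.match(r"^\[(.+)\]$", line.strip())
        if m:
            current = [m.group(1), []]
            sections.append(current)
        elif current is not None and line.strip():
            current[1].append(line.rstrip())
    return sections


def find_password_value(sections: list) -> str:
    """Return the '"Password"=...' line from the first ORL key (or subkey) that has one."""
    for key, values in sections:
        if key.lower().startswith(ORL_PREFIX):
            for v in values:
                if v.lower().startswith('"password"='):
                    return v
    raise ValueError("no Password value found under HKLM\\Software\\ORL")


def add_default_key(text: str) -> str:
    """Rebuild the .reg text with the password present under HKLM\\Software\\ORL\\Default."""
    sections = parse_reg(text)
    password_line = find_password_value(sections)
    default = next((s for s in sections if s[0].lower() == DEFAULT_KEY.lower()), None)
    if default is None:
        default = [DEFAULT_KEY, []]
        sections.append(default)
    # Only add the value if the Default key does not already carry one (idempotent).
    if not any(v.lower().startswith('"password"=') for v in default[1]):
        default[1].append(password_line)
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, values in sections:
        out.append("[" + key + "]")
        out.extend(values)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(add_default_key(SAMPLE_VNC_REG))
```

When applying this to a real export, read and write the file with UTF-16 encoding, since regedit writes version 5.00 .reg files as Unicode text with a byte-order mark. The resulting file is what the vnc.vbs script later imports with regedit /s.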

Gathering Source Files

Copy the following list of files from the UltraVNC installation directory on the source computer into a separate working folder:

 

  • Authadmin.dll
  • Authssp.dll
  • Ldapauth.dll
  • Logging.dll
  • Logmessages.dll
  • Mslogon.acl
  • Unzip32.dll
  • Vnchooks.dll
  • Vnchooks_settings.reg
  • Vncviewer.exe
  • Winvnc.exe
  • Workgrpdomnt4.dll
  • Zip32.dll
  • Vnc.reg (from previous section)
  • Vnc.vbs (see below)

 

Trevor developed a short script to get around a problem with winvnc hanging when I’d execute it. This executes winvnc.exe asynchronously so that it continues to run in the background, but startnet.cmd will be allowed to continue. The script source is included below:

 

Option Explicit
Dim ScriptPath, sh

' Directory the script runs from (e.g. X:\vnc\), derived from the script's full name
ScriptPath = Left(WScript.ScriptFullName, Len(WScript.ScriptFullName) - Len(WScript.ScriptName))

Set sh = CreateObject("WScript.Shell")

' Import the VNC settings (including the password under HKLM\Software\ORL\Default); wait for completion
sh.Run "regedit /s " & ScriptPath & "vnc.reg", 1, True

' Open the Windows PE firewall so the VNC listener is reachable; wait for completion
sh.Run "wpeutil disablefirewall", 0, True

' Start winvnc.exe asynchronously (bWaitOnReturn = False) so startnet.cmd continues
sh.Run ScriptPath & "winvnc.exe", 1, False

Modifying the PE Disc

  • Mount WIM file on filesystem using ImageX
  • Copy all source files to folder on root of WIM mount path
  • Modify startnet.cmd to execute VNC vbscript using cscript.exe
    • Use the fully qualified path to the script file (eg. “cscript X:\vnc\vnc.vbs”)

Notes

  • Winvnc does not work under service mode on Windows PE; Winvnc must be run under user context
  • The registry value “password” must exist under HKLM\Software\ORL\Default, otherwise winvnc will prompt for a password upon startup

 

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

1 Comments Permalink
0

Did you know that the Expert Center has a group on Facebook? Come join us! Write on the Wall or start a discussion! We've been using this group to announce events, post videos and pictures - and would love to see some dialog. Join the fun!

0 Comments Permalink
1

Many at Intel have been taking smug pride at the success that Intel vPro technology has been making in easing IT techs' jobs.  Now, from their consoles IT pros are handling problems that used to require a trek down the hall if not a journey across town.  Even if the OS goes south or the user has clicked the off switch and gone on vacation, they don't even have to lean forward in their chairs to update an application or download a patch.  They just whack a few keys and the problem is no more.

But in the wake of all this efficiency, vPro has sucked all the creativity out of repairing PCs.  Before vPro, I'll bet each of us, pros and end-users alike, had a sure-fire trick that we'd wield like a magic screwdriver every time the cursor froze or the "g" key would only produce a smiley face.  In my home office, when "No Network Found" appeared instead of Intel.com, I'd unplug the power cords from the cable modem and wireless router, count to 10 and plug them back in, and I was back to hammering out press releases.  (I have to be honest though, I didn't invent this procedure.  It's the cable company's official fix.  True, you can call them.) In the end, I plugged both into the outlet controlled by the wall switch.  So now, they sync every time I come in to work.

As I became more enraged at the clever fixes that are being lost because of vPro, I polled some of my friends just to see what tricks they had, but likely would never use again.  Cameron Tabucchi had been told to put her computer in the freezer to help keep the battery charged. (She declined to confirm whether she actually does this, but the ice cream smears are a giveaway.) When Ellen Topp's computer freezes, she religiously restarts, defrags and restarts it, again.  As if by a miracle it springs back to life. CTRL…ALT…DELETE! – repeated several times as if it were an incantation (once has been proven insufficient and correct rhythm is crucial) – always works for Amy Cook.

We need your help in collecting and archiving this wealth of creative prescriptions for patching up our computers, to prevent their loss.  So, if you have a favorite fix – the wackier the more worthy of preserving – share it in this quick survey to ensure that, despite vPro, it doesn't follow eight-track tapes into obscurity.

1 Comments Permalink
1

Absolute recently received a theft report concerning a laptop that a salesman claimed had been 'stolen from his vehicle.'  Soon after the 'crime' the computer logged onto the Internet and began checking in with our monitoring center.  This allowed our theft recovery team to extract information on the computer’s unauthorized user and location.  Guess where the computer turned up?  It was still in the hands of the user who claimed it was stolen!  He had falsely filed a theft report so he could keep the computer for himself.

 

You can read more of the story here:

 

http://blog.absolute.com/absolute-recovers-laptop-from-clever-thief/

 

This scenario brings up an interesting issue for those deploying laptops equipped with Intel's AT-p anti-theft technology.  Do you tell your users it's deployed?  Or keep its existence as much of a secret as you can?

 

In this example, informing this user that AT-p was deployed would likely have prevented the 'theft' of this laptop.  The salesman, realizing his laptop would have been rendered useless by means of a poison pill or a timer rundown, probably wouldn't have 'stolen' it in the first place.

 

However, the 'theft' resulted in the removal of a bad apple from this company - The one silver lining in this unfortunate incident.

 

So the question is this: When you deploy AT-p in your company, will you tell your employees it's there?

 

--------------------------------------

 

Please note that any indictments and criminal complaints referenced in this post are merely unproven accusations, and the accused, in all cases, are innocent until proven guilty.

1 Comments Permalink
0

In our 1:1 interview, Gregory and I talk about the community, the call to action, and feedback.  Tune in to hear more, including the funny comment he tells me.


Next up on Feet on the Street -  I met w/ a local IT company, stay tuned to hear more..

0 Comments Permalink
0

Are you not much of a blogger? Well, have no fear...There are more ways for you to stay updated and get involved with everything vPro! If writing up your best known methods or posting a quick start guide to the Expert Center isn't your idea of fun then here are seven other great options to stay involved with the vPro community...

Facebook

Facebook gives people the power to share and makes the world more open and connected. The site that millions of users have grown to love also has a page for need-to-know and latest news on Intel vPro Technology. Go to http://www.facebook.com, create a profile, and add "Intel-vPro" as a friend through this link.

Twitter

As its website states, "Twitter is a service for friends, family, and co–workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: What are you doing?" Curious what vPro is up to? Create an account and follow the tweets of "intelvPro" at http://twitter.com/intelvPro or follow the "Proest of Pro's," Josh Hilliker, at www.twitter.com/joshprostar

Heartbeat Newsletter

This bi-weekly newsletter includes everything new with Intel vPro Technology. You’ll learn about new white papers, user guides, known issues and more when you receive this newsletter. Click here to sign up!

Distribution Lists

Get Intel vPro help, updates, news, BKMs and more delivered right to your inbox. Questions and answers are swapped and info is distributed through this list. Go to this link and subscribe.

YouTube

The leader in online video and perfect destination to watch and share videos on the worldwide web, YouTube has been an awesome outlet for some of our favorite and most helpful vPro videos. You can find tons of vPro videos on http://www.youtube.com/vproexpert and can also watch those that Josh Hilliker has posted at http://www.youtube.com/joshprostar

BlogTalkRadio

Hosted by Josh Hilliker, Russ Pam, and Jeff Torello (and featuring a little bit of myself every now and then) this bi-weekly informal show covered a variety of topics and was a perfect avenue to get your questions answered. On BlogTalkRadio you can listen to all of the shows that we have already recorded! Make sure not to miss out on this awesome opportunity to learn and engage with the vPro experts. Visit the Open Port Radio site to hear previous shows and stay updated as we release our future show topics...

Quick Start Guides

Another helpful resource provided on Intel vPro is the set of quick start guides that are posted. These guides include the steps to set up Intel AMT devices with LANDesk, Altiris, and Microsoft.

0 Comments Permalink