
Intel vPro Expert Center Blog

45 Posts tagged with the symantec tag

What is it?

When vPro, and more specifically AMT, was initially designed and engineered, it was architected to work on an internal corporate network, which allowed for the server-to-client communications model. The problem was that many organisations have client PCs that are actually situated outside the corporate environment, and these were excluded from the reach of the vPro benefits available to systems residing within the corporate network. The reason is that client PCs outside the corporate environment would be sitting behind a home router and would possess a private local IP address that is not publicly addressable - i.e. it is not unique and the Management Console has no way of reaching that remote client. The solution to this situation is what is called CIRA - Client Initiated Remote Access.

 

The term Fast Call for Help refers to the use case that is enabled by CIRA (which is a means to an end, but not a use case on its own). It specifically addresses a help desk type scenario where the PC is broken and is being fixed remotely by an administrator or technician.


How does it work?

It works on the principle that as with any usage of a PC behind a NAT'd router, once the client initiates a request (say for a web page) and the information returned comes back to the router, the router knows locally which PC to forward the information back to. The important distinction from the analogy used is that this connection is created Out of Band and does not rely on the operating system or some local software client agent being available or in a healthy state.

 

The connection that is initiated by the client arrives at the vPro Enabled Gateway, which needs to be 'publicly reachable' - so it would typically reside in a DMZ and be protected by an external firewall which might have some port forwarding.

 

The management console has a listener for incoming CIRA connections, and once such a connection arrives it can perform AMT commands on the remote vPro client.

 

The high level flow is as follows (with a graphical representation below):

  1. The user of the remote vPro client initiates the connection to a component that acts as a proxy Server and is called the vPro Enabled Gateway (aka MPS - manageability presence server).
  2. The connection can either be initiated manually by a user in an OS level utility or pre-OS level with a key combination
  3. Alternatively, the connection can be scheduled to automatically be initiated according to a pre-determined time frequency
  4. Once the connection reaches the Gateway, a secure encrypted tunnel is established back to the vPro client
  5. At this point the Management Console which is sitting inside the corporate environment is notified of the incoming connection from the vPro client
  6. The administrator/technician which is using the Management Console can now initiate any AMT command to the remote vPro client

CIRA.bmp

What components are required for getting CIRA and Fast Call for Help to work?

  1. vPro systems
  2. Management software that has built in support for Fast Call for Help
  3. vPro Enabled Gateway

 

In addition, be aware that configuration files need to be edited for the vPro Enabled Gateway, some configurable ports need to be open, and AMT provisioning (with CIRA profiles) is a prerequisite.

Which vPro Hardware do I need to take advantage of Fast Call for Help?

Any vPro system that has AMT Firmware 4.0 and above supports Fast Call for Help. That means any 4.x, 5.x and now the up and coming 6th generation of vPro which is being released in the 1st quarter of 2010. The new capability which is being introduced in 2010 is that this CIRA connection can be initiated over a wireless network interface as well, whereas today it is limited to being initiated over a wired network connection.

Which manageability software is available today for implementing and utilising CIRA capabilities?

  1. Symantec Management Suite version 7 (formerly Altiris Management Console and aka CMS7) Beta II
  2. LANDesk Management Suite 8.8 SP3
  3. Setup and Configuration Service (SCS) 5.x and above (including the Intel DTK) also support CIRA

 

Which vPro Enabled Gateway products are available today for setting up a CIRA capable infrastructure?

  1. Checkpoint Secure Gateway (interoperable with the Symantec Management Console, but not with the LANDesk console)
  2. LANDesk Gateway, which is embedded inside the LANDesk Management Console (however, it does require running a specific installer for MPS)

 

Why am I blogging about this now?

CIRA and Fast Call for Help were actually supported in Intel Firmware from version 4.0, which was released about 1.5 years ago. Unfortunately, all the components required to make Fast Call for Help work were either unavailable or had stability issues. However, today the components exist and are validated to work successfully (with a few known issues that are being addressed). Therefore, if this is of interest to you, you are in a position to implement Fast Call for Help in your environment today. We would welcome anyone out there who is interested in trying to implement this.

 

Is this everything I need to know?

There are more technical details required for a successful implementation, however this should provide a good introduction and starting point. If you have any questions, please don't hesitate to contact me.


If you were unable to attend our latest webinar, "Enhancing the Symantec Management Platform (Altiris) with Intel® vPro™ Technology," then you can now view it online. In addition, you can download the PowerPoint slides; you'll find them as an attachment to this posting.

Watch the Webinar

Click to view the webinar.

Additional Resources

In addition to all of this great info, Terry has provided additional resources to help you get up to speed quickly:

 


On Sept 2nd at 8am PDT, I'll be hosting a Symantec\vPro webinar. Register at https://www2.gotomeeting.com/register/947074427

The webinar is open to anyone.   It will provide insight to the Symantec\vPro compelling features and capabilities – emphasis will be on Endpoint Management, with references to BESR, pcAnywhere, SEP (anti-virus), and related Endpoint Management tools in connection with vPro.

The webinar content is a subset of the materials\discussions\demonstrations that occurred this week with the worldwide Symantec technical sales teams

To register for the webinar, please use the following link https://www2.gotomeeting.com/register/947074427

The webinar will be recorded and posted to the Intel vPro Expert Center.

Look forward to having you join

 


A hobby of many IT professionals is playing video games ... so we asked the question: "What Video Game Would Intel vPro Technology Be?" while at Symantec ManageFusion 2009 from March 10th to 12th. Check out the responses below from IT executives and managers, Intel partners and industry analysts.

To learn more about Intel's presence at Symantec ManageFusion 2009, go to: http://www.intel.com/go/managefusion/


While at Symantec ManageFusion 2009 from March 10th to 12th, we had a chance to talk to IT executives and managers, Intel partners and industry analysts who were all familiar with the capabilities of Intel vPro technology. In this video, they discuss what Rock Star or what type of music Intel vPro Technology could be ...

To learn more about Intel's presence at Symantec ManageFusion 2009, go to: http://www.intel.com/go/managefusion/


While at Symantec ManageFusion 2009, we had a chance to talk with Mike Dunham, Executive Director of Product Management for Incendio Technology. In the video below, he talks about the Incendio vMinder Portal, which allows IT professionals to utilize the Symantec Altiris Client Management Suite without needing console access. From the Incendio vMinder Portal, the IT professional can access Intel vPro technology features such as reliable remote power control that are part of the Symantec Altiris Client Management Suite.

To learn more about Intel's presence at Symantec ManageFusion 2009, go to: http://www.intel.com/go/managefusion/


While at Symantec ManageFusion 2009, we had a chance to talk with Antwune Gray, a Director at NetX. In the video below, he talks about how the NetX Appliance discovers which PCs in your business environment have Intel vPro technology, as well as the version and setup status of Intel vPro technology.

To learn more about Intel's presence at Symantec ManageFusion 2009, go to: http://www.intel.com/go/managefusion/


While at Symantec ManageFusion 2009, we had a chance to talk to IT executives and managers from Disney International, Fox Interactive Media, Blue Cross Blue Shield and McCormick Spice Company and industry analysts from Enterprise Management Associates and Ptak, Noel & Associates LLC. In this video, they talk about the security benefits of Intel vPro technology - which include the ability to deploy software patches faster into the installed PC base, and the ability to quarantine infected PCs and remotely remediate them.

To learn more about Intel's presence at Symantec ManageFusion 2009, go to: http://www.intel.com/go/managefusion/


While at Symantec ManageFusion 2009, we had a chance to talk to IT executives and managers from Las Vegas Sands Corporation, Blue Cross Blue Shield and McCormick Spice Company and Lee Bender, senior technical manager from Symantec. In this video, they talk about benefits of Symantec Altiris Client Management Suite v6.5 (and above) with Intel vPro Technology, including power management, remote diagnosis and repair, and fast call for help.

To learn more about Intel's presence at Symantec ManageFusion 2009, go to: http://www.intel.com/go/managefusion/


While at Symantec ManageFusion 2009, we had a chance to talk to IT executives and managers from Disney International, Fox Interactive Media, Las Vegas Sands Corporation and McCormick Spice Company and industry analysts from IDC, Enterprise Management Associates and Ptak, Noel & Associates LLC about Intel vPro technology and industry trends.  In the video below, they discuss the impact of Intel vPro technology on power consumption reduction and energy cost reduction.

To learn more about Intel's presence at Symantec ManageFusion 2009, go to: http://www.intel.com/go/managefusion/

Updating the firmware for systems with Intel vPro technology often yields significant results when configuring and using vPro functions.  For example certain Dell laptops shipped with both Serial over LAN (SOL) and IDE Redirect (IDER) disabled in the BIOS.  A new firmware update to the BIOS enables them.  Another example is a desktop running AMT 2.1 firmware can be upgraded to AMT 2.2, which enables Remote Configuration.  No matter the reason, often a firmware upgrade will be beneficial to vPro systems and the Symantec Management Platform 7, and this article covers how to deploy firmware updates using Altiris Software Management Solution 7.

Introduction

Software Management Solution can deliver and execute any module or installer made for Windows. This includes Windows-capable firmware updates. Both BIOS updates and Intel ME firmware updates that are Windows capable, whether from HP, Dell, Lenovo, or any other computer manufacturer that supports vPro, can be sent down and executed through Software Management Solution to upgrade firmware. This document covers how to set up and configure these updates, and will hopefully provide you with information on caveats and other potential trouble spots.

Why Update Firmware?

The first thing you need to determine is what type of firmware update you require. The two typical updates are the Intel Management Engine (ME) firmware and the standard BIOS firmware. How these two interact depends on the manufacturer. Some manufacturers combine the BIOS and firmware updates into a single executable. Whatever the configuration, the updates can be delivered via Symantec’s Software Management Solution.

Examples and Reasons

For example, HP has a BIOS option to enable or disable Intel AMT, and if it is disabled in the BIOS the Intel ME will not be available. Another example is the Centrino vPro capable Dell Latitude 620 laptop. The BIOS contains a setting to enable or disable the Serial Over LAN (SOL) and IDE Redirection (IDER) capabilities, and by default these came from the manufacturer disabled. This and other reasons for firmware updates are detailed in this list:

  • Dell Latitude 620 SOL IDER disabled in the BIOS – The update that enables these features automatically, without having to physically update each BIOS manually, is a BIOS firmware upgrade that sets them as enabled, among other fixes/updates.
  • Upgrading AMT 2.1 to 2.2 – Desktop models of AMT version 2.1 can be upgraded to support Remote Configuration (certificate-based zero-touch provisioning) by upgrading the Intel ME firmware to version 2.2.
  • Upgrading AMT 2.5 to 2.6 – Notebook models of AMT version 2.5 can be upgraded to support Remote Configuration by upgrading the Intel ME firmware to version 2.6.
  • Upgrading AMT 2.0 to 2.1 – Some major fixes were incorporated between versions 2.0 and 2.1 of AMT.
  • UUID reset fix for HP Compaq 6910p – This fixed a flaw in the firmware where sometimes Intel ME returned the UUID of all zeroes or a default UUID set in the firmware, causing duplicates.  This update patches the firmware for Intel ME on these laptop models.
  • Upgrading Intel AMT 4.0 to 4.1 – On the newer version of AMT for laptops, fixes have been provided via version 4.1 and are available from most manufacturers.
  • Miscellaneous fixes to Intel ME – Other fixes have been incorporated in ME firmware updates

Obtaining the Right Firmware Update

For all BIOS updates, the manufacturer’s website should be consulted.  For each vPro model you wish to update BIOS firmware with, use the following basic steps:

  1. Go to the Manufacturer’s main site.  For this example, we’ll use Dell.  www.dell.com.
  2. Choose the Support icon and click ‘Download and Drivers’.
    Dellcom.JPG
  3. An applet will appear where you can choose the system through several options:
    1. Model
    2. Service tag
    3. Log in to choose from a list of systems
  4. Once you have the right system listed, there will be a list where you can click the plus + next to ‘BIOS’.
  5. From the provided list choose the applicable update by clicking the ‘Download Now’ link to the right.  The download will usually be in the form of an EXE.

While Intel manages the basic firmware for the Intel ME, the manufacturer packages it for deployment, including changes that may be required for specific models of vPro capable systems.  It is advised that you only use the manufacturer’s Intel ME firmware updates on your vPro systems.  The following walkthrough will hopefully help you identify what updates are available.  For this example we’re using HP’s website.

  1. Go to www.hp.com.
  2. Click on the ‘Support and Drivers’ tab.
  3. Choose the option Download drivers and software (and firmware) for Step 1 and put in the Model number of the vPro system type you wish the update for, in Step 2.
  4. Press Enter to go to the main page for the system.
  5. Though it prompts for what Windows you’re running, the updates are OS independent so choose any.
  6. For the Intel ME firmware updates, the categories differ.  For HP it’s under simply ‘Firmware’.  Other potential categories include:
    1. Firmware
    2. System Firmware
    3. Chipsets
  7. Click Download to the right of the applicable ME update.
    HPfirmware.jpg
  8. Once the EXE is downloaded, move on to the next section.

Rolling out the Firmware Update

Once you’ve obtained the EXE, it’s time to configure a Software Management Solution Software Resource, Package, associated Command lines, and create a task to roll it out with.  It’s important to understand how, depending on how the manufacturer packaged the EXE, the rollout can be accomplished silently without user interaction.  Typically administrators do not want users to interfere with the rollout, or to even be aware of it.  The following walkthrough considers this the desired result; however the configuration can be changed as so noted where applicable below.

Creating a Software Package/Program

  1. On the Notification Server place the EXE you downloaded for the firmware update into a self-contained folder.  The folder and everything in it will become a “package” for the Software Resource, thus it is recommended to have only the needed file therein.
    Note: You can use another storage location if you prefer, such as UNC or URL.  Simply adapt these steps to fit your preferred source method
  2. In the Symantec Management Console browse under Manage > and choose Software.
  3. In the left-hand tree browse under Software Catalog > Deliverable Software > and select Updates and Service Packs.
  4. In the resulting right-hand pane, click the Add button and choose Software Update.
  5. Above the configuration tabs provide a name for the Update.  In this example we’ll use an HP 6930p laptop firmware update of the Intel ME to version 4.1.1.1028.
  6. Click on the Package tab.
  7. Click the Add package button.
  8. Provide a name for the package and browse to the location referred to in step 1.  The name we’ll use in this example is AMT 4.1 Firmware EXE(Windows) for HP 6930p.  See this screenshot for an example:
    AMT4.1Firmware.jpg
  9. Click OK to save the Package details.
  10. Click on the Add command button.
  11. Provide a Name for the command-line.  For this example we’ll use: Apply AMT 4.1 Firmware Update silently.
  12. Check the option labeled Command line requires a package and ensure that the Package you created previously is selected.
  13. Under Installation file type choose the option labeled EXE Software Installation File.
  14. Change the Command type to Install.
  15. Provide a silent command line under the Command line field (this is the potentially difficult part.  The update I tested with had no documentation on silent installs and I had to tinker to find the -s command-line that ran it silently, i.e.: "sp42026.exe" -s).
    NOTE: Due to the nature of firmware updates, it is possible the EXE will want to reboot the system.  It is recommended to test the execution and adjust the command-line to suppress the reboot so no user is interrupted in their work.
    See the below screenshot for an example:
    AMT4.1cmdline.jpg
  16. Click Save changes to complete the Software Resource creation.

Creating a rollout Task

The next step is to create a Quick Delivery Task that pushes out the update.  While a Manage Delivery Job may be used, reapplying a firmware update may have unintended consequences because of the nature of firmware updates, so for this example we’ll use a Quick Delivery Task. Follow these steps to create the Task:

  1. In the Symantec Management Console browse under Manage > and click Jobs and Tasks.
  2. In the left-hand tree browse down through System Jobs and Tasks > Software > and select Quick Delivery.
  3. Right-click on the Quick Delivery folder > choose New > and click on Job or Task.
  4. Within the resulting window choose Quick Delivery from the left-hand tree.
  5. Provide a name for the task.  In this example we’ll use AMT 4.1 Firmware Update for 6930p Rollout.
  6. Under the Software resource dropdown choose the name of the Software Resource you created.  In this example it is AMT 4.1 Firmware Update for HP 6930p.
    NOTE: The dropdown is also a type field so you can start typing AMT 4.1 to have the selected software found and displayed in the dropdown.
  7. Ensure that the Command line and Package in the two subsequent dropdowns correctly show the Command-line and Package you created.  For our example they are Apply AMT 4.1 Firmware Update silently and AMT 4.1 Firmware EXE(Windows) for HP 6930p respectively.
  8. Click the Advanced button.
  9. Under the Download Options typically what is configured at the Altiris Agent level should be sufficient for your needs.  Click the Run Options tab.
  10. This is your execution environment.  Due to the nature of firmware updates, it is advisable to use the option labeled Altiris Agent credential.
    NOTE: Specific user can be used if you wish to provide an account that has Administrator rights on the target systems directly.
  11. Under User run conditions check the option labeled Allow user interaction.  We have found that this option improves success rate due to loading a fuller user stack.
  12. Change the Display window to Hidden.  See this screenshot for an example:
    AMT4.1Task.jpg
  13. Click OK to save the Advanced options and Click OK on the main Task configuration page to save the details of the Quick Delivery Task.
  14. You can use the Quick Run under the Task Status section to test the rollout.  Please see the section following labeled ‘Test the Rollout’.  It is vital to properly test the rollout so any corrections can be made before rolling it out generally.
  15. Set a schedule.  You can choose Now or set a specific scheduled time if needed.
  16. For the next step under Input you’ll need to manually add devices for this firmware update to be run on or select a target.  Step 17 covers how to create a target for the example we’re using in this sequence.  If you are only adding machines manually step 17 is not required.  Move to step 19.
  17. To create a target based off of Inventory Solution data that automatically targets the HP Compaq 6930p laptops, follow these steps:
    1. In the Symantec Management Console browse under Manage > and click on Filters.
    2. Browse under Computer Filters and select or create a folder to create the filter in.
    3. Right-click on the folder and choose New > Filter.
    4. Name the Filter.  In our example we’ll use All HP 6930p Laptop Computers.
    5. Under the Filter Definition dropdown choose the option Query Mode: Query Builder.  You’ll receive a notice: You are about to switch to the other query editing mode.  This cannot be undone after save.  Click OK to continue.
    6. Expand the Filter Definition section by clicking on the down-arrow to the far right.
    7. Under the query section, select the tree item ‘Resource’ and click the red X delete icon.
    8. When the page refreshes on the right you’ll see a Base Resource Type.  Choose Computer.  When prompted, choose to continue.
    9. Under the actions section to the right, click the link labeled Use Fields & Data Class Attributes.
    10. In the resulting picker type in or choose from the dropdown the data class and column you wish to reference.  For our example choose [Logical Device].[Model] and click OK.
    11. Click the Filter Expressions tab.
    12. Click the Add Condition button and choose one of the options (for a first filter it doesn’t matter).
    13. Type the same data class and column selected previously.  In our example type [Logical into the If: field and then select [Logical Device].[Model] from the dropdown.
    14. Choose Like in the next dropdown to the right (or if you know the exact value you’re looking for, use Equals).
    15. In the last field type the model number.  In our example type %6930p%.  See this screenshot for an example:
      AMT4.1Filter.jpg
    16. Click Save Changes to complete the Filter.
  18. To add the Filter to the schedule, go through the following steps:
    1. Under the Task Status click the button New Schedule
    2. Set the schedule as desired.
    3. Under Input click Add and choose Target.
    4. Click the Add rule button in the resulting window.
    5. In the first dropdown choose the option labeled exclude the resources not in.
    6. Leave Filter as the option in the second dropdown.
    7. In the third dropdown type in the first words of the filter you created in the previous step.  In our example type All HP and click the dropdown arrow.  Select the appropriate collection from the list.
    8. Click OK to save the Target.
  19. Click Schedule to apply the Task to the selected systems.
  20. Done!  This Task type will use Task Server to push out the task.  For systems already online they should receive the task within minutes based off of being active on the network.  For systems not on, the next time they come online and check for Tasks, Task Server will push out the Task at that time.

Test the Rollout

The most important part of this process is to test the rollout.  This will allow you to make corrections to the command line or execution environment should the first attempt fail.  By testing the rollout you can ensure it is ready for the greater environment.  In testing, you should:

  1. Target a system that matches your Production Environment as closely as possible
  2. Test the command-line to ensure it successfully and silently rolls out the firmware update.  You can accomplish this by copying the files over and running the command line manually from a command prompt or from Start > Run.
  3. Check the BIOS or Intel AMT for versioning change.
    Note: the ME version may not be synched with the AMT version.  A good test is to try executing the update again manually to see if you receive a message indicating the version is already up to the latest version.
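
An added example (not from the original article, nor from Symantec, HP or Intel): a PowerShell pre-flight for the manual test in step 2. It checks the downloaded EXE's Authenticode signature and records its SHA-256 before the file is packaged, then runs it with the silent switch and reports the exit code. The function and parameter names and the expected-signer string are assumptions; run it from an elevated prompt on a test system.

```powershell
# Added example: pre-flight check and manual test run for a vendor firmware EXE.
# Assumptions: script and parameter names are illustrative; -ExpectedSigner is a
# substring you expect in the signing certificate's subject (take it from a copy
# of the update you already trust). Requires PowerShell 4.0+ for Get-FileHash.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $UpdatePath,      # the EXE in the package folder
    [Parameter(Mandatory)] [string] $ExpectedSigner,  # assumption: vendor name in cert subject
    [string] $SilentArgs     = '-s',                  # switch the article found by testing
    [int]    $TimeoutSeconds = 900,
    [switch] $VerifyOnly                              # check the file, do not execute it
)

function Test-FirmwarePackage {
    param([string] $Path, [string] $Signer)

    $file    = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig     = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $hash    = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        File            = $file.FullName
        SHA256          = $hash.Hash
        SignatureStatus = [string] $sig.Status
        SignerSubject   = $subject
        # Trusted only if the signature validates AND names the expected vendor.
        Trusted         = ($sig.Status -eq 'Valid') -and ($subject -like "*$Signer*")
    }
}

function Invoke-FirmwareTestRun {
    param([string] $Path, [string] $Arguments, [int] $TimeoutSec)

    $started = Get-Date
    $proc = Start-Process -FilePath $Path -ArgumentList $Arguments `
                          -WorkingDirectory (Split-Path -Parent $Path) -PassThru
    $null = $proc.Handle   # cache the handle so ExitCode is readable after exit

    $exited = $proc.WaitForExit($TimeoutSec * 1000)
    [pscustomobject]@{
        # Still running after the timeout usually means the switch did not suppress
        # a prompt. The process is deliberately NOT killed: interrupting a flash in
        # progress can leave the firmware unusable.
        TimedOut = -not $exited
        ExitCode = if ($exited) { $proc.ExitCode } else { $null }
        Seconds  = [int] ((Get-Date) - $started).TotalSeconds
    }
}

$check = Test-FirmwarePackage -Path $UpdatePath -Signer $ExpectedSigner
$check | Format-List
if (-not $check.Trusted) {
    Write-Error "Signature check failed ($($check.SignatureStatus)); do not package this file."
    exit 2
}
if ($VerifyOnly) { exit 0 }

$run = Invoke-FirmwareTestRun -Path $check.File -Arguments $SilentArgs -TimeoutSec $TimeoutSeconds
$run | Format-List
if ($run.TimedOut) {
    Write-Warning 'Updater still running; check the test system for a hidden prompt.'
    exit 3
}
# Exit-code meanings are vendor specific; record the value and compare it with the
# BIOS/ME version shown on the test system (step 3).
exit $run.ExitCode
```

Run it with -VerifyOnly on the Notification Server before creating the package, and keep the recorded SHA-256 so the file in the package folder can be compared against it later.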

Conclusion

Using this process, you should be able to remotely update any firmware required for successful use of Intel vPro Systems both with Setup and Configuration using Out of Band Management, and vPro functionality use within any Job and Task in the Symantec Management Platform.


In the opening keynote at the recent Symantec ManageFusion 2009, Intel Vice-President Gregory Bryant talked about joint efforts between Symantec and Intel around product offerings that help with centralizing management of applications and licensees, while still enabling end-users to have a responsive experience with rich-client desktop PCs and notebook PCs. The below demonstration by Symantec's Brian Duckering illustrates how Intel and Symantec are bringing these benefits to customers with Symantec Workspace Streaming and Intel vPro technology.

To learn more about Intel's presence at ManageFusion 2009, please go to http://www.intel.com/go/managefusion/


At the recent Symantec ManageFusion 2009, Symantec announced the general availability of Symantec Altiris Client Management Suite Version 7.

One of the new features in Symantec Altiris Client Management Suite Version 7 is support for Intel Centrino 2 with vPro technology's "Fast Call for Help."  The video below by Symantec's Senior Technical Manager Lee Bender is a demonstration of how an end-user would connect back to the Altiris Client Management Suite for remote diagnosis and repair of his notebook even though he cannot boot into Windows and is outside of the corporate firewall.

To learn more about Intel's presence at ManageFusion 2009, please go to http://www.intel.com/go/managefusion/

Perhaps a better question is - How can the current Intel vPro Technology combined with existing management\security solutions help protect client systems?

 

This is not an attempt to scare or over-generalize the reality of security threats such as the Conficker worm.  The intent is directed to how a real-world situation can be addressed.  The suggestions below assume Intel vPro Technology is already configured within your environment - thus you are ready and able to use the out-of-band management technology in connection with existing "in-band" management tools.
An overview of the Conficker worm is available online. The following are a few examples:

  • http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm (there’s a 60 minute interview video)

There is a mix of good\bad reports on preventing, detecting, removing, and basically addressing the worm.

The following are a few suggestions on how to combine Intel vPro Technology with client management and security solutions to help protect and remediate a worm infection situation.

Interested to know if you’ve employed such tactics and how these have assisted in combating the Conficker worm threat.

  • System Defense/Network Filtering to totally isolate a client – For systems that have been detected as infected on the network.
  • Out-of-band discovery of systems needing a patch – In searching databases\logs for clients that have not received the latest security updates, the ability to locate those systems on the network even when powered off.
  • Wake-up, patch and/or scan systems – Using a job to reliably power on via Intel vPro technology, distribute necessary security patches to the client, run security scans, and then power off the client.
  • Isolate and patch – For systems that have not been patched\scanned, as a security precaution before allowing them on the network. This will require a customized system defense or network filter to allow certain “in-band” actions on the targeted client (i.e. patch, scan, etc.).

If not already familiar with how to combine out-of-band and in-band management techniques as mentioned above, example demonstrations for an Altiris CMS version 6 environment are available at http://www.symantec.com/connect/articles/combining-band-and-out-band-management, with the same material (including lab documents) also posted at http://communities.intel.com/docs/DOC-2347

On May 10th, Intel Vice-President Gregory Bryant was part of the opening ManageFusion keynote led by Symantec's Steve Morton.

Gregory talked about how customers are realizing value today with Intel vPro technology and getting a return on investment that pays for itself in less than one year.  He also talked about new Intel vPro technology product developments with Altiris Client Management Suite Version 7 and Symantec Workspace Streaming. View the highlights below or click here to see the full keynote.
