I recently received feedback on how to find key links, tools, and the BKM Wiki. I thought it would be good to create a Tools & Solutions call out box that was easy to find with links that are relevant to the community. I collected up a few relevant links & created the call out box on the left column of the community site.

If you have input on other links I should add to this box please let me know and I will add ASAP. Thank you for your input.

Josh H

As a network administrator for a small local government agency, I have been tasked to deploy Intel's Active Management Technology (AMT) into our network environment. Having sold our IT management on the benefits of vPro technology and how it can revolutionize our system management capabilities, I am ready to move forward and get AMT installed . In addition, today I learned that we will begin receiving brand spanking new HP systems in January that will have the latest greatest vPro technology aboard. I've got a few months to become an AMT expert and be ready for the new systems. Life is good!

Where To Start

The first thing I did after learning about vPro and AMT was to visit the Intel vPro Expert Center web site. There I found a great variety of resources to help me with my deployment. This is a good site to get help and guidance. The only problem I have with the site is that there's no link to download the AMT docs or software. You'll want to get your hands on the Intel Active Management Technology Setup and Configuration Service (SCS) - Installation and User Manual. You can get this document as well as the software from http://softwarecommunity.intel.com/articles/eng/1025.htm. Since SCS is the foundation and support structure of everything that goes on in the AMT and vPro world, this was the most logical place to start.

In addition, since I plan on integrating SCS with my existing SMS 2003 infrastructure, I also downloaded the Intel Active Management Technology Add-on for Microsoft SMS 2003 - Installation and User's Guide. Getting this was a bit of a challenge so stay with me on this one. I had to navigate to another good link you'll want to keep and refer to, The Intel Management Developer Community. From here I searched for "SMS 2003" and found the link to the SMS 2003 Add-on document. For non-developers like me, this site can appear to be not exactly what we do everyday, but hang in there, this site has a lot of info too. Now I had the documents I needed. They created the basis on which I would start to plan and deploy AMT into my network.

Read, read, read

The first thing I did after printing the documents was to read them over several times so I could get the gist of just how all the pieces played together. Then I read them again. After the first pass, it all looked pretty daunting and difficult, but after reading many of the sections over, it all started to come together and make sense. Read. Read. Read.

Time to lay things out

Ok, now I had a pretty good idea of what everything did and why, it was time to make sure I had everything I needed to make the pieces work together. I began to try and lay out what I needed to have to make AMT work.

Servers - I need to decide where to install SCS. I had a recently rebuilt Windows 2003 R2 server available that also had SQL 2005 on it. Plenty of disk space and horsepower. This was good. We were using this server to host our Help Desk application and it didn't appear to be over taxed in any way. The hardware and base OS part was taken care of. The server happened to be in our central office which was also a benefit. Our office is put together in a spoke and wheel configuration with all outer offices connecting to the central office over fast network connections. This would be good when we start to provision systems from outer office locations.

Active Directory - SCS / AMT relies on and utilizes Active Directory quite a bit. Our Active Directory is at Windows 2003 R2 level so I'm good to go. Also, as a Domain Admin, I have the ability to make any changes necessary to Active Directory.

Security - AMT supports Transport Layer Security (TLS) for secure communications between AMT devices and management console applications. TLS is optional for AMT, however we wanted to make all our communications as secure as possible so we're going for a full TLS implementation. This requires certificates and fortunately we have a Microsoft Certificate Authority server in our network that will make things easy to manage.

Database - SCS stores all its information in a database. We're going to use the existing SQL 2005 database on the server we're going to install SCS on.

AMT Device Location - Where were the new systems coming into and who was handling them? In the past when new systems came in, our Help Desk techs were very efficient in imaging them and deploying them right out the door. I need to make sure that everyone in our Help Desk group was tuned into what we were trying to do. We'll need to have a meeting to discuss what's going to happen after they plug in a system to the network for the first time.

Now that I've gotten my infrastructure laid out, it's time to start installing software. Yeah!

Next time I'll detail the steps I took in actually installing SCS into my network. As always, any comments and suggestions are warmly welcomed.

Over the last year I have worked with our internal IT shop to implement vPro & CentrinoPro into the environment. While that was fun & rewarding, I thought now would be a good time to implement a smaller instance w/ a mix of clients & try out the new Intel System Defense Utility that I put a link on the tool page..

I've currently procured a centrinoPro, vPro(AMT2.x) & working on obtaining a vPro(AMT3.0) box to showcase all use cases & functionality, especially the Remote Configuration feature. What is good to note is that Matt Royer already helped me demonstrate Remote Configuration in San Francisco IDF & it was very nice to watch the out of the box to having the console automatically provision & show the vPro machine. However now the immediate challenge is for me to set this up w/ ISDU & see what use cases I can utilize.

if your on this path as well, let me know. I like to hear how you are using AMT (active management technology).

Cheers. Off to Provisioning....

UPDATE

I updated the BIOS via USB on the CentrinoPro & vPRO machines to ensure latest bios. I will work to get the post up this week on how to create a dos bootable USB stick & the preferences on size of the stick.

I then downloaded the Intel System Defense Utility, then I hard lined the CentrinoPro machine for now as I have not changed my Access Point settings for WPA at this point

(remember i'm doing this in SMB mode).

I then started the scan & was able to see both machines. If you click on link below you will find that I was able to detect both machines. I started first with inventory to show what I could validate from the Machines. Good to note is that both machines are Plugged into the network & the power (desktop - of course, notebook - yes). I wasn't satisified with the results so I went to each of the machines Web UI to ensure I could connect.

Initial Scan to obtain machines on the subnet, while this took longer than I expected it did find all the machines.

After finding you double click on each PC & it connects you to the Firmware.

Then I pulled an asset mgmt screen on both the notebook & desktop to show that I can pull inventory, take in account each machine is powered down at this point.

Now to be sure you can establish communication I went to the Web UI on both, which in the ISDU tool it is simple to click the link & hit the admin login.

While this is good, it's time to now showcase the rest of the use cases, including System Defense with a few good filters. I was out hunting for a good virus & found the backdoor.darkmoon. One of the ports is listens on is 6868 & 7777.. I was able to use System Defense as seen below to block these ports by doing the following:

#1. Open up Intel System Defense Utility

#2. Connect to the impacted machine

#3. Select the "System Defense" tab

#4. Select "Block LImited Services"

#5. Uncheck all items & then in blocked ports in put "6868,7777"

#6. Hit Apply Settings, then Apply Changes

DONE - I've now protected my machine quickly against the potential exploit. It doesn't fix it for cleaning, however it does protect the virus from communicating & receiving future instruction.

Now I can remote control it, turn it on, update the DAT files.

In the short history of the Intel AMT Developer Tool Kit (DTK), this is probably the single release with the most changes and improvements in it. One look at the change log and you notice that there are lots of improvements in many areas of the DTK. In this blog, I want to touch on a few of the major new features.

Intel AMT Guardport, a C/C++ version of the Intel AMT Outpost serial agent. Many have noticed that Intel AMT Outpost is a quite powerful Intel AMT agent. The main problem with Outpost is that it is rather fat software and makes use of .NET. It's not practical if you are going to run it on 1000's of computers or most importantly, add it to a recovery OS image. Intel AMT Guardpost is a light weight port of the most important feature of Outpost, the serial agent. Guardpost is a statically linked .exe file (no other .DLL's required) that finds the SOL COM port automatically and binds to it. It offers a command prompt and the same binary-over-SOL support that Outpost supports. In this version, Guardpost is still very limited but supports remote process monitoring and the most impressive of the Outpost features: TCP-over-SOL.

Intel AMT Interceptor, a trace and debug tool that connects to Intel AMT Switchbox. This new tool takes advantage of a new debug port in Switchbox to show in real-time all of the traffic going thru Switchbox. It shows in real time HTTP, SOL and IDE-R traffic flowing thru and for each data chunk, its source and destination. It even works with TLS since a console with authenticate with Switchbox and Switchbox will perform its own TLS connection to Intel AMT. At a minimum, this new tool is very educational for people curious to see in-depth, what Intel AMT network traffic looks like.

Intel AMT DTK Internationalization effort. A lot of effort is going into internalization of the Intel AMT DTK. This started months ago with Simplified Chinese and Japanese support. In order to make it easier to internationalize the DTK (or any .NET application) we started work on a Resource Translator tools. It's only part of the source code package and it's just an early tool right now. I have used it to start translation into French of the Intel AMT Terminal. Some will also notice that some of the Terminal is translated into Hebrew to test to right-to-left support and NetStatus is translated to Russian.

Lots more improvements are coming up for the DTK. Mostly, I have to code all the time and I sometimes have to put aside answering mails for a while. I will try to answer more mails next week.

Audio File: Ylian's audio blog on the Intel AMT DTK v0.38 (.mp3)

Ylian