
Intel vPro Expert Center Blog


Detecting, configuring, and maintaining the Intel AMT configuration across an enterprise requires automation.

 

Setting up a lab or initial pilot environment through McAfee ePO should be simple without any 3rd party software or infrastructure customization.

 

Announcing McAfee Deep Command 2.0 Beta

  • Simple - "One-Click" configuration of Intel AMT from McAfee ePO
  • Microsoft CA optional - generate and apply Intel AMT certificates via McAfee ePO (including CIRA\Gateway Certificates)
  • Planning for the future - works with McAfee ePO 4.6.x or 5.0

 

The beta starts April 30th.

 

See the introductory video at https://community.mcafee.com/videos/1600

 

Interested in beta participation?  Subscribe to https://community.mcafee.com/groups/epo-direct-beta

 

New to McAfee ePO Deep Command?   See recorded demonstration of version 1.5 at https://community.mcafee.com/videos/1499

 

Note: Viewing content on McAfee Community will require a logon account.

Intel IT is fully engaged in the process of integrating Windows* 8 into the corporate environment now that the new OS is running on thousands of business Ultrabooks, other mobile devices, and desktop PCs at Intel. Check out today's live webinar, where Intel experts Tiffany Pany and David Scheer will share their team's insights and experiences on integrating Windows* 8. Register now!


 

Italian ICT specialist Project Informatica needs the latest mobile computing devices—combining all the best elements of performance, security and usability—to show off to customers and keep its employees productive in the office or on the road. After rigorous testing, it chose the Samsung Slate* 700T, a tablet based on the second-generation Intel® Core™ i5 processor and the Windows* 8 operating system.


“The touch-based tablet powered by the Intel Core i5 processor and Windows 8 is strategic for our sales team," explained Alberto Ghisleni, managing director at Project Informatica.  "It allows them to save time while having a more appealing and interactive graphic interface for their most commonly-used applications.”

 

Learn all about it in our new Project Informatica business success story. You can find more like this one on the Intel.com Business Success Stories for IT Managers page or the Business Success Stories for IT Managers channel on iTunes. And to keep up to date on the latest stories, follow ReferenceRoom on Twitter.

 

*Other names and brands may be claimed as the property of others.


  
To speed the time it takes clinicians to get to critical patient records, IT solutions provider Unisys is developing an application called MovilMed* that compiles data from multiple systems into one interface that’s easily accessible. Tablets featuring 3rd generation Intel® Core™ and Intel® Core™ vPro™ processors and Intel® Atom™ processors will give medical staff access to MovilMed no matter where they are. The Intel processor-based tablets also support Microsoft Windows* 8, giving IT a common platform.


“We’re developing the MovilMed solution around the Intel platform, which provides an environment that’s easy to manage and delivers the performance we need,” explained David Howard, director of IT automation for Unisys.


Read all about it in our new Unisys business success story. You can find more like this one on the Intel.com Business Success Stories for IT Managers page or the Business Success Stories for IT Managers channel on iTunes. And to keep up to date on the latest stories, follow ReferenceRoom on Twitter.


*Other names and brands may be claimed as the property of others.


 

Digital Text creates digital and multimedia textbooks for schoolchildren in Spain. To be sure it was recommending the most appropriate and up-to-date hardware for its customers, the company evaluated a number of mobile computing devices, including the Lenovo Twist* convertible Ultrabook™ powered by the Intel® Core™ i5 processor and running Microsoft Windows* 8. Digital Text needed the device it chose to be lightweight and relatively compact to fit onto a student's desk along with other resources and more traditional textbooks.

 

“[The Ultrabook] demonstrated optimum performance, with fantastic speed when starting it up and opening our applications," explained Héctor Ruiz-Martín, general manager of Digital Text. "It was really fluid with elements like Flash* and this was impressive. The device that I tested had the power of a desktop PC and it was clear that Flash was very responsive.”


Read all about it in our new Digital Text business success story. You can find more like this one on the Intel.com Business Success Stories for IT Managers page or the Business Success Stories for IT Managers channel on iTunes. And to keep up to date on the latest stories, follow ReferenceRoom on Twitter.

 

*Other names and brands may be claimed as the property of others.

 

Client Hyper-V* with Intel® Active Management Technology (Intel® AMT):

Client Hyper-V* virtualizes your Windows 8* installation. It allows you to add one or more child virtual machines, running other operating systems, as windows inside the Windows 8 desktop.

 

If you give Hyper-V* a try, you won’t have to worry about the effect of Hyper-V on your Intel vPro platform. Intel® Active Management Technology (Intel® AMT) functionality is still available with Hyper-V* enabled.

  • Hyper-V* can be enabled or disabled on vPro systems at any time.
  • Intel® Active Management Technology (Intel® AMT) can be enabled and provisioned with or without Hyper-V*.

 

Note: Intel® Active Management Technology (Intel® AMT) provides the capability for IT departments to manage client systems even when the PCs are powered down.

 

The advantage of Hyper-V*

 

There have been significant barriers to implementing other Client Virtualization solutions including:

  • Deployment:

Other virtualization solutions, utilizing a hypervisor, may require a new installation which deletes whatever is already on the hard drive. The existing OS and data are lost. With Windows 8 there is no need to replace the operating system.

 

Hyper-V is relatively easy to deploy. In the Windows 8 features list, simply turn Hyper-V on and reboot. Windows 8 is now virtualized, although you wouldn’t notice it unless you were told. It doesn’t appear any different than Windows 8 without Hyper-V enabled. All of the user settings remain as before.

  • Platform Compatibility

Other virtualization solutions may have a difficult time keeping up with the HW devices and platform models that are available. The hypervisors used by other solutions may only install on a fraction of the systems supported by Windows 8*.

 

While not all Windows 8* compatible systems will run Hyper-V*, a broader range of hardware is compatible with Hyper-V* than with some of the other client virtualization solutions. See the list of Hyper-V requirements below.

 

  • VM management

The Hyper-V* Manager makes it easy to manage VMs. VMs can be managed locally or on a Windows Server 2012* system. On the local system you can create snapshots of your VMs. For example, you can create a base install and take a snapshot of it. Then add a service pack to that snapshot and create another snapshot. Next you could add applications and create yet another snapshot.

 

You can also create different branches from the various snapshots. Based on the example above you could create a new snapshot of the base install and add another set of applications without installing the service pack. Using the Hyper-V manager you can switch to any snapshot and make it active.

 

Hyper-V* Requirements:

  • 64-bit PCs with Second Level Address Translation (SLAT) running 64-bit versions of Windows 8 Pro or Enterprise
  • 4 GB of memory
  • Hardware virtualization such as Intel's VT-x technology

 

Resources:

  • About Virtual Machines and Guest Operating Systems

http://technet.microsoft.com/en-us/library/cc794868(v=ws.10).aspx

  • Client Hyper-V

http://technet.microsoft.com/en-us/library/hh857623.aspx

http://social.technet.microsoft.com/wiki/contents/articles/7704.client-hyper-v-survival-guide.aspx

 

Hyper-V Enabling Process

Hyper-V* is enabled through Control Panel -> Programs and Features -> Turn Windows features on or off.


     

After Hyper-V is enabled a reboot is required. Once the system has rebooted, launch the Hyper-V Manager and select the system name in the left pane. Next, select New -> Virtual Machine under the options in the right pane. The New Virtual Machine Wizard will launch.


New Virtual Machine Wizard

Skip the “Before You Begin” screen.

 

Specify Name and Location:


      

Assign Memory:


   

Configure Network: for the first VM the only choice will be “not connected”. The network will be added later.


      

Connect Virtual Hard Drive:


   

Installation Options:


   

Completing the New Virtual Machine Wizard:


 

Select Finish and follow the OS install instructions. The new Virtual Machine is now visible in the Hyper-V Manager. Select the VM and start it by selecting “connect”.

 


     

Once the OS is installed disconnect the ISO image from the CD/DVD drive. Click on settings of the VM and then select the DVD drive under the IDE Controller. Select “none” under media. Note: do not delete the CD/DVD drive.


 

Virtual Switch Manager

From the Hyper-V Manager select the Virtual Switch Manager. Create a new “External” virtual network switch for your wired LAN, and if needed create another for your wireless LAN.


   

Wired network settings:


      

Wireless network settings:


   

Running the VM

After launching the Virtual Machine you can see Windows 7 running in a separate window on the Windows 8 desktop.

 


     

Below you can see that Windows 7 and Windows 8 both have internet access.


      

VM Snapshots

Hyper-V provides the capability to take snapshots of your VM. You can create a snapshot of your base OS install and then use that to create separate snapshots that have different applications or configurations. You can instantly switch to any snapshot you want by selecting it and applying it to the VM. Snapshots can even be taken when the VM is running.
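The whole walkthrough above, from checking the requirements and enabling the feature through the New Virtual Machine Wizard, the Virtual Switch Manager and snapshots, can also be driven from the Hyper-V PowerShell module that ships with Windows 8. The script below is an added example for this article, not code from the original post or from Microsoft; the VM name, ISO path, VHD location, switch name and snapshot names are placeholders chosen for illustration, and it must be run from an elevated prompt on a 64-bit Windows 8 Pro or Enterprise system.

```powershell
# Added example (not part of the original post). Placeholder names throughout.
# --- Part 1: prerequisites and feature enablement (before the reboot) ---

# systeminfo prints a "Hyper-V Requirements" section (VM Monitor Mode Extensions,
# SLAT, Data Execution Prevention) on Windows 8 until the hypervisor is running.
systeminfo | Select-String -Pattern 'Hyper-V Requirements' -Context 0,4

# The article lists 4 GB as the minimum; warn if the host has less.
$ramGB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB)
if ($ramGB -lt 4) { Write-Warning "Only $ramGB GB of RAM; Hyper-V wants 4 GB or more." }

# Same as Control Panel -> Programs and Features -> Turn Windows features on or off.
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart
# Restart-Computer    # reboot is required; run Part 2 afterwards.

# --- Part 2: after the reboot ---
Import-Module Hyper-V

$vmName  = 'Win7-Test'                    # placeholder VM name
$isoPath = 'C:\ISO\Windows7.iso'          # placeholder install media
$vhdPath = "C:\Hyper-V\$vmName\$vmName.vhdx"

# Equivalent of the New Virtual Machine Wizard: name, memory, a new virtual hard
# disk, and no network adapter connection yet (the wizard only offers "Not connected"
# before a virtual switch exists).
New-VM -Name $vmName -MemoryStartupBytes 2GB -NewVHDPath $vhdPath -NewVHDSizeBytes 40GB
Set-VMDvdDrive -VMName $vmName -Path $isoPath     # "Install an OS from a boot CD/DVD-ROM"
Start-VM -Name $vmName                             # then open vmconnect and run the OS setup

# Once the OS is installed: eject the ISO but keep the DVD drive, as the article says
# (Settings -> DVD Drive under IDE Controller -> Media: None).
Set-VMDvdDrive -VMName $vmName -Path $null

# Virtual Switch Manager: one "External" switch bound to the wired adapter.
# AllowManagementOS keeps the host's own networking on that adapter.
$wired = Get-NetAdapter |
    Where-Object { $_.Status -eq 'Up' -and $_.PhysicalMediaType -eq '802.3' } |
    Select-Object -First 1
New-VMSwitch -Name 'External-Wired' -NetAdapterName $wired.Name -AllowManagementOS $true
Connect-VMNetworkAdapter -VMName $vmName -SwitchName 'External-Wired'

# Snapshots: base install -> service pack, then a branch off the base without it.
Checkpoint-VM -Name $vmName -SnapshotName 'Base install'
# ... apply the service pack inside the guest ...
Checkpoint-VM -Name $vmName -SnapshotName 'Base + SP'
Restore-VMSnapshot -VMName $vmName -Name 'Base install' -Confirm:$false
# ... install applications inside the guest ...
Checkpoint-VM -Name $vmName -SnapshotName 'Base + apps (no SP)'

# The tree of snapshots, showing which one each branched from.
Get-VMSnapshot -VMName $vmName | Format-Table Name, ParentSnapshotName, CreationTime -AutoSize
```

Running Part 1 and Part 2 as two sessions mirrors the article's reboot step; everything in Part 2 corresponds to a screen in the wizard or the Virtual Switch Manager, and Intel AMT on the host is unaffected by any of it, as the article notes.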

Yes - This feature is enabled via the Intel Management and Security Status (IMSS) application.

 

IMSS is installed as part of the Intel AMT driver set.   A small icon will appear in the task tray.


The user does need to open or see this icon. The default key sequence to stop a redirection session is Shift+Escape.

 

Shown below is the IMSS screen, on the Intel AMT tab. The hot key can be changed by the user if they so desire.



Note: The IMSS application and hotkey functionality are operating system dependent.


How does a user know if a redirection session is occurring on their computing device?

 

Two items will show on the screen independent of the host operating system: 

  1. Shown in the upper right corner of the screen - a flashing icon
  2. Red border around the screen. 
    • Note: The red border is more pronounced on Intel AMT 8.x and higher systems, where an alternating red\yellow flashing border occurs.


One final reminder - in many circumstances User Consent must be obtained to establish the initial session.   This further helps to protect the privacy of the end user.   Shown below is an example of the prompt on the user screen - which will appear regardless of the operating system state.

 


A while back I ran into an issue configuring an AMT system in TLS mode. I wanted to walk you through the issue and one potential solution in the event you are seeing similar issues with TLS.

 

I did a quick overview of my environment and everything appeared to be set up correctly. I was able to provision using a non-TLS profile in SCS, but when I switched to a TLS profile I kept getting this error on the vPro client while running ACUConfig.exe:

 

“Exit with code 75.

Details: Failed to complete remote configuration of this Intel(R) AMT device. Failed to get the certificate from the CA. (Certificate ID: 3310051103).  (0xc0002825). The certificate chain could not be built. Please make sure that the root certificate is installed properly. (0xc0003e93). Intel(R) AMT Operation failed. (Request Certificate). (0xc00007d5). The RCS failed to process the request.”


I checked out the SCS server and made sure the root Cert was installed correctly and everything looked normal. Then accessing the MMC cert snap-in on the SCS server, I created a test request to the CA for the AMT TLS cert and it issued it to me:

 


 


 


 


 

And as you can see, the OS had no issues with the certificate, but I was still seeing the errors on the vPro client while running ACUConfig.exe.

 

Taking a closer look at the acuconfig error message, it seemed like the SCS was having trouble building the certificate chain. So I decided to take a look at the CRL. After some digging around a bit, I decided to copy the CRL from the Cert Authority. To do this I just ran this command from a PowerShell prompt on the Certificate Authority:

 


 

Then I copied the crl.crl file over to the SCS server and installed it:

 


 

After I finally got the CRL installed on the SCS server, I restarted the SCS service and attempted the provision again. Sure enough, I was able to complete the process and the Cert Authority issued the TLS certificate for the AMT device.

 


 

There are quite a few different methods of publishing and referencing the CRL in your environment. For more information, see this TechNet page: http://technet.microsoft.com/en-us/library/cc737760(v=ws.10).aspx

 

Instead of relying on the SCS error messages, you could also use a utility like certutil to check the validity of the CRL. Here is a blog post on TechNet on Basic CRL Checking with certutil: http://blogs.technet.com/b/pki/archive/2006/11/30/basic-crl-checking-with-certutil.aspx

 

Bill York also has some information related to expired CRLs and SCCM: http://communities.intel.com/thread/20138

 

If you suspect you are having issues with the CRL in your environment, this manual workaround will get you back up and running, but for a long term fix you should bring it up with your PKI team.
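The post's diagnosis was that the SCS host could not build the chain because of the CRL it held. The following script, an added example that is not part of the original post, is the check a practitioner would run on the SCS server before retrying ACUConfig: it reads the validity window out of the copied CRL and asks certutil to verify an issued certificate with a live CRL fetch, so a stale or unreachable CRL is caught directly rather than inferred from the RCS error text. File paths are placeholders; the CRL is the file copied from the CA as described above, and the certificate can be any one issued by that CA, such as the MMC test request.

```powershell
# Added example (not part of the original post). Paths are placeholders.
$CrlFile  = 'C:\temp\crl.crl'            # CRL copied from the Certificate Authority
$CertFile = 'C:\temp\amt-tls-test.cer'   # a certificate issued by that CA

# Pull one dated field ("ThisUpdate:" / "NextUpdate:") out of "certutil -dump" output.
# certutil prints dates in the local culture, so [datetime]::Parse uses it too.
function Get-DumpDate {
    param([string[]]$Dump, [string]$Field)
    $m = $Dump | Select-String "^\s*$Field\s*:\s*(.+)$" | Select-Object -First 1
    if (-not $m) { throw "'$Field' not found in certutil output; is '$CrlFile' really a CRL?" }
    [datetime]::Parse($m.Matches[0].Groups[1].Value.Trim())
}

# Validity window of the CRL file. An expired CRL (NextUpdate in the past) makes
# CryptoAPI treat revocation status as unknown, which breaks chain building.
function Get-CrlValidity {
    param([Parameter(Mandatory)][string]$Path)
    $dump = certutil -dump $Path
    if ($LASTEXITCODE -ne 0) { throw "certutil could not read '$Path'" }
    $next = Get-DumpDate -Dump $dump -Field 'NextUpdate'
    [pscustomobject]@{
        ThisUpdate = Get-DumpDate -Dump $dump -Field 'ThisUpdate'
        NextUpdate = $next
        HoursLeft  = [math]::Round(($next - (Get-Date)).TotalHours, 1)
        Expired    = $next -lt (Get-Date)
    }
}

# Build the chain the way the OS does, fetching CRLs from the CDP URLs embedded in
# the certificate. Revocation trouble appears as "ERROR: Verifying ... revocation"
# lines; a clean run prints "revocation check passed" for each certificate.
function Test-ChainWithRevocation {
    param([Parameter(Mandatory)][string]$Path)
    $out = certutil -verify -urlfetch $Path 2>&1 | ForEach-Object { "$_" }
    [pscustomobject]@{
        ExitCode        = $LASTEXITCODE
        RevocationLines = @($out | Select-String -Pattern 'revocation' | ForEach-Object { $_.Line.Trim() })
        Passed          = ($LASTEXITCODE -eq 0) -and -not ($out -match '^ERROR')
    }
}

$crl = Get-CrlValidity -Path $CrlFile
$crl | Format-List
if ($crl.Expired) {
    Write-Warning "CRL expired at $($crl.NextUpdate); publish a fresh one on the CA (certutil -CRL) and copy it over again."
}

$chain = Test-ChainWithRevocation -Path $CertFile
$chain.RevocationLines
if (-not $chain.Passed) {
    Write-Warning 'Chain or revocation check failed on this host; install the current CRL here (for example certutil -addstore CA <crl>) and restart the SCS service, as in the post.'
}
```

The two checks are deliberately separate: `Get-CrlValidity` tells you whether the file you copied is itself current, while `Test-ChainWithRevocation` tells you whether this host can reach and accept whatever CRL the certificate points at. A pass on the first and a failure on the second usually means the CDP URL, not the CRL contents, is the problem, which is the case to raise with the PKI team.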

Intel® IT Center Talk to an Expert Webinar:
PC Refresh in the Consumerized IT Environment
Tuesday, February 12, 2013
9:00 - 10:00 a.m. Pacific Standard Time

Talk Live with Intel Experts:
David Buchholz, Director of Consumerization, Intel IT
John Mahvi, Business Client Product Line Manager, Intel IT

Moderator: Chris Peters, Global Business Marketing Strategist, Intel

In this live video webinar, Intel experts will share the insights their teams have gained through firsthand experience with PC refresh in a complex, fast-changing consumerized IT environment.

David and John will cover the positive impact of PC refresh on:

  • Security and manageability
  • Decisions regarding services and devices to be supported
  • User productivity and satisfaction
  • TCO plus support, repair, and energy costs

 
With an efficient, strategic PC refresh program that includes PCs featuring Intel® vPro™ technology, you can dramatically enhance the user experience on company-issued PCs and laptops. And, by doing so, you can resolve many of the issues that arise due to BYO in particular, and consumerization in general.

So, bring your most pressing questions, and take advantage of this opportunity to ask the experts.

Register now >

Intel vPro Platform Solution Manager:

A plug-in designed to target Intel vPro Technology usages

 

  • Receive the latest and greatest Intel vPro functionality as soon as it's launched!
  • Improve time to market for platform feature availability for end customers
  • Provide a solution for the Help Desk to utilize Intel vPro Technology
  • Increase your ROI by providing more use cases to your IT Department and Help Desk
  • No cost

 

Allow your IT Department to focus on innovation and not the traditional every day tasks!

Download NOW! http://www.intel.com/vprosolutions


 

First American Financial Corporation is one of the largest title insurance companies in the U.S., with desktop and laptop computers that support employees who facilitate title and escrow closing for real estate sales. To improve remote PC management, the company's desktop management group worked with Allied Digital Services to activate the Intel® vPro™ platform in HP computers equipped with Intel® Core™ i5 vPro™ processors. First American anticipates improving employee productivity by reducing the time to resolve computer problems, streamlining software provisioning, and using remote power management to drive down energy consumption.

 

“With the Intel vPro platform, we can diagnose and solve complex issues, like OS failures and boot problems, all remotely," explained Dale Hiser, manager of desktop management at First American. "As a result, we can save the shipping costs of replacing systems, avoid expensive deskside visits, and significantly reduce the productivity loss and frustration that downtime can cause employees.”

 

Learn all about it in our new First American business success story. Find more like this one on the Intel.com Business Success Stories for IT Managers page or the Business Success Stories for IT Managers channel on iTunes.  And to keep up to date on the latest business success stories, follow ReferenceRoom on Twitter.

When creating an Intel AMT Configuration profile with Transport Layer Security (TLS), a target Microsoft Certificate Authority (CA) and certificate template must be specified.  When using TLS with Intel AMT, a Server Authentication certificate must be defined and applied into the firmware of each system.   The easiest choice is the WebServer certificate template.   In some environments, this template might be disabled or removed due to security policies.

 

The following summarizes the required steps.

 

First - if a valid Server Authentication certificate template has not been published, a screen similar to the following will appear. The certificate template field is blank, with no available options.

 


Within the Microsoft Enterprise CA, duplicate the WebServer certificate template. When prompted, select the default option for "Windows 2003 Server, Enterprise Edition".


Provide the details for the certificate template.   Shown below the certificate template name is "Intel AMT TLS Cert".


On the Security tab, grant access to the template for the logon account of RCSserver. In this example, RCSserver is running under the Network Service account of a system with hostname SCS8, hence the selection "SCS8$". Grant the "Read" and "Enroll" permissions.


Next, issue the certificate template.   Right click on Certificate Templates under the target Microsoft CA (Note: Required only for Microsoft Enterprise CA to issue certificate templates to the Microsoft Active Directory.   Microsoft Standalone CA implementations do not include this option.)


With the certificate template issued, in the Intel SCS console select "Refresh CAs & Templates". From the pull-down list, select the target certificate template.


Two final reminders - ensure the logon account for RCSserver (the server component of the Intel SCS installation) has rights to "Issue and Manage Certificates" along with "Request Certificates" as required for the Web Enrollment process.


And ensure the Policy Module setting allows certificates to be issued automatically.


 

The above information is provided in the Intel SCS User Guide. This article provides a summary and reminder.
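Each of the steps above leaves a verifiable trace in Active Directory or in the CA's registry configuration, so the whole checklist can be confirmed from a script before the profile is created. The following is an added example for this article, not code from Intel or from the SCS User Guide: it looks up the duplicated template in the Configuration partition, confirms it carries the Server Authentication EKU and is issued by the CA, reads the Enroll permission off the template's ACL, and asks certutil for the policy module's request disposition. It assumes the RSAT ActiveDirectory module is installed; the template display name is the one used above, while the CA config string and the RCS account name are placeholders.

```powershell
# Added example (not part of the original article). Needs the ActiveDirectory module
# and rights to read the CA configuration; CA and account names are placeholders.
Import-Module ActiveDirectory

$TemplateDisplayName = 'Intel AMT TLS Cert'           # name used in the article
$CaConfig            = 'CAHOST\Contoso-Issuing-CA'    # placeholder "<CA host>\<CA common name>"
$RcsAccount          = 'CONTOSO\SCS8$'                 # RCSserver runs as Network Service on SCS8
$ServerAuthEku       = '1.3.6.1.5.5.7.3.1'             # id-kp-serverAuth, what AMT TLS needs
$EnrollRightGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment right

$cfgNC   = (Get-ADRootDSE).configurationNamingContext
$pkiBase = "CN=Public Key Services,CN=Services,$cfgNC"

function Get-AmtTemplateReport {
    # 1. The duplicated template exists and carries the Server Authentication EKU.
    $tpl = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
        -LDAPFilter "(displayName=$TemplateDisplayName)" -Properties pKIExtendedKeyUsage
    if (-not $tpl) { throw "Template '$TemplateDisplayName' not found; duplicate WebServer first." }

    # 2. The Enterprise CA lists it (Certificate Templates -> New -> Certificate Template to Issue).
    $caName = $CaConfig.Split('\')[-1]
    $ca = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
        -LDAPFilter "(&(objectClass=pKIEnrollmentService)(cn=$caName))" -Properties certificateTemplates

    # 3. Who holds the Enroll extended right on the template object (Security tab).
    $acl = Get-Acl -Path "AD:\$($tpl.DistinguishedName)"
    $enrollers = @($acl.Access |
        Where-Object { $_.ObjectType -eq $EnrollRightGuid -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value })

    # 4. Policy module disposition: REQDISP_ISSUE means auto-issue; a REQDISP_PENDING
    #    flag would leave RCS requests waiting for manual approval.
    $disp = certutil -config $CaConfig -getreg policy\RequestDisposition 2>&1 | ForEach-Object { "$_" }

    [pscustomobject]@{
        TemplateDN       = $tpl.DistinguishedName
        HasServerAuthEku = [bool]($tpl.pKIExtendedKeyUsage -contains $ServerAuthEku)
        IssuedByCa       = [bool]($ca.certificateTemplates -contains $tpl.Name)
        RcsCanEnroll     = [bool]($enrollers -contains $RcsAccount)
        Enrollers        = $enrollers
        AutoIssue        = [bool]($disp -match 'REQDISP_ISSUE') -and -not ($disp -match 'REQDISP_PENDING')
    }
}

$report = Get-AmtTemplateReport
$report | Format-List
foreach ($check in 'HasServerAuthEku', 'IssuedByCa', 'RcsCanEnroll', 'AutoIssue') {
    if (-not $report.$check) { Write-Warning "$check is false; revisit the matching step above." }
}
```

The report lists every identity with Enroll on the template, not just the RCS account, which is worth a glance: the duplicated WebServer template inherits the original's permissions, and a Server Authentication template that a broad group can enroll against is a wider exposure than the AMT use case needs.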

On April 3rd, 2010, Steve Jobs presented a renewed tablet computer concept (the iPad, which was not the first tablet computer on the market but was one that had great success), triggering a new kind of personal computer system that complements the traditional form factors (e.g. desktops and notebooks) used by knowledge workers in corporate environments, or even replaces them in some cases. A tablet is an excellent form factor for consuming information, but it lacks the ergonomic qualities for producing content that a physical QWERTY keyboard and a larger display provide.


The computer industry is investing in several form factors to reinvigorate personal computer systems with exciting designs: Ultrabooks, convertible designs, touch screens, tablets, tablets with a sliding QWERTY keyboard, and multiple docking station capabilities. In this new world of mobility and thin designs, it looks as though the RJ45 interface has become antiquated. For business, however, the wired interface is still predominant in most organizations, and a lot of investment has been made in this medium for security and manageability. So how can Intel vPro devices be managed seamlessly, independently of form factor and connectivity medium (i.e. wired or wireless)?



Some Ultrabooks, such as the Lenovo ThinkPad X1, arrive without an embedded Ethernet port, only with an RJ45 dongle that provides wired connectivity for the operating system; however, the dongle does not work for OOB (i.e. the Intel ME).


The absence of an integrated Ethernet interface limits some use cases for devices in this category. For example, Host-based Configuration (HBC) is the only remote setup and configuration method supported, and user consent is required for healing scenarios such as KVM or IDE-R; fortunately, in most cases these limitations fit well with mobile use models. Admin Control Mode can only be achieved by configuring locally in Small and Medium Business (SMB) mode, which can be undesirable in an enterprise environment because of the manual labor required for configuration.


System Defense, which is enabled by McAfee ePO Deep Command for example, will not be available on WLAN-only systems for security reasons. Basically, HBC transfers IT admin authentication to the user, which is why in HBC user consent is needed for each remote operation. For System Defense, however, there is no user consent step to switch it on, which is why System Defense is turned off in HBC.


For a wireless-only device to be managed OOB with Intel vPro technology, the Intel ME must be at version 8.1, and the wireless driver must be updated to 15.3 (for Windows 7) or 15.5 (for Windows 8) for correct operation.


For further details on creating a profile for a wireless environment, read my prior blog post "Managing Intel® vPro™ Technology clients in a wireless environment", where I discuss some basic configurations and lessons learned in this kind of environment.


Some management consoles, such as Microsoft System Center 2007 or 2012, use PKI-based provisioning, which puts the machine into Admin Control Mode and is not supported for wireless-only devices. In these cases, Intel Setup and Configuration Service 8.1 (Intel SCS) can be used for provisioning and configuration, following these instructions.


To provide better service for "road warriors", you can provide a full set of capabilities, including Fast Call For Help (FCFH), which allows users outside the corporate firewall to get support from a help desk technician, even OOB. The Intel vPro configuration profile offers detailed provisioning options; shown below is an example of a complete wireless configuration:



  • Active Directory Integration is required if the corporate wireless network requires 802.1x authentication;
  • Access Control List (ACL), required to specify the users/groups and their permissions (i.e. authorization) in the Intel ME;
  • Home Domains, used to determine whether the machine is inside or outside the corporate network based on the DNS suffix received via DHCP; this definition is important for enabling FCFH when the machine is outside the corporate perimeter;
  • Remote Access, which specifies the address of the Intel vPro Gateway (formerly the Management Presence Server) and requires a server configured in the corporate DMZ; read further details in the Intel AMT SDK;
  • WiFi connection, which defines the configuration and profiles for the OOB connection; with Intel PROSet, these profiles can be populated by users when they are added to a PROSet profile.

 

For further details on each of these sections, read Intel SCS 8.1 documentation available on the Intel website.


Following these instructions and guidelines, you will be able to integrate these new categories of managed form factors with your current management console and allow seamless management.


Comment below with any questions – I would be more than happy to provide further details.


Best Regards!

Hi

 

Some new vPro platforms heading our way in 2013 may not have a LAN port on board, so only WLAN will be available. This configuration of course implies that Intel AMT will connect via WLAN only.

 

In general, LAN-less platforms are becoming common in the emerging Ultrabook segment, as Ultrabook requirements put limitations on traditional LAN solutions in both power consumption and physical size. While LAN solutions are evolving to handle those new requirements (LAN is still the most reliable and fastest communication method in wide use), there are vPro Ultrabooks with WLAN only, and more platforms are anticipated.

 

Most capabilities of the vPro platform are available on WLAN-only systems, including the security use cases and the majority of the automation use cases. I would like to take this opportunity to remind the AMT IT manager of the key differences between LAN and WLAN in terms of AMT usage:

  • Provisioning:
    • Host-based Configuration (HBC) is the only remote Setup and Configuration method supported over WLAN.**
    • HBC over WLAN puts the AMT into Client Control Mode, in which user consent is required for healing scenarios (e.g. KVM or IDE-R). User presence for some of these use cases does fit well with the mobile Ultrabook use models, but it is still a limitation to consider.
    • Note that provisioning the AMT for Admin Control Mode is still available through local provisioning.
  • The vPro capability "System Defense", enabled by ecosystem solutions like McAfee ePO Deep Command, will not function on WLAN-only systems.

 

** Note: Using a docking station that makes AMT available through Intel LAN is not considered WLAN-only as long as the system is docked.

The Intel® vPro™ platform helps companies efficiently manage their enterprise client resources. Two new business success stories show how companies are making the most of it:

 

You can find more real-world business success stories like these on Intel.com and iTunes. And to keep up to date on the latest business success stories, be sure to follow ReferenceRoom on Twitter.
