Blog Posts From Tagged With vpro_expert_center

Managing Intel vPro Ultrabooks and Tablets in wireless network only

webadmin@intel.com — Sat, 12 Jan 2013 23:34:19 GMT

On April 3rd, 2010 Steve Jobs showed this renewed computer tablet concept (i.e. iPad, which was not the first tablet computer available in the market, but was one that had great success), triggering a new kind of personal computer system that complements traditional form factors (e.g. desktops and notebooks) used by knowledge workers in corporate environment or even replace the workers in some cases. In fact, a tablet design is an excellent form factor to consume information, but it lacks ergonomic qualities to produce content with a physical QWERT keyboard larger display screen.

The computer industry is investing in several form factors in order to reinvigorate personalcomputer systems with exciting designs: Ultrabook, convertibles designs, touch screens, tablets, tablets with slide QWERT keyboard, multiples dock station capabilities. And in this new World of mobility and thin design, looks that RJ45 interface has become antiquated. For business, wired interface still predominant in most organizations and lot investments were made in this media for security and manageability and how to manage seamless Intel vPro devices, independently of form factor and connectivity medium (i.e. wired or wireless)?

Some Ultrabooks, such as Lenovo ThinkPad X1, arrived without an embedded Ethernet port, only with a dongle RJ45 interface that can provide wired connectivity for Operating System, however it doesn’t work for OOB (i.e. Intel ME).

The absence of an integrated Ethernet interface in these devices limits some use cases for devices of this category. E.g. Host-based Configuration (aka. HBC) is the only remote Setup and Configuration method supported, user consent is required for healing scenarios such as KVM or IDE-R, but fortunately, these limitations in most cases fits well with mobile use models. Admin Control mode can be achieved only configuring locally in Small and Business Mode (SMB), which for enterprise environment can be undesirable due to the required manual labor for configuration.

System Defense, that is enabled by McAfee ePo Deep Command for example, will not be available in WLAN-only systems for security reasons – basically, HBC transfers IT admin authentication to users, that is the reason that in HBC, for each remote operation, user consent is needed. However, for System Defense, there is no reason for user consent to switch on, that is the reason that System Defense is turned off in HBC.

For a wireless-only device be managed OOB with Intel vPro technology, it’s required that Intel ME be in 8.1 version and Wireless driver 15.3 (for Windows 7) and 15.5 (for Windows 8) have been updated for a correct operation.

For further details on creating a profile for wireless environment, read my priorblog post about “Managing Intel® vPro™ Technology clients in a wireless environment” where I discuss some basic configurations and lessons learned in this kind of environment.

Some management consoles such as Microsoft System Center 2007 or 2012, use the concept of provisioning using PKI that set the machine in Admin Control Mode that is not supported for wireless-only devices. So for these cases, Intel Setup and Configuration Services 8.1 (aka. Intel SCS) can be used for provisioning and configuring, following these instructions.

In order to provide better service for “road warriors” you can provided a full set of capabilities, including Fast Call For Help (aka. FCFH). This allows users outside of a corporate firewall to have support from a help desk technician even OOB. Intel vPro configuration profile provides detailed possibilities for provisioning as showed an example of a complete wireless configuration option:

Active Directory Integration is required if corporate wireless network requires 802.1x authentication;
Access Control List (ACL) that is required in order to specify users/groups for permissions (i.e. authorization) in Intel ME;
Home Domains used to specify when machine is inside or outside corporate network based on suffix DNS received by DHCP - this definition is important to enable FCFH when machine is outside corporate perimeter;
Remote Access specify address for Intel vPro Gateway (former Management Presence Server) and requires server configuration in corporate DMZ - read further details in Intel AMT SDK;
Wifi connection defines configuration and profiles for OOB connection and with Intel PROSet there profiles can be populated by users when added into PROSet profile.

For further details on each of these sections, read Intel SCS 8.1 documentation available on the Intel website.

Following these instructions and guidelines, you will be able to integrate these new categories of managed form factor with actual management console and allow seamless management.

Comment below with any questions – I would be more than happy to provide further details.

Best Regards!

Configuring Intel vPro with Linux in Admin Control Mode

webadmin@intel.com — Mon, 13 Feb 2012 17:30:03 GMT

If you have been following along, this will be the third in a series of posts regarding Intel vPro configuration with Linux. Our first post was about Intel Setup and Configuration Service 7.2 (a special version designed for Linux users). Following that, we wrote in our second post about configuring vPro with Linux in User Control Mode. Now, this post will explain how to configure in Admin Control Mode, i.e. no user consent required, that is the desired mode for most of embedded usage modes such as ATMs, Kiosks and Digital Signage.

Now, I’ll describe how to configure a Linux machine using Intel SCS 7.2 in admin control mode – This means the administrator doesn’t need user consent to access the remote control operations.

(Tux, the Linux Penguin, is copyrighted by Larry Ewing and Simon Budig (penguin-variant.sk also by Anja Gerwinski). Used with permission.)

Creating Profile

In order to configure Intel® vPro™ it is required that we supply the system with information about how all of the tools should behave, such as: WebUI, IDE-R, KVM, security authentication and authorizations, network connectivity, etc. The way we accomplish it with Linux is the same as with Windows machines: you should use Intel SCS 7.1 console to create profile and export it to .xml file as demonstrated in my previous post. However, there is a direct way to make a basic configuration only using ACUConfig and command line parameters as I have demonstrated in this video, where I also decided to make this configuration using static IP.

Best Regards!

Configuring Intel vPro with Linux in User Control Mode

webadmin@intel.com — Thu, 19 Jan 2012 21:54:00 GMT

This is the second post about configuring Intel vPro with Linux, the first post was about Intel Setup and Configuration Service 7.2 that is a special version designed for Linux users, actually only supported on SUSE Linux Enterprise Desktop (SLED) 11 SP1, 64bits.

Now, I’ll describe how to configure a Linux machine using Intel SCS 7.2 for Host-based configuration. The very first step is to install the required drivers and services in order to allow the ACUConfig (i.e. a utility that is part of Intel SCS) to communicate with the Intel ME for locally provisioning the Linux machine.

Intel Management Engine Interface:

It’s a driver that must be installed that allows applications to access the Management Engine firmware via the host interface. Messages from the Intel MEI driver are sent to the systems log (i.e. /var/log/messages). Once the Intel MEI driver is running, an application can open a file to it, connect to an application on the firmware side, and send and receive messages to that application.

Click here to download the MEI driver. If you are using a SLED 11 SP1 64bits you only need extract the content of this package and install it using the RPM with root privileges:

linux:#rpm –i mei-7.1.20.25.x86_64.rpm

There isn’t a console output showing that installation succeeded.

Intel Local Manageability Service:

The Local Manageability Services (aka. LMS) allow applications, such as ACUconfig, to access the ME firmware via the Management Engine Interface. The LMs is dependent on the MEI driver, so the MEI driver should be installed prior to LMS installations. As the majority of Linux services, LMS runs as a daemon and messages from the service will be sent to syslog. Once the LMS is running, it listens for incoming connection requests on the following ports:

Port 16992 for SOAP and WS-Management requests.
Port 623 for WS-Management requests.

Click here to download the LMS Service. If you are using a SLED 11 SP1 64bits you only need extract the content of this package and install it using the RPM with root privileges:

linux:#rpm –i lms-7.1.20.25.x86_64.rpm

You should receive a message in the console about the status of installation and service.

Using ACUConfig

Now that your Linux is ready for host-based configuration, you can test and check the status of your vPro machine using ACUConfig using syntax like this:

linux-8xff:/home/bruno/Downloads/IntelAMTSCS/Executables # ./ACUConfig -Output console Status Starting log 2011-12-27 19:23:42

: Retrieving machine status...

Host information-

UUID- 0EC7E5D1-32B8-11E1-B45E-A484BF0CC0AD

Intel(R) AMT version- 7.1.3

The system is unconfigured.

The system TLS setup is using PKI.

The system supports host-based configuration.

AMT state- Pre-Provision(0)

***********

Exit with code 0 - The requested operation completed successfully.

Note in this output that the system is unconfigured and that supports host-based configuration.

Creating Profile

In order to configure Intel® vPro™ it is required that we supply information about how the machine behaves such as: WebUI, IDE-R, KVM, security authentication and authorizations, network connectivity, etc. The way that we accomplish it with Linux is the same with Windows machines: you should use Intel SCS 7.1 console to create the profile and export to .xml file.

This process is fully documented in Intel SCS 7.1 documentation folder.

Provisioning

The provisioning process is very similar with Windows ACUConfig version as you can in this video:

At this point, we are able to manage an Intel vPro machine in User Control Mode.

Best Regards!

Demystifying VeriSign certificates for Intel® vPro™ activation

webadmin@intel.com — Tue, 20 Dec 2011 17:44:00 GMT

There are several ways to configure an Intel® vPro™ machine and the most popular among corporate companies is the Zero Touch configuration method, which is based on PKI. You must issue a certificate for a provisioning server in order to establish a trusted relationship between the provisioning server and the ME. VeriSign is one company that can provide a certificate for this.

Since the launch of Intel® vPro™ in 2006, VeriSign has made some changes to their products. Rather than issuing certificates from G1 and G3 roots in their Secure Site (Standard SSL) and Secure Site Pro (Premium SSL) SKUs, these products now issue certificates of different roots. Unfortunately, Intel ME is firmware and updating the list of root certificate authorities is not as easy as it is in an operating system. Updating this list in the Intel ME will instead require a firmware upgrade.

If you have different Intel® vPro™ generations in your environment, you are most likely looking for a solution that uses the least common denominator like we have displayed in this table:

Firmware version	VeriSign Hash
2.x	G1 and G3
2.6.20	G1, G2 and G3
3.x	G1 and G3
3.2.10	G1, G2 and G3
4.x	G1 and G3
4.2.x	G1, G2 and G3
5.x	G1 and G3
5.1.10	G1, G2 and G3
2.6.40	G1, G2, G3 and G5
4.2.30	G1, G2, G3 and G5
5.2.30	G1, G2, G3 and G5
6.x	G1, G2 and G3
6.1	G1, G2, G3 and G5
7.x	G1, G2, G3 and G5

As you can see, the latest version of each firmware generation is accompanied with a complete list of trusted roots.

However, a problem occurs if you have multiple versions of vPro but are only able to use one certificate for provisioning server (and cannot issue a certificate from G1 or G3 anymore). Fortunately, in order to avoid interoperability issues with legacy browsers, VeriSign makes a cross-signed of VeriSign Class 3 PPCA-G5 with Class 3 PPCA (G1.3). This is called Secure Site Pro, creating a cross certificate as shown in this diagram:

Usually, OpenSSL libraries use a PEM file format when building the trust chain in order to validate the certificate. We can statically define the trusted certificates that we would like to use in this chain. Microsoft has some wrapper code available to build the PEM list of certificates and, in this particular case, Windows has 3 possible root certificates to be used. All three are equally valid and Windows built the trusted chain using the shortest chain, i.e. VeriSign "G5" Class 3 PCA Root or VeriSign "G1.5" Class 3 PCA Root, both of which are not present in some old ME firmware. When you install the certificate, without any modification you see the root certificate VeriSign "G5" Class 3 PCA Root as shown here:

In order to force Windows to build the trusted chain up to VeriSign Class 3 Primary CA - G1, we have to eliminate VeriSign "G5" Class 3 PCA Root and VeriSign "G1.5" Class 3 PCA Root from the Root folder (or at least disable Client Authentication and Server Authentication from the purpose list of these certificates).

Without these two certificates, the only valid chain will be with VeriSign Class 3 Primary CA - G1. That chain is present in every ME firmware version, since the first version, i.e. 2.0 through 7.1 - See below:

Now you don’t have to be concerned about these VeriSign certificate issues with your Intel vPro versions, just follow the instructions presented in this document and have yourself a happy vPro configuration.

Intel Setup and Configuration Service 7.2: Designed for Linux

webadmin@intel.com — Thu, 03 Nov 2011 14:21:26 GMT

This post is the first in a series about configuring Intel vPro with the Linux operating system. The motivation for this series is that Intel vPro has been adopted for embedded systems such as ATMs, Digital Signage, Kiosks, etc. and the knowledge to do it is almost tribal. In this post, I would like to introduce the Intel SCS 7.2 that was tailor made for Linux and the following posts I’ll demonstrate how do it with more details.

As I mentioned, Intel® Setup and Configuration Service 7.2 (aka SCS 7.2) is a special version designed for the Linux operating system on an Intel vPro machine. However, the capability presented in this version is not the same that is present in Intel SCS 7.1, which is designed for the Windows operating system. Intel SCS 7.2 brings only these two components:

Configurator (aka. ACUConfig): A command-line application that runs locally on the Intel AMT system. You can use this tool to configure the system using an XML file (i.e. Host Base Configuration) or Manual configuration through a USB key.

Configuration Profiles: XML files that contain configuration settings for the Intel AMT devices.

However, these components are more than enough to cover most usage cases:

- Desktops running Linux where you want user consent with remote operations such as KVM;

- Embedded Devices that are in a staging area to be completely prepared before deployment; the configuration can be performed by a USB key (i.e. manually);

At this stage, this version only works with Intel vPro with firmware version 7.1.2 (or later) and Intel SCS was tested only on SUSE Linux Enterprise Desktop (SLED) 11 Service Pack 1, however there are no reasons for it to not work with different Linux flavors.

Requirements:

In order to create the Configuration Profiles (i.e. XML files), you will need the ACU Wizard found in Intel SCS 7.1 under ACU_Wizard folder (it requires a Windows machine to execute it).

In order to bridge the communication between the Intel ME (aka. vPro firmware) and Linux OS, there are two components required: Intel® Management Engine Interface (Intel MEI) driver and Local Management Service (Intel LMS) driver. Intel® MEI driver allows application, such as ACUConfig, communicate with the firmware using host interface, and LMS driver allows applications to access the Intel® ME via local Intel® MEI.

If you are not using a Linux kernel version 3.0 or later, you should install these drivers that can be downloaded here.

In the next blog I’ll show you how configure an Intel® vPro machine running Linux in Admin Control mode using manual configuration (i.e. USB key).

For further information about how to enable Linux for Intel® vPro, read this document.

Best Regards!

Intel vPro provisioning with static IP

webadmin@intel.com — Tue, 01 Nov 2011 01:03:55 GMT

***************

All Intel-provided code snippets in or attached to this blog are provided under the BSD License unless otherwise specified.

Any user submitted code or materials posted on this blog is supplied under license from the submitter, and should be used or downloaded in accordance with any license terms specified. Intel is not responsible for user submitted code nor warrants that it will work correctly. If no license is provided, you should contact the submitter.

****************

Since Intel vPro launched in 2006, there are lots of questions about how configure a vPro device that is using static IP. I’ll try demystifying and explain how vPro TCP/IP stack works and what you can and can’t do. I’ll also bring to your attention some best practices to make these procedures easier and less susceptible to manual error.

First of all, we need to understand the relationship between Host and Intel Management Engine (aka Intel ME) TCP/IP stack: Before ME 4.0, the OEM had the ability to set a different MAC address to the ME and host. In such a case, they should also use different IPs and this mode was called "dedicated MAC". The consequences of this approach is that usually, in a regular infrastructure you should also use the different names in order to avoid mismatching in DNS and risk having the machine inaccessible while switching NIC ownership between the Host and ME.

However, in "Shared MAC," available since ME 4.0 (where ME dedicated MAC was left “FF"), ME uses the host MAC, hence, in DHCP they must have the same name and in static IP they may still use the same IP address or different, but if using different IP address, must use also different names.

There are several situations where static IP is required such as ATMs, Kiosks, Digital Signage and several embedded devices or even legacy network infrastructure. For those, manual configuration into the MEBx is error susceptible. For some cases, including PCs with ME 6.2 and beyond, exists Host Base Configuration (aka HBC) in order to accomplish this task without external infrastructure dependencies or requirements to pass a long IP parameter string based on the host operating system. However, HBC configures the machine in Client Control Mode, and it’s mandatory due security reasons. At least for most embedded devices, such as ATMs, Kiosks and Digital Signage, where we don’t have a regular user that we can send the consent request, it’s a show stopper.

A possible approach to overcome manual entry configuration is to use a USB key created by USBfile.exe that can be found in the Intel AMT SDK or ACUConfig.exe found in Intel Setup and Configuration Service 7.x (aka Intel SCS 7.x), but both tools require that IP parameters (i.e. IP address, network mask, default gateway and DNS servers) be passed by command line and is also error susceptible.

A possible solution for these situations is to use a Visual Basic script that basically captures IP parameters from Windows and creates the USB key previously attached to the machine’s USB interface, and then automatically reboots to configure the ME with the same IP address of host. I developed this script that can be downloaded here (i.e. provisionUSB.vbs).

If you would like to configure a vPro machine using Kerberos (i.e. with Active Directory integration) or issue a TLS certificate (usually required by highly secure environments), you will need to use the Remote Configuration Server (aka RCS) found in Intel SCS 7.x. In this situation, the principle of capturing IP parameters and the USB key is the same as the previous case, but now requires a PSK exchange with RCS that will be used for ME and RCS communication to conclude the configuration. I just developed a script (called provision.vbs) based on SCS 7.1 (fail with SCS 7.0) that automates these tasks and is demonstrated in this video:

At this point, there are some requirements and known issues with these scripts as listed:

All IP parameters must be present in Windows Host (i.e. IP address, Subnet mask, default gateway, and primary and secondary DNS);
ACUConfig.exe, ACU.dll and xerces-c_2_8.dll found in Intel SCS package should be placed in the same script directory;
Tested only on ME 7.0
You need to define in script which NIC adapter is the ME interface (onboard) to capture the correct IP address parameters, look for this line:

("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE Description = 'Intel(R) 82579LM Gigabit Network Connection' and IPEnabled = TRUE")

And replace the Description with description that showed in an ipconfig command line.

For further details, just execute the script in command line instead of windows interface:

C:\>cscript provisionUSB –or- C:\>cscript provision.vbs

Please, let me know if you find any issue or suggestions that are not covered in this version.

Best Regards!

Managing Intel® vPro™ Technology clients in a wireless environment

webadmin@intel.com — Mon, 11 Jul 2011 16:27:27 GMT

There is no doubt that wireless networks are widely used by many companies, and, for some, it’s the only media available (that is, there is no wired connection). Wireless-only work environments are becoming more frequent nowadays for many reason: 1) it’s the cheapest connection technology if compared with traditional wired networks that require switch ports, cables, etc.; 2) office lay-out reconfiguration is much easier without the cables; and 3) wireless networks can be more secure than similar wired networks at least for most enterprise implementations where the IEEE 802.1x protocol is the de facto standard for the wireless networks.

There are several options to configure an 802.1x protected wireless network, however, the most common methods are called EAP-TLS (certificate-based) and EAP-PEAP (computer account based). Intel® vPro™ Technology based clients should be configured to work in an 802.1x environment in order to get out of band access to the corporate network and be remotely managed using Intel Active Management Technology (Intel AMT).

Intel™ vPro™ Technology clients in 802.1x wireless networks require Microsoft* Active Directory integration and a RADIUS server (for example, Microsoft* IAS) that will bridge the authentication from the client to Active Directory through an 802.1x capable switch.

Figure 1 – Intel® SCS 802.1x profile configuration

EAP-* protocol requires a cryptographic session to be established in order to send the credentials, and uses the certificate issued to RADIUS server to create a TLS session between client and the RADIUS server. The Intel® vPro™ Technology client receives the Trusted Root Certificates list during setup and configuration and records the certificate into Intel® ME flash memory. Figure 1 shows the Intel Setup and Configuration Service (Intel SCS) wizard used to select the “Trusted Root Certificate” during setup and configuration stage.

If EAP-TLS is selected, you must also pick the certificate authority that will be used to issue the 802.1x certificates and select the desired template. During the setup and configuration phase, the Intel Remote Configuration Service (Intel RCS) will act as proxy, requesting the certificate in name of Intel® vPro™ Technology client.

In addition to the how-to configuration steps listed above, there are two points that you should consider when planning your Intel® vPro™ Technology configuration that can differ from your regular desktop configuration:

Certificates
Network Speed

Certificates

There are some limitations on certificate length as described in Table 1.

Table 1 – Intel® AMT PKI certificate length limitations

The most common issue that I found in the field with certificates is when the root certificate authority uses certificates greater than 2048 bits (i.e. 4096 bits). When the key length is too long, instead of getting a failed provisioning status, the client is shown as “configured” but unable to authenticate against the RADIUS server. If you look into the Intel SCS log, you will see an ERROR shown in Figure 2.

Figure 02 – Intel® SCS log showing the certificate update error

Unfortunately, there is not an easy workaround for this problem. You can take two different approaches here:

Reissue the root CA with a smaller certificate length. In this case, the certificate authority will handle two CRLs, one for previous root CA that will be revoked (for our example, the certificate with the 4096 bit length), and one for new certificate. This is the recommended approach if you use PKI for SMIME of file encryption, because these usage models usually require CRL checking for longer periods.

Install a second root CA. This approach is intended to be used as part of a migration strategy: instead of administering two CRLs, you can reissue the client certificates using GPO and, after some period, you can just decommission the old CA. This method is not recommended if you use SMIME, file encryption, etc.

Network Speed

Usually, for compatibility reason, you can configure wireless network to allow for speed negotiation, but there are also situations where you don’t want to allow speed negotiation. The main reason to limit speed negotiation is to reduce the wireless coverage range to limit it to a single room or auditorium. If, in this case, you configure the access point to accept only the G or N speed networks, you will have a problem with using Intel® vPro™ Technology, because the the maximum out-of-band speed for the Intel ME is 40 Mbps (which is too slow for the G or N network speeds).

What’s Next

In a future post, I’ll discuss about how to manage Intel® vPro™ Technology in a public wireless environment, and behind a NAT using Fast Call for Help (aka. Client Initiated Remote Access or CIRA).

Best Regards!

AMT Power Policies

webadmin@intel.com — Wed, 31 Mar 2010 17:58:48 GMT

What is a power policy? In short it’s a policy of when (or not) the manageability engine (ME) should be happily humming away. It’s important because there may be times you may not want the ME to be running. For example, you don’t want the ME running while your laptop is powered off and not plugged in (otherwise you’d wonder why your battery is always dead).

AMT has had many different options for power policies over the years (I think the AMT 4.0/5.0 generations had the most options, something like 5 on desktop and 7 on mobile). For AMT 6.0, we’re down to two (so much easier!).

They look something like this:
MEBx > ME General Settings > Power Control > Intel ME ON in Host Sleep States (this is kind of a mouthful).
[ ] Mobile: On in S0
[*] Mobile: On in S0, ME Wake in S3, S4-5 (AC only)

Raise your hand if that makes sense to you... Anyone? If you find yourself asked what is S0/S3/S4-5 you’re probably not alone. These map to ACPI system states (you can read about them here: http://en.wikipedia.org/wiki/Advanced_Configuration_and_Power_Interface )

In reality we really only care about a few states:
- S0 – The system is powered on
- S3 – The system is sleeping
- S4 – The system has hibernated
- S5 – The system is off
- G3 – There is no power (unplugged, and battery removed if mobile)

So now, looking at the second option, we have:
ME is ON is S0 (on when the system is powered up)
ME wake in S3/S4/S5 (AC Only) (The ME is running if the system is sleeping, hibernated, or off but only if plugged in as to not drain your battery).

But what is this ME Wake?

Well the ME has its own internal power states. Basically a high power mode and a low power mode. When you are doing management stuff (KVM sessions/Getting inventory/etc) the ME is running at full speed. If you are not using the ME it can go to sleep on its own (you can configure this in the MEBx with the “Idle Timeout” settings). This mode tells the ME to go to sleep if your machine is in a lower power state which helps to save energy. In this mode then ME will ‘wake’ when it receives manageability traffic.

Each of these power policies has a unique ID configured (these have changed from generation to generation). If you are using an older setup and configuration server you may see an error when setting the power policy (depends on how the setup and configuration server sets the policy). Using the latest configuration servers and/or ISV software is always the best practice.

Thanks

--Richard

Intel AMT in 10 minutes with the Manageability Developer Tool Kit

webadmin@intel.com — Tue, 23 Feb 2010 17:45:30 GMT

For those who have been using Intel AMT in the past you may be familiar with the AMT DTK. This is a tool kit (with source code!) that contains several applications that cover vPro functionality. It’s been on hiatus for about a year since the last public release but the latest release was a couple weeks ago. Over the last year there have been many updates to the tools (IPv6 support, ability to set KVM settings, etc). You can see the full list of updates and download the binaries (or source code if you want to play) from here: http://software.intel.com/en-us/articles/download-the-latest-version-of-manageability-developer-tool-kit/

Now, let’s say that you are new to vPro, or you want to quickly play around with some of the new features of vPro. The good news is you can do this in about 10 minutes!

The first step is to configure AMT in basic mode (this is similar to Small Business Mode in previous generations). Here is how to do that: http://communities.intel.com/community/openportit/vproexpert/blog/2010/02/08/intel-amt-60-where-is-small-business-mode

The second step is to download the DTK (link above) and install the DTK. Once installed you can launch the “Manageability Command Tool” (this needs to be run on a remote machine. It cannot be run on the AMT machine you’re trying to trying to manage)

Select “File | Add | Add Intel(R) AMT Computer”

Enter the IP address or FQDN and your login credentials and you’re good to go!

From here you can click ‘Connect’ and the tool will pull up the System’s HW inventory, AMT settings, System defense filters, etc.

Enjoy!

Thanks

--Richard

What's new in the all new 2010 Intel Core vPro processor family

webadmin@intel.com — Mon, 08 Feb 2010 21:55:56 GMT

As part of our efforts to introduce the all new 2010 Intel Core vPro processor family, we put together a series of videos that feature Steve Grobman, Intel's Chieft Architect in our Digital Office Platform Group. He's been on the team that has led the development of Intel vPro technology for the past half decade, and was once in Intel IT's department. The videos also feature Intel's Josh Hilliker - who helps Steve demonstrate the new technologies.

In his first video, Steve talks about the new developments in Intelligent Performance - and he also showcases how Intel Turbo Boost Technology and AES-NI (Advanced Encryption Standard - New Instructions) help improve performance for today's office worker:

In his second video, Steve talks about the new developments in Smart Security - and he also showcases how Intel vPro technology helps disable lost PCs and data, and can also help IT manage encrypted hard drives remotely:

In his third video, Steve talks about the new developments in Cost Saving Manageability - and he also showcases how Intel vPro technology helps IT or IT service providers control an office worker's keyboard-video-mouse (KVM) remotely ... even when the Operating System has blue-screened:

In his fourth video, Steve talks about how small businesses can benefit from Intel vPro technology, and how service providers like AT&T are excited about the all new 2010 Intel Core vPro processor family:

In his last video, Steve talks about how Intel vPro technology is bringing proven results to organizations today:

KVM Remote Control Technical Overview

webadmin@intel.com — Fri, 05 Feb 2010 17:47:50 GMT

Hello Again!
I wanted to give a quick technical overview of KVM Remote.

What is KVM?
I assume that everyone here knows what KVM is. No? Alrighty then. KVM is really an acronym that stands for Keyboard-Video-Mouse. Basically it’s a generic term for allowing one computer to see what is on the screen of another computer and to be able to interact (via keyboard and mouse) as though someone were sitting at that computer. There are different reasons why you might want to use a KVM. For example let’s say you have two computers at home and one monitor/keyboard/mouse on your desk. You could use a hardware KVM switch to access one machine at a time (these are fairly inexpensive for 2-4 machines). “That’s nice, but my other computer is in the other room or in another building. I don’t have cables that long, what should I do?” Well I’m glad you asked.
In this case you’ll need a KVM solution that works remotely over a network. Now you have two choices, you can use a software based remote desktop product or a hardware KVM solution (these are often called IP-KVM solutions). I use a 3rd party hardware KVM in my lab to connect many machine to my monitor when I do testing. It works great! (the down side is that the cost per connection is very high, in my case it’s well over $100/connection!). Software solutions also work well... Well, I guess it’s better to say that a software solution works well as long as everything else on the system is working well. With a software solution you can’t do things like reboot, change BIOS settings, or work in safe mode (without networking). If only there was an inexpensive hardware solution that was built into all your platforms. Voila! Enter KVM remote control stage left.

(after all that rambling I just realized there is a wikipedia article on it. Of course there is. If everything I said made no sense at all, try this: http://en.wikipedia.org/wiki/KVM_switch )

Architecture

Ok, on to what you’re really here for, the Intel KMV Remote Control high level architecture (i.e. how it works).

When you look at your screen you’ll see lot of different objects (in my case I have a word processor running, a couple web browsers, etc). These objects will be layered on each and your operating system will figure which is on top and what to display. The OS will collect all these objects, figure out what is visible and what is not and push all that data down to what is called a framebuffer. The framebuffer is effectively the memory that your video card sends out to the monitor. Basically it’s the last stop. Since the manageability engine (the little processor that runs AMT) can access this memory we can package it up and send it out to a remote computer so an IT administrator can see exactly what is on the user’s screen.
When a KVM session is initiated the manageability engine will make a copy of the current framebuffer and send it to a remote viewer. After that it will compare the current frame buffer to the cache. The comparison is done in 64x64 pixel tiles left to right, top to bottom. If there are any differences between the two the manageability engine will update its cache with the new tile and send out the tile to the viewer (at this point there may be other functions performed on the tile such as compression and encryption before its sent).

Protocol
The protocol that is used to transport the data is the Remote Frame Buffer protocol (You can find out more info and download the specs from here: http://en.wikipedia.org/wiki/RFB). The nice thing about the RFB protocol is that it’s been around for a long time. The v3.3 revision of the protocol came out in 1998. Since it’s been around for so long you can find viewers for pretty much any platform (Windows, Linux, Unix, MacOS, there are even iPhone viewers! Have I mentioned I love wikipedia? Here is a table of various remote desktop viewers: http://en.wikipedia.org/wiki/Comparison_of_remote_desktop_software).
So now that we’ve talked about how the video gets from the client to the viewer, how does the mouse and keyboard make it? When a connection is established a virtual USB keyboard and mouse is ‘plugged in’ to the client (you’ll see new devices appear in device manager once a session is established). Keyboard commands and mouse movements (and clicks) are sent to the manageability engine. The manageability engine will send those commands to the virtual USB devices and thus the OS.

Security
Now let’s talk about security. When a session is initiated the client will show a user consent form. The user consent form is placed directly into the framebuffer (this protects the user consent code from being detected by malware and helps to protect from unauthorized access. It also allows the user consent screen to be seen when it normally wouldn’t be seen such as when running on non-graphical OS like DOS). The user consent code is read to the IT administrator that is connecting to the system and the IT admin is able to connect. Once connected there is a 1 pixel red border around the screen and a blinking icon in the upper right corner of the screen. The client system can be configured to use TLS for encryption just like other AMT connections.

That’s mostly it from a high level. Thanks for reading!

--Richard

Intel AMT 6.0 New Features

webadmin@intel.com — Thu, 04 Feb 2010 16:54:19 GMT

Hello everyone!

I’m a bit new here, well new to blogging, not new to Intel (I’m coming up on 13 years). I’ve spent the last year working with Intel AMT 6.0 and I wanted to write up a quick article on some of the new features that are included with AMT 6.0.

Every new platform has an array of different features. Our 2010 platforms are no exception with newer video, fancy CPU’s. AMT is my domain. If there is enough interest I’ll write up some more detailed articles on these different features. But enough jibber jabber, let’s get to the features!

IPv6

New for AMT 6.0 is support for IPv6. If you just said to yourself “IPv –what??” then I’d recommend checking out the IPv6 page on Wikipedia (http://en.wikipedia.org/wiki/IPv6). In a nutshell the world is running out of IPv4 address (most of the internet currently running on IPv4) and IPv6 helps to solve this issue by moving from 32bit to 128bit address.
“Why do I care?”, well I’m glad you asked. IPv6 isn’t very wide spread right now. Microsoft has started to include IPv6 support in their OS’s that enabled by default (Vista and Win7 support it out of the box, Windows XP can support it) and there are many Linux distributions that support IPv6. In order to use AMT with IPv6 you’ll need an IPv6 compatible network and a remote management console that supports IPv6. Unfortunately these are few and far between right now. The good news is that as more IPv6 support becomes available and more management console vendors start implementing IPv6 AMT will be ready! I like to look at it as future-proofing (hmm... I probably can’t actually say “future-proofing” with our lawyers, let me rephrase that to “future-resilient”).

Fast Call for Help over wireless
I don’t have too much to say on this, basically if you’ve used Fast Call for Help (also known as CIRA in some circles) you’ve been limited to wired only connects. This has been updated to work over the wireless interface as well!
While it sounds simple to add in this functionality there is a lot of work that goes into the backend to make this happen. The big difference is now Intel PROSet (our wireless management software) can push wireless profiles down to the Manageability Engine. The advantage you get here is that Fast Call for Help can work from, say, your wireless access point at home (without the need to manually enter all your wireless settings into AMT).

Alarm Clock
I like the analogy here. You set an alarm and your computer wakes up. In short that is the feature! I can probably explain this better with examples. Let’s say that you run a call center or a school. You have employees and/or students that arrive at 8:00am in the morning to start using their computers. With alarm clock, you can configure those PC to power on at a specific time (in this example we’ll set them for 7:55am). People arrive and their PCs are ready! Another method could be remote patching. You could schedule a wake up every day at 2:00am that checks for SW updates then shuts back down.

KVM Remote Control
Ok, I’ve saved the best for last. As I said above, I’ve been working with AMT 6.0 for the last year. KVM Remote Control is my favorite feature. Raise your hand if you’ve used remote control software before (Remote Desktop, VNC, etc...). Everyone?!?! Wow!
Now for the trick question; how many people have done a reboot, editing some BIOS settings, and booted back up to the OS all remotely and all using a remote control solution? (I’ve noticed everyone that doesn’t have an expensive hardware solution has put their hands down). Better yet, how many IT folks have gotten a call from a user complaining that their PC has a blue screen AND THEN could connect to the machine and see the blue screen remotely? Intel’s KVM Remote Control will let me do just that! It’s a HW based implementation that doesn’t require any interaction (or drivers) in the OS to function. Not only that, but the protocol that we use is the Remote Frame Buffer protocol (this also commonly known as VNC). Since this is an open and widely used standard there are viewers available for TONS of platforms (while I haven’t tried it, there are even viewers for the iPhone).
“But what about my privacy?!?!”, well I’m glad you asked. KVM Remote Control has a few features that help to protect your privacy. The first is what we call the user consent screen. KVM Remote Control can be configured to pop up a screen with a random 6 digit number. This number must be given to the IT person before they can see anything on the screen. Oh, and since this is a hardware based product (remember, I said no OS drivers are required) the user consent screen is inserted into the video buffer in hardware. This makes it invisible to user OS (and any malware that may be running on the system). Another feature (also using the video buffer) is that during a remote control session, the user will see a 1 pixel red board around the screen and a small blinking icon in the upper right corner of the screen. This is to let them know that someone is controlling the system.

If you’re interested in more KVM details I’m planning on writing up another article that goes in more depth on KVM (look for that soon).

These are some of the new features that are available in AMT 6.0. Be sure to check back for additional articles on AMT and new (or old) features.

Thanks

--Richard

vPro Uber Geek breaking it down

webadmin@intel.com — Thu, 28 Jan 2010 23:57:07 GMT

One week without social media really does have an impact

webadmin@intel.com — Mon, 02 Nov 2009 21:49:49 GMT

Over the last week I decided to take a journey, one without social media and interacting with folks online. What I learned is the following:

Took longer to do my job (it’s true!!)
Missed out a few key interactions that would have helped me – it’s true, I am now combing back through to look a few posts – example: Spiceworks just announced a new plug in capability that is leveraging vPro
Realized I was not sharing as much as I could have – I was working on win7 & vPro for SMB, defining the ease of use of both technologies in the 3-5 PC space. I missed sharing this information out to the team and group.
Had a few dialogues around me missing something online – a few folks ping’d me throughout the week if I had seen certain things (from technology to people movement inside Intel)

So why does this matter to vPro? Well, I believe part of the success of realizing your vPro value is to use our community, interact with us on twitter and be a part of the technology adoption and usage. I also realized that usage of our technology is not confined to how we believe it will help you, but also how it will be used in different situations, location’s, and relevant to your business.

If you want to connect with us, here’s who’s on twitter for vPro? Here’s a few accounts.

IntelvPro twitter.com/intelvpro

SmartchickPdx twitter.com/smartchickpdx

Joshprostar twitter.com/joshprostar

I also missed the interactions online that I usually participate in throughout the week.

Call for Topics - Intel vPro

webadmin@intel.com — Mon, 26 Oct 2009 18:40:26 GMT

HI all,

Internally we are cooking up a # of topics that we would like to share from Use Cases, BIOS versions, form factor's, etc.. However we wanted to ask you first as a community, what would you like to hear more on? What piece of vPro do we need to show more?

Let us know.. leave a comment or shoot me an email josh@intel.com.

Thank You

Josh H