Greetings from the trenches! My name is Sandy Wood and I'm a network administrator for the Orange County District Attorney's office in Southern California.

What I do

My primary job is to manage and support our fleet of 950 or so Windows workstations and 30 Windows servers. This covers everything from updating software, performance monitoring, alert management as well as second level Help Desk support.

The tools I use the most in my day to day activities are Microsoft SMS Server 2003 and Microsoft System Center Operations Manager 2007. These tools are indispensable in our daily jobs to keep our systems running smoothly and up to date.

vPro What?

Earlier this year, while attending a Microsoft Management conference, I stopped by the Intel booth and learned about vPro technology. Boy, what an eye opener for a management geek! This could really be system management nirvana! Since we were in the beginning stages of planning for the replacement our entire PC fleet, I called my boss and told him he had to make sure that our next systems had vPro technology. This was going to revolutionize the way we managed our systems from deployment to software updating to day-to-day support.

Why Should You Care?

Well, fast forward to today and we're just beginning to receive our first new systems. Brand, spanking new HP systems with, yes, you guessed it, Vpro with AMT 3.0! Everyone watched while we opened and unpacked the first system box. After my big vPro sales pitch, management was keen to see all the great new bells and whistles that vPro and AMT were sure to bring us. Before I go into just how cool it all worked and how cool I looked doing it, I thought it would be instructive to blog the actual steps (and missteps) I took in planning and deploying AMT in a real world situation, warts and all.

This is why you should care - if you're getting ready to deploy AMT or are just interested in the technology, this may (I hope) offer a glimpse into what it will take to get AMT rolling in your world. Reading the manuals is good and I highly recommend it however, nothing beats a real step by step walk through with real situations to give you a feel for the product and its potential.

What's Next?

The next step for me will be the planning phase. Although most of us love to just get out there and run setup, planning before you deply AMT in your environment will truly pay off for you. AMT has a lot of pieces and features that you're going to want to sit down and do a bit of thinking about before running setup. Trust me; you'll be glad you did.

Well, I'm finishing up my planning and will be back here soon with another installment of Life in the Trenches as I run down just what I did to plan for AMT deployment in my environment.

Stay tuned and as always, your comments and questions are welcome!

Take a look at the latest resource article posted at http://communities.intel.com/docs/DOC-1210

Use the file to generate custom setup.bin files for AMT 2.1, AMT 2.5, and AMT 3.0 systems.

Sometimes the methods for dealing with hostile or infected systems on the network are drastic, resulting in lost productivity, time, and energy. In one example the IT staff would physically shut down the user's main network port, sealing off all production systems, test systems, etc, until the hostile machine could be dealt with. Phone calls results, requiring the user to deal personally with the affected system. Now take Intel AMT's System Defense. Remotely quarantine a hostile system and use Altiris to remediate it. System Defense, it puts the power in the hands of the administrator remotely.

Introduction

System Defense

Use Cases

• Virus attack from an infected vPro client - This cuts off the ability of that virus to send packets out on the network
• Vulnerable vPro clients without anti-virus - Close off the ability of a virus from getting through to the vulnerable system
• Vulnerable vPro clients without critical patches or updates - Quarantine systems, but allow NS to remediate to bring the system up to corporate security standards
• Unauthorized Network use - plug a system that is found participating in unauthorized network use, whether it be unauthorized content, gross use of bandwidth for non-approved purposes, etc...
• For fun - Drive a fellow administrator crazy by applying and removing filters randomly from his computer (Just kidding, don't try this at home, or at work for that matter)

Task Server Integration

Task Server Jobs

1. Apply a System Defense network filter, either the default filter allowing communication to the NS for remediation or a custom filter allowing access to necessary resources
2. Remove a System Defense network filter to open back up general network communication

• The first radial button allows the application of a filter, either a custom or the default, with the added option of enabling anti-spoofing filter
• The second radial button simply applies a PING filter to the target systems
• The third and final radial button removes any filters previous applied to the system

Job Targeting

Filter Configuration

Edit Network Filters Utility

Installation The ENF Utility

1. Windows 2000 Server or Windows 2003 Server
2. .NET 1.1
3. Notification Server 6.0 Sp3
4. At least Real-Time Console Infrastructure 6.2

Using the ENF Utility

The default file is called CBFilters.xml and is found at \Program Files\Altiris\RTSM\UIData\. Other files can be created and used in the System Defense Filtering Tasks. It is configurable per Task or Job instance.

NOTE: If you plan on making changes to the default filter file, it is recommended to browsing to the file and making a copy of it. The copy will be a backup to use in case the default file becomes corrupt through editing or for related recovery options.

The best way to know how to open which ports to enable the access you require is to consult the documentation for the application or mechanism you are trying to work with. For example the Task Server uses ports 50120 through 50124, and these ports need to be opened between the Task Server to be used and the client computer.

Conclusion

This is the third and final part of this series (at least for now). The previous two posts include Basics and Common Intel SCS errors

BEFORE GOING ANY FURTHER - PLEASE READ AND ENSURE THE FOLLOWING
At this point, you have ensured the infrastructure is setup correctly and have attempted to troubleshoot the common Intel SCS errors as listed in the SCSconsole log file. Intel vPro systems are being recognized and listed in the SCSconsole. However, strange or unexpected behavior continues to occur - whether during provisioning, maintenance, or other activities. If Intel SCS has been included in a system management console or a provisioning script provider with whom you are working - AND - further debug analysis is needed, the following points may help. The debug log output may be one of the datapoints requested to replicate and remediate issues.

Before we go on - please note that these steps require modifications to the Microsoft Windows Registry on the system labeled as "ProvisionServer". That system will be running the AMTconfig service. Enabling the debug logging features will require root drive access and space to capture and store the log outputs. The logs will be stored at the root of C:

Ready to create an Intel SCS debug log?
SCS debug logging is off by default. If enabling for troubleshooting purposes, be sure to disable when done troubleshooting. The following steps will require a new registry key and string value to be added. Once these changes have been made - restart the AMTconfig service. At most, two log files will appear on the root of c: drive. The first is scs_win_server.log the second is scs_server.log. The second commonly appears only after errors have occurred.

Create the following registry key on the service's machine:

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\AMTConfServer\Log with string value "LogLevel"="V"

Click on the following image to view the entire image

This blog is divided into 3 sections - understanding the basics, addressing common Intel SCS errors, and how to generate an Intel SCS debug log.

If only solutions were perfect, errors resolved automatically, and tuning was never required nor needed. Then again, that's what many of us get paid to do and handle. The intent here is to focus on common Intel® vPro™ configuration and provisioning errors with Intel Setup and Configuration Services (SCS). More importantly, the article intent is to provide some insight on the correction needed or tasks to handle common errors.

The Basics
Deploying Intel® vPro™ enabled solutions presents many working parts. In a lab environment - these "always" work well. In a production environment, determining the cause of an error could be difficult. Generally speaking, to isolate the scenario take into consideration the management console, the vPro configuration services (e.g. Intel® SCS), the OEM firmware and drivers, and the infrastructure. The lab environment comes in handy to isolate components and aspects, especially when so many variables are present.

In stepping through each item, consider the following basic points:

• OEM hardware and drivers - Check the update page for the latest BIOS and Firmware on the platform. The BIOS update will often include the Intel® AMT firmware. The drivers to be checked are mentioned Management Engine Interface (MEI), Local Management Service (LMS), Serial over LAN (SoL), and User Notification Service (UNS). NOTE: UNS applies to AMT 3.0 and higher versions.

• Intel® SCS version - Don't know what version if running? Check the AMTconfig service properties or version listed in the SCSconsole. More on SCS and AMT versions here. Version 3.2 is the latest. If running version 1.x, an update to version 3.x is recommended. Check first with preferred system management vendor on supported setups, upgrade paths, and so forth.

• Infrastructure - Ensure a ProvisionServer DNS record exists for the target DNS domain, and that this pointer record resolves to the server running AMTconfig (e.g. Intel SCS). Ensure proper resolution of the DNS entry for the FQDN of ProvisionServer (e.g. ProvisionServer.company.com)

• Verbose Logging for SCS events - Within the SCSconsole, access the Change the Log Level to "Verbose" mode. This will log all informational, warning, and error messages and events in the SCS log. This is good to see when a hello packet is received, when the ProvisionServer attempts to provision the target system, and so forth. When changing this setting, you may also want to decrease the log retention level to a few days or shorter timeframe than the default value. Depending on the number of systems managed or attempting to provision, setting the log level to "verbose" may rapidly grow the size of the IntelAMT database.

Image of SCSconsole and setting logging to verbose mode




Image of SCSconsole viewing log events in verbose mode

Over the last year I have worked with our internal IT shop to implement vPro & CentrinoPro into the environment. While that was fun & rewarding, I thought now would be a good time to implement a smaller instance w/ a mix of clients & try out the new Intel System Defense Utility that I put a link on the tool page..

I've currently procured a centrinoPro, vPro(AMT2.x) & working on obtaining a vPro(AMT3.0) box to showcase all use cases & functionality, especially the Remote Configuration feature. What is good to note is that Matt Royer already helped me demonstrate Remote Configuration in San Francisco IDF & it was very nice to watch the out of the box to having the console automatically provision & show the vPro machine. However now the immediate challenge is for me to set this up w/ ISDU & see what use cases I can utilize.

if your on this path as well, let me know. I like to hear how you are using AMT (active management technology).

Cheers. Off to Provisioning....

UPDATE
I updated the BIOS via USB on the CentrinoPro & vPRO machines to ensure latest bios. I will work to get the post up this week on how to create a dos bootable USB stick & the preferences on size of the stick.

I then downloaded the Intel System Defense Utility, then I hard lined the CentrinoPro machine for now as I have not changed my Access Point settings for WPA at this point
(remember i'm doing this in SMB mode).

I then started the scan & was able to see both machines. If you click on link below you will find that I was able to detect both machines. I started first with inventory to show what I could validate from the Machines. Good to note is that both machines are Plugged into the network & the power (desktop - of course, notebook - yes). I wasn't satisified with the results so I went to each of the machines Web UI to ensure I could connect.


Initial Scan to obtain machines on the subnet, while this took longer than I expected it did find all the machines.


After finding you double click on each PC & it connects you to the Firmware.


Then I pulled an asset mgmt screen on both the notebook & desktop to show that I can pull inventory, take in account each machine is powered down at this point.



Now to be sure you can establish communication I went to the Web UI on both, which in the ISDU tool it is simple to click the link & hit the admin login.

While this is good, it's time to now showcase the rest of the use cases, including System Defense with a few good filters. I was out hunting for a good virus & found the backdoor.darkmoon. One of the ports is listens on is 6868 & 7777.. I was able to use System Defense as seen below to block these ports by doing the following:
#1. Open up Intel System Defense Utility
#2. Connect to the impacted machine
#3. Select the "System Defense" tab
#4. Select "Block LImited Services"
#5. Uncheck all items & then in blocked ports in put "6868,7777"
#6. Hit Apply Settings, then Apply Changes

DONE - I've now protected my machine quickly against the potential exploit. It doesn't fix it for cleaning, however it does protect the virus from communicating & receiving future instruction.

Now I can remote control it, turn it on, update the DAT files.

The conference goes through end of the week - yet the excitement around Intel vPro will continue for days\months to come. Below is a quick summary of items shown. Have questions or want more information? Add a comment or post a question.

• Keynote demonstration - showing how the Intel vPro client can be remediated (or isolated) to only the management console on specific ports. Using the Altiris TaskServer - a 1:many job was defined to place a system in remediation, restart a process on the client, and remove the system from remediation. This did require a customization to the network filter settings (e.g. System Defense). The value of isolating a system on the computers NIC was very compelling and led to many conversations.

• At the demo booth - some of the most frequent questions (and associated answers) include:

1. When will Intel vPro and Centrino Pro be available? (Product available today from all major OEMs - including Dell's recent product announcement for Latitude 630c)
2. How long has Intel vPro been available? (Product has been available for a year now)
3. Are customers adopting Intel vPro? (Yes)
4. How do channel partners and service providers get training or more information to assist their customers? (Utilize sites such Intel vPro Expert, Altiris Juice, and so forth today. Formalized training material and events are being created. Stay tuned)
5. Does Intel vPro utilize Wake-on-LAN? (The remote power features are communicated via TCP\IP for reliability\consistency. WoL utilizes UDP and a "magic packet" to contact systems - yet may not act as reliably. In addition, Intel vPro remote power features allow for power off. With integration into Altiris - the ability to record present power state, perform list of defined tasks, and to return the system to the previously recorded power state.)
6. Will Intel vPro appear in other platforms beyond PC-based laptops and desktops? (No publicly stated plans. Raise the question\interest with your preferred OEM)
7. What break-out sessions and materials were available at the event? ("Realizing the value of Intel vPro" - focus on how to integrate Intel vPro into a production environment. A hands-on lab also occurred to step through common operational usage models.)

Just released version v0.40 of the Intel AMT DTK, with the addition of 802.1x and Endpoint Access Control (EAC) as I wrote about in my previous blog. This is probably not going to be a big impact on many people since this feature is exclusive to large enterprises, but it's very useful for testing Intel AMT in environments where the network has access control. As I noted previously, I don't have equipment to test 802.1x and EAC, so, I will rely on the community to give me feedback.

Another interesting feature in v0.40 is the additon of Intel AMT Guardport as a Microsoft Windows tray icon application and Windows Service. Guardpost is of course the C/C++ version of Intel AMT Outpost, perfect to deployments with smaller system footprint but also for adding to a WinPE based recovery OS.

Intel AMT DTK v0.40 Audio Blog (.mp3)

Ylian (Intel AMT Blog)

In my never ending quest to try to have full coverage of all Intel AMT features in the Intel AMT DTK, I got motivated by two colleges to add 802.1x and Endpoint Access Control (EAC