Intel vPro Expert Center Blog

Intel vPro Expert Center Blog : February 2008


Hi all,

If you missed our last 3 radio shows, you can easily subscribe to the show in iTunes and download the MP3s.

http://www.blogtalkradio.com/openport/feed

Next up on the show is vPro Tools with Tim Duncan and, of course, my co-host Russ Pam. I'll blog about it when the time is confirmed.

Josh H


Computer scientists at Princeton University have shown some very easy and creative methods to hack cryptographic key material with physical access to an encrypted machine. Watch the video embedded below to find out how existing technology is really vulnerable to Cold Boot Attacks on Encryption Keys.

All you need is a Duster spray can, if that, to cool the DRAM and extract the keys. The paper published along with the video clearly outlines techniques for finding keys residing in memory. The really cool part is that this technique doesn't hack into the encryption directly. Rather, it depends on scanning for the encryption keys by accessing the contents of the RAM and then extracting the data, either by directly tampering with the RAM or by simply booting the computer from a USB drive. You can also read the industry response and more details on these findings in the news.com article.

It is not all bad news ... Intel is planning on releasing a technology code named “Danbury” which drastically reduces exposure to cold boot attacks. Please note that Danbury technology will be part of the Intel vPro processor technology to be released later this year. Danbury uses dedicated platform hardware to provide full disk encryption, and the actual data encryption keys are not kept in the DRAM. Intermediate, or ‘wrapping’, keys used to unlock the data encryption keys are stored in DRAM temporarily, when the user is physically present or while a remote IT operation has control of the platform. These keys are subsequently deleted once no longer needed, thus reducing the exposure significantly.

I am also very happy to announce that a Danbury SDK, which can be leveraged by software vendors to enhance encryption software, will be made available on the manageability developer community later this year. If you are interested in finding out more about this technology, or in developing encryption software using this technology, feel free to leave a comment on this post.


Today we are announcing version 1.0.5.4 of the packet decoder. This version includes some minor bug fixes as well as two important enhancements:

+ Prerelease* support for Intel® AMT Versions 4 & 5
+ Results search & sort
+ Logging
*Due to hardware availability, not all constructs have been tested

These enhancements are in direct response to user requests.

Here's a 5 minute movie on the tool.

We are currently reviewing other users' feedback to determine what the next update will contain and when it will be available. Stay tuned.

DOPD Software Engineering Team


Wednesday - Russ will be co-hosting with me as we discover more about Microsoft SCCM SP1 with Matt Royer. You may have seen the river of great posts from Matt around SCCM; he's a known pro on SCCM. Matt will be discussing the following topics:

• SCCM SP1 Provisioning and Ease of vPro Client Provisioning
• SCCM SP1 Collection Based Power Management and Task Sequence Power On Capability
• SCCM SP1 Out of Band Management Console for 1 to 1 vPro Client Management

We usually do this every two weeks; however, with all that is happening with SCCM SP1 we thought it would be great to discuss this as soon as we could pull it together. I hope you can join us. Here are the details on the talk show:

Dial In: (347) 326-9831
Time: 1:30PM PST

You can listen here or go to the URL below as well.

http://www.blogtalkradio.com/openport/2008/02/27/vPro-Expert-Center-On-The-Air

If you have questions, fire up chat during the call and ask the experts...

Josh H



Years before I started working on Intel AMT, designers were creating a list of usages that would be enabled by Intel AMT. The list included, I presume, usages around 3PDS, remote reboot to BIOS, disk redirection, etc.: many of the Intel AMT usages that are promoted on the Intel web site. When I started work on the DTK, a personal challenge had always been to find new ways of using existing features to do different and sometimes unexpected things: create new usages for Intel AMT that it was never originally designed to do. I now present my top 5 abuses of existing features.

TCP-over-Serial-over-LAN. The Intel AMT serial port, I am told, was originally designed as an easy way to remotely take control of the BIOS and recovery OS. Designers needed a way for the BIOS to be able to send text display data to a remote console. A virtual serial port was a great solution. It so happens that in the original design, this serial port was always enabled and usable, even when the normal OS was running. This allows a serial agent to talk to a console while bypassing the OS’s network stack. This is interesting on its own, and I started work on a serial agent of my own. Things took a weird twist when I started sending binary data and sending files over this serial port, making it very valuable. It’s only a few weeks later that I realized I could also send TCP traffic over this serial link, making it possible to contact TCP services on the Intel AMT computer even if the network stack was disabled. A few days later, I showcased the first demonstration of VNC-over-SOL, turning this abuse of the serial port into an instant hit. To this day, VNC-over-SOL is still one of the most impressive demonstrations of Intel AMT.

Reverse Watchdog. When Intel sales people demonstrate Intel AMT to customers, they often get asked if you can gracefully shut down an Intel AMT computer using Intel AMT. The simple answer was no: Intel AMT will perform a brutal shutdown or reset upon request. Performing operations like a clean shutdown or reset, sleep or hibernation requires the involvement of the OS. You could tell a serial agent like Intel AMT Outpost to perform the shutdown, but that required opening the serial connection and could be a problem if you had to shut down many computers. I needed a way to pass a small amount of information to a running Intel AMT agent on the PC, do it using SOAP/WSMAN only, and if possible get confirmation of reception. We could store the command in 3PDS and have the agent read it periodically, but 3PDS required setup, and that little amount of data would have required allocation of a 4K flash page. The solution came when looking at the agent presence feature. When a console creates a new agent, a local agent can then register it locally. The agent also gets the timeout of the agent in seconds (from 1 to 65535); this would be the key. By constantly trying to register a known GUID, Intel AMT Outpost could see if the agent existed or not. If suddenly the registration works, the timeout value would indicate the type of shutdown operation to perform. Better yet, the simple fact that registration occurred changes the state of the agent to “Running”, confirming to the console that the message was indeed received. Today the Intel AMT Terminal has “Agent Commands” in the remote control that allow a user to perform soft operations when the agent is running, even if the OS network stack is not working.
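The signalling described above, modelled as an added example (not DTK, Intel AMT Outpost or Intel AMT code): the agent-presence feature is replaced by an in-memory stand-in, and the GUID and the timeout-to-command mapping are constructed conventions that console and agent must share.

```python
# Model of the "reverse watchdog" channel: the console encodes a soft operation
# as the watchdog timeout of a well-known agent GUID; the OS agent learns the
# command by succeeding at registration, and that registration (state ->
# "Running") doubles as the delivery confirmation the console reads back.
# Added illustration; the AMT agent-presence API is stood in by a dict.
from enum import Enum
from typing import Dict, Optional
import uuid


class AgentState(Enum):
    NOT_STARTED = "NotStarted"
    RUNNING = "Running"


# Constructed convention: timeout value (1..65535 seconds per the post)
# -> requested soft operation. Both sides must agree on this table.
COMMAND_BY_TIMEOUT: Dict[int, str] = {
    10: "shutdown",
    20: "reset",
    30: "sleep",
    40: "hibernate",
}
TIMEOUT_BY_COMMAND = {cmd: t for t, cmd in COMMAND_BY_TIMEOUT.items()}

# Constructed well-known GUID shared by console and agent (not a real AMT value).
COMMAND_GUID = uuid.UUID("0f2c9c3a-8b5d-4b42-9f3e-2d4e6c8a1b77")


class AgentPresenceStandIn:
    """In-memory replacement for the Intel AMT agent-presence watchdog table."""

    def __init__(self) -> None:
        self._watchdogs: Dict[uuid.UUID, dict] = {}

    # --- console side (SOAP/WS-MAN in the real design) ---
    def create_watchdog(self, guid: uuid.UUID, timeout: int) -> None:
        if not 1 <= timeout <= 65535:
            raise ValueError("timeout must be 1..65535 seconds")
        self._watchdogs[guid] = {"timeout": timeout, "state": AgentState.NOT_STARTED}

    def get_state(self, guid: uuid.UUID) -> Optional[AgentState]:
        wd = self._watchdogs.get(guid)
        return None if wd is None else wd["state"]

    def delete_watchdog(self, guid: uuid.UUID) -> None:
        self._watchdogs.pop(guid, None)

    # --- agent side (local registration from the running OS) ---
    def register(self, guid: uuid.UUID) -> Optional[int]:
        """Succeeds only if the console created this GUID. Returns the
        configured timeout and flips the state to Running (the ack)."""
        wd = self._watchdogs.get(guid)
        if wd is None:
            return None
        wd["state"] = AgentState.RUNNING
        return wd["timeout"]


def console_send(amt: AgentPresenceStandIn, command: str) -> None:
    """Console: encode the soft operation as the watchdog timeout."""
    amt.create_watchdog(COMMAND_GUID, TIMEOUT_BY_COMMAND[command])


def console_acknowledged(amt: AgentPresenceStandIn) -> bool:
    """Console: the agent's registration is the delivery confirmation."""
    return amt.get_state(COMMAND_GUID) == AgentState.RUNNING


def agent_poll(amt: AgentPresenceStandIn) -> Optional[str]:
    """Agent: keep trying to register; success means a command is waiting."""
    timeout = amt.register(COMMAND_GUID)
    if timeout is None:
        return None  # no watchdog with our GUID yet: nothing to do
    return COMMAND_BY_TIMEOUT.get(timeout, "unknown")


def run_exchange(command: str) -> dict:
    """One full round trip, returning what each side observed."""
    amt = AgentPresenceStandIn()
    before = agent_poll(amt)            # nothing pending yet
    console_send(amt, command)
    received = agent_poll(amt)          # agent decodes the timeout
    acked = console_acknowledged(amt)   # console sees state == Running
    amt.delete_watchdog(COMMAND_GUID)   # console clears the channel
    return {"before": before, "received": received, "acked": acked,
            "after": agent_poll(amt)}


if __name__ == "__main__":
    print(run_exchange("shutdown"))
```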

Mouse over serial. A few months back I started work on a smaller version of Intel AMT Outpost called Intel AMT Guardpost. The idea was that if a serial agent was going to be useful, it was going to need to run on a recovery OS, run in the background with no dependencies and with as little footprint as possible (is it not annoying to have all these background processes running?). The C/C++ version of Intel AMT Outpost was on its way. One feature I always wanted to work on was a remote Windows command prompt; it took over a week to finally pull this off. I could now remotely shell to DOS and perform basic command line operations. I could also enter the command-line editor with the “Edit” command, at which point supporting mouse-over-serial-over-LAN was a must have. Using the binary serial protocol, I added the support to the terminal in a few hours. To this day, it’s still a fun and amazing demonstration of outstanding remote manageability.

IDE-R within the OS. A few days after first enabling IDE-R within Intel AMT Commander, I stumbled upon something I had not noticed before. If an administrator were to start IDE redirection and the OS was to re-scan its plug & play devices, the additional floppy and CDROM drives would show up in Microsoft Windows. This was immediately interesting, since transferring files over the serial port was limited to 115kb/sec, a very slow speed in today’s world. With IDE-R, you can copy files at around CDROM 4x speed on a local network. All I needed was a way for Intel AMT Outpost to cause the OS to rescan its plug & play devices. A few hours later the “HWRESCAN” command was built, and for the first time an administrator could mount a CDROM remotely and install a patch at high speed without ever using the OS’s network stack. This feature also turned out to be an excellent complement to VNC-over-SOL.

Fast data path using IDE-R. This is an idea I never built into the DTK, but I wanted to add it to this list since it would also be an interesting way to use existing features in new ways. The serial-over-LAN feature turned out to be extremely valuable, but it is also slow. Serial ports are very inefficient. One way someone could speed things up is to use IDE-R as a fast bypass to the OS. An administrator would mount a virtual floppy disk drive containing a single file. This file would not really exist; it would contain different data each time it was read, making it possible to send data to an OS agent through Intel AMT at much higher speeds. Also, since the floppy is a read/write device, the agent could write into the virtual file data that it wants to send to the console. It would be quite a bit of work to pull this off, but it certainly seems possible. Someone would just have to know the internal format of an .img file.

That’s my top 5. I realize this is probably a rather advanced blog article, but this is proof that you can have a lot of fun with any technology.


Ylian (Intel AMT Blog)


ACTIVATION - New Zone & vPro Radio

Over the last few months we have seen a lot of dialogue around how to turn on vPro systems, the steps to turn on the ME, configure, etc. So we took this to action and created a new Sub Zone that is just focused on Activation. This new zone will focus deeper on Tools, Training & Documentation.


Check out our latest vPro Radio talk show with Terry, Russ & Michele (vPro Experts) as we discuss Activation.

NEXT TALK SHOW
Microsoft System Center Configuration Manager - listen in on Weds 2/27/08 - http://www.blogtalkradio.com/openport


The Intel AMT Developer Tool Kit (DTK) is now over a year old and, by many accounts, the most popular software package for using Intel AMT that exists today. As I work on improvements and new features I also get to interact with my users, developers, IT departments, testers, etc. I also come across many common ideas for how Intel AMT should be improved. Today I decided to compile my own list of changes I would make to improve Intel AMT. Even though I work at Intel, I have no special access or power over what gets changed, so it’s important that users of Intel AMT make their voices heard if they think they have changes that need to be made.

1. No TLS, Serial-over-LAN/IDE-R password in the clear. As many of you have discovered, when using Intel AMT in small business or enterprise mode without TLS, the login username and password are sent on the network in the clear when the administrator performs a serial-over-LAN or IDE redirect operation. With so many coffee shops, schools and Internet cafes playing around with Intel AMT features, this could be a big problem. Imagine a classroom with a few vPro computers with AMT set up in SMB mode by an unsuspecting teacher, and a student running a packet sniffer, obtaining the password and rebooting AMT computers remotely. This can be avoided by setting up TLS using Intel AMT Director, but this should not be a problem in the first place. The HTTP digest used for web pages could easily be adapted and used.
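What the suggested HTTP digest buys over a clear-text login, as an added example (not Intel AMT or DTK code): an RFC 2617 Digest exchange with qop=auth, where the client proves knowledge of the password without ever transmitting it, and the server keeps only HA1 and refuses a replayed nonce count. The realm, account and password below are constructed values.

```python
# RFC 2617 HTTP Digest (qop="auth") client response and server verification.
# Added illustration; realm, user name and password are constructed values.
import hashlib
import secrets
from typing import Dict

REALM = "Digest:EXAMPLE-REALM"  # constructed realm string


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str,
                    qop: str = "auth") -> str:
    """Client side: response = MD5(HA1:nonce:nc:cnonce:qop:HA2).
    Only this hash goes on the wire; the password itself never does."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side: stores HA1 per user (not the clear-text password), hands out
    nonces, and tracks the highest nonce count seen so a sniffed response
    cannot simply be replayed."""

    def __init__(self, realm: str, users: Dict[str, str]) -> None:
        self.realm = realm
        self._ha1 = {u: _md5(f"{u}:{realm}:{p}") for u, p in users.items()}
        self._nonce_counts: Dict[str, int] = {}

    def new_nonce(self) -> str:
        nonce = secrets.token_hex(16)
        self._nonce_counts[nonce] = 0
        return nonce

    def verify(self, username: str, method: str, uri: str, nonce: str, nc: str,
               cnonce: str, response: str, qop: str = "auth") -> bool:
        ha1 = self._ha1.get(username)
        last = self._nonce_counts.get(nonce)
        if ha1 is None or last is None:
            return False            # unknown user or nonce we never issued
        try:
            count = int(nc, 16)
        except ValueError:
            return False
        if count <= last:
            return False            # replayed or out-of-order nonce count
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
        if not secrets.compare_digest(expected, response):
            return False
        self._nonce_counts[nonce] = count
        return True


def login_attempt(password_used: str) -> bool:
    """One challenge/response round trip against a constructed account."""
    server = DigestVerifier(REALM, {"admin": "Admin!98"})
    nonce = server.new_nonce()
    cnonce = secrets.token_hex(8)
    resp = digest_response("admin", REALM, password_used, "GET", "/sol",
                           nonce, "00000001", cnonce)
    return server.verify("admin", "GET", "/sol", nonce, "00000001", cnonce, resp)


if __name__ == "__main__":
    print("correct password:", login_attempt("Admin!98"))
    print("wrong password:", login_attempt("guess"))
```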

2. Allow TLS in SMB mode. This is a long time feature request that is somewhat related to the first issue. In my work with Intel AMT, I can do everything I need to set up TLS in SMB mode except enabling it. Allowing administrators to set up server-side authenticated TLS would be very easy to add to Intel AMT and would provide improved security with almost no work. In fact, Intel AMT Commander could just prompt the administrator on first connect if he or she wants to enable TLS when a non-TLS SMB computer is found. A new root certificate would be generated if none already exists. Strictly speaking, it would not provide “bank level” security, but would go a long way for shops, schools and small business owners who have more to think about than understanding secure manageability.

3. Release the SOL/IDE-R redirection source code. The library called “IMRSDK.dll” is compiled by Intel and not available in source code form. It’s available on Windows and Linux, but it has been a problem for people trying to port this feature to other platforms. It’s also a problem because this library is far from perfect and I would be the first to make changes to it. One of the most critical changes I would make involves knowing if the Serial-over-LAN is connected or not. Imagine how annoying it is to have the SOL connection drop and the application not know about it. Intel AMT Terminal will show “Connected” at the top even when it’s really not. I also want a debugging feature to know exactly what is going on; people report in forums and privately to me that SOL has problems and I have no way to help. My list does not end there; I have more changes I really need made.

4. Make Intel AMT discovery and connection easier. Some Intel AMT software has a discovery feature that attempts to sweep a network to find Intel AMT computers and add them to a management console. To make it easier on the user, Intel AMT Commander also attempts to automatically detect the type of AMT computer it’s talking to. Once you discover a computer, the work is not done. Is the computer set up with TLS? Is it in WSMAN only mode? Is it using TLS mutual-auth? Are you talking to LMS? What version is this? The Intel AMT DTK has an elaborate system to attempt to gather this data when a user connects. With new versions of Intel AMT, the transition to WSMAN and more, it’s getting more and more difficult to correctly detect and connect to all versions of Intel AMT. Developers looking at the DTK’s connection algorithm will be stunned; we need to simplify this process.

5. Get permitted access realms upon connection. So you set up Intel AMT with various user accounts, one for asset monitoring only, one for packet control, another for remote repair. When software like Intel AMT Commander connects to Intel AMT using one of these accounts, it has no idea what types of permissions this account has. As a result, the software is left to assume it has all rights, or to fail with an error when things start to go wrong. I don’t think it would be unreasonable to be able to query the allowed realms upon connection for the account currently being used. This would make it easy for Intel AMT Commander to remove from the UI features that are not allowed.

Of course, being an avid fan of Intel AMT, I could write many things I like about it; just look at my many blogs. It’s my hope that this list will spur discussion and action. If you read this, take the time to write a small comment saying which one of these you would want fixed first, or tell me if you have your own issue.

Ylian (Intel AMT Blog)


When trying to update your BIOS on a vPro machine with an Intel® Desktop Board DQ35JO, you might find a problem when you try to boot it from a CD. It reads it as a boot CD, but when you press any key to start the boot it may come up with an error message similar to this:

error.JPG

To fix this, you must change how your BIOS manages SATA disk drives. Under the “Advanced” tab, you will find a category called “Drive Configuration”. Change the “Configure SATA as” option from “AHCI” to “IDE” as shown.

IDE.JPG

Otherwise, you must upgrade through Windows using the .EXE file provided here.

Download the .exe file onto a flash drive or CD, and open it once the computer has booted up: go to My Computer, then the flash drive or CD drive, and double click the .exe file to run the setup.

vista-drive.JPG

Follow the onscreen instructions, until the screen looks like this:

http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-10937-1273/update-3-small.JPG

Click Finish, and setup will update the BIOS. It will shut down, then reboot and show a black screen showing what it is doing. It should take about 5-7 minutes. When it is done it will boot up and should come up with a screen that says it completed successfully.

http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-10937-1274/update-4.JPG

Congratulations! You have updated your Intel BIOS. In addition to numerous bug fixes, this updates your AMT ME firmware to version 3.0.8.1132.


--Cody Frank
GBiT Technician - vPro Coordinator

and

--Matt Ford
GBiT Technical Services Manager


Check out this excellent example of activating vPro and a usage model in a creative way to achieve a relatively quick break-even point and return on investment: vPro ROI Analysis - Reducing IT Resource Needs & Service Costs Through Intel Core2

Abstract: Intel's investigation into the savings offered by Intel vPro technology was conducted in a globally distributed environment. The test environment consisted of 39 training rooms in Asia, the United States, and western Europe, with approximately 800 PCs, of which 300 systems were PCs with Intel vPro technology.

Brian Brougham


Installing Multiple Intel SCS components for a large Notification Server environment

Some Notification Servers carry huge loads of managed systems. I've seen Notification Servers managing 10,000, 15,000, and even 20,000 plus systems. For Out of Band Management with the Intel SCS Component, a multiple-service install may be required to handle large loads of provisioning or maintenance requests into the Intel SCS Component. This article covers how to set up such an environment.

Introduction

Normally, in a simple Notification Server environment, when the install for Out of Band Management is initiated, all the necessary pieces, including the Intel SCS Component, install automatically and silently. In more complex environments the automatic install of the SCS Component often throws an exception and provides a message indicating the install should be conducted manually. This manual process is what will be used when installing the components on the subordinate servers that will share the load for the Intel SCS Component.

Installing Out of Band Management

The first step is to install Out of Band Management and the primary Intel SCS Component on the Notification Server. This will set up the IntelAMT database that will be used with every install of the Intel SCS Component. The following process details the install methods for Out of Band and the Intel SCS Component.

Simple NS environment

For a simple NS environment where the Application Identity for Notification Server has full rights to both the Notification Server system and SQL Server, the initial install is simple. Note that this process should be used for both Simple and Complex environments to lay down the essential components on the NS.

  1. In the Altiris Console, browse View > Configuration > Install/Upgrade additional solutions.
  2. Under available solutions, click the ‘Segments' button.
  3. Expand the Partner Solutions section and locate the Altiris Manageability Toolkit for Intel vPro Technology.
    SolCtrvPro.jpg
  4. Click the link to launch the install.
  5. NOTE: This will install the following primary components, all of which tie into aspects of Out of Band Management and Real-Time System Manager:
    1. Task Server and supporting installs
    2. Real-Time System Manager
    3. Real-Time Console Infrastructure
    4. Out of Band Management Solution
    5. Out of Band Setup and Configuration (AKA the Intel SCS Component)
    6. Network Discovery
  6. The install will commence. Note that if the Intel SCS Component cannot be installed successfully, you will receive a message indicating it needs to be installed manually. If this is the case, see the next section entitled ‘Complex NS Environment'.
  7. If no errors are shown, the Intel SCS Component with the IntelAMT database should have been installed and created successfully.

Complex NS Environment

Despite the name of this section, sometimes the steps here are needed because of a minor security issue when the automatic install was attempted. The following steps detail the process of installing the Intel SCS Component manually.

  1. Run through the install as detailed under the ‘Simple NS Environment' section above. This will put all the typical components in place, and likely the automatic install of Intel SCS will fail, requiring the next series of steps to be completed.
  2. It's recommended to log into the Notification Server as the Application Identity user.
  3. Browse to the following path on the NS: <install_path>\Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\OOB\IntelSCS\
  4. Launch the EXE AMTConfServer.exe.
  5. Click ‘Next' on the Welcome screen and accept the license agreement and click ‘Next'.
  6. Choose ‘Complete' as the type of setup and click ‘Next'.
  7. In the User name and Password fields put in the Application Identity for the NS.
  8. Check the Web details.
  9. Leave ‘Force Secure Connections (HTTPS)' checked if you will use TLS to encrypt AMT traffic, or uncheck it if you will not be using TLS. Click ‘Next'.
  10. Under ‘Database Server' select the database name and instance (if applicable) to use. It is recommended to use Windows Authentication, but if the SQL setup requires a SQL account, choose that option. Click ‘Next'.
  11. The next details should be left as is. Click ‘Next'.
  12. Click the ‘Install' button to proceed with the install using the parameters set.
  13. At the Complete screen, leave the ‘Start Intel® AMT Config Service' checked and click ‘Finish'.

Subsequent SCS Installs

Now that NS has all the required components, and the IntelAMT database has been created, the following details cover how to install a subordinate install of the Intel SCS Component. Note the following prerequisites for this type of install:

  • Windows 2000 Server, Windows 2003 Server
  • Internet Information Services (IIS)
  • Microsoft .NET 2.0

Run through the following steps to install Intel SCS.

  1. Log onto the system as the Application Identity user for Notification Server.
  2. Browse to the following path on the NS: \\<NS_Name>\NSCap\Bin\Win32\X86\OOB\IntelSCS\
  3. Launch the EXE AMTConfServer.exe.
  4. Click ‘Next' on the Welcome screen and accept the license agreement and click ‘Next'.
  5. Choose ‘Complete' as the type of setup and click ‘Next'.
  6. In the User name and Password fields put in the Application Identity for the NS. If this is not possible the user should have full access to the SQL Server. This will also be the user set on the Service AMTConfig.
  7. Check the Web details.
  8. Leave ‘Force Secure Connections (HTTPS)' checked if you will use TLS to encrypt AMT traffic, or uncheck it if you will not be using TLS. Click ‘Next'.
  9. Under ‘Database Server' select the database name and instance (if applicable) to use. This should be the SQL Server used to install the IntelAMT database in previous steps.
  10. Leave the database details as they are. Click ‘Next'.
  11. Click the ‘Install' button to proceed with the install using the parameters set.
  12. You'll receive a notice saying that the database IntelAMT already exists. Make sure to click ‘Yes' so it uses the existing one.
  13. At the Complete screen, leave the ‘Start Intel® AMT Config Service' checked and click ‘Finish'.
  14. From the Notification Server, at this location: , copy the file oobprov.exe to the same path on the subordinate install (default will be C:\Program Files\Altiris\OOBSC\).
  15. NOTE: You must use the same path that was used on the Notification Server; this is a limitation of this implementation.
  16. Copy to the same folder the attached file Interop.AeXClient.dll.
    RemoteSCS.JPG
  17. Normally the script (oobprov.exe) is properly registered to the correct path, but if it is not, we must manually change it.
  18. Open SQL Query Analyzer or SQL Enterprise Manager. Run the following query:
      USE IntelAMT
      SELECT Props_script_path, use_props_script
      FROM csti_Configuration
  19. Check the path and make sure it matches the remote and local Intel SCS install. Also verify that use_props_script is set to 1, which means ‘True' (0 means ‘False'). Now run the following query if they need to be updated, but take note to change the path to match your environment (both columns go in a single SET clause, separated by a comma, and the path is a single-quoted string):
      USE IntelAMT
      UPDATE csti_Configuration
      SET props_script_path = 'C:\Program Files\Altiris\OOBSC\oobprov.exe',
          use_props_script = 1
      WHERE configuration_id = 1
  20. Everything should now be in place for both the primary and secondary Intel SCS install to work with systems being Provisioned, including subsequent maintenance or reconfiguration functions, sharing the load.

Confirm Registration

The next step is to confirm that the install has successfully registered in the IntelAMT database and is running. Use the following steps to make the checks:

  1. First, let's check that the secondary SCS Server has properly registered in the IntelAMT database. On the SQL Server where the IntelAMT database is housed, open SQL Query Analyzer or SQL Enterprise Manager. Run the following query:
      USE IntelAMT
      SELECT * FROM csto_servers
  2. You should have one entry for every Intel SCS install you've completed.
  3. On the secondary Intel SCS Server, go to Start > Administrative Tools > and click on ‘Services'.
  4. Locate the Service ‘AMTConfig'. Ensure the following settings:
    • Status = Started
    • Startup Type = Automatic
    • Log On As = NS Application ID

Adjust Queue Settings

The last part is to adjust the general settings to account for the added resources.

  1. In the Altiris Console browse to View > Solutions > Out of Band Management > Configuration > Provisioning > and click on ‘General'.
  2. Look under the ‘Service Maintenance' section. See the screenshot, followed by the recommended settings:
    OOBGenSettings.jpg
    • Max queue size: 2000 for one instance, add 1000 per secondary server
    • Worker threads: 10 for one instance, add 5 per secondary server. Same for the Slow worker threads
  3. The above values are recommendations. Since thorough testing has not been performed, it is recommended to change these in small increments if performance is a problem.
  4. Make sure to ‘Apply' the changes once they've been made. This should allow the SCS infrastructure to handle larger loads of incoming requests.

Conclusion

The subordinate Intel SCS install process should be repeated for each Intel SCS install desired in the environment. This will help distribute the load of incoming requests from Intel AMT vPro systems. Moving forward, Symantec and Intel will be testing this scenario further. In the interim this article can be used to increase the resource power of the SCS infrastructure.


With the launch of Intel Centrino with vPro technology - several medium to large customers (with 1000 or more PCs in the infrastructure) have asked for Intel's help with building the financial business case for the new technology. Given this need, Intel asked WiPro to survey senior IT managers from 41 companies about current notebook PC management costs that could potentially be reduced by taking advantage of the new technology. WiPro specifically focused on PC maintenance costs that IT usually budgets for on an annual basis (these are "hard dollar costs", such as help desk calls, help desk visits (especially for hardware and software malfunctions - such as OS blue screens and hard drive failures), auditing, security incidents, software patch deployment costs, major application (such as Office) deployment costs into the infrastructure, etc.).

WiPro's findings are as follows:

  • Estimated hard dollar savings of up to ~$140 / PC / year with Intel Centrino with vPro technology vs. the mobile PC in the installed PC base today
  • Reduces the need for hardware-related desk-side visits by as much as 58% and for software-related desk-side visits by as much as 57%
  • Up to 51% faster patch saturation per incident and reduces number of inventory failures by 62%
  • Enterprises can take advantage of most of the Intel Centrino with vPro technology features (including remote diagnosis and repair) in the mobile PC form factor for about 16 hours a day (the other 8 hours, on average, the mobile PC is asleep or off-line, and an IT manager cannot use the Intel vPro technology features)

For those interested in the report, please read about it here: http://www.intel.com/business/business-pc/roi/centrinoprowhitepaper.pdf

In order to help customers model the "hard dollar" savings in their own environment, Intel has created the Intel Centrino with vPro technology and Intel Core2 with vPro technology ROI Estimator. It is based on the data from the above study, as well as another study that focused on desktops with Intel Core2 with vPro technology that was published last year. This ROI Estimator is located here: http://www.intel.com/business/business-pc/roi/demo.htm

To learn more about the ROI Estimator and the desktop and mobile PC studies, please listen to Josh, me and WiPro talk about them in this PodTech videocast: http://www.podtech.net/home/4679/roi-intel-vpro-technology-in-the-enterprise

Cheers -

Justin Van Buren

Intel Business Marketing Manager


SDP-1: Permit a Single IP

Posted by cmp1 Feb 20, 2008

This is 1 of 10 System Defense policy tests I worked on. This test has four systems: three servers & one AMT 3.0 client. I run pings from each server to the vPro system and from the vPro system (via RDP session) to each server. Then I block all IPs except one server's. I lose connectivity, including the RDP session, but can still manage the system to remove the policy.


Although Danbury is the ultimate solution for disk encryption and remote manageability, the following whitepaper provides a reference design for using Intel® vPro™ Technology and Serial Over LAN (SOL) as a means to perform remote disk drive unlock on client boot-up.


Whitepaper: Intel® vPro™ Technology Enables Remote Manageability of PCs Employing Encrypted Disk Technology

Matt Royer


Note: This information is based on Microsoft System Center Configuration Manager 2007 SP1 Beta and is subject to change between now and RTM.

Once the vPro client has been provisioned by SCCM SP1, you can start performing vPro client manageability through either collection-based power operations or the “Out of Band Console”.

To invoke vPro power management feature from within a collection, you can right click on a single client (or multi-select several clients) and select “Out of Band Management” -> “Power Control”. After which, a “Power Control” Screen will appears for the client(s); from there you can select whether to power on, power off, or restart the vPro Clients.

Here is a video that visually goes through the process:


To perform more vPro client manageability options, right click on the client in the collection to manage and select “Out of Band Management” -> “Launch Out of Band Console”. It may take several seconds for the “Out of Band Console” to fully load; make sure that the system status in the bottom left section of the “Out of Band Console” reads “System: Connected”. Once the “Out of Band Console” is loaded, you will see 7 menu options:

  • System Status: Displays the following for the connected computer:
    • The power state
    • IP address
    • Computer name
    • System ID
    • System date
    • System time
  • System Inventory: Displays the hardware inventory information for the connected computer.
  • Power Control: Initiates one of the following power control actions:
    • Power on the computer
    • Power off the computer
    • Restart the computer
    • If you power on or restart the computer, select one of the supported boot options that is retrieved from the computer. These can typically include the following:
      • Normal boot
      • Boot from local CD/DVD drive
      • Boot from local hard drive
      • Boot from alternative media (and specify the image file in Alternative media path)
      • Boot from the network
      • Boot to BIOS
  • System Event Log: Displays activity for the management controller on the selected computer. You can also clear and set log levels from this screen.
  • System Audit Log: Displays IDE redirection and PXE boot information.
  • Serial Connection: Starts a terminal emulation session so that you can run commands and character-based applications. After invoking an IDER or BIOS redirection, you will want to come to this screen to interact with the SOL session.
  • Configuration: Allows you to perform either a full or partial unprovision of the vPro Client
    • Full Unprovision: “Delete both configuration data and identification data from the management controller”
    • Partial Unprovision: “Delete configuration data and retain identification from the management controller”


Here is a video that visually goes through the process:


Matt Royer

0 Comments 0 References Permalink
1

Client Manageability Add-on (aka AMT Add-on) version 3.2 for SMS 2003 has been released. For download and more information, please visit: http://softwarecommunity.intel.com/articles/eng/1356.htm

Bug Fixes / Issues Resolved

  • An Intel® AMT PC can be configured to use HTTP Digest network communication. Part of the Digest header is a random string which includes the platform UUID. Under certain circumstances, depending on the manufacturing flow, it is possible that the Digest UUID and the actual platform UUID as stored in the hardware inventory table do not match. The Intel® Add-on for SMS would reject HTTP Digest communications from a system with mismatching UUIDs. Note that the Digest string uses the UUID purely as a random number and does not use it as an identifier, so there is no reason that they must match. This hotfix amends the behaviour to ignore mismatching UUIDs.
  • There were cases involving sites containing very large numbers of AMT devices where menu selections would be displayed unacceptably slowly. This has been solved.
  • In rare cases, expired advertisements would wake up AMT devices. This has been solved.
  • Due to the way in which SMS performs log message collection, large numbers of messages are collected, many of which are not critical AMT device messages. Although these messages are valid, they are nonetheless not required in many situations. A workaround has been implemented that allows for the suppression of various levels of non-critical messages.

New Features from 3.1 to 3.2

  • The Add-on service account no longer requires local administrator permissions.
  • There is no longer a need for a dedicated Add-on service account. The user specifies the Add-on service account during installation.
  • New Active Directory groups.
  • The Add-on is integrated with version 3.3 of the Intel® AMT Setup and Configuration Service.
  • Operations no longer require SMS Administer permissions, except for changing the Add-on Settings.
  • A user in the Redirection Managers group can terminate another user's redirection operation.

Matt Royer

1 Comments 0 References Permalink
0

Congratulations to the 3 winners of the "rock your world" contest. Due to limited submissions, the team has made the decision that all 3 submissions will win an Intel(R) Centrino(TM) notebook with Intel(R) vPro(TM) technology. We are awarding the following systems:

Lenovo T61 - Intel(R) Centrino(TM) with Intel(R) vPro(TM) Technology

  • Intel Turbo Memory
  • Select models have .11n
  • Energy Star 4.0 rating

Hewlett Packard 2510P - Intel(R) Centrino(TM) with Intel(R) vPro(TM) Technology

Here are the winning videos:
1st Place

2nd Place

3rd Place

Thank You all & look forward to our next contest in Q2.

0 Comments 0 References Permalink
0

Hi, I'm Craig Pierce and I work for Intel's Information Technology department. I started playing around with System Defense last year and wanted to share my learning. There have been some requests for a "How to" on implementing it, so I created an add & change video that I am posting today. Look next week for my first policy use case.

-Craig

0 Comments 0 References Permalink
0

This week I was reflecting on my IT journey over the last few years and on how I successfully adopted new technology. I thought that sharing this type of information may be helpful to those out there who are either about to start or in the middle of their integration of Intel® vPro™ Technology. First things first, here's an illustration of the different camps within an IT shop (architecture, engineering, operations, finance, security) and then of course there is the leadership (mgmt) that provides air cover for such new adoptions and is also a key stakeholder in their success.

blogroles2.jpg

Each of these camps has a different perspective and frame of reference, so let me dive into each one.

ARCHITECTURE: for the architect community, the requirement is to understand their 3-5 year roadmap and how a new client technology fits in: does it violate any major design rules, does it embrace the technology strategy? Specifically, the focus is around conceptual and reference architecture, with emphasis on high level themes such as Compliance, Provisioning, Remediation, Automation and Virtualization. The vantage point here is looking at the big picture and being able to define it in relationship to the rest of the architecture. This includes the BDAT model as well (business, data, applications and technology): the focus is around the business process changes and the data architecture changes with respect to where data is being stored, retained, transmitted, etc. Applications are all about the application architecture requirements and potentially any changes to the high level picture.

ENGINEERING: for engineering it's all about the connection points, ports, protocols and access rights. What I find very compelling in this realm is that the dialogue is around the AS IS and TO BE solution architecture, with heavy reference to the BDAT model output. How does it specifically fit in with the rest of the pieces, what is the traffic pattern, what is the fault tolerance, how does it reuse the pieces of infrastructure already in place, how does each level of the support stack manage its respective pieces without breaking the separation of duties requirements, and what are the scaling-out ramifications?

OPERATIONS: for operations it's all about what the process change is, realization of the value, and how it all works. As you dig in more in this area, it is about the 1-x process steps required; there is a heavier view on automation of remedial tasks, and there is focus on ownership of problems, reliability of the solution, SLAs and OLAs (operational level agreements). The dialogue for operations is about the minutes it takes to operate a given function, the time to execute, back out, re-provision, etc. This is where the business process understanding and changes are the most critical, as they are truly tested in live production scenarios.

FINANCE: for finance, there are a few things that I think are important to know. It's not all about ROI and TCO, although that is about 90% of it. The other 10% is primarily focused on how this solution would enable company objectives, goals and vision. They are also the keepers of the value (headcount, costs, impact, including how to verbalize it) when it's all said and done, as they play the role of delivering a projected vs. actual account of events; therefore their keen involvement and insight is important. An enlisted finance manager can make a world of difference.

SECURITY: I initially did not draw in secu