Intel vPro Expert Center Blog

Bring out the cake and candle - 1 year anniversary is here!

josh.hilliker — Wed, 27 Aug 2008 06:15:49 GMT

1 year anniversary - YES!

I wanted to start this blog by saying what an interesting, fun, and action packed year it's been for the vPro Expert Center. we had a vision about 1 1/2 years ago to create a community where we could bring all parties together to talk about vPro and really make a difference in the activation and integration of this technology into the IT environment. I know that to be 1 years old in a community is just a small milestone, however for me it has been a blast to connect with a # of folks from the community both in the forums, onsite and at events where we can talk face to face. As I reflect back on the year, here are the top 5 and bottom 5 of what the community did that I think made a difference. (I could have made this the top 50).

TOP 5

Have seen some of the best bloggers join us online for dialogue (BIG Thank You)
Had great participation across the board - HW(OEM), SW(ISV), YOU, Intel, etc..
Started a Radio show on blogtalkradio - check it out (even on itunes)
Started a few sub zones that are really helping - microsoft, activation, and our latest SMB Talk.
Partnered with Myitforum.com and started using resources/wiki's for key events (Manage fusion, Microsoft mgmt summit)

Bottom 5

We published over a dozen tools and then didn't call them free tools and then we pulled one down that folks really cared about (yes it's almost fixed for those that know what I am referring to)
Implemented an ask the experts section, however we used as a single thread and now it's hard to find past solutions/fixes - (yes this is being fixed)
Tried to do an online TV show (good luck finding that legacy show anywhere)
We started a contest and made it to hard to participate - (we took the feedback and will try something soon that is easier to participate)
We haven't created a points system yet to showcase who's really answering all the questions and if the answers are good one's. (reputation system or something of that nature).

What does this all mean, we still have more work to do to make this community better. I'm committed to making this an awesome community, focused on you and how to make your life easier with vPro. Keep coming back and spreading the word to friends.

I also want to recognize the great community for giving me input on how to make this better over the year and I want to hear more over the next year on what we can do to make this a better community, increased functionality, richer video, tools, etc. If you have input on what you would like to see, what we can improve, what we should stop doing, etc.. please drop me a line by either blogging me back here, or just send me an email - josh@intel.com.

Or if you have product input that is always welcome, for example, on features we should have in the ME (manageability engine) or Software to leverage our silicon.

So.. what's next? I can tell you that I have been planning, thinking, waiting for September 22nd for the last 2 month's, I can't say much, but I can say you will want to be on the vPro Expert Center that day and check out something very exciting. (if I say any more I'll get the PR/Mktg teams yelling at me).. I can say that we will have more video's, more quick start guides and more focus on CIRA (FAst call for help) coming out soon as the HW starts to show up and we can show real life scenario's with rich detail. We are also going to spend more time focused on how to fast track a few use cases, like Going Green with vPro, Remote Repair, & Patching @ Night. After hearing this discussed the last month I believe the community with see value in the output here.

I would also like to give kudos to a # of community peers both inside & outside of Intel that have shared their wisdom, data, approaches and even video editing skills to help me start this community. I think we've only just begun and I am personally looking forward to the road ahead. please give me a shout out to tell me what you think of the community..

Josh H
Community Manager - vPro Expert Center

IDF Class - Activation, Integration & the Expert Center

josh.hilliker — Thu, 21 Aug 2008 15:26:53 GMT

Yesterday Jeff Marek, Big Dave & I taught a class on the value of vPro, Intel IT's experience and more on tools. Here's a quick link to the presentation.

http://intel.wingateweb.com/US08/published/sessions/PROS005/SF08_PROS005_100t.pdf

If you attended yesterday's session please let us know if you have questions, comments, etc. .

IDF: Lucky little intern!!

Sophia.Stalliviere — Wed, 20 Aug 2008 23:22:35 GMT

I am so lucky to experience IDF (thank you Jason Davidson, Josh Hilliker and Kevin Ma). The atmosphere here is amazing. Wide varieties of people are here to enjoy what is new coming out of Intel. Opening key notes were invigorating and exciting. Craig Barrett kicked off the experience with his speech, "Small deeds done are better than great deeds planned," what a simple and powerful saying in Craig Barrett's speech.

Going through show floor area, where the majority of the demos are located, there is so much exciting new stuff, everything from virtualization to new hardware. Let me key you in on something that is going to big with vPro: remote help for your home computer. With this technology, you can have a key stroke on your PC, it will send a signal to several qualified providers that you can choose from, they will receive a code, and the one of your choice can fix your PC remotely. You would not even need to bring in your PC or have a tech come to your place of residence for most problems. Josh Hilliker is going to be putting up w a PDF about it here on the vPro Expert Center. Keep your eye out for some clips and more cool new features from different people on the Open Port site.

(Some cool give-a-ways!!)

Understanding vPro Chapter 7: From virtual world to virtual appliances.

Sophia.Stalliviere — Tue, 19 Aug 2008 19:21:38 GMT

Virtual World - a computer based world that represents all aspects of life, as we know it. There are many fun and exciting examples of ways people have turned aspects of our world into a virtual world, and often these are found in massively multiplayer online games. However, one virtual representation I have been learning about lately is one called virtual appliances. Virtual appliances represent complex software stacks in a virtual environment. However, with a virtual appliance we are taking something that is often very complex and have high maintenance costs and representing it as single application. The virtual appliances I have been learning about lately are not representing real life in a fun environment, but solving real problems by interfacing with the vPro features.

Recently Nicole Trent wrote a blog on Microsoft SCE. It is one of the many examples (you can find an abundance of appliances on the vPro Expert Center) of virtual appliances that can be used to interact with the features in vPro. These appliances are useful when you perform inventory and maintenance to vPro clients as they bundle the software you use to manage the clients into one location. Then you can use this to control your clients from your server by using the remote capabilities.

If you have a whole lot of clients in your business that need to be updated over night because it's critical for these to be in service for the day, you would can use a virtual appliance that contains the IT software needed to make up that script so IT wouldn't have to be there over night. These scripts can execute and maintain your machine while you're away from your desk, sleeping or having a fun weekend. Best of all, the IT people that make these scripts are allowed to have their nights and weekends as well, as the scripts can execute fully automated.

This is convenient for the "green" factor. We are able to send applications with aid of AMT without wasting anybody's time that would go desk side and put the application on each computer or if the computer itself needs help because it's in trouble. They would just apply it at one time not wasting time, money, and packaging (my past blogs emphasizing these features). When the alternative is having an IT person going from one site to another, this helps lower gas consumption.

This is just another tool to our future of virtual computing. The more comes out the more it helps aid in situations that only a few years ago that is changing the way our businesses are operating. Now that it's here we should be able to use it to it's full extent it's up to us to use push the limits.

P.S. This week most of us (yes vPro lovers, Mr. Josh Hilliker will be gracing us with his presence!) will be at IDF there will be a lot of good stuff coming out of the vPro Expert Center. If you cannot be there check, out the vPro site there will be blogs and radio shows (which by the way Blog Talk is on iTunes for free download- search Intel Open Port Radio) who know maybe you will hear me!! Stay tuned!

What are you thoughts on vPro? Oh and you get something for it! [Officially closed!! Sorry!]

Sophia.Stalliviere — Thu, 14 Aug 2008 17:23:18 GMT

This is officially closed on both Survey Monkey and this site.

Just go to Survey Monkey and take the survey that is shown below.

I have been saying so much on what I love about vPro and the cool features that it presents to the public, so now I want to know your perspective. Since you are going to be so nice to put your point of view up here, I am going to give something back to the best answers: a 16GB USB key!! So post what you like best about vPro and I will send you a 16GB USB key! All I need to know is:

What I think is cool about vPro:

Company Name:

Number of vPro/Centrino Pro systems:

Understanding vPro Chapter 6: It’s virtual world.

Sophia.Stalliviere — Tue, 12 Aug 2008 22:46:16 GMT

Ah...I love talking about virtualization. Virtualization feels like some non-reality spectrum. It is as if you can manipulate it to do anything with it. The topic just seems endless; technology is starting to run with the idea of that. With vPro, virtualization will be able to go farther. Remote manageability aids in the virtualization area. The thought of two different versions of a program being on the same client and the computer not being able to have them up is a thing of the past. They wouldn't even know that each other were there.

With the real world in mind, big companies with many different offices could stream private information to each other with vPro. This would prevent sensitive information from leaking out to the wrong hands. Hospitals would benefit from this because when their patients' files are in their data base they can just stream the whole data from their server to the client computer where the doctor is, again security would help aid against any tampering of sensitive documents.

Besides sending out vital and sensitive information, there are also necessary items that people would need that they could stream. School is a great area for that. They are implementing it in a few schools(St. Agnes Prep School Use emerge Compute Models With video). I know there are plenty of times where I have to carry three books and my back felt as if it was going to break. Also, I hated switching the books around depending on what day it was. I could have all my information on the laptop that I was carrying anyways would do me a lot more good.

With vPro, the universities will be able to have a few servers that will check on the laptops that are given out to the students. If there are any problems with the software (it wouldn't have to be just with the books, it could be with software that the university has rights to) that was being streamed the server computer can detect it and fix them remotely. As a college student, I would love to have all my information just through my computer. I wouldn't have to worry about trucking all my stuff everywhere and it's all centrally located in one area. For a company, it ensures that all information needed is gathered in one area that can be obtained by the employees and it can be relayed back and forth.

How many times have you gone to the ATM and it says that it's out of service? For the financial intuitions, how about all of those remote ATM that is difficult to go out and service the computer? With vPro the sever will be anywhere and it can service the client away from the machine, saving the financial institutes plenty because the service guy does not have to go out at all hours. They can check if there is anything wrong with it's software or hardware away from the computers within minutes.

vPro is able to extend the possibilities of virtualization. It has helped to be able communicate two (or more) computers together and talk to each other. knowing that we could go farther and farther with the technology of vPro and having Centrino2 coming out, it's only going to be even more endless. The excuse that the dog ate my homework will not work anymore. (I think I am going to try to find a virtual dog!)

Understanding vPro- Chapter 5: Enhanced Maintenance (I just want to wrap a big hug around AMT!!)

Understanding vPro: Chapter 4 vPro: What is with this trusted environment?

Understanding vPro: Chapter 3- Proactive Security- did Intel put a tiny guard dog in my computer???

“The Intern’s” Understanding vPro: Chapter 2-What is it used for/ why should I use it?

Altiris and Intel vPro Use Cases - Part 5 - Tightening AMT Security

joelsmith — Mon, 11 Aug 2008 16:01:21 GMT

NOTE: If you have not read parts 1 through 4, please read these before reading this part as this is a continuation of the story begun in the previous sections. Altiris and Intel vPro Use Cases

Learning from previous mistakes, CSO Dan Williams discusses what they can do to better secure the powerful AMT functionality. Since the human factor is the biggest weakness, what can they do to strengthen this? Obviously they can't remove it altogether; might as well shut the company down. In Intel vPro the human factor can be minimized due to available strong security technologies. AMT can be made more secure, but the continuing threats are emphasized when a computer is hijacked. What can be done to regain control?

Mighty Modern Marketing HQ - Boston, Massachusetts

Bright sunlight filtered through the distant windows , overshadowing the bland fluorescent lights lit above. Jessica Langley watched the distant pedestrians seen in a narrow view near the street moving past with varying degrees of enthusiasm. The hot summer held to the south temporarily by a low pressure that brought in the cool Atlantic breezes. She imagined being able to hear the conversations of those passing, wondering what they spoke of, and if any of them had as crazy a life as her.

"Ah, this is the life," Tevita said as he leaned back. He placed his hands behind his head and stretched out his legs, pushing his office chair as far back as possible. With what looked like a deliberately casual gesture he tossed his headset onto his desk.

"You should be worried," Jessica commented dryly.

"Worried? Why?"

Jessica gestured sharply at her phone. "No one can call us with the phones down, so our work is just piling up while we sit here."

"Hey, we have our mobile phones. If it's not important enough for them to look up our numbers, then why worry about it?"

"You know that's not how it'll happen. As soon as the phones get up... WHAM! We're here until the sun drops below the trees in the west."

Tevita's smile lessened, but only a little. "They've been down for two hours. Perhaps they'll be down all day, and we can leave early."

"Right."

The Tongan shrugged, and Jessica briefly envied his ability to shove aside problems when they weren't directly in front of him. He could have two amazingly nasty issues to work on, and he'd easily concentrate on one at a time as if the other issue didn't exist. She wished she could compartmentalize in that manner, but when she had two critical issues to work on they hung over her like a dark shroud. Usually the one she wasn't currently working pressed down as if to accuse her of negligence, but she couldn't do two things at once. It wasn't like knitting while watching TV.

Like now, when she knew issues piled up while their phones remained down. She reached down and pulled up her mobile phone in case she'd missed an incoming call, but nothing showed. She sighed, standing up and stretching. Tevita frowned at her.

"You aren't going to bug the phone people again, are you?" he asked, as if accusing her of turning him in for some crime.

"No," she said. "Daniel Williams wanted to talk to me today so I'm heading up to his office."

"Good. Don't mention the phone issue to the CSO..."

She rolled his eyes at him, but he only smiled, large hands moving deftly across the keyboard. Without phone call interruptions Tevita would clear out the email queue in no time.

She took the stairs, hoping to work off the donut she'd eaten earlier that morning. It seemed no matter how resolute she thought she was to eat healthier, as soon as someone brought in free goodies her willpower vanished and she indulged. She doubted the climb from the first floor to the third made any real difference, but at least her husband wouldn't get on her case about taking the elevator when she had two perfectly working legs.

The door to Daniels office sat closed, and she peeked into the glass valance to the side. Daniel stared at his computer screen, his brows drawn low. He didn't touch the keyboard and mouse, eyes moving across his monitor as if trying to puzzle something out. He just reached for the mouse when she knocked quietly on the window.

He turned, a smile easing his expression. He waved her in, and she quickly hurried through the door."

"You wanted to see me?" she inquired.

"Yes, please sit down," he said, gesturing to one of the empty chairs across his desk. She sat while he turned back to his computer.

"Please watch," he said as he launched Internet Explorer. "I'm going to talk you through what I'm doing, and I don't want you to interrupt until I'm done. Okay?"
Jessica felt a twinge of uneasiness stiffen her spine. "Of course," she responded, trying to instill confidence in her voice. "What are you doing?"

He only smiled. "First, I've discovered what password I can use to access AMT on all our vPro enabled computers..."

She stood up. "What...?"

He held up his hand, not unkindly. "Please humor me."

She sat back down, her unease blooming. She clasped her hands in her lap so she wouldn't fidget, usually in the form of smoothing down her already crisp and wrinkle-free dress jacket. She couldn't sit completely still, and found herself tapping her toe. Fortunately the carpet, however uninviting bland, muffled the sound.

"Okay," Daniel continued. "I don't have access to Altiris though I have tried to gain it, unofficially of course."

"Of course," she said, and quickly clamped her teeth together before she asked another question.

Daniel continued, "In light of that I've done some Googling and found that AMT has a web-interface that anyone can access using a browser. I haven't figured out how yet, but I don't think it'll take me long. Let's see... how to access AMT via a browser... This first hit talks about someone who is unable to access it."

Url: (http://softwarecommunity.intel.com/isn/Community/en-US/forums/thread/30249624.aspx).

"Ah, in his post he says, "When I try to access the Web Interface (localhost:16992 or name:16992)... that means I can access my test in the same manner. Let's watch."

Jessica bit her lip to keep from saying anything, determined to keep quiet until he'd finished his demonstration. She really wanted to ask him how he acquired the password, but she supposed she should wait until he validated that claim first. Plus, he'd asked her to keep quiet, and she didn't want the CSO annoyed with her.

Daniel clicked on the address bar, deleting the current address. He then typed in MMMAMT0043:16992 in the address bar. When he hit Enter the page refreshed, showing him the initial AMT login screen. He clicked the ‘Log On' button, which provided a standard Windows security prompt. He entered in Admin as the username, and then typed in a password. Jessica's stomach dropped. She didn't see exactly what he put it, but it did look like he put in the right password.

The Intel Active Management Technology web interface appeared, giving Daniel full access to the system. Jessica reached up and rubbed at her eyes.

"Please tell me you simply asked Tevita for it," she said when he turned to her.

"No, but no need for you or Tevita to worry about that," he said with what Jessica assumed was a reassuring smile. It didn't help. "I believe I used the same methods our traitorous employee working in cahoots with Nifty Networks used to gain these powerful credentials. I'll be conducting security training for our employees soon to try and plug that method."

"So how did you do it?"

Daniel nodded. "Good question, but the better question I'm posing to you is this: how can we better secure the AMT technology? See here under Remote Control? I can remotely reboot this person's system and boot it up into an application I can use to wreak havoc. Nifty, no?"

She swallowed hard. "No, not nifty."

"Good. You see the issue. I'm tempted to not tell you how I did it. Mystery lends me an air of the supernatural, or at least my uber-geekness. Why reveal how? That's like a magician revealing his secrets. Once the how is known, it isn't so magical anymore. Okay, so I'm taking far too much pleasure out of this. I simply watched you and Tevita closely and caught you entering the password. It took several tries before I finally got it right."

The beginning of a migraine colored Jessica's vision. "Great. I thought we had that password locked down..."

"As I said before, don't worry about it. Everyone is too trusting when entering passwords. I'll address that in our upcoming security meeting. What I want to discuss is how we can rectify this situation? Specifically I want to remedy the fact that anyone who does a smidgen of research will know that the administrative username for AMT is admin. We've handed any potential hacker one half of the credential equation."

Jessica nodded. "Yes, I see your point. Luckily I already know how to fix that. It's as simple as making the admin password random on each system and using Kerberos to use our Domain credentials for access."

"Good. The second point is I noticed that I can use a non-secure web address to access this. Can you get SSL enabled for all AMT communication?"

Jessica nodded again. "Yes, specifically AMT uses TLC, the successor to SSL. I believe I saw an article on how to enable that on Symantec Juice."

"Even better. Get those measures in place, and let me know when it's completed."

She nodded, shaking his hand when he offered it. She left his office and headed back down, taking the stairs despite the throbbing in her head. When she reached her cube she noted that Tevita had his headset on, his previous smile absent from his face. She gave him a grin when he glanced over, and this time he rolled his eyes. She should get onto the phones, but she wanted to get those changes implemented as soon as possible so that even Daniel couldn't crack the system... as long as Tevita and she carefully entered their passwords so others couldn't eyeball them.

She sat down and pulled up the Altiris Console. Both of her actions required a new vPro Profile to be pushed down to all the AMT systems, but that was the easy part. She started by enabling TLS on the server. Until she pushed down the new profile the AMT functions would not work. She leaned over to Tevita, and he glanced at her as she rolled closer in her chair.

"AMT will be available for a time," she said.

Tevita reached up and muted his headset. "Why?"

"I'm enabling TLS. You know, encryption. When I enable it on the server side the clients will not be able to communicate back with the server until I update the profile and they have the right certificates."

He shivered. "Is that such a good idea? Certificates are tricky... we could easily mess up the whole thing and have no AMT access..."

"Tevita, it isn't that complicated. I have all the Altiris documentation on how to do it. Besides, there's a specific article on how to do it after the installation, here: http://juice.altiris.com/article/2737/how-enable-tls-within-out-band-management-after-install. Piece of cake."

"If you say so..."

"Trust me. If we had a hierarchal structure of certificate authorities, it might get a bit dodgy, but I'm just setting up the one root."

"Yeah, and the flux capacitor needs just such and such gigawatts of power..."

"Just read up on it! It's not that hard."

Tevita spoke for a moment into his headset, and took it off. "I don't know anyone who understands it all that well."

She planted her hands on her hips. "It's really simple. We give the root CA, aka the King, the credentials that are acceptable. Secondly, the Altiris server gets the credentials so it can work with the CA and the clients. We then load the matching credentials on the clients via the Provisioning Profile. Now everyone has the credentials."
He smiled. "What about client-side and server-side certificates?"

"Again, simple. Communication is unidirectional for a given parent/child certificate set. With basic TLS in vPro, all the clients have server certificates. The Altiris Server uses a client certificate to authenticate with the client so that the client machine will accept the AMT commands sent it."

"Alright. That sounds simple enough, but what about the CA? What's that for?"

Jessica looked at him, her eyes narrowing. "What's with the third degree? 'Tell me Master Qui-Gon. What are midichlorians'?"

Tevita burst out laughing. "Am I that transparent? I didn't know you liked Starwars..."

"I don't. Like that movie quote, your questions are contrived..."

"Hehe, yeah. I'm just trying to prove a point. It's not that simple..."

"But it isn't that complex, either. The CA tells the server-side component (the AMT Client) if the client connection (from the Altiris Server) is to be trusted. I know having the AMT clients act as the server seems a bit backwards, but since we want AMT functionality to be secure, it makes sense. The Altiris Server that tells AMT what to do needs to prove itself. This ensures a rogue server can't just initiate any AMT functionality without having the proper certificate. So the server provides a client certificate, which the AMT system authenticates with the CA before allowing the Altiris Server ‘in'."

"Okay, okay. That sounds simple enough. I'll be sure to avoid AMT until next week when you get TLS finally working... kidding! Take it easy, I'm just joking."

She wanted to keep the stern look on her face, but a smile cracked through. "You just watch it, Mister."

Jessica turned her attention back to the Altiris Console. She opened up a browser on her second monitor and pulled up the Juice article she'd shown Tevita. She walked through the steps, sometimes checking back on the Altiris Administrator's Guide for Out of Band Management, found at http://www.altiris.com/Support/Documentation.aspx. She finished the processes except for updating the profile since she needed to also update the Admin password settings.

She browsed in the Altiris Console under View, Solutions, Out of Band Management, Configuration, Provisioning, Configuration Service Settings, and clicked on Provision Profiles. She highlighted her active profile and clicked the pencil icon in the icon bar to edit it. Under the General tab, to the right of the window, she changed the Intel® AMT 2.0 password: setting from Manual to Random creation. She then clicked on the TLS tab and, using the previous directions, enabled TLS within the profile.

She sat back as she clicked OK. Now that the Altiris Server was setup properly, she needed to push the new profile out. From her place in the console she backed up into the Provisioning folder, and then expanded the Intel AMT Systems folder and highlighted the Intel AMT Systems node. All Intel AMT Systems showed within the right pane. She clicked on the top one, scrolled down, and, while holding shift, clicked on the bottom one. She right-clicked and selected the ‘reprovision' option.

With a sly smile she glanced over at Tevita. He wore his headset again, though he looked less stressed than before. She rolled over and wrote on his whiteboard "AMT back up in a few hours". For the time being they could rely on the Runtime Profile for authentication. Since Altiris knew all the random passwords for the Admin account, via Altiris they should have no problems with security. However she needed to quickly implement AD integration with Kerberos authentication just in case.

She got up to take a quick break. She stretched, looking out over the cubes. She froze in mid stretch for a moment, before quickly pulling down her arms, her eyes widening. Two men in blue jumpsuits walked nonchalantly through the building, one holding a sheaf of what looked like generic forms and the other with a nondescript box. Despite their "non"-threatening postures, something about them bothered her. At first she simply watched them, trying to figure it out.

The man in front emanated confidence like a shiny sword and shield, his smile infectious and full of perfectly white and straight teeth. His strong features seemed chiseled from brilliant marble, as if he'd been carved amid the statues of Rome. Not one of the rich brown hairs on his head stood out of place, his hazel eyes roving over the office as if memorizing all the details. He didn't act suspicious, but his very manner belied the blue-collar worker outfit he wore.

Right behind him strode the other man. He wore a beard, a hat pulled low over his eyes. She squinted, hunching down a little so she didn't rise so high above the cube walls. He carried the box, his muscles tensed. He walked jerkily, each step seeming just a little unsteady. Sweat beaded on what little she could see of his forehead.

"Tevita," she whispered. "Does that guy look familiar to you?"

He appeared beside her. "Who? Those two delivery guys?"

"Yes. The one carrying the box."

Tevita turned to stare at her. "It's the ninja!"

She shook her head, though the sudden clenching in her stomach belied the action. "No way, he's in jail, right?"

"Probably not. He didn't threaten anyone or do any actual damage, and the price of the hard drives he tried to steal doesn't equal enough to be a felony, especially since he claims he was only after the hardware..."

"But why come back here? We know who he is..."

He just shrugged. "Maybe he's turning a new leaf..."

She gestured at the other man just as they disappeared into the stairwell. "Maybe, but that other guy gives me the creeps. I wouldn't be surprised if his name happens to be Lex Luther."

Tevita nodded. "Let's follow them."

She shook her head. "No way! Let's just call security and let them deal with it."

The Tongan only shook his head slowly. "The security company might be too slow to respond. Heck, they took forever to show up when our ninja friend showed up the first time. You go tell Bobby and I'll shadow these two shifty guys."

Before she could respond he hurried away, surprisingly quiet for his bulky, muscled size. She clenched her teeth together, torn by indecision for a few precious seconds. She then turned and hurried towards the server rooms, hopping Tevita wouldn't get himself into too much trouble.

END Part 5

This concludes Part 5. This cliff-hanger will be continued in an even more unbelievable conclusion, Part 6. Now that the competitor has breached the office once again, can Might Modern Marketing's IT staff protect their infrastructure, data, and themselves from this all out attack?

Things I wish I knew BEFORE I installed SCE (System Center Essentials)

ntrent — Wed, 06 Aug 2008 15:47:36 GMT

I have had the pleasure of working at Intel on a high school internship at the Folsom, California site. One of my many exciting tasks has been to install Microsoft System Center Essentials 2007 and connect these to some lab machines for customer demonstration purposes (if you're visiting the Folsom site you should let me know so you can come and check it out). I must say that it was far easier to setup and use than I originally thought before I started the task...nevertheless, I have taken some notes about things I wish I would have known before I started this task. One side note, System Center Essentials is often used as the acronym SCE - which is pronounced like the ski, a concept that in the middle of August sounds great in Folsom (100 degree Fahrenheit weather around here)...

Here are my items:
1) Per domain SCE setup: I found that I needed to join the machines that I wanted to connect to my SCE box together on the same domain. Knowing this in advance would have saved me some troubleshooting time.
2) Learning to create a domain and add the machines to it was another step I had to overcome (I mentioned I am a high school intern, so some of this enterprise stuff is new to me).
3) After a clean OS install, learning where to find all the device drivers and have the installed is pretty important...otherwise your box will not communicate to the server.
4) The number of install options are vast, and each has a profound impact on the outcome of the setup. It is not as simple as clicking next, next, next, and finish. Knowing if you want to install the full server, just the AMT management pack and other such options before you do the setup will save you tons of time after the setup (or at least a uninstall and reinstall).
5) Know your server environment. Are you running Windows Server 2003 or 2008, are you running on a 32 or 64 bit version? If you don't check the system requirements up front, you will most likely download the wrong version.

Once this was done, the box works stellar - I can troubleshoot the problems on these systems, simplify management tasks, and manage multiple systems with a few clicks - I am the head honcho of these boxes. Now I wonder if my boss Josh Hilliker will send me off to experience real skiing as my summer is near complete.

Hopefully the sharing of my experience can help you during your setup. If you have any additional questions or comments, please respond with them to this blog and I will do my best to answer them.

-Nicole Trent

The Intern’s Understanding Centrino 2- Oh new and shiny!

Sophia.Stalliviere — Tue, 05 Aug 2008 14:17:00 GMT

Now that Centrino2 with vPro is coming out, amongst the new features that it will carry is Client Initiated Remote Access (CIRA). I thought to myself "what is this?" My internet digging, tells me that it is a way for the server to communicate to the client via AMT, offsite through a Management Presence Server (MPS). When a user initiates a CIRA request to their MPS, then the MPS is able to reach the client, passing through Virtual Private Networks (VPN). Then it will be able to go through the same AMT communication channels as any Pro system that is on the local network. On the laptop that is wireless that notebook can be anywhere as long as it's plugged in to power, and can connect to the VPN.

Josh Hilliker did a blog about a month ago, and it has a great diagram showing everything I have said. Centrino 2 - Digging in deeper into CIRA

Another great video to look at is the Intel Centrino2: C.T. Phone Home video.

Sleep state manageability is another feature that Centrino2 will carry. It will be able to turn on and off the notebook remotely without it being turned on but it does still need to be in the VPN. The device needs to be plugged in; it can't be running on the battery for this to work. You wouldn't want to try to turn on your computer and find out it's dead because all of the battery power is taken up trying to update your licenses or fixing any problems. The Centrino2 has energy saving features the notebook is using less energy with this new feature, and it is enabled at the times that make sense to your battery.

One feature that people will notice is the clear video technology so items like Hulu.com will look so much better. In addition, it will have more of graphics usage so you wouldn't have to purchase more graphics cards. It will look so good you will want to put your hands all over it!

Now I will not have to look like this when my laptop is on freak out mode. I can just call up IT and they can take care of it!

And if you want to know more go to the Intel Developer Forum Aug 19-21, 2008 in San Francisco. I will be there with my blogging skills!!

SMB Talk has gone live! Check out this sub zone now!

Kelsey_Witherow — Mon, 04 Aug 2008 23:55:59 GMT

I'd like to announce the Expert Center's newest edition...SMB Talk

Are you a small or medium sized business? Have vPro? Want vPro? Then you should see this brand new sub zone of the vPro Expert Center. This site is dedicated to the discussion of Small and Medium Businesses & Intel vPro Technology. You can expect to see great tools, helpful tips, solutions, some best known methods and Service Provider information. Feel free to take a look around and join this new community of SMBs and MSPs.

Understanding vPro- Chapter 5: Enhanced Maintenance (I just want to wrap a big hug around AMT!!)

Sophia.Stalliviere — Fri, 01 Aug 2008 00:00:39 GMT

I had the pleasure of sitting in on a presentation that Josh Hilliker and Todd Christ for some clients this last week about vPro. As I was sitting there, it dawned on me I didn't realize how good the maintenance is. It really came to me because of Josh's passion and Todd's Knowledge drove it home during this presentation.

The chipset has a lot to do with it. Active Management Technology (AMT) is the featured product. I know I have mentioned a lot about AMT but I never really dove into this subject. It is such a vital part of vPro. This little chipset makes sure that the Operating System (OS) is not jeopardized by outside sources. No matter what state the OS is in, AMT will go in and protect it. AMT would tell the server that its needs help then IT would "cut" most of the connection to only enough to communicate remotely between the server and the client. To make this user friendly on the sever side IDE-Redirection (IDE-R) and Serial over LAN (SOL) are there to help the operator with remotely diagnosing and repairing client systems. To go further on how it has been done Brad Lund did a blog called Using SOL/IDE-R to Diagnose and Repair vPro Clients on the vPro expert center site.

AMT is a force of nature in the chip world. Not only does it help with the protection of the hardware it also makes sure the hardware is up to date, nothing is wrong with it, if there was a problem with it then it would let the server know about it. All of the points are below which tells its main benefits. The name and link is Intel® Active Management Technology.

Features and Benefits

Intel® Active Management Technology (Intel® AMT)

Out-of-band system access	Discover. With built-in manageability, Intel AMT allows IT to discover assets even while PCs are powered off.¹ Plus, remote consoles don't rely on local software agents, helping to avoid accidental data loss.
Remote trouble-shooting and recovery	Diagnose. Providing out-of-band management capabilities, Intel AMT allows IT to remotely isolate and recover systems after OS failures while alerting and event logging helps reduce downtime.
Hardware-based agent presence checking	Verify. Ensuring better protection for your enterprise, hardware-based agent presence checking proactively detects that software agents are running while missing agents are automatically detected and alerts are sent to the management console.
Proactive alerting	Isolate. Proactively blocking incoming threats, Intel AMT System Defense contains infected clients before they impact the network while alerting IT when critical software agents are removed.
Remote hardware and software asset tracking	Update. Helping to keep software and virus protection up-to-date across the enterprise, Intel AMT also enable third-party software to store version numbers or policy data in non-volatile memory for off-hours retrieval or updates.

For a business, this is solid reasoning to insure that your information isn't going to be destroyed. That could cost a company millions in time and money if the information is gone. Think for a moment that I was sitting here, writing on a blog and suddenly my computer caught a virus. With out this featured product to protect my computer from hazards then all my work would be gone. That would make for a very unhappy intern. Computers just might fly through the air. Ahhh, but the pleasure of having such a luxury like vPro makes life so much better. I wouldn't have to worry about my work being gone. And I wouldn't feel bad because I wouldn't get anybody else infected with that pesky virus.

There was another thought in all of this, I am really bad at keeping up to date on my hardware and software. Even if it give me the sign saying that I need to update my items, I tend to either ignore them or I just plain forget them (of course I check all the time on my work computer, J). It would be even better for employees and me to have our computers update while we are not at our computers. While the employees are gone, IT can set up a script for vPro to check all of the points and update the licenses, then shut down the computer once again (or restart the computers; however, the company would like to do it). When the employees come back, everything would be as if they never left. That would save companies a lot alone because they are getting more productivity time.

This little piece of equipment is so vital to the pulse of vPro. The three words that come best that I found through my research is that AMT "Discovers, heals, and protects".

Don't forget! BlogTalkRadio is live on Monday, 8/4!

Kelsey_Witherow — Thu, 31 Jul 2008 22:45:25 GMT

Listen in as your hosts talk with Dave McCray, Intel's IT Program Manager. Intel IT is a leader in the activation and use of AMT. They have activated & provisioned over 10k machines - hear how they did it, why they are doing it & how to make your integration better based on Intel IT's best known methods. Also get a scoop on what you'll find in the coming year.
Date/Time: 8/4/2008 3:30PM
Call-In Number: (347) 326-9831
You can also visit Open Port Radio or Stream this Show Online

UNTIL THEN...Be sure to download our prior segments of the show. You can find them on iTunes by searching for "Intel vPro" or on the Open Port Radio site,http://www.blogtalkradio.com/openport. Thanks for listening!

The Intern's vPro's hand's on experience (Finally!!)

Sophia.Stalliviere — Thu, 31 Jul 2008 15:47:12 GMT

I got to enjoy a hand's on experience with vPro this morning, I got tired of just reading everything. Another intern, Nick Molina showed me some capabilities that I have only read in whitepapers and postings from vPro experts. I am not sure on how you like to learn, but one of the best ways for me to learn is to see the product in action. Plus I didn't really understand it until it was put in front of me.

Nick was able to show me different remote capabilities, how the server is able to power on and off the client computers, and how to read the hardware from the client computer through the server. He also showed me how you can apply filters to the network interface that would cut out any outside source (e.g. through the WLAN) that would put the client and/or server in harm.

To be able to see this better you should see this YouTube video which shows the same thing as what I was learning from Nick. It's a bit shorter than what I have experienced, but it gives you the same idea. Watching this, and after reading my blogs of course, it gives you a better understanding of what vPro can do.

Intel vPro Technology integration w/Symantec Backup&Restore

Chapter 4 should be coming soon. It will be on trusted environments. Stay tuned!!

Understanding vPro: Chapter 1- What is it?

Understanding vPro: Chapter 2-What is it used for/ why should I use it

Understanding vPro: Chapter 3- Proactive Security- Does it have a tiny guard dog???

Using SOL/IDE-R to Diagnose and Repair vPRO Clients

blund — Tue, 29 Jul 2008 20:39:04 GMT

My name is Brad Lund; I work in the Enterprise End User Integration Lab (EIL) as a Senior Systems Engineer. This article is the first in a series of blogs I plan to deliver describing how, with the aid of some very useful tools, we can use IDE Redirection (IDE-R) and Serial over LAN (SOL) to provide the console operator with a more user friendly approach to remotely diagnosing and repairing client systems.

SOL is a great technology that has been around for a number of years. It is generally used in data centers for taking control of a computer in order to make changes to its BIOS. Since output from BIOS is by nature "pure text", SOL, whose interface is based on VT-100 terminal emulation, works fine. But what if the problem requires the console operator to interact with the client in a manner that dictates a graphic interface be present to load and run diagnostic applications?

Since the Enterprise Integration Lab are End User focused, we have had several customers ask us how they could leverage this Usage Scenario to take control of an AMT client while providing the operator with a more intuitive and useful interface. Additionally, every one of the End Users we interact with has a set of tools they use to perform diagnostics and repair. But if the client system is out-of-band, meaning no O/S present, it is NOT a BIOS related issue and the diagnostic tools require the operator to have a graphic view of the client system, how can we deliver on this request?

This series of blogs will attempt to show various ways to address these questions and more. I will start this blog series with the client residing inside the Enterprise using AMT to contact the console operator and utilizing very basic tools - take control. Upcoming blogs will show how to do this for clients residing outside the Enterprise (in the internet cloud) using Client Initiated Remote Access (CIRA) to contact the console via of a Management Presence Server in the DMZ and more robust tools - very cool!

So let's get on with it shall we?

The Tool Set

For this first installment I am using AMT Commander from the AMT DTK to initiate a client connection and perform console redirection (IDE-R). The client platform is Montevina (AMT v4.0). I will also push a Pre-installation Environment (PE) down the wire to boot the client into a graphic environment; either WinPE 2.0 or BartPE can be used. Whichever the choice, the greatest thing about a PE is its ability to be customized. You can build a PE to include not only the necessary drivers to bring a system up, but also all the required software for a technician to truly diagnose and practically correct any problem. A full explanation of PE's is beyond the scope of this blog but easily searchable via your favorite search engine. Lastly, to complete the process I will use UltraVNC, a publicly available application that gives the console operator the ability to view the remote client screen; graphically!

The Scenario

In this setting we have a client system where the O/S fails to boot-up (see Figure 1 - left image). This could happen if the client did something to their system which caused the registry to become unreadable by the O/S. Or perhaps the owner of the system accidentally deleted a critical file(s) required by the O/S to boot properly. In any case, the client calls their support center and is walked thru the required steps to perform BIOS initiated AMT. Once initiated, the console operator can then connect to the client; Figure 1 - right image.

Figure 1: Remote client screen on left - Console operator screen on right

After connecting to the client, the console operator opens the SOL/IDE-R mapping interface and assigns the appropriate .iso images for Floppy and CD-R redirection (see Figure 2 - left image). Note: You must assign both a Floppy and a CD image for SOL/IDE-R to operate properly. Also, while you can use IDE devices physically attached to the console system, working with .iso images are faster and more flexible.

Figure 2: Point device mapping to .iso images, start SOL/IDE-R, take control of client system.

The next step after starting redirection is to take control of the remote client as shown in Figure 2 - right image and indicate which image to boot from. In this case since we have our PE stored as a CD-R .iso image we tell it to "Remote Reboot to Redirected CD" Figure 3.

Figure 3: Remote reboot to CD-R image

At this point the client system has started a reboot and loading the PE image from the console. However, because we are using SOL the console operator can only see the "text" generated information. Notice the screen in the foreground of Figure 3 titled "PuTTY", this is the SOL interface and portrays only the "please wait" line from the boot loader; not very intuitive or useful. As a result the console operator will have to ask the client to inform them when the PE has finished loading on their system (see Figure 4).

Figure 4: Client system completed boot to PE and ready for remote control

Here is where the fun begins. After the PE loads onto the client system, the console operator starts UltraVNC; pointing it to the client, Figure 5 - left image. Part of the PE build includes the necessary network drivers to give this system an IP stack so it can be accessed via UltraVNC Once UltraVNC connects it opens a graphic window where we can actually see and control the client as though we are sitting at their machine, Figure 5 - right image. Again, we are using the SOL interface to show us text information and the TCP/IP protocol to allow UltraVNC to connect an OOB client - pretty cool huh?

Figure 5: UltraVNC to display client screen on console operator system

From here we can invoke a whole series of commands and view the results in real-time. In the example shown in Figure 5 - right image, I am running regedit - OK I realize it is showing the PE registry but with the right tools we can load and analyze the client registry or any other application and/or device.

Remember I said the beauty of PE's lie in their ability to be customized? If your shop use specific diagnostic tools you can include them into the PE at build time and use them here by simply clicking on the orange "GO" button (different PE's have different ways to access applications).

What I have shown here is the ability to use some very rudimentary protocols along with widely available tools to perform very powerful diagnostic and repair functions on a broken client. Keep in mind however this is only one of many ways to achieve this capability. In fact, this particular example can take a fair amount of time to load depending on network traffic and size of .iso image. But it is much better than the down time required to bring the remote system into the support center.

EIL are constantly finding solutions to answer the hard questions for our End Users. In upcoming blogs I plan to show similar capabilities using different techniques to minimize load times while maximizing efficiency. I hope you found this blog useful if you have any questions please feel free to ask. See you soon...

Understanding vPro: Chapter 4 vPro: What is with this trusted environment?

Sophia.Stalliviere — Fri, 25 Jul 2008 16:34:43 GMT

Since the previous blog was Proactive Security I feel it is only suiting to discuss the trusted environment. What the trusted environment comes down to is the hardware. Even though trusted environments are virtual, the hardware is needed to feed out any of the potential problems that can occur. Items such as viruses and hackers that can take over the PC and destroy any information we have on there, vPro will be able to, as I said in previous blog, weed out any problems. This is so cool, just think about it, it would be like a six foot, hammering crazy man, finding problems and taking care of them with his deadly hammers. (If I was a bug, I would be scared!)

This trusted environment is very much an issue in today's world. With vPro technology, it will help reduce this vulnerability. The trusted execution technology (TXT) is a new technology that helps within the virtualized computing environments. It will help on getting less software issues to come up. How this works is the TXT work with the virtualization technology for Directed I/O, the hardware will protect or isolate assigned memory to make the virtual machine less prone to attacks.

I came across a case study in my research: a huge hospital by the name of Nottingham University Hospitals (NHS) that has two different primary sites that are 30 min apart. With 6,000 desktops that are there imagine how much they would spend in IT alone. Once this was implemented in the two primary sites, it takes them only 10 minutes to deal with support calls, which would even mean when the client is powered down, instead of two hours. If you would like to read more about this case study go to The Future of IT Support.

Where else would you want a trusted environment to happen? Make sure nobody can get your personal information that you do not want to, but when other physicians and/or staff that need to get to your records, they are able to. If that computer that has all your information is not working properly then other problems can occur and it would be a domino effect. vPro will be able to let the server have access this information and plug it into another client.

Let us look beyond this; how about Financial institutes'? They have a lot of personal information there. If the clients went down at a branch, a main server can come in and fix most software problems from a main site. Less desk side service would mean more money that would be distributed. I like more money also I like having reliability in an area that is holding my money. For some reason I like to retrieve what I put in. Stock markets have many people with computers, which would mean that there could be potential problems. If that happens instead of trying to figure out where that person is, they can fix the problem remotely. The main server that IT works on would make sure that all of the clients are protected from harmful outside sources.

See now don't you wish you always had a big guy with hammers to destroy anything bad!!

Understanding vPro: Chapter 1- What is it?

Understanding vPro: Chapter 2-What is it used for/ why should I use it

Understanding vPro: Chapter 3- Proactive Security- Does it have a tiny guard dog???