On Sept 2nd at 8am PDT, I'll be hosting a Symantec\vPro webinar. Register at -

https://www2.gotomeeting.com/register/947074427

The webinar is open to anyone. It will provide insight into the compelling features and capabilities of Symantec\vPro – emphasis will be on Endpoint Management, with references to BESR, pcAnywhere, SEP (anti-virus), and related Endpoint Management tools in connection with vPro.

The webinar content is a subset of the materials\discussions\demonstrations that occurred this week with the worldwide Symantec technical sales teams.

To register for the webinar, please use the following link https://www2.gotomeeting.com/register/947074427

The webinar will be recorded and posted to the Intel vPro Expert Center.

Looking forward to having you join.

Monday, September 14, 2009

Airport city – Avenue ballroom

Have you ever faced the “blue screen of death”? Have you ever watched your laptop or PC get stuck, when the only solution is to reboot and lose all your data? Want to know how you can save power, save money and move towards “Greener IT”? Wondering how you can protect your valuable data after a laptop is stolen?

Then this conference is for you!

What is Intel® vPro™ Technology?

Laptop and desktop PCs with Intel® vPro™ technology enable IT to take advantage of hardware-assisted security and manageability capabilities that enhance their ability to maintain, manage, and protect their business PCs.

Platform and Services on the same package

Learn about Intel Service-oriented Technology coupled with our Silicon, Firmware and drivers. Hear more about Intel’s new concept Platform Extension Service (PES) – “Driver in the cloud”. Enjoy new services through ISV and Outsourced Service Providers, Intel Resellers, Retail and Telcos.

Intel® Upgrade Service (IUS): Flexibility to add additional features to a PC after purchase via remote upgrade. Intel’s Manageability Engine (ME) provides a unique opportunity to “sell up” from a low-end system to a flexible, upgradeable system.

Intel® Remote PC Assist Technology (RPAT): Maintain or restore PC health by remotely servicing a desktop PC over the internet.

Provides Out-of-Band support over the internet at a low cost of entry.

Intel® Anti-Theft Technology: PC Protection (Intel® AT): Provides hardware-based client-side intelligence to secure your laptop if it is lost or stolen.

HW-based capabilities provide greater data security, privacy and higher tamper-resistance.

Target Audience:

  • IT integrators (Ness, Matrix, Malam etc)
  • Telcos (Bezeq International, One, 013)
  • Verticals:  IT industry leaders in Health, Academics, Army, government etc.
  • Israeli / regional ISVs

Partners:

Intel, Microsoft, Checkpoint, Avalon, SysAid, Support Space, Aternity, Malam team

OEMs – HP, Lenovo, Dell, Acer

PITA - Palestinian IT Association

About the speakers:

Daniel Hershkovitz – Israel Minister of Science and Technology. Professor of Mathematics (Technion).

David Tuhy - General Manager, Platform Products and Technical Marketing Division, Business Client Group, Digital Enterprise Group.

Robert Crooke - Vice president and General Manager of the Business Client Group (BCG). He is responsible for directing Intel's vision for delivering innovative business client solutions.

Yishai Fraenkel – Manager of the Israel SW design center in Jerusalem. Co-manager of the overall Client Component Group Firmware organization.

Sinai Bareket – GM Sales and Marketing group - Country manager Israel Greece and Cyprus.

Conference Agenda

Start   End     Day's agenda
8:00    9:00    Gathering and Registration
9:00    9:15    Opening words: Sinai Bareket
9:15    9:45    Intel's Digital office 5 years Vision – Rob Crooke
9:45    10:05   Future direction for Israeli hi-tech, Chief Scientist and Intel – Prof Daniel Hershkovitz (Minister of science and technology)
10:05   10:30   Intel’s Services adventure – David Tuhy
10:30   10:50   Life after death using… Intel's vPro – Yishai Frankel
10:50   11:05   Break - Refreshments & Networking - Sponsors HW and/or SW booths, Video Taping

Parallel tracks:
Track #1 - What can ISV offer for your vPro machine?
Track #2 - What's in it for the Enterprise, Service providers & Telcos?
Track #3 - vPro hands-on Lab Track

Start   End     Session (Track: title - speakers)
11:05   11:40   Track #1: vPro manageability: Microsoft SCCM and vPro + Win7 wireless + demo kit - Tamir Peleg + Avi Shitrit (MSFT)
                Track #2: vPro adoption at Intel IT - Gal Eylon
                Track #3: Round 1 - KVM, SOL/IDER repair, Sentry Peak - Your enhanced bank transactions - Itamar Sharoni / Eli Kuperman / Moshe Valency
11:45   12:20   Track #1: Forward looking - SDK Taste from the future - Green IT, KVM etc - Dan Alloun / Zvi Voldavsky
                Track #2: Customer testimonial - Bank Leumi - Leumi’s rep + Nadav Yedvab
12:20   13:15   Lunch & Networking - Sponsors HW and/or SW + Booth
13:15   13:50   Track #1: Avalon SW - Demo with vPro - Jonathan Maresky + Avalon Rep
                Track #2: Remote PC Assist Technology (RPAT) - Gilad Gitlin and Guy Itzhaki
                Track #3: Round 2 - KVM, SOL/IDER repair, Sentry Peak - Your enhanced bank transactions - Itamar Sharoni / Eli Kuperman / Moshe Valency
13:55   14:30   Track #1: vPro Security: Checkpoint Story + demo - Dori Eldar + Checkpoint speaker
                Track #2: Intel Anti-Theft solution - Michael Berger and Ofir Haun
14:30   14:45   Networking - Sponsors HW and/or SW + Booth
14:45   15:25   Tracks' Panel discussion – 10 Years vision – Cloud computing, Google’s new Chrome OS, Intel's Moblin and Intel’s vPro. How will these play along? (with participation of MSFT, Google, PITA, and G.HO.S.T)
                Yehuda Konfrtes – Host, Rob Crooke (Intel), Noam Nissan (Google), TBD (MSFT), Zvi Schreiber (GHOST)
                Q & A with the audience
15:25   15:45   Biz cards Raffle: Netbook Prize + Day summary

With Intel vPro Technology allowing for improved remote management via reliable power-on, boot redirection, and so forth, using the technology in a day-to-day environment might reveal some unexpected behaviors.

The unexpected behaviors are not necessarily the technology, but how the technology is used.

Outside of Intel vPro technology, how responsive is an IT infrastructure during the morning hours? Consider that workers are powering on systems, logging in, getting email downloads, opening intranet sites\applications, etc. From an IT infrastructure perspective, there will be a noticeable uptake in system\infrastructure resources as logon requests are processed, web pages are served up, etc. It's like the morning commute where you and a few thousand others are trying to get onto the highway... (and for those out there that enjoy working from home, you're not isolated. The IT infrastructure still has to handle the VPN connectivity, email downloads, etc.)

Well - Intel vPro technology is sometimes blamed for unexpected traffic or application responsiveness issues. For example, a collection of systems is scheduled to power on at 3am for patching\maintenance. Intel vPro technology will help in powering on the target collection of systems - be it a few hundred or a few thousand. The nature of the Intel vPro technology communications is unicast, and an authentication process, with possible encryption, has to happen for each one. If Kerberos authentication is needed, that means the management server utilizes Microsoft Active Directory Kerberos authentication to log in to the Intel vPro technology of each target system, followed by sending the desired commands. That whole communication cycle might be a few hundred KB of data on the network - relatively minimal. But when that traffic is replicated a few hundred or a few thousand times, once per session between the management server and each target client system, the load will be higher on the network and in the application queues.

Let's play out this scenario one step further. A collection of systems (again a few hundred or a few thousand, depending on your collection size\structure) is powering on with agents\services starting up, and some of those agents are attempting to authenticate and communicate on the network. It may be network authentication due to endpoint access control (i.e. 802.1x, NAC, NAP, etc). It may be a check-in and update sequence with an internal patching or security definition update server (i.e. McAfee), and so forth. What might be viewed as a flood of traffic on the network should not be blamed on Intel vPro technology... but on how the technology was utilized, and on how available the infrastructure was to handle the flood of requests.

Similarly, using Intel vPro technology to power off a collection of systems would be equivalent to pressing\holding the power button on all of the systems to force a hard shutoff. The power-on or power-off sequence via Intel vPro technology switches the power state directly between S0 (system on) and S5 (system off). For some applications or services this might cause corruption of file cache, logs, data, and so forth. A better approach would be to utilize a graceful power-off for a healthy operating system environment. This can be done via a WMI call, a management agent, a Windows script with a command like "shutdown -s -f -t 5", and so forth. Intel vPro technology talks directly to the hardware, is operating system agnostic, and was meant to be utilized in scenarios where the host operating system is unavailable or inoperable.
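As an added illustration (not code from the original post), the following Python models the two points above: the same total management traffic produces a very different peak depending on whether the whole collection is woken at once or in staggered batches, and a power-off should fall back to the AMT hard-off only when the OS is not reachable. The per-session size (~100 KB), the session length and the health-check input are assumptions.

```python
"""Model the wake-up burst of an AMT/vPro collection and the graceful-vs-hard power-off choice.
Added example; the per-session figures below are assumptions, not measurements from the post."""
from dataclasses import dataclass

KB = 1024


@dataclass(frozen=True)
class WakePlan:
    systems: int            # size of the collection being powered on
    bytes_per_session: int  # assumed unicast auth + command traffic per host (~100 KB per the post)
    session_seconds: int    # assumed time one management session occupies the network
    batch_size: int         # hosts woken together
    batch_interval_s: int   # seconds between batches (0 = everything at once)


def concurrency_timeline(plan):
    """Concurrent management sessions per second, from the first wake until the last session ends."""
    starts = [(i // plan.batch_size) * plan.batch_interval_s for i in range(plan.systems)]
    active = [0] * (max(starts) + plan.session_seconds)
    for s in starts:
        for t in range(s, s + plan.session_seconds):
            active[t] += 1
    return active


def peak_bits_per_second(plan):
    """Worst-second load, assuming each session spreads its bytes evenly over its lifetime."""
    return max(concurrency_timeline(plan)) * plan.bytes_per_session * 8 / plan.session_seconds


def total_bytes(plan):
    """Total traffic is the same however the wake is scheduled; only the peak changes."""
    return plan.systems * plan.bytes_per_session


def power_off_action(host, os_reachable):
    """Prefer a graceful OS shutdown; keep the AMT S0->S5 hard-off for hosts whose OS is not responding."""
    if os_reachable:
        return (host, "in-band", "shutdown -s -f -t 5")
    return (host, "out-of-band", "AMT power-off (S0 -> S5)")


def power_off_plan(health):
    """health: {hostname: os_reachable} from an agent/WMI probe; returns the per-host action list."""
    return [power_off_action(h, ok) for h, ok in sorted(health.items())]


if __name__ == "__main__":
    burst = WakePlan(2000, 100 * KB, 10, batch_size=2000, batch_interval_s=0)
    staggered = WakePlan(2000, 100 * KB, 10, batch_size=50, batch_interval_s=10)
    for label, plan in (("all at once", burst), ("staggered", staggered)):
        print(f"{label:12s} peak {peak_bits_per_second(plan) / 1e6:7.1f} Mbit/s, "
              f"window {len(concurrency_timeline(plan))} s, total {total_bytes(plan) // KB} KB")
    for host, how, cmd in power_off_plan({"pc-1": True, "pc-2": False}):
        print(f"{host}: {how}: {cmd}")
```

Shrinking the batch size or lengthening the interval trades a longer maintenance window for a lower peak; the total bytes never change.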

I went onsite to CA EDD a month back and talked w/ their IT team. Here's what they said about their upcoming integration and implementation of Intel vPro Technology.   We're headed back out soon to hear how it went and the challenges.   Meeting with Western Blue, EDD & HP teams was a great experience to see all groups at the table.   Symantec/Altiris has been a key partner in driving success through the integration.

Stay tuned for more info.

Microsoft System Center Configuration Manager can provision an AMT / vPro client in two different capacities: Bare Metal and Agent Initiated. Bare Metal provisioning begins with the AMT client sending a “hello packet” to the SCCM Out of Band Service Point; if the AMT client is approved and authorized to be provisioned, SCCM will initiate the provisioning process. Agent Initiated provisioning begins with the SCCM Client Agent pulling down the “Automatic Provisioning” policy from the SCCM Policy Server; if the SCCM Client Agent receives the policy, the Agent will negotiate a one-time password (OTP) with the AMT ME firmware and send the provisioning request along with the OTP to the Out of Band Service Point to begin the provisioning process.


Bare Metal / Hello Packet Initiated Provisioning
For Bare Metal provisioning to work properly on AMT / vPro Clients with firmware 2.x, there are a couple of prerequisites that must be met.


SCCM Server


AMT Client

  • An AMT firmware version that supports PKI provisioning with SCCM. For AMT 2.x Desktops and Laptops, you will want to ensure that you have a minimum of AMT Firmware 2.2.20 (Desktop) and 2.2.20 (Laptop). Note: For AMT Desktops with firmware 3.x, you will want to ensure that you have firmware 3.2.2 or above to meet the minimal requirements. AMT Laptops with firmware 4.x and Desktops with firmware 5.x have had the minimum requirements met from the initial firmware release.

SCCM Client Agent Initiated Provisioning
In addition to the prerequisites needed for Bare Metal provisioning, SCCM Agent Initiated provisioning requires a couple of additional items.


AMT Client

  • AMT ME / HECI Driver installed (available from your OEM driver website)
  • Execution of RNGSeedCreator.exe (download available from here: http://communities.intel.com/docs/DOC-3807). RNGSeedCreator.exe is an executable that is run on an AMT / vPro client with firmware version 2.x that has never been configured or provisioned; this utility generates a random number for the firmware to support the OTP used during the SCCM Agent Initiated Provisioning process. For SCCM PKI provisioning to complete successfully, the random number generation by RNGSeedCreator.exe must be completed prior to initiating provisioning via the SCCM Client Agent. Note: AMT / vPro clients with firmware version 3.x and higher do not need to have RNGSeedCreator.exe run prior to SCCM Agent Initiated provisioning.

If your AMT clients do not meet the minimal firmware version for PKI based provisioning (Bare Metal or Agent Initiated), you can use the software distribution capabilities within SCCM to remotely upgrade the AMT firmware and drivers; check out the following Blog / Video which walks you through creating this software package.  Similar to upgrading the AMT firmware with SCCM Software distribution, you can also use the same Software Distribution process to run the RNGSeedCreator.exe utility on your 2.2 (Desktop) and 2.6 clients.  If you wish to combine the firmware upgrade and RNGSeedCreator.exe execution into a single SCCM advertisement, you can construct a single task sequence that runs both the Firmware upgrade and RNGSeedCreator.exe software packages.  A guide on how to accomplish this has been included in the RNGSeedCreator download package.

Once the firmware has been upgraded to the minimal firmware version to support PKI provisioning and RNGSeedCreator.exe has been run, SCCM Agent Initiated provisioning can complete successfully on 2.2 and 2.6 clients.
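As an added example (not part of Matt Royer's post, and not an Intel or Microsoft tool), the Python below sorts an AMT client inventory into the SCCM software-distribution targets the prerequisites above imply: firmware upgrade, RNGSeedCreator.exe, or ready. The inventory is constructed and the function names are mine; the version thresholds are the ones stated in the post.

```python
"""Classify AMT clients against the SCCM PKI provisioning prerequisites. Added example;
the inventory is constructed sample data, not a real environment."""
from typing import NamedTuple

# Minimum firmware per major version, as stated in the post; 4.x and 5.x qualify from first release.
MIN_PKI_FIRMWARE = {2: (2, 2, 20), 3: (3, 2, 2), 4: (4, 0, 0), 5: (5, 0, 0)}


class Prereqs(NamedTuple):
    pki_capable: bool     # firmware meets the PKI provisioning minimum
    needs_upgrade: bool   # push the firmware upgrade package first
    needs_rng_seed: bool  # never-configured 2.x client: run RNGSeedCreator.exe before agent-initiated provisioning
    note: str


def parse_version(text):
    """'2.2.20' -> (2, 2, 20). Tuples compare numerically, so '2.2.3' is correctly older than
    '2.2.20'; a plain string comparison would get this backwards."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * max(0, 3 - len(parts))   # pad '4.0' to (4, 0, 0)


def check_prereqs(version, provisioned=False):
    """provisioned=True means the client was configured before, so no RNG seed is needed."""
    v = parse_version(version)
    major = v[0]
    if major not in MIN_PKI_FIRMWARE:
        return Prereqs(False, False, False,
                       f"AMT {version}: not covered by the listed prerequisites, review manually")
    minimum = MIN_PKI_FIRMWARE[major]
    needs_upgrade = v < minimum
    needs_seed = major == 2 and not provisioned
    if needs_upgrade:
        note = f"AMT {version}: upgrade firmware to at least {'.'.join(map(str, minimum))}"
    else:
        note = f"AMT {version}: meets the PKI provisioning minimum"
    return Prereqs(not needs_upgrade, needs_upgrade, needs_seed, note)


def plan_collections(inventory):
    """Group hosts into software-distribution targets. A 2.x host below the minimum lands in both
    'firmware_upgrade' and 'rng_seed', matching the combined task sequence the post describes.
    inventory: {hostname: (firmware_version, previously_provisioned)}"""
    plan = {"firmware_upgrade": [], "rng_seed": [], "ready": [], "review": []}
    for host, (version, provisioned) in sorted(inventory.items()):
        p = check_prereqs(version, provisioned)
        if not p.pki_capable and not p.needs_upgrade:
            plan["review"].append(host)
            continue
        if p.needs_upgrade:
            plan["firmware_upgrade"].append(host)
        if p.needs_rng_seed:
            plan["rng_seed"].append(host)
        if p.pki_capable and not p.needs_rng_seed:
            plan["ready"].append(host)
    return plan


# Constructed sample inventory: hostname -> (AMT firmware version, previously provisioned).
INVENTORY = {
    "desk-01": ("2.2.3", False),   # 2.x below minimum: upgrade, then seed
    "desk-02": ("2.2.20", False),  # meets minimum, still needs the seed
    "lap-03": ("2.6.30", True),    # 2.x already configured once: no seed needed
    "desk-04": ("3.1.5", False),   # 3.x below 3.2.2
    "desk-05": ("3.2.2", False),
    "lap-06": ("4.0.4", False),
    "desk-07": ("6.0.0", False),   # not covered by the post's table
}

if __name__ == "__main__":
    for target, hosts in plan_collections(INVENTORY).items():
        print(f"{target:17s} {', '.join(hosts) or '-'}")
```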


--Matt Royer

Hey everyone!

We hosted a great webinar this morning to provide the basics on Intel vPro technology. It was a very interactive session and we had Josh in the audience who piped up with some good comments AND some good humor. :-D We referred to quite a few helpful resources in the webinar, which I e-mailed to all of the registrants afterwards. If you missed my email, here are the links:

Webinar Recording

If you missed the live event, you can now watch the recording!

http://vproexpert.com/E24VZ/Training/Intro_to_Intel_vPro_Technology.wmv

Webinar Slides

Want to download the deck? It's attached to this blog post.

Intel® vPro™ Heartbeat Newsletter

A bi-weekly newsletter that announces training, user docs, downloads, and other news about Intel® vPro™ technology.

Intel® AMT Scan Tool

This tool identifies the vPro systems in your environment.

http://communities.intel.com/docs/DOC-2061

Information about Intel® Anti-Theft Technology

http://communities.intel.com/docs/DOC-3266

Webinar Archive

http://communities.intel.com/docs/DOC-3492

Demo Video

During the webinar we received a number of great questions. I took these from the queue and here are the answers:

When can we expect to see some real tools & documentation on remote OS & application diagnosis & repair?

A:    Tools - Check here. http://communities.intel.com/docs/DOC-1171

A:   As for documentation of OS fixes, we leverage items like BSOD Analyzer to check the minidump file to validate the driver in error. I highly recommend checking out this tool on Microsoft's website.

Example: Is there any way to access a remote command prompt in Windows through SoL? What sort of lightweight diagnostic boot images are available that will enable remote diagnosis / repair?

A:   There is; you can boot to a lightweight image, i.e. Windows PE.

A:   Here are a few options:

     Spare Tire ISO - http://communities.intel.com/docs/DOC-1733 - the how-to-build guide

     Another great thread on ISOs - http://communities.intel.com/message/2508#2508

Can I copy files to a remote workstation, through vPro, to a broken Windows workstation, to repair it? If so, where is the documentation on how to do this?

A:   The Spare Tire ISO can do this very thing; then you can boot into Windows (light version) and utilize your normal tools to fix it, i.e. VNC, etc. Check out the Spare Tire ISO post above.

Great webinar today, great questions.   Keep them coming..          

Microsoft has recently updated the Configuration Manager Documentation Library for out of band management for SP2, including revisions to troubleshooting issues.  Some of these revisions are also applicable to Configuration Manager 2007 SP1, but they can't publish them with their monthly updates because of the new SP2 content.  Rather than waiting until SP2 is released, they have included the revisions here that affect existing customers using out of band management in Configuration Manager 2007 SP1.

http://blogs.technet.com/configmgrteam/archive/2009/08/13/updated-troubleshooting-information-for-out-of-band-management-sp1.aspx

--Matt Royer

The Next Generation Casino Environment video talks about how Intel® technology enables Connected Casinos by providing Intel-based platforms that enhance the user experience and provide TCO benefits to the operators.

Link: http://www.intel.com/design/intarch/platforms/gaming/products.htm

Scroll the page down to the section Gaming video to view this video.

The Intel® Active Management Technology in Retail video talks about how advanced technology and innovative marketing capabilities have led to many intelligent devices on the retail store front, which can be managed using Intel Active Management Technology without burdening the IT department.

Link: http://developer.intel.com/design/intarch/platforms/iaclient/products.htm

Scroll the page down to the section Multimedia to view the video.

Microsoft has released a really great blog post on the “Security Best Practices for Out of Band Management in Configuration Manager 2007 SP1”. The following topics are covered in great detail and it is a definite read. http://blogs.technet.com/configmgrteam/archive/2009/08/05/updated-security-best-practices-for-out-of-band-management-in-service-pack-1.aspx

  • Request customized firmware before purchasing AMT-based computers
  • Use in-band provisioning instead of out of band provisioning
  • Manually revoke certificates and delete Active Directory accounts for AMT-based computers that are blocked by a Configuration Manager 2007 SP1 site 
  • Control the request and installation of the provisioning certificate
  • Ensure that you request a new provisioning certificate before the existing certificate expires
  • If the provisioning certificate is revoked, delete it from the certificate store on the out of band service point site system server, and remove it from the out of band management component configuration properties
  • If you must revoke a provisioning certificate supplied by an internal CA, revoke the certificate in the Certification Authority console
  • Use a dedicated certificate template for provisioning AMT-based computers
  • Use out of band management instead of Wake On LAN
  • Use a dedicated OU to publish AMT-based computers
  • Use Group Policy to Restrict User Rights for the AMT Accounts
  • Use a dedicated collection for in-band provisioning
  • Restrict who has the Media Redirection right and the PT Administration right
  • Retrieve and store image files securely when booting from alternative media to use the IDE redirection function
  • Minimize the number of AMT Provisioning and Discovery Accounts

--Matt Royer

Pre-OS vPro Provisioning

Accolades to Frank Engelman

 

Problem Statement
Enterprise customers want to be able to “drop ship” a PC to an employee’s desk, direct from the OEM, with no special OS build provided by the OEM… and have the complete customer OS Build take place without a local technician present. This removes the need for taking the employee PC to a service desk or dispatching a technician.

Desired Process
The employee has no special knowledge, tools or software, but is able to unbox the PC, connect it to the LAN and power, and turn it on.
In addition to the above steps, the employee receives a non-unique CD or UFD (USB flash drive) containing a program to start Intel vPro Technology provisioning. The employee inserts the CD/UFD and boots off the media. Note: this requires the BIOS to have the CD/UFD ahead of the hard drive in the boot order, or the employee must be given instructions on how to pick the boot device (typically the F12 key). The employee was previously emailed a “name” to enter for the system when prompted during this process.

vPro based solution

The CD/UFD contains a program that performs the following operations:

  1. Boots the PC from a WinPE image installing WMI support, scripting support and the proper NIC drivers
  2. Reads the MAC address and UUID from the system
  3. Loads the correct version of the Intel vPro HECI drivers
  4. Prompts the employee to enter the system name they were given
  5. Uses Microsoft WMI to contact the Microsoft SCCM Provisioning Server and adds the machine name into the proper collection with the collected information...UUID, MAC and system name
  6. Starts Intel vPro activator to complete vPro provisioning
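Steps 2 to 5 take a MAC address and UUID read from the box plus a name typed by the employee and push them into the SCCM collection, so a typo or a placeholder value becomes the machine's identity. As an added example (not Frank Engelman's script, and not the VBS files listed later), the Python below validates and normalizes those three values and flags names that two employees typed identically. The record field names and the sample rows are my assumptions.

```python
"""Validate the (MAC, UUID, system name) triple before it is handed to the SCCM collection.
Added example; SAMPLE_INPUT is constructed data, not output from the provisioning program."""
import re
import uuid

# NetBIOS-style name: 1-15 characters, letters/digits/hyphen, no leading or trailing hyphen.
SYSTEM_NAME = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,13}[A-Za-z0-9])?$")
# Six hex byte pairs, optionally separated by ':' or '-'.
MAC_BYTES = re.compile("^" + r"([0-9A-Fa-f]{2})[:-]?" * 5 + r"([0-9A-Fa-f]{2})$")


def normalize_mac(text):
    """Accept 00-1b-21-aa-bb-cc, 00:1b:..., or 001b21aabbcc; return the upper-case colon form."""
    m = MAC_BYTES.match(text.strip())
    if not m:
        raise ValueError(f"malformed MAC address: {text!r}")
    return ":".join(g.upper() for g in m.groups())


def normalize_uuid(text):
    """Reject placeholder UUIDs (all zeros / all F's) that some boards report; every machine
    reporting one would collide with the others in the collection."""
    try:
        u = uuid.UUID(text.strip())
    except ValueError:
        raise ValueError(f"malformed UUID: {text!r}") from None
    if u.int in (0, (1 << 128) - 1):
        raise ValueError(f"placeholder UUID cannot identify a machine: {u}")
    return str(u).upper()


def normalize_name(text):
    """Trim and upper-case what the employee typed, then apply the name rule."""
    name = text.strip().upper()
    if not SYSTEM_NAME.match(name):
        raise ValueError(f"system name rejected (1-15 chars, letters/digits/hyphen): {text!r}")
    return name


def build_record(mac, system_uuid, typed_name):
    """One validated, normalized entry for the collection (field names are assumed)."""
    return {"MACAddress": normalize_mac(mac),
            "SMBIOSGUID": normalize_uuid(system_uuid),
            "NetbiosName": normalize_name(typed_name)}


def validate_batch(rows):
    """Return (records, problems) so one rejected row does not stop the rest of the batch."""
    records, problems = [], []
    for mac, system_uuid, name in rows:
        try:
            records.append(build_record(mac, system_uuid, name))
        except ValueError as err:
            problems.append(str(err))
    return records, problems


def duplicate_names(records):
    """Names present more than once: with non-unique media this is the likely collision."""
    seen, dupes = set(), []
    for r in records:
        n = r["NetbiosName"]
        if n in seen and n not in dupes:
            dupes.append(n)
        seen.add(n)
    return dupes


# Constructed sample input: (MAC as read, UUID as read, name as typed by the employee).
SAMPLE_INPUT = [
    ("00-1b-21-aa-bb-cc", "12345678-1234-5678-1234-567812345678", "acct-pc-07"),
    ("001B21AABBCD", "{12345678-1234-5678-1234-567812345679}", " ACCT-PC-08 "),
    ("00:1b:21:aa:bb:ce", "12345678-1234-5678-1234-56781234567a", "acct-pc-07"),  # name typed twice
]

if __name__ == "__main__":
    records, problems = validate_batch(SAMPLE_INPUT)
    print(records, problems, duplicate_names(records))
```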

Overview of building the CD/UFD program
This program is based on Microsoft WinPE, which is created using Microsoft Windows Automated Installation Kit (WAIK). It also utilizes the Intel Automated SCCM Bare-Metal Provisioning tool, ZTCLocalAgent.exe & StatusStrings.dll which are available on the vPro Expert Center. The Intel NIC (Network Interface Controller) drivers and Intel HECI drivers are available on the Intel support site. The steps to create the image and sample code are listed below.

  1. Extract the basic WinPE image using the WAIK
  2. Mount the WinPE image
  3. Add additional packages
  4. Add the Intel NIC drivers
  5. Un-mount the WinPE image
  6. Replace default boot.wim file
  7. Add the Intel vPro HECI drivers
  8. Add the support scripts
    1. Additions to Startnet.cmd
    2. SetupHECI.cmd
    3. GetSystemName.vbs
    4. Pre-OS-Provisioning.vbs
    5. SCCMAUTO.VBS (Bare Metal Provisioning)
    6. ZTCLocalAgent.exe
    7. StatusStrings.dll
  9. Create the CD or UFD from the ISO

Detailed steps in program creation:

  1. Install the Microsoft WAIK and open the Deployment Tools Command Prompt
  2. Create a WinPE folder-> CopyPE.cmd X86 c:\winpe_x86
  3. Mount the image-> imagex /mountrw c:\winpe_x86\winpe.wim 1 c:\winpe_x86\mount
  4. Add Scripting Package-> peimg /install=WinPE-Scripting-Package c:\winpe_x86\mount\windows
  5. Add WMI Package-> peimg /install=WinPE-WMI-Package c:\winpe_x86\mount\windows
  6. Add NIC drivers-> Add the Intel NIC drivers for the systems used in your environment in this manner:
    peimg /inf=c:\drivers\XXX.inf c:\winpe_x86\mount\windows
  7. c:\winpe_x86\mount\windows\system32\DriverStore\FileRepository
  8. Add Custom Script-> Edit c:\winpe_x86\mount\windows\system32\Startnet.cmd and add the lines shown in image f.e1.png
  9. Un-mount the image-> imagex /unmount c:\winpe_x86\mount /commit
  10. Copy c:\winpe_x86\winpe.wim c:\winpe_x86\ISO\sources\boot.wim
  11. Add AMT HECI Drivers-> Create c:\winpe_x86\ISO\AMT and add the drivers for every version of AMT used in your environment, naming the folders AMT2, AMT3, AMT4, AMT5
  12. Create HECI Installer-> Create a c:\winpe_x86\ISO\AMT\SetupHECI.cmd file with the contents shown in image f.e2.png. Note: You only need to include the AMT versions used in your environment
  13. Create GetSystemName.vbs-> Create a c:\winpe_x86\ISO\AMT\GetSystemName.vbs file with the contents shown in image f.e3.png
  14. Create Pre-OS-Provision.cmd-> Create a c:\winpe_x86\ISO\AMT\Pre-OS-Provision.cmd file with the contents shown in image f.e4.png
  15. Copy SCCMAUTO.VBS-> Copy the sccmauto.vbs from the Intel vPro Expert Center to c:\winpe_x86\ISO\AMT
  16. Copy ZTCLocalAgent.exe-> Copy the ZTCLocalAgent.exe from the Intel vPro Expert Center to c:\winpe_x86\ISO\AMT
  17. Copy StatusStrings.dll-> Copy the StatusStrings.dll from the Intel vPro Expert Center to c:\winpe_x86\ISO\AMT

If creating a bootable CD, create the ISO as follows:

Oscdimg -n -bc:\winpe_x86\etfsboot.com c:\winpe_x86\ISO c:\winpe_x86\winpe_x86.iso

If creating a UFD, perform the steps shown in image f.e5.png on a Windows Vista system, then copy the files to the UFD:

xcopy c:\winpe_x86\ISO\*.* /s /e /f e:\   (assuming your UFD is drive letter e:)

Program Usage:
Boot the system off the CD or UFD device.

WinPE is loading (image f.e6.png)
WinPE is starting (image f.e7.png)

Startnet.cmd...

Loading HECI drivers (image f.e8.png)

Prompt for system name

Employee enters system name and clicks OK (image f.e9.png)

SCCMAUTO.vbs running (image f.e10.png)

ZTCLocalAgent.exe running...

Note: Setup and Configuration is completed (image f.e11.png)

PC has now been vPro provisioned!

The Windows 7 wiki has been updated to reflect the new video by Dan Brunton on how to install Win7 w/ vPro.

http://communities.intel.com/docs/DOC-3096

We are going to have a few more videos showing up in the coming weeks, and the Bare Metal use case will be going live shortly. Please check back.
