Intel Open Port (our parent community) is sponsoring an opportunity to win a brand-spanking-new HP EliteBook 8440w notebook. How? you ask... It's simple. Participate in the Scavenger Hunt! There are five questions to answer on the topic of Intel vPro technology. If you answer them correctly, you'll be entered into a contest to win prizes - the grand prize being the HP!!

What are you waiting for? Head on over and get started!

Are you an IT Service Provider that provides services to SMB? Check out two (free) online events (tomorrow and Thursday - sorry for the short notice!) that will go over some new SMB and MSP solutions from Lenovo and Intel that will help your service business grow - topline or bottom line.

Events will cover

  • Lenovo's new notebooks, desktops and specifically the TS200v server featuring Intel® vPro Technology with advanced management functionality
  • Our latest Intel vPro Technology with KVM and other features that make it the right choice for MSPs

Wednesday Feb 24th event registration here

Thursday Feb 25th event registration here

Scott Allee

Intel SMB Solutions

For those who have been using Intel AMT in the past you may be familiar with the AMT DTK. This is a tool kit (with source code!) that contains several applications that cover vPro functionality. It’s been on hiatus for about a year since the last public release but the latest release was a couple weeks ago. Over the last year there have been many updates to the tools (IPv6 support, ability to set KVM settings, etc). You can see the full list of updates and download the binaries (or source code if you want to play) from here: http://software.intel.com/en-us/articles/download-the-latest-version-of-manageability-developer-tool-kit/

 

Now, let’s say that you are new to vPro, or you want to quickly play around with some of the new features of vPro. The good news is you can do this in about 10 minutes!

 

The first step is to configure AMT in basic mode (this is similar to Small Business Mode in previous generations). Here is how to do that: http://communities.intel.com/community/openportit/vproexpert/blog/2010/02/08/intel-amt-60-where-is-small-business-mode

 

The second step is to download the DTK (link above) and install it. Once installed you can launch the “Manageability Command Tool” (this needs to be run on a remote machine; it cannot be run on the AMT machine you’re trying to manage).

Select “File | Add | Add Intel(R) AMT Computer”

Enter the IP address or FQDN and your login credentials and you’re good to go!

From here you can click ‘Connect’ and the tool will pull up the System’s HW inventory, AMT settings, System Defense filters, etc.

 

Enjoy!

 

Thanks

 

--Richard

We're holding a live chat here on February 23 at 10am PST. Bring your questions!

KVM Remote Control is a new feature that launched with Intel AMT 6 and the newest Intel vPro platform. We are thrilled that it was welcomed with open arms, but that doesn't mean we are done! Please take this survey so that we can better understand how you use remote desktop products. This is your opportunity to influence our roadmap.

 

Click here to take the SurveyMonkey survey.

Have you ever walked into a tool room and thought to yourself - "I could make some really cool stuff with these tools". 

 

If that's the case - let me offer some ideas how Intel vPro Technology combined with the Remote Drive Share use-case reference might expand your reach.

 

As you may already know - Intel vPro technology provides out-of-band management such as reliable remote power control, boot redirection, and so forth.   It's a tool, which when combined with some creativity and applied to a situation becomes a powerful solution.   An additional tool is the Remote Drive Share use case reference design available at http://communities.intel.com/docs/DOC-4785.   This is a small Linux-based bootable ISO image to be used with the boot redirection functionality of Intel vPro technology.   The Remote Drive Share example provides a sample ISO image, source to modify\create your own image, and some brief instructions.

 

Okay - let's look at some potential scenarios where this might be helpful:

  • Remote client will not complete boot process - and you need to grab important files off the harddrive before reimaging

  • Remote client has been infected by a rootkit virus... or you need to run a full virus scan\clean outside of the local host operating system

  • An erroneous registry setting on the remote client needs to be fixed

Are you seeing a trend in the scenarios above? They all reference a "remote client". There are tools and processes to address each of those situations - IF you are present at the local PC.

Take a look at the following video to see how such scenarios could be addressed remotely using Intel vPro Technology with the Remote Drive Share bootable ISO.

One small clarification to be aware of - the posted Remote Drive Share ISO does not include NTFS-3G or similar components for NTFS partition read\write access. However, instructions are provided on how the ISO image can be modified to support it. The video is an example of the capability, and more examples of how Remote Drive Share can be utilized (such as obtaining dump files) will be provided soon.

VeriSign Provisioning Certs

Posted by jjcopela Feb 12, 2010

Last year there were some changes to the vPro VeriSign provisioning cert.

This change caused some confusion and a lot of users still have questions about it today!

 

Prior to May 17th, 2009, if you were ordering a “Standard SSL” vPro Provisioning certificate from VeriSign, you would get a cert signed by the G1 Root CA (742c3192e607e424eb4549542be1bbc53e6174e2).

The G1 root CA was a valid VeriSign hash in the ME firmware.

You would buy the G1 VeriSign cert and it would match the firmware and everything was fine!

You could also purchase the “Premium SSL Certificate” and you would get a cert signed by the same G1 Root CA (742c3192e607e424eb4549542be1bbc53e6174e2), again everything worked fine!

After May 17th, VeriSign made a few changes and the “Standard SSL” vPro Provisioning cert is now being signed with the G2 Root CA (85371ca6e550143dce2803471bde3a09e8f8770f).

The G2 hash was just recently added to our firmware. Here is a table showing the firmware versions and which VeriSign cert they support:

 

Platform      VeriSign G1 Support   VeriSign G1+G2 Support
Averill       < 2.2.20              2.2.20 +
Santa Rosa    < 2.6.20              2.6.20 +
Weybridge     < 3.2.10              3.2.10 +
Montevina     < 4.2.20              4.2.20 +
McCreary      < 5.1.10              5.1.10 +

 

So make sure you have at least this version of firmware if you are planning on using the “Standard SSL” (G2) vPro Provisioning cert from VeriSign!

Not all OEMs have released the latest version of firmware, and if your OEM does not have the latest “G2” supported firmware released, you can still purchase the “Premium SSL Certificate” which is signed by the G1 Root CA.

Here is a complete list of supported hashes:

VeriSign Class 3 Public Primary CA – G1
74 2c 31 92 e6 07 e4 24 eb 45 49 54 2b e1 bb c5 3e 61 74 e2

VeriSign Class 3 Public Primary CA – G2 (see the table above)
85 37 1c a6 e5 50 14 3d ce 28 03 47 1b de 3a 09 e8 f8 77 0f

VeriSign Class 3 Public Primary CA – G3
13 2d 0d 45 53 4b 69 97 cd b2 d5 c3 39 e2 55 76 60 9b 5c c6

Go Daddy Class 2 CA
27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4

Comodo AAA CA
d1 eb 23 a4 6d 17 d6 8f d9 25 64 c2 f1 f1 60 17 64 d8 e3 49

Starfield Class 2 CA
ad 7e 1c 28 b0 64 ef 8f 60 03 40 20 14 c3 d0 e3 37 0e b5 8a
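As an added example (my own script, not Intel tooling or part of this post), here is a Python check that applies the rules above before you buy or deploy a cert: it normalizes a root-CA thumbprint as printed by openssl, looks it up in the firmware hash list, and gates the G2 root on the per-platform firmware versions from the table. It assumes the 20-byte values are SHA-1 thumbprints of the DER-encoded root certificate and that the non-G2 roots are present in every listed firmware (the post gives version constraints only for G2); the platform/firmware/DER inputs used below are constructed.

```python
"""Check whether a vPro provisioning cert's root CA is accepted by a platform's
ME firmware, using the hash list and firmware table from the post above.
Added example, not Intel tooling; test inputs are constructed."""
import hashlib
import re

# Root CA hashes embedded in ME firmware (20-byte values from the post, spaces removed).
# Assumption: these are SHA-1 thumbprints of the DER-encoded root certificate.
FIRMWARE_ROOT_HASHES = {
    "742c3192e607e424eb4549542be1bbc53e6174e2": "VeriSign Class 3 Public Primary CA - G1",
    "85371ca6e550143dce2803471bde3a09e8f8770f": "VeriSign Class 3 Public Primary CA - G2",
    "132d0d45534b6997cdb2d5c339e25576609b5cc6": "VeriSign Class 3 Public Primary CA - G3",
    "2796bae63f1801e277261ba0d77770028f20eee4": "Go Daddy Class 2 CA",
    "d1eb23a46d17d68fd92564c2f1f1601764d8e349": "Comodo AAA CA",
    "ad7e1c28b064ef8f6003402014c3d0e3370eb58a": "Starfield Class 2 CA",
}
G2_HASH = "85371ca6e550143dce2803471bde3a09e8f8770f"

# Minimum firmware that carries the G2 hash, per platform (the post's table).
G2_MIN_FIRMWARE = {
    "Averill": "2.2.20",
    "Santa Rosa": "2.6.20",
    "Weybridge": "3.2.10",
    "Montevina": "4.2.20",
    "McCreary": "5.1.10",
}


def normalize_thumbprint(text):
    """Accept '74 2c 31 ...', '74:2C:31:...', or a full 'SHA1 Fingerprint=...' line
    as printed by `openssl x509 -fingerprint`; return 40 lowercase hex characters."""
    hexonly = re.sub(r"[^0-9a-fA-F]", "", text.split("=")[-1])
    if len(hexonly) != 40:
        raise ValueError("expected a 20-byte thumbprint, got %r" % text)
    return hexonly.lower()


def thumbprint_from_der(der_bytes):
    """Thumbprint of a DER-encoded certificate: SHA-1 over the whole DER blob
    (assumption noted above). Compare the result against FIRMWARE_ROOT_HASHES."""
    return hashlib.sha1(der_bytes).hexdigest()


def parse_version(version):
    """'4.2.20' -> (4, 2, 20); tuples compare component-wise, so 4.10.0 > 4.2.20."""
    return tuple(int(part) for part in version.strip().split("."))


def check_provisioning_root(platform, firmware_version, root_thumbprint):
    """Return (ok, reason). ok is False when the root is absent from the firmware
    hash list, or when it is the G2 root and the firmware predates G2 support."""
    thumb = normalize_thumbprint(root_thumbprint)
    name = FIRMWARE_ROOT_HASHES.get(thumb)
    if name is None:
        return False, "root %s is not in the ME firmware hash list; provisioning will fail" % thumb
    if thumb == G2_HASH:
        needed = G2_MIN_FIRMWARE.get(platform)
        if needed is None:
            return False, "no G2 firmware requirement known for platform %r" % platform
        if parse_version(firmware_version) < parse_version(needed):
            return False, ("%s firmware %s predates G2 support: update to %s or later, or use "
                           "the Premium SSL (G1-signed) cert" % (platform, firmware_version, needed))
    return True, "%s is trusted by %s firmware %s" % (name, platform, firmware_version)


if __name__ == "__main__":
    # Constructed case: a Montevina box on pre-G2 firmware with the new G2-signed cert.
    print(check_provisioning_root("Montevina", "4.1.3",
                                  "85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F"))
```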

 

VeriSign has also updated their Knowledgebase:

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=SO10703&actp=search&viewlocale=en_US

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AD146&actp=LIST

http://www.verisign.com/ssl/intel-vpro-technology/index.html

 

There are also a few expert center posts from last year that highlight the changes:

http://communities.intel.com/community/openportit/vproexpert/activation/blog/2009/05/22/how-does-the-verisign-root-certificate-change-affect-intel-vpro#comment-4202

http://communities.intel.com/community/openportit/vproexpert/activation/blog/2009/12/02/updated-verisign-root-certificate-for-vpro-provisioning

 

Let me know if you have any questions!

Josh

Among the greatest challenges of the cloud for the small and medium business or the enterprise are the reliability, availability, scalability, security and trust of one's applications and data.  So far, public cloud approaches to these challenges have proven to be more expensive across resource types for both the service provider and customer, and inelastic.  To compound the problem, end users demand high performance, the ability to get their job done, a familiar environment, a great user experience, freedom and flexibility, the ability to use personal apps and data, and faster recovery and migration. At the same time, IT and service providers demand  ease of management, simple deployment and updates, hardware independent images. Moreover, IT needs to be able to protect and secure data, leverage built-in data back-up and recovery, and to isolate business and personal worlds.


With Intel vPro, Citrix XenClient provides this through a high performance type 1 bare-metal hypervisor on the client, which can securely execute multiple images, is hardware aware whilst being hardware independent, with simplified OS management. Through Off-network mobility, application and data security and isolation, bandwidth- and access-intelligent network performance, near-native virtualised performance, large scale manageability, all with hardware-based acceleration and augmentation, this provides a local, mobile platform with management, security and adaptability needed by the small/medium business and enterprise for the cloud.


XenClient caches and executes desktop and application software directly on the device, enabling high performance, rich graphics and full off-network mobility for users. The usage model: A user requests a business image, the control domain creates an image with the desired policies, this initial image is delivered, and subsequent changes are synchronized. Small businesses and enterprises can leverage this to scale management of an increasingly mobile workforce, while enhancing security and always-on access to data and applications.


With vPro, XenClient is manageable whether the device is on or off. This solution is designed for security, with image isolation, trusted measurement & launch of XenClient, memory protection, and vPro management & security. With Intel Virtualization Technology, performance is enhanced over software-only solutions, and I/O device pass-through and assignment enabled. The solution is based on a single image management methodology, drastically reducing patch and upgrade maintenance efforts, enabling service level assurance.


How does this pay off? Users enjoy a rich services cloud experience with a lightweight hypervisor supporting pass thru of latency sensitive devices (e.g. graphics, DVD, USB 2.0), one that is truly mobile optimised with support for offline caching and synchronization, wireless support and power management optimizations. The user's desktop is assembled dynamically, providing instant image provisioning which can be role-based and portable.


This neatly supports the three personae of the cloud - public, personal private and organization private. The public persona covers all data and applications - business/corporate or personal - one could freely share with the world (e.g. social networking, sharing of non-sensitive information, etc.). Whilst many in the blogosphere think that all personal information fits in this category, the reality is that it does not - thus the personal private persona, which covers all personal data and applications whose abuse would adversely affect a user (e.g. financial, health, identity records, etc.). These are joined by the business/corporate persona which covers data and applications that are sensitive to, or represent the intellectual property of, a business/corporation, as well as ministries/governments, NGOs, non-profits, etc.


The vPro + XenClient solution provides a way to securely work in each of these personae on devices, whilst maintaining isolation between them. This enables an employee, consultant or representative of an organisation to access public, personal private and business/corporate data and applications without the risk of exposing sensitive information, violating conformance/compliance, or polluting intellectual property. Imagine the user who has one or more operating systems installed with all their tools and applications, which they may delete periodically depending on what they are working on. They also require access to their company’s business applications that are managed and brought to their clients by the corporate IT department. With XenClient, the user can have full control over their own managed operating systems but also benefit from having a corporate managed standard desktop environment.


I am excited about what  vPro + XenClient offers - centralized desktop virtualization  with a rich, personalized device environment, across device form factors, locations and workspaces. Mobile, office and remote workers for small/medium business and  the enterprise will be able to take advantage of enterprise-scale virtualization without sacrificing security, manageability, ease-of-use, performance or mobility. This further extends what the rich services cloud provides to organizations, hardening and augmenting its value to them.

 

For more information on Intel vPro, please visit http://www.intel.com/technology/vpro. For more information on XenClient, please visit http://community.citrix.com/citrixready/xenclient.

If you're planning to attend Symantec Vision Las Vegas (http://www.symantec.com/vision/welcome/index.jsp?locid=las_vegas)...

 

Intel will have 2 breakout sessions and 1 hands-on lab.   The details are provided below.   In addition - come see us at the keynote and in the showcase area.   The sessions\labs will focus on Intel vPro technology (something I talk about a lot in this community), yet expect to see items outside just client systems in the showcase area.

 

Last year we had standing room only in the hands-on lab - look forward to a repeat high attendance.

 

There will be prizes\giveaways in the sessions\lab - you must be present to win. 

 

Here is the summary of the sessions and lab.   We look forward to seeing you at the event.

 

  • Session ID: SS B02
  • Session Date\Time: Tuesday, April 13th, 10:45am
  • Session Title: Intel® vPro Technology and Symantec Client Solutions Help Your Business Save Money
  • Abstract:  Learn how Symantec and Intel are working together to provide money saving features that allow better manageability for your client systems regardless of their operating system state. If you are preparing for a Windows 7 platform refresh, come learn the advantages of the 2010 Intel vPro Technology platform. In addition to the standard capabilities integrated with Symantec Client Management Suite, learn about KVM remote control or managing a client outside the corporate network. Take advantage of Intel® vPro Technology to reduce IT cost and improve service.

 

  • Session ID: SS L01
  • Session Date\Time: Wednesday, April 14th, 10:45am
  • Lab Title: Intel vPro Technology: Find IT and Use IT
  • Lab Abstract: This hands-on lab demonstrates how Symantec Management Platform (Altiris) and Intel vPro Technology enhance Endpoint Security and Endpoint Management solutions to improve control within the IT environment. Come learn from one of Intel’s experts with hands-on experience in using Intel vPro technology in a production environment.
  • Note: For a preview of what the lab materials and exercises will look like, see the recorded webinar from September - http://communities.intel.com/community/openportit/vproexpert/blog/2009/09/04/resources-and-recording-from-symantec-altiris-intel-vpro-webinar

 

  • Session ID: SS B01
  • Session Date\Time: Wednesday, April 14th, 2pm
  • Session Title: Intel vPro Technology: A well managed client is a secure client
  • Session Abstract: This session will showcase how Intel vPro Technology and Symantec Management Platform (Altiris) enhances endpoint security.   Come learn how these technologies work together to improve client security and reduce IT cost.
  • Note: The session title and abstract were updated from the original post.

If you have any special requests on the Intel sessions before the event - let me know. I look forward to seeing you there.

As many of you know development of projects like Intel AMT take a long time. We generally work on a project for a full year before launch (well, I do anyway. Our developers, architects, and project planning folks begin working on it long before that). I realized that for someone just starting to use an AMT 6.0 platform the concept of Enterprise vs. Small Business Mode is now gone. Some people have come to me and asked “How do I just turn it on for a quick demo?”. Well, I’m happy to say it can be done very easily!

 

Enabling Intel AMT in a manner similar to previous generations’ SMB Mode (how’s that for a title?!)

  1. Power on the system and enter MEBx (generally by pressing CTRL-P during boot, but this may vary from PC manufacturer to manufacturer)
  2. Enter your password (the default password is “admin” if it’s never been configured)
  3. Select “Intel(R) ME General Settings”
  4. Select “Activate Network Access”
  5. And you’re done!

There is a really good step-by-step with screen shots here: http://communities.intel.com/docs/DOC-4795  (See section 3)

 

Thanks

 

--Richard

Intel vPro Technology enhances existing PGP Whole Disk Encryption solutions by enabling IT to remotely disable PCs (and the associated data on the hard drives) that are lost or stolen, regardless of whether the PC connects to the Internet. To learn more, watch the below video from PGP Director Sanjit Shah:

 

Intel vPro Technology enhances existing Absolute solutions by enabling the remote disablement of PCs that are lost or stolen, regardless of whether the PC connects to the Internet. In addition, the lost PC can feature a custom screen that can feature instructions on how to return the PC in case it is found. To learn more, watch the below video from Absolute Software Product Manager Geoff Glave:

 

As part of our efforts to introduce the all new 2010 Intel Core vPro processor family, we put together a series of videos that feature Steve Grobman, Intel's Chief Architect in our Digital Office Platform Group. He's been on the team that has led the development of Intel vPro technology for the past half decade, and was once in Intel IT's department. The videos also feature Intel's Josh Hilliker - who helps Steve demonstrate the new technologies.

In his first video, Steve talks about the new developments in Intelligent Performance - and he also showcases how Intel Turbo Boost Technology and AES-NI (Advanced Encryption Standard - New Instructions) help improve performance for today's office worker:

In his second video, Steve talks about the new developments in Smart Security - and he also showcases how Intel vPro technology helps disable lost PCs and data, and can also help IT manage encrypted hard drives remotely:

In his third video, Steve talks about the new developments in Cost Saving Manageability - and he also showcases how Intel vPro technology helps IT or IT service providers control an office worker's keyboard-video-mouse (KVM) remotely ... even when the Operating System has blue-screened:

In his fourth video, Steve talks about how small businesses can benefit from Intel vPro technology, and how service providers like AT&T are excited about the all new 2010 Intel Core vPro processor family:

In his last video, Steve talks about how Intel vPro technology is bringing proven results to organizations today:

 

Do you have questions about our new platforms? Or about previous generations? Bring your questions to the live chat that we are hosting tomorrow, 2/9, at 10am PST. There will be a pretty well-rounded group of experts on board to answer your questions - well-versed in areas such as KVM Remote Control, Microsoft ConfigMgr, activations, security, and more. Come chat with us!

As part of our launch of the all new 2010 Intel Core vPro processor family, Microsoft Vice-President Brad Anderson talked about how "vPro enables us to do things inside of System Center that in the past required the help desk to actually visit a desktop ... [including] remotely troubleshooting PCs even when the Operating System has not been booted." To see a demonstration of how Intel vPro technology with System Center Config Mgr 2007 helps reduce time-consuming desk-side visits, watch the demonstration below from Jeff Wattlaufer of Microsoft's System Center Product Group:

 

Today the Use Case Reference Design (UCRD) team has released Remote Drive Share (RDS). RDS is a very small ISO image that, when booted, will share out the contents of the vPro system's hard drives. It works like this:

 

  1. User calls help desk because their system won't boot.

  2. Help Desk uses IDER with RDS to reboot User's system.

  3. Help Desk maps a drive letter to the User's hard disk(s).

  4. Help Desk can now back up user data, edit the registry, scan for viruses, analyze crash dump files, restore corrupt files, etc...

 

So my challenge is this: with KVM Remote Control a help desk can remote control a vPro system in almost any state. With IDE-R a help desk can boot a vPro system to any CD or floppy based recovery tool. With RDS a help desk has remote access to a vPro system's hard drive(s). Besides issues like replacing a broken part or checking cable connections, are there any issues or scenarios that a help desk cannot troubleshoot and resolve remotely?

We're working on a series of UCRDs outlining how to use RDS and KVM Remote Control for various tasks like remote reg edit. We're also working on UCRDs to aid a help desk in getting up and running with vPro. So, tell us what you want to see, or scenarios that you think can't be solved, and we'll add it to our to-do list. I can't promise we'll solve your problem, but at least we'll all have our creative juices flowing in the same direction....fewer desk side visits and faster issue resolution time, all by making it possible to do more remotely. What do you wish you could do remotely from your help desk?

Yesterday (Feb 4th) was an exciting day online - the 2010 Intel vPro Technology platform was launched. (The virtual launch area is available at http://intelcore2010.veplatform.com/.)

Richard Foote talked about some of the new Intel AMT 6 features - see http://communities.intel.com/community/openportit/vproexpert/blog/2010/02/04/intel-amt-60-new-features. And I agree - the KVM remote control feature is my favorite feature also.

Jake's blog post provides links to resources and mentions RealVNC's KVM Viewer Plus, to be released later in February. Check it out - http://communities.intel.com/community/openportit/vproexpert/blog/2010/02/04/kvm-remote-control--its-here

BUT - KVM remote control is NOT universal across all 2010 Intel vPro platforms. If shopping for a system, ensure it has Intel integrated graphics, a vPro processor, and Intel AMT 6.0. Specifically - look for vPro systems that have the following processors:

 

  • Desktop: i5-650, i5-660, i5-670
  • Laptop: i7-620M, i7-640LM, i7-620LM, i7-640UM, i7-620UM, i5-540M, i5-520M, i5-520UM

Before buying a system - check to ensure it's a vPro system with Intel integrated graphics. A few examples:

  • Take a look at the Lenovo T410 system - two models support Intel integrated graphics and one does not.
  • Look at the HP 8440p - two with Intel integrated graphics and two without.

 

There are other systems out there - take a look at http://communities.intel.com/docs/DOC-2033 for AMT 6.0 systems.   Yet based on the information shared above, keep in mind that KVM remote control is only available on select systems.

There's been a lot of tech talk around KVM Remote Control. Now I want to share some of the advantages it brings. This video demonstrates 5 tricks KVM Remote Control brings beyond those of software based remote access services.

In case you missed it, here's the list:

- Ability to diagnose a network driver issue
- Remotely observe steps that cause a catastrophic failure, including the failure itself
- Visibility and control of remote system boot process
- Access to PreBoot Auth Module used by Whole Disk Encryption - reset a forgotten passphrase
- Remote control of any recovery OS

 

What else would you like to see KVM Remote Control do?

We hope you caught our first post introducing VNC® Viewer Plus from RealVNC.  We are really excited by this new technology and would like to tell you more about the innovative features available when connecting to the new vPros:

 

Out-of-band KVM - Users no longer need to rely on a functioning operating system and network drivers to establish a remote access session.   Complex issues can be diagnosed remotely, increasing productivity as users experience less downtime.

 

Remote reboot - A technician can perform a hardware reset in the event that the computer is non-responsive, reducing the need for desk-side visits.

 

Remote power on/off - We put remote power control in the hands of our technician users, creating a simple solution for out of hours working whilst enabling energy and costs savings as computers no longer need to be left on overnight.

 

Security – VNC Viewer Plus connects using the built-in security features provided by the 2010 Intel® Core™ vPro™ system.

 

IDE redirection - Technicians can mount and boot remote images.  As well as diagnosing problems, you can even fix them remotely! Watch our video below for a demonstration.

 

 

We’ll be launching VNC Viewer Plus in the last week of February 2010.  To keep up-to-date visit http://www.realvnc.com/products/viewerplus.

Hello Again!
I wanted to give a quick technical overview of KVM Remote.

 

What is KVM?
I assume that everyone here knows what KVM is. No? Alrighty then. KVM is really an acronym that stands for Keyboard-Video-Mouse. Basically it’s a generic term for allowing one computer to see what is on the screen of another computer and to be able to interact (via keyboard and mouse) as though someone were sitting at that computer. There are different reasons why you might want to use a KVM. For example let’s say you have two computers at home and one monitor/keyboard/mouse on your desk. You could use a hardware KVM switch to access one machine at a time (these are fairly inexpensive for 2-4 machines). “That’s nice, but my other computer is in the other room or in another building. I don’t have cables that long, what should I do?” Well I’m glad you asked.
In this case you’ll need a KVM solution that works remotely over a network. Now you have two choices: you can use a software based remote desktop product or a hardware KVM solution (these are often called IP-KVM solutions). I use a 3rd party hardware KVM in my lab to connect many machines to my monitor when I do testing. It works great! (The down side is that the cost per connection is very high, in my case it’s well over $100/connection!) Software solutions also work well... Well, I guess it’s better to say that a software solution works well as long as everything else on the system is working well. With a software solution you can’t do things like reboot, change BIOS settings, or work in safe mode (without networking). If only there was an inexpensive hardware solution that was built into all your platforms. Voila! Enter KVM remote control stage left.

(after all that rambling I just realized there is a wikipedia article on it. Of course there is. If everything I said made no sense at all, try this: http://en.wikipedia.org/wiki/KVM_switch )

 

Architecture

Ok, on to what you’re really here for, the Intel KVM Remote Control high level architecture (i.e. how it works).

When you look at your screen you’ll see a lot of different objects (in my case I have a word processor running, a couple of web browsers, etc). These objects will be layered on each other and your operating system will figure out which is on top and what to display. The OS will collect all these objects, figure out what is visible and what is not and push all that data down to what is called a framebuffer. The framebuffer is effectively the memory that your video card sends out to the monitor. Basically it’s the last stop. Since the manageability engine (the little processor that runs AMT) can access this memory we can package it up and send it out to a remote computer so an IT administrator can see exactly what is on the user’s screen.
When a KVM session is initiated the manageability engine will make a copy of the current framebuffer and send it to a remote viewer. After that it will compare the current framebuffer to the cache. The comparison is done in 64x64 pixel tiles, left to right, top to bottom. If there are any differences between the two the manageability engine will update its cache with the new tile and send out the tile to the viewer (at this point there may be other functions performed on the tile, such as compression and encryption, before it’s sent).
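The tile comparison just described, as an added Python illustration (my reconstruction of the algorithm, not Intel ME code): the framebuffer is modelled as one integer per pixel in row-major order, tiles are compared in the stated 64x64, left-to-right, top-to-bottom order, and the compression/encryption of changed tiles is left out; the 200x100 test image is constructed.

```python
"""Tile-based framebuffer change detection (64x64 tiles, left to right, top to bottom).
Added illustration of the post's description; not Intel ME code."""
TILE = 64


def tile_grid(width, height, tile=TILE):
    """Yield (col, row, x0, y0, x1, y1) for every tile, left to right then top to bottom.
    Edge tiles are clipped when the resolution is not a multiple of the tile size."""
    for row, y0 in enumerate(range(0, height, tile)):
        for col, x0 in enumerate(range(0, width, tile)):
            yield col, row, x0, y0, min(x0 + tile, width), min(y0 + tile, height)


def extract_tile(fb, width, x0, y0, x1, y1):
    """Copy one tile out of a row-major framebuffer (one value per pixel), as a list of rows."""
    return [fb[y * width + x0:y * width + x1] for y in range(y0, y1)]


class TileCache:
    """The manageability engine's cached copy of the last framebuffer sent to the viewer."""

    def __init__(self, width, height, initial_fb):
        self.width, self.height = width, height
        self.cache = list(initial_fb)   # full copy, sent once at session start

    def changed_tiles(self, current_fb):
        """Compare the current framebuffer to the cache tile by tile. Return the list of
        (col, row, pixel_rows) updates the viewer must receive, and refresh the cache for
        exactly those tiles; unchanged tiles are neither copied nor resent."""
        updates = []
        for col, row, x0, y0, x1, y1 in tile_grid(self.width, self.height):
            old = extract_tile(self.cache, self.width, x0, y0, x1, y1)
            new = extract_tile(current_fb, self.width, x0, y0, x1, y1)
            if old != new:
                updates.append((col, row, new))
                for y in range(y0, y1):   # update the cache only where the tile changed
                    self.cache[y * self.width + x0:y * self.width + x1] = \
                        current_fb[y * self.width + x0:y * self.width + x1]
        return updates


def simulate_cursor_move(width=200, height=100):
    """Constructed 200x100 'screen' (8 tiles: 4 across, 2 down): a single cursor pixel
    is drawn, moved across a tile boundary, then left alone. Returns, per frame,
    the (col, row) of the tiles that had to be sent."""
    frame0 = [0] * (width * height)
    frame0[10 * width + 10] = 1                 # cursor at (10, 10) -> tile (0, 0)
    cache = TileCache(width, height, frame0)    # initial full copy already sent
    frame1 = list(frame0)
    frame1[10 * width + 10] = 0
    frame1[10 * width + 70] = 1                 # moved to (70, 10) -> tile (1, 0)
    sent = []
    for fb in (frame0, frame1, frame1):          # unchanged, moved, unchanged again
        sent.append([(col, row) for col, row, _ in cache.changed_tiles(fb)])
    return sent                                  # [[], [(0, 0), (1, 0)], []]


if __name__ == "__main__":
    print(simulate_cursor_move())
```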

 

Protocol
The protocol that is used to transport the data is the Remote Frame Buffer protocol (you can find out more info and download the specs from here: http://en.wikipedia.org/wiki/RFB). The nice thing about the RFB protocol is that it’s been around for a long time. The v3.3 revision of the protocol came out in 1998. Since it’s been around for so long you can find viewers for pretty much any platform (Windows, Linux, Unix, MacOS, there are even iPhone viewers! Have I mentioned I love wikipedia? Here is a table of various remote desktop viewers: http://en.wikipedia.org/wiki/Comparison_of_remote_desktop_software).
So now that we’ve talked about how the video gets from the client to the viewer, how do the mouse and keyboard make it? When a connection is established a virtual USB keyboard and mouse are ‘plugged in’ to the client (you’ll see new devices appear in Device Manager once a session is established). Keyboard commands and mouse movements (and clicks) are sent to the manageability engine. The manageability engine will send those commands to the virtual USB devices and thus to the OS.

 

Security
Now let’s talk about security. When a session is initiated the client will show a user consent form. The user consent form is placed directly into the framebuffer (this protects the user consent code from being detected by malware and helps to protect from unauthorized access. It also allows the user consent screen to be seen when it normally wouldn’t be, such as when running a non-graphical OS like DOS). The user consent code is read to the IT administrator that is connecting to the system and the IT admin is then able to connect. Once connected there is a 1 pixel red border around the screen and a blinking icon in the upper right corner of the screen. The client system can be configured to use TLS for encryption just like other AMT connections.

 

That’s mostly it from a high level. Thanks for reading!

 

--Richard

Introduction

Let’s talk about vPro, privacy, security and Big Brother. Spanning the internet are articles discussing legitimate and imaginary concerns about vPro’s impact on user privacy. So it’s time we (at Intel) start a dialog with our customers on this topic.

First, I need to emphasize how seriously Intel takes privacy and security.  Ten years ago, when someone at Intel mentioned privacy reviews I thought we were getting offices with doors. Since then, especially prior to vPro’s initial launch, security and privacy have become mainstays at Intel.  Every product we deliver goes through rigorous security and privacy review boards.  These folks are not as friendly as many of you; I have the wounds to prove it.

But enough of conjecture and hand waving, let’s look at the overriding concerns repeated in blogs and articles on vPro:

  • A hacker can use vPro to watch what you type and what web sites you visit

  • vPro operates “stealthily” even when your system is off

  • vPro cannot be disabled

I’ll try and respond to each of these topics and look forward to follow-up questions from you all as well as any additional topics you would like me to cover in the future.

Preventing KVM Remote Control from Being Hijacked

As many of you have read, KVM Remote Control is a new feature in vPro that allows a technician to remotely support platforms by gaining access to the keyboard, video and mouse of the target PC.  A similar capability exists in many IT products today; the difference is that KVM operates no matter the state of your system.  That is, the OS can be completely dead and a technician can still use vPro to remote in, diagnose and fix issues.

The benefits of KVM are clear; however, many fear what happens if the remote capability gets into the wrong hands.  Clearly the main concern is that if an attacker could remotely hack a vPro system, they could then eavesdrop on everything typed, viewed, etc.

Taking these threats seriously, and to ensure that the user is protected, vPro uses the following security mechanisms to establish a remote session:

1. The user at the vPro PC sends a random “secret” generated by vPro (via phone, e-mail, text message, etc.) to the remote administrator who will be helping the user debug his or her system.

2. The remote admin sends this value securely back to vPro to establish the session.

3. When the remote session is established (whether or not a session is active), a red border is displayed by the graphics HW to show the end user what the remote admin can see.  Since vPro HW protects all video and graphics inside the red border, nothing can draw over the top of it.

4. In addition to the red border, a flashing KVM icon is displayed for the duration of the session.

5. The red border and icon continue to be displayed until 2 seconds after the vPro session ends.

For someone to hijack this remote session (and thus take control of your PC) the attacker would need to intercept the secret by eavesdropping. 

Alternatively, an attacker could “social engineer” you to divulge the KVM secret, but if they can do this they can probably get your credit card number for a Nigerian money offer.

Even if they are successful in getting the secret the attackers will still need to break TLS.

The key point to mention is that the end user is always in control of the KVM session.  If you do not provide the secret to the IT administrator, an attacker cannot connect.

vPro Active Low Power States

As advertised, vPro can operate when a PC is in a low power state.  Specifically, these are the S3, S4 and S5 sleep states (Sx for short).  “vPro is active when the PC is powered off” isn’t technically accurate because the PC is powered in all vPro operational states.  If you yank the cord, I can assure you, vPro will not be active.

The key point is vPro can (not will) operate in these states, because it is up to the PC manufacturer whether to add the additional cost to support them.  Motherboards require additional power switching logic, circuitry and routing to support these additional power states.

For the IT environment this capability is clearly advantageous and worth the cost.  For the consumer market it is unlikely OEMs would spend this additional expense.

Another myth to dispense with: “Even when the system is powered off vPro provides remote access to your HDD and all of your data!”

  • Devices such as HDDs, system memory, your web-cam and keyboard are not powered in Sx.

So, even if they wanted to, hackers could not remotely access these devices in a vPro low power state.  Now, an attacker could use vPro to wake the system, but these devices are still not accessible through vPro.

Disabling vPro

A final myth: “vPro cannot be disabled!”  In actuality, vPro can be disabled in the following ways:

1. By disabling vPro in the BIOS setup interface.

2. By disabling vPro in the MEBX setup interface, which the user can access just before the OS launches.

If a vPro enabled PC has been re-purposed for home use, the above options are easily accessible.

However, if your PC is owned by the IT department of your company, I’m sorry to say, it’s really not your PC.  In this situation you probably can’t get into BIOS setup or MEBX without the IT-generated passwords.  You also probably can’t disable HDD encryption or virus scanners, run with OS administrator privileges, etc.

United States privacy laws do not require employees of U.S. based firms to be able to disable capabilities such as vPro. 

However, in the EU privacy laws are more strict, but I can’t quote them (partially because I’m too lazy to Google them, but mainly because I don’t want to be mistaken for a lawyer).  So, if you’re employed in the EU you may have full control over vPro.

In Conclusion . . .

Intel takes the vPro brand, customer privacy and security very seriously.  While I hope this quells most of your concerns, there always will be conspiracy theorists who believe Intel and PC manufacturers are in collusion with the NSA, CIA and FBI.  While good fodder for Hollywood, such activities make no business sense and absolutely no technical sense.  If interested, I’ll explain why in a future article.

-Daniel Nemiroff

With AMT 6 Intel introduces a feature called KVM Remote Control. It's basically a VNC server running in the hardware. Think about what that means. Say a user calls you at the help desk. Their system won't boot. You can take remote control and see exactly what is happening...no OS needed.


Today I want to share two things. First, I have released a Use Case Reference Design that will get you up and running with KVM Remote Control today. It provides step by step instructions, links to all the tools you need, and a detailed Q&A section covering the ins and outs of KVM Remote Control. Try it out, get to know KVM Remote Control, and let me know what you think.


Second, imagine if you will, a Help Desk tool that integrated all the vPro features you love - Remote Power Control, IDE Redirection, and KVM Remote Control. With something like that, there isn't much your help desk couldn't do over the phone. Well, RealVNC is working on just that. Check this out - VNC Viewer Plus.

The next-gen of Intel vPro technology is here! Come check out the virtual event - you'll find so many cool videos, so much great information. We also have some key docs to help you get up to speed - you'll find them here: Intel® Core™ i5 and i7 vPro™ Wiki.


Click here to visit the virtual event!


This is the online event business owners, IT pros and PC users have been waiting for, a chance to learn more about the all new 2010 Intel® Core™ vPro™ processor family... and discover for yourself why this is the ideal time to upgrade your PC fleet with systems that have intelligent performance, smart security, and cost-saving manageability built in.


  • Learn how intelligent processors can adapt to end users’ needs
  • See how smart security is built into the DNA of the new processor family
  • Find out how new cost-saving manageability can maximize IT productivity


Please accept our personal invitation to attend this virtual event, including an on-demand 20-minute keynote presentation by Intel’s Rick Echevarria with special guest appearances by Microsoft* and Symantec*.


Whether you’re a small business owner or IT pro, you’ll also enjoy access to a full range of online exhibits and virtual experiences including demonstrations, technical content, and exhibits featuring Intel partners.


If you cannot join us today, you can register any time and return at your convenience. Feel free to refer a colleague who may also want to attend. This event will be available online through the end of April 2010. We hope to see you at our virtual event.


Announcing VNC® Viewer Plus from RealVNC, launching at the end of February 2010.  With all the features of our industry standard VNC Viewer, VNC Viewer Plus supports all the manageability features of the new 2010 Intel® Core™ vPro™ Processor Family.


The biggest difference between these and older vPros is the built-in KVM functionality.  Now, rather than connecting to a VNC Server running on the operating system, you can connect directly to the hardware. Even if your OS is non-responsive or your PC won’t boot, you can still access remotely from anywhere on the LAN, through a dialled-in VPN connection or over the Internet.


VNC Viewer Plus connects to the new vPros for KVM as well as providing other remote control functionality such as power on/power off, remote reboot and IDE redirection - enabling booting from a remote CD or image.


This is a truly revolutionary solution from Intel which, combined with the remote control expertise at RealVNC, provides a ground-breaking industry first for the SMB market.


To see VNC Viewer Plus in action, see our video below, and for further product information please visit http://www.realvnc.com/products/viewerplus.


Intel AMT 6.0 New Features

Posted by rkfoote Feb 4, 2010

Hello everyone!

I’m a bit new here, well new to blogging, not new to Intel (I’m coming up on 13 years). I’ve spent the last year working with Intel AMT 6.0 and I wanted to write up a quick article on some of the new features that are included with AMT 6.0.

Every new platform has an array of different features. Our 2010 platforms are no exception, with newer video and fancy CPUs. AMT is my domain. If there is enough interest I’ll write up some more detailed articles on these different features. But enough jibber jabber, let’s get to the features!


IPv6

New for AMT 6.0 is support for IPv6. If you just said to yourself “IPv-what??” then I’d recommend checking out the IPv6 page on Wikipedia (http://en.wikipedia.org/wiki/IPv6). In a nutshell, the world is running out of IPv4 addresses (most of the internet is currently running on IPv4) and IPv6 helps to solve this issue by moving from 32-bit to 128-bit addresses.
“Why do I care?”, well I’m glad you asked. IPv6 isn’t very widespread right now. Microsoft has started to include IPv6 support in their OS’s, enabled by default (Vista and Win7 support it out of the box, Windows XP can support it), and there are many Linux distributions that support IPv6. In order to use AMT with IPv6 you’ll need an IPv6 compatible network and a remote management console that supports IPv6. Unfortunately these are few and far between right now. The good news is that as more IPv6 support becomes available and more management console vendors start implementing IPv6, AMT will be ready! I like to look at it as future-proofing (hmm... I probably can’t actually say “future-proofing” with our lawyers, let me rephrase that to “future-resilient”).


Fast Call for Help over wireless
I don’t have too much to say on this; basically, if you’ve used Fast Call for Help (also known as CIRA in some circles) you’ve been limited to wired-only connections. This has been updated to work over the wireless interface as well!
While it sounds simple to add this functionality, there is a lot of work that goes into the backend to make this happen. The big difference is that now Intel PROSet (our wireless management software) can push wireless profiles down to the Manageability Engine. The advantage you get here is that Fast Call for Help can work from, say, your wireless access point at home (without the need to manually enter all your wireless settings into AMT).


Alarm Clock
I like the analogy here. You set an alarm and your computer wakes up.  In short, that is the feature! I can probably explain this better with examples. Let’s say that you run a call center or a school. You have employees and/or students that arrive at 8:00am in the morning to start using their computers. With Alarm Clock, you can configure those PCs to power on at a specific time (in this example we’ll set them for 7:55am). People arrive and their PCs are ready! Another use could be remote patching. You could schedule a wake up every day at 2:00am that checks for SW updates and then shuts back down.


KVM Remote Control
Ok, I’ve saved the best for last. As I said above, I’ve been working with AMT 6.0 for the last year. KVM Remote Control is my favorite feature. Raise your hand if you’ve used remote control software before (Remote Desktop, VNC, etc...). Everyone?!?! Wow!
Now for the trick question: how many people have done a reboot, edited some BIOS settings, and booted back up to the OS all remotely, all using a remote control solution? (I’ve noticed everyone that doesn’t have an expensive hardware solution has put their hands down). Better yet, how many IT folks have gotten a call from a user complaining that their PC has a blue screen AND THEN could connect to the machine and see the blue screen remotely? Intel’s KVM Remote Control will let me do just that! It’s a HW based implementation that doesn’t require any interaction (or drivers) in the OS to function. Not only that, but the protocol that we use is the Remote Frame Buffer protocol (this is also commonly known as VNC). Since this is an open and widely used standard there are viewers available for TONS of platforms (while I haven’t tried it, there are even viewers for the iPhone).
“But what about my privacy?!?!”, well I’m glad you asked. KVM Remote Control has a few features that help to protect your privacy. The first is what we call the user consent screen. KVM Remote Control can be configured to pop up a screen with a random 6 digit number. This number must be given to the IT person before they can see anything on the screen. Oh, and since this is a hardware based product (remember, I said no OS drivers are required) the user consent screen is inserted into the video buffer in hardware. This makes it invisible to the user’s OS (and any malware that may be running on the system). Another feature (also using the video buffer) is that during a remote control session, the user will see a 1 pixel red border around the screen and a small blinking icon in the upper right corner of the screen. This is to let them know that someone is controlling the system.
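The consent flow described in the five numbered steps of Daniel's post above and in Richard's description here can be sketched as a small state machine: a random 6 digit code shown to the local user, handed to the admin out of band, checked on submission, and an indicator that stays up until 2 seconds after the session ends. This is an added illustration, not Intel firmware or DTK code; the class name, the injectable clock and the one-time use of the code are assumptions of the sketch.

```python
import hmac
import secrets
import time


class KvmConsentSession:
    """Toy model of the AMT KVM user-consent flow (added illustration,
    not Intel's firmware). Class name, clock injection and the
    one-time use of the consent code are assumptions of this sketch."""

    INDICATOR_HOLD_SECONDS = 2.0   # border/icon stay up 2 s after the session ends

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so tests can advance time
        self._secret = None          # the 6-digit code drawn into the framebuffer
        self._session_active = False
        self._session_ended_at = None

    def request_consent(self):
        """Step 1: the platform generates a random 6-digit code and shows it to
        the local user, who relays it to the admin out of band (phone, e-mail)."""
        self._secret = f"{secrets.randbelow(1_000_000):06d}"
        return self._secret

    def submit_secret(self, code):
        """Step 2: the remote admin sends the code back (over TLS in practice).
        Constant-time comparison avoids leaking how many digits matched."""
        if self._secret is None or not isinstance(code, str):
            return False             # nothing pending: no code, no session
        if not hmac.compare_digest(self._secret, code):
            return False
        self._session_active = True
        self._secret = None          # assumption: a code is good for one session
        return True

    def end_session(self):
        self._session_active = False
        self._session_ended_at = self._clock()

    def indicator_visible(self):
        """Steps 3-5: red border and KVM icon are shown for the whole session
        and for INDICATOR_HOLD_SECONDS after it ends."""
        if self._session_active:
            return True
        if self._session_ended_at is None:
            return False
        return self._clock() - self._session_ended_at < self.INDICATOR_HOLD_SECONDS
```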


If you’re interested in more KVM details I’m planning on writing up another article that goes in more depth on KVM (look for that soon).

These are some of the new features that are available in AMT 6.0. Be sure to check back for additional articles on AMT and new (or old) features.


Thanks


--Richard

So - you're an IT administrator, or you're part of an IT services team that delivers outsourced IT to clients. You've heard of vPro and AMT before, but you aren't really sure what it is, or how it can help you in your job.


Well, if you are on the same LAN as the vPro/AMT machine, you can do lots of really neat stuff - take a look!


1. Power on/off the machine from your laptop/PC

2. Access the BIOS

3. Configure the machine to reboot off of a floppy or CD-ROM drive

4. Get an accurate inventory of the machines on the LAN - even though that AMT/vPro machine may be turned off, you can still discover it!


Now - where things get really interesting is if you have an RMM (remote monitoring and management) tool like N-central - wherever you are in the world, so long as you have internet access, an RMM tool allows you to remotely control/access devices on that network, the same as if you were on the LAN!


Imagine if a user calls you, and his workstation is behaving in a way that makes you think it's a BIOS setting that is causing the problem. You're in your office, and he's across town - do you really want to get in the truck and drive over? With N-central, you can just login to the UI, click on the device, and presto - you've got access to the BIOS of that user's machine! He's happy because his problem got fixed right away, and you're happy because you fixed the issue in the minimum amount of time, without having to roll a truck - fantastic!
