rkfoote

AMT Power Policies

Posted by rkfoote Mar 31, 2010

What is a power policy? In short it’s a policy of when (or not) the manageability engine (ME) should be happily humming away. It’s important because there may be times you may not want the ME to be running. For example, you don’t want the ME running while your laptop is powered off and not plugged in (otherwise you’d wonder why your battery is always dead).


AMT has had many different options for power policies over the years (I think the AMT 4.0/5.0 generations had the most options, something like 5 on desktop and 7 on mobile). For AMT 6.0, we’re down to two (so much easier!).

They look something like this:
MEBx > ME General Settings > Power Control > Intel ME ON in Host Sleep States (this is kind of a mouthful).
[ ] Mobile: On in S0
[*] Mobile: On in S0, ME Wake in S3, S4-5 (AC only)

 

Raise your hand if that makes sense to you... Anyone? If you find yourself asking what S0/S3/S4-5 means, you’re probably not alone. These map to ACPI system states (you can read about them here: http://en.wikipedia.org/wiki/Advanced_Configuration_and_Power_Interface )

In reality we really only care about a few states:
- S0 – The system is powered on
- S3 – The system is sleeping
- S4 – The system has hibernated
- S5 – The system is off
- G3 – There is no power (unplugged, and battery removed if mobile)

 

So now, looking at the second option, we have:
ME is ON in S0 (on when the system is powered up)
ME wake in S3/S4/S5 (AC Only) (the ME is running if the system is sleeping, hibernated, or off, but only if plugged in, so as not to drain your battery).

 

But what is this ME Wake?

Well, the ME has its own internal power states. Basically a high power mode and a low power mode. When you are doing management stuff (KVM sessions/Getting inventory/etc) the ME is running at full speed. If you are not using the ME it can go to sleep on its own (you can configure this in the MEBx with the “Idle Timeout” settings). This mode tells the ME to go to sleep if your machine is in a lower power state, which helps to save energy. In this mode the ME will ‘wake’ when it receives manageability traffic.


Each of these power policies has a unique ID configured (these have changed from generation to generation).  If you are using an older setup and configuration server you may see an error when setting the power policy (depends on how the setup and configuration server sets the policy). Using the latest configuration servers and/or ISV software is always the best practice.

 

Thanks

 

--Richard

I got a lot of positive feedback on my last blog about KVM Remote Control from an iPhone. That got me thinking, what else could one do from an iPhone? Here's one quick idea. Using the iPhone's web browser one could connect to AMT's web UI. From there you can do all sorts of things. In particular, a system can be turned on. This can be useful if you want to access data on your system, but it is currently turned off. Or, if the system is running a critical service that has frozen, you could force reboot the system as well. Anyhow, check out another vPro iPhone short:

 

Intel launched the all new Intel Core vPro processor family on February 4th. Rick Echevarria's keynote is now available for on-demand viewing - Check it out! Also, you can still visit the virtual launch event - where you will find many videos, white papers, and more on all of the new features available in our latest platform.

 

 

Julie_Nusom

Migrating to Windows 7?

Posted by Julie_Nusom Mar 16, 2010

This short animation explains how PCs equipped with new Intel(R) Core(TM) i5 and i7 vPro(TM) processors and Symantec's Altiris Client Management Suite can lead to a more efficient, cost effective Windows 7 deployment.

 

Watch the animation.

KVM Remote Control can give IT full interactivity with problem PCs - remotely. Find out more by watching this brief animation.

- Note some additions have been incorporated into the original posting due to excellent ensuing follow up questions and answers that have appeared in subsequent comments to this posting. The intention is that you have all the relevant information in this blog and aren't misinformed, in case you don't read through all the subsequent comments... the updated information appears towards the bottom of this posting under "new information(1)" and "new information(2)"

 

I am writing this blog posting based on a recent vPro activation project with a customer, specifically in the context of Microsoft ConfigMgr, however the principles would apply to any vPro enabled Management Console. It will specifically address an issue which was encountered which relates to the signing algorithm used by the Certificate Authority (CA). This posting is NOT intended as a general purpose vPro and PKI posting but is meant for uncovering one specific issue and its subsequent fix.

 

Brief Introduction

A Microsoft Enterprise Certificate Authority is required (e.g. with Microsoft ConfigMgr) where a certificate template is created in order to issue Web Server based certificates to vPro systems as they get provisioned. These certificates will be used to authenticate and encrypt the AMT communications between the vPro client and the vPro enabled Management Console.

 

Up until now most of the Certificate Authority Installations have been performed on Domain Controllers with Windows Server 2003. Naturally, more and more of these installs will occur on Windows Server 2008. When setting up and configuring a CA that will issue certificates on Server 2008 you need to be aware that you need to configure your CA to use the SHA-1 algorithm and NOT SHA256 or SHA512 (aka SHA-2). The reason for that is that the AMT redirection libraries of the Intel AMT SDK only support the SHA-1 signing hash algorithm. This is also mentioned in the Microsoft Technet article - http://technet.microsoft.com/en-us/library/cc161874.aspx

 

How can you tell which signing algorithm you are currently set to use?

  1. Open MMC for your Certificate Authority and select issued certificates, then select the certificate that has been issued to the vPro client you are investigating (alternatively you can select the root CA cert). Open the certificate and view the signature algorithm field in the Details tab - make sure it is set to sha1RSA.


2. You can also open MMC for your Certificate Authority, right-click and select properties; in the general tab it will state which hash algorithm is used, for example like in the screenshot below:

CA SHA.jpg

 

What are the symptoms of the signing algorithm issue?

The identification of this issue might not be immediate as provisioning will complete successfully without any issues, WebUI access works without a problem, AMT operations through the ConfigMgr Console and the OOB Mgmt Console all work fine. In fact everything works fine apart from SOL and IDER through the OOB Console. This would generally be indicative of either a PKI or Kerberos related issue or both; however the matter here is more subtle. The certificate with which there is an issue is the Web Server Duplicate based certificate that was signed by the CA using the SHA-2 algorithm. There will be no apparent errors indicating there is an issue, as there is nothing wrong per se with the certificate. However, traversing through the OOBConsol.log file (note this is different to the usual log file that is used for vPro troubleshooting - AMTOPMGR.LOG ) will reflect that the certificate being presented by the vPro client is being rejected.

 

Explanation

The issue isn't manifested immediately since it is only when attempting an SOL connection that the certificate that is based on the unsupported hash algorithm is called upon. The AMT redirection libraries that are part of the Intel AMT SDK and are used by the vPro enabled Management Consoles are restricted to SHA-1.

 

What is the solution?

You will need to change the signing algorithm to SHA-1. Normally that would entail building the CA from scratch; however with the CA based on Server 2008, there is a possibility to change this on the fly.

  1. On the Server where you have your CA installed, open a command line prompt and type: certutil -setreg ca\csp\CNGHashAlgorithm SHA1

  2. This will update the MMC CA immediately, but to ensure the CA uses this new algorithm when it issues certificates, you must restart Certificate Services.

  3. Issue a certificate from the root, and verify that the signature uses SHA1 in the details tab / signing algorithm field on the certificate.

  4. Take a vPro machine that hasn't been provisioned before (alternatively unprovision and clear out any traces/residual data on that provisioned system from AD, CA and Management Console/DB) and ensure that as part of the provisioning process a certificate is issued to that vPro machine with a SHA1 signing algorithm.

  5. Attempt to use the SOL function via the OOB Mgmt Console.

 

As a reference, please refer to: http://74.125.155.132/search?q=cache:4A4orLtypUYJ:download.microsoft.com/download/4/7/f/47f81ee5-8593-4b39-871d-2f55eb731ad6/Certificate%2520Services%2520Enhancements%2520in%2520Longhorn%2520Server.doc+SHA-2+algorithm+sub-id+0x800&cd=8&hl=en&ct=clnk&gl=uk

 

- Caution: It should be noted that it might not be possible to avoid having to rebuild the CA, as there might be residual data in the environment and certificate stores that reflects the previous SHA-2 signing algorithm. We have been able to avoid a full rebuild in our particular case.

 

- New Information (1): The IMRSDK.DLL, which is the DLL file necessary for the redirection library being used for SOL functionality, has been updated to include support for SHA-2. The IMRSDK.DLL file is part of the new AMT 6 SDK however it has also been incorporated into the AMT 5.1 SDK. When you would have installed your Management Console, it will have had the IMRSDK.DLL file which only supports SHA-1 incorporated into it. Therefore, what you can do to incorporate support for SHA-2, where it has been previously not available, is to copy this new version of the DLL over to where the existing IMRSDK.DLL resides on your management console (you can append '.old' to the file extension of the existing/old one, just in case you need to revert back, so don't delete it completely). In Microsoft ConfigMgr for example you can find this in C:\Program Files\Microsoft Configuration Manager\AdminUI\bin\i386. This is not an officially sanctioned and supported fix (i.e. you use this workaround at your own risk) however strictly technically speaking it will work. You can also seek advice from your chosen vPro enabled software vendor whether this would invalidate any support.

 

- New Information (2): There are 2 sides that require alignment for the SHA-2 support: the Management Console and the vPro client. As articulated in the original posting and ensuing thread, the solution for the Management Console is rather simple - substitute the IMRSDK.DLL file. That DLL that supports SHA-2 has been made available in the AMT 5.1 SDK and is also present of course in the AMT 6 SDK.

Note though that the SDK and the AMT Firmware are NOT the same thing. As far as the vPro client and its AMT Firmware, it also needs to be able to support SHA-2. The first iteration of AMT Firmware that supports SHA-2 is AMT 6. Therefore even AMT Firmware 5.1 doesn't support it (even though the SDK 5.1 does, but that is irrelevant). Therefore if you look at the solution in its entirety, the 1st time both server and client side will align to support SHA-2 is with AMT 6 based vPro clients. Any previous versions of AMT do not support SHA-2. Therefore the consequences of that are that if you have a mixed environment, you have to use the lowest common denominator, which will dictate using SHA-1. If you have a green-field AMT 6 and above vPro client estate, then you will be able to deploy using SHA-2.

Whilst it is technically hypothetically possible to backport SHA-2 support into AMT Firmware, just as other fixes have been introduced with interim firmware releases, this is a remote possibility at this point and would take a very long time to filter through the OEM that would need to release the firmware. When dealing with firmware as far back as AMT 2 some OEMs will be very reluctant to release anything, so arguably you as the end customer won't benefit from it even though Intel has done all that it can.

 

The official guidance at this point remains that you need to ensure your CA is set to use SHA-1 algorithm.

 

It would be good though to collect some evidence of regulations that are requiring use of SHA-2 and that could be used to see whether Intel can work on a better solution - but we need that information 1st of all to justify any significant effort - so please get in touch and articulate in as much detail as possible the requirements / environments that require use of SHA-2.

 

 

Some additional pointers of what to pay attention to with PKI (this is NOT an exhaustive list, there are more):

  1. If you have more than 1 tier in your Enterprise CA (e.g. root and issuing CA) then you will need to have the root certificate but also (and this is where most issues occur) the intermediate certificate in the trusted root certificate store of the system from which you are running your Management Console. Don't get confused with the chain of trust of the provisioning certificate; this pertains to the chain of trust of the Web Server duplicate template certificate that was issued to the vPro client as part of the provisioning process.
  2. When creating a duplicate of the Web Server template, you might intuitively select Windows Server 2008, however you actually need to select Windows Server 2003. Below is a screen shot of the options when right clicking on the Web Server template and selecting duplicate. As mentioned, select Server 2003, as mentioned in the Microsoft Technet article - http://technet.microsoft.com/en-us/library/dd252737.aspx
  3. Previously, there was also a requirement that at no point throughout the entire chain of trust of the CA should there be a certificate with public keys larger than 2048-bits. This requirement is no longer as much of a hurdle, as many of the newer AMT Firmware versions support 4096-bit public keys. All you need to do in this case is to upgrade the AMT Firmware.
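
Added example (not from the original post, and not Intel or Microsoft code): a PowerShell report of the properties discussed above for each certificate in a client certificate's chain, namely the signature algorithm, the public key size, and whether the chain builds from the certificate stores of the system it runs on. The function name, the sample subject and the in-memory sample certificate are constructed for illustration; it assumes PowerShell 5 or later on .NET Framework 4.7.2+ (or PowerShell 7).

```powershell
# Added example: audit helper written for this page.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# RSA signature algorithm OIDs and the names shown in the certificate's
# "Signature algorithm" field on the Details tab.
$SignatureNames = @{
    '1.2.840.113549.1.1.5'  = 'sha1RSA'
    '1.2.840.113549.1.1.11' = 'sha256RSA'
    '1.2.840.113549.1.1.12' = 'sha384RSA'
    '1.2.840.113549.1.1.13' = 'sha512RSA'
}

function Get-AmtChainReport {
    param(
        [Parameter(Mandatory)] [X509Certificate2] $Certificate,
        # Key-size limit the post gives for firmware that predates 4096-bit support.
        [int] $MaxKeyBits = 2048
    )

    $chain = [X509Chain]::new()
    # Revocation is a separate question; this report looks only at how the
    # chain is built and signed.
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $built = $chain.Build($Certificate)

    for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
        $c   = $chain.ChainElements[$i].Certificate
        $oid = $c.SignatureAlgorithm.Value
        $rsa = [RSACertificateExtensions]::GetRSAPublicKey($c)   # $null for non-RSA keys
        $bits = if ($rsa) { $rsa.KeySize } else { $null }
        $role = if ($i -eq 0) { 'client' }
                elseif ($c.Subject -eq $c.Issuer) { 'root' }
                else { 'intermediate' }
        $name = if ($SignatureNames.ContainsKey($oid)) { $SignatureNames[$oid] } else { $oid }

        [pscustomobject]@{
            Role           = $role
            Subject        = $c.Subject
            Signature      = $name
            Sha1Signed     = ($oid -eq '1.2.840.113549.1.1.5')
            KeyBits        = $bits
            KeyWithinLimit = ($null -ne $bits) -and ($bits -le $MaxKeyBits)
        }
    }

    if (-not $built) {
        # A missing root or intermediate on this system shows up here
        # (for example PartialChain or UntrustedRoot).
        $why = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Write-Warning "Chain did not validate on this system: $why"
    }
}

# Constructed sample: an in-memory self-signed certificate with a 4096-bit key,
# signed with SHA-256, so both columns flag it. Nothing is written to a store.
$key    = [RSA]::Create(4096)
$req    = [CertificateRequest]::new('CN=amt-client.example.test', $key,
              [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1),
              [DateTimeOffset]::Now.AddDays(30))

Get-AmtChainReport -Certificate $sample | Format-Table -AutoSize

# Against a certificate exported from the CA (path is a placeholder):
# Get-AmtChainReport -Certificate ([X509Certificate2]::new('C:\path\to\client.cer'))
```

Run it on the system that hosts the Management Console, since that is where the chain has to build.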






These videos show how small-medium businesses have benefited by working with Intel Channel Partners and leveraging PCs with Intel vPro technology.

PCs for SMBs

This is a highlight video that shows 3 SMB customer testimonials, with the SMB business owners all speaking about how they overcame their IT challenges by working with an Intel Channel Partner and by leveraging vPro enabled PCs! The SMBs are a Dr's office in Nevada, a college prep school in Georgia, and a Sweepstakes marketing firm in New York. All 3 work with Intel Channel Partners.

 

 

Success Story: The US Sweepstakes Company and Brite Computers

A great vPro SMB success story of how The US Sweepstakes Company overcame their IT challenges by working with an Intel Channel Partner and by leveraging vPro enabled PCs.

 

 

Success Story: Brookwood School and Virtual World Technologies

A success story of how a small college prep school overcame their IT challenges by working with an Intel Channel Partner and by installing vPro enabled PCs!

 

 

 

Success Story: Family Tree Medical and Kortek Solutions

A great customer testimonial success story of how Dr. Gumina and Family Tree Medical overcame their IT challenges by working with an Intel Channel Partner and by leveraging vPro enabled PCs.

 

Introduction:

802.1x is a network access control standard that some networks have enabled, depending on whether they have 802.1x capable network equipment and also what is called an AAA or RADIUS Server to serve as a gatekeeper for which systems are allowed on to the network. The conundrum with AMT is that, in order to get Out of Band (OOB) access to a vPro system, the network port will be closed unless what is called a supplicant negotiates with that RADIUS Server and has the port opened. As vPro will typically be leveraged when the system is powered off or when the OS is broken/unavailable, there needs to be a different mechanism to be able to open the port, so remote network access is possible and doesn't lock out the useful AMT functionality. 802.1x support is enabled in the firmware, however it is necessary to configure it in order to take advantage of it.

 

Earlier this week, a document was posted on the vPro Expert Centre - http://communities.intel.com/docs/DOC-4884 which provides a really great introduction to 802.1x and all the associated details. I suggest going through that document as a precursor to the following blog posting as I won't be getting into 802.1x basics here. I will focus on the steps taken to implement what is the 1st AMT 802.1x enablement in a LANDesk environment. That document will have rightfully noted that LANDesk does not support 802.1x. Does that mean that you have hit a road block? - the answer is NO.

 

Just this past week, the steps I am about to describe were implemented and validated to work successfully in a production customer environment, for what can be considered the 1st AMT 802.1x implementation in a LANDesk environment...

 

Components Required:

  1. Microsoft WinRM 2.0 (both on the vPro client and on the Server from which you will be executing a post provisioning script)
  2. Microsoft Active Directory
  3. Microsoft Enterprise Certificate Authority (unless you are using EAP-PEAP with MSCHAP v2)
  4. RADIUS Server (could be Microsoft IAS/NPS or Cisco ACS; in this case we used IAS - make sure it is set up to use AD based authentication)
  5. Intel Genscript tool
  6. Intel WS-MAN Translator (optional - was not used in this instance, but is generally recommended for volume deployment)

 

LANDesk Specific Steps Required:

  1. Latest version of LANDesk is recommended - LDMS 8.8 SP3
  2. vPro systems need to be successfully provisioned in non-TLS mode (TLS mode can also be accommodated, but a step is required thereafter to have certificates ignored as part of the 802.1x configuration; as long as you are willing to accommodate it, I would recommend provisioning in non-TLS mode for the purposes of this 802.1x solution). The reason you need to use non-TLS or circumvent TLS is that the certificates issued by the built-in LANDesk certificate authority don't have a notion of certificate revocation lists (CRL). It is technically possible to craft it in, but that would get quite complicated. Later on when WinRM is used to execute the script, the 1st thing it does when it observes a certificate is to see whether the certificate is still valid or whether it has been revoked. Since there is no CDP (CRL distribution point) field in a LANDesk issued certificate that check fails and the script will never execute. That is why you want to provision in non-TLS mode.
  3. Post provisioning step is required to be performed either in a non-802.1x environment (such as a staging area) or when the 802.1x authentication has already been negotiated (e.g. OS supplicant); otherwise this is a 'chicken and egg' scenario where the 802.1x credentials can't be placed on the vPro system because 802.1x is blocking it.

 

Post Provisioning Steps Required:

  1. Configure and generate 802.1x post-provisioning vbs script using the Intel Genscript tool
  2. Execute the vbs script either locally on the vPro client or from another system which has permissions and network connectivity to the provisioned vPro system:

    • If you are executing the script from a remote system, make sure you have Microsoft WinRM installed and properly configured on that remote system as well as on the vPro client. If you use the remote execution approach, it is more conducive for a 1:1 or limited number of systems.
    • If you are executing the script locally on the vPro client you need Microsoft WinRM installed and configured only on the vPro clients. You will also need to have the Intel WS-MAN Translator installed on a system on your network. The reason for that is that the AMT Architecture is set to receive provisioning configuration data from remote over the network through SOAP envelopes. Therefore the translator is used to reflect the configuration from local execution and 'trick' the Intel Management Engine to believe it is coming from remote. The reason you would use this local execution approach in the 1st place is that you could distribute the script just like any software distribution package and execute it in volume.

 

Configuring Microsoft WinRM:

  1. Make sure you have WinRM version 2.0 (and not 1.1) - if you are using Windows 7 on clients or Windows Server 2008 on Servers it will already be embedded with the OS.
  2. The configuration steps you require on WinRM will allow a smooth execution of the post-provisioning script; they are:
    • winrm set winrm/config/client @{AllowUnencrypted="true"}
    • winrm set winrm/config/client @{TrustedHosts="*"}


 

Configuring and Generating the Post Provisioning Script:

  1. Most of the 'magic' takes place with configuring this post-provisioning script...
  2. You will need to use the Intel Genscript tool, which has been used in the past to introduce AMT features that are not natively supported in the context of other management consoles as well.
  3. The high level steps you will be configuring in the script are:
    • Connection parameters to remote vPro system - in this case it will be http digest credentials over http connection over port 16992 as LANDesk doesn't have a notion of Kerberos.
    • Import root certificate so that any certificate that will be used thereafter can be trusted
    • Pointing to a certificate authority and certificate template to have 802.1x certificates generated on the fly for each vPro system that has the script executed against; alternatively you can point to a single already generated certificate
    • Create an 802.1x credential - this will be used to generate an AD account that will be used for authentication when connecting to the remote vPro system. This is not to be confused with the vbs level script connection that is mentioned 3 steps above which is not AD based.
    • Create a wired 802.1x profile in which you select the appropriate EAP protocol your RADIUS Server is using
  4. Execute the script with the following syntax: cscript 802.1x-script.vbs /host:hostname /domain:domainname (you can also use /IP:ipaddress; the domainname is required, otherwise the script won't execute)
  5. I have attached a sample script that we have generated which you can use as a reference point. It is specifically set up for running on a remote system and imports a certificate rather than pointing to a certificate template.
  6. A document that provides a step by step guide for configuring the script using Genscript will be made available by a fellow Intel colleague over the next couple of weeks. Stay tuned.

The other thing to mention is that this solution is in parallel to LANDesk and LANDesk LDMS will not be aware per-se. That should generally not cause an issue, but the solution would need to be maintained 'manually' if AD passwords are changed for example. Also, if there are any certificate revocations taking place, LANDesk will not be aware of them, so in general this is to be considered a standalone solution.
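
The two WinRM client settings and the script call described above, wrapped so that the relaxed settings apply only while the script runs and only to the named hosts (an added example, not part of the original post or of Genscript's output). It assumes an elevated PowerShell session on the system that executes the script, that a host list in TrustedHosts works in place of `*` when it carries the same names passed to `/host:`, and that the script's exit code is meaningful; the parameter names are hypothetical.

```powershell
# Added example: run the generated 802.1x post-provisioning script with the
# WinRM client relaxed only for the duration of the run, then restore it.
param(
    [Parameter(Mandatory)] [string[]] $AmtHost,    # provisioned vPro systems (placeholder names)
    [Parameter(Mandatory)] [string]   $Domain,     # value for /domain:, required by the script
    [string] $ScriptPath = '.\802.1x-script.vbs'   # script generated with Genscript
)

$client = 'WSMan:\localhost\Client'

# Remember the current values so they can be put back afterwards.
$saved = @{
    AllowUnencrypted = (Get-Item "$client\AllowUnencrypted").Value
    TrustedHosts     = (Get-Item "$client\TrustedHosts").Value
}

$results = @()
try {
    # Same two settings as the winrm commands above. TrustedHosts is limited
    # to the systems being configured instead of "*" (assumption: the names
    # here match the names the script connects to).
    Set-Item "$client\AllowUnencrypted" -Value 'true' -Force
    Set-Item "$client\TrustedHosts"     -Value ($AmtHost -join ',') -Force

    foreach ($name in $AmtHost) {
        & cscript.exe //nologo $ScriptPath "/host:$name" "/domain:$Domain"
        $results += [pscustomobject]@{
            Host     = $name
            ExitCode = $LASTEXITCODE   # reported as-is; its meaning depends on the script
        }
    }
}
finally {
    # Runs even when the script call fails or is interrupted, so the client
    # does not stay in the relaxed state.
    Set-Item "$client\AllowUnencrypted" -Value $saved.AllowUnencrypted -Force
    Set-Item "$client\TrustedHosts"     -Value $saved.TrustedHosts -Force
}

$results
```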

    Managed Workplace 2010 by Level Platforms

    Level Platforms delivers managed services software for IT solution providers servicing small and midsized end customers.

    www.levelplatforms.com.

    For the last several years, Level Platforms has been integrating Intel Active Management Technology (Intel AMT), built into the all new 2010 Intel® Core™ vPro™ processor family, usages into their Remote Monitoring and Management (RMM) console. Usages include remote power management and the ability to offer off-hours maintenance by using the integrated Power On and Power Off features; the ability to discover Intel vPro assets out-of-band, even when the system is powered off, for more accurate asset discovery; and proactive monitoring and alerting on system-critical boot events for faster remediation and lower operational costs.

    With the recent release of Managed Workplace 2010, Level Platforms has integrated support for Intel Serial-over-LAN and IDE redirection (SOL/IDEr).

    Intel SOL/IDEr terminal for Managed Workplace 2010

    Users of Managed Workplace will be able to create both SOL and IDE-R connections directly from its web-based central dashboard, the Service Center, so that users can use SOL to boot an unavailable device to the BIOS and view start-up POST messages.  These features allow solution providers to rapidly perform tasks remotely for faster remediation of devices that would otherwise be unavailable and require a trip to the customer site.

    With IDE‐R, users can mount an image from a network share drive, CD‐ROM or Floppy Disk image onto an Intel vPro enabled device, over a standard network connection. For the Level Platforms solution, the bootable image is located on the Managed Workplace Onsite Manager, an agentless software component at the customer site. Once an IDE‐R session is established from the management console at the service provider’s central Service Center, the Intel vPro enabled device boots from the remote media as if it were directly attached to one of its own IDE channels. With this capability MSPs can now quickly reboot corrupted systems remotely from an image within their customer network, further eliminating the need for an onsite visit.

    Intel has published a guide that details the specific steps in Managed Workplace 2010, to execute usages that take advantage of Intel vPro Technology:

    http://communities.intel.com/docs/DOC-4892

    More information about Managed Workplace 2010

    Best Practices Monitoring and Alerting

    • Get up-and-running with 24/7 best practices monitoring, alerting and management with our extensive and growing library of comprehensive Policy Modules.

    • Choose from hundreds of Policy Modules from more than 115 vendors.

    • Receive immediate alerting on the things that matter, so you can resolve issues fast.

    • Use group policies to streamline your operations and lower costs.

    Comprehensive Asset Management

    • Benefit from automatic discovery of network assets at customer sites and continually updated, accurate information.

    • Easily identify obsolete, underutilized and over-stressed assets, optimize configurations, and identify maintenance opportunities.

    • Leverage out-of-band monitoring and management for Intel® vPro™ devices and resolve problems on otherwise unavailable machines. Use SOL to boot an unavailable PC to the BIOS, or IDE-R to boot to an image.

    Rapid Remediation

    • Create lightning-fast connections from any computer with an Internet connection to any Windows or network device at any customer site.

    - Fix problems instantly without having to open inbound ports or firewalls.

    - Avoid delays and security risks resulting from traditional remote control software reliance on external websites.

    • Deploy automated scripting from the Level Platforms Script Library to configure self-heal actions, perform routine maintenance, and/or automate any support activity (for example, software deployment).

    Patch Management

    • Use extensive automated patching capabilities for Microsoft systems and software based on WSUS, ensuring customer networks are protected with immediate patching direct from Microsoft.

    • Configure patches for automated deployment or prior approval.

    Automated and On-Demand Reporting

    • Collate and compare data easily with compelling reports, including executive summaries, security, performance, server health, asset-related, and work performed reports.

    • Use reports to demonstrate your value to your customers, justify new product or project sales, and facilitate budget or infrastructure planning.

    Partner Services

    • Build your business quickly based on the best practices of successful MSPs.

    • Leverage award-winning complimentary business support and technical training.

    • Enjoy unlimited access to our comprehensive Partner Portal and forums.

    • Work with a dedicated Level Platforms Partner Development Manager (PDM) whose sole responsibility is to assist you every step of the way to success today and tomorrow.

    This has been a frequent question for many years - when will the Intel vPro capabilities appear on servers and workstations.

     

    Check out http://communities.intel.com/community/openportit/server/blog/2010/02/23/new-platform-from-lenovo--amt-on-servers

     

    The Intel AMT 6 release in 2010 also included workstation and entry-level server platforms.   The Lenovo TS200v is an example.  Other solutions are coming - check with your preferred OEM.

    If you are in the middle of, or about to commence, a vPro activation, chances are you are using remote configuration for the provisioning process. That remote configuration process starts with you obtaining a Remote Configuration Certificate from one of the available commercial certificate vendors, such as Verisign, GoDaddy, Comodo or Starfield.

    Recently there have been some changes introduced by Verisign, for which a blog was posted by a colleague of mine -

    http://communities.intel.com/community/openportit/vproexpert/blog/2010/02/12/verisign-provisioning-certs

     

    GoDaddy have also now introduced a change and if you are or were looking to purchase a certificate from them, pay attention:

    If you go to the GoDaddy website - www.godaddy.com you will see that there are either Standard or Premium Certificates advertised on the home page. However - and this is the crucial bit of information pertaining to vPro - you actually need a Deluxe certificate and not a Premium certificate. Premium and Deluxe sound very similar, but the thumbprint for the Premium certificate is different to the thumbprint of the Deluxe certificate and doesn't correspond to the hash that is embedded in the AMT Firmware! Remember the hash = the thumbprint. If the hash is not already embedded in the firmware then it defeats the purpose of obtaining a commercial remote configuration certificate, as you will need to manually enter the corresponding hash through the ME/BX screen on each vPro client (or use a USB Key method).

    You can still contact GoDaddy customer support (over the phone) and request a Deluxe certificate as stated on the GoDaddy website: http://help.godaddy.com/article/5260

     

    The other thing to make you aware of is that if you obtain a Trial certificate from GoDaddy, or any other commercial certificate vendor, (because you want to test the process before deciding to spend money) then the thumbprint and hence the hash is different to the hash that is embedded in the AMT Firmware, so you will need to manually enter it through the ME/BX screen on the vPro client. That is ok for testing purposes on a small scale, but probably not what you want for a production deployment.

    For the past couple of years, small businesses have been hunkered down fiscally, purse strings tightly knotted.  Every area felt the impact, including the upgrade to new PCs.  As the downturn ebbs, SMBs may still be hesitant to lay down dollars for new computers.  After all, they still run the programs I use, right?

    Market research firm Techaisle studied 1000 small businesses in the US, UK, China, Brazil and India, an endeavor funded in part by Intel and Microsoft, that demonstrates that thinking is likely costing businesses big bucks as workers cool their heels waiting for ever more numerous costly repairs.  In addition, the study points out that businesses also take it on the chin from compromised security, and losing advantages from new applications and technologies in new PCs.

    According to Techaisle, laptops and desktop computers older than three years experience 40 percent more downtime – 50 hours per year – and cost 1.5 times more to maintain.  From an example in the study of a representative small business with five PCs – two older and three newer than three years – the study demonstrates that replacing the two oldest computers would save the company $1,500, roughly the cost of a couple of laptops or three desktop PCs.

    Underlying the savings in more efficient maintenance and enhanced productivity, Techaisle pointed to innovations in PC software and hardware.  Techaisle suggested upgrading to Microsoft’s Windows 7, in particular Windows 7 Professional, rather than Home Premium, for its advantages in security, collaboration, manageability and compatibility with older applications.

    Looking at recent hardware innovations, Techaisle sees advantages in PCs with faster, multicore processors, among those the 2010 Core vPro processor family, which also offer improved graphics, energy efficiency and wireless communication.

    After looking at all of these angles, Techaisle concluded that “price conscious small businesses would benefit significantly from replacing older PCs with modern PCs.”  I’d be interested in hearing from small-business owners and others about their PC refresh experiences.  So, let me have your thoughts.

    There is also more information on Microsoft’s Windows for your Business site from Sandrine Skinner, director, product management for Microsoft.

    Joakim Lialias

    Microsoft Marketing Alliance Manager

    Intel Corporation

    We are glad to announce that the boards listed in the attached document have been verified to be Intel AMT 6.0 ready, in accordance with the test specification (as stated in the IBL# 441978).

    Kyle, one of our engineers, was ramping on 802.1x and Radius. He discovered that there really wasn't a lot of information out there on the topic and decided to document his learnings - to make the ramp easier for others. Take a look and let us know what you think. Does it answer your questions?

     

    Knowledge Transfer: 802.1x and Radius Servers

    Want to control your new system with Intel vPro Technology (AMT 6) from your iPhone? All I did was use my Reference Design to enable KVM. Then I installed Real's iPhone viewer from the app store. The rest was elementary.

    Reference Design
    http://communities.intel.com/docs/DOC-4795

     

    iPhone Viewer

    http://www.realvnc.com/products/iphone/index.html

     

     

    See what happens when you let me play with the flip camera!?

    Today, RealVNC has launched its VNC Viewer Plus for Intel KVM.

     

    This is a direct link to the website: http://www.realvnc.com/products/viewerplus.

     

    RealVNC has also made a 90-day evaluation version available, so you can get going with your Intel AMT 6.x hardware today without paying a cent!

     

    Happy KVM'ing from us folks here in the UK! 
