
In our quest to make vPro great for remote remediation, we took the concept of a small Linux ISO, added in a little ROS_trigger, and poof: a new reference design code-named 2 stage boot. Our goal was to make remote booting faster by placing the remote image as close to the vPro system as possible. However, even we were surprised at how much faster this really is.


The gist is this: using IDEr, a vPro system boots a ~4Meg Linux image. This image maps a share and then downloads a bigger image into a RAM disk. Then it triggers a reboot to the RAM disk. Hence the name "2 stage boot". Check out the reference design here, which includes a step-by-step guide as well as a builder that will customize the stage 1 Linux image for your environment, no Linux experience needed.


Don't believe it's fast? Wanna see how it works? Check out the latest tech 10 episode (below). I walk Michele through using 2 stage boot and do a side-by-side speed comparison of pure IDEr vs IDEr with 2 stage boot.


KMVS is a legal firm, based in Prague, Czech Republic, specializing in copyright and intellectual property law; personal data protection; and commercial, employment, and contract law. Personal data protection is especially important, since employees often need to transport confidential client information on their laptops. KMVS needed to secure this information to prevent unauthorized access, a need that became even more urgent when one of the company’s partners lost a laptop with sensitive client information.


KMVS purchased Lenovo T510 ThinkPad* laptops powered by the Intel® Core™ i7 vPro™ processor with Intel® Anti-Theft Technology (Intel® AT). Now if an employee’s laptop is lost or stolen, KMVS can remotely disable it by sending a ‘poison pill’ through its standard Internet connection or via its integrated 3G receiver—rendering the laptop useless and ensuring the information it contains is secure. This can also be triggered if the laptop fails to check in with the central server or if it registers too many failed log-in attempts. If the company later recovers the laptop, it can quickly reactivate it with no damage to hardware or software.


“Intel Anti-Theft Technology helps us ensure that the sensitive client information stored on our laptops can only be accessed by those authorized to do so, even in the event of a theft or loss of a laptop,” explained Libor Štajer, a lawyer for KMVS.


For the whole story, read our new KMVS business success story. As always, you can find this one, and many others, in the Reference Room and IT Center.



*Other names and brands may be claimed as the property of others.

Note: The contents in this post are on topics that are not fully released or implemented.  Content is subject to change at any time.


With part 3 of the PowerShell Drives Beta that came with version 2 of the PowerShell Module for Intel vPro Technology, we are going to focus on working with the AMT 3rd Party Data Store (3PDS) through the AMT PowerShell Drive.


For those familiar with PowerShell Module for Intel vPro Technology, you already know that there are some built in CMDLets and Functions that allow you to work with the AMT 3PDS (Get-AMT3PDS, Set-AMT3PDS, Clear-AMT3PDS).  Although these still remain a viable way to work with the AMT 3PDS, we have also extended the PowerShell Module to allow the AMT 3PDS to be accessible via the PowerShell AMT Drive.


Before you begin, you need to import the module and mount the AMT PowerShell drive.

Import-Module IntelvPro

$myPSCredential = Get-Credential admin

New-PSDrive -Name AMT -PSProvider amtsystem -root "/" -computername -Credential $myPSCredential



If you set-location to AMT:\Config\3PDStorage, you will see 3 key folders:

Enterprises: Designated for the top-level 3PDS ACLs

Allocations: The physical storage locations

Registers: Correlations between the Enterprises and Allocations



If you do a Get-ItemProperty AMT:\Config\3PDStorage, you can see the associated properties including the max and current allocated storage of the 3PDS.



So to create a 3PDS location, the first thing you need to do is create a new Enterprise that the 3PDS ACLs are associated to (however, I could use an existing one if I so choose).

New-Item AMT:\Config\3PDStorage\Enterprises\Example


Then you create a new Allocation where the data will be stored.

New-Item AMT:\Config\3PDStorage\Allocations\venExample\DemoText


Then, similar to mounting a device in Linux / Unix, you mount the storage location to a virtual location:

New-Item AMT:\3PDStorage\DemoText -StoragePath \\Example\venExample\DemoText


If you do a set-location to AMT:\3PDStorage and perform a get-childitem, you will see there is a newly mounted item.


At this point, you can do a normal Set-Content and then Get-Content on the data location

Set-Content .\DemoText -Value "Hello World"

Get-Content .\DemoText





This is not limited to ASCII text: you can use the same process for writing binary data to the storage location and then read it back out into a file (the example below is just using a jpg file, but it can be any file that does not exceed the storage location size).


New-Item AMT:\Config\3PDStorage\Allocations\venExample2\DemoFile -TotalAllocationSize 102400

New-Item AMT:\3PDStorage\DemoFile -StoragePath \\Example\venExample2\DemoFile

[byte[]] $x = Get-Content -encoding byte -path C:\PS\MyPic.jpg

Set-Content -encoding byte $x -path AMT:\3PDStorage\DemoFile

Get-Content -enc byte amt:\3PDStorage\DemoFile | Set-Content c:\PS\MyPic-From3PDS.jpg -enc byte
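The two procedures above (creating the Enterprise, Allocation and mount point, then the binary write and read-back) combined into one function that also verifies the bytes that come back. This is an added example, not code from the original post: it assumes the AMT: drive is already mounted as described, that the paths behave as shown above, and that Get-ChildItem on AMT:\3PDStorage returns items with a Name property; the function name, parameter names and the SHA-256 check are this example's own.

```powershell
# Added example: round-trip a file through an AMT 3PDS allocation over the AMT PowerShell
# drive and verify its integrity on the way back. Assumes Import-Module IntelvPro and
# New-PSDrive -Name AMT ... have already run (see the start of the post).
function Copy-FileTo3PDS {
    param(
        [Parameter(Mandatory=$true)] [string] $SourceFile,   # local file to store, e.g. C:\PS\MyPic.jpg
        [Parameter(Mandatory=$true)] [string] $RestoreFile,  # where the read-back copy is written
        [string] $Enterprise     = "Example",                # 3PDS enterprise (top-level ACL)
        [string] $Vendor         = "venExample2",            # allocation vendor folder
        [string] $Allocation     = "DemoFile",               # allocation name, reused as the mount name
        [int]    $AllocationSize = 102400                    # bytes reserved in non-volatile memory
    )

    $bytes = [System.IO.File]::ReadAllBytes($SourceFile)
    # 3PDS space is fixed at allocation time: refuse a file that cannot fit rather than truncating it.
    if ($bytes.Length -gt $AllocationSize) {
        throw ("{0} is {1} bytes, larger than the {2}-byte allocation" -f $SourceFile, $bytes.Length, $AllocationSize)
    }

    $sha      = [System.Security.Cryptography.SHA256]::Create()
    $expected = [BitConverter]::ToString($sha.ComputeHash($bytes))

    # Same three steps as the post: Enterprise (ACL), Allocation (storage), mount point.
    # Re-running against an existing Enterprise/Allocation is up to the provider; the post
    # notes an existing Enterprise may be reused.
    New-Item "AMT:\Config\3PDStorage\Enterprises\$Enterprise" | Out-Null
    New-Item "AMT:\Config\3PDStorage\Allocations\$Vendor\$Allocation" -TotalAllocationSize $AllocationSize | Out-Null
    New-Item "AMT:\3PDStorage\$Allocation" -StoragePath "\\$Enterprise\$Vendor\$Allocation" | Out-Null

    # Confirm the mount appeared before writing (the post shows it via Get-ChildItem).
    $mounted = Get-ChildItem AMT:\3PDStorage | Where-Object { $_.Name -eq $Allocation }
    if (-not $mounted) { throw "mount point AMT:\3PDStorage\$Allocation was not created" }

    # Binary write and read-back, as in the post (-Encoding Byte exists in PowerShell 2.0 to 5.1).
    Set-Content -Encoding Byte -Value $bytes -Path "AMT:\3PDStorage\$Allocation"
    [byte[]] $back = Get-Content -Encoding Byte -Path "AMT:\3PDStorage\$Allocation"

    # Integrity check: the stored copy must hash to the same value as the source file.
    $actual = [BitConverter]::ToString($sha.ComputeHash($back))
    if ($actual -ne $expected) {
        throw "3PDS read-back mismatch: expected SHA-256 $expected, got $actual"
    }
    [System.IO.File]::WriteAllBytes($RestoreFile, $back)

    New-Object PSObject -Property @{
        Allocation = "AMT:\3PDStorage\$Allocation"
        Bytes      = $bytes.Length
        Sha256     = ($expected -replace "-", "")
    }
}

# Usage (file paths are placeholders):
# Copy-FileTo3PDS -SourceFile C:\PS\MyPic.jpg -RestoreFile C:\PS\MyPic-From3PDS.jpg
```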




--Matt Royer

Note: The contents in this post are on topics that are not fully released or implemented.  Content is subject to change at any time.


As we began discussing in the PowerShell Module for Intel vPro Technology: PowerShell Drives Beta - Part 1 blog, as part of the PowerShell Module for Intel vPro Technology version 2 we introduced a beta capability of accessing AMT through PowerShell Drives.  The previous blog focused mainly on getting data from AMT through the PowerShell Drive (predominantly accessing the Hardware Inventory, Access Monitor / Audit Log, and Event Log); this blog looks at a couple of examples of getting and setting AMT configuration from within the PowerShell Drive.


Before we get too deep into the AMT Configuration within the PowerShell Drive, let's take a closer look at how the data within the AMT PowerShell drive is laid out.  Off the root of the AMT PowerShell Drive, you see four folders:

  • Config
  • HardwareAssets
  • 3PDSStorage
  • Logs



HardwareAssets and Logs were discussed in the previous blog; they hold the AMT Hardware Inventory, the AMT Audit / Access Log, and the AMT Event Log.  The content within these folders is read-only data taken directly from the AMT firmware.  3PDSStorage is a mounting location for accessing the AMT non-volatile memory; we will cover this in a little more detail in a future post.  For now, let’s talk about the Config folder.



The Config folder is designed for getting and setting items that are directly related to the AMT configuration.  Within the beta implementation, you will see several key folders:

  • AccessMonitor: Configuration setting for AMT Audit log / Access Monitor and identify which AMT events to track
  • ACL: Managing digest and Kerberos users and their associated AMT permissions
  • Etc: General AMT configuration items such as network settings, AMT hostname, protocol to use, and so forth
  • KVM: How KVM Remote Control should behave
  • Redirection: Enabling and disabling of Serial over LAN and IDE-Redirection
  • Setup: Performing the initial AMT setup
  • 3PDSStorage: Configuration of the AMT non-volatile memory



Manipulating the AMT configuration is easy with the use of just a couple of core PowerShell commands: New-Item, Set-Item, Get-Item, Remove-Item, Set-ItemProperty, and Get-ItemProperty.


Examples on how to set a couple of configuration attributes:

Updating or setting the AMT HostName

Set-Item AMT:\Config\Etc\Hosts\HostName -value:"vproclient"



Disabling AMT IDE-Redirection:

Set-Item AMT:\Config\Redirection\IderEnabled "False"



Examples of working with AMT Users:

Creating a New Digest User

New-Item AMT:\Config\ACL\Digest\MyNewUser -Password P@ssw0rd



Updating the permissions on an AMT user with platform admin rights

Set-ItemProperty AMT:\Config\ACL\Digest\MyNewUser -Name Privileges -Value ADMIN,RESERVED



Updating the permissions on an AMT user with Remote Control, Redirection, and Event Log rights

Set-ItemProperty AMT:\Config\ACL\Digest\MyNewUser -Name Privileges -Value RC,REDIR,EVTLOG



Listing the permissions associated with an AMT User

Get-ItemProperty AMT:\Config\ACL\Digest\MyNewUser -Name Privileges



Removing AMT User:

Remove-Item AMT:\Config\ACL\Digest\MyNewUser
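The ACL commands above, turned into a small review of who holds platform admin rights on a client. This is an added example, not code from the original post: it assumes the AMT: drive is mounted, that Get-ChildItem on AMT:\Config\ACL\Digest returns one item per user whose Name is the user name (the post only shows New-Item and Remove-Item on that path), and that the Privileges property reads back as a comma-separated string or an array; the function names and the allow-list are this example's own.

```powershell
# Added example: report the privileges of every AMT digest user and flag accounts that
# hold ADMIN without being on an expected list. Uses the Get-ItemProperty form shown in
# the post; enumerating AMT:\Config\ACL\Digest with Get-ChildItem is an assumption.
function Get-AmtDigestPrivilegeReport {
    foreach ($user in Get-ChildItem AMT:\Config\ACL\Digest) {
        $privs = (Get-ItemProperty "AMT:\Config\ACL\Digest\$($user.Name)" -Name Privileges).Privileges
        # Normalise "RC,REDIR,EVTLOG" (string) or an array of tokens into one trimmed string array.
        $list = @(@($privs) | ForEach-Object { "$_" -split "," } |
                 ForEach-Object { $_.Trim() } | Where-Object { $_ })
        New-Object PSObject -Property @{
            User       = $user.Name
            Privileges = $list
            IsAdmin    = [bool]($list -contains "ADMIN")
        }
    }
}

function Find-UnexpectedAmtAdmins {
    # Accounts that are expected to carry ADMIN; anything else with ADMIN is reported.
    param([string[]] $AllowedAdmins = @("admin"))
    Get-AmtDigestPrivilegeReport |
        Where-Object { $_.IsAdmin -and ($AllowedAdmins -notcontains $_.User) }
}

function Set-AmtUserToOperator {
    # Drop a digest user to the Remote Control / Redirection / Event Log set from the post.
    param([Parameter(Mandatory=$true)] [string] $User)
    Set-ItemProperty "AMT:\Config\ACL\Digest\$User" -Name Privileges -Value RC,REDIR,EVTLOG
}

# Usage: print the full report, then list admins that are not on the allow-list.
# Get-AmtDigestPrivilegeReport | Format-Table User, IsAdmin, @{n="Privileges"; e={$_.Privileges -join ","}}
# Find-UnexpectedAmtAdmins -AllowedAdmins admin, helpdesk
```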



--Matt Royer

In this episode, Matt Primrose, Intel engineer, shows how Citrix XenClient and Intel vPro technology work together to simplify desktop virtualization.


Note: The contents in this post are on topics that are not fully released or implemented.  Content is subject to change at any time.


As previously noted in an earlier blog, we just released Version 2 of the PowerShell Module for Intel vPro Technology.  However, what was not mentioned is that version 2 of the PowerShell Module for Intel vPro Technology has undocumented beta features that can expose AMT as a PowerShell Drive.  Much of the vPro / AMT PowerShell Drive functionality works today; however, we do expect minor changes and additions between now and the final implementation.  Nevertheless, we wanted to get it out there to give the PowerShell community access to it so that you can start playing with it and provide feedback.


PowerShell Drives provide the ability to "map" logical data stores the same as physical data stores, such as a network drive or a directory on the local computer.  You can change location into the drive (using "set-location", "cd", or "chdir") and access the contents of the drive (using "Get-Item", "Get-Content", or "dir").  A prime example of this capability is the native support of the Windows Registry and Certificate Store as PowerShell Drives.



We have taken this same concept and exposed AMT (Remotely, Locally, and via HECI) as a PowerShell Drive.



To get started with AMT PowerShell Drives, the first thing we need to do is import the IntelvPro Module:


Import-Module IntelvPro


Second, create a New-PSDrive associated to the remote vPro / AMT system.  To do so, run the following command from the PowerShell console:


New-PSDrive -Name AMT -PSProvider amtsystem -Root "/" -ComputerName -Credential $myPScredential


Note: If your AMT client is configured in TLS mode (TLS encrypted traffic over AMT Port 16993), add the -TLS switch to the command.


If you run a Get-PSDrive, you should see the newly created PS Drive labeled with the name you gave it.


Now that you have the New AMT PowerShell Drive created, you can browse and navigate the remote AMT System in a similar fashion as a normal file system drive:

Set-Location AMT:\


Note: cd AMT:\ and dir work as well




So you may be asking… “That is great, but what can I do with it?”  Well, for one, you can perform a Get-Content and pull the AMT Event Log.

Get-Content AMT:\logs\EventLog




… or perhaps, the AMT Access Monitor (Audit Log)


Get-Content AMT:\logs\AccessMonitor



…or even enumerate the AMT Hardware Inventory and dump the data to a file for auditing purposes


Get-ChildItem -Recurse AMT:\HardwareAssets | Out-File C:\PS\HWInv.txt


…or perhaps just pull the BIOS manufacturing information remotely

Get-ChildItem -Recurse AMT:\HardwareAssets\BIOS
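The reads shown above (Event Log, Access Monitor and Hardware Inventory) collected from several clients into per-host files. This is an added example, not code from the original post: it uses only the New-PSDrive, Get-Content and Get-ChildItem forms shown in the post; the function name, the -UseTLS switch, the output folder layout and the host names are this example's own, and Import-Module IntelvPro is assumed to have run already.

```powershell
# Added example: pull the AMT Event Log, Access Monitor log and hardware inventory from a
# list of vPro clients, one PSDrive per client, writing each result to a timestamped folder.
function Export-AmtAuditData {
    param(
        [Parameter(Mandatory=$true)] [string[]] $ComputerName,   # AMT clients to collect from
        [Parameter(Mandatory=$true)] [System.Management.Automation.PSCredential] $Credential,
        [string] $OutputRoot = "C:\PS\AMTAudit",                  # placeholder output folder
        [switch] $UseTLS                                          # clients in TLS mode (port 16993)
    )

    $stamp = Get-Date -Format "yyyyMMdd-HHmmss"
    foreach ($client in $ComputerName) {
        $dir = Join-Path $OutputRoot "$client-$stamp"
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
        # Derive a valid PSDrive name from the host name so several clients can be open at once.
        $drive = "AMT_" + ($client -replace "[^A-Za-z0-9]", "_")

        try {
            if ($UseTLS) {
                New-PSDrive -Name $drive -PSProvider amtsystem -Root "/" -ComputerName $client -Credential $Credential -TLS | Out-Null
            } else {
                New-PSDrive -Name $drive -PSProvider amtsystem -Root "/" -ComputerName $client -Credential $Credential | Out-Null
            }

            # The same three reads the post demonstrates, sent to files instead of the console.
            Get-Content "${drive}:\logs\EventLog"             | Out-File (Join-Path $dir "EventLog.txt")
            Get-Content "${drive}:\logs\AccessMonitor"        | Out-File (Join-Path $dir "AccessMonitor.txt")
            Get-ChildItem -Recurse "${drive}:\HardwareAssets" | Out-File (Join-Path $dir "HWInv.txt")

            New-Object PSObject -Property @{ Computer = $client; Output = $dir; Status = "ok" }
        } catch {
            # Keep going with the next client and record the failure beside the successes.
            New-Object PSObject -Property @{ Computer = $client; Output = $dir; Status = "failed: $_" }
        } finally {
            if (Get-PSDrive -Name $drive -ErrorAction SilentlyContinue) { Remove-PSDrive -Name $drive }
        }
    }
}

# Usage (host names are placeholders):
# $cred = Get-Credential admin
# Export-AmtAuditData -ComputerName vproclient1, vproclient2 -Credential $cred -UseTLS
```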





This just scratches the surface on the many things you can do with accessing AMT within PowerShell as a PowerShell Drive.  Keep a look out on the vPro Expert Center for more usages and information on this topic.


--Matt Royer

For those that followed our previous release of the PowerShell Module for Intel vPro Technology, you know version 1 brought the following vPro / AMT Out of Band use cases to PowerShell:


  • Power Control: AMT Power Management allows you to power up, power down, or perform a power reset on a client remotely independent of Operating System state or hardware sleep state.
  • Force Boot: AMT Force boot allows you to remotely over the network reboot a client to an alternative boot device such as PXE, CD/DVD, or Local HardDrive.
  • Alarm Clock Configuration: A configurable option that allows you to set a specific or periodical interval to wake the Intel AMT Client out of sleep states.
  • System Defense: System Defense allows you to define network security policies, such as filtering out / preventing network traffic from getting to the operating system, while still having the ability to manage the client out of band.
  • 3PDS: 3PDS is a persistent, nonvolatile memory space accessible to write and read data to even when the OS is unresponsive or management agents are missing.


With the second release of the PowerShell Module for Intel vPro Technology, we have extended the PowerShell Out of Band Scenarios within the Module to include:


  • Remotely booting a client from a Remote DVD/CD ISO and floppy IMG via AMT IDE-Redirection
  • Ability to interact with AMT Serial Over LAN through the PowerShell Console
  • Light Weight Graphical User Interface built completely through PowerShell


For those that are unfamiliar with vPro / AMT IDE-Redirection functionality, IDE-R allows you to boot a client from a bootable DVD/CD ISO or Floppy IMG image stored remotely on a file share or on the computer running the PowerShell Console.  The bootable media can range from bootable Windows install media, WinPE images, Live CDs, diagnostic tools like MS DaRT, or any custom bootable media you roll on your own.  To perform a Force Boot to IDE-R from within PowerShell, the PowerShell command would look something like this:


Invoke-AMTForceBoot -ComputerName: -port:16992 -Operation:PowerOn -Device:IDER -IDERPath C:\PS\MyBootableISO.iso -Credential $MyPSCredential



In terms of AMT Serial Over LAN (SOL), SOL allows you to send console text to a remote destination and to receive keystrokes from a remote source.  Serial Over LAN can be used to interact remotely with the BIOS or a console-based (text-based) operating system on a vPro / AMT based client.


Invoke-AMTSOL -ComputerName: -port:16992 -Credential $MyPSCredential


As for the Light Weight Graphical User Interface to invoke Out of Band PowerShell commands, we have an invoke cmdlet within the vPro PowerShell module named Invoke-AMTGUI.  Our intention with including this was predominantly as a reference design on how you could invoke Out of Band PowerShell commands from within a GUI (maybe if you wanted to extend an existing solution with vPro Out of Band Capabilities); nevertheless, if you get bored of typing in the PowerShell Console, you can click instead.  One interesting feature is that the GUI will regenerate the console code (including parameters) for you.  So, you could copy and paste out of band PowerShell commands instead of looking at the integrated help (Get-Help).




You can download version 2 of the PowerShell Module for Intel vPro Technology from the following location.


--Matt Royer

I've been reading up on how to manually remove malware. It seems the process is usually something like: stop the malware process(es), delete the files, and delete the reg keys. In theory, this could be done remotely and out of band. For example, boot RDS, delete malware files and reg keys. So my question is to those who have experience removing malware. Is there a benefit to doing it out of band?


My take is that being out of band could make removal easier since the malware processes are not running and hence can't battle with you as you try to delete files and reg keys.


What do you think about remote, out of band virus removal? Are there benefits? Anyone had success or failures to report?

You may have previously read that the Intel Developer Forum was held at the Moscone Center in San Francisco last month, where thousands of your closest friends attended this annual event, which included keynote addresses, classes and a product showcase.


I'd like to share the following video with you in case you weren't able to attend.  You'll see one of our Anti-theft Technology marketing team members describe Intel Anti-theft Technology along with a demonstration of an AT-enabled Lojack for Notebooks* product from Absolute Software.



*Other names and brands may be claimed as the property of others.

In this episode, Dena Lumbang and I chat about the Intel Setup and Configuration Service. Dena talks about the improvements to Intel SCS 7 and how these improvements simplify activation. Find more Tech 10 episodes at You can find Intel SCS downloads here:



Being a vPro Uber geek, I know loads about AMT. And, while I know a fair amount about Windows, it's certainly not as much as it should be. So, I've been taking the time to brush up on my Windows debugging skills...let's fix it instead of just reinstalling. One of my favorite tools so far is Autoruns from Sysinternals. Briefly, it shows everything that Windows is starting and allows you to disable drivers, services, start keys, etc. If you don't know it, check the link. After playing with it for a bit, I realized it can be used remotely, even for a system that will not boot. Here are the 3 ways I can think of:


1 - Safe Mode

Place autoruns.exe on a .iso image. Map the image to your vPro system. Using KVM Remote Control, reboot into safe mode. The .iso should be mounted under My Computer, where you can run autoruns.exe


2 - Remote Drive Share

Boot your vPro system to the Remote Drive Share .iso and map to it. On your help desk console open autoruns.exe. Under file choose Analyze Offline System and point it to the appropriate folders on your mapped drive.


3 - Win PE

Build a basic WinPE image. During the build process add autoruns.exe to the system32 directory. Use IDEr (either directly or with Trigger a Recovery OS or 2 Stage Boot) to boot your vPro system to WinPE. At the command prompt type autoruns. Under File choose Analyze Offline System and point it to the appropriate folders on the vPro system's hard drive.


So, does anyone out there (plan to) use Autoruns? Any other tools folks like and would want to use remotely?


Linux boot discs over IDER

Posted by jake_friz Oct 6, 2010

A question I've often heard is, why don't some Linux boot disks, like Knoppix, work over IDEr? And, is Intel going to fix it? At first, this confounded me. However, after some testing, research, and talking to folks who may be geekier than...no, no one is geekier than me...I have the answers.


The reason some discs work and others do not is as simple as a driver. IDEr works by exposing a virtual IDE device through the BIOS. This device, like all devices, needs a driver. Windows has had this driver for a very long time. However, Linux has not. So, once the Linux kernel takes control and begins looking for the CD it's booting from, it can't find it, and thus it stops. However, some Linux boot disks never actually access the CD after the kernel loads. Instead, they run from RAM drives. Those Linux boot disks work over IDEr.


So, to the second question, the answer is yes. Up to now, the driver could actually be downloaded and patched into a kernel. However, starting with kernel version 2.6.37 the patch will be added into the main source tree. Here's a link to the patch submittal.


So, as Linux boot disk kernels are upgraded, they should start working. However, it is important that those who maintain the boot discs compile this driver into the kernel or as a kernel module. So, if you have a favorite Linux boot disk that has upgraded to 2.6.37 and it's still not working, verify that it has the IDEr driver.


Once 2.6.37 is out, I'll give some Linux boot disks a go and add them to my favorite IDER boot disk list. So now I'm curious, who uses Linux based recovery disks? What are they? Do they work with IDEr? Do you want them to work with IDEr?

Had a great time with Jonathan Walz & Hal Rottenberg from PowerScripting Podcast talking about the Intel vPro PowerShell Module.  Jonathan and Hal are great guys to chat with and they continue to be excellent sources of information within the PowerShell community.

If you missed the live PowerScripting Podcast where we talked about vPro and PowerShell, you can catch it here.


For a refresher on the Intel vPro PowerShell Module, please visit the following blog.


--Matt Royer

If you’re a CEO or CFO you should sit down and steady yourself before reading further.  I can’t make this easy, so I’ll just say it.  According to a 2009 study by the Ponemon Institute, the average cost of a data breach, most of which result from a lost or stolen laptops, is $6.75 million per case in the U.S. and $3.4 million globally.  Deep breath.  I’ll give you a moment.


I’m not addressing CIOs here because while they may not know the exact cost, they’re already well aware that missing laptops are an expensive and difficult problem.  They’re also doing whatever they can to mitigate the risks, one thing possibly being the use of Intel Anti-Theft Technology to completely disable PCs that may have gone astray with a “poison pill” – brick ‘em, we like to say.  Down comes the liability associated with losing customer information, corporate secrets and other data you can’t afford to have on the loose.  And, yes, that laptop can be securely unbricked remotely when Bob the accountant discovers the missing PC under the dry cleaning in the back seat of his car.


Intel and PGP, now part of Symantec, have been fighting for some time for the rights of CEOs and CFOs to lead normal lives without the shakes that come with worrying about some sales guy leaving his laptop and the plans for the company’s next widget in a Starbuck’s.


Symantec, having acquired PGP, has taken the next step today by expanding its security solution set with the introduction of PGP Whole Disk Encryption with support for Intel Anti-Theft Technology. Combining the two technologies makes data very darn secure.  It even deters thieves, who after trying to fence of few of these high-tech bricks will likely turn to more profitable work boosting cars. PGP Whole Disk Encryption also increases security when shipping PCs and lowers the cost of decommissioning older hardware.  Intel’s hardware-based Anti-Theft Technology is available in many of the latest notebooks with Intel Core i3, i5, i7 and vPro processors.


By the way, PGP Whole Disk Encryption with Intel Anti-Theft Technology also will support the new Intel instructions for the Advanced Encryption Standard, which can decrease the time to encrypt a laptop by up to 40 percent while increasing throughput on solid state drives, according to Symantec internal testing.  This may sound like technobabble, but this feature isn’t for your IT operations.  It’s for the people who use PCs and bridle every time the hourglass brings their work to a halt.  It means your PC runs faster when it’s encrypting and decrypting stuff.  So to simplify things, I’m taking the liberty of renaming it Intel Anti-Hourglass Technology.



Finally, CEOs and CFOs, talk to your CIOs about Symantec PGP Whole Disk Encryption with Intel vPro and figure out what the cost of missing laptop is for your company.  Feeling better?

I loaned a test system to a co-worker and just got it back. Unfortunately the OS is not exactly as stable as it was when I lent it. Rather than getting upset, I took this as an opportunity to showcase my new reference design, Trigger a Recovery OS Remotely. This reference design includes a trigger_ros.iso file that, when booted, locates ros.iso on the hard drive and then boots it as a RAM disk. In this way, help desk users can use IDER to trigger recovery OSs, test tools, and OS imaging partitions that are already resident on the client, all without modifying the default boot loader or partition scheme that’s on the hard drive.


Back to the issue at hand. My system is an HP 8440p. It has AMT 6 and can do KVM Remote Control. Also, the default HP hard drive scheme includes an OEM factory OS image on a 2nd partition. This partition is marked by including an empty file titled HP_WINRE. Using information in the appendix of the UCRD, I modified trigger_ros.iso to search for HP_WINRE and then have it boot that partition. I renamed trigger_ros.iso to trigger_hpre.iso and then IDER booted my ailing HP 8440p. The attached video is the result. Suffice to say, from there it was pretty easy to reimage my system remotely, getting it back up and ready for someone else to destroy it.


Valley Health provides healthcare services for residents in Virginia, West Virginia, and Maryland through six hospitals and related facilities. It wanted a reliable way to send 12-lead electrocardiogram (EKG) data between ambulances and hospitals to notify the catheterization lab before a patient’s arrival. This would enable Valley Health to treat patients sooner and minimize muscle damage during a heart attack.


Valley Health enabled wireless, two-way transmission of EKG data, electronic health records, and other lab tests using an IT architecture based on Dell PowerEdge* servers and Dell Latitude*  tablets and laptops with Intel® vPro™ technology.


Get the details in Dell’s new Valley Health business success story.  As always, you can find this one, and many others, in the Reference Room and IT Center.



*Other names and brands may be claimed as the property of others.

South Carolina’s Department of Probation, Parole, and Pardon Services (PPP) had already equipped 90 percent of its workers with tablet computers and implemented a multilayer security infrastructure. For its second-generation mobile environment, PPP wanted to increase business efficiencies, security, and manageability even more, so it upgraded all workers to high-performance laptops. The move generated more than USD 550,000 in what David O’Berry, PPP's director of IT systems and services, calls annual personal productivity savings (PPS). As PPP prepares to activate Intel® vPro™ technology, its IT team expects to make the client environment even more cost-effective, secure, and environmentally friendly.


Get all the details in our new PPP success story. As always, you can find this one, and many others, in the Reference Room and IT Center.

Intel® Active Management Technology (Intel AMT) is no longer just for business clients – now you can securely manage your servers and workstations remotely. Using built-in platform capabilities and popular third-party management and security applications, Intel AMT allows you to better discover, heal, and protect your networked assets.


In addition, Intel is piloting the Intel Hybrid Cloud, an innovative new server solution for managed service providers to offer to small-medium businesses.  It’s a subscription-based service that gives small businesses the flexibility and pay-as-you-go model of the cloud with the peace of mind of having their data on-site.  Intel AMT capabilities enable the managed service provider to remotely manage the server, saving time and money, and letting the customer focus on their business, not their IT.


Join the conversation with our experts on October 7, 2010 at 12 pm PST. You’ll have the opportunity to chat with Josh Hilliker, Jason Davidson, and Wes Shimanek.


