Intel just released Version 3.0 of the PowerShell Module for Intel vPro Technology. I am new to the team and I am excited about being asked to be the one to talk about it.

 

The first feature in the 3.0 version of vPSM (the Intel vPro PowerShell Module) I would like to talk about is the finished implementation of the amtsystem PowerShell drive provider. We shipped a beta of the PS-Drive provider in the 2.0 release, and I am pleased that the implementation is now complete. PowerShell drives let you navigate a logical data store with the same cmdlets you use on a file system. Familiar examples of drive providers are the Windows registry (HKLM:, HKCU:) and the certificate store (Cert:).

 

Intel has implemented a drive provider (amtsystem) that exposes AMT. A remote Intel vPro client is mapped with the New-PSDrive command, and the local system is exposed as the HECI: drive automatically when the IntelvPro module is imported.

 

If you don't have the 3.0 module yet, download at http://software.intel.com/file/34909

To get started using the amtsystem PowerShell drive provider, the first thing to do is import the IntelvPro Module:

 

Import-Module IntelvPro

 

The local HECI drive is mapped when the IntelvPro module loads. Go ahead and list the drives:

 

Get-PSdrive


 

Now, change to the HECI drive and list its contents

 

CD HECI:

Get-ChildItem (or dir)


 

On my un-provisioned system, I only see the config directory. So to see the versions of the different components on my system, I run:

 

Get-ChildItem .\Config\Etc\CodeVersions


 

 

Now, on to the more interesting (and in my mind useful) remote PS-Drive mapping.

 

Let’s map a New-PSDrive to a remote vPro system.  To do so, run the following command from the PowerShell console:

 

New-PSDrive -Name AMT -PSProvider amtsystem -Root "\" -ComputerName vproclient.vprodemo.com -Credential $myPScredential

 

If your AMT client is configured in TLS mode (TLS-encrypted traffic over AMT port 16993), add the -TLS switch to the command. Without it the session runs in the clear over port 16992, so the logs, the inventory and any settings you change cross the network unencrypted.

The name of the drive can be whatever you would like, we have settled on a name of AMT for consistency, but feel free to change this.

 

If you type Get-PSDrive again you will see the PS-Drive with the name (in our case AMT) you gave it.

 

 

Now that the AMT PowerShell Drive is mapped, you can browse and navigate the remote system in a similar fashion as a normal file system drive:

Set-Location AMT:\ (or cd AMT:)
Get-ChildItem (or dir) (or ls)


 

What can we do with this newly mapped drive? Get-Content displays the AMT event log:


Get-Content AMT:\logs\EventLog


 

And the same for the AMT Access Monitor (Audit Log):

 

Get-Content AMT:\logs\AccessMonitor


 

We can enumerate the system Hardware Inventory and dump the data to a file for auditing purposes:

 

Get-ChildItem -Recurse AMT:\HardwareAssets | Out-File C:\PS\HWInv.txt

 

If that is too much info we could focus on the BIOS:
Get-ChildItem -Recurse AMT:\HardwareAssets\BIOS


 

To turn IDE-R on:

Set-Item AMT:\Config\Redirection\IderEnabled -value "True"

 

To turn KVM User consent off:

Set-Item AMT:\Config\KVM\UserConsent -Value "False"

With consent off, a console can open a KVM session without the user approving the on-screen PIN, so treat this as a recorded policy decision rather than a convenience toggle.

 

To change the AMT hostname:

Set-Item AMT:\Config\etc\Hosts\HostName -Value "NewHostName"

 

Add a new user and give them rights:

New-Item AMT:\Config\ACL\Digest\NewDigestUser -Password P@ssw0rd

Set-ItemProperty AMT:\Config\ACL\Digest\NewDigestUser -Name Privileges -Value RC,REDIR,EVTLOG

Note that -Password takes the password as a plain string, so it ends up in the console history and in any transcript; pick a strong one and clear the history afterwards. REDIR is the redirection realm, which lets the account open IDE-R and SOL sessions, so grant it only to accounts that need it.

Then let us check the properties:

Get-ItemProperty AMT:\Config\ACL\Digest\NewDigestUser
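The whole procedure above rolled into one script, as an added example (this is not code from the original post or from the IntelvPro module's own samples). It maps the remote drive with a prompted credential instead of a pre-built $myPScredential, pulls both logs and the hardware inventory to disk, reads back the two settings that matter most (IDE-R and KVM user consent) and lists every digest user with its privileges, flagging those that hold REDIR. It stays read-only, so it never puts a password on the command line the way New-Item -Password does. The host name, the C:\PS output folder and the TLS flag are assumptions, as is the assumption that Get-Item and Get-ItemProperty read back the values the post writes with Set-Item and Set-ItemProperty.

```powershell
# Added example, not from the original post: read-only audit of a remote Intel AMT
# system through the IntelvPro module's amtsystem drive provider. Host name, output
# folder and the TLS flag are assumptions for your environment; every AMT:\ path
# used below is one the post itself shows.
Import-Module IntelvPro

$target = 'vproclient.vprodemo.com'   # placeholder host from the post
$outDir = 'C:\PS'                     # assumption: report folder, must already exist
$useTls = $true                       # assumption: client provisioned in TLS mode (port 16993)
$cred   = Get-Credential -Message "AMT credentials for $target"   # prompted, never hard-coded

$driveArgs = @{
    Name         = 'AMT'
    PSProvider   = 'amtsystem'
    Root         = '\'
    ComputerName = $target
    Credential   = $cred
}
if ($useTls) { $driveArgs['TLS'] = $true }   # the -TLS switch described in the post
New-PSDrive @driveArgs | Out-Null

try {
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $prefix = Join-Path $outDir "$target-$stamp"

    # 1. Firmware event log and access monitor (audit log), kept on the management
    #    side so they survive even if someone later clears them on the client.
    Get-Content AMT:\logs\EventLog      | Out-File "$prefix-EventLog.txt"
    Get-Content AMT:\logs\AccessMonitor | Out-File "$prefix-AccessMonitor.txt"

    # 2. Hardware inventory, full tree (the BIOS branch alone is AMT:\HardwareAssets\BIOS).
    Get-ChildItem -Recurse AMT:\HardwareAssets | Out-File "$prefix-HWInv.txt"

    # 3. Settings that decide how much a console can do without the user noticing.
    #    Assumption: Get-Item reads back the value that Set-Item writes to these paths.
    $settings = foreach ($path in 'AMT:\Config\Redirection\IderEnabled', 'AMT:\Config\KVM\UserConsent') {
        [pscustomobject]@{
            Setting = $path
            Value   = (Get-Item $path | Out-String).Trim()
        }
    }

    # 4. Digest users and their privileges. REDIR is the redirection realm (IDE-R/SOL),
    #    so any account holding it can boot the machine from a remote image.
    #    Assumption: Get-ItemProperty -Name Privileges returns the value the post sets.
    $users = foreach ($u in Get-ChildItem AMT:\Config\ACL\Digest) {
        $priv = (Get-ItemProperty "AMT:\Config\ACL\Digest\$($u.PSChildName)" -Name Privileges).Privileges
        [pscustomobject]@{
            User        = $u.PSChildName
            Privileges  = "$priv"
            CanRedirect = [bool]("$priv" -match '\bREDIR\b')
        }
    }

    $settings | Format-Table -AutoSize | Out-File "$prefix-Settings.txt"
    $users    | Format-Table -AutoSize | Out-File "$prefix-DigestUsers.txt"

    # Surface the accounts worth a second look in the console as well.
    $users | Where-Object { $_.CanRedirect }
}
finally {
    Remove-PSDrive -Name AMT   # do not leave an authenticated drive lying around in the session
}
```

Run it from an elevated console with the IntelvPro module installed; the four report files land in $outDir with the host name and a timestamp in their names so successive runs can be diffed. The CanRedirect column is the quick answer to the question an auditor asks first: who can boot this box from a remote image?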

 

Please do not hesitate to give me your feedback and ideas for examples you would like to me cover.

 

Related Content:

PCs with built-in manageability enabled can reduce software-related deskside visits by up to 58 percent. And when global management consulting, technology services and outsourcing company Accenture wanted to deliver a solution that could cut response time, deliver better user productivity, and start automation immediately after connection, it turned to the Intel® Core™ vPro™ processor family.


Accenture got the intelligent performance, cost-saving manageability, and smart security it needed for ARROW*, its remote resolution online workforce solution.


“It’s a fantastic marriage of Intel and ARROW to push up capability and service and drive down the cost of delivering,” said Roy Vera, partner, technology consulting service, Accenture.


For the whole story, watch our new Accenture video. As always, you can find this one, and many others, in the Intel.com Reference Room and IT Center.

 

 

*Other names and brands may be claimed as the property of others.

 

Matt Wallington and Chris Piper talk to host Michele Gartner about version 3 of the vPro PowerShell module. Check it out to learn about the new features they included this time - secure credential storage, vPro PowerShell Drive, and more cmdlets than you can shake a stick at.

How to shut down a laptop – the wrong way

When you want to quickly shut down a laptop, how do you do it? Shut the lid and let it go into hibernation mode? Shutting a laptop down this way has many benefits; one of the greatest is the ability to resume work quickly. If you merely open the lid, the laptop resumes right where you were, with applications and files open and ready to use. The downside is that this method also creates a big problem for your laptop protection, especially if you use disk encryption tools.

 

 

If you use hard disk encryption, closing the lid leaves the laptop in a state with greater potential for unauthorized access. It goes to standby with applications ready to run and the encrypted volume still unlocked. On a normal boot the encryption software demands pre-boot authentication (PBA), its own login, before it will decrypt the drive. Close the lid and reopen it later, though, and the PBA is never run again: whoever lifts the lid lands at the Windows login screen with the drive already unlocked and unprotected.

 

 

Intel® Anti-Theft Technology – helping wrong become right

     Intel® Anti-Theft Technology version 3.0 (available on 2nd generation Intel® Core™ and Intel® Core™ vPro™ laptops) uses hardware-based timers to return the laptop to a state that requires PBA authentication. This provides enhanced security and further strengthens software-based encryption solutions. Here’s a breakdown of the secure solution:

 

  • The laptop is powered on but in standby (lid closed). When work is resumed (lid lifted), the laptop is rerouted to a safe state in which the operating system and applications are cleared from memory and the drive is locked again.
  • The disk encryption software then requires its own authentication before Windows will log you in. If the credentials are not entered correctly, the system shuts down again with all protections in place and active.
  • If the credentials are entered correctly, the encryption software unlocks the drive and allows the user into the laptop.

 

This solution fixes a few issues -

  • End-user noncompliance: even if the user has removed the password protection of the Windows logon window, the system is still forced back into the locked state.
  • The time a malicious user has to brute-force a password is very limited: Intel AT minimizes the opportunity to try password after password at the Windows logon.
  • The time someone has to copy memory is limited: in standby the operating system and applications are in memory, and forcing the safe state shortens that opportunity.

 

Intel AT provides advancements in laptop encryption and theft deterrence solutions. We continue to research the impacts to individuals and business, and help you understand the cost of laptop loss and theft and the value of security solutions. I’ll be here for the next few months, talking about Intel Anti-Theft Technology and end point security – stay tuned for updates on more technical capabilities and research in the cost and impact of lost laptops.

As part of a comprehensive modernization project, Underwriters Laboratories’ IT organization is developing a state-of-the-art productivity environment that demands the performance capabilities of leading-edge PCs. To give all employees the benefits of the new environment, IT needed to upgrade users from Microsoft Windows* XP to Windows* 7 and either replace or retrofit nearly two-thirds of the company’s PCs. After calculating the costs of labor and parts to upgrade older systems, IT found it could save an estimated USD 1 million over three years, and support critical business goals, by replacing them with new PCs based on the Intel® Core™ i5 vPro™ processor.

 

IT replaced 90 percent of the company’s PCs within a year and increased the share of laptops from 70 to 90 percent. The company chose Lenovo ThinkPad* T410 and X Series* laptops powered by the Intel Core i5 and i7 vPro processors. UL’s field service engineers, its heaviest users and most frequent travelers, received laptops with Intel® Solid State Drives for enhanced performance and reliability.

 

“There’s hardly a day that goes by, and certainly not a week, where we’re not hearing from our colleagues how much better the technology is, how much more effective they are in doing their jobs, and ultimately how much more effective as an enterprise we are in fulfilling our mission,” explained  Christian Anschuetz, chief information officer for Underwriters Laboratories.

 

To learn more, check out our new Underwriters Laboratories business success story and video. As always, you can find these, and many others, in the Intel.com Reference Room and IT Center.

 

 


Service providers can't turn a profit when they're stuck in traffic, running around town making desk side visits or by sitting idle in a client’s office while security patches install. But that’s just the name of the IT game. You've got to put the transportation time in to get the job done, right? Not anymore thanks to the remote management capabilities of Intel® vPro™ Technology.

 

Remote management allows you to virtually monitor, manage and repair your clients systems, no matter the state of their PC or where they are located. The multitasking efficiencies of vPro allow you to support more clients in less time. Imagine running antivirus for one system and diagnosing another while simultaneously reloading an OS on a third. It’s all about streamlining your process.

 

The remote management capabilities of vPro drastically reduce truck rolls and hardware repair times, making your job easier and your clients more at ease. Simplifying the support process saves you and your clients time and money. You'll be able to supply the support they need in less time, increasing your productivity and their satisfaction.

 

My client base has multiplied since I've enhanced my level of service with vPro. See for yourself how I get way more done than the average MSP in The Legend of Geoff Bradshaw.

 

vPro: It’s not magic, but it’s close.

 

It’s no secret that KVM Remote Control is one of my favorite vPro features. Why make a house call to fix someone’s PC when you can use KVM Remote Control to do it from your own desk? With a feature this awesome, it’s challenging to make improvements. However, we’re doing just that. With the next generation Intel Core vPro Processors, KVM Remote Control now supports resolutions up to 1920x1200 at 16 bits per pixel color depth. In addition, four core CPUs are supported due to the integration of processor graphics. This means a larger number of end users will have systems capable of KVM Remote Control, making it more widely available to the help desk.

 

For those not familiar with KVM Remote Control, check out these links.

 

KVM Remote Control - it's here!

Out-of-Box Configuration for KVM Remote Control

KVM Remote Control Technical Overview

Self-encrypting drives and software-encrypted drives are becoming more and more common in the enterprise. Government regulations and intellectual property protection are making encrypted drives more critical, but encrypted drives make balancing security and manageability challenging.

 

AMT 7 supports remote encryption management. In summary, it enables authorized users to remotely unlock encrypted hard drives and to reset encryption passwords. An encrypted drive requires someone to be present to enter a password before the system will boot to the OS. That is a problem when a remote system needs patching or maintenance and is powered down: a user would have to be there to type the password. Imagine thousands of systems with encrypted drives; patching would become impossible unless they were all left powered on. With remote encryption management, IT can remotely wake a system from a powered-down state and securely transmit the password to it. The system then continues to boot normally and can be patched. This lets enterprises encrypt hard drives and power systems down to conserve energy while still maintaining them.

 

Without Remote Encryption Management, the system would need to remain powered on, consuming energy, and potentially vulnerable to attack.  Remote encryption management can also be used to change a password on a system remotely.  vPro’s Remote encryption management works with both self encrypting drives as well as software based encryption.  Find out more by downloading the Intel AMT SDK at http://software.intel.com/en-us/articles/download-the-latest-intel-amt-software-development-kit-sdk/.

One of the great use cases for vPro is troubleshooting and fixing systems remotely when they will no longer boot into Windows. Using features such as KVM Remote Control, IDE Redirection and Remote Power Control, the help desk agent can remotely view, control and reboot a failing system. Before doing any of that, though, the agent must first locate the system on the network, that is, figure out its name or IP address.

For many large businesses, this is not a problem. For example, an agent may ask the caller for their user ID or employee number. Then the agent can look up the caller’s system in an inventory database. But what about businesses that don’t have such an inventory database? Do users know their machine names or IP addresses?

Fortunately, with Intel AMT 7, they don’t need to. Instead, all they need to do is press a series of key strokes during boot. When Intel AMT senses these keys, it will pause and display the PC’s current IP address and FQDN. The caller can then read it over the phone to the agent. I don’t know about you, but this is one of my favorite features of vPro. It’s so simple, yet it solves such a challenging issue. I included a screen shot below so you can see how it looks.


Enabling this ability is also super easy. In fact, once Intel AMT is set up and configured, this feature is on by default. To use it, reboot and press the keystrokes for Fast Call for Help; the same keystrokes trigger this message. On many machines this is Ctrl-Alt-F1, but it can vary with the machine’s BIOS, so check with the vendor or the BIOS messages to be sure.

So, let me know what you think. Is this feature useful in general? Do you have a specific use for it? What else would you like to see?

With the release of Intel AMT 7 comes an updated version of Intel SCS.   Intel SCS 7 is sometimes referred to as "Unified Provisioning" since all Intel AMT configuration models are supported within a single software package.

 

If you have been configuring Intel AMT prior to version 7, you are likely familiar with the out-of-band authentication processes required via remote configuration certificate, pre-shared keys, USB one-touch, or manual configuration. For the purposes of this article and in the Intel SCS 7 documentation, these approaches are all referred to as "Admin Control Mode". Sometimes we call it legacy provisioning.

 

With the advent of Intel AMT 7, Host based configuration was introduced along with "client control mode".   A summary is provided at Intel AMT 7 introduces Host Based Configuration.

 

The title "Unified Provisioning" refers to the single set of commands that are run on the client to check the status, perform a system discovery, initiate provisioning, or maintain the configuration of Intel AMT. One of the beauties of Intel SCS is that the client-side application, ACU_Config.exe, handles most of the logic of the discovery and configuration process. For legacy (admin control mode) operations, the request still has to be bounced off the remote configuration service (RCS) so that the out-of-band connection can occur.

 

A video demonstration of Intel SCS 7 was posted at http://www.blip.tv/file/4829946

 

The video shows Host based configuration via graphic interface (it can also be done via command line), side-by-side run of legacy and host based configuration using the same command, and a new capability called SystemDiscovery.

 

The base architecture and flow is shown in the Unified Provisioning diagram (click to enlarge).

 

The Intel SCS 7 architecture and Unified Provisioning were introduced to and tested by select customers during the past few months, with an overwhelmingly positive response.

 

Intel SCS 7 was originally designed to be integrated into and adopted by various independent software vendors. When it is available for download at ISN's Manageability and Security community, there will be a licensing statement indicating as much. Enterprise customers can download and use it in their environment with the understanding that the software is provided AS-IS for now and includes development and integration reference materials. Work is underway to make an enterprise-customer-facing version with an associated support model. For those willing to accept the licensing agreement as stated and use it on their own: give it a try.

 

More information will be posted about Intel SCS 7 in the near future.


Intro to Drive Encryption

Posted by jgardner Mar 9, 2011

     There are many different flavors of drive encryption on the market today. Just what is drive encryption, you say? Your hard drive (rotational or solid state) stores application and OS executable files as well as your user data. As more of our personal and business data lives in electronic form we need a way of “locking the desk” to keep prying eyes away from our files. The most common way of doing that today is a username and password that keeps people from viewing our information through the OS; you can also set a hard drive password for more protection. However, just as an enterprising person could use common handyman tools to dismantle your locked desk and get at your paper files, someone could use other common tools to remove your hard drive and read your electronic files directly. In the paper-file example, everything could be encoded so that only you could read what was on the paper. In much the same way you can encrypt your electronic files so that only you can read what is on the hard drive: the data is encoded and can only be decoded if you supply the proper key, in the form of a password or passphrase.

 

     What this means is that we need a mechanism to encode the data that can only be decoded with the proper key, and it has to happen in real time while you’re working with your data. This real-time encryption can be done either by software or by hardware in the hard drive itself. Most hard drives do not have this ability, but more and more drives conform to the Trusted Computing Group’s “Opal” standard, which hard drive manufacturers follow to provide on-drive encryption. Seagate had its own format called “DriveTrust” a few years ago, but it has been folded into Opal. Hardware-based full disk encryption (FDE) can be much faster than software-based solutions, but it still needs software to configure the drive. That software sets up a pre-boot authentication (PBA) area that boots before any OS and asks for your encryption credentials. You will be asked for these credentials whenever the hard drive is powered up; soft reboots do not normally require re-entering them.

 

     For drives without hardware FDE you can use one of a number of software products that encrypt and decrypt your data in real time. These do not perform as well as a hardware-based solution but have the advantage of working on almost any computer and hard drive. The Enterprise and Ultimate editions of Windows 7 and Vista include BitLocker, which encrypts the operating system volume and data volumes; only the small system partition holding the boot loader is left in the clear, which is what lets the machine start and prompt for the key. For systems that don’t support BitLocker there is a commercial product from PGP that can encrypt partitions, volumes and individual files, and there is the open-source TrueCrypt project, which encrypts partitions, whole system drives and file-based containers.

 

     With the data on your hard drive encrypted and protected from prying eyes, it is also unreadable to repair utilities that run outside the native operating system. With hardware-based encryption you can enter the passphrase at boot to unlock the drive for the utility, and because the encrypt/decrypt happens on the drive itself no other software is needed. With software-based encryption the utility must either run inside the native OS or load the encrypt/decrypt drivers for that particular product. Most of these solutions offer tools for the enterprise to centrally manage client encryption and provide methods to recover or reset forgotten passphrases. Review the needs of your environment when choosing which encryption method to use.

Knowing that Intel AMT exists in your environment has been possible for several years now.   Knowing exactly what version of Intel AMT, current configuration, network settings of the management engine (i.e. FQDN, IP address, etc), whether or not certain interfaces or features are enabled, and even more – this is very desirable.

 

A few years ago, Will Ditto at HP wrote a handy utility – iAMT SCAN.  A gap still existed.  Where was the Intel generated, publicly available utility that works even on the latest generation of Intel AMT systems?    In addition, a utility that worked even if the Intel AMT drivers were not loaded or Intel AMT had been disabled within the BIOS.

 

This is the summary of what SystemDiscovery allows with the introduction of the SCS_Discovery utility.  SCS_Discovery is a standalone component of the new Intel SCS 7.x application.   SystemDiscovery is the common command used by both utilities – SCS_Discovery and SCS 7.x.   It can be used to locally detect and collect over 60 data points of Intel AMT 2.x or higher systems.

 

Gathering this information locally on the client via XML file or Microsoft Windows registry enables the information to be collected via a custom inventory solution to a central database.   Having a central inventory of all Intel AMT systems provides a tremendous capability in making decisions to help realize the success of the technology.

 

To utilize this feature:

  • Obtain SystemDiscovery.zip from ISN's Manageability and Security community.
  • Copy files to a target client (SCSDiscovery.exe, xerces-c_2_7.dll)
  • Run the command “SCSDiscovery SystemDiscovery”
  • View the data collected in the newly created XML file in the same directory (i.e. <fqdn>.xml)
  • View the data collection in the Microsoft Windows Registry
    • 32-bit Windows - HKLM\SOFTWARE\Intel\SCS7.0\System_Discovery
    • 64-bit Windows - HKLM\SOFTWARE\Wow6432Node\Intel\SCS7.0\System_Discovery

 

For a best case scenario in collecting all data regardless of the Intel AMT version, stopping the Intel AMT Local Management Service is recommended.

 

The above steps would be modified as follows:

  • net stop lms
  • SCSDiscovery SystemDiscovery
  • net start lms
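The three-step sequence above as an added PowerShell script (not part of the original post or of the SCS tools): it stops LMS only if it was running and always restarts it, runs SCSDiscovery.exe from the folder the zip was unpacked into, then reads the result back from both registry locations listed earlier and from the newest .xml in that folder. $toolDir is an assumption; the value and element names are whatever SystemDiscovery wrote, which the post does not enumerate, so the script dumps them rather than looking for specific ones.

```powershell
# Added example, not from the original post: run SystemDiscovery with the Intel AMT
# Local Management Service stopped, as the post recommends, then read the collected
# data back from the registry and from the <fqdn>.xml file. $toolDir is an
# assumption; the file names and registry paths are the ones the post lists.
$toolDir = 'C:\Tools\SCS_Discovery'   # assumption: where SystemDiscovery.zip was unpacked
foreach ($f in 'SCSDiscovery.exe', 'xerces-c_2_7.dll') {
    if (-not (Test-Path (Join-Path $toolDir $f))) { throw "$f is missing from $toolDir" }
}

# Stop LMS only if it is running, and always put it back the way it was.
$lms        = Get-Service -Name lms -ErrorAction SilentlyContinue
$wasRunning = $lms -and $lms.Status -eq 'Running'
if ($wasRunning) { Stop-Service -Name lms }
try {
    Push-Location $toolDir                                  # the XML lands in the working directory
    & (Join-Path $toolDir 'SCSDiscovery.exe') SystemDiscovery
}
finally {
    Pop-Location
    if ($wasRunning) { Start-Service -Name lms }
}

# Registry copy: 32-bit and 64-bit locations from the post. A 32-bit discovery tool on
# 64-bit Windows writes under Wow6432Node, so check both and merge whatever exists.
$regPaths = 'HKLM:\SOFTWARE\Intel\SCS7.0\System_Discovery',
            'HKLM:\SOFTWARE\Wow6432Node\Intel\SCS7.0\System_Discovery'
$inventory = @{}
foreach ($rp in $regPaths) {
    if (-not (Test-Path $rp)) { continue }
    $props = Get-ItemProperty -Path $rp                     # values directly under the key only
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }               # skip PSPath/PSParentPath/... provider noise
        $inventory[$p.Name] = $p.Value
    }
}
$inventory.GetEnumerator() | Sort-Object Key | Format-Table Key, Value -AutoSize

# XML copy: newest <fqdn>.xml in the tool folder, flattened one level for a quick look.
$xmlFile = Get-ChildItem -Path $toolDir -Filter '*.xml' |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($xmlFile) {
    [xml]$doc = Get-Content -Path $xmlFile.FullName
    $doc.DocumentElement.ChildNodes |
        Select-Object -Property Name, InnerText |
        Format-Table -AutoSize
}
```

Run it elevated, since stopping a service and reading HKLM need administrator rights. The $inventory hash table is the piece to feed into whatever custom inventory collection you use; keyed by value name it merges cleanly with the XML data if you ever need both.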

 

The following image excerpts provide a visual preview:

  • Example of data collected into the XML file
  • Example of data collected into the registry

 

Examples how this data could be used:

  • Determining key data points about the platform: whether AMT is supported, whether KVM remote control is supported/enabled, exact versions of firmware and drivers, current configuration state, and so forth.
  • Troubleshooting assistance by knowing certain values within the management engine firmware: current IP address of the management engine (wired and wireless), current hostname and domain of both the operating system and management engine, what mode of configuration, and so forth.
  • Custom inventory collection to a central management database.   Once collected centrally, able to search across multiple systems, define custom collections, and so forth.

 

More information is available in the PDF file included with SCS_Discovery.

For those interested in learning more about Intel vPro Technology in a Symantec\Altiris environment, come to the Sacramento Altiris User Group event on March 11th (this next Friday)

 

Register at http://www.symantec.com/connect/events/sacramento-endpoint-management-user-group-mtg-friday-march-11-2011

Hopefully by now you’ve heard about Host Based Configuration. If not: Host Based Configuration lets you configure Intel® Active Management Technology by running a configuration application on the system itself. Previous versions of Intel AMT required that you configure the system remotely or through a BIOS-like configuration screen. With Intel AMT 7.0 you have a new option!

 

Because Host Based Configuration has fewer security-related requirements, Intel AMT now operates in one of two control modes depending on how it was configured.

 

If you use one of the previous configuration methods your system will be in Admin Control Mode. If you use the new Host Based Configuration method, then your system will be in Client Control Mode. In Client Control Mode there are a couple security related limitations such as:

 

  • System Defense is disabled
  • User Consent is required for all redirection operations and changes to the boot process

 

If you’ve used Intel Remote KVM you should be familiar with the User Consent screens. If not: the User Consent screen is a video overlay that presents a six-digit PIN that must be relayed to the management console in order to complete certain operations. This ensures the end user grants permission before those actions can be completed.

 

Now, on to provisioning. Included in the Intel Setup and Configuration Service is a program called ACUWizard (ACU == AMT Configuration Utility). This utility will allow you to configure AMT settings on the local machine with just a few clicks.

 

If you want, you can also save your configuration to an XML file and use those settings to configure other machines in your network. Package it up as an installer and push it to your machines as you would a normal system update.

 

Here is a link to a video with a quick demo (around 3:30 through):

 

 

Thanks!

 

--Richard

We often hear that online identity protection is becoming more and more critical. But what exactly does that mean? Imagine a typical online banking scenario. Before the bank lets you in, they want to verify that you are really you. They do this by asking for a password. But what if your password was stolen? Phishing is a common attack, with about 50,000 new phishing sites going online every day. With password theft being such an issue, your bank can’t rely on passwords alone. In the USA, if someone gets into your bank account and steals your money, the bank is on the hook to replace it. But what if someone gets in your Facebook account and sends spam as you. Or if someone gets into your medical records and makes them public? No one can undo that damage.

 

Introduction.PNG

Enter identity protection. This is accomplished by adding a second factor for authentication, also known as two-factor authentication, which improves security and mitigates attacks that steal logins and passwords. Continuing with our example, the bank would ask for something you know (the login and password) and also something you have (e.g. a One-Time Password token, aka OTP).

 

Obviously, giving something to every user is not an inexpensive approach; there is a lot of logistics in deploying and maintaining a solution like this. Many technologies can be used. One of the cheapest is a token table, a rudimentary OTP challenge/response scheme in which the service provider, besides login and password, asks the user to enter, for instance, code number 10 from their printed token table.

 

TokenTableREAL.png

 

I can’t say that this method is ineffective, but of course it has its limitations: a limited number of codes, easy to copy, and so on.

 

Some banks use an OTP token: you press the button and it generates a six-digit, time-based code that is valid for a period (usually 1 minute). As you can imagine, it’s not a cheap solution and it doesn’t scale from the user’s perspective. Take my own example: I have accounts at two different banks and each one offered me these tokens. Can you imagine having one for each bank, one for Facebook, one for Twitter, one for Amazon, and so on? In the end I’d carry a dozen of these tokens or even more.

 

TokenUnibanco.png

 

Introducing Intel® Identity Protection Technology


Intel® Identity Protection Technology (IPT) uses the same principle as a hardware token (even the same algorithms). However, the main differences are that it is embedded in the chipset, can be used by multiple service providers, and it has the potential to use a time-based token (i.e., the token is valid for just 30 seconds) or a challenge/response mechanism. It means that the service provider can send a challenge to the token based on the fact that only the correct token can provide the right answer, proving the presence or possession of the token by the user.
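The time-based token described above (a six-digit code that rolls over every 30 seconds) is the part that is easiest to misjudge, so here is an added example of how such a code is generated and how a service provider checks it. This is not code from the original post and not Intel's IPT implementation; it assumes the RFC 6238 TOTP algorithm (HMAC-SHA1 over a 30-second counter with dynamic truncation), which is what most hardware and software OTP tokens use, and the embedded key is the RFC's own published test key, constructed here so the output can be checked.

```powershell
# Added example, not from the original post: RFC 6238 time-based one-time passwords.
# Get-Totp is what the token does; Test-Totp is what the service provider does.
# Assumption: IPT's exact algorithm is not stated in the post, so this shows the
# standard TOTP construction that hardware tokens of this kind commonly use.

function Get-Totp {
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$Step = 30,
        [int]$Digits = 6
    )
    # Token and server agree on the number of whole steps since the Unix epoch.
    $counter = [long][math]::Floor($UnixTime / $Step)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }   # HMAC input is big-endian

    $hmac = New-Object System.Security.Cryptography.HMACSHA1 -ArgumentList (,$Secret)
    $hash = $hmac.ComputeHash($msg)

    # Dynamic truncation (RFC 4226): the low nibble of the last byte selects four
    # bytes; the top bit is masked so the result is a positive 31-bit integer.
    $offset = $hash[19] -band 0x0F
    $bin = (($hash[$offset] -band 0x7F) -shl 24) -bor
           ($hash[$offset + 1] -shl 16) -bor
           ($hash[$offset + 2] -shl 8) -bor
           $hash[$offset + 3]
    $code = $bin % [int][math]::Pow(10, $Digits)
    return $code.ToString().PadLeft($Digits, '0')
}

function Test-Totp {
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [Parameter(Mandatory)][string]$Code,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$Step = 30,
        [int]$Window = 1   # steps of clock drift tolerated on either side
    )
    # Every extra step accepted here is extra time a stolen code stays usable.
    for ($i = -$Window; $i -le $Window; $i++) {
        $expected = Get-Totp -Secret $Secret -UnixTime ($UnixTime + $i * $Step) -Step $Step -Digits $Code.Length
        if ($expected -eq $Code) { return $true }
    }
    return $false
}

# Constructed input: the RFC 6238 test key, so the result can be checked against the RFC.
$key = [Text.Encoding]::ASCII.GetBytes('12345678901234567890')
Get-Totp  -Secret $key -UnixTime 59
Test-Totp -Secret $key -Code '287082' -UnixTime 80    # one step of drift
Test-Totp -Secret $key -Code '287082' -UnixTime 200   # four steps later
```

With the RFC test key, Get-Totp at T=59 returns 287082, the RFC 6238 published test vector for that time; Test-Totp accepts it at T=80 (one step of drift) and rejects it at T=200. $Window is the trade-off the service provider makes: each extra step accepted on either side lengthens how long a phished or shoulder-surfed code stays usable. A production verifier would also store the last counter accepted for each user so the same code cannot be replayed within the window, and would compare codes in constant time rather than with -eq.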

 

Intel Identity Protection Technology is part of the 2nd generation Intel Core™ processors and the latest release of Intel® vPro™ Technology, so service providers can take advantage of this capability without the additional costs of physical tokens.

 

IPT can of course be used by consumers to protect their own assets, but employee remote access, healthcare services, financial transactions and the many SaaS applications now proliferating can all benefit from this affordable protection as well.

 

There are a couple of solutions out there using this technology, such as Symantec/VeriSign’s VIP authentication service and VASCO’s DIGIPASS, with more to come.

In this episode of Tech 10, I chat with Wolverine - I mean Richard Foote - about what's new with Intel AMT 7.0. Watch Richard provision a system using host based configuration - watch closely, it goes fast!


Learn how the Intel® Core™ vPro™ processor family can help by disabling lost or stolen PCs via a poison pill, and how they can be easily reactivated via server-generated passwords thanks to Intel® Anti-Theft Technology and WinMagic*.


Configuring Intel AMT via a software delivery job, over wireless or VPN, or even when the system is not physically connected to the network is now possible with Intel AMT 7. The new capability - Host Based Configuration - uses a local application and configuration file to apply the settings into the firmware.


The following simplified diagram provides an overview:

[Figure: HBP simplified diagram]


Instead of depending upon a central application - such as Intel SCS 6.x - to authenticate out-of-band and apply the settings over a secure tunnel, the Host Based Configuration approach occurs more like a normal software delivery job. The configuration process is effectively distributed out to the individual client systems. If the Intel AMT configuration requires Kerberos, TLS, or other infrastructural settings, the ACU_configurator application running on the target client negotiates the necessary certificates or settings with the infrastructure based on the contents of the XML file.

In the past, a wired LAN connection was required due to the security architecture of traditional AMT configuration models. This is no longer a requirement if host based configuration is used. The requirements of provisioning certificates and keys do not apply to host based configuration.

My first experience with host based configuration was a client system that had no network connection. All I was given was the ACU_configurator application for the client and an XML file. Using a single and simple command, I was able to configure AMT via the local host operating system.


The traditional methods of provisioning certificates and keys still exist. The security model and some features were changed to allow for host based configuration. To help differentiate, there are two configuration states/modes, as described below:

  • Client Control Mode: Host Based Configuration was used to configure the client. This mode applies ONLY to host based configuration capable systems. All Intel AMT functionality is accessible except for System Defense, which is disabled. User consent is mandatory for KVM remote control, IDE Redirect, Serial-over-LAN, and boot options (i.e. force PXE, force local CD\DVD boot, etc).
  • Admin Control Mode: Also referred to as legacy configuration, this mode applies to ALL generations of Intel AMT. It requires out-of-band authentication via certificates, preshared keys, or physically configuring the client via pre-boot methods. All AMT functionality is available, and the user consent option can be disabled for KVM remote control sessions.


During early customer trials, some customers were perfectly satisfied with Client Control Mode while others preferred Admin Control Mode. More on switching between these two modes with Intel SCS 7 will be shared later.

A common question: will Host Based Configuration be available for previous generations of Intel AMT? The short answer is that the firmware capabilities have been backported to Intel AMT 6.2. Adoption and availability of this firmware release is at the discretion of each individual OEM. With that, all Intel AMT 7.x and higher systems will support host based configuration.


More information on the ACU_configurator commands and Intel SCS 7 availability will be posted shortly. If you are actively introducing Intel AMT 7.x systems into your environment today and are anxious for more information, leave a comment below or send a private message via the community email.

The rate of change in business computing workloads is faster than ever, and customers are seeking innovations that cost-effectively manage end point devices, improve worker productivity, and secure business assets without compromise. Given these demands, I am thrilled to announce Intel’s 2nd Gen Core vPro processor family.  Intel has teamed with industry leaders to build Core vPro-based solutions that prepare businesses of all sizes for today’s challenges and whatever tomorrow may bring.

 

Judging from the enthusiastic response we are already receiving from IT organizations, press and analysts, I am pleased to note that the “reports of the PC’s death have been greatly exaggerated”.  Just as Mark Twain blasted his naysayers, the fantastic portfolio of new vPro-based hardware, software, services, and solutions from an ecosystem of >550 strong, showcases the vitality of the PC and the outstanding business value it delivers. Quite simply, the reason the PC remains the hub for business computing during this period of dramatic change in businesses’ computing is its unmatched ability to adapt.

 

Our aim with this latest version of Core vPro PCs is to provide the perfect balance of capabilities benefiting workers and IT that will bring about this revolutionary new workplace. On the productivity front, our ecosystem, optimizing for smart Intel processor features like Turbo Boost and integrated HD processor graphics, prepares customers for the demands of what some call “the consumerization of IT”, but what we see as the need for “enterprising of consumer technologies.”

This trend includes usages that debuted in people’s personal environments but are quickly ramping up in businesses (often without IT’s knowledge). Workers are multitasking nonstop. HD video conferencing, immersive media, and social networking are now being fully integrated into familiar productivity tools, with enhancements to make them “business class”. For IT, we provide the control and confidence that comes from the world’s most secure and manageable PCs. Capabilities include proven silicon-based features like AES-NI (Advanced Encryption Standard New Instructions), which accelerates data encryption, and Intel Trusted Execution Technology (TXT), which helps protect virtual environments, as well as the platform flexibility to deploy a variety of compute models, including the full spectrum of desktop virtualization and cloud computing options.

 

I mention a spectrum of choices because each business has different needs based on employee task requirements, compliance regulations, geographic considerations, etc. which are in a constant state of flux.  With vPro as the design point, our PC OEMs and software innovators including Citrix, VMware, Symantec and Microsoft are delivering great desktop virtualization solutions utilizing the performance, capability, and flexibility of intelligent clients.

 

With regard to cloud computing, some of you may be thinking… “aren’t those applications just accessed through a browser, so why does the end point matter?” It’s because the cloud is increasingly becoming “client-aware”… And that awareness stems from what we call “the 3 C’s”… Compute, Context, and Capabilities!

Read more about the 3 C's:

Along with industry standards like HTML5, Intel has developed and demonstrated Cloud API interfaces that provide enhancements based on client features. This enables cloud providers to deliver the best possible user experience through secure and policy-based application and service delivery models, rather than designing for the lowest common denominator.

 

The Enterprising of the Consumer Technologies also addresses requirements for PC companion devices like smartphones and tablets being introduced into the work environment. As PC Companion devices are providing additional reach and mobility options for the enterprise, the PC is adapting to complement new baby brothers and sisters.  Now, of course with any “first born”, it takes a little time to learn how to be the best big brother, being faster, stronger, more capable, more secure, and more self-manageable than the new arrivals… and we in the PC ecosystem are excited by the role and the responsibility of teaching, protecting, and storing the secrets of the new compute continuum family members.

 

This ever-growing spectrum of Web-enabled devices can utilize the trusted attributes of the PC as a hub that enhances and compensates for the devices’ limitations, while enabling customers to benefit from their ultra-mobility.

 

To wrap up, Business PCs with Intel Core vPro processors deliver no compromise with capabilities that enable businesses to address these evolving expectations and future proof their organizations for even more changes to come.  Performance matters to business… ensuring workers are as productive as possible and enjoy a great user experience, while confidently balancing the needs of IT control with the most secure and manageable systems.

For Europe’s MKB Bank, fail-safe disaster recovery systems are essential to protect its own and its customers’ valuable data. The bank implemented Intel® vPro™ technology to provide remote management of its disaster recovery clients, and then decided to roll the technology out across its entire desktop PC and laptop fleet in its Hungarian operations.


The bank uses Intel® Active Management Technology (Intel® AMT) to optimize remote management, maintenance, repair, and hardware and software inventory. Intel vPro technology and Intel AMT provide comprehensive security for both desktop PCs and laptops including quarantine functions that protect the network by filtering data traffic.


“If systems are breached or customers can’t contact the bank, the damage can only be calculated in the aftermath,” explained Istvan Elek, head of IT operations for MKB Bank. “But now we can ensure this does not happen thanks to Intel vPro technology.”


To learn more, read our new MKB Bank business success story. As always, you can find this one, and many more, in the Intel.com Reference Room and IT Center.

Citrix and Intel are presenting a joint online event for you and your customers on March 17. Virtual Desktops: From Wow to How will include presenters from both companies, including Mark Templeton, Citrix president and CEO, and Intel’s Etay Bogner, Chief Strategist for Desktop Virtualization, and Jesus Garcia, desktop virtualization marketing manager, both from the Intel Business Client Platform Division.


The online event will provide an insider’s view on how to make desktop virtualization a reality, including how to jumpstart your desktop virtualization. Full of practical information, this one-hour session features:

 

  • A real-world demonstration showing how desktops and applications can be delivered as a service to any user, on any device: Intel based intelligent clients, Mac*, iPhone*, BlackBerry*, iPad*
  • An insider’s look at the new features of Citrix XenDesktop* 5 and how it benefits both users and you.
  • A moderated Q&A session to learn how to get started, plus best practices from virtualization experts.

 

There will be separate sessions for ASMO and EMEA. You can get more information and register here:

 

Register here for the Americas Region.

 

Register here for Europe, Middle East, and Asia Region.
