When attempting to configure or reconfigure Intel vPro Technology using Intel SCS 5.x or Intel SCS 7.x, if you are receiving a number of “SOAP”, “AMT Connection”, “getFullCoreVersion”, or “tcp_connect()” related errors in the logs, this blog provides insights to understand and resolve the situation.

 

The following screenshot comes from an Intel SCS 5.x environment.

[Screenshot: error log - scs.png]

 

The sections below provide a summary interpretation of the errors, common reasons these errors may be generated, insights on tools to help troubleshoot, and suggestions on how to fix.

 

What is the cause of the error?

These errors indicate a TCP/IP communications failure between Intel SCS and the target Intel AMT device. An incorrect FQDN-to-IP resolution of the address as known by the management engine is the most common reason. The error can occur before or after Intel AMT was configured.

Note: Communications to the local operating system may be working correctly. In a DHCP environment, the Intel AMT firmware will use the same IP address as the host. In a static environment, the Intel AMT firmware may be assigned a different static IP address than the host operating system. Mixed setups, where the host operating system IP is assigned via DHCP and the Intel AMT firmware is assigned a static IP, are not recommended.

How do I confirm a TCP/IP connection error?

Two approaches can be used to help confirm a TCP/IP connection error.

 

First, a simple test for Intel AMT clients awaiting configuration. From the Intel SCS server, attempt to open a telnet session to the target client on port 16993. If you are using Windows Server 2008 or a Windows 7 client, you will need to add "Telnet Client" to your features list. Use the IP address of the target client, not its name, so that name resolution is taken out of the test.

 

The following example telnet request and response indicate the target client is not listening on the stated IP address:

    telnet 192.168.0.102 16993
    Connection to 192.168.0.102… Could not open connection to the host, or on port 16993.   Connect failed

The second test is to determine what wired IP address is assigned to the Management Engine (ME) of the target Intel AMT client. Using the SystemDiscovery tool available at http://software.intel.com/en-us/articles/download-the-latest-version-of-intel-amt-setup-and-configuration-service-scs/, run the following sequence on a target client experiencing the TCP/IP communication errors (the Intel Local Manageability Service, LMS, is stopped for the duration of the discovery run and then restarted):

    net stop lms
    SCSDiscovery.exe systemdiscovery
    net start lms

When the SystemDiscovery command completes, an XML file will be located in the same directory as the ACU_Config.exe utility. The results are also written to the Windows registry. (See the SystemDiscovery User Guide PDF for more information.) Among the collected data is a field labeled "WiredIPv4".

 

The example below shows the WiredIPv4 address to be 0.0.0.0 whereas the OSIP (operating system IP address) is 192.168.0.102.

[Screenshot: WiredIPv4 address.png]

 

The expected results should show the same IP address between the WiredIPv4 (i.e. the management engine wired network interface) and the OSIP values.

 

Note: Using the SystemDiscovery tool and the custom inventory capabilities in your environment, an environment-wide assessment can be obtained. At minimum, the assessment would include the host FQDN, Intel AMT version, configuration state, host operating system IP address, and the wired IP address of the management firmware. A larger assessment report could include all SystemDiscovery fields as referenced in the SystemDiscovery User Guide.

If your output shows different yet valid IP addresses for your environment, retry the simple telnet test using the IP address listed as WiredIPv4. If that succeeds, either IP address resolution is incorrect within the environment, or a simple "ipconfig /renew" command on the client will refresh and synchronize the IP addresses.

 

If your output is similar to the results shown above, this indicates the management engine network interface never received an IP address.  Without an IP address, configuration and subsequent communication sessions will not occur.
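The decision path above (port 16993 reachable or not, WiredIPv4 equal to OSIP, different, or 0.0.0.0) can be scripted from the SCS server. The following is an added example and not code from the original post or from Intel SCS; it assumes the SystemDiscovery XML output contains elements named exactly WiredIPv4 and OSIP (the field labels shown above; confirm the element names against the SystemDiscovery User Guide), and it performs the TCP check with .NET sockets so the Telnet Client feature is not needed.

```powershell
# Added example, not from the original post. Reproduces the two checks described
# above: a raw TCP connect to the Intel AMT port, and a comparison of the
# WiredIPv4 (ME) and OSIP (host) fields from the SystemDiscovery XML output.

function Test-AmtTcpPort {
    param(
        [Parameter(Mandatory = $true)][string] $IPAddress,
        [int] $Port = 16993,        # 16993 = TLS port used in the telnet test; 16992 = non-TLS
        [int] $TimeoutMs = 3000
    )
    # Equivalent of "telnet <ip> 16993" with a bounded timeout.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($IPAddress, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false           # no answer within the timeout: nothing listening, or wrong IP
        }
        $client.EndConnect($async)  # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-AmtDiscoveryAddresses {
    param([Parameter(Mandatory = $true)][string] $XmlPath)
    # ASSUMPTION: the SystemDiscovery XML carries elements named WiredIPv4 and OSIP.
    [xml] $doc = Get-Content -Path $XmlPath -Raw
    $wired = ($doc.SelectNodes('//WiredIPv4') | Select-Object -First 1).InnerText
    $osip  = ($doc.SelectNodes('//OSIP')      | Select-Object -First 1).InnerText
    [PSCustomObject]@{ WiredIPv4 = $wired; OSIP = $osip }
}

function Test-AmtConnectivity {
    param([Parameter(Mandatory = $true)][string] $XmlPath)
    $addr = Get-AmtDiscoveryAddresses -XmlPath $XmlPath

    if ([string]::IsNullOrEmpty($addr.WiredIPv4) -or $addr.WiredIPv4 -eq '0.0.0.0') {
        # The ME wired interface never received an address: Environment Detection / Home Domain suspect.
        return "WiredIPv4 is '$($addr.WiredIPv4)': the ME has no IP address. Check the Environment Detection (Home Domain) setting before retrying configuration."
    }
    if ($addr.WiredIPv4 -ne $addr.OSIP) {
        if (Test-AmtTcpPort -IPAddress $addr.WiredIPv4) {
            return "ME ($($addr.WiredIPv4)) differs from OS ($($addr.OSIP)) but answers on 16993: fix FQDN-to-IP resolution, or run 'ipconfig /renew' on the client."
        }
        return "ME ($($addr.WiredIPv4)) differs from OS ($($addr.OSIP)) and does not answer on 16993."
    }
    if (Test-AmtTcpPort -IPAddress $addr.OSIP) {
        return "ME and OS share $($addr.OSIP) and port 16993 is open: the TCP/IP path looks healthy."
    }
    return "ME and OS share $($addr.OSIP) but port 16993 is closed: check firewalls between SCS and the client, and the BIOS/ME firmware level."
}

# Usage (path is a placeholder; use the XML written next to ACU_Config.exe):
# Test-AmtConnectivity -XmlPath 'C:\path\to\SystemDiscovery-output.xml'
```

Run it on the SCS server against the XML copied from the client; each return string maps to one branch of the troubleshooting flow above, so the script can be dropped into a larger inventory loop.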

 

Before proceeding, ensure the latest system BIOS and Intel AMT firmware are applied to the client. If you need a tool for multiple updates and prefer to create a single software package, see http://communities.intel.com/docs/DOC-4078

 

Why is the Intel AMT firmware IP address 0.0.0.0?

If the management firmware has a blank IP address and the WiredLinkStatus is Up (see example above), this may indicate an incorrect Environment Detection policy has been set. The Environment Detection firmware policy determines whether the out-of-band management network interface is open or not. The feature is set based on the Home Domains in the configuration profile and the detected domains to which the device is connected.

 

Note: For more information on Environment Detection within Intel AMT, go to http://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/ and search for "Environment Detection". The "Detail Description" and "Utilizing the Host VPN" topics provide good insights. Environment Detection is required for Remote Access (out-of-band management to internet-based clients) and for Wireless Profile synchronization between host and firmware.

 

In the example below, a domain value of “bogus.local” was set in the configuration profile although the true connection-specific DNS suffix is “vprodemo.com”.

 

Note: The connection-specific DNS suffix is the DHCP option 15 setting of the environment. In some environments, it may not align with the BIND or Active Directory DNS root domain value. If unsure what DHCP option 15 settings apply across your environment, use the SystemDiscovery tool referenced earlier. A common mistake is to assume the Active Directory root domain is the home domain setting used with Intel SCS. This leads to an incorrect configuration where "ad.company.local" was used in the Intel SCS configuration profile whereas the true connection-specific DNS suffix was "company.com".

 

Intel SCS 5.x example

[Screenshot: bogus domain SCS5.png]

Intel SCS 7.x example (Note: a warning was added to help emphasize correct setting of the Home Domain value)

[Screenshot: bogus domain SCS7.png]

 

The Domain setting within the profile is written into the firmware during the configuration process along with enabling Environment Detection. This firmware option was first introduced in Intel AMT 3.x (circa 2008). Once Environment Detection is enabled, the firmware checks its stored domain settings against the connected network settings. If they match, the system is considered inside the enterprise, the out-of-band management network interface is assigned an IP address, and so forth. If they do not match, the out-of-band management network interface is closed and subsequent out-of-band communications are blocked.

 

How do I check if Environment Detection is the underlying issue?

On a suspected client, download the Intel® AMT Diagnostics Tool available at http://communities.intel.com/docs/DOC-5582. For simplicity, run "DiagToolGUI.exe" and select "Intel® vPro™ Technology Platform". Click on "Start Scans".

[Screenshot: AMTdiagtool.png]

 

 

Once completed, click on "Proceed to Tests". You do not need to run the full list of tests. Simply click on "See Results". The results are in an NFO file which can be directly accessed or viewed within the Intel® AMT Diagnostics Tool.

Within the results, expand "Scans" followed by "AMT". Select "Get Remote Access Connection Status" similar to the example below:

[Screenshot: environment detect enabled.png]

 

The above example shows this particular client has Environment Detection enabled and the system believes it is outside the enterprise.   In this state, the Intel AMT firmware will not receive an IP address.

 

How do I fix an incorrect Environment Detection setting?

 

If the Domains setting in the configuration profile was incorrectly configured, thus causing an unexpected Environment Detection setting, currently the only method to correct it is a full Intel AMT firmware reset. This is also called "Full Unconfiguration". Some OEM platforms provide a BIOS option to reset Intel AMT at next reboot. This approach often requires a confirmation by the local user. If a BIOS option to reset Intel AMT is not available for your particular device, use the Ctrl-P boot option locally on the device to enter the MEBx (Management Engine BIOS eXtension) screens and select the appropriate options to fully unconfigure Intel AMT.

How awesome would it be to have a live, graphical, Windows-based OS that could be used to repair systems? And double the awesome factor if it could be used remotely? Use WinPE and its variants plus vPro and you can do just that. You see, WinPE is live, graphical, and Windows-based. And it can be booted and used remotely with vPro systems. To aid readers in doing this, I've been working diligently on use case reference designs that step readers through building Enhanced Remote Repair with Microsoft* Windows* PE, WinRE, and Use Intel vPro Technology and MSDaRT to Recover Remote Systems. The instructions include options for adding services like network support, a built-in VNC server (for vPro systems that don't support KVM Remote Control), and a communications back channel to integrate with Remote ISO Launcher (RIL) for automation.

 

Here's a quick overview of the various PEs and related UCRDs:

 

Enhanced Remote Repair with Microsoft* Windows* PE

This is the most basic WinPE OS and is part of Microsoft's Windows Automated Installation Kit. When booted, it provides a GUI with a window opened to CMD. At the prompt you can run tools like bcdedit, diskpart, regedit, and many more. It can be booted remotely with IDER. Using Accelerate the Intel vPro Technology IDER Boot Process, remote boot times can be decreased. With Out-of-Box Configuration for KVM Remote Control it can be easily accessed remotely. By adding network drivers, WinPE can map a network share to back up files, or access repair tools, new files, OS images, and more. By adding a VNC server, WinPE can be accessed remotely on vPro systems that do NOT have KVM Remote Control.

 

WinRE*

This is WinPE with Microsoft's standard Recovery Tools. This is included with Windows 7, which means anyone with Windows 7 can use WinRE. The tools include system startup repair, system rollback, restore from a backup image, and more. When launched, a GUI for the repair tools is opened. From there tools are run, or a CMD prompt may be opened. At the CMD prompt all tools available in WinPE are also available here.

 

Use Intel vPro Technology and MSDaRT to Recover Remote Systems

This is WinRE with even more recovery and diagnostic tools from Microsoft. It is included with Microsoft's Desktop Optimization Pack and is also known as ERD Commander. MSDaRT requires volume licensing from Microsoft. It includes everything that WinPE and WinRE do, and more. Extras include a file browser, a system scanner, and a system crash analysis wizard. When booted, all these tools are available from the GUI, and there is the familiar CMD prompt option.

 

When used with vPro, these WinPE variants greatly improve the ability to solve Windows issues remotely. The Use Case Reference Designs are geared towards making it easy for readers to put these tools into practice. So, download the reference designs and give them a try. Then, let me know what you think. Can you get any of these WinPEs up and working with vPro? Have you been able to solve any problems remotely? If not, what is missing?

*Note: the WinRE UCRD is in its final review. I will update this post with links once WinRE is ready.

ATMs, kiosks and digital signage are types of embedded devices: computer systems designed to do one or more dedicated functions, with or without user interaction. Usually these devices are located in public areas with restricted network infrastructure and have multiple locations (e.g. shopping malls, gas stations, libraries, etc.). For this type of machine, remote diagnosis and repair has tremendous value, so that the administrator can avoid unnecessary visits to reboot a machine or restore an operating system image. You can even remotely diagnose hardware problems, such as a hard disk failure, and then send the technician with the correct spare part for replacement.

 

The latest Intel® vPro™ release (i.e. with ME firmware 7.1) brings some improvements and capabilities to address this market segment:

 

  • Linux support: Until now, only Microsoft Windows was officially supported on Intel® vPro™ machines, but now Intel is productizing the Intel SCS and ME drivers, so tools will be launched for the Linux OS as well. They will not be at the same maturity level as those in the Windows world, but hopefully enough to address the embedded market, where Linux adoption is higher than in the regular PC market;
  • Wireless support on desktop motherboards: Yes, vPro now supports wireless on the desktop motherboard. Of course, it is not mandatory, but some motherboards may support it, such as the DQ67EP, and in this case you must use an Intel® Centrino® Advanced-N 6205 wireless NIC to be compliant with ME 7.1;
  • Simplified configuration tool: The Host Based Configuration (HBC) method is by far the simplest method for vPro configuration; however, the main adoption barrier of this method for embedded devices is the fact that User Consent (aka Client Control Mode) is not a viable option. To overcome this limitation, the ME 7.1 firmware kit used by OEMs to assemble the motherboard/machine now comes with a tool capable of provisioning the machine unattended and placing it in administrative control mode.

 

I would appreciate hearing from you if you have any initiative to adopt Intel® vPro™ and what kind of usage you are considering. Thanks in advance for your feedback.

I have talked about the Intel vPro hardware-based KVM. I received feedback on my post about starting KVM that it would be nice to have a short Cmdlet to easily turn the KVM feature on and off. So here it is!

 

There are many different ways to toggle the KVM enabled state; I decided to use the Intel vPro AmtSystem PowerShell drive provider. Please don't think that this is the easiest, most elegant, or only way... it is just the one I chose. Your feedback is always welcome.

 

For efficiency I started with the get-amtfirmwareversion.ps1 source located at C:\Program Files\Intel Corporation\PowerShell\Modules\IntelvPro, assuming the default install location. This source was used so I can leverage all of the parameter passing and AmtSystem drive provider logic.

 

First I removed the function header and the signature block and renamed the file "set-AMTKVM.ps1".

 

Now, what parameters do we need? Just a verb for on and off, but those seem a little informal and vague. Let's settle on enable and disable.

First add the new enable/disable parameter. Mandatory, yes. And let's only accept the strings "enable" and "disable":

    [Parameter(Mandatory=$true, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$false, Position=1,
               HelpMessage="Intel vPro KVM 'enable' or 'disable'")]
    [ValidateSet("enable","disable")]
    [String] $StateToset

 

Next, remove the lines we do not need:

    # Original block from get-amtfirmwareversion.ps1: reads the firmware core version and is no longer needed.
    Get-Item $tempAMTPSDrive":\Config\Etc\CodeVersions\AMT FW Core Version" | ForEach-Object {
        $obj = New-Object PSObject
        $obj | Add-Member -MemberType noteproperty -Name Name -value $_.Name
        $obj | Add-Member -MemberType noteproperty -Name Value -value $_.Value
        $obj | Add-Member -MemberType noteproperty -Name ComputerName -value $Comp
        $obj | Add-Member -MemberType noteproperty -Name Properties -value $_.Properties
        $Results += $obj
    }

 

In this code's place we need to connect to the already mounted $tempAMTPSDrive AmtSystem drive.

 

The item we want to change is AccessPointEnabled:

    $tempAMTPSDrive":\Config\KVM\AccessPointEnabled"

 

    if ($StateToset -eq "enable")
    {
        # Open the KVM access point in the firmware and record the new state for output.
        Set-Item $tempAMTPSDrive":\Config\KVM\AccessPointEnabled" $true
        $obj = New-Object PSObject
        $obj | Add-Member -MemberType noteproperty -Name ComputerName -value $Comp
        $obj | Add-Member -MemberType noteproperty -Name "AMT KVM State" -value Enabled
        $Results += $obj
    }
    else
    {
        # Close the KVM access point.
        Set-Item $tempAMTPSDrive":\Config\KVM\AccessPointEnabled" $false
        $obj = New-Object PSObject
        $obj | Add-Member -MemberType noteproperty -Name ComputerName -value $Comp
        $obj | Add-Member -MemberType noteproperty -Name "AMT KVM State" -value Disabled
        $Results += $obj
    }

That's it! The full source is included below.

[Screenshot: run setAMTKVM.jpg]

 

I want to explain the other items in the KVM folder.

If you have an AMT drive mounted,

    New-PSDrive -Name AMT -PSProvider amtsystem -Root "/" -ComputerName yourSystemName -Credential $yourPScredential

go ahead and get the child items to see what is there:

    cd amt:\Config\KVM
    ls

[Screenshot: get-childitem KVM directory.jpg]

 

AccessPointEnabled: determines if the AMT endpoint can serve KVM data.

EnabledByMEBX: an information flag indicating whether the KVM feature was enabled in the Intel ME BIOS eXtension.

ConsentRequired: determines if the user's consent is required and the sprite is displayed. For security, I recommend this be left on.

ConsentDisplayTimeout: the amount of time the Intel hardware displays the user consent sprite. I recommend the default.

SessionTimeout: the amount of time the session consent persists after a disconnect, useful for handling connectivity issues. I recommend the default.

DefaultScreen: which screen to display the sprite on. I recommend the primary.

RFBPassword: the Remote Framebuffer protocol password, which of course we cannot see.

UseStandardPort: determines which port KVM uses. I recommend this be left as is.
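Putting the pieces of the walkthrough together (the enable/disable parameter, the Set-Item on AccessPointEnabled, and the KVM folder items just listed) gives a standalone script. The following is an added example, not the post's full source and not part of the IntelvPro module; it assumes the IntelvPro module is installed, that its amtsystem provider exposes the Config\KVM paths shown above, and that items read from the drive expose their value through the .Value property as the get-amtfirmwareversion.ps1 code does. It goes one step further than the post by reading the settings back after the write and warning when ConsentRequired is off or the feature is not enabled in MEBx.

```powershell
# Added example (not from the original post): toggle Intel AMT KVM through the
# IntelvPro AmtSystem drive provider and verify the resulting KVM settings.
# ASSUMPTION: IntelvPro module installed; provider name "amtsystem"; item .Value holds the setting.

function Set-AMTKVM {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, Position = 0)][string] $ComputerName,
        [Parameter(Mandatory = $true, Position = 1, HelpMessage = "Intel vPro KVM 'enable' or 'disable'")]
        [ValidateSet('enable', 'disable')][string] $StateToSet,
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential] $Credential
    )

    Import-Module IntelvPro -ErrorAction Stop

    # Unique drive name so we never collide with an interactive AMT: drive.
    $driveName = 'AMT' + [guid]::NewGuid().ToString('N').Substring(0, 8)
    New-PSDrive -Name $driveName -PSProvider amtsystem -Root '/' `
                -ComputerName $ComputerName -Credential $Credential | Out-Null
    try {
        $kvmPath = "$($driveName):\Config\KVM"

        # The write: $true opens the KVM access point, $false closes it.
        Set-Item -Path "$kvmPath\AccessPointEnabled" -Value ($StateToSet -eq 'enable')

        # Read back what the firmware now reports rather than trusting the write.
        $enabled = [bool] (Get-Item -Path "$kvmPath\AccessPointEnabled").Value
        $consent = [bool] (Get-Item -Path "$kvmPath\ConsentRequired").Value
        $mebx    = [bool] (Get-Item -Path "$kvmPath\EnabledByMEBX").Value

        if ($enabled -and -not $consent) {
            Write-Warning "$ComputerName : KVM is enabled but ConsentRequired is off; the user-consent sprite will not be shown."
        }
        if ($enabled -and -not $mebx) {
            Write-Warning "$ComputerName : KVM is not enabled in MEBx; remote sessions will not work until it is."
        }

        $state = if ($enabled) { 'Enabled' } else { 'Disabled' }
        [PSCustomObject]@{
            ComputerName    = $ComputerName
            'AMT KVM State' = $state
            ConsentRequired = $consent
            EnabledByMEBX   = $mebx
        }
    } finally {
        Remove-PSDrive -Name $driveName -Force -ErrorAction SilentlyContinue
    }
}

# Usage (host name is a constructed example):
# $cred = Get-Credential -Message 'Intel AMT administrator'
# Set-AMTKVM -ComputerName 'client01.vprodemo.com' -StateToSet disable -Credential $cred
```

The try/finally ensures the temporary drive is removed even when Set-Item fails (for example, when the credential lacks the KVM realm), and the read-back makes the output reflect firmware state rather than the intended state.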


jake_friz

More Secure VPN Login

Posted by jake_friz Apr 26, 2011

I'm very excited about Intel Identity Protection Technology (IPT). It simplifies something as seemingly complex as security. In this video, I show how IPT may be used to enhance the security of a VPN login. Specifically, this uses Symantec's Verisign Identity Protection service with a Cisco SA540 Small Business appliance's internet portal based VPN. However, the basic concept may be applied to just about any web portal or VPN login.

 

 

This video is a teaser for a Use Case Reference Design that I have in the works. It will step readers through setting up what is shown in the video. I also hope to add some other VPN solutions. So, what do you think about using IPT for VPN login security? Also, are there any specific VPN solutions + IPT you'd like to see a Use Case Reference Design for?

Engineers love to talk geeky.  High speed interconnects, parallel processing, SSDs, and advanced instruction sets.  Only Wally, Alice, and Dilbert really care about these things, right?  I don’t think that’s totally true, but MSPs occasionally chide Intel by saying that Moore’s Law (which says the speed of technology doubles every 18 months to 2 years) really means that confusion around technology features doubles approximately every two years.

So even though the new generation PCs and laptops built with the second generation Intel® Core processor family provide a faster, more robust and secure experience than a three year old system built with an Intel Core 2 processor, you have to find a way to actually show that to your customers.  Because if your customers can’t see a visible difference, they’re probably not going to consider refreshing or upgrading their equipment.

That’s why at Intel, we are striving to give you proof of the smart investment and smart performance of the 2nd generation Intel® Core™ vPro™ processor family, so that you can show your customers both the tangible and intangible value they get from refreshing their technology.

 

With the 2nd generation Intel® Core™ vPro™ processor family, you’ll see improved security, manageability, and cost-effectiveness.[i] Your customers will enjoy enhanced multitasking and better adaptive performance, along with stunning graphics, all from one processor.[ii],[iii]   An MSP who had the opportunity to work with the new processor family said, “Our customers expect us to bring them new solutions that will make their business better. Intel vPro technology is that kind of solution.”

 

Second generation Intel® Core™ vPro™ processors have intelligent, hardware-assisted security features to help you quickly deploy security patches across PCs, remotely unlock encrypted drives, and manage data security settings, even when the PC is off.[iv] You can also help protect sensitive data with optional Intel® Anti-Theft Technology.[v]  By deploying PCs based on the 2nd generation Intel® Core™ vPro™ processor family, you’re giving your customers systems that have the performance and features they need to maximize their effectiveness today, as well as the headroom to handle the applications of tomorrow that will affect their competitiveness.

The second generation of smart performance runs 4,000 times faster and uses 4,000 times less energy per transistor than Intel’s first processor, the 4004 which was introduced in 1971.  While your customers probably aren’t using technology that’s 40 years old, you can still show your customer significant power savings because the remote power-on capabilities of PCs based on 2nd generation Intel® Core™ vPro™ processors allow you to turn systems off after hours and then back on before the start of the next day’s business—often saving more than $150 per year, per PC.[vi]

Don’t just take my word on all this, though.  I’m a marketing guy and I know that some people inherently distrust the people in marketing, figuring we’re just trying to sell you something (Although, I bet some of you hear the same things from your customers!).  Here’s what another MSP I met with said, “Once we’ve shown the prospective customer vPro’s capabilities and how they are integrated into our management tools, it really stands out. We simply have a deeper and better reach into the customer’s infrastructure than our competitors do.”

Eric Townsend is Director of MSP and SMB Marketing for Intel Corporation. You can contact Eric at activation@intelmsp.com.


 


[i] Intel® vPro™ Technology is sophisticated and requires setup and activation. Availability of features and results will depend upon the setup and configuration of your hardware, software, and IT environment. To learn more visit: http://www.intel.com/technology/vpro/.

[ii] Requires a system with Intel® Turbo Boost Technology capability. Intel Turbo Boost Technology 2.0 is the next generation of Turbo Boost Technology and is only available on 2nd gen Intel® Core™ processors. Consult your PC manufacturer. Performance varies depending on hardware, software, and system configuration. For more information, visit http://www.intel.com/technology/turboboost.

[iii] Available on the 2nd gen Intel® Core™ processor family. Includes Intel® HD Graphics, Intel® Quick Sync Video, Intel® Clear Video HD Technology, Intel® InTru™ 3D Technology, and Intel® Advanced Vector Extensions. Also optionally includes Intel® Wireless Display depending on whether enabled on a given system or not. Whether you will receive the benefits of built-in visuals depends upon the particular design of the PC you choose. Consult your PC manufacturer whether built-in visuals are enabled on your system. Learn more about built-in visuals at http://www.intel.com/technology/visualtechnology/index.htm.

[iv] Requires activation and a system with a corporate network connection, an Intel® AMT-enabled chipset, network hardware, and software. For notebooks, Intel AMT may be unavailable or limited over a host OS-based VPN, when connecting wirelessly, on battery power, sleeping, hibernating, or powered off. Results dependent upon hardware, setup, and configuration. For more information, visit http://www.intel.com/technology/platform-technology/intel-amt.

[v] No system can provide absolute security under all conditions. Requires an enabled chipset, BIOS, firmware and software, and a subscription with a capable service provider. Consult your system manufacturer and service provider for availability and functionality. Intel assumes no liability for lost or stolen data and/or systems or any other damages resulting thereof. For more information, visit http://www.intel.com/go/anti-theft.

[vi] Source: Green Light Business Technologies

One of the powerful features of vPro is our hardware-based KVM.

 

The easiest way to invoke an Intel vPro KVM session?

 

Install VNC Viewer Plus (built-in Intel vPro AMT support) from http://www.realvnc.com/products/viewerplus/index.html, apply a trial license, then call it from PowerShell:

    PS C:\Windows\system32> Import-Module intelvpro
    PS C:\Windows\system32> cd 'C:\Program Files (x86)\RealVNC\VNCViewerPlus'
    PS C:\Program Files (x86)\RealVNC\VNCViewerPlus> .\vncviewerplus.exe 192.168.1.100 -amtusername=admin -amtusefqdn=0

[Screenshot: call VNCviewerplus.png]

 

After calling it, I type in my digest password:

[Screenshot: starting VNCviewerplus.png]

 

There you go! Hardware KVM.

 

So let me explain how I called VNC Viewer Plus. My demo system is provisioned with a digest user name of (you guessed it) "admin", so I must pass that to VNC Viewer Plus via the -amtusername parameter. I also do not have TLS security on my (demo) network, so I set the parameter -amtusefqdn=0 to indicate I do not want to use a fully qualified domain name for TLS. Of course, if you are using TLS when managing your Intel vPro endpoints, you will need to change this so that the name presented matches the endpoint's certificate.

 

This article is a continuation of "Identity Protection, Built into the Chip", where I discussed the principles of IPT technology, now moving toward something more practical: building an IPT-capable system. Basically, the required ingredients are a 2nd generation Intel Core processor and a motherboard with the Intel Q67 Express chipset or B65 Express chipset along with AMT version 7.1. The Intel DQ67OW, DQ67SW, DQ67EP and DB65AL are four such boards. ASUS also has the P8Q67-M DO, Foxconn has the Q67M, and Gigabyte has the GA-Q67M-D2H-B3 and GA-P65A-UD3.


If your intention is to build an IPT-capable machine along with the manageability provided by Intel® vPro™, then you need the Intel Q67 Express chipset. Read Jake Gauthier's post "Build your own PC with the 2nd generation Intel® Core™ vPro Processor Family" to make sure that you select the correct CPU in order to also have KVM capability enabled in your PC.


If by any chance you decide to buy a ready-made PC instead of building your own, you also have some good options available in this list, which includes desktops and notebooks, for consumer or enterprise usage (not all vPro capable).


If you are looking for websites that use this technology, remember that it is usually offered as an opt-in service, so you must actively choose to link the PC to the account for authentication; here is the most up-to-date list of websites that support IPT.

If you want further details, read also "Access Accounts More Securely with Intel® Identity Protection Technology".

Ever wonder what platforms are in your environment? Want to find out which machines are AMT Capable, AMT Configured and Provisioned, AMT Configured and Not Provisioned, and Non-AMT Platforms? Now you can find and categorize the machines in your environment by using the SCS System Discovery Tool. This use case explains how to use the system discovery standalone tool. The tool gathers information from the ME (Management Engine) and the BIOS and stores it in a registry key. Edit the MOF files in SCCM to read this custom data, then create custom collections to categorize the machines. For more information check out the use case link:

 

Finding Intel AMT Capable Machines in Your Environment

 

Tony Plasker talks to host Michele Gartner about the Dell Integrity Secure Continuous Client in this episode. You can find more info about this product at http://content.dell.com/us/en/fedgov/fed-solutions-dell-integrity-secure-client-solution.aspx.

PGWard

One Lost Laptop is All it Takes

Posted by PGWard Apr 20, 2011

A few weeks ago, an employee lost a company-issued laptop during regular business travel containing critical personal information of more than 13,000 people. Even though the laptop had standard password-protection in place, it was not encrypted, and the whereabouts of these 13,000 individuals’ Social Security numbers, addresses and birthdates are now unknown.

 

The loss of just one laptop could affect thousands of people and thousands of laptops like this one are lost by organizations annually. In December of 2010, Intel Corporation and the Ponemon Institute released “The Billion Dollar Lost Laptop Study,” which surveyed 329 organizations in the U.S. about laptop loss. The report found that over the course of a year participants had lost more than 86,000 laptops, valuing the total cost at $2.1 billion.

 

Intel commissioned the study to aid in improving its security technologies, but also to help advance industry-wide efforts among others with a stake in the problem. The corporation continues to advance industry-wide efforts in the U.S. and abroad, and today Intel and the Ponemon Institute released the findings of a similar study conducted on 275 European organizations. Results of the study show that participating organizations lost over 72,000 laptops during a 12-month period, for a staggering total economic impact of €1.29 billion, or $1.79 billion.

 

Combining the value of laptop loss between the participating organizations in the U.S. and those of the United Kingdom, Germany, France, Netherlands, Belgium, Italy, Sweden and Spain yields $3.9 billion in damages from almost 160,000 lost laptops. Costs come not only from replacing these laptops, but also from lost intellectual property, lost productivity, and legal, consulting and regulatory expenses, among others.

 

What’s interesting is that the two studies have very similar findings.  Both found that the most common environment for laptop loss was off-site (working from a home office, hotel room or conference), while laptop theft tended to occur in-transit (in an airport or cab or train).  Like the U.S., the education and research, and health and pharmaceutical industries in Europe experienced the highest rate of laptop loss.  This is most likely due to the fact that both industries have similar characteristics like high mobility.  Both also determined that companies with 5,000 – 25,000 employees experienced the highest rate of laptop loss.  Even the chance of a lost laptop in its useful life stood between seven to eight percent for both studies.

 

Particularly discouraging is that both studies reported that roughly 30 percent of the lost laptops contained confidential data that was not encrypted.  For the European study, that is 22,856 laptops.  Any one of those laptops could have contained your personal information.

 

In both the U.S. and abroad, the number of laptops lost signals a need for action. As companies transition their employees from desktops to laptops, management needs to take a more proactive role in ensuring that appropriate safeguards are in place to protect sensitive data contained on the computer. In fact, the cost of a data breach represents 80 percent of the $49,246 total cost of a single lost laptop, compared to the two percent of the total cost necessary for replacing the computer, according to the Ponemon Institute. They also found that encryption on average can reduce the cost of a lost laptop by nearly half.

 

In addition to encryption, anti-theft and other data protection solutions, management can also implement training and awareness programs for all employees who have laptops. Policies should be put in place that require employees to report a lost or stolen laptop. Finally, employees can keep a careful watch over their laptops, especially while in transit. For more tips on how you can keep your laptop safe, check out these tips from Intel’s security expert.

Ever wanted a way to deploy a Windows 7 image using SOL and IDER without the network bandwidth impact? With the help of WinPE, a light ISO image can be created that maps a network drive and allows ghost32 or ImageX to run and load an image onto the client machines. This use case also uses RealVNC so you can connect and use the KVM (Keyboard, Video and Mouse) capabilities to see what WinPE is doing in case your image requires user intervention.

 

OS Reimaging with SOL-IDER and WinPE

One of the features we added in the 3.0 Intel vPro PowerShell module was the ability to securely store and safely retrieve user credentials.

 

AMT credentials can be securely stored in a PowerShell encrypted string using the Write-AMTCredential Cmdlet. This allows the privileged administrator to store the AMT credentials without them being exposed in plaintext for any user to view.

Once stored, an Intel vPro Cmdlet in a later PowerShell session can read the AMT credentials with Read-AMTCredential without exposing them.

 

So what is the deal? This secure storage lets us put the AMT credentials safely into PowerShell to be retrieved later when someone is running the Cmdlets, someone who we might not want to have the AMT credentials, let alone other administrative rights.

 

Putting the credentials directly into a script is a bit of a security hole. Also, assuming that every operator of a PowerShell script knows the credentials is a big assumption.

 

So, we used the PowerShell secure string to store our AMT credentials.

 

$AMTCreds = get-credential


 

Write-AmtCredential -Username $AMTCreds.UserName -Password $AMTCreds.Password


 

Now, in a different session we can load and use the credentials (first I have to import the module):

Import-Module intelvpro

$AMTCreds = Read-AmtCredential

Get-AMTFirmwareVersion -computername 192.168.1.100 -Credential $AMTCreds


 

But loading the module and setting a variable in every session gets tiring.

So let’s modify the basic profile located at %my documents%/WindowsPowerShell/Microsoft.PowerShell_profile.ps1 so that after we launch a PowerShell session we can type in vpro to have the IntelvPro module loaded and the AMT credentials set.

 

function vpro
{
    # Load the Intel vPro module into the current session
    Import-Module IntelvPro

    # -Scope 1 creates the variable in the caller's (session) scope,
    # so $AmtCreds remains available after the function returns
    New-Variable -Scope 1 -Name AmtCreds -Value (Read-AmtCredential)
}

 

Nice. Now all of the Cmdlets can be called by passing -Credential $AMTCreds to them.
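The same secure-string pattern can be reproduced with built-in PowerShell cmdlets for environments where the Intel vPro module's Write-AmtCredential/Read-AmtCredential are not available. This is an added example, not code from the Intel vPro module; the file path and function names are assumptions, and it relies on the default DPAPI protection of ConvertFrom-SecureString, under which only the same Windows account on the same machine can read the credential back.

```powershell
# Added example (not part of the Intel vPro module): store and retrieve AMT
# credentials with built-in cmdlets. Assumed storage location.
$AmtCredFile = Join-Path $env:APPDATA 'amt-credential.xml'

function Save-StoredAmtCredential {
    param([Parameter(Mandatory)][pscredential]$Credential)
    # ConvertFrom-SecureString without -Key uses DPAPI: the resulting string
    # can only be decrypted by the same Windows user on the same machine.
    $record = [pscustomobject]@{
        UserName = $Credential.UserName
        Password = ConvertFrom-SecureString $Credential.Password
    }
    $record | Export-Clixml -Path $AmtCredFile

    # Restrict the file ACL to the current user so other local accounts
    # cannot even read the (already DPAPI-protected) blob.
    $acl = Get-Acl $AmtCredFile
    $acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl $AmtCredFile $acl
}

function Get-StoredAmtCredential {
    if (-not (Test-Path $AmtCredFile)) {
        throw "No stored AMT credential at $AmtCredFile; run Save-StoredAmtCredential first."
    }
    $record = Import-Clixml -Path $AmtCredFile
    # ConvertTo-SecureString fails here if run under a different user account,
    # which is the check that keeps the blob useless to anyone else.
    $secure = ConvertTo-SecureString $record.Password
    New-Object System.Management.Automation.PSCredential($record.UserName, $secure)
}

# Usage, mirroring the module-based flow above:
# Save-StoredAmtCredential -Credential (Get-Credential)   # once, as the operator account
# $AMTCreds = Get-StoredAmtCredential                     # in any later session
# Get-AMTFirmwareVersion -ComputerName 192.168.1.100 -Credential $AMTCreds
```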

 

This article is an update to "Build your own PC with KVM Remote Control Support". Now that the new Core CPUs are out, along with AMT version 7, I wanted to share what is needed to build your own desktop PC with these new technologies. First, you need a motherboard with an Intel Q67 Express Chipset. For KVM Remote Control, also be sure the motherboard supports Intel Integrated Graphics. The Intel DQ67OW, DQ67SW, and DQ67EP are three such boards. Asus also has the P8Q67-M DO and Foxconn has the Q67M.

 

Next, you need a 2nd generation Intel® Core™ vPro Processor. Further, if you want KVM Remote Control support, you also need a CPU with Intel Integrated Graphics. An Intel Core vPro processor without Intel Integrated Graphics will still give you AMT 7.x, but you won't be able to use KVM Remote Control. This document has an up-to-date list. All CPUs with numbers in the 1000s are from the 2nd generation Intel Core vPro Processor Family.

 

Now on to wireless. Yes, wireless. With AMT 7.x, vPro now supports wireless on desktops. This, of course, is optional, but if you'd like to use AMT over wireless on your new system, there are extra requirements. First, your motherboard needs support for AMT wireless. This means a mini-PCI Express connector with wiring for AMT communications. The only one I know for sure to support it is the DQ67EP. If I find more I will add them to this list. Next, you need to find an Intel® Centrino® Advanced-N 6205 Wireless NIC. Lastly, you'll need a wireless antenna.

 

So go out and build your systems. Then post your system specs and your favorite vPro feature or use case.

As discussed in my previous post on what Intel TXT (Trusted Execution Technology) is and how it can perform a measured launch of the OS/hypervisor, I would now like to show you something practical: how to use it with Linux.

 

In this demonstration I used an HP 8440p box, but it works with any Intel vPro system with AMT 3.0 or later, and Linux Fedora 14 (kernel 2.6.38).


Preparing the BIOS:

 

Enable Intel VT/VT-d, TPM and TXT in the BIOS.

 

Updating Linux:

 

Some tools and updates are required in order to configure and enable Trusted Boot in Linux. In this particular demo, I used the following commands:

 

# yum update yum hg openssl openssl-devel trousers trousers-devel rpmdevtools yum-utils ncurses-devel
# yum groupinstall 'Development Tools'

 

Configuration:

 

I created a 15:06-long video showing the configuration steps:

 

 

At this point, if you completed these steps successfully, you have enabled Trusted Boot with the ANY policy, which means it is now ready for you to define policies for TXT measurement and behavior. That will be the subject of a future post.

 

Further references can be found here:

Intel Trusted Execution Technology Software Development Guide

 

 

Best Regards!

Josh Copeland joins me to recap the launch of the newest Intel vPro platform. Get more details about added security and performance features.

 

Dedicated to using technology to enhance the academic experience, Pennsylvania’s Grove City College has been providing all incoming freshmen with laptop computers for more than 15 years. To reduce hard drive failures that can halt productivity, and to minimize the impact of theft, the school’s IT group distributes Intel® Core™ i7 vPro™ processor-based HP EliteBook* tablet computers with Intel® Solid-State Drives and Intel® Anti-Theft Technology. The Intel Solid-State Drives cut system imaging time in half and could reduce drive failures by 90 percent. Intel Anti-Theft Technology helps the IT group prevent information from falling into the wrong hands.


“The tablets arrived only two weeks before the students,” said Vincent DiStasi, chief information officer for Grove City College. “Fortunately, the performance of the Intel Solid-State Drives enabled us to image all 750 tablets in just two days. We had all systems ready in time, and we didn’t have to spend the summer loading software.”


To learn more, read our new Grove City College business success story. As always, you can find this one, and many others, in the Intel.com Reference Room and IT Center.
