Skip navigation
josh.hilliker

MMS:  Live at the vBar

Posted by josh.hilliker Apr 30, 2008

Brad Anderson & Gregory Bryant took a few moments to talk to a few folks about vPro & SCCM SP1. 

 

Here's a few comments to share out: 

 

GB - 800Million transitors in the chip.  Transistors are focused on solving IT problems now.. (good news to IT folks).  

 

Brad - key message is that users are moving to SCCM & the request is out to join up & give feedback to MS on the new console.   (that's SCCM SP1).

 

GB - ROI's are positive, definitely a focus on changing the biz process is important. 

 

Brad - Config Mgr is making life easier.

 

NOTE:  Tom Quillin did a stellar job of hosting the session.. Kudos Tom.

 

Now onto a few audience questions..   if your not here @ MMS, your missing out..

Have you ever wondered what the optimal provisioning conditions, and if there is anyway to script the event to occur?  The linked article refers to batch files, VBscripts, key learning, and supporting materials for provisioning Intel vPro in an Altiris environment.

 

http://juice.altiris.com/node/4082

 

Take a look, add you insights\comments, and so forth.

josh.hilliker

MMS - day 2

Posted by josh.hilliker Apr 30, 2008

After walking around the booths yesterday the trend was clear - Integration Matters, make it easier.  I couldn't agree more.  Integration is where the value is driven from, understanding, planning & leveraging the right HW/SW solution is the key.

 

Day 2 kicks off - Brad Anderson - The changing desktop landscape.  Discussing Dynamic IT, w/ the focus moving towards User -Focused.  Even here the message keeps ringing "INTEGRATE". 

 

Brad started the discussion around vPro - also that SCCM  SP1 - May, R2 release candidate in July.   He discussed "Comprehensive Management" that focuses in 4 vectors: physical, virtual, User setting/data & Hardware.   

 

Now onto Dave Randall - configuration with vPro. with SCCm SP1 there are 15 OOB mgmt features they are supporting (I will get that list).   He then took a bank of PC's in the comms area & shut them down..  Would you really do that in your enterpise - probably not, but if you lost control of the box this is available.  

 

Dave is showing all the key features of OOB - i.e. SOL into the bios, also discussing the use of IDE-R (IDE redirect).

 

cheers.

Sharing with the community a recent thread I just picked up. 

 

http://abunchofgreens.blogspot.com/2008/04/first-eco-certified-computer-lenovos.html

 

Eco is the first ThinkCentre computer made with recycled, post-consumer plastics and is EPEAT Gold and Energy Star ® 4.0 rated. The system comes with Intel vPro technology, Core 2 Duo E6550 / E8200 / E8400 Processor, 2GB DDR2 RAM, 160GB HDD, Dual Layer DVD Burner, Intel Graphics Media Accelerator X3100, and Windows Vista Business

A user asked us why we didn't have information about buying vPro PCs on the Expert Center. Well, here it is! I am compiling a list of the different manufacturers and their vPro landing pages. It will continue to grow as I find more information.

 

Order an Intel® vPro™ Technology "Activation-Ready" PC or WS

 

As always, let me know if you need additional information. I'm growing these documents, so check back!

Much of the recent news around Microsoft System Center has been focus on the upcoming release of Microsoft System Configuration Manager SP1. However, did you know that MS System Center Operations Manager (SCOM) and System Center Essentials (SCE) also have support for vPro Client management through the use of the Intel Client Manageability Pack for SCOM & SCE?

 

 

 

 

 

First a little background...

 

 

What is MS System Center Operations Manager? SCOM is the third generation of Microsoft's monitoring solution. Operations Manager provides an easy-to-use monitoring environment that monitors thousands of servers, applications, and clients to provide a comprehensive view of the health of an organization's IT environment.

 

 

 

What is MS System Center Essentials? Microsoft System Center Essentials 2007 is a new management solution in the System Center family of IT systems management products. Essentials is specifically designed for IT professionals working in midsize businesses who often face IT challenges similar to those of larger enterprises - troubleshooting end user problems, automating management tasks, managing multiple systems, and diagnosing and resolving IT problems.

 

 

 

 

 

 

 

 

So where does the Intel Client Management Pack for SCOM and SCE fit in?

 

 

The Intel Client Management Pack for Microsoft System Center Operations Manager and System Center Essentials enables the users of these applications to take advantage of the advanced, hardware-based system management capabilities of vPro. These capabilities will help reduce the cost of discovering, managing and securing desktop and mobile PCs in the enterprise and thereby improving compliance with corporate policies. Information Technology support staff can now rapidly and remotely communicate with, power up, reboot, control, inventory assets, and remediate vPro capable clients even if the PC is powered off or the operating system is not functioning.

 

 

 

 

 

For more information and download of the Intel Client Manageability Pack for SCOM and SCE, please visit: http://softwarecommunity.intel.com/articles/eng/3681.htm

 

 

 

 

 

 

 

 

Matt Royer

Top 5 questions from the vPEc booth

#1.  How do you get started

http://communities.intel.com/openport/blogs/proexpert/2008/02/09/high-level-guide-to-installing-sccm-sp1-beta or

http://communities.intel.com/docs/DOC-1499

 

#2.  What about legacy support

http://communities.intel.com/openport/blogs/proexpert/2008/04/16/sccm-sp1-38-wsman-translator-how-vpro-firmware-versions-less-than-321-are-supported

 

#3.  What are the top features that I capture about

Top features are in band client agent provisioning and integration of power control in collection based operation and task sequence support.

 

#4.  Why does SCCM matter for vpro?

Sccm is microsoft's first managiblity software that provides native support for vpro capibility.  You are able to have a single software provide you on on complete software solution for you vpro client fleet.

 

#5.  What is the difference between Wake On LAN

http://softwarecommunity.intel.com/articles/eng/1151.htm#2  (abstract from the site)

 

Q1: Does the Intel® Active Management Technology (Intel® AMT) feature of Intel vPro technology support Wake On LAN* (WOL), Pre-boot eXecution Environment (PXE), and Alert Standard Format* (ASF)?

 

A1: Yes. A PC with Intel® vPro™ Technology can be managed using legacy tools that utilize WOL, PXE, and ASF when Intel® AMT is turned off , so existing tools that use these protocols can be used. However, Intel® AMT provides higher levels of security & functionality. Intel® AMT provides mutual authentication between client and console along with encrypted communication to guard against unauthorized access to networks and PCs, along with the ability to read hardware and software asset information even from PCs that are turned off or down.

 

Q2: How is Intel® Active Management Technology (Intel® AMT) feature of Intel® vPro™ technology different from ASF and Wake-On-LAN?

 

A2: Intel® AMT provides more security and functionality than ASF or Wake-On-LAN. Unlike legacy technologies, the Intel® System Defense feature within Intel ® AMT proactively helps prevent the spread of viruses by blocking transmissions from infected PCs. Intel® AMT also provides authentication and encrypted communication of management traffic so the Intel® AMT features can only be activated by authorized management consoles. Its out-of-band management capabilities include not only the ability to reboot PCs and send alerts, but also allow remote control, remote BIOS updates, and access to event logs and asset information regardless of system state or operating system presence. Alerting is policy based rather than based on preset criteria, allowing additional flexibility in IT processes. And Intel® AMT is designed to ensure management traffic can pass through network routers allowing remote management of a greater portion of your installed base.

 

I would like to invite you to engage in a virtual proof of concept with an emerging compute model technology via this site.  I will award a nice prize to the first five successful proof of concepts that are done over the Emerging Compute Model Forum (for more details send me a message).  If your organization is looking at various compute models and would like to go through the process and share your findings with the world, let's explore this model here.

 

 

-Jason

 

 

 

Intel partnered with ArsTechnica to create an ongoing web based conference / symposium with Intel as the presenting sponsor - and this week the topic is all about emerging compute models! 

 

 

Please take a few minutes and go check out the conversations on their site and join in the discussion.

 

 

-Jason

 

 

josh.hilliker

MMS - Let it begin

Posted by josh.hilliker Apr 28, 2008

Just arrived onsite & was able to check out the booth, talk w/ my fellow Intel folks. The booth looks great, tons of information & pro's onsite.  

 

I'm working on the video of the booth, however have to get back on the floor shortly.. here's a good pix.. off the monitor in the booth.. more to come shortly..

 

Video of the booth.

 

Let the Journey begin..    On my way to MMS (las vegas).  Hopefully to make it to the show floor in a few hours and start to scope out the Intel booth.   I am looking forward to talking with IT shops that are using vPro & the folks that are about to take on their journey.    If you are also interested to learn more make sure you stop by the booth.  

 

As soon as I arrive I’ll shoot a quick video of the booth & post on the Expert Center..  .

In my last 2 posts hereand here I discussed the worsening economy and its impact on the spending behavior of business owners, who tend to tighten their belts during periods of economic uncertainty, and look to cost-cutting measures in order to "hunker down" until the storm blows over.

 

In extreme conditions, these same business owners also look to staff reductions and outsourcing labor-intensive business functions such as HR, Payroll and IT Services, which is an excellent opportunity for the well-prepared Managed Services Provider to capitalize upon.

 

 

With the proper messaging and an effective marketing and sales process, MSPs will be more successful at winning business and more profitable in 2008 than System Builders, reactive break-fix and professional services providers. Let's explore how we can tailor our marketing message, value proposition and sales approach to take advantage of the current economic climate and increase our revenues.

 

 

4 types of service providers

 

 

Remember our 4 types of service providers, and their challenges and strengths?

 

 

  • System Builders

  • Reactive Break-Fix Service Providers

  • Professional Service Providers

  • Managed Services Providers

 

Although each group of these service providers are very different from the others, there are some strategies which can be employed by all groups to maintain and increase profits.

 

Strategies for all Service Groups

 

 

The key to maintaining and growing profits is to target the right clients initially. Generally, the more dependent upon technology a client is, the easier it is to sell them solutions that increase their efficiencies and productivity and mitigate business pain and risk. So we are looking for heavily technology-dependent clients and verticals and technology-strategic clients. Technology-strategic clients are those that see their IT investments as strategic investments to help them achieve their goals. These are the best clients to have, and economic downturns will have less of an effect on their IT purchasing decisions than it will on other clients. In fact, in many cases the effect may be the opposite, as these clients see these periods as an opportunity to gain a competitive advantage by investing in their technology and infrastructure.

 

 

These clients will more readily understand and welcome our requirements for vPro and Centrino Pro enabled desktops and laptops, as they will see these technologies as investments in maintaining their uptime, efficiencies and profitability - especially when TCO is a factor.

 

 

Messaging and Marketing

 

 

True for all service provider groups, effective messaging and marketing is the key to increasing client opportunities, but what messaging is the most effective during uncertain economic periods? Messaging that conveys the following concepts seem to work well when illustrating the benefits of vPro and Centrino Pro technology:

 

 

  • Cost savings

  • Improved efficiency/productivity

  • Pain reduction

  • Risk mitigation

 

A consistent marketing process is crucial to maintaining a consistent sales funnel of opportunities, and increasing marketing activities over historical levels for all service provider groups is recommended in 2008 and beyond. Look to vendor co-sponsoring opportunities and leverage marketing development funds wherever possible in order to defray costs. Include multi-vendor participation for local events where your message can be delivered to large groups, instead of individuals.

 

Final Thoughts

 

 

In order to maximize service revenues during uncertain economic times:

 

 

  • Reduce internal costs wherever possible

  • Look to tools and technology such as vPro and Centrino Pro, process and procedure to increase your internal efficiencies and utilization

  • Partner with other providers and vendors to deliver services as needed

  • Target technology-strategic and technology-dependent clients and verticals

  • Build deep client relationships as your clients' Trusted Advisor and outsourced CIO to ward off competitive threats

  • Leverage Vendor and Distributors' services and support offerings, as well as other benefits such as spiffs and special offers and Marketing Development Funds

  • If your client base averages less than 26 users, move up to the 26-100 user space

  • Add financing as an option to each and every Proposal

 

These are just a few of the things we, as service providers, can due to maintain and grow our profits in 2008 and beyond.

 

Erick Simpson

 

 

Hi all,

 

Tim's Tool team continues to deliver new tools to the community almost weekly.  You can check the latest on the Tool Wiki @ http://communities.intel.com/docs/DOC-1171.   Also if you have a need for a new tool please let him know by responding to the wiki.  

 

If you are trying to use a tool and not having success please let us know as well as your feedback helps shape the tools the team works on.  

 

I also know that Tim is defining a higher level picture of the typical IT infrastructure and how each tool can be used to troubleshoot different connection points.   Stay tuned for this..

A great question was raised whether the Kerberos authentication was most or least restrictive on rights and access.  First a little background - Kerberos authentication in an Intel vPro world allows you to specify an NT user or group for authentication purposes, and to authorize them for Intel AMT realm access on the provisioning Intel vPro device.

 

What if a user is a member of two different groups, both of which are defined in the provisioning profile, with each group having different authorization to the Intel AMT realms?  For example - GroupA can only remotely power a system, while GroupB can only place System Defense filters on a system.  If User1 is a member of GroupA and GroupB - what resulting access does that user get?

 

The answer is "least restrictive" - in that the user has the combination of authorization from both GroupA and GroupB.

 

Interested to hear what the community has experienced.  Keep the questions coming.

Back on the topic of Energy, I received a presentation that Rick Maddox (Symantec) reviewed at ManageFusion that explains Energy Wasting Statistics (for example:  60% of PCs are left on overnight).  Also: 

 

•Typical PC uses 588 kWh of energy per year

–1,000 lbs of CO2

–2/3 of the energy is wasted

–15 PCs = 1 mid-size car

 

Wow!.  very interesting when you compare to a mid-size car.  In this presentation Rick goes on to show how Altiris is making a difference with it's partners as well as showed their Energy Saver toolkit.  I have not used this toolkit as of yet, however here is the info page on their site.  http://www.altiris.com/Products/EnergySaverToolkit.aspx.

 

Here's the full presentation:

Rick Maddox - ManageFusion - Green IT

 

Update on tools, I'm still working to get a set of tools that I can share out or reference from the community around power.  I hope to blog about this in the next 1-2 weeks.  If you are interested to hear what i'm doing check out my last blog.

The ability to provide access to the Real-Time tab of Resource Manager will enable administrators to provide this valuable tool to IT specialists or Helpdesk workers.  Furthermore the ability to configure access to certain functions within the console will allow administrators to grant or restrict what users can do with Real-Time System Manager.  This includes WMI functionality as well as powerful AMT functionality.

 

 

 

 

Introduction

 

Your environment will likely have a unique set of requirements on who can access what in Real-Time System Manager.  It can be as simple as two levels of workers, from an administrator to an IT Specialist, to a complex system of access rights in a multi-tiered environment tightly controlled.  No matter the environment, this article provides the details to customize access to the Real-Time tab, including WMI and AMT access rights.

 

 

 

 

 

RTSM contains limited functionality to configure access via WMI.  AMT, on the other hand, can be configured at a function-granular level.  Whether you're simply trying to give users full access to RTSM, or to provide access to only certain functions, this document assists to achieve this.

 

 

 

 

NS Role Security

 

The first item that must be enabled is creating a role or modifying an existing role to have rights to Real-Time System Manager at the general level.  Without assignment to such a role, a user cannot gain access to RTSM.

 

 

 

 

Overview

 

Briefly I'll explain how NS Role and Scope security work together in Notification Server.  Roles give feature access rights.  For example in Software Delivery Solution there's a role object labeled ‘Item Tasks - Software Delivery Wizard'.  The two options allow use of the Simple or Advanced Software Delivery Wizard.  Without this right, the user cannot launch the Software Delivery Wizard, regardless if they have scope rights to the Wizard and Status node in the console.

 

 

 

 

 

Scope security is much like the Windows File-System security model.  In the Altiris Console the left-hand tree can be accessed like the file system, applying security to folders or to nodes, as opposed to folders and files.  Inherence allows security to be inherited from the containing folder, on up the chain until the root node is reached.

 

 

 

 

Role Configuration

 

The following steps show how to create a user with RTSM permissions. 

 

  1. In the Altiris Console, browse to View > Configuration > Server Settings > Notification Server Settings > Security Roles.

  2. Select an existing Role or Right-click on the Security Roles folder and choose to create a new Role.

  3. Under Privileges, find the following categories and check the indicated option.  After the screenshot the items are details with description of the option:

    1. Altiris System Privileges - Use Real-Time System Management - This is the ability to use the product at the most basic and general level.

    2. Altiris Console Privileges - View Resources Tab - For this example I'm providing the user the ability to see collections so he or she can launch Resource Manager and use the Real-Time tab.

    3. Altiris Console Privileges - View Tasks Tab - Access to the ‘Manage' node allowing launch of Resource Manager requires this privilege.

    4. Item Tasks - Real-Time System Manager - Manage - This is access to the main tree for RTSM.  Most functions are covered by this option.

    5. Item Tasks - Real-Time System Manager - Password Reset - Because of the nature of this function, it has been separated out as a single security role object in Notification Server but belongs to the Real-Time tree.

    6. Item Tasks - Real-Time System Manager - Port Check - The Port Check feature is normally accessed as a separate contextual item in the right-click menu, or launch from an icon under the Real-Time tab.

    7. Item Tasks - Real-Time System Manager - Trace Route - This is treated in the same way as Port Check.

    8. Item Tasks - Real-Time System Manager - Hardware Management - This is one of the objects in the tree that provides basic hardware function, which is greatly extended if the system is Intel vPro capable and Provisioned.

  4. Click the Membership tab.

  5. Use the blue + icon to add users and/or groups to the Role.  These can be digest users or local computer groups, or Domain users or groups.

  6. Click Apply to save the Role.

 

Note: The users will not have access yet to the Altiris Console as the scope-level security has not been set for the new Role.  Complete the below NS Scope Security section to give access to the Altiris Console

 

 

 

 

NS Scope Security

Altiris Console

 

For Altiris Console access, scope security must be configured before a Role can access or login to the console.  The security window is the same for any node, be it a folder or otherwise.  The two screenshots below show the security window and the permission selection screens:

 

 

 

 

 

 

 

Note: Depending on the object type, the available permissions may differ

 

 

 

 

 

To allow access to the ‘Manage' Real-Time Console Infrastructure Task, follow these steps:

 

  1. In the Altiris Console, browse under View > Tasks > Incident Resolution > Tools.

  2. Right-click on the node ‘Manage' and choose Properties.

  3. Click on the Security tab.

  4. Click the ‘Add' button.

  5. Select from the list name of your role (ie: RTSM Workers) and click the ‘Select' button.

  6. Check the option for ‘Full Control' and click ‘Select'.
    Note: Full Control does not give the user the ability to delete or otherwise manipulate the Manage node.  This node can only be accessed for the function alone.

  7. Click ‘Apply' to save the security changes made.

 

 

 

 

To access Collections so the users of the role can view collections so they can use the RTSM right-click contextual menu options for a listed resource, follow these steps:

 

  1. In the Altiris Console, browse to View > Resources > Collections.

  2. Depending on what collections you want to give the user access to, browse to a containing folder or an individual collection.

  3. Right-click on the folder or collection and choose Properties.

  4. Click on the Security tab.

  5. Click the ‘Add' button.

  6. Select from the list name of your role (ie: RTSM Workers) and click the ‘Select' button.

  7. Check the following options:

    1. Altiris System Permissions - Read

    2. Altiris Resource Management Permissions - Read Resource Data

    3. Altiris Resource Management Permissions - Read Resource Association

  8. Click Select, and then click Apply on the permissions window.

 

 

 

 

Now we have allowed the user access to certain parts of the Altiris Console so they can execute Real-Time System Manager on managed systems.  To restrict access to certain parts of the RTSM console, see the previous Role section for what options are available to you.

 

 

 

 

AMT Permissions

 

RTSM takes advantage of powerful functionality available in Intel vPro, AMT technology.  Once a user has access to RTSM, their user account, if permitted, is used to connect to the remote system by WMI.  An AMT connection can either use Kerberos integration or an inputted digest user when prompted.  The credentials must be specified in the destination system's AMT Profile, otherwise authentication will fail.

 

 

 

 

 

To configure who has rights to AMT, follow these steps:

 

  1. In the Altiris Console, browse to View > Solutions > Out of Band Management > Configuration > Provisioning > Configuration Service Settings > Provision Profiles.

  2. Double-click on an existing profile, or create a new one.

  3. Click on the ACL tab.

  4. Click Add to add either a digest user or to use Domain users and groups with Kerberos integration.

  5. Once a user is inputted, the ‘Realms' section allows or disallows access to different AMT functions.  The boxes that are of importance to RTSM are:

    1. Circuit Breaker - Now known as System Defense, or Network Filtering

    2. Hardware Asset - For power management capabilities

    3. Redirection - To allow IDE Redirection

    4. Remote Control - Allows Serial Over LAN (SOL) remote connection

    5. Event Manager - Allows viewing of AMT logs

    6. General Info - Allows viewing of AMT data on the system

  6. The ‘Access Permission' dropdown should be used to select either Network Access or Any.  The Local Access option gives that user rights to log into the Intel ME locally when the system boots and isn't needed for RTSM function, however if you wish to allow the user to have access to both, choose ‘Any'.

  7. Click OK to save the changes.

 

 

 

 

To apply the updated or new profile to an AMT system Provisioning must occurred.  If the system was already provisioned with this same profile previously, a reprovision will update the profile.

 

 

 

 

 

This will not limit access to see the functions available in the Real-Time tab for AMT, but will throw a not authorized message if an applicable function is attempted with a user who does not have the rights to execute it.

 

 

 

 

Conclusion

 

The Real-Time tab, a one-to-one solution for system access, data gathering, or troubleshooting, provides a powerful tool to IT administrators and IT professionals alike.  Providing this ability to users you do not want to have full access to Altiris is essential for any secure environment.  With the additional ability to configure granular AMT rights for vPro capable and configured systems, an administrator has the ability to get very specific on what users or groups of what rights.

While at ManageFusion, Symantec Director of Strategic Alliances Kevin Unbedacht discussed some of the future directions on Intel vPro technology that Symantec is taking advantage of. In the video below, learn how Symantec is taking advantage of the upcoming Intel Centrino 2 with vPro Technology.

 

 

 

While at ManageFusion, we had Symantec Director of Strategic Alliances Kevin Unbedacht discuss how Intel vPro Technology enhances the Symantec Altiris Client Management Suite. The videos below include demonstrations around power management with secure power-on, remote diagnosis and repair of troubled PCs, isolation and repair of infected PCs, and discovery of PC assets.

 

  • Hardware-assisted Power Management with Secure Power-On

 

 

  • Hardware-assisted Diagnosis and Repair of PCs Remotely (by getting into PC's BIOS settings):

 

 

  • Hardware-assisted Diagnosis and Repair of PCs Remotely (by remote booting PC to fix-it image on the network):

 

 

 

  • Hardware-assisted Isolation and Recovery of Infected PCs:

 

 

  • Hardware-assisted Discovery of PC Assets

 

 

Click here to learn more about the combination of Symantec products with Intel vPro technology: http://www.earlyroi.com/

Just published - a new wiki that outlines the high level steps for activating your vPro systems. Each step lists the corresponding training and documentation that will help you complete it.

 

Activation Cheat Sheet

While in Atlanta, I was able to get a few minutes with Brian Duckering from AppStream to have him show us his latest. 

 

 

Here is the video.  (I also learned that I need to do lighting different in this video...novice mistake on my part about having the window in the background - beyond the window is the Atlanta Braves stadium, which would have been a nice backdrop). 

 

 

 

 

 

I just posted a new YouTube video on my own Intel AMT 3.0 computer that runs under my television. It runs Microsoft Media Center, has 4 cores, 4 tuners, 4 hard drives, 3 Gigs of RAM, 2 DVD's... Certainly the most powerful computer I have ever owned. Most importantly, it has Intel AMT 3.0 using an Intel DQ35JO motherboard. This is very useful for me to work on Intel AMT Commander on my spare time and also to remotely manage my computer from anywhere in the world.

 

If you guys have your own computer project that runs Intel AMT, please let me know. Better yet, if you have pictures it would be great to share with the community.

 

Ylian (Intel AMT Blog)

We just finished our live radio show on blogtalkradio with Matt Royer. Listen to it below, or visit www.blogtalkradio.com/openport to download previous shows.

 

Topic: We are going to have Matt Royer join us again on the show. Josh, Russ, & Jeff Torello will be getting the latest information on WS-MAN translator integration and SMS/SCS to SCCM Migration.

 

Just click play!

 

For those looking for a little extra help on System Center Configuration Manager, Microsoft has a great forum resources on a variety of System Center Configuration Manager topics...

 

Configuration Manager - General
     General Discussion on the topics or features not already covered by one of the other forums for System Center Configuration Manager.

Configuration Manager - Announcements
     General Announcements for System Center Configuration Manager Forums

Configuration Manager - Admin Console
     Discussion on the Admin Console for System Center Configuration Manager

Configuration Manager - Asset Intelligence
     Discussion on the Asset Intelligence feature for System Center Configuration Manager

Configuration Manager - Backup and Recovery
     Discussions on Backup and Recovery for System Center Configuration Manager Sites

Configuration Manager - Desired Configuration Management
     Discussion on the Desired Configuration Management feature for System Center Configuration Manager

Configuration Manager - Documentation
     Discussion on the Help and Documentation for System Center Configuration Manager

Configuration Manager - Internet Clients and Native ModeDiscussion on the Internet Based Clients and running sites in Native Mode, certificate and SSL issues for System Center Configuration Manager

Configuration Manager - Inventory
     Discussion on the Inventory feature for System Center Configuration Manager

Configuration Manager - Operating System Deployment
     Discussion on the Operating System Deployment feature for System Center Configuration Manager

Configuration Manager - SDK
     Discussion on the Software Development kit for System Center Configuration Manager

Configuration Manager - Setup/Deployment
     Discussion on the Setup and Deployment of Clients and Servers for System Center Configuration Manager

Configuration Manager - Software Distribution
     Discussion on the Software Distribution feature for System Center Configuration Manager

Configuration Manager - Software Updates Management
     Discussion on the Software Updates Management feature for System Center Configuration Manager

Matt Royer

Intel and Symantec value having interactions with the IT community on a year-round basis. Listen to two of the most prominent and prolific bloggers on Intel vPro technology - Terry Cutler from Intel and Joel Smith from Symantec talk about how they communicate with the community via the Altiris Juice or the vPro expert center community websites. 

 

 

 

At ManageFusion, we had the Intel vPro technology Challenge at the event - a competition where teams of two competed to find and fix a troubled PC. Each team had an opportunity to interact with Intel vPro technology based PCs from the Symantec Altiris Client Management Suite, and most had fun in the process! Check out the highlights from the Challenge.

 

At Intel, we're always looking for feedback on the way IT should be.  Therefore, at ManageFusion, we had Intel customers, partners, and technical experts from Symantec and Intel tell us their meaning of IT Utopia. Hear their responses in the video below.

 

 

 

 

Jeff talked about this in the last show on vPro Radio (http://blogtalkradio.com/openport) about his latest Intel vPro training modules.  We finally have those posted and here is the link to get started..

 

 

 

http://download.intel.com/business/vpro/ActivationClass/main.html

 

I believe he posted six out of nine, with the final three still in progress.   If you have any questions please let Jeff know.

Here it is! Samsung info. Samsung desktops are available in Korea. Their notebooks are available in Korea, Europe, and China.

 

Order an Intel® vPro™ Technology "Activation-Ready" PC or WS

 

Coming soon: Acer.

I am looking forward to joining my fellow vPro experts out at MMS in Las Vegas in a week.   Here's a quick video we shot while Frank was driving.   If your headed out to Vegas let us know.. 

 

 

- Josh H

I am glad you inform everyone that the Intel AMT DTK is back online and once again, my apologies for the interruption. Version v0.52x was released, with just a few fixes over the previously posted v0.51x. It's mostly the same as before, not many new features, but if you have experiences problems in the past, try this version.

 

Probably the area where the DTK is improving most is with general stability and WSMAN. When using Intel AMT 3.0, Intel AMT Commander and Intel AMT Outpost will use WSMAN instead of SOAP. Since all the calls are different, many new bugs showed up. As we get the benefit of more testing and feedback, the code keeps improving. Users can force Commander to use SOAP by going to the "View" - "Advanced properties". The second tab has a check box to remove using WSMAN first. WSMAN will of course still be used if Commander determines that WSMAN is the only available option.

 

Next week I am once again heading to Israel to meet with this Intel AMT firmware development team. Last year I had a pretty shaky flight over, something I had blogged about. Hopefully this year will be better. At Intel, this is going to be the ultimate meeting of everyone related to AMT, so I will get to meet some of the other people that post on the forums, and many of the people that I get the most complicated answers from.

 

Ylian (Intel AMT Blog)

Coming Up:

We are going to have Matt Royer join us again on the show. Josh, Russ, & Jeff Torello will be getting the latest information on WS-MAN translator integration and SMS/SCS to SCCM Migration. Hope you are able to join us!

When: April 21st @ 3:30 PM

Call-in Number: (347) 326-9831


Check out these blog posts from Matt Royer to get an insight on what our show will be about:

SCCM SP1 & WS-MAN Translator: How vPro firmware versions less than 3.2.1 are supported

Overview of SMS/Intel SCS migration to SCCM SP1


http://www.blogtalkradio.com/openport

Here's the scoop, yet again, for those who haven't heard...

Hosted by Josh Hilliker, Russ Pam, & Jeff Torello this bi-weekly informal show will be covering a variety of topics and is a perfect avenue to get your questions answered. Listen in live, give your two cents, or just download the show after it has aired. Make sure not to miss out on this awesome opportunity to learn and engage with the vPro experts. Can’t join us live? Have no fear, blogtalkradio let’s you listen to the show whenever you have the time. Visit the Open Port Radio site (link is above) to hear previous shows and even catch a glimpse of what’s to come!

Sometimes within Intel Marketing, we're told that our description of Intel Centrino with vPro technology or Intel Core 2 with vPro technology is a bit lengthy. Therefore, while at ManageFusion, we asked Intel customers as well as technical experts from Intel and Symantec to give us their best, most concise acronym that best describes Intel vPro Technology. Listen to their responses below.    

 

 

 

While at ManageFusion, Intel had an opportunity to talk with four leading Symantec Service Integrators who have started deploying and activating PCs with Intel vPro technology within their customers' environment. 

 

In the video below, listen to their thoughts on:

  • When to activate Intel vPro technology

  • How Intel vPro technology seamlessly compliments the Symantec Altiris Client Management Suite

  • How Intel vPro technology delivers on the promise of Wake-On-Lan by being both much more secure and more reliable

  • Thoughts on increased customer service levels and return on investment with Intel vPro technology

 

 

 

Remote Configuration is the zero-touch configuration mechanism that allows Intel vPro AMT systems to be setup for AMT management without any manual intervention. This article covers the Best Practices for setting up Remote Configuration and using the Out of Band Delayed Provisioning Task to remotely and automatically provision systems for use within the Altiris infrastructure.

 

 

 

 

Introduction

In an ideal environment, vPro systems will automatically Provision without any interaction with the Administrator, allowing the versatile and robust functionality of AMT to be available immediately out of the gate. In this article we'll cover how to setup just such a scenario, but also how to use Out of Band Management's Delayed Provisioning Task to ‘kick-start' any AMT system that is no longer sending out configuration requests. Reasons for this need include:

 

  1. The system is powered on in a location that does not have access to the Provisioning Server

  2. The system is unable to be Provisioned due to changing identities while being setup in its Fully Qualified Domain Name (FQDN)

  3. The IP Address changes during the Provisioning process and the Provision Server is unable to contact it back to Provision

 

Remote Configuration

Remote Configuration uses a certificate-based authentication model with preloaded certificate hashes to allow quick and automated process to Provision the AMT systems in the environment. The certificates require a vendor-certified cert from Verisign, GoDaddy, Komodo. While you can set your own cert and load your own hashes in the firmware of AMT systems, it turns the ease of Remote Configuration into a cost, whether by having the OEM load the proprietary cert for a fee, or requiring a configuration step to load the hashes manually into the firmware.

 

 

 

Certificates

The firmware will already contain the hashes for Verisign, GoDaddy, and Komodo certificates (more vendors will be added in later versions of AMT). Server-side certificates need to be loaded and registered on the Provision Server, and within Out of Band Management on the Altiris Notification Server. Please see the following article for more information on Remote Configuration:

 

http://juice.altiris.com/article/3866/frequently-asked-questions-about-remote-configuration

 

 

 

 

 

 

For a specific reference for what items are required, review the section labeled:

 

 

What core items MUST be defined in the provisioning certificate?

 

 

Also look at the section pointing to how to acquire a certificate (other links):

 

 

What resources or guidance are available for acquiring one of the core external certificates?

 

 

 

 

 

 

Additional information:

 

 

The Provision Server must be registered with DNS, accessible by the Intel AMT device via a CNAME value of ‘ProvisionServer' pointing to the IP address of the Notification. Note that in a multi-domain (including root-child domain infrastructures) multiple CNAME entries must be setup to include the suffixes to include all network segments the server will be managing.

 

 

 

 

 

 

The Provision Server requires a certificate with the appropriate OID or OU detailing directions to a certificate Authority (CA), which CA must have a root certificate hash stored on the Intel AMT Systems. The OID must be of the type ‘Server Authentication Certificate' with the Intel setup extension: 1.3.6.1.5.5.7.3.1, 2.16.840.1.113741.1.2.3, OR, the OU value in the Subject field must be "Intel(R) Client Setup Certificate".

 

 

 

 

 

 

The Subject CN must be either the fully qualified domain name (FQDN) of the platform running the service (example: Provisionserver.symantec.us), or the domain suffix of the platform (example: *.symantec.us.com or *.symantec.com).

 

 

 

 

Remote Configuration Process

The following process documents how the Remote Configuration Process works. This high-level overview will be referenced in the subsequent sections covering Delayed Provisioning. The following process assumes that the AMT System can reach the Provision Server and won't change identity through typical setup methods such as imaging or configuration scripts that changes the FQDN and/or Hostname of the system (including adding the system to a Domain).

 

 

 

 

 

The following steps must be completed before Remote Configuration will work in the environment. They are detailed with step-by-step processes in the Out of Band Management 6.2 Administrator's Guide, located here: http://www.altiris.com/upload/outofbandrefsep18.pdf

 

 

  • Setting up Intel AMT using Remote Configuration - Page 44

    • Certificate provider - Page 44

  • Preparing a Certificate Template - Page 45

  • Issuing a New Template - Page 46

  • Preparing a Certificate Request - Page 47

  • Acquiring a Certificate from an External Certificate Vendor - Page 48

  • Installing the Remote Configuration Certificate - Page 48

  • Loading the Certificate into Intel SCS - Page 49

  • Enabling the Remote Configuration Feature - Page 49

 

 

 

 

Note that not all the sections need to be accomplished depending on what method you use. If you're creating your own certificate:

 

 

  • Preparing a Certificate Template

  • Issuing a New Template

  • Preparing a Certificate Request

 

...should be used. Otherwise use the ‘Acquiring a Certificate from an External Certificate Vendor' section, including the previous links provided on the subject, should be consulted. Remember this is the recommended method since it requires no special processes to be in place to ready the AMT systems for Provisioning.

 

Delayed Provisioning

The purpose of Delayed Provisioning is to Provision those systems that failed the original Provision attempt. The includes failure at any part of the Remote Configuration/Provisioning process. Failure points include:

 

  • Hello Packet does not reach the Provision Server during the 24-hour period hello packets are sent

  • The IP Address changes after the Provision Server initially receives the hello packet and hasn't sent down a profile to complete the provisioning process

  • The FQDN changes, forcing an IP Address change from DHCP so when the OS is up, the Provisioning Server can't reach the system

  • The Provision Server is unable to complete the process due to a number of causes, including network access problems, firewalls, subnet locations, etc...

 

 

 

 

The following items must be in place for Delayed Provisioning to work:

 

 

  1. AMT System must be in Setup Mode (pre-provisioned). This means the system must be in the state where it is using Remote Configuration and will use the provided hashes.

  2. The system must have a functioning Windows Operating System.

  3. The Altiris Agent must be installed and functioning within the OS.

  4. The Out of Band Task Agent must be installed within the Altiris Agent.

  5. The Delayed Provisioning Task must be enabled to target the AMT systems in question.

 

Delayed Provisioning Process

The following process details how Delayed Provisioning works from start to finish. In essence the process ‘kick starts' the hello packet process, allowing the Provision Server to receive fresh data on the system, allowing it to properly contact and provision it. The following diagram shows a high-level view of the Delayed Provisioning Process:

 

 

 

 

 

 

 

Full steps:

 

 

  1. The AMT System must be in Remote Configuration setup mode. This is the default mode for AMT 2.2, 2.6, and 3.0.

  2. Install the Altiris Agent on the system. Check the Notification Server reference guide for methods.

  3. In the Altiris Console, go to View > Solution > Out of Band Management > Out of Band Discovery.

  4. Enable the Out of Band Discovery Policy. This will help with the Provision process after the Delayed Provisioning Task executes.

  5. Now go up a level and browse down into Out of Band Task Agent Rollout.

  6. Add the collection: Non-Provisioned Intel® AMT Computers to the Policy by clicking on the Collections listed under ‘Applies to Collections' and browsing to it under ‘Out of Band Management', ‘Provisioning'.

  7. Enable the Out of Band Task Agent Install Policy.
    !oobagentinst.JPG!

  8. Browse in the Altiris Console under View > Solutions > Out of Band Management > Configuration > Provisioning > Delayed Provisioning > and select the ‘Delayed Provision' Task.

  9. Concerning the options:

    1. Override OTP: - If you don't want to use a random AMT password, check this option.

    2. Switch to AMT: - Unless you're using ASF and want to keep using it on those computers that have it enabled, check this option.

    3. Ignore intermediate errors: - Don't check this option unless there's a reason to ignore DNS and OTP errors.

  10. Leave it on a Daily Schedule. Systems that run this and provision will drop out of the collection and not run the policy again.

  11. Enable the Policy.

 

 

 

 

Once the above steps have been completed, the process should be automated as long as steps 1 and 2 are met. The collections will properly target each system so that the right steps occur in the right order.

 

 

 

 

Conclusion

The Delayed Provisioning Task allows an administrator to catch those systems that have not provisioned due to a number of reasons. This allows the systems to get provisioned in a targeted fashion, and if properly configured make it completely automated. As of version 6.2 of Out of Band Management, this only applies to provisioning by Remote Configuration. Please check these other articles for details on how to provision systems if not using Remote Configuration:

 

http://juice.altiris.com/article/3612/using-intels-rct-tool-restart-amt-hello-packets-enterprise-provisioning

 

 

 

 

 

 

Lastly, this process does not touch on certificates used to encrypt AMT management traffic. This is the TLS option set in a Profile for any communication after the AMT system has been properly setup and configured. The certificate obtained for Remote Configuration is only for the Setup and Configuration process (also known as Provisioning).

 

 

Note: This information is based off Microsoft System Center Configuration Manager 2007 SP1 RC and is subject to changes between now and RTM.

 

 

 

 

 

With the upcoming release of Microsoft SCCM SP1 and native support for vPro manageability, there may be a scenario where you have vPro Clients that are activated (provisioned) under Microsoft SMS with the Intel SMS Add-on / Intel SCS that you need to migrate to SCCM SP1. As may have read in the previous blog, Microsoft does not use the Intel SCS for provisioning and configuration of the vPro Clients. Instead, Microsoft as part of their SCCM SP1 implementation, have chosen to develop and integrate their own code base for provisioning and configuration management of vPro Clients. So to migrate vPro Clients from SMS / Intel SCS to SCCM, Intel will be providing a migration utility to help make this transition.

 

 

Before we get into the details of the migration utility, let us first discuss at a high level the overall SMS to SCCM migration process. The first thing to keep in mind is that the vPro client migration from SMS to SCCM SP1 is just a post step after you perform the recommend steps that Microsoft provides for upgrading your SMS environment to SCCM. Microsoft has created an excellent Configuration Manager Upgrade, Interoperability Planning and Deployment guide that walks a customer through the planning and upgrade path from SMS to SCCM. Once these steps are completed, the migration of the vPro Client from the Intel SCS to SCCM SP1 can be initiated.

 

 

(Click picture for higher resolution image)

 

 

 

 

 

 

 

 

Now let us talk a little about the migration utility… At the most fundamental level, the migration utility prepares the vPro Client to be natively reprovisioned by SCCM SP1. The process can be broken into several key steps.

 

  1. Extract list of vPro Clients from the Intel SCS to be migrated to SCCM (List used to track migration progress)

  2. Generate a vPro Client list import file that can be natively used by SCCM SP1

  3. Using the "Import Computer for Out of Band Management wizard" within SCCM SP1, import the list of vPro Clients to be provisioned by SCCM

  4. Connect to each vPro Client to be migrated and prepare it for reprovisioning by SCCM SP1.

  5. Once the vPro provisioning hello packet is received, SCCM SP1 will begin its native provisioning process for the vPro Client

 

(Click picture for higher resolution image)

 

 

 

 

 

You may conclude that “preparing the vPro Client to migrated” is basically performing an unprovision. For the most part that is correct; however, as part of the preparation step we are setting some critical values to allow it to be reprovision without having to physically touch the client. For example, we are setting values such as Remote Configuration Certification hash used by SCCM, PID/PPS pair (used for WS-MAN Translator for firmware version that do not support Remote Config), and Provisioning Server FQDN / Port (if different then provisionserver DNS entry and 9971).

 

 

At the time you initially run the migration tool, there may be a chance that not every vPro Client will be accessible (for example mobile clients that are not on the network when you initiate the migration). The migration utility will have the ability to log and track which vPro clients have been successfully prepared for migration and which ones where unable to be contacted. Re-running the migration utility at a future dates will attempt to connect to vPro clients that were inaccessible at previous runs. If you still have vPro Clients that are being logged as inaccessible after a couple runs of the migration utility, you may be required to investigate the root cause on why those vPro Clients are not accessible.

 

 

For those that have vPro Clients deployed in your environment but not activated and you are planning on deploying SCCM SP1, Microsoft has enabled their SCCM SP1 Client agent to initiate and authorize the provisioning process through policy. This provides a fairly straight forward and easy mechanism for provisioning your non-activated vPro Clients. To take advantage of this in a no physical touch scenario, your vPro Clients will be required have a firmware version that supports remote configuration (2.2, 2.6, 3.x). If you are not able to upgrade your firmware to a version that supports remote configuration, you will be required to configure (either manually in the MEBx or USB one touch) the PSK PID/PPS pair expected by the WS-MAN translator.

 

 

In the upcoming weeks, we will post our initial beta version of the SMS/Intel SCS to SCCM Migration Utility for vPro Expert Center community review along with a deeper drive into the configuration and usage of the migration utility. Please keep tuned for more detail to come.

 

 

Matt Royer

Have you seen this?   if you have I bet your wondering why.. This error can be seen during a SOL session with Altiris when there is a BIOS password set on the notebook.  

 

 

 

 

Recently out on a visit we found this error & were checking between a known good system.

   

We did a little research and saw that default for Terminal Emulation Mode was set to VT100 through the BIOS, instead of using the tool that HP has for windows.  After we returned to the plant we used the tool to snap these pixs of the BIOS. 

 

 

 

After changing the Terminal Emulation Mode to ANSI we were able to achieve this..

 

of course after the change the new option was selected "ANSI"..

 

This is the right result you should see..

 

 

Success!!   give this a shot if you are using a BIOS Password on a HP 2510P with Altiris..

Note: This information is based off Microsoft System Center Configuration Manager 2007 SP1 RC and is subject to changes between now and RTM

 

 

 

 

 

So as you read through the Microsoft documentation for SCCM SP1, you will most likely notice that Microsoft SCCM SP1 states they have native support for vPro clients with firmware versions 3.2.1 or higher. If Microsoft only natively supports vPro clients 3.2.1 or higher, you may be asking how vPro clients that are running firmware versions 2.x, 3.0, and 3.1 are supported.

 

 

Not to worry; through the use of the Intel WS-MAN translator, SCCM SP1 will be able to provide provisioning and manageability support for earlier versions of vPro firmware. As part of SCCM SP1 Release Candidate, Microsoft has introduced integration support for the WS-MAN Translator (It was not available as part of the initial SCCM SP1 Beta release).

 

 

In a future blog, we will provide a little more detail on the Install, Configuration, and SCCM Enablement of the WS-MAN translator; however, let us take this opportunity to talk little more about SCCM SP1 interaction with the WS-MAN Translator.

 

 

So why doesn't SCCM support earlier vPro firmware versions? The core reason is that SCCM only know how to communicate to vPro Clients in WS-MAN (Web Service Management). Prior to AMT firmware version 3.0, vPro Client only knew how to communicate in a protocol called EOI (External Operations Interface). So just like one person speaking English to another person that only understands French, when SCCM SP1 tries to communicate with a vPro client with a firmware version of 2.x, the vPro client does not understand what the management console wants it to do. So, simular to a person translating for our French and English speaking persons, the WS-Translator translates WS-MAN calls to EOI and from EOI to WS-MAN.

 

 

Ok, so vPro clients with AMT version 3.0 know how to speak WS-MAN. Why do you need the translator for firmware version 3.0 and 3.1? Well without getting into the excessively technical details, there were some changes required in the AMT 3.x firmware to make SCCM SP1 work properly with vPro client running firmware 3.x; these changes were introduced in vPro firmware version 3.2.1. To allow for vPro firmware 3.0 and 3.1 to be supported, we were able to mask those changes that SCCM SP1 required in the WS-MAN Translator.

 

 

The other thing that the WS-MAN translator enables is support for PSK vPro Client provisioning. Natively, Microsoft SCCM SP1 only supports PKI (also commonly referred to as Remote Configuration) for provisioning. vPro firmware version 3.0 supported PKI provisioning from the initial release; however, vPro firmware version 2.x did not received PKI provisioning support until versions 2.2 & 2.6. Although we recommend that you upgrade your vPro firmware to the latest version supported by the OEM, there may be some cases were upgrading 2.2 or 2.6 is not a viable option. So to support clients that are running 2.0, 2.1 and 2.5 firmware, the WS-MAN translator offers a means of supporting PSK provisioning. The key item to keep in mind about PSK support within the WS-MAN translator is that it only supports one PID/PPS pair; the same PID/PPS will be used for all your vPro Clients using PSK for provisioning.

 

 

If desired, you can use PSK provision through the WS-MAN translator for all vPro firmware versions; however, since SCCM SP1 only uses the WS-MAN Translator for firmware versions less then 3.2.1 you are required to use PKI provisioning for any vPro Client firmware version 3.2.1 or higher. It is for this reason (and the fact that you can take advantage of vPro Remote Configuration) that we recommend you upgrade your vPro Clients to 2.2, 2.6, and 3.2.1 were supported by the OEM.

 

 

If you have no vPro Clients in your environment that are less then firmware version 3.2.1, there is no need to use the WS-MAN translator; SCCM SP1 will natively provision and manage vPro clients without the need for the WS-MAN Translator.

 

 

As previously noted, stay tuned for more information on vPro Expert Center about the WS-MAN translator in the next couple weeks.

 

 

Matt Royer

 

Note: This information is based off Microsoft System Center Configuration Manager 2007 SP1 RC and is subject to changes between now and RTM.

 

Microsoft has just release System Center Configuration Manager 2007 SP1 Release Candidate. As previously noted in a past blog, SCCM SP1 is Microsoft's first release that provides native manageability support for vPro Technology.

 

 

 

 

 

Some of the high level changes associated to vPro between SCCM SP1 Beta and RC1 are:

 

  • Kerberos support for Out of Band Console

  • Maintenance Tasks for Certificate Expiration and Kerberos Master Key renewal

  • Update Out of Band Console UI

  • Integration support for the Intel WS-MAN Translator (provides legacy support for firmware version less then 3.2.1)

  • Active Directory Integration

 

 

 

 

 

 

 

To gain access to Microsoft System Center Configuration Manager 2007 SP1 RC, you can request access by:

 

Set-up an account. on MS Connect.
MS Connect Website
http://www.connect.microsoft.com/
After you've logged in, select "Available Connections" from the menu on the left side of the screen.
Select "System Center Configuration Manager 2007". You will be asked to fill out a questionnaire so they can get some background and demographic information.

Matt Royer

If you are interested in learning more on each specific use case, what they are, what they do & the AMT architecture overall,check out this link. 

 

http://softwarecommunity.intel.com/articles/eng/1032.htm

 

Key Items in here:

  • capabilities overview

  • use case features

  • hardware architecture

 

I find this helpful when discussing the interfaces, architecture & use cases.

Order an Intel® vPro™ Technology "Activation-Ready" PC or WS was updated to include LG, for Korea market. Samsung is in progress and coming soon!

While at ManageFusion, we had a chance to talk with Lee Bender, Senior Technical Strategist for the Intel Alliance at Symantec Corporation.

 

 

Lee showed off how the Symantec Backup Exec System Recovery (BESR) takes advantage of Intel vPro technology.  Intel vPro technology extends the reach of BESR, and helps prevent an IT administrator from visiting an end-user's desktop or notebook by enabling remote diagnosis and repair of a downed PC with an unavailable Operating System.

 

Watch Lee's demonstration of Intel vPro technology with Symantec BESR below:

 

 

 

We might have an answer.  If  you still have a question after reading FAQ - please ask.

 

Check out the FAQ posted by

clicking here

 

FrankEngelman

Day 2 at ManageFusion

Posted by FrankEngelman Apr 10, 2008

 

The Norton Backup Exec looks very promising as a receovey tool now that it uses WinPE...Maybe we can take a recovery point and convert to VMware or MS VM image- possibly use this as temporary system for users while their system is being worked on?

 

 

The Altiris CMS version 7 (beta) integrates many of the Norton suite features- of interest to me was the choice of PCanywhere, RDP OR VNC as a remote control

 

 

Symantec announced at the event that they purchased AppsStream and plan to intogetrate it into Altiris NS.

 

 

The next gen Ghost product includes many new features including Ghconfig, which can be used to rename a system.. this may be useful for easily renaming waterfalled (hand me down) systems...

 

 

 

 

 

FrankEngelman

Day 1 at ManageFusion

Posted by FrankEngelman Apr 10, 2008

 

There were two sessions at ManageFusion 2008 in saving energy on clients in the corporate environment. Almost all hands when up when the question was asked "How many of you have a corporate initiative for green IT?"

 

HP is pursuing a "top down" power management tool from Verdiem Surveyor for the corporate environment as well as a "bottoms up" tool (HP Power Manager" for installation on clients that lets employees see the actual $ impact of their energy savings using a simple slider bar. I will post the HP link for the client tool on my BLOG when it becomes available

 

 

Gartner says PCs consume 40% of the power, servers are 22% even though most enterprises think it's the servers

 

 

"It's really neat that HP and others are offering tools to shut down systems to save power, but I want my users to be able to use their system as soon as they come to work without waiting for patches..."   and the answer from the presenter was "...what you need is Intel AMT... it can wake systems for patching and put them back to sleep..." The audience had not heard of this...

 

 

The hard drive password issue that many companies are facing doing wakeup&patch can be solved by Danbury and a good ISV console

 

 

The Altiris Backup Exec Recovery solution using WinPE looks very promising

 

 

I'm on my way to the Altiris Manage Fusion conference in Las Vegas...I know, I know, tough duty ... but after just getting off 24 hours of continuous air travel with layovers to meet with Intel vPro design engineers and the Intel IT Operations support staff in the Middle East, I am a bit tired.

 

Since I work in the Intel IT Innovation Centre where I test new vPro console offerings from various vendors and well as developing support models for Intel IT OPs, I'm looking forward to reviewing the new Altiris offerings and will post my findings here... good night- my body clock says 4 AM

Here's a single picture view from IDF On Code name:  "CIRA".  There's more info to come.. but check out the latest on vPro..    I'm looking forward to showcasing this technology & putting video's on youtube, etc..   stay tuned for more and start your questions.. 

 

 

 

Available for download and use is the SCS Setup Wizard, a tool designed to automate the installation of the Intel® Setup and Configuration Service (SCS) along with the third party pre-requisite components automatically. This beta level aplication is fully configurable to meet your specific installation requirements.

 

Here's a video overview (2.5 min.) External link to video:

 

Background -

 

The Intel Setup and Configuration Service for Intel® Active Management Technology (Intel® AMT) is a free toolset that simplifies the preparation of hardware that supports Intel AMT for remote administration.

 

Intel SCS automates the process of populating Intel AMT managed platforms with the usernames, passwords, and network parameters that enable the platforms to be administered remotely.

 

The automation of these activates provide an efficient means of implementing Intel AMT hardware for enterprise customers.

 

The Intel SCS service works with other services in order to provide a secure setup and configuration infrastructure for Intel AMT devices.

 

To successfully take advantage of the functionality that the Intel SCS service can provide, all of the other needed services must be correctly installed and configured. These services include:

 

Microsoft SQL* Server

Internet Information Services (IIS) 6.0

Microsoft Certificate Authority

Active Directory

 

Installing and configuring all of the services needed to utilize the Intel SCS can take an experienced user 2+ hours to complete. Using the automation provided by the SCS Setup Wizard, this process can take less than 30 minutes.

 

SCS setup Wizard Performs the following functions -

 

Install/configure MS SQL Server 2005 Express* Edition and MS SQL Server Management Studio Express

Install/configure Internet Information Services (IIS) 6.0

Install/configure MS Certificate Authority*

Install/configure Active Directory Services

Install certificate for IIS

Install certificate for Intel AMT Client

Install/configure Intel SCS service

 

Download here:

Download SCS Setup Wizard Binary

Download SCS Setup Wizard Source

 

DOPD Software Engineering Team

 

The application & desktop virtualization forums for Atlanta (March 20) and Washington DC (April 3) went off well.  Here is my recap. 

 

 

Atlanta:

 

 

When we arrived in Atlanta, the town had just survived a tornado on March 14th and was in repair mode (the hotel that many of us were staying at had extensive damage and was doing everything it could to get back in working order).  We had a few interesting times as passage to & from the hotel was often stopped due to the amount of falling glass (we passed the time in the nearby malls and downtown businesses).  One person checked into their room to find that moments later a crack in the window gave way to a breezy view.  The round the clock crews that were repairing the hotel made for some less than desired sleep patterns (3 am hammering in the room next to you is bound to wake the heaviest of sleeper).  The people in Atlanta were as hospitable as ever, confirming that Atlanta is big city with small-town hospitality - even in the aftermath of a tornado!

 

 

We held the event at the 755 club at Turner Field (the Atlanta Braves stadium); the venue was awesome!  The day of the event, started at 8:30 for attendees with a very enjoyable southern breakfast.  At 9 am, Ketan Sampat of Intel gave the opening address, followed by presentations from Citrix, , and Microsoft.  During the lunch time, there were demos and deep dives with experts from Intel, AppStream, Citrix, Dell, Microsoft, and Symantec.  As the attendees left the event, they received a USB thumb drive with all the presentations and collateral here:

 

 

I personally had several great discussions with the Atlanta attendees, and found that the attendees are definitely looking at various compute models to deliver the needs of their business and are eager to see which ones will emerge as the best complete solution - great perspectives and insight received from these talks.  In addition, the team was happy to see the city recover quickly, and as we all left, we look forward to a return visit to a restored Atlanta, and the continued contact with the attendees from the event as they move forward exploring these topics.

 

 

Washington DC:

 

 

We arrived in Washington DC during cherry blossom season, a fantastic time of year.  The venue for the event was the Marriott Hotel in Bethesda Maryland.  The hotel staff was very helpful, the hotel was enjoyable, and the event went off without any major issues.  The agenda was very similar to Atlanta with breakfast/registration time at 8:30 am, and at 9 am Chuck Brown of Intel giving the opening address. This was followed by presentations from Citrix, , and Microsoft.  During the lunch time, there were demos and deep dives with experts from Intel, AppStream, Citrix, Dell, Microsoft, and Symantec.  As the attendees left the event, they received a USB thumb drive with all the presentations and collateral here:

 

 

 

 

 

Many great talks with the attendees in DC as well, confirming a similar message that was received in Atlanta.  We are definitely on the edge of something big in this space - as can be seen by the various acquisitions that have occurred in the past year.  A fantastic first two events for 2008, if you have not been able to attend either of these, see if one of these matches your location. 

 

Pittsburgh\

May 06

Register: Members\ \

Non-Members\

Columbus\

May 28

Register: Members\ \

Non-Members\

Baltimore\

June 10

Register: Members\ \

Non-Members\

Tampa\

June 12

Register: Members\ \

Non-Members\

Austin\

June 24

Register: Members\ \

Non-Members\

Denver\

June 26

Register: Members\ \

Non-Members\

 

Hope to see you at one (or more) of these events in the near future. 

 

 

-Jason Davidson

 

 

What is interesting is that I spent a few years prior to Intel in the Gas & Electric industry, spending time with customers & internal electric troubleshooters.   During this time I spent a few dedicated months talking about saving Kilowatts, how to do it, tips, tricks, tools & breaking bills down to specific pieces of hardware in the house that are good suspects.  I remember at this time (early 90's) that we received an update about computers and their impact on the customers bills, and at that moment I was wow'd by the impact.  Well, since then things have changed and it feels like for the better, of course even better with vPro and yes I do believe..  

 

So over the next 2 months I'm working on doing a few power tests on vPro to show the value of having a vPro system & what we see in the End user labs that we've setup.  If you are as interested as I am let me know, it would be great to run these tests in parallel to see what results we get and the # of kilowatt hours we save collectively.  

 

so how can you let me know?  2 way's.. 

1.  blog me back here with your comments

2.  shoot me an email at Josh@Intel.com - Yep. Josh@intel.com 

 

If you think there's no way you can save Kilowatt hours with vPro, let me know that to.. i'm interested in your thougthts, opinion, etc..

 

Looking forward to comments..

On April 8th, Intel Vice-President Gregory Bryant was part of the opening ManageFusion keynote led by Symantec's Steve Morton.

 

In the first part of the keynote, Steve talked about his travels to Intel to learn more about Intel vPro technology. Then Gregory talked about about how customers are realizing value today with Intel vPro technology through better remote management, better power management and better security policies - essentially allowing IT administrators to "levitate." View the first part of the keynote below:

 

 

 

 

Then, Gregory (along with Steve) introduced Ted Wilkinson, an IT Vice-President at Bank of NY-Mellon. He talked about his infrastructure of 47,000 PCs after the integration of Bank of NY with Mellon Bank, and how Intel vPro technology helps his new infrastructure with enhanced remote power control and remote remediation - which eliminates costs within his new infrastructure.

 

Also, Gregory discussed future Intel vPro technology directions - including:

 

    • The dynamic virtual client - which blends the manageability of thin clients with the ability to take advantage of the performance of thick clients

    • The ability to manage laptops and desktops that are outside of the corporate firewall starting with Intel vPro technology that come out mid 2008

    • The integration of hard drive encryption with Intel vPro technology starting in Q3'08 that is easy to manage

 

View the second part of the keynote with Gregory below:

 

 

 

I was excited to hear that in this morning's ManageFusion keynote, Symantec Chief Operating Officer Enrique Salem announced that Symantec has signed a definitive agreement to acquire industry-leading application streaming vendor AppStream.  This should make the SVS Professional product all the stronger, as AppStream has been providing the streaming component of this product already. 

 

 

You can read the blog from Scott Jones on the Juice site as well. 

 

 

In my last post I discussed the worsening economy and its impact on the spending behavior of business owners, who tend to tighten their belts during periods of economic uncertainty, and look to cost-cutting measures in order to "hunker down" until the storm blows over.

 

In extreme conditions, these same business owners also look to staff reductions and outsourcing labor-intensive business functions such as HR, Payroll and IT Services, which is an excellent opportunity for the well-prepared Managed Services Provider to capitalize upon.

 

With the proper messaging and an effective marketing and sales process, MSPs will be more successful at winning business and more profitable in 2008 than System Builders, reactive break-fix and professional services providers. Let's break down the reasons why:

 

 

System Builders:

 

 

Of the four types of service providers mentioned (system builders, reactive break-fix, professional service providers and MSPs), the system builder's profit margins are generally the lowest, and worsening this initial disadvantage is the reality that orders tend to slow down during economic downturns.

 

 

Reactive Break-Fix Service Providers

 

 

This group's profit margins may be higher than the system builder's, but the challenge will be in maintaining and growing revenues while clients and prospects are attempting to cut costs. Existing clients may not be quite so willing to authorize a billable service call, instead choosing to attempt to troubleshoot matters themselves, and in many cases exacerbating the issue and creating an even more expensive problem to solve. This doesn't do much to engender goodwill with the reactive break-fix service provider, who must now attempt to collect on an invoice that has become a high, unexpected expense for their client.

 

 

In terms of winning new business, the reactive break-fix service provider has their work cut out for them, as business owners are less likely to switch vendors for critical services when times are tight, instead opting to "ride it out" with existing relationships, especially when there is not a compelling differentiator to tip the decision in the new vendor's favor. In these situations, many reactive break-fix service providers resort to cutting their rates in order to win new business, further eating away at their profits, and creating a service relationship that becomes increasingly difficult to sustain.

 

 

Professional Services Providers

 

 

When times are good, delivery of professional services is an ideal way to win new client business, and create a consistently sustainable revenue stream as clients' business needs can be effectively identified and properly managed through quarterly business reviews and yearly technology road-mapping activities, allowing for budgeting and forecasting of regular infrastructure and service upgrades over time.

 

 

But, as mentioned earlier, unless critical to a business' operation or profitability, IT projects are among the first to be put on hold during economic downturns, so the professional service provider may find themselves resorting to cost-cutting measures themselves; in order to weather the uncertain economic climate, just like the clients they serve.

 

 

Managed Services Providers

 

 

Of all of the previous groups mentioned, the MSP enjoys the highest profit potential of all, based on their ability to illustrate real cost savings to their clients and prospects. As business owners look to reduce their costs in 2008, the ability to outsource the management of their IT infrastructure for a fraction of the cost of maintaining their own internal staff for this purpose is very attractive.

 

 

With the right tools and technology, processes and procedures, the MSP will benefit from the highest profit margins for their services as well. Implementing and extending the capabilities of technologies such as vPro gives the MSP the competitive advantage to increase profits in 2008 and beyond. Extending the remote management and remediation capabilities of the MSP's existing tools and technology to reduce truck rolls to 8% of all service calls or better*, vPro technology augments the MSP's efficiency and utilization significantly, netting additional profits to their bottom line.

 

 

Last time I said I would discuss how to shape our marketing message and value proposition to take advantage of our current economic downturn, but this topic will have to wait until next time...

 

 

 

 

 

 

*Source: Zenith Infotech

 

 

PodTech recently conducted a video interview about the Emerging Compute Model Forum with Chuck Brown, Jason Davidson, and Mike Ferron-Jones from Intel.  Here is the video, please give us any feedback you may have. 

 

           

           

 

PodTech wrote:

 

 

There are now possibilities in enterprise computing that have the potential to solve mainstream problems and become widely adopted. These "Emerging Compute Models" are creating a lot of buzz, but also a lot of confusion in the IT community. That's why this video podcast focuses on Intel's Emerging Compute Model Forum. Jason Davidson, technical evangelist for the forum, says IT shops are experimenting with new ways to deliver applications and operating systems, but there's no consensus on the best model, or models, to use.

 

 

In this podcast, Davidson and his colleagues Mike Ferron-Jones, marketing manager for Intel's Emerging Compute Models program, and Chuck Brown, who directs the program, lay out the basic questions IT managers need to ask before choosing new compute models, discuss some of the pros and cons of different models, and preview some Intel and industry developments in the ECM space.

Recently, Mike Ferron-Jones did an interview with Scott Smith from Intel's feed room. Mike did a great job at explaining the views he expressed in his blog.

 

 

On February 12, I was at a Intel team event in Hillsboro, Oregon.  I was able to snag a few minutes with Ketan Sampat, Marianne Jackson, and Arjun Batra to do video interviews about the Intel streamed computing initiative. 

 

 

Here is my video interview with Ketan Sampat.  He gives an overview of the recent events in the industry that have been contributing to Intel forming the streamed computing initiative, and in turn form the Emerging Compute Model Forum community.   It runs just over 1 minute. 

 

Next, I was able get Arjun Batra behind the camera to invite you to attend one of our upcoming application & desktop virtualization forums.  Follow this link if you would like to register for one of these events.  It runs around 3 minutes.

 

Also, I was able to sit down with Marianne Jackson, who talked about some of the various events, activities, and products that Intel has planned for 2008. It runs around a minute and a half.

 

We just finished our live radio show on blogtalkradio with Jeff Torello. Listen to it below, or visit www.blogtalkradio.com/openport to download previous shows.

 

Topic: Russ & Josh are hosting and their guest, Jeff Torello, is coming on the show! We'll be discussing the vPro Expert Training program & recently posted Activation training materials.

 

 

For those pursuing remote configuration in an Altiris environment, take a look at the article posted at http://juice.altiris.com/article/3866/frequently-asked-questions-about-remote-configuration

 

Some parts of the article are applicable even outside an Altiris environment

How do you decipher RCT Codes?   Great question.  In the Intel AMT SCS Installation and User Maual there is a section of the document focused on the RCT.  Here's the sample uses.

 

 

This is on Page 70 of the[User Manual.|http://softwarecommunity.intel.com/isn/downloads/Manageability/Intel_AMT_SCS_Installation_and_UserManual.pdf

 

Also here are the Codes that come back after running.

 

If your receiving an Error #7 specifically.  Here's more information:

 

ERROR #7.

Unable to connect to the SCS. This may be due to a number of causes, such as TCP error, HTTP error, or server not

found. This may result from:

• An incorrect FQDN for the SCS in the command line.

• A failed HTTPS connection due to a missing trusted root certificate.

• IIS is stopped on the SCS platform.

 

If you are interested in where this tool is located, Bill York explained in this post

 

Hope this helps......

On my travel's out of the factory and on the road with vPro users, I was able to see a new tool that I had not seen to date.   When the User pulled up resource manager he showed me a new way to fast track to a machine.  The Screen looked like this.

 

 

I asked where the tool was and was given this link on Altiris Juice.

 

 

Here is the code you will see in the VBS file.

 

REM Authored by: Benjamin Palmer

REM Company: <Your Company Here>

 

strAnswer = InputBox("Please enter a computer name you would like to view the resource information for:",".oO - Quick View Resource Manager - Oo.")

 

If strAnswer = "" Then

    Wscript.Quit

Else

    strURL = "http://Deploy1/Altiris/Resource/ResourceManagerConsole.aspx?Name="&strAnswer

    Set objShell = CreateObject("Wscript.Shell")

    objShell.Run(strURL)

End If

 

I found this a very useful tool for Altiris Users that know the machine and want to fast track to the notebook/desktop.   Or you could give this tool to your help desk for them to easily get to a machine vs. navigating through the console. 

 

NOTE:  please make sure you change out the "DEPLOY1" with your console name.

 

If you have a great tool like this that you use, please share out.. 

 

Cheers..

In my last blog I mentioned a group of us got together to showcase the technology in the Intel Labs.  This video Frank, which will be at ManageFusion & myself showcased the Patching use case of how you can wake a system up, patch & then return to powered off state.   The value is in the effectiveness of powering the machine, patching and then shutting it down as quickly as it started.

 

 

The same note here, if you are interested in how we specifically wrote the job please let us know and we can add that detail out here as well.  I also have a detailed screen by screen view if of interest.

In case you haven't already heard - our vPro Expert Community has been up and running with their show on Blogtalkradio. Feel free to visit www.blogtalkradio.com/openport to view past & upcoming shows from big time pros, Josh Hilliker & Russ Pam.

 

So now, we'd like to hear what you've got to say about it. We want to open up and see what you all think. How's the length? Is 15 minutes too short or would 30 minutes be too long? Would you rather hear about upcoming or past technologies? Would you want to hear some outside ideas during the show - like a guest from one of Intel's ISVs perhaps? Got any other suggestions for topics you'd like to see on the show?

 

Just a few questions there to get your brain moving - but the floor is wide open.

Tell us what you think!

 

A group of us got together in the lab and made a few video's on showing real life scenarios with vPro and how to apply the technology to the problem.   Here's our first one on Remote Repair, with Todd Christ on the control's.   NOTE: we are really breaking stuff & fixing it..

 

 

If you are intersted in the screen shots let me know.  I also am working to share out either how we created the repair iso or just give the ISO out.   If you are interested in more data around the ISO (what's in it, how it works, etc..) please let me know as well.  

 

I will be posting a few more on HW Inventory, Midnight Patching, & system defense.   I also was able to talk with Jason Davidson on the Emerging Computing forum & he shared out a usage of vPro that I think is very interesting.

Filter Blog

By date: By tag: