

I had the pleasure of sitting in on a presentation that Josh Hilliker and Todd Christ gave for some clients this last week about vPro. As I was sitting there, it dawned on me that I hadn't realized how good the maintenance is. Josh's passion and Todd's knowledge really drove it home during the presentation.






The chipset has a lot to do with it. Active Management Technology (AMT) is the featured product. I know I have mentioned AMT a lot, but I never really dove into the subject. It is such a vital part of vPro. AMT runs in the chipset itself, independent of the Operating System (OS), so IT can reach the machine no matter what state the OS is in, even when it will not boot. The client can alert the management console that it needs help, and IT can then apply System Defense filters that "cut" most of the client's network traffic while leaving just enough open for the console and the client to communicate. To make this user-friendly on the console side, IDE Redirection (IDE-R) and Serial over LAN (SOL) help the operator remotely diagnose and repair client systems. For a walkthrough of how this is done, Brad Lund wrote a blog called Using SOL/IDE-R to Diagnose and Repair vPro Clients on the vPro Expert Center site.






AMT is a force of nature in the chip world. Beyond supporting remote repair, it keeps a hardware and software inventory of the client, watches for problems, and if something is wrong it lets the management console know. Its main benefits are listed below, taken from the Intel® Active Management Technology page.





Features and Benefits


Intel® Active Management Technology (Intel® AMT)


Out-of-band system access

Discover. With built-in manageability, Intel AMT allows IT to discover assets even while PCs are powered off.¹ Plus, remote consoles don't rely on local software agents, helping to avoid accidental data loss.

Remote trouble-shooting and recovery

Diagnose. Providing out-of-band management capabilities, Intel AMT allows IT to remotely isolate and recover systems after OS failures while alerting and event logging helps reduce downtime.

Hardware-based agent presence checking

Verify. Ensuring better protection for your enterprise, hardware-based agent presence checking proactively detects that software agents are running while missing agents are automatically detected and alerts are sent to the management console.

Proactive alerting

Isolate. Proactively blocking incoming threats, Intel AMT System Defense contains infected clients before they impact the network while alerting IT when critical software agents are removed.

Remote hardware and software asset tracking

Update. Helping to keep software and virus protection up to date across the enterprise, Intel AMT also enables third-party software to store version numbers or policy data in non-volatile memory for off-hours retrieval or updates.





For a business, this is solid reasoning to ensure that your information isn't going to be destroyed. That could cost a company millions in time and money if the information is gone. Think for a moment that I was sitting here, writing on a blog, and suddenly my computer caught a virus. Without this featured product to protect my computer from hazards, all my work would be gone. That would make for a very unhappy intern. Computers just might fly through the air. Ahhh, but the pleasure of having such a luxury as vPro makes life so much better. I wouldn't have to worry about my work being gone. And I wouldn't feel bad, because I wouldn't get anybody else infected with that pesky virus.






There was another thought in all of this: I am really bad at keeping up to date on my hardware and software. Even if it gives me a sign saying that I need to update my items, I tend to either ignore them or just plain forget them (of course I check all the time on my work computer). It would be even better for employees and me to have our computers update while we are not at them. While the employees are gone, IT can set up a script for vPro to check all of the points and update the licenses, then shut the computers down again (or restart them, however the company would like to do it). When the employees come back, everything would be as if they never left. That alone would save companies a lot, because they are getting more productive time.






This little piece of equipment is so vital to the pulse of vPro. The three words that best describe what I found through my research are that AMT "discovers, heals, and protects".



Listen in as your hosts talk with Dave McCray, Intel's IT Program Manager. Intel IT is a leader in the activation and use of AMT. They have activated & provisioned over 10k machines - hear how they did it, why they are doing it & how to make your integration better based on Intel IT's best known methods. Also get a scoop on what you'll find in the coming year.

Date/Time: 8/4/2008 3:30PM

Call-In Number: (347) 326-9831

You can also visit Open Port Radio or Stream this Show Online



UNTIL THEN...Be sure to download our prior segments of the show. You can find them on iTunes by searching for "Intel vPro" or on the Open Port Radio site. Thanks for listening!

I got to enjoy a hands-on experience with vPro this morning; I got tired of just reading everything. Another intern, Nick Molina, showed me some capabilities that I had only read about in whitepapers and postings from vPro experts. I am not sure how you like to learn, but one of the best ways for me to learn is to see the product in action. Plus I didn't really understand it until it was put in front of me.


Nick was able to show me different remote capabilities: how the server is able to power the client computers on and off, and how to read the hardware inventory from the client computer through the server. He also showed me how you can apply filters to the client's network interface that cut off any outside source (e.g. through the WLAN) that could put the client and/or server in harm's way.



To see this better, watch this YouTube video, which shows the same thing I was learning from Nick. It's a bit shorter than what I experienced, but it gives you the same idea. Watching it, after reading my blogs of course, gives you a better understanding of what vPro can do.



Intel vPro Technology integration w/Symantec Backup&Restore




Chapter 4 should be coming soon. It will be on trusted environments. Stay tuned!!




Understanding vPro: Chapter 1- What is it?



Understanding vPro: Chapter 2-What is it used for/ why should I use it



Understanding vPro: Chapter 3- Proactive Security- Does it have a tiny guard dog???


















Blog on! Erick Simpson has posted a three-part series on the vPro Expert Center about how we can minimize the effect that our economic situation is having on service revenue. See the links to these insightful blogs below.


Erick is a co-founder and CIO of MSP University in Southern California; he directs the creation and development of corporate business relationships and represents the organization at key industry events and conferences. Erick is a recognized managed services author, speaker and trainer, and a contributor to numerous industry publications and events. You can find out more about MSP University at


2008, The Economy and minimizing its impact on Service Revenue with vPro

2008, The Economy and minimizing its impact on Service Revenue with vPro Part 2

2008, The Economy and minimizing its impact on Service Revenue with vPro Part 3

My name is Brad Lund; I work in the Enterprise End User Integration Lab (EIL) as a Senior Systems Engineer. This article is the first in a series of blogs I plan to deliver describing how, with the aid of some very useful tools, we can use IDE Redirection (IDE-R) and Serial over LAN (SOL) to give the console operator a more user-friendly approach to remotely diagnosing and repairing client systems.


SOL is a great technology that has been around for a number of years. It is generally used in data centers to take control of a computer in order to change its BIOS settings. Since BIOS output is by nature pure text, SOL, whose interface is based on VT-100 terminal emulation, works fine for that. But what if the problem requires the console operator to interact with the client through a graphical interface in order to load and run diagnostic applications?


Since the Enterprise Integration Lab is end-user focused, several customers have asked us how they could leverage this usage scenario to take control of an AMT client while giving the operator a more intuitive and useful interface. Additionally, every one of the end users we interact with has a set of tools they use to perform diagnostics and repair. But if the client system is out of band, meaning there is no working O/S, the problem is NOT BIOS related, and the diagnostic tools require the operator to have a graphical view of the client system, how can we deliver on this request?


This series of blogs will show various ways to address these questions and more. I will start with a client residing inside the enterprise, using AMT to contact the console operator and very basic tools to take control. Upcoming blogs will show how to do this for clients residing outside the enterprise (in the internet cloud) using Client Initiated Remote Access (CIRA) to contact the console via a Management Presence Server in the DMZ, with more robust tools - very cool!


So let's get on with it shall we?


The Tool Set

For this first installment I am using AMT Commander from the AMT DTK to initiate a client connection and perform redirection: SOL for the text console and IDE-R for the boot media. The client platform is Montevina (AMT v4.0). I will also push a Pre-installation Environment (PE) down the wire to boot the client into a graphical environment; either WinPE 2.0 or BartPE can be used. Whichever you choose, the greatest thing about a PE is its ability to be customized. You can build a PE that includes not only the drivers needed to bring the system up, but also all the software a technician needs to truly diagnose and correct practically any problem. A full explanation of PEs is beyond the scope of this blog, but easily searchable via your favorite search engine. Lastly, to complete the process I will use UltraVNC, a publicly available application that gives the console operator the ability to view the remote client's screen - graphically!


The Scenario

In this setting we have a client system whose O/S fails to boot (see Figure 1 - left image). This could happen if the user did something to the system that left the registry unreadable by the O/S, or perhaps accidentally deleted a critical file the O/S needs to boot properly. In any case, the user calls the support center and is walked through the steps to initiate AMT remote access from the BIOS. Once that is done, the console operator can connect to the client (Figure 1 - right image).


Figure 1: Remote client screen on left - Console operator screen on right









After connecting to the client, the console operator opens the SOL/IDE-R mapping interface and assigns the appropriate .iso images for floppy and CD-R redirection (see Figure 2 - left image). Note: you must assign both a floppy and a CD image for SOL/IDE-R to operate properly. Also, while you can use IDE devices physically attached to the console system, working with .iso images is faster and more flexible.



Figure 2: Point device mapping to .iso images, start SOL/IDE-R, take control of client system.









The next step after starting redirection is to take control of the remote client, as shown in Figure 2 - right image, and indicate which image to boot from. Since our PE is stored as a CD-R .iso image, we tell it to "Remote Reboot to Redirected CD" (Figure 3).




Figure 3: Remote reboot to CD-R image









At this point the client system has started a reboot and is loading the PE image from the console. However, because we are watching it over SOL, the console operator can only see text output. Notice the window in the foreground of Figure 3 titled "PuTTY": this is the SOL interface, and it shows only the "please wait" line from the boot loader - not very intuitive or useful. As a result the console operator will have to ask the user to say when the PE has finished loading on their system (see Figure 4).



Figure 4: Client system completed boot to PE and ready for remote control









Here is where the fun begins. After the PE loads on the client, the console operator starts UltraVNC and points it at the client (Figure 5 - left image). The PE build includes the network drivers that give the client an IP stack, so it can be reached by UltraVNC. Once UltraVNC connects, it opens a graphical window where we can see and control the client as though we were sitting at the machine (Figure 5 - right image). So we are using the SOL interface for text information and ordinary TCP/IP to let UltraVNC reach a client that is otherwise out of band - pretty cool, huh? One caveat: the VNC server inside the PE is reachable by anyone who can route to the client, and unless the PE is built with a VNC password and an encryption plugin, the whole session crosses the wire in the clear. Set the password at PE build time and keep the session on the management network.



Figure 5: UltraVNC to display client screen on console operator system









From here we can invoke a whole series of commands and view the results in real time. In the example shown in Figure 5 - right image, I am running regedit. OK, I realize it is showing the PE's registry, but with the right tools we can load and analyze the client's registry hives, or any other application and/or device.


Remember I said the beauty of PEs lies in their ability to be customized? If your shop uses specific diagnostic tools, you can include them in the PE at build time and use them here by simply clicking the orange "GO" button (different PEs have different ways to access applications).


What I have shown here is the ability to use some very rudimentary protocols along with widely available tools to perform very powerful diagnostic and repair functions on a broken client. Keep in mind, however, that this is only one of many ways to achieve this capability. In fact, this particular example can take a fair amount of time to load depending on network traffic and the size of the .iso image. But it is much better than the downtime required to bring the remote system into the support center.
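Before pointing AMT Commander at a client, it pays to confirm that the client's Management Engine is actually answering on the network and to learn which AMT version it runs, since SOL/IDE-R depends on the redirection listener being up. The script below is an added example and not part of Brad's post or the AMT DTK. It uses AMT's documented listening ports (16992/16993 for the HTTP and SOAP interface, 16994/16995 for SOL and IDE-R, the odd ones being TLS) and assumes the AMT web server identifies itself in the Server header as "Intel(R) Active Management Technology <version>", the format I have seen on AMT units; the sample headers in the test are constructed.

```python
"""Pre-flight check for an out-of-band session against an Intel AMT client.

Intel AMT serves these ports from the chipset, not from the host OS, so
they answer even when the OS will not boot:
  16992  HTTP   - SOAP / WS-Management and the AMT web UI (cleartext)
  16993  HTTPS  - the same over TLS
  16994  SOL and IDE-R redirection (cleartext)
  16995  SOL and IDE-R redirection over TLS
An unauthenticated GET on the web port gets a 401 with an HTTP Digest
challenge; the Server header carries the AMT version (assumed format:
"Intel(R) Active Management Technology 4.0.3").
"""
import re
import socket
from http.client import HTTPConnection

AMT_PORTS = {
    "http": 16992,
    "https": 16993,
    "redirection": 16994,
    "redirection-tls": 16995,
}

SERVER_RE = re.compile(r"Intel\(R\) Active Management Technology\s+(\d+(?:\.\d+)*)")
REALM_RE = re.compile(r'realm="([^"]*)"')


def parse_amt_version(server_header):
    """Return the AMT version from a Server header, or None if it is not an AMT banner."""
    if not server_header:
        return None
    m = SERVER_RE.search(server_header)
    return m.group(1) if m else None


def parse_digest_realm(www_authenticate):
    """Pull the realm out of a Digest challenge (useful for logging which ME answered)."""
    if not www_authenticate:
        return None
    m = REALM_RE.search(www_authenticate)
    return m.group(1) if m else None


def tcp_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out, or sockets not permitted
        return False


def probe_amt(host, timeout=2.0):
    """Check which AMT listeners respond on host and read the banner from the web port."""
    result = {name: tcp_open(host, port, timeout) for name, port in AMT_PORTS.items()}
    result["version"] = None
    result["digest_realm"] = None
    if result["http"]:
        conn = HTTPConnection(host, AMT_PORTS["http"], timeout=timeout)
        try:
            conn.request("GET", "/")
            resp = conn.getresponse()
            result["version"] = parse_amt_version(resp.getheader("Server"))
            result["digest_realm"] = parse_digest_realm(resp.getheader("WWW-Authenticate"))
        except OSError:
            pass
        finally:
            conn.close()
    return result


def redirection_ready(probe):
    """Which SOL/IDE-R listener to use: prefer TLS, fall back to cleartext, None if neither."""
    if probe.get("redirection-tls"):
        return "tls"
    if probe.get("redirection"):
        return "cleartext"
    return None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # hypothetical client
    p = probe_amt(target)
    print(f"{target}: AMT version {p['version']} realm {p['digest_realm']}")
    print(f"redirection listener: {redirection_ready(p)}")
```

If only 16994 answers, remember that the SOL stream, the redirected .iso and the VNC session that follows all cross the wire unencrypted; that is acceptable on an isolated management VLAN and nowhere else.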


EIL is constantly finding solutions to the hard questions from our end users. In upcoming blogs I plan to show similar capabilities using different techniques to minimize load times while maximizing efficiency. I hope you found this blog useful; if you have any questions, please feel free to ask. See you soon...


Hi everyone. A few days ago, I did a demonstration of Intel AMT at an Intel event. This is a standard demonstration of Intel AMT with reboot, remote BIOS edit and the unique TCP-over-SOL to perform a VNC session on a computer that has the operating system network stack disabled.


This video is also available in high quality on the YouTube site. You have to go into YouTube and click on the high quality link. I am pretty impressed at how much better the quality is when viewing it in high quality.


The VNC-over-SOL demonstration is probably my number one demonstration for WOW'ing an audience with Intel AMT. I sometimes also do a demonstration of agent presence, which is also unique to the DTK.






The vPro Expert Center's BlogTalkRadio show is hosted by Josh Hilliker, Russ Pam, and Jeff Torello. This bi-weekly informal show covers a variety of topics and is a perfect avenue to get your questions answered. Listen in live, give your two cents, or just download the show after it has aired. Make sure not to miss out on this awesome opportunity to learn and engage with the vPro experts. Can’t join us live? Have no fear, blogtalkradio let’s you listen to the show whenever you have the time. Visit the Open Port Radio site (link is above) to hear previous shows and even catch a glimpse of what’s to come!

New info! I just added BIOS setting config notes for the Dell 630c - check 'em out!


BIOS Settings for Intel® Active Management Technology (Intel® AMT) versions 2.5 and 3.0

Nick and I got together this week and evaluated a few platforms for their AMT settings in the BIOS. In this video, Nick explains how to get into each BIOS and where the options for AMT are (or, for that matter, where they are NOT).



Here are a few screenshots of two of the platforms. We are also going to publish a matrix of the systems with drivers and BIOS settings that Frank has been working on.. stay tuned for the link.



After much talking with end users and industry thought leaders, a group of us developed this utility to help people decide which compute model is best for a specific user segment. There are many items to consider when trying to determine which compute model is best for your users. I believe this utility does a decent job of calling out the most common questions that help to determine the models that would be well suited, and lists the ones that may not be appropriate.



In this application, you walk through a compute model decision by answering a series of questions for a specific user segment (the user segment you enter is a free-form text field and does not change the output). You are presented with a summary screen that gives you recommendations and concern areas based on your inputs. When you mouse over a compute model name, the reasons why that model is or is not recommended appear in the notes section.

I welcome any feedback.

-Jason A. Davidson

p.s. For compute model reference, please refer to this document:


Since the previous blog was Proactive Security, I feel it is only fitting to discuss the trusted environment. What the trusted environment comes down to is the hardware. Even though trusted environments are virtual, hardware is needed to weed out the potential problems that can occur. Items such as viruses and hackers can take over the PC and destroy any information we have on there; vPro, as I said in the previous blog, will be able to weed out such problems. This is so cool, just think about it: it would be like a six-foot, hammering crazy man finding problems and taking care of them with his deadly hammers. (If I were a bug, I would be scared!)











This trusted environment is very much an issue in today's world, and vPro technology helps reduce the exposure. Trusted Execution Technology (TXT) is a new technology that helps in virtualized computing environments: it lets the platform measure and verify the software it launches, so fewer software problems come up. TXT works together with Virtualization Technology for Directed I/O (VT-d), under which the hardware protects and isolates the memory assigned to a virtual machine, including from direct memory access by other devices, which makes the virtual machine less prone to attack.






I came across a case study in my research: a huge hospital, Nottingham University Hospitals (an NHS trust), with two primary sites that are 30 minutes apart. With 6,000 desktops across the two sites, imagine how much they spend on IT alone. Once vPro was implemented at the two primary sites, a support call takes them only 10 minutes to deal with instead of two hours, even when the client is powered down. If you would like to read more about this case study, go to The Future of IT Support.






Where else would you want a trusted environment? Back to the hospital: make sure nobody who shouldn't can get to your personal information, but when other physicians and/or staff need your records, they are able to get to them. If the computer that holds all your information is not working properly, other problems can occur and it becomes a domino effect. vPro lets the server get access to that information and move it to another client.






Let us look beyond this: how about financial institutions? They hold a lot of personal information. If the clients at a branch went down, a main server could come in and fix most software problems from the main site. Less desk-side service would mean more money to distribute elsewhere. I like more money, and I like reliability in the place that is holding my money; for some reason I like to retrieve what I put in. Stock markets have many people with computers, which means there could be potential problems. If that happens, instead of trying to figure out where that person is, IT can fix the problem remotely. The main server that IT works from would make sure all of the clients are protected from harmful outside sources.






See now, don't you wish you always had a big guy with hammers to destroy anything bad!!




Understanding vPro: Chapter 1- What is it?



Understanding vPro: Chapter 2-What is it used for/ why should I use it



Understanding vPro: Chapter 3- Proactive Security- Does it have a tiny guard dog???



I often get questions about the Intel AMT serial port. Ever since the DTK started to make heavy use of it, Serial-over-LAN has gotten a lot of attention. First, how do you change the COM port number of the Intel AMT serial port? The COM number (COM3:, for example) is assigned by the operating system, so you don't see it in any AMT/BIOS/MEBx option. You have to go into Microsoft Windows Device Manager and open the properties of the "Intel(R) Active Management Technology - SOL" port. Then go to the "Port Settings" tab and press the Advanced button. There, you can change the COM port.


Also, it's often useful for applications to be able to automatically detect the AMT serial port. In Intel AMT Outpost, I scan the device drivers looking for the "Intel(R) Active Management Technology - SOL" device and read the COM port number that follows in that string. So far, it seems to work great, even in non-English countries, something I am always worried about.


The Intel AMT serial port is much like any other serial port, but it has a PCI device identifier that is not normally known to Microsoft Windows, and so Windows does not know what to do with the device. On Intel's web site there is an SOL driver available. The serial driver itself is just a small .INF that tells Microsoft Windows to load and use the standard serial driver. In fact, one can manually force the standard Windows serial driver to be used for this device: go into Device Manager, pick a driver from the list, select Microsoft as the manufacturer and you will see it. Even though it's possible, I don't recommend it, because the DTK code will no longer recognize that COM port as being the AMT port; it will work, but it will have the wrong name for auto-detection.


Lastly, if someone needed to know whether a computer is AMT enabled without loading any drivers, one way to do it would be to detect the presence of the Intel AMT serial port. It is always present, even when AMT is unprovisioned, and it can't be turned off unless AMT is disabled entirely in MEBx. This can be a good way to figure out whether you need to start considering a computer for AMT setup.
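The auto-detection idea above, as an added example that is not from this post or the DTK: scan the Plug and Play device names, find the one named "Intel(R) Active Management Technology - SOL", and read the COM number that Windows appends in parentheses. The device-name format is the one quoted above plus Windows' usual "(COMn)" suffix; the PowerShell command used to list devices and the sample device list are my own assumptions and constructions.

```python
"""Locate the Intel AMT Serial-over-LAN COM port from Windows device names.

Windows lists the AMT serial port (once the Intel SOL .INF is installed) as
    "Intel(R) Active Management Technology - SOL (COM3)"
The COM number inside the parentheses is whatever the OS assigned.  If the
standard Microsoft serial driver was forced onto the device instead, the
name becomes a generic "Communications Port (COMn)" and this lookup will
not find it, which is the auto-detection problem the post warns about.
"""
import re
import subprocess

# Accept either a hyphen or an en dash between "Technology" and "SOL".
SOL_NAME_RE = re.compile(
    r"Intel\(R\) Active Management Technology\s*[-\u2013]\s*SOL\s*\(COM(\d+)\)",
    re.IGNORECASE,
)


def find_amt_sol_port(device_names):
    """Return the COM number of the AMT SOL device, or None if it is not listed."""
    for name in device_names:
        m = SOL_NAME_RE.search(name)
        if m:
            return int(m.group(1))
    return None


def com_device_path(com_number):
    """Name to hand to CreateFile or pyserial: COM1..COM9 work bare, COM10 and up
    need the \\\\.\\ prefix or Windows will not open them."""
    return f"COM{com_number}" if com_number < 10 else rf"\\.\COM{com_number}"


def list_windows_pnp_names():
    """Ask Windows for every Plug and Play device name; returns [] off Windows or on error.
    (Assumed invocation: Get-CimInstance Win32_PnPEntity via powershell.exe.)"""
    cmd = [
        "powershell", "-NoProfile", "-Command",
        "Get-CimInstance Win32_PnPEntity | Select-Object -ExpandProperty Name",
    ]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=30, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return []
    return [line.strip() for line in out.stdout.splitlines() if line.strip()]


# Constructed sample of Device Manager names for a vPro notebook (not captured data).
SAMPLE_DEVICE_NAMES = [
    "Intel(R) 82567LM Gigabit Network Connection",
    "Intel(R) Active Management Technology - SOL (COM3)",
    "Intel(R) Management Engine Interface",
    "Communications Port (COM1)",
]


if __name__ == "__main__":
    names = list_windows_pnp_names() or SAMPLE_DEVICE_NAMES
    port = find_amt_sol_port(names)
    if port is None:
        print("No Intel AMT SOL port listed: AMT is disabled in MEBx or the SOL INF is not installed")
    else:
        print(f"Intel AMT SOL port is COM{port}; open it as {com_device_path(port)}")
```

Run it on the vPro client itself; on anything other than Windows it falls back to the constructed sample list so you can see the parsing work.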



(Intel AMT Blog)



If you're headed to IDF (Intel Developer Forum) in San Francisco this year, we will have a booth, classes and great folks to talk with about integration, activation and tools.



I will post out a list of Client classes in the next few days.

This document contains links to BIOS updates and available utilities for some of the OEMs out there. Take a look - this is helpful stuff if you are getting a vPro deployment off the ground!


BIOS Settings for Intel® Active Management Technology (Intel® AMT) versions 2.5 and 3.0

New additions to the  User Docs and Training for Intel vPro Technology include:


Microsoft SCCM - Quick Start Guide and Migration Utility Download


HP Out of Bound Management - Solution Brief and Registration Link




The 2008 Microsoft Worldwide Partner Conference (WPC) was hosted in Houston, TX on July 7-10, 2008, with global participation. The WPC provides an online and in-person forum to learn more about business growth opportunities and product innovation from Microsoft executives.


This year the ECMF team participated in the event and provided a showcase that incorporated the manageability of Intel vPro in a real-world scenario using application virtualization and streaming. For the showcase the team used SCCM SP1 R2 beta as the enterprise management console with Microsoft App-V (SoftGrid 4.5 beta) to stream and manage applications on the vPro clients.


This provides the ability to:


  • Dynamically deliver applications on the world's most manageable clients

  • Enable greater business agility with an enhanced end-user experience

  • Achieve IT "Green Computing" and reduced TCO objectives via fine-grained update controls.


After the event, I sat down with Craig Pierce to record the demonstration. I think it is a very compelling 4 minutes of video. In the demo he shows both the server console and the client experience, and launches two versions of Microsoft Word (2007 and 2003), which share drivers and normally wouldn't be able to run on the same machine. This concept can be extended to many other applications.



Application virtualization and streaming means you no longer go through the entire install process; you simply stream and execute the applications you need when you need them, and the licenses for those applications can be reclaimed when you're not using them. This should become a de facto standard over time, as it works well in all compute models (from rich clients to thin clients).


Questions?  Comments?  Funny remarks?


-Jason A. Davidson

p.s. Thank you to Chris Kaneshiro, Sophia Stalliviere, Nicole Trent, and Gunitika Dandona for your help in filming & editing this video.

As referenced in the Overview of SMS/Intel SCS migration to SCCM SP1 blog post, Intel has developed a utility to ease the migration of vPro clients that have been activated on SMS/SCS to SCCM SP1.


The production version of the Intel SCS to SCCM Migration Utility has been released and will be available for download from the following location shortly:


A User Guide on how to use the migration utility has been included in the download.


--Matt Royer



Hi all,


Olde Fashion Shout out.. I wanted to personally thank the community for making vPro Expert Center a great community. Thank you..




We're almost a year old as a community and I have a few exciting things to share. The vPro Radio show is now listed in the iTunes directory; search for Intel vPro and you will see the show, so you can hear us talk about vPro while you're on the go.





We have also started a blossoming partnership, through which an email distribution list has been created that you can subscribe to. Click here to subscribe to the list; we just started this and already the dialogue last week was great.




Also, we are working on fixing things so that providing feedback, wiki updates and the Ask the Experts thread work better for the community. Stay tuned as we fix this over the next week (or so)..


If you have additional feedback please post a comment here, or send me an email.  


Thank You


Josh H

Intel Architect / Community Manager

Hi all, while Terry is out I wanted to highlight this new 4-part series on deployment scenarios over on the Altiris Juice site. Thank you, Terry, for posting.

Read about the ROI benefits reaped by Calgary Health Region once vPro technology and LANDesk software was implemented in their organization.


ROI Analysis - Transforming IT Support with Intel® vPro™ Technology

I have recently posted a new Quick Start guide to help you quickly setup your SCCM SP1 lab environment and start testing the Out of Band management capabilities for your vPro systems.



As always, feedback is highly encouraged and appreciated.








Centrino 2 - Highlights

Posted by josh.hilliker Jul 15, 2008

Highlights of the new Centrino 2 platform and the impact to the IT shops.




A few weeks back at BriForum I attended a session called The Future of Client Computing, where the audience participated in an open discussion around where client computing is headed. It was amazing to see a group of very smart people come to a single consensus...with various interpretations of that consensus, I am sure. Being back from the show, and back from vacation, I wanted to take a few minutes to recap my interpretation of the future...



Therefore, the future from my eyes looks something like the following.  I welcome your comments, disagreements, agreements, or snarky remarks.  I will try to keep this write-up as vendor agnostic as possible...all characters appearing in this work are fictitious, any resemblance to real persons, living or dead, is purely coincidental, no animals were harmed in the making of this blog...and if this future plays out, I am not responsible for the results. 



Let me start by explaining where many of us are now. We typically live in a world where we boot a computer to a rich operating system that has many features we may or may not use, then we install applications off CD/DVD, download installers over the internet, or have them pushed as a local install over the corporate network. We all run local virus scanners and firewalls, and patch/update everything often, lest we fall behind and become vulnerable. Each of the software programs we use has been tested to work with our operating system (or we hope), but very few of them are tested to work with other applications, and some are just not compatible with each other (they didn't make it out of kindergarten with the "plays well with others" moniker). Many programs are installed on a ton of computers, with much of the data being the same across those computers, but because that content belongs to the person next to you, it is redundant but not accessible (across a given large group of people the amount of duplicate data is enormous...larger than having copies of the US Library of Congress in digital format). Some people have started moving away from this model, but often come up with solutions that are either too awkward to become mainstream, or too limited to become useful.



Next, the path to the future...  With several compute model choices, people have started using the modern day compute and network resources to revisit solutions that had limited success in the past (I say limited as none of them won out over the model described above, many were very successful in specific environments).  To help with the large amount of redundant data, people moved the data to server rooms.  To deal with application conflicts people gave each of these programs their own virtual sandbox to play in (now they don't have to play well with others...they get their own sandbox instead).  To deal with patches and updates, people developed utilities to maintain compliance with a few button clicks (and several scripts, settings, and close monitoring).  And the list goes on...



The future...  Now I will put on my rose-colored glasses and look at where things are headed...in other words, I believe they are taking a turn for the better. Going back to the discussion during the BriForum class, the basic architecture was a "dial-tone OS" with virtual containers that can be streamed and executed locally or presented over the network. The term dial-tone OS was new to me, and as I believe Ron Oglesby described it, the operating system would give a basic level of functionality similar to when you pick up a phone and hear the dial tone. We have all grown to expect a dial tone when we pick up the receiver, and if there is a pause or delay we are very confused, as we have grown a very high level of expectation for the quality of service on this device (not talking about coverage areas here - just the basic features). With a dial-tone OS, the client device would quickly respond with some basic features: a GUI (graphical user interface)/window manager, a scheduler, an I/O mapper, device drivers, and a virtual machine manager (I may be missing a few OS fundamentals, but the idea here is a truly minimal/microkernel-type OS that has a high level of reliability). All applications that execute in the environment would work in their own virtual sandbox, which may contain an entire OS emulation or simply the basics to execute - in other words, virtual containers. These applications would interact with the GUI via the window manager, and negotiate the layout within the system's capabilities. The virtual container would execute either locally, on a server, or in the network/cloud, based upon the negotiated policies and client device capabilities. For containers executing locally, the differences in the container would be archived and ready for use on other machines or as backup (depending on connectivity, etc).



The key here is an environment that from the base up is built with device capabilities in mind - if you're executing a spreadsheet calculation and your device is going to take days to calculate it, have another location process that for you.  If you're using the same data as everyone else, make one image of it in the community of users, and everyone works from that image - when the image is upgraded, everyone migrates over time.  If the device has Intel vPro capabilities, the virtual containers and dial-tone OS can take advantage of the energy-efficient performance, manageability, and security features.  If the device is Atom-based, then a whole new set of features are exposed.  Etc... (I had to add in my own Intel fanboy comments, but comments I really believe in).



The road to get from here to there involves a ton of non-trivial solutions, and I believe the good news is that many of the solutions are being thought about by some great minds - however I am sure there are some new and exciting "change the world" ideas left to solve... 



The future looks both responsive and reliable, an environment where we are not encumbered by the limitations of our environment, but simply a click away from doing our next task.



-Jason Davidson







During my lab setup of SCCM and trying to get Agent Initiated Provisioning to work for a vPro system, I was running into a basic issue of the SCCM agent being able to auto-discover the SCCM Site Server.  After installing the SCCM Agent on the vPro system, I would initiate, from the vPro client, Control Panel > Configuration Manager > Advanced tab > Configuration Settings > Discover button, and would receive an error that the client was unable to discover the SCCM server.



So I started looking at the SCCM Help file.  I ran into the section about extending Active Directory to enable this site discovery.  But not only do you need to extend Active Directory, you also need to create the System Management container, set security permissions on this container, and enable Active Directory publishing for the Configuration Manager site to this container.  These steps will allow clients to automatically detect the server locator points and management points (which must be added to your SCCM Site Server).



After following these steps, I was able to immediately discover the SCCM server with my Agent installed on my vPro system.  Now I can move on with the AMT provisioning process.



TechNet also provides alternative steps that allow you to update your WINS environment without extending the schema and/or publishing this information to the System Management container.  You will need to determine whether this WINS update is acceptable for your environment or whether extending the AD is the right solution (see link below).  I'm curious for feedback from the community on whether updating WINS would be acceptable in your environment and what issues this would create.


Related links from Microsoft TechNet to enable this capability.

How to extend Active Directory for SCCM:
Create the System Management container in AD:
Set security permissions on the System Management container in the AD
Enable Active Directory publishing for the Configuration Manager site:
Verify that Configuration Manager has published the site information to AD:
How to Manually Add Configuration Manager Site Information to WINS:
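The three Active Directory prerequisites above (container present, site server permitted to write to it, site actually published) are the usual reasons the Discover button fails, so here is a read-only check you can run before retrying the client. This is an added example written for this post, not Microsoft's or the SCCM product's own tooling; it assumes a domain-joined Windows host with read access to AD, and the site code and site server name are placeholders you replace with your own.

```powershell
# Added example, not from the post or Microsoft: verify the three AD prerequisites
# the post lists before retrying client site discovery.
# Assumptions: run on a domain-joined Windows host with read access to AD;
# $SiteCode and $SiteServerName are placeholders for your own site.

$SiteCode       = 'P01'     # placeholder: your Configuration Manager site code
$SiteServerName = 'SCCM01'  # placeholder: site server computer account, without the trailing $

$domainDn    = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$containerDn = "CN=System Management,CN=System,$domainDn"

# 1. The System Management container must exist.
if (-not [ADSI]::Exists("LDAP://$containerDn")) {
    Write-Warning "Missing container: $containerDn (create it under CN=System before enabling publishing)"
    return
}
$container = [ADSI]"LDAP://$containerDn"
Write-Host "Container found: $containerDn"

# 2. The site server's computer account needs rights on the container and its children;
#    without them publishing fails and clients still cannot discover the site.
$siteServerAces = $container.psbase.ObjectSecurity.Access |
    Where-Object { $_.IdentityReference.Value -like "*\$SiteServerName`$" }
if (-not $siteServerAces) {
    Write-Warning "No ACE for $SiteServerName`$ on the container; grant it Full Control (this object and all descendants)"
} else {
    $siteServerAces | Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType | Format-Table -AutoSize
}

# 3. Publishing must have produced site and management point objects (object classes
#    added by the schema extension). These are what the client's Discover button looks for.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
$searcher.Filter = "(&(objectClass=mSSMSSite)(mSSMSSiteCode=$SiteCode))"
$site = $searcher.FindOne()
if (-not $site) {
    Write-Warning "Site $SiteCode is not published; enable AD publishing for the site and wait for the next publishing cycle"
} else {
    Write-Host "Site object published: $($site.Properties['name'][0])"
    $searcher.Filter = "(&(objectClass=mSSMSManagementPoint)(mSSMSSiteCode=$SiteCode))"
    foreach ($mp in $searcher.FindAll()) {
        Write-Host "Management point published: $($mp.Properties['mssmsmpname'][0])"
    }
}
```

The script deliberately only reads; fixing a missing container or ACE is an administrative change you should make through the documented steps (the TechNet links above) rather than from an ad hoc script, so that the permissions end up exactly as the product expects.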


vPro radio was live this morning and our topic was on SCE/SCOM and vPro support through the vPro Management Pack. Matt Royer joined us alongside one of the original developers (Nachman Israel) to discuss the use cases, the market focus, and more!


Visit Open Port Radio or Stream this Show Online



In today's world we want top notch security to protect our lives. Our computers hold a cornucopia of our information that, if lost or stolen, would be detrimental to our livelihood, so we need to do all we can to make sure our information does not end up in the wrong hands. Companies have to ensure that private information is protected from malicious attacks by people who are trying to make a quick buck, get revenge, or whatever latest motivation tomorrow's hacker may have (just ask around at DEF CON 16 to find some motivations). For me, security is a big issue, so I want to dive into this one a little early compared to some of the other topics that I will get into.






Intel vPro addresses these concerns with the chipset (a tiny processor on the motherboard) and processor features along with the capabilities of Active Management Technology (AMT). I have been reading several whitepapers on the subject this last week, and have learned a lot about the security system that vPro provides.









As I understand it, vPro has three layers of security:





  • Filtering threats and isolating PCs

  • Nonvolatile memory and third party data storage for software agents

  • Virtualization and Trusted Execution Technologies





Filtering Threats (the tiny guard dog)









vPro can identify threats before they reach the Operating System (OS) by inspecting the network traffic to your computer. When something looks fishy, IT can isolate your computer quickly, and use the remote management features of vPro to fix your computer. After your computer is working again, they then restore your connection, and all is well with your system. IT can specify that certain system agents stay active, and if these are disabled (either by you, or by bad software), they can fix it without corrupting the system. The vPro hardware filters are programmable and watch the characteristics of the traffic that comes in and out of the OS (it doesn't know that you're writing an email to a long lost friend - but it does know if your system is trying to infect the rest of the network). When a problem has been identified, IT has the ability to flip a "switch" and limit your network connection so that only they can access your computer (and you no longer pose a risk to the rest of the environment).
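To make the "watches the characteristics of the traffic, not the content" idea concrete, here is a software model of the kind of check such a filter applies: it never looks at payload, it only counts how many distinct hosts a client reaches in a short window, which is what a worm-like spread looks like from the outside. This is an added example written for this post, not Intel's filter implementation; the flow records are constructed sample data and the thresholds are assumptions you would tune for your own network.

```powershell
# Added example, not from the post or Intel: a software model of a traffic-characteristics
# check in the spirit of the hardware filters described above. It never inspects payload;
# it only counts distinct destinations per source inside a sliding time window and reports
# which client an operator (or a hardware breaker) would restrict to management traffic.
# The flow records are constructed sample data; thresholds are assumptions.

$flows = @'
Time,SrcIP,DstIP,DstPort
09:00:01,10.1.5.20,10.1.9.4,445
09:00:05,10.1.5.20,10.1.9.4,445
09:00:09,10.1.5.20,10.1.9.7,80
09:00:02,10.1.5.31,10.1.5.40,445
09:00:02,10.1.5.31,10.1.5.41,445
09:00:03,10.1.5.31,10.1.5.42,445
09:00:03,10.1.5.31,10.1.5.43,445
09:00:04,10.1.5.31,10.1.5.44,445
09:00:04,10.1.5.31,10.1.5.45,445
09:00:30,10.1.5.31,10.1.5.46,445
'@ | ConvertFrom-Csv

function Get-IsolationCandidates {
    param(
        [object[]]$Flows,
        [int]$MaxDistinctDestinations = 5,   # assumption: tune per environment
        [int]$WindowSeconds = 10             # assumption: tune per environment
    )
    $candidates = @{}
    foreach ($group in ($Flows | Group-Object SrcIP)) {
        # Oldest first, so each step only has to look back at earlier flows.
        $sorted = @($group.Group | Sort-Object { [datetime]::ParseExact($_.Time, 'HH:mm:ss', $null) })
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end   = [datetime]::ParseExact($sorted[$i].Time, 'HH:mm:ss', $null)
            $start = $end.AddSeconds(-$WindowSeconds)
            $recent = @($sorted[0..$i] | Where-Object {
                [datetime]::ParseExact($_.Time, 'HH:mm:ss', $null) -ge $start })
            $distinct = @($recent | Select-Object -ExpandProperty DstIP -Unique).Count
            if ($distinct -ge $MaxDistinctDestinations) {
                $candidates[$group.Name] = "reached $distinct distinct hosts within $WindowSeconds s (ending $($sorted[$i].Time))"
                break   # one verdict per source is enough
            }
        }
    }
    return $candidates
}

$verdicts = Get-IsolationCandidates -Flows $flows
foreach ($src in $verdicts.Keys) {
    # A hardware breaker would now restrict this client to management traffic only;
    # here the decision is just reported for the operator.
    Write-Host "ISOLATE $src : $($verdicts[$src])"
}
if ($verdicts.Count -eq 0) { Write-Host 'No client exceeded the fan-out threshold' }
```

With the sample data, 10.1.5.20 talks to two hosts and is left alone, while 10.1.5.31 touches six distinct hosts in a few seconds and is flagged. The point of the design is the one the post makes: the decision rests on connection shape (fan-out and rate), so the filter needs no knowledge of what the packets carry and keeps working when the OS is compromised or hung.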









Nonvolatile Memory and Third Party Data Storage for Software Agents









Ok - that's a mouthful!!! What is a third party software agent? A third party agent would be a piece of software which runs on your computer to make sure things are working well (thin firewall, antivirus, or any of those hundreds of little icons on the taskbar). These software agents can store information in the nonvolatile memory (memory that stays around when the computer is powered off), and then remote applications can read or update this information even when the computer is frozen or turned off. Other information which can be stored in the third party data storage can be anything from system configuration (making sure someone hasn't compromised your system) to how many times you booted your computer without having the keyboard plugged in... By knowing this information, the security experts in the world are able to help ensure your cornucopia of information stays safe! For example, let's say your virus scanner stored information about how up-to-date your protection is; the IT department can check this information and figure out if your system needs updating (even when the computer is turned off).









Trusted Execution Technology and Virtualization









This, I feel, is the most interesting. It is a simple but complex thought. With vPro, servers can access any vPro enabled computer. With virtualization, the computer is now able to run multiple OS environments at the same time. If you were to run two operating systems on the same computer, you can layer the access to core parts of the computer and in turn increase security. With Trusted Execution Technology (TXT), programs can execute in a secure memory space that other programs are not allowed to modify - done at the hardware level, making it much safer.









What other things would you expect for security? Post it!
















The BriForum Experience: Through the eyes of the intern







“The Intern’s” Understanding vPro: Chapter 2-What is it used for/ why should I use it?



I am sitting here contemplating what does ECMF have to do with me?






Lately I have been really into the future of virtualization. The concepts that I have been learning in school really didn't sink in until I was thrown into it. It's funny how that works. I am not saying that you wouldn't learn anything from getting a higher education. I am not saying that; you learn a lot. But what I am saying is that some people's passion goes beyond what you learn from books. I can go to a French class every day and learn the language. If I go to France, then I can learn the culture and the language. What I am talking about here is Immersive Studies in Virtualization!







One trend that has become clear to me with all the cool hardware I get to see in my internship at Intel is that the hardware gets stronger while the size and power requirements get smaller - and this is not going away. But one thing we have to realize: there is always going to be the equipment no matter what, and that equipment is going to have more and more features for us to pound on. Virtualization has been my new love, and not just for server consolidation; application and desktop virtualization are the next killer ideas. The concept really sunk in after a few talks with Jason Davidson (my guide through the galaxy, you are my virtualization 42!) and also during the BriForum (I am still on a high from that one!!).







In my other blog series on the vPro Expert Center, I am on a journey of learning vPro (links), and feel like intellectually I am on a roller coaster ride of knowledge. Now that I am on this virtualization roller coaster I have to wonder how wild and crazy this ride will be - am I going to get off it alive? Application and desktop virtualization I believe will soon start to take over our lives.







As this old Commodore 64 advertisement below portrayed...25 years ago, people wanted to be the "movers of this world" with the power at their fingertips. This was typically used to simply play games and create a few documents. Now, 25 years later, the world has changed - we have mobility, we still have fun, but we stay connected. Yet, we are still on this ride of looking for the next faster, smaller, cute, reliable, and fun, device - it almost has to be our non-emotional twin.










The computer reflects who we are as a person. The applications on our systems fit how we like them. Is it going to come to a point where we can just think of what we want and the computer will know automatically what it is? (I guess that's what Google is for, but you still have to type it out.) It's getting to the point where we won't need to have the computer in front of us. We will be able to talk into a "Bluetooth" type deal and all the information will come up on a mobilized screen in front of us. (Huh, okay, nobody take that idea, I am going to go out and patent it right now!) A great reference is the video about St. Agnes Academy. (Check it out on Jason Davidson's area: St. Agnes Prep School use Emerging Compute Models with Video.) Will the operating system become less important, and provide just the basics we need to launch any application in a virtual environment - an environment that we can have upgraded & managed with ease? Will future computer users never install applications - but simply click the icon to launch them and boom, you have it? How easy is streaming going to make things?







Add to this the vPro features and I can see a day when IT doesn't have to physically be in front of your computer to diagnose or fix it, and when it is broken you can migrate to a new one with some simple streaming...







Pretend for a moment that you had the opportunity to come up with anything in the world, anything at all. You had all the equipment and can make anything. What would be your item that you would make to revolutionize this world?



In prior posts I shared out the CIRA (Client Initiated Remote Access) technology.  Since the release is coming closer it's time to start talking about what this means for the IT shop and what the exact touch points are.   Here is a quick flow that shows the touch points, which highlights this new MPS (Management Presence Server), which sits in your DMZ and acts like a proxy between the client and the management console.   This is that final mile of connecting your notebooks when they are out of your corporate enterprise.   I listed out the limitations in my last post that I reference below.


(note:  Thanks to Kyle in Brand Promise Validation for this great flow..)





Here are the prior posts on CIRA

Client Initiated Remote Access - vPro in 2008 - IDF


Here is the Centrino2 one stop shop wiki

  Centrino 2 vPro -  One Stop Shop Wiki



I'm working on posting a video to showcase CIRA and also will be looking to post who supports this capability in their console.


Our topic will be around SCE/SCOM and vPro support through the vPro Management Pack. We'll have Matt Royer alongside one of the original developers, Nachman Israel, to discuss the use cases, the market focus, and more! Tune in live!

Date: 7/14/2008 9:30 AM Call-in Number (Listen live!): (347) 326-9831

Visit Open Port Radio or Stream this Show Online



In case you weren't aware...vPro Expert Center's BlogTalkRadio is hosted by Josh Hilliker, Russ Pam, and Jeff Torello. This bi-weekly informal show, produced by me, covers a variety of topics and is a perfect avenue to get your questions answered. Listen in live, give your two cents, or just download the show after it has aired. Make sure not to miss out on this awesome opportunity to learn and engage with the vPro experts. Can't join us live? Have no fear, BlogTalkRadio lets you listen to the show whenever you have the time. Visit the Open Port Radio site (link is above) to hear previous shows and even catch a glimpse of what's to come!

Community Members,


I can't tell you how excited I am to share this with you as I have been waiting awhile to showcase more about CIRA & what is coming in Montevina from a vPro stand point.  I remember awhile back I was asked by a group of students if this capability would exist like this in the future & finally I can showcase more of the pieces of the puzzle to the world.  For the folks out there that asked me about this & I just smiled.. well.. here's more of the puzzle..


Here is the AMT 4.0 (Cira, Montevina) Platform User Guide that explains the MEBx settings in detailed screen views.  

Intel(R) Management Engine User Guide (Intel(R) AMT 4.0)


Also here is my first post on CIRA about what it does in picture format.

Client Initiated Remote Access - vPro in 2008 - IDF


If you have any questions let me know & hopefully soon to follow will be a YouTube video to show off these new capabilities of the new mobile platform.


Please watch out for this new platform to hit the news wire in the near future.....


NOTE: If you have not read parts 1 through 3, please read these before reading this part as this is a continuation of the story begun in the previous sections. Altiris and Intel vPro Use Cases







Security is only as tight as the weakest link in your environment. More often than not it's internally where the security holes are created, either inadvertently from carelessness or intentionally from a disgruntled or disillusioned employee. The hardware and software security can be top of the line, but if the human factor doesn't adhere to policy, it may not make any difference. This part follows the IT team for Mighty Modern Marketing as they try to track down a security hole where productivity is taken down through the very tools used to defend and manage the network.





Mighty Modern Marketing HQ - Boston, Massachusetts

Somehow the air inside the building congealed hotter than the heavy, humid swelter wallowing outside. Tevita, sweat running down the sides of his face, fanned himself with an empty binder. He stared at his screen, the image thereon frozen.


"I think one of the servers seized up," he said. Jessica Langley glanced at her Remote Desktop window. The previously blinking text icon in the script she edited no longer blinked, and as she watched the disconnected icon appeared, the remote screen graying-out. She closed it with a quick click of the white on red X.



She took a long drink of water. "If they don't fix the AC soon, I'm going home," she announced.



"They'll have it up soon. Besides, it's never been so quiet here. I only have one system running, and I think I'm approaching something like Zen. Either that or I'm about to pass out."



"Any more missing application tickets?"



Tevita groaned. "Oh yeah. Five so far today. It's like the uninstall faerie ran around randomly touching computers with her magic star-wand. I've taken care of it."



Jessica stood, feeling sodden. "Thanks. I'll check on Bobby to make sure he hasn't suffered from heat stroke."



The server room actually felt cooler despite the cacophony of running servers that reminded her of the sound and feel of a jet engine escalating towards takeoff. Somehow Bobby had created a wind tunnel with large fans, and she felt her hair whip away from her as she stepped directly in the wind's path. She shielded her eyes and walked to the developer's cube area. The pull of the moving air seemed to try and yank her off her feet by her dress-suit jacket. She folded her arms as she stepped into the relative stillness of the cube.



Bobby looked like a wilted plant. He looked up, and sighed. "What, IM down again?"



"Of course not," she responded with a smile. "You holding up in here?"



He shrugged. "I'll survive, though it reminds me of Phoenix, Arizona, except here it's like standing in front of a vat of boiling water. Phoenix is like standing in front of the open door to a blast furnace."



"The SQL Server locked again."



Bobby nodded. "I did a hard reset just a minute ago. I had to open the case and point a fan right at the CPUs. I think it'll stay up this time."






Bobby shrugged again. He looked back at his screen, then back up at her. "You need something else?"



"Not really. You want to go to lunch with Tevita and I? The local Italian place has great AC."



"No, I'm good. My lunch cooked itself in this heat, so I ate already."



"Alright. See you later."



When she returned Tevita still sat in front of his computer, sweating profusely. He looked up as she passed by, a frown on his face.



"The facilities guy just passed by," he said as she sat down. "He says someone deliberately messed with the AC. He's fixed and says it'll be up and running any time now."



"Someone sabotaged the AC?" she inquired.






She sighed. "Just when I thought we were done with the underhanded antics."



Tevita nodded. "The AC guy put thick padlocks on all the control panel cases. Too bad we don't have any way to track who goes in and out of that room. A magnetic badge reader would work."



The next hour passed in receding misery as the AC kicked on and began liberating the employees in Mighty Modern Marketing's Headquarters from oppressive heat. Jessica checked the Altiris Notification Server logs, ignoring the SQL errors for the times the SQL server seized up. Except for an occasional error where an event arrived for a package already deleted from the Notification Server, the logs looked clean.



"Mrs. Langley," Edgar's dry tones greeted.



Right on cue, she thought. Despite the heat things had been going too smoothly. She turned around and stood.



"Hello Edgar."



"I wanted to let you know that the budget we set aside for the mess with New Nifty Networks is on target, thanks to everyone's diligence," he said, eyes briefly moving down to the papers clasped in his hands. "We've even been able to devote some resources to Legal. It won't be long before we can put this whole ordeal behind us."



Tevita rolled over in his chair. "What, and I've done nothing?" The expression on his face and tone of his voice took away any sting of the words.



"Both of you have performed exceptionally," Edgar said, shuffling the papers in his hands. "Though it's not official, I believe you will both receive merit increases for your performances."



"You're kidding!"



"I do not kid, Mr. Tatafu."



"So be honest, was it hard to allow that through?"



The barest hint of a smile touched the corners of Edgar's thin lips. "Yes, adding my approval felt much like pulling out stitches. Now don't you both have work to do?"



He shuffled away, his posture a little bent.



Tevita gave Jessica a thumbs up. "Ha! So some good is coming from this whole competition nightmare."



"Perhaps," she said noncommittally, having trouble suppressing a smile. "It's not over yet, not until this school-friend of Mr. Johnson's finally gives up. I'm hoping it happens soon so we can go back to normal."



"Normal?" countered Tevita. "When is IT work normal? It changes faster than the seasons."



She opened her mouth to respond when her telephone rang. The caller ID noted Johnson. She quickly picked up the handset.



"Mighty Modern Marketing, this is Jessica," she greeted as cheerily as she could.



"Jessica, this is Mr. Johnson," greeted the CEO. "Can you please come up to my office immediately? We have a sensitive matter to discuss."



"Of course. I'll be up right away."



"Please have Tevita join us as well. See you in a minute."



"Will do. Thanks. Bye."



When she looked up Tevita had his day planner in one hand, the other locking his computers.



"Ready for lunch?" he inquired.



"Change of plans," she said, rising. "Mr. Johnson wants to see us in his office immediately."



Tevita stared at her for a moment, then tossed his planner onto his chair, a wry smile twisting his mouth. "Wonderful. Somehow even though everything he says sounds enthusiastic and wonderful, we end up with a pile of work."



"Job security," she responded.



The CEO's office, remarkably, looked very much like the other offices in the entire building. She glanced through the window on the door, then knocked politely. Mr. Johnson, looking as refreshed and lively as ever, waved her in. The building continued to cool, but still hovered near eighty degrees. Though she felt sweaty and rumpled, Mr. Johnson appeared completely unaffected by the heat, his hair perfectly combed and his clothing pressed and clean. He smiled warmly as they sat down in the two chairs set before his desk.



A man sat next to him, and though she knew she should know who he was, she couldn't place his face in her memory.



"Thank you for coming up so quickly," he said, rising to shake their hands. "This is Dan Williams, Chief Security Officer."



She said hello, shaking Dan's hand. Funny how she knew the name so well from countless emails and conference calls. She felt she knew him despite only seeing him on rare occasions, all from electronic or audio correspondence. Somehow she'd never put that voice with this face.



"Jessica, Tevita," he said in way of greeting in that familiar voice. "We need to meet more often, especially with how much I depend on both of you."



"Definitely," Tevita responded as he sat down.



Jessica had trouble controlling a laugh that threatened to escape. "Mr. Williams, you don't look like I imagined."



Dan smiled, amusement dancing in his eyes. "What did you think I looked like?"



She blushed. "Well... you sound like Chuck Norris. But you're more like..."



Mr. Johnson started. "Chuck...?" He burst into laughter. Tevita's booming laughter joined in as Dan's smile grew wry. Jessica wondered if someone could faint from embarrassment, and imagined she looked as red as a tomato.



"Sorry, I like yoga, but not much of a martial arts guy," Dan said, trying not to laugh.



"Alright," Johnson said with a deep calming breath. "Without further preamble, I'll let Dan discuss the situation."



Dan nodded. "As you are well aware of our situation with our friends over at New Nifty Networks, what I'm about to show you shouldn't come as much of a surprise. We have a plant."



"A plant?" Tevita inquired. "Like a house plant?"



Jessica covertly elbowed him in the ribs as he chuckled.



Dan continued, undaunted. "Someone here is feeding information to our competitor. We're tracking this using email, etc, but the trail is long and convoluted. We think this spy, for lack of a better term, is also sabotaging our business here. While we're pretty sure he or she disabled the air conditioning, we don't have enough data to even begin to narrow down who it could be. There are other things happening that I believe you'll be able to help us with.



"You see, we believe he's somehow obtained access to your management tools. We've had increased cases where vital software has been mysteriously uninstalled from systems."



Jessica exchanged a look with Tevita. "We have had a large amount of emergency software deployment tickets," she said.



"The tickets always say the shortcut is missing," Tevita added.



"Exactly," Dan continued. "Depending on the user, this can severely hamper our productivity. Since some of the computers are locked behind office doors I'm assuming they're using management software to accomplish this. Is Altiris capable of this?"



"Yes," Jessica answered. "However you need rights to do anything."



"And that will be to our advantage. Please look through any auditing or logging done by Altiris and see if you can figure out how this individual is uninstalling applications, what credentials he or she is using. Any evidence or data you capture please forward to me."



"We will," Tevita responded.



Back at her desk, Jessica pulled up the Altiris Console. Events would allow her to see if any Software Delivery or similar jobs had been scheduled to run on the affected systems. They had uninstall programs set up for most of their managed applications. She browsed in the Altiris Console under View, Solutions, Software Delivery, Tasks, Windows, Software Delivery Tasks. The first task she chose uninstalled their accounting software, one application the spy, or whatever he or she was, liked to target. She did a quick scan to ensure no new tasks showed up.



She clicked on the Status tab. Once the tab loaded she used the dropdown labeled, "Display computers on which this task ran:" to set it to "All". Once the grid loaded she clicked on the top of the "Attempt Time" column to sort by date, and looked at the last week's runs. Only three showed up, and all of them had been scheduled by either her or Tevita.



"Any luck?" Tevita asked, his head rising above his cube's wall.



"Nothing yet. I guess it's possible they created a task and then deleted it after each execution."



"Yeah, but there's an ItemDeleted table that we can look at to see if that's occurred."



He walked into her cube and sat down on the spare chair. He used her secondary system to open SQL Enterprise Manager and launch a query window. He used the query:



SELECT ItemName FROM ItemDeleted
WHERE ItemName LIKE '%Accounting%'
AND ItemClassGuid = 'D922981C-B8E7-40EE-B6BD-1E6CB354C9FE'



"This class-guid here represents Software Delivery Tasks," Tevita explained as he ran the query. "Nope, nothing. Let me try one more query, this one more generic..."



SELECT * FROM ItemDeleted
WHERE ItemClassGuid = 'D922981C-B8E7-40EE-B6BD-1E6CB354C9FE'
ORDER BY DeletedDate



"Okay," he continued. "I don't think he used Software Delivery. I don't see any Tasks deleted recently enough to account for all the uninstalls reported."



Jessica nodded. "Hmm. If he didn't use this, then the only other two options I can think of are Deployment Server and Task Server."



Tevita smiled. "No chance with Deployment Server. I've changed the management credentials recently and blocked everyone else out. Since only you and I use it, I figured with all the security stuff going on I'd better be safe, not sorry."



She blinked. "I didn't know you'd locked... I guess DS is your baby."



"You know it. So, do you think Task Server could really be it? Wouldn't he need to know scripting?"



"Not necessarily. There's a ‘Deliver Software' task available that can run any Package-Program we have available in Software Delivery. Let me look through here... I don't see any Jobs or Task Server tasks that reference the uninstall program. The ItemDeleted would have deletions if he'd done that. But you used the standard Software Delivery Tasks, right? Can you do one for Task Server Tasks?"



Tevita scratched his chin. "I think so. In fact we don't delete things that often. Let's try this..."



SELECT * FROM ItemDeleted
ORDER BY DeletedDate



"Okay. A few deletions, but they all look straight-forward. Computers purged, a couple of Software Portal Requests... but nothing that looks like a Task Server task. Wait... what's this? Bobby deleted a task named WOfW? This was last week. If I didn't know better, I'd say he's been playing with Software Delivery and Worlds Of Warcraft."



Jessica grinned. "You think he wants to roll it out company-wide? I can see it now. ‘Productivity hits an all-time low, though the average level of Mighty Modern Marketing exceeds fifty'!"



Tevita laughed, pointing at her. "I didn't know you knew enough about gaming to make a joke like that!"



"Right. Like you don't bring it up every week. It was bound to rub off on me at least a little."



"This looks clean. That doesn't make sense. Perhaps Dan's wrong, and whoever's responsible for this isn't using Altiris."



Jessica shook her head. "He's right, I don't think this could be done at this rate any other way. Either they're using a different method, or they have intimate knowledge of Altiris."



Tevita leaned back, looking up at the ceiling. Jessica placed a fingertip on her lips, thinking furiously. If Software Delivery and Task Server weren't used, as the evidence suggested, what other method could you use to remove software? They planned on using PC Anywhere for remote control, but it wasn't up and running yet in the Altiris environment. Tevita used the simple Remote Control feature in Deployment Server, and she still used Carbon Copy. She'd disabled access to it in Altiris and used the stand-alone product that only existed on her system for security reasons. Could they have a rogue copy of Carbon Copy installed...?



"What about vPro?" Tevita inquired abruptly, interrupting her thoughts.



"Serial-Over-LAN doesn't work in Windows currently," she responded. "No other remote application abilities... it's really considered an out of band management interface."



"Yeah, but if you built a remote tool into an ISO, using IDER, couldn't you use that?"



"In theory, yes... In fact if you ran an IDE redirect with something like that you could do whatever you wanted to the system."






Jessica smiled. "And we have an actual activity log."



In the Altiris Console she browsed in View, Solutions, Real-Time Console Infrastructure, Tools, and clicked on "Activity Log". She scanned down the entries.



"Well, well," Tevita said, leaning forward. "Our friend has been busy."



The icon showing a redirection session looked like two plugs plugged together. The other pertinent columns were Client: which computer, by IP address, is being accessed; User: what credentials were used to execute the action; Host: the hostname of the destination computer; Description: the path to the ISO; and lastly Technology: what method was used. Multiple RTSM sessions showed a redirection to an ISO labeled RemoteControl.iso. The path led to a UNC share.



Jessica pulled up the contents. "Jackpot."



Tevita shook his head. "Too easy. If they know how to create ISOs of that nature and use RTSM to deploy them, did they actually think there wouldn't be some sort of logging?"



"I don't know. RTSM is unique in that it isn't dependent on an agent at all, so there is no logging client-side. Still... perhaps whoever's doing this didn't create the ISOs and is just in charge of running it. And we aren't done yet. Note that the user is listed as admin on all of them. This means he or she is using the AMT credentials available on all systems."



"Oh. Can't exactly blame the invisible AMT admin..."



"No, but we can change the password easily. Before I do that, I'll send Dan the information on the share. That share should have some sort of user footprint his team can get to."



She quickly sent the email with all the information. She explained that she would change the admin password so that this rogue user could no longer use this method. After sending it she browsed in the Altiris Console to View, Solutions, Out of Band Management, Configuration, Provisioning, Configuration Service Settings, and selected Provision Profiles. She double-clicked on the profile they used for all systems. Under the Administrator Credentials section on the right, she selected the Manual radio button and changed the password. She clicked OK to save the changes.



Next she browsed back up to Provisioning, and into Intel AMT Systems, selecting the node Intel AMT Systems. When the frame loaded, she clicked the icon on the toolbar that looked like a system surrounded by green refresh arrows, labeled Re-provision. She hadn't selected any systems, so she selected the only live option, "All systems". She clicked OK to execute.



"That should do it," she said aloud.



"A re-provision?" Tevita asked.



"It's a simple way to send down the changes in a profile to the systems. It'll take some time to cycle through all the systems, but soon all systems will have the new AMT admin password set."



Tevita leaned back. "So we're done?"



"For now, unless you have any ideas for further tracking this guy...?"



The rest of the day proceeded smoothly, with only one more reinstall helpdesk ticket coming in. By the next day no new tickets had developed, and things had settled down to normal. Dan said he had enough to identify the perpetrator, but said no more on the subject.



He did say one thing very firmly. "All the security we can muster is worthless if those with the right privileges are not careful with their credentials."



Further, he requested they review their procedures concerning the AMT admin password. Was it written down anywhere? Did they ever say it out loud? Though neither knew how the password had originally been stolen, the increased care with which they handled passwords became a driving program within the company. Security was everyone's job.



At the end of the week, as Jessica headed away from Boston on the Redline Commuter Train, she hoped they'd seen the end of the targeted attacks, but in her mind she already looked through her current policies and processes to see where she could increase security.





End Part IV

Altiris provided not only an audit trail to track potential rogue usage of RTSM, but it also provided a very quick and efficient way to change security within AMT when somehow the credentials are compromised. Is this the end of the threats against Mighty Modern Marketing? Only time will tell.


So today I decided to put some of our vPro efforts out onto another website designed to aid the IT community. I re-created our "Known Issues" wiki as well as the "Tools for vPro and Centrino Pro" wiki on a vPro Expert Wiki. I wanted to make the expert center aware of this so that any of you can help out in our cross-linking efforts. Feel free to visit the vPro wiki that I have created over there and add whatever docs you think might be helpful. The wiki markup that they use is slightly different than ours, so let me know if you're interested and I can help explain it all to you.

Within SCCM there are two primary ways to provision a vPro client: the Import Out of Band Computers Wizard, and in-band provisioning with the Configuration Manager client agent. Because of its ease and automation, in-band provisioning with the Configuration Manager client agent is typically recommended; however, there may be cases where this method does not work because of your environment or business process. That may leave you with the Import Out of Band Computers Wizard as the only option for vPro client provisioning.


To provision clients with the Import Out of Band Computers Wizard, you must supply at a minimum the Computer Name, FQDN, and UUID for each vPro client you are trying to provision. Retrieving and entering this data by hand for a few vPro clients is fairly straightforward; however, if you are trying to provision a large number of vPro clients it becomes very time consuming. The Import Out of Band Computers Wizard lets you specify a comma-separated values (CSV) file that lists these required attributes. With this capability you can mass-import a large number of vPro clients to be provisioned; the challenge then becomes automating the retrieval of the Computer Name, FQDN, and UUID.


Example CSV File (screenshot)

Select Source - Choose Mapping (screenshot)

Select Source - Data Preview (screenshot)

Select Source - Summary (screenshot)



There are a variety of sources from which you could potentially pull this information, such as Active Directory, the local computer operating system, an alternate software inventory agent, etc. (your imagination is the only limitation).



For example, this UUID Resolver is an example utility that queries your Active Directory for computers, determines whether they are vPro capable, connects to the OS, and exports the Computer Name, FQDN, and UUID to a CSV file that can be imported through the Import Out of Band Computers Wizard; once the hello packet is received, SCCM will provision the vPro client (special thanks to Ariel Toporovsky for developing this example).



Another approach is to use a software agent or other remote execution capability to run a VBS or Perl script, an exe, etc. locally on each client, grabbing the Computer Name, FQDN, and UUID and copying the result to a remote share to be consolidated; from there it can be imported through the SCCM Import Out of Band Computers Wizard.
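The "grab it locally, copy to a share, consolidate" approach above, written out as an added example (not from this post, and not an SCCM or Intel tool): one PowerShell script with a Collect mode that each vPro client runs through your agent or remote-execution tool, and a Merge mode that runs once on the machine feeding the wizard. The share path and file names are assumptions; the header names are whatever you map in the wizard's Choose Mapping step.

```powershell
# Added example, not from the original post: collect Computer Name, FQDN and
# UUID locally on each client (Collect), then consolidate the per-client files
# into one CSV for the Import Out of Band Computers Wizard (Merge).
# Share path and output file are assumptions for the example.

param(
    [ValidateSet('Collect', 'Merge')]
    [string]$Mode      = 'Collect',
    [string]$DropShare = '\\oob-collect\uuid-drop$',   # assumed UNC share; give clients write-only access
    [string]$OutFile   = 'C:\OOB\import.csv'           # assumed path of the CSV handed to the wizard
)

function Get-OobClientRecord {
    # The three values the wizard requires, read from the local OS.
    # UUID is the SMBIOS system UUID (Win32_ComputerSystemProduct); it is the
    # same UUID Intel AMT sends in its hello packet, which is how SCCM matches
    # the hello packet to the imported record.
    $cs   = Get-WmiObject -Class Win32_ComputerSystem
    $prod = Get-WmiObject -Class Win32_ComputerSystemProduct
    $fqdn = if ($cs.PartOfDomain) { '{0}.{1}' -f $cs.DNSHostName, $cs.Domain } else { $cs.DNSHostName }
    New-Object PSObject -Property @{
        ComputerName = $cs.DNSHostName
        FQDN         = $fqdn
        UUID         = $prod.UUID
    }
}

function Test-UsableUuid {
    param([string]$Uuid)
    # Some boards report a placeholder UUID (all zeros or all Fs). AMT cannot
    # be matched on those and importing them creates bogus records, so reject.
    if (-not $Uuid) { return $false }
    $hex = $Uuid -replace '[^0-9A-Fa-f]', ''
    if ($hex.Length -ne 32) { return $false }
    if ($hex -match '^0+$' -or $hex -match '^[Ff]+$') { return $false }
    return $true
}

function Write-OobCsv {
    # Plain, unquoted CSV with a header row; the wizard's Choose Mapping step
    # maps these headers onto Computer Name, FQDN and UUID.
    param([string]$Path, [object[]]$Records)
    $lines = @('ComputerName,FQDN,UUID')
    foreach ($r in $Records) { $lines += '{0},{1},{2}' -f $r.ComputerName, $r.FQDN, $r.UUID }
    Set-Content -Path $Path -Value $lines -Encoding ASCII
}

function Export-OobClientRecord {
    # Stage 1 (on each client): one file per client, named after the client.
    # Many clients appending to a single shared file at once would corrupt it.
    param([string]$Share)
    $rec = Get-OobClientRecord
    if (-not (Test-UsableUuid $rec.UUID)) {
        Write-Warning ('Skipping {0}: unusable UUID "{1}"' -f $rec.ComputerName, $rec.UUID)
        return
    }
    Write-OobCsv -Path (Join-Path $Share ('{0}.csv' -f $rec.ComputerName)) -Records @($rec)
}

function Merge-OobClientRecords {
    # Stage 2 (once, on the admin box): consolidate the per-client files.
    # Deduplicate on UUID so a client that ran twice, or was renamed between
    # runs, yields exactly one import record.
    param([string]$Share, [string]$Destination)
    $rows = Get-ChildItem -Path $Share -Filter '*.csv' |
        ForEach-Object { Import-Csv -Path $_.FullName } |
        Where-Object   { Test-UsableUuid $_.UUID } |
        Sort-Object    UUID -Unique
    Write-OobCsv -Path $Destination -Records @($rows)
    return @($rows).Count
}

switch ($Mode) {
    'Collect' { Export-OobClientRecord -Share $DropShare }
    'Merge'   { '{0} client(s) written to {1}' -f (Merge-OobClientRecords -Share $DropShare -Destination $OutFile), $OutFile }
}
```

Run it as `.\Collect-OobClients.ps1 -Mode Collect` from the agent on each client and `.\Collect-OobClients.ps1 -Mode Merge` on the machine that will run the wizard. Two points worth keeping even if you rewrite this in VBS: the drop share should be write-only for clients, since whoever can edit those files can steer which UUIDs get provisioned, and the UUID filter matters because a batch of placeholder UUIDs will never match a hello packet and only clutters the out of band computer list.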



What else can you think of? If you have any thoughts or tricks on how to automate this, please post your ideas / examples in the comments. Thanks.






















--Matt Royer




If you have not read parts 1 and 2, please read these before reading this part as this is a continuation of the story begun previously.










From the OS level, vPro has tools to help quarantine and remediate compromised systems, as demonstrated in Part 2. This section explores the capabilities at the hardware layer, completely below the OS and any related dependencies. Can the IT staff continue to respond well to threats and avoid outages and risks to the business's well-being? When the gloves come off, sometimes even the most secure networks are vulnerable.





Mighty Modern Marketing HQ - Boston, Massachusetts

"This is Jessica, how can I help you?"


The voice that spoke through the headset caused her to flinch, and she moved the earpiece two inches away from her ear.



"This can't be happening now!" the voice exclaimed loudly.



"What's the problem?" she responded calmly, hoping the user would match her volume.



He didn't. "The timing is the worst possible, since the end of quarter is only two days away! I need my computer up and running two hours ago!"



"Let me see... I'm speaking to Mitch Cavanaugh, correct?"



"Yes," he responded, his voice dropping a trifle. "My computer isn't booting, and I have sales to approve and record. If I don't get this up quick, we may not be able to add this revenue this quarter!"



"I understand," she said as she used the Altiris Console under the All Computers Collection to find his computer. She double-clicked on it, bring up Resource Manager.



"I see you're using an HP 7800..." she began.



"I need this problem fixed pronto," he interrupted.



"Of course," she said, clicking on the ‘Real-Time' tab. "Give me just a moment."



She smiled, feeling a warmth from the fact that she'd made sure those with the most business-critical functions got the vPro systems first. The Real-Time tab loaded, revealing the function tree in the left-hand pane. She noted immediately that only the AMT functions loaded, and that the system's power state was on.



"I can see," she said when she heard a sound of irritation on the other line, "that while there is power to your computer, the operating system is not loading."



A pause followed her comment. "Really?" Mitch responded, the edge on his voice disappearing. "You can tell me that already? Usually I have to tell you IT people everything... that's great. So do you know what's going on?"



"Give me another moment," she said in her most pleasant voice. She clicked on the Hardware Management node in the left tree. After the page loaded, she choose the reboot radial under the Remote power management section. Under Redirection options she check the box, "Display task progress and remotely control computer". Next she clicked "Run Task Now". When the page began to refresh a new window popped up, showing her the boot of the computer.



"Wait, my computer just rebooted..." Mitch said, sounding suspicious.



"Yes, I just initiated a reboot," she responded. "I'm going to watch the boot from here."



"You can do that? I thought I had to be in Windows for that to work."



When the boot verified devices on the system she noticed that no hard drive was detected. The message "No boot device" appeared.



"Okay Mitch, the computer isn't recognizing the hard drive for some reason. Give me a moment to check a few more things."



"Is that fixable?" Mitch inquired.



"I don't know yet. Give me a moment."



She rebooted again, but also added the "Enter BIOS on startup" option by checking the box. The remote window reappeared, this time entering the BIOS. She looked under the IDE channels, but no hard drive was listed.



"Okay Mitch, I've determined that your hard drive isn't being detected at all by the computer. Since you have critical work to perform, we'll immediately image and restore your data to a backup system using Deployment Server and Symantec's Backup Exec. It should take about 30 minutes. Tevita Tatafu will bring it by then. It's about lunchtime. Can you take a short break?"



"Well... it is a little early for lunch, but that should work."



"Alright Mitch. Anything else?"



"No... I just hope the backup had all my files on it."



"It should."






She leaned back as she hung her headset by the phone. "Tevita?"



He swung out of his cube, a huge smile on his face. "Mr. Cavanaugh having problems?"



"Yeah," she responded.



"He's such a joy. Did you know he was the one who got impatient waiting in line at the vending machine so he ran to the nearest Dunkin Donuts, opening the door fast enough to knock Edgar flat on his back?"



"You be nice," scolded Jessica with a stern look. "He may have anxiety issues, but he's a spot on accountant."



Tevita laughed richly. "Spot on, eh? And what do you know about Accounting?"



"I got a Masters from University of Chicago's Graduate School of Business, in Accounting."



"You did?"



"Yes. Now don't make me a liar and get that machine to Mitch ‘pronto'."



Tevita laughed, but got up and headed to the equipment room. Jessica sorted through her email. She wanted to clear out her inbox but only halfway through the process Tevita returned, no longer smiling. His mouth bent down in a frown she rarely saw, and usually only when he was about to explode with anger. His eyes didn't seethe, but looked down at a computer in his hands. He sat down and rolled his chair over towards her cube.



"It really is missing the hard drive," he said, expertly using the buttons on the side to open the case. He pointed to an empty bay. "It should be in here, but... well... the IDE cable was cut, right here. Seems stupid, since they had to unscrew the drive, but..."



She stared at the empty bay. "Someone stole his hard drive?"



Tevita nodded. "It looks that way. Mitch said he only left to take a restroom break, and when he came back the system was off and wouldn't boot."



"This isn't good..." Jessica started to say.



"Guys!" Bobby said loudly, his voice piercing through the area like a gunshot. They both stood up, staring at the gangly developer loping towards them from the door to the server room.



"The sky must be falling," Tevita said, but despite the amusement in his voice his mouth only twitched once in an upward smile.



"What's wrong?" Jessica asked.



Bobby took a deep breath. "It's a ninja. I swear by my grandma's heirloom earrings that a ninja just showed up in the server room!"



"A ninja!!?" Jessica exclaimed.



Tevita looked down at the computer he held. "Bobby, that's not funny..."



Bobby threw his hands up. "You know I don't have an imagination, or much of a sense of humor. Didn't you used to call me Cardboard Boy?"



"Yeah, but I stopped after you randomly locked out my user account at the worst possible moments..."



"I'm not kidding."



Jessica, feeling like she'd just stepped off a rollercoaster, reached out and put a hand on the wall. "Bobby, you mean to tell me there's a ninja loose in the building?"



"Well.. no. He's lying unconscious in the server room."



Tevita gave her a quick look, then bee-lined towards the door to the server room. Jessica wanted to run the other way, but Bobby gave her a helpful shove on the back towards the room. She glanced behind at him, and he blushed.



"Sorry, but the more witnesses the better."



The figure sprawled out on the floor clutched a hard drive in his black-gloved hands. He didn't look like a real ninja, but a black ski mask that looked similar to a ninja wrap covered his face. A goose-egg on his forehead the size of a golf ball, halfway hidden by the mask, seemed to say loudly why he wasn't conscious. Jessica found herself staring, her mouth hanging open and her hand moving up to cover it.



"Oh my gosh," she said, her voice embarrassingly high-pitched. Her heart hammered in her chest as if she'd just jumped off a cliff



Tevita gave Bobby a searching look. "Do you know martial arts or something?" he asked.



"No. I thought I heard something while I was bringing back the two new demo laptops, so I went to check it out. When I saw him, I just reacted."



"What did you do?"



"Well... I had a MacBook Air in my left hand, and a Panasonic Toughbook in the right. The MacBook might be thin enough to decapitate a ninja, but more likely it would have bounced off his skull without slowing him down, so I threw the Toughbook."



Tevita reached out with his toe and nudged the intruder.



"We should leave and call the police," Jessica said, edging towards the door.



"He's out cold," Tevita said, reaching down to pick up the Toughbook. The screen gleamed beautifully, no sign of damage despite being used as a blunt weapon. "Too bad these aren't vPro yet," he said.



"I called the police," Bobby said. "They should be here soon."



The next half-hour moved as if in a dream. Jessica felt like she'd stepped out of the real world and into some crazy movie. Slowly the facts of the intruder came to light, and like wiping away the mist on a foggy window things didn't seem as ridiculous as they first seemed.



The man had been hired to steal a specific hard drive. He was fully cooperative with police, apologetic for getting caught and worrying everyone. He indicated he wore the mask not as an intimidation method, but to remain incognito to security cameras. The police cuffed him and off he went, leaving everyone standing there in disbelief.



"Is that Mitch's hard drive?" she finally asked Tevita, who had retrieved the hard drive the "ninja" held.



Tevita pointed to the connector of a cut IDE cable sticking out the back. "It looks like it..."



Bobby took the drive, hefting it, his small eyes squinting. "No, this is a RAID drive. He ‘raided' a server..."



Jessica stared at him as he chuckled. Tevita stared for a moment, and broke into a wide grin.



"And you say you have no sense of humor," he said with a laugh.



"My Dad told me puns don't count," Bobby responded.



"What about the data on Mitch's hard drive?" Jessica inquired. "I know he had confidential, sensitive information on it."



Bobby shrugged. "Nothing we can do about it unless we can find it. It wouldn't be the first time."



She shook her head. "Too bad vPro doesn't have disk encryption yet. I know they're working on it."



Bobby's head perked up. "vPro with disk encryption? Nice."



The receptionist motioned to Jessica, and she walked over.



"Mr. Johnson has called a meeting in the executive briefing room," she explained, a phone held between her ear and her raised shoulder. "He says it's urgent, but not to worry."



"Not to worry," she echoed, feeling a surreal sense of amusement at the statement. "Right."



She rounded up Tevita and Bobby and they headed upstairs. The executive briefing room was flooded with light, with the impeccable CEO standing by the floor-to-ceiling window showing the bottom half of the skyline of downtown Boston. He smiled casually, his hands clasped behind his back. When they'd all entered and sat down, he turned around, his smile widening.



"The mighty defenders arrive," he said. "I had a call from Mitch Cavanaugh concerning your ability to quickly resolve the theft of his hard drive. I commend you on a lightning-fast response. I can tell by your expressions that you're a bit shaken."



He paused, the smile abating. "Let me assure you that we are permanently stepping up our security. I blame myself for not taking steps against blatant thievery. I guess I'd hoped my former colleague had gotten past that type of criminality."



Bobby raised his hand, and Mr. Johnson gestured at him. He cleared his throat, folding his skinny arms.



"So don't we have enough evident now to get the police involved?"



Mr. Johnson shook his head. "No, and even with the thief in hand I doubt they'll be able to link this to New Nifty Networks. For all we know this isn't related to them, though our situation and the probability point in that direction. No, we won't be making any effort to link the thief with Nifty. Your job is to continue tightening our security.



"First, let me commend you, Tevita, for your mastery of providing mirror systems to people when theft occurs. Second, I commend you, Bobby, for always delivering when issues arrive. Lastly, I commend you, Jessica, for your insistence on vPro. I know Edgar and others have given you are hard time about it, but it seems you prove it's worth daily."



"Thank you," she said.



"Our next step is to find out if any other systems have had their hard drives stolen. I'll leave this task in your capable hands. If you have any questions or concerns, please come see me in my office."



As quickly as the meeting started, it ended.



When they reached their cube area, Tevita didn't sit down at his, but followed her into hers. He stared at the Altiris Console idling on her screen, his arms folded and his expression pinched in thought. She sat down, eyeing him, as she reached for her keyboard.

"Let me guess," Tevita said, "you already have a plan?"



She let her hands fall into her lap. "Well... yeah. It shouldn't difficult to find out which systems no longer have HDDs even if the systems have been off for a while. I just..."



Her voice faded away. She stared at Tevita, trying to sort through her emotions.



"You're freaked," Tevita offered.



"No... well... yeah. I kind of am. Cyber attacks are one thing, but Bobby's ninja..."



Tevita retrieved his chair from his cube, sitting down and leaning back at the entrance of her cube. "With computers thieves usually only break into places for the hardware. Some of the servers Bobby runs cost more than a new BMW. Stealing the hard drives means they're after data. It's really no different, except we're using software to block software attacks, and we use guards, locks, and other such things for the hardware attacks. You heard Johnson. I don't think you have to worry."



She sighed. "We should get occupational hazard pay. I'll get over it, though I may bring pepper spray tomorrow."



"That'll work."



She cracked her knuckles by clasping her fingers and pushing her arms out. "Let's get into this. First off, we can't rely on Inventory Solution to know if the hard drive is there or not, since the OS obviously has to be up and running to get an updated Inventory. We might be able to use the Altiris Agent's last check-in time to note those systems that are no longer reporting, but that won't tell us if those machines are simply off or something similar."



Tevita nodded. "Fun. Without the hard drive we have no manageability capability."



"Except for the one thing that runs outside of the hard drive."



"Intel vPro."



"Exactly. All capabilities are still available even when the hard drive's been yanked."



"So we can use RTSM to remote into those systems not responding in Altiris using Serial-Over-LAN to see if the hard drive is there, like you did for Mitch."



Jessica nodded, smiling. "That would work, but I have a faster, much easier way."



Tevita rolled closer as she put her hand on the mouse and started using the Altiris Console, his eyes focused on the screen. "I like easy," he said.



She browsed under Manage and clicked on Jobs. When the left-pane tree loaded, she browsed under Tasks and Jobs, Server Tasks, Real-Time Console Infrastructure, and clicked on ‘Get Intel® AMT Inventory'. She clicked the Run Now button.



On the resulting window that popped up she gave the Run name: Ninja stolen hard drive, and clicked on the ‘Select computers' link. Within the ‘Select Computers' dialog in the left-most pane, she browsed in the tree from Collections, Out of Band Management, Provisioning, and double-clicked on ‘Provisioned Intel® AMT Computers'. The middle pane showed a list of all vPro capable systems in the environment, and the right-most pane showed the Provisioned collection she'd selected. She clicked OK. She then clicked the Run Now button.



"That's it," she said, leaning back. "In the next minute or two we should have inventory from all vPro capable systems."



The Tongan shook his head. "You're going to outsmart us all out of a job," he said.



She raised an eyebrow at him. "Are you kidding? We might, just might, get to all the stuff on our plates we normally leave forever on the backburner."



She browsed in the Altiris Console under View, Reports, Incident Management, Real-Time Console Infrastructure, and selected Intel® AMT Hardware Inventory. When the report home page loaded, she clicked the Run this report link. For the parameters she left ‘System' to Any, and changed ‘Hardware Type' to ‘Media'. She clicked the ‘Refresh' button to load the report.



"Okay, this shows us all systems that have a hard drive reported with AMT Inventory. We could manually compare the list, but why not create a new report that shows us systems that do not have anything in the Media table?"



She right-clicked on the ‘Real-Time Console Infrastructure' folder and chose New, Report. She gave it the name: Intel vPro Computers Without a Hard Drive. She chose ‘Enter SQL Directly' and then rolled back from her desk.



"Alright SQL guru, I'll give you what I need and you can figure out the query."



He scooted around her, reaching for the keyboard. "Alright. Shoot."



"Okay, we need to have a list of all computers that either do not have an entry within the table Inv_AMT_Media_Device. That's it."



"That's it? That's easy enough..."



Tevita entered in the SQL, and saved the report. When they ran it, only two systems showed up.
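The report Tevita writes is never shown, so here is the shape of it as an added example (not the query from the story, and not an Altiris-supplied report): the "no row in Inv_AMT_Media_Device" query, run from PowerShell against the Notification Server database. The script assumes that vComputer exposes Guid, Name and Domain, that Inv_AMT_Media_Device is keyed on _ResourceGuid like other NS inventory classes, and that CollectionMembership(CollectionGuid, ResourceGuid) records collection membership; the server, database and collection GUID are placeholders to replace with your own.

```powershell
# Added example, not the report from the story. Assumptions to verify against
# your own NS schema before trusting the output:
#   - vComputer exposes Guid, Name and Domain for each managed computer
#   - Inv_AMT_Media_Device is keyed on _ResourceGuid like other NS inventory classes
#   - CollectionMembership(CollectionGuid, ResourceGuid) holds collection membership
#   - server, database and collection GUID below are placeholders

param(
    [string]$SqlServer = 'NS01',
    [string]$Database  = 'Altiris',
    # GUID of the 'Provisioned Intel AMT Computers' collection: read it from the
    # collection's properties in the console. The value here is a placeholder.
    [string]$ProvisionedCollectionGuid = '00000000-0000-0000-0000-000000000000'
)

# Restricting to the provisioned collection matters: a non-vPro computer has no
# AMT inventory at all and would otherwise show up as "missing a hard drive".
$query = @"
SELECT c.[Guid], c.[Name], c.[Domain]
FROM   vComputer c
WHERE  EXISTS (SELECT 1 FROM CollectionMembership m
               WHERE  m.ResourceGuid   = c.[Guid]
               AND    m.CollectionGuid = @collection)
AND NOT EXISTS (SELECT 1 FROM Inv_AMT_Media_Device d
                WHERE  d._ResourceGuid = c.[Guid])
ORDER  BY c.[Name]
"@

function Get-VProComputersWithoutDisk {
    param([string]$Server, [string]$Db, [string]$CollectionGuid, [string]$Sql)
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$Server;Database=$Db;Integrated Security=SSPI"
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $Sql
    # Parameterised: a collection GUID supplied from elsewhere cannot alter the query text
    [void]$cmd.Parameters.AddWithValue('@collection', [Guid]$CollectionGuid)
    $conn.Open()
    try {
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            New-Object PSObject -Property @{
                Guid   = $reader['Guid']
                Name   = $reader['Name']
                Domain = $reader['Domain']
            }
        }
    }
    finally { $conn.Close() }
}

Get-VProComputersWithoutDisk -Server $SqlServer -Db $Database `
    -CollectionGuid $ProvisionedCollectionGuid -Sql $query |
    Format-Table Name, Domain, Guid -AutoSize
```

The SELECT inside the here-string, with the @collection parameter replaced by the collection's GUID literal, is what you would paste into an ‘Enter SQL Directly' report. One caveat the story itself illustrates: a missing row only means AMT has not reported a media device, which also covers a system whose inventory has not come back yet (the "hasn't reported anything yet" case) and a laptop that is off the network. Run the Get Intel® AMT Inventory task first, and treat each hit as something to confirm over SOL or in the BIOS, as Jessica did for Mitch, not as proof of theft.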



Jessica looked at the names of the computers. "These are both from accounting, but Joe is in New York doing his accounting work on his laptop, and this other... he's here, but hasn't reported anything yet."



Tevita stood, dragging his chair back to his cube. "I'll take care of these two. Why don't you go home?"



"And leave you here..."



He laughed. "I'll be fine. It's almost five, and you probably want to take a nice relaxing evening trying not to think about thieves and ninjas."



"Thanks for that," she commented dryly, but with no conviction. "Only if you're sure..."



"I'm sure. I'll see you tomorrow."



"Thanks. Have a good evening."





End Part III

Recognizing the need for better physical security, and using vPro to minimize the effects of theft, the IT team continue to rise to meet the challenges facing them.


Version 3.3 of the Intel Client Manageability Add-on has been released to bring more vPro manageability features to SMS. The following new features have been added:


  • Scheduled power command operations on collections. (Note that scheduled power commands are not executed on subcollections.)

  • Graceful shutdown (attempting to shut down a platform via its operating system) for Power Down operations on collections

  • Changes in the way the Add-on interprets and applies IP site boundaries within SMS, including an optional registry switch. If the switch is set and the platform's subnet does not appear in the SMS properties for the platform, the platform will be considered as being inside the site boundaries. Note: there is no change in the way the Add-on interprets and applies Active Directory site boundaries.


Intel Client Manageability Add-on version 3.3 can be downloaded from the following location:






--Matt Royer
