Hello again! My team has been working on a use case reference design called the Intel vPro Platform Solution Manager (quite a mouthful, I know!). So what is it? Well, we were sitting around one day after an epic nerf gun war asking ourselves “how can we make management with Intel® vPro™ even easier to use?” (yes we actually say “circle-R” and “T-M” while we discuss this, but it’s mostly as a joke… unless you’re one of our legal or marketing folks; in that case we’re very serious). We’ve made great strides in simplifying the setup and configuration of vPro (if you’re not familiar with Host Based Configuration you must check it out!).


So, how can we make management of a platform easier? We write some software of course! The Platform Solution Manager (PSM) is a plugin-based framework that allows us to connect to a vPro based platform and exercise the various AMT features of that platform. For starters we can:

  • View and set Alarm Clock settings
  • View the AMT Event log
  • Perform IDE-Redirection
  • View Hardware Inventory
  • Connect via Remote KVM (on supported platforms)
  • Power Management
  • Serial-Over-LAN
  • And More!

 

PSM allows you to connect to multiple vPro platforms concurrently and quickly switch between them. If you don’t want to continually switch, you can “pop-out” any of the plugins above into a separate window!

BRDSS.png

“But what about all my existing management tools?” Well I’m glad you asked. You can launch PSM from your existing management tool (just pass the hostname and credentials, or only hostname if using Kerberos) to PSM and it will automatically connect for you!

 

If you’re using vPro, download PSM and give it a shot and let me know what you think! (Oh, and I was just kidding about the epic nerf gun battle)

 

Thanks

 

--Richard

Hi everyone,

 

When you try to configure a system running the ACU configurator you may receive the following error:

 

Intel(R) AMT connection error  0xc000520d: A Soap Fault occurred.  (0xc000520d).

 

error8.PNG

 

When you run the ACU configurator again it succeeds. The only way to reproduce the error again on the same system is to run a full unconfiguration, delete it from SCS and run the ACU Configurator again.

 

The issue occurred for me when I had selected home domains but did not include the DNS suffix that Option 15 returned. I assumed it only required the domain.

Capture.PNG

 

Now a lot of people will not have this issue because 90% of the time Option 15 will be set to your domain.

 

Hope this helps,

 

You can see my other blogs at my blog spot http://blogs.bamits.com.au/

Last week in my Blog I mentioned the Active Directory AMT Objects and things to watch for when working with them. Today I want to share a possible temporary solution.

 

So to recap, current objects that are created by the SCS are not being treated as true “computer” objects. They end up being returned by queries as user objects, and that leads to some confusion.

 

One way that I have dealt with these objects is to restrict “list” access to them. This way they do not show up in AD searches and users (like me) are less likely to select them by accident.

 

So let’s take a look at the object again. I provisioned this client using AD integration and TLS using SCS 8.1.4.16.

Here is the AD Object that was created:

1.jpg

And remember when we search for this particular computer name, it is returned as a user object (notice how I do not have Computer objects selected for object types in the search below)

2.png

One way I have found to prevent this from returning in queries is to specifically deny “list contents” for the AMTOU container and all the descendant objects.

In this example, I am logged in with a user account “amt\Josh”, which happens to have full control of the AMT device.

 

Now we modify the permissions on the OU, and Deny List Contents for This object and all descendant objects for the accounts and groups we do not want to find the AMT objects:

 

**Keep in mind that the SCS service account still needs Full Control in this OU for provisioning/unprovisioning**

**I would treat this as a temporary workaround and be very careful about making any changes to the OU in your production environment!**

3.png

This will basically “hide” the AMT AD objects from that certain group or user (amt\josh in this case).

Now when we query for the machine name:

2.jpg

We get the above error message, which forces us to add the “Computer” object types to the query:

3.jpg

4.jpg

And finally we only get our true computer AD object returned from the query.

 

This is just a simple test method we have used in the lab to prevent the AMT objects from showing up in AD searches. You will want to consult with your network/active directory owner for best practices of hiding AD objects in your production environment.

 

To show that the account is still able to authenticate and connect to AMT, here is a screenshot showing a successful command from the AMT vPro PowerShell Module:

 

4.png

If you have any other creative ways of hiding these objects, I would love to hear about them!
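
The Deny "List contents" workaround from the post above, scripted in PowerShell as an added example (not from the original post or from Intel SCS). It assumes the ActiveDirectory RSAT module is installed; the OU distinguished name, the group `AMT-Hidden-From` and the service account `svc-scs` are hypothetical placeholders.

```powershell
# Added example: deny "List contents" on the AMT OU for one group, applied to
# "This object and all descendant objects". All names below are placeholders.
Import-Module ActiveDirectory

$ouDn       = 'OU=AMTOU,DC=amt,DC=example'  # placeholder DN of the OU holding the AMT objects
$denyGroup  = 'AMT-Hidden-From'             # hypothetical group that should not see AMT objects
$scsAccount = 'svc-scs'                     # hypothetical SCS service account

# Guard: the SCS service account still needs Full Control in this OU, and an
# explicit Deny on the OU overrides Allow ACEs on it. Refuse to continue if the
# service account is a direct or nested member of the denied group.
$members = Get-ADGroupMember -Identity $denyGroup -Recursive
if ($members.SamAccountName -contains $scsAccount) {
    throw "$scsAccount is a member of $denyGroup; refusing to add the Deny ACE."
}

$sid  = (Get-ADGroup -Identity $denyGroup).SID
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ListChildren,      # shown as "List contents" in the GUI
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)  # this object and all descendants

$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify: show the explicit (non-inherited) Deny ACEs now present on the OU.
(Get-Acl -Path $path).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType

# Rollback: remove the same ACE again.
# $acl = Get-Acl -Path $path; [void]$acl.RemoveAccessRule($rule); Set-Acl -Path $path -AclObject $acl
```

Denying a dedicated group rather than individual accounts keeps the change to a single ACE that is easy to audit and to roll back.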

First some general background:

The Cisco Wireless LAN Controller (WLC) configuration includes a setting named “DHCP Address Assignment Required” (also known as the “DHCP Required” option). This option allows the end-user to force a client DHCP address request/renew every time a client associates to the WLAN, before the client is allowed to send or receive other traffic on the network. It is intended to enhance the security policy through extremely strict control of IP addresses (for further information, see Cisco's web page).

 

“DHCP Required” affects the total time for roaming before traffic is allowed to pass again. This does not affect regular Windows client reconnections, but may cause issues for time-sensitive flows that prefer not to perform a DHCP renew until the lease time expires.

When “DHCP Required” is enabled, a DHCP renewal is required when there is a reboot or a reload of the WLAN driver during an AMT healing session. The Cisco WLC will block any traffic to and from this client until the DHCP renewal completes.

 

So what is the problem?

 

In cases where DHCP renewals take too long (5 seconds or more), for example in environments with DHCP relay agents, the wireless AMT TCP connection might disconnect and break the healing session.

 

What can be recommended to avoid the problem?

 

Intel recommends simply following Cisco’s guidance on the web page mentioned above, “In general, it is a good idea not to use this [DHCP required] option if the WLAN has non-Windows clients", and disabling this option for wireless AMT environments.

 

Client strategies for the U.S. Government must be affordable and readily deployable while meeting the most stringent requirements for data security and operational efficiency. At the request of a customer, the Air Force Research Laboratory (AFRL) engaged with Intel and Citrix to create SecureView*, a solution that expands on capabilities in Citrix XenClient* and 2nd- and 3rd-generation Intel® Core™ i5 and i7 vPro™ processors to meet these requirements. SecureView, which has been deployed at more than a dozen federal agencies, is less vulnerable to modification or corruption than traditional software-based security solutions. It also provides high performance for mission-critical collaboration and saves the government tens of millions of dollars in total cost of ownership (TCO) for every 10,000 users to which it is deployed.


“SecureView is vital to the nation’s security," explained Dr. Ryan J. Durante, chief of cross-domain solutions and innovation for AFRL. "It improves the productivity and effectiveness of intelligence analysts and other key users while saving millions of dollars. The use of COTS technologies and the close teamwork and commitment from Intel and Citrix allowed us to deliver the solution within months.”

 

To learn more, download our new AFRL business success story. You can find more like this one on Intel.com and iTunes. And to keep up to date on the latest business success stories, be sure to follow ReferenceRoom on Twitter.

 

*Other names and brands may be claimed as the property of others.

To get performance for the most demanding PC tasks, many companies are choosing Intel® Core™ i7 processors. You can learn why in two new business success stories:

 

You can find more real-world success stories like these on Intel.com and iTunes. And to keep up to date on the latest business success stories, be sure to follow ReferenceRoom on Twitter.
