
Intel vPro Expert Center Blog

35 Posts authored by: jake_friz

With the release of Intel 4th generation core vPro processors comes new AMT versions, 9.0 and 9.5. This means that some of our favorite Use Case Reference Designs (UCRD) need driver updates. Well, fret no longer; 2 stage boot (iFast) and Remote Drive Mount (RDM) have been updated.

 

For those not in the know, RDM is a remote repair use case. Basically a technician can access the hard drive(s) of a remote system at the block level, even if Windows will no longer start.

 

iFast is a "building block" use case that makes remote booting faster, making it feasible to use larger ISOs, like WinPE, for remote repair and/or OS imaging. Check them out below.

 

Remote Drive Mount

2 stage boot

 

Jake Fritz, vPro Expert

Read other posts from Jake

You may recall that, last year, I was very excited about Intel Identity Protection Technology (IPT). Then it was all about One Time Password (OTP); basically using the 2nd generation Intel Core processor as an OTP key FOB. This year, IPT is getting some new, and even cooler features. I've already written about PKI and one aspect of Protected Transaction Display. Today, let's talk briefly about another aspect of Protected Transaction Display.

 

Protected Transaction Display provides a method to get secure input from a user. It works by giving the Management Engine (ME) the ability to draw on the screen. When it does this, any software running in Windows does not see what's on the screen; all it sees is a black square. For input, there is a key pad with the numbers in randomized locations. The user uses the mouse to enter a number by clicking the key pad. Although Windows can tell where on the screen the mouse is, only the ME knows which numbers were actually entered.

[Image: PIN_pad_user.png, what the user sees.]

[Image: Pin_Pad_Hacker.png, what malicious software sees.]

 

OK, that sounds a little complicated just to get a number from a user. So how's it useful? Well, one way is to get a PIN code. When PIN codes are entered using Protected Transaction Display, malicious software will be unable to determine the code entered. This protects the code from spying eyes.

 

Another use is transaction verification. For example, let's say you want to transfer $100 from your bank to your friend. It's possible that malicious software could change the $100 value without you, or the bank, knowing it. However, using the ME, the bank can verify the transaction amount like so: the bank asks the ME to verify the number it thinks you want. The ME pops up and asks you to enter the amount. If what you enter matches what the bank asked for, the ME responds to the bank that it matches. Otherwise the ME responds that it doesn't match, and the bank can then deny the transaction.

 

Of course, there are probably many other possible uses for Protected Transaction Display. That's what excites me the most about it. It's a totally new technology. I think we're just beginning to imagine all that may be possible.

This article is an update to "Build your own PC with the 2nd generation Intel® Core™ vPro Processor Family". Now that the new core CPUs are out, along with Intel AMT version 8, I wanted to share what is needed to build your own desktop PC with these new technologies. First, you need a motherboard with an Intel Q77 Express Chipset. For KVM Remote Control, also be sure the motherboard supports Intel Integrated Graphics. The Intel DQ77KB and DQ77MK are two such boards. ASRock has the Q77M vPro. Gigabyte has the Q77M-D2H. Jetway has the NF9E-Q77.

 

Next, you need a 3rd generation Intel® Core™ vPro Processor. Further, if you want KVM Remote Control support, you also need a CPU with Intel Integrated Graphics. An Intel Core vPro processor without Intel Integrated Graphics will still give you Intel AMT 8.x, but you won't be able to use KVM Remote Control. This page has an up to date list. From there you can apply a filter to show only processors with vPro technology and Intel Graphics if you like.

 

Now onto wireless. Starting with Intel AMT 7.x, vPro added support for wireless on desktop. This, of course, is optional, but if you'd like to use Intel AMT over wireless on your new system, there are extra requirements. First, your motherboard needs support for Intel AMT wireless. This means a mini-PCI express connector with wiring for AMT communications. The Intel DQ77KB is the only one I know for sure to support this. If I learn of others, I will add them to this list. Next, you need to find an Intel® Centrino® Advanced-N 6205 Wireless NIC. Lastly, you'll need a wireless antenna.

 

One other interesting development in the build your own system area is that new standardized All-in-One chassis are coming on the market. They use a half height mini-ITX form factor. Although this is not specific to vPro, I for one am excited to get to build my own All-in-One vPro system for the first time! The Intel DQ77KB is an ITX board and will fit into one of these new chassis.

 

So go out and build your systems. Then post your system specs and your favorite vPro feature or use case.

You may recall that Intel Identity Protection with One Time Password (OTP) was first introduced last year. It was geared towards embedding hardware based OTP tokens into the platform. This year, the 3rd Generation Core vPro Processors aim to expand Intel IPT with two new features. They are:

  • Intel IPT with Public Key Infrastructure (PKI)
  • Intel IPT with Protected Transaction Display

 

For those that don't know, PKI is used for authentication, kind of like a user name and password. However, it uses certificates to authenticate a user. A certificate is kind of like your driver's license. It proves you are who you say you are. A certificate can identify a user, a computer, a document, software, and more. A certificate can also be used when encrypting information. One use for this is when connecting to a VPN. The VPN may ask you for a user name and password, and then may ask for a certificate. So, if someone else figured out your username and password, they still couldn't get in because they don't have your certificate. Other uses include document signing, email signing and encryption, and secure access to web applications.

 

Today, PKI is in wide use and comes in two flavors; hardware and software. If you've ever seen or used a Smart Card or another Hardware Security Module (HSM), that's hardware PKI. The certificates are stored on the card and the card does all certificate-related (crypto) operations. For software, certificates are stored on the computer and the CPU does all crypto operations through software.

 

OK, great, but how does Intel IPT with PKI fit into all this? Well, Intel IPT with PKI is essentially an HSM embedded in the platform. This provides the security of an HSM with the cost effectiveness and ease of use of software based certificate management. This is achieved by using the Intel Manageability Engine (ME) to perform all cryptographic operations. In this way, keys are never exposed to software running on the main CPU. Further, all certificates are tied to the platform on which they are created.

 

The ease of use of Intel IPT with PKI is achieved in a number of ways. First, since keys are tied to the PC hardware, the PC itself becomes part of the authentication scheme. Compare this to a smart card where each card has a cost, and may need to be replaced over time. Further, Intel IPT with PKI software is exposed as a Cryptographic Service Provider (CSP) via the Microsoft CryptoAPI software layer. In other words, software like Internet Explorer, Outlook, Anyconnect, and many more just work with Intel IPT with PKI, no changes required.

 

Intel® Identity Protection Technology (IPT) with Protected Transaction Display allows for secure PIN input. This is accomplished by allowing the ME to draw the input window and accept mouse clicks as input. In this way, software running on the main CPU does not have access to what is actually on the screen. However, the user can see it. Further, number keys on the PIN pad are randomized such that on every PIN entry the mouse position will be different.

 

What the user sees: [Image: PIN_pad_user.png]

What software on the CPU (e.g. a process implanted by a hacker) sees: [Image: Pin_Pad_Hacker.png]

 

Since certificates can be password protected, Intel IPT with PKI and Protected Transaction Display can be coupled to offer the ultimate in certificate security.
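As an added illustration (example code, not Intel's or this post's own), the following Python models both the PIN pad described here and the $100 transaction check from the Protected Transaction Display post above. Keypad cells stand in for screen coordinates, the ME and the host OS are simulated as two views of one session, and every value is constructed.

```python
import secrets
from typing import Dict, List, Optional

DIGITS = "0123456789"


def random_layout() -> Dict[int, str]:
    """Fresh keypad layout (cell index -> digit) from a CSPRNG. A predictable
    shuffle would let host software recover digits from the click positions."""
    digits = list(DIGITS)
    secrets.SystemRandom().shuffle(digits)
    return dict(enumerate(digits))


class ProtectedDisplay:
    """Stand-in for the ME side of one PIN entry session (simulation only)."""

    def __init__(self, layout: Optional[Dict[int, str]] = None):
        self.layout = layout if layout is not None else random_layout()
        self._entered: List[str] = []   # digits: held only on the 'ME' side
        self.host_view: List[int] = []  # cells clicked: all the OS can observe

    def click(self, cell: int) -> None:
        self.host_view.append(cell)               # mouse position is visible
        self._entered.append(self.layout[cell])   # the digit behind it is not

    def pin(self) -> str:
        return "".join(self._entered)

    def confirm_amount(self, amount_requested_by_bank: str) -> bool:
        """Transaction verification: the bank hands the ME the amount it is
        about to execute; the ME reports only whether the user's entry matches."""
        return self.pin() == amount_requested_by_bank


def consistent_pin_count(host_view: List[int]) -> int:
    """Number of PINs still possible for an observer who saw the clicks but not
    the layout. Within one session a cell always maps to the same digit, so
    repeated cells reveal repeated digits; k distinct cells leave 10!/(10-k)!
    candidates (5040 of the 10000 four-digit PINs when all cells differ)."""
    k = len(set(host_view))
    count = 1
    for i in range(k):
        count *= 10 - i
    return count


def transfer_is_allowed(intended: str, seen_by_bank: str,
                        layout: Optional[Dict[int, str]] = None) -> bool:
    """Bank-side decision for the $100 example: the user types the amount they
    intended on the protected pad, and the bank proceeds only if that matches
    the amount it actually received (which host malware may have altered)."""
    pad = ProtectedDisplay(layout)
    cell_of = {digit: cell for cell, digit in pad.layout.items()}
    for digit in intended:
        pad.click(cell_of[digit])
    return pad.confirm_amount(seen_by_bank)


if __name__ == "__main__":
    pad = ProtectedDisplay()
    for cell in (3, 3, 7, 1):
        pad.click(cell)
    print("ME knows PIN", pad.pin(), "; host saw cells", pad.host_view,
          "; PINs consistent with that view:", consistent_pin_count(pad.host_view))
    print("$100 intended, bank received $100 ->", transfer_is_allowed("100", "100"))
    print("$100 intended, malware made it $1000 ->", transfer_is_allowed("100", "1000"))
```

Note that consistent_pin_count shows the one thing click positions do leak: which digits of a PIN are equal to each other, since the layout is fixed within a single entry session.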

 

We've partnered with Symantec to offer this feature through their Managed PKI Service. Check out this video to see an example of Intel IPT with PKI in action.

 

 

 

I recently blogged about using More Secure VPN Login. In the demonstration video I used a Cisco SA540 Small business appliance. But what about Enterprise VPNs? Well, since then one of my colleagues has configured a Citrix Access Gateway to use IPT as well. Here it is in action.

 

 

Be on the lookout for more information on this and other VPNs that can be used with IPT. Do you have a favorite VPN you'd like to try? Oh, and if you need a system that supports IPT, check out Build your own PC with Identity Protection Technology (IPT) capable.

How awesome would it be to have a live, graphical, Windows based OS that could be used to repair systems? And double the awesome factor if it could be used remotely? Use WinPE and its variants plus vPro and you can do just that. You see, WinPE is live, graphical, and Windows based. And it can be booted and used remotely with vPro systems. To aid readers in doing this, I've been working diligently on use case reference designs that step readers through building Enhanced Remote Repair with Microsoft* Windows* PE, WinRE, and Use Intel vPro Technology and MSDaRT to Recover Remote Systems. The instructions include options for adding services like network support, a built in VNC server (for vPro systems that don't support KVM Remote Control), and a communications back channel to integrate with Remote ISO Launcher (RIL) for automation.

 

Here's a quick overview of the various PEs and related UCRDs:

 

Enhanced Remote Repair with Microsoft* Windows* PE

This is the most basic WinPE OS and is part of Microsoft's Windows Automated Install Kit. When booted, it provides a GUI with a window opened to CMD. At the prompt you can run tools like bcdedit, diskpart, regedit, and many more. It can be booted remotely with IDEr. Using Accelerate the Intel vPro Technology IDER Boot Process, remote boot times can be decreased. With Out-of-Box Configuration for KVM Remote Control it can be easily accessed remotely. By adding network drivers, WinPE can map a network share to back up files, or access repair tools, new files, OS images, and more. By adding a VNC server, WinPE can be accessed remotely on vPro systems that do NOT have KVM Remote Control.

 

WinRE*

This is WinPE with Microsoft's standard Recovery Tools. This is included with Windows 7, which means anyone with Windows 7 can use WinRE. The tools include system startup repair, system rollback, restore from a backup image, and more. When launched, a GUI for the repair tools is opened. From there tools are run, or a CMD prompt may be opened. At the CMD prompt all tools available in WinPE are also available here.

 

Use Intel vPro Technology and MSDaRT to Recover Remote Systems

This is WinRE with even more recovery and diagnostic tools from Microsoft. This is included with Microsoft's Desktop Optimization Pack and is also known as ERD Commander. MSDaRT requires volume licensing from Microsoft. It includes everything that WinPE and WinRE does, and more. Extras include a file browser, a system scanner, and a system crash analysis wizard. When booted, all these tools are available from the GUI, and there is the familiar CMD prompt option.

 

When used with vPro, these WinPE variants greatly improve the ability to solve Windows issues remotely. The Use Case Reference Designs are geared towards making it easy for readers to put these tools into practice. So, download the reference designs and give them a try. Then, let me know what you think. Can you get any of these WinPEs up and working with vPro? Have you been able to solve any problems remotely? If not, what is missing?

 

*Note: the WinRE UCRD is in its final review. I will update this post with links once WinRE is ready.

jake_friz

More Secure VPN Login

Posted by jake_friz Apr 26, 2011

I'm very excited about Intel Identity Protection Technology (IPT). It simplifies something as seemingly complex as security. In this video, I show how IPT may be used to enhance the security of a VPN login. Specifically, this uses Symantec's Verisign Identity Protection service with a Cisco SA540 Small Business appliance's internet portal based VPN. However, the basic concept may be applied to just about any web portal or VPN login.

 

 

This video is a teaser for a Use Case Reference Design that I have in the works. It will step readers through setting up what is shown in the video. I also hope to add some other VPN solutions. So, what do you think about using IPT for VPN login security? Also, are there any specific VPN solutions + IPT you'd like to see a Use Case Reference Design for?

This article is an update to "Build your own PC with KVM Remote Control Support". Now that the new core CPUs are out, along with AMT version 7, I wanted to share what is needed to build your own desktop PC with these new technologies. First, you need a motherboard with an Intel Q67 Express Chipset. For KVM Remote Control, also be sure the motherboard supports Intel Integrated Graphics. The Intel DQ67OW, DQ67SW, and DQ67EP are three such boards. Asus also has the P8Q67-M DO and Foxconn has the Q67M.

 

Next, you need a 2nd generation Intel® Core™ vPro Processor. Further, if you want KVM Remote Control support, you also need a CPU with Intel Integrated Graphics. An Intel Core vPro processor without Intel Integrated Graphics will still give you AMT 7.x, but you won't be able to use KVM Remote Control. This document has an up to date list. All CPUs with numbers in the 1000's are from the 2nd generation Intel Core vPro Processor Family.

 

Now onto wireless. Yes, wireless. With AMT 7.x, vPro now supports wireless on desktop. This, of course, is optional, but if you'd like to use AMT over wireless on your new system, there are extra requirements. First, your motherboard needs support for AMT wireless. This means a mini-PCI express connector with wiring for AMT communications. The only one I know for sure to support it is the DQ67EP. If I find more I will add them to this list. Next, you need to find an Intel® Centrino® Advanced-N 6205 Wireless NIC. Lastly, you'll need a wireless antenna.

 

So go out and build your systems. Then post your system specs and your favorite vPro feature or use case.

It’s no secret that KVM Remote Control is one of my favorite vPro features. Why make a house call to fix someone’s PC when you can use KVM Remote Control to do it from your own desk? With a feature this awesome, it’s challenging to make improvements. However, we’re doing just that. With the next generation Intel Core vPro Processors, KVM Remote Control now supports resolutions up to 1920x1200 at 16 bits per pixel color depth. In addition, four core CPUs are supported due to the integration of processor graphics. This means a larger number of end users will have systems capable of KVM Remote Control, making it more widely available to the help desk.

 

For those not familiar with KVM Remote Control, check out these links.

 

KVM Remote Control - it's here!

Out-of-Box Configuration for KVM Remote Control

KVM Remote Control Technical Overview

One of the great use cases for vPro is the ability to troubleshoot and fix issues remotely on systems that will no longer boot into Windows. Using features such as KVM Remote Control, IDE Redirection, and Remote Power Control, the help desk agent can remotely view, control, and reboot a failing system. However, before they can do those things, the agent must first locate the system on the network. That is, figure out the system’s name or IP address.

For many large businesses, this is not a problem. For example, an agent may ask the caller for their user ID or employee number. Then the agent can look up the caller’s system in an inventory database. But what about businesses that don’t have such an inventory database? Do users know their machine names or IP addresses?

Fortunately, with Intel AMT 7, they don’t need to. Instead, all they need to do is press a series of key strokes during boot. When Intel AMT senses these keys, it will pause and display the PC’s current IP address and FQDN. The caller can then read it over the phone to the agent. I don’t know about you, but this is one of my favorite features of vPro. It’s so simple, yet it solves such a challenging issue. I included a screen shot below so you can see how it looks.

[Screenshot: 3704_FCFH_png-550x0.png, the Fast Call for Help IP address and FQDN display]

Enabling this ability is also super easy. In fact, once Intel AMT is set up and configured, this feature is on by default. To use it, just reboot and press the keystrokes for a Fast Call for Help; the same key strokes will trigger this message. On many machines this is ctrl-alt-f1, but it can vary based on the machine’s BIOS, so check with the machine vendor or BIOS messages to be sure.

So, let me know what you think. Is this feature useful in general? Do you have a specific use for it? What else would you like to see?

Terry Cutler wrote a really nice article about hardware-based alerts in Intel AMT and the Symantec Management Platform. He included information and a video on using Fast Call for Help with Symantec to create a Self Help Portal. Here’s Terry’s post: Using Out-of-Band Alerts with Symantec Management Platform.

 

This inspired me to extend my “Using Intel AMT Remotely from a Command Line” series. You see, in order to use Terry’s Self Help Portal, Fast Call for Help from inside the intranet must first be enabled. One easy way to automate this would be via a batch file using WinRM. I’ll assume you’re familiar with the basic concepts:

 

Using AMT Remotely from a Command Line with WinRM

 

WinRM command line for Kerberos and TLS

 

From an AMT perspective, enabling Fast Call for Help in the Intranet requires two things. First, you must turn it on. Second, you must tell AMT where to send the alerts generated by Fast Call for Help. These can be done in any order. The second part is easy with Symantec. Terry covers this here: Part 1 - Using Out-of-Band Events and Alerts with Intel vPro Technology. Just subscribe to the AMT Notification alert.

 

The first part is a little harder. The good news is that, if you configure AMT for Fast Call for Help from the Internet, then it’s also automatically turned on for the Intranet. But what if you don’t use Fast Call for Help from the Internet? Try this WinRM command:

 

winrm invoke RequestStateChange http://intel.com/wbem/wscim/1/amt-schema/1/AMT_UserInitiatedConnectionService @{RequestedState="32771"} -remote:192.168.1.106:16992/wsman -u:admin -p:P@ssw0rd -a:Digest -encoding:utf-8

 

Be sure to replace the IP with your system’s IP or FQDN and adjust the credentials as needed. Take note of RequestedState="32771". This is the on/off value for Fast Call for Help. There are actually four options:

32768 – Disable Fast Call for help from the BIOS and the Operating System

32769 – Enable Fast Call for help from the BIOS interface only

32770 – Enable Fast Call for help from the Operating System Interface only

32771 – Enable Fast Call for help from the BIOS and the Operating System interfaces

 

Once you have a working command to turn on Fast Call for Help, use Symantec to schedule it to run on all your AMT systems.
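To run that command across a fleet rather than one host, here is an added Python wrapper (example code, not from the post or from Symantec): it reproduces the post's command line for each host, names the four RequestedState values, and reads the ReturnValue from winrm's output. The host list, credentials and the sample winrm output are constructed, and the "Name = value" output shape is an assumption about winrm's display format.

```python
import subprocess
from typing import Callable, Dict, List, Optional

SERVICE = ("http://intel.com/wbem/wscim/1/amt-schema/1/"
           "AMT_UserInitiatedConnectionService")

# The four RequestedState values for AMT_UserInitiatedConnectionService.
FCFH_STATES = {
    "disabled": 32768,      # off from both the BIOS and the OS
    "bios": 32769,          # BIOS interface only
    "os": 32770,            # operating system interface only
    "bios_and_os": 32771,   # both interfaces (what the post's command sets)
}

# Constructed sample of what a successful invoke prints; 0 is CIM's
# "completed with no error" return code for RequestStateChange.
SAMPLE_OUTPUT = "RequestStateChange_OUTPUT\n    ReturnValue = 0\n"


def batch_line(host: str, user: str, password: str,
               state: str = "bios_and_os", port: int = 16992) -> str:
    """One winrm invocation, in the form it would appear in a batch file."""
    if state not in FCFH_STATES:
        raise ValueError(f"unknown Fast Call for Help state: {state}")
    return " ".join([
        "winrm", "invoke", "RequestStateChange", SERVICE,
        f'@{{RequestedState="{FCFH_STATES[state]}"}}',
        f"-remote:{host}:{port}/wsman",
        f"-u:{user}", f"-p:{password}", "-a:Digest", "-encoding:utf-8",
    ])


def parse_return_value(output: str) -> Optional[int]:
    """Extract ReturnValue from winrm's 'Name = value' output; None if absent
    (unreachable host, failed Digest auth, unsupported AMT version)."""
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ReturnValue":
            try:
                return int(value.strip())
            except ValueError:
                return None
    return None


def _run_winrm(cmd: str) -> str:
    # winrm is a .cmd wrapper on Windows, so the line is handed to the shell.
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def set_fast_call_for_help(hosts: List[str], user: str, password: str,
                           state: str = "bios_and_os",
                           runner: Callable[[str], str] = _run_winrm
                           ) -> Dict[str, Optional[int]]:
    """Apply the state to every host; returns host -> ReturnValue (0 = set).
    'runner' is injectable so the logic can be exercised without winrm."""
    return {host: parse_return_value(runner(batch_line(host, user, password, state)))
            for host in hosts}


if __name__ == "__main__":
    fleet = ["192.168.1.106", "192.168.1.107"]   # constructed host list
    for host, rc in set_fast_call_for_help(fleet, "admin", "P@ssw0rd").items():
        print(host, "ok" if rc == 0 else f"failed (ReturnValue={rc})")
```

The linked "WinRM command line for Kerberos and TLS" post is where to look for replacing -a:Digest and -p: with Kerberos over TLS, which keeps the admin password off the command line and the session off plaintext HTTP on 16992; only batch_line needs to change.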

 

Now that you can turn on Fast Call for Help for all your AMT >=4 systems, add Symantec Management Platform and you have everything you need to deploy an out of band self help portal. Please let us know if you have any questions or if you get your self help portal up and running. Anyone have any other ideas for ways to use Fast Call for Help?

KVM Remote Control is certainly one of vPro's most compelling features. The challenge is how to use it if your favorite management console does not support it. Fortunately RealVNC created VNC Viewer Plus with just this in mind. They are compatible with almost any configuration setting one can apply to AMT. So, I wanted to share with this community a new Use Case Reference Design that steps readers through how to use VNC Viewer Plus with vPro when AMT has been configured by Config Manager: http://communities.intel.com/docs/DOC-6035.

 

This UCRD covers the basics like settings required to connect and advanced topics like AMT configuration for help desk level credentials. It builds on other UCRDs, creating a framework for taking advantage of KVM Remote Control. And, finally, it provides reusable concepts that could be applied to any KVM Remote Control capable viewer just in case Viewer Plus is not your cup of tea. So, check it out and let me know what you think. Is there value in UCRDs that help with features that are not natively supported by a management console? Does this UCRD have the right level of detail to help with a successful deployment? What other UCRD topics would you like to see?

I've been sitting on this one for a while now, hoping that I'd have time to write a full Use Case Reference Design, but figured I'd better just put it out there. I recently ran across something called "Portable apps". Yes, I know they are not new, but they were certainly new to me. Portable apps are designed to run from USB thumb drives as stand alone applications. That way you can bring your thumb drive with you and no matter what computer you use, you have your favorite apps, settings, docs, etc.

 

While perusing, I noticed quite a few remediation tools. For example, ClamWin virus scanner has a portable version. So I began to wonder...these apps run stand alone. They don't mess with the registry, they don't need run time libraries, they just run. Maybe they'd work in Windows PE. So, I built a 32 bit WinPE following these instructions. Between sections 3.3.2 & 3.3.3 I copied in ClamWin and Firefox portable. I continued on and ended up with a WinPE ISO file. I then IDEr booted one of my AMT 6 systems, and what do you know, ClamWin and Firefox worked! I can scan for viruses. I can surf the Internet. All from WinPE. All remotely. This could be the beginning of a great recovery OS for help desk use.

 

Since then I've tried a few other portable apps. Not everything works, but so far most of them do. Eventually, I hope to post more detailed instructions and lists of the most useful portable apps for remote remediation. In the meantime, here are a few links to some portable apps. Give it a try and let me know what works, and which apps are your favorites.

 

http://portableapps.com/

http://www.portablefreeware.com/

 

PStart makes a simple, easy GUI for WinPE so you don't have to start your apps from a command line: http://www.pegtop.de/start/

In our quest to make vPro great for remote remediation, we took the concept of a small linux iso, added in a little ROS_trigger, and poof; a new reference design code named 2 stage boot. Our goal was to make remote booting faster by placing the remote image as close to the vPro system as possible. However, even we were surprised at how much faster this really is.

 

The gist is this: using IDEr, a vPro system boots a ~4Meg Linux image. This image maps a share and then downloads a bigger image into a RAM disk. Then it triggers a reboot to the RAM disk. Hence the name "2 stage boot". Check out the reference design here, which includes a step-by-step guide as well as a builder that will customize the stage 1 Linux image for your environment, no Linux experience needed.

 

Don't believe it's fast? Wanna see how it works? Check out the latest tech 10 episode (below). I walk Michele through using 2 stage boot and do a side-by-side speed comparison of pure IDEr vs IDEr with 2 stage boot.

 

I've been reading up on how to manually remove malware. It seems the process is usually something like: stop the malware process(es), delete the files, and delete the registry keys. In theory, this could be done remotely and out of band. For example, boot RDS, then delete the malware files and registry keys. So my question is to those who have experience removing malware. Is there a benefit to doing it out of band?

 

My take is that being out of band could make removal easier since the malware processes are not running and hence can't battle with you as you try to delete files and reg keys.

 

What do you think about remote, out of band virus removal? Are there benefits? Anyone had success or failures to report?
