SCCM / vPro FAQ

Version 1

    Q1: Where can I find PCs with Intel® vPro™ technology?

    A1: PCs with Intel® vPro™ technology are available from leading PC manufacturers worldwide. For a listing of manufacturers who are supporting Intel® vPro™ technology, visit http://www.intel.com/buy/.

    Q2: Are the benefits of PCs with Intel® vPro™ technology lost if I don't have this platform in 100% of my installed base?

    A2: No. You will receive immediate benefit from the energy-efficient performance of the Intel® Core™2 Duo Processor, and your PCs will be ready for the Windows Vista* Premium experience. You can also begin managing PCs with Intel® vPro™ technology at a higher level than PCs with earlier management technologies, likely with a simple addition to the management console you use today. As the portion of your installed base containing Intel® vPro™ technology grows, the benefits will accelerate through the potential to further reduce manual processes.

    Q3: What software supports Intel® vPro™ technology?

    A3: Intel® vPro™ technology is supported by a large selection of the leading management consoles and other software. For a listing of software vendors who are supporting Intel® vPro™ technology, visit Software Vendor Support for Intel® vPro technology.

    Q4: What IT Service Providers are supporting Intel® vPro™ technology?

    A4: Intel® vPro™ technology is supported by a large selection of the leading IT outsourcers. For a listing of IT Service Providers who are supporting Intel® vPro™ technology, visit Software Vendor Support for Intel® vPro technology.

    Q5: How is the Intel® Active Management Technology (Intel® AMT) feature of Intel® vPro™ technology different from ASF and Wake-On-LAN?

    A5: Intel® AMT provides more security and functionality than ASF or Wake-On-LAN. Unlike legacy technologies, the Intel® System Defense feature within Intel® AMT proactively helps prevent the spread of viruses by blocking transmissions from infected PCs. Intel® AMT also provides authentication and encrypted communication of management traffic, so the Intel® AMT features can only be activated by authorized management consoles. Its out-of-band management capabilities include not only the ability to reboot PCs and send alerts, but also remote control, remote BIOS updates, and access to event logs and asset information regardless of system state or operating system presence. Alerting is policy-based rather than based on preset criteria, allowing additional flexibility in IT processes. And Intel® AMT is designed to ensure management traffic can pass through network routers, allowing remote management of a greater portion of your installed base.

    Q6: How do these capabilities compare to DASH?

    A6: vPro is DASH compliant and is a superset of the DASH standard. DASH provides some of the same functionality as vPro: remote boot control, HW inventory, SW inventory and alerting. In addition to DASH, vPro provides remote diagnostics and repair capabilities, hardware-based agent monitoring, the ability to remotely isolate a PC or many PCs, and remote configuration. In the near future we will be adding the ability to access systems outside the corporate network and hardware-based hard drive encryption.

    Q7: I have vPro in my environment and will be transitioning to SCCM. When should I activate?

    A7: Regardless of whether the sequence is Activate and then Migrate or vice versa, we have tools and recommendations to support both scenarios. Within the context of SMS and System Center, if vPro activation is deferred until after SCCM SP1 is deployed, then the SP1 install process will ensure all tools required to activate vPro are available. If vPro activation occurs prior to migration to SCCM SP1, then the use of Intel's Migration Tool will ensure that SCCM SP1 can natively activate the vPro systems. Since Activation and Migration are projects that require well-planned resource commitments, allowing for a buffer if Activation precedes Migration is important. The actual buffer time will depend on the size and complexity of the IT environment.

    Q8: I understand that vPro version 3.2.1 is supported at SCCM SP1 RTM. Do I need anything else to support legacy systems?

    A8: Legacy systems have two dependencies: (1) the Intel WS-MAN Translator and (2) SCCM SP1 HotFix 1, expected to be released July 2008. Even without the hotfix, provisioning and collection-based power operations for legacy vPro are not impacted. All vPro usage scenarios using AMT clients with firmware 3.2.1 can be implemented out of the box.

    Q9: How does Network Access Protection (NAP) work with vPro?

    A9: Beginning with AMT 4.0 in July 2008, network security credentials can be embedded in vPro. This capability allows the Microsoft posture profile to be stored in hardware (in protected, persistent memory), and presented to the network even if the OS is absent. The network can now authenticate a PC before the OS and applications load, and before the PC is allowed to access the network. This capability also allows IT administrators to use their existing PXE infrastructure within a Microsoft NAP network. Statement of Health information for vPro clients including the System Boot Log, Approved Firmware versions & Security Parameters, and a digitally signed certificate can be sent back to the NAP Policy Server.

    Q10: How can a vPro machine be remotely repaired if it has been encrypted by BitLocker?

    Short Answer: When BitLocker is deployed in Transparent mode (expected to be the majority of deployments), remote repair scenarios are fully supported, since the only dependency is the on-board TPM. If BitLocker is deployed in User Authentication or USB Key mode, either the user or a USB key must be available to support remote repair.

    Detailed Response: Intel AMT and BitLocker are fully compatible when BitLocker is configured in the Transparent operation mode (see below for a summary of BitLocker modes of operation). The Transparent operation mode does not require the presence of the user to boot the system, so there are no issues with Intel AMT or remote management. IT administrators desiring remote unattended manageability (such as with Intel AMT) will need to deploy BitLocker in this mode. Most expect that the vast majority of those who deploy BitLocker will choose to do so in this Transparent operation mode.

    If BitLocker is configured with either User authentication mode or USB Key, the user is required to be present (e.g. Help Desk scenario) if attempting to remote-boot to an OS using Intel AMT. Intel AMT cannot be used in an "unattended state" in either of these BitLocker modes.

    For example, AMT can be used remotely to reboot a failed system if the user is present and has their USB key attached. On the other hand, if the user goes home at night and takes the USB key with them, AMT will not be able to remotely boot the system. (Again, these limitations apply only with the User authentication mode or USB Key mode of operation.)

    IT administrators deploying BitLocker in these two modes need to plan their deployments accordingly and balance remote manageability using AMT with the security provided by USB key or User authentication modes.

    There are three modes of BitLocker operation:

    The first two BitLocker modes of operation require a cryptographic hardware chip called a Trusted Platform Module (version 1.2 or later) and a compatible BIOS:

    (1) Transparent operation mode: This mode exploits the capabilities of the TPM 1.2 hardware to provide a transparent user experience: the user logs onto Windows Vista as normal. The key used for the disk encryption is sealed (encrypted) by the TPM chip and will only be released to the OS loader code if the early boot files appear to be unmodified. The pre-OS components of BitLocker achieve this by implementing a Static Root of Trust Measurement, a methodology specified by the Trusted Computing Group. This mode is vulnerable to a cold boot attack, as it allows a machine to be booted by an attacker.

    (2) User authentication mode: This mode requires that the user provide some authentication to the pre-boot environment in order to be able to boot the OS. Two authentication modes are supported: a pre-boot PIN entered by the user, or a USB key.

    The third and final mode does not require a TPM chip:

    (3) USB Key: The user must insert a USB device that contains a startup key into the computer to be able to boot the protected OS. Note that this mode requires that the BIOS on the protected machine supports the reading of USB devices in the pre-OS environment.
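    The following is an added illustration, not Intel's or Microsoft's code, of why mode (1) above supports an unattended AMT reboot while mode (2) does not. It is a toy model of the Static Root of Trust Measurement: each early boot component is hashed into a TPM 1.2 style PCR, a volume master key (VMK) is sealed to the expected PCR value, and the TPM releases the VMK only if the measured boot chain matches. In the PIN variant the seal is additionally bound to a user secret, so the same unattended reboot stalls. The `ToyTPM` class, the XOR-plus-HMAC sealing construction, the component images and the PIN are all constructed stand-ins and are not how a real TPM or BitLocker implements sealing.

```python
"""Toy model of BitLocker TPM sealing (added example, not vendor code)."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

PCR_LEN = 20  # TPM 1.2 PCRs hold a SHA-1 digest

# Constructed stand-ins for the early boot files measured before the OS loads.
GOOD_CHAIN: List[bytes] = [b"BIOS v1.00 (demo)", b"MBR (demo)", b"BOOTMGR (demo)"]
VMK = bytes(range(32))  # constructed 32-byte volume master key
PIN = b"1234"           # constructed pre-boot PIN for user authentication mode


def extend_pcr(pcr: bytes, component: bytes) -> bytes:
    """TPM extend operation: PCR_new = SHA1(PCR_old || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot_chain(components: List[bytes]) -> bytes:
    """Measure each boot component in order, starting from an all-zero PCR."""
    pcr = b"\x00" * PCR_LEN
    for component in components:
        pcr = extend_pcr(pcr, component)
    return pcr


class ToyTPM:
    """Stand-in for a TPM: holds a secret that never leaves the 'chip'."""

    def __init__(self, secret: Optional[bytes] = None):
        self._secret = secret or os.urandom(32)

    def _kek(self, pcr: bytes, user_secret: bytes) -> bytes:
        # Key-encryption key bound to the PCR value and any user secret (PIN).
        return hmac.new(self._secret, pcr + user_secret, hashlib.sha256).digest()

    def seal(self, vmk: bytes, expected_pcr: bytes, user_secret: bytes = b"") -> Dict[str, bytes]:
        """Seal a 32-byte VMK to an expected PCR value (and optional PIN)."""
        kek = self._kek(expected_pcr, user_secret)
        blob = bytes(a ^ b for a, b in zip(vmk, kek))  # toy encryption, 32 bytes each
        tag = hmac.new(kek, blob, hashlib.sha256).digest()
        return {"blob": blob, "tag": tag}

    def unseal(self, sealed: Dict[str, bytes], current_pcr: bytes,
               user_secret: bytes = b"") -> Optional[bytes]:
        """Release the VMK only if the current PCR (and PIN) reproduce the KEK."""
        kek = self._kek(current_pcr, user_secret)
        expected_tag = hmac.new(kek, sealed["blob"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected_tag, sealed["tag"]):
            return None  # measured boot chain or PIN differs: key stays sealed
        return bytes(a ^ b for a, b in zip(sealed["blob"], kek))


def attempt_boot(tpm: ToyTPM, sealed: Dict[str, bytes], components: List[bytes],
                 user_secret: bytes = b"") -> Optional[bytes]:
    """Simulate the OS loader measuring boot and asking the TPM for the VMK."""
    return tpm.unseal(sealed, measure_boot_chain(components), user_secret)


def run_scenarios() -> Dict[str, bool]:
    """Compare unattended reboots under transparent mode and PIN mode."""
    tpm = ToyTPM(secret=b"fixed-demo-secret-not-for-real-use")
    expected = measure_boot_chain(GOOD_CHAIN)
    transparent = tpm.seal(VMK, expected)          # mode (1): TPM only
    pin_mode = tpm.seal(VMK, expected, PIN)        # mode (2): TPM + PIN
    tampered = GOOD_CHAIN[:-1] + [b"BOOTMGR (modified)"]
    return {
        # Unattended AMT reboot completes: no user secret needed.
        "transparent_unattended": attempt_boot(tpm, transparent, GOOD_CHAIN) == VMK,
        # Modified early boot file: TPM refuses to release the key.
        "transparent_tampered": attempt_boot(tpm, transparent, tampered) is None,
        # Same unattended reboot under PIN mode stalls at the pre-boot prompt.
        "pin_unattended": attempt_boot(tpm, pin_mode, GOOD_CHAIN) is None,
        # With the user present to enter the PIN, the boot proceeds.
        "pin_with_user": attempt_boot(tpm, pin_mode, GOOD_CHAIN, PIN) == VMK,
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'as expected' if ok else 'UNEXPECTED'}")
```

The point for an AMT deployment is the third scenario: the sealed key is correct and the boot chain is untouched, yet without the PIN the TPM will not release it, which is exactly the "user must be present" constraint described above for User authentication and USB Key modes. Real BitLocker seals to a configured set of PCRs rather than the single PCR modelled here.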

    Q11: I have activated vPro in my SMS environment and will be migrating to SCCM in the near future. Are there any special considerations I should take into account?

    A11: Yes, there is a migration utility posted on the vPro Expert Center that eases the vPro transition. It can be found here: http://communities.intel.com/community/vproexpert/microsoft-vpro.

    This migration utility will help automate the vPro migration process from SMS to SCCM.

    Q12: How does SCCM SP1 make vPro activation easier?

    A12: Microsoft has developed and integrated their own vPro configuration tool within SCCM, designed to ease deployment. The latest capability is Remote Configuration: the ability to activate vPro without manually touching the machine. This can be administered on systems purchased today by working with your OEM to enable this feature from the factory, or on systems already deployed in your environment but not yet activated by obtaining the updated firmware package from your OEM. Remote Configuration details are provided on the vPro Expert Center. Microsoft has also incorporated their own provisioning and will provide full customer support.

    Q13: Why is the WS-MAN Translator required for legacy vPro clients?

    A13: SCCM only communicates with vPro clients in WS-MAN (Web Services for Management). Prior to vPro firmware version 3.x, vPro clients only knew how to communicate in a protocol called EOI (External Operations Interface). The WS-MAN Translator translates WS-MAN calls to EOI and EOI to WS-MAN between the SCCM SP1 Out of Band Service Point and the vPro client.

    Q14: If vPro 3.x clients know how to communicate in WS-MAN, why does SCCM SP1 require WS-MAN Translator for vPro firmware 3.0 and 3.1?

    A14: Microsoft was the first ISV to implement support for WS-MAN in AMT with SCCM SP1. This required additional enhancements that were introduced in 3.2.1.

    Q15: What AMT features are supported in SCCM?

    A15: A comprehensive list of the vPro use cases supported by SCCM SP1 can be found here: http://technet.microsoft.com/en-us/library/cc161963(TechNet.10).aspx