I have questions that are nowhere on this website. Please do not answer my questions with a link, I just need the answers to these questions:
How does the screen sharing work?
Looks like you have to have AMT 6.0 in order to do screen sharing, is this correct?
How can I load images using vPro?
How do you control computers (laptop & PCs) over a private network?
How do you control computers (laptop & PCs) over a public network?
How does it work with different OSs?
Will it work if your integrated NIC stops working & you add a NIC card?
Is there any software agent installed?
I have some computers that have AMT 3.0, & all I can do is shutdown the computer using a web browser, can I upgrade to AMT 6.0, if not why?
If I have a computer on my domain in LA, how will I be able to control that computer, what kind of protocol is being used?
Is there a manager console that Intel provides to control vPro computers in a network?
Most of the forums will provide links for the person to find the answer there, but they might not provide specific answers like the ones that you are expecting.
If the answers that you are looking for are not located on this link you might want to keep posting the questions to see if someone can answer you:
Screen Sharing (aka KVM Remote Control) is essentially a VNC server embedded in the chipset. So, you turn it on and set a password, then you can connect with a VNC viewer. RealVNC has a nice viewer (Viewer Plus) with additional vPro features to make it a "one stop shop" but any VNC compliant viewer should work.
KVM Remote Control requires AMT 6 or higher and Intel Integrated Graphics.
I'm not sure what you mean by "load images". Please clarify.
To control a computer on a private network, first turn on KVM Remote Control (details at /docs/DOC-4795 or /docs/DOC-4910), and then connect with a viewer.
On a public network things can get complicated. Essentially, the process is the same. The complications are that you may not know the system's IP when it's on a public network and can't rely on DNS. For this, you could try Dynamic DNS. Another complication is a firewall. For this, one option is to open port 5900 and/or use port forwarding. A final complication is AMT has loads of security features like the ability to turn KVM off (called Environment Detection) when it detects it's on a public network. It also has "Fast Call for Help" which is essentially a VPN connection established from the chipset that allows working through firewalls. I'm sure I'm forgetting something as well...public networks are just complicated. Every deployment requires custom tailoring so if you have something specific in mind let me know.
Since the server is in the hardware, it is mostly OS agnostic. There's always an exception, right? In this case, KB and Mouse control work by exposing a virtual USB KB & mouse device. So, if your OS doesn't have USB drivers and doesn't work with "legacy USB" support, you won't be able to use the keyboard and mouse remotely. In my experience DOS, Windows, and Linux work fine, unless something is wrong with the USB drivers (EG I forgot to compile them into the kernel).
It only works with the Intel NIC, both wired and wireless. Other add-in NICs will not work.
No software agent is needed. If you like, there's an AMT driver that will alert the local user that they are being controlled and let them disconnect. But, this is not required.
AMT can be upgraded on dot releases (eg 3.0 -> 3.2) but not full releases (eg 3.0 -> 6.0). This is because the firmware is tied to the chipset. A chipset that came with 3.0 is not capable of running a firmware with 6.0...they literally have different parts. As such, the chipset won't allow this type of upgrade. Another thing to note about KVM is that it gets video by using a special back channel into the video memory. This is not present on all chipsets prior to that of AMT 6, so even if you could upgrade, KVM would not work. This is also why add-in graphics cards do not work with KVM, they don't have the video memory back channel.
However, AMT 3 can do much more than just "shut down using a web browser". For example: using a management console you can do SOL and IDER. SOL gives you a serial console (you can see DOS and BIOS) and IDER lets you boot the AMT system to a disk that is on your remote system.
The remote control protocol is VNC
Intel has sample management consoles (/docs/DOC-1171) which you're free to use. Try the Manageability Developer's Toolkit. RealVNC has a nice one as well (Viewer Plus: http://www.realvnc.com/products/viewerplus/index.html). There are, of course, many choices (http://www.intelsalestraining.com/vprosoftwareguide/content.htm). Note, they don't all support KVM.
Hope that wasn't too many links for you. Let me know if you have other Qs.
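For anyone auditing where KVM Remote Control has been left reachable on port 5900, the following added example (not part of the original posts and not Intel's code) reads the VNC (RFB) handshake and reports which authentication types the server offers. It assumes the embedded server follows the standard RFB 3.7/3.8 handshake from RFC 6143; the function names and the sample bytes are constructed for illustration.

```python
import socket

# RFB security-type codes from RFC 6143; other values are vendor extensions.
SECURITY_NAMES = {1: "None", 2: "VNC Authentication"}

def parse_rfb_version(banner: bytes):
    """Parse the 12-byte ProtocolVersion message b'RFB xxx.yyy\\n'."""
    if (len(banner) != 12 or banner[:4] != b"RFB " or banner[7:8] != b"."
            or banner[11:] != b"\n"
            or not (banner[4:7].isdigit() and banner[8:11].isdigit())):
        return None
    return int(banner[4:7]), int(banner[8:11])

def parse_security_types(payload: bytes):
    """RFB 3.7+: one count byte, then that many one-byte security types."""
    if not payload:
        raise ValueError("empty security-types message")
    count = payload[0]
    types = payload[1:1 + count]
    if len(types) != count:
        raise ValueError("truncated security-types list")
    return list(types)  # empty list means the server refused the connection

def assess(banner: bytes, sec_payload: bytes = b""):
    """Return findings for one captured handshake."""
    version = parse_rfb_version(banner)
    if version is None:
        return ["port open but not speaking RFB"]
    findings = ["RFB %d.%d server reachable" % version]
    if version >= (3, 7) and sec_payload:
        for t in parse_security_types(sec_payload):
            name = SECURITY_NAMES.get(t, "vendor/unknown type %d" % t)
            findings.append("offers security type: " + name)
            if t == 1:
                findings.append("HIGH: no authentication required")
    return findings

def probe(host: str, port: int = 5900, timeout: float = 3.0):
    """Handshake with a host you administer and assess it (no login attempt)."""
    with socket.create_connection((host, port), timeout=timeout) as s, \
            s.makefile("rb") as f:
        banner = f.read(12)
        version = parse_rfb_version(banner)
        if version is None or version < (3, 7):
            return assess(banner)
        # Answer with the highest version this script understands.
        s.sendall(b"RFB 003.008\n" if version >= (3, 8) else banner)
        head = f.read(1)
        return assess(banner, head + f.read(head[0]) if head else b"")

if __name__ == "__main__":
    # Constructed sample: RFB 3.8 server offering only VNC Authentication.
    print(assess(b"RFB 003.008\n", b"\x01\x02"))
```

Run `probe()` from both inside and outside the firewall against systems in your own inventory: a host that answers from outside is one where port 5900 has been opened or forwarded.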
First, thanks for taking your time to answer my questions. I tried to get some of these answers from a live person at Intel, & they informed me that I have to ask on this site. Please try to bear with me, I am writing a report on vPro, how it works & what can it do, my company is interested in it.
I just want to state the obvious to ensure I understand your answers, please feel free to correct me.
- Screen sharing is called "KVM" & to look at the client's computer screen I would need to view it in a VNC viewer
- KVM requires AMT 6.0 or higher, which AMT 6.0 is based on hardware, so that is the reason why upgrading AMT is a bit limited (due to hardware constraints)
- All three parts (NIC, Chipset, & Processor) of vPro have to be functioning in order for it to work
- There is no software agent that is being run in order for vPro to work, just turn on the features in AMT
I do have some comments/questions:
- When I talk about images, let's say I am using a WDS server, I have a Windows 7 .wim file, is there a way I can deploy it to my vPro computers, right out of the box?
- When I asked about the Public network from what I can tell vPro allows you to make a laptop obsolete if they are stolen, how will my company use this & other features, if you are saying it "gets complicated"?
- Is it safe to say that AMT in relation to vPro is the same as BIOS is to a PC?
- As far as my AMT 3.0 computers, you are telling me that I can do more if I download one of the management consoles you provided?
I want to thank you again in advance for taking your time to help me to understand vPro better. I know I will have more questions; if I do, should I just continue here?
For the first 4 items, you're right on! The only clarifications I can add are on # 3: For KVM you also need Intel Graphics. All other AMT features will work with or without Intel Graphics. Also, AMT supports WiFi on Laptops if you have an Intel WiFi card.
For the next set:
1 - Installing OSs can be enhanced with vPro. The main thing to note is that before AMT can be used, it must be turned on (aka Provisioned or Setup and Configured). To do this either requires interacting with BIOS or setting up a remote Setup & Config Server. I mostly bring this up because you mention "right out of the box". To use AMT, you'd take the system out of the box, then turn on AMT, then trigger the OS deployment. It's similar to unboxing, pressing F12 for network boot, and then letting PXE/WDS take over.
The other challenge here is that most OS Deployment tools are built for local install or PXE. To use AMT you'll need to do a little engineering work to bridge the gap. It's not hard, but it does need to be done. That's why we're here, to answer Qs as you figure it out. If you have AMT 3 systems, you could try it. Most likely you would use IDEr in place of PXE. BTW - vPro still supports PXE (w/o the need to turn on AMT) so if you currently use that and are satisfied, it may be easiest just to keep using it.
2 - Sorry, I misunderstood your Q. You're asking about "Anti-Theft". Essentially you sign up with an Anti-theft service. This will include a software agent. Then, your vPro system will check in periodically. If the system cannot check in after a grace period it will lock down. Also, if you see the system has been stolen, you can flag it and when it checks in, it will lock down. By locked down, I mean that the system will not boot...it basically stops at BIOS. Now, if you recover the laptop or it was locked down accidentally, you can use a recovery password to get in. This link describes Anti-Theft better: http://communities.intel.com/docs/DOC-2384#comment-6355. I'm not an expert on it, so let me know if you have more Qs and I'll find someone smarter than me in this area ;-)
3 - Interesting question. vPro is really just a brand name, like Core i5. AMT is a feature that all vPro systems have, just like L2 Cache is a feature all Core i5's have. A better relation to BIOS is the Manageability Engine's (ME's) firmware. This firmware is the heart of AMT and Anti-Theft. And, it can be flashed, just like a BIOS. When you talk about AMT 18.104.22.1689 (for example), that's really the version # of the ME firmware. BTW - ME actually runs on its own CPU, which is why it can run when the system is off.
4 - Yes. If you have an AMT 3 system, give this a try: http://communities.intel.com/docs/DOC-4785. It'll step you through using SOL/IDEr as a help desk tool. If you have an AMT 6, this will step you through trying KVM: http://communities.intel.com/docs/DOC-4795. This page has more step-by-step examples: http://communities.intel.com/docs/DOC-4080, and we're adding more all the time.
Please, let me know if you have more Qs.
Since you are writing up a report on vPro, you may want to check out a new website that we launched: http://www.intel.com/go/vpro101. If you click "What are the advantages to using Intel vPro Technology," it will display information about the different ways you can use vPro - including animations. These can be helpful when trying to explain the benefits of vPro to management.
Welcome to the community!
Thanks for answering my questions.
So for my first set of questions, when you say KVM also needs Intel Graphics, this is integrated Intel video, it will not work with let's say NVIDIA integrated video?
Second set of questions,
- When I get any new computers with vPro, all I have to do is turn on the Provisioning & just deploy my image? Would you guys happen to have a PDF on this or video?
- So to do Anti-Theft my company needs to sign up with another company that provides this service? Or sign up with Intel? If so do you guys have a list of companies that provide this service?
- So AMT is a feature of vPro, got it.
- Thanks for the link since I installed the Manageability Developer Toolkit, I can do a bit more with my AMT 3.0 computers like get into the BIOS, Thanks for that. I haven't tried the KVM link because I do not have AMT 6.0 computers just yet, but will try the link once I have a computer with AMT 6.0.
I can't think of any more questions at the moment, but I know my boss will have some, when he gives me his questions I will be sure to post again. So for now I think most of my questions are answered. Thanks again Jake, you seem to be the only one who doesn't mind answering questions as opposed to just giving someone a link.
1st set: yes, it has to be Intel graphics. NVidia, Ati, etc. won't work with KVM.
# 1: Sorry, I didn't mean to oversimplify it. vPro/AMT provides a set of building blocks which one *could* use to make a solution like that. It sorta depends on your needs and how much you want to develop vs using an off-the-shelf tool. Of course, OS deployment is a complex topic, even without vPro. Rather than go on and on about what you might be able to do, here's a couple links to get you thinking. Let me know if you have any more Qs on this.
Video showing using MS Config Manager and vPro to deploy OSs: http://communities.intel.com/docs/DOC-3232
A step-by-step guide for using MS Config Manager + vPro to migrate XP -> Win7 over night: http://communities.intel.com/docs/DOC-4079
# 2: It looks like Absolute's Computrace series and Winmagic's Secure Doc are the two options out there today. More info here: http://antitheft.intel.com/get-service.aspx
# 3 & 4: :-)
Glad I can help. I like answering Qs.
I have a few more questions.
My company is now using the SCCM server, & we can see there are a few more vPro computers than we thought. I used the "Manageability Commander Tool" to discover vPro computers in my company. However that tool did not find all of the vPro computers.
1.) So my question is why, could the tool be buggy or am I doing something wrong? (I put in the IP address range & it found about 5 computers but not all of them, my computer is on the same network as far as IPs go)
2.) I do understand that the ME allows me to adjust/enable the AMT features of my vPro computers, question is how come the ME version is different from the actual AMT version (I know because my ME version is 3.1, but my AMT version is 3.0.9)
Please let me know what you think or if you need more information, I thank you in advance.
In commander, you have to set both a CD and floppy. Check the screen shot...circle on top is where to set them. Bottom circle is the current setting at a glance. Once you set those, then you can set Redirect Active. Note: most user oriented apps will hide much of this from you. Commander is for developers so they can get a sense of what each API call does. The good part about using it is you get to see everything. The challenging part is, it's not always user friendly.
On WIM files, Commander only understands .iso (CD) and .img (floppy). .Wim images are really neither CD nor Floppy. They are more like .zip files...a compressed archive made with imagex. With that said, I'm not sure what your .wim files are, but, SCCM (and WinPE) uses .wim files to create a bootable environment for OS deployment. If that's what you're trying to use, just export the boot file as a .iso. By doing this, it'll work with commander. Also by doing this you can burn the .iso to a CD and boot a system locally. That is generally the rule...if you can boot the system locally, you can also boot it over IDEr. BTW - if you open such a .iso, you'll find the .wim file in the sources directory. When the CD is booted, MS's boot loader will extract the .wim into a RAM disk, and then boot to it from there.
On discovery, I'm not exactly sure why commander doesn't discover everything, but my experience matches yours. My guess is that, since AMT is not provisioned, it has timed out and basically gone to sleep. But, I'm honestly not sure. The best way I know of to discover all your AMT systems (besides walking around and looking at them) is to push out something like AMTScan (/docs/DOC-2060). It runs in the system's OS. It will check PCI IDs, WMI, drivers, etc., and then send the info back to a database. Unfortunately I am not that familiar with AMTScan so I won't be able to help if you do decide to try it. I do know folks have much success with it.
On ME vs AMT version, think of ME as the OS and AMT as an application that runs on ME. So, they each have their own version. While this holds true, it's confusing so I believe that on newer systems the version numbers became synchronized. I deal with it by ignoring the ME version. AMT version is most important in almost every case.
Thanks again for the answers.
- With regards to IDE redirect I am able to get my client computer to start to boot off of the CD ("Press any key to boot off of CD", & then "setup is inspecting your computer"; at this point I am assuming the CD is taking over), however after that the screen remains black (bytes being sent & received are not moving). Is there something I am doing incorrectly?
- Just want to make sure because everything I am looking at indicates that a lot of features have to go through a third-party provider or software (I am talking about the "Virus Protection" you did state that for Anti-Theft I have to go through a service provider) is this true?
Sorry for taking so long to answer, I thought I had responded already.
1 - sounds like you're doing everything correctly. My guess is the CD is hanging when loading some driver. You may try a different CD. My favorite for a quick test is Memtest++ http://www.memtest.org/#downiso. Use the prebuilt ISO.
2 - Anti-theft does need a 3rd party provider. Other features can also use a 3rd party, or you can make your own solution, or a combination. vPro has many great features, but just like any technology, you need some kind of software and/or scripts to take advantage of them.
Thanks again for getting back to me. Not an issue with the late response. I will play around with trying to redirect, & image our computers, just don't think I will pursue it all that much, being that I have a WDS server, but thanks anyway. Also just so you know, my report went very well thanks to you, we now have a SCCM server & we have been playing around with that, & will use that to manage all of our vPro computers. It seems to me that the "Manageability Commander Tool" is good for workgroups & the SCCM server is a better fit for computers on a Domain.
Anyway, I wanted to end this discussion/post. You have answered all of my questions about vPro & how it works, so not real sure how to give you 5 stars but I want everyone to know that you are the man to talk to about vPro questions, it seems like everyone else agrees as I see more & more views to our discussion, thanks. Please give Jake his credit because without his input I would not know as much as I do now about vPro, great technology.
Once again thanks for all the answers you have supplied, I finally feel like I am getting somewhere with this vPro.
Anyway, so I have the "Manageability Commander Tool" installed on a "Helpdesk" computer. I am trying to see how the "Disk Redirect" works. I notice/know that you select the "Redirect Active" option first in order to turn on the "Disk Redirect" option. However when I do, I get an error message (posted below) telling me to ensure that "both image files need to be enabled". I can see that I somehow have the CDROM pointed to the "D" drive (which I assume is my "D" drive), but not the "Floppy". I see all of this in the "Manageability Terminal Tool" window.
Question is, how do I "enable" the "Redirect/Floppy" option? (I am just trying to see how I can get the computer to "redirect")
Also notice that the type of files are .img & .iso, so if I have .wim files these are not valid, or do I need to setup a Config Server? (just so you know, I am trying to see what can be done to vPro computers by themselves & when I get a Config server)