1. [Screenshot: Power Control dialog]

   HOW TO WAKE UP ON ADVERTISEMENT

   Wake on Advertisement use cases can only be performed on PCs with Intel vPro technology with an SMS Advanced Client agent installed and active. PCs with Intel vPro technology should belong to a local SMS site.

   1. From the System Management Server console, create a Package using SMS instructions. Create a Program that will execute the package. Create an Advertisement to launch the program. Select the Advertisement Properties. A new window, Advertisement Properties, should appear. Fill the Advertisement start time fields and create a Mandatory Advertisement by pressing the icon on the right. Press OK.

   [Screenshot: SMS console, Advertisements node, with the Advertisement Properties dialog]
2. INTEL CLIENT MANAGEABILITY ADD-ON FOR MICROSOFT SMS 2003 USE CASE GUIDE

   HP EDS TECHNICAL DOCUMENT

   Table of Contents

   Introduction
   Common Uses Covered in This Guide
   Setup and Assumptions
   Asset Inventory Use Case
   Imaging and Re-imaging Use Case
   Power Saving Use Case
   Remote Diagnostic and Repair Use Case
   Security: Timely isolation off the network
   Security: Patch Management isolation off the network

   Introduction

   Common Uses Covered in This Guide

   Intel vPro technology, in conjunction with the Intel Client Manageability Add-on for Microsoft SMS 2003, improves system management capabilities of Microsoft Systems Management Server 2003 and enables endpoint management even in power-off states. It also allows better power saving, security, support and diagnostics. This document presents the following use cases, which demonstrate these enhancements, and is inte
3. [Screenshot: Power Control dialog]

   2. In the Power Control dialog box, select the Power Up or Power Down radio button. Press Send Command.

   [Screenshot: SMS console, All AMT Systems collection, with the Power Control Operations dialog]
4. [Screenshot: SMS console, Advertisements node, with the Intel AMT Settings for Advertisement dialog: Use Default Settings, Override default settings, Wake up systems, BIOS Password Bypass]

   Remote Diagnostic and Repair Use Case

   ACTORS

   1. Support Staff: responsible for customer call resolution, often located in a central location.
   2. End User: uses the PC for day-to-day activities within the enterprise.

   SCENARIO

   Most end user data resides on server resources or server-based applications via network file shares or hosted applications. During an end user PC failure, a call is pl
5. [Screenshot: Add-on Settings dialog]

   3. Select the System Defense tab and click Add. Navigate to the system defense policies directory (c:\systemdefense) and select the policy file Sdp_usecase1.sdp. Click Apply.

   [Screenshot: Add-on Settings dialog, System Defense tab, with SDP_UseCase1 listed]

   4. In the SMS Administrator Console, navigate to the specific machine under test: Site Database vPro Intel Corp > Collections > All AMT Systems > Dell755 03 > All Tasks > Intel AMT Tasks > System Defense Operations.

   5. In the dialog box, click Set in the System Defense Policy section and select the policy SDP_UseCase1, which was loaded into SMS on the previous step.

   [Screenshot: System Defense Operations dialog for host DELL755 03]
6. [Screenshot: Redirection Operations dialog]

   Security: Timely isolation off the network

   ACTORS

   1. Workplace Administration and Operation Teams are responsible for applying configuration updates to workplace endpoints.
   2. Network Security Administration and Operation Teams are responsible for defining policies which should be implemented by the Workplace Administration Team.
   3. Endpoint Threat Management team is responsible for diagnostics and remediation of the endpoints exhibiting suspicious worm-like behavior.

   SCENARIO

   In certain situations a user's PC should be isolated from a corporate network in a timely manner. It may be a situation with a terminated employee, or with a temporarily unattended PC which is creating undesirable traffic on the network. Assuming control of and isolating these PCs in a timely manner via the corporate network may be a challenge.

   SOLUTION

   System Defense provides a solution for isolating an endpoint from a corporate network by controlling it out of band (OOB), as long as this endpoint is powered on and connected to the network. Network Security or Workplace Administration and Operation teams should be able to identify a targeted PC on the ne
7. Vista Intel Manageability DTK

   Policy design

   In Notepad or another text editor, prepare a policy file SDP_UseCase1.sdp:

      Version 3.0
      Manually Isolate a PC of enterprise network
      Policy_Start
      Policy_Type SDP
      Policy_Name SDP_UseCase1
      AntiSpoofing TRUE
      Allow ARP Protocol
      permit Ethernet 2054
      Allow access to SMS Management Point, SMS Server and Domain Controller
      permit IP 192.168.0.20
      permit IP 192.168.0.10
      Deny access to/from the rest of the systems
      DefaultRxFilter Deny_all
      DefaultTxFilter Deny_all
      Policy_end

   Policy Installation

   1. Place the policy file in any directory on the server with the Intel Client Manageability Add-on for Microsoft SMS (it will be c:\systemdefense in this example).

   2. Start the SMS Administrator Console and navigate to System Management Server > Site Database vPro Intel Corp > Collections > All Tasks > Intel AMT Tasks > Add-on Settings. The following dialog box will appear.

   [Screenshot: Add-on Settings dialog, About tab. Product version 3.0.15.24, Service version 3.0.15.24]
8. after that the green progress bar in the Intel Traffic Tool on the receiving PC will start moving, because the network isolation of the sender was removed when the policy was cleared.

   Security: Patch Management isolation off the network

   ACTORS

   1. Workplace Administration and Operation Teams are responsible for applying configuration updates to workplace endpoints.
   2. Network Security Administration and Operation Teams are responsible for defining policies which should be implemented by the Workplace Administration Team.
   3. Endpoint Threat Management team is responsible for diagnostics and remediation of the endpoints exhibiting suspicious worm-like behavior.

   SCENARIO

   When a serious vulnerability is disclosed and a corporation is working to obtain and apply a critical security patch, Workplace Administration along with Endpoint Threat Management teams may need to decide how to minimize the risk until the patch is actually applied. Because of the nature of SMS and SCCM infrastructure, the time interval between a critical patch package advertisement and its actual installation may be significant. Some limited network isolation may be a compromise for this situation, but it should address the vulnerability as precisely as possible, and should apply to each individual machine only until the critical patch is installed. Any network restriction applied to a machine should be lifted as soon as it is
9. for the Use Case 1. Once the advertised package is installed, repeat steps 1-2. The result should duplicate the results of step 3 for the Use Case 1.
10. this company is simple: leave all of the workplace systems perpetually powered on.

   The Facilities Management Team needs to ensure that corporate objectives for energy conservation and savings are met. In order to do this, the team has instituted policies to turn off unused lighting, heating, ventilation and air conditioning systems where not being used. In order to achieve its next milestone, the Facilities Management Team has recommended that all workplace personal computers be turned off when the user is not in the office.

   These two groups' mandates are diametrically opposed. The Workplace Team cannot patch workplace systems during off hours, because the machines must be powered on. Patching during working hours results in productivity losses due to workplace system reboots. Working-hour patches also allow users to delay the patching sequence, causing lower patch compliance percentages. The facilities team's desire to not run the systems at off hours is purely an economic decision, and their monetary savings requirement is fundamental to corporate strategy.

   SOLUTION

   In order to meet both sets of requirements, Intel vPro technologies and associated workplace software technologies can be used to power on or off workplace machines at designated times to meet a company's energy savings requirements. Furthermore, Intel vPro technology can be employed to power on workplace platforms allo
11. [Screenshot: schedule settings, Maximum custom MIF file size (KB): 250]

   3. From the MIF Collection tab, for Legacy and Advanced clients, specify whether to collect IDMIF or NOIDMIF files from clients. Click OK.

   [Screenshot: SMS console, Site Settings, with the Hardware Inventory Client Agent Properties dialog]

   Imaging and Re-imaging Use Case

   ACTORS

   1. Field Service Support: person(s) responsible for putting the PC on the end user's desk, connecting power and network, and installing the Operating System (O/S) and any additional application.
   2. Service desk: personnel responsible for Management Software administration for the environment.

   SCENARIO

   With companies today having employees located all over the globe and the need to support this global wor
12. GNOSIS SOL

   1. Select the PC with Intel vPro technology that requires a diagnosis operation. Right-click on the selected system in the right pane and select All Tasks > Intel AMT Tasks > Redirection Operations. The Redirection Operations window pops up.

   [Screenshot: SMS console, All AMT Systems collection, with the Redirection Operations dialog for host DELL755 03 showing the current power state and the SOL and IDER boot options]
13. [Screenshot: SMS console, Advertisements node, with the System Defense on Advertisement dialog showing policy SDP_UseCase1]

   2. Press OK and the policy is applied to the advertisement. It will appear in the Advertisement Policy field of the System Defense Operations window for the collection it was applied to, which is All AMT Systems.

   [Screenshot: System Defense Operations dialog for collection All AMT Systems, with Advertisement Policy SDP_UseCase1]

   Test

   Please see Test steps 1-2
14. [Screenshot: Redirection Operations dialog]

   2. Check the Boot from image location at box. Press the button Set IDER Image and select the ISO image file to use as an IDE-R source. Press OK and return to the Redirection Options window.

   [Screenshot: SMS console with the Select IDER Source dialog]
15. 4. Modify or view the BIOS configuration as needed. When completed, Save/Ignore changes as needed. The system then reboots into normal operation.

   [Screenshot: Telnet 127.0.0.1 session, Dell System 755]

   HOW TO REMOTE BOOT IDE-R

   1. In the SMS Console, select the PC with Intel vPro technology that requires a diagnosis operation. Right-click on the selected system in the right pane and select All Tasks > Intel AMT Tasks > Redirection Operations. The Redirection Operations window pops up.

   [Screenshot: SMS console, All AMT Systems collection, with the Redirection Operations dialog for host DELL755 03]
16. aced to the Support staff for resolution. In most cases the initial support staff personnel are not local to the end user's PC, which presents challenges to problem resolution, resulting in either shipping the PC back to second-level support or dispatch of a regional service technician. This situation can significantly impact an end user's productivity level and drive support costs up, as every physical touch to an end user PC can increase support costs.

   SOLUTION

   Increase end user productivity and reduce physical touch via Intel vPro technologies. By using IDE-R, or IDE Redirection, the end user PC can now boot to remotely stored files, providing both remote diagnostic/repair and alternate user desktop capabilities. In the remote diagnostic/repair scenario, the support staff would now have the ability to boot the troubled PC into a special diagnostic OS, allowing the remote technician to perform detailed troubleshooting or OS repair activities during the initial support call. Additionally, if a hardware problem with the PC's physical hard drive is determined to be the culprit, Support staff now have the option to boot the troubled PC into a temporary environment with basic end user services, such as Terminal Server Client, Citrix Client and web browser support, while hardware is being dispatched.

   Average desk-side visits for software fix
   Average desk-side visits for hardware fix

   HOW TO REMOTE DIA
17. allation Services (RIS) or Windows Deployment Services (WDS) should be installed and running on a supporting infrastructure server.

   1. Select the system with Intel vPro technology that requires a diagnosis operation. Right-click and select All Tasks > Intel AMT Tasks > Power Control. From Command, select Reset or Power Cycle. From the Boot Options, select Force PXE Boot. Click the Send Command button.

   [Screenshot: SMS console with the Power Control dialog, Boot Options set to Force PXE Boot]
18. 3. Press the button Redirection Boot. The AMT device starts booting from the selected image. To verify the status, press the Current Sessions button. The IDE-R session can be stopped by pressing the Stop Session and Close buttons.

   [Screenshot: SMS console with the Current Sessions dialog for host DELL755 03: IDER session is running, SOL session is not running]
19. 2. The managed PC should start booting by executing the Pre-Boot Execution Environment. Its black screen should display a text similar to one on the right. On the screen there should be progress

   [Screenshot: PXE boot screen: Initializing Intel Boot Agent GE v1.2.50, PXE 2.1 Build 086 (WfM 2.0); CLIENT MAC ADDR, GUID, CLIENT IP, TFTP]

   Power Saving Use Case

   ACTORS

   1. Workplace Administration Team is responsible for workplace patch testing, consolidation, distribution and reporting.
   2. Facilities Management Team is responsible for energy conservation programs and has budgetary responsibility for paying energy bills.

   SCENARIO

   Each month the Workplace Administration Team downloads and tests the patch set from the operating systems vendor. They also consolidate the resulting tested patch set into a bundle for distribution via the centralized workplace management system. Upon release of the patch bundle onto the workplace systems, the Workplace Administration Team collects and reports compliance metrics to management. This team also responds to emergency patch releases from the operating systems vendors. In this instance the team completes the same planning, testing, distribution and reporting cycle, only using a much shorter completion timeline. In order to ensure patches are distributed to as many workplace personal computers as possible, the power policy for
20. [Screenshot: System Defense Operations dialog with the Select Policy list showing SDP_UseCase1]

   6. After OK, the policy will be installed on the managed AMT device. It should essentially isolate this device from the network, leaving just access to/from the SMS server.

   Test

   1. On the PC with Intel vPro technology (source), start the Intel Network Traffic Tool and set the Operation Target to the address of another client on the same test network. Click Start. A green progress bar (Operation Status) should display.

   2. Start the same tool on the other machine (target), but do not press the Start button. Neither progress bar should be displayed, because currently the outgoing traffic from the source AMT machine is blocked by the applied policy (see Policy Design).

   [Screenshot: Intel Network Traffic Tool]

   3. Open System Defense Operations by navigating within the SMS Administration Console as described above. Click Clear in the System Defense Policy section and then click OK. Shortly
21. fication of specific hardware configurations, such as what slot contains a stick of memory and what type it contains, requires an accurate and current inventory based on the above criteria, or a desk-side visit.

   SOLUTION

   PCs with Intel vPro technology can be utilized to collect hardware inventories, verify service tags or serial numbers, and check hardware configurations without interrupting the end user or visiting desk-side.

   1. From the System Management Server Administrative Console, navigate to Systems Management Server > Site Database > Site Hierarchy > <site code> <site name> > Site Settings > Client Agents. In the right pane, right-click Hardware Inventory Client Agent and select Properties.

   [Screenshot: SMS console, Site Settings > Client Agents]
22. [Screenshot: Redirection Operations dialog]

   2. In the Redirection Operations window, check the SOL and Enter BIOS Setup boxes and uncheck all others. Press the button Redirection Boot. A Telnet session starts and the Serial Connection Text menu will pop up on the screen of

   [Screenshot: Telnet 127.0.0.1 session, Dell System 755, BIOS text setup menu]

   3. Using buttons as instructed on the previous Telnet screen menu, navigate to the item of interest.

   [Screenshot: Telnet 127.0.0.1 session, Dell System 755, System Info page]
23. kforce with a few strategic locations of Field Service Support staff, the need to be able to perform imaging time- and cost-effectively is paramount. The Field Service Support resource brings the new PC with Intel vPro technology to the end user's office, takes it out of the box, places it on the desk, and connects the power and network cables to the device. Then the Field Service Support resource spends 1 to 4 hours per device installing and configuring the operating system and any additional applications from a CD or DVD.

   SOLUTION

   This process will enable the Field Support staff to deliver the device to the end user's desk and connect it to the company network and power. Once powered on, the device will automatically configure the vPro capabilities by registering the device with the Management Software. Using the capabilities of Intel vPro technology and the Management Software, the Service Desk resource will initiate the device to PXE boot, starting the automated deployment of the base operating system image and additional applications. This frees up the Field Support and Service Desk resources to address a higher number of service requests.

   In addition to a single machine being imaged, this process can support reimaging to a group of devices. An example is reimaging a bank of training room systems after each class to ensure students receive a clean build.

   PREREQUISITES

   Remote Inst
24. nded for those who will be implementing Intel vPro technologies in a Microsoft SMS management infrastructure.

   - Asset Inventory
   - Imaging and Re-imaging
   - Power saving
   - Remote diagnostic and repair
   - Enforced administrative isolation off the network
   - Automatic isolation off the network
   - Patch Management isolation off the network

   Setup and Assumptions

   Software
   Management server and console: Microsoft Windows 2003 Server R2 SP2, Microsoft SMS 2003 v3 6 Intel Client Manageability Add-on for Microsoft SMS 2003
   Managed: Intel vPro enabled client with Microsoft Vista SP1

   Hardware
   PC with Intel vPro technology (Firmware version 3.2.1) under test is DELL 755 Optiplex, although the same results should be observed with machines from other OEMs.

   Basic assumptions
   Intel Client Manageability Add-on for Microsoft SMS 2003 and vPro enabled endpoint are operating in Microsoft infrastructure with Domain Controller and Active Directory. Intel SCS has been installed and configured according to the Intel SCS Installation and User Manual. Intel vPro enabled client machines were provisioned before the use cases described below have been tested.

   (i) Intel Active Management Technology requires the computer system to have an Intel(R) AMT-enabled chipset, network hardware and software, as well as connection with a power source and a corporate network connection. Setup requires configuration by the purchaser and may require scri
25. [Screenshot: SMS console, Advertisements node, with the Advertisement Properties dialog, Schedule tab, showing a mandatory assignment schedule]

   3. From the selected Advertisement, right-click and select All Tasks > Intel AMT Tasks > Wake Up Option. The Intel AMT Settings for Advertisement box pops up. Make selections as shown and press OK.

   [Screenshot: SMS console]
26. pting with the management console or further integration into existing security frameworks to enable certain functionality. It may also require modifications of implementation of new business processes. With regard to notebooks, Intel AMT may not be available or certain capabilities may be limited over a host OS-based VPN or when connecting wirelessly, on battery power, sleeping, hibernating or powered off. For more information, see www.intel.com/technology/platform-technology/intel-amt

Other names and brands may be claimed as the property of others.

Asset Inventory Use Case

ACTORS
1. Asset Inventory Team is responsible for tracking assets.
2. Field Service Team is responsible for repairing, maintaining and upgrading systems.

SCENARIO
Asset inventories are conducted using software tools that sweep an enterprise network. The success of this has traditionally been dependent on multiple factors:
1. Installed operating system
2. Installed management tool agent
3. System is powered on

Failures to meet any of the above criteria lead to inaccuracies in asset reporting and require substantial effort to remedy. Examples are:
• Systems that tend to be powered off for extended periods of time, such as those located in remote or infrequently occupied locations, can end up in a lost status by dropping off the inventories because they are not available during the automatic inventory sweeps.
• Veri
27. remedied. Intel vPro System Defense for Advertisement, which works out of band, may help.

SOLUTION
System Defense Policy (SDP) can be developed to partially isolate the machines waiting for a critical patch. System Defense for Advertisement integrates System Defense with System Management Advertisement. It applies the developed SDP to the machines which are receiving advertisements for security patch installation. So the SDP isolates the systems according to the filters included in the SDP until the patches are delivered, downloaded and installed.

HOW TO IMPLEMENT SYSTEM DEFENSE ON ADVERTISEMENT
Network Lab Layout: Same as Use Case 1
Prerequisites: Same as Use Case 1
Policy design: Same as Use Case 1

Policy Installation
1. In the Advertisement windows of SMS Administrator Console, select the advertisement and navigate to All Tasks > Intel AMT Tasks > System Defense Operations. In the dialog box (see below), press the Set button and select the policy SD_UseCase1, which was loaded into SMS at the beginning of the Use Case 1.

[Screenshot: SMS Administrator console, Advertisements list]
28. [Screenshot: SMS Administrator console tree]

2. From the Hardware Inventory Client Agent Properties dialog box, General tab, enable and schedule hardware inventory. Configure the Maximum custom MIF file size (KB) that will be processed by the site as needed. Click the MIF Collection tab.

[Screenshot: SMS Administrator console, Site Settings > Client Agents, Hardware Inventory Client Agent Properties dialog, General tab, with "Enable hardware inventory on clients" checked and a simple inventory schedule.]
29. twork either by the machine name or by the source of malicious traffic. The Workplace Administration and Operation should be able to find that PC on the management console GUI and apply to it a System Defense policy which would deny at least any outbound network traffic. The isolation policy for this type of situations may be prepared and tested in advance. If the situation was related to a suspicious/malicious behavior of that individual endpoint, that endpoint can be physically attended by the Endpoint Threat Management team for further investigation.

HOW TO IMPLEMENT SYSTEM DEFENSE POLICY

Network Lab Layout
[Figure: vPro System Defense Testing Lab network diagram]

Prerequisites and the corresponding Network Lab Layout:
• Prerequisite: Infrastructure and SMS with AMT add-on servers.
  Lab layout: Microsoft Vista VM with following virtual machines: Infrastructure with DC, AD, DHCP, DNS; SMS with SMS server with the Intel Client Manageability Add-on, Microsoft SQL Server.
• Prerequisite: Managed vPro machine configured and managed within current infrastructure with Intel Client Manageability Add-on for Microsoft SMS.
  Lab layout: Microsoft Vista, Intel Manageability Developer's Toolkit (DTK).
• Prerequisite: Test supporting client machine.
  Lab layout: Microsoft
30. [Screenshot: SMS Administrator console, Advertisement Properties dialog, Schedule tab, showing the Advertisement start time and Mandatory Assignments fields.]

2. Setting controls in a new Assignment Schedule dialog box, as presented on the picture, will appear. Select the Assignment option or click Schedule, and then click OK.

[Screenshot: SMS Administrator console, Collections tree]
31. wing patching at any time the Workplace Management Team chooses, and will shut the workplace platform down upon patch completion.

HOW TO POWER ON/OFF
1. From the System Management Server console, navigate to System Management Server > Site Database <site name> > Collections > <collection name>. Select one or more AMT systems on the right pane. Right-click and navigate to All Tasks > Intel AMT Tasks > Power Control Operations.

[Screenshot: SMS Administrator console and the Power Control Operations dialog, with columns Host Name, IP address, Resource ID and Current Power State, and the commands Power Up, Reset, Power Cycle and Power Down.]