Intel,Altiris Group

Combining In Band and Out of Band Management 

Dec 04, 2008 11:14 AM

This article provides three examples of how Intel® AMT capable and configured systems help to extend the reach of your existing Altiris Client Management Suite environment. If you are not already familiar with the basics of Intel® AMT, such as how to configure and deploy it, a variety of resources are available online, with a collection of data points at http://communities.intel.com/docs/DOC-2032.

I am always interested to hear from others about how they are using the Intel® Active Management Technology (AMT). Intel® AMT was first introduced in the Intel® vPro™ business line of desktops and laptops. In recent months, computers supporting Intel Standard Manageability have been introduced - these are systems which are Intel® AMT capable and are more common in mainstream systems not requiring the advanced performance or security within a complete Intel® vPro™ technology system.

All of the examples shown below are targeted at Intel® AMT capable computers. In addition, I have attached the source video files from the training event and the PDF documents for the hands-on labs, along with updated videos used at ManageFusion 2009 for further reference.

Power-on and Deliver Software

If you deploy software to a collection of clients, you may have faced one of the common challenges: the target systems are not powered on, the Wake-on-LAN (WoL) capabilities of your environment either do not exist or are unreliable, or you simply hope that users adhere to your request to leave systems powered on during maintenance and software delivery windows. In dealing with these challenges, your patch saturation may be in the range of 80% successful within 2-3 business days.

With Intel® AMT capable systems in your environment, a direct TCP/IP connection can be made to the management firmware to direct a power-on sequence before the software delivery. The example shown in the video below uses Altiris TaskServer to combine the Intel® AMT power-on with software delivery, followed by a graceful shutdown of the system.

Isolate and Patch

This lab demonstration was shown at ManageFusion Orlando 2008. The core idea builds upon the Power-on and Deliver Software scenario shown above, with a small twist: this scenario uses the network filtering option with a custom-defined, publicly available filter configuration that allows software delivery via the TaskServer agent.

A potential use of this approach is migration from one security solution to another. During the migration, the client may be temporarily exposed to attacks. According to the following news article, even 5 minutes in the open could be sufficient to compromise a client computer (see http://www.oregonlive.com/business/oregonian/index.ssf?/base/business/1224564910237820.xml&coll=7).

Network filters utilize the System Defense capability of Intel® AMT, which was originally called "Circuit Breaker". Network filters change the allowed in-bound and out-bound communications on the physical network interface card. Since this occurs below the operating system, rebooting the unit, reinstalling the operating system, or performing related actions will not change the network filter setting. However, defined traffic is still allowed, as will be shown in the following video:

System Boot Override

IDE-Redirection overrides the local boot order, presenting the defined boot device to the local BIOS. This lab demonstration provides one example of how IDE-Redirection can be used to remotely remediate a corrupted Microsoft Windows XP boot situation. The redirection capabilities of Intel® AMT provide a number of interesting and exciting options, which were only summarized in a previous article.

The general idea to keep in mind: if you have a bootable utility disk today, convert it to a bootable ISO and use it remotely with IDE-Redirection. Some have used IDE-Redirection to initiate a Ghost Imaging session, converting their existing Ghost boot disk to a bootable ISO or IMG file used by IDE-Redirection. Since you or your technicians can use boot disks or boot utilities remotely in this way, you may need to include some form of remote desktop, such as PC Anywhere, in the boot image. This is primarily for graphic interfaces, which are not supported by the current Serial-over-LAN console redirection in the Intel® AMT firmware.

Some have asked about support for defining a particular partition on a client drive. Although this is not supported within IDE-Redirection, some have chosen to build a bootable ISO with the GRand Universal Bootloader (GRUB - http://www.gnu.org/software/grub/), thus defining a custom service or recovery boot partition option. The GRUB interface is ANSI/VT100 compliant and will work with the Serial-over-LAN option supported by Intel® AMT redirection.

To provide you with just a sample of what is possible with IDE-Redirection, take a look at the following video:

Concluding Thoughts

The real value of Intel® AMT is combining the out-of-band management with existing in-band management capabilities. Altiris Client Management Suite provides the combination of these capabilities, extending your reach and enhancing your options to effectively manage client computers in an environment. The three lab demonstrations shown were selected to target some of the most common ideas and requests on how to combine in-band and out-of-band management. As indicated earlier, I am always interested to hear the "from the trenches" experiences out there in how Intel® AMT with Altiris has dramatically helped you. Post a comment, send me a private message via the community... even if you have a question, a request or new idea, etc.

Lastly - for those unable to view the embedded videos or those wanting an offline copy of the videos - see the attached files.

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries.

Attachment(s) (1 version each, uploaded Feb 25, 2020)
6473.jpg (2 KB)
Altiris Scenario Demos Lab manuals.zip (3.88 MB)
Altiris7demopost.zip (17.33 MB)
Altirisv6demo.zip (12.35 MB)
boot override.zip (13.12 MB)
isolated patch.zip (14.85 MB)
Power on and patch.zip (11.70 MB)

Comments

Apr 16, 2009 02:15 PM

I've added zipped MOV files used at ManageFusion 2009 - these include the CMS6 and CMS7 demonstrations

In addition - the PDF documents for the 3 hands-on demonstrations shown are included
