1

Stefan Richards

Intel Corporation

Business Client Platform Division

stefan.n.richards@intel.com

Lenovo ThinkCentre M90z withIntel® vPro™ Technology

2

Legal Information1. INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL® PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY

INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL’S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL® PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. INTEL PRODUCTS ARE NOT INTENDED FOR USE IN MEDICAL, LIFE SAVING, OR LIFE SUSTAINING APPLICATIONS.

2. Intel may make changes to specifications and product descriptions at any time, without notice.

3. All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

4. Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

5. Intel® Active Management Technology requires the platform to have an Intel® AMT-enabled chipset, network hardware and software, as well as connection with a power source and a corporate network connection. With regard to notebooks, Intel AMT may not be available or certain capabilities may be limited over a host OS-based VPN or when connecting wirelessly, on battery power, sleeping, hibernating or powered off. For more information, see http://www.intel.com/technology/manage/iamt.

6. No computer system can provide absolute security under all conditions. Intel® Anti-Theft Technology (Intel® AT) requires the computer system to have an Intel® AT-enabled chipset, BIOS, firmware release, software and an Intel AT-capable Service Provider/ISV application and service subscription. The detection (triggers), response (actions), and recovery mechanisms only work after the Intel® AT functionality has been activated and configured. Certain functionality may not be offered by some ISVs or service providers and may not be available in all countries. Intel assumes no liability for lost or stolen data and/or systems or any other damages resulting thereof.

7. Intel processor numbers are not a measure of performance. Processor numbers differentiate features within each processor family, not across different processor families. See www.intel.com/products/processor_number for details.

8. Enabling Execute Disable Bit functionality requires a PC with a processor with Execute Disable Bit capability and a supporting operating system. Check with your PC manufacturer on whether your system delivers Execute Disable Bit functionality.

9. Intel® Virtualization Technology requires a computer system with an enabled Intel® processor, BIOS, virtual machine monitor (VMM), and for some uses, certain platform software enabled for it. Functionality, performance, or other benefits will vary depending on hardware and software configurations and may require a BIOS update. Software applications may not be compatible with all operating systems. Please check with your application vendor.

10.No computer system can provide absolute security under all conditions. Intel® Trusted Execution Technology (Intel® TXT) requires a computer system with Intel® Virtualization Technology, an Intel TXT-enabled processor, chipset, BIOS, Authenticated Code Modules and an Intel TXT-compatible measured launched environment (MLE). The MLE could consist of a virtual machine monitor, an OS or an application. In addition, Intel TXT requires the system to contain a TPM v1.2, as defined by the Trusted Computing Group and specific software for some uses. For more information, see http://www.intel.com/technology/security

11.ENERGY STAR denotes a system level energy specification, defined by the US Environmental Protection Agency, that relies upon all of the system's components, including processor, chipset, power supply, HDD, graphics controller and memory to meet the specification. For more information, see http://www.energystar.gov/index.cfm?fuseaction=find_a_product.showProductGroup&pgw_code=CO

12.Intel® vPro™ processor technology (2007) DASH implementation is based on the draft DASH 1.0 specification13.Copyright © 2010 Intel Corporation. All rights reserved. Intel, the Intel logo, Intel. Leap ahead., the Intel. Leap ahead. logo, Intel vPro, the Intel vPro logo, Centrino, the

Centrino logo, Intel Core, Core Inside, Intel SpeedStep, Pentium, Pentium Inside and Celeron are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

14.* Other names and brands may be claimed as the property of their respective owners.

3

Agenda

What is Intel® vPro™ technology?Remote Repair & Diagnostics

KVM Remote Control

Fast Call for Help

4

Processor Chipset Network

Intel® Core™ i5 & i7Processors

Intel® Express

Chipset

Intel® Gigabit Network

Intel® vPro™ TechnologySecurity & Manageability on the Chip

Intel® Anti-Theft

Technology

Intel® Active Management Technology

Intel® Virtualization Technology

Intel® Trusted Execution

Technology

Intel® Core™ vPro™ ProcessorsPlatform is more than the sum of its parts

5

4th Generation Business Platform

AMT 3.0, VT-x, VT-d, TXTRemote configEnhanced system defenseCisco SDN

AMT 2.0Remote diagnosticsRemote repairRemote HW/SW invSystem defense

AMT 2.6, VT-xRemote Config.Cisco SDNWireless support

AMT 4.0, VT-d, TXTMSFT NAPFast Call for HelpRemote Schedule Maint.

2006 2007 2008

Desktop

Mobile

AMT 5.0MSFT NAPFast Call for HelpRemote Schedule MaintenanceRemote PC Assist Technology

2010KVM Remote Control

Intel® Anti-Theft Technology

PC Alarm Clock

Remote Encryption Management

AES-NI

Enterprise

Remote Management

Security,

Virtualization,Wireless

Extend beyond firewall,Remote management

Services

KVM Remote Control,

Data & asset security,

Client convergence

Sustained innovation focused on management and security

6

Intel® vPro™ Technology Client Architecture

Intel® Core™ processor

Intel® TXTIntel® VTAES-NI

Intel® Series 5 Chipset w/ Intel® ME Firmware

Intel® AMTIntel® AT

Intel® GigabitNetwork

Flash

Descriptor BIOSLAN infoME FirmwareME Protected Storage

3rd Party Data Storage

Hardware

SoftwareBIOS

MEBx

Local Setup & Config

HECI Driver

Software APIs to ME

IMSS

Manageability & Security Status Application

Local Mgmt Service

Service for ME to talk to SW

OSV/ISV Software

3rd party software that uses features

7

Intel® Active Management TechnologyHigh-level Capabilities

Setup & Configuration

Remote Diagnosis & Repair (Serial over LAN & IDE redirect)

Remote Power Management

Unattended remote updates

KVM Remote Control

Client-initiated Remote Access (Fast Call for Help, Remote Scheduled Maintenance)

Asset Management - SW/HW inventory

Client Isolation & Recovery

End-point Access Control

Remote Encryption Management

IT Audit

8

• Requirements– Software vendor supporting Intel® Active Management

Technology

– Client based on Intel® vPro™ technology with SOL/IDE-R enabled in BIOS

– Client connected to a power supply and active network

connection, text-based image/diagnostics tool.

• Problem– Platform boot failures can trigger costly, reactive

management processes. Downtime is exacerbated by time-consuming technician visits to diagnose the issue, impacting user productivity and pulling IT resources off of other tasks.

Remote Diagnostics and Repair

ManagementConsole

ServerHelpDeskHelpDesk

Info

DDR2

DDR2

FLASH

NVM

BIOS

Operating System

SW Agents

Intel® Core™ processor

Intel® 5 seriesChipset

= “Out-of-band”

Intel®

Management EngineIntel®

PRO/1000 LAN

Info

• Solution– Step 1: Help desk notified of system problem via

automated alert or phone call

– Step 2a: Help desk uses software diagnostic tools to remotely redirect the system’s boot process (IDE-R)

– Step 2b: Simultaneously commands the systemto redirect text and keyboard information (SOL)

– Step 3a: Software issues resolved remotely

Advanced issues require desk-side visit or KVM remote control (if supported)

9 9

*Requires CPU with Intel® Integrated Graphics capabilities† Steps 1, 3 & 4 constitute user consent which is optional, configurable at provisioning

2

Network

User sees error and calls IT help desk†

1

IT Management Console

Admin initiates remote KVM session(authenticates, encryption setup if desired)

Access code displayed on client PCUser reads code from screen to Admin†

3

4

5Admin controls KVM to fix error

Admin enters code to gain access†

Remotely control client PCs to diagnose & fix issuesFull remote control of client PCs through embedded Keyboard, Video, and Mouse (KVM) redirection provided by Intel® vPro™ technology*

• Skip the desk-side visit, make a “virtual” desk-side visit with KVM

• Fully control & interact with client PC as if physically there, through all OS and power states

10

KVM Screen Flow – User Consent

User’s AMT Machine Management Console

User Consent

Code via Phone

Connected

Synchronized

User Consent

Connection Icon in Corner + 1px red border around screen During Session

11

KVM Remote Control Architecture

Keyboard/Mouse

Video Stream

Video FB

RFB Viewer

LAN

USBrvKeyboard

vMouse

Keyboard

Mouse

ME

LAN

Tile

Compare

Engine

OS

Client System Remote Console

12

Fast Call for Help Outside the Firewall

Internet

Intel® vPro™ Technology

Enabled Gateway

Service Provider Console at

Remote Location or Enterprise IT

Console

Gateway Sends connection events to

Management Console

Firewall

Console runs diagnostic & repair action on the client system

Gateway proxies connection6

User boots PC to BIOS, Enters "heal initiation" screen in BIOS

or presses Help hot-key combination

1

5

Management Console routes SOAP &

Redirection commands to Gateway

Management Console list pre registered in Gateway

3

4

Firewall

2 BIOS/MEBx sends command to Intel®

AMT FW to trigger remote access connection

Quickly Request and Receive Help

DMZ

13

Summary

Intel® vPro™ technology available on select Lenovo ThinkCentre M90z models

Wide set of manageability & security capabilities built right in to the hardware

Great for businesses of all sizes

For more info, please check out these great resources:

Product whitepapers, animations, case studies, etc:

http://www.intel.com/itcenter/products/core/core_vpro/index.htm

Expert community with blogs, expert articles, etc:

http://communities.intel.com/community/openportit/vproexpert

14

Stefan Richards

Intel Corporation

stefan.n.richards@intel.com

Thank you! Questions?