1. Windows Deployment Integration
Windows Deployment Services (WDS) is the successor to Microsoft Remote Installation Services (RIS). It was delivered in the Windows Automated Installation Kit (WAIK) as an update for Windows Server 2003, is included in Windows Server 2003 SP2, and ships with Windows Server 2008. Like RIS, WDS deploys Windows operating systems to client PCs without an administrator at the keyboard. WDS works alongside DHCP to answer PXE boot requests, serves the boot files over the Trivial File Transfer Protocol (TFTP), boots the client into WinPE, and applies an image to it. Because PXE and TFTP carry no authentication, any machine on a subnet that can reach the WDS server can request the boot image, so restrict which clients WDS answers and keep deployment subnets separate from untrusted ones.
Windows Deployment Services provides the following benefits:
Reduces the complexity and cost of deployments; WDS is included in the Windows Server license.
Lets users reimage their own PCs.
Allows network-based installation of Windows operating systems.
Supports the New PC scenario.
Supports mixed environments that include Windows XP/Vista and Microsoft Windows Server 2003/2008.
Provides an end-to-end solution for the deployment of Windows operating systems to client computers and servers.
Builds on standard Windows Server 2008 setup technologies, including WinPE, WIM files, and image-based setup.
When ConfigMgr 2007 shipped, it could not support the New PC scenario without an IT administrator touching the ConfigMgr Administrator console for every PC to be imaged. The problem was that ConfigMgr would not image a PC it did not already know about, so a new PC, whether straight from the OEM or simply one that had never had the ConfigMgr client installed, could not be imaged until an administrator opened the console and created a computer association for it. ConfigMgr 2007 Release 2 (R2) resolved this issue.
PXE booting a PC straight to WDS works as expected, but another issue arises once ConfigMgr enters the picture: if the computer is unknown to the local ConfigMgr site, ConfigMgr does not respond to the PXE request at all. MDT offers a PXE filter that hooks into both WDS and ConfigMgr and adds the PC to the ConfigMgr database before ConfigMgr sees the request.
Several other integration points exist between WDS/MDT and ConfigMgr. You can customize WinPE builds in the MDT Deployment Workbench and then use them in ConfigMgr. You can also use task sequences from the Workbench in ConfigMgr, but not without modification: the environment MDT sets up for its own deployments does not exist in ConfigMgr, and a ConfigMgr client knows nothing about the MDT environment.
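The PXE decision described above (a known computer is answered, an unknown one is ignored by ConfigMgr 2007 RTM, imported first by the MDT PXE filter, or answered by R2's unknown-computer support) is easier to reason about when you can see what the PXE service point actually has to go on. The following is an added example, not code from the book, WDS, MDT or ConfigMgr: it parses the DHCPDISCOVER a PXE client sends, pulls out the two identifiers ConfigMgr matches on (SMBIOS GUID in DHCP option 97 and the MAC address), looks the client up in a stand-in site database, and applies each of the three behaviours. The DHCP layout and option codes are the real ones from RFC 2132 and RFC 4578; the `SiteDatabase` class, the `mode` names and the `PXE-` naming rule are this example's own assumptions.

```python
import struct
import uuid

# DHCP option codes a PXE server cares about (RFC 2132, RFC 4578).
OPT_MSG_TYPE, OPT_VENDOR_CLASS, OPT_CLIENT_ARCH, OPT_CLIENT_UUID, OPT_END = 53, 60, 93, 97, 255
DHCPDISCOVER = 1
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_dhcp(packet):
    """Extract what a PXE service point needs from a DHCP message: the client
    MAC (chaddr), message type, vendor class (option 60), client architecture
    (option 93) and SMBIOS GUID (option 97)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    hlen = packet[2]
    fields = {"mac": ":".join("%02x" % b for b in packet[28:28 + hlen])}
    i = 240
    while i + 1 < len(packet) and packet[i] != OPT_END:
        code = packet[i]
        if code == 0:                       # pad option has no length byte
            i += 1
            continue
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        i += 2 + length
        if code == OPT_MSG_TYPE:
            fields["msg_type"] = value[0]
        elif code == OPT_VENDOR_CLASS:
            fields["vendor_class"] = value.decode("ascii", "replace")
        elif code == OPT_CLIENT_ARCH:
            fields["arch"] = struct.unpack("!H", value[:2])[0]
        elif code == OPT_CLIENT_UUID and len(value) == 17 and value[0] == 0:
            # type byte 0 = UUID; the SMBIOS UUID stores its first three
            # fields little-endian, hence bytes_le (assumption for this example)
            fields["smbios_guid"] = str(uuid.UUID(bytes_le=value[1:]))
    return fields


def build_pxe_discover(mac, smbios_guid, arch=0):
    """Build a minimal PXE DHCPDISCOVER (constructed sample input, not a capture)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = (bytes([1, 1, 6, 0])        # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
              + b"\x00" * 4              # xid
              + b"\x00" * 4              # secs, flags
              + b"\x00" * 16             # ciaddr, yiaddr, siaddr, giaddr
              + chaddr                   # client hardware address (16 bytes)
              + b"\x00" * 192)           # sname (64) + file (128)
    options = (bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
               + bytes([OPT_VENDOR_CLASS, 9]) + b"PXEClient"
               + bytes([OPT_CLIENT_ARCH, 2]) + struct.pack("!H", arch)
               + bytes([OPT_CLIENT_UUID, 17, 0]) + uuid.UUID(smbios_guid).bytes_le
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


class SiteDatabase:
    """Stand-in for the computer records in the ConfigMgr site database
    (constructed); a PXE client is matched on SMBIOS GUID or MAC address."""

    def __init__(self):
        self.records = {}

    def import_computer(self, name, mac, smbios_guid=None):
        self.records[mac.lower()] = name
        if smbios_guid:
            self.records[smbios_guid.lower()] = name

    def find(self, fields):
        guid = fields.get("smbios_guid", "").lower()
        return self.records.get(guid) or self.records.get(fields["mac"].lower())


def handle_pxe_request(packet, db, mode="rtm"):
    """Decide how the PXE service point answers. mode models the three
    behaviours described in the text: 'rtm' (ConfigMgr 2007 RTM: unknown PCs
    get no reply), 'pxefilter' (the MDT PXE filter imports the PC, then the
    request is answered) and 'r2' (ConfigMgr 2007 R2 answers unknown PCs)."""
    f = parse_dhcp(packet)
    if f.get("msg_type") != DHCPDISCOVER or not f.get("vendor_class", "").startswith("PXEClient"):
        return {"action": "not-pxe"}
    name = db.find(f)
    if name:
        return {"action": "boot", "computer": name}
    if mode == "rtm":
        return {"action": "ignore"}
    if mode == "pxefilter":
        name = "PXE-" + f["mac"].replace(":", "")[-6:].upper()   # hypothetical naming rule
        db.import_computer(name, f["mac"], f.get("smbios_guid"))
        return {"action": "boot", "computer": name}
    return {"action": "boot-unknown"}
```

Run `handle_pxe_request(build_pxe_discover("00:1c:c4:aa:bb:cc", "12345678-1234-5678-1234-567812345678"), SiteDatabase(), "rtm")` to see the RTM behaviour, then repeat with `"pxefilter"` and note that a second `"rtm"` call for the same packet now boots, because the filter created the record ConfigMgr was waiting for.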
2. AMT and vPro
Intel Corporation, the world's largest semiconductor company and the maker of most of the processors in today's PCs, has created a technology known as vPro. vPro is a set of features and logic built into the PC motherboard, much as the MMX instruction set was built into Intel's processors. Intel vPro combines processor technologies, hardware enhancements, management features, and security technologies that allow remote access to the PC for monitoring, maintenance, and management, all independent of the state of the operating system or the power state of the PC. Intel intends vPro to give businesses maintenance and servicing advantages, improved security, and reduced costs.
Intel systems that support vPro technology were originally branded with the logo depicted in Figure 1. Since the initial vPro release, Intel has updated its processors and motherboards (also known as system boards) to include vPro technologies; the Core 2 Duo and Core 2 Quad processors are the most recognizable of these. With these newer technologies Intel also released a new vPro logo in 2008, illustrated in Figure 2.
Intel has also created Active Management Technology, known as AMT. Intel AMT is a hardware-based technology for remotely managing and securing PCs "out of band," that is, over a channel that does not depend on the operating system. Currently, Intel AMT is available in PCs built with Intel vPro technology. ConfigMgr 2007 with Service Pack 1 supports AMT vPro clients, leveraging the integration between the Intel OOB Management console and the ConfigMgr console. Intel's AMT and vPro technology make it possible for ConfigMgr to provision vPro clients that have no OS deployed, or whose client is down or hard drive is corrupt, even while the PC is powered off.
Intel AMT is part of the Intel Management Engine, which is built into PCs with Intel vPro technology and runs on a secondary processor located on the motherboard. AMT is not intended for use by itself; it is meant to be driven by management software such as ConfigMgr. AMT performs hardware-based management over TCP/IP and, unlike ConfigMgr's software-based (agent) management, has no dependency on the operating system. Other examples of management functions that work below the OS in this way are DHCP (Dynamic Host Configuration Protocol), BOOTP (Bootstrap Protocol), and Wake On LAN (WOL).
Intel AMT includes hardware-based remote-management, security, power-management, and remote-configuration features. These let an IT technician reach an AMT PC when traditional techniques such as Remote Desktop or WOL are unavailable. AMT operates over an independent, hardware-based OOB communication channel that works regardless of whether the OS is running, functional, or even powered on. The hardware-based AMT features in laptop and desktop PCs include the following:
Encrypted, remote communication channel between the IT console and Intel AMT.
Ability for a wired PC outside the company's firewall, on an open local area network (LAN), to establish a secure communication tunnel (via AMT) back to the IT console. Examples of an open LAN include a wired laptop at home or at a small/medium business (SMB) site without a proxy server.
Remote power up/power down/power cycle through encrypted WOL.
Remote boot via integrated device electronics redirect (IDE-R).
Console redirection, via serial over LAN (SOL).
Hardware-based filters that inspect the packet headers of inbound and outbound network traffic for known threats, plus time-based heuristics that flag known or unknown threats. Laptops have packet-header filters; desktop PCs have both packet-header and time-based filters.
Isolation circuitry to port-block, rate-limit, or fully isolate a PC that might be compromised or infected.
Agent presence checking, via hardware-based, policy-based programmable timers. A "miss" (an agent that fails to check in before its timer expires) generates an event, and you can specify that the event generate an alert.
OOB alerting.
Persistent event log, stored in protected AMT memory for software tools such as ConfigMgr to access while the OS is down.
Access (preboot) to the PC's Universally Unique Identifier (UUID).
Access (preboot) to hardware asset information, such as a component's manufacturer and model; this is refreshed every time the system goes through Power-On Self-Test (POST).
Access (preboot) to a third-party data store (TPDS), a protected memory area that software vendors can use for version information, .DAT files, and other data.
Remote configuration options, including certificate-based zero-touch remote configuration, USB key configuration (light-touch), and manual configuration.
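The agent-presence and isolation items in the list above describe a small piece of policy logic living in firmware: a programmable timer that the in-OS agent must keep resetting, a miss event written to the persistent log, and a System Defense action (rate-limit or isolate) once the policy threshold is crossed. The following added example, which is not Intel, ConfigMgr or book code, models that logic so the timing rules and the one subtle point (containment must not be lifted just because the agent comes back) are explicit. The class and field names, the default threshold of two misses and the `rate-limit`/`isolate` action names are this example's own assumptions; the real AMT interfaces are driven through WS-MAN from the management console.

```python
class AmtEventLog:
    """Stand-in for AMT's persistent event log, which the console reads out of
    band even when the OS is down (constructed for this example)."""

    def __init__(self):
        self.entries = []

    def record(self, when, source, severity, message):
        entry = {"time": when, "source": source, "severity": severity, "message": message}
        self.entries.append(entry)
        return entry

    def since(self, when):
        return [e for e in self.entries if e["time"] >= when]


class AgentPresenceWatchdog:
    """Models one AMT agent-presence timer. A local agent (for example a
    host-intrusion-prevention service) must call heartbeat() before `timeout`
    seconds elapse; otherwise check() records a miss. After `miss_threshold`
    consecutive misses the policy action is applied and an OOB alert is raised.
    Names, defaults and action labels are this example's assumptions."""

    ACTIONS = ("rate-limit", "isolate")

    def __init__(self, agent, timeout, log, miss_threshold=2, action="isolate"):
        if action not in self.ACTIONS:
            raise ValueError("unknown policy action %r" % action)
        self.agent, self.timeout, self.log = agent, timeout, log
        self.miss_threshold, self.action = miss_threshold, action
        self.last_heartbeat = None
        self.misses = 0
        self.network_state = "open"     # current System Defense state of the NIC
        self.alerts = []                # OOB alerts sent to the console

    def start(self, now):
        """Arm the timer (the console does this when it provisions the policy)."""
        self.last_heartbeat, self.misses = now, 0
        self.log.record(now, self.agent, "info", "agent presence timer armed")

    def heartbeat(self, now):
        """Called by the in-OS agent: restarts the timer and clears the miss count."""
        if self.misses:
            self.log.record(now, self.agent, "info", "agent heartbeat resumed")
        self.last_heartbeat, self.misses = now, 0

    def check(self, now):
        """Firmware timer tick. Returns the NIC state after applying policy.
        An isolated or rate-limited NIC stays that way until release(): a
        returning heartbeat alone must not undo a containment decision."""
        if self.last_heartbeat is not None and now - self.last_heartbeat > self.timeout:
            self.misses += 1
            self.last_heartbeat = now   # the timer restarts after a miss
            self.log.record(now, self.agent, "warning",
                            "agent presence miss %d of %d" % (self.misses, self.miss_threshold))
            if self.misses >= self.miss_threshold and self.network_state == "open":
                self.network_state = self.action
                self.log.record(now, self.agent, "critical", "policy applied: %s" % self.action)
                self.alerts.append({"time": now, "agent": self.agent, "action": self.action})
        return self.network_state

    def release(self, now):
        """The console lifts the System Defense action after investigation."""
        self.log.record(now, self.agent, "info", "network state restored to open")
        self.network_state = "open"
        self.last_heartbeat, self.misses = now, 0
        return self.network_state
```

Walk it with a 30-second timeout: arm at t=0, heartbeat at t=20, ticks at t=40, 60 and 100. The tick at 60 records the first miss, the tick at 100 the second, which isolates the NIC and raises one alert; a heartbeat at 110 clears the miss counter and logs the agent's return, but the NIC stays isolated until `release()` is called.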
Additional AMT features in laptop PCs include the following:
Intel vPro platform features include the following:
Support for IEEE 802.1x, Cisco Self Defending Network (SDN), and Microsoft Network Access Protection (NAP)
Gigabit network connection or network wireless connection (on laptops)
Intel Trusted Execution Technology (Intel TXT) and an industry-standard Trusted Platform Module (TPM), version 1.2
Intel Virtualization Technology (Intel VT)
64-bit processors optimized for multitasking and multithreading
64-bit integrated graphics with enough performance that the PC does not need a discrete (separate) graphics card, even for graphics-intensive operating systems such as Microsoft Windows Vista
Industry standards, such as ASF, XML, SOAP, TLS, HTTP authentication, Kerberos (Microsoft Active Directory), DASH (based on draft 1.0 specifications), and WS-MAN
Quiet System Technology (QST), formerly called advanced fan speed control (AFSC)
Architecture, package design, and technologies for power coordination and better thermals, in order to operate at very low voltages, use power more efficiently, and help meet Energy Star requirements
Because Intel AMT allows access to the PC below the OS level, securing the AMT features is a key concern. Security for communications between Intel AMT and the provisioning service and/or management console can be established in different ways, depending on the network environment: certificates and keys (TLS with a public key infrastructure, TLS-PKI), pre-shared keys (TLS-PSK), or an administrator password alone (HTTP digest authentication). The password-only mode authenticates the console but does not encrypt the management channel, so wherever that traffic crosses a network you do not fully trust, use one of the TLS modes. The technologies that protect access to the AMT features are built into the hardware and firmware and, like the other hardware-based AMT features, remain active even if the PC is powered off, the OS has crashed, software agents are missing, or hardware (such as a hard drive or memory) has failed.