Intel vPro:

Introduction:


"Experience the new age in PC Management" says Altris.

Intel vPro is the next generation of remote PC management, distinguished by its much higher level of hardware integration. Previous PC management depended heavily on software agents resident within the operating system, requiring both the software agent and the operating system to be powered and functional for effective management. Intel, HP, and Altris refer to this as "in-band" management.

Intel vPro adds a hardware layer to this, capable of responding to management commands even when the PC is locked up or powered off, and to control a PC's network access. Intel, HP, and Altris refer to this communication ability contained solely within the hardware as "out of band" management, provided by Intel Active Management Technology (AMT).

The key change is the addition of a hardware layer: a motherboard with AMT support including onboard flash memory, an Intel processor with VT (Virtualization Technology) support, networking capabilities to work with vPro's secure communication, and the appropriate BIOS hooks for management software from an ISV (Independent Software Vendor) such as Altris to access. As a result, vPro has some important hardware considerations to take full advantage of it. The existing base of installed PCs is not vPro compatible, so initial benefits from vPro will be more limited. The backers of vPro claim that this should not stop anyone from rolling out vPro now, as the existing software management tools can still be deployed and will work alongside vPro enabled machines.

The ultimate benefit pushed by vPro backers is the reduction in maintenance costs. Even in a mixed environment of vPro and non-vPro capable machines, the improved ability to remotely manage machines, particularly vPro ones, will reduce the number of service calls and deskside visits required. Numbers quoted included an EDS survey that vPro would result in a 90% manual inventory reduction, an Atos survey that saw a 55% reduction in deskside visits, a Gander study that showed 10% out of band machines were 55% of the budget, and that 10-20% of systems that are out of band make up 90% of IT problems. Heavily emphasized was that a key benefit of vPro enabled hardware was to help reduce the 10% of out of band systems that cannot be managed under current remote management solutions.

Finally, this demonstration of vPro was only for the remote management aspect. According to Intel, the virtual machine part of vPro will not be ready until Q3 2007.

The demonstration setup:

Intel headquarters in Santa Clara is RBN, the Robert B. Noyce building, which contains the executive conference center and the Intel museum, in addition to the offices, plus a fab onsite at the same location. I head inside, check in, and enter the separate lobby and series of conference rooms that make up the executive conference center. In the common area there are three PCs set up with vPro; two HP SFF systems running Windows XP as clients: one with the Altris software agent also loaded and one without the Altris software agent. An HP minitower is running the Altris console management software, and a 42" LCD is also mirroring the console screen.


It's a very simple setup that is too small to show many of the real benefits of vPro in a large-scale corporate environment, but by bringing us here to Intel, Intel/HP/Altris hopes to give us a much more complete demonstration of vPro than we would get otherwise.


L to R: Kevin Unbedacht from Altris, Kurt from HP, Ketan Sampat from Intel, Jeremy Nicholes from Intel.

Present were Kevin Unbedacht (Senior Platform Strategist-Intel) from Altris, Ketan Sampat (Director, Client Platform Innovation), Scott E. Smith, and Jeremy Nicholes from Intel, Tiffany Smith (PR Manager) and Kevin from HP.

Existing remote PC management:

Existing remote PC management solutions are traditionally software-based agents that exist on the installed OS. With WMI (Windows Management Instrumentation), even without a third-party agent installed, limited real-time, secure remote management is possible. Hardware-based remote management has been traditionally limited to power-cycling via WOL (Wake-On-LAN), which lacks even reasonable security features and does not span across subnets, or ASF (Alert Standard Format), which is limited in scope and security.
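To make the WOL security limitation concrete, here is an added example (not from the original article or from any vendor) that builds and recognises a WOL "magic packet". It assumes the standard payload layout of six 0xFF bytes, the target MAC repeated sixteen times, and an optional 4- or 6-byte password; the function names and the MAC address are constructed for illustration.

```python
import re

SYNC = b"\xff" * 6  # synchronisation stream that opens every magic packet


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Build a WOL payload: 6 x 0xFF, the target MAC 16 times, optional password."""
    hexmac = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexmac) != 12:
        raise ValueError("MAC address must be 6 bytes")
    if len(password) not in (0, 4, 6):
        raise ValueError("optional password is 0, 4 or 6 bytes")
    return SYNC + bytes.fromhex(hexmac) * 16 + password


def find_magic_packet(payload: bytes):
    """Return details of the first magic packet inside payload, else None.

    A NIC scans the whole frame for the pattern, so the search is not
    anchored to offset 0.
    """
    start = payload.find(SYNC)
    while start != -1:
        body = payload[start + 6:start + 102]
        mac = body[:6]
        if len(body) == 96 and body == mac * 16:
            trailer = payload[start + 102:]
            return {
                "target_mac": ":".join(f"{b:02x}" for b in mac),
                "offset": start,
                # The only secret the format allows follows the MAC block
                # and is sent in cleartext.
                "cleartext_password": trailer.hex() if len(trailer) in (4, 6) else None,
            }
        start = payload.find(SYNC, start + 1)
    return None


if __name__ == "__main__":
    # Constructed sample: a made-up MAC address and password.
    sample = build_magic_packet("00:11:22:33:44:55", b"\x01\x02\x03\x04\x05\x06")
    print(find_magic_packet(sample))
```

The payload names only the machine to wake: it has no field for sender identity, a nonce or a signature, so the receiver cannot tell who sent it.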

When the software agent is removed or disabled, existing remote management loses much of its functionality, particularly in its ability to enforce patches and security policy. When the operating system is disabled or crashed completely, remote management capabilities are reduced to a very primitive state. Power-cycling via WOL or ASF is very limited in deployment due to their practical limitations, and the lack of remote access into the system makes troubleshooting extremely difficult.

vPro demonstrations:

There were six demos shown to demonstrate the capabilities of vPro. One vPro client system had the Altris management agent installed, one did not.

Exercise 1: Discover an Intel vPro technology based System/Client

First, they powered off one of the vPro client systems. Then, using the Altris Console, they did a scan of systems on the network. Both systems were found by the console, the powered-off system still reporting in complete with some motherboard and component information that was stored in flash memory while the system was previously powered on. The powered-on system reported much more extensive information, including some software configuration, despite having no management agent installed.


This was perhaps the most striking feature of vPro: the ability to probe for systems, even those in powered-off states. The basic utility there is limited; the utility that such a capability allows is vast.

Exercise 2: Hardware Inventory and more

This was the least impressive of the capabilities demonstrated: using the management console to remotely log in to each system one at a time to gather system configuration information. The vPro system without the management agent installed was still accessible via WMI, and on both systems, hardware-level data was accessible via AMT. The management console stored the data gathered, which is useful for future analysis. Compared to a system without vPro, the presence of vPro's on-board flash memory to store system configuration data meant significantly more data could be gathered from a system, particularly when in a power-off state.

The biggest expansion for hardware management was shown in the next exercise, where remote power-on and power-off was demonstrated, allowing much more comprehensive inventorying.

Exercise 3: Power Control using Out of Band Management Solution

Secure remote power control of vPro equipped systems was demonstrated, including the scheduling of tasks to run on power-up or power-off, and the scheduling of times for events to control power. The management console reported task status as the systems rebooted.


Power control ties together most of the remote capabilities demonstrated; scheduling a remote power on of powered-off systems at unobtrusive times to do inventory is potentially very useful, as is being able to power them off again to minimize power consumption and user impact.

Exercise 4: Remote Diagnosis and Repair

To demonstrate the expanded capability that vPro's hardware-based "out of band" capability gives, one of the vPro client systems was deliberately loaded with a corrupted DLL file that caused Windows to hang upon reboot.

Using the management console with IDE-Redirection (IDE-R) to boot the system to a non-native OS in the management console, the system was remote booted to a CD image defined by the management console to recover it. Using Serial Over LAN (SOL), which provides a text-based connection to view the terminal window, the CD image containing the repair for the corrupted DLL was run remotely. The system was then rebooted and worked normally; it was very impressive to see a task that normally requires a deskside visit done completely remotely.

Altris was the only ISV present at this demo, so no comparison of other remote management tools was done. They specifically emphasized their remote boot abilities and the ability to boot off of ISO images stored on the console including images such as:

Exercise 5: Remote BIOS Access

This was similar to the previous exercise, only demonstrating BIOS access and remote boot capabilities. As an expansion on the previous capabilities, it makes vPro feel much more complete in its abilities as an out-of-band management solution, although by itself it does not seem to be a capability that would be used that often aside from BIOS updates and the occasional system failure where BIOS access is needed.

Exercise 6: Network Filtering (System Defense)

In slightly more words, this is the ability to isolate a vPro system from the network via the hardware control provided by vPro. Using the management console, network filtering can be applied to a vPro client. Filtering, at least in the current release of the Altris management console, is fully configurable via an XML file, or through a handful of preselected options.

The emphasis from Altris and HP was that the ability to enable network filtering through their management console made it a very simple, easy-to-execute task that a lower-level technician could handle, rather than having to shut down the affected system's network access at the switch.

They also emphasized the improved security this could offer, with Zero Day virus protection and reduced network exposure from compromised systems. The ability to quickly isolate a system infected by a virus or hijacked by a trojan seemed particularly valuable in providing additional protection against Zero Day exploits.

Capabilities, in a nutshell:

vPro offers two major benefits compared to current remote management systems: the ability to securely access and control a system, even in a powered-off state (what vPro refers to as "Out of Band"), and the ability to easily isolate systems from the network (Intel calls this "Network filtering", while Altris calls this "System Defense").

The ability to manage any system plugged into the wall and plugged in to the network, regardless of its power state, is a significant improvement in the reach of remote management. Pushing out updates can be done to systems that are powered off thanks to remote power control, and they can be scheduled at unobtrusive times, which means reaching much closer to 100% of affected systems can be done now that power-states are no longer a decisive obstacle. Remote boot with the ability to boot off of other devices (IDE-R) and the ability to see terminal windows such as BIOS via SOL are not as groundbreaking in importance, but they are very useful additions to remote management.

Network filtering being enabled at a very simple, lower level has the potential to significantly reduce vulnerability to viruses, security exploits, and the like, and is likely to be extremely useful in reducing the cost associated with such outbreaks, both in money and in labor.

What do we think?

vPro workstations on HP uSFF DC7700 series

For medium and large organizations, or any organization spread over multiple discrete locations, vPro is a significant improvement over traditional in-band management tools that depend on software agents and their host OS to be functioning properly.

The costs of vPro are potentially offset by improved remote management, reducing deskside visits. In the current specification of vPro, a vPro capable PC will cost approximately US$20 more in hardware according to HP, plus setup and configuration of the access keys for security, which the end-user can load themselves, or the system OEM can load for you. HP claims to be one of the only vendors offering this service as of press time. Altris charges US$18 per seat for their agent software. Core 2 Duo E4xxx-series owners, you're out of luck, as only the E6xxx and higher are VT enabled, and hence capable of earning the vPro label. As a consequence, the "cost" they would like you to see is only US$38, while in reality it may be much more expensive if it forces organizations to buy higher-end systems.

For any organization that has several years to see significant migration to vPro capable systems, vPro is still worth seriously considering, as existing remote management systems do co-exist with vPro, and in many ways in-band software agents are complementary to vPro's out of band capabilities.

For smaller organizations, particularly those with just single sites, vPro's value is not nearly as intriguing, because the advantages it offers are offset by the additional hardware cost. At current pricing, US$50 more for an E6300 over an E4300 for a desktop box that does not need the extra speed of the E6300 means vPro's premium becomes US$88 rather than US$38 that vPro proponents claim.

A significant letdown was the lack of Lightweight Virtual Machine support in the current rollout of vPro. While virtualization is not yet a mainstream feature, having to pay extra for an E6300 or faster CPU to support virtualization, then not having the feature available for use with vPro, was disappointing.
