Intel® Small Business Advantage

Implementation Guide for OEMs

Version 1.0
Document Release Date: January 23, 2012

Intel® SBA, Implementation Guide for OEMs i

 Legal Notices and Disclaimers
INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE,
EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS
GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR
SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR
IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR
WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR
INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.

UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR
INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A
SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR.

Intel may make changes to specifications and product descriptions at any time, without notice. Designers
must not rely on the absence or characteristics of any features or instructions marked “reserved” or
“undefined”. Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts
or incompatibilities arising from future changes to them. The information here is subject to change without
notice. Do not finalize a design with this information.

The products described in this document may contain design defects or errors known as errata which may
cause the product to deviate from published specifications. Current characterized errata are available on
request.

Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing
your product order.

Copies of documents which have an order number and are referenced in this document, or other Intel
literature, may be obtained by calling 1-800-548-4725, or go to: http://www.intel.com/design/literature.htm

Any software source code reprinted in this document is furnished under a software license and may only be
used or copied in accordance with the terms of that license.

Intel, Intel vPro, and the Intel logo are trademarks of Intel Corporation in the U.S. and other countries.

Microsoft, Windows, and the Windows logo are trademarks, or registered trademarks of Microsoft
Corporation in the U.S. and/or other countries.

*Other names and brands may be claimed as the property of others.

Copyright © 2012 Intel Corporation. All rights reserved.

Intel® SBA, Implementation Guide for OEMs ii

Table of Contents
1 Introduction ...................................................................................................................................... 1

1.1 Overview of Intel SBA ...................................................................................................... 1

1.2 Firmware Functionality ..................................................................................................... 2

1.2.1 Power Settings in the Firmware ....................................................................................... 2

1.2.2 How the Intel ME is Configured ....................................................................................... 3

1.2.3 Intel vPro Systems and Intel SBA .................................................................................... 4

1.3 Intel SBA Software ........................................................................................................... 4

1.3.1 Software Monitor .............................................................................................................. 5

1.3.2 PC Health Center ............................................................................................................. 6

1.3.3 USB Blocker..................................................................................................................... 6

1.3.4 Data Backup and Restore ................................................................................................ 7

1.3.5 Energy Saver ................................................................................................................... 7

1.3.6 Intel Wireless Display ...................................................................................................... 7

2 Prerequisites.................................................................................................................................... 8

2.1 Platform Requirements .................................................................................................... 8

2.2 Supported Operating Systems......................................................................................... 8

2.3 Required User Permissions ............................................................................................. 8

2.4 Windows Update Settings ................................................................................................ 9

2.5 Windows Task Scheduler ................................................................................................ 9

2.6 Screen Resolution............................................................................................................ 9

3 Deployment Flow ........................................................................................................................... 10

4 Using the Installer .......................................................................................................................... 11

4.1 Installing Intel SBA ......................................................................................................... 11

4.2 Uninstalling Intel SBA .................................................................................................... 13

5 Using the Customization Wizard ................................................................................................... 15

5.1 Customizing Intel SBA ................................................................................................... 15

5.2 Running the Wizard Multiple Times ............................................................................... 18

5.3 Translating Customized Settings ................................................................................... 19

5.3.1 Supported Languages and Locale IDs .......................................................................... 20

5.3.2 Setting a Specific Language .......................................................................................... 21

Intel® SBA, Implementation Guide for OEMs iii

 5.3.3 PC Health Center Tasks ................................................................................................ 22

5.3.4 Software Monitor Applications ....................................................................................... 23

5.3.5 Custom Applications ...................................................................................................... 24

5.3.6 Other Translations ......................................................................................................... 25

6 Other Customization Options ........................................................................................................ 27

6.1 Command Line Switches ............................................................................................... 27

6.2 End User Help Files ....................................................................................................... 28

6.3 Adding Mail Providers .................................................................................................... 30

6.4 Using a Custom Application as a Website Link ............................................................. 32

7 Signing the XML Files ................................................................................................................... 35

7.1 Code Signing Flow ......................................................................................................... 36

7.2 Supported Certification Authorities ................................................................................ 38

7.3 Which XML Files Must be Signed? ................................................................................ 39

7.4 Using Microsoft Management Console .......................................................................... 40

7.5 Manually Creating the CSR File .................................................................................... 43

7.6 Exporting to a PFX File .................................................................................................. 44

7.7 Using the Code Signing Tool ......................................................................................... 47

7.7.1 Syntax ............................................................................................................................ 47

7.7.2 Examples ....................................................................................................................... 48

7.8 Preparing the Target System ......................................................................................... 49

7.8.1 Creating a P7B File ........................................................................................................ 50

7.8.2 Installing the P7B File .................................................................................................... 51

8 Copying an Intel SBA Installation .................................................................................................. 52

8.1 Resetting File and Folder Permissions .......................................................................... 53

8.2 Resetting the End User Licenses .................................................................................. 54

8.3 Resetting Configuration Data......................................................................................... 55

8.4 Updating the Program Name in the Control Panel ........................................................ 56

9 Known Issues ................................................................................................................................ 57

Intel® SBA, Implementation Guide for OEMs iv

1 Introduction
This guide describes how to install and customize Intel® Small Business Advantage
(Intel® SBA). This guide also describes the limitations of components and other known issues
included in this release of Intel SBA.

1.1 Overview of Intel SBA

Intel® Small Business Advantage (Intel® SBA) provides an out-of-the-box hardware-based
security and productivity suite designed for the small business user. Intel SBA includes a
customizable user interface and several bundled Intel applications. Computer manufacturers,
and suppliers (resellers) of computer hardware/software solutions, can use Intel SBA to give
added value to their customers in the small business market segment.

Intel Processor and Intel Chipset

The computing needs of a small business are different from the needs of home consumers.
For this reason, Intel SBA is supported only on some of the more powerful of Intel
processors. These chipsets include an Intel® Management Engine (Intel® ME).

Firmware
The advanced functionality provided by Intel SBA is defined in the Firmware of the Intel
chipset. The Firmware is the software that controls the Intel ME. For more information, see
Firmware Functionality.

Intel SBA Software

This software, provided by Intel, utilizes the advanced functionality of the Firmware to
provide applications that meet the needs of the small business. For more information, see
Intel SBA Software.

Intel® SBA, Implementation Guide for OEMs 1

1.2 Firmware Functionality
The functionality and capabilities of the Intel ME is determined by the type of Intel processor,
Intel chipset, and Firmware. The Firmware is an image that is stored in the Flash memory.
The Firmware executes on the Intel ME and uses a small portion of the RAM memory for
storage during execution.

This table shows the types of Firmware supported by Intel SBA.

Supported
Type of Firmware Description
by Intel SBA

Intel SBT is the Firmware component of Intel SBA and

includes this hardware functionality:
• Local Maintenance Timer – Enables applications to
“wake-up” the host platform when it is powered down or
Intel® Small Business in a sleep state.
√
Technology (Intel® SBT) • Local Software Monitor – Provides a common reporting
mechanism to monitor applications running on the host
operating system.
• Third Party Data Storage – Not implemented in this
release.

Intel® Active Intel AMT is the Firmware component included with

Management Technology √ Intel® vProTM systems.
(Intel® AMT) For more information, see Intel vPro Systems and Intel SBA.

1.2.1 Power Settings in the Firmware

To use the functionality of the Local Maintenance Timer the SCHEME 1 power scheme
(On in SO, wake in SX) must be set in the Firmware. This power scheme is set by Intel SBA
when the Intel ME is configured (see How the Intel ME is Configured).

If the power scheme is changed, the service cannot wake-up the computer from Sx power
states. In this release of Intel SBA, when the service starts it checks that the power scheme
is set to SCHEME 1. If the power scheme is incorrect, the service sends a warning message
but does NOT reconfigure the power scheme in the Firmware.

Intel® SBA, Implementation Guide for OEMs 2

1.2.2 How the Intel ME is Configured
After installation of the Intel SBA software is complete, the Intel SBA service is started. The
desktop, system tray, and programs menu include shortcuts to the GUI of Intel SBA.

By default, the Intel ME is in an unconfigured state. Before the hardware capabilities of the
Intel ME can be used by Intel SBA software, the Intel ME must be configured. This is done in
the Settings > Password Settings tab in the main menu of the GUI. The first time that the
Save button in the Settings window is clicked, the Intel ME is configured with the hardware
functionality of Intel SBT. This will usually be done by the end user when they want to start
using Intel SBA (so that they will know the password).

If the Intel ME is in a configured state, a message is shown.

Clicking Yes configures the Intel ME with the hardware functionality of Intel SBT.

Intel® SBA, Implementation Guide for OEMs 3

1.2.3 Intel vPro Systems and Intel SBA

Intel AMT is the Firmware component included with Intel® vProTM systems. Intel AMT includes
additional functionality used by enterprise organizations. The additional functionality of
Intel AMT is not used by Intel SBA.

When an Intel vPro system is configured by Intel SBA, the Intel ME is configured with the
hardware functionality of Intel SBT only (see Firmware Functionality). This means that all Out
of Band functionality is blocked.

If you want more information about Intel AMT, refer to the Intel AMT documentation located
on the Intel Manageability website (click here).

1.3 Intel SBA Software

Intel SBA includes several software components:

• Application Manager – The main Graphical User Interface (GUI) of Intel SBA that lets
users configure the settings and applications they want to use in their business.

• Service – A Windows service that runs in the background and provides communication
between the Main GUI, the Applications, and the Firmware.

• Customization Wizard – Lets computer manufacturers customize Intel SBA.

• Applications – Intel provided applications that provide useful features for the small
business. For more information, see:

• Software Monitor

• PC Health Center

• USB Blocker

• Data Backup and Restore

• Energy Saver

• Intel Wireless Display

Intel® SBA, Implementation Guide for OEMs 4

1.3.1 Software Monitor
Computers in a small business need protection from malicious software such as viruses,
worms, spyware, and other unwanted software. This protection is usually given by installing
antivirus and antispyware software applications on the computer. But, these applications are
only effective when they are running. Usually, one of the first things that a virus does is to
disable these applications (also, computer users can accidentally disable them).

The Software Monitor application detects and monitors security-related applications that are
installed on the computer. If a monitored application is disabled or attacked, Software
Monitor sends an alert to tell the user that something has occurred. The user can define
which applications to monitor and how they want to be notified.

The monitoring and reporting mechanism are located with the hardware, and are
independent of the operating system. This gives more security because it is harder for a virus
to attack a monitored application without leaving a trace of the attack.

By default, Software Monitor can monitor these applications:

• Kaspersky* Internet Security 2011

• Kingsoft* Antivirus Software

• McAfee* Internet Security

• McAfee SaaS Endpoint Protection

• McAfee Total Protection

• McAfee AntiVirus Plus

• Microsoft* Security Essentials

• Norton Internet Security*

• Norton 360*

• Trend Micro* Titanium* Internet Security

• Trend Micro Worry-Free*

You can use the customization wizard to define additional applications that Software Monitor
can monitor.

Intel® SBA, Implementation Guide for OEMs 5

1.3.2 PC Health Center
Computers in a small business need to run at their best performance. But, they also need to
be fully productive during business hours. This usually means that necessary maintenance
tasks are not done at frequent intervals. This can cause the performance of the computer to
decrease.

The PC Health Center application lets the user quickly and easily schedule all maintenance
tasks to run outside business hours when the computer is not being used. The user can
define which tasks to run and when to run them. If the computer is turned off, the
PC Health Center application will wake up the computer and run the scheduled tasks. (The
computer must be plugged in to a power source. For automatic software updates, an internet
connection is necessary.)

PC Health Center uses the hardware-based functionality of the Intel SBA to wake up the
computer if it is turned off. After configuration, the tasks will automatically run at the
scheduled time with no user intervention necessary.

By default, PC Health Center can schedule these tasks:

• Windows* updates

• Disk defragmentation

• Delete Internet files

• Delete temporary Internet files

You can use the customization wizard to define additional tasks that PC Health Center can
schedule.

1.3.3 USB Blocker

Computers in a small business need protection from possible security threats caused by the
increased use of USB ports and USB devices. Controlling access to these ports can increase
security. For example, controlled access can:

• Prevent valuable business data from being removed, copied, or even stolen
from the business

• Prevent viruses from being brought into the business on USB keys

The USB Blocker application lets the user quickly and easily define which USB devices can
connect to the computer. The user can define which categories of USB devices to block, and
also define a whitelist of specific devices that are always allowed.

Intel® SBA, Implementation Guide for OEMs 6

1.3.4 Data Backup and Restore

Small businesses must make sure that business data is backed up frequently. But, users often
defer backing up during business hours. Then if they power off their computer overnight, no
backup can occur.

The Data Backup and Restore application lets the user:

• Launch the Microsoft Backup and Restore application from the Intel SBA GUI

• Schedule the backup to run outside of the regular business hours. If the computer is
turned off, Intel SBA will wake up the computer so that the backup can run. (The
computer must be plugged in to a power source.)

Data Backup and Restore uses the hardware-based functionality of Intel SBA to wake up the
computer if it is turned off.

1.3.5 Energy Saver

Computers in a small business are often left powered on at the end of the working day. This
can unnecessarily increase the energy costs of the business.

The Energy Saver application lets the user quickly and easily set a power schedule for the
computer. The computer can be powered down (put into the sleep state) at the end of
business hours, thus saving energy costs. In addition, the computer can be powered up just
before the beginning of business hours, thus improving productivity.

Energy Saver uses the hardware-based functionality of Intel SBA that can “wake-up” a
computer even if it has been shut down. After configuration, the computer will continue to
power up and power down at the scheduled times with no user intervention necessary. (But
the computer user can cancel the power down operation and adjust the schedule when
necessary.)

1.3.6 Intel Wireless Display

This application lets users stream content (presentations, videos, websites, etc.) from their
computer over a wireless connection to a large screen display. This application is only shown
if the Intel® WiDi Widget for Windows* 7 is installed on the computer.

For more information, see:

• Intel WiDi Website

• Intel WiDi Widget Download

Intel® SBA, Implementation Guide for OEMs 7

2 Prerequisites
This section describes the prerequisites and recommendations for Intel SBA.

2.1 Platform Requirements

This table shows the combinations of processor and chipset that are supported by Intel SBA.

Desktop Chipsets Notebook Chipsets

Processor Q77 B75 QM77 HM77 UM77 QS77

Intel® CoreTM i7 Not supported √ √ √ √ √

Intel® CoreTM i5 Not supported √ √ √ √ √

Intel® CoreTM i3 Not supported √ √ √ √ √

Intel® CoreTM i7 vProTM √ √ √ √ √ √

Intel® CoreTM i5 vProTM √ √ √ √ √ √

Note: The Intel® Management Engine software kit must be installed. (The Local Manageability
Service and the Intel® Management Engine Interface must be installed and running.)

2.2 Supported Operating Systems

This release of Intel SBA was validated on these operating systems:

• Windows* 7 Professional 64-bit and 32-bit

• Windows 7 Enterprise 64-bit

Note:

• Although validation was done only on these operating systems and versions, Intel SBA
should also work correctly on other Windows 7 versions.
• Intel SBA also requires Microsoft .NET Framework version 3.5 or higher installed on the
computer. This is usually included in the supported operating systems.

2.3 Required User Permissions

You must run the installer and the customization wizard with a user that has local
administrator permissions on the computer.

Intel® SBA, Implementation Guide for OEMs 8

2.4 Windows Update Settings
In certain conditions, the “Windows Update” task in the PC Health Center application is
disabled and cannot be enabled. This can occur if Intel SBA is installed on a computer where
Windows Update was disabled during installation of the Windows operating system. The
Windows Update task is shown in the GUI but is grayed out (disabled). Even if the end user
enables Windows Update in the operating system, the PC Health Center task cannot be
enabled. This means that the end user cannot use PC Health Center to manage Windows
Update.

To prevent this, make sure that you do NOT select the Never check for updates option
when installing the Windows operating system.

2.5 Windows Task Scheduler

Some PC Health Center tasks are applications that can also be used directly from the
operating system and scheduled via the Windows Task Scheduler. When a task is set via
PC Health Center, an alarm clock is set that will wake up the computer if it is turned off.
Defining a scheduled time for an application/task outside of PC Health Center does not set an
alarm clock. This means that the computer will not be woken up to do the task.
For this reason, it is NOT recommended to define schedules for these applications:
• Windows Updates

• Windows Backup and Restore

• Disk defragmentation

Instead, let the end user set the schedule for all these tasks via PC Health Center.

Note:

The time and date set for these tasks via PC Health Center will replace any setting that
was set outside of PC Health Center. There are exceptions to this behavior:
• Setting a schedule in the Windows Backup and Restore application, adds the “Windows
Backup and Restore” task to the list of tasks. This occurs even if the PC Health Center
application is not configured. If the Intel ME is configured, an alarm clock is also set.
• Setting a schedule for the Disk Defragmentation task in PC Health Center does not
change any setting that was set in the Windows Disk Defragmenter application. This
means that two independent schedules could exist for this task. The computer will only
wake up for the schedule set via PC Health Center.

2.6 Screen Resolution

The 800 x 600 screen resolution is not supported by Intel SBA. If you set this screen
resolution, the end user will not be able to see the main menu of the Intel SBA GUI.

Intel® SBA, Implementation Guide for OEMs 9

3 Deployment Flow
These are the main steps required to deploy computers with Intel SBA.

1. Prepare a computer that includes all the hardware and software that will be included in the
computer when it is sent to the customer (or Reseller).

2. Install Intel SBA (see Using the Installer).

3. Customize Intel SBA (see Using the Customization Wizard).

4. Make all other customizations not available from the wizard.

For more information, see Other Customization Options.

5. Make sure that all the XML files are signed (see Signing the XML Files).

6. Open the GUI and verify that:

• Intel SBA is working correctly

• All the changes that you made with the customization wizard are shown
correctly in the GUI

Note:

When you open the GUI, you are asked to accept two license agreements. These
license agreements are for the end user. After testing is complete, you must reset
these licenses (see Resetting the End User Licenses).

7. Prepare the completed and customized Intel SBA installation for deployment on multiple
computers (see Copying an Intel SBA Installation).

Intel® SBA, Implementation Guide for OEMs 10

4 Using the Installer
Intel SBA is installed and uninstalled using an installer wizard (Setup.exe).

For more information, see:

• Installing Intel SBA

• Uninstalling Intel SBA

4.1 Installing Intel SBA

This procedure describes how to install Intel SBA.

To install Intel SBA:

1. Logon to the computer with a user that has administrator privileges.

2. Copy the Setup.exe file to the computer.

3. Double-click Setup.exe.

Note:

The installer also supports “Silent” install. This is the syntax: Setup.exe –s

The Welcome to the Setup Program window opens.

Intel® SBA, Implementation Guide for OEMs 11

 4. Click Next. The installer starts the installation and the Setup Progress window opens
showing the progress of the installation. When installation is complete, the installer starts
the Intel SBA service and the Next button is enabled.

5. Click Next. The Setup Is Complete window opens.

6. Click Finish. The installer closes.

Intel® SBA, Implementation Guide for OEMs 12

4.2 Uninstalling Intel SBA
This procedure describes how to uninstall Intel SBA.

To uninstall Intel SBA:

1. Logon to the computer with a user that has administrator privileges.

2. From the Control Panel, select Intel® Small Business Advantage (or the new name if
the product name was changed) and click Uninstall.

Note:

• When you uninstall from the Control Panel, a copy of the Setup.exe file containing
the installation settings is used. This file is located in the Uninstall folder in this
location: Program Files\Intel\Intel(R) Small Business Advantage\Uninstall. This file
can only be used from the Control panel, or from a command prompt. If you
double-click the file, an error message is shown.
• This is the syntax if you want to uninstall Intel SBA from a command prompt:
Setup.exe -uninstall.

The Welcome to the Uninstallation Program window opens.

3. (Optional) By default, uninstall deletes the data files used by Intel SBA. If you do not want
to delete these files, clear the Delete data files check box.

Intel® SBA, Implementation Guide for OEMs 13

 4. Click Next. The Password is required to uninstall window opens.

Note:

This window opens even if you did not configure Intel SBA, or configured with a blank
password.

5. Type the password and click Next. (Or just click Next.) The installer starts the
uninstallation and the Uninstallation Progress window opens showing the progress of the
uninstallation. When uninstallation is complete, the Next button is enabled.

6. Click Next. The Uninstallation Is Complete window opens. By default, the installer will
restart the computer when you click Finish. If you want to restart the computer at a later
time, select No, I will restart this computer later.

Note:

To complete uninstallation, the computer MUST be restarted. If you reinstall Intel SBA
without first restarting the computer, the new installation cannot be uninstalled from
the Control Panel. This is because Intel SBA will not be listed in “Programs and
Features” and the Uninstall folder is deleted during reboot after the new installation.

7. Click Finish. The installer closes and the computer restarts (if you did not select to restart
it later).

Intel® SBA, Implementation Guide for OEMs 14

5 Using the Customization Wizard
After Intel SBA is installed on the computer, you can customize the settings using a wizard
(IntelOEMWizard.exe) located in the OEMWizard\bin folder.

Note:

All content referenced by the customization wizard must be pre-installed on the target
system. Before starting the wizard, make sure that:
• All applications, files, and icons that you want to use in the customized
Intel SBA are installed in their final installation location.
• All the final installation locations are accessible to all users of the computer. If
a user does not have permissions in a location, the content will not be
displayed correctly in the GUI.
In the customization wizard, make sure that you load applications, files, and icons, from
their final installation location. The wizard creates paths for the loaded content based on
the location from where you loaded them. The GUI uses these paths to load and display
the content. If the path is incorrect the content will not be displayed correctly in the GUI.

For more information, see:

• Customizing Intel SBA

• Running the Wizard Multiple Times

• Translating Customized Settings

5.1 Customizing Intel SBA

This procedure describes how to customize Intel SBA.

To customize Intel SBA:

1. Logon to the computer with a user that has administrator privileges.

2. Close the GUI by right-clicking the Intel SBA icon in the notification area of the taskbar and
selecting Exit.

3. Copy the OEMWizard folder (including all content and subfolders) to the computer.

4. In the OEMWizard\bin folder, double-click IntelOEMWizard.exe. The Intel Software

License Agreement window opens.

Intel® SBA, Implementation Guide for OEMs 15

 5. After reading the agreement and selecting all the check boxes, click OK. The Welcome
window of the wizard opens.

6. Click Next and follow the instructions in the windows of the wizard. This table gives a brief
description of what you can define in each window.

In this window… You can…

Select the background color scheme of the Intel SBA GUI:

• Light – This is the default
BACKGROUND COLOR
• Dark – If you select this scheme, you must also change the
name of the product that is shown in the GUI
PRODUCT NAME Change the name of the product that is shown in the GUI
LICENSE AGREEMENT Change the end user license agreement
Change the product icon and system tray icons. You can only
change these icons if you change the product name.
PRODUCT ICON Note:
• The optimal size for the desktop icon is 256 * 256 pixels.
• The optimal size for the tray icons is 32 * 32 pixels

Intel® SBA, Implementation Guide for OEMs 16

 In this window… You can…
Define the company logos that will be shown in the GUI:
• OEM Logo – This logo is mandatory (your company logo)
COMPANY LOGOS • Reseller Logo – By default, this is the Intel company logo. You
or the Reseller can change this logo.
Note: The optimal size for a logo is 512 * 356 pixels.
Change the “Accent” color (the default is blue). You can only
ACCENT COLOR
change the accent color if you change the product name.
DATA BACKUP AND Replace the Data Backup and Restore application provided by Intel
RESTORE with an alternative backup and restore application
PC HEALTH CENTER Add additional tasks to the PC Health Center application
Define which applications will be available for the end user to select
in the Software Monitor application. You can remove the default
SOFTWARE MONITOR
applications or add your own applications (up to a maximum of 15
applications).
Remove these default applications (provided by Intel) from the GUI:
• Energy Saver
INTEL® SBA APPS
• USB Blocker
• Intel(R) Wireless Display
Add applications to the Intel SBA GUI. The application must be
installed on the computer before you can use this option. The
CUSTOM APPS optimal size for the icon is 650 * 650 pixels. The recommended size
for the application description image is 471 * 304.
Note: You can only add *.exe files (*.bat files are not supported).
CERTIFICATE See Signing the XML Files
ORDERING OF APPS Define the order in which the applications are shown in the GUI
CONTACT DETAILS Define contact details that will be shown in the GUI

7. The SETUP COMPLETE window is the last window of the wizard. When you get to this
window, do one of these:

• Click Back to go back and make changes if necessary

• Click Finish to close the wizard and save the settings

8. Stop and restart the Intel SBA service.

9. If you changed the product name, press F5 to refresh the desktop. This action is necessary
to update the name and icon of the shortcut to Intel SBA.

10. Open the GUI and make sure that the settings you defined with the wizard are shown
correctly in the GUI.

Intel® SBA, Implementation Guide for OEMs 17

5.2 Running the Wizard Multiple Times
When you run the customization wizard it creates and updates several XML files. Each time
that you run the wizard, the data in most of these files is replaced with the new data. The
wizard does not “remember” data that was defined in previous runs.

This table describes windows of the wizard that behave differently.

Window What

Tasks added in a previous run of the wizard are shown in the list of
tasks. If you add tasks, a new XML file is created for those tasks.
You cannot use the wizard to remove tasks added in a previous run.
PC HEALTH CENTER If necessary, you must do this manually by deleting all the XML files
that begin with “HealthCenterData” and include numbers.
For example: HealthCenterData376604851.839805.xml
Note: DO NOT delete this file: HealthCenterDataIntel.xml.
Applications added in a previous run of the wizard are shown in the
list of applications. If you add applications, a new XML file is
created for those applications. You cannot use the wizard to remove
applications added in a previous run.
SOFTWARE MONITOR
If necessary, you must do this manually by deleting all the XML files
that begin with “SoftwareMonitorData” and include numbers.
For example: SoftwareMonitorData376604862.990606.xml.
Note: DO NOT delete this file: SoftwareMonitorData DataIntel.xml.
Custom applications added in a previous run of the wizard are NOT
shown in the list of applications. If you add applications, a new XML
file is created for each application.
CUSTOM APPS If necessary, you must do this manually by deleting all the XML files
that begin with “UiApplicationsData” and include numbers.
For example: UiApplicationsData376604914.190804.xml.
Note: DO NOT delete this file: UiApplicationsDataIntel.xml.

Note:

When deleting an XML file, you must also delete all the copies of the file in the language
subfolders.

Intel® SBA, Implementation Guide for OEMs 18

5.3 Translating Customized Settings
Intel SBA includes support for 15 languages (see Supported Languages and Locale IDs).
During installation, files with translated text for these languages are automatically installed.
This includes text in the GUI, messages sent by the service, and help files for the end user.

Intel SBA automatically checks the locale ID in the operating system and loads the relevant
language files for each user. Some of these files are XML files located in this folder and its
language subfolders: C:\ProgramData\Intel\Intel(R) Small Business Advantage.

When you run the customization wizard, additional XML files are created. Some of these XML
files include text that you defined in the customization wizard. The wizard automatically
creates 16 copies of each of these files:

• One copy in the root of the C:\ProgramData\Intel\Intel(R) Small Business Advantage

folder. This copy is the default copy that Intel SBA will use if the files in the language
subfolder are missing or corrupted.

• One copy in each of the 15 language subfolders (for example: de-DE). For these files, the
name of the language folder is added to the end of the filename.
For example: UiSettingsData.de-DE.xml.

It is necessary to edit the text values of the files in the language folders with translated
values for each language. (Except for the language folder containing the language that was
used to define the values in the customization wizard.)

For more information, see:

• Supported Languages and Locale IDs

• Setting a Specific Language

• PC Health Center Tasks

• Software Monitor Applications

• Custom Applications

• Other Translations

Note:

• Make sure that you only edit the values of the tags described in the sections above. If
you edit other tags or files, Intel SBA might not operate correctly.
• After editing the XML files, you must re-sign them (see Signing the XML Files).

Intel® SBA, Implementation Guide for OEMs 19

5.3.1 Supported Languages and Locale IDs
This table shows the names and locale IDs used for each of the supported languages.

Folder Filename Language Locale ID

Name Suffix (Hexadecimal Value)
en-US en-US.xml English 0x0409
de-DE de-DE.xml German 0x0407
es-ES es-ES.xml Spanish 0x0C0A
fr-FR fr-FR.xml French 0x040C
id-ID id-ID.xml Indonesian 0x0421
it-IT it-IT.xml Italian 0x0410
ja-JP ja-JP.xml Japanese 0x0411
ko-KR ko-KR.xml Korean 0x0412
pl-PL pl-PL.xml Polish 0x0415
pt-BR pt-BR.xml Portuguese Brazil 0x0416
ru-RU ru-RU.xml Russian 0x0419
tr-TR tr-TR.xml Thai 0x041E
th-TH th-TH.xml Turkish 0x041F
zh-CN zh-CN.xml Chinese Simplified 0x0804
zh-HK zh-HK.xml Chinese Traditional 0x0C04

Intel® SBA, Implementation Guide for OEMs 20

5.3.2 Setting a Specific Language
When the computer boots up, after a short delay, the Intel SBA service is automatically
started and the GUI is minimized in the system tray. Intel SBA automatically starts in the
language of the locale defined in the operating system. If the locale is not supported, the
default language is set to English.

You can force Intel SBA to always start in a specific language of your choice by adding the
“-lang” argument to the desktop icon, the start menu icon, and the Registry. The “–lang”
argument has one parameter that defines the language. Valid values for this parameter are
the “Folder Name” of the language (see the table in Supported Languages and Locale IDs).

For example, adding this argument and parameter will cause Intel SBA to always start in
Spanish:

-lang es-ES

To add the lang parameter to the registry setting:

1. Click Start, type Regedit, and press <Enter>. The Registry Editor opens.

2. Locate the IntelSBA key, in one of these locations:

• On 32-bit systems: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

• On 64-bit systems: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

3. Right-click IntelSBA and select Modify. The Edit String window opens.

4. Add the lang argument and the desired language value, as shown in this example.

5. Click OK and close the Registry Editor.

6. Restart the computer. After the computer has rebooted, wait a few minutes until the icon is
shown in the system tray. Open the application and check that the language in the GUI is
the language you defined in step 4.

Intel® SBA, Implementation Guide for OEMs 21

 To add the lang parameter to the icons:
1. Right-click the icon and select Properties > Shortcut.

2. In the Target location field, add the lang argument and the desired language value, as
shown in this example. To check that the GUI opens in the correct language, stop the
service and then double-click the icon.

5.3.3 PC Health Center Tasks

The text shown in the GUI for the names of PC Health Center tasks is loaded from two XML
files.

File Name Description

Contains data for the default PC Health Center tasks.

HealthCenterDataIntel.xml
Note: Do not make any changes to this file.
When you add tasks in the PC HEALTH CENTER window of the
wizard, a new custom file is created for the additional tasks.
For example: HealthCenterData376604851.839805.xml
The file contains a <HealthCenterTaskData> tag for each
HealthCenterDataXXX.xml
PC Health Center task added in the wizard. The <Name> tag
contains the name of the task that is shown in the GUI. For
each task in the file, edit the value of the <Name> tag.
Note: These are the only tags that you need to translate.

Example

<HealthCenterTaskData>
<Name>Example Task</Name>
<GUID>c03dc9e7-06b8-4430-be61-ab9c9b7b20d2</GUID>
<RecommendedRunInterval>Daily</RecommendedRunInterval>
<ExecutionCommandPath>C:\ExampleTask.bat</ExecutionCommandPath>
<TaskType>WindowsTaskScheduler</TaskType>
</HealthCenterTaskData>

Intel® SBA, Implementation Guide for OEMs 22

5.3.4 Software Monitor Applications
The text shown in the GUI for the names of software applications monitored by the
Software Monitor application is loaded from two XML files.

File Name Description

Contains data for the default applications monitored by the

SoftwareMonitorDataIntel.xml Software Monitor application.
Note: Do not make any changes to this file.
When you add an application in the SOFTWARE MONITOR
window of the wizard, a new custom file is created for the
additional applications.
For example: SoftwareMonitorData376604862.990606.xml
The file contains a <SoftwareData> tag for each
SoftwareMonitorDataXXX.xml
application added in the wizard.
The <ApplicationName> tag contains the name of the
application that is shown in the GUI. For each application in
the file, edit the value of the <ApplicationName> tag.
Note: These are the only tags that you need to translate.

Example

<SoftwareData>
<ExecutableName>example.exe</ExecutableName>
<GUID>1f7265af-ed77-406c-b12e-6929389d2caf</GUID>
<ExecutableType>Process</ExecutableType>
<ApplicationName>Example Application</ApplicationName>
<Ignore>false</Ignore>
</SoftwareData>

Intel® SBA, Implementation Guide for OEMs 23

5.3.5 Custom Applications
The text shown in the GUI for the names and descriptions of applications is loaded from two
XML files.

File Name Description

Contains data for the default applications installed with

UiApplicationsDataIntel.xml Intel SBA.
Note: Do not make any changes to this file.
When you add custom applications to Intel SBA, a new file
is created for each custom application that you add.
For example: UiApplicationsData376604914.190804.xml.
This occurs when you:
UiApplicationsDataIntelXXX.xml • Add a program in the CUSTOM APPS window of the
wizard.
• Replace the default backup application in the DATA
BACKUP AND RESTORE window of the wizard.
See the example and table below.

Example

<Application>
<ApplicationName>Example Custom Application</ApplicationName>
<GUID>34d29d21-7608-41a3-b7e7-dad7a8e9fcfb</GUID>
<LaunchCommand>C:\CustomApplication.exe</LaunchCommand>
<LaunchCommandArguments>-someargument</LaunchCommandArguments>
<ApplicationIconFullPath>file:///C:/customicon.png</ApplicationIconFullPath>
<Description>Description for the custom application</Description>
<DescriptionImageFullPath>file:///C:/image</DescriptionImageFullPath>
<DescriptionLinkUri>http://customappwebpage.com</DescriptionLinkUri>
<DescriptionLinkText>Click here for more information</DescriptionLinkText>
</Application>

This table describes the tags that you might need to translate (in each file):

Tag Description
<ApplicationName> Contains the name of the application
Contains a description for the application that is shown
<Description>
in the status panel when the application is selected

Intel® SBA, Implementation Guide for OEMs 24

 Tag Description

Contains an image that is displayed in the status panel

when the application is selected.
Note:
<DescriptionImageFullPath> • This tag is optional and only exists if you uploaded
an application description image in the wizard.
• You only need to edit this tag if you want to show
different images for different languages.
Contains user-friendly text that will be shown for the
link defined in the <DescriptionLinkUri> tag.
<DescriptionLinkText>
Note: These tags are optional and only exist if you
defined them in the wizard.

5.3.6 Other Translations

The customization wizard includes additional options that make changes to the default text
shown in the GUI. The text shown in the GUI for these options is loaded from a file named
UiSettingsData*.xml. These files do not exist until you run the customization wizard. Each
time that you run the customization wizard, the files are deleted and replaced.

Example

<BackgroundColor>Light</BackgroundColor>
<ProductName>ACME Corp</ProductName>
<DesktopIconFullPath>C:\CustomProgram.ico</DesktopIconFullPath>
<TrayIconSuccessFullPath>C:\TaskTray1.ico</TrayIconSuccessFullPath>
<TrayIconWarningFullPath>C:\TaskTray2.ico</TrayIconWarningFullPath>
<TrayIconErrorFullPath>C:\TaskTray3.ico</TrayIconErrorFullPath>
<OemLogoFullPath>file:///C:/OEMlogo.png</OemLogoFullPath>
<ResellerLogoFullPath>file:///C:/Resellerlogo.png</ResellerLogoFullPath>
<ContactDetails>
<CompanyName>ACME Corp</CompanyName>
<SupportPhoneNumber>001-xxx-xxxxxxxx</SupportPhoneNumber>
<SupportEmail>[email protected]</SupportEmail>
<CompanyWebsite>http://acmecorp.com</CompanyWebsite>
<CompanyMailingAddress>Company mailing address</CompanyMailingAddress>
</ContactDetails>
<AccentColor>
<R>165</R>
<G>42</G>
<B>42</B>
</AccentColor>
<LicenseAgreement>Custom EULA license This is a custom license that will
replace the Intel license</LicenseAgreement>

Intel® SBA, Implementation Guide for OEMs 25

 This table describes the tags that you might need to translate in this file:

Tag Description

Contains the product name that will replace the default product
name of “Intel® Small Business Advantage”. This tag only exists if
<ProductName>
you changed the product name in the PRODUCT NAME window of
the wizard.
Contains the values that you defined in the CONTACT DETAILS
window of the wizard. These values are shown on the Contact
window when the user clicks Contact in the GUI menu.
<ContactDetails>
Note: Some of the fields in the CONTACT DETAILS window are
optional. If you did not define a value in a field, the tag for that
field is not created in the XML file.
Contains the End User License Agreement (EULA) that will replace
the default Intel EULA. This tag only exists if you changed the
<LicenseAgreement> product name in the PRODUCT NAME window of the wizard.
(When you change the product name, you must load a new EULA
in the LICENSE AGREEMENT window of the wizard.)

Intel® SBA, Implementation Guide for OEMs 26

6 Other Customization Options
Intel SBA includes additional customization options:

• Command Line Switches

• End User Help Files

• Adding Mail Providers

• Using a Custom Application as a Website Link

6.1 Command Line Switches

When the end user opens the GUI the default “landing view” is shown. As an alternative to
this landing view, you can use command line switches with the GUI executable. The switch
puts the focus on a selected application and shows the status panel of the application. The
switches work with the carousel and the grid views of the GUI.

This table shows the command line switches available in this release.

Application Switch

PC Health Center –startapplication PCHealth

Software Monitor –startapplication SWMonitor

USB Blocker –startapplication USBblocker

For example, to put the focus on Software Monitor:

IntelSmallBusinessAdvantage.exe –startapplication SWMonitor

Intel® SBA, Implementation Guide for OEMs 27

6.2 End User Help Files
Intel SBA includes documentation for the end user. The documentation is context sensitive
help that opens from the GUI. Pressing F1, the help icons, or links in a window will open a
page in the help with relevant information.

The help is a set of compiled HTML help (*.chm) files. The chm files were created as modular
help files and are linked to each other. This means that you can open any chm file and
always see the content of all the chm files. Only the content of the chm files located in the
same folder is shown. If you remove a chm file from the folder, the content of that file is not
shown in the help. This means that if you remove an application that was provided by Intel,
you can easily remove all traces of the documentation for that application.

For example, if you removed USB Blocker it will not be shown in the GUI. But when the end
user opens the help, the USB Blocker topic will be shown in the Contents tab of the help. To
remove the topic and all references, simply remove the USBBlocker.chm file from the folder
where the chm files are located.

Intel® SBA, Implementation Guide for OEMs 28

 This table shows the chm files.

This chm file… Includes... And is…

IntelSBA.chm The “hub” project file and index Mandatory

GettingStarted.chm The general help topics included in the Mandatory
“Getting Started” section
PCHealthCenter.chm Help for the PC Health Center application Optional
SoftwareMonitor.chm Help for the Software Monitor application Optional
USBBlocker.chm Help for the USB Blocker application Optional
EnergySaver.chm Help for the Energy Saver application Optional
These applications do not have chm files:
• Data Backup and Restore – The user can reference the help provided in the Windows*
Backup application.
• Intel® Wireless Display – The user can reference the help and instructions in the web
page (when they click the link “Learn more about Intel® WiDi”).

The chm files are located in this folder:

C:\Program Files\Intel\Intel(R) Small Business Advantage\UI\Documentation.

The Documentation folder contains a separate folder for each language supported by
Intel SBA. The default language is English (in the folder en-US).

Note:
• If you remove a chm file, you must remove it from each of the language folders.
• In this release, the chm files for all supported languages were added, but they are only
partially translated and are not fully updated.

Intel® SBA, Implementation Guide for OEMs 29

6.3 Adding Mail Providers
Intel SBA includes an option to send alerts via email when important events occur. To use
this option, the end user must first define the email account that Intel SBA will use to send
the email alerts. These settings are defined in the Settings > Send Email Settings tab.

To help the end user define these settings, Intel SBA can automatically populate these fields
with the correct settings. When the user enters a valid email address in the “Email Address”
text box, Intel SBA looks in an XML file named “MailProviders.xml”. If an entry exists for the
mail provider, the settings (marked in yellow in this screenshot) are populated.

By default, the MailProviders.xml file contains settings for Gmail* and Yahoo!* Mail. You can
add settings for additional email service providers to this file.

Intel® SBA, Implementation Guide for OEMs 30

 Example
<SmtpSettings>
<Hostname>smtp.live.com</Hostname>
<Port>25</Port>
<Login>@hotmail.co.uk</Login>
<EnableSsl>true</EnableSsl>
<ServerAuthentication>Password</ServerAuthentication>
</SmtpSettings>

Tag Description
<SmtpSettings> Create a <SmtpSettings> tag for each email service
provider that you want to add to the MailProviders.xml file.
<Hostname> The name given by the email service provider to their server
that accepts emails via the web. The value of this tag is put
in the “Outgoing Mail Server (SMTP)” text box.
<Port> The number of the port that the server of the email service
provider uses to listen for incoming emails. The value of this
tag is put in the “Port” text box.
<Login> The suffix of the email address that can be used to identify
the email service provider (including the @ symbol).
When the end user types an email address in the “Email
Address” text box, Intel SBA looks at the <Login> tags. If a
match is found, the settings are automatically populated.
Note: The value of this tag must match the email address
exactly. This means that for email service providers that use
multiple domains with different suffixes, you must create
more than one set of <SmtpSettings> tags.
<EnableSsl> Defines if the email service provider uses the Secure Sockets
Layer (SSL) to encrypt the connection. The value of this tag
defines if the “Use SSL” check box is selected. Valid values:
• true – the check box is selected
• false – the check box is not selected
<ServerAuthentication> The type of authentication. Valid value: Password

Intel® SBA, Implementation Guide for OEMs 31

6.4 Using a Custom Application as a Website Link
The CUSTOM APPS window of the customization window lets you add applications to the GUI.
In addition to adding useful applications for the small business user, you can also use this
option to add a link to your customer website. You can use your own icon (this example uses
the Internet Explorer icon), and add text that shows in the status panel. When the user clicks
Launch, the web browser will automatically open at the website.

To use a custom application as a website link:

1. Use the customization wizard to make your customizations to Intel SBA, as described in
Using the Customization Wizard. When you get to the CUSTOM APPS window, follow the
instruction in steps 2 through 7 to add an application to open the website.

Intel® SBA, Implementation Guide for OEMs 32

 2. In the APPLICATION NAME field, type the name for the “application”. This name is shown
in the title bar of the status panel and underneath the application icon.

3. In the APPLICATION DESCRIPTION field, type the text that you want to show in the status
panel when this “application” is selected.

4. In the UPLOAD APPLICATION field, click Browse and then select executable file of the
browser that you want to use to open the website. For example:

• Internet Explorer: C:\Program Files (x86)\Internet Explorer\iexplorer.exe

• Mozilla Firefox: C:\Program Files (x86)\Mozilla Firefox\Firefox.exe

5. In the UPLOAD ICON field, click Browse to load an icon to replace the default icon of the
web browser that you selected in step 4.

Intel® SBA, Implementation Guide for OEMs 33

 6. Scroll down and in the APPLICATIONS ARGUMENTS field, type the full address of your
website. For example, http://www.go-to-this-site.com.

Note:
It is not necessary to use the remaining fields. The LINK TO WEB PAGE and TEXT FOR LINK
fields are used to add links to a website for “real” applications. For this “application” the
APPLICATION ARGUMENTS field is used instead (step 6).

7. Click Add App. The application is added to the YOUR CUSTOM APPS list.

8. Continue to the end of the customization wizard and click Finish to create the customized
files.

Intel® SBA, Implementation Guide for OEMs 34

7 Signing the XML Files
For increased security, the files used by Intel SBA are digitally signed by Intel. This includes
the XML files. When you use the customization wizard, additional XML files are created in the
ProgramData folder. Some of the changes that you can make in the customization wizard
require you to sign the XML files with your own code signing certificate.

These changes include:

• Adding a task in the PC HEALTH CENTER window

• Adding an application in the SOFTWARE MONITOR window

• Adding a custom application in the CUSTOM APPS window

Note:
Intel SBA requires the XML files to be signed using a Code Signing Certificate.
Secure Sockets Layer (SSL) Certificates and Self Signed Certificates are not supported.

For more information, see:

• Code Signing Flow

• Supported Certification Authorities

• Which XML Files Must be Signed?

• Using Microsoft Management Console

• Manually Creating the CSR File

• Exporting to a PFX File

• Using the Code Signing Tool

• Preparing the Target System

Intel® SBA, Implementation Guide for OEMs 35

7.1 Code Signing Flow
The code signing flow includes three main steps.

Step #1: Get and Install the Code Signing Certificate

The customized XML files must be signed by a code signing certificate that was issued by a
Certification Authority (CA) supported by Intel SBA. If you already have a code signing
certificate from one of these CAs, you do not need to do this step. To get a code signing
certificate, you must apply to the CA by sending a Certificate Signing Request (CSR). This
table describes the two methods that you can use to create the CSR.

Method #1: Automatically Generate the CSR Method #2: Manually Create the CSR
The latest versions of Microsoft* Internet If the CA that you select does not support
Explorer* and Mozilla Firefox* can generate automatic generation of the CSR, you will
the CSR automatically. If the CA supports this need to create it manually. This process is
option, a private key (and a CSR) will be not as easy as automatic generation, and
generated on the computer that you use to requires the use of third-party tools. For
apply for the certificate. After the CA approves more information, see Manually Creating
the request, you will receive a signed the CSR File.
certificate and installation instructions.
Note: Make sure that you always use the same computer, user, and browser to request
and install the certificate.

For a list of supported CAs, see Supported Certification Authorities.

Step #2: Sign the XML Files

This table describes the two methods that you can use to sign the XML files.

Method #1: Use the Customization Wizard Method #2: Use the Code Signing Tool

The customization wizard can use a PFX file Intel SBA also includes a command line tool
to automatically sign the XML files for you. that you can use to sign the XML files. This
To do this, in the CERTIFICATES window of can be useful if the XML files will be signed
the wizard click Browse and select the PFX at a later stage or by another department in
file. your organization. To use this tool, in the
If you used method #2 in step #1, you CERTIFICATES window of the wizard, select
already have a PFX file that you can use. If the Skip this step check box.
not, you will need to export the certificate This tool can use a PFX file (like the wizard)
into a file in PFX format (see Exporting to a or use the code signing certificate directly in
PFX File). the certificate store. For more information,
see Using the Code Signing Tool.

Intel® SBA, Implementation Guide for OEMs 36

 This figure shows the CERTIFICATES window of the customization wizard.

Step #3: Prepare the Target System

It is highly recommended to prepare the target systems with a certificate containing the full
certificate chain. For more information, see Preparing the Target System.

Intel® SBA, Implementation Guide for OEMs 37

7.2 Supported Certification Authorities
This list shows the Certification Authorities that are supported by Intel SBA, and includes links
to their websites.

• Go Daddy*

http://www.godaddy.com/ssl/code-signing-certificate.aspx?isc=sslqgis01d&ci=13314

• Verisign*

http://www.verisign.com/code-signing/index.html?tid=a_box

• GlobalSign*

http://www.globalsign.com/code-signing/

• Thawte*

https://www.thawte.com/code-signing/index.html

• TrustCenter

http://www.trustcenter.de/en/products/desktop_code_signing.htm

• Comodo*

http://www.comodo.com/

• PGP TrustCenter (ChosenSecurity)

http://www.chosensecurity.com/tc-publisher-id-for-ms-authenticode

Note:

Some of the Certification Authorities websites offer options for several different platforms.
In these websites, select the “Microsoft Authenticode” option.

Intel® SBA, Implementation Guide for OEMs 38

7.3 Which XML Files Must be Signed?
For some XML files used by the GUI, a valid digital signature is mandatory. When the GUI
opens it checks these XML files to make sure that they are signed. If there is a problem with
one of the files, a message like this shows:

The user is allowed to continue and open the GUI, but data from unsigned or compromised
files is NOT loaded in the GUI. If default data exists for the file, the default data is loaded.

For these XML files, a valid digital signature is mandatory:

• UiApplicationsData* (including UiApplicationsDataIntel.xml)

• HealthCenterData* (including HealthCenterDataIntel.xml)

• SoftwareMonitorData* (including SoftwareMonitorDataIntel.xml)

Note:
These files have localized versions that must also be signed. For more information, see
Translating Customized Settings.

It is not mandatory to sign these XML files:

• UiSettingsData.xml

• HealthCenterOrderAndDefaultData.xml

• SoftwareMonitorOrderAndDefaultData.xml

• UiApplicationsOrderData.xml

• IntelEnergySaverData.xml

• MailProviders.xml

The GUI does not warn the end user if changes are made to these files.

Intel® SBA, Implementation Guide for OEMs 39

7.4 Using Microsoft Management Console
The Microsoft* Management Console (MMC) is an administration utility included in the
Windows* operating system. The MMC is a console to which you can add administrative
tools, known as “snap-ins”. The Certificates snap-ins are used to view and manage
certificates:

• #1: “Certificates – Current User” – Use this snap-in on the computer that you are using to
sign the XML files. If you want to use the Code Signing Tool, the certificate with the
private key must be located in this Personal > Certificates store.

• #2: “Certificates (Local Computer)” – Use this snap-in on the target computer that will be
sent to the customer (or Reseller). It is recommended to install a “P7B” certificate in this
Personal > Certificates store (see Preparing the Target System).

This procedure describes how to create a console view for both of the certificates snap-ins.

To add the certificates snap-ins to the console:

1. Login to the computer with an Administrator user.

2. Click Start, type mmc.exe, and then press <Enter>. The Microsoft Management Console
window opens.

3. Select File > Add/Remove Snap-in. The Add or Remove Snap-ins window opens.

Intel® SBA, Implementation Guide for OEMs 40

 4. From the list of available snap-ins (in the left pane of the window), select Certificates
and click Add. The Certificates snap-in window opens.

5. Select My user account and click Finish. The Certificates snap-in window closes and the
“Certificates – Current User” snap-in is added to the list of selected snap-ins.

6. From the list of available snap-ins (in the left pane of the window), select Certificates
and click Add. The Certificates snap-in window opens again.

7. Select Computer account and click Next. The Select Computer window opens.

Intel® SBA, Implementation Guide for OEMs 41

 8. Make sure that Local computer is selected and click Finish. The Certificates snap-in
window closes and the “Certificates (Local Computer)” snap-in is added to the list of
selected snap-ins.

9. Click OK. The Add or Remove Snap-ins window closes and the snap-ins are added to the
Console Root tree (in the left pane of the window).

10. Close the console. When you close the console, you will be asked if you want to save the
settings for this console view. If you save the settings, they are saved in an *.msc file with
a name that you specify. You can then double-click this file to quickly open the console with
the certificates snap-ins already loaded. You can also use this file to open the console on
other computers.

Intel® SBA, Implementation Guide for OEMs 42

7.5 Manually Creating the CSR File
If the Certification Authority (CA) does not support automatic generation of the Certificate
Signing Request (CSR), you will need to create it manually. These are the basic steps:

1. Use a tool to create a file containing a private key (*.key) and another file containing the
CSR (*.csr). For example, using OpenSSL, this command :

OpenSSL.exe req -out MyCSR.csr -new -newkey rsa:2048 -keyout MyKey.key

will create two files:

• MyCSR.csr – A file containing your certificate signing request

• MyKey.key – A file containing your private key. Make sure that you keep this
file secure and do not give access to it to unauthorized persons. Do NOT
send this file to the CA.

2. Go to the website of the CA and start the certificate request process. Follow the instructions
in the website.

3. One of the fields/pages in the website will contain a field in which you will be asked to
supply the CSR. Open the MyCSR.csr file (for example using Notepad) and copy/paste the
contents into this field/page. Complete the request process in the CA website.

4. After the CA approves the request, you will receive a signed certificate from the CA. The
next step is to add the private key to this certificate file and create a PFX file. For example,
using OpenSSL, this command:

OpenSSL.exe pkcs12 –export –inkey MyKey.key –in filefromCA –out certname.pfx

will add the private key (from the MyKey.key file) to the certificate received from the CA
(in this example “filefromCA”) into a pfx file named “certname.pfx”. When you run the
command, you will be asked to define a password for the pfx file. Make sure that you
define a strong password. You will be asked for this password for any operation that you
want to perform using the PFX file (for example, using the customization wizard).

Note:

• You can now use this PFX file with the customization wizard and the code signing
tool. If you want to install the certificate, double-click the PFX file to open the
Certificate Import Wizard. (Click Next in the wizard, accepting the default options,
and then Finish.)
• For more information about OpenSSL, see this webpage: http://www.openssl.org/

Intel® SBA, Implementation Guide for OEMs 43

7.6 Exporting to a PFX File
If you want to use the customization wizard to sign the XML files, you must first create a PFX
file from the certificate. This procedure is not necessary if you already have a PFX file.

To export the certificate to a PFX file:

1. Login to the computer with the user account that was used to install the code signing
certificate.

2. Locate the certificate in the Microsoft Management Console (see Using Microsoft
Management Console).

3. Right-click the certificate and select All Tasks > Export. The Certificates Export Wizard
opens.

4. Click Next. The Export Private Key window opens.

5. Select Yes, export the private key and click Next. The Export File Format window
opens.

Intel® SBA, Implementation Guide for OEMs 44

 6. Select Personal Information Exchange – PKCS #12 (.PFX) and make sure that only
the Include all certificates in the certification path if possible check box is selected.

7. Click Next. The Password window opens.

Intel® SBA, Implementation Guide for OEMs 45

 8. Enter a password. You will be asked for this password when you select the PFX file in the
Intel SBA customization wizard.

9. Click Next. The File to Export window opens.

10. Click Browse to define the name of the PFX file and the location where you want to save
it (or type the full path and name in the File name field).

11. Click Next. The Completing the Certificate Export Wizard window opens.

12. Click Finish and then click OK to close the message stating that the export was
successful.

Intel® SBA, Implementation Guide for OEMs 46

7.7 Using the Code Signing Tool
Intel SBA includes a code signing tool (XmlSignTool.exe) that you can use to sign XML files
used by Intel SBA. The tool is located in the XmlSignTool folder and is similar to the
Microsoft* Signing Tool, but only signs XML files.

The code signing tool can get the necessary data to sign the files from these locations:

• A PFX file that you supply

– OR –

• Directly from the certificate store (from “Certificates – Current User”). To use this option,
you must run the tool with the user that was used to install the code signing certificate.

Note:
For testing purposes, you can use the code signing tool to sign any XML file. After signing,
make a change to the value of a tag in the XML file and then try to verify the file again. You
will see that the code signing tool recognizes that the signature is invalid (and therefore so
will Intel SBA).

7.7.1 Syntax

XmlSignTool.exe <command> <target> [/f <pfxFile>] [/p <password>]

Parameter Description
<command> Mandatory. The command that you want to perform. Valid values:
• Sign – Digitally sign the files
• Verify – Verify the digital signature of files
<target> Mandatory. The target for the command. Valid values:
• The full path to a single XML file
• The full path to a folder containing the XML files
Note: If you provide the full path to a folder, ALL the XML files in the
root of that folder are signed/verified with the digital signature of your
company.
/f <pfxFile> Optional. If supplied, the signing tool uses the supplied PFX file. If not
supplied, the signing tool uses the first code signing certificate that it
finds in the personal certificates store of the current user.
/p <password> Optional. Specifies the password to use when opening a PFX file.

Intel® SBA, Implementation Guide for OEMs 47

7.7.2 Examples
These examples show how to use the code signing tool.

To sign an XML file using a code signing certificate in a certificate store:

XmlSignTool.exe sign TestFile.xml

Note:

• The signing tool expects to find only one valid code signing certificate in the personal
store.
• To use this option, you must run the code signing tool on the computer where the code
signing certificate is located. You must also be logged in as the correct user.

To sign an XML file using a PFX file:

XmlSignTool.exe sign TestFile.xml /f Certificate.pfx /p CertPassword

To sign all XML files inside a folder using a PFX file:

XmlSignTool.exe sign folderpath /f Certificate.pfx /p CertPassword

To verify an XML file:

XmlSignTool.exe verify TestFile.xml

Example output when the signature of a file is valid:

Verifying TestFile.xml: OK
certificate name:
certificate Subject: CN=IntelSmallBusinessAdvantage, OU=Domain Control
Validated, O=IntelSmallBusinessAdvantage
certificate thumb: A5AC4AB5A9BA2576DC9F4A74EE0E0C95D5C9F86E
The operation completed successfully.

Example of the output when the signature of a file is invalid:

Verifying testfile.xml: InvalidSignature
certificate name:
certificate Subject: CN=IntelSmallBusinessAdvantage, OU=Domain Control
Validated, O=IntelSmallBusinessAdvantage
certificate thumb: A5AC4AB5A9BA2576DC9F4A74EE0E0C95D5C9F86E
The operation completed successfully.

Intel® SBA, Implementation Guide for OEMs 48

7.8 Preparing the Target System
The verification that Intel SBA performs on the XML files includes two parts:

• A check that the content of the XML file has not been changed since the file was signed.
This check is always done locally on the computer running Intel SBA.

• A check that the certificate that was used to sign the file was issued by a “trusted” entity.
This check is done locally if possible, and over the Internet if not possible locally.

Each certificate contains data about the organization from which it was issued (the issuer).
This data forms a “certificate chain” that ends in a trusted root certificate of a known CA.
Intel SBA tries to validate this chain locally on the computer. If the chain cannot be validated
locally on the computer, Intel SBA goes out to the Internet to validate the CA.

In certain conditions, validating the certificate chain over the Internet can take a few
minutes. The end user will not know why Intel SBA does not open immediately. Thus, it is
recommended to install a certificate with this chain on the target computer before it is sent
out to the customer (or Reseller). This is done by installing a P7B file on the target system. A
P7B file contains the full certificate chain but does not contain the private key.

Note:

• You should never install the private key on the target system. If you installed the code
signing certificate on the target system, make sure that you delete it from the
“Certificates – Current User” store.
• After installing the P7B file on the target system, it is recommended to check that it was
installed in the correct location (“Certificates (Local Computer)”).
For information about how to view certificates, see Using Microsoft Management Console.

For more information, see:

• Creating a P7B File

• Installing the P7B File

Intel® SBA, Implementation Guide for OEMs 49

7.8.1 Creating a P7B File
This procedure describes how to create a P7B file.

To create a P7B file:

1. Login to the computer containing the code signing certificate using the user account that
was used to install the code signing certificate.

2. Locate the certificate in the Microsoft Management Console (see Using Microsoft
Management Console).

3. Right-click the certificate and select All Tasks > Export. The Certificates Export Wizard
opens.

4. Click Next. The Export Private Key window opens.

5. Select No, do not export the private key and click Next. The Export File Format
window opens.

Intel® SBA, Implementation Guide for OEMs 50

 6. Select Crytographic Message Syntax Standard – PKCS #7 Certificates (.P7B) and
make sure that the Include all certificates in the certification path if possible check
box is selected.

7. Click Next. The File to Export window opens.

8. Click Browse to define the name of the P7B file and the location where you want to save
it (or type the full path and name in the File name field).

9. Click Next. The Completing the Certificate Export Wizard window opens.

10. Click Finish and then click OK to close the message stating that the export was
successful.

7.8.2 Installing the P7B File

After creating the P7B file, install it on the target system using the CertUtil.exe utility
(included in Windows* 7). The file must be installed in the “Certificates (Local Computer)”
store of the target system. For example, this command installs a P7B file named
“MyP7Bfile.p7b” in the correct location:

CertUtil.exe –addstore my MyP7Bfile.p7b

Intel® SBA, Implementation Guide for OEMs 51

8 Copying an Intel SBA Installation
This section includes tasks that must be completed before deploying the customized
installation of Intel SBA.

The procedure below describes how to copy a customized Intel SBA installation to another
computer. If you want to create a deployment image of the customized installation, do the
tasks described in step 1 of the procedure.

To copy a customized Intel SBA installation to another computer:

1. After completing customization on the source computer, delete these files on the source
computer:

• AllUsersGuiData.xml (see Resetting the End User Licenses)

• ServiceData.bin (see Resetting Configuration Data)

To delete the files, you will need to reset the file permissions (see Resetting File and
Folder Permissions).

2. Install Intel SBA on the target computer (see Installing Intel SBA).

3. Reset the file and folder permissions on the target computer (see Resetting File and
Folder Permissions).

4. Copy the contents of this folder from the source computer to replace the contents of this
same folder on the target computer:

C:\ProgramData\Intel\Intel(R) Small Business Advantage

Note:

Copy all the subfolders and files, EXCEPT for the IUM folder. This folder contains data
used by the update mechanism of Intel SBA.

5. If you changed the product name:

a. On the target computer, update the program name (see Updating the Program
Name in the Control Panel).

b. Copy the desktop shortcut created by the customization wizard from the source
computer to the desktop of the target computer.

c. Update the program name and the icon in the Start > All Programs menu.

Intel® SBA, Implementation Guide for OEMs 52

8.1 Resetting File and Folder Permissions
During installation, this folder is created to store the program data files:

C:\ProgramData\Intel\Intel(R) Small Business Advantage.

For increased security, permissions on this folder and the files it contains are limited. Each
time the service starts, it removes all existing permissions for all users on this folder and files
and gives only the Read permission. This means that before you can copy files to this folder,
you must give yourself permissions on the folder. Also, if you want to make changes to a file
in the folder after the service has started, you must give yourself permissions on the file. The
easiest way to do this is to give full control to the Everyone group.

Note:

Opening the customization wizard automatically gives full permissions to all files in the
folder. (Advance to the Welcome window and then close the wizard.)

To manually give full control permissions:

1. Right click the folder or file and select Properties.

2. Select the Security tab.

3. In the list of users, select Everyone and click Edit.

4. Select the Full control check box. (All the check boxes will be selected.)

5. Click Apply and then OK. When you restart the service, the service will automatically
remove the full control permissions from the Everyone user group. If the service does not
start, try running the customization wizard. This will correct any problems that exist in the
folder and file permissions.

Intel® SBA, Implementation Guide for OEMs 53

8.2 Resetting the End User Licenses
When opening the GUI for the first time, two license agreements are shown:

• End User License Agreement – The end user must select the check box to accept the
agreement before they can use Intel SBA. If you changed the product name, the license
that you uploaded in the customization wizard will be shown instead of the Intel license.

• Update Consent Agreement – The end user can select if they want to activate the
optional mechanism to automatically check for updates. If they decline, they will be able
to activate it later from the main menu in the GUI.

The accept/decline data for these licenses is stored in this file:

C:\ProgramData\Intel\Intel(R) Small Business Advantage\Gui Data\AllUsersGuiData.xml.

Note:

• The AllUsersGuiData.xml is not installed during installation. It is created each time the
GUI is opened and the license agreements are shown.
• You must delete the AllUsersGuiData.xml file before sending the completed installation
to the customer (or Reseller). This is a mandatory requirement. If you do not delete the
file, the end user will not be asked to accept the licenses.

Intel® SBA, Implementation Guide for OEMs 54

8.3 Resetting Configuration Data
Data used by the service component is saved in this file:

C:\ProgramData\Intel\Intel(R) Small Business Advantage\ServiceData.bin.

This data includes:

• The service password

• The remediation questions and answers (for authentication to change the service
password if it is forgotten)

• The status of the service (configured/not configured)

• A list of software applications that are being monitored by the Software Monitor
application

• A list of tasks that were configured to run using the PC Health Center application

Note:

• The ServiceData.bin is not installed during installation. It is created when the password
is set and the Intel ME is configured (see How the Intel ME is Configured).
• You must delete the ServiceData.bin file before sending the completed installation to
the customer (or Reseller).

Intel® SBA, Implementation Guide for OEMs 55

8.4 Updating the Program Name in the Control Panel
If you changed the product name, the name you defined in the customization wizard is
shown in the Control Panel (instead of “Intel® Small Business Advantage”).

When you copy the customized installation to another computer, the name in the Control
Panel is not changed. You will need to change it manually. When you change the product
name, the customization wizard creates these registry files that you can use to do this task:

• ProgramFeatures.reg – Use this file for 32-bit systems

• ProgramFeatures64.reg – Use this file for 64-bit systems

The files are located in this folder: C:\ProgramData\Intel\Intel(R) Small Business Advantage

To change the name in Control Panel:

1. Copy the correct file to the target computer system where you installed Intel SBA.

2. Double-click the file and click Yes.

3. Open the Control Panel and check that the correct name is shown.

Intel® SBA, Implementation Guide for OEMs 56

9 Known Issues
This table describes known issues with this release of Intel SBA.

ID Description

In the Settings > Send Email Settings window, sending a test email using a
Hotmail account sometimes fails without giving the correct reason. This can occur if
DE1732 Hotmail uses picture verification during the email sending process (to prevent
spamming). When this happens, the test email will fail and the user will not know
the reason why.
Trying to uninstall Intel SBA while Intel SBA is still checking for updates causes an
DE1719 error message. After clicking OK, the uninstallation continues but the Service\IUM
folder is not deleted.
When uninstalling Intel SBA, you can select to keep the customized data files (by
clearing the Delete data files check box). When reinstalling Intel SBA, the
customized settings should still be available exactly as they were defined before
uninstalling Intel SBA. But, after reinstall:
DE1715 • The applications in Software Monitor and the tasks in PC Health Center are not
shown in the same order that they were defined.
• Applications added to Software Monitor and tasks added to PC Health Center
do not have their check boxes selected. (This means that they will not appear
as “selected” by default in the GUI).
In the Alert Center, users without administrator privileges are incorrectly allowed to
select/unselect the check boxes in the IGNORE column. This only occurs if
DE1701
Intel SBA is configured with an empty password. Non-admin users should not be
allowed to make any configuration/settings changes in Intel SBA.
The customization wizard incorrectly lets you select a *.bat file in the
DE1698 CUSTOM APPS window. Applications based on *.bat files are not supported and will
not be shown in the GUI.
In the Exceptions tag of USB Blocker, adding more than five connected USB
DE1695
devices to the whitelist creates an empty item in the DETECTED USB DEVICES list.
During normal operation of the Energy Saver and PC Health Center applications,
Intel SBA makes changes to the Windows power settings. When the task is
complete, Intel SBA changes the Windows power settings back to the original
DE1694 settings. During uninstall, this reset does not occur if uninstall is started after the
Windows power settings were changed by Intel SBA. This could cause the
computer to go to sleep after Intel SBA is uninstalled (but only if no activity is
detected for 15 minutes).

Intel® SBA, Implementation Guide for OEMs 57

 ID Description
After too many failed login attempts, Intel SBA is locked. But, Intel SBA incorrectly
allows the user to click the “Forgot your password” link and change the password.
DE1693
After the password is changed, Intel SBA is still locked (correctly) until the
allocated time has passed.
After configuring Intel SBA, clicking a button or menu item that opens a new
window in the GUI sometimes shows this critical error:
“A critical error occurred. If restarting the computer does not solve the problem,
please reinstall Intel® Small Business Advantage.”
The error is caused by an issue in the Windows Presentation Foundation (WPF) and
DE1691
.Net Framework layers used by Intel SBA. The error could not be reproduced
consistently and occurs only on some computers. This issue is being investigated
further with Microsoft.
If this error occurs, click OK and then click the same button or menu item again to
open the window correctly (without showing the error message).
Uninstalling Intel SBA does not remove PC Health Center tasks from the Windows
DE1685 Task Scheduler. The tasks and the “Intel(R) Small Business Advantage” folder must
be manually deleted from the Task Scheduler Library.
Adding 14 custom applications to Intel SBA in the CUSTOM APPS window of the
DE1683
wizard creates an empty third page in the grid view of the GUI.
In the Send Email Settings window, typing an email address or an SMTP value that
include a space at the end will cause an invalid field error. The space is incorrectly
DE1677
included in the validation of the value and must be deleted before the value is
accepted.
Repeatedly double-clicking the GUI icon before the GUI has opened causes multiple
DE1659
instances of the GUI to open.
In Software Monitor, the status of a monitored application is not always
immediately changed to “Running” when you configure the application to be
DE1640
monitored. If you click another application in the carousel/grid, and then click
Software Monitor again, the status is updated.
During uninstall, typing an incorrect password and then clicking Next several times
creates multiple invalid password messages. Some of the messages are hidden
DE1625
behind the uninstall window and cannot be seen. This can cause the installer to
move to the “Not Responding” status.
When launching the update from the task tray icon, the Update Consent
DE1615
Agreement is shown a second time, even if it was already accepted.

Intel® SBA, Implementation Guide for OEMs 58

 ID Description
In certain conditions, you cannot make changes to the alternative backup
application that was loaded in the DATA BACKUP AND RESTORE window of the
wizard. An error message shows stating that “An app with this name already
DE1600
exists…”. This only occurs if after uploading the application you continue to the
CUSTOM APPS window and then click Back to go back and make changes.
To solve this problem, exit the customization wizard and start again.
In Energy Saver, 15 minutes before the scheduled SLEEP time Intel SBA changes
the Windows power settings. If the SLEEP time is reconfigured, Intel SBA removes
the changes that it made and restores the original settings. This is the correct
DE1592
behavior. But, if you reconfigure the SLEEP time after Intel SBA has already made
the change, the original Windows power settings are not restored. If no activity is
detected, the computer will go to sleep even if the SLEEP time was cancelled.
In certain conditions, the name of the application in an alert message generated by
Software Monitor is incorrect. This only occurs if the applications use a process or
DE1590 service that have the same name. When uninstalling application A and then
installing application B, the message includes the name of application A. Although
the message is incorrect, application B is monitored correctly.
During uninstall, the Intel ME is unconfigured but the power package in the Intel
DE1578
ME is not restored to the factory default.
An error is sometimes logged in Windows Event Log: “Failed to open the log file:
System.IO.IOException: The process cannot access the file…”. This error is
DE1406 sometimes generated incorrectly when the service starts up and tries to add a
record to the Intel SBA log. By default, the Intel SBA log file is disabled and so the
service will not usually generate these error messages.
PC Health Center tasks that are configured to run at the same daily/weekly time
DE1300 are run simultaneously. A delay/priority mechanism was not implemented to give
priority according to the type of task.
Running the installer after running the customization wizard deletes some of the
customized XML files. If you need to reinstall Intel SBA, copy the contents of the
DE998
C:\ProgramData\Intel\Intel(R) Small Business Advantage folder to another location
before running the installer. After installing Intel SBA, copy the files back.
The installer (Setup.exe) does not very if Intel SBA is already installed (the
DE807
installation overwrites the existing installation).
When an alert occurs, but an email cannot be sent, the user is not notified about
DE696
the problem.
When a USB device is blocked by the USB Blocker application, the notification
DE685
message and log do not specify which type of device was blocked.

Intel® SBA, Implementation Guide for OEMs 59

 ID Description
After installing Intel SBA, in some conditions, the service does not start and cannot
be started manually. This can only occur if both of these conditions are true before
starting the installation:
1. The Chinese version of Kingsoft* Antivirus is installed on the computer.
2. The computer is connected to a LAN, but the internet connection is not working
or blocked.
Because the service does not start, the GUI will return internal errors when you try
DE240 to use it. To solve this problem:
1. Disconnect the LAN cable from the computer.
2. Open the Services window.
3. From the list of Services, select the “Intel(R) Small Business Advantage” service.
4. Click Start to start the service.
5. After the service has successfully started, reconnect the LAN cable to the
computer.

Intel® SBA, Implementation Guide for OEMs 60