
Intel vPro Expert Center Blog

August 2007


Traditionally speaking - if security is improved, manageability suffers.  The reverse of this is true also - traditionally.



Intel vPro presents a different approach and perspective to this common understanding - consider some of the usage models and scenarios described at the following link.  (see the "improve security" and "extend manageability" links on this page under Resources - lower right side)



The above links demonstrate and introduce the usage models and capabilities.  But - what about ensuring the security of the platform?  As commonly inquired - "Could vPro be used maliciously?"  Considering that any tool of value - even the screwdriver sitting in a garage or a desk drawer - could be used maliciously, the question might be better phrased - "What are the built-in security features of Intel vPro?"  The following is only a summary and overview - yet should provide some comfort in the platform.  (BTW: Are you aware of all the security features in current environments, or would introducing vPro perhaps expose a long term policy or technological oversight?  Just a thought.)


  • Internal security - Use of Intel digitally signed firmware. In some cases, the OEM will also require their digital signature for firmware updates. The non-volatile RAM (NVRAM) has strict security and access control. There is a small section referred to as "3rd party datastore" or 3PDS. Access to this area requires registration with Intel and granting of a token. Communications into the management engine occur through secure channels - whether from the operating system or from the network interface. Generally speaking - compromising the internal security would indicate there are bigger problems in the environment.

  • Enterprise setup and configuration security - Enterprise mode setup and configuration is handled via either a pre-shared secret or certificate based authentication. (see related blog on the latter). The configuration uses secure handshakes, authentication, and so forth. Replay attacks are prevented. With the latest configuration service, there is an option to require authentication or approval of systems to be provisioned\configured. Pre-shared keys are changed after configuration, and subsequently based on definable schedules. Minimal setup rights can be used to limit exposure of the accounts that perform setup\configuration. Security audit logs and event logs monitor activities. The process also has dependencies on the enterprise DHCP, DNS, PKI\CA, and so forth. Generally speaking - if the enterprise setup and configuration service is compromised, there are bigger problems within the environment (whether technological, social networking, policy\procedure, etc.)

  • Operator Security - Roles, permissions, and AMT security realm access control come into play here. This effectively defines who is allowed to configure the "configuration services", who is allowed to authorize or change vPro configurations, and who is allowed to utilize functions on configured vPro systems. The "who" could be defined by a user, group, service, etc. In addition - use of Kerberos for user rights mgmt and so forth provides an integration into Microsoft Active Directory. Thus a group of users can be defined with various levels of access control and capability. Plus - all security related actions and configuration changes can be logged. Generally speaking - if an operator compromises vPro security, there are likely bigger problems in the environment (eg. policies, procedures, etc.)

  • Communication Security - Once a system is configured, transport layer security (TLS) or Mutual TLS can be used to secure management traffic. User sessions can be authenticated using a digest protocol or Kerberos.

  • Infrastructure Security - Since vPro effectively has a separate management computer inside, this management engine can be configured for environments supporting wireless profiles (WPA or WPA2), VLAN, Network Access Control, 802.1x, etc.

  • Operational Client Security - On top of all the configuration security items is the end-user usage and capabilities, with items such as System Defense, Agent Presence, remote power management, and so forth.


This returns to the first question - Can manageability and security be raised together for client management? 



Open to hear from the community on your thoughts - whether in agreement or disagreement.



We just released the Intel AMT Developer Tool Kit (DTK) v0.37 . Here are the highlights of the changes in v0.37:

  • Intel AMT Monitor in Japanese. Improved Japanese internationalization and now, Intel AMT Monitor is also in Japanese. Thanks to 3 Intel employees at Intel Japan, the Intel AMT DTK and Intel vPro products are much more successful in Japan. For people who did not know, English, Japanese and Simplified Chinese are all included in the standard Intel AMT DTK package.

  • Improved Commander support for Switchbox. Intel AMT Commander can be used to connect to Intel AMT Switchbox in TLS mode, and now, Commander will show connection warnings if the certificate is invalid and can also be used to issue a new certificate to Intel AMT Switchbox. This makes using Intel AMT Switchbox with full TLS security easier than ever.

  • Intel AMT Commander Network Feature. Now includes NIC info, environment discovery & VPN routing. Intel AMT Commander can now display all of the network configuration settings of the ME, set the ME's Sx state ping response, set the VPN routing flag (AMT 2.5 only) and now fully supports setting the environment detection parameters (AMT 2.5 and 3.0 only). Now Intel AMT Commander can be used to fully experiment with these new platform features.

  • First attempt at running Commander on Linux and MacOS. This new version of the DTK includes a new folder called "MonoEdition" and the source code includes a new "Debug-Mono" compiler target in an attempt to run Intel AMT Commander on the MONO framework. MONO is an open source project attempting to build a compatible Microsoft .NET framework on Linux. So far, only a very limited version of Commander can run on MONO 1.2.4 within Microsoft Windows, and no luck running on Linux yet.  It's likely that with the release of MONO 2.0 later this year, Commander will run pretty well.


In addition to these, we made many more changes and bug fixes. For example: The terminal will now show if a laptop is connected on AC or is using battery. As usual, we encourage people to test and submit bugs & feedback on Intel AMT Commander, Director, Outpost, Monitor & Switchbox.




Audio blog: Ylian's audio blog on the Intel AMT DTK v0.37 (.mp3)



Updated screens:





Ylian (Intel AMT Blog)
