
You may recall that, last year, I was very excited about Intel Identity Protection Technology (IPT). Then it was all about One Time Password (OTP); basically using the 2nd generation Intel Core processor as an OTP key fob. This year, IPT is getting some new and even cooler features. I've already written about PKI and one aspect of Protected Transaction Display. Today, let's talk briefly about another aspect of Protected Transaction Display.


Protected Transaction Display provides a method to get secure input from a user. It works by giving the Management Engine (ME) the ability to draw on the screen. When it does this, software running in Windows does not see what's on the screen; all it sees is a black square. For input, there is a keypad with the numbers in randomized locations. The user enters a number by clicking the keypad with the mouse. Although Windows can tell where on the screen the mouse is, only the ME knows which numbers were actually entered.


What the user sees.


What malicious software sees.


OK, that sounds a little complicated just to get a number from a user. So how's it useful? Well, one way is to get a PIN code. When PIN codes are entered using Protected Transaction Display, malicious software will be unable to determine the code entered. This protects the code from spying eyes.


Another use is for transaction verification. For example, let's say you want to transfer $100 from your bank to your friend. It's possible that malicious software could change the $100 value without you or the bank knowing it. However, using the ME, the bank can verify the transaction amount like so: the bank asks the ME to verify the number it thinks you want. The ME pops up and asks you to enter the amount. If what you enter matches what the bank asked for, the ME responds to the bank that it matches. Otherwise the ME responds that it doesn't match, and the bank can then deny the transaction.
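The verification flow described above, modeled end to end as an added example (not Intel's or any bank's code). The per-transaction nonce, the HMAC-SHA256 tag on the ME's answer, the shared key and every name below are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Challenge:
    nonce: bytes        # fresh per transaction, so an old answer cannot be reused
    amount_cents: int   # amount as the bank received it (possibly already altered)


@dataclass(frozen=True)
class Response:
    nonce: bytes
    matches: bool
    tag: bytes          # HMAC over (nonce, amount, matches) under the shared key


def _tag(key: bytes, nonce: bytes, amount_cents: int, matches: bool) -> bytes:
    msg = nonce + amount_cents.to_bytes(8, "big") + bytes([matches])
    return hmac.new(key, msg, hashlib.sha256).digest()


class SimulatedME:
    """Stand-in for the isolated engine: host software sees neither key nor input."""

    def __init__(self, key: bytes):
        self._key = key

    def verify(self, ch: Challenge, user_entered_cents: int) -> Response:
        # The user types the amount on the protected display; only the
        # match/no-match answer, authenticated with the key, leaves the engine.
        matches = user_entered_cents == ch.amount_cents
        return Response(ch.nonce, matches,
                        _tag(self._key, ch.nonce, ch.amount_cents, matches))


class Bank:
    def __init__(self, key: bytes):
        self._key = key
        self._pending = {}

    def challenge(self, requested_cents: int) -> Challenge:
        ch = Challenge(secrets.token_bytes(16), requested_cents)
        self._pending[ch.nonce] = ch
        return ch

    def decide(self, resp: Response) -> str:
        ch = self._pending.pop(resp.nonce, None)   # each nonce is single use
        if ch is None:
            return "deny: unknown or replayed nonce"
        expected = _tag(self._key, ch.nonce, ch.amount_cents, resp.matches)
        if not hmac.compare_digest(expected, resp.tag):
            return "deny: response not authenticated"
        return "approve" if resp.matches else "deny: amount mismatch"


def flip_to_match(resp: Response) -> Response:
    """Host software rewriting the answer; without the key the tag goes stale."""
    return Response(resp.nonce, True, resp.tag)


def run_transfer(user_intends_cents, browser_sends_cents, host_tamper=None):
    """One transfer: what the user means, what the browser sent, what the bank decides."""
    key = secrets.token_bytes(32)          # constructed key, provisioned out of band
    bank, me = Bank(key), SimulatedME(key)
    ch = bank.challenge(browser_sends_cents)
    resp = me.verify(ch, user_intends_cents)
    if host_tamper is not None:
        resp = host_tamper(resp)
    return bank.decide(resp)


if __name__ == "__main__":
    print(run_transfer(10_000, 10_000))                  # untouched request
    print(run_transfer(10_000, 950_000))                 # amount altered in the browser
    print(run_transfer(10_000, 950_000, flip_to_match))  # answer altered on the host
```

The bank approves only when the amount it received equals the amount the user entered inside the engine and the answer carries a valid tag for this transaction's nonce.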


Of course, there are probably many other possible uses for Protected Transaction Display. That's what excites me the most about it. It's a totally new technology. I think we're just beginning to imagine all that may be possible.

This article is an update to "Build your own PC with the 2nd generation Intel® Core™ vPro Processor Family". Now that the new core CPUs are out, along with Intel AMT version 8, I wanted to share what is needed to build your own desktop PC with these new technologies. First, you need a motherboard with an Intel Q77 Express Chipset. For KVM Remote Control, also be sure the motherboard supports Intel Integrated Graphics. The Intel DQ77KB and DQ77MK are two such boards. ASRock has the Q77M vPro. Gigabyte has the Q77M-D2H. Jetway has the NF9E-Q77.


Next, you need a 3rd generation Intel® Core™ vPro Processor. Further, if you want KVM Remote Control support, you also need a CPU with Intel Integrated Graphics. An Intel Core vPro processor without Intel Integrated Graphics will still give you Intel AMT 8.x, but you won't be able to use KVM Remote Control. This page has an up to date list. From there you can apply a filter to show only processors with vPro technology and Intel Graphics if you like.


Now onto wireless. Starting with Intel AMT 7.x, vPro added support for wireless on desktop. This, of course, is optional, but if you'd like to use Intel AMT over wireless on your new system, there are extra requirements. First, your motherboard needs support for Intel AMT wireless. This means a mini-PCI express connector with wiring for AMT communications. The Intel DQ77KB is the only one I know for sure to support this. If I learn of others, I will add them to this list. Next, you need to find an Intel® Centrino® Advanced-N 6205 Wireless NIC. Lastly, you'll need a wireless antenna.


One other interesting development in the build your own system area is that new standardized All-in-One chassis are coming on the market. They use a half height mini-ITX form factor. Although this is not specific to vPro, I for one am excited to get to build my own All-in-One vPro system for the first time! The Intel DQ77KB is an ITX board and will fit into one of these new chassis.


So go out and build your systems. Then post your system specs and your favorite vPro feature or use case.

I’m the social media manager for IT@Intel. Part of my job is to share Intel IT group’s best practices with the industry through social media. Our Intel IT experts write white papers, post blogs and are often featured in videos sharing their knowledge. There’s an amazing stash of best practices on our web site; I always dig through and find great stuff there.


I also work with Intel product teams launching new products like the 3rd Generation Intel® Core™ vPro™ processors. When I heard about the security features of this new platform, I remembered an IT@Intel Brief entitled, “Enterprise Security Benefits of Microsoft Windows 7*.” The brief was from 2010 when Intel IT started deploying 64-bit Microsoft Windows 7 Enterprise on employee PCs with Intel Core vPro processors to improve PC manageability across the enterprise. By the end of 2011, we completed the transition to Windows 7 on mobile business clients based on Intel vPro technology.


This 2010 Intel Core vPro processor provided key security capabilities that complemented Microsoft Windows 7 security; these include secure remote management, more-effective deployment of patches, and isolation of infected PCs. Our technical evaluation of Microsoft Windows 7 that preceded this new platform rollout included an extensive security assessment by Intel IT, including an analysis of capabilities designed to address existing threats. More details are included in the brief.


I was excited to see that there are even more security features in the new 3rd Generation Intel Core vPro processors rolling out. If you are considering deploying platforms with this newest vPro technology, there are tons of new product guides in the  You may also want to refer to the IT@Intel Windows 7 and Intel vPro technology brief as you design your own security assessment for this new platform. And we'd love to know - what other methods are you using?


If you have questions about what Intel IT is doing around PC security assessment, let me know. I will dig through our papers or get the right IT@Intel experts to join the discussion. Also, if you want to get regular PC updates on best practices from IT@Intel, register for the Intel IT Center newsletter on, or join our Intel IT Center LinkedIn Group, or follow us on Twitter @IntelITS.



     Under the Intel Identity Protection Technology (aka IPT) umbrella, there is one component getting some well-deserved attention with the Ivy Bridge platform (3rd Generation Core Technology). It is the Protected Transaction Display (aka PTD). This is especially attractive among Brazilian banks, where the fraud rate is still high due to a lack of legislation on cybercrime. Financial institutions have a pragmatic approach and try to adopt technology that will prevent fraud against their online banking customers.

     There are two main approaches to getting money fraudulently in an online transaction. The first is getting in the middle of the transaction, i.e. “man in the middle” (MITM), such as creating a phishing site that gathers user information, even the One Time Password (OTP) tokens the user generates for second-factor authentication, and executes the desired transaction with the bank in real time. Hackers also conduct fraudulent bank activity by gaining control of the user’s machine without it even being noticed, referred to as “man in the browser” (MITB).

     Until now, protecting users from MITB attacks and guaranteeing a high level of security for online transactions was extremely hard, and nearly impossible from merely the operating system level or the banks’ online security features. To protect against this kind of attack, it is required to add a 3rd party component to confirm the authenticity of each transaction.

     In order to protect online transactions from both MITM and MITB methods of fraud, a tamper-proof hardware component that is isolated from the OS comes into play. PTD can store a cryptographic key shared with the back end of the online banking server. This means that sensitive information such as passwords, account details, confirmation of transactions etc. can be presented to the user without the OS being able to read what has been passed; only PTD is able to decrypt it and send it to the Intel GPU in a secure way to be rendered.

     On May 15th at IDF Brazil, I presented in a session about “Rethinking Information Security” and showed a demo in collaboration with Banco do Brasil, where they did an amazing job integrating and securing the entire flow, from provisioning up to completing a transaction. As soon as a user of Banco do Brasil’s online banking opens the Banco do Brasil web site, the site can detect that the user’s Ultrabook is IPT capable and suggests that he or she activate this technology in order to improve security and eventually expand online transaction limits. The provisioning process is fairly quick and easy. Once the cryptographic key is generated and sent to the bank, the user can confirm the process and identify himself or herself through already trusted channels, i.e. ATMs or a mobile phone. Only the first time you access the site will you be required to create this trusted relationship between your personal machine and the online bank. After that, you can conduct all your online banking transactions in the usual manner, but much more securely.

     The following picture is what users will see:


     Note that the page appears somewhat normal; however a hacker that is capturing the screen to gather user entries will not be able to read these protected windows and will see this same screen like this:


     This is absolutely bringing another level of security to online transactions and will create a stronger barrier for hackers using such increasingly popular conventional methods to collect users’ information.

     I would like to take this opportunity to say thank you to Banco do Brasil’s security team that did an awesome job preparing the demo for IDF Brasil... These guys really rock!

Have you downloaded the latest Intel® Setup and Configuration Software? Well, Intel SCS 8.0 is out and we've got Dena Lumbang, from the Business Client Platform Division, here on a brand new episode of Tech 10 to tell us all about this software's most recent update. Listen in below to learn about the new features and why Intel SCS 8.0 is the best way to implement Intel vPro technology in your IT environment!


Enjoy and be sure you stay tuned for our next Tech 10 episode!

Tech 10: Intel Setup and Configuration Software 8.0 - It's here!


The manageability and security features of the Intel Core vPro Processor platform always garner a lot of attention, as they should.  But, there’s a lot more under the covers to be aware of that helps make the vPro platform the best one for business.  I’ll be highlighting some of these features today that are part of our third generation Core vPro Processors.


Let’s start with graphics.  You will see up to a 2x increase in graphics performance compared to our previous generation platform.  The latest generation of our Intel HD Graphics also includes DirectX 11 support.  With both the cost and complexity of doing video work shrinking, and social networking expanding, video is becoming a very common tool for businesses of all sizes.  The process of encoding video for different sources can be time consuming.  Intel Quick Sync Video helps to make this process a lot faster.  This technology leverages the capabilities in Intel HD Graphics to accelerate the process of converting video into different formats.  Here’s a brief overview video:


Check out the Intel Quick Sync Video website for additional details, including a list of software products that make use of this technology.


Energy efficient performance is still one of the big cornerstones of the 3rd Generation Core vPro processor family.  You get Intel Turbo Boost Technology 2.0, which will automatically speed up the CPU when heavy workloads are detected and there’s thermal headroom.  This allows you to get work done faster and maintain great battery life compared to previous generations that would have to run the CPU maxed out for longer periods of time to get you the same results.  In addition to Intel Turbo Boost Technology, there’s also Intel Hyper-Threading Technology on supported processors.  This allows each processor core to run two tasks at the same time.


Here’s a video that gives you a good visual of how Intel Hyper-Threading Technology works.


You may recall that Intel Identity Protection with One Time Password (OTP) was first introduced last year. It was geared towards embedding hardware based OTP tokens into the platform. This year, the 3rd Generation Core vPro Processors aim to expand Intel IPT with two new features. They are:

  • Intel IPT with Public Key Infrastructure (PKI)
  • Intel IPT with Protected Transaction Display


For those that don't know, PKI is used for authentication, kind of like a user name and password. However, it uses certificates to authenticate a user. A certificate is kind of like your driver's license. It proves you are who you say you are. A certificate can identify a user, a computer, a document, software, and more. A certificate can also be used when encrypting information. One use for this is when connecting to a VPN. The VPN may ask you for a user name and password, and then may ask for a certificate. So, if someone else figured out your user name and password, they still couldn't get in because they don't have your certificate. Other uses include document signing, email signing and encryption, and secure access to web applications.


Today, PKI is in wide use and comes in two flavors: hardware and software. If you've ever seen or used a Smart Card or another Hardware Security Module (HSM), that's hardware PKI. The certificates are stored on the card and the card does all certificate-related (crypto) operations. For software, certificates are stored on the computer and the CPU does all crypto operations through software.


OK, great, but how does Intel IPT with PKI fit into all this? Well, Intel IPT with PKI is essentially an HSM embedded in the platform. This provides the security of an HSM with the cost effectiveness and ease of use of software based certificate management. This is achieved by using the Intel Manageability Engine (ME) to perform all cryptographic operations. In this way, keys are never exposed to software running on the main CPU. Further, all certificates are tied to the platform on which they are created.


The ease of use of Intel IPT with PKI is achieved in a number of ways. First, since keys are tied to the PC hardware, the PC itself becomes part of the authentication scheme. Compare this to a smart card where each card has a cost, and may need to be replaced over time. Further, Intel IPT with PKI software is exposed as a Cryptographic Service Provider (CSP) via the Microsoft CryptoAPI software layer. In other words, software like Internet Explorer, Outlook, Anyconnect, and many more just work with Intel IPT with PKI, no changes required.


Intel® Identity Protection Technology (IPT) with Protected Transaction Display allows for secure PIN input. This is accomplished by allowing the ME to draw the input window and accept mouse clicks as input. In this way, software running on the main CPU does not have access to what is actually on the screen. However, the user can see it. Further, number keys on the PIN pad are randomized such that on every PIN entry the mouse position will be different.


What the user sees:


What software on the CPU (e.g., a process implanted by a hacker) sees:



Since certificates can be password protected, Intel IPT with PKI and Protected Transaction Display can be coupled to offer the ultimate in certificate security.


We've partnered with Symantec to offer this feature through their Managed PKI Service. Check out this video to see an example of Intel IPT with PKI in action.




One feature about Intel AMT that I feel is quite valuable is the ability to get different logs from Intel AMT. The logs available are Event, AccessMonitor (audit), Redirection and Setup.


If you don’t have the Intel vPro PowerShell module yet, download at

The first thing to do is import the IntelvPro Module:

PS C:\Users\cdpiper> Import-Module IntelvPro


Now let us map a New-PSDrive to a remote vPro system.  To do so, run the following command from the PowerShell console:

PS C:\Users\cdpiper> New-PSDrive -Name AMT -PSProvider amtsystem -Root "/" -ComputerName -Credential $myPScredential


If your AMT client is configured in TLS mode (TLS encrypted traffic over AMT Port 16993), add the -TLS switch to the command. The name of the drive can be whatever you would like; I have settled on a name of AMT for consistency, but feel free to change this. Now the PSDrive is mapped, so let’s get some event log data.

PS C:\Users\cdpiper> Get-Content amt:\Logs\EventLog




Looks like I booted this machine on May 8th.


Great! …but… how do I save this data?


There are several ways to do this.

PS C:\Users\cdpiper> Get-Content amt:\Logs\EventLog > out.txt


This sends the data to a text file named out.txt, but it overwrites anything that is already there. To append instead, use the Out-File cmdlet:

PS C:\Users\cdpiper> Get-Content amt:\Logs\AccessMonitor | Out-File .\out.txt -Append



What if we wanted to get this data into Excel?




PS C:\Users\cdpiper> Get-Content amt:\Logs\EventLog | Export-Csv out.csv


Now I just type PS C:\Users\cdpiper> .\out.csv and since I have Excel installed, it pops right up!




We live in curious times. People are doing more things online than ever before. Many employees telecommute instead of driving to work. We communicate more often through email. As a result, life is much more convenient. For example, if I am not feeling well or am buried in the snow, I don’t have to choose between infecting my coworkers and tackling a giant pile of tasks that had to wait; instead, it will be business as usual, except I will be at home. I don’t have to hand-carry or use “snail mail” to send or receive sensitive documents anymore; I can get them where they need to be in seconds via email. I, for one, would not want to go back to the way things were. However, all of this convenience comes with a price: It opens the enterprise to additional security risks. In response to this, the industry has come up with some great solutions that companies use to mitigate these risks.


In order to be productive, telecommuting employees must be able to use network resources as if they were physically in the office. This means that all network traffic, including sensitive information, must travel over the internet where it might be snooped. In order to safely access company networks, enterprises set up Virtual Private Network (VPN) connections for their employees to use. VPN connections authenticate the user with a Public Key Infrastructure (PKI) key and login information, and then establish a secure, encrypted connection between the employee and the company network.


Email is a great way to communicate with people both inside and outside of your organization. It delivers almost instantly and you can attach files or documents. However, email can be insecure and email senders can be spoofed. For these reasons, when you send an email you can optionally sign and/or encrypt the email. When you sign an email, you use a PKI key to create a digital signature of the email which is verified by the receiver. This signature confirms to the recipient both that you are the person who sent the email and that the email has not been altered since you sent it. Your email client usually does this process in the background, and will notify you, loudly, if an email’s signature is invalid. Signing prevents an attacker from either sending you an email pretending to be someone you trust, or altering a message sent by someone you trust before it gets to you. Encrypting uses a PKI key to encrypt the email and any attachments, which are decrypted by the recipient on the other end. It prevents anyone but the person you send the email to from reading it.


The point of commonality between these solutions is the Public Key Infrastructure. PKI key pairs are made up of two parts: the public key and the private key. These two keys are mathematically related so that anything encrypted by the public key can only be decrypted by the private key and anything encrypted by the private key can only be decrypted by the public key. The public key is freely available to anyone who wants it. The private key is kept secret. The strength of this system lies in the fact that people don’t have to share private keys (which could be intercepted) to communicate securely. However, the system is only as secure as the private key. If the private key is compromised, the entire system breaks down. An attacker who steals a person’s private key can impersonate them (through false digital signatures), read their private documents (such as encrypted email), and any number of other equally disturbing things.


Many companies mitigate this risk by using smart cards to provide additional protection for the private key by separating the private keys and sensitive PKI operations from the operating system. Smart cards can store some data and process cryptographic operations on the card. Another security benefit is a second factor of authentication: “Something you have” (a smart card) and “Something you know” (a user PIN). Smart Cards do provide added security, but with added expense of a smart card for each employee and smart card readers for each computer. These cards must be replaced if employees lose them, break them, or run them through the washing machine. All in all, this system, while good, creates added expense and complexity for an organization.


Intel® Identity Protection Technology with public key infrastructure (or Intel® IPT with PKI), is a new product from Intel designed to enhance the security of PKI operations. It uses the Intel® Management Engine (or ME) available on 2012 Intel® vPro™ systems to protect the private key and perform sensitive PKI operations at the firmware level. Protecting the key this way prevents malware or other forms of attack from compromising the private key. You can think about it like a smart card built in to your computer; a smart card that you can’t leave in your pocket and put through the wash (unless you have really big pockets); a smart card that you probably won’t forget (at least not if you remembered your computer). Also, for companies that already use Intel® vPro™ systems and PKI certificates, no additional infrastructure is required, and you can use it out of the box.


Intel® IPT with PKI was designed from the ground up for ease of use. It integrates directly into Microsoft’s CryptoAPI, which is a mature interface for cryptographic operations in the Windows operating system. CryptoAPI is an extensible framework that uses plugins (called Cryptographic Service Providers, or CSPs) to do the actual cryptographic operations. Many applications are designed to work with CryptoAPI, and thus are able to support Intel® IPT with PKI with little to no changes to the program. As far as applications are concerned, Intel® IPT with PKI works the same way as Microsoft’s cryptographic service providers, but the real magic happens behind the scenes. Unlike Microsoft’s implementation, where PKI operations are done within Windows (where they can be snooped by malware), Intel® IPT with PKI works with the ME, which is a small, self-contained platform embedded in the chipset. This platform has an internal processor and some storage space—much like a smart card does—and is completely segregated from the operating system. All sensitive operations that involve the private key are performed at this level and are protected from hackers or malicious software that might try to steal the private key.


As a final security measure, PKI keys can optionally be PIN protected. When you try to use the key, you will be prompted to enter the PIN. This prevents someone from accessing your computer and using one of the Intel® IPT with PKI protected keys without your knowledge. This additional layer of security uses a product called Intel® IPT with protected transaction display, to render a PIN pad on the screen in such a way that the operating system cannot see it. Malicious software like screen scrapers will only see a black square in the area where the PIN pad is displayed.  This is a new technology developed by Intel which makes use of Intel branded integrated graphics and Protected Audio Video Path (PAVP) to securely display a PIN pad to the screen. PAVP creates a secure connection from the graphics card to the monitor, bypassing the operating system entirely. It was originally developed to display high definition video from Blu-Ray disks while protecting them from being copied, but can also be used to make passwords secure from host based malware.


Below is a video that shows Intel® IPT with PKI being used to sign an email in Outlook. It also demonstrates the protected transaction display.





Intel® IPT with protected transaction display works by reserving screen space with the operating system, then filling it with an encrypted image that was rendered in the ME. The user can see the image on the screen, but the operating system doesn’t know what is there. The result is that any attempt to snoop at what is on the screen (such as a malicious screen scraper, a hacker mirroring the user’s screen, or even a simple “Print Screen”) will see a black square instead of a protected pin pad. The two real screenshots below demonstrate the concept. The first image is what the user sees, and the second is what a hacker would see.



This is what the user sees. This screenshot was taken specifically using an IP/KVM connection to a remote computer (essentially, a photograph of the monitor); otherwise, the PIN pad would not be visible.




This is what a hacker would see. Actual screenshot using Windows’ Print Screen button while the Intel® IPT with protected transaction display window was on screen.



To protect against key-logging malware, the user interacts with Intel® IPT with protected transaction display via the mouse only; no keyboard input is accepted. The numbers zero through nine are arranged in a random order, and the user clicks the numbers that make up their PIN. Every time Intel® IPT with protected transaction display is used, the order of these numbers is randomized, making it unlikely that a hacker would guess a PIN simply by location. All of the processing is done in the hardware. This produces a PIN that was never exposed in the clear to the operating system or a hacker.
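Why click positions alone do not give away the PIN, as an added sketch that is not Intel's code. The ten-cell pad, the function names and the observer who holds a layout from an earlier session are assumptions made for illustration.

```python
import math
import secrets
from fractions import Fraction

DIGITS = "0123456789"
_rng = secrets.SystemRandom()


def new_layout():
    """Fresh keypad: layout[cell] is the digit drawn in that cell.

    In the scheme described above only the ME knows this mapping.
    """
    cells = list(DIGITS)
    _rng.shuffle(cells)
    return cells


def clicks_for(pin, layout):
    """Cells the user clicks to enter `pin`; this is all the host OS observes."""
    return [layout.index(digit) for digit in pin]


def decode(clicks, layout):
    """Turn clicked cells back into digits using a given layout."""
    return "".join(layout[cell] for cell in clicks)


def stale_layout_success(pin):
    """Exact chance that a layout from another session decodes the clicks to `pin`.

    The fresh random layout must repeat the old digit in each of the k distinct
    cells that were clicked, which happens with probability (10 - k)! / 10!.
    """
    k = len(set(pin))
    return Fraction(math.factorial(10 - k), math.factorial(10))


def simulate(pin, sessions=2000):
    """Count sessions in which the previous session's layout decodes the PIN."""
    hits = 0
    previous = new_layout()
    for _ in range(sessions):
        current = new_layout()
        observed = clicks_for(pin, current)
        if decode(observed, previous) == pin:
            hits += 1
        previous = current
    return hits


if __name__ == "__main__":
    pin = "1234"                      # constructed sample PIN
    layout = new_layout()
    observed = clicks_for(pin, layout)
    print("cells seen by the OS:", observed)
    print("decoded with the session layout:", decode(observed, layout))
    print("chance a stale layout decodes it:", stale_layout_success(pin))
    print("stale-layout hits in 2000 sessions:", simulate(pin))
```

A PIN with four distinct digits survives a stale-layout guess with probability 1/5040 per entry, while a PIN made of one repeated digit drops to 1/10, so the protection from randomization depends on the PIN itself.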


Over the course of development of IPT with PKI, the engineering team worked closely with Symantec, one of the leaders in managed PKI tools, to integrate this product with their solution, The Symantec Managed PKI Service. The collaboration with Symantec allowed Intel® IPT with PKI to be tested with a live piece of software, one that is actually used by the target market. This sort of real-world exposure from day one was important to make sure we weren’t developing something that wouldn’t work or have value in the wild. Intel® IPT with PKI will be distributed with the next release of the Symantec Managed PKI Solution.


Intel® IPT with PKI and Intel® IPT with protected transaction display are two of the Intel® Identity Protection Technology family of products. Another product in this family is Intel® IPT with one-time password (OTP)—a system that uses the ME to provide secure two-factor authentication to websites, such as eBay or PayPal. On the Enterprise side of the fence, Intel® IPT with OTP can be used to make a company’s intranet more secure. By providing the same functionality as one-time password generating tokens issued to employees by enterprises (such as key fobs that periodically generate new passwords), Intel® IPT with OTP can provide the same security without the additional cost of managing and replacing those tokens. The one time passwords generated by OTP can be used in the enterprise environment to help secure access to company websites, VPN connections, and more. The Identity Protection Technology suite represents a collaborative effort between several groups within Intel. PC Client Architecture developed the common infrastructure used by the IPT family of products, the Chipset and SoC IP Group built the protected environment found on the ME, and Business Client Platform Division Engineering developed Intel® IPT with PKI.


It is ironic that while businesses are adopting cloud solutions, accommodating their employees’ needs to work anywhere on any device, the internet is simultaneously becoming more and more unsafe. There is really no such thing as privacy on the internet any more. Attackers are getting more skilled and focused and their tools more advanced. Private information (both business and personal) is now a commodity to be bought and sold to the highest bidder. The only way for an organization to be safe is to continually improve and upgrade their security systems and processes. Intel® Identity Protection Technology with public key infrastructure makes an organization more secure by pulling sensitive information out of the software into tamper-resistant hardware and gives people the tools to better protect themselves.

Using Intel’s Active Management Technology for remote support and reliable security updates

This is a guest post from Ed Metcalf at McAfee


You are not scanning your enterprise for malware often enough. Nobody is. Informal polls of customers and security professionals show that “Wednesday at noon” is the typical schedule for a full virus scan. The explanation for this timing boils down to “people are usually in the office on Wednesday and eating lunch around noon.” Some outlier responses are “at night” or “every day at noon.”


Why aren’t more people scanning at night? Because IT finds users are shutting desktop systems down, so the scans cannot take place.


Why is “every day” not an acceptable practice? Performance. Users complain when they feel their systems are affected by security products. Oddly enough, they don’t complain when their computers are slow due to 18 open web browser windows, but that’s part of the challenge you face managing operational security.


Another sticky issue that IT operations have to deal with involves resolution of end-user issues. Anyone who has spent any amount of time trying to troubleshoot a problem over the phone knows how much more difficult it is than being physically at the device. Remote access applications offer some utility, but with major limitations:


  • Connectivity
  • Misconfiguration
  • No help during a reboot loop


All of these limitations can be overcome with the appropriate systems management technology.  While waking systems to scan and providing remote repair capabilities seem like very different issues, they are both solved through McAfee integration with Intel® Active Management Technology (Intel® AMT). Leveraging the McAfee® ePolicy Orchestrator® (McAfee ePO™) agent and centralized management environment, McAfee ePO Deep Command™ runs on desktops and laptops with the third generation Intel Core™ i5 and i7 vPro technologies.


Intel AMT is a component of Intel vPro technology available on business laptops and desktops.  It provides a secure method for businesses to monitor, maintain, update, and repair PCs without direct hands-on contact.


The third generation Intel vPro technology gives administrators complete remote control over the power state of a system, as well as the ability to remotely redirect the boot sequence of a system to a networked image.  McAfee ePO Deep Command allows IT and security operations to take the features available in Intel AMT and deploy them into the enterprise.


Intel AMT is a great tool, but needs a management infrastructure to make it beneficial to enterprises.  Managing tens of thousands of systems from one central location is a McAfee ePO strength. Bringing Intel AMT management into McAfee ePO provides a way for organizations to take full advantage of the tools provided by Intel in the vPro chipset. Click here to get more information on Intel’s 3rd generation Intel vPro technology or McAfee’s ePO Deep Command.

Today we are pleased to announce our 3rd generation Intel® Core™ vPro processors. I wanted to spend a few moments blogging about how Intel is enabling the future of personal computing in the PC Plus era.  PC Plus is a term coined by Bob O’Donnell at IDC and gets to the heart of what’s going on in the market, where PCs will co-exist with a growing number of devices.  With emerging devices like tablets, new compute models like cloud, and more users “Bringing Their Own Devices,” it can feel like the Wild West.


Fortunately, 3rd generation Intel® Core vPro processors are designed to bridge the gap between what CIOs need and what business users want. Our role is to lead the way in this new era by empowering everyone with the security to ensure complete confidence in the compute experience, the confidence to automate complex business processes and IT tasks for maximum efficiency and the ability to take advantage of ongoing innovation in both business PC performance as well as in exciting new form factors.


Of course, computing with confidence and making the most of this opportunity still means addressing the real challenges facing IT and businesses. Let’s just recap the most important ones. For IT managers the top priorities reflect an ongoing need for control in an increasingly complex computing environment. That means developing ways to simplify, consolidate and securely automate tasks that drain valuable resources and time and a secure, no-compromise means to support the consumerization trend balancing user expectations with IT accountability.


For business users, the priorities are even more fundamental; it’s about the quality of the experience…in system performance, form factors, and being able to balance their business and personal lives across their devices. Clearly, everyone is looking for a lot more from business PCs these days. So let’s dig in and see how Intel is defining and delivering the next generation Intel Core vPro Processors to bridge the gap between CIO’s and business users.


At Intel we believe that security is the foundation to build this bridge; that’s why it’s at the core of everything we do—and built right into the processor. 3rd generation Core vPro processors make the most of embedded security by allowing any business to protect themselves in four ways through:


  • Threat Management
  • Identity & Access
  • Data & Asset Protection and
  • Monitoring & Remediation


Let’s take a look at just a few of these areas to show how Intel has raised the bar in embedded security. As one example, McAfee’s ePO Deep Command and Intel Core vPro processors are integrated to reduce security management costs and to ensure protection even when PCs are disabled or powered off.


McAfee’s ePO Deep Command utilizes Intel’s Active Management Technology to deliver beyond-the-operating system management. With local and remote connections, administrators can install security updates and put protection in place ahead of threats—even when systems are powered off or using encryption. IT can also enforce compliance by ensuring that powered off, remote, and mobile endpoints adhere to policies and configurations. There’s even the ability to discover and quickly identify which PCs are utilizing Intel® vPro™ Technology.


Cyber threats continue to become more sophisticated and global.  According to McAfee, Symantec, The Guardian and other security sources:


  • More than 600,000 social media IDs are compromised every day
  • There are 31,000 new phishing attempts every month
  • And last year, 11 million people fell victim to identity theft in the US alone


Phishing alone costs the economy $1-2 billion each year according to the FBI. To help address identity theft, we developed Intel Identity Protection Technology to provide embedded two-factor authentication…allowing systems to employ hardware-based credentials while validating user presence. We’ve already delivered this secure, easy-to-use solution based on One Time Password. Now we have expanded IPT capabilities even further with a hardware-based embedded PKI capability. This level of security takes computing with confidence to a whole new level.  Building Identity Protection into the hardware has raised the bar for security broadly and it’s made 3rd generation Intel Core vPro processors the most secure computing platform available for business…


From the desktop to digital displays to ATM machines, security remains the number one concern for IT departments…but right on its heels is the ongoing pressure to do more with less. In the current environment there are simply more PCs, more IT processes, more devices, just more of everything to manage. On top of that, tech-savvy users have come to expect more in client performance, secure mobility, and faster IT response times when problems do arise.


All of this makes the need for IT flexibility and agility more crucial than ever. Managing IT environments must continue to be a win-win…both for those who create the business and those who protect the business. That’s why Core vPro processors continue to attract so many followers…with capabilities that significantly reduce cost and increase uptime.


We have a true “better together” solution with Microsoft & Windows 7… and whenever customers are ready to deploy Windows 8, rest assured that we will have the best platform to implement it, thanks to our close alignment and optimization efforts together.


In the area of automation, we continue to provide easy tools to enable anyone to automate their business and speed up the ROI on their PC investments—even when those systems number in the hundreds of thousands as it does for a multi-national corporation like CITI Group. The continued evolution of Intel Core vPro is precisely what a global enterprise like CITI Group needs in order to do more with less with tools like Windows PowerShell to automate essential IT and business processes.


Improving the end user support experience while reducing costs is the goal and a clear win-win for both CIOs and end users. That’s why Core vPro processors extend the reach of IT support and remote management by taking the whole help desk experience to the next level. To maximize both IT support and the growing trend of user-based self-support which is becoming more common, Accenture has been partnering with Intel to provide one-click, 24x7 computer diagnostics and repair services to enterprise clients by virtually transporting technicians to remote PCs using ARROW…the Accenture Remote Resolution Online Workforce solution which puts the user in the driver’s seat. And the timing couldn’t be better—with users wanting more control and empowerment in their computing. Solutions like Accenture’s ARROW will enable a new level of self-support that gives everyone what they need most—faster resolution of issues and return to productivity. It’s the simplicity and flexibility everyone needs as we move into an era of more devices, new compute models, and greater innovation in PC form factors…


Last year we talked about virtualization, client-aware cloud service delivery, and compute model flexibility. We are continuing to innovate in these areas…but in terms of immediate innovation, we want to give you a first-hand look at what is taking place right now as users look for consumer-like capabilities in their business systems.


From the desktop to next generation notebooks there’s a renaissance going on in business computing. From Big Data applications to thin and light form factors, business users should be excited about being able to create and consume content anywhere, anytime—without compromise.


Let’s start with performance. Core vPro processors continue to enhance the computing experience in all areas including the use of Business Intelligence and Big Data. With serious data crunching and high-performance graphics, we’re at a point where big data applications are finally finding their way from the data center to the end point and back again. It not only ushers in an era of greater access to data for everyone, it means high-end simulations, data mining, and business intelligence are now another routine capability right at your fingertips.


Big Data has become a top-tier concern for businesses that need to make sense of all the data accumulating in their data banks. Core vPro processors put greater performance in the hands of more information workers giving them the ability to access and glean insights from the data right in their PC. With the power to handle bigger data sets and manipulate them faster, familiar PC tools like Excel are evolving to support this process of creating, collaborating, and sharing big data insight.


As we mentioned earlier, with all this talk about “consumerization” and “bring your own device,” IT can sometimes feel like the Wild West—with everyone running off in their own direction. At Intel, we see this as an opportunity to deliver value. That’s why we are actively driving innovation in form factors while continuing to deliver the business-grade security and automation that we’ve been describing.


Let’s start with the desktop and All-In-One’s.  Business AIOs give users a sleek, powerful way to transform their workspace, not only by saving space and reducing clutter, but by supercharging productivity with touch screen technology, secure HD video conferencing, and energy-efficient high performance. For IT, All-In-Ones with Intel Core vPro processors offer superior performance on the desktop with the added benefit of being able to combine collaboration and communication on a single system. By literally replacing the cost and clutter of the phone and its network infrastructure, businesses can accelerate ROI and achieve ongoing cost savings. Does it really make sense to spend over $500 for a phone when you can simplify and integrate through an All-In-One solution? The answer is obvious.


Now, moving beyond the desktop brings us to our next area of innovation. Mobility defines the way many of us work today. So the industry has stepped up—recognizing that thinner and lighter devices aren’t just nicer to look at, they’re a necessity to get the job done anywhere, anytime. Sleek and attractive systems are going to be available from a range of OEMs in increasingly slim and powerful form factors, many less than one inch in height. But Intel is taking mobility even one step further… We’re pleased to introduce the first Ultrabooks with vPro technology specifically designed for business.


They feature the full capabilities of Intel Core vPro processors, with the responsiveness and sleek form factors of the best consumer systems. Rapid start technology so applications are ready in seconds. Smart response technology with frequently used apps and files stored in Solid State Drives. Smart Connect technology so apps are always updated with fresh content.


Later this year, a number of Ultrabooks will also include touch . . .the ultimate in no compromise computing.  Ultrabooks based on Intel Core vPro processors are a great example of platforms that are “Built for Business and Engineered for Security” while delivering a no compromise user centric experience.



With 3rd generation Intel Core vPro processors, Intel is leading the way in this new era, bridging the needs of IT and the desires of business users as never before. With embedded security at every layer while delivering cost saving automation to help IT do more with less and with sleek form factors like AIO and thinner and lighter systems, including vPro Ultrabooks to enhance productivity,  vPro  is giving IT and end users what they want most… The excitement of “no compromise computing” in the most innovative PCs ever.

For years now, everyone (including yours truly) has been predicting the massive mainstream adoption of client virtualization.  But for various business and technical reasons (that I won’t bore you with) - the promise of client virtualization has eluded the benefits of scale.  Today, however, I see a new glimpse of hope…


Citrix and Virtual Computer have both been great and long standing partners of ours in the hypervisor space.  We’re very excited about today’s announcement to combine efforts and double down.  Bringing VCI’s PC management tools in with Citrix’s application delivery model really brings the best of both worlds together.  Additionally, with this acquisition, Citrix has obtained a top-notch engineering team to supplement their own.  And, of course, they’re both already on an Intel-optimized Xen hypervisor utilizing our hardware acceleration and security.  Great to see the renewed effort to truly get all the benefits of centralized management without sacrificing the user experience.


So I’m renewing my prediction that the massive adoption of client virtualization will happen.  Citrix and Intel will make that hockey stick reality on top of XenClient and business Ultrabooks™ with Intel Core vPro processors.  Look for some additional joint announcements in 2012!

Your users want to be productive from any device, anywhere, anytime.  You want to give them access to their own personalized corporate desktops while the desktops are running in a secure, well-managed environment.  You can do this today with desktops running in the datacenter using Citrix XenDesktop.  But many users will continue to run their desktops on physical PCs.  Now they too can access their physical desktops remotely and securely with a new feature of Flexcast, Remote PC.  With Remote PC, your employees can access their own physical PC desktops from any device running Citrix Receiver.


Citrix and Intel are working to ensure that the user can use Remote PC and XenDesktop to connect to their remote desktop even if their PC is powered off or in a sleep state.  This remote Power On capability will work with Intel Core vPro processor-based PCs by using their built-in out-of-band remote power on and management features.   The remote Power On occurs automatically, without the user having to do anything other than initiate the Citrix Receiver connection.


Citrix Remote PC on Intel Core vPro processor-based PCs gives users the flexibility to be productive from any device running Citrix Receiver, and connected to the internet, by giving secure access to their physical PC when the PC is left in the office, secured behind the corporate firewall.  So, check it out, put that PC to work for you even more!

Are you wishing for just one page to discover all of your Intel® Setup and Configuration Software (Intel® SCS) needs? Look no further. Here you can find a collection of the most recent blogs, community posts and updates related to Intel® SCS. Also find more information as well as the most recent Intel® SCS download at Or join the conversation in our community: Intel® Setup and Configuration Software Enjoy!












I like using Get-AMTHardwareAsset to get information about the target Intel vPro platform. But I want the data in another program. PowerShell is great for giving us options. One reason I like it so much!


Let’s get some data from a client:


PS C:\Users\cdpiper> Get-AMTHardwareAsset -Credential $amtCred




You can see that this is a Lenovo laptop with a Core i7!


Great! …but… kinda hard to browse all that info. So let’s pipe to a different PowerShell formatter, Out-GridView.

PS C:\Users\cdpiper> Get-AMTHardwareAsset -Credential $amtCred | Out-GridView




Nice! I can copy and paste the data into Excel.

…but… that does not scale. Good for a single machine, but not if I want to save the data or do this regularly.


What else can I do? Again, PowerShell to the rescue. Those guys at Microsoft thought of everything! Export-Csv!

PS C:\Users\cdpiper> Get-AMTHardwareAsset -Credential $amtCred | Export-Csv output.csv


Done! Now I just type PS C:\Users\cdpiper> .\output.csv and since I have Excel installed, it pops right up!
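Scaling the Export-Csv step above from one machine to a list of machines, as an added example that is not part of the original post. It assumes the Intel vPro module loads under the name IntelvPro and that Get-AMTHardwareAsset accepts -ComputerName and -TLS; the host names and output file names are constructed placeholders.

```powershell
# Added example: collect hardware inventory from several Intel AMT systems
# into a single CSV, and record the systems that could not be queried.
# Assumptions: module name IntelvPro; -ComputerName and -TLS parameters.
Import-Module IntelvPro

# Constructed host names; replace with your own AMT-provisioned systems.
$amtHosts = @(
    'vpro-client01.example.com',
    'vpro-client02.example.com',
    'vpro-client03.example.com'
)

# Prompt for the AMT credential rather than storing a password in the script.
$amtCred = Get-Credential -Message 'Intel AMT administrator credential'

$inventory = @()
$failures  = @()

foreach ($amtHost in $amtHosts) {
    try {
        # -TLS keeps the AMT session and credential off the wire in clear text
        # (requires the systems to be provisioned for TLS).
        $rows = Get-AMTHardwareAsset -ComputerName $amtHost -TLS `
                    -Credential $amtCred -ErrorAction Stop

        # Tag every row with the system it came from, so rows from different
        # machines remain distinguishable after they are merged.
        $inventory += $rows |
            Select-Object @{ Name = 'QueriedHost'; Expression = { $amtHost } }, *
    }
    catch {
        # Keep going on failure, but leave a record of what was missed.
        $failures += [pscustomobject]@{
            QueriedHost = $amtHost
            Error       = $_.Exception.Message
            Time        = (Get-Date).ToString('s')
        }
    }
}

# One dated file per run makes it possible to compare inventories over time.
$stamp = Get-Date -Format 'yyyyMMdd'

# -NoTypeInformation drops the "#TYPE ..." header line that Windows PowerShell
# otherwise writes as the first row of the CSV.
$inventory | Export-Csv -Path "amt-hardware-$stamp.csv" -NoTypeInformation -Encoding UTF8

if ($failures.Count -gt 0) {
    $failures | Export-Csv -Path "amt-hardware-failures-$stamp.csv" -NoTypeInformation -Encoding UTF8
    Write-Warning ("{0} of {1} systems could not be queried." -f $failures.Count, $amtHosts.Count)
}
```

The failures file doubles as a list of systems whose AMT provisioning or network reachability needs checking before the next run.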





Since 2008, Imperial College London has been upgrading the desktop computing resources available to its staff and student body with new Windows* 7 machines supplied by HP and powered by Intel® Core™ vPro™ processors. From the outset, it planned to harness the built-in remote management capabilities of the processors to streamline the way its IT team maintains the computers. Using the Intel® Setup and Configuration Service (Intel® SCS) software and Intel® vPro™ technology module for Microsoft Windows PowerShell*, the College quickly activated the remote connectivity features to work in its existing management environment. The ability to remotely switch machines on and off makes it easier for IT administrators to prepare computers for use each day and lets the college deliver software upgrades simultaneously and consistently across all PCs. Now Imperial College is considering extending the use of the remote connectivity features to deliver remote helpdesk services to mobile laptop users.

To learn more, download the new Imperial College London business success story. As always, you can find many more like this one on the Business Success Stories for IT Managers page or the Business Success Stories for IT Managers channel on iTunes.  And to keep up to date on the latest business success stories, follow ReferenceRoom on Twitter.


*Other names and brands may be claimed as the property of others.


Based in the United Arab Emirates, Institute of Applied Technology (IAT) is working to provide distinctive secondary school programs that integrate career and technical education with a rigorous academic core. It engaged with the Intel World Ahead Program, a global initiative designed to bring the benefits of the digital world to the next generation. Nearly 6,000 Apple MacBook Pro* computers with Intel® Core™ i5 processors were deployed across five campuses, to 400 teachers and over 5,000 students. Other 1:1 eLearning elements included rich-media local content, new teaching methods and a professional development curriculum—all designed to drive technology-based collaborative learning.

“Technology is now supporting the teacher-student relationships,” explained Shadi O. Ayoub, curriculum developer for ICT, “enabling a collaborative approach to study.”

To learn more, read our new IAT business success story. As always, you can find many more like this one on the Business Success Stories for IT Managers page or the Business Success Stories for IT Managers channel on iTunes. And to keep up to date on the latest business success stories, follow ReferenceRoom on Twitter.

