
Periodically the question comes up “Can I use Intel vPro Technology to remotely unlock an encrypted hard drive?”, either because unattended encrypted systems need to be booted and patched outside of business hours, or because there is a significant cost associated with IT helpdesk calls when technicians must remotely guide end users through a recovery process after they have forgotten their drive encryption passphrase or PIN.

Here are some available solutions for remotely unlocking encrypted drives using Intel vPro Technology…

Intel Hardware KVM Technology: Using Intel AMT and a hardware KVM viewer such as RealVNC's VNC Viewer Plus or McAfee KVMView (part of McAfee ePO Deep Command), an IT helpdesk technician can remotely connect to an encrypted Intel vPro system and manually enter the recovery password at the pre-boot authentication screen to unlock the encrypted drive so Windows can boot. The remote connection to the Intel vPro system can be made over a wired or wireless LAN, and the system can be connected directly to the internal enterprise network or through a Client Initiated Remote Access (CIRA) session. The recovery password needs to have been previously escrowed to a backup database (usually done automatically as part of standard IT policy) such as Microsoft Active Directory, McAfee Managed Native Encryption (MNE) or Microsoft BitLocker Administration and Monitoring (MBAM), and the helpdesk technician needs access to that database. This solution is compatible with Windows Vista, Windows 7 and Windows 8 and is suitable for on-demand 1:1 type scenarios, but it is not suitable for automated 1:Many type scenarios.

Windows PowerShell: Using Intel AMT and Windows PowerShell it is possible to execute a PowerShell script on a central server or IT helpdesk workstation and have that script automatically retrieve previously escrowed BitLocker recovery passwords from a backup database, remotely connect to an encrypted Intel vPro system and use Serial-over-LAN (SOL) functionality to automatically input the recovery password to the pre-boot authentication screen to unlock the encrypted drive so that Windows can boot. This scripted approach automates the entire encrypted drive unlock process and can be invoked on-demand by a helpdesk operator or scheduled to run when systems need to be patched. This solution can be used with systems connected over a wired or wireless network and connected directly to the internal enterprise network or through a CIRA session. This solution is compatible with Windows Vista, Windows 7 and Windows 8 and is suitable for on-demand 1:1 type scenarios and automated 1:Many type scenarios. The video at http://www.youtube.com/watch?v=2ioN5BlD96Q shows an example of such a solution working. A consideration for using this with BitLocker is that when the recovery password is being automatically entered into the pre-boot authentication screen, the password is momentarily visible to the end user. If this is an issue then the recovery password could be programmatically changed as part of the IT procedure associated with unlocking systems.
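The paragraph above notes that a recovery password typed over SOL is briefly visible on screen and suggests changing it afterwards. The script below is an added example (not from the original post or the video) of that rotation step: it is assumed to run on the client after Windows has booted (for example via PowerShell remoting), on Windows 8 or later where the BitLocker module exists, in a domain whose Group Policy permits AD escrow of recovery information. The mount point is a placeholder.

```powershell
# Added example: rotate a BitLocker recovery password that was just exposed during an
# unattended unlock, and re-escrow the new one to Active Directory before the old one goes.
$ErrorActionPreference = 'Stop'
$MountPoint = "C:"   # placeholder: the volume whose recovery password was entered on screen

$volume = Get-BitLockerVolume -MountPoint $MountPoint
if ($volume.ProtectionStatus -ne 'On') {
    throw "BitLocker protection is not on for $MountPoint; nothing to rotate."
}

# Recovery password protectors that existed before rotation; these hold the exposed value
$oldProtectors = @($volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

# 1. Add a fresh recovery password protector. BitLocker generates the 48-digit value itself.
$after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$newProtector = $after.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and
                   $oldProtectors.KeyProtectorId -notcontains $_.KeyProtectorId }

# 2. Escrow the new protector to AD *before* touching the old ones, so there is never a
#    moment with no escrowed recovery password. With ErrorActionPreference = Stop, an
#    escrow failure aborts the script here and the old protector stays in place.
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $newProtector.KeyProtectorId

# 3. Only now invalidate the value that was shown on screen by removing the old protector(s)
foreach ($p in $oldProtectors) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
}

"Rotated recovery password on $MountPoint; new protector id $($newProtector.KeyProtectorId)"
```

The escrowed copy in AD (or MBAM) is what the helpdesk or the SOL script reads on the next unlock, so verify the new protector appears there before relying on it.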

McAfee Drive Encryption: Using Intel AMT, McAfee ePO Deep Command and McAfee Drive Encryption (MDE) 7.X, it is possible to configure MDE policies so that the MDE pre-boot authentication code automatically retrieves a disk unlock password from the centralized McAfee ePO server using a Serial-over-LAN (SOL) connection and uses this password to unlock the encrypted drive so Windows can boot. The Serial-over-LAN connection between Intel vPro systems and the McAfee ePO server can be made over a wired or wireless LAN, and systems can be connected directly to the internal enterprise network or through a Client Initiated Remote Access (CIRA) session. MDE supports a variety of unlock policies, including the ability to limit the number of consecutive unlock operations, the ability to control the times and weekdays when unlock operations are valid, and the ability to configure unlock operations to operate inside or outside the enterprise network. This solution is compatible with Windows Vista, Windows 7 and Windows 8 and is suitable for on-demand 1:1 type scenarios and automated 1:Many type scenarios. It is worth noting that this solution operates automatically with Intel vPro systems regardless of whether they require user consent or not.

There are some situations in which it would be nice to be able to export and import Intel Setup and Configuration Service (Intel SCS) provisioning profiles...

  • Environments with multiple Intel RCS servers to accommodate provisioning workload, where profiles need to be duplicated across servers
  • Environments with multiple Intel RCS servers because of organizational administration demands (e.g. politics, segregation), where profiles need to be copied across servers
  • Situations in which it is simply required to back up and restore profiles


Exporting profiles from Intel RCS is simple enough; from the Intel SCS console you use the toolbar to export profiles to an encrypted XML format file. But there is no import function on the Intel SCS console to import profiles from a backup file or from another Intel RCS server.

So here's a simple solution; Intel RCS supports a WMI provider which is used to communicate with other software such as the SCS console and ACUConfig utility. Intel SCS provisioning profiles (amongst other things) can be read and written using this WMI provider. Windows PowerShell includes built-in cmdlets to provide easy access to WMI providers. With a little effort we can construct a couple of lines of PowerShell script to do everything we need to export, backup, restore and import profiles with Intel RCS servers.

The following code reads all Intel SCS profiles from an Intel RCS server and stores them in a PowerShell variable...

# Configure source RCS server
$SourceRCSServer = "SourceRCSServerHostname"

# Read profiles from source RCS server
$RCSProfiles = Get-WmiObject -Class "RCS_Profile" -Namespace "root/Intel_RCS_Editor" -Authentication PacketPrivacy -ComputerName $SourceRCSServer

Once we've read all the profiles, we may want to back them up. The following code copies our previously read profiles to a backup file...

# Save profiles to backup file
$RCSProfiles | Export-Clixml .\ProfilesBackup.xml

Sometime later we may want to restore our profiles. The following code restores our profiles from the backup file to a PowerShell variable...

# Restore profiles from backup file
$RCSProfiles = Import-Clixml .\ProfilesBackup.xml

And finally, if we want to write our profiles to one or more Intel RCS servers, the following code writes our profiles from a PowerShell variable to Intel RCS...

# Configure one or more destination RCS servers
$DestinationRCSServers = "DestinationRCSServer1", "DestinationRCSServer2", "DestinationServerN"

# Write profiles to destination RCS servers
foreach ($DestinationRCSServer in $DestinationRCSServers)
{
   # Read and delete any existing profiles on the destination RCS server
   Get-WmiObject -Class "RCS_Profile" -Namespace "root/Intel_RCS_Editor" -Authentication PacketPrivacy -ComputerName $DestinationRCSServer | Remove-WmiObject

   # Write all profiles to the destination RCS server
   foreach ($RCSProfile in $RCSProfiles)
   {
      Set-WmiInstance -Class "RCS_Profile" -Namespace "root/Intel_RCS_Editor" -Authentication PacketPrivacy -ComputerName $DestinationRCSServer -Arguments @{ElementName=$RCSProfile.ElementName;InstanceId=$RCSProfile.InstanceId;Text=$RCSProfile.Text;ProfileDescription=$RCSProfile.ProfileDescription;SolutionGUID=$RCSProfile.SolutionGUID;SolutionName=$RCSProfile.SolutionName} | Out-Null
   }
}

All of the above code assumes the currently logged on Windows user has access to the Intel_RCS_Editor WMI namespace and appropriate DCOM permissions on the Intel RCS server (see the Intel SCS User Guide for information on configuring these permissions during Intel RCS installation). The example code can easily be enhanced, for example by scheduling it to run regularly to automatically synchronize profiles across multiple Intel RCS servers, or by using PowerShell's filtering capabilities to save some profiles and delete others.
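The script above deletes every profile on a destination before writing the new set, so a failure part way through (a lost DCOM connection, a permissions error) leaves that server with no profiles. The following is an added example, not the original post's code, of the filtered, scheduled synchronization the paragraph mentions: it writes missing or changed profiles first and deletes stale ones last, and locks down the backup file it writes. Hostnames, the backup path and the name filter are placeholders; the WMI class, namespace and property names are those used in the original script, and profile names are assumed to be unique per server.

```powershell
# Added example: non-destructive profile sync between Intel RCS servers via the RCS WMI provider.
$ErrorActionPreference = 'Stop'
$SourceRCSServer       = "SourceRCSServerHostname"                    # placeholder
$DestinationRCSServers = "DestinationRCSServer1", "DestinationRCSServer2"   # placeholders
$BackupFile            = "C:\RCSBackups\ProfilesBackup.xml"           # placeholder
$ProfileNameFilter     = "*"        # e.g. "Prod-*" to synchronise only some profiles
$wmi = @{ Class = "RCS_Profile"; Namespace = "root/Intel_RCS_Editor"; Authentication = "PacketPrivacy" }

$sourceProfiles = @(Get-WmiObject @wmi -ComputerName $SourceRCSServer |
    Where-Object { $_.ElementName -like $ProfileNameFilter })
# Guard: an empty source (typo in the filter, wrong host) must never wipe the destinations
if ($sourceProfiles.Count -eq 0) { throw "No profiles matched on $SourceRCSServer; not touching destinations." }

# Back up before changing anything. The XML holds plaintext credentials (cautionary note 1),
# so drop inherited ACEs and grant only the account running this script access to the file.
$sourceProfiles | Export-Clixml $BackupFile
icacls $BackupFile /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(F)" | Out-Null

foreach ($dest in $DestinationRCSServers) {
    $existing = @(Get-WmiObject @wmi -ComputerName $dest)

    foreach ($p in $sourceProfiles) {
        $props = @{ ElementName = $p.ElementName; InstanceId = $p.InstanceId; Text = $p.Text;
                    ProfileDescription = $p.ProfileDescription;
                    SolutionGUID = $p.SolutionGUID; SolutionName = $p.SolutionName }
        $match = $existing | Where-Object { $_.ElementName -eq $p.ElementName }
        if ($match -and $match.Text -eq $p.Text) { continue }   # unchanged: nothing to do
        if ($match) { $match | Remove-WmiObject }               # changed: replace this one only
        Set-WmiInstance @wmi -ComputerName $dest -Arguments $props | Out-Null
    }

    # Last step: delete only profiles present on the destination but absent from the source
    $existing | Where-Object { $sourceProfiles.ElementName -notcontains $_.ElementName } |
        Remove-WmiObject
}
```

Run it as a scheduled task under a dedicated account that holds the Intel_RCS_Editor namespace and DCOM permissions on every server listed, and keep cautionary note 2 in mind: it only makes sense between servers in the same Active Directory forest.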

Two cautionary notes:

  1. The code shown above to back up profiles to a file does not encrypt those files; therefore any plaintext credentials in the profile (e.g. the MEBx password, a fixed AMT admin password, AMT digest credentials or the KVM RFB password) will be visible in the backup file. The Intel SCS package includes a file encryption utility called SCSEncryption that can be used to encrypt/decrypt profile backup files, or the files can be stored such that they are only accessible to authorized personnel.
  2. Profiles containing Microsoft Active Directory domain accounts, domain groups or certificate template information are tied to a specific Active Directory installation, because profiles store domain accounts, domain groups and certificate templates by SID rather than by name. SIDs are specific to individual Active Directory installations; therefore profiles cannot be transported between installations if they contain domain accounts, domain groups or certificate template information. This means you can use the above scripts with Intel RCS servers if they are all part of the same Active Directory structure (which is typically the case for most organizations). But profiles containing domain accounts, domain groups or certificate templates cannot be copied between different customer environments, or between customer test and production environments, if those are based on different Active Directory installations.


Details of the Intel SCS WMI provider classes and methods are available in the downloadable Intel SCS SDK at https://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=20921
