Periodically the question comes up: "Can I use Intel vPro Technology to remotely unlock an encrypted hard drive?" It arises either because unattended encrypted systems need to be booted and patched outside of business hours, or because there is a significant cost associated with IT helpdesk calls when helpdesk technicians must remotely guide end users through a recovery process after they have forgotten their drive encryption passphrase or PIN.


Here are some available solutions for remotely unlocking encrypted drives using Intel vPro Technology…


Intel Hardware KVM Technology: Using Intel AMT and a hardware KVM viewer such as RealVNC Viewer Plus or McAfee KVMView (part of McAfee ePO Deep Command), an IT helpdesk technician can remotely connect to an encrypted Intel vPro system and manually enter the recovery password at the pre-boot authentication screen to unlock the encrypted drive so Windows can boot. The remote connection to the Intel vPro system can be made over a wired or wireless LAN, and the system can be connected directly to the internal enterprise network or through a Client Initiated Remote Access (CIRA) session. The recovery password needs to have been previously escrowed to a backup database (usually done automatically as part of standard IT policy) such as Microsoft Active Directory, McAfee Managed Native Encryption (MNE) or Microsoft BitLocker Administration and Monitoring (MBAM), and the helpdesk technician needs access to that database. This solution is compatible with Windows Vista, Windows 7 and Windows 8 and is suitable for on-demand 1:1 type scenarios, but it is not suitable for automated 1:Many type scenarios.


Windows PowerShell: Using Intel AMT and Windows PowerShell it is possible to execute a PowerShell script on a central server or IT helpdesk workstation and have that script automatically retrieve previously escrowed BitLocker recovery passwords from a backup database, remotely connect to an encrypted Intel vPro system and use Serial-over-LAN (SOL) functionality to automatically input the recovery password to the pre-boot authentication screen to unlock the encrypted drive so that Windows can boot. This scripted approach automates the entire encrypted drive unlock process and can be invoked on-demand by a helpdesk operator or scheduled to run when systems need to be patched. This solution can be used with systems connected over a wired or wireless network and connected directly to the internal enterprise network or through a CIRA session. This solution is compatible with Windows Vista, Windows 7 and Windows 8 and is suitable for on-demand 1:1 type scenarios and automated 1:Many type scenarios. The video at http://www.youtube.com/watch?v=2ioN5BlD96Q shows an example of such a solution working. A consideration for using this with BitLocker is that when the recovery password is being automatically entered into the pre-boot authentication screen, the password is momentarily visible to the end user. If this is an issue then the recovery password could be programmatically changed as part of the IT procedure associated with unlocking systems.
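As an added example (not code from the original article), here are the two parts of the scripted approach that can be shown with standard Windows tooling: the helpdesk-side lookup of the escrowed BitLocker recovery password in Active Directory, keyed by the Password ID displayed on the recovery screen, and the client-side rotation of that password after it has been typed in over SOL, which addresses the visibility concern raised above. The SOL input step itself depends on the AMT tool in use and is not shown; the function names are hypothetical, and the script assumes the RSAT ActiveDirectory module on the helpdesk host and recovery information escrowed to AD.

```powershell
# Added example, not from the original post: the two ends of the scripted
# BitLocker unlock flow that can be shown without Intel AMT SDK calls.
# 1) helpdesk side: look up the escrowed recovery password in Active Directory
# 2) client side: rotate the recovery password after it was typed over SOL
# Assumes RSAT's ActiveDirectory module on the helpdesk host and escrow to AD.

function Get-EscrowedBitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # First 8 characters of the "Password ID" shown on the recovery screen
        [Parameter(Mandatory)] [string] $PasswordIdPrefix
    )
    Import-Module ActiveDirectory
    $computer = Get-ADComputer -Identity $ComputerName
    # Escrowed keys are msFVE-RecoveryInformation children of the computer object;
    # each object's Name ends with the full {Password ID}.
    $entries = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Properties msFVE-RecoveryPassword, whenCreated
    $match = $entries | Where-Object { $_.Name -like "*{$PasswordIdPrefix*" } |
        Sort-Object whenCreated -Descending | Select-Object -First 1
    if (-not $match) { throw "No escrowed key matching $PasswordIdPrefix for $ComputerName" }
    # Hand the 48-digit password to the SOL session here (tool-specific, not shown).
    return $match.'msFVE-RecoveryPassword'
}

function Reset-BitLockerRecoveryPassword {
    # Run elevated on the client once Windows is up; manage-bde ships with Vista+.
    param([string] $MountPoint = 'C:')
    $guid = '\{[0-9A-F-]{36}\}'
    $before = (manage-bde -protectors -get $MountPoint -type RecoveryPassword) -join "`n"
    $oldIds = [regex]::Matches($before, $guid) | ForEach-Object { $_.Value }
    # Add the replacement first so the volume is never without a recovery protector
    manage-bde -protectors -add $MountPoint -RecoveryPassword | Out-Null
    $after = (manage-bde -protectors -get $MountPoint -type RecoveryPassword) -join "`n"
    $newId = [regex]::Matches($after, $guid) | ForEach-Object { $_.Value } |
        Where-Object { $oldIds -notcontains $_ } | Select-Object -First 1
    # Escrow the new protector to AD before retiring the one that was seen on screen
    manage-bde -protectors -adbackup $MountPoint -id $newId | Out-Null
    foreach ($id in $oldIds) { manage-bde -protectors -delete $MountPoint -id $id | Out-Null }
    return $newId
}
```

The rotation function can be run as a post-boot scheduled task so that the escrowed password the helpdesk used is retired as soon as the system is back in Windows.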


McAfee Drive Encryption: Using Intel AMT, McAfee ePO Deep Command and McAfee Drive Encryption (MDE) 7.X, MDE policies can be configured so that the MDE pre-boot authentication code automatically retrieves a disk unlock password from the centralized McAfee ePO server using a Serial-over-LAN (SOL) connection and uses this password to unlock the encrypted drive so Windows can boot. The Serial-over-LAN connection between Intel vPro systems and the McAfee ePO server can be made over a wired or wireless LAN, and systems can be connected directly to the internal enterprise network or through a Client Initiated Remote Access (CIRA) session. MDE supports a variety of unlock policies, including the ability to limit the number of consecutive unlock operations, the ability to control the times and weekdays when unlock operations are valid, and the ability to configure unlock operations to operate inside or outside the enterprise network. This solution is compatible with Windows Vista, Windows 7 and Windows 8 and is suitable for on-demand 1:1 type scenarios and automated 1:Many type scenarios. It is worth noting that this solution operates automatically with Intel vPro systems regardless of whether they require user consent or not.