4 Replies Latest reply on May 12, 2009 8:00 AM by TerryCutler

    tampering

    core000

      In all the documentation online regarding security of vPro, it does not clarify in detail whether the PC's can be tampered with in anyway that would deactivate the vPro setup.

       

      I would like to know, for example, if it's possible to disable vPro by removing the motherboard eprom battery.

        • 1. Re: tampering
          core000

          any Intel vPro experts in this group? 

          • 2. Re: tampering
            TerryCutler

            What system models do you have?

             

            There are different components of vPro

             

            For the Active Management Technology.  Yes - if the BIOS battery is removed and reinserted, the Intel AMT settings will be reset to factory default.  In addition, some OEMs provide a setting in BIOS to reset Intel AMT upon the next reboot.  The suggest here is lock you BIOS settings and case if that is a concern

             

            For the Anti-Theft Technology (AT-p) - a BIOS  battery reset will not affect.  Therefore, if someone were to steal a system that is configured with Absolute, Computrace, or other support AT-p security vendor... if the AT-p policy activates and disables the system, only a re-activation key\sequence as defined by the security policy will reactivate the system.  A BIOS battery reset will not

             

            Does that help?

            • 3. Re: tampering
              core000

              Thanks Terry for the info.   I will be setting up vPro with Altiris Out of Band component.    The PC's that I use are HP.    Is the (AT-p) Anti-Theft Technology available for HP computers?   From what I've read, it's only on Lenovo brand.

               

              Basically, I need to know if there is any other way around disabling AMT vPro other than removing the BIOS battery, however I dont' see anywhere in the Intel vPro documentation regarding the security details.

              • 4. Re: tampering
                TerryCutler

                Correct on AT-p being available for only Lenovo platforms... other's may add the functionality, yet only Lenovo supports at this time.

                 

                Regarding the disabling or unconfiguring of AMT - Take a look at http://www.symantec.com/connect/articles/provisioning-intel-vpro-technology-part-4-remotely-resetting-provisioning-state  On the HP laptops (i.e. 2510p, 6910p, 8510p, 2530p, 6930p, 8530p), there is an option in the BIOS to unconfigure AMT on next boot.  This option requires a confirmation at the next boot.  Thus - it is possible - but can  be controlled by BIOS security.  Similarly - as mentioned in the article - if an Altiris user has sufficient rights\access, they can unconfigure systems remotely.  In both cases - it's a matter of Access Control, rights\permissions, etc.

                 

                 

                Just curious - how soon will you  be activating vPro\AMT?  How many client systems?  Key usage model?   (if you'd prefer to not answer on blog - send me a private message via vPro Expert center account)