3 Replies Latest reply on Jul 13, 2015 3:03 AM by dariusz.wittek@intel.com

    Vpro, AMT, Intel ME

    Surferby

      The cpu is a  Core i5 4590 which is Vpro enabled. [ http://ark.intel.com/products/80815/Intel-Core-i5-4590-Processor-6M-Cache-up-to-3_70-GHz ]

      The motherboard is a MSI B85M Gaming where Vpro is absent. [ http://ark.intel.com/products/75019 ] and [ http://us.msi.com/support/mb/B85M_GAMING.html ]

       

      What this means to me as a desktop user at home who has no interest of any kind of remote management of THAT KIND?

       

      As the motherboard does NOT support Vpro, is it free from the risk of any kind of out-of-band remote connection including remote provisioning? Or does it still under the risk just because the processor has it?

       

      If yes, how can I have the control or preferably disable that in all possible ways?

       

      If no, then why there is Intel ME version listed in the Uefi [BIOS]?

       

      Wise men are requested to shed light on the issues.

       

       

      ---Added later----

       

      After installing several tools from intel, I finally found out that Vpro of i5 is up on that "not supported" chipset! Please correct me if I am wrong. But the chipset information in intel site says that B85 it is not Vpro supported. If Vpro is not up, how Intel Anti Theft is running?

      What this means to me as a desktop user at home who has no interest of remote management of THAT KIND and not subject to be managed by anyone else using those remote wake up on s0,s1,s2,s3... sleeping mode?

      If the motherboard does NOT support Vpro, is it free from the risk of any kind of out-of-band remote connection including remote provisioning? Or is it still under the risk just because the processor has it?

      If yes, how can I have the control or preferably disable that in all possible ways?

      If no, then how can "Intel management and Security Status" can show the below listed information including AT service? How can I disable any sort of remote connection attempt by or attempted to my pc which uses Vpro or ME or AT or AMT? The target is to element all sorts of provisioning or pre-os communication.

       

       

      Additional information

       

      UEFI [Bios shows no option to enter Intel Vpro MEBx or ME. Only ME version number is available]

      On windows 7 "Intel management and Security Status" gives information like -

       

      Item Value

      ME Control Mode Not Provisioned

      Provisioning Mode Pre Provisioning
      BIOS boot NA
      Last ME reset reason Power Up
      Local FWUpdate NA
      Power Policy Desktop: ON in S0, ME Wake in S3, S4-5
      Cryptography Support NA

       

      [FW Capabilities]

      Item Value
      Intel(R) Small Business Technology Enabled

      Intel(R) Anti-Theft Technology PC Protection Enabled
      Intel(R) Capability Licensing Service Enabled
      Intel(R) Dynamic Application Loader Enabled

      Protect Audio Video Path Enabled



      [Intel(R) Small Business Technology]

      Item Value
      Intel(R) SBT State Enabled
      Intel(R) SBT Status Not Configured

      [Intel(R) Anti-Theft Technology PC Protection]

      Item Value
      Intel(R) AT State Enabled
      Intel(R) AT Status NA

      Item Value
      MEBx Version NA
      FW Version 9.0.30.1482 LMS Version 9.0.0.1323
      MEI Driver Version 9.0.0.1287
      SOL Driver Version NA
      SOL DeviceID NA

       

       

      [Network information]

      Item Value
      LAN MAC Address NA
      LAN Configuration state NA
      LAN Link Status NA
      LAN IPv4 Address NA
      LAN IPv6 Enablement NA
      WLAN MAC Address NA
      WLAN Configuration state NA
      WLAN Link Status NA
      WLAN IPv4 Address NA
      WLAN IPv6 Enablement NA

      I will very much appreciate your input.

        • 1. Re: Vpro, AMT, Intel ME
          kevin_intel

          Hello Surferby,

           

          Let me help you with this.

           

          Based on the product description, the processor supports Intel® vPro Technology but the motherboard does not meaning that there is no way to have incoming threads through that feature.

           

          My best recommendation is for you to contact the motherboard manufacturer so they can explain what features are included on the motherboard and the function of each.

           

          Here you can get the contact information:

          http://www.intel.com/support/oems.htm

           

          Kevin M

          • 2. Re: Vpro, AMT, Intel ME
            Surferby

            Thank you Kevin M. I understand that. But it is surprising that intel is selling a vpro processor without printing anything on the package. I didn't need vpro processor but mistakenly purchased one just because there was nothing printed on the package. Anyways, thank you for your time.

            • 3. Re: Vpro, AMT, Intel ME
              dariusz.wittek@intel.com

              Surferby,

               

              Vast majority of current Intel chipsets contain Intel ME - Manageability engine BUT in its features cut down version  - it runs platform HW maintenance (system clocks) and some security features.

               

              Only Intel vPro enabled chipsets (ex Q87) contain full featured Intel ME with ability to suport remote OOB manageability.

               

              Intel vPro is PC platform features definition, it consists of  3 mandatory HW technologies:

              1. Intel VT-x2 (HW virtualization suport with EPT (HW suport for memory virtualization) - this is Intel Core procesor feature
                PLUS
                Intel VT-d - HW suport for I/O device virtualization - this is unique feature of Intel Core i5 vPro or Intel Core i7  vPro  procesosors only.

                You can use those features with VMMs (like Hyper -V or VMWare) as long as your board BIOS /BIOS Setup allows to enable those features.
                If virtualization is not to be used -it is adviced to disable those features in BIOS setup.

                BTW MS Windows 10 Enterprise Data Protection will require and use those two Intel VT flavours to execute code in secure container.

              2. Intel TXT (Trusted Execution Technology) - HW supported dynamic root of trust - provides ability for HW measured and verified (against system state whitelist) platform boot.
                this is as well unique feature of of Intel Core i5 vPro or Intel Core i7  vPro  procesosors only.
                To use it you will need board with discrete TPM module (mandatory part of vPro chipset enabled boards), BIOS to contain Intel ACM modules and SW solution to enable, configure and use this feature - for Linux you may look for references to Intel tboot  (trusted boot).
                This feature is pretty widely used on servers to secure VM Hosts in the Cloud (with HyTrust or Parallels) but in Client OS space it is not used. MS Windows OS does NOT use this feature for its Secure Boot.
              3. Intel AMT - Active Managemet Technology - remote HW based out of band management over TCP/IP network.
                Intel AMT is unique feature of Intel vPro enabled chipsets ONLY accompanied wih Intel AMT enabled LAN controller (and Intel AMT enabled WiFi controller for laptops). It is not procesor feature.
                So with Non vPro chipset -there is no HW components (chipset HW, AMT LAN/WLAN & Full ME FW image ) to allow remote Intel AMT management.

                Intel vPro contains also one OPTIONAL technology:
              4. Intel IPT - Identity Protection Technology - ability to use Intel ME ucontroller embeded in the Intel chipset as isolated execution environment for ex. One Time Password token generation. (IPT with OTP) or displaying randomized pin pad on the screen in protected (encrypted) way - IPT with PTD.

                This feature is element of Intel chipsets  only

                Intel Anti-Theft was simillar Optional technology -delivered by Intel chipset only but it End of Life now - it may still exist in Intel chipsets but Intel supporting service to enable/enroll it was disabled -so this technology can't be enabled anymore.

                So as you see Intel Core i5 vPro or Intel Core i7 vPro procesor suports even more technologies (VT-d) than non vPro model, but without Intel vPro (AMT) enabled chipset there is no suport for remote OOB management. (and even in vPro chipset enabled boards Intel AMT factory default state is : unprovisioned -not configured with security credentials so not reacheable over network).

                Intel SBA
                is local management/maintenance technology -not supporting OOB remote network access.

               

              So as you can see - Intel vPro procesor does not make full Intel vPro platform on its own - it will still require Intel vPro /or ISM enabled chipset and Intel AMT activation (Configuration).

               

              Hope it helps to clarify your concerns?

               

              rgds

              Darek