Intel vPro

Intel vPro is a brand name for a set of PC hardware features. PCs that support vPro have a vPro-enabled processor, a vPro-enabled chipset, and a vPro-enabled BIOS as their main elements. A vPro PC includes: • Multi-core, multi-threaded Xeon or Core processors. • Intel Active Management Technology (AMT), a set of hardware-based features targeted at businesses, allow remote access to the PC for management and security tasks, when an OS is down or PC power is off. Note that AMT is not the same as Intel vPro; AMT is only one element of a vPro PC. • Remote configuration technology for AMT, with certificate-based security. Remote configuration can be performed on "bare-bones" systems, before the Operating System and software management agents are installed. • Wired and wireless network connection. which verifies a launch environment and establishes the root of trust, which in turn allows software to build a chain of trust for virtualized environments. Intel TXT also protects secrets during power transitions for both orderly and disorderly shutdowns (a traditionally vulnerable period for security credentials). • Support for IEEE 802.1X, Cisco Self Defending Network (SDN), and Microsoft Network Access Protection (NAP) in laptops, and support for 802.1x and Cisco SDN in desktop PCs. Support for these security technologies allows Intel vPro to store the security posture of a PC so that the network can authenticate the system before the OS and applications load, and before the PC is allowed access to the network.). Intel VT-x accelerates hardware virtualization which enables isolated memory regions to be created for running critical applications in hardware virtual machines in order to enhance the integrity of the running application and the confidentiality of sensitive data. Intel VT-d exposes protected virtual memory address spaces to DMA peripherals attached to the computer via DMA buses, mitigating the threat posed by malicious peripherals. • Execute disable bit that, when supported by the OS, can help prevent some types of buffer overflow attacks. The 12th generation of Intel Core processors introduced four distinct platforms: vPro Essentials, vPro Enterprise for Windows, vPro Enterprise for Chrome and vPro Evo Design. The difference of vPro Essentials is that it does not support some features: Out-of-band KVM remote control, Wireless Intel® AMT, Fast call for help, Intel® Remote Secure Erase with Intel® SSD Pro. Intel processors that support vPro Essentials are using Intel Standard Manageability (a subset of Intel AMT) which supports out-of-band management and can be monitored with the "Access Monitor" feature. ==Remote management==

Intel AMT is the set of management and security features built into vPro PCs that makes it easier for a sys-admin to monitor, maintain, secure, and service PCs. VNC-based KVM remote control Starting with vPro with AMT 6.0, PCs with Core i5 or i7 processors and embedded Intel graphics, now contains an Intel proprietary embedded VNC server. Users can connect out-of-band using dedicated VNC-compatible viewer technology, and have full KVM (keyboard, video, mouse) capability throughout the power cycle—including uninterrupted control of the desktop when an operating system loads. Clients such as VNC Viewer Plus from RealVNC also provide additional functionality that might make it easier to perform (and watch) certain Intel AMT operations, such as powering the computer off and on, configuring the BIOS, and mounting a remote image (IDER). Not all Core i5 and i7 processors with vPro may support KVM capability. This depends on the OEM's BIOS settings as well as if a discrete graphics card is present. Only Intel integrated HD graphics support KVM ability. ==Wireless communication==

Intel vPro supports encrypted wired and wireless LAN communication for all remote management features for PCs inside the corporate firewall. AMT wireless communication Intel vPro PCs support wireless communication to the AMT features. vPro PCs version 4.0 or higher support security for mobile communications by establishing a secure tunnel for encrypted AMT communication with the managed service provider when roaming (operating on an open, wired LAN outside the corporate firewall). Secure communication with AMT can be established if the laptop is powered down or the OS is disabled. The AMT encrypted communication tunnel is designed to allow sys-admins to access a laptop or desktop PC at satellite offices where there is no on-site proxy server or management server appliance. Secure communications outside the corporate firewall depend on adding a new element—a management presence server (Intel calls this a "vPro-enabled gateway")—to the network infrastructure. This requires integration with network switch manufacturers, firewall vendors, and vendors who design management consoles to create infrastructure that supports encrypted roaming communication. So although encrypted roaming communication is enabled as a feature in vPro PCs version 4.0 and higher, the feature will not be fully usable until the infrastructure is in place and functional. ==vPro security==

vPro security technologies and methodologies are designed into the PC's chipset and other system hardware. During deployment of vPro PCs, security credentials, keys, and other critical information are stored in protected memory (not on the hard disk drive), and erased when no longer needed. Security and privacy concerns According to Intel, it is possible to disable AMT through the BIOS settings, however, there is apparently no way for most users to detect outside access to their PC via the vPro hardware-based technology. Moreover, Sandy Bridge and future chips will have, "...the ability to remotely kill and restore a lost or stolen PC via 3G ... if that laptop has a 3G connection" Many vPro features, including AMT, are implemented in the Intel Management Engine (ME), a distinct processor in the chipset running MINIX 3, which has been found to have numerous security vulnerabilities. Unlike for AMT, there is generally no official, documented way to disable the Management Engine (ME); it is always on unless it is not enabled at all by the OEM. Security features Intel vPro supports industry-standard methodologies and protocols, as well as other vendors' security features: • Intel Total Memory Encryption (Intel TME) • Intel Trusted Execution Technology (Intel TXT) • Support for IEEE 802.1x, Preboot Execution Environment (PXE), and Cisco SDN in desktop PCs, and additionally Microsoft Network Access Protection (NAP) in laptops Intel Boot Guard was first released in Haswell processors in June 2013. Although there are some isolated cases of successful circumvention of Intel Boot Guard technology, these are rather exceptions that prove the rule. Technologies and methodologies Intel vPro uses several industry-standard security technologies and methodologies to secure the remote vPro communication channel. These technologies and methodologies also improve security for accessing the PC's critical system data, BIOS settings, Intel AMT management features, and other sensitive features or data; and protect security credentials and other critical information during deployment (setup and configuration of Intel AMT) and vPro use. • Transport layer security (TLS) protocol, including pre-shared key TLS (TLS-PSK) to secure communications over the out-of-band network interface. The TLS implementation uses AES 128-bit encryption and RSA keys with modulus lengths of 2048 bits. • HTTP digest authentication protocol as defined in RFC 2617. The management console authenticates IT administrators who manage PCs with Intel AMT. • Single sign-on to Intel AMT with Microsoft Windows domain authentication, based on the Microsoft Active Directory and Kerberos protocols. • A pseudorandom number generator (PRNG) in the firmware of the AMT PC, which generates high-quality session keys for secure communication. • Only digitally signed firmware images (signed by Intel) are permitted to load and execute. • Tamper-resistant and access-controlled storage of critical management data, via a protected, persistent (nonvolatile) data store (a memory area not on the hard drive) in the Intel AMT hardware. • Access control lists for Intel AMT realms and other management functions. ==vPro hardware requirements==

The first release of Intel vPro was built with an Intel Core 2 Duo processor. • 22 nm Intel 4th Generation Core i5 Mobile processors • Mobile QM87 chipsets • For Intel AMT release 8.0 (3rd Generation Intel Core i5 and Core i7): • 32 & 45 nm Intel 3rd Generation Core i7 Mobile processors • 32 & 45 nm Intel 3rd Generation Core i5 Mobile processors • Mobile QM77 & Q77 chipsets • 45 nm Intel Core2 Duo processor T, P sequence 8400, 8600, 9400, 9500, 9600; small form factor P, L, U sequence 9300 and 9400, and Quad processor Q9100 • Mobile 45 nm Intel GS45, GM47, GM45 and PM45 Express chipsets (Montevina with Intel Anti-Theft Technology) with 1066 FSB, 6 MB L2 cache, ICH10M-enhanced • For Intel AMT release 4.0 (Intel Centrino 2 with vPro technology): • Intel Core2 Duo processor T, L, and U 7000 sequence3, 45 nm Intel Core2 Duo processor T8000 and T9000 • Mobile Intel 965 (Broadwater-Q) Express chipset with ICH8M-enhanced Note that AMT release 2.5 for wired/wireless laptops and AMT release 3.0 for desktop PCs are concurrent releases. Desktop PC requirements Desktop PCs with vPro (called "Intel Core 2 with vPro technology") require: • For AMT release 5.0: • Intel Core2 Duo processor E8600, E8500, and E8400; 45 nm Intel Core2 Quad processor Q9650, Q9550, and Q9400 • Intel Q45 (Eaglelake-Q) Express chipset with ICH10DO • For AMT release 3.0, 3.1, and 3.2: • Intel Core2 Duo processor E6550, E6750, and E6850; 45 nm Intel Core2 Duo processor E8500, E8400, E8300 and E8200; 45 nm Intel Core2 Quad processor Q9550, Q9450 and Q9300 • Intel Q35 (Bearlake-Q) Express chipset with ICH9DO Note that AMT release 2.5 for wired/wireless laptops and AMT release 3.0 for desktop PCs are concurrent releases. • For AMT release 2.0, 2.1 and 2.2: • Intel Core 2 Duo processor E6300, E6400, E6600, and E6700 • Intel Q965 (Averill) Express chipset with ICH8DO ==vPro, AMT, Core i relationships==

There are numerous Intel brands. However, the key differences between vPro (an umbrella marketing term), AMT (a technology under the vPro brand), Intel Core i5 and Intel Core i7 (a branding of a package of technologies), and Core i5 and Core i7 (a processor) are as follows: The Core i7, the first model of the i series was launched in 2008, and the less-powerful i5 and i3 models were introduced in 2009 and 2010, respectively. The microarchitecture of the Core i series was code-named Nehalem, and the second generation of the line was code-named Sandy Bridge. Intel Centrino 2 was a branding of a package of technologies that included Wi-Fi and, originally, the Intel Core 2 Duo. The Intel Centrino 2 brand was applied to mobile PCs, such as laptops and other small devices. Core 2 and Centrino 2 have evolved to use Intel's latest 45-nm manufacturing processes, have multi-core processing, and are designed for multithreading. Intel vPro is a brand name for a set of Intel technology features that can be built into the hardware of the laptop or desktop PC. These operations include remote power up/down (via wake-on-LAN), remote / redirected boot (via integrated device electronics redirect, or IDE-R), console redirection (via serial over LAN), and other remote management and security features. ==See also==