Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Intel VPRO/AMT SOL and Bitlocker

idata
Employee

We are looking to use a server with Intel vPro to use SOL to connect to a Windows 2008 server with BitLocker using TPM and PIN authentication.

The question is:

If the server gets powered off, can we use SOL to type in the PIN so that Windows 2008 can continue and unlock the encryption?

If so, what software would you use?

idata
Employee

Hello,

I'm not personally familiar with BitLocker's functionality; however, you can probably determine whether or not it will work based on what the BitLocker authentication screen looks like. Is it a text-based GUI appearance, or does it appear to be in a video mode that would not work as a text-based GUI?

You can use the free Intel AMT Developer Toolkit toolset to control the system using Serial-over-LAN. You can download the tools here:

http://www.intel.com/software/amt-dtk/

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Matthew_R_Intel
Employee

Referenced from http://communities.intel.com/docs/DOC-1680

Q10: How can a vPro machine be remotely repaired if it has been encrypted by BitLocker?

Short Answer: When BitLocker is deployed in Transparent mode (expected to be the majority of deployments), remote repair scenarios are fully supported, since the only dependency is the on-board TPM. If BitLocker is deployed in User Authentication or USB Key mode, either the user or a USB key must be available to support remote repair.

Detailed Response: Intel AMT and BitLocker are fully compatible when BitLocker is configured in the Transparent operation mode (see below for a summary of BitLocker modes of operation). The Transparent operation mode does not require the presence of the user to boot the system, so there are no issues with Intel AMT or remote management. IT administrators desiring remote unattended manageability (such as with Intel AMT) will need to deploy BitLocker in this mode. Most expect that the vast majority of those who deploy BitLocker will choose to do so in this Transparent operation mode.

If BitLocker is configured with either User Authentication mode or USB Key mode, the user is required to be present (e.g. a Help Desk scenario) if attempting to remote-boot to an OS using Intel AMT. Intel AMT cannot be used in an "unattended state" in either of these BitLocker modes.

For example, AMT can be used remotely to reboot a failed system if the user is present and has their USB key attached. On the other hand, if the user goes home at night and takes the USB key with them, AMT will not be able to remotely boot the system. (Again, these limitations apply only to the User Authentication mode or USB Key mode of operation.)

IT administrators deploying BitLocker in these two modes need to plan their deployments accordingly and balance remote manageability using AMT against the security provided by the USB Key or User Authentication modes.

There are three modes of BitLocker operation.

The first two BitLocker modes of operation require a cryptographic hardware chip called a Trusted Platform Module (version 1.2 or later) and a compatible BIOS:

(1) Transparent operation mode: This mode exploits the capabilities of the TPM 1.2 hardware to provide a transparent user experience: the user logs onto Windows Vista as normal. The key used for the disk encryption is sealed (encrypted) by the TPM chip and will only be released to the OS loader code if the early boot files appear to be unmodified. The pre-OS components of BitLocker achieve this by implementing a Static Root of Trust Measurement, a methodology specified by the Trusted Computing Group. This mode is vulnerable to a cold boot attack, as it allows a machine to be booted by an attacker.

(2) User Authentication mode: This mode requires that the user provide some authentication to the pre-boot environment in order to be able to boot the OS. Two authentication modes are supported: a pre-boot PIN entered by the user, or a USB key.

The third and final mode does not require a TPM chip:

(3) USB Key mode: The user must insert a USB device that contains a startup key into the computer to be able to boot the protected OS. Note that this mode requires that the BIOS on the protected machine supports the reading of USB devices in the pre-OS environment.

Although you may not be able to see what is occurring on the screen, using the AMT SOL interface you should still be able to type in the PIN.

--Matt Royer

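The practical question behind this thread is "which BitLocker mode is this host actually in, and will it boot without someone at the console?" The following PowerShell function is an added example, not code from the thread or from Intel; it inspects a volume's key protectors with the BitLocker module's Get-BitLockerVolume cmdlet (available on Windows 8 / Server 2012 and later, run elevated) and maps them onto the three modes described above. The function name, the output fields and the verdict strings are this example's own choices; the protector type names (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey, ExternalKey, Password, RecoveryPassword) are the cmdlet's.

```powershell
# Added example (not part of the original forum thread).
# Classifies each BitLocker volume's key protectors so an administrator can
# tell, before relying on Intel AMT for unattended remote boot, whether the
# OS volume is in Transparent (TPM-only) mode or needs a PIN / USB key.
# Assumes the BitLocker PowerShell module (Windows 8 / Server 2012+) and an
# elevated session.

function Get-BitLockerRemoteBootReadiness {
    [CmdletBinding()]
    param(
        # Volume to inspect. Defaults to the OS volume, which is the one that
        # decides whether an unattended remote boot can succeed. Pass '*' to
        # inspect every BitLocker volume on the host.
        [string]$MountPoint = $env:SystemDrive
    )

    $volumes = if ($MountPoint -eq '*') {
        Get-BitLockerVolume
    } else {
        Get-BitLockerVolume -MountPoint $MountPoint
    }

    foreach ($vol in $volumes) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # A recovery password is only used by a person at the recovery prompt;
        # it does not change whether a normal boot is unattended.
        $bootTypes = @($types | Where-Object { $_ -ne 'RecoveryPassword' })

        if ($vol.ProtectionStatus.ToString() -ne 'On') {
            $verdict    = 'Protection is off: no pre-boot unlock required'
            $unattended = $true
        } elseif ($bootTypes -contains 'TpmPin' -or $bootTypes -contains 'TpmPinStartupKey' -or $bootTypes -contains 'Password') {
            # User Authentication mode: a PIN or passphrase must be typed at the
            # pre-boot prompt (over AMT SOL only if that prompt is text-mode).
            $verdict    = 'User Authentication mode: PIN/passphrase required at pre-boot'
            $unattended = $false
        } elseif ($bootTypes -contains 'TpmStartupKey' -or $bootTypes -contains 'ExternalKey') {
            # USB Key mode. Note: on an OS volume an ExternalKey protector can be
            # either a startup key or a recovery key file; treat it as requiring
            # the key to be attached, which is the conservative reading.
            $verdict    = 'USB Key mode: startup key must be attached at boot'
            $unattended = $false
        } elseif ($bootTypes -contains 'Tpm') {
            $verdict    = 'Transparent mode (TPM only): unattended remote boot supported'
            $unattended = $true
        } else {
            $verdict    = "Unrecognised protector set: $($bootTypes -join ', ')"
            $unattended = $false
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus.ToString()
            Protectors       = ($types -join ', ')
            UnattendedBoot   = $unattended
            Verdict          = $verdict
        }
    }
}

# Usage (elevated): check the OS volume, or every volume on the host.
Get-BitLockerRemoteBootReadiness
Get-BitLockerRemoteBootReadiness -MountPoint '*' | Format-Table -AutoSize
```

The checks are ordered from most to least restrictive on purpose: if a volume somehow carries several protector types, the answer should reflect the one that blocks an unattended boot. On the Windows Server 2008 host from the original question, which predates the PowerShell module, the same protector list can be read with `manage-bde -protectors -get C:` and classified by hand using the same rules.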