Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2834 Discussions

tampering

idata
Employee
‎05-08-2009 06:31 AM
2,757 Views

In all the documentation online regarding security of vPro, it does not clarify in detail whether the PC's can be tampered with in anyway that would deactivate the vPro setup.

I would like to know, for example, if it's possible to disable vPro by removing the motherboard eprom battery.

0 Kudos

Link Copied

4 Replies
idata
Employee
‎05-11-2009 06:20 AM
786 Views

any Intel vPro experts in this group?

0 Kudos
Copy link
Terry_C_Intel
Employee
‎05-11-2009 08:33 AM
786 Views

What system models do you have?

There are different components of vPro

For the Active Management Technology. Yes - if the BIOS battery is removed and reinserted, the Intel AMT settings will be reset to factory default. In addition, some OEMs provide a setting in BIOS to reset Intel AMT upon the next reboot. The suggest here is lock you BIOS settings and case if that is a concern

For the Anti-Theft Technology (AT-p) - a BIOS battery reset will not affect. Therefore, if someone were to steal a system that is configured with Absolute, Computrace, or other support AT-p security vendor... if the AT-p policy activates and disables the system, only a re-activation key\sequence as defined by the security policy will reactivate the system. A BIOS battery reset will not

Does that help?

0 Kudos
Copy link
idata
Employee
‎05-12-2009 06:23 AM
786 Views
In response to Terry_C_Intel

Thanks Terry for the info. I will be setting up vPro with Altiris Out of Band component. The PC's that I use are HP. Is the (AT-p) Anti-Theft Technology available for HP computers? From what I've read, it's only on Lenovo brand.

Basically, I need to know if there is any other way around disabling AMT vPro other than removing the BIOS battery, however I dont' see anywhere in the Intel vPro documentation regarding the security details.

In response to Terry_C_Intel
0 Kudos
Copy link
Terry_C_Intel
Employee
‎05-12-2009 07:00 AM
786 Views
In response to idata

Correct on AT-p being available for only Lenovo platforms... other's may add the functionality, yet only Lenovo supports at this time.

Regarding the disabling or unconfiguring of AMT - Take a look at http://www.symantec.com/connect/articles/provisioning-intel-vpro-technology-part-4-remotely-resetting-provisioning-state http://www.symantec.com/connect/articles/provisioning-intel-vpro-technology-part-4-remotely-resetting-provisioning-state On the HP laptops (i.e. 2510p, 6910p, 8510p, 2530p, 6930p, 8530p), there is an option in the BIOS to unconfigure AMT on next boot. This option requires a confirmation at the next boot. Thus - it is possible - but can be controlled by BIOS security. Similarly - as mentioned in the article - if an Altiris user has sufficient rights\access, they can unconfigure systems remotely. In both cases - it's a matter of Access Control, rights\permissions, etc.

Just curious - how soon will you be activating vPro\AMT? How many client systems? Key usage model? (if you'd prefer to not answer on blog - send me a private message via vPro Expert center account)

In response to idata
0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.