In all the documentation online regarding security of vPro, it does not clarify in detail whether the PC's can be tampered with in anyway that would deactivate the vPro setup.
I would like to know, for example, if it's possible to disable vPro by removing the motherboard eprom battery.
What system models do you have?
There are different components of vPro
For the Active Management Technology. Yes - if the BIOS battery is removed and reinserted, the Intel AMT settings will be reset to factory default. In addition, some OEMs provide a setting in BIOS to reset Intel AMT upon the next reboot. The suggest here is lock you BIOS settings and case if that is a concern
For the Anti-Theft Technology (AT-p) - a BIOS battery reset will not affect. Therefore, if someone were to steal a system that is configured with Absolute, Computrace, or other support AT-p security vendor... if the AT-p policy activates and disables the system, only a re-activation key\sequence as defined by the security policy will reactivate the system. A BIOS battery reset will not
Does that help?
Thanks Terry for the info. I will be setting up vPro with Altiris Out of Band component. The PC's that I use are HP. Is the (AT-p) Anti-Theft Technology available for HP computers? From what I've read, it's only on Lenovo brand.
Basically, I need to know if there is any other way around disabling AMT vPro other than removing the BIOS battery, however I dont' see anywhere in the Intel vPro documentation regarding the security details.
Correct on AT-p being available for only Lenovo platforms... other's may add the functionality, yet only Lenovo supports at this time.
Regarding the disabling or unconfiguring of AMT - Take a look at http://www.symantec.com/connect/articles/provisioning-intel-vpro-technology-part-4-remotely-resetting-provisioning-state http://www.symantec.com/connect/articles/provisioning-intel-vpro-technology-part-4-remotely-resetting-provisioning-state On the HP laptops (i.e. 2510p, 6910p, 8510p, 2530p, 6930p, 8530p), there is an option in the BIOS to unconfigure AMT on next boot. This option requires a confirmation at the next boot. Thus - it is possible - but can be controlled by BIOS security. Similarly - as mentioned in the article - if an Altiris user has sufficient rights\access, they can unconfigure systems remotely. In both cases - it's a matter of Access Control, rights\permissions, etc.
Just curious - how soon will you be activating vPro\AMT? How many client systems? Key usage model? (if you'd prefer to not answer on blog - send me a private message via vPro Expert center account)