
Vpro, AMT, Intel ME

SBy
Beginner
2,777 Views

The CPU is a Core i5 4590, which is vPro enabled. [ http://ark.intel.com/products/80815/Intel-Core-i5-4590-Processor-6M-Cache-up-to-3_70-GHz ]

The motherboard is an MSI B85M Gaming, where vPro is absent. [ http://ark.intel.com/products/75019 ] and [ http://us.msi.com/support/mb/B85M_GAMING.html ]

What does this mean to me as a desktop user at home who has no interest in any kind of remote management of THAT KIND?

As the motherboard does NOT support vPro, is it free from the risk of any kind of out-of-band remote connection, including remote provisioning? Or is it still under the risk just because the processor has it?

If yes, how can I have the control or preferably disable that in all possible ways?

If no, then why is there an Intel ME version listed in the UEFI [BIOS]?

Wise men are requested to shed light on the issues.

---Added later----

After installing several tools from Intel, I finally found out that vPro of the i5 is up on that "not supported" chipset! Please correct me if I am wrong. But the chipset information on the Intel site says that B85 is not vPro supported. If vPro is not up, how is Intel Anti-Theft running?

What does this mean to me as a desktop user at home who has no interest in remote management of THAT KIND and is not subject to being managed by anyone else using those remote wake-ups in S0, S1, S2, S3... sleeping modes?

If the motherboard does NOT support vPro, is it free from the risk of any kind of out-of-band remote connection, including remote provisioning? Or is it still under the risk just because the processor has it?

If yes, how can I have the control or preferably disable that in all possible ways?

If no, then how can "Intel Management and Security Status" show the information listed below, including the AT service? How can I disable any sort of remote connection attempt by or to my PC which uses vPro or ME or AT or AMT? The target is to eliminate all sorts of provisioning or pre-OS communication.

Additional information

UEFI [BIOS shows no option to enter Intel vPro MEBx or ME. Only the ME version number is available]

On Windows 7, "Intel Management and Security Status" gives information like -

| Item | Value |
|---|---|
| ME Control Mode | Not Provisioned |
| Provisioning Mode | Pre Provisioning |
| BIOS boot | NA |
| Last ME reset reason | Power Up |
| Local FWUpdate | NA |
| Power Policy | Desktop: ON in S0, ME Wake in S3, S4-5 |
| Cryptography Support | NA |

[FW Capabilities]

| Item | Value |
|---|---|
| Intel(R) Small Business Technology | Enabled |
| Intel(R) Anti-Theft Technology PC Protection | Enabled |
| Intel(R) Capability Licensing Service | Enabled |
| Intel(R) Dynamic Application Loader | Enabled |
| Protect Audio Video Path | Enabled |

[Intel(R) Small Business Technology]

| Item | Value |
|---|---|
| Intel(R) SBT State | Enabled |
| Intel(R) SBT Status | Not Configured |

[Intel(R) Anti-Theft Technology PC Protection]

| Item | Value |
|---|---|
| Intel(R) AT State | Enabled |
| Intel(R) AT Status | NA |

| Item | Value |
|---|---|
| MEBx Version | NA |
| FW Version | 9.0.30.1482 |
| LMS Version | 9.0.0.1323 |
| MEI Driver Version | 9.0.0.1287 |
| SOL Driver Version | NA |
| SOL DeviceID | NA |

[Network information]

| Item | Value |
|---|---|
| LAN MAC Address | NA |
| LAN Configuration state | NA |
| LAN Link Status | NA |
| LAN IPv4 Address | NA |
| LAN IPv6 Enablement | NA |
| WLAN MAC Address | NA |
| WLAN Configuration state | NA |
| WLAN Link Status | NA |
| WLAN IPv4 Address | NA |
| WLAN IPv6 Enablement | NA |

I will very much appreciate your input.

1 Solution
Kevin_M_Intel
Employee
1,726 Views

Hello Surferby,

Let me help you with this.

Based on the product description, the processor supports Intel® vPro Technology but the motherboard does not, meaning that there is no way to have incoming threats through that feature.

My best recommendation is for you to contact the motherboard manufacturer so they can explain what features are included on the motherboard and the function of each.

Here you can get the contact information:

http://www.intel.com/support/oems.htm

Kevin M


SBy
Beginner
1,726 Views

Thank you, Kevin M. I understand that. But it is surprising that Intel is selling a vPro processor without printing anything on the package. I didn't need a vPro processor but mistakenly purchased one just because there was nothing printed on the package. Anyway, thank you for your time.

Dariusz_W_Intel
Employee
1,726 Views

Surferby,

The vast majority of current Intel chipsets contain Intel ME (Manageability Engine), BUT in its cut-down feature version: it runs platform HW maintenance (system clocks) and some security features.

Only Intel vPro enabled chipsets (e.g. Q87) contain the full-featured Intel ME with the ability to support remote OOB manageability.

Intel vPro is a PC platform feature definition; it consists of 3 mandatory HW technologies:

  1. Intel VT-x2 (HW virtualization support with EPT, i.e. HW support for memory virtualization) - this is an Intel Core processor feature

     PLUS Intel VT-d - HW support for I/O device virtualization - this is a unique feature of Intel Core i5 vPro or Intel Core i7 vPro processors only.

     You can use those features with VMMs (like Hyper-V or VMware) as long as your board BIOS / BIOS Setup allows you to enable those features.

     If virtualization is not to be used, it is advised to disable those features in BIOS setup.

     BTW, MS Windows 10 Enterprise Data Protection will require and use those two Intel VT flavours to execute code in a secure container.

  2. Intel TXT (Trusted Execution Technology) - HW supported dynamic root of trust - provides the ability for a HW measured and verified (against a system state whitelist) platform boot.

     This is as well a unique feature of Intel Core i5 vPro or Intel Core i7 vPro processors only.

     To use it you will need a board with a discrete TPM module (a mandatory part of vPro chipset enabled boards), a BIOS containing Intel ACM modules, and a SW solution to enable, configure and use this feature - for Linux you may look for references to Intel tboot (trusted boot).

     This feature is pretty widely used on servers to secure VM hosts in the Cloud (with HyTrust or Parallels), but in the client OS space it is not used. MS Windows OS does NOT use this feature for its Secure Boot.

  3. Intel AMT - Active Management Technology - remote HW based out-of-band management over a TCP/IP network.

     Intel AMT is a unique feature of Intel vPro enabled chipsets ONLY, accompanied with an Intel AMT enabled LAN controller (and an Intel AMT enabled WiFi controller for laptops). It is not a processor feature. So with a non-vPro chipset there are no HW components (chipset HW, AMT LAN/WLAN & full ME FW image) to allow remote Intel AMT management.

     Intel vPro also contains one OPTIONAL technology:

  4. Intel IPT - Identity Protection Technology - the ability to use the Intel ME microcontroller embedded in the Intel chipset as an isolated execution environment, for example for One Time Password token generation (IPT with OTP) or for displaying a randomized PIN pad on the screen in a protected (encrypted) way (IPT with PTD).

     This feature is an element of Intel chipsets only.

     Intel Anti-Theft was a similar optional technology, delivered by the Intel chipset only, but it is End of Life now - it may still exist in Intel chipsets, but the Intel supporting service to enable/enroll it was disabled, so this technology can't be enabled anymore.

     So as you see, an Intel Core i5 vPro or Intel Core i7 vPro processor supports even more technologies (VT-d) than a non-vPro model, but without an Intel vPro (AMT) enabled chipset there is no support for remote OOB management (and even in vPro chipset enabled boards the Intel AMT factory default state is: unprovisioned - not configured with security credentials, so not reachable over the network). Intel SBA is a local management/maintenance technology, not supporting OOB remote network access.

So as you can see, an Intel vPro processor does not make a full Intel vPro platform on its own - it will still require an Intel vPro / or ISM enabled chipset and Intel AMT activation (configuration).

Hope it helps to clarify your concerns?

rgds

Darek
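
One way to check the "not reachable over network" state described in the reply above is to test the standard AMT TCP ports from a second machine on the same LAN. This is an added example, not part of the thread and not Intel code; the port numbers are the standard AMT/IANA assignments rather than values from the page, and the names `probe` and `answering` are hypothetical. Run it from another machine: out-of-band traffic is handled below the host OS, so a probe from the PC itself does not test that path.

```python
import socket
import sys

# Standard Intel AMT TCP ports (IANA names in the labels). These numbers
# are not from the thread; they are added here as an assumption of the example.
AMT_PORTS = {
    623: "oob-ws-http (OOB WS-Management)",
    664: "oob-ws-https (OOB WS-Management, TLS)",
    16992: "AMT web UI / WS-Management (HTTP)",
    16993: "AMT web UI / WS-Management (TLS)",
    16994: "AMT redirection, SOL/IDE-R (TCP)",
    16995: "AMT redirection, SOL/IDE-R (TLS)",
}


def probe(host, ports=AMT_PORTS, timeout=1.0):
    """TCP-connect to each port; return {port: 'open'|'closed'|'filtered'}."""
    results = {}
    for port in sorted(ports):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"      # host answered with a reset
        except OSError:
            results[port] = "filtered"    # timeout or host unreachable
    return results


def answering(results):
    """Ports that accepted a connection, i.e. a management listener exists."""
    return [p for p, state in sorted(results.items()) if state == "open"]


# Usage: python amt_probe.py <address of the PC being checked>
if __name__ == "__main__" and len(sys.argv) == 2:
    res = probe(sys.argv[1])
    for port, state in res.items():
        print(f"{port:>5}  {state:<8}  {AMT_PORTS[port]}")
    if answering(res):
        print("A listener answered: review the ME/AMT provisioning state.")
    else:
        print("No AMT port accepted a connection from this vantage point.")
```

On a board without an AMT-capable chipset and LAN controller, as described in the reply, every port should come back closed or filtered.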
