Does enabling vPro disable or conflict with any other functionality?
I'm configuring a Dell Precision T1600 workstation. It will be added to a small network with one server and two desktops:
- CentOS server used for file sharing via Samba and hosting for web development
- Windows Vista used for development and testing
- Windows XP Pro used for development and testing
- Gigabit Switch
- Router which acts as DHCP server, but all computers use assigned IP addresses
The new workstation will have Win 7 Pro with XP mode. It will be used for web development and graphics processing: Eclipse, Netbeans, Visual Studio, Photoshop, etc.
The Out-of-Band options offered for configuration are:
- Intel vPro Technology Enabled
- Intel Standard Manageability
- No Out-of-Band Systems Management
I don't expect to have much need for Out-of Band management at this point, but plan to continue adding workstations in the future. The workstation will have a discrete graphics card, so Remote KVM won't be available.
I'd like to have the capabilities offered by vPro available, but I'd like to know if there are any trade-offs involved.
Should any tags be added or changed for this question?
Here is the information I bookmarked during my research:
I looked at the Intel vPro Technology FAQ
It said there was no impact on performance:
Q6: What is the impact of Intel® vPro™ technology and its Manageability Engine on the PC's performance?
A6: The Intel vPro technology impact on PC performance is not noticeable to the end-user.
I looked at the wikipedia entry Intel Active Management Technology, it didn't mention any downsides.
I looked at Remote PC Management with Intel's vPro on the Tom's hardware site, it didn't mention any trade-offs.
From server fault, there were only about 15 questions for amt and vPro combined. I favorited this one and looked at some of the links suggested. How do I manage PCs with vPro?
Tools and Utilities for Intel vPro Technoloy
I looked at additional pages, but the above are the ones I bookmarked.
Information provided in answers and comments:
My specific case concerns a workstation, but I'll use "client" to represent the system in which vPro is being enabled.
It appears that activating vPro doesn't impose any limitations, but that it can create security issues if the client isn't provisioned properly during installation.
vPro must be enabled at purchase or it's permanently disabled. Can temporarily disable it in MEBx (Management Engine BIOS Extension).
vPro causes increased memory usage, power consumption and decreased networking performance.
(Intel states that the impact on PC performance is not noticeable to the end-user)
Small amount of drive space is used.
System is powered [to some extent] at all times. Important to disconnect A/C power, rather than just powering the machine off to do any hardware installations/replacements.
You need the back-end architecture to support it.
Two IP addresses per machine (one for the OS and one for vPro).
If your machines get their assignments via DHCP, you can use one for both.
If you need a fixed address for a machine, use a DHCP reservation instead.
Security and Privacy Implications:
You are essentially installing a backdoor into your system.
There's no easy way to tell from the client if someone's using this OoB management tool without your consent, but vPro can be configured to provide notification to users when a remote session is active (depending on your company's policies).
You should immediately provision the client if out-of-band management is enabled, because by default, vPro is pre-provisioned with root CA keys from well-known vendors (e.g. VeriSign, GoDaddy).
This means that an attacker with access to your network could purchase an AMT cert and provision your machines without you ever knowing.
vPro uses PKI and an AMT provisioning certificate is required to provision the client. The easiest approach is to purchase an AMT provisioning certificate from a vendor.
You can use a self-signed cert, but you'll need to be knowledgable about PKI before deploying vPro. You will need to either:
1) have the vendor preload the certificate hash in MEBx (There are tools out there that allow you to create the provisioning config and send the custom certificate hash via USB thumbdrive.)
2) manually configure MEBx on EVERY machine with your self-signed certificate hash.
For the AMT provisioning certificate, you have to create the PKI certificate with an OID of 2.16.840.1.113741.1.2.3.
If you use a Windows Server-based CA, you'll need Windows Server Enterprise or better to do custom cert templates.
Technet has instructions to do this with Windows Certification Authority (see link below).
If using Linux: it may be possible to use OpenSSL to create the PKI certificate, can anyone confirm this?
Once the client is properly provisioned, it's quite secure, as it will only trust a caller that possesses the AMT private key that originally associated the machine.
Suggestions:
Manage vPro with SCCM, it's not free, but it makes life with vPro A LOT easier once it's properly configured. You also get all kinds of other configuration management tricks that are very useful.
Links provided in answers and comments:
vPro Prerequisites and Trade-offs for the dc7800p Business PC with Intel vPro Processor Technology (PDF)
vPro security (Wikipedia)
Requesting, Installing, and Preparing the AMT Provisioning Certificate (MicroSoft TechNet)