Intel vPro: Three Generations Of Remote Management

Unique vPro Hardware Requirements

Intel vPro-enabled processor and motherboard combinations look very similar to their consumer counterparts. However, the hardware is only part of the equation. There's a software component involved as well, which exposes the comprising features to IT managers working remotely. A vPro-capable platform doesn't affect performance. Rather, the technology bundle is focused on improving security and augmenting manageability.

One thing you'd need to keep in mind before building a PC able to expose vPro's feature set is that compatible processors and motherboards are a requisite. You can't just go out and buy an H67- or Z68-based board and hope to flip a switch to turn vPro on. Instead, you'd need a board based on the Q67 chipset, which is specifically designed to enable vPro.

Additionally, there are a lot of processors in Intel's lineup that don't support vPro. For a list of the CPUs that are certified vPro-compatible, check this list on Intel's site. You'll notice a complete absence of Core i3 processors there, for starters. Intel does facilitate a great set of features. However, you end up paying a premium due to the Q-series chipset and higher-end processor requirements.

For our purposes, Intel sent along a Core 2 Duo E8500, a Core i5-670, and a Core i5-2500, along with motherboards to go along with each. The Core 2 Duo E8500 represents the now 15-quarter-old Wolfdale generation. It's a fairly common processor in systems nearing a three- to four-year replacement cycle (incidentally, it was also a fairly popular enthusiast chip, thanks to its modest overclockability). Intel's Clarkdale design is represented by the Core i5-670, which is the 32 nm follow-up based on Intel's Nehalem architecture with an on-package graphics/memory/PCIe controller etched at 45 nm. Representing the newest Sandy Bridge architecture is Intel's Core i5-2500.

These CPUs are neither the fastest in their respective product families, nor are they the slowest. Businesses, unlike enthusiasts, tend not to purchase as many top-of-the line CPUs due to ever-present budget constraints. 

Intel vPro CPU Comparison
CPU
Core 2 Duo E8500
Core i5-670
Core i5-2500
Socket
LGA 775LGA 1156
LGA 1155
Process
45 nm32 nm
32 nm
Max TDP
65 W
73 W
95 W
Cores
2
2
4
Threads
2
4
4
Base Clock
3.16 GHz
3.46 GHz
3.3 GHz
Max Turbo Clock
N/A
3.73 GHz
3.7 GHz
AES-NI
No
Yes
Yes
VT-d
Yes
Yes
Yes
TXT
Yes
Yes
Yes

If you want a better idea of how these processor perform, check out Tom's CPU Charts. Performance isn't the issue here, though. Instead, we're interested in how the technologies these have evolved across three generations of hardware.

Along with a compatible CPU, exploiting vPro also requires a compatible motherboard. Generally speaking, the technology is enabled through Q-series motherboards. However, it's worth noting that not all Q-series chipsets support all of the features under the vPro umbrella. This is one of those areas where Intel could really help clarify for its partners, as it's currently difficult to get a clear bead on the precise demands for each piece of the vPro puzzle.

vPro Motherboard Comparison
Motherboard
Intel DQ45CBIntel DQ57TM
Intel DQ67SW
Socket
LGA 775LGA 1156
LGA 1155
Form Factor
MicroATXMicroATX
MicroATX
Memory Type
DDR2DDR3
DDR3
Graphics Output
DVI-I, DVI-DDVI-I, DVI-D, DisplayPort
DVI-I, DVI-D, DisplayPort
USB 2.0 Ports
12
14
12
USB 3.0 Ports
0
0
2
SATA II Ports
6
5
2
SATA III Ports
0
0
2
eSATA Ports
1
1
2
AMT Version
5.x
6.x
7.x
TPM
Yes
Yes
Yes
10/100/1000 NIC
Intel 82567LMIntel 82578DM
Intel 82574LM


Intel’s Q-series boards utilize Intel-branded network controllers to support vPro's out-of-band management capabilities (that is to say, features that still work, even when a PC is powered down). A quick glance at the controllers on the boards Intel submitted for evaluation reveals that each platform provides on-board gigabit-class connectivity. As part of the vPro platform, Intel requires that the system use the company's networking hardware instead of controllers from other vendors like Realtek, Marvell, and Broadcom.

Create a new thread in the US Reviews comments forum about this subject
This thread is closed for comments
21 comments
    Your comment
  • cngledad
    Can I suggest an article comparing different remote access tools we can use? From the freeware TeamViewer, VNC Viewer to such things like WebEx? I think that would be a very good topic.
    7
  • Anonymous
    ^^Don't forget Logmein Rescue which has vPro support.
    3
  • pro-gamer
    intel man please give me a job.
    Intels rock
    -4
  • NirXY
    Glad to see you made it to publish day, was waiting for this piece.
    Looking great !
    0
  • Anonymous
    One correction: DQ57TM *does* contain a v1.2 TPM, the same as found on DQ67SW and DQ67EP. It's required to be vPro compliant (necessary for Intel TXT).
    0
  • jhansonxi
    Nifty but I don't like the single-vendor lock-in. I can see real improvements in IT efficiency if this was combined with AoE. Would like to see SSH support, however.
    0
  • extremepcs
    Hopefully they have improved the activation mechanism. Kind of a PITA if you don't buy a certificate from a trusted CA. I used an internal cert and had to activate each machine by booting from a flash drive.
    1
  • chovav
    If my hard drive is encrypted using TrueCrypt pre-boot authentication, would I be able to fill in the password using Intels vPro?
    1
  • jowunger
    The voice of the guy in the video is bad. The guy talks like he is speedreading a book...
    0
  • cangelini
    cdw-vproOne correction: DQ57TM *does* contain a v1.2 TPM, the same as found on DQ67SW and DQ67EP. It's required to be vPro compliant (necessary for Intel TXT).


    Fixed, thanks!
    0
  • chovav
    Chris can you answer my question?
    0
  • pjkenned
    chovavIf my hard drive is encrypted using TrueCrypt pre-boot authentication, would I be able to fill in the password using Intels vPro?


    Generally you don't want to do this. Pre-boot authentication on encrypted drives is a security measure so that someone gaining access to a shut-down PC cannot cold boot onto the contents of the disk. For example, one shuts down a notebook that is subsequently stolen in an airport.

    In that scenario (actually fairly common) the user that now has the notebook can boot to the contents of the disk if a password was pre-filled.
    0
  • kevikom
    HP insight manager is better. Weird thing is I found out about it from a whitepaper on Dells site. I thought HP and Dell hated each other?? but we use it for PCs, servers, and it has a plugin for Vmware.... AND IT IS FREE.
    0
  • dj christian
    pjkennedFor example, one shuts down a notebook that is subsequently stolen in an airport. In that scenario (actually fairly common) the user that now has the notebook can boot to the contents of the disk if a password was pre-filled.


    So you saying that's a bad idea for the owner that he typed the pre-filled the password using vPro?
    0
  • Anonymous
    Hi, does anybody know if Intel Dq67sw motherboard Support 8Gb ddr3 Single Modules . Because Intel Technical product specification states " Support for 32GB of System Memory with four DIMMS using 4GB memory technology ".

    Are there any other Intel boards which support vPro ( VT-X , VT-D ) with 32GB for i7 2nd Generation.

    As i want to build one myself for VM.
    0
  • omerl
    pjkennedGenerally you don't want to do this. Pre-boot authentication on encrypted drives is a security measure so that someone gaining access to a shut-down PC cannot cold boot onto the contents of the disk. For example, one shuts down a notebook that is subsequently stolen in an airport. In that scenario (actually fairly common) the user that now has the notebook can boot to the contents of the disk if a password was pre-filled.

    dj christianSo you saying that's a bad idea for the owner that he typed the pre-filled the password using vPro?


    Chovav, pjkenned and dj christian - yes, you can use Intel vPro AMT to fill the Pre-Boot Authentication. You can do this either with AMT KVM (which is the simple way, but requires AMT 6 and above) or with AMT SOL (assuming TrueCrypt allows SOL.
    pjkenned - there are several scenarios which it would makes much sense to send the password for PBA remotely: 1. Support agent trying to recover a user's password. 2. Trying to boot to a computer you left in the office. The idea is not that the password is pre-filled, it is filled on real-time.
    It's actually can be a very powerful tool for the service-desk at your organization.
    0
  • omerl
    qwer5678So you saying that's a bad idea for the owner that he typed the pre-filled the password using vPro?

    I didn't really understand what you mean. If you utilize this feature correctly you can gain real value to your organization. Note my 2 suggestion of usage. If you have it kept in a DB or something similar, you must make sure this DB is encrypted and secured properly, since this is sensitive information, but you can still get it and send it to your computer using vPro encrypted over TLS/SSL channel.
    1
  • omerl
    okokpkpk - I'm saying DO NOT PRE-FILL THE PASSWORD. This is not what's vPro is all about.
    I'm saying, create a solution for your organization that allow real time password push to your clients, in case a password is forgotten. Passwords are stored securely inside the organization and are only used in case of password forgotten. Nothing else. Do no bypass the pre-boot authentication mechanism.
    0
  • masi87
    Why does noboy complain about the missing SSL for the logon page of the Web-Interface? (even thought not only logon but everything after that should also be encrypted to prevent cookie theft).
    0
  • michealPW
    I'm not sure what's more unsettling... The fact that this technology's being rolled out in so many mainstream Intel CPUs and Chipsets or the fact that I seem to be the only one that sees this as a major attack vector :|

    Good gawd what a frightening world we're marching into. Security and Privacy is becoming an unattainable dream.
    0