Intel vPro: Three Generations Of Remote Management

AMD's DASH Wild Card

The original aim of this piece was to compare successive generations of Intel’s vPro technology in order to track how the feature suite has evolved over the past several years. After all, Intel has more history in remote desktop management tools than any other company.

But before we button this one up, we wanted to get AMD’s input and feedback to see if it had its own plans to enable remote manageability across its desktop processor and chipset portfolio. As it turns out, AMD is working with an industry consortium called DMTF (Distributed Management Task Force) on a standard you’ve probably heard of called DASH (Desktop and Mobile Architecture for System Hardware).

Now, the company launched its Business Class technology for desktops back in 2009 hoping to enable an infrastructure of processors, chipsets, and graphics cards similar to what Intel has in its vPro lineup, hoping it'd be well-suited to SMB installations. Because it didn’t have its own networking technology, it relied on third-party network controller vendors to enable out-of-band manageability. Since then, the company has continued honing its implementations, and AMD is now on its fifth revision of plug-ins for Microsoft’s System Center Configuration Manager, which facilitates the configuration of DASH-compliant hardware. 

Of course, the benefit of AMD’s approach is that DASH is an open standard. There’s a long list of board members that belong to DMTF (even Intel is listed), participating in its evolution. According to company representatives, OEMs were willing to back the standard because they didn’t have any control over vPro. There was no way to customize it or to add functionality, which they thought inhibited innovation.

As Intel’s AMT evolved, it eventually picked up DASH support as well (after AMT 5.0, according to posts on the company’s software blogs). Especially now, AMD sees this as a boon because IT support staff can manage Intel and AMD platforms side by side in a very similar way. What you have to remember, though, is that vPro and AMT expose a number of features that you simply can’t get through DASH. Remote KVM, for instance, isn’t yet possible through DASH—principally because Broadcom doesn’t support it yet through its controller. There are also no provisions for managing remote clients that are networked wirelessly, though AMD says there haven’t been many customer requests for such a feature. AMD says it’s able to offer a capability very similar to Anti-Theft technology, which works with some of the same ISVs (like Absolute Software’s Computrace). But Intel’s advantage is that customers can use an SMS message to brick a machine.

Here’s another cool characteristic of DASH: AMD’s Valerie Kane says support is independent of its CPUs, APUs, or chipsets. So, whereas vPro exacts some fairly specific requirements, you could potentially see a wider variety of AMD configurations with DASH support. More critical to compliance is the Broadcom networking hardware with manageability support built-in.

And then the story comes to a somewhat screeching halt. Where does an enthusiast buy a motherboard with DASH support? He doesn’t. There used to be a couple models out there, but they didn’t sell well, so successive boards with newer chipsets didn’t pick up support. How about system integrators looking to build DASH-capable machines for SMB customers? Sorry, no dice there, either. You’d really have to go through a tier-one vendor to find a DASH-enabled machine.

And so, while we’re working with AMD to, perhaps, report in when a consumer board becomes available, there’s really no way to set up a story like this one using AMD-based hardware. An enthusiast or system builder interested in remote management really only has one game in town. When that changes, AMD knows we’re interested and its reps committed to letting us know.

This thread is closed for comments
21 comments
    Your comment
  • cngledad
    Can I suggest an article comparing different remote access tools we can use? From the freeware TeamViewer, VNC Viewer to such things like WebEx? I think that would be a very good topic.
  • ^^Don't forget Logmein Rescue which has vPro support.
  • pro-gamer
    intel man please give me a job.
    Intels rock
  • NirXY
    Glad to see you made it to publish day, was waiting for this piece.
    Looking great !
  • One correction: DQ57TM *does* contain a v1.2 TPM, the same as found on DQ67SW and DQ67EP. It's required to be vPro compliant (necessary for Intel TXT).
  • jhansonxi
    Nifty but I don't like the single-vendor lock-in. I can see real improvements in IT efficiency if this was combined with AoE. Would like to see SSH support, however.
  • extremepcs
    Hopefully they have improved the activation mechanism. Kind of a PITA if you don't buy a certificate from a trusted CA. I used an internal cert and had to activate each machine by booting from a flash drive.
  • chovav
    If my hard drive is encrypted using TrueCrypt pre-boot authentication, would I be able to fill in the password using Intels vPro?
  • jowunger
    The voice of the guy in the video is bad. The guy talks like he is speedreading a book...
  • cangelini
    cdw-vproOne correction: DQ57TM *does* contain a v1.2 TPM, the same as found on DQ67SW and DQ67EP. It's required to be vPro compliant (necessary for Intel TXT).


    Fixed, thanks!
  • chovav
    Chris can you answer my question?
  • pjkenned
    chovavIf my hard drive is encrypted using TrueCrypt pre-boot authentication, would I be able to fill in the password using Intels vPro?


    Generally you don't want to do this. Pre-boot authentication on encrypted drives is a security measure so that someone gaining access to a shut-down PC cannot cold boot onto the contents of the disk. For example, one shuts down a notebook that is subsequently stolen in an airport.

    In that scenario (actually fairly common) the user that now has the notebook can boot to the contents of the disk if a password was pre-filled.
  • kevikom
    HP insight manager is better. Weird thing is I found out about it from a whitepaper on Dells site. I thought HP and Dell hated each other?? but we use it for PCs, servers, and it has a plugin for Vmware.... AND IT IS FREE.
  • pjkennedFor example, one shuts down a notebook that is subsequently stolen in an airport. In that scenario (actually fairly common) the user that now has the notebook can boot to the contents of the disk if a password was pre-filled.


    So you saying that's a bad idea for the owner that he typed the pre-filled the password using vPro?
  • Hi, does anybody know if Intel Dq67sw motherboard Support 8Gb ddr3 Single Modules . Because Intel Technical product specification states " Support for 32GB of System Memory with four DIMMS using 4GB memory technology ".

    Are there any other Intel boards which support vPro ( VT-X , VT-D ) with 32GB for i7 2nd Generation.

    As i want to build one myself for VM.
  • omerl
    pjkennedGenerally you don't want to do this. Pre-boot authentication on encrypted drives is a security measure so that someone gaining access to a shut-down PC cannot cold boot onto the contents of the disk. For example, one shuts down a notebook that is subsequently stolen in an airport. In that scenario (actually fairly common) the user that now has the notebook can boot to the contents of the disk if a password was pre-filled.

    dj christianSo you saying that's a bad idea for the owner that he typed the pre-filled the password using vPro?


    Chovav, pjkenned and dj christian - yes, you can use Intel vPro AMT to fill the Pre-Boot Authentication. You can do this either with AMT KVM (which is the simple way, but requires AMT 6 and above) or with AMT SOL (assuming TrueCrypt allows SOL.
    pjkenned - there are several scenarios which it would makes much sense to send the password for PBA remotely: 1. Support agent trying to recover a user's password. 2. Trying to boot to a computer you left in the office. The idea is not that the password is pre-filled, it is filled on real-time.
    It's actually can be a very powerful tool for the service-desk at your organization.
  • omerl
    qwer5678So you saying that's a bad idea for the owner that he typed the pre-filled the password using vPro?

    I didn't really understand what you mean. If you utilize this feature correctly you can gain real value to your organization. Note my 2 suggestion of usage. If you have it kept in a DB or something similar, you must make sure this DB is encrypted and secured properly, since this is sensitive information, but you can still get it and send it to your computer using vPro encrypted over TLS/SSL channel.
  • omerl
    okokpkpk - I'm saying DO NOT PRE-FILL THE PASSWORD. This is not what's vPro is all about.
    I'm saying, create a solution for your organization that allow real time password push to your clients, in case a password is forgotten. Passwords are stored securely inside the organization and are only used in case of password forgotten. Nothing else. Do no bypass the pre-boot authentication mechanism.
  • masi87
    Why does noboy complain about the missing SSL for the logon page of the Web-Interface? (even thought not only logon but everything after that should also be encrypted to prevent cookie theft).
  • michealPW
    I'm not sure what's more unsettling... The fact that this technology's being rolled out in so many mainstream Intel CPUs and Chipsets or the fact that I seem to be the only one that sees this as a major attack vector :|

    Good gawd what a frightening world we're marching into. Security and Privacy is becoming an unattainable dream.
  • Use on of the worst 500 passwords for extra security............................................................................