Intel vPro

Advanced security features in Intel vPro hardware can be leveraged by operating system (OS) and security software features across system attack surfaces to optimize mitigations against cyber threats. These mappings demonstrate the practical application of hardware features by capabilities in Microsoft Windows 11 with Defender and CrowdStrike Falcon to assist defenders in understanding how these integrated capabilities can help mitigate real-world adversary behaviors as described in MITRE ATT&CK®.

ATT&CK Versions: 15.1 ATT&CK Domain: Enterprise

Security Stack Mapping Methodology

Capability Groups

All Mappings

Loading, please wait
Capability ID
Capability Description
Enables
Category
Value
ATT&CK ID
ATT&CK Name
Notes
intel-ptt Intel Platform Trust Technology Win 11, System Guard Secure Launchprotectsignificant T1542 Pre-OS Boot
Comments
Windows Secure Boot leverages Intel PTT (TPM) to safeguard settings stored in UEFI, while Intel Boot Guard prevents unauthorized modifications to UEFI firmware. It verifies the signatures of the UEFI firmware, bootloader, and boot drivers before loading the operating system. When the PC starts, the firmware checks the signature of each piece of boot software, including Unified Extensible Firmware Interface (UEFI) firmware drivers (also known as Option ROMs), Extensible Firmware Interface (EFI) applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system. Rollback protection also prevents the system from rolling back to older versions of firmware. Secure Boot employs Intel PTT (TPM) to thwart attacks that attempt to alter the signature policy at the boot level in real-time or modify components involved in the boot process before the boot process. Intel Boot Guard ensures the integrity of the boot-level code before it is executed on the processor, preventing the system from proceeding with malicious boot code. Secure Boot is able to address threats pre-os that change the signature of the loaded boot component. System Guard Secure Launch uses a technology called Dynamic Root of Trust Measurement (DRTM). It leverages Intel PTT (TPM) and TXT to provide secure methods to boot a system and verify the integrity of the operating system and loading mechanisms. System Guard Secure Launch ensures that the system can freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. This has the benefit of allowing untrusted early code to boot the system but then being able to securely transition into a trusted and measured state. The ability to transition in real-time to a secure state justified the score of significant for this feature and its corresponding protection (E.g., bootkit, rootkit, firmware corruption, etc.).
References
intel-ptt Intel Platform Trust Technology Win 11, System Guard Secure Launchprotectsignificant T1542.001 System Firmware
Comments
Windows Secure Boot leverages Intel PTT (TPM) to safeguard settings stored in UEFI, while Intel Boot Guard prevents unauthorized modifications to UEFI firmware. It verifies the signatures of the UEFI firmware, bootloader, and boot drivers before loading the operating system. When the PC starts, the firmware checks the signature of each piece of boot software, including Unified Extensible Firmware Interface (UEFI) firmware drivers (also known as Option ROMs), Extensible Firmware Interface (EFI) applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system. Rollback protection also prevents the system from rolling back to older versions of firmware. Secure Boot employs Intel PTT (TPM) to thwart attacks that attempt to alter the signature policy at the boot level in real-time or modify components involved in the boot process before the boot process. Intel Boot Guard ensures the integrity of the boot-level code before it is executed on the processor, preventing the system from proceeding with malicious boot code. Secure Boot is able to address threats pre-os that change the signature of the loaded boot component. System Guard Secure Launch uses a technology called Dynamic Root of Trust Measurement (DRTM). It leverages Intel PTT (TPM) and TXT to provide secure methods to boot a system and verify the integrity of the operating system and loading mechanisms. System Guard Secure Launch ensures that the system can freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. This has the benefit of allowing untrusted early code to boot the system but then being able to securely transition into a trusted and measured state. The ability to transition in real-time to a secure state justified the score of significant for this feature and its corresponding protection (E.g., bootkit, rootkit, firmware corruption, etc.).
References
intel-ptt Intel Platform Trust Technology Win 11, System Guard Secure Launchprotectsignificant T1542.002 Component Firmware
Comments
Windows Secure Boot leverages Intel PTT (TPM) to safeguard settings stored in UEFI, while Intel Boot Guard prevents unauthorized modifications to UEFI firmware. It verifies the signatures of the UEFI firmware, bootloader, and boot drivers before loading the operating system. When the PC starts, the firmware checks the signature of each piece of boot software, including Unified Extensible Firmware Interface (UEFI) firmware drivers (also known as Option ROMs), Extensible Firmware Interface (EFI) applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system. Rollback protection also prevents the system from rolling back to older versions of firmware. Secure Boot employs Intel PTT (TPM) to thwart attacks that attempt to alter the signature policy at the boot level in real-time or modify components involved in the boot process before the boot process. Intel Boot Guard ensures the integrity of the boot-level code before it is executed on the processor, preventing the system from proceeding with malicious boot code. Secure Boot is able to address threats pre-os that change the signature of the loaded boot component. System Guard Secure Launch uses a technology called Dynamic Root of Trust Measurement (DRTM). It leverages Intel PTT (TPM) and TXT to provide secure methods to boot a system and verify the integrity of the operating system and loading mechanisms. System Guard Secure Launch ensures that the system can freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. This has the benefit of allowing untrusted early code to boot the system but then being able to securely transition into a trusted and measured state. The ability to transition in real-time to a secure state justified the score of significant for this feature and its corresponding protection (E.g., bootkit, rootkit, firmware corruption, etc.).
References
intel-ptt Intel Platform Trust Technology Win 11, System Guard Secure Launchprotectsignificant T1495 Firmware Corruption
Comments
Windows Secure Boot leverages Intel PTT (TPM) to safeguard settings stored in UEFI, while Intel Boot Guard prevents unauthorized modifications to UEFI firmware. It verifies the signatures of the UEFI firmware, bootloader, and boot drivers before loading the operating system. When the PC starts, the firmware checks the signature of each piece of boot software, including Unified Extensible Firmware Interface (UEFI) firmware drivers (also known as Option ROMs), Extensible Firmware Interface (EFI) applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system. Rollback protection also prevents the system from rolling back to older versions of firmware. Secure Boot employs Intel PTT (TPM) to thwart attacks that attempt to alter the signature policy at the boot level in real-time or modify components involved in the boot process before the boot process. Intel Boot Guard ensures the integrity of the boot-level code before it is executed on the processor, preventing the system from proceeding with malicious boot code. Secure Boot is able to address threats pre-os that change the signature of the loaded boot component. System Guard Secure Launch uses a technology called Dynamic Root of Trust Measurement (DRTM). It leverages Intel PTT (TPM) and TXT to provide secure methods to boot a system and verify the integrity of the operating system and loading mechanisms. System Guard Secure Launch ensures that the system can freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. This has the benefit of allowing untrusted early code to boot the system but then being able to securely transition into a trusted and measured state. The ability to transition in real-time to a secure state justified the score of significant for this feature and its corresponding protection (E.g., bootkit, rootkit, firmware corruption, etc.).
References
intel-aes-ni Intel Advanced Encryption Standard - New Instructions Win 11, BitLockerprotectpartial T1110 Brute Force
Comments
BitLocker uses TPM (Intel PTT) to bind the volume encryption keys for full disk encryption (FDE), Intel AES-NI to accelerate the encryption/decryption process, and Intel BootGuard to ensure operating system components are not compromised during boot. BitLocker also can add pre-boot authentication (like PIN) to access the decryption keys used for FDE. BitLocker relies on Intel BootGuard and the TPM (Intel PTT) to ensure none of the boot components or the OS components are tampered with before releasing the BitLocker key. BitLocker is a Windows security feature that provides encryption for entire volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. BitLocker also uses Intel PTT to check integrity of early boot components, configuration data as well as OS components preventing attacks that perform modifications of those components. Data on the encrypted volume can't be accessed without entering the PIN if configured. TPMs (Intel PTT) also have anti-hammering protection that is designed to prevent brute force attacks that attempt to determine the PIN. To defend against malicious reset attacks, BitLocker uses the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request), before extracting keys into memory. Windows 11 Personal Data Encryption (PDE) uses Intel PTT (TPM), Intel AES-NI, Intel BootGuard to ensure operating system components are not compromised until the Windows Sign-in screen at which point Windows Hello for Business is used in conjunction with Microsoft Entra to authenticate the user and open the container with the encryption keys used to secure the user's personal data. Bitlocker features are used to then encrypt or decrypt that data utilizing those keys. PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker, nor is BitLocker a replacement for PDE. Using both features together provides better security than using either BitLocker or PDE alone. PDE differs from BitLocker in that it encrypts files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. PDE refers to a new user authenticated encryption mechanism used to protect user content. Windows Hello for Business is the modern user authentication mechanism which is used with PDE. Windows Hello for Business, either with PIN or biometrics (face or fingerprint), is used to protect the container which houses the encryption keys used by PDE. When the user logs in (either after bootup or unlocking after a lock screen), the container gets authenticated to release the keys in the container to decrypt user content. PDE provides real-time protection against adversaries exfiltrating data at rest in removable media. In some cases, data is protected at rest until the user logs in, and is marked partial for such cases.
References
intel-aes-ni Intel Advanced Encryption Standard - New Instructions Win 11, PDEprotectpartial T1110 Brute Force
Comments
BitLocker uses TPM (Intel PTT) to bind the volume encryption keys for full disk encryption (FDE), Intel AES-NI to accelerate the encryption/decryption process, and Intel BootGuard to ensure operating system components are not compromised during boot. BitLocker also can add pre-boot authentication (like PIN) to access the decryption keys used for FDE. BitLocker relies on Intel BootGuard and the TPM (Intel PTT) to ensure none of the boot components or the OS components are tampered with before releasing the BitLocker key. BitLocker is a Windows security feature that provides encryption for entire volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. BitLocker also uses Intel PTT to check integrity of early boot components, configuration data as well as OS components preventing attacks that perform modifications of those components. Data on the encrypted volume can't be accessed without entering the PIN if configured. TPMs (Intel PTT) also have anti-hammering protection that is designed to prevent brute force attacks that attempt to determine the PIN. To defend against malicious reset attacks, BitLocker uses the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request), before extracting keys into memory. Windows 11 Personal Data Encryption (PDE) uses Intel PTT (TPM), Intel AES-NI, Intel BootGuard to ensure operating system components are not compromised until the Windows Sign-in screen at which point Windows Hello for Business is used in conjunction with Microsoft Entra to authenticate the user and open the container with the encryption keys used to secure the user's personal data. Bitlocker features are used to then encrypt or decrypt that data utilizing those keys. PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker, nor is BitLocker a replacement for PDE. Using both features together provides better security than using either BitLocker or PDE alone. PDE differs from BitLocker in that it encrypts files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. PDE refers to a new user authenticated encryption mechanism used to protect user content. Windows Hello for Business is the modern user authentication mechanism which is used with PDE. Windows Hello for Business, either with PIN or biometrics (face or fingerprint), is used to protect the container which houses the encryption keys used by PDE. When the user logs in (either after bootup or unlocking after a lock screen), the container gets authenticated to release the keys in the container to decrypt user content. PDE provides real-time protection against adversaries exfiltrating data at rest in removable media. In some cases, data is protected at rest until the user logs in, and is marked partial for such cases.
References
intel-aes-ni Intel Advanced Encryption Standard - New Instructions Win 11, BitLockerprotectpartial T1565.001 Stored Data Manipulation
Comments
BitLocker uses TPM (Intel PTT) to bind the volume encryption keys for full disk encryption (FDE), Intel AES-NI to accelerate the encryption/decryption process, and Intel BootGuard to ensure operating system components are not compromised during boot. BitLocker also can add pre-boot authentication (like PIN) to access the decryption keys used for FDE. BitLocker relies on Intel BootGuard and the TPM (Intel PTT) to ensure none of the boot components or the OS components are tampered with before releasing the BitLocker key. BitLocker is a Windows security feature that provides encryption for entire volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. BitLocker also uses Intel PTT to check integrity of early boot components, configuration data as well as OS components preventing attacks that perform modifications of those components. Data on the encrypted volume can't be accessed without entering the PIN if configured. TPMs (Intel PTT) also have anti-hammering protection that is designed to prevent brute force attacks that attempt to determine the PIN. BitLocker can protect against manipulation of stored data on the drive until it is unlocked.
References
intel-aes-ni Intel Advanced Encryption Standard - New Instructions Win 11, BitLockerprotectpartial T1552 Unsecured Credentials
Comments
BitLocker uses TPM (Intel PTT) to bind the volume encryption keys for full disk encryption (FDE), Intel AES-NI to accelerate the encryption/decryption process, and Intel BootGuard to ensure operating system components are not compromised during boot. BitLocker also can add pre-boot authentication (like PIN) to access the decryption keys used for FDE. BitLocker relies on Intel BootGuard and the TPM (Intel PTT) to ensure none of the boot components or the OS components are tampered with before releasing the BitLocker key. BitLocker is a Windows security feature that provides encryption for entire volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. BitLocker also uses Intel PTT to check integrity of early boot components, configuration data as well as OS components preventing attacks that perform modifications of those components. Data on the encrypted volume can't be accessed without entering the PIN if configured. TPMs (Intel PTT) also have anti-hammering protection that is designed to prevent brute force attacks that attempt to determine the PIN. BitLocker can protect against manipulation of stored data on the drive until it is unlocked. Windows 11 Personal Data Encryption (PDE) uses Intel PTT (TPM), Intel AES-NI, Intel BootGuard to ensure operating system components are not compromised until the Windows Sign-in screen at which point Windows Hello for Business is used in conjunction with Microsoft Entra to authenticate the user and open the container with the encryption keys used to secure the user's personal data. Bitlocker features are used to then encrypt or decrypt that data utilizing those keys. PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker, nor is BitLocker a replacement for PDE. Using both features together provides better security than using either BitLocker or PDE alone. PDE differs from BitLocker in that it encrypts files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. PDE refers to a new user authenticated encryption mechanism used to protect user content. Windows Hello for Business is the modern user authentication mechanism which is used with PDE. Windows Hello for Business, either with PIN or biometrics (face or fingerprint), is used to protect the container which houses the encryption keys used by PDE. When the user logs in (either after bootup or unlocking after a lock screen), the container gets authenticated to release the keys in the container to decrypt user content. PDE provides real-time protection against adversaries exfiltrating data at rest in removable media. In some cases, data is protected at rest until the user logs in, and is marked partial for such cases.
References
intel-aes-ni Intel Advanced Encryption Standard - New Instructions Win 11, PDEprotectpartial T1552 Unsecured Credentials
Comments
BitLocker uses TPM (Intel PTT) to bind the volume encryption keys for full disk encryption (FDE), Intel AES-NI to accelerate the encryption/decryption process, and Intel BootGuard to ensure operating system components are not compromised during boot. BitLocker also can add pre-boot authentication (like PIN) to access the decryption keys used for FDE. BitLocker relies on Intel BootGuard and the TPM (Intel PTT) to ensure none of the boot components or the OS components are tampered with before releasing the BitLocker key. BitLocker is a Windows security feature that provides encryption for entire volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. BitLocker also uses Intel PTT to check integrity of early boot components, configuration data as well as OS components preventing attacks that perform modifications of those components. Data on the encrypted volume can't be accessed without entering the PIN if configured. TPMs (Intel PTT) also have anti-hammering protection that is designed to prevent brute force attacks that attempt to determine the PIN. BitLocker can protect against manipulation of stored data on the drive until it is unlocked. Windows 11 Personal Data Encryption (PDE) uses Intel PTT (TPM), Intel AES-NI, Intel BootGuard to ensure operating system components are not compromised until the Windows Sign-in screen at which point Windows Hello for Business is used in conjunction with Microsoft Entra to authenticate the user and open the container with the encryption keys used to secure the user's personal data. Bitlocker features are used to then encrypt or decrypt that data utilizing those keys. PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker, nor is BitLocker a replacement for PDE. Using both features together provides better security than using either BitLocker or PDE alone. PDE differs from BitLocker in that it encrypts files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. PDE refers to a new user authenticated encryption mechanism used to protect user content. Windows Hello for Business is the modern user authentication mechanism which is used with PDE. Windows Hello for Business, either with PIN or biometrics (face or fingerprint), is used to protect the container which houses the encryption keys used by PDE. When the user logs in (either after bootup or unlocking after a lock screen), the container gets authenticated to release the keys in the container to decrypt user content. PDE provides real-time protection against adversaries exfiltrating data at rest in removable media. In some cases, data is protected at rest until the user logs in, and is marked partial for such cases.
References
intel-aes-ni Intel Advanced Encryption Standard - New Instructions Win 11, BitLockerprotectpartial T1552.001 Credentials In Files
Comments
BitLocker uses TPM (Intel PTT) to bind the volume encryption keys for full disk encryption (FDE), Intel AES-NI to accelerate the encryption/decryption process, and Intel BootGuard to ensure operating system components are not compromised during boot. BitLocker also can add pre-boot authentication (like PIN) to access the decryption keys used for FDE. BitLocker relies on Intel BootGuard and the TPM (Intel PTT) to ensure none of the boot components or the OS components are tampered with before releasing the BitLocker key. BitLocker is a Windows security feature that provides encryption for entire volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. BitLocker also uses Intel PTT to check integrity of early boot components, configuration data as well as OS components preventing attacks that perform modifications of those components. Data on the encrypted volume can't be accessed without entering the PIN if configured. TPMs (Intel PTT) also have anti-hammering protection that is designed to prevent brute force attacks that attempt to determine the PIN. BitLocker can protect against manipulation of stored data on the drive until it is unlocked.
References
Showing 1 to 10 of 261 rows
rows per page