Intel® Active Management Technology Overview

Author: Intel® Software Network
Published On: Tuesday, July 17, 2007 | Last Modified On: Thursday, March 06, 2008

Introduction

Intel® Active Management Technology (Intel® AMT) is a capability embedded in Intel-based platforms that enhances the ability of IT organizations to manage enterprise computing facilities. Intel AMT operates independently of the platform processor and operating system. Remote platform management applications can access Intel AMT securely, even when the platform is turned off, as long as the platform is connected to line power and to a network. Independent software vendors (ISVs) can build applications that take advantage of the features of Intel AMT using the application programming interface (API).

Use Cases

The following use cases show some of the power of Intel AMT as a platform management and protection tool.

Discover all of your computing assets

Intel AMT stores hardware and software information in non-volatile memory. (Intel AMT stores hardware information automatically; a software agent running on the host platform is required to capture and store software asset information.) With built-in manageability, Intel AMT allows IT personnel to discover hardware and software assets even while PCs are powered off.

Heal systems remotely regardless of system state

The built-in manageability in Intel AMT provides out-of-band management capabilities that allow IT to remotely heal systems after OS failures. Alerting and event logging help IT detect problems quickly to reduce downtime. Systems can be diagnosed and re-booted remotely, reducing the need for on-site visits.

Protect against malicious software attacks

Intel AMT helps to protect an organization’s network by making it easier to keep software and virus protection consistent and up-to-date across the enterprise. Third party software can store version numbers or policy data in non-volatile memory for off-hours retrieval or updates.

Contain the effect of malware and platform misuse

Intel AMT with System Defense reduces exposure to virus infections by containing outbreaks and software tampering on the managed client, sealing the infected network element from the rest of the network. The Agent Presence capability detects whether critical applications such as anti-virus or software inventory programs are running. If they are not, Intel AMT can send a report immediately to an IT console and, if necessary, isolate the platform until an IT technician remedies the problem.

These use cases are only samples of what Intel AMT can do to advance the state of the art in managing enterprise computing.

Architecture

The architecture of Intel AMT is made up of the firmware that implements the functionality of the product as well as the hardware environment where the firmware executes. It also includes the security and networking environment and elements of the Intel AMT software development kit (SDK).

Hardware/Platform Architecture

AMT has a basic architecture that has variations that implement new functionality with different releases of the product.

Intel AMT Release 2.0 is a component of the Intel® vPro workstation platform. It uses a number of elements in the Intel vPro platform architecture. Figure 1 shows the relationship between these elements.

Figure 1 Intel AMT Release 2.0 Architecture

The Intel AMT functionality is contained in the firmware (ME FW).

  • The firmware image is stored in the Flash memory.
  • The Intel AMT capability is enabled using the Intel® Management Engine (Intel® ME) BIOS extension as implemented by an OEM platform provider. Enterprise setup and configuration is performed by a remote application (See Authentication and Authorization, below).
  • On power-up, the firmware image is copied into the Double Data Rate (DDR) random-access memory (RAM).
  • The firmware executes on the Intel ME ARC processor and uses a small portion of the DDR RAM (Slot 0) for storage during execution. RAM slot 0 must be populated and powered on for the firmware to run.

Intel AMT stores the following information in the Flash (ME Data):

  • OEM-configurable parameters
  • Setup and configuration parameters such as passwords, network configuration, certificates, and access control lists (ACLs)
  • Other configuration information, such as lists of alerts and System Defense policies
  • The hardware configuration captured by the BIOS at startup

Intel AMT also manages third-party data storage (3PDS), which can be allocated by independent software vendors (ISVs) for local storage of information critical to their applications.

The Flash also contains the BIOS executable code (BIOS), as well as the executable code for the Intel® 82566DM Gigabit Network Connection (GbE Ntwk FW).

The Flash is protected against unauthorized host access by a hardware mechanism activated by the OEM during manufacturing.

The ICH8 interface controller holds the filter definitions that are applied to incoming and outgoing in-band network traffic (the message traffic to and from the CPU). These include both internally-defined filters and the application filters defined using the System Defense and Agent Presence capabilities.

The Intel® 82566 Gigabit Network Connection identifies out-of-band (OOB) network traffic (traffic targeted to Intel AMT) and routes it to the Intel ME instead of to the CPU. Intel AMT traffic is identified by dedicated IANA-registered port numbers.

The following elements interact with Intel AMT:

  • The BIOS can be used to initialize Intel AMT or to reset it to its initial state. It captures platform hardware configuration information and stores it in NVM so that Intel AMT can make the information available out of band.
  • The ICH8 sensor capability detects the state of various platform sensors, such as temperatures, fan status, and chassis integrity. Intel AMT can be configured to store and/or forward an alert when the state of any selected sensor changes or crosses a threshold.
  • Software Agents (typically written by management ISVs) executing on the CPU can register with Intel AMT and report their presence to Intel AMT and to a management console using “heartbeats”. Intel AMT monitors the heartbeats and can take action when there is a problem with Agent execution.
  • ISV Applications on the CPU can communicate locally with Intel AMT using dedicated drivers that are compatible with the host operating system.

Intel AMT Release 2.1 enhances the Intel AMT power savings option by enabling waking the Intel AMT device on receipt of a message on the network interface when the device is asleep in an Sx power state.

Intel AMT Release 2.2 adds Remote Configuration (also known as Zero-Touch Configuration, or ZTC), which simplifies the setup and configuration process while maintaining the security of the Intel AMT device.

Intel AMT Release 2.5 Architecture

Intel AMT Release 2.5 extends active management to enterprise wireless mobile computing. As shown in Figure 2 below, the architecture has a mobile version of ICH8, the Crestline MCH and a wireless NIC.

Figure 2 Intel AMT Release 2.5 Architecture

Intel AMT Release 2.5 adds the following features to Release 2.0/2.1:

  • Support for a second, wireless, network interface. Out-of-band management of Intel AMT can be done over this interface. System Defense packet filtering can also be done on traffic sent and received over this interface.
  • Support for 802.1x EAP options so that Intel AMT can continue to process in-band and OOB wireless traffic even when the host OS is not active.
  • Detection of whether a wireless connection is inside or outside the enterprise network.
  • User notification capability, allowing registration for and receipt of alerts on the local CPU. Intel AMT Release 2.5 also includes the User Notification Service (UNS), a Windows service which defines a set of Intel AMT alerts (such as a System Defense alert). When it receives alerts from Intel AMT, the UNS logs them in the Windows event log, where they are available for general viewing.
  • Support for the Cisco Network Admission Control (NAC) standard. The release includes a plug-in that captures posture information and forwards it to a Cisco NAC device.

Intel AMT Release 2.6 adds Remote Configuration and several other features to the mobile platform.

Intel AMT Release 3.0 Architecture

The Intel AMT Release 3.0 architecture is similar to the Release 2.0 architecture. The Broadwater MCH has been upgraded to the Bear Lake MCH and the ICH8 has been upgraded to ICH9. These changes, combined with a new version of firmware, support all the features of Intel AMT Release 2.5 (except for the wireless and mobile features) and provide the following additional capabilities (described in more detail in the Network Interface Guide):

  • Heuristic System Defense: a basic capability for catching and blocking worm attacks emanating from the host platform before they spread widely across the enterprise network.
  • Support for WS-Management: This emerging standard is available as a method for managing the Intel AMT platform, in addition to the SOAP based API in previous versions. See the WS-Management_Classes directory in the Documents folder for related documentation.
  • Remote Configuration: Simplifies the setup and configuration process while maintaining the security of the Intel AMT device.

Remote Access

Intel AMT has two types of interfaces: remote interfaces (Intel AMT Release 2.5 supports a wireless, along with a wired, remote interface) and a local interface. Remote interfaces send and receive traffic via a LAN network connection. The Intel AMT firmware functionality can be configured only via a remote interface so that a local user or application is prevented from changing critical settings.

There are three methods that a remote application uses to communicate with Intel AMT:

Simple Object Access Protocol (SOAP) Messages

SOAP is a lightweight network protocol for information exchange in a decentralized, distributed environment. It is an XML-based protocol consisting of three parts:

  • An envelope that defines a framework for describing what is in a message and how to process it
  • A set of encoding rules for expressing instances of application-defined data types
  • A convention for representing remote procedure calls and responses

The Intel AMT Programmatic Interface is a SOAP-based API exposed by the Intel AMT firmware to communicate with ISV Management Console software running on remote hosts. The API is described in Web Service Description Language (WSDL). There is a WSDL file for each firmware service, also called an interface.

Proprietary Redirection Protocol

Using Intel AMT functions, an ISV application can configure the platform to send console text to a remote destination and to receive keystrokes from a remote source. This is referred to as the Serial over LAN capability. The platform can also be configured to read from or write to a remote floppy disk or CD by redirecting the platform IDE interface. Both of these features use a proprietary protocol. The Redirection Library, included in the SDK, implements this protocol.

The Intel AMT SDK includes extensive sample code that shows the use of the remote interface functionality.

WS-Management

“Web services for management” is an emerging DMTF standard that uses an object-oriented approach to managing devices across a network. The standard is based on the Common Information Model (CIM) as extended by Intel to support all Intel AMT features. Release 3.0 supports full management using CIM objects. Note that WS-Management is another layer over SOAP. See the SDK WS-Management documentation for details.

Local Access

Applications running locally on the platform communicate with Intel AMT Revision 2.0 and later releases in the same way that remote applications do – via SOAP over HTTP or with WS-Management over SOAP over HTTP. As shown in Figure 3 below, when a local application sends a SOAP/HTTP message addressed to the local Intel AMT host name, the Local Manageability Service (LMS), which listens for traffic directed to the host name, intercepts the message and routes it to the Intel® Management Engine Interface.

The LMS provides the following advantages:

  • It unifies the local and remote interfaces to both being SOAP/WSDL-based, simplifying the API.
  • It capitalizes on all of the built-in advantages of HTTP including username and password authentication and the possibility to use HTTPS to add certificate-based authentication and encryption.

This interface incorporates a multi-threaded connection-based driver that communicates with the Intel ME, where the counterpart driver receives the information and passes it to the Intel AMT embedded IP stack.

Figure 3: Routing Local Messages to Intel AMT

Local applications can use the storage library to save information (for example, a software inventory) to non-volatile memory for future retrieval by a remote management console.

User Notification Service

The User Notification Service (UNS) is a Windows service installed on the host of a platform that has Intel AMT Release 2.5 or greater. The UNS registers with the Intel AMT device to receive a set of alerts. When the UNS receives an alert, it logs the alert in the Windows “Application” event log. To view the alerts, right-click on My Computer and select Manage/System Tools/Event Viewer/Application.

The Event Source will be “Intel(R) AMT”. The following table shows the Category, Event ID and User Message for all of the defined alerts.

Category           | Event ID | User Message
-------------------|----------|------------------------------------------------------------------------
System Defense     | 1001     | Security policy invoked. Some or all network traffic (TX) was stopped.
System Defense     | 1002     | Security policy invoked. TX Network connectivity was reduced.
System Defense     | 1003     | Security policy invoked. Some or all network traffic (RX) was stopped.
System Defense     | 1004     | Security policy invoked. RX Network connectivity was reduced.
Remote Diagnostics | 1201     | A remote Serial Over LAN session was established.
Remote Diagnostics | 1202     | Remote Serial Over LAN session finished. User control was restored.
Remote Diagnostics | 1203     | A remote IDE-Redirection session was established.
Remote Diagnostics | 1204     | Remote IDE-Redirection session finished. User control was restored.
WLAN               | 1102     | WLAN Profile insufficient for management session over WLAN interface.
WLAN               | 1104     | Management session was established over WLAN interface.
WLAN               | 1103     | Security parameters insufficient for management session over WLAN interface.
WLAN               | 1105     | Management session over WLAN interface has finished.
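The table above is what an IT console or SIEM would key on. As an added example (not code from the SDK or the original article), the following Python classifies UNS entries by the event IDs listed and flags Serial over LAN, IDE-Redirection and WLAN management sessions that were established but never finished, which is the condition a defender most wants surfaced. The tab-separated export format and the sample lines are constructed for the example; they are not a documented UNS output format.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Category and user message for each UNS event ID, as listed in the table above.
UNS_EVENTS: Dict[int, Tuple[str, str]] = {
    1001: ("System Defense", "Security policy invoked. Some or all network traffic (TX) was stopped."),
    1002: ("System Defense", "Security policy invoked. TX Network connectivity was reduced."),
    1003: ("System Defense", "Security policy invoked. Some or all network traffic (RX) was stopped."),
    1004: ("System Defense", "Security policy invoked. RX Network connectivity was reduced."),
    1201: ("Remote Diagnostics", "A remote Serial Over LAN session was established."),
    1202: ("Remote Diagnostics", "Remote Serial Over LAN session finished. User control was restored."),
    1203: ("Remote Diagnostics", "A remote IDE-Redirection session was established."),
    1204: ("Remote Diagnostics", "Remote IDE-Redirection session finished. User control was restored."),
    1102: ("WLAN", "WLAN Profile insufficient for management session over WLAN interface."),
    1103: ("WLAN", "Security parameters insufficient for management session over WLAN interface."),
    1104: ("WLAN", "Management session was established over WLAN interface."),
    1105: ("WLAN", "Management session over WLAN interface has finished."),
}
# "session established" -> "session finished" pairs from the table.
SESSION_PAIRS: Dict[int, int] = {1201: 1202, 1203: 1204, 1104: 1105}
EVENT_SOURCE = "Intel(R) AMT"

@dataclass
class UnsEvent:
    timestamp: str
    source: str
    event_id: int
    message: str

def parse_event_line(line: str) -> Optional[UnsEvent]:
    """Parse one constructed export line: timestamp, source, event ID, message
    separated by tabs. Lines from other sources or malformed lines return None."""
    parts = line.rstrip("\n").split("\t", 3)
    if len(parts) != 4 or parts[1] != EVENT_SOURCE:
        return None
    try:
        event_id = int(parts[2])
    except ValueError:
        return None
    return UnsEvent(parts[0], parts[1], event_id, parts[3])

def parse_log(text: str) -> List[UnsEvent]:
    return [e for e in (parse_event_line(l) for l in text.splitlines()) if e is not None]

def categorize(events: List[UnsEvent]) -> Dict[str, int]:
    """Count events per UNS category; IDs not in the table count as 'Unknown'."""
    counts: Dict[str, int] = {}
    for e in events:
        category = UNS_EVENTS.get(e.event_id, ("Unknown", ""))[0]
        counts[category] = counts.get(category, 0) + 1
    return counts

def unfinished_sessions(events: List[UnsEvent]) -> List[UnsEvent]:
    """Return 'established' events with no later matching 'finished' event.
    A SOL or IDE-R session that never closes means a remote console still
    holds the platform, which belongs on the IT console's watch list."""
    open_by_end_id: Dict[int, List[UnsEvent]] = {}
    for e in events:
        if e.event_id in SESSION_PAIRS:
            open_by_end_id.setdefault(SESSION_PAIRS[e.event_id], []).append(e)
        elif e.event_id in open_by_end_id and open_by_end_id[e.event_id]:
            open_by_end_id[e.event_id].pop(0)  # close the oldest open session of that kind
    return [e for lst in open_by_end_id.values() for e in lst]

# Constructed sample export, not real UNS output.
SAMPLE_LOG = "\n".join([
    "2008-03-06 09:00:01\tIntel(R) AMT\t1201\tA remote Serial Over LAN session was established.",
    "2008-03-06 09:07:42\tIntel(R) AMT\t1202\tRemote Serial Over LAN session finished. User control was restored.",
    "2008-03-06 09:08:10\tIntel(R) AMT\t1203\tA remote IDE-Redirection session was established.",
    "2008-03-06 09:15:00\tIntel(R) AMT\t1001\tSecurity policy invoked. Some or all network traffic (TX) was stopped.",
    "2008-03-06 09:15:00\tSome Other Source\t1001\tUnrelated event that happens to share an ID.",
    "2008-03-06 09:20:00\tIntel(R) AMT\t9999\tNot a documented UNS alert.",
])

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(categorize(evts))
    for e in unfinished_sessions(evts):
        print("still open:", e.timestamp, e.event_id, e.message)
```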

Legacy Architecture

The Intel AMT Release 1.0 architecture is similar to the architecture for Releases 2.0 and up, but it does not have all of the features associated with the later releases. Also, the Intel AMT Release 1.0 local interface uses a synchronous, single-thread scheme (based on KCS/WMI) for local communications. To support applications created using the Intel AMT Release 1.0 SDK, Releases 2.0 and up can be configured for Legacy Mode. This mode provides the necessary backward compatibility. See the Network Interface Guide for the feature differences between Intel AMT Release 1.0 and later releases and the specifics of Legacy mode.

Features at a Glance

Each use case described under Use Cases, above, depends on portions of the firmware functionality. Each of the use cases is described briefly here with references to the firmware services that an ISV would use to implement the use case. The following section lists all of the Intel AMT firmware services or interfaces.

Discover

The Hardware Asset Interface can be used to retrieve the latest platform hardware inventory. A software application running locally on the platform can store information in non-volatile third-party data storage using the Storage Interface and the Storage Library.

Heal

Besides using the Discover use-case to determine the current hardware and software configuration of a platform, an IT technician can monitor performance of a platform remotely by using the Event Management Interface to create event filters and to log events and send alerts of critical occurrences. The technician can take over control of the platform and boot remotely using the Redirection Interface and Remote Control Interface.

Protect

A local application can use the Storage Interface to save version information for firewall and anti-virus applications. A remote application can read this information to determine if the firewall and anti-virus programs are up-to-date. If they are not, the remote application can use the Redirection Interface and Remote Control to update them, even if the platform is powered down. The System Defense (Circuit Breaker) Interface can limit the network access of the platform until the updates have been completed. A remote application can also use the Storage Interface to save information on the platform when the host is powered down. When the platform is powered up, a local application can read the saved data and perform directed updates.

Contain

An IT administrator uses the Remote Agent Presence Interface to register applications that are required by IT policy to run on client platforms, such as anti-virus, firewall, or software installation tracking programs. ISVs develop these applications incorporating calls to the Local Agent Presence Interface. When the application starts executing, it sends “heartbeat” messages to Intel AMT. If the application fails to start or stops running due to a virus interrupting its operation or due to a user shutting it down, Intel AMT detects the problem and can send an alert to a Management Console using the Event Management Interface. A System Defense policy, created with the Circuit Breaker Interface, can limit workstation access to the network until the interrupted application is operational.

Infrastructure

The Security Administration Interface, the Network Administration Interface, and the Network Time Interface are used to configure the Access Control Lists, network settings, and security parameters. Most of the associated functions are used during the setup and configuration process.

Services

The Intel AMT functionality is partitioned into services or interfaces. As described in the Network Interface Guide, each service can be accessed either via the remote network interface or via the local interface, or both. A user must have access to the corresponding realm in order to have permission to use the functions that are included in the service. See Access Control Lists and Realms, below, for a description of realms as part of Intel AMT access control lists. Table 1 below lists the Intel AMT services. There are two services that have a special status:

  • The Storage Interface is supported by the Storage Library, part of the SDK. The functions in the Storage Library manage user connections to Intel AMT, the storage allocation process, and writing to and reading from blocks of third party data storage. Although storage commands and responses use a SOAP connection, there is only a single binary message format, built by and interpreted by the Storage Library. The Storage Administration Interface is in a separate realm, used by IT administrators to specify which ISV applications have permission to write to and read from third party data storage. See the Storage Design Guide for a description of the Storage Library functionality.
  • The Redirection Library uses a proprietary message format for transferring data in support of the redirection function. See the Redirection Library Design Guide for details.

Table 1. Intel AMT Services

Service                                  | Realm                      | Function                                                                                                                                                                                                            | Release
-----------------------------------------|----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------
Security Administration Interface        | PTAdministrationRealm      | Manages security control data, such as Access Control Lists, Kerberos parameters, Transport Layer Security, Configuration parameters, power saving options and power packages.                                       | 1.0 and up
Network Administration Interface         | PTAdministrationRealm      | Configures local network options. These are usually configured with a DHCP server, but can be configured directly using this interface.                                                                             | 1.0 and up
Hardware Asset Interface                 | HardwareAssetRealm         | Used to retrieve information about the hardware inventory of the platform.                                                                                                                                          | 1.0 and up
Remote Control Interface                 | RemoteControlRealm         | Enables powering a platform up or down remotely. Used in conjunction with the Redirection capability to boot remotely.                                                                                              | 1.0 and up
Storage Interface                        | StorageRealm               | Used to configure, write to and read from non-volatile user storage. The actual commands are in the Storage Library.                                                                                                | 1.0 and up
Event Management Interface               | EventManagerRealm          | Allows configuring hardware and software events to generate alerts and to send them to a remote console and/or log them locally.                                                                                    | 1.0 and up
                                         | EventLogReader             | Allows definition of a user with privileges only to read the Intel AMT system log.                                                                                                                                  | 2.6 and up
Storage Administration Interface         | StorageAdminRealm          | Used to configure the global parameters that govern the allocation and use of non-volatile storage.                                                                                                                 | 1.0 and up
Redirection Interface                    | RedirectionRealm           | Enables and disables the redirection capability and retrieves the redirection log. The redirection interface itself is a separate proprietary interface that does not depend on HTTP/SOAP. See the Redirection Library Design Guide. | 1.0 and up
Local Agent Presence Interface           | AgentPresenceLocalRealm    | Used by an application designed to run on the local platform to report that it is running and to send heartbeats periodically.                                                                                      | 2.0 and up
Remote Agent Presence Interface          | AgentPresenceRemoteRealm   | Used to register Local Agent applications and to specify the behavior of Intel AMT when an application is running or stops running unexpectedly.                                                                    | 2.0 and up
Circuit Breaker Interface                | CircuitBreakerRealm        | Used to define filters, counters, and policies to monitor incoming and outgoing network traffic and to block traffic when a suspicious condition is detected (the System Defense feature).                           | 2.0 and up
NetworkTime Interface                    | NetworkTimeRealm           | Used to set the clock in the Intel AMT device and synchronize it to network time.                                                                                                                                   | 2.0 and up
GeneralInfo Interface                    | GeneralInfoRealm           | Returns general setting and status information. With this interface, it is possible to give a user permission to read parameters related to other interfaces without giving permission to change the parameters.   | 2.0 and up
FirmwareUpdate Interface                 | FirmwareUpdateRealm        | Used only by OEMs via Intel-supplied tools to update the Intel AMT firmware. These functions are not for general ISV use.                                                                                           | 2.0 and up
EIT                                      | Admin                      | Implements the Embedded IT service (not intended for ISV use).                                                                                                                                                      | 2.1 and up
Wireless Configuration Interface         | Admin                      | Manages wireless interface settings.                                                                                                                                                                                | 2.5 only
Endpoint Access Control Interface        | EndpointAccessControl      | Returns settings associated with NAC posture.                                                                                                                                                                       | 2.5 and up
Endpoint Access Control Admin Interface  | EndpointAccessControlAdmin | Configures and enables the NAC posture.                                                                                                                                                                             | 2.5 and up
Local User Notification Interface        | LocalUN                    | Provides alerts to a user on the local interface.                                                                                                                                                                   | 2.5 and up

Authentication and Authorization

Network communications with an Intel AMT-enabled platform should be performed in the most secure way available. An IT administrator can configure for certificate-based authentication and optionally select mutual authentication. Intel AMT has an Access Control List used to authorize all access requests. Intel AMT can use the Kerberos option of Microsoft Active Directory to simplify the authorization process. A remote setup and configuration server is required to prepare Intel AMT for secure operations.

Configuring the Intel AMT Security Model

Both the Intel AMT platform and the Setup and Configuration (S&C) Server start with two pieces of shared information – a platform ID and a pre-shared key (PSK). The first communication between Intel AMT and the setup and configuration server is an unencrypted “hello” message from Intel AMT to the server that contains the platform identifier. The S&C Server then performs the setup and configuration process using the PSK and the TLS-PSK protocol for authentication and encryption of the configuration traffic. The S&C Server downloads Certificates to the Intel AMT platform, which stores them in non-volatile memory. The certificates trace to an enterprise certificate authority and are used by Intel AMT to authenticate to Management Console applications. If Intel AMT is configured for mutual authentication, the S&C Server must provide a client certificate for each application that will communicate with Intel AMT.

The S&C server also establishes an Access Control List, enables certain Intel AMT features, and configures device settings. At the end of the setup and configuration process, the keys generated and used during the process are deleted. All subsequent communications use the certificates and Transport Layer Security (TLS) for authentication, confidentiality (encryption), and integrity (mutual authentication). Intel AMT performs authorization using the Access Control List, as described in the following section. HTTP Digest authentication is used for the SOAP over HTTP communications. The Redirection feature uses secure sockets layer (SSL) to establish a secure connection between the remote console and the Intel AMT platform. See the User’s Guide to the Sample Setup and Configuration Application for additional information.

Access Control Lists and Realms

The Intel AMT Access Control List (ACL) manages who has access to which capabilities within the device. An ACL entry has a user ID and a list of realms to which a user has access. This access is required to use the functionality associated with a realm. In the table above, each interface or service is listed with its realm. A user can be granted access to one or more realms.

The single default user is named “admin” and has “PTAdministrationRealm” privileges, which include privileges for all Intel AMT realms. The admin user can use the commands in the Security Administration Interface to create additional ACL entries for additional users. As part of the setup and configuration process, create the users necessary for an ISV application, subject to the limits on the number of available ACL entries.

There are two kinds of ACL entries: Kerberos and non-Kerberos. The main difference between them is that Kerberos entries have an Active Directory SID to identify a user or group of users. Non-Kerberos entries have a username and password for user identification. See Intel AMT Integration with Active Directory for a description of the difference between these entries.
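As an added example (not the firmware's implementation or SDK code), the following Python models the authorization rules described in this section and in Table 1: a request to a service is allowed only if the caller's ACL entry holds that service's realm, PTAdministrationRealm implies every realm, ACL entries are created through the Security Administration Interface, and entries are either Kerberos (identified by an Active Directory SID) or non-Kerberos (identified by a username). The service-to-realm subset, the entry limit and the SID are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Union

# Service -> realm, from Table 1 above (a subset; the remaining rows follow the same pattern).
SERVICE_REALM: Dict[str, str] = {
    "Security Administration Interface": "PTAdministrationRealm",
    "Hardware Asset Interface": "HardwareAssetRealm",
    "Remote Control Interface": "RemoteControlRealm",
    "Storage Interface": "StorageRealm",
    "Local Agent Presence Interface": "AgentPresenceLocalRealm",
    "Remote Agent Presence Interface": "AgentPresenceRemoteRealm",
    "Circuit Breaker Interface": "CircuitBreakerRealm",
    "GeneralInfo Interface": "GeneralInfoRealm",
}
ALL_REALMS: FrozenSet[str] = frozenset(SERVICE_REALM.values())
ADMIN_REALM = "PTAdministrationRealm"  # includes privileges for every realm

@dataclass(frozen=True)
class NonKerberosEntry:
    """Identified by username (the password check is outside this example)."""
    username: str
    realms: FrozenSet[str]

@dataclass(frozen=True)
class KerberosEntry:
    """Identified by the Active Directory SID of a user or group."""
    sid: str
    realms: FrozenSet[str]

AclEntry = Union[NonKerberosEntry, KerberosEntry]

class AccessControlList:
    def __init__(self, max_entries: int) -> None:
        self.max_entries = max_entries
        # The single default user is "admin" with PTAdministrationRealm.
        self.entries: Dict[str, AclEntry] = {
            "admin": NonKerberosEntry("admin", frozenset({ADMIN_REALM}))}

    def effective_realms(self, principal: str) -> FrozenSet[str]:
        """Realms a principal may use; PTAdministrationRealm expands to all of them."""
        entry = self.entries.get(principal)
        if entry is None:
            return frozenset()
        return ALL_REALMS if ADMIN_REALM in entry.realms else entry.realms

    def is_authorized(self, principal: str, service: str) -> bool:
        """A request succeeds only if the caller holds the service's realm."""
        realm = SERVICE_REALM.get(service)
        return realm is not None and realm in self.effective_realms(principal)

    def add_entry(self, caller: str, entry: AclEntry) -> None:
        """Create an entry via the Security Administration Interface (admin realm)."""
        if not self.is_authorized(caller, "Security Administration Interface"):
            raise PermissionError(f"{caller} may not modify the ACL")
        unknown = entry.realms - ALL_REALMS
        if unknown:
            raise ValueError(f"unknown realms: {sorted(unknown)}")
        key = entry.username if isinstance(entry, NonKerberosEntry) else entry.sid
        if key in self.entries:
            raise ValueError(f"duplicate ACL entry: {key}")
        if len(self.entries) >= self.max_entries:
            raise RuntimeError("no free ACL entries on this device")
        self.entries[key] = entry

def build_demo_acl() -> AccessControlList:
    """Constructed scenario: admin provisions an agent user and an AD group."""
    acl = AccessControlList(max_entries=4)  # the entry limit here is made up
    acl.add_entry("admin", NonKerberosEntry(
        "av_agent", frozenset({"AgentPresenceLocalRealm", "StorageRealm"})))
    # Placeholder SID, not a real directory object.
    acl.add_entry("admin", KerberosEntry(
        "S-1-5-21-0-0-0-1107", frozenset({"HardwareAssetRealm", "GeneralInfoRealm"})))
    return acl

if __name__ == "__main__":
    acl = build_demo_acl()
    for who, svc in [("av_agent", "Local Agent Presence Interface"),
                     ("av_agent", "Remote Control Interface"),
                     ("admin", "Circuit Breaker Interface")]:
        print(who, "->", svc, "allowed" if acl.is_authorized(who, svc) else "denied")
```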

For Further Information

The SDK User Guide points to all of the information in the Intel AMT Software Development Kit. The documents are listed there, as well as system requirements and a summary of the sample code that demonstrates the features of Intel AMT.

The Network Interface Guide is the central reference document for the SOAP-based interface.

The Storage Design Guide describes the structures, functions, and use of the ISV storage library.

The Redirection Library User Guide describes the functions of this interface and the sample application that supports it.

See the WS-Management_Classes folder in the SDK Documents directory for detailed information about Intel AMT WS-Management interface. Also see the Intel AMT WS-Management Flows document.

Each sample in the SDK has a readme file. The readme should be reviewed before activating the sample.
