Managing a fleet of computers can be a complex task when computers are in hard-to-reach places, powered off, or of unknown physical whereabouts. While those are just a few of the on-site challenges, managed service providers (MSPs) have the added challenge of servicing the computers remotely and often find themselves sending a technician out to handle the issues. Intel® Active Management Technology (Intel® AMT) is designed to make remotely managing computers easier, with full access from anywhere, resulting in reduced truck rolls, saved time and energy, and proactive management. The computer can even be powered off or blue-screened, and Intel® AMT can tell it to power on or supply a new ISO image to it. This paper will go over some of the features and capabilities of Intel® AMT as well as give an overview of the configuration and manageability tools available. Additionally, the Intel® AMT ecosystem components will be discussed along with how to plan for deployment and get started configuring a system.
Intel® AMT is available on Intel® vPro™ brand chips, which are based on either the Intel® Core™ processor or select versions of the Intel® Xeon® processor. A list can be found on the Processors Built on the Intel® vPro™ Platform page. However, even though a chip is compatible with the Intel® vPro™ platform, that does not mean Intel® AMT is enabled: check with the system or hardware supplier, look for the Intel® vPro™ name on the chip, or reboot the computer and hit CTRL+P to enter the Intel® Management Engine BIOS Extension (Intel® MEBX). The Intel® MEBX is a separate BIOS screen used to enable the Intel® AMT capability. More detail on how to configure it will be discussed later in the Configuration Tools section.
Figure 1. Intel® vPro™ Chips
Intel® AMT lies below the OS at the hardware level and uses out-of-band (OOB) communications. Essentially it is built into the device itself but separate from the OS and other software applications. Intel® AMT is not a stand-alone management system, but is designed to be incorporated into and leveraged by a management system to enhance and amplify the system’s capabilities without replacing them. Devices can be fully accessed remotely without the disruption of a physical repair as long as the device is connected to a power source and connected to the network via LAN cable or wireless. This aids in monitoring devices, shortening downtime, and reducing truck rolls.
Connecting wirelessly has a few additional requirements and differences; more detail can be found in the article An Introduction to Intel® Active Management Technology Wireless Connections.
Notable features and use cases:
Intel® AMT allows for remote KVM (keyboard, video, and mouse) control of a PC, which makes physical visits and intervention almost unnecessary. Note that, by design, the PC must be hooked up to a monitor or physical KVM switch in order to display the screen through Intel® AMT.
Remote Power Control
If you try to KVM into the device or push a critical patch only to find the PC is off, Intel® AMT can be used to turn the device on for servicing. Intel® AMT grants full power control over the device: power on, power off, reboot, sleep, boot to BIOS, and more. In addition, the Alarm Clock feature allows power-on to be scheduled at a specific time. Hence an alarm can be set during off-hours to turn on all the PCs so that an update or patch can be pushed to them remotely.
Bare-metal Restore and Disk Reimaging
There is also the case of accessing a PC that has undergone a critical error or has no OS running. As Intel® AMT sits below the OS, it can still access the PC and can send a new ISO or IMG to the device through IDE redirection (USB redirection in Intel® AMT 11.0). This makes remote remediation easy in the case of an OS failure or a virus.
Hardware and Software Inventory
Intel® AMT can also be used to track hardware and software inventory, both of which are stored in non-volatile memory for access when powered off. By default, Intel® AMT can remotely access the hardware specifications of the computer. For software, the application has to make use of the Third Party Data Storage (3PDS) to store application name, vendor, and version info (Web Storage in Intel® AMT 11.5).
Remote alerting through Intel® AMT enables automated error messages in addition to audit and event logging. In the case where the customer is using the machine and needs help, the Intel® AMT Fast Call for Help feature allows them to request IT support. This can be set up for either remote or local (e.g. within the enterprise network) access using Client-Initiated Remote Access (CIRA) or Client-Initiated Local Access (CILA). More about CIRA will be discussed later in the Remote Connectivity section.
With these features Intel® AMT can improve customer satisfaction and allow for fewer interruptions which cost time and money on systems that require complex continual maintenance and management from day to day.
The three basic components needed for an Intel® AMT ecosystem are a Management Console machine, a configuration method, and the Intel® AMT Client machines. The Management Console machine is not required to be Intel® AMT capable. For remote configuration, the additional components needed are a Remote Configuration Service (RCS) server and a signed certificate. There are other optional and required components as well, depending on how Intel® AMT needs to be configured and set up; the above just outlines the minimum needed to get started.
Figure 2. Basic Components for Intel® AMT setup
There are multiple ways to configure and provision devices to use Intel® AMT; this paper will go over the main methods.
Intel® AMT can be manually configured on a machine through the MEBX, a BIOS extension. It can be accessed by hitting CTRL+P on the keyboard while the machine boots. For a basic configuration, set the MEBX password for Intel® AMT, change user consent for KVM access if desired, and activate ‘Network Access’.
Intel also provides the Intel® Setup and Configuration Software (Intel® SCS) for Intel® AMT configuration, which can be used in multiple ways. The ACU Wizard (Intel® AMT Configuration Utility) application that comes with it can be used to configure Intel® AMT directly on the local system or to save an XML configuration profile to USB for deployment to multiple systems.
It is important to pause now and talk about Client Control Mode and Admin Control Mode, as they are tied closely to the method of configuration. Host-based configuration, meaning configuration from the local OS level, is an example of Client Control Mode, while remote configuration (using Intel® AMT) is an example of Admin Control Mode. The differences between the two are outlined below in Table 1, the main ones being that Client Control Mode requires user consent and does not support the System Defense capability. Intel® AMT can also support Enterprise networks and Public domain networks. Enterprise mode can be integrated with Active Directory and provides secure, certificate-based authentication to internal systems inside the corporate domain.
Table 1. Client Control Mode vs. Admin Control Mode
| Client Control Mode | Admin Control Mode |
|---|---|
| Does not use a provisioning certificate | Requires a provisioning certificate |
| Provisions through the OS | Provisions over the network out-of-band |
| Supported on the Intel® vPro™ platform with Intel® AMT 7 | Supported on every Intel® vPro™ platform |
| User consent for boot redirection and KVM Remote Control is mandatory | User consent is not required for boot redirection; optional for KVM Remote Control |
| Does not support Intel® System Defense Utility capability | Supports Intel® System Defense Utility capability |
| Can be migrated to Admin Control Mode | Cannot be migrated to Client Control Mode |
Hence using the ACU Wizard to configure the local system is host-based, as it uses the OS layer to configure the system. Host-based configuration can also be done remotely with a software deployment tool, applying the XML configuration profile through ACUConfig.exe, which comes with Intel® SCS.
Intel® SCS also allows for remote configuration through Intel® AMT with a Remote Configuration Service (RCS) server and a signed certificate from a public Certificate Authority (CA). If a more secure setup of Intel® AMT is needed, remote configuration provides the option of using TLS-PKI (Transport Layer Security - Public Key Infrastructure) configuration. It uses the same XML configuration profile as mentioned previously, but then performs a handshake with the Intel® AMT client it is provisioning. The handshake starts the same way as host-based configuration, by running the ACU configurator (ACUConfig.exe), but the ACU configurator then requests a provisioning certificate from the RCS. The RCS sends its configuration certificate back for the local client’s Intel® AMT to verify, and then applies the XML configuration profile to the client. For more detail on how to set up the RCS and use the certificates, refer to ‘Intel(R)_SCS_User_Guide.pdf’ in the Intel® Setup and Configuration Software (Intel® SCS) download package.
Table 2. Intel® AMT versions compatible with each configuration method
| Configuration Method | Intel® AMT Versions |
|---|---|
| Host-based Configuration | 6.2 and higher |
| Manual Configuration | 6.x and higher |
| One-Touch Configuration using PSK | 2.1 - 10 |
| Remote Configuration using PKI | 2.2, 2.6, 3.0 and higher |
Now that the Intel® AMT client has been configured, a management console is needed to maintain and manage the computer or computers.
Intel provides the Intel® Manageability Commander (Intel® MC) as a lightweight console to utilize some of the capabilities of Intel® AMT. It can be downloaded from the Intel® Manageability Commander page and is available on Windows*. It enables the user to KVM, control power, see hardware information, and more.
Figure 3. Intel® Manageability Commander view of devices
Similar to Intel® Manageability Commander is MeshCommander*, which has a few more features such as subscriptions and wake alarms. It is completely open-source and released under the Apache 2.0 License. Developers are free to download the source code and samples for MeshCommander to develop their own manageability tool. The creator of MeshCommander has a good video tutorial and overview of how to use the source code and create a new version.
Figure 4. MeshCommander System Status View
Also from the creator of MeshCommander is MeshCentral (Figure 5). MeshCentral is available at MeshCentral.com, or as MeshCentral 2 (beta) for download to run an independent instance within a domain. MeshCentral is available on a wide range of devices that do not have to be Intel® AMT devices. It can leverage the OOB Intel® AMT communication on Intel® AMT capable devices and communicate in-band with the other devices. Devices can be grouped into meshes, which are configured to control what access is allowed to the devices (Figure 6). To add a device to a mesh there is a Mesh Agent installer, which is available for a long list of operating systems and devices. The Mesh Agent installer can also be configured to do automatic provisioning of Intel® AMT in Client Control Mode.
Figure 5. MeshCentral
Figure 6. Creating a new Mesh in MeshCentral
The Intel® Active Management Technology SDK is also available and provides an API (application programming interface) and sample code for developers. It is designed to help companies build their own Intel® AMT management software. It supports C++ and C# for Microsoft Windows* and Linux* operating systems. Out of the box, it requires the samples to be compiled with Microsoft Visual Studio* 2013, so if you just want to play around with Intel® AMT in the beginning, you might want to try another manageability console first.
Last but not least, other third-party management consoles are available from various Managed Service Providers (MSPs); see Integrates Easily With Your Existing Management Console.
Remote Connectivity to Remote Sites
By default, Intel® AMT works on clients in the same local network as the management console. In order to access clients remotely on a different network, a proxy or virtual private network (VPN) is required. One way to access Intel® AMT clients outside of a corporate network is to use the demilitarized zone (DMZ) to handle routing traffic from the internal corporate network’s management console to the remote client machines. This is done with another Intel® AMT enabled gateway in the DMZ, called the Management Presence Server (MPS), that serves as the broker between the management console and the Intel® AMT clients. MeshCentral can be used as an MPS, and other third-party solutions are available for purchase. The key to how the MPS creates a connection is Client Initiated Remote Access (CIRA), previously referenced for its Fast Call for Help capability, which initiates the connection from the client side. The MPS then authenticates the client and notifies the management console of the available connection. From there the management console can connect through the MPS to the client using a secure tunnel.
Figure 7. Intel® AMT Remote Environment
Communication between the Intel® AMT systems and the management systems can be configured to use Transport Layer Security (TLS) with a digital certificate from a Certification Authority (CA). TLS can be used during configuration for remote set-up and after configuration for secure communication.
Inbound and outbound network traffic can be monitored for threats at the hardware level using time-based filters. These can monitor for threats and detect suspicious network traffic. If a threat is detected, the network can be blocked or packets limited before they reach the OS.
Intel® AMT adds a hardware-based security level below the OS, enabling the device to be reclaimed through remote remediation by deploying a new OS image even if the OS has been compromised.
It is important to first evaluate the features and capabilities of Intel® AMT. This paper has addressed some key features and use cases of Intel® AMT, but does not encompass all of them. The best place to start integrating Intel® AMT into a solution is to look at the current pain points in day-to-day maintenance and repair. From there, identify use cases based on the capabilities of Intel® AMT and how it can solve the issues. Keep in mind that Intel® AMT can be combined with other non-Intel® AMT features, from third parties or developed yourself, to create a more robust and complete solution for the issue. In addition, evaluate the tools and configuration methods of Intel® AMT for some hands-on experience. Then Intel® AMT capable devices can be inventoried, or purchased if needed, for a small pilot deployment phase. The pilot should be separate from production or done with non-critical systems. Make sure the network infrastructure is set up as needed and identify user groups and roles. If enterprise mode and Fast Call for Help are needed for an IT help desk, set those up in the pilot as well, as additional configuration and certificates will be needed. Any third-party software and management tools can be included as well. Once the pilot has started, planning for updates, upgrades, and maintenance tasks should also be thought out.
Let’s walk through setting up Intel® AMT on the Intel® NUC Kit NUC5i5MYHE with a LAN connection, assuming that it already has memory and a hard drive with Windows 10 installed.
As the Intel® SCS tool’s local configuration is a Client Control method of configuration and therefore requires user consent, we will use the MEBX to configure Intel® AMT. If you installed Windows® 10 on the Intel® NUC yourself, you will need to install the Intel® Management Engine driver. The drivers for this NUC can be found under Intel® Management Engine Corporate Driver for Windows 7*/8.1*/10* for NUC5i5MY; otherwise, search for the driver relevant to your Intel® AMT capable device.
Boot into the MEBX screen with CTRL+P. First change the Management Engine (ME) password. The default Admin password is ‘admin’; set a new strong password and remember it, as it will be needed later to access the Intel® AMT features from the management console. Next, edit the configuration by navigating to the ‘Intel® AMT Configuration’ option. Change User Consent to disabled and activate network access. Test that Intel® AMT has been activated by going to localhost:16992 in the browser on the machine. If you forget the MEBX password, you need to disconnect the RTC CMOS battery inside the device. This resets the MEBX back to factory default with the password ‘admin’, and Intel® AMT will need to be reconfigured.
Figure 8. Intel® AMT WebUI
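The activation test above can also be scripted, which is handy when verifying a pilot fleet from the console side. The following is an added example, not code from the article or from Intel; it assumes, as the article's browser test does, that an activated Intel® AMT WebUI listens on TCP 16992, and it additionally assumes (not stated in the article) that an unauthenticated request to that WebUI is answered with an HTTP Digest challenge whose realm starts with "Digest:" or with a Server header naming Intel® Active Management Technology.

```python
"""Check whether an Intel AMT WebUI answers on a host's management port.

Added example (not from the article). Fingerprint assumptions: AMT's WebUI
on TCP 16992 answers an unauthenticated GET with a 401 Digest challenge
whose realm begins "Digest:", and/or names itself in the Server header.
Adjust the strings in classify_amt_response() if your firmware differs.
"""
import http.client
import sys

AMT_HTTP_PORT = 16992  # plain-HTTP WebUI; once TLS is configured, 16993 is the HTTPS equivalent


def classify_amt_response(status, headers):
    """Return "amt" if the status/headers look like Intel AMT's WebUI, else "other".

    `headers` is a dict keyed by lower-cased header names (probe_amt builds it).
    """
    server = headers.get("server", "").lower()
    auth = headers.get("www-authenticate", "")
    if "intel(r) active management technology" in server:
        return "amt"
    # Unauthenticated WebUI requests get a Digest challenge with an AMT-style realm.
    if status == 401 and auth.startswith("Digest") and 'realm="Digest:' in auth:
        return "amt"
    return "other"


def probe_amt(host, port=AMT_HTTP_PORT, timeout=3.0):
    """GET / on host:port and classify the answer.

    Returns (reachable, verdict); verdict is "amt", "other" or "unreachable".
    A refused or timed-out connection means AMT network access is not active there.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return True, classify_amt_response(resp.status, headers)
    except (OSError, http.client.HTTPException):
        return False, "unreachable"
    finally:
        conn.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    reachable, verdict = probe_amt(target)
    print(f"{target}:{AMT_HTTP_PORT} reachable={reachable} verdict={verdict}")
```

Run it on the newly configured NUC as `python3 amt_check.py localhost`, or from the management console with the NUC's IP address, and expect `verdict=amt` once network access has been activated in the MEBX.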
To manage your newly configured Intel® AMT device, download the Intel® Manageability Commander as your management console on another computer on the same local network.
Open it and go to File > Add Intel AMT Computer, choose a name for your Intel® AMT computer, enter the IP address for Hostname, and enter the ME password you just set up.
Figure 9. Adding a computer to the Manageability Console
Your Intel® AMT computer will now show up in the list of devices and you can click connect to access it.
Figure 10. Intel® Manageability Commander View of devices
Experiment with using remote desktop to access your Intel® AMT device, powering it on and off, and exploring all the other features.
This article has covered the basics of Intel® AMT capabilities, how to configure a system, and how to manage that system. Implementing an Intel® AMT manageability solution can help with efficiency and reduce cost of support.
About the Author
Whitney Foster is a software engineer at Intel in the Software Solutions Group working on scale enabling projects for Internet of Things.