Intel® Active Management Technology Developers Guide

ID 772055
Date 1/05/2021
Public

Intel® Active Management Technology 10

Introduction

Intel® Active Management Technology¹ (Intel® AMT) is part of the Intel® vPro™ technology² offering. Platforms equipped with Intel AMT can be managed remotely, even if the operating system is unavailable or the system is turned off. Intel® AMT-enabled systems have special out-of-band network access through the Intel® wireless (or wired) network connection, which gives remote platform management applications secure access as long as the platform is connected to line power and to a network.

Independent software vendors (ISVs) can build applications that take advantage of Intel AMT features using the Intel AMT SDK. The SDK includes the Intel AMT High Level API (Intel AMT HLAPI), which provides a very simple and consistent API across all AMT versions and Intel SKUs. For more information, see the HLAPI documentation in the SDK. The SDK also contains the Intel vPro Platform Solution Manager, a management console built from the Intel AMT HLAPIs.

Intel AMT uses a number of elements in the Intel vPro platform architecture, most notably the Intel® Management Engine (Intel® ME), part of the firmware (supplied by the system manufacturer with the BIOS). The firmware uses a small portion of system RAM, which is why slot 0 must be populated and powered on for the firmware to run. It also has its own Flash storage that holds the configuration settings, among other information.

Note: To use Intel AMT out-of-band management, the system must have an Intel® Ethernet or Intel Wireless Network Connection that supports connections to the Intel ME firmware. For Intel AMT 10.0, the platform requires a 10.x version of the Intel ME firmware and driver. The 10.0 driver set can be loaded on systems that shipped with 8.x, 9.x or 10.0 firmware. You should always use the firmware provided by your system manufacturer.

Intel AMT supports remote applications running on Microsoft Windows* or Linux* but supports only Windows-based local applications. For a complete list of system requirements, please refer to the documentation in the latest Intel® AMT Software Development Kit (SDK) and the Intel® AMT Implementation and Reference Guide located in the Docs folder.

What is new in the Intel AMT Release 10.0:

Note: Intel AMT 10 is backward compatible with systems using the Intel® 7, 8, and 9 series chipsets.

  • The most important change: OpenSSL* is now implemented with the no-heartbeat flag. On systems being upgraded to AMT 10, revoke and reissue the certificates and change passwords.
  • Blanking the Screen of the Intel AMT client (during remote access) was added in the HLAPI and KVM application tool.
  • Updated MOFs and XSL files as well as the class reference are now version 10.0.25.1048.
  • The Real VNC* version has been updated to v1.2.5 in Linux and KVM.
  • Windows Connected Standby*/Instant Go are supported in Windows 7 and above (also available in the HLAPI).
  • Graceful power operations are supported on Windows Vista, 7, and 8 32 and 64-bit platforms, including from Windows 8 connected standby / Instant Go, and generate UNS events. This capability was also added in the HLAPI.
  • Provisioning in both Admin and Client Control Modes with secured FQDN is now supported.

For more information, see the release notes.

Preparing your Intel AMT Client for use  

Configuration (provisioning) of an AMT client involves moving the client through setup and configuration mode into operational mode. Entering setup mode requires initial information (which varies by AMT version) set by the system manufacturer. The Intel AMT capability is enabled using the Intel® Manageability Engine BIOS extension (Intel® MEBx) as implemented by the system provider. A remote application can be used to perform enterprise setup and configuration. Various setup methods exist based on the AMT version. For more information, see the Setup and Configuration documentation.

AMT Releases                          Setup Method
1.x; plus 2.x, 3.x in legacy mode     Legacy
2.x, 3.x, 4.x, 5.x                    SMB
2.0 and later                         PSK
2.2, 2.6, 3.0 and later               PKI (remote)
6.0 and later                         Manual
7.0 and later                         Client Control Mode and Admin Control Mode
10.0                                  Secured FQDN is now supported

Intel® Setup and Configuration Software (Intel® SCS) is capable of provisioning systems back to Intel AMT 2.x. For more information about Intel SCS and provisioning methods as they pertain to the various Intel AMT releases, visit: Download the latest version of Intel® Setup and Configuration Service (Intel® SCS)

Manual Configuration Tips

Manual configuration can be accomplished through the Intel MEBx menu, which should be available right after the BIOS startup screen, usually by pressing <Ctrl+P>. Some BIOS provide the option to hide the <Ctrl+P> prompt.

To manually set up an Intel AMT client, perform these steps:

  1. Enter the Intel MEBx default password (“admin”).
  2. Change the default Intel MEBx password to a new strong password (required).  It must be at least eight characters and contain at least one upper case letter, one lower case letter, one digit and one special character. Note: A management console application can change the Intel AMT password without modifying the Intel MEBx password.
  3. Select Intel® AMT Configuration.
  4. Select Manageability Feature Selection.
    1. Select ENABLED to enable Intel® AMT.
  5. Select SOL/IDE-R/KVM and enable all of these features. Enabling Legacy Redirection Mode ensures compatibility with management consoles created to work with the legacy SMB mode that did not have a mechanism implemented to enable the listener. Note that if the SOL/IDE-R/KVM features are not enabled in the Intel MEBx, they will not be available to management consoles.
  6. Select User Consent.
    1. Select the desired options for KVM and Remote IT operations. Enabling user consent means that any time the Intel AMT client is to be accessed remotely, the user will need to agree.
  7. Enter Network Setup to enter network preferences for the Intel ME.
  8. Enter Activate Network Access to enable Intel AMT.
  9. Exit to the Main Menu.
  10. Select MEBx Exit to continue booting your system.

The platform is now configured. You can set some additional parameters using the Web User Interface (Web UI) or a remote console application.

Admin Control Mode (ACM) and Client Control Mode (CCM)

When any method of setup completes, Intel AMT 7.0 and later versions are placed into one of two control modes:

Admin Control Mode – After performing setup using the Intel MEBx menu or remote configuration, Intel AMT enters Admin Control Mode. In this mode, there are no limitations to Intel AMT functionality since there was a high level of trust associated with these setup methods.

Client Control Mode – Intel AMT enters this mode after performing a basic host-based (local) setup. This mode limits some Intel AMT functionality, reflecting the lower level of trust required to complete a host-based setup. The following limitations apply:

  1. The System Defense feature is not available.
  2. Redirection actions (IDE-R and KVM but not the initiation of an SOL session) and changes in boot options (including boot to SOL) require user consent in advance. This still enables IT support personnel to remotely resolve end-user problems using Intel AMT.
  3. If an Auditor is defined, the Auditor’s permission is not required to perform unprovisioning.
  4. A number of functions are blocked from execution to prevent an untrusted user from taking over control of the platform. Note: The ability to configure a headless platform remotely without the need for local user-consent was added as of AMT 9.0.

Accessing Intel® AMT Clients

An administrator with user rights can remotely connect to an Intel AMT client via the Web UI by entering the IP address or FQDN of the client, followed by the port number, into the browser URL. Use http and port 16992 when TLS is NOT configured, and https and port 16993 with TLS.

For example: http://134.134.176.1:16992 or https://amtsystem.domain.com:16993

To access the Intel AMT client using Serial Over LAN (SOL), you must ensure the SOL driver is installed. 
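
The following Python script is an added example, not code from Intel's guide or SDK. It checks which of the two Web UI ports described above answers on each host of an inventory you manage, so that clients still served over http on port 16992 (TLS not configured) can be found and moved to TLS. The function names, status labels and sample inventory are assumptions made for this example.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

AMT_HTTP_PORT = 16992   # Web UI over http: TLS is NOT configured
AMT_TLS_PORT = 16993    # Web UI over https: TLS is configured


def port_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify_amt_client(host, http_port=AMT_HTTP_PORT, tls_port=AMT_TLS_PORT,
                        timeout=1.0):
    """Classify one managed host by which AMT Web UI port answers."""
    plain = port_open(host, http_port, timeout)
    tls = port_open(host, tls_port, timeout)
    if plain and tls:
        return "both-ports-open"      # both answer: review the TLS settings
    if plain:
        return "tls-not-configured"   # Web UI traffic is unencrypted
    if tls:
        return "tls-configured"
    return "no-web-ui"                # not provisioned, filtered, or offline


def audit_inventory(hosts, **kwargs):
    """Check every host in an inventory and return {host: status}."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=16) as pool:
        results = pool.map(lambda h: classify_amt_client(h, **kwargs), hosts)
        return dict(zip(hosts, results))


if __name__ == "__main__":
    # Constructed inventory: replace with the hosts your team manages.
    inventory = ["127.0.0.1"]
    for host, status in audit_inventory(inventory).items():
        print(f"{host}\t{status}")
```

Hosts reported as "tls-not-configured" are the ones to reprovision with TLS; a "no-web-ui" result does not distinguish an unprovisioned client from one that is filtered or offline.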

Intel AMT Local Manageability Service (LMS) & User Notification Service (UNS)

The Local Manageability Service (LMS) runs locally in an Intel AMT device and enables local management applications to send requests and receive responses to and from the device. The LMS listens for and intercepts requests directed to the Intel AMT local host and routes them to the Intel ME via the Intel ME Interface driver.

Note that as of Intel AMT 9.0, the User Notification Service is combined with the Local Management Service. The UNS registers with the Intel AMT device to receive a set of alerts. When UNS receives an alert, it logs it in the Windows “Application” event log. The Event Source will be Intel® AMT.

The Intel Management and Security Status (IMSS) tool

The IMSS tool can be accessed by the “blue key” icon in the Windows tray.

The General tab of the IMSS tool shows the status of Intel vPro services available on the platform and an event history. Other tabs provide additional details.

 

The Advanced tab of the IMSS tool shows more detailed information on the configuration of Intel AMT and its features. The following screen shot verifies that Intel AMT has been configured on this system.

 

Intel AMT Software Development Kit (SDK)

The Intel® AMT Software Development Kit (SDK) provides the low-level programming capabilities to enable developers to build manageability applications that take full advantage of Intel AMT.

The Intel AMT SDK provides sample code and a set of APIs that let developers easily and quickly incorporate Intel AMT support into their applications. The SDK also has a full set of documentation. The SDK supports C++ and C# on Microsoft Windows and Linux operating systems. Refer to the User Guide and the Readme files in each directory for important information on building the samples. 

The SDK is delivered as a set of directories that can be copied to a location of the developer's choice on the development system. Because of interdependencies between components, the directory structure should be copied in its entirety. There are three folders at the top level: one called DOCS (documentation), and one each for Linux and Windows (sample code). For more information regarding how to get started and how to use the SDK, see the “Intel® AMT Implementation and Reference Guide.”

Below is a screen shot of the Intel AMT Implementation and Reference Guide. For more information on system requirements and how to build the sample code, read through the “Using the Intel® AMT SDK” section. The documentation is available on the Intel® Software Network here: Intel® AMT SDK (Latest Release)

 

Other Intel AMT SDK Resources

The Intel AMT SDK provides frameworks and samples that simplify WS-Management development and demonstrate how to take advantage of the advanced product features. For more information, see the following:

There are a variety of development environments in which to write software that supports Intel AMT. The Intel vPro Enablement Tools are available only in C++ (C# wrapper in SDK) and require Microsoft COM objects (not just .NET). Also note: SOAP support has been completely removed from the SDK as of AMT 9.0.

About the Author

Colleen Culbertson is an Application Engineer in Intel’s Developer Relation Division Scale Enabling in Oregon. She has worked for Intel for more than 15 years. She works with various teams and customers helping developers optimize their code.

 

Intel, the Intel logo, and vPro are trademarks of Intel Corporation in the U.S. and/or other countries.

Copyright © 2014 Intel Corporation. All rights reserved. *Other names and brands may be claimed as the property of others.

¹ Intel AMT requires activation and a system with an Intel network connection, an Intel® AMT-enabled chipset, and software. For notebooks, Intel AMT may be unavailable or limited over a host OS-based VPN, when connecting wirelessly, on battery power, sleeping, hibernating or powered off. Results dependent upon hardware, setup and configuration. For more information, visit Intel® Active Management Technology.

² Intel® vPro™ Technology is sophisticated and requires setup and activation. Availability of features and results will depend upon the setup and configuration of your hardware, software and IT environment. To learn more visit: http://www.intel.com/technology/vpro.

 

*No product or component can be absolutely secure.