| Last Modified On : | December 1, 2008 9:29 AM PST |
Rate |
|
FAQs
Are there any commercial Intel® AMT tools available for modifying the BIOS settings on an Intel® AMT system?
You could try Intel® AMT Manageability Commander included in Intel® AMT Manageability DTK for this. Under Remote Control tab, you can start an SOL session and boot into the BIOS options of your Intel® AMT client.
You can also use IMRGUI in the Redirection sample included in the Intel® AMT SDK. There is a video tutorial on this at http://softwarecommunity.intel.com/videos/home.aspx?fn=1455
Are there any commercial Intel® AMT tools available for modifying the BIOS settings on an Intel® AMT system?
You could try Intel® AMT Manageability Commander included in Intel® AMT Manageability DTK for this. Under Remote Control tab, you can start an SOL session and boot into the BIOS options of your Intel® AMT client.
You can also use IMRGUI in the Redirection sample included in the Intel® AMT SDK. There is a video tutorial on this at http://softwarecommunity.intel.com/videos/home.aspx?fn=1455
Are there any limitations of Intel® AMT?
One limitation is that you can only remote the display in text mode. For example, in the preboot environment in MS DOS or when you go into the BIOS, you can take that screen and view it remotely. As soon as you go into graphics mode you can’t see it remotely anymore. A remote display capability with graphics is being considered for a future release.
Can multiple administrators through various tools connect to Intel® AMT on one machine at the same time?
The SOAP and WS-Man protocols used by Intel® AMT are request/response protocols, so it will seem like everybody is getting connected at the same time. But really what's happening underneath is that Intel® AMT is responding to the requests one by one. You cannot perform multiple instances of Serial Over LAN or IDE Redirection at the same time.
How to detect computers with Intel® AMT Technology without SCS or similar tools?
Assuming the Intel® AMT enabled systems are provisioned, you can send a SOAP command for GetCoreVersion API that can be found in the SDK. Intel® AMT enabled systems will provide a response containing the Intel® AMT firmware version. Non-Intel® AMT systems will not respond to the SOAP request.
How can I find the Intel® AMT MAC address of my client system?
If the Intel® AMT device is configured to work in DHCP mode, you can be sure that its MAC address is exactly the same as the host LAN. Another way is to use the MEInfo tool on the Intel® AMT local machine. The MEInfo tool comes with the utilities for upgrading the firmware (contact your OEM for this). If you use this tool, just make sure you are using the right version for your firmware. MEInfo exists in both Windows™ and DOS versions.
Can I force my system to boot to a local CD using IDE-R?
Booting to a local CD-ROM is not supported by Intel® AMT. You can use ASF for doing that.
Will the flash update utility work remotely?
The flash update utility only works remotely. This is a security feature of Intel® AMT.
Can an AMT application be developed for an older version of AMT using a newer version of the AMT SDK?
Yes, as long as the application is aware of the AMT version and does not try to perform operations only available on newer AMT systems. Differences between the different versions are generally called out in the SDK documentation and the Network Interface Guide lists APIs supported in the different versions of AMT. Additionally, many older APIs have been deprecated.
Can an application compiled with an older version of the AMT SDK manage newer AMT Firmware versions?
Yes. There is one caveat though – setup and configuration changed drastically between 1.0 and 2.0+, so make sure you know how to configure the AMT 2.0+ systems to comply to AMT 1.0 configuration. Additionally, there is an AMT 1.0 Compatibility mode that should be set in the MEBx screen under the Provisioning Model.
What are the limitations of using Intel® AMT in a wireless environment?
Here is a high-level list detailing Wireless usage in AMT. For more information please take a look at http://software.intel.com/en-us/articles/technical-considerations-for-intel-amt-in-a-wireless-environment
- Setup and Configuration is not supported over a wireless interface.
- There is no host wireless connection in link-sensitive flows (i.e. SOL/IDE-R redirection use-cases); therefore, local agents will not be able to connect unless there is a LAN connection.
- System Defense filters are software based – not hardware based as in the wired interface.
- Static IP is not supported on the wireless management interface.
- The wireless management interface may not be enabled by default depending on which setup and configuration tool is being used (even if valid wireless profiles are configured in the Management Engine and Intel® AMT is enabled).
- Wired and wireless management interfaces cannot be on the same subnet concurrently.
- 802.1x profiles are applied independently on wired and wireless.
What is the difference between IDE-R and PXE?
IDE-Redirect (IDE-R) is an Intel® AMT feature that allows the management console to remotely mount CDROM and Floppy disk drives on an Intel® AMT computer and cause a remote boot on the remote drives. PXE (Pre-boot Execution Environment) is a form of remote boot that has been used for a long time before IDE-R. Here are the main differences between the two:
- PXE is a BIOS technology and has access to the entire system RAM and loads the entire disk image from a remote TFTP server before booting. IDE-R, being an Intel® AMT technology, does not have access to the entire system RAM and can’t pre-load the entire disk image, so it forwards each disk request to the console. The console must then answer back to each disk request. Due to this, PXE may be slower at first, but faster later and does not need a permanent connection to the server.
- IDE-R is console initiated, PXE is client initiated. PXE is generally used for diskless workstations, and IDE-R used by administrators to remotely fixing problems.
- IDE-R is routable, PXE is not. Because PXE gets it’s instructions from DHCP, each DHCP server on each subnet must support PXE. No particular DHCP infrastructure is required for IDE-R.
- When Intel® AMT is set up in TLS mode, IDE-R is more secure than PXE.
Is the Intel® AMT terminal compatible to telnet?
Not really. You can use Telnet or Hyperterm as terminals for Intel® AMT, but they are not very good. Suggest you use IAmtTerm.exe from the Intel® AMT Manageability DTK.
How much memory is available in the 3rd Party Data Store?
Intel® AMT 1.0 systems have 96k of NVRAM. All computers with Intel® AMT 2.0 and beyond have 192k of NVRAM. This said, vendors can probably change this and it's generally accepted that any single application should not use more than 48k of it so that several applications can share this space.
You could also try to use some type of compression when placing data into the 3rd Party Data Store (3PDS) so that this space can be most efficiently.
Does Intel® AMT provide an API for ISVs that to modify the PRTC timer remotely?
You can find it in the Network Interface Guide (in the SDK documentation) under Network Time Interface (see SetHighAccuracyTimeSynch and GetLowAccuracyTimeSynch).
How can one discover an Intel® AMT machine before a user goes into the Intel® AMT configuration screen at boot-time and sets a new username/password from the default password?
You can use a tool as described in this blog: http://software.intel.com/en-us/blogs/2008/11/03/do-you-know-where-your-intel-amt-systems-are/ .
Can one get the host UUID run before registration?
Yes, the ISVS_GetHostUUID API call can be used after library initialization and before registration. It's one of a very few calls that can be used prior to registration.
Can I access my 3rd Pary Data Store block by name later as a named block?
Yes, please refer to the Storage Design Guide in the latest version of the AMT SDK.
Can 3rd Party Data Store blocks smaller than 4K be allocated? What about the scratchpad?
No, please refer to the Storage Design Guide in the latest version of the AMT SDK.
Does one need to lock while reading? What happens if one does not lock?
To ensure the data is consistent, lock before performing reads. If a lock is not done before reading you may get inconsistencies in data, partially from before and partial from after a write that has taken place may result.
Will Intel be supplying a library or code to translate the PCI Vendor and Device ID values to human friendly strings?
No, there are no plans to add this functionality to the library. In the meantime, ISVs can go to standard sources to get PCI string tables, e.g., http://pciids.sourceforge.net*.
When an event filter is created, the FW returns a handle. When the handle is lost (system failure, etc.), how can a console recover the handle? Does the firmware clean up?
Event handles live forever, but they can be recovered An application can use the SDK CircuitBreakerService interface to enumerate the filters and determine which filters belong to it. To do this, use the EnumerateEventFilters method to return an EventFilterHandleArrayType that lists the filter handles. A loop that applies GetEventFilter SOAP function to each handle can then be created to get the properties of each filter which allows the application to determine which filters are of interest.
Is there a license restriction that would not allow redistribution of the IMRSDK.DLL allowed with our product?
The IMRSDK.dll can be distributed with you product.
What is the maximum size of the Intel® AMT event log?
The maximum number of event log entries is 390.
How does one set up authentication?
To establish a SOAP over HTTPS connection (i.e., TLS authentication), all that needs to be done is specify the proper endpoint. https://<hostname>:16993 Windows* security mechanisms will be employed to perform the proper certificate checking to establish the encrypted session. Once the encrypted session is established, the credentials are then passed to perform the userid authentication. This means there will be no change to any cod e except to when a specification of the new endpoint is needed.
When accessing the local storage on an Intel® AMT machine, there is a specification of the URL (e.g. http://localhost:16992/StorageService.) If the machine is in TLS mode, is it necessary to have the certificate on the local machine that's normally on the core server only?
Yes, please keep in mind one would then be specifying the URL as https://localhost:16993/StorageService. Remember that TLS mode is defined on an interface level. This means that one can configure the Intel® AMT device to utilize TLS communications on the network (remote) interface and utilize non-TLS communications on the local interface.
Is there a specific API that will indicate which version(s) of Intel® AMT that a device supports?
Yes, the function that will be called is: GeneralInfoService::GetCodeVersions
Is it possible to recover the AMT ID/Password without re-programming the device?
No - the password is not recoverable (this is a security feature.)
How can I tell whether or not an API can be executed locally (on the AMT Client) or remotely (from the management console via network access?)
You can determine this by finding the API in the Network Interface Guide (one of the documents in the Intel® AMT SDK.) Each API has an entry called “Default Interface Access Permissions” followed by a box that specifies Local Access and Network Access Permissions. Note that these permissions cannot be changed.
Where can we get a Linux driver for LMS/SOL and HECI?
You can get Linux drivers here: http://www.openamt.org
How can I solve performance issues with IDE-R over internet?
You can use Intel® AMT Switchbox to speed this up. A network administrator can upload disk images to a remote Switchbox located on a different network over the Internet. Once uploaded, the network administrator can, at any time, make use of this disk image to reboot and remotely fix problems. Switchbox is offered as a part of Intel® AMT Manageability DTK.
We want to upgrade our Intel® AMT firmware. Where we can get new firmware?
Your OEM should be able to tell you if firmware upgrades are available for your system and provide them for you.
What is the BIOS update process for Intel® Desktop Boards DQ965CO, DQ965GF and DQ965WC ?
Please refer to the documentation at:
http://support.intel.com/support/motherboards/desktop/sb/CS-025681.htm
What are the different options available to setup PID/PPS into Intel® AMT?
- At manufacturing time: Some vendors could probably push a firmware on a computer with some settings pre-loaded.
- Manually: Going into the BIOS or MEBx and entering these values yourself. This is rather time consuming.
- Using USB Flash: You put these settings into a "setup.bin" file on a USB flash drive (512M or less, will not work on larger sticks).
What happens if a local application tries to bind to port 16992 or 16993?
This is not recommended. Intel has registered these ports at IANA and nobody else is allowed to use them.
How to disable the Intel® AMT privacy notification popup?
There are registry settings to do this. Disable.reg has [HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun] “atchk”=””
This will prevent the privacy icon application from ever running again.
If you want to keep the app running, but, minimized to get rid of the “popup”, then
[HKLMSOFTWAREIntelNetwork_Servicesatchk] “MinimizePrivacyIconAtStart”=dword:00000001
This can also be done by altering the oementry.reg file which contains this entry. The atchk (privacy icon) app gets installed when you install the SOL/LMS driver software.
The disable.reg and oementry.reg files should be shipped on the OEM driver CDs.
You can refer to this blog: http://software.intel.com/en-us/blogs/2007/04/26/instructions-to-disable-the-intel-amt-privacy-notification-popup/
What is a UUID to FQDN mapping?
A UUID is a Universally Unique Identifier assigned to each machine. This identifier is apart of the machines BIOS and can be used to identify the machine independent of its host OS or host name. Before provisioning can be completed you must provide a mapping of the machines UUID to its host name. The can be done using the SCS UI by setting the Intel® AMT properties.
Can the SCS be used for maintenance once a system is setup and configured?
Yes. The SCS can be used for updating passwords and ACLs and keeps logs of all performed transactions.
What must be done to the SCS server database prior to using the SCS?
Before any setup and configuration can begin, the SCS server database must be configured with the following information:
- SCS service configuration parameters
- Profiles that define the setup parameters for the Intel® AMT-enabled platforms to be configured
- Entries identifying each Intel® AMT device to be configured, with a link to the profile
- A list of valid TLS-PSK keys that match what is installed on the Intel® AMT devices awaiting configuration.
What other software must be loaded in order to run the Intel SCS?
The Intel SCS requires the following environment/software in order to run. They can be installed on a single computer or on separate computers.
- Windows Server 2003 with Service Pack 1
- .NET Framework 2.0.
- Internet Information Services (IIS) 6.0
- Microsoft IE 5.5 or 6.0
- Microsoft Certificate Authority (If TCPIP Layer Security is required in an installation.)
- Microsoft SQL Server Express
- Microsoft’s Active Directory (AD) – optional. The Intel SCS uses AD for Kerberos authentication using AMT objects and for user lists.
Does the Intel SCS communicate securely with the Intel® AMT device?
Yes. Intel® AMT supports Transport Layer Security (TLS) for secure communications between Intel® AMT devices and management console applications.
What information does the Intel SCS send to the Intel® AMT device?
The Intel SCS sends the following to the Intel® AMT device:
- Certificates from a public key infrastructure (PKI)
- Access Control Lists (ACLs)
Other setup parameters, as defined in a profile of setup and configuration information specific to the platform or to a family of platforms.
