Getting Started with Intel® Active Management Technology

ID 标签 671980
已更新 2/18/2021
版本 Latest
公共

author-image

作者

Introduction

This document contains information on how to get started with Intel® Active Management Technology (Intel® AMT). It provides an overview of the features, as well as information on minimum system requirements, configuration of an Intel AMT client, tools to use Intel AMT features on a PC, and the developer tools available to help create applications for Intel AMT.

There are many tools available in the market from Intel, third party and open source communities to help you utilize Intel AMT features on PCs. Intel currently provides and supports both Intel® System Configuration Software (Intel® SCS), Intel® Manageability Commander (Intel® MC) and Intel® Endpoint Management Assistant (Intel® EMA). This quick start guide focuses on using Intel SCS and Intel MC to provision and use Intel AMT features on PCs. If you are interested to use the cloud-based Intel EMA solution, please refer to the quick start guide for Intel EMA, which is included in the Intel EMA download package on Intel.com.

Getting Started

Intel AMT is available on PCs built on the Intel vPro® platform. You can identify those by looking for the Intel vPro sticker on the PC. In order to manage an Intel AMT client, you need to use management tools on a different PC which does not need to be a vPro platform. Refer to the Intel AMT Implementation and Reference Guide located in the Docs folder of the Intel AMT SDK for more details.

What is Intel Active Management Technology?

Intel AMT is part of the Intel vPro technology offering. Platforms equipped with Intel AMT can be managed remotely, regardless of its power state or if it has a functioning OS or not.
The Intel® Converged Security and Management Engine (Intel® CSME) powers the Intel AMT system. As a component of the Intel vPro platform, Intel AMT uses a number of elements in the Intel vPro platform architecture. Figure 1 shows the relationship between these elements.

Figure 1 Intel Active Management Technology Architecture

Note the network connection associated with the Intel® Management Engine (Intel® ME). The LAN component on the motherboard changes according to which Intel vPro platform you are using, which can affect what Intel AMT features are available.

  • The Intel CSME firmware contains the Intel AMT functionality.
  • Flash memory stores the firmware image.
  • The Intel AMT capability can be enabled by using Intel CSME as implemented by the PC manufacturer. A remote Setup and Configuration server performs the enterprise setup (provisioning) and configuration.
  • On power-up, the firmware image is copied into the Double Data Rate (DDR) RAM.
  • The firmware executes on the Intel® processor with Intel® ME and uses a small portion of the DDR RAM (Slot 0) for storage during execution. RAM slot 0 must be populated and powered on for the firmware to run.

Intel AMT stores the following information in flash (Intel ME data):

  • PC manufacturer-configurable parameters:
    • Setup and configuration parameters such as passwords, network configuration, certificates, and access control lists (ACLs)
    • Other configuration information, such as lists of alerts and Intel AMT System Defense policies
    • The hardware configuration captured by the BIOS at startup

Features with the Intel Active Management Technology SDK

  • Intel CSME started with Intel AMT 11. Prior to Intel AMT 11 Intel CSME was called Intel® Management Engine BIOS Extension (Intel® MEBX).
  • MOFs and XSL files: The MOFs and XSL files in the \DOCS\WS-Management directory and the class reference in the documentation are at version 14.0.0.1139.
  • WS-Eventing and PET table argument fields: Additional arguments added to the CILA alerts provide a reason code for the UI connection and the hostname of the device which generates the alert.
  • OpenSSL version: The OpenSSL version is at v2.0. The redirection library has also been updated.
  • Xerces version: Both Windows* and Linux* have v2.12.1 of the Xerces library.
  • HTTPS support for WS events: Secure subscription to WS Events is enabled.
  • Remote Secure Erase through Intel AMT boot options: The Intel AMT reboot options has an option to securely erase the primary data storage device.
  • DLL signing with strong name: The following DLLs are now signed with a strong name: CIMFramework.dllCIMFrameworkUntyped.dllDotNetWSManClient.dllIWSManClient.dll, and Intel.Wsman.Scripting.dll
  • Automatic platform reboot triggered by HECI and Agent Presence watchdogs: An option to automatically trigger a reboot whenever a HECI or Agent Presence watchdog reports that its agent has entered an expired state.
  • Storage redirection now works over the USB-R protocol rather than the IDE-R protocol.
  • A series of SHA256 certificates are implemented.

Provisioning an Intel Active Management Technology Client

Preparing your Intel Active Management Technology Client for Use

Figure 2 shows the modes, or stages, that an Intel AMT device passes through before it becomes operational.

Figure 2 Configuration Flow

Before configuring an Intel AMT device from a setup and configuration application, such as Intel® Setup and Configuration Sofware (Intel® SCS) Console or Intel Endpoint Management Assistant (Intel EMA), it must be prepared or provisioned with initial setup information and placed into Setup Mode. The initial information will be different depending on the available options in the Intel AMT release, and the settings performed by the PC manufacturer.

Manual Setup and Provisioning Overview

During power up, the Intel AMT platform displays the BIOS startup screen, then it processes the Intel MEBX (Intel CSME). During this process, access to the Intel MEBX can be made; however the method is BIOS vendor-dependent. Please refer to PC manufacturer instructions for correct method to enter Intel MEBX for different PC models. Some common methods are:

  • Most BIOS vendors add entry into Intel CSME via the one-time boot menu. Select the appropriate key (Ctrl+P is typical) and follow the prompts.
  • Some PC manufacturer platforms prompt you to press <Ctrl+P> after POST. When you press <Ctrl+P>, control passes to the Intel MEBX (Intel CSME) main menu.
  • Some PC manufacturers integrate the Intel CSME configuration inside the BIOS (uncommon).
  • Some PC manufacturers have an option in the BIOS to show/hide the <Ctrl+P> prompt, so if the prompt is not available in the one-time boot menu check the BIOS to activate the CTRL+P.

Manual Provisioning Tips

There are no feature limitations when configuring a platform manually since the Intel AMT 6.0 release, but there are some system behaviors to be noted:

  • TLS communication between Intel AMT client and management tools can be enabled or disabled. TLS is disabled by default under manual provisioning. It can be re-enabled later by changing AMT configurations and must be enabled during configuration
    • Intel strongly recommends that customers use TLS mode to benefit from its enhanced security in communication. The TLS protocol provides communications security over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. Non-TLS mode is not secure. 
  • The local platform clock will be used until the network time is remotely set. An automatic configuration will not be successful unless the network time was set (and this can only be done after configuring TLS or Kerberos). Enabling TLS or Kerberos after the configuration will not work if the network time was not set.
  • The system enables WEB UI by default.
  • The system enables SOL and USB-R by default.
  • If KVM is enabled locally via Intel CSME, it still will not be enabled until an administrator activates it remotely.

Starting with Intel AMT 10, some devices are shipped without a LAN adapter. These devices cannot be configured using the current USB Drive solution provided by Intel® Setup and Configuration Software or Intel Endpoint Management Assistant (Intel EMA). They need to be provisioned via a remote configuration method.

Client Control Mode and Admin Control Mode

At setup completion, Intel AMT devices go into one of two operational modes:

  • Client Control Mode. Intel AMT enters this mode after performing a basic host-based (local) setup. It limits some of Intel AMT functionality, reflecting the lower level of trust required to complete a host-based setup.
  • Admin Control Mode. After performing remote configuration, USB configuration, or a manual setup via Intel CSME, Intel AMT enters Admin Control Mode. In Admin Control Mode there are no limitations to Intel AMT functionality. This reflects the higher level of trust associated with these setup methods.

There is also a configuration method that performs an upgrade from Client to Admin Control Mode. This procedure presumes the Intel AMT device is in Client Control Mode, and moves the Intel AMT device to Admin Control Mode.

Client Control Mode Security and Privacy

When a simple host-based configuration completes, the platform enters Client Control Mode and imposes the following limitations:

  • The System Defense feature is not available.
  • Redirection (IDE-R, USB-R and KVM) actions (except initiation of a SOL session) and changes in boot options (including boot to SOL) requires advanced consent. This still allows remote IT support to resolve end-user problems using Intel AMT.
  • With a defined Auditor, the Auditor’s permission is not required to perform un-provisioning.
  • A number of functions are blocked to prevent an untrusted user from taking control of the platform.

Table 1 summarizes the host-based provisioning methods on the different releases of Intel AMT.

Provisioning Type Precondition Network or HBC Final Mode Zero Touch LAN-less Static IPv4
Admin Control Mode (ACM)
  • Certificate hash
  • LAN connected
  • DHCP OTP-15/24
Host-based Configuration ACM Yes No No
Client Control Mode (CCM) upgrade to ACM (PKI)
  • Certificate hash
  • LAN connected
  • DHCP OTP-15/24
HBC or over network ACM Yes No No
CCM upgrade to ACM with secured FQDN suffix Secured FQDN
Added in Release 10.0
HBC or over network ACM No No but it can be available No but it can be available
ACM (PKI) with secured FQDN suffix Secured FQDN
Added in Release 10.0
HBC ACM No No but it can be available No but it can be available
CCM   HBC CCM Yes Yes Yes
USB drive or manufacturing   Over network ACM No No but it can be available No but it can be available
Embedded
Enabled by manufacturing
  HBC ACM Yes Yes Yes

Table 1 Setup and Configuration Methods for Intel Active Management Technology

Two applications that can perform Intel AMT setup and configuration are Intel Setup and Configuration Server (Intel SCS) Console, and Intel Endpoint Management Assistant (Intel EMA). Intel EMA is available on the Intel website here.

Manually Configuring an Intel Active Management Technology Client

The Intel AMT platform displays the BIOS startup screen during power up, then processes the BIOS Extensions. Entry into the Intel AMT BIOS Extension is BIOS vendor dependent.

Manual Configuration for Intel AMT Clients with Built-in LAN Connection

Enter the Intel CSME default password (“admin”).

  1. Enter the MEBX (Intel CSME) by following the instructions listed in prior section.
  2. You will be prompted for the MEBX password. If this is the first time MEBX is entered, the default password is "admin". You will be prompted to change the default password (required to proceed). The new value must be a strong password. It should contain at least one uppercase letter, one lowercase letter, one digit, and one special character, and be at least eight characters. A management console application can change the Intel AMT password without modifying the Intel CSME password.
  3. Select Intel AMT Configuration.
  4. Select/Verify Manageability Feature Selection is Enabled.
  5. Select Activate Network Access.
  6. Select “Y” to confirm Activating the interface.
  7. Select Network Setup.
  8. Select Intel ME network Name Settings.
    1. Enter Host Name.
    2. Enter Domain Name.
  9. Select User Consent.
    1. By default, this is set for KVM only; can be changed to none or all.
  10. Exit Intel CSME.

Manual Configuration for Intel AMT Clients with Wi-Fi*-Only Connection

Many systems no longer have a wired LAN connector. You can configure and activate the Intel ME using the instructions above, then use Intel AMT Web UI or some alternate method to push the wireless settings.

  1. Change the default password to a new value (required to proceed). The new value must be a strong password. It should contain at least one uppercase letter, one lowercase letter, one digit, and one special character, and be at least eight characters.
    1. Enter Intel CSME during startup.
    2. Enter the Default Password of “admin”.
    3. Enter and confirm New Password.
  2. Select Intel AMT Configuration.
  3. Select/Verify Manageability Feature Selection is Enabled.
  4. Select Activate Network Access.
  5. Select “Y” to confirm Activating the interface.
  6. Select Network Setup.
  7. Select Intel® ME network Name Settings.
    1. Enter Host Name.
    2. Enter Domain Name.
  8. Select User Consent.
    1. By default, this is set for KVM only; can be changed to none or all.
  9. Exit Intel CSME.
  10. Synchronize WiFi profiles via the Intel ME driver, WebUI, or an alternative method.

Accessing Intel Active Management Technology via the WebUI Interface

An administrator with user rights can remotely connect to the Intel AMT device via the Web UI by entering the URL of the device. Depending on whether TLS has been activated, the URL will change:

  • Non-TLS - http:// <IP_or_FQDN>:16992
  • TLS - https:// <FQDN_only>:16993

You can also use a local connection using the host’s browser for a non-TLS connection. Use either localhost or 127.0.0.1 as the IP address. Example: http://127.0.0.1:16992

Intel strongly recommends that customers use TLS mode to benefit from its enhanced security in communication. The TLS protocol provides communications security over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. Non-TLS mode is not secure. 

Accessing Intel Active Management Technology remotely via Intel Manageability Commander

If you want access functions not supported with the Intel AMT Web UI, you need to use a remote management software from Intel or third party with Intel AMT support. Intel Manageability Commander is one of the options and it can be downloaded from Intel

Remotely Configuring Intel Active Management Technology

Host-Base Configuration (HBC) and Remote Configuration are methods to activate Intel AMT and putting Intel AMT configuration into Intel CSME remotely. HBC provisions Intel AMT client into Client Control Mode (CCM); while Remote Configuration provisions Intel AMT client into Admin Control Mode (ACM).

Intel AMT Host-based Configuration

Host-based Configuration is the simplest way to remotely configure Intel AMT clients without physically touching them. HBC requires an Intel AMT profile to be created first using ACU Wizard inside Intel SCS. An Intel AMT profile contains the AMT configuration that will be set in Intel CSME during the activation process. The profile is in the format of an encrypted XML file protected by a password. The following are steps to configure Intel AMT using HBC and Intel SCS:

  1. Create an Intel AMT profile with your desired settings using ACU Wizard inside Intel SCS. (Please refer to Intel SCS user guide for details of different Intel AMT settings and options inside an Intel AMT profile. It is advisable to start with a simple profile to get familiar with the process first.)
  2. Make sure the latest Intel Management Engine driver is installed on the Intel AMT client. This is required for the Intel AMT provisioning tools running at the operating system to communicate with the Intel CSME. The ME firmware should be patched to the latest version as well. Both the ME driver and ME FW update can be download from website of the corresponding PC manufacturer.
  3. Transfer the Intel AMT profile XML file and ACU Configurator (ACUConfig.exe) inside the Intel SCS package to the target Intel AMT client.
  4. Execute the following command line (example) with administrator right at the target PC to activate Intel AMT. (Please refer to the Intel SCS documentation for detail information about the command line parameters for ACUConfig.exe)
    ACUConfig.exe ConfigAMT profile.xml /DecryptionPassword P@ssw0rd

After the HBC configuration is completed successfully, Intel AMT features can be access via the Intel AMT Web UI, Intel Manageability Commander, or other solutions supporting Intel AMT. Transferring the Intel AMT files and executing the ACUConfig.exe command line can be automated using any software distribution mechanism supported in the organization.

Intel Active Management Technology Remote Configuration

Remote Configuration provides a method to remotely configure Intel AMT clients into ACM without physically touching them. Prerequisites to beginning the Remote Configuration process include: 

  • Remote Configuration Server (RCS). During the Remote Configuration process, Intel AMT clients talk to this server to validate the Intel AMT provisional certificate (see below) and pull the stored Intel AMT profile for provisioning. RCS is included in the Intel SCS download package.
  • Dynamic Host Configuration Protocol (DHCP). Intel AMT client must be configured to receive its IP address from a DHCP server. The DHCP server must have option 15 enabled and matching the local domain suffix of the Intel AMT client.

Intel AMT Provisioning Certificate. The computer running the RCS must have an Intel AMT provisioning certificate. The certificate is purchased from a support public CA. The Subject Name of the provisioning certificate must match the domain suffix of the Intel AMT client. You can find more information about purchasing Intel AMT provisioning certificate at Intel Active Management Technology Implementation.

  • Wired LAN. Remote Configuration requires the Intel AMT client to have a wired LAN port. To remotely configure a LAN-less client into ACM, Intel AMT on the client needs to be provisioned first using HBC with Intel AMT profile containing valid WiFi profiles and then to be move to ACM using ACU Configurator in a two-stage process.

The following are steps to configure Intel AMT using Remote Configuration method and RCS:

  1. Setup Intel RCS on a system meeting the minimum specification described in the Intel SCS documentation
  2. Ensure the DHCP and DNS pre-requisites for Remote Configuration are met
  3. Install Intel AMT provisioning certificate into the system running RCS.
  4. Open the RCS console and create an Intel AMT profile with your desired settings. (Please refer to Intel SCS user guide for details of different Intel AMT settings and options inside an Intel AMT profile. It is advisable to start with a simple profile to get familiar with the process first.)
  5. Make sure the latest Intel Management Engine driver is installed on the Intel AMT client. This is required for the Intel AMT provisioning tools running at the operating system to communicate with the Intel CSME. The ME firmware should be patched to the latest version as well. Both the ME driver and ME FW update can be download from website of the corresponding PC manufacturer.
  6. Transfer the ACU Configurator (ACUConfig.exe) inside the Intel SCS package to the target Intel AMT client.
  7. Execute the following command line (example) with administrator right at the target PC to activate Intel AMT. (Please refer to the Intel SCS documentation for detail information about the command line parameters for ACUConfig.exe).
    ACUConfig.exe ConfigViaRCSOnly rsc.acme.com profile.xml

After the Remote Configuration is completed successfully, Intel AMT features can be access via the Intel AMT Web UI, Intel Manageability Commander, or other solutions supporting Intel AMT. Transferring the Intel AMT files and executing the ACUConfig.exe command line can be automated using any software distribution mechanism supported in the organization.
Below is an overview of the process steps that automatically take place when remote configuration is initiated.

Remote Setup and Configuration Flow

The following steps describe the setup and configuration flow using TLS-PKI.

  1. The Setup and Configuration server and the Intel AMT system perform a complete mutual authentication session key exchange:
    1. The Intel AMT system uses a self-signed certificate, sending its public key.
    2. The Setup and Configuration server creates a TLS session master key, encrypts it with the Intel AMT system public key, and sends it to the Intel AMT system. The Setup and Configuration server also sends a certificate chain that includes a root certificate matching one of the received hashes.
    3. The Intel AMT system decrypts the master key with its private key. The key is the shared secret used to establish the setup and configuration TLS session.
    4. The Intel AMT system validates the Setup and Configuration server certificate. It checks that the Object Identifier (OID) or the Organizational Unit (OU) is correct, that it is derived from a Certification Authority (CA) that matches one of the root certificate hashes and that it is a Server certificate.
    5. To acquire a server SSL certificate, contact one of the vendors whose root certificate hashes are built into the Intel AMT firmware. Dependent upon the Intel AMT release, the firmware contains root certificate hashes from a number of commercial Certificate Authorities including GoDaddy, Comodo, Entrust, Starfield, Cybertrust or VeriSign. Additional details on supported root certificate hashes is available in the Intel AMT Implementation and Reference Guide at Intel® AMT SDK Implementation and Reference Guide
    6. The Intel AMT system verifies that the domain suffix matches the FQDN suffix in the Setup and Configuration server certificate.
  2. The Intel AMT system gets domain from DHCP Option 15 setting and verifies this suffix matches the Common Name (CN) field from the certificate. The way a match is determined depends on the client computer’s Intel Management Engine (Intel ME) firmware version and the CA certificate type used. Provisioning stops here if no match is found.
  3. Remote Configuration certificate is now successfully verified and provisioning process continues as normal.
  4. At some point before the Setup and Configuration server sends a CommitChanges command to complete the setup and configuration process, it sends a Set Intel MEBX password command to change the password from its default, if it was not already changed.
  5. The final steps include creating an Intel AMT profile within the Setup and Configuration server. Next is to the apply the Intel AMT profile. When the Intel® Management and Security Status (Intel® MSS) toast notification appears (shown below), the Intel® ME configuration is complete and the Intel AMT system moves to operational mode.

Note that the remote configuration certificate is only used in the initial provisioning of an Intel AMT system. The remote configuration certificate is separate from the certificates needed for secure communications such as certificates for TLS, 802.1x or SSL certificate for web services.
The following diagram illustrates the flow of remote automatic setup and configuration using a Setup and Configuration server to configure Intel AMT system.

Intel Active Management Technology Troubleshooting Tips

In addition to having the BIOS and Intel CSME configured correctly, the Wireless adapter needs to be Intel AMT compliant. Specific drivers and services must be present and running in order to use the Intel AMT to manage the host OS.
To verify that the Intel AMT drivers and services are loaded correctly, look for them in the Device Manger and Services in the host OS. Frequently check the PC manufacturer’s download site for upgraded versions of the BIOS, firmware, and drivers.

Note: The version level of the drivers must match the version level of the Intel AMT firmware and BIOS. If non-compatible versions are installed, Intel AMT will not work with the features that require those interfaces. You can find the latest version of the drivers from websites of corresponding PC manufacturer.

Physical Device – Wireless Connection

By default, any wireless Intel vPro platform will have an Intel AMT enabled wireless adapter installed, such as an Intel® Dual Band Wireless-AX 201. Any wireless adapter other than one from Intel will not have wireless Intel AMT capabilities. You can use Intel® Product Specifications to verify whether the wireless adapter is Intel AMT compliant.

Windows* OS Required Software

Device drivers are not necessary for remote management; however, they are essential for local communication to the firmware. Functions like discovery or configuration via the OS will require the Intel® Management Engine Interface (Intel® MEI) driver, SOL driver, Intel® Local Manageability Service (Intel® LMS), WiFi profile synchronization, and Intel Management and Security Status (Intel MSS).

Device Drivers - Intel Management Engine Interface

Intel MEI is required to communicate to the firmware. The Windows automatic update installs the Intel MEI driver by default.
The Intel MEI driver is in the Device Manager under “System devices” as “Intel Management Engine Interface.”

Device Drivers - Serial-Over-LAN Driver

The SOL driver is used during redirection operation where a remote CD drive is mounted during an IDE or USB redirection operation.
The SOL driver is in the Device Manager under “Ports” as “Intel Active Management Technology – SOL (COM3).”

Serial-Over-L A N driver


Figure 3 Serial-Over-LAN Driver.

Intel Active Management Technology LMS Service

The Intel Local Manageability Service (Intel LMS) runs locally in an Intel AMT device and enables local management applications to send requests and receive responses. The Intel LMS responds to the requests directed at the Intel AMT local host and routes them to the Intel® ME via the Intel MEI driver. This service installer is packaged with the Intel MEI drivers on the PC manufacturer websites.
Please note that when installing the Windows OS, the Windows Automatic Update service installs the Intel MEI driver only. Intel Management and Security Status and the Intel LMS are not installed. The Intel LMS communicates from an OS application to the Intel MEI driver. If the Intel LMS is not installed, go to the PC manufacturer website and download the Intel MEI driver, which is usually under the Chipset Driver category.

Intel Management Engine Interface driver


Figure 4 Intel Management Engine Interface Driver.

The Intel LMS is a Windows service installed on the host platform that has Intel AMT Release 9.0 or greater. The Intel LMS receives a set of alerts from the Intel AMT device. Intel LMS logs the alert in the Windows Application event log. To view the alerts, right-click My Computer, and then select Manage>System Tools>Event Viewer>Application.

Intel Management and Security Status Tool

The Intel Management and Security Status tool can be accessed by the blue-key icon in the Windows tray. If this tool is not found on the system, it can be installed from the Microsoft Store.

Figure 5 Sys Tray Intel Management and Security Status Icon.

General Tab

The General tab of the Intel MSS tool shows the status of Intel vPro features available on the platform and an event history. Each tab has additional details.

Intel Management and Security Status General


Figure 6 Intel Management and Security Status General Tab.

Intel AMT Tab

This interface allows the local user to terminate KVM and Media Redirection operations, perform a Fast Call for Help, and see the System Defense state.

Intel Management and Security Status Intel A M T tab


Figure 7 Intel Management and Security Status Intel AMT tab

Advanced Tab

The Advanced tab of the Intel Management and Security Status tool shows more detailed information on the configuration of Intel AMT and its features. The screenshot in Figure 8 verifies that Intel AMT has been configured on this system.

Intel Management and Security Status Advanced tab


Figure 8 Intel Management and Security Status Advanced Tab

Intel Active Management Technology Software Development Kit (SDK)

The Intel AMT Software Development Kit (SDK) provides low-level programming capabilities so developers can build manageability applications that take full advantage of Intel AMT.
The Intel AMT SDK provides sample code and a set of APIs that let developers easily and quickly incorporate Intel AMT support into their applications. The SDK also includes a full set of HTML documentation.
The SDK supports C++ and C# on Microsoft Windows and Linux operating systems. Refer to the User Guide and the Readme files in each directory for important information on building the samples.
The SDK, as delivered, is a set of directories that can be copied to any location. The directory structure should be copied in its entirety due to the interdependencies between components. There are three folders at the top level: DOCS (contains SDK documentation), and one each for Linux and Windows (sample code.) For more information on how to get started and how to use the SDK, see the Intel AMT Implementation and Reference Guide.
As illustrated by the screenshot in Figure 9 of the Intel AMT Implementation and Reference Guide, you can get more information on system requirements and how to build the sample code by reading the Using the Intel AMT SDK section. The documentation is available on the Intel® Software Network here: Intel AMT SDK.

Intel AMT Implementation and Reference Guide


Figure 9 Intel AMT Implementation and Reference Guide

Other Intel Active Management Technology Resources

Intel AMT Implementation and Reference Guide
Intel AMT SDK Download
High-level API Article and download
Intel® Platform Solutions Manager Article
Power Shell Module download
KVM Application Developer’s Guide
Redirection Library
C++ CIM Framework API
C# CIM Framework API
Intel® ME WMI Provider
System Health Validation (NAP)
Use Case Reference Designs

Appendix

The following table provides a snapshot of features supported by Intel AMT Releases 10 through 14.
Read about all the features in the Intel AMT SDK Implementation and Reference Guide (“Intel AMT Features” section).

Feature Intel Active Management Technology (Intel AMT) 10 Intel AMT 11 Intel AMT 11.8 Intel AMT 12 Intel AMT 14
Hardware Inventory X X X X X
Persistent ID X X X X X
Remote Power On/Off X X X X X
Power Policies X X X X X
Graceful Shutdown X X X X X
InstantGo Support   X X X X
Event Log Reader Realm X X X X X
SOL/ USB-R IDER X X X X
Event Management X X X X X
Fast Call for Help (CIRA) X X X X X
Access Monitor/ Audit Log X X X X X
PC Alarm Clock X X X X X
Boot Control X X X X X
Intel® ME Wake-on-LAN X X X X X
Wake on Wireless LAN co-existence X X X X X
Remote Schedule Maintenance (outside firewall) X X X X X
Remote alerts (outside firewall) X X X X X
HW KVM redirection: # of screens Up to 3 Screens
HW KVM Screen Resolution Support Increased 2560 x 1600 4096 x 2160
Remote Screen Blank during KVM X X X X X
KVM for Headless Configurations       X X
KVM Remote Control X X X X X
3rd Party Data Storage X Deprecated Deprecated Deprecated Deprecated
Remote Secure Erase- Intel® SSD Pro   X X X X
Built-in Web Server X X X X X
Web Application Hosting   X X X X
Environment Detection X X X X X
System Defense Heuristics X X X X X
System Defense X X X X X
Agent Presence X X X X X
Virtualization Support for Agent Presence X X X X X
Flash Protection X X X X X
Firmware Update X X X X X
Wireless Link Protection X X X X X
802.1x EAP X X X X X
ME Firmware Rollback X X X X X
Enforce BIOS Secure Boot with Disable Redirection Reboot X X X X X
Mutual Authentication X X X X X
Kerberos X X X X X
TLS-PSK X Deprecated Deprecated Deprecated Deprecated
Privacy Icon X X X X X
Intel® Trusted Device Setup         X
Manual Configuration via ME BIOS extension (MEBX) menu X X X X X
Local (host-based) Configuration X X X X X
Local Setup using PKI X X X X X
Remote Configuration: PKI X X X X X
Wireless Configuration X X X X X
Configuration for LAN-less Devices X X X X X
Host-Based Provisioning X X X X X
Wireless Profile Synchronization X X X X X
WS-MAN Interface X X X X X
Endpoint Access Control (EAC) 802.1 X X X X X
Network Interfaces X X X X X
TLS 1.0 X X X    
TLS 1.1 X X X X X
TLS 1.2       X X
WS-MAN API X X X X X
SOAP Commands Deprecated Deprecated Deprecated Deprecated Deprecated
Support for Internet Protocol Version 6 X X X X X
DNS Environment Detection X X X X X
HTTP Digest/ TLS X X X X X
Static and Dynamic IP X X X X X
Microsoft NAP Support X X X X X
Admin Control Mode X X X X X
Client Control Mode X X X X X
Direct Upgrade for Client Control Mode to Admin Control Mode X (Secured FQDN Suffix)

 

 

Product and Performance Information

Performance varies by use, configuration and other factors. Learn more at www.Intel.com/PerformanceIndex.