About Intel AMT > Important Announcements

Important Announcements

Note: This page includes a list of recently added and deprecated features. For a detailed list of deprecated and removed features by program and date, see Deprecated and Deleted Features.

New Feature: UEFI BIOS/Intel® CSME WiFi Profile Sharing

UEFI BIOS/ Intel CSME Wi-Fi Profile Sharing allows the passing of the currently connected Intel® AMT WiFi profile to the UEFI BIOS to enable the BIOS to coexist with Intel AMT, so that both can use the wireless connection. Available from Intel® CSME 16.0. (Document update: March 2021)

New Feature: Intel® One-Click Recovery

Intel® One-Click Recovery allows initiating a recovery process with a single command from a remote Management Console to return a device’s operating system to its last good known state in a secure manner with minimum down time and effort for the user. Available on vPro SKUs, starting with Tiger Lake platforms using Intel® CSME 15 firmware. (Document update: December 2020)

New Feature: On-Die Certificate Authority (ODCA)

The On-Die Certificate Authority is a feature added to Intel CSME hardware starting from Tiger Lake. It replaces the existing Intel® EPID signing algorithm, which is planned for deprecation. The On-Die Certificate Authority is used for issuing certificates for Intel CSE applications (e.g., Intel AMT). (Document update: December 2020)

Deprecation of Intel® Setup and Configuration Software (Intel® SCS)

Support for Intel SCS will end on December 31, 2022.
Intel SCS will no longer be available for public download after March 31, 2021.
After March 31, 2021, the Intel SCS download webpage will only reflect evergreen errata, containing a full list of known issues, workarounds, or mitigations.

Intel® Endpoint Management Assistant (Intel® EMA) will replace Intel SCS going forward as the Intel-supported solution for activating and configuring Intel® Active Management Technology (Intel® AMT).

For more details on this deprecation, see the End of Life Announcement. (Document update: March 2021)

Deprecation of Embedded Host Based Configuration (EHBC)

The Embedded Host Based Configuration (EHBC) feature is being deprecated. Starting from Intel CSME 15.0.35.1879, Intel CSME 16.0 and Intel CSME 17.0 firmware, the feature will no longer be available. (Document update: July 2021)

Deprecation of Non-TLS Mode

Intel strongly recommends that customers use TLS mode to benefit from its enhanced security in communication. The TLS protocol provides communications security over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.

Starting from Intel CSME 17.0 firmware, connecting to Intel AMT without TLS (non-TLS mode) will no longer be supported. (Document update: September 2021)

Deprecation of SHA1 Root Certificates and RSA Key Sizes Smaller than 2048 Bits for Intel® AMT Provisioning

In Intel ME 11.0 the default SHA1 certificate hashes were removed from the firmware. Hashes could still be added in manufacturing, or through the MEBX or WS-MAN commands.

Starting from Intel ME 15.0 firmware for H platform, and Intel ME 16.0 firmware for all platforms, Intel is removing support of SHA1 root certificates and RSA key sizes smaller than 2048 bits for Intel AMT provisioning. In those releases and later, it is no longer possible to add SHA1 hashes, and none of the certificates in the certificate chain can be SHA1-based, including the root certificate. (Document update: February 2021)

Deprecation of System Defense

The System Defense feature is being deprecated. Starting from Intel ME 18.0 firmware, the feature will no longer be available. (Document update: October 2020)

Deprecation of SNMP PET Alerts in Intel® AMT

The Intel AMT Event Manager SNMP PET Alerts feature is being deprecated. Starting from Intel ME 18.0 firmware, the feature will no longer be available. The WS-Events feature remains, and will be used instead of SNMP PET alerts. (Document update: October 2020)

Deprecation of DDNS Support from Intel® AMT

Dynamic DNS Update support is being deprecated. Starting from Intel ME 18.0 firmware, the feature will no longer be available. (Document update: October 2020)

Deprecation of Web UI

Intel plans, in future platforms, to remove the option of connecting to Intel AMT via the Web UI application. Instead, customers will have the option of downloading a web application to the Intel CSME firmware and interacting with the web application via a browser. This will provide similar functionality to that of the Web UI, but will require the additional initial step mentioned. The date for removal of the Web UI has not yet been decided. (Document update: January 2021)

vPro Platform Solution Manager is no longer supported

(Document update: October 2020)

Deprecation of Endpoint Access Control (EAC)

Intel plans to remove the Endpoint Access Control (EAC) feature, including Intel AMT support for Network Access Protection (NAP), from the Intel CSME firmware. Starting with Intel CSME 18.0, the feature will no longer be supported. (Document update: July 2021)

Deprecation of TLS 1.1

Starting from Intel CSME 15.0 firmware for desktops, and Intel CSME 16.0 firmware for all platforms, Intel has removed support for TLS 1.1. TLS 1.1 can no longer be used to connect to Intel AMT. Customers should use TLS 1.2. (Document update: June 2021)

Deprecation of TKIP (Temporal Key Integrity Protocol) and WEP (Wired Equivalent Privacy) Encryption Methods

Intel has removed Intel AMT support for the WEP and TKIP 802.11 encryption methods, starting from Intel CSME firmware running on Tiger Lake-H platforms. This also means that mixed TKIP/CCMP WiFi access-point mode is no longer supported by the Intel CSME WiFi stack. To allow Intel CSME WiFi connectivity, all crypto modes utilizing TKIP must be disabled in the AP.

Note: In "pipe" mode the WiFi connection (including encryption/decryption algorithm selection on WiFi connection establishment) is handled by the host operating system WiFi stack. In this mode, the data packets are sent to Intel AMT after they have been decrypted by the host side WiFi. In this mode there is currently no restriction in Intel CSME on the WiFi encryption protocols selected by the operating system. However, switching an TKIP or WEP based Intel AMT connection from the host to Intel CSME side WiFi will cause WiFi connection termination. (Document update: July 2021)

Copyright © 2006-2022, Intel Corporation. All rights reserved.