The host-based setup and configuration capability adds functionality to Intel AMT and modifies some existing features:
An OEM can disable the ability to set up a platform in Client Control mode. There is also an Intel® Management Engine Interface (Intel® MEI) command that can disable this mechanism. Once the mechanism is disabled, it can only be re-enabled via an ME Unconfigure, which returns the ME to factory settings. An OEM may provide a BIOS command to perform the ME Unconfigure operation.
A software application can disable the Client Control mode capability using the IPS_HostBasedSetupService.DisableClientControlMode method, and can detect whether the mode is enabled by reading the IPS_HostBasedSetupService.AllowedControlModes property.
Before Release 6.1, many Intel AMT Realms were only available from a network interface. Starting with Release 6.1, all realms are available locally. Local users still have to authenticate via the Intel AMT Access Control List. See the Functionality to Realm Mapping table. With this change, it is possible to perform all setup and configuration functions from the local host.
Starting with Release 6.1, the following methods can now be invoked by a user with GeneralInfo privileges:
Release 7.0 further extends the methods available to users with GeneralInfo privileges. See Table mapping classes and methods to realms for a complete list.
The following classes have been added in support of Host-Based Setup and Configuration:
This service returns the configured mode (Client Control mode or Admin Control mode) and which of the control modes is allowed (i.e., it shows whether host-based setup and configuration is allowed). It also returns a configuration nonce used when the configuration operation is digitally signed. It has methods to initiate host-based setup, to direct setup to Admin Control mode, and to upgrade from Client Control mode to Admin Control mode. The class includes a method to add elements of a certificate chain and another to disable the Client Control mode option.
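The following is an added example and is not code from the Intel AMT SDK or this document. It shows how a defender can audit the settings described above (the AllowedControlModes property and the current control mode) over WS-Management: it builds the WS-Transfer Get request for the IPS_HostBasedSetupService resource, parses a reply, and reports whether host-based (Client Control mode) setup is still allowed, which is the condition under which a local administrator can provision Intel AMT. The reply embedded below is constructed for offline use, not captured from a device; the endpoint URL and the numeric value maps for CurrentControlMode and AllowedControlModes are assumptions to verify against the SDK version in use.

```python
# Added example (not Intel SDK code): build the WS-Management Get for
# IPS_HostBasedSetupService and interpret the reply to decide whether
# host-based setup (Client Control mode) is still allowed.
import uuid
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://schemas.xmlsoap.org/ws/2004/08/addressing"
WSMAN = "http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"
IPS_HBSS = "http://intel.com/wbem/wscim/1/ips-schema/1/IPS_HostBasedSetupService"
GET_ACTION = "http://schemas.xmlsoap.org/ws/2004/09/transfer/Get"

# Value maps assumed from the IPS_HostBasedSetupService MOF; verify against
# the SDK version in use before relying on them.
CURRENT_MODE = {0: "Not provisioned", 1: "Client Control mode", 2: "Admin Control mode"}
ALLOWED_MODE = {1: "Client Control mode", 2: "Admin Control mode"}

for _prefix, _uri in (("s", SOAP), ("a", WSA), ("w", WSMAN)):
    ET.register_namespace(_prefix, _uri)


def build_get_request(to_url: str) -> bytes:
    """Serialise a WS-Transfer Get for the IPS_HostBasedSetupService singleton.

    to_url is the AMT WS-Man endpoint; http://localhost:16992/wsman is assumed
    for a local-host query through the Intel LMS driver (default port)."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    hdr = ET.SubElement(env, f"{{{SOAP}}}Header")
    must = {f"{{{SOAP}}}mustUnderstand": "true"}
    ET.SubElement(hdr, f"{{{WSA}}}To").text = to_url
    ET.SubElement(hdr, f"{{{WSMAN}}}ResourceURI", must).text = IPS_HBSS
    ET.SubElement(hdr, f"{{{WSA}}}Action", must).text = GET_ACTION
    ET.SubElement(hdr, f"{{{WSA}}}MessageID").text = f"uuid:{uuid.uuid4()}"
    reply_to = ET.SubElement(hdr, f"{{{WSA}}}ReplyTo")
    ET.SubElement(reply_to, f"{{{WSA}}}Address").text = f"{WSA}/role/anonymous"
    ET.SubElement(env, f"{{{SOAP}}}Body")  # a Get carries an empty body
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_get_response(xml_bytes: bytes) -> dict:
    """Extract the control-mode fields from a GetResponse envelope."""
    ns = {"s": SOAP, "ips": IPS_HBSS}
    root = ET.fromstring(xml_bytes)
    svc = root.find("s:Body/ips:IPS_HostBasedSetupService", ns)
    if svc is None:
        raise ValueError("response carries no IPS_HostBasedSetupService instance")
    current = int(svc.findtext("ips:CurrentControlMode", namespaces=ns))
    # AllowedControlModes is an array property: one element per allowed mode.
    allowed = sorted(int(e.text) for e in svc.findall("ips:AllowedControlModes", ns))
    return {
        "current_mode": current,
        "allowed_modes": allowed,
        "nonce": svc.findtext("ips:ConfigurationNonce", namespaces=ns),
    }


def assess(info: dict) -> dict:
    """Turn the raw fields into a posture finding a defender can act on."""
    client_allowed = 1 in info["allowed_modes"]
    findings = []
    if client_allowed:
        findings.append(
            "Client Control mode is allowed: a local administrator can complete "
            "host-based setup. If unneeded, disable it with "
            "IPS_HostBasedSetupService.DisableClientControlMode; only an ME "
            "Unconfigure (factory reset) can re-enable it afterwards.")
    if info["current_mode"] == 1:
        findings.append(
            "Platform is in Client Control mode: unprovisioning succeeds even "
            "with an auditor defined and the audit log unlocked.")
    return {
        "current": CURRENT_MODE.get(info["current_mode"], f"unknown({info['current_mode']})"),
        "allowed": [ALLOWED_MODE.get(m, f"unknown({m})") for m in info["allowed_modes"]],
        "client_control_allowed": client_allowed,
        "findings": findings,
    }


# Constructed sample reply (not captured from a device) for offline use.
SAMPLE_RESPONSE = f"""<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="{SOAP}" xmlns:a="{WSA}" xmlns:g="{IPS_HBSS}">
  <s:Header>
    <a:Action>http://schemas.xmlsoap.org/ws/2004/09/transfer/GetResponse</a:Action>
    <a:RelatesTo>uuid:00000000-0000-0000-0000-000000000000</a:RelatesTo>
  </s:Header>
  <s:Body>
    <g:IPS_HostBasedSetupService>
      <g:AllowedControlModes>2</g:AllowedControlModes>
      <g:AllowedControlModes>1</g:AllowedControlModes>
      <g:ConfigurationNonce>AAAAAAAAAAAAAAAAAAAAAAAAAAA=</g:ConfigurationNonce>
      <g:CurrentControlMode>0</g:CurrentControlMode>
      <g:ElementName>Intel(r) AMT Host Based Setup Service</g:ElementName>
    </g:IPS_HostBasedSetupService>
  </s:Body>
</s:Envelope>
""".encode()

if __name__ == "__main__":
    import json
    print(build_get_request("http://localhost:16992/wsman").decode())
    print(json.dumps(assess(parse_get_response(SAMPLE_RESPONSE)), indent=2))
```

On a real platform the request bytes are POSTed to the WS-Man endpoint with HTTP Digest credentials of a user holding a realm that permits the Get (the text above notes that all realms are accessible locally from Release 6.1 and that local users still authenticate against the Access Control List); the reply is then fed to parse_get_response unchanged. The assessment deliberately reports the allowed modes rather than changing them, since DisableClientControlMode cannot be undone short of an ME Unconfigure.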
Records the results of the last setup and configuration activity. The actual type of an object will be based on the kind of setup performed.
Inherited from IPS_ProvisioningAuditRecord. It is created when host-based setup is performed. It also returns the following optional values: an identification value, a hash algorithm, and a provisioning certificate hash.
Inherited from IPS_ProvisioningAuditRecord, it identifies which kind of TLS configuration was performed (either TLS-PSK or Remote Configuration, also known as TLS-PKI).
The class also indicates whether the DNS suffix was set via the MEBx, whether setup was initiated by a host agent, and the CN value in the setup and configuration server’s server certificate. These values apply only to a TLS-PKI setup.
An object of this type indicates that the platform moved to Admin Control mode without using either the IPS_HostBasedSetupService AdminSetup or UpgradeClientToAdmin method. The class provides some of the parameters used to complete the setup.
Inherited from IPS_ProvisioningAuditRecord with no additional information. It indicates that setup and configuration was done manually, either from the MEBx or by using a formatted USB Key.
It is possible to unprovision an Intel AMT device locally, outside the WS-Management authentication framework, by using a new Intel ME Interface (Intel MEI) command. This is a way to reverse an undesired or rogue activation of Intel AMT. The user executing this command must have local admin permissions on the platform. The Intel ME WMI provider also has a method for unprovisioning Intel AMT.
It is also possible to locally perform a WS-Management unprovision command (AMT_SetupAndConfigurationService.Unprovision) or a SOAP Unprovision command. These commands require the password of a user with PT_Administration access and network permissions.
In Client Control mode, unprovision will succeed even if there is a defined auditor and the audit log was not locked.
Provisioning Audit Record
The provisioning audit record has been modified to support different versions of the record depending on the form of setup and configuration performed. The provisioning record classes above implement this feature. See Get Provisioning Audit Record.
Copyright © 2006-2022, Intel Corporation. All rights reserved.