Additional Functionality

The host-based setup and configuration capability adds functionality to Intel AMT and modifies some existing features:

   Disabling Host-Based Setup and Configuration

   Local WS-Management Accessibility

   Additional Methods Added to the GeneralInfo Realm

   New Classes

   Local Unprovision

   Provisioning Audit Record


Disabling Host-Based Setup and Configuration

An OEM can disable the ability to set up a platform in Client Control mode. There is also an Intel® Management Engine Interface (Intel® MEI) command that can disable this mechanism. Once the mechanism is disabled, it can only be re-enabled via an ME Unconfigure, which returns the ME to factory settings. An OEM may provide a BIOS command to perform the ME Unconfigure operation.

A software application can disable the Client Control mode capability using the IPS_HostBasedSetupService.DisableClientControlMode method, and can detect whether the mode is still allowed by reading the IPS_HostBasedSetupService.AllowedControlModes property.
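The check and the disable call described above, as an added example (not code from the Intel AMT SDK): it builds the WS-Management Get and method-invocation envelopes a console would POST to the device's /wsman endpoint for IPS_HostBasedSetupService, and parses the responses. The transport (HTTP Digest authentication against the Intel AMT ACL, port 16992/16993) is not shown; the response documents are constructed samples, and the control-mode codes 1 (Client Control) and 2 (Admin Control) are assumed values to verify against your SDK's class reference.

```python
"""Posture check for Intel AMT host-based setup (added example, not SDK code).

Builds the WS-Management messages sent to IPS_HostBasedSetupService and
parses the replies. No device is contacted; all response XML is constructed.
"""
import uuid
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://schemas.xmlsoap.org/ws/2004/08/addressing"
WSMAN = "http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"
WST_GET = "http://schemas.xmlsoap.org/ws/2004/09/transfer/Get"
ANON = WSA + "/role/anonymous"
HBSS = "http://intel.com/wbem/wscim/1/ips-schema/1/IPS_HostBasedSetupService"

# Control-mode codes in AllowedControlModes / CurrentControlMode
# (assumed values; confirm against the SDK class reference you ship with).
CLIENT_CONTROL = 1
ADMIN_CONTROL = 2


def _envelope(action: str, resource: str, body: str) -> str:
    """Minimal WS-Management SOAP 1.2 envelope with the headers Intel AMT expects."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<Envelope xmlns="{SOAP}" xmlns:a="{WSA}" xmlns:w="{WSMAN}">'
        "<Header>"
        f"<a:Action>{action}</a:Action><a:To>/wsman</a:To>"
        f"<w:ResourceURI>{resource}</w:ResourceURI>"
        f"<a:MessageID>uuid:{uuid.uuid4()}</a:MessageID>"
        f"<a:ReplyTo><a:Address>{ANON}</a:Address></a:ReplyTo>"
        "<w:OperationTimeout>PT60S</w:OperationTimeout>"
        f"</Header><Body>{body}</Body></Envelope>"
    )


def build_get_request(resource: str = HBSS) -> str:
    """WS-Transfer Get of the single IPS_HostBasedSetupService instance."""
    return _envelope(WST_GET, resource, "")


def build_invoke_request(method: str, resource: str = HBSS) -> str:
    """Invoke a method with no input parameters, e.g. DisableClientControlMode."""
    body = f'<h:{method}_INPUT xmlns:h="{resource}"/>'
    return _envelope(f"{resource}/{method}", resource, body)


def parse_setup_service(response_xml: str) -> dict:
    """Extract AllowedControlModes (multi-valued) and CurrentControlMode."""
    root = ET.fromstring(response_xml)
    svc = root.find(f".//{{{HBSS}}}IPS_HostBasedSetupService")
    if svc is None:
        raise ValueError("no IPS_HostBasedSetupService instance in response")
    modes = [int(e.text) for e in svc.findall(f"{{{HBSS}}}AllowedControlModes")]
    cur = svc.findtext(f"{{{HBSS}}}CurrentControlMode")
    return {"allowed": modes, "current": int(cur) if cur is not None else None}


def client_control_allowed(response_xml: str) -> bool:
    """True when host-based setup into Client Control mode is still possible."""
    return CLIENT_CONTROL in parse_setup_service(response_xml)["allowed"]


def parse_return_value(response_xml: str, method: str) -> int:
    """ReturnValue of a <Method>_OUTPUT element; 0 is PT_STATUS_SUCCESS."""
    root = ET.fromstring(response_xml)
    rv = root.findtext(f".//{{{HBSS}}}{method}_OUTPUT/{{{HBSS}}}ReturnValue")
    if rv is None:
        raise ValueError(f"no {method}_OUTPUT/ReturnValue in response")
    return int(rv)


# Constructed sample: device already in Admin Control mode, host-based setup still allowed.
SAMPLE_GET_RESPONSE = f"""<s:Envelope xmlns:s="{SOAP}"><s:Body>
<g:IPS_HostBasedSetupService xmlns:g="{HBSS}">
<g:AllowedControlModes>1</g:AllowedControlModes>
<g:AllowedControlModes>2</g:AllowedControlModes>
<g:CurrentControlMode>2</g:CurrentControlMode>
</g:IPS_HostBasedSetupService></s:Body></s:Envelope>"""

# Constructed sample: successful DisableClientControlMode invocation.
SAMPLE_DISABLE_RESPONSE = f"""<s:Envelope xmlns:s="{SOAP}"><s:Body>
<g:DisableClientControlMode_OUTPUT xmlns:g="{HBSS}">
<g:ReturnValue>0</g:ReturnValue>
</g:DisableClientControlMode_OUTPUT></s:Body></s:Envelope>"""

if __name__ == "__main__":
    print("client control allowed:", client_control_allowed(SAMPLE_GET_RESPONSE))
    print(build_invoke_request("DisableClientControlMode"))
    print("disable result:", parse_return_value(SAMPLE_DISABLE_RESPONSE, "DisableClientControlMode"))
```

A fleet check would issue build_get_request() to each device, feed the reply to client_control_allowed(), and treat True on a platform that is supposed to be locked down as a finding; remember that once DisableClientControlMode has taken effect, only an ME Unconfigure restores the capability.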

Local WS-Management Accessibility

Before Release 6.1, many Intel AMT Realms were only available from a network interface. Starting with Release 6.1, all realms are available locally. Local users still have to authenticate via the Intel AMT Access Control List. See the Functionality to Realm Mapping table. With this change, it is possible to perform all setup and configuration functions from the local host.

Additional Methods Added to the GeneralInfo Realm

Starting with Release 6.1, the following methods can now be invoked by a user with GeneralInfo privileges:

   AMT_SetupAndConfigurationService.Get

   IPS_ProvisioningAuditRecord.Get

   AMT_GeneralSystemDefenseCapabilities.Get

   IPS_ClientProvisioningRecord.Get

   IPS_TLSProvisioningRecord.Get

   IPS_OptInServiceOptInService.Get

Release 7.0 further extends the methods available to users with GeneralInfo privileges. See Table mapping classes and methods to realms for a complete list.

New Classes

The following classes have been added in support of Host-Based Setup and Configuration:

   IPS_HostBasedSetupService

This service returns the configured mode (Client Control mode or Admin Control mode) and which of the control modes are allowed (i.e., it shows whether host-based setup and configuration is allowed). It also returns a configuration nonce used when the configuration operation is digitally signed. It has methods to initiate host-based setup, to set up directly into Admin Control mode, and to upgrade from Client Control mode to Admin Control mode. The class includes a method to add elements of a certificate chain and another to disable the Client Control mode option.

   IPS_ProvisioningAuditRecord

Records the results of the last setup and configuration activity. The actual type of an object will be based on the kind of setup performed.

   IPS_ClientProvisioningRecord

Inherits from IPS_ProvisioningAuditRecord. It is created when host-based setup is performed. It also returns the following optional values: an identification value, a hash algorithm, and a provisioning certificate hash.

   IPS_TLSProvisioningRecord

Inherits from IPS_ProvisioningAuditRecord and identifies which kind of TLS configuration was performed (either TLS-PSK or Remote Configuration, also known as TLS-PKI).

The class also indicates whether the DNS suffix was set via the MEBx, whether setup was initiated by a host agent, and the CN value in the setup and configuration server’s server certificate. These values apply only to a TLS-PKI setup.

   IPS_AdminProvisioningRecord

An object of this type indicates that the platform moved to Admin Control mode without using either the IPS_HostBasedSetupService AdminSetup or UpgradeClientToAdmin method. The class provides some of the parameters used to complete the setup.

   IPS_ManualProvisioningRecord

Inherits from IPS_ProvisioningAuditRecord with no additional information. It indicates that setup and configuration was done manually, either from the MEBx or by using a formatted USB key.

Local Unprovision

It is possible to perform unprovisioning of an Intel AMT device locally outside the WS-Management authentication framework by using a new Intel ME Interface (Intel MEI) command. This is a way to reverse an undesired or rogue activation of Intel AMT. The user executing this command must have local admin permissions on the platform. The Intel ME WMI provider also has a method for performing unprovision of Intel AMT.

It is also possible to locally perform a WS-Management unprovision command (AMT_SetupAndConfigurationService.Unprovision) or a SOAP Unprovision command. These commands require the password of a user with PT_Administration access and network permissions.

In Client Control mode, unprovision succeeds even if an auditor is defined and the audit log is not locked.

Provisioning Audit Record

The provisioning audit record has been modified to support different versions of the record depending on the form of setup and configuration performed. The provisioning record classes above implement this feature. See Get Provisioning Audit Record.
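Reading the audit record described in the class list above and in this section, as an added example (not code from the Intel AMT SDK): a WS-Transfer Get on IPS_ProvisioningAuditRecord returns an instance of whichever subclass matches the last setup, so the instance's class name tells you how the platform was provisioned. The function below classifies that instance, flattens its properties, and flags records that do not match the provisioning method an organization expects. The SOAP bodies are constructed samples, and the property names inside them are illustrative placeholders rather than the SDK's real property names.

```python
"""Classify an IPS_ProvisioningAuditRecord Get response (added example, not SDK code)."""
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
IPS = "http://intel.com/wbem/wscim/1/ips-schema/1/"

# Subclasses of IPS_ProvisioningAuditRecord and the kind of setup each one records.
RECORD_KINDS = {
    "IPS_ClientProvisioningRecord": "host-based setup (Client Control mode)",
    "IPS_TLSProvisioningRecord": "TLS setup (TLS-PSK or TLS-PKI remote configuration)",
    "IPS_AdminProvisioningRecord": "Admin Control mode without AdminSetup/UpgradeClientToAdmin",
    "IPS_ManualProvisioningRecord": "manual setup (MEBx or formatted USB key)",
}


def classify_audit_record(response_xml: str) -> dict:
    """Return the concrete record class, a description, and its properties."""
    root = ET.fromstring(response_xml)
    body = root.find(f"{{{SOAP}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("SOAP body carries no record instance")
    inst = body[0]
    ns, _, cls = inst.tag[1:].partition("}")   # "{namespace}LocalName"
    if cls not in RECORD_KINDS or ns != IPS + cls:
        raise ValueError(f"unexpected instance {inst.tag!r}")
    props: dict = {}
    for child in inst:
        name = child.tag.rpartition("}")[2]
        if name in props:                       # multi-valued property -> list
            props[name] = (props[name] if isinstance(props[name], list)
                           else [props[name]]) + [child.text]
        else:
            props[name] = child.text
    return {"class": cls, "kind": RECORD_KINDS[cls], "properties": props}


def is_unexpected_setup(record: dict, expected_classes=("IPS_TLSProvisioningRecord",)) -> bool:
    """True when the last setup was not performed the way the fleet policy expects.

    Default policy (an assumption for this example): only TLS remote
    configuration is sanctioned, so a client, admin or manual record is a finding.
    """
    return record["class"] not in expected_classes


def _sample(cls: str, inner: str) -> str:
    """Wrap a constructed instance body in a SOAP envelope."""
    return (f'<s:Envelope xmlns:s="{SOAP}"><s:Body>'
            f'<g:{cls} xmlns:g="{IPS}{cls}">{inner}</g:{cls}></s:Body></s:Envelope>')


# Constructed samples; child element names are placeholders, not SDK property names.
SAMPLE_CLIENT_RECORD = _sample("IPS_ClientProvisioningRecord",
                               "<g:ExampleHashAlgorithm>2</g:ExampleHashAlgorithm>"
                               "<g:ExampleCertHash>00</g:ExampleCertHash>"
                               "<g:ExampleCertHash>ff</g:ExampleCertHash>")
SAMPLE_MANUAL_RECORD = _sample("IPS_ManualProvisioningRecord", "")
SAMPLE_TLS_RECORD = _sample("IPS_TLSProvisioningRecord",
                            "<g:ExampleHostInitiated>false</g:ExampleHostInitiated>")

if __name__ == "__main__":
    for xml in (SAMPLE_CLIENT_RECORD, SAMPLE_MANUAL_RECORD, SAMPLE_TLS_RECORD):
        rec = classify_audit_record(xml)
        print(rec["class"], "->", rec["kind"], "| unexpected:", is_unexpected_setup(rec))
```

Because IPS_ProvisioningAuditRecord.Get is readable with GeneralInfo privileges, a low-privilege monitoring account can pull this record on every managed platform and raise an alert when a client or manual record appears where only remote configuration was authorized.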

Copyright © 2006-2022, Intel Corporation. All rights reserved.