Overview of PSK/PKI/Automatic Configuration Flow

The following diagram and table describe the flow of PSK/PKI/Automatic setup and configuration using a configuration server to configure Intel AMT.




IT sets initial configuration data in Intel AMT to enter Setup Mode – Initial configuration data vary according to the method used:

     If TLS-PSK is used, IT needs to set PID/PPS pairs and change the MEBx password.

     If TLS-PKI is used, IT may need to set additional data (SCA FQDN or PKI DNS Suffix) and may need to run a local agent to transfer Intel AMT to Setup Mode.

A USB key can be used to enter the configuration data.


The Intel AMT device locates the SCA – Locating the configuration server is dependent on parameters set in Intel AMT:

1.  If SCA Static IP is set (MEBx/USB), Intel AMT will use this IP to contact the SCA.

2.  If DNS Server IP is set (either manually when Intel AMT is using Static IP or acquired from DHCP using options 5 or 6):

a.   If SCA FQDN is set, Intel AMT will send a DNS query for this FQDN and will use the returned IP.

b.   If internal domain is set, Intel AMT will send a DNS query for provisionserver.<internal domain>

If DHCP option 15 (domain suffix) is set, Intel AMT will send a DNS query for provisionserver.<DHCP option 15>

If DHCPv6 option 24 (domain suffixes) is set, Intel AMT will send a DNS query for provisionserver.<DHCPv6 option 24>. Intel AMT supports up to five domain suffixes.

Note: These steps are mutually exclusive. Method 2b is the “default” locating method.
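
The locating rules above, written out as an added example (not code from Intel or from the original page) that reports which IP or DNS names a device with given settings will use, so the DNS records and DHCP options that steer the Hello message can be audited. `ProvisioningSettings`, `provision_name`, `locate_sca` and `dns_names_to_audit` are hypothetical names, and the example assumes the rules are tried in the order listed, with the first match winning.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_DHCPV6_SUFFIXES = 5  # the page: up to five DHCPv6 option 24 suffixes

@dataclass
class ProvisioningSettings:
    """Hypothetical container for the parameters this section names."""
    sca_static_ip: Optional[str] = None   # set through MEBx/USB
    dns_server_ip: Optional[str] = None   # manual, or acquired from DHCP
    sca_fqdn: Optional[str] = None
    internal_domain: Optional[str] = None
    dhcp_option_15: Optional[str] = None  # domain suffix
    dhcpv6_option_24: List[str] = field(default_factory=list)

def provision_name(suffix: str) -> str:
    """Build provisionserver.<suffix>, normalised for comparison."""
    return "provisionserver." + suffix.strip().rstrip(".").lower()

def locate_sca(s: ProvisioningSettings) -> Tuple[str, List[str]]:
    """Return (method, targets): the IP contacted or the DNS names queried.
    Assumption: rules are tried in the order the page lists them, first
    match wins, and every DNS-based rule needs a DNS server IP."""
    if s.sca_static_ip:
        return "static-ip", [s.sca_static_ip]
    if not s.dns_server_ip:
        return "unresolvable", []
    if s.sca_fqdn:
        return "sca-fqdn", [s.sca_fqdn.strip().rstrip(".").lower()]
    if s.internal_domain:
        return "internal-domain", [provision_name(s.internal_domain)]
    if s.dhcp_option_15:
        return "dhcp-option-15", [provision_name(s.dhcp_option_15)]
    suffixes = s.dhcpv6_option_24[:MAX_DHCPV6_SUFFIXES]
    if suffixes:
        return "dhcpv6-option-24", [provision_name(d) for d in suffixes]
    return "unresolvable", []

def dns_names_to_audit(fleet: List[ProvisioningSettings]) -> List[str]:
    """DNS names that must resolve only to the real SCA for this fleet."""
    found = (locate_sca(s) for s in fleet)
    return sorted({t for m, ts in found if m != "static-ip" for t in ts})

# Constructed sample fleet (documentation addresses and example domains).
SAMPLE_FLEET = [
    ProvisioningSettings(sca_static_ip="192.0.2.10"),
    ProvisioningSettings(dns_server_ip="192.0.2.53", internal_domain="corp.example"),
    ProvisioningSettings(dns_server_ip="192.0.2.53", dhcp_option_15="Lab.Example."),
]
```
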


AMT sends a "Hello" message to the SCA – Intel AMT will periodically send Hello messages with the required configuration data (PSK/PKI).


The SCA contacts Intel AMT – Once the SCA is aware of the Intel AMT presence (i.e. it received a Hello message from Intel AMT), it will try to contact Intel AMT using the appropriate configuration method (according to the Hello message).


AMT verifies the SCA according to method used:

     If PSK is used, the SCA won’t be able to contact Intel AMT unless it uses the same PID/PPS.

     If PKI is used, Intel AMT will verify the SCA certificate (see PKI Certificate Verification Methods).

     The sample SCA uses the default admin credentials for Digest authentication during setup and configuration. Starting in Release 6.1, Intel AMT ignores the HTTP header on the TLS-secured connection.


The SCA configures the Intel AMT – Once trust has been established, the SCA can configure the Intel AMT.


The Intel AMT device moves to Operational Mode.

