Remote Configuration with a Local Agent

The following diagrams and table describe how you can incorporate a local agent on the Intel AMT platform to enable a delayed remote setup and configuration.

Note: Starting with Tiger Lake, the On-Die Certificate Authority (ODCA) is used for issuing certificates for Intel CSE applications (e.g., Intel AMT).





1. The management console requests the local agent to check for Intel AMT capability on the platform and to return key parameters.

2. The agent detects Intel AMT and requests the UUID and Intel AMT firmware version.

3. The Intel AMT device returns the values to the agent.

4. The agent returns the information to the management console.

5. The management console sends a One Time Password (OTP) to the agent.

6. The management console sends the identifying information and optionally an OTP to the SCA.

7. If steps 5 and 6 were executed, the agent sends the OTP to the Intel AMT device and commands it to open the network interface. The Intel AMT device generates a self-signed certificate. Generating the necessary keys may take up to seven minutes.

8. The Intel AMT device starts sending “Hello” messages.

9. Setup and configuration begins using the PKI-CH protocol (see Remote Setup and Configuration Flow).

10. After the PKI-CH protocol has completed successfully and before any configuration is sent to Intel AMT, the SCA requests the OTP from Intel AMT and compares it to the OTP sent by the management console. Note that the SCA does not have to ask for an OTP (even if one was set).
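The SCA-side bookkeeping for steps 6 and 10, as an added example that is not Intel's code or part of the Intel AMT SDK. The class and function names, the expiry window, the single-use rule and the sample UUID are assumptions of this example; how the OTP is read from the Intel AMT device is out of scope and is passed in as a parameter.

```python
import hmac
import secrets
import time


def new_otp() -> str:
    """Management console side (step 5): generate an unpredictable OTP."""
    return secrets.token_urlsafe(16)


class PendingSetupStore:
    """Hypothetical SCA store of devices announced by the console (step 6)."""

    def __init__(self, ttl_seconds=3600, clock=time.monotonic):
        # Assumption: the TTL must comfortably exceed the key generation
        # time in step 7 (up to seven minutes) plus the PKI-CH exchange.
        self._ttl = ttl_seconds
        self._clock = clock
        self._pending = {}  # uuid -> (otp or None, deadline)

    def register(self, uuid: str, otp: str = None) -> None:
        """Step 6: console sends identifying info and, optionally, an OTP."""
        self._pending[uuid.lower()] = (otp, self._clock() + self._ttl)

    def verify(self, uuid: str, otp_from_device: str = None) -> str:
        """Step 10: call after PKI-CH succeeds, before sending configuration."""
        # pop() makes every record single-use, so an OTP cannot be replayed.
        entry = self._pending.pop(uuid.lower(), None)
        if entry is None:
            return "unknown-device"
        expected, deadline = entry
        if self._clock() > deadline:
            return "expired"
        if expected is None:
            return "accepted-no-otp"  # console registered the device without an OTP
        if otp_from_device is None:
            return "rejected"
        # Constant-time comparison avoids leaking how many characters matched.
        if hmac.compare_digest(expected.encode(), otp_from_device.encode()):
            return "accepted"
        return "rejected"


if __name__ == "__main__":
    store = PendingSetupStore()
    uuid = "4C4C4544-0000-1000-8000-AABBCCDDEEFF"  # constructed sample UUID
    otp = new_otp()
    store.register(uuid, otp)
    print(store.verify(uuid, otp))  # first presentation of the OTP
    print(store.verify(uuid, otp))  # replay of the same OTP
```
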

Copyright © 2006-2022, Intel Corporation. All rights reserved.