Security Admin Events

Intel AMT Features > Access Monitor > Detailed Description > Event Groups and Event IDs > Security Admin Events

Security Admin Events

The following table describes the Security Admin events (App ID = 16). Beginning in Release 8.0, all Security Admin events are enabled by default except Flash Wear-Out Counters Reset (ID=15) and Power Package Modified (ID=16) events.

Event Name	ID	Description	Parameters		Trigger
AMT Provisioning Started	0	Intel AMT transitioned to setup mode (also called “in provisioning”). Note: This event is flagged as super_critical from Release 12.0 onward. Prior to Release 12.0, it is always written to the Log and cannot be flagged as critical.	None		The platform is connected to a network and has a PID-PPS pair, or a remote configuration local agent commanded Start Configuration, or a “bare metal” configuration sequence started. The event will be logged also in SMB mode. (Manual Mode in Release 6.0) Note: This event is always logged, even if auditing is not enabled. The timestamp of the event will always be 12:00 Jan 1, 2004 if the time had never been initialized when this event occurred. Otherwise, with Release 6.0, it will be the time just before the previous unconfiguration. Note: This event is NOT triggered by the Release 6.2/7.0 and later Host-Based (Local) Setup feature and is deprecated from Release 6.1. ISV software should obtain information about configuration occurrences from the following classes (via IPS_ProvisioningAuditRecord): IPS_AdminProvisioningRecord IPS_ClientProvisioningRecord IPS_ManualProvisioningRecord
AMT Provisioning Completed	1	Intel AMT transitioned to operational mode (also called “post provisioning”). Note: This event is flagged as super_critical from Release 12.0.30 onward. Prior to Release 12.0.30, it is always written to the Log and cannot be flagged as critical.	UINT8 ProvisioningMethod: 2 – Remote Configuration 3 – Manual Provisioning via MEBX 5 – Host-Based Provisioning Admin Mode Note: Additional methods may be added in the future.		WS-MAN: AMT_SetupAndConfigurationService.CommitChanges completed successfully. Note: Prior to Intel® AMT release 12.0.30, this event is NOT triggered by the Release 6.2/7.0 and later Host-Based (Local) Setup feature or by the Release 6.0 Manual Configuration feature. This event is deprecated from Release 6.1. ISV software should obtain information about configuration occurrences from the following classes (via IPS_ProvisioningAuditRecord): IPS_AdminProvisioningRecord IPS_ClientProvisioningRecord IPS_TLSProvisioningRecord IPS_ManualProvisioningRecord In Intel AMT 12.0.30 and later, this event is generated by provisioning in Admin mode.
			UINT8 HashType (Irrelevant for PSK) 1 – SHA1_160 2 – SHA_256 3 – SHA_384
			For SHA1_160: UINT8 TrustedRootCertHash[20] For SHA_256: UINT8 TrustedRootCertHash[32] For SHA_384: UINT8 TrustedRootCertHash[48] (Irrelevant for PSK)
			UINT8 NumberOfCertificates (Irrelevant for PSK)
			UINT8 CertSerialNumbers[], each number 16 bytes length, up to 3 serial numbers. (Irrelevant for PSK)
			UINT8 AdditionalCaSerialNums (Irrelevant for PSK) 0 – There are additional certificates. 1 – There are no additional certificates.
			UINT8 ProvServFQDNLength (Irrelevant for PSK)
			UINT8 ProvServFQDN[], up to 255 bytes. (Irrelevant for PSK)
ACL Entry Added	2	User entry was added to the Intel AMT device	InitiatorType Type		Functions called and executed successfully: WS-MAN: AMT_AuthorizationService.AddUserAclEntryEx CIM_AccountManagementService.CreateAccount CIM_RemoteIdentity.Create WebUI: Calling new user account. Log may be recorded also when the method fails afterwards with PT_STATUS_INTERNAL_ERROR or PT_STATUS_FLASH_WRITE_LIMIT_ EXCEEDED return values.
			UINT8 Username_Length	UINT32 SID
			UINT8 Username	UINT8 Domain_Length
			UINT8 Username	UINT8 Domain[]
ACL Entry Modified	3	User entry in the Intel AMT device was updated	UINT8 ParameterModified (Bit combination): 0x01 Username 0x02 Password 0x04 Local realms 0x08 Remote realms 0x10 Kerberos domain 0x20 SID		Functions called and executed successfully: WS-MAN: AMT_AuthorizationService.UpdateUserAclEntryEx CIM_Account.Put CIM_Privilege.Put WebUI: Calling Change User Account. Calling Change Admin Account. Log May be recorded also when the method fails afterwards with PT_STATUS_INTERNAL_ERROR or PT_STATUS_FLASH_WRITE_LIMIT_EXCEEDED return values.
			InitiatorType Type
			UINT8 Username _Length	UINT32 SID
			UINT8 Username[]	UINT8 Domain_Length
			UINT8 Username[]	UINT8 Domain[]
ACL Entry Removed	4	User entry in the Intel AMT device was removed	InitiatorType Type		Functions called and executed successfully: WS-MAN: AMT_AuthorizationService.RemoveUserAclEntry CIM_Account.Delete CIM_RemoteIdentity.Remove WebUI: Calling “remove user account”. Log may be recorded also when the method fails afterwards with PT_STATUS_INTERNAL_ERROR return value.
			UINT8 Username _Length	UINT32 SID
			UINT8 Username[]	UINT8 Domain_Length
			UINT8 Username[]	UINT8 Domain[]
ACL Access With Invalid credentials	5	User attempted to access Intel AMT or MEBx with invalid username or password	UINT8 Type 0 - AMT 1 - MEBx		MEBx invalid access – Event is logged after 3 invalid access attempts. AMT invalid access - The event is logged each time the user is blocked due to numerous authentication failures.
ACL Entry Enabled	6	ACL entry state was changed (Enabled or Disabled)	UINT8 ACL Enabled 0 - disabled 1 - enabled		Change anonymous access via WebUI. WS-MAN: CIM_Account.RequestStateChange Log may be recorded also when the method fails afterwards with PT_STATUS_INTERNAL_ERROR or PT_STATUS_FLASH_WRITE_LIMIT_EXCEEDED return values.
			InitiatorType Type
			UINT8 Username _Length	UINT32 SID
			UINT8 Username []	UINT8 Domain_Length
			UINT8 Username []	UINT8 Domain[]
TLS State Changed	7	TLS options changed	UINT8 RemoteStatus 0 - NoAuth 1 - Server 2 - Mutual		WS-MAN: AMT_TLSSettingData.Put
TLS State Changed	7	TLS options changed	UINT8 LocalStatus 0 - NoAuth 1 - Server 2 - Mutual		WS-MAN: AMT_TLSSettingData.Put
TLS Server Certificate Set	8	TLS Server Certificate was defined	UINT8 CertSerialNum[20]		WS-MAN: AMT_TLSCredentialContext.Create AMT_TLSCredentialContext.Put
TLS Server Certificate Removed	9	Attempted to remove certificate	UINT8 CertSerialNum[20]		WS-MAN: AMT_TLSCredentialContext.Delete
TLS Trusted Root Certificate Added	10	Trusted root certificate added. Note: This event cannot be flagged as critical.	UINT8 CertSerialNum[20]		WS-MAN: AMT_PublicKeyManagementService.AddTrustedRootCertificate
TLS Trusted Root Certificate Removed	11	Trusted root certificate removed. Note: This event cannot be flagged as critical.	UINT8 CertSerialNum[20]		WS-MAN: AMT_PublicKeyCertificate.Delete
TLS Pre-Shared Key Set	12	PreShared Key was defined	None		WS-MAN: AMT_SetupAndConfigurationService.SetTLSPSK Note: This trigger was removed in release 11.0.
Kerberos Settings Modified	13	Kerberos was enabled (Kerberos options set) or disabled. Note: This event cannot be flagged as critical (Release 5.1 and later).	UINT8 TimeTolerance		WS-MAN: AMT_KerberosSettingData.Put is invoked and returns success.
Kerberos Master Key or Passphrase Modified	14	Kerberos master key or passphrase was modified. Note: This event cannot be flagged as critical (Release 5.1 and later).	None		WS-MAN: AMT_KerberosSettingData.Put is invoked and returns success.
Flash Wear-Out Counters Reset	15	Flash Wear-out counter was reset. Note: This event cannot be flagged as critical.	None		WS-MAN: AMT_SetupAndConfigurationService.ResetFlashWearOutProtection Starting with Release 6.2, the WS-MAN triggers are not actually perform a reset and the event is not logged. This trigger was removed entirely in Release 11.0.
Power Package Modified	16	Active power package was set	UINT8 PolicyGUID[16]		MEBx: Power package changed WS-MAN: AMT_SystemPowerScheme.SetPowerScheme WebUI: Power Policies page If the power package is changed via the MEBx, the event will not be logged.
Set Realm Authentication Mode	17	Realm authentication mode changed.	UINT32 realm		WebUI: Anonymous access option is changed. Log may be recorded also when the method fails afterwards with PT_STATUS_INTERNAL_ERROR or PT_STATUS_FLASH_WRITE_LIMIT_ EXCEEDED return values.
Set Realm Authentication Mode	17	Realm authentication mode changed.	UINT8 Authentication mode 0 - NoAuth 1 - Auth 2 - Disable
Upgrade Client To Admin	18	The control mode of the Intel AMT was changed from Client Control to Admin Control	None		WS-MAN: (Release 7.0 and later releases) IPS_HostBasedSetupService.UpgradeClientToAdmin
AMT UnProvisioning Started	19	Intel AMT transitioned to unprovisioned state (also called preprovisioning) Note: This event is flagged as super_critical from Release 12.0.30 onward. Prior to Release 12.0.30, it is always written to the Log and cannot be flagged as critical.	UINT8 UnprovisioningInitiator 1 – BIOS 2 - MEBx 3 – Local MEI 4 – Local WSMAN 5 – Remote WSMAN		WS-MAN: AMT_SetupAndConfigurationService.Unprovision AMT_SetupAndConfigurationService.PartialUnprovision started successfully. HECI: CFG_Unprovision()started successfully.