Download Intel® Business Client Community Frequently Asked Questions [PDF 380KB]
Getting Started
This section contains answers for those new to the Intel® Manageability and Security Developer Community (now called Intel® Business Client Community) and Intel® Active Management Technology[1].
Q1 What is the Intel Business Client Community?
A1 This is an online site (previously known as the Manageability and Security Developer Community) created to increase the expertise for developers of Intel® Active Management technology and security features in Intel® vPro™ technology[2]-based solutions. It contains articles, blogs, videos, downloads, a forum, and other items to help developers reduce the time required to create manageability and security solutions for business client systems.
Q2 What is Intel® Active Management Technology (Intel® AMT)?
A2 Intel® notebooks and desktops with Intel AMT combine high-end performance with security and manageability integrated within the chip. Optimized for business, Intel vPro technology allows IT to reduce desk-side visits by remotely monitoring and diagnosing PCs and notebooks even when the OS is off or unresponsive.
- Discover. With built-in manageability, IT can discover assets even while PCs are powered-off.
- Diagnose. Providing out-of-band management capabilities, IT can remotely diagnose and recover systems reducing downtime.
- Verify. Hardware-based agent presence checking proactively detects the software agents that are running while missing agents are automatically detected and alerts are sent to the management console.
- Isolate. Proactively block incoming threats, and isolate infected systems while containing infected clients before network impact and alerting IT to the critical software agents removed.
- Update. Help keep patches and virus protection software up-to-date. Intel AMT provides the capability to store version numbers or policy data in non-volatile memory for off-hours retrieval.
Q3 What is Intel vPro technology?
A3 Intel vPro technology is “IT” embedded into the HW platform. Intel vPro technology is a platform brand that enables business-class PCs with capabilities to help address the needs and requirements faced by business today. Intel vPro technology comprises a processor, chipset, networking, Intel AMT, and other components working together to enable enhanced remote management capabilities for PCs. With Intel AMT, a feature of Intel vPro technology, IT personnel can use a third-party manageability and/or security software controller to collect inventory information, remotely diagnose problems, and provide remote services even to PCs that are turned off or have an inoperable OS. Administrators can also better protect individual PCs and the network from threats.
Q4 What are the following Intel AMT tools for: SDK, Open Manageability DTK, SCS, WS-Man Translator, JavaLib?
A4 These are all tools that can be used when experimenting with or writing applications for Intel AMT. Here are some brief descriptions and when to use them:
Intel AMT SDK: Software Development Kit - Provides sample code and all the APIs needed for implementing Intel AMT. The Open Manageability DTK uses the APIs provided in the SDK. Be sure to use the most recent release of the SDK to integrate Intel AMT into your application.
Open Manageability DTK: Developer Tool Kit - This is a solution written in C# using the Intel AMT SDK. Use this to get an idea of how Intel AMT works. Many engineers use the DTK to verify if a certain feature is working. The source code is also available.
Intel® SCS: Intel® Setup and Configuration Software - allows you to discover, set up and configure, and maintain a secure connection to every managed device on your network. Using Intel SCS is an easy process for unlocking the features and the value of systems with Intel® processors with Intel vPro technology.
Intel® WS-Man Translator: WS-Management Translator - makes it possible for WS-Management-based software to be used in conjunction with Intel AMT platforms older than version 3.0.
JavaLib: Intel® WS-Management Java Client Library - is a lightweight WS-Management protocol library designed for software developers who want to quickly and easily support WS-Man but want to avoid the complexity of writing their own Java*-based WS-Man client library.
Q5 How do I get started writing Intel AMT software using WS-Management?
A5 Download the latest Intel® AMT SDK and look at the documentation. Starting with version 6.0, WS-Management is the only interface that supports new features. Also take a look at this article on WS-Management development.
Q6 What are the guidelines for Intel® AMT Management Engine (ME) passwords?
A6 You have to change the default ME password (admin) to a strong password the first time you log in to the Management Engine BIOS Extensions (MEBx). Follow these guidelines. The ME password should contain:
- 7-bit ASCII characters, in the range of 32-126, excluding ':', ',' and '"' characters.
- No more than 32 characters.
- At least one number ('0', '1', .... '9')
- At least one 7-bit ASCII non alpha-numeric character, above 0x20, (e.g., '!', '$', ';'...). Note that '_' is considered alpha-numeric.
- At least one lower-case letter ('a', 'b',...,'z') and one upper case letter ('A', 'B', ...'Z')
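The guidelines above can be checked mechanically before a password is entered into MEBx. This is an added Python example, not Intel's code; the function name and violation labels are hypothetical, and it enforces only the rules listed in A6 (the page states no minimum length, so none is checked).

```python
import string

MAX_LENGTH = 32                      # "No more than 32 characters"
FORBIDDEN = frozenset(':,"')         # excluded by the first guideline
LOWER = frozenset(string.ascii_lowercase)
UPPER = frozenset(string.ascii_uppercase)
DIGITS = frozenset(string.digits)
# The guidelines treat '_' as alphanumeric, so it never counts as a special.
ALNUM = LOWER | UPPER | DIGITS | {"_"}


def me_password_violations(candidate: str) -> list[str]:
    """Return the A6 guidelines that `candidate` breaks (empty list = compliant).

    Character classes use explicit ASCII sets instead of str.isdigit() or
    str.isalpha(), which also accept non-ASCII digits and letters.
    """
    violations = []
    if len(candidate) > MAX_LENGTH:
        violations.append("too_long")
    if any(not 32 <= ord(ch) <= 126 for ch in candidate):
        violations.append("outside_ascii_32_126")
    if any(ch in FORBIDDEN for ch in candidate):
        violations.append("forbidden_character")
    if not any(ch in DIGITS for ch in candidate):
        violations.append("no_digit")
    if not any(ch in LOWER for ch in candidate):
        violations.append("no_lowercase")
    if not any(ch in UPPER for ch in candidate):
        violations.append("no_uppercase")
    # A special must be above 0x20, so a space does not qualify, and the
    # forbidden characters cannot satisfy the requirement either.
    has_special = any(
        0x20 < ord(ch) <= 0x7E and ch not in ALNUM and ch not in FORBIDDEN
        for ch in candidate
    )
    if not has_special:
        violations.append("no_special")
    return violations


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    samples = ["Adm1n!pass", "admin", "Passw0rd_", "Passw0rd ", "Pa:ssw0rd!"]
    for sample in samples:
        result = me_password_violations(sample)
        print(f"{sample!r}: {'OK' if not result else ', '.join(result)}")
```

The underscore and trailing-space samples are the two cases a generic "has a symbol" check tends to get wrong for this policy.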
Q7 Is there some type of software I can install on my computer or server to remotely manage computers with Intel vPro technology?
A7 This detailed document, Intel® AMT SDK Start Here Guide, will help you get started.
Q8 Will my management console be helpful when deployed without any systems with Intel vPro Technology?
A8 To take advantage of the usage models supported by Intel AMT, you need the support from PCs with Intel vPro Technology and a Management console.
Q9 Why can’t I connect to the Intel AMT system locally through WebUI?
A9 Intel AMT versions prior to 7.0 cannot serve web pages locally. The Intel AMT system is not accessible locally through the WebUI or ping, even if it has a static IP.
Q10 Is there a utility to check if my system supports Intel vPro technology?
A10 The Intel® Setup and Configuration Service version 7.0 and later has a discovery module called the SCS Discovery Tool. Here is a blog on How to Run the SCS Discovery Tool.
Q11 Which systems support Intel vPro technology?
A11 Refer to this blog: Intel® vPro Technology™ Release 9.0: Platform Requirements for information on what processors and SKUs are Intel AMT 9+ capable.
Q12 What hardware components make up an Intel AMT 4.0 system?
A12 The main hardware ingredients that are present in an Intel AMT 4.0 system include:
- Intel® Wireless Wi-Fi* Link 5000 Series AGN adapters
- Processor: Intel® Centrino® 2 with vPro™ Technology
- Chipset: Intel® M45 series chipset with Intel® ICH09DO
- CPUs: Intel® Core™ 2 Duo mobile processor T9600, T9400, P9500, P8600, and P8400 series
Note: Intel AMT 4.0 systems are no longer supported. Only Intel AMT 7.0 and newer are supported.
Q13 What hardware components make up an Intel AMT 5.0 system?
A13 The main hardware ingredients that are present in an Intel AMT 5.0 system include:
- Intel Wireless Wi-Fi Link 5100 or 5300 AG
- Processor: Intel® Core™ 2 processor with vPro™ Technology
- Chipset: Intel® Q45 Express Chipset with Intel® ICH10DO
- CPUs: Intel® Core™ 2 Quad Q9xxx and Duo E8xxx series CPUs.
Note: Intel AMT 5.0 systems are no longer being supported.
Q14 What hardware components make up an Intel AMT 6.0 System?
A14 The main hardware ingredients that are present in an Intel AMT 6.0 system include:
- Networking:
- Intel® 82577LM Gigabit network connection
- Notebooks: Intel® Centrino® Ultimate-N 6300 (3x3) 802.11a/b/g/n
- Notebooks: Intel® Centrino® Advanced-N 6200 (2x2) 802.11a/b/g/n
- Chipsets:
- Mobile: QM57
- Desktop: Q57
- Small Form Factor (SFF) QS57
- Intel® Core™ i7/i5 processors
- Desktop: i5-650, i5-660, i5-670
- Laptop: i7-620M, i7-640LM, i7-620LM, i7-640UM, i7-620UM, i5-540M, i5-520M, i5-520UM
Q15 What hardware components make up an Intel AMT 7.0 system?
A15 The main hardware ingredients that are present in an Intel AMT 7.0 system include:
- Networking
- Intel® 82579LM Gigabit Ethernet PHY
- Intel Wi-Fi Adapters supporting vPro technology:
- Intel Centrino Ultimate-N 6300
- Intel Centrino Advanced-N 6230
- Intel Centrino Advanced-N 6205
- Chipsets supporting Intel vPro/ Intel AMT technologies 7.0
- Q67 for Desktop Systems; QM67 and QS67 for Mobile chipsets
- Intel® Core™ i7/i5 processors
- Desktop: i7-870, i7-860, i7-860s, i5-650, i5-660, i5-670, i5-680
- Laptop: i7-840, i7-820, i7-740, i7-720, i7-660, i7-640, i7-620, i5-580, i5-560, i5-540, i5-520
Refer to this Blog post for additional information like support for KVM Remote Control.
Q16 What hardware components make up an Intel AMT 8.0 system?
A16 The main hardware ingredients that are present in an Intel AMT 8.0 system include:
- Networking
- Intel® 82579LM Gigabit Ethernet PHY
- Intel Wi-Fi adapters supporting Intel vPro technology:
- Intel Centrino Ultimate-N 6300
- Intel Centrino Advanced-N 6230
- Intel Centrino Advanced-N 6205
- Intel Centrino Advanced-N 6200
- Intel Centrino Advanced-N + WiMAX 6250
- Chipsets supporting Intel vPro/AMT technologies 8.0
- Q77 for Desktop Systems; QM77 and QS77 for Mobile chipsets
- Intel® Core™ i7/i5 processors
- Desktop: i7-3770, i7-3770T, i7-3770S, i5-3550, i5-3550S, i5-3570T
- Laptop: i7-3920XM, i7-3820QM
Q17 What hardware components make up an Intel AMT 9.0 system?
A17 Refer to this blog: Intel® vPro Technology™ Release 9.0: Platform Requirements for information on what processors and SKUs are Intel AMT 9+ capable.
Q18 What are the allowed network setup modes?
A18 Intel AMT supports DHCP and static IP. It is advised that the Intel AMT network settings coincide with the system network settings.
- When using DHCP: the Intel AMT hostname should be set to the same hostname as the host.
- When using static IP: the Intel AMT hostname AND IP address should differ from the host IP and hostname.
Q19 Does Intel AMT support Windows Vista*?
A19 Intel AMT is generally OS independent. Intel AMT supports drivers for Windows Vista starting with AMT 2.1 for features that use local drivers.
Q20 What features do the various versions of AMT support?
A20 Refer to the AMT SDK Start Here Guide to see a list of versions and features http://software.intel.com/en-us/articles/intel-active-management-technology-start-here-guide-intel-amt-9 .
Q21 Does Intel AMT support Linux*?
A21 Intel AMT is generally OS independent. Please refer to this post on Intel AMT with Linux.
Q22 Can I control Intel AMT clients from a Management Console running on a non-Intel AMT computer with Windows* or Linux?
A22 The computer that runs the Intel AMT Management console does not have to have AMT installed.
Q23 Will Intel AMT technology be coming to Apple Macintosh* computers?
A23 Intel® Centrino® Pro processor technology on the Macintosh would be Apple's version of their mobile platforms with Intel Core 2 Duo processors. There are currently no plans to have Intel AMT on Apple systems.
Q24 Do I need a server (such as Windows Server 2003) to manage and control AMT PC clients?
A24 No. If you use the Intel Manageability Commander, any Microsoft Windows computer is ok.
Q25 Are there any software applications available to perform hardware inventory on Intel AMT systems?
A25 You can do it in two ways:
1. Log on to your Intel AMT system through web URL http://<ipaddress>:16992. On the left side, you will see hardware Information and under that are system, processor, memory, and disk. You can click on each of them and see the details.
2. Through Intel Manageability Commander, which comes with the Intel AMT Manageability DTK. You can download the latest version from http://www.intel.com/software/amt-dtk .
Q26 Which versions of Intel AMT can be configured using the Intel SCS?
A26 Please refer to the latest release of the Intel SCS for information on supported Intel AMT versions and configuration methods.
Q27 What is the “Hello” message?
A27 This is a message that an Intel AMT device sends once it has been loaded with a PID/PPS key pair and had its default password changed. This indicates the start of the setup and configuration process. Note that “Hello” messages start once a PID/PPS is entered through the MEBx or USB key. They can start even if the Setup and Configuration Service is not installed.
Q28 What is Host Based Configuration?
A28 Host Based Configuration (HBC) is a feature introduced with Intel AMT 7.0 that allows configuration of Intel AMT systems locally through the host operating system. More info is available in this video.
General
This section contains answers to common questions for those developing management solutions based on Intel® Active Management Technology (Intel® AMT).
Q29 Are there any commercial Intel AMT tools available for modifying the BIOS settings on an Intel AMT system?
A29 Use the “Open” Intel AMT Manageability Commander included in the Open Manageability DTK for this. Under the Remote Control tab, you can start an SOL session and boot into the BIOS options of your Intel AMT client. You can also use IMRGUI in the Redirection sample included in the Intel® AMT SDK.
Also try the Intel® vPro Platform Solution Manager.
Q30 Can multiple administrators through various tools connect to Intel AMT on one machine at the same time?
A30 The SOAP and WS-Man protocols used by Intel AMT are request/response protocols, so it will seem like everybody is getting connected at the same time. But really what's happening underneath is that Intel AMT is responding to the requests one by one. You cannot perform multiple instances of Serial over LAN or IDE Redirection at the same time.
Q31 How do you detect computers with Intel AMT Technology without SCS or similar tools?
A31 Assuming the Intel AMT-enabled systems are provisioned, you can send a SOAP command for GetCoreVersion API that can be found in the SDK. Intel AMT-enabled systems will provide a response containing the Intel AMT firmware version. Systems without Intel AMT will not respond to the SOAP request.
Q32 How can I find the Intel AMT MAC address of my client system?
A32 If the Intel AMT device is configured to work in DHCP mode, check to see that its MAC address is exactly the same as the host LAN. Another way is to use the MEInfo tool on the Intel AMT local machine. The MEInfo tool comes with the utilities for upgrading the firmware (contact your OEM for this). If you use this tool, just make sure you are using the right version for your firmware. MEInfo exists in both Windows and DOS versions.
Q33 Can I force my system to boot to a local CD using IDE-R?
A33 Booting to a local CD-ROM is not supported by Intel AMT. You can use ASF for doing that.
Q34 Will the flash update utility work remotely?
A34 The flash update utility only works remotely. This is a security feature of Intel AMT.
Q35 Can an Intel AMT application be developed for an older version of Intel AMT using a newer version of the Intel AMT SDK?
A35 Yes, as long as the application is aware of the Intel AMT version and does not try to perform operations only available on newer Intel AMT systems. Differences between the versions are generally called out in the SDK documentation. Additionally, many older APIs have been deprecated.
Q36 Can an application compiled with an older version of the Intel AMT SDK manage newer Intel AMT Firmware versions?
A36 Yes, almost all interfaces are forward compatible. But you need to be wary of items that are deprecated. Refer to the documentation in the Intel AMT SDK.
Q37 What are the limitations of using Intel AMT in a wireless environment?
A37 Here is a high-level list detailing wireless usage in Intel AMT. For more information please take a look at http://software.intel.com/en-us/articles/technical-considerations-for-intel-amt-in-a-wireless-environment
- Setup and Configuration is not supported over a wireless interface.
- There is no host wireless connection in link-sensitive flows (i.e., SOL/IDE-R redirection use-cases); local agents will not be able to connect unless there is a LAN connection.
- System Defense filters are software based, not hardware based as in the wired interface.
- Static IP is not supported on the wireless management interface.
- The wireless management interface may not be enabled by default depending on which setup and configuration tool is being used (even if valid wireless profiles are configured in the Management Engine and Intel AMT is enabled).
- Wired and wireless management interfaces cannot be on the same subnet concurrently.
- 802.1x profiles are applied independently on wired and wireless.
Q38 What is the difference between IDE-R and PXE?
A38 IDE-Redirect (IDE-R) is a feature of Intel AMT that allows the management console to remotely mount CD-ROM and floppy disk drives on an Intel AMT computer and cause a remote boot on the remote drives. PXE (Preboot Execution Environment) is a form of remote boot that has been used for a long time before IDE-R. Here are the main differences between the two:
- PXE is a BIOS technology and has access to the entire system RAM and loads the entire disk image from a remote TFTP server before booting. IDE-R, being part of Intel AMT, does not have access to the entire system RAM and can’t pre-load the entire disk image, so it forwards each disk request to the console. The console must then answer back to each disk request. Due to this, PXE may be slower at first, but faster later and does not need a permanent connection to the server.
- IDE-R is console initiated; PXE is client initiated. PXE is generally used for diskless workstations, and IDE-R is used by administrators to remotely fix problems.
- IDE-R is routable, PXE is not. Because PXE gets its instructions from DHCP, each DHCP server on each subnet must support PXE. No particular DHCP infrastructure is required for IDE-R.
- When Intel AMT is set up in TLS mode, IDE-R is more secure than PXE.
Q39 Is the Intel AMT terminal compatible with telnet?
A39 We do not recommend using Telnet or Hyperterm as terminals for Intel AMT. You may use IAmtTerm.exe from the Open Manageability DTK.
Q40 How much memory is available in the 3rd Party Data Store?
A40 Intel AMT 1.0 systems have 96k of NVRAM. All computers with Intel AMT 2.0 and beyond have 192k of NVRAM. This said, vendors can probably change this, and it's generally accepted that any single application should not use more than 48k of it so that several applications can share this space.
You could also try to use some type of compression when placing data into the 3rd Party Data Store (3PDS) so that this space can be used most efficiently.
Q41 Does Intel AMT provide an API for ISVs to modify the PRTC timer remotely?
A41 You can find it in Intel AMT SDK documentation in the AMT_TimeSynchronizationService. To learn more about this clock refer to this post.
Q42 How can one discover an Intel AMT machine before a user goes into the Intel AMT configuration screen at boot-time and sets a new username/password from the default password?
A42 The Intel® Setup and Configuration Software version 7.0 and later has a discovery module. You can use a tool as described in this blog: http://software.intel.com/en-us/blogs/2008/11/03/do-you-know-where-your-intel-amt-systems-are/ .
Q43 Can one get the host UUID to run before registration?
A43 Yes, the ISVS_GetHostUUID API call can be used after library initialization and before registration. It's one of a very few calls that can be used prior to registration.
Q44 Can I access my 3rd Party Data Store block by name later as a named block?
A44 Yes, please refer to the Storage feature in the latest Intel AMT SDK documentation.
Q45 Can 3rd Party Data Store blocks smaller than 4K be allocated? What about the scratchpad?
A45 No, please refer to the Storage feature in the latest Intel AMT SDK documentation.
Q46 Does one need to lock while reading from 3rd Party Data Store? What happens if one does not lock?
A46 To ensure the data is consistent, lock before performing reads. If a lock is not done before reading you may get inconsistencies in data, partially from before and partially from after a write that has taken place.
Q47 Will Intel be supplying a library or code to translate the PCI Vendor and Device ID values to human friendly strings?
A47 No, there are no plans to add this functionality to the library. In the meantime, ISVs can go to standard sources to get PCI string tables, e.g., http://pciids.sourceforge.net*.
Q48 When an event filter is created, the FW returns a handle. When the handle is lost (system failure, etc.), how can a console recover the handle? Does the firmware clean up?
A48 Event handles live forever, but they can be recovered. An application can use the SDK CircuitBreakerService interface to enumerate the filters and determine which filters belong to it. To do this, use the EnumerateEventFilters method to return an EventFilterHandleArrayType that lists the filter handles. A loop that applies GetEventFilter SOAP function to each handle can then be created to get the properties of each filter, which allows the application to determine which filters are of interest.
Q49 Is there a license restriction that would not allow redistribution of the IMRSDK.DLL allowed with our product?
A49 The IMRSDK.dll can be distributed with your product.
Q50 What is the maximum size of the Intel AMT event log?
A50 The maximum number of event log entries is 390.
Q51 How does one set up authentication?
A51 To establish a SOAP over HTTPS connection (i.e., TLS authentication), all that needs to be done is specify the proper endpoint: https://<hostname>:16993. Windows security mechanisms will be employed to perform the proper certificate checking to establish the encrypted session. Once the encrypted session is established, the credentials are then passed to perform the userid authentication. This means no code changes are needed other than specifying the new endpoint.
Q52 When accessing the local storage on an Intel AMT machine, an URL (e.g. http://localhost:16992/StorageService) is specified. If the machine is in TLS mode, is it necessary to have the certificate on the local machine that's normally on the core server only?
A52 Yes, please specify the URL as https://localhost:16993/StorageService. Remember that TLS mode is defined on an interface level. This means that one can configure the Intel AMT device to utilize TLS communications on the network (remote) interface and utilize non-TLS communications on the local interface.
Q53 Is there a specific API that will indicate which version(s) of Intel AMT that a device supports?
A53 Yes, call: GeneralInfoService::GetCodeVersions.
Q54 Is it possible to recover the Intel AMT ID/Password without re-programming the device?
A54 No - the password is not recoverable (this is a security feature).
Q55 How can I tell whether an API can be executed locally (on the Intel AMT Client) or remotely (from the management console via network access)?
A55 Please refer to the Functionality on the Realm Mapping page in the latest Intel AMT SDK documentation.
Q56 Where can we get a Linux driver for LMS/SOL and HECI?
A56 You can get Linux drivers here: http://www.openamt.org
Q57 We want to upgrade our Intel AMT firmware. Where can we get new firmware?
A57 Your OEM should be able to tell you if firmware upgrades are available for your system and provide them for you.
Q58 What is the BIOS update process for Intel® Desktop Boards DQ965CO, DQ965GF, and DQ965WC ?
A58 Please refer to the documentation at:
http://support.intel.com/support/motherboards/desktop/sb/CS-025681.htm
Q59 What are the different options available to set up PID/PPS in Intel AMT?
A59
- At manufacturing time: Some vendors could probably push firmware on a computer with some settings pre-loaded.
- Manually: Going into the BIOS or MEBx and entering these values yourself. This is time consuming.
- Using USB Flash: You put these settings into a "setup.bin" file on a USB flash drive (512M or less, will not work on larger sticks).
Q60 What happens if a local application tries to bind to port 16992 or 16993?
A60 This is not recommended. Intel has registered these ports at IANA and they should not be used.
Q61 How do you disable the Intel AMT privacy notification popup?
A61 There are registry settings to do this. Disable.reg has [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "atchk"=""
This will prevent the privacy icon application from ever running again.
If you want to keep the app running, but minimized to get rid of the “popup,” then
[HKLM\SOFTWARE\Intel\Network_Services\atchk] "MinimizePrivacyIconAtStart"=dword:00000001
This can also be done by altering the oementry.reg file that contains this entry. The atchk (privacy icon) app gets installed when you install the SOL/LMS driver software.
The disable.reg and oementry.reg files should be shipped on the OEM driver CDs.
You can refer to this blog: http://software.intel.com/en-us/blogs/2007/04/26/instructions-to-disable-the-intel-amt-privacy-notification-popup/
Q62 What is a UUID to FQDN mapping?
A62 A UUID is a Universally Unique Identifier assigned to each machine. This identifier is a part of the machine's BIOS and can be used to identify the machine independent of its host OS or host name. Before provisioning can be completed, you must provide a mapping of the machine's UUID to its host name. This can be done using the SCS UI and setting the Intel AMT properties.
Q63 Does the alarm clock support multiple alarms?
A63 Starting with Intel AMT 8.0, the PC alarm clock will support an additional 5 alarms with unique identifiers.
Q64 What happens when an alarm clock is scheduled to wake a mobile system that is in an inappropriate location (e.g., a briefcase in airplane overhead bin)?
A64 Intel AMT does not operate on mobile systems that are not plugged into AC power. So the alarm clock feature would not wake the system.
Q65 How can someone determine if a system was booted up due to the alarm clock?
A65 An event is created in the event log that states the alarm clock feature powered up the system. The event also indicates what the previous power state was. Starting with Intel AMT 8.0 the IPS_HostBootReason call can be used to determine the reason for last boot.
Q66 Does the Intel AMT alarm clock feature put the system back to sleep?
A66 No, the intention is to allow local agents to perform tasks on the system at the specified time. When the local agent is finished with its tasks, it should put the system back into the previous state it was in before the alarm.
Q67 What’s different regarding power policies in Intel AMT 6.0 vs. previous generations?
A67 In version 6.0 there are only two power policies supported (Desktop/Mobile on in S0, Desktop/Mobile on in S0 with Wake On ME in S3-S5). The default power policy is Desktop/Mobile on in S0 with Wake on ME in S3-S5. The Idle wake timeout is set to ~45 days. This means the Manageability Engine should always be awake and ready to respond to manageability requests unless ISV software explicitly configures Intel AMT to enter lower power states by reducing the Idle Wake timeout.
Q68 Will the Manageability Engine accept multiple KVM Remote Control connections?
A68 No.
Q69 Can unattended KVM Remote Control sessions (no user consent) be enabled without touching the machine?
A69 Yes, if the OEM enables this option. This may have privacy issues in some countries or user environments. In most cases, the user will have to select this option in the MEBx or the IT administrator will have to set it with a USB key during pre-provisioning.
Q70 Is the KVM Remote Control proxy required to connect to a system with Intel® vPro™ technology?
A70 No. The ME will listen on port 5900 for a standard VNC viewer (RFB 3.8 and above). In this model, extensions such as TLS and Kerberos authentication are not supported even if configured for Intel AMT.
Q71 How does the user give consent for a KVM Remote Control connection when consent is required for each session?
A71 Upon a connection attempt, a sprite is used to display a key that the user must read to the remote operator. The user may opt to disable the per-session consent requirement in MEBx.
Q72 What is a "sprite"?
A72 The term "sprite" in the context of a platform with Intel vPro technology enabled refers to a graphic that is drawn directly to the local display by the integrated hardware. Sprites are independent of any host software or operating system.
Q73 Is the Intel® Management and Security Status (IMSS) service required to use KVM Remote Control?
A73 No. IMSS provides additional notifications to the user, the ability for the user to terminate a KVM Remote Control session and control over the sprite behavior (e.g., language selection).
Q74 What Remote Frame Buffer (RFB) protocol version is supported?
A74 RFB 3.8 and 4.0 are both supported. RFB 4.0 offers some performance, usability, and extensibility enhancements.
Q74.1 What is the "RFB (or VNC) Password"?
A74.1 The RFB password is part of the RFB protocol's "VNC Authentication." The KVM viewer is required to provide the RFB password when it establishes a session. By default, the RFB password is set to the MEBx password. Anyone with access to the Intel AMT Redirection Realm can change the RFB password.
Q75 Can the KVM Remote Control feature be enabled / disabled remotely?
A75 Yes, unless the feature is explicitly disabled in MEBx.
Q76 Can the local keyboard and mouse be blocked during a KVM Remote Control session?
A76 Yes.
Q77 Can you disable the standard VNC port 5900?
A77 Yes. During configuration, you must enable either the Intel AMT redirection ports (16994/16995) or the standard VNC port (5900).
Q78 What RFB versions does the proxy support?
A78 The proxy will support both RFB 3.8 and RFB 4.0 with equal functionality. The protocols themselves may have differences independent of the proxy.
Q79 Does the proxy use GPL?
A79 No.
Q80 What WS-Events are created by KVM Remote Control?
A80 Local KVM Remote Control events are generated when a session starts or stops.
Q81 How complex is the user consent password?
A81 The user consent password is a 6-digit number.
Q82 What resolutions are supported by the AMT 6.0 hardware?
A82
- 640x480 (4:3 aspect ratio)
- 800x600
- 1024x768 (4:3 aspect ratio)
- 1280x1024 (5:4 aspect ratio)
- 1280x800 (16:10 aspect ratio)
- 1366x768 (16:9 aspect ratio)
- 1440x900 (16:10 aspect ratio)
- 1600x1200
Q83 What resolutions are added by the AMT 7.0 hardware?
A83 Release 7.0 also supports screens with a resolution of 1920x1200 with 16 bits of color depth.
Q84 What do I need to do to use the Intel ME WMI provider?
A84 It will come pre-loaded on a system with Intel AMT version 6.0 or later (it should also be part of driver installation kit that comes from OEMs). For some of the discovery information (like Intel AMT and firmware versions), Intel AMT doesn’t even need to be provisioned to make calls to the provided WMI provider. There are some example scripts in the SDK that call the WMI provider, but in general if you already know how to use WMI, you’ll understand how to call the provider.
Q85 What is the Intel ME WMI Provider?
A85 The WMI provider gives access to several pieces of functionality that were previously only accessible with separately downloaded tools such as the Activator or the Intel AMT Scan Tool, or where the data could be read locally from the IMSS, but not obtained programmatically locally.
Q86 What advantages are there to using the WMI provider over existing tools?
A86 The Intel ME WMI provider will be part of the installation that goes to OEMs, so the WMI provider should be present on all Intel AMT 6 systems (in the same way that the Intel Management and Security Status program is part of all the previous generation of AMT systems that launched in 2008). Primarily it was created to give developers more flexibility in how they develop their apps (and hopefully make it easier to develop).
Q86.1 What is the Intel Manageability Firmware Recovery Agent?
A86.1 The Intel Manageability Firmware Recovery Agent is part of the Intel AMT driver stack provided to OEMs. Starting in 2011, it is relevant for any platform that has a Manageability Engine (ME). For more information, refer to the following blog: http://software.intel.com/en-us/blogs/2013/02/06/intel-manageability-firmware-recovery-agent
Q86.2 Does Intel AMT 9 still support the SOAP (EOI) interface?
A86.2 No. From Release 3.2, Intel AMT added WS-Management as a management layer over SOAP. From Release 6.0, SOAP was deprecated and no longer supports new Intel AMT features. With Intel AMT 9, no SOAP APIs are supported and as a result, older management consoles developed under older versions of Intel AMT will no longer work (for the features implemented with the SOAP interface.) Refer to the following blog: http://software.intel.com/en-us/blogs/2012/12/01/intel-amt-wsman-interface-is-replacing-the-soapeoi-interface
Troubleshooting
This section contains answers to some common issues encountered when developing and implementing solutions that use Intel® Active Management Technology (Intel® AMT).
Q87 Intel AMT/ME is set up correctly, but my password is always rejected when trying to connect through the WebUI or the Manageability DTK tools. What is wrong?
A87 The problem could be with your keyboard mapping. MEBx thinks that you are typing on a QWERTY keyboard and if you are using an operating system that has a different keyboard mapping, the password will not match.
Q88 How do I submit a bug on the Manageability DTK (a.k.a. AMT Commander)?
A88 Send an email to Support_DOPD_SWE@intel.com and ask for a bug report.
Q89 Is there something in Intel AMT that blocks remote desktop traffic? After installing the chipset drivers (Intel® AMT HECI, Intel® AMT SOL, and Intel® Chipset Software) I am no longer able to remote desktop to or from this system. I have a Dell Optiplex* 755 system.
A89 There aren’t any settings in Intel AMT that could block the remote desktop traffic. The problem could be due to the wrong video driver. The Dell driver CD comes with RADEON HD 2400 PRO* and RADEON HD 2400 XT. You have to make sure that you install the correct one. The Device Manager does not show any issues with the wrong driver. So, go to your Event Viewer and see if you have any errors with RDPDD.dll. If so, try installing the correct driver from the CD or support.dell.com.
Q90 Is it possible to have a null or invalid GUID on an Intel AMT system?
A90 The GUIDs are initialized, stored, and handled by the BIOS. So it is possible that an Intel AMT device gets a null or invalid GUID, but Intel AMT will detect it as invalid and won't use it.
Q91 Can malware detection in Intel AMT replace antivirus applications?
A91 No, you want to have both at the same time. When you put policies in Intel AMT for malware detection, they cannot be circumvented in any way from the host. The drawback is that Intel AMT is located underneath the host operating system and doesn't have all the information that a host application would have. So really a combination of the two is ideal.
Q92 Is there a way to install an operating system on 20 computers at the same time with Intel AMT?
A92 Yes. Intel AMT provides the ability to boot a disk remotely on the computer. The first step is to mount a CD-ROM drive onto the remote computer and then boot off of the remote CD-ROM drive. The rest of it is up to the administrator to build an ISO image that performs all the operations the administrator wants to perform.
Q93 What if the DHCP server is not working? There is no way to connect to the machine, right?
A93 When Intel AMT is configured for DHCP mode, if the DHCP server is not working, Intel AMT will never be able to obtain a valid IP address and you will not be able to connect to it remotely. If Intel AMT is configured in static IP mode, you can connect to it using the static IP address.
Q94 I am getting an error message about communication to the Intel Manageability Engine. I have an Intel DQ35MP motherboard and an Intel® Core™ 2 Quad. I had previously updated to the latest BIOS and it was working fine. I have re-flashed the BIOS but the problem persists?
A94 You should do a CMOS reset. For this, disconnect the power cord and LAN cable. Remove the CMOS battery for 15 seconds and insert it back in. When you power on, the Manageability Engine settings will revert to their factory defaults. The default user name and password is admin/admin. Please remember to change it to a strong password before configuring the ME further.
Q95 The system is unresponsive and won't boot. How can this be resolved?
A95
- Unplug the power cord, wait 20 seconds, and boot the system again.
- DIMM 0 must be populated with memory for AMT to work. AMT firmware is uncompressed and run in DIMM 0.
Q96 I am having difficulties with building the Sample Code in the AMT SDK.
A96 Please refer to the “Using the Intel AMT SDK” section in the Intel AMT SDK documentation. Also, review this video: http://software.intel.com/en-us/videos/how-to-compile-intel-amt-sdk-sample-code
Q97 The Intel AMT system will not boot on USB key.
A97
- The USB boot partition needs to be 256MB or smaller.
- Format the USB key to be DOS bootable.
Q98 After a few successful writes to Intel AMT storage, write errors occurred for all subsequent writes. Re-flashing the AMT memory did not help, but leaving the system on overnight did help. Why is this?
A98 Flash write limits may have been exceeded. Optimize writes to see if this resolves the problem. Flash wear out protection is enforced by Intel AMT to avoid permanent damage to flash by malware. Once the limit is exceeded, there is a time limit (40 minutes) that must be satisfied in order to write again.
Q99 Hello packets are sent only when OS is on.
A99 This is probably because Intel AMT has been configured to be active only in the S0 state. Try changing the configuration so that Intel AMT communicates when the system is in an Sx state (when the OS is not up). Look for the Power Policy configuration settings in the MEBx.
Q100 When working in DHCP and setting a block-all policy in System Defense, after a certain amount of time Intel AMT will be inaccessible.
A100 When in DHCP mode, the Intel AMT system relies on the host operating system (OS) to respond to IP network traffic requests (ARP requests). These requests are cached, so the OS will continue to respond to the ones from the cache even after the filter has started to block new ones coming in.
Workaround: When defining a block-all policy, make sure to define 2 extra filters.
1. Pass Tx filter on Ethernet header for 0x806 (ARP)
2. Pass Rx filter on Ethernet header for 0x806 (ARP)
3. Make sure these filters are part of the policy.
This will ensure that the host will answer ARP requests.
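The workaround can be checked before a policy is pushed. The following is an added example, not code from the Intel AMT SDK: it models a block-all policy as a default action plus EtherType pass filters and reports which ARP filters are missing. The class and function names and the sample frames are constructed for illustration; only the 0x806 EtherType and the Tx/Rx pass filters come from the answer above.

```python
import struct
from dataclasses import dataclass, field

ETHERTYPE_ARP = 0x0806    # the 0x806 value named in the workaround
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class EtherTypeFilter:
    """Hypothetical model of a filter that matches on the Ethernet header."""
    direction: str            # "tx" or "rx"
    ethertype: int
    action: str = "pass"


@dataclass
class Policy:
    """Hypothetical model of a policy: ordered filters plus a default action."""
    name: str
    default_action: str       # "block" for a block-all policy
    filters: list = field(default_factory=list)

    def decide(self, direction: str, frame: bytes) -> str:
        ethertype = ethertype_of(frame)
        for flt in self.filters:
            if flt.direction == direction and flt.ethertype == ethertype:
                return flt.action
        return self.default_action


def ethertype_of(frame: bytes) -> int:
    """Read the EtherType field (bytes 12-13) of an untagged Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return struct.unpack("!H", frame[12:14])[0]


def missing_arp_pass_filters(policy: Policy) -> list:
    """Directions for which a block-all policy lacks the ARP pass filter."""
    if policy.default_action != "block":
        return []
    present = {f.direction for f in policy.filters
               if f.ethertype == ETHERTYPE_ARP and f.action == "pass"}
    return [d for d in ("tx", "rx") if d not in present]


def make_frame(ethertype: int, payload: bytes = b"\x00" * 28) -> bytes:
    """Constructed sample frame: broadcast destination, locally administered source."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")
    return dst + src + struct.pack("!H", ethertype) + payload


BLOCK_ALL = Policy("block-all", "block")
BLOCK_ALL_WITH_ARP = Policy("block-all+arp", "block", [
    EtherTypeFilter("tx", ETHERTYPE_ARP),
    EtherTypeFilter("rx", ETHERTYPE_ARP),
])

if __name__ == "__main__":
    samples = {"ARP": make_frame(ETHERTYPE_ARP), "IPv4": make_frame(ETHERTYPE_IPV4)}
    for policy in (BLOCK_ALL, BLOCK_ALL_WITH_ARP):
        print(policy.name, "missing ARP filters:", missing_arp_pass_filters(policy))
        for label, frame in samples.items():
            for direction in ("tx", "rx"):
                print(f"  {direction} {label}: {policy.decide(direction, frame)}")
```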
Q101 I just provisioned my Intel AMT system; why doesn't SOL/IDER work?
A101 There may be a couple of reasons why your system is not allowing SOL/IDER sessions. First, you must make sure that both SOL and IDER are enabled in the BIOS (check the configuration settings in the ME/AMT menus). Secondly, if you have just moved from provisioning your systems in SMB mode to Enterprise mode, then you will need to programmatically enable the Redirection Port (SMB mode provisioning does this automatically for you.) Even though you selected that you wanted SOL and IDER to be enabled interfaces in your profile (another requirement), the Setup and Configuration Service will not enable the port for you (this is considered a security issue so it is left closed.)
There are a couple of ways you can enable this port:
- Connect to your Intel AMT system using the Manageability DTK, go into the "Remote Control" menu and enable the Redirection Port (you will probably see that it is disabled.) Remember when doing this, you should disable the port when finished with your SOL/IDER session. It is not a good idea to leave this port open.
- Add the appropriate API calls to your own Management Console Software: GetRedirectionListenerState or SetRedirectionListenerState. When you are ready to perform a SOL/IDER session, have your software open the port and then when finished, close the port. This makes for a more secure implementation.
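The open-then-close pattern from the second option, as an added example that is not part of the Intel AMT SDK: the listener is enabled only for the duration of a session and is closed again even when the session fails. FakeAmtClient is a constructed in-memory stand-in for a console's connection; only the two call names come from the answer above, and their boolean signatures are assumptions.

```python
from contextlib import contextmanager


class FakeAmtClient:
    """Constructed stand-in for a management console's connection to one AMT system.

    Only the two method names come from the FAQ; the boolean argument and
    return value are assumptions made for this example.
    """

    def __init__(self, listener_enabled=False):
        self._enabled = listener_enabled
        self.calls = []

    def GetRedirectionListenerState(self):
        self.calls.append("Get")
        return self._enabled

    def SetRedirectionListenerState(self, enabled):
        self.calls.append(f"Set({enabled})")
        self._enabled = bool(enabled)


@contextmanager
def redirection_listener(client, findings):
    """Enable the redirection listener for one session, then always close it."""
    if client.GetRedirectionListenerState():
        # Someone left the port open earlier; record it for follow-up.
        findings.append("listener was already enabled before the session")
    else:
        client.SetRedirectionListenerState(True)
    try:
        yield client
    finally:
        client.SetRedirectionListenerState(False)
        # Read the state back instead of trusting the set call.
        if client.GetRedirectionListenerState():
            findings.append("listener still enabled after close request")


def run_redirected(client, session):
    """Run session(client) with the listener open; report result and end state."""
    findings = []
    result, error = None, None
    try:
        with redirection_listener(client, findings):
            result = session(client)
    except Exception as exc:      # the session failed; the port is closed anyway
        error = exc
    return {
        "result": result,
        "error": error,
        "listener_enabled": client.GetRedirectionListenerState(),
        "findings": findings,
    }


if __name__ == "__main__":
    def failing_session(client):
        raise IOError("constructed failure in the middle of a SOL/IDER session")

    print(run_redirected(FakeAmtClient(), failing_session))
    print(run_redirected(FakeAmtClient(listener_enabled=True), lambda c: "ok"))
```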
Q102 What happens if the flash images update crashes in mid-update?
A102 There isn't an issue re-flashing the device if there is a flash write error. There is no dependency between corrupt data and the ability to re-flash the device with a good image.
Q103 How can I make sense out of the Intel AMT Event Log messages?
A103 There is a conversion in the IPMI (Intelligent Platform Management Interface) Specification that takes the event data number and turns it into text. You can get the IPMI Specifications at the following link: http://www.intel.com/design/servers/ipmi/spec.htm
Q104 How do you reset the password for the Intel Management Engine BIOS if you have forgotten the password?
A104 To reset the password of ME BIOS, disconnect the power cord and LAN cable. Remove the CMOS battery for 15 seconds and re-insert it. This time when you power on, the ME settings will revert to the factory defaults. The default user name and password is admin/admin. Please remember to change it to a strong password before configuring the ME further.
Q105 Where is the SCS getting its time from? Windows time is set correctly, but the SCS’s time is different.
A105 The SCS gets the time from the OS (displays as UTC.) The Intel AMT Clock can be synchronized from within the SCS.
Other
This section contains answers to questions that are not common or frequently asked, but still may be of interest to developers using Intel® Active Management Technology (Intel® AMT).
Q106 Is Intel AMT aware of Virtual Machine Hosts installed on a machine?
A106 Intel AMT is neither aware of nor does it control any of the software installed on the system, including virtual machines. Intel AMT allows remote management consoles to connect to it and manage the system as a whole, not the individual software components. Host-based software components need to be managed the same way with or without Intel AMT.
Q107 What market segment does Intel AMT address?
A107 Intel AMT has initially been targeted at the corporate environment: large IT shops that manage lots of computers and want to reduce the number of desk-side visits. But there are a lot of other markets that love Intel AMT. The embedded market has actually been really big (e.g., cash registers and ATMs). They have computers at remote sites and it is a big cost to remotely fix those systems. Intel AMT is also helping a lot with smaller businesses, internet cafes, schools, and elsewhere where management of computers remotely is important.
Q108 Can Intel AMT be standalone or integrated with other applications? Please give a specific example?
A108 Intel AMT is much like an agent that is located in the hardware. Any management application can integrate with Intel AMT to provide additional and enhanced features. ISVs that address manageability are encouraged to supplement their solution with Intel vPro technology. A specific example would be software asset inventory, where an application running on the host would store inventory information in Intel AMT's 3rd party data store, where it could be retrieved by a remote management console via Intel AMT calls, even when that system is off or disabled.
Q109 Is Intel vPro technology available in laptops and handheld devices?
A109 It is available on laptops and on any platform that is branded Intel® vPro™ technology (refer to this link for available systems). Handheld devices are not currently supported.
Q110 Is Intel AMT disabled by default on Intel vPro devices? If not, can it be disabled or have any default passwords changed by end users not part of the IT-supported network?
A110 All Intel vPro computers come with Intel AMT turned off by default. Some OEMs configure their Intel vPro computers to attempt to find a configuration server when first attached to a network. If they don't find this configuration server, they will remain off. This is a very important security precaution. The default password in the Manageability Engine is changed the first time it is accessed, before it is provisioned and operational. If a configuration server is found and authenticated correctly, Intel AMT can be set up and configured, but that requires certificates and so on.
Q111 Whenever an SOL session is opened using the IMRGUI, 100% of the CPU resources are taken.
A111 Check if the Windows firewall is blocking communication. IMRGUI should start working once HyperTerminal is working properly.
Q112 When I use Intel AMT IDE-R and SOL to boot a remote Intel AMT client with a Linux rescue boot image, I cannot receive any messages through SOL after the image begins to boot. Is there any Linux rescue boot image that can keep sending messages to SOL while booting?
A112 The reason why the Linux boot image stops sending messages to the SOL terminal could be that the image isn't configured to send messages to the serial console. To enable the boot image to do so, pass some parameters to the boot image when it begins to boot. You can find more details in the Linux Configuration section in this doc:
http://download.intel.com/support/motherboards/server/sb/solsetupguide.pdf
Q113 Can you transfer the private key to the system wrapped by the ISV in their public key?
A113 No
Q114 Is there a way to determine if the user has correctly selected a valid floppy and CD boot drive and/or image file?
A114 There isn't any way from Intel AMT to determine this.
Q115 Why are there events in the event log when running in an unprovisioned state?
A115 There are default filters defined even in the unprovisioned state.
Remote Encryption Management
This section contains answers to some common questions encountered when developing solutions that utilize the Remote Encryption Management capability available with Intel AMT systems.
Q116 How do I get started with the code and documentation on Remote Encryption Management?
A116 It depends on whether your solution already manages encrypted hard drives (or is being developed to do so), or you simply want to request unlocked drives provisioned by another solution. In the Remote Encryption Management documentation, a company with a solution that manages encrypted hard drives (including the initial provisioning) is referred to as an Encryption (or Security) ISV, and one that interacts with that solution to request an unlock is a Manageability ISV. There is documentation targeted at both use models in the “SDK Resources” section of the Intel AMT SDK documentation.
Q117 Do I need to use the included ISO file and IDE Redirection to use Remote Encryption Management?
A117 No, a developer can incorporate the functionality into an already existing pre-boot authentication (PBA) implementation that handles a local user unlocking the hard drive. This of course assumes that the developer’s solution has a PBA that unlocks the drive before the system boots into the OS.
Q118 What is the difference between developing a solution with Remote Encryption Management using the provided ISO file, compared to including the functionality into a pre-boot authentication (PBA) implementation?
A118 There are two primary differences. First, incorporation into a PBA will likely require more development work. But more importantly, incorporation into a PBA will result in a solution that can unlock systems substantially faster. Using the ISO image, the system will need to go through a reboot to load the ISO over the network, which takes time and bandwidth.
Q119 Is the source code for the ISO image available?
A119 Yes, it is provided in the folder .\Windows\Remote_Encryption_Management\src\linux-sources in the Intel AMT SDK.
Q120 What is the Manageability Interface that is documented in the SDK?
A120 The Manageability interface is an example of a programmatic interface that allows an Intel vPro system to be powered on and unlocked by a separate management solution (or possibly scripting). Since many IT shops often have a different solution that manages the computers in their environment than the one that manages the encrypted hard drives (or potentially even multiple solutions that manage the computers in their environment), this gives a mechanism to the management solution to allow an unlock and manage blocks of systems (which is a common use case of Intel vPro technology). The provided example shows a way to implement this functionality that is structured very close to how a management ISV implements Intel vPro technology calls. Note that it is important to implement authentication on this interface, typically with either Digest or Kerberos authentication.
Q121 If I want to develop a solution that will request an unlock from another ISV’s encryption solution, what do I need to do?
A121 That partially depends on the ISV, but as a first step you should refer to the Manageability Interface document in the SDK. Intel is recommending that encryption ISVs implement a solution (and use the provided Manageability Interface example as a template), but it is up to the individual solution vendors for how (and whether) they implement.
Notices
INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.
UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR.
Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined." Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information.
The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request.
Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order.
Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or go to: http://www.intel.com/design/literature.htm
Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark* and MobileMark*, are measured using specific computer systems, components, software, operations, and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products.
Any software source code reprinted in this document is furnished under a software license and may only be used or copied in accordance with the terms of that license.
Intel, the Intel logo, Centrino, Core, and vPro are trademarks of Intel Corporation in the U.S. and/or other countries.
Copyright © 2013 Intel Corporation. All rights reserved.
*Other names and brands may be claimed as the property of others.
[1] Requires activation and a system with a corporate network connection, an Intel® AMT-enabled chipset, network hardware and software. For notebooks, Intel AMT may be unavailable or limited over a host OS-based VPN, when connecting wirelessly, on battery power, sleeping, hibernating or powered off. Results dependent upon hardware, setup and configuration. For more information, visit Intel® Active Management Technology.
[2] Intel® vPro™ Technology is sophisticated and requires setup and activation. Availability of features and results will depend upon the setup and configuration of your hardware, software and IT environment. To learn more visit: http://www.intel.com/technology/vpro.