Introducing Intel® Active Management Technology 10

Intel Active Management Technology (Intel AMT) is one of the components of Intel vPro2 technology. Platforms equipped with Intel AMT support remote control, even if the operating system is not available or the computer is turned off.
Independent software vendors were able to create applications that efficiently use Intel AMT functions using the software package for developing software based on Intel AMT. This package includes the high-level Intel AMT API (Intel AMT HLAPI), a very simple, uniform API for all AMT versions and Intel assortment positions.
Now let's look at the capabilities and procedure for configuring Intel AMT in more detail, and finally add a few more words about the AMT SDK.

To use out-of-band Intel AMT management capabilities, you must use Intel Ethernet or a wireless Intel adapter that supports connection to the Intel ME firmware.
Please note that to use the Intel AMT 10.0 release, you must install version 10 of the Intel ME firmware and driver on the platform. Driver 10.0 can be installed on systems that originally used 8.x firmware. 9.x or 10.0. Always use the firmware provided by your system vendor.
Intel AMT supports remote applications running on Microsoft Windows * or Linux *; At the same time, this technology supports local applications only for Windows.

New features introduced in Intel AMT 10.0

The release of Intel AMT 10 is backward compatible with systems that use Intel 7, 8, and 9 series chipsets.

• The most important change. OpenSSL * is now used without a ripple flag. For this reason, in systems upgraded to the AMT10 release, you need to revoke and re-issue certificates, and also change passwords.
• The HLAPI and KVM application tool has an Intel AMT client screen cleaning feature added (with remote access).
• The updated MOF and XSL files, like the class reference, now apply to version 10.0.25.1048.
• The Real VNC * version in Linux and KVM has been updated to 1.2.5.
• Windows Connected Standby / InstantGo is supported for Windows 7 and later (also available in HLAPI).
• Proper power management operations are supported on 32-bit and 64-bit Windows Vista, 7, and 8 platforms, including (in Windows 8) Connected Standby / InstantGo modes, as well as UNS event generation. This feature is also added to the HLAPI API.
• Initialization is now supported in management modes for the administrator and for the client with secure FQDNs.

Preparing an Intel AMT client for use

The process of setting up (initializing) an AMT client involves switching the client from installation and configuration mode to operational mode. To enter configuration mode, it is necessary for the system provider to configure the initial information (which depends on the AMT version). To activate Intel AMT technology, you need the Intel Manageability Engine BIOS (Intel MEBx) extension, implemented by your system vendor. For installation and configuration, you can use the application for remote control. Different versions of AMT have different installation methods.
')

AMT Editions	Installation method
1.x; plus 2.x, 3.x in the old mode	Old
2.x, 3.x, 4.x, 5.x	SMB
2.0 and later versions	Psk
2.2, 2.6, 3.0 and later versions	PKI (remotely)
6.0 and later versions	Manually
7.0 and later versions	Control mode for client and control mode for administrator
10.0	Secure FQDN names are now supported.

Intel Setup and Configuration Software (Intel SCS) can initialize systems using Intel AMT 2.X.

Manual Tips

Manual configuration is performed in the Intel MEBx menu, which becomes available immediately after the display of the BIOS startup screen (usually for this you need to press <Ctrl + P>). Sometimes the BIOS provides the ability to hide the invitation to press <Ctrl + P>.
To manually configure the Intel AMT client, follow these steps:

1. Enter the default Intel MEBx password (admin).
2. Replace your default Intel MEBx password with a new secure password (required). This password must contain at least eight characters and at least one capital letter, one lower case letter, one number and one special character. Note. The management console application can change the Intel AMT password without changing the Intel MEBx password.
3. Select Intel AMT Configuration .
4. Select Manageability Feature Selection .
5. Select ENABLED to enable Intel AMT technology.
6. Select SOL / IDE-R / KVM and activate all these features. Turning on Legacy Redirection Mode ( Legacy Redirection Mode ) ensures compatibility with management consoles designed to work with the old SMB mode, which is not equipped with a receiver switch on mechanism. Note that if the SOL / IDER / KVM features are not enabled in Intel MEBx, they will not be available for management consoles.
7. Select User Consent . Select the desired parameters for KVM and Remote IT operations. If user permissions are enabled, every time you access the Intel AMT client remotely, you will need to obtain user permissions.
8. Enter Network Setup to configure network settings for Intel ME.
9. Enter Activate Network Access to enable Intel AMT.
10. Return to the main menu.
11. Select MEBx Exit to continue the system boot process.

The platform is configured. Additional parameters can be set using the web interface or the remote management console application.

Control mode for client and control mode for administrator

Upon completion of the installation, regardless of the method, Intel AMT 7.0 and later versions move to one of two control modes.
Admin Mode for Administrator — After installation using the Intel MEBx menu or an Intel AMT remote install, it switches to Admin mode for the administrator. In this mode, all Intel AMT features are available due to the high level of trust in the user who applied these installation methods.
Management mode for the client — Intel AMT enters this mode after the basic installation on the server (locally). Some Intel AMT features are not available due to the low level of trust required for installation on the server. The following restrictions apply.

1. The system security feature is not available.
2. To perform redirection actions (IDE-R and KVM, but not initiating a SOL session) and changing download parameters (including loading to SOL), you must first obtain user permission. However, in this case
3. IT professionals can remotely solve end-user problems using Intel AMT.
4. If an auditor's account is created, then an authorization of the auditor is not required to cancel initialization.
5. A number of functions are blocked, so as not to allow an unreliable user to control the platform.

In AMT 9.0 and later versions, the ability to remotely configure a platform that is not equipped with controls, without the permission of a local user, is added.

Access to Intel AMT clients through a web interface

An administrator with user rights can remotely connect to an Intel AMT client via a web interface by typing in the browser's address bar the IP address or FQDN of the client, and then the port number. If TLS is NOT configured, use http and port 16992; otherwise, use https and port 16993.

To access an Intel AMT client using Serial Over LAN (SOL) technology, you must install the SOL driver.

Local Management Services (LMS) and User AMT Notifications (UNS) Intel AMT

The Local Management Service (LMS) runs locally on an Intel AMT device and allows local management applications to send requests and receive device responses. The LMS listens for and intercepts requests directed to the local Intel AMT server, to then transfer them to Intel ME through the Intel ME interface driver.


Note that in Intel AMT 9.0 and later, local management services and user notifications are combined. UNS registers with an Intel AMT device to receive a set of alerts. When UNS receives the alert, it logs it in the Windows Application event log. The source of events is indicated by Intel AMT.

Intel Management Status and Security Tool (IMSS)

To access the IMSS tool, use the blue key icon in the Windows notification area.


The General tab in the IMSS tool indicates the status of Intel vPro services available on the platform, as well as the event history. Other tabs provide additional information.


The Advanced tab of the IMSS tool provides more detailed information about Intel AMT configuration and features. The screenshot below confirms that Intel AMT is configured on the system.

Intel AMT Software Development Kit (SDK)

The Intel AMT - based software development kit provides low-level programming capabilities with which you can create management applications that use all the features of Intel AMT.
The package of tools for developing software based on Intel AMT is a sample code and a set of API interfaces that allow developers to quickly and easily add support for Intel AMT to applications. In addition, the package includes a full set of documentation. This software development toolkit supports C ++ and C # on Microsoft Windows and Linux operating systems. Important information on collecting samples is provided in the User Guide and in the Readme files in each of the directories.
The SDK is provided as a set of directories that can be copied to any selected place in the system for development. Since the components are interrelated, the directory structure must be copied in its entirety. At the top level are three folders, one of which is called DOCS (documentation). The other two contain sample code for Linux and for Windows.

Other Intel AMT SDK Information Resources

The Intel AMT SDK contains platforms and samples for simplified application development using the WS-Management standard. In addition, this package includes examples of the use of advanced features of this product. Additional information is available on the following pages:

• High Level API
• Intel vPro Platform Solution Manager

There are many different development tools for which software is written with Intel AMT support. Intel vPro Enablement Tools are only available in C ++ (the C # shell in the software development kit), and they require a COM object prepared by Microsoft (not just .NET). SOAP support has been completely removed from the software development toolkit in AMT 9.0 and later.