Business Client - Security
Intel AMT: ACUWizard error when trying to configure system
I'm trying to set up AMT/KVM on a brand new PC build:
ASUS Q87M with i7-4785T (vPro enabled) with AMT enabled in BIOS (AMT v9.0). No PCI graphics card. I downloaded the latest IntelSCS today (v10.0).
At first ACUWizard allowed me to configure AMT and reported no errors, and subsequently running ACUWizard to view the system status showed AMT as "configured".
But a few hours (and reboots) later I tried to connect VNCViewerPlus running on a PC in the same lab (connected to same LAN via Ethernet). VNC correctly identifies the hostname based on the IP address I entered, but then reports that it failed to connect (12007).
Trying to diagnose this I ran ACUWizard again but now I'm always getting the error msg "Call to function failed with return code" - without an error code number, whenever I click on "Configure/Unconfigure this System".
I haven't found any similar error reports on this forum or when googling, but I've attached the XML output of SCSDiscovery.exe (but had to rename it to .txt extension as .xml isn't allowed) - as far as I can see all KVM features are enabled and AMT is configured, so I don't see anything obvious there.
Thank you!
Davorin
PS: I should mention that after initially configuring AMT with ACUWizard I temporarily disabled AMT in the BIOS, booted into Windows and then re-enabled it in the BIOS. If this somehow corrupted my AMT configuration then how can I start over?
Intel Secure Key Operating Conditions
Hello,
What are the operating conditions of the Intel Secure Key chip in regards to an Intel Xeon Processor E5-1650 v2?
The following doc states the following in section 3.5.
https://software.intel.com/sites/default/files/managed/4d/91/DRNG_Software_Implementation_Guide_2.0.pdf
"As described in section 3.2.1, the hardware is designed to function across a range of process voltage and temperature (PVT) levels, exceeding the normal operating range of the processor."
What are the voltages and temperature levels that exceed the normal operating range of the processor?
I'm specifically looking for temperature conditions of where the entropy source would fail.
Thanks,
Eric
Intel Secure Key Entropy Source
Hello,
The following doc states the following in section 3.2.1.
"The ES runs asynchronously on a self-timed circuit and uses thermal noise within the silicon to output a random stream of bits at the rate of 3 GHz. "
The doc doesn't describe how the entropy source works. How are these features of the entropy source measured and how do they contribute to entropy?
Thanks,
Eric
Unable to do Boot from ISO
Hi
I am using Intel vPro solution manager. It only copies the ISO image to that Intel machine but is unable to boot the system.
What could be the problem?
Thanks,
Nis
Manageability Commander Web Edition
Web applications have gotten very powerful and when it comes to computer management, the industry is moving to the web. This makes sense: web applications are instantly deployed, cross-platform and run with strict security rules. For years, I have been working on the MDTK and its most famous tool, the Manageability Commander. Today, we are releasing a first version of the Manageability Commander Web Edition that is completely built in JavaScript. The goal here is simple: make it possible for anyone to interact with Intel® Active Management Technology (Intel® AMT) using only code that runs in a web browser. Imagine going to a web site and being able to manage all of your small business or corporate computers.
To make this happen, we built a JavaScript WSMAN stack along with redirection protocol, remote desktop (KVM) and remote terminal libraries. We then used these libraries to write a fully web-based Intel AMT console. Commander Web Edition runs within a node-webkit (nw.js) frame as a standalone tool, but can also be adapted to run on web servers. It's an early version, but the most difficult parts are already present. The WSMAN stack allows us to interact with Intel AMT for configuration, power control and much more. We then have remote desktop and terminal for live management of the remote machine.
Moving forward, there are many opportunities for Intel® AMT as we make web based & cloud management a new option. We are looking for testing and feedback on this new software. If you are interested in adding Intel AMT capabilities to your own web applications, the source code includes samples that can get you started.
Downloads: http://opentools.homeip.net/open-manageability/web-management
Demonstration Video: https://www.youtube.com/watch?v=M22RQelBFA4
Presentation: http://info.meshcentral.com/downloads/mdtk/WebMDTK-Presentaion.pptx
Feedback appreciated,
Ylian Saint-Hilaire
The Manageability Commander Web Edition tool allows you to connect to and manage computers that support Intel® Active Management Technology (Intel® AMT), all in JavaScript. This is an early release, but the most complicated features are already present and working. WSMAN, Hardware KVM and Serial-over-LAN are all web based. The web application is built using a set of new JavaScript libraries that communicate directly with Intel AMT. No need for a server to do anything; the smarts are all in the web application.
AMT/VNC - KVM and TightVNC
Hi,
Does TightVNC no longer support Intel KVM for firmware version 9? I have a machine with fw version 7 and I can get remote access using Tight, but in version 9 I always face a timeout problem.
With Real VNC (only Intel KVM connection mode) it works perfectly.
Tks
Download the latest Intel® AMT Software Development Kit (SDK)
Thank you for your interest in the Intel® Active Management Technology (Intel® AMT) Software Development Kit. The Intel® AMT SDK (Software Development Kit) contains the building blocks and documentation material needed to develop software that interacts with Intel® AMT systems.
Overview
Intel® Active Management Technology (Intel® AMT) is a capability embedded in Intel-based platforms that enhances the ability of IT organizations to manage enterprise computing facilities. Intel AMT operates independently of the platform processor and operating system. Remote platform management applications can access Intel AMT securely, even when the platform is turned off, as long as the platform is connected to line power and to a network. Independent software vendors (ISVs) can build applications that take advantage of the features of Intel AMT using the application programming interface (API).
The Intel AMT SDK includes the Intel® AMT High Level API (Intel AMT HLAPI) as well as the Intel vPro Platform Solution Manager. The Intel AMT HLAPI provides a very simple and consistent API across all Intel AMT versions/SKUs enabling software developers to easily build support for Intel AMT features into their applications. For more information, see the HLAPI documentation. The Intel vPro Platform Solution Manager is a Management console that was built from the Intel AMT High Level APIs. The source code is included in this package.
Click on the license acceptance link below to download the most recent version of the Intel® AMT SDK and get everything you need to develop manageability applications.
Version: Release 11
Date Published: 7/2015
Download Size: 234 MB
Release Notes
New Features included with Intel AMT/SDK Release 11.0:
- The MOFs and XSL files in the \DOCS\WS-Management directory and the class reference in the documentation are updated to version 11.0.0.1139.
- New WS Eventing and PET Table Argument Fields: Additional arguments were added to the CILA alerts to provide the reason for the UI connection and the hostname which generated the alert.
- The OpenSSL version has been updated to v1.0.1p. The redirection library has also been updated to use this version.
- The Xerces library has been updated to v3.1.2 in both Windows and Linux.
- HTTPS Support for WS Events: Secure subscription to WS Events has been enabled.
- The option to securely erase the primary data storage device has been added to the AMT reboot options.
- DLLs signed with a strong name:
  - CIMFramework.dll
  - CIMFrameworkUntyped.dll
  - DotNetWSManClient.dll
  - IWSManClient.dll
  - Intel.Wsman.Scripting.dll
- Automatic Platform Reboot Triggered by HECI and Agent Presence Watchdogs: An option has been added to automatically trigger a reboot whenever a HECI or Agent Presence watchdog reports that its agent has entered the Expired state.
- Replacement of the IDE-R Storage Redirection Protocol: Storage Redirection now works over the USB-R protocol.
- Updated SHA: The SHA1 certificates have been deprecated. A series of SHA256 certificates has been implemented in their stead.
Notes:
- WLAN provisioning with USB Key will not allow TLS enablement on LAN-less platforms in Intel AMT Release 9.5.
- The C++ samples fail to compile on Windows* 7 and Windows Server 2008 R2 due to a bug in the Windows SDK function mt.exe. For further information and workaround see the Windows 7 SDK: Beta Release Notes. Note that a file compiled on other Windows operating systems, such as XP or Vista, will also execute on Windows 7 and Windows Server 2008 R2.
- The "Configure Default KVM Port" script sets the RFB password. This script contains WinRM commands and may change the user's WinRM configuration.
- Microsoft WinRM - Intel AMT interrupt on associations: The WinRM client fails to perform a retrieval or delete of an instance of an association class using an EPR when its selectors are also EPRs. An example where this capability is needed in Intel AMT is the System Defense association AMT_ActiveFilterStatistics.
- Redirection library provides AES 256 cipher suites as an option although only AES 128 ciphers are supported by Intel AMT.
- UCT Tool: Cannot delete or update the application settings file while the application is running.
- Because of limitations within the Tight VNC application (a third-party application for KVM), asterisks will not appear when entering the opt-in code. In addition, while Intel AMT will respond to keyboard and mouse actions, these will not show in the client until the user refreshes the display.
- Samples and other applications which use signed DLLs are loaded very slowly. This can occur because .NET Framework repeatedly attempts to verify the signed DLL files, even when there is no internet connection.
Known Issues:
- Redirection library: Cannot write to a floppy diskette.
- Redirection library: Trying to connect without first configuring the CIRA settings may result in a Timeout error after the CIRA settings are configured.
- Redirection library: A Storage Redirection session may close unexpectedly in the following scenario: Storage Redirection and SOL sessions are open and sending data from the console to the Intel AMT in S3. The user then wakes up the Intel AMT to S0 and during the wake up, the user enables the Storage Redirection registers.
- KVM: The KVM Control application uses the firmware version to determine how many display pipes are supported, rather than how many are actually available.
- KVM: When working with the Linux library and using the scancode extension, the caps lock, number lock and Alt+ key events on the console side are not forwarded to the server.
- KVM: When opening the Windows Start menu on a remote console, the menu opens on both the management and remote consoles when KVMControlApplication is implemented over default or redirection ports.
- KVM: Rapid changes in display color levels while a KVM session is running could result in a session disconnection. Restart the KVM session to reconnect.
- KVM: A KVM session may return a 404 error resulting in a session disconnect. This can occur after sending HTTP traffic over CIRA and wireless connection or if the KVM session is left open but inactive. Restart the KVM session to reconnect.
- WS-EVENTING: In AMT 5.2 the HLAPI does not parse the header to 63 characters. As a result, when a long string is entered, the HLAPI will fail to create a subscription.
- Need more help? Refer to the FAQs or get expert advice from the Developer Discussion Forum
Intel® AMT High-level API
Thank you for your interest in the Intel® Active Management Technology (Intel® AMT) High-level API Technology.
Introduction
Introduction to the High-level API Intel Management Library Technology
Intel® Active Management Technology (Intel® AMT) is a capability embedded in Intel-based platforms (in an Intel AMT device). Intel AMT enables remote access to platforms even when the operating system is not available or the platform is turned off. The only requirement is that the platform must be connected to a power supply and a network.
Software developers can include support for Intel AMT features in their applications to enhance the ability of organizations to manage their computing facilities.
The Intel AMT High Level Application Programming Interface (HLAPI) provides software developers with a simple interface to the Intel AMT features.
Supported Features:
This version of the Intel AMT High Level API is also included in the latest Intel AMT SDK and supports the following Intel AMT features:
- ACL (Access Control List) Management
- PET-event subscription
- PET-event/ WS-event listener
- Simplify events subscription API
- Agent Presence remote and local
- Power & Boot Operations
- Get Intel AMT/Host FQDN
- Redirection (SOL & IDER)
- KVM Administration
- Alarm Clock
- Hardware Asset
- System Defense
- Time synchronization
- WS-Event subscription
- Network Administration
- Agent Presence
- Certificate Management
- Wireless
- Remote Access (also known as CIRA)
These features also include a COM interface that provides access to programming languages other than C#:
- Alarm Clock
- Boot Control
- KVM Configuration
- Power
- Redirection (SOL and IDE-R)
The API download includes C# samples for all features. There are also JavaScript samples that demonstrate the COM interfaces. Compatible with Intel AMT versions 2.2 and above.
Documentation
- Intel® AMT High Level API Guide (v10) : Unzip the documentation and open default.htm in the root directory.
- For more information please see the Release Notes (v10).
- HLAPI Demo: Learn how to include support for Intel AMT features in your application
* Please note that the terms of the software license agreement included with any software you download will control your use of the software.
New Intel® AMT and HLAPI SDKs posted (v11)
How to completely deactivate Intel AMT
Dear all,
I am using a Lenovo ThinkPad T420 and Windows 7 prof. x64 as my main workstation. Yesterday I did a reinstallation of Windows 7 (ISO image from MSDNAA and not the Lenovo DVD). After the OS and all drivers (using Lenovo System Update) were installed, I had a look at the device manager and recognized the "Intel management engine interface". Since I don't need this function I researched how this device can be disabled. First I had a look in the System BIOS which stated that AMT is disabled:
So I went back to Windows and had a look in the device manager. The device was still there. I decided to use the "Management and Security Status" Tool which stated that AMT is active ("Aktiviert" in German):
...but that the connections are disconnected ("Verbindung getrennt"):
I did some further googling which led me to the conclusion that I have to use the "Management Engine BIOS Extension" (MEBx) to disable AMT. I went back to BIOS, reenabled AMT (otherwise you can't enter MEBx), pressed Ctrl+P on restart and used MEBx to disable AMT:
After exiting MEBx and restarting Windows 7 "Management and Security Status" said, that AMT is disabled ("Deaktiviert"):
...and also the details looked different ("Informationen nicht verfügbar" -> information not available)
I thought that I've finally got rid of AMT, restarted the ThinkPad, entered BIOS and set "Intel AMT Control" back to "disabled". While restarting, the BIOS prompted "Intel ME unconfiguration in progress..."
BUT then this flashed up and stated that AMT is "enabled" (I had to take a movie, sorry for bad quality):
And when Windows 7 was started this happened...
...also the "Management and Security Status" states, that AMT is ACTIVATED
So my question is:
Is it necessary that the BIOS Option "Intel AMT Control" stays "Enabled" to get rid of AMT? Sounds strange to me!
Thanks a lot,
Simon
Upgrading a C# plug-in to Intel® vPro™ Platform Solution Manager 2.0.0.12
Some time ago I wrote a post titled "Developing a C# Plugin for The Intel® vPro™ Platform Solution Manager" (PSM). Everything in that post is still relevant. The goal of this post is to update the source code to make it work with the latest version of PSM. At that time I wanted to share the different aspects to consider when writing a component for the PSM. Back then (01/20/2014) PSM extension points were provided via a base WPF control and a base (abstract) class. In other words, you needed to create a custom WPF control extending from Intel.Ucrd.SolutionManagerAPI.ctrlWPFBase, as seen in the following code snippet.
    public partial class ctrlAgentMonitor : ctrlWPFBase
    {
        //...
    }
Other tasks related to the WPF control (e.g. adding UI elements via XAML, adding functionality via code-behind) had nothing special about them, except for the Loaded method, which was useful for running your code. The second major part of building a plug-in was the control's life cycle management. This management was possible thanks to the class Intel.Ucrd.SolutionManagerAPI.SolutionManagerPlugin. By extending from that class you could handle the creation of the control and set different properties, as illustrated in the following code snippet.
    public class AgentMonitor_Impl : SolutionManagerPlugin
    {
        //..
        public override SolutionManagerPlugin CreateInstance()
        {
            return new AgentMonitor_Impl();
        }
    }
After that introduction, the next step is getting the project to compile against the latest version of PSM, which is 2.0.0.12 (link to download here) - 03/30/2015. Then you can compile the new source files to get the binaries that will be referenced from your projects. The main library to reference is SolutionManagerAPI.dll. You won't need SolutionManagerWPF.dll unless you plan to re-use some of the WPF forms used by PSM.
The last step is compiling your project. This should work since the new and updated changes are backward compatible, so you can start using the new functionalities of PSM like the "Upload list of systems", displayed below. Finally copy/paste the library in the PSM bin folder and run your plug-in.
You can get the source code of this post on GitHub: https://github.com/jacace/Plug-inPlatformSolutionManager
Also, you can get the source code of the library referenced by this plug-in here: https://github.com/jacace/SimpleAgentMonitorUI
Cheers,
Javier Andres Caceres Alvis
Blog: https://jacace.wordpress.com/
Twitter: https://twitter.com/jacace
LinkedIn: https://ie.linkedin.com/in/jacace
Intel: https://software.intel.com/en-us/user/320820
vPro - Cannot Provision Workstation
I am having issues provisioning a workstation with Windows 7 Pro x64 with vPro v9 via LabTech. I have tried uninstalling and re-installing MEI as well as installing the needed driver updates to the computer but none of these made any difference. I have attached the screen shot of the full error to this topic. Any help would be greatly appreciated. Thanks in advance.
Upgrade Intel IPT with PKI, then CryptImportKey does not work
I recently upgraded IPT with PKI from v3.1.0.182 to v4.0.5.25, and now I cannot use CryptImportKey any more.
It returns 0x000000b7 (maybe ERROR_ALREADY_EXISTS) after the PIN setting PTD is displayed.
Only container created.
I set dwFlags as CRYPT_USER_PROTECTED to use PKI with PTD.
I did not change any source code, but only changed the provider from Intel IPT Enhanced Cryptographic Provider to Intel IPT CSP - Non-Exportable Keys.
What is wrong with it? or any misuse?
Is there any solution to it?
Thank you in advance.
How to change the initial AMT password from Windows
Hi,
Our goal is to change the initial admin password for the computers from Windows via software deployment / operating system deployment.
I have tried to use this method:
Created a profile with the ACUWizard and used the following syntax to configure the VPro
ACUConfig.exe /Output File C:\windows\debug\intelamtinstalllog.txt ConfigAMT AMTSet1.xml /DecryptionPassword "decryption_password" /AbortOnFailure /AdminPassword "admin"
but I get these errors
2015-09-03 09:55:54:(INFO) : ACU Configurator , Category: HandleOutPut: Starting log 2015-09-03 09:55:54
2015-09-03 09:55:54:(INFO) : ACU Configurator, Category: -Unknown Operation-: computername: Starting to configure AMT...
2015-09-03 09:58:45:(ERROR) : ACU Configurator , Category: ConfigAMT failed: A call to this function has failed - (0xc000278b) (Connection to the Remote Configuration Service is necessary, but the RCSParameters tag is missing in the profile. (RCSAddress))
2015-09-03 09:58:45:(ERROR) : ACU Configurator, Category: Exit: ***********Exit with code 68. Details: Invalid parameter was found. (RCSAddress)
Any suggestions as to what I am doing wrong? This computer has not been configured via remote configuration service and it still tries to contact it.
Are there other possibilities than ACUConfig.exe to set the password? It seems that the command enables the vPro network and tries to connect using the FQDN name.
Intel AMT 9: Accessing one PC over Internet Securely
Dear all,
I hope I am asking in the correct place: My question is regarding Intel AMT v9 technology. I have only one PC which is approximately 300 KM away from me. To have as good control over it as possible, I have decided to control it using Intel AMT. My configuration uses Intel AMT 9.
I can access the PC without problems through Intel AMT KVM through un-encrypted connection. However, I want to be able to access the PC securely. Here are my questions:
- To my knowledge, the standard procedure to configure encrypted Intel AMT KVM is using a provisioning server. Is it possible to configure Intel AMT communication through TLS-PSK or TLS-PKI without installing a provisioning server, please? For one remote PC it does not make too much sense to install a server. I would like to configure one PC manually.
- If I have to install a provisioning and configuration server, is it enough to keep the server running during remote PC provisioning only? After the Intel AMT PC is provisioned, I do not wish to have the server running all the time just for this PC, and I would like to shut it down.
- Are TLS-PSK and TLS-PKI equally secure? I know that TLS-PSK will be discontinued, which looks like it is less secure encryption standard. However, I have also heard, that after both encryption standards are configured, they are equally safe.
- Is it safe to use Intel AMT v9 over the Internet if the connection is encrypted?
As I use software firewall on the remote PC, I can not use a VPN channel through a router or a firewall, which would protect the Intel AMT communication. I would really take advantage of encrypted Intel AMT technology.
Thank you very much for your responses.
Kind regards,