Can someone tell me how to get the Keystore from intel or there email address

Hi, I have some question about iAMT and IPMI.
I know the IPMI is targetted at server systems, and AMT is targetted at business systems.
But their functions are similarly. What is the main difference between them? Design? Develop for engineer?

Thanks!

Hi all,

I'm tyring to install Intem AMT in our environment, we've chosen to use the plugin for SCCM and followed this installation in a lab environment: https://sccmguru.wordpress.com/2013/12/20/integrating-configuration-manager-2012-r2-with-intel-scs-9-0-part-1/. Using Intel SCS 10 though.

However, when arriving to part 7: https://sccmguru.wordpress.com/2014/01/30/integrating-configuration-manager-2012-r2-with-intel-scs-9-0-part-7-deploying-intel-amt/. We get the following error while executing Intel AMT Configuration at the client: "Failed to load <SCSVersion>: XML error. The value of the SCSVersion tag in the profile is not applicable to this Intel(R) SCS version." in the SMSTS.log after running the Configuration task sequence on the client.

I've Googled this error and I've found some things in an Intel doc at the troubleshooting part; however they did not help me fix the error. I've done the following:

- Profile is between quotes in task sequence --> YES, OK.

- Try and open the profile using the Intel AMT Configurator Utility --> OK, I can see the profile so it's valid.

- Intel AMT system is not XP, it's W7 --> Found hotfix for this issue, downloaded it. Failed installation with: Not applicable for your device.

- Deleted the profile and made a new one from scratch --> Did not solve the issue.

Anyone got some ideas?

Kind regards,

Sander.

Good Day!

I`m trying to configure a MPS Server using the advice from this site: https://ru.intel.com/business/community/?automodule=blog&blogid=6516&showentry=4974

After the configuration of STunnel and Apache I`m getting the MPS error message stated below:

C:\AMT_SDK_11.0.0.35\Windows\Intel_AMT\Bin\MPS>MPS.exe
[Fri Jan 29 2016 15:38:47.965000] [LM_ERROR] Static config file is missing mandatory section: Management_Interface.
[Fri Jan 29 2016 15:38:47.965000] [LM_ERROR] Error while reading static configuration file.

Are there any options that should be given to mps.exe so that it can find the configuration file?

Thanks,

Mi

Guys i need your help in this 

i am new for using AMT technology, and i want to know if it's applicable or not 

Is MEBx Password can be randomly as KVM "user consent" 

IF the answer is NO 

Am i able to change the multi Machines 100X remotely ? 

i tried intel AMT profile Design and already created test profile but i don't know how to deploy it over those number of machines 

conclusion**

I need to change the MEBx password many times in case its being knowing from colleagues 

Hi,

A customer has a Lenovo M93p with AMT 9.1.0. I have set it up for remote KVM and it works fine.

Last week, I restored this system from a Windows backup. While the restore was running, I left the customer site and returned to my office. When I got back to my office, I was able to connect to the machine using the Intel Manageability Commander Tool, start the remote VNC Viewer, watch the restore complete, and click OK to initiate the required reboot. So far so good.

However, after the reboot, the machine did not start properly; it needed a startup repair. I saw error 0xc00000e as white text on a black background. I believe it was at this point that I tried to use Take Control to reboot the machine. Soon I was no longer able to connect remotely to the machine using the Commander Tool. The machine was not even responding to ping. It was like AMT it was no longer pulling an IP address for the machine. I had to drive back on site to complete the startup repair.

Once I completed the startup repair, AMT remote KVM started working again.

Obviously this is the exact situation where you want out-of-band manageability, and the reason to pay a premium for advanced AMT machines. But it failed.

Is there a known issue with controlling a machine that is displaying a boot error? Is there something I could have done to restore connectivity while off-site?

Thanks,

Mark Berry
MCB Systems

Hello,

I have 2 problems about the way ACU Wizard works:

First, i encountered a strange behavior of ACU Wizard program while using it to create a configuration profile and configure Intel AMT.

Here is the steps i did and what i obtained:

1. I create a profile using ACU Wizard, i.e i launch it with administrator's privileges, open "Configure/Unconfigure this System", i set an admin password, modify network and system settings (desactivate all management interface). At the end, i enter a password to encrypt the Profile.xml file and configure my computer. I obtain a encrypted file Profile.xml.This is done only one time.
2. I copy the generated and encrypted Profile.xml to another computer in the same folder as ACU Wizard, in order to use it and configure this second computer.
3. So, I launch ACU Wizard with admin's privileges on this second computer, open "Configure/Unconfigure this System", ACU Wizard asks me the password for decryption. I enter it, then ACU Wizard loads the profile. And i only change the admin password from the original profile,and proceed the configuration, which succeed.

At this point, ACU Wizard produce a new Profile.xml (with the updated admin password), which is normaly encrypted, but sometimes it is not, and Profile.xml appears to be in plain text. I suppose this is not a normal behavior. I mean, if i repeat this same procedure (2&3), sometimes ACU Wizard produce an encrypted file and sometimes a plain text file.

And i didn't manage to find why this behavior occurs. All computer run Windows Server 2012 R2. (I tried to create the profile on Windows 7, and then do step 2 and 3 on WS2012R2, i obtain same random behavior). Could you enlighten me?

Second, it is a question: Is there a way to only change the password of the Profile.xml used to encrypt it by ACU Wizard?

If you have any questions, or need details about anything, ask me, i'll answer it.

Rafael.

Software developers sometimes struggle with how to integrate Intel AMT/vPro commands into their Management Consoles, since most environments have a mix of Intel AMT and non AMT clients, the first step is to identify the manageable devices and their current state.

There are two modes of Intel AMT - Intel Standard Manageability (ISM) and Intel vPro and each generation has added features. Discovery must identify the Intel AMT devices and its current configuration state (ProvisioningState, sleep state and OS) before a management console can take advantage of the remote manageability features that Intel AMT has to offer. 

Note: This blog will cover Windows only.

Discovery Process

There are at least three processes that will perform a discovery of Intel AMT devices running Windows*.

• Tools from Intel SCS - systemdiscovery.exe or acuconfig.exe 
• Tools from the Intel AMT SDK: RMCP Ping
• Custom Tools made from the Intel AMT SDK - WMI Provider or Intel HLAPI

Depending on which tool is used and the system’s configuration state, the discovery process can be run locally or remotely,

Local Discovery: Local discovery can be performed at the system or by pushing a script out to the system. This method uses the Windows OS drivers to communicate with the firmware, which generates the requested data. Each target system must be powered up into a running Windows state (s0) with the MEI driver and LMS service (Intel Management and Security Application Local Management Service) running. The system does NOT have to be provisioned yet to supply the requested configuration data. 

Note that systems that are not Intel AMT capable will not have a provisioning state.

Remote Discovery: is performed via a remote network query of the Intel AMT firmware and the system can be in any sleep state, but is subject due to the client being configured or not the results will very. This method assumes they system is Intel AMT Capable as it will attempt to do this discovery "out of band", meaning the system does not need to be operational.

Using the Data to Determine Capabilities

Once the tool of choice has collected the data, the information needs to be returned to a management server for further processing in order to determine a device's feature-set.

Regardless of the discovery method used, a few key data points are required to determine features and the configuration potential of a given device. The firmware needs to return the following information: 

ProvisioningState, ME Firmware version and Intel AMT SKU

• ProvisioningState can be Pre, Post, In, or Unknown
  • Pre (configuration): the firmware can only reply when through a running OS. The firmware version and provisioning state will be sent in reply to an RMCP Ping.
  • Post (configuration): The firmware is configured to communicate on the network, so a remote connection to the Firmware is possible regardless of sleep state.
  • In: the firmware is in the process of being configured
  • Unknown: Will be returned for Intel AMT 5.1 and older clients
• ME Firmware Version is used to determine various levels of Intel AMT Features supported such as:
  • Host based Provisioning (Client Control Mode) available - Intel AMT 7.x 
  • Intel AMT KVM compatible - Intel AMT 6.x and above, Only available on full vPro technology systems
  • AMT SKU: Value can be AMT (full vPro), Standard Manageability (limited features), and SBT/SBA (not configurable)

Using Pre-existing Intel AMT Discovery Tools

Intel SCS Discovery Tools

Key Resource: Intel Setup and Configuration Software:  Intel SCS.

Intel SCS has a pair of tools available that can be used for discovery operations: AcuConfig.exe and SystemDiscovery.exe. Both of these tools yield the same results. They gather information from the firmware and then write that information to the registry and .xml file by default.

Using these tools will result in performing a local discovery action.  

Example: >acuconfig.exe systemdiscovery

Creating Custom Discovery Tools

Key Resources:

• Intel AMT SDK.
• Intel WMI Provider 
• AMT Implementation and Reference Guide.
• Intel HLAPI documentation .

If none of the above provide the flexibility that you need, discovery tools can be created that will allow full control of the operation, including local or remote - although remote discovery requires that the system be configured. 

There are two main methods of crafting a custom discovery tool:

Intel WMI Provider:

Use of the WMI provider allows for use of WS-Management commands and is documented in the Intel AMT Implementation and Reference Guide. The use of this method allows for flexibility in the design of the code for a given project.

There is a code sample named SystemProperties.vbs, in the Intel AMT SDK files after installation at: \Windows\Intel_AMT\Samples\WMI

Writing code for Intel AMT is not always straight-forward and requires extensive knowledge of the usage of CIM objects and the differences between Intel AMT releases. These challenges can be addressed by the use of the AMT HLAPI (High Level API) SDK, which is discussed next.

Intel AMT HLAPI:

Like using the above Intel AMT SDK samples, the Intel AMT HLAPI library can be used to create custom tools.. The Intel AMT HLAPI provides an easier development process, because commonly used features have been streamlined, increasing your efficiency while decreasing your time required for development.

In order to implement Intel AMT Discovery, the primary API is the Discovery API. The application using HLAPI creates an object for each target system, using the AMTInstanceFactoryCreate  and the IAMTInstance interface. Upon connection, read the values and decode using HLAPI.GeneralInfo.SKU

Determining the feature set of the device

Now that you have the data from your systems, the question is how to use that information. At minimum, filter on the following physical characteristics and xml tags. Values that don't match means the system is not configurable.

Note: This presentation assumes use of the command: acuconfig.exe systemdiscovery.

Key Characteristics:.

1. CPU (not provided by acuconfig.exe): Only core i3, i5, i7, core M and Xeon are potentially configurable. 
2. LMS.exe service. This is the WMI Provider that lets the discovery tools communicate with the system firmware. May not be installed if a custom driver image is used. Can be obtained by downloading the MEI driver package from the OEM website.  Tip: generally classified as a "Chipset Driver" by the OEM's.
   • To determine if the LMS.exe is running, look for the service or by parsing the verbose output log of acuconfig.exe. 
3. IsMEIEnabled. Set by the system manufacturer, value must be True for AMT to work. Value is from the generated XML and is not dependent on LMS.exe.
4. IsAMTEnabledInBIOS. Must be set to true. Some OEM's allow Intel AMT to be disabled in the BIOS, requiring it be enabled in the BIOS to activate Intel AMT. Value is from the generated XML and is dependent on LMS.exe
5. AMTSKU which can be Intel Standard Manageability (ISM) or Intel Full AMT (vPro) or Small Biz (SBA). This value will declares the feature set.  Value is from the generated XML and is dependent on LMS.exe.

Summary

Performing a discovery for a device isn't necessarily difficult or complex, however it does take some planning on the part of the developer. There are existing tools, or you can create custom tools or just add a few additional commands to whatever inventory agent is already running on the management console.

Other Resources

I have written some other blogs on Intel AMT to help with basic enabling tasks.

• Intel AMT Configuration
• Intel AMT Remote Power Management

Management Console Integration for Intel AMT

Frequently, developers ask "How to integrate Intel AMT/vPro commands into their Management Console?" To manage Intel AMT clients, they must first be enabled and provisioned. 

What is AMT configuration and why is it important?

When a system is shipped from the OEM that supports configurable Intel AMT, features will depend on if the system is Intel Standard Manageability or Intel vPro Technology. Regardless of the Intel AMT type, configuration is the process of setting up the firmware so that it be accessed remotely on the corporate network.

In basic setup and configuration the process will establish a connection to the Intel AMT device and will supply the Master Digest Password and network settings. There are many additional features that can be enabled, including; Active Directory Integration, Alarm Clock, AMT Events, Hardware Asset inventory, KVM, Remote Power Management, Storage Redirection, System Defense, TLS, wireless profiles and 802.1x

Passwords

Intel AMT uses a minimum of three passwords as listed below:

• Management Engine BIOS Extension (MEBx) - This password can be thought of as the physical access password. It is only used when you are sitting at the system to access the MEBx during the Boot Process. This password can be changed during access via the MEBx or USB Configuration or SCS configuration. 
• AMT Master Digest Password- This password is the default "admin" password and used for all remote connections to the Intel AMT firmware. During initial provisioning this password is the same as the MEBx password (stored as two separate values).  
• RFB5900 - This password is optional and only used if you are configuring to use a traditional VNC client on port 5900

Control Mode Choice affects redirection permissions 

The configuration process will establish the Intel AMT device in one of two modes; Client Control Mode (CCM) or Admin Control Mode (ACM). The difference is primarily that CCM requires User Consent for redirection operations and ACM does not.

The User Consent feature adds another level of security for remote users. When a redirection is required of the remote client, a User Consent code must be submitted. Accessing via KVM or executing an IDEr command is considered a redirection operation, but performing a get power state or reboot is not.

Management Console Integration

Configuration process can be simply integrated by providing a basic configuration profile or utilizing Intel SCS to create highly configurable profiles.

Basic Console Integration

The most basic console integration uses Host Based Configuration (HBC). HBC allows for configuration from within the Windows OS leaving the device in CCM. The console will provide the profile and script for configuring the remote AMT device.

A typical minimal integration would require the Management Console to perform the following:

1. Provide the AMT password.
2. Determine if the AMT client is DHCP Enabled or has a Static IP.
3. Create a profile.xml file and encrypt it with a password <decryptionpassword>
4. Push the profile.xml to the client along with acuconfig.exe, acu.dll and script
5. Launch the script (.bat or .ps1) on the Intel AMT device.
   1. Example: acuconfig.exe configamt profile.xml decryptionpassword <password>

Creating the profile

Determine the Intel AMT features that are to be supported by the console. Then use the ACUWizard from the SCS package to create a sample profile.xml. Unfortunately the file will be encrypted and you will need to decrypt it using the SCSEncyption tool from the SCS package "utils" folder. Once decrypted, open in a XML editor and use this sample to determine which xml tags are required for your needs. Then create your own XML in your console's XML creator. Encryption of your final profile.xml file is optional. 

Decryption syntax: SCSEncryption.exe Decrypt <input_filename>  <password> /Output <output_filename>

Why Intel SCS is considered the Premier Tool for Configuration

Intel's SCS utility is the only method that allows for remote configuration into Admin Control mode (ACM).  Intel SCS does not provide APIs, there is no console integration. Instructions are available in the Intel SCS download package.

Other Configuration Solutions

The Intel AMT Implementation and Reference Guide provides sample code and additional resources if you choose to use the already mentioned tools.  

Other Resources

Host Based Set-up and Configuration

Setup and Configuration of Intel AMT

AMT Device Discovery

AMT Remote Power Management

Summary

In order for an AMT device to be remotely managed, it requires configuration to communicate over the corporate network. At the very minimum, the device must have an AMT Master Digest Password (User: Admin) assigned and the local network connection information applied to the firmware. Until this has been accomplished, remote management cannot occur.

Remember that Control Mode (Client or Admin) affects the ease of redirection operations.

Create a Power Management application using Intel AMT

Systems with Intel AMT allow for remote management of their power state. There are multiple ways to execute the remote power commands via a management console. Developers can create their own tools that use WS-Management commands or Intel AMT's High Level API library (HLAPI.)  The following sections describe each of these methods.

Note: Any of these solutions require the managed device to be configured. Fir configuration information see my AMT Configuration Blog

Option 1: Use the Intel AMT WMI Provider

Key ResourceWS-Management Sectionof the Intel AMT Implementation and Reference Guide

Required Software: Microsoft Visual Studio, and the Intel AMT SDK.

Unfortunately, writing code for Intel AMT requires extensive knowledge of C# plus an understanding of specific Intel AMT objects and the variations between Intel AMT releases. The AMT HLAPI SDK can help..

Use the Intel vPro Scripting library from the SDK, which is composed of f Intel.WsMan.Scripting.DLL, imrsdk.dll,  and KVMlib.dll. 

The scripting library includes Managed Object Format (MOF) files that include full descriptions of the Common Information Model (CIM) data objects defined and implemented by Intel AMT.  Per industry standards, there are three types of MOF files: CIM, AMT, and IPS classes.

• CIM – Standard Distributed Management Task Force (DMTF) classes
• AMT – Intel AMT specific classes
• IPS – Additional Intel proprietary classes

This tutorial will use the CIM and/or IPS classes.

WS-Management Process Flow

 The basic process steps are:

1. Make the connection
2. Get Boot Configuration Options
3. Set Boot Configuration
4. Initiate the reboot

The Intel AMT SDK has a sample file that demonstrates some of the Remote Control capabilities from an application. These files can be found within the Intel AMT SDK download package - <SDK_root>\Windows\Intel_AMT\Samples\WS-Management\RemoteControl. 

Note: Sample files are not for production use and may not exercise all of the capabilities of a given feature, nor  provide robust error messaging.

Using the Intel AMT HLAPI

Key Resource: Intel AMT High Level API documentation

Use of Intel AMT HLAPIs will ease development by providing libraries of commonly used features making it a quick and easy way to create applications that take advantage of Intel AMT features. Power API is an extremely simple .NET API that transparently supports all versions of Intel AMT, starting with Release 2.2. The key steps include:

1. Making the Connection - Code Sample:Connection:  Allows an application to connect to the remote Intel AMT client by creating an object for each Intel AMT device. The instance is created using the AMTInstanceFactoryCreate method and the IAMTInstance interface.
2. Issuance of the command -  Code Sample: Power Reset (Select the drop down for "Reboot the system" on that page for a code sample).

In summary, the Intel AMT HLAPI provides the developer with an easy to use, robust API toolset for Intel AMT management in comparison to using WS-Management commands. 

Other Resourses

I have written some other blogs on Intel AMT to help with basic enabling tasks.

• AMT Discovery
• AMT Configuration

Recently, Our servers appears abnormal performance.

So, I tested performance with Intel MLC v2.3 after reboot.

First result is very good.

However, I returned strange result after 3~5 times repeat mlc.

I think last result is credible data.

Finally, I replaced memory and performance becomes good.

In question, Why mlc result is good when immediately reboot?

Why the origin result is show later?

Please help me.

Machine : Lenovo x3950 x6 4 computer book / 1 TB memory (each book = 256GB)

------- first test --------

Using buffer size of 200.000MB
Measuring idle latencies (in ns)...
        Memory node
Socket       0       1       2       3
     0   108.7   187.4   224.6   185.4
     1   187.7   108.5   185.7   224.4
     2   224.2   185.6   116.6   185.6
     3   185.0   224.6   189.8   108.8

Measuring Peak Memory Bandwidths for the system
Bandwidths are in MB/sec (1 MB/sec = 1,000,000 Bytes/sec)
Using traffic with the following read-write ratios
ALL Reads        :      202381.1
3:1 Reads-Writes :      174073.8
2:1 Reads-Writes :      167462.2
1:1 Reads-Writes :      158554.0
Stream-triad like:      159076.0

Measuring Memory Bandwidths between nodes within system
Bandwidths are in MB/sec (1 MB/sec = 1,000,000 Bytes/sec)
Using Read-only traffic type
        Memory node
 Socket      0       1       2       3
     0  50558.5 12117.5 12069.9 12712.5
     1  12351.6 50751.4 12728.7 12055.4
     2  12268.8 12710.1 50661.5 12173.9
     3  12732.0 12054.1 12104.0 50675.2

-------------End of first test ----------

---------Fourth result------

Using buffer size of 200.000MB
Measuring idle latencies (in ns)...
        Memory node
Socket       0       1       2       3
     0   147.3   261.6   272.1   244.0
     1   247.7   108.7   204.6   236.9
     2   270.2   202.6   108.5   183.8
     3   246.0   236.3   208.3   108.7

Measuring Peak Memory Bandwidths for the system
Bandwidths are in MB/sec (1 MB/sec = 1,000,000 Bytes/sec)
Using traffic with the following read-write ratios
ALL Reads        :      189662.5
3:1 Reads-Writes :      166338.1
2:1 Reads-Writes :      160815.7
1:1 Reads-Writes :      152592.7
Stream-triad like:      31839.4

Measuring Memory Bandwidths between nodes within system
Bandwidths are in MB/sec (1 MB/sec = 1,000,000 Bytes/sec)
Using Read-only traffic type
        Memory node
 Socket      0       1       2       3
     0  37788.7  7831.2 12066.2 12714.4
     1   9098.5 50648.0 12686.3  6726.6
     2   9153.9  8003.7 50749.6 12258.4
     3   9191.7  7923.7 12079.6 50702.9

I am using Intel AMT version 9.5.35. I used the ACU_Wizard.exe in package IntelSCS_download_package_11.0.0.214\ACU_Wizard to configure Intel AMT password ( I have not enabled AMT vPro in BIOS setting ). I got the IPv4 address from ACUConfig_xxx.log for instance 192.168.1.1. Then I used HLAPI to connect to my AMT to query Hardware Info and the result is successful in our company WiFi network. But after one day, when we came back to work, the IPv4 address was changed. I must use ACU_Wizard.exe to get IPv4 again and the result is 192.168.1.8.

My question is how can I configure the IPv4 is static? 

My computer has FQDN static for instance IT100.it.com.

Thanks for your help.

How can I control or Manage the SSD through AMT vPro using High Level API or SDK 11.0.0.35 ?

I am studying HLAPI of Intel AMT but I do not see the code to query SSD info. I also read the paper Intel(R)_SSD_Pro_Series_Plugin.

Thanks for your help.

Mesh Commander 0.1.6 was just released. This is the latest version of our next generation Intel® AMT software that is entirely built using web based technologies. In this version we made many more bug fixes but more importantly, we added Agent Presence support so that Intel AMT can now track and take actions based on applications running in the operating system. This is our first pass at Agent Presence support, so there is more features to be added moving forward. Still, this allows users of Web Commander to get stared with it.

Agent Presence allows an administrator to setup watchdogs (GUID’s) in Intel® AMT that will be tracked. When OS applications signal watchdogs at regular intervals, it indicates to Intel AMT that they are alive and working. When an application stops signaling, Intel® AMT can log and take actions based on state transitions. For this first version, we only support logging watchdog transitions, but more to come in the future.

You can get the latest version of Mesh Commander and the new Mesh Commander Agent Presence Monitor at http://meshcommander.com.

Feedback appreciated,
Ylian Saint-Hilaire
meshcommander.com

The latest Mesh Commander 0.1.6 has many bug fixes and for the first time, the addition of Agent
Presence support. You can now monitor applications running in the OS from Intel AMT.

This new version of Mesh Commander includes a new Watchdog Monitor tool that
you can run locally to heartbeat watchdogs at regular intervals.

Hi ,

I have see following  error at device manager :

Intel management engine interface device cannot start code 10

I was getting the same error earlier in Windows 7 and now in Windows 10 Pro after upgrade .

Here are my Intel Hardware details :

Board Model - DH67CL

Board Version - AAG10212 -210

Bios version - BLH6710H.86A.0146.2011.1222.1415

Though, it hasnt affected the functionality of my PC specifically , I was wondering if this is an indication of any serious issue and can this be resolved ..

Thanks

Rajeev

First, I am sorry if this is in the wrong forum!   I have gotten the run-around trying to get help on this! 

Bought a new HP 800 G2 PC that has Intel Vpro and "HP Collarobaration PC" software which is just Intel Unite.

HP EliteDesk 800 35W G2 Desktop Mini PC (ENERGY STAR)
Model #: P5W25UT with latest Firmware (Version N21 dated 1/25/16)

Version is 1.0.13.39 and am running the Firmware that is included with download.  (Suspecting it is required to enable Unite?).   However, I have enabled both Intel TXT & I/O in Bios and still get the error below.   HP will not help!   Any suggestions how to troubleshoot or resolve?   PC was bought specifically for Intel Unite.   Thanks in Advance.

Creating a KVM connection

One of the most popular features of an Intel^® vPro™ device is remote access via KVM (remote Keyboard, Video, Mouse). KVM allows remote control of a client even if the OS isn't running or if the system is asleep. While traditional KVM requires additional hardware and software to access a client system, the Intel vPro KVM feature provides KVM over IP with no additional equipment required.

The KVM feature was first introduced with Intel AMT 6.0 and has improved in each release, including screen resolution and multiple monitor support. The capabilities of each Intel AMT version can be found on the supported screen resolution and multiple monitor support change page of the SDK documentation.

Like all the other features of Intel AMT, the client must first be enabled and configured. The process of configuration is discussed in one of my previous blogs called, "Intel vPro Setup and Configuration Integration". NOTE: Intel vPro branded systems are the only Intel AMT clients that support the KVM feature. "Standard Manageability" and "SMB" versions of Intel AMT do not include the KVM feature.

Additional Resources: KVM Features

Client Configuration

Additional Resources: Enable/Disable KVM Interface

While the KVM Remote Control feature can be configured as a part of the AMT configuration process, the feature parameters can also be configured at a later time. It is best practice to run a script or application to check and update the KVM status prior to making a KVM connection to the client.

1. The KVM Redirection Settings
2. The MEBx Settings
3. The KVM Redirection Listener
4. The access Port and Security settings 

The KVM Redirection Settings needs to be inspected by retrieving the instance of CIM_KVMRedirectionSAP and evaluating/setting the following property CIM_KVMRedirectionSAP.EnabledState = true

The MEBx and Port Settings needs to be validated by retrieving the instance of IPS_KVMRedirectionSettingData and evaluating/set the following properties: IPS_KVMRedirectionSettingData.EnabledByMEBx = true & IPS_KVMRedirectionSettingData.Is5900PortEnabled = true

The KVM Redirection Listener needs to be validated by retrieving the instance of AMT_RedirectionService and evaluating/setting the AMT_RedirectionService.ListenerEnabled property for True

Making the Connection

Making an Intel AMT KVM connection involves a management system utilizing an application to communicate over a wired or wireless network directly to the client's Intel AMT firmware management ports. The ports utilized will determine the type of VNC viewer that must be used.

There are two general types of applications that can be used by the management system: HTTPS from a web browser or a VNC viewer.

The HTTPS option, as utilized by the open source project Mesh Commander, has a web server to make the connection to the client and displays the results within a web page.

The typical VNC viewer option come in many flavors, but all except connection on port 5900, commonly this is referred to as the RFB (Remote Frame Buffer) port. Common VNC viewers are either RFB version 3.8 (Ultra VNC, Tight VNC and RealVNC), or RFB 4.0 (RealVNC Plus, KVMview, MeshCommander.) The RFB 3.8 protocol uses port 5900 exclusively.

Intel AMT also used ports other than port 5900. The default AMT ports for authentication is 16992 and the redirection port is 16994. If your using TLS the authentication and redirection ports change to 16993 and 16995, respectively. When using the Intel AMT redirection ports, authentication will be with the digest user and optionally Kerberos authentication can be used. TLS is also an option.

If you use a Management Console, using HTML, consider additional TLS security when launching a viewer. For additional information on integrating a KVM application into a Console, see the Intel KVM Application Developers Guide

Network Consideration

The network must be handled differently depending on whether it is a 'local' corporate network or going across open internet connections. Intel AMT only communicates on the local wired or wireless networks and any properly configured device and VNC application combination can make the connection. But anytime a connection comes from outside the network an Intel AMT proxy or Management Presence Server (MPS) must be used.

Proxy Configuration

Additional Resource: Intel AMT KVM Proxy 

The proxy application for Intel AMT KVM must be installed on the local network with the clients. It must have the correct port open for the VNC viewer application.

The basic flow for connection through a proxy is:

1. The VNC client application viewer library directs the KVM Proxy to listen for KVM connections.
2. The same library then opens an Intel KVM Remote Control connection to the Intel AMT Proxy listener.
3. The VNC client application sends the AMT platform connection/authentication data to the Intel AMT Proxy 
4. The Intel AMT proxy opens the connection to the Intel AMT platform with the provided settings to the required port (redirection or VNC port).
5. The Proxy relays the Intel KVM data between the viewer library and the Intel AMT client.
   Example of using the KVM Proxy Library API from within PowerShell

Additional resources and source code locations: 

• Intel AMT SDK example application instructions for making the proxy connection
• Example source code: \Windows\Intel_AMT\Src\KVM\KVMProxy\
• Example source code: \Linux\Intel_AMT\Src\KVM\KVMProxy\
• Example source code for proxy connection library: kvmlib.dll
• Example Source Code: \Windows\Intel_AMT\Samples\KVM\KVMCustomTransportSample

Summary

AMT KVM connections are a valuable resource for the technician. By allowing out of band communication we enlarge our tool set and reduce our need for desk side visit after a bit of setup of the clients and our management console. As developers it is our task to enable our software to exercise Intel AMT features such as Intel KVM.

In order for us to do that we need to configure the device, enable the KVM feature set and then set up the connection as needed by our users.

Other Resources

• Host Based Set-up and Configuration
• Setup and Configuration of Intel AMT
• Intel AMT Device Discovery
• Intel AMT Remote Power Management
• Intel AMT SDK Implementation and Reference Guide

I have two laptops which have the same configuration. Two laptops used Wireless as usual for working or for entertainment ( check mail, or skype...). Only one laptop sees Wireless Setting when I used the command: 127.0.0.1:16992 as figure below.

(note: laptop see Wireless Setting do not install the Intel®_PROSet_Wireless_Software

and laptop does not see Wireless Setting installed Intel®_PROSet_Wireless_Software)

(Sorry, I tried to update image but I cannot because this tool does not set my permission to upload image )

Mesh Commander 0.1.7 was just released. This time around, we are adding a significant new feature. Everyone seriously using Intel AMT knows that automation is essential to get management working smoothly on a large scale. You need to be able to quickly configure, modify, gather data and perform custom management operations. To do this quickly and on many machines, you need to be able to script Intel AMT.

Ever since my work on Commander and the DTK over 12 years ago, scripting has always been something that was needed but difficult to do in practice. Today, we are releasing our own new lightweight scripting language specifically built for Intel AMT. All versions of Mesh Commander will be able to run scripts, and some versions will also have the script authoring tool included. Once you build a script, running it is as easy as drag & dropping the script file on the Mesh Commander web page.

As part of the new Mesh Commander package, we included the new language documentation, but moving forward, we expect for have collections of pre-existing scripts to make it easy for everyone.

You can get the latest version of Mesh Commander is at http://meshcommander.com.

Feedback appreciated,
Ylian Saint-Hilaire
meshcommander.com

The new scripting language comes with a JavaScript compiler and turns the script into
binary. This makes it very easy for the running code to parse & run the commands.

The latest Mesh Commander 0.1.7 now includes a simple script editor. The language is designed
to be easy to parse so that running the script requires very little code.

If you are working on developing your own Intel AMT Manageability Console you can find important release notes inside the SDK root-level folder.  Look for a HTML file called “Intel AMT Release 11.0 SDK Release Notes”.

If you are facing issues in your integration process, you should check the notes to verify where your issues are occurring.  Here are the notes associated with the Intel AMT 11 release.

Notes:

• WLAN provisioning with USB Key will not allow TLS enablement on LAN-less platforms in Intel AMT Release 9.5. 
• The C++ samples fail to compile on Windows* 7 and Windows Server 2008 R2 due to a bug in the Windows SDK function mt.exe. For further information and workaround see the Windows 7 SDK: Beta Release Notes. Note that a file compiled on other Windows operating systems, such as XP or Vista, will also execute on Windows 7 and Windows Server 2008 R2.
• The "Configure Default KVM Port" script sets the RFB password. This script contains WinRM commands and may change the user's WinRM configuration.
• Microsoft WinRM - Intel AMT interrupt on associations: The WinRM client fails to perform a retrieval or delete of an instance of an association class using an EPR when its selectors are also EPRs. An example where this capability is needed in Intel AMT is the System Defense association  AMT_ActiveFilterStatistics.
• Redirection library provides AES 256 cipher suites as an option although only AES 128 ciphers are supported by Intel AMT.
• UCT Tool: Cannot delete or update the application settings file while the application is running.
• Because of limitations within the Tight VNC application (a third-party application for KVM), asterisks will not appear when entering the opt-in code. In addition, while Intel AMT will respond to keyboard and mouse actions, these will not show in the client until the user refreshes the display.
• Samples and other applications which use signed DLLs are loaded very slowly. This can occur because .NET Framework repeatedly attempts to verify the signed DLL files, even when there is no internet connection.