Intel AMT

Intel Active Management Technology (AMT) is hardware and firmware for remote out-of-band management of select business computers, running on the Intel Management Engine, a microprocessor subsystem not exposed to the user, intended for monitoring, maintenance, updating, and repairing systems.

Out-of-band (OOB) or hardware-based management is different from software-based (or in-band) management and software management agents. Hardware-based management works at a different level from software applications, and uses a communication channel (through the TCP/IP stack) that is different from software-based communication (which is through the software stack in the operating system). Hardware-based management does not depend on the presence of an OS or a locally installed management agent. Hardware-based management has been available on Intel/AMD based computers in the past, but it has largely been limited to auto-configuration using DHCP or BOOTP for dynamic IP address allocation and diskless workstations, as well as wake-on-LAN (WOL) for remotely powering on systems.

AMT is not intended to be used by itself; it is intended to be used alongside a software management application. It gives a management application (and thus, the system administrator who uses it) access to the PC down the wire, in order to remotely do tasks that are difficult or sometimes impossible when working on a PC that does not have remote functionalities built into it. AMT is designed into a service processor located on the motherboard, and uses TLS-secured communication and strong encryption to provide additional security.

AMT is built into PCs with Intel vPro technology and is based on the Intel Management Engine (ME). AMT has moved towards increasing support for DMTF Desktop and mobile Architecture for System Hardware (DASH) standards, and AMT Release 5.1 and later releases are an implementation of the DASH version 1.0/1.1 standards for out-of-band management. AMT provides similar functionality to IPMI, although AMT is designed for client computing systems as compared with the typically server-based IPMI. Currently, AMT is available in desktops, servers, ultrabooks, tablets, and laptops with the Intel Core vPro processor family, including Intel Core i5, Core i7, Core i9 and the Intel Xeon E3-1000, Xeon E and Xeon W-1000 product families.

Intel confirmed a remote elevation-of-privilege bug (SA-00075) in its Management Technology on May 1, 2017. Every Intel platform with either Intel Standard Manageability, Active Management Technology, or Small Business Technology, from Nehalem in 2008 to Kaby Lake in 2017, has a remotely exploitable security hole in the ME. The network vector applies to systems on which the manageability features have been provisioned; unprovisioned systems were exposed through a local vector. Some manufacturers, like Purism and System76, are already selling hardware with the Intel Management Engine disabled to prevent the remote exploit. Additional major security flaws in the ME affecting a very large number of computers incorporating the Management Engine, Trusted Execution Engine, and Server Platform Services firmware, from Skylake in 2015 to Coffee Lake in 2017, were confirmed by Intel on November 20, 2017 (SA-00086).


Non-free service access

Although iAMT may be included for free in devices sold to the public and to small businesses, the full capabilities of iAMT, including encrypted remote access via a public key certificate and automatic remote device provisioning of unconfigured iAMT clients, are not accessible for free to the general public or to the direct owners of iAMT-equipped devices. iAMT cannot be fully utilized to its maximum potential without purchasing additional software or management services from Intel or another third-party independent software vendor (ISV) or value-added reseller (VAR). Intel itself provides a ''developer's toolkit'' software package which allows basic access to iAMT, but it is not intended to be normally used to access the technology. Only basic modes of access are supported, without full access to the encrypted communications of the complete purchased management system.


Features

Intel AMT includes hardware-based remote management, security, power management, and remote configuration features that enable independent remote access to AMT-enabled PCs. Intel AMT is security and management technology that is built into PCs with Intel vPro technology.

Intel AMT uses a hardware-based out-of-band (OOB) communication channel that operates regardless of the presence of a working operating system. The communication channel is independent of the PC's power state, the presence of a management agent, and the state of many hardware components such as hard disk drives and memory. Most AMT features are available OOB, regardless of PC power state. Other features require the PC to be powered up (such as console redirection via serial over LAN (SOL), agent presence checking, and network traffic filtering). Intel AMT has remote power-up capability. Hardware-based features can be combined with scripting to automate maintenance and service.

Hardware-based AMT features on laptop and desktop PCs include:

* Encrypted, remote communication channel for network traffic between the IT console and Intel AMT.
* Ability for a wired PC (physically connected to the network) outside the company's firewall on an open LAN to establish a secure communication tunnel (via AMT) back to the IT console. Examples of an open LAN include a wired laptop at home or at a site that does not have a proxy server.
* Remote power up / power down / power cycle through encrypted WOL.
* Remote boot, via integrated device electronics redirect (IDE-R).
* Console redirection, via serial over LAN (SOL).
* Keyboard, video, mouse (KVM) over network.
* Hardware-based filters for monitoring packet headers in inbound and outbound network traffic for known threats (based on programmable timers), and for monitoring known / unknown threats based on time-based heuristics. Laptops and desktop PCs have filters to monitor packet headers. Desktop PCs have packet-header filters and time-based filters.
* Isolation circuitry (previously and unofficially called "circuit breaker" by Intel) to port-block, rate-limit, or fully isolate a PC that might be compromised or infected.
* Agent presence checking, via hardware-based, policy-based programmable timers. A "miss" generates an event; this can also generate an alert.
* OOB alerting.
* Persistent event log, stored in protected memory (not on the hard drive).
* Access (preboot) to the PC's universal unique identifier (UUID).
* Access (preboot) to hardware asset information, such as a component's manufacturer and model, which is updated every time the system goes through power-on self-test (POST).
* Access (preboot) to the third-party data store (TPDS), a protected memory area that software vendors can use to hold version information, .DAT files, and other information.
* Remote configuration options, including certificate-based zero-touch remote configuration, USB key configuration (light-touch), and manual configuration.
* Protected Audio/Video Pathway for playback protection of DRM-protected media.

Laptops with AMT also include wireless technologies:

* Support for IEEE 802.11 a/g/n wireless protocols
* Cisco-compatible extensions for Voice over WLAN


History

Software updates provide upgrades to the next minor version of Intel AMT. New major releases of Intel AMT are built into a new chipset, and are updated through new hardware.


Applications

Almost all AMT features are available even if the PC is in a powered-off state but with its power cord attached, if the operating system has crashed, if the software agent is missing, or if hardware (such as a hard drive or memory) has failed. The console-redirection feature (SOL), agent presence checking, and network traffic filters are available after the PC is powered up.

Intel AMT supports these management tasks:

* Remotely power up, power down, power cycle, and power reset the computer.
* Remote boot the PC by remotely redirecting the PC's boot process, causing it to boot from a different image, such as a network share, bootable CD-ROM or DVD, remediation drive, or other boot device. This feature supports remote booting a PC that has a corrupted or missing OS.
* Remotely redirect the system's I/O via console redirection through serial over LAN (SOL). This feature supports remote troubleshooting, remote repair, software upgrades, and similar processes.
* Access and change BIOS settings remotely. This feature is available even if PC power is off, the OS is down, or hardware has failed. It is designed to allow remote updates and corrections of configuration settings, and supports full BIOS updates, not just changes to specific settings.
* Detect suspicious network traffic. In laptop and desktop PCs, this feature allows a sys-admin to define the events that might indicate an inbound or outbound threat in a network packet header. In desktop PCs, this feature also supports detection of known and/or unknown threats (including slow- and fast-moving computer worms) in network traffic via time-based, heuristics-based filters. Network traffic is checked before it reaches the OS, so it is also checked before the OS and software applications load, and after they shut down (a traditionally vulnerable period for PCs).
* Block or rate-limit network traffic to and from systems suspected of being infected or compromised by computer viruses, computer worms, or other threats. This feature uses Intel AMT hardware-based isolation circuitry that can be triggered manually (remotely, by the sys-admin) or automatically, based on IT policy (a specific event).
* Manage hardware packet filters in the on-board network adapter.
* Automatically send OOB communication to the IT console when a critical software agent misses its assigned check-in with the programmable, policy-based, hardware-based timer. A "miss" indicates a potential problem. This feature can be combined with OOB alerting so that the IT console is notified only when a potential problem occurs (this helps keep the network from being flooded by unnecessary "positive" event notifications).
* Receive Platform Event Trap (PET) events out-of-band from the AMT subsystem (for example, events indicating that the OS is hung or crashed, or that a password attack has been attempted). An alert can be issued on an event (such as falling out of compliance, in combination with agent presence checking) or on a threshold (such as reaching a particular fan speed).
* Access a persistent event log, stored in protected memory. The event log is available OOB, even if the OS is down or the hardware has already failed.
* Discover an AMT system independently of the PC's power state or OS state. Discovery (preboot access to the UUID) is available if the system is powered down, its OS is compromised or down, hardware (such as a hard drive or memory) has failed, or management agents are missing.
* Perform a software inventory or access information about software on the PC. This feature allows a third-party software vendor to store software asset or version information for local applications in the Intel AMT protected memory. (This is the protected third-party data store, which is different from the protected AMT memory for hardware component information and other system information.) The third-party data store can be accessed OOB by the sys-admin. For example, an antivirus program could store version information in the protected memory that is available for third-party data. A computer script could use this feature to identify PCs that need to be updated.
* Perform a hardware inventory by uploading the remote PC's hardware asset list (platform, baseboard management controller, BIOS, processor, memory, disks, portable batteries, field replaceable units, and other information). Hardware asset information is updated every time the system runs through power-on self-test (POST).

From major version 6, Intel AMT embeds a proprietary VNC server for out-of-band access using dedicated VNC-compatible viewer technology, and has full KVM (keyboard, video, mouse) capability throughout the power cycle, including uninterrupted control of the desktop while an operating system loads. Clients such as VNC Viewer Plus from RealVNC also provide additional functionality that might make it easier to perform (and watch) certain Intel AMT operations, such as powering the computer off and on, configuring the BIOS, and mounting a remote image (IDER).
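
The discovery task listed above is also what a defender needs in reverse: finding every host on a network whose firmware answers for AMT, whether or not the OS is up. The following is an added example (not Intel's code and not from this article) that classifies HTTP banners collected from a host's TCP ports and reports the AMT firmware version and management exposure. Two things in it are assumptions rather than facts taken from the page: the default AMT listener ports (16992 plain HTTP, 16993 HTTPS, 16994/16995 for SOL and IDE-R redirection) and the banner shape (a "Server: Intel(R) Active Management Technology <version>" header together with an HTTP Digest challenge), both known from practice. The sample responses are constructed, not captured from real systems.

```python
"""Classify banners from the TCP ports on which Intel AMT's firmware
TCP/IP stack answers, so an inventory script can spot AMT-enabled hosts
independently of the host OS.

Added example, not Intel's code. Assumed (not stated in the article):
the default AMT listener ports and the banner format. The sample
responses at the bottom are constructed, not real captures.
"""
import re

# Default AMT listener ports (assumed defaults, not from the article).
AMT_PORTS = {
    16992: "http",
    16993: "https",
    16994: "redirection",
    16995: "redirection-tls",
}

_SERVER_RE = re.compile(r"Intel\(R\) Active Management Technology\s*([\d.]+)?", re.I)
_REALM_RE = re.compile(r'Digest\s+realm="([^"]*)"', re.I)


def parse_http_head(raw: bytes) -> dict:
    """Split an HTTP response into its status line and a lowercase header map.

    Only the head (up to the first blank line) is examined; any body is ignored.
    A non-HTTP or empty response yields an empty status and no headers.
    """
    head = raw.decode("latin-1", errors="replace").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers}


def classify_host(port_banners: dict) -> dict:
    """Decide from {port: raw_response} whether a host exposes AMT.

    Returns the firmware version advertised in the Server header, the Digest
    realms offered, which ports produced an AMT banner, and findings an
    operator would act on (plaintext management exposed, no TLS listener).
    """
    result = {"amt": False, "version": None, "ports": [], "realms": [], "findings": []}
    for port, raw in sorted(port_banners.items()):
        parsed = parse_http_head(raw)
        match = _SERVER_RE.search(parsed["headers"].get("server", ""))
        if not match:
            continue  # not an AMT banner (empty, non-HTTP, or an unrelated web server)
        result["amt"] = True
        result["ports"].append(port)
        if match.group(1):
            result["version"] = match.group(1)
        realm = _REALM_RE.search(parsed["headers"].get("www-authenticate", ""))
        if realm:
            result["realms"].append(realm.group(1))
    if 16992 in result["ports"]:
        result["findings"].append("AMT management reachable over plaintext HTTP (16992)")
    if result["amt"] and 16993 not in result["ports"]:
        result["findings"].append("no TLS management listener (16993) answered")
    return result


# Constructed sample responses (not real captures).
SAMPLE_AMT_SCAN = {
    16992: (
        b"HTTP/1.1 401 Unauthorized\r\n"
        b'WWW-Authenticate: Digest realm="Digest:0123456789ABCDEF0123456789ABCDEF", '
        b'nonce="AAAAAAAAAAAAAAAA", stale="false", qop="auth"\r\n'
        b"Server: Intel(R) Active Management Technology 11.8.50.3399\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
    16994: b"",  # redirection port speaks its own protocol, so no HTTP banner
}
SAMPLE_OTHER_SCAN = {
    8080: b"HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    for name, scan in (("amt-host", SAMPLE_AMT_SCAN), ("web-host", SAMPLE_OTHER_SCAN)):
        print(name, classify_host(scan))
```

In a real sweep the banners come from connecting to each port in AMT_PORTS and sending a plain GET; the classifier is kept separate from the socket code so the same logic can be run over stored scan output. A host that answers on 16992 but not 16993 is worth flagging even when the credentials are strong, because the Digest exchange and every management command then travel in the clear.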


Provisioning and integration

AMT supports certificate-based or PSK-based remote provisioning (full remote deployment), USB key-based provisioning ("one-touch" provisioning), manual provisioning, and provisioning using an agent on the local host ("Host Based Provisioning"). An OEM can also pre-provision AMT.

The current version of AMT supports remote deployment on both laptop and desktop PCs. (Remote deployment was one of the key features missing from earlier versions of AMT and which delayed acceptance of AMT in the market.) Remote deployment, until recently, was only possible within a corporate network. Remote deployment lets a sys-admin deploy PCs without "touching" the systems physically. It also allows a sys-admin to delay deployments and put PCs into use for a period of time before making AMT features available to the IT console. As delivery and deployment models evolve, AMT can now be deployed over the Internet, using both "Zero-Touch" and Host-Based methods.

PCs can be sold with AMT enabled or disabled. The OEM determines whether to ship AMT with the capabilities ready for setup (enabled) or disabled. The setup and configuration process may vary depending on the OEM build. AMT includes a Privacy Icon application, called IMSS, that notifies the system's user if AMT is enabled. It is up to the OEM to decide whether they want to display the icon or not.

AMT supports different methods for disabling the management and security technology, as well as different methods for reenabling the technology. AMT can be partially unprovisioned using the Configuration Settings, or fully unprovisioned by erasing all configuration settings, security credentials, and operational and networking settings. A partial unprovisioning leaves the PC in the setup state. In this state, the PC can self-initiate its automated, remote configuration process. A full unprovisioning erases the configuration profile as well as the security credentials and operational / networking settings required to communicate with the Intel Management Engine. A full unprovisioning returns Intel AMT to its factory default state.

Once AMT is disabled, in order to enable AMT again, an authorized sys-admin can reestablish the security credentials required to perform remote configuration by either:

* Using the remote configuration process (fully automated, remote configuration via certificates and keys).
* Physically accessing the PC to restore security credentials, either by USB key or by entering the credentials and MEBx parameters manually.

There is a way to totally reset AMT and return it to factory defaults. This can be done in two ways:

* Setting the appropriate value in the BIOS.
* Clearing the CMOS memory and / or NVRAM.

Setup and integration of AMT is supported by a setup and configuration service (for automated setup), an AMT Webserver tool (included with Intel AMT), and AMT Commander, an unsupported and free, proprietary application available from the Intel website.


Communication

All access to the Intel AMT features is through the Intel Management Engine in the PC's hardware and firmware. AMT communication depends on the state of the Management Engine, not the state of the PC's OS. As part of the Intel Management Engine, the AMT OOB communication channel is based on the TCP/IP firmware stack designed into system hardware. Because it is based on the TCP/IP stack, remote communication with AMT occurs via the network data path before communication is passed to the OS.

Intel AMT supports wired and wireless networks. For wireless notebooks on battery power, OOB communication is available when the system is awake and connected to the corporate network, even if the OS is down. OOB communication is also available for wireless or wired notebooks connected to the corporate network over a host OS-based virtual private network (VPN) when notebooks are awake and working properly.

AMT version 4.0 and higher can establish a secure communication tunnel between a wired PC and an IT console outside the corporate firewall. In this scheme, a management presence server (Intel calls this a "vPro-enabled gateway") authenticates the PC, opens a secure TLS tunnel between the IT console and the PC, and mediates communication. (Intel developer's blog) The scheme is intended to help the user or PC itself request maintenance or service when at satellite offices or similar places where there is no on-site proxy server or management appliance.

Technology that secures communications outside a corporate firewall is relatively new. It also requires that an infrastructure be in place, including support from IT consoles and firewalls.

An AMT PC stores system configuration information in protected memory. For PCs version 4.0 and higher, this information can include the name(s) of appropriate "whitelist" management servers for the company. When a user tries to initiate a remote session between the wired PC and a company server from an open LAN, AMT sends the stored information to a management presence server (MPS) in the "demilitarized zone" ("DMZ") that exists between the corporate firewall and client (the user PC's) firewalls. The MPS uses that information to help authenticate the PC. The MPS then mediates communication between the laptop and the company's management servers. Because communication is authenticated, a secure communication tunnel can then be opened using TLS encryption. Once secure communications are established between the IT console and Intel AMT on the user's PC, a sys-admin can use the typical AMT features to remotely diagnose, repair, maintain, or update the PC.


Design


Hardware

The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current () Intel chipsets. Starting with ME 11, it is based on the Intel Quark x86-based 32-bit CPU and runs the MINIX 3 operating system. The ME state is stored in a partition of the SPI flash, using the Embedded Flash File System (EFFS). Previous versions were based on an ARC core, with the Management Engine running the ThreadX RTOS from Express Logic. Versions 1.x to 5.x of the ME used the ARCTangent-A4 (32-bit only instructions) whereas versions 6.x to 8.x used the newer ARCompact (mixed 32- and 16-bit instruction set architecture). Starting with ME 7.1, the ARC processor could also execute signed Java applets.

The ME shares the same network interface and IP as the host system. Traffic is routed based on packets to ports 16992-16995. Support exists in various Intel Ethernet controllers, exported and made configurable via Management Component Transport Protocol (MCTP). The ME also communicates with the host via PCI interface. (Igor Skochinsky (Hex-Rays), "Rootkit in your laptop", Ruxcon Breakpoint 2012) Under Linux, communication between the host and the ME is done via /dev/mei or more recently /dev/mei0.

Until the release of Nehalem processors, the ME was usually embedded into the motherboard's northbridge, following the Memory Controller Hub (MCH) layout. With the newer Intel architectures (Intel 5 Series onwards), ME is included into the Platform Controller Hub (PCH).


Firmware

* Management Engine (ME) - mainstream chipsets
* Server Platform Services (SPS) - server
* Trusted Execution Engine (TXE) - tablet/mobile/low power


Security

Because AMT allows access to the PC below the OS level, security for the AMT features is a key concern. Security for communications between Intel AMT and the provisioning service and/or management console can be established in different ways depending on the network environment. Security can be established via certificates and keys (TLS public key infrastructure, or TLS-PKI), pre-shared keys (TLS-PSK), or administrator password.

Security technologies that protect access to the AMT features are built into the hardware and firmware. As with other hardware-based features of AMT, the security technologies are active even if the PC is powered off, the OS is crashed, software agents are missing, or hardware (such as a hard drive or memory) has failed.

Because the software that implements AMT exists outside of the operating system, it is not kept up-to-date by the operating system's normal update mechanism. Security defects in the AMT software can therefore be particularly severe, as they will remain long after they have been discovered and become known to potential attackers. On May 15, 2017, Intel announced a critical vulnerability in AMT. According to the update "The vulnerability could enable a network attacker to remotely gain access to business PCs or devices that use these technologies". Intel announced partial availability of a firmware update to patch the vulnerability for some of the affected devices.


Networking

While some protocols for in-band remote management use a secured network communication channel (for example Secure Shell), some other protocols are not secured. Thus some businesses have had to choose between having a secure network or allowing IT to use remote management applications without secure communications to maintain and service PCs.

Modern security technologies and hardware designs allow remote management even in more secure environments. For example, Intel AMT supports IEEE 802.1x, Preboot Execution Environment (PXE), Cisco SDN, and Microsoft NAP. All AMT features are available in a secure network environment. With Intel AMT in the secure network environment:
* The network can verify the security posture of an AMT-enabled PC and authenticate the PC before the OS loads and before the PC is allowed access to the network.
* PXE boot can be used while maintaining network security. In other words, an IT administrator can use an existing PXE infrastructure in an IEEE 802.1x, Cisco SDN, or Microsoft NAP network.

Intel AMT can embed network security credentials in the hardware, via the Intel AMT Embedded Trust Agent and an AMT posture plug-in. The plug-in collects security posture information, such as firmware configuration and security parameters from third-party software (such as antivirus software and antispyware), BIOS, and protected memory. The plug-in and trust agent can store the security profile(s) in AMT's protected, nonvolatile memory, which is not on the hard disk drive.

Because AMT has an out-of-band communication channel, AMT can present the PC's security posture to the network even if the PC's OS or security software is compromised. Since AMT presents the posture out-of-band, the network can also authenticate the PC out-of-band, before the OS or applications load and before they try to access the network. If the security posture is not correct, a system administrator can push an update OOB (via Intel AMT) or reinstall critical security software before letting the PC access the network.

Support for different security postures depends on the AMT release:
* Support for IEEE 802.1x and Cisco SDN requires AMT version 2.6 or higher for laptops, and AMT version 3.0 or higher for desktop PCs.
* Support for Microsoft NAP requires AMT version 4.0 or higher.
* Support for PXE boot with full network security requires AMT version 3.2 or higher for desktop PCs.


Technology

AMT includes several security schemes, technologies, and methodologies to secure access to the AMT features during deployment and during remote management. AMT security technologies and methodologies include:
* Transport Layer Security, including pre-shared key TLS (TLS-PSK)
* HTTP authentication
* Single sign-on to Intel AMT with Microsoft Windows domain authentication, based on Microsoft Active Directory and Kerberos
* Digitally signed firmware
* Pseudo-random number generator (PRNG) which generates session keys
* Protected memory (not on the hard disk drive) for critical system data, such as the UUID, hardware asset information, and BIOS configuration settings
* Access control lists (ACL)

As with other aspects of Intel AMT, the security technologies and methodologies are built into the chipset.


Known vulnerabilities and exploits


Ring −3 rootkit

A ring −3 rootkit was demonstrated by Invisible Things Lab for the Q35 chipset; it does not work for the later Q45 chipset, as Intel implemented additional protections. The exploit worked by remapping the normally protected memory region (top 16 MB of RAM) reserved for the ME. The ME rootkit could be installed regardless of whether the AMT is present or enabled on the system, as the chipset always contains the ARC ME coprocessor. (The "−3" designation was chosen because the ME coprocessor works even when the system is in the S3 state, thus it was considered a layer below the System Management Mode rootkits.) For the vulnerable Q35 chipset, a keystroke logger ME-based rootkit was demonstrated by Patrick Stewin.


Zero-touch provisioning

Another security evaluation by Vassilios Ververis showed serious weaknesses in the GM45 chipset implementation. In particular, it criticized AMT for transmitting unencrypted passwords in the SMB provisioning mode when the IDE redirection and Serial over LAN features are used. It also found that the "zero touch" provisioning mode (ZTC) is still enabled even when the AMT appears to be disabled in BIOS. For about 60 euros, Ververis purchased from Go Daddy a certificate that is accepted by the ME firmware and allows remote "zero touch" provisioning of (possibly unsuspecting) machines, which broadcast their HELLO packets to would-be configuration servers.


Silent Bob is Silent

In May 2017, Intel confirmed that many computers with AMT have had an unpatched critical privilege-escalation vulnerability (). The vulnerability, which was nicknamed "Silent Bob is Silent" by the researchers who had reported it to Intel, affects numerous laptops, desktops and servers sold by Dell, Fujitsu, Hewlett-Packard (later Hewlett Packard Enterprise and HP Inc.), Intel, Lenovo, and possibly others. Those researchers claimed that the bug affects systems made in 2010 or later. Other reports claimed that the bug also affects systems made as long ago as 2008. The vulnerability was described as giving remote attackers:

The remote user authorization process included a programmer error: it compared the user-given authorization token hash (user_response) to the true value of the hash (computed_response) using this code:

strncmp(computed_response, user_response, response_length)

The vulnerability was that response_length was the length of the user-given token and not of the true token. Since the third argument for strncmp is the maximum number of characters to compare, if it is less than the length of computed_response, only a prefix of the string will be tested for equality. Specifically, if user_response is the empty string (with length 0), this "comparison" will always return true, and thus validate the user. This allowed any person to simply log into the admin account on the devices by editing their sent HTTP packet to use the empty string as the response field's value.


PLATINUM

In June 2017, the PLATINUM cybercrime group became notable for exploiting the serial over LAN (SOL) capabilities of AMT to perform data exfiltration of stolen documents.


SA-00086

In November 2017 serious flaws were detected in the Management Engine (ME) firmware by security firm Positive Technologies, who claimed to have developed a working exploit of this system for someone having physical access to a USB port. On November 20, 2017 Intel confirmed that a number of serious flaws had been found in the Management Engine, Trusted Execution Engine, Server Platform Services and released a "critical firmware update".


Avoidance and mitigation

PCs with AMT typically provide an option in the BIOS menu to switch off AMT, though OEMs implement BIOS features differently, and therefore the BIOS is not a reliable method to switch off AMT. Intel-based PCs that shipped without AMT are not supposed to be able to have AMT installed later. However, as long as the PC's hardware is potentially capable of running the AMT, it is unclear how effective these protections are. Presently, there are mitigation guides and tools to disable AMT on Windows, but Linux has only received a tool to check whether AMT is enabled and provisioned on Linux systems. The only way to actually fix this vulnerability is to install a firmware update. Intel has made a list of updates available. Unlike for AMT, there is generally no official, documented way to disable the Management Engine (ME); it is always on, unless it is not enabled at all by the OEM. In 2015, a small number of competing vendors began to offer Intel-based PCs designed or modified specifically to address potential AMT vulnerabilities and related concerns.


See also

* Backdoor (computing)
* Host Embedded Controller Interface
* HP Integrated Lights-Out
* Intel CIRA
* Intel Core
* Internet kill switch
* Platform Controller Hub
* Lights out management
* Southbridge (computing)
* System Service Processor
* Intel AMT versions
* Intel Management Engine
* Intel vPro


External links


Open AMT Cloud Toolkit

MeshCentral2

Intel Manageability Commander

Implementing Intel AMT

Intel Active Management Technology

Intel Manageability Developer Community

Intel vPro Expert Center

ARC4 Processor

AMT videos (select the desktop channel)

Intel AMT Client - Radmin Viewer 3.3

AMT Over the Internet Provisioning (OOB Manager)

Intel ME Secrets: Hidden code in your chipset and how to discover what exactly it does, by Igor Skochinsky, talk at Code Blue 2014

Using Intel AMT and the Intel NUC with Ubuntu