Intel AMT 7 introduces Host Based Configuration

With Intel AMT 7 it is now possible to configure Intel AMT through a software delivery job, over wireless or VPN, or even on a system that is not connected to the network at all.  The new capability, Host Based Configuration, uses a local application and a configuration file to apply the settings to the firmware from within the host operating system.

The following simplified diagram provides an overview:

[Image: HBP simplified diagram]

Instead of depending on a central application, such as Intel SCS 6.x, to authenticate to the client out-of-band and apply the settings over a secure tunnel, Host Based Configuration behaves much like a normal software delivery job.  The configuration work is effectively distributed to the individual client systems.  If the Intel AMT configuration requires Kerberos, TLS, or other infrastructure settings, the ACU_configurator application running on the target client obtains the necessary certificates and settings from the infrastructure based on the contents of the XML file.

In the past, a wired LAN connection was required because of the security architecture of the traditional Intel AMT configuration models.   That is no longer a requirement when host based configuration is used, and the provisioning certificate and pre-shared key requirements do not apply to it either.   The trade-off is that a host based configuration lands the client in a more restricted mode, as described below.

My first experience with host based configuration was a client system that had no network connection.   All I was given was the ACU_configurator application for the client and an XML file.  Using a single, simple command, I was able to configure AMT from the local host operating system.

The traditional methods of provisioning with certificates and keys still exist.   The security model and some features were changed to allow for host based configuration.   To differentiate the two, there are two configuration modes, described below:

  • Client Control Mode: Host Based Configuration was used to configure the client.  This mode applies ONLY to host based configuration capable systems.   All Intel AMT functionality is accessible except System Defense, which is disabled.   User consent is mandatory for KVM remote control, IDE Redirection, Serial-over-LAN, and remote boot options (e.g. force PXE, force local CD/DVD boot).
  • Admin Control Mode: Also referred to as legacy configuration, this mode applies to ALL generations of Intel AMT.   It requires out-of-band authentication via provisioning certificates or pre-shared keys, or physically configuring the client through pre-boot methods.   All AMT functionality is available, and the user consent requirement can be disabled for KVM remote control sessions.

During early customer trials, some customers were perfectly satisfied with Client Control Mode while others preferred Admin Control Mode.   More on switching between these two modes with Intel SCS 7 will be shared later.
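As an added example (not code from this post or from Intel's tooling), here is how an administrator could inventory which of the two modes each client actually ended up in after configuration. It assumes the Intel AMT SDK's WS-Management class IPS_HostBasedSetupService and its CurrentControlMode values (0 not provisioned, 1 Client Control Mode, 2 Admin Control Mode); that class and those values are an assumption here, not something the post describes, and the SOAP responses are constructed samples rather than traffic captured from real systems. The script maps each mode to the consequences listed above (System Defense disabled and user consent mandatory in Client Control Mode) and flags the hosts that would have to be moved to Admin Control Mode to get the full feature set.

```python
"""Report which Intel AMT control mode a set of clients ended up in.

Added example, not code from the original post. It assumes the Intel AMT SDK's
WS-Management class IPS_HostBasedSetupService, whose CurrentControlMode property
is 0 (not provisioned), 1 (Client Control Mode) or 2 (Admin Control Mode); the
class and its values are an assumption here, not something the post states.
The SOAP responses below are constructed samples, not captured traffic.
"""
import xml.etree.ElementTree as ET

IPS_NS = "http://intel.com/wbem/wscim/1/ips-schema/1/IPS_HostBasedSetupService"

# Assumed CurrentControlMode values (Intel AMT SDK).
NOT_PROVISIONED, CLIENT_CONTROL, ADMIN_CONTROL = 0, 1, 2


def parse_control_mode(soap_xml: str) -> int:
    """Extract CurrentControlMode from a WS-Man Get response for IPS_HostBasedSetupService."""
    root = ET.fromstring(soap_xml)
    node = root.find(f".//{{{IPS_NS}}}CurrentControlMode")
    if node is None or node.text is None:
        raise ValueError("CurrentControlMode not present in response")
    return int(node.text.strip())


def describe_mode(mode: int) -> dict:
    """Map a control mode to the feature consequences the post lists for each mode."""
    if mode == CLIENT_CONTROL:
        return {
            "mode": "Client Control Mode",
            "system_defense_available": False,  # System Defense is disabled in this mode
            "user_consent": "mandatory",        # KVM, IDE-R, SOL and remote boot options
        }
    if mode == ADMIN_CONTROL:
        return {
            "mode": "Admin Control Mode",
            "system_defense_available": True,
            "user_consent": "configurable",     # can be disabled for KVM sessions
        }
    if mode == NOT_PROVISIONED:
        return {"mode": "Not provisioned", "system_defense_available": False, "user_consent": "n/a"}
    raise ValueError(f"unknown CurrentControlMode {mode}")


def audit(responses: dict) -> dict:
    """Given {hostname: soap_xml}, return {hostname: description} for every host.

    Hosts whose response cannot be parsed are reported with an 'error' key rather
    than dropped, so a broken response does not silently vanish from the inventory.
    """
    report = {}
    for host, xml in responses.items():
        try:
            report[host] = describe_mode(parse_control_mode(xml))
        except (ET.ParseError, ValueError) as exc:
            report[host] = {"error": str(exc)}
    return report


def needs_admin_control(report: dict) -> list:
    """Hosts in Client Control Mode: System Defense unavailable and every
    remote-control session prompts the local user for consent."""
    return sorted(h for h, d in report.items() if d.get("mode") == "Client Control Mode")


def _sample_response(mode: int) -> str:
    """Constructed WS-Man Get response; only the shape matters for the parser."""
    return f"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
  xmlns:g="{IPS_NS}">
  <s:Header/>
  <s:Body>
    <g:IPS_HostBasedSetupService>
      <g:AllowedControlModes>1</g:AllowedControlModes>
      <g:AllowedControlModes>2</g:AllowedControlModes>
      <g:CurrentControlMode>{mode}</g:CurrentControlMode>
      <g:ElementName>Intel(r) AMT Host Based Setup Service</g:ElementName>
    </g:IPS_HostBasedSetupService>
  </s:Body>
</s:Envelope>"""


# Constructed inventory: one host per mode plus one malformed response.
SAMPLE_RESPONSES = {
    "laptop-01": _sample_response(CLIENT_CONTROL),
    "desktop-07": _sample_response(ADMIN_CONTROL),
    "kiosk-03": _sample_response(NOT_PROVISIONED),
    "broken-09": "<s:Envelope xmlns:s='http://www.w3.org/2003/05/soap-envelope'><s:Body/></s:Envelope>",
}

if __name__ == "__main__":
    result = audit(SAMPLE_RESPONSES)
    for host, info in sorted(result.items()):
        print(f"{host:12} {info}")
    print("Client Control Mode hosts:", needs_admin_control(result))
```

In a real deployment the response for each host would come from a WS-Man Get against the AMT management port rather than from the constructed strings; the parser and the mode mapping are unchanged. Reporting a malformed or empty response as an error, instead of skipping the host, keeps a client that failed configuration visible in the inventory.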

A common question: will Host Based Configuration be available for previous generations of Intel AMT?    The short answer is that the firmware capability has been backported to Intel AMT 6.2; adoption and availability of that firmware release is at the discretion of each individual OEM.   All Intel AMT 7.x and later systems support host based configuration.

More information on the ACU_configurator commands and Intel SCS 7 availability will be posted shortly.  If you are actively introducing Intel AMT 7.x systems into your environment today and are eager for more information, leave a comment below or send a private message via the community email.