Is it possible to know the provisioning model or state of an AMT machine remotely? That is, to query from the server side on the state of the client AMT machine.
I tried doing local query by using the sample C# code in Intel SDK on GeneralInfo, but they require a password to get the provisioning state of the machine. Im working with mass client AMT machines which have different passwords, so I am looking at ways to get the provisioning state without entering the password.
I have also tried using WMI scripting to do local query. But I am working with AMT version that are older than 6.0. Is there a way to register Intel AMT WMI provider in AMT version 4.0 to 5.0?
On a side note, I find that some machines open both ports 16992 and 16993. Is this possible? I mean if it's TLS-enabled, shouldn't it only listen at port 16993, and vice versa.
However, prior to the WMI provider becoming part of the platform in 6.0, there is a downloadable tool available that will pull AMT information locally on an unprovisioned system, the iAMT Scan tool (located here: http://communities.intel.com/community/openportit/vproexpert/blog/2008/10/03/iamt-scan-custom-invent... ). I've tested this on an AMT 2.6 system, and it does capture information about provisioned state. More generally it can tell you that your machine is an AMT capable system, at which point you can determine what is needed to get it into a provisioned state if it's not responding.
Regarding your question about ports, in 6.0 forward what portsare open depend on how AMT was configured. It is possible to enable just non-TLS traffic on 16992 (and 16994 for redirection), just TLS traffic on 16993 (and 16995 for redirection), or both. There is an "AcceptNonSecureConnections" property in the AMT_TLSSettingData class that controls this behavior.
Thanks for the clarification.
I have tried the iAMT scan on a unprovisioned system. The only field that returns the following
3) chassis type
The provisionserverping returns fail. Since there is no MAC address (AMT Capable HOST MAC Address), am I right to conclude that the system is not provisioned?
Then. from there, how can we further conclude if the system default is set to be SMB-provisioned or enterprise-provisioned?
On the ports issue, then is it true that only either 16992 or 16993 will be opened prior to AMT 6.0? But from AMT 6.0 onwards, both ports can be set to open?
Do you see AMTSetupStatus as an item in the registry after running iAMTScan? If you don't, that's a sign the system isn't provisioned. I did notice that although you got a heciversion and unsversion, you did not see an LMSversion entry, which likely is a problem (the LMS is part of the local software package). What was the model listed?
If the system isn't provisioned, it's in neither SMB provisioned or enterprise provisioned state. At that point the best bet is to either configure it locally in SMB, or use the Activator tool to set it up to start attempting an enterprise configuration.
Yes, prior to AMT 6.0, if you enable TLS, it disables port 16992 (the non-TLS port) for traffic. With AMT 6.0 forward, you can configure AMT to still answer on 16992 after enabling TLS, if you choose.