Query on Provisioning Model/State

david921 · ‎11-02-2010

Hi,

Is it possible to know the provisioning model or state of an AMT machine remotely? That is, to query from the server side on the state of the client AMT machine.

I tried doing local query by using the sample C# code in Intel SDK on GeneralInfo, but they require a password to get the provisioning state of the machine. Im working with mass client AMT machines which have different passwords, so I am looking at ways to get the provisioning state without entering the password.

I have also tried using WMI scripting to do local query. But I am working with AMT version that are older than 6.0. Is there a way to register Intel AMT WMI provider in AMT version 4.0 to 5.0?

On a side note, I find that some machines open both ports 16992 and 16993. Is this possible? I mean if it's TLS-enabled, shouldn't it only listen at port 16993, and vice versa.

Many thanks!

Andrew_S_Intel2 · ‎11-02-2010

In AMT version 6.1 forward, it is possible to detect unprovisioned AMT systems remotely with an RMCP. But prior to that, you'll need todiscover that locally. In 6.0 forward the WMI provider is available, of course like you've mentioned that currently isn't available for

However, prior to the WMI provider becoming part of the platform in 6.0, there is a downloadable tool available that will pull AMT information locally on an unprovisioned system, the iAMT Scan tool (located here: http://communities.intel.com/community/openportit/vproexpert/blog/2008/10/03/iamt-scan-custom-inventory-helps-with-enterprise-activations ). I've tested this on an AMT 2.6 system, and it does capture information about provisioned state. More generally it can tell you that your machine is an AMT capable system, at which point you can determine what is needed to get it into a provisioned state if it's not responding.

Regarding your question about ports, in 6.0 forward what portsare open depend on how AMT was configured. It is possible to enable just non-TLS traffic on 16992 (and 16994 for redirection), just TLS traffic on 16993 (and 16995 for redirection), or both. There is an "AcceptNonSecureConnections" property in the AMT_TLSSettingData class that controls this behavior.

david921 · ‎11-02-2010

Hi,

Thanks for the clarification.

I have tried the iAMT scan on a unprovisioned system. The only field that returns the following
1) assettag
2) biosversion
3) chassis type
4) fqdn
5) heciversion
6) make
7) model
8) provisionserverping
9) serialnumber
10) smssitecode
11) systemname
12) unsversion
13) uuid

The provisionserverping returns fail. Since there is no MAC address (AMT Capable HOST MAC Address), am I right to conclude that the system is not provisioned?

Then. from there, how can we further conclude if the system default is set to be SMB-provisioned or enterprise-provisioned?

On the ports issue, then is it true that only either 16992 or 16993 will be opened prior to AMT 6.0? But from AMT 6.0 onwards, both ports can be set to open?

Thanks!

Andrew_S_Intel2 · ‎11-03-2010

Do you see AMTSetupStatus as an item in the registry after running iAMTScan? If you don't, that's a sign the system isn't provisioned. I did notice that although you got a heciversion and unsversion, you did not see an LMSversion entry, which likely is a problem (the LMS is part of the local software package). What was the model listed?

If the system isn't provisioned, it's in neither SMB provisioned or enterprise provisioned state. At that point the best bet is to either configure it locally in SMB, or use the Activator tool to set it up to start attempting an enterprise configuration.

Yes, prior to AMT 6.0, if you enable TLS, it disables port 16992 (the non-TLS port) for traffic. With AMT 6.0 forward, you can configure AMT to still answer on 16992 after enabling TLS, if you choose.