Re: Disabling AMT

SWood5 · ‎11-27-2017

Most of our HP workstations have AMT. Our management has decreed that we disable AMT based on the recent security advisory. We've never provisioned our systems. We struggled through running the tools in May to pull inventory on affected systems and deployed updated firmware from HP. The whole experience was exhausting.

I've read some posts that suggest to disable AMT we need to remove the LMS service as well as delete LMS.exe. In our inventory, only some of our newer systems are running LMS. Is there an alternative way to disable AMT (short of accessing the BIOS of each system) on all our workstations?

Will ACUConfig.exe offer protection? Should I setup SCS to disable AMT?

Thanks for any help and advice.

idata · ‎11-30-2017

Hi Sandy,

There is a method to disable AMT in HP BIOS using one of their tools. You can pull down the tool here:

http://ftp.hp.com/pub/caps-softpaq/cmit/HP_BCU.html

On the page, there is also an HP BCU User Guide link, you can use this for reference.

1. You'll need to verify the settings on each of the computers because the verbiage in the BIOS differs from model to model. You can run the tool and do a "get" command on each of the models to find out the correct verbiage.

2. Once you find the correct verbiage, you would remotely call WMI to disable AMT on the system. You can use powershell to do this.

An example (this was for an unconfiguration):

$HP_Bios = Get-WmiObject -Namespace root\hp\instrumentedBIOS -Class HP_BiosSettingInterface

$HP_Bios.SetBiosSetting('Unconfigure AMT on next boot', 'Apply')

$HP_Bios.SetBiosSetting('Show Unconfigure ME Confirmation Prompt', 'Disable')

An example for AMT for this specific model (800G2)$HP_Bios = Get-WmiObject -Namespace root\hp\instrumentedBIOS -Class HP_BiosSettingInterface

$HP_Bios.SetBiosSetting('Active Management (AMT)', 'Disable')

Regards,

Michael

PJens · ‎01-19-2018

Question on this solution. If we do this, what is to stop someone from re-enabling it using the default admin password?

If that is a risk, then how can we change the default admin password in a script as well?

Thanks!

idata · ‎01-25-2018

Hi Phil,

If someone has:

1. Physical access to the system

2. Is knowledgeable enough to access MEBx

3. MEBx password is set to default and has not been changed.

then they would be able to re-enable AMT using the default admin password.

There are three ways to change the digest admin default password (in order of simple to complex):

1. Physically on the system, accessing MEBx and changing password.

2. Configuration via USB Key, which begins in section 1.4.2 of the SCS User Guide - Physical access to the system is required for this method.

3. Remote Configuration (best solution if you have many systems or if they are remote but are on your domain). More details begin at section 1.4.4 of the SCS User Guide.

There is no other method for changing the default admin password.

The SCS User Guide can be accessed at this link:

https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf

Information on certificates needed for remote configuration can be accessed at this link:

https://www.intel.com/content/www/us/en/remote-support/intel-vpro-certificates.html

Intel recommends following best security practices. Please find document at this link:

ttps://www.intel.com/content/dam/support/us/en/documents/technologies/Intel_AMT_Security_Best_Practices_QA.pdf

Question 6 is most appropriate for your question.

Regards,

Michael A

PJens · ‎01-29-2018

I have looked at your pdf link. It seems the 1.4.4 section you referenced says

"To use this method, the Intel AMT device must have at least one active hash

certificate defined in the Intel MEBX. If the manufacturer does this before he sends the computer out, then you

can configure these computers remotely."

So the next question is, what if the manufacturers did not configure this? Does that mean that we can not do it remotely?

Thanks,

Phil

idata · ‎01-30-2018

Hi Phil,

For remote configuration, a specific AMT certificate from one of the certificate authorities is required. As mentioned in the previous post, there is only one way to perform a remote configuration where the MEBx password can be changed, which is the aforementioned method. You will be unable to perform this change remotely without one.

Regards,

Michael

rjt · ‎02-05-2018

How do you know if one of these certificates is in AMT / vPro or not?

PJens · ‎02-06-2018

Yes, that is a good question, how can I confirm if there is a certificate (or more likely that there is not)?

Thanks,

Phil

idata · ‎02-06-2018

If an AMT certificate was purchased from a qualified Certificate Authority, referenced here:

https://www.intel.com/content/www/us/en/remote-support/intel-vpro-certificates.html

The certificate would reside on the RCS Server in the certificate store of the service account running the RCSServer service. Once you open the certificate snap-in for that account, you will find the certificate in the personal store. You would then be able to look at the certificate subject and match it against the OU string: Intel(R) Client Setup Certificate

or the OID under Enhanced Usage AMT OID: 2.16.840.1.113741.1.2.3

rjt · ‎02-05-2018

Traditional Wake-On-LAN does not work at all with AMT / vPro machines. I am curious if others have found a way to wake them without AMT / vPro?

idata · ‎02-06-2018

I don't quite understand the statement as WOL works with AMT but there are requirements:

1. Must be an Intel NIC

2. Must be wired

3. Must be enabled in the BIOS

Regards

Michael