Remote connection to bios with Intel SGX and Intel AMT (vPro)

gpi · ‎03-06-2025

I have a requirement of both Intel SGX and Intel AMT (vPro) for a new server or workstation.

I cannot see both features in any processor and is desired remote connection to bios

1) Is it possible for a Xeon or similar processor to have both features included?

2) If a Xeon processor has the Intel SGX feature, but not AMT (vPro), is it possible to remotely access the BIOS with Intel?

Thanks in advance

GPI

vij1 · ‎04-25-2025

Hello gpi,

1) Is it possible for a Xeon or similar processor to have both Intel SGX and Intel AMT (vPro) features included?
Answer: Yes, but it depends on the specific Xeon model and platform. Not all Xeon processors support both features. You can verify support for Intel Software Guard Extensions (SGX) and Intel Active Management Technology (AMT) by reviewing the processor specifications on Intel’s ARK database.

Reference:
Intel ARK: https://ark.intel.com

2) If a Xeon processor has the Intel SGX feature, but not AMT (vPro), is it possible to remotely access the BIOS with Intel tools?
Answer: No. Remote BIOS access requires Intel AMT, which is part of the Intel vPro platform. SGX alone does not provide any remote manageability features.

However, if the system is provisioned in Client Control Mode (CCM), limited BIOS access is possible with user consent during the session.

Reference:
Intel AMT Overview: https://www.intel.com/content/www/us/en/architecture-and-technology/vpro/vpro-platform-general.html
Intel EMA Guide: https://www.intel.com/content/www/us/en/download/741689/intel-endpoint-management-assistant-intel-ema.html

Additional Notes:

Intel EMA (Endpoint Management Assistant) supports remote management for systems running desktop operating systems only.
To access BIOS remotely via Intel AMT, the entire platform must be Intel vPro-capable (not just the processor).
Only a few mobile Xeon processors (typically found in workstation-class laptops) support AMT/vPro.
If you're building a desktop or server system with a Xeon CPU and need both SGX and AMT features, please ensure the motherboard, chipset, and LAN controller also support vPro/AMT.

We recommend contacting your PC OEM or hardware vendor to confirm whether the complete platform supports both Intel SGX and Intel AMT, especially for remote BIOS access scenarios.

Best regards,

Vijay N.

Intel Customer Support Technician.

vij1 · ‎04-28-2025

Hello GPI,

I am following up on the case and wondering if I can help you with anything else. Look forward to your response.

Regards,

Vijay N

gpi · ‎04-29-2025

First of all, thank you Vijay for your extensive response.

1) After a more advanced search, using more appropriate filters at https://www.intel.com/content/www/us/en/ark/featurefilter.html, I found the correct answer: it does exist.

2) I actually came to the same conclusion. In this case, my lack of experience with the multitude of options in Intel's current UEFI prevented me from realizing that the "CCM" feature could be another remote option; perhaps due to the idea of a connection should be without the OS running.

In this scenario, as I mentioned, where a layer of security is needed for a remote connection without the OS, a new physical server with both features was chosen, with Intel SGX and Intel AMT (vPro).

Regards,
GPI

vij1 · ‎04-29-2025

Hello gpi,

Thank you for your response.

I'm glad to hear that you found the correct answer and confirmed the existence of the features you were looking for.

1. Understanding of "CCM" Feature:

o Your understanding is correct. The "CCM" feature can indeed be used for remote connections without the OS running, and it is understandable that the multitude of options in Intel's UEFI could be overwhelming. Your conclusion about the need for a layer of security for remote connections without the OS is spot on.

2. Installation Prerequisites for Intel® EMA Server:

o Computer Requirements: Ensure you have a computer or virtual machine with sufficient capability for the expected traffic. The recommended configuration is 2 Intel® Xeon® Processors, 16 threads, 24GB RAM, and 1TB Mirrored storage, which should handle over 20k connections.

o Operating System: Refer to the supported operating systems. Note that Intel® EMA currently does not provide internationalization support, so the operating system needs to have English-US Windows display language, English-US system locale, and English-US format (match Windows display language).

o For more details please refer the Intel® Endpoint Management Assistant (Intel® EMA)Server Installation Guide: https://www.intel.com/content/www/us/en/content-details/840810/intel-endpoint-management-assistant-intel-ema-server-installation-guide.html

3. Endpoint Requirements for Full Features:

o All versions of the Intel vPro® platform require an eligible Intel® Core™ processor, a supported operating system, Intel LAN and/or WLAN silicon, firmware enhancements, and other necessary hardware and software to deliver the manageability use cases, security features, system performance, and stability that define the platform. Additional details can be found at Intel vPro.

If you have any further questions or need additional assistance, please feel free to reach out.

Best regards,

Vijay N.

Intel Customer Support Technician

pujeeth · ‎05-02-2025

Hello GPI,

I am following up on the case and wondering if I can help you with anything else. Look forward to your response.

Regards,

Pujeeth

Customer Support Technician

pujeeth · ‎05-06-2025

Hello GPI,

I am following up on the case and wondering if I can help you with anything else. Look forward to your response.

Regards,

Pujeeth

Intel Customer Support Technician