
Following on from my previous blog where we used the Intel® SCS Add-on for Microsoft* System Center Configuration Manager to discover Intel® Active Management Technology (Intel® AMT) devices, this article discusses a simple method using Microsoft PowerShell cmdlets to locally or remotely get instances and information about WMI classes related to AMT firmware and BIOS versions.


Intel® Setup and Configuration Software (Intel® SCS) will check for an escalation of privilege firmware vulnerability (SA-00075) and will not configure (provision) AMT devices if the firmware has not been updated. The objective is to identify Intel vPro platforms that may require an AMT firmware or BIOS update and enable a smoother experience when configuring AMT.


Intel Management Engine (ME) WMI Provider

If the AMT device already has the Intel Management Engine Driver components installed (either from here or the OEM) then the Intel ME WMI provider will be available. This is implemented as a DLL (MeProv.dll) and extends the existing Windows WMI service by abstracting low-level Management Engine Interface (MEI) operations through WMI.


The Intel ME WMI provider creates six classes in the root\Intel_ME namespace.


Class Name: Description

  • ME_System: Provides information on the Intel Manageability Engine (ME)
  • This class provides information on provisioning certificate hashes available within firmware.
  • AMT_EthernetPortSettings: Contains all AMT network specific settings i.e. IP, DHCP, VLAN for one network interface in the system
  • AMT_Service: Provides access to AMT features such as KVM, USB-R etc.
  • AMT_SetupAuditRecord: Provides a record of the last ME Activation Event as recorded by ME
  • OOB_Service: Handles AMT provisioning and reports on the OOB configuration

We focus on the first class in this article, ME_System, to gather firmware and host information. Type the following into a Windows PowerShell command line:

Get-WmiObject -Class ME_System -Namespace root\Intel_ME


We're only really interested in two pieces of information, computername (PSComputerName) and firmware (FWVersion) so we format output for the same command:

Get-WmiObject -Class ME_System -Namespace root\Intel_ME | Format-List PSComputerName,FWVersion


You can run the same command remotely using the -Credential parameter (user account name) of the Get-WmiObject cmdlet. You will be prompted for a password.

Get-WmiObject -Class ME_System -Namespace root\Intel_ME -Credential vprodemo\administrator -ComputerName vproclient


Microsoft System Center Configuration Manager WMI Provider

If you don't have the Intel Management Engine Driver components installed (either from here or the OEM) then the Intel ME WMI provider will not be available.

However, if you use Configuration Manager then you can leverage the SMS_AMTObject WMI class, which is used by the Configuration Manager Hardware Inventory client and provides Intel AMT information for reporting purposes.



Type the following into a Windows PowerShell command line:

Get-WmiObject -Class SMS_AMTObject -Namespace root\cimv2\SMS


Again we are only really interested in a couple of pieces of information i.e. computername (PSComputerName) and AMT firmware version and build (AMT and BuildNumber) so we format output for the same command:

Get-WmiObject -Class SMS_AMTObject -Namespace root\cimv2\SMS | Format-List PSComputerName,AMT,BuildNumber


NOTE: Starting in Windows PowerShell 3.0, the Get-WmiObject cmdlet has been superseded by Get-CimInstance.
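
The two queries above can be combined into one inventory pass with Get-CimInstance. This is an added example, not code from the original article: the function name and the -MinimumVersion parameter are hypothetical, and the threshold you pass must come from your OEM's firmware advisory. It assumes FWVersion is a dotted version string and only compares when the reported value parses as one.

```powershell
# Added example, not from the original article.
# Get-AmtFirmwareInventory and -MinimumVersion are hypothetical names; the
# default threshold is a placeholder, not a real fixed-firmware version.
function Get-AmtFirmwareInventory {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [version]$MinimumVersion = '0.0.0.0'
    )

    foreach ($computer in $ComputerName) {
        # Remote Get-CimInstance calls use WS-Man (WinRM), not DCOM like Get-WmiObject.
        $target = @{}
        if ($computer -ne $env:COMPUTERNAME) { $target['ComputerName'] = $computer }

        $source = 'ME_System'
        $reported = $null
        try {
            $me = Get-CimInstance -Namespace 'root\Intel_ME' -ClassName 'ME_System' @target -ErrorAction Stop |
                Select-Object -First 1
            if (-not $me) { throw 'No ME_System instance returned.' }
            $reported = $me.FWVersion
        } catch {
            # No Intel ME WMI provider: fall back to the Configuration Manager class.
            try {
                $sms = Get-CimInstance -Namespace 'root\cimv2\SMS' -ClassName 'SMS_AMTObject' @target -ErrorAction Stop |
                    Select-Object -First 1
                $source = 'SMS_AMTObject'
                $reported = if ($sms) { "$($sms.AMT) build $($sms.BuildNumber)" }
            } catch {
                $source = 'unavailable'
            }
        }

        # Only compare when the reported string parses as a dotted version.
        $parsed = $null
        $comparable = $reported -and [version]::TryParse([string]$reported, [ref]$parsed)

        [pscustomobject]@{
            ComputerName = $computer
            Source       = $source
            Reported     = $reported
            BelowMinimum = if ($comparable) { $parsed -lt $MinimumVersion } else { $null }
        }
    }
}

# Local machine only; pass -ComputerName and a real -MinimumVersion for a fleet.
Get-AmtFirmwareInventory | Format-Table -AutoSize
```

Rows with Source 'unavailable' or an empty BelowMinimum need a manual check rather than being treated as up to date.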



Is anyone aware if there is any way to trigger BIOS recovery (normally available by long power button press) remotely through AMT? I have a remote unattended system (NUC7i5DNHE). There I have left a small USB memory plugged in - just in case something would be needed for BIOS recovery. BUT, is there any way to trigger it via AMT (/MeshCommander)?? Anything maybe through custom boot action??


My problem is that the remote update of BIOS to version DNKBLi5v.86A.0053.2018.0903.2245 fails with the following screen:



Kind regards,



Intel® Manageability Commander (IMC) is a lightweight console used to connect and use the features of Intel® Active Management Technology (Intel® AMT). Authenticated and authorised users are able to connect to configured AMT devices to access services such as power control, remote hardware-based keyboard, video, mouse (remote desktop), hardware inventory and more.


Additionally IMC integrates with Microsoft* System Center Configuration Manager (SCCM) version 1511 and to provide reliable, TCP based mass wake capabilities for collections of configured AMT systems.

The IMC console extensions will automatically perform an AMT power-on action against collections of AMT systems for deployments triggered in SCCM. Additionally you can use IMC to manually power on collections of supported AMT systems directly from the SCCM console using the right-click context menu (see below).


Download and extract Intel® Manageability Commander. During installation, ensure that "Microsoft* SCCM Console Extension" is selected.

NOTE: This component can only be selected when installing on a Microsoft* SCCM primary site and when wake-on-LAN is enabled for scheduled tasks.


During installation you will be asked to specify the logon account for the "Intel(R) Managebility Commander SCCM Partner Notification File Service".


The specified account should have "Logon As A Service" user rights as the installation creates a system service.


NOTE: Digest authentication credentials cannot be used when utilising IMC from SCCM against a collection, only Kerberos authentication is supported.


In the example below we've used the service account responsible for running the Intel Remote Configuration Service. Intel SCS is a separate component installed to support remote configuration of Intel AMT.


Please see this link for information on Intel® Setup and Configuration Software (Intel® SCS)


If the account doesn't have "Logon As A Service" privileges then the warning below will be displayed during installation. Use the Local Security Policy to assign the required user right to the service account.



Once installation has been completed on the primary site, the SMS_EXECUTIVE service must be restarted to ensure features show up in Microsoft* SCCM.


Additionally, if the Microsoft* SCCM console was open during installation, then this will need to be closed and re-opened.


From the SCCM console, right-click against a collection and the option to "Power on with Intel Managebility Commander" is available.


It is recommended that you test the functionality manually first if you have configured AMT systems in the collection.


When performing a mass wake from SCCM on a collection, IMC will prompt the user for the optional use of TLS for the remote connections.

NOTE: When AMT wake is used as part of a deployment, IMC will default to using TLS for all remote connections.


When performing a mass wake from SCCM on a collection, IMC will remain open so that the per-system status can be reviewed (see below)


The final step will be to log on using the service account that runs the "Intel(R) Managebility Commander SCCM Partner Notification File Service" specified earlier. Once logged in, run Intel Manageability Commander and connect to a provisioned AMT device, then disconnect and log off.


This saves configuration changes for that account and ensures the "Intel(R) Managebility Commander SCCM Partner Notification File Service" is able to power on AMT devices unattended.

NOTE: A new version of the Intel® Setup and Configuration Software (Intel® SCS) Add-on for Microsoft* System Center Configuration Manager (SCCM) is now available.


The Intel® Setup and Configuration Software (Intel® SCS) Add-on for Microsoft* System Center Configuration Manager (SCCM) is a configuration wizard that creates collections, packages and task sequences that can be used to automatically discover, configure and maintain Intel Active Management Technology (Intel® AMT) within your organisation directly from the Configuration Manager Console.

This document details how to automatically discover AMT devices within your client estate to determine platform manageability capabilities and whether AMT firmware updates are required.


Subsequent articles will detail how to automatically configure, unconfigure and maintain Intel Active Management Technology (Intel® AMT)

Intermediate certificates act as a proxy for a Root certificate authority (CA) which is traditionally kept behind several layers of security i.e. “offline”, kept in a highly secure environment with limited access to ensure its keys are inaccessible.


Hence the Root CA is not used to directly sign SSL certificates but delegates these tasks to intermediate CAs. The Root certificate signs the intermediate certificate, which in turn is used to sign digital SSL certificates and maintain the "Chain of Trust."


Traditionally an Intel® AMT system could only use trusted root certificates or a full certificate chain i.e. intermediate, leaf certificates in its own certificate store to authenticate correctly. Intel SCS 12 now has support to enable the use of intermediate certificates to support authentication for any of the features below:

  • 802.1x Setups
  • Remote Access using a Management Presence Server
  • Mutual authentication in Transport Layer Security


You may say "so what" however this capability is becoming increasingly important where, for example the 802.1x network protocol is used to provide an authentication mechanism to devices wishing to connect to a corporate LAN or WLAN. The variety of RADIUS servers available i.e. Microsoft Network Policy Server (NPS), Aruba Clearpass, Cisco Identity Services Engine etc. means authentication is not always performed using a complete certificate chain, rather using an intermediate and leaf.


This feature enhancement should enable Intel AMT to integrate more easily into 802.1x environments to support robust network authentication and still be available to support out-of-band services such as KVM (keyboard, video, mouse) or power control when the OS isn't running or the system is powered off/down/hibernate within an enterprise environment.

Intel Setup and Configuration Software (SCS) 12.0 now defaults to TLS 1.1 to encrypt communications with Intel AMT. The TLS 1.0 protocol has identified security vulnerabilities, including CVE-2011-3389 and CVE-2014-3566.


The Remote Configuration Service (RCS) now uses TLS 1.1 for secure configuration, unconfiguration and maintenance operations of AMT devices. To continue to manage legacy AMT systems, you must opt in for TLS 1.0 support (or add it). With SCS 12.0, the RCS will first attempt to connect using TLS version 1.1 and only if AMT system supports TLS 1.0 will it use that version.


You can enable TLS 1.0 protocol support to enable backwards compatibility (for devices running Intel® AMT version 7.0 and newer only) optionally during installation/upgrade of the Remote Configuration Server (RCS) and after installation.


During installation the "Support for Transport Layer Security (TLS) Protocol 1.0" check box can be selected (not enabled by default). After pressing Next you will have to confirm that you want to enable TLS 1.0 protocol support.

If you are running Intel SCS 12.0 and experience provisioning errors such as "***********Exit with code 75. Details: Failed to complete remote configuration of this Intel(R) AMT device" when provisioning older AMT devices, check the following registry entry on the system running the RCS:

  • 32-bit Operating Systems: HKLM\SOFTWARE\Intel\Intel(R) Setup and Configuration Software\12\RCS\GeneralSettings\
  • 64-bit Operating Systems: HKLM\SOFTWARE\Wow6432Node\Intel\Intel(R) Setup and Configuration Software\12\RCS\GeneralSettings\
    • Set the key value for EnableTLS1.0 to 1 to ensure the RCS supports both TLS 1.1 and TLS 1.0 protocols for encryption.
    • If the key value for EnableTLS1.0 equals 0, the RCS defaults to support TLS 1.1 protocol.

Restart the RCSServer service to ensure it rechecks the value of this key.
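
The registry check and service restart described above can be scripted so that TLS 1.0 is only enabled deliberately and is easy to switch back off. This is an added example, not Intel's code: the function names are hypothetical, and it assumes EnableTLS1.0 is a DWORD value stored under the GeneralSettings key quoted above.

```powershell
# Added example (not Intel's code). Run elevated on the host running the RCS.
# Assumptions: EnableTLS1.0 is a DWORD value under the GeneralSettings key
# quoted in the article; the function names are hypothetical.
$RcsSettingsPaths = @(
    'HKLM:\SOFTWARE\Intel\Intel(R) Setup and Configuration Software\12\RCS\GeneralSettings',
    'HKLM:\SOFTWARE\Wow6432Node\Intel\Intel(R) Setup and Configuration Software\12\RCS\GeneralSettings'
)
$RcsTlsValueName = 'EnableTLS1.0'

function Get-RcsTls10Setting {
    # Report the setting for every GeneralSettings key that exists on this host.
    foreach ($path in $RcsSettingsPaths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item  = Get-ItemProperty -LiteralPath $path -Name $RcsTlsValueName -ErrorAction SilentlyContinue
        $value = if ($item) { $item.$RcsTlsValueName } else { $null }
        [pscustomobject]@{
            Path          = $path
            Value         = $value            # $null when the value is not present
            Tls10Accepted = ($value -eq 1)    # 1 = TLS 1.1 and TLS 1.0, 0 = TLS 1.1
        }
    }
}

function Set-RcsTls10Setting {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][bool]$Enabled)

    $existing = @($RcsSettingsPaths | Where-Object { Test-Path -LiteralPath $_ })
    if ($existing.Count -eq 0) { throw 'No RCS GeneralSettings key found on this host.' }

    foreach ($path in $existing) {
        if ($PSCmdlet.ShouldProcess($path, "Set $RcsTlsValueName to $([int]$Enabled)")) {
            Set-ItemProperty -LiteralPath $path -Name $RcsTlsValueName -Value ([int]$Enabled) -Type DWord
        }
    }

    # The RCS only rechecks the value when the service restarts.
    if ($PSCmdlet.ShouldProcess('RCSServer', 'Restart service')) {
        Restart-Service -Name 'RCSServer'
    }
}

Get-RcsTls10Setting | Format-List
# Set-RcsTls10Setting -Enabled $true  -WhatIf   # while legacy AMT devices are provisioned
# Set-RcsTls10Setting -Enabled $false -WhatIf   # back to TLS 1.1 once they are done
```

Remove -WhatIf to apply the change; running Get-RcsTls10Setting on a schedule shows whether a temporary TLS 1.0 opt-in was ever reverted.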


Please reference the Intel® Setup and Configuration Software (Intel® SCS) User Guide for additional information


Intel® Manageability Commander 2.0 has also removed TLS 1.0 protocol support and will only support connections to devices running Intel® AMT version 7.0 and newer.

Download Intel® Manageability Commander version 2.0.245


If you need to remotely manage older AMT devices (than version 7.0) then an earlier version of Intel® Manageability Commander is available (not sure for how long though!)

Download Intel® Manageability Commander version 1.08


Finally, AMT 12.0 firmware support for TLS 1.0 has been removed and TLS 1.2 support has been added in its place.

We experience irrelevant AMT event log on HP 800 G2 machines. We have around 1000 of such machines and about 30% display in the AMT event log: system boot failure events. But this event means nothing as Windows 7 installed on these computers boots normally. This event appears in the event log after a normal reboot of the computer from Windows 7 OS. Anyone experience similar problem?

There are some situations in which it would be nice to be able to export and import Intel Setup and Configuration Service (Intel SCS) provisioning profiles...


  • Environments with multiple Intel RCS servers to accommodate provisioning workload where profiles need to be duplicated across servers
  • Environments with multiple Intel RCS servers because of organization administration demands (i.e. politics, segregation...) where profiles need to be copied across servers
  • Situations in which it is required to simply backup and restore profiles



Exporting profiles from Intel RCS is simple enough; from the Intel SCS console you use the toolbar to export profiles to an encrypted XML format file. But there is no import function on the Intel SCS console to import profiles from a backup file or another Intel RCS server.


So here's a simple solution; Intel RCS supports a WMI provider which is used to communicate with other software such as the SCS console and ACUConfig utility. Intel SCS provisioning profiles (amongst other things) can be read and written using this WMI provider. Windows PowerShell includes built-in cmdlets to provide easy access to WMI providers. With a little effort we can construct a couple of lines of PowerShell script to do everything we need to export, backup, restore and import profiles with Intel RCS servers.


The following code reads all Intel SCS profiles from an Intel RCS server and stores them in a PowerShell variable...


# Configure source RCS server
$SourceRCSServer = "SourceRCSServerHostname"

# Read profiles from source RCS server
$RCSProfiles = Get-WmiObject -Class "RCS_Profile" -Namespace "root/Intel_RCS_Editor" -Authentication PacketPrivacy -ComputerName $SourceRCSServer


Once we've read all the profiles, we may want to back them up. The following code copies our previously read profiles to a backup file...


# Save profiles to backup file

$RCSProfiles | Export-Clixml .\ProfilesBackup.xml


Sometime later we may want to restore our profiles. The following code restores our profiles from the backup file to a PowerShell variable...


# Restore profiles from backup file

$RCSProfiles = Import-Clixml .\ProfilesBackup.xml


And finally, if we want to write our profiles to one or more Intel RCS servers, the following code writes our profiles from a PowerShell variable to Intel RCS...


# Configure one or more destination RCS servers
$DestinationRCSServers = "DestinationRCSServer1", "DestinationRCSServer2", "DestinationServerN"

# Write profiles to destination RCS servers
foreach ($DestinationRCSServer in $DestinationRCSServers)
{
   # Read and delete any existing profiles on the destination RCS server
   Get-WmiObject -Class "RCS_Profile" -Namespace "root/Intel_RCS_Editor" -Authentication PacketPrivacy -ComputerName $DestinationRCSServer | Remove-WmiObject

   # Write all profiles to the destination RCS server
   foreach ($RCSProfile in $RCSProfiles)
   {
      Set-WmiInstance -Class "RCS_Profile" -Namespace "root/Intel_RCS_Editor" -Authentication PacketPrivacy -ComputerName $DestinationRCSServer -Arguments @{ElementName=$RCSProfile.ElementName;InstanceId=$RCSProfile.InstanceId;Text=$RCSProfile.Text;ProfileDescription=$RCSProfile.ProfileDescription;SolutionGUID=$RCSProfile.SolutionGUID;SolutionName=$RCSProfile.SolutionName} | Out-Null
   }
}


All of the above code assumes the currently logged on Windows user has access to the Intel_RCS_Editor WMI namespace and appropriate DCOM permissions on the Intel RCS server (see the Intel SCS Users Guide for information on configuring these permissions during Intel RCS installation). The example code can easily be enhanced, for example scheduling it to run regularly to automatically synchronize profiles across multiple Intel RCS servers or by using PowerShell's filtering capabilities to save some profiles and delete others.


Two cautionary notes:


  1. The code shown above to back up profiles to a file does not encrypt those files, therefore any plaintext credentials in the profile (e.g. the MEBX password, a fixed AMT admin password, AMT digest credentials or KVM RFB password) will be visible in the backup file. The Intel SCS package includes a file encryption utility called SCSEncryption that can be used to encrypt/decrypt profile backup files or the files can be stored such that they are only accessible to authorized personnel.
  2. Profiles containing Microsoft Active Directory domain accounts, domain groups or certificate template information are tied to specific Active Directory installations because profiles store domain account, domain group and certificate template information by SID information rather than by name. SIDs are specific to individual Active Directory installations therefore profiles cannot be transported between installations if they contain domain accounts, domain groups or certificate template information. So this means you can use the above scripts with Intel RCS servers if they are all part of the same Active Directory structure (which is typically the case with most organizations). But profiles containing domain accounts, domain groups or certificate templates cannot be copied between different customer environments or between customer test environments and production environments if they are based on different Active Directory installations.
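
For the first cautionary note, one way to keep the unencrypted backup accessible only to authorized personnel is to write it into a folder whose ACL is locked down before the file is created. This is an added example, not part of the original post: the folder path and function name are hypothetical, and $RCSProfiles is the variable filled by the Get-WmiObject call shown earlier.

```powershell
# Added example, not from the original post. The folder path and function name
# are hypothetical; $RCSProfiles comes from the Get-WmiObject call shown earlier.
function New-RestrictedBackupFolder {
    param([Parameter(Mandatory)][string]$Path)

    $folder = New-Item -ItemType Directory -Path $Path -Force
    $acl = Get-Acl -LiteralPath $folder.FullName

    # Stop inheriting from the parent folder and drop the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)

    # Remove explicit entries left over from an earlier run or manual change.
    $acl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $sids = @(
        'S-1-5-32-544',   # BUILTIN\Administrators
        'S-1-5-18',       # NT AUTHORITY\SYSTEM
        [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    )
    foreach ($sid in $sids) {
        $identity = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, 'FullControl', $inherit, $none, 'Allow')
        $acl.AddAccessRule($rule)
    }

    Set-Acl -LiteralPath $folder.FullName -AclObject $acl
    $folder.FullName
}

# Lock the folder down first, then write the backup into it so the file is
# never readable through a broader inherited ACL.
$backupFolder = New-RestrictedBackupFolder -Path 'C:\RCSProfileBackups'
$RCSProfiles | Export-Clixml -LiteralPath (Join-Path $backupFolder 'ProfilesBackup.xml')

# Confirm what ended up on the folder.
(Get-Acl -LiteralPath $backupFolder).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

The ACL limits who can read the file on this host only; copies moved elsewhere still carry any plaintext credentials the profiles contain.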

Things are changing around here! Do you want to receive support direct from an Intel engineer? Intel® Business Support is a new portal designed to provide faster, more personalized assistance. Users submit tickets, track their tickets’ progress, and get their environment up and running faster within the Intel® Business Support website. Users are eligible to submit tickets by filling out a quick enrollment form.


If you choose not to enroll, you can access community-based support at the Intel® vPro™ Expert Center. The community, however, will no longer be supported by Intel experts. The only way to get assistance direct from Intel will be by enrolling. Enroll now and get your environment back on the fast track to success!


Intel® Business Support

Getting your business back to what’s important, faster.

Implementing Intel vPro in a production environment is "easy" in comparison to a major project such as domain migration, email setup\migration, ERP setup\update, or changes due to business acquisition or divestiture.  A successful project requires disciplines across IT operations, business processes and governance, project management, client systems management, and understanding of the vPro\AMT technology.


That said - there are a few roles\responsibilities that might help.


Project Sponsor or Champion

The executive or project sponsor with the vision of success, ability to get "buy-in" from others, and has the foresight to navigate internal non-technical challenges.


Project Management

Coordination of resources, schedules, expectations, and so forth. A key role for any successful project, which often has representation both inside and outside a production environment.


Business Process Change Management

Intel vPro extends the reach of client system management with out-of-band capabilities. Understanding the current and future business processes and IT governance is key. Understanding the capabilities of Intel vPro and how it will augment and extend the environment is key. Understanding the desired future state of the environment and associated metrics is paramount.


IT Infrastructure

Intel vPro is focused on the security and manageability of the client systems. It leverages many of the infrastructural capabilities which exist as a foundation to build upon. Understanding the impacts, interactions, troubleshooting, and so forth is important technologically.


Client Systems Management

Understanding the usage models requires some technical experience with the platform. Combined with the roles above, along with the functionality of client system management and Intel vPro technology - this project team role\responsibility is critical.


Principal and Strategic Architects

Individual or team with a holistic understanding of the current and future state of the environment, upcoming technological advances, and so forth. Perhaps a superset of previously stated roles. This role\team assists in making visions become reality.


Agree or disagree?  Please share
