Intel Setup and Configuration Software (SCS) 12.0 now defaults to TLS 1.1 to encrypt communications with Intel AMT. The TLS 1.0 protocol has identified security vulnerabilities, including CVE-2011-3389 and CVE-2014-3566.

 

The Remote Configuration Service (RCS) now uses TLS 1.1 for secure configuration, unconfiguration and maintenance operations of AMT devices. To continue to manage legacy AMT systems, you must opt in for TLS 1.0 support (or add it). With SCS 12.0, the RCS will first attempt to connect using TLS version 1.1 and only if AMT system supports TLS 1.0 will it use that version.

 

You can enable TLS 1.0 protocol support to enable backwards compatibility (for devices running Intel® AMT version 7.0 and newer only) optionally during installation/upgrade of the Remote Configuration Server (RCS) and after installation.

 

During installation the "Support for Transport Layer Security (TLS) Protocol 1.0" check box can be selected (not enabled by default). After pressing Next you will have to confirm that you want to enable TLS 1.0 protocol support.

If you are running Intel SCS 12.0 and experience provisioning errors such as "***********Exit with code 75. Details: Failed to complete remote configuration of this Intel(R) AMT device" when provisioning older AMT devices, check the following registry entry on the system running the RCS:

  • 32-bit Operating Systems: HKLM\SOFTWARE\Intel\Intel(R) Setup and Configuration Software\12\RCS\GeneralSettings\
  • 64-bit Operating Systems: HKLM\SOFTWARE\Wow6432Node\Intel\Intel(R) Setup and Configuration Software\12\RCS\GeneralSettings\
    • Set the key value for EnableTLS1.0 to 1 the ensure the RCS supports both TLS 1.1 and TLS 1.0 protocols for encryption.
    • If the key value for EnableTLS1.0 equals 0, the RCS defaults to support TLS 1.1 protocol.

Restart the RCSServer service to ensure it rechecks the value of this key.

 

Please reference the Intel® Setup and Configuration Software (Intel® SCS) User Guide for additional information

 

Intel® Manageability Commander 2.0 has also removed TLS 1.0 protocol support and will only support connections to device running Intel® AMT version 7.0 and newer only.

Download Intel® Manageability Commander version 2.0.245

 

If you need to remotely manage older AMT devices (than version 7.0) then an earlier version of Intel® Manageability Commander is available (not sure for how long though!)

Download Intel® Manageability Commander version 1.08

 

Finally AMT 12.0 firmware support for TLS 1.0 has been removed and in TLS 1.2 support has been added its place.