10 Replies Latest reply on Feb 6, 2018 3:32 PM by Intel Corporation

    Disabling AMT

    Sandy.Wood

      Most of our HP workstations have AMT. Our management has decreed that we disable AMT based on the recent security advisory. We've never provisioned our systems. We struggled through running the tools in May to pull inventory on affected systems and deployed updated firmware from HP. The whole experience was exhausting.


      I've read some posts that suggest to disable AMT we need to remove the LMS service as well as delete LMS.exe. In our inventory, only some of our newer systems are running LMS. Is there an alternative way to disable AMT (short of accessing the BIOS of each system) on all our workstations?


      Will ACUConfig.exe offer protection? Should I set up SCS to disable AMT?


      Thanks for any help and advice.

        • 1. Re: Disabling AMT
          Intel Corporation
          This message was posted on behalf of Intel Corporation

          Hi Sandy,

          There is a method to disable AMT in HP BIOS using one of their tools.  You can pull down the tool here:

          http://ftp.hp.com/pub/caps-softpaq/cmit/HP_BCU.html

          On the page, there is also an HP BCU User Guide link, you can use this for reference.

          1.  You'll need to verify the settings on each of the computers because the verbiage in the BIOS differs from model to model.  You can run the tool and do a "get" command on each of the models to find out the correct verbiage.
          2.  Once you find the correct verbiage, you would remotely call WMI to disable AMT on the system.  You can use PowerShell to do this.

          An example (this was for an unconfiguration):
          # Bind to the HP BIOS settings WMI interface (run elevated; add -ComputerName to target a remote system)
          $HP_Bios = Get-WmiObject -Namespace root\hp\instrumentedBIOS -Class HP_BiosSettingInterface
          # Each call returns an object whose Return property is 0 on success
          $HP_Bios.SetBiosSetting('Unconfigure AMT on next boot', 'Apply')
          $HP_Bios.SetBiosSetting('Show Unconfigure ME Confirmation Prompt', 'Disable')

          An example for AMT for this specific model (800G2):

          $HP_Bios = Get-WmiObject -Namespace root\hp\instrumentedBIOS -Class HP_BiosSettingInterface
          # Setting name is model-specific; confirm it with a "get" first
          $HP_Bios.SetBiosSetting('Active Management (AMT)', 'Disable')

          Regards,
          Michael
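The two steps above (discover the model-specific setting name, then set it over WMI) carried through as a script, as an added example that is not from the thread or from HP. It assumes the HP_BiosSetting and HP_BiosSettingInterface classes are present in root\hp\instrumentedBIOS, that the target name and the "<utf-16/>" setup-password prefix and return codes follow HP's documented convention, and that the caller is a local administrator on the target.

```powershell
# Added example: find the AMT switch in an HP BIOS over WMI, disable it, and read it back.
# Assumptions: classes below exist on the model (HP varies), WMI/DCOM is reachable, caller is admin.
param(
    [string]$ComputerName  = 'HYPOTHETICAL-WS01',   # placeholder target name
    [string]$SetupPassword = ''                     # BIOS setup password, if one is set
)

$ns = 'root\hp\instrumentedBIOS'

# Step 1 ("get"): list every setting whose name mentions AMT so the exact verbiage for this model is known.
$settings = Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class HP_BiosSetting |
    Where-Object { $_.Name -like '*AMT*' -or $_.Name -like '*Active Management*' }

if (-not $settings) {
    Write-Warning "$ComputerName exposes no AMT-related BIOS settings; nothing to change."
    return
}
$settings | Select-Object Name, Value | Format-Table -AutoSize

# Step 2: pick the setting that offers a Disable choice (e.g. 'Active Management (AMT)' on the 800G2).
# Assumption: HP lists the possible values in the Value field, with '*' marking the current one.
$amt = $settings | Where-Object { $_.Value -match 'Disable' } | Select-Object -First 1
if (-not $amt) { Write-Warning 'No AMT setting with a Disable option found.'; return }

# HP's interface takes the setup password with an encoding tag prefix; empty string when none is set.
$pw = if ($SetupPassword) { '<utf-16/>' + $SetupPassword } else { '' }

$iface = Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class HP_BiosSettingInterface
$rc = $iface.SetBiosSetting($amt.Name, 'Disable', $pw).Return

# Return codes as HP documents them (assumed here): 0 = success, 6 = access denied (wrong/missing password).
switch ($rc) {
    0       { "$ComputerName : '$($amt.Name)' set to Disable (takes effect on next reboot)" }
    6       { Write-Error "$ComputerName : access denied, check the BIOS setup password" }
    default { Write-Error "$ComputerName : SetBiosSetting returned $rc" }
}

# Step 3: read the setting back so the change is verifiable before it is reported as done.
Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class HP_BiosSetting |
    Where-Object { $_.Name -eq $amt.Name } | Select-Object Name, Value
```

Run it once per model first with only Step 1 to capture the exact setting names before rolling the change out to the fleet.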
          • 2. Re: Disabling AMT
            Phil_from_Ottawa

            Question on this solution. If we do this, what is to stop someone from re-enabling it using the default admin password?

            If that is a risk, then how can we change the default admin password in a script as well?


            Thanks!

            • 3. Re: Disabling AMT
              Intel Corporation
              This message was posted on behalf of Intel Corporation

              Hi Phil,
              If someone has:
              1.  Physical access to the system,
              2.  Enough knowledge to access MEBx, and
              3.  An MEBx password that is still set to the default and has not been changed,
              then they would be able to re-enable AMT using the default admin password.

              There are three ways to change the digest admin default password (in order of simple to complex):
              1.  Physically on the system, accessing MEBx and changing password.
              2.  Configuration via USB Key, which begins in section 1.4.2 of the SCS User Guide - Physical access to the system is required for this method.
              3.  Remote Configuration (best solution if you have many systems or if they are remote but are on your domain).  More details begin at section 1.4.4 of the SCS User Guide.

              There is no other method for changing the default admin password.

              The SCS User Guide can be accessed at this link:
              https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf

              Information on certificates needed for remote configuration can be accessed at this link:
              https://www.intel.com/content/www/us/en/remote-support/intel-vpro-certificates.html

              Intel recommends following best security practices.  Please find document at this link:
              https://www.intel.com/content/dam/support/us/en/documents/technologies/Intel_AMT_Security_Best_Practices_QA.pdf

              Question 6 is most appropriate for your question.

              Regards,
              Michael A

              • 4. Re: Disabling AMT
                Phil_from_Ottawa

                I have looked at your pdf link. It seems the 1.4.4 section you referenced says


                "To use this method, the Intel AMT device must have at least one active hash certificate defined in the Intel MEBX. If the manufacturer does this before he sends the computer out, then you can configure these computers remotely."


                So the next question is, what if the manufacturers did not configure this?  Does that mean that we can not do it remotely?


                Thanks,


                Phil

                • 5. Re: Disabling AMT
                  Intel Corporation
                  This message was posted on behalf of Intel Corporation

                  Hi Phil,

                  For remote configuration, a specific AMT certificate from one of the certificate authorities is required.  As mentioned in the previous post, there is only one way to perform a remote configuration where the MEBx password can be changed, which is the aforementioned method.  You will be unable to perform this change remotely without one.

                  Regards,
                  Michael

                  • 6. Re: Disabling AMT
                    rjt

                    How do you know if one of these certificates is in AMT / vPro or not?

                    • 7. Re: Disabling AMT
                      rjt

                      Traditional Wake-On-LAN does not work at all with AMT / vPro machines.  I am curious if others have found a way to wake them without AMT / vPro?

                      • 8. Re: Disabling AMT
                        Phil_from_Ottawa

                        Yes, that is a good question, how can I confirm if there is a certificate (or more likely that there is not)?


                        Thanks,


                        Phil

                        • 9. Re: Disabling AMT
                          Intel Corporation
                          This message was posted on behalf of Intel Corporation

                          If an AMT certificate was purchased from a qualified Certificate Authority, referenced here:
                          https://www.intel.com/content/www/us/en/remote-support/intel-vpro-certificates.html

                          The certificate would reside on the RCS Server in the certificate store of the service account running the RCSServer service.  Once you open the certificate snap-in for that account, you will find the certificate in the personal store.  You would then be able to look at the certificate subject and match it against the OU string: Intel(R) Client Setup Certificate
                          or the OID under Enhanced Key Usage, AMT OID: 2.16.840.1.113741.1.2.3
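The check above done in PowerShell rather than the certificates snap-in, as an added example that is not from the thread or from Intel. It assumes it runs under the account that owns the store (normally the RCSServer service account) and uses only the two markers Michael gives: the subject OU string and the AMT EKU OID.

```powershell
# Added example: find an Intel AMT setup certificate in the Personal store by subject OU or EKU OID.
# Assumption: run in a session for the RCSServer service account; LocalMachine\My is checked as well.
$AmtOid = '2.16.840.1.113741.1.2.3'            # AMT OID from the thread
$AmtOu  = 'Intel(R) Client Setup Certificate'  # OU string from the thread

function Test-AmtSetupCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Marker 1: subject carries the Intel Client Setup OU
    $ouMatch = $Cert.Subject -like "*OU=$AmtOu*"
    # Marker 2: an Enhanced Key Usage extension lists the AMT OID
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oidMatch = $false
    foreach ($e in $eku) { if ($e.EnhancedKeyUsages.Value -contains $AmtOid) { $oidMatch = $true } }
    return ($ouMatch -or $oidMatch)
}

$found = foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    Get-ChildItem $store -ErrorAction SilentlyContinue |
        Where-Object { Test-AmtSetupCertificate $_ } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Expired    = ($_.NotAfter -lt (Get-Date))
                HasKey     = $_.HasPrivateKey   # RCS needs the private key, not just the public certificate
            }
        }
}

if ($found) { $found | Format-Table -AutoSize }
else { 'No certificate with the Intel Client Setup OU or AMT EKU OID found in the Personal stores.' }
```

Finding nothing here only tells you the RCS side is missing; whether the client's MEBx holds a matching root hash is not visible from the OS.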

                          • 10. Re: Disabling AMT
                            Intel Corporation
                            This message was posted on behalf of Intel Corporation

                            I don't quite understand the statement as WOL works with AMT but there are requirements:

                            1.  Must be an Intel NIC
                            2.  Must be wired
                            3.  Must be enabled in the BIOS

                            Regards
                            Michael