Here is a list of ports used by vPro:
80 Standard HTTP Port (Web UI)
443 Standard HTTPS Port (Web UI in SSL mode)
9971 Default port used by SCS/SCA (configurable)
16992 SOAP commands in SMB mode
16993 SOAP commands in TLS/Enterprise mode
16994 IDE-Redirection in SMB mode
16995 IDE-Redirection in TLS/Enterprise mode
56666 Serial over LAN (SOL)
Hope that helps....
There is no simple way to block management traffic to AMT when the OS is up.
However, you may be able to create some rules on your network that block the above ports when the OS is up.