Intel Active Management Technology
Is there a way to scan for deployed AMT machines and vPro machines?
Is there a way to scan for deployed AMT machines and vPro machines?
Comments
This is what I have so far. It's an Inventory report that looks at driver versions. Unfortunately Inventory doesn't seem to pick up older versions of Intel Management Engine Interface. I have an internal bug ticket open for that.
I updated it to include Intel Management Engine Interface entries that have an empty Driver Version.
Thank you. Question: this looks for the existence of the driver, but is there a way to see if the AMT is provisioned or not?
I put together a package that parses the output of Intel's Platform Discovery tool. All of my systems are currently not provisioned, so I'm trying to provision one of them to verify the effectiveness of this package.
https://downloadcenter.intel.com/download/25776/Intel-SCS-Platform-Discovery-Utility
Please help, maybe I'm doing something wrong here.
I've imported your .xml into PDQ Deploy, and I downloaded and copied the PlatformDiscovery tool and placed it into the $Repository directory following the \Intel\Platform Discovery\ path location.
This is the error I'm getting:
I'm not sure if you noticed, but Intel provided a special tool to check if your system is AMT vulnerable:
https://downloadcenter.intel.com/download/26755
Aren't you guys considering creating a user-friendly PDQ Inventory collection to allow us to see if our workstations are vulnerable?
Thank you
It looks like it saved the path of your repository to results.xml instead of running the tool. Try replacing the . with a &.
I will look into that discovery tool.
I updated that package to use Start-Process. Hopefully it works better now :)
Hmm, Start-Process isn't behaving how I thought it would. I switched to & and added some detail to the logging.
That last version you've posted is working just fine. In the output.log I can see what I'm looking for.
Question now is, is this tool really doing what it should?
My system was AMT vulnerable. I changed the BIOS/UEFI setting to disable AMT support. Started up the Windows system again, ran the Intel-SA-00075-GUI utility again, and the status has updated to: Unknown
When I ran your latest script, output log says:
Intel AMT is not supported
So I'm wondering, are these tools really telling you the actual status? But that's a question for another company (Intel). In my situation I've discovered that only two model lines are vulnerable.
Also wondering, are no other admins debating this security issue? Not interested?
In any case, thank you for your effort. New BIOS firmwares should be released soon; this is the way we will go and patch our systems.