Remote Screen Blanking (RSB) is a feature introduced in Intel Active Management Technology (AMT) version 10.0 to help with those situations where you want the display of a client system to be off while remote operations are being performed on it. RSB is intended for embedded, publically visible systems like digital signage, kiosks, and Automated Teller Machines but other systems within an enterprise may benefit from this feature too. RSB only affects the display and does not block any local user input like mouse, keyboard, touchscreen, or power button. Scenarios where patches are being installed, IDE-redirection sessions are in progress, or BIOS settings are being changed would typically be better if not displayed to the public or an unknown audience. RSB provides the curtain for an IT administrator to perform remote operations with discretion.

Before you get started using RSB, there are some prerequisites that must be met:

• Must have Intel AMT version 10.0 or later

• User Consent must be Off on the client

• Must be Enabled before use

• Must be allowed in the firmware (typically will be available in embedded systems and not available for business clients)

The first three items can be controlled by an administrator via software but the last one is controlled by the system manufacturer. The Intel AMT version number can be queried via API. User Consent is always needed for systems configured in Client Control Mode and optional in Admin Control mode. To be able to utilize RSB the system must be configured into Admin Control Mode with User Consent disabled. Finally you can use an API to Enable RSB. If enabling RSB fails with an Internal Processing error then most likely it is not available in the firmware installed on that system by the OEM.

Once you have satisfied the prerequisites you can incorporate RSB into your usages. The class IPS_ScreenConfigurationService provides the interface for controlling the feature via one method and three properties.

The properties:

• EnabledState – read/write property that allows you to query and enable or disable the state of RSB.

• CurrentState – read only property that provides the current state of an RSB session as either open/blanking or closed/not-blanking.

• RemainingConsecutiveRebootsNum – read only property that indicates the number of reboots that remain that will allow the blanking to persist. The initial value is set in the SetSesssionState method. If this number is 0 then a reboot will cause the blanking session to stop and the display to be shown again. The value can also be 1 through 3 which would allow a blanking session to continue during a reboot, which is useful for scenarios that require a reboot like Boot-to-BIOS or IDE-Redirection. Note that this works with resets only, a shutdown or hibernate will cancel a blanking session and reset this value to 0. Putting the system in Connected Standby will not change any RSB settings.

The method:

• SetSessionState – takes two parameters to allow you to turn screen blanking On or Off and set a value for the number of reboots that it will persist.

The PowerShell script below provides snippets of code that show how to utilize the RSB feature. For information on running PowerShell scripts with the Intel vPro module please refer to the AMT SDK and related documentation.

After establishing a connection (note: you will need to enter the proper credentials and machine address for your client system), the script checks the version of AMT which must be 10.0 or greater to have the feature. It then checks if User Consent is required on the system, which must be false for RSB to work.

Next there is a section that reports the current properties of RSB on the client. If the feature is not enabled, then it will enable it. The other properties are queried to show the current Blanking state and the number of reboots for which the current session will persist.

The final section illustrates how to start a screen blanking session that would persist through two reboots. It then pauses for 20 seconds and stops the screen blanking session.

# Begin flow template

Import-Module 'IntelvPro'

########################################

#   Create a Wsman Connection Object   #

########################################

$wsmanConnectionObject = new-object 'Intel.Management.Wsman.WsmanConnection'

$wsmanConnectionObject.Username = "admin"

$wsmanConnectionObject.Password = "**********"

$wsmanConnectionObject.Address = "http://" + "192.168.10.108" + ":16992/wsman"

########################################

function GetCoreVersion

{

    $softwareIdentityRef = $wsmanConnectionObject.NewReference("SELECT * FROM CIM_SoftwareIdentity WHERE InstanceID='AMT FW Core Version'")

    $softwareIdentityInstance = $softwareIdentityRef.Get()

    $versionString = $softwareIdentityInstance.GetProperty("VersionString")

    return $versionString

}

########## Check the pre-requisites ##########

#Check the AMT version; Need AMT 10 or greater for Remote Screen Blanking

Write-Host "AMT version is: "  $(GetCoreVersion)

#Check if User Consent is required; Remote Screen Blanking will not operate when User Consent is required

$optInServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM IPS_OptInService WHERE Name='Intel(r) AMT OptIn Service'")

$optInServiceInstance = $optInServiceRef.Get()

$optInRequired = $optInServiceInstance.GetProperty("OptInRequired")

Write-Host "User Consent Required: "  $OptInRequired

########## Report the current properties and enable if needed ##########

#Read the configuration settings for Remote Screen Blanking which are in the class IPS_ScreenConfigurationService

$screenPropRef = $wsmanConnectionObject.NewReference("SELECT * FROM IPS_ScreenConfigurationService")

$screenPropInstance = $screenPropRef.Get()

#Check if Remote Screen Blanking is enabled; If it is not, then set it to enabled

$enabledState = $screenPropInstance.GetProperty("EnabledState")

Write-Host "Enabled state: "  $enabledState

If ($enabledState.ToString() -eq "0")

{

    Write-Host "Remote Screen Blanking was not enabled, so enabling it now"

    $screenPropInstance.SetProperty("EnabledState", "1")

    $screenPropRef.Put($screenPropInstance)

}

#Check if the screen is currently being blanked

$screenState = $screenPropInstance.GetProperty("CurrentState")

Write-Host "Screen state is (0=Not Blanked, 1=Blanked): "  $screenState

#Check how many reboots can occur while maintaining an actively blanked screen

$rebootsRemaining = $screenPropInstance.GetProperty("RemainingConsecutiveRebootsNum")

Write-Host "Remaining reboots: "  $rebootsRemaining

########## Blank the screen, pause, then un-blank the screen ##########

#Start blanking the screen with 2 reboots allowed, wait for 30 seconds, then stop blanking

$screenPropRef = $wsmanConnectionObject.NewReference("SELECT * FROM IPS_ScreenConfigurationService")

$screenPropInstance = $screenPropRef.Get()

$inputObject = $screenPropRef.CreateMethodInput("SetSessionState")

$inputObject.SetProperty("SessionState", "1")

$inputObject.SetProperty("ConsecutiveRebootsNum", "2")

$outputObject = $screenPropRef.InvokeMethod($inputObject)

$returnValue = $outputObject.GetProperty("ReturnValue")

Write-Host "Blank the screen. Return (0 = success):   "  $returnValue

Start-Sleep -s 20

$inputObject.SetProperty("SessionState", "0")

$inputObject.SetProperty("ConsecutiveRebootsNum", "0")

$outputObject = $screenPropRef.InvokeMethod($inputObject)

$returnValue = $outputObject.GetProperty("ReturnValue")

Write-Host "Stop blanking the screen. Return (0 = success): "  $returnValue

########################################

Remove-Module 'IntelvPro'

# End flow template

Hi,

I have a working (demo) server with Intel AMT (version 9.0.31, bios version 1107, current setup mode is enterprise and TLS security is working). I am using the manageability director tool (v0.1.33).

Now I want to introduce Agent Authentication, as to authenticate remote users before they are allowed to remote control this demo server. I start by adjusting the security profile (to TLS Security + Agent Authentication, using the same self signed certificates used for the TLS security), but when trying to push this to the AMT box (by 'Set this profile on computers...") I get a message box (see attached) full with error messages, the first one being 'the request failed with HTTP status 404: not found'.

Any tips / hints or further 'how to' guides for me to read?

Much appreciated,

Chris

I have an unsolvable problem: I am unable to login into AMT through WEB interface and OpenMDTK tools (commander and director). Instead I am able to log into MEBx.

All this as a result of some experiments made in the past through the configuration tool for linux (ACUConfig) with an unsupported OS (Ubuntu 12.04) and an unprovisioning made by the OpenMDTK tools and after changing some parameters of AMT in the BIOS and in MEBx interface.
All this happened a long time ago and I can not remember exactly what I did.
Following this, I fear that my AMT is rather messy so I think to re-flash the BIOS of the motherboard to "reset" AMT completely then clear CMOS.
However I don't Know if this will HELP therefore I'm here to ask it to You.

What I recently did:

- Disabled AMT in BIOS (then re-enabled) and resetted CMOS (Otherwise I was unable to enter MEBx menu with CTRL-P)

- To be sure unprovisioning secceded, I've also unprovisioned AMT through "AMT Configuration ---> Un-Configure ME" item in BIOS menu (this option allows to Un-Configure ME without a password).

- Reconfigured AMT through MEBx interface after having entered a new password (tried: P-ssw0rd, P@ssw0rd, and some other pwds)

- Tried to login in AMT through Web Interface (http://ip_address:16992) with user "admin" and password entered during MEBx configuration with no success. DHCP is enabled in AMT configuration therefore ip_address is shared with host ip_address.

- Tried to login also through OpenMDTK tools (commander and director) with same credentials but no success.

I've also tried setting a static address in MEBx interface (and I've also setted my host address as static as explained in AMT reference guide) however I was unable to access "logon" web page with this new address while I was still able to access "logon" web page with my host ip address.
To be precise, my AMT static address as setted in MEBx was "192.168.1.5 - 255.255.255.0" and my host address was "192.168.1.2 - 255.255.255.0". I was able to enter "logon" web page with 192.168.1.2 address but not with 192.168.1.5 address. I think this is abnormal behavior.

Therefore I think to reset AMT completely but I don't know how to do. I hope this is possible reflashing BIOS but I'm not sure this will reset/clear everything.

My AMT version is 8.0.10. My motherboard is SUPERMICRO X9SAE and no AMT firmware updates have been released by Supermicro neither BIOS updates in last 18 months.

I know AMT minor releases upgrades are possible only through OEM. Is there any unofficial way to update AMT bypassing OEM (Supermicro)?

Excuse me for my poor English (I hope you understood what I tried to say). Thanks in advance.

I am not able to build the linux sample code for WS-Managed. got following error.

 /usr/bin/ld: cannot find -lsynclibUbuntu_X64
/usr/bin/ld: cannot find -lxerces-depdomUbuntu_X64
/usr/bin/ld: cannot find -lxerces-cUbuntu_X64
/usr/bin/ld: cannot find -lwsman_clientppUbuntu_X64
/usr/bin/ld: cannot find -lwsman_clientUbuntu_X64
/usr/bin/ld: cannot find -lwsman_curl_client_transportUbuntu_X64
/usr/bin/ld: cannot find -lwsmanUbuntu_X64
collect2: error: ld returned 1 exit status
make: *** [eventLogReader] Error 1

All ubuntu files are missing from the SDK folders.

Thanks

Sumedh

Thousands of software developers visited the Intel® Software booth at the sold-out Microsoft Build conference April 29^th– May 1^st in San Francisco’s Moscone Center. Developers engaged with Intel SW developer tools experts, Intel® RealSense™ technology, Intel® Iris™ Graphics, Intel® Iris™ Pro graphics  & 2 in 1 tech demos to experience these technologies first hand. They also learned about how the Intel® Developer Zone provides world-class  knowledge, tools and support for Windows 10 cross platform apps. Also during Build, Intel announced the Intel® INDE, Professional Edition, a $299.00 value for FREE. 

The Intel Software exhibit demonstrated the latest Intel technologies (2 in 1, All-in-One, RealSense™) as well as Intel software development tools, programs, and resources that speed/ease development and optimize Windows apps on IA. Intel: Intel® RealSense™ SDK, Intel® System Studio & Intel® INDE experts were onsite to answer developer questions and demonstrate these technologies. 

The exhibit also demonstrated Intel tools including Intel® INDE, A native cross-platform development suite which includes Easy-to-Use: C++/Java* native tools & samples for Microsoft Windows* and other platforms.

View additional conference photos on our Intel® Developer Zone Facebook page and follow us on twitter @Intelsoftware. 

Download Document

Intel® Identity Protection Technology (Intel® IPT) provides a more secure environment for RSA SecurID* software token.

Introduction

This paper presents an overview of the token provider for EMC’s RSA SecurID* software token implemented using Intel® Identity Protection Technology (Intel® IPT) with public key infrastructure (PKI). Intel IPT with PKI provides hardware-enhanced protection of RSA cryptographic keys in specific Intel® Core™ vPro™ processor-powered systems. The token provider for EMC’s RSA SecurID based on Intel IPT provides hardware-enhanced protection of the RSA token seed by using Intel IPT with PKI cryptographic functions to encrypt and sign the token seed. This signed and encrypted token seed is used by the RSA SecurID software token to generate the OTP token. The token provider based on Intel IPT provides an additional layer of protection to the RSA OTP solution. This whitepaper explains how the Intel IPT with PKI hardware-enhanced cryptographic functions are used to provide a more secure environment for RSA SecurID software token.

Table of Contents

• Introduction.
• Intel Core vPro Processor Platforms and Features.
• Intel IPT with Public Key Infrastructure.
• Overview of RSA SecurID Software Token.
• RSA SecurID Software Token for Microsoft Windows*.
  • Features.
• Overview of the Intel IPT-based token provider for RSA SecurID software token.
  • Provisioning the RSA SecurID software token Seed.
  • Using the Hardware-Protected RSA SecurID software Token Seed to Generate the OTP Token.
• Summary.
  • Related Links for Intel IPT with PKI

Intel Core vPro Processor Platforms and Features

Intel Core vPro processor technology addresses many IT security and platform management needs through its broad set of security, manageability, and productivity-enhancing capabilities. This technology is built into the new Intel Core vPro processor family, some smaller form-factor devices based on the Intel® Atom™ processor, and some Intel® Xeon® processors.

Among the notable security features included in Intel Core vPro processor platforms is the Intel Identity Protection Technology described in the next chapter. Additional features found on Intel Core vPro processor platforms and platforms based on the 4th generation Intel Atom processor for business include:

• Improved device manageability with Intel® Active Management Technology
  • Out of band system access
  • Hardware-based host agent status checking
  • Remote diagnostics and repair tools such as hardware-based KVM, IDE redirection, power control and more
• Hardware-assisted secure boot coupled with platform trust technology
  • Hardware-assisted secure boot, along with early launch anti-malware drivers, enable a boot in a known trusted environment.
  • Credential storage and key management capability to meet Windows 8 CSB requirements, optimized for low power consumption in S0ix environment.
• Improved data encryption performance with Intel® AES New Instructions (Intel® AES-NI)
  • Intel AES-NI provides a faster, more secure AES engine for a variety of encryption apps, including whole disk encryption, file storage encryption, conditional access of HD content, Internet security, and VoIP. Consumers benefit from increased protection for Internet and email content, plus faster, more responsive disk encryption.
• Improved operating system security with Intel® Secure Key
  • A hardware-based random number generator that can be used for generating high-quality keys for cryptographic (encryption and decryption) protocols. Provides quality entropy that is important in the cryptography world for added security.
• Improved operating system security with Intel® OS Guard
  • An enhanced hardware-based security feature that better protects the OS kernel. Intel OS Guard protects areas of memory marked as user mode pages and helps prevent attack code in a user mode page or a code page, from taking over the OS kernel. Intel OS Guard is not application-specific and can protect the kernel from any application.

To find out more about the features included in Intel Core vPro processor platforms, visit http://intel.com/vpro.

Intel Identity Protection Technology with Public Key Infrastructure

Intel IPT with PKI uses the Intel® Management Engine (Intel® ME) in specific Intel Core vPro processor-powered systems to provide a hardware-based security capability. Intel IPT with PKI provides hardware-enhanced protection of RSA 1024 and 2048 asymmetric cryptographic keys. The Intel IPT with PKI capability is exposed as a crypto service provider (CSP) via the Microsoft CryptoAPI* software layer. Software that supports the use of cryptographic features through CryptoAPI can use Intel IPT with PKI to:

• Securely generate tamper resistant, persistent RSA key pairs in hardware
• Generate PKI certificates from hardware-protected RSA key pairs
• Perform RSA private key operations within a protected hardware environment
• Protect key usage via PINs that use the Intel IPT with PKI protected transaction display (PTD)

Both the RSA key-pair and the PKI certificates generated by Intel IPT with PKI are stored on the hard drive. The RSA keys are first wrapped within the hardware with something called the platform binding key (PBK) before being stored on the hard drive. The PBK is unique for each platform using Intel IPT with PKI and cannot be exported from the Intel ME. When the RSA key is needed, it must be brought back into the Intel ME to be unwrapped.

The hardware enhancements of Intel IPT with PKI focus on enhanced RSA private key protection; but it should be noted that the installed CSP can be used for any algorithms typically supported by software-based CSPs. Non-RSA operations are performed in software and provide the same level of protection as existing software-based CSPs shipped with Microsoft Windows 7 and above. Applications based on CryptoAPI should be able to transparently use Intel IPT with PKI and derive the benefits of enhanced private key protection with little, if any, modification.

The RSA keys and certificates created by Intel IPT with PKI support existing PKI usage models. Some typical usage scenarios include:

• VPN authentication
• Email and document signing
• SSL web site authentication

Intel IPT with PKI provides a PC-embedded 2^nd factor of authentication to validate legitimate users in an enterprise. Compared to a hardware security module, external reader, or a TPM, Intel IPT with PKI can be less expensive and easier to deploy. Compared to a software-based cryptographic product, Intel IPT with PKI is generally more secure. Intel IPT with PKI provides a good balance between security, ease of deployment, and cost.

Overview of RSA SecurID Software Token

RSA SecurID software tokens use the same algorithm (AES-128) as RSA SecurID hardware tokens while eliminating the need for users to carry dedicated hardware key fob devices. Instead of being stored in hardware, the symmetric key is securely safeguarded utilizing Intel IPT with PKI. RSA SecurID software authenticators reduce the number of items a user has to manage for safer and more secure access to corporate assets. Software tokens can help the enterprise cost-effectively manage secure access to information and streamline the workflow for distributing and managing two-factor authentication for a global work force. Additionally, software tokens can be revoked and recovered when someone leaves the company or loses a device, eliminating the need to replace tokens.

RSA SecurID Software Token for Microsoft Windows

Features

• Strong two-factor authentication to protected network resources
• Software token automation for integration with available RSA SecurID partner applications
• Silent, secure installation
• Multiple token provisioning options including dynamic seed provisioning (CT-KIP)
• Web plug-in for faster access to protected web sites with Microsoft Internet Explorer*
• Interoperability with Windows screen readers for visually impaired users

Overview of the Intel Identity Protection Technology based token provider for RSA SecurID software token

The Intel IPT-based token provider provides two functions: 1) the initial encryption, signing, and storage of the token seed using a platform binding key when it is provisioned to the system, and 2) the signature validation, decryption, and calculation of the OTP token.

Provisioning the RSA SecurID software token Seed

Provisioning the RSA SecurID software token involves the following functions:

• Import the token seed from a file or from the web.
• Use the Intel® Hardware Cryptographic Service Provider (Intel® CSP) that is included in the Intel IPT with PKI binaries to generate a platform binding key, which is unique per platform.
• Encrypt the token seed using the platform binding key.
• Use the Intel CSP to sign the encrypted token seed using the platform binding key.
• Store the signed and encrypted token seed in the Intel® Persistent Storage Manager device.

Figure 1 – Token Seed Provisioning Architecture

Figure 2 – The Token Storage Devices screen [or UI]

Using the Hardware-Protected RSA SecurID software Token Seed to Generate the OTP Token

RSA SecurID software OTP token generation involves the following functions:

• Read the signed and encrypted token seed from the Intel Persistent Storage Manager device.
• Use the CSP-based platform binding key from Intel IPT with PKI to validate the signature on the signed and encrypted token seed.
• Use the CSP from Intel IPT with PKI to decrypt the token seed.
• Call the RSA token library to generate the next OTP token.

Figure 3 – Using the hardware-protected token seed to generate the OTP token

Summary

The token provider for EMC’s RSA SecurID software token based on Intel IPT provides hardware-enhanced protection of the RSA token seed by using Intel IPT with PKI cryptographic functions to encrypt and sign the RSA SecurID software token seed and bind it to the specific Intel platform.

Related Links for Intel Identity Protection Technology with PKI

For more information on Intel IPT with PKI and protected transaction display visit:

• Intel Identity Protection Technology:
  • http://ipt.intel.com/welcome/protect-business-data.aspx
• Microsoft CryptoAPI interface:
  • http://technet.microsoft.com/en-us/library/cc962093.aspx
• RSA SecurID software tokens for Microsoft Windows Page:
  • http://www.emc.com/security/rsa-securid/rsa-securid-software-authenticators/ms-windows.htm
• RSA SecurID/RSA Authentication Manager Page:
  • http://www.emc.com/security/rsa-securid.htm
• RSA Ready (Integration Partner) page:
  • https://community.emc.com/community/connect/rsaxchange/rsa-ready

I enabled AMT on a client and I cannot add the client in the Platform Solution Manager software on my system.  When I add the client, put in the username and password, I get "Unauthorized".  I even created another user account through the http://ip:16992 address and tried that versus the admin account which just resulted in the same error. This web access also doesn't allow you to remote access, which would be nice. However, really want to get this vPro Platform Solution Manager up and running.  I have tried just about everything.  Also, does this Platform Manager use vnc for remote access?

Posting on behalf of one of my customers.

We have a PCIE card with 4 indemendent Broadwell-U processor complexes. Since we don't have a physical serial console connected to the Broadwell-U processors, so we relay on AMT to provide the serial console using the AMT SOL feature.

AMT is provisioned directly on each Broadwell-U via a utility that uses the AMT SDK. It follows the procedures indicated in the AMT SDK for EHBC, configuring each Broadwell-U to AdminControl Mode. AMT SOL and VNC are enabled as well.

We used a Linux utility "amtterm" to connect to the Boadwell-U AMT SOL console. Once connected to the console, we can reboot the cards and access the BIOS screens.

We have noticed that after several hundred power cycles of the system, the "amtterm" utility no longer stays connected to the broadwell-U AMT SOL console after a reboot. By this I mean, that if I am connected to the Broadwell-U AMT SOL console, at the Linux OS prompt on a Broadwell-U, I enter reboot, and the SOL console disconnects. Before, the power cycles, it would stay connected after a reboot.

Trying to debug the scenario described above, my first thought was to unprovision AMT and reprovison it. The same utility used to provision AMT allowes me to unprovision AMT successfully, but when attempting to re-provison AMT, it fails in the call to IPS_Host BasedSetupService.AdminSetup, with a return code of 6 (FLASH_WRITE_LIMIT_EXCEEDED).

We need to understand why this occurs and what we can do to avoid this issue.

Regards,
Bryce S.