Channel: Intel Communities : Discussion List - Intel® vPro™ Platform

SA-00086 Detection Return Codes

I'm deploying the SA-00086 detection console in SCCM using the steps outlined here: Using ConfigMgr to Monitor Intel Vulnerability INTEL-SA-00086 | Microsoft Cloud Solutions | Windows Management Experts

 

I've noticed that many of the installs are coming back as errors with a return code of 100.  I can't find a list of valid return codes for the detection console so I was wondering if anyone knew what that return code means or if there is a log on the client that I can check to see what the error is about.

 

Thanks!


Intel ME updates for q77 and q87 chipset systems not provided by vendor, e.g. ASUS?

How does one obtain Intel ME updates for q77 and q87 chipset systems not provided by vendor, e.g. ASUS?

Problems updating the Management Engine firmware on DB75EN

My Intel Desktop Board DB75EN is affected by the AMT vulnerability.

 

I found a firmware update here:

Intel® Active Management Technology Escalation of Privilege Advisory...

 

However, when I try to install it, I encounter two problems.

 

First: I'm running Linux -- and the firmware update utility runs on Windows only. So is there also a utility available to update the FW under Linux?

 

As a workaround, I created a Windows 10 Recovery Drive (on a USB stick) and copied the update to that USB stick. I then booted the PC using that USB stick and tried to run the firmware update from within that Windows Recovery (WinPE) environment. I then got the following output:

 

D:\EN-FW-Update\EN-FW-Update-64bit>FWUpdLcl64.exe -f ME8_5M_Production.bin -generic

 

Intel (R) Firmware Update Utility Version: 8.1.40.1456

Copyright (C) 2007 - 2013, Intel Corporation.  All rights reserved.

 

Error 8743: Unknown or Unsupported Platform

Cannot locate hardware platform identification

This program cannot be run on the current platform.

 

Any idea why this does not work? And how to resolve it?

Intel Capability Licensing Service Client is obsolete

Hi,

I've patched the ME vulnerability using Intel's SA-00086 detection tool. However a message is saying an Intel service is obsolete (see screenshot). There's no link to a patch and I could not find anything on Intel's support site.

Any ideas on what I should do next?

 

00086.png

 

Thks,

jfg

INTEL-SA-00075 Detection does not detect status in registry

Hello,

I am about to scan our environment in order to check the status on the client. I downloaded the tool from Download INTEL-SA-00075 Detection and Mitigation Tool. At first glance it seems to work correctly. The GUI version, the xml file and the console version show the vulnerability status. The problem is about registry. The system information is missing.

How am I supposed to collect the inventory information at large scale if the vulnerability status is not written in registry ?

Here are the exported values from the registry

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool]

"Scan Date"="30/11/2017 13:34:52"

"Computer Name"="Test"

"Application Version"="1.0.1.39"

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool\Hardware Inventory]

"Computer Manufacturer"="HP"

"Computer Model"="HP ZBook 15 G3"

"Processor"="Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz"

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool\ME Firmware Information]

"ME Version"="11.0.18.3003"

"ME Version Major"=dword:0000000b

"ME Version Minor"=dword:00000000

"ME Version Build"=dword:00000bbb

"ME Version Hotfix"=dword:00000012

"ME SKU"="Intel(R) Full AMT Manageability"

"ME Provisioning State"="Provisioned"

"ME Driver Installed"="True"

"LMS State"="NotPresent"

"Micro LMS State"="Running"

"EHBC Enabled"="False"

"Control Mode"="Admin"

"Is CCM Disabled"="False"

 

And from WOW6432Node

 

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool]

"Scan Date"="30/11/2017 13:34:52"

"Computer Name"="WPLCND708524T"

"Application Version"="1.0.1.39"

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool\Hardware Inventory]

"Computer Manufacturer"="HP"

"Computer Model"="HP ZBook 15 G3"

"Processor"="Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz"

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool\ME Firmware Information]

"ME Version"="11.0.18.3003"

"ME Version Major"=dword:0000000b

"ME Version Minor"=dword:00000000

"ME Version Build"=dword:00000bbb

"ME Version Hotfix"=dword:00000012

"ME SKU"="Intel(R) Full AMT Manageability"

"ME Provisioning State"="Provisioned"

"ME Driver Installed"="True"

"LMS State"="NotPresent"

"Micro LMS State"="Running"

"EHBC Enabled"="False"

"Control Mode"="Admin"

"Is CCM Disabled"="False"

 

Any ideas ?

Thanks

Tomasz
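For collecting this data at scale, here is an added example (not part of the original post and not Intel's tool) that parses a `.reg` export of the layout shown above, rebuilds the ME version from the dword fields, and reports whether the export carries any status value at all. The sample export is constructed from the post's values; the function names and the `status|vulnerab` name match are assumptions, since the post does not name the missing value.

```python
import re

# Constructed sample: a trimmed copy of the export layout shown in the post.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool]
"Scan Date"="30/11/2017 13:34:52"
"Application Version"="1.0.1.39"

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool\ME Firmware Information]
"ME Version"="11.0.18.3003"
"ME Version Major"=dword:0000000b
"ME Version Minor"=dword:00000000
"ME Version Build"=dword:00000bbb
"ME Version Hotfix"=dword:00000012
"ME Provisioning State"="Provisioned"
"Control Mode"="Admin"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(.*)$')

def parse_reg_export(text):
    """Return {key path: {value name: str or int}} from a .reg text export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.replace("\u00a0", " ").strip()    # scraped exports carry NBSPs
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue                                  # header, blank or unknown line
        name, data = m.groups()
        if data.startswith("dword:"):
            current[name] = int(data[6:], 16)         # REG_DWORD is written in hex
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            current[name] = re.sub(r"\\(.)", r"\1", data[1:-1])  # unescape REG_SZ
        else:
            current[name] = data                      # other types kept verbatim
    return keys

def firmware_key(keys):
    hits = [v for p, v in keys.items() if p.endswith("\\ME Firmware Information")]
    return hits[0] if hits else {}

def me_version(keys):
    """Rebuild Major.Minor.Hotfix.Build from the dwords; cross-check the string."""
    fw = firmware_key(keys)
    parts = tuple(fw["ME Version " + p] for p in ("Major", "Minor", "Hotfix", "Build"))
    if ".".join(map(str, parts)) != fw["ME Version"]:
        raise ValueError("ME Version string and dword fields disagree")
    return parts

def status_values(keys):
    """Heuristic (assumption): subkey or value names containing status/vulnerab."""
    hits = []
    for path, values in keys.items():
        for name in [path.rsplit("\\", 1)[-1], *values]:
            if re.search(r"status|vulnerab", name, re.I):
                hits.append((path, name))
    return hits

def inventory_row(text):
    keys = parse_reg_export(text)
    fw = firmware_key(keys)
    return {"me_version": ".".join(map(str, me_version(keys))),
            "control_mode": fw.get("Control Mode"),
            "provisioning_state": fw.get("ME Provisioning State"),
            "has_status_value": bool(status_values(keys))}
```

On the sample, `inventory_row(SAMPLE_EXPORT)` returns the firmware version and control mode with `has_status_value` set to `False`, which matches what the post reports: the inventory fields are present but no status value was written.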

Trouble using Agent Presence

system

  HP ProDesk 600 G3 SFF

  ram: 4gb

  OS: Windows 10 Pro ver. 1709

   build 16299.125

 

AMT release 11.6.12.1201

 

Two issues

1) unable to use manual or usb key configuration to set admin mode

2) unable to set expiration action on host machine when using agent presence

 

background

Have used SCS software to configure for client control mode. Used AMT SDK HLAPI software samples to remotely create agent, display agent info, detect when agent is running, stopped, expired. Used local samples 1 and 2 to start and stop/expire. Additionally tested power changes: power on, power off successfully.

When trying to call SetExpirationActionOnAgentPresenceWatchDog function, fails at SetExpirationAction (message simply says failed to set expiration action). Does this require admin configuration as opposed to client control?

Would like to have Admin Control Mode, so have been attempting to set configuration using usb key, albeit unsuccessfully. Setting up of the usb works using the SCS software, but nothing happens when booting, (no prompt for whether to provision) no configuration happens when booting with the usb plugged in.

When booting and pressing CTRL-P, no entry to MEBX menu. There is a ME setup in the BIOS menu, but no options for changing the AMT configuration.

Researchers Found Another Major Security Flaw in Intel CPUs

Subject article posted January 12 2018

 

see Researchers Found Another Major Security Flaw in Intel CPUs - ExtremeTech

 

From what I can tell the VPRO and AMI interfaces are accessible from the internet. From other posts there have been "issues" reported previously!

 

So how can a user be certain that the cloud server they get from a Digital Ocean, RackSpace or similar vendor cannot be breached?

I was told by Digital Ocean that their KVM technology takes care of the Meltdown and Spectre problems but then I read that VPRO technology includes KVM interfaces. This is very troubling since there seems to be no credible information source!

Automating Intel AMT MEBx Configuration

Hi All,

 

Currently we have a scenario,

To prevent the Intel AMT attacks, we are following the below manual steps on the machines.

 

1. Login to MEBx with default password "admin" by pressing Ctrl-P during system boot.

2. Change the password to standard password.

3. Disabling "Manageability Feature Selection" under Intel AMT configuration.

 

And it is not feasible to mitigate thousands of machines manually. Could anyone help me with whether we can create any kind of script or utility tool to automate these steps?

We are using Microsoft System Center Configuration Manager, so we can deploy the script remotely to all machines.

 

Appreciate any help on this.

 

Thanks in advance,

RV


Disabling AMT

Most of our HP workstations have AMT. Our management has decreed that we disable AMT based on the recent security advisory. We've never provisioned our systems. We struggled through running the tools in May to pull inventory on affected systems and deployed updated firmware from HP. The whole experience was exhausting.

 

I've read some posts that suggest to disable AMT we need to remove the LMS service as well as delete LMS.exe. In our inventory, only some of our newer systems are running LMS. Is there an alternative way to disable AMT (short of accessing the BIOS of each system) on all our workstations?

 

Will ACUConfig.exe offer protection? Should I setup SCS to disable AMT?

 

Thanks for any help and advice.

How can we change the AMT default password from admin by script?

Good morning,

We need to change the AMT password on 40k machines in SCCM from admin to something secure. How can we do this? I can't seem to find a way to make this work in a script. Someone must have done this, I can't imagine the answer is to do each system manually.

 

Thanks!

 

Phil

AMT vulnerability

I am looking to find some concrete information on what steps will need to be taken in order to mitigate the AMT vulnerability (CVE-2017-5689) in our environment and would appreciate any help/information that can be provided.

 

  1. We have never provisioned Intel AMT. Does this mean we are not vulnerable, or does the existence of AMT in the BIOS automatically make a device vulnerable to exploit?
  2. I do see the UNS and LMS services running on well over a hundred devices in our environment. Does any potential exploit target these services? Will simply disabling these services mitigate any vulnerability?
  3. We have many devices that I am sure have AMT that appear not to have these services even installed. Are they vulnerable?

 

My goal is to not have to update the BIOS on 1500 or more systems, especially since we have never made use of AMT. If I can simply disable services on devices by script within Windows, and ignore devices that don't have the services, that is the ideal outcome.

 

Thank you for any help provided.

 

 

Sean

Boot Configuration

Have a server dropped off and it has boot up issues. Could someone send me to a link or something that tells me what the setup process is for booting up a Precision T5400 with two hard drives. Raid? not Raid? In bios the sata hard drives are not present. Do I configure them as RAID? I just need to be pointed in the right direction. Thanks anyone

Can You Help Simplify vPro?

Hello Intel vPro experts!

 

I remember seeing vPro live when Intel used to do Technical Solutions Trainings (TST) on the road

 

That was 4/5 years ago on the 3rd generation NUC!

 

Being able to remote to a computer at a BIOS level is a huge asset to an IT guy

 

I want to do vPro on the 7th generation NUC

 

Obviously, I need a NUC with vPro

 

QUESTION is, what else do I need?

 

If I want to access NUCs on the LAN, do I just need an AMT server?

 

What if I want to access NUCs remotely without VPN to the network?

 

I see demos using Labtech RMM, but that's like 4 years old

 

 

I greatly appreciate the help...

Using SOL

On my HP ProDesk G3 600 SFF PC, I am able to use some of the AMT functionality: power functions, agent presence, system defense, etc.

It seems like the SOL is partially working because when connecting using either MeshCommander or a powershell cmdlet, I see on the target machine an icon in the upper right corner of the screen. The terminal interface is simply blank with no interaction using the keyboard. I have changed the BIOS settings back and forth for ANSI terminal to VT100 and back to no effect. I have contacted HP support to see if some BIOS updates have changed or removed some of the AMT features, but have heard nothing back so far.


Can't configure a Dell Latitude E5540 in Host configuration mode. no errors in log...?

Computer is running Windows 7 x64 in Legacy/BIOS mode with Dell's latest driver for ME, BIOS and ME firmware.

 

2018-02-14 09:11:21: Thread:2308(DETAIL) : ACU.dll, Category: SetCompatibilityMode Source: ACUDll.cpp : SetCompatibilityMode Line: 196: 11.2.0.35

2018-02-14 09:11:21: Thread:2308(DETAIL) : ACU.dll, Category: SetCompatibilityMode Source: ACUDll.cpp : SetCompatibilityMode Line: 228: Set compatibility mode to 10.0.

2018-02-14 09:11:21: Thread:2308(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : CheckAMT Line: 85: Entering

2018-02-14 09:11:21: Thread:2308(DETAIL) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::Init Line: 191: Connected to the Intel(R) Management Engine Interface driver, version 11.7.0.1032

2018-02-14 09:11:21: Thread:2308(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : FWUpdateData Line: 46: Entering

2018-02-14 09:11:21: Thread:2308(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : FWUpdateData Line: 64: Exiting

2018-02-14 09:11:21: Thread:2308(INFO) : ACU Configurator , Category: AMT Mode Source: HECIDiscovery.cpp : CheckAMT Line: 426: Intel(R) AMT  in PROVISIONING_MODE_ENTERPRISE

2018-02-14 09:11:21: Thread:2308(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : GetPKIDNSSuffix Line: 960: Entering

2018-02-14 09:11:21: Thread:2308(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : GetPKIDNSSuffix Line: 989: Exiting

2018-02-14 09:11:22: Thread:2308(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : CheckAMT Line: 548: Exiting

2018-02-14 09:11:24: Thread:2308(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : GetAmtFQDN Line: 1448: Entering

2018-02-14 09:11:24: Thread:2308(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : GetAmtFQDN Line: 1529: Exiting

2018-02-14 09:11:24: Thread:2308(INFO) : ACU Configurator , Category: Discovery Source: HostBasedSetup.cpp : HostBasedSetup::Discovery Line: 432: Calling function Discovery...

2018-02-14 09:11:24: Thread:2308(INFO) : ACU Configurator , Category: Local System Account Source: HostBasedSetup.cpp : HostBasedSetup::GetLocalSystemAccount Line: 217: Calling function GetLocalSystemAccount over MEI...

2018-02-14 09:11:24: Thread:2308(DETAIL) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::Init Line: 191: Connected to the Intel(R) Management Engine Interface driver, version 11.7.0.1032

2018-02-14 09:11:24: Thread:2308(INFO) : ACU Configurator , Category: Local System Account Source: HostBasedSetup.cpp : HostBasedSetup::GetLocalSystemAccount Line: 255: Function GetLocalSystemAccount over MEI ended successfully

2018-02-14 09:11:24: Thread:2308(INFO) : ACU Configurator , Category: Discovery Source: HostBasedSetup.cpp : HostBasedSetup::Discovery Line: 479: Host Based Setup is supported

2018-02-14 09:11:24: Thread:2308(INFO) : ACU Configurator , Category: Discovery Source: HostBasedSetup.cpp : HostBasedSetup::Discovery Line: 518: Current Control Mode: 0 (Not provisioned)

2018-02-14 09:11:24: Thread:2308(INFO) : ACU Configurator , Category: Discovery Source: HostBasedSetup.cpp : HostBasedSetup::Discovery Line: 557: Allowed Control Modes: 2 (Admin) and  1 (Client)

2018-02-14 09:11:24: Thread:2308(INFO) : ACU Configurator , Category: Discovery Source: HostBasedSetup.cpp : HostBasedSetup::Discovery Line: 561: Function Discovery ended successfully

2018-02-14 09:11:26: Thread:2308(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : UuidDiscovery Line: 1536: Entering

2018-02-14 09:11:26: Thread:2308(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : UuidDiscovery Line: 1554: Exiting

2018-02-14 09:11:26: Thread:2308(DETAIL) : ACU Configurator , Category: Returned data Source: ACUDll.cpp : GetHostAndMEInfo Line: 4479: GetHostAndMEInfo output data:     IsAMT:True,     isEnterpriseMode:True,     configurationMode:0,     isRemoteConfigEnabled:False,     AMTversion:9.5.61.3012,     isMobile:True,     provisioningTlsMode:2,     uuid:4C4C4544-XXXX-XXXX-XXXX-XXXXXXXXXXXX,     isClientConfigEnabled:True,     hostBasedSupport:True,     configurationState:0,     FQDN:62ZHD12.XXXXXXX.XXX,     embeddedConfigurationAllowed:False.     isLANLessPlatform:False.     PKIDNSSuffix: Empty.

Good PC for using KVM

I want to be able to use the KVM feature of AMT, but the machine I have (HP ProDesk G3 600 SFF) doesn't allow KVM (it seems to be disabled). Are there some machines out there that have a proven track record with KVM that I can try out?

Circumventing Intel ME / AMT "hacker software"



Intel's ME toolkit founder Ylian Saint-Hilaire openly describes AMT as "Hacker Software" in this video here (same as above). Recently his statements have been demonstratively proven.

1a. What are the various methods Intel offers their users to disable this "hacker software" built into our computers, i.e. how can we disable Intel ME?

1b. How effectively will an aftermarket NIC protect Intel users against this Intel ME "hacker software"?

2. Can Intel ME bridge or interface with after market network cards over Serial, USB, PCI or PCI express bus, or through a live O/S?

3. How effectively will using an aftermarket NIC protect its users against a compromised ME chip?

I have an older system, its firmware has not been supported by the OEM manufacturer since 2009. It hosts an ICH10R chipset. I have considered using methods like ME_Cleaner to permanently remove the bulk of ME from my system. However this requires hardware flashing with external after market components and comes with the risk of bricking the system. If Intel or the community working around the clock to mitigate this serious threat do not come out with a simple patch to effectively disable Intel ME, like the HAP bit (High Assurance Program) given to the NSA when Intel ME was first created, this leaves its users no choice but to hard flash their chip. Given the inherent dangers this could easily far outweigh the cost. As of the time of this post Intel users are forced to buy an entirely new system or wait for Intel to release a patch. A patch to maintain "hacker software" practically no Intel users actually want, use or need. It's all fine and great for those who actually do, but I'll leave it to you to guess the percentage that actually use it. Patching "hacker software" to make it "safer". Wow that doesn't sound like it'll end very well. It is a cat and mouse game that will go on and on ad-infinitum until the bulk of Intel ME is disabled altogether. If there is nothing to fix, why break it. Seeing as this affects billions of devices around the globe including ATMs, industrial applications, banks, corporations, literally everything... it is clearly becoming the single greatest computer security threat in existence. I highly doubt for example, nuclear plant operators will be sitting around waiting for Intel to release the next patch while their facilities are undergoing a full blown meltdown.

 

In my efforts to mitigate this threat I have ordered an aftermarket Ethernet card which I bought for its OPT (one time flash memory) qualities. There is no on board flash ROM to hack. I don't want to bypass Intel ME with an after market NIC that could be reprogrammed to do something similar or to allow OOB pass through; chips like RLT8111G implement ECMA-393, Intel's ProxZzzy [1]. This standard has ME like qualities. It allows the ethernet card to remain connected on a network and send and receive packets while the computer is powered off in "sleep" mode. Intel ProxZzzy has an inbuilt packet sniffer that is triggered by specific bits to perform specific functions. ECMA disclosed that Intel's ProxZzzy standard is insecure by design, and ECMA's standard does not "address" the security holes. [1] Quote "This Standard does not specifically address Security concerns arising out of the proposed proxy protocol design." They admittedly do not disclose the security risks that are currently present. [1] They will disclose that Intel ProxZzzy can be hijacked and used to generate rogue packets and attack the host machine and the network. [1] Quote "It is possible that an adversary may assume control of the proxy and use the Proxy to launch attacks on the system, on the network, or on other Internet connected machines." [1] According to their documentation "The 802.11 host and the Access Point (AP) are configured to use a common “Profile” – a set of connection parameters such as band, channel, security, etc. The profile is configured out of band and prior to the host going to sleep." The diagram in the above documentation exhibits out of band signals as bypassing all hardware, enabling direct kernel access. Sounds as bad as Intel ME.

 

4. Does Intel's ProxZzzy OOB on aftermarket network cards allow interfacing with onboard Intel ME/AMT?

 

I have only one suggestion. That is for Intel to offer the public a simple tool to disable the "hacker tool" built into our computers permanently, that leaves only components necessary to allow the computer to boot and run properly.

 

Thank you so much for your time.

 

Message was edited by: walle

Management controller has not progressed far enough in its initialization

Hi,
I have some difficulties performing deployment on some Dell Precision systems. Can someone help me with the following error message I get when running the command
“ACUConfig.exe ConfigViaRCSOnly <fqdn> <profile>”:

2018-03-11 12:25:10: Thread:8656(ERROR) : ACU.dll, Category: StartConfiguration Source: ACUDll.cpp : RemoteConfiguration Line: 3662: AMT Status code - Management controller has not progressed far enough in its initialization to process the command. 
