Granite River Labs, GRL
The COVID-19 pandemic disrupted the global labor market and traditional work patterns, and in the process normalized the concepts of "remote work" and "hybrid work". Finding new ways to keep productivity high in this evolving labor landscape, by providing the necessary software and hardware capabilities, is therefore one hurdle that management must overcome to keep remote and hybrid workforces sustainable.
What is the Intel vPro® platform?
The Intel vPro® platform dates back to 2006, when Intel astutely anticipated evolving business needs. A platform ahead of its time, Intel vPro® supports business and IT needs through four key pillars: Performance, Security, Manageability, and Stability. By 2011, the platform was already fully deployed on Intel client computers, laying the foundation for remote work requirements to be met.
Intel vPro® enabled remote device repairs and efficient management of PC fleets by providing out-of-band (OOB) management through Intel® Active Management Technology (AMT). Fast forward to last year's release of the 12th generation Alder Lake processors paired with the Intel vPro® platform, and we witness the emergence of a hybrid architecture that further amplifies computer performance and productivity.
How the Intel vPro® platform works
The hybrid architecture of Intel's 12th generation processor, Alder Lake, balances performance and power consumption/heat between the Performance Cores (P-Cores) and Efficient Cores (E-Cores). This enables users to engage in multitasking and use IT applications with greater flexibility.
When combined with computers designed with the Intel vPro platform, Alder Lake processors integrate Intel Wi-Fi 6/6E and Thunderbolt™ 4 technologies. In addition to enhancing responsiveness for cloud and collaboration applications, Thunderbolt™ 4 technology enables the extension of multiple 4K displays and peripheral devices, as well as laptop charging. For remote workers, this helps create a clutter-free work environment that is conducive for multitasking.
Types of Intel vPro® processors
Intel has developed a diverse range of processors to address different needs, including power optimization, graphics performance, memory, and form factor. These processors offer a wide array of choices for both enterprises and individual users. Let's take a closer look at Intel's 13th generation processor, Raptor Lake, as an illustrative example for mobile devices. Certain processors within this lineup support the Intel vPro® platform. For more information and details about other processors and their compatibility with Intel vPro®, please visit the Intel website.
Table 1 (table contents not reproduced here)
Overview of Intel® Active Management Technology
Intel AMT is a feature of Intel vPro® that operates independently of the operating system, providing a wide range of built-in functionalities and add-on modules for management and security applications. Its presence allows IT personnel to discover, repair, and protect networked computing assets. Even when a computer is in a powered-off state, as long as it remains connected to a power source and network, IT personnel can still access Intel AMT and perform remote management and operations.
1. Port usage
Intel AMT uses four pre-defined, IANA-registered network ports to transmit and receive data:
- 16992 - HTTP traffic
- 16993 - TLS Secured HTTPS traffic
- 16994 - Serial-over-LAN and IDE Redirect
- 16995 - TLS Secured Serial-over-LAN and IDE Redirect
In Intel AMT applications, data is transmitted and received through ports 16992/16994 when no security certificate (Transport Layer Security, TLS) is configured, and through ports 16993/16995 when a certificate is configured. The presence of a certificate does not change the management traffic itself: the data exchanged on port 16993 is the same as on port 16992, the difference being that port 16993 requires a TLS certificate negotiation before that data is sent. The same principle applies to ports 16994/16995, except that these ports carry a proprietary binary protocol that requires dedicated software to use.
Figure 1: OS accepts all data traffic except ports 16992 to 16995 (source: Active Platform Management Demystified: Unleashing the Power of Intel VPro® Technology)
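Because the ME answers on these four ports before the host OS ever sees the packets, a defender's first concern is knowing who is reaching them and whether the plaintext pair (16992/16994) is in use at all. The following added example (written for this article; not code from GRL or Intel) runs that check over a handful of constructed flow records; the record layout, the sample addresses and the allowlist of management consoles are assumptions chosen for the example.

```python
"""Flag Intel AMT management traffic in connection records.

Added example, not code from the article, GRL or Intel. The flow records
and the console allowlist below are constructed; the record layout
"timestamp src_ip dst_ip dst_port" is an assumption for this example.
"""
from collections import Counter

# Port roles as listed in the article: (service, wrapped in TLS?).
AMT_PORTS = {
    16992: ("HTTP", False),
    16993: ("HTTPS", True),
    16994: ("SOL/IDE-R", False),
    16995: ("SOL/IDE-R over TLS", True),
}

# Constructed sample records. 192.168.1.150 plays the management console
# (Host2 in the article's setup); 10.0.0.23 is an unexpected source.
SAMPLE_FLOWS = """\
2024-01-15T09:00:01 192.168.1.150 192.168.1.151 16993
2024-01-15T09:00:05 192.168.1.150 192.168.1.151 16995
2024-01-15T09:01:10 10.0.0.23 192.168.1.151 16992
2024-01-15T09:01:12 10.0.0.23 192.168.1.151 16994
2024-01-15T09:02:00 192.168.1.150 192.168.1.151 443
"""


def parse_flow(line):
    """Split one record into its fields; the destination port becomes an int."""
    ts, src, dst, dport = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport)}


def classify(flow, console_allowlist):
    """Return a finding for AMT traffic, or None when the port is not an AMT port.

    Two conditions are tagged: the plaintext ports being used at all, and a
    source that is not a known management console.
    """
    role = AMT_PORTS.get(flow["dport"])
    if role is None:
        return None
    service, tls = role
    tags = []
    if not tls:
        tags.append("plaintext")
    if flow["src"] not in console_allowlist:
        tags.append("unexpected-source")
    return {"flow": flow, "service": service, "tags": tags}


def review(flow_text, console_allowlist):
    """Classify every record; returns (list of AMT findings, tag counter)."""
    findings = []
    tally = Counter()
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        result = classify(parse_flow(line), console_allowlist)
        if result is None:
            tally["non-amt"] += 1
            continue
        findings.append(result)
        tally.update(result["tags"] or ["ok"])
    return findings, tally


def format_finding(finding):
    """One human-readable line per AMT flow."""
    f = finding["flow"]
    tags = ",".join(finding["tags"]) or "ok"
    return f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']} ({finding['service']}) {tags}"


if __name__ == "__main__":
    findings, tally = review(SAMPLE_FLOWS, console_allowlist={"192.168.1.150"})
    for finding in findings:
        print(format_finding(finding))
    print(dict(tally))
```

On the constructed sample the two console flows on the TLS ports come back as "ok", the two flows from 10.0.0.23 are tagged both "plaintext" and "unexpected-source", and the HTTPS flow on 443 is counted as non-AMT and ignored. In a real deployment the allowlist would hold the addresses of the management consoles and the records would come from a flow collector or firewall log.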
2. Identity authentication and authorization
After Intel AMT is configured, two ports will be opened and ready to receive connection instructions from the management console. Transmission Control Protocol (TCP) connections can be established on these two ports at any time. Before accepting commands from the management console, Intel AMT performs identity authentication and authorization using either HTTP-Digest or Kerberos. The authorization phase determines which entity acts as the management console and whether it has the necessary permissions to carry out operations. This authentication and authorization process ensures the security of data transmission and safeguards against potential external attacks by third parties.
Here is a brief overview of the Intel AMT authentication and authorization process, using TLS configuration as an example:
- A connection on port 16993 is received.
- Intel AMT sends credentials to the management console for authentication (this step is skipped if TLS is not configured).
- Intel AMT checks if the management console has a valid and trusted certificate (this step is skipped if TLS is not configured).
- Identity authentication and authorization are performed using HTTP-Digest or Kerberos.
- If the user is not listed in the authorization list of Intel AMT, the connection is refused.
- If the user does not have permission to perform the requested operation, the operation is refused.
- The management operation is executed.
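The HTTP-Digest step above is a challenge/response exchange: the device sends a realm and a nonce, the console answers with a hash that proves it knows the password without sending the password itself, and the device recomputes the same hash to decide whether to accept the connection. The added example below (written for this article; not code from GRL or Intel) carries that exchange through from both sides using RFC 2617 Digest with qop=auth and MD5. The challenge, user name, password, URI and client nonce are the published worked example from RFC 2617 section 3.5, chosen because its expected response value is known; an AMT device would supply its own realm and nonce, and the server-side nonce bookkeeping is an assumption left out here.

```python
"""HTTP-Digest challenge/response as used on the Intel AMT HTTP/HTTPS ports.

Added example: not code from the article, from GRL or from Intel. It
implements RFC 2617 Digest with qop=auth and MD5. The challenge and
credentials below are the worked example from RFC 2617 section 3.5 (a
constructed, published test vector), not values from any AMT device.
"""
import hashlib
import hmac
import re

# Challenge text built from the RFC 2617 section 3.5 example values.
SAMPLE_CHALLENGE = (
    'Digest realm="testrealm@host.com", qop="auth,auth-int", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)
SAMPLE_USER, SAMPLE_PASSWORD = "Mufasa", "Circle Of Life"
SAMPLE_URI, SAMPLE_CNONCE = "/dir/index.html", "0a4f113b"

# key="quoted value" or key=bare-token, separated by commas.
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_params(header):
    """Split a 'Digest k="v", k2=v2' header (challenge or Authorization) into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {k: quoted or bare for k, quoted, bare in _PARAM.findall(params)}


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, password, method, uri, params, cnonce, nc="00000001"):
    """RFC 2617: response = MD5(HA1:nonce:nc:cnonce:qop:HA2), with qop=auth."""
    offered = [q.strip() for q in params.get("qop", "").split(",")]
    if "auth" not in offered:
        raise ValueError("peer did not offer qop=auth")
    ha1 = _md5(f"{username}:{params['realm']}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{params['nonce']}:{nc}:{cnonce}:auth:{ha2}")


def authorization_header(username, password, method, uri, challenge, cnonce, nc="00000001"):
    """Console side: answer the WWW-Authenticate challenge with an Authorization header."""
    response = digest_response(username, password, method, uri, challenge, cnonce, nc)
    fields = [
        f'username="{username}"', f'realm="{challenge["realm"]}"',
        f'nonce="{challenge["nonce"]}"', f'uri="{uri}"', "qop=auth",
        f"nc={nc}", f'cnonce="{cnonce}"', f'response="{response}"',
    ]
    if "opaque" in challenge:  # echoed back unchanged when the server sent one
        fields.append(f'opaque="{challenge["opaque"]}"')
    return "Digest " + ", ".join(fields)


def verify_authorization(authz, method, password_for_user):
    """Device side: recompute the response from the stored secret and compare it
    in constant time. Nonce freshness, nc replay tracking and the opaque value
    are also checked by a real server; they are left out of this example."""
    p = parse_digest_params(authz)
    required = ("username", "realm", "nonce", "uri", "cnonce", "nc", "response")
    if any(k not in p for k in required) or p.get("qop") != "auth":
        return False
    password = password_for_user(p["username"])
    if password is None:
        return False
    expected = digest_response(p["username"], password, method, p["uri"], p, p["cnonce"], p["nc"])
    return hmac.compare_digest(expected, p["response"])


if __name__ == "__main__":
    challenge = parse_digest_params(SAMPLE_CHALLENGE)
    authz = authorization_header(SAMPLE_USER, SAMPLE_PASSWORD, "GET", SAMPLE_URI, challenge, SAMPLE_CNONCE)
    print(authz)
    lookup = lambda user: SAMPLE_PASSWORD if user == SAMPLE_USER else None
    print("accepted:", verify_authorization(authz, "GET", lookup))
```

Two details matter for the "authorization list" step in the article: the device only ever compares hashes it computed itself from its stored secret, so an unknown user (lookup returns None) is refused before any hash comparison, and the comparison uses `hmac.compare_digest` so that a wrong response fails in constant time. Changing the method, the URI or the password changes HA1 or HA2 and the check fails.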
What are the remote operations of Intel AMT?
So, what are the remote operations that authorized IT administrators can perform with Intel AMT? Here are a few examples of common operations:
- Debugging and maintenance of devices, including remote control to power on/off and restart the system.
- Remote viewing and modification of BIOS settings on the system.
- Setting up network traffic filtering to protect the system.
- Monitoring applications running on the system (e.g., checking if antivirus software is active).
- Redirecting the boot process to an image located within the IT administrator's system for remote debugging and maintenance.
- Configuring network environments for accessing Intel AMT management functions.
- Identifying user systems through Universal Unique Identifiers (UUIDs).
- Establishing remote connections to the system through Client Initiated Remote Access (CIRA) profiles, even when devices are outside the corporate network.
For more information and additional applications, please refer to the Intel® Active Management Technology website.
How to run Intel vPro® via Thunderbolt™ 4
The Thunderbolt™ 3/4 Host Functional Compliance Test Specification 1.4, released by Intel, introduced a new test item, 3.5.6 vPro® (AMT). This test item is designed for devices that support Intel vPro® and Ethernet over Thunderbolt™, a feature that enables the use of Intel AMT over a Thunderbolt™ cable.
To enable Intel AMT through the Thunderbolt™ interface, it is necessary for the laptop hardware to support the Intel vPro® platform. Additionally, a Thunderbolt™ 4 dock that supports vPro® (AMT) is required. The following instructions will guide you on how to leverage the Intel vPro® platform for remote software and hardware maintenance through a Thunderbolt™ cable.
A. Setting up the environment
- Connect the vPro® platform laptop with a Thunderbolt™ interface to a Thunderbolt™ 4 dock that supports vPro® (AMT) using a Thunderbolt™ cable.
- Connect the Thunderbolt™ 4 dock to another vPro® (AMT) supported laptop using an Ethernet cable.
Figure 2: Schematic diagram of vPro® (AMT) test environment setup
B. Machine test configuration
- BIOS configuration
  - Access the BIOS setup interface and locate MEBx (Intel® Management Engine BIOS Extension).
  - Enable the Intel AMT feature option.
  - Enable the Intel AMT Configuration feature option.
  - Set the Network Access State option to Network Active.
- Configure a static IP address
  - Set the IPv4 Address, ensuring that TBT Host1 and Host2 are on the same subnet (e.g., TBT Host1 set to 192.168.1.151, Host2 set to 192.168.1.150).
  - Save the settings and return to the OS.
C. Perform remote control
- Open a browser on both TBT Host1 and Host2.
- In the browser of TBT Host1, enter the local IP address, and in the browser of Host2, enter the TBT Host1 IP address (e.g., TBT Host1 enters localhost:16992, Host2 enters 192.168.1.151:16993).
- Once successfully connected, the Intel® Active Management Technology page will appear on the web, and in the System Status interface of TBT Host1, the configured local IP address can be viewed.
- On the Intel® Active Management Technology page of Host2, there will be a Remote Control interface that allows remote operations such as shutting down and restarting TBT Host1.
- Select the desired operation and click Send Command; after a countdown of 20 seconds, the chosen operation will be performed on TBT Host1.
Figure 3: Intel AMT interface on TBT Host1, displaying the configured local IP address
Figure 4: Intel AMT interface on Host2, showing the options for Remote Control
Test your Thunderbolt™ hosts and devices at GRL
As the first certification lab in the world qualified by Intel, GRL provides comprehensive testing services for Thunderbolt™, including electrical validation and functional validation testing on system, dock, monitor, and more. Our team possesses extensive testing experience, in-depth domain knowledge, and robust industry connections, positioning us to deliver unparalleled support to our customers.
References
- Active Platform Management Demystified - Chapter 11: Connecting and Communicating with Intel® Active Management Technology
- Top 8 Reasons the Intel vPro® Platform Is Great for the Remote Workplace
- What Is the Intel vPro® Platform?
- Intel® Active Management Technology
- 618475_Thunderbolt3_4 host certification collateral rev2.7.3
Reese Li, Test Engineer of GRL
Reese is a GRL Thunderbolt Certification Test Engineer. He is acquainted with test specifications and principles of Thunderbolt and assists customers in solving challenging test problems and attaining certification.