Following on from my previous blog where we used the Intel® SCS Add-on for Microsoft* System Center Configuration Manager to discover Intel® Active Management Technology (Intel® AMT) devices, this article discusses a simple method using Microsoft PowerShell cmdlets to locally or remotely get instances and information about WMI classes related to AMT firmware and BIOS versions.
Intel® Setup and Configuration Software (Intel® SCS) will check for an escalation or privilege firmware vulnerability (SA-00075) and will not configure (provision) AMT devices if this is not updated. The objective is to identify Intel vPro platforms that may require an AMT firmware or BIOS update and enable a smoother experience when configuring AMT.
Intel Management Engine (ME) WMI Provider
If the AMT device already has the Intel Management Engine Driver components installed (either from here or the OEM) then the Intel ME WMI provider will be available. This is implemented as a DLL (MeProv.dll) and extends the existing Windows WMI service by abstracting low-level Management Engine Interface (MEI) operations through WMI.
The Intel ME WMI provider creates six classes in the root\Intel_ME namespace.
|Provides information on the Intel Manageability Engine (ME)|
This class provides information on provisioning certificate hashes available within firmware.
|AMT_EthernetPortSettings||Contains all AMT network specific settings i.e. IP, DHCP, VLAN for one network interface in the system|
|AMT_Service||Provides access to AMT features such as KVM, USB-R etc.|
|AMT_SetupAuditRecord||Provides a record of the last ME Activation Event as recorded by ME|
|OOB_Service||Handles AMT provisioning and reports on the OOB configuration|
We focus on the first class in this article, ME_System to gather firmware and host information. Type the following into a Windows PowerShell command line:
Get-WmiObject -Class ME_System -Namespace root\Intel_ME
We’re only really interested in two pieces of information, computername (PSComputerName) and firmware (FWVersion) so we format output for the same command:
Get-WmiObject -Class ME_System -Namespace root\Intel_ME | Format-List PSComputerName,FWVersion
You can run the same command remotely using the -Credential parameter (user account name) of the Get-WmiObject cmdlet. You will be prompted for a password
Get-WmiObject Win32_Service -Credential vprodemo\administrator -Computer vproclient
Microsoft System Center Configuration Manager WMI Provider
If you don’t have the Intel Management Engine Driver components installed (either from here or the OEM) then the Intel ME WMI provider will not be available.
However if you use Configuration Manager then you leverage the SMS_AMTObject WMI class which is used by the Configuration Manager Hardware Inventory client and provides Intel AMT information for reporting purposes.
Type the following into a Windows PowerShell command line:
Get-WmiObject -Class SMS_AMTObject -Namespace root\cimv2\SMS
Again we are only really interested in a couple of pieces of information i.e. computername (PSComputerName) and AMT firmware version and build (AMT and BuildNumber) so we format output for the same command:
Get-WmiObject -Class SMS_AMTObject -Namespace root\cimv2\SMS | Format-List PSComputerName,AMT,BuildNumber
NOTE: Starting in Windows PowerShell 3.0, the Get-WmiObject cmdlet has been superseded by Get-CimInstance.