Action the Fixlet: Invoke - Intel SA 00075 Probe - Windows against your devices. This populates some information in the Registry.
Activate the Analysis: Vulnerabilities - Intel SA 00075 - Windows. This will populate with Vulnerable and Exposed information for your endpoints.
Use the Fixlet: Invoke - Intel SA 00075 Unprovision Active Management Technology - Windows to unprovision AMT on the Computers.
Reboot the Computers and re-run the Probe.
Use the Fixlet: Invoke - Intel SA 00075 Remove Local Management Service - Windows to remove the LMS Service.
The reason you should reboot between un-provisioning AMT and removing LMS is to verify that AMT has been unprovisioned prior to removing LMS, per Intel’s remediation guide. You cannot reliably run the Intel SA 00075 Probe after un-provisioning until a reboot has occurred, per Intel’s Unprovisioning guide.
Thanks for making this available for us!
If I understand correctly, the probe would download INTEL SA 00075 to all computers, as it only checks if it’s Windows and has an Intel processor, but isn’t there a relevance to just check if INTEL SA 00075 is already installed first?
I can utility cache the zip if you’re concerned about repeat downloads but as far as I can tell you can’t install the Intel tool? It seems to be a bunch of executables in a zip – is there an installer?
It is possible that some servers already have the Intel SA 00075 and I’m trying to check that with relevance, like:
exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool\ME Firmware Information" of registry
Actually I didn’t know if there is an installer or not. But it definitely needs to output to the registry right?
That’s all my concern and I’m grateful you wrote this fixlet and launched the topic.
So that is just the results of the last scan. Unfortunately Intel doesn’t pop the Exposed/Vulnerable information into the registry – you only get that information from the command line output.
You will need to re-run the scan periodically to capture newly vulnerable/exposed machines as well as patched/remediated machines.
This Fixlet runs the tool with command line output, gathers the vulnerable/exposed result into the registry, and makes that info available for the analysis. For this reason just running the original tool isn’t enough to pull the data into BigFix.
The Tool itself just puts the versions of the components and service states into the registry – if someone knows the exact combo of components and service states that yield exposed and vulnerable then we can start using the output from the original tool.