1306 Intel AT was enabled; Device has since been re-imaged, now locks every 10 minutes


A customer had an issue where, having installed and enabled Intel AT functionality, he then re-imaged the device without first applying a different profile to de-enroll or disable Intel Anti-theft functionality.
 

Because Intel AT runs at the BIOS level, and because the machine cannot connect to SES (with the new image, it doesn't even know it should try), the Intel AT functionality still "live" in the BIOS has hit the non-communication timeout threshold and continues to force the machine to lock up every 10 minutes.

NOTE: This is surprisingly common. In this case, the customer did not thoroughly understand that Intel AT functionality runs within the BIOS. It must therefore be actively disabled before the device can safely be re-imaged, or it will continue to act within the BIOS to protect the device (there may be a training or documentation opportunity here).


THE FIX:

It is possible to offer the customer a solution, which requires that the user sign a non-disclosure agreement (NDA).

He can be sent a "secret" mini-app that resets the Intel AT information within the BIOS, changing the timer setting so that the device no longer locks up. The following prerequisites apply:

- It can only be utilized for a device that is not in a "stolen" state.
- The existing AT license key (the one chosen within the Profile and deployed to the client) must be known and will be entered into the tool (it's a command-line tool).


See WinMagic support for use of this tool; however, there are other ways to accomplish this.

If able to detect that it is the same machine, then the  ??? what's missing here?

Naturally, this tool is very dangerous: it can be applied to any device running Intel AT to disable the lock-up that would normally take place after a period of non-communication (hence the NDA).

If a customer requires this, contact David Gootman in Development to arrange for it.
Eric Wong in the PSE team is quite expert in using it as well, as are the members of the Support team.

The NDA document the customer must sign is entitled "Mutual Non-Disclosure Agreement" - see Finance for a copy of the NDA to send to the customer.

We may need to have a better (less ad hoc) process for this, which will be documented as it is developed.

PSE Team - see PSE private folder for further information.

README file from the tool:

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
This TOOL is WinMagic Confidential and MUST NOT be shared with anyone.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Requirements:
- Be booted into Windows.
- Device must not be stolen.
- Need Intel AT license key from SES
- Need a non-ME protected keyfile to login at preboot after de-enrol

To use:
1. Start DOS box, cd to the directory containing all the files
2. Edit LicenseKey.txt and paste in the Intel AT license key that the system was enrolled with. You can get this from the SES profile or global options. If there is more than one license key, be sure to get the right one.
3. Run 'IntelATUtil -i' to print information about the system
4. Run 'IntelATUtil -d' to de-enrol the client; by default it uses the test Intel permit server. If using a production license key you must run 'IntelATUtil -d -p https://ias.intel.com:443'
5. Securely delete the LicenseKey.txt file

Device should be unenrolled.