On May 1st 2017, Intel published a security advisory regarding a firmware vulnerability in certain systems that utilize Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM) or Intel® Small Business Technology (SBT). The vulnerability could enable a network attacker to remotely gain access to business PCs or devices that use these technologies.

Summary

There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology versions firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products.  This vulnerability does not exist on Intel-based consumer PCs with consumer firmware, Intel servers utilizing Intel® Server Platform Services (Intel® SPS), or Intel® Xeon® Processor E3 and Intel® Xeon® Processor E5 workstations utilizing Intel® SPS firmware.

Description

There are two ways this vulnerability may be accessed, please note that Intel® Small Business Technology is only vulnerable to the second method:

• An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel® Active Management Technology (AMT) and Intel® Standard Manageability (ISM).
• An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology (SBT).

Threat level

Severe.

• A system with unpatched ME firmware, running the Intel Local Manageability Service, is affected, whether or not vPro is provisioned.
• A system with unpatched ME firmware, with vPro provisioned, is affected, whether or not the Local Manageability Service is running.

Recommendations

Our customer's security is paramount, to that end Stone are working with key vendors to provide firmware updates which close this vulnerability as quickly as possible. Those updates will be able available to download from this article as soon as they are made available to us

Intel has released a discovery tool which will analyse your systems for the vulnerability.

Actions:

1. Determine if you have an Intel® AMT, Intel® SBA, or Intel® ISM capable systems. If you determine that you do not have an Intel® AMT, Intel® SBA, or Intel® ISM capable system then no further action is required.

2. Utilize the INTEL-SA-00075 Detection Guide to assess if your system has the impacted firmware.

3. Stone highly recommends updating affected systems Management Engine (ME) firmware as soon as they become available. Please review the affected products section of this article for ME firmware update availability.

• Management Engine (ME) Firmware versions that resolve the issue have a four digit build number that starts with a “3” (X.X.XX.3XXX) Example: 8.1.71.3608.
• After the BIOS or ME patch update, to completely mitigate any risks, any previously configured AMT functionality should be de-provisioned and then re-configured. This prevents any compromised machines from retaining "hacked" logins.

4. If a firmware update is not yet available, mitigations are provided by the INTEL-SA-00075 Mitigation Guide. It is recommended that unpatched systems should have the steps detailed in the mitgation guide applied to them until such time as an ME firmware update becomes available.

• De-provision AMT
• Fully disable the Local Management / Manageability Service within the operating system

Affected Products

The issue has been observed in Intel manageability firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel® Active Management Technology, Intel® Small Business Technology, and Intel® Standard Manageability. Versions before 6 or after 11.6 are not impacted.

Where possible, updated BIOSes or patches for Management Engine Firmware are shown below. This article will be updated as more BIOSes or patches become available.

StonePC Lite/Tower / All In One

Legacy Desktop Products

Further information regarding Intel’s release schedule for their own branded desktop products can be found here.

StonePC Micro

Stone Notebooks

Applies to:

• Stone Desktop, Notebook and NUC products with Intel AMT (such as B or Q series chipsets),

Intel Management Engine (Intel ME 11.0.0-11.7.0), Intel Trusted Execution Engine (Intel TXE 3.0), and Intel Server Platform Services (Intel SPS 4.0) vulnerability (Intel-SA-00086)

Summary
On November 20th 2017, Intel published a security advisory regarding a firmware vulnerability in certain systems that utilize ME Firmware versions 11.0 / 11.5 / 11.6 / 11.7 / 11.10 / 11.20, SPS Firmware version 4.0, and TXE version 3.0.

Please download and view the document attached to this article for further information and firmware / BIOS patch availability.

Note: The attached document will be updated as new information becomes available.

Applies to:

• Stone branded products

What is BitLocker automatic device encryption

BitLocker is a security technology incorporated into Microsoft Windows operating systems starting from Windows 8, which is intended to protect users by encrypting data stored on a device, or external storage media (such as USB hard disk drives).

During the ongoing development of Windows 10, Microsoft made a change which sought to automatically provide this data security to its customers by activating BitLocker for devices which were designed to meet modern hardware standards.

With the continued evolution of hardware standards, alongside the release of Windows 11 24H2 Microsoft have now introduced a reduced set of hardware requirements which devices need to meet to become eligible for BitLocker automatic encryption.
 

Which devices are eligible?

Going forward from Windows 11 24H2 the requirements will be:

• The device contains a TPM (Trusted Platform Module), either TPM 1.2 or TPM 2.0.
• UEFI Secure Boot is enabled.
• Platform Secure Boot is enabled

This essentially means all Stone brand devices which already meet the hardware requirements for Windows 11 (external link), are now in-scope for BitLocker automatic encryption.
 

When does BitLocker automatic encryption occur?

Following a clean installation of Windows 11 24H2 (Home, Professional, Enterprise and Education) and the completion of OOBE (Out Of Box Experience) where users go through the initial Windows setup, BitLocker will initialise and prepare to encrypt data on all fixed internal storage drives.
However, data encryption will not take effect until the first time a user logs into the device using a Microsoft Account (available for individual users) or an Azure Active Directory Account (likely to be provided by an education institution or employer).
Once either of these two scenarios occur, BitLocker will arm, link the encryption keys to your account and store them in the cloud.

We strongly recommend that all users or administrators ensure that BitLocker keys are backed up, as they will be required if a device enters BitLocker Recovery Mode for any reason.

BitLocker recovery mode

BitLocker recovery mode can occur for many reasons including hardware or software changes, below are some examples:

Authentication errors:

• Forgetting the PIN.
• Entering incorrect PIN too many times (activating the anti-hammering logic of the TPM).
• Using a keyboard with a different layout that doesn’t enter the PIN correctly, or one that doesn’t map as assumed by the pre-boot environment.

Boot/BIOS changes:

• Changes to the master boot record (MBR) on the disk.
• Changes to the boot manager (Bootmgr) on the disk.
• Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive.
• Turning off BIOS support for reading USB devices in the pre-boot environment when using USB-based keys.
• Changing the BIOS boot order to boot another drive ahead of the hard drive (such as giving a CD or DVD drive boot sequence priority).
• Failing to boot from a network drive before booting from the hard drive.

Hardware, software and firmware changes:

• Adding or removing hardware.
• Upgrading main system firmware.
• Upgrading TPM firmware.
• Turning off, disabling, deactivating, or clearing the TPM.
• Updating option ROM firmware
• Docking or undocking a portal computer if the computer was (respectively) undocked or docked when BitLocker was turned on.
• Changes to NTFS partition table on the disk including: Creating, Deleting, Resizing primary partition.

Other triggers:

• Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile.
• Hiding the TPM from the operating system.
• Moving the BitLocker-protected drive to a different system.
• Upgrading the motherboard to a new one with a new TPM.
• Disabling the code integrity check or enabling test signing on Windows Bootmgr.

If BitLocker recovery mode occurs, you'll be prompted to input a BitLocker recovery key, which is a 48-digit number.

Prompting for the recovery key will either occur during start-up, due to a security risk or hardware change:

Or you may be prompted to input the recovery key for data and/or external drives, for example if you forgot the unlock password:

Where can I find a BitLocker recovery key?

When you are prompted to enter a BitLocker recovery key, take note of the first 8 digits of the recovery key ID.

The recovery key ID helps identifying which recovery key to use, in case you have more than one. 

Where BitLocker automatic encryption has occurred, there are primarily two places where your recovery key might be.

What if I can't find the recovery key?

If your device is managed by an organisation, check with their IT department to retrieve the recovery key.

If you can’t find the BitLocker recovery key and are unable to undo any changes that caused it to be needed, you’ll have to reset your device.

Resetting your device will remove all of your files.

Affected products:

• Any Windows 11 compatible Stone branded desktop, notebook or workstation product, where a clean installation of Windows 11 24H2 has occurred.