One Click Recovery (OCR)

Intel® One-Click Recovery (OCR) enables IT administrators to remotely and securely boot a device into a recovery environment using Intel AMT's out-of-band (OOB) connection. This ensures reliable recovery from system failures, bare-metal states, or connectivity issues.

In cloud deployments, the Management Presence Server (MPS) now supports a secure power action to initiate HTTPS Boot, allowing recovery from a specified network URL.

Supported Recovery Options in OCR

  • UEFI HTTPS Network Boot: Securely boot a recovery image over HTTPS.

  • Windows Recovery Environment (WinRE): Access Windows tools for repair and troubleshooting.

  • Local Pre-Boot Application (PBA): Launch a locally installed recovery or diagnostic tool.

Future Enhancements

  • Currently, MPS supports only the HTTPS Network Boot feature.
  • The HTTPS Boot feature works only when the device is connected via a wired network.

Wireless support and additional One Click Recovery features are planned for future updates.

Prerequisites for HTTPS Boot

Before using HTTPS Network Boot, ensure the following prerequisites are met:

  1. Enable HTTP(S) Boot in BIOS settings. This may be disabled by default on some devices.

    Figure 1: Enable HTTP(S) Boot in BIOS

  2. When recovering a device using an ISO that isn’t signed by a trusted certificate authority, you’ll need to disable Secure Boot in the BIOS settings.

    Figure 2: Disable Secure Boot in BIOS

  3. Set up an HTTPS server to host the ISO.

    HTTPS Server

    • For this guide, the HTTPS server is assumed to be running on the same host as the containers and is serving a full Ubuntu LTS image from: https://192.168.88.250:8500/ubuntu.iso.
    • Setup instructions for the HTTPS server are not included here. Please ensure you have a functional HTTPS server configured beforehand. If needed, numerous online resources are available to help you get started.
  4. Make sure that the device shows as connected in the Sample UI or via the Get Device MPS API.

HTTPS Boot using Cloud Deployment

The MPS APIs can perform recovery using HTTPS Boot. For quick demos and initial testing, the feature is also implemented in the Sample UI.

Triggering HTTPS Boot using Sample UI

  1. Make sure that the target device shows as connected.

    Figure 3: Device connected to MPS

  2. Enable the OCR feature in the General AMT Info section.

    Is HTTPS Network Boot supported?

    If the HTTPS Network Boot checkbox is unchecked, the device does not support this feature.

    Figure 4: Enable HTTPS Network Boot

  3. Upload the Root Certificate of the HTTPS server hosting the ISO via the Add New certificates option.

    Figure 5: Add Root Certificate of HTTPS Server

  4. Click on the three-dot menu and select Reset to HTTPS Boot (OCR).

    Figure 6: Reset to HTTPS Boot (OCR)

  5. Enter the ISO URL (e.g., https://192.168.88.250:8500/ubuntu.iso).

    Check ISO URL

    Ensure the HTTPS Server ISO URL is accessible to the device.

    Figure 7: URL to the .iso hosted on HTTPS Server

  6. Optionally, enable Enforce Secure Boot to boot only a secure .iso file.

    Secure Boot

    If Secure Boot is enabled, the UEFI BIOS must have the Root Certificate used to sign the ISO's bootloader in its trusted database (DB) to allow execution.

  7. Click OK to start the recovery process. The device will restart and boot from the ISO.

  8. Optionally, connect to KVM and verify that the device loads the ISO.

    Figure 8: View KVM screen while the ISO boots

    Figure 9: Full Ubuntu LTS Boot

    KVM Keyboard Issue

    If KVM is connected before initiating OCR via HTTPS Boot, the keyboard may not work when entering the URL.

Triggering HTTPS Boot via MPS APIs

  1. Authenticate and Get Login Token:

    First, authenticate with MPS and retrieve a token to use for all subsequent API calls. Save this token to use in the Authorization header for the next steps.

    curl --insecure -X POST https://<IP_ADDRESS_OR_FQDN_OF_SERVER>/mps/login/api/v1/authorize -H "Content-Type:application/json" -d "{\"username\":\"<MPS_WEB_ADMIN_USER>\", \"password\":\"<MPS_WEB_ADMIN_PASSWORD>\"}"
    

    Expected Response:

    {"token":"<YOUR_JWT_TOKEN>"}
    
  2. Get Connected Devices:

    Fetch the list of connected devices.

    curl --insecure https://<IP_ADDRESS_OR_FQDN_OF_SERVER>/mps/api/v1/devices -H "Authorization: Bearer <YOUR_JWT_TOKEN>"
    

    Example Response:

    [
      {
        "guid": "5d52da54-199c-cc3c-3e96-88aedd668dff",
        "hostname": "DESKTOP-VDGKNB5",
        ...
      }
    ]
    

    Next Steps

    Select the GUID of your target device (e.g., 5d52da54-199c-cc3c-3e96-88aedd668dff) for use in subsequent steps.

  3. Check AMT Features and OCR Support:

    Verify that the target device supports OCR and HTTPS Boot. If "ocr": false, proceed to Step 4 to enable it.

    curl --insecure https://<IP_ADDRESS_OR_FQDN_OF_SERVER>/mps/api/v1/amt/features/<DEVICE_GUID> -H "Authorization: Bearer <YOUR_JWT_TOKEN>"
    

    Look for:

    "ocr": true,
    "httpsBootSupported": true
    

    Is HTTPS Network Boot supported?

    If the httpsBootSupported property is false, the device does not support HTTPS Boot using Intel AMT. This is a read-only value reported by Intel AMT and cannot be modified.

  4. Enable OCR (if not already enabled):

    If Step 3 showed that OCR is not enabled, use this command to enable it:

    curl --insecure -X POST https://<IP_ADDRESS_OR_FQDN_OF_SERVER>/mps/api/v1/amt/features/<DEVICE_GUID> -H "Content-Type: application/json" -H "Authorization: Bearer <YOUR_JWT_TOKEN>" -d "{\"enableIDER\":true,\"enableKVM\":true,\"enableSOL\":true,\"userConsent\":\"none\",\"redirection\":true,\"ocr\":true}"
    

    Expected Response:

    {"status":"AMT Features updated"}
    
  5. Upload Trusted Root Certificate:

    This is the certificate of the HTTPS server hosting the .iso.

    First, generate the base64-encoded string of your certificate. For example, in PowerShell:

    [Convert]::ToBase64String([IO.File]::ReadAllBytes("<PATH_TO_CERTIFICATE_FILE>"))

    Or, with the base64 command-line utility:

    base64 -i <PATH_TO_CERTIFICATE_FILE>
    

    Then, to upload the certificate use the curl command:

    curl --insecure -X POST https://<IP_ADDRESS_OR_FQDN_OF_SERVER>/mps/api/v1/amt/certificates/<DEVICE_GUID> -H "Content-Type: application/json" -H "Authorization: Bearer <YOUR_JWT_TOKEN>" -d "{\"cert\":\"<BASE64_ENCODED_CERT>\",\"isTrusted\":true}"
    

    Expected Response:

    {"handle":"Intel(r) AMT Certificate: Handle: 2"}
    
  6. Trigger OCR via HTTPS Boot:

    Send the power action to initiate OCR with the HTTPS ISO:

    curl --insecure -X POST https://<IP_ADDRESS_OR_FQDN_OF_SERVER>/mps/api/v1/amt/power/bootoptions/<DEVICE_GUID> -H "Content-Type: application/json" -H "Authorization: Bearer <YOUR_JWT_TOKEN>" -d "{\"action\":105,\"useSOL\":false,\"bootDetails\":{\"url\":\"<ISO_URL>\",\"username\":\"\",\"password\":\"\",\"enforceSecureBoot\":true}}"
    

    Expected Response:

    {"Body":{"ReturnValue":0,"ReturnValueStr":"SUCCESS"}}
    
  7. Optionally, connect to KVM and verify that the device loads the ISO.

    Figure 10: View KVM screen while the ISO boots
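
The sequence in steps 1 to 6, as an added Python example (not code from this page or from the toolkit): it validates the ISO URL before any call is made, stops if the device is not listed or httpsBootSupported is false, and verifies the MPS certificate instead of using --insecure. The function names, the `call` transport interface and the `ca_file` parameter are assumptions of this example; the endpoints and request bodies are the ones shown in the steps above.

```python
import base64, json, ssl, urllib.request
from urllib.parse import urlsplit

# Step 4 body exactly as given on the page.
ENABLE_OCR = {"enableIDER": True, "enableKVM": True, "enableSOL": True,
              "userConsent": "none", "redirection": True, "ocr": True}

def https_call(base, ca_file=None):
    """Transport that verifies the MPS certificate (ca_file: CA bundle path, an assumption)."""
    ctx = ssl.create_default_context(cafile=ca_file)  # instead of curl --insecure
    def call(method, path, body=None, token=None):
        headers = {"Content-Type": "application/json"}
        if token:
            headers["Authorization"] = f"Bearer {token}"
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base + path, data=data, headers=headers, method=method)
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)
    return call

def boot_payload(iso_url, enforce_secure_boot=True):
    """Step 6 body; rejects any URL that is not https:// with a host."""
    parts = urlsplit(iso_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"ISO URL must be https://host/path, got {iso_url!r}")
    return {"action": 105, "useSOL": False,
            "bootDetails": {"url": iso_url, "username": "", "password": "",
                            "enforceSecureBoot": enforce_secure_boot}}

def https_boot(call, user, password, guid, cert_bytes, iso_url):
    """Steps 1-6 in order; raises before changing device state if a check fails."""
    payload = boot_payload(iso_url)
    token = call("POST", "/mps/login/api/v1/authorize",
                 {"username": user, "password": password})["token"]
    devices = call("GET", "/mps/api/v1/devices", token=token)
    if not any(d.get("guid") == guid for d in devices):
        raise RuntimeError(f"{guid} is not in the connected-device list")
    feats = call("GET", f"/mps/api/v1/amt/features/{guid}", token=token)
    if not feats.get("httpsBootSupported"):
        raise RuntimeError("httpsBootSupported is false; AMT reports it read-only")
    if not feats.get("ocr"):
        call("POST", f"/mps/api/v1/amt/features/{guid}", ENABLE_OCR, token)
    cert_b64 = base64.b64encode(cert_bytes).decode()  # one line, no wrapping
    call("POST", f"/mps/api/v1/amt/certificates/{guid}",
         {"cert": cert_b64, "isTrusted": True}, token)
    result = call("POST", f"/mps/api/v1/amt/power/bootoptions/{guid}", payload, token)
    if result.get("Body", {}).get("ReturnValue") != 0:
        raise RuntimeError(f"boot action not accepted: {result}")
    return result
```

To run it against a server, pass `https_call("https://<IP_ADDRESS_OR_FQDN_OF_SERVER>", "<PATH_TO_CA_BUNDLE>")` as `call`, where the CA bundle is the one that issued the MPS certificate.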

API Reference

| Endpoint | Method | Purpose | JSON Structure |
|---|---|---|---|
| /mps/login/api/v1/authorize | POST | Authenticate and get JWT token | {"username":"<MPS_WEB_ADMIN_USER>", "password":"<MPS_WEB_ADMIN_PASSWORD>"} |
| /mps/api/v1/devices | GET | List connected devices | N/A |
| /mps/api/v1/amt/features/<GUID> | GET | Check device AMT features | N/A |
| /mps/api/v1/amt/features/<GUID> | POST | Enable/disable AMT features | {"enableIDER":true,"enableKVM":true,"enableSOL":true,"userConsent":"none","redirection":true,"ocr":true} |
| /mps/api/v1/amt/certificates/<GUID> | POST | Upload trusted certificates | {"cert":"<BASE64_ENCODED_CERT>","isTrusted":true} |
| /mps/api/v1/amt/power/bootoptions/<GUID> | POST | Trigger OCR boot options | {"action":105,"useSOL":false,"bootDetails":{"url":"<ISO_URL>","username":"","password":"","enforceSecureBoot":true}} |