What ports REALLY need to be open for AMT in SCCM?

The question came up recently about what ports are really needed for AMT in SCCM.  The documentation (https://technet.microsoft.com/en-us/library/bb632618.aspx) indicates a list of ports that are used by AMT for various communication that takes place between various AMT components during management.  The documentation is correct but is also potentially confusing. 

One thing to understand is that on the client, AMT function is handled in the firmware – the operating system really is secondary.  It’s possible to fully manage a system via AMT even when it is powered down or the OS is failing to load.  Why is this important?  The Windows firewall.  Based on the documentation we provide listing the required ports, a natural thought is that these ports need to be opened on the Windows firewall.  This generally isn’t the case, but there is one exception, and that is on the Out of Band service point (OOBSP).  The OOBSP, an SCCM site system role, listens for incoming hello messages from AMT systems on port 9971.  Since this component IS part of the running operating system, we do need to have port 9971 opened in the Windows firewall or hello packets will be blocked and out of band provisioning will not work.

So are the ports documented in the link above relevant?  Absolutely.  If there are firewalls in place other than the Windows client firewall between AMT components, you do need to ensure the ports listed are opened and accessible.  Hope this clears up any confusion.
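As an added example (not part of the original post), here is how an administrator could create and verify the one Windows firewall exception described above on the OOBSP host. It assumes a Windows Server with the NetSecurity PowerShell module (Server 2012 or later), assumes the hello traffic is TCP, and the rule name is invented:

```powershell
# Added example, not from the original post: allow inbound TCP 9971 on the OOBSP
# host only, scoped to the Domain profile, then confirm both the rule and the listener.
# Assumes the NetSecurity module is available; the rule display name is made up here.
$ruleName = 'ConfigMgr OOBSP - AMT hello (TCP 9971)'
$port     = 9971

# Create the rule only if it does not already exist, so re-running is safe.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort $port `
        -Profile Domain -Action Allow -Enabled True | Out-Null
}

# Verify: the rule is present and enabled, and something is actually listening on 9971.
# An allow rule with no listener means the OOBSP role is not installed or its service
# is stopped, which is not a firewall problem and should be fixed separately.
$rule     = Get-NetFirewallRule -DisplayName $ruleName
$listener = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue

[pscustomobject]@{
    RuleEnabled = ($rule.Enabled -eq 'True')
    Listening   = [bool]$listener
    OwningPid   = $listener.OwningProcess
}
```

Keep the rule on the OOBSP host only; per the post, the AMT clients themselves handle this traffic in firmware and need no corresponding Windows firewall rule.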