diff --git a/internal/amt/commands.go b/internal/amt/commands.go
index 7a0e10f9..451095ee 100644
--- a/internal/amt/commands.go
+++ b/internal/amt/commands.go
@@ -80,6 +80,9 @@ func (r ChangeEnabledResponse) IsAMTEnabled() bool {
 func (r ChangeEnabledResponse) IsNewInterfaceVersion() bool {
 return ((r >> 7) & 1) == 1
 }
+func (r ChangeEnabledResponse) IsTlsEnforcedOnLocalPorts() bool {
+ return ((r >> 6) & 1) == 1
+}
 type Interface interface {
 Initialize() error
diff --git a/internal/local/activate.go b/internal/local/activate.go
index 87d168dc..3ae75c4e 100644
--- a/internal/local/activate.go
+++ b/internal/local/activate.go
@@ -33,7 +33,15 @@ func (service *ProvisioningService) Activate() error {
 return utils.UnableToActivate
 }
- service.CheckAndEnableAMT(service.flags.SkipIPRenew)
+ tlsEnforced, err := service.CheckAndEnableAMT(service.flags.SkipIPRenew)
+ if err != nil {
+ return err
+ }
+
+ if tlsEnforced {
+ log.Error("TLS is enforced on local ports, unable to activate")
+ return utils.UnsupportedAMTVersion
+ }
 // for local activation, wsman client needs local system account credentials
 lsa, err := service.amtCommand.GetLocalSystemAccount()
diff --git a/internal/local/lps_test.go b/internal/local/lps_test.go
index 490ccc21..74f61048 100644
--- a/internal/local/lps_test.go
+++ b/internal/local/lps_test.go
@@ -641,6 +641,8 @@ type MockAMT struct{}
 const ChangeEnabledResponseNewEnabled = 0x82
 const ChangeEnabledResponseNewDisabled = 0x80
 const ChangeEnabledResponseNotNew = 0x00
+const ChangeEnabledResponseNewTLSEnforcedEnabled = 0xC2
+const ChangeEnabledResponseNewTLSEnforcedDisabled = 0xC0
 var mockChangeEnabledResponse = amt2.ChangeEnabledResponse(ChangeEnabledResponseNewEnabled)
 var errMockChangeEnabled error = nil
diff --git a/internal/local/opstate.go b/internal/local/opstate.go
index f0aa873b..7181b2e4 100644
--- a/internal/local/opstate.go
+++ b/internal/local/opstate.go
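Review bot: IsTlsEnforcedOnLocalPorts is an exported method with no doc comment, and what bit 6 means is only recoverable from the caller in activate.go. Suggest `// IsTlsEnforcedOnLocalPorts reports whether bit 6 of the response is set, i.e. the firmware enforces TLS on its local ports; per activate.go, local activation is refused in that state.` Its sibling IsAMTEnabled uppercases the initialism, so `IsTLSEnforcedOnLocalPorts` would follow the package's own convention, though renaming would touch the opstate.go hunk as well. Nothing in this method gates on IsNewInterfaceVersion, so callers must keep checking that first, as opstate.go does; worth a sentence in the comment.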
@@ -22,29 +22,34 @@ func (service *ProvisioningService) EnableAMT() error {
 return nil
 }
-func (service *ProvisioningService) CheckAndEnableAMT(skipIPRenewal bool) error {
- rsp, err := service.amtCommand.GetChangeEnabled()
+func (service *ProvisioningService) CheckAndEnableAMT(skipIPRenewal bool) (bool, error) {
+ resp, err := service.amtCommand.GetChangeEnabled()
+ tlsIsEnforced := false
 if err != nil {
 log.Error(err)
- return utils.AMTConnectionFailed
+ return tlsIsEnforced, utils.AMTConnectionFailed
 }
- if !rsp.IsNewInterfaceVersion() {
+ if !resp.IsNewInterfaceVersion() {
 log.Debug("this AMT version does not support SetAmtOperationalState")
- return nil
+ return tlsIsEnforced, nil
 }
- if rsp.IsAMTEnabled() {
+ if resp.IsTlsEnforcedOnLocalPorts() {
+ tlsIsEnforced = true
+ log.Debug("TLS is enforced on local ports")
+ }
+ if resp.IsAMTEnabled() {
 log.Debug("AMT is already enabled")
- return nil
+ return tlsIsEnforced, nil
 }
 err = service.EnableAMT()
 if err != nil {
- return err
+ return tlsIsEnforced, err
 }
 if !skipIPRenewal {
 err := service.RenewIP()
- return err
+ return tlsIsEnforced, err
 }
- return nil
+ return tlsIsEnforced, nil
 }
 func (service *ProvisioningService) RenewIP() error {
diff --git a/internal/local/opstate_test.go b/internal/local/opstate_test.go
index 96d024b7..29a55120 100644
--- a/internal/local/opstate_test.go
+++ b/internal/local/opstate_test.go
@@ -21,6 +21,7 @@ func TestCheckAndEnableAMT(t *testing.T) {
 name string
 skipIPRenewal bool
 expectedRC error
+ expectedTLS bool
 rsp amt.ChangeEnabledResponse
 errChangeEnabled error
 errEnableAMT error
@@ -42,6 +43,12 @@ func TestCheckAndEnableAMT(t *testing.T) {
 expectedRC: nil,
 rsp: ChangeEnabledResponseNewEnabled,
 },
+ {
+ name: "expect 1 if TLS is enforced",
+ expectedRC: nil,
+ expectedTLS: true,
+ rsp: ChangeEnabledResponseNewTLSEnforcedEnabled,
+ },
 {
 name: "expect AmtNotReady for enable if error occurs",
 expectedRC: utils.AmtNotReady,
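Review bot: When TLS is enforced but AMT is not yet enabled, CheckAndEnableAMT still calls service.EnableAMT() and RenewIP() before returning the flag, and Activate() in the activate.go hunk then refuses with UnsupportedAMTVersion — the device has been enabled and its lease renewed for an activation that cannot proceed. If the intent is to abort, return straight after the check: `if resp.IsTlsEnforcedOnLocalPorts() { log.Debug("TLS is enforced on local ports"); return true, nil }`; if enabling is deliberately still wanted, say so in a comment there. The method is exported and its signature changed, so it needs a doc comment describing both results, e.g. `// CheckAndEnableAMT enables AMT when the firmware supports SetAmtOperationalState and it is not already enabled; the bool reports whether TLS is enforced on the local ports.` The pre-existing `err := service.RenewIP()` shadows the outer err, which is harmless here but easy to trip on when the branch grows.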
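Review bot: The new case only covers TLS enforced with AMT already enabled (ChangeEnabledResponseNewTLSEnforcedEnabled), so the path where the flag is set and EnableAMT/RenewIP still run is untested; lps_test.go adds ChangeEnabledResponseNewTLSEnforcedDisabled but no visible hunk uses it. Add a case with `rsp: ChangeEnabledResponseNewTLSEnforcedDisabled, expectedTLS: true, expectedRC: nil` so that any later change to the early-return behaviour is caught. The name `"expect 1 if TLS is enforced"` describes a bool as 1; `"expect tlsEnforced true when TLS is enforced"` matches what the assertion checks.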
@@ -76,7 +83,8 @@ func TestCheckAndEnableAMT(t *testing.T) {
 mockRenewDHCPLeaseerr = tc.renewDHCPLeaseRC
 f := &flags.Flags{}
 lps := setupService(f)
- err := lps.CheckAndEnableAMT(tc.skipIPRenewal)
+ tlsForced, err := lps.CheckAndEnableAMT(tc.skipIPRenewal)
+ assert.Equal(t, tc.expectedTLS, tlsForced)
 assert.Equal(t, tc.expectedRC, err)
 mockChangeEnabledResponse = origRsp
 errMockChangeEnabled = origChangeEnabledErr
diff --git a/pkg/utils/constants.go b/pkg/utils/constants.go
index d8b0eec4..1e6d1339 100644
--- a/pkg/utils/constants.go
+++ b/pkg/utils/constants.go
@@ -126,6 +126,7 @@ var ActivationFailedGetControlMode = CustomError{Code: 134, Message: "Activation
 var ActivationFailedControlMode = CustomError{Code: 135, Message: "ActivationFailed", Details: "recieved invalid control mode"}
 var DuplicateKey = CustomError{Code: 136, Message: "DuplicateKey", Details: "Key pair already exists"}
 var WiredConfigurationFailed = CustomError{Code: 137, Message: "WiredConfigurationFailed"}
+var UnsupportedAMTVersion = CustomError{Code: 138, Message: "UnsupportedAMTVersion"}
 // (150-199) Maintenance Errors
 var SyncClockFailed = CustomError{Code: 150, Message: "SyncClockFailed"}
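Review bot: UnsupportedAMTVersion is returned, in the activate.go hunk, for a configuration condition (TLS enforced on the local ports) rather than a firmware version, and it carries no Details, so an operator reading exit code 138 cannot tell which of the two applies. Its neighbours on the lines above carry a Details string; suggest `var UnsupportedAMTVersion = CustomError{Code: 138, Message: "UnsupportedAMTVersion", Details: "TLS is enforced on local ports; local activation is not supported"}`, or a dedicated error name if this code is meant to stay distinct from genuine version checks.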