Intel(R) SCS 8 Deployment Guide

Date post: 05-Apr-2018
  • 7/31/2019 Intel(R) SCS 8 Deployment Guide

    1/77

Intel Setup and Configuration Software (Intel SCS)

Deployment Guide

Version 8

Document Release Date: May 2, 201

Document Version: 1


INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.

UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR.

Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined." Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information.

The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order.

Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or go to: http://www.intel.com/design/literature.htm.

Intel Active Management Technology requires activation and a system with a corporate network connection, an Intel AMT-enabled chipset, network hardware and software. For notebooks, Intel AMT may be unavailable or limited over a host OS-based VPN, when connecting wirelessly, on battery power, sleeping, hibernating or powered off. Results dependent upon hardware, setup & configuration. For more information, visit http://www.intel.com/technology/platform-technology/intel-amt.

Intel vPro Technology is sophisticated and requires setup and activation. Availability of features and results will depend upon the setup and configuration of your hardware, software and IT environment. To learn more visit: http://www.intel.com/technology/vpro.

Systems using Client Initiated Remote Access require wired LAN connectivity and may not be available in public hot spots or "click to accept" locations. For more information on CIRA, visit http://software.intel.com/en-us/articles/fast-call-for-help-overview.

Intel, the Intel logo, and Intel vPro, are trademarks of Intel Corporation in the U.S. and/or other countries.

* Other names and brands may be claimed as the property of others.

Copyright 2012, Intel Corporation. All rights reserved.


Contents

1 Introduction .......... 5
2 Intel AMT Overview .......... 6
2.1 Intel SCS Overview .......... 6
2.2 Infrastructure Starting State .......... 7
3 Intel AMT Discovery .......... 9
3.1 Purposes and Prerequisites .......... 9
3.2 Local Query of Intel AMT Status .......... 10
3.3 Local SystemDiscovery of Intel AMT .......... 10
4 Deciding on a Configuration Path .......... 12
4.1 Why is Setup and Configuration Necessary? .......... 12
4.2 Configuration Process Overview .......... 13
4.3 Configuration Methods .......... 14
4.4 Domain User Account .......... 15
4.5 Install the Intel SCS Server Components .......... 15
5 Configuration Options .......... 17
5.1 Host-Based Configuration .......... 17
5.1.1 Create Intel AMT Configuration Profile .......... 17
5.1.2 Export the Profile and Run the ACUConfig Utility .......... 19
5.2 SMB/Manual Configuration .......... 20
5.3 Remote Configuration Using PKI .......... 22
5.3.1 Configure Certificates for Intel AMT .......... 22
5.3.1.1 Task: Get SSL Certificate for Remote Intel AMT Configuration .......... 22
5.3.1.2 Task: Export SSL Certificate for Remote Intel AMT Configuration .......... 29
5.3.1.3 Task: Import SSL Certificate for Remote Intel AMT Configuration to User Certificate Store .......... 31
5.3.2 Create and Apply Configuration Profile via Remote Configuration using PKI .......... 34
5.4 Verify the Setup and Configuration .......... 36
6 Delta Configurations .......... 37
6.1 Infrastructure Considerations .......... 37
6.2 Change Control Management .......... 40
6.2.1 Defining and Applying a Delta Configuration .......... 41
6.2.2 Changing Configuration Mode .......... 43
7 Configuration Maintenance .......... 44
8 Deployment Scenarios .......... 46
8.1 Enterprise Wired Deployment .......... 48
8.1.1 Overview .......... 48
8.1.2 Intel AMT Configuration Methods and Options .......... 48
8.2 Enterprise Wireless Deployment .......... 49
8.2.1 Overview .......... 49
8.2.2 Intel AMT Configuration Methods and Options .......... 50
8.3 Clients Outside the Enterprise .......... 50
8.3.1 Overview .......... 50
8.3.2 Intel AMT Configuration Methods and Options .......... 50
8.4 Service Provider Deployment .......... 51
8.4.1 Overview .......... 51
8.4.2 Intel AMT Configuration Methods and Options .......... 52
8.5 Permissions Required for ACUconfig and Accessing the RCS .......... 52
A Appendix A: Common Configuration Options .......... 57
A.1 Defining the Intel AMT FQDN Source .......... 57
A.1.1 Purpose of Intel AMT FQDN Value .......... 57
A.1.2 Prerequisites to Determining Intel AMT FQDN Value .......... 57
A.1.3 Defining, Applying, and Validating Intel AMT FQDN Value .......... 58
A.2 Defining Access Authorization via Intel AMT ACL .......... 58
A.2.1 Purpose of Intel AMT Access Control List .......... 58
A.2.2 Prerequisites in Determining Level of Authorization .......... 59
A.2.3 Defining, Applying, and Validating Intel AMT ACLs .......... 60
A.3 Active Directory Integration .......... 60
A.3.1 Purpose of Active Directory Integration .......... 61
A.3.2 Prerequisites and Dependencies for Active Directory Integration .......... 61
A.3.3 Defining, Applying, and Validating Intel AMT Value .......... 64
A.4 Transport Layer Security (TLS) .......... 66
A.4.1 Purpose of TLS with Intel AMT Configuration .......... 66
A.4.2 Overview and Prerequisites for TLS .......... 67
A.4.3 Environmental Preparations .......... 67
A.4.3.1 Enabling Web Enrollment for Microsoft Certificate Authority .......... 68
A.4.3.2 Granting Service Account Privileges to Microsoft Certificate Authority .......... 69
A.4.4 Defining, Applying and Validating a TLS Profile Configuration .......... 71
A.5 Wireless LAN .......... 73
A.5.1 Purpose of Intel AMT over Wireless .......... 74
A.5.2 Prerequisites for Intel AMT over Wireless .......... 74
A.5.3 Defining, Applying and Validating Intel AMT over Wireless Configuration .......... 74
A.6 Intel AMT Configuration Options Not Covered .......... 77


1 Introduction

This deployment guide is an instructional document for those new to the Intel Active Management Technology (Intel AMT) configuration process. Information provided within this deployment guide is meant to complement the Intel Setup and Configuration Software (Intel SCS) User Guide (filename Intel(R)_SCS_8.0_User_Guide.pdf, available in the Intel SCS 8 download package), and will refer to that guide for a complete listing of features and settings within Intel SCS.

Readers who want guidance on obtaining a baseline implementation of Intel AMT will benefit from reviewing this deployment guide. Once a baseline configuration is completed, the deployment guide explores common configuration options, how to amend and maintain the Intel AMT configuration, and includes common deployment scenarios.

The guide has three main components across multiple chapters and appendix sections. The structure of the guide is as follows:

- Foundational Concepts: Chapters 2 through 5 introduce Intel AMT, how to discover whether Intel AMT exists on a system, and common configurations of Intel AMT via Intel SCS.
- Production Planning: Chapters 6 through 8 focus on how to extend an existing configuration of Intel AMT, configuration maintenance considerations of Intel AMT, and common deployment scenarios.
- Common Configuration Options: The appendix sections include common configuration options for Intel AMT. The purposes, prerequisites, and examples provide you with a core understanding of frequently used options.

You are encouraged to complete the Foundational Concepts before exploring the other sections of this deployment guide. Less common configuration options for Intel AMT are outside the scope of this guide, and you are encouraged to review the Intel SCS User Guide or related resources for further information.


2 Intel AMT Overview

Intel AMT provides out-of-band management within the physical chipset of a client computer. It is a component of the Intel Management Engine (Intel ME). The simplified diagram shown below is a summary of how Intel AMT works. In wired mode on the corporate network, Intel AMT traffic shares the same physical network interface as the host operating system.

Figure 1: Intel AMT communication overview

Communications to Intel AMT commonly occur on the same IP address, specifically when the system is using DHCP-issued IPv4 addresses. Once Intel AMT is in a configured and operational state, network traffic on ports 16992-16995 is directly intercepted by Intel AMT within the chipset before being passed to the host operating system.

In wired mode, the Intel AMT traffic occurs below the operating system and the client firewall. If the host operating system is not available, Intel AMT will continue to operate as long as power is attached and a network connection is present.
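The point that ports 16992-16995 are answered inside the chipset, below the host operating system and its firewall, has a practical consequence for monitoring: the host cannot see or log this traffic itself, so visibility has to come from the network (switch, firewall or flow collector). The following is an added example, not code from this guide or from Intel SCS: a small Python audit over flow records that flags AMT-port traffic from anything other than the known Intel RCS server or management console, and lists hosts receiving AMT-port traffic that are not in the inventory built during the discovery step. The record format (timestamp, source, destination, destination port, protocol), all addresses, and the authorized-manager and inventory sets are constructed for the example.

```python
"""Audit network flow records for Intel AMT management traffic.

Added example for this guide; not Intel code. Intel AMT answers on TCP
ports 16992-16995 inside the chipset, so the host OS and its firewall
never see that traffic. The only place to watch it is a switch, firewall
or NetFlow/IPFIX collector. The record format used here
(timestamp src dst dst_port proto) and all addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Ports the guide says Intel AMT intercepts once configured, with their
# roles: 16992 HTTP, 16993 HTTPS, 16994 redirection, 16995 redirection/TLS.
AMT_PORTS = {
    16992: "HTTP",
    16993: "HTTPS",
    16994: "redirection",
    16995: "redirection over TLS",
}

# Constructed flow records: one per line, whitespace-separated fields.
FLOW_LOG = """\
2012-05-02T10:00:01Z 10.0.0.5    10.0.1.20 16993 TCP
2012-05-02T10:00:03Z 10.0.0.5    10.0.1.21 16992 TCP
2012-05-02T10:00:07Z 10.0.0.99   10.0.1.20 16992 TCP
2012-05-02T10:00:09Z 192.168.7.3 10.0.1.22 16994 TCP
2012-05-02T10:00:11Z 10.0.0.5    10.0.1.20 443   TCP
2012-05-02T10:00:12Z 10.0.0.5    10.0.1.23 16995 UDP
"""

# Constructed: the Intel RCS server / management console that may
# legitimately talk to Intel AMT, and the clients known from the
# SystemDiscovery step to carry Intel AMT.
AUTHORIZED_MANAGERS = {ipaddress.ip_address("10.0.0.5")}
KNOWN_AMT_CLIENTS = {ipaddress.ip_address(a)
                     for a in ("10.0.1.20", "10.0.1.21", "10.0.1.22")}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    port: int
    reason: str


def parse_flow(line):
    """Split one constructed record into typed fields."""
    ts, src, dst, port, proto = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto


def amt_flows(log_text):
    """Yield only the parsed records whose destination port is an AMT port."""
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_flow(raw)
        if rec[3] in AMT_PORTS:
            yield rec


def audit_amt_flows(log_text, authorized=AUTHORIZED_MANAGERS):
    """Flag AMT-port traffic that is not TCP or not from an authorized manager."""
    findings = []
    for ts, src, dst, port, proto in amt_flows(log_text):
        if proto != "TCP":
            findings.append(Finding(ts, str(src), str(dst), port,
                                    f"non-TCP traffic to AMT port ({proto})"))
        elif src not in authorized:
            findings.append(Finding(ts, str(src), str(dst), port,
                                    f"unauthorized source on AMT {AMT_PORTS[port]} port"))
    return findings


def unknown_amt_targets(log_text, known=KNOWN_AMT_CLIENTS):
    """Destinations receiving AMT-port traffic that are not in the AMT inventory.

    Such a host either carries Intel AMT that was not inventoried or is
    receiving management traffic it should not; both deserve a look.
    """
    return sorted({str(dst) for _, _, dst, _, _ in amt_flows(log_text)
                   if dst not in known})


if __name__ == "__main__":
    for f in audit_amt_flows(FLOW_LOG):
        print(f"{f.timestamp} {f.src} -> {f.dst}:{f.port} {f.reason}")
    print("AMT-port traffic to hosts outside inventory:", unknown_amt_targets(FLOW_LOG))
```

Run against the constructed records, the audit flags the two flows from sources other than the RCS server and the UDP flow to 16995, and reports 10.0.1.23 as an AMT-port destination missing from the inventory. In production the same two checks run over the collector's export, with the authorized set limited to the RCS server and consoles and the inventory fed from the SystemDiscovery output.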

2.1 Intel SCS Overview

Intel SCS enables the initial setup, configuration changes, and configuration maintenance of systems where Intel AMT is present. To ensure Intel AMT is properly configured only for the target environment, the firmware is commonly delivered in an unconfigured state. Intel SCS allows you to complete the setup and configuration process, which enables access to the Intel AMT features.


After configuration, systems can be managed via software solutions that include support for Intel AMT.

Intel SCS can be obtained at http://www.intel.com/go/scs.

2.2 Infrastructure Starting State

In order to assist you with a baseline implementation of Intel AMT, this deployment guide assumes an initial starting state environment. Three key components will be required. For initial setup purposes a closed wired network is recommended:

- Infrastructure Services: Microsoft* Active Directory Domain Controller with DHCP and DNS services.
- Intel RCS server: System for Intel Remote Configuration Service (RCS).
- Intel AMT client: Network wire connected client system.

The summary architecture diagram below shows the starting state for the purposes of this deployment guide.

Figure 2: Summary Architecture Diagram

For initial testing or portable demonstration environment purposes, the above architecture can be simplified using two directly connected systems as shown below. The server on the left hosts a single virtual machine environment with the Infrastructure and Intel RCS server components. The client on the right is an Intel AMT capable system. The client system is directly connected to the server via a network cable. The server has a static IP address, as required by the Infrastructure Services, and the client is assigned a dynamic IP address.

Figure 3: Simplified or Portable Demonstration Environment (server environment with the infrastructure components AD, DNS, DHCP and Intel RCS, connected to an Intel AMT laptop)


3 Intel AMT Discovery

This section addresses common methods to detect Intel AMT locally on the system, with brief references on how to collect the information centrally.

3.1 Purposes and Prerequisites

The primary objective of this section is to determine which platforms have Intel AMT, their current configuration state, and their specific firmware version. Knowing the exact Intel AMT versions in the environment will assist in determining what configuration approach is appropriate, in addition to the available platform capabilities.

Many client management solutions that are Intel AMT capable have a base inventory capability that is commonly dependent upon the Intel Management Engine Interface (Intel MEI) driver. The locally obtained Intel AMT information shared in this section can be especially helpful if the Intel MEI driver is missing or if no solution exists in the environment to detect and inventory Intel AMT capable systems.

Before you begin, make sure the complete Intel SCS package has been downloaded and extracted to the target environment. Intel SCS can be downloaded at http://intel.com/go/scs.

Copy the Configurator directory, selected in the example below, to the Intel AMT client.

Figure 4: The Configurator Directory


3.2 Local Query of Intel AMT Status

On the Intel AMT client system, open a command prompt to the Configurator directory. For systems running Microsoft Windows Vista, Microsoft Windows* 7, or newer operating systems, the command prompt must be opened with elevated privileges due to interaction with a kernel level driver. This is done by right clicking on the command prompt icon and selecting Run as Administrator.

Run the following command to determine the current Intel AMT configuration state. Refer to the Intel SCS User Guide section Verifying the Status of an Intel AMT System for more information.

    ACUconfig.exe /output console status

Figure 5: The ACUconfig Command

In the above example, the output of the ACUconfig.exe Status command shows:

- Intel AMT version 7.1.30
- System is currently unconfigured
- Expected mode of configuration is PKI
- System supports host-based configuration
- Current Intel AMT configuration state is Pre-Provision

For a single system, the information provided by the Status command gives a simple view of the Intel AMT configuration state. If additional information is required or needs to be obtained across multiple systems in the environment, the SystemDiscovery command may be preferred.

3.3 Local SystemDiscovery of Intel AMT

Additional information about Intel AMT can be captured to a local file or the Windows registry using the SystemDiscovery command, as explained in the Discovering Systems section of the Intel SCS User Guide.

At the same command prompt, run the following:

    ACUconfig.exe SystemDiscovery


As explained in the Intel SCS User Guide, the resulting data provides more in-depth information about the Intel AMT platform in a format which can be centrally collected via custom inventory solutions. The following example shows the resulting XML file in the Configurator directory along with a preview of the file contents. The combined information is helpful with initial configuration and troubleshooting when needed.

Figure 6: XML File Generated by ACUconfig


4 Deciding on a Configuration Path

This section helps you understand the Intel AMT Discovery data and determine which of the common Intel AMT configuration methods is most appropriate for your situation:

- Host-Based Configuration
- Remote Configuration using Public Key Infrastructure (PKI)
- SMB\Manual Configuration

At the conclusion of this section, the server component of Intel SCS will be installed.

4.1 Why is Setup and Configuration Necessary?

The factory default state for Intel AMT firmware is unconfigured and unusable. This is important to ensure unauthorized users cannot access the features of Intel AMT. It also means that before authorized system administrators can use Intel AMT's powerful management features, they must first set up and configure Intel AMT.

There are three main purposes of setup and configuration:

- Securely deliver a profile to the target client firmware
- Ensure that only intended users have access to managed clients
- Enable Intel AMT features and specify their behavior

Establishing initial trust for configuration must be accomplished between the Intel AMT firmware and the target environment.


4.2 Configuration Process Overview

The following diagram is a simplified overview of the Intel AMT configuration process for enterprise deployment. Some steps of the process will vary for individual environments and configuration methods. Intel AMT starts in an unconfigured state and gets an IP address from the infrastructure. The previous chapter summarized local Intel AMT discovery techniques to identify key characteristics including the Intel AMT version. Review of the discovered data in connection with configuration approaches is the next step of this guide. Once you select a configuration approach, you will then create a configuration profile, initiate the configuration process, apply the settings, and validate the configuration.

Figure 7: Configuration Process Overview


4.3 Configuration Methods

This guide summarizes three common approaches to establish initial trust for the purposes of Intel AMT configuration. The decision flow below provides a simplified view of selecting a particular configuration approach. All approaches result in a configured Intel AMT state. More information is available in the Configuration Methods and Intel AMT Versions and Control Modes sections of the Intel SCS User Guide.

Figure 8: Choosing a Configuration Method (decision flow recovered from the figure text: Start; Determine Intel AMT Version; Intel AMT Version 6.2?; Client Control Mode Ok?; Yes on both leads to Host-Based Configuration; otherwise Physically Touch each system?, where Yes leads to SMB\Manual Configuration and No leads to Remote Configuration using PKI)

Determining your preferred approach will vary based on the needs of the environment. Host-Based Configuration is often recommended for ease of deployment and the least number of infrastructure changes. For lab testing or small office deployment purposes, the SMB\Manual method may be preferred. For production post-deployment configuration of Intel AMT across a variety of firmware versions, Remote Configuration using PKI may be preferred.


4.4 Domain User Account

For the purposes of this deployment guide, a defined Domain User Account will be used. In the example below, a suggested domain account AMTconfigservice was created.

Figure 9: Create a Domain User Account

The account will be used to log on as a Service, as well as be a Local Administrator on the server where Intel SCS is installed, and more. For a complete listing of permissions and rights access for this Domain User Account and other accounts which can be used to access the Intel SCS services, refer to the sections of the Intel SCS User Guide on RCS User Access Account Requirements and User Permissions Required to Access the RCS.

4.5 Install the Intel SCS Server Components

Intel SCS is comprised of multiple components, as summarized in the Intel SCS Components section of the Intel SCS User Guide. For the initial purposes of this deployment guide, Intel SCS will be installed in Non-Database Mode with the Remote Configuration Service (RCS) and Console loaded on the server. More information is available in Selecting the Type of Installation in the Intel SCS User Guide.

The following summarized steps rely upon the Setting up the RCS section of the Intel SCS User Guide. To complete these steps, the Domain User Account amtconfigservice which you previously created will be used.

1. Make this service account a local administrator on the server that will run the Intel Remote Configuration Service (RCS).
2. Log in to the server and launch Server Manager. Expand Configuration > Local Users and Groups. Right click on Administrators and select Add to Group.


3. Open the RCS folder and select IntelSCSInstaller.exe.
4. At the Welcome screen, retain the default options. Unselect the Database options, and retain the selections for Service and Console.
5. Accept the License agreement.
6. When prompted for a Service Logon Authentication, use the AMTConfigService account.

Figure 10: Intel SCS Login

7. Accept the remaining default selections, including Launch the Intel SCS Console.


5 Configuration Options

This section provides step-by-step instructions for each of the three setup and configuration methods to achieve a baseline level of configuration so that you can begin using Intel AMT.

Note: Each of the following subsections is an alternative method. Choose one method based on your environmental analysis in the previous section.

5.1 Host-Based Configuration

This section provides step-by-step instructions for configuring your managed client using Host-Based Configuration.

5.1.1 Create Intel AMT Configuration Profile

1. Within the Intel SCS Console, click the icon to create a new profile.
2. In the Configuration Profile Wizard window, change the Profile Name to HBPProfile.
3. Click Next.
4. Leave all Optional Settings unselected.
5. Click Next.


6. In the System Settings screen, provide settings similar to the following. For more information on the password format requirements, see Password Format in the Intel SCS User Guide.

   - RFP Password: P@ssw0rd
   - Enable option: ME will go into lower power state when idle
   - Set Timeout if Idle to 65535
   - MEBx Password: P@ssw0rd
   - Intel AMT Admin Password: P@ssw0rd
   - Enable Intel AMT to respond to ping requests

Figure 11: System Settings Screen

7. Click OK, Next, and Finish to complete the profile.
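Step 6 refers to the Password Format section of the User Guide for what the MEBx and Intel AMT admin passwords may contain, and uses P@ssw0rd only as a placeholder value. Passwords intended for a real profile can be checked against those rules before the profile is created, and per-profile passwords can be generated rather than typed. The following is an added example, not code from this guide or from Intel SCS; the rules it encodes (8 to 32 characters; at least one digit, one uppercase and one lowercase Latin letter, and one 7-bit ASCII non-alphanumeric character; no double quote, comma or colon) are this editor's reading of Intel's published format and should be confirmed against the User Guide for the firmware version you deploy.

```python
"""Check Intel AMT / MEBx passwords against the strong-password rules
before placing them in a configuration profile.

Added example, not code from the Intel guide. The rules below are an
assumption based on Intel's documented password format; verify them
against the Password Format section of the Intel SCS User Guide.
"""
import secrets
import string

MIN_LEN, MAX_LEN = 8, 32
FORBIDDEN = set('",:')                       # characters the format excludes
SPECIALS = set(string.punctuation) - FORBIDDEN  # counted as "special"


def password_problems(pw: str) -> list:
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length {len(pw)} not in {MIN_LEN}..{MAX_LEN}")
    # Only printable 7-bit ASCII without space (0x21..0x7E) is accepted.
    if any(not 0x21 <= ord(c) <= 0x7E for c in pw):
        problems.append("contains space, control or non-7-bit-ASCII character")
    bad = sorted(FORBIDDEN & set(pw))
    if bad:
        problems.append("contains forbidden character(s): " + " ".join(bad))
    if not any(c in string.digits for c in pw):
        problems.append("no digit")
    if not any(c in string.ascii_uppercase for c in pw):
        problems.append("no uppercase letter")
    if not any(c in string.ascii_lowercase for c in pw):
        problems.append("no lowercase letter")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    return problems


def is_valid_amt_password(pw: str) -> bool:
    return not password_problems(pw)


def generate_amt_password(length: int = 16) -> str:
    """Generate a random password that satisfies the rules above.

    Intended as a per-profile replacement for a shared sample value such
    as the guide's P@ssw0rd. Draws from the CSPRNG and retries until all
    character-class requirements are met.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be in {MIN_LEN}..{MAX_LEN}")
    alphabet = string.ascii_letters + string.digits + "".join(sorted(SPECIALS))
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_valid_amt_password(pw):
            return pw


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "password", 'P@ss,w0rd', "Passw@rd"):
        print(f"{candidate!r}: {password_problems(candidate) or 'ok'}")
    print("generated:", generate_amt_password())
```

The sample P@ssw0rd passes the format check, which is exactly why the check alone is not enough: the same value in every profile and in the MEBx of every system is the weakness, not its format. Generate the MEBx and admin passwords per profile, store them with the profile XML under the same access controls, and keep the format check in the tooling that builds profiles so a rejected value is caught before configuration reaches the client.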


5.1.2 Export the Profile and Run the ACUConfig Utility

Perform the following steps:

1. In the Intel SCS console, select the HBPprofile and click Export to XML.
2. Save the profile XML file to a location accessible by the client without encrypting or defining domain credentials.

Figure 12: Export Profile to XML File

3. Copy the HBPprofile.xml file to the Configurator directory on the target client system.

   Note: See section 3.1, Purposes and Prerequisites above if the Configurator directory is not already on the client.

4. Open a command prompt on the client, using Run as Administrator.
5. Change to the Configurator directory.
6. Run the following command on the client:

       ACUconfig ConfigAMT HBPprofile.xml

   Note: The Configurator directory with the exported configuration profile and command can be sent to all Host-Based Configuration capable systems in the target environment.


7. When the Intel Management and Security Status (IMSS) dialog appears, the Intel Management Engine (Intel ME) configuration is complete.

Figure 13: IMSS Screen

Note: The ConfigAMT command is commonly used during the Unified Configuration Process, which is further explained in the Intel SCS User Guide.

At this point, proceed to section 5.4, Verify the Setup and Configuration.

5.2 SMB/Manual Configuration

Detailed instructions for performing SMB/Manual Configuration are provided in the Intel SCS User Guide, Chapter 4 Using the Console, section titled Defining Manual Configuration (Multiple Systems). The following is a summarized version.

1. Insert a blank USB key into the computer where the Intel SCS console is loaded.
2. On the Intel SCS console, select Tools > Prepare a USB Key for Manual Configuration.
3. Enter the desired settings for your environment. The Intel SCS User Guide provides a good explanation of the options, in addition to the following guidance:

   - For Intel AMT systems 4.x to 6.x, use All systems are Intel AMT 6.0 or higher.
   - The resulting USB key with setup.bin file must meet the configuration requirements as stated. For mixed environments, a separate setup.bin file must be created for each type of configuration. For example, if some systems are desktops with Intel AMT 7.x, this will require a different setup.bin file from systems that are Intel AMT 6.x and mobile.


Figure 14: Manual Configuration Settings

4. After the USB key has been initialized with the generated setup.bin file, insert the USB key into the target Intel AMT system.
5. Power on the system; during the pre-boot system check a prompt will be displayed to configure Intel AMT.
6. Press Y to accept the configuration. Once the configuration is applied, remove the USB key and complete the system boot process.

Figure 15: Configuration Confirmation Prompt

7. At this point, proceed to section 5.4, Verify the Setup and Configuration.


5.3 Remote Configuration Using PKI

This section provides step-by-step instructions for configuring your managed client via Remote Configuration using Public Key Infrastructure (PKI). Remote Configuration consists of the following high-level steps:

- Configure Certificates for Intel AMT
- Export the Certificates to the Client
- Import the Certificates in the context of the Intel AMT service user
- Create a Remote Configuration profile in the Intel SCS console
- Run the ACUConfig command on the managed client using the certificate and profile you created in the previous steps

These high-level steps are explained in detail in the following subsections.

5.3.1 Configure Certificates for Intel AMT

This section provides step-by-step instructions for obtaining and configuring certificates for Intel AMT. Additional information is available in the Intel SCS User Guide under the section Setting up Remote Configuration.

Note: If you are planning to create an internal self-signed remote configuration certificate, remember that the custom root certificate hash must be applied to each Intel AMT system. Before pursuing creation of your own remote configuration certificate, consider using SMB\Manual Configuration or Host-Based Configuration to minimize the number of steps required to complete the configuration task.

5.3.1.1 Task: Get SSL Certificate for Remote Intel AMT Configuration

An SSL certificate is used to establish initial trust between your Intel AMT clients and Intel RCS when initiating client configuration. All Intel AMT systems have root hashes for defined vendors (VeriSign, GoDaddy, Comodo, Starfield, Entrust, Cybertrust, etc.) embedded in the firmware. Therefore, a certificate from one of these vendors is required to configure Intel AMT clients. This single certificate is completely separate from the one-per-client TLS certificates that will be issued by your Microsoft Certificate Authority.

Note: This SSL certificate is commonly referred to as the Remote Configuration Certificate. Different versions of Intel AMT will vary as to what root certificate hashes are in the firmware. More information is available via the Certificates links at the Intel SCS download page (http://www.intel.com/go/scs).
Getting the SSL certificate is a three-step process:

- Create a certificate signing request.
- Complete the certificate request.
- Export the SSL certificate so that it can be used in Intel AMT configuration.

To start the process, generate a certificate signing request (CSR). The following example uses Microsoft Internet Information Services* (IIS) in a Microsoft Windows 2008 Server environment.

1. Log in to a server with IIS installed. Launch Server Manager, expand Roles > Web Server (IIS) and select Internet Information Services (IIS) Manager. Select your server in the Connections column and open Server Certificates.

Figure 16: IIS Manager Screen

2. In the Actions column, select Create Certificate Request.

Figure 17: Server Certificates Screen

3. Complete the Certificate Request wizard. Be sure that the Common Name field includes the correct DNS suffix as defined by the DHCP option 15 value for your environment. This can be verified on clients by running ipconfig and looking at the connection-specific DNS suffix.

4. Once the fields are completed similar to the example below, click Next to proceed.

Figure 18: Distinguished Name Properties Screen

Note: The Organization unit value must be set to Intel(R) Client Setup Certificate. This value must be entered exactly as shown in this note.

5. In the Cryptographic Service Provider Properties screen, use the default values of Microsoft RSA SChannel Cryptographic Provider with Bit length of 2048. Click Next to proceed.

Figure 19: Cryptographic Service Provider Properties

Note: The bit length can be 1024 or 2048. Most Certificate Authorities will prefer 2048 bit length.
6. In the File Name screen, give the certificate request a name and save it on the Desktop. Then click Next to proceed.

Figure 20: File Name Screen

7. The resulting file can be sent to an approved certificate authority, and they will provide a certificate response file.

Note: For more information on valid Certificate Authorities, see http://communities.intel.com/docs/DOC-1277

8. When the certificate authority provides a certificate response file, go back into IIS and select Complete Certificate Request.

Figure 21: Server Certificates Screen
9. In the Certificate Authority Response screen, select the file that was provided by the external certificate authority. Give the certificate a friendly name (AMT Remote Configuration Certificate is used in this example). Click OK to proceed.

Figure 22: Specify Certificate Authority Response Screen

10. The SSL certificate will now appear in IIS.

Figure 23: The SSL Certificate Appears

Note: You must also have valid root and intermediate certificates from the external CA. If not already present on your system, contact your certificate authority.

11. Double-click on the certificate to open it and visually inspect it, ensuring key properties and settings have been applied.
12. The General tab will show the certificate is valid for specific purposes with a clear statement of "You have a private key that corresponds to this certificate."

Figure 24: General Tab of Certificate Properties

13. Select the Details tab. Select the Subject under the Field column. The CN value must show the expected DNS suffix as aligned to your DHCP option 15 value used within the environment. The OU value must show Intel(R) Client Setup Certificate.

Note: The OU value may be different for certificates signed by Comodo. Comodo certificates use a specific OID value to designate an Intel(R) Client Setup Certificate.
Figure 25: Details Tab of Certificate Properties

Note: An additional validation step is to confirm the root certificate thumbprint hash value against the list of known root certificates stored within the Intel AMT firmware. If the previous two validation points are correct, the root certificate is commonly valid.

14. Click OK to close the certificate. Close IIS to complete this process.
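The visual inspection in steps 12 through 14 can also be scripted. The following PowerShell function is an added example, not part of the Intel guide, that reads the certificate from the Local Computer Personal store by its friendly name and checks the same points: private key present, OU text, CN suffix against the DHCP option 15 domain, chain buildable from the installed intermediates, and the root thumbprint for comparison with the firmware hash list. The friendly name and DNS suffix are assumed inputs.

```powershell
# Added example (not from the Intel SCS guide). Run on the IIS server where the
# certificate request was completed, in an elevated PowerShell session.
function Test-AmtRemoteConfigCert {
    [CmdletBinding()]
    param(
        # Friendly name given in step 9, e.g. 'AMT Remote Configuration Certificate'
        [Parameter(Mandatory)] [string] $FriendlyName,
        # Connection-specific DNS suffix handed out as DHCP option 15, e.g. 'vprodemo.com'
        [Parameter(Mandatory)] [string] $DnsSuffix
    )

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $FriendlyName } |
        Select-Object -First 1
    if (-not $cert) {
        throw "No certificate with friendly name '$FriendlyName' in Cert:\LocalMachine\My"
    }

    # Format($true) yields one RDN per line (CN=..., OU=..., O=...). This is safer than
    # splitting the subject on commas, because attribute values may contain commas.
    $rdn = @{}
    foreach ($line in ($cert.SubjectName.Format($true) -split "`r?`n")) {
        if ($line -match '^\s*([A-Za-z0-9.]+)=(.*)$') { $rdn[$matches[1]] = $matches[2].Trim() }
    }
    $cn = $rdn['CN']
    $ou = $rdn['OU']

    # Build the chain from the root and intermediate certificates installed on this
    # server (see the note after step 10). Revocation checking is skipped so the test
    # also works on an isolated lab network.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainBuilt = $chain.Build($cert)
    $rootThumbprint = $null
    if ($chain.ChainElements.Count -gt 0) {
        $rootThumbprint = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
    }

    [pscustomobject]@{
        Thumbprint      = $cert.Thumbprint
        Subject         = $cert.Subject
        HasPrivateKey   = $cert.HasPrivateKey                                    # step 12
        NotExpired      = ($cert.NotAfter -gt (Get-Date))
        CnMatchesSuffix = ($cn -eq $DnsSuffix) -or ($cn -like "*.$DnsSuffix")    # step 13
        # Comodo-issued certificates mark this purpose with an OID instead of the OU
        # text, so $false here is expected for them (see the note after step 13).
        OuIsClientSetup = ($ou -eq 'Intel(R) Client Setup Certificate')
        ChainBuilt      = $chainBuilt
        ChainStatus     = (@($chain.ChainStatus) | ForEach-Object { $_.Status }) -join ','
        # Compare against the root hashes published for your Intel AMT versions
        # (Certificates links at http://www.intel.com/go/scs).
        RootThumbprint  = $rootThumbprint
    }
}

# Usage (the values are placeholders taken from this guide's example environment):
# Test-AmtRemoteConfigCert -FriendlyName 'AMT Remote Configuration Certificate' -DnsSuffix 'vprodemo.com'
```

Any field reporting $false other than OuIsClientSetup on a Comodo certificate means the certificate will not be accepted for remote configuration and should be corrected before the export in the next subsection.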
The SSL certificate must now be exported so that it can be imported into the server where Intel RCS will be installed.

1. To export the SSL certificate, launch MMC and add the Certificates snap-in (choose Computer Account). Expand Certificates (Local Computer) > Personal and select Certificates. Then right-click on the certificate and choose All Tasks > Export.

Figure 26: Export Certificate

Note: Do not export the certificate from IIS, as the full certificate chain may not be included.

2. In the Export Private Key screen, choose Yes, export the private key. Click Next to proceed.

Figure 27: Export Private Key Screen
3. In the Export File Format screen, select Personal Information Exchange - PKCS #12 (.PFX). Select the options Include all certificates in the certification path if possible and Export all extended properties. Click Next to proceed.

Figure 28: Export File Format Screen

4. In the Password screen, enter a strong password. Click Next to proceed.

Figure 29: Password Screen

5. In the Certificate Export Wizard screen, provide the path and file name for the resulting PFX file. In the example below, the file will be saved to the desktop of the server.

Figure 30: File to Export Screen
6. In the Completing the Certificate Export Wizard screen, choose Finish to complete the process.

The remote configuration certificate must be installed in the correct user certificate store on the server that is running the Intel Remote Configuration Service. The previously created service account will be used in this example.

1. To ensure the certificate is placed in the correct personal certificate store, open Microsoft Management Console (MMC) using the following command:

runas /user:vprodemo\AMTConfigService mmc.exe

Figure 31: Runas Command

Note: In this example the domain is vprodemo. Adjust the command according to your domain and environment.

2. The user's password can then be entered into the command window that appears.

3. Add the Certificates snap-in with My user account selected and click Finish to proceed.

Figure 32: Certificates snap-in Screen
4. In the Microsoft Management Console, expand Certificates - Current User and select Personal. Then right-click and select All Tasks > Import.

Figure 33: Import Certificates

5. In the Welcome to the Certificate Import Wizard screen, click Next to proceed.

6. In the File to Import screen, browse to the exported remote configuration certificate (AMT_configuration_cert.pfx in this example). Click Next to proceed.

Figure 34: File to Import Screen

Note: If the certificate file is not in the user profile path, remember that you are running MMC as the service account. You may need to browse to another location (e.g. the desktop of your administrator's account) to find the certificate file.

7. In the Password screen, enter the password and also select Include all extended properties.

Note: Enable Strong Private Key Protection must not be selected. If selected and unchangeable, check the group policy settings for the server.
8. Click Next to proceed.

Figure 35: Password Screen

9. In the Certificate Store screen, select Automatically select the certificate store based on the type of certificate. Click Next to proceed.

Figure 36: Certificate Store Screen

10. On the Completing the Certificate Import Wizard screen, click Finish to proceed.

11. The certificate will now appear in the certificate store.

Figure 37: The Certificate Appears in Store
12. At this point, proceed to section 5.4, Verify the Setup and Configuration.

1. Within the Intel SCS Console, click the icon to create a new profile.

2. In the Configuration Profile Wizard window, change the Profile Name to ACMProfile.

3. Click Next.

4. Leave all Optional Settings unselected.

5. Click Next.

6. In the System Settings screen, provide settings similar to the following. For more information on the password format requirements, see Password Format in the Intel SCS User Guide.

- RFB Password: P@ssw0rd
- Enable option: ME will go into lower power state when idle
- Set Timeout if Idle to 65535
- MEBx Password: P@ssw0rd
- Intel AMT Admin Password: P@ssw0rd
- Enable Intel AMT to respond to ping requests

Figure 38: System Settings Screen

7. Click OK, Next, and Finish to complete the profile.

8. On the target client system with the Configurator directory, open a command prompt using Run as Administrator.

9. Run the following command (immediately following the note below) using the name or IP address of the server where Intel RCS was installed.

Note: The sample command includes the Domain User used as the logon account for RCSserver. More information will be shared in the Appendix on network accounts and permissions required for communications between ACUconfig and RCSserver.

ACUconfig.exe ConfigViaRCSonly 192.168.0.15 ACMprofile /WMIuser vprodemo\AMTconfigService /WMIuserpassword P@ssw0rd

Note: More information on the ACUconfig.exe ConfigViaRCSonly command is available in the Configuring Systems Using the RCS section of the Intel SCS User Guide.

10. At this point, proceed to section 5.4, Verify the Setup and Configuration.

To verify configuration of Intel AMT on the managed client, do the following:

1. On the client, open a command prompt to the Configuration directory using Run As Administrator.

2. Run the following command:

ACUconfig /output console status

3. The sample screen below shows the system is configured in Admin Control Mode.

Figure 39: Sample Screen

4. On the Intel SCS console system, open a web browser.

5. In the address box, enter the URL for the client's Intel ME WebUI, shown below:

http://hostname:16992

6. If the login page displays, the Intel ME on the managed client is configured.

Figure 40: Intel AMT Web UI Login

7. Click Log On.

8. Enter user admin with the password used in configuration. Following the example above, the password was P@ssw0rd.

A delta configuration is one that is modified from the baseline configuration described in the preceding foundational sections of this deployment guide. The intent of this section is to expand the scope of the Intel AMT configuration to include features and capabilities beyond the initial configuration. For a production deployment, the additional configuration options shown can be applied in a single profile when using Host-Based or Remote Configuration via PKI approaches.

A key phrase to remember is "Once configured, Intel AMT is a network service awaiting an authenticated and authorized request."

This implies that Intel AMT must be able to exist on a network whether or not the host operating system is available. Within the Intel Management Engine (Intel ME) of the chipset, if Intel AMT is present and configured, a small network communications stack is present and able to maintain communications with the network. For Intel AMT to be a network service, key features must be configured specific to the target environment. In addition, some Intel AMT capable management applications will expect specific configuration options to be set within the Intel AMT firmware and network settings.

The diagram below provides a summary of key infrastructure considerations when configuring and deploying Intel AMT in an environment. Some of the options are configurable; other options are inherently built into the technology and not customizable.

Figure 41: Considerations for Intel AMT network communications

More detail on each quadrant is provided below:

Network Interface

Wired LAN within a corporate environment is preferred and often is the required interface for initial configuration. Since Intel AMT sees traffic below the operating system, certain environmental variables can be set to designate internal versus external traffic. The received DHCP option 15 value compared with the configured Home Domains designates whether Intel AMT network communications are allowed.

Wireless LAN, specifically 802.11 a/b/g/n, is supported and can also be used for delta configuration changes. Network security settings are required along with defining or replicating the wireless profile into the firmware. If a wireless LAN requires user intervention for access, Intel AMT may be unable to negotiate a connection.

All communications occur across IANA.org registered ports for Intel AMT, specifically 16992-16995.

Network Protocol

By default, Intel AMT shares the same physical network interface as the host operating system. DHCP IPv4 addresses are shared, with only the destination port differentiating how traffic is routed within the chipset.

Static IP is supported and will require additional setup and configuration.

Intel AMT will have an IP address on the network and respond to traffic even when the host operating system is unavailable. For optimal experience in an IPv4 environment, it is recommended that Intel AMT have the same FQDN as the host operating system, helping to ensure DHCP leases and DNS resolution are correct. Exceptions may occur for environments with disjointed namespaces. Correct IP address resolution is required, with most applications expecting internal DNS solutions to correctly resolve the target FQDN to an IP address. In some circumstances, Intel AMT may have an IP address yet the requesting application is unable to identify the correct address.

Most Intel AMT communications are initiated by a requesting application over TCP/IP based communication. Intel AMT is a service awaiting an authenticated request. In certain situations, such as a hardware alert, Intel AMT will send out a message via SNMP or WS-Event.

IPv6 is supported on Intel AMT 6.x and higher versions. Currently, Intel AMT requires a unique IPv6 address, different from the host operating system. Correct resolution of FQDN-to-IP is an important consideration when using IPv6 with Intel AMT.

Authentication and Authorization

All inbound Intel AMT session requests must be authenticated and authorized. Within the Intel AMT firmware settings is an Access Control List (ACL). Authentication occurs via MD5 Digest or Kerberos. Authorization is defined by access to realms or capabilities within the firmware. See section A.2, Defining Access Authorization via Intel AMT ACL, in Appendix A.

User consent refers to the graphics overlay screen with 6 random digits. This is commonly used for KVM Remote Control as defined by the configuration profile. Intel AMT platforms configured via Host-Based Configuration will also require User Consent for boot redirection actions.

Network Security

Intel AMT communications can be secured and encrypted via Transport Layer Security (TLS). TLS will also authenticate the session. With Intel AMT as the "service", a TLS certificate with private key is created for each Intel AMT device and stored in its firmware. The certificate is issued to the FQDN value obtained as defined in the configuration profile.

Intel AMT devices can be set to ONLY communicate with defined consoles or requesting applications via Mutual TLS. In summary, in addition to the requesting application establishing a TLS session with Intel AMT, the Intel AMT device establishes a TLS session with the requesting application. This configuration is not common and is rarely supported by Intel AMT capable applications.

Environments that require port authentication or secure Wireless Access Point communications will commonly have a form of 802.1x. For Intel AMT to operate on an 802.1x enabled network, it must be configured with the correct posture information. Additional configuration settings can be applied for environments using Endpoint Access Control (EAC).

WPA/WPA2 refers to industry standard wireless security and protection. This is required for Intel AMT operations over wireless, and can be defined within the Intel AMT configuration profile.

Trusted Domains provides a list of home domains for Intel AMT to correctly detect to which environment it is connecting. Trusted Domains refers to the DHCP option 15 value returned with a DHCP lease reply. If no match is found based on the domain list configured into Intel AMT, the firmware network interface will be closed. This is called Environment Detection.

Remote Access refers to the Intel AMT ability to connect over the Internet to a defined Management Presence Service. This connection can occur on demand, per a defined schedule, or when a hardware alert occurs, per the configuration of Intel AMT.

Admittedly, the information outlined above can be somewhat intimidating. Therefore, it is recommended that, especially for initial trial implementations, you start with the basics, including defining a password for the Intel AMT admin account and using DHCP IPv4 (the default option). This approach is covered in the earlier sections of the guide. Adding the security layers, Kerberos authentication, wireless settings, or use of configuration options outside of the base Out-of-Band Management configuration interface is not recommended for first-time users of Intel AMT. You are encouraged to start with the baseline configuration covered earlier before pursuing common configuration options or more advanced materials.

See the Appendix sections of this guide for information on how to configure the most common options as experienced in production environments. Each Appendix section provides an overview of the purpose of the configuration option, the reason and commonality in using the option, key prerequisites, references to the Intel SCS User Guide for additional information, and a summary explanation of how to apply the configuration.

Before adjusting the Intel AMT configuration, identify applications used in connection with Intel AMT. Changes to a single configuration option such as authentication, encryption, or other settings specific to requesting applications may disrupt existing solutions.

A simple example is shown below with the Intel AMT WebUI connection to the same client. The example on the left uses HTTP on port 16992, whereas the example on the right uses HTTPS on port 16993. This change is due to the TLS option added into the Intel AMT configuration. Applications or scripts attempting to communicate with the configuration on the left may be disrupted and require adjustments in order to work with the same system as configured on the right.

Figure 42: Configuration option change may impact Intel AMT communications

Find a common set of options and requirements across the applications and scripts used within your own environment. The ability to adjust the Intel AMT configuration still requires proper testing and change control.
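The port change just described is easy to detect before it disrupts anything. The following PowerShell function is an added example, not part of the Intel guide, that probes the two WebUI ports from the Intel SCS console system and reports which transport the client currently answers on; it also serves as a scripted form of steps 4 through 6 of the verification procedure in section 5.4. The client host name is an assumed input.

```powershell
# Added example (not from the Intel SCS guide). Run from the Intel SCS console system
# against a managed client to see whether it answers on HTTP (16992), HTTPS (16993),
# both, or neither. A pure TCP connect is used so no credentials are sent.
function Test-AmtWebUiPorts {
    param(
        # Host name or IP address of the Intel AMT client, e.g. 'hp8460p.vprodemo.com'
        [Parameter(Mandatory)] [string] $HostName,
        [int] $TimeoutMs = 2000
    )

    function Test-TcpPort([string] $Target, [int] $Port, [int] $Timeout) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $ar = $client.BeginConnect($Target, $Port, $null, $null)
            # No answer within the timeout: closed by a firewall or interface shut
            if (-not $ar.AsyncWaitHandle.WaitOne($Timeout, $false)) { return $false }
            $client.EndConnect($ar)     # throws if the connection was refused
            return $client.Connected
        } catch {
            return $false
        } finally {
            $client.Close()
        }
    }

    $http  = Test-TcpPort -Target $HostName -Port 16992 -Timeout $TimeoutMs
    $https = Test-TcpPort -Target $HostName -Port 16993 -Timeout $TimeoutMs

    # Interpretation follows the guide: once TLS is added to the profile the client
    # answers on 16993, and tooling still pointed at http://host:16992 breaks.
    if ($http -and $https) {
        $state = 'HTTP and HTTPS both answering'
    } elseif ($https) {
        $state = 'TLS configured: applications must use https://{0}:16993' -f $HostName
    } elseif ($http) {
        $state = 'No TLS: applications use http://{0}:16992' -f $HostName
    } else {
        $state = 'Intel AMT not answering (not configured, interface closed by Environment Detection, or host unreachable)'
    }

    $url = $null
    if ($https)     { $url = "https://${HostName}:16993" }
    elseif ($http)  { $url = "http://${HostName}:16992" }

    [pscustomobject]@{
        HostName  = $HostName
        Port16992 = $http
        Port16993 = $https
        WebUiUrl  = $url      # open this in a browser to reach the login page of step 6
        State     = $state
    }
}

# Usage (host name is a placeholder from this guide's example environment):
# Test-AmtWebUiPorts -HostName 'hp8460p.vprodemo.com'
```

Running this against each client before and after a Delta Configuration that enables TLS gives a quick inventory of which scripts and consoles need their URLs updated.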

When defining a Delta Configuration profile, as described in the Appendix sections of this guide, the same approach is used to apply the changes into the Intel AMT firmware. The difference occurs during the initial steps in creating the profile, by selecting how the profile will be used.

In the example shown below, the Delta Configuration option is selected.

Figure 43: Selecting Delta Configuration in Profile Settings

The ACUconfig command used can be either ConfigAMT or ConfigViaRCSonly. The first requires the profile to be exported and saved locally to where ACUconfig is executed. The second command option is considered more secure since the profile remains on the Intel RCS server. For the purposes of this guide, the ConfigViaRCSonly command will be used.

As a simple example in defining and applying a Delta Configuration, a change to the existing configuration will remove the requirement for User Consent on KVM sessions. This change can only be made when Intel AMT is in Admin Control Mode.

1. In the SCS Console, define a new profile called DeltaProfile and select the Delta Configuration option.

2. Click Next to see the Profile Scope options.

3. Clear all selections, and select only the KVM Redirection option.

4. Click Next to define the new KVM redirection options.

5. Enter the desired RFB Password.

6. Select the KVM Settings button to open the User Consent options.

7. Deselect the option for User Consent required before beginning KVM session.

Figure 44: KVM Redirection Settings

8. Save the profile settings and return to the main Intel SCS console screen.

9. On the target client, run the following command using the host or IP address of your system running Intel RCS, the designated delta configuration profile, and the WMI user credentials for Intel RCS authentication:

ACUconfig ConfigViaRCSonly 192.168.0.15 DeltaProfile /Adminpassword P@ssw0rd /WMIuser vprodemo\amtconfigservice /WMIuserpassword P@ssw0rd

Note: The Intel AMT admin password, shown as /Adminpassword P@ssw0rd, must be included in non-database deployments of Intel RCS. If Intel RCS is installed in database mode, a secure real-time lookup of the Intel AMT admin password can occur based on the last known configuration profile for that system.

10. The changed profile setting is now applied to the Intel AMT firmware.

Systems with Intel AMT 7.x or higher that are configured in Client Control Mode can be changed to Admin Control Mode. More information is available in the Intel SCS User Guide, in the section Moving from Client Control to Admin Control. This will require Remote Configuration using PKI to be prepared as described in Section 5.3 of this guide.

The following screenshot is only an example of how this operation is performed. The commands used in the example below include:

ACUconfig.exe /output console status

ACUconfig.exe MoveToACM 192.168.0.15 /WMIuser vprodemo\amtconfigservice /WMIuserpassword P@ssw0rd

Figure 45: Changing Client Control Mode to Admin Control Mode

It is important to periodically perform maintenance tasks such as synchronizing the Intel AMT clock, synchronizing network settings, and reissuing certificates, among others. Intel SCS does not automatically maintain these configuration settings.

For information about maintaining your configuration, refer to the Intel SCS 8 User Guide, Chapter 1 Introduction, section titled Maintenance Policies for Intel AMT. The section About Maintenance Tasks highlights common settings or attributes of the Intel AMT configuration that must be maintained to ensure operations are not disrupted. As stated in Section 6.1 Infrastructure Considerations in this guide (as well as in the Appendix sections), if certain Intel AMT configuration settings are not maintained, communications will be disrupted.

A common configuration maintenance operation is required for system name changes. When the operating system name is changed, the new name is updated within the Microsoft Active Directory and DNS infrastructure. However, the new name is not set into the Intel AMT firmware.

The following example demonstrates the situation:

1. The network infrastructure resolved to the new name, HP8460p in this example. The FQDN of the client is HP8460p.vprodemo.com.

2. The Intel AMT firmware has a hostname of CHANGEME, with an FQDN of CHANGEME.vprodemo.com. If the system were powered off, the DHCP lease assignments would be changed to the Intel AMT firmware hostname.

3. The IP address of the Intel AMT firmware is currently 192.168.0.104.

4. The same IP address is recognized on the network. Using nslookup, the IP address resolves to the new name. If the nslookup command were repeated using the Intel AMT firmware name, no record and resolution would appear.

Figure 46: Name Alignment

Although newer versions of Intel AMT support settings for shared FQDN and Dynamic DNS, the above scenario can be further complicated with Active Directory integration, TLS settings in the firmware, and so forth. The Intel AMT firmware system name does not align to the expected infrastructure.
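The nslookup comparison in the four-step example above can be scripted so that name drift is caught before it breaks DNS, TLS or Kerberos-dependent operations. The following PowerShell function is an added example, not part of the Intel guide; the Intel AMT firmware FQDN is an assumed input taken from the ACUconfig status output, and the host names in the usage line are the guide's example values.

```powershell
# Added example (not from the Intel SCS guide). Compares the name the network knows a
# client by with the name stored in the Intel AMT firmware, mirroring the nslookup
# checks in the example above. Run from any domain-joined system with DNS access.
function Test-AmtNameAlignment {
    param(
        # FQDN the host operating system registered in DNS, e.g. 'HP8460p.vprodemo.com'
        [Parameter(Mandatory)] [string] $OsFqdn,
        # FQDN currently held by the Intel AMT firmware, as reported by
        # 'ACUconfig /output console status', e.g. 'CHANGEME.vprodemo.com'
        [Parameter(Mandatory)] [string] $AmtFqdn
    )

    function Resolve-Quietly([string] $Name) {
        # Forward lookup; NXDOMAIN or an unreachable resolver is reported as "no addresses"
        try { [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString } }
        catch { @() }
    }

    $osAddrs  = @(Resolve-Quietly $OsFqdn)
    $amtAddrs = @(Resolve-Quietly $AmtFqdn)

    # Reverse lookup of the OS address: step 4 of the example expects the new name back.
    $reverseName = $null
    if ($osAddrs.Count -gt 0) {
        try { $reverseName = [System.Net.Dns]::GetHostEntry($osAddrs[0]).HostName } catch { }
    }

    # Aligned only when the firmware carries the same FQDN and that FQDN resolves.
    $aligned = ($OsFqdn -ieq $AmtFqdn) -and ($amtAddrs.Count -gt 0)

    [pscustomobject]@{
        OsFqdn            = $OsFqdn
        OsAddresses       = ($osAddrs -join ',')
        ReverseName       = $reverseName
        AmtFqdn           = $AmtFqdn
        AmtFqdnResolves   = ($amtAddrs.Count -gt 0)
        NamesAligned      = $aligned
        # $true reproduces the guide's scenario: the OS name resolves, the firmware
        # name does not, and a maintenance run is needed to push the new name.
        MaintenanceNeeded = (-not $aligned)
    }
}

# Usage with the guide's example names (placeholders for your environment):
# Test-AmtNameAlignment -OsFqdn 'HP8460p.vprodemo.com' -AmtFqdn 'CHANGEME.vprodemo.com'
```

A MaintenanceNeeded value of $true is the cue to run the maintenance command that follows against that client.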

Running the following command on the client with the target configuration profile, RCS address, Intel AMT admin password, and RCS authentication credentials will perform the necessary maintenance operations on the Intel AMT firmware:

ACUconfig.exe MaintainViaRCSonly 192.168.0.15 ACMprofile AutoMaintain /Adminpassword P@ssw0rd /WMIuser vprodemo\amtconfigservice /WMIuserpassword P@ssw0rd

    Four common deployment scenarios are shown in the subsections below. The fifth subsection provides additional insights on the local permissions required for ACUconfig and when accessing RCS. The scenarios are provided as a reference point. A basic hands-on understanding of the materials within this deployment guide will assist you in understanding the prerequisites and approaches for each scenario.

    For each scenario subsection, a brief description is provided, along with a review of the supported methods for Intel AMT configuration and the common configuration options. Using Intel RCS in Database Mode is recommended if a particular scenario requires remote configuration via PKI, TLS, Active Directory integration, or regular maintenance of configuration settings. More information on the different installation types of Intel RCS is available in the Intel SCS User Guide section titled Selecting the Type of Installation.

    Each deployment scenario includes common components as shown in the following diagram. Below the diagram is a brief summary of required and optional component characteristics.

    Figure 47: Required and Optional Component Characteristics (diagram showing Intel RCS with Microsoft SQL, Intel AMT Computers, and the infrastructure components AD, DNS, DHCP and CA)

    Infrastructure Components

    - Active Directory (AD): Required only if Active Directory integration will be used in the Intel AMT configuration.
    - Domain Name Server (DNS): Recommended for correct IP resolution in the environment.
    - Dynamic Host Configuration Protocol (DHCP) server: Required if DHCP IP addresses will be assigned to clients. Start with IPv4 addresses. Synchronization with DNS is recommended. Required for Remote Configuration using PKI.
    - Microsoft Certificate Authority (CA) Server: Required if TLS will be used in the Intel AMT configuration.

    Intel RCS

    Required for Remote Configuration, Configuration Maintenance, and Delta Configuration operations. If only Host-Based or Manual\SMB configuration will be used, only the Intel SCS Console is required. A Microsoft SQL database is optional for small environments or simple demonstration environments. For large deployments with infrastructure-dependent configuration options, installation of Intel RCS with an associated database is recommended. Refer to the types of installation in the Intel SCS User Guide.

    Intel AMT Computers

    Client systems must support Intel AMT. Refer to Section 3 of this guide, Intel AMT Discovery.

    For each deployment scenario, consider the requirements of the management applications and scripts to be used with Intel AMT. The configuration methods and options will depend on compatible management applications.

    Enterprise wired environments provide the best experience in using Intel AMT. The most common deployment scenario (and a recommended setup for initial testing) is an internal wired environment. As highlighted in section 6.1 of this guide, Intel AMT communications are TCP/IP based, enabling them to be routed throughout the wired environment.

    Figure 48: Enterprise Wired Environment (diagram showing Intel RCS with Microsoft SQL, Intel AMT Computers, and the infrastructure components AD, DNS, DHCP and CA)

    All configuration methods and configuration options are supported in an Enterprise Wired Deployment. If a valid remote configuration certificate cannot be obtained for the environment, use a two-step process. First configure Intel AMT using either Host-Based Configuration or SMB/Manual configuration. If further configuration is needed, use a Delta Configuration with a designated Intel AMT admin password in the ACUconfig.exe command. More information is available in the Intel SCS User Guide under Configuring Systems with RCS.

    If Remote Configuration using PKI will be used, an internal wired enterprise environment is required. The initial configuration can include settings for wireless and remote access. Once the initial configuration has occurred and the settings have been applied to Intel AMT, communications via wireless or remote access are possible.

    If 802.11 wireless is common within the enterprise environment or with embedded solutions, configuration and usage of Intel AMT over wireless is a deployment option. A fundamental understanding of Intel AMT in a wired environment is recommended before pursuing a wireless deployment.

    Figure 49: Enterprise Wireless Environment

    Intel AMT over wireless is primarily available in laptop platforms. In the currently available platforms, communications directly to Intel AMT in a wireless environment occur only when the host operating system is unavailable. If the host operating system is communicating with the network, Intel AMT communications first pass through the host operating system and are redirected into the firmware. This is a key difference from a wired enterprise environment, where communications to Intel AMT are direct regardless of the host operating system state. In an enterprise wireless environment, communications to Intel AMT may be temporarily interrupted when transitioning from the operating system to the Intel AMT network interface.

    If initial configuration of Intel AMT must occur over enterprise wireless, only Host-Based Configuration is supported. All configuration options are supported and Intel AMT will be in Client Control Mode.

    If configuration of Intel AMT occurs first in an enterprise wired environment, wireless settings can be applied in the initial or delta configuration.

    Intel AMT over wireless requires WPA or WPA2 to secure the communications. Enterprise wireless environments commonly use 802.1x or Endpoint Access Control (EAC) to authenticate the client device and user for the enterprise network. Configuration of 802.1x and EAC into the Intel AMT firmware is supported. More information is available in the Intel SCS User Guide.

    Properly configured Intel AMT clients with supporting infrastructure are able to communicate into the enterprise environment. The connection originates at the Intel AMT client. Once the connection is established, applications within the enterprise environment are able to communicate via Intel AMT to the external devices.

    Figure 50: Clients Outside the Enterprise

    Communicating with Intel AMT outside the enterprise is an advanced configuration beyond the scope of this guide. In the above architecture, the Manageability Presence Server (MPS) is an additional component and requirement.

    If initial configuration of Intel AMT must occur outside the enterprise, only Host-Based Configuration is supported. All configuration options are supported and Intel AMT will be in Client Control Mode.

    If configuration of Intel AMT occurs first in an enterprise wired environment, all configuration options are supported. Both Home Domains and Remote Access must be configured; more information is available in the Intel SCS User Guide. Communication to Intel AMT can occur across a Virtual Private Network (VPN) if the configuration option is enabled in the Home Domains profile option.

    For environments where multiple remote offices are managed from a central location, Intel AMT communications generally occur locally within the remote office via a local management appliance or application. This deployment model applies to embedded solution architectures, managed service providers, outsourced management solutions, and related environments.

    Figure 51: Service Provider Deployment

    A foundational understanding of Intel AMT configuration within an enterprise wired or wireless deployment is recommended.

    Configuration of Intel AMT may occur locally at the customer or remote office. SMB\Manual configuration is a common approach for small office environments. Host-based configuration for compatible Intel AMT platforms in the remote office via the local management appliance is a favorable approach if the appropriate prerequisites are met. See section 4.3 of this guide.

    If remote configuration is used, the Intel RCS server must be able to communicate with the target client system, similar to an enterprise wired environment, meeting the requirements of that configuration approach. An Intel RCS instance can reside within the remote office environment to handle configuration requests within a specific location.

    Additional understanding of the local and network permissions required to run ACUconfig.exe, especially when interacting with the Intel RCS across the network, will help in defining your own deployment model. By understanding the required permissions, an IT administrator is better able to determine the minimal security requirements. Before proceeding, it is recommended that you review the Intel SCS User Guide section User Permissions Required to Access the RCS.

    When ACUconfig.exe executes, it runs in the context of the local user account and must interact with a Windows kernel driver, HECI.sys.

    Figure 52: Required Permissions (diagram showing ACUconfig interacting with the local Heci.sys driver and with the RCSserver, which requires WMI permissions to the Intel_RCS namespace: Execute Methods, Full Write, Remote Enable)

    Earlier in this guide, a requirement to Run as Administrator was stated when opening a command prompt before using ACUconfig.exe. This is a command prompt with elevated privileges, a requirement applicable to Microsoft Windows Vista or higher versions of the operating system. Similarly, if using a Windows Scheduled Task, it must be run with Highest Privileges. This requirement is true even when logged in as a local administrator, due to the Microsoft Windows security architecture when interacting with a kernel level driver.

    Figure 53: Using Elevated Privileges for ACUconfig.exe

    In addition to accessing the local HECI.sys driver file, if ACUconfig.exe must interact with an Intel RCS instance over the network, then WMI namespace and Distributed Component Object Model (DCOM) access must be allowed. Refer to the Intel SCS User Guide sections titled Defining DCOM Permissions and Defining WMI Permissions.

    The sample AMTconfigService domain user account defined earlier in this guide was granted Local Administrator rights. If Local Administrator rights cannot be granted to this service account, it must be granted access to the Intel_RCS WMI Namespace as shown below. As stated in the Intel SCS User Guide, users allowed access to this Namespace are able to perform operations on Intel AMT systems.

    Note: If running Intel RCS on a system protected by a firewall, review the Intel SCS User Guide section Connecting to an RCS behind a Firewall.

    Shown below, the AMTconfigService account has been granted Execute Methods, Full Write, and Remote Enable access to the Intel_RCS namespace.

    Figure 54: AMTconfigService Account

    For DCOM access, the AMTConfigService account can be added to the local Distributed COM Users group as shown below.

    Figure 55: Add Account to local DCOM group

    By granting this access, the following two command prompt examples have the same level of permissions locally and to the RCS. The key differences between the command prompts include:

    - The first example is logged in as system1\demouser, a local system administrator. ACUconfig.exe will run in the context of this user.
    - The first example requires the AMTconfigService domain credentials to be included in the ACUconfig.exe command. This exposes the domain user password when executing the command.
    - The second example shows the command prompt running as the AMTconfigService domain user. A similar approach is accomplished via Windows Scheduled Tasks or software delivery solutions which allow a specific domain user account to be defined. This example requires the domain account to be a local system administrator.
    - The second example shows that the ACUconfig.exe command does not require the /WMIuser parameter to be defined. ACUconfig.exe will run under the context of AMTconfigService, the logged-on user.

    Figure 56: Command Prompts

    When either of the above commands is executed on the client, the Windows Security Event Log on the server where the RCSServer Windows service is running will show a Special Logon event. In the example below, the vProDemo\AMTconfigService domain user account performed a Special Logon as part of the ACUconfig.exe command, due to the logged-on or specified user account.

    Figure 57: Event Properties

    The Local System account can also be used when running ACUconfig.exe, if granted appropriate permissions to the RCS. This approach may be preferred instead of using a Domain User as a service account for all ACUconfig.exe operations requiring communications to RCS. If ACUconfig.exe will be executed on multiple domain computers, add the Domain Computers group to the Intel_RCS WMI Namespace as shown below.

    Figure 58: WMI Namespace

    In addition, the Domain Computers group must be added to the local Distributed COM Users group where RCSserver is installed.

    Figure 59: DCOM User Properties

    The following command prompt shows the logged-on user is the Local System account, designated as NT Authority\System. The ACUconfig.exe command will run in that context.

    Figure 60: ACUconfig Command
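
    The permissions described above (the three Intel_RCS namespace rights, membership of the local Distributed COM Users group, and the resulting Special Logon events) can be audited on the RCS server with the following PowerShell script. It is an added example, not code from the Intel SCS guide or from Intel; the namespace path root\Intel_RCS and the sample principal name are assumptions, and the script only sees rights granted directly to the principal, not rights it inherits through group membership.

```powershell
# Added example, not from the Intel SCS guide: audit the RCS-side permissions on this host.
# Assumed: the RCS WMI namespace path is root\Intel_RCS; the sample principal is constructed.
# Requires PowerShell 5.1+ (Get-LocalGroupMember) and an elevated prompt for the Security log.
param(
    [string]$Principal = 'vprodemo\AMTconfigService',   # account or group, e.g. 'vprodemo\Domain Computers'
    [string]$Namespace = 'root\Intel_RCS'               # assumed RCS WMI namespace
)

# WMI namespace access-mask bits (WBEM_* constants) behind the three rights the guide names
$WBEM_METHOD_EXECUTE = 0x02   # "Execute Methods"
$WBEM_FULL_WRITE_REP = 0x04   # "Full Write"
$WBEM_REMOTE_ACCESS  = 0x20   # "Remote Enable"
$RequiredMask = $WBEM_METHOD_EXECUTE -bor $WBEM_FULL_WRITE_REP -bor $WBEM_REMOTE_ACCESS

function Get-PrincipalSid([string]$Name) {
    # Translate DOMAIN\name to a SID so ACE and group comparisons do not depend on name format
    $nt = New-Object System.Security.Principal.NTAccount($Name)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-NamespaceGrantedMask([string]$Ns, [string]$Sid) {
    # OR together the access-allowed ACEs that name this SID directly on the namespace.
    # Rights obtained through group membership (e.g. local Administrators) are not expanded,
    # so a member of Administrators may legitimately show as "missing" here.
    $sd = (Get-WmiObject -Namespace $Ns -Class __SystemSecurity).GetSecurityDescriptor().Descriptor
    $mask = 0
    foreach ($ace in $sd.DACL) {
        if ($ace.AceType -eq 0 -and $ace.Trustee.SIDString -eq $Sid) {   # AceType 0 = ACCESS_ALLOWED
            $mask = $mask -bor $ace.AccessMask
        }
    }
    return $mask
}

function Test-DcomUsersMember([string]$Sid) {
    # True when the SID is a direct member of the local "Distributed COM Users" group
    $members = Get-LocalGroupMember -Group 'Distributed COM Users' -ErrorAction SilentlyContinue
    return [bool]($members | Where-Object { $_.SID.Value -eq $Sid })
}

function Get-SpecialLogonCount([string]$Sid, [int]$Hours = 24) {
    # Event 4672 (Special Logon) is recorded on the RCS host when ACUconfig reaches it as this
    # account; Properties[0] of a 4672 event is SubjectUserSid. Group SIDs never match here.
    $filter = @{ LogName = 'Security'; Id = 4672; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    return @($events | Where-Object { $_.Properties[0].Value.Value -eq $Sid }).Count
}

$sid     = Get-PrincipalSid $Principal
$granted = Get-NamespaceGrantedMask $Namespace $sid
$missing = $RequiredMask -band (-bnot $granted)

"Principal:             $Principal ($sid)"
"Execute Methods:       $([bool]($granted -band $WBEM_METHOD_EXECUTE))"
"Full Write:            $([bool]($granted -band $WBEM_FULL_WRITE_REP))"
"Remote Enable:         $([bool]($granted -band $WBEM_REMOTE_ACCESS))"
"Distributed COM Users: $(Test-DcomUsersMember $sid)"
"4672 events (24h):     $(Get-SpecialLogonCount $sid)"
if ($missing -ne 0) {
    Write-Warning ('Namespace rights missing for {0}: mask 0x{1:X}' -f $Principal, $missing)
}
```

    Run it once with the service account and once with the Domain Computers group to compare the two approaches described above; the 4672 count is only meaningful for the account variant.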

    Once Intel AMT is configured, it is a service on the network awaiting an authenticated and authorized request. By default, the DHCP IPv4 and FQDN settings of Intel AMT will be the same as those of the host operating system. The settings may vary in situations where the DNS lookup of a machine differs from the actual machine name, or from how that machine is identified within Microsoft Active Directory.

    The value of the Intel AMT FQDN is a dependency for Microsoft Active Directory integration, TLS certificate properties, and other settings within the firmware. If the assigned firmware FQDN value cannot be resolved on the network, Intel AMT communications will fail. If the assigned Intel AMT FQDN value must be updated due to a system name change, a Configuration Maintenance routine as described in section 7 is recommended to avoid communication failures. More information on the settings is available via the Intel SCS User Guide sections Defining IP and FQDN Settings and Disjointed Namespaces.

    The IP address and FQDN settings can be customized as shown in the following screen.

    Figure 61: Intel AMT FQDN

    Once the desired value is determined, it can be set in the base or delta configuration profiles. To apply the change, refer to the example sequence in section 6.2.1 Defining and Applying a Delta Configuration. A simple way to confirm that the Intel AMT FQDN source value is correct is to connect via the Intel AMT WebUI when the system is powered on or off.

    Connections to Intel AMT must be authenticated and authorized before the desired action can be performed. Within the Intel AMT firmware is an Access Control List (ACL) used to determine who is authorized. The default user, Intel AMT admin, has full access and permissions. More information is available in the Intel SCS User Guide under the Defining the Access Control List (ACL) section.

    The Intel AMT ACL allows an administrator to define appropriate levels of authorization into the firmware. As mentioned in the Intel SCS User Guide, up to 7 Digest users and 32 Active Directory users/groups can be defined. Some applications and scripts will expect full authorization and rely primarily on the Intel AMT admin account, which is granted PT Administration Realm access by default. A complete listing of the Intel AMT Realms and their purposes is provided in the Intel SCS User Guide.

    Before restricting access, use the Intel AMT admin account to validate the desired Intel AMT functions within the target environment. The majority of enterprise applications interacting with Intel AMT use the Intel AMT admin account as a service account across the environment. If the Intel AMT admin password is randomized or a digest master password is used, ensure the desired enterprise applications are able to securely determine the correct password per system.

    Environments with multiple applications, scripts and users interacting directly with Intel AMT may require diminishing levels of access. The following example highlights three accounts and user types for an example environment.

    Figure 62: Access Control List Settings

    In addition to the three Digest User accounts shown, the Intel AMT admin account is available on the platform. The Intel AMT admin account cannot be disabled, but the password can be randomized and maintained per system.

    Refer to the Intel SCS User Guide to define the desired Intel AMT ACLs for a target environment. Once the desired profile has been created, use steps similar to section 6.2.1 of this document to apply the changes.

    Using the example users above, once the Intel AMT ACLs have been applied, a simple test via the Intel AMT WebUI will show whether features and actions have been authorized or not. The following example (which assumes the Asset user is logged on) shows certain features are locked out as defined by the Intel AMT ACL.

    Figure 63: Features Locked by Intel AMT ACL

    Active Directory integration is recommended for environments desiring pass-through authentication of a domain user interacting with Intel AMT. The authentication will occur via Kerberos.

    Active Directory integration is required for environments desiring 802.1x, EAC, and other advanced features that are beyond the scope of this deployment guide.

    Once Intel AMT is configured, it is a service on the network. Integration with Microsoft Active Directory creates a User object for the computer with a User Principal Name (UPN) that matches the hostname of the device. Properties of the object include a Service Principal Name (SPN). Both the Domain Computer object and the SPN must exist within the Microsoft Active Directory Forest. More information is available in the Intel SCS User Guide section titled Defining Active Directory Integration. In addition, a basic overview of Kerberos authentication within Microsoft Active Directory is available at http://technet.microsoft.com/en-us/library/cc772815(WS.10).aspx

    Authentication of domain user accounts to the Intel AMT device, or allowing the device to negotiate an 802.1x handshake to be accessible on the network, are the two main reasons for Microsoft Active Directory integration. Most applications and scripts that are Intel AMT capable support Kerberos authentication.

    The following simplified diagram shows a Kerberos handshake used to authenticate to Intel AMT. First a token request for the target system, which is a service on the network, is sent to the Microsoft Active Directory domain controller. The request is for the hostname$iME, and the Service Principal Name (SPN) in Active Directory will have a value similar to HTTP/vprosystem.domain:16992. The user account for the request is authenticated by Microsoft Active Directory to access the target service. The approved request is then sent from the requesting application to the target Intel AMT client.

    Figure 64: Kerberos Handshake

    Active Directory integration requires the client to be joined to the domain with an associated Computer object. When an Intel AMT Active Directory integration configuration event occurs, a service account is created for the system. The service account will have the same system hostname as the Computer object. To help organize and separate the two objects, a separate Active Directory Organizational Unit (OU) should be created. If the hostname of the client is changed, the UPN and SPN associated with the service object for Intel AMT authentication must be updated.
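
    The name-alignment check at the start of this section (forward and reverse DNS must agree with the firmware FQDN) and the hostname$iME / SPN requirements just described can be verified together with the following PowerShell script. It is an added example, not code from the Intel SCS guide or from Intel; the FQDN is a constructed sample, the IP is the one quoted in the guide's example, and treating hostname$iME as the object's sAMAccountName and HTTP/<fqdn>:16992 as its SPN are assumptions taken from the guide's description.

```powershell
# Added example, not from the Intel SCS guide: verify that the FQDN configured into Intel AMT
# resolves consistently in DNS and, with Active Directory integration, that the hostname$iME
# object and its HTTP/<fqdn>:16992 SPN exist. The FQDN below is a constructed sample.
param(
    [string]$AmtFqdn = 'vprosystem.vprodemo.com',   # constructed sample FQDN
    [string]$AmtIp   = '192.168.0.104'              # IP from the guide's name-alignment example
)

function Test-AmtDnsAlignment([string]$Fqdn, [string]$Ip) {
    # Forward lookup of the firmware FQDN must return the firmware IP, and the reverse lookup
    # of that IP must return the same FQDN. The guide's failing scenario (the IP now resolves
    # to a new name while the firmware still carries the old one) fails the reverse check.
    $fwd = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction SilentlyContinue |
           Where-Object { $_.IPAddress -eq $Ip }
    $rev = Resolve-DnsName -Name $Ip -Type PTR -ErrorAction SilentlyContinue |
           Where-Object { $_.NameHost.TrimEnd('.') -eq $Fqdn }
    return [pscustomobject]@{
        Fqdn           = $Fqdn
        ForwardMatches = [bool]$fwd
        ReverseMatches = [bool]$rev
    }
}

function Test-AmtAdObject([string]$Fqdn) {
    # The AMT service object is named <hostname>$iME (assumed here to be its sAMAccountName)
    # and must carry the SPN HTTP/<fqdn>:16992 for Kerberos tickets to be issued for Intel AMT.
    $hostname = $Fqdn.Split('.')[0]
    $spn      = 'HTTP/' + $Fqdn + ':16992'
    $searcher = [adsisearcher]('(sAMAccountName=' + $hostname + '$iME)')
    $result   = $searcher.FindOne()
    $spns     = if ($result) { @($result.Properties['serviceprincipalname']) } else { @() }
    return [pscustomobject]@{
        Account      = $hostname + '$iME'
        ObjectExists = [bool]$result
        ExpectedSpn  = $spn
        SpnPresent   = [bool]($spns -contains $spn)
    }
}

$dns = Test-AmtDnsAlignment $AmtFqdn $AmtIp
$ad  = Test-AmtAdObject $AmtFqdn
$dns | Format-List
$ad  | Format-List
if (-not ($dns.ForwardMatches -and $dns.ReverseMatches)) {
    Write-Warning 'DNS and the firmware FQDN disagree: run a Configuration Maintenance (section 7) before relying on TLS or AD integration.'
}
if ($ad.ObjectExists -and -not $ad.SpnPresent) {
    Write-Warning 'AD object exists but the expected SPN is missing: a hostname change has not been propagated to the service object.'
}
```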

    In the example below, the AMT_OU has been created. The Log On account of the RCSserver must have access to Create and Delete objects within the target OU.

    1. Right click on the created AMT_OU and select Delegate Control.

    Figure 65: Delegate Control

    2. Using the example account in this guide, namely AMTconfigService, add the designated Log On account in the Delegate Control prompts. When prompted for Tasks to Delegate, select Create a custom task to delegate.

    Figure 66: Tasks to Delegate

    3. Delegate control of the folder, existing objects, and creation of new objects.

    Figure 67: AD Object Type

    4. Grant Full Control to the target Active Directory OU. The designated account is now able to create, delete, and maintain the Intel AMT system accounts.

    Figure 68: Permissions
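
    Because step 4 grants Full Control on the OU, it is worth confirming afterwards that only the intended RCS log-on account (and the built-in administrative groups) hold create, delete or full-control rights there. The following PowerShell script lists those grants; it is an added example, not code from the Intel SCS guide or from Intel, and the OU distinguished name is a constructed sample.

```powershell
# Added example, not from the Intel SCS guide: list the identities that can create, delete or
# fully control objects in the OU delegated to the RCS log-on account. The OU DN is a
# constructed sample; run from a domain-joined host as a user allowed to read the OU's security.
param(
    [string]$OuDn = 'OU=AMT_OU,DC=vprodemo,DC=com'   # constructed sample distinguished name
)

function Get-OuDelegations([string]$Dn) {
    # Bind to the OU and read its DACL through System.DirectoryServices (no AD module needed)
    $ou  = [ADSI]"LDAP://$Dn"
    $acl = $ou.ObjectSecurity                      # System.DirectoryServices.ActiveDirectorySecurity
    # Rights that let a principal add, remove or fully manage the hostname$iME objects
    $watch = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, CreateChild, DeleteChild, WriteDacl, WriteOwner'
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $held = $ace.ActiveDirectoryRights -band $watch
        if ([int]$held -eq 0) { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $held
            Inherited = $ace.IsInherited
            AppliesTo = $ace.InheritanceType        # None = this object only; All = whole subtree
        }
    }
}

# Expected after the steps above: the RCS log-on account (AMTconfigService in this guide) with
# GenericAll, plus the built-in administrative groups. Any other identity deserves a closer look.
Get-OuDelegations $OuDn | Sort-Object Identity | Format-Table -AutoSize
```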

    Note: If Intel SCS was not installed in database mode, the target Active Directory OU must be specified on the command line when maintaining or unconfiguring Intel AMT.

    When creating the configuration profile, select the Active Directory Integration and Access Control List (ACL) options.

    Figure 69: Optional Settings

    Select the target Active Directory OU where objects for Intel AMT will be stored.

    Figure 70: Select the AD OU for Intel AMT

    At the Access Control List prompt, add at least one Domain Group or User with Intel AMT Realm access. In the following example, the Domain Admins group will be granted PT Admin realm access.

    Figure 71: User/Group Details

    Once the desired profile has been created, use steps similar to section 6.2.1 above to apply the changes.

    After the configuration event, a new object will appear in the designated Active Directory OU. The properties of the object will show the hostname$iME value.

    Figure 72: Active Directory OU

    If the currently logged-in user is a member of the group specified in the Intel AMT ACL, then pass-through authentication will occur.

    If not, the login prompt will show the FQDN. Enter valid domain user credentials similar to the example below.

    Figure 73: Enter Valid Credentials

    Note: After the
