Date posted: 05-Apr-2018
7/31/2019 Intel(R) SCS 8 Deployment Guide
Intel Setup and Configuration Software (Intel SCS)
Deployment Guide
Version 8
Document Release Date: May 2, 201
Document Version: 1
INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.
UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR.
Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined." Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information.
The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request.
Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order.
Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or go to: http://www.intel.com/design/literature.htm.
Intel Active Management Technology requires activation and a system with a corporate network connection, an Intel AMT-enabled chipset, network hardware and software. For notebooks, Intel AMT may be unavailable or limited over a host OS-based VPN, when connecting wirelessly, on battery power, sleeping, hibernating or powered off. Results dependent upon hardware, setup & configuration.
For more information, visit http://www.intel.com/technology/platform-technology/intel-amt.
Intel vPro Technology is sophisticated and requires setup and activation. Availability of features and results will depend upon the setup and configuration of your hardware, software and IT environment.
To learn more visit: http://www.intel.com/technology/vpro.
Systems using Client Initiated Remote Access require wired LAN connectivity and may not be available in public hot spots or "click to accept" locations. For more information on CIRA, visit http://software.intel.com/en-us/articles/fast-call-for-help-overview.
Intel, the Intel logo, and Intel vPro, are trademarks of Intel Corporation in the U.S. and/or other countries.
* Other names and brands may be claimed as the property of others.
Copyright 2012, Intel Corporation. All rights reserved.
Contents
1 Introduction ..... 5
2 Intel AMT Overview ..... 6
2.1 Intel SCS Overview ..... 6
2.2 Infrastructure Starting State ..... 7
3 Intel AMT Discovery ..... 9
3.1 Purposes and Prerequisites ..... 9
3.2 Local Query of Intel AMT Status ..... 10
3.3 Local SystemDiscovery of Intel AMT ..... 10
4 Deciding on a Configuration Path ..... 12
4.1 Why is Setup and Configuration Necessary? ..... 12
4.2 Configuration Process Overview ..... 13
4.3 Configuration Methods ..... 14
4.4 Domain User Account ..... 15
4.5 Install the Intel SCS Server Components ..... 15
5 Configuration Options ..... 17
5.1 Host-Based Configuration ..... 17
5.1.1 Create Intel AMT Configuration Profile ..... 17
5.1.2 Export the Profile and Run the ACUConfig Utility ..... 19
5.2 SMB/Manual Configuration ..... 20
5.3 Remote Configuration Using PKI ..... 22
5.3.1 Configure Certificates for Intel AMT ..... 22
5.3.1.1 Task: Get SSL Certificate for Remote Intel AMT Configuration ..... 22
5.3.1.2 Task: Export SSL Certificate for Remote Intel AMT Configuration ..... 29
5.3.1.3 Task: Import SSL Certificate for Remote Intel AMT Configuration to User Certificate Store ..... 31
5.3.2 Create and Apply Configuration Profile via Remote Configuration using PKI ..... 34
5.4 Verify the Setup and Configuration ..... 36
6 Delta Configurations ..... 37
6.1 Infrastructure Considerations ..... 37
6.2 Change Control Management ..... 40
6.2.1 Defining and Applying a Delta Configuration ..... 41
6.2.2 Changing Configuration Mode ..... 43
7 Configuration Maintenance ..... 44
8 Deployment Scenarios ..... 46
8.1 Enterprise Wired Deployment ..... 48
8.1.1 Overview ..... 48
8.1.2 Intel AMT Configuration Methods and Options ..... 48
8.2 Enterprise Wireless Deployment ..... 49
8.2.1 Overview ..... 49
8.2.2 Intel AMT Configuration Methods and Options ..... 50
8.3 Clients Outside the Enterprise ..... 50
8.3.1 Overview ..... 50
8.3.2 Intel AMT Configuration Methods and Options ..... 50
8.4 Service Provider Deployment ..... 51
8.4.1 Overview ..... 51
8.4.2 Intel AMT Configuration Methods and Options ..... 52
8.5 Permissions Required for ACUconfig and Accessing the RCS ..... 52
A Appendix A: Common Configuration Options ..... 57
A.1 Defining the Intel AMT FQDN Source ..... 57
A.1.1 Purpose of Intel AMT FQDN Value ..... 57
A.1.2 Prerequisites to Determining Intel AMT FQDN Value ..... 57
A.1.3 Defining, Applying, and Validating Intel AMT FQDN Value ..... 58
A.2 Defining Access Authorization via Intel AMT ACL ..... 58
A.2.1 Purpose of Intel AMT Access Control List ..... 58
A.2.2 Prerequisites in Determining Level of Authorization ..... 59
A.2.3 Defining, Applying, and Validating Intel AMT ACLs ..... 60
A.3 Active Directory Integration ..... 60
A.3.1 Purpose of Active Directory Integration ..... 61
A.3.2 Prerequisites and Dependencies for Active Directory Integration ..... 61
A.3.3 Defining, Applying, and Validating Intel AMT Value ..... 64
A.4 Transport Layer Security (TLS) ..... 66
A.4.1 Purpose of TLS with Intel AMT Configuration ..... 66
A.4.2 Overview and Prerequisites for TLS ..... 67
A.4.3 Environmental Preparations ..... 67
A.4.3.1 Enabling Web Enrollment for Microsoft Certificate Authority ..... 68
A.4.3.2 Granting Service Account Privileges to Microsoft Certificate Authority ..... 69
A.4.4 Defining, Applying and Validating a TLS Profile Configuration ..... 71
A.5 Wireless LAN ..... 73
A.5.1 Purpose of Intel AMT over Wireless ..... 74
A.5.2 Prerequisites for Intel AMT over Wireless ..... 74
A.5.3 Defining, Applying and Validating Intel AMT over Wireless Configuration ..... 74
A.6 Intel AMT Configuration Options Not Covered ..... 77
1 Introduction
This deployment guide is an instructional document for those new to the Intel Active Management Technology (Intel AMT) configuration process. Information provided within this deployment guide is meant to complement the Intel Setup and Configuration Software (Intel SCS) User Guide (filename Intel(R)_SCS_8.0_User_Guide.pdf, available in the Intel SCS 8 download package), and will refer to that guide for a complete listing of features and settings within Intel SCS.
Readers who want guidance on obtaining a baseline implementation of Intel AMT will benefit by reviewing this deployment guide. Once a baseline configuration is completed, the deployment guide explores common configuration options, how to amend and maintain the Intel AMT configuration, and includes common deployment scenarios.
The guide has three main components across multiple chapters and appendix sections. The structure of the guide is as follows:
Foundational Concepts: Chapters 2 through 5 introduce Intel AMT, how to discover whether Intel AMT exists on a system, and common configurations of Intel AMT via Intel SCS.
Production Planning: Chapters 6 through 8 focus on how to extend an existing configuration of Intel AMT, configuration maintenance considerations of Intel AMT, and common deployment scenarios.
Common Configuration Options: The appendix sections include common configuration options for Intel AMT. The purposes, prerequisites, and examples provide you with a core understanding of frequently used options.
You are encouraged to complete the Foundational Concepts before exploring the other sections of this deployment guide. Less common configuration options for Intel AMT are outside the scope of this guide, and you are encouraged to review the Intel SCS User Guide or related resources for further information.
2 Intel AMT Overview
Intel AMT provides out-of-band management within the physical chipset of a client computer. It is a component of the Intel Management Engine (Intel ME). The simplified diagram shown below is a summary of how Intel AMT works. In wired mode on the corporate network, Intel AMT traffic shares the same physical network interface as the host operating system.
Figure 1: Intel AMT communication overview
Communications to Intel AMT commonly occur on the same IP address, specifically
when the system is using DHCP issued IPv4 addresses. Once Intel AMT is in a
configured and operational state, network traffic on ports 16992-16995 is directly
intercepted by Intel AMT within the chipset before being passed to the host operating
system.
In a wired mode, the Intel AMT traffic occurs below the operating system and the client
firewall. If the host operating system is not available, Intel AMT will continue to operate
as long as power is attached and a network connection is present.
2.1 Intel SCS Overview
Intel SCS enables the initial setup, configuration changes, and configuration maintenance of systems where Intel AMT is present. To ensure Intel AMT is properly configured only for the target environment, the firmware is commonly delivered in an unconfigured state. Intel SCS allows you to complete the setup and configuration process which enables access to the Intel AMT features.
After configuration, systems can be managed via software solutions that include support
for Intel AMT.
Intel SCS can be obtained at http://www.intel.com/go/scs.
2.2 Infrastructure Starting State
In order to assist you with a baseline implementation of Intel AMT, this deployment guide assumes an initial starting state environment. Three key components will be required. For initial setup purposes a closed wired network is recommended:
Infrastructure Services: Microsoft* Active Directory Domain Controller with DHCP and DNS services.
Intel RCS server: System for Intel Remote Configuration Service (RCS).
Intel AMT client: Network wire connected client system.
The summary architecture diagram below shows the starting state for the purposes of this
deployment guide.
Figure 2: Summary Architecture Diagram
For initial testing or portable demonstration environment purposes, the above architecture
can be simplified using two direct connected systems as shown below. The server on
the left hosts a single virtual machine environment with Infrastructure and Intel RCS
server components. The client on the right is an Intel AMT capable system. The client
system is direct connected to the server via a network cable. The server has a static IP
address, as required by the Infrastructure Services, and the client is assigned a dynamic IP
address.
Figure 3: Simplified or Portable Demonstration Environment (Server Environment hosting the Infrastructure Components AD, DNS, DHCP and Intel RCS; Intel AMT Laptop)
3 Intel AMT Discovery
This section addresses common methods to detect Intel AMT locally on the system, with brief references on how to collect the information centrally.
3.1 Purposes and Prerequisites
The primary objective of this section is to determine what platforms have Intel AMT, the current configuration state, and specific firmware version. Knowing the exact Intel AMT versions in the environment will assist in determining what configuration approach is appropriate in addition to available platform capabilities.
Many client management solutions that are Intel AMT capable have a base inventory capability that is commonly dependent upon the Intel Management Engine Interface (Intel MEI) driver. The locally obtained Intel AMT information shared in this section can be especially helpful if the Intel MEI driver is missing or if no solution exists in the environment to detect and inventory Intel AMT capable systems.
Before you begin, make sure the complete Intel SCS package has been downloaded and
extracted to the target environment. Intel SCS can be downloaded at
http://intel.com/go/scs.
Copy the Configurator directory, selected in the example below, to the Intel AMT client.
Figure 4: The Configurator Directory
3.2 Local Query of Intel AMT Status
On the Intel AMT client system, open a command prompt to the Configurator directory.
For systems running Microsoft Vista, Microsoft Windows* 7, or newer operating
systems, the command prompt must be opened with elevated privileges due to interaction
with a kernel level driver. This is done by right clicking on the command prompt icon
and selecting Run as Administrator.
Run the following command to determine the current Intel AMT configuration state.
Refer to the Intel SCS User Guide section Verifying the Status of an Intel AMT System
for more information.
ACUconfig.exe /output console status
Figure 5: The ACUconfig Command
In the above example, the output of the ACUconfig.exe Status command shows:
- Intel AMT version 7.1.30
- System is currently unconfigured
- Expected mode of configuration is PKI
- System supports host-based configuration
- Current Intel AMT configuration state is Pre-Provision
For a single system, information provided by the Status command provides a simple view
of the Intel AMT configuration state. If additional information is required or needs to be
obtained across multiple systems in the environment, the SystemDiscovery command
may be preferred.
3.3 Local SystemDiscovery of Intel AMT
Additional information about Intel AMT can be captured to a local file or Windows registry using the SystemDiscovery command as explained in the Discovering Systems section of the Intel SCS User Guide.
At the same command prompt, run the following:
ACUconfig.exe SystemDiscovery
As explained in the Intel SCS User Guide, the resulting data provides more in depth
information about the Intel AMT platform in a format which can be centrally collected
via custom inventory solutions. The following example shows the resulting XML file in
the Configurator directory along with a preview of the file contents. The combined
information is helpful with initial configuration and troubleshooting when needed.
Figure 6: XML File Generated by ACUconfig
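Collecting the SystemDiscovery output centrally, as an added example that is not part of the Intel guide: the script copies the Configurator directory to each client, runs ACUconfig.exe SystemDiscovery there through PowerShell Remoting, and gathers the XML it writes into one folder per host. The client list file, the share paths, and the use of WinRM and administrative shares are assumptions for illustration.

```powershell
# Added example (not from the Intel SCS guide): push the Configurator directory
# to each client, run ACUconfig.exe SystemDiscovery, and copy the resulting XML
# back to a central folder, one subfolder per host.
# Assumptions: PowerShell Remoting (WinRM) and the C$ admin share are reachable,
# the account running this is a local administrator on every client (ACUconfig
# talks to the Intel MEI kernel driver and needs elevation), and all paths below
# are placeholders for your environment.

param(
    [string[]]$ComputerName       = (Get-Content -Path ".\amt-clients.txt"),   # placeholder list
    [string]$ConfiguratorSource   = "C:\IntelSCS\Configurator",                # extracted SCS package
    [string]$CentralStore         = "\\rcsserver\AMTInventory"                 # placeholder share
)

$remoteDir = "C:\Temp\Configurator"

foreach ($computer in $ComputerName) {
    $dest = "\\$computer\C$\Temp\Configurator"
    try {
        # 1. Copy the Configurator directory (ACUconfig.exe and its dependencies).
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
        Copy-Item -Path "$ConfiguratorSource\*" -Destination $dest -Recurse -Force

        # 2. Run SystemDiscovery in an elevated remote session; the XML is written
        #    to the current directory, so change into the Configurator directory first.
        $exitCode = Invoke-Command -ComputerName $computer -ArgumentList $remoteDir -ScriptBlock {
            param($dir)
            Set-Location $dir
            $p = Start-Process -FilePath ".\ACUconfig.exe" -ArgumentList "SystemDiscovery" `
                               -Wait -PassThru -NoNewWindow
            $p.ExitCode
        }

        # 3. Collect every XML file SystemDiscovery left in the Configurator directory.
        $hostStore = Join-Path $CentralStore $computer
        New-Item -ItemType Directory -Path $hostStore -Force | Out-Null
        Get-ChildItem -Path $dest -Filter *.xml | Copy-Item -Destination $hostStore -Force

        [pscustomobject]@{
            Computer  = $computer
            ExitCode  = $exitCode
            Collected = (Get-ChildItem -Path $hostStore -Filter *.xml).Count
            Error     = $null
        }
    }
    catch {
        # Unreachable host, access denied, or copy failure: record it and move on.
        [pscustomobject]@{ Computer = $computer; ExitCode = $null; Collected = 0; Error = $_.Exception.Message }
    }
}
```

The per-host XML under the central share is what a custom inventory solution can then parse, as the guide describes; hosts with a non-zero exit code or an error column need a manual look.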
4 Deciding on a Configuration Path
This section helps you understand the Intel AMT Discovery data and determine which of
the common Intel AMT configuration methods is most appropriate for your situation:
Host-Based Configuration
Remote Configuration using Public Key Infrastructure (PKI)
SMB\Manual Configuration
At the conclusion of this section, the server component of Intel SCS will be installed.
4.1 Why is Setup and Configuration Necessary?
The factory default state for Intel AMT firmware is unconfigured and unusable. This is important to ensure unauthorized users cannot access the features of Intel AMT. It also means that before authorized system administrators can use Intel AMT's powerful management features, they must first set up and configure Intel AMT.
There are three main purposes of setup and configuration:
Securely deliver a profile to the target client firmware
Ensure that only intended users have access to managed clients
Enable Intel AMT features and specify their behavior
Establishing initial trust for configuration must be accomplished between the Intel AMT
firmware and the target environment.
4.2 Configuration Process Overview
The following diagram is a simplified overview of the Intel AMT configuration process
for enterprise deployment. Some steps of the process will vary for individual
environments and configuration methods. Intel AMT starts in an unconfigured state and
gets an IP address from the infrastructure. The previous chapter summarized local Intel
AMT discovery techniques to identify key characteristics including the Intel AMT
version. Review of the discovered data in connection with configuration approaches is
the next step of this guide. Once you select a configuration approach, you will then
create a configuration profile, initiate the configuration process, apply the settings, and
validate the configuration.
Figure 7: Configuration Process Overview
4.3 Configuration Methods
This guide summarizes three common approaches to establish initial trust for the purposes of Intel AMT configuration. The decision flow below provides a simplified view in selecting a particular configuration approach. All approaches result in a configured Intel AMT state. More information is available in the Configuration Methods and Intel AMT Versions and Control Modes sections of the Intel SCS User Guide.
Figure 8: Choosing a Configuration Method (decision flow with the nodes Start; Determine Intel AMT Version; Intel AMT Version 6.2?; Client Control Mode Ok?; Physically Touch each system?; and the outcomes Host-Based Configuration, Remote Configuration using PKI, and SMB\Manual Configuration)
Determining your preferred approach will vary based on needs of the environment. Host-Based Configuration is often recommended for ease of deployment and least number of infrastructure changes. For lab testing or small office deployment purposes, the SMB\Manual method may be preferred. For production post-deployment configuration of Intel AMT across a variety of firmware versions, Remote Configuration using PKI may be preferred.
4.4 Domain User Account
For the purposes of this deployment guide, a defined Domain User Account will be used.
In the example below, a suggested domain account AMTconfigservice was created.
Figure 9: Create a Domain User Account
The account will be used to log on as a Service, as well as be a Local Administrator on
the server where Intel SCS is installed and more. For a complete listing of permissions
and rights access for this Domain User Account and other accounts which can be used to
access the Intel SCS services, refer to sections of the Intel SCS User Guide on RCS User
Access Account Requirements and User Permissions Required to Access the RCS.
4.5 Install the Intel SCS Server Components
Intel SCS is comprised of multiple components as summarized in the Intel SCS Components section of the Intel SCS User Guide. For the initial purposes of this deployment guide, Intel SCS will be installed in Non-Database Mode with Remote Configuration Service (RCS) and Console loaded on the server. More information is available in Selecting the Type of Installation of the Intel SCS User Guide.
The following summarized steps rely upon the Setting up the RCS section of the Intel
SCS User Guide. To complete these steps the Domain User Account amtconfigservice
which you previously created will be used.
1. Make this service account a local administrator on the server that will run the Intel
Remote Configuration Service (RCS).
2. Login to the server and launch Server Manager. Expand Configuration > Local
Users and Groups. Right click on Administrators and select Add to Group.
3. Open the RCS folder and select IntelSCSInstaller.exe.
4. At the Welcome screen, retain default options. Unselect the Database options, and
retain the selections for Service and Console.
5. Accept the License agreement.
6. When prompted for a Service Logon Authentication, use the AMTConfigService
account.
Figure 10: Intel SCS Login
7. Accept the remaining default selections, including Launch the Intel SCS Console.
5 Configuration Options
This section provides step-by-step instructions for each of the three setup and
configuration methods to achieve a baseline level of configuration so that you can begin
using Intel AMT.
Note: Each of the following subsections are alternative methods. Choose one method based on your environmental analysis in the previous section.
5.1 Host-Based Configuration
This section provides step by step instructions for configuring your managed client using Host-Based Configuration.
5.1.1 Create Intel AMT Configuration Profile
1. Within the Intel SCS Console, click the icon to create a new profile.
2. In the Configuration Profile Wizard window, change the Profile Name to HBPProfile.
3. Click Next.
4. Leave all Optional Settings unselected.
5. Click Next.
6. In the System Settings screen, provide settings similar to the following. For more
information on the password format requirements, see Password Format in the
Intel SCS User Guide.
RFP Password: P@ssw0rd
Enable option: ME will go into lower power state when idle
Set Timeout if Idle to 65535
MEBx Password: P@ssw0rd
Intel AMT Admin Password: P@ssw0rd
Enable Intel AMT to respond to ping requests
Figure 11: Systems Settings Screen
7. Click OK, Next, and Finish to complete the profile.
5.1.2 Export the Profile and Run the ACUConfig Utility
Perform the following steps:
1. In the Intel SCS console, select the HBPprofile and click Export to XML.
2. Save the profile XML file to a location accessible by the client without encrypting or
defining domain credentials.
Figure 12: Export Profile to XML File
3. Copy the HBPprofile.xml file to the Configurator directory on the target client
system.
Note: See section 3.1, Purposes and Prerequisites above if the Configurator
directory is not already on the client.
4. Open a command prompt on the client, using Run as Administrator.
5. Change to the Configurator directory.
6. Run the following command on the client:
ACUconfig ConfigAMT HBPprofile.xml
Note: The Configuration directory with exported configuration profile and
command can be sent to all Host-Based Configuration capable systems
in the target environment.
7. When the Intel Management and Security Status (IMSS) dialog appears, the Intel Management Engine (Intel ME) configuration is complete.
Figure 13: IMSS Screen
Note: The ConfigAMT command is commonly used during the Unified Configuration Process, which is further explained in the Intel SCS User Guide.
At this point, proceed to section 5.4, Verify the Setup and Configuration.
5.2 SMB/Manual Configuration
Detailed instructions for performing SMB/Manual Configuration are provided in the Intel SCS User Guide, Chapter 4 Using the Console, section titled Defining Manual Configuration (Multiple Systems). The following is a summarized version.
1. Insert a blank USB key into the computer where the Intel SCS console is loaded.
2. On the Intel SCS console, select Tools > Prepare a USB Key for Manual Configuration.
3. Enter the desired settings for your environment. The Intel SCS User Guide provides
a good explanation of the options in addition to the following guidance:
For Intel AMT systems 4.x to 6.x, use All systems are Intel AMT 6.0
or higher
The resulting USB key with setup.bin file must meet the configuration
requirements as stated. For mixed environments, a separate setup.bin
file must be created for each type of configuration. For example, if
some systems are desktops with Intel AMT 7.x this will require a
different setup.bin file from systems that are Intel AMT 6.x and mobile.
Figure 14: Manual Configuration Settings
4. After the USB key has been initialized with the generated setup.bin file, insert the
USB key into the target Intel AMT system.
5. Power on the system; during the pre-boot system check, a prompt will be displayed to configure Intel AMT.
6. Press Y to accept the configuration. Once the configuration is applied, remove the
USB key and complete the system boot process.
Figure 15: Configuration Confirmation Prompt
7. At this point, proceed to section 5.4, Verify the Setup and Configuration.
5.3 Remote Configuration Using PKI
This section provides step-by-step instructions for configuring your managed client via
Remote Configuration using Public Key Infrastructure (PKI). Remote Configuration
consists of the following high level steps:
Configure Certificates for Intel AMT
Export the Certificates to the Client
Import the Certificates in the context of the Intel AMT service user
Create a Remote Configuration profile in Intel SCS console
Run the ACUConfig command on the managed client using the certificate and
profile you created in previous steps
These high-level steps are explained in detail in the following subsections.
5.3.1 Configure Certificates for Intel AMT
This section provides step-by-step instructions for obtaining and configuring certificates for Intel AMT. Additional information is available in the Intel SCS User Guide under the section Setting up Remote Configuration.
Note: If you are planning to create an internal self-signed remote
configuration certificate, remember that the custom root certificate hash
must be applied to each Intel AMT system. Before pursuing creation of
your own remote configuration certificate, consider using SMB\Manual
Configuration or Host-Based Configuration to minimize the number of
steps required to complete the configuration task.
5.3.1.1 Task: Get SSL Certificate for Remote Intel AMT Configuration
An SSL certificate is used to establish initial trust between your Intel AMT clients and Intel RCS when initiating client configuration. All Intel AMT systems have root hashes for defined vendors (VeriSign, GoDaddy, Comodo, Starfield, Entrust, Cybertrust, etc.) embedded in the firmware. Therefore, a certificate from one of these vendors is required to configure Intel AMT clients. This single certificate is completely separate from the one-per-client TLS certificates that will be issued by your Microsoft Certificate Authority.
Note: This SSL certificate is commonly referred to as the Remote
Configuration Certificate. Different versions of Intel AMT will vary as
to what root certificate hashes are in the firmware. More information is
available via the Certificates links at the Intel SCS download page.
(http://www.intel.com/go/scs)
Getting the SSL certificate is a three step process:
Create a certificate signing request.
Complete the certificate request.
Export the SSL certificate so that it can be used in Intel AMT configuration.
To start the process, generate a certificate signing request (CSR). The following example uses Microsoft Internet Information Services* (IIS) on Windows Server 2008.
1. Log in to a server with IIS installed. Launch Server Manager, expand Roles > Web Server (IIS) and select Internet Information Services (IIS) Manager. Select your server in the Connections column and open Server Certificates.
Figure 16: IIS Manager Screen
2. In the Actions column, select Create Certificate Request.
Figure 17: Server Certificates Screen
3. Complete the Certificate Request wizard. Be sure that the Common Name field
includes the correct DNS suffix as defined by the DHCP option 15 value for your
environment. This can be verified on clients by running ipconfig and looking at the
connection-specific DNS suffix.
4. Once the fields are completed similar to the example below, click Next to proceed.
Figure 18: Distinguished Name Properties Screen
Note: The Organizational unit value must be set to Intel(R) Client Setup Certificate. This value must be entered exactly as shown in this note.
5. In the Cryptographic Service Provider Properties screen, use the default values of Microsoft RSA SChannel Cryptographic Provider with a Bit length of 2048. Click Next to proceed.
Figure 19: Cryptographic Service Provider Properties
Note: The wizard allows a bit length of 1024 or 2048. Use 2048: public Certificate Authorities no longer issue 1024-bit certificates, and a 1024-bit RSA key is not adequate protection for a key that can configure every Intel AMT system in your environment.
6. In the File Name screen, give the certificate request a name and save it on the Desktop. Then click Next to proceed.
Figure 20: File Name Screen
7. The resulting file can be sent to an approved certificate authority, and they will
provide a certificate response file.
Note: For more information on valid Certificate Authorities, see http://communities.intel.com/docs/DOC-1277
8. When the certificate authority provides a certificate response file, go back into IIS
and select Complete Certificate Request.
Figure 21: Server Certificates Screen
9. In the Certificate Authority Response screen, select the file that was provided by the external certificate authority. Give the certificate a friendly name (AMT Remote Configuration Certificate is used in this example). Click OK to proceed.
Figure 22: Specify Certificate Authority Response Screen
10. The SSL certificate will now appear in IIS.
Figure 23: The SSL Certificate Appears
Note: You must also have valid root and intermediate certificates from the
external CA. If not already present on your system, contact your
certificate authority.
11. Double click on the certificate to open and visually inspect, ensuring key properties
and settings have been applied.
12. The General tab will show that the certificate is valid for specific purposes, with the statement "You have a private key that corresponds to this certificate".
Figure 24: General Tab of Certificate Properties
13. Select the Details tab. Select Subject under the Field column. The CN value must show the expected DNS suffix, aligned to the DHCP option 15 value used within the environment. The OU value must show Intel(R) Client Setup Certificate.
Note: The OU value may be different for certificates signed by Comodo.
Comodo certificates use a specific OID value to designate an Intel(R)
Client Setup Certificate.
Figure 25: Details Tab of Certificate Properties
Note: An additional validation step is to confirm the root certificate's thumbprint (hash) against the list of root certificate hashes stored in the Intel AMT firmware. If the certificate was issued by one of the vendors listed earlier and the two previous checks pass, the root is usually already trusted by the firmware, but only the hash comparison settles it: a root that is missing from the firmware list means remote configuration will fail on that system.
14. Click OK to close the certificate. Close IIS to complete this process.
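The checks in steps 12 and 13 and the root-hash note above can be scripted. The following PowerShell is an added example and is not part of the Intel guide: run as an administrator on the IIS server where the request was completed, it looks in the local machine Personal store for a certificate with the required OU and reports whether the private key is present, the key length, whether the CN carries the DHCP option 15 suffix, whether the chain builds, and the root certificate's SHA-1 and SHA-256 hashes for comparison with the firmware hash list. The DNS suffix and the hash list are inputs you supply; the values shown are placeholders.

```powershell
# Added example (not from the Intel guide). Validates a candidate remote
# configuration certificate in Cert:\LocalMachine\My. Run as an administrator on
# the IIS server used above. $DnsSuffix and $KnownRootHashes are inputs you
# supply; the defaults below are placeholders.
param(
    [string]$DnsSuffix = 'vprodemo.com',   # DHCP option 15 value for your clients (assumed)
    [string[]]$KnownRootHashes = @()       # root hashes from the firmware list (SHA-1 or SHA-256 hex)
)

# Normalise the supplied hashes to upper-case hex without separators.
$known = $KnownRootHashes | ForEach-Object { ($_ -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() }

# Only the OU string is checked here; a Comodo-issued certificate marks the
# Intel(R) Client Setup Certificate usage with an OID instead, so review those by hand.
$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match 'OU=Intel\(R\) Client Setup Certificate' }
if (-not $candidates) {
    Write-Warning 'No certificate with OU "Intel(R) Client Setup Certificate" found in LocalMachine\My.'
    return
}

foreach ($cert in $candidates) {
    $problems = @()
    Write-Host "Checking $($cert.Thumbprint): $($cert.Subject)"

    # Step 12: the private key must be attached or the later PFX export cannot include it.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key is associated with this certificate' }

    # Step 5: 2048-bit RSA is what the CA expects.
    $keySize = $cert.PublicKey.Key.KeySize
    if ($keySize -lt 2048) { $problems += "key length is $keySize bits, expected 2048" }

    # Step 13: the CN must end with the suffix clients receive in DHCP option 15.
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if (-not $cn.EndsWith($DnsSuffix, [System.StringComparison]::OrdinalIgnoreCase)) {
        $problems += "CN '$cn' does not end with '$DnsSuffix'"
    }

    # Note after step 10: root and intermediates must be present on this machine.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $problems += "chain does not build: $(($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')"
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Note after Figure 25: the root must match a hash stored in the Intel AMT firmware.
    # Depending on the Intel AMT version the firmware list holds SHA-1 or SHA-256 hashes.
    $sha1   = $root.Thumbprint.ToUpperInvariant()
    $sha256 = ([System.BitConverter]::ToString(
        [System.Security.Cryptography.SHA256]::Create().ComputeHash($root.RawData)) -replace '-', '').ToUpperInvariant()
    Write-Host "  root: $($root.Subject)"
    Write-Host "  root SHA-1:   $sha1"
    Write-Host "  root SHA-256: $sha256"
    if ($known.Count -gt 0 -and ($known -notcontains $sha1) -and ($known -notcontains $sha256)) {
        $problems += 'root hash is not in the supplied firmware hash list'
    }

    if ($problems.Count -eq 0) { Write-Host '  RESULT: OK' }
    else { $problems | ForEach-Object { Write-Host "  PROBLEM: $_" } }
}
```

Save it as a .ps1 and run it as `.\Check-RcsCertificate.ps1 -DnsSuffix vprodemo.com -KnownRootHashes <hash1>,<hash2>`, where the hashes come from the Certificates links on the Intel SCS download page or from the firmware of a representative client. Revocation checking is turned off because the point here is chain completeness, not CA reachability from this server.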
The SSL certificate must now be exported so that it can be imported into the server where
Intel RCS will be installed.
1. To export the SSL certificate, launch MMC and add the certificates snap-in (choose
Computer Account). Expand Certificates (Local Computer) > Personal and
select Certificates. Then right-click on the certificate and choose All Tasks >
Export.
Figure 26: Export Certificate
Note: Do not export the certificate from IIS, as the full certificate chain may
not be included.
2. In the Export Private Key screen choose Yes, export the private key. Click Next to proceed.
Figure 27: Export Private Key Screen
3. In the Export File Format screen, select Personal Information Exchange - PKCS #12 (.PFX). Select the options Include all certificates in the certification path if possible and Export all extended properties. Click Next to proceed.
Figure 28: Export File Format Screen
4. In the Password screen, enter a strong password. Click Next to proceed. This password is the only protection for the private key while the PFX file is at rest, so treat the file as a secret and delete it once it has been imported on the RCS server.
Figure 29: Password Screen
5. In the Certificate Export Wizard screen, provide path and file name for the resulting
PFX file. In the example below, the file will be saved to the desktop of the server.
Figure 30: File to Export Screen
6. In the Completing the Certificate Export Wizard screen, click Finish to complete the process.
The remote configuration certificate must be installed in the correct user certificate store
on the server that is running the Intel Remote Configuration Service. The previously
created service account will be used in this example.
1. To ensure the certificate is placed in the correct personal certificate store, open
Microsoft Management Console (MMC) using the following command:
runas /user:vprodemo\AMTConfigService mmc.exe
Figure 31: Runas Command
Note: In this example the domain is vprodemo. Adjust the command
according to your domain and environment.
2. Enter the user's password in the command window that appears.
3. Add the Certificates snap-in with My user account selected and click Finish to proceed.
Figure 32: Certificates snap-in Screen
4. In the Microsoft Management Console, expand Certificates - Current User and select Personal. Then right-click and select All Tasks > Import.
Figure 33: Import Certificates
5. In the Welcome to the Certificate Import Wizard screen, click Next to proceed.
6. In the File to Import screen, browse to the exported remote configuration certificate (AMT_configuration_cert.pfx in this example). Click Next to proceed.
Figure 34: File to Import Screen
Note: If the certificate file is not in the user profile path, remember that you are running MMC as the service account. You may need to browse to another location (e.g. the desktop of your administrator's account) to find the certificate file.
7. In the Password screen, enter the password and also select Include all extended
properties.
Note: Enable strong private key protection must not be selected: the RCS service runs non-interactively and cannot answer the prompt that strong protection adds to every use of the private key. If the option is selected and cannot be changed, check the group policy settings for the server.
8. Click Next to proceed.
Figure 35: Password Screen
9. In the Certificate Store screen, select Automatically select the certificate store based on the type of certificate. Click Next to proceed.
Figure 36: Certificate Store Screen
10. On the Completing the Certificate Import Wizard screen, click Finish to proceed.
11. The certificate will now appear in the certificate store.
Figure 37: The Certificate Appears in Store
12. At this point, proceed to section 5.4, Verify the Setup and Configuration.
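The export and import wizards above can be driven from PowerShell, which is convenient when the RCS server is built repeatedly. The two functions below are an added example, not from the Intel guide: Export-RcsCertificate runs as an administrator on the IIS server and writes a PFX carrying the private key and the full chain; Import-RcsCertificate runs on the RCS server under the service account (for example from `runas /user:vprodemo\AMTConfigService powershell.exe`) and places the certificates in that account's own stores without strong private key protection. The function names, file name and account are placeholders; the store locations and the OU filter are the guide's.

```powershell
# Added example (not from the Intel guide). Export-RcsCertificate: run as an
# administrator on the IIS server. Import-RcsCertificate: run on the RCS server
# under the service account, e.g. from
#   runas /user:vprodemo\AMTConfigService powershell.exe
# Function names, file name and account are placeholders.

function Export-RcsCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$PfxPath,
        [Parameter(Mandatory = $true)][string]$Password
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match 'OU=Intel\(R\) Client Setup Certificate' -and $_.HasPrivateKey } |
        Select-Object -First 1
    if (-not $cert) { throw 'No remote configuration certificate with a private key in LocalMachine\My.' }

    # Collect leaf + intermediates + root, as the wizard option
    # "Include all certificates in the certification path if possible" does.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) { throw 'Chain is incomplete; install the CA root/intermediate certificates first.' }
    $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    foreach ($element in $chain.ChainElements) { $null = $collection.Add($element.Certificate) }

    # The private key must be exportable (keys created by the IIS wizard are) or Export throws.
    $bytes = $collection.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    [System.IO.File]::WriteAllBytes($PfxPath, $bytes)
    Write-Host "Wrote $($collection.Count) certificates to $PfxPath"
}

function Import-RcsCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$PfxPath,
        [Parameter(Mandatory = $true)][string]$Password
    )
    # PersistKeySet keeps the key in this user's key container after PowerShell exits.
    # UserProtected (strong private key protection) is deliberately absent: a service
    # cannot answer the password prompt it would add to every use of the key.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet -bor
             [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::UserKeySet
    $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $collection.Import($PfxPath, $Password, $flags)

    foreach ($cert in $collection) {
        if ($cert.HasPrivateKey) {
            $storeName = 'My'                      # the remote configuration certificate itself
        } elseif ($cert.Subject -eq $cert.Issuer) {
            # Root: it belongs in the machine-wide trusted root store, not a user store.
            if (-not (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)")) {
                Write-Warning "Root '$($cert.Subject)' is not in LocalMachine\Root; install it as an administrator."
            }
            continue
        } else {
            $storeName = 'CA'                      # intermediate
        }
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'CurrentUser')
        $store.Open('ReadWrite')
        $store.Add($cert)
        $store.Close()
        Write-Host "Imported '$($cert.Subject)' into CurrentUser\$storeName"
    }

    # What the service account will see at run time (compare with Figure 37).
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -match 'Intel\(R\) Client Setup Certificate' } |
        Select-Object Subject, HasPrivateKey, NotAfter, Thumbprint
}

# On the IIS server (administrator):
#   Export-RcsCertificate -PfxPath "$env:USERPROFILE\Desktop\AMT_configuration_cert.pfx" -Password '<pfx password>'
# On the RCS server, in a PowerShell started as the service account:
#   Import-RcsCertificate -PfxPath 'C:\Temp\AMT_configuration_cert.pfx' -Password '<pfx password>'
```

The password is passed as a plain parameter because X509Certificate2Collection.Export and Import only accept a string; clear the PowerShell history and remove the PFX file when done. The final Get-ChildItem is the same check as step 11: if HasPrivateKey is False for the service account, RCS will not be able to sign the configuration handshake.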
1. Within the Intel SCS Console, click the icon to create a new profile.
2. In the Configuration Profile Wizard window, change the Profile Name to
ACMProfile.
3. Click Next.
4. Leave all Optional Settings unselected.
5. Click Next.
6. In the System Settings screen, provide settings similar to the following. The password values shown are the guide's demonstration values; in production use distinct, strong passwords for MEBx and the Intel AMT admin account. For more information on the password format requirements, see Password Format in the Intel SCS User Guide.
RFB Password: P@ssw0rd
Enable option: ME will go into lower power state when idle
Set Timeout if Idle to 65535
MEBx Password: P@ssw0rd
Intel AMT Admin Password: P@ssw0rd
Enable Intel AMT to respond to ping requests
Figure 38: Systems Settings Screen
7. Click OK, Next, and Finish to complete the profile.
8. On the target client system, open a command prompt in the Configurator directory using Run as Administrator.
9. Run the following command (immediately following the note below) using the name
or IP address of the server where Intel RCS was installed.
Note: The sample command includes the Domain User used as the logon
account for RCSserver. More information will be shared in the
Appendix on network accounts and permissions required for
communications between ACUconfig and RCSserver.
ACUconfig.exe ConfigViaRCSonly 192.168.0.15 ACMprofile /WMIuser vprodemo\AMTconfigService /WMIuserpassword P@ssw0rd
Note: More information on the ACUconfig.exe ConfigViaRCSonly command
is available in the Configuring Systems Using the RCS section of the
Intel SCS User Guide.
10. At this point, proceed to section 5.4, Verify the Setup and Configuration.
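The ACUconfig.exe call in step 9 puts the RCS service account password on the command line and leaves success or failure to be read off the console. The following PowerShell function is an added example, not from the Intel guide: it prompts for the RCS credentials instead of having them typed into the shell, checks the ACUconfig exit code, and runs the status command from section 5.4 afterwards. Invoke-AcuConfig is a placeholder name, the server address, profile and account are the guide's sample values, and the same wrapper fits the MoveToACM and MaintainViaRCSonly commands used later in the guide. It requires PowerShell 3.0 or later.

```powershell
# Added example (not from the Intel guide). Wraps the ACUconfig.exe call above:
# RCS credentials are prompted for, the exit code is checked, and the status
# command from section 5.4 is run afterwards. Invoke-AcuConfig is a placeholder
# name; requires PowerShell 3.0 or later.
function Invoke-AcuConfig {
    param(
        [Parameter(Mandatory = $true)][string]$Command,   # ConfigViaRCSonly, MoveToACM, MaintainViaRCSonly
        [Parameter(Mandatory = $true)][string]$RcsServer, # host name or IP of the Intel RCS server
        [string]$ProfileName,                             # profile defined in the Intel SCS Console
        [string[]]$ExtraArgs = @(),                       # e.g. 'AutoMaintain' or '/Adminpassword','<pw>'
        [string]$ConfiguratorDir = (Get-Location).Path,   # directory holding ACUconfig.exe
        [System.Management.Automation.PSCredential]$RcsCredential = (Get-Credential -Message 'Account that Intel RCS runs as (DOMAIN\user)')
    )
    $exe = Join-Path $ConfiguratorDir 'ACUconfig.exe'
    if (-not (Test-Path $exe)) { throw "ACUconfig.exe not found in $ConfiguratorDir" }

    # ACUconfig only accepts the RCS password as an argument, so it still reaches the
    # child process on its command line; it does not, however, land in shell history.
    $acuArgs = @($Command, $RcsServer)
    if ($ProfileName) { $acuArgs += $ProfileName }
    $acuArgs += $ExtraArgs
    $acuArgs += '/WMIuser', $RcsCredential.UserName, '/WMIuserpassword', $RcsCredential.GetNetworkCredential().Password

    & $exe @acuArgs
    $exitCode = $LASTEXITCODE
    if ($exitCode -ne 0) { throw "ACUconfig $Command returned exit code $exitCode" }

    # Same check as section 5.4, step 2.
    & $exe /output console status
}

# Initial configuration, as in step 9 above:
#   Invoke-AcuConfig -Command ConfigViaRCSonly -RcsServer 192.168.0.15 -ProfileName ACMprofile
# Delta configuration and maintenance (later in the guide) also need the Intel AMT admin password:
#   Invoke-AcuConfig -Command ConfigViaRCSonly -RcsServer 192.168.0.15 -ProfileName DeltaProfile -ExtraArgs '/Adminpassword','P@ssw0rd'
#   Invoke-AcuConfig -Command MaintainViaRCSonly -RcsServer 192.168.0.15 -ProfileName ACMprofile -ExtraArgs 'AutoMaintain','/Adminpassword','P@ssw0rd'
```

Run it from an elevated PowerShell in the Configurator directory, as the guide requires for ACUconfig. A non-zero exit code stops the script before the status check, so a failed configuration is not mistaken for a successful one when the output scrolls past.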
To verify configuration of Intel AMT on the managed client, do the following:
1. On the client, open a command prompt in the Configurator directory using Run as Administrator.
2. Run the following command:
ACUconfig /output console status
3. The sample screen below shows the system is configured in Admin Control Mode.
Figure 39: Sample Screen
4. On the Intel SCS console system, open a web browser.
5. In the address box, enter the URL for the clients Intel ME WebUI, shown below:
http://hostname:16992
6. If the login page displays, the Intel ME on the managed client is configured.
Figure 40: Intel AMT Web UI Login
7. Click Log On.
8. Log on as user admin with the password used in the configuration profile. Following the example above, the password was P@ssw0rd.
A delta configuration is one that is modified from the baseline configuration described
in the preceding foundational sections of this deployment guide. The intent of this
section is to expand the scope of the Intel AMT configuration to include features and
capabilities beyond the initial configuration. For a production deployment, the additional
configuration options shown can be applied in a single profile when using Host-Based or
Remote Configuration via PKI approaches.
A key phrase to remember is "Once configured, Intel AMT is a network service awaiting an authenticated and authorized request."
This implies that Intel AMT must be able to exist on a network whether or not the host
operating system is available. Within the Intel Management Engine (Intel ME) of the
chipset, if Intel AMT is present and configured a small network communications stack is
present and able to maintain communications with the network. For Intel AMT to be a
network service, key features must be configured specific to the target environment. In
addition, some Intel AMT capable management applications will expect specific
configuration options to be set within the Intel AMT firmware and network settings.
The diagram below provides a summary of key infrastructure considerations when
configuring and deploying Intel AMT in an environment. Some of the options are
configurable; other options are inherently built into the technology and not customizable.
Figure 41: Considerations for Intel AMT network communications
More detail on each quadrant is provided below:
Network Interface
Wired LAN within a corporate environment is preferred and often is the required
interface for initial configuration. Since Intel AMT sees traffic below the operating
system, certain environmental variables can be set to designate internal versus
external traffic. The received DHCP option 15 value compared with configured
Home Domains designates whether Intel AMT network communications are
allowed.
Wireless LAN, specifically 802.11a/b/g/n, is supported and can also be used for delta configuration changes. Network security settings are required, along with defining or replicating the wireless profile into the firmware. If a wireless LAN requires user intervention for access, Intel AMT may be unable to negotiate a connection.
All communications occur across the IANA-registered ports for Intel AMT, 16992-16995: 16992 (HTTP), 16993 (HTTPS), 16994 (redirection: SOL and IDE-R) and 16995 (redirection over TLS).
Network Protocol
By default, Intel AMT shares the same physical network interface as the host
operating system. DHCP IPv4 addresses are shared, with only the destination port
differentiating how traffic is routed within the chipset.
Static IP is supported and will require additional setup and configuration.
Intel AMT will have an IP address on the network and respond to traffic even when the host operating system is unavailable. For optimal experience in an IPv4 environment, it is recommended that Intel AMT have the same FQDN as the host operating system, helping to ensure DHCP leases and DNS resolution are correct. Exceptions may occur for environments with disjoint namespaces. Correct IP address resolution is required, with most applications expecting internal DNS to resolve the target FQDN to an IP address. In some circumstances, Intel AMT may have an IP address yet the requesting application is unable to identify the correct address.
Most Intel AMT communications are initiated by a requesting application over TCP\IP. Intel AMT is a service awaiting an authenticated request. In certain situations, such as a hardware alert, Intel AMT will send out a message via SNMP or WS-Eventing.
IPv6 is supported on Intel AMT 6.x and higher versions. Currently, Intel AMT requires a unique IPv6 address, different from the host operating system. Correct resolution of FQDN-to-IP is an important consideration when using IPv6 with Intel AMT.
Authentication and Authorization
All inbound Intel AMT session requests must be authenticated and authorized. Within the Intel AMT firmware settings is an Access Control List (ACL). Authentication occurs via HTTP Digest (MD5) or Kerberos. Authorization is defined by access to realms, or capabilities, within the firmware. See section A.2, Defining Access Authorization via Intel AMT ACL in Appendix A.
User consent refers to the 6-digit random code that the firmware overlays on the client's screen; the console user must supply it before the session proceeds. This is commonly used for KVM Remote Control as defined by the configuration profile. Intel AMT platforms configured via Host-Based Configuration (Client Control Mode) will also require User Consent for boot redirection actions.
Network Security
Intel AMT communications can be secured and encrypted via Transport Layer
Security (TLS). TLS will also authenticate the session. With Intel AMT as the
"service", a TLS certificate with private key is created for each Intel AMT device
and stored in its firmware. The certificate is issued to the FQDN value obtained as
defined in the configuration profile.
Intel AMT devices can be set to ONLY communicate with defined consoles or
requesting applications via Mutual TLS. In summary, in addition to the requesting
application establishing a TLS session with Intel AMT, the Intel AMT device
establishes a TLS session with the requesting application. This configuration is not
common and is rarely supported by Intel AMT capable applications.
Environments that require port authentication or secure Wireless Access Point
communications will commonly have a form of 802.1x. For Intel AMT to operate
on an 802.1x enabled network, it must be configured with the correct posture
information. Additional configuration settings can be applied for environments
using Endpoint Access Control (EAC).
WPA\WPA2 refers to industry standard wireless security and protection. This is
required for Intel AMT operations over wireless, and can be defined within the Intel
AMT configuration profile.
Trusted Domains is the list of home domains that lets Intel AMT detect which environment it is connected to. The comparison uses the DHCP option 15 value returned in the DHCP lease reply. If no match is found against the domain list configured into Intel AMT, the firmware network interface is closed. This is called Environment Detection.
Remote Access refers to the Intel AMT ability to connect over the Internet to a defined Manageability Presence Server (MPS). This connection can occur on demand, per a defined schedule, or when a hardware alert occurs, per the configuration of Intel AMT.
Admittedly, the information outlined above can be somewhat intimidating. Therefore, it is recommended that, especially for initial trial implementations, you start with the basics, including defining a password for the Intel AMT admin account and using DHCP IPv4 (the default option). This approach is covered in the earlier sections of the guide.
Adding the security layers, Kerberos authentication, wireless settings, or use of
configuration options outside of the base Out-of-Band Management configuration
interface are not recommended for first time users of Intel AMT. You are encouraged to
start with the baseline configuration covered earlier before pursuing common
configuration options or more advanced materials.
See the Appendix sections of this guide for information on how to configure the most common options as experienced in production environments. Each Appendix section provides an overview of the purpose of the configuration option, the reason for and commonality of using the option, key prerequisites, references to the Intel SCS User Guide for additional information, and a summary explanation of how to apply the configuration.
Before adjusting the Intel AMT configuration, identify applications used in connection
with Intel AMT. Changes to a single configuration option such as authentication,
encryption, or other settings specific to requesting applications may disrupt existing
solutions.
A simple example is shown below with the Intel AMT WebUI connection to the same
client. The example on the left uses HTTP on port 16992, whereas the example on the
right uses HTTPS on port 16993. This change is due to the TLS option added into the
Intel AMT configuration. Applications or scripts attempting to communicate with the
configuration on the left may be disrupted and require adjustments in order to work with
the same system as configured on the right.
Figure 42: Configuration option change may impact Intel AMT communications
Find a common set of options and requirements across the applications and scripts used
within your own environment. The ability to adjust the Intel AMT configuration still
requires proper testing and change control.
When defining a Delta Configuration profile, as described in the Appendix sections of this guide, the same approach is used to apply the changes into the Intel AMT firmware. The difference occurs during the initial steps in creating the profile, by selecting how the profile will be used.
In the example shown below, the Delta Configuration option is selected.
Figure 43: Selecting Delta Configuration in Profile Settings
The ACUconfig command used can be either ConfigAMT or ConfigViaRCSonly. The
first requires the profile to be exported and saved locally to where ACUconfig is
executed. The second command option is considered more secure since the profile
remains on the Intel RCS server. For the purposes of this guide, the ConfigViaRCSonly
command will be used.
As a simple example in defining and applying a Delta Configuration, a change to the
existing configuration will remove the requirement for User Consent on KVM sessions.
This change can only be made when Intel AMT is in Admin Control Mode.
1. In the SCS Console, define a new profile called DeltaProfile and select the Delta Configuration option.
2. Click Next to see the Profile Scope options.
3. Clear all selections, and select only the KVM Redirection option.
4. ClickNext to define the new KVM redirection options.
5. Enter the desired RFB Password.
6. Select KVM Settings button to open the User Consent options.
7. Deselect the option for User Consent required before beginning KVM session.
Figure 44: KVM Redirection Settings
8. Save the profile's settings and return to the main Intel SCS console screen.
9. On the target client, run the following command using the host name or IP address of your system running Intel RCS, the designated delta configuration profile, and the WMI user credentials for Intel RCS authentication:
ACUconfig ConfigViaRCSonly 192.168.0.15 DeltaProfile /Adminpassword P@ssw0rd /WMIuser vprodemo\amtconfigservice /WMIuserpassword P@ssw0rd
Note: The Intel AMT admin password, shown as /Adminpassword
P@ssw0rd, must be included in non-database deployments of Intel
RCS. If Intel RCS is installed with database mode, a secure real-time
lookup of the Intel AMT admin password can occur based on the last
known configuration profile for that system.
10. The changed profile setting is now applied to the Intel AMT firmware.
Systems with Intel AMT 7.x or higher that are configured in Client Control Mode
can be changed to Admin Control Mode. More information is available in the Intel
SCS User Guide, in the section Moving from Client Control to Admin Control.
This will require Remote Configuration using PKI to be prepared as described in
Section 5.3 of this guide.
The following screenshot is only an example of how this operation is performed. The commands used in the example are:
ACUconfig.exe /output console status
ACUconfig.exe MoveToACM 192.168.0.15 /WMIuser vprodemo\amtconfigservice /WMIuserpassword P@ssw0rd
Figure 45: Changing Client Control Mode to Admin Control Mode
It is important to periodically perform maintenance tasks such as synchronizing the Intel
AMT clock, synchronizing network settings, reissuing certificates, among others. Intel
SCS does not automatically maintain these configuration settings.
For information about maintaining your configuration, refer to the Intel SCS 8 User Guide, Chapter 1 Introduction, section titled Maintenance Policies for Intel AMT.
The section About Maintenance Tasks highlights common settings or attributes of the
Intel AMT configuration that must be maintained to ensure operations are not disrupted.
As stated in Section 6.1 Infrastructure Considerations in this guide (as well as in the
Appendix sections), if certain Intel AMT configuration settings are not maintained
communications will be disrupted.
A common configuration maintenance operation is required for system name changes.
When the operating system name is changed, the new name is updated within the
Microsoft Active Directory and DNS infrastructure. However, the new name is not set
into the Intel AMT firmware.
The following example demonstrates the situation:
1. The network infrastructure resolved to the new name, HP8460p in this example.
The FQDN of the client is HP8460p.vprodemo.com.
2. The Intel AMT firmware has a hostname of CHANGEME, with an FQDN of CHANGEME.vprodemo.com. If the system were powered off, the firmware would renew the DHCP lease itself using its own hostname, and the DHCP and DNS records would change to the Intel AMT firmware hostname.
3. The IP address of the Intel AMT firmware is currently 192.168.0.104.
4. The same IP address is recognized on the network. Using nslookup, the IP address
resolves to the new name. If the nslookup command were repeated using the Intel
AMT Firmware name, no record and resolution would appear.
Figure 46: Name Alignment
Although newer versions of Intel AMT support settings for shared FQDN and Dynamic
DNS, the above scenario can be further complicated with Active Directory integration,
TLS setting in the firmware, and so forth. The Intel AMT firmware system name does
not align to the expected infrastructure.
Running the following command on the client, with the target configuration profile, RCS address, Intel AMT admin password, and RCS authentication credentials, performs the necessary maintenance operations on the Intel AMT firmware:
ACUconfig.exe MaintainViaRCSonly 192.168.0.15 ACMprofile AutoMaintain /Adminpassword P@ssw0rd /WMIuser vprodemo\amtconfigservice /WMIuserpassword P@ssw0rd
Four common deployment scenarios are shown in the subsections below. The fifth subsection provides additional insights on local permissions required for ACUconfig and when accessing RCS. The scenarios are provided as a reference point. A basic hands-on understanding of the materials within this deployment guide will assist you in understanding the prerequisites and approaches with each scenario.
For each scenario subsection, a brief description is provided, review of support methods
for Intel AMT configuration, and common configuration options. Using Intel RCS in
Database Mode is recommended if a particular scenario requires remote configuration via
PKI, TLS, Active Directory Integration, or regular maintenance of configuration settings.
More information on the different installation types of Intel RCS is available in the Intel
SCS User Guide section titled Selecting the Type of Installation.
Each deployment scenario includes common components as shown in the following
diagram. Below the diagram is a brief summary of required and optional component
characteristics.
Figure 47: Required and Optional Component Characteristics (diagram: Intel RCS with Microsoft SQL; Intel AMT Computers; Infrastructure Components: AD, DNS, DHCP, CA)
Infrastructure Components
Active Directory (AD): Required only if Active Directory integration will be used in the Intel AMT configuration.
Domain Name Server (DNS): Recommended for correct IP resolution in the environment.
Dynamic Host Configuration Protocol (DHCP) server: Required if DHCP IP addresses will be assigned to clients.
Start with IPv4 addresses. Synchronization with DNS is recommended. Required for Remote Configuration using PKI.
Microsoft Certificate Authority (CA) Server: Required if TLS will be used in the Intel AMT configuration.
Intel RCS
Required for Remote Configuration, Configuration
Maintenance, and Delta Configuration operations.
If only Host-Based or Manual\SMB configuration will be
used, only the Intel SCS Console is required.
Microsoft SQL database is optional for small environments or
simple demonstration environments. For large deployments
with infrastructure dependent configuration options,
installation of Intel RCS with an associated database is
recommended. Refer to the types of installation in the Intel
SCS User Guide.
Intel AMT Computers
Client systems must support Intel AMT. Refer to Section 3 of this guide, Intel AMT Discovery.
For each deployment scenario, consider the requirements of the management applications and scripts to be used with Intel AMT. The configuration methods and options you can use depend on what the management applications support.
Enterprise Wired environments will provide the best experience in using Intel AMT.
The most common deployment scenario (and a recommended setup for initial
testing) is an internal wired environment. As highlighted in section 6.1 of this guide,
Intel AMT communications are TCP\IP based enabling them to be routed throughout
the wired environment.
Figure 48: Enterprise Wired Environment (diagram: Intel RCS with Microsoft SQL; Intel AMT Computers; Infrastructure Components: AD, DNS, DHCP, CA)
All configuration methods and configuration options are supported in an Enterprise Wired Deployment. If a valid remote configuration certificate cannot be obtained for the environment, use a two-step process. First configure Intel AMT using either Host-Based Configuration or SMB/Manual configuration. If further configuration is needed, use a Delta Configuration with a designated Intel AMT admin password in the ACUconfig.exe command. More information is available in the Intel SCS User Guide under Configuring Systems with RCS.
If Remote Configuration using PKI will be used, an internal wired enterprise
environment is required. The initial configuration can include settings for wireless
and remote access. Once the initial configuration has occurred and settings have
been applied into Intel AMT, communications via wireless or remote access are
possible.
If 802.11 wireless is common within the enterprise environments and with embedded
solutions, configuration and usage of Intel AMT over wireless is a deployment
option. A fundamental understanding of Intel AMT in a wired environment is
recommended before pursuing wireless deployment.
Figure 49: Enterprise Wireless Environment
Intel AMT over wireless is primarily available in laptop platforms. In the currently
available platforms, communications directly to Intel AMT in a wireless
environment occur only when the host operating system is unavailable. If the host
operating system is communicating with the network, Intel AMT communications
first pass through the host operating system and are redirected into the firmware.
This is a key difference from a wired enterprise environment where communications
to Intel AMT are direct regardless of the host operating system state. In an
enterprise wireless environment, communications to Intel AMT may be temporarily
interrupted when transitioning from operating system to Intel AMT network interfaces.
If initial configuration of Intel AMT must occur over enterprise wireless, only
Host-Based Configuration is supported. All configuration options are supported and Intel
AMT will be in Client Control Mode.
If configuration of Intel AMT occurs first in an enterprise wired environment,
wireless settings can be applied in the initial or delta configuration.
Intel AMT over wireless requires WPA or WPA2 to secure the communications.
Enterprise wireless environments commonly use 802.1x or Endpoint Access Control
(EAC) to authenticate the client device and user for the enterprise network.
Configuration of 802.1x and EAC into the Intel AMT firmware is supported. More
information is available in the Intel SCS User Guide.
Properly configured Intel AMT clients with supporting infrastructure are able to
communicate into the enterprise environment. The connection originates at the Intel
AMT client. Once the connection is established, applications within the enterprise
environment are able to communicate via Intel AMT to the external devices.
Figure 50: Clients Outside the Enterprise
Communicating with Intel AMT outside the enterprise is an advanced configuration
beyond the scope of this guide. In the above architecture, the Manageability
Presence Server (MPS) is an additional component and requirement.
If initial configuration of Intel AMT must occur outside the enterprise, only
Host-Based Configuration is supported. All configuration options are supported and Intel
AMT will be in Client Control Mode.
If configuration of Intel AMT occurs first in an enterprise wired environment, all
configuration options are supported. Both Home Domains and Remote Access must
be configured, with more information available in the Intel SCS User Guide.
Communication to Intel AMT can occur across a Virtual Private Network (VPN) if
the configuration option is enabled in the Home Domains profile option.
For environments where multiple remote offices are managed from a central
location, Intel AMT communications generally occur locally within the remote office
via a local management appliance or application. This deployment model applies to
embedded solution architectures, managed service providers, outsource management
solutions, and related environments.
Figure 51: Service Provider Deployment
A foundational understanding of Intel AMT configuration within an enterprise wired
or wireless deployment is recommended.
Configuration of Intel AMT may occur locally at the customer or remote office.
SMB/Manual configuration is a common approach for small office environments.
Host-based configuration for compatible Intel AMT platforms in the remote office
via the local management appliance is a favorable approach if the appropriate
prerequisites are met. See section 4.3 of this guide.
If remote configuration is used, the Intel RCS server must be able to communicate to
the target client system similar to an enterprise wired environment meeting the
requirements of that configuration approach. An Intel RCS instance can reside
within the remote office environment to handle configuration requests within a
specific location.
Additional understanding of the local and network permissions required to run
ACUconfig.exe, especially when interacting with the Intel RCS across the network, will
help in defining your own deployment model. By understanding the required
permissions, an IT administrator is better able to understand the minimal security
requirements. Before proceeding, it is recommended that you review the Intel SCS User
Guide section User Permissions Required to Access the RCS.
When ACUconfig.exe executes, it runs in the context of the local user account and must
interact with a Windows kernel driver, HECI.sys.
Figure 52: Required Permissions (diagram: ACUconfig, Heci.sys, RCSserver; WMI permissions to the Intel_RCS namespace: Execute Methods, Full Write, Remote Enable)
Earlier in this guide, a requirement to Run as Administrator was stated when opening a
command prompt before using ACUconfig.exe. This is a command prompt with elevated
privileges, a requirement applicable to Microsoft Windows Vista or higher versions of
the operating system. Similarly, if using a Windows Scheduled Task, it must be run with
Highest Privileges. This requirement is true even when logged in as a local administrator
due to the Microsoft Windows security architecture when interacting with a kernel level
driver.
Figure 53: Using Elevated Privileges for ACUconfig.exe
In addition to accessing the local HECI.sys driver file, if ACUconfig.exe must interact
with an Intel RCS instance over the network, then WMI namespace and Distributed
Component Services (DCOM) access must be allowed. Refer to the Intel SCS User
Guide sections titled Defining DCOM Permissions and Defining WMI Permissions.
The sample AMTconfigService domain user account defined earlier in this guide was
granted Local Administrator rights. If Local Administrator rights cannot be granted to this
service account, it must be granted access to the Intel_RCS WMI Namespace as shown
below. As stated in the Intel SCS User Guide, users allowed to access this Namespace are
able to perform operations on Intel AMT systems.
Note: If running Intel RCS on a system protected by a firewall, review the
Intel SCS User Guide section Connecting to an RCS behind a Firewall.
Shown below, the AMTconfigService account has been granted Execute Methods, Full
Write, and Remote Enable access to the Intel_RCS namespace.
Figure 54: AMTconfigService Account
For DCOM access, the AMTConfigService account can be added to the local Distributed
COM Users group as shown below.
Figure 55: Add Account to local DCOM group
By granting this access, the following two command prompt examples have the same
level of permissions locally and to the RCS. The key differences between the command
prompts include:
• The first example is logged in as system1\demouser, a local system administrator. ACUconfig.exe will run in the context of this user.
• The first example requires the AMTconfigService domain credentials to be included in the ACUconfig.exe command. This exposes the domain user password when executing the command.
• The second example shows the command prompt running as the AMTconfigService domain user. A similar approach is accomplished via Windows Scheduled Tasks or software delivery solutions which allow a specific domain user account to be defined. This example requires the Domain Account to be a local system administrator.
• The second example shows the ACUconfig.exe command does not require the /WMIuser parameter to be defined. ACUconfig.exe will run under the context of AMTconfigService, the logged on user.
Figure 56: Command Prompts
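The Scheduled Task route described above can be scripted so that the elevated-privilege requirement is met and no domain password appears on the ACUconfig.exe command line. The following PowerShell is an added example and is not code from the Intel SCS guide or from Intel; it registers the task to run as Local System with Highest Privileges (the Local System approach is the one this guide describes for callers authorized through the Domain Computers group). It assumes Windows PowerShell 5.1 run from an elevated prompt on the client; the task name, the ACUconfig.exe path and the arguments are placeholders for your deployment's own values.

```powershell
# Added example; not part of the Intel SCS guide. Creates a Windows Scheduled Task
# that runs ACUconfig.exe with Highest Privileges (required because ACUconfig.exe
# talks to the HECI.sys kernel driver) under Local System, so no domain user
# password has to be placed on the command line. Local System must then be
# authorized on RCS through the Domain Computers grants the guide describes.
# Assumptions: Windows PowerShell 5.1 run elevated on the client; the task name,
# ACUconfig.exe path and arguments below are placeholders.

function New-AcuConfigSystemTask {
    param(
        [Parameter(Mandatory)][string]$Arguments,                 # ACUconfig.exe arguments, without /WMIuser
        [string]$TaskName      = 'Intel SCS - ACUconfig',         # placeholder task name
        [string]$AcuConfigPath = 'C:\IntelSCS\ACUconfig.exe',     # placeholder path
        [datetime]$StartAt     = (Get-Date).AddMinutes(5)
    )
    # The task identity supplies the RCS credentials; refuse embedded ones so a
    # domain password never lands in the task definition or the process command line.
    if ($Arguments -match '(?i)/WMIuser') {
        throw 'Remove /WMIuser from the arguments; the task runs as Local System.'
    }
    if (-not (Test-Path -LiteralPath $AcuConfigPath)) {
        throw "ACUconfig.exe not found at $AcuConfigPath"
    }
    $action    = New-ScheduledTaskAction -Execute $AcuConfigPath -Argument $Arguments `
                     -WorkingDirectory (Split-Path -Parent $AcuConfigPath)
    $trigger   = New-ScheduledTaskTrigger -Once -At $StartAt
    # RunLevel Highest is the "Run with highest privileges" option; the ServiceAccount
    # logon type with NT AUTHORITY\SYSTEM stores no password in the task.
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                     -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1)
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
                           -Principal $principal -Settings $settings -Force
}

# Confirms the registered task has the identity and privilege level ACUconfig.exe needs.
function Test-AcuConfigTask {
    param([string]$TaskName = 'Intel SCS - ACUconfig')
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction Stop
    [pscustomobject]@{
        TaskName = $task.TaskName
        RunsAs   = $task.Principal.UserId
        RunLevel = $task.Principal.RunLevel
        Ok       = ($task.Principal.RunLevel -eq 'Highest' -and
                    $task.Principal.UserId -match 'SYSTEM$')
    }
}

# Usage (the argument string is a placeholder for your deployment's ACUconfig.exe command line):
New-AcuConfigSystemTask -Arguments '<your ACUconfig.exe arguments>' | Out-Null
Test-AcuConfigTask
```

Because the task runs as Local System, the account that reaches RCS is the client's computer account, so the Intel_RCS namespace and Distributed COM Users grants for Domain Computers described later in this section must already be in place on the RCS server.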
When either of the above commands is executed on the client, the Windows Security
Event Log on the server where the RCSServer Windows service is running will show a
Special Logon event. In the example below, the vProDemo\AMTconfigService domain
user account performed a Special Logon as part of the ACUconfig.exe command, because
it was the logged on or specified user account.
Figure 57: Event Properties
The Local System account can also be used when running ACUconfig.exe and granted
appropriate permissions to the RCS. This approach may be preferred instead of using a
Domain User as a service account for all ACUconfig.exe operations requiring
communications to RCS. If ACUconfig.exe will be executed on multiple domain
computers, add the Domain Computers Group to the Intel_RCS WMI Namespace as
shown below.
Figure 58: WMI Namespace
In addition, the Domain Computers must be added to the local Distributed COM User
group where RCSserver is installed.
Figure 59: DCOM User Properties
The following command prompt shows the logged on user is the Local System account,
designated as NT Authority\System. The ACUconfig.exe command will run in that
context.
Figure 60: ACUconfig Command
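The permission grants described in this section (Execute Methods, Full Write and Remote Enable on the Intel_RCS WMI namespace, plus membership of the local Distributed COM Users group) for either a service account such as AMTconfigService or the Domain Computers group can be audited on the RCS server rather than inspected screen by screen. The following PowerShell is an added example, not code from the Intel SCS guide or from Intel. It assumes Windows PowerShell 5.1 run elevated on the host where RCSServer is installed and that the RCS namespace path is root\Intel_RCS; the trustee and account names are placeholders. It also pulls the Special Logon (event ID 4672) entries the guide mentions, so that the identity that actually reached RCS can be confirmed from the Security log.

```powershell
# Added example; not part of the Intel SCS guide. Audits, on the RCS host, the
# permissions the guide requires for accounts that run ACUconfig.exe against RCS:
# WMI rights on the Intel_RCS namespace and membership of Distributed COM Users,
# then lists Special Logon (4672) events for a given account.
# Assumptions: Windows PowerShell 5.1 run elevated on the RCSServer host; the
# namespace path is root\Intel_RCS; trustee and account names are placeholders.

# WMI namespace access-mask bits (values from the WMI SDK)
$WBEM_METHOD_EXECUTE = 0x02   # Execute Methods
$WBEM_FULL_WRITE_REP = 0x04   # Full Write
$WBEM_REMOTE_ACCESS  = 0x20   # Remote Enable
$RequiredMask = $WBEM_METHOD_EXECUTE -bor $WBEM_FULL_WRITE_REP -bor $WBEM_REMOTE_ACCESS

# Reads the DACL of the namespace and reports, per ACE, whether it grants the
# three rights the guide calls for.
function Get-NamespaceRights {
    param([string]$Namespace = 'root\Intel_RCS')
    $r = Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' -Name GetSecurityDescriptor
    if ($r.ReturnValue -ne 0) { throw "GetSecurityDescriptor on $Namespace returned $($r.ReturnValue)" }
    foreach ($ace in $r.Descriptor.DACL) {
        [pscustomobject]@{
            Trustee     = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            Allow       = ($ace.AceType -eq 0)       # 0 = access allowed, 1 = access denied
            AccessMask  = $ace.AccessMask
            HasRequired = (($ace.AccessMask -band $RequiredMask) -eq $RequiredMask)
        }
    }
}

# Checks one trustee (a user such as DOMAIN\AMTconfigService, or the group
# DOMAIN\Domain Computers) for both the WMI grant and the DCOM group membership.
function Test-RcsCallerPermissions {
    param(
        [Parameter(Mandatory)][string]$Trustee,
        [string]$Namespace = 'root\Intel_RCS'
    )
    $aces    = @(Get-NamespaceRights -Namespace $Namespace | Where-Object { $_.Trustee -ieq $Trustee })
    $allowed = @($aces | Where-Object { $_.Allow -and $_.HasRequired }).Count -gt 0
    $denied  = @($aces | Where-Object { -not $_.Allow }).Count -gt 0
    $dcomOk  = @(Get-LocalGroupMember -Group 'Distributed COM Users' |
                 Where-Object { $_.Name -ieq $Trustee }).Count -gt 0
    [pscustomobject]@{
        Trustee     = $Trustee
        WmiRightsOk = ($allowed -and -not $denied)
        DcomGroupOk = $dcomOk
        Ready       = ($allowed -and -not $denied -and $dcomOk)
    }
}

# Special Logon (4672) events name the account ACUconfig.exe authenticated as on
# this server; Properties[1] is the subject user name, Properties[2] its domain.
function Get-RcsSpecialLogons {
    param([Parameter(Mandatory)][string]$Account, [int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = (Get-Date).AddHours(-$Hours) } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[1].Value -ieq $Account } |
        Select-Object TimeCreated,
                      @{ n = 'User'; e = { '{0}\{1}' -f $_.Properties[2].Value, $_.Properties[1].Value } }
}

# Usage (placeholder names from the guide's examples)
'VPRODEMO\AMTconfigService', 'VPRODEMO\Domain Computers' |
    ForEach-Object { Test-RcsCallerPermissions -Trustee $_ }
Get-RcsSpecialLogons -Account 'AMTconfigService'
```

A trustee reported with WmiRightsOk false but present in the DACL is usually missing Remote Enable, which is the right that is needed only when ACUconfig.exe reaches RCS over the network and is the one most often left unchecked in the WMI Control dialog.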
Once Intel AMT is configured, it is a service on the network awaiting an authenticated
and authorized request. By default, DHCP IPv4 and FQDN settings of Intel AMT will be
the same as the host operating system. The settings may vary in situations where the
DNS lookup of a machine is different from the actual machine name, or how that
machine is identified within Microsoft Active Directory.
The value of the Intel AMT FQDN will be a dependency for Microsoft Active Directory integration, TLS certificate properties, and other settings within the firmware. If the
assigned firmware FQDN value cannot be resolved on the network, Intel AMT
communications will fail. If the assigned Intel AMT FQDN value must be updated due
to a system name change, a Configuration Maintenance routine as described in section 7
is recommended to avoid communication failures. More information on the settings is
available via the Intel SCS User Guide sections Defining IP and FQDN Settings and
Disjointed Namespaces.
The IP address and FQDN settings can be customized as shown in the following screen.
Figure 61: Intel AMT FQDN
Once the desired value is determined, it can be set in the base or delta configuration
profiles. To apply the change, refer to the example sequence in section 6.2.1 Defining
and Applying a Delta Configuration. A simple way to confirm that the Intel AMT
FQDN source value is correct is to connect via the Intel AMT WebUI when the system is
powered on or off.
Connections to Intel AMT must be authenticated and authorized before the desired action
can be performed. Within the Intel AMT firmware is an Access Control List (ACL) used
to determine who is authorized. The default user, Intel AMT admin, has full access and
permissions. More information is available in the Intel SCS User Guide under the
Defining the Access Control List (ACL) section.
The Intel AMT ACL allows an administrator to define appropriate levels of authorization
into the firmware. As mentioned in the Intel SCS User Guide, up to 7 Digest users and
32 Active Directory users/groups can be defined. Some applications and scripts will
expect full authorization and rely primarily on the Intel AMT admin account which is
granted PT Administration Realm access by default. A complete listing of the Intel AMT
Realms and their purposes is provided in the Intel SCS User Guide.
Before restricting access, use the Intel AMT admin account to validate desired Intel AMT
functions within the target environment. The majority of enterprise applications
interacting with Intel AMT often use the Intel AMT admin account as a service account
across the environment. If the Intel AMT admin password is randomized or a digest
master password is used, ensure the desired enterprise applications are able to securely
determine the correct password per system.
Environments with multiple applications, scripts and users interacting directly with Intel
AMT may desire a diminishing level of access. The following example highlights three
accounts and user types for an example environment.
Figure 62: Access Control List Settings
In addition to the three Digest User accounts shown, the Intel AMT admin account is
available on the platform. The Intel AMT admin account cannot be disabled, but the
password can be randomized and maintained per system.
Refer to the Intel SCS User Guide to define desired Intel AMT ACLs for a target
environment. Once the desired profile has been created, use the steps similar to section
6.2.1 of this document to apply the changes.
Using the example users above, once the Intel AMT ACLs have been applied, a simple test via the Intel AMT WebUI will show whether features and actions have been
authorized or not. The following example (which assumes the Asset user is logged on)
shows certain features are locked out as defined by the Intel AMT ACL.
Figure 63: Features Locked by Intel AMT ACL
Active Directory integration is recommended for environments desiring pass through
authentication of a domain user interacting with Intel AMT. The authentication will
occur via Kerberos.
Active Directory integration is required for environments desiring 802.1x, EAC, and
other advanced features that are beyond the scope of this deployment guide.
Once Intel AMT is configured, it is a service on the network. Integration with Microsoft
Active Directory creates a User object for the computer with a User Principal Name (UPN) that matches the hostname of the device. Properties of the object include a
Service Principal Name (SPN). Both the Domain Computer object and the SPN must
exist within the Microsoft Active Directory Forest. More information is available in the
Intel SCS User Guide section titled Defining Active Directory Integration. In addition,
a basic overview of Kerberos authentication within Microsoft Active Directory is
available at http://technet.microsoft.com/en-us/library/cc772815(WS.10).aspx
Authentication of Domain user accounts to the Intel AMT device, or allowing the device
to negotiate an 802.1x handshake to be accessible on the network, are two main reasons
for Microsoft Active Directory Integration. Most applications and scripts that are Intel
AMT capable support Kerberos authentication. The following simplified diagram shows a Kerberos handshake used to authenticate to
Intel AMT. First a token request for the target system, which is a service on the network,
is sent to the Microsoft Active Directory domain controller. The request is for the
hostname$iME, and the Service Principal Name (SPN) in Active Directory will have a
value similar to HTTP/vprosystem.domain:16992. The user account for the request is
authenticated by Microsoft Active Directory to access the target service. The approved
request is then sent from the requesting application to the target Intel AMT client.
Figure 64: Kerberos Handshake
Active Directory integration requires the client to be joined to the domain with an
associated Computer object. When an Intel AMT Active Directory integration configuration event occurs, a service account is created for the system. The service
account will have the same system hostname as the Computer object. To help organize
and separate the two objects, a separate Active Directory Organization Unit (OU) should
be created. If the hostname of the client is changed, the UPN and SPN associated to the
service object for Intel AMT authentication must be updated.
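Two failure modes described in this guide stem from names drifting apart: an Intel AMT FQDN that no longer resolves (communication fails, as noted in the IP and FQDN discussion above) and a renamed client whose Intel AMT service object still carries the old UPN and SPN. The following PowerShell is an added example, not code from the Intel SCS guide or from Intel, that checks both for a single client from a domain-joined administration host. It assumes the RSAT ActiveDirectory module, that the service object's sAMAccountName is hostname$iME as the guide shows, that the SPN has the form HTTP/fqdn:16992, and that the UPN begins with that same hostname$iME value; the OU and domain in the default search base are placeholders.

```powershell
# Added example; not part of the Intel SCS guide. Checks, for one Intel AMT client,
# that the name-dependent pieces the guide describes line up: the Computer object
# exists, its FQDN resolves in DNS (otherwise Intel AMT communication fails), and
# the Intel AMT service object carries an SPN and UPN for the current hostname
# (both become stale when the client is renamed).
# Assumptions: RSAT ActiveDirectory module; the service object's sAMAccountName is
# <hostname>$iME as shown in the guide; the SPN form is HTTP/<fqdn>:16992; the UPN
# starts with <hostname>$iME; the OU and domain in the search base are placeholders.
Import-Module ActiveDirectory

function Test-AmtAdIntegration {
    param(
        [Parameter(Mandatory)][string]$HostName,                   # short hostname of the client
        [string]$SearchBase = 'OU=AMT_OU,DC=vprodemo,DC=local',    # placeholder DN
        [int]$Port = 16992
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. The client must be domain joined: look up its Computer object and DNS name
    $computer = Get-ADComputer -LDAPFilter "(name=$HostName)" -Properties dNSHostName
    if (-not $computer) {
        $findings.Add("No Computer object named $HostName")
        return $findings
    }
    $fqdn = $computer.dNSHostName

    # 2. The FQDN Intel AMT will be addressed by must resolve on the network
    try { $null = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop }
    catch { $findings.Add("FQDN $fqdn does not resolve in DNS") }

    # 3. The Intel AMT service object (<hostname>$iME) must exist in the designated OU
    $sam = "$HostName`$iME"
    $amt = Get-ADUser -LDAPFilter "(sAMAccountName=$sam)" -SearchBase $SearchBase `
                      -Properties servicePrincipalName, userPrincipalName
    if (-not $amt) {
        $findings.Add("No Intel AMT service object $sam under $SearchBase")
        return $findings
    }

    # 4. The SPN a Kerberos client requests must match the FQDN in use
    $expectedSpn = "HTTP/${fqdn}:$Port"
    if (@($amt.servicePrincipalName) -notcontains $expectedSpn) {
        $findings.Add("Expected SPN $expectedSpn not found; registered: $($amt.servicePrincipalName -join ', ')")
    }

    # 5. The UPN should still name the current host (stale after a rename)
    if ($amt.userPrincipalName -notlike "$HostName`$iME@*") {
        $findings.Add("UPN '$($amt.userPrincipalName)' does not match hostname $HostName")
    }
    return $findings
}

# Usage: no output means every check passed (the hostname is a placeholder)
Test-AmtAdIntegration -HostName 'vprosystem'
```

Run this after a hostname change and before a Configuration Maintenance run: a stale SPN means Kerberos ticket requests for HTTP/newname:16992 will fail even though the firmware itself is reachable.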
In the example below, the AMT_OU has been created. The Log On account of the
RCSserver must have access to Create and Delete objects within the target OU.
1. Right click on the created AMT_OU and select Delegate Control.
Figure 65: Delegate Control
2. Using the example account in this guide, namely AMTconfigService, add the
designated Log On account in the Delegate Control prompts. When prompted for
Task to Delegate, select Create a custom task to delegate.
Figure 66: Tasks to Delegate
3. Delegate control of the folder, existing objects, and creation of new objects.
Figure 67: AD Object Type
4. Grant Full Control to the target Active Directory OU. The designated account is
now able to create, delete, and maintain the Intel AMT system accounts.
Figure 68: Permissions
Note: If Intel SCS was not installed in database mode, the target Active
Directory OU must be specified on the command line when maintaining
or unconfiguring Intel AMT.
When creating the configuration profile, select the Active Directory Integration and
Access Control List (ACL) options.
Figure 69: Optional Settings
Select the target Active Directory OU where objects for Intel AMT will be stored.
Figure 70: Select the AD OU for Intel AMT
At the Access Control List prompt, add at least one Domain Group or User with Intel
AMT Realm access. In the following example, the Domain Admins group will be
granted PT Admin realm access.
Figure 71: User/Group Details
Once the desired profile has been created, use steps similar to section 6.2.1 above to
apply the changes.
After the configuration event, a new object will appear in the designated Active Directory
OU. The properties of the object will show the hostname$iME value.
Figure 72: Active Directory OU
If the current logged in user is a member of the group specified in the Intel AMT ACL
then pass through authentication will occur.
If not, the login prompt will show the FQDN. Enter valid domain user credentials similar
to the example below.
Figure 73: Enter Valid Credentials
Note: After the