Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.

Beginning with AMT enterprise mode.

raul_sanchez
Beginner
1,512 Views

Hi, I'm beginning with enterprise mode

Can somebody explain to me the steps to start? I've read the Development Guide but I don't understand how it works.

Thanks.

0 Kudos
20 Replies
Gael_H_Intel
Moderator
1,485 Views

Hi Raul,

What are you starting to do? Are you wanting to provision a system in enterprise mode? I would suggest downloading the AMT DTK and playing with the AMT Director - you can provision with or without TLS, and the Director doesn't use IIS, AD, SQL as the Intel SCS does. Once you are comfortable with the AMT Director, then move on to trying out the Intel SCS. Or are you wanting to write your own Set up and Config Server using the Setup and Configuration Sample from the SDK?

You will also find videos at the link for the AMT DTK. In fact Ylian (the AMT DTK owner) has a lot of videos on just about everything "Intel AMT" that you might want to watch.

I hope this helps.

0 Kudos
Ylian_S_Intel
Employee
1,485 Views

Here is a guide I wrote for someone else, I hope this is useful.

Performing One-Touch Configuration

  • In order to perform this scenario a network with DNS and DHCP is recommended. Any generally available home router will work but a real DNS server works best.
  • Open up Intel AMT Director and go under Security Profiles on the left pane and click Add Security Profile and give it a name (for example: "BasicProfile").
  • Set Intel AMT Features by clicking the button on the right side and check all features.
  • Optionally, this profile can be adjusted as needed to add user accounts, TLS security and more.
  • Select the "One-Touch Configuration" node in the tree view and press the "Generate Key..." button.
  • Select the key strength using the slider bar. On a private network, move it completely to "weak".
  • Set the Administrative Password to a secure password (such as P@ssw0rd). This password must be the MEBx password of the Intel AMT computer.
  • Select the "BasicProfile" as the security profile used when using this key and hit OK.
  • On the left pane, click Remote Configuration to look at the configuration log.
  • Now, Intel AMT Director is ready to configure Intel AMT computers.
  • Reboot the Intel AMT computer and enter the Intel AMT configuration screen using CTRL-P.
  • If already set up, perform a "Full Un-provision" of Intel AMT.
  • Once done, make sure the computer is set up in Enterprise Mode.
  • Enter the IP address of the computer that is running Intel AMT Director as the provisioning server and 9971 as the provisioning server port.
  • Enter the PID and PSK of the key generated above.
  • Make sure IDE redirect and SOL are both enabled.
  • Save the setting and the computer will reboot.
  • In a minute or two, Intel AMT Director will receive a message from Intel AMT and start the configuration process.
  • The computer will appear in the list of known computers configured with the "BasicProfile" settings.

Hope this helps,
Ylian (Intel AMT Blog)
0 Kudos
raul_sanchez
Beginner
1,485 Views

Hi!!

I have done all these steps, but in AMT Director the AMT Client doesn't appear. I try to find it with Network Discovery and it finds the computer, but when I try to connect it doesn't work.

It never connects with the AMT Client.

I don't know what is happening!! :(

Thanks.

0 Kudos
Gael_H_Intel
Moderator
1,485 Views

Hi,

In order to be able to connect to an AMT client, it must have been provisioned, either in Small Business Mode or in Enterprise Mode. AMT commander/director won't be able to actually connect to it unless it detects that it has AMT Capabilities and AMT has been enabled (the system has been provisioned.) Until then, AMT Director/Commander will simply see a system out there that may or may not be of interest.

When you went through all the steps that Ylian sent, did you get the "Hello" packet? Did the screen that shows the PID/PPS keys display them as "used" or still as "pending"? If they are still showing up as "Pending," your system is not provisioned and therefore cannot be connected as an AMT Client.

Did you correctly set the listening port number in the AMT Configuration on the AMT client to 9971 (which is the default port that the AMT Director uses)?

Did you correctly set the provisioning Server to the IP address of the system you are running AMT Director from?

How did you set up your profile that AMT Director uses for its provisioning process?

Perhaps if you could send us some screen shots of how you are setting up the AMT Director, we might be able to be of more assistance.

0 Kudos
raul_sanchez
Beginner
1,485 Views
Hi,

We have PID/PPS keys pending, but we don't know why. We attach an image.

And in the AMT BIOS we have correctly configured the IP and port 9971.

We attach info.

Please, it is urgent.

Thanks in advance.

Best regards.
0 Kudos
raul_sanchez
Beginner
1,485 Views
Information attached.
0 Kudos
raul_sanchez
Beginner
1,485 Views
Information attached II.
0 Kudos
Sreelekshm_S_Intel
1,485 Views

Hi,

Could you make sure that you have changed the admin password? Do you have SCS loaded on this system? If so, it will hog port 9971 and the Director won't be able to use it. In that case, you can change the port the Director uses to something like 9981 and type that one into MEBx. Also, please confirm that you have added PID/PPS into the BIOS configuration screen as well.

Thanks,

Sree

0 Kudos
Gael_H_Intel
Moderator
1,485 Views

Please verify Sree's questions, and the Director's menus that you sent say that the admin password is unchanged - I always go in there and set it just to make sure it is using the right password.

If everything is entered correctly then you should get the "Hello" packet as soon as you reboot your AMT system - after you save your MEBx settings - you will allow your system to boot - I find that about when Windows starts to load, that is when the "hello" packet comes (unless some other process on your system is already using port 9971 - in that case the Hello packet will never be received by the AMT Director).

One more thing - (just for a test) if you quickly set up the AMT system in Small Business Mode, have you verified that you can access this system's WebUI from your Management console? (Make sure firewalls are not activated on either system.)

Basically, we are looking for anything that might be blocking packets on port 9971 from being received by your system that is running the AMT Director (if everything has been entered correctly.)

0 Kudos
raul_sanchez
Beginner
1,485 Views
Hi, I attach a new image of AMT Director with the password changed, but the result is the same...???????

I answer your questions:
- In SMB mode, we can access the web page without problems.
- We don't use SCS.
- We have put the correct PID/PPS in the BIOS.

0 Kudos
raul_sanchez
Beginner
1,485 Views
AMT DIRECTOR with the password changed.
0 Kudos
Gael_H_Intel
Moderator
1,486 Views

Well, your AMT Director side looks good. The only thing I might question is the strength of the PPS key. I have not tried it with all 0's. You could try setting it at the next higher security setting (all 0's except for the last four digits).

Have you tried doing a full unprovision on your AMT system and entering everything again (and with a new PID/PPS pair)?

Are there any errors that you are seeing on your AMT system? Can you tell us exactly what in the AMT MEBx you are setting and what the values are? And you are booting the system after entering the PID/PPS and the other provisioning fields, correct?

If this doesn't work, I would also change the port to 9981 on both the AMT Director and in the MEBx.

0 Kudos
raul_sanchez
Beginner
1,486 Views
We have tried with higher security, not all 0's, then unprovisioning and entering a new PID/PPS and rebooting the system, but the result is the same.
How can we change the port to 9981 in AMT Director?
0 Kudos
raul_sanchez
Beginner
1,486 Views
With the TCPView software, we see that we are listening on port 9971, but we don't get any answer.
0 Kudos
raul_sanchez
Beginner
1,486 Views
Port 9971.
0 Kudos
Gael_H_Intel
Moderator
1,486 Views

Hi Raul,

You can change the port on AMT Director by selecting "Configuration Server" which is on the left panel of the GUI - it is the first entry of the tree structure. When you select "Configuration Server" you will see "Server Port" in the "Provisioning Server" area in the main portion of the GUI - it is here where you select a different port. Once you change it there, get a new PID/PPS pair and start over on your provisioning on your AMT System. Make sure you enter the same port in the MEBx as you did in the AMT Director.

If this doesn't work, please respond with everything you are setting on your AMT System in the provisioning process.

We also need to understand how your network is set up - are you using DHCP? Static IP? If DHCP, is the AMT system getting registered in DNS? (You should be able to see the AMT Client in DNS during this process - if you don't, it will not be able to communicate with it.)

And just to make sure, you did go through all of Ylian's steps for the AMT Client, correct?

  • Reboot the Intel AMT computer and enter the Intel AMT configuration screen using CTRL-P.
  • If already set up, perform a "Full Un-provision" of Intel AMT.
  • Once done, make sure the computer is set up in Enterprise Mode.
  • Enter the IP address of the computer that is running Intel AMT Director as the provisioning server and 9971 (enter what you changed it to) as the provisioning server port.
  • Enter the PID and PSK of the key generated above.
  • Make sure IDE redirect and SOL are both enabled.
  • Save the settings and exit the BIOS - the computer will reboot.
  • In a minute or two, Intel AMT Director will receive a message from Intel AMT and start the configuration process.
  • The computer will appear in the list of known computers configured with the "BasicProfile" settings.

0 Kudos
raul_sanchez
Beginner
1,486 Views

Hi,

Everything about DNS and DHCP works perfectly, and I saw the Hello message in AMT Director, too, but only on one occasion with port 9981, and now I cannot reproduce it; I don't know why.

One other thing: can we access the web page, for example with IP:9971, like SMB with IP:16992?

Best regards.

0 Kudos
Gael_H_Intel
Moderator
1,486 Views

OK, if you could get the hello packet using port 9981, it looks like something on your system was already using port 9971 (did you or anyone else install the Intel SCS onto your provisioning system? If this is installed and the service is running, AMT Director will not be able to use port 9971).

Once provisioned with enterprise mode, you would connect via the web UI with the following: http://:16992, or if you are using TLS, you would use 16993 as the port. The 9971 or 9981 is just the listening port used for provisioning.

When you say you cannot reproduce getting the hello packet with 9981, are you trying other systems? Or are you trying to re-provision the same system? Remember, if you are using the same system you may need to disconnect from it from the AMT Commander (if you connected to it) or from the Web UI, and you would have to fully un-provision your AMT system and make sure you set the port to match what is in the AMT Director (and make sure it is 9981 still).

Also, remember that once you use a PID/PPS pair, you will need to generate a new one - once one has been marked as used, it cannot be used again.

0 Kudos
Gael_H_Intel
Moderator
1,486 Views

Hello Raul,

I am just updating the forum with your latest news that you did get your problem resolved (this was communicated outside the forum.) I wanted to let folks know that the problem was indeed due to having the SCS installed and that was why there was success with using port 9981.

0 Kudos
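
Added example, not part of the original thread or of the AMT DTK: a small Python check for the failure mode diagnosed above, where another service (here Intel SCS) already held port 9971 so the Hello never reached AMT Director. Run it on the provisioning host with AMT Director stopped; it assumes the Hello arrives as an inbound TCP connection, and all function names are hypothetical.

```python
import socket

PROVISIONING_PORTS = (9971, 9981)  # the two ports named in the thread

def port_is_free(port, host="0.0.0.0"):
    """True if this TCP port can be bound, False if another process holds it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))  # no SO_REUSEADDR: a conflict must fail
        except OSError:
            return False
    return True

def wait_for_connection(port, timeout=180.0, host="0.0.0.0"):
    """Listen once; return (peer_ip, bytes_received) or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind((host, port))
        srv.listen(1)
        srv.settimeout(timeout)
        try:
            conn, peer = srv.accept()
        except socket.timeout:
            return None  # nothing arrived: wrong IP/port in MEBx or a firewall
        with conn:
            conn.settimeout(2.0)
            try:
                data = conn.recv(4096)
            except OSError:  # peer sent nothing in time or reset the link
                data = b""
    return peer[0], len(data)

def diagnose(port, timeout=180.0):
    """Classify the port: 'in-use', 'no-connection' or 'connection-received'."""
    if not port_is_free(port):
        return "in-use"  # e.g. an installed SCS service, as in this thread
    if wait_for_connection(port, timeout) is None:
        return "no-connection"
    return "connection-received"

if __name__ == "__main__":
    for p in PROVISIONING_PORTS:
        print(p, "free" if port_is_free(p) else "held by another process")
```

An "in-use" result with AMT Director stopped points at a competing listener; "no-connection" after rebooting the AMT client points at the MEBx server address/port or a firewall instead.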
raul_sanchez
Beginner
1,326 Views

HI ALL,

YES NOW IT WORKS PERFECTLY WITH PORT 9971.

THANKS.

BEST REGARDS.

0 Kudos