Weird. It's there in the zip but not on my hard drive. I guess that directory magically wasn't extracted by the Window zip open file thing. ugh.

I guess one alternative to provisioning over the internet would be to have the computer provision itself. Is that possible?

I'm not sure what you mean about having the system provision itself.. You have to use some tool to provision it, either via writing your own Setup and Config Server, using the DTK "Director", using the SCS Lite (6.0) for basic Enterprise, no TLS, or you can use the full SCS 5.1 or 6.0 - all these tools are available on our Manageability community. The SCS Lite is very easy to use - I would suggest downloading them and reading through the documents and then see which one fits your needs the best. The SCS Lite tool uses the Activator too during the provisioning process and it has it's own utility for creating the setup.bin file for the USB key. You can also use the Activator GUI to provision your system locally. Again, there are quite a few different ways to provision a system so I would suggest downloading these tools and reading through their documentation so that you can get a feel for how they are different.

How many systems are you needing to provision? Are you requiring them to be in Enterprise Mode? (with or without TLS?) I need to test this, but I don't think you need to have a domain controller in order to provision.

I would like to provision thousands of computers in remote locations around the world which are not on my LAN. I cannot use Small Business Mode because I need the communications be safe (TLS). This should all preferably fit into an automatic service which doesn't require administration interaction to provision things. I'll try reading through more of the DTK stuff I guess.

By "provision itself" I mean running the SCA server on the box that is being provisioned so it can provision itself.

Using the Activator to provision locally sounds promising, i'll look into that, thanks.

While for local provisioning I would technically have to touch every system, I can use a local agent to touch them as long as I don't have to do something complicated like rebooting and editing the BIOS.

Using a certificate for Enterprise sounds great, I just got scared at the documentation which suggested it was only possible over a LAN. In particular in the SCA guid section 4.1.1: Initial Conditions, condition 4 is makes it sound like the SCA and AMT device must be on the same LAN.

Hi mugwump,

How exactly are you planning on talking to each system once it's configured if they aren't on your network?

Regards,
Roger

Ohhhhh yeah.. You are correct about having to be connected on the same lan. darnit! And I'm pretty sure that using the Activator locally is an SMB mode only deal.

Hopefully using CIRA

Then I would say that you've got problems. The usage model for AMT is that the system gets configured on your enterprise LAN, and then (post-configuration) it can communicate with the management system through CIRA. There really isn't a way to get your systems configured without getting access to the network where each system resides. The ME needs hardware access to the configuration server in order for the process to complete, not just a tunneled connection in the OS. If you could get access to a system on each of the resident networks, you could run the SCA, and configure the systems, and shutdown the SCA on that network. The communication would be secure, and once the systems were configured, they could use CIRA to communicate back to a central management console. Mostly, you would need to pay very close attention to the certificates that were used in the process of configuring the systems.

Hello,

I'm a bit confused of how I can setup remotely Intel AMT machines that are in factory setup mode.
In 3.7.3 (page 33) section of security configuration guide document states that it needs a host named "ProvisionServer", so an un-configured machine will query for this host through the LAN ?

Moreover I tried to catch up reading the docs of IntelAMTSCS but I cannot clearly find some info on how to setup remotely an Intel AMT machine without USB or manually configure the settings.

As I understood there are many that a machine can be configured remotely over LAN ?


Thanks.

If you haven't changed the name of the server in MEBx, or specified the IP address of your configuration server, then yes, the system will look for a configuration server named "provisionserver". So, you do need to give your configuration server that name.

If you have a remote configuration certificate, then you can tell the system in a remote call that you want it to start the remote configuration process. If you haven't purchased a cert from one of the default providers, then you will need to touch each system and apply the hash for your own root cert server to each system. Or, if your OEM offered pre-provisioning of AMT, and you bought it, then you just need to setup the configuration server on the network with the name of "provisionserver" and the systems will get configured.

Thanks for your reply.

Do you know which tools I can use for provisioning?
An sdk sample maybe?

The DTK has provisioning tools: http://software.intel.com/en-us/articles/download-the-latest-version-of-manageability-developer-tool-kit/

More provisioning info: http://software.intel.com/en-us/blogs/2007/06/13/Intel-SCS-SCA-AMT-Director-Youve-Been-Provisioned/

Yup, the DTK is one possible source for a provisioning mechanism (as always with the DTK, it's intended as a development tool as opposed to a production ready deployment)

Other possibilities are the Configuration code that is part of the SDK (in the /WindowsIntel_Manageability_ConfigurationConfigurationConfigurationServer directory), if you're interested in creating your own provision server. If you're not interested in creating your own provision server, the SCS that is available is a robust implementation built using the Configuration server example.