I am in the process of starting a new SCCM SP2 deployment and I would like to add out-of-band management functionality to it. I have been reading up on the vPro technology and there are several questions that I would really appreciate it if someone could help with:
1) As I understand it, to provide zero-touch configuration of vPro you need 2 certificates: one for provisioning, which can be either a certificate generated by an internal CA (but then it is no longer zero-touch) or by a 3rd-party CA (VeriSign, GoDaddy, Comodo, Starfield). The other certificate is for the TLS communication with the AMT. So can someone confirm this is the case, and that for the 2nd certificate you need an internal PKI, or in our case we need Windows Certificate Services running to issue those certs?
2) For the 3rd-party CAs mentioned above, I have contacted each one and there are some areas that need clarification:
2.1) On the GoDaddy site they say you can use their standard SSL; however, I have seen several websites stating that you need to use the deluxe or premium cert. Can anyone verify whether the standard cert does or does not work with AMT v6.0?
2.2) The VeriSign web page that talks about vPro seems to say you need their 'Secure Site Pro' cert, which at $1000/year seems a little expensive compared to the $117 for Comodo, or GoDaddy at $50 or $100 depending on which works. If anyone can verify these prices and report which cert they use, it will help.
3) In configuring SCCM you have the choice of setting up a native mode configuration, which necessitates having a PKI within the network, which we don't have at the moment. So if I need a PKI to run vPro then I suppose it can also be used to run SCCM in native mode? Are there any alternatives for running vPro without a PKI?
4) If I need to set up a PKI using Windows 2008 R2 Certificate Services, it seems that the CS needs to issue version 2 type templates? Most of the websites I found skip over the steps of installing a PKI; I would appreciate it if someone could relate their setups or point me to a place with the steps and design of a PKI in a Windows network.
Thanks very much
1) Correct, there are two areas that certs come into play. The first, as you identified, is for the zero-touch provisioning model SCCM uses. This is also known as the remote configuration certificate. As for the other certificate requirement for SCCM, you are also correct. SCCM requires that each AMT device have its own cert that is used to encrypt the management traffic going to the AMT over the network. These certs would be issued directly from your own internal certificate authority; no 3rd-party certs required. This actual cert is assigned to AMT during the provisioning process by the SCCM server.
2) I have a coworker who's done a lot of work with the CA vendors. Let me ask him about it when I get in the office tomorrow and I will reply to this thread with more info.
3) You can use mixed or native mode within SCCM with vPro and AMT; it doesn't have any direct impact on SCCM's AMT support.
4) Yes, you will need to set up a PKI (CA) server. Since you will have to create and publish a cert template, you will need an Enterprise CA. The actual instructions from Microsoft have you make a copy of the standard Web Server template that comes with the CA for AMT to use. Take a look at this link for more specifics on what needs to be done to set up this template: http://technet.microsoft.com/en-us/library/dd252737.aspx#BKMK_AMTwebserver2008
On question 2...
2.1) You should be able to use the standard cert. Just make sure you follow the process on GoDaddy's website.
2.2) The Secure Site Pro certificate type is a little more backward compatible with previous vPro generations, as it's issued by their G1 CA. VeriSign offers other choices for certificates at lower prices, but these certs would require firmware updates for AMT in order to work.
Thanks so much Dan
I did some testing with SCCM but I got held up with the aspect of setting up a PKI and external certs.
I've got 2 production machines that I'm almost ready to start installation on; however, I'm trying to get the PKI infrastructure in place before.
Your information will be very helpful in the cert section. I'll report back with my progress with whichever cert I get. I'm tempted to just get the GoDaddy standard ($50) and see if it works with that; according to GoDaddy I can always upgrade to the premium version if the standard doesn't work.
Perhaps one more question: I just installed an issuing CA on one server that has 2008 R2 Enterprise. I still need to authorize it from the intermediate CA, but as I understand it, the key length cannot be more than 2048 since the vPro chips can only handle that length?
Also, when installing the CA service (Active Directory Certificate Services - ADCS) there are a few roles that can be installed:
Certification Authority Web Enrollment
Network Device Enrollment Service
Certificate Enrollment Web Service
Certificate Enrollment Policy Web Service
Do any of these other roles need to be installed for the CA to issue the vPro certs?
I'd say stick with the 2048-bit key length unless you have specific security requirements for something larger. Newer versions of AMT firmware do have support for 4096-bit keys. You'll need to check with your OEM to see if they have made those firmware updates available.
As for the CA roles, all you need to get started is the Certification Authority role itself. I personally like to add the Web Enrollment role as well. It makes it easy to grab a copy of the CA's cert should you need it, but it is not required for AMT.
The only big requirement for CAs and vPro is that it be on an Enterprise version of Windows so that you can create and publish your own cert templates. The CA that comes with Standard editions of Windows does not allow you to create new CA templates.
Here's a link to Microsoft's documentation on setting up a CA to support vPro clients:
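As an added example (not code from this thread or from Microsoft's documentation), here is a small POSIX shell check of the two constraints discussed above for the per-device AMT web server cert: an RSA key of at most 2048 bits, and the Server Authentication EKU that a template copied from the Web Server template carries. The sample certificates are self-signed and constructed by the script; the hostname is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Needs the openssl CLI (1.1.1 or later
# for -addext). Verifies a PEM cert against the AMT web server cert limits.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: a self-signed cert standing in for one issued by the
# internal Enterprise CA. $1 = RSA bits, $2 = output path, $3 = EKU (default
# serverAuth, which is what the Web Server template grants).
make_sample_cert() {
  openssl req -x509 -newkey "rsa:$1" -nodes -days 30 \
    -subj "/CN=amt-host.example.local" \
    -addext "extendedKeyUsage=${3:-serverAuth}" \
    -keyout "$WORK/key-$1.pem" -out "$2" >/dev/null 2>&1
}

# Returns 0 when the cert fits the AMT constraints, 1 with a reason otherwise.
check_amt_cert() {
  amt_text=$(openssl x509 -in "$1" -noout -text)
  amt_bits=$(printf '%s\n' "$amt_text" |
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p')
  case "$amt_text" in
    *rsaEncryption*) ;;
    *) echo "$1: not an RSA key"; return 1 ;;
  esac
  # AMT 6 era firmware handles keys up to 2048 bits (see the post above).
  if [ -z "$amt_bits" ] || [ "$amt_bits" -gt 2048 ]; then
    echo "$1: key is ${amt_bits:-unknown} bits, exceeds 2048"; return 1
  fi
  case "$amt_text" in
    *"TLS Web Server Authentication"*) ;;
    *) echo "$1: missing Server Authentication EKU"; return 1 ;;
  esac
  echo "$1: OK (RSA $amt_bits bits, Server Authentication EKU present)"
}

# Demonstration: 2048-bit passes; 4096-bit and client-auth-only are rejected.
make_sample_cert 2048 "$WORK/ok.pem"
check_amt_cert "$WORK/ok.pem"
make_sample_cert 4096 "$WORK/big.pem"
check_amt_cert "$WORK/big.pem" || true
make_sample_cert 2048 "$WORK/client.pem" clientAuth
check_amt_cert "$WORK/client.pem" || true
```

Point it at the cert SCCM pushed to a real AMT device (exported from the CA's Issued Certificates view) to confirm the template copy produced what the firmware expects.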
I just wanted to post again for anyone reading this that I did install the GoDaddy regular cert and it does work with vPro when you follow their instructions.
We finally decided not to implement native mode on SCCM; it was already enough work to get a PKI infrastructure in place for setting up a root & issuing CA, so we decided to forego the added complications of native mode.
SCCM and vPro have been great, with a few hassles, but it really allows for some great control over the machines.
One of the best has been the VNC viewer on certain vPro machines that allows us to view in the VNC Plus viewer the complete bootup sequence including BIOS. The only downside of that is that it is only applicable to the computers that have the onboard Intel graphics, which in our case is only about 1/3 of the machines; the others, including the notebooks, have ATI or Nvidia chips as graphics controllers.
So a word of caution for anyone hoping to get that KVM feature: verify that your model supports KVM; having the vPro chip is not enough.
Thanks again Dan for all your help!
I'm happy to hear that things are working for you! Thank you for following up and sharing with us. We'll be here if you have any more questions.