The Intel SCS 8 Deployment Guide provides an accelerated view into getting Intel AMT configured, how to adjust\maintain the configuration, 4 common deployment models, and summarized steps on how to apply the most common configuration options. Common Intel AMT configuration options include adjusting the FQDN of the firmware, customized authentication\authorization, Active Directory integration, securing communications via TLS, and Intel AMT over wireless.
How are you using the Intel SCS 8 Deployment guide for your environment?
Hi Terry, As I am still learning the vpro stuff,
You might have to forgive my inexperience in the field of the Intel vpro technology platform as compared to the experts that you guys are. Its been about 2 months since I first started experimenting on the vpro implementation. The vpro technology has really caught my attention as I have never before been so excited about a technology like this one. I have studied / seen most of the user guides, videos etc available off the Intel website and elsewhere. I suppose I have gathered enough knowledge to get on with my first lab experience with great confidence.
There is this one little thing that still seems to be a challenge towards acheiving my goals with the vpro testing before we can go live. I hope you can help me get over this obstacle which I call Remote configuration using provisioning Certficate. Certificates part has really got me confused to the core and this is what I need to clarify. All I ask of you is to walk me through step by step on creating a certificate authority as one of the server roles on Win server 2008 followed by creating a certificate template and then creating the required certificates for provisioning as well for TLS communication. I recently found some new videos "Setup and Configuration Software 8.0 training" posted by Dan Brunton and it was treat watching him walk us through the steps for provisioning and maintenance. However the certificate part was already setup and hence was not explained, so I had no clue about how to get the certificate stuff setup and ready to go.
So far my infrastructure that I have planned is as follows (Active Directory, DNS, DHCP, IIS, CA for creating internal certificates + SCS 8.0):
I have a small private network on a domain with one Windows server 2008 computer with the following server roles ADS, DNS, DHCP, IIS and WDS (I hope this is OK for testing purposes?). I have also enabled DHCP option 15, 6, 81 (are these really required if I am going to be using SCS 8.0) and also made sure that the alias name has been created for ProvisionServer in the DNS records. I will install SCS 8.0 only after I have installed the Active Directory Certificate services and that is where I need your help. Since I want to perform remote configuration I suppose I need to create provisioning and TLS certificates from our internal CA? Right? For certificate, I need to have the PKI infrastructure setup across my network for which I need to install Active Directory Certificate Services on my windows server 2008? Right? Remind you once again, I am not going to be using the generic certificates embedded into the MeBX from the SSL certificate providers like GoDaddy, Verisign, Comodo and hence would have to insert the certificate hash into the MeBX manually? Correct?
I have attached the document for step by step installing the Active Directory Certificate services and enterprise RootCA on a windows server 2008. I hereby request you to kindly review the same and suggest if I am on the right track? Also feel free to correct me with any possible suggestions that you might have.
Thanks in advice.
Hi Mohammed - I have a few questions for you and will provide further guidance in in response to your inquiries.
- What management console and Intel AMT operations are you planning to use?
- Did you know the "ProvisionServer" DNS record is actually not required? (In fact - I often recommend that it not be used)
- Have you reviewed the SCS 8 Deployment Guide? Focus specifically on sections 3-5 - determine what you have, configuration options, and apply only ONE configuration approach. Section 4.3 in particular provides a simplified decision tree on what method to use.
In my view - if you must touch each system to enter a custom root certificate hash, why not configure Intel AMT with basic settings instead? You can then use the "Delta Configuration" options mentioned in section 6 of the Deployment Guide to adjust the Intel AMT configuration as needed.
However, if you must use request and install a remote configuration certificate from an internal CA, see http://technet.microsoft.com/en-us/library/cc161804.aspx# BKMK_AMTprovisioning http://technet.microsoft.com/en-us/library/cc161804.aspx# BKMK_AMTprovisioning. (Specifically the section "To request and install the AMT provisioning certificate from an internal CA").
I reviewed your attachment and the steps look correct overall. On the "Configure CA Name", you can adjust the common name to an easier string such as "testCA". This will help later on when select TLS certificates as part of the Intel AMT configuration profile.
More information on TLS in the Intel AMT configuration profile available in section A.4 (4th main section of the Appendix) in the SCS8 deployment guide.
I hope that helps in your testing of Intel AMT.
Appreciate your response along with the clarifications. As to your questions, please find my response as below:
- 1. What management console and Intel AMT operations am I planning to use?
- A. What do you suggest? Having weighed my options, I have been able to shortlist to VNC and SCCM, with VNC as my probable and preferred Mgmt Console. Would you care to throw some light on these two products and may be share your inputs (pros and cons) for both of them? For the AMT operations, I want to be able to use KVM, IDER, SOL, FCFH etc for sure.
2. Did I know the "ProvisionServer" DNS record is actually not required?
A. No. I was really not aware of that. If that is case, then why do we have so many documents talk about it as a requirement? But anyways, since you have confirmed that it is not required, I guess, I am keep that out of the context here.
3. Have I reviewed the SCS 8 Deployment Guide?
A. Yes, I have. The problem is that I have a mix of AMT 6 and the newly acquired AMT 7 machines. Since I wish to implement MTLS/TLS kerberos based secure communication with Admin control mode, I must use either of the following provisioning methods:
(i) SMB/Manual Config for both AMT 6 and AMT 7 machines
(ii) Remote PKI for both AMT 6 and AMT 7 machines
(iii) SMB for AMT 6 machines and Remote PKI provisioning for AMT 7 machines.
I dont mind using the SMB / Manual provisioning method for the entire mix of vPro machines available provided that I can still implement MTLS / TLS kerberos based secure communication as security measures.
A quick question for you:
Q: Dont I need a PKI infrastructure, if I were to implement remote client management with MTLS/TLS kerberos based secure communication.
If your answer is YES, then why not use the PKI infrastructure to start with for remote provisioning as well? Thats the only reason why I was thinking of using certificate based remote provisioning created from an internal root CA from our existing AD CS infrastructure.
I dont mean to confuse you at all, and I hope I am able to express my objectives and viewpoints to the best of my ability. Please advice the best possible way to achieve the goals that I seek. In great anticipation.
Thanks once again for all your help.
As you are already aware that I had already setup the ADCS on my windows server 2008 from the last conversation we had, I am now trying to figure out where to find the thumbprint that is to be inserted into the MeBX? I wish to achieve TLS based AMT management and communication.
I did find the two thumbprints / certificate hash on the certificate store however I am Not sure, which of the two thumbprints to insert into the MeBX of the vPro client? Please refer to the document attached and advice accordingly. I would like to remind you that I have already done the basic provisioning of my vPro systems and I am able to manage them using VNC Viewer without TLS over the LAN. The reason for implementing the certificate hash is the purpose of integrating AD and TLS for AMT management and communication alongwith Kerberos authentication.
Thanks in advance
The root certificate thumbprint (ArrowImage, starting with 6a)
Before you proceed with that - please understand that your Intel AMT client is configured. Once the initial configuration has been completed, you can adjust the configuration to add AD\Kerberos and TLS using the Intel SCS8 Delta Configuration process. For more information, see the Deployment Guide linked from http://www.intel.com/go/scs http://www.intel.com/go/scs and attached for convenience
The remote configuration approach with the certificate is used ONLY if the other initial configuration approaches are not possible\preferred in your environment. In my view - if you must enter the MEBx to insert a custom certificate hash, you might as well complete the initial Intel AMT configuration.
In the Intel SCS8 deployment guide, focus on sections 4 through 6, and the necessary Appendix sections for the additional options desired. Section A.3 focuses on AD\Kerberos integration, and section A.4 focuses on TLS.
Now that I got the AMT Audit logging enabled with the Auditor user in place. I am able to pull up the logs on the console and also able to extract them in csv or txt files. However I need your help in going a step further whereby I can integrate and sync the Audit logs with the Active Directory in my environment. Is there a way to extract all the audit logs to be saved in the Active Directory within the respective data store or AD objects? Please help me with either a PS script that could extract the audit logs into respective data stores in a DB server or setup an environment where the respective audit logs for respective vPro clients automatically update / append their respective txt log files on a file server say
\\vproserver\vpro\vproLogs\client3_log.txt? and so on
Thanks in advance.