Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2827 Discussions

How to vPro Remote config using SCCM???

idata
Employee
2,414 Views

Hi Friends, I regeret to infor you that there arent any clearcut documents about remote provisioning vPro clients using SCCM especially when it comes to using self created certificate from an internal CA. There is this one thing that has been troubling me for long, and that is the certificate based authentication and I just cant get the Remote Configuration to work. As you are already aware that the Intel MeBX are preloaded with a few standard certificates from external vendors like GoDaddy, Verisign, Comodo and so on but thhen there are a lot of people like myself who do not wish to purchase certificates from the above mentioned vendors. We really want to use a certificate from an internal CA based on our existing Windows Active Directory Infrastructure if possible. I would really appreciate if you could help me with the steps of using self generated certificate from an Internal CA for remotely provisioning the vPro enabled clients. My objective is to be able to Remotely provision vPro enabled clients out of the box (either in the workgroup or even across a Domain). I am new to the vPro technology and have studied most of the resources from the web and ofcourse the user guides available off the Intel website and so on. I want to learn Remote configuration using the PKI or the PSK infrastructure. I am trying to implement the vPro remote provisioning in my Lab here, to no avail. I have a small private network on a domain with one Windows server 2008 computer with the following roles ADS, DNS, DHCP, IIS, WDS and SCCM as well. I have also enabled DHCP option 15, 6 and also made sure that the alias name has been created for ProvisionServer in the DNS records. I have a few HP 2540P laptops with Intel AMT firmware version 6.0.3. Would you please clarify my queries on the following:

1. If I am going to be using SCCM to do OOB Provisioning and managing vPro enabled clients, do I still need to install SCS / RCS on the DC server 2008? If yes, why?

2. Are there any basic out of the box configuration / setup that I need to do in the MeBX of the vPro clients before they can be remotely provisioned via SCCM using TLS? Or is it that the Remote Configuration can be done by simply connecting the out of the box vPro client to the network and power supply? I am suppose, there are. Could you please give me the detailed steps that we need to perform in the MeBX of the vPro clients with AMT >= 6 before connecting to the network?

3. I dont wish to use the certificates from the external CA like GoDaddy, Verisign, Comodo etc, however I would rather use the certificate created from an internal CA based on our existing AD infrastructure and certification authority instead. I have also exported a copy of the .pfx certificate file as per http://technet.microsoft.com/en-us/library/cc161804.aspx# BKMK_AMTprovisioning2 http://technet.microsoft.com/en-us/library/cc161804.aspx# BKMK_AMTprovisioning2 .

 

Per the documentation, now that we have created a provisioning certificate, we need to insert the certificate hash into the MeBX. Is there a way to burn in the certificate hash into the MeBX using a USB flash drive. Which tool would I use and what command/syntax would prepare a USB flash drive for burning in the certificate hash into the MeBX?

4. For the environments with only AMT version 6 and above, do we still need to install and configure wsman Translator for provisioning based PSK keys? I suppose wsman translator is only required for provisioning vPro client with earlier AMT versions. Right?

In simple words, I just want to implement remote provisioning vPro client with AMT versions 6 and above with SCCM using the PKI infrastructure (certificate from an Internal CA). Can you please walk us through the detailed steps that havent been discussed else where.

Thanks In advance

0 Kudos
6 Replies
idata
Employee
623 Views

I think that this PDF will answer your questions.

http://www.intel.com/en_US/Assets/PDF/general/cg_MicrosoftConfigMgr_vPro.pdf http://www.intel.com/en_US/Assets/PDF/general/cg_MicrosoftConfigMgr_vPro.pdf

If I am going to be using SCCM to do OOB Provisioning and managing vPro enabled clients, do I still need to install SCS / RCS on the DC server 2008? If yes, why?

You only need SCS if you are not going to use SCCM's internal provisioning server to provision the clients.

Are there any basic out of the box configuration / setup that I need to do in the MeBX of the vPro clients before they can be remotely provisioned via SCCM using TLS? Or is it that the Remote Configuration can be done by simply connecting the out of the box vPro client to the network and power supply? I am suppose, there are. Could you please give me the detailed steps that we need to perform in the MeBX of the vPro clients with AMT >= 6 before connecting to the network?

If you have a workable provisioning certificate from a 3rd party vendor and the clients are not currently provisioned, there should not be anything that needs to be done in MEBX…assuming that the systems arrived from the OEM with a default configuration within what we understand to be 'normal'.

I dont wish to use the certificates from the external CA like GoDaddy, Verisign, Comodo etc, however I would rather use the certificate created from an internal CA based on our existing AD infrastructure and certification authority instead. I have also exported a copy of the .pfx certificate file as per http://technet.microsoft.com/en-us/library/cc161804.aspx# BKMK_AMTprovisioning2 http://technet.microsoft.com/en-us/library/cc161804.aspx# BKMK_AMTprovisioning2 .

 

Per the documentation, now that we have created a provisioning certificate, we need to insert the certificate hash into the MeBX. Is there a way to burn in the certificate hash into the MeBX using a USB flash drive. Which tool would I use and what command/syntax would prepare a USB flash drive for burning in the certificate hash into the MeBX?

Yes.

/thread/2573 http://communities.intel.com/thread/2573

For the environments with only AMT version 6 and above, do we still need to install and configure wsman Translator for provisioning based PSK keys? I suppose wsman translator is only required for provisioning vPro client with earlier AMT versions. Right?

In simple words, I just want to implement remote provisioning vPro client with AMT versions 6 and above with SCCM using the PKI infrastructure (certificate from an Internal CA). Can you please walk us through the detailed steps that havent been discussed else where.

No translator needed in this case.

Greg

idata
Employee
623 Views

Hi Greg, Thanks for the quick response, but you got to bare with me as I am still learning the vpro stuff.

You might have to forgive my inexperience in the field of the Intel vpro technology platform as compared to the experts that you guys are. Its been about 2 months since I first started experimenting on the vpro implementation. The vpro technology has really caught my attention as I have never before been so excited about a technology like this one. I have studied / seen most of the user guides, videos etc available off the Intel website and elsewhere. I suppose I have gathered enough knowledge to get on with my first lab experience with great confidence.

There is this one little thing that still seems to be a challenge towards acheiving my goals with the vpro testing before we can go live. I hope you can help me get over this obstacle which I call Remote configuration using provisioning Certficate. All I ask of you is to walk me through step by step on creating a certificate authority as one of the server roles on Win server 2008 followed by creating a certificate template and then creating the required certificates for provisioning as well for TLS communication. I recently found some new videos "Setup and Configuration Software 8.0 training" posted by Dan Brunton and it was treat watching him walk us through the steps for provisioning and maintenance. However the certificate part was already setup and hence was not explained, so I had no clue about how to get the certificate stuff setup and ready to go.

As yoy are already aware of that my infrastructure that I have planned is as follows (this time without SCCM):

I have a small private network on a domain with one Windows server 2008 computer with the following server roles ADS, DNS, DHCP, IIS and WDS (I hope this is for testing purposes). I have also enabled DHCP option 15, 6, 81 (are these really required if I going to be using SCS 8.0) and also made sure that the alias name has been created for ProvisionServer in the DNS records. I will install SCS 8.0 only after I have installed the Active Directory Certificate services and that is where I need your help. Since I want to perform remote configuration with the help of certificate created by our internal CA, I need to have the PKI infrastructure setup across my network for which I need to install Active Directory Certificate Services on my windows server 2008. Remind you once again, I am not going to using the external certificates from SSL certificate providers and hence would have to insert the certificate hash into the MeBX manually. I have attached the document for step by step installing the Active Directory Certificate services and enterprise RootCA on a windows server 2008. I hereby request you to kindly review the same and suggest if I am on the right track? Also feel free to correct me with any possible suggestions that you might have.

Thanks in advice.

Regards

Mohammed

0 Kudos
idata
Employee
623 Views

Looks like your headed in the right direction, the link I sent you pretty much gives the step by step instructions on how to set it all up.

Greg

0 Kudos
idata
Employee
623 Views

Hi Greg,

As you are already aware that I had already setup the ADCS on my windows server 2008 from the last conversation we had, I am now trying to figure out where to find the thumbprint that is to be inserted into the MeBX? I wish to achieve TLS based AMT management and communication.

I did find the two thumbprints / certificate hash on the certificate store however I am Not sure, which of the two thumbprints to insert into the MeBX of the vPro client? Please refer to the document attached and advice accordingly. I would like to remind you that I have already done the basic provisioning of my vPro systems and I am able to manage them using VNC Viewer without TLS over the LAN. The reason for implementing the certificate hash is the purpose of integrating AD and TLS for AMT management and communication alongwith Kerberos authentication.

Thanks in advance

Mohammed

0 Kudos
idata
Employee
623 Views

The second thumbprint that you show is the correct one for TLS communication, but I did not see the provisioning certificate that's thumbprint is to be put in the mebx.

IF you are able to provision then the only certificate that you need is the one for TLS communication.

Good luck

Greg

0 Kudos
idata
Employee
623 Views

Greg,

Thanks for all your help but I find myself so confused at this moment and cannot help but ask for some clarification on a few things.

Are you saying that we need Two different certificates (one for provisioning and another one for TLS communication) ?

What If my systems are already provisioned, do I still need a provisioning certificate or is the TLS certificate enough to be able to implement TLS connection between the management console and AMT cPro device?

Thanks and regards

Mohammed

0 Kudos
Reply