Community
cancel
Showing results for 
Search instead for 
Did you mean: 
GRile
New Contributor I
2,415 Views

Intel SCS + SCCM integration - where to start?

Jump to solution

Hi, we have SCCM 1606 and we would like to deploy Intel SCS in order to be able to remotely wake and control our clients via SCCM. I am completely new to Intel vPro / SCS so I need to understand where to start with this. I have read somewhere that all clients need to have a certificate installed and they can get this certificate from an internal PKI server (which we have). Is there a guide that covers the whole thing or can someone give me the basic steps that we need to work through to get this up and running? So far I have Installed "Intel Manageability Commander 1.0.8" on my own PC and I can see "Intel AMT Power-On" when I right click on computer device collections.

Kind regards,

Graham

0 Kudos
1 Solution
Dariusz_W_Intel
Employee
164 Views

Graham,

You need:

  1. Select Intel AMT Configuration method that will fit your needs – via Remote Configuration Method (requires Intel AMT build-in LAN interface on each Intel vPro platform + single Remote Configuration certificate for internal domain name) or Host Based Configuration (no LAN neither certificate required but use of Redirection features will require end user to be present and provide 6 digit Consent Code over phone to IT Help Desk technican).

     

     

    See Intel SCS user guide contains all information although is is not so easy to consume ;-(

     

     

    Download required package for Intel SCS (smaller one download package contains only Host Based Configuration components)

     

    https://downloadcenter.intel.com/download/26505/Intel-Setup-and-Configuration-Software-Intel-SCS- https://downloadcenter.intel.com/download/26505/Intel-Setup-and-Configuration-Software-Intel-SCS-
  2. For SCCM you will need to configure Intel AMT with TLS encryption and Kerberos Authentication.

     

     

    TLS encryption means during Intel AMT configuration each end point vPro PC will get its separate unique Web Server TLS certificate (Private key and CSR are generated by Intel AMT FW inside HW) with PC FQDN in cert CN. Those certs are issued by your own MS AD PKI CA.

     

    Kerberos Authentication means each end point vPro PC Intel AMT FW will be represented in additional/separate AD OU by computer type object (yes it will look like duplicate of MS OS Computer object). There is need to create and maintain separate AD OU.

     

     

    Requirements and process for TLS & AD Integration are described in Intel SCS user guide. Those requirements are identical for both configuration methods.
  3. Once you prepared Intel AMT configuration setup (SCS's RCS service is required for Remote Configuration) test it on single system (with script/RDP)
  4. It everything works OK you can download and install https://downloadcenter.intel.com/download/26506/Intel-SCS-Add-on-for-Microsoft-System-Center-Configu... https://downloadcenter.intel.com/download/26506/Intel-SCS-Add-on-for-Microsoft-System-Center-Configu...

     

     

    During installation you will have to chose configuration method and point to your AMT settings profile (XML File for Host Based Configuration or AMT profile in Intel RCS for Remote Configuration).

     

     

    Intel® SCS Add-on for Microsoft* System Center Configuration Manager extends MS SCCM Client HW inventory with Intel AMT related classes and installs ready to activate task sequences for Intel AMT discovery, configuration and maintenance + Intel AMT related Collections.
  5. Once Intel AMT is configured you can manage it with https://downloadcenter.intel.com/download/26375/Intel-Manageability-Commander https://downloadcenter.intel.com/download/26375/Intel-Manageability-Commander?

     

    Multiple systems Intel AMT based Power On requires to install Manageability Commander Wake Service component.
  6. You may also like to give a try a Intel® vPro™ Technology module for Windows* PowerShell https://downloadcenter.intel.com/download/25891/Intel-vPro-Technology-module-for-Windows-PowerShell?... https://downloadcenter.intel.com/download/25891/Intel-vPro-Technology-module-for-Windows-PowerShell?...

     

    Good luck!

Dariusz Wittek

 

Intel EMEA Biz Client Technical Sales Specialist

View solution in original post

4 Replies
GRile
New Contributor I
164 Views

OK I have downloaded and started to work my way through "Intel® Setup and Configuration Software (Intel® SCS) Add-on for Microsoft* System Center Configuration Manager" which seems like a a good place to start!

I have another question regarding the client certificates: As we already using certificates to ensure HTTPS connectivity between the client and the SCCM server, will the same certificate be sufficient for the AMT or will the clients need another, separate certificate?

Can I also check that no additional server is required for SCS and that we will be able to install the add-on directly on to the SCCM server?

Thanks, Graham

Dariusz_W_Intel
Employee
164 Views

Graham,

Intel AMT TLS certificates private key & CSR are created inside Intel AMT/ME FW/HW so you will need to use separate certificates issued using standard WebServer certificate template (or its duplicate).

 

Keep in mind Intel AMT is HW/FW based Web Service.

 

MS SCCM Client may require some more usages in its certificate template (Intel SCS may probably work with SCCM Client cert template if it contains Server Authentication)

Intel® SCS Add-on for Microsoft* System Center Configuration Manager is just a helper for easier integration and has to be installed on SCCM primary site server.

 

Intel® SCS itself (RCS Remote Configuration server) may be installed on same server as SCCM Primary Site server (makes sense from perspective of keeping all Pc management components on same server) but does not have to.

rgds

Darek

GRile
New Contributor I
164 Views

Thanks for your comprehensive reply Darek . That is exactly the sort of thing I was looking for.

Graham

Dariusz_W_Intel
Employee
165 Views

Graham,

You need:

  1. Select Intel AMT Configuration method that will fit your needs – via Remote Configuration Method (requires Intel AMT build-in LAN interface on each Intel vPro platform + single Remote Configuration certificate for internal domain name) or Host Based Configuration (no LAN neither certificate required but use of Redirection features will require end user to be present and provide 6 digit Consent Code over phone to IT Help Desk technican).

     

     

    See Intel SCS user guide contains all information although is is not so easy to consume ;-(

     

     

    Download required package for Intel SCS (smaller one download package contains only Host Based Configuration components)

     

    https://downloadcenter.intel.com/download/26505/Intel-Setup-and-Configuration-Software-Intel-SCS- https://downloadcenter.intel.com/download/26505/Intel-Setup-and-Configuration-Software-Intel-SCS-
  2. For SCCM you will need to configure Intel AMT with TLS encryption and Kerberos Authentication.

     

     

    TLS encryption means during Intel AMT configuration each end point vPro PC will get its separate unique Web Server TLS certificate (Private key and CSR are generated by Intel AMT FW inside HW) with PC FQDN in cert CN. Those certs are issued by your own MS AD PKI CA.

     

    Kerberos Authentication means each end point vPro PC Intel AMT FW will be represented in additional/separate AD OU by computer type object (yes it will look like duplicate of MS OS Computer object). There is need to create and maintain separate AD OU.

     

     

    Requirements and process for TLS & AD Integration are described in Intel SCS user guide. Those requirements are identical for both configuration methods.
  3. Once you prepared Intel AMT configuration setup (SCS's RCS service is required for Remote Configuration) test it on single system (with script/RDP)
  4. It everything works OK you can download and install https://downloadcenter.intel.com/download/26506/Intel-SCS-Add-on-for-Microsoft-System-Center-Configu... https://downloadcenter.intel.com/download/26506/Intel-SCS-Add-on-for-Microsoft-System-Center-Configu...

     

     

    During installation you will have to chose configuration method and point to your AMT settings profile (XML File for Host Based Configuration or AMT profile in Intel RCS for Remote Configuration).

     

     

    Intel® SCS Add-on for Microsoft* System Center Configuration Manager extends MS SCCM Client HW inventory with Intel AMT related classes and installs ready to activate task sequences for Intel AMT discovery, configuration and maintenance + Intel AMT related Collections.
  5. Once Intel AMT is configured you can manage it with https://downloadcenter.intel.com/download/26375/Intel-Manageability-Commander https://downloadcenter.intel.com/download/26375/Intel-Manageability-Commander?

     

    Multiple systems Intel AMT based Power On requires to install Manageability Commander Wake Service component.
  6. You may also like to give a try a Intel® vPro™ Technology module for Windows* PowerShell https://downloadcenter.intel.com/download/25891/Intel-vPro-Technology-module-for-Windows-PowerShell?... https://downloadcenter.intel.com/download/25891/Intel-vPro-Technology-module-for-Windows-PowerShell?...

     

    Good luck!

Dariusz Wittek

 

Intel EMEA Biz Client Technical Sales Specialist

View solution in original post

Reply