We're preparing to receive new HP systems with vPRO / AMT release 3.0 built in. (Hurray). As the SMS 2003 guy here in our office this is the best news to me in my world of software update / management that I've had in a long time.
I'm preparing to install SCS in our network to begin the provisioning process. I've run across an item that someone may help to clarify. AMT 3.0 offers Remote Configuration as a new way to install a PID/PSK pair to enable setup. This appears to be the best way to get going for us. My concern is that it appears that we need a cert from one of the vendors whose root cert hashes are built into the AMT firmware. Is there any way to work with our vendor (HP) to add our root CA to the firmware?
Indeed there is!
Intel provides tools to give OEMs the ability to add customer certificate hashes to the AMT firmware at the end of the manufacturing process. Up to 23 certificate hashes can be added in this way. The advantage of having the OEM install the hash instead of having the IT shop add the hash after receipt of the machine, apart from the fact that you don't have to type them in, is that the OEM-added hashes survive resets back to the "default factory" state.
Why would you use your own root hash instead of going with one of the default hashes from one of the provided certificate authorities like VeriSign or Go Daddy?
This is actually a complicated question. Like most things in IT the goal is to minimize cost and complexity.
The Subject Name in the Remote Configuration certificate must match the DHCP domain name on the network segment (DHCP option 15) to which the AMT device is attached. So the more DHCP naming zones you have, the more Subject Names you need in the certificate. The more names you have, the more the certificate authority will charge (as they have to do work to verify you own all of the names). Intel is working to lower this cost in upcoming releases of AMT, and in AMT 2.6 added a feature to allow a match on only the last two fields of the CN (e.g. intel.com). So all DHCP naming zones "below" intel.com, such as a.intel.com and b.intel.com, would be considered a match. This applies only to ".com" and ".net" names.
On the other hand, your OEM may charge to add your certificate hash to each AMT device you buy. So both options will need to be investigated to get the most cost-effective solution for your company.
Thanks for the clarification Garth. I'm glad to see we can work with HP to add our hash to the AMT firmware in advance. We're a fairly small organization with only one DHCP domain name so adding our own hash should be pretty easy and hopefully not too expensive. I'm trying to get my head around the entire SCS / SMS 2003 Integration and setup to prepare for the onslaught of machines and have AMT ready to go. This helps us considerably!
The vPro Quick Start Guide (http://communities.intel.com/openport/docs/DOC-1085) along with the SMS add-on documentation/resources, including some video tutorials (http://softwarecommunity.intel.com/articles/eng/1356.htm), may be a great place to start.
We are looking into creating more video or screencast based content.
May you be successful in your endeavors.
Thanks very much for the links. I hadn't seen these before and they should be a good addition to my rollout plans. I've been digesting the info from the "Intel AMT SCS Installation and User Manual" as well as the "Intel AMT Add-on for Microsoft SMS 2003 Installation and User Guide". There's a lot of good info here that should get me going in the right direction.
Please add more tutorials for the average admin like myself. They offer inestimable value and help illuminate this whole new area of focus for us.
Hello swood and others,
I work for HP on vPro among other things. The most reasonable way to approach this is to let your HP account manager know that you are interested in what we call PC Customization Services (PCCS) to pre-populate your cert hash. This is not a standard service we offer currently, as with the PSK method, but we do have some tools that should support this. Feel free to use my name (Paul Broyles in Houston, TX) as a reference if they don't know what you are asking for.
As always, it is good to get customer feedback on this.
This is getting a bit beyond my area. The only AMT-related standard service that we currently offer is to pre-populate the PSK triplet. We have internal tools that can do more, obviously, and offer other standard services such as changing system BIOS settings, image deployment, etc. If a customer needs a service that is not standard, I think we can consider those requests on a case-by-case basis. The customer's account team should be familiar with what we can do.
One question about the multiple DHCP domains before the *.intel.com wild card feature is available. It may be because of my misunderstanding about this remote configuration feature. If there are two domains, a.intel.com and b.intel.com, and the two SCS certs are generated accordingly, should those two certs be loaded in the AMT clients together, since the clients are not sure which domain they belong to during setup time? Also, which one should be activated, or doesn't it matter as long as they both exist?
If you have two DHCP domains, then you need two SCS client certificates. These certificates are installed on the SCS server. Currently only one certificate can be installed at any one time. The certificate that needs to be loaded onto the AMT client is the root certificate of the chain that issued the a.intel.com and b.intel.com leaf node certificates. If the two certificates were issued from different certificate chains (a different root) then both root certificates would need to be added to the hash table on the AMT client. All of the root certificates that you intend to use do need to be marked as active on the AMT system.