Up to Discussions in Intel® vPro™ Expert Center

This Question is Answered

1 "correct" answer available (4 pts) 2 "helpful" answers available (2 pts)
10 Replies Last post: Oct 23, 2007 4:09 PM by Gareth Bevan
Reply

Remote Configuation and AMT release 3.0

Sep 27, 2007 1:34 PM

Click to view swood's profile swood 79 posts since
Sep 27, 2007

We're preparing to receive new HP systems with vPRO / AMT release 3.0 built in. (Hurray). As the SMS 2003 guy here in our office this is the best news to me in my world of software update / management that I've had in a long time.

I'm preparing to install SCS in our network to begin the provisioning process. I've run across an item that someone may help to clarify. AMT 3.0 offers Remote Configuration as a new way to install a PID/PSK pair to enable setup. This appears to be the best way to get going for us. My concern is that it appears that we need to cert from one of the vendors whose root cert hashes are built into the AMT firmware. Is there any way to work with our vender (HP) to add our root CA to the firmware?

Average User Rating
(0 ratings)
Click to view Gareth Bevan's profile Gareth Bevan 2 posts since
Sep 5, 2007
Reply 1. Re: Remote Configuation and AMT release 3.0 Sep 28, 2007 10:56 AM
Indeed there is!

Intel provides tools to give OEMs the ability to add customer certificate hashes to the AMT firmware at the end of the manufacturing process. Up to 23 certificate hashes can be added in this way. The advantage of having the OEM install the hash instead of having the IT shop add the hash after receipt of the machine, apart from the fact that you don't have to type them in ;) , is that the OEM added hashes survive resets back to the "default factory" state.
Why would you use your own root hash instead of going with one of the default hashes from one of the provided certificate authorities like VeriSign or Go Daddy?

This is actually a complicated question. Like most things in IT the goal is to minimize cost and complexity.
The Subject Name in the remote Configuration certificate must match the DHCP domain name on the network segment (DHCP option 15) to which the AMT device is attached. So the more DCHP naming zones you have, the more Subject Names you need in the certificate. The more names you have the more the certificate authority will charge (as they have to do work to verify you own all of the names). Intel is working to lower this cost in upcoming releases of AMT, and in AMT 2.6 added a feature to allow a match for only the last two fields of the CN (e.g. intel.com). So all DHCP naming zones "below" intel.com such as a.intel.com and b.intel.com would be considered a match. This applies only to ".com" and ".net" names.

On the other hand the your OEM may charge to add your certificate hash to each AMT device you buy. So both options will need to be investigated to get the most cost effective solution for your company.

Click to view swood's profile swood 79 posts since
Sep 27, 2007
Reply 2. Re: Remote Configuation and AMT release 3.0 Sep 28, 2007 11:35 AM
in response to: Gareth Bevan
Thanks for the clarification Garth. I'm glad to see we can work with HP to add our hash to the AMT firmware in advance. We're a fairly small organization with only one DHCP domain name so adding our own hash should be pretty easy and hopefully not too expensive. I'm trying to get my head around the entire SCS / SMS 2003 Integration and setup to prepare for the onslaught of machines and have AMT ready to go. This helps us considerably!
Click to view Terry Cutler's profile Terry Cutler 27 posts since
Aug 1, 2007
Reply 3. Re: Remote Configuation and AMT release 3.0 Oct 1, 2007 1:44 AM
in response to: swood
The vPro Quick Start Guide (http://communities.intel.com/openport/docs/DOC-1085) along with the SMS add-on documentation\resources - including some video tutorials (http://softwarecommunity.intel.com/articles/eng/1356.htm) may be a great place to start.

We are looking into creating more video or screencast based content.

May you be successful in your endeavors.
Click to view swood's profile swood 79 posts since
Sep 27, 2007
Reply 4. Re: Remote Configuation and AMT release 3.0 Oct 1, 2007 9:30 AM
in response to: Terry Cutler

Terry,

Thanks very much for the links. I hadn't seen these before and they should be a good addtion to my rollout plans. I've been digesting the info from the "Intel AMT SCS Installation and User Manual" as well as the "Intel ADMT Add-on for Microsoft SMS 2003 Installation and User Guide". Theres a lot of good info here that should get me going in the right direction.

Please add more tutorials for the average admin like myself. They offer inestimable value and help illuminate this whole new area of focus for us.


Thanks again!

Click to view pbroyles's profile pbroyles 2 posts since
Oct 1, 2007
Reply 5. Re: Remote Configuation and AMT release 3.0 Oct 1, 2007 1:43 PM
in response to: swood

Hello swood and others,

I work for HP on vPro among other things. The most reasonable way to approach this is to let your HP account manager know that you are interested in what we call PC Customization Services (PCCS) to pre-populate your cert hash. This is not a standard service we offer currently, as with the PSK method, but we do have some tools that should support this. Feel free to use my name (Paul Broyles in Houston, TX) as a reference if they don't know what you are asking for.

As always, it is good to get customer feedback on this.

Regards, Paul


Click to view josh.hilliker's profile josh.hilliker 84 posts since
Aug 1, 2007
Reply 6. Re: Remote Configuation and AMT release 3.0 Oct 1, 2007 1:55 PM
in response to: pbroyles
HI Paul.

What other vPro / AMT options are available to customize through the PCCS you mention?

Josh H
Click to view swood's profile swood 79 posts since
Sep 27, 2007
Reply 7. Re: Remote Configuation and AMT release 3.0 Oct 1, 2007 3:16 PM
in response to: pbroyles

Paul,

Thanks a bunch for the inside tip. This would make our rollout easier and cheaper with our own hash pre-configured.

Click to view pbroyles's profile pbroyles 2 posts since
Oct 1, 2007
Reply 8. Re: Remote Configuation and AMT release 3.0 Oct 5, 2007 2:06 PM
in response to: josh.hilliker

Hi Josh,

This is getting a bit beyond my area. The only AMT-related standard service that we currently offer is to pre-populate the PSK triplet. We have internal tools that can do more, obviously, and offer other standard services such as changing system BIOS settings, image deployment, etc. If a customer needs a service that is not standard, I think we can consider those requests on a case-by-case basis. The customer's account team should be familiar with what we can do.

Thanks, Paul

Click to view mchang3's profile mchang3 5 posts since
Oct 18, 2007
Reply 9. Re: Remote Configuation and AMT release 3.0 Oct 18, 2007 6:47 PM
in response to: Gareth Bevan

Gareth,

One question about the multiple DHCP domains before the *.intel.com wide card features is available. It may be because my misunderstanding about this remote configuration feature. If there are two domains, a.intel.com and b.intel.com, and the two SCS certs are generated accordingly. So, should those two certs need to loaded in AMT clients together since the clients are not sure which domain is belonged to during the set up time? Also, which one should be activated or doesn't matter as long as they both exist?

Click to view Gareth Bevan's profile Gareth Bevan 2 posts since
Sep 5, 2007
Reply 10. Re: Remote Configuation and AMT release 3.0 Oct 23, 2007 4:09 PM
in response to: mchang3

Hi Mark,

If you have two DHCP domains, then you need two SCS client certificates. These certificates are installed on the SCS server. Currently only one certificate can be installed at any one time. The certificate that needs to be loaded onto the AMT client is the root certificate of the chain that issued the a.intel.com and b.intel.com leaf node certificates. If the two certificates were issued from different certificate chains (a different root) then both root certificates would need to be added to the hash table on the AMT client. All of the root certificates that you intend to use do need to be marked as active on the AMT system.

Actions

More Like This