
Intel vPro Expert Center Blog


Hi,

 

I am trying to set up an Intel SCS server to deploy AMT profiles to HP Intel vPro PCs.

 

In order to do this, I need to provision a certificate. I got one from Comodo, but Intel SCS is asking for a CA plugin, which I couldn't find anywhere.

It is only giving me the option to use domain internal CA certificates.

 

Any help?

An enterprise customer wanted to enable Active Directory integration with Intel AMT on their large Intel vPro client estate. However, their security team wanted the permissions of the Intel SCS service account on the Organisational Unit (OU) where the Intel AMT computer objects are stored (needed to support Kerberos) to be as restrictive as possible.

 

As defined in the Intel® Setup and Configuration Software User Guide, the permissions for the SCS service account on the OU container are "Create Computer objects", "Delete Computer objects" and "List contents" (the latter appears to be granted by default), plus Full Control on descendant computer objects. Full Control on the descendants was not acceptable, so ...

 

[Screenshots: SCS_AD_Perms_OU_Create_Delete.jpg, SCS_AD_Perms_OU_List.jpg]

... to support AMT maintenance tasks such as updating the password of the AD object representing the Intel AMT device and keeping the Kerberos clock synchronised, only the following explicit permissions are required on all descendant computer objects within the OU: "Change Password" and "Write all properties".

[Screenshots: SCS_AD_Perms_Descendant_Change_Password.jpg, SCS_AD_Perms_Descendant_Write_All_Properties.jpg]

The customer's security team were happier with these permissions, and they are now activating their Intel vPro systems to enable the manageability and security capabilities that Intel Active Management Technology provides on Intel vPro platforms.

Taken from an original (deleted) post by TerryCutler.
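The same delegation, scripted instead of clicked through the ADUC security dialog, as an added example that is not part of the original post or of Intel SCS. The OU distinguished name and the service account name are placeholders; the GUIDs are the standard Active Directory values for the computer class and the Change Password extended right, and the script must run as a user allowed to modify the OU's security descriptor with the ActiveDirectory RSAT module installed.

```powershell
# Added example (not from the original post): grant the Intel SCS service account only the
# OU rights listed above, instead of Full Control on descendant computer objects.
# Assumptions: OU DN and account name are placeholders; run with rights to modify the OU's
# security descriptor and with the ActiveDirectory RSAT module available.
Import-Module ActiveDirectory

$ouDN       = "OU=Intel AMT,DC=corp,DC=example,DC=com"   # assumed OU holding the AMT computer objects
$svcAccount = "CORP\svc-intel-scs"                        # assumed Intel SCS/RCS service account

# Standard AD GUIDs (from the schema, not from the post)
$computerClass  = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of the 'computer' class
$changePassword = [Guid]"ab721a53-1e2f-11d0-9819-00aa0040529b"   # 'Change Password' extended right
$allProperties  = [Guid]::Empty                                   # empty object type = all properties

$sid = (New-Object System.Security.Principal.NTAccount($svcAccount)).Translate(
          [System.Security.Principal.SecurityIdentifier])

$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

function New-AdAce {
    # Thin wrapper around the six-argument ActiveDirectoryAccessRule constructor
    param($Right, [Guid]$ObjectType, $Inheritance, [Guid]$InheritedObjectType = [Guid]::Empty)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Right, $Allow, $ObjectType, $Inheritance, $InheritedObjectType)
}

$rules = @(
    # On the OU itself (no inheritance): "Create Computer objects", "Delete Computer objects", "List contents"
    (New-AdAce $Rights::CreateChild  $computerClass $Inherit::None),
    (New-AdAce $Rights::DeleteChild  $computerClass $Inherit::None),
    (New-AdAce $Rights::ListChildren $allProperties $Inherit::None),
    # On descendant computer objects only: "Change Password" and "Write all properties"
    (New-AdAce $Rights::ExtendedRight $changePassword $Inherit::Descendents $computerClass),
    (New-AdAce $Rights::WriteProperty $allProperties  $Inherit::Descendents $computerClass)
)

$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: list exactly what the service account now holds on the OU. Nothing should read
# GenericAll; the two Descendents entries must carry the computer class as InheritedObjectType.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $svcAccount } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

The final check is the part worth keeping around: running it before and after an Intel SCS upgrade, or after someone "fixes" provisioning by hand, shows whether the delegation has quietly drifted back to Full Control.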

 

Intel AMT Remote Configuration lets the firmware authenticate the configuration server during the initial Intel AMT configuration event. Remote configuration supports Admin Control Mode configuration of the Intel AMT firmware and is typically done using a valid provisioning certificate for the customer's environment.

 

This authentication process has to complete without user interaction. If the requesting application (i.e. Intel SCS) is prompted every time access to the private key is required, that autonomy is lost.

 

When importing the certificate on your target server, if the strong private key protection option is selected and greyed out, a conflicting group policy for cryptography has been applied to the server.

 

Changing the group policy setting on the server removes this barrier: set the System cryptography policy "Force strong key protection for user keys stored on the computer" to "User input is not required when new keys are stored and used".
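A check to run on the Intel RCS server before pointing Intel SCS at the certificate, as an added example that is not from the original post. It reads the registry value that backs the policy named above, confirms the certificate carries the Intel setup marking and a private key, and then uses the key once without a UI to prove no prompt is in the way. The thumbprint is a placeholder; the registry value name and the OID are assumptions stated in the comments.

```powershell
# Added example (not from the original post): on the Intel RCS server, check the policy that
# causes the greyed-out "strong private key protection" option, and prove that the
# provisioning certificate's private key can be used without a prompt.
# Assumptions: the thumbprint is a placeholder; ForceKeyProtection is assumed to be the
# registry backing store of "Force strong key protection for user keys stored on the computer".
$thumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"

# 1. Policy check. ForceKeyProtection: 0 = user input not required, 1 = prompt on first use,
#    2 = password required every time; value absent = not configured (no prompt).
$policy = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography" `
                           -Name ForceKeyProtection -ErrorAction SilentlyContinue
if ($null -eq $policy -or $policy.ForceKeyProtection -eq 0) {
    "Policy OK: user input is not required for private key use"
} else {
    Write-Warning "ForceKeyProtection=$($policy.ForceKeyProtection): RCS will hit a key-usage prompt; relax the GPO, then re-import the PFX"
}

# 2. Certificate checks. A remote configuration certificate is marked either with the Intel
#    setup OID in the Enhanced Key Usage or with the Intel OU in the subject (assumed values).
$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint"
$intelSetupOid = "2.16.840.1.113741.1.2.3"
$eku = $cert.Extensions |
       Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
       ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value }
$marked = ($eku -contains $intelSetupOid) -or ($cert.Subject -match 'OU=Intel\(R\) Client Setup Certificate')
if (-not $marked)             { Write-Warning "Certificate is not marked as an Intel AMT setup certificate" }
if (-not $cert.HasPrivateKey) { throw "No private key bound to $thumbprint - import the PFX, not the .cer" }

# 3. Non-interactive key use. With strong key protection still enforced this call blocks on a
#    dialog (or fails outright under a service account); with the policy relaxed it returns
#    silently. Run it from a non-interactive context (e.g. a scheduled task running as the
#    RCS service account) to mirror what Intel RCS actually does.
$rsa = $cert.PrivateKey          # RSACryptoServiceProvider for CSP-backed (PFX-imported) keys
if ($null -eq $rsa) { throw "Private key is not CSP-backed; inspect it with certutil -store My $thumbprint" }
$probe = [Text.Encoding]::UTF8.GetBytes("remote-configuration key probe")
# SHA1 here only because legacy CSPs reject SHA-256 in SignData; the probe is about key
# access, not signature strength.
$sig = $rsa.SignData($probe, "SHA1")
"Produced a $($sig.Length * 8)-bit signature without a prompt; key is usable by RCS"
```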

Periodically the question comes up: "Can I use Intel vPro Technology to remotely unlock an encrypted hard drive?", either because unattended encrypted systems need to be booted outside business hours and patched, or because there is a significant cost associated with IT helpdesk calls when technicians must remotely guide end users through a recovery process after they forget their drive encryption passphrase or PIN.

 

Here are some available solutions for remotely unlocking encrypted drives using Intel vPro Technology.

 

Intel Hardware KVM Technology: Using Intel AMT and a hardware KVM viewer such as RealVNC Viewer Plus or McAfee KVMView (part of McAfee ePO Deep Command), an IT helpdesk technician can remotely connect to an encrypted Intel vPro system and manually enter the recovery password at the pre-boot authentication screen to unlock the encrypted drive so Windows can boot. The remote connection to the Intel vPro system can be made over a wired or wireless LAN, and the system can be connected directly to the internal enterprise network or through a Client Initiated Remote Access (CIRA) session. The recovery password needs to have been previously escrowed to a backup database (usually done automatically as part of standard IT policy) such as Microsoft Active Directory, McAfee Managed Native Encryption (MNE) or Microsoft BitLocker Administration and Monitoring (MBAM), and the helpdesk technician needs access to that database. This solution is compatible with Windows Vista, Windows 7 and Windows 8 and is suitable for on-demand 1:1 scenarios, but it is not suitable for automated 1:many scenarios.

 

Windows PowerShell: Using Intel AMT and Windows PowerShell it is possible to run a script on a central server or IT helpdesk workstation that automatically retrieves previously escrowed BitLocker recovery passwords from a backup database, remotely connects to an encrypted Intel vPro system and uses Serial-over-LAN (SOL) to type the recovery password into the pre-boot authentication screen, unlocking the encrypted drive so that Windows can boot. This scripted approach automates the entire unlock process and can be invoked on demand by a helpdesk operator or scheduled to run when systems need to be patched. It can be used with systems connected over a wired or wireless network, directly to the internal enterprise network or through a CIRA session. This solution is compatible with Windows Vista, Windows 7 and Windows 8 and is suitable for on-demand 1:1 scenarios and automated 1:many scenarios. The video at http://www.youtube.com/watch?v=2ioN5BlD96Q shows an example of such a solution working. A consideration when using this with BitLocker is that while the recovery password is being typed into the pre-boot authentication screen it is momentarily visible to the end user. If this is an issue, the recovery password can be programmatically changed as part of the IT procedure associated with unlocking systems.

 

McAfee Drive Encryption: Using Intel AMT, McAfee ePO Deep Command and McAfee Drive Encryption (MDE) 7.x it is possible to configure MDE policies so that the MDE pre-boot authentication code automatically retrieves a disk unlock password from the centralized McAfee ePO server over a Serial-over-LAN (SOL) connection and uses it to unlock the encrypted drive so Windows can boot. The SOL connection between the Intel vPro systems and the McAfee ePO server can be made over a wired or wireless LAN, with systems connected directly to the internal enterprise network or through a CIRA session. MDE supports a variety of unlock policies, including limiting the number of consecutive unlock operations, controlling the times and weekdays when unlock operations are valid, and configuring whether unlock operations may take place inside or outside the enterprise network. This solution is compatible with Windows Vista, Windows 7 and Windows 8 and is suitable for on-demand 1:1 scenarios and automated 1:many scenarios. It is worth noting that this solution operates automatically on Intel vPro systems regardless of whether they require user consent.
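The two halves of the PowerShell approach above that are plain Windows administration, as an added example that is not from the original post or the linked video: pulling the escrowed BitLocker recovery password for a given computer out of Active Directory, and rotating it once it has been typed over SOL so the value that was briefly on screen is no longer valid. The SOL keystroke injection itself is done with the Serial-over-LAN client from the Intel AMT SDK and is not shown. The computer name and drive letter are placeholders; the BitLocker cmdlets exist on Windows 8 and Windows Server 2012 or later.

```powershell
# Added example (not from the original post). Two building blocks of the scripted unlock:
#  - Get-EscrowedRecoveryPassword: run on the helpdesk workstation, reads the password escrowed
#    to AD so it can be typed to the pre-boot screen over SOL (SOL client not shown here).
#  - Reset-RecoveryPassword: run on the client after it has booted, replaces the now-exposed
#    recovery password with a fresh one and escrows the new one to AD.
# Assumptions: computer name and mount point are placeholders; AD escrow of BitLocker recovery
# information is enabled by policy (msFVE-RecoveryInformation objects under the computer object).
Import-Module ActiveDirectory

function Get-EscrowedRecoveryPassword {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    # One msFVE-RecoveryInformation child object per recovery password; newest wins.
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                 -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                 -Properties whenCreated, msFVE-RecoveryPassword, msFVE-RecoveryGuid |
        Sort-Object whenCreated -Descending |
        Select-Object -First 1 -Property `
            @{ n = 'Password'; e = { $_.'msFVE-RecoveryPassword' } },
            @{ n = 'KeyId';    e = { [Guid]$_.'msFVE-RecoveryGuid' } },   # matches the ID shown at the pre-boot prompt
            whenCreated
}

function Reset-RecoveryPassword {
    param([string]$MountPoint = 'C:')
    $vol    = Get-BitLockerVolume -MountPoint $MountPoint
    $oldIds = @($vol.KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword' |
                ForEach-Object KeyProtectorId)

    # Add the new numerical password first so the volume is never without a recovery path,
    # escrow it to AD, and only then remove the protector that was visible on screen.
    $new   = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $newId = ($new.KeyProtector |
              Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $oldIds }
             ).KeyProtectorId
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $newId | Out-Null
    foreach ($id in $oldIds) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id | Out-Null
    }
    $newId
}

# Helpdesk side: fetch what to type over SOL (the 48-digit password, and the key ID to compare
# against the one the pre-boot screen displays before typing anything).
$rp = Get-EscrowedRecoveryPassword -ComputerName 'LAPTOP-0001'   # placeholder name
"Key ID $($rp.KeyId) escrowed $($rp.whenCreated)"

# Client side, after Windows is up (e.g. via a remote PowerShell session or a startup task):
# Reset-RecoveryPassword -MountPoint 'C:'
```

Comparing the escrowed key ID with the one shown at the pre-boot prompt before typing is the cheap check that keeps a wrong (stale or re-imaged) password from being pushed into a lockout counter.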

There are some situations in which it would be useful to export and import Intel Setup and Configuration Service (Intel SCS) provisioning profiles:

 

  • Environments with multiple Intel RCS servers to accommodate provisioning workload, where profiles need to be duplicated across servers
  • Environments with multiple Intel RCS servers because of organizational administration demands (e.g. politics, segregation), where profiles need to be copied across servers
  • Situations in which it is simply required to back up and restore profiles

 

 

Exporting profiles from Intel RCS is simple enough: from the Intel SCS console you use the toolbar to export profiles to an encrypted XML file. But there is no import function in the Intel SCS console to bring profiles back from a backup file or from another Intel RCS server.

 

So here's a simple solution. Intel RCS exposes a WMI provider which is used to communicate with other software such as the SCS console and the ACUConfig utility. Intel SCS provisioning profiles (amongst other things) can be read and written through this WMI provider, and Windows PowerShell includes built-in cmdlets for WMI providers. With a little effort we can construct a few lines of PowerShell to export, back up, restore and import profiles between Intel RCS servers.

 

The following code reads all Intel SCS profiles from an Intel RCS server and stores them in a PowerShell variable...

 

# Configure source RCS server
$SourceRCSServer = "SourceRCSServerHostname"


# Read profiles from source RCS server
$RCSProfiles = Get-WmiObject -Class "RCS_Profile" -Namespace "root/Intel_RCS_Editor" -Authentication PacketPrivacy -ComputerName $SourceRCSServer

 

Once we've read all the profiles, we may want to back them up. The following code copies our previously read profiles to a backup file...

 

# Save profiles to backup file

$RCSProfiles | Export-Clixml .\ProfilesBackup.xml

 

Sometime later we may want to restore our profiles. The following code restores our profiles from the backup file to a PowerShell variable...

 

# Restore profiles from backup file

$RCSProfiles = Import-Clixml .\ProfilesBackup.xml

 

And finally, if we want to write our profiles to one or more Intel RCS servers, the following code writes our profiles from a PowerShell variable to Intel RCS...

 

# Configure one or more destination RCS servers
$DestinationRCSServers = "DestinationRCSServer1", "DestinationRCSServer2", "DestinationServerN"


# Write profiles to destination RCS servers
foreach ($DestinationRCSServer in $DestinationRCSServers)
{
   # Read and delete any existing profiles on the destination RCS server
   Get-WmiObject -Class "RCS_Profile" -Namespace "root/Intel_RCS_Editor" -Authentication PacketPrivacy -ComputerName $DestinationRCSServer | Remove-WmiObject

 

   # Write all profiles to the destination RCS server; only the properties the
   # provider needs are copied, so each profile is recreated by name and content
   foreach ($RCSProfile in $RCSProfiles)
   {
      $ProfileProperties = @{
         ElementName        = $RCSProfile.ElementName
         InstanceId         = $RCSProfile.InstanceId
         Text               = $RCSProfile.Text
         ProfileDescription = $RCSProfile.ProfileDescription
         SolutionGUID       = $RCSProfile.SolutionGUID
         SolutionName       = $RCSProfile.SolutionName
      }
      Set-WmiInstance -Class "RCS_Profile" -Namespace "root/Intel_RCS_Editor" -Authentication PacketPrivacy -ComputerName $DestinationRCSServer -Arguments $ProfileProperties | Out-Null
   }
}

 

All of the above code assumes the currently logged-on Windows user has access to the Intel_RCS_Editor WMI namespace and the appropriate DCOM permissions on the Intel RCS server (see the Intel SCS User Guide for information on configuring these permissions during Intel RCS installation). The example code can easily be extended, for example by scheduling it to run regularly to synchronize profiles across multiple Intel RCS servers, or by using PowerShell's filtering to save some profiles and delete others.

 

Two cautionary notes:

 

  1. The code shown above to back up profiles to a file does not encrypt those files, therefore any plaintext credentials in a profile (e.g. the MEBx password, a fixed AMT admin password, AMT digest credentials or the KVM RFB password) will be visible in the backup file. The Intel SCS package includes a file encryption utility called SCSEncryption that can be used to encrypt/decrypt profile backup files; alternatively the files can be stored such that they are only accessible to authorized personnel.
  2. Profiles containing Microsoft Active Directory domain accounts, domain groups or certificate template information are tied to a specific Active Directory installation, because profiles store domain account, domain group and certificate template references by SID rather than by name. SIDs are specific to individual Active Directory installations, therefore profiles cannot be transported between installations if they contain domain accounts, domain groups or certificate template information. This means you can use the above scripts between Intel RCS servers that are all part of the same Active Directory forest (which is typically the case in most organizations). But profiles containing domain accounts, domain groups or certificate templates cannot be copied between different customer environments, or between a customer's test and production environments, if these are based on different Active Directory installations.
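A guard for cautionary note 2, as an added example that is not from the original post: before writing $RCSProfiles (as read by the Get-WmiObject call above) to a destination server, flag every profile whose Text carries SIDs from a domain other than the one the destination belongs to, and hold those back from the import. It assumes the profile Text returned by the WMI provider contains the AD references as textual SIDs of the form S-1-5-21-..., which is the storage format note 2 describes.

```powershell
# Added example (not from the original post): detect profiles that will not survive a move
# to a different Active Directory installation, and keep them out of the import.
# Assumption: the RCS_Profile Text property contains domain account/group/template references
# as textual SIDs (S-1-5-21-<domain>-<rid>), so a domain-SID prefix mismatch means "not portable".
Import-Module ActiveDirectory

function Test-RCSProfilePortability {
    param(
        [Parameter(Mandatory)]$Profiles,                             # objects read from RCS_Profile
        [string]$TargetDomainSid = (Get-ADDomain).DomainSID.Value    # domain of the destination RCS server
    )
    # Domain SIDs only: BUILTIN (S-1-5-32-...) and well-known SIDs do not match and are portable.
    $sidPattern = 'S-1-5-21-\d+-\d+-\d+-\d+'
    foreach ($p in $Profiles) {
        $sids    = @([regex]::Matches([string]$p.Text, $sidPattern) | ForEach-Object Value | Sort-Object -Unique)
        $foreign = @($sids | Where-Object { $_ -notlike "$TargetDomainSid-*" })
        [pscustomobject]@{
            Profile     = $p.ElementName
            DomainSids  = $sids.Count
            ForeignSids = $foreign
            Portable    = ($foreign.Count -eq 0)
        }
    }
}

$report = Test-RCSProfilePortability -Profiles $RCSProfiles
$report | Format-Table Profile, DomainSids, Portable, ForeignSids -AutoSize

# Import only the portable profiles; the others need their AD references re-entered in the
# SCS console on the destination server rather than being copied blindly.
$portableNames = ($report | Where-Object Portable).Profile
$RCSProfiles   = @($RCSProfiles | Where-Object { $_.ElementName -in $portableNames })
```

Run this after Import-Clixml and before the destination loop; profiles with DomainSids = 0 carry no AD references at all and copy cleanly between any two installations.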

 

Details of the Intel SCS WMI provider classes and methods are available in the downloadable Intel SCS SDK at https://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=20921

 

Hi All,

 

First time posting, so hopefully I give enough information.  The environment is SCCM 2012 R2 / HP EliteDesk 800 and HP Folio 1040 G1.  I want to get Out Of Band Management working so that clients can KVM at a BIOS level and initiate PXE boots remotely.

 

I have roughly followed this guide (with input from this community and technet) ;

 

http://sccmguru.wordpress.com/2013/12/20/integrating-configuration-manager-2012-r2-with-intel-scs-9-0-part-1/


I have created internal certificates as per the guide.  I have deployed the configuration profile as per the guide.


I have not used a third party certificate as I'm not sure where to load it into (I do have a GoDaddy certificate if required).


I have installed SCS / Vpro integration with SCCM and have the collections / task sequences and packages. 


The problems I am facing are;


1) In SCCM, machines are not changing status from "Detected" or "Not Supported"; I only have about three that say "externally provisioned".

2) The ones that do show as externally provisioned I am unable to vPro to. They have shown a few different behaviors (probably depending on the tweaking I've been doing) and will either:
   a) connect and prompt for user permission (only had this on one machine and can't replicate it; I would also like to not use user consent);
   b) connect and then disconnect straight away;
   c) not connect - host not found;
   d) not connect - machine actively refused connection.

3) SCCM seems to be adding the wrong computer object: for example, for machine name PC1234, SCCM is adding PC1234ime.  I have excluded the AD container that houses the IME objects from SCCM discovery, so it shouldn't be seeing them.  The problem with IME objects being in SCCM is that it stops its native remote control from working, as it should be looking for the real hostname.


I have been at this for about 4 weeks on and off for a client and it is driving me crazy.  Please help and let me know if any log files are required etc.


Thanks in advance,


Luke




With the release of Intel 4th generation core vPro processors comes new AMT versions, 9.0 and 9.5. This means that some of our favorite Use Case Reference Designs (UCRD) need driver updates. Well, fret no longer; 2 stage boot (iFast) and Remote Drive Mount (RDM) have been updated.

 

For those not in the know, RDM is a remote repair use case. Basically a technician can access the hard drive(s) of a remote system at the block level, even if Windows will no longer start.

 

iFast is a "building block" use case that makes remote booting faster, making it feasible to use larger ISOs, such as WinPE, for remote repair and/or OS imaging. Check them out below.

 

Remote Drive Mount

2 stage boot

 

Jake Fritz, vPro Expert

Read other posts from Jake

WA07

Intel Control Center software

Posted by WA07 Feb 17, 2014

I need to download Intel Control Center software to replace what I inadvertently uninstalled.  What version of Intel Control Center software is compatible with a notebook running Windows 7 64-bit?

Things are changing around here! Do you want to receive support direct from an Intel engineer? Intel® Business Support is a new portal designed to provide faster, more personalized assistance. Users submit tickets, track their tickets’ progress, and get their environment up and running faster within the Intel® Business Support website. Users are eligible to submit tickets by filling out a quick enrollment form.

 

If you choose not to enroll, you can access community-based support at the Intel® vPro™ Expert Center. The community, however, will no longer be supported by Intel experts. The only way to get assistance direct from Intel will be by enrolling. Enroll now and get your environment back on the fast track to success!

 

Intel® Business Support

Getting your business back to what’s important, faster.

bizsupport.intel.com

This simple infographic illustrates the benefits of using Intel Setup and Configuration Software (Intel SCS) in your enterprise IT environment: discover, configure and manage many Intel capabilities in your environment. For more in-depth details, visit http://intel.ly/1gq07yA

 

 

[Infographic: Intel_SCS_Infographic_Final.png]

Intel® SCS with SSD Pro Series Plug-in

Unlock the potential!

 

The value you find in an Intel® Solid-State Drive Professional 1500 Series (Intel® SSD Pro 1500 Series) is built-in. Get even more value from your drives with a new plug-in from Intel® Setup and Configuration Software (Intel® SCS). This allows IT departments to easily access information and configure the drives in your managed devices.

 

Intel® SCS’s new modular framework allows you to add “plug-in” functionality and feature sets into an existing Intel SCS installation (v9.0 and above). With one such plug-in, you can use Intel SCS to tune your Intel® SSD Pro 1500 Series drives and collect drive health data and allow IT to make proactive business decisions.

 

Manageability

Discoverable and configurable through Intel® SCS

Rollup of drive health statistics for proactive health management & monitoring

 

Enhanced Security

Protects Data (Self-Encrypting)

No Encryption Overhead

OPAL Key Management

 

Download Intel® SCS & Get Started!

Follow us @IntelvPro

If the configuration of Intel AMT is compatible, multiple applications can communicate with and use the technology. A common example is an environment with Microsoft SCCM for PC lifecycle management and McAfee ePO for endpoint security. Both consoles can communicate with Intel AMT if the underlying configuration is compliant.

 

Two articles have been posted to summarize the main steps for the following scenarios (click on the title\words for the respective document)

 

The materials intentionally point to McAfee ePO Deep Command in connection with Intel SCS for the configuration of Intel AMT.

McAfee ePO Deep Command provides beyond-the-operating-system security management. The product is well aligned with Intel AMT for discovery, configuration and use of the technology. Plus, once Intel AMT is configured, other capable applications can use it too.

 

What might not be known by all: there are different features and functions supported by Intel AMT, differing not only by generation or version, but by level of manageability.

 

The following article on McAfee Community walks through the good, better, and best scenarios.

 

McAfee Communities: Deep Command - Good, Better, and Best Scenarios

Understanding AMT, UEFI BIOS and Secure boot relationships

Notes from the lab.

 

As part of AMT validation, our functional testing lab verifies AMT use cases with UEFI BIOS. Since many questions about this come up from AMT users, I decided to write this brief explanation of the relationships between AMT, UEFI and Secure boot.

This is not a comprehensive explanation of UEFI; I focus only on the details necessary to understand the AMT related subjects.

If you want to learn more about UEFI, refer to UEFI page in Intel.com and the UEFI forum page.

 

Let’s start with the basic definitions:

 

UEFI

UEFI stands for Unified Extensible Firmware Interface, which is a specification of interfaces for modern BIOS firmware.

 

UEFI disk devices handling

Part of the UEFI specification is the disk device handling. The UEFI specification defines a "boot manager" that is in charge of loading the OS loader. Auto-detection of the boot loader relies on a standardized file path to the OS loader, depending on the actual architecture to boot (\EFI\BOOT\BOOT[architecture name].EFI, e.g. \EFI\BOOT\BOOTx64.EFI).

 

Compatibility Support Module (CSM)

The UEFI boot manager is able to load a legacy BIOS environment using the Compatibility Support Module (CSM). This module emulates the legacy BIOS environment and allows booting legacy operating systems, or newer operating systems that were installed without a UEFI boot loader.

 

Secure boot

Secure boot protects the boot process by refusing to load drivers or OS loaders that are not signed with an acceptable digital signature. The BIOS maintains a database of platform keys which are used to verify that the OS loader and drivers are trusted. Secure boot is supported by Windows 8, Windows Server 2012 and selected Linux distributions. In order to use it, the BIOS must hold the public key corresponding to the key that signed the OS loader. When using Secure boot, the Compatibility Support Module (CSM) must be disabled.

 

Key points:

 

UEFI

  • In order to use a UEFI based OS loader, the disk media has to contain the loader at the standard file path so that auto-detection works.
  • If we want our OS to use the UEFI OS loader, we need to boot the installation media through the UEFI based OS loader so that it installs the OS with a UEFI OS loader.
  • The Compatibility Support Module (CSM) lets the BIOS boot legacy (non-UEFI) media and operating systems.
  • Secure boot can be used to verify that the loaded OS is signed. In order to use Secure boot, you must disable the CSM in the BIOS settings.

 

AMT

AMT remote control operations offer boot control capabilities that allow the IT administrator to boot from different media types, such as the local hard disk or local CD. They also support booting from a virtual CD or virtual floppy through an IDE redirection (IDEr) session. The same UEFI BIOS device-handling rules apply when boot options and operations are issued by AMT, with one exception: Secure boot during an IDEr session.

 

Secure boot disable on IDEr

In order to allow the IT administrator to use an unsigned OS to heal the system, when a boot from IDEr media is performed AMT tells the BIOS to disable Secure boot for the IDEr media. This should not affect Secure boot for non-IDEr devices. Disabling Secure boot does not necessarily mean that the Compatibility Support Module (CSM) is enabled; that depends on the BIOS manufacturer's implementation.

It is possible to enforce Secure boot during an IDEr session from the management console by using a WS-MAN command to set the EnforceSecureBoot property of the AMT_BootSettingData class to 'true', as documented in the AMT SDK. The OEM BIOS must support this boot capability for Secure boot disable on IDEr to work.

 

Disabling secure boot on IDEr is supported in AMT version 8.1 and above.
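Reading and setting the EnforceSecureBoot property described above from a console, as an added example that is not from the original post or the AMT SDK. It uses the WSMan cmdlets built into Windows against the AMT WS-Management endpoint; host name, port and credentials are placeholders, and Set-WSManInstance is assumed to fetch the instance, merge the -ValueSet properties and Put it back, which is what the firmware expects for this class.

```powershell
# Added example (not from the original post): toggle EnforceSecureBoot on AMT_BootSettingData
# over WS-Management from a Windows management console.
# Assumptions: host, port and credentials are placeholders; 16992 is the non-TLS AMT port
# (use https and 16993 for a TLS-configured client); the firmware is AMT 8.1 or later.
$amtHost  = "amt-client.corp.example.com"
$cred     = Get-Credential -Message "Intel AMT admin (Digest) credentials"
$uri      = "http://${amtHost}:16992/wsman"
$resource = "http://intel.com/wbem/wscim/1/amt-schema/1/AMT_BootSettingData"
$selector = @{ InstanceID = "Intel(r) AMT: Boot Configuration 0" }   # the single boot-settings instance

function Get-AmtEnforceSecureBoot {
    $inst = Get-WSManInstance -ConnectionURI $uri -ResourceURI $resource -SelectorSet $selector `
                              -Authentication Digest -Credential $cred
    [bool]::Parse($inst.EnforceSecureBoot)
}

function Set-AmtEnforceSecureBoot {
    param([Parameter(Mandatory)][bool]$Enforce)
    # Put with the changed property; the firmware returns the stored instance, so the value
    # read back (not the request) is the source of truth for whether the OEM BIOS honours it.
    $inst = Set-WSManInstance -ConnectionURI $uri -ResourceURI $resource -SelectorSet $selector `
                              -ValueSet @{ EnforceSecureBoot = $Enforce.ToString().ToLower() } `
                              -Authentication Digest -Credential $cred
    $stored = [bool]::Parse($inst.EnforceSecureBoot)
    if ($stored -ne $Enforce) { throw "Firmware did not accept EnforceSecureBoot=$Enforce (OEM support missing?)" }
    $stored
}

"EnforceSecureBoot before: $(Get-AmtEnforceSecureBoot)"   # false = Secure boot relaxed for IDEr media
# Keep Secure boot on for the next IDEr boot (only signed recovery media will load):
Set-AmtEnforceSecureBoot -Enforce $true
# ... issue the IDEr boot from the console, then return to the default afterwards:
# Set-AmtEnforceSecureBoot -Enforce $false
```

Setting it to true before mounting a signed WinPE image means a recovery session no longer has to trade away Secure boot, which is the safer default for unattended repairs; set it back (or re-read it) afterwards, because the flag persists in the firmware rather than applying to a single boot.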

 

 

Testing

In case you want to test your platform or management console application operation with UEFI based disk handling capabilities and AMT, first verify that your platform’s BIOS settings and OS media are correct:

 

Configure the desired settings in the BIOS, such as Compatibility Support Module (CSM) enable/disable, Secure boot enable/disable and the Secure boot keys. Verify that the media you are attempting to boot was installed according to the desired boot loader type.

When all the settings are defined, attempt to boot the media from the platform's local devices and make sure that the platform behaves as expected. Only then try to perform remote control operations or an IDEr boot.

 

Q & A

 

Q: Do I have to disable the Compatibility Support Module (CSM) in order to boot with a UEFI based OS loader?

A: No. A UEFI BIOS should be able to detect and boot from media that has a UEFI based OS loader.

 

Q: Can I configure Secure boot with the Compatibility Support Module (CSM) enabled?

A: No. You must disable the Compatibility Support Module (CSM) in order to configure Secure boot. The BIOS may do this automatically, depending on the implementation.

 

Q: Why can't I boot from my legacy bootable CD during an IDEr session, although Secure boot should be disabled when booting an IDEr CD?

A: When Secure boot is configured in the BIOS, the Compatibility Support Module (CSM) is disabled too. BIOS writers are required to disable Secure boot on IDEr, but are not required to enable the CSM, so this behavior may vary between BIOS types and versions.

If you want to use legacy media with IDEr and the BIOS does not enable the CSM on IDEr automatically, you can configure the BIOS to enable the CSM before rebooting. This can be done from the remote console using AMT KVM or SOL.


Intel® 4th Gen Core™ vPro™ Processor &

Intel® Active Management Technology (version 9.0)

Configuration Management Product Implications

 

Intel® vPro™ Technology

Product Advisory

 

Summary:

Customers using IT configuration management products with support for Intel® AMT may be affected by a change in version 9.0.  Intel® 4th Gen Core™ vPro™ Processors ship with Intel® AMT version 9.0 in 2013.

 

1. What specifically is different about Intel’s 4th gen Intel® Core™ Processor platforms with Intel® AMT?

Intel® Core™ Processor platforms with Intel® AMT prior to the 4th generation supported the EOI communication protocol. Starting with Intel® AMT 3.2, an industry-standard protocol for out-of-band management, WS-Management (WS-MAN), was adopted. Intel supported both protocols from Intel® AMT 3.2 through 8.x. Plans to remove the older EOI protocol were announced in 2009, and Intel® AMT 9.x is the first generation that supports only WS-MAN.

 

2. How do I know if I am affected? 

There are IT configuration management products that have not made the transition to WS-MAN for Intel® AMT.  These products may require that the customer perform an upgrade to their configuration management product, to maintain compatibility with new platforms starting with Intel® 4th Gen Core™ vPro™ Processors.  Please check with your ISV to see if an upgrade is required to maintain compatibility.

 

3. How will this change impact customers’ experience?

If a customer is using an IT configuration management product that is not affected, then there is no change to the customer experience.  For customers using an IT configuration management product that requires an upgrade, there will be changes to the customers’ business processes.

 

4. In the meantime, what is the impact with current Intel® vPro™ customers?

Existing Intel® vPro™ Platforms with Intel® AMT that have already been provisioned will continue to be managed with IT configuration management products.  Customers with Intel® vPro™ Platforms that have not provisioned Intel® AMT should check with their ISV for specific list of supported Intel® AMT features and prior versions.

 

5. How will customers be supported? 

Customers are encouraged to contact their ISV directly for support.

 

6. Who can I contact with questions or for more information?

  • Intel Customer Support: www.support.intel.com
  • For information about: Intel® vPro™ Platforms: www.intel.com/go/vpro
