
The Intel® Setup and Configuration Software (Intel® SCS) Add-on for Microsoft* System Center Configuration Manager (SCCM) is a configuration wizard that creates collections, packages and task sequences that can be used to automatically discover, configure and maintain Intel Active Management Technology (Intel® AMT) within your organisation directly from the Configuration Manager Console.


This document details how to automatically discover AMT devices within your client estate to determine platform manageability capabilities and whether AMT firmware updates are required.

 

Subsequent articles will detail how to automatically configure, unconfigure and maintain Intel Active Management Technology (Intel® AMT).

Intermediate certificates act as a proxy for a root certificate authority (CA), which is traditionally kept behind several layers of security, i.e. "offline": held in a highly secure environment with limited access to ensure its keys are inaccessible.

 

Hence the root CA is not used to sign SSL certificates directly but delegates this task to intermediate CAs. The root certificate signs the intermediate certificate, which in turn is used to sign digital SSL certificates and maintain the "Chain of Trust."

 

Traditionally, an Intel® AMT system could only use trusted root certificates or a full certificate chain (i.e. intermediate and leaf certificates) in its own certificate store to authenticate correctly. Intel SCS 12 now supports the use of intermediate certificates for authentication in any of the features below:

  • 802.1x Setups
  • Remote Access using a Management Presence Server
  • Mutual authentication in Transport Layer Security

 

You may say "so what?", but this capability is becoming increasingly important where, for example, the 802.1x network protocol is used to authenticate devices wishing to connect to a corporate LAN or WLAN. The variety of RADIUS servers available (e.g. Microsoft Network Policy Server (NPS), Aruba ClearPass, Cisco Identity Services Engine) means authentication is not always performed using a complete certificate chain, but rather using an intermediate and a leaf certificate.

 

This feature enhancement should enable Intel AMT to integrate more easily into 802.1x environments, supporting robust network authentication while remaining available for out-of-band services such as KVM (keyboard, video, mouse) or power control when the OS isn't running or the system is powered off, powered down or hibernating within an enterprise environment.

Intel Setup and Configuration Software (SCS) 12.0 now defaults to TLS 1.1 to encrypt communications with Intel AMT. The TLS 1.0 protocol has identified security vulnerabilities, including CVE-2011-3389 and CVE-2014-3566.

 

The Remote Configuration Service (RCS) now uses TLS 1.1 for secure configuration, unconfiguration and maintenance operations of AMT devices. To continue to manage legacy AMT systems, you must opt in for TLS 1.0 support (or add it). With SCS 12.0, the RCS will first attempt to connect using TLS version 1.1, and only if the AMT system supports TLS 1.0 will it use that version.

 

You can optionally enable TLS 1.0 protocol support for backwards compatibility (for devices running Intel® AMT version 7.0 and newer only), either during installation/upgrade of the Remote Configuration Server (RCS) or after installation.

 

During installation the "Support for Transport Layer Security (TLS) Protocol 1.0" check box can be selected (not enabled by default). After pressing Next you will have to confirm that you want to enable TLS 1.0 protocol support.

If you are running Intel SCS 12.0 and experience provisioning errors such as "***********Exit with code 75. Details: Failed to complete remote configuration of this Intel(R) AMT device" when provisioning older AMT devices, check the following registry entry on the system running the RCS:

  • 32-bit Operating Systems: HKLM\SOFTWARE\Intel\Intel(R) Setup and Configuration Software\12\RCS\GeneralSettings\
  • 64-bit Operating Systems: HKLM\SOFTWARE\Wow6432Node\Intel\Intel(R) Setup and Configuration Software\12\RCS\GeneralSettings\
    • Set the key value for EnableTLS1.0 to 1 to ensure the RCS supports both TLS 1.1 and TLS 1.0 protocols for encryption.
    • If the key value for EnableTLS1.0 equals 0, the RCS defaults to supporting the TLS 1.1 protocol.

Restart the RCSServer service to ensure it rechecks the value of this key.
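
The registry check above as a PowerShell script, added here as an example and not taken from Intel's documentation. The key paths, value name and service name are the ones given in this article; the `-Mode` parameter is introduced for the example, and the script assumes an elevated session on the RCS host.

```powershell
# Added example: audit, and optionally change, the RCS TLS 1.0 fallback setting.
# Key paths, value name and service name are those given in the article;
# the -Mode parameter is introduced for this example. Run elevated on the RCS host.
param(
    [ValidateSet('Audit', 'Enable', 'Disable')]
    [string]$Mode = 'Audit'
)

$valueName = 'EnableTLS1.0'
$suffix    = 'Intel\Intel(R) Setup and Configuration Software\12\RCS\GeneralSettings'
$keyPaths  = @("HKLM:\SOFTWARE\$suffix", "HKLM:\SOFTWARE\Wow6432Node\$suffix") |
    Where-Object { Test-Path -LiteralPath $_ }

if (-not $keyPaths) {
    Write-Error 'RCS GeneralSettings key not found on this host.'
    exit 2
}

foreach ($keyPath in $keyPaths) {
    $key     = Get-Item -LiteralPath $keyPath
    $current = $key.GetValue($valueName, $null)   # $null when the value is absent

    if ($Mode -ne 'Audit') {
        if ($null -eq $current) {
            # The article does not state the value's registry type, so do not create it.
            Write-Warning "$valueName is absent under $keyPath; not creating it."
        } else {
            $kind    = $key.GetValueKind($valueName)   # keep the existing type
            $desired = if ($Mode -eq 'Enable') { 1 } else { 0 }
            Set-ItemProperty -LiteralPath $keyPath -Name $valueName -Value $desired -Type $kind
            $current = (Get-Item -LiteralPath $keyPath).GetValue($valueName, $null)
        }
    }

    # Report the state so TLS 1.0 fallback shows up in configuration audits.
    [pscustomobject]@{
        Key          = $keyPath
        EnableTLS10  = $current
        Tls10Allowed = ("$current" -eq '1')
    }
}

if ($Mode -ne 'Audit') {
    # Restart so the RCS rechecks the value, as the article instructs.
    Restart-Service -Name 'RCSServer'
}
```

Invoked without arguments it only reports the current state; `-Mode Enable` or `-Mode Disable` writes 1 or 0 to an existing value and restarts the service.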

 

Please refer to the Intel® Setup and Configuration Software (Intel® SCS) User Guide for additional information.

 

Intel® Manageability Commander 2.0 has also removed TLS 1.0 protocol support and will only support connections to devices running Intel® AMT version 7.0 and newer.

Download Intel® Manageability Commander version 2.0.245

 

If you need to remotely manage AMT devices older than version 7.0, then an earlier version of Intel® Manageability Commander is available (not sure for how long though!)

Download Intel® Manageability Commander version 1.08

 

Finally, AMT 12.0 firmware support for TLS 1.0 has been removed, and TLS 1.2 support has been added in its place.
