Skip navigation

Intel® vPro™ Platform

4 Posts authored by: martin.lloyd

Intel® Manageability Commander (IMC) is a lightweight console used to connect and use the features of Intel® Active Management Technology (Intel® AMT). Authenticated and authorised users are able to connect to configured AMT devices to access services such as power control, remote hardware-based keyboard, video, mouse (remote desktop), hardware inventory and more.

 

Additionally IMC integrates with Microsoft* System Center Configuration Manager (SCCM) version 1511 and to provide reliable, TCP based mass wake capabilities for collections of configured AMT systems.

The IMC console extensions will automatically perform an AMT power-on action against collections of AMT systems for deployments triggered in SCCM. Additionally you can use IMC to manually power on collections of supported AMT systems directly from the SCCM console using the right-click context menu (see below).

 

Download and extract Intel® Manageability Commander. During installation, ensure that "Microsoft* SCCM Console Extension" is selected.

NOTE: This component can only be selected when installing on a Microsoft* SCCM primary site and when wake-on-LAN is enabled for scheduled tasks.

 

During installation you will be asked to specific the logon account for the "Intel(R) Managebility Commander SCCM Partner Notification File Service".

Console Extensions.GIFService_Account.GIF

The specified account should have "Logon As A Service" user rights as the installation creates a system service.

 

NOTE: Digest authentication credentials cannot be used when utilising IMC from SCCM against a collection, only Kerberos authentication is supported.

 

In the example below we've used the service account responsible for running the Intel Remote Configuration Service. Intel SCS is a seperate component installed to support remote configuration of Intel AMT.

 

Please see this link for information on Intel® Setup and Configuration Software (Intel® SCS)

 

If the account doesn't have  "Logon As A Service" privileges then the warning below will be displayed during installation. Use the Local Security Policy to assign the required user right to the service account.

Intel MC WoL Service.PNGLogon As A Service.GIF

 

Once installation has been completed on the primary site, the SMS_EXECUTIVE service must be restarted to ensure features show up in Microsoft* SCCM.

 

Additionally, if the Microsoft* SCCM console was open during installation, then this will need to be closed and re-opened.

 

From the SCCM console right-cick against a collection and the option to "Power on with Intel Managebility Commander" is available.

 

It is recommended that you test the functionaility manually first if you have configured AMT systems in the collection.

 

When performing a mass wake from SCCM on a collection, IMC will prompt the user for the optional use of TLS for the remote connections.

NOTE:When AMT wake is used as part of a deployment, IMC will default to using TLS for all remote connections.

Power On with Intel Manageability Commander.GIFPower On with Intel Manageability Commander - TLS option.GIF

When performing a mass wake from SCCM on a collection, IMC will remain open so that the per-system status can be reviewed (see below)

Perform a bulk power operation.GIF

The final step will be to logon on using the service acccount that runs the "Intel(R) Managebility Commander SCCM Partner Notification File Service" specified earlier. Once logged in run Intel Manageability Commander and connect to a provisioned AMT device, then disconnect and logoff.

 

This saves configuration changes for that account and ensures the "Intel(R) Managebility Commander SCCM Partner Notification File Service" is able to power on AMT devices unattended.

NOTE: A new version of the Intel® Setup and Configuration Software (Intel® SCS) Add-on for Microsoft* System Center Configuration Manager (SCCM) is now available.

 

The Intel® Setup and Configuration Software (Intel® SCS) Add-on for Microsoft* System Center Configuration Manager (SCCM) is a configuration wizard that creates collections, packages and task sequences that can be used to automatically discover, configure and maintain Intel Active Management Technology (Intel® AMT) within your organisation directly from the Configuration Manager Console.


This document details how to automatically discover AMT devices within your client estate to determine platform manageability capabilities and whether AMT firmware updates are required.

 

Subsequent articles will detail how to automatically configure, unconfigure and maintain Intel Active Management Technology (Intel® AMT)

Intermediate certificates act as a proxy for a Root certificate authority (CA) which is traditionally kept behind several layers of security i.e. “offline”, kept in a highly secure environment with limited access to ensure its keys are inaccessible.

 

Hence the Root CA is not used to directly sign SSL certificates but delegates these tasks to intermediate CA’s. The Root certificate signs the intermediate certificate which in turn is used to sign digitial SSL certificates and maintain the "Chain of Trust."

 

Traditionally an Intel® AMT system could only use trusted root certificates or a full certificate chain i.e. intermediate, leaf certifcates in it's own certifccate store to authenticate correctly. Intel SCS 12 now has support to enable the use of intermediate certificates to support authentication for any of the features below:

  • 802.1x Setups
  • Remote Access using a Management Presence Server
  • Mutual authentication in Transport Layer Security

 

You may say "so what" however this capability is becoming increasingly important where, for example the 802.1x network protocol is used to provide an authentication mechanism to devices wishing to connect to a corporate LAN or WLAN. The variety of RADIUS servers available i.e. Microsoft Network Policy Server (NPS), Aruba Clearpass, Cisco Identity Services Engine etc. means authentication is not always performed using a complete certificate chain, rather using an intermediate and leaf.

 

This feature enhancement should enable Intel AMT to integrate easier into 802.1x environments to support robust network authentication and still be available to support out-of-band services such as KVM (keyboard, video, mouse) or power control when the OS isn't running or the system is powered off/down/hibernate within an enterprise environment.

Intel Setup and Configuration Software (SCS) 12.0 now defaults to TLS 1.1 to encrypt communications with Intel AMT. The TLS 1.0 protocol has identified security vulnerabilities, including CVE-2011-3389 and CVE-2014-3566.

 

The Remote Configuration Service (RCS) now uses TLS 1.1 for secure configuration, unconfiguration and maintenance operations of AMT devices. To continue to manage legacy AMT systems, you must opt in for TLS 1.0 support (or add it). With SCS 12.0, the RCS will first attempt to connect using TLS version 1.1 and only if AMT system supports TLS 1.0 will it use that version.

 

You can enable TLS 1.0 protocol support to enable backwards compatibility (for devices running Intel® AMT version 7.0 and newer only) optionally during installation/upgrade of the Remote Configuration Server (RCS) and after installation.

 

During installation the "Support for Transport Layer Security (TLS) Protocol 1.0" check box can be selected (not enabled by default). After pressing Next you will have to confirm that you want to enable TLS 1.0 protocol support.

If you are running Intel SCS 12.0 and experience provisioning errors such as "***********Exit with code 75. Details: Failed to complete remote configuration of this Intel(R) AMT device" when provisioning older AMT devices, check the following registry entry on the system running the RCS:

  • 32-bit Operating Systems: HKLM\SOFTWARE\Intel\Intel(R) Setup and Configuration Software\12\RCS\GeneralSettings\
  • 64-bit Operating Systems: HKLM\SOFTWARE\Wow6432Node\Intel\Intel(R) Setup and Configuration Software\12\RCS\GeneralSettings\
    • Set the key value for EnableTLS1.0 to 1 the ensure the RCS supports both TLS 1.1 and TLS 1.0 protocols for encryption.
    • If the key value for EnableTLS1.0 equals 0, the RCS defaults to support TLS 1.1 protocol.

Restart the RCSServer service to ensure it rechecks the value of this key.

 

Please reference the Intel® Setup and Configuration Software (Intel® SCS) User Guide for additional information

 

Intel® Manageability Commander 2.0 has also removed TLS 1.0 protocol support and will only support connections to device running Intel® AMT version 7.0 and newer only.

Download Intel® Manageability Commander version 2.0.245

 

If you need to remotely manage older AMT devices (than version 7.0) then an earlier version of Intel® Manageability Commander is available (not sure for how long though!)

Download Intel® Manageability Commander version 1.08

 

Finally AMT 12.0 firmware support for TLS 1.0 has been removed and in TLS 1.2 support has been added its place.

Filter Blog

By date: By tag: