If you load up a full management console, the Intel SCS console, and so forth - the capability exists to create a setup.bin file with a predefined number of records containing the PID, PPS, and new password. This file is used to "pre-provision" Intel AMT clients. This is done by placing the setup.bin file on a FAT-16 formatted USB flash drive, inserting that drive into the Intel AMT system, powering it up, and accepting prompts to pre-provision the system. A previous post talks about when a setup.bin file might be too large - http://communities.intel.com/thread/1181
However, this raises a number of questions
- What if the default password is not "admin"? The SCS console and some system management console does not allow the default admin password to be anything except "admin"
- What if a VAR or a pre-staging environment ONLY wants to pre-provision systems, yet does want to setup the SCS console or other management console? All that is desired is to generate the setup.bin file
- What if the target system is Intel AMT 3.0 or higher, and distribution of non-persistent certificate hashes is desired?
- What if other properties in the MEBx (management engine BIOS extension) need to be set, such as a custom setting for the ProvisionServer in a specific domain?
- What if the Intel AMT 3.0 or higher system needs to be set to pre-shared key instead of remote configuration (difference of TLS-PSK vs. PKI-CH)?
- What if an existing setup.bin file needs to be checked for valid records?
These are all viable questions from real-world experience. Are you familiar with the updated version of the USBfile.exe utility?
To obtain - download the Intel AMT DTK source code available at http://www.intel.com/software/amt-dtk/. This will require accepting a license agreement and so forth.
Extract all the files\folders, and locate "USBFile.exe".
A few important notes:
- Both version 1 and 2 setup.bin files can be created, viewed, or summarized with this utility
- Version 2 of the setup.bin file works ONLY with Intel AMT 3.0 and higher
- Version 2 of the file enables pre-provisioning for both pre-shared key and remote configuration modes
- Version 2 of the file enables for custom settings of Intel MEBx fields (e.g. ProvisionServer FQDN, certificate hash management, etc)
- Intel AMT systems that are ALREADY in a setup or configured will not respond to a setup.bin file
- As each record of the setup.bin is used, it is invalidated.
- Once created, save an unused copy of the setup.bin file to import the keys into Intel SCS or target system management console.
- If needed, export the provisioning keys from an existing Intel SCS or system management console to generate a distributable setup.bin. Note that only unused keys can be exported. (If a future resource or post needed on setup.bin file handling, how to export used keys, and so forth - add a comment\reply)
If you run the file at a command prompt, the following guidance will be provided
A handy tool to have with you - especially in the pre-staging process of Intel AMT systems.