Intel vPro Technology: Creating a custom setup.bin file

Version 7

    If you load up a full management console, the Intel SCS console, and so forth - the capability exists to create a setup.bin file with a predefined number of records containing the PID, PPS, and new password.  This file is used to "pre-provision" Intel AMT clients.  This is done by placing the setup.bin file on a FAT-16 formatted USB flash drive, inserting that drive into the Intel AMT system, powering it up, and accepting prompts to pre-provision the system.  A previous post talks about when a setup.bin file might be too large - http://communities.intel.com/thread/1181

     

    However, this raises a number of questions

    • What if the default password is not "admin"? The SCS console and some system management console does not allow the default admin password to be anything except "admin"
    • What if a VAR or a pre-staging environment ONLY wants to pre-provision systems, yet does want to setup the SCS console or other management console?  All that is desired is to generate the setup.bin file
    • What if the target system is Intel AMT 3.0 or higher, and distribution of non-persistent certificate hashes is desired?
    • What if other properties in the MEBx (management engine BIOS extension) need to be set, such as a custom setting for the ProvisionServer in a specific domain?
    • What if the Intel AMT 3.0 or higher system needs to be set to pre-shared key instead of remote configuration (difference of TLS-PSK vs. PKI-CH)?
    • What if an existing setup.bin file needs to be checked for valid records?

     

    These are all viable questions from real-world experience.  Are you familiar with the updated version of the USBfile.exe utility?

     

    To obtain - download the Intel AMT DTK source code available at http://www.intel.com/software/amt-dtk/.  This will require accepting a license agreement and so forth.

     

    Extract all the files\folders, and locate "USBFile.exe".

     

    A few important notes:

    • Both version 1 and 2 setup.bin files can be created, viewed, or summarized with this utility
    • Version 2 of the setup.bin file works ONLY with Intel AMT 3.0 and higher
    • Version 2 of the file enables pre-provisioning for both pre-shared key and remote configuration modes
    • Version 2 of the file enables for custom settings of Intel MEBx fields (e.g. ProvisionServer FQDN, certificate hash management, etc)
    • Intel AMT systems that are ALREADY in a setup or configured will not respond to a setup.bin file
    • As each record of the setup.bin is used, it is invalidated.
    • Once created, save an unused copy of the setup.bin file to import the keys into Intel SCS or target system management console.
    • If needed, export the provisioning keys from an existing Intel SCS or system management console to generate a distributable setup.bin.  Note that only unused keys can be exported.  (If a future resource or post needed on setup.bin file handling, how to export used keys, and so forth - add a comment\reply)

     

    If you run the file at a command prompt, the following guidance will be provided

     

    USBFile2.gif

    A handy tool to have with you - especially in the pre-staging process of Intel AMT systems.