4 Replies Latest reply on Jan 12, 2017 6:15 AM by grahamriley

    Intel SCS + SCCM integration - where to start?

    grahamriley

      Hi, we have SCCM 1606 and we would like to deploy Intel SCS in order to be able to remotely wake and control our clients via SCCM.  I am completely new to Intel vPro / SCS so I need to understand where to start with this.  I have read somewhere that all clients need to have a certificate installed and they can get this certificate from an internal PKI server (which we have).  Is there a guide that covers the whole thing or can someone give me the basic steps that we need to work through to get this up and running?  So far I have Installed "Intel Manageability Commander 1.0.8" on my own PC and I can see "Intel AMT Power-On" when I right click on computer device collections.

       

      Kind regards,

      Graham

        • 1. Re: Intel SCS + SCCM integration - where to start?
          grahamriley

          OK I have downloaded and started to work my way through "Intel® Setup and Configuration Software (Intel® SCS) Add-on for Microsoft* System Center Configuration Manager" which seems like a a good place to start!

           

          I have another question regarding the client certificates: As we already using certificates to ensure HTTPS connectivity between the client and the SCCM server, will the same certificate be sufficient for the AMT or will the clients need another, separate certificate?

           

          Can I also check that no additional server is required for SCS and that we will be able to install the add-on directly on to the SCCM server?

           

          Thanks, Graham

          • 2. Re: Intel SCS + SCCM integration - where to start?
            dariusz.wittek@intel.com

            Graham,

             

            You need:

             

            1. Select Intel AMT Configuration method that will fit your needs – via  Remote Configuration Method (requires Intel AMT build-in LAN interface on each Intel vPro platform + single Remote Configuration certificate for internal domain name) or Host Based Configuration (no LAN neither certificate required but use of Redirection features will require end user to be present and provide 6 digit Consent Code over phone to IT Help Desk technican).

              See Intel SCS user guide   contains all information although is is not so easy to consume ;-(

              Download required package for Intel SCS (smaller one download package contains only Host Based Configuration components)
              https://downloadcenter.intel.com/download/26505/Intel-Setup-and-Configuration-Software-Intel-SCS-
            2. For SCCM you will need to configure Intel AMT with TLS encryption and Kerberos Authentication.

              TLS encryption means during  Intel AMT configuration each end point vPro PC will get its separate unique Web Server TLS certificate (Private key and CSR are generated by Intel AMT FW inside HW) with PC FQDN in cert CN. Those certs are issued by your own MS AD PKI CA.
              Kerberos Authentication means each end point vPro PC  Intel AMT FW will be represented in additional/separate AD OU by computer type object (yes it will look like duplicate of MS OS Computer object). There is need to create and maintain separate AD OU.

              Requirements and process for TLS & AD Integration are described in Intel SCS user guide. Those requirements are identical for both configuration methods.
            3. Once you prepared Intel AMT configuration setup (SCS’s RCS service is required for Remote Configuration) test it on single system (with script/RDP)
            4. It everything works OK you can download and install https://downloadcenter.intel.com/download/26506/Intel-SCS-Add-on-for-Microsoft-System-Center-Configuration-Manager

              During installation you will have to chose configuration method and point to your AMT settings profile (XML File for Host Based Configuration or AMT profile in Intel RCS for Remote Configuration).

              Intel® SCS Add-on for Microsoft* System Center Configuration Manager extends MS SCCM Client HW inventory with Intel AMT related classes and installs ready to activate task sequences for Intel AMT discovery, configuration and maintenance + Intel AMT related Collections.
            5. Once Intel AMT is configured you can manage it with https://downloadcenter.intel.com/download/26375/Intel-Manageability-Commander?
              Multiple systems Intel AMT based Power On requires to install Manageability Commander Wake Service component.
            6. You may also like to give a try a Intel® vPro™ Technology module for Windows* PowerShell https://downloadcenter.intel.com/download/25891/Intel-vPro-Technology-module-for-Windows-PowerShell?product=2354
              Good luck!

            Dariusz Wittek
            Intel  EMEA Biz Client Technical Sales Specialist

            • 3. Re: Intel SCS + SCCM integration - where to start?
              dariusz.wittek@intel.com

              Graham,

               

              Intel AMT TLS certificates private key & CSR are created inside Intel AMT/ME FW/HW so you will need to use separate certificates issued using standard WebServer certificate template (or its duplicate).
              Keep in mind Intel AMT is HW/FW based Web Service.
              MS SCCM Client may require some more usages in its certificate template (Intel SCS may probably work with SCCM Client cert template if it contains Server Authentication)

              Intel® SCS Add-on for Microsoft* System Center Configuration Manager is just a helper for easier integration and  has to be installed on SCCM primary site server.
              Intel® SCS  itself (RCS Remote Configuration server) may be installed on same server as SCCM Primary Site server (makes sense from perspective of keeping all Pc management components on same server) but does not have to.

               

              rgds

              Darek

              • 4. Re: Intel SCS + SCCM integration - where to start?
                grahamriley

                Thanks for your comprehensive reply Darek .  That is exactly the sort of thing I was looking for.

                 

                Graham