View - Intel Communities
Contents
1. [Screenshot: SCS console tree: Global Operations, Logs, Actions Status, Security Audit, New Intel AMT Systems.] In the Active Directory Organizational Unit (OU) box, type the OU where the Intel AMT objects will be created. For example: OU=IntelAMTOU,DC=west,DC=vproprod,DC=local. Click Set Props, and then in the FQDN box type the FQDN of the Intel AMT system. For example: hp-10.vpropov.local. [Screenshot: Edit New Intel AMT Properties dialog with fields UUID, FQDN (hp-03.west.vproprod.local), Active Directory Organizational Unit (LDAP Distinguished Name format: OU=x,x,DC=foo,DC=com; value OU=IntelAMTOU,DC=west,DC=vproprod,DC=local) and Profile (MTLS-01); OK, Cancel.] Quick Reference Guide: Getting to Pro, An Enterprise Approach to Deploying Intel AMT. In the Profile box, click the dropdown arrow to select the profile defined for this Intel AMT system. Click OK. From the left pane of the SCS console, click Actions Status. [Screenshot: Intel AMT Setup and Configuration Service Console, Configuration Service Settings: General, Maintenance Policies, Prof
2. [Screenshot: Certificate Database Settings: certificate database location (Browse); Store configuration information in a shared folder; Preserve existing certificate database.] You may accept the default location for the Certificate Database Settings or modify it as prescribed by your company policy. The configuration information will be stored in Active Directory, so leave the Store configuration information in a shared folder option unchecked. Click Next. Complete the CA Certificate Request as follows. [Screenshot: Windows Components Wizard, CA Certificate Request: Request the certificate for this CA by sending the request directly to a parent CA, or saving the request to a file and sending this file to the parent CA. Options: Send the request directly to a CA already on the network (Computer name, Parent CA); Save the request to a file (Request file, Browse); Back, Next, Cancel, Help.] a. Click the Browse button next to the Computer name window. [Screenshot: Select Certification Authority: select a Certification Authority to send the request to; CA and Computer columns listing the standalone root CA on the vproprod.local domain; OK, Cancel.] b. The standalone Root CA will be highlighted; click OK to select it. c. The Computer name and the Parent CA fields are auto-filled for you. d. Accept the default Save the request to a file location. Windows Co
3. Advanced IDER Settings: click this button and a dialog appears in which you can set the maximum concurrent number of IDER sessions and the session timeout. [Screenshot: Advanced IDER Settings dialog: Max Concurrent IDER Sessions 5; Session Will Close After 10 minutes; OK, Cancel.] Note: The values set in the Advanced IDER Settings dialog override the values set in the Intel AMT Add-on settings Redirection Operations dialog for the next redirection operation only. Perform Boot: Click the Perform Boot button in the Redirection Operations dialog. Caution: The Perform Boot command can cause loss of data to users logged on to the system. 1. Select the Include subcollections checkbox when the Boot verification message appears (optional; if selected, this action is also performed on sub-collections). Click OK to boot the selected collections. [Screenshot: Boot verification message: Preparing to boot Intel AMT supported systems in the collection from an image. This operation will be executed in the background. Operation progress will be recorded in the SMS log. To include subcollections, check the Include subcollections checkbox. To continue with this operation, click OK; OK, Cancel.] The result of the redirection operation for each system is logged to the SMS log. A summary log entry is written to the SMS log when the operation ends. Note: Ensure that the syst
4. SIZE = 3072KB, MAXSIZE = UNLIMITED, FILEGROWTH = 1024KB )
LOG ON ( NAME = N'NewAMTProperties_log', FILENAME = N'c:\Program
SIZE = 1024KB, MAXSIZE = 2048GB, FILEGROWTH = 10% )
COLLATE SQL_Latin1_General_CP1_CI_AS
GO
EXEC dbo.sp_dbcmptlevel @dbname = N'NewAMTProperties', @new_cmptlevel = 90
GO
IF (1 = FULLTEXTSERVICEPROPERTY('IsFullTextInstalled'))
begin
EXEC [NewAMTProperties].[dbo].[sp_fulltext_database] @action = 'enable'
end
GO
ALTER DATABASE NewAMTProperties SET ANSI_NULL_DEFAULT OFF
GO
ALTER DATABASE NewAMTProperties SET ANSI_NULLS OFF
GO
ALTER DATABASE NewAMTProperties SET ANSI_PADDING OFF
GO
ALTER DATABASE NewAMTProperties SET ANSI_WARNINGS OFF
GO
ALTER DATABASE NewAMTProperties SET ARITHABORT OFF
GO
ALTER DATABASE NewAMTProperties SET AUTO_CLOSE OFF
GO
ALTER DATABASE NewAMTProperties SET AUTO_CREATE_STATISTICS ON
GO
ALTER DATABASE NewAMTProperties SET AUTO_SHRINK OFF
GO
ALTER DATABASE NewAMTProperties SET AUTO_UPDATE_STATISTICS ON
GO
ALTER DATABASE NewAMTProperties SET CURSOR_CLOSE_ON_COMMIT OFF
GO
ALTER DATABASE NewAMTProperties SET CURSOR_DEFAULT GLOBAL
GO
ALTER DATABASE NewAMTProperties SET CONCAT_NULL_YIELDS_NULL OFF
GO
ALTER DATABASE NewAMTProperties SET NUMERIC_ROUNDABORT OFF
GO
ALTER DATABASE NewAMTProperties SET QUOTED_IDENTIFIER OFF
GO
ALTER DATABASE NewAMTProperties SET RECURSIVE_TRIGGERS OFF
GO
ALTER DATABASE NewAMTProperties SET ENABLE_BROKER
GO
ALTER DATABASE NewAMTProperties SET AUTO_UPDATE_STATISTICS_ASYNC OFF
GO
ALTER DATABASE NewAMTProperties SET DATE_CORRELATION_OPTIMIZATION OFF
GO
ALTER DATABASE
5. [Screenshot: Certificate Database Settings: certificate database location C:\WINDOWS\system32\CertLog (Browse); Store configuration information in a shared folder; Preserve existing certificate database.] You may accept the default location for the Certificate Database Settings or modify it as prescribed by your company policy. The configuration information will be stored in Active Directory, so leave the Store configuration information in a shared folder option unchecked. Click Next. 12. Click Yes on the dialog message informing you that IIS must be stopped temporarily. [Dialog: Microsoft Certificate Services: To complete the installation, Certificate Services must temporarily stop the Internet Information Services. Do you want to stop the service now?] 13. Click Finish and then close the Add or Remove Programs window. 14. Configure the CA to issue certificates as follows: 1. Click Start > Administrative Tools > Certification Authority. Quick Reference Guide: Maximizing the Benefits of Intel Active Management Technology, A Solution Guide. [Screenshot: Certification Authority console (File, Action, View, Help) showing VPRO-CAR Properties with tabs General, Policy Module, Exit Module, Extensions, Storage, Certificate Managers Restrictions, Auditing, Security; Description of active policy module: Name: Windows default; Descriptio
6. [Screenshot: Certification Authority (Local) console, VPRO-VS1, Certificate Templates list with Name and Intended Purpose columns: RAS and IAS Server (Client Authentication, Server Authentication); Directory Email Replication (Directory Service Email Replication); Router (Offline request) (Client Authentication); Domain Controller Authentication (Client Authentication, Server Authentication); EFS Recovery Agent (File Recovery); Basic EFS (Encrypting File System); Domain Controller (Client Authentication, Server Authentication); Web Server (Server Authentication); Computer (Client Authentication, Server Authentication); User (Encrypting File System, Secure Email, Client Authentication); Subordinate Certification Authority (<All>); Administrator (Microsoft Trust List Signing, Encrypting File System); navigation tree: Revoked Certificates, Issued Certificates, Pending Requests, Failed Requests, Certificate Templates; OK, Cancel.] Click OK. [Screenshot: Certification Authority (Local) console, VPRO-VS1, Certificate Templates now listing Intel AMT Client Certificate (Server Authentication, intel_oid, Client Authentication) alongside Directory Email Replication (Directory Service Email Replication), Domain Controller Authentication (Client Authentication, Server Authentication) and EFS Recovery Agent (File Reco
Select Certificate Templates in the navigation tree.
7. [Screenshot: asset identification information dialog: Baseboard Manufacturer: Hewlett-Packard; Baseboard Serial Number: 2URe371FSPF; Baseboard Asset Tag: N/A; Close.] 1. Right-click on the collections container. 2. Select All Tasks > Intel AMT Tasks > Discover Intel AMT via SCS. 3. The Add-on retrieves the systems provisioned by SCS and adds them to the SMS database. Compare the displayed information with the physical asset information on the system; they should match. 5. If the device did not report the hardware inventory, re-discover the iAMT capabilities by right-clicking the iAMT device and selecting All Tasks > Intel iAMT Tasks > Discover System. Asset Inventory: Asset inventory for systems discovered by the Intel AMT subsystem is stored in the SMS database. To view an Intel AMT system's asset information: 1. Select and right-click an Intel AMT system. 2. Select All Tasks > Intel AMT Tasks > Asset Identification Information. 3. The asset identification information will be displayed as shown below. Power Control Operations: There are several reasons that a machine may need to be powered on, powered off, or reset. The Power Control feature allows management of systems when the Operating System is not functioning properly, or in cases where remote services have been turned off and SMS Remote Control or RDP cannot be used. This saves money and
8. [Screenshot: Intel AMT Add-on settings, Performance tab: Max Concurrent Network Connections (1-60): 10; Max Number of Concurrent Operations (1-200): 10; Collection Operation Lock Timeout (1-30): 10 minutes; Client Response Timeout (10-120): 30 seconds; Reload Settings, Save And Close, Close App.] Boot Image Base Path: Click on Browse to select an image that is located in the repository set by the Boot Images Base Path option in the Intel AMT Add-on settings dialog, or within the size limits of the CD or medium designed to store it. Note: If no IDER boot image repository has been set in the Intel AMT Add-on settings dialog, a warning message is displayed and all the options in the Redirection Operations dialog are disabled. System Defense: Intel AMT delivers a new category of capabilities called system defense, including agent presence and network outbreak containment, which allows you to define multiple system defense and heuristics policies and apply them individually to each collection or system in an SMS site. These capabilities provide hardware-based timers for checking the presence of security agents, hardware-based filters for inbound and outbound network traffic, and isolation circuitry. The System Defense feature allows you to apply a System Defense Policy (SDP) or Heuristics Policy (HP) to an SMS collection or to a single system. You can define multiple policies for different systems and different circumstances. You create policies by specifying them in script
9. [Screenshot: SQL Server Configuration Manager, SQL Native Client Configuration: Client Protocols (Named Pipes Enabled, VIA Disabled), Aliases.] Make sure that Shared Memory, Named Pipes and TCP/IP are enabled. If they are not, select each, right-click and select Enable. Close the SQL Server Configuration Manager window. Enable SQL Server and Windows Authentication Mode: 1. Log on to the server running SQL Server 2005. 2. Click Start > All Programs. From the Microsoft SQL Server 2005 program group, select SQL Server Management Studio. Enter the server name, select Windows Authentication and click Connect. Right-click on the root node. A popup menu is displayed. a. Select Properties and then select Security. [Screenshot: Server Properties, pages General, Memory, Processors, Security, Connections, Database Settings, Advanced, Permissions; Security page: Server authentication: Windows Authentication mode / SQL Server and Windows Authentication mode; Login auditing: None, Failed logins only, Successful logins only, Both failed and successful logins; Server proxy account: Enable server proxy account, Proxy account, Password; Options: Enable C2 audit tracing, Cross database ownership chaining; Connection: Server VPRO-S2, VPROPOV\Administrator, View connection properties; Ready.] b. In the Server authentication section, verify that SQL Server and Windows Auth
10. [Screenshot: SQL Server Configuration Manager (Local): SQL Server 2005 Services; SQL Server 2005 Network Configuration > Protocols for MSSQLSERVER: Shared Memory Enabled, Named Pipes Enabled, TCP/IP Enabled, VIA Disabled; SQL Native Client Configuration.] e. Verify that Shared Memory, Named Pipes and TCP/IP are enabled. f. If they are not, select each, right-click and select Enable, and click OK at the message. g. Right-click on Protocols for MSSQLSERVER and select Properties. [Screenshot: Protocols for MSSQLSERVER Properties, tabs Flags and Certificate; Force Encryption; Hide Instance; Force Encryption: Turn on or off encryption for selected server instance; OK, Cancel, Apply, Help.] h. In the Force Encryption drop-down box, select Yes to enable secured database communication using the internal SQL Server encryption option. i. Click OK and then click OK at the message. j. Expand the SQL Native Client Configuration branch. k. Select the Client Protocols branch. [Screenshot: SQL Server Configuration Manager (Local), columns Order and Enabled: Shared Memory Enabled, TCP/IP Enabled; tree: SQL Server 2005 Services, SQL Server 2005 Network Configuration, Protocols for MSSQLSERVER f
11. 6. Place a checkmark next to the Enable Mutual Certificate checkbox. 7. In the Client Certificate Path field, enter the path to the Client Certificate Path .pem file created above. 8. In the Client Certificate Password field, enter the password of the Client certificate. 9. It is not necessary to modify the Service Account Password field. 10. Click Apply. NOTE: All certificate paths specified above must be local to the SMS server(s) where the Add-on is installed. 6. A list of available SCS profiles configured to work with the SMS Add-on is displayed. Select the profile(s) needed and click OK. SMS Add-on Setup and Configuration Tab: [Screenshot: Add-on Settings dialog, tabs About, Setup and Configuration, Security, Performance, Advertisement, Redirection, System Defense. Setup and Configuration tab: Configure Setup and Configuration tab to determine the authentication credentials sent to the Intel AMT systems. Integrated Setup and Configuration: Server Host Name vpro-vs9.west.vproprod.loc; Server Port Number; Test; Supported Profiles: Set Profiles, Remove Profile; AD Organizational Unit: Computers.] 1. Click the Setup and Configuration tab. [Screenshot: Add-on Settings dialog, tabs About, Setup and Configuration, Security, Performance, Advertisement, Redirection, System Defense.]
12. AMT Setup & Configuration Server 3.0 or later. Detailed account requirements are described in the appropriate sections below. This document will not provide instruction for installing the Microsoft SQL database server and/or cluster. It is assumed the enterprise SQL database administrators will be engaged to provision the appropriate database. Microsoft Certificate Authority (CA): Setup for the CA is rather straightforward, and the instructions listed below describe how to set up an offline root in addition to a subordinate CA. This document will focus on setting up the Microsoft Certificate Authority in Stand-alone mode. These may be virtual servers, as described elsewhere in the document. Active Directory Accounts and Groups: Appropriate service accounts and management groups will be created in the proper domains required by the following components in this list. SQL DB login configuration will also be performed using the service account(s) instructions in this step. 4. Active Directory Schema Extensions & Supporting Scripts: Scripts run from the root domain in the forest by the enterprise administrator to create appropriate schema extensions and create OUs, accounts and groups in each subordinate domain. Intel AMT Setup & Configuration Server 3.0 or later: These may be virtual servers, quantity determined by implementation design as d
13. REM cscript engine.
REM The VBScript output is redirected to a file for logging and debugging
REM purposes. In a production environment, redirection should be either removed
REM or another mechanism added to prevent the log from filling the host drive.
REM
REM Note that a full path to the script is provided to SCS, for example
REM X:\aaa\bbb\ccc\script.bat
REM The path is decomposed to the directory part and to the script part, as in
REM X:\aaa\bbb\ccc
REM and
REM script.bat
REM SCS then runs script.bat in
REM X:\aaa\bbb\ccc
REM
@echo off
cscript.exe //Nologo
The contents of the InterimDB_Script.vbs file is shown below; modify as needed.
' Copyright (C) Intel Corporation 2002-2007
' script.vbs
' The script uses WMI to connect to a system and resolves FQDN, profile and
' Active Directory OU for Intel AMT. In addition, the target system UUID is
' matched with a given UUID to ensure a match. The FQDN is discovered, but
' Profile and Active Directory OU must be determined arbitrarily or additional
' logic implemented. DCO accepts profile=profileName and profile_id=NNNN, in
' this order of precedence.
' The script is best used when Intel AMT platforms host a version of Windows
' that supports WMI and a single profile is used. The Active Directory OU can
' be constant or b
14. [Screenshot: CA Type: Select the type of CA you want to set up: Enterprise root CA, Enterprise subordinate CA, Stand-alone root CA, Stand-alone subordinate CA. Description of CA type: A standard CA that can issue certificates to users and computers. Must obtain a CA certificate from another CA.] [Dialog: After installing Certificate Services, the machine name and domain membership may not be changed due to the binding of the machine name to CA information stored in the Active Directory. Changing the machine name or domain membership would invalidate the certificates issued from the CA. Please ensure the proper machine name and domain membership are configured before installing Certificate Services. Do you want to continue?] 7. Click Yes and then click Details. [Screenshot: Certificate Services: To add or remove a component, click the check box. A shaded box means that only part of the component will be installed. To see what's included in a component, click Details. Subcomponents of Certificate Services: Certificate Services CA; Certificate Services Web Enrollment Support; Back, Cancel, Help.] Use custom settings to generate the key pair and CA certificate. 10. Select the Stand-alone subordinate CA option on the CA Type screen and click Next. Description: Sets up a CA that issues and manages digital certifica
15. AMT device, it is prudent to check the DNS entries, DHCP scope settings, and finally make sure the machine is properly plugged into power and the network. Appendix A: The following sections provide links to documentation that may be used to attain detailed instructions specific to the named products and technologies. These documents are to support full installation configurations of each product mentioned in this document but not fully detailed here. It is intended that the reader utilize the information in this appendix to research the supporting products. Deploying and Configuring Active Directory: Deploying Active Directory: http://technet2.microsoft.com/windowsserver/en/library/56764c0c-1f60-4d53-96f8-1aef3efcac021033.mspx?mfr=true. Click on the links below for additional information on Active Directory Deployment resources: Using the Active Directory Installation Wizard; Creating an additional domain controller; Creating a new domain tree; Creating a new child domain; Creating a new forest; Upgrading from Windows NT or Windows 2000. Extending Your Active Directory Schema in Windows Server 2003 R2: http://technet2.microsoft.com/windowsserver/en/library/509ada1a-9fdc-45c1-8739-20085b20797b1033.mspx?mfr=true. Installing and Configuring DNS: Microsoft TechNet, Deploying DNS: http://technet2.microsoft.com/windowsserver/en/library/7f6d
16. GetObject("WinNT://SMSAMTUser_NNN")
objGroup.Add objUser.ADsPath
WScript.Echo "SMSAMTUser_NNN added to local Administrators group"
The ADScript.vbs script will create the following groups and users. Groups: Intel(R) AMT Collections Managers: users in this group are allowed to perform Unprovision, RCO, System Defense or Redirection operations on SMS collections. Intel(R) AMT Redirection Managers: users in this group are allowed to perform Intel AMT redirection operations either on single systems or SMS collections. Intel(R) AMT System Defense Managers: users in this group are allowed to perform Intel AMT System Defense operations either on single systems or SMS collections. Users: SMSAMTUser_NNN, where NNN is the SMS Site Code. The SMS add-on service runs under this account and must have the Log on as a Service right. A service account must be created for each SMS Primary server that will have the Intel SMS add-on feature installed. Run ADScript.vbs (Active Directory Users and Groups): 1. Log on to the SMS server as an SMS Administrator. 2. Locate and edit the adscript.vbs as explained previously. 3. Double-click the adscript.vbs file. 4. Verify that SMSAMTUser_NNN is added to the Administrators group on the SMS server. 5. Verify that the three (3) groups are created on the domain controller. NOTE: Once the SMSAMTUser_NNN service account is created, the add-on service updates the password every 28 day
17. NewAMTProperties
GO
ALTER DATABASE NewAMTProperties SET TRUSTWORTHY OFF
GO
ALTER DATABASE NewAMTProperties SET ALLOW_SNAPSHOT_ISOLATION OFF
GO
ALTER DATABASE NewAMTProperties SET PARAMETERIZATION SIMPLE
GO
ALTER DATABASE NewAMTProperties SET READ_WRITE
GO
ALTER DATABASE NewAMTProperties SET RECOVERY SIMPLE
GO
ALTER DATABASE NewAMTProperties SET MULTI_USER
GO
ALTER DATABASE NewAMTProperties SET PAGE_VERIFY CHECKSUM
GO
ALTER DATABASE NewAMTProperties SET DB_CHAINING OFF
GO
USE NewAMTProperties
GO
-- Create Table dbo.AmtProperties
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE TABLE [dbo].[AmtProperties](
[UUID] [nchar](32) COLLATE SQL_Latin1_General_CP1_CI_AS NOT NULL,
[FQDN] [nvarchar](256) COLLATE SQL_Latin1_General_CP1_CI_AS NOT NULL,
[OU] [nvarchar](256) COLLATE SQL_Latin1_General_CP1_CI_AS NOT NULL,
[ProfileID] [int] NOT NULL,
CONSTRAINT [PK_AmtProperties] PRIMARY KEY CLUSTERED ( [UUID] ASC ) WITH (IGNORE_DUP_KEY = OFF) ON [PRIMARY]
) ON [PRIMARY]
GO
The script above performs the following activities: 1. The database is created, the appropriate infor
18. SCS Console Configuration ... 89; [unreadable entry] ... 103; Provisioning Intel AMT Systems ... 103; [unreadable entry] ... 113; Discovery ... 113; Asset Inventory ... 114; Power Control Operations ... 115; Wake Up [unreadable] ... 118; Redirection Operations ... 120; [unreadable entry] ... 124; [unreadable entry] ... 127; [unreadable entry] ... 127; Glossary
19. account
Set user = objContainer.Create("User", "cn=SMSAMTUser_NNN")
user.Put "sAMAccountName", "SMSAMTUser_NNN"
user.Put "userPrincipalName", "SMSAMTUSse
user.SetInfo
user.SetPassword m
user.AccountDisabled = False
user.SetInfo
WScript.Echo "User SMSAMTUser_NNN created"
Set objGroup = GetObject("WinNT://Administrators,group")
Set objUser = GetObject("WinNT://SMSAMTUser_NNN")
objGroup.Add objUser.ADsPath
WScript.Echo "SMSAMTUser_NNN added to local Administrators group"
In addition, the IT administrator should create a new AD user account called SMSAMTUser_NNN (mentioned below) if it is not added to the script above for creation. This is the user under which the add-on service will run. NNN is the SMS site's 3-letter site code. This account should be a domain user and a member of the Administrators group on the local machine. The account must have the Log on as a service user right on the local machine. This right is added automatically during installation. After installing the Add-on, the IT administrator should ensure that the following types of users are added to the relevant groups (these are the groups that must be created and named exactly as they appear): a. Intel(R) AMT Collections Managers: users who need to perform these operations: i. System Defense; ii. Unprovision; iii. Power Control
20. [Screenshot: SCS Console tree: Profiles, Security Keys, Users, Global Operations, Security Audit, New Intel AMT Systems, Intel AMT Systems. List of Intel AMT devices, columns FQDN, Status, Provision Date, Version: hp-10.vpropov.local, Provisioned, 2007-06-02 17:30, Release 2.0; buttons Delete, Operations, Export, Refresh, Apply Filter; Intel AMT Filter: By Version (Release 2.0), By Status (Un-Provisioned), By Profile ID, By UUID, Order By AMT, Order By Ordinal Number, From Provisioning Date (2007-06-02); Page 1 of 3.] Discover New Intel AMT Systems using SCS from the SMS Console: The Intel AMT systems are now fully provisioned, and using the SMS Add-on we can now retrieve any Intel AMT systems that have been provisioned using SCS. 1. Log on to the SMS server as an SMS Admin equivalent. 2. From the SMS Administrator Console, expand Collections and right-click All Systems. 3. Select All Tasks > Intel AMT Tasks > Discover Intel AMT Systems using SCS. An "SCS Discovery running in the background" message is displayed; click OK. Expand System Status and click Status Message Queries. In the right-hand pane, right-click All Status Messages and select Show Messages. Click OK to accept the default one (1) hour range. The status message viewer window is displayed. [Screenshot: SMS Status Message Viewer for <PRO> <VPROPOV PILOT>: File, Edit, View
21. systems and SCS. This default port may be changed by an OEM. The port number must match the TCP Listen Port field on the General tab of the SCS Console. Provisioning Intel AMT Systems: Provisioning Using USB Key: Security keys can be generated using either the SCS console, the command line, or by the OEM. Generate Keys Using the SCS Console: Locate a formatted FAT USB key to complete the Security Keys export settings. 1. From the SCS Console, click Security Keys. [Screenshot: Intel AMT Setup and Configuration Service Console, Configuration Service Settings: General, Maintenance Policies, Profiles, Wireless Profiles, 802.1x Profiles, TLS-PSK, Users, Intel AMT Systems, Global Operations, Logs; Security Keys: configure Intel AMT Setup and Configuration Service pre-shared key pairs; buttons MEBx Settings, Print Selected, Import PID, Find, Refresh.] 2. Click MEBx Settings. [Screenshot: Security Key Settings: View and configure the security keys settings. Number of security keys in a USB key: 50; Factory Default MEBx Password; New MEBx Password; Random creation / Manual creation.] 3. In the Number of security keys in a USB key box, type the number of security keys that will be cre
22. Active Directory Organizational Unit: within an Active Directory, these are a way to delegate control over part of the directory to a user or group of users. Subsets of users, groups and/or computers can be delegated to different groups, allowing a greater degree of control and granularity without the need to run dedicated domain controllers for that group. Intel AMT: Intel Active Management Technology is a technology developed by Intel that enables administrators to remotely manage and repair networked computers even when they are powered down. Three primary features of Intel AMT are better asset management, reduced downtime and minimized desk-side visits, also called by Intel the discover, heal and protect process. API: Application Programming Interface. A language and message format used by an application program to communicate with the operating system or some other control program, such as a database management system (DBMS) or communications protocol. APIs are implemented by writing function calls in the program, which provide the linkage to the required subroutine for execution. Thus, an API implies that some program module is available in the computer to perform the operation, or that it must be linked into the existing program to perform the tasks. Authentication: A security measure designed to establish the validity of a transmission, message, or originator. Authentication Server (AS): A Kerberos element in a KDS that recognizes a client at log on
23. 2.1 device communicate securely, as the SCS generates and sends the device: certificates from a public key infrastructure (PKI); access control lists (ACLs); other setup parameters, as defined in a profile of setup and configuration information specific to the platform or to a family of platforms. The SCS also registers the Intel AMT 2.1 device in Active Directory and in its own secure database, as depicted in the architecture. The SCS is used for various maintenance functions, such as updating passwords (when Kerberos authentication is not activated) and ACLs, and keeping logs of all performed transactions. It is recommended to have multiple instances of the SCS installed across an enterprise, but there is only one SCS database for the enterprise. The major elements of the SCS are: Windows Service (the SCS Main Service); Secure Database; SOAP API; Console Application (the Intel SCS Console). The SCS needs a manual DNS registration entry referencing it as ProvisionServer within the appropriate DNS hierarchy. It should also be registered by machine in DNS. The reason for the manual registration is that the Intel AMT 2.1 host utilizes this name to locate the SCS upon the initial activation process. The SCS keeps profiles, keys and passwords securely within the SQL Server database. Requests for activation by the Intel AMT 2.1 hosts are made to the SCS, which performs the process of applying policy to the h
24. XML file setup.xml. C:\Create USB Key> 3. To verify the security keys creation, type the following at the command prompt: USBFile view setup.bin. [Screenshot: Administrator: Command Prompt. C:\Create USB Key>USBFile view setup.bin. Intel(R) AMT USB file writer and viewer sample. setup.bin contents: Record 1: Current MEBx password: admin; New MEBx password: P@ssword; PID: 2AKR 9373; PPS: N8&X6 WWHU DQH X6CT 6KZ3 KUQP UQQW 69YK. Record 2: Current MEBx password: admin; New MEBx password: P@ssword; PID: JUKB J328; PPS: SDRH DOG2 BN2E 1124 571D N2HK SW 2 C3C5. Record 3: Current MEBx password: admin; New MEBx password: P@ssword; PID: PHJE UUA; PPS: OCG1 E8TT MG N 2ZXC EUUP NKTL SDUL UE20. Record 4: Current MEBx password: admin; New MEBx password: P@ssword; PID: 62 7U 1XOM; PPS: KAQS BICQ OSWK BJP4 358 R6 4JWR UBLB 2954. Record 5: Current MEBx password: admin; New MEBx password: P@ssword; PID: CGJE 30WU; PPS: 715D US99 NSUU OL 7U Z GT M9U4 3MN2Y 11 7. C:\Create USB Key>] 4. You should now see a list of PID/PPS security keys. 5. Copy the setup.bin file to the USB key for use in provisioning Intel AMT systems. 6. From the SCS Console, click Security Keys. 7. Click Import. 8. 9. Sel
25. [Screenshot: Microsoft Certificate Services, Advanced Certificate Request page in Internet Explorer]
Identifying Information: Name vpro-vs2.vpropov.local; E-Mail, Company, Department, Country/Region left blank.
Type of Certificate Needed: Other; OID 2.16.840.1.113741.1.2.1
Key Options: Create new key set; CSP Microsoft Enhanced Cryptographic Provider v1.0; Key Usage: Exchange / Signature / Both; Key Size 1024; Automatic key container name; Export keys to file.
12. Click Submit. A Potential Scripting Violation dialog is displayed: "This Web site is requesting a new certificate on your behalf. You should allow only trusted Web sites to request a certificate for you. Do you want to request a certificate now?"
13. Click Yes. The Certificate Issued page is displayed: "The certificate you requested was issued to you. Install this certificate."
14. Click Install this certificate. A Potential Scripting Violation dialog is displayed: "This Web site is ad
26. 6. A dialog box is displayed indicating that the machine name or domain membership of the machine cannot be changed while it acts as a certificate server: "After installing Certificate Services, the machine name and domain membership may not be changed due to the binding of the machine name to CA information stored in the Active Directory. Changing the machine name or domain membership would invalidate the certificates issued from the CA. Please ensure the proper machine name and domain membership are configured before installing Certificate Services. Do you want to continue?"
7. Click Yes, and then click Details. [Screenshot: Certificate Services component list. "To add or remove a component, click the check box. A shaded box means that only part of the component will be installed. To see what's included in a component, click Details." Subcomponents: Certificate Services CA; Certificate Services Web Enrollment Support. Description: Sets up a CA that issues and manages digital certificates. Total disk space required: 4.8 MB. Space available on disk: 15021.6 MB.]
8. Verify that both the Certificate Services CA and the Certificate Services Web Enrollment Support checkboxes are selected and click OK.
9. Click Next. The CA Type screen is displayed ("Select the type of CA you want to set up"). Enter
27. All Tasks
10. The Properties of New Template dialog is displayed (tabs: General, Request Handling, Subject Name, Issuance Requirements, Superseded Templates, Extensions, Security).
13. Select the Request Handling tab. [Screenshot: Request Handling tab. Purpose: Signature and encryption; Archive subject's encryption private key; Include symmetric algorithms allowed by the subject; Delete revoked or expired certificates (do not archive); Minimum key size: 1024; Allow private key to be exported. "Do the following when the subject is enrolled and when the private key associated with this certificate is used: Enroll subject without requiring any user input".]
15. Select the Microsoft Strong Cryptographic Provider checkbox.
16. Click OK and then click Apply.
17. Select the Subject Name tab. [Screenshot: Subject Name tab. "Select this option to allow a variety of subject name formats or if you do not have access to the domain of which the subject is a member. Autoenrollment is not allowed if you choose this option." "Select this option to enforce consistency among subject names and to simplify certificate administra
28. Down.
Note: Only commands available for the current power state of the system are enabled in the dialog. For example, if the system is powered down, only the power up command is enabled.
Caution: Reset, Power Cycle and Power Down commands can cause loss of data to users logged on to the system.
5. Select a boot option from the drop-down menu of available boot options:
- NOP (Normal Operations, standard boot)
- Force PXE Boot
- Force Hard Drive Safe Mode Boot
- Force Hard Drive Boot
- Force Diagnostics Boot
- Force CD or DVD Boot
Quick Reference Guide: Maximizing the Benefits of Intel Active Management Technology, A Solution Guide
6. Under the boot options menu are additional items that can be selected:
- Lock System during Operation: prevents user intervention on the system during any of the power operations except Power Down. This checkbox is only enabled if the system supports locking all options (keyboard, reset button and power button).
The following table explains the fields in the Power Control Operations dialog box for single systems:
Host Name: the host name of the system as it is stored in the SMS object.
IP address: the IP address of the system as it is stored in the SMS object. The IP address may not be available on some occasions.
Resource ID: the SMS object resource ID.
Current Power State: the current power state as retrieved from Intel AMT.
Power up the system from any
29.
    ' Excerpt begins mid-script; the part of the page before this point is cut off.
    ' Variables assumed to be set earlier in the original script (not shown here):
    '   collItems  - WMI collection (e.g. Win32_ComputerSystem) used to derive the FQDN
    '   uuid       - Intel AMT UUID of this system
    '   tableName, profileId, ou, sqlServerName, dataSource, dbName
    '   objConnection (ADODB.Connection) and objRecordSet (ADODB.Recordset)
    ' ADO cursor/lock constants are not available by name in plain VBScript; declare them.
    Const adOpenStatic = 3
    Const adLockOptimistic = 3

    ' Build the FQDN from the WMI computer object (Name + Domain).
    For Each objItem In collItems
        fqdn = objItem.Name & "." & objItem.Domain
    Next

    ' Turn the domain part of the FQDN into an LDAP ",DC=..." suffix,
    ' one DC component per dot-separated label (hp-03.west.vproprod.local
    ' becomes ",DC=west,DC=vproprod,DC=local").
    dlen = 1
    currpos = 1
    While dlen < Len(fqdn)
        currpos = InStr(dlen, fqdn, ".")
        dlen = InStr(currpos + 1, fqdn, ".") - 1
        If dlen < 0 Then
            dlen = Len(fqdn)
        End If
        ldapstr = ldapstr & ",DC=" & Mid(fqdn, currpos + 1, dlen - currpos)
        dlen = dlen + 1
    Wend
    ou = ou & ldapstr

    ' Remove dashes from UUID
    Dim re, uuidWithoutDashes
    Set re = New RegExp
    re.Pattern = "-"
    re.Global = True
    uuidWithoutDashes = re.Replace(uuid, "")

    ' Build the INSERT for the interim (New Intel AMT) table.
    ' NOTE: the values are concatenated straight into the SQL text, as in the
    ' original script. FQDN and OU come from the machine's own WMI data, so a
    ' malformed or hostile value reaches the database unescaped; an ADODB.Command
    ' with parameters is the safer construction outside a lab.
    sql = "insert into " & tableName & _
          " (UUID, FQDN, ProfileID, OU)" & _
          " values ('" & uuidWithoutDashes & "', '" & fqdn & "', '" & profileId & "', '" & ou & "')"
    Wscript.Echo sql

    ' Open connection to the DB. The original shows two variants: integrated
    ' Windows authentication (active here) and a SQL login with the credentials
    ' embedded in the script (kept below, commented out; a password in a logon
    ' script can be read by every user who runs it). Opening the connection twice
    ' would raise an error, so only one variant may be active.
    objConnection.Open "Provider=SQLOLEDB.1;Server=" & sqlServerName & ";Data Source=" & dataSource & _
                       ";Database=" & dbName & ";Trusted_Connection=yes"
    ' objConnection.Open "Provider=SQLOLEDB.1;Data Source=" & dataSource & ";Database=" & dbName & _
    '                    ";User Id=amtInterimUpdate;Password=amtInterimPassword"

    ' Insert new record into DB
    objRecordSet.Open sql, objConnection, adOpenStatic, adLockOptimistic

    ' The error handling should be improved
    If Err.Number = vbEmpty Then
        Wscript.Echo "New AMT properties have been inserted su"
    End If
30. From the right pane, right-click the new Intel AMT system. Select All Tasks > Intel AMT Tasks > Retrieve Asset Identification Information. An asset information screen similar to the one below is displayed.
[Screenshot: Intel AMT Asset Identification Information. Host Name: HP-10; System IP: N/A; Resource ID: 76; Firmware version: 2.1.3; System UUID: 3961FB14-A86E-11DB-BBDA-718109610018; System Manufacturer: Hewlett-Packard; Baseboard Manufacturer: Hewlett-Packard; Baseboard Serial Number, Baseboard Asset Tag, System Serial Number and Current Power State fields.]
Testing and Validation
Discovery
The Intel AMT systems must be discovered and located before performing any tasks related to Intel AMT. There are three methods for discovering Intel AMT systems:
- Using IP Address Range Scan
- Using the SMS Discovery process
- Discovering systems provisioned by Intel SCS
IP Address Range Scan
Immediate discovery of Intel AMT systems can be performed by running a scan for IP addresses using the Intel AMT tools in the SMS Console. This discovery method does not require the system to have the SMS Client installed and active. To discove
31. [Screenshot: SMS status messages (Milestone type) for site server VPRO-VS2 on 6/2/2007, most recent first]
12:38:30 PM  Intel AMT Add-on for SMS  3996   HP-10: Intel AMT Automatic Discovery, new system located
12:37:45 PM  Intel AMT Add-on for SMS  39997  Intel AMT Setup & Config Services: Operation 55 completed for 1
12:37:44 PM  Intel AMT Add-on for SMS  39997  HP-10: Operation 55, Intel AMT Discovery, new system located
12:37:42 PM  Intel AMT Add-on for SMS  39997  SCS Discovery for Intel AMT systems, Operation 55: Operation started
12:37:36 PM  SMS_NETWORK_DISCOVERY  1105  SMS Executive is next scheduled to start this component on 6/2/2007 12
12:37:36 PM  SMS_NETWORK_DISCOVERY  502   This component stopped
12:37:36 PM  SMS_NETWORK_DISCOVERY  1308  Network Discovery has stopped
12:37:35 PM  SMS_NETWORK_DISCOVERY  1305  Network Discovery is stopping the Network Discovery protocol modules
12:37:34 PM  SMS_NETWORK_DISCOVERY  1307  Network Discovery is exporting devices and networks to the Discovery Dat
12:37:33 PM  SMS_NETWORK_DISCOVERY  1304  Network Discovery is stopping protocol operations
12:37:00 PM  SMS_NETWORK_DISCOVERY  1303  Network Discovery is star
32. IV. Event Registration
V. IDER
Operations on collections.
b. Intel(R) AMT Redirection Managers: users who need to perform these operations:
I. SOL Redirection
II. IDER
Operations on single systems or collections.
c. Intel(R) AMT System Defense Managers: users who need to perform these operations:
I. System Defense
II. Unprovision
III. Reprovision
Operations on single systems or collections.
SCSServiceAccount (name is configurable). This account is used as the account that runs the Intel AMT Setup & Configuration Server (SCS) service; the service is named AMTConfig. It is required to be in the local Administrators group of the server on which it runs, as well as having the Run As A Service right on the same server.
a. It is responsible for obtaining and renewing certificates from the Microsoft Certificate Authority on behalf of the Intel AMT devices managed by SCS.
b. It is responsible for creating Active Directory Intel AMT computer objects in the domain and OU configured to manage these computers. It receives these rights by being a member of the Enterprise IntelME Setup and Configuration Servers universal group, which is then a member of the local domain security group with the associated rights to create the AD computer objects (IntelAMT SCServers, listed below). The universal group Enterprise IntelME Setup and Configuration Servers will be a member of each domain local group IntelAMT SCSe
33. Intel AMT
20. Click Properties and select "Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate". [Screenshot: Policy module Properties, Request Handling tab. "The Windows default policy module controls how this CA should handle certificate requests by default. Do the following when a certificate request is received: Set the certificate request status to pending. The administrator must explicitly issue the certificate / Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate".]
a. Click OK. A dialog box is displayed indicating that Certificate Services must be restarted for these changes to take effect; click OK.
b. Click OK.
c. From the right pane, right-click the CA server name and select All Tasks > Stop Service. You should notice the server CA icon turning red to indicate that the service is stopped. [Screenshot: Certification Authority console, VPRO-VS1.]
Right-click the CA server name again and select All Tasks > Start Service. You should notice the CA icon turn green, indicating that the service is started.
Exporting and Importing CA Certificate
1. Log on to the Stand-alone Subordinate CA server with an administrative account. The stand-alone CA's self-signed certificate is not automatically added to the requeste
34. Key. [Screenshot: Certificate Export Wizard, Export Private Key. "You can choose to export the private key with the certificate. Private keys are password protected. If you want to export the private key with the certificate, you must type a password on a later page. Do you want to export the private key with the certificate? Yes, export the private key / No, do not export the private key".]
9. Verify that "Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above)" is selected and then click Next. [Screenshot: Certificate Export Wizard, Export File Format. "Certificates can be exported in a variety of file formats. Select the format you want to use": DER encoded binary X.509 (.CER); Base-64 encoded X.509 (.CER); Include all certificates in the certification path if possible; Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above); Delete the private key if the export is successful.]
10. Enter and confirm a password and click Next. This password is kept in the file and does not change.
11. Enter the file name, for example C:\Certificates\Client Auth; the file is saved with a .pfx extension.
12. Click Next, then click Finish, and click OK.
13. Click Close and then click OK.
14. Locate the OpenSSL tool directory as mentioned above (can be found at www.stunnel.org/download/openssl.zip).
15. Copy the .pfx file created above into the OpenSSL directory.
16. Locate the .pfx fi
35. [Screenshot: Intel Active Management Technology Setup and Configuration Server InstallShield Wizard, welcome screen. "The InstallShield Wizard will install Intel Active Management Technology Setup and Configuration Server on your computer. To continue, click Next."]
Click Next at the welcome screen. Accept the license agreement and click Next. From the Setup Type screen, select Complete and click Next.
[Screenshot: Select Main Service User. "Windows service: you must supply domain name, user name and password. Select the button below to specify information about a new user that will be created during the installation."]
In the User name field, enter the service account user name in the Domain\Username format, for example VPROPOV\SCSserviceAccount. Enter the Password and click Next. The Select IIS Web Server Virtual Directory, Application Pool and Web Site screen is displayed.
10. In the Web Site Name field, the Default Web Site is selected, but if you have created a dedicated web site for SCS, click the drop-down arrow to
11.
12. Intel Active Management Technology Setup and Configuration Service
36. SCS database using the SOAP API. The SOAP API has a method called AddServiceNewAMTProperties that adds an entry to the SCS database table. An external management console can acquire the platform information (using scripts, its own database, or a local agent) and pass the information to the SCS either before or after the Intel AMT device starts sending Hello messages.
Scripting Option
This option acquires the configuration information using a script if the required parameters are not in the New Intel AMT database table. The SCS runs a script that retrieves the parameters from an external source. The scripting option is the recommended enterprise Intel AMT provisioning solution. It requires that a script run on the Intel AMT device after the system has joined the appropriate Active Directory domain. Once this occurs, the script can be executed to fill in an interim database with the appropriate provisioning information, containing at a minimum two pieces of information: the Intel AMT UUID and the device FQDN. This script can be executed in the following ways:
- Manually, with an appropriate user account given the ability to update the interim database
- As part of the Active Directory logon script, with an appropriate user account given the ability to update the interim database
- Delivered as part of the standard software delivery mechanism (Microsoft Systems Management Server); the account used to execute thi
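The interim-database step described above, and the VBScript on slide 29 that implements it, build the LDAP OU string from the FQDN, strip the dashes from the UUID, and insert the row by concatenating the values into SQL text. The following is an added worked example in Python (not Intel's script, and not code from this guide) that does the same job in hardened form: it validates the UUID and the FQDN before they reach the database and uses a parameterised INSERT. It assumes the interim table has the columns UUID, FQDN, ProfileID and OU, as the slide 29 INSERT shows; the in-memory SQLite table standing in for the SCS SQL Server database, the table name, the OU prefix and the profile ID are constructed for the example.

```python
"""Hardened feed of Intel AMT UUID/FQDN into the provisioning interim table.

Added example, not Intel's script. An in-memory SQLite table stands in for the
SCS interim SQL Server table; column names follow the guide (UUID, FQDN,
ProfileID, OU), the table name, OU prefix and profile ID are assumed.
"""
import re
import sqlite3

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# UUID after dash removal: exactly 32 hex digits.
_UUID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


def fqdn_to_ldap_suffix(fqdn: str) -> str:
    """'hp-03.west.vproprod.local' -> ',DC=west,DC=vproprod,DC=local'.
    Same result as the slide's While/InStr loop, but a name with no domain
    part is rejected instead of being turned into a bogus DC component."""
    labels = fqdn.split(".")
    if len(labels) < 2:
        raise ValueError("FQDN has no domain part: %r" % fqdn)
    return "".join(",DC=%s" % label for label in labels[1:])


def normalise_uuid(uuid: str) -> str:
    """Strip dashes (as the slide's RegExp does) and require 32 hex digits."""
    bare = uuid.replace("-", "")
    if not _UUID_RE.match(bare):
        raise ValueError("not a UUID: %r" % uuid)
    return bare.upper()


def validate_fqdn(fqdn: str) -> str:
    """Every label must be a valid DNS label; quotes, spaces, etc. are rejected."""
    if len(fqdn) > 253 or not all(_LABEL_RE.match(l) for l in fqdn.split(".")):
        raise ValueError("invalid FQDN: %r" % fqdn)
    return fqdn.lower()


def build_row(uuid: str, fqdn: str, profile_id: int, ou_prefix: str) -> tuple:
    """Return the fully validated (UUID, FQDN, ProfileID, OU) tuple."""
    clean_fqdn = validate_fqdn(fqdn)
    return (normalise_uuid(uuid), clean_fqdn, int(profile_id),
            ou_prefix + fqdn_to_ldap_suffix(clean_fqdn))


def open_interim_db() -> sqlite3.Connection:
    """Constructed stand-in for the SCS interim table (assumed name and schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE NewAMTProperties "
                "(UUID TEXT PRIMARY KEY, FQDN TEXT, ProfileID INTEGER, OU TEXT)")
    return con


def insert_new_amt_properties(con, uuid, fqdn, profile_id, ou_prefix="OU=IntelAMT-OU"):
    """Validate and insert one system; the driver quotes the values, so no
    value can change the shape of the statement."""
    row = build_row(uuid, fqdn, profile_id, ou_prefix)
    con.execute("INSERT INTO NewAMTProperties (UUID, FQDN, ProfileID, OU) "
                "VALUES (?, ?, ?, ?)", row)
    con.commit()
    return row


if __name__ == "__main__":
    db = open_interim_db()
    # Constructed sample values, modelled on the guide's own UUID and FQDN examples.
    print(insert_new_amt_properties(
        db, "29887E28-4710-11DB-BBDA-718048020018", "hp-03.west.vproprod.local", 1))
```

The validation step is what the slide 29 script lacks: its FQDN and OU come from the machine's own WMI data, so any character that survives there is copied into the SQL text unescaped, whereas here a malformed FQDN raises before any statement is built.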
37. but it will help list some of the obscure options that are available to you. Technical support from Intel may be obtained by using the email address smsaddonsupport@intel.com.
SMS Logging
HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Intel(R) AMT Add-on\LOG, value NoLogDetailFailedPerm (DWORD) = 00000001
This option prevents the SMS Add-on from creating unneeded entries in the SMS Status log for systems that are not Intel AMT systems. This helps to reduce the log size and eliminate entries that are not necessary for normal operations.
SCS Log Level
HKEY_LOCAL_MACHINE\SOFTWARE\Intel\AMTConfServer\LOG, value LogLevel = V
This creates c:\scs_server.log and c:\scs_win_server.log. This option creates the verbose logging used for internal troubleshooting; these files are often needed by the Intel technical support organization (email listed above). You may use it to determine what actions SCS is performing and, as an example, to determine whether SCS is having trouble creating Active Directory objects.
SMS Trace Logs & Status Messages
HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Intel(R) AMT Add-on\LOG, value LogLevel = 5
This creates IAMTSMSService.log in the Add-on install directory. This option is much like the SCS Log Level option above in that it creates extra files to help with detailed issue isolation. You will also use these files to communicate issues to the Intel technical support organization for problems you are unable to diagnose and r
38. certificate chain, or CRL.
d. Click "Download a CA certificate, certificate chain, or CRL".
e. Click Download CA certificate.
f. Click Save and type a name for the certificate (.cer) file. Note where you saved the file.
g. Click Save and then click Close.
i. Locate the certificate, right-click it, select Install Certificate, and click Next.
k. Place a checkmark next to the Show physical stores box and expand Trusted Root Certification Authorities.
l. Click Local Computer and click OK.
m. Click Next > Finish. A message should display indicating a successful import.
n. Click OK.
Configure Secure SSL Connection to IIS
A secure connection to IIS requires a digital certificate. When SSL certificates are installed on IIS, communications between client and server are secured through SSL encryption. Section 4.2.2.1 shows the tasks needed to install and configure IIS if you have not done so. Section 4.2.2.2 shows the tasks needed to request and install an SSL certificate from a Stand-alone CA, while section 4.2.2.3 shows the steps needed from an Enterprise CA.
Install and configure IIS on the SCS server
1. Log in as a user with administrative rights to the SCS server.
2. Fro
8. Click Finish to continue.
9. When completed, make sure all of the following components are installed:
39. container name. [Screenshot: Advanced Certificate Request, remaining options. Mark keys as exportable; Export keys to file; Enable strong private key protection; Store certificate in the local computer certificate store ("Stores the certificate in the local computer store instead of in the user's certificate store. Does not install the root CA's certificate. You must be an administrator to generate or use a key in the local machine store"). Additional Options: Request Format CMC / PKCS10; Hash Algorithm SHA-1 (only used to sign request); Save request to a file; Attributes; Friendly Name.]
e. Click Submit. A dialog indicating a new certificate request is displayed; click Yes.
f. Click Install this Certificate. Click Yes when the confirmation message is displayed.
g. A successful certificate installation is displayed; close Internet Explorer.
Create Personal .pfx certificate on the SCS Server
1. From the SCS server, click Start and then click Run.
2. Enter MMC and click OK. The Microsoft Management Console (MMC) is displayed.
3. From the File menu, click Add/Remove Snap-in.
4. Click Add.
5. Select Certificates and click Add.
6. Select My user account and click Finish.
7. Click Close > OK.
8. From the left pane, expand the Certificates - Current User branch.
9. Expand the Personal branch.
10. Click Certificates.
11. In the right pane, right-click the certificate and select Open. [Screenshot: Console Root > Certi
40. [Table: MEBx settings, default and value after setup]
Intel Management Engine: default Disabled; value after setup Enabled (1)
Power policies for Intel Management Engine: default Off for S1-S5; value after setup On for S1-S5 (2)
(1) The Intel Management Engine and Intel AMT 2.1 must be enabled in order for you to set up, configure and use Intel AMT 2.1.
(2) Setting power policies for the management engine to S1-S5 allows Intel AMT 2.1 to initiate configuration in any power state as soon as the PC is connected to power and plugged into the network.
Sleep states describe the possible power states for a computer, as described in the following table.
[Table: Sleep states]
S0: The computer is on and fully functional.
S1: RAM is refreshed and the computer is running in a low power mode.
S2: The computer appears to be off with the CPU stopped. RAM is refreshed and the computer is running in a lower power mode than S1.
S3 (Standby): The computer appears to be off with no power to the CPU. RAM is in slow refresh; disk
S4 (Hibernate): The computer appears to be off with no power to the hardware. System memory has been saved as
4. Using the appropriate keyboard function key as defined by the PC manufacturer, display the MEBx configuration screen. Depending on the BIOS, you should be prompted to log into MEBx when you access the MEBx configuration screen. Typically you will press <Ctrl>+P to access the MEBx logon screen.
41. files and apply the relevant policies to the collections or systems that you want to protect.
The System Defense for Advertisement feature integrates the Intel AMT System Defense feature with SMS advertisements. A System Defense Policy (SDP) can be applied to an advertisement to move all systems belonging to a collection with a scheduled advertisement to a remediation network until each system is installed with the advertised package. This is done by using the Intel AMT System Defense feature; the SMS client agent is responsible for the software delivery itself. Systems will only be returned to normal network settings after the software has been successfully delivered. If you apply a System Defense Policy or Heuristics Policy to a system that is unreachable for any reason, the Add-on will apply the policy to the system when it becomes reachable.
A System Defense Policy can be created and enabled using the Advertisement tab in the Intel AMT Add-on Settings dialog. Once a policy has been loaded and enabled, it can be applied to an advertisement, which will immediately apply the policy to Intel AMT systems in the target collection. The SDP is applied to Intel AMT supported systems belonging to the collection. These systems must have been discovered, have an SMS Advanced Client installed and active, and be reporting to the local Primary site server where the System Defense settings have been applied. The policy will be automati
42. information, consult the certification authority's Web site. [Screenshot: IIS Certificate Wizard, Organization Information (Organization: vPro; Organizational unit: vPro AMT) and Geographical Information (Country/Region: US; State/province: Texas; City/locality: Celina). "State/province and City/locality must be complete official names and may not contain abbreviations."]
14. Complete the Organization and Organization Unit information and click Next.
16. Complete the Geographical Information window and click Next.
[Screenshot: IIS Certificate Wizard, Certificate Request File Name. "Your certificate request is saved as a text file with the file name you specify. Enter a file name for the certificate request." File name: C:\Certificates\webCertificateRequest.txt]
17. Enter a file name for the certificate hash and click Next.
[Screenshot: IIS Certificate Wizard, Request File Summary. "You have chosen to generate a request file. To generate the following request, click Next." File name: c:\certificates\webcertificaterequest.txt. Your request contains the following information: Issued To vpro-vs4.north.vproprod.local; Friendly Name Default Web Site; Country/Region US; State/Province Texas; City Celina; Organization vPro; Organizational Unit vPro AMT.]
18. Review the summary page and click Next.
19. Click Finish. A Submit C
43. not allow an SDP to block a system from receiving ARP broadcasts or responding to them; this is to prevent the system from losing its IP address and becoming undetectable on the network.
Note: System Defense is implemented by the Add-on integrated with the advertisement functionality of SMS. It is not a generic protection for networks and will only protect systems which are expected to download and install a given advertisement. IT administrators should not confuse it with other network protection tools, such as firewalls, which have a much wider scope and are independent of SMS advertisements.
System Defense Tab
To define a System Defense policy to be later applied to advertisements, the System Defense Policy (SDP) is defined as a script in a text file, and the network path to this file is entered into the text box using the Add button. The script is checked for syntax when loaded. Any error in the script will terminate the script load, and the user will be notified of the line in which the error occurred. The script language has a strictly defined syntax which closely resembles Cisco ACL language. Refer to the Intel documentation "Intel Active Management Technology Add-On for Microsoft SMS 2003 Installation and User's Guide, Version 3.0" for syntax and detailed information for creating these policies.
[Screenshot: Intel AMT Add-on Settings dialog, tabs: About, Setup and Configuration, Security, Performance, Advertisement, Redirection, System Defense]
44. over HTTPS (SSL, port 443). It is a requirement to run the console on a physical computer when it is used to deploy provisioning keys via a USB memory stick. This is because existing virtual hosting software does not provide robust support for USB ports within hosted virtual operating systems (VMware Workstation 6.0 or higher supports the USB export capability).
Microsoft SQL Server 2005
This system is best described by following best practices for high availability and performance for access by the Intel SCS. It is not required to be configured for high availability; however, if the database or connectivity to this database is lost, management of the Intel AMT 2.1 hosts is effectively rendered useless. The transparent server in the picture in the Component Overview section indicates that it is preferred that this system be configured in a cluster, but it is not required. Assuming performance and network connectivity are not an issue, this system could reside on an existing hosted SQL Server database cluster. Best practices and organizational architecture will dictate whether this system should be a stand-alone cluster or hosted on a shared database cluster system.
Microsoft Systems Management Server 2003 (SMS) with Intel AMT Add-on 3.x
It is assumed that best practices for an existing, fully functional SMS hierarchy are already in place. The architecture above does not intend to describe how the SMS hierarchy should be designed and d
45. perform an IDE Redirection operation on a collection:
1. Right-click any collection.
2. Select All Tasks > Intel AMT Tasks > Redirection Operations.
3. The Redirection Operations dialog appears. [Screenshot: Redirection Operations. Collection Name: All Systems; boot image path field; Lock System during Operation; BIOS Password Bypass; Perform Boot; Advanced IDER Settings; Close; Set Boot Image.]
Set Boot Image: Click Set Boot Image to select an image (within the size limits of the CD or medium designed to store it) that is located in the repository set by the Boot Images Base Path option in the Intel AMT Add-on settings dialog, referenced in the Redirection section or in the section "To perform a Global Redirection operation" below.
Note: If no IDER boot image repository has been set in the Intel AMT Add-on settings dialog, a warning message is displayed and all the options in the Redirection Operations dialog are disabled.
Lock System during Operation: Select this box to lock the keyboard, reset button, sleep button and power button during a reboot in order to prevent user intervention on the system during the operation (optional). This checkbox is only enabled if the system supports locking all of these options during a reboot.
BIOS Password Bypass: Select this box to bypass the BIOS password during a reboot (optional). This checkbox is only enabled if the system supports bypassing the BIOS password during a reboot.
46. (Table of contents, continued)
Troubleshooting Best Practices ... 132
Installing and Configuring Certificate Services ... 135
Installing and Configuring Systems Management Server 2003 ... 135
Installing and Configuring SQL Server 2005 ... 136
Installing an Enterprise Subordinate CA ... 137
Create Client Certificate Template for the Enterprise Su
47. root certificates in your enterprise, then it is required that you purchase a certificate from your chosen well-known provider that enables your enterprise certificate authority to issue certificates against it. Otherwise you will need to work with your OEM to pre-install the appropriate root certificate of the enterprise certificate authority you have installed for your enterprise before the Intel AMT devices are manufactured and delivered to the end user. This is the only location within this document that describes remote configuration, as the remainder of what is covered here focuses on deployment of pre-Intel AMT v2.2 devices. It is, however, the recommendation that enterprises move to implement remote configuration as a matter of best practice at this point in time.
Intel AMT 2.1 Device Management Infrastructure Installation Overview
The following list describes the management infrastructure installation order at a high level. Each component will be described in more detail in the next few sections, and then fully detailed installation instructions follow. This overview gives the preparatory understanding needed to follow the rest of the documentation, as it provides increasingly detailed information on each component. The list below is in priority order, as some dependencies do exist.
1. SQL Database Cluster. These servers may already exist in the enterprise and, capacity permitting, may host the database required for the Intel
48. settings change to the new settings automatically even if the reset option is not selected. Any non-mandatory advertisements are reset to not wake up.
BIOS Password Bypass on advertisement: The BIOS bypass can also be used for those systems where the BIOS is locked via a password.
Note: If the BIOS bypass option is checked but is not supported by the system, the wake-up on the system will not be executed.
There are four control buttons at the bottom of the Advertisement tab:
- Reload Settings: refreshes the dialog box with the current setting information.
- Save and Close: saves the current settings and closes the dialog box.
- Close: closes the dialog box without saving the settings.
- Apply: saves the current settings without closing the dialog box.
Override the Global "Wake up systems on mandatory advertisements"
To override the wake-up setting for a specific advertisement and prevent it from waking up systems, perform the steps below:
1. Right-click the advertisement.
2. Select All Tasks > Intel AMT Tasks > Wake Up Options. The following dialog box opens. [Screenshot: Intel AMT Settings for Advertisement: Use Default Settings; Wake up systems; BIOS Password Bypass; OK; Cancel.]
3. Click Override default settings. Ensure the "Wake up systems" box is not checked and click OK.
Note: Non-mandatory advertisements have to be set ma
49. ...13. Install the CA certificate in the certificate store as a trusted root certificate on the SMS server:
b. Log in to the SMS server and open Internet Explorer.
c. Enter the address of the Subordinate CA server...
d. Click Download a CA certificate, certificate chain, or CRL.
e. Click Download CA certificate.
f. Click Save and type a name for the certificate (.cer) file. Note where you saved the file.
g. Click Save and then click Close.
h. Close the Internet Explorer window.
Locate the certificate, right-click it, select Install Certificate and click Next. Select Place all certificates in the following store and click Browse. The Select Certificate Store window opens (Personal, Trusted Root Certification Authorities, Enterprise Trust, Intermediate Certification Authorities, with a Show physical stores box). Place a checkmark next to the Show physical stores box and expand Trusted Root Certification Authorities. Click Local Computer and click OK. Click Next > Finish. A message should display indicating a successful import. Click OK.

Quick Reference Guide: Getting to Pro, An Enterprise Approach to Deploying Intel AMT
50. ...10. Select the Enterprise subordinate CA option on the CA Type screen and click Next. The Windows Components Wizard CA Type screen offers Enterprise root CA, Enterprise subordinate CA, Stand-alone root CA and Stand-alone subordinate CA; the description of the selected type reads "A standard CA that can issue certificates to users and computers in the enterprise. Must obtain a CA certificate from another CA in the enterprise." An option to use custom settings to generate the key pair and CA certificate is also shown.
11. Complete the CA Identifying Information screen: Common name for this CA (VPRO-S1 in the example), Distinguished name suffix (DC=vproprod,DC=local), Preview of distinguished name, and Validity period (Determined by parent CA).
12. Click Next.
13. Accept the default Certificate Database Settings window settings and click Next. The screen asks for the locations of the certificate database, database log and configuration information; the defaults are Certificate database C:\WINDOWS\system32\CertLog and Certificate database log C:\WINDOWS\system32\CertLog...
51. ...time by reducing the need for hands-on assistance. Below is a description of these features and configurations for an enterprise environment.

This feature enables remote power state control of Intel AMT supported systems. The power control features can be performed on a single system or on a set of machines that belong to a collection. The available functions are power up, power down, power cycle and reset. Different boot options are also available depending on the specific system implementation. The steps to perform power control options for both single systems and a collection of systems are listed below.

Single Systems Power Operations: The remote operation is performed immediately, with a notification of the completion status at the end of the operation. To perform this function for a single system, follow these instructions:
1. Right-click an Intel AMT system.
2. Select All Tasks > Intel AMT Tasks > Power Control Operations.
3. The Power Control Operations window appears as shown below. It displays the Host Name, IP address, Resource ID and Current Power State (for example Soft OFF (S5/G2)), a Command list and a Boot Options list, the Lock System during Operation and BIOS Password Bypass checkboxes, and the Send Command, Refresh Power State and Close buttons.
4. Select the required power command from the list available:
- Power Up
- Reset
- Power Cycle
- Power...
52. 1. ...to the SCS Console with an administrative account.
2. Open a web browser.
3. Enter the address of the CA Server web interface. In the following example, ca_machine is the host name of the CA Server: http://ca_machine/certsrv. The Microsoft Certificate Services welcome page opens, offering the tasks Request a certificate, View the status of a pending certificate request, and Download a CA certificate, certificate chain, or CRL.
4. Click Download a CA certificate, certificate chain, or CRL.
5. Click Download CA certificate.
6. Click Save and type in a name for the certificate (.cer) file. Note where you saved the certificate.
7. Click Save and then c...
53. ...typically sufficient.
10. Click Apply.

Profile Configuration: Network Tab (TLS Mutual Authentication Settings)
1. Click the Network tab. The Add/Edit Profiles window (tabs General, Network, ACL, Power Policy, NAC, Wireless Profiles, Wired 802.1x) shows the profile Network settings: a General box (Enable ping response, Use VLAN, VLAN Tag), Network Interface Enabled Interfaces (Web UI, Serial Over LAN, IDE Redirection), TLS Settings (Use TLS, with TLS Server Authentication or TLS Mutual Authentication selectable for both the Local Interface and the Network Interface), and TLS Server Certificate Details (Issuer VPRO-S1.vproprod.local, Name VPRO-S1, Template WebServer; Encrypted, Plain Text or Both).
2. Click Enable ping response in the General box to allow the Intel AMT devices to respond to ping.
3. If a VLAN is configured in your environment, click Use VLAN and enter the integer value of the VLAN Tag. If not, leave it blank. This must be the correct number.
4. In the Enabled Interfaces box, click to place a checkmark next to Web UI to allow browser-based management of Intel AMT devices.
5. Click to place a checkmark next to Serial Over LAN to manage Intel AMT devices remo...
54. ...web interface. In the following example, ca_machine is the host name of the CA server: http://ca_machine/certsrv. The Microsoft Certificate Services welcome page opens (Request a certificate; View the status of a pending certificate request; Download a CA certificate, certificate chain, or CRL).

Select Place all certificates in the following store and click Browse. The Select Certificate Store window opens, listing Personal, Trusted Root Certification Authorities (with its Registry and Local Computer physical stores), Enterprise Trust and Intermediate Certification Authorities, together with a Show physical stores checkbox.
55. ...1 MB. Space available on disk: 15021.7 MB.
6. A dialog box is displayed indicating that the machine name or domain membership of the machine cannot be changed while it acts as a certificate server: "After installing Certificate Services, the machine name and domain membership may not be changed due to the binding of the machine name to CA information stored in the Active Directory. Changing the machine name or domain membership would invalidate the certificates issued from the CA. Please ensure the proper machine name and domain membership are configured before installing Certificate Services. Do you want to continue?"
7. Click Yes and then click Details. The Certificate Services subcomponents dialog lists Certificate Services CA and Certificate Services Web Enrollment Support (1.2 MB), with the description "Sets up a CA that issues and manages digital certificates", total disk space required 4.8 MB and space available on disk 15021.6 MB.
8. Verify that both the Certificate Services CA and the Certificate Services Web Enrollment Support checkboxes are selected and click OK.
9. Click Next. The CA Type screen is displayed.
56. The Actions Status view of the SCS console shows the status of asynchronous actions initiated by the console or by other SOAP API requests: for each action its date and time, status (Waiting or Succeeded), the account that applied it and the target UUID. Results can be filtered by date and time or by user, ordered by request or by action, and paged.
10. From the left pane of the SCS console, click Intel AMT Systems. You should now see the Intel AMT device status as Provisioned.
57. [Architectural Component Diagram: components shown include the SMS server with Intel AMT Add-on, Microsoft SQL Server 2005 SP2 Standard Edition and the Internet Explorer Web Client.]

Architectural Component Diagram: The connections depicted in the diagram above are intended to describe those activities that are not usual and customary in a normal Windows network. For example, connections for domain name server name resolution are not included, and a complete depiction of authentication connections is missing too. The purpose of this diagram is to explain the interaction of systems as it pertains specifically to adding Intel AMT 2.1 management infrastructure.

Windows Server 2003 Active Directory (AD): Microsoft Active Directory is assumed to be part of the overall network infrastructure supporting the existing Windows network environment. This architecture requires AD as the authentication mechanism allowing the Intel Setup & Configuration Server, the Intel AMT Add-on for SMS and potential web clients to log on to Intel AMT 2.1 hosts. AD should inherently be designed in a high-availability configuration as prescribed by the existing environment and geographic requirements, as well as best practices for AD in general.

Domain Name Server (DNS): A domain name server is used to supply the name-to-IP resolution for the Intel AMT 2.1 hosts as well as resolving the Setup & Configuration se...
58. 5. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file. The Submit a Certificate Request or Renewal Request page (http://vpro-vs1/certsrv/certrqxt.asp in the example) opens, showing the base-64 request text.
59. Provisioning script fragment (continued):

```vbscript
' (continued) Open the SCS database and look up the Intel AMT system by UUID.
objConnection.Open "Provider=SQLOLEDB.1;Data Source=" & dataSource & _
    ";Database=" & dbName & ";Trusted_Connection=yes"
' Note: inputUUID is concatenated straight into the SQL text here (and again in
' the DELETE below); the script relies on the caller supplying a clean UUID.
sql = "select * from " & tableName & " where UUID='" & inputUUID & "'"
logts.Write "Running SQL: " & sql & VbCrLf
objRecordSet.Open sql, objConnection, adOpenStatic, adLockOptimistic
If objRecordSet.RecordCount <> 0 Then
    ou        = objRecordSet.Fields("OU").Value
    profileId = objRecordSet.Fields("ProfileId").Value
    fqdn      = objRecordSet.Fields("FQDN").Value
Else
    logts.Write "The AMT with UUID " & inputUUID & " has not been found" & VbCrLf
End If

' Reference the profile either by id or by name.
Dim profileAttr
If USE_PROFILE_ID Then
    profileAttr = "profile_id=""" & profileId & """"
Else
    profileAttr = "profile=""" & profileName & """"
End If

' Build the one-element Configuration XML consumed by the SCS. Attribute values
' are not XML-escaped, so a quote in fqdn or ou would break the document.
Dim conf, filesystem, file, ts
conf = "<Configuration " & _
       "fqdn=""" & fqdn & """ " & _
       "addn=""" & ou & """ " & _
       profileAttr & _
       " />" & VbNewLine

' Remove the processed row so the system is configured only once.
sql = "delete from " & tableName & " where UUID='" & inputUUID & "'"
objConnection.Execute sql
objRecordSet.Close
objConnection.Close

Wscript.Echo "Create XML File"
Wscript.Echo "----------------------------------------"
Wscript.Echo "filename to output: " & inputFilename
Wscript.Echo conf
logts.Write "filename to output: " & inputFilename & VbCrLf
logts.Write conf & VbCrLf
Set fil
```
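The script above builds both its SQL and its XML by string concatenation: the UUID is spliced into the WHERE clause and the OU and FQDN values into attribute text. As an added example (not the guide's own script), here is the same lookup, emit and delete step in Python with a bound SQL parameter, an allow-listed table name and an XML serializer that escapes attribute values; the in-memory sqlite3 table, its column names and the sample rows are constructed stand-ins for the SCS SQL Server table.

```python
"""Safer equivalent of the lookup-and-emit step of the provisioning script.

Constructed example: an in-memory SQLite table stands in for the SCS
SQL Server table the original script queries.
"""
import sqlite3
import xml.etree.ElementTree as ET
from typing import Optional


def open_sample_db() -> sqlite3.Connection:
    """Create a constructed stand-in for the provisioning table.

    Columns mirror the fields the original script reads (UUID, OU,
    ProfileId, FQDN); the rows are made up for the example.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE AMTSystems (UUID TEXT PRIMARY KEY, OU TEXT, "
        "ProfileId INTEGER, FQDN TEXT)"
    )
    conn.executemany(
        "INSERT INTO AMTSystems VALUES (?, ?, ?, ?)",
        [
            ("00000000-0000-0000-0000-000000000001",
             "OU=IntelAMTOU,DC=west,DC=vproprod,DC=local",
             1, "hp-03.west.vproprod.local"),
            # An awkward OU value: quotes and angle brackets must not break the XML.
            ("00000000-0000-0000-0000-000000000002",
             'OU=Lab "A" <test>,DC=west,DC=vproprod,DC=local',
             2, "lab-01.west.vproprod.local"),
        ],
    )
    conn.commit()
    return conn


def lookup_system(conn: sqlite3.Connection, table: str, uuid: str) -> Optional[dict]:
    """Fetch OU, ProfileId and FQDN for one UUID.

    The UUID travels as a bound parameter instead of being spliced into the
    SQL text. A table name cannot be a parameter, so it is checked against a
    (hypothetical) allow-list before it is interpolated.
    """
    if table not in {"AMTSystems"}:
        raise ValueError(f"unexpected table name: {table!r}")
    row = conn.execute(
        f"SELECT OU, ProfileId, FQDN FROM {table} WHERE UUID = ?", (uuid,)
    ).fetchone()
    if row is None:
        return None
    return {"ou": row[0], "profile_id": row[1], "fqdn": row[2]}


def build_configuration_xml(fqdn: str, ou: str, profile_id=None, profile_name=None) -> str:
    """Emit the one-element Configuration document the script writes.

    Exactly one of profile_id / profile_name is used, mirroring the script's
    USE_PROFILE_ID switch. ElementTree escapes attribute values, so an OU
    containing quotes or angle brackets still yields well-formed XML.
    """
    if (profile_id is None) == (profile_name is None):
        raise ValueError("give exactly one of profile_id or profile_name")
    attrs = {"fqdn": fqdn, "addn": ou}
    if profile_id is not None:
        attrs["profile_id"] = str(profile_id)
    else:
        attrs["profile"] = profile_name
    return ET.tostring(ET.Element("Configuration", attrs), encoding="unicode")


def consume_system(conn: sqlite3.Connection, table: str, uuid: str,
                   use_profile_id: bool = True, profile_name: Optional[str] = None) -> Optional[str]:
    """Look up the system, emit its XML, then delete the row as the script does.

    Returns None when the UUID is unknown (the script's 'has not been found' case).
    """
    rec = lookup_system(conn, table, uuid)
    if rec is None:
        return None
    if use_profile_id:
        xml_text = build_configuration_xml(rec["fqdn"], rec["ou"], profile_id=rec["profile_id"])
    else:
        xml_text = build_configuration_xml(rec["fqdn"], rec["ou"], profile_name=profile_name)
    with conn:  # the DELETE is committed (or rolled back) as one transaction
        conn.execute(f"DELETE FROM {table} WHERE UUID = ?", (uuid,))
    return xml_text


if __name__ == "__main__":
    db = open_sample_db()
    print(consume_system(db, "AMTSystems", "00000000-0000-0000-0000-000000000002",
                         use_profile_id=False, profile_name="LabProfile"))
```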
60. ...Server (DNS) ... 11
Dynamic Host Configuration Protocol (DHCP) Server ... 11
Microsoft Certificate Authority (CA) ... 11
Intel AMT Setup & Configuration Server (SCS) 3.0 or later ... 12
Microsoft Systems Management Server 2003 (SMS) with Intel AMT Add-on 3.x ... 13
Intel AMT 2.1 Hosts ... 14
Internet Explorer Web Client ... 15
Requirements and Dependencies ... 15
Windows Server 2003 Standard R2 SP2 ... 15
Windows Server 2003 Active Directory (AD) Forest ... 16
Active Directory Schema Extensions...
61. Quick Reference Guide. Intel Centrino with vPro Technology. Intel Core 2 Processor with vPro Technology. Leap ahead.

Getting to Pro: An Enterprise Approach to Deploying Intel Active Management Technology. Prepared by EDS for Intel Corporation, December 2007.

Table of Contents
Introduction ... 5
Architecture and Design Considerations ... 5
Architecture Overview ... 5
Intel AMT 2.1 Device Provisioning Overview ... 6
Intel AMT 2.1 Device Management Infrastructure Installation Overview ... 8
Component Overview ... 10
Windows Server 2003 Active Directory (AD) ... 11
Domain Name S...
62. Active Directory Root Domain Requirements: There are no root domain requirements for the Intel Setup & Configuration Service. However, there is one potential scenario that would require objects to be placed in the Active Directory root domain. This requirement depends on the need to manage Intel AMT objects that may reside in the root domain. In that event, the appropriate OU, Intel computer objects and management accounts used to manage Intel AMT devices are required in the root domain. This is not perceived as a need, but could be required as Intel AMT managed devices may proliferate into the root domain as well.

Active Directory Domain Requirements: There are certain groups, accounts, Intel computer objects (based on the schema extension), group rights and an OU that need to be created in each of the AD domains where Intel AMT managed devices exist. The following table lists the objects created in the domain; also included is the script used to modify rights on the appropriate groups, as described below:
- IntelAMTOU: OU, name configurable, created in all domains with managed AMT devices.
- IntelME Setup and Configuration Servers: group holding the SCSServiceAccount; Universal scope recommended.
- IntelAMT SCServers: Domain Local group.
- IntelME Setup Servers Managers: Global group.
- SMS Admins: Global group...
63. ...(requires IE 5.0, NT 4.0 SP4 or above); Delete the private key if the export is successful.
16. Select Enable strong protection and click Next.
17. Enter and confirm the password which protects the private key and click Next. NOTE: The password must contain an upper-case letter, a lower-case letter, numbers and at least one symbol (such as &).
18. Enter a name for the file (for example C:\Certificates\IISProtection; it is saved as a .pfx file) and click Next > Finish.
19. Click OK at the successful completion message.
20. Click OK.
21. Close MMC.

Install the SSL Certificate in IIS from .pfx
1. Click Start > Programs > Administrative Tools > Internet Information Server (IIS) Manager.
2. Expand <Computer Name> (local computer).
3. Click Web Sites.
4. Right-click the Default Web Site and click Properties.
5. Click the Directory Security tab.
6. From the Secure Communications box, click Server Certificate. The Web Server Certificate Wizard is displayed. Click Next. The IIS Certificate Wizard Server Certificate page lists the methods for assigning a certificate to a Web site. Select Imp...
65. [Intel Active Management Technology Setup and Configuration Service InstallShield Wizard, IIS Configuration: Configure IIS Web Server Virtual Directory. Web Site Name: Default Web Site; Application Pool Name: DefaultAppPool; Virtual Directory Name: AMTSCS; Force Secure Connections (HTTPS).]

...select it now. In the Virtual Directory Name field the default AMTSCS is selected. Click Next. The Select Remote Configuration IIS Web Server Virtual Directory, application pool and Web Site screen is displayed (Web Site Name: Default Web Site; Application Pool Name: AMTSCS Remote Configuration; Virtual Directory Name: AMTSCS_RCFG; Force Secure Connections (HTTPS)).
13. In the Web Site Name field the Default Web Site is selected, but if you have created a dedicated web site for SCS, click the drop-down arrow to select it now.
14. In the Virtual Directory Name field the default AMTSCS_RCFG is selected. Click Next. The Database Server Login screen (Select database server...) is displayed next.
66. [DNS Forward Lookup zone records shown in the example: ...LE1 Host (A) 192.168.0.231; vpro-vs1 Host (A) 192.168.0.21; VPRO-VS2 Host (A) 192.168.0.22.]
3. Expand the DNS server name and expand the Forward Lookup zone.
4. Right-click the zone name and click New Host (A). The New Host dialog has a Name field (uses the parent domain name if blank), the resulting Fully qualified domain name (FQDN), an IP address field and an Allow any authenticated user to update DNS records with the same owner name checkbox; in the example the Name is ProvisionServer, the FQDN ProvisionServer.vpropov.local and the IP address 192.168.0.22.
5. In the Name field, type ProvisionServer.
6. Type in the IP address of the SCS server.

Repeat this procedure from Step 3:
12. Replace the name in Step 5 with ProvisionServerDB.
13. Replace the IP address in Step 6 with the IP address of the Microsoft SQL Server supporting the SCS server.
14. Close the DNS MMC console.

Intel AMT Add-On for Microsoft SMS 2003
Before installing the add-on for SMS, there must be an SMS 2003 environment installed, configured and working properly.

Installation of SMS Add-On: Pre-Install Activities. The SMSAMTAddonInstaller.exe must be extracted to produce all the files needed for the installation. Follow the instructions below to extract the files:
1. Double-click SMSAMTAddonInstaller.exe.
2. On the license agreement, select accept and click Next.
3. Select the location for the fil...
67. [Windows Explorer, folder C:\Certificates: Rootcert.cer (2 KB, Security Certificate, 11/20/2007 8:16 AM) and webcertificaterequest.txt (2 KB, Text Document, 11/21/2007 8:57 AM).]

[Microsoft Certificate Services, Advanced Certificate Request page: "The policy of the CA determines the types of certificates you can request. Click one of the following options to: Create and submit a request to this CA; Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file; Request a certificate for a smart card on behalf of another user by using the smart card certificate enrollment station. Note: You must have an enrollment agent certificate to submit a request on behalf of another user."]

7. Open the text file webcertificaterequest.txt in Notepad. It contains the base-64 encoded request, beginning with the line -----BEGIN NEW CERTIFICATE REQUEST-----...
68. IntelME Setup and Configuration Servers (name is configurable): This group will contain the Intel AMT Setup & Configuration Server (SCS) service account(s). This will typically be only one account, but may be more if it is deemed necessary to create a single service account for each SCS. This group is recommended to be a Universal security group, as its membership may include accounts in different domains. This group is also a member of each domain local security group IntelAMT SCServers, to provide its members the rights needed in each domain.

IntelAMT SCServers (name is configurable): This is a domain local security group created in each Active Directory domain which contains managed Intel AMT devices. This group is given rights to create Intel AMT computer objects (intelManagementEngine) in the associated OU within its domain. This account requires Full Control rights to the OU where the intelManagementEngine objects are placed in order to set the Service Principal Name(s) (SPNs) on the object.

Intel(R) AMT Groups: If you have an Active Directory forest, make sure the Active Directory groups have Universal scope and not Global scope, so that users and groups from other domains in the forest can be added to the group.

A sample Visual Basic script, ADScript.vbs, is provided and shown below. You can use this script to prepare Active Directory for the installation. Before you use the script you need to edit it according to the com...
69. [Policy Name field; Reload Settings and Save and Close buttons.]

Note: SDP definitions are only noted at the time of the operation of applying the SDP. If the SDP is changed while a system is protected by the policy, no change will be communicated to the protected system. Likewise, if the SDP is changed during the application of the SDP to the systems in the collection, no change will be noted and all of the systems will be protected using the original SDP.

Note: Changing the SDP file alone will not update the SDP definition. The UI must be made aware of the change, either by unchecking and rechecking the Enable System Defense Policy for Advertisements checkbox or by pressing the Browse button and reselecting the file.

Maintenance Activities: SMS Add-on Duplicate Entries. Due to the nature of SMS, duplicate entries may be created for the same physical system. The add-on discovery mechanism can detect these types of duplicate entries and log them. Duplicate entries in the SMS repository may be valid or invalid depending on the host setup and configuration. For example, dual-boot systems are a valid case of duplicate entries. An example of an invalid duplicate entry is a case where a system was removed from SMS and a different system in SMS was given the name of the removed system. If this is the case, remove one of the entries and rediscover the system. Mo...
70. ...SCS being used to configure Intel AMT 2.1. This provides the ability to eliminate the single-touch provisioning described in the Manual and USB key provisioning models. This touch was moved into the OEM factory in this case, and the keys are generated by the OEM instead of the Intel AMT enterprise management team. Because the system has now been set up with the appropriate keys and certificates, the system is ready to go through its automatic configuration. For...

Setup and Configuration: Verifying Existing Network Infrastructure

Active Directory: While Active Directory is not a mandate for Intel AMT 2.1 technology to function, it is highly recommended for ease of administration and security. Active Directory will be necessary for configuring the Certificate Authority to secure the environment, and by extending the Active Directory schema the SCS console can group machines and provide security rights to Active Directory groups for ease of administration. For planning and deploying Active Directory and extending the schema, refer to Appendix A.

Active Directory Schema Extensions: Active Directory schema extensions are needed to allow Intel AMT devices to be members of the directory. This enables Kerberos authentication with Intel AMT devices managed with user accounts authenticated in the Active Directory forest. The size of the I...
71. Staging area: Although possible, it is unlikely that the end user receiving the Intel AMT 2.1 host will be the one preparing the device with the PSK. This has a high coordination requirement, operationally speaking, and could potentially pose a security risk depending on the process used to manage the PSK.

Internet Explorer Web Client: This client is depicted for completeness. Depending upon the configuration of the environment, it will communicate in clear text via standard HTTP or encrypted via SSL (HTTPS). When using SSL to the Intel AMT 2.1 hosts, it must be noted that the trusted root certificate of the assigning CA must be loaded on this client in order to eliminate the message indicating that it does not recognize the certificate presented for SSL communication. Further, the user must have the appropriate credentials and access control profile to log on to each individual Intel AMT 2.1 host, as defined in the SCS profile for each host. The preference is that these hosts be integrated into Active Directory, and therefore the client would use his AD credentials for access. Otherwise the client would need the proper username and password credentials maintained by the SCS and stored in the SCS SQL Server database.

Requirements and Dependencies: The following table lists the software recommendations required for a successful deployment of Intel AMT 2.1 management te...
72. ...Storage Realm, Event Manager Realm, Storage Admin Realm, Agent Presence Local Realm.
10. Click OK and then click Apply.

Profile Configuration: Power Policy Tab
1. Click the Power Policy tab. The tab shows Intel AMT is ON in the following host sleep states (Intel AMT is always ON, S0-S5) and an Idle Timeout (10 Minutes).
2. In the Intel AMT is ON in the followi...

Users
The users configured here will have access to the SCS console based on the defined permissions for each user or group. With AD integration these users or groups can be domain-based. Add users as follows:
1. From the SCS Console, select Users. The Users view lists each user name with its role; in the example VPROPROD\LOCALADMIN, VPROPROD\SCSROOTSERVICEA..., WEST\LOCALADMIN and WEST\SMSAMTUSER_VPW are all Enterprise Administrator.
73. ...Sx state during a reboot.

Power Up: Power up the system from any Sx state.
Reset: Reboots the system. This is a warm reset. Not available when the system is in an Sx state.
Power Cycle: Perform a power down / power up action. Not available when the system is in an S4 (hibernate) or S5 (soft off) state.
Power Down: Power down the system. This is a cold power down. Not available when the system is in an S4 (hibernate) or S5 (soft off) state.
BIOS Password Bypass: Selecting this checkbox bypasses the BIOS password during a reboot. This checkbox is only enabled if the system supports bypassing the BIOS password during a boot.
Refresh Power State: Manually refresh the power state; verifies the power state with Intel AMT.

Multiple Systems (Collections) Power Operations

The remote operation is performed in the background, and the results for each system are logged to the SMS log along with a summary of the operation. Below are the steps and settings available for Collections:
1 Right-click a collection of Intel AMT Systems.
2 Select All Tasks > Intel AMT Tasks > Power Control Operations.
3 The Power Control Operations for Collection window appears as shown below.

[Screenshot: Power Control Operations for Collection. Collection Name: All Systems. Power Control Commands. Boot Op
74. [Screenshot: Notepad window showing an exported certificate file; the text begins with BEGIN CERTIFICATE followed by base64 content that is OCR-garbled and not reproduced here]
75. [Screenshot: Intel AMT SCS Console, New Intel AMT Systems view, listing UUIDs of the form 3961FB14-A86E-11DB-BBDA-718109610...; page 1 of 9; dated 2007-06-02; filter options Order By Request, Order By Action]

You should now see Waiting in the status column. Click Refresh; the status should now change to Succeeded.

[Screenshot: Intel AMT SCS Console, Actions Status view, listing Provision and Maintenance actions with Execute Time values from 2007-06-02 17:21 to 17:30; status "No Operation In Progress"; filter options By Action ID, By Name, By Status]
76. [OCR-garbled base64 body of the exported certificate, not reproduced]
END CERTIFICATE

Repeat for each Intermediate CA as exported previously.

m Locate the Root Cert file created above and drag it into the second Notepad window.
n Next, copy the contents of the Root Notepad window and append it to the bottom of the intermediate window.

[Screenshot: Notepad window titled all.pem, beginning with BEGIN CERTIFICATE followed by base64 content]
77. ...a temporary file on the hard [disk].
S5 (Off): The computer is off with no power to the hardware, and the operating system has been shut down without saving system memory to disk.

Manual

This procedure explains how to set up Intel AMT 2.1 by manually entering security credentials. Credentials are specified through the MEBx (Management Engine BIOS Extension) screens. This procedure assumes that BIOS and MEBx parameters are set to the typical default values described in the table earlier in this section.

1 Using the Intel AMT Setup and Configuration Service (SCS), request that the SCS generate a provisioning pass phrase (PPS) and a provisioning ID (PID). The SCS should generate a TLS premaster secret and store the secret in a database along with other information such as operational mode, TLS setting, and so on. The SCS then provides you with a copy of the PPS and PID.
2 Remove the PC from its box, connect the PC to a power source, and power up the system.
3 In BIOS, make sure the Intel Management Engine is enabled throughout the BIOS.
6 Log into the MEBx using the factory default admin username and password. The default username and password are provided in the manual or shipping box for the PC.
7 Because this is the first login to the device, the system will require that you change the default administrator password.
8 Change the administrator password to a secure password.
9 Using MEBx features, make sure the ma
78. [Diagram residue: signature algorithm SHA-1; components shown include Certificate Store, IIS Auth, SCS Console, Local Console User, Internet Explorer, .pem files, SMS Server, Local Admin, Notepad, OpenSSL and Convert.bat]

5 From the General tab, select the certificate and click View Certificate.
6 Click the Details tab and then click Copy to File.

[Screenshot: Certificate dialog, Details tab. Version V3; Serial number 61 1d d5 15 00 00 00 00 00 02; Signature algorithm sha1RSA; Issuer and Subject in the vproprod.local domain; Valid from June 08, 2007 to June 08, 2008; Public key RSA (1024 Bits); buttons Edit Properties and Copy to File]

Quick Reference Guide: Maximizing the Benefits of Intel Active Management Technology, A Solution Guide

7 Click Next at the Welcome screen.

[Screenshot: Certificate Export Wizard, Export File Format: "Certificates can be exported in a variety of file formats. Select the format you want to use." Option shown: Base-64 e
79. Fully Qualified Domain Name (FQDN): A human-readable name corresponding to the IP address of a network interface as found on a computer, router, or other networked device. It includes both its host name and its domain name.

Group: In Active Directory, a collection of users and objects that share properties and permissions. A group may have another group as a member; the second group is then a sub-group of the first group.

GSS-API: Generic Security Services Application Programming Interface. The generic API for performing client/server authentication.

ISV: Independent Software Vendors that develop applications that use Intel AMT capabilities.

Kerberos: An access control system that was developed at MIT in the 1980s. The Kerberos concept uses a master ticket, obtained at logon, which is used to obtain additional service tickets when a particular resource is required. It is named after a mythological creature.

Key: A key is a piece of information that controls the operation of a cryptographic algorithm. In encryption, a key specifies the particular transformation of plaintext into cipher text, or vice versa during decryption. Keys are also used in other cryptographic algorithms such as digital signature schemes and keyed hash functions (also known as MACs), often used for authentication.

Key Distribution Center (KDC): In the Kerbe
80. ...and authentication method.

[Screenshot residue: InstallShield dialog offering Windows Authentication or authentication using Login ID and password]

15 In the Database Server field, click the drop-down arrow to select the NETBIOS name of the database server or a clustered database instance.
16 Select Windows Authentication and click Next.

[Screenshot: Intel Active Management Technology Setup and Configuration Server InstallShield Wizard, Database Configuration. Database Name: IntelAMT; Console User Name: VPROPOV\Administrator]

17 In the Database Name field, enter the name for the SCS database; the default is IntelAMT.
18 Leave the Console User Name field as the default and click Next.
19 Click Install.
20 The installer may prompt to add the Run As A Service permission to the user; click OK to accept.

[Screenshot: InstallShield Wizard Complete]

21 Remove the checkmark next to the Start Intel AMT Config Service checkbox and click Finish.

AMTConfig Service Verification

Verify that the AMTConfig Windows service is running as follows. From the SCS Server, click Windows Start > Run. In the Ope
81. ...comparison of Microsoft applications installed with licenses purchased, as well as how those titles were obtained, in order to better optimize software use across the organization.
• Provide IT administrators and management access to data accumulated by SMS.
• Provide scalable hardware and software management to the growing population of computers running Windows operating systems.
• Manage security on computers running Windows operating systems while expending a minimum level of administrative overhead.

For deploying and configuring SMS, refer to Appendix A.

Internet Information Services (IIS)

Internet Information Services (IIS) must be installed and enabled as part of the Windows Server installation for certain SMS site system roles:
• Distribution Points using BITS (Background Intelligent Transfer Service) require IIS to be installed and enabled on the site system and the distribution point. IIS is not required if the distribution point will not be BITS enabled. Enable WebDAV extensions for IIS on Windows Server 2003.
• Management Points require the site system to have IIS installed and enabled, and require BITS server extensions installed. The Distributed Transaction Coordinator (DTC) service and the Task Scheduler are required and must be enabled. SQL Server named pipes must be enabled also.
• Reporting Point requires the site system to have IIS installed and enabled. Active Server Pages must be installed and enabled also.
• Serv
82. ...that the service is started.

Installing a Stand-alone Subordinate CA

NOTE: To install an Enterprise Subordinate CA, proceed to Appendix B.

Install and configure a Stand-alone Subordinate CA as follows:
1 Log on to the server that will become the stand-alone subordinate CA.
2 Verify that Internet Information Services (IIS) is installed and Active Server Pages is configured on the server.
3 From the Control Panel, double-click Add/Remove Programs.
4 Click Add/Remove Windows Components.
5 In the Windows Components dialog box, click the checkbox to select Certificate Services.

[Screenshot: Windows Components Wizard. "You can add or remove components of Windows. To add or remove a component, click the checkbox. A shaded box means that only part of the component will be installed. To see what's included in a component, click Details." Components listed: Active Directory Services, Application Server (33.4 MB), Certificate Services (1.4 MB, selected), Distributed File System. Total disk space required 3.1 MB; space available on disk 15021.7 MB]

Quick Reference Guide: Maximizing the Benefits of Intel Active Management Technology, A Solution Guide

6 A dialog box is displayed indicating that the machine name or domain membership of the machine cannot be changed while it acts as a certificate CA. Type
83. ...ate Request. Click "Create and submit a request to this CA". Complete the request form as follows:
a In the Name field, type the Fully Qualified Domain Name (FQDN) of the SCS server, for example vpro-vs9.vproprod.local.
b In the Type of Certificate Needed field, click the drop-down arrow and select Server Authentication Certificate.
c In the Key Options area, select the Mark keys as exportable checkbox.

[Screenshot: Microsoft Certificate Services (VPRO-VS1), Advanced Certificate Request. Identifying Information: Name vpro-vs9.west.vproprod.local (E-Mail, Company, Department, City, State, Country/Region left blank). Type of Certificate Needed: Server Authentication Certificate. Key Options: Create new key set; CSP Microsoft Enhanced Cryptographic Provider v1.0; Key Usage: Both; Key Size 1024 (Min 384, Max 16384; common key sizes 512 1024 2048 4096 8192 16384); Automatic key container name; Mark keys as exportable checked; Export keys to file unchecked]

d Select the Request Format PKCS10.

[Screenshot: Key Options section repeated: Create new key set; CSP Microsoft Enhanced Cryptographic Provider v1.0; Key Usage: Both; Key Size; Automatic key container name; User specified key
84. ...ated when the Create Pre-Provision Data button is selected. Default is 50.
4 In the Factory Default MEBx Password drop-down box (this is the factory-assigned OEM password; the default value is admin), select admin.
5 In the New MEBx Password box, select Manual creation and type the same password specified in the Profile Configuration General Tab section.
  a Click OK.
6 Click Create Pre-Provision Data. A list of security keys is generated based on the number configured in the MEBx settings above.
7 Insert the USB key in a USB port and click Export. This USB key will be used for provisioning Intel AMT systems.

Generate Keys Using the Command-line CreateUSB Tool

Another method of generating security keys is to use the CreateUSB tool located in the Software\CreateUSBKey directory. A formatted FAT USB key is required to complete the Security Key generation.
1 From a command prompt, change the directory to Software\CreateUSBKey.
2 Type the following: USBFile create setup.bin setup.xml admin Password 20
Replace Password with the ME password of your choice, and the 20 with the number of keys you want to generate.

[Screenshot: Administrator Command Prompt running "USBFile create setup.bin setup.xml admin P@ssword 5"; output: Intel(R) AMT USB file writer and viewer sample; Creating USB file setup.bin with 5 records; Written USB file setup.bin; Written
85. ...ation. Click Install to begin the installation. If you want to review or change any of your installation settings, click Back. Click Cancel to exit the wizard.

7 Click Install and click Finish.

DNS and AMTConfig Verification

DNS Configuration (ProvisionServer, ProvisionServerDB)

The SCS server must be registered in the DNS for each domain. The host record must be replicated to other DNS servers in the domain. You can have more than one SCS server in an Active Directory forest, but all SCS servers share the same database. Create the DNS entry as follows:
1 Log on to the domain controller / DNS server with an administrative account.
2 Click Start > Administrative Tools > DNS.

[Screenshot: DNS console for VPRO-VS1 showing Forward Lookup Zones (_msdcs.vpropov.local, vpropov.local with DomainDnsZones, ForestDnsZones, sites), Reverse Lookup Zones, Event Viewer; records include Start of Authority (SOA), Name Server (NS) vpro-vs1.vpropov.local, and Host (A) 192.168.0.21 VPRO-CONSO...]

7 Place a checkmark next to the Create associated pointer (PTR) record checkbox.
8 Click Add Host.
9 Click OK at the completion message.
10 Click Done.
86. [Screenshot residue: Directory Security tab. Authentication and access control: "Enable anonymous access and edit the authentication methods for this resource" (Edit). IP address and domain name restrictions: "Grant or deny access to this resource using IP addresses or Internet domain names" (Edit). Secure communications: "Require secure communications and enable client certificates when this resource is accessed" (Server Certificate, View Certificate, Edit). Buttons: OK, Cancel, Apply, Help]

2 Click Server Certificate.
3 Click Next.

[Screenshot: IIS Certificate Wizard, Pending Certificate Request. "A pending certificate request is a request to which the certification authority has not yet responded. A certificate request is pending. What would you like to do?" Options: Process the pending request and install the certificate; Delete the pending request]

4 Select Process the pending request and install the certificate.
5 Click Next.

[Screenshot: IIS Certificate Wizard, Process a Pending Request. "Process a pending certificate request by retrieving the file that contains the certification authority's response. Enter the path and file name of the file containing the certification authority's response." Path and file nam
87. ...be recorded in the SMS log. In order to include subcollections, check the Include subcollections checkbox. To continue with the operation, click OK.

The discovery result for each system in the collection is logged to the SMS log and can be viewed in the SMS Console under Status Message Queries.

Systems that have been provisioned by the Intel AMT SCS can also be discovered. The add-on retrieves from the SCS all the systems that have been provisioned since the previous check was made. Systems retrieved from the SCS that do not already exist as SMS resources (for example, were not discovered by SMS methods) are added to the SMS repository by the add-on. Active Directory Discovery methods via the SMS process work sufficiently for most cases unless immediate results are required.

Discovering Systems provisioned by Intel SCS

The SMS Add-on can also retrieve from the System Configuration Service (SCS) all systems that have been provisioned since the previous check was performed. To discover Intel AMT systems provisioned by SCS, follow the steps below.

[Screenshot: system details. Host Name: HP-10; System IP: 197.168.66.104; Current Power State: Soft OFF (S5). Identification Information: Resource ID; Firmware Version 2.3b; System UUID 3961FB14-A86E-11DB-BBDA-718109610018; System Serial Number 2UN6S71FGF; System Manufacturer
88. ...bordinate CA ........ 141
Add Client Certificate Template to the Enterprise Subordinate CA ........ 149

Introduction

This document will explain the approach to organizing and executing a successful Intel Active Management Technology (Intel AMT) 2.1 implementation project. It is written from the perspective of deploying and supporting a full life cycle of enterprise Intel AMT 2.1 technology. This document will help the reader construct such an environment from the ground up, and it will reference instruction and guidance from Intel on the detail of Intel technology.

The intended audience of this document is systems integrators and those intending to perform full lifecycle support for any enterprise deployment of Intel AMT 2.1 technology. The reader will gain a comprehensive understanding of the mechanics and support of the Intel technologies and be instructed on the complete infrastructure setup required for this environment. This document is not intended to replace Intel AMT 2.1 vendor documentation, but rather relies upon it and strives to provide the integrated feel across the required Intel and Microsoft te
89. ...box guarantees that all the systems in the collection are powered up regardless of the state they were in when the operation was initiated. This option is only enabled if the Power Cycle remote control command was selected.

Note: The system's BIOS support determines which boot options are available, so systems from different hardware vendors may have different boot options.

Note: The operation is only performed by those systems in the collection that support all of the selected boot options. All other systems do not get the command and stay in their current state.

NOP: Normal Operation.

Caution: Ensure that the systems in the specified collection do not run key network operations or server applications, as these configurations will apply to every system in the collection.

The following table explains the fields in the Power Control Operations dialog box for a collection.

Collection Name: Name of the collection on which the operation is performed.
Reset: Reboots the system. This is a warm reset. Does not work on systems in an Sx state.
Power Cycle: Perform a power down / power up action. Does not work on systems in an S4 (hibernate) or S5 (soft off) state unless the Force Power Up option is selected.
Power Down: Power down the system. This is a cold power down. Does not work on systems in an S4 (hibernate) or S5 (soft off) state th
90. ...cally removed from each system in turn when the SMS Site is notified that the advertisement status for the system shows Program Success.

Note: If the system is not accessible because of networking, Intel AMT permissions, or other issues, the SDP will not be removed and a message will be logged to the SMS log. The policy can then be manually cleared.

The add-on creates several new fields in the System Resource schema of SMS system objects to store information about the SDP state of systems. These are shown below and can be used as attributes in any SMS query on System Resources. Below is a list of Intel AMT System Resource Fields.

Field: Description
IAMTSDPCount: The number of times the SDP has been applied to the system. If the value is 0, the system is not protected.
IAMTActivePolicyId: The Id of the SDP currently active and protecting the system.
AMTOldPolicyId: The Id of the SDP which was disabled in order to apply the current active SDP. This SDP will be restored when the current active SDP is removed.

Apply System Defense Policy to Advertisement

Follow the steps below to apply a System Defense Policy to an advertisement:
1 Right-click on the advertisement in the SMS Advertisements window.
2 Select All Tasks > Intel AMT Tasks > Apply SD Policy (System Defense Operations). The Apply SD Policy menu option is disabled if no poli
91. ...ccessfully
End If
objConnection.Close

The script performs WMI queries to obtain the Intel AMT UUID and the operating system fully qualified domain name (FQDN). The FQDN must be the final FQDN of the operating system as managed by the SMS agent on the operating system. This enables the SCS to properly assign the operating system FQDN to the Intel AMT system on the same machine, eliminating the confusion of having a system with two separate FQDNs.

This script executes with the proper domain account given rights to update the ProvisionServerDB with the information that it captures. There are three main routes through which this script can be executed, listed below. The method of execution of this script is again dependent upon the enterprise deployment requirements.
a Manually executed by the appropriate domain account assigned rights to the interim DB, logged onto the Intel AMT system's client operating system.
b Deployed via AD logon script.
c Deployed via SMS advertisement. Additional modification to the script is needed to create a proper SMS package ready for distribution; this would include better error handling and reporting as necessary.

The choice here is dependent upon deployment practices and requirements in the enterprise. It may be that the enterprise chooses all three methods depending upon local deployment requirements. The most secure method is deployment through an SMS advertisement, as consideration for interim DB update access is decide
92. ...certificates are not able to communicate with the Intel AMT 2.1 machines in their collections and do not identify them as Intel AMT 2.1 machines.

At any site where the add-on is installed, all the add-on functionality is available for all the systems and collections included in it. However, since the add-on conducts its operations from the site where the operations are initiated directly to the systems in the collection, it is strongly recommended to always choose a site as low in the SMS hierarchy as possible to do the operation. This prevents a heavy load on both the network and the SMS site. In particular, it is recommended to avoid initiating operations on collections except on SMS sites which directly manage systems.

In an SMS hierarchy there can be situations in which an Intel AMT 2.1 machine is not accessible at a higher level in the hierarchy due to domain boundaries, network issues, security constraints, or other reasons. This can occur even though it was discovered and identified as an Intel AMT 2.1 machine at a lower level in the hierarchy. In that case the machine is not recognized as an Intel AMT 2.1 machine when viewed from that higher-level site, and the add-on functionality cannot be executed on the machine from that site.

The full suffix of DNS branches must be added to the network controller properties when:
• Using an Active Directory domain hierarchy
• The add-on is intended to work with systems in different doma
93. ........ 16
Mutual Transport Layer Security (MTLS) ........ 16
Microsoft Certificate Authority (CA) in Standalone Mode ........ 17
Microsoft SQL Server 2005 Standard Edition SP2 ........ 17
Microsoft Internet Information Server 6.0 (IIS) ........ 17
Microsoft Domain Name Server (DNS) ........ 17
Microsoft DHCP Server ........ 17
Microsoft SMS 2003 SP3 ........ 17
Intel Setup and Configuration Server 3.0 or later ........ 17
Intel AMT Add-On for SMS Version 3.0 or later ........ 18
Quick Reference Guide Get
94. ...chnologies from a support and deployment perspective.

Architecture and Design Considerations

Architectural Overview

The architecture depicted here provides the reader with the guidance needed to understand the Intel AMT 2.1 support and deployment infrastructure. This guidance has taken into account changes in later versions of Intel AMT, and although not detailed here, only minor changes will be needed to support the later versions. This is communicated as the best practice for medium to large enterprises and is intended to provide the background and instruction needed to plan, design, and deploy a successful Intel AMT 2.1 implementation for the enterprise.

This document contains recommendations for enterprise setup and qualifies those recommendations with the minimum requirements for deployment. Depicted in the diagram in the Component Overview section are three pairs of 5 servers, with one server in each pair more transparent than the other. This is presented in this manner to help the reader understand the minimum requirement for a single server in the pair, and also to show that an enterprise deployment requires a second server at a minimum for availability purposes.

The Intel AMT 2.1 devices specific to this document are hosts that require wired network connectivity. This document will only address hosts that are connected to the network via a physical network connection. Intel AMT devices that provide support for wired and w
95. ...chnology configured in enterprise mode. These are not the minimum requirements that could be found for each individual component in the enterprise infrastructure supporting management of the Intel AMT 2.1 host devices. These recommendations provide guidance for enterprises wishing to employ a successful management infrastructure throughout their network. This list is followed by a detailed description of each item, with explanations to rationalize each recommendation.
• Windows Server 2003 Standard R2
• Windows Server 2003 Active Directory (AD) Forest
• Active Directory Schema Extensions
• Mutual Transport Layer Security (MTLS)
• Microsoft Certificate Authority (standalone configuration at a minimum)
• Microsoft SQL Server 2005 Standard Edition SP2
• Microsoft Internet Information Server (IIS) 6.0
• Microsoft Domain Name Server
• Microsoft DHCP Server
• Microsoft SMS 2003 SP3
• Intel Setup and Configuration Server 3.x
• Intel AMT Add-on for Microsoft SMS 3.x
• Intel AMT 2.1 Managed Devices

Windows Server 2003 Standard R2 SP2

Microsoft Windows Server 2003 Standard R2 SP2 is the recommended level of operating system for all services in the enterprise Intel AMT 2.1 deployment. This is not the minimally accepted level of the operating system; however, it is recommended that the production software be kept at the highest level. It is not a requirement to update the existing infrastructure to this level of OS, although recomm
96. (Screenshot: the Certificate Services "Submit a Certificate Request" page, with the Base-64-encoded CMC or PKCS #10 / PKCS #7 request pasted into the Saved Request box and the Certificate Template drop-down listing Basic EFS, User, Intel AMT Client Certificate and Web Server.)

From the Certificate Template drop-down box, select Web Server.

Click Submit.

(Screenshot: the Certificate Services "Certificate Issued" page: "The certificate you requested was issued to you", with DER encoded / Base 64 encoded options and the Download certificate and Download certificate chain links.)

11. Click Download certificate.
12. Click Save.
13. Type a name for the certificate file and click Save.
14. Click Close.
15. Close Internet Explorer and Notepad.

Install the Certificate in IIS

1. Return to the IIS Manager on the SCS server.

(Screenshot: the Default Web Site Properties dialog, showing the Web Site, Performance, ISAPI Filters, Home Directory, Documents, Directory Security, HTTP Headers, Custom Errors, BITS Server Extension and ASP.NET tabs.)
97. configuration service, as well as any remote management server that attempts to communicate with the system.

As the BIOS loads, it loads BIOS and MEBx settings, including enabling the Intel Management Engine, setting power policies for management engine sleep states and enabling Intel AMT 2.1. The BIOS then reads the new BIOS administrator password, PPS and PID, as well as other required information, from the USB storage device. When the BIOS has finished reading the settings from the USB device, it will display the prompt below:

Intel AMT Provisioning complete. Please power down the system for settings to take effect. Or press any key to continue with system boot.

1. Power down the PC and remove the power cable from the device.
2. Remove the USB storage device.

The PC is now ready to be sent to the user and go through the self-initiated, automated Intel AMT 2.1 configuration as described later in this guide.

Quick Reference Guide: Getting to Pro, An Enterprise Approach to Deploying Intel AMT

For OEM PCs whose Intel AMT 2.1 capabilities are already set up, the systems can be delivered directly to the user's desk. Once the user connects the PC to a power source and plugs the system into the network, Intel AMT 2.1 will initiate and complete its own configuration process. In environments in which security is a high-priority concern, Intel recommends that the initial security credentials for Intel AMT 2.1 be established in-house. Howe
99. cy has been loaded and enabled.

(Screenshot: the SMS Administrator Console Advertisements node, with the right-click menu for an Intel advertisement showing Disable Program, Re-run Advertisement, Delete, Properties, Intel AMT Tasks > Wake Up Systems on Advertisement / Apply SD Policy, and Help.)

The SDP has a fixed priority level of 50. This means that if there is also an enabled Agent Presence Policy (APP) on the Intel AMT system which has a priority higher than 50, the SDP will not be active. If there is no APP on the Intel AMT system, then the SDP for the advertisement will be enabled and activated even if there was a previous SDP set by some other application on the system. When the SDP for the advertisement is removed by the add-on, either automatically due to the successful installation of the advertised package or manually via the add-on menus, the add-on will re-enable any previous policy that was disabled when the SDP for the advertisement was applied.

If several different advertisements have an SDP applied to their target collections, and some systems are thereby multiply protected by the SDP, the protection will be removed from these systems when all of the relevant advertised packages have been successfully installed.

Reapplying an SDP to an advertisement has no effect on the systems in the collection which are still protected from the previous application of the SDP. This can be ve
100. d. If the interim DB is fed with incorrect information, the most damage that could be done is that the Intel AMT system is not configured correctly and another automated re-provisioning process is needed. Incorrect or malformed data fed into the interim DB will only prevent an Intel AMT system from being fully provisioned for out-of-band management.

Quick Reference Guide: Maximizing the Benefits of Intel Active Management Technology, A Solution Guide

Edit New Intel AMT Properties From the SCS Console

When the Intel AMT systems arrive at the end-user location and power is restored, the systems will now send a Hello message to the SCS server. From the SCS console we can now complete the provisioning.

(Screenshot: the Edit New Intel AMT Properties dialog, with the UUID shown in hexadecimal (3961FB14-486E-11DB-BBDA-718109610018), the FQDN hp-10.vpropov.local, and the Active Directory Organizational Unit in LDAP Distinguished Name format, OU=xxx,DC=foo,DC=com.)

From the SCS Console, click Intel AMT Systems.

Click Refresh and highlight one of the newly added Intel AMT systems.

(Screenshot: the Intel AMT Setup and Configuration Service Console with Intel AMT Systems selected, listing the Intel AMT devices with Status UnProvisioned, Provision Date 1969-12-31 18:00, Version Release 2.0.1 and Profile default Profile.)
101. d follow the wizard's instructions.

Caution: The Repair option restores the installation to its default state, replacing installed files if they have been changed and all registry settings with their default values. However, while Repair ensures the existence of the required add-on service user account, it does not change its settings.

Note: Repair will fail if the dedicated service user name has been changed in Active Directory, or the Active Directory settings for the dedicated service user account have been changed to "Account is disabled" or "User cannot change password".

Logs

All add-on operations are logged in the SMS log. Each log entry specifies the operation type and the result of the operation. For collection operations, the add-on logs the operation start, the result for each system and a summary of the complete operation. A specific Status Message Query can be created on these logs by performing the following steps:

1. Right-click on System Status > Status Message Queries and choose New Status Message Query.
2. Click the Edit Query Statement button in the Status Message Query Properties dialog.
3. In the Query Statement Properties dialog, select the Criteria tab.
4. Click the button to create a new criterion.
5. In the Criterion Properties dialog, select Simple value from the Criterion type drop-down
102. d or OEM models are unavailable. It is highly likely that an enterprise will choose a hybrid of the USB Key model and the OEM model, while primarily dependent on the OEM model.

The USB Key model will typically be used by enterprise deployments that require or utilize a staging area, where OEM equipment is delivered to one or more centralized locations where other activities to stage the equipment are required (for example, operating system and application installation). This centralized staging location is sometimes used as a means to ensure high-security provisioning of equipment, where relying on OEM and transit security is an unacceptable risk, as found in high-security sectors like government and financial. Also, the USB Key model may be used in situations that require field personnel to attend to provisioning Intel AMT 2.1 systems that are either new or in a break-fix scenario, directly deployed in their final production environment (for example, the user's desktop). This flexibility provides a mechanism by which in-place replacement of a failed motherboard in an Intel AMT 2.1 system does not require a touch at the OEM before being delivered onsite, thus allowing for third-party warehousing of common parts. Logging onto the Intel AMT BIOS from the system POST prior to provisioning the Intel AMT system will disable the system's ability to USB key provision. Finally, the USB Key model is recommended in situations where the enterprise is just beginning its deployment. T
103. d sends it to the other side during the authentication session.

RC4-HMAC: An encryption type based on the RC4 encryption algorithm that uses an MD5 HMAC for the checksum. It is included in the Windows implementation of Kerberos.

Realm: In Kerberos, a realm is the same as an Active Directory domain. Kerberos V5 expects realms to have all capital letters. Intel AMT functionality is divided among different realms, for example the Storage Realm and the Storage Administration Realm. ACLs associate a user or an SID with one or more realms.

RNG: A computer Random Number Generator is a software routine that implements an algorithm to generate random numbers. Modern cryptography rests on the assumption that ciphers can be constructed whose output is indistinguishable from random noise without knowledge of a secret key used in the algorithm. See Key.

Schema: A conceptual model of the structure of a database that defines the data contents and relationships. The Microsoft Active Directory schema contains formal definitions of every object class that can be created. One of these objects is the computer object. The Intel Management Engine class, based on the computer object, is added to the Active Directory schema and used to define Intel AMT objects. The SCS database schema defines the data tables maintained in the database and the relationships of the tables.

Security Identifier (SID): A numeric value that identifies a logged
104. der the dedicated user account shown below. Please ensure to add it to the relevant Active Directory groups to allow Kerberos access to AMT systems.

(Screenshot: the installer page showing the dedicated service account, "Logon as: EMSAMTUser_4P0" as captured, with a Password field and Back / Cancel buttons.)

Select Install to begin the install.

(Screenshot: Intel(R) AMT Add-on for SMS InstallShield Wizard, "Ready to Install the Program": The wizard is ready to begin installation. Click Install to begin the installation. If you want to review or change any of your installation settings, click Back. Click Cancel to exit the wizard.)

10. The status bar will indicate the install progress.

(Screenshot: "Installing Intel(R) AMT Add-on for SMS": The program features you selected are being installed. Please wait while the InstallShield Wizard installs Intel(R) AMT Add-on for SMS. This may take several minutes.)

11. When the install finishes, click on Finish.

(Screenshot: "InstallShield Wizard Completed": The InstallShield Wizard has successfully installed Intel(R) AMT Add-on for SMS. Click Finish to exit the wizard. In order to see the new menu entries for Intel(R) AMT Add-on for SMS, you will need to close and reopen the SMS Administrator Console.)

Configure SMS Add-on Settings

SMS i
105. ding one or more certificates to this computer. Allowing an untrusted Web site to update your certificates is a security risk. The Web site could install certificates you do not trust, which could allow programs that you do not trust to run on this computer and gain access to your data. Do you want this program to add the certificates now? Click Yes if you trust this Web site. Otherwise, click No.

15. Click Yes.
16. Close the Internet Explorer window and log off.

SMS Add-on Security Tab

Configure TLS security settings for communications between the SMS Add-on Service and the Intel AMT systems.

1. Log on to the SMS server as the SMS Administrator.
2. Open the SMS Administrator Console.
3. Right-click Collections > All Tasks > Intel AMT Tasks > Add-on Settings and select the Security tab.

(Screenshot: the Add-on Settings dialog, Security tab, with tabs About, Setup and Configuration, Security, Advertisement, Redirection and System Defense; fields CA Certificate Path (a .pem file under C:\Certificates\RedirPath), Enable Mutual Certificate checked, Client Certificate Path C:\Certificates\PrivateKey3.pem, Client Certificate Password, Service Account Password, and a Reload Settings button.)

4. Place a checkmark next to the Enable Intel AMT secure connection (TLS) checkbox.
5. In the CA Certificate Path field, type the path to the CA certificate .pem file previously created in the Creating Pem Files section of this document.
106. (Screenshot: the Edit Profiles dialog, View and Configure the Profile ACL, listing users such as CN=SCSRootServiceAcct, CN=Domain Admins, CN=DnsAdmins and CN=localadmin with their Access Permission (Any) and Realms (Redirection Realm, PT Administration Realm), and Add, Delete and Apply buttons.)

2. Click Add.
3. Select Kerberos User.
4. Click the browse (ellipsis) button; the Select User or Group dialog box is displayed.
5. Select the user or groups that will have access to SCS and click Check Names. This should include the SMSAMTUser_NNN accounts for those Intel AMT boxes that will be managed by the SMS Add-on and associated to this profile.
6. Click OK.
7. In the Access Permission drop-down box, select Any.
8. In the Realms drop-down list, hold down the Ctrl key and then select Remote Control Realm, PT Administration Realm and Hardware Asset Realm. Add additional realms as needed.
9. Click the top double-arrow icon to add the realms.

(Screenshot: the New ACL Entry dialog, "Fill in the ACL entry properties": Digest User / Kerberos User; Active Directory User or Group CN=SMS A4D Publish,CN=Users,DC=vpropov,DC=local as captured; Access Permission; Realms; Selected Realms: PT Administration Realm, Hardware Asset Realm, Remote Control Realm, Redirection Realm.)
107. e C:\Certificates\WebCert2.cer

6. Click Browse to select the certificate file created previously.
7. Click Next.

(Screenshot: IIS Certificate Wizard, SSL Port: "Specify the SSL port for this web site. SSL port this web site should use:".)

8. Click Next to accept the default SSL port, 443.

(Screenshot: IIS Certificate Wizard, Certificate Summary: "You have chosen to install a certificate from a response file. To install the following certificate, click Next." File name C:\Certificates\WebServerCertificate.cer. Certificate details: Issued To vpro-s4.north.vproprod.local; Issued By VPRO-VS1; Expiration Date 11/7/2008; Intended Purpose Server Authentication; Friendly Name Default Web Site; Country/Region US; State/Province Texas; City Celina; Organization Pro; Organizational Unit Pro AMT.)

9. Review the Certificate Summary and click Next.
10. Click Finish.
11. Click OK to close the Default Web Site properties page.
12. Close IIS.

Installing a Trusted Root on the SCS Console

The SCS console requires a certificate of the CA in order to authenticate to IIS; therefore you must install a certificate on all PC or server systems that will run the SCS console. Install a client issuer certificate in the SCS console's trusted root certificate store using the following procedure:

1. Logon
108. e

' Add flag: filename
sCommand = sCommand & " -f " & sFile
' Add flag: log directory (the log file is written there as ldif.log)
sCommand = sCommand & " -j ."
WScript.echo "Executing " & sCommand & "..."
Set WshShell = Wscript.CreateObject("Wscript.Shell")
ReturnCode = -1
' Run ldifde in a visible window and wait for it to finish
ReturnCode = WshShell.Run(sCommand, 1, true)
If ReturnCode <> 0 Then
    BailOnFailure ReturnCode, "on ldifde"
End If
WScript.echo vbCrLf & "Script executed successfully. See ldif.log for more information."
WScript.Quit 0

' Display subroutines
Sub BailOnFailure(ErrNum, ErrText)
    strText = "Error 0x" & Hex(ErrNum) & " " & ErrText
    WScript.echo vbCrLf & strText, vbInformation, "ADSI Error"
    WScript.Quit ErrNum
End Sub

The LDF file, IntelAMT.ldf, that supplies the input parameters to the above script is also shown below:

dn: CN=Intel Management Engine Version,CN=Schema,CN=Configuration,DC=x
changetype: add
adminDisplayName: Intel Management Engine Version
attributeID: 1.2.840.113741.1.8.1.2
attributeSyntax: 2.5.5.12
cn: Intel Management Engine Version
description: Intel Management Engine Version
adminDescription: Intel Management Engine Version
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: intelManagementEngineVersion
distinguishedName: CN=Intel Manag
109. e derived from the target system's computer object (OU derivation not shown in the script).

The script reads the environment variables CS_AMT_UUID, CS_AMT_ADDRESS and CS_OUT_FILE_NAME for input and outputs an XML file for SCS to the designated output file.

Option Explicit
Const adOpenStatic = 3
Const adLockOptimistic = 3
' Determine if profile is selected by id or by name
Const USE_PROFILE_ID = True
'Const USE_PROFILE_ID = False
Const DEFAULT_PROFILE_NAME = "MTLS"
Const DEFAULT_PROFILE_ID = 2
Const DEFAULT_AD_OU = ""
Const ForReading = 1, ForWriting = 2, ForAppending = 8
Const TristateUseDefault = -2, TristateTrue = -1, TristateFalse = 0
Const LOG_FILE_NAME = "InterimDB_Script.log"
Dim server, dataSource, dbName, tableName, sqlServerName, sql
Dim inputUUID, inputFilename, inputIP
Dim profileName, profileId, fqdn, ou, uuid
Dim objConnection, objRecordSet, objWMIService, collItems, objItem, oShell
Dim logfilesystem, logfile, logts, DateInfo
DateInfo = Now
' The following values should be changed by the user.
' NOTE: If you do not have the SQLEXPRESS edition of SQL Server, delete the "\SQLEXPRESS" string from the server name.
sqlServerName = "ProvisionServerDB"
' The data source value is illegible in the extracted page; assumed here to be the SQL Server instance name.
dataSource = sqlServerName
dbName = "NewAMTProperties"
tableName = "AmtProperties"
ou = ""
profileId = 2
profileName = DEFAULT_PROFILE_NAME
Wscript.Echo "Create Log Files"
Set logfilesystem = CreateObject("Scri
110. e enterprise. The fully un-provisioned device is in the state prior to Step 1 in this process, and the partially un-provisioned device returns it to the state produced in Step 1. However, each un-provision activity does not reset the administrator password for Intel AMT.

A consideration for provisioning the Intel AMT 2.1 devices is the coordination of the fully qualified domain name (FQDN) as defined in the operating system and in the Intel AMT system. This is best performed after the operating system is provisioned and joined to the Active Directory. After the operating system is joined to the domain, scripted actions are performed to complete Step 3 above. This activity is critical to enable proper management behavior of Intel AMT device management with the Intel SMS Add-on in coordination with SMS. Failure to properly coordinate the FQDN between the Intel AMT device and the operating system will not interfere with normal operating system management activities, but will greatly degrade Intel AMT device management.

The SCS needs identification information for each Intel AMT device: to know its FQDN, which profile to use and where to put the Intel AMT object in Active Directory. The identifying parameter for a device and the platform that it is on is the platform UUID. Entering the information manually in an enterprise environment is not practical on a large scale. Also, the FQDN will change as a machine is moved around in the enterprise and as
111. e reference to the computer object

Set Server = GetObject(sServer)
If Err.Number <> 0 Then
    BailOnFailure Err.Number, "on GetObject method for " & sServer
End If
sComputer = Server.Get("ServerReference")

' Ask for confirmation
strText = "This script extends the Active Directory Schema to support the Intel Management Engine class and attributes." & vbCrLf
strText = strText & "Are you sure you want to continue?" & vbCrLf
strText = strText & "Warning: selecting Yes will apply irreversible changes to the Schema."
intAnswer = Msgbox(strText, vbYesNo, "Make AD Schema Changes")
If intAnswer = vbNo Then
    WScript.Quit 0
End If

' Display the DN for the computer object
sComputerDNSName = Server.Get("DNSHostName")
strText = "Schema Master has the following DN: " & sComputer
' Append rather than overwrite so that both lines are displayed
strText = strText & vbCrLf & "Schema Master has the following DNS Name: " & sComputerDNSName
WScript.echo strText

' Get optional command line
sFile = "IntelAMT.LDF"
If Wscript.Arguments.Count > 0 Then
    sFile = Wscript.Arguments.Item(0)
End If
sFromDN = "CN=Schema,CN=Configuration,DC=x"
sToDN = sSchema
' Add flag: replace fromDN with ToDN
sCommand = "ldifde -i -k -c " & sFromDN & " " & sToDN
' Add flag: schema master
sCommand = sCommand & " -s " & sComputerDNSName
112. ect the setup.bin file copied to the USB key and click Open.

Click OK.

10. Click Refresh.
11. To view the details of a security key, highlight a key and click View.

(Screenshot: the View Security Key dialog, View Pre-Provisioning Security Keys, showing the PID, the PPS, the Factory Default MEBx Password (admin) and the New MEBx password, with the note "This MEBx password is typed into the MEBx screen or uploaded from the USB Key", and Print and Mark as Used buttons.)

Generate Keys Using the Command-line CreateUSB Tool

The third method of generating security keys is for the OEM to install the PID/PPS keys on the Intel AMT systems in the factory and then provide the Admin team a list of these keys to be imported into the SCS database.

1. Obtain the setup.bin file from the OEM.
2. Logon to the SCS console.
3. From the SCS Console, click Security Keys.
4. Click Import.
5. Select the setup.bin file copied to the USB key and click Open.
6. Click OK.
7. Click Refresh.
8. To view the details of a security key, highlight a key and click View.

(Screenshot: the View Security Key dialog, as above.)

Install Keys into Intel AMT sy
113. ed Authentication checkboxes.

8. Remove all other checkmarks.
9. Click OK.
10. Click the Select All button and then click OK.
11. Close IIS Manager.
12. Install the CA certificate in the certificate store as a trusted root certificate on the SCS server:
   a. Login to the SCS server.
   b. Open Internet Explorer.
   c. Enter the address of the Subordinate CA server web interface. In the following example, ca_machine is the host name of the CA server: http://ca_machine/certsrv

(Screenshot: the Microsoft Certificate Services welcome page in Internet Explorer: "Use this Web site to request a certificate for your Web browser, e-mail client, or other program. By using a certificate, you can verify your identity to people you communicate with over the Web, sign and encrypt messages and, depending upon the type of certificate you request, perform other security tasks. You can also use this Web site to download a certificate authority (CA) certificate, certificate chain, or certificate revocation list (CRL), or to view the status of a pending request. For more information about Certificate Services, see Certificate Services Documentation.")

Select a
114. (Screenshot: the Certification Authority MMC console showing VPRO-VS1 Certification Authority.)

Right-click on the CA server name again and select All Tasks > Start Service. You should notice the CA icon turn green, indicating that the service is started.

Create Client Certificate Template for the Enterprise Subordinate CA

During normal SCS operations, including provisioning, the SCS requests certificates on behalf of the Intel AMT systems. In an Enterprise Certificate hierarchy, the fields in the certificate requests are pre-defined in the form of templates. Follow the following procedures to create a template on the Enterprise subordinate CA:

1. Logon to the Enterprise subordinate CA server.
2. Click Start > Run, type mmc and click OK.
3. From the MMC console, select File > Add/Remove Snap-in.
4. Click Add.

(Screenshot: the Add Standalone Snap-in dialog listing available standalone snap-ins from Microsoft Corporation: .NET Framework 1.1 Configuration, Active Directory Domains and Trusts, Active Directory Schema, Active Directory Sites and Services, Active Directory Users and Computers, ActiveX Control, ADSI Edit, Authorization Manager, Certificate Tem
115. efore provisioning.

(Screenshot: the SCS Console Configuration Service Settings, General tab: TCP Listen Port; No. of Worker Threads 10; No. of Slow Worker Threads 10; Allow Remote Configuration; First common name (CN) in certificate subject name: Fully qualified domain name; Keep Log Time 60 Days; Log Level Warning; Keep Security Audit Time 2 Months; DB Settings / DB Name; Get New Intel AMT Properties: From DB / Get AMT Configuration from script, Script Location; Refresh.)

4. Define the General parameters:

TCP Listen Port: Each instance of Intel SCS listens for Hello messages from the Intel AMT devices on a defined TCP port. Accept the default port, 9971.

Intel AMT 1.0 Provisioning: This selection is for backward compatibility purposes only. Release 1.0 devices do not support TLS encryption. If there are no Release 1.0 devices on your network, leave the box blank.

Integrate with Active Directory: Place a checkmark next to the Integrate with Active Directory checkbox to enable the SCS server to add Intel AMT objects into the Active Directory database. This also enables the use of Kerberos authentication and the AD user list.

Log Level: Select Warning. Selecting the most detailed log level requires more resources and bandwidth.

Get New Intel AMT Properties: This option determines how SCS acquires the necessary information defining the In
116. el AMT Setup and Configuration Service (SCS), request that the SCS generate a provisioning pass phrase (PPS) and a provisioning ID (PID).
2. The SCS should then generate a TLS premaster secret and store the premaster secret in a database, along with other setup and configuration information such as operational mode, TLS setting and so on.
3. The SCS also stores the PPS, PID, new administrator password and other configuration data on your USB storage device.
4. Remove the PC from its box and connect the PC to a power source using the power cable.
5. Plug the USB storage device into the PC.
6. Power up the PC and press Y when the prompt shown is displayed:

Intel Management Engine BIOS Extension v2.1.4.0000
Copyright 2003-06 Intel Corporation. All Rights Reserved.
Found USB Key for provisioning Intel AMT.
Continue with Auto Provisioning (Y/N)

Caution: Do not power down the PC during this process. The BIOS must be allowed to finish loading in order to activate the settings and complete the setup process.

Caution: Do not power down or otherwise interrupt the PC during the setup process. Each PC's unique ID is associated with the specific USB key used to provision that PC. If the setup process is interrupted, you may have to manually reset that PPS and PID. At worst, the interruption might have voided a PPS/PID pair in the PSK repository and may prevent the PC associated with that PPS/PID pair from authenticating the
117. elect the component and install it now.

(Screenshot: the Windows Components Wizard, Application Server subcomponents: ASP.NET ("a powerful programming framework for building Web-based applications and services that can target any browser or device"), Background Intelligent Transfer Service (BITS) Server Extensions, Common files, Internet Information Services Manager, World Wide Web Service (details: World Wide Web Service, Active Server Pages, WebDAV Publishing).)

6. On the Summary of Selections screen, click Next to continue.
7. The server will finish loading the IIS services and a screen will pop up indicating the server is an application server.
10. Click OK > OK > OK > Next > Finish.
11. Click on Start > All Programs > Administrative Tools and open Internet Information Services (IIS) Manager.
12. Click the plus sign next to the server name, then click on Web Service Extensions.
13. Verify that BITS Server Extensions and ASP.NET are set to Allowed.
14. Right-click on WebDAV and select Allow.

Request and Install an SSL Certificate from a Standalone CA

Create the Certificate Request

From the SCS server, open Internet Explorer.
Enter the address of the Subordinate CA server web interface. In the following example, ca_machine is the host name of the CA server: http://ca_machine/certsrv
Type in login credentials.
Click Request a certificate.
Click Advanced Certific
118. em targeted by the Redirection Boot is not the system running the SMS console, the SMS server or any other key network system.

Note: SOL Redirection cannot be carried out on a collection.

To perform a Global Redirection operation, right-click any system and choose All Tasks > Intel AMT Tasks > Add-on Settings. The Intel AMT Add-on Settings dialog box is displayed. Click the Redirection tab.

(Screenshot: the Intel AMT Add-on Settings dialog, Redirection tab: SOL Redirection Port (1024-65535) 56666; IDE Redirection Timeout (2-255) 10 minutes; Max IDER Concurrent Sessions (1-25) 5; Boot Images Base Path with a Browse button; Reload Settings.)

The following parameters can be configured:

- SOL Redirection Port: Ensure that the port entered is not in use by another application.
- IDE Redirection Timeout: Specifies when an IDER session should be automatically terminated.
- Max IDER Concurrent Sessions: Maximum number of IDER redirection sessions that can be open concurrently using the network boot image file used for redirection. Note: The highest number that can be entered is the maximum number of network connections specified in the Add-on Settings dialog box, Performance tab. See the example below; in this example the max number is set to 10.

(Screenshot: the Add-on Settings dialog with the About, Setup and Configuration, Security, Performance, Advertisement, Redirection and System Defense tabs.)
119. emedy on your own.

Auditing Objects

Best practice in auditing objects in the Windows server operating system is fairly standard for other Windows server OS issues, and this is no exception: auditing objects for SCS or the SMS Add-on creates entries in the Windows security event log, helping identify many issues, the most likely being security access problems and ACL issues.

Certificate Troubleshooting

The basic activity for certificate troubleshooting is to open the appropriate certificate and check the certificate chain to make sure that the root certificate from the issuing certificate authority is installed correctly. Other activities vary according to the issue at hand, but it is imperative that the certificates have the appropriate Intel OID assigned, as noted earlier in the document, as well as the client and server authentication purposes assigned to the certificate used for Intel AMT management. For example:

(Screenshot: the Certificate dialog, Certification Path tab, showing the chain up to the VPRO-CA root, with a View Certificate button and Certificate status: This certificate is OK.)

ADSI Edit

This utility will help you determine if the appropriate Service Principal Names (SPNs) are assigned to the Intel Management Engine object created in the IntelAMT OU by the SCS. The service account running the AMTConfig service on the Setup & Configurati
120. ement Engine Version,CN=Schema,CN=Configuration,DC=x
    objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=x
    objectClass: attributeSchema
    oMSyntax: 64
    rangeLower: 0
    rangeUpper: 257
    name: Intel Management Engine Version
    schemaIDGUID:: vAtloG5TV02BGOlMbaH6ww==
    searchFlags: 0

    dn: CN=Intel Management Engine Host Computer,CN=Schema,CN=Configuration,DC=x
    changetype: add
    adminDisplayName: Intel Management Engine Host Computer
    attributeID: 1.2.840.113741.1.8.1.3
    attributeSyntax: 2.5.5.1
    cn: Intel Management Engine Host Computer
    description: Provides a mapping between Intel Management Engine and one or more Operating Systems computer objects running on the same host
    adminDescription: Provides a mapping between Intel Management Engine and one or more Operating Systems computer objects running on the same host
    isMemberOfPartialAttributeSet: FALSE
    isSingleValued: TRUE
    lDAPDisplayName: intelManagementEngineHostComputer
    linkID: 14910
    distinguishedName: CN=Intel Management Engine Host Computer,CN=Schema,CN=Configuration,DC=x
    objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=x
    objectClass: attributeSchema
    oMObjectClass:: KwwCh3McAIVK
    oMSyntax: 127
    rangeLower: 0
    rangeUpper: 257
    name: Intel Management Engine Host Computer
    schemaIDGUID:: Olzr2qNpe029m2q1ZrAZoA==
    searchFlags: 0

    dn: CN=Intel Management Engine Platform UUID,CN=Schema,CN=Configuration,DC=x
    chan
121. ended to stay consistent and to provide for better enterprise OS maintenance. The minimum level of operating system required is Windows Server 2003 SP1. The latest MSI installer is needed if the recommended OS is not used. This recommendation is the minimum for standing up new servers hosting the Microsoft Certificate Authority and the Intel Setup and Configuration Server. Following are the recommended configurations.

    Recommendation for Setup and Configuration Server and Microsoft Certificate Authority Server:
    PC Processor: Intel Pentium 4 processor, 1.5 GHz minimum; 2.4 GHz or faster is recommended
    Memory: 512 MB minimum; 1 GB or more is recommended
    Operating System: Windows Server 2003 R2; minimum Windows Server 2003 SP1
    Hard Disk: 525 MB
    Platform: .NET 2.0
    Internet Information Server (IIS): 6.0
    Networking: minimum Ethernet 100BASE-T

    Windows Server 2003 Active Directory (AD) Forest: This document will not provide guidance on how to design, plan, or implement the enterprise AD. The assumption is that the AD is already in a high-availability configuration inherent to its design and deployment footprint. This is simply an AD requirement for authentication purposes for the Intel Setup and Configuration Server, Microsoft SQL Server, Microsoft SMS 2003 Server, and, if integrated, the Intel AMT 2.1 hosts. It is also recommended that t
122. ent or a warning message appears and all the IDER options are disabled. Redirection Operation for a single system: Follow these steps to test a redirection operation for a single system. 1. Right-click on an Intel AMT system. 2. Select All Tasks > Intel AMT Tasks > Redirection Operations. 3. For BIOS operation, place a checkmark on both Serial Redirection Terminal and Enter BIOS Setup. (The Redirection Operations dialog shows the Host Name, IP address, and Current Power State (Soft OFF in the example), a Current Sessions button, the Boot Options (SOL: Serial Redirection Terminal, Lock system during operation, Enter BIOS Setup, BIOS Password Bypass; IDER: Boot from image located at, Set IDER Image, Post IDER boot: None; IDE Redirection Timeout, 2-255, 10 minutes), and the Power Up, Reset, Power Cycle, Power Down, Redirection Boot, and Close buttons.) You also have the option to Lock the System during Operation and bypass the BIOS Password. Click the Redirection Boot button. A telnet DOS window will now be displayed to replicate what is also displayed on the Intel AMT system. Navigate through the BIOS settings, Save or Ignore your changes, and Exit. The Intel AMT system will now reboot itself into a NOP state. For the IDER Boot from Image operation, remove the previous checkmark
123. BIOS Password Bypass: Select this box to bypass the BIOS password during a reboot (optional). This checkbox is only enabled if the system supports bypassing the BIOS password during a reboot. Current Sessions: Click the Current Sessions button to open the Current Sessions dialog. This displays any sessions currently running. A new session cannot be started if there are currently open sessions. (The dialog shows the IDER session and SOL session status, in the example "IDER session is not running" and "SOL session is not running", each with a Stop Session button, plus a Refresh button.) Stop Session: Click the Stop Session button next to each running session and then click the Close button. Note: Clicking the Refresh button checks again for any running sessions. Redirection Boot: Click this button to perform the boot with the selected options. Caution: Redirection Boot can cause loss of data to users logged on to the system. Note: Ensure that the system targeted by the Redirection Boot is not the system running the SMS console, SMS server, or any other key network system. Note: Once a redirection session is opened for a system, no other redirection session can be opened for that system until the first session is closed. To open both SOL and IDER sessions, it is required to choose both in the same boot operation. It is also not possible to run any other operation (for example, re-discover or Remote Control) on a system which has an open redirection session; the system is locked. To
124. ent screen, select Accept and click Next. 6. At the Setup Type screen, determine which setup will be installed. The full installation must be installed on each SMS Primary Site Server, including the Central Site Server, that will manage Intel AMT capable systems. The full installation includes the Intel AMT Add-on for SMS Service and the Console plug-in. The Console Add-on will install the add-on for the remote console and can be installed on any machine that will connect to the SMS database. (The License Agreement screen shown displays the Intel software license text, which begins "IMPORTANT - READ BEFORE COPYING, INSTALLING OR USING" and must be accepted before the Intel AMT Add-on fo
125. entication mode is selected. c. Click OK. Grant SQL DB Access to the SCS Service Account. NOTE: This may not be needed in the case that SCS is installed using a database administrator (DBA) provided account with the system administration (sysadmin) role. From the left pane, expand Security. Right-click Logins and create a new Login. Select the SCS Service Account user name. Click OK. Right-click the SCS Service user name, select Properties, select Server Roles, and check the sysadmin role. Click OK. Install SCS Server Components: 1. Log on to the SCS server using the Administrator ID. 2. Verify that the SCS Service account is configured with the following access rights: a. The service ID is created in the domain in which the issuing CA is installed. b. Member of Local Administrators on the SCS server. c. Log on as a Service on the SCS server. d. If using Windows Authentication on the SQL server, the SCS Service account must have the sysadmin role on the database server. Otherwise, if using SQL Authentication, you'll need the SA credentials. 3. Log on to the SCS server using the SCS Service account. Double-click AMTConfserver.exe. This file is obtained by downloading the software distribution from Intel (http://softwarecommunity.intel.com/articles/eng/1025.htm). AMTConfserver.exe is found within the distribution file
126. eployed, but expects a proper instance exists. The architecture above does describe its interaction with Intel AMT 2.1. This document will go into the usage of SMS insofar as it relates to the Intel AMT Add-on. General SMS usage for typical software distribution and configuration is not a topic covered here. The add-on has two main components: a Service that runs exclusively on the SMS server, and an SMS console snap-in that extends the SMS console menus to include the Intel AMT 2.1 functionality; the snap-in can be installed on an SMS server or on an SMS console. The Intel AMT Add-on installed on SMS is used to provide operational control of the Intel AMT 2.1 host. It makes API calls to the Intel SCS in order to gain proper credentials, via policy, to control and manage the Intel AMT 2.1 host. Documentation fully describing the Add-on is referenced below. The Intel AMT Add-on for SMS, in conjunction with the Intel SCS, is what provides the operational team with the capabilities to manage the Intel AMT 2.1 hosts. The add-on extension to SMS provides secure access to the capabilities enabling discovery of Intel AMT 2.1 supported systems and managing those systems remotely. These capabilities include: Asset Discovery & Identification; System Wake-up; System Remote Control, including Serial Over LAN (SOL) text-based, non-GUI remote control; System Redirection Operations, including Integrated Drive Electronics redirection (IDE-R) remote boot; Ca
127. equest Handling, Subject Name, Issuance Requirements, Superseded Templates, Extensions, and Security tabs. On the Extensions tab ("To modify an extension, select it and then click Edit"), the extensions included in this template are Application Policies, Certificate Template Information, Issuance Policies, and Key Usage; the description of Application Policies shows Server Authentication. 33. Click Apply and then click OK to save the template. Add Client Certificate Template to the Enterprise Subordinate CA: Follow the following procedures to add the newly created template to the Enterprise subordinate CA. 1. Click Start > Programs > Administrative Tools > Certification Authority. 4. From the list of templates, select the template created in previous steps. (The Enable Certificate Templates dialog, "Select one or more Certificate Templates to enable on this Certification Authority", lists the Intel AMT Client Certificate template with the intended purposes Server Authentication, intel_oid, and Client Authentication, alongside standard templates such as Enrollment Agent (Computer), Exchange Enrollment Agent (Offline request), Exchange Signature Only, Exchange User, IPSec, IPSec (Offline request), and Key Recovery Agent.)
128. er 2.16.840.1.113741.1.2.1. (The application policies list at this point shows Client Authentication, Encrypting File System, and Secure Email.) 26. In the Name field, type intel_oid. 27. In the Object identifier field, type 2.16.840.1.113741.1.2.1. 28. Click OK. 30. Click Add. Add Application Policy: An application policy (called enhanced key usage in Windows 2000) defines how a certificate can be used. Select the application policy required for valid signatures of certificates issued by this template. (The available application policies include Key Recovery Agent, License Server Verification, Lifetime Signing, Microsoft Time Stamping, Microsoft Trust List Signing, OEM Windows System Component Verification, Private Key Archival, Qualified Subordination, Root List Signer, Server Authentication, Smart Card Logon, Time Stamping, and Windows Hardware Driver Verification.) 31. Select Server Authentication and click OK. The Edit Application Policies Extension dialog now lists Client Authentication, Encrypting File System, intel_oid, Secure Email, and Server Authentication, with Edit and Remove buttons and a "Make this extension critical" checkbox. 32. Click OK. Properties of New Template: General, R
129. er Locator Point requires the site system to have IIS installed and enabled. SQL Server 2005: SQL Server is a prerequisite to installing Systems Management Server 2003. For installing and configuring SQL Server 2005, refer to Appendix A. Once SQL Server is installed, the interim provisioning database and associated table should be created utilizing the following script. This script must be modified before execution and is fully documented. This is the database used for mapping the client operating system fully qualified domain name, Active Directory (AD) domain name, and profile ID to the Intel AMT universally unique identifier (UUID). The SQL code in the attached file may be executed in the SQL Server query analyzer and performed by the database administrator.

    -- This is a sample script that is intended to demonstrate how to create
    -- an auxiliary database in SQL Server 2005. This database is purposed to
    -- hold the information about Intel AMT systems for future configuration.
    -- User should perform the following changes to adapt this script to its
    -- own environment:
    --   Line 21: Change location of NewAMTProperties.mdf file
    --   Line 23: Change location of NewAMTProperties_log.ldf file
    USE master
    GO
    -- Create Database NewAMTProperties
    CREATE DATABASE NewAMTProperties ON PRIMARY
    ( NAME = N'NewAMTProperties', FILENAME = N'c:\Program
130. ertificate Request (CSR) to the Enterprise CA: 1. Open Internet Explorer on the SCS server. 2. Type in the CA URL, for example http://vpro-vs4/certsrv. (The Microsoft Certificate Services welcome page opens: "Use this Web site to request a certificate for your Web browser, e-mail client, or other program. By using a certificate, you can verify your identity to people you communicate with over the Web, sign and encrypt messages, and, depending upon the type of certificate you request, perform other security tasks. You can also use this Web site to download a certificate authority (CA) certificate, certificate chain, or certificate revocation list (CRL), or to view the status of a pending request. For more information about Certificate Services, see Certificate Services Documentation." Select a task: Request a certificate; View the status of a pending certificate request; Download a CA certificate, certificate chain, or CRL.) 3. Click Request a certificate. 4. Click Advanced certificate request. (The next Microsoft Certificate Services page is shown.) Certificates
131. ertificates are kept. Windows can automatically select a certificate store, or you can specify a location for the certificate: "Automatically select the certificate store based on the type of certificate" or "Place all certificates in the following store". 17. Select Place all certificates in the following store and click Browse. The Select Certificate Store window opens (listing Personal, Trusted Root Certification Authorities, Enterprise Trust, Intermediate Certification Authorities, Active Directory User Object, and Trusted Publishers, with a Show physical stores checkbox). 18. Select Trusted Root Certification Authorities and click OK. 19. Click Next > Finish. A message should display indicating you are about to install certificates; click Yes. 20. Click OK; a message should display indicating a successful import. Configure IIS on the Subordinate CA: 1. Click Start > Programs > Administrative Tools > Internet Information Server (IIS) Manager. 2. Expand <Computer Name> (local computer). 3. Click Web Sites. 4. Right-click the Default Web Site and click Properties. 5. Click the Directory Security tab. 6. Click Edit in the Authentication and access control section. 7. Verify that there is a checkmark next to Enable Anonymous Access and Integrat
132. es to be extracted, or accept the default location. Click Next. 4. Click Finish. This file is obtained by downloading the software distribution from Intel (http://softwarecommunity.intel.com/articles/eng/1356.htm). There are three folders extracted from the distribution. Open the iAMT addon for SMS folder to view the iAMTAddonSetup.exe for the installation and the ADScript.vbs script that will need to be edited. Active Directory Users and Groups: A script file, adscript.vbs, is provided for the creation of SMS Add-on users and groups in Active Directory. The script must be edited prior to running in order to add specific information relating to the environment. These edits include the domain name, SMS Site Code, the SMSAMTUser_NNN User ID, and password. The script will also add the Log on as a service right for the SMSAMTUser_NNN account on the local machine. Below is the VB script found and described in section O, Active Directory Domain Requirements. NOTE: This activity may have been completed at the time of Active Directory preparation as described in the Active Directory Domain Requirements section above. This is included here for completeness.

    ' this section creates the 3 AD groups used for the add-on permissions
    Const ADS_PROPERTY_APPEND = 3
    Set objRootDSE = GetObject("LDAP://rootDSE")
    Set objContainer = GetObject("LDAP://cn=Users," & objRootDSE.Get("defaultNamingContext"))
    Set objGroup = objConta
133. escribed elsewhere in the document. Intel AMT Add-on for SMS 3.x: This will install an SMS add-on and system service to each central site and primary site server in the management hierarchy used. Intel AMT Setup & Configuration Server 3.x Configuration: This activity appropriately configures the SCS to operate in the management infrastructure. Intel AMT 2.1 Host Provisioning: This is the final activity to prepare and complete operations on the Intel AMT 2.1 devices; it enables them for full manageability with the management infrastructure. The reader will also find detailed guidance on the minimum requirements for implementation of the Intel AMT 2.1 management components listed above, along with enterprise-level recommendations. The goal here is to provide for a successful deployment of Intel AMT 2.1 management capabilities throughout the enterprise. Component Overview (architecture diagram): a Windows Server 2003 Active Directory Forest (corp.company.com); a Microsoft Certificate Authority, for which a minimum 2-tier architecture including an offline standalone root is recommended; the Setup & Configuration Server and SCS Console, using TLS port 9971, with redundancy per geographic site recommended; Microsoft SMS 2003 SP3; and the Intel AMT 2.1 hosts (managed clients).
134. ess http://vpro-vs1/certsrv/certfnsh.asp. (Microsoft Certificate Services, VPRO-VS1: "Certificate Issued. The certificate you requested was issued to you. Install this certificate.") 16. Click Install this certificate. (A Potential Scripting Violation warning appears: "This Web site is adding one or more certificates to this computer. Allowing an untrusted Web site to update your certificates is a security risk. The Web site could install certificates you do not trust, which could allow programs that you do not trust to run on this computer and gain access to your data. Do you want this program to add the certificates now? Click Yes if you trust this Web site. Otherwise, click No.") 17. Click Yes. Creating PEM Files: Creating a .pem file is a process of concatenating the certificates of a certification path in reverse order. For example, in the diagram below, the VPRO-CAR certificate will be concatenated (appended) to the VPRO-VS1 certificate. Two (2) .pem files, the CA Certificate .pem and the Client Certificate .pem, will be created for the SCS configuration. (The Certification path shown has VPRO-CAR at the root with VPRO-VS1 beneath it; certificate status: "This certificate is OK".) Create the CA root certificate path PEM file: 1. Log on to the SMS Server as the SMSAMTUser_NNN. 2. Click Start > Programs > Internet Explorer. 3. Click Tool
135. esystem = CreateObject("Scripting.FileSystemObject")
    filesystem.CreateTextFile inputFilename
    Set file = filesystem.GetFile(inputFilename)
    Set ts = file.OpenAsTextStream(ForWriting, TristateUseDefault)
    ts.Write conf
    ts.Close
    logts.Close
    WScript.Quit 0

    NOTE: The SCS Service account must have a login associated with it in the SQL Server database that contains the table accessed by this script (default DB: NewAMTProperties; Table: AMTProperties). This login must have rights to read and delete records from this table. The InterimDB Script.vbs script provides a logging feature to enhance debugging of provisioning problems. The log created is a simple text file that is perpetually amended to include time and date stamps as well as detailed information for each provisioning request. It is located in the same directory as specified in the runscript.bat file. The VB script may also be modified to include business logic selecting which SCS profile to assign to Intel AMT systems (SCS profiles are described later in this document), or simply hard-coded to ignore the information in the interim DB. Other modifications may be made to this script to properly identify the OU in which to place each Intel AMT system to complete the provisioning process. This activity underscores the flexibility of the scripting methodology to enable automated provisioning of Intel AMT systems. The decision made to modify these scripts is guided by t
136. ext. Enter the file name for the certificate, for example C:\Certificates\Intermediate CA Cert, and click Next. Click Finish and then click OK for a successful export. Repeat steps a thru f for each additional intermediate CA (for example, if there is a Policy CA that precedes an Issuing CA). Click Close > OK. Close Internet Explorer. Open separate windows of the Notepad application for each certificate previously exported. k. Locate the Intermediate CA Cert file created above and drag it inside the first Notepad window. (The Notepad window titled "Offline Root Cert.cer" shows the exported certificate as a Base64 block beginning with -----BEGIN CERTIFICATE-----; the Base64 body is not legibly reproduced here.)
137. ext to the FQDN Suffixes window. (The Add new FQDN suffix entry dialog shows FQDN Suffix: vproprod.local.) 22. Type in the domain suffix for the CA server and click OK. (The TLS Mutual Authentication Settings page of the configuration profile shows the CRL Update Time, the number of certificates, Import and Remove buttons, FQDN Suffixes: vproprod.local with Add and Delete buttons, and Trusted Certificates, Issued To / Name / Expiration: CN=VPRO-CAR, expiring 2012.) 23. Click OK. (The Add/Edit Profiles dialog has General, Network, ACL, Power Policy, NAC, Wireless Profiles, and Wired 802.1x tabs. The Network tab, "View and configure the profile Network settings", shows General: Enable ping response (checked); VLAN: Use VLAN, VLAN Tag; Enabled Interfaces: Web UI, Serial Over LAN, IDE Redirection (all checked); TLS Settings: Use TLS (checked), Local Interface: TLS Server Authentication or TLS Mutual Authentication, Network Interface: TLS Server Authentication or TLS Mutual Authentication; TLS Server Certificate Details: Issuer VPRO-VS1.vproprod.local, Name VPRO-VS1, Template WebServer; TLS-PSK: Encrypted, Plain Text, or Both.) 24. Click Apply. Profile Configuration, ACL Tab: 1. Click the ACL tab. a. Add E
138. ficates - Current User\Personal\Certificates (MMC console). (The console tree under Certificates - Current User shows Personal > Certificates, Trusted Root Certification Authorities, Enterprise Trust, Intermediate Certification Authorities, Active Directory User Object, Trusted Publishers, Untrusted Certificates, Third-Party Root Certification Authorities, Trusted People, and Certificate Enrollment Requests; the certificate issued by VPRO-VS1 is selected, with All Tasks, Cut, Copy, Delete, Properties, and Help in its context menu.) 12. Click the Details tab. 13. Click Copy to File. The Welcome screen of the Certificate Export Wizard is displayed. (The Details tab, Show <All>, lists the fields Version, Serial number, Signature algorithm (sha1RSA), Issuer (VPRO-VS1), Valid from, Valid to, Subject, and Public key (RSA 1024 Bits). The Certificate Export Wizard welcome text reads: "This wizard helps you copy certificates, certificate trust lists and certificate revocation lists from a certificate store to your disk. A certificate, which is issued by a certification authority, is a confirmation of your
139. g process. Later in the document, a more detailed explanation of what is required to prepare an Intel AMT 2.1 device for management capabilities within the enterprise will be provided. The Intel AMT 2.1 device is set up and managed in the following order: 1. The Intel AMT 2.1 device is prepared in a pre-provisioning step, either in-house or by the OEM (Original Equipment Manufacturer). This step places specific configuration information on the device in order to prepare it for full automatic provisioning with the infrastructure depicted in the architecture below. 2. The Intel AMT 2.1 device is then placed on the network in its final production environment and connected to power and the network. 3. The Intel AMT 2.1 device then connects to the Intel Setup and Configuration Server (SCS), where security information and configuration information are delivered and stored on the Intel AMT 2.1 device. 4. Normal day-to-day operations occur in this step, and general operation is performed by the SCS and the Intel SMS Add-on initiating management activities on the Intel AMT 2.1 device. 5. The last step is performed when the Intel AMT 2.1 device is being redeployed or decommissioned. In each case, either the SCS or the Intel AMT Add-on for SMS is used to partially un-provision the Intel AMT 2.1 device (in the case of a redeployment scenario internal to the same enterprise) or fully un-provision it (in the case of a decommission or redeployment outside of th
140. g the request to a file and sending this file to the CA. (The CA Certificate Request page offers "Send the request directly to a CA already on the network", with Computer name vpro-car.vproprod.local and Parent CA VPRO-CAR in the example, or "Save the request to a file" with a Request file path.) a. In the Computer name field, type in the FQDN of the Stand-alone Root (Parent) CA. b. The Parent CA field is auto-filled for you if you click the Browse button. c. Click Next. 14. Click Yes on the dialog message informing you that IIS must be stopped temporarily ("To complete the installation, Certificate Services must temporarily stop the Internet Information Services. Do you want to stop the service now?"). 15. Click Finish and then close the Add or Remove Programs window. 16. Click OK when presented with the Microsoft Certificate Services message. 17. Configure the CA to issue certificates as follows: Click Start > Administrative Tools > Certification Authority. 18. From the right pane, right-click the CA server name. 19. Click Properties and click the Policy Module tab. (The VPRO-VS1 Properties dialog is shown.)
141. getype: add
    adminDisplayName: Intel Management Engine Platform UUID
    attributeID: 1.2.840.113741.1.8.1.5
    attributeSyntax: 2.5.5.10
    cn: Intel Management Engine Platform UUID
    description: Intel Management Engine Platform UUID is the platform GUID
    adminDescription: Intel Management Engine Platform UUID is the platform GUID
    isMemberOfPartialAttributeSet: FALSE
    isSingleValued: TRUE
    lDAPDisplayName: intelManagementEnginePlatformUUID
    distinguishedName: CN=Intel Management Engine Platform UUID,CN=Schema,CN=Configuration,DC=x
    objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=x
    objectClass: attributeSchema
    oMSyntax: 4
    rangeLower: 0
    rangeUpper: 257
    name: Intel Management Engine Platform UUID
    schemaIDGUID:: OMbxeNb08EfqFK50z9eO0w==
    searchFlags: 0

    dn: CN=Intel Management Engine Host Computer BL,CN=Schema,CN=Configuration,DC=x
    changetype: add
    adminDisplayName: Intel Management Engine Host Computer BL
    attributeID: 1.2.840.113741.1.8.1.4
    attributeSyntax: 2.5.5.1
    cn: Intel Management Engine Host Computer BL
    description: Backward link from host OS computer object to Intel Management Engine
    adminDescription: Backward link from host OS computer object to Intel Management Engine
    isMemberOfPartialAttributeSet: FALSE
    isSingleValued: TRUE
    lDAPDisplayName: intelManagementEngineHostComputerBL
    linkID: 14911
    distinguishedName: CN=Intel Management Engine Host Computer BL,CN=Schema,CN=Configuration,DC
142. Appendix B: The following sections provide links to documentation that may be used to attain detailed instructions specific to the named products and technologies. These documents support full installation configurations of each product mentioned in this document but not fully detailed here. It is intended that the reader utilize the information in this appendix to research the supporting products. Installing an Enterprise Subordinate CA: Install and configure an Enterprise subordinate CA as follows. 1. Log on to the server that will become the Enterprise Subordinate CA as an Administrator. 2. Verify that Internet Information Services (IIS) is installed and Active Server Pages is configured. 3. From the Control Panel, double-click Add/Remove Programs. 4. Click Add/Remove Components. 5. In the Windows Components dialog box, click the checkbox to select Certificate Services. (The Windows Components Wizard explains: "You can add or remove components of Windows. To add or remove a component, click the checkbox. A shaded box means that only part of the component will be installed. To see what's included in a component, click Details." The component list includes Active Directory Services, Application Server (33.4 MB), Certificate Services (1.4 MB), and Distributed File System; a Description field and "Total disk space required" are shown below it.)
143. he AD in place, has authorized the Microsoft DHCP server, and is integrated with the Microsoft DNS server. Microsoft Windows 2000 Active Directory is not supported in this infrastructure. Active Directory Schema Extensions: These allow Kerberos authentication with the Intel AMT 2.1 management engine. This is optional, as you may keep the Intel AMT 2.1 device accounts in the Setup & Configuration Server database. However, this is a highly recommended addition to the security of the enterprise. Implementing the extensions will provide for Kerberos authentication for the Intel AMT 2.1 devices and eliminate the need to maintain another account database. Extensions to the Active Directory schema are not reversible (a full directory restoration is required to back them out, and this activity is typically not performed), which must be taken into consideration. Detail of this extension can be found in section O, Active Directory Schema Extensions. When considering the implementation of the schema extensions, it must be understood that the Intel AMT devices are added as computer accounts within the AD forest, enabling full authentication of management accounts in the AD against the Intel AMT device. Without the AD schema extensions, Intel AMT devices must maintain their own user accounts and access control lists. This is generally unacceptable in the enterprise. Mutual Transport Layer Security (MTLS): Requires a Microsoft Certificate Authority (CA) at a min
...the OU can be created in multiple domains.

2. Edit CreateACL.vbs, located in the AdminScripts\Active Directory ACL directory.
3. Locate the line strOU = "OU=AMTOU".
4. Change the string to the OU created above and save the file.
5. Double-click CreateACL.vbs.
6. Click OK when the script response messages are displayed.
7. Open Active Directory Users and Computers.
8. Right-click the OU created in step 1 above, select Properties, and click the Security tab.
9. If the Security tab is not visible, click Cancel and, from the top menu, click View > Advanced Features.

[Screenshot: Security tab of the OU properties. Group or user names include ENTERPRISE DOMAIN CONTROLLERS, IntelAMT SCServers, Pre-Windows 2000 Compatible Access, Print Operators and SYSTEM; the permissions listed for IntelAMT SCServers (Write, Create All Child Objects, Delete All Child Objects, Generate Resultant Set of Policy, Special Permissions) are not set at this level. For special permissions or advanced settings, click Advanced.]

10. In the Group or user names box, select IntelAMT SCServers and click Advanced.

Quick Reference Guide: Maximizing the Benefits of Intel Active Management Technology, A Solution Guide
Quick Reference Guide: Getting to Pro, An Enterprise Approach to Deploying Intel AMT

...the enterprise deployment requirements.

Service Maintenance Settings

These are the parameters used to tune the performance of the SCS.

Queue Polling Period: Determines how frequently, in milliseconds, the Intel SCS checks the queue in the database for new tasks.
Max Queue Size: Sets the maximum permitted length of the database queue. If the queue is full when the server API attempts to add an additional entry, the entry is lost rather than deferred, so size the queue for the largest burst of device Hello messages you expect.
No. of Worker Threads: Limits the number of worker threads permitted simultaneously.
No. of Slow Worker Threads: Limits the number of slow worker threads permitted simultaneously.
Delayer Polling Time: When a process fails, it is sent to the Delayer. A process may fail because information is missing; for example, an Intel AMT device sends a Hello message before the device has an entry in the New Intel AMT Systems list, so there is no profile associated with the device and configuration cannot complete. The Delayer is a thread that manages rerunning delayed processes; this parameter determines how frequently the Delayer attempts to rerun a process.
Keep Log Time: Determines how long log entries are saved.
Keep Security Audit Time: Determines how long security status entries are saved.

Maintenance Policies

Periodically SCS can perfor...
...the same across all domains within a single AD forest. The current default, as described in this document, is OU=IntelAMTOU. The "OU=" portion of this value should remain unchanged, as it becomes part of a proper LDAP distinguished name.

2. profileID: This value corresponds to the profile identifier number assigned in the SCS. This is the profile to which the Intel AMT systems are assigned and configured in previous sections of this document.

While the previous two values are used to populate the Intel AMT interim DB to finalize automated provisioning, they could potentially be ignored in this script, and a further modification to the server-side script run by the SCS (listed in the section describing the configuration on the General page of the SCS console) could implement business logic to assign them. Alternatively, the server-side script could be modified to hard-code these values to what is needed. Note that the scripting mechanism is very flexible, and documentation describing every possible implementation of these scripts is not possible.

The interim DB provisioning script shown below must be executed from a fully configured Intel AMT system with a running operating system that has been joined to the Active Directory domain.

Option Explicit
Const adOpenStatic = 3
Const adLockOptimistic = 3
Dim dataSource, dbName, tableName, sqlSer...
...the standard DNS server mentioned above.
DHCP Server: Minimum is DHCP support for Option 81, allowing dynamic FQDN registration in DNS.
Microsoft DHCP Server: This is preferred instead of the DHCP server mentioned above.
Microsoft SMS 2003 SP3: Minimum is SMS 2003 SP1; all patches must be installed.
Intel AMT 2.1 Managed Devices: 2.1 provides support for USB provisioning.

Network Requirements Checklist

The General Port Requirements checklist includes columns for options that are Required (Req), Preferred (Pref), and a checklist column to note whether implemented (Impl). Rows recoverable from the table:
- SOAP commands with Enterprise TLS mode (HTTPS, encrypted): this port is used when a PKI infrastructure is utilized, in lieu of port 16992.
- IDE Redirection (non-encrypted port), and its encrypted counterpart used when a PKI infrastructure is utilized.

To simplify the networking components, four hardware switches and one router were used to host the network supporting the VM infrastructure and connecting the Intel AMT systems to specific network segments. This makes it easy to connect multiple Intel AMT systems to the virtual management infrastructure and to simulate geographic separation as described below. The specifications above may be increased as necessary to improve the performance of the supported virtual machines; however, the above hardware supported the lab environment with very few issues. One of the VMware server host...
...this model lends itself well to pilot and ramp-up scenarios where a quick start of provisioning and configuration is wanted before a complete delivery system of the OEM model has been worked out. The OEM model is the preferred model in most deployment scenarios and becomes critical when large orders and ongoing, consistent delivery of systems are a requirement. In other words, the OEM model scales to the needs of the large enterprise, delivering Intel AMT 2.1 hosts that are ready for automatic provisioning on the network. This model requires an arrangement with the OEM to pre-configure the Intel Management Engine-dependent BIOS with specific management policies and, most importantly, the provisioning pass phrase and provisioning ID of the system. This information, along with other pertinent identifying information about the individual system, is then delivered back to the enterprise to be uploaded to the Intel Setup and Configuration Server to enable automated provisioning in the enterprise. Because the pass phrase is the pre-shared key that authorizes provisioning, the list delivered by the OEM must be handled as a secret in transit and at rest. Detailed information can be found in the provisioning model discussions below and in the additional documentation, Intel Active Management Technology Deployment and Reference Guide.

The following provisioning model discussions provide setup procedures for Intel AMT 2.1 in different environments, automatically and manually. These procedures assume that the default BIOS and MEBx parameters are set as described in the table below.

BIOS or MEBx setting | Typical...
...certificate hash is already defined in the host. This will be covered in later documentation focused on Intel AMT 3.x devices.

These servers may be considered for virtual hosting environments. It is a requirement that the virtual hosting environment be fully supported within the environment through standard operating procedures. It is expected that, if these servers are virtually hosted, they will receive operational support equivalent to what they would receive in a physical environment.

Intel AMT Setup and Configuration Server (SCS) 3.0 or later

This server is required for enterprise provisioning (activation) of Intel AMT 2.1 hosts. SCS runs as a service on this Windows server and is one of the primary management points for the complete lifecycle management of the Intel AMT 2.1 hosts. The integral nature of this system dictates a recommendation for high-availability scenarios. This is depicted above as requiring a single server but shows a transparent server next to it, indicating a recommendation to provide high availability in an enterprise deployment scenario; this is expanded upon later in this document.

Once the Intel SCS has been installed and its database has been loaded with initial data, setup and configuration starts when an Intel AMT 2.1 host sends a message, called a Hello message, to the SCS. The SCS and the Intel AMT...
[Screenshot: Add Application Policy dialog. An application policy, called enhanced key usage in Windows 2000, defines how a certificate can be used; select the application policy required for valid signatures of certificates issued by this template. The list includes Code Signing, Digital Rights, Directory Service Email Replication, Document Signing, Embedded Windows System Component Verification, File Recovery, IP security end system, IP security IKE intermediate, IP security tunnel termination, IP security user, Key Pack Licenses, Key Recovery, Key Recovery Agent, License Server Verification, Lifetime Signing, Microsoft Time Stamping, Microsoft Trust List Signing and OEM Windows System Component Verification.]

25. Click New.
Type a name for the new application policy and, if necessary, change the object identifier.
29. Click OK.

[Screenshot: Edit Application Policies Extension dialog, showing the Name and Object identifier of the new policy.]
...identity and contains information used to protect data or to establish secure network connections. A certificate store is the system area where certificates are kept. To continue, click Next.

14. Click Next. The Export Private Key screen is displayed.

[Screenshot: Certificate Export Wizard, Export Private Key. Private keys are password protected; if you export the private key with the certificate, you must type a password on a later page. Options: Yes, export the private key / No, do not export the private key.]

15. Select Yes, export the private key, and click Next. The Export File Format screen is displayed.

[Screenshot: Certificate Export Wizard, Export File Format. Formats: DER encoded binary X.509 (.CER); Base-64 encoded X.509 (.CER); Cryptographic Message Syntax Standard, PKCS #7 Certificates (.P7B), with the option Include all certificates in the certification path if possible; Personal Information Exchange, PKCS #12 (.PFX), with the options Include all certificates in the certification path if possible and Enable strong protection (requires...
' BuildSchema.vbs - Builds the Schema
' (BailOnFailure is a helper subroutine defined elsewhere in the script; it is not shown on this page.)
On Error Resume Next

' Bind to the rootDSE
sPrefix = "LDAP://"
Set root = GetObject(sPrefix & "rootDSE")
If Err.Number <> 0 Then
    BailOnFailure Err.Number, "on GetObject method"
End If

' Get the DN for the Schema
sSchema = root.Get("schemaNamingContext")
If Err.Number <> 0 Then
    BailOnFailure Err.Number, "on Get method"
End If

' Bind to the Schema container
Set Schema = GetObject(sPrefix & sSchema)
If Err.Number <> 0 Then
    BailOnFailure Err.Number, "on GetObject method to bind to Schema"
End If

' Read the fsmoRoleOwner attribute to see which server is the schema master
sMaster = Schema.Get("fsmoRoleOwner")
If Err.Number <> 0 Then
    BailOnFailure Err.Number, "on IADs::Get method for fsmoRoleOwner"
End If

' The fsmoRoleOwner attribute returns the nTDSDSA object; its parent is the server object.
' Bind to the nTDSDSA object and get its parent
Set NTDS = GetObject(sPrefix & sMaster)
If Err.Number <> 0 Then
    BailOnFailure Err.Number, "on GetObject method for NTDS"
End If
sServer = NTDS.Parent
If Err.Number <> 0 Then
    BailOnFailure Err.Number, "on IADs::get_Parent method"
End If

' Bind to the server object and get th...
[Screenshot: Certification Authority console (Local), showing the CA VPRO-VS1.]

19. From the right pane, right-click the CA server name.
20. Click Properties and click the Policy Module tab.

[Screenshot: CA Properties dialog, Policy Module tab (tabs: General, Policy Module, Exit Module, Extensions, Storage, Auditing, Security). Active policy module: Windows default, version 5.2.3790.1830, which specifies how to handle certificate requests for Enterprise and Stand-alone CAs.]

Click Properties and select "Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate." The other choice, "Set the certificate request status to pending. The administrator must explicitly issue the certificate.", is the one that leaves a human in the loop; with automatic issuance the CA signs every request that reaches it, so restrict who can submit requests to this CA.
   a. Click OK. A dialog box is displayed indicating that Certificate Services must be restarted for these changes to take effect; click OK.
   b. Click OK.
   c. From the right pane, right-click the CA server name and select All Tasks > Stop Service. The CA icon turns red to indicate that the service is stopped.
[Screenshot: Intel AMT SCS Console, Actions Status view. The left pane lists Profiles, Actions Status, Security Keys, Users, Intel AMT Systems, Global Operations, Logs (Log, Security Audit) and New Intel AMT Systems. The right pane shows the status of asynchronous actions initiated by the console or by other SOAP API requests (Provisioning, ProvisioningException, Maintenance), with their execute time (2007-06-02), status (Waiting or Succeeded) and the VPROPOV\ user that applied them; the list can be filtered by action ID, name, status, date and time, or user, and shows No Operation In Progress.]
...minimum, it is recommended that you use the Microsoft CA in standalone mode. This eliminates the need to integrate into or stand up a complete CA in enterprise mode (for example, Active Directory-integrated). This is NOT required for environments where the user does not need encryption over the wire for management communication to the Intel AMT 2.1 device. The caveat is that, without TLS, user accounts and passwords, along with all session traffic, pass across the network in the clear.

Microsoft Certificate Authority (CA) in standalone mode: Minimum, if implemented. Not required for Intel AMT 2.1, for the reason that MTLS is not required. High-availability considerations are recommended, as is typical in common and recommended 2-tier CA designs. The Microsoft Certificate Authority provides the Public Key Infrastructure (PKI) for the enterprise, and loss of the trusted root or root server represents a complete breach or loss of control throughout the enterprise PKI. Thus, it is recommended that a 2-tier CA design including an offline root CA be implemented. Proper care and guidance should be taken into consideration when deploying a PKI. This document does not provide complete guidance on the design and operation of a PKI; it is recommended that the reader seek proper guidance for its implementation. Full implementation of certificate services may be found on...
...in branches. The Intel AMT Add-on is fully discussed in the Intel Active Management Technology Add-On for Microsoft SMS 2003 User Guide.

Intel AMT 2.1 Host

These devices are delivered from the OEM with Intel AMT 2.1 technology inside. The functions available are provided through a standard web interface (the Intel AMT 2.1 device acts as a web server, which is why we call this a host) over standard clear-text HTTP or SSL (standard HTTPS, recommended). Further, control of this device via the Add-on or SCS occurs over TLS or MTLS (recommended). The complete set of functions that Intel AMT 2.1 technology provides is best described in the Intel Active Management Technology Deployment and Reference Guide.

When an Intel AMT 2.1-enabled platform is delivered, the Intel AMT 2.1 device is present but disabled. The Intel AMT 2.1 device must undergo setup and configuration before it is operational. In enterprise environments, the setup and configuration must be done over the network interface. The process of preparing the host for activation as delivered from the OEM is described later. However, each device must be prepared with a pre-shared key (PSK) that is shared with the SCS in order to properly activate the device. It is recommended that this preparation be negotiated and delivered by the OEM delivering the hardware. It is also acceptable to prepare each system in a...
Set objGroup = objContainer.Create("Group", "cn=Intel(R) AMT Collections Managers")
objGroup.Put "sAMAccountName", "Intel(R) AMT Collections Managers"
objGroup.SetInfo
WScript.Echo "Group Intel(R) AMT Collections Managers created"

Set objGroup = objContainer.Create("Group", "cn=Intel(R) AMT Redirection Managers")
objGroup.Put "sAMAccountName", "Intel(R) AMT Redirection Managers"
objGroup.SetInfo
WScript.Echo "Group Intel(R) AMT Redirection Managers created"

Set objGroup = objContainer.Create("Group", "cn=Intel(R) AMT System Defense Managers")
objGroup.Put "sAMAccountName", "Intel(R) AMT System Defense Managers"
objGroup.SetInfo
WScript.Echo "Group Intel(R) AMT System Defense Managers created"

' This section creates the dedicated user account used for the Add-on service
' and adds it to the local Administrators group.
'   - change "Domain" to your domain name
'   - change NNN in the rest of this script to your Site code
'   - change yyy to the password for the SMSAMTUser_NNN account
' The password sits in this script in clear text: restrict access to the file
' and delete or rotate the password once the account has been created.
Set user = objContainer.Create("User", "cn=SMSAMTUser_NNN")
user.Put "sAMAccountName", "SMSAMTUser_NNN"
user.Put "userPrincipalName", "SMSAMTUser_NNN@Domain"
user.SetInfo
user.SetPassword "yyy"
user.AccountDisabled = False
user.SetInfo
WScript.Echo "User SMSAMTUser_NNN created"

' Bind to the local Administrators group; the remainder of this section
' (binding objUser and adding it to objGroup) is cut off on this page.
Set objGroup = GetObject("WinNT://./Administrators,group")
Set objUser = ...
[Screenshot: Certificates dialog, Trusted Root Certification Authorities tab, listing VeriSign Trust Network (Class 1 to Class 4) roots, VPRO-CAR and Xcert EZ by DST with their expiration dates (2009 to 2028); buttons Import, Export, Remove and Advanced; certificate intended purposes: All.]

7. Click Export and click Next.
8. Select Base-64 encoded X.509 (.CER).

[Screenshot: Certificate Export Wizard, Export File Format, with Base-64 encoded X.509 (.CER) selected; the other formats are DER encoded binary X.509 (.CER), Cryptographic Message Syntax Standard, PKCS #7 Certificates (.P7B) and Personal Information Exchange, PKCS #12 (.PFX), each with an Include all certificates in the certification path if possible option.]
...virtualization environment is to place the Microsoft Certificate Authority and the Intel AMT Setup and Configuration Server within that environment. The caveat is that the environment must be supported just like a standard physical server environment; processes and procedures should account for standard server support in the virtual environment. Note: Virtualization of the SQL Server database cluster is not recommended.

It is assumed that a fully functional Windows networking infrastructure, as depicted below in the Component Overview section, is in place prior to the deployment of Intel AMT 2.1 management capabilities. These assumptions include the highly available configurations most common to enterprise deployments of Windows Active Directory, Domain Name Servers, DHCP servers and a Microsoft Systems Management Server (SMS) hierarchy. The integration points for these Windows networking services are discussed later in the document. However, this document does not provide guidance on how to plan, design or deploy these components, except where configuration modifications or considerations must be made to integrate the Intel AMT 2.1 management services into the existing enterprise Windows networking infrastructure. These exceptions are described as appropriate in the remainder of the document.

Intel AMT 2.1 Device Provisioning Overview

At this point the reader will need to gain an understanding of the device pre-provisioning and provisionin...
...redirection parameters to be configured. The parameters that can be configured are:

SOL Redirection Port: The IT administrator must ensure that the port value is not in use by some other application.
IDE Redirection Timeout: Determines when an IDER session is terminated automatically.
Maximum Number of IDER Concurrent Sessions: Limits concurrent access to the network image file. The highest number that can be entered is the maximum number of network connections entered in the Performance tab.
Boot Images Base Path: The repository from which IDER boot images can be selected. The path must be a network path that is accessible to authorized users only, and the IT administrator must ensure that the dedicated Add-on user account is authorized to access it. Write access deserves the same care as read access: any image placed in this share can be booted on a managed system through IDE Redirection. If this path is not set, users cannot select a boot image in the Redirection operations dialog.

To select the repository from which IDER boot images can be selected:
1. Open Windows Explorer.
2. Create a directory, for example IDER.
3. Share the directory. NOTE: This is the directory where IDE Redirect boot images will be stored.
4. Return to the SMS Add-on Settings Redirection tab.
5. Click the Browse button.
6. Navigate to and select the directory created above and click OK.
7. Click Apply.

[Screenshot: Add-on Settings dialog, Redirection tab (tabs: About, Setup and Configuration, Security, Performance, Advertisement, Redirection, System Defense). SOL Redirection Port (1024-65535): 56666; IDE Redirection Time...
...wireless network connections are outside the scope of this document and will be addressed in later documentation.

Generally speaking, an enterprise wishing to deploy Intel AMT 2.1 will require at minimum three (3) servers in addition to its existing management framework for the Intel AMT 2.1 devices (hosts). It is highly recommended that, for a fully functional enterprise, these servers be made redundant as appropriate for their service to provide high availability. Most, if not all, enterprises require the robustness of service that can only be attained through high-availability configurations. The minimum three (3) additional servers are as follows:

1. One to host the Microsoft Certificate Authority.
2. One to host the Intel AMT Setup and Configuration Server.
3. One to host the Microsoft SQL Server database.

If an enterprise already has a SQL Server database or database farm in place, it could possibly be utilized, eliminating the need to stand up a separate service. Similarly, if an enterprise has an existing PKI in place, it could possibly be utilized for the Intel AMT 2.1 deployment. However, in this case it is likely that a successful startup of a pilot within an enterprise would be bolstered by implementing the PKI in standalone mode and then migrating to the existing PKI.

Another option for the enterprise that has a fully supported virtualizat...
...is BIOS upon booting.
Force Power Up: Only enabled when the Power Cycle power control command is selected. It ensures that the system is powered up even if it is currently in an S4 (hibernate) or S5 (soft off) state that would otherwise ignore a Power Cycle command.
Send Command: Performs the command on this collection and closes the dialog.

Wake Up on Advertisement

The Wake up upon advertisement feature integrates the Intel AMT wake-up feature with SMS advertisements. This is especially useful for delivery of patches and software during off hours when machines are powered off. If the advertisement is set for a collection, this feature wakes up the collection's powered-down Intel AMT-supported machines when the advertisement becomes active. When the clients wake up, they can contact SMS and apply the program being advertised. The advertisement must be a mandatory assignment for the global settings to take effect automatically; this global setting has no effect on non-mandatory advertisements.

Note: The wake-up is conducted on Intel AMT-supported systems belonging to the collection that meet the following criteria:
- Systems are already discovered in the SMS hierarchy.
- Systems have the SMS Advanced Client agent installed and active.
- Systems are reporting to the primary SMS site where the wake-up is conducted.

Note: If the advertisement is a non-recurring advertisement that has already run, Wake Up on Advertisement will not wake up the col...
[Screenshot: Advanced Security Settings for AMTOU, Permissions tab (tabs: Permissions, Auditing, Owner, Effective Permissions). Permission entries that are not inherited: Account Operators, Create/Delete InetOrgPerson Objects; IntelAMT SCServers, Full Control; IntelAMT SCServers, Create/Delete intelManagementEngine Objects; IntelAMT SCServers, Reset Password; IntelAMT SCServers, Read/Write Property. Administrators (Special) and Enterprise Admins (Full Control) are inherited from the domain root. "Allow inheritable permissions from the parent to propagate to this object and all child objects" is checked.]

11. In the Permission entries box, you should now see the special permissions assigned to the SCS Servers group for the OU.
12. Close Active Directory Users and Computers.
13. Run the CreateACL.vbs script in every domain where the OU is created.

Installing the Intel AMT Setup and Configuration Server (SCS)

The SCS server service, AMTConfig, is the configuration tool for Intel AMT devices. From a high-availability perspective it is...
(base64-encoded certificate body; the OCR of this sample is not reproduced here)
-----END CERTIFICATE-----

o. Save the combined file as a .pem file, for example "CA Certificate Path.pem".

NOTE: The certificate order for the .pem file creation is shown below.

CA Certificate Path.pem:
  Intermediate cert
  Root CA cert

Client Certificate Path.pem:
  Client Personal cert
  Intermediate cert
  Root CA cert

[Screenshot: Internet Options, Content tab, Certificates section (Clear SSL State, Certificates, Publishers), with the note that certificates positively identify yourself, certification authorities and publishers.]

Create the Client Certificate PEM file

The creation of the Client Certificate .pem file requires the use of the OpenSSL tool. It is an...
...load balancing technology; 2-tier PKI (offline root).

Minimum and Recommended Software

This checklist includes columns for options that are Required (Req), Preferred (Pref), and a checklist column to note whether implemented (Impl). The Req/Pref marks are not reproduced here; the notes column is:

Windows Server 2003 Standard R2 SP2: Minimum OS level for the above configuration.
Windows Server 2003 Active Directory (AD) Forest: Required.
Active Directory Schema Extensions: Recommended, to eliminate the need for an account database managed in SCS.
Mutual Transport Layer Security (MTLS): If PKI is implemented for security purposes, TLS is the minimum requirement.
Microsoft Certificate Authority, standalone configuration at a minimum: PKI is not required for Intel AMT 2.1 management; however, it is highly recommended for the enterprise to provide secure, encrypted management communication. The Microsoft Certificate Authority server is the minimum required.
Microsoft SQL Server 2005 Standard Edition SP2: Minimum is Microsoft SQL Server 2000 SP4.
Microsoft Internet Information Server (IIS) 6.0: Included in the Windows 2003 operating system.
Domain Name Server (DNS): Minimum is dynamic DNS supporting RFC 2136 dynamic FQDN registrations.
Microsoft Domain Name Server (DNS): This is preferred instead of t...
...file created above.

Create the convert.bat file as follows (convert.bat, opened in Notepad):

@ECHO OFF
rem del *.pem
stunnel\openssl pkcs12 -nodes -in input.pfx -out output.pem

a. Replace input.pfx with the name of the .pfx file.
b. Replace output.pem with what you intend to name your .pem file.
c. Save the edited convert.bat file.
d. Double-click the convert.bat file. A command window prompts: Enter Import Password.
e. Enter the private key password (the password specified during the .pfx file creation) and press Enter.
f. The preliminary Personal Certificate PEM file is now created. Because -nodes writes the private key into output.pem unencrypted, restrict access to this file (and to the combined file below) to the Add-on service account and administrators.
g. Using Notepad, open the personal certificate .pem file.
h. Open another two instances of Notepad (the second and third Notepad windows).
i. Copy the contents of the CA Certificate Path.pem file and append it to the personal certificate .pem file.
j. Save the combined file as a .pem file, for example "Client Certificate Path.pem".
k. The path to this .pem file will be used as the input to the CA Client Path field in the Security tab of the Intel AMT Add-on settings dialog.

18. Log off.

NOTE: The certificate order for the .pem file creation is shown below.

CA Certificate Path.pem:
  Intermediate cert
  Root CA cert

Client Certificate Path.pem:
  Client Personal cert
  Intermediate cer...
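Both .pem files above are assembled by hand in Notepad, and the Add-on reads them exactly as written, so a wrong paste order is easy to make and hard to spot. The following script is an added example, not part of the Intel guide or of the Add-on, that checks a concatenated .pem file for the expected leaf-first order using only the Python standard library: it walks just enough of each certificate's DER to read its subject and issuer, follows the issuer links to build the chain, and compares that chain with the order in the file. The sample certificates it builds (CLIENT, INTERMEDIATE, ROOT and the three *_PEM strings) are constructed placeholders with the X.509 field layout but no real keys or signatures; the function names are the example's own.

```python
import base64
import re

# Added example, not from the Intel guide: a stdlib-only check that a concatenated
# .pem file lists its certificates leaf first (Client Personal cert, Intermediate
# cert, Root CA cert), the order the Add-on expects. It walks just enough DER to
# read each certificate's subject and issuer; it does not verify signatures.

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = b"\x06\x03\x55\x04\x03"  # DER-encoded OID 2.5.4.3 (commonName)

def _tlv(buf, pos):
    """Decode one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length, big-endian
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, raw_element, value) for each element inside a constructed type."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, buf[pos:ve], buf[vs:ve]
        pos = ve

def _common_name(name_der):
    """Return the CN attribute of a DER X.501 Name, or None if absent."""
    idx = name_der.find(CN_OID)
    if idx < 0:
        return None
    _, vs, ve = _tlv(name_der, idx + len(CN_OID))
    return name_der[vs:ve].decode("utf-8")

def parse_cert(der):
    """Return (subject_der, issuer_der, subject_cn) for one DER X.509 certificate."""
    _, s, e = _tlv(der, 0)                    # Certificate ::= SEQUENCE
    _, _, tbs = next(_children(der, s, e))    # tbsCertificate is its first element
    fields = list(_children(tbs, 0, len(tbs)))
    if fields[0][0] == 0xA0:                  # optional explicit [0] version
        fields = fields[1:]
    # then: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[4][1], fields[2][1], _common_name(fields[4][1])

def pem_blocks(text):
    """DER bytes of every CERTIFICATE block, in file order."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]

def file_order(text):
    """Subject CNs in the order they appear in the file."""
    return [parse_cert(d)[2] for d in pem_blocks(text)]

def chain_order(text):
    """Subject CNs leaf-to-root by following issuer links; raises if not one linear chain."""
    certs = [parse_cert(d) for d in pem_blocks(text)]
    by_subject = {c[0]: c for c in certs}
    used_as_issuer = {iss for subj, iss, _ in certs if iss != subj}
    leaves = [c for c in certs if c[0] not in used_as_issuer]
    if len(leaves) != 1:
        raise ValueError("expected exactly one leaf certificate, found %d" % len(leaves))
    order, seen, cur = [], set(), leaves[0]
    while cur[0] != cur[1]:                   # stop at the self-signed root
        order.append(cur[2])
        seen.add(cur[0])
        cur = by_subject.get(cur[1])
        if cur is None or cur[0] in seen:
            raise ValueError("issuer of %s missing from file, or chain loops" % order[-1])
    return order + [cur[2]]

def check_order(text):
    """True when the file is already in the leaf-first order the Add-on expects."""
    return file_order(text) == chain_order(text)

# Constructed sample certificates: real X.509 field layout, placeholder key and signature.
def _der(tag, content):
    n = len(content)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + ln + content

def _name(cn):
    attr = _der(0x30, CN_OID + _der(0x13, cn.encode("ascii")))  # AttributeTypeAndValue
    return _der(0x30, _der(0x31, attr))                           # Name ::= SEQUENCE OF SET

def fake_cert(subject_cn, issuer_cn):
    alg = _der(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05")  # sha1WithRSAEncryption
    validity = _der(0x30, _der(0x17, b"070602000000Z") + _der(0x17, b"090602000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + _name(issuer_cn)
               + validity + _name(subject_cn) + _der(0x30, alg + _der(0x03, b"\x00")))
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

ROOT = fake_cert("Root CA cert", "Root CA cert")
INTERMEDIATE = fake_cert("Intermediate cert", "Root CA cert")
CLIENT = fake_cert("Client Personal cert", "Intermediate cert")
CA_CERTIFICATE_PATH_PEM = INTERMEDIATE + ROOT                      # "CA Certificate Path.pem"
CLIENT_CERTIFICATE_PATH_PEM = CLIENT + CA_CERTIFICATE_PATH_PEM     # personal cert with the CA file appended
WRONG_ORDER_PEM = ROOT + INTERMEDIATE + CLIENT                     # the same three, pasted root first
```

To check a real file, read "Client Certificate Path.pem" into a string and pass it to check_order(); when it returns False, chain_order() gives the order to paste the blocks in. The parser stops at subject and issuer on purpose: ordering is all the Add-on needs here, and signature verification belongs to the CA tooling, not to a paste check.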
...collection to run it again, even if the advertisement is scheduled to re-run.

Wake Up Global Setting

Follow these steps to configure the Wake up on advertisement global setting:
1. Right-click Collections.
2. Select All Tasks > Intel AMT Tasks > Add-on Settings.
3. The settings dialog box is displayed.
4. Click the Advertisement tab.
5. Place a checkmark next to Wake up systems on mandatory advertisements.

[Screenshot: Add-on Settings dialog, Advertisement tab (tabs: About, Setup and Configuration, Security, Performance, Advertisement, Redirection, System Defense), with the options Wake up systems on mandatory advertisements, Reset all advertisement wake up manual settings to automatic and BIOS Password Bypass on advertisement, and a Reload Settings button.]

6. Click Apply.
7. The following additional options are available for the global Wake up settings:
- Wake up systems on mandatory advertisements: Any mandatory advertisement associated with a collection wakes up the systems in that collection when the mandatory advertisement is set to occur, unless the setting is overridden for a specific advertisement.
- Reset all advertisement wake up manual settings to automatic: After the default behavior of this feature is changed, all current mandatory advertisements are reset to the new setting (recommended). It is only necessary to reset advertisements if they have been manually changed from the default settings. Advertisements which accept the default...
...click Close.
8. Close the Internet Explorer window.
9. Locate the certificate, right-click it and select Install Certificate.
10. Click Next > Next > Finish > OK.

Active Directory Modification: Schema Extension and User Groups

Important: Only the Active Directory Security Administration Team can make changes to the Active Directory environment.

The Active Directory scripts are located on the SCS server (<SCS servername>) in C:\Program Files\Intel\AMTConfServer\AdminScripts. Log in to the SCS server and copy the contents of the C:\Program Files\Intel\AMTConfServer\AdminScripts directory to a location on the domain controller.

Extend Active Directory Schema

The Active Directory schema scripts are located in the AdminScripts\Active Directory Schema directory.
1. Log on to the root domain controller with an administrative account that has schema access (a member of Schema Admins).
2. Double-click the BuildSchema.vbs file located in the AdminScripts\Active Directory Schema directory. This script and its supporting files are described in the Active Directory Schema Extensions section above, under the Active Directory requirements.
3. Click Yes at the schema change message.
4. Click OK > OK. The script window is displayed.

2. From the Active Directory Users and Computers console, create...
...list.
6. Click the Select button.
7. In the Select Attribute dialog, select Status Message from the Attribute class drop-down list.
8. Select Component from the Attribute drop-down list.
9. Click OK.
10. Click the Values button in the Criterion Properties dialog.
11. Select Intel AMT Add-on for SMS from the list box in the Values dialog.
12. Click OK repeatedly until all dialogs are closed.

Known Issues

Detailed information regarding known issues can be found in the Intel documentation: Intel Active Management Technology Add-On for Microsoft SMS 2003 Installation and User's Guide, Version 3.0.

Glossary

Access Control List (ACL): A set of data associated with a file, directory or other network resource that defines the permissions that users, groups, processes or devices have for accessing it. In Intel AMT, a list of users and their access privileges.

Active Directory (AD): An advanced hierarchical directory service that comes with Windows 2000/2003 servers. It is LDAP (Lightweight Directory Access Protocol, a protocol used to access a directory listing) compliant and built on the Internet's Domain Name System (DNS). Workgroups are given domain names just like web sites, and any LDAP-compliant client (Windows, Mac, Unix, etc.) can gain access to it.

AD OU: Organizational Units (OUs)...
...all the SCS servers installed in your network. Configure the SQL Server that contains the shared database as follows.

SQL Server Service Verification
1. On the computer running SQL Server, click Start > All Programs.
2. From the Microsoft SQL Server 2005 program group, select Configuration Tools > SQL Server Configuration Manager.
   a. In the left pane, select SQL Server 2005 Services. The right pane lists the services (SQL Server (MSSQLSERVER), SQL Server Browser, SQL Server Agent, SQL Server FullText Search, SQL Server Analysis Services) with their State, Start Mode, Log On As and Process ID.
   b. In the right pane, check the State column and ensure that SQL Server (MSSQLSERVER) and SQL Server Browser are both running. If they are not, select each service, right-click it and select Start. Verify that the Start Mode is set to Automatic. SQL Server Browser answers instance-enumeration requests on UDP 1434, so allow that port only from the SCS servers at the firewall.
   c. Expand SQL Server 2005 Network Configuration.
   d. Select Protocols for MSSQLSERVER.
...perform some maintenance tasks on all configured Intel AMT devices. The majority of these maintenance tasks are security (password) related, and communication between the Intel AMT devices and the SCS server is sent in clear text unless TLS or MTLS is enabled. It is therefore recommended that the password-related tasks be configured in a TLS or MTLS environment only. In non-TLS environments, set the Intel AMT objects' password to Password Never Expires in Active Directory, so that the password is never rotated over an unprotected channel.

The Maintenance Policies page of the Intel AMT Setup Console (Configuration Service Settings > Maintenance Policies) shows the following policies:
- Change Intel AMT Administrator password: Every 4 Months.
- Renew Pseudo Random Generator Seed: every n months.
- Re-provision Intel AMT: re-provisioning includes, among many other configurations, renewal of all certificates and of the Active Directory object password used by Intel AMT, updating the mutual authentication settings and re-issuing...
- Synchronize Intel AMT Clock: Every 30 Minutes.
- Reissue Intel AMT Digital Certificates: place a checkmark here if you want a new certificate...
...from the Manage Your Server wizard, click Add or Remove a Role. If you closed the Manage Your Server wizard, it is available from the Start menu.
3. On the Configure Your Server Wizard, review the Preliminary Information and click Next.
4. On the Server Role screen, click Application Server (IIS, ASP.NET) to highlight it and click Next.
5. On the Application Server Options screen, click Enable ASP.NET and click Next to continue. (IIS, COM+, ASP.NET and the Microsoft .NET Framework are installed automatically for this role.)
   NOTE: DO NOT check the box to install FrontPage Server Extensions.

Alternatively, to install the components from Add/Remove Programs:
   a. Open the Control Panel.
   b. Open Add/Remove Programs.
   c. Select Add/Remove Windows Components to begin.
   d. Highlight Application Server and click Details to see the sub-components. If any one of the following components is not selected, select it and install it now:
      - Application Server Console
      - ASP.NET
      - Enable network COM+ access
      - Enable network DTC access
      - Internet Information Services (IIS)
   e. Highlight Internet Information Services (IIS) and click Details to see the sub-components. If any one of the following components is not selected, then s...
...information in the SQL code must be changed to match the installation requirements of your SQL Server implementation.
2. The associated table used for storing information is created.

Detailed configuration instructions for implementation of this database are not provided in this document, as the final implementation is highly configurable and depends on full enterprise deployment considerations. The scripts found in this document can be deployed to provide the needed Intel AMT provisioning steps and give the framework that the infrastructure implementation team may customize per enterprise deployment. The domain service account used by the SCS server must be granted read and write access to the Interim Provisioning database created by the SQL code in the attached file in this section, and no rights beyond that database.

Installing a Certificate Authority

A Certificate Authority is an entity in a network that issues and manages digital certificates and public keys for data encryption and decryption. As part of a public key infrastructure (PKI), a CA checks with a registration authority to verify information provided by the requestor of a digital certificate. If the registration authority verifies the requestor's information, the CA then issues a certificate.

Installing a Stand-alone Root CA
...numbers previously sent to each other is used to generate a secret session key to encrypt the subsequent message exchange.

In Kerberos, a fixed-length element that contains a user's SID and includes the user's rights and group memberships.

Universally Unique Identifier (UUID): A UUID is an identifier standard used in software construction. The intent of UUIDs is to enable distributed systems to uniquely identify information without central coordination. Thus anyone can create a UUID and use it to identify something. Information labelled with UUIDs can therefore be combined into a single database without need to resolve name conflicts. A UUID is essentially a 16-byte number; in its canonical form a UUID may look like this: 550E8400-E29B-11D4-A716-446655440000.

Virtual Local Area Network (VLAN): A VLAN is a logical subgroup within a local area network that is created via software rather than by manually moving cables in the wiring closet. It combines user stations and network devices into a single unit regardless of the physical LAN segment they are attached to, and thereby allows traffic to flow more efficiently within populations of mutual interest.

Troubleshooting Best Practices

There are several troubleshooting activities that can be performed to help determine what issues may exist with the infrastructure. This list is not exhaustive...
...comments inside the script to add system-specific information (domain name, SMS site code, password). After you have edited the script, run it from the first SMS server in your SMS hierarchy. Because the password is written into the script in clear text, delete the edited copy once the account has been created.

    ' this section creates the 3 AD groups used for the add-on permissions
    Const ADS_PROPERTY_APPEND = 3
    Set objRootDSE = GetObject("LDAP://rootDSE")
    Set objContainer = GetObject("LDAP://cn=Users," & _
        objRootDSE.Get("defaultNamingContext"))

    Set objGroup = objContainer.Create("Group", "cn=Intel(R) AMT Collections Managers")
    objGroup.Put "sAMAccountName", "Intel(R) AMT Collections Managers"
    objGroup.SetInfo
    WScript.Echo "Group Intel(R) AMT Collections Managers created"

    Set objGroup = objContainer.Create("Group", "cn=Intel(R) AMT Redirection Managers")
    objGroup.Put "sAMAccountName", "Intel(R) AMT Redirection Managers"
    objGroup.SetInfo
    WScript.Echo "Group Intel(R) AMT Redirection Managers created"

    Set objGroup = objContainer.Create("Group", "cn=Intel(R) AMT System Defense Managers")
    objGroup.Put "sAMAccountName", "Intel(R) AMT System Defense Managers"
    objGroup.SetInfo
    WScript.Echo "Group Intel(R) AMT System Defense Managers created"

    ' this section creates the dedicated user account used for the add-on service
    ' and adds it to the local Administrators group
    ' change domain name to your domain name
    ' change NNN in the rest of this script to your site code
    ' change yyy to the password for the SMSAMTUser_VPR account
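The VBScript above carries the service account password inside the script file. The following PowerShell script is an added example (not the guide's script) that creates the same three groups and the service account with the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) and prompts for the password instead of embedding it. It assumes it is run on the first SMS server by an account allowed to create objects in CN=Users; the site code 'NNN' is the same placeholder the VBScript comments use.

```powershell
# Added example, not from the Intel guide: PowerShell equivalent of the VBScript above.
Import-Module ActiveDirectory

$siteCode  = 'NNN'                                    # change to your SMS site code
$domain    = Get-ADDomain
$defaultNC = (Get-ADRootDSE).defaultNamingContext     # same lookup as GetObject("LDAP://rootDSE")
$usersPath = "CN=Users,$defaultNC"

# The three groups the add-on uses for its permissions. Global security groups, which is
# what the VBScript creates because it never sets groupType.
$groups = 'Intel(R) AMT Collections Managers',
          'Intel(R) AMT Redirection Managers',
          'Intel(R) AMT System Defense Managers'

foreach ($name in $groups) {
    try {
        $null = Get-ADGroup -Identity $name           # Identity accepts the sAMAccountName
        Write-Host "Group $name already exists"
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        New-ADGroup -Name $name -SamAccountName $name -GroupScope Global `
                    -GroupCategory Security -Path $usersPath
        Write-Host "Group $name created"
    }
}

# Dedicated service account for the add-on. The VBScript stores its password as 'yyy' in
# clear text; prompting keeps it out of the script file and out of the command history.
$userName = "SMSAMTUser_$siteCode"
$password = Read-Host -AsSecureString "Password for $userName"
New-ADUser -Name $userName -SamAccountName $userName `
           -UserPrincipalName "$userName@$($domain.DNSRoot)" `
           -Path $usersPath -AccountPassword $password -Enabled $true
Write-Host "User $userName created"

# Add the account to the local Administrators group on this SMS server, as the VBScript does.
& net localgroup Administrators "$($domain.NetBIOSName)\$userName" /add
```

Run the script once per hierarchy; re-running it leaves existing groups alone but New-ADUser will fail if the account already exists, which is the desired behaviour for a one-time setup step.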
...Windows Components Wizard, CA Certificate Request page: with "Send the request directly to a CA already on the network" selected, the Computer name and Parent CA fields are filled in for you.
   e. Click Next.
15. Click Yes on the dialog informing you that IIS must be stopped temporarily ("To complete the installation, Certificate Services must temporarily stop the Internet Information Services. Do you want to stop the service now?").
16. Click Finish and then close the Add or Remove Programs window.
17. Click OK when presented with the Microsoft Certificate Services message: "The root certificate is untrusted. Do you wish to trust the root certificate on this machine and complete the installation? A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487)". Clicking OK places the parent CA's certificate in this server's Trusted Root Certification Authorities store, so confirm first that the parent named in the wizard is the stand-alone root you installed.
18. Configure the CA to issue certificates as follows. Click Start > Administrative Tools > Certification Authority.
The Policy Module tab shows the Windows default policy module, which specifies how to handle certificate requests for Enterprise and Stand-alone CAs (Version 5.2.3790.3959, Copyright Microsoft Corporation).
2. In the right pane, right-click the CA server name, click Properties, and click the Policy Module tab.
3. Click Properties and, under Request Handling, select "Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate." The other option, "Set the certificate request status to pending. The administrator must explicitly issue the certificate", is the stand-alone CA default. With automatic issuance the CA signs every request that reaches it, including requests submitted through the certsrv web pages, so restrict access to the CA's web enrollment to the administrators performing the steps in this guide.
4. Click OK. A dialog box indicates that Certificate Services must be restarted for these changes to take effect; click OK.
5. Click OK.
6. In the right pane, right-click the CA server name and select All Tasks > Stop Service. The CA icon turns red to indicate that the service is stopped.
7. Right-click the CA server name again and select All Tasks > Start Service. The CA icon turns green, indicating th...
...the time elapsed is measured from the time of locking. The operation is terminated when this limit is reached.
- The timeout for a client system to respond to an Intel AMT request. In networks with high latency this needs to be a large value, while on LANs it can be small. The operation is terminated if the system fails to respond within this timeout. Smaller values significantly shorten the total time taken by large collection operations to complete.

The Performance tab of the Add-on Settings dialog shows these settings with their ranges and defaults:
- Max Concurrent Network Connections (1-60): 10
- Max Number of Concurrent Operations (1-200): 10
- Collection Operation Lock Timeout (1-30): 10 minutes
- Client Response Timeout (10-120): 30 seconds

BIOS Password Bypass on advertisement

The BIOS bypass can also be used for those systems where the BIOS is locked with a password.

NOTE: If the BIOS bypass option is checked but is not supported by the system, the wake-up on that system will not be executed.

Redirection

The Redirection tab allows several redirect...
...the Run field, type services.msc and click OK. In the Status column, check the status of AMTConfig. Select AMTConfig and click Start. When completed, the word Started appears in the Status column. Close the Services window and log off.

Install Intel AMT Management SCS Console

Verify that .NET Framework 2.0 is installed on the SCS Console machine. If not, refer to the Microsoft web site for download and installation instructions.
1. Log on to the SCS console using the SCS Service account.
2. Locate and double-click AMTConsole.exe. This file is obtained by downloading the software distribution from Intel (http://softwarecommunity.intel.com/articles/eng/1025.htm); AMTConsole.exe is found within the distribution file.
3. Click Next at the Welcome screen.
4. Accept the license agreement and click Next.
5. Click Next to accept the default C:\Program Files\Intel\AMTConsole directory, or select a location of your choice. The Ready to Install the Program page is displayed.
...manageability mode is set to Intel AMT.
10. Using the MEBx power control feature, verify that the Intel AMT 2.1 power policies for sleep states are set to your operational preference.
11. In the MEBx screen, select the PID and PPS option.
12. Enter the PPS and PID for the system.
13. Exit the MEBx screen. The BIOS will then continue to load.
    Caution: Do not power down the PC during this process. The BIOS must be allowed to finish loading in order to activate the settings and complete the setup process.
14. Once the BIOS is fully loaded it is safe to power down the PC. The system is now ready to be installed at the user's desk and perform its self-initiated automated configuration.

USB Key

In this procedure a USB storage device is used to automatically install the administrator password, PPS and PID for the Intel AMT 2.1 capabilities. The MEBx reads the new administrator password, PPS and PID from the USB device and applies them in place of the defaults. The procedure described here assumes that the BIOS and MEBx parameters are set to the typical default values described in the table above. Logging into the Intel AMT BIOS (MEBx) from the system POST before the Intel AMT system is provisioned disables the system's ability to be provisioned from a USB key, because USB key provisioning requires the MEBx password to still be the factory default.

Follow these steps to enter setup information automatically in each PC via a USB storage device:
1. Using the Int...
...Systems Management Server 2003: Planning and Deployment (http://www.microsoft.com/technet/sms/2003/library/, page "plan deploy.mspx")
- Scenarios and Procedures for SMS 2003: Planning and Deployment
- SMS 2003 Capacity Planner
- SMS Technical FAQ: Planning and Deployment
- Active Directory Schema Modification and Publication
- Deployment Readiness Wizard: Procedures for Resolving Test Failures
- SMS 2003 Configuration and Operation of Advanced Client Roaming
- Configuring Microsoft SQL Server 2000 Replication for a SMS 2003 Management Point

Operating Systems Management Server 2003 (http://www.microsoft.com/technet/sms/2003/library/operate.mspx)
- Using SMS 2003 SQL Views to Create Custom Reports
- SMS 2003 Operations Guide
- SMS Technical FAQ
- Scenarios and Procedures for SMS 2003: Software Distribution and Patch Management
- Deploying Windows XP SP2 with SMS 2003 or 2.0
- Using Microsoft SMS 2003 to Distribute Microsoft Office 2003
- Deploying Exchange 2003 Offline Address Book using SMS 2003 SP1
- Windows Installer Source Location Manager
- SMS 2003 Software Update Management to Mobile Computers
- Deploying Software Updates Using the SMS Software Distribution Feature
- Managing Duplicate GUIDs in SMS 2003
- Scenarios and Procedures for SMS 2003: Maintenance, Backup and Recovery
- Download Tool To Define and Detect Configuration Models

Securing Systems Management Server 2003 (http://www.microsoft.com/technet/sms/2003/library/secure.mspx)
- Scenarios and Procedures for SMS 2003: Security
- SMS Technical FAQ: Se...
...name (FQDN) with DNS. If the Microsoft DHCP server is employed, it should be configured to automatically register the hosts in DNS. Standard DHCP option 81 (the Client FQDN option) should be used to register the Intel AMT 2.1 hosts in DNS, because the FQDN is required as part of the PKI certificate generated for the device. The configuration server or add-on queries DNS and compares the result against the certificate received from the device; the TLS session with the Intel AMT 2.1 host is accepted only if the names match.

Microsoft Certificate Authority (CA)

It is recommended that at a minimum a stand-alone PKI certificate authority be in place to enable encrypted and secure communication with the Intel AMT 2.1 hosts. The picture in the Component Overview section above depicts a desired high-availability scenario by showing the off-line root as a transparent server. The Microsoft CA is required to interoperate properly with the Intel Setup & Configuration Server. The CA issues certificates to the Intel AMT 2.1 hosts, to the Setup & Configuration Server and, in the case of Mutual Transport Layer Security (MTLS), to the Intel AMT Add-on for SMS 2003. These certificates enable Transport Layer Security (TLS) and MTLS. A certificate can also be purchased from an outside vendor such as VeriSign. This enables easier provisioning (remote configuration) of the Intel AMT 3.x hosts, as the VeriSign root certif...
The Export File Format page offers DER encoded binary X.509 (.CER), Base-64 encoded X.509 (.CER), Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B) with an option to include all certificates in the certification path, and Personal Information Exchange - PKCS #12 (.PFX) with options to include all certificates in the path, enable strong protection, and delete the private key if the export is successful.
8. Click Next to accept the default format, DER encoded binary X.509 (.CER), and click Next.
9. In the File to Export window, type a name for the certificate (for example C:\Certificates\Root CA Exported) and click Next.
10. Click Finish.
11. A message indicates that the export was successful.
    NOTE: This is the root certificate that will be installed on the SCS and SMS servers later in this document.
12. Click OK. The Details tab returns to focus.
13. Click OK > OK.
14. Install the CA certificate in the certificate store as a trusted root certificate on the CA server:
15. Locate the certificate exported above.
16. Right-click the certificate, select Install Certificate, and click Next. The Certificate Import Wizard's Certificate Store page is displayed (certificate stores are system areas where c...
...and click Properties.
6. Click the Directory Security tab. (The Default Web Site Properties dialog has Web Site, Performance, ISAPI Filters, Home Directory, Documents, Directory Security, HTTP Headers, Custom Errors, BITS Server Extension and ASP.NET tabs; Directory Security contains the Authentication and access control, IP address and domain name restrictions, and Secure communications sections.)
7. Click Server Certificate.
11. On the Delayed or Immediate Request page of the IIS Certificate Wizard, select Prepare the request now, but send it later.
12. Click Next. The Your Site's Common Name page asks for the web site's common name, which is its fully qualified domain name.
...In the host sleep states drop-down window, select Intel AMT is always ON (S0-S5).
3. In the Idle Timeout window, type the number of minutes that you want the Intel AMT device to remain operable without any activity, and click Apply.
4. Click OK to complete profile creation.

Security Keys

Security key generation is covered in the Provisioning Intel AMT Systems section of this document.

Users
2. Click Add and then click Select User.
3. Enter the User or Group name and then click Check Names.
4. Click OK.
5. From the Role drop-down window, select a role (the screenshot in the guide assigns VPROPOV\SMSAMTUSER_VPR the Enterprise Administrator role):
   a. Enterprise Administrator: full access to the SCS Console.
   b. Administrator: same as Enterprise Administrator, but cannot create or edit Profiles or access the Users, General and Maintenance functions.
   c. Operator: access to Security Keys, Logs, Security Audit and New Intel AMT Systems.
   d. Log Viewer: view the standard Log and the Security Audit.
   Give each account the lowest role that covers the functions it actually performs.
6. Click OK.

Intel AMT Systems

Intel AMT Systems is covered in the Provisioning Intel AMT Systems section of this document.

Logs

Logs are covered in the Provisioning Intel AMT Systems sec...
...settings that are Required (Req) or Preferred (Pref), and finally a checklist column to note whether each is implemented (Impl). This is the minimum required for implementing the Intel AMT 2.1 management infrastructure; Intel AMT 2.1 provides the needed capability of USB provisioning.

Intel AMT 2.1 Managed Devices
- Active Directory Schema Extensions: recommended schema extension, to provide Kerberos authentication to the Intel AMT 2.1 host and to support the enterprise level of management processes.
- Domain Name Server: Microsoft DNS is recommended, but the minimum requirement is a DNS that allows dynamic updates and integrates with Microsoft AD.
- DHCP Server: if not AD authorized, requires Option 81 to enable FQDN registration of the Intel AMT 2.1 host in the DNS.
- SMS 2003 Hierarchy: requires SP1; SP3 recommended.
- MS Certificate Authority (CA): highly recommended, to provide OOB management traffic encryption over the wire (TLS/MTLS); recommend a separate server.
- CA on a separate server: highly recommended, to ensure business continuance of the PKI.
- SQL Server: recommend a separate server.
- SQL Server Cluster: recommended, to provide high availability for critical Intel AMT 2.1 management information.
- Intel AMT SCS: recommend a separate server.
- Intel AMT SCS Redundant Server: recommend a separate server for high-availability scenarios, and additional servers across diverse geographical locations as needed, all front-ended by appropriate load ba...
...System Defense effectively isolates many network systems, and in certain cases this isolation can become permanent.

This section provides the overview needed to get started using System Defense. Detailed information should be taken from the Intel documentation: Intel Active Management Technology Add-On for Microsoft SMS 2003 Installation and User's Guide, Version 3.0.

Note: Heuristics policies are only available on Intel AMT 3.x systems and later.

- If a system protected by an active System Defense policy (SDP) is deleted from SMS, no warning message is displayed to the user. The deleted system remains permanently protected by the SDP.
- If the Add-on is uninstalled while systems are protected by active SDPs, a warning message is displayed to the user. If this warning is ignored and the Add-on is uninstalled anyway, the systems remain permanently protected.
- If the operating system of a protected system is reinstalled, SMS may lose the connection between the previous entry to which it applied the SDP and the current entry that represents the newly installed operating system.
- If a system protected by an SDP is disconnected from the network, the SDP cannot be removed, and the system will remain isolated when it is connected to a different network. For example, this may occur when a machine is moved to a different department within the organization.

The Add-on does...
...feature. This behavior can be overridden on specific advertisements to behave differently from this global setting.

Wake up on Advertisement feature
- Wake up systems on mandatory advertisements: if this box is checked, any advertisement with mandatory settings associated with a collection wakes up the systems in that collection when the mandatory advertisement is set to occur. Non-mandatory advertisements have to be set manually in order to wake up.
- Reset all advertisement wake up manual settings to automatic: after the default behavior of this feature is changed, all current mandatory advertisements are reset to the new setting (recommended). It is only necessary to reset advertisements if they have been manually changed from the default settings. Advertisements which accept the default settings change to the new settings automatically even if the reset option is not selected. Any non-mandatory advertisement is reset to not wake up.

Performance settings
- The number of concurrent network connections allowed to be open at once per collection operation. Higher system performance requires more system resources.
- The number of concurrent operations permitted. When the maximum number of concurrent collection operations has been reached, any new collection operation is not accepted until one of the currently running operations has completed.
- The timeout for an operation retry on a locked system during a mass operatio...
...Intel Management Engine object in the Active Directory database (NTDS.DIT) is approximately 20 KB, or about 20 MB per 1,000 Intel AMT system objects. This schema extension was jointly designed by Microsoft and Intel.

When the SCS performs setup for an Intel AMT device, the SCS service:
- Creates an Intel AMT Object with the first three attributes listed below.
- Creates a link between the attribute Intel Management Engine Host Computer in the Intel AMT Object and the Intel AMT Host object.
- Creates a link between the attribute Intel Management Engine Host Computer BL, found on the Intel AMT Host, and the Intel AMT Object.
- Active Directory displays the Intel AMT Object as the representation of the Intel AMT device itself and shows it as having the type Intel Management Engine.

Attributes added by the schema extension:
- Intel Management Engine Version: received in the Hello message from the Intel AMT device.
- Intel Management Engine Host Computer: a link to the platform computer object created when the host joins the domain.
- Intel Management Engine Platform UUID: received in the Hello message.
- Intel Management Engine Host Computer BL: added to the computer object class as a back link to an Intel AMT object.
- Intel Management Engine Host Computer BL: added to the top object class.

The following is the sample script BuildSchema.vbs that adds the object class and attributes to Active Directory:
...manually in order to wake up.

Checking if an Advertisement is set to Wake up

To check if an advertisement is set to wake up a collection:
1. From the SMS Console, right-click the advertisement and select All Tasks > Intel AMT Tasks > Wake Up Options.
2. If Use Default Settings is selected, the advertisement's wake-up behavior is determined by the global settings in the Advertisement tab of the Add-on Settings dialog box.
3. If Override Default Settings is selected, the advertisement's wake-up behavior is determined by the settings in the Intel AMT Settings for Advertisement window.

SOL/IDE Redirection Operations

This feature enables remote Serial Over LAN (SOL) redirection and IDE Redirection (IDER) operations for Intel AMT supported systems.
- SOL Redirection allows remote selection of boot options.
- IDE Redirection allows rebooting from another image.

SOL Redirection is available for single systems only. The boot screen is displayed to the user, allowing remote selection of boot options. The BIOS can also be redirected, forcing entry to the BIOS during boot and allowing remote changes to the BIOS before the operating system loads (optional).

IDE Redirection is available for both single systems and collections.

Note: An IDER boot image repository must be set in the Intel AMT Add-on Settings dialog. Because any image placed in that repository can be booted on a managed system, restrict write access to the repository to the administrators who maintain it. See the SMS Add-on Configuration section of this docum...
...(the saved request, ending with -----END NEW CERTIFICATE REQUEST-----).

The Submit a Certificate Request or Renewal Request page of Microsoft Certificate Services web enrollment (for example http://vpro-vs1/certsrv/certrqxt.asp) reads: "To submit a saved request to the CA, paste a base-64-encoded CMC or PKCS #10 certificate request or PKCS #7 renewal request generated by an external source (such as a Web server) in the Saved Request box."

6. Locate the certificate request text file created previously (referred to in this document as the certificate hash text file).
8. Copy and paste the contents of the text file into the Saved Request window of the Submit a Certificate Request or Renewal Request page.
To configure secured communication between the Intel AMT devices and the SCS server using TLS or MTLS, a Microsoft Certificate Authority must be installed. The CA can be configured as an Enterprise CA or a Stand-alone CA. This document describes the installation and configuration of a Stand-alone CA; however, if a CA is already installed and configured in your network, proceed to the Exporting and Importing CA Certificate section below. Later sections refer to this CA as the Offline Standalone Root CA: once its certificate has been exported and a stand-alone subordinate CA has been set up to issue the client and server certificates, keep the root CA offline.

1. Using a Domain Admin account, log on to the server that will become the Standalone Root CA.
2. Verify that Internet Information Services (IIS) is installed and Active Server Pages is enabled on the CA server (the certsrv web enrollment pages used later depend on it).
3. From Control Panel, double-click Add/Remove Programs.
4. Click Add/Remove Windows Components.
5. In the Windows Components dialog box, select the Certificate Services checkbox (about 1.4 MB of disk space) and click Next.

Quick Reference Guide: Maximizing the Benefits of Intel Active Management Technology, A Solution Guide
Active Directory Domain Requirements

1. Log in to a Domain Controller in the domain where the SCS server will be installed.
5. Verify that the following OU, user and groups are created in AD:

    Where created                              Container    Object type                 Object name                                          Membership
    Domain where SCS server and CA are         Domain       OU                          IntelAMTOU                                           -
    installed
    Issuing CA server domain                   IntelAMTOU   User                        SCSserviceAccount                                    -
    SCS server domain                          IntelAMTOU   Security group, Universal   Enterprise IntelME Setup and Configuration Servers   SCSserviceAccount
    All domains except the forest root         IntelAMTOU   Security group, Domain      IntelAMT SCServers                                   Enterprise IntelME Setup and
                                                            Local                                                                            Configuration Servers

Note: The IntelAMT SCServers group is created in every domain except the root of the forest, while the Enterprise IntelME Setup and Configuration Servers group is created only in the SCS server domain. The SCSserviceAccount user is created only in the domain that contains the CA.

Create User and Group Security ACL

The Active Directory security ACL scripts are located in the AdminScripts\Active Directory\ACL directory (the scripts are also listed and described in section 0, Active Directory Domain Requirements). The script creates the ACL for the OU created for the Intel AMT systems.
1. In AD, create an OU for provisioned Intel AMT systems data, for example IntelAMTOU. T
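The objects in the table above can be created and checked from the command line rather than through Active Directory Users and Computers. The following PowerShell is an added example and is not one of the guide's AdminScripts; it uses the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later), and the domain name west.vproprod.local is an assumption taken from the guide's own screenshots. It creates one IntelAMTOU per domain, the service account and the universal group in the SCS/CA domain, the domain-local group in every non-root domain, and then verifies the nesting.

```powershell
# Added example, not part of the Intel guide: creates the AD objects listed in the table
# above with the ActiveDirectory module. Domain name, DNs and object names are assumptions.
Import-Module ActiveDirectory

$forest         = Get-ADForest
$scsDomain      = 'west.vproprod.local'      # domain hosting the SCS server and the CA (assumed)
$ouName         = 'IntelAMTOU'
$svcAccount     = 'SCSserviceAccount'
$universalGrp   = 'Enterprise IntelME Setup and Configuration Servers'
$domainLocalGrp = 'IntelAMT SCServers'

function Ensure-IntelAmtOU {
    # One IntelAMTOU directly under each domain root; protected so it is not deleted by accident.
    param([string]$Domain)
    $domainDn = (Get-ADDomain -Server $Domain).DistinguishedName
    $ou = Get-ADOrganizationalUnit -Server $Domain -Filter "Name -eq '$ouName'" `
            -SearchBase $domainDn -SearchScope OneLevel
    if (-not $ou) {
        $ou = New-ADOrganizationalUnit -Server $Domain -Name $ouName -Path $domainDn `
                -ProtectedFromAccidentalDeletion $true -PassThru
    }
    return $ou.DistinguishedName
}

# 1. OU, service account and universal group in the SCS/CA domain.
#    The guide sets the password to never expire, so make it long and random and deny the
#    account interactive logon by Group Policy (not shown here).
$scsOuDn = Ensure-IntelAmtOU -Domain $scsDomain
$pwd = Read-Host -AsSecureString "Password for $svcAccount"
$svc = New-ADUser -Server $scsDomain -Name $svcAccount -SamAccountName $svcAccount -Path $scsOuDn `
         -AccountPassword $pwd -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true -PassThru
$ug  = New-ADGroup -Server $scsDomain -Name $universalGrp -GroupScope Universal -GroupCategory Security `
         -Path $scsOuDn -PassThru
Add-ADGroupMember -Server $scsDomain -Identity $ug -Members $svc

# 2. Domain-local group in every domain except the forest root, containing the universal group.
foreach ($domain in ($forest.Domains | Where-Object { $_ -ne $forest.RootDomain })) {
    $ouDn = Ensure-IntelAmtOU -Domain $domain
    $dl = New-ADGroup -Server $domain -Name $domainLocalGrp -GroupScope DomainLocal -GroupCategory Security `
            -Path $ouDn -PassThru
    Add-ADGroupMember -Server $domain -Identity $dl -Members $ug

    # 3. Check: the universal group must be listed in the member attribute of the domain-local group.
    $members = (Get-ADGroup -Server $domain -Identity $dl -Properties member).member
    if ($members -notcontains $ug.DistinguishedName) {
        Write-Warning "$domain`: $domainLocalGrp does not contain $universalGrp"
    } else {
        "$domain`: $domainLocalGrp -> $universalGrp -> $svcAccount nesting is in place"
    }
}
```

Run the script with an account that can create objects in every domain of the forest; the membership check at the end is the one to repeat after any manual change, because the SCS service account reaches the IntelAMT SCServers group in each domain only through the universal group.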
...on: TLS Mutual Authentication Settings. View and configure the configuration profile's TLS mutual authentication settings: the Trusted Certificates list (number of certificates, description), the CRL Update Time, and the Service Mutual Authentication Certificate.
17. Click Add. The Trusted Root Certificates dialog opens; select a trusted root certificate from the table, or import one from a file or directly from a Certificate Authority.
18. If the Active Directory schema is extended:
    a. Click Get from CA.
    b. In the Select Certificate Authority dialog, select the Offline Standalone Root CA (or Root CA) and click OK. The CA certificate must have more than one year of validity remaining; the dialog lists each certificate with its Issued To name and expiration date (for example CN=VPRO-CAR, expiring 2012-06-08).
19. If the Active Directory schema is NOT extended:
    a. Click Import.
    b. Browse to the Root CA certificate (.crt) created from the Offline Root CA.
    c. Click Open.
20. Click OK.
21. Click the Add button
...on, eliminating the need for sysadmin privileges for this domain account. It is used to install the Setup & Configuration Service on the appropriate server. For the purposes of installing the SCS, this account can also be a local administrator account on the system on which the SCS is installed, but an appropriate account for the SQL server, as described above, is still required.

DNS

Microsoft Windows Server 2003 Domain Name System (DNS) provides efficient name resolution and interoperability with standards-based technologies. Deploying DNS in your client/server infrastructure enables resources on a TCP/IP network to locate other resources on the network by host-name-to-IP-address resolution and IP-address-to-host-name resolution. The Active Directory service requires DNS for locating network resources. For installing and configuring DNS, refer to Appendix A.

DHCP

Dynamic Host Configuration Protocol (DHCP) in the Microsoft Windows Server 2003 family of operating systems enables centralized, automatic management of IP addresses and other TCP/IP settings for network clients. You can reduce administrative overhead in your organization by designing and implementing a reliable and scalable DHCP solution. For installing and configuring DHCP, refer to Appendix A.

Configuring a DHCP server other than Microsoft's requires that option 81 (the DHCP Client FQDN option, RFC 4702) is supported and enabled, so that the DHCP server registers the DNS records of the Intel AMT DHCP clients on their behalf. The Intel AMT firmware sends its FQDN in option 81 and does not register in DNS itself, so without this the provisioning server cannot resolve the host name it expects.
...on Server should have Full Control rights to the IntelAMTOU to properly create and manage the objects it contains. If objects have been created in this OU before the SCS service account has the rights to modify them, it is likely that you will have SPN issues. This can be fixed by manually deleting the objects with another account that has appropriate access, and then allowing the SCS service account to manage the objects in the IntelAMTOU as described in section 4 of this document. The SPNs needed for AD integration to work are the HTTP SPNs for the Intel AMT ports, as shown in the servicePrincipalName attribute of an Intel AMT computer object (CN=W222FP4302 in the original screenshot):

    HTTP/W222FP4302.amer.corp.eds.com:16992
    HTTP/W222FP4302.amer.corp.eds.com:16993
    HTTP/W222FP4302.amer.corp.eds.com:16994
    HTTP/W222FP4302.amer.corp.eds.com:16995

DNS Testing

DNS testing is straightforward but worth mentioning. There are no tricks: what should be done for this infrastructure is the same as for any other infrastructure troubleshooting. The primary tool for troubleshooting DNS issues is nslookup, and the DNS configuration handed out by your DHCP scope should be verified with it. It is possible that the DHCP server is handing out an unexpected domain suffix and not registering the hardware FQDN as expected, in which case the FQDN in the SPNs above will not match what DNS returns. When the provisioning server or SMS Add-on is unable to locate the Intel
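The SPN and DNS checks above can be automated so that a newly provisioned system is verified in one pass. The following PowerShell is an added example, not part of the guide; the host name and suffix are taken from the screenshot, and the expectation of exactly four HTTP SPNs on ports 16992 to 16995 is an assumption based on it. The DHCP-suffix check at the end inspects the machine the script runs on, so run it on a client in the same DHCP scope as the Intel AMT systems.

```powershell
# Added example, not part of the Intel guide: verifies the SPNs and DNS records of one
# provisioned Intel AMT system. Host name, suffix and port list are assumptions.
Import-Module ActiveDirectory

$hostName = 'W222FP4302'
$suffix   = 'amer.corp.eds.com'
$fqdn     = "$hostName.$suffix"
$ports    = 16992, 16993, 16994, 16995
$gc       = "$((Get-ADForest).RootDomain):3268"   # global catalog, for forest-wide SPN search

# 1. SPNs the SCS should have written to the computer object
$expected = $ports | ForEach-Object { "HTTP/${fqdn}:$_" }
$obj = Get-ADComputer -Identity $hostName -Properties servicePrincipalName
$missing = $expected | Where-Object { $obj.servicePrincipalName -notcontains $_ }
if ($missing) { Write-Warning "Missing SPNs on $hostName`: $($missing -join ', ')" }

# 2. Each SPN must be unique in the forest; a duplicate (for example a stale object created
#    before the SCS account had rights on the OU) breaks Kerberos for both objects.
foreach ($spn in $expected) {
    $owners = @(Get-ADObject -Server $gc -SearchBase '' -Filter "servicePrincipalName -eq '$spn'")
    if ($owners.Count -gt 1) { Write-Warning "Duplicate SPN $spn on: $($owners.Name -join ', ')" }
}

# 3. DNS: the forward lookup must resolve, and the reverse lookup must give the same FQDN
#    (the PowerShell equivalent of the nslookup checks recommended above).
$a = @(Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' })
if (-not $a) { Write-Warning "$fqdn does not resolve; check the DHCP server's DNS registration" }
foreach ($rec in $a) {
    $ptr = (Resolve-DnsName -Name $rec.IPAddress -Type PTR -ErrorAction SilentlyContinue).NameHost
    if ($ptr -ne $fqdn) { Write-Warning "PTR for $($rec.IPAddress) is '$ptr', expected '$fqdn'" }
}

# 4. The suffix handed out by DHCP on this scope must match the suffix used in the SPNs
$dhcpSuffix = (Get-DnsClient | Where-Object { $_.ConnectionSpecificSuffix } |
               Select-Object -First 1).ConnectionSpecificSuffix
if ($dhcpSuffix -and $dhcpSuffix -ne $suffix) {
    Write-Warning "DHCP scope hands out suffix '$dhcpSuffix' but the SPNs use '$suffix'"
}
"Checks complete for $fqdn"
```

If step 1 reports missing SPNs while step 2 reports the same SPNs on another object, that other object is the stale one described above: delete it with an account that has rights on the OU and let the SCS re-create the entry.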
...on user who has been authenticated by Active Directory, or a user group.

SOAP (Simple Object Access Protocol): A message-based protocol based on XML for accessing services on the Web. SOAP employs XML syntax to send text commands across the Internet using HTTP.

SOL/IDER (Serial over LAN / IDE Redirection): The proprietary protocols defined for Intel AMT for redirecting keyboard/text or floppy disk/CD transfers from a local host to a remote workstation.

SPNEGO (Simple and Protected GSS-API Negotiation Mechanism): A standard GSS-API pseudo-mechanism for peers to determine which GSS-API mechanisms are shared, select one, and then establish a security context with it.

SPN (Service Principal Name): The name by which a client uniquely identifies an instance of a service.

TGS (Ticket Granting Server): A Kerberos element in a KDC that creates the tickets used by clients to access servers.

TLS (Transport Layer Security): A protocol intended to secure and authenticate communications across a public network by using data encryption. TLS uses digital certificates to authenticate the user as well as to authenticate the network (in a wireless network the user could otherwise be logging on to a rogue access point). In the RSA key exchange described here, the TLS client uses the public key from the server's certificate to encrypt a random number and sends it back to the server. The random number, combined with additional random nu
...openssl tool, which converts a .pfx file into a .pem file that can be edited with a text editor. The tool must be downloaded (http://www.stunnel.org/download/openssl.zip) before completing this section of the document. In our example the Client Certificate .pem file will consist of three certificates, Personal, Intermediate and Root, matching the certification path shown in the certificate dialog (VPRO-CAR > VPRO-VS1 > vpro-vs4.west.vproprod.local).

1. While logged on to the SMS Server as SMSAMTUser_NNN:
2. Click Start > Programs > Internet Explorer.
3. Click Tools > Internet Options.
4. Click the Content tab and then click Certificates.
5. Click the Personal tab.
6. Select the Personal certificate for the SMSAMTUser_NNN user. Its intended purposes must show Client Authentication and 2.16.840.1.113741.1.2.1, and its status must read "This certificate is OK".
7. Click Export and click Next.
8. Select Yes, export the private key, and click Next.

The exported .pfx and the .pem derived from it both contain the private key of the SMS Add-on's client certificate: restrict their file permissions to SMSAMTUser_NNN and the installing administrator, and delete the working copies once the certificate is installed.
...stored in the personal certificate store of SMSAMTUser_NNN on the SMS server(s). The following procedure shows how to acquire a certificate from a stand-alone subordinate CA server.
1. Verify the "log on locally" setting for SMSAMTUser_NNN and add the account as a local administrator on the server.
2. Log on to the SMS Server(s) as SMSAMTUser_NNN.
3. Click Start > Programs > Internet Explorer.
4. Enter the URL of the Subordinate CA: http://ca_machine/certsrv
5. Log on to the certificate server with the SMSAMTUser_NNN credentials.
6. Click Request a certificate.
7. Click Advanced certificate request.
8. Click Create and submit a request to this CA.
   NOTE: If you have configured an Enterprise CA, a template must be created with the identical OID described below. Requesting the certificate and developing the template is detailed in Appendix B, which describes the Enterprise CA activities.
9. In the Name field, type the FQDN of the SMS server.
10. In the Type of Certificate Needed field, select Other.
   NOTE: If you have configured an Enterprise CA, see Appendix B for the procedures to create and add a template using the 2.16.840.1.113741.1.2.1 OID. In that case you select a template at this step and skip step 11.
11. In the OID field, complete the certificate OID to read: 1.3.6.1.5.5.7.3.2,2.16.840.1.113741.1.2.1 (TLS client authentication plus the Intel AMT remote administration EKU; the Intel AMT firmware rejects a client certificate without the second OID).
12. Select 1024, 1536 or 2048 as the key size, depending on your company's encryption policy. 1024-bit RSA keys are no longer considered adequate; use 2048.
13. Select the Mark keys as exportable
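The same request, check, export and conversion (this section and the openssl section above) can be done without the web enrollment pages and Internet Explorer, which also makes the EKU check explicit. The following PowerShell is an added example and is not the guide's own procedure: the CA configuration string, the subject, the working directory and the openssl path are assumptions, and it is meant to run as SMSAMTUser_NNN on the SMS server after the CA certificates have been imported into the trusted stores.

```powershell
# Added example, not part of the Intel guide: requests the SMS Add-on client certificate
# with certreq, verifies both EKUs, exports it to .pfx and converts it to .pem with openssl.
# CA config string, subject, paths and openssl location are assumptions.
$subject  = 'CN=vpro-vs4.west.vproprod.local'        # FQDN of the SMS server (step 9)
$caConfig = 'vpro-vs1.vproprod.local\VPRO-CAR'       # "host\CA common name" of the issuing CA (assumed)
$work     = 'C:\Certificates'
New-Item -ItemType Directory -Force -Path $work | Out-Null

# Step 11 OIDs, step 12 key size (2048; 1024 is obsolete), step 13 exportable keys.
@"
[NewRequest]
Subject = "$subject"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2
OID = 2.16.840.1.113741.1.2.1
"@ | Set-Content -Path "$work\client.inf" -Encoding ASCII

certreq -new "$work\client.inf" "$work\client.req"
# A stand-alone CA holds requests as Pending until a CA administrator issues them
# (certutil -resubmit <RequestId> on the CA); certreq prints the RequestId in that case.
$out = certreq -submit -config $caConfig "$work\client.req" "$work\client.cer"
if ($out -match 'pending') {
    "Request pending on $caConfig. After it is issued, run:"
    "  certreq -retrieve -config $caConfig <RequestId> $work\client.cer ; certreq -accept $work\client.cer"
    return
}
certreq -accept "$work\client.cer"

# Check: the certificate in this user's Personal store must carry both EKUs.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq $subject } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
$ekus = $cert.EnhancedKeyUsageList.ObjectId
foreach ($oid in '1.3.6.1.5.5.7.3.2', '2.16.840.1.113741.1.2.1') {
    if ($ekus -notcontains $oid) { throw "Certificate $($cert.Thumbprint) lacks EKU $oid" }
}

# Steps 7-8 of the export procedure: PKCS #12 with the private key and the full chain
# (BuildChain requires the root and subordinate CA certificates to be trusted on this machine).
$pfxPwd = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath "$work\client.pfx" -Password $pfxPwd -ChainOption BuildChain | Out-Null

# openssl conversion; -nodes writes the private key unencrypted, so the .pem is a credential:
# restrict its ACL and delete it once the certificate is installed where it is needed.
& 'C:\openssl\openssl.exe' pkcs12 -in "$work\client.pfx" -out "$work\client.pem" -nodes
$certCount = @(Select-String -Path "$work\client.pem" -Pattern '-----BEGIN CERTIFICATE-----').Count
"client.pem contains $certCount certificates (expected 3: personal, intermediate, root)"
```

If the count printed at the end is less than three, the chain was not built into the .pfx; import the root and subordinate CA certificates into the Trusted Root and Intermediate stores first and export again.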
Import a certificate from a .pfx file

In the IIS Certificate Wizard, select Import a certificate from a .pfx file and click Next.
8. Click Browse, select the .pfx file created previously (for example C:\Certificates\IIS_Protection.pfx) and click Next.
9. Enter the password set up previously and click Next.
10. Accept the default SSL port 443 and click Next.
11. a. Click Next.
    b. Click Finish and then click OK.
    c. Restart the Default Web Site.
    d. Click OK to close the Default Web Site Properties window.
    e. Close IIS Manager.

Create Certificate Request (CSR)

1. Log in as a user with administrative rights to the SCS server.
2. Click Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager.
3. Expand <Computer Name> (local computer).
4. Click Web Sites.
5. Right-click the Default Web Site a
8. Click Next.
9. On the Server Certificate page, which lists the methods for assigning a certificate to a Web site (assign an existing certificate, import from a Key Manager backup file, request and install from an Enterprise CA, import from a .pfx file, copy or move from a remote server), select Create a new certificate.
10. Click Next.
...hosts, and delivering certificates from the certificate authority and/or passwords, as well as full provisioning of the host's Intel AMT 2.1 capabilities. The SCS also accepts commands from the Intel Add-on on the Microsoft SMS server. The SCS provides the appropriate policy information, in the form of ACLs, passwords (if not integrated with Active Directory) and the metadata describing the target Intel AMT 2.1 host, to the Add-on, enabling the host to be managed.

These servers may be considered for virtual hosting environments. It is a requirement that the virtual hosting environment be fully supported within the environment through standard operating procedures. It is expected that if these servers are virtually hosted they will receive operational support equivalent to that of a physical environment. Full documentation describing the setup and details of what the SCS provides can be found in the document "Intel Active Management Technology Setup and Configuration Service Installation and User Manual".

SCS Console

The console is depicted separately here to indicate that it does not have to run on the SCS; however, the console may also be run on the same server as the SCS service. The SCS can be managed remotely with a console installed on another client, communicating back to the SCS, just like the SMS Add-on, via a SOAP interface.
Accounts and groups used by the SMS Add-on and the SCS:

- Intel(R) AMT Collections Managers, Intel(R) AMT Redirection Managers and Intel(R) AMT System Defense Managers: domain global groups that control who may perform the corresponding add-on operations. NOTE: these group names must include the registered trademark symbol, (R), exactly as shown.
- SMSAMTUser_NNN: domain account (NNN is the SMS site code); password does not expire; member of the local Administrators group and of the SMS Admins group on the SMS server; granted Log on as a Service.
- Account used to install the Intel Setup & Configuration Service: a domain account or a local Administrators account on the SCS server; during installation it needs the sysadmin role on the SQL server (or the SA account can be used, although a dedicated sysadmin login that is removed after installation is preferable).
- SCSServiceAccount: domain account; password does not expire; granted Log on as a Service.

Description of Objects

IntelAMTOU (the name is configurable; this OU may have any name): an OU created per domain to hold the Intel AMT computer accounts and the associated groups and accounts listed above. It is understood that certain policies may require that groups, user accounts and computer objects reside in different OUs; this OU is used to help manage these objects, and they may exist in any OU as dictated by the Active Directory implementation and policy. It is recommended to keep the Intel AMT computer objects and the associated management groups and accounts in a separate OU. At a minimum, this OU should exist to contain the Intel AMT computer accounts.

Enterprise Intel
...Timeout (2-255; default 10 minutes), Max Number of IDER Connections (1-25; default 5), IDER Image Repository (for example \\vpro-vs4\IDER). Use Reload Settings, Save and Close, Close or Apply as required.

System Defense

The System Defense tab is configured in the SMS Add-on System Defense Tab section of this document.

SCS Console Configuration

Console Login

Log in to the SCS Console using the user ID that installed the SCS server and console.
1. Click Start > Intel AMT Configuration > Intel AMT SCS Console. The Login dialog asks for the Intel AMT web service URL.
2. Enter the SOAP web service URL path, including the virtual directory. The entry format is https://FQDN/<Virtual Directory>, for example https://vpro-vs2.vpropov.local/AMTSCS. In this example vpro-vs2.vpropov.local is the FQDN of the SCS server and AMTSCS is the virtual directory of the SOAP web service in IIS. If the web service is hosted on a port other than the default for the scheme (443 for https, which is the SSL port accepted in the IIS certificate wizard), include the port number in the URL, for example https://vpro-vs2.vpropov.local:123/AMTSCS. Use https rather than http so that the console's credentials are not sent in clear text.
3. Click Login. The Intel AMT SCS Console opens, with the Configuration Service Settings branch (General, Maintenance Policies, Profiles, ...) in the left pane.
- IDE Redirection capability when the internal drive is not working
- System un-provisioning
- Collection wake-up on advertisement
- System Defense on advertisement
- Add-on configuration

The add-on supports the SMS model of support for both single systems and system collections. Therefore most operations can be done for a collection of systems as well as for a single system.

The add-on can be installed at any Primary Site in an SMS hierarchy, including the Central Site. It cannot be installed at a Secondary Site; however, if it is installed at the parent of the Secondary Site, all the add-on functionality is available for all of the systems managed by the Secondary Site. It is recommended that the Intel AMT Add-on be installed on all Primary Site servers and the Central Site server throughout the organization. This requires other considerations pertaining to domain accounts, site-specific settings and collection dependencies, which are described in detail later in the section 0, Intel AMT Add-on for SMS version 3.x.

Since it is recommended to set up TLS for enterprise Intel AMT 2.1 implementations, the certificate files enabling TLS need to be installed locally on every SMS site in the hierarchy that hosts the Intel AMT Add-on. This effectively means every Primary and Central Site server, given the recommendation above. If this is not done, those sites without
...parameters: Profiles, Wireless Profiles, 802.1x Profiles, Security Keys, Users, Intel AMT Systems, Global Operations, and Logs (Log, Actions Status, Security Audit).

Configuration Parameters

General Parameters

The General settings define the configuration of the Intel AMT main service, Intel AMT 1.0 provisioning, and the integration with Active Directory. Changes to the parameters in this pane do not take effect until the SCS service is stopped and restarted.

Configure the General settings as follows:
1. Open the Intel AMT Setup and Configuration Console.
2. Expand the Configuration Service Settings branch.
3. Select General. The General Settings screen is displayed, with these parameters:
   - TCP Listen Port (default 9971)
   - Queue Polling Period (default 1,000 milliseconds)
   - Max Queue Size (default 1,000 requests)
   - Intel AMT 1.0 provisioning (checkbox)
   - Integrate with Active Directory (checkbox)
   - AMT requires authorization b
...the Certificate Templates snap-in (Microsoft Corporation; it allows you to create and manage certificate templates).
- Select Certificate Templates and click Add.
- Click Close and then click OK.
- From the MMC console (Console Root, alongside Active Directory Domains and Trusts, Active Directory Schema, Active Directory Sites and Services, Active Directory Users and Computers, ADSI Edit and DNS), click Certificate Templates.
- In the right-hand pane, from the list of built-in templates (Administrator, Authenticated Session, Basic EFS, ..., User, Web Server), select User.
The CA Type screen offers Enterprise root CA, Enterprise subordinate CA, Stand-alone root CA and Stand-alone subordinate CA, with the option "Use custom settings to generate the key pair and CA certificate".
10. Select the Stand-alone root CA option on the CA Type screen (described there as the most trusted CA in a CA hierarchy) and click Next.
11. Complete the CA Identifying Information as follows:
    - In the Common name for this CA field, type the NetBIOS name of the CA (for example VPRO-CAR).
    - The Distinguished name suffix field is auto-filled with the domain suffix of the host (for example DC=vproprod,DC=local), giving a preview of the distinguished name CN=VPRO-CAR,DC=vproprod,DC=local.
    - The default Validity Period of the CA's self-signed certificate is 5 years. Accept this value or modify it according to your company policy; the SCS requires the root certificate to have more than one year of validity remaining when it is added to a profile, so do not shorten it below that.
    Click Next.
12. On the Certificate Database Settings screen, enter the locations for the certificate database, database log and configuration information (default C:\WINDOWS\system32\CertLog).
    ' Constants for OpenAsTextStream (not defined by VBScript itself); LOG_FILE_NAME is
    ' defined earlier in the script.
    Const ForAppending = 8
    Const TristateUseDefault = -2

    Set logfilesystem = CreateObject("Scripting.FileSystemObject")
    If logfilesystem.FileExists(LOG_FILE_NAME) = False Then
        logfilesystem.CreateTextFile LOG_FILE_NAME
    End If
    Set logfile = logfilesystem.GetFile(LOG_FILE_NAME)
    Set logts = logfile.OpenAsTextStream(ForAppending, TristateUseDefault)
    logts.Write VbCrLf & Now & VbCrLf

    ' There must be a way for the script to return an error: the exit code is it.
    WScript.Timeout = 30
    WScript.Echo "Starting Script"

    ' The SCS passes the target to the script through environment variables.
    ' ExpandEnvironmentStrings returns the unexpanded name when a variable is not set,
    ' which is how the mandatory parameters are detected below.
    Set oShell = WScript.CreateObject("WScript.Shell")
    inputIP   = oShell.ExpandEnvironmentStrings("%SCS_AMT_ADDRESS%")
    inputUUID = oShell.ExpandEnvironmentStrings("%SCS_AMT_UUID%")
    If inputUUID = "%SCS_AMT_UUID%" Then
        logts.Write "target UUID is a mandatory parameter" & VbCrLf
        logts.Close
        WScript.Quit 1
    End If
    inputFilename = oShell.ExpandEnvironmentStrings("%SCS_OUT_FILE_NAME%")
    If inputFilename = "%SCS_OUT_FILE_NAME%" Then
        logts.Write "output filename is a mandatory parameter" & VbCrLf
        logts.Close
        WScript.Quit 3
    End If

    logts.Write "inputIP " & inputIP & VbCrLf
    logts.Write "inputUUID " & inputUUID & VbCrLf
    logts.Write "inputFilename " & inputFilename & VbCrLf

    Set objConnection = CreateObject("ADODB.Connection")
    Set objRecordSet = CreateObject("ADODB.Recordset")
    ' Open connection to the DB
    objConnection.Open "Provider=SQLOL
...each server's Trusted Root Certification Authorities certificate store. Therefore the CA certificates must be manually stored locally on the SCS Console, on the SMS servers running the SMS Add-on application, and on the SCS servers. Before storage, the certificate must be saved as a file and then installed as a trusted root certificate. This involves exporting the certificate on the CA server and importing it on each target. The table below summarizes the certificates required for the SCS 2.x configuration:

    Cert type                  Installed on   Location                  Run as             Install method
    CA certificate             CA server      Trusted Root store        Admin              Certificate Import Wizard
    CA certificates            SCS server     Trusted Root (Computer)   Local Admin        Certificate Import Wizard
    CA certificates            SMS server     Trusted Root (Computer)   Local Admin        Certificate Import Wizard
    IIS server auth cert       SCS server     Computer store            Local Admin        Internet Explorer / View Certificate
    Client certificate         SCS server     Personal store            SCSServiceAccount  Internet Explorer
    Client certificate         SMS server     Personal store            SMSAMTUser_NNN     Internet Explorer

Because the client certificates live in the Personal store of the account that uses them, import them while logged on as that account; a certificate imported into another user's store is invisible to the service.

2. Export the CA certificate using the following procedure:
3. Click Start > Administrative Tools > Certification Authority.
4. From the right pane, right-click the CA server name (for example VPRO-VS1) and select Properties. On the General tab of the CA Properties dialog (tabs: General, Policy Module, Exit Module, Extensions, Storage, Auditing, Security) the CA certificate is listed as Certificate #0, together with the cryptographic provider (Microsoft Strong Cryptographic Provider) and hash algorithm.
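The export and the "Trusted Root (Computer)" rows of the table can be done from the command line instead of the Certification Authority MMC and the Certificate Import Wizard. The following PowerShell is an added example and is not the guide's procedure: the CA configuration string and the file path are assumptions. The first part runs on the CA server; the second part runs, elevated, on each SCS and SMS server after the .cer file has been copied there.

```powershell
# Added example, not part of the Intel guide: exports the CA certificate with certutil,
# checks it, and imports it into the computer's Trusted Root store on an SCS or SMS server.
# CA config string and file path are assumptions.
$caConfig  = 'vpro-vs1.vproprod.local\VPRO-CAR'   # "host\CA common name" (assumed)
$caCerFile = 'C:\Certificates\VPRO-CAR.cer'

# 1. On the CA server: export certificate #0 of the CA (the same one shown on the General tab).
New-Item -ItemType Directory -Force -Path (Split-Path $caCerFile) | Out-Null
certutil -config $caConfig -ca.cert $caCerFile | Out-Null

# 2. Sanity checks before trusting it anywhere: it must be self-signed (a root), and the SCS
#    requires more than one year of validity when the root is added to a profile.
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCerFile
if ($caCert.Subject -ne $caCert.Issuer) { throw "$caCerFile is not a self-signed root certificate" }
if ($caCert.NotAfter -lt (Get-Date).AddYears(1)) {
    throw "CA certificate expires $($caCert.NotAfter); more than one year of validity is required"
}
"Root CA: $($caCert.Subject)  thumbprint $($caCert.Thumbprint)  expires $($caCert.NotAfter)"

# 3. On each SCS / SMS server (after copying the .cer there): import into LocalMachine\Root.
#    The computer store is used so that every account on the server, including the
#    SCSServiceAccount and SMSAMTUser_NNN service accounts, trusts the CA.
Import-Certificate -FilePath $caCerFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 4. Check: the root must now be found by thumbprint in the computer's Trusted Root store.
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $caCert.Thumbprint }
if (-not $installed) { throw "CA certificate $($caCert.Thumbprint) is not in LocalMachine\Root" }
"CA certificate trusted on $env:COMPUTERNAME"
```

Compare the thumbprint printed in step 2 on the CA with the one the SCS Console shows when the root is selected with Get from CA; a mismatch means a different certificate (for example a renewed CA certificate with a higher index) was exported.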
...for Intel AMT-supported systems using an IP address scan, follow the steps below:
1. Right-click the Collections container.
2. Select All Tasks > Intel AMT Tasks > Discover Intel AMT via IP Scan.
3. In the Scan IP Addresses for Intel AMT Systems dialog, enter the Start and End addresses of the range to scan (the collection name, for example All Systems, is shown above the range).
4. Click the Start IP Scan button.
5. The results are written to the SMS log and can be viewed in the SMS Console under Status Message Queries.

Discovery by IP scanning can be performed on a collection of systems.

SMS Discovery Process

Single System Discovery

To check a single system for Intel AMT support:
1. Right-click the Intel AMT system.
2. Select All Tasks > Intel AMT Tasks > Check for Intel AMT Support.

Collection Discovery

To discover Intel AMT support for all systems in a specific collection:
1. Right-click the collection.
2. Select All Tasks > Intel AMT Tasks > Discover Systems.
3. Select the Include subcollections checkbox if this action is also required for sub-collections.
4. Click OK. The add-on prepares to scan the collection for Intel AMT-supported systems; the operation is executed in the background and its progress will
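The add-on's IP scan is not described in more detail here, but the same question, which addresses in a range have the Intel AMT management interface listening, can be answered from the SMS server with a plain TCP probe. The following PowerShell is an added example and is not the add-on's own discovery code. It assumes that Intel AMT listens on ports 16992 (HTTP) and 16993 (HTTPS), the same ports that appear in the SPNs earlier in this guide, that the address range 192.168.0.101 to 192.168.0.111 is one you are allowed to scan, and that it runs under Windows PowerShell 5.1 (the 401 response object is accessed the way that version exposes it).

```powershell
# Added example, not part of the Intel guide: probes an IP range for the Intel AMT listener.
# Ports, address range and timeout are assumptions; scan only ranges you own.
function Test-AmtPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 300)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-AmtRealm {
    # An Intel AMT web service answers an unauthenticated GET with 401 and a Digest realm;
    # that header tells an AMT listener apart from some other service on the same port.
    param([string]$Address, [int]$Port)
    try { Invoke-WebRequest -Uri "http://${Address}:$Port/" -UseBasicParsing -TimeoutSec 3 | Out-Null }
    catch {
        $resp = $_.Exception.Response
        if ($resp) { return $resp.Headers['WWW-Authenticate'] }
    }
    return $null
}

function Invoke-AmtIpScan {
    param([string]$Start, [string]$End)
    # Walk the range as 32-bit integers (network byte order reversed for BitConverter).
    $s = [System.Net.IPAddress]::Parse($Start).GetAddressBytes(); [Array]::Reverse($s)
    $e = [System.Net.IPAddress]::Parse($End).GetAddressBytes();   [Array]::Reverse($e)
    $first = [BitConverter]::ToUInt32($s, 0); $last = [BitConverter]::ToUInt32($e, 0)
    for ($n = $first; $n -le $last; $n++) {
        $b = [BitConverter]::GetBytes([uint32]$n); [Array]::Reverse($b)
        $ip = (New-Object System.Net.IPAddress (,$b)).ToString()
        $open = @(16992, 16993 | Where-Object { Test-AmtPort -Address $ip -Port $_ })
        if ($open) {
            [pscustomobject]@{
                IPAddress = $ip
                OpenPorts = ($open -join ',')
                Realm     = (Get-AmtRealm -Address $ip -Port 16992)
            }
        }
    }
}

Invoke-AmtIpScan -Start '192.168.0.101' -End '192.168.0.111' | Format-Table -AutoSize
```

A host that shows port 16993 open but 16992 closed has TLS enforced, which is what the profiles in this guide produce; a host with 16992 open and a Digest realm is reachable without TLS and should be on the list for provisioning or re-provisioning.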
Intel(R) AMT Add-on for SMS InstallShield Wizard

Accept the terms in the license agreement and click Next. On the Setup Type screen, choose the setup type that best suits your needs:
- Full Installation: the add-on service and console for the SMS Primary Site Server.
- Console Add-on: installs only the Intel(R) AMT Add-on for SMS console plug-in, to be used on remote SMS consoles.

Select the Destination Folder. By default it is %SystemDrive%\Program Files\Intel\Intel(R) AMT Add-on for SMS; click Change to install to a different folder. Click Next.

7. Select the Full Installation for the SMS Primary Site Server and click Next. If the Full Installation is selected, go to step 8. If just the Console Add-on was selected, skip to step 9 to begin the installation.
8. On the Service Logon Information screen, enter the password for the Intel AMT service account and click Next. The Intel AMT service will run un
...ration Operations, SCS Console, Add-on Settings.

About Tab

The About tab contains information about the versions of the product, the add-on service and the add-on console components (for example Product version 3.0.13.1, Service version 3.0.13.1, Extension version 3.0.13.1). It also provides a hyperlink to Intel AMT add-on support (http://www.intel.com/software/support). The Add-on Settings dialog has the tabs About, Setup and Configuration, Security, Performance, Advertisement, Redirection and System Defense, and the buttons Save and Close, Close and Apply.

Setup and Configuration Tab

The Setup and Configuration tab is configured in the SMS Add-on Setup and Configuration Tab section of this document.

Security Tab

The Security tab is configured in the SMS Add-on Security Tab section of this document.

Performance Tab

The Performance tab allows the performance behavior of the add-on to be configured.

Advertisement Tab

The Advertisement tab contains the settings that define the global behavior of Wake-up on Advertisement
...ration profile configured in the previous sections. This information is captured either programmatically or manually and may be entered as such in the following two sections. The manual configuration is provided here to give a full understanding of how to perform this step, specifically for testing and troubleshooting purposes. It is not expected that an enterprise deployment would use the manual method for full-scale deployment efforts. The previous sections describing the installation of the SQL server and the configuration of the SCS on the General configuration page prepare the management infrastructure for the scripting method described in the section below.

From Interim DB Provisioning Script

The script provided here works with the configuration of the infrastructure in the previous sections to accept the information it captures from the client operating system running on the Intel AMT systems. These scripts are highly configurable and may be changed to match the enterprise deployment requirements. They are provided as fully functioning scripts that require minor modification to implement quickly. The following script contains documentation describing the two values that must be modified per deployment. Those two values are:
1. OU: the value here is the name of the AD domain to which Intel AMT system accounts are added. This is configurable per enterprise deployment and may be changed per requirements. This name should be t
...recommended that you install more than one SCS server in your environment.

NOTE: All SCS servers in an Active Directory forest share a single SQL database.

Prerequisites

Configure the SCS Service Account as a Service ID
1. Log in to the SCS Server as an Administrator.
2. Click Start > Programs > Administrative Tools > Local Security Policy.
3. Expand Local Policies.
4. Click User Rights Assignment.
5. In the right pane, double-click Log on as a service. The Log on as a service Properties dialog lists the accounts that already hold the right (on a server with SQL Server 2005 installed these include the SQL Server service accounts, NETWORK SERVICE and ASPNET).
6. Click Add User or Group.
7. Verify that the Locations box displays the domain name.
8. Enter the SCS Service Account user name and click Check Names; the SCS service user will be recognized.
9. Click OK, then OK.

SQL Server Configuration

Since the SCS servers share the same database, make sure that the SQL server is available to a
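The Log on as a service right can be verified and granted with secedit, which is what the Local Security Policy steps above change; this is useful on a second or third SCS server, where the guide recommends repeating the configuration. The following PowerShell is an added example, not the guide's procedure; the account name VPROPOV\SCSserviceAccount is an assumption and the script must run elevated.

```powershell
# Added example, not part of the Intel guide: checks whether the SCS service account holds
# SeServiceLogonRight (Log on as a service) and grants it if not. Account name is assumed.
$account = 'VPROPOV\SCSserviceAccount'
$export  = Join-Path $env:TEMP 'secpol.inf'
$grant   = Join-Path $env:TEMP 'grant.inf'
$db      = Join-Path $env:TEMP 'grant.sdb'

# Local policy lists account SIDs prefixed with '*'; resolve the account to its SID first.
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export the current user-rights assignments and read the SeServiceLogonRight line.
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$line = Get-Content $export | Where-Object { $_ -like 'SeServiceLogonRight*' }
$current = if ($line) { (($line -split '=', 2)[1]).Trim() -split ',' } else { @() }

if ($current -contains "*$sid" -or $current -contains $account) {
    "$account already has Log on as a service"
} else {
    # Rewrite the right with the existing holders plus the service account; secedit replaces
    # the whole list, so the existing entries must be carried over.
    $new = (@($current | Where-Object { $_ }) + "*$sid") -join ','
    @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
      '[Privilege Rights]', "SeServiceLogonRight = $new") | Set-Content -Path $grant -Encoding Unicode
    secedit /configure /db $db /cfg $grant /areas USER_RIGHTS | Out-Null
    "Granted Log on as a service to $account"
}

# Check: re-export and confirm the SID is now present.
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$after = (Get-Content $export | Where-Object { $_ -like 'SeServiceLogonRight*' })
if ($after -notmatch [regex]::Escape("*$sid")) { throw "$account still lacks SeServiceLogonRight" }
Remove-Item $export, $grant, $db -ErrorAction SilentlyContinue
```

If the server is joined to a domain where a GPO also sets User Rights Assignment, the GPO wins over local policy at the next refresh; in that case add the account in the GPO rather than locally.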
...verified from the SMS logs. Reapplying the SDP will apply it only to the systems which have not yet applied the advertisement, i.e. systems which failed to apply the advertisement or new systems added to the collection after the SDP was applied. Once a system has successfully installed the advertisement, reapplying an SDP to the advertisement will have no effect on it.

Applying an SDP policy to a system will fail, and an appropriate message will be logged to the SMS log, if the system already has the maximum number of filters or policies defined on it. The result of the SDP application operation for each system is logged to the SMS log, and a summary log entry is written when the operation ends.

Removing System Defense Policies

From Collections: to manually remove a System Defense policy from a collection, right-click the collection targeted by the advertisement and choose All Tasks > Intel AMT Tasks > Clear System Defense Policy.

From a Single System: to manually remove a System Defense policy from a single system, right-click the system and choose All Tasks > Intel AMT Tasks > Clear System Defense Policy.

Note: This option is only enabled if a System Defense policy applied by the add-on to that system is currently active.

Considerations Before Using System Defense

System Defense is a powerful feature that can have serious detrimental effects if it is not used with caution. This is because System Defe
216. ros protocol, a trusted third party that has secret information (passwords) for all clients and services under its supervision. Mutual Authentication: Mutual authentication, also known as two-way authentication, is a process whereby two parties, typically a client and a server, authenticate each other in such a way that both parties are assured of the other's identity. In mutual authentication the server also requests a certificate from the client. Provisioning: Provisioning deals with planning, setting up and configuring the hardware, software and networks that deliver access to data and network resources for the users. Proxy: A firewall mechanism that replaces the IP address of a host on the internal (protected) network with its own IP address for all traffic passing through it. A software agent that acts on behalf of a user; typical proxies accept a connection from a user, decide whether or not the user or client IP address is permitted to use the proxy, perhaps perform additional authentication, and then complete a connection on behalf of the user to a remote destination. PSK (Pre-Shared Key): The use of secret passwords or encryption keys that are entered into both sides of the message exchange ahead of time. Pre-shared keys are typed into the clients and servers (authentication servers, access points, etc.) or entered via floppy, CD-ROM or smart card. Contrast with server-based keys, in which one side generates a key an
217. rt the certificates. [Screenshot: certificate store context menu (Refresh, Export List, View, Arrange Icons, Line up Icons, Help).] Quick Reference Guide: Maximizing the Benefits of Intel Active Management Technology, A Solution Guide. Other names and brands may be claimed as the property of others. Copyright 2008 Intel Corporation. All rights reserved. Intel, the Intel logo, Intel AMT, Intel vPro, Centrino, Centrino Inside and vPro Inside are trademarks of Intel Corporation in the U.S. and other countries. Intel Active Management Technology requires the computer system to have an Intel AMT-enabled chipset, network hardware and software, as well as connection with a power source and a corporate network connection. Setup requires configuration by the purchaser and may require scripting with the management console or further integration into existing security frameworks to enable certain functionality. It may also require modification or implementation of new business processes. With regard to notebooks, Intel AMT may not be available or certain capabilities may be limited over a host OS-based VPN, or when connecting wirelessly, on battery power, sleeping, hibernating or powered off. For more information see http://www.intel.com/technology/manage/iamt
218. rver [Screenshot: Certificate Templates list, Minimum Supported CAs column (Windows 2000 or Windows Server 2003 Enterprise Edition for each template).] [Screenshot: Properties of New Template dialog, General tab. Template display name: Intel AMT Client Certificate. Minimum Supported CAs: Windows Server 2003 Enterprise Edition. "After you apply changes to this tab you can no longer change the template name." Template name: IntelAMTClientCertificate. Validity period: 1 years. Renewal period: 6 weeks. Publish certificate in Active Directory (checked). Do not automatically reenroll if a duplicate certificate exists in Active Directory (unchecked). Other tabs: Issuance Requirements, Superseded Templates, Extensions, Security, Request Handling, Subject Name.] 9. Right-click User and then select Duplicate Template. 11. Type your preferred display name in the Template display name field and then type your preferred name in the Template name field. 12. Click Apply.
219. rver IP address for provisioning purposes. The name and IP address of each Intel AMT 2.1 host will be automatically registered in the DNS by the DHCP server. Each Intel AMT 2.1 host will try to resolve the static name ProvisionServer during the initial activation process (explained later). ProvisionServer will be manually registered in the DNS and assigned to the Setup & Configuration Server IP address. ProvisionServerDB will also be utilized during the Intel AMT provisioning process by scripts executing on the client operating system. These scripts are used to link the Intel AMT unique identifier with the client operating system's host name and fully qualified domain name. ProvisionServerDB will be manually registered in the DNS and assigned to the Microsoft SQL Server mentioned here, which hosts the Setup & Configuration Server database. DNS is expected to be integral to the existing Windows network infrastructure. DNS should inherently be designed in a high-availability configuration, as prescribed by the existing environment and geographic requirements, as well as best practices for DNS in general. Also, DNS forward and reverse lookup zones should be configured to accept secure and non-secure updates. Dynamic Host Configuration Protocol (DHCP) Server: DHCP services must be in place to properly register Intel AMT 2.1 hosts within the enterprise. The hosts require that the DHCP server register their fully qualified domain
220. rvers for domains which contain Intel AMT managed devices. c. It must have an Active Directory-integrated login account in the Microsoft SQL Server, given rights to the SCS database for reading and writing. d. As of this writing, this account must be located in the same domain as the Microsoft Certificate Authority when the certificate authority is configured in Standalone mode and you wish to automatically configure items in the Intel Setup & Configuration Server (SCS). If this is not configured in this manner, the user is still able to configure SCS manually by typing in the appropriate certificate authority information. SMSAMTUser_NNN (NNN is the SMS site code): The Intel SMS Add-on service runs under a dedicated user account. The name of the user account is SMSAMTUser_NNN, where NNN is the 3-letter site code of the SMS site, and it is displayed by the wizard during installation. The setup application prompts the user for this account's password during the installation procedure. Once the Add-on has been installed, the add-on service updates the password every 28 days and whenever the service restarts, requiring no intervention by the IT administrator. If the IT administrator ever changes the password for this account, they should enter the new password into the add-on using the Security tab of the Add-on Settings dialog box. This allows the add-on
221. s 10. Place a checkmark in the Boot from Image located at checkbox. 11. Click the Set Boot Image button. 12. Select your image of choice and click OK. 13. Click Redirection Boot. 14. The Intel AMT system will now boot from the image file selected. SOL redirection. Serial Redirection Terminal: Selecting this box will redirect the serial output during the boot. Enter BIOS Setup: Selecting this box will stop the boot operation at the BIOS entry screen. IDER redirection. Boot from Image located at: This box will allow booting from an image. Click the Set Boot Image button to select an image that is located in the repository set by the Boot Images Base Path option in the Intel AMT Add-on settings dialog. Session Close After: The IDER session timeout defined in the Redirection tab of the Intel AMT Add-on settings dialog can be overridden by entering a different value in the Session Close After field (optional). Note: Redirection operations that are not supported by a given system BIOS are grayed out. Boot Options. Lock System during Operation: Select this box to lock the keyboard, reset button, sleep button and power button during a reboot, in order to prevent user intervention on the system during the operation (optional). This checkbox is only enabled if the system supports locking all of these options during a reboot.
222. s > Internet Options. [Screenshot: Internet Options dialog, Content tab (Content Advisor, Certificates, Personal information sections). Certificates: "Use certificates to positively identify yourself, certification authorities and publishers." Buttons: Clear SSL State, Certificates, Publishers.] 4. Click the Content tab and then click Certificates. [Screenshot: Certificates dialog, Personal tab (Intended purpose: All), listing the personal certificate issued by the vPro lab CA; Certificate intended purposes: Client Authentication, 2.16.840.1.113741.1.2.1.] Scroll down and select the Root CA certificate. Click the Trusted Root Certification Authorities tab. [Screenshot: Certificates dialog, Trusted Root Certification Authorities tab (columns: Issued To, Issued By, Expiration).]
223. s and whenever the service restarts, requiring no intervention by the IT administrator. If the password for this account needs to be changed, enter the new password into the add-on using the Security tab of the General Settings dialog. This will allow the add-on to continue the automatic changing of the password. NOTE: This service account should never be changed. This prevents a scenario in which it is changed to a critical account (for example, administrator), permanently locking out the account owner when the password is changed automatically by the service. NOTE: If the SQL server used by SMS is not installed on the SMS server machine, the SMSAMTUser_NNN user account must be added to the Administrators group on the SQL server machine. Additional Hot fixes: If the Intel AMT systems are configured to use Kerberos authentication and Windows Server 2003 SP1 or R2 is being used, Microsoft hot fixes KB899900 and KB908209 must be installed to allow the add-on to work correctly. Note: These hot fixes are included in Windows Server 2003 SP2. These hot fixes can be obtained from the following links: http://support.microsoft.com/kb/899900 and http://support.microsoft.com/kb/908209. Install Client Certificate for SMSAMTUser_NNN: For mutual authentication between Intel AMT devices and the SCS server, a client certificate must be issued and st
224. s in itself a full solution to managing servers and desktops in an environment. The Intel AMT SMS Add-on adds value to the SMS solution with features such as discovering systems that do not have the SMS Client agent installed, tracking their assets, performing wake-up and power-down functions, as well as resetting systems. Below is a description of these features and how they should be configured. Log on to the SMS server as the SMS Administrator. Open the SMS Administrator console. Expand the SMS Hierarchies. Right-click Collections > select All Tasks > Intel AMT Tasks > Add-On Settings. [Screenshot: Systems Management Server console, Site Database > Collections, with the All Tasks context menu open (Distribute Software, Export Objects, Import Objects, Distribute Software Updates, Distribute Software to Devices, Update Collection Membership, Discover Intel AMT via IP Scan, Discover Intel AMT via SCS Event Regist
225. s software package has the ability to update the interim database. NOTE: Future versions of Intel AMT (2.2, 3.x and beyond) support a provisioning mechanism called remote configuration. This eliminates the need to touch the Intel AMT device once it is delivered to its final resting place, e.g. the end user's desk or the enterprise premises. The design enables a piece of software, the RemoteConfigurationTool, to be delivered with the existing software delivery mechanism (e.g. Microsoft Systems Management Server (SMS) for the enterprise) to initiate provisioning activities on the Intel AMT 2.2 or greater version device at whatever interval is deemed appropriate for enterprise activation of the systems. This activity requires, at the very least, that the infrastructure in this document be installed and working properly. Also, an appropriate root certificate hash should be installed on the Intel AMT device that is delivered. At a minimum, the Intel AMT device is delivered by default with several well-known root certificates, like Verisign and GoDaddy. There are others delivered on the device, and it is appropriate to check with the OEM of your systems to determine whether the appropriate well-known root certificates are pre-installed on the Intel AMT devices delivered to your organization. If you choose to use the preinstalled
226. s supported the following virtual servers: VS1, VS2, VS3, VS4 and VS9. The other VMWare server host supported the remaining virtual servers listed in the diagram in the next section: Node1, Node2, VS7, VS8, VS10 and VPRO-CAR. [Table residue: port usage for Serial Over LAN Redirection (SOL), the standard HTTP port, IDE Redirection and Enterprise TLS mode; the port numbers did not survive extraction. One note reads: port used for configuration but can be reconfigured.] Lab Bill of Materials (BOM): The bill of materials for the lab setup includes 2 servers running Windows Server 2003 R2 SP3, hosting VMWare Server with all 11 virtual machines listed in the diagram below. The following diagram lists the hardware specifics but not detailed OEM and model numbers. Platform: 4 x Intel Pentium 4 processor 2.7 GHz, 4 GB; Windows Server 2003 R2 Standard Edition; VMWare Server 1.0.3; Operating System Hard Disk 135 GB; .NET 2.0; Internet Information Server (IIS) 6.0; 4 physical ports (2x 10/100, 2x 1GB). The following diagram depicts the environment used for model office testing of the enterprise management infrastructure. As described in the section above, this entire enterprise simulation environment is running on two physical servers hosting these virtual servers with VMWare Server. The methodology behind this lab setup is to mimic an enterprise implementation where the AD forest below contains
227. sible. [Screenshot: Certificate Export Wizard, Export File Format page: Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) and Delete the private key if the export is successful, both unchecked.] 9. Click Next. 10. Enter the file name for the certificate, for example C:\Certificates\Root Cert, and click Next. [Screenshot: Certificate Export Wizard, File to Export page: "Specify the name of the file you want to export." File name: C:\Certificates\Offline Root Cert.] 11. Click Finish and then click OK for a successful export. 12. Select the Intermediate Certification Authorities tab. Select the Issuing CA's certificate; in the example below, the Subordinate CA's certificate. [Screenshot: Certificates dialog, Intermediate Certification Authorities tab (Intended purpose: All), listing Microsoft Root Authority (expires 12/31/2002), Root Agency (12/31/2039), VeriSign Class 1 Public Primary (5/12/2008), VeriSign Class 2 Public Primary (1/6/2004), VPRO-CAR (6/8/2012 and 6/8/2008) and www.verisign.com Class 3 Public Primary (1/7/2004); buttons Import, Export, Remove, Advanced, View, Close.] Click Export and click Next. Select Base-64 encoded X.509 (.CER). Click N
228. signed to different individuals. The SCS supports multiple methods for loading configuration information, each with its uses, advantages and disadvantages. Source of Configuration Information: Database or Script. The SCS can be configured to locate Intel AMT device configuration information in one of two ways: either from within the SCS database or via a script. When the SCS receives a Hello message from a device, it will look in the SCS database for a configuration entry matching the UUID in the Hello message. If there is no match and there is no script, the SCS will revisit the queued Hello message periodically to see whether an entry was added to the database. If the script option was selected, the SCS will activate a script to find the necessary information, given the UUID and the source IP in the Hello message. When the SCS receives the configuration from the script, it stores the information in the database. Adding device information to the SCS database manually: This is the simplest approach, but it is the most laborious for IT personnel. They have to manually enter the UUID along with the other parameters into the New Intel AMT Configuration parameters. The SCS Console has a page that supports this method; see Configuration Parameters per Device in the Intel AMT SCS Installation and User Manual. Adding device information to the
229. stems. Generating the security keys from the SCS console or by the command-line method requires that the keys be manually copied to each Intel AMT system. 1. Locate the USB key that contains the security keys. Insert the USB key into the Intel AMT system's USB port. Power on the Intel AMT system; it should read the keys from the USB drive. Press Y to accept the key installation; do not press any additional keys. When completed, there should be a message instructing you to power off the Intel AMT system. Power off the Intel AMT system and remove the USB thumb drive. Move Intel AMT systems to the User location: When the Intel AMT systems have been provisioned using the USB key, they can be moved to their respective user desktop locations. 1. Remove the power and network cables from the Intel AMT system. 2. Prepare for shipping to the End User location. 3. Upon arrival, restore the power plug and network cable. 4. Power on the Intel AMT systems. Final Provisioning Step to Configure New Intel AMT Systems: The final step to fully provisioning the Intel AMT systems in the enterprise is to assign each Intel AMT system to the following: 1. AD domain and associated OU. 2. Fully Qualified Domain Name, determined by the completely installed and configured AD-joined client operating system. 3. Intel AMT Setup and Configu
230. structure. The DHCP server comes as part of Windows 2003 Server and easily integrates with Microsoft Active Directory and Microsoft DNS. It is, however, a requirement that the DHCP server implemented for the Intel AMT 2.1 management infrastructure support and enable DHCP option 81, allowing it to register FQDNs on behalf of the Intel AMT 2.1 devices. A DHCP server service supporting these requirements is expected to be in place prior to installing the Intel AMT 2.1 management infrastructure and implemented in a high-availability design. Microsoft SMS 2003 SP3: The minimum required software level is Microsoft SMS 2003 SP1. It is highly recommended to implement SMS 2003 SP3 in the enterprise to provide the latest supported software and fixes to SMS 2003. It is expected that a fully functional Microsoft SMS 2003 hierarchy be in place in the enterprise prior to installing the Intel AMT 2.1 management infrastructure and implemented in a high-availability design. Intel Setup and Configuration Server 3.0 or later: This is the recommended version for implementing the Intel AMT 2.1 management infrastructure. Intel AMT Add-on for SMS version 3.0 or later: This is the recommended version for implementing the Intel AMT 2.1 management infrastructure. Required vs Optional Infrastructure Components Checklist: This checklist includes columns for optio
231. t P Root CA cert. Intel AMT Add-on for SMS Installation: The SMS add-on can be installed on a Windows Server 2003 or Windows XP workstation where the SMS 2003 console is installed. It must also be installed on each SMS Primary Site Server in the environment. The user account performing the installation requires the following rights: a member of the Administrators group on the local machine; Administer rights for Collections, Site and Advertisements in the SMS Hierarchy. Follow the steps below to install the SMS Add-on. Log on to the SMS server as an SMS Administrator. Double-click iAMTAddonSetup.exe. This file is obtained by downloading the software distribution from Intel (http://softwarecommunity.intel.com/articles/eng/1025.htm); iAMTAddonSetup.exe is found within the distribution file. [Screenshot: InstallShield Wizard, "Preparing to Install: Intel(R) AMT Add-on for SMS Setup is preparing the InstallShield Wizard which will guide you through the program setup process. Please wait. Extracting ..."] 3. The files will extract. Click Next. [Screenshot: "Welcome to the InstallShield Wizard for Intel(R) AMT Add-on for SMS. The InstallShield(R) Wizard will install Intel(R) AMT Add-on for SMS on your computer. Click Next to continue. WARNING: This program is protected by copyright law and international treaties."] 4. At the License Agreem
232. t44c-06c3-4b92-ba32-63d895a7924b1033.mspx?mfr=true. Sections: Overview of DNS Deployment; Examining Your Current Environment; Designing a DNS Namespace; Designing a DNS Server Infrastructure; Designing DNS Zones; Configuring and Managing DNS Clients; Securing Your DNS Infrastructure; Integrating DNS with Other Windows Server 2003 Services; Implementing Windows Server 2003 DNS; Additional Resources for Deploying DNS. Installing and Configuring DHCP: Microsoft TechNet, Deploying DHCP, http://technet2.microsoft.com/windowsserver/en/library/599241a4-4374-4a98-af9b-c38f766fbfbe1033.mspx?mfr=true. Sections: Overview of DHCP Deployment; Creating Your DHCP Server Design; Integrating DHCP with Other Services; Defining Scopes; Implementing Your DHCP Solution; Example DHCP Implementation; Additional Resources for Deploying DHCP. Installing and Configuring Certificate Services: Microsoft TechNet, Certificate Services, http://technet2.microsoft.com/windowsserver/en/library/d01a80dd-479a-444b-8893-68c40d61dd9c1033.mspx. Sections: Setting Up a Certification Authority; Administering a Certification Authority; Deploying a Public Key Infrastructure; Certificate Services overview; New features in Certificate Services; Understanding Certificate Services; Using Certificate Services; Certificates Resources. Installing and Configuring Systems Management Server 2003: Planning & Deploying Systems Ma
233. tain intelManagementEngineHostComputerBL. Another sample script, CheckSchemaExists.vbs, that verifies the schema extension is shown below (the comment separator lines of the original did not survive extraction; the class CN is written in the hyphenated form used by the other schema objects in this guide):

    ' CheckSchemaExists.VBS: check whether the Intel AMT schema extension exists
    On Error Resume Next

    ' Bind to the rootDSE of the domain controller we are logged on to
    sPrefix = "LDAP://"
    Set root = GetObject(sPrefix & "rootDSE")
    If Err.Number <> 0 Then
        BailOnFailure Err.Number, "on GetObject method"
    End If

    ' Get the DN for the Schema naming context (CN=Schema,CN=Configuration,...)
    sSchema = root.Get("SchemaNamingContext")
    If Err.Number <> 0 Then
        BailOnFailure Err.Number, "on Get method"
    End If

    ' Check that the Intel Management Engine class exists in the schema
    Set Schema = GetObject("LDAP://CN=Intel-Management-Engine-Version," & sSchema)
    If Err.Number <> 0 Then
        WScript.Echo "Schema Does not Exist for " & sSchema
        BailOnFailure Err.Number, "on Get method"
    End If
    WScript.Echo "Schema Exists for " & sSchema
    WScript.Quit 0

    ' Display subroutines
    Sub BailOnFailure(ErrNum, ErrText)
        ' Report the ADSI error code in hex and exit with that code
        strText = "Error 0x" & Hex(ErrNum) & " " & ErrText
        WScript.Echo vbCrLf & strText & " (ADSI Error)"
        WScript.Quit ErrNum
    End Sub

Included as a support file to this document is Microsoft's endorsement for these schema extensions, MicrosoftSupportStatement.pdf.
234. te requested from the CA and updated on each Intel AMT device before the current one expires. Change Intel AMT Active Directory Password: Enable this option if you want to automatically change the password for each Intel AMT object in AD. SCS will then update the associated Intel AMT device with the new password. Re-provision Intel AMT: With this option selected, SCS will re-apply the settings in the profile associated with each Intel AMT device according to your defined interval. Change Intel AMT Administrator password: When this option is selected, the administrator password is changed periodically, to either a randomly generated password or a fixed password. The option is defined on the profile associated with each Intel AMT device, under the Profiles > General tab. Renew Pseudo Random Generator: With this option selected, SCS generates a new random number generator seed for each Intel AMT device. Synchronize Intel AMT Clock: This option synchronizes the clock in each Intel AMT device to the clock on the SCS server. This makes sure that the clocks on the Intel AMT devices do not differ by more than the Kerberos Max Clock Tolerance that is defined in the profile settings. Profiles: The configuration parameters for Intel AMT devices are contained in the profiles. These parameters include features
235. te the following Group objects as stated in the table below. [Screenshot: C:\WINDOWS\system32\ldifde.exe output: "Connecting to VPRO-US1.vpropov.local. Logging in as current user using SSPI. Importing directory from file IntelAMT.LDF. Loading entries ..."] [Table: Group objects to create (columns: Domain where created, Container, Object, Object Name, Member Of). Recoverable rows: in the domain where the SCS server will be installed, container IntelAMTOU, a Universal Security Group named IntelAMT Setup and Configuration Servers (SCServers); in the Root Domain, a Domain Local group SCServers. The remaining cells did not survive extraction.] Log in to a Domain Controller in the domain where the issuing Certificate Authority (CA) is installed. 5. Click OK at the "script executed successfully" message. 6. To verify the schema extension, double-click CheckSchemaExists.vbs, located in the AdminScripts\Active Directory Schema directory. [Screenshot: Windows Script Host message: Schema Exists for CN=Schema,CN=Configuration,DC=vpropov,DC=local.] 7. A "schema exists" message should be displayed. Click OK. 4. From the Active Directory Users and Computers console, create the following User object as stated in the table below. [Table: User object: Domain where the CA is installed; Container IntelAMTOU; Object User; Object Name SCSServiceAccount; Member Of: Enterprise (remainder not recoverable).] Create SCS Service User Account and Group Accounts: The Active Directory User and Group objects for SCS should be created as described in section 0, Active Directory D
236. tel AMT device properties. From DB: Select this option to populate Intel AMT properties from the Intel AMT table stored in the SCS database. This is the default option. It typically requires that pertinent provisioning information be entered manually through the SCS on a per-system basis. NOTE: For enterprise deployments the following option, From Script, should be chosen. From Script: Select this option if you have written a script or plan to utilize the scripts included below. The SCS determines the properties of the Intel AMT system by invoking the script specified in the script location. This is the option that will be used for enterprise deployments. The VB script located below is executed by the OS shell, initiated through the following attached batch file. You should take the following files and store them in the location on the SCS from which they will run. The following option description provides an example of where these scripts should execute. Script Location: This is the full path and file name of the batch file included in the ZIP file below. This is not the full path and file name of the VB script. The batch file should be modified as necessary to point to the location of the VB script listed below. The batch file runscript.bat contents are listed below:

    REM Copyright (C) Intel Corporation 2002-2007
    REM runscript.bat
    REM This batch script is needed to ensure that the VBScript is run from the
237. tely, by encapsulating keystrokes and character display data in a TCP/IP stream. 6. Click to place a checkmark next to IDE Redirection, to remotely enable, disable, format or configure individual floppy or IDE CD drives, and to reload operating systems and software from remote locations. 7. In the TLS PSK box, click Encrypted. 8. In the TLS Settings box, place a checkmark next to Use TLS. 9. Select TLS Mutual Authentication for both the Local and Network Interface. 10. Click the ellipsis (browse) icon next to the TLS Server Certificate Details window. [Screenshot: Select Certificate Generation Properties dialog (columns: CA Host name, Name, CA Type, Template; buttons Add, Edit, Delete).] 11. Click Add. [Screenshot: Add Certificate Generation Properties dialog: CA Host Name VPRO-VS1.vproprod.local; Name VPRO-VS1; Type Standalone; Template LDAP Name; buttons OK, Cancel.] 12. Click the ellipsis (browse) icon by the CA Host Name. [Screenshot: Select Certificate Authority dialog.] 13. Select the Subordinate CA and click OK. 14. Click OK. [Screenshot: Select Certificate Generation Properties dialog showing the new entry (Id, CA Host name, Name, CA Type, Template).] 15. Click OK. 16. Click the Mutual Authentication butt
238. tes. 11. Complete the CA Identifying Information screen and click Next. [Screenshot: Windows Components Wizard, Certificate Services subcomponents: Total disk space required 4.8 MB; Space available on disk 15021.6 MB; Details button.] 8. Verify that both the Certificate Services CA and the Certificate Services Web Enrollment Support checkboxes are selected and click OK. 9. Click Next. The CA Type screen is displayed. 12. Accept the default Certificate Database Settings window settings and click Next. [Screenshot: Windows Components Wizard, Certificate Database Settings: "Enter locations for the certificate database, database log and configuration information." Certificate database: C:\WINDOWS\... (truncated); Certificate database log: C:\WINDOWS\system32\CertLog; Store configuration information in a shared folder (unchecked); Shared folder (empty); Preserve existing certificate database.] You may accept the default location for the Certificate Database Settings or modify it as prescribed by your company policy. The configuration information will be stored in Active Directory, so leave the Store configuration information in a shared folder option unchecked. Click Next. 13. Complete the CA Certificate Request as follows. [Screenshot: Windows Components Wizard, CA Certificate Request: "Request the certificate for this CA by sending the request directly to a parent CA or savin
239. that are enabled on the device, the authentication mechanism, and which users have access to device features. 1. To add a Profile, select Profiles and click Add. NOTE: Profile configuration changes require a confirmation prior to moving to the next tab. Click Apply to confirm on each tab. 2. Profile Configuration, General Tab. 3. Click the General tab. [Screenshot: Add/Edit Profiles dialog with tabs General, Network, ACL, Power Policy, NAC, Wireless Profiles, Wired 802.1x. "Configure the Profile General Parameters." General: Profile Name MTLS; Profile Description "Production MTLS Profile". Administrator Credentials: User Name admin; Password: Random Creation or Manual (Enter Password, Re-Enter Password); Advanced button; OK, Cancel.] 4. In the Profile Name box, enter a descriptive name for the profile. 5. For the Profile Description, enter a description of the profile. 6. In the Administration Credentials User Name, the default name is admin. Password: 7. Select Random Creation if you want only the SCS to manage the Intel AMT devices. 8. Select Manual if you want an Administrator or a third-party management console to have access to the Intel AMT devices. If you already configured admin password information in the SMS Add-on, enter the same information here. 9. Click the Advanced button and enter the number of minutes allowed by your company policy in the Kerberos Max Clock Tolerance. The default of 5 minutes is
the Microsoft website at Certificate Services.
Microsoft SQL Server 2005 Standard Edition SP2 (minimum recommendation). It is recommended that this database be in a cluster configuration for high availability; either a Standard Edition or an Enterprise Edition cluster is sufficient. This will require Windows Server 2003 Enterprise R2.
Microsoft Internet Information Server 6.0 (IIS). This is stated for completeness, as it is required for the Intel Setup and Configuration Server. This is the web server that supports the management SOAP/HTTPS calls to the SCS. IIS 6.0 is standard and included with Windows Server 2003.
Microsoft Domain Name Server. It is highly recommended that the Microsoft Domain Name Server (DNS) is implemented, and in most cases it is part of the existing Windows network infrastructure. DNS comes as part of Windows 2003 Server and easily integrates with Microsoft Active Directory. It is, however, a requirement that the DNS implemented for the Intel AMT 2.1 management infrastructure be a dynamic DNS supporting RFC 2136, allowing for dynamic registration of fully qualified domain names (FQDN). DNS service supporting these requirements is expected to be in place prior to installing the Intel AMT 2.1 management infrastructure and implemented in a high availability design.
Microsoft DHCP Server. It is highly recommended that the Microsoft DHCP Server is implemented, and in many cases it is part of the existing Windows network infrastructure
Motherboard Replacement
The add-on may report a UUID change when a motherboard has been replaced in a system with an entry in SMS. If this is the case, rediscover the system to make sure that the current information is used.
Note: The new UUID is not automatically detected when working with Kerberos without an integrated Intel Setup and Configuration Service, because of the motherboard replacement. In any case, rediscovering the system in order to update the entry is recommended after the motherboard is changed.
Note: In any case where an add-on reports a changed UUID, the system must be rediscovered to update the entry.
SMS Repair and Scheduled Backups
The Intel AMT service must be stopped before trying to perform SMS maintenance tasks that must disable SMS services and WMI connections, i.e. running the SMS repair agent or running a scheduled backup. More information about this can be found at http://www.microsoft.com/technet/prodtechnol/sms/sms2003/maintain/spmbrs/ms03/spmbr02.mspx
Repairing the Intel AMT Add-on for SMS
Before repairing the add-on, verify that the SMS Console is closed. The user account repairing the add-on requires the same permissions needed for installation. To repair the add-on, follow either of the steps below:
• Open the Add or Remove Programs console, select the Change option for the add-on and follow the wizard's instructions.
• Double-click the original installation file (setup.exe) an
IIS Certificate Wizard, Name and Security Settings: Your new certificate must have a name and a specific bit length. Type the common name for your site. If the server is on the Internet, use a valid DNS name. If the server is on the intranet, you may prefer to use the computer's NetBIOS name. If the common name changes, you will need to obtain a new certificate. The bit length of the encryption key determines the certificate's encryption strength: the greater the bit length, the stronger the security. However, a greater bit length may decrease performance. The screen has a Common name field, a Bit length field (1024 in the example) and a Select cryptographic service provider (CSP) for this certificate option.
13. Type the name for the new certificate, OR accept the defaults, and click Next.
15. In the Common name window, type the FQDN of the SCS server and click Next.
IIS Certificate Wizard, Organization Information: Your certificate must include information about your organization that distinguishes it from other organizations. Select or type your organization's name and your organizational unit. This is typically the legal name of your organization and the name of your division or department. For further
IIS Certificate Wizard, Geographical Information: The certification authority requires the following geographical information: Country/Region (US, United States)
time based on information in its trusted database.
Authenticator: An authentication protocol string created each time authentication occurs and sent with the ticket to the server. It contains a time stamp encrypted in the session key that can reliably show that the authentication request actually came from the client identified in the ticket.
Authorization: The process of determining what types of activities are permitted. Usually authorization is in the context of authentication: once you have authenticated a user, the user may be authorized for different types of access or activity.
CRL (Certificate Revocation List): The CRL is a list of time-stamped entries which indicate which certificates have been revoked.
Domain: Part of the DNS domain naming system name that specifies details about a host. A domain is the main subdivision of Internet addresses, the last three letters after the final dot, and it tells you what kind of organization you are dealing with. In the context of Active Directory, every host is a member of a domain. A user logs in to the domain of which he is a member.
DNS: A system for converting host names and domain names into IP addresses on the Internet or on local networks that use the TCP/IP protocol. For example, when a Web site address is given to the DNS, DNS servers return the IP address of the server associated with that name.
Enterprise Access Control List
FPACL: Factory Partners Access Control List
FQDN: The hum
ting protocol operations. Network Discovery is a
Milestone  6/2/2007 12:37:00 PM  VPRO-VS2  SMS_NETWORK_DISCOVERY  1302  Network Discovery protocol modules are initializing.
All Status Messages: 190 of 190 messages displayed, 1 selected.
Review the Description column and notice the "<AMT System name> Intel AMT Automatic Discover System located" message.
Close the System Status window.
From the left pane, right-click All Systems. Select All Tasks > Update Collection Membership and click OK.
Click the Refresh icon, or right-click All Systems and select Refresh.
In the SMS console (Systems Management Server Site Database, Collections > All Systems) the systems VPRO-VS2, VPRO-VS1 and VPRO-CONSOLE1 are listed with their System and Advanced information. The other collections shown are All Active Directory Security Groups, All User Groups, All Users, All Windows 2000 Professional Systems, All Windows 2000 Server Systems, All Windows 98 Systems, All Windows NT Systems, All Windows NT Workstation Systems, All Windows Server 2003 Systems, All Windows Server Systems and All Windows Workstation Systems.
The newly provisioned Intel AMT system will now be displayed in the SMS console.
Getting to Pro: An Enterprise Approach to Deploying Intel AMT
Required vs Optional Infrastructure Components Checklist .... 18
Network Requirements Checklist .... 20
Bill of Materials (BOM) .... 20
Intel AMT BIOS Provisioning Overview .... 22
Manual .... 23
USB Key .... 24
OEM .... 25
Setup and Configuration .... 26
Reviewing Existing Network Infrastructure .... 26
Active Directory Modification: Schema Extension and User Groups .... 63
Installing the Intel AMT Setup and Configuration Server (SCS) .... 66
Intel AMT Add-on for Microsoft SMS .... 74
tion. The Subject Name tab offers Supply in the request; Prompt the user during enrollment; Prompt the user during enrollment and require user input when the private key is used; Subject name format; Include e-mail name in subject name; and Include this information in alternate subject name (E-mail name, DNS name, User principal name (UPN), Service principal name (SPN)). To choose which cryptographic service providers (CSPs) should be used, click CSPs.
14. Click the CSPs button. The dialog lets you choose which cryptographic service providers (CSPs) can be used in requests: either Requests can use any CSP available on the subject's computer, or Requests must use one of the following CSPs: Microsoft Base DSS and Diffie-Hellman Cryptographic Provider, Microsoft DH SChannel Cryptographic Provider, Microsoft Enhanced Cryptographic Provider v1.0, Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider, Microsoft Enhanced RSA and AES Cryptographic Provider, Microsoft RSA SChannel Cryptographic Provider, Microsoft Strong Cryptographic Provider, Schlumberger Cryptographic Service Provider.
18. Select the Supply in the Request radio button and then click Apply.
19. Select the Security tab.
Quick Reference Guide Maximizing the Benefits of Intel Active Management Technology A Solution Guide
tion of this document.
Configuration Parameters: Configuration parameters are covered in the Provisioning Intel AMT Systems section of this document.
Installing Client Certificates for TLS Mutual Authentication
For mutual authentication between Intel AMT devices and the SCS server, a client certificate must be issued and stored in the personal certificate store of the SCS Service Account on the SCS server. SCS Service Account refers to the SCS User Account that runs the AMTConfig service.
Install Client Certificate for SCS Service Account
1. Log on to the SCS Server as the SCS Service Account (you may need to configure the log on locally settings for the SCS User).
2. Click Start > Programs > Internet Explorer.
3. Enter the following URL: http://ca_machine/certsrv
4. Click Request a certificate.
5. Click advanced certificate request.
6. Click Create and submit a request to this CA.
7. In the Name field, type the FQDN of the SCS server.
8. In the Type of Certificate Needed field, select Other. NOTE: If you have configured an Enterprise CA, select the template and skip step 9.
9. In the OID field, complete the certificate OID to read 1.3.6.1.5.5.7.3.2,2.16.840.1.113741.1.2.1
10. Select 1024, 1536 or 2048 as the key size, depending on your company's encryption algorithm.
11. Select the Mark keys as exportable checkbox.
tions. The power control dialog offers Power Up, Reset, Power Cycle and Power Down, the boot option list, the Lock System during Operation and BIOS Password Bypass checkboxes, and the Send Command and Close buttons.
4. Select the power control command from the list available:
• Power Up
• Reset
• Power Cycle
• Power Down
Note: This action is performed on all systems in that collection which support Intel AMT and are in a relevant state. For example, a power down command is not performed on a system that is already powered down.
Caution: Reset, Power Cycle and Power Down commands can cause loss of data to users logged on to the system.
5. Select a boot option from the drop-down menu of available boot options:
• NOP (Normal Operations, standard boot)
• Force PXE Boot
• Force Hard Drive Safe Mode Boot
• Force Hard Drive Boot
• Force Diagnostics Boot
• Force CD or DVD Boot
6. Under the boot options menu are additional items that can be selected and configured:
• Lock System during Operation: Selecting this checkbox prevents user intervention on the system during any of the power operations except for Power Down. This checkbox is only enabled if the system supports all options: locking the keyboard, reset button and power button during a reboot.
• BIOS Password Bypass: Selecting this checkbox bypasses the BIOS password during a reboot. This checkbox is only enabled if the system supports bypassing the BIOS password during a boot.
• Force Power Up: Selecting this check
to continue to change the password automatically. If the Intel AMT systems are configured to use Kerberos authentication, the IT administrator needs to ensure that this user account is added to the relevant Active Directory groups that allow Intel AMT access. If the add-on is configured to work in the Integrated Setup and Configuration Service mode, this user account must be added as an administrator to the list of users in the Intel SCS. The user account must have access to the protected network path selected for the IDER image repository and to the local protected path for TLS certificates. If the SQL server supporting the SMS site server is installed on a machine other than the SMS server machine, the SMSAMTUser_NNN user account must be added to the Administrators group on the SQL server machine.
Caution: The account under which the service runs must never be changed. This prevents a scenario in which it is changed to a critical account (e.g. Administrator), permanently locking out the account owner when the password is changed automatically by the service.
Account used to install the Intel Setup & Configuration Service (SCS)
This domain account requires sysadmin privileges to create/drop a database and create security accounts for its database in the SQL server provided to host the Setup & Configuration Service database. Another option for SQL server installation purposes is to provide the SA account during the installati
two sub-domains, EAST & WEST. The intent in splitting up the AD forest is to simulate geographic separation of the management infrastructure and of the Intel AMT systems themselves. This setup contains an SMS hierarchy of a central site and two primaries, one in each domain. The simulation provided with this setup enables better understanding of deploying the Intel Setup & Configuration Server (SCS) in a different network and domain than its supporting SQL Server database. It provides for testing the Intel SMS Add-on communicating with the SCS from different SMS hierarchies and AD domains, while Intel AMT systems are provisioned in different domains and geographical locations.
vPro Lab: VPROPROD.LOCAL 192.168.55.0; EAST.VPROPROD.LOCAL 192.168.77.0; WEST.VPROPROD.LOCAL 192.169.66.0
Intel Management Engine Provisioning Models
Intel AMT BIOS Provisioning Overview
There are three models which can be used to enable provisioning of the Intel AMT 2.1 hosts into Enterprise Mode: Manual, USB Key and OEM. These models give the enterprise the flexibility to deploy Intel AMT 2.1 hosts in whatever method is necessary. It is highly unlikely that the manual model will be used except in extreme circumstances where the volume of deployments is low or the greater automation of USB Key an
Subject Name, Issuance Requirements, Superseded Templates, Extensions and Security tabs. On the Security tab, Group or user names lists Authenticated Users, Default Admin Account (VPROPROD\localadmin), Domain Admins (VPROPROD\Domain Admins), Domain Users (VPROPROD\Domain Users) and Enterprise Admins (VPROPROD\Enterprise Admins), with Add and Remove buttons. Permissions for Authenticated Users (Allow/Deny): Full Control, Read, Write, Enroll, Autoenroll. For special permissions or for advanced settings, click Advanced.
20. Add the Enterprise IntelME Setup and Configuration Servers group.
21. Click Apply.
22. Select the Extensions tab. To modify an extension, select it and then click Edit. Extensions included in this template: Application Policies, Certificate Template Information, Issuance Policies, Key Usage. Description of Application Policies: Client Authentication, Secure Email, Encrypting File System.
Edit Application Policies Extension: An application policy defines how a certificate can be used. Application policies listed: Client Authentication, Encrypting File System, Secure Email (Add, Edit, Remove; Make this extension critical).
24. Click Add.
However, your OEM may choose to set up the default administrator password, PPS and PID for you as part of their service. The procedure described here assumes that BIOS and MEBx parameters are set to the typical default values described in the table above. The hardware vendor will typically use a factory firmware image tool or an ICT (in-circuit test) tool to generate and configure PID and PPS values into a flash device. The tool keeps a database of values (UUID, MACs, PID and PPS) that are burned into the flash device. Factory automated setup, which loads the initial security credentials into Intel AMT 2.1 for networking and TLS, follows several general steps. The OEM enables the Intel Management Engine through BIOS, sets the power policies for the management engine and enables Intel AMT 2.1 in MEBx.
1. A factory firmware image tool or ICT tool generates and configures PID and PPS values into the Intel AMT 2.1 nonvolatile memory.
2. The OEM loads the PC's universal unique identifier (UUID) and MAC(s) into the Intel AMT 2.1 nonvolatile memory. The OEM may also choose to customize other setup parameters during this procedure.
3. At the end of a production run, or at appropriate intervals, the tool uploads its database of values onto a CD/DVD-ROM.
4. The factory ships the CD/DVD-ROM to the enterprise IT department.
5. The IT department loads the database from the CD/DVD-ROM into the Intel Setup and Configuration Service
Dim sqlServerName
Dim uuid, fqdn, ou, profileId, host, domain
Dim shell, env, strComputer, moniker, sql
Dim objConnection, objRecordSet, objWMIService, colItems, objItem
Dim connectionString
Dim dlen, currpos, ldapstr

' Needed so that the Err checks below can see WMI failures instead of aborting the script
On Error Resume Next

' The following values should be changed by the user.
' NOTE: If you do not have the SQLEXPRESS edition of SQL Server, delete the
' "\SQLEXPRESS" string from the server name.
sqlServerName = "<sql-server-name>\SQLEXPRESS"   ' placeholder: the value is not shown on the page
dataSource = sqlServerName
DBName = "NewAMTProperties"
tableName = "AmtProperties"
ou = "<ou-distinguished-name>"                   ' placeholder: the value is not shown on the page
profileId = "<profile-id>"                       ' placeholder: the value is not shown on the page

Set objConnection = CreateObject("ADODB.Connection")
Set objRecordSet = CreateObject("ADODB.Recordset")

' Local computer
strComputer = "."

' Path to WMI on the local machine; PktPrivacy encrypts the DCOM traffic
moniker = "winmgmts:" _
    & "{impersonationLevel=impersonate," _
    & "authenticationLevel=PktPrivacy}!\\" _
    & strComputer _
    & "\root\cimv2"
Set objWMIService = GetObject(moniker)

' Enumerate WMI objects
Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystemProduct")
' Extract UUID
For Each objItem In colItems
    uuid = objItem.UUID
Next
Quick Reference Guide Maximizing the Benefits of Intel Active Management Technology A Solution Guide
If Err.Number <> vbEmpty Then
    WScript.Echo "Error: cannot extract UUID"
End If

' Extract FQDN
Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem")
Certification Authority (Local) console for VPRO-VS1: Revoked Certificates, Issued Certificates, Pending Requests, Failed Requests, Certificate Templates. The Certificate Templates list shows Name and Intended Purpose: Directory Email Replication (Directory Service Email Replication), Domain Controller Authentication (Client Authentication, Server Authentication), EFS Recovery Agent (File Recovery), Basic EFS (Encrypting File System), Domain Controller (Client Authentication, Server Authentication), Web Server (Server Authentication), Computer (Client Authentication, Server Authentication), User (Encrypting File System, Secure Email, Client Authentication), Subordinate Certification Authority (<All>), Administrator (Microsoft Trust List Signing, Encrypting File System, Secure Email, Client Authentication).
3. Right-click Certificate Templates and then select New > Certificate Template to Issue.
6. The template is now listed in the list of templates.
7. Close the MMC console.
NOTE: You can now return to task 4.2.1.3 to expo
The Setup and Configuration settings dialog has an Integrated Setup and Configuration section (Server Host Name, e.g. vpro-vs9.west.vproprod.local; Server Port Number, 443; Supported Profiles with Set Profiles and Remove Profile; AD Organizational Unit, Computers) and an External Setup and Configuration Authentication Method section (Kerberos Authentication or HTTP Digest Authentication with Intel AMT User Name and Intel AMT Password), plus Reload Settings, Save and Close, and Apply buttons.
2. Place a checkmark in the Integrated Setup and Configuration checkbox.
3. In the Server Hostname field, type the name of the SCS server.
4. In the Server Port Number field, type 443.
5. In the Supported Profiles box, click Set Profiles.
7. Since Integrated Setup and Configuration is enabled, the External Setup and Configuration Authentication Method is disabled.
8. Click Save and Close.
Firewall Ports
Port Listings
This table is listed for completeness. It is almost identical to the network requirements checklist earlier in the documentation, and the previous list should be used when determining if the network is configured properly.
443
1. By default, port 9971 is used to establish the connection between Intel AMT
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=x
objectClass: attributeSchema
oMObjectClass:: KwwCh3McAIVK
oMSyntax: 127
rangeLower: 0
rangeUpper: 257
name: Intel Management Engine Host Computer BL
schemaIDGUID:: fRefPrsG Uawn1PI 3LArg
searchFlags: 0

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=Intel Management Engine,CN=Schema,CN=Configuration,DC=x
changetype: add
adminDisplayName: Intel Management Engine
defaultHidingValue: FALSE
defaultObjectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=x
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
description: Intel Management Engine
adminDescription: Intel Management Engine
objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,DC=x
objectClass: classSchema
lDAPDisplayName: intelManagementEngine
governsID: 1.2.840.113741.1.8.1.1
mayContain: intelManagementEngineVersion
mayContain: intelManagementEnginePlatformUUID
mayContain: intelManagementEngineHostComputer
instanceType: 4
objectClassCategory: 1
schemaIDGUID:: mmsxdsxXbOhGLOAAA HW2YA
subClassOf: Computer

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=Top,CN=Schema,CN=Configuration,DC=x
changetype: modify
add: mayContain
mayContain
exportable checkbox.
Microsoft Certificate Services web enrollment, Advanced Certificate Request (http://vpro-vs1/certsrv/certrqma.asp). Identifying Information: Name vpro-vs2.vpropov.local, E-Mail, Company, Department, City, State, Country/Region. Type of Certificate Needed: Other, with the OID field showing 2.16.840.1.113741.1.2.1. Key Options: Create new key set or Use existing key set; CSP Microsoft Enhanced Cryptographic Provider v1.0; Key Usage Exchange, Signature or Both; Key Size 1024; Automatic key container name or User specified key container name; Mark keys as exportable (checked); Export keys to file.
14. Click Submit.
Potential Scripting Violation: This Web site is requesting a new certificate on your behalf. You should allow only trusted Web sites to request a certificate for you. Do you want to request a certificate now?
15. Click Yes.
Maximizing the Benefits of Intel Active Management Technology: A Solution Guide
CA: Certificate Services provides customizable services for issuing and managing certificates that are used in software security systems that employ public key technology. A public key certificate, usually just called a certificate, is a digitally signed statement that binds the value of a public key to the identity of the person, device or service that holds the corresponding private key. Most certificates in common use are based on the X.509v3 certificate standard. Certificates can be issued for a variety of functions, such as Web user authentication, Web server authentication, secure e-mail (using Secure/Multipurpose Internet Mail Extensions, also called S/MIME), Internet Protocol security (IPSec), Transport Layer Security (TLS) and code signing. Certificates are also issued from one certification authority (CA) to another in order to establish a certification hierarchy. For installing and configuring DNS, refer to Appendix A.
Microsoft SMS: SMS 2003 is designed to make it easier for an organization to manage, support and maintain a distributed network of computer resources. SMS 2003 addresses the following key issues that IT administrators face in managing distributed computing environments:
• Manage computers that roam from one location to another and connect to the network from different geographical locations
• Provides Asset Intelligence reports to enable comp