Intel® AMT Configuration Utility User Guide
Contents
1. scsccssesseeeeeseeseeeeereeeeeeeees 2 Host Based Configuration ccccccccsccccesscesceseeesceeeeeeceseeneecaeeaeceeeaeeneeeeeeens 3 SMB Manual Configuration ccccccceseesecseesceseecsecesecseceaeeseceeeneeneeeeeenneeaes 3 Intel AMT and Security Considerations ccccsceeseeeecesceeeeeseeseeseeceeeseenaeeneenseees 4 Password Formats 2 20 525i ixscecessvscgus noaea eas Ei aE nN EEA EE EEE 4 File Encryption srir isseire iiinn rein sia ipsias 5 Digital Signing of Files ingne ii 6 Control Modes tanoa ane ia a r E a eea Ri irie RES 7 User Consent aires a ene et E E E E E ES 7 Recommendations for Secure Deployment sssssssesseeeesessrsesseeresreersersesees 8 Security After Comfiguration c c s c ccscccescscdececcececcasecccssedsesscseecsncedvecnencsessevess 8 Access to the Intel MEBX 00 ccc eceececsecseeeeesecsecaeeseeaecaeeeceeceaeeesesenenesaesenaes 9 Admin Permissions in the Intel AMT Device cccccceeceeseeeseesceseeeeeeseeeeeeaeenaes 10 Default Admin User Digest cccccccessesssesseesecseceseeseceseeeceeesesereseeseeeeaes 10 User Defined Admin User Kerberos 0 ccccceccesceesseeeeseceeeeeceeeneenseneeeaes 11 Maintenance Policies for Intel AMT cc ce cccceccseeseceecesceseceeeeeeeeeeeseeseeeaeentenaees 12 Synchronizing the Glock si c c ccsseess seesesecedeeecsescsacectaesiedesaes ead eovtesreeacectenetes 12 Synchronizing Network Settings ccccccseeseceeceeee2. characters 3 Inthe SSID field enter the Service Set Identifier up to 32 characters that identifies the specific WiFi network If left empty the device will try to connect to all WiFi networks that use Data Encryption as defined in this WiFi Setup 4 From the Key Management Protocol drop down list select one of these e WiFi Protected Access WPA Robust Security Network RSN 5 From the Encryption Algorithm drop down list select one of these e Temporal Key Integrity Protocol TKIP e Counter mode CBC MAC Protocol CCMP 6 Inthe Authentication section select one of these e Passphrase Enter a Passphrase for the WiFi setup The Passphrase must contain between 8 and 63 printable ASCII characters 802 1x Setup From the drop down list select the 802 1x setup to use in this WiFi setup Optionally you can also edit an existing 802 1x setup by clicking Edit or create a new 802 1x setup by clicking Add see Creating 802 1x Setups on page 67 7 Click OK The WiFi setup appears in the WiFi setup list Intel AMT Configuration Utility User Guide 66 Chapter 5 Defining Configuration Profiles Creating 802 1x Setups The IEEE802 1x network protocol provides an authentication mechanism to devices wishing to attach to a LAN either establishing a point to point connection or preventing it if authentication fails It is used for most wireless 802 11 access points and is based on the Extensible Authentica
3. intel AMT Configure via USB Key Define the settings you want to apply to this system and click lt Next gt MEBx Password Power Settings 4_ WY _____ _ a Current Password Sa Specify the system power states Always On 50 55 x IT Show password in which the Management Engine is ational New Password ri ME is oper Confirm Password T Network Settings Hostname myhostname Domain name fexamplecom IV DHCP Enabled IP Subnet mask Vv Display advanced settings Gateway Primary DNS Ceranderu MAIC Figure 7 Configure via USB Key Window 2 In the MEBx Password section enter the password for the Intel MEBX Current Password The Configuration Utility always puts the default password of unconfigured systems admin in this field If this is not the password in the Intel MEBX enter the correct password If you do not supply the correct password configuration will fail New Password The new password to put in the Intel MEBX For the first configuration it is mandatory to change the Intel MEBX password For reconfiguration you must also enter a value here but it can be the same as the Current Password For information about the required format see Password Format on page 4 Note The passwords are not encrypted on the USB key Make sure that you restrict access to the USB key Intel AMT Configuration Utility User G
4. cececcceccecscessessecsceeseceeaecseceaeceeceseeseeeeeeseeeeeeaeeesecaeeeaeeaeenaees 95 Required Permissions on the CA ssissisrissisisirisiriscesieisiiesisiti nseri sisesta 96 Defining Enterprise CA Templates c cccccccecscceseeseceeceseeeeceseeeeeeeeeseeneeeseeneeenees 96 Defining Common Names in the Certificate tee eeeesseeeeneeeeeeeseeeseeeerenee 101 Using Predefined Files Instead of a CA Request eccccccssessecssesteeeeeeteeseeeeees 103 CRE XML Format sic sisecsicsescsvcevescecevccvescencvacouceessvacenuecuava cease ceavecenteceatecentecestes 104 Intel AMT Configuration Utility User Guide iv Table of Contents Appendix B Troubleshooting cesceeseeeeeeeeeeeeeeeeeeeeeeeeeeeneaeeeeees 105 Configuration Utility Error Cannot Configure Intel AMT ee 106 The Configuration Utility Takes a Long Time to Start eee eeeeeeeee 106 Problems Using Configuration Utility on a Network Drive eee 107 Remote Connection to Intel AMT Fails csescceseeescerceeeeereeeeeeseeseeeees 107 Error with XML File or Missing SCS Version Tag ccccccsesceseeseeteesees 108 Reconfiguration of Dedicated IP and FQDN Settings ee eeeeeeeeeeeeeee 108 Disjointed Namespaces sscsccssesessecesceeceeseesessecaeeecaecaeeeceeesaeeesseeatenee 109 Kerberos Authentication Failure ceseseeccesceecseeseeseeseeseeeseeceaeneeneees 110 Error Kerberos User is not Permitted to Configure
5. Note Removing the WiFi Connection settings from a profile does not always disable the wireless interface of Intel AMT For more information see Disabling the Wireless Interface on page 112 amp Configuration Profile Wizard Optional Settings Network Configuration WiFi Connection Allow WiFi connection without a WiFi setup Allow WiFi connection with the following WiFi setups 4 WF setup Name 802 ix fe Add Authentication Compatibility 4 Getting Started Profile Scope Optional Settings AD Integration Access Control List Home Domains Remote Access T Enable synchronization of Intel AMT with host platform WiFi profiles Enable WiFi connection also in 51 55 operating system power states Transport Layer Security Network Configuration System Settings P Wired 802 1x Authentication Finish 802 1x Setup Name ada Advanced End Point Access Control EAC Add or edit a WiFi profile or the wired 802 1x setup to define an EAC compatible 802 ix protocol Figure 26 Network Configuration Window Intel AMT Configuration Utility User Guide 63 Chapter 5 Defining Configuration Profiles To define network setups 1 From the WiFi Connection section select one of these e Allow WiFi connection without a WiFi setup If you want to allow WiFi connection without a WiFi setup using the hosts WiFi settings You can select this opti
6. a In the Name of XML file field enter a name for this profile The profile name e Can be a maximum of 32 characters e Cannot be empty or include only whitespace characters e Must include only 7 bit ASCII characters in the range of 32 126 not including these characters s 2 C2 CS CF CG C amp C C5 CD b In the password fields enter a password that will be used to encrypt the profile For information about the required format see Password Format on page 4 Note Remember this password You will need to supply it each time you want view edit or use this profile 2 Ifthe profile includes any of these settings e Active Directory Integration e Requesting certificates from a Certification Authority these optional fields are shown Enter the credentials of a domain user to use when communicating with a CA or creating an Active Directory object This is required when running the Configurator with a user that does not have sufficient privileges to perform these operations Username eg Domain Username Password Make sure that the Configuration Utility runs under a user with permissions to communicate with the CA or create Active Directory objects On operating systems with User Account Control UAC the local administrator account does not have sufficient permissions If you supply a username and password here the Configuration Utility uses them to do these tasks 3
7. Version 8 2 Document Release Date March 7 2013 License Intel Setup and Configuration Software Intel SCS is furnished under license and may only be used or copied in accordance with the terms of that license For more information refer to the Exhibit A section of the Intel R SCS License Agreement rtf located in the Licenses folder Legal Notices and Disclaimers INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS NO LICENSE EXPRESS OR IMPLIED BY ESTOPPEL OR OTHERWISE TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT EXCEPT AS PROVIDED IN INTEL S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY RELATING TO SALE AND OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE MERCHANTABILITY OR INFRINGEMENT OF ANY PATENT COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT A Mission Critical Application is any application in which failure of the Intel Product could result directly or indirectly in personal injury or death SHOULD YOU PURCHASE OR USE INTEL S PRODUCTS FOR ANY SUCH MISSION CRITICAL APPLICATION YOU SHALL INDEMNIFY AND HOLD INTEL AND ITS SUBSIDIARIES SUBCONTRACTORS AND AFFILIATES AND THE DIRECTORS OFFICERS AND EMPLOYEES OF EACH HARMLESS AGAINST ALL CLAIMS COSTS DAMAGES AND EXPENSES AND REASONABLE ATTORNEYS FEES ARISING OUT
8. Intel AMT Configuration Utility User Guide 68 Chapter 5 Defining Configuration Profiles 5 To request the certificate from a CA do these steps a From the Certificate Authority drop down list select the Enterprise CA that the Configuration Utility will use to request a certificate that the RADIUS server can authenticate b From the Client Certificate Template drop down list select the template that will be used to create the client certificate The templates shown are templates where the Subject Name is supplied in the request and the usage is Client Authentication For information how to create a template see Defining Enterprise CA Templates on page 96 Note If the Profile Designer is located on a computer that does not have access to the CA the drop down lists will not display the CA or the templates If necessary you can manually supply the CA name in the format FQDN CA Name and the name of the template c Define the Common Names that will be included in the Subject Name of the generated certificate For more information see Defining Common Names in the Certificate on page 101 6 Optional To enable roaming select the Roaming Identity check box The user will connect to the RADIUS server with an identity of Anonymous 7 Ifa trusted root certificate is required see the table in step 3 select it from the list of trusted root certificates If it does not appear in the list click Edit List
9. e Using the Profile Designer on page 39 e Configuring Systems on page 82 2 The Intel AMT Versions in the Network The versions of Intel AMT in your network will define which configuration methods you can use see Configuration Methods and Intel AMT Versions on page 2 3 The Security Requirements The Intel AMT device gives access to the computer even when the operating system is not running This means that a virus person could use the Intel AMT device to bypass the security measures defined in the operating system and take over the computer For more information about security see Intel AMT and Security Considerations on page 4 4 The Requirements of Your Network You can configure several optional Intel AMT features using the configuration profiles But before you create a the profile refer to the Getting Started Checklist on page 18 Note The SMB Manual Configuration method does not use configuration profiles Intel AMT Configuration Utility User Guide 26 4 Using the Configuration Utility This chapter describes how to use the Configuration Utility For more information see Starting the Configuration Utility Configuring Unconfiguring Individual Systems Configuring a System SMB Manual Configuration Unconfiguring a System Using the Profile Designer Defining Manual Configuration Multiple Systems Intel AMT Configuration Utility User Guide 27 Chapter 4 Using t
10. Defining IP and FQDN Settings on page 75 FileToRun The Configurator can use these parameters to run a script after the lFileHash MaintainA MT command has completed successfully For more information S see Running Scripts with the Configurator on page 91 FileUser FilePassword Intel AMT Configuration Utility User Guide 88 Chapter 6 Using the Configurator Unconfiguring Intel AMT Systems Command Unconfigure Description Unconfigures Intel AMT features on configured Intel AMT systems There are two types of unconfiguration e Partial Removes the configuration settings from the system and disables the Intel AMT features on the system The PID PPS admin ACL settings host name and domain name are not deleted Note that if the manufacturer defined the SOL and IDE interfaces to be closed by default then a partial configuration operation will close them and they cannot be reopened without physical access to the Intel MEBX This is a known Firmware limitation Full Deletes all the Intel AMT settings from the system and disables the Intel AMT features on the system Note e Systems in Client Control mode are always unconfigured with a Full unconfiguration The default unconfiguration type for systems in Admin Control mode is Partial Syntax Note The CLI does not support passwords that start with a forward slash ACUConfig exe global options U
11. cccseseereetees 110 Error when Removing AD Integration Error in SetKerberos 111 Failed Certificate Requests via Microsoft CA cccceccesesseseeseesteeeeeeees 111 Delta Profile Fails to Configure WiFi Settings ccccceeeseeeereeseeeees 112 Disabling the Wireless Interface cccecesceesecseeseceeeeseeeeceeeeeeeeeeeeeeeneesees 112 Intel AMT Configuration Utility User Guide v 1 Introduction This guide describes how to use the Intel AMT Configuration Utility referred to in this guide as the Configuration Utility The Configuration Utility lets you configure systems to use Intel Active Management Technology Intel AMT Note The Configuration Utility is a component of Intel Setup and Configuration Software Intel SCS This guide only includes information about options available when the Configuration Utility is used on its own or with the Configurator component of Intel SCS For information about the other components and features of Intel SCS refer to the Intel R _SCS_8 2_User_Guide pdf This chapter describes Intel AMT For more information see e About the Intel AMT Environment e Configuration Methods and Intel AMT Versions e Intel AMT and Security Considerations e Admin Permissions in the Intel AMT Device e Maintenance Policies for Intel AMT e Support for KVM Redirection Intel AMT Configuration Utility User Guide 1 Chapter 1 Introduction About the Intel
12. Intel AMT Configuration Utility User Guide 76 Chapter 5 Defining Configuration Profiles 3 From the IP section select the source for the IP settings Get the IP from the DHCP server Use the same IP as the host for static IP only Get the IP from the dedicated network settings file 4 Inthe DNS section define how Intel AMT 6 0 and higher will update the Domain Name System DNS with the FQDN and IP Do not update Disables all DNS updates by the Intel AMT device Update only via DHCP option 81 The device will use the DHCP option 81 to request that the DHCP server update the DNS on its behalf On Intel AMT 6 x and 7 x systems Intel SCS only supports this option on the latest firmware versions Update the DNS directly or via DHCP option 81 Intel AMT 6 0 and higher includes the Intel AMT Dynamic DNS Update DDNS Update Client When enabled this client can periodically update the DNS with the FQDN and IP address configured in the Intel AMT device When selected the device uses option 81 to ask the DHCP for permission to update the DNS Intel AMT will send DDNS updates based on the policy configured in the DHCP server returned in the DHCP option 81 flags Note All systems that have Intel AMT 5 x or lower are always configured to update the DNS via DHCP option 81 This is the only option that those versions support 5 Click OK The Network Settings window closes Intel AMT Configuration
13. Secure communications between a configured Intel AMT system and a management console depend on the security settings you define in your network Transport Layer Security TLS is a protocol that secures and authenticates communications across a public network The Public Key Infrastructure PKI lets users of an unsecured network securely and privately exchange information using an asymmetric public and private cryptographic key pair The key pair is retrieved and shared through a trusted authority known as a Certification Authority CA The CA supplies digital certificates that can identify an individual or an organization You can use TLS PKI in your network to ensure secure communication with all versions of Intel AMT systems When the Configuration Utility Configurator configures an Intel AMT system with TLS they request a certificate for that system To do this they must have access to the Microsoft Certification Authority CA The Microsoft CA can be installed as a Standalone CA or as an Enterprise CA An Enterprise CA can be configured only in conjunction with Active Directory Note TLS PKI is not available to Intel AMT devices in SMB mode Intel AMT Configuration Utility User Guide 8 Chapter 1 Introduction Access to the Intel MEBX The Intel Management Engine BIOS Extension Intel MEBxX is a BIOS menu extension on the Intel AMT system This menu can be used to view and manually configure some of the Intel AMT
14. Select the method for creating the certificate Use certificate from a file Path to certificate Browse Path to private key Browse Note For each file you can click Browse to locate and select it or enter the path to it from the Intel AMT system However make sure that you put both files in a location that can be accessed from the Intel AMT system Two such files are required per Intel AMT system Required Format for Certificate and Key Files The files that you supply must be in the base64 format known as the PEM format The information in each file must be enclosed between a correct BEGIN header line starting with five dashes and an END footer line For certificate files For key files you must use only the PKCS 1 RSAPrivateKey format BEGIN RSA PRIVATE KEY Key in RSA PKCS 1 format END RSA PRIVATE KEY Note If necessary for your network environment you can encrypt the private key file see File Encryption on page 5 Intel AMT Configuration Utility User Guide 103 Appendix A Certification Authorities and Templates CRL XML Format If required the information from a Certificate Revocation List CRL is included inside the configuration profile The Configuration Utility does not use the original CRL file supplied by the Certification Authority The information from the CRL file must be placed in the lt CRLs gt tag The Prof
15. Templates snap in is added to the Console Root tree From the Console Root tree double click Certificate Templates The list of templates appears in the right pane Intel AMT Configuration Utility User Guide 96 Appendix A Certification Authorities and Templates Ht Console1 Console Root Certificate Templates C Console Root Gad Certificate Templates Windows 2000 Windows 2000 Windows 2000 Windows 2000 Windows 2000 Windows 2000 Windows Server 2003 Enterprise Edition Figure 35 Microsoft Management Console 5 In the right pane right click the User template and select Duplicate Template Note If the CA is installed on a server running Windows Server 2008 all x32 64 versions and R2 the Duplicate Template window opens Ensure that you select Windows Server 2003 Enterprise and click OK The Properties of New Template window opens Properties of New Template Capot User oo mj Bonot automatically reenrall ifa duplicate certificati sts In Active Directory To cw ey Figure 36 Properties of New Template Window Intel AMT Configuration Utility User Guide 97 Appendix A Certification Authorities and Templates 6 Make sure that the Publish certificate in Active Directory check box is NOT selected 7 Inthe Template display name field enter a meaningful name For example name a template used to generate 802 1x client certificates 802 1x 8 Change th
16. cccccecceeeseeesceseeesceeceseeesecseenseeeensees 48 Defining the Access Control List ACL cccceecceccesseesseeseeeeseecseceeecaeenseneeneens 49 Adding a User to the ACL cccccccesessecesceseeeeceseeeeeeeeeeeeeseeseecsecseesaeeneenseens 49 Using Access Monitorin ici aides cadciteaiteuediiicvieses daisies 52 Defining Home Domains c cccececeseesecsecesceseeeecesceeeeeeeneeeseeseecaeceecaeenseneeneees 53 Defining Remote ACCess ivescessecsveccesestesbeassstcercctatevicsccestavs a E aes 54 Defining Management Presence Servers cccesceeseeteeseceeceseeeeeeteeeeeeeeeaes 55 Defining Remote Access Policies cccceccesssesecseesseceseeseceeceeeeeseseserseeeeaes 57 Defining Trusted Root Certificates ceeceeccesceeeeeseeeecseeeeeceaeeeeeeceaseeeeseeneeas 58 Defining Transport Layer Security TLS ccececceeseeseeeseeeeseecseessecseeseeeaeentens 60 Defining Advanced Mutual Authentication Settings ceeeseecsseetereees 62 Defining Network Setups y iisaetiiiidnaiiinamnidcnsin a ei 63 Creating WiFi Setups cccccescescessessceseeesceseeesecaeesaecseceaeeeeceesesesereeerseeeenes 65 Creating 802 1 Setups isisisi eisiea aE E EEE EE EEE i 67 Defining End Point Access Control ccccccescecceseessceseeeseeseeeeeeeeeeeeeseeneeeaes 70 Defining System Setting S isinisi eren ein beware 72 Defining IP and FQDN Settings 2 0 0 ccceccecseesseseeeceneecaeceseeeeneeeeeeeneeeaes 75 Chapter 6 Using the
17. e You must NOT add the credentials of a domain user to the profile see Saving the Configuration Profile on page 45 e Some reconfiguration and maintenance tasks reset the password of the AD object If this happens you must clear the ticket of the Kerberos user before this user can do more configuration operations You can do this by restarting the Intel AMT system or logging off and on again Note When using a Kerberos user always make sure that this Kerberos user exists in the ACL of the profile you use to do reconfiguration Intel AMT Configuration Utility User Guide 11 Chapter 1 Introduction Maintenance Policies for Intel AMT After a system is configured it is recommended to maintain and periodically update the configuration settings in the Intel AMT device If you do not your management console might lose connection with the Intel AMT device For systems where this occurs the Intel AMT features will not be available from your management console Also for increased security it is recommended to periodically renew the passwords used by Intel AMT Any password that is not changed regularly causes a risk that it might be discovered by persons without approval If a password is discovered it could be used to get access to the system via the Intel AMT device It is the responsibility of the network administrator to define and schedule the necessary maintenance tasks for their network environment Maintenance
18. lt filename gt file The sample_files folder includes an application SHA256 exe that you can use to generate the hash value For example SHA256 exe MyFile bat will return the hash value of MyFile bat The hash value is marked in blue Copy the value and supply it in the lt SHA256 hash gt variable FileUser It is recommended to use this parameter to supply a user with the lt username gt minimum permissions required to run this file FilePassword Contains the password required to run the file Valid only if lt password gt FileUser was also specified This table describes the parameters and the sequence in which the Configurator sends them to the file that you specify in the FileToRun parameter Table 9 Parameters Sent by the Configurator to the Script 1 The user defined in the FileUser parameter 2 The password defined in the FilePassword parameter 3 The hostname defined in the Intel AMT device 4 The FQDN defined in the Intel AMT device 5 The UUID of the Intel AMT device 6 The Intel MEBX password of the Intel AMT device 7 The password of the default Administrator admin user in the Intel AMT device String Example fileusername fileuserpassword myhostname myhostname example com 88888888 8887 8888 8888 878888888888 mebxpassword adminpassword Parameters marked with an asterisk are sent to the script in Base64 format Intel AMT C
19. lt guid gt Power Package GUID see Power Package GUIDs on page 86 Intel AMT Configuration Utility User Guide 84 Chapter 6 Using the Configurator OutputFile lt filename gt The name of the file and the path to the location where you want to save it If this parameter is not used by default the file is created in the same folder as the Configurator The file must be named Setup bin and must be placed in the root folder of the USB key To make sure that Setup bin is the first file that the BIOS will find during reboot requirement format the USB key before creating copying the file If the Intel AMT system does not successfully reboot with the USB key you prepared try this e Make sure that the file name starts with a capital S Format the USB key using FAT16 Note The Setup bin file is NOT encrypted so make sure that you restrict access to it After configuration the Configurator deletes the data it contains This means that you must create a new file for each system you want to configure The Configurator overwrites any existing file with the same name without giving a warning UsingDhcp HostName lt host_name gt Sets the DHCP mode to enabled in the Intel MEBX Intel AMT system hostname 1 32 characters DomainName lt domain_name gt Intel AMT system domain name 0 63 characters lt subnet_mask gt LocalHostIp lt ip gt The IP address IPV4 to set i
20. window click Add The User Group Details window opens Intel AMT Configuration Utility User Guide 49 Chapter 5 Defining Configuration Profiles ax User Type Digest User Active Directory User Group User Group Name l Browse Access Type Remote X Realms C Redirection PT Administration Hardware Asset Remote Control Storage Event Manager Storage Administration Agent Presence Remote OOOUOOOOU Figure 17 User Group Details Window 2 Inthe User Type section select the required type of user Digest User Enter the username and password see Password Format on page 4 The usernames admin and administrator are not permitted these names are reserved for the default admin user The username must be unique in this profile a maximum of 16 characters and cannot contain these characters C amp lt or gt Usernames starting with are not permitted e Active Directory User Group Click Browse and select the user or group Note You cannot select the default user groups from the Active Directory Builtin folder Instead either add the required users individually or create and add a new group containing the users 3 From the Access Type drop down list specify an access type This parameter defines the locations from where the user is allowed to do an action A user might be limited to local actions or might also be able to do actio
21. you can integrate Intel AMT with your AD Intel AMT supports the Kerberos authentication method This means that Intel SCS and management consoles can authenticate with the Intel AMT device using Kerberos users The users are defined in the Intel AMT device using the Access Control List If integration is enabled during configuration Intel SCS creates an AD object for the Intel AMT device Some of the entries in this object define parameters used in Kerberos tickets Before you can integrate Intel AMT with your AD you must e Create an Organizational Unit OU in AD to store objects containing information about the Intel AMT systems In a multiple domain environment Intel recommends that you create an OU for each domain e Give Create Delete permissions in the OU you created to the user account running the Intel SCS component doing the configuration After the OU is created you must define it in the configuration profile see Defining Active Directory Integration on page 48 Intel AMT Configuration Utility User Guide 19 Chapter 2 Prerequisites 6 CA Does your network use a Certification Authority CA g For these Intel AMT features a CA is a prerequisite TLS 802 1x EAC and Remote Access If you have a CA and want to use these features this is the data that you need to collect e Which type of CA do you have Standalone or Enterprise e On which operating system is the CA installed
22. 1x protocol used in your network supports End Point Access Control EAC you can use NAC NAP authentication with a RADIUS server to authenticate the Intel AMT device If you need to define EAC this is the data that you need to collect e Which authentication method does your EAC vendor use NAC NAP or NAP NAC Hybrid e What is the highest algorithm method supported by your authentication server SHA 1 SHA 256 or SHA 384 Note that SHA 256 and SHA 384 are only supported on Intel AMT 6 0 and higher EAC is defined in the Transport Layer Security window of the configuration profile see Defining End Point Access Control on page 70 Note These are prerequisites for EAC e Integration with Active Directory item 5 in this checklist e An Enterprise Certification Authority item 6 in this checklist e 802 1x item 8 in this checklist Intel AMT Configuration Utility User Guide 21 Chapter 2 Prerequisites 10 Remote Does your network have a Management Presence Server MPS g Access The remote access feature lets Intel AMT systems versions 4 x and higher located outside an enterprise connect to management consoles inside the enterprise network The connection is established via an MPS located in the DMZ of the enterprise If you need to define Remote Access this is the data that you need to collect e What is the location FQDN or IP address and listening port of the MPS e Do you want
23. AMT Environment Intel AMT lets you remotely access computers when the operating system is not available or the computer is turned off The only requirement is that the computer must be connected to a power supply and a network The Intel AMT environment includes Intel AMT Systems Computers with an Intel AMT device The Intel AMT device contains the hardware and software that control the Intel AMT features The device includes an Intel Management Engine Intel ME and a BIOS menu called the Intel Management Engine BIOS Extension Intel MEBX The Intel ME operates independently of the Central Processing Units CPUs of the computer e Management Console A software application used to remotely manage computers in a network The management console must include an interface that can use the features of Intel AMT Configuration Methods and Intel AMT Versions There are many different versions of Intel AMT This table gives the configuration methods available for the different Intel AMT versions Table 1 Intel AMT Configuration Methods 1 Host Based Configuration 6 2 and higher 2 SMB Manual Configuration 4 0 and higher 3 One Touch Configuration PSK 2 1 and higher 4 Remote Configuration PKI 2 2 2 6 3 0 and higher Configuration methods 3 and 4 are not supported by the Configuration Utility These configuration methods use the Remote configuration Service RCS component of Intel SCS For more infor
24. Configuration Utility User Guide 12 Chapter 1 Introduction Synchronizing Network Settings After configuration the Intel AMT device contains IP and FQDN settings that management consoles use to connect to the device Changes in the network environment or the host operating system might make it necessary to change the settings in the device To do this task use the SyncNetworkSettings parameter of the MaintainAMT command Note To use the SyncNetworkSettings parameter you must use the same profile that was used the last time the device was configured If you made changes to the settings in the profile do a reconfiguration instead Re issuing Certificates Intel AMT Devices can be configured to use certificates for authentication when using TLS EAC Remote Access or 802 1x When certificates are issued by a Certification Authority they are valid for a specified time These certificates must be reissued before they expire Intel recommends that you schedule this maintenance task to run a minimum of 30 days before the certificate expiration date To do this task use the ReissueCertificates parameter of the MaintainAMT command Note To use the ReissueCertificates parameter you must use the same profile that was used the last time the device was configured If you made changes to the certificate related settings in the profile do a reconfiguration instead Replacing Active Directory Object Passwords If an Intel A
25. DNS However if the NetworkSettingsFile parameter is supplied and FQDN data is included in the file the FQDN is taken from the file NetworkSettingsFile lt file gt This parameter tells the Configurator to get the IP and or the FQDN from a dedicated network settings file For information about the required XML format see the NetworkSettings xml example file located in the sample_files folder Intel AMT Configuration Utility User Guide 90 Chapter 6 Using the Configurator Running Scripts with the Configurator The Configurator includes options that you can use to run scripts These scripts can be batch files or executables created using scripting languages Before the script starts to run the Configurator sends parameter values about the Intel AMT system to the script The script can then use these parameter values For example you could use a script to send data to your management console about each Intel AMT system after it is configured Note The parameter values are sent as a string Parameters without values are sent as empty strings Each parameter value is separated by a space Scripts run by the Configurator are only run on Intel AMT systems that support host based configuration Intel AMT 6 2 and higher The script must be put in a location that the Configurator can access from the Intel AMT system The Configurator can run a script after configuration reconfiguration and maintenance op
26. Intel AMT Configuration Utility User Guide 9 Chapter 1 Introduction Admin Permissions in the Intel AMT Device This section describes how administrator permissions are defined in the Intel AMT device Default Admin User Digest Each Intel AMT device contains a predefined administrative user named admin referred to in this guide as the default admin user Intel AMT uses the HTTP Digest authentication method to authenticate the default admin user The default admin user e Has access to all the Intel AMT features and settings on the device e Is not contained in the Access Control List with other Digest users and cannot be deleted Thus for security reasons it is important how you define the password for this user even if you do not use it The password is defined in the Network Settings section of the configuration profile see Defining System Settings on page 72 These are the methods for defining the password of the default admin user Defined Passwords This method is the easiest method to use and has no prerequisites However the password you define in the profile is set in all devices configured with this profile If the password is discovered all the devices can be accessed If you use this method define a very strong password To increase security you can also configure systems with profiles containing different passwords Random Passwords The Configuration Utility generates a different random pa
27. PEM format see Using Predefined Files Instead of a CA Request on page 103 Note You can only add a certificate from a CA if the certificate is self signed and the CA is a root CA You cannot add a certificate from a subordinate CA 4 Click OK The Path to Root Certificate window closes and the certificate shows in the Trusted Root Certificates Used In Profile window 5 Select the check box of at least one of the trusted root certificates in the list 6 Click OK The Trusted Root Certificates Used In Profile window closes Intel AMT Configuration Utility User Guide 59 Chapter 5 Defining Configuration Profiles Defining Transport Layer Security TLS The Transport Layer Security TLS window of the Configuration Profile Wizard lets you define TLS settings to apply to the Intel AMT system When TLS is enabled the Intel AMT device authenticates itself with other applications using a server certificate If mutual TLS authentication is enabled any applications that interact with the device must supply client certificates that the device uses to authenticate the applications E Configuration Profile Wizard Profile1 Optional Settings Transport Layer Security TLS System Authentication Basic Security Select the method for creating the certificate Request certificate from Microsoft CA x Certificate Authority x Enterprise CA Stand alone CA Server Certificate Template x Refre
28. Programs gt Administrative Tools gt Certification Authority From the Console Root tree select Certificate Authority gt Certificate Templates Right click in the right pane and select New gt Certificate Template to Issue The Enable Certificate Templates window opens Select the template that you just created and click OK The Enable Certificate Templates window closes and the template now appears in the right pane with the other certificate templates Restart the CA to publish the new template in the Active Directory Intel AMT Configuration Utility User Guide 100 Appendix A Certification Authorities and Templates Defining Common Names in the Certificate When defining these settings for the Intel AMT device you can define that authentication is certificate based e Remote Access Transport Layer Security e 802 1x Setups e End Point Access Control If you also select the Request certificate from CA option the Configuration Utility sends a request to the Certification Authority CA to create the certificate The certificate is created based on the certificate template that you select for each setting The Subject Name and Subject Alternative Name fields of the certificate include Common Names CNs Note Due to Microsoft limitations creation of the certificate might fail in these situations If the FQDN of the Intel AMT is longer than 64 characters e If the certificate Subject Name is longer th
29. Redirection on page 16 2 Optional When the KVM Redirection check box is selected the RFB Password for KVM sessions field is enabled This password is only necessary if your VNC client uses port 5900 see VNC Clients on page 16 If you enter a password it must be EXACTLY eight characters see Password Format on page 4 Power Management Settings 1 From the drop down list select one of these Always on S0 S5 If the system is connected to the power supply the Intel AMT manageability features are available in any of the system power states This is the recommended setting Host is on S0 The Intel AMT manageability features are available only if the operating system of the Intel AMT system is up and running You cannot select this setting if the Enable WiFi connection also in S1 S5 operating system power states check box is selected in the Network Configuration window 2 Optional If you selected Always on SO S5 you can select the ME will go into a lower power state when idle check box If the Intel AMT device supports this feature the device will go to sleep when there is no activity When a request arrives the device automatically wakes up The Time out if idle field defines the number of minutes the device must wait before it can go to sleep Intel AMT Configuration Utility User Guide 73 Chapter 5 Defining Configuration Profiles Network Settings 1 When you edit a profile for multiple s
30. Select all Clear All Figure 13 Profile Scope Window To limit the profile scope 1 Select the check boxes of all the settings that you want to configure unconfigure on the systems using this profile Settings that are not selected will not be shown in the Configuration Profile Wizard when you continue to edit the profile 2 Click Next to continue to the Optional Settings window Intel AMT Configuration Utility User Guide 46 Chapter 5 Defining Configuration Profiles Defining Profile Optional Settings The Optional Settings window of the Configuration Profile Wizard lets you select which optional settings to configure unconfigure in the Intel AMT device using this profile E Configuratio n Profile Wizard Optional Settings Select the settings that you want to configure On configured systems settings that are not selected will be removed from the system during configuration Getting Started Profile Scope I Active Directory Integration Allow the Intel AMT systems to use security features of the Active Directory Optional Settings I Access Control List ACL AD Integration Assign customized access levels to the systems based on users and groups Access Control List Home pd is Define trusted domains where the Intel AMT functionality will be available 8 T Remote Access Enable Intel AMT systems outside of the enterprise network to communicate with management consoles via a Ma
31. This is a known issue and only occurs on Intel AMT 5 x or lower when Intel AMT is disabled in the MEBX Solution Enable Intel AMT in the Intel MEBX The Configuration Utility Takes a Long Time to Start To use the Configuration Utility Microsoft NET Framework must be installed on the computer Some versions of the INET Framework include limitations that can cause the Configuration Utility to take a long time to start To prevent these problems the ACUWizard exe config file includes this setting lt runtime gt lt generatePublisherEvidence enabled false gt lt runtime gt However not all versions of NET support this setting Solution Make sure that the version of NET Framework installed on the computer supports the generatePublisherEvidence setting For example Version 2 0 service pack 1 or version 3 0 service pack 1 Intel AMT Configuration Utility User Guide 106 Appendix B Troubleshooting Problems Using Configuration Utility on a Network Drive Due to security measures built into NET Framework if you try to start the Configuration Utility on a network drive you might receive this error message Intel Active Management Technology Configuration Utility has encountered a problem and needs to close Solution Give Full Trust to the network share as shown in this example cd c WINDOWS Microsoft NET Framework v2 0 50727 CasPol exe m ag 1 2 url file N your network path FullTrust Rem
32. Wizard lets you define a list of between one and five home domains If configured these home domains are the only domains in which access to Intel AMT is permitted When Intel AMT detects that the systems is located outside these home domains remote access to Intel AMT is blocked Note Configuring a system with incorrect home domains might cause remote access to Intel AMT to be permanently blocked If this occurs it will also not be possible to remotely reconfigure Intel AMT on these systems E Configuration Profile Wizard Optional Settings Home Domains Home Domains List Getting Started Use the following list to define at least one home domain where the Intel AMT functionality will be available Profile Scope oe Optional Settings Add AD Integration Edit Access Control List Remove amp WARNING Verify that the list of home domains is complete and accurate Remote Access If this profile is applied to a platform that does not operate in a domain in this list you will not be able to configure or access Intel AMT functions on that platform Transport Layer Security Network Configuration E Allow Intel AMT functionality via VPN System Settings Finish Figure 18 Home Domains Window To define the domains 1 Click Add The Domain Properties window opens 2 Enter the DNS suffix name and click OK The Domain Properties window closes and the domain appears in the list of domains Note Make
33. any applications that interact with the device must supply client certificates that the device uses to authenticate the applications TLS is defined in the Transport Layer Security window of the configuration profile see Defining Transport Layer Security TLS on page 60 Note An Enterprise or Standalone CA is a prerequisites for TLS item 6 in this checklist Intel AMT Configuration Utility User Guide 20 Chapter 2 Prerequisites 8 802 1x Does your network use the 802 1x protocol g If your network uses the 802 1x protocol you must define 802 1x setups in the configuration profile If you do not do this you will not be able to connect to the Intel AMT device after it is configured If you need to define 802 1x setups this is the data that you need to collect e Which 802 1x protocol is used in your network e Do you want to verify the certificate subject name of the RADIUS Server You can verify using the FQDN or the domain suffix of the RADIUS server make a note of the correct value that you want to use 802 1x is defined in the Transport Layer Security window of the configuration profile see Defining End Point Access Control on page 70 Note These are prerequisites for 802 1x e Integration with Active Directory item 5 in this checklist e An Enterprise Certification Authority item 6 in this checklist 9 EAC Does your network use End point Access Control EAC If the 802
34. are NOT permitted in these passwords The Intel MEBX password e Digest user passwords including the Admin user e Remote Frame Buffer RFB password Used for KVM sessions using port 5900 see VNC Clients on page 16 Note e The underscore _ character is counted as an alphanumeric character e The RFB password must be EXACTLY 8 characters long e The Configurator CLI does not accept passwords that start with a forward slash Intel AMT Configuration Utility User Guide 4 Chapter 1 Introduction File Encryption The Configuration Utility uses XML files for the host based configuration method These files can contain passwords and other information about your network To protect this data each profile created or edited by the Configuration Utility is encrypted with a password that you supply The XML profiles are encrypted using this format e Encryption algorithm AES128 using SHA 256 on the provided password to create the key e Encryption mode CBC e Initialize Vector IV is the first 16 bytes of the Hash Some advanced options of Intel SCS use additional XML files for example the dedicated network settings file If you want to use these optional XML files it is highly recommended to encrypt them The encryption must be done using the same format used by Intel SCS This example shows how to encrypt an XML file using OpenSSL 1 Use SHA 256 on the password to create a Hash of 32 bytes For ex
35. computers that have these operating systems e Windows XP Professional x32 SP3 e Windows 7 Professional x32 x64 e Windows 7 Ultimate x64 e Windows 7 Enterprise x32 e Windows 8 PRO x32 x64 The Configuration Utility includes an option to prepare settings to use when configuring multiple systems In addition to the operating systems above you can use these options on computers that have these operating systems but you cannot configure Intel AMT e Windows Server 2008 x32 64 SP2 e Windows Server 2008 R2 e Windows Server 2003 x32 x64 SP2 Note The Configuration Utility also requires Microsoft NET Framework version 2 0 SP1 or higher installed on the computer The Configuration Utility can run on operating systems installed with these languages Czech Danish Dutch English Finnish French German Greek Hungarian Italian Japanese Korean Norwegian Polish Portuguese Portuguese Brazilian Russian Simplified Chinese Spanish Swedish Traditional Chinese Turkish The Configuration Utility does not support Non Latin or Extended Latin characters in filenames or values in the XML files e A minimum screen resolution of 1024 x 768 is necessary to use the Configuration Utility The 800 x 600 screen resolution is not supported Intel AMT Configuration Utility User Guide 23 Chapter 2 Prerequisites Support for a Workgroup Environment You can configure and use most Intel AMT settings on systems
36. defined in the Intel AMT device To define the RFB password see Defining System Settings on page 72 e Port 5900 must be open on the Intel AMT device The Configuration Utility does not open this port Note The VNC Client must use version 3 8 or 4 0 of the Remote Frame Buffer RFB protocol Intel AMT Configuration Utility User Guide 16 2 Prerequisites This chapter describes the prerequisites for using the Configuration Utility to configure Intel AMT For more information see e Getting Started Checklist Supported Intel AMT Versions e Supported Operating Systems Support for a Workgroup Environment e Required User Permissions Intel AMT Configuration Utility User Guide 17 Chapter 2 Prerequisites Getting Started Checklist Before you can use Intel SCS to configure Intel AMT you will need to collect some data about your network and make some decisions In many organizations responsibilities and knowledge about the network is located in several departments You can print out this checklist and use it as a reference as you collect the necessary data 1 FQDN How is Domain Name System DNS resolution done in your network On an Intel AMT system the host platform and the Intel AMT device both have a Fully Qualified Domain Name FQDN These FQDNs are usually the same but they can be different Intel SCS configures the FQDN of the Intel AMT device This is one of the most importa
37. failures can be related to e Configuration Reconfiguration e Authentication using Kerberos users in the Access Control List ACL e Authentication using Transport Layer Security TLS Solution If integration with Active Directory AD is enabled during configuration the Configuration Utility creates an AD object for the Intel AMT device Some of the entries in this object define parameters used in Kerberos tickets For example the DNS Host Name and the Service Principal Names SPNs If these entries in the AD object are configured using the correct DNS name problems with disjointed namepsaces can be avoided For example Object 2 in this diagram was created by Configuration Utility using an FQDN in the Intel AMT device System1 DDC com that matches the DNS name Intel AMT system Domain Name System Host Operating System lb a AD Name D3 com e DNS Name DDC com Intel AMT Device 10 0 0 7 System1 DDC com FQDN System1 DDC com IP 10 0 0 7 a Figure 41 Disjointed Namespace and Configuration Utility To implement this solution 1 Check in the DNS to find the correct name that can be resolved using DNS resolution This name needs to be inserted into the FQDN of the Intel AMT device 2 Use the Configuration Utility to configure reconfigure the Intel AMT device with the required FQDN The Configuration Utility includes several options for the source it can use when inserting the FQDN into the Intel A
38. has permissions to connect to the AD CA Method 2 Prepare the necessary data in files 1 In the Profile Designer create a profile with the settings that you want to configure 2 To define Active Directory Integration select the Path to file containing ADOU information option see Defining Active Directory Integration on page 48 3 For each setting with which you want to use certificate based authentication select the Use certificate from a file option see Using Predefined Files Instead of a CA Request on page 103 Intel AMT Configuration Utility User Guide 24 Chapter 2 Prerequisites Required User Permissions The permissions required by the user account running the Configuration Utility or the Configurator depend on the state of the Intel AMT device Unconfigured Systems The local user account running the Configuration Utility must have administrator permissions in the operating system On operating systems with User Account Control UAC the Configuration Utility must be Run as administrator If the Configuration Utility will be required to request certificates from a Certification Authority CA or create Active Directory AD objects the user account must have sufficient permissions to do these tasks If the user account does not have the required permissions you must add the credentials of a domain user with these privileges to the profile see Saving the Configuration Profile
39. have mobile and desktop systems you must prepare a different USB key for each type This is because mobile and desktop systems have different power settings Select the type of system that this USB key will configure e Mobile Systems Desktop Systems 5 Select the versions of Intel AMT that this USB key will configure All systems are Intel AMT 6 0 and higher If selected you can use this USB key to configure systems that have Intel AMT 6 x and 7 x All systems are Intel AMT 7 0 and higher If selected you can use this USB key to configure only systems that have Intel AMT 7 x The data in the USB key is scrambled so it cannot easily be read Note Make sure that you keep this USB key in a secure location The data in the USB key is NOT encrypted even if it is scrambled 6 In the Configuration Settings section enter the password for the Intel MEBX Old MEBx Password The Configuration Utility always puts the default password of unconfigured systems admin in this field If this is not the password currently defined in the Intel MEBX enter the correct password If you do not supply the correct password configuration will fail New MEBx Password The new password to put in the Intel MEBX For the first configuration it is mandatory to change the Intel MEBX password For reconfiguration you must also enter a value here but it can be the same as the Current Password For information ab
40. interfaces where Fast Call for Help will be enabled OS interface BIOS Interface OS and BIOS interfaces Note e You cannot make changes to this setting if a Fast Call For Help trigger was defined in a Remote Access policy The setting in the policy will be used for remote and local connection requests e To enable the Fast Call for Help feature from outside the enterprise network see Defining Remote Access on page 54 Intel AMT Configuration Utility User Guide 74 Chapter 5 Defining Configuration Profiles 4 When you edit a profile for multiple systems this additional field is shown in the Network Settings section Edit IP and FQDN settings Set Optional Click Set to define the source that the Configuration Utility will use to define the IP and FQDN of the Intel AMT device This step is only required if you need to change the default settings see Defining IP and FQDN Settings on page 75 Note The default network settings that Configuration Utility puts in the device will operate correctly for most network environments Defining IP and FQDN Settings Each Intel AMT device can have its own IP and FQDN settings The IP and FQDN settings are usually the same as those defined in the host operating system but they can be different The Configuration Utility puts these settings into the Intel AMT device oxi FQDN Specify the source of the FQDN that will be set in the Intel AMT devi
41. must not contain lt gt characters 3 From the Protocol drop down list select the required protocol The options in the Authentication section are enabled disabled according to the protocol selected as described in this table Table 6 Authentication Options Per Protocol EAP TLS Required Required Not available EAP TTLS Optional Required Optional MS CHAP v2 EAP PEAP Optional Required Optional MS CHAP v2 EAP GTC Not available Not available Not available EAP FAST Optional Required Optional MS CHAP v2 EAP FAST GTC Optional Required Optional EAP FAST TLS Required Required Optional 4 From the Select the method for creating the certificate drop down list select the source for the certificate that will be installed in the Intel AMT device e Request certificate from Microsoft CA To use this option the Configuration Utility must have access to the CA during configuration Continue from step 5 Use certificate from a file For information about this method and the necessary file format see Using Predefined Files Instead of a CA Request on page 103 If you select this option define the file locations and continue from step 6 Do not use a certificate Instead of using a certificate authentication is done with a username and password This option is shown only if client certificates are optional for the Protocol selected in step 3 Continue from step 6
42. on external files run by the Configurator This is the default behavior of the Configurator but it can be changed per command see CLI Global Options on page 80 When running CLI commands remotely or in a deployment package it is not recommended to change this default The digital signature is authenticated against a trusted root certificate supplied by the Equifax Secure Certificate Authority The certificate is located in the user trusted root certificate store of the operating system on the Intel AMT system The certificate is automatically included in the operating systems supported by the Intel SCS components Note e In some environments authentication of the digital signature can increase the configuration time by up to two minutes The Configuration Utility does not authenticate the signature of the ACU dll Intel AMT Configuration Utility User Guide 6 Chapter 1 Introduction Control Modes After configuration all Intel AMT devices are put in one of these control modes e Client Control Mode This mode was added to Intel AMT 6 2 and higher devices Intel AMT devices in this mode have these security related limitations The System Defense feature is not available User consent is required for all redirection operations and changes to the boot process Permission from the Auditor user if defined is not required to unconfigure Intel AMT To make sure that untrusted users cannot get control of t
43. settings The menu is only displayed if you press a special key combination when the computer is rebooting usually lt Ctrl P gt Access to the Intel MEBX is controlled by a password referred to in this document as the Intel MEBX password Entry to the Intel MEBX menu for the first time requires a new password to replace the default password usually admin When an Intel AMT system is configured by the RCS or using a USB key it is put in the Admin Control mode In Admin Control mode if the default password is detected during configuration it is replaced with a password that you define This new password is defined in the configuration profile or when creating the USB key When a system is configured using the host based configuration method it is put in the Client Control mode Client Control mode does not support changing the Intel MEBX password This means that systems configured in Client Control mode will remain with the default Intel MEBX password if it is not changed manually If you use the Unified Configuration process you can define the control mode for Intel AMT systems that support host based configuration For these systems the RCS will only replace the default Intel MEBX password if you select this check box when exporting the profile Put locally configured devices in Admin Control mode Note For information about the RCS and the Unified Configuration process refer to the Intel R _SCS_8 2_User_Guide pdf
44. tasks are done using the Configurator CLI For more information about the Configurator see Using the Configurator on page 78 Note The maintenance tasks described in this section are not applicable to systems configured using the SMB Manual Configuration method For more information about the main maintenance tasks see e Synchronizing the Clock on page 12 e Synchronizing Network Settings on page 13 e Re issuing Certificates on page 13 e Replacing Active Directory Object Passwords on page 13 e Changing the ADOU Location on page 14 e Changing the Default Admin User Password on page 14 e Automating the Maintenance Tasks on page 14 Synchronizing the Clock The Intel AMT device contains a clock that operates independently from the clock in the host operating system For devices configured to use Kerberos authentication it is important to synchronize the device clock with the clock of a computer in the network The clock of the computer must also be synchronized with the Key Distribution Center This is not done by Intel SCS When the clock is not synchronized Kerberos authentication with the device might fail For Kerberos enabled devices Intel recommends to synchronize the clock at two week intervals To do this task use the SyncAMTTime parameter of the MaintainAMT command This parameter synchronizes the device clock with the clock of the host operating system Intel AMT
45. this default name and location by supplying the lt filename gt parameter Example SCSDiscovery exe SystemDiscovery C MyXMLFile xml This example creates an XML file named MyXMLFile in the root of C In addition a log file is created see Configurator Log Files on page 80 NoFile Do not save data in an XML file If you use this parameter do not use the lt filename gt parameter NoRegistry AdminPassword lt password gt Do not save data in the registry of the system The current password of the default Digest admin user defined in the Intel AMT device The SystemDiscovery command gets some of the data about Intel AMT using the WS Man interface To use this interface administrator permissions in Intel AMT are necessary Without administrator permissions this data cannot be retrieved and a warning message will be recorded in the log This parameter is NOT necessary if one of these are true e The device is in an unconfigured state The user account running the Configurator is a Kerberos account that is configured in the Intel AMT device with administrator permissions Configuring Systems Command ConfigAMT Description Configures the Intel AMT system with settings in a configuration profile XML file Configured systems are reconfigured Syntax ACUConfig exe global options ConfigAMT lt filename gt DecryptionPassword lt password gt AbortOnFailure Note The CLI d
46. to define the location of the trusted root certificate see Defining Trusted Root Certificates on page 58 This certificate will be used in the 802 1x setup to authenticate with a RADIUS server 8 From the RADIUS Server Verification section select one of these Do not verify RADIUS server certificate subject name e Verify server s FQDN Enter the FQDN of the RADIUS server e Verify server s domain suffix Enter the domain name suffix of the RADIUS server 9 Click OK The 802 1x Setup window closes and the 802 1x setup is saved Intel AMT Configuration Utility User Guide 69 Chapter 5 Defining Configuration Profiles Defining End Point Access Control If the 802 1x profile s protocol supports End Point Access Control EAC you can use NAC NAP authentication along with the RADIUS server to authenticate the Intel AMT device Note EAC requires integration with Active Directory see Defining Active Directory Integration on page 48 and an Enterprise root CA To define EAC 1 From the Network Configuration window click Configure EAC The Configure End Point Access Control window opens E Configure End Point Access Control Specify End Point Access Control EAC service provider details below EAC vendor NAC NAP or NAP NAC Hybrid Both NAC and NAP Highest hash algorithm supported by authentication server x Select the method for creating the certificate Request certificate f
47. to run this command on the Intel AMT system to immediately update the IP address ipconfig renew After the IP address is correctly defined in the Intel AMT device all remote connections should work without any problems Intel AMT Configuration Utility User Guide 107 Appendix B Troubleshooting Error with XML File or Missing SCSVersion Tag Errors 37 or 38 are returned by the Configurator if problems exist with the configuration profile XML file These errors usually occur when the Configurator cannot find the file or read the data that it contains Solutions Inthe command line make sure that you supplied the correct name for the XML file For example if the filename contains spaces you must supply the filename in quotes like this My Profile e Make sure that the profile is a valid profile Profiles created using Intel SCS 7 0 are NOT supported These profiles do not have the mandatory lt SCSVersion gt tag Even if you add the missing lt SCSVersion gt tag the profile is still invalid because it contains tags and values not supported by Intel SCS 8 2 Profiles created using Intel SCS 7 1 include this tag and are valid for use by Intel SCS 8 2 Note Try and open the profile using the Intel AMT Configurator Utility supplied in Intel SCS 8 2 To do this select Create Settings to Configure Multiple Systems and browse to the folder containing the profile If the profile is not shown in the list of profiles it
48. to use certificate based authentication or password based authentication Remote Access is defined in the Remote Access window of the configuration profile see Defining Remote Access on page 54 Note A Home Domain is a prerequisite for Remote Access item 3 in this checklist Supported Intel AMT Versions You can use the Configuration Utility to configure Intel AMT on systems that have Intel AMT 4 0 and higher Each system that you want to configure using the Configuration Utility must have these drivers and services installed and running in the operating system Intel MEI The Intel Management Engine Interface Intel MEI driver also known as HECTI is the software interface to the Intel AMT device This driver is usually located under System devices e LMS The Local Manageability Service LMS exe enables local applications to send requests and receive responses to and from the device The LMS listens for and intercepts requests directed to the Intel AMT local host and routes them to the device via the Intel MEI The Intel MEI and the LMS are usually installed by the manufacturer If they are missing or you need to reinstall them contact the manufacturer of your system to get the correct versions for your system Intel AMT Configuration Utility User Guide 22 Chapter 2 Prerequisites Supported Operating Systems You can use the Configuration Utility to configure Intel AMT on
49. with the security infrastructure of your network s Active Directory AD This integration includes the ability to e Use Domain user accounts for Kerberos authentication with the Intel AMT device e Use the 802 1x protocol for wired and wireless access e Use End Point Access Control EAC E Configuration Profile Wizard i Optional Settings Active Directory Integration Active Directory Integration Getting Started Active Directory OU Profile Scope Optional Settings Path to file containing ADOU information AD Integration Access Control List Home Domains Remote Access Transport Layer Security Network Configuration System Settings Finish Figure 15 Active Directory Integration Window You can define integration with the Active Directory by selecting one of these e Active Directory OU Click and select the Active Directory Organizational Unit ADOU where the object will be stored in AD During configuration Intel SCS sends a request to the AD to create a Computer object representing the Intel AMT device The object is added to the ADOU you defined in this field Path to file containing ADOU information This is an advanced option not necessary in most network environments and requires knowledge about creating AD objects Before you can use this option you must manually create an object for the Intel AMT device For more information refer to the ADObjectFile xml example in the sampl
50. 802 1x certificates the RenewADPassword task is automatically done as well RenewADPassword Change the password of the Active Directory object representing the Intel AMT system RenewAdminPassword Changes the password of the default Digest admin user in the Intel AMT device according to the password setting defined in the profile AutoMaintain Automatically does only the maintenance tasks listed here that are necessary for this Intel AMT system For more information see Automating the Maintenance Tasks on page 14 DecryptionPassword lt password gt Mandatory if any of the files that the Configurator will use are encrypted see File Encryption on page 5 Intel AMT Configuration Utility User Guide 87 Chapter 6 Using the Configurator AdminPassword The current password of the default Digest admin user defined in the lt password gt Intel AMT device This parameter is NOT necessary if one of these are true The XML profile contains the Digest admin password The user account running the Configurator is a Kerberos account that is configured in the Intel AMT device with administrator permissions NetworkSettingsFile The path to a file that contains the network settings FQDN and or IP to put lt file gt in the Intel AMT device Only use this parameter if you defined the source for at least one of these settings as a dedicated network settings file For more information see
51. Click Finish Intel AMT Configuration Utility User Guide 45 Chapter 5 Defining Configuration Profiles Defining the Profile Scope The Profile Scope window of the Configuration Profile Wizard lets you limit the settings that will be configured on systems when using this profile Note The Profile Scope window is only shown in delta configuration profiles Only settings defined in the Profile Scope window will be changed on the systems during configuration All other settings will stay in their current condition on the systems Thus you can use this profile e To configure systems without making changes to Intel AMT settings configured using third party applications To make changes to specific Intel AMT settings on configured systems E Configuration Profile Wizard Profile Scope Select the settings you want to manage using this profile Settings that are not Getting Started selected here will not be changed on the systems during configuration System Settings Optional Settings Vv Management Interfaces AD Integration V KVM Redirection Access Control List OM Power Management Home Domains Remote Access Optional Settings Transport Layer Security OM Active Directory Integration Network Configuration ov Access Control List ACL re OM Home Domains gigas OM Remote Access and Fast Call for Help OM Transport Layer Security TLS OM wiFi Connection BM wired 802 1x Authentication BM End Point Access Control EAC
52. Click Yes The Configuration Utility creates a configuration file Setup bin on the USB key When complete the USB Key Ready window opens with information about the success or failure of the process 9 Click Finish The Configuration Utility closes 10 Make sure that only the USB key that you selected in step 6 is connected to the system and reboot the system During the reboot a message is shown on the screen Found U inue 11 Type Y and press lt Enter gt The settings are put in the device and a new message is shown on the screen 12 Remove the USB key from the system and press a key to continue the reboot The system is now configured with Intel AMT and can be accessed by management consoles Note After configuration the data in the Setup bin file on the USB key is deleted but the file is not deleted Thus you must do all the steps of this procedure for each system that you want to configure using a USB key Intel AMT Configuration Utility User Guide 37 Chapter 4 Using the Configuration Utility Unconfiguring a System This procedure describes how to use the Configuration Utility to unconfigure Intel AMT on a system Note If the system was configured with Active Directory integration the Configuration Utility does not delete the object representing the system Delete the object manually To unconfigure a system 1 From the Configuration Options window select Unconfigure The U
53. Common Names DNS Host Name FODN Host Name SAM Account Name UUID User Principal Name Distinguished Name Service Principal Name Select the CN that will be used in the Subject Name Figure 40 Advanced Common Name Window 3 From the Available Common Names list select the required CNs and click to add them to the Selected Common Names list All the selected CNs will be put in the Subject Alternative Name field of the certificate 4 From the drop down list select a CN from the list of Selected Common Names This CN will be put in the Subject Name field of the certificate in addition to the Subject Alternative Name field 5 Click OK The Advanced Common Name window closes Intel AMT Configuration Utility User Guide 102 Appendix A Certification Authorities and Templates Using Predefined Files Instead of a CA Request Usually during configuration of Intel AMT features defined to use certificate based authentication the Configuration Utility requests the certificate from a CA To do this the Configuration Utility must have access to the CA during configuration However in some network environments the CA cannot be accessed from all computers The host based configuration method supplies a solution to this problem When defining certificate based authentication you can now use predefined certificates and private key files used for the encryption To do this select the Use certificate from a file option
54. Configurator cceecceceseeenneeeeeeeeereeeeeeeeeeeeneees 78 Abotit the Configurator eE EEEE dicate rE 79 CE SYMA E EEE E AR E AE RN 79 Configurator Log Piles csccisexssasecevesschiesvssts E Er EEEE 80 CLI Global Options s sssssssssenessensreessseessststrrtsreressrssssrerssresenrtstntestnrestesestrststessee 80 Verifying the Status of an Intel AMT System ssssessssesesessesssseeresrrrssrersrsseerssen 81 Discovering SySstems ccccccceccsescessesseeeescecsececeeecnecaeeeeseseseseseeaeeeseceesaeeneeaees 81 Configuring System Seerne fades tseisce EESE AETERNE ENEE 82 Configuring a System Using a USB Key cccccesesseesscesceeeceseeeeseeeeeeeseesseenneeaees 84 Power Package GUID Sirera tintin ete ee 86 Maintaining Configured Systems cccccceccesseescesceeseeeceeeeeseeseecseceecaeenseeaeeneens 87 Unconfiguring Intel AMT Systems 0 ccccecccescesccesceeeeeeceseeseceseeeseceesaeeeenaees 89 Running Scripts with the Configurator cecccescesceeseeseeeseeeeseecsecesecseeseeeaeeneees 91 What if a Failure OCCUIS 00 0 ssesseeecseccnsesensessnenenveronensenevonsnsenenonseneneas 93 Script Runtime and Timeout ccececcccseesecsecsceeseceecesecereeeeeeesseeeseesseeseeeaees 93 Parameters Sent in Base64 Format ceccescecsecscesseceseeeceeeeeceeeeeeeeeneeeeeaes 93 Appendix A Certification Authorities and Templates scce 94 Standalone or Enterprise CA iccirco i ia 94 Request Handling
55. MB Mode Intel AMT 4 x and 5 x devices are put in this mode Advanced optional Intel AMT features are not available to devices in this mode e Manual Mode Intel AMT 6 x and higher devices are put in this mode All Intel AMT features are available to devices in this mode if a third party application can configure them You can use the Configuration Utility to create the Setup bin file For more information see e SMB Manual Configuration on page 35 e Defining Manual Configuration Multiple Systems on page 40 Alternatively you can use the ConfigViaUSB command of the Configurator see Configuring a System Using a USB Key on page 84 Note This method is not available for systems with Intel AMT 2 x and 3 x because they cannot read the Setup bin file Intel AMT Configuration Utility User Guide 3 Chapter 1 Introduction Intel AMT and Security Considerations This section includes these security related topics e Password Format e File Encryption e Digital Signing of Files e Control Modes e User Consent e Recommendations for Secure Deployment e Security After Configuration e Access to the Intel MEBX Password Format Most passwords you define must be between 8 32 characters with a minimum of one of each of these A number e Anon alphanumeric character e A lowercase Latin letter e An uppercase Latin letter Note The colon comma and double quote characters
56. ML Format Standalone or Enterprise CA If you require a Certification Authority in your network and which type you require depends on the Intel AMT features you want to implement These features require a Standalone root CA or an Enterprise root CA Transport Layer Security including mutual authentication e Remote Access with password based authentication These features require an Enterprise root CA e Remote Access with certificate based authentication e 802 1x setups Wired or WiFi e EAC settings Intel AMT Configuration Utility User Guide 94 Appendix A Certification Authorities and Templates Request Handling Certification Authorities include settings that define how they handle certificate requests Configuration Utility does not support pending certificate requests If during configuration the CA puts the certificate into the Pending Requests state the Configuration Utility returns an error 35 Thus you must make sure that the CA and the templates used by the Configuration Utility are not defined to put certificate requests into a pending state For Enterprise and Standalone CAs request handling is defined in the Request Handling tab right click the CA and select Properties gt Policy Module gt Properties Make sure that the correct option is selected shown in yellow in this figure fe Certification Authority File Action View Help e SAB m gt m Certification Authority N
57. MT device see Defining IP and FQDN Settings on page 75 Intel AMT Configuration Utility User Guide 109 Appendix B Troubleshooting Kerberos Authentication Failure If integration with Active Directory AD is enabled during configuration the Configuration Utility creates an AD object for the Intel AMT device The values of the Service Principal Name SPN attribute in this object are used in Kerberos tickets during AD authentication If the AD forest contains more than one object representing the same Intel AMT device the Kerberos authentication will fail This is because identical SPN values exist for different objects The AD does not know which SPN to use and thus returns an error Multiple objects can be created during reconfiguration when you change the AD Organizational Unit ADOU defined in the profile see Defining Active Directory Integration on page 48 Solution Make sure that the AD forest contains only one AD object for each Intel AMT device If not 1 Manually delete the object from the old ADOU 2 Wait approximately 15 minutes or manually purge the Kerberos tickets You can use the Klist exe application to purge the tickets Error Kerberos User is not Permitted to Configure Usually this error will occur if all these conditions are true The requested operation will change the FQDN setting in the Intel AMT device or the Intel AMT Active Directory object e The requested op
58. MT device is configured to use Active Directory AD Integration an object is created in the AD Organizational Unit specified in the profile The object contains a password that is set automatically not user defined If the ADOU has a maximum password age password policy defined in AD the password must be replaced before it expires Intel recommends that you schedule this maintenance task to start a minimum of 10 days before the password is set to expire To do this task use the RenewADPassword parameter of the MaintainAMT command Note To use the RenewADPassword parameter you must use the same profile that was used the last time the device was configured If you made changes to the AD related settings in the profile do a reconfiguration instead Intel AMT Configuration Utility User Guide 13 Chapter 1 Introduction Changing the ADOU Location If you change the location of the ADOU containing the objects representing the Intel AMT devices you must reconfigure the systems This makes sure that all settings that use the object are reconfigured to use the new object To change the ADOU location 1 Define the new ADOU in the configuration profile see Defining Active Directory Integration on page 48 2 Use the ConfigAMT command of the Configurator CLI see Configuring Systems on page 82 Note Make sure that you include the ADOU flag with the path to the old ADOU so that the Configurator can del
59. OF DIRECTLY OR INDIRECTLY ANY CLAIM OF PRODUCT LIABILITY PERSONAL INJURY OR DEATH ARISING IN ANY WAY OUT OF SUCH MISSION CRITICAL APPLICATION WHETHER OR NOT INTEL OR ITS SUBCONTRACTOR WAS NEGLIGENT IN THE DESIGN MANUFACTURE OR WARNING OF THE INTEL PRODUCT OR ANY OF ITS PARTS Intel may make changes to specifications and product descriptions at any time without notice Designers must not rely on the absence or characteristics of any features or instructions marked reserved or undefined Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them The information here is subject to change without notice Do not finalize a design with this information The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications Current characterized errata are available on request Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order Copies of documents which have an order number and are referenced in this document or other Intel literature may be obtained by calling 1 800 548 4725 or go to http Avww intel com design literature htm Intel Active Management Technology Intel AMT requires activation and a system with a corporate network connection an Intel AMT enab
60. T Profile Designer Z7 Profies Folder B 0020 B Profile Details Profile2 Network Settings FQDN will be the same as the Primary DNS FQDN IP will be taken from DHCP Figure 10 Profile Designer Window This table describes the options available from the Profile Designer Table 4 Profile Designer Options Define the folder where the profiles are located Create a new profile see Creating Editing Configuration Profiles on page 43 Duplicate the profile selected in the left pane Delete the profile s selected in the left pane Edit the profile selected in the left pane Close the Profile Designer and go back to the Welcome window I BB elle Create a USB key for manual configuration see Defining Manual Configuration Multiple Systems on page 40 SO j 4 Intel AMT Configuration Utility User Guide 39 Chapter 4 Using the Configuration Utility Defining Manual Configuration Multiple Systems You can prepare a USB key with identical configuration settings to use with multiple Intel AMT systems When the systems are rebooted with the USB key Intel AMT is configured on them Note e This option is available only for systems with Intel AMT 6 0 and higher For other Intel AMT systems you must prepare a new USB key for each system see SMB Manual Configuration on page 35 The Configuration Utility does not restrict the size of USB key you ca
61. Utility User Guide TT 6 Using the Configurator This chapter describes how to use the Configurator For more information see About the Configurator CLI Syntax Configurator Log Files CLI Global Options Verifying the Status of an Intel AMT System Discovering Systems Configuring Systems Configuring a System Using a USB Key Maintaining Configured Systems Unconfiguring Intel AMT Systems Running Scripts with the Configurator Intel AMT Configuration Utility User Guide 78 Chapter 6 Using the Configurator About the Configurator The Command Line Interface CLI of the Configurator component lets you automatically do tasks on multiple Intel AMT systems The Configurator can be run locally on the Intel AMT system using a script or a batch file The Configurator A CUConfig exe is located in the Configurator folder Note The Configurator folder also contains dll files that are necessary for the Configurator to operate CLI Syntax The Configurator CLI is not case sensitive To view a list of the available CLI commands type ACUConfig with no parameters and press lt Enter gt Note This guide only includes commands related to the configuration methods that are supported by the Configuration Utility The syntax and descriptions of the commands in this guide include only the parameters that are supported by the Configuration Utility For information about the full list of commands and parameters su
62. XML file named Profile xml and is located in the same folder as the Configuration Utility If Profile xml does not exist it is created with default settings Optionally you can edit the settings in the profile before starting the configuration If you make changes they are saved in Profile xml and will be available for the next systems you configure You can use the same profile for all systems in your network or edit the settings for each system E Intel R AMT Configuration Utility intel AMT Configure via Windows To configure this system enter the Admin Password and click lt Next gt Admin Password Configuration Details Current password ef pi New password mandatory e Confirm password FQDN will be the same as the Primary DNS FQDN TP will be taken from DHCP Network Configuration WiFi Enable synchronization of Intel AMT with host platform WiFi profiles System Settings Enabled Management Interfaces Web UI Serial Over LAN IDE Redirection KVM Eeoae Figure 3 Configure via Windows Window Intel AMT Configuration Utility User Guide 30 Chapter 4 Using the Configuration Utility To configure an Intel AMT system 1 From the Configuration Options window select Configure via Windows The Configure via Windows window opens 2 Inthe Admin Password section enter the password for the default Administrator user in the Intel AMT device Current password This field is enabled only
63. additional settings are required they must be performed by a third party application This command puts the Intel AMT device in the Admin Control mode see Control Modes on page 7 e You can use this option to define certain KVM parameters not available in Client Control Syntax Note The CLI does not support passwords that start with a forward slash ACUConfig exe global options Config ViaUSB NewMEBxPass lt password gt CurrentMEBxPass lt password gt OutputFile lt filename gt PowerPackage lt guid gt UsingDhcp HostName lt host_name gt DomainName lt domain_name gt LocalHostIp lt ip gt SubnetMaskIp lt subnet_mask gt GatewayAddrlIp lt ip gt DnsAddrIp lt ip gt SecondaryDnsAddrIp lt ip gt Enablek VM lt false true gt EnableUserConsent lt none kvm_only all_redirection gt EnableRemoteITConsent lt false true gt Parameters global options See CLI Global Options on page 80 NewMEBxPass The new password to put in the Intel MEBX see Password Format on lt password gt page 4 This parameter is mandatory even if the Intel MEBX password has already been changed from the default of admin CurrentMEBxPass The current Intel MEBX password The default password of lt password gt unconfigured systems is admin This parameter is not required for systems that have the default password PowerPackage
64. al Unit ADOU containing the AD object of configured systems If this parameter is supplied the Configurator will delete the existing AD object representing the system A new AD object is created in the ADOU defined in the configuration profile NetworkSettingsFile The path to a file that contains the network settings FQDN and or IP to lt file gt put in the Intel AMT device Only use this parameter if you defined the source for at least one of these settings as a dedicated network settings file For more information see Defining IP and FQDN Settings on page 75 FileToRun The Configurator can use these parameters to run a script after the lFileHash ConfigAMT command has completed successfully For more information see Running Scripts with the Configurator on page 91 FileUser FilePassword Intel AMT Configuration Utility User Guide 83 Chapter 6 Using the Configurator Configuring a System Using a USB Key Command ConfigViaUSB Description Creates a file containing configuration settings When the Intel AMT system is rebooted with a USB key containing this file Intel AMT is configured on the system For more information see SMB Manual Configuration on page 3 The Configurator does not restrict the size of USB key you can use But the computer BIOS must fully support the selected USB key and be able to do a reboot from it Note The settings you can define are limited If
65. ame Revoked Certificates n CiPending Requests Certificate Managers Restrictions Auditing Recovery Agents Securty Failed Requests General Policy Module Ext Module Extensions Storage Certificate Templates p Description of active policy module Properties xl The Windows default policy module controls how this CA should handle certificate requests by default Do the following when a certificate request is received Set the certificate request status to pending The administrator must explicitly issue the certificate Figure 33 Request Handling Tab For Enterprise CAs you must also make sure that the templates used by the Configuration Utility are not defined to require approval Make sure that CA certificate manager approval check box is NOT selected shown in yellow in this figure RemoteTemplate Properties Generel Request Handling SubjectName Issuance Requirements Superseded Templates Extensions Securty Require the following for enrollment J This number of authorized signatures p if you require more than one signature autoenrollment is not allowed Policy type required in signature Figure 34 Issuance Requirements Tab Intel AMT Configuration Utility User Guide 95 Appendix A Certification Authorities and Templates Required Permissions on the CA These permissions are required on the CA by the user account running the Configuration Utility e Iss
66. ample echo set p lt password gt openssl exe dgst sha256 hex Note The password that you supply in this step must be the same password that was used to encrypt the exported profile 2 Use AES128 with the encryption mode of CBC to encrypt the file where e The key is the first 16 bytes of the Hash e Initialize Vector IV is the second 16 bytes of the Hash e Salt None For example openssl aes 128 cbe e in lt file to encrypt gt out lt output file gt K lt first 16 bytes of the Hash gt iv lt last 16 bytes of the Hash gt nosalt Note OpenSSLparameters are case sensitive Make sure that you use the parameters exactly as they are shown in this example Intel AMT Configuration Utility User Guide 5 Chapter 1 Introduction Digital Signing of Files The executable and DLL files of the Intel SCS components are digitally signed by Intel and include a time stamp This does not include third party files such as xerces c_2 8 dll Using digital signatures increases security because it gives an indication that the file is genuine and has not been changed The ACU dil is a library used by the Intel SCS components to do configuration tasks on Intel AMT devices When running a command from the Configurator CLI the Configurator tries to authenticate the signature of the ACU dil If authentication fails the task is not permitted and the Configurator returns an error message This authentication is also done
67. an 256 characters e If the CN in the Subject Name field is Distinguished Name and the Distinguished Name is longer than 256 characters You can use these options in the profile to define the CNs for each setting Common Names CNs in certificate DefaultCNs User defined CNs Figure 39 Common Name Options Default CNs When you select Default CNs the generated certificate will include these CNs Inthe Subject Name field DNS Host Name FQDN e Inthe Subject Alternative Name field e DNS Host Name FQDN e Host Name e SAM Account Name Active Directory account name for the Intel AMT object e User Principal Name e UUID of the Intel AMT system Intel AMT Configuration Utility User Guide 101 Appendix A Certification Authorities and Templates User defined CNs This option lets you control which CNs will be included in the generated certificate and which CN will be put in the Subject Name field Note Some servers require a specific CN in the Subject Name field e The Cisco Access Control Server ACS requires the SAM Account Name The Funk Odyssey Server requires the Host Name To define user defined common names 1 Select User defined CNs 2 Click Edit CNs The Advanced Common Name window opens ioii Determine the Common Names CNs that will appear in the Subject Alternative Name field of the certificate that will be generated Select at least one CN Selected Common Names Available
68. ce Use the following as the FQDN Primary DNS FQDN 7 Get the FQDN from the dedicated network settings file V The device and the OS will have the same FQDN Shared FQDN IP Specify the source of the IP that will be set in the Intel AMT device Get the IP from the DHCP server Use the same IP as the host for static IP only Get the IP from the dedicated network settings file DNS Define how the device will update the DNS with the FQDN and IP Do not update Update only via DHCP option 81 Update the DNS directly or via DHCP option 81 Figure 32 Network Settings Window Intel AMT Configuration Utility User Guide T5 Chapter 5 Defining Configuration Profiles To define the IP and FQDN settings 1 From the FQDN section select the source for the FQDN hostname suffix e Use the following as the FQDN Primary DNS FQDN The hostname part of the FQDN is the hostname from the host operating system The suffix is the Primary DNS Suffix from the host operating system This is the default setting and is correct for most network environments On board LAN connection specific DNS FQDN The hostname part of the FQDN is the hostname from the host operating system The suffix is the Connection specific DNS Suffix of the on board wired LAN interface Host Name Takes the host name from the operating system The suffix is blank Active Directory FQDN The hostname part of the FQDN is
69. define in lt ADOU path gt DomainUser lt username gt The name in the format domain username of a domain user with permissions to delete the AD object representing the Intel AMT system If you supply this parameter the AD object is deleted using the credentials of this user By default the credentials of the user running the Configurator are used to delete the AD object DomainUserPassword lt password gt The password of the domain user SourceForAMTName lt source gt Defines how the FQDN hostname suffix for the Intel AMT device is constructed Valid values DNS The hostname part of the FQDN is the hostname from the host operating system The suffix is the Primary DNS Suffix from the host operating system This is the default setting and is correct for most network environments SpecificDNS The hostname part of the FQDN is the hostname from the host operating system The suffix is the Connection specific DNS Suffix of the onboard wired LAN interface e AD The hostname part of the FQDN is the hostname from the host operating system The suffix is the AD domain of which the host operating system is a member DNSLOOKUP Takes the FQDN returned by an nslookup on the IP address of the onboard wired LAN interface HOST Takes the hostname from the host operating system The suffix is blank Note When this parameter is not supplied the default source for the FQDN is
70. e Intel AMT device when using option 81 of the DHCP server to update DNS When this setting is true the Intel AMT device will send broadcast queries only when the operating system is not running This is the default behavior of all Intel AMT versions that do not support the Shared FQDN setting When this setting is false the device will always send its own broadcast queries even when the operating system is running For Intel AMT 6 0 and higher devices that will be configured with a dedicated FQDN clear this check box The device and the OS will have the same FQDN Shared FQDN 4 From the IP section select the source for the IP settings Use the same IP as the host for static IP only Get the IP from the DHCP server e Use the following settings Enter the IP and subnet address 5 Inthe DNS section define how Intel AMT 6 0 and higher will update the Domain Name System DNS with the FQDN and IP Do not update Disables all DNS updates by the Intel AMT device e Update only via DHCP option 81 The device will use the DHCP option 81 to request that the DHCP server update the DNS on its behalf On Intel AMT 6 x and 7 x systems Intel SCS only supports this option on the latest firmware versions Update the DNS directly or via DHCP option 81 Intel AMT 6 0 and higher includes the Intel AMT Dynamic DNS Update DDNS Update Client When enabled this client can periodically update the DNS with the FQDN and IP addr
71. e What is the name and location of the CA in the network Will the same CA be used for all Intel AMT features What Common Name CN to put in the certificate created for each feature Intel SCS sends a request to the CA to create certificates The certificates issued by the CA include CNs The CNs are defined in the configuration profile for each feature By default Intel SCS puts the DNS Host Name in the Subject Name field In addition the Subject Alternative Name will include these CNs DNS Host Name Host Name SAM Account Name User Principal Name and the UUID of the Intel AMT system Some RADIUS servers require a specific CN in the Subject Name field If you need to define a different CN in the Subject Name field you can do this by selecting the User defined CNs option for each feature How does the CA handle certificate requests Intel SCS does not support pending certificate requests This means that the CA must be setup to issue certificates immediately without requiring approval If you have an Enterprise CA you must create certificate templates in the CA before you define the profile For more information see Certification Authorities and Templates on page 94 7 TLS Does your management console require the Intel AMT system to use Transport Layer Security TLS Q When TLS is enabled the Intel AMT device authenticates itself with other applications using a server certificate If mutual TLS authentication is enabled
72. e _files folder Intel AMT Configuration Utility User Guide 48 Chapter 5 Defining Configuration Profiles Defining the Access Control List ACL The Access Control List ACL window of the Configuration Profile Wizard lets you define users and their access privileges in the Intel AMT device If you enable ACL you must define at least one user or group but no more than seven digest users and 32 Active Directory users groups User identification and realm selection must be coordinated with the requirements and instructions of third party management consoles E Configuration Profile Wizard Optional Settings Access Control List ACL Access Control List ACL Getting Started Use the following list to customize the level of system access for specific users or groups Profile Scope Optional Settings Add AD Integration Access Control List Home Domains Remote Access Transport Layer Security Network Configuration System Settings Finish Figure 16 Access Control List ACL Window You can do these tasks to define the users in the ACL e Create a new user by clicking Add See Adding a User to the ACL on page 49 e Edit an existing user by clicking Edit e Remove a user from the list by clicking Remove Adding a User to the ACL The User Group Details window enables you to add a new user or user group to the profile s Access Control List To add a user 1 From the Access Control List ACL
73. e certificate subject with the domains listed below Remove Figure 25 Advanced Mutual Authentication Settings Window 2 Optional Define the CRL you want to use in this profile a Select Use CRL b Click Load File The Open window opens c Browse to the location of the CRL XML file select it and click Open The information in the file is imported into the configuration profile and the name of the file is added to the list Intel AMT Configuration Utility User Guide 62 Chapter 5 Defining Configuration Profiles 3 Optional Define the trusted domains to use in mutual authentication To add a domain to the list click New and specify the domain in the Domain Properties window The Intel AMT system will validate that any client certificates used by the management consoles have one of the listed suffixes in the certificate subject Ifno FQDN suffixes are defined the Intel AMT system will not validate client certificate subject names 4 Click OK The Advanced Mutual Authentication Settings window closes Defining Network Setups The Network Configuration window of the Configuration Profile Wizard enables you to define several network setups that the Intel AMT device must use A network setup includes encryption and authentication protocol settings and can be used for wired or wireless connections If you define WiFi Connection settings in the profile the wireless interface of Intel AMT is enabled during configuration
74. e validity and renewal periods as required by local policy and click Apply 9 Click the Request Handling tab The Request Handling tab opens 802 1 User Properties Signature and encryption E Ej M E Delete revoked or evpired certi s do not archive 1024 Figure 37 Request Handling Tab 10 Click the CSPs button The CSP Selection window opens Intel AMT Configuration Utility User Guide 98 11 12 13 14 15 Appendix A Certification Authorities and Templates Choose which cryptographic service providers CSPs can be used in requests C Requests can use any CSP available on the subject s computer Requests must use one of the following CSPs CSPs Microsoft Base DSS and Diffie Hellman Cryptographic Provider Microsoft DH SChannel Cryptographic Provider Microsoft Enhanced Cryptographic Provider v1 0 Microsoft Enhanced DSS and Diffie Hellman Cryptographic Prov Microsoft Enhanced RSA and AES Cryptographic Provider Microsoft RSA SChannel Cryptographic Provider Microsoft Strong Cryptographic Provider Schlumberger Cryptographic Service Provider Cancel lt Figure 38 CSP Selection Window In the list of requests select the Microsoft Strong Cryptographic Provider check box and click OK The CSP Selection window closes Click the Subject Name tab and select Supply in the request Click the Security tab The Securit
75. eceseeeeeeeeeseeneeeaeeneeeaees 13 Re issuing Certificates cn aime noku wei aoe aes 13 Replacing Active Directory Object Passwords cccesscesseesserseeseeteeseeenes 13 Changing the ADOU Location 0 cccceccceeceseceeceseeeeceseeeeneeeeeeeeeeeeeseeseeeaes 14 Changing the Default Admin User Password c csssscessessesecteeeeeeeeeneees 14 Automating the Maintenance TaskS cccceccesseececeeseeseeeecsecnsecaeensenseees 14 Support for KVM Redirection cccccccsesseceeeseeeecesceeeeeeeeeeeeeecseesaeceecsaeeeeserees 16 Chapter 2 PrereGQuiSite ssc qciccciice cots cienceteveeiceins Sites nie 17 Getting Started Checklist ccc icscscsiescasceetsssenseessesenssuctecnstesuensceunsyacsegeesedesscueeels 18 Supported Intel AMT Versions ecescesesssescesecseeeeeececaeeseeeecaecaeeeeeaeeaeaveneerenes 22 Supported Operating Systems eccecsessesesseceeeeceeceeeseeeeceesaeeaeeeeeaeeaeeeeeeeeaeees 23 Support for a Workgroup Environment ccccccccessesseeseesseceeeceeeeceseeneeeseeeeeees 24 Required User Permissions iii ccccnitiinsaticsinaiiniea nviemennsaaeneiasch 25 Unconfigured Systems ccccecceescesseseeesecseceseeseceseeseceeeaceeeceseseeeeaeeeseeaeesaes 25 Configured Systems cccivesiniancinnianddacindianisiieadiakiemnaes 25 Chapter 3 Quick Start Guide 0 cceceeesesseeeeeeseeeeeeeeeeseseeeeeeeesseeneeees 26 Chapter 4 Using the Configuration Utility ccccsssseeeeeeeseeeeeeee
76. eration is run using a Kerberos admin user The password of the default Digest admin user is not defined in the profile or supplied in the CLI command AdminPassword This is to prevent losing connection to the device when changing these settings Solution Define the Digest admin password in the profile or the CLI command Intel AMT Configuration Utility User Guide 110 Appendix B Troubleshooting Error when Removing AD Integration Error in SetKerberos For some Intel AMT 4 x and 5 x systems this warning can occur during reconfiguration with a profile that contains TLS settings but disables Active Directory AD integration error in SetKerberos 1 Failed while calling WS Management call SetKerberosSettings This warning occurs only if the system was initially configured with a profile containing TLS settings and AD integration enabled The result is that configuration is completed including TLS but the AD integration is not disabled Solution This is a known limitation that was solved in versions 4 2 30 and 5 2 30 of the Intel AMT firmware For systems with this problem 1 Reconfigure the system using a profile that disables TLS and Active Directory 2 Reconfigure the system using a profile that enables and defines the required TLS settings Failed Certificate Requests via Microsoft CA Due to Microsoft limitations creation of the certificate might fail in these situations e Ifthe FQDN of the Intel AMT dev
77. erations done with these commands e ConfigAMT e MaintainAMT This table describes the CLI parameters of these commands used to run scripts Table 8 CLI Parameters FileToRun lt filename gt If this parameter is supplied the Configurator will run this executable file batch script or executable after the command has completed If the FileToRun parameter is used without the LowSecurity global option the file must be digitally signed see Digital Signing of Files on page 6 If the file is not signed the Configurator will NOT run the CLI command or the file In addition if the LowSecurity parameter is not used the file must be located in the same folder as the ACUConfig exe file Intel AMT Configuration Utility User Guide 91 Chapter 6 Using the Configurator Table 8 CLI Parameters Continued These additional optional parameters are valid only if FileToRun was specified FileHash When this parameter is supplied the Configurator runs a hash lt SHA256 hash gt function on the file supplied in the FileToRun parameter The result of the hash function is then compared with the original hash value of the file supplied in this parameter If the values of the hashes are different the Configurator will NOT run the CLI command or the file If any change was made to the file the hash values will not be the same Before you can use this option you must generate a SHA256 hash value from the
78. es 27 Starting the Configuration Utility ccecceescecceeeeseeseecseeeseceeceseeeceteeeeseseeereess 28 Configuring Unconfiguring Individual Systems ccseeeeeseeeeeeeeteneeeeeeeeneees 29 Configuring a System ese cinaeaniansinmcinniaduan ete 30 Defining IP and FQDN for a Single System ccceseeseceeceeeeeeeeeeeeeeeeeeees 32 Encrypting the Profile lassie a a E E 34 SMB Manual Configuration ccccccssesseeseeesceeeeeeeeseeseecaeeseecaeeeaeeaeeeseeeeseeeeteees 35 Unconfiguritig a Syste Mi sissen nrn E ENERE EER 38 Using the Profile Desigmer cccecceccesscesseesecseceseesececeaeeesseseseeseseseeeeseeeaeeaeeaaes 39 Defining Manual Configuration Multiple Systems ccscseecessesteeeeeceeeneees 40 Intel AMT Configuration Utility User Guide ili Table of Contents Chapter 5 Defining Configuration Profiles ccccssssseeeeeeseeeeeeeeees 42 About Configuration Profiles iiccsc ccc caccensesciacccckdeesaseccsdaseeesidecsectestdesacatestecssevees 42 Creating Editing Configuration Profiles ccccccecceeseesseeseerseseeeseeeseceenseeeeneens 43 Saving the Configuration Profile 00 00 00 ccccccsesseeseeeeceeeceeeeeeeeeeeeeeaeeseeeeeeaees 45 Defining the Profile ScOpe cccceeccesseescesceseeesecceesecaeeaeceeceeseeseeeeseseseeaeeeseeaees 46 Defining Profile Optional Settings c ccccccsccsseeseceeceeeceeceseeeeeeeeeseeeeeeseeneeeaees 47 Defining Active Directory Integration
79. ese features e Remote Access using a Management Presence Server e Mutual authentication in Transport Layer Security e Most types of 802 1x setups To define the trusted root certificates 1 From the relevant feature window click Edit List The Trusted Root Certificates Used In Profile window opens EI Trusted Root Certificates Used In Profile loj x All the trusted root certificates selected in the following list will be configured to the Intel AMT system and used to authenticate servers when using the following features Mutual authentication in Transport Layer Security TLS Mutual Most types of 802 1x setups When defining a Management Presence Server MPS for Remote Access Select at least one trusted root certificate but not more than four to be used for all features Figure 22 Trusted Root Certificates Used In Profile Intel AMT Configuration Utility User Guide 58 Chapter 5 Defining Configuration Profiles 2 To add a trusted root certificate click Add The Add Trusted Root Certificate window opens EI Add Trusted Root Certificate loj x From Certificate Authority x From File Figure 23 Add Trusted Root Certificate Window 3 Select one of these From Certificate Authority From the drop down list select the Enterprise Certification Authority CA From File Enter the path to the file or click Browse to locate and select a certificate The file must be in base64
80. ess configured in the Intel AMT device When selected the device uses option 81 to ask the DHCP for permission to update the DNS Intel AMT will send DDNS updates based on the policy configured in the DHCP server returned in the DHCP option 81 flags Note All systems that have Intel AMT 5 x or lower are always configured to update the DNS via DHCP option 81 This is the only option that those versions support 6 Click OK The Network Settings window closes and the Profile xml is updated with the changes that you made Intel AMT Configuration Utility User Guide 33 Chapter 4 Using the Configuration Utility Encrypting the Profile The Profile xml file used by the Configuration Utility contains passwords and other data about your network environment To protect this data each profile created or edited by the Configuration Utility is encrypted with a password that you supply When configuring a system if the profile is not encrypted yet you must define a password in the Profile Encryption window E Intel R AMT Configuration Utility intel AMT Profile Encryption The profile that will be created as part of the configuration process contains sensitive data and must be encrypted Encrypt the XML file using this password ej Confirm Password To configure this system dick Configure Figure 5 Profile Encryption Window To encrypt the profile 1 In the password fields enter a password that will be used t
81. ete the old objects Changing the Default Admin User Password For increased security it is recommended to change the password of the default Digest admin user at regular intervals To do this task use the RenewAdminPassword parameter of the MaintainAMT command Note The RenewAdminPassword parameter changes the password according to the password method defined in the profile For more information about these methods see Default Admin User Digest on page 10 Automating the Maintenance Tasks The MaintainAMT command includes a parameter named AutoMaintain You can use this parameter to automate maintenance of Intel AMT systems in your network This is possible because the Configurator saves some configuration related data in the registry of each Intel AMT system The data is updated each time the Configurator does a task on the system configuration reconfiguration maintenance and unconfiguration The data is saved in this registry key e 32 bit operating systems HKLM SOFTWARE Intel Setup and Configuration Software SystemDiscovery ConfigurationInfo e 64 bit operating systems HKLM SOFTWARE Wow6432Node Intel Setup and Configuration Software SystemDiscovery ConfigurationInfo When you use the AutoMaintain parameter 1 The Configurator uses the data in the registry to make the decision which maintenance tasks are necessary for each Intel AMT system 2 The Configurator automatically does only the necessary ta
82. ettings P Subnet DNS Define how the device will update the DNS with the FODN and IP Do not update Update only via DHCP option 81 Update the DNS directly or via DHCP option 81 Figure 4 Network Settings Window 2 From the FQDN section select the source for the FQDN hostname suffix Use the following as the FQDN Primary DNS FQDN The hostname part of the FQDN is the hostname from the host operating system The suffix is the Primary DNS Suffix from the host operating system This is the default setting and is correct for most network environments On board LAN connection specific DNS FQDN The hostname part of the FQDN is the hostname from the host operating system The suffix is the Connection specific DNS Suffix of the card Host Name Takes the host name from the operating system The suffix is blank Intel AMT Configuration Utility User Guide 32 Chapter 4 Using the Configuration Utility e Active Directory FQDN The hostname part of the FQDN is the hostname from the host operating system The suffix is the AD domain of which the host operating system is a member DNS Look Up FQDN Takes the name returned by an nslookup on the IP address of the card Use the following FQDN Enter the FQDN you want to set in the device 3 Optional Intel AMT 6 0 and higher includes a setting called Shared FQDN This setting can change the behavior of th
83. f the generated certificate For more information see Defining Common Names in the Certificate on page 101 9 Click OK The settings are saved and the Management Presence Server window closes Intel AMT Configuration Utility User Guide 56 Chapter 5 Defining Configuration Profiles Defining Remote Access Policies A Remote Access policy defines what will cause the Intel AMT device to start a connection with an MPS the trigger and to which MPS it will connect If Remote Access is enabled you must define at least one Remote Access policy To define a remote access policy 1 From the Remote Access Policy List section of the Remote Access window click Add The Remote Access Policy window opens oxi General Policy Name I Tunnel lifetime limit NoLimit E H Minutes Trigger I Fast Call For Help OS interface BIOS Interface OS and BIOS interfaces T Alerts I Scheduled Maintenance every jo hours zj Management Presence Server Preferred server Available Servers lt example com 80 Alternative server D e Figure 21 Remote Access Policy Window 2 Inthe Policy Name field enter a descriptive name for the policy 3 Inthe Tunnel lifetime limit field enter an interval in minutes When there is no activity in an established tunnel for this period of time the Intel AMT device will close the tunnel Selecting No Limit means the tunnel will not time out but will stay open unti
84. guration window of the profile Enable WiFi connection also in S1 S5 operating power system states This solves the problem because the power management settings for the wireless NIC can now be configured using a delta profile During upgrade migration this check box is not added to delta profiles to support backwards compatibility To add the check box and reconfigure the system 1 Open the delta profile in Intel SCS 8 2 When you open the profile the check box is added 2 Inthe Network Configuration window verify that the status of the new check box is what you require selected not selected 3 Save the profile 4 Reconfigure the system using the Delta profile Disabling the Wireless Interface Intel AMT includes a wireless interface that can be enabled or disabled during configuration You can define this setting in the profile using the WiFi Connection check box see Defining Profile Optional Settings on page 47 To disable the interface after it has been enabled you can remove the WiFi Connection settings from the profile and then reconfigure the system But reconfiguration does not always disable the wireless interface This is a known limitation of some versions of the Intel AMT Firmware Solution If reconfiguration did not close the wireless interface 1 Unconfigure the system 2 Reconfigure the system using a profile containing the settings that you want Intel AMT Configuration Utility User Gu
85. he Configuration Utility Starting the Configuration Utility The Configuration Utility does not require installation You can run the Configuration Utility from a local drive a mapped network drive or a USB key Note Each window of the Configuration Utility includes context sensitive help that shows when you press F1 To start the Configuration Utility open the ACU_Wizard folder and double click ACUWizard exe The Welcome window opens E Intel R AMT Configuration Utility Welcome to the Intel AMT Configuration Utility Version 8 1 Figure 1 Welcome Window The Welcome window includes these options e Configure Unconfigure this System This option lets you directly configure Intel AMT systems You can only select this option if the computer is an Intel AMT system For more information see Configuring Unconfiguring Individual Systems on page 29 e Create Settings to Configure Multiple Systems This option available when you run the Configuration Utility from any location lets you e Create configuration profiles See Using the Profile Designer on page 39 e Create a USB key for manual configuration See Defining Manual Configuration Multiple Systems on page 40 Intel AMT Configuration Utility User Guide 28 Chapter 4 Using the Configuration Utility Configuring Unconfiguring Individual Systems The Configuration Options window lets you define Intel AMT settings on individua
86. he Intel AMT system some Intel AMT configuration functions are blocked During configuration the Intel MEBX password will not be changed if it is the default password see Access to the Intel MEBX on page 9 e Admin Control Mode In this mode all Intel AMT features supported by the Intel AMT version are available Note By default the host based configuration method puts the device in the Client Control mode All other configuration methods automatically put the device in the Admin Control mode User Consent User consent is a new feature available in Intel AMT 6 0 and higher If user consent is enabled when a remote connection to a computer starts a message shows on the computer of the user The message contains a code that the user must give to the person who wants to connect to his computer The remote user cannot continue the operation until he supplies this code Intel AMT 6 x The user consent feature is available only for KVM Redirection Intel AMT 7 x For devices in Admin Control mode you can define which operations require user consent For devices in Client Control mode user consent is mandatory for these operations Serial Over LAN to redirect BIOS screens and OS Boot text screens IDE Redirection IDE R KVM Redirection To remotely set BIOS boot options To change the source for remote boot for example boot from PXE Intel AMT Configuration Utility User Guide 7 Chapter 1 Int
87. icate Authority Client Certificate Template Refresh CAs amp Templates Common Names CNs in certificate Default CNs User defined CNs System authentication is password based Username Password ej IE Show password Figure 20 Management Presence Server Properties Window 2 Inthe Server FQDN or IP Address field enter the FQDN or IP address of the Management Presence Server 3 Inthe Port field enter the Port that the Management Presence Server listens on for connections from Intel AMT systems 4 Click Edit List to define the location of the trusted root certificates that will be used by Intel AMT systems configured with this profile see Defining Trusted Root Certificates on page 58 Intel AMT Configuration Utility User Guide 59 Chapter 5 Defining Configuration Profiles 5 If you entered an IP address in the Server FQDN or IP Address field you need to enter the FQDN in the Common Name field If you entered the FQDN in the Server FQDN or IP Address field the Common Name field is disabled 6 Define the required type of authentication To define authentication based on a password select System authentication is password based enter a username and password and continue from step 9 To define authentication based on certificates select System authentication is certificate based and continue from step 7 7 From the Select the method for creating the certificate drop down list selec
88. ice is longer than 64 characters e Ifthe certificate Subject Name is longer than 256 characters e Ifthe CN in the Subject Name field is the Distinguished Name and this Distinguished Name is longer than 256 characters Solution Make sure that the values in the generated certificate will not exceed the maximum values listed above A possible solution for large values in the Subject Name field is to define a CN that will contain less characters see User defined CNs on page 102 Intel AMT Configuration Utility User Guide 111 Appendix B Troubleshooting Delta Profile Fails to Configure WiFi Settings In certain conditions reconfiguring a configured system using a Delta profile containing WiFi Connection settings does not enable WiFi in the Intel AMT device The configuration will complete with warnings and the log file will include this error A WSMAN command returned an error GetField no such field named LinkPolicy This can occur if both these conditions are true The system was configured using a profile that disabled WiFi in the Intel AMT device the profile did not include WiFi Connection settings e The system was then reconfigured using a Delta profile that included WiFi Connection settings but did NOT include Power Management settings The Delta profile was created in a version of Intel SCS earlier than Intel SCS 8 1 Solution From Intel SCS 8 1 a new check box was added to the Network Confi
89. ide 112
90. if the system is configured The password that you supply here is used to gain access to the Intel AMT device If the user account running the Configuration Utility is defined in the device as an administrator you do not need to supply this password New password Confirm password If the system is unconfigured you must define a password in these fields The Configuration Utility sets this password in the Intel AMT device during configuration and then saves it in the Profile xml file Each time that you run the Configuration Utility the password from the Profile xml file is automatically put in these fields You can use the same password for all systems or change the password for each system that you configure If you want to change the password of a configured system enter the new password in these fields For information about the required format see Password Format on page 4 3 Optional If necessary you can change the default network settings that the Configuration Utility will put in the Intel AMT device To do this select Override default Settings and click Network Settings see Defining IP and FQDN for a Single System on page 32 Note The default network settings that the Configuration Utility puts in the device will operate correctly for most network environments 4 Optional You can change the default settings in Profile xml before you start configuration To do this click Edit Configuration see C
91. ile Designer can import the CRL into the configuration profile see Defining Advanced Mutual Authentication Settings on page 62 Note The profile can contain a maximum of four CRLs that contain a maximum total together of 64 serial numbers This is an example of the XML format required by the Profile Designer lt xml version 1 0 encoding UTF 8 gt lt This file maps the untrusted certificates serial number to the URI of the issuer The URI value represents a valid CRL distribution point of a Certificate Authority gt lt crl gt lt uri name http certification authority example 1 CRL gt lt cert serialnumber 15 27 82 20 00 00 00 00 00 01 gt lt cert serialnumber 15 27 82 20 00 00 00 00 00 02 gt lt cert serialnumber 15278220000000000003 gt lt uri gt lt uri name http certification authority example 2 CRL gt lt cert serialnumber 15 27 82 20 00 00 00 00 00 04 gt lt cert serialnumber 15 27 82 20 00 00 00 00 00 05 gt lt uri gt lt crl gt For the serial number attribute e Use exactly two hexadecimal characters for each byte a byte with a single character will be ignored The serial number can be represented as a single hexadecimal number If the bytes are separated from each other use any printable non hexadecimal character separator between each pair Intel AMT Configuration Utility User Guide 104 B Troubleshooting This appendix describes problems yo
92. in a peer to peer network a Workgroup This table shows settings that require services that are not usually available in a Workgroup Table 3 Intel AMT Settings 1 Active Directory Integration Access to an Active Directory AD 2 Kerberos Users Note 3 802 1x Setups e You must configure setting 1 if you want to configure settings 2 3 or 4 4 Endpoint Access Control EAC Settings 3 and 4 also need access toa CA 5 Transport Layer Security TLS Access to a Certification Authority CA 6 Remote Access Note If you define Remote Access to use password based authentication access to a CA is not necessary Note In a Workgroup without access to a Domain you cannot configure settings 1 4 on Intel AMT systems You can configure settings 5 and 6 but only on systems with Intel AMT 6 2 and higher Users in a Workgroup do not have the necessary permissions to connect to the AD or the CA This means that the Configuration Utility which is running on a computer in the Workgroup cannot access the AD CA Thus to configure these settings in a Workgroup you must use one of these methods available only on Intel AMT 6 2 and higher Method 1 Supply a user with the necessary permissions 1 In the Profile Designer create a profile with the settings that you want to configure 2 When you save the profile in the Finish window supply the username and password of a user that
93. is not a valid profile e Ifthe Intel AMT system is running Windows XP make sure that service pack 3 is installed e Ifthe profile is encrypted these errors can occur on Intel AMT systems running Windows 7 and Windows Server 2008 This is because of a known Microsoft issue Install this hotfix http support microsoft com kb 981118 Reconfiguration of Dedicated IP and FQDN Settings Reconfiguration can fail when all these conditions are true 1 The Intel AMT device was configured with an FQDN and IP different from the host operating system for example by using a dedicated network settings file 2 The dedicated network settings file contains FQDN and IP values different from those currently defined in the Intel AMT device 3 Intel SCS needs to reconfigure the device using the new values in the dedicated network settings file Solution Make sure you supply the current IP address or FQDN of the Intel AMT device in the lt CurrentAMTAddress gt tag of the dedicated network settings file Intel AMT Configuration Utility User Guide 108 Appendix B Troubleshooting Disjointed Namespaces A disjointed namespace occurs when the primary Domain Name System DNS suffix of a computer does not match the DNS domain of which it is a member Defining a network environment with disjointed namespaces intentionally or accidentally can cause many different types of communication and authentication failures For Intel AMT these
94. l Intel AMT systems To configure unconfigure Intel AMT 1 From the Welcome window click Configure Unconfigure this System The Configuration Options window opens amp Intel R AMT Configuration Utility intel AMT Configuration Options Select the task you want to perform on this system Configure via Windows Configure Intel AMT using Windows no reboot required Configure via a USB key Create a setup file on a USB key to configure Intel AMT when the system is rebooted Unconfigure Unconfigure Intel AMT Intel AMT is configured on this system System Info Figure 2 Configuration Options Window 2 Select the task and click Next e Configure via Windows Use the host based configuration method or the unified configuration process to configure this system see Configuring a System on page 30 Configure via a USB Key Use the SMB Manual method to configure this system see SMB Manual Configuration on page 35 e Unconfigure Unconfigures the system see Unconfiguring a System on page 38 Intel AMT Configuration Utility User Guide 29 Chapter 4 Using the Configuration Utility Configuring a System The Configure via Windows window lets you configure systems with Intel AMT 6 2 and higher Configured systems are reconfigured Configuration is done locally host based configuration using the settings in a configuration profile The configuration profile is an
95. l it is closed by the user or when a different policy with higher priority needs to be processed 4 In the Trigger section select the trigger or triggers for this policy e Fast Call For Help The Intel AMT device establishes a tunnel with the MPS when the user initiates a connection request If required you can limit when the user can access this option only from the operating system or only from the BIOS By default both options are available to the user Intel AMT Configuration Utility User Guide ST Chapter 5 Defining Configuration Profiles e Alerts The device establishes a connection when an event occurs that generates an alert addressed to the network interface Scheduled Maintenance every The device connects to the MPS based on the number of hours minutes or seconds defined here Note A policy can include one or more triggers but two different policies cannot contain the same trigger 5 Inthe Management Presence Server section select the MPSs that apply to the policy up to two When a trigger occurs the Intel AMT device attempts to connect to the server listed in the Preferred server field If that connection does not succeed the device tries to connect to the server listed in the Alternative server field if one was specified 6 Click OK The Remote Access Policy window closes Defining Trusted Root Certificates An Intel AMT system must have a trusted root certificate to use any of th
96. ld change the password of the Active Directory object RenewADPassword task LastSyncClock The last time that the clock of the Intel AMT device was synchronized If this date is more than 3 months old synchronize the clock SyncAMTTime task Note The SyncAMTTime task is also done every time that one of the other tasks is done Note e Always run the Configurator under a user that has permissions to create and update these registry keys on the Intel AMT system The AutoMaintain parameter will fail and return an error if it cannot access the registry Configuration reconfiguration maintenance and unconfiguration tasks will complete but with warnings If the registry keys do not exist the first time the AutoMaintain parameter is used all the maintenance tasks will be done according to the profile Intel AMT Configuration Utility User Guide Chapter 1 Introduction Support for KVM Redirection Intel AMT 6 0 and higher includes support for third party applications to operate Intel AMT systems using remote Keyboard Video and Mouse K VM Redirection KVM Redirection lets you remotely operate a system as if you are physically located at the remote system KVM Redirection uses Virtual Network Computing VNC to share the graphical output of the remote system The results of keyboard and mouse commands transmitted to the remote system over the network are displayed on the screen of the local sy
97. led chipset network hardware and software For notebooks Intel AMT may be unavailable or limited over a host OS based VPN when connecting wirelessly on battery power sleeping hibernating or powered off Results dependent upon hardware setup and configuration For more information visit Intel Active Management Technology Intel vPro Technology is sophisticated and requires setup and activation Availability of features and results will depend upon the setup and configuration of your hardware software and IT environment To learn more visit http www intel com technology vpro Client Initiated Remote Access CIRA may not be available in public hot spots or click to accept locations For more information on CIRA visit Fast Call for Help Overview Intel the Intel logo and Intel vPro are trademarks of Intel Corporation in the U S and or other countries Microsoft Windows and the Windows logo are trademarks or registered trademarks of Microsoft Corporation in the U S and or other countries Other names and brands may be claimed as the property of others Copyright 2006 2013 Intel Corporation All rights reserved Table of Contents Table of Contents Chapter 1 IMtrOGuGto Mie a iies sence cocscsnaccescesians cdsccnassvecteceniccseesetassassenaccccens 1 About the Intel AMT Environment cccccceeseesseescesceesceseeeeeceeceeeaecnseeseeneenseees 2 Configuration Methods and Intel AMT Versions
98. lowed for completion of an 802 1x authentication This parameter can be set only when an 802 1x profile has been selected If the 802 1x profile is deleted this value will be forced to zero c Click OK The Advanced Wired 802 1x Settings window closes and the settings are saved 6 Ifrequired define the End Point Access Control EAC parameters see Defining End Point Access Control on page 70 Creating WiFi Setups The WiFi setups defined in the Intel AMT device are required to enable communication with the Intel AMT device over a wireless network These WiFi setups can also be used to enable Remote Access via a Management Presence Server MPS even when the computer is not in the enterprise network You can define up to 15 profiles in the WiFi setup list Intel AMT Configuration Utility User Guide 65 Chapter 5 Defining Configuration Profiles To create a WiFi setup 1 From the WiFi Connection section of the Network Configuration window click Add The WiFi Setup window opens x General Setup Name ssID Data Encryption Key Management Protocol wri Protected Access WPA 7 Encryption Algorithm Temporal Key Integrity Protocol TKIP Authentication C Passphrase Confirm Passphrase 302 1x Setup Ed Figure 28 WiFi Setup Window 2 Inthe Setup Name field enter a name for the WiFi setup The setup name can be up to 32 characters and must not contain lt gt
99. mation about Intel SCS refer to the Intel R _SCS_8 2_User_Guide pdf Intel AMT Configuration Utility User Guide 2 Chapter 1 Introduction Host Based Configuration The host based configuration method is available from Intel AMT 6 2 and higher This method lets an application running locally on the Intel AMT system configure the Intel AMT device All configuration is done locally using the settings in an XML configuration profile see Defining Configuration Profiles on page 42 Because this method has less security related requirements than earlier configuration methods after configuration the Intel AMT device is put in the Client Control mode see Control Modes on page 7 You can use the Configuration Utility to quickly define a profile and then immediately configure the system see Configuring a System on page 30 Alternatively you can use the Profile Designer to create an XML profile and then use the Configurator to do the configuration For more information see e Using the Profile Designer on page 39 e Configuring Systems on page 82 SMB Manual Configuration The SMB Manual configuration method lets you configure the Intel AMT device with basic configuration settings Configuration is done locally at the Intel AMT system with a USB key containing a configuration file Setup bin After configuration the Intel AMT device is put in one of these modes Small Medium Business S
100. n the Intel MEBX If you supply this parameter the SubnetMaskIp parameter is mandatory the remaining IP parameters are optional SubnetMaskIp The subnet mask IP address to set in the Intel MEBX Gateway AddrIp lt ip gt The default gateway IP address to set in the Intel MEBX DnsAddrIp lt ip gt The preferred DNS IP address to set in the Intel MEBX SecondaryDnsAddrlp lt ip gt EnableK VM lt false true gt An alternate DNS IP address to set in the Intel MEBX Enable Disable support for KVM redirection Note This parameter is mandatory on systems with Intel AMT 6 0 and higher If you do not supply it configuration will fail on those systems EnableUserConsent lt none kvm_only all_redirection gt Defines for which redirection operations user consent is mandatory For more information see User Consent on page 7 Note You can use the all_redirection option only on systems with Intel AMT 7 x and higher EnableRemote ITConsent lt false true gt Defines if it is permitted to remotely make changes to the user consent setting in the Intel AMT device Intel AMT Configuration Utility User Guide 85 Chapter 6 Using the Configurator Power Package GUIDs The optional PowerPackage parameter enables you to define power management settings of the Intel AMT device during manual configuration If not supplied the default power settings defined by the manufact
101. n then be collected by third party hardware and software inventory applications Intel SCS also includes a standalone System Discovery utility that you can use for this task instead of the Configurator The utility contains only the SystemDiscovery command The utility is located in the SCS_Discovery folder The data is saved in the registry of each system at e 32 bit and 64 bit operating systems HKLM SOFTWARE Intel Setup and Configuration Software SystemDiscovery e In addition on 64 bit operating systems HKLM SOFTWARE Wow6432Node Intel Setup and Configuration Software SystemDiscovery For information about the data format see the System Discovery Data Format section of the SCS_Discovery Intel R SCS_8 2_Discovery pdf For information about how to collect this data from the systems refer to the documentation of your hardware software inventory application Note On systems that do not have Intel AMT this command gets data from the host platform only Syntax ACUConfig exe global options SystemDiscovery lt filename gt NoFile NoRegistry AdminPassword lt password gt Parameters global options See CLI Global Options on page 80 Intel AMT Configuration Utility User Guide 81 Chapter 6 Using the Configurator lt filename gt By default the name of the XML file is the FQDN of the system and it is saved in the same folder as the Configurator You can change
102. n use But the computer BIOS must fully support the selected USB key and be able to do a reboot from it To prepare the USB key 1 Put a USB key in the computer 2 From the Welcome window click Create Settings to Configure Multiple Systems The Profile Designer opens 3 Select Tools gt Prepare a USB Key for Manual Configuration The Settings for Manual Configuration of Multiple Systems window opens Specify the type of systems for which to create the configuration USB Key Mobile Systems Desktop Systems Specify the Intel AMT version for which to create the configuration USB Key All systems are Intel AMT 6 0 and higher All systems are Intel AMT 7 0 and higher Configuration Settings The configuration settings below will be applied to Intel AMT systems after inserting the USB key with these definitions and rebooting the system Old MEBx Password New MEBx Password ej Confirm MEBx Password Specify the system power states in which the Management Engine ME is operational always On 50 55 a I User consent required for redirection sessions USB Drive Select the relevant USB drive from the list below ic USB Drive F Refresh List of USB Drives Note Ensure that the USB drive is supported by the system s BIOS Figure 11 Settings for Manual Configuration of Multiple Systems Window Intel AMT Configuration Utility User Guide 40 Chapter 4 Using the Configuration Utility 4 Ifyou
103. nConfigure AdminPassword lt password gt Full ADOU lt ADOU path gt DomainUser lt username gt DomainUserPassword lt password gt SourceForAMTName lt source gt NetworkSettingsFile lt file gt Parameters global options See CLI Global Options on page 80 AdminPassword The current password of the default Digest admin user defined in the lt password gt Intel AMT device This parameter is NOT necessary if one of these are true e The XML profile contains the Digest admin password e The user account running the Configurator is a Kerberos account that is configured in the Intel AMT device with administrator permissions Full For systems in Admin Control mode does a full unconfiguration the default is partial unconfiguration Intel AMT Configuration Utility User Guide 89 Chapter 6 Using the Configurator ADOU lt ADOU path gt During unconfiguration the Configurator deletes the Active Directory AD object that was created to represent the Intel AMT system The object was created by Intel SCS only if AD integration was enabled By default the Configurator uses the settings configured in the Intel AMT device to find the location of the AD Organizational Unit ADOU containing the object In large enterprise networks the search for the ADOU can take some time If you supply this parameter the Configurator will only look for the object in the Organizational Unit that you
104. nagement Presence Server MPS O Transport Layer Security TLS Use the TLS protocol to encrypt and authenticate communication with the systems 7 Network Configuration Select at least one of the following items IT WiFi Connection WiFi network settings wired 802 1x Authentication 802 1x authentication settings for wired LAN only BI End Point Access Control EAC EAC settings used to authenticate system status Home Domains Remote Access Transport Layer Security Network Configuration System Settings Finish Figure 14 Optional Settings Window To select the optional settings 1 Select the check boxes of the optional settings you want to configure using this profile Intel SCS will remove unconfigure any existing settings from the Intel AMT system of options that are not selected in this window 2 Click Next to continue in the Configuration Profile Wizard and define the configuration settings as described in these topics e Defining Active Directory Integration on page 48 e Defining the Access Control List ACL on page 49 e Defining Home Domains on page 53 e Defining Remote Access on page 54 Defining Transport Layer Security TLS on page 60 e Defining Network Setups on page 63 Intel AMT Configuration Utility User Guide 47 Chapter 5 Defining Configuration Profiles Defining Active Directory Integration The Active Directory Integration window lets you integrate Intel AMT
105. nconfigure System window opens a j Intel R AMT Configuration Utility intel AMT Unconfigure System To unconfigure this system click Unconfigure Unconfigure this system using current user Unconfigure this system using admin password Figure 9 Unconfigure System window 2 Ifthe system is in Admin Control mode you must select the user credentials to use during unconfiguration e Unconfigure this system using current user Select this option if the user running the Configuration Utility is defined in the Intel AMT device as an administrator e Unconfigure this system using admin password Select this option to unconfigure using the default admin user You must supply the password of the admin user Note If the system is in Client Control mode this step is not required the fields are not shown 3 Click Unconfigure The Configuration Utility deletes all the Intel AMT settings from the system and disables the Intel AMT features on the system Intel AMT Configuration Utility User Guide 38 Chapter 4 Using the Configuration Utility Using the Profile Designer The Profile Designer window lets you create profiles with configuration settings for multiple systems These profiles are used by the Configurator The location of the profiles is shown in the top left section Profiles Folder The right pane shows the configuration settings of the profile selected in the left pane E Intel R AM
106. ne the file locations and continue from step 3 2 To request the certificate from a CA do these steps a From the Certificate Authority drop down list select the certification authority The Configuration Utility automatically detects if the selected CA is a Standalone root CA or an Enterprise root CA b If you are using an Enterprise root CA you must select the template that will be used to create the certificate From the Server Certificate Template drop down list select the template that you defined for TLS For information how to create a template for TLS see step 15 of Defining Enterprise CA Templates on page 96 Note If the Configuration Utility is located on a computer that does not have access to the CA the drop down lists will not display the CA or the templates If necessary you can manually supply the CA name in the format FQDN CA Name and the name of the template When entering these values manually you must also select the type of CA Enterprise CA or Stand alone CA c Define the Common Names that will be included in the Subject Name of the generated certificate For more information see Defining Common Names in the Certificate on page 101 3 Optional To enable mutual TLS S a Select Use mutual authentication for remote interface b If you enabled mutual TLS you must define the trusted root certificates that will be used by Intel AMT systems configured with this profile see Defini
107. ng Trusted Root Certificates on page 58 c Optional Define advanced mutual TLS settings see Defining Advanced Mutual Authentication Settings on page 62 Intel AMT Configuration Utility User Guide 61 Chapter 5 Defining Configuration Profiles Defining Advanced Mutual Authentication Settings The Advanced Mutual Authentication Settings window lets you define a Certificate Revocation List CRL The CRL is a list of entries usually supplied by a CA that indicate which certificates have been revoked see CRL XML Format on page 104 for the required format You can also define the Fully Qualified Domain Name FQDN suffixes that will be used by mutual authentication The Intel AMT device will validate that any client certificates used by management consoles have one of the listed suffixes in the certificate subject If no FQDN suffixes are defined the Intel AMT device will not validate client certificate subject names To define advanced mutual TLS settings 1 From the TLS window Figure 24 click Advanced The Advanced Mutual Authentication Settings window opens E Advanced Mutual Authentication Settings Certificate Revocation List CRL Specify whether you want to apply a CRL for Mutual Authentication The CRL file selected will be loaded into the Intel AMT device and overwrite any existing CRL I Use CRL Current CRLs taken from Trusted Domains Increase security by matching the suffixes in th
108. ns from the network Select one of these Local The user can access the Intel AMT system only via the local host e Remote The user can execute an action only via the network Both The user can execute an action either locally or from the network Intel AMT Configuration Utility User Guide 50 Chapter 5 Defining Configuration Profiles 4 From the Realms section select the check boxes of the realms that you want to make available to this user The realms define specific functional capabilities as described in this table Note that not all realms are available on all versions of Intel AMT Table 5 Intel AMT Realms Redirection Enables and disables the redirection capability and retrieves the redirection log PT Administration Manages security control data such as Access Control Lists Kerberos parameters Transport Layer Security Configuration parameters power saving options and power packages A user with PT Administration Realm privileges has access to all realms Note If this user will be used to run the Configurator to do host based configuration the Access Type must be Local or Both Hardware Asset Used to retrieve information about the hardware inventory of the Intel AMT system Remote Control Enables powering a system up or down remotely Used in conjunction with the Redirection capability to boot remotely Storage Used to configure write to and read from non volatile user s
109. ns with the CLI commands e LowSecurity Disables authentication of the ACU dll digital signature For more information see Digital Signing of Files on page 6 e Verbose Creates a detailed log e KeepLogFile Appends the current log to the existing log file e Output Console File lt ogfile gt Silent Defines where errors and other log messages will be recorded Console Shows log messages only on the console screen e File lt ogfile gt Lets you change the default name and location of the log file Supply the full path and name for the log file in the lt ogfile gt parameter e Silent Do not record any log messages console or log file Note To save log messages to a file and also display them on the console screen use the Output parameter twice For example Output File lt logfile gt Output Console Intel AMT Configuration Utility User Guide 80 Chapter 6 Using the Configurator Verifying the Status of an Intel AMT System Command Status Description Provides details about the status of the Intel AMT system Syntax ACUConfig exe global options Status Parameters global options See CLI Global Options on page 80 Discovering Systems Command Description SystemDiscovery Gets data from the Intel AMT device and the host platform of the system The data is saved in an XML file and or in the registry of the system The data ca
110. nt configuration settings You must define an FQDN that can be resolved by the DNS in your network If you do not after configuration you will not be able to connect to the device By default this is how Intel SCS configures the FQDN hostname suffix The hostname part of the FQDN is the hostname from the host operating system The suffix is the Primary DNS Suffix from the host operating system If this default is not correct for your network change the setting in the configuration profile For information about the available settings see Defining IP and FQDN Settings on page 75 How does your network assign Internet Protocol IP addresses On an Intel AMT system the host platform and the Intel AMT device both have an IP address These IP addresses are usually the same but they can be different Intel SCS configures the IP address of the Intel AMT device By default Intel SCS configures the Intel AMT device to get the IP address from a DHCP server If this default is not correct for your network change the setting in the configuration profile For information about the available settings see Defining IP and FQDN Settings on page 75 Q Intel AMT Configuration Utility User Guide Chapter 2 Prerequisites 3 Domains Do you want to limit access to Intel AMT based on domain location g Intel AMT includes an option to limit access to the Intel AMT device based on the location of the host s
111. o make changes to specific settings only Only settings defined in the Profile Scope window will be changed on the systems during configuration All other settings will stay in their current condition on the systems 3 Click Next to continue in the Configuration Profile Wizard and define the settings as described in these topics e Defining the Profile Scope on page 46 e Defining Profile Optional Settings on page 47 Defining Active Directory Integration on page 48 Defining the Access Control List ACL on page 49 Defining Home Domains on page 53 Defining Remote Access on page 54 Defining Transport Layer Security TLS on page 60 Defining Network Setups on page 63 e Defining System Settings on page 72 4 When you have defined all the required settings for this profile save the profile see Saving the Configuration Profile on page 45 Intel AMT Configuration Utility User Guide 44 Chapter 5 Defining Configuration Profiles Saving the Configuration Profile The Finish window is the last step when you create a new profile or edit an existing profile The type of profile and the settings you define in the profile cause different fields to show in the Finish window To save the profile 1 When you create or edit a profile in the Profile Designer these fields are shown Name of XML file Encrypt the XML file using this password Confirm Password
112. o encrypt the profile For information about the required format see Password Format on page 4 2 Click Configure The profile is encrypted using the password you entered The system is then configured with Intel AMT and can be accessed by management consoles After the profile is encrypted this window will show each time that you use the Configure via Windows option of the Configuration Utility E Enter Password Enter the password with which the XML file was encrypted or choose to overwrite the existing profile with a profile containing default values Figure 6 Enter Password Window To use the encrypted profile you must enter the password used during encryption and then click OK Alternatively you can click Overwrite If you do this the Profile xml file is deleted and replaced with a new Profile xml file that contains default settings Intel AMT Configuration Utility User Guide 34 Chapter 4 Using the Configuration Utility SMB Manual Configuration This procedure describes how to configure an Intel AMT system using a USB key Note This option is available only for systems with Intel AMT 4 0 and higher For more information see SMB Manual Configuration on page 3 To configure an Intel AMT system 1 From the Configuration Options window select Configure via USB Key The Configure via USB Key window opens Intel R Active Management Technology Configuration Utility gt 05 x
113. oes not AdminPassword lt password gt ADOU lt ADOU path gt support passwords that start NetworkSettingsFile lt file gt with a forward slash FileToRun lt filename gt FileHash lt SHA256 hash gt FileUser lt username gt FilePassword lt password gt Intel AMT Configuration Utility User Guide 82 Chapter 6 Using the Configurator Parameters global options See CLI Global Options on page 80 lt filename gt The XML file containing the configuration parameters for this Intel AMT system DecryptionPassword Mandatory if any of the files that the Configurator will use are lt password gt encrypted see File Encryption on page 5 AbortOnFailure If configuration fails put the Intel AMT device in the Not Provisioned mode This parameter is applicable only for systems that were unconfigured when the command started during reconfiguration this parameter is ignored AdminPassword The current password of the default Digest admin user defined in the lt password gt Intel AMT device This parameter is NOT necessary if one of these are true e The device is in an unconfigured state The XML profile contains the Digest admin password The user account running the Configurator is a Kerberos account that is configured in the Intel AMT device with administrator permissions ADOU lt ADOU path gt The path to the Active Directory Organization
114. on Provides alerts to a user on the local interface Endpoint Access Control Returns settings associated with NAC posture Endpoint Access Control Configures and enables the NAC posture Administrator Event Log Reader Allows definition ofa user with privileges only to read the Intel AMT system log Access Monitor Allows a system auditor to monitor all events Before assigning this realm see Using Access Monitor on page 52 User Access Control Groups several ACL management commands into a separate realm to enable users to manage their own passwords without requiring administrator privileges Using Access Monitor The access monitor serves as a deterrent to rogue administrator activity by tracing attempts to execute damaging actions The feature is implemented by means of two elements an Audit Log and a special Auditor user that you assign the Access Monitor realm The Intel AMT system writes selected events to the Audit Log that is accessible only to the Auditor Only the Auditor can define which events the Intel AMT system writes to the Audit Log You can assign the Access Monitor realm to one user only and only that user can then relinquish it By default the default admin user account has access to this realm Intel AMT Configuration Utility User Guide 52 Chapter 5 Defining Configuration Profiles Defining Home Domains The Home Domains window of the Configuration Profile
115. on only if you define a home domain in the Home Domains list and do not select a WiFi setup Allow WiFi connection with the following WiFi setups If you select this option you can define up to 15 profiles in the WiFi setup list see Creating WiFi Setups on page 65 After creating WiFi setups you can also do these tasks e Edit an existing WiFi setup by clicking Edit e Remove a WiFi setup from the list by clicking Remove e Select a WiFi setup and click the Up or Down arrows to change the priority of the WiFi setup in the list Note If you enable support for WiFi synchronization step 2 it is not mandatory to define WiFi setups in the profile 2 Optional Intel AMT 6 0 and higher includes a Wireless Profile Synchronization feature This feature enables synchronization of the wireless profiles in the operating system with the WiFi setups defined in the Intel AMT device When the Enable Synchronization of Intel AMT with host platform WiFi profiles check box is selected support for this feature is enabled To use this feature to synchronize profiles the Intel PROSet Wireless Software must be installed on the operating system For more information refer to the documentation of the Intel PROSet Wireless Software 3 Optional By default connection to the Intel AMT device via the WiFi connection is available only when the operating system is in the SO power state Enabling WiFi connection in all power states uses m
116. on page 45 Configured Systems After an Intel AMT device is configured reconfiguration and maintenance tasks can only be done by a user defined in the device with administrator permissions The user account running the Configuration Utility is not required to have administrator permissions in the operating system Note If the Intel AMT device is in Client Control mode you can unconfigure Intel AMT without requiring administration privileges in the device To do this you must run the Configuration Utility with a local user account with administrator permissions on the Intel AMT system On operating systems with UAC the Configuration Utility must be Run as administrator Intel AMT Configuration Utility User Guide 25 3 Quick Start Guide This is a quick start guide to help you decide how to use the Configuration Utility to configure Intel AMT systems How you use the Configuration Utility depends on these four conditions 1 The Number of Systems to Configure The Configuration Utility is the easiest deployment method and is recommended when a small number of systems need to be configured To use this method see e Starting the Configuration Utility on page 28 e Configuring Unconfiguring Individual Systems on page 29 When a large number of systems need to be configured use the Profile Designer to create an XML profile and then use the Configurator to do the configuration For more information see
117. onfiguration Utility User Guide 92 Chapter 6 Using the Configurator What if a Failure Occurs Scripts that run after configuration reconfiguration and maintenance operations only tun if the operation is successful or completes with warnings If a script fails Intel SCS does not make any changes to the Intel AMT settings set by the operation that ran before the script The ConfigAMT command includes a parameter called AbortOnFailure This parameter is applicable only for systems that were unconfigured when the command started during reconfiguration this parameter is ignored If you supply this parameter Intel SCS will put the Intel AMT device in the Not Provisioned mode unconfigured if the post configuration script fails This means that if the script fails unconfigured systems that were configured successfully will be automatically unconfigured Only use this parameter if it is critical that the post configuration script will complete successfully Script Runtime and Timeout The maximum permitted runtime for scripts is 60 seconds If the script does not complete within 60 seconds an error is returned The error is recorded in the log file and will contain an error code OxC0003EAA and a description like this The supplied script has not finished in the time out period defined by Intel SCS If your script requires more than 60 seconds to complete you must make sure that your script returns a success code 0
118. ore battery power If you want to enable the WiFi connection in all SO S5 power states select Enable WiFi connection also in S1 S5 operating system power states 4 Ifrequired from the 802 1x Setup Name drop down list select the 802 1x setup to use on a wired LAN This setup will be used when the Intel AMT device is active in S3 S4 or S5 power states Optionally you can also edit an existing 802 1x setup by clicking Edit or create a new 802 1x setup by clicking Add see Creating 802 1x Setups on page 67 Intel AMT Configuration Utility User Guide 64 Chapter 5 Defining Configuration Profiles 5 Optional Define advanced wired 802 1x authentication options a Click Advanced The Advanced Wired 802 1x Settings window opens E Advanced Wired 802 1x Settings 15 x T Enable 802 1x for Intel AMT even if host is not authorized for 802 1x CT Keep 802 1x session after boot to allow PXE boot for a minutes Figure 27 Advanced Wired 802 1x Settings Window b Select the check boxes of the options you want to enable Enable 802 1x for Intel AMT even if host is not authorized for 802 1x Manageability traffic is enabled even if the host is unable to complete 802 1x authentication to the network Keep 802 1x session open after boot to allow PXE boot for minutes The 802 1x session is kept alive after a PXE boot for the number of minutes that you specify up to 1440 minutes 24 hours This is the period al
119. osture signing b From the Certificate Template drop down list select the template that will be used to create the client certificate The templates shown are templates where the Subject Name is supplied in the request For information how to create a template see Defining Enterprise CA Templates on page 96 Note If the Profile Designer is located on a computer that does not have access to the CA the drop down lists will not display the CA or the templates If necessary you can manually supply the CA name in the format FQDN CA Name and the name of the template c Define the Common Names that will be included in the Subject Name of the generated certificate For more information see Defining Common Names in the Certificate on page 101 6 Click OK The Configure End Point Access Control window closes Intel AMT Configuration Utility User Guide 71 Chapter 5 Defining Configuration Profiles Defining System Settings The System Settings window of the Configuration Profile Wizard lets you define several settings in the Intel AMT device E Configuration Profile Wizard System Settings Management Interfaces Getting Started Select which management interfaces to enable Profile Scope M webut M Serial Over LAN M IDERedirection M KVM Redirection Optional Settings RFB Password for KVM sessions ri I Show password AD Integration Power Management Settings Access Control List Specify the system power sta
120. ote Connection to Intel AMT Fails During configuration an IP address is set in the Intel AMT device This IP address is used by management consoles to remotely connect to Intel AMT If the IP address is incorrect your management console will not be able to connect to the device Solutions The first step is to check the IP address that is defined in the Intel AMT device To do this use the standalone System Discovery utility or the SystemDiscovery command For more information see Discovering Systems on page 81 The value of the IP address is located in this tag registry key Configurationinfo gt AMTNetworkSettings gt AMTWiredNetworkAdapter gt IPv41PSettings gt IP If this tag registry key contains the correct IP address Inthe Domain Name System DNS make sure that this IP address is associated with the correct FQDN for the Intel AMT system e Ifyou have a Firewall in your network make sure that the ports used by Intel AMT are not blocked 16992 16993 16994 16995 5900 If this tag registry key contains a value of 0 0 0 0 this means that the device is waiting to be updated by the DHCP server This can occur after you do any of these e Configure a system to use DHCP but the system was already configured to use a static IP e Runa Full unconfiguration on a system this sets the system back to the default which uses an IP address from the DHCP server To fix this problem it is recommended
121. out the required format see Password Format on page 4 7 From the drop down list define in which power states of the host system the Intel AMT device will operate e Always on S0 S5 If the system is connected to the power supply the Intel AMT manageability features are available in all of the system power states This is the recommended setting e Host is on S0 The Intel AMT manageability features are available only if the operating system of the Intel AMT system is up and running 8 Optional By default the user consent feature is not enabled for systems configured using this configuration method see User Consent on page 7 If you want to define that user consent is mandatory for redirection sessions select User consent required for redirection sessions 9 From the USB Drive drop down list select the drive letter of the USB key you cannot select a USB key if you are using it to run the Configuration Utility 10 Click Next The Formatting USB drive window opens 11 Click Yes if you are sure you want to continue and format the USB key The Configuration Utility creates a configuration file on the USB key Intel AMT Configuration Utility User Guide 41 5 Defining Configuration Profiles This chapter describes how to define configuration profiles For more information see e About Configuration Profiles e Creating Editing Configuration Profiles Defining the Profile Scope e Defining P
122. pported by Intel SCS refer to the ntel R _SCS_8 2_User_Guide pdf This is the general syntax ACUConfig exe global options command command arguments and options To view syntax of a specific command type the command name followed by These conventions are used in the command syntax of the examples e Optional parameters are enclosed in square brackets e User defined variables are enclosed in angled brackets lt gt e Mutually exclusive parameters are separated with a pipe e Where necessary braces are used to group elements together to eliminate ambiguity in the syntax Note The CLI does not support passwords that start with a forward slash Intel AMT Configuration Utility User Guide 79 Chapter 6 Using the Configurator Configurator Log Files The Configurator records errors and other log messages in two locations e Inthe Windows Event Viewer Application log of the Intel AMT system e Ina log file By default e A new log file is created each time you run the Configurator You can use the KeepLogFile global option to change this default e The log file is saved in the folder where the Configurator is located and has this format ACUlog_HostName_YYYY MM DD HH MI SS Log For example ACUlog_ ComputerX_2010 05 01 11 05 57 log You can use the Output File global option to change the default name and location of the log file CLI Global Options You can use any of these global optio
123. reating Editing Configuration Profiles on page 43 Note If you want to cancel all changes that were made to the profile and revert to the default profile click Restore to Default Profile 5 Ifthe profile is not encrypted click Next and define an encryption password in the Profile Encryption window see Encrypting the Profile on page 34 6 Ifthe profile is already encrypted click Configure The system is configured with Intel AMT and can be accessed by management consoles Intel AMT Configuration Utility User Guide 31 Chapter 4 Using the Configuration Utility Defining IP and FQDN for a Single System Each Intel AMT device can have its own IP and FQDN settings The IP and FQDN settings are usually the same as those defined in the host operating system but they can be different The Configuration Utility puts these settings in the Intel AMT device To change the default IP and FQDN settings 1 From the Configure via Windows window click Network Settings The Network Settings window opens oxi FQDN Specify the source of the FQDN that will be set in the Intel AMT device Use the following as the FQDN Primary DNS FQDN x Use the following FQDN M The device and the OS will have the same FQDN Shared FQDN IP Specify the source of the IP that will be set in the Intel AMT device Use the same IP as the host for static IP only Get the IP from the DHCP server Use the following s
124. rms specific maintenance tasks based on settings in the lt filename gt XML file For more information about maintaining Intel AMT see Maintenance Policies for Intel AMT on page 12 Syntax ACUConfig exe global options MaintainAMT lt filename gt Note The CLI does not support passwords that start with a forward slash lt task gt lt task gt DecryptionPassword lt password gt AdminPassword lt password gt NetworkSettingsFile lt file gt FileToRun lt filename gt FileHash lt SHA256 hash gt FileUser lt username gt FilePassword lt password gt Parameters global options See CLI Global Options on page 80 lt filename gt The XML file containing the original configuration settings that were used to configure the Intel AMT system Settings in the XML file not related to the specified maintenance tasks are ignored lt task gt Define at least one of these maintenance tasks e SyncAMTTime Synchronize the clock of the Intel AMT device with the clock of the host This task is performed automatically when any of the other tasks are performed SyncNetworkSettings Synchronize network settings of the Intel AMT device as defined in the lt NetworkSettings gt tag of the lt filename gt XML file see Defining IP and FQDN Settings on page 75 ReissueCertificates Reissue the certificates stored in the Intel AMT device If the device contains
125. roduction Recommendations for Secure Deployment The Configuration Utility and the Configurator use XML files for the host based configuration method These files can include passwords and data that persons without approval must not access Intel recommends these standard security precautions Encrypt all the files that the Configuration Utility Configurator will use Use a Strong password with a minimum of 16 characters see File Encryption on page 5 e Make sure that deployment packages and the encryption password are stored in a location that only approved personnel can access Send deployment packages to the Intel AMT systems with a communication method that prevents access to persons without approval e When configuration unconfiguration is complete delete all configuration files remaining on the Intel AMT system that were used by Intel SCS components e Ifthe Configuration Utility Configurator will need to communicate with a CA or create an AD object give permissions only to the specific CA template or the specific Active Directory Organizational Unit e Always use the default requirement for digital signature authentication when using the Configurator CLI remotely see Digital Signing of Files on page 6 e XML files created using the Discovery options are not encrypted Make sure that you delete these files on the Intel AMT systems after collecting the data that they contain Security After Configuration
126. rofile Optional Settings e Defining Active Directory Integration Defining the Access Control List ACL Defining Home Domains e Defining Remote Access Defining Trusted Root Certificates Defining Transport Layer Security TLS Defining Network Setups Defining System Settings About Configuration Profiles Configuration profiles created by the Configuration Utility are in XML format Configuration profiles contain the settings that will be put into the Intel AMT devices during configuration using the Configuration Utility Configurator You can also create Delta Profiles that can be used to make changes to specific settings only Only settings defined in the Delta Profile will be changed on the systems during configuration All other settings will stay in their current condition on the systems Note Profiles created using the Configuration Utility can only be used with the Host Based Configuration method supported from Intel AMT 6 2 and higher Intel AMT Configuration Utility User Guide 42 Chapter 5 Defining Configuration Profiles Creating Editing Configuration Profiles The Configuration Profile Wizard lets you create and edit configuration profiles This wizard starts when you e Click Edit Configuration in the Configure via Windows window see Configuring a System on page 30 e Click or in the Profile Designer window see Using the Profile Designer on page 39 When you start
127. rom Microsoft CA x Certificate Authority Certificate Template Refresh CAs amp Templates Common Names CNs in certificate DefaultCNs User defined CNs Figure 30 Configure End Point Access Control Window 2 Inthe EAC vendor section select one of these e NAC NAP or NAC NAP Hybrid Both NAC and NAP 3 From the Highest hash algorithm supported by the authentication server drop down list select one of these SHA 1 e SHA 256 supported from Intel AMT 6 0 e SHA 384 supported from Intel AMT 6 0 Intel AMT Configuration Utility User Guide 70 Chapter 5 Defining Configuration Profiles 4 From the Select the method for creating the certificate drop down list select the source for the certificate that will be installed in the Intel AMT device Request certificate from Microsoft CA By default the settings for this option are displayed To use this option the Configuration Utility must have access to the CA during configuration Continue from step 5 Use certificate from a file For information about this method and the necessary file format see Using Predefined Files Instead of a CA Request on page 103 If you select this option define the file locations and continue from step 6 5 To request the certificate from a CA do these steps a From the Certificate Authority drop down list select the Enterprise CA that the Configuration Utility will use to request a certificate for EAC p
128. ser consent required for all redirection operations Ka Select the settings Enable KVM Redirection Enables support for KVM redirection Allow IT to change user consent setting Enables changes to the user consent setting in the Intel AMT device to be done remotely e User consent setting Defines for which redirection operations user consent is mandatory For more information see User Consent on page 7 4 Puta USB key in the Intel AMT system this USB key will be formatted in step 7 Note The Configuration Utility does not restrict the size of USB key you can use But the computer BIOS must fully support the selected USB key and be able to do a reboot from it Intel AMT Configuration Utility User Guide 36 Chapter 4 Using the Configuration Utility 5 Click Next The Create Configuration USB Key window opens E Intel R AMT Configuration Utility Create Configuration USB Key Use a USB drive to assign configuration data to this computer Select the relevant drive from the list below USB Drive ba Refresh List of USB Drives Note Ensure that the USB drive is supported by the system s BIOS Figure 8 Create Configuration USB Key Window 6 From the USB Drive drop down list select the drive letter of the USB key you cannot select a USB key if you are using it to run the Configuration Utility 7 Click Next A message is shown warning that the USB key will be formatted 8
129. sh CAs amp Templates Getting Started Profile Scope Optional Settings AD Integration Access Control List Home Domains Remote Access Transport Layer Security Common Names CNs in certificate DefaultCNs User defined CNs Network Configuration System Settings Mutual Authentication Advanced Security Finish T Use mutual authentication for remote interface The trusted root certificates used to authenticate requests to the system must appear in the list below If they do not use the Edit List option example example domain Edit List Figure 24 Transport Layer Security TLS Window Note You cannot use a configuration profile containing TLS settings to configure Intel AMT systems that have Cryptography disabled Intel AMT Configuration Utility User Guide 60 Chapter 5 Defining Configuration Profiles To configure TLS settings 1 From the Select the method for creating the certificate drop down list select the source for the certificate that will be installed in the Intel AMT device Request certificate from Microsoft CA By default the settings for this option are displayed To use this option the Configuration Utility must have access to the CA during configuration Continue from step 2 Use certificate from a file For information about this method and the necessary file format see Using Predefined Files Instead of a CA Request on page 103 If you select this option defi
130. sks that were identified in step 1 If no tasks are necessary nothing is done Intel AMT Configuration Utility User Guide 14 Chapter 1 Introduction This table describes the registry keys and values and how they are used by the AutoMaintain parameter Table 2 Keys and Values used by AutoMaintain Certificates Contains data of up to three different certificates that were configured in the Intel AMT device The CertificateExpirationDate key contains the date when the certificate will expire If there are less than 30 days before one of these expiration dates reissue all the certificates ReissueCertificates task NetworkSettings String values located in the root of the ConfigurationInfo key Contains data about the network settings configured in the Intel AMT device The values in the registry are compared with the settings defined in the profile If they are not the same the new settings from the profile are configured in the device SyncNetworkSettings task LastRenewAdminPassword The last time that the password of the default Digest admin user was configured in the Intel AMT device If this date is more than 6 months old change the password according to the password setting defined in the profile RenewAdminPassword task LastRenewADPassword The last time that the password was configured in the Active Directory object representing the Intel AMT system If this date is more than 6 months o
131. ssword for each device These passwords are not saved Because the password is not known to you or any application after configuration you will not be able to connect to the device with the default admin user Note Do NOT use the random password method unless you define a Kerberos admin user see User Defined Admin User Kerberos on page 11 e In the Configuration Utility you can only select this option if the profile contains at least one user in the Access Control List Intel AMT Configuration Utility User Guide 10 Chapter 1 Introduction User Defined Admin User Kerberos If your network has Active Directory AD you can also define your own administrative user in the device that will be authenticated using Kerberos You can then use this user instead of the default admin user To use a dedicated Active Directory Admin User Kerberos 1 Define an AD user in the Intel AMT device with the PT Administration realm see Defining the Access Control List ACL on page 49 2 Define a password for the default admin user see Default Admin User Digest on page 10 The application communicating with the Intel AMT device using the AD user will not use or require this password 3 Run the Configurator using the credentials of the user defined in step 1 Note When using a Kerberos user and the host based configuration method e The Configuration Utility must NOT be Run as administrator
132. stem VNC includes two main components e VNC Server An application located on the remote managed system that permits the VNC Client to connect to and operate the system From Intel AMT 6 0 a VNC Server component is embedded in the Intel AMT device e VNC Client An application usually located on a management server used to connect to and operate the remote managed system To use KVM Redirection with Intel AMT requires that 1 KVM is enabled in the Intel MEBX of the Intel AMT system If disabled in the Intel MEBX KVM cannot be enabled by the Configuration Utility during configuration it must be done manually at the system 2 The KVM Redirection interface is enabled in the Intel AMT device 3 A VNC Client is installed on the computer that will control the Intel AMT systems VNC Clients VNC Clients can connect to the VNC Server in the Intel AMT device using these ports e Redirection Ports 16994 and 16995 These ports are available to VNC Clients that include support for Intel AMT authentication methods To use these ports the VNC Client user must be defined in the Intel AMT device see Defining the Access Control List ACL on page 49 Port 16995 also uses Transport Layer Security Default Port 5900 VNC Clients that do not include support for Intel AMT can use this port This is a less secure option To use this port e The VNC Client user must supply the Remote Frame Buffer RFB protocol password
133. sure that the list of home domains contains valid home domains for all systems that will be configured with this profile 3 Optional To permit access to Intel AMT over a Virtual Private Network select Allow Intel AMT functionality via VPN If selected access to the Intel AMT system is permitted when it is connected over a VPN to a domain in the Home Domains list Intel AMT Configuration Utility User Guide 53 Chapter 5 Defining Configuration Profiles Defining Remote Access The remote access feature lets Intel AMT systems versions 4 x and higher located outside an enterprise connect to management consoles inside the enterprise network The connection is done via a Management Presence Server MPS located in the DMZ of the enterprise The MPS appears as a proxy server to management console applications The Intel AMT device establishes a Mutual Authentication TLS tunnel with the MPS Multiple consoles can interact with the Intel AMT device through the tunnel For remote access to work the Intel AMT system must first be configured when it is inside the enterprise with the information needed to connect with the MPS Configuration Profile Wizard Optional Settings Remote Access Management Presence Servers Getting Started Specify at least one management presence server MPS to authenticate systems that are Profile Scope outside of the firewall Optional Settings AD Integration Edit Access Control List Remo
134. t the source for the certificate that will be installed in the Intel AMT device Request certificate from Microsoft CA By default the settings for this option are displayed To use this option the Configuration Utility must have access to the CA during configuration Continue from step 8 Use certificate from a file For information about this method and the necessary file format see Using Predefined Files Instead of a CA Request on page 103 If you select this option define the file locations and continue from step 9 8 To request the certificate from a CA do these steps a From the Certificate Authority drop down list select the Enterprise CA that the Configuration Utility will use to request a certificate that the MPS can authenticate b From the Client Certificate Template drop down list select the template that will be used to create the client certificate The templates shown are templates where the Subject Name is supplied in the request and the usage is Client Authentication For information how to create a template see Defining Enterprise CA Templates on page 96 Note If the Profile Designer is located on a computer that does not have access to the CA the drop down lists will not display the CA or the templates If necessary you can manually supply the CA name in the format FQDN CA Name and the name of the template c Define the Common Names that will be included in the Subject Name o
135. tes in which the Management Engine ME is operational Home Domains Always On 50 55 bd po M ME will go into a lower power state when idle Timeout if idle 3 minutes Transport Layer Security Network Settings Network Configuration IV Enable Intel AMT to respond to ping requests IV Enable Fast Call for Help within the enterprise network Fast Call for Help Settings Figure 31 System Settings Window Note The location in the Configuration Utility from where you open the Configuration Profile Wizard causes different options to show in the System Settings window For information about these settings see e Management Interfaces e Power Management Settings e Network Settings Intel AMT Configuration Utility User Guide 12 Chapter 5 Defining Configuration Profiles Management Interfaces 1 Select the interfaces that you want to open on the Intel AMT device Web UI Enables you to manage and maintain Intel AMT systems using a browser based interface Serial Over LAN Enables you to remotely manage Intel AMT systems by encapsulating keystrokes and character display data in a TCP IP stream IDE Redirection IDE R enables you to map a drive on the Intel AMT system to a remote image or drive This functionality is generally used to reboot an Intel AMT system from an alternate drive KVM Redirection Opens the KVM Redirection interface For more information about KVM see Support for KVM
136. the hostname from the host operating system The suffix is the AD domain of which the host operating system is a member DNS Look Up FQDN Takes the name returned by an nslookup on the IP address of the on board wired LAN interface e Get the FQDN from the dedicated network settings file Note If you select a dedicated network settings file as the source for the FQDN or IP e Make sure that the file contains only the settings FQDN IP that you want to supply using the file For information about the format and tags of the XML file see the NetworkSettings xml example file located in the sample_files folder e Do not forget to supply the path to the file using the NetworkSettings File parameter of the Configurator CLI command 2 Optional Intel AMT 6 0 and higher includes a setting called Shared FQDN This setting can change the behavior of the Intel AMT device when using option 81 of the DHCP server to update DNS e When this setting is true the Intel AMT device will send broadcast queries only when the operating system is not running This is the default behavior of all Intel AMT versions that do not support the Shared FQDN setting e When false the device will always send its own broadcast queries even when the operating system is running For Intel AMT 6 0 and higher devices that will be configured with a dedicated FQDN clear this check box The device and the OS will have the same FQDN Shared FQDN
137. the Configuration Profile Wizard the Getting Started window opens E Configuration Profile Wizard Getting Started Profile Scope Welcome Optional Settings This wizard creates a profile to configure multiple systems that are enabled with Intel AMT The profile determines the management settings of the systems These settings will be applied to all systems AD Integration configured with this profile Access Control List Home Domains Remote Access Transport Layer Security Network Configuration Profile Description System Settings Finish Description This profile will be used for Configuration Reconfiguration All Intel AMT settings on the system will be set exactly as defined in this profile Delta Configuration Figure 12 Getting Started Window Intel AMT Configuration Utility User Guide 43 Chapter 5 Defining Configuration Profiles To define the profile 1 Optional In the Profile Description section enter a description for the profile This field is for informational purposes only 2 Select the task for which you want to use this profile Configuration Reconfiguration Systems configured using this profile will be set with the Intel AMT settings exactly as they are defined in this profile Optional settings that are not defined in this profile will be removed from the systems during configuration Delta Configuration After a system is configured you can use this option t
138. tion Protocol EAP You can include the 802 1x setups you define in the profile for wireless and wired connections The EAP GTC protocol can only be used in 802 1x wired setups Note 802 1x setups require integration with Active Directory see Defining Active Directory Integration on page 48 and an Enterprise root CA To create an 802 1x setup 1 From the WiFi Setup window or the Wired 802 1x Authentication section of the Network Configuration window click Add The 802 1x Setup window opens i iclx Definition Setup Name Protocol EAP FAST MS CHAP v2 x Authentication Select the method for creating the certificate Request certificate from Microsoft CA x Certificate Authority Client Certificate Template Refresh CAs amp Templates Common Names CNs in certificate DefaultCNs User defined CNs Roaming Identity Select the trusted root certificate used to authenticate the RADIUS server from the list below If it does not appear in the list use the Edit List option 7 Edit List RADIUS Server Verification Do not verify RADIUS server certificate subject name Verify server s FQDN Verify server s domain suffix Figure 29 802 1x Setup Window Intel AMT Configuration Utility User Guide 67 Chapter 5 Defining Configuration Profiles 2 Inthe Setup Name field enter a name for this 802 1x setup The setup name can be up to 32 characters and
139. torage Event Manager Allows configuring hardware and software events to generate alerts and to send them to a remote console and or log them locally Storage Administration Used to configure the global parameters that govern the allocation and use of non volatile storage Agent Presence Local Used by an application designed to run on the local platform to report that it is running and to send heartbeats periodically Agent Presence Remote Used to register Local Agent applications and to specify the behavior of Intel AMT when an application is running or stops running unexpectedly Circuit Breaker Used to define filters counters and policies to monitor incoming and outgoing network traffic and to block traffic when a suspicious condition is detected the System Defense feature Network Time Used to set the clock in the Intel AMT device and synchronize it to network time Intel AMT Configuration Utility User Guide 51 Chapter 5 Defining Configuration Profiles Table 5 Intel AMT Realms Continued General Info Returns general setting and status information With this interface it is possible to give a user permission to read parameters related to other interfaces without giving permission to change the parameters Firmware Update Used only by manufacturers via Intel supplied tools to update the Intel AMT firmware EIT Implements the Embedded IT service Local User Notificati
140. u might find when using the Configuration Utility and provides their solutions For more information see Configuration Utility Error Cannot Configure Intel AMT The Configuration Utility Takes a Long Time to Start Problems Using Configuration Utility on a Network Drive Remote Connection to Intel AMT Fails Error with XML File or Missing SCSVersion Tag Reconfiguration of Dedicated IP and FQDN Settings Disjointed Namespaces Kerberos Authentication Failure Error Kerberos User is not Permitted to Configure Error when Removing AD Integration Error in SetKerberos Failed Certificate Requests via Microsoft CA Delta Profile Fails to Configure WiFi Settings Disabling the Wireless Interface Intel AMT Configuration Utility User Guide 105 Appendix B Troubleshooting Configuration Utility Error Cannot Configure Intel AMT The Welcome window of the Configuration Utility includes an option named Configure Unconfigure this System If you select this option when the Configuration Utility is running on a system that does not have Intel AMT this error message shows Cannot Configure Intel AMT xX This system does not support Intel AMT and therefore cannot be configured This is because you can use this option only when you run the Configuration Utility on systems that have Intel AMT But in this version of the Configuration Utility this error message can also occur for systems that have Intel AMT
141. ue and Manage Certificates e Request Certificates For an Enterprise root CA you also need to grant the Configuration Utility user account the Read and Enroll permissions on the templates you want to select in the configuration profiles Defining Enterprise CA Templates If you use the Configuration Utility with an Enterprise CA to configure Intel AMT features to use certificate based authentication you must define certificate templates Note This procedure shows how to create a template containing the correct settings for Intel AMT For settings specific to your organization such as certificate expiration specify the values you require You must also make sure that the CA and the template are not defined to put certificate requests into the pending status For more information see Request Handling on page 95 To create a certificate template l From your Certificate Authority server select Start gt Run The Run window opens Enter mmc and click OK The Microsoft Management Console window opens If the Certificate Templates plug in is not installed perform these steps a Select File gt Add Remove Snap in The Add Remove Snap in window opens b Click Add The Add Standalone Snap in window opens c From the list of available snap ins select Certificate Templates click Add and then click Close The Add Standalone Snap in window closes d Click OK The Add Remove Snap in window closes and the Certificate
142. uide 35 Chapter 4 Using the Configuration Utility 3 Optional Select Display advanced settings to view or edit the default settings that the Configuration Utility will define for this system Power Settings Defines in which power states of the host system the Intel AMT device will operate e Always on S0 S5 If the system is connected to the power supply the Intel AMT manageability features are available in any of the system power states This is the recommended setting e Host is on S0 The Intel AMT manageability features are available only if the operating system of the Intel AMT system is up and running Network Settings By default the Configuration Utility configures the Intel AMT device with the hostname and the domain name defined in the operating system This is the recommended setting but you can change these settings if necessary for your network environment By default the Configuration Utility also uses the Dynamic Host Configuration Protocol DHCP server to configure the IP address of the device If you are not using DHCP in your network clear the DHCP Enabled check box and enter the network IP addresses Redirection Settings These settings are shown only for systems with Intel AMT 6 0 and higher Redirection Settings V Enable KVM Redirection IV Allow IT to change user consent setting User consent setting User consent not required User consent required for KVM sessions U
143. urer are used This table gives the GUID values in Hex 32 character format per Intel AMT version Table 7 Power Package GUIDs Intel AMT 8 x 7 x 6 x mobile ON in SO 763997110B565043887098 12F391B560 ON in S0 ME Wake in S3 AC 4 5 AC 30800DEE09C07843AF287868A2DBBE3A Intel AMT 8 x 7 x 6 x desktop ON in SO 944F8312FB104FDC968E1E232B0C9065 ON in S0 ME Wake in 3 S4 5 7322734623DC432FA98A 13D37982D855 OFF After Power Loss Intel AMT 5 x desktop ON in SO 944F8312FB104FDC968E1 E232B0C9065 ON in SO S3 A18600AB9A7F4C42A6E6BB243A295D9E ON in S0 S3 S4 5 7286ABAC96B448E29B9EIB7DF91C7FD4 ON in S0 ME WoL in S3 7B32CD4D6BBE4389A62A4D7BD8DBD026 ON in S0 ME WoL in S3 S4 5 7322734623DC432FA98A 13D37982D855 ON in SO S3 S4 5 OFF After C519A4BA6E6F8D4DB227517F7E4595DB Power Loss ON in S0 ME WoL in S3 S4 5 D60BE3ED04C52C46B772D 18018EE2FC4 Intel AMT 4 x mobile 763997110B565043887098 12F391B560 N in S0 3 AC 26D31C768708C74BBBSF387443 1SA5FF 530E08DB6COFD948B2D28958D3F 1156E N in SO ME Wake in 3 AC 055DDSB64CA4874DA5A8B47C14DEDASF O O ON in S0 S3 AC S4 5 AC O O N in SO ME Wake in S3 AC S4 5 AC 30800DEE09C07843AF287868A2DBBE3A Intel AMT Configuration Utility User Guide 86 Chapter 6 Using the Configurator Maintaining Configured Systems Command MaintainAMT Description Perfo
144. ve Home Domains Remote Access Remote Access Policy List Transport Layer Security Specify at least one Remote Access policy to allow systems outside the firewall to connect to a management console within the network via an MPS listed above Network Configuration System Settings Finish Add Edit Remove Figure 19 Remote Access Window To define the remote access parameters see these topics e Defining Management Presence Servers on page 55 e Defining Remote Access Policies on page 57 Intel AMT Configuration Utility User Guide 54 Chapter 5 Defining Configuration Profiles Defining Management Presence Servers You can define up to four Management Presence Servers in a configuration profile To define a management presence server 1 From the Management Presence Servers section of the Remote Access window click Add The Management Presence Server Properties window opens E Management Presence Server Properties Details Specify the location and listening port of the MPS Server FQDN or IP Address Port feo Server Authentication The trusted root certificates used by the system to authenticate the MPS must appear in the list below If they do not use the Edit List option Edit List Common Name CN System Authentication System authentication is certificate based Select the method for creating the certificate Request certificate from Microsoft CA Certif
145. within 60 seconds To do this you can wrap your script with a batch file like this Start Myscript bat 1 2 Exit 0 If you do this your script will be responsible to handle any subsequent errors if they are generated by your script Subsequent script errors will not be recorded in the log Parameters Sent in Base64 Format Some of the parameters sent sent to the script by the Configurator are sent in Base64 format The number of characters sent in the Base64 value representing the parameter must be divisible by 4 If it is not additional characters are added to the end of the Base64 value For example if the Base64 value includes only 6 characters two characters are automatically added When Base64 values are sent to a batch file the command line interpreter removes these additional characters This means that the parameter value cannot be decoded correctly To solve this problem add the missing characters to the Base64 value before decoding it Intel AMT Configuration Utility User Guide 93 A Certification Authorities and Templates This appendix describes the prerequisites and procedures for using a Certification Authority CA with the Configuration Utility For more information see Standalone or Enterprise CA Request Handling Required Permissions on the CA Defining Enterprise CA Templates Defining Common Names in the Certificate Using Predefined Files Instead of a CA Request CRL X
146. y tab opens Make sure that the user running the Configurator or the group the user is in appears in this list and has the Read and Enroll permissions If this is a template for TLS do these steps a Click the Extensions tab The Extensions tab opens b From the list of extensions select Application Policies and click Edit The Edit Application Policies Extension window opens c Click Add The Add Application Policy window opens d From the list of Application policies select Server Authentication and click OK the Server Authentication policy contains this OID 1 3 6 1 5 5 7 3 1 e Click OK to return to the Properties of New Template window Intel AMT Configuration Utility User Guide 99 16 17 18 19 20 21 Appendix A Certification Authorities and Templates Note If you define Mutual TLS in the configuration profile each application that needs to communicate with the Intel AMT device will need a certificate In addition to the Server Authentication OID added in step 14 d the certificate must contain these OIDs For remote access 2 16 840 1 113741 1 2 1 e For local access 2 16 840 1 113741 1 2 2 You can add these OIDs to this template by clicking New in the Add Application Policy window You must then install a certificate based on this template in the certificate store of the user running the application Click OK The Properties of New Template window closes Select Start gt
147. ystem If you want to use this option you must define a list of trusted domains When the host system is not located in one of the domains in the list access to the Intel AMT device is blocked The list of domains is defined in the Home Domains window of the configuration profile see Defining Home Domains on page 53 Note If you use this option make sure that you have a complete and accurate list of all the domains where the host system can operate If you make a mistake when defining this list you might not be able to connect to the Intel AMT device after it is configured You must make sure that you always configure systems only with a profile that contains a list of domains correct for those systems You must make sure that you define the domain names exactly as they are defined in option 15 of the DHCP servers onboard specific DNS suffix 4 VPN Do you want to permit access to Intel AMT via a VPN By default Intel AMT devices are configured to block access via Virtual Private Network VPN connections If want to manage systems outside of the organization s network and are connected to it using VPN you will need to change this setting This setting is defined in the Home Domains window of the configuration profile Note A prerequisite for this setting is to define a list of Home Domains see item 3 in this checklist 5 AD Do you want to integrate Intel AMT with Active Directory AD If your network uses AD
148. ystems these additional fields are shown Specify the method to be used to create the Intel AMT admin user password Use the following password for all systems Show password Create a random password for each system Define the password of the default admin user built into each Intel AMT device Use the following password for all systems The password you define here see Password Format on page 4 is set in all devices configured with this profile e Create a random password for each system The Configuration Utility generates a different random password for each device 2 Optional Select Enable Intel AMT to respond to ping requests When this check box is selected the Intel AMT device will respond to a ping if the host platform does not 3 Optional You can define which interfaces are open for the local Fast Call for Help feature If the computer is inside the enterprise network the user can initiate a connection request to connect to a management console By default the user can access this option from the operating system and from the BIOS To change this setting do one of these To close both interfaces clear the Enable Fast Call for Help within the enterprise network check box e To select which interface to open click Fast Call For Help Settings and select the interface from the Fast Call for Help interfaces window E Fast Call for Help Interfaces iol x Define the
Download Pdf Manuals
Related Search