Part 3: Alternative Methods of Configuring Intel AMT

Version 3


    Host Based Configuration of Intel AMT


     

    Document Series Background

    This is part 3 of a document series to explain alternative configuration methods for Intel AMT.  

     

    This section focuses on Host Based Configuration, the ability to configure Intel AMT via the local host operating system.

     

    To return to the document series introduction of alternative Intel AMT configuration methods, click here.

     

    Section Introduction

     

    Starting with Intel® AMT 7, a new approach was introduced to configure Intel AMT via local software without use of a remote configuration certificate.   This approach is called Host Based Configuration.  

     

    Note: Some OEMs provide the Host Based Configuration capability with Intel AMT 6.2.   Dell and Lenovo are two example platforms.   At this time, HP supports only Intel AMT 7.x and higher.   Check with your preferred OEM provider.

     

    Host Based Configuration in connection with McAfee ePO Deep Command is a simple-to-use solution.   However, there are a few considerations:

     

    • The Intel AMT Configuration policy within McAfee ePO Deep Command v1.5 cannot be used
      • Instead a custom package using the EEDK will be used

     

    • Intel AMT Configuration profile must be exported from Intel SCS and copied to the client.   When executing the command to apply the profile, a profile decryption password must be provided.

     

    • Intel AMT will be configured in Client Control Mode
      • AMT actions such as Boot to BIOS and Boot\Reboot from Image require User Consent
      • Migration to Admin Control Mode is possible if Remote Configuration criteria are met
      • More information on Control Modes is available in the Intel SCS User Guide

     

    • Intel AMT drivers in addition to MEI\HECI, specifically the LMS driver, must be installed on the client.   The Local Management Service (LMS) driver can be obtained from the platform OEM's website.   It is commonly listed in the chipset section for driver downloads with keywords such as "Intel AMT", "Intel Management Interface Driver", or "Intel Management Driver".

     

    • The same network permissions apply as explained in the Intel SCS installation reference for McAfee ePO Deep Command.   Suggested focus points and modifications:
      • Complete "Install SCS to Use Network Service" section - it is not necessary to install the database component of Intel SCS
      • Skip the "Import Remote Configuration Certificate" section.   No external certificate is needed for host based configuration
      • The "Configure Intel SCS to use Digest Master Password" section is optional.   For first-time testing, it is recommended to skip this section.
      • Complete "Create an Intel AMT Configuration Profile" section
      • Complete "Set Communication Permissions Between Intel SCS and Infrastructure Components" section
      • Complete "Configure Certificate Template and Certificate Server Rights" section

     

    The remaining materials utilize the sample profile “AMTprofile” to complete the Intel AMT configuration process.   The examples shared run commands from the Local System account context.

     

    Network Permissions for Host Based Configuration

    This section focuses on the network permissions required for Host Based Configuration.   For simplicity, the same WMI\DCOM permissions will be used as stated in the Intel SCS installation reference for McAfee ePO Deep Command.    Other network permission options are available that do not require the RCSserver service, yet they are outside the scope of this document.

     

    The following diagram summarizes the events and permissions required for the AMT Configuration Policy within McAfee ePO Deep Command to complete:

     

    1. ACUconfig starts and must have elevated execution rights to interface with HECI.sys, the Intel AMT kernel mode driver on the system
    2. ACUconfig contacts the server where RCSserver is running.   This is defined by the RCS Manager agent plugin.   ACUconfig must have appropriate WMI namespace and DCOM access rights.
    3. If AD Integration is defined in the Intel AMT Configuration profile, the logon account of RCSserver contacts the domain named in the Intel AMT Configuration profile to modify objects in the Intel AMT OU container.   This action requires appropriate access rights for the RCSserver logon account.
    4. With TLS defined in the Intel AMT Configuration profile, the logon account of RCSserver contacts the defined Microsoft Certificate Authority to request a TLS WebServer certificate for the Intel AMT client.

    altconfig_pic21.png

     

     

    Exporting the Intel AMT Configuration Profile

     

    Using the Intel SCS console, choose to export the Intel AMT configuration profile (i.e. AMTprofile).

     

    Provide a path and file name for the XML profile, along with an encryption password.  

     

    The main points of the profile export screen are shown below.  

     

    Note: Be sure to select "The User running the RCS".   This option instructs the Intel AMT Client Utility (ACUconfig.exe) to use RCSserver when requesting the Microsoft Certificate Authority and Microsoft Active Directory options stated in the configuration profile.

    profile_export.png

    Test Host Based Configuration

     

    The default McAfee ePO Deep Command setup runs Intel AMT configuration events via the McAfee agent on the client.   The McAfee agent runs the Intel ACUconfig application under the local system context.    To repeat this manually, a tool such as Microsoft's Sysinternals PsExec is required; it can be obtained at http://technet.microsoft.com/en-us/sysinternals/bb897553.   Place the psexec files on the client.

     

    The test will also use the ePO Deep Command client files for Configurator, located as shown below.   The previously exported XML file must be copied to this location for testing purposes.

    altconfig_pic27.png

    Open a command prompt with elevated permissions.   This is done by right clicking the Command Prompt icon (i.e. CMD.exe) and selecting “Run As Administrator”.

     

    Using the PsExec.exe utility that was copied to the client, run the following command:

     

    psexec.exe -i -s cmd.exe

     

    The following screenshot shows that the local user (i.e. DemoUser) was used to execute the PsExec command.   The result is a command prompt window running in the System context.

    altconfig_pic28.png

     

    Using the command prompt running under the System account, change to the Configurator directory shown above (i.e. c:\Program Files (x86)\McAfee\ePO Deep Command Client\Configurator).

     

    The exported XML file from the SCS console is located in this directory, if the previous steps were completed.

     

    Run the following command:

     

    Acuconfig.exe configamt <XMLfile> /decryptionpassword <password>

     

    The password value is the encryption password used during the profile export routine.
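    The manual steps above (elevated context, LMS present, profile copied to the Configurator directory, ACUconfig run with the decryption password) can be wrapped in one script. The following is an added example, not code from the article or from Intel/McAfee; it assumes the Configurator path shown earlier, that the Intel Local Management Service is registered as the Windows service "LMS", and that ACUconfig returns exit code 0 on success, and the function name is hypothetical.

```powershell
# Added example, not code from the article or from Intel/McAfee. Assumes the
# Configurator path shown in the article, that the Intel Local Management
# Service is registered as the Windows service "LMS", and that ACUconfig
# returns exit code 0 on success; the function name is hypothetical.
function Invoke-HostBasedConfig {
    param(
        [string]$Xml = 'C:\Program Files (x86)\McAfee\ePO Deep Command Client\Configurator\AMTprofile.xml'
    )
    $configDir = Split-Path -Parent $Xml
    $acu       = Join-Path $configDir 'ACUconfig.exe'

    # ACUconfig talks to the HECI kernel driver, so it needs an elevated or
    # SYSTEM token (the article obtains one with "psexec -i -s cmd.exe").
    $me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated or SYSTEM prompt.'
    }

    # LMS is a stated prerequisite for host based configuration; fail early.
    $lms = Get-Service -Name 'LMS' -ErrorAction SilentlyContinue
    if (-not $lms -or $lms.Status -ne 'Running') {
        throw 'Intel LMS service not running; install the OEM Intel AMT driver package first.'
    }
    foreach ($f in $acu, $Xml) {
        if (-not (Test-Path -LiteralPath $f)) { throw "Missing file: $f" }
    }

    # Prompt for the profile decryption password instead of embedding it in the
    # script or in a client task.
    $secure = Read-Host -Prompt 'Profile decryption password' -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

    Push-Location $configDir
    try {
        # The command from the article. The password is still visible on the
        # ACUconfig command line, so process-creation auditing (Event ID 4688
        # with command-line logging) will record it on the client.
        & $acu configamt $Xml /decryptionpassword $plain
        $code = $LASTEXITCODE
    } finally { Pop-Location }
    if ($code -ne 0) { throw "ACUconfig configamt failed with exit code $code" }
    # The exported profile carries the encrypted AMT settings; remove the local
    # copy once it has been applied, then report success to the caller.
    Remove-Item -LiteralPath $Xml -Force
    return $code
}
Invoke-HostBasedConfig
```

Because the decryption password ends up on the ACUconfig command line regardless of how it is entered, treat the client's process-creation audit log as sensitive while this step runs.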

     

    A successful configuration will look similar to the following:

    altconfig_pic29.png

     

     

    Intel AMT is now configured in Client Control Mode, using the Host Based Configuration process.  

     

    Validate Intel AMT Configuration and Deploy Custom Client Task

     

    Once Intel AMT is configured, validate the configuration via one or more of the following methods:

    • Via the ePO Console, perform an agent wake-up on the clients to update the Intel AMT discovery information.
    • Review the collected Deep Command system properties, including reference of Intel® AMT Fully Configured.
    • Open an Intel AMT WebUI session via the URL https://<FQDN>:16993 and log in.

    altconfig_pic30.png

     

    • Test one or more AMT actions from the ePO Console.   Review the Server Task Log to ensure the action completed successfully.
      • Note: The AMT Actions menu is enabled once the AMT tag is applied to the target system within the ePO console.

     

    altconfig_pic31.png

     

    The final step is to create a Custom ACUconfig package to be delivered to all Host Based Configuration capable systems.    Refer to Appendix B on how to create the Client Task Execution Package.  

     

    Optional - Move to Admin Control Mode

     

    When the requirements of certificate-based remote configuration are fulfilled, a separate ACUconfig command can be used to move a system from Client Control Mode to Admin Control Mode.   Click here for more information on the requirements and how to acquire a valid certificate.  

     

    The command, running under the local system account as shown previously, for moving to Admin Control Mode is "MoveToACM" as shown below:

     

    ACUconfig MoveToACM <RCSserver>

     

    The RCSserver value is replaced with the hostname, FQDN, or IP address of the system where RCSserver is running.

     

     

    The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries