Part 4: Alternative Methods of Configuring Intel AMT

Version 3

                                                                              

    Modifying an Existing Intel AMT Configuration

                                                                              

    Document Series Background

    This is part 4 of a document series to explain alternative configuration methods for Intel AMT.  

     

    This section focuses on Delta or post configuration options.  

     

    To return to the document series introduction of alternative Intel AMT configuration methods, click here.

     

    Section Introduction

    An already configured Intel AMT system can be adjusted to align with the requirements of ePO Deep Command.   In addition, for simple testing environments a manual configuration of Intel AMT followed by a delta configuration can be performed.   For the purposes of this document, delta-configuration will be referred to as a 2-step configuration process.

     

    This document is separated into the following sub-sections:

     

    • Determine if TLS Enabled and Supported
    • Manual Configuration Options
    • Delta Configuration to Ensure TLS Enabled and Supported

     

    Determine if TLS Enabled and Supported

    After the Intel AMT Discovery Plugin has collected information from a configured Intel AMT system, the Deep Command system properties must show TLS as “Supported and Enabled” to be compliant with ePO Deep Command.

     

    Shown below are the collected properties of a sample system.    Although the system shows Configuration State as “Post Configuration”, the TLS field reports “Not Supported”.    A query and report can easily be generated to locate other systems in the environment that are in this state.   

    altconfig_pic32.png

     

    Note: One additional query point shown above is Hardware Crypto Enabled.   Some country import restrictions limit this feature.  This firmware feature is set by the OEM during the manufacturing process and may not be changeable.   If Hardware Crypto Enabled reports anything other than “Yes”, TLS is not possible on the platform and will not be compatible with ePO Deep Command.  Please discuss with your OEM.

     

All systems in a Post Configuration state with Hardware Crypto Enabled and TLS shown as “Not Supported” can be moved to a configuration with TLS.   Before making the change, determine which other applications in the environment are using the Intel AMT platform.   Once the change to TLS is applied, every application that connects to Intel AMT will need the certificate chain to complete the TLS session.
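The rule above (Post Configuration, Hardware Crypto Enabled “Yes”, TLS “Not Supported” means a candidate for delta configuration; anything other than “Yes” for Hardware Crypto means TLS is not possible) can be applied to the query and report mentioned earlier. The following Python script is an added example, not part of the original document or of ePO Deep Command; it assumes the report was exported as CSV with the column names shown in the constructed sample (the “System Name” column name is an assumption) and sorts each system into a bucket.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Deep Command query export (not real data).
# Column names are assumptions about how the report would be exported.
SAMPLE_EXPORT = """\
System Name,Configuration State,TLS,Hardware Crypto Enabled
PC-001,Post Configuration,Supported and Enabled,Yes
PC-002,Post Configuration,Not Supported,Yes
PC-003,Post Configuration,Not Supported,No
PC-004,Not Configured,Not Supported,Yes
PC-005,Post Configuration,Not Supported,
"""

COMPLIANT = "compliant"                      # TLS already Supported and Enabled
DELTA_ELIGIBLE = "delta-eligible"            # Post Configuration, HW crypto Yes, TLS Not Supported
NO_HW_CRYPTO = "hardware-crypto-unavailable" # OEM firmware setting; TLS not possible, talk to OEM
NOT_POST_CONFIG = "not-post-configuration"   # needs manual/other configuration first


def _norm(value):
    """Normalise a property value so that case and surrounding spaces do not matter."""
    return (value or "").strip().lower()


def classify(row):
    """Apply the document's rule to one exported row and return a bucket name."""
    hw_crypto = _norm(row.get("Hardware Crypto Enabled"))
    state = _norm(row.get("Configuration State"))
    tls = _norm(row.get("TLS"))
    # Hardware crypto is set by the OEM during manufacturing; if it reports
    # anything other than "Yes", TLS cannot be enabled, so this check comes first.
    if hw_crypto != "yes":
        return NO_HW_CRYPTO
    if tls == "supported and enabled":
        return COMPLIANT
    # Delta configuration expects the starting state Post Configuration.
    if state != "post configuration":
        return NOT_POST_CONFIG
    return DELTA_ELIGIBLE


def triage(export_text):
    """Group the system names of a CSV export by bucket, preserving report order."""
    buckets = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        buckets[classify(row)].append(row.get("System Name", "<unknown>"))
    return dict(buckets)


if __name__ == "__main__":
    for bucket, systems in triage(SAMPLE_EXPORT).items():
        print(f"{bucket}: {', '.join(systems)}")
```

Systems in the delta-eligible bucket are the ones the rest of this document addresses; the hardware-crypto bucket cannot be fixed by configuration and is the list to take to the OEM.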

     

    Note: For more information on TLS Certificates chains with Intel AMT, please click here

     

    More information on applying a Delta Configuration via the ePO Deep Command environment is provided in the third sub-section of this document.

     

    Manual Configuration Options

    The desired starting state for a delta configuration is: Enterprise Mode, Post Configuration

     

    altconfig_pic33.png

    If Intel AMT reports the Configuration State is not Post Configuration and the other alternative configuration methods are not possible for your environment, this sub-section summarizes a few manual configuration approaches to obtain the desired state: Enterprise Mode, Post Configuration.

     

This document focuses on the manual configuration options for Intel AMT 6.x and higher.   Details on how to manually configure Intel AMT 5.x or lower are outside the scope of this document.

     

    There are two simple approaches for Manual Configuration.   Apply only one of the sub-task sections:

    • Accessing the MEBx and selecting the “Activate Network Access” option
    • Applying USB setup using the Intel SCS 8.x console utilities

     

    Sub-Task: Activate Network Access Option

    To access the MEBx of a platform, refer to the OEM documentation for exact instructions.   The most common approach is a Ctrl+P key sequence during the system startup event.    Some OEMs show the option via the boot options for that platform.

     

    Once the MEBx screen has been accessed, select the Intel(R) AMT Configuration menu option followed by “Activate Network Access”. 

     

    This configures Intel AMT without TLS enabled.

     

    After the selection is completed, exit from the MEBx, complete the system boot process, and recapture the Intel AMT Discovery information to the McAfee ePO database.

    altconfig_pic34.png

Once Intel AMT is configured without TLS Enabled and Supported, as shown and described previously, refer to the sub-section below to Define a Delta Configuration Profile.

     

    Sub-Task: Perform USB Setup

    A second option available requires a USB flash drive that is preferably 2GB or smaller in size and must be FAT16 formatted.   

     

    From the Intel SCS console, select Tools followed by Prepare a USB Key for Manual Configuration

    altconfig_pic35.png

     

    Make the appropriate selections to create a setup.bin file for multiple systems.

    altconfig_pic36.png

Once the file has been created and copied to the target USB flash drive, insert the flash drive into a target client and power it on.

     

    A prompt will occur similar to the example below.   Press Y to accept the Intel AMT configuration.

     

Note: Some OEM systems will require a BIOS setting change for USB provisioning.

     

    altconfig_pic37.png

     

    Define a Delta Configuration Profile

    With Intel AMT configured and only missing the TLS settings, a Delta Configuration package can be created to align the configuration with ePO Deep Command requirements.

     

    Within the Intel SCS console, create a new profile similar to the example below, ensuring the Delta Configuration option is selected.

    altconfig_pic38.png

     

    When prompted for the Profile Scope, press Clear All and then select only the Transport Layer Security (TLS) option as shown below.

    altconfig_pic39.png

     

    Within the TLS setting of the profile, specify the target Certificate Authority.  

     

    In this example, the standalone certificate authority as explained in Appendix A is used.

    altconfig_pic40.png

     

Save the profile within the Intel SCS Console.

     

    Test the Delta Configuration

To apply the delta configuration profile, the easiest method is to adjust the AMT Configuration Policy to the default profile.

    default_config_policy.png

    To expedite the AMT configuration policy enforcement, ensure the AMT tag is applied to the client and select "Enforce AMT Firmware Configuration Policy" from the Actions menu.

    apply_delta_config.png

    If the above options are available and work in your environment, skip to the next section to validate the changed configuration of Intel AMT.

     

If not, a more manual method is required to complete the configuration change on the client.   The default McAfee ePO Deep Command setup runs Intel AMT configuration events via the McAfee agent on the client.   The McAfee agent runs the Intel ACUconfig application under the local System context.   To repeat this manually, a tool such as Microsoft’s Sysinternals PsExec is required and can be obtained at http://technet.microsoft.com/en-us/sysinternals/bb897553.

     

    Place the psexec files on the client.

     

    The test will also use the ePO Deep Command client files for Configurator, located as shown below. 

    altconfig_acuconfigfiles.png

     

    Open a command prompt with elevated permissions.   This is done by right clicking the Command Prompt icon (i.e. CMD.exe) and selecting “Run As Administrator”.

     

    Using the PSexec.exe utility that was copied to the client, run the following command

     

psexec.exe -i -s cmd.exe

     

The following screenshot shows that the local user (i.e. DemoUser) was used to execute the PsExec command.   The result is a command prompt window running in the System context.

    altconfig_pic41.png

     

    Using the command prompt running under the System account, change to the Configurator directory shown above (i.e. c:\Program Files (x86)\McAfee\ePO Deep Command Client\Configurator).

     

    Run the following command:

     

    Acuconfig.exe configviarcsonly <RCSserver_address> <profile_name>

     

    In the example below, Intel AMT is already configured in Admin Control Mode.   The TLS settings for Intel AMT must be added, as defined by the profile AddTLS.

     

    The open command prompt is running in the local System context, and the necessary WMI\DCOM permissions have been established.   (See first Visio diagram on Part 3 of the document series)

    altconfig_pic42.png

     

After the configuration event has completed successfully, perform an agent wake-up on the client to update the Deep Command properties.

     

    As shown below, the system properties indicate TLS is Enabled and Supported.

    altconfig_pic43.png

     

    Validate Intel AMT Configuration and Deploy Custom Client Task

Once Intel AMT is configured, validate the configuration via one or more of the following methods:

     

• Open an Intel AMT WebUI session via the URL https://<HOSTorFQDN>:16993 and log in

    altconfig_pic44.png

     

    • Test one or more AMT actions from the ePO Console.   Review the Server Task Log to ensure the action completed successfully.

    altconfig_pic45.png
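The WebUI check above can be scripted so that many systems can be validated without logging in to each one. The script below is an added example, not code from the original document or from Intel SCS or ePO Deep Command; it assumes a host name or FQDN and a PEM file containing the Certificate Authority chain the delta profile used (both given as command-line arguments). It probes the Intel AMT ports 16992 (no TLS) and 16993 (TLS), completes a TLS handshake on 16993 with chain and host-name verification, and reports which of the states described in this document the system is in.

```python
import socket
import ssl
import sys
from dataclasses import dataclass

AMT_HTTP_PORT = 16992   # Intel AMT WebUI without TLS
AMT_HTTPS_PORT = 16993  # Intel AMT WebUI with TLS (the URL used in the text above)


@dataclass
class TlsProbe:
    reachable: bool = False   # TCP connect to 16993 succeeded
    verified: bool = False    # handshake completed; chain validated against cafile; host name matched
    subject: str = ""
    issuer: str = ""
    error: str = ""


def _dn(rdns):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) structure into 'commonName=x, ...'."""
    return ", ".join(f"{k}={v}" for rdn in rdns for k, v in rdn)


def tcp_open(host, port, timeout=3.0):
    """Return True if a plain TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_tls(host, cafile, timeout=3.0):
    """Handshake on 16993, validating the AMT certificate against the CA chain in cafile.
    The default context also checks that the certificate matches `host`, which is
    why the FQDN the certificate was issued for should be passed, not an IP address."""
    ctx = ssl.create_default_context(cafile=cafile)
    result = TlsProbe()
    try:
        with socket.create_connection((host, AMT_HTTPS_PORT), timeout=timeout) as raw:
            result.reachable = True
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result.verified = True
                result.subject = _dn(cert.get("subject", ()))
                result.issuer = _dn(cert.get("issuer", ()))
    except ssl.SSLError as exc:   # includes SSLCertVerificationError (wrong chain / host name)
        result.error = f"TLS handshake failed: {exc}"
    except OSError as exc:        # connection refused, timeout, unreachable
        result.error = str(exc)
    return result


def assess(http_open, tls):
    """Map the probe results onto the configuration states discussed in the document."""
    if tls.verified:
        return "TLS enabled and certificate chain verified"
    if tls.reachable:
        return f"TLS port open but handshake failed (wrong CA chain or host name?): {tls.error}"
    if http_open:
        return "only port 16992 answers: Intel AMT is configured without TLS, apply the delta profile"
    return "no Intel AMT interface reachable: not configured, powered off, or filtered"


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} <host-or-fqdn> <ca-chain.pem>")
        return 2
    host, cafile = argv[1], argv[2]
    tls = probe_tls(host, cafile)
    print(assess(tcp_open(host, AMT_HTTP_PORT), tls))
    if tls.verified:
        print(f"  subject: {tls.subject}")
        print(f"  issuer:  {tls.issuer}")
    return 0 if tls.verified else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit code makes the script easy to run across the systems from the earlier query; a “handshake failed” result on a system that Deep Command reports as TLS enabled usually means the CA chain given to the script is not the one the delta profile used, which is the same chain every other application will need once TLS is on.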

     

    The final step is to create a Custom ACUconfig package to be delivered to all Host Based Configuration capable systems.   

     

    Refer to Appendix B on how to create the Client Task Execution Package.  

     

     

    Click here to return to the start of this document series

     

    Click here for an Index of related McAfee ePO Deep Command resources within the McAfee Community site.

     

    The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries