Modifying an Existing Intel AMT Configuration
Document Series Background
This is part 4 of a document series to explain alternative configuration methods for Intel AMT.
This section focuses on Delta or post configuration options.
To return to the document series introduction of alternative Intel AMT configuration methods, click here.
An already configured Intel AMT system can be adjusted to align with the requirements of ePO Deep Command. In addition, for simple testing environments a manual configuration of Intel AMT followed by a delta configuration can be performed. For the purposes of this document, delta-configuration will be referred to as a 2-step configuration process.
This document is separated into the following sub-sections:
- Determine if TLS Enabled and Supported
- Manual Configuration Options
- Delta Configuration to Ensure TLS Enabled and Supported
Determine if TLS Enabled and Supported
After the Intel AMT Discovery Plugin has collected information from a configured Intel AMT system, the Deep Command system properties must show TLS as “Supported and Enabled” to be compliant with ePO Deep Command.
Shown below are the collected properties of a sample system. Although the system shows Configuration State as “Post Configuration”, the TLS field reports “Not Supported”. A query and report can easily be generated to locate other systems in the environment that are in this state.
Note: One additional query point shown above is Hardware Crypto Enabled. Some country import restrictions limit this feature. This firmware feature is set by the OEM during the manufacturing process and may not be changeable. If Hardware Crypto Enabled reports anything other than “Yes”, TLS is not possible on the platform and will not be compatible with ePO Deep Command. Please discuss with your OEM.
All systems in a Post Configuration state with Hardware Crypto Enabled and TLS shown as “Not Supported” can be moved to a configuration with TLS. Before making the change, determine what other applications in the environment are using the Intel AMT platform. Once the change to TLS is applied, all requesting applications to Intel AMT will need the certificate chain to complete the TLS session.
Note: For more information on TLS certificate chains with Intel AMT, please click here.
More information on applying a Delta Configuration via the ePO Deep Command environment is provided in the third sub-section of this document.
Manual Configuration Options
The desired starting state for a delta configuration is: Enterprise Mode, Post Configuration.
If Intel AMT reports the Configuration State is not Post Configuration and the other alternative configuration methods are not possible for your environment, this sub-section summarizes a few manual configuration approaches to obtain the desired state: Enterprise Mode, Post Configuration.
This document focuses on the manual configuration options for Intel AMT 6.x and higher. Details on how to manually configure Intel AMT 5.x or lower are outside the scope of this document.
There are two simple approaches for Manual Configuration. Apply only one of the sub-task sections:
- Accessing the MEBx and selecting the “Activate Network Access” option
- Applying USB setup using the Intel SCS 8.x console utilities
Sub-Task: Activate Network Access Option
To access the MEBx of a platform, refer to the OEM documentation for exact instructions. The most common approach is a Ctrl+P key sequence during the system startup event. Some OEMs show the option via the boot options for that platform.
Once the MEBx screen has been accessed, select the Intel(R) AMT Configuration menu option followed by “Activate Network Access”.
This configures Intel AMT without TLS enabled.
After the selection is completed, exit from the MEBx, complete the system boot process, and recapture the Intel AMT Discovery information to the McAfee ePO database.
Once Intel AMT is configured without TLS enabled and supported, as shown and described previously, refer to the sub-section below to Define a Delta Configuration Profile.
Sub-Task: Perform USB Setup
A second option available requires a USB flash drive that is preferably 2GB or smaller in size and must be FAT16 formatted.
From the Intel SCS console, select Tools followed by Prepare a USB Key for Manual Configuration.
Make the appropriate selections to create a setup.bin file for multiple systems.
Once the file has been created and copied to the target USB flash drive, insert the flash drive into a target client and power it on.
A prompt will occur similar to the example below. Press Y to accept the Intel AMT configuration.
Note: Some OEM systems will require a BIOS setting change for USB provisioning.
Define a Delta Configuration Profile
With Intel AMT configured and only missing the TLS settings, a Delta Configuration package can be created to align the configuration with ePO Deep Command requirements.
Within the Intel SCS console, create a new profile similar to the example below, ensuring the Delta Configuration option is selected.
When prompted for the Profile Scope, press Clear All and then select only the Transport Layer Security (TLS) option as shown below.
Within the TLS setting of the profile, specify the target Certificate Authority.
In this example, the standalone certificate authority as explained in Appendix A is used.
Save the profile within the Intel SCS Console.
Test the Delta Configuration
To apply the delta configuration profile, the easiest method is to adjust the AMT Configuration Policy to the default profile.
To expedite the AMT configuration policy enforcement, ensure the AMT tag is applied to the client and select "Enforce AMT Firmware Configuration Policy" from the Actions menu.
If the above options are available and work in your environment, skip to the next section to validate the changed configuration of Intel AMT.
If not, a more manual method is required to complete the configuration change on the client. The default McAfee ePO Deep Command setup runs Intel AMT configuration events via the McAfee agent on the client. The McAfee agent runs the Intel ACUconfig application under the local System context. To repeat this manually, a tool such as Microsoft’s Sysinternals PsExec is required and can be obtained at http://technet.microsoft.com/en-us/sysinternals/bb897553.
Place the psexec files on the client.
The test will also use the ePO Deep Command client files for Configurator, located as shown below.
Open a command prompt with elevated permissions. This is done by right clicking the Command Prompt icon (i.e. CMD.exe) and selecting “Run As Administrator”.
Using the PsExec.exe utility that was copied to the client, run the following command:
psexec.exe -i -s cmd.exe
The following screenshot shows that the local user (i.e. DemoUser) was used to execute the PsExec command. The result is a command prompt window running in the System context.
Using the command prompt running under the System account, change to the Configurator directory shown above (i.e. c:\Program Files (x86)\McAfee\ePO Deep Command Client\Configurator).
Run the following command:
Acuconfig.exe configviarcsonly <RCSserver_address> <profile_name>
In the example below, Intel AMT is already configured in Admin Control Mode. The TLS settings for Intel AMT must be added, as defined by the profile AddTLS.
The open command prompt is running in the local System context, and the necessary WMI\DCOM permissions have been established. (See first Visio diagram on Part 3 of the document series)
After the configuration event has completed successfully, perform an agent wake-up on the client to update the Deep Command properties.
As shown below, the system properties indicate TLS is Enabled and Supported.
Validate Intel AMT Configuration and Deploy Custom Client Task
Once Intel AMT is configured, validate the configuration via one or more of the following methods:
- Open an Intel AMT WebUI session via the URL https://<HOSTorFQDN>:16993 and log in
- Test one or more AMT actions from the ePO Console. Review the Server Task Log to ensure the action completed successfully.
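As an added validation check (not part of the original document or the Deep Command product), the following PowerShell probes each host's Intel AMT TLS port 16993, reports the certificate subject and issuer so they can be compared with the CA chosen in the delta profile, notes whether the local trust store accepts the chain, and flags hosts where the non-TLS port 16992 still accepts connections. It assumes the hosts are reachable from where it runs and that 16992/16993 are the default Intel AMT ports.

```powershell
# Added example (not from the original document): report TLS status of Intel AMT hosts.
# Assumes the default Intel AMT ports 16992 (plain) and 16993 (TLS).
param(
    [Parameter(Mandatory = $true)][string[]]$ComputerName,
    [int]$TimeoutMs = 3000
)

function Test-TcpOpen([string]$HostName, [int]$Port, [int]$TimeoutMs) {
    # Returns a connected TcpClient, or $null if the port does not answer in time.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) { $client.EndConnect($async); return $client }
    } catch { }
    $client.Close()
    return $null
}

function Get-AmtTlsStatus([string]$HostName, [int]$TimeoutMs) {
    $r = [ordered]@{ Host = $HostName; TlsPort = $false; PlainPort = $false;
                     Subject = $null; Issuer = $null; ChainTrusted = $null; Error = $null }
    $plain = Test-TcpOpen $HostName 16992 $TimeoutMs
    if ($plain) { $r.PlainPort = $true; $plain.Close() }   # non-TLS management still reachable

    $tls = Test-TcpOpen $HostName 16993 $TimeoutMs
    if (-not $tls) { $r.Error = 'no listener on 16993'; return [pscustomobject]$r }
    $r.TlsPort = $true
    try {
        # Record whether the chain validates against the local trust store, but do not
        # abort the handshake on policy errors: the certificate is reported either way.
        $script:trusted = $null
        $cb = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $script:trusted = ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
            $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tls.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $r.Subject = $cert.Subject; $r.Issuer = $cert.Issuer; $r.ChainTrusted = $script:trusted
        $ssl.Dispose()
    } catch { $r.Error = $_.Exception.Message }
    finally { $tls.Close() }
    [pscustomobject]$r
}

$ComputerName | ForEach-Object { Get-AmtTlsStatus $_ $TimeoutMs } | Format-Table -AutoSize
```

A host that shows TlsPort = False, or an Issuer that does not match the CA specified in the delta profile, has not picked up the AddTLS configuration and should be re-checked with an agent wake-up before the Deep Command properties are trusted.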
The final step is to create a Custom ACUconfig package to be delivered to all Host Based Configuration capable systems.
Refer to Appendix B on how to create the Client Task Execution Package.
The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries.