Maintaining Intel AMT Configuration

Version 3

    Introduction

     

    Once configured, Intel® AMT is a service on your network awaiting an authenticated and authorized request. To ensure McAfee ePO Deep Command or other applications continue to communicate with Intel AMT, specific maintenance operations are recommended. Common causes of failed communications to a configured Intel AMT device include:

     

    • If the operating system name changes, the FQDN stored in the Intel AMT firmware is not updated automatically. Either the old FQDN no longer resolves to a valid IP address within the environment, or TLS authentication fails because the Intel AMT TLS certificate was issued for the old FQDN.
    • If the TLS web server certificate issued to the Intel AMT device expires, Intel AMT cannot renew it by itself.
    • If Kerberos authentication is used, the Intel AMT clock must stay synchronized with the domain, and the Microsoft Active Directory (AD) object representing the device, including its password, must be maintained.

     

     

    McAfee ePO Deep Command enables Intel AMT maintenance tasks to be created. The purpose of this document is to determine which tasks are needed and how often to apply them. It demonstrates both a reactive and a proactive approach to Intel AMT configuration maintenance.

    Reactively Identify and Fix an Intel AMT Communication Error

    Using the system properties collected via McAfee ePO, a custom query and report can determine what configured Intel AMT clients are experiencing communication errors.

    The sample query below selects the System Name, Intel® AMT DNS Name, Last Communication, Last Error Message, and TLS data points.    The System Name and Last Communication are found under “Managed Systems”, the rest of the properties are found under Intel® AMT in the query builder.

    pic1.png

     

    On the Query Builder Filter Tab, two common filters include:

    • Intel® AMT Fully Configured: Yes
    • Last Error Message: Contains “Failed to enforce policy”

     


    pic2.png

    Running the query in my lab environment on November 12, 2012 identified three problematic systems. Two of them have had no Agent-to-Server Communication (ASC) for a few weeks, most likely because they were disconnected from the network or for other reasons unrelated to Intel AMT. That needs to be addressed before looking at failed Intel AMT communications, since the Intel AMT properties ePO holds for those systems are stale.

     

    pic3.png

     

    The third system, shown as “LenovoTiny”, indicates the Intel AMT FQDN differs from the operating system name.   In short – the client was renamed.    The Intel AMT Hostname and associated TLS certificate need to be updated.   

     

    Additional notes in determining cause and effect for failed communications:

     

    • Focus first on the “Last Error Message”. If Intel AMT policies cannot be enforced, this indicates a communications failure. For now, ignore error messages relating to a specific Intel AMT feature.
    • The TLS field must state “Supported and Enabled” for McAfee ePO to communicate with Intel AMT over TLS. This property value indicates a TLS certificate has been applied to Intel AMT.
    • If the System Name and Intel® AMT DNS Name are the same but the Last Error Message indicates failure, investigate two further possibilities. If all clients show this error, the Intel AMT credentials stored within McAfee ePO are the likely cause. If only a few clients are affected, suspect network connectivity or FQDN-to-IP resolution for those clients.
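The triage rules above can be applied mechanically to an export of the custom query. The following is an added example, not McAfee ePO code: it reads the five columns the query selects (System Name, Intel AMT DNS Name, Last Communication, Last Error Message, TLS) from a constructed CSV export, classifies each row in the order the notes above check them, and then applies the fleet-level rule (every configured client failing points at the credentials in ePO; a few failing points at network or DNS). The hostnames, dates, the feature-specific error text and the 14-day staleness threshold are assumptions for the illustration.

```python
"""Triage of an exported "AMT Communication errors" query result.

Added example, not McAfee ePO code.  The CSV rows, hostnames and the
feature-specific error text are constructed for illustration.
"""
import csv
import io
from datetime import datetime, timedelta

STALE_DAYS = 14                       # assumed: no ASC for this long means fix connectivity first
ASC_FORMAT = "%m/%d/%y %I:%M:%S %p"   # "11/12/12 8:02:11 AM" as ePO displays Last Communication
POLICY_ERROR = "Failed to enforce policy"
REPORT_DATE = datetime(2012, 11, 12, 9, 0)   # when the query was run (assumed time of day)

SAMPLE_EXPORT = """\
System Name,Intel AMT DNS Name,Last Communication,Last Error Message,TLS
LENOVOTINY,tiny-old.lab.example,11/12/12 8:02:11 AM,Failed to enforce policy,Supported and Enabled
DESKTOP-A,desktop-a.lab.example,10/20/12 5:41:02 PM,Failed to enforce policy,Supported and Enabled
DESKTOP-B,desktop-b.lab.example,10/19/12 9:15:33 AM,Failed to enforce policy,Supported and Enabled
DESKTOP-C,desktop-c.lab.example,11/12/12 7:55:00 AM,Failed to enforce policy,Not Supported
DESKTOP-D,desktop-d.lab.example,11/12/12 8:10:45 AM,Failed to enforce policy,Supported and Enabled
DESKTOP-E,desktop-e.lab.example,11/12/12 8:11:09 AM,Failed to enable Serial-over-LAN (constructed),Supported and Enabled
"""


def host_label(name):
    """Lower-cased host part: 'LenovoTiny.lab.example' -> 'lenovotiny'."""
    return name.strip().split(".")[0].lower()


def classify_row(row, report_date):
    """Return (category, next step) for one row, in the order the text checks them."""
    if POLICY_ERROR not in row["Last Error Message"]:
        return ("feature_error", "feature-specific error: ignore while fixing communications")
    last_asc = datetime.strptime(row["Last Communication"], ASC_FORMAT)
    if report_date - last_asc > timedelta(days=STALE_DAYS):
        return ("stale_asc", "no agent-to-server communication for >%d days: "
                             "restore the agent connection before touching Intel AMT" % STALE_DAYS)
    if row["TLS"].strip() != "Supported and Enabled":
        return ("tls_missing", "no TLS certificate applied: reconfigure with the TLS profile")
    if host_label(row["System Name"]) != host_label(row["Intel AMT DNS Name"]):
        return ("fqdn_mismatch", "host renamed: Enforce AMT Firmware Configuration Policy, "
                                 "or Synchronize Network Settings plus Re-Issue AMT Certificates")
    return ("name_ok_failing", "FQDN matches: see fleet verdict")


def triage(csv_text, report_date, total_configured):
    """Classify every row, then decide whether name-ok failures are fleet-wide.

    total_configured is the number of clients with "Intel AMT Fully Configured: Yes"
    (a separate query); the export only contains the failing ones.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    results = {row["System Name"]: classify_row(row, report_date) for row in rows}
    name_ok = [n for n, (cat, _) in results.items() if cat == "name_ok_failing"]
    if not name_ok:
        verdict = "none"
    elif len(name_ok) >= total_configured:
        verdict = "credentials"        # every client fails: check the Intel AMT credentials in ePO
    else:
        verdict = "network_or_dns"     # a few clients fail: connectivity or FQDN-to-IP resolution
    return results, verdict


if __name__ == "__main__":
    results, verdict = triage(SAMPLE_EXPORT, REPORT_DATE, total_configured=25)
    for name, (cat, step) in results.items():
        print("%-11s %-16s %s" % (name, cat, step))
    print("fleet verdict:", verdict)
```

The stale-ASC check runs before the FQDN comparison on purpose: a system ePO has not heard from in weeks may well have been renamed or re-certified since, so nothing in its row can be trusted until the agent talks to the server again.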

     

     

    For the common error shown for “LenovoTiny”, a simple first step to resolve the issue is to Enforce AMT Firmware Configuration Policy.   This action forces the Intel AMT configuration to be reapplied to the target system.  

     

    Select the target client, then click Actions > AMT Actions > Enforce AMT Firmware Configuration Policy as shown below.

    pic4.png


    Enforcing the Intel AMT configuration policy resolved the mismatched-FQDN error. After the next ePO Deep Command Discovery and Reporting data collection, the completed Enforce AMT Policies action is recorded as shown below.

     

    pic5.png

     

    Using the above mentioned custom query, the “LenovoTiny” unit is no longer listed as having communication errors.  

     

    The sequence can be automated via McAfee ePO Server Task, connecting results from the query with a specific action or Client Execution Task.   The next section explores Intel AMT Maintenance Tasks.

    Understanding Intel AMT Maintenance Tasks

    Intel AMT maintenance tasks can be initiated either by commands executed on the client endpoint or by Jobs defined on the Intel SCS console. McAfee ePO Deep Command uses Client Execution Tasks to initiate the maintenance tasks on the client. This distributed pull approach scales better than a central push from the console, because each client runs the task when it next checks in instead of the console having to reach every device.

     

    In the Client Task Catalog, a subsection of Client Task Types exists for ePO Deep Command 1.5.0 as shown below.
    pic6.png


    By default, no maintenance tasks are defined. Before creating an AMT Maintenance Task, review the following explanations from the McAfee ePO Deep Command product guide, augmented with the Intel SCS User Guide and additional commentary. Specific recommendations appear in the Additional Commentary items.

     

    • Synchronize AMT Time: Synchronize the clock of the Intel AMT device with the clock of the computer running the Intel RCS service. This task is performed automatically when any of the other tasks are performed.
      • Intel SCS User Guide: The Intel AMT device contains a clock that operates independently from the clock in the host operating system. For devices configured to use Kerberos authentication, it is important to synchronize the device clock with the clock of a computer in the network. The clock of that computer must also be synchronized with the Key Distribution Center. This is not done by Intel SCS. When the clock is not synchronized, Kerberos authentication with the device might fail. For Kerberos enabled devices, Intel recommends synchronizing the clock at two week intervals.
      • Additional Commentary: The Intel AMT PC Alarm Clock function is based on the internal AMT time. Intel AMT time divergence of a few minutes can occur over extended periods depending on environmental conditions. Kerberos rejects authenticators whose timestamp falls outside the maximum clock tolerance, 5 minutes by default in Active Directory, so a drift of that size is enough to break Kerberos authentication to the device even though Digest authentication still works.

     

    • Synchronize Network Settings: Synchronizes network settings of the Intel® AMT device based on these: Fully qualified domain name, IP address, DDNS and DHCP option 81.
      • Intel SCS User Guide: After configuration, the Intel AMT device contains IP and FQDN settings that management consoles use to connect to the device. Changes in the network environment or the host operating system might make it necessary to change the settings in the device.
      • Additional Commentary: Changes to the IP address apply only to static IP environments, where the address itself must be maintained. In a DHCP environment, Intel AMT updates its address automatically from the DHCP lease reply. Changes to the dynamic DNS update settings (Intel AMT 6.x and later) are also applied by this task. If the FQDN of the host operating system changes in an environment such as McAfee ePO Deep Command, where certificates are issued to Intel AMT, updated certificates must be issued to the device as well, so Synchronize Network Settings is commonly combined with Re-Issue AMT Certificates. This task is normally run as needed rather than on a regular schedule.

     

    • Re-Issue AMT Certificates: Reissues the certificates stored in the Intel® AMT device. If the device contains 802.1x certificates, this resets the Intel® AMT administrator password to the default.
      • Intel SCS User Guide: Intel AMT devices can be configured to use certificates for authentication (when using TLS, EAC, Remote Access, or 802.1x). When certificates are issued by a Certification Authority they are valid for a specified time. These certificates must be reissued before they expire. Intel recommends that you schedule this maintenance task to run a minimum of 30 days before the certificate expiration date.
      • Additional Commentary: The 30-days-before-expiration recommendation applies to systems whose FQDN has not changed; for those, a regularly scheduled Intel AMT maintenance task will suffice. Where the FQDN of the device has changed, combine Re-Issue AMT Certificates with Synchronize Network Settings, since a certificate re-issued for the old name would still fail hostname verification. An alternative is to Enforce AMT Configuration for the target system, which generates an Intel AMT reconfiguration event.


    • Renew Active Directory Password: Reset the password of the Active Directory object representing the Intel AMT system.
      • Intel SCS User Guide: If an Intel AMT device is configured to use Active Directory (AD) Integration, an object is created in the AD Organizational Unit specified in the profile. The object contains a password that is set automatically (not user-defined). If the ADOU has a “maximum password age” password policy defined in AD, the password must be replaced before it expires. Intel recommends that you schedule this maintenance task to start a minimum of 10 days before the password is set to expire.
      • Additional Commentary: This maintenance task is recommended only if Active Directory Integration is used in the Intel AMT configuration profile.   Only the password of the Intel AMT object is maintained.   Changing the Active Directory OU location of the Intel AMT objects requires a reconfiguration event to occur, not a maintenance task.

     

    • Renew Administrative Password: Resets the password of the default Digest admin user in the Intel AMT device according to the password setting defined in the profile.
      • Intel SCS User Guide: For increased security, it is recommended to change the password of the default Digest admin user at regular intervals.
      • Additional Commentary: This applies only if the Intel AMT admin password is set to randomized or to a digest master password, or if the static password has been changed in the profile. It is recommended that routine Intel AMT communications not use the default Intel AMT admin account; reserve it for Intel AMT configuration events. A previous document explains the pros and cons of Kerberos versus Digest authentication, along with options for randomizing the Intel AMT admin account (click here). Regular maintenance and re-randomization of the Intel AMT admin account according to environment policy is recommended: first understand the benefits and options in randomizing the account, then apply your selection and frequency based on the target environment's password security policy.

     

    Using the above explanations, a few common scenarios for Intel AMT Maintenance tasks are presented in the next section on proactively maintaining the Intel AMT configuration.

    Proactively Maintain Intel AMT Configuration

     

    Scenario 1: McAfee ePO Deep Command Operations Failing After System Name Change


    The first section of this document demonstrated a query and reactive approach to update the FQDN of the Intel AMT firmware.    Building upon the custom query shown in that section, a maintenance task similar to the following can be used.

    pic7.png

    Using a server task to combine the custom query (i.e. “AMT Communication errors”) with the Maintenance Task will look similar to the following:
    pic8.png

    Schedule the server task to run at a regular interval so that system name changes are corrected without manual intervention. Although the resolution itself is reactive, the server task automates the maintenance event.

     

    Scenario 2: Updating the Intel AMT Certificates

    Review the Validity Period of the Web Server certificate template used to issue the Intel AMT TLS certificates. In the example below, the certificates issued using the default template are valid for 2 years.
    pic9.png 
    In addition to the TLS Web Server certificate, if the Intel AMT configuration in the environment uses 802.1x certificates, the Validity Period of that template is also a consideration.
    If all certificate templates have a validity period of 2 years and the system hostname has not changed during that time, the following Intel AMT Maintenance Task settings will update the certificates:

    pic10.png


    In this example, the task is set to run on the first Thursday of November – approximately a year from now.   Additional scheduling granularity can be applied based on the target environment.
    pic11.png

    The intent of this Intel AMT maintenance task is to avoid broken communications due to expired TLS certificates.
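Both the Re-Issue AMT Certificates discussion and this scenario come down to two checks against the certificate the device actually presents: how far it is from expiry, and whether its name still matches the host. The following is an added example, not McAfee ePO or Intel SCS code, that performs those checks. fetch_amt_cert() retrieves the certificate from the Intel AMT TLS port (16993) with the chain verified against the CA that issues the Intel AMT certificates; check_amt_cert() works on the dictionary Python's ssl.getpeercert() returns, so it can run offline on the constructed SAMPLE_CERT shown. The hostnames, dates and CA file path are assumptions.

```python
"""Check an Intel AMT device's TLS certificate for expiry and an FQDN mismatch.

Added example, not McAfee ePO or Intel SCS code.  SAMPLE_CERT is constructed in
the shape ssl.getpeercert() produces; hostnames and dates are hypothetical.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone

AMT_TLS_PORT = 16993        # Intel AMT HTTPS / WS-Management over TLS
RENEW_WINDOW_DAYS = 30      # Intel SCS guidance: re-issue at least 30 days before expiry

SAMPLE_CERT = {             # constructed; two-year Web Server template, issued at configuration
    "subject": ((("commonName", "tiny-old.lab.example"),),),
    "subjectAltName": (("DNS", "tiny-old.lab.example"),),
    "notBefore": "Nov 12 08:00:00 2012 GMT",
    "notAfter": "Nov 12 08:00:00 2014 GMT",
}
# Assumed report dates used by the demonstration below.
CONFIGURED_ON = datetime(2012, 11, 13, tzinfo=timezone.utc)
TWO_YEARS_LATER = datetime(2014, 10, 20, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2014, 12, 1, tzinfo=timezone.utc)


def fetch_amt_cert(host, ca_pem_path, port=AMT_TLS_PORT, timeout=5.0):
    """Live fetch; returns (cert_dict, None) or (None, error_text).

    The chain is verified against the CA that issues the Intel AMT TLS
    certificates (ssl only decodes a certificate it has verified), so an
    expired certificate surfaces as a handshake error.  Hostname checking is
    off on purpose: a mismatched FQDN is one of the conditions we report on.
    """
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except (ssl.SSLError, OSError) as exc:
        return None, str(exc)


def cert_names(cert):
    """Lower-cased commonName plus dNSName SAN entries."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def check_amt_cert(cert, expected_fqdn, now=None):
    """Return a list of findings; an empty list means no maintenance is due."""
    now = now or datetime.now(timezone.utc)
    findings = []
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    remaining = not_after - now
    if remaining <= timedelta(0):
        findings.append("expired %s: Intel AMT cannot renew it itself, run Re-Issue AMT Certificates"
                        % not_after.date())
    elif remaining < timedelta(days=RENEW_WINDOW_DAYS):
        findings.append("expires in %d days, inside the %d-day re-issue window"
                        % (remaining.days, RENEW_WINDOW_DAYS))
    names = cert_names(cert)
    if expected_fqdn.lower() not in names:
        findings.append("certificate names %s do not match %s: host renamed, "
                        "run Synchronize Network Settings plus Re-Issue AMT Certificates"
                        % (sorted(names), expected_fqdn))
    return findings


if __name__ == "__main__":
    # Freshly configured device: two years of validity left, name still matches.
    print(check_amt_cert(SAMPLE_CERT, "tiny-old.lab.example", CONFIGURED_ON))
    # Same device two years later: renamed to LenovoTiny and 23 days from expiry.
    print(check_amt_cert(SAMPLE_CERT, "lenovotiny.lab.example", TWO_YEARS_LATER))
```

Pair this with the certificate template's validity period: with a two-year template the expiry finding first fires about 23 months after configuration, which is the point at which the scheduled Re-Issue AMT Certificates task must already have run.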

    Scenario 3: Updating Intel AMT Active Directory Object Password

    If AD Integration with Kerberos authentication is used in the environment, the password policy that applies to the Intel AMT objects determines how often their passwords must be renewed. In the following example, the default domain policy with a 42-day maximum password age applies. After the 42 days, if the Intel AMT object's password has not been renewed, authentication to the object may fail because its password has expired.

    pic12.png

     

    In this scenario, running the Intel AMT Maintenance Task every 30 days via the McAfee ePO schedule provides a 12-day grace period for clients that are not on the network when the task runs.

    The Intel AMT Maintenance Task will look similar to the following:
    pic13.png

    With an assigned schedule such as the following:


    pic14.png
    An alternative to monthly execution of the task is to exempt the Intel AMT objects from the maximum password age. Note that password-policy settings in a Group Policy Object linked to the Organizational Unit do not take effect for domain accounts; only the domain-level password policy (or a Fine-Grained Password Policy) does, so work out with the Active Directory administrators how such an exception can actually be applied to these objects.
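The Renew Active Directory Password discussion and this scenario share one piece of arithmetic: when does each Intel AMT object's password expire relative to the next scheduled run, and does the run leave the 10-day lead the Intel SCS User Guide asks for? The following added example, not Intel SCS or ePO code, does that arithmetic on Active Directory's own representation: pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01 UTC) and the domain's maxPwdAge is stored as a negative 100 ns interval. The object names and timestamps are constructed; in a real run you would read pwdLastSet from the objects in the Intel AMT OU and maxPwdAge from the domain root over LDAP.

```python
"""Which Intel AMT AD objects will have an expired password before the next
Renew Active Directory Password run?

Added example, not Intel SCS or McAfee ePO code.  Object names and timestamps
are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10 ** 7
NEVER_EXPIRES = (0, -0x8000000000000000)   # maxPwdAge values meaning "no maximum age"
LEAD_DAYS = 10                             # Intel SCS: start the task >= 10 days before expiry


def filetime_to_datetime(ticks):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(seconds=ticks / TICKS_PER_SECOND)


def datetime_to_filetime(dt):
    """Aware datetime -> FILETIME, whole seconds only."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * TICKS_PER_SECOND


def max_pwd_age(max_pwd_age_attr):
    """Domain maxPwdAge attribute (negative 100 ns interval) -> timedelta, or None for 'never'."""
    if max_pwd_age_attr in NEVER_EXPIRES:
        return None
    return timedelta(seconds=-max_pwd_age_attr / TICKS_PER_SECOND)


def grace_days(max_age, interval_days=30):
    """Slack left for offline clients when the task runs every interval_days."""
    return max_age.days - interval_days


def password_status(pwd_last_set, max_age, now, next_run, lead=timedelta(days=LEAD_DAYS)):
    """Return (status, expiry) for one Intel AMT AD object."""
    if max_age is None:
        return ("ok", None)
    expiry = filetime_to_datetime(pwd_last_set) + max_age
    if expiry <= now:
        return ("expired", expiry)         # Kerberos authentication to the device will fail
    if expiry - next_run < lead:
        return ("renew_now", expiry)       # the scheduled run leaves less than the 10-day lead
    return ("ok", expiry)


def report(objects, max_pwd_age_attr, now, interval_days=30):
    """objects: {name: pwdLastSet}.  Returns {name: (status, expiry)}."""
    max_age = max_pwd_age(max_pwd_age_attr)
    next_run = now + timedelta(days=interval_days)
    return {name: password_status(ft, max_age, now, next_run) for name, ft in objects.items()}


# Constructed sample: default domain policy (42 days), report run on 12 Nov 2012.
NOW = datetime(2012, 11, 12, tzinfo=timezone.utc)
MAX_PWD_AGE_42_DAYS = -42 * 86400 * TICKS_PER_SECOND
SAMPLE_OBJECTS = {
    "AMT-DESKTOP-A": datetime_to_filetime(datetime(2012, 11, 1, tzinfo=timezone.utc)),   # expires 13 Dec
    "AMT-DESKTOP-B": datetime_to_filetime(datetime(2012, 9, 20, tzinfo=timezone.utc)),   # expired 1 Nov
    "AMT-DESKTOP-C": datetime_to_filetime(datetime(2012, 11, 11, tzinfo=timezone.utc)),  # expires 23 Dec
}

if __name__ == "__main__":
    for name, (status, expiry) in report(SAMPLE_OBJECTS, MAX_PWD_AGE_42_DAYS, NOW).items():
        print("%-14s %-10s %s" % (name, status, expiry.date() if expiry else "never"))
    print("grace days with a 30-day task interval:",
          grace_days(max_pwd_age(MAX_PWD_AGE_42_DAYS)))
```

AMT-DESKTOP-A shows why the lead matters: its password is still valid at the next run on 12 December but expires the day after, so a single missed check-in turns it into the AMT-DESKTOP-B case, where Kerberos authentication to the device already fails and the task has to be run immediately.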

    Concluding Thoughts

    Maintaining the Intel AMT configuration ensures communications are not disrupted due to system name changes, expired certificates, expired passwords, and so forth.   To help automate the scheduling of maintenance events, whether reactively or proactively, Client Tasks can be defined within McAfee ePO specific to an AMT Maintenance action.

     

    Click here for an index of additional resources on McAfee ePO Deep Command in this community.

     

     

    The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries