Intel AMT Configured via Microsoft SCCM and Used by McAfee ePO Deep Command

Version 1

    Introduction

    This document is the first of a two part series.

     

    You might be asking – “Why is Microsoft SCCM referenced in a McAfee Community?” or perhaps “What is Intel® AMT?”

     

    Answering the second question – Intel® Active Management Technology (AMT) enables beyond-the-operating-system management of the endpoint device.  This type of management, often referred to as “out-of-band” or “lights out”, is common with server and datacenter environments.    Intel® AMT is found in many business client platforms – workstation, desktop, and laptop.   Combined with McAfee ePO Deep Command, Intel® AMT enables improved security management such as McAfee EEPC pre-boot unlock, off-hours power and security update, or remote KVM connectivity.    (See related article on Good, Better, and Best Scenarios for McAfee ePO Deep Command)

     

    Now to the first question – Intel® AMT and the associated out-of-band management capabilities provided are frequently needed for PC LifeCycle management.   Microsoft System Center Configuration Management (SCCM) is a common tool used for the purpose of deploying system images, deploying software packages, collecting system asset information, and so forth.    Microsoft SCCM also includes the ability to configure Intel® AMT versions 3.x to 8.x.   

     

    Here is the key phrase to remember – “Once configured, Intel® AMT is a service awaiting an authenticated and authorized request”

     

    Fortunately, the Microsoft SCCM configuration of Intel® AMT is fully compatible with McAfee ePO Deep Command.    Microsoft SCCM requires Transport Layer Security (TLS) and Active Directory (AD) integration with defined domain users\groups assigned to the Intel® AMT systems for authentication purposes. 

     

    The primary focus of this document is for McAfee ePO Deep Command to utilize Intel® AMT systems  already configured via Microsoft SCCM. 

     

    The secondary focus of this document is planning considerations of ongoing Intel® AMT configuration in a Microsoft SCCM environment, and leading to the second part in the document series.

     

    Summary Steps

    If you find Microsoft SCCM 2007 or 2012 has already configured Intel® AMT in your environment, getting McAfee ePO Deep Command ready is completed in a few simple steps:

     

    • Deploy the McAfee ePO Deep Command Discovery Plugin

    image1.png

    • Validate Intel® AMT is in a Post Configuration State via the Deep Command Discovery & Reporting Dashboard

     

    image2.png

    • Update the Intel® AMT Credentials in the McAfee ePO Console Server Settings.   This includes both an appropriate domain user account and password along with the Trusted Root Certificate.

     

    image3.png

     

     

    To complete steps 1 and 2, review the McAfee ePO Deep Command setup and configuration documentation provided at https://community.mcafee.com/docs/DOC-5069 along with the McAfee ePO Deep Command 2.0 product guide.

     

    To complete step 3, a trusted root certificate and Active Directory account used with the Microsoft SCCM configuration of Intel® AMT must be determined.   The following sections explain how this is done.

     

    How do I determine what AMT user accounts were defined by SCCM?

    Talk with your Microsoft SCCM administrator.   In configuring Intel® AMT, they defined AMT Settings with specific AD users\groups.   Sample screenshots from Microsoft SCCM 2012 environments are shown below, and similar steps are used with Microsoft SCCM 2007.    An account with “PT Administration” rights into Intel® AMT is required by McAfee ePO Deep Command.

     

    Within the Microsoft SCCM console, select Administration in the lower left.   Expand Site Configuration and click on Sites.   Right click the target site and navigate to Configure Site Components > Out of Band Management

     

    image4.png

     

    Select the AMT Settings tab to see what Active Directory groups or user accounts have been applied to Intel® AMT.    Add an applicable domain  user credential in the McAfee ePO console for Intel® AMT credentials.

    image5.png

     

    A final note for this section.    If the intended domain user account to be used by McAfee ePO for Intel® AMT communications is not already a member of the domain group applied to the Intel® AMT firmware access control list, simply add the target user to the target domain via the Microsoft Management Console.   In the examples above, if the domain account “vprodemo\ePO_AMT_User” were to be used with McAfee ePO Server settings for Intel® AMT Credentials, then add that account to the “vprodemo\AMTadmins” group within the Microsoft Management Console.   No changes to the Intel® AMT configuration need to be pushed out.   The groups as defined by the Microsoft SCCM configuration already have been assigned into the firmware of the configured Intel® AMT systems.

     

    How to identify and obtain the Trusted Root Certificate?

    The earlier screenshot of the Intel® AMT Credentials in the McAfee ePO Console showed a highlighted certificate.    This public root certificate is used for TLS communications specific to Intel® AMT redirection operations.    Microsoft SCCM environments utilize an internal Microsoft PKI\CA to issue the necessary TLS certificates to the Intel® AMT systems… again, within the Microsoft SCCM configuration settings for Intel® AMT.  

    There are many methods to determine what root certificate and if applicable certificate chain were used.   One example shown here - https://community.mcafee.com/docs/DOC-4182

     

    See the examples below for Microsoft SCCM 2012 to validate the same trusted root certificate authority is used.   Similar steps are done for Microsoft SCCM 2007.

    image6.png

     

    Once obtained, the Trusted Root Certificate must be imported to the Intel® AMT Credential settings of McAfee ePO.

     

    Validate McAfee ePO Deep Command policies are successfully applied and actions completed.

     

    Future Planning and Considerations

    Although Microsoft SCCM has the ability to configure Intel® AMT in a manner that is compatible with McAfee ePO Deep Command, a few considerations for future planning purposes are listed below for your consideration:

     

    1. If you’ve upgraded Microsoft SCCM from one version to the next and have Intel® AMT configuration supplied by SCCM, you likely know that Intel® AMT must be fully unconfigured prior to the SCCM upgrade.   Such is not the case with McAfee ePO Deep Command.
    2. Microsoft SCCM natively supports certificate-based Remote Configuration of Intel® AMT.   This process requires a wired network connection, valid remote configuration certificate, DHCP clients, and so forth.   In contrast, McAfee ePO Deep Command supports Host Based Configuration (perfect for wireless, VPN, static IP, and other advanced configuration scenarios) in addition to certificate-based remote configuration.
    3. Microsoft SCCM configuration of Intel® AMT requires an internal Microsoft Certificate Authority.   In contrast, McAfee ePO Deep Command 2.0 can also utilize the ePO infrastructure for TLS certificates assigned to Intel® AMT.  
    4. Microsoft SCCM configuration engine for Intel® AMT is not aligned to the latest generation Intel® Setup and Configuration Software (SCS).     Intel® SCS provides all available configuration options for Intel® AMT.   McAfee ePO Deep Command provides a Remote Configuration Services agent to integrate with Intel® SCS.
    5. Microsoft SCCM can configure Intel® AMT 3.x through 8.x.    In contrast, McAfee ePO Deep Command will continue to configure and maintain Intel® AMT going forward, including current versions that extend to Intel® AMT 9.x and so forth.
    6. Maintenance and remediation of Intel® AMT configuration via Microsoft SCCM may be less favorable as compared to McAfee ePO Deep Command. See guidance on Intel® AMT maintenance as provided via McAfee ePO - https://community.mcafee.com/docs/DOC-4380.
    7. Complete discovery of Intel® AMT is obtained via McAfee ePO Deep Command Discovery and Reporting, a free extension.    The discovery includes important data such as Intel® AMT version, configuration state, configuration mode, presence of Intel® AMT drivers (MEI and LMS), and so forth.   The information is displayed via built-in easy to review reports and dashboards.   In contrast, obtaining similar information within Microsoft SCCM will require some customizations with one explanation provide via an online blog.
    8. Microsoft SCCM natively supports the following Intel® AMT capabilities: power control, boot redirection, serial-over-LAN, and audit logging.   Examples how these are used for PC LifeCycle management summarized on Microsoft TechNet.   Customizations via add-on tools enable KVM Remote Control and Alarm Clock (one example provided here) and ability to unlock Bitlocker encrypted drives (see video demonstration).    Aside from the Intel® AMT Audit logging capabilities, McAfee ePO Deep Command provides all of the functionality natively in one solution for the purposes of security management.

     

    Concluding Thoughts

    If Intel® AMT is already configured via Microsoft SCCM in your environment, the configuration is compatible with McAfee ePO Deep Command.   Discover the configured systems, update the Intel® AMT credentials within ePO, and enjoy the benefits related to out-of-band security management.

     

    For long term planning purposes, consider moving the Intel® AMT configuration and maintenance process away from Microsoft SCCM and utilize an Intel® SCS aligned configuration approach.   McAfee ePO Deep Command is aligned to Intel® SCS; Intel® SCS is aligned to the latest configuration options of Intel® AMT.    Just as a Microsoft SCCM configured Intel® AMT system can be compatible to McAfee ePO Deep Command, the reverse is also true.    If you are on Microsoft SCCM and want to take advantage of updated configuration options such as host based or non-Microsoft CA TLS certificates, take a look at McAfee ePO Deep Command.

     

    In the next document, I’ll explain how to configure Intel® AMT via McAfee ePO Deep Command and still be compliant with Microsoft SCCM.

     

     

    The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries