Intel AMT Configured via McAfee ePO Deep Command and Used by Microsoft SCCM

Version 2

    Introduction

    This document is the second of a two-part series.

     

    Intel® Active Management Technology (AMT) enables management of the endpoint device beyond the operating system. This type of management, often referred to as "out-of-band" or "lights out", is common in server and datacenter environments. Intel® AMT is found in many business client platforms – workstation, desktop, and laptop. Combined with McAfee ePO Deep Command, Intel® AMT enables improved security management such as McAfee EEPC pre-boot unlock, off-hours power-on for security updates, or remote KVM connectivity. (See the related article on Good, Better, and Best Scenarios for McAfee ePO Deep Command.)

    Intel® AMT and the associated out-of-band management capabilities are frequently needed for PC lifecycle management. Microsoft System Center Configuration Manager (SCCM) is a common tool for deploying system images and software packages, collecting system asset information, and so forth. Microsoft SCCM also includes the ability to configure Intel® AMT versions 3.x to 8.x.

     

    Here is the key phrase to remember – "Once configured, Intel® AMT is a service awaiting an authenticated and authorized request." Intel® AMT initiates nothing on its own: every management action comes from a caller that first authenticates (Digest or Kerberos) and is then authorized by the realms granted to it in the Intel® AMT Access Control List. The rest of this document is about making the SCCM callers pass those two checks.

     

    Configuration of Intel® AMT via McAfee ePO Deep Command may be a preferred approach after reviewing the considerations listed at the end of the previous document.   Making the configuration compatible with Microsoft SCCM is the focus of this document.

     

    Summary Steps

     

    Microsoft SCCM Out of Band Management requires the Intel® AMT configuration to include Active Directory (AD) users\groups and Transport Layer Security (TLS).  

     

    The TLS requirement also applies to McAfee ePO Deep Command; the TLS certificate can be one generated by McAfee ePO or one issued by an internal Microsoft CA.

     

    The AD users\groups must include the computer accounts of the Microsoft SCCM site servers in addition to the users who will access the Out of Band Management console.

     

    Core steps to complete the setup include:

    1. Use the Remote Configuration approach of McAfee ePO Deep Command. Install Intel® Setup and Configuration Service (SCS) for McAfee ePO Deep Command Remote Configuration; a step-by-step example is provided in an earlier article, and the process is explained in the McAfee ePO Deep Command product guide (see the section on remote configuration).
    2. Define Active Directory (AD) Organizational Unit (OU) for Intel® AMT objects
    3. Define and Apply Appropriate Active Directory Groups – SCCM computer accounts and SCCM OOB Console users
    4. Apply and validate the Intel® AMT configuration changes
    5. Prepare the Microsoft SCCM environment for Out of Band Management

     

    The remainder of this document will focus on steps 2 through 5. Step 1 is covered via the linked materials.

     

    Intel AMT Objects in Microsoft Active Directory

    Microsoft SCCM uses Kerberos authentication to communicate with Intel® AMT. McAfee ePO Deep Command can use either Digest or Kerberos authentication. For a foundational understanding of how Kerberos authentication to Intel® AMT works and how it differs from Digest authentication, see https://community.mcafee.com/docs/DOC-4253

     

    The following steps assume Intel® SCS has already been installed.   

     

    To designate an AD OU for Intel® AMT objects:

    • Create an Active Directory OU that is separate from the computer objects already in the domain

     

    image7.png

    • Enable the Advanced Features to see all OU Property options

    image8.png

    • On the Security tab, add the logon account of the RCS (Remote Configuration Service) server from your Intel® SCS installation. If you installed Intel® SCS to run as the Network Service account, the computer account of the SCS server is the logon account. The example below shows the computer account (i.e. SCS8). Grant that account permission to create and manage computer objects within the designated AD OU; Intel® SCS uses it to create the AD object (and its Kerberos service principal names) for each Intel® AMT system it configures.

    image9.png

     

    AD Groups for SCCM Servers and Out of Band Management Console

    Microsoft SCCM server communication with Intel® AMT uses Kerberos authentication. For AMT discovery and one-to-many actions, the SCCM site server computer account is used. For one-to-one actions via the SCCM Out of Band Management Console, the currently logged-on domain user account is used for Kerberos authentication.

     

    Intel® AMT Access Control List definitions allow users or groups to be added, not computer accounts. A simple workaround is to define a new group and add the desired SCCM computer accounts to it, similar to the following example.

    image10.png
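    The OU designation and the group creation above, scripted as an added PowerShell example. This is not code from the original article, McAfee, or Intel. It assumes the ActiveDirectory module is available on the machine it runs on, that the Intel® SCS service runs as Network Service on a server named SCS8, that the SCCM site servers are SCCM01 and SCCM02, and the OU and group names shown; adjust the values at the top. The delegation grants what the OU Security tab step describes: the right to create and delete computer objects in the OU, plus full control over the computer objects created there.

```powershell
# Added example, not from the article: prepare Active Directory for Intel SCS and SCCM.
# Assumed names: OU 'IntelAMT', SCS server 'SCS8' (Network Service logon),
# SCCM site servers 'SCCM01' and 'SCCM02', groups 'SCCM Servers', 'AMTadmins', 'AMTHelpDesk'.
Import-Module ActiveDirectory

$DomainDn    = (Get-ADDomain).DistinguishedName
$AmtOuName   = 'IntelAMT'
$AmtOuDn     = "OU=$AmtOuName,$DomainDn"
$ScsServer   = 'SCS8'                      # Intel SCS host; its computer account is the RCS logon account
$SccmServers = @('SCCM01', 'SCCM02')       # site servers that talk to AMT with their computer account

# 1. Dedicated OU, kept apart from the existing computer objects.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$AmtOuName'" -SearchBase $DomainDn)) {
    New-ADOrganizationalUnit -Name $AmtOuName -Path $DomainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Delegate to the SCS logon account: create/delete 'computer' objects in the OU
#    and full control over the computer objects SCS creates underneath it.
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the 'computer' class
$ScsSid = (Get-ADComputer -Identity $ScsServer).SID
$Acl    = Get-Acl -Path "AD:\$AmtOuDn"
$Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $ScsSid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ComputerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))
$Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $ScsSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $ComputerClassGuid)))
Set-Acl -Path "AD:\$AmtOuDn" -AclObject $Acl

# 3. Groups for the AMT ACL. Computer accounts cannot be listed in the AMT ACL directly,
#    so the SCCM site servers go into a group; users get separate groups so the help-desk
#    group can be limited to the reduced realm set in the SCS profile.
$Groups = @{
    'SCCM Servers' = 'SCCM site servers that authenticate to Intel AMT with their computer account'
    'AMTadmins'    = 'Users with full Intel AMT realm access (PT Administration)'
    'AMTHelpDesk'  = 'Users limited to the realms the SCCM Out of Band Management console needs'
}
foreach ($name in $Groups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
                    -Path "CN=Users,$DomainDn" -Description $Groups[$name]
    }
}
Add-ADGroupMember -Identity 'SCCM Servers' -Members ($SccmServers | ForEach-Object { Get-ADComputer -Identity $_ })

# Verify that the delegation landed on the OU for the SCS computer account.
(Get-Acl -Path "AD:\$AmtOuDn").Access |
    Where-Object { $_.IdentityReference -like "*\$ScsServer`$" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

    Run it once as a domain administrator. The final query should list two entries for the SCS computer account: CreateChild/DeleteChild scoped to the computer class on the OU itself, and GenericAll inherited by descendant computer objects. Nothing here touches the existing computer OU, which is the point of keeping the Intel® AMT objects separate.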

     

    The SCCM Servers group is then added to the Access Control List of the Intel® AMT Configuration profile via Intel® SCS.   Grant the SCCM Server group “PT Administration” Realm access for the Remote interface.

    image11.png

     

    The above screenshot example shows other groups, namely vprodemo\AMTadmins and vprodemo\AMTHelpDesk. Domain users in these groups will use the SCCM Out of Band Management console for direct Intel® AMT communications.

    As the name suggests, vprodemo\AMTadmins is an administrator group. Full access to all Intel® AMT realms is granted by selecting PT Administration, the same realm setting as the SCCM Servers group.

     

    In contrast, the vprodemo\AMTHelpDesk group has a reduced set of rights that is sufficient for the Microsoft SCCM Out of Band Management console. Keep help-desk users at this minimum; PT Administration would also let them change the Intel® AMT ACL and other security settings. The minimum set of Intel® AMT realms includes:

    • Redirection
    • Hardware Asset
    • Remote Control
    • Network Time
    • General Info
    • Event Log Reader

     

    Shown below is an example from the Intel SCS console for setting the AMT Realm settings for the HelpDesk group.

    image12.png

    Scrolling down on the Realms selections, the remainder of the target selections are shown.

     

    image13.png

     

    Apply and validate the Intel® AMT configuration changes

    Complete the settings of the Intel® AMT configuration profile and apply to the target client via the Remote Configuration process.

     

    Once Intel® AMT is configured, open a web browser and connect to the WebUI over TLS (e.g. https://FQDN:16993; port 16992 is the non-TLS WebUI port). If logged on with a credential that is a member of one of the AMT ACL groups, click Log On and the Kerberos authentication will pass through without a password prompt. The browser must trust the root certificate that issued the Intel® AMT TLS certificate, otherwise the connection will show a certificate warning.

     

    The following screenshot shows:

    • Intel® AMT WebUI session to x220.vprodemo.com
    • Log On has completed using the vprodemo\itproadmin account (member of the vprodemo\AMTadmins group)
    • The klist command shows the Kerberos ticket granted to the logged-on account for the target system

     

    image14.png

     

    If troubleshooting Kerberos authentication via Intel AMT WebUI using Microsoft Internet Explorer, review McAfee KB77546.

     

    An additional testing approach is via the McAfee KVM Viewer. By default it uses the currently logged-on credential. Shown below, the user vprodemo\itproadmin is logged on and the McAfee KVM Viewer application will use that credential. A successful connection validates both the Kerberos and the TLS settings.

     

    image15.png
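    The two checks the WebUI and KVM Viewer tests perform (TLS trust and a Kerberos ticket for the target), scripted as an added PowerShell example so they can be repeated from any workstation logged on as a member of an AMT ACL group. This is not code from the original article, McAfee, or Intel. It assumes the target x220.vprodemo.com, the TLS WebUI port 16993, and the service principal name form HTTP/<fqdn>:<port> that Intel® SCS registers on the AMT computer object; the RevocationMode setting is an assumption about ePO-generated certificates, which carry no CRL.

```powershell
# Added example, not from the article: validate a configured Intel AMT client.
# Assumptions: host x220.vprodemo.com, WebUI TLS port 16993, SPN form HTTP/<fqdn>:<port>.
param(
    [string]$AmtHost = 'x220.vprodemo.com',
    [int]$Port = 16993
)

function Test-AmtTls {
    # Opens a TLS session to the AMT WebUI port and reports the server certificate and
    # whether it chains to a root in this machine's trusted store. The SCCM site server
    # and console systems need the same root, so a failure here predicts a failure there.
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake; trust is evaluated explicitly below.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false,
                   ([System.Net.Security.RemoteCertificateValidationCallback]{ $true }))
        $ssl.AuthenticateAsClient($HostName)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust test only; ePO-issued certs have no CRL (assumption)
        $trusted = $chain.Build($cert)
        [pscustomobject]@{
            Host         = $HostName
            Protocol     = $ssl.SslProtocol
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            ChainTrusted = $trusted
            ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
        $ssl.Dispose()
    } finally {
        $client.Close()
    }
}

function Test-AmtKerberos {
    # Requests a service ticket for the AMT SPN from the current logon session and confirms
    # klist shows it. A ticket without any password prompt means Kerberos, not Digest, is in use.
    param([string]$HostName, [int]$Port)
    $spn = "HTTP/${HostName}:${Port}"          # SPN form registered by Intel SCS (assumption)
    $out = & klist.exe get $spn 2>&1
    [pscustomobject]@{
        Spn          = $spn
        TicketIssued = ($LASTEXITCODE -eq 0) -and [bool]($out -match [regex]::Escape($spn))
        Detail       = ($out | Select-String -Pattern 'Server:|KerbTicket|Ticket Flags' |
                        ForEach-Object { $_.Line.Trim() }) -join '; '
    }
}

Test-AmtTls      -HostName $AmtHost -Port $Port | Format-List
Test-AmtKerberos -HostName $AmtHost -Port $Port | Format-List
```

    If ChainTrusted is False, the issuing root (ePO-generated or internal CA) is missing from the local trusted root store and the SCCM side will fail the same way. If TicketIssued is False, confirm the SPN on the Intel® AMT object that SCS created in the OU (setspn -L <AMT computer account>) and review the Kerberos troubleshooting in McAfee KB77546.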

     

    Prepare the Microsoft SCCM environment for Out of Band Management

    Once Intel® AMT is configured and validated per the steps described above, the Microsoft SCCM environment can be updated to start using the technology.

     

    Transfer the TLS root certificate

    The root certificate of the CA that issued the Intel® AMT TLS certificate must be in the trusted root certificate store of the Microsoft SCCM site server and of every system running the SCCM console; without it the Out of Band Service Point and the console cannot establish the TLS session to Intel® AMT.

    If an internal Microsoft enterprise CA was used, its root certificate is already distributed to domain-joined systems through Active Directory, so no manual transfer is needed.

    If the McAfee ePO Deep Command root certificate was used, as shown in the following example, export it and import it on those systems by following the steps outlined in Appendix A of the product guide.

     

    image16.png

     

    Microsoft SCCM Out of Band Service Point

    Similar to a McAfee ePO extension, the Site System Roles in Microsoft SCCM provide extensions to the base solution.   

     

    The screens below show a Microsoft SCCM 2012 environment with the Out of Band Service Point role already added.

    image17.png

    Adding the site system role requires its settings to be defined. More information is available in the Microsoft TechNet materials.

     

    To ensure McAfee ePO Deep Command remains in control of the Intel® AMT configuration, the following SCCM client setting must be disabled for all collections, so that SCCM does not attempt to provision or re-provision Intel® AMT itself.

     

    SCCM Disabled OOB Config.png

     

    Once the role is added, select a target System or Collection.    Right click and a new option will appear, Manage Out of Band.  

     

    Select the option to Discover AMT Status.

     

    This action will initiate a call from the SCCM computer account to the target clients.  

    image18.png

     

    A successful discovery will report the AMT Status as Externally Provisioned.     More information on AMT Status within Microsoft SCCM available online.

     

    image19.png

     

    Note: The SCCM console view and columns can be adjusted by right clicking a column header and selecting desired columns.   Shown below, the AMT Status and AMT Version are added in.

    image20.png

     

    For clients showing AMT Status of “Externally Provisioned” the necessary steps are now complete.
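    The two SCCM preparation steps above that can be checked from the command line, the root certificate transfer and the result of Discover AMT Status, as an added PowerShell example. This is not code from the original article, McAfee, Intel, or Microsoft. It assumes the ePO root was exported to .\ePO-DeepCommand-root.cer, that the site server is SCCM01 and a console workstation is ADMINWS01, and that the SMS_R_System resource class exposes AMTStatus and AMTFullVersion with the numbering in the $AmtStatusName table (an assumption to verify against your site's class before relying on it).

```powershell
# Added example, not from the article: (a) import the ePO Deep Command root certificate into the
# Local Computer trusted root store on the SCCM site server and console systems, and (b) read back
# the AMT status recorded by Discover AMT Status so clients not "Externally Provisioned" stand out.
# Assumptions: paths/hosts below; SMS_R_System.AMTStatus numbering in $AmtStatusName.
param(
    [string]$RootCertPath   = '.\ePO-DeepCommand-root.cer',
    [string]$SiteServer     = 'SCCM01',
    [string[]]$ConsoleHosts = @('SCCM01', 'ADMINWS01')
)

# (a) Trust the ePO-issued AMT certificates. certutil exists on every supported Windows version,
#     so the same command works on the site server and on older console workstations.
$rootCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCertPath)
$rootBytes = [IO.File]::ReadAllBytes((Resolve-Path $RootCertPath))
foreach ($h in $ConsoleHosts) {
    Invoke-Command -ComputerName $h -ArgumentList $rootBytes, $rootCert.Thumbprint -ScriptBlock {
        param([byte[]]$cerBytes, [string]$thumbprint)
        $tmp = Join-Path $env:TEMP 'epo-root.cer'
        [IO.File]::WriteAllBytes($tmp, $cerBytes)
        certutil.exe -addstore -f Root $tmp | Out-Null
        Remove-Item $tmp
        # Return the store entry so the caller can see the import succeeded on each host.
        Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $thumbprint } |
            Select-Object @{n='Host';e={$env:COMPUTERNAME}}, Subject, Thumbprint, NotAfter
    }
}

# (b) Read AMT status from the site's SMS provider. Discover AMT Status must have run first.
$provider = Get-WmiObject -Namespace 'root\sms' -Class SMS_ProviderLocation -ComputerName $SiteServer |
            Where-Object { $_.ProviderForLocalSite } | Select-Object -First 1
$ns = "root\sms\site_$($provider.SiteCode)"
# Assumed mapping of SMS_R_System.AMTStatus to the console's AMT Status column; verify on your site.
$AmtStatusName = @{ 0 = 'Not Supported'; 1 = 'Detected'; 2 = 'Not Provisioned'; 3 = 'Provisioned'; 4 = 'Externally Provisioned' }

$systems = Get-WmiObject -Namespace $ns -ComputerName $provider.Machine -Class SMS_R_System `
                         -Property Name, AMTStatus, AMTFullVersion |
           Where-Object { $_.AMTStatus -ne $null }

# Summary by status, then the list of clients SCCM does not see as externally provisioned.
$systems | Group-Object -Property AMTStatus | ForEach-Object {
    [pscustomobject]@{ AMTStatus = $_.Name; Meaning = $AmtStatusName[[int]$_.Name]; Count = $_.Count }
} | Format-Table -AutoSize
$systems | Where-Object { $_.AMTStatus -ne 4 } | Select-Object Name, AMTStatus, AMTFullVersion
```

    Clients that appear in the final list were either not reached by discovery (check TLS trust and the SCCM Servers group membership in the AMT ACL) or are not yet configured; those are sent back through McAfee ePO Deep Command Remote Configuration rather than provisioned by SCCM, which is why the SCCM provisioning setting stays disabled.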

     

     

    Microsoft SCCM Out of Band Operations

    Via the right-click menus in the Microsoft SCCM console, there are two main Manage Out of Band actions.

     

    The first is Power Control.    This action uses the Microsoft SCCM computer account and can be initiated on a collection of systems as shown below.

    image21.png

     

    The Power Control options are below.

    image22.png

    The second action is the Out of Band Management Console.   This action authenticates to Intel® AMT via the logged on user account.   Shown below, a single system is selected with the desired option in the lower right.

     

    image23.png

    Once selected, the Configuration Manager Out of Band Management console will appear as shown below.

    image24.png

    If Microsoft SCCM will be used to power on and patch systems, the site's Wake-on-LAN settings must specify the use of Intel® AMT power-on commands.

    SCCM OOB WoL.png

     

    Concluding Thoughts

    Configuring Intel® AMT via McAfee ePO Deep Command is built on Intel® SCS, ensuring support for the latest versions of the technology. Once configured, Intel® AMT is a service awaiting an authenticated and authorized request. This document summarized the steps required to configure Intel® AMT to be compatible with Microsoft SCCM in addition to McAfee ePO Deep Command. Each console is able to communicate with Intel® AMT for its respective purposes.

     

    A related blog, Integrating SCCM 2012 with SCS 8.1, provides additional insights in preparing a Microsoft SCCM environment to utilize Intel® AMT after configuration for Intel® SCS.

     

     

    The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries