Intel AMT Configured via McAfee ePO Deep Command and Used by Microsoft SCCM

Introduction

This document is the second of a .

Intel® Active Management Technology (AMT) enables beyond-the-operating-system management of the endpoint device.    This type of management, often referred to as “out-of-band” or “lights out”, is common with server and datacenter environments.    Intel® AMT is found in many business client platforms – workstation, desktop, and laptop.   Combined with McAfee ePO Deep Command, Intel® AMT enables improved security management such as McAfee EEPC pre-boot unlock, off-hours power and security update, or remote KVM connectivity.    (See related article on )

Intel® AMT and the associated out-of-band management capabilities are frequently needed for PC lifecycle management.   Microsoft System Center Configuration Manager (SCCM) is a common tool used for deploying system images and software packages, collecting system asset information, and so forth.    Microsoft SCCM also includes the ability to configure Intel® AMT versions 3.x to 8.x.   

Here is the key phrase to remember – “Once configured, Intel® AMT is a service awaiting an authenticated and authorized request”

Configuration of Intel® AMT via McAfee ePO Deep Command may be a preferred approach after reviewing the considerations listed at the end of the .   Making the configuration compatible with Microsoft SCCM is the focus of this document.

Summary Steps

Microsoft SCCM Out of Band Management requires the Intel® AMT configuration to include Active Directory (AD) users\groups and Transport Layer Security (TLS).  

The TLS requirement applies also to McAfee ePO Deep Command with the flexibility of a McAfee ePO generated TLS certificate or from an internal Microsoft CA.  

The AD Users\groups must include the computer accounts of the Microsoft SCCM servers in addition to users that will access the Out of Band Management console.

Core steps to complete the setup include:

  1. Focus on the Remote Configuration approach of McAfee ePO Deep Command.    Install Intel® Setup and Configuration Service (SCS) for McAfee ePO Deep Command Remote Configuration - demonstrated online, step by step example provided in an , and explained in the McAfee ePO Deep Command product guide (see section on remote configuration)
  2. Define Active Directory (AD) Organizational Unit (OU) for Intel® AMT objects
  3. Define and Apply Appropriate Active Directory Groups – SCCM computer accounts and SCCM OOB Console users
  4. Apply and validate the Intel® AMT configuration changes
  5. Prepare the Microsoft SCCM environment for Out of Band Management

The remainder of this document will focus on steps 2 through 5.    Step 1 is covered via the linked materials.  

Intel AMT Objects in Microsoft Active Directory

Microsoft SCCM uses Kerberos authentication to communicate with Intel® AMT.   McAfee ePO Deep Command supports either Digest or Kerberos authentication.    For a foundational understanding of how Kerberos authentication to Intel® AMT works and how it differs from Digest authentication, see https://community.mcafee.com/docs/DOC-4253

The following steps assume Intel® SCS has already been installed.   

To designate an AD OU for Intel® AMT objects:

  • Create an Active Directory OU that is separate from the computer objects already in the domain

image7.png

  • Enable the Advanced Features to see all OU Property options

image8.png

  • On the Security tab, add the logon account of the RCS server from your Intel® SCS installation.   If you installed Intel® SCS using the Network Service account, the computer account is the logon account.   The example below shows the computer account (i.e. SCS8).   Grant that account Read\Write access to create objects within the designated AD OU.

image9.png

AD Groups for SCCM Servers and Out of Band Management Console

Microsoft SCCM server communications to Intel® AMT utilize Kerberos authentication.   For AMT Discovery and one-to-many actions, the SCCM computer account is used.   For one-to-one actions via the SCCM Out of Band Management Console, the currently logged on domain user account is used for Kerberos authentication.  

Intel® AMT Access Control List definitions allow users or groups to be added, not computer accounts.    A simple workaround is to define a new group and add the desired SCCM computer accounts similar to the following example.

image10.png

The SCCM Servers group is then added to the Access Control List of the Intel® AMT Configuration profile via Intel® SCS.   Grant the SCCM Server group “PT Administration” Realm access for the Remote interface.
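Steps 2 and 3 above (the dedicated OU, the delegation to the SCS logon account, and the group that wraps the SCCM computer accounts) can be scripted on a domain controller or any host with the ActiveDirectory module. The following is an added example written for this article, not code from Intel, McAfee or Microsoft. It assumes the vprodemo.com domain and SCS8 computer account from the screenshots; the OU name "Intel AMT", the SCCM server name SCCM01 and the exact rights delegated (create/delete computer objects in the OU, full control over the computer objects SCS creates there) are assumptions you should match to your own Intel SCS documentation.

```powershell
# Added example (not from the original article): AD preparation for Intel SCS and SCCM.
# Assumptions (not from the page): domain vprodemo.com, OU name "Intel AMT",
# Intel SCS RCS runs as Network Service on host SCS8 (principal VPRODEMO\SCS8$),
# SCCM site server name "SCCM01" is hypothetical.
Import-Module ActiveDirectory

$domainDn    = (Get-ADDomain).DistinguishedName        # e.g. DC=vprodemo,DC=com
$ouName      = 'Intel AMT'
$ouDn        = "OU=$ouName,$domainDn"
$scsAccount  = 'VPRODEMO\SCS8$'                        # computer account of the SCS host
$sccmServers = @('SCCM01')                             # hypothetical SCCM site server(s)

# Step 2: a dedicated OU, kept separate from the existing computer objects.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# Delegate to the SCS logon account only what it needs, and only inside this OU:
# create/delete child computer objects, plus generic-all on computer objects
# (inherited to sub-objects only, /I:S). Nothing is granted at the domain level.
& dsacls.exe $ouDn /G "${scsAccount}:CCDC;computer" | Out-Null
& dsacls.exe $ouDn /I:S /G "${scsAccount}:GA;;computer" | Out-Null

# Step 3: Intel AMT ACLs accept users and groups, not computer accounts, so the
# SCCM server computer accounts go into a group that the SCS profile references.
$groups = @{
    'SCCM Servers' = 'Computer accounts of SCCM servers (PT Administration realm)'
    'AMTadmins'    = 'Users with full Intel AMT access (PT Administration realm)'
    'AMTHelpDesk'  = 'Users with the minimum realms for the SCCM OOB console'
}
foreach ($g in $groups.GetEnumerator()) {
    if (-not (Get-ADGroup -Filter "Name -eq '$($g.Key)'")) {
        New-ADGroup -Name $g.Key -GroupScope Global -GroupCategory Security -Description $g.Value
    }
}
foreach ($server in $sccmServers) {
    $computer = Get-ADComputer -Identity $server         # computer objects are valid group members
    Add-ADGroupMember -Identity 'SCCM Servers' -Members $computer
}

# Verify: membership of the server group and the delegation as dsacls reports it.
Get-ADGroupMember -Identity 'SCCM Servers' | Select-Object Name, objectClass
& dsacls.exe $ouDn | Select-String -Pattern 'SCS8\$'
```

Run it once as a domain administrator; the OU and group creation are idempotent, and the final two lines are the check that the computer account (not a user) landed in the group and that the SCS account's rights stop at the OU boundary.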

image11.png

The above screenshot example shows other groups, namely vprodemo\AMTadmins and vprodemo\AMTHelpDesk.   Domain users associated to these groups will utilize the SCCM Out of Band Management console for direct Intel® AMT communications.

As the names suggest, vprodemo\AMTadmins is an administrator group.   Selecting PT Administration grants full access to the Intel® AMT realms, the same Realm settings as the SCCM Servers group.

In contrast, the vprodemo\AMTHelpDesk group has a reduced set of rights that is sufficient for the Microsoft SCCM Out of Band Management console.   The minimum set of Intel® AMT Realms includes:

  • Redirection
  • Hardware Asset
  • Remote Control
  • Network Time
  • General Info
  • Event Log Reader

Shown below is an example from the Intel SCS console for setting the AMT Realm settings for the HelpDesk group.

image12.png

Scrolling down on the Realms selections, the remainder of the target selections are shown.

image13.png

Apply and validate the Intel® AMT configuration changes

Complete the settings of the Intel® AMT configuration profile and apply to the target client via the Remote Configuration process.

Once Intel® AMT is configured, open a web browser and connect via the WebUI (i.e. https://FQDN:16993).    If logged on with a credential that is a member of the AMT ACL groups, click Log On and the authentication will pass through.

The following screenshot shows:

  • Intel® AMT WebUI session to x220.vprodemo.com
  • Log On has completed using vprodemo\itproadmin account (member of vprodemo\AMTadmin group)
  • Klist command shows Kerberos ticket granted for Log On account to target system

image14.png

If troubleshooting Kerberos authentication via Intel AMT WebUI using Microsoft Internet Explorer, review McAfee KB77546.

An additional testing approach is via the McAfee KVM Viewer.   The default settings will use the currently logged in credential.   Shown below, the user vprodemo\itproadmin is logged in and the McAfee KVM Viewer application will use that credential.   A successful connection validates the Kerberos and TLS settings.
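Both checks above (WebUI logon and KVM Viewer) exercise the same two prerequisites: the TLS certificate presented on port 16993 must chain to a root this machine trusts, and a Kerberos service ticket must be obtainable for the AMT object. The following added example, written for this article and not taken from Intel or McAfee, performs those two checks from the command line so a failure can be attributed to TLS or to Kerberos before opening a console. It uses the x220.vprodemo.com target from the screenshot; the assumption that Intel SCS registers a port-qualified HTTP/FQDN:16993 SPN on the AD object it creates is mine, as is treating a zero exit code from klist as success.

```powershell
# Added example (not from the original article): pre-flight checks for the
# validation step. Assumptions: target FQDN from the article, 16993 is the
# Intel AMT TLS port, and Intel SCS registered SPN HTTP/<fqdn>:16993 on the AMT object.
Import-Module ActiveDirectory

function Test-AmtTlsTrust {
    param([Parameter(Mandatory)][string]$Fqdn, [int]$Port = 16993)
    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    try {
        # Accept the handshake unconditionally here; the chain is evaluated explicitly below.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Fqdn)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $trusted = $chain.Build($cert)   # $false => the ePO/CA root is missing from this machine's store
        [pscustomobject]@{
            Target      = "${Fqdn}:${Port}"
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            RootTrusted = $trusted
            ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    } finally { $tcp.Close() }
}

function Test-AmtKerberos {
    param([Parameter(Mandatory)][string]$Fqdn, [int]$Port = 16993)
    $spn = "HTTP/${Fqdn}:${Port}"
    # Which AD object (expected: the AMT object SCS created in the designated OU) carries the SPN.
    $amtObject = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
    # Ask the LSA for a service ticket as the logged-on user; this is what the WebUI
    # "Log On" and the KVM Viewer rely on. Exit code 0 is treated as success (assumption).
    $klist = & klist.exe get $spn 2>&1
    [pscustomobject]@{
        Spn             = $spn
        SpnRegisteredOn = if ($amtObject) { $amtObject.DistinguishedName } else { $null }
        TicketObtained  = ($LASTEXITCODE -eq 0)
        KlistOutput     = ($klist | Out-String).Trim()
    }
}

$target = 'x220.vprodemo.com'   # target system from the article's screenshot
Test-AmtTlsTrust -Fqdn $target | Format-List
Test-AmtKerberos -Fqdn $target | Format-List
```

Read the two results together: RootTrusted false with a ticket obtained points at the certificate store (see Transfer the TLS root certificate below); a trusted chain with no ticket, or an SPN that resolves to no object, points at the AD side of the configuration (the OU delegation or the AMT ACL groups).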

image15.png

Prepare the Microsoft SCCM environment for Out of Band Management

Once Intel® AMT is configured and validated per the steps described above, the Microsoft SCCM environment can be updated to start using the technology.

Transfer the TLS root certificate

The public (root) certificate for TLS communications must be in the Windows certificate store of the Microsoft SCCM server and of any system running the SCCM console.   

If an internal Microsoft certificate authority was used, the trusted root certificates are replicated through the Microsoft PKI.

If the McAfee ePO Deep Command root certificate was used, as shown in the following example, follow the steps outlined in Appendix A of the product guide.

image16.png
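For the ePO-generated root, the transfer ends with the certificate sitting in the machine-wide trusted root store of each SCCM server and console host. The following is an added example (not from the Deep Command product guide) that installs an exported root and confirms it by thumbprint; the file path is hypothetical, and the export itself follows Appendix A as the article says.

```powershell
# Added example (not from the original article): install the Intel AMT TLS root on an
# SCCM server or console host and verify it. The path is hypothetical; export the root
# per Appendix A of the Deep Command product guide (ePO root) or from your Microsoft CA.
$rootCerPath = 'C:\Temp\amt-tls-root.cer'   # hypothetical path to the exported root

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootCerPath)
# Refuse to install anything but a self-signed root; an intermediate or leaf here
# would silently widen what this machine trusts.
if ($root.Subject -ne $root.Issuer) { throw "Not a self-signed root certificate: $($root.Subject)" }

# LocalMachine\Root so the SCCM service accounts and console users alike trust it.
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if (-not $installed) {
    & certutil.exe -addstore -f Root $rootCerPath | Out-Null     # requires an elevated prompt
    $installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
}

[pscustomobject]@{
    Subject    = $root.Subject
    Thumbprint = $root.Thumbprint
    NotAfter   = $root.NotAfter
    Installed  = [bool]$installed
}
```

Repeat on every host that runs the SCCM console; the Out of Band Management console validates the AMT certificate with the console machine's store, not the site server's.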

Microsoft SCCM Out of Band Service Point

Similar to a McAfee ePO extension, the Site System Roles in Microsoft SCCM provide extensions to the base solution.   

The screens below show a Microsoft SCCM 2012 environment with the system role already added.  

image17.png

Adding the system role requires its settings to be defined.   More information is available via Microsoft TechNet materials.

To ensure McAfee ePO Deep Command, not SCCM, controls the configuration of Intel AMT, the following SCCM setting must be disabled for all collections.

SCCM Disabled OOB Config.png

Once the role is added, select a target System or Collection.    Right click and a new option will appear, Manage Out of Band.  

Select the option to Discover AMT Status.

This action will initiate a call from the SCCM computer account to the target clients.  

image18.png

A successful discovery will report the AMT Status as Externally Provisioned.     More information on AMT Status within Microsoft SCCM available online.

image19.png

Note: The SCCM console view and columns can be adjusted by right clicking a column header and selecting desired columns.   Shown below, the AMT Status and AMT Version are added in.

image20.png

 

For clients showing AMT Status of “Externally Provisioned” the necessary steps are now complete.

Microsoft SCCM Out of Band Operations

Via the right click menus in the Microsoft SCCM console, there are two main Manage Out of Band actions.

The first is Power Control.    This action uses the Microsoft SCCM computer account and can be initiated on a collection of systems as shown below.

image21.png

The Power Control options are below.

image22.png

The second action is the Out of Band Management Console.   This action authenticates to Intel® AMT via the logged on user account.   Shown below, a single system is selected with the desired option in the lower right.

image23.png

Once selected, the Configuration Manager Out of Band Management console will appear as shown below.

image24.png

If Microsoft SCCM will be used to power on and patch systems, the Wake-on-LAN settings must specify the use of Intel AMT power-on commands.

SCCM OOB WoL.png

Concluding Thoughts

Configuring Intel® AMT via McAfee ePO Deep Command aligns to the Intel® SCS, ensuring support for the latest versions of the technology.   Once configured, Intel® AMT is a service awaiting an authenticated and authorized request.   This document summarized the steps required to configure Intel® AMT to be compliant with Microsoft SCCM in addition to McAfee ePO Deep Command.   Each console is able to communicate with Intel® AMT for their respective purposes.

A related blog, Integrating SCCM 2012 with SCS 8.1, provides additional insights in preparing a Microsoft SCCM environment to utilize Intel® AMT after configuration for Intel® SCS.

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries

Comments

After posting the above article, I shared insights on one approach to integrate the McAfee KVM Viewer into an SCCM console session.  See https://community.mcafee.com/community/business/epo/deepcommand/blog/2014/01/10/mcafee-kvm-viewer-vi...

Plus - just last month, McAfee released Deep Command 2.1 with further improvements to the McAfee KVM Viewer.

Version history: Revision 1 of 1, last update 10-14-2013 10:45 AM