You might be asking – “Why is Microsoft SCCM referenced in a McAfee Community?” or perhaps “What is Intel® AMT?”
Answering the second question – Intel® Active Management Technology (AMT) enables beyond-the-operating-system management of the endpoint device. This type of management, often referred to as “out-of-band” or “lights out”, is common with server and datacenter environments. Intel® AMT is found in many business client platforms – workstation, desktop, and laptop. Combined with McAfee ePO Deep Command, Intel® AMT enables improved security management such as McAfee EEPC pre-boot unlock, off-hours power and security update, or remote KVM connectivity. (See related article on )
Now to the first question – Intel® AMT and the out-of-band management capabilities it provides are frequently needed for PC lifecycle management. Microsoft System Center Configuration Manager (SCCM) is a common tool used for deploying system images, deploying software packages, collecting system asset information, and so forth. Microsoft SCCM also includes the ability to configure Intel® AMT versions 3.x to 8.x.
Here is the key phrase to remember – “Once configured, Intel® AMT is a service awaiting an authenticated and authorized request.”
Fortunately, the Microsoft SCCM configuration of Intel® AMT is fully compatible with McAfee ePO Deep Command. Microsoft SCCM requires Transport Layer Security (TLS) and Active Directory (AD) integration with defined domain users\groups assigned to the Intel® AMT systems for authentication purposes.
The primary focus of this document is for McAfee ePO Deep Command to utilize Intel® AMT systems already configured via Microsoft SCCM.
The secondary focus of this document is planning considerations for ongoing Intel® AMT configuration in a Microsoft SCCM environment, which leads into the second part of this document series.
If you find Microsoft SCCM 2007 or 2012 has already configured Intel® AMT in your environment, getting McAfee ePO Deep Command ready is completed in a few simple steps:
To complete steps 1 and 2, review the McAfee ePO Deep Command setup and configuration documentation provided at https://community.mcafee.com/docs/DOC-5069 along with the McAfee ePO Deep Command 2.0 product guide.
To complete step 3, a trusted root certificate and Active Directory account used with the Microsoft SCCM configuration of Intel® AMT must be determined. The following sections explain how this is done.
Talk with your Microsoft SCCM administrator. In configuring Intel® AMT, they defined AMT Settings with specific AD users\groups. Sample screenshots from Microsoft SCCM 2012 environments are shown below, and similar steps are used with Microsoft SCCM 2007. An account with “PT Administration” rights into Intel® AMT is required by McAfee ePO Deep Command.
Within the Microsoft SCCM console, select Administration in the lower left. Expand Site Configuration and click on Sites. Right-click the target site and navigate to Configure Site Components > Out of Band Management.
Select the AMT Settings tab to see what Active Directory groups or user accounts have been applied to Intel® AMT. Add an applicable domain user credential in the McAfee ePO console for Intel® AMT credentials.
A final note for this section. If the domain user account intended for McAfee ePO’s Intel® AMT communications is not already a member of the domain group applied to the Intel® AMT firmware access control list, simply add the target user to the target domain group via the Microsoft Management Console. In the examples above, if the domain account “vprodemo\ePO_AMT_User” were to be used in the McAfee ePO Server settings for Intel® AMT Credentials, then add that account to the “vprodemo\AMTadmins” group within the Microsoft Management Console. No changes to the Intel® AMT configuration need to be pushed out: the groups defined by the Microsoft SCCM configuration have already been written into the firmware of the configured Intel® AMT systems, and group membership is evaluated at authentication time.
The earlier screenshot of the Intel® AMT Credentials in the McAfee ePO Console showed a highlighted certificate. This public root certificate is used for TLS communications specific to Intel® AMT redirection operations. Microsoft SCCM environments use an internal Microsoft PKI\CA to issue the necessary TLS certificates to the Intel® AMT systems; this, again, is defined within the Microsoft SCCM configuration settings for Intel® AMT.
There are many ways to determine which root certificate (and, if applicable, which certificate chain) was used. One example is shown here: https://community.mcafee.com/docs/DOC-4182
See the examples below for Microsoft SCCM 2012 to validate the same trusted root certificate authority is used. Similar steps are done for Microsoft SCCM 2007.
Once obtained, the Trusted Root Certificate must be imported to the Intel® AMT Credential settings of McAfee ePO.
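A quick way to confirm which root CA a configured system actually presents before importing it into ePO is to complete a TLS handshake against the AMT firmware and read back the chain. The PowerShell below is an added example, not from the original article or from McAfee/Intel documentation; the host name amt-client01.vprodemo.local is a constructed placeholder, and the ports 16993 (AMT HTTPS) and 16995 (AMT TLS redirection) are standard Intel® AMT listener ports not named on this page.

```powershell
function Get-AmtTlsChain {
    # Added example: complete a TLS handshake with an Intel AMT system, capture the certificate
    # chain it presents, and report the top-of-chain certificate (the root CA to import into ePO)
    # plus whether the local machine's Trusted Root store already contains it.
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Port = 16993   # 16993 = AMT HTTPS; 16995 = AMT TLS redirection (SOL/IDE-R/KVM)
    )
    $state = @{ Chain = $null; Errors = $null }
    # The callback only records what the device presented. Returning $true here does not make
    # anything trusted; it simply lets the handshake finish so the chain can be inspected below.
    $callback = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Chain  = $chain
        $state.Errors = $sslPolicyErrors
        return $true
    }.GetNewClosure()

    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($ComputerName)   # host name used for the TLS handshake
        $ssl.Dispose()
    } finally {
        $tcp.Close()
    }
    if (-not $state.Chain) { throw "No certificate chain captured from ${ComputerName}:$Port" }

    $elements = @($state.Chain.ChainElements)
    $top      = $elements[-1].Certificate
    # A self-issued top element is the root CA. If Subject and Issuer differ, the device did not
    # send (and this machine does not hold) the root, so it must be obtained from the issuing CA.
    $isRoot = ($top.Subject -eq $top.Issuer)

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open('ReadOnly')
    $inLocalRootStore = [bool]($store.Certificates.Find('FindByThumbprint', $top.Thumbprint, $false).Count)
    $store.Close()

    [pscustomobject]@{
        ComputerName        = $ComputerName
        Port                = $Port
        PolicyErrors        = $state.Errors
        ChainSubjects       = @($elements | ForEach-Object { $_.Certificate.Subject })
        TopSubject          = $top.Subject
        TopThumbprint       = $top.Thumbprint
        TopIsSelfSignedRoot = $isRoot
        TopInLocalRootStore = $inLocalRootStore
    }
}

# Constructed placeholder host; run against several configured systems and compare TopThumbprint.
Get-AmtTlsChain -ComputerName 'amt-client01.vprodemo.local' -Port 16995
```

If TopIsSelfSignedRoot is false, export the missing root from the issuing CA rather than importing the intermediate into ePO; if different systems return different TopThumbprint values, more than one CA has been used for AMT provisioning and each root must be imported.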
Validate McAfee ePO Deep Command policies are successfully applied and actions completed.
Although Microsoft SCCM can configure Intel® AMT in a manner that is compatible with McAfee ePO Deep Command, a few considerations for future planning purposes are listed below:
If Intel® AMT is already configured via Microsoft SCCM in your environment, the configuration is compatible with McAfee ePO Deep Command. Discover the configured systems, update the Intel® AMT credentials within ePO, and enjoy the benefits related to out-of-band security management.
For long-term planning purposes, consider moving the Intel® AMT configuration and maintenance process away from Microsoft SCCM and toward an Intel® SCS-aligned configuration approach. McAfee ePO Deep Command is aligned to Intel® SCS, and Intel® SCS is aligned to the latest configuration options of Intel® AMT. Just as a Microsoft SCCM-configured Intel® AMT system can be compatible with McAfee ePO Deep Command, the reverse is also true. If you are on Microsoft SCCM and want to take advantage of updated configuration options such as host-based configuration or non-Microsoft CA TLS certificates, take a look at McAfee ePO Deep Command.
The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries.