This is part 2 of a document series to explain alternative configuration methods for Intel AMT.
This section focuses on Pre-Shared Key and Self-Signed Remote Configuration Certificate. Both methods are compatible with the ePO Deep Command AMT Configuration policy.
If you are starting to experiment with McAfee ePO Deep Command and need to get Intel® AMT configured, you may be unable to use the documented approach of remote configuration with an SSL certificate. The goal of this section is to use a method that works with the Intel AMT Configuration policy event within McAfee ePO Deep Command v1.5.
Two core approaches will be shared: a Pre-Shared Key (PSK) and a self-signed remote configuration certificate.
This approach establishes initial trust between Intel® AMT firmware and Intel® SCS via a known 40-character key pair. The pre-shared key (PSK) approach has been available since Intel® AMT 2.x, and will be phased out in future versions of Intel® AMT.
Note: McAfee ePO Deep Command officially supports Intel AMT 4.1 and higher.
The concept is relatively simple: a public and private key pair is provided to both the firmware and the configuration software. The initial handshake uses this key pair to establish a TLS session for completion of the initial Intel® AMT configuration event.
The method is useful for small test situations, yet it may be undesirable for large deployments because every system must be touched individually. The key pairs must be typed in exactly, leaving a chance for error.
To simplify the initial experience, please use the attached Setup.bin file prepared for your testing purposes.
This setup.bin file was created with the USBfile.exe utility from the Intel® AMT SDK and uses simple-to-remember values for the public and private portions of the key. The output below shows the contents of the setup.bin file.
Using the attached setup.bin file, via the Intel SCS console click the Tools option in the upper right and select the “Import PSK Key from File” option. Browse to the location where the “4444 setup.bin” file has been saved and complete the import process.
Next: The setup.bin file with the Pre-Shared Keys (PSK) must be applied to the client. Use only one of the two approaches mentioned below.
Skip to the section "Enable and Assign the AMT Configuration Policy" below on how to use the McAfee ePO Deep Command v1.5 Intel AMT Configuration policy to complete the configuration event.
Note: If you prefer to create a personal setup.bin for your environment, refer to the ConfigViaUSB command documented for Intel SCS 8.1. The command is executed on the client and will inject the PSK pair into the Intel RCS over the network. The resulting setup.bin file on the client must be placed on a FAT16-formatted USB flash drive that is 2GB or smaller. The setup.bin file must be the first file on the formatted USB flash drive. Insert the flash drive into the target computer and power it on. During the POST boot process, a prompt will appear to confirm the Intel AMT configuration event. Upon confirming the request, the system will be set to “In Configuration” with the PSK pair now applied to the firmware.
Aside from the Pre-Shared Key (PSK) method, Intel AMT is commonly configured via a remote configuration certificate. The McAfee ePO Deep Command product documentation, section 3, references creation and enabling of a custom certificate template. This template can be used to generate a self-signed remote configuration certificate using a Microsoft Enterprise CA.
For the purposes of this document, the certificate template “AMT Configuration” has already been created. The steps to create and enable the certificate template are summarized below. Refer to section 3 of the McAfee ePO Deep Command product documentation if further explanation is needed.
Save the newly created certificate template.
The certificate template must be enabled to be issued by the Microsoft Enterprise Certificate Authority. This is done by right-clicking Certificate Templates under the designated Certificate Authority and selecting New > Certificate Template to Issue. Within the window that opens, select the newly created template.
The properties page of an example certificate template ready to be issued is shown below.
After creating the custom certificate template, complete the final two key steps as described in the sub-tasks sections below:
NOTE: The above steps on creating a self-signed remote configuration certificate template must be completed on a Microsoft Enterprise Certificate Authority.
The most common approach to issuing the certificate is via the web enrollment capabilities of the Microsoft Certificate Authority server and submitting the Certificate Signing Request (CSR).
To generate the CSR, use Microsoft Internet Information Services (IIS), which is also required for web enrollment of certificates.
Select the Server Certificates option within Microsoft IIS.
Select Create Certificate Request.
Enter the Request Certificate properties similar to the example shown below, ensuring that the Organizational Unit value is Intel(R) Client Setup Certificate.
Set the Bit Length to 2048 as shown below.
Provide a location to save the certificate signing request.
Within your environment, connect to the internal certificate server via the web address <servername>/certsrv.
Once the Microsoft Active Directory Certificate Services page loads do the following:
Copy and paste the entire contents of the cert_request.txt file into the Saved Request field as shown below. In addition, select the “AMT Configuration” Certificate Template.
Once the certificate signing request and desired template are selected as shown above, select Submit.
Save the newly generated certificate file, certnew.cer.
Using the generated certnew.cer certificate, complete the certificate signing process within Microsoft IIS as shown below.
Once the certificate signing process has been completed, export the certificate with private key to a .PFX file.
Import the certificate to the Personal Certificate Folder of the Logon account for the RCS server. This process is explained in various locations including the Intel vPro Platform Provisioning Certificates webpage.
Once the certificate is imported, visually inspect the certificate for the following information:
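The certificate steps above (CSR with the required Organizational Unit and 2048-bit key, submission to the Enterprise CA, completion, export to .PFX, import into the logon account's Personal store, and inspection) can also be done from the command line. The following PowerShell script is an added example and is not code from the original article, from Intel SCS, or from McAfee ePO Deep Command. It assumes certreq.exe and the Windows PKI module are available, that the CA is reachable under the placeholder `CAHOST\CA-NAME`, that the internal name of the “AMT Configuration” template is `AMTConfiguration` (the article gives only the display name), and that the script runs as the RCS logon account so the certificate lands in that account's Personal store. It ends by walking the chain to the root and printing the root certificate hash values that the next step enters into the MEBx.

```powershell
# Added example: request, issue, export and verify an Intel AMT remote configuration
# certificate with certreq.exe and PowerShell. Host names, CA name and template
# name below are placeholders/assumptions, not values from the original article.

$CaConfig     = 'CAHOST\CA-NAME'      # assumption: "<CA host>\<CA common name>"
$TemplateName = 'AMTConfiguration'    # assumption: internal name of "AMT Configuration"
$SubjectCN    = 'rcs.example.local'   # assumption: FQDN of the Intel RCS server
$RequiredOU   = 'Intel(R) Client Setup Certificate'   # required OU from the article
$PfxPath      = "$env:USERPROFILE\amt-config.pfx"

# 1. CSR definition. The OU must be exactly the Intel client setup string, the key
#    length 2048, and the key exportable so it can later be written to a .PFX file.
#    MachineKeySet=FALSE keeps the key in the current user's (RCS logon account) store.
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$SubjectCN, OU=$RequiredOU, O=Example Org, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
KeyUsage = 0xa0

[RequestAttributes]
CertificateTemplate = $TemplateName
"@ | Set-Content -Path .\amt-config.inf -Encoding ASCII

# 2. Generate the CSR, submit it to the Enterprise CA with the template attribute,
#    then bind the issued certificate to its private key in CurrentUser\My.
certreq -new .\amt-config.inf .\cert_request.txt | Out-Null
certreq -submit -config $CaConfig -attrib "CertificateTemplate:$TemplateName" `
    .\cert_request.txt .\certnew.cer | Out-Null
certreq -accept .\certnew.cer | Out-Null

# 3. Find the newly issued certificate (with private key) in the Personal store.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "CN=$SubjectCN*" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "Issued certificate not found in CurrentUser\My" }

# 4. Export certificate plus private key to a password-protected .PFX for the RCS server.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null

# 5. Inspect the certificate: OU, key length, private key, chain, and root hash.
function Test-AmtConfigCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $problems = @()
    if ($Certificate.Subject -notmatch [regex]::Escape("OU=$RequiredOU")) {
        $problems += "OU is not '$RequiredOU'"
    }
    if ($Certificate.PublicKey.Key.KeySize -ne 2048) { $problems += 'key length is not 2048' }
    if (-not $Certificate.HasPrivateKey) { $problems += 'private key is not present' }

    # Walk the chain to the root CA; its hash is the value entered into the MEBx.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline-friendly; trust is checked, CRL is not
    if (-not $chain.Build($Certificate)) { $problems += 'chain does not build to a trusted root' }
    $root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $sha256 = [System.Security.Cryptography.SHA256]::Create().ComputeHash($root.RawData)

    [pscustomobject]@{
        Subject        = $Certificate.Subject
        RootSubject    = $root.Subject
        RootSha1Hash   = $root.Thumbprint                       # SHA-1 thumbprint of the root
        RootSha256Hash = ([BitConverter]::ToString($sha256) -replace '-')
        Problems       = $problems                              # empty means all checks passed
    }
}

Test-AmtConfigCert -Certificate $cert | Format-List
```

The `Problems` list should be empty before the certificate is used; a non-empty list (wrong OU, a 1024-bit key, or a chain that does not reach a trusted root) means the remote configuration handshake will fail and the certificate should be reissued. Which of the two root hash values the MEBx accepts depends on the firmware generation, so note both.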
Using the obtained root certificate hash value, access the MEBx of the client and insert this value into the firmware. The location will vary depending on the generation of the Intel AMT firmware, but it is commonly located under a sub-menu highlighting TLS-PKI. One example is provided below.
Note: The above guidance is for manually inserting the root certificate hash value. This approach is useful for small test or deployment environments. For production use of a custom root certificate hash, other methods are available yet beyond the scope of this article.
Save the changes to the MEBx and allow the device to boot into the host operating system.
Refer to the section below on how to use the McAfee ePO Deep Command v1.5 Intel AMT Configuration policy to complete the configuration process.
Within ePO Deep Command v1.5, enable the AMT Configuration Policies according to your environment. This step requires RCS Manager to be installed on the target Intel SCS 8.x server to enable the policy, and an Intel AMT configuration profile to have been generated within the Intel SCS 8.x console. For more information on how to set up Intel SCS 8.x and create a profile, please refer to the McAfee ePO Deep Command v1.5 product documentation.
After the policy has run, update the Intel AMT Discovery Plugin data to confirm the clients have been configured. The updated data feeds the Intel AMT related queries, reports, and so forth.
In addition, a successful Intel AMT configuration using the AMT Configuration Policies will be listed in the Threat Event Log as shown below.
Although Intel AMT is configured, the AMT Actions may still be grayed out until the AMT tag is applied to a system. To expedite the process of applying the AMT tag, run the existing Run Tag Criteria Server Task for ePO Deep Command, which reviews and applies the AMT tag.
Shown in the example below are two systems configured with the AMT tag applied. Although the first used a PSK value and the second used a custom root certificate hash, both responded to the ePO Deep Command v1.5 AMT Configuration Policy.
The systems have a compliant configuration for ePO Deep Command without use of an SSL remote configuration certificate from a public CA.
The approaches shared in this section are useful for testing or small deployments.
Please refer to other sections of this document series if a different alternative method is needed to configure Intel AMT to be compliant with ePO Deep Command.
The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries.