This is part 3 of a document series to explain alternative configuration methods for Intel AMT.
This section focuses on Host Based Configuration: the ability to configure Intel AMT via the local host operating system.
Starting with Intel® AMT 7, a new approach was introduced to configure Intel AMT via local software without use of a remote configuration certificate. This approach is called Host Based Configuration.
Note: Some OEMs provide the Host Based Configuration capability with Intel AMT 6.2. Dell and Lenovo are two example platforms. At this time, HP supports only Intel AMT 7.x and higher. Check with your preferred OEM provider.
Host Based Configuration in connection with McAfee ePO Deep Command is a simple-to-use solution. However, there are a few considerations:
The remaining materials utilize the sample profile “AMTprofile” to complete the Intel AMT configuration process. The examples shared run commands from the Local System account context.
This section focuses on the network permissions required for Host Based Configuration. For simplicity, the same WMI\DCOM permissions will be used as stated in the
The following diagram summarizes the events and permissions required for the AMT Configuration Policy within McAfee ePO Deep Command to complete:
Using the Intel SCS console, select to Export the Intel AMT configuration profile (i.e. AMTprofile).
Provide a path and file name for the XML profile, along with an encryption password.
The main points of the profile export screen are shown below.
Note: Be sure to select "The User running the RCS". This option instructs the Intel AMT Client Utility (ACUconfig.exe) to utilize RCSserver when requesting the necessary Microsoft Certificate Authority and Microsoft Active Directory options as stated in the configuration profile.
The default McAfee ePO Deep Command setup runs Intel AMT configuration events via the McAfee agent on the client. The McAfee agent runs the Intel ACUconfig application under the local system context. To repeat this manually, a tool such as Microsoft’s Sysinternals PSexec is required and can be obtained at http://technet.microsoft.com/en-us/sysinternals/bb897553. Place the psexec files on the client.
The test will also use the ePO Deep Command client files for Configurator, located as shown below. The previously exported XML file must be copied to this location for testing purposes.
Open a command prompt with elevated permissions. This is done by right clicking the Command Prompt icon (i.e. CMD.exe) and selecting “Run As Administrator”.
Using the PSexec.exe utility that was copied to the client, run the following command:
Psexec.exe -i -s cmd.exe
The following screenshot shows that the local user (i.e. DemoUser) was used to execute the PSexec command. The result is a command prompt window running in the System context.
Using the command prompt running under the System account, change to the Configurator directory shown above (i.e. c:\Program Files (x86)\McAfee\ePO Deep Command Client\Configurator).
The exported XML file from the SCS console is located in this directory, if the previous steps were completed.
Run the following command:
Acuconfig.exe configamt <XMLfile> /decryptionpassword <password>
The password value is the encryption password used during the profile export routine.
A successful configuration will look similar to the following:
Intel AMT is now configured in Client Control Mode, using the Host Based Configuration process.
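The steps above can be wrapped in a short PowerShell script that confirms the Local System context before calling ACUconfig and prompts for the export password instead of having it typed into the command line history. This is an added example, not part of the original article or of Intel's or McAfee's tooling. The profile file name AMTprofile.xml, the use of exit code 0 as the success value, and the cleanup of the copied profile are assumptions.

```powershell
# Added example. Start powershell.exe from the System-context prompt opened with "psexec -i -s".
$ErrorActionPreference = 'Stop'

# Configurator directory as given in this article.
$configurator = 'C:\Program Files (x86)\McAfee\ePO Deep Command Client\Configurator'
# Assumption: the profile exported from the SCS console was saved as AMTprofile.xml.
$profileName = 'AMTprofile.xml'

# The article runs ACUconfig as Local System; stop if this session is any other account.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $identity.IsSystem) {
    throw "Running as $($identity.Name); start this from the psexec -i -s prompt."
}

Push-Location -LiteralPath $configurator
try {
    foreach ($file in 'ACUconfig.exe', $profileName) {
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            throw "Missing file in Configurator directory: $file"
        }
    }

    # Prompt for the encryption password chosen during the profile export.
    $secure = Read-Host -Prompt 'Profile encryption password' -AsSecureString
    $plain  = [System.Net.NetworkCredential]::new('', $secure).Password

    # Same command as in the article. The password is still passed as an argument,
    # because that is the ACUconfig syntax the article uses.
    & .\ACUconfig.exe configamt $profileName /decryptionpassword $plain
    $exitCode = $LASTEXITCODE
    $plain = $null

    # Assumption: exit code 0 means success; any other value is treated as a failure.
    if ($exitCode -ne 0) {
        throw "ACUconfig configamt exited with code $exitCode"
    }

    # The profile was copied here for testing only, so remove the copy once it has been applied.
    Remove-Item -LiteralPath $profileName -Force
    Write-Output 'ACUconfig configamt completed; copied profile removed.'
}
finally {
    Pop-Location
}
```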
Once Intel AMT is configured, validate the configuration via one or more of the following methods:
When the requirements of certificate-based remote configuration are fulfilled, a separate ACUconfig command can be used to move a system from Client Control Mode to Admin Control Mode. Click here for more information on the requirements and how to acquire a valid certificate.
The command, running under the local system account as shown previously, for moving to Admin Control Mode is "MoveToACM" as shown below:
ACUconfig MoveToACM <RCSserver>
The RCSserver value is replaced with the hostname, FQDN, or IP address of the system where RCSserver is running.