Intel® Setup and Configuration Software (® SCS)

Deployment Guide

Version 8.0

Document Release Date: May 2, 2012

Document Version: 1.1

INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR.

Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined." Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information. The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or go to: http://www.intel.com/design/literature.htm.

Intel® Active Management Technology requires activation and a system with a corporate network connection, an Intel® AMT-enabled chipset, network hardware and software. For notebooks, Intel AMT may be unavailable or limited over a host OS-based VPN, when connecting wirelessly, on battery power, sleeping, hibernating or powered off. Results dependent upon hardware, setup & configuration. For more information, visit http://www.intel.com/technology/platform-technology/intel-amt. Intel® vPro™ Technology is sophisticated and requires setup and activation. Availability of features and results will depend upon the setup and configuration of your hardware, software and IT environment. To learn more visit: http://www.intel.com/technology/vpro. Systems using Client Initiated Remote Access require wired LAN connectivity and may not be available in public hot spots or "click to accept" locations. For more information on CIRA, visit http://software.intel.com/en-us/articles/fast-call-for-help-overview. Intel, the Intel logo, and Intel vPro, are trademarks of Intel Corporation in the U.S. and/or other countries. * Other names and brands may be claimed as the property of others. Copyright © 2012, Intel Corporation. All rights reserved.

1 Introduction ...... 5
2 Intel® AMT Overview ...... 6
2.1 Intel® SCS Overview ...... 6
2.2 Infrastructure Starting State ...... 7
3 Intel AMT Discovery ...... 9
3.1 Purposes and Prerequisites ...... 9
3.2 Local Query of Intel AMT Status ...... 10
3.3 Local SystemDiscovery of Intel AMT ...... 10
4 Deciding on a Configuration Path ...... 12
4.1 Why is Setup and Configuration Necessary? ...... 12
4.2 Configuration Process Overview ...... 13
4.3 Configuration Methods ...... 14
4.4 Domain User Account ...... 15
4.5 Install the Intel SCS Server Components ...... 15
5 Configuration Options ...... 17
5.1 Host-Based Configuration ...... 17
5.1.1 Create Intel AMT Configuration Profile ...... 17
5.1.2 Export the Profile and Run the ACUConfig Utility ...... 19
5.2 SMB/Manual Configuration ...... 20
5.3 Remote Configuration Using PKI ...... 22
5.3.1 Configure Certificates for Intel AMT ...... 22
5.3.1.1 Task: Get SSL Certificate for Remote Intel AMT Configuration ...... 22
5.3.1.2 Task: Export SSL Certificate for Remote Intel AMT Configuration ...... 29
5.3.1.3 Task: Import SSL Certificate for Remote Intel AMT Configuration to User Certificate Store ...... 31
5.3.2 Create and Apply Configuration Profile via Remote Configuration using PKI ...... 34
5.4 Verify the Setup and Configuration ...... 36
6 Delta Configurations ...... 37
6.1 Infrastructure Considerations ...... 37
6.2 Change Control Management ...... 40
6.2.1 Defining and Applying a Delta Configuration ...... 41
6.2.2 Changing Configuration Mode ...... 43
7 Configuration Maintenance ...... 44
8 Deployment Scenarios ...... 46
8.1 Enterprise Wired Deployment ...... 48
8.1.1 Overview ...... 48
8.1.2 Intel AMT Configuration Methods and Options ...... 48
8.2 Enterprise Wireless Deployment ...... 49
8.2.1 Overview ...... 49
8.2.2 Intel AMT Configuration Methods and Options ...... 50
8.3 Clients Outside the Enterprise ...... 50
8.3.1 Overview ...... 50
8.3.2 Intel AMT Configuration Methods and Options ...... 50
8.4 Service Provider Deployment ...... 51
8.4.1 Overview ...... 51
8.4.2 Intel AMT Configuration Methods and Options ...... 52
8.5 Permissions Required for ACUconfig and Accessing the RCS ...... 52
A Appendix A: Common Configuration Options ...... 57
A.1 Defining the Intel AMT FQDN Source ...... 57
A.1.1 Purpose of Intel AMT FQDN Value ...... 57
A.1.2 Prerequisites to Determining Intel AMT FQDN Value ...... 57
A.1.3 Defining, Applying, and Validating Intel AMT FQDN Value ...... 58
A.2 Defining Access Authorization via Intel AMT ACL ...... 58
A.2.1 Purpose of Intel AMT Access Control List ...... 58
A.2.2 Prerequisites in Determining Level of Authorization ...... 59
A.2.3 Defining, Applying, and Validating Intel AMT ACLs ...... 60
A.3 Active Directory Integration ...... 60
A.3.1 Purpose of Active Directory Integration ...... 61
A.3.2 Prerequisites and Dependencies for Active Directory Integration ...... 61
A.3.3 Defining, Applying, and Validating Intel AMT Value ...... 64
A.4 Transport Layer Security (TLS) ...... 66
A.4.1 Purpose of TLS with Intel AMT Configuration ...... 66
A.4.2 Overview and Prerequisites for TLS ...... 67
A.4.3 Environmental Preparations ...... 67
A.4.3.1 Enabling Web Enrollment for Microsoft Certificate Authority ...... 68
A.4.3.2 Granting Service Account Privileges to Microsoft Certificate Authority ...... 69
A.4.4 Defining, Applying and Validating a TLS Profile Configuration ...... 71
A.5 Wireless LAN ...... 73
A.5.1 Purpose of Intel AMT over Wireless ...... 74
A.5.2 Prerequisites for Intel AMT over Wireless ...... 74
A.5.3 Defining, Applying and Validating Intel AMT over Wireless Configuration ...... 74
A.6 Intel AMT Configuration Options Not Covered ...... 77

Intel® SCS Deployment Guide

This deployment guide is an instructional document for those new to the Intel® Active Management Technology (Intel® AMT) configuration process. Information provided within this deployment guide is meant to complement the Intel® Setup and Configuration Software (Intel® SCS) User Guide (filename Intel(R)_SCS_8.0_User_Guide.pdf, available in the Intel SCS 8 download package), and will refer to that guide for a complete listing of features and settings within Intel SCS. Readers who want guidance on obtaining a baseline implementation of Intel AMT will benefit from reviewing this deployment guide. Once a baseline configuration is completed, the deployment guide explores common configuration options, how to amend and maintain the Intel AMT configuration, and includes common deployment scenarios. The guide has three main components across multiple chapters and appendix sections. The structure of the guide is as follows:

• Foundational Concepts: Chapters 2 through 5 introduce Intel AMT, how to discover whether Intel AMT exists on a system, and common configurations of Intel AMT via Intel SCS.

• Production Planning: Chapters 6 through 8 focus on how to extend an existing configuration of Intel AMT, configuration maintenance considerations for Intel AMT, and common deployment scenarios.

• Common Configuration Options: The appendix sections include common configuration options for Intel AMT. The purposes, prerequisites, and examples provide you with a core understanding of frequently used options.

You are encouraged to complete the Foundational Concepts before exploring the other sections of this deployment guide. Less common configuration options for Intel AMT are outside the scope of this guide, and you are encouraged to review the Intel SCS User Guide or related resources for further information.

Intel AMT provides out-of-band management within the physical chipset of a client computer. It is a component of the Intel® Management Engine (Intel® ME). The simplified diagram shown below summarizes how Intel AMT works. In wired mode on the corporate network, Intel AMT traffic shares the same physical network interface as the host.

Figure 1: Intel AMT communication overview

Communications to Intel AMT commonly occur on the same IP address as the host, specifically when the system is using DHCP-issued IPv4 addresses. Once Intel AMT is in a configured and operational state, network traffic on TCP ports 16992-16995 is intercepted by Intel AMT within the chipset before it is passed to the host operating system. In wired mode, the Intel AMT traffic is handled below the operating system and the client firewall, so host-based firewall rules do not apply to it. If the host operating system is not available, Intel AMT will continue to operate as long as power is attached and a network connection is present.

Intel SCS enables the initial setup, configuration changes, and configuration maintenance of systems where Intel AMT is present. To ensure Intel AMT is properly configured only for the target environment, Intel AMT is commonly delivered in an unconfigured state. Intel SCS allows you to complete the setup and configuration process, which enables access to the Intel AMT features.

After configuration, systems can be managed via software solutions that include support for Intel AMT. Intel SCS can be obtained at http://www.intel.com/go/scs.

In order to assist you with a “baseline” implementation of Intel AMT, this deployment guide assumes an initial “starting state” environment. Three key components will be required. For initial setup purposes a closed wired network is recommended:

• Infrastructure Services – Microsoft* Active Directory Domain Controller with DHCP and DNS services.

• Intel RCS server – System for Intel Remote Configuration Service (RCS)

• Intel AMT client – Network wire connected client system

The summary architecture diagram below shows the starting state for the purposes of this deployment guide.

Figure 2: Summary Architecture Diagram

For initial testing or portable demonstration environment purposes, the above architecture can be simplified using two directly connected systems as shown below. The “server” on the left hosts a single virtual machine environment with the Infrastructure and Intel RCS server components. The “client” on the right is an Intel AMT capable system. The client system is directly connected to the “server” via a network cable. The server has a static IP address, as required by the Infrastructure Services, and the client is assigned a dynamic IP address.

[Figure 3 diagram: the Server runs the Infrastructure Components (AD, DNS, DHCP, Intel® RCS); the Laptop is the Intel AMT Environment]

Figure 3: Simplified or Portable Demonstration Environment

This section addresses common methods to detect Intel AMT locally on the system, with brief references on how to collect the information centrally.

The primary objective of this section is to determine which platforms have Intel AMT, their current configuration state, and their specific firmware version. Knowing the exact Intel AMT versions in the environment will assist in determining which configuration approach is appropriate, in addition to the available platform capabilities. Many client management solutions that are Intel AMT capable have a base inventory capability that is commonly dependent upon the Intel® Management Engine Interface (Intel® MEI) driver. The locally obtained Intel AMT information shared in this section can be especially helpful if the Intel MEI driver is missing or if no solution exists in the environment to detect and inventory Intel AMT capable systems. Before you begin, make sure the complete Intel SCS package has been downloaded and extracted to the target environment. Intel SCS can be downloaded at http://intel.com/go/scs. Copy the Configurator directory, selected in the example below, to the Intel AMT client.

Figure 4: The Configurator Directory

On the Intel AMT client system, open a command prompt in the Configurator directory. For systems running Microsoft Windows Vista*, Microsoft Windows* 7, or newer operating systems, the command prompt must be opened with elevated privileges because the utility interacts with a kernel-level driver. This is done by right-clicking the command prompt icon and selecting “Run as Administrator”. Run the following command to determine the current Intel AMT configuration state. Refer to the Intel SCS User Guide section “Verifying the Status of an Intel AMT System” for more information.

ACUconfig.exe /output console status

Figure 5: The ACUconfig Command

In the above example, the output of the ACUconfig.exe Status command shows:

-- Intel AMT version 7.1.30
-- System is currently unconfigured
-- Expected mode of configuration is PKI
-- System supports host-based configuration
-- Current Intel AMT configuration state is Pre-Provision

For a single system, the information provided by the Status command gives a simple view of the Intel AMT configuration state. If additional information is required, or information needs to be obtained across multiple systems in the environment, the SystemDiscovery command may be preferred.

Additional information about Intel AMT can be captured to a local file or the Windows registry using the SystemDiscovery command, as explained in the “Discovering Systems” section of the Intel SCS User Guide. At the same command prompt, run the following:

ACUconfig.exe SystemDiscovery

As explained in the Intel SCS User Guide, the resulting data provides more in-depth information about the Intel AMT platform in a format which can be centrally collected via custom inventory solutions. The following example shows the resulting XML file in the Configurator directory along with a preview of the file contents. The combined information is helpful with initial configuration and with troubleshooting when needed.

Figure 6: XML File Generated by ACUconfig
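The Status command above gives a per-system view and SystemDiscovery produces a per-system XML file; the guide notes that the XML is meant to be collected centrally by a custom inventory solution but does not show one. The following script is an added example, not Intel's code and not part of Intel SCS: it can invoke ACUconfig.exe SystemDiscovery on a client, and it parses a set of discovery XML files gathered on a central share into a fleet summary (versions present, configuration states, host-based capability, and which systems are still in the Pre-Provision state). The XML element names in FIELDS (UUID, AMTVersion, AMTConfigurationState, AMTConfigurationMode, HostBasedSetupSupported) and the sample files are constructed for this example and are assumptions; compare them against the file ACUconfig writes in your environment (Figure 6) and adjust FIELDS before using the parser.

```python
"""Central collection of Intel SCS SystemDiscovery data.

Added example for this guide; not Intel's code and not part of Intel SCS.
Assumption: each client ran "ACUconfig.exe SystemDiscovery" from an elevated
prompt and its XML file was copied to a central share. The element names in
FIELDS are a hypothetical schema chosen for this example; check them against
the XML file ACUconfig actually produces and adjust.
"""
import subprocess
import xml.etree.ElementTree as ET
from collections import Counter
from pathlib import Path
from typing import Dict, Iterable, List

# Hypothetical element names (assumption, see module docstring).
FIELDS = ("UUID", "AMTVersion", "AMTConfigurationState",
          "AMTConfigurationMode", "HostBasedSetupSupported")


def run_system_discovery(configurator_dir: Path) -> int:
    """Run ACUconfig.exe SystemDiscovery on the client (Windows only).

    Must be called from an elevated context: the guide notes that ACUconfig
    talks to a kernel-level driver. Returns the process exit code; a
    non-zero code should be looked up in the Intel SCS User Guide.
    """
    proc = subprocess.run(
        [str(configurator_dir / "ACUconfig.exe"), "SystemDiscovery"],
        cwd=configurator_dir, capture_output=True, text=True)
    if proc.returncode != 0:
        print("SystemDiscovery failed:", proc.stdout, proc.stderr)
    return proc.returncode


def parse_discovery_xml(xml_text: str) -> Dict[str, str]:
    """Extract the inventory fields from one SystemDiscovery XML document."""
    root = ET.fromstring(xml_text)
    record: Dict[str, str] = {}
    for name in FIELDS:
        node = root.find(f".//{name}")
        record[name] = (node.text or "").strip() if node is not None else ""
    return record


def load_share(share: Path) -> List[Dict[str, str]]:
    """Parse every *.xml on the share; a corrupt file is reported, not fatal."""
    records = []
    for path in sorted(share.glob("*.xml")):
        try:
            records.append(parse_discovery_xml(path.read_text(encoding="utf-8")))
        except ET.ParseError as err:
            print(f"skipping {path.name}: {err}")
    return records


def summarize(records: Iterable[Dict[str, str]]) -> Dict[str, object]:
    """Fleet view: versions present, configuration states, how many systems
    support host-based configuration, and which systems are still
    unconfigured (Pre-Provision) and so still need a configuration path."""
    recs = list(records)
    return {
        "total": len(recs),
        "by_version": dict(Counter(r["AMTVersion"] for r in recs)),
        "by_state": dict(Counter(r["AMTConfigurationState"] for r in recs)),
        "host_based_capable": sum(
            1 for r in recs if r["HostBasedSetupSupported"].lower() == "true"),
        "pending": sorted(
            r["UUID"] for r in recs
            if r["AMTConfigurationState"] == "Pre-Provision"),
    }


# Constructed sample files standing in for three clients' discovery output.
SAMPLE_FILES = {
    "client-a.xml": (
        "<SystemDiscovery><UUID>00000000-0000-0000-0000-00000000000a</UUID>"
        "<AMTVersion>7.1.30</AMTVersion>"
        "<AMTConfigurationState>Pre-Provision</AMTConfigurationState>"
        "<AMTConfigurationMode>PKI</AMTConfigurationMode>"
        "<HostBasedSetupSupported>True</HostBasedSetupSupported>"
        "</SystemDiscovery>"),
    "client-b.xml": (
        "<SystemDiscovery><UUID>00000000-0000-0000-0000-00000000000b</UUID>"
        "<AMTVersion>6.2.0</AMTVersion>"
        "<AMTConfigurationState>Pre-Provision</AMTConfigurationState>"
        "<AMTConfigurationMode>PKI</AMTConfigurationMode>"
        "<HostBasedSetupSupported>False</HostBasedSetupSupported>"
        "</SystemDiscovery>"),
    "client-c.xml": (
        "<SystemDiscovery><UUID>00000000-0000-0000-0000-00000000000c</UUID>"
        "<AMTVersion>7.1.30</AMTVersion>"
        "<AMTConfigurationState>Post-Provision</AMTConfigurationState>"
        "<AMTConfigurationMode>PKI</AMTConfigurationMode>"
        "<HostBasedSetupSupported>True</HostBasedSetupSupported>"
        "</SystemDiscovery>"),
}


def demo() -> Dict[str, object]:
    """Summarize the constructed sample files (no share or client needed)."""
    return summarize(parse_discovery_xml(t) for t in SAMPLE_FILES.values())


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real deployment, run_system_discovery runs on each client and load_share runs on the collection point; the summary's "pending" list is the set of systems for which a configuration method still has to be chosen in the next section.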

This section helps you understand the Intel AMT Discovery data and determine which of the common Intel AMT configuration methods is most appropriate for your situation:

• Host-Based Configuration

• Remote Configuration using Public Key Infrastructure (PKI)

• SMB\Manual Configuration

At the conclusion of this section, the server component of Intel SCS will be installed.

The factory default state for Intel AMT firmware is unconfigured and unusable. This is important to ensure unauthorized users cannot access the features of Intel AMT. It also means that before authorized system administrators can use the powerful management features of Intel AMT, they must first set up and configure Intel AMT. There are three main purposes of setup and configuration:

• Securely deliver a profile to the target client firmware

• Ensure that only intended users have access to managed clients