Thursday 16 April 2015

Setting up Out-of-bound (OOB) access in SCCM with Intel AMT

This is a pretty legnthy article so I am going to summarise the article below:

- Install Intel SCS Driver on all workstations and SCCM server
- Create certificate templates for AMT clients and SCCM OOB Server Role and our Web Server.
- Install the SCS Tools, perform discovery and provisioning.
- Install SCS Addon for SCCM Server, perform OOB management.

Machines with a Intel vPro chipset come equiped with a feaure called AMT (Intel Management Technology.) To my knowledge there is not a utility that can simply tell you whether or not you have a Intel vPro chipset - although from my experience the Intel sticker on your laptop / desktop will usually have something like "Intel Core i7 vPro" or "Intel Core i5 vPro" and so on (of course you could always check the manafactures website as well if possible).

You should firstly enable / provision AMT either via the BIOS under "Intel Management Engine BIOS Extension MEBx" (although this may vary on your laptop / desktop manafacturer) - you will need to login firstly - the default password is "admin".

We will now setup the following in AD:

- A user account (e.g. AMT_Provisioning) that will be used for AMT Provisioning
- A Universal security group for AMT Provisioned computers (e.g. AMT Provisioned Computers Sec)
- An OU for AMT Provisioned computers (e.g. AMT Provisioned Computers) * Do not place computers you are planning AMT provisioing for in this OU! The AMT Provisioing process will create a separate object in here for you!*

We will then need to add a new site role (enrollment point and The out of band service point):

Administration >> Site Configuration >> Sites >> Add System Role.

We should now generate a client workstation certificate (and auto-enroll GPO for users):

We should create a new certificate - duplicating the existing "User" template and in the Properties of New Template dialog box, on the General tab, enter a template name to generate the client certificates that will be used on Configuration Manager client computers, such as ConfigMgr Client Certificate - and make sure "Publish Certificate in Active Directory" is unticked!

In the cryptography tab make sure "Microsoft Enhanced Cryptographic Provider 1.0" and "Microsoft Strong Cryptographic Provider" are ticked.

Under the subject tab ensure that "Supply in the request" is selected.

We should then ensure that the user account that will be used for AMT provisioning (e.g. AMT_Prov) has the "Read" and "Enroll" permissions!
** Also if you are going to run the provisioing using the "AMT Utility" you will also have to issue "Read and Enroll" rights to the computer you are running the utility on! **

Finally go to Extensions >> Application Policies >> Edit >> Add and select "Server Authentication" and then click Add again and hit "New" - typing in the name of "AMT Local Access" and OI of "2.16.840.1.113741.1.2.2" then do the same again but this time with a name of "AMT Remote Access" and OI of "2.16.840.1.113741.1.2.1" and then finally select all three selections and hit OK.

In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Client Certificate, and then click OK.

We will also need to supply a AMT provisioning certificate - which we will generate from our CA.

We will create a new certificate template: CA Console > Certificate Templates >> Right-hand click and select 'Manage.'

Once created go to the properties under the General tab and call it: 'ConfigMgr AMT Provisioning'. 

Click the Subject Name tab, select Build from this Active Directory information, and then select Common name.

Click the Extensions tab, make sure Application Policies is selected, and then click Edit.

In the Edit Application Policies Extension dialog box, click Add.

In the Add Application Policy dialog box, click New.

In the New Application Policy dialog box, type AMT Provisioning in the Name field, and then type the following number for the Object identifier: 2.16.840.1.113741.1.2.3.

Click OK, and then click OK in the Add Application Policy dialog box.

Click OK in the Edit Application Policies Extension dialog box.

In the Properties of New Template dialog box, you should now see the following listed as the Application Policies description: Server Authentication and AMT Provisioning.

Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.

Click Add, enter the name of a security group that contains the computer account for the out of band service point site system role, and then click OK.

Select the Enroll permission for this group, and do not clear the Read permission..

Click OK, and close the Certificate Templates console.

In Certification Authority, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr AMT Provisioning, and then click OK.

We will now go to the SCCM server and open up the Certificates mmc snapin (Computer Account!) and under the Personal node - right hand click and select "Request New Certificate." We should select the Active Directory Enrollment policy when prompted and then select the template we created before (ConfigMgr AMT Provisioning.)

Now back on the "Add Site System Roles Wizard" and choose our newly issued certificate and complete the wizard (selecting the IIS settings and so on.)

After this you should now have an Enrollment point and Out of band service point role in place on your SCCM server.

We should also configure the web server - by creating a certificate template for this:

Go to the Certificate Authority snapin - Manage Templates >> Duplicate the "Web Server" template.

In the Properties of New Template dialog box, on the General tab, enter a template name to generate the web certificates that will be used for out of band management on AMT computers, such as ConfigMgr AMT Web Server Certificate.

Click the Subject Name tab, click Build from this Active Directory information, select Common name for the Subject name format, and then clear User principal name (UPN) for the alternative subject name.

Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.

Click Add and enter the name of the security group that you created for AMT provisioning. Then click OK.

Select the following Allow permissions for this security group: Read and Enroll.

Click OK, and close the Certificate Templates console.

In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr AMT Web Server Certificate, and then click OK.

We proceed by going to our SCCM server and requesting a new certificate from the template we have just created to assign to our IIS server:

Load up the Certificates mmc snapin (Computer Account!) and right-hand click on the personal node and select "New certificate enrollment" >> Select "Active Directory Enrollment Policy" >> ConfigMgr AMT Web Server Certificate" >> Click on the details button >> Properties >> Private Key and tick "Make private key exportable" >> Enroll.

Export the new certificate (with its assosiated private key) and import it into IIS. We will now have to edit the site bindings to allocate the SSL certificate to the relevent website:

Right-hand click website >> Edit Bindings >> Select "https" type >> Edit >> and choose the appropriate SSL certificate.

We will now Out of Band Management Component in SCCM by going to:

Administration >> Site Configuration >> Sites select the appropriate site and on the 'Home' tab select "Configure Site Components" and then "Out of band management"

Under the general tab:-

- Select the enrollment point (make sure IIS is configured properly / works with the chosen URL!)
- Create and select the OU for AMT-Based computer accounts
- Create and select the global security group for the AMT-Based computer accounts
- Assign a password for the MEBx account (the default is 'admin' - although quite rightly SCCM would like you to choose a securer password!).
- Under the provisioning tab make sure you add any custom passwords used for the MEBx account e.g. Name: admin Password: custom-password.

** Note: MEBx stands for 'Intel Management Engine BIOS Extension' and is the password that is used to access the AMT. **

Under the 'AMT Settings' tab:-

- Specify the security group that will contain the users who will use AMT (e.g. helpdesk, admins and so on...) by clicking on the yellow star in the upper right-hand corner.
- Advanced and Audit Settings sections can be left as is (dependent on your requirements obviously!)

Under the 'Provisioning' tab:-

- You can define a "provisioing account" IF your manafacturer has set a custom MEBx password or a user has manually already configured this password.

I am not concerned about Wireless - so I will emit this configuration - click OK to exit the configuration view.

On the machines we must ensure that IntelSCS is installed:
https://downloadcenter.intel.com/download/20921

and also that IntelHD Graphics drivers are installed for features such as remote control / KVM.

and finally you should install the relevent Intel Management Engine Driver for your chipset / motherboard series.

Within the Intel SCS package there is a utiliy called SCSDiscovery.exe - we can run the following (on the target computer) to find out whether AMT is present and enabled in the BIOS:

SCSDiscovery.exe SystemDiscovery

An XML file should be generated in the working directory - we are looking for the following elements to return true:

<IsAMTSupported>True</IsAMTSupported>
<IsAMTEnabledInBIOS>True</IsAMTEnabledInBIOS>

There is another utility called ACUWizard.exe that will help us provision AMT - either manually or by providing us with a settings file that can be scripted / automarically provision machines.

But before we launch this tool we must use a tool called "RCS" in order to facilitate a few things for the ACUConfig utiliy - taken from Intel:

"The RCSutils utility is a Command Line Interface (CLI) that was created to make some of the RCS setup tasks easier. These tasks include installing certificates and giving Windows Management Instrumentation (WMI) permissions to user accounts so that they can access the RCS."

Within the IntelSCS folder there should be a subfolder called RCS and within here we launch the RCS installer:

IntelSCSInstaller.exe

Upon installation completing - we will launch the Intel SCS Console and create a new profile. We must select "TLS Authentication" as an optional feature because SCCM 2012 no longer supports unsecure connections to AMT (Port 16993)!

We will also select Active Directory Integration: Here we specify the OU containing computers for AMT deployment.

and Access Control List: Here we will click "Add" >> "Active Directory User Group" >> Select the user / security group of users that will have access to AMT - The realm should be set too "PT Administration" and the "Access Type" should be set to "Both."

So on the TLS Configuration page select our DC and also the ConfigMgr Client Certificate we created earlier.

** Intel SCS will install the root CA in the AMT and also request a certificate from the template we setup and install it in the AMT. **

After this, you should save the XML file as 'profile.xml' and place it in the "ACU_Wizard" directory. We will now run ACUWizard.exe

** Note: If you run into any errors while running this tool you should refer to the log file that is generated in the working directory: ACUConfig.log **

You should now use the SCSDiscovery utility to indentify if AMT has been successfully provisioned

SCSDiscovery.exe

And we confirm the following line is equal to true:

<IsAMTEnabledInBIOS>True</IsAMTEnabledInBIOS>

We can now test the AMT with one of Intel's own tools called: Intel® vPro™ Platform Solution Manager - downloaded from:

https://downloadcenter.intel.com/download/22183/Intel-vPro-Technology-Solution-Reference-Design-Intel-vPro-Platform-Solution-Manager

I got the following error when attempting to reboot the computer with AMT:

"The sender was not authorized to access the resource"

This was becuase I was invoking the action of a local workstation and NOT on the SCCM server!

If this goes well, we should now install the Intel SCS SCCM Addon available below:

https://downloadcenter.intel.com/download/24010/Intel-SCS-Add-on-for-Microsoft-System-Center-Configuration-Manager

** Note: Although SCCM has built-in support for AMT - this is only up to version 6.1 (http://technet.microsoft.com/en-us/library/gg682077.aspx#BKMK_SupConfigOOB) - in this scenerio we are installing version 9 so we must download the above addon package from Intel **

Although before we install the addon we will need to configure Hardware Inventory Classes: sms_def_AMT.mof and sms_def_SCSDiscovery.mof - these files can be found in the addon installer directory. In order to import these into SCCM we do the following: Administration >> Overview >> Client Settings >> right-hand click on your "Default Client Configuration" (any changes made here will replicate onto your custom client settings!) and select Properties >> Hardware Inventory >> Set Classes >> Import.

During the installation process of the Addon you will be prompted to specify the location of some of the SCS components (Solutions Framework etc.) - you should point them to the SCS package we downloaded from here:

https://downloadcenter.intel.com/download/20921/Intel-Setup-and-Configuration-Software-Intel-SCS-

We should install the Discover, Configure, Maintain and Unconfigure components and also specify the XML profile we generated earlier using the Intel SCS Console. Finally select a directory to store the generated packages that is accessable to SCCM at all times! E.g. D:\Sources\Intel AMT Packages.

Now back in the SCCM Console you should see a series of new Device Collections - including: Intel SCS Platform Discovery and Intel AMT Configured.

We should now go to Assets and Compliance >> Overview >> Devices >> Add the "AMT Status" column to the list view and right-hand click on an AMT configured host >> Manage Out of Band >> Discover AMT Status.

We can now start provisioning AMT via task sequences. By default the addon creates several task sequences - one of which will help us achieve this - Intel AMT Configuration. Simply put it runs the following command:

Configure.bat ".\Profile.xml" "SCCM2012" <SCCM-SERVER-FQDN> "C:\temp" <SCCM-SITE-CODE>

It is a command line version of the ACUWizard utility we used before.

0 comments:

Post a Comment