Intel vPro is the golden chalice of workstation management. On newer systems it lets you KVM to a computer over IP, even one without an operating system. It’s also confusing and has a painful learning curve. Here’s what I’ve figured out so far.
vPro includes the following capabilities (this is not exhaustive).
- Wake-on-lan over https. This replaces the need for magic packets, which aren’t routable or secure.
- KVM access (keyboard, video, mouse) over https to a device at the hardware level. It will show you everything coming out of the video card, and your keyboard\mouse movements are routed directly to the motherboard regardless of OS version or drivers.
- Alarm clock. This can wake PC’s according to a specific schedule.
- IDER (IDE Redirection). This feature will redirect an ISO or floppy disk image to a virtual IDE device on the motherboard. When used with the KVM feature, this allows things like memory tests, offline virus scanning, OS imaging, etc.
- SOL (serial-over-lan). This is great for linux admins and machines that will be used as appliances.
This is a quick overview of the requirements to help you see what we’re getting into. Things start getting complicated quickly, which is fine if you’re ready for it.
Public key infrastructure notes:
Since AMT devices communicate via HTTPS, each workstation needs a web server certificate issued by a CA. During provisioning, the web server certificate will be installed into the AMT device’s firmware. The Intel SCS service manages this for you and makes it easy.
Running a singe-server CA is particularly dangerous with vPro because a compromise of the CA will require that every system with vPro be deprovisioned, or it stays fundamentally compromised at the hardware level. I highly recommend that you build both an offline root CA and an online issuing CA, and then enable CRL checking. This allows you to immediately lock-down the vPro service after a compromise and makes re-provisioning much easier. See this post about offline roots: Single vs Two Tier PKI.
Due to limitations in the AMT firmware, the PKI must have no CNG certificates (SHA256, SHA384, or SHA512) anywhere in the chain . If any CNG certificates are in the chain (even at the offline root), then IDER and SOL will not work at all, KVM will be unreliable, and the WOL features will sometimes lock the system into a reboot cycle until power is physically removed for a few seconds. This might require you to build a second PKI (offline root, plus an issuing CA). The following post from a Microsoft PFE discusses building a second PKI for legacy applications needing SHA1 – Choosing a Hash and Encryption Algorithm for a new PKI.
One important note: the PKI stuff is not as hard as it looks; it just takes some time to wrap your head around.
The AMT hardware on new systems typically ships in a deactivated state from your OEM. the AMT hardware is particular about the activation process, and requires that you have a special certificate. This can be purchased or generated by your PKI.
If you use a self-generated certificate, you will need to visit each machine, manually open the MEBx GUI, and type in the thumbprint of your root CA’s “CA Certificate” so that the AMT device trusts your root CA. If this sounds like a horrible process; you’re right, it is. Fortunately, the Intel SCS service can generate a USB key which makes the process easier. With the USB key, you just insert the key during POST and the BIOS will install a ‘profile’ of settings including the CA thumbprint.
The AMT device comes with a number of pre-loaded root certificate hashes. You can purchase a vPro certificate from a third-party in order to bypass the need to touch every machine. Here is a link to a matrix which compares AMT versions with third-party CA compatibility: Intel AMT Firmware / Remote Configuration Hash Matrix.
From Godaddy, the cost of a single-host provisioning certificate as of 04/25/13 is about $80 per year. A quick note about GoDaddy — they call vPro compatible certificates “Deluxe SSL” certificates which are different from their “Premium SSL” certificates. The correct level of SSL certificate is not available for purchase via the Godaddy website. To obtain a “Deluxe SSL” certificate, you will need to call them on the phone or contact them via email.
The AMT firmware is Kerberos-aware and uses Active Directory for authentication. This is cool, because it means that access to the vPro features can be based on AD groups. A separate AD object is created for every provisioned AMT device. These objects are used by the respective AMT devices to bind to the domain and validate kerberos requests.
AMT is not netbios-aware and will not function without proper DNS resolutions. This is a major deal-breaker for organizations which do not use a microsoft DNS server with DDNS enabled. Intel has documented and created a reference implementation of a service named MPS (Management Presence Server) which can be used to manage clients with a DNS hostname mismatch, as well as internet devices. I have not yet tried to configure the reference MPS server binaries provided by Intel; but it sure doesn’t look like it’s for the faint of heart.
Following are a few of the terms that the Intel documentation uses.
- Intel AMT – Intel Active Management Technology, a subset of the vPro suite.
- Intel MEI – Intel Management Engine Interface, a driver that the host OS uses to communicate with the AMT hardware on the motherboard.
- MEBx – Management Engine Bios Extension, a BIOS GUI that can be used to configure an AMT device by hand. On an AMT capable system, it’s accessible by pressing Ctrl-P during the POST process.
- Intel SCS – Intel Software Configuration Service, a piece of software used to provision and manage settings on AMT systems. It’s a service typically installed on the server from which your AMT devices will be provisioned.
- Intel RCS – Intel Remote Configuration Service, the name of the actual service installed onto a Windows server by the Intel SCS installer.
- Configurator – an Intel utility used to provision a computer. It is run on an AMT capable machine and talks to the RCS service to negotiate provisioning.
- Intel MPS – Intel Management Presence Server, a server service which allows vPro features to be routed to managed clients via the internet. It also enables vPro features for clients with a mismatched DNS hostname resolution.
How It Works
Here’s a quick overview of the process for getting up and running with vPro for manual provisioning and testing.
- Build and configure a SHA1-based PKI and certificate templates.
- Generate or purchase a provisioning certificate.
- Build and configure a server to run the Intel SCS\RCS service.
- Create AMT “profiles” with the SCS console GUI.
- Install the MEI and SOL drivers on a target workstation
- If using an internally-generated provisioning certificate, create a vPro profile USB key to aid target PC configuration. Then, use the USB key on a target workstation.
- Run the configurator on the target system to provision the machine.
- Connect to the machine with RealVNC to test the vPro features.
More Info and References
If you’re interested in vPro, I highly recommend the Intel training videos:
- SCS Introduction (YouTube)
- SCS Module 1 – Introduction to Intel® vPro™ Technology (YouTube)
- SCS Module 2 – Intel® SCS Overview (YouTube)
- SCS Module 3 – Intel® AMT Configuration (YouTube)
- SCS Module 4 – Jobs & Maintenance (YouTube)
- SCS Module 5 – Environmental Prerequisites (YouTube)
Also, the following user guides:
- Intel SCS Deployment Guide
- Intel SCS User’s Guide (PDF is provided in the SCS media download)
- Intel vPro Interactive Training Guide
Over the next couple weeks I’ll provide detailed steps and scripts for configuring and automating much of the process above. If you can’t wait, feel free to browse my internal documentation here at your own risk: OSU Chemistry Wiki – SCCM – Configuring OOB Management.