Intel vPro – Configuration – Part 1 – Architecture Overview

My last vPro post was a first-look at vPro and what it offers. This post will cover the vPro configuration possibilities, architecture, and requirements.

Architecture Overview

Basic Network Requirements

First of all, the AMT device will need a DNS name and an IP address. If you’re using Microsoft DNS servers in an Active Directory domain with DDNS enabled, then you’re good to go. AMT will use the DNS name and IP Address of the Windows Operating System installed on the AMT-enabled workstation. Otherwise, you’ll have to custom-tailor the provisioning process for your DNS\IP environment (more on that in later posts).

Server Requirements

To enable and configure AMT, you’ll need:

  1. A server to run the Intel Software Configuration Service (Intel SCS).
  2. SCS requires Microsoft SQL (express edition is fine).
  3. A PKI, if you want to run AMT in TLS encrypted mode. Also, the PKI must only use SHA1 certificates throughout the entire chain of trust. This means that you may not be able to use your current PKI. However, configuring a PKI well isn’t as hard as it sounds and will be detailed in later posts.
  4. The ability to create and delegate an OU in Active Directory, if you want to use Active Directory to handle permissions for connecting to the AMT object. Otherwise, you can use local AMT users (called “Digest Users”).

Provisioning Certificate

AMT comes disabled on systems by default. To enable AMT, you must ‘provision’ the systems. The Intel SCS service will help you do this, but you must have a ‘Provisioning Certificate’. This certificate can be either purchased from a third-party Certificate Authority, or self-signed by your PKI.

The certificate has specific requirements, so a self-signed certificate will require a custom certificate template. Also, when using a self-signed certificate, the provisioning process cannot be fully automated. Since the AMT device isn’t pre-programmed to trust your certificate authority, it’s necessary to either use USB provisioning or manually enter the root CA certificate’s thumbprint into the AMT device via its BIOS interface. This is a pain.
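To check a chain against the SHA1 requirement from the Server Requirements list and to read off the root CA thumbprint mentioned above, here is an added example (not from the original post or from Intel). The function name `Get-AmtChainReport` and the file name are hypothetical, and it assumes the thumbprint you need is the SHA-1 one Windows displays.

```powershell
# Added example: walks a certificate's chain and reports, per element,
# the signature algorithm and the SHA-1 thumbprint.
# Run it on a machine that already has your CA certificates installed,
# otherwise Windows cannot build the full chain.
function Get-AmtChainReport {
    param(
        [Parameter(Mandatory)]
        [string] $Path   # hypothetical path to an exported .cer file
    )

    # OIDs of SHA-1 based signature algorithms (sha1RSA and sha1ECDSA)
    $sha1Oids = '1.2.840.113549.1.1.5', '1.2.840.10045.4.1'

    # Resolve the path first: .NET does not follow PowerShell's current location
    $fullPath = (Resolve-Path $Path).Path
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Revocation is not what is being audited here, so skip CRL/OCSP lookups
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    if (-not $chain.Build($cert)) {
        # Build() still fills ChainElements with what it found; report why it failed
        $chain.ChainStatus | ForEach-Object {
            Write-Warning "$($_.Status): $($_.StatusInformation.Trim())"
        }
    }

    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        [pscustomobject]@{
            Subject            = $c.Subject
            SignatureAlgorithm = $c.SignatureAlgorithm.FriendlyName
            IsSha1             = $sha1Oids -contains $c.SignatureAlgorithm.Value
            IsSelfSignedRoot   = $c.Subject -eq $c.Issuer
            Thumbprint         = $c.Thumbprint   # SHA-1 hash of the DER-encoded certificate
        }
    }
}

# Constructed usage: the file name is a placeholder
Get-AmtChainReport -Path '.\provisioning.cer' | Format-Table -AutoSize
```

Any row with `IsSha1` set to `False` breaks the SHA1-only requirement, and the row with `IsSelfSignedRoot` set to `True` carries the root CA thumbprint.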

My next few vPro posts will cover the configuration of a reference system with TLS, Kerberos, and a Self-Signed provisioning certificate. Thanks!
