vPro Series of Posts
- Intel vPro – The Basics of vPro
- Intel vPro – Configuration – Part 1 – Architecture Overview
- Intel vPro – Configuration – Part 2 – PKI Installation
- Intel vPro – Configuration – Part 3 – PKI Configuration
- Intel vPro – Configuration – Part 4 – Install and Configure Intel SCS
- Intel vPro – Configuration – Part 5 – Configure Active Directory
- Intel vPro – Configuration – Part 6 – Basic SCS Profile
- Intel vPro – Configuration – Part 7 – Provisioning Your First System
- Intel vPro – Configuration – Part 8 – Adding Kerberos
- Intel vPro – Configuration – Part 9 – Adding TLS
My last vPro post was a first look at vPro and what it offers. This post will cover the vPro configuration possibilities, architecture, and requirements.
Basic Network Requirements
First of all, the AMT device will need a DNS name and an IP address. If you’re using Microsoft DNS servers in an Active Directory domain with DDNS enabled, then you’re good to go: AMT will use the DNS name and IP address of the Windows operating system installed on the AMT-enabled workstation. Otherwise, you’ll have to custom-tailor the provisioning process for your DNS/IP environment (more on that in later posts).
To enable and configure AMT, you’ll need:
- A server to run the Intel Software Configuration Service (Intel SCS).
- Microsoft SQL Server, which SCS requires (Express edition is fine).
- A PKI, if you want to run AMT in TLS encrypted mode. The PKI must use only SHA1 certificates throughout the entire chain of trust, which means that you may not be able to use your current PKI. However, configuring a PKI well isn’t as hard as it sounds and will be detailed in later posts.
- The ability to create and delegate an OU in Active Directory, if you want to use Active Directory to handle permissions for connecting to the AMT object. Otherwise, you can use local AMT users (called “Digest Users”).
AMT comes disabled on systems by default. To enable AMT, you must ‘provision’ the systems. The Intel SCS service will help you do this, but you must have a ‘Provisioning Certificate’. This certificate can be either purchased from a third-party Certificate Authority or issued by your own PKI (what this series calls a self-signed certificate).
The certificate has specific requirements, so a self-signed certificate will require a custom certificate template. Also, when using a self-signed certificate, the provisioning process cannot be fully automated. Since the AMT device isn’t pre-programmed to trust your certificate authority, it’s necessary to either use USB provisioning or manually enter the root CA certificate’s thumbprint into the AMT device via its BIOS interface. This is a pain.
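Both constraints above (SHA1 across the whole chain of trust, and a root CA thumbprint that has to be typed in by hand) can be checked before you start provisioning. The PowerShell below is an added example, not code from this series or from Intel: it walks a certificate's chain, flags any element not signed with SHA1/RSA, and reports the root's thumbprint as Windows displays it. The function names `Test-AmtCertChain` and `New-SampleCert` and the constructed test certificates are assumptions, and it needs PowerShell 7 or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
function Test-AmtCertChain {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $sha1Rsa = '1.2.840.113549.1.1.5'   # OID of sha1WithRSAEncryption (RSA chains only)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Offline audit: no revocation lookups. Build() returns $false for a root that
    # Windows does not trust, but ChainElements is still populated, leaf first.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($Certificate)

    $elements = @(foreach ($e in $chain.ChainElements) {
        [pscustomobject]@{
            Subject    = $e.Certificate.Subject
            Issuer     = $e.Certificate.Issuer
            Algorithm  = $e.Certificate.SignatureAlgorithm.FriendlyName
            IsSha1     = $e.Certificate.SignatureAlgorithm.Value -eq $sha1Rsa
            Thumbprint = $e.Certificate.Thumbprint   # SHA-1 hash of the DER encoding
        }
    })
    $top = $elements[-1]
    [pscustomobject]@{
        Elements       = $elements
        AllSha1        = @($elements | Where-Object { -not $_.IsSha1 }).Count -eq 0
        # If the issuers are not installed the chain stops early; only report a
        # thumbprint when the last element really is a self-issued root.
        RootFound      = $top.Subject -eq $top.Issuer
        RootThumbprint = if ($top.Subject -eq $top.Issuer) { $top.Thumbprint } else { $null }
    }
}

# Constructed sample input: two in-memory self-signed certificates that differ
# only in signature hash. Replace with your provisioning certificate in practice.
function New-SampleCert([string]$HashName) {
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        "CN=Constructed $HashName Root", $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::new($HashName),
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(30))
}

foreach ($hash in 'SHA1', 'SHA256') {
    $r = Test-AmtCertChain -Certificate (New-SampleCert $hash)
    '{0}: AllSha1={1} RootFound={2} Thumbprint={3}' -f $hash, $r.AllSha1, $r.RootFound, $r.RootThumbprint
}
```

To audit a real certificate, load it with `[System.Security.Cryptography.X509Certificates.X509Certificate2]::new('<path to .cer>')` (the path is a placeholder) on a machine that has the issuing CA certificates installed, and inspect `Elements` to see which link in the chain uses a different algorithm.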
My next few vPro posts will cover the configuration of a reference system with TLS, Kerberos, and a self-signed provisioning certificate. Thanks!