Intel vPro – Configuration – Part 4 – Install and Configure Intel SCS

vPro Series of Posts


Welcome back! This time we’re going to cover the Intel SCS Service. This service does the actual vPro provisioning of your AMT clients. To make it work, you install the service then configure different ‘profiles’ or AMT personalities. On the target AMT system, you then run a command and point that particular AMT system at the profile you want.

General Information

I recommend watching the following videos for more information about SCS and how it works.

  1. SCS Introduction
  2. SCS Module 1 – Introduction to Intel® vPro™ Technology
  3. SCS Module 2 – Intel® SCS Overview
  4. SCS Module 3 – Intel® AMT Configuration
  5. SCS Module 4 – Jobs & Maintenance
  6. SCS Module 5 – Environmental Pre-requisites

Requirements

  1. A single VM running Windows Server 2012 (2008 R2 works).
  2. This VM must have the CA certificate of both the Enterprise Subordinate CA and the Standalone Root CA installed into the ‘Trusted Root Authorities’ store.
  3. SQL Server 2012 Express (2008 or better works).
  4. Intel SCS Service

Overview

  1. Configure the Certificate Trusts
  2. Install SQL Server Express
  3. Install SCS Service
  4. Configure SQL Permissions
  5. Generate a Provisioning Certificate
  6. Export the Provisioning Certificate
  7. Install the Provisioning Certificate

Configure the Certificate Trusts

  1. Login to your enterprise subordinate CA and copy the files from F:\wwwroot\intepub\certdata to the SCS VM at C:\Install_Files\CACertificates.
  2. On the SCS VM, start -> run -> mmc.
  3. When prompted, choose to run the certificate snap-in against the local computer account.
  4. Naviage to the ‘Trusted Root Certificate Authorities’ store.
  5. Right-click and choose ‘Import Certificate’.
  6. Import both certificates located at C:\Install_Files\CACertificates.

Install SQL Server Express

Next, install SQL Server Express on your Intel SCS VM. Here’s a nice video if you need help: tools & tech – install sql server 2012.

Install SCS Service

  1. RDP to your Intel SCS server.
  2. Download and extract the Intel SCS Service Installer.
  3. Run the file .\Intel-SCS-82\RCS\IntelSCSInstaller.exe
  4. On the ‘Welcome’ screen, select all three boxes: database, service, and console.
  5. On the ‘License Agreement’ screen, click ‘I accept’ and ‘next’.
  6. On the ‘Service Logon Authentication’ screen, click ‘Browse’, then ‘advanced’, then ‘Find Now’. Select ‘Network Service’ and click, OK, OK, Next.
  7. On the ‘Database Setup’ screen, in the ‘Database Server’ text box enter the name of the SCS server, then click ‘Next’.
  8. On the ‘Installer SQL Server Authentication’ screen, click ‘Next’.
  9. On the ‘Service SQL Server Authentication’ screen, click ‘Next’.
  10. On the ‘Confirm Setup Configuration’ screen, click ‘Install’.
  11. On the ‘InstallShield Wizard Completion’ screen, click ‘Finish’.

Configure SQL permissions for the Intel SCS Service

  1. In the start menu, run ‘SQL Server Management Studio’ from All Programs -> Microsoft SQL Server 2008 R2.
  2. On the ‘Connect to Server’ screen, click ‘Connect.
  3. On the left navigation pane, navigate to Security -> Logins.
  4. Find the login named ‘NT AUTHORITY\NETWORK SERVICE’. Right-click this login and choose ‘Properties’.
  5. Navigate to the ‘User Mapping’ page. db_datareader and db_datawriter on the IntelSCS database in SQL Server Management Studio.
  6. Click the word ‘IntelSCS’ to highlight that database’s row.
  7. In the bottom frame labeled “Database role membership for IntelSCS”, check the following boxes:
    • db_datareader
    • db_datawriter
    • public
  8. Click OK to save the changes, then exit SQL Server Management Studio.
  9. Restart the RCSServer service from the Windows Services applet.

Generate the Provisioning Certificate

  1. On your SCS server, run “MMC” as administrator, then add the ‘certificate’ snap-in.
  2. When prompted, choose to run the certificate snap-in against the local computer account.
  3. Navigate to Personal -> Certificates.
  4. Right-click and choose ‘All Tasks’ -> ‘Request New Certificate’.
  5. Complete the certificate request wizard. When prompted, choose to request an AMT Provisioning Certificate.

Export the Provisioning Certificate

  1. Open MMC and add the certificates snap-in, targeted at the local computer.
  2. Navigate to Personal -> Certificates
  3. Identify the AMT Provisioning Certificate. Right-click it and choose ‘Open’.
  4. Navigate to the ‘Details’ tab and choose ‘Copy to file’.
  5. On the ‘Welcome’ screen, click ‘Next’.
  6. On the ‘Export Private Key’ screen, choose ‘Yes, export the private key’ then choose ‘Next’.
  7. On the ‘Export File Format’ screen, choose the following two checkboxes, then choose ‘Next’.
    • Include all certificates in the certification path if possible.
    • Export all extended properties.
  8. On the ‘Password’ screen, enter a password to protect the private key.
  9. On the ‘File to Export’ screen, enter ‘C:\Install_Files\scs-prov-cert.pfx’ and click ‘Next’.
  10. On the ‘Completed’ screen, click ‘Close’.

Install the Provisioning Certificate

  1. Open a command prompt as administrator.
  2. Navigate to C:\Install_Files\IntelSCS82\Tools.
  3. Run the following command:
    RCSutils.exe /Certificate Add c:\Install_Files\scs-prov-cert.pfx  /RCSuser NetworkService
    net stop rcsserver && net start rcsserver
  4. Run the following command to verify the import. It will generate a text file with information about all the certificates stored by the RCS service.
     RCSUtils.exe /certificate view /RCSuser NetworkService /log file C:\rcsout.txt
  5. Open the file C:\rcsout.txt and ensure that the expected certificates are listed.

If you screw up the certs, you can remove them by running the certificate view function previously stated, and running the following command against each certificate’s serial number:

RCSUtils.exe /certificate remove  /rcsuser networkservice

ex:
RCSUtils.exe /certificate remove 7C4656C3061F7F4C0D67B319A855F60EBC11FC44 /rcsuser networkservice

Congrats! You now have a viable SCS server installed. Next, we’ll cover configuring Active Directory to work with the SCS Service.

Advertisements

18 thoughts on “Intel vPro – Configuration – Part 4 – Install and Configure Intel SCS

  1. Pingback: Intel vPro – Configuration – Part 5 – Configure Active Directory | windowsmasher

  2. Pingback: Intel vPro – Configuration – Part 6 – Basic SCS Profile | windowsmasher

  3. Pingback: Intel vPro – Configuration – Part 7 – Provisioning Your First System | windowsmasher

  4. Pingback: Intel vPro – Configuration – Part 8 – Adding Kerberos | windowsmasher

  5. Pingback: Intel vPro – Configuration – Part 9 – Adding TLS | windowsmasher

  6. Pingback: Intel vPro – Configuration – Part 1 – Architecture Overview | windowsmasher

  7. Pingback: Intel vPro – Configuration – Part 2 – PKI Installation | windowsmasher

  8. Pingback: Intel vPro – Configuration – Part 3 – PKI Configuration | windowsmasher

  9. Pingback: Intel vPro – The Basics of vPro | windowsmasher

  10. Pingback: Intel vPro – Configuration – Part 10 – SCCM Integration | windowsmasher

  11. Configure the Certificate Trusts
    1.Login to your enterprise subordinate CA and copy the files from F:\wwwroot\intepub\certdata to the SCS VM at C:\Install_Files\CACertificates.
    2.On the SCS VM, start -> run -> mmc.
    3.When prompted, choose to run the certificate snap-in against the local computer account.
    4.Naviage to the ‘Trusted Root Certificate Authorities’ store.
    5.Right-click and choose ‘Import Certificate’.
    6.Import both certificates located at C:\Install_Files\CACertificates.

    Maybe its me that stupid but i dont get it with number 1 where should i copy from ?
    i am a bit stuck here so all the help i can get i would appreciate

  12. Hi Windowsmasher
    i keep getting this message
    Exit with code
    75.
    Details: Failed to complete remote configuration of this Intel(R) AMT device.
    Failed to authenticate with the RCS.
    A call to this function has failed –
    Access is denied.

    do you know what could cause it ?

      • Hi, Windowsmasher

        I also got the same error code but even I granted the Network Service account in WMI(Intel_RCS) with full access. I still get the error code 75 to fail the authentication with RCS from AMT system. Do you know any other place I can try to root cause the issue? Thanks.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s