vPro Series of Posts
- Intel vPro – The Basics of vPro
- Intel vPro – Configuration – Part 1 – Architecture Overview
- Intel vPro – Configuration – Part 2 – PKI Installation
- Intel vPro – Configuration – Part 3 – PKI Configuration
- Intel vPro – Configuration – Part 4 – Install and Configure Intel SCS
- Intel vPro – Configuration – Part 5 – Configure Active Directory
- Intel vPro – Configuration – Part 6 – Basic SCS Profile
- Intel vPro – Configuration – Part 7 – Provisioning Your First System
- Intel vPro – Configuration – Part 8 – Adding Kerberos
- Intel vPro – Configuration – Part 9 – Adding TLS
Finally, finally, finally. Let’s provision our first system.
- Set a MEBx Password
- Configure MEBx to trust your Root CA
- Verify BIOS settings
- Verify Intel Management Engine Drivers
- Verify Intel LMS Service
- Configure Windows to trust both CA’s
- Prepare the RCS Configurator Files
- Run the provisioning commands
- Test and demo the features
Set a MEBx Password
First, reboot the target AMT system and enter the Intel MEBx. MEBx stands for Management Engine BIOS Extension. On Dell Optiplex systems, you can press F12 during the Dell boot logo. This causes the one-time boot list to appear, and Intel MEBx is one of the entries in that list.
When you first enter the MEBx it asks for a password; the default password is “admin”. The MEBx then immediately asks you to create a new password. This new password must match the password that you chose for the SCS profile that you want to assign to this system, because that is the password the provisioning tools use to log in to the ME.
Configure MEBx to trust your Root CA
Once you have entered the MEBx and set a new password, you need to instruct the MEBx to trust your Root CA. First, find the thumbprint (SHA-1 hash) of your Root CA certificate.
To find the certificate thumbprint hash:
- RDP to your Enterprise Subordinate CA.
- Load the ‘Certificate Authorities’ Snap-In from Administrative Tools.
- Right-click the CA and choose ‘Properties’.
- On the ‘General’ Tab, click ‘View Certificate’.
- On the ‘Certificate’ screen that appears, click the tab ‘Certificate Path’.
- Double-click the certificate shown that’s at the root of the path (the top certificate). This should cause a new certificate window to appear.
- On the new certificate window, verify that ‘Issued to:’ and ‘Issued by:’ correspond to your Offline Standalone Root CA. If either field shows your Enterprise Subordinate CA, you have the wrong certificate open.
- Click the ‘Details’ Tab.
- Find the field named ‘Thumbprint’ (usually at the bottom).
- Write down the value of the ‘Thumbprint’ field.
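The same lookup can be scripted, which avoids mistyping a 40-character hash into the MEBx. The PowerShell below is an added example and is not part of the original post. It assumes the Enterprise Subordinate CA certificate has been exported to a .cer file at a hypothetical path, walks its chain, and prints the thumbprint of the top certificate, applying the same “Issued to” equals “Issued by” check as the GUI steps above.

```powershell
# Added example (not from the original post): print the Offline Root CA thumbprint
# by walking the certificate chain of the Enterprise Subordinate CA certificate.
# Assumption: the subordinate CA certificate was exported to the path below
# (hypothetical), and the Root CA certificate is present in this machine's
# certificate stores so that the chain can be completed.
param(
    [string]$SubCaCertPath = 'C:\temp\certs\SubCA.cer'   # hypothetical export path
)

$subCa = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($SubCaCertPath)

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline root: its CRL is usually not reachable
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'

if (-not $chain.Build($subCa)) {
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ("Chain status: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
}

# The last element of the chain is the top of the certificate path (the root).
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# Same sanity checks the GUI steps describe: a root is self-issued (Subject == Issuer),
# and it must not be the subordinate CA certificate we started from.
if ($root.Thumbprint -eq $subCa.Thumbprint) {
    throw 'Chain stopped at the subordinate CA; the Root CA certificate is not available on this machine.'
}
if ($root.Subject -ne $root.Issuer) {
    throw "Top of chain ($($root.Subject)) is not self-signed; wrong certificate."
}

"Root CA subject   : $($root.Subject)"
"Root CA issuer    : $($root.Issuer)"
"Root CA thumbprint: $($root.Thumbprint)"   # 40 hex characters, no spaces: this is the value for the MEBx
```

The .NET Thumbprint property is already upper-case hex with no separators, so the printed value can be entered into the MEBx as is.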
Next, we need to enter the thumbprint value into the MEBx of your target system. The menu layout is a little different on every AMT version. For AMT 6.0 (Dell Optiplex 980), enter the MEBx and then choose:
- ME General Configuration
- Remote Setup And Configuration
- TLS PKI
- Manage Hashes
- Add a Customized Hash
Enter the thumbprint, then back out through Manage Hashes, TLS PKI and Remote Setup And Configuration to the main menu.
Once your thumbprint is added, reboot the system into the BIOS for the next step.
Verify BIOS settings
I’ve noticed that on Dell Optiplex systems it is necessary to disable Intel Trusted Execution (TXT) support in the BIOS. If you leave the setting ‘Enabled’, the machine gets stuck in a power on/off cycle as soon as the first power control operation is sent to the AMT device from any vPro application. If this happens, you’ll need to reset the BIOS with the CMOS jumper before the system becomes functional again. Note that this is separate from the TPM settings; TPM settings do not affect vPro.
I contacted Dell about this issue and a member of their Client Management Team got in touch with me to verify that this is, in fact, a known issue.
Verify Intel Management Engine Drivers
Next, we need to check out the Intel Management Engine (IME) and Serial-Over-LAN (SOL) drivers.
- In Windows, Start -> Run -> “devmgmt.msc”. This will open Device Manager.
- Expand “Ports (COM & LPT)”.
- Confirm that a device is installed named “Intel(R) Active Management Technology – SOL”.
- If the device is missing, download the driver from your vendor.
- Next, expand “System Devices”.
- Confirm that a device is installed named “Intel(R) Management Engine Interface”.
- If the device is missing, download the driver from your vendor.
Verify Intel LMS Service
The Intel IME and SOL drivers, when installed manually, also install the Intel LMS service. LMS stands for Local Management Service. If, however, your drivers were installed by an imaging system, it’s likely that you’re missing the LMS service.
- On the target AMT system, open the Services snap-in.
- Search for the service named ‘Intel(R) Management and Security Application Local Management Service’.
- If the service is missing, you will need to search your vendor’s website for the Intel Management Engine drivers. Once found, download and install them.
- If you already have the device driver installed, the Intel setup program will probably crash. If that happens, try running it with the “-nodrv” command-line flag.
Configure Windows to trust both CA’s
If you attempt to provision the system but Windows doesn’t trust all of the CAs in the provisioning certificate’s chain of trust, the provisioning process will fail. This is somewhat odd: normally only the root CA has to be in the trust store, because the intermediates are supplied along with the chain. vPro is different: you must explicitly trust every intermediate CA as well.
- Log in to your Enterprise Subordinate CA and copy the files from F:\wwwroot\intepub\certdata to the target AMT system at C:\temp\certs.
- On the target AMT system, Start -> Run -> “mmc”, then add the Certificates snap-in.
- When prompted, choose to run the Certificates snap-in against the local computer account.
- Navigate to the ‘Trusted Root Certification Authorities’ store.
- Right-click it and choose ‘All Tasks’ -> ‘Import…’.
- Import both certificates located at C:\temp\certs.
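The import and, more importantly, the check that the chain now builds can be done from an elevated PowerShell prompt on the target. This is an added example, not part of the original post; it assumes the two .cer files were copied to C:\temp\certs as described (file names are not assumed) and that the prompt is running as administrator.

```powershell
# Added example (not from the original post): import the Root and Subordinate CA
# certificates into the local computer's Trusted Root store, as the post's GUI
# steps do, then confirm that a chain built from the subordinate certificate is
# trusted without errors. Assumption: both .cer files are in C:\temp\certs.
param(
    [string]$CertDir = 'C:\temp\certs'
)

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')                       # needs an elevated prompt

$imported = @()
foreach ($file in Get-ChildItem -Path $CertDir -Filter *.cer) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName)

    # Only CA certificates belong in a trust store; refuse anything lacking the CA basic constraint.
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        Write-Warning "$($file.Name) is not a CA certificate; skipping"
        continue
    }

    $store.Add($cert)                          # no-op if the certificate is already present
    $imported += $cert
    $kind = if ($cert.Subject -eq $cert.Issuer) { 'root' } else { 'intermediate' }
    "{0,-12} {1}  {2}" -f $kind, $cert.Thumbprint, $cert.Subject
}
$store.Close()

# Verification: the subordinate CA certificate must chain to the root with no
# status errors. A failure here is exactly what makes ACUConfig fail later.
$intermediate = $imported | Where-Object { $_.Subject -ne $_.Issuer } | Select-Object -First 1
if (-not $intermediate) { throw "No subordinate CA certificate found in $CertDir" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'  # the offline root publishes no reachable CRL
if ($chain.Build($intermediate)) {
    'Chain OK: ' + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> ')
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning ("{0}: {1}" -f $_.Status, $_.StatusInformation.Trim()) }
    throw 'Chain does not build; provisioning will fail with this trust configuration'
}
```

The basic-constraints check is there because the certdata folder on a CA web server can also hold CRLs and end-entity certificates; only CA certificates should ever be added to the Trusted Root store.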
Prepare the RCS Configurator Files
Trucking right along! It’s time to gather the Intel SCS Configurator files. RCS stands for Remote Configuration Service, the server-side component of Intel SCS. The Configurator (ACUConfig.exe) is a small application that you run on the target AMT system. It reaches out to the RCS, collects the appropriate SCS profile, and provisions the AMT device.
- Find the folder named ‘Configurator’ from the Intel SCS Server install files that were downloaded from Intel.
- Copy the files in the ‘Configurator’ folder to the target AMT system at C:\temp\configurator.
Run the Provisioning Commands
OK, here goes nothing! Open a command prompt as administrator, navigate to C:\temp\configurator, then run the following command, substituting the FQDN of your SCS server and the name of the SCS profile you created in Part 6:
acuconfig.exe /output console ConfigViaRCSOnly <SCS-Server-FQDN> <ProfileName>
If everything works, you’ll see a return code of 0. If there’s a failure, things get complicated quickly. vPro is very, very particular about everything. Go back and check the following settings:
- DNS and DHCP connectivity from the target system to the SCS server and back.
- Target AMT device MEBx contains the certificate thumbprint of the Offline Root CA server.
- Target AMT device MEBx password matches the password set in the SCS profile.
- All certificates in the certificate chain are 2048-bit.
- All certificates in the certificate chain are SHA1.
- Target AMT system operating system trusts both the root CA and the intermediate CA.
- Intel Management Engine drivers on the target AMT system are installed and operating well.
- Intel Management Engine LMS service on the target AMT system is installed and running.
- Intel SCS server trusts both the root CA and the intermediate CA.
- Intel SCS Service is running as the Network Service account and has proper access to SQL.
- Intel SCS Service has the provisioning certificate installed.
- Provisioning certificate has the proper OID listed under ‘Application Constraints’.
- Provisioning certificate has the proper subject name listed.
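Most of the target-side items in that checklist can be verified before ACUConfig is run, so that a failure points at one cause rather than “everything”. The script below is an added example, not part of the original post or of Intel SCS. It checks the drivers, the LMS service, the two trusted thumbprints and DNS, then runs ACUConfig with the command shown above and reports its return code. The SCS server name, profile name, thumbprints and Configurator path are placeholders to replace.

```powershell
# Added example (not from the original post): target-side pre-flight checks for
# the checklist above, followed by the ACUConfig call. All parameter values are
# placeholders (assumptions) that must be replaced with your own.
param(
    [string]$ScsServer      = 'scs.corp.example',                 # placeholder SCS/RCS server FQDN
    [string]$ProfileName    = 'BasicProfile',                     # placeholder SCS profile name
    [string]$RootThumbprint = 'REPLACE_WITH_ROOT_CA_THUMBPRINT',  # from the MEBx hash step
    [string]$SubThumbprint  = 'REPLACE_WITH_SUB_CA_THUMBPRINT',
    [string]$Configurator   = 'C:\temp\configurator\acuconfig.exe'
)

$problems = @()

# 1. Drivers: the MEI and SOL devices must exist and report no Device Manager error.
foreach ($pattern in '*Management Engine Interface*', '*Active Management Technology*SOL*') {
    $dev = Get-WmiObject Win32_PnPEntity | Where-Object { $_.Name -like $pattern } | Select-Object -First 1
    if (-not $dev) { $problems += "Device not found: $pattern" }
    elseif ($dev.ConfigManagerErrorCode -ne 0) {
        $problems += "Device '$($dev.Name)' has error code $($dev.ConfigManagerErrorCode)"
    }
}

# 2. LMS service: installed and running (imaged systems often lack it).
$lms = Get-Service | Where-Object { $_.DisplayName -like 'Intel(R) Management and Security Application Local Management*' }
if (-not $lms) { $problems += 'LMS service is not installed' }
elseif ($lms.Status -ne 'Running') { $problems += "LMS service is $($lms.Status), not Running" }

# 3. Trust: both CA certificates present in the local computer's Trusted Root store.
$rootStore = Get-ChildItem Cert:\LocalMachine\Root
foreach ($tp in $RootThumbprint, $SubThumbprint) {
    if (-not ($rootStore | Where-Object { $_.Thumbprint -eq $tp })) {
        $problems += "Thumbprint $tp is not in LocalMachine\Root"
    }
}

# 4. DNS: the SCS server must resolve and this host must have a working name of its own.
try { [void][System.Net.Dns]::GetHostAddresses($ScsServer) }
catch { $problems += "Cannot resolve $ScsServer" }
if (-not (Test-Connection -ComputerName $ScsServer -Count 1 -Quiet)) {
    $problems += "$ScsServer does not answer ping (firewall, or not reachable)"
}
try { "This host resolves as $([System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName)" }
catch { $problems += 'This host has no working DNS entry of its own' }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Pre-flight failed; fix the items above before running ACUConfig'
}

# 5. Provision. ACUConfig returns 0 on success; anything else is a failure and the
# console output explains why.
if (-not (Test-Path $Configurator)) { throw "Configurator not found at $Configurator" }
& $Configurator /output console ConfigViaRCSOnly $ScsServer $ProfileName
$rc = $LASTEXITCODE
if ($rc -eq 0) { 'Provisioning succeeded (return code 0)' }
else { throw "ACUConfig returned $rc; read the console output above for the cause" }
```

The script deliberately stops before calling ACUConfig if any check fails: a provisioning attempt with a wrong trust store or a dead LMS service produces a much less specific error than the checks do.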
Test and Demo the Features
There are two quick ways to test the AMT device. The first is the WebUI, and the second is via KVM.
To test the WebUI, navigate to the following page:
It will ask you to log in. Use the digest user that you specified in the SCS profile. From here, you should see inventory data and be able to send power commands to the system.
To test KVM, you’ll need to download VNC Viewer Plus from the RealVNC downloads page. Once installed, perform the following steps:
- Open Real VNC Viewer Plus
- Switch ‘Connection Mode’ to “Intel(R) AMT KVM”.
- Type the FQDN of your target AMT system into the text box “AMT System”.
- For the ‘Encryption’ combo box, choose ‘None’. This makes the KVM session unencrypted, which is acceptable for a first test on an isolated lab network; Part 9 of this series adds TLS.
- Click the button labeled ‘Options’.
- Click the tab labeled ‘Connection’.
- Uncheck the checkbox next to the label ‘Use single sign-on if VNC server supports it’.
- Click OK to save your changes.
- Click ‘Connect’.
If VNC viewer connects, then awesome! You did it! If not, then it’s time to start troubleshooting :(.
In the next post, we’ll investigate Kerberos (Active Directory) support.