Intel vPro – Configuration – Part 10 – SCCM Integration

vPro Series of Posts


Now that we have a standalone vPro reference installation, let’s integrate it into SCCM!

Here, I’m going to turn things over to Brian Muller. His blog post on SCCM 2012 integration is excellent.

Integrating SCCM 2012 with SCS 8.1

Here is the general overview. Consider it a preview of what you’re in for (stolen from his post).

  1. Adding the Out of Band Role Management Role to your SCCM server
  2. Extending the Hardware Inventory for SCCM 2012
  3. Modifying the SCS profile for SCCM 2012
  4. Creating the collections required for the discovery and configuration of your clients
  5. Creating the Discovery and Configurations packages
  6. Creating the Task Sequences required for the discovery and configuration of your clients
  7. Creating the Deployments (SCCM 2007 – Advertisements)
  8. Creating the Status Filter rules to automatically update the Intel collections
  9. Queries to help you troubleshoot

Next up, some custom PowerShell scripting to make things a bit easier.

Intel vPro – Configuration – Part 9 – Adding TLS

TLS: The Final Frontier. Here’s how it goes!

Overview

  1. Configuring a SCS Profile for TLS
  2. Reconfigure the AMT Device
  3. Try it out!
  4. Troubleshooting Options

Configuring a SCS Profile for TLS

  1. Open SCS Console and choose the ‘Profiles’ button on the top-left of the screen, then click ‘New Profile’.
  2. On the ‘Getting Started’ screen, enter ‘rconfig-dhcp-kerb-tls’ for the name, and then click ‘Next’.
  3. On the ‘Optional Settings’ screen, select the following check boxes, and click ‘Next’.
    • Active Directory Integration
    • Access Control List (ACL)
    • Transport Layer Security (TLS)
  4. On the ‘AD Integration’ screen, click ‘…’ and select the OU where AMT objects will be stored. The SCS server must have full permissions on this OU. When finished, click ‘Next’.
  5. On the ‘Access Control List’ screen, click ‘Add’, and add an Active Directory user or group account.
  6. On the ‘User/Group Details’ screen, switch the ‘Access Type’ to ‘Both’, and check all checkboxes except ‘Access Monitor’. Then, click OK to save.
  7. On the ‘Transport Layer Security’ screen, choose your vPro SHA1 CA from the CA drop-down box, then choose the certificate template named “AMTTLSCertificates”, then click ‘Next’.
  8. On the ‘System Settings’ screen, enter the MEBx password that you want to use for the target AMT system. It needs to match whatever you manually set the MEBx password to on the target system. We will go over manually setting the MEBx password in later posts. For now, choose a password.
  9. Still on the ‘System Settings’ screen, enter the same password in the box labeled ‘Use the following password for all systems:’.
  10. Click the ‘set’ button next to the label ‘Edit IP and settings’.
  11. On the ‘Network Settings’ screen, choose ‘Use the following as the FQDN’ and select ‘Primary DNS FQDN’ from the drop-down box.
  12. Under the IP frame, choose ‘Get the IP from the DHCP server’.
  13. Under the ‘DNS’ frame, choose ‘Update the DNS directly’.
  14. On the ‘Finish’ screen, click ‘Finish’.

Reconfigure the AMT Device

The process for this is the same as the process in the previous blog post.

  1. Login to the target AMT system.
  2. Open a command prompt and navigate to C:\Temp\vPro.
  3. Run the following command:
    acuconfig.exe /output console ConfigViaRCSOnly <SCS-Server-FQDN> <ProfileName>

You should see no errors.

Try it out!

First, try the WebUI in IE at https://amt-system.yourdomain.com:16993. Note that the protocol is ‘https’ and the port number is 16993. Next, try VNC+. Choose ‘TLS’ from the drop-down box labeled ‘Encryption’. Lastly, try Manageability Commander.

Troubleshooting Options

  1. If provisioning fails, you can try adding the /verbose switch to acuconfig. This might give you more information.
  2. For Manageability Commander, you can choose ‘help’ -> ‘show debug info’. This can be very useful.
  3. For any applications using the Intel DLLs, you can enable debug mode like in the last blog post’s troubleshooting section.

And there you have it! vPro with Kerberos and TLS. The next blog post will focus on polishing everything a bit and adding some automation.

Intel vPro – Configuration – Part 8 – Adding Kerberos

Now that you have provisioning down with Digest users, let’s add that unique Kerberos twist. Before you begin, I highly recommend watching the following video. It’s difficult. It’s technical. It’s also incredibly helpful to understand the underpinnings of Kerberos.

Brian Desmond: Kerberos Uncovered

Overview

  1. Configure SCS Profile for Kerberos
  2. Configure Admin Workstation IE and Network Settings
    1. IE Options
      1. Windows Integrated Authentication
      2. AMT Device to Local Intranet
      3. Automatic Logon security settings enabled
      4. Protected mode disabled for Local Intranet
      5. TLS 1.1 enabled
    2. OS Options
      1. Kerberos CNAME registry key imported
      2. Kerberos Port Number registry key imported
  3. Pre-flight checklist
    1. AMT Device AD Object Exists
    2. AMT Device SPNs registered and correct
    3. No duplicate SPNs
  4. Re-Configuring the AMT Device
  5. Try it out!
  6. Troubleshooting

Configure SCS Profile for Kerberos

  1. Open SCS Console and choose the ‘Profiles’ button on the top-left of the screen, then click ‘New Profile’.
  2. On the ‘Getting Started’ screen, enter ‘rconfig-dhcp-kerb’ for the name, and then click ‘Next’.
  3. On the ‘Optional Settings’ screen, select the following check boxes, and click ‘Next’.
    • Active Directory Integration
    • Access Control List (ACL)
  4. On the ‘AD Integration’ screen, click ‘…’ and select the OU where AMT objects will be stored. The SCS server must have full permissions on this OU. When finished, click ‘Next’.
  5. On the ‘Access Control List’ screen, click ‘Add’, and add an Active Directory user or group account.
  6. On the ‘User/Group Details’ screen, switch the ‘Access Type’ to ‘Both’, and check all checkboxes except ‘Access Monitor’. Then, click OK to save.
  7. On the ‘System Settings’ screen, enter the MEBx password that you want to use for the target AMT system. It needs to match whatever you manually set the MEBx password to on the target system. We will go over manually setting the MEBx password in later posts. For now, choose a password.
  8. Still on the ‘System Settings’ screen, enter the same password in the box labeled ‘Use the following password for all systems:’.
  9. Click the ‘set’ button next to the label ‘Edit IP and settings’.
  10. On the ‘Network Settings’ screen, choose ‘Use the following as the FQDN’ and select ‘Primary DNS FQDN’ from the drop-down box.
  11. Under the IP frame, choose ‘Get the IP from the DHCP server’.
  12. Under the ‘DNS’ frame, choose ‘Update the DNS directly’.
  13. On the ‘Finish’ screen, click ‘Finish’.

Configure Admin Workstation IE and Network Settings

Out of the box, Windows and IE don’t like to play well with some particular aspects of the Intel AMT Kerberos implementation. The following will make everything work. All of this must be done on the administrator’s workstation — the computer which will be used to connect to the AMT device. None of these steps need to be completed on the target AMT system itself.

Internet Explorer Options

We will perform the following steps below:

  • Enable Windows Integrated Authentication
  • Add AMT Device to the Local Intranet zone
  • Enable Automatic Logon security settings
  • Disable protected mode for the Local Intranet zone
  • Enable TLS 1.1

Procedure for Updating Internet Explorer Options

  1. Login to your workstation as the user that you would like to use to connect to the AMT system.
  2. Open Internet Explorer.
  3. Click the gear icon in the top-right, then choose ‘Internet Options’
  4. Select the ‘Advanced’ tab.
  5. Scroll down to the ‘Security’ section.
  6. Make sure that the following boxes are checked:
    1. Windows Integrated Authentication
    2. TLS 1.0
    3. TLS 1.1
    4. TLS 1.2
  7. Select the ‘Security’ tab.
  8. Click the ‘Local Intranet’ zone.
  9. Click Sites -> Advanced
  10. Add the FQDN of the target device, prefixed with http://. Example: “http://user-pc-01.mydomain.com”. Then, click ‘Add’.
  11. Click ‘OK’ until you are back to the ‘Internet Options’ screen.
  12. Click the ‘Custom Level…’ button.
  13. Scroll down to the section ‘User Authentication’.
  14. Ensure that the radio button named ‘Automatic logon with current user name and password’ is selected, then click ‘OK’.
  15. Back at the ‘Internet Options’ screen, make sure that the check box named ‘Enable Protected Mode’ is not checked.

Operating System Options

The Windows operating system needs to be tweaked to allow Kerberos tickets for HTTP or HTTPS on a non-standard port. It also needs to be tweaked to allow Kerberos tickets for CNAMEs. Even though the references below are targeted at XP and Windows Server 2003, they still apply to all current Windows and IE versions (including Windows 8 and Windows Server 2012).

References:

Procedure

Add the following registry entries:

Entry #1
Type: DWORD
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149\iexplore.exe
Value: 1

Entry #2
Type: DWORD
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149\iexplore.exe
Value: 1

Entry #3
Type: DWORD
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209\iexplore.exe
Value: 1

Entry #4
Type: DWORD
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209\iexplore.exe
Value: 1
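The four entries above can be applied and read back in one pass with the following PowerShell. This is an added example, not part of the original post; it assumes an elevated session on the admin workstation (not on the AMT device) and that, as IE FeatureControl entries are laid out, the trailing “iexplore.exe” in each path is a DWORD value name under the FEATURE_* key rather than a sub-key. Reading the values back catches a mistyped path straight away, which is the mistake the troubleshooting section of this post describes.

```powershell
# Added example: apply and verify the four IE FeatureControl entries listed above.
# Assumes an elevated PowerShell session on the admin workstation (not the AMT device).
# In each entry, the last path component ("iexplore.exe") is a DWORD *value name*
# under the FEATURE_* key, not a sub-key.
$featureKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209'
)
$valueName = 'iexplore.exe'

function Set-IeFeatureControl {
    param([Parameter(Mandatory)][string]$KeyPath)
    # Create the FEATURE_* key if it does not exist yet (-Force also creates missing parents).
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # Write (or overwrite) the DWORD value iexplore.exe = 1.
    New-ItemProperty -Path $KeyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-IeFeatureControl {
    param([Parameter(Mandatory)][string]$KeyPath)
    # Read the value back; a missing key or value yields $null and therefore $false.
    $item = Get-ItemProperty -Path $KeyPath -Name $valueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$valueName -eq 1)
}

foreach ($key in $featureKeys) {
    Set-IeFeatureControl -KeyPath $key
}

# Report: every row should read True. A False row means the path was mistyped.
foreach ($key in $featureKeys) {
    [pscustomobject]@{
        Key = $key.Replace('HKLM:\SOFTWARE\', '')
        Set = Test-IeFeatureControl -KeyPath $key
    }
}
```

On a 32-bit workstation the WOW6432Node keys are unused; the script still creates them, which is harmless.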

Pre-flight Checklist

Next, let’s make sure that we don’t have any outstanding AD or SPN issues that will prevent Kerberos from working.

Confirm that AMT Device AD Object Exists

Open Active Directory Users and Computers and navigate to the OU that you specified for AMT devices in the SCS profile. Is your computer object there? If so, you’re set. If not, then it wasn’t created during our previous provisioning. This might be OK, but it’s probably better to go back a few blog posts and try everything again.

Confirm that the AMT Device SPNs Are Registered and Correct

  1. Open Active Directory.
  2. Select ‘View’ from the top menu, then choose to enable ‘Advanced Features’.
  3. Browse to the OU which contains the AMT objects, as specified in your SCS profile.
  4. Right-click the AMT device which will be tested and choose ‘Properties’.
  5. Click the ‘Attribute Editor’ tab.
  6. Scroll down to the field named ‘ServicePrincipalNames’, and double-click it.
  7. Verify that the following SPNs are registered:
    1. HTTP://fqdn:16992
    2. HTTP://fqdn:16993
    3. HTTP://fqdn:16994
    4. HTTP://fqdn:16995
    5. HTTP://fqdn:623
    6. HTTP://fqdn:664

If you do not see the SPNs registered, I suggest deleting the AMT object and re-provisioning it.

No duplicate SPNs

Open a command prompt as administrator and type the following command. It should return zero duplicate SPNs.

setspn -x

If it shows duplicate SPNs, it will be necessary to remove the duplicates with this command:

setspn -D <SPN> <Account>

I highly recommend that you google around and read up on the concept of SPNs and duplicate SPNs before doing this.
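The three pre-flight checks above (object exists, SPNs registered, no duplicates) can be scripted. The following PowerShell is an added example and is not part of the original post. It assumes the ActiveDirectory module (RSAT) is installed on a domain-joined admin workstation, that you know the name of the computer object SCS created for the AMT device, and that the SPNs are stored in the service/host:port form that setspn and the Attribute Editor display (HTTP/fqdn:16992 and so on). Instead of parsing setspn -x output, the duplicate test asks AD for every holder of each expected SPN, so it reports exactly which SPN is duplicated.

```powershell
# Added example: script the Kerberos pre-flight checklist (AD object exists, the six
# SPNs are registered, none of them is held by a second account).
# Assumes the ActiveDirectory module (RSAT) on a domain-joined admin workstation.
Import-Module ActiveDirectory

function Test-AmtKerberosPreflight {
    param(
        [Parameter(Mandatory)][string]$AmtObjectName,  # name of the computer object SCS created
        [Parameter(Mandatory)][string]$AmtFqdn,        # DNS FQDN the SPNs are built from
        [Parameter(Mandatory)][string]$AmtOuDn         # DN of the OU chosen in the SCS profile
    )
    # The ports the post lists; SPNs are stored as HTTP/<fqdn>:<port>.
    $ports    = 16992, 16993, 16994, 16995, 623, 664
    $expected = foreach ($p in $ports) { "HTTP/${AmtFqdn}:$p" }

    $obj = Get-ADComputer -Filter "Name -eq '$AmtObjectName'" -Properties servicePrincipalName |
           Select-Object -First 1
    if (-not $obj) {
        # Nothing to inspect: provisioning never created the object.
        return [pscustomobject]@{
            ObjectExists  = $false
            InExpectedOu  = $false
            MissingSpns   = $expected
            DuplicateSpns = @()
        }
    }

    $registered = @($obj.servicePrincipalName)
    # -notcontains is case-insensitive, which matches how AD compares SPNs.
    $missing = @($expected | Where-Object { $registered -notcontains $_ })

    # An SPN held by more than one AD object is ambiguous and the KDC will not issue
    # a ticket for it, which ends in the credential prompt described later in this post.
    $duplicates = @(foreach ($spn in $expected) {
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        if ($holders.Count -gt 1) { $spn }
    })

    [pscustomobject]@{
        ObjectExists  = $true
        InExpectedOu  = ($obj.DistinguishedName -like "*,$AmtOuDn")
        MissingSpns   = $missing
        DuplicateSpns = $duplicates
    }
}

# Usage with constructed names (replace with your own object name, FQDN and OU):
Test-AmtKerberosPreflight -AmtObjectName 'user-pc-01' `
                          -AmtFqdn 'user-pc-01.mydomain.com' `
                          -AmtOuDn 'OU=AMT Objects,DC=mydomain,DC=com' | Format-List
```

A healthy device reports ObjectExists and InExpectedOu as True with both SPN lists empty; anything else points at the matching manual step above.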

Re-Configuring the AMT Device

Woohoo! Again, the actual meat of the process.

  1. Login to the target AMT system.
  2. Open a command prompt and navigate to C:\Temp\vPro.
  3. Run the following command:
    acuconfig.exe /output console ConfigViaRCSOnly <SCS-Server-FQDN> <ProfileName>

You should see no errors.

Try it out!

First, try to open the WebUI at http://fqdn:16992. Use internet explorer, and make sure that you are logged in as a user which was given access in the SCS profile, and also has the internet explorer options configured properly (outlined above). Also, make sure that the target FQDN is in the ‘Intranet Zone’ in the IE options.

The WebUI should log in correctly. If you get a pop-up window asking for a username and password, then Kerberos has failed and the web page is attempting to use digest authentication.

You can also now use RealVNC+. Make sure to go into the options -> connections tab and check the box labeled ‘Use Single Sign-on’.

Also, you can use Manageability Commander. One issue with Manageability Commander is that it doesn’t support Kerberos SOL connections out of the box. To make Kerberos SOL connections work, it’s necessary to run the program with the following command-line switch: “-alttsp:0”.

Troubleshooting

Troubleshooting is actually pretty difficult, but there are three main things to try.

First, go back over all of the blog posts and double-check everything. This is a pain, and it seems like it won’t solve the problem, but it often does. I once misspelled the registry entry for the Kerberos port number workaround, and spent hours checking every other aspect of the configuration.

Second, if your problem is with Manageability Commander or Intel Platform Solutions Manager, you can configure Intel’s DLL files to dump a log. To do this, navigate to the application folder in Windows Explorer. Look for a file named ‘imrsdk.dll’ or ‘imrsdk_x64.dll’. Add a new file named ‘imrsdk.ini’ with the following code.

[COMMON]
Debug_Level=2

Make sure to restart your application. The Intel DLL will then drop a new file named log.txt into its folder, and it may offer some good information.

Third, you can try the Wireshark approach. Install Wireshark on a computer with two network cards, and place it between your AMT device and its network connection. Then, bridge the connections on the Wireshark computer. You can use this computer to collect all TCP packets between the AMT device, the domain controllers, and the SCS service. This might tell you if you have network-level problems. It may also be necessary to insert the Wireshark computer between your workstation and your workstation’s wired connection in order to see if the requested SPN is correct.

The next post will cover adding TLS to the mix!

Intel vPro – Configuration – Part 7 – Provisioning Your First System

Finally, finally, finally. Let’s provision our first system.

Overview

  1. Set a MEBx Password
  2. Configure MEBx to trust your Root CA
  3. Verify BIOS settings
  4. Verify Intel Management Engine Drivers
  5. Verify Intel LMS Service
  6. Configure Windows to trust both CAs
  7. Prepare the RCS Configurator Files
  8. Run the provisioning commands
  9. Test and demo the features

Set a MEBx Password

First, reboot the target AMT system and enter the Intel MEBx. MEBx stands for Management Engine BIOS Extension. On Dell Optiplex systems, you can press F12 during the Dell boot logo. This causes the one-time boot list to appear. Intel MEBx is one of the entries in the boot list.

When you first enter MEBx, it will ask for a password; the default password is “admin”. The MEBx will then immediately ask you to create a new password. This new password must match the password that you chose for the SCS Profile that you want to assign to this system.

Configure MEBx to trust your Root CA

Once you successfully enter the MEBx and set a new password, it’s necessary to instruct the MEBx to trust your Root CA. First, we need to find the thumbprint for your Root CA.

To find the certificate thumbprint hash:

  1. RDP to your Enterprise Subordinate CA.
  2. Load the ‘Certificate Authorities’ Snap-In from Administrative Tools.
  3. Right-click the CA and choose ‘Properties’.
  4. On the ‘General’ Tab, click ‘View Certificate’.
  5. On the ‘Certificate’ screen that appears, click the tab ‘Certificate Path’.
  6. Double-click the certificate shown that’s at the root of the path (the top certificate). This should cause a new certificate window to appear.
  7. On the new certificate window, verify that ‘Issued to:’ and ‘Issued by:’ correspond to your Offline Standalone Root CA. If either field shows your Enterprise Subordinate CA, you have the wrong certificate open.
  8. Click the ‘Details’ Tab.
  9. Find the field named ‘Thumbprint’ (usually at the bottom).
  10. Write down the value of the ‘Thumbprint’ field.
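If you would rather not click through the certificate dialogs, the following PowerShell performs the same lookup. It is an added example and not part of the original post. It assumes you have the subordinate CA’s certificate (or any certificate it issued) in a file, and that the root CA certificate is already trusted on the machine you run it on so the chain can be built to the top. The Thumbprint property of an X509Certificate2 is the SHA-1 hash of the certificate, which is the value the MEBx hash entry expects.

```powershell
# Added example: walk a certificate's chain and report the self-signed root, which is
# the certificate whose thumbprint goes into the MEBx "Add a Customized Hash" entry.
# Assumes the root CA certificate is trusted on this machine so the chain builds completely.
function Get-RootCaThumbprint {
    param([Parameter(Mandatory)][string]$CertificatePath)  # .cer/.crt of the sub CA, or any cert it issued

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertificatePath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # The root CA is offline, so do not fail the build on an unreachable CRL.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($cert)

    # ChainElements runs leaf -> root; the last element is the top of the "Certificate Path" tab.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Same check as step 7 above: "Issued to" must equal "Issued by" (self-signed).
    if ($root.Subject -ne $root.Issuer) {
        throw "Chain ends at '$($root.Subject)', which is not self-signed. Import the root CA certificate and retry."
    }

    [pscustomobject]@{
        IssuedTo           = $root.Subject
        IssuedBy           = $root.Issuer
        SignatureAlgorithm = $root.SignatureAlgorithm.FriendlyName   # the checklist later in this post expects SHA1
        ThumbprintSha1     = $root.Thumbprint                        # value to enter in the MEBx
    }
}

# Usage (the path is a placeholder):
Get-RootCaThumbprint -CertificatePath 'C:\temp\certs\enterprise-sub-ca.crt' | Format-List
```

If the root is not yet trusted, the chain stops at the subordinate CA and the function throws rather than handing you the wrong thumbprint, which is the mistake step 7 warns about.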

Next, we need to enter the thumbprint value into the MEBx of your target system. Doing this is a little bit different on every AMT version. For AMT 6.0 versions (Dell Optiplex 980), you enter the MEBx and then choose:

  • ME General Configuration
    • Remote Setup And Configuration
      • TLS PKI
        • Manage Hashes
          • Add a Customized Hash

Once your Thumbprint is added, reboot the system into the BIOS for the next step.

Verify BIOS settings

I’ve noticed that on Dell Optiplex systems it is necessary to disable Intel Trusted Execution (TXT) support in the BIOS. If you leave the setting ‘Enabled’, then the machine will get stuck in a power on/off cycle as soon as the first power control operation is sent to the AMT device from any vPro application. If this happens, you’ll need to reset the BIOS with the CMOS jumper before the system will become functional again. Note that this is separate from the TPM settings. TPM settings do not affect vPro.

I contacted Dell about this issue and a member of their Client Management Team got in touch with me to verify that this is, in fact, a known issue.

Verify Intel Management Drivers

Next, we need to check out the Intel Management Engine (IME) and Serial-Over-LAN (SOL) drivers.

  1. In Windows, Start -> Run -> “devmgmt.msc”. This will open Device Manager.
  2. Expand “Ports (COM & LPT)”.
  3. Confirm that a device is installed named “Intel(R) Active Management Technology – SOL”.
  4. If the device is missing, download the driver from your vendor.
  5. Next, expand “System Devices”.
  6. Confirm that a device is installed named “Intel(R) Management Engine Interface”.
  7. If the device is missing, download the driver from your vendor.

Verify Intel LMS Service

The Intel IME and SOL drivers, when installed manually, also install the Intel LMS service. LMS stands for Local Management Service. If, however, your drivers were installed by an imaging system, it’s likely that you’re missing the LMS service.

  1. On the target AMT system, open the Services snap-in.
  2. Search for the service named ‘Intel(R) Management and Security Application Local Management Service’.
  3. If the service is missing, you will need to search your vendor’s website for the Intel Management Engine drivers. Once found, download and install them.
  4. If you already have the device driver installed, then the Intel setup program will probably crash. To get it to run if that happens, try installing it with the following command-line flag: “-nodrv”.

Configure Windows to trust both CAs

If you attempt to provision the system, but Windows doesn’t trust all of the CAs in the provisioning certificate chain of trust, then the provisioning process will fail. This is somewhat odd, since normally when verifying a certificate only the root CA must be trusted. vPro is different — you must explicitly trust every intermediate CA as well.

  1. Login to your enterprise subordinate CA and copy the files from F:\wwwroot\intepub\certdata to the target AMT system at C:\temp\certs.
  2. On the target AMT system, start -> run -> mmc.
  3. When prompted, choose to run the certificate snap-in against the local computer account.
  4. Navigate to the ‘Trusted Root Certificate Authorities’ store.
  5. Right-click and choose ‘Import Certificate’.
  6. Import both certificates located at C:\temp\certs.

Prepare the RCS Configurator Files

Trucking right along! It’s time to gather the Intel RCS Configurator files. RCS stands for Remote Configurator Service. It’s a small application that you run on the target AMT system. It will reach out to the SCS service, collect the appropriate SCS profile, and provision the AMT device.

  1. Find the folder named ‘Configurator’ from the Intel SCS Server install files that were downloaded from Intel.
  2. Copy the files in the ‘Configurator’ folder to the target AMT system at C:\temp\configurator.

Run the Provisioning Commands

OK, here goes nothing! Open a command prompt as administrator, navigate to C:\temp\configurator, then run the following command.

acuconfig.exe /output console ConfigViaRCSOnly <SCS-Server-FQDN> <ProfileName>

If everything works, you’ll see a return code of 0. If there’s a failure, things get complicated quickly. vPro is very, very particular about everything. Go back and check the following settings:

  1. DNS and DHCP connectivity from the target system to the SCS server and back.
  2. Target AMT device MEBx contains the certificate thumbprint of the Offline Root CA server.
  3. Target AMT device MEBx password matches the password set in the SCS profile.
  4. All certificates in the certificate chain are 2048-bit.
  5. All certificates in the certificate chain are SHA1.
  6. Target AMT system operating system trusts both the root CA and the intermediate CA.
  7. Intel Management Engine drivers on the target AMT system are installed and operating well.
  8. Intel Management Engine LMS service on the target AMT system is installed and running.
  9. Intel SCS server trusts both the root CA and the intermediate CA.
  10. Intel SCS Service is running as the Network Service account and has proper access to SQL.
  11. Intel SCS Service has the provisioning certificate installed.
  12. Provisioning certificate has the proper OID listed under ‘Application Constraints’.
  13. Provisioning certificate has the proper subject name listed.
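The target-side items in that list (1, 4, 5, 6, 7 and 8) can be checked from a script before you run acuconfig; the MEBx contents and the SCS-side items still need the manual checks. The following PowerShell is an added example and not part of the original post. It assumes it is run as administrator on the target AMT system, that the two CA certificate files were copied to C:\temp\certs as described in the ‘Configure Windows to trust both CAs’ section, and that the device and service display names match the ones quoted earlier in this post.

```powershell
# Added example: check the target-side items of the checklist above from the AMT system
# itself (items 1, 4, 5, 6, 7, 8). MEBx contents, SCS-side trust and SQL access cannot be
# read from here. Run as administrator on the target AMT system.
function Test-AmtProvisioningPrereqs {
    param(
        [Parameter(Mandatory)][string]$ScsServerFqdn,
        [string]$CaCertFolder = 'C:\temp\certs'   # the two CA certificates copied earlier in this post
    )
    $r = [ordered]@{}

    # 1. Name resolution toward the SCS server (the reverse direction must be checked from the server).
    try   { $null = [System.Net.Dns]::GetHostAddresses($ScsServerFqdn); $r.ScsServerResolves = $true }
    catch { $r.ScsServerResolves = $false }

    # 7. MEI and SOL devices present and without a Device Manager error code.
    $pnp = Get-WmiObject -Class Win32_PnPEntity
    $mei = $pnp | Where-Object { $_.Name -like 'Intel(R) Management Engine Interface*' }
    $sol = $pnp | Where-Object { $_.Name -like 'Intel(R) Active Management Technology*SOL*' }
    $r.MeiDriverOk = [bool]($mei | Where-Object { $_.ConfigManagerErrorCode -eq 0 })
    $r.SolDriverOk = [bool]($sol | Where-Object { $_.ConfigManagerErrorCode -eq 0 })

    # 8. LMS service installed and running (matched on the display name used in this post).
    $lms = Get-Service | Where-Object { $_.DisplayName -like 'Intel(R) Management and Security Application Local Management*' }
    $r.LmsServiceRunning = [bool]($lms | Where-Object { $_.Status -eq 'Running' })

    # 4, 5, 6. Each CA certificate file: 2048-bit key, SHA-1 signature, present in Trusted Root.
    $trustedRoot = Get-ChildItem -Path Cert:\LocalMachine\Root
    $certChecks = foreach ($file in (Get-ChildItem -Path $CaCertFolder -File | Where-Object { $_.Extension -in '.cer', '.crt' })) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName
        [pscustomobject]@{
            File        = $file.Name
            Subject     = $cert.Subject
            KeyIs2048   = ($cert.PublicKey.Key.KeySize -eq 2048)
            IsSha1      = ($cert.SignatureAlgorithm.FriendlyName -like 'sha1*')
            InRootStore = [bool]($trustedRoot | Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
        }
    }
    $r.CaCertificates = @($certChecks)
    $failing = @($r.CaCertificates | Where-Object { -not ($_.KeyIs2048 -and $_.IsSha1 -and $_.InRootStore) })
    # "Both" CAs means at least two files, and none of them may fail a check.
    $r.AllCaChecksPass = ($r.CaCertificates.Count -ge 2) -and ($failing.Count -eq 0)

    [pscustomobject]$r
}

# Usage (the FQDN is a placeholder):
$check = Test-AmtProvisioningPrereqs -ScsServerFqdn 'scs01.mydomain.com'
$check | Format-List
$check.CaCertificates | Format-Table -AutoSize
```

Every boolean should read True before acuconfig is run; a False narrows the failure to one numbered item instead of the whole list.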

Test and Demo the Features

There are two quick ways to test the AMT device. The first is the WebUI, and the second is via KVM.

WebUI

To test the WebUI, navigate to the following page:

It will ask you to log in. Use the digest user which you specified in the SCS profile. From here, you should see inventory data and be able to send power commands to the system.

KVM

To test KVM, you’ll need to download RealVNC+ from the RealVNC+ downloads page. Once installed, perform the following steps:

  1. Open Real VNC Viewer Plus
  2. Switch ‘Connection Mode’ to “Intel(R) AMT KVM”.
  3. Type the FQDN of your target AMT system into the text box “AMT System”.
  4. For the ‘Encryption’ combo box, choose ‘None’.
  5. Click the button labeled ‘Options’.
  6. Click the tab labeled ‘Connection’.
  7. Uncheck the checkbox next to the label ‘Use single sign-on if VNC server supports it’.
  8. Click OK to save your changes.
  9. Click ‘Connect’.

If VNC viewer connects, then awesome! You did it! If not, then it’s time to start troubleshooting :(.

In the next post, we’ll investigate Kerberos (Active Directory) support.

Intel vPro – Configuration – Part 6 – Basic SCS Profile

Let’s create the most basic of SCS profiles and work from there. This will let us test out the provisioning process and the vPro \ AMT features like KVM. After that works, we’ll move on to more advanced profiles that make use of Kerberos and TLS.

Procedure:

  1. Open SCS Console and choose the ‘Profiles’ button on the top-left of the screen, then click ‘New Profile’.
  2. On the ‘Getting Started’ screen, enter ‘rconfig-basic’ for the name, select ‘Configuration\Reconfiguration’, then click ‘Next’.
  3. On the ‘Optional Settings’ screen, check the box labeled ‘Access Control List (ACL)’, then click ‘Next’.
  4. On the ‘Access Control List’ screen, click ‘Add’, and add a digest user named ‘AMTdigest’.
  5. On the ‘User/Group Details’ screen, switch the ‘Access Type’ to ‘Both’, and check all checkboxes except ‘Access Monitor’. Then, click OK to save.
  6. On the ‘System Settings’ screen, enter the MEBx password that you want to use for the target AMT systems. It needs to match whatever you manually set the MEBx password to on the target system. We will go over manually setting the MEBx password in later posts. For now, choose a password.
  7. Still on the ‘System Settings’ screen, enter the same password in the box labeled ‘Use the following password for all systems:’.
  8. Click the ‘set’ button next to the label ‘Edit IP and settings’.
  9. On the ‘Network Settings’ screen, choose ‘Use the following as the FQDN’ and select ‘Primary DNS FQDN’ from the drop-down box.
  10. Under the IP frame, choose ‘Get the IP from the DHCP server’.
  11. Under the ‘DNS’ frame, choose ‘Update the DNS directly’.
  12. On the ‘Finish’ screen, click ‘Finish’.

Nice and easy. Next step, actually provisioning a system.

Intel vPro – Configuration – Part 5 – Configure Active Directory

Whew, made it this far ‘eh? Awesome. Nice work! Before we get started on SCS profiles, we need to do a bit of work in Active Directory. Don’t worry, it won’t take long.

AD OU and Groups

When Kerberos authentication is used with the AMT devices, each AMT device is going to need an actual computer account in AD. The Intel SCS service manages this for you, but it needs to have a specific OU to create the computers in. SCS also needs permission to create computer accounts in that OU.

Procedure

  1. In AD Users and Computers, create an OU to store AMT Objects. I recommend the name “AMT Objects”.
  2. Grant your SCS Server computer account ‘full control’ on this new OU.
  3. In AD Users and Computers, create a new security group for the users who will connect to AMT objects. I recommend ‘AMT Admins’.
  4. Assign your user account to be a member of the new group.

That’s it! Next stop: SCS Profile world.

Intel vPro – Configuration – Part 4 – Install and Configure Intel SCS

Welcome back! This time we’re going to cover the Intel SCS Service. This service does the actual vPro provisioning of your AMT clients. To make it work, you install the service then configure different ‘profiles’ or AMT personalities. On the target AMT system, you then run a command and point that particular AMT system at the profile you want.

General Information

I recommend watching the following videos for more information about SCS and how it works.

  1. SCS Introduction
  2. SCS Module 1 – Introduction to Intel® vPro™ Technology
  3. SCS Module 2 – Intel® SCS Overview
  4. SCS Module 3 – Intel® AMT Configuration
  5. SCS Module 4 – Jobs & Maintenance
  6. SCS Module 5 – Environmental Pre-requisites

Requirements

  1. A single VM running Windows Server 2012 (2008 R2 works).
  2. This VM must have the CA certificate of both the Enterprise Subordinate CA and the Standalone Root CA installed into the ‘Trusted Root Authorities’ store.
  3. SQL Server 2012 Express (2008 or better works).
  4. Intel SCS Service

Overview

  1. Configure the Certificate Trusts
  2. Install SQL Server Express
  3. Install SCS Service
  4. Configure SQL Permissions
  5. Generate a Provisioning Certificate
  6. Export the Provisioning Certificate
  7. Install the Provisioning Certificate

Configure the Certificate Trusts

  1. Login to your enterprise subordinate CA and copy the files from F:\wwwroot\intepub\certdata to the SCS VM at C:\Install_Files\CACertificates.
  2. On the SCS VM, start -> run -> mmc.
  3. When prompted, choose to run the certificate snap-in against the local computer account.
  4. Navigate to the ‘Trusted Root Certificate Authorities’ store.
  5. Right-click and choose ‘Import Certificate’.
  6. Import both certificates located at C:\Install_Files\CACertificates.

Install SQL Server Express

Next, install SQL Server Express on your Intel SCS VM. Here’s a nice video if you need help: tools & tech – install sql server 2012.

Install SCS Service

  1. RDP to your Intel SCS server.
  2. Download and extract the Intel SCS Service Installer.
  3. Run the file .\Intel-SCS-82\RCS\IntelSCSInstaller.exe
  4. On the ‘Welcome’ screen, select all three boxes: database, service, and console.
  5. On the ‘License Agreement’ screen, click ‘I accept’ and ‘next’.
  6. On the ‘Service Logon Authentication’ screen, click ‘Browse’, then ‘advanced’, then ‘Find Now’. Select ‘Network Service’ and click, OK, OK, Next.
  7. On the ‘Database Setup’ screen, in the ‘Database Server’ text box enter the name of the SCS server, then click ‘Next’.
  8. On the ‘Installer SQL Server Authentication’ screen, click ‘Next’.
  9. On the ‘Service SQL Server Authentication’ screen, click ‘Next’.
  10. On the ‘Confirm Setup Configuration’ screen, click ‘Install’.
  11. On the ‘InstallShield Wizard Completion’ screen, click ‘Finish’.

Configure SQL permissions for the Intel SCS Service

  1. In the start menu, run ‘SQL Server Management Studio’ from All Programs -> Microsoft SQL Server 2008 R2.
  2. On the ‘Connect to Server’ screen, click ‘Connect’.
  3. On the left navigation pane, navigate to Security -> Logins.
  4. Find the login named ‘NT AUTHORITY\NETWORK SERVICE’. Right-click this login and choose ‘Properties’.
  5. Navigate to the ‘User Mapping’ page. This is where the login is granted db_datareader and db_datawriter on the IntelSCS database.
  6. Click the word ‘IntelSCS’ to highlight that database’s row.
  7. In the bottom frame labeled “Database role membership for IntelSCS”, check the following boxes:
    • db_datareader
    • db_datawriter
    • public
  8. Click OK to save the changes, then exit SQL Server Management Studio.
  9. Restart the RCSServer service from the Windows Services applet.

Generate the Provisioning Certificate

  1. On your SCS server, run “MMC” as administrator, then add the ‘certificate’ snap-in.
  2. When prompted, choose to run the certificate snap-in against the local computer account.
  3. Navigate to Personal -> Certificates.
  4. Right-click and choose ‘All Tasks’ -> ‘Request New Certificate’.
  5. Complete the certificate request wizard. When prompted, choose to request an AMT Provisioning Certificate.

Export the Provisioning Certificate

  1. Open MMC and add the certificates snap-in, targeted at the local computer.
  2. Navigate to Personal -> Certificates
  3. Identify the AMT Provisioning Certificate. Right-click it and choose ‘Open’.
  4. Navigate to the ‘Details’ tab and choose ‘Copy to file’.
  5. On the ‘Welcome’ screen, click ‘Next’.
  6. On the ‘Export Private Key’ screen, choose ‘Yes, export the private key’ then choose ‘Next’.
  7. On the ‘Export File Format’ screen, choose the following two checkboxes, then choose ‘Next’.
    • Include all certificates in the certification path if possible.
    • Export all extended properties.
  8. On the ‘Password’ screen, enter a password to protect the private key.
  9. On the ‘File to Export’ screen, enter ‘C:\Install_Files\scs-prov-cert.pfx’ and click ‘Next’.
  10. On the ‘Completed’ screen, click ‘Close’.

Install the Provisioning Certificate

  1. Open a command prompt as administrator.
  2. Navigate to C:\Install_Files\IntelSCS82\Tools.
  3. Run the following command:
    RCSutils.exe /Certificate Add c:\Install_Files\scs-prov-cert.pfx  /RCSuser NetworkService
    net stop rcsserver && net start rcsserver
  4. Run the following command to verify the import. It will generate a text file with information about all the certificates stored by the RCS service.
     RCSUtils.exe /certificate view /RCSuser NetworkService /log file C:\rcsout.txt
  5. Open the file C:\rcsout.txt and ensure that the expected certificates are listed.

If you screw up the certs, you can remove them by running the certificate view function previously stated, and running the following command against each certificate’s serial number:

RCSUtils.exe /certificate remove <SerialNumber> /rcsuser networkservice

ex:
RCSUtils.exe /certificate remove 7C4656C3061F7F4C0D67B319A855F60EBC11FC44 /rcsuser networkservice

Congrats! You now have a viable SCS server installed. Next, we’ll cover configuring Active Directory to work with the SCS Service.

Intel vPro – Configuration – Part 3 – PKI Configuration

vPro Series of Posts


Now that your PKI is installed, we need to configure it for use with vPro.

Overview

  1. Create Provisioning Certificate Template
  2. Create AMT Device TLS Template

Creating the Provisioning Certificate Template

  1. RDP to your Enterprise Subordinate CA Server, then choose Start -> Run -> certtmpl.msc.
  2. Right-click the Web Server certificate template and choose ‘Duplicate’.
  3. Name the new template “AMT Provisioning Certificate”
  4. Navigate to the ‘Request Handling’ tab, and check the box labeled “Allow private key to be exported”.
  5. Navigate to the ‘Subject Name’ tab, and choose ‘Build from this Active Directory information’.
  6. Click the ‘Subject Name Format’ combo box and choose ‘Common Name’ from the list. Leave the other check boxes on this tab at their defaults.
  7. Navigate to the ‘Security’ tab, and grant the computer account of the server that will run the Intel SCS service the Read and Enroll permissions. If you don’t have a server configured to run Intel SCS yet, you will have to come back and do this later.
  8. Navigate to the ‘Extensions’ tab, click ‘Application Policies’, then click ‘Edit’.
  9. On the ‘Edit Application Policies Extension’ screen, click ‘Add’.
  10. On the ‘Add Application Policy’ screen, click “New”.
  11. On the ‘New Application Policy’ screen, enter the following:
    • Name: ‘AMT Provisioning’
    • Object Identifier: 2.16.840.1.113741.1.2.3
  12. Click ‘OK’ until the template is saved.

Create the AMT Device TLS Certificate Template

This template will be used by the Intel SCS service, which requests certificates from it on behalf of your AMT devices (the subject is supplied in each request, which is why the template is set up that way below). These certificates are installed into the AMT device firmware and used to authenticate the device’s TLS traffic, including the WebUI.

  1. RDP to your Enterprise Subordinate CA Server, then choose Start -> Run -> certtmpl.msc.
  2. Right-click the certificate template named “Web Server” and choose ‘Duplicate’.
  3. Name the new template “AMT TLS Certificate”.
  4. Navigate to the ‘Request Handling’ tab, and check the box labeled “Allow private key to be exported”.
  5. Navigate to the ‘Subject Name’ tab, and ensure that the radio button ‘Supply in the request’ is selected.
  6. Navigate to the ‘Security’ tab, and grant the Intel SCS Server the Read and Enroll permissions. If you don’t have a server configured to run Intel SCS, you will have to come back and do this later.
  7. Click ‘OK’ to save the template.

Enabling the Templates

  1. On your Enterprise Subordinate CA server, run the ‘Certification Authority’ tool.
  2. Navigate to the ‘Certificate Templates’ folder on the left pane.
  3. Right-click the ‘Certificate Templates’ folder and choose ‘New’ -> ‘Certificate Template to Issue’.
  4. Choose the ‘AMT Provisioning Certificate’ template, and click ‘OK’.
  5. Again, right-click the ‘Certificate Templates’ folder and choose ‘New’ -> ‘Certificate Template to Issue’.
  6. Choose the ‘AMT TLS Certificate’ template, and click ‘OK’. Both templates must be listed under ‘Certificate Templates’ before the SCS server can enroll against them.
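
A quick way to prove the templates are published and usable before Intel SCS gets involved is to enroll against the ‘AMT TLS Certificate’ template the same way SCS will, with the subject supplied in the request, and then inspect what the CA hands back. The PowerShell below is an added example for this page, not code from the original post or from Intel; it drives certreq.exe and assumes the template’s internal name is AMTTLSCertificate (the default when the display name is ‘AMT TLS Certificate’), an issuing CA config string of issuingca.yourdomain.com\YourDomain-Issuing-CA, and a test host name of amt-test01.yourdomain.com. Replace all three.

```powershell
# Added example (not from the original post): enroll a throwaway certificate from the
# 'AMT TLS Certificate' template with a caller-supplied subject, then check it against the
# vPro limits used in this series (RSA <= 2048 bits, sha1RSA). Run elevated on a domain
# member whose computer account has Read + Enroll on the template.

$CaConfig = 'issuingca.yourdomain.com\YourDomain-Issuing-CA'  # ASSUMED: "<CA host FQDN>\<CA name>"
$Template = 'AMTTLSCertificate'                               # ASSUMED: template name, not display name
$Fqdn     = 'amt-test01.yourdomain.com'                        # ASSUMED: test host name
$Work     = 'C:\Install_Files\tls-test'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$base = Join-Path $Work $Fqdn

# certreq INF. 'Subject' is set here because the template is configured 'Supply in the request';
# KeyLength stays at the 2048-bit ceiling AMT accepts.
@"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$base.inf" -Encoding ASCII

function Invoke-CertReq {
    param([string[]]$Arguments)
    & certreq.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "certreq $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

Invoke-CertReq -Arguments @('-new', "$base.inf", "$base.req")
Invoke-CertReq -Arguments @('-submit', '-config', $CaConfig, "$base.req", "$base.cer")
Invoke-CertReq -Arguments @('-accept', "$base.cer")   # installs the result into LocalMachine\My

$cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("$base.cer")
$sigAlg  = $cert.SignatureAlgorithm.FriendlyName
$keyBits = $cert.PublicKey.Key.KeySize
$ekus    = @($cert.Extensions |
             Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
             ForEach-Object { $_.EnhancedKeyUsages } |
             ForEach-Object { $_.FriendlyName }) -join ', '

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"SigAlg  : $sigAlg"
"Key bits: $keyBits"
"EKU     : $ekus"

if ($sigAlg -ne 'sha1RSA')        { Write-Warning "CA signed with $sigAlg; this series needs sha1RSA (re-check the CA hash setting from the PKI install)." }
if ($keyBits -gt 2048)            { Write-Warning "Key is $keyBits bits; AMT accepts at most 2048." }
if ($cert.Subject -ne "CN=$Fqdn") { Write-Warning "Subject was not taken from the request; check 'Supply in the request' on the template." }

# Remove the test certificate from the machine store again (certutil works on every PowerShell version).
& certutil.exe -delstore My $cert.Thumbprint | Out-Null
```

If `certreq -submit` reports that the request is pending or that the template is unknown, the usual causes are the template not being added under ‘Certificate Templates’ on the CA, or the computer account lacking Enroll on it; both are fixed in the steps above rather than on the client.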

Great! Now you’re ready to install and configure the Intel SCS Service. This will be detailed in a future post.

Intel vPro – Configuration – Part 2 – PKI Installation

vPro Series of Posts


At this point in the series, our goal is to set up the simplest possible configuration to get vPro working as a proof-of-concept. The proof-of-concept will use a provisioning certificate issued by our own PKI (what this series loosely calls a “self-signed” certificate), so we will need to install a Certificate Authority. A single-tier PKI would keep the root CA online and issuing certificates, so a compromise of the issuing CA would be a compromise of the root; since that is unsafe for the CA that AMT devices are told to trust, we will install a two-tier PKI with an offline root.

This post will cover the following:

  1. Installing the Offline Standalone Root CA
  2. Installing the Online Enterprise Subordinate (Issuing) CA

Installing the Offline Standalone Root CA

Requirements

You will need two VM’s:

  • Standalone root CA: Windows Server 2008 Standard or better.
  • Enterprise subordinate CA: Windows Server 2008 Enterprise or better.

Concepts

Please read the following blog post a couple of times in order to learn the concepts behind PKI. Without this information, it will be difficult to continue.

In our case, we will configure IIS on the enterprise subordinate CA and use it as the AIA and CDP locations for both the offline standalone root and the online enterprise subordinate issuing CA.

Procedure

  1. Install Windows Server 2008 Standard or above on the VM.
  2. Download the following scripts from my blog post titled Server 2008 R2 Standalone Root CA Install Script and store them on the VM at the folder C:\Install_Files.
    1. capolicy.inf
    2. SetupCA-RootCA.ps1
    3. Install-StandAloneCA.cmd
  3. Modify capolicy.inf.
    1. Remove the following lines:
      [LegalPolicy]
      URL = "http://certs.chemistry.ohio-state.edu/CertData/cps.docx"
    2. Change the line ‘renewalkeylength’ from 4096 to 2048. vPro doesn’t support keys larger than 2048.
  4. Modify SetupCA-RootCA.ps1 line 351.
    1. Replace the value of -CAName with a friendly name for your CA (you get to choose this).
    2. Change -DNSuffix to match the distinguished name of your domain. You can find this by running the following command in PowerShell:
      ([adsi]'').distinguishedname
    3. Finally, change -HashAlgorith from SHA256 to SHA1. vPro doesn’t support SHA256 certificates. SHA1 signatures are deprecated everywhere else, which is one more reason to keep this PKI dedicated to AMT rather than reuse it for other services.
  5. Modify Install-StandAloneCA.cmd
    1. Insert your domain’s distinguished name on line 9.
    2. On line 20, replace the entire line with the following code. Replace the URL with the FQDN of your future Enterprise Subordinate CA.
      certutil -setreg CA\CRLPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://cdp.yourdomain.com/Certdata/%%3%%8%%9.crl"
    3. On line 23, replace the entire line with the following code. Replace the URL with the FQDN of your future Enterprise Subordinate CA.
      certutil -setreg CA\CACertPublicationURLs  "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://aia.yourdomain.com/CertData/%%1_%%3%%4.crt"
  6. After placing all three files into C:\Install_Files, launch a command prompt as administrator and type the following commands:
    cd C:\Install_Files
    Install-StandAloneCA.cmd
    certutil -crl

Enterprise Subordinate Issuing CA

Now that your Offline Root CA is configured, it’s time to install the Enterprise Issuing CA.

Procedure

  1. Install Windows Server 2008 Enterprise or above on the VM.
  2. Create partitions on the server like the following:
    • C:\, 25GB, boot
    • D:\, 5GB, cert db
    • E:\, 5GB, logs
    • F:\, 5GB, inetpub
  3. Download the following scripts from my blog post titled Server 2008 Enterprise Subordinate CA Install Scripts and store them on the VM at the folder C:\Install_Files.
    1. capolicy.inf
    2. Setup-IssuingCA1.ps1
    3. Install-ADCS.cmd
  4. Modify capolicy.inf.
    1. Remove the following lines:
      [LegalPolicy]
      URL = "http://certs.chemistry.ohio-state.edu/CertData/cps.docx"
    2. Change the line ‘renewalkeylength’ from 4096 to 2048. vPro doesn’t support keys larger than 2048.
  5. Modify Setup-IssuingCA1.ps1 line 351.
    1. Replace the value of -CAName with a friendly name for your CA (you get to choose this).
    2. Change -DNSuffix to match the distinguished name of your domain. You can find this by running the following command in powershell:
      ([adsi]'').distinguishedname
    3. Finally, change -HashAlgorith from SHA256 to SHA1. vPro doesn’t support SHA256 certificates.
  6. Modify Install-ADCS.cmd
    1. Insert your domain’s distinguished name on line 9.
    2. On line 20, replace the entire line with the following code. Replace the URL with the FQDN of your future Enterprise Subordinate CA.
      certutil -setreg CA\CRLPublicationURLs "65:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n65:F:\inetpub\wwwroot\certdata\%%3%%8%%9.crl\n6:http://cdp.yourdomain.com/Certdata/%%3%%8%%9.crl"
    3. On line 23, replace the entire line with the following code. Replace the URL with the FQDN of your future Enterprise Subordinate CA.
      certutil -setreg CA\CACertPublicationURLs  "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n1:F:\inetpub\wwwroot\certdata\%%1_%%3%%4.crt\n2:http://aia.yourdomain.com/CertData/%%1_%%3%%4.crt"
  7. After placing all three files into C:\Install_Files, launch a command prompt as administrator and type the following commands:
    cd C:\Install_Files
    Install-ADCS.cmd
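
The certutil -setreg lines in both CA procedures are dense: each entry is ‘<flags>:<path template>’, the numeric prefix is a bitmask that decides where the CA writes the CRL or CA certificate and which URLs end up in the CDP and AIA extensions of issued certificates, and the %-tokens are expanded by the CA at publication time. The function below is an added example for this page, not code from the original post or its scripts; it decodes the subordinate CA strings above (the root CA strings use the same format) with the flag values and token names documented for AD CS. The sample token values (host issuingca.yourdomain.com, CA name YourDomain-Issuing-CA) are assumptions for illustration.

```powershell
# Added example (not from the original post): decode the CRLPublicationURLs / CACertPublicationURLs
# strings written by the certutil -setreg lines above, so you can see what each entry does and what
# file name or URL it will expand to. Flag bits and %-tokens are the ones AD CS documents.

$CrlFlagNames = @{
    1   = 'publish CRLs to this location'                                   # CSURL_SERVERPUBLISH
    2   = 'include in the CDP extension of issued certificates'             # CSURL_ADDTOCERTCDP
    4   = 'include in CRLs so clients can find delta CRLs (Freshest CRL)'   # CSURL_ADDTOFRESHESTCRL
    8   = 'include in all CRLs (AD publication location)'                   # CSURL_ADDTOCRLCDP
    64  = 'publish delta CRLs to this location'                             # CSURL_SERVERPUBLISHDELTA
    128 = 'include in the IDP extension of issued CRLs'                     # CSURL_ADDTOIDP
}
$AiaFlagNames = @{
    1   = 'publish the CA certificate to this location'                     # CSURL_SERVERPUBLISH
    2   = 'include in the AIA extension of issued certificates'             # CSURL_ADDTOCERTCDP
    32  = 'include in the OCSP extension of issued certificates'            # CSURL_ADDTOCERTOCSP
}

function Expand-PublicationUrls {
    param(
        [string]$Setting,       # the quoted value handed to certutil -setreg, "\n"-separated
        [hashtable]$FlagNames,  # $CrlFlagNames or $AiaFlagNames
        [hashtable]$Tokens      # %-token values to substitute
    )
    # certutil separates entries with a literal "\n"; .cmd files double the % signs, so undo that first.
    $entries = $Setting.Replace('%%', '%') -split '\\n'
    foreach ($entry in $entries) {
        $flags, $template = $entry -split ':', 2      # the path itself may contain ':' (drive letter, http://)
        $flags = [int]$flags
        $meaning = @()
        foreach ($bit in ($FlagNames.Keys | Sort-Object)) {
            if ($flags -band $bit) { $meaning += $FlagNames[$bit] }
        }
        $expanded = $template
        # Substitute longer tokens first so a token such as %windir% is not mangled by a shorter one.
        foreach ($t in ($Tokens.Keys | Sort-Object -Property { $_.Length } -Descending)) {
            $expanded = $expanded.Replace($t, $Tokens[$t])
        }
        New-Object PSObject -Property @{ Flags = $flags; Template = $template; Expanded = $expanded; Meaning = ($meaning -join '; ') }
    }
}

# ASSUMED sample token values for the issuing CA's first key and a base CRL.
# %8 carries a renewal suffix such as "(1)" after a CA key renewal; %9 becomes "+" for a delta CRL.
$subTokens = @{
    '%1'       = 'issuingca.yourdomain.com'   # ServerDNSName
    '%2'       = 'issuingca'                  # ServerShortName
    '%3'       = 'YourDomain-Issuing-CA'      # CaName
    '%4'       = ''                           # CertificateName (renewal index, empty for the first certificate)
    '%8'       = ''                           # CRLNameSuffix
    '%9'       = ''                           # DeltaCRLAllowed
    '%windir%' = 'C:\Windows'                 # expanded by cmd.exe, not by certutil
}

# The two strings from the Install-ADCS.cmd edits above, as they appear in the .cmd file.
$crlSetting = '65:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n65:F:\inetpub\wwwroot\certdata\%%3%%8%%9.crl\n6:http://cdp.yourdomain.com/Certdata/%%3%%8%%9.crl'
$aiaSetting = '1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n1:F:\inetpub\wwwroot\certdata\%%1_%%3%%4.crt\n2:http://aia.yourdomain.com/CertData/%%1_%%3%%4.crt'

'--- Subordinate CA CRL locations (base CRL) ---'
Expand-PublicationUrls -Setting $crlSetting -FlagNames $CrlFlagNames -Tokens $subTokens | Format-Table Flags, Expanded, Meaning -AutoSize -Wrap

'--- Subordinate CA CRL locations (delta CRL) ---'
$delta = $subTokens.Clone(); $delta['%9'] = '+'
Expand-PublicationUrls -Setting $crlSetting -FlagNames $CrlFlagNames -Tokens $delta | Format-Table Flags, Expanded, Meaning -AutoSize -Wrap

'--- Subordinate CA certificate (AIA) locations ---'
Expand-PublicationUrls -Setting $aiaSetting -FlagNames $AiaFlagNames -Tokens $subTokens | Format-Table Flags, Expanded, Meaning -AutoSize -Wrap
```

Reading the output side by side with the two procedures shows the intent of the numbers: the root CA only publishes a base CRL (1) and advertises the HTTP URL in issued certificates (2), while the issuing CA publishes base and delta CRLs to both the local CertEnroll folder and the IIS folder (65) and advertises only the HTTP URL, which is the single location an AMT device can actually reach, in the CDP and Freshest CRL extensions (6). The AIA entries follow the same pattern with 1 for the file drops and 2 for the HTTP URL.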

Fixing Certificate Validation

Before we continue, we need to configure the AIA and CDP points so that certificate validation will pass. Otherwise, the subordinate CA won’t trust the root when we try to link them.

  1. Download the following scripts from my blog post titled Server 2008 Enterprise Subordinate CA Install Scripts – Part 2 – IIS and store them on the VM at the folder C:\Install_Files.
    1. Install-SubCA-IIS.cmd
    2. MoveIISRoot.cmd
  2. Open a command prompt as administrator and type the following commands:
    cd C:\Install_Files
    Install-SubCA-IIS.cmd
  3. Log in to the Standalone Root CA and copy the files located at C:\Windows\System32\certsrv\certdata to the Subordinate CA’s path F:\inetpub\wwwroot\CertData. These files are the root CA certificate and its initial (empty) CRL, which is exactly what the AIA and CDP URLs configured earlier must serve.

Linking the two CA’s

You might notice that after running Install-ADCS.cmd, the script gives you an error that the Enterprise Subordinate CA does not have a CA certificate and thus cannot start. Here’s how we fix that.

Step 1 – Establish Trust

In order for the servers to have a parent-child relationship, the child CA must trust the parent CA.

  1. Login to the Subordinate CA.
  2. Start -> Run (or Windows+R) -> “mmc”
  3. File -> Add/Remove Snap-in -> Certificates -> Computer Account -> Local Computer.
  4. Expand until you see ‘Trusted Root Certification Authorities’.
  5. Right-click ‘Trusted Root Certification Authorities’ and choose ‘All Tasks’ -> ‘Import’.
  6. Follow the wizard, selecting the root CA’s .crt file in F:\inetpub\wwwroot\CertData\ that was copied from the Standalone CA.

Step 2 – Generate a CA Certificate for the Subordinate CA

  1. Look on the C drive of the Enterprise Subordinate CA. You will see a certificate request file. Copy this file to your Standalone Root CA.
  2. Login to the standalone root CA and launch the Certificate Authority snap-in from ‘Administrative Tools’.
  3. Right-click the Standalone Root CA and choose ‘All Tasks’ -> ‘Submit New Request’.
  4. Open the request file saved from the C drive of the Enterprise Subordinate CA.
  5. Navigate to ‘Pending Requests’.
  6. Right-click the Pending Request for the Enterprise Subordinate CA’s certificate and choose ‘Approve’.
  7. Navigate to ‘Issued Certificates’.
  8. Double-click the Enterprise Subordinate CA’s certificate.
  9. Navigate to the ‘Details’ tab.
  10. Choose ‘Copy to File…’
  11. Follow the wizard, accepting the defaults. Save the file and copy it to the Enterprise Subordinate CA.

Step 3 – Install the Subordinate CA’s CA Certificate

  1. Login to the Enterprise Subordinate CA and launch the Certificate Authority snap-in from ‘Administrative Tools’.
  2. Right-click the Enterprise Subordinate CA and choose ‘Install CA Certificate’.
  3. Select the certificate file copied from the Standalone Root CA.
  4. Right-click the Enterprise Subordinate CA and choose ‘All Tasks’ -> ‘Start Service’.

Verification

Both certificate servers should now be working and able to issue and verify certificates. To test this, log in to the Enterprise Subordinate CA and run ‘PKIView.msc’. It should enumerate your PKI, and every AIA and CDP location for both CAs should show status OK with no errors.
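
PKIView is a one-off visual check; the same test is worth scripting so it can be re-run after every CRL publication or IIS change. The PowerShell below is an added example for this page, not code from the original post. It takes a certificate issued by the root (the subordinate CA’s own certificate is the natural candidate, since its CDP and AIA extensions point at the offline root’s files on the IIS server), extracts the HTTP URLs from those extensions, downloads each one, checks that what came back is DER and, for AIA, that it really is the issuer’s certificate, and finally lets certutil perform the authoritative chain build with URL fetching. It assumes the certificate was saved to C:\Install_Files\subca.cer and that no OCSP responder is configured (so every AIA URL is a CA certificate), both of which match this series.

```powershell
# Added example (not from the original post): automate the CDP/AIA reachability check that
# PKIView does by hand, for one certificate issued by the offline root.

$CertPath = 'C:\Install_Files\subca.cer'   # ASSUMED: the subordinate CA's certificate exported from the root

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# Pull every http(s) URL out of an extension. Format($true) renders the extension as text with
# lines such as "URL=http://cdp.yourdomain.com/Certdata/x.crl"; LDAP URLs are deliberately ignored,
# because an AMT device has no way to follow them.
function Get-ExtensionUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate, [string]$Oid)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return @() }
    $text = $ext.Format($true)
    return @([regex]::Matches($text, 'URL=(https?://\S+)') | ForEach-Object { $_.Groups[1].Value })
}

$checks = @(
    @{ Kind = 'CDP'; Oid = '2.5.29.31' },          # CRL Distribution Points
    @{ Kind = 'AIA'; Oid = '1.3.6.1.5.5.7.1.1' }   # Authority Information Access
)

$failed = 0
$web = New-Object System.Net.WebClient
foreach ($check in $checks) {
    $urls = @(Get-ExtensionUrls -Certificate $cert -Oid $check.Oid)
    if ($urls.Count -eq 0) { "$($check.Kind) FAIL  no HTTP URL in the extension"; $failed++; continue }
    foreach ($url in $urls) {
        try {
            $bytes = $web.DownloadData($url)
        } catch {
            "$($check.Kind) FAIL  $url  ($($_.Exception.Message))"; $failed++; continue
        }
        # A DER CRL and a DER certificate both start with an ASN.1 SEQUENCE tag (0x30).
        # An IIS error page or directory listing fails this test even though the download "succeeded".
        if ($bytes.Length -eq 0 -or $bytes[0] -ne 0x30) {
            "$($check.Kind) FAIL  $url  (response is not DER: $($bytes.Length) bytes)"; $failed++; continue
        }
        if ($check.Kind -eq 'AIA') {
            # The AIA object must be the issuer's certificate: its subject must equal this cert's issuer.
            $issuer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
            if ($issuer.Subject -ne $cert.Issuer) {
                "$($check.Kind) FAIL  $url  (served '$($issuer.Subject)', expected '$($cert.Issuer)')"; $failed++; continue
            }
        }
        "$($check.Kind) OK    $url  ($($bytes.Length) bytes)"
    }
}

# Authoritative check: full chain build with online AIA/CDP retrieval and CRL validity, as a client would do it.
& certutil.exe -verify -urlfetch $CertPath | Out-Null
if ($LASTEXITCODE -ne 0) {
    "certutil -verify -urlfetch FAILED (exit $LASTEXITCODE); run it by hand to see which URL or CRL is at fault"
    $failed++
} else {
    'certutil -verify -urlfetch OK'
}

if ($failed -eq 0) { 'All CDP/AIA locations are reachable and valid' } else { "$failed check(s) failed" }
```

The most common failure this catches is a CRL that downloads fine but has expired, because the offline root was never brought up again to run `certutil -crl` before its CRL’s Next Update; certutil reports that where the raw download check cannot.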

Congrats! Your PKI is now installed. Look to the next post for configuring your PKI for Intel AMT.

Intel vPro – Configuration – Part 1 – Architecture Overview

vPro Series of Posts


My last vPro post was a first-look at vPro and what it offers. This post will cover the vPro configuration possibilities, architecture, and requirements.

Architecture Overview

Basic Network Requirements

First of all, the AMT device will need a DNS name and an IP address. If you’re using Microsoft DNS servers in an Active Directory domain with DDNS enabled, then you’re good to go. AMT will use the DNS name and IP Address of the Windows Operating System installed on the AMT-enabled workstation. Otherwise, you’ll have to custom-tailor the provisioning process for your DNS\IP environment (more on that in later posts).

Server Requirements

To enable and configure AMT, you’ll need:

  1. A server to run the Intel Setup and Configuration Software (Intel SCS).
  2. SCS requires Microsoft SQL (express edition is fine).
  3. A PKI, if you want to run AMT in TLS encrypted mode. Every certificate in the chain of trust must be SHA1-signed and no key may be larger than 2048 bits, which means you may not be able to use your current PKI (and should not mix these weakened settings into a PKI that serves anything else). However, configuring a PKI well isn’t as hard as it sounds and will be detailed in later posts.
  4. The ability to create and delegate an OU in Active Directory, if you want to use Active Directory to handle permissions for connecting to the AMT object. Otherwise, you can use local AMT users (called “Digest Users”).

Provisioning Certificate

AMT comes disabled on systems by default. To enable AMT, you must ‘provision’ the systems. The Intel SCS service will help you do this, but you must have a ‘Provisioning Certificate’. This certificate can be either purchased from a third-party Certificate Authority that the AMT firmware already trusts, or issued by your own PKI.

The certificate has specific requirements, so one issued by your own PKI will require a custom certificate template. Also, with your own PKI the provisioning process cannot be fully automated. Since the AMT device isn’t pre-programmed to trust your certificate authority, it’s necessary to either use USB provisioning or manually enter the root CA certificate’s thumbprint into the AMT device via its BIOS interface. This is a pain.

My next few vPro posts will cover the configuration of a reference system with TLS, Kerberos, and a Self-Signed provisioning certificate. Thanks!