Archive for December, 2013

A CA is necessary if you want to configure any of these settings in an Intel AMT device:

  • Remote Access
  • Transport Layer Security
  • 802.1x Setups
  • End-Point Access Control

During configuration of these settings, Intel SCS sends a request to a CA software application to generate a certificate. Intel SCS puts the generated certificate in the Intel AMT device.

Intel SCS supports the Standalone and Enterprise versions of Microsoft CA. The Microsoft CA can have a hierarchy of CAs, with subordinate CAs and a root CA. In my lab environment I only have a root CA so this guide will show the setup of this. At the customer where I implemented this I was using a subordinate CA so it’s also fully possible to use a subordinate CA if your configuration requires that.

These features require a Standalone root CA or an Enterprise root CA:

  • Transport Layer Security (including mutual authentication)
  • Remote Access with password-based authentication

These features require an Enterprise root CA:

  • Remote Access with certificate-based authentication
  • 802.1x setups (Wired or WiFi)
  • EAC settings

Here I will go through the steps for configuring your Enterprise Root CA and the templates required for the integration between Configuration Manager 2012 R2 and Intel SCS 9.0. I’m running my Enterprise Root CA on Windows Server 2012 R2, so some of the settings might be found in different places in earlier versions of Windows Server. If you need guidance on installing your CA, this can be found on TechNet for Windows Server 2008 and Windows Server 2012.

Required Permissions on the CA

  • Configure the required permissions on the CA. These permissions must be granted on the CA to the user account running the Intel SCS component that does the configuration (this is the CM_AMT account created in Part 2 of this series):
    • Issue and Manage Certificates
    • Request Certificates

Request Handling

  1. Certification Authorities include settings that define how certificate requests are handled. Intel SCS does not support pending certificate requests. If during configuration the CA puts the certificate into the “Pending Requests” state, Intel SCS returns an error (#35). Thus, you must make sure that the CA and the templates used by Intel SCS are not defined to put certificate requests into a pending state. For Enterprise and Standalone CAs, request handling is defined in the Request Handling tab (right-click the CA and select Properties > Policy Module > Properties). Make sure that the correct option is selected (shown in yellow in the screenshot below).

For Enterprise CAs, you must also make sure that the templates used by Intel SCS are not defined to require approval. Make sure that the CA certificate manager approval check box is NOT selected (shown in yellow in the screenshot below).
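The CA-side half of this check can be scripted. The following is an added example, not code from the original post or from Intel: it reads the policy module's RequestDisposition value with certutil and reports whether requests are issued or pended (the pended state is what produces Intel SCS error #35). The REQDISP_* constants are taken from the certsrv.h SDK header; the remote CA name in the last line is an assumed placeholder.

```powershell
# Added example: verify the CA policy module's Request Handling setting.
# Constants as defined in certsrv.h (assumed from the Windows SDK header).
$REQDISP_PENDING = 0x0   # "Set the certificate request status to pending"
$REQDISP_ISSUE   = 0x1   # "Follow the settings in the certificate template, if applicable. Otherwise, automatically issue"
$REQDISP_MASK    = 0xFF  # low byte is the disposition; higher bits are modifier flags

function Get-CARequestDisposition {
    param([string]$CAConfig)   # "host\CA name"; empty = the local CA
    $cmdArgs = @()
    if ($CAConfig) { $cmdArgs += '-config', $CAConfig }
    $out = (& certutil.exe @cmdArgs -getreg 'policy\RequestDisposition' 2>&1) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "certutil failed:`n$out" }
    # certutil prints e.g. "  RequestDisposition REG_DWORD = 101 (257)"; the first number is hex
    $m = [regex]::Match($out, 'RequestDisposition\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)')
    if (-not $m.Success) { throw "unexpected certutil output:`n$out" }
    [Convert]::ToInt32($m.Groups[1].Value, 16)
}

function Test-CARequestHandling {
    param([string]$CAConfig)
    $disp = Get-CARequestDisposition -CAConfig $CAConfig
    $base = $disp -band $REQDISP_MASK
    $note = switch ($base) {
        $REQDISP_PENDING { 'requests are pended: Intel SCS will fail with error #35' }
        $REQDISP_ISSUE   { 'OK: CA issues immediately (template approval flag is a separate check)' }
        default          { 'unexpected disposition value' }
    }
    [pscustomobject]@{
        RawValue          = ('0x{0:X}' -f $disp)
        IssuesImmediately = ($base -eq $REQDISP_ISSUE)
        Note              = $note
    }
}

Test-CARequestHandling                                           # local CA
# Test-CARequestHandling -CAConfig 'ca01.lab.local\Lab Root CA'  # assumed remote CA name
```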

Create the AMT Client Configuration Certificate Template

First we create a template for Intel AMT features that use certificate-based authentication.

  1. On the server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates console.
  2. In the results pane, right-click the entry that displays User in the Template Display Name column, and then click Duplicate Template.
  3. In the Properties of New Template dialog box, on the Compatibility tab, ensure that Windows Server 2003 is selected for Certification Authority and Windows XP/Server 2003 is selected for Certificate recipient.
  4. In the Properties of New Template dialog box, on the General tab, enter a template name for the AMT provisioning certificate template. I’ve used AMT Client Configuration Certificate in my example.
  5. Make sure that the Publish certificate in Active Directory check box is NOT selected.
  6. Change the validity and renewal periods as required by your policy. I’ve selected 5 years validity period and 6 weeks renewal period.
  7. In the Properties of New Template dialog box, on the Cryptography tab, in the list of providers, mark the check box beside Microsoft Strong Cryptographic Provider.
  8. In the Properties of New Template dialog box, on the Subject Name tab, select Supply in the request. (If you get a warning dialog box, click OK on it.)
  9. In the Properties of New Template dialog box, on the Security tab, add the user running the Configurator with Read and Enroll permissions. (This is the CM_AMT user we created in Part 2 of this series)
  10. In the Properties of New Template dialog box, on the Extensions tab, from the list of extensions, select Application Policies and click Edit. The Edit Application Policies Extension window opens.
  11. Click Add. The Add Application Policy window opens.
  12. From the list of Application policies, select Server Authentication and click OK.
  13. Back in the Edit Application Policies Extension window, click Add again. The Add Application Policy window opens.
  14. In the Add Application Policy window click New.
  15. In the New Application Policy window, type AMT Local Access in the Name field, and then type the following number for the Object identifier: 2.16.840.1.113741.1.2.2. Click OK.
  16. Back in the Add Application Policy window click New.
  17. In the New Application Policy window, type AMT Remote Access in the Name field, and then type the following number for the Object identifier: 2.16.840.1.113741.1.2.1. Click OK.
  18. Back in the Add Application Policy window, hold down CTRL, select both AMT Local Access and AMT Remote Access, and then click OK.
  19. You should then be back in the Edit Application Policies Extension window, and it should look like this:
  20. Click OK to return to the Properties of New Template window.
  21. Click OK, and close the Certificate Templates console.
  22. In Certification Authority, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
  23. Select the template that you just created (AMT Client Configuration Certificate) and click OK. The Enable Certificate Templates window closes and the template is added to the right pane with the other certificate templates.

Create the AMT Provisioning Certificate Template

Second we create the Provisioning Certificate Template for Configuration Manager 2012 R2. This certificate is needed so we can configure the Out Of Band Service Point.

  1. On the server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates console.
  2. In the results pane, right-click the entry that displays Web Server in the Template Display Name column, and then click Duplicate Template.
  3. In the Properties of New Template dialog box, on the Compatibility tab, ensure that Windows Server 2003 is selected for Certification Authority and Windows XP/Server 2003 is selected for Certificate recipient.
  4. In the Properties of New Template dialog box, on the General tab, enter a template name for the AMT provisioning certificate template, such as ConfigMgr 2012 R2 AMT Provisioning.
  5. Click the Subject Name tab, select Build from this Active Directory information, and then select Common name.
  6. Click the Extensions tab, make sure Application Policies is selected, and then click Edit.
  7. In the Edit Application Policies Extension dialog box, click Add.
  8. In the Add Application Policy dialog box, click New.
  9. In the New Application Policy dialog box, type AMT Provisioning in the Name field, and then type the following number for the Object identifier: 2.16.840.1.113741.1.2.3.
  10. Click OK, and then click OK in the Add Application Policy dialog box.
  11. Click OK in the Edit Application Policies Extension dialog box.
  12. In the Properties of New Template dialog box, you should now see the following listed as the Application Policies description: Server Authentication and AMT Provisioning.
  13. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.
  14. Click Add, enter the name of the computer account for the out of band service point site system role, and then click OK.
  15. Select the Enroll permission for this group, and do NOT clear the Read permission.
  16. Click OK, and close the Certificate Templates console.
  17. In Certification Authority, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
  18. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr 2012 R2 AMT Provisioning, and then click OK.
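Both templates created above can be verified after the fact by reading them back from the Configuration partition. This is an added example, not code from the original post or from Intel or Microsoft: it checks the two settings Intel SCS depends on (no CA manager approval, and for the client template the subject supplied in the request and no publishing to AD) and that the expected application policy OIDs are present. It needs the ActiveDirectory module (RSAT); the flag bit values are the msPKI-Enrollment-Flag and msPKI-Certificate-Name-Flag bits documented in MS-CRTD.

```powershell
# Added example: verify the AMT certificate templates in Active Directory.
Import-Module ActiveDirectory
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # "CA certificate manager approval" (MS-CRTD)
$CT_FLAG_PUBLISH_TO_DS             = 0x8   # "Publish certificate in Active Directory"
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # Subject Name: "Supply in the request"
$OID = @{ ServerAuth = '1.3.6.1.5.5.7.3.1'; AmtRemote = '2.16.840.1.113741.1.2.1'
          AmtLocal = '2.16.840.1.113741.1.2.2'; AmtProvisioning = '2.16.840.1.113741.1.2.3' }

function Get-CertTemplate {
    param([string]$DisplayName)
    $cfg = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg" `
        -LDAPFilter "(displayName=$DisplayName)" `
        -Properties 'msPKI-Enrollment-Flag','msPKI-Certificate-Name-Flag','msPKI-Certificate-Application-Policy'
}

function Test-AmtTemplate {
    param([string]$DisplayName, [string[]]$RequiredOids, [switch]$SubjectInRequest, [switch]$NoPublish)
    $t = Get-CertTemplate -DisplayName $DisplayName
    if (-not $t) { return "$DisplayName : template not found in AD" }
    $problems = @()
    $ef = [int]$t.'msPKI-Enrollment-Flag'
    $nf = [int]$t.'msPKI-Certificate-Name-Flag'
    if ($ef -band $CT_FLAG_PEND_ALL_REQUESTS) { $problems += 'requires CA manager approval (Intel SCS error #35)' }
    if ($NoPublish -and ($ef -band $CT_FLAG_PUBLISH_TO_DS)) { $problems += 'publishes the certificate to AD' }
    if ($SubjectInRequest -and -not ($nf -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)) {
        $problems += 'subject name is not "Supply in the request"'
    }
    foreach ($oid in $RequiredOids) {
        if ($t.'msPKI-Certificate-Application-Policy' -notcontains $oid) { $problems += "missing application policy $oid" }
    }
    if ($problems.Count) { "$DisplayName : " + ($problems -join '; ') } else { "$DisplayName : OK" }
}

Test-AmtTemplate 'AMT Client Configuration Certificate' -SubjectInRequest -NoPublish `
    -RequiredOids $OID.ServerAuth, $OID.AmtLocal, $OID.AmtRemote
Test-AmtTemplate 'ConfigMgr 2012 R2 AMT Provisioning' -RequiredOids $OID.ServerAuth, $OID.AmtProvisioning
```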

The AMT provisioning certificate from your internal CA is now ready to be installed on the out of band service point server. (Microsoft has this guide posted on TechNet as well.)

Install the AMT Provisioning Certificate

We then need to install the AMT Provisioning Certificate on our Configuration Manager server that will run the Out Of Band Service Point.

  1. Restart the member server that runs IIS, to ensure it can access the certificate template with the configured permission.
  2. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.
  3. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.
  4. In the Certificate snap-in dialog box, select Computer account, and then click Next.
  5. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish.
  6. In the Add or Remove Snap-ins dialog box, click OK.
  7. In the console, expand Certificates (Local Computer), and then click Personal.
  8. Right-click Certificates, click All Tasks, and then click Request New Certificate.
  9. On the Before You Begin page, click Next.
  10. If you see the Select Certificate Enrollment Policy page, click Next.
  11. On the Request Certificates page, select ConfigMgr 2012 R2 AMT Provisioning from the list of displayed certificates, and then click Enroll.
  12. On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish.
  13. Close Certificates (Local Computer).
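The same enrollment can be done from PowerShell on Windows Server 2012 or later with the PKIClient module's Get-Certificate cmdlet. This is an added example, not from the original post or from Microsoft; it assumes the template name (CN) is the display name with spaces removed, which is the console's default, and must be run elevated because it enrolls into the machine store. It then confirms the issued certificate carries the AMT Provisioning EKU.

```powershell
# Added example: enroll the provisioning certificate and verify its EKUs.
$TemplateName       = 'ConfigMgr2012R2AMTProvisioning'   # assumed CN of the template
$AmtProvisioningOid = '2.16.840.1.113741.1.2.3'
$ServerAuthOid      = '1.3.6.1.5.5.7.3.1'

function Request-AmtProvisioningCert {
    param([string]$Template)
    # Machine-store enrollment: run from an elevated PowerShell on the OOB service point server.
    $r = Get-Certificate -Template $Template -CertStoreLocation 'Cert:\LocalMachine\My'
    if ($r.Status -ne 'Issued') {
        throw "Enrollment status is $($r.Status); Pending means the CA or template still requires approval"
    }
    $r.Certificate
}

function Test-AmtProvisioningCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku  = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
    [pscustomobject]@{
        Subject         = $Cert.Subject
        Thumbprint      = $Cert.Thumbprint
        HasPrivateKey   = $Cert.HasPrivateKey          # must be true for the OOB service point
        ServerAuth      = ($oids -contains $ServerAuthOid)
        AmtProvisioning = ($oids -contains $AmtProvisioningOid)
    }
}

$cert = Request-AmtProvisioningCert -Template $TemplateName
Test-AmtProvisioningCert -Cert $cert
```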

The AMT provisioning certificate from your internal CA is now installed and is ready to be selected in the out of band service point properties. (Microsoft has this guide posted on TechNet as well.)

Previous Postings in this series:

Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 1 : Introduction
Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 2 : Active Directory

This is Part 2 in a series of blog posts about Integrating Configuration Manager 2012 R2 with Intel SCS 9.0. This part will focus on the Active Directory configuration.

Intel AMT supports the Kerberos authentication method. This means that Intel SCS and Configuration Manager 2012 R2 can authenticate with the Intel AMT device using “Kerberos” users. These users are defined in the Intel AMT device using the Access Control List.

Integration of Intel AMT with your AD is mandatory when using the Add-on to configure Intel AMT. When integration is enabled, during configuration Intel SCS creates an AD object for the Intel AMT device. Some of the entries in this object define parameters used in Kerberos tickets.

Before you can integrate Intel AMT with your AD, you must:

  1. Create an Organizational Unit (OU) in AD to store objects containing information about the Intel AMT devices. In a multiple domain environment, Intel recommends that you create an OU for each domain.
    I’ve created an OU named AMT Provisioned Computers

  2. Create a universal security group that will contain accounts for the provisioned AMT-based computers. (This is needed when configuring the Out of Band Management components.)
    I’ve named the group SCCM 2012 R2 AMT Provisioned Computers

  3. Create a user account for AMT Provisioning.
    I’ve named my user account CM_AMT

  4. Create a user group in your AD that will contain user accounts that need access to Intel AMT.
    I’ve named the group SCCM 2012 R2 AMT Administrators
    Add the following accounts to this Group:

    1. The user account created for AMT Provisioning in previous step (CM_AMT)
    2. User accounts running the Configuration Manager console (so that they can use the OOB Management Console).
    3. The computer account of the computer running the Configuration Manager. This will enable SCCM to run OOB Management Controller Discovery with these credentials.

  5. Give Create/Delete permissions in the OU you created in Step 1 to the user account running the Intel SCS component doing the configuration. (This is the user account created in Step 3.)

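Steps 1 to 5 can be scripted with the ActiveDirectory module. This is an added example, not code from the original post or from Intel: it creates the OU, the two groups and the service account with the names used above, adds the service account and the site server's computer account to the administrators group, and delegates inherited Create/Delete child-object rights on the OU to CM_AMT. The site server name, the container for the groups and user, and the scope of the administrators group are assumptions.

```powershell
# Added example: AD objects and OU delegation for Intel SCS / ConfigMgr AMT integration.
Import-Module ActiveDirectory
$domainDn   = (Get-ADDomain).DistinguishedName
$ouName     = 'AMT Provisioned Computers'
$ouDn       = "OU=$ouName,$domainDn"
$container  = "CN=Users,$domainDn"   # assumed location for the groups and the service account
$siteServer = 'CM01'                 # assumed name of the Configuration Manager site server

# Step 1: OU that will hold the objects Intel SCS creates for each AMT device
New-ADOrganizationalUnit -Name $ouName -Path $domainDn

# Step 2: universal security group for provisioned AMT computers
New-ADGroup -Name 'SCCM 2012 R2 AMT Provisioned Computers' -GroupScope Universal `
    -GroupCategory Security -Path $container

# Step 3: service account used by the Intel SCS configurator (password prompted, not stored in the script)
$pw = Read-Host -AsSecureString -Prompt 'Password for CM_AMT'
New-ADUser -Name 'CM_AMT' -SamAccountName 'CM_AMT' -AccountPassword $pw -Enabled $true -Path $container

# Step 4: group whose members may access Intel AMT (scope not given in the post; Universal assumed)
New-ADGroup -Name 'SCCM 2012 R2 AMT Administrators' -GroupScope Universal `
    -GroupCategory Security -Path $container
# Service account plus the site server's computer account; add console operators' accounts as well.
Add-ADGroupMember -Identity 'SCCM 2012 R2 AMT Administrators' -Members 'CM_AMT', "$siteServer$"

# Step 5: inherited Create/Delete child-object rights on the OU for CM_AMT only (nothing broader)
$sid    = (Get-ADUser -Identity 'CM_AMT').SID
$rights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
          [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$ace    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
              $sid, $rights,
              [System.Security.AccessControl.AccessControlType]::Allow,
              [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Show the resulting delegation for review
(Get-Acl -Path "AD:\$ouDn").Access | Where-Object { $_.IdentityReference -like '*CM_AMT' } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
```
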
Previous Postings in this series:

Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 1 Introduction

Lately I’ve been working on a project for a customer where they wanted to implement the out of band management feature, but the out of band management feature in Configuration Manager 2012 R2 only supports the following versions of AMT:

  • Intel AMT version 3.2 with a minimum revision of 3.2.1
  • Intel AMT version 4.0, version 4.1, and version 4.2
  • Intel AMT version 5.0 and version 5.2 with a minimum revision of 5.2.10
  • Intel AMT version 6.0 and version 6.1

More information about this here; http://technet.microsoft.com/en-us/library/gg682077.aspx#BKMK_SupConfigOOB

The issue here is that all new computers come with newer versions of AMT and cannot be provisioned for out of band management by Configuration Manager 2012 R2.

So after some research I found that Intel SCS 9.0 can be integrated with Configuration Manager 2012 R2 for provisioning and then all management can be done from Configuration Manager 2012 R2. All features like Web Interface, KVM, Serial Over LAN (SOL), IDE Redirection (IDER), Power Commands and Integration with Wake-On-Lan are fully functional.

We’ve successfully implemented this and I thought I would share the experience through this series of blog posts.

Why do we need the Add-on for Intel AMT?

Configuration Manager 2012 R2 includes built-in support for Out of Band (OOB) management of Intel AMT. This includes the capability to discover and configure Intel AMT, and then use some of the OOB features of Intel AMT. Some of these capabilities were implemented by Microsoft using the Simple Object Access Protocol (SOAP) interface of Intel AMT. The SOAP interface has been deprecated for some time, and was replaced with the Web Services Management (WS-Management) interface. From version 9.0 of Intel AMT, SOAP is no longer supported and any solutions that use that interface will not work.

The Add-on enables SCCM to be used with all supported versions of Intel AMT.

After installing the Add-on Intel AMT component, these built-in capabilities of SCCM are replaced by Intel SCS:

  • Discovery of data from systems that support Intel AMT
  • Configuration/Unconfiguration of Intel AMT on the discovered systems
  • Maintenance of Intel AMT settings on the discovered systems

All operations related to any of these tasks will be handled by Intel SCS components using a Kerberos Administrator user, configured in Intel AMT. This means that all built-in menu options and settings windows in SCCM related to “provisioning” or configuration are no longer used.

In this release of the Add-on, only the built-in SCCM features that use Kerberos authentication are supported. All these features are located in the “Out of Band Management Console”, available when you right-click a configured Intel AMT system.

You can download the Intel software used in this series of postings from the following locations:

Intel Setup and Configuration Software (Intel SCS) – https://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=20921&ProdId=3051&lang=eng
Intel SCS Add-on for Microsoft System Center Configuration Manager – https://downloadcenter.intel.com/Detail_Desc.aspx?DwnldID=24010
Intel Core vPro processor add-on for System Center Configuration Manager – https://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=21835