Intel® AMT and Remote Provisioning (aka Zero Touch)
By Gael Holmes Hofemeier (Intel) (124 posts) on October 7, 2009 at 8:20 am
Lately I've been playing with the Intel® SCS Lite utility to provision my system. Last week I tried it out using a provisioning certificate (Remote Provisioning).
I thought it might be useful to post the steps that are needed in order to set up the network and certs. In my environment, I run the SCS Service with a specific SCS User (SCSUser) and so the provisioning certificate had to be installed in that user's personal store (not in the Administrator's store). Also note that this certificate is the root certificate that matches one of the Certificate Hashes that is already in the Intel AMT Client's Manageability Engine. Also, I am not using Active Directory in my environment.
Before Remote Configuration begins, the network should be configured as follows:
- The Intel SCS must have a server (provisioning) certificate, used only for setup and configuration, with the appropriate OID or OU that traces to a CA which has a root certificate hash stored in the Intel AMT device. The OID in the Extended Key Usage field must be 2.16.840.1.113741.1.2.3, or the OU value in the Subject field must be "Intel® Client Setup Certificate".
- Contact one of the vendors whose root certificate hashes are built into the Intel AMT firmware. A list of the hashes should be provided by the platform vendor. Go to the vendor's web site and purchase an "SSL certificate". For example, the following link to Verisign's site, http://www.verisign.com/ssl/buy-ssl-certificates/index.html, shows how to purchase an appropriate certificate. Use the OID or the OU values above (or both) when defining the certificate.
- This provisioning certificate must be installed in the SCS User's personal store.
- It's OK if the provisioning certificate has a different domain associated with it than your management/provisioning console/AMT Client has.
- The Intel AMT device must be configured to receive its IP address from a DHCP server.
- Your DHCP server's Scope Options must be configured to support option 15 and to return the domain suffix that is in the provisioning certificate. Note that Remote Provisioning will not work without this requirement for Option 15.
- The Intel AMT device must be pre-programmed with at least one active root certificate hash. The device comes with a set of hashes from various vendors.
- The Intel AMT Setup and Configuration Server (SCS) must be registered with a DNS server accessible to the Intel AMT device with the name "ProvisionServer" (or the name defined by the PC manufacturer) and be in either the same domain as the device or in a domain with the same suffix. (Add an alias for "ProvisionServer"= <domain name of the Intel AMT Client>.)
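The checklist above can be verified before the Activator is run. The following PowerShell pre-flight check is an added example, not part of the original post or of Intel SCS. It assumes it is run while logged on as the SCS user, that `Resolve-DnsName` is available (Windows 8 / Server 2012 or later), and that `$DhcpDomain` (a hypothetical parameter name) holds the domain your DHCP scope returns in option 15; the suffix test is a simple string comparison.

```powershell
# Added example: pre-flight check for the remote-provisioning prerequisites.
# Run as the SCS service account so CurrentUser\My is that user's personal store.
param(
    # Assumption: the domain name your DHCP scope returns in option 15.
    [Parameter(Mandatory)][string]$DhcpDomain
)

$AmtEkuOid = '2.16.840.1.113741.1.2.3'   # EKU OID quoted in the post
# OU quoted in the post; the "(R)" spelling is also accepted (assumption).
$AmtOuPattern = 'OU=Intel(\(R\)|\u00AE) Client Setup Certificate'

$results = foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasOid = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $AmtEkuOid })
    $hasOu  = $cert.Subject -match $AmtOuPattern
    if (-not ($hasOid -or $hasOu)) { continue }   # not a provisioning certificate

    # Build the chain to find the root whose hash must be present in the AMT firmware.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $cn = $cert.GetNameInfo('SimpleName', $false)
    [pscustomobject]@{
        Subject        = $cn
        HasAmtEkuOid   = $hasOid
        HasAmtOu       = $hasOu
        HasPrivateKey  = $cert.HasPrivateKey   # SCS needs the key, not just the cert
        NotExpired     = (Get-Date) -lt $cert.NotAfter
        ChainBuilds    = $chainOk
        RootThumbprint = $root.Thumbprint      # SHA-1 thumbprint; compare with the platform vendor's hash list
        SuffixMatches  = $cn.ToLower().EndsWith('.' + $DhcpDomain.ToLower())
    }
}

if (-not $results) { Write-Warning "No provisioning certificate in this user's personal store." }
$results | Format-List

# The AMT device looks up "ProvisionServer" in the domain it received from DHCP.
Resolve-DnsName "ProvisionServer.$DhcpDomain" -ErrorAction SilentlyContinue |
    Select-Object Name, Type, IPAddress, NameHost
```

An empty result from the last command means the "ProvisionServer" record or alias is missing for that domain; a `False` in any certificate field points at the corresponding prerequisite in the list.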
Once your network is correctly configured and your provisioning certificate is installed, you should be able to follow the instructions provided in the SCS 6.0 Lightweight installation guide. The following components are required for remote provisioning:
- SCS Service must be installed
- SCS Console - you will need to set up a profile to be applied to your AMT Client system.
- The Activator is then run on the AMT Client. Follow the GUIs and make sure you choose the "PKI" option for provisioning. (You can set up a remote desktop on your Provisioning console in order to execute the Activator remotely on the AMT Client.)
I hope this helps!

