CollapseAll image

Host-based Setup Options

There are several options for host-based setup:

 

Host-Based Setup to Client Control Mode

This is the easiest host-based method to implement.

   An application running on the local host with OS administrative privileges can perform this function. (See a description of how to do local setup). The application requests the username and password of the local system user using either a an Intel MEI command or an Intel ME WMI providercommand, then uses these credentials for access.

   The application provides an Intel AMT admin user password that can be used later to implement configuration settings and add additional users.

   After setup, Intel AMT will be in Client Control mode with its limitations (see Functional Limitations of Client Control Mode).

   Redirection, KVM, and certain remote control actions will require User Consent. This requirement cannot be disabled in Client Control mode.

   The setup process creates a client provisioning audit record that notes the date and time of setup. An application can save the time of setup and periodically compare it to the value in the audit record to assure that a rogue user did not unprovision and later perform another setup to take control of Intel AMT on the platform.

 

Digitally signing the host-based setup request

   The command to perform host based setup to Client Control mode has an option to include a digital signature as a means to detect rogue provisioning.

   Using a client nonce readable from Intel AMT and a randomly created console nonce, the local setup application creates a hash of the two nonces and then requests a digital signature and associated certificate from a central site provided by the enterprise. The setup application includes the signature, certificate and console nonce in the setup request. Intel AMT uses the certificate to decrypt and validate the signature. If the signature is valid, the platform enters Client Control mode.

   The client provisioning audit record will contain the certificate. Application software can periodically check that the certificate in the record matches the one used originally. When the certificate matches the one used to sign the setup command, it assures that a different user did not unprovision and later perform another setup to take control of Intel AMT.

   See Creating a Signed Configuration Request for additional details.

 

Host-Based Setup to Admin Control Mode

   This method has a series of prerequisites, the same as the prerequisites for Remote Configuration:

This method requires a certificate that traces to one of the root certificates built into Intel AMT (see Root Certificate Hashes). The certificate chain must be loaded into Intel AMT using IPS_HostBasedSetupService.AddNextCertInChain method. This can be done locally before any setup has been performed.

The platform must be configured to acquire an IP address via DHCP.

The platform must be connected to the network via a wired LAN.

This action cannot be done in IPv6 mode, as Intel AMT does not support IPv6 before setup and configuration has started.

   Invoke the AdminSetup method with a digital signature created using the certificate.

   The platform ends up in Admin Control mode with no feature limitations. User consent can be enabled or disabled.

   The provisioning audit record will be in IPS_AdminProvisioningAuditRecord format, containing values describing the setup just performed.

Upgrade from Client Control Mode to Admin Control Mode

   This approach is similar to going directly to Admin Control mode, with the same prerequisites, except that loading the certificate chain is done either locally or out-of-band using the admin credentials or those of a user with Intel AMT admin privileges, and not with the $$OsAdmin credentials. (You will need to acquire a certificate that traces to one of the root certificates built into Intel AMT. See Root Certificate Hashes.) Also, this can be done with an IPv6 connection.
The value of this approach is that the IT organization can configure the platform locally with no special credentials, move it into Client Control mode, and then, at a later time, move the platform to Admin Control mode. An ISV can also implement a two-stage setup process, if it simplifies the application flow.

   Execute the IPS_HostBasedSetupService.UpgradeClientToAdmin method out-of-band adding a digital signature using the certificate.

   Platform moves from Client Control mode to Admin control mode, removing the Client Control mode functional limitations.

   The provisioning audit record will be in IPS_AdminProvisioningRecord format, containing values describing the setup just performed.

 

Copyright © 2006-2022, Intel Corporation. All rights reserved.