
Perform Local Setup Directly to Admin Control Mode

The following steps describe how to perform a host-based setup directly to Admin Control mode.

Note: Before performing the setup, the platform needs to be queried to determine whether Intel AMT is enabled on it. For details, refer to Checking Whether Intel AMT is enabled.

1.  Retrieve the $$OsAdmin credentials by invoking the MEI command CFG_GetLocalSystemAccount, which returns the user ID (always $$OsAdmin) and a randomly generated password. Alternatively, invoke the WMI method OOB_Service.GetLocalAdminCredentials via the ME WMI provider (see Intel ME WMI Provider). The user who performs this step must have OS administrator privileges on the host platform; the returned password is a secret that grants local access to Intel AMT, so do not log or persist it. Use the returned credentials for the following WS-Management requests.

Snippet demonstrating this step (run it inside the SDK PowerShell execution template):

$connectionWMI = Invoke-WmiMethod -Class OOB_Service -Namespace "ROOT\Intel_ME" -ComputerName "localhost" -Name "GetLocalAdminCredentials"

$user = $connectionWMI.Username   # always $$OsAdmin

$password = $connectionWMI.Password   # randomly generated by the firmware for this session

 

 

2.  Acquire a certificate derived from one of the root certificates embedded in Intel AMT (see Acquiring an Intel® vPro™ Certificate).

3.  Verify that the platform is connected to a wired LAN and that the DNS suffix the platform obtains (for example via DHCP option 15) matches the domain in the certificate. Intel AMT rejects the certificate chain if the two do not match.

4.  Perform the Add Certificate Chain use case, using the $$OsAdmin credentials from step 1.

5.  Retrieve the value of the AMT_GeneralSettings.DigestRealm property by retrieving the instance of AMT_GeneralSettings, where the “InstanceID” key equals “Intel(r) AMT: General Settings”.

Snippet demonstrating this step (run it inside the SDK PowerShell execution template):

$generalSettingsRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_GeneralSettings WHERE InstanceID='Intel(r) AMT: General Settings'")

$generalSettingsInstance = $generalSettingsRef.Get()

$digestRealm = $generalSettingsInstance.GetProperty("DigestRealm")

 

 

6.  Compute NetworkAdminPassword with the MD5 hash function:

NetworkAdminPassword = MD5 (username + ":" + AMT_GeneralSettings.DigestRealm + ":" + plaintextPassword)

This is the HTTP Digest HA1 value for the Intel AMT network admin user, so MD5 is dictated by the Digest scheme and is not a choice. The plaintext password must satisfy the Intel AMT strong-password requirements, and the resulting hash is password-equivalent for this realm: treat it as a secret, not as a harmless digest.

Snippet demonstrating this step (run it inside the SDK PowerShell execution template):

$adminUser = "myUser" # The new Intel AMT network administrator user name to configure.

$adminPassword = "P@ssw0rd" # Its password (must meet the Intel AMT password policy). Keep it separate from $user/$password, which hold the $$OsAdmin credentials from step 1.

$hash = $adminUser + ":" + $digestRealm + ":" + $adminPassword

# HTTP Digest HA1: MD5 over "user:realm:password". AMT user names, realms and passwords are ASCII, so ASCII encoding is used for the input bytes.

$md5Algorithm = [System.Security.Cryptography.MD5]::Create()

$hashBytes = $md5Algorithm.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($hash))

$md5Algorithm.Dispose()

$networkAdminPassword = New-Object System.Text.StringBuilder

# Convert to lowercase hex, which is the format AdminSetup expects for NetworkAdminPassword.

$hashBytes | ForEach-Object { [void]$networkAdminPassword.Append($_.ToString("x2")) }

 

 

7.  Retrieve the instance of IPS_HostBasedSetupService, where the “Name” key equals “Intel(r) AMT Host Based Setup Service”.

8.  Invoke IPS_HostBasedSetupService.Get and retrieve the ConfigurationNonce property.

Snippet demonstrating this step (run it inside the SDK PowerShell execution template):

$hostBasedSetupServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM IPS_HostBasedSetupService WHERE Name='Intel(r) AMT Host Based Setup Service'")

$hostBasedSetupServiceInstance = $hostBasedSetupServiceRef.Get()

$configurationNonce = $hostBasedSetupServiceInstance.GetProperty("ConfigurationNonce")

 

 

The following two steps are normally performed on a server in a more secure environment under enterprise control, where the private key of the certificate never leaves. See <SDK_Root>\Windows\Bin\Configuration\Bin\HostBasedSetup\DigSignScript for an example of how to perform these steps.

9.  Generate an McNonce: 20 random bytes from a cryptographically secure random number generator, base64-encoded.

10.          Concatenate ConfigurationNonce | McNonce, hash the result with SHA-256 and sign the hash with the private key of the certificate acquired in step 2 (RSA with SHA-256). The result is the DigitalSignature (see Creating a Signed Configuration Request). Intel AMT verifies it against the public key of the leaf certificate in the chain added in step 4, which is what binds this AdminSetup request to the enterprise that holds the key.

11.          Invoke IPS_HostBasedSetupService.AdminSetup with the following parameters:

Property                      Value

NetAdminPassEncryptionType    2 (HTTP Digest MD5)

NetworkAdminPassword          The password hash computed in step 6

McNonce                       The base64-encoded 20 random bytes generated in step 9

SigningAlgorithm              2 (RSA_SHA-2_256)

DigitalSignature              The base64-encoded RSA-SHA256 signature over ConfigurationNonce | McNonce produced in step 10

 

Snippet demonstrating this step (run it inside the SDK PowerShell execution template):

$hostBasedSetupServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM IPS_HostBasedSetupService WHERE Name='Intel(r) AMT Host Based Setup Service'")

$inputObject = $hostBasedSetupServiceRef.CreateMethodInput("AdminSetup")

$inputObject.SetProperty("NetAdminPassEncryptionType", "2")

$inputObject.SetProperty("NetworkAdminPassword", $networkAdminPassword.ToString())

$inputObject.SetProperty("McNonce", $mcNonce)

$inputObject.SetProperty("SigningAlgorithm", "2")

$inputObject.SetProperty("DigitalSignature", $digitalSignature)

$outputObject = $hostBasedSetupServiceRef.InvokeMethod($inputObject)

$returnValue = $outputObject.GetProperty("ReturnValue")

# 0 (PT_STATUS_SUCCESS) is the only success value; anything else means the platform did not enter Admin control mode.

if ($returnValue -ne 0) { throw "AdminSetup failed with return value $returnValue" }

 

 

12.          Retrieve the IPS_HostBasedSetupService instance again and read the CurrentControlMode property to verify that the platform is now in Admin control mode (value 2; 1 is Client control mode and 0 is not provisioned).

Snippet demonstrating this step (run it inside the SDK PowerShell execution template):

$hostBasedSetupServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM IPS_HostBasedSetupService WHERE Name='Intel(r) AMT Host Based Setup Service'")

$hostBasedSetupServiceInstance = $hostBasedSetupServiceRef.Get()

$currentControlMode = $hostBasedSetupServiceInstance.GetProperty("CurrentControlMode")

$allowedControlModes = $hostBasedSetupServiceInstance.GetProperty("AllowedControlModes")

# 2 = Admin control mode. Do not treat a successful AdminSetup return value as proof; read the mode back.

if ($currentControlMode -ne 2) { throw "Platform is in control mode $currentControlMode, not Admin control mode" }

 

 
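The page defers the server-side part of this flow, steps 9 and 10, to the SDK's DigSignScript and shows no snippet for it. The following PowerShell is an added example, not code from the Intel AMT SDK, of that part: it generates the McNonce, signs ConfigurationNonce | McNonce with the certificate from step 2, and verifies the signature locally the way the firmware will, before the two values are handed to AdminSetup in step 11. It assumes, beyond what the page states, that the signing certificate is available as a PFX file (path and password are placeholders), that both nonces are decoded from base64 and concatenated as raw 20-byte values before signing, and that the RSA_SHA-2_256 signature uses PKCS#1 v1.5 padding.

```powershell
# Added example (not from the Intel AMT SDK): steps 9 and 10 on the signing server.
# Assumptions, not from the page: signing certificate in a PFX file; both nonces are
# base64-decoded and concatenated as raw bytes; RSA PKCS#1 v1.5 padding with SHA-256.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function New-McNonce {
    # Step 9: 20 bytes from the OS CSPRNG, base64-encoded, as the McNonce parameter expects.
    $bytes = New-Object byte[] 20
    $rng = [RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return [Convert]::ToBase64String($bytes)
}

function Get-SignedNonceBytes {
    param([string]$ConfigurationNonce, [string]$McNonce)
    # Step 10 input: ConfigurationNonce | McNonce as raw bytes (assumption, see lead-in).
    $cfg = [Convert]::FromBase64String($ConfigurationNonce)
    $mc  = [Convert]::FromBase64String($McNonce)
    if ($cfg.Length -ne 20 -or $mc.Length -ne 20) {
        throw "Expected two 20-byte nonces, got $($cfg.Length) and $($mc.Length) bytes"
    }
    return [byte[]]($cfg + $mc)
}

function New-AdminSetupSignature {
    param(
        [Parameter(Mandatory)][string]$ConfigurationNonce,   # base64, read in step 8
        [Parameter(Mandatory)][string]$McNonce,              # base64, from New-McNonce
        [Parameter(Mandatory)][X509Certificate2]$SigningCertificate
    )
    if (-not $SigningCertificate.HasPrivateKey) {
        throw "Certificate $($SigningCertificate.Thumbprint) has no private key; sign where the key lives"
    }
    $data = Get-SignedNonceBytes $ConfigurationNonce $McNonce
    $rsa  = [RSACertificateExtensions]::GetRSAPrivateKey($SigningCertificate)
    # SigningAlgorithm 2 (RSA_SHA-2_256): SHA-256 digest, RSA PKCS#1 v1.5 signature (assumed padding).
    $sig  = $rsa.SignData($data, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    return [Convert]::ToBase64String($sig)
}

function Test-AdminSetupSignature {
    param(
        [Parameter(Mandatory)][string]$ConfigurationNonce,
        [Parameter(Mandatory)][string]$McNonce,
        [Parameter(Mandatory)][string]$DigitalSignature,
        [Parameter(Mandatory)][X509Certificate2]$SigningCertificate
    )
    # The check the firmware makes with the public key of the leaf certificate added in step 4.
    $data = Get-SignedNonceBytes $ConfigurationNonce $McNonce
    $rsa  = [RSACertificateExtensions]::GetRSAPublicKey($SigningCertificate)
    return $rsa.VerifyData($data, [Convert]::FromBase64String($DigitalSignature),
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
}

# Usage on the signing server. The PFX path is a placeholder; the nonce comes from step 8.
$pfxPassword        = Read-Host -AsSecureString -Prompt "PFX password"
$cert               = [X509Certificate2]::new("C:\secure\vpro-signing.pfx", $pfxPassword)
$configurationNonce = Read-Host -Prompt "ConfigurationNonce (base64, read from IPS_HostBasedSetupService)"
$mcNonce            = New-McNonce
$digitalSignature   = New-AdminSetupSignature -ConfigurationNonce $configurationNonce -McNonce $mcNonce -SigningCertificate $cert
if (-not (Test-AdminSetupSignature $configurationNonce $mcNonce $digitalSignature $cert)) {
    throw "Signature did not verify against the signing certificate"
}
# $mcNonce and $digitalSignature are the McNonce and DigitalSignature parameters for AdminSetup (step 11).
```

Only $mcNonce and $digitalSignature travel back to the host; the PFX and its password stay on the server. The local verification is cheap insurance: a signature that fails here would otherwise fail inside the firmware, where the only feedback is a non-zero AdminSetup return value.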

 

Note: When IPS_HostBasedSetupService.AdminSetup succeeds, Intel AMT deletes the previous provisioning audit record, creates an instance of IPS_AdminProvisioningAuditRecord with the leaf certificate included, and deletes the certificate chain.

 


SDK Sample

Located at: <SDK_Root>\Windows\Intel_AMT\Samples\Configuration\HostBasedSetup.

 

Copyright © 2006-2022, Intel Corporation. All rights reserved.