
Set a New Posture Signer

Intel AMT requires a posture signer to sign the posture. The following steps describe how to set a new posture signer.

 Note:

Setting a new posture signer can only be performed from the network (this limitation was removed starting in Release 6.1), and requires administrator permissions.

1.  Retrieve the instance of AMT_EndpointAccessControlService where the “Name” key equals “Intel(r) AMT Endpoint Access Control Service”.

2.  Examine the EndpointAccessControlService.EnabledState property. If the service is enabled (value 2), disable it by invoking AMT_EndpointAccessControlService.RequestStateChange with the following parameter:

| Parameter | Value |
| --- | --- |
| RequestedState | 3 |

3.  Delete the existing AMT_EACCredentialContext by invoking AMT_EACCredentialContext.Delete.


4.  Retrieve the EPR of the desired certificate to be used for signing the posture: The EPR of AMT_PublicKeyCertificate whose handle number appears in its InstanceID property.

 Note:

Be sure that the private key for this certificate was already added to Intel AMT. See Add a Public-Private Key Pair.

 

5.  Retrieve the EPR of the AMT_EndpointAccessControlService.

6.  Create an instance of AMT_EACCredentialContext by invoking AMT_EACCredentialContext.Create with the following parameters:

| Parameter | Value |
| --- | --- |
| ElementInContext | The certificate EPR from step 4. |
| ElementProvidingContext | The service EPR from step 5. |

7.  Enable the EAC service by invoking AMT_EndpointAccessControlService.RequestStateChange with the following parameter:

| Parameter | Value |
| --- | --- |
| RequestedState | 2 |

8.  Update the posture state by invoking AMT_EndpointAccessControlService.UpdatePostureState with the following parameter:

| Parameter | Value |
| --- | --- |
| UpdateType | 0 |

 

Snippet demonstrating steps 4 through 8. See Enable/Disable the EAC Service for the EnableEACService function.

You can execute this snippet by inserting it into the execution template found here.

```powershell
# Reference (EPR) to the EAC service (step 5).
$endpointAccessControlServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_EndpointAccessControlService WHERE Name='Intel(r) AMT Endpoint Access Control Service'")
# Placeholder: the ID of the instance that equals the handle of the desired certificate.
$instanceID = "<certificate InstanceID>"
$eacCredentialContextInstance = $wsmanConnectionObject.NewInstance("AMT_EACCredentialContext")
# Reference (EPR) to the signing certificate (step 4).
$publicKeyCertificateRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_PublicKeyCertificate WHERE InstanceID='" + $instanceID + "'")
# Create the association between the certificate and the service (step 6).
$eacCredentialContextInstance.SetProperty("ElementInContext", $publicKeyCertificateRef)
$eacCredentialContextInstance.SetProperty("ElementProvidingContext", $endpointAccessControlServiceRef)
$eacCredentialContextInstance.Create()
# Enable the EAC service (step 7) and update the posture state (step 8).
EnableEACService 2
UpdatePostureState
```

 

 

The following snippet implements the UpdatePostureState function invoked in the previous snippet.

```powershell
function UpdatePostureState
{
    # Reference (EPR) to the EAC service.
    $endpointAccessControlServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_EndpointAccessControlService WHERE Name='Intel(r) AMT Endpoint Access Control Service'")
    # Invoke UpdatePostureState with UpdateType 0 (step 8).
    $inputObject = $endpointAccessControlServiceRef.CreateMethodInput("UpdatePostureState")
    $inputObject.SetProperty("UpdateType", "0")
    $outputObject = $endpointAccessControlServiceRef.InvokeMethod($inputObject)
    # Status code returned by the method.
    $returnValue = $outputObject.GetProperty("ReturnValue")
}
```
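The full procedure (steps 1 through 8) with a return-value check on each method call, as an added example that is not Intel SDK code. Set-PostureSigner and Invoke-EacMethod are hypothetical names; the code assumes $wsmanConnectionObject comes from the execution template, that a reference exposes Get() and Delete(), and that a ReturnValue of 0 means success.

```powershell
# Added example (not Intel SDK code). Assumes $wsmanConnectionObject is the
# connection object from the execution template, and that references expose
# Get() and Delete() alongside the calls used in the snippets above.
$eacQuery = "SELECT * FROM AMT_EndpointAccessControlService WHERE Name='Intel(r) AMT Endpoint Access Control Service'"

# Hypothetical helper: invoke a one-parameter method on the EAC service and
# stop the whole procedure if the method reports a failure.
function Invoke-EacMethod($method, $paramName, $paramValue)
{
    $ref = $wsmanConnectionObject.NewReference($eacQuery)
    $inputObject = $ref.CreateMethodInput($method)
    $inputObject.SetProperty($paramName, $paramValue)
    $outputObject = $ref.InvokeMethod($inputObject)
    $returnValue = [string]$outputObject.GetProperty("ReturnValue")
    # Assumption: ReturnValue 0 means success, as is the CIM convention.
    if ($returnValue -ne "0") { throw "$method failed with ReturnValue $returnValue" }
}

# Hypothetical wrapper for steps 1-8. $certInstanceID is the InstanceID of the
# AMT_PublicKeyCertificate whose private key was already added to Intel AMT.
function Set-PostureSigner($certInstanceID)
{
    # Steps 1-2: disable the service only if it is currently enabled (2).
    $eacRef = $wsmanConnectionObject.NewReference($eacQuery)
    $enabledState = [string]$eacRef.Get().GetProperty("EnabledState")
    if ($enabledState -eq "2") { Invoke-EacMethod "RequestStateChange" "RequestedState" "3" }

    # Step 3: delete the existing signer association (throws if the call fails).
    $wsmanConnectionObject.NewReference("SELECT * FROM AMT_EACCredentialContext").Delete()

    # Steps 4-6: associate the new certificate with the service.
    $certRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_PublicKeyCertificate WHERE InstanceID='" + $certInstanceID + "'")
    $context = $wsmanConnectionObject.NewInstance("AMT_EACCredentialContext")
    $context.SetProperty("ElementInContext", $certRef)
    $context.SetProperty("ElementProvidingContext", $eacRef)
    $context.Create()

    # Steps 7-8: re-enable the service, then update the posture state.
    Invoke-EacMethod "RequestStateChange" "RequestedState" "2"
    Invoke-EacMethod "UpdatePostureState" "UpdateType" "0"
}
```

Because every failure throws, an error part-way through stops the sequence before the service is re-enabled in step 7.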

 

 


SDK Sample

Not applicable

 

Copyright © 2006-2022, Intel Corporation. All rights reserved.