
Upgrade from Client Control Mode to Admin Control Mode

The following steps describe how to perform an upgrade to Admin Control mode on a platform that is already in Client Control mode. This flow can be initiated remotely.

1.  Acquire a certificate derived from one of the root certificates embedded in Intel AMT (see Acquiring an Intel® vPro™ Certificate).

2.  Verify that the platform is connected to a wired LAN and the local DNS value matches the one used in the certificate.

3.  Perform the Add Certificate Chain use case. Perform this use case using an Intel AMT user with admin credentials.

4.  Retrieve the instance of IPS_HostBasedSetupService, where the “Name” key equals “Intel(r) AMT Host Based Setup Service”.

5.  Invoke IPS_HostBasedSetupService.Get and retrieve the ConfigurationNonce property.

Snippet demonstrating this step:

You can execute this snippet by inserting it into the execution template.

$hostBasedSetupServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM IPS_HostBasedSetupService WHERE Name='Intel(r) AMT Host Based Setup Service'")
$hostBasedSetupServiceInstance = $hostBasedSetupServiceRef.Get()
$configurationNonce = $hostBasedSetupServiceInstance.GetProperty("ConfigurationNonce")


The following two steps are normally performed on a server in a more secure environment under enterprise control. See <SDK_Root>\Windows\Intel_Manageability_Configuration\Bin\HostBasedSetup\DigSignScript for an example of how to perform these steps.

6.  Randomly create an McNonce. This is a 20-character string converted to Base64.

7.  Concatenate ConfigurationNonce|MCNonce. Create a hash using SHA-2_256 and sign the hash using the private key of the certificate acquired in step 1. This yields the digital signature (see Creating a Signed Configuration Request).

8.  Invoke IPS_HostBasedSetupService.UpgradeClientToAdmin, with the following parameters:

Property            Value
McNonce             The 20-character randomly generated string
SigningAlgorithm    2 (RSA_SHA-2_256)
DigitalSignature    The encrypted hash of ConfigurationNonce | MCNonce


Snippet demonstrating this step:

$hostBasedSetupServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM IPS_HostBasedSetupService WHERE Name='Intel(r) AMT Host Based Setup Service'")
$inputObject = $hostBasedSetupServiceRef.CreateMethodInput("UpgradeClientToAdmin")
$inputObject.SetProperty("McNonce", $mcNonce)
$inputObject.SetProperty("SigningAlgorithm", "2")
$inputObject.SetProperty("DigitalSignature", $digitalSignature)
$outputObject = $hostBasedSetupServiceRef.InvokeMethod($inputObject)
$returnValue = $outputObject.GetProperty("ReturnValue")


9.  Invoke IPS_HostBasedSetupService.Get and retrieve the CurrentControlMode property to verify that the platform is now in Admin control mode.

Snippet demonstrating this step:

$hostBasedSetupServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM IPS_HostBasedSetupService WHERE Name='Intel(r) AMT Host Based Setup Service'")
$hostBasedSetupServiceInstance = $hostBasedSetupServiceRef.Get()
$currentControlMode = $hostBasedSetupServiceInstance.GetProperty("CurrentControlMode")
$allowedControlModes = $hostBasedSetupServiceInstance.GetProperty("AllowedControlModes")


 Note:

When IPS_HostBasedSetupService.UpgradeClientToAdmin succeeds, Intel AMT deletes the previous provisioning audit record, creates an instance of IPS_AdminProvisioningAuditRecord, and deletes the certificate chain.
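
Steps 6 and 7 as an added PowerShell example; it is not Intel's DigSignScript and not part of the original page. It assumes both nonces are Base64 encodings of raw bytes, that the signed message is the decoded ConfigurationNonce followed by the decoded McNonce, and that the signature uses PKCS#1 v1.5 padding. The function names, the throwaway key and the sample ConfigurationNonce are constructed for illustration.

```powershell
# Added example (assumptions: Base64 nonces over raw bytes, byte-wise
# concatenation, RSA PKCS#1 v1.5 over SHA-256). Needs .NET Framework 4.7.2+
# or PowerShell 7 for RSA.Create(int).
function New-McNonce {
    # Step 6: 20 bytes from the OS CSPRNG, returned as Base64.
    $bytes = New-Object byte[] 20
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return [Convert]::ToBase64String($bytes)
}

function Get-SignedMessage {
    param([Parameter(Mandatory)] [string] $ConfigurationNonce,
          [Parameter(Mandatory)] [string] $McNonce)
    # ConfigurationNonce | McNonce, concatenated as decoded bytes (assumption).
    [byte[]] $message = [Convert]::FromBase64String($ConfigurationNonce) +
                        [Convert]::FromBase64String($McNonce)
    return ,$message
}

function New-UpgradeSignature {
    param([Parameter(Mandatory)] [byte[]] $Message,
          [Parameter(Mandatory)] [System.Security.Cryptography.RSA] $PrivateKey)
    # Step 7: hash with SHA-256, then sign the hash with the private key.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { $hash = $sha.ComputeHash($Message) } finally { $sha.Dispose() }
    $sig = $PrivateKey.SignHash($hash,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    return [Convert]::ToBase64String($sig)
}

# Constructed inputs so the block runs offline.
$configurationNonce = New-McNonce   # stands in for the value read in step 5
$rsa = [System.Security.Cryptography.RSA]::Create(2048)   # stands in for the step 1 key
# With the real certificate ($cert is an X509Certificate2 with a private key):
#   $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)

$mcNonce = New-McNonce              # fresh value for every request
$message = Get-SignedMessage -ConfigurationNonce $configurationNonce -McNonce $mcNonce
$digitalSignature = New-UpgradeSignature -Message $message -PrivateKey $rsa

# Self-check with the public half before sending anything to the platform.
$valid = $rsa.VerifyData($message, [Convert]::FromBase64String($digitalSignature),
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
if (-not $valid) { throw "Signature does not verify; do not call UpgradeClientToAdmin." }
```

Only $mcNonce and $digitalSignature need to leave the signing server; the private key stays there.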

 

SDK Sample

Located at: <SDK_Root>\Windows\Intel_AMT\Samples\Configuration\HostBasedSetup.

 

Copyright © 2006-2022, Intel Corporation. All rights reserved.