You are on page 1of 147

Intel® Setup and Configuration Service

(Intel® SCS)

User Guide

Version 7.0

Document Release Date: February 24, 2011


INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE,
EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS
GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR
SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR
IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR
WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT
OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.

UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR
INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A
SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR.

Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on
the absence or characteristics of any features or instructions marked "reserved" or "undefined." Intel reserves these for
future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to
them. The information here is subject to change without notice. Do not finalize a design with this information.

The products described in this document may contain design defects or errors known as errata which may cause the
product to deviate from published specifications. Current characterized errata are available on request.

Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product
order.

Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be
obtained by calling 1-800-548-4725, or go to: http://www.intel.com/design/literature.htm.

Intel® Active Management Technology requires activation and a system with a corporate network connection, an
Intel® AMT-enabled chipset, network hardware and software. For notebooks, Intel AMT may be unavailable or limited
over a host OS-based VPN, when connecting wirelessly, on battery power, sleeping, hibernating or powered off. Results
dependent upon hardware, setup & configuration. 
For more information, visit http://www.intel.com/technology/platform-technology/intel-amt.

Intel® vPro™ Technology is sophisticated and requires setup and activation. Availability of features and results will
depend upon the setup and configuration of your hardware, software and IT environment. 
To learn more visit: http://www.intel.com/technology/vpro.

Systems using Client Initiated Remote Access require wired LAN connectivity and may not be available in public hot spots
or "click to accept" locations. For more information on CIRA, visit http://software.intel.com/en-us/articles/fast-call-for-help-
overview.

Intel, the Intel logo, and Intel vPro, are trademarks of Intel Corporation in the U.S. and/or other countries.

Microsoft, Windows, and the Windows logo are trademarks, or registered trademarks of Microsoft Corporation in the U.S.
and/or other countries.

* Other names and brands may be claimed as the property of others.

Copyright © 2006–2011, Intel Corporation. All rights reserved.


Table of Contents

Table of Contents

Chapter 1: Introduction...........................................................................1
About the Intel AMT Environment ....................................................................... 1
Intel SCS Components........................................................................................... 2
Configuration Methods and Intel AMT Versions.................................................. 3
Host Based Configuration.............................................................................. 4
SMB/Manual Configuration .......................................................................... 5
One Touch Configuration (PSK) ................................................................... 5
Remote Configuration (PKI).......................................................................... 5
Unified Configuration Process....................................................................... 6
Intel AMT and Security Considerations ................................................................ 8
Password Format............................................................................................ 8
File Encryption............................................................................................... 9
Digital Signing of Files.................................................................................. 9
Recommendations for Secure Deployment ................................................. 10
Transport Layer Security Protocol............................................................... 10
Security Before and During Configuration.................................................. 11
Security After Configuration ....................................................................... 11
Admin Permissions in the Intel AMT Device ..................................................... 12
Default Admin User (Digest)....................................................................... 12
User Defined Admin User (Kerberos) ......................................................... 13
Maintenance Policies for Intel AMT ................................................................... 14
Synchronizing the Clock.............................................................................. 14
Synchronizing Network Settings ................................................................. 15
Re-issuing Certificates ................................................................................. 15
Replacing Active Directory Object Passwords............................................ 15
Changing the ADOU Location .................................................................... 16
Changing the Default Admin User Password .............................................. 16
Support for KVM Redirection ............................................................................. 17
Chapter 2: Prerequisites .......................................................................18
Supported Intel AMT Versions............................................................................ 18
Supported Operating Systems.............................................................................. 19
Hardware Requirements ...................................................................................... 20
Support for a Workgroup Environment ............................................................... 20
Prerequisite Tasks ................................................................................................ 21
Required User Permissions.................................................................................. 22
Unconfigured Systems ................................................................................. 22
Configured Systems ..................................................................................... 22
Setting up the RCS............................................................................................... 23
Installing the RCS ........................................................................................ 23
Backing up Data Stored in the RCS............................................................. 26
RCS User Account Requirements................................................................ 28
User Permissions Required to Access the RCS ........................................... 28
Modifying/Uninstalling the RCS ................................................................. 31
Silent Installation ......................................................................................... 33

Intel® SCS User Guide iii


Table of Contents

Chapter 3: Quick Start Guide ...............................................................34


Chapter 4: Using the ACU Wizard........................................................35
About the ACU Wizard ....................................................................................... 36
Configuring/Unconfiguring Individual Systems ................................................. 37
Configuring a System (Unified Configuration) ................................................... 38
Defining IP and FQDN for a Single System................................................ 40
Encrypting the Profile .................................................................................. 42
SMB/Manual Configuration with the ACU Wizard ............................................ 43
Unconfiguring a System ...................................................................................... 46
Defining Profiles for Multiple Systems ............................................................... 47
Connecting to the RCS................................................................................. 48
Exporting Profiles from the RCS................................................................. 49
Defining Manual Configuration (Multiple Systems)........................................... 51
Changing the Default RCS Settings..................................................................... 53
Chapter 5: Defining Configuration Profiles.........................................55
About Configuration Profiles............................................................................... 55
Creating/Editing Configuration Profiles.............................................................. 56
Saving the Configuration Profile ................................................................. 58
Defining the Profile Scope................................................................................... 59
Defining Profile Optional Settings ...................................................................... 60
Defining Active Directory Integration................................................................. 61
Defining the Access Control List (ACL) ............................................................. 62
Adding a User to the ACL ........................................................................... 63
Using Access Monitor.................................................................................. 65
Defining Home Domains ..................................................................................... 66
Defining Remote Access ..................................................................................... 67
Defining Management Presence Servers ..................................................... 68
Defining Remote Access Policies................................................................ 70
Defining Trusted Root Certificates...................................................................... 71
Defining Transport Layer Security (TLS) ........................................................... 73
Defining Advanced Mutual Authentication Settings................................... 75
Defining Network Setups..................................................................................... 76
Creating WiFi Setups................................................................................... 78
Creating 802.1x Setups ................................................................................ 80
Defining End-Point Access Control............................................................. 83
Defining System Settings..................................................................................... 85
Defining IP and FQDN Settings .................................................................. 89

Intel® SCS User Guide iv


Table of Contents

Chapter 6: Using the Configurator.......................................................91


About the Configurator ........................................................................................ 92
CLI Syntax ........................................................................................................... 92
CLI Global Options ............................................................................................. 93
Configurator Log Files......................................................................................... 93
Verifying the Status of an Intel AMT System ..................................................... 93
Discovering Systems............................................................................................ 94
Configuring Systems (Unified Configuration) .................................................... 95
Configuring Systems Using the RCS (Legacy) ................................................... 97
Creating TLS-PSK Pairs ...................................................................................... 99
Configuring a System Using a USB Key........................................................... 101
Power Package GUIDs .............................................................................. 103
Maintaining Configured Systems ...................................................................... 104
Maintaining Systems Using the RCS (Legacy) ................................................. 105
Unconfiguring Intel AMT Systems ................................................................... 107
Moving from Client Control to Admin Control................................................. 109
Disabling Client Control Mode.......................................................................... 111
Sending a Hello Message................................................................................... 111
Appendix A: Certification Authorities and Templates .....................112
Standalone or Enterprise CA ............................................................................. 113
Request Handling............................................................................................... 113
Required Permissions on the CA ....................................................................... 114
Additional Requirements for Windows 2003 CA.............................................. 114
Defining Enterprise CA Templates.................................................................... 115
Defining Common Names in the Certificate ..................................................... 119
Using Predefined Files Instead of a CA Request............................................... 121
CRL XML Format ............................................................................................. 122
Appendix B: Setting up Remote Configuration (PKI).......................123
About Remote Configuration............................................................................. 124
Prerequisites for Remote Configuration ............................................................ 125
Intel AMT Versions and Remote Configuration Certificates ............................ 125
Intel AMT 2.2 ............................................................................................ 125
Intel AMT 2.6 ............................................................................................ 126
Intel AMT 3.0 and Higher ......................................................................... 126
Acquiring and Installing a Vendor Supplied Certificate ................................... 127
Installing a Vendor Certificate................................................................... 127
Installing a Root Certificate and Intermediate Certificates........................ 129
Creating and Installing Your Own Certificate ................................................... 129
Creating a Certificate Template ................................................................. 129
Requesting and Installing the Certificate................................................... 132
Entering a Root Certificate Hash Manually in the Intel AMT Firmware .. 132
Remote Configuration Using Scripts................................................................. 133
How the Script Option Works.................................................................... 133
Preparing to Use Scripts............................................................................. 134
Defining a Script ........................................................................................ 134

Intel® SCS User Guide v


Table of Contents

Appendix C: Troubleshooting ............................................................135


Failed to Parse the XML File..................................................................... 136
Reconfiguration of Dedicated IP and FQDN Settings............................... 136
Disjointed Namespaces.............................................................................. 137
Damaged RCS Data Files (RCS does not Start) ........................................ 138
Connecting to an RCS behind a Firewall................................................... 138
Error when Removing AD Integration (Error in SetKerberos) ................. 139
Kerberos Authentication Failure................................................................ 139
The ACU Wizard Takes a Long Time to Start .......................................... 140
Problems Using ACU Wizard on a Network Drive................................... 140
Error: “Kerberos User is not Permitted to Configure..”............................. 141

Intel® SCS User Guide vi


1
Introduction
This guide describes how to use the Intel® Setup and Configuration Service
(Intel® SCS). The Intel SCS lets you configure computers to use
Intel® Active Management Technology (Intel® AMT).
This chapter describes Intel AMT and the Intel SCS components.
For more information, see:
• About the Intel AMT Environment
• Intel SCS Components
• Configuration Methods and Intel AMT Versions
• Intel AMT and Security Considerations
• Admin Permissions in the Intel AMT Device
• Maintenance Policies for Intel AMT
• Support for KVM Redirection

About the Intel AMT Environment

Intel AMT lets you remotely access computers when the operating system is not
available or the computer is turned off. The only requirement is that the computer must
be connected to a power supply and a network.
The Intel AMT environment includes:
• Intel AMT Systems — Computers with an Intel AMT device. The Intel AMT device
contains the hardware and software that control the Intel AMT features. The device
includes a Manageability Engine (ME) and an extended BIOS (MEBx). The ME
operates independently of the Central Processing Unit (CPU) of the computer.

• Management Console — A software application used to remotely manage computers


in a network. The management console must include an interface that can use the
features of Intel AMT.
• Intel SCS — See “Intel SCS Components” on page 2.

Intel® SCS User Guide 1


Chapter 1 • Introduction

Intel SCS Components

Intel AMT devices are usually supplied in an unconfigured condition. Setup and
configuration is the process that gives management consoles access to Intel AMT
features. The Intel SCS lets you complete this process. This diagram shows the main
components of the Intel SCS and how they can be used to configure Intel AMT systems.

Figure 1. Intel SCS Components

Intel® SCS User Guide 2


Chapter 1 • Introduction

Intel SCS 7.0 includes these components:


• Intel AMT Configuration Utility — A GUI application, referred to in this guide as
the ACU Wizard. You can run the ACU Wizard on Intel AMT systems to configure
them locally or send configuration requests to the RCS. You can also use the
ACU Wizard to define settings to use when configuring multiple systems.
For more information, see “Using the ACU Wizard” on page 35.
• Configuration Profiles — XML files that contain the configuration settings for the
Intel AMT devices. You can create and edit profiles using the ACU Wizard.
For more information, see “Defining Configuration Profiles” on page 55.
• Configurator — A Command Line Interface (CLI) application that runs locally on
the Intel AMT system. You can use the Configurator to configure the system or send a
configuration request to the RCS.
For more information, see “Using the Configurator” on page 91.
• Remote Configuration Service (RCS) — A Windows service (RCSServer) that runs
on a computer in the network. The RCS processes requests sent from the ACU Wizard
or the Configurator. This is the only Intel SCS component that requires installation
(see “Setting up the RCS” on page 23).

Configuration Methods and Intel AMT Versions

There are many different versions of Intel AMT. This table gives the configuration
methods available for the different Intel AMT versions:

Table 1. Intel AMT Configuration Methods

# Configuration Method Intel AMT Versions

1 Host Based Configuration 7.0 and higher

2 SMB/Manual Configuration 4.0 and higher

3 One Touch Configuration (PSK) 2.1 and higher

4 Remote Configuration (PKI) 2.2, 2.6, 3.0 and higher

• Intel SCS 7.0 can automatically select the method (#1, #3, or #4) that is available
for each Intel AMT system (see “Unified Configuration Process” on page 6).
• Methods #3, #4, and the unified configuration process all require an RCS (see
“Setting up the RCS” on page 23).

Intel® SCS User Guide 3


Chapter 1 • Introduction

Host Based Configuration

The host-based configuration method is new from Intel AMT 7.0. This method lets an
application running locally on the Intel AMT system configure the Intel AMT device.
Configuration is done with an XML configuration profile. The application and the
profile can be sent to the Intel AMT systems in a deployment package and run with a
script. Because this method has less security related requirements than earlier
configuration methods, control modes were added to Intel AMT 7.x.

Control Modes

After configuration, Intel AMT 7.x devices are put in one of these control modes:
• Client Control Mode — This is the default mode of host-based configuration.
Intel AMT devices in this mode have these security related limitations:
• The System Defense feature is not available.
• User consent is required for all redirection operations and changes to the boot
process.
• Permission from the Auditor user (if defined) is not required to unconfigure
Intel AMT.
• To make sure that untrusted users cannot get control of the Intel AMT system,
some Intel AMT configuration functions are blocked.
• Admin Control Mode — In this mode all Intel AMT features are available. All other
configuration methods automatically put Intel AMT 7.x devices in this mode.

User Consent

User consent is a new feature available in Intel AMT 6.0 and higher. If user consent is
enabled, when a remote connection to a computer starts a message shows on the
computer of the user. The message contains a code that the user must give to the person
who wants to connect to his computer. The remote user cannot continue the operation
until he supplies this code.
• Intel AMT 6.x — The user consent feature is available only for KVM Redirection.
• Intel AMT 7.x — For devices in Admin Control mode you can define which
operations require user consent. For devices in Client Control mode, user consent is
mandatory for these operations:
• Serial Over LAN to redirect BIOS screens and OS Boot text screens
• IDE-Redirection (IDE-R)
• KVM Redirection
• To remotely set BIOS boot options
• To change the source for remote boot (for example, boot from PXE)

Intel® SCS User Guide 4


Chapter 1 • Introduction

SMB/Manual Configuration

The SMB/Manual configuration method lets you configure the Intel AMT device with
basic configuration settings. Configuration is done locally at the Intel AMT system with
a USB key containing a configuration file (Setup.bin).

Note: The Intel SCS cannot configure Intel AMT 2.x and 3.x with this method
because they cannot read the Setup.bin file. Instead you can manually
enter the settings in the MEBx of the Intel AMT system.

After configuration, the Intel AMT device is put in one of these modes:
• Small Medium Business (SMB) Mode — Intel AMT 4.x and 5.x devices are put in
this mode. Advanced (optional) Intel AMT features are not available to devices in this
mode.
• Manual Mode — Intel AMT 6.x and higher devices are put in this mode.
All Intel AMT features are available to devices in this mode if a third-party
application can configure them.
To use this method, see “SMB/Manual Configuration with the ACU Wizard” on page 43.

One Touch Configuration (PSK)

The One Touch Configuration method uses a Pre-Shared Key (PSK) and the RCS. The
PSK is put in the Intel AMT device and the RCS to make sure communication is secure
during the configuration process. Usually, physical access to the Intel AMT system is
necessary if you want to use this method.
These are the main steps of this configuration method:
1. Use the Configurator CLI to create the PSK. The Configurator puts the PSK in an
output file and in the RCS (see “Creating TLS-PSK Pairs” on page 99).
2. Reboot the Intel AMT system with a USB key that contains the file. This puts the
key in the MEBx of the system.
3. Use the Configurator CLI to send a configuration request to the RCS (see “Using
the Configurator” on page 91).

Remote Configuration (PKI)


The Remote Configuration method uses the Public Key Infrastructure (PKI) of the
Transport Layer Security (TLS) protocol and the RCS. To use this method, the Intel
AMT device must have at least one active hash certificate defined in the MEBx. If the
manufacturer does this before he sends the computer out, then you can configure these
computers remotely. To use this method, see:
• “Setting up Remote Configuration (PKI)” on page 123
• “Using the Configurator” on page 91

Intel® SCS User Guide 5


Chapter 1 • Introduction

Unified Configuration Process

Intel SCS 7.0 includes a “Unified Configuration” process. This process lets you define
one deployment package to configure all Intel AMT versions in your network. The
Intel SCS automatically uses the necessary configuration method for each Intel AMT
device.
The Unified Configuration process uses two copies of the same XML profile:
• The first copy is created and stored in the RCS. This copy is used by the RCS to
remotely configure devices that do not support host-based configuration.
• The second copy is “exported” from the RCS and must be included in the deployment
package. This copy is used by the Configurator to locally configure devices that
support host-based configuration. This copy also includes data (added during export)
about the RCS and the required control mode for the Intel AMT device.

Figure 2. Unified Configuration Process

Intel® SCS User Guide 6


Chapter 1 • Introduction

Table 2. Steps in the Unified Configuration Process

Step Description

A script or a batch file runs the Configurator locally on the Intel AMT
system. The Configurator examines the Intel AMT device to find if it
supports host-based configuration.
Note: The name of the command to run is “ConfigAMT”. You can also use
the unified configuration process to do maintenance tasks using the
“MaintainAMT” command. For more information, see:
• “Configuring Systems (Unified Configuration)” on page 95
• “Maintaining Configured Systems” on page 104

The Configurator examines the settings in the profile sent in the deployment
package.

This step occurs if the Intel AMT device supports host-based configuration and
“Client Control” mode is defined in the profile.

The Configurator activates Intel AMT on the device and puts the device in
Client Control mode. The Configurator uses the local profile to define the
settings in the Intel AMT device. All configuration is done locally.

These steps occur if the Intel AMT device supports host-based configuration and
“Admin Control” mode is defined in the profile.

The Configurator sends a request to the RCS to “Setup” the Intel AMT
device. Note: The device must have a TLS-PSK key or must be configured
for remote configuration with PKI.

The RCS activates Intel AMT on the device and puts the device in Admin
Control mode.

The Configurator uses the local profile to define the settings in the Intel
AMT device. All configuration is done locally.

These steps occur for all Intel AMT devices that do not support host-based
configuration.

The Configurator sends a configuration request to the RCS.


Note: The device must have a TLS-PSK key or must be configured for
remote configuration with PKI.

The RCS gets the configuration settings from the profile stored in the RCS.

The RCS uses the profile stored in the RCS to define the settings in the Intel
AMT device. All configuration is done remotely.

Intel® SCS User Guide 7


Chapter 1 • Introduction

Intel AMT and Security Considerations

This section includes these security related topics:


• Password Format
• File Encryption
• Digital Signing of Files
• Recommendations for Secure Deployment
• Transport Layer Security Protocol
• Security Before and During Configuration
• Security After Configuration

Password Format
Most passwords you define in the Intel SCS must be between 8-32 characters, with a
minimum of one of each of these:
• A number
• A non alphanumeric character
• A lowercase Latin letter
• An uppercase Latin letter

Note: The colon (:), comma (,), and double quote (“) characters are NOT
permitted in these passwords:
• The MEBx password
• Digest user passwords (including the Admin user)
• RFB password — Used for KVM sessions using port 5900 (see “VNC
Clients” on page 17)

Note:
• The underscore (_) character is counted as an alphanumeric character
• The RFB password must be EXACTLY 8 characters long
• The Configurator CLI does not accept passwords that start with a
forward slash (/)

Intel® SCS User Guide 8


Chapter 1 • Introduction

File Encryption
The Intel SCS uses XML files for some of the configuration methods. These files can
contain passwords and other information about your network. It is recommended to
encrypt these files or restrict access to them. Configuration profiles stored in the RCS are
automatically encrypted by the RCS. The ACU Wizard lets you encrypt configuration
profiles that are not stored in the RCS. Other optional XML files, can be encrypted by a
third-party application using this format:
• Encryption algorithm: AES128 using SHA-256 on the provided password to create
the key
• Encryption mode: CBC
• Initialize Vector (IV) is the first 16 bytes of the Hash

Note: If you encrypt the profile and also use the optional XML files, you must
use the same password to encrypt all the files.

Digital Signing of Files

The exe and dll files of the Intel SCS components are digitally signed by Intel and
include a time-stamp. This does not include third-party files, such as xerces-c_2_7.dll.
Using digital signatures increases security because it gives an indication that the file is
genuine and has not been changed.
The ACU.dll is a library used by the Configurator (ACUConfig.exe) and the ACU Wizard
(ACUWizard.exe) components to do configuration tasks on Intel AMT devices. When
running a command from the Configurator CLI, the Configurator tries to authenticate the
signature of the ACU.dll. If authentication fails, the task is not permitted and the
Configurator returns an error message.
This authentication is also done on external files run by the Configurator. This is the
default behavior of the Configurator, but it can be changed per command (see “CLI
Global Options” on page 93). When running CLI commands remotely or in a
deployment package, it is not recommended to change this default.
The digital signature is authenticated against a trusted root certificate supplied by the
Equifax Secure Certificate Authority. The certificate is located in the user trusted root
certificate store of the operating system on the Intel AMT system. The certificate is
automatically included in the operating systems supported by the Intel SCS components.

Note:
• The ACU Wizard does not authenticate the signature of the ACU.dll.
• On some systems, authentication of the digital signature can increase the
configuration time by up to two minutes.

Intel® SCS User Guide 9


Chapter 1 • Introduction

Recommendations for Secure Deployment

The Intel SCS uses XML files for some of the configuration methods. These files can
include passwords and data that persons without approval must not access.
Intel recommends these standard security precautions:
• Encrypt all the files that the Configurator will use. Use a Strong password with a
minimum of 16 characters (see “File Encryption” on page 9).
• Make sure that deployment packages and the encryption password are stored in a
location that only approved personnel can access.
• Send deployment packages to the Intel AMT systems with a communication method
that prevents access to persons without approval.

Note: If you use the Silent Install option to install the RCS, the *.iss file
created by InstallShield* is NOT encrypted. This file contains the
username and password of the user you defined to run the RCS.

• When configuration/unconfiguration is complete make sure you delete any


configuration files remaining on the Intel AMT system.
• If the Configurator will need to communicate with a CA or create an AD object, give
permissions only to the specific CA template or the specific Active Directory
Organizational Unit.
• Always use the default requirement for digital signature authentication when using the
Configurator CLI remotely (see “Digital Signing of Files” on page 9).

Transport Layer Security Protocol

Transport Layer Security (TLS) is a protocol that secures and authenticates


communications across a public network. Intel AMT can use these types of TLS:
• Pre Shared Key (PSK) — The PSK protocol provides secure communication based
on a set of PSK configuration keys that have been shared in advance between two
parties using a secure channel. Intel AMT can use the PSK protocol only before and
during the configuration process of Intel AMT systems configured by the RCS.
• Public Key Infrastructure (PKI) — The PKI lets users of an unsecured network
securely and privately exchange information using an asymmetric public and private
cryptographic key pair. The key pair is retrieved and shared through a trusted
authority, known as a Certification Authority (CA). The CA supplies digital
certificates that can identify an individual or an organization.
These topics include information about how and when these protocols are used:
• “Security Before and During Configuration” on page 11
• “Security After Configuration” on page 11

Intel® SCS User Guide 10


Chapter 1 • Introduction

Security Before and During Configuration

Configuration requests sent from an Intel AMT system to the RCS contain security
related information about the network environment. Thus, Intel AMT uses one of the
TLS protocols (PSK or PKI) before and during the configuration process.

Note: The host-based configuration method does not send information to the
RCS. All configuration is done locally and thus TLS is not necessary.
However, make sure that the XML files are encrypted (see
“Recommendations for Secure Deployment” on page 10).

The type of TLS protocol you can use during configuration via an RCS depends on the
version of Intel AMT:
• Intel AMT 2.1/2.5 — You can only use PSK.
You must change the MEBx password of these Intel AMT systems from the default
password. After you install a PSK configuration key and change the MEBx password,
you must reboot the Intel AMT system.
• Intel AMT 2.2/2.6/3.x and higher — You can use PSK or PKI.
To use PKI, the Intel AMT system must have a Root Certificate Hash
pre-programmed in the firmware (usually by the manufacturer). You must also install
a client certificate on the computer running the RCS.

Security After Configuration

Secure communications between a configured Intel AMT system and a management


console depend on the security settings you define in your network.
You can use TLS-PKI in your network to ensure secure communication with all versions
of Intel AMT systems. When the Configurator, the ACU Wizard, or the RCS configure
an Intel AMT system with TLS, they request a certificate for that system. To do this, they
must have access to the Microsoft Certification Authority (CA).
The Microsoft CA can be installed as Stand-alone CA or as an Enterprise CA. An
Enterprise CA can be configured only in conjunction with Active Directory. A
Stand-alone CA can operate with or without Active Directory, but if Active Directory is
not present, there can be only one RCS instance and the Stand-alone CA must be
installed on the same server as the RCS.
The TLS-PKI can have a hierarchy of CAs, with subordinate CAs and a root CA. This is
beyond the scope of this guide.

Note: TLS-PKI is not available to Intel AMT devices in SMB mode.

Intel® SCS User Guide 11


Chapter 1 • Introduction

Admin Permissions in the Intel AMT Device

This section describes how administrator permissions are defined in the Intel AMT
device.

Default Admin User (Digest)

Each Intel AMT device contains a predefined administrative user named “admin”,
referred to in this guide as the default admin user. Intel AMT uses the HTTP Digest
authentication method to authenticate the default admin user.
The default admin user:
• Has access to all the Intel AMT features and settings on the device
• Is not contained in the Access Control List with other Digest users, and cannot be
deleted
Thus, for security reasons it is important how you define the password for this user (even
if you do not use it). The password is defined in the Network Settings section of the
configuration profile (see “Defining System Settings” on page 85).
There are three methods for defining the password of the default admin user:

Defined Passwords

This method is the easiest method to use and has no prerequisites. However, the
password you define in the profile is set in all devices configured with this profile. If the
password is discovered, all the devices can be accessed. If you use this method, define a
very strong password. To increase security, you can also configure systems with profiles
containing different passwords.

Digest Master Password

The RCS calculates a different (unique) password for each device using a secret key
(known as the “Digest Master Password”) and system-specific data from each device.
The RCS does not need to save these admin passwords because they can be recalculated
when necessary. After configuration, applications that need to use the default admin user
must recalculate the password themselves or ask the RCS to calculate it for them.
Before you can use the Digest Master Password method you need to:
1. Install the RCS (see “Setting up the RCS” on page 23).
2. Define the Digest Master Password (see “Changing the Default RCS Settings” on
page 53).

Intel® SCS User Guide 12


Chapter 1 • Introduction

Random Passwords

The RCS/Configurator generates a different (random) password for each device. These
passwords are not saved. Because the password is not known to you or any application,
after configuration you will not be able to connect to the device with the default admin
user. Do NOT use this method unless you define a Kerberos admin user (see “User
Defined Admin User (Kerberos)” on page 13).

User Defined Admin User (Kerberos)

If your network has Active Directory (AD), you can also define your own administrative
user in the device that will be authenticated using Kerberos. You can then use this user
instead of the default admin user.

To use a dedicated Active Directory Admin User (Kerberos):


1. Define an AD user in the Intel AMT device with the PT Administration realm (see
“Defining the Access Control List (ACL)” on page 62).
2. Define a password for the default admin user (see “Default Admin User (Digest)”
on page 12). The application communicating with the Intel AMT device using the
AD user will not use or require this password.
3. Run the Configurator/RCS using the credentials of the user defined in step 1.

Note: When using a Kerberos user and the host-based configuration method:
• The Configurator must NOT be “Run as administrator”.
• You must NOT add the credentials of a domain user to the profile (see
“Saving the Configuration Profile” on page 58).
• Some reconfiguration and maintenance tasks reset the password of the
AD object. If this happens, you must clear the ticket of the Kerberos
user before this user can do more configuration operations. You can do
this by restarting the Intel AMT system or logging off and on again.

Note: When using a Kerberos user, always make sure that this Kerberos user
exists in the ACL of the profile you use to do reconfiguration.

Intel® SCS User Guide 13


Chapter 1 • Introduction

Maintenance Policies for Intel AMT

The Intel SCS does not automatically maintain the configuration settings in Intel AMT
devices after they are configured. It is the responsibility of the network administrator to
define and schedule the necessary maintenance tasks for their network environment.
Maintenance tasks are done using commands of the Configurator CLI.
For more information about the Configurator, see “Using the Configurator” on page 91.

Note: The maintenance tasks described in this section are not applicable to
systems configured using the SMB/Manual configuration method.

For more information about the main maintenance tasks, see:


• “Synchronizing the Clock” on page 14
• “Synchronizing Network Settings” on page 15
• “Re-issuing Certificates” on page 15
• “Replacing Active Directory Object Passwords” on page 15
• “Changing the ADOU Location” on page 16
• “Changing the Default Admin User Password” on page 16

Synchronizing the Clock

The Intel AMT device contains a clock that operates independently from the clock in the
host operating system. For devices configured to use Kerberos authentication, it is
important to synchronize the device clock with the clock of a computer in the network.
(The clock of that computer must also be synchronized with the Key Distribution Center.
This is not done by the Intel SCS.) When the clock is not synchronized, Kerberos
authentication with the device might fail.
For Kerberos enabled devices, Intel recommends to synchronize the clock at two week
intervals. To do this task, use the SyncAMTTime parameter of these commands:
• MaintainAMT — Synchronizes the device clock with the clock of the host operating
system (if the device supports host-based configuration)
• MaintainAMTViaRCSOnly — Synchronizes the device clock with the clock of the
computer running the RCS

Intel® SCS User Guide 14


Chapter 1 • Introduction

Synchronizing Network Settings

After configuration, the Intel AMT device contains IP and FQDN settings that
management consoles use to connect to the device. Changes in the network environment
or the host operating system might make it necessary to change the settings in the device.
To do this task, use the SyncNetworkSettings parameter of the MaintainAMT or
MaintainViaRCSOnly commands.

Note: To use the SyncNetworkSettings parameter, you must use the same profile
that was used the last time the device was configured. If you made
changes to the settings in the profile, do a reconfiguration instead.

Re-issuing Certificates

Intel AMT Devices can be configured to use certificates for authentication (when using
TLS, EAC, Remote Access, or 802.1x). When certificates are issued by a Certification
Authority they are valid for a specified time. These certificates must be reissued before
they expire. Intel recommends that you schedule this maintenance task to run a minimum
of 30 days before the certificate expiration date.
To do this task, use the ReissueCertificates parameter of the MaintainAMT or
MaintainAMTViaRCSOnly commands.

Note: To use the ReissueCertificates parameter, you must use the same profile
that was used the last time the device was configured. If you made
changes to the certificate related settings in the profile, do a
reconfiguration instead.

Replacing Active Directory Object Passwords

If an Intel AMT device is configured to use Active Directory (AD) Integration, an object
is created in the AD Organizational Unit specified in the profile. The object contains a
password that is set automatically (not user defined). If the ADOU has a “maximum
password age” password policy defined in AD, the password must be replaced before it
expires. Intel recommends that you schedule this maintenance task to start a minimum of
10 days before the password is set to expire.
To do this task, use the RenewADPassword parameter of the MaintainAMT or
MaintainAMTViaRCSOnly commands.

Note: To use the RenewADPassword parameter, you must use the same profile
that was used the last time the device was configured. If you made
changes to the AD related settings in the profile, do a reconfiguration
instead.

Intel® SCS User Guide 15


Chapter 1 • Introduction

Changing the ADOU Location


If you change the location of the ADOU containing the objects representing the Intel
AMT devices, you must reconfigure the systems. This makes sure that all settings that
use the object are reconfigured to use the new object.

To change the ADOU location:


1. Define the new ADOU in the configuration profile (see “Defining Active Directory
Integration” on page 61).
2. Use one of these CLI commands to reconfigure the systems:
• “Configuring Systems (Unified Configuration)” on page 95
• “Configuring Systems Using the RCS (Legacy)” on page 97

Note: Make sure that you include the /ADOU flag with the path to the
old ADOU so that Intel SCS can delete the old objects.

Changing the Default Admin User Password

For increased security, it is recommended to change the default admin user password at
regular intervals. To do this you must reconfigure the device. As an alternative to
reconfiguring all the settings in the device, you can use a “Delta Configuration” profile.
This lets you reconfigure only the default admin user password. All other settings in the
device will stay in their current condition.

To reconfigure only the default admin user password:


1. Define a new “Delta Configuration” profile as described in “Creating/Editing
Configuration Profiles” on page 56. However, when you define the profile:
• In the Getting Started window, select Delta Configuration
• In the Profile Scope window, click Clear All and select the Admin User
Password check box
• In the System Settings window, select the method to use when configuring the
password
2. Use one of these CLI commands to reconfigure the systems using the profile you
created in step 1:
• “Configuring Systems (Unified Configuration)” on page 95
• “Configuring Systems Using the RCS (Legacy)” on page 97

Intel® SCS User Guide 16


Chapter 1 • Introduction

Support for KVM Redirection

Intel AMT 6.0 and higher includes support for third-party applications to operate Intel
AMT systems using remote Keyboard, Video and Mouse (KVM) Redirection.
KVM Redirection lets you remotely operate a system as if you are physically located at
the remote system. KVM Redirection uses Virtual Network Computing (VNC) to
“share” the graphical output of the remote system. The results of keyboard and mouse
commands transmitted to the remote system over the network are displayed on the screen
of the local system.
VNC includes two main components:
• VNC Server — An application located on the remote managed system that permits
the VNC Client to connect to and operate the system. From Intel AMT 6.0, a VNC
Server component is embedded in the Intel AMT device.
• VNC Client — An application, usually located on a management server, used to
connect to and operate the remote managed system.

To use KVM Redirection with Intel AMT requires that:


1. KVM is enabled in the MEBx of the Intel AMT system. If disabled in the MEBx,
KVM cannot be enabled by the Intel SCS during configuration (it must be done
manually at the system).
2. The KVM Redirection interface is enabled in the Intel AMT device.
3. A VNC Client is installed on the computer that will control the Intel AMT systems.

VNC Clients

VNC Clients can connect to the VNC Server in the Intel AMT device using these ports:
• Redirection Ports (16994 and 16995) — These ports are available to VNC Clients
that include support for Intel AMT authentication methods. To use these ports, the
VNC Client user must be defined in the Intel AMT device (see “Defining the Access
Control List (ACL)” on page 62). Port 16995 also uses Transport Layer Security.
• Default Port (5900) — VNC Clients that do not include support for Intel AMT can
use this port. This is a less secure option. To use this port:
• The VNC Client user must supply the Remote Frame Buffer (RFB) protocol
password defined in the Intel AMT device. To define the RFB password, see
“Defining System Settings” on page 85.
• Port 5900 must be open on the Intel AMT device. The Intel SCS does not open
this port.

Note: The VNC Client must use version 3.8 or 4.0 of the Remote Frame Buffer
(RFB) protocol.

Intel® SCS User Guide 17


2
Prerequisites
This chapter describes the prerequisites for using the Intel SCS to configure Intel AMT.
For more information, see:
• Supported Intel AMT Versions
• Supported Operating Systems
• Hardware Requirements
• Support for a Workgroup Environment
• Prerequisite Tasks
• Required User Permissions
• Setting up the RCS

Supported Intel AMT Versions

You can use the Intel SCS to configure Intel AMT on systems that have Intel AMT 2.1
and higher. Each system that you want to configure using the Intel SCS must have these
drivers and services installed and running in the operating system:
• MEI — The Intel Management Engine Interface (MEI) driver, also known as HECI,
is the software interface to the Intel AMT device. This driver is usually located under
“System devices”.
• LMS — The Local Manageability Service (LMS.exe) enables local applications to
send requests and receive responses to and from the device. The LMS listens for and
intercepts requests directed to the Intel AMT local host, and routes them to the device
via the MEI.
The MEI and LMS are usually installed by the manufacturer. If they are missing, or you
need to reinstall them, contact the manufacturer of your system to get the correct
versions for your system.

Intel® SCS User Guide 18


Chapter 2 • Prerequisites

Supported Operating Systems

This table describes on which operating systems the Intel SCS components can run.

Table 3. Supported Operating Systems

Version ACU Wizard 1 Configurator RCS 2

Windows* XP Professional x32 (SP3) Yes Yes Yes

Windows 7 Professional x32/x64 Yes Yes Yes

Windows 7 Ultimate x64 Yes Yes Yes

Windows 7 Enterprise x32 Yes Yes Yes

Windows Vista* x32 Yes Yes No

Windows Server* 2008 x32/64 Yes3 No Yes

Windows Server 2008 R2 Yes3 No Yes

Windows Server 2003 x32/x64 (SP2) Yes3 No Yes

Windows Home Server Yes3 No Yes


1
The ACU Wizard also requires Microsoft .NET Framework version 2.0 (SP1) or
higher installed on the computer.
2
The RCS also requires Microsoft .NET Framework version 3.0 (SP1) or higher
installed on the computer.
3
You cannot use the ACU Wizard to configure Intel AMT on computers that have
these operating systems. But, you can define settings to use when configuring other
systems that have one of the operating systems supported by the Configurator.
* Other names and brands may be claimed as the property of others.

Note:
• The Intel SCS components can run on operating systems (listed in
Table 3) installed with these languages: Czech, Danish, Dutch, English,
Finnish, French, German, Greek, Hungarian, Italian, Japanese, Korean,
Norwegian, Polish, Portuguese, Portuguese-Brazilian, Russian,
Simplified Chinese, Spanish, Swedish, Traditional Chinese, Turkish.
• The Intel SCS does not support Non-Latin or Extended Latin characters
in filenames or values in the XML files.

Intel® SCS User Guide 19


Chapter 2 • Prerequisites

Hardware Requirements

The minimum hardware requirements of each of the supported operating systems


(Table 3) are sufficient to run the Intel SCS components.
The RCS component can process a maximum of 200 requests at the same time. (This
number might be less if you use a CA or Active Directory.) If you want to use the RCS
to configure a large number of systems, install the RCS on a computer with sufficient
resources.
For example, the RCS was tested on an Intel® CoreTM I3 multi processor computer with
4 GB of RAM. Using this hardware configuration, the RCS successfully configured
1000 systems with a full configuration profile in less than an hour. During the tests, the
RCS (RCSServer.exe) used between 1 GB and 2 GB of RAM.

Support for a Workgroup Environment

You can configure and use Intel AMT in a peer-to-peer network (a Workgroup).
Computers in a fully peer-to-peer network usually do not have access to services such as
Active Directory (AD) or a Certification Authority (CA). Without access to an AD or
CA, you cannot configure Intel AMT systems with these settings:
• Active Directory Integration
• Kerberos Users
• 802.1x Setups (the IEEE802.1x protocol is not supported)
• Endpoint Access Control (EAC)
• Transport Layer Security (TLS) using authentication with certificates requested
from a CA during configuration
• Remote Access using authentication with certificates requested from a CA
during configuration. (This limitation does not prevent you from defining
Remote Access using password based authentication.)
If the systems are in a peer-to-peer network that is also part of a Client/Server network
you can configure these settings, if necessary. To do this you must:
• Install the RCS component on a computer in a Domain with access to the
necessary AD and/or CA, and the peer-to-peer network.
• Use only the Configurator CLI commands that send the tasks to the RCS
(ConfigViaRCSOnly and MaintainViaRCSOnly).

Note: On Intel AMT systems that support host-based configuration, you can
also configure TLS and/or Remote Access without access to a CA. This is
because the Configurator and ACU Wizard include an option to use
certificates you supply locally in files. To do this, when you define the
TLS or Remote Access settings in the configuration profile, select the
“Use certificate from a file” option.

Intel® SCS User Guide 20


Chapter 2 • Prerequisites

Prerequisite Tasks

The tasks that you must complete before you can use the Intel SCS to configure
Intel AMT depend on which Intel AMT features you want to configure.

Table 4. Prerequisite Tasks

To do this... You need to...

Use the ACU Wizard Copy the ACU_Wizard folder and all its contents to
the computer (or USB key) from where you want to
run the ACU Wizard.
If you want to use the ACU Wizard on a network
drive, see “Problems Using ACU Wizard on a
Network Drive” on page 140.

Integrate Intel AMT with • Create an Organizational Unit (OU) in Active


Active Directory Directory to store objects containing information
about the Intel AMT systems. In a multiple
domain environment, Intel recommends that you
create an OU for each domain.
• Give Create/Delete permissions in the OU you
created to the user account running the Intel SCS
component doing the configuration.

Use the Transport Layer


Security (TLS) protocol when
communicating with
Before you can use these features, you must define
Intel AMT systems
some configuration settings in the Microsoft
Use the IEEE802.1x network Certificate Authority (CA) installed in your
protocol to authenticate network.
Intel AMT systems and define
For more information see “Certification Authorities
Endpoint Access Control
and Templates” on page 112.
(EAC) settings

Use the remote access feature

Setup and configure See “Setting up Remote Configuration (PKI)” on


Intel AMT systems using the page 123.
remote configuration method

Intel® SCS User Guide 21


Chapter 2 • Prerequisites

Required User Permissions

The permissions required by the user account running the Configurator depend on the
state of the Intel AMT device.

Note: In this section, “Configurator” means the Configurator CLI, or the


ACU Wizard when used to do tasks on an Intel AMT system.

Unconfigured Systems
The local user account running the Configurator must have administrator permissions in
the operating system. On operating systems with User Account Control (UAC), the
Configurator must be “Run as administrator”. If the Configurator will be required to
request certificates from a Certification Authority (CA), or create Active Directory (AD)
objects, the user account must have sufficient permissions to do these tasks. If the user
account does not have the required permissions, you must add the credentials of a
domain user with these privileges to the profile (see “Saving the Configuration Profile”
on page 58).

Configured Systems
After an Intel AMT device is configured, reconfiguration and maintenance tasks can
only be done by a user defined in the device with administrator permissions. The user
account running the Configurator is not required to have administrator permissions in the
operating system.

Note: If the Intel AMT device is in Client Control mode, you can unconfigure
Intel AMT without requiring administration privileges in the device. To
do this, you must run the Configurator with a local user account with
administrator permissions on the Intel AMT system. On operating
systems with (UAC), the Configurator must be “Run as administrator”.

Intel® SCS User Guide 22


Chapter 2 • Prerequisites

Setting up the RCS

The RCS component is NOT a prerequisite for these configuration methods:


• SMB/Manual Configuration
• Host Based Configuration (in the default Client Control mode)

Note: If you want to use Master Passwords (see “Digest Master Password” on
page 12), you must also install the RCS.

For all other configuration methods, you must install and prepare the RCS.
For more information, see:
• Installing the RCS
• Backing up Data Stored in the RCS
• RCS User Account Requirements
• User Permissions Required to Access the RCS
• Modifying/Uninstalling the RCS
• Silent Installation

Installing the RCS

The installation file (IntelSCSInstaller.exe) lets you install the RCS and the ACU Wizard
components.

Note:
• You must have local administrator privileges on the computer
where you want to install the RCS. To install the RCS on
operating systems with User Account Control, you must run the
IntelSCSInstaller.exe as an administrator.
• The IntelSCSInstaller.exe does not include an “Upgrade” option
from earlier versions of Intel SCS. To upgrade from
Intel SCS 5.x, use the migration utility. For more information,
refer to the Intel(R)_SCS_5.x_Migration.pdf located in the
Migration_Utilities folder. (Upgrade from Intel SCS 6.x is not
supported.)

Intel® SCS User Guide 23


Chapter 2 • Prerequisites

To install the Intel SCS components:


1. Double-click IntelSCSInstaller.exe. The Welcome window of the
InstallShield Wizard opens.

Figure 3. Welcome Window


2. Make sure that only the check boxes of the components that you want to install are
selected:
• Service — Installs the RCS component.
• Wizard — Installs the ACU Wizard component. You can install this component
on any computer that can connect to the computer running the RCS.
3. Click Next. The License Agreement window opens.
4. Select I accept the terms of the license agreement and click Next.

Intel® SCS User Guide 24


Chapter 2 • Prerequisites

5. If you selected the Service check box, the Service Logon Authentication window
opens. This window lets you define the user under which the RCS will run.

Figure 4. Service Logon Authentication Window


a. Click Browse to select the user, or enter the username in the format
domain\username. (In a Windows Workgroup, enter the username in the format
computer\username.)

b. Enter the password.

Note: The user you select to run the RCS must have a password.

6. Click Next. The Confirm Setup Configuration window opens. This window shows
information about the selections you made.
7. (Optional) The default installation folder is C:\Program Files\Intel\SCS7.0. 
If you want to change this location, in the Install path field enter a new path or click
Browse to select it.
8. Click Install. The installation starts. When the installation finishes, the
InstallShield Wizard Complete window opens.
9. Click Finish. The InstallShield Wizard closes. The RCS is installed with default
settings. If necessary, you can change these settings (see “Changing the Default
RCS Settings” on page 53).

Intel® SCS User Guide 25


Chapter 2 • Prerequisites

Backing up Data Stored in the RCS

If one of the data files used by the RCS is damaged or missing, the RCS cannot operate. 
Thus, it is important to make a regular backup of these files.

Where the RCS Data Files are Located

The data used by the RCS is kept in these encrypted files:


• Profile.xml — The configuration profiles
• PSKsStorage.dat — PSK keys (for the One Touch Configuration method)
• DMP.dat — Digest Master Passwords. This file only exists if at some time the
RCS was set to use the Digest Master Password option (see “Changing the
Default RCS Settings” on page 53).
• scsadmin.dat — Contains a record for each system configured using Intel
SCS5.x and the password of its default Digest admin user. This file only exists if
the admin passwords were migrated from Intel SCS 5.x. For more information,
see the Intel(R)_SCS_5.x_Migration.pdf in the Migration_Utilities folder.
The version of Windows on the computer running the RCS causes the data files to be
installed in a folder (RCSConfServer) in one of these hidden locations:
• ProgramData\Intel_Corporation
• Documents and Settings\All Users\Application Data\Intel_Corporation

Note: The RCSConfServer folder also includes the log files of the RCS
component. Each time the log file (RCSLog.log) becomes too large, or the
RCS is restarted, the file content is moved to a new file with this format:
RCSLog.logYYYY-MM-DD-HH-MI-SS.log.

How to Backup and Restore the RCS Data Files

The data files used by the RCS are encrypted using the Microsoft Windows Data
Protection API (DPAPI). DPAPI uses the password of the user running the RCS when
encrypting the files. Thus, you need to make sure that when you backup the files you use
an encryption method that does not use DPAPI. If you do not, the RCS will not operate
correctly when you do any of these:
• Reinstall the RCS on an different computer
• Change the user account that runs the RCS (changing the password of the
existing user does not cause any problems)
The Intel SCS includes a Microsoft PowerShell cmdlet (RCS-Backup.ps1), located in the
RCS folder. This cmdlet lets you make backup copies of the RCS data files that are
encrypted using a user-independent encryption method. When you use the cmdlet to
restore the RCS data files, they are re-encrypted using DPAPI. Thus, the files can be
restored and used on any computer and with any RCS user account.

Intel® SCS User Guide 26


Chapter 2 • Prerequisites

Before using the RCS-Backup.ps1 cmdlet:


1. On the computer running the RCS, open a command prompt, type PowerShell
and press <Enter>. The PowerShell command prompt shows.
2. Type get-host and press <Enter>. Make sure that PowerShell version 2.0 is
installed (minimum requirement).
3. Type get-executionpolicy and press <Enter>. Make sure that the
PowerShell execution policy is not set to “Restricted” (the default). If the value
shown is Restricted, use the set-executionpolicy command to change it to
“RemoteSigned”.
4. If you want to move the RCS to a different computer, repeat steps 1 through 3 on
the new computer.

Using the RCS-Backup.ps1 cmdlet


For information about running PowerShell scripts, refer to this page in the Microsoft
Technet site: Running Windows PowerShell Scripts.

Note: You must run the cmdlet with the user account that is used to run the RCS
you want to backup or restore. (If you are changing the RCS user account,
make sure that you use the correct user account for each operation.)

The RCS-Backup.ps1 includes command line help. To open the help, from the
PowerShell command line, type get-help .\RCS-Backup.ps1 -full.

This table shows the syntax and parameters of the RCS-Backup.ps1 cmdlet.

Syntax RCS-Backup -Operation <Backup | Restore> -Password <password>


-Profiles <filename> -PSK <filename> [-Cred <filename>]
[-DMP <filename>]

Parameters

-Operation Defines the operation that the cmdlet will perform. Valid values:
• Backup — Create backup copies of the RCS data files
• Restore — Restore the backup copies of the RCS data files to the
RCS

-Password The password to use when encrypting or decrypting the RCS data files

-Profiles Backup/Restore the configuration profiles file (Profile.xml). Supply


the name and location of the backup file.

-PSK Backup/Restore the PSK keys file (PSKsStorage.dat). Supply the


name and location of the backup file.

-Cred Backup/Restore the Admin passwords file (scsadmin.dat). Supply the


name and location of the backup file.

-DMP Backup/Restore the Digest Master Passwords file (DMP.dat). Supply


the name and location of the backup file.

Intel® SCS User Guide 27


Chapter 2 • Prerequisites

RCS User Account Requirements

The user account running the RCS requires the following on the computer where the
RCS is installed:
• Log on as a service permission
• Read permission on the folder containing the RCSServer.exe file
• Read/Write permissions on the folder (RCSConfServer) containing the data files used
by the RCS (see “Backing up Data Stored in the RCS” on page 26)
The InstallShield Wizard tries to give these permissions to the RCS user you select
during installation (Figure 4).

Note: If the RCS is installed on a server running Windows Server 2008


(all x32/64 versions and R2), the RCS user account must be a Local
Administrator on that server.

User Permissions Required to Access the RCS

Configuration methods that use the RCS require these users to have permissions to
connect to the RCS:
• The user account running the Configurator/ACU Wizard
• Any user who wants to create or edit profiles in the RCS
If a user has administrator permissions on the computer running the RCS they will be
able to connect to the RCS. If you do not want to give a user administrator permissions
you can do these procedures instead:
• “Defining DCOM Permissions” on page 28
• “Defining WMI Permissions” on page 29

Defining DCOM Permissions

This procedure describes how to define DCOM permissions.

To define DCOM permissions:


1. On the computer running the RCS open a command prompt window, enter
dcomcnfg and press <Enter>. The Component Services window opens.
2. From the Console Root tree, select Component Services > Computers > 
My Computer.
3. Right-click My Computer and select Properties. The My Computer Properties
window opens.
4. Click the COM Security tab. The COM Security tab opens.

Intel® SCS User Guide 28


Chapter 2 • Prerequisites

Figure 5. COM Security Tab

5. From the Access Permissions section:


a. Click Edit Limits. The Access Permission window opens.

b. Make sure that all users that need to connect to the RCS appear in the list and
have the Local Access and Remote Access permissions.

c. Click OK. The Access Permission window closes.


6. From the Launch and Activate Permissions section:
a. Click Edit Limits. The Launch Permission window opens.

b. Make sure that all users that need to connect to the RCS appear in the list and
have these permissions: Local Launch, Remote Launch, Local Activation, and
Remote Activation.

c. Click OK. The Launch Permission window closes.


7. Click OK. The My Computer Properties window closes.
8. Close the Component Services window.

Defining WMI Permissions

The Intel SCS includes three namespaces that control access to the RCS:
• Intel_RCS — Give permissions to this namespace to users that need to do operations
on Intel AMT systems using the RCS.
• Intel_RCS_Editor — Give permissions to this namespace to users that need to
connect to the RCS to define profiles or settings in the RCS.
• Intel_RCS_Master_Password — Give permissions to this namespace to users that
need to use the RCS to calculate or get the Digest Master Password for an Intel AMT
system.

Intel® SCS User Guide 29


Chapter 2 • Prerequisites

To define WMI permissions:


1. On the computer running the RCS open a command prompt window, enter
wmimgmt.msc and press <Enter>. The Windows Management Infrastructure
window opens.
2. Right-click WMI Control (Local) and select Properties. The WMI Control
(Local) Properties window opens.
3. Click the Security tab. The Security tab opens.

Figure 6. Security Tab

4. Do these steps for each of the namepsaces (Intel_RCS, Intel_RCS_Editor, and


Intel_RCS_Master_Password):
a. From the tree, select the namespace and click Security. The Security window
of the namespace opens.

b. Make sure that all the required users appear in the list and have the Execute
Methods, Full Write, and Remote Enable permissions.

c. Click OK. The Security window of the namespace closes.


5. Close the Windows Management Infrastructure window.

Intel® SCS User Guide 30


Chapter 2 • Prerequisites

Modifying/Uninstalling the RCS

You can use the IntelSCSInstaller.exe to change installation properties or remove all the
Intel SCS components.

Note: If you want to change the user account running the RCS, or move the
RCS to a different computer, you must backup the data files. For more
information, see “Backing up Data Stored in the RCS” on page 26.

To modify/uninstall the Intel SCS components:


1. Double-click IntelSCSInstaller.exe. The Welcome window of the
InstallShield Wizard opens.

Note: You can also modify/uninstall from the Add or Remove Programs option
of the Control Panel.

Figure 7. Welcome Window


2. Select one of these:
• Add or remove components — Lets you make changes to an existing
installation. Continue to step 4.
• Remove all components — Removes all Intel SCS components installed on this
computer. Continue to step 3.

Intel® SCS User Guide 31


Chapter 2 • Prerequisites

3. Click Next. A message shows asking if you are sure that you want to remove all the
Intel SCS components:
a. Click Yes. All the Intel SCS components are removed and the InstallShield
Wizard Complete window opens.

b. Continue to step 8.
4. Click Next. The Modify Components window opens.

Figure 8. Modify Components


5. Select the check boxes of the components you want to remove or install and click
Next.

Note: If the component is already installed, do NOT select the check


box unless you want to uninstall it.

6. Click Next to continue the installation. Enter the required details as described in
“Installing the RCS” on page 23.
When complete, the Confirm Setup Configuration window opens.
7. Click Modify. The installation starts. When the installation finishes, the
InstallShield Wizard Complete window opens.
8. Click Finish. The InstallShield Wizard closes

Intel® SCS User Guide 32


Chapter 2 • Prerequisites

Silent Installation

The InstallShield* executable used to install the Intel SCS, enables you to install the
Intel SCS from a command line using a script file to respond to the installer questions.
This capability is called “silent install”. You can also embed the script file into another
application (for example, a management console) that will run the silent installation as
part of its own installation.
You generate the install script by running the installer with the Record (r) option. Besides
installing Intel SCS, this option also causes the creation of an install script that includes
the responses that you entered during the installation process.

To do a silent install:
1. From the command line, run the installation executable file with these parameters:
IntelSCSInstaller.exe /r /f1“<path\silentinstall.iss>”
where <path\silentinstall.iss> is the name and location of the install script that you
want to create.
The Welcome window of the InstallShield Wizard opens.
2. Do the required installation, as described in “Installing the RCS” on page 23.
3. If the environment on which you want to do a silent install differs from that of the
system on which the install script was recorded, open the script file in a text editor
and edit the required parameter values.
4. Once you have an install script suitable for your environment, you can use it to do a
silent install. From the command line, run the installation executable file with these
parameters:
IntelSCSInstaller.exe /s /f1“<path\silentinstall.iss>” /f2“<path\scsinstall.log>”
where:
• <path\silentinstall.iss> is the name and location of the install script that you
created (and customized if necessary).
• <path\scsinstall.log> is the name and location of the log file that you want to
create. The log file provides information on the installation’s progress and any
errors that may occur. For more information, refer to:
http://helpnet.acresso.com/robo/projects/installshield11helplib/SetupLog.htm

Note: Use absolute paths. Make sure that there are no spaces between
the fl or f2 parameters and the first double quotation mark (“).

Intel® SCS User Guide 33


3
Quick Start Guide
This is a quick start guide to help you decide how to use the Intel SCS to configure
Intel AMT systems.
How you use the Intel SCS depends on these four conditions:

#1 The Number of Systems to Configure


The ACU Wizard is the easiest deployment method and is recommended when a small
number of systems need to be configured. To use this method, see:
• “About the ACU Wizard” on page 36.
• “Configuring/Unconfiguring Individual Systems” on page 37.
When a large number of systems need to be configured automatically, use the
Configurator (see “Using the Configurator” on page 91).

#2 The Intel AMT Versions in the Network


The versions of Intel AMT in your network will define which configuration methods you
can use (see “Configuration Methods and Intel AMT Versions” on page 3).

#3 The Security Requirements


The Intel AMT device gives access to the computer even when the operating system is
not running. This means that a virus/person could use the Intel AMT device to bypass the
security measures defined in the operating system and take over the computer. Each of
the configuration methods include safeguards to prevent this during configuration. The
most secure methods use one of the TLS protocols (PKI or PSK), and thus are not as
easy to use as the other methods. For more information about security, see “Intel AMT
and Security Considerations” on page 8.

#4 The Required Intel AMT Features


All the configuration methods can configure Intel AMT devices so that management
consoles have access to the Intel AMT features. However, Intel AMT also includes
optional features that cannot be configured using the SMB/Manual configuration
method. For information about these optional features, see “Defining Profile Optional
Settings” on page 60.

Intel® SCS User Guide 34


4
Using the ACU Wizard
This chapter describes how to use the ACU Wizard to configure systems, define profiles,
and define settings in the RCS.
For more information, see:
• About the ACU Wizard
• Configuring/Unconfiguring Individual Systems
• Configuring a System (Unified Configuration)
• SMB/Manual Configuration with the ACU Wizard
• Unconfiguring a System
• Defining Profiles for Multiple Systems
• Defining Manual Configuration (Multiple Systems)
• Changing the Default RCS Settings

Intel® SCS User Guide 35


Chapter 4 • Using the ACU Wizard

About the ACU Wizard

The ACU Wizard does not require installation. You can run the ACU Wizard from a
local drive, a mapped network drive, or a USB key.

Note: Each window of the ACU Wizard includes context sensitive help that
shows when you press F1.

To start the ACU Wizard, open the ACU_Wizard folder and double-click
ACUWizard.exe. The Welcome window opens.

Figure 9. Welcome Window


The Welcome window includes these options:
• Configure/Unconfigure this System
This option lets you directly configure Intel AMT systems. You can only select this
option if the computer is an Intel AMT system. For more information, see
“Configuring/Unconfiguring Individual Systems” on page 37.
• Create Settings to Configure Multiple Systems
This option, available when you run the ACU Wizard from any location, lets you
define settings for multiple systems:
• Configuration profiles to use with the Configurator or RCS — See “Defining
Profiles for Multiple Systems” on page 47.
• A USB key for manual configuration — See “Defining Manual Configuration
(Multiple Systems)” on page 51.

Intel® SCS User Guide 36


Chapter 4 • Using the ACU Wizard

Configuring/Unconfiguring Individual Systems

The Configuration Options window lets you define Intel AMT settings on individual
Intel AMT systems.

To configure/unconfigure Intel AMT:


1. From the Welcome window, click Configure/Unconfigure this System. 
The Configuration Options window opens.

Figure 10. Configuration Options Window


2. Select the task and click Next:
• Configure via Windows — Use the host-based configuration method or the
unified configuration process to configure this system (see “Configuring a
System (Unified Configuration)” on page 38).
• Configure via USB Key — Use the SMB/Manual method to configure this
system (see “SMB/Manual Configuration with the ACU Wizard” on page 43).
• Unconfigure — Unconfigures the system (see “Unconfiguring a System” on
page 46).

Intel® SCS User Guide 37


Chapter 4 • Using the ACU Wizard

Configuring a System (Unified Configuration)

The Configure via Windows window lets you configure all versions of Intel AMT.
Configured systems are reconfigured.

Figure 11. Configure via Windows Window


The ACU Wizard automatically does these steps:
1. Detects the Intel AMT version of the system to decide which configuration method
is available.
2. Looks in the folder where the ACU Wizard is located for a valid configuration file
named “Profile.xml”.
What occurs next depends on the Intel AMT version of the system:
• Intel AMT 7.x — Configuration is done locally (host-based configuration) using the
settings in Profile.xml. If Profile.xml does not exist, it is created with default settings.
Optionally, you can edit the settings in the profile before starting the configuration. If
you make changes, they are saved in Profile.xml and will be available for the next
systems you configure. The same profile can be used for all Intel AMT 7.x systems in
your network.

Intel® SCS User Guide 38


Chapter 4 • Using the ACU Wizard

• Intel AMT 6.x and lower — Configuration is done remotely by the RCS using the
settings in a profile stored in the RCS. The ACU Wizard looks in Profile.xml for a tag
with connection information to the RCS. If Profile.xml does not exist, or it exists but
does not contain this tag, an error message shows. Before you can use this option to
configure these systems, you need to:
• Install an RCS (see “Setting up the RCS” on page 23)
• Create a configuration profile in the RCS (see “Defining Profiles for Multiple
Systems” on page 47)
• Export the profile from RCS and save it with the name Profile.xml in the same
folder as the ACU Wizard (see “Exporting Profiles from the RCS” on page 49)

To configure an Intel AMT system:


1. From the Configuration Options window, select Configure via Windows.
The Configure via Windows window opens.
2. In the Admin Password section, enter the password for the default Administrator
user in the Intel AMT device:
• Current Password — This field is enabled only if the system is configured. If
the user account running the ACU Wizard is defined in the Intel AMT device as
an administrator, you do not need to supply this password.
• Password/Confirm Password — These fields show only for systems with
Intel AMT 7.0 and higher. The first time you use the ACU Wizard to configure a
system, you must enter the password here. This password is saved in the
Profile.xml. In subsequent configurations, the ACU Wizard automatically
populates this field for you. This is the password that will be put in the
Intel AMT device. If you want to change the password of a configured system,
enter the new password here.
For information about the required format, see “Password Format” on page 8.
3. (Optional) If this is an Intel AMT 7.x system, you can change the default settings in
Profile.xml before you start configuration. To do this, click Edit Configuration
(see “Creating/Editing Configuration Profiles” on page 56).
4. (Optional) If necessary, you can change the default network settings that the Intel
SCS will put in the Intel AMT device. To do this, select Override default Settings
and click Network Settings (see “Defining IP and FQDN for a Single System” on
page 40).

Note: The default network settings that Intel SCS puts in the device will
operate correctly for most network environments.

5. If the profile is not encrypted, click Next to define if you want to encrypt the
profile (see “Encrypting the Profile” on page 42).

Note: If you have already encrypted the profile, this step is not
necessary. Click Configure to configure the system.

Intel® SCS User Guide 39


Chapter 4 • Using the ACU Wizard

Defining IP and FQDN for a Single System

Each Intel AMT device can have its own IP and FQDN settings. The IP and FQDN
settings are usually the same as those defined in the host operating system, but they can
be different. The Intel SCS puts these settings in the Intel AMT device.

To change the default IP and FQDN settings:


1. From the Configure via Windows window, click Network Settings. The Network
Settings window opens.

Figure 12. Network Settings Window


2. From the FQDN Setting section, select the source for the FQDN (hostname.suffix):
• FQDN created from:
• Primary DNS FQDN — The hostname part of the FQDN is the hostname
from the host operating system. The suffix is the “Primary DNS Suffix”
from the host operating system. This is the default setting, and is correct for
most network environments.
• On-board LAN connection-specific DNS FQDN — The hostname part of
the FQDN is the hostname from the host operating system. The suffix is the
“Connection-specific DNS Suffix” of the card.
• Host Name — Takes the host name from the operating system. The suffix is
blank.
• Active Directory FQDN — The hostname part of the FQDN is the
hostname from the host operating system. The suffix is the AD domain of
which the host operating system is a member.
• DNS Look Up FQDN — Takes the name returned by an “nslookup” on the
IP address of the card.
• Use the following FQDN — Enter the FQDN you want to set in the device.

Intel® SCS User Guide 40


Chapter 4 • Using the ACU Wizard

3. (Optional) Intel AMT 6.0 and higher includes a setting called “Shared FQDN”.
This setting can change the behavior of the Intel AMT device when using option 81
of the DHCP server to update DNS:
• When this setting is true, the Intel AMT device will send broadcast queries only
when the operating system is not running. This is the default behavior of all
Intel AMT versions that do not support the Shared FQDN setting.
• When this setting is false, the device will always send its own broadcast queries,
even when the operating system is running. For Intel AMT 6.0 and higher
devices that will be configured with a dedicated FQDN, clear this check box:
The device and the OS will have the same FQDN (Shared FQDN).
4. (Optional) Intel AMT 6.0 and higher includes the Intel AMT Dynamic DNS
Update (DDNS Update) Client. When enabled, this client can periodically update
the DNS with the FQDN and IP address configured in the Intel AMT device. 
Intel AMT will send DDNS Updates based on the policy configured in the DHCP
server returned in the DHCP option 81 flags. Before Intel AMT 6.0, Intel AMT
was only capable of using the DHCP option 81 to request that the DHCP server
update the DNS on its behalf. If you want to disable all DNS updates, clear this
check box: The device will update the DNS directly with its FQDN and IP.

Note: If you clear this check box, Intel AMT will not send DHCP option
81 or DDNS Update requests.

5. From the IP Setting section, select the source for the IP settings:
• Use the same IP as the host (for static IP only)
• Get the IP from the DHCP server
• Use the following settings — Enter the IP and subnet address
6. Click OK. The Network Settings window closes and the Profile.xml is updated
with the changes that you made (in the <NetworkSettings> tag).

Intel® SCS User Guide 41


Chapter 4 • Using the ACU Wizard

Encrypting the Profile

The Profile Encryption window lets you encrypt the configuration profile. To open an
encrypted profile, you must supply the password used to encrypt it.

Figure 13. Profile Encryption Window

You can do one of the following:


• To encrypt the profile, enter a password (see “Password Format” on page 8).
• If you do not want to encrypt the profile, clear the Encrypt the XML file using
this password check box.
When you click Configure, the profile is saved with the password you entered. The
system is configured with Intel AMT and can be accessed by management consoles.

Intel® SCS User Guide 42


Chapter 4 • Using the ACU Wizard

SMB/Manual Configuration with the ACU Wizard

This procedure describes how to configure an Intel AMT system using a USB key.

Note: This option is available only for systems with Intel AMT 4.0 and higher.
For more information, see “SMB/Manual Configuration” on page 5.

To configure an Intel AMT system:


1. From the Configuration Options window, select Configure via USB Key.
The Configure via USB Key window opens.

Figure 14. Configure via USB Key Window


2. In the MEBx Password section, enter the password for the MEBx:
• Current Password — The ACU Wizard always puts the default password of
unconfigured systems (“admin”) in this field. If this is not the password in the
MEBx, enter the correct password. If you do not supply the correct password,
configuration will fail.
• New Password — The new password to put in the MEBx. For the first
configuration it is mandatory to change the MEBx password. For reconfiguration
you must also enter a value here, but it can be the same as the Current Password.
For information about the required format, see “Password Format” on page 8.

Note: The passwords are not encrypted on the USB key. Make sure that
you restrict access to the USB key.

Intel® SCS User Guide 43


Chapter 4 • Using the ACU Wizard

3. (Optional) Select Display advanced settings to view or edit the default settings
that the ACU Wizard will define for this system:
• Power Settings — Defines in which power states (of the host system) the
Intel AMT device will operate.
• Always on (S0-S5) — If the system is connected to the power supply, the
Intel AMT manageability features are available in any of the system power
states. This is the recommended setting.
• Host is on (S0) — The Intel AMT manageability features are available only
if the operating system of the Intel AMT system is up and running.
• Network Settings — By default, the ACU Wizard configures the Intel AMT
device with the hostname and the domain name defined in the operating system.
This is the recommended setting, but you can change these settings if necessary
for your network environment. By default, the ACU Wizard also uses the
Dynamic Host Configuration Protocol (DHCP) server to configure the IP address
of the device. If you are not using DHCP in your network, clear the
DHCP Enabled check box and enter the network IP addresses.
• Redirection Settings — These settings are shown only for systems with
Intel AMT 6.0 and higher:

Select the settings:


• Enable KVM Redirection — Enables support for KVM redirection
• Allow IT to change user consent setting — Enables changes to the user
consent setting in the Intel AMT device to be done remotely
• User consent setting — Defines for which redirection operations user
consent is mandatory. For more information, see “User Consent” on page 4.
4. Put a USB key in the Intel AMT system (this USB key will be formatted in step 7).

Note: The ACU Wizard does not restrict the size of USB key you can
use. But, the computer BIOS must fully support the selected USB
key and be able to do a reboot from it.

Intel® SCS User Guide 44


Chapter 4 • Using the ACU Wizard

5. Click Next. The Create Configuration USB Key window opens.

Figure 15. Create Configuration USB Key Window

6. From the USB Drive drop-down list, select the drive letter of the USB key (you
cannot select a USB key if you are using it to run the ACU Wizard).

7. Click Next. A message is shown warning that the USB key will be formatted.
8. Click Yes. The ACU Wizard creates a configuration file (Setup.bin) on the
USB key. When complete, the USB Key Ready window opens with information
about the success or failure of the process.

9. Click Finish. The ACU Wizard closes.

10. Make sure that only the USB key that you selected in step 6 is connected to the
system and reboot the system. During the reboot, a message is shown on the
screen:

11. Type “Y” and press <Enter>. The settings are put in the device and a new message
is shown on the screen:

12. Remove the USB key from the system and press a key to continue the reboot.
The system is now configured with Intel AMT and can be accessed by
management consoles.

Note: After configuration, the data in the Setup.bin file on the USB key is
deleted (but the file is not deleted). Thus, you must do all the steps of this
procedure for each system that you want to configure using a USB key.

Intel® SCS User Guide 45


Chapter 4 • Using the ACU Wizard

Unconfiguring a System

This procedure describes how to use the ACU Wizard to unconfigure Intel AMT on a
system.

Note:
• This option is available only for systems with Intel AMT 7.0 and higher.
For all other Intel AMT versions, use the Configurator
(see “Unconfiguring Intel AMT Systems” on page 107).
• If the system was configured with Active Directory integration, the
ACU Wizard does not delete the object representing the system. Delete
the object manually, or use the Configurator CLI command instead.

To unconfigure a system:
1. From the Configuration Options window, select Unconfigure. The Unconfigure
System window opens.

Figure 16. Unconfigure System window


2. If the system is in Admin Control mode, you must select the user credentials to use
during unconfiguration:
• Unconfigure this system using current user — Select this option if the user
running the ACU Wizard is defined in the Intel AMT device as an administrator.
• Unconfigure this system using admin password — Select this option to
unconfigure using the default admin user. You must supply the password of the
admin user.

Note: If the system is in Client Control mode, this step is not required
(the fields are not shown).

3. Click Unconfigure. The ACU Wizard deletes all the Intel AMT settings from the
system and disables the Intel AMT features on the system.

Intel® SCS User Guide 46


Chapter 4 • Using the ACU Wizard

Defining Profiles for Multiple Systems

The Profile Designer window lets you create profiles with configuration settings for
multiple systems. These profiles are used by the Configurator or the RCS. The location
of the profiles is shown in the top left section (“Profiles Folder” or “Server”). The right
pane shows the configuration settings of the profile selected in the left pane.

Figure 17. Profile Designer Window


You can save profiles:
• In a folder you select — You can only use these profiles for host-based configuration
of systems with Intel AMT 7.x. To set the folder where the profiles are saved,
click .
• In the RCS — You can use these profiles to configure systems with any Intel AMT
version. To create profiles in the RCS, you must first connect to the RCS. If you want
to do unified configuration, you must also export the profile after you define it.
For more information, see:
• “Connecting to the RCS” on page 48.
• “Exporting Profiles from the RCS” on page 49.

Note: You create and edit the profiles using the Configuration Profile Wizard
(see “Defining Configuration Profiles” on page 55).

Intel® SCS User Guide 47


Chapter 4 • Using the ACU Wizard

Connecting to the RCS

Before you can create profiles in the RCS, you must first connect to the RCS.

Note: After the first successful connection, the ACU Wizard automatically
connects to the RCS each time you enter the Profile Designer window.

To connect to the RCS:


1. From the Welcome window, click Create Settings to Configure Multiple
Systems. The Profile Designer window opens.

2. Select Tools > Connect to Service. The Connect to Service window opens.

Figure 18. Connect to Service Window


3. Select one of these:
• Connect to a service running on this computer — If the RCS you want to
connect to is installed on this computer, make sure that it is running and then
select this option. The next time you start the wizard on this computer the
ACU Wizard will automatically connect to the RCS.
• Connect to a service on a remote computer — Select this option if the RCS
runs on a different computer in the network. Enter the name of the computer
running the RCS. The ACU Wizard will login using the current user credentials.
Optionally, you can clear the Login as current user check box and enter
credentials of a different user.
4. Click Login. When connection is established, the Connect to Service window
closes. The profiles stored in the RCS are shown in the Profile Designer window.

Intel® SCS User Guide 48


Chapter 4 • Using the ACU Wizard

Exporting Profiles from the RCS

To use unified configuration (see “Unified Configuration Process” on page 6) you must
export the profile that you saved in the RCS to an XML file. You must then put this
exported profile in your deployment package.

To export the profile:


1. From the Profile Designer window, select the profile you want to use to configure
the systems.
2. Select Edit > Export to XML. The Export Profile to XML File window opens.

Figure 19. Export Profile to XML File Window


3. In the Path to XML file field, define a name and location for the exported file.
4. Do one of these:
• If you want to encrypt the profile, enter a password (see “Password Format” on
page 8).
• If you do not want to encrypt the profile, clear the Encrypt the XML file using
this password check box.
5. In the Credentials section, define the username and password of a user with
permissions to login to the computer running the RCS.

Intel® SCS User Guide 49


Chapter 4 • Using the ACU Wizard

6. If the profile includes any of these settings:


• Active Directory Integration
• Requesting certificates from a Certification Authority
these optional fields are shown in the Credentials section:

If you supply a username and password here, the Configurator uses them to
communicate with the CA and/or create Active Directory objects. If they are not
supplied, these operations are done using the user running the Configurator. If you
do not supply a username and password, make sure that you run the Configurator
with a user that has permissions to do these operations. (On operating systems with
User Account Control (UAC), the local administrator account does not have
sufficient permissions.)
7. By default, Intel AMT 7.x devices are put in the Client Control mode (see “Control
Modes” on page 4). If you need to remove the restrictions of Client Control mode,
select Put locally configured devices in Admin Control mode. If you select this
check box, the devices are put in Admin Control mode. This setting is ignored for
Intel AMT versions earlier than 7.0.
8. (Optional) Click Set to define the source the Configurator will use to define the IP
and FQDN of the Intel AMT device. This step is only required if you need to
change the default settings (see “Defining IP and FQDN Settings” on page 89).

Intel® SCS User Guide 50


Chapter 4 • Using the ACU Wizard

Defining Manual Configuration (Multiple Systems)

You can prepare a USB key with identical configuration settings to use with multiple
Intel AMT systems. When the systems are rebooted with the USB key, Intel AMT is
configured on them.

Note: This option is available only for systems with Intel AMT 6.0 and higher.
For other Intel AMT systems you must make a new USB key for each
system (see “SMB/Manual Configuration with the ACU Wizard” on
page 43).

To prepare the USB key:


1. Put a USB key in the computer.

Note: The ACU Wizard does not restrict the size of USB key you can
use. But, the computer BIOS must fully support the selected USB
key and be able to do a reboot from it.

2. Select Tools > Prepare a USB Key for Manual Configuration. 


The Settings for Manual Configuration of Multiple Systems window opens.

Figure 20. Settings for Manual Configuration of Multiple Systems Window

Intel® SCS User Guide 51


Chapter 4 • Using the ACU Wizard

3. If you have mobile and desktop systems, you must prepare a different USB key for
each type. This is because mobile and desktop systems have different power
settings. Select the type of system that this USB key will configure:
• Mobile Systems
• Desktop Systems
4. Select the versions of Intel AMT that this USB key will configure:
• All systems are Intel AMT 6.0 and higher — If selected, you can use this
USB key to configure systems that have Intel AMT 6.x and 7.x.
• All systems are Intel AMT 7.0 and higher — If selected, you can use this
USB key to configure only systems that have Intel AMT 7.x. The data in the
USB key is “scrambled” so it cannot easily be read.

Note: Make sure that you keep this USB key in a secure location. The
data in the USB key is NOT encrypted (even if it is “scrambled”).

5. In the Configuration Settings section, enter the password for the MEBx:
• Old MEBx Password— The ACU Wizard always puts the default password of
unconfigured systems (“admin”) in this field. If this is not the password currently
defined in the MEBx, enter the correct password. If you do not supply the correct
password, configuration will fail.
• New MEBx Password — The new password to put in the MEBx. For the first
configuration it is mandatory to change the MEBx password. For reconfiguration
you must also enter a value here, but it can be the same as the Current Password.
For information about the required format, see “Password Format” on page 8.
6. From the drop-down list, define in which power states (of the host system) the
Intel AMT device will operate:
• Always on (S0-S5) — If the system is connected to the power supply, the
Intel AMT manageability features are available in any of the system power
states. This is the recommended setting.
• Host is on (S0) — The Intel AMT manageability features are available only
if the operating system of the Intel AMT system is up and running.
7. (Optional) By default, the user consent feature is not enabled for systems
configured using this configuration method (see “User Consent” on page 4).
If you want to define that user consent is mandatory for redirection sessions, select
User consent required for redirection sessions.
8. From the USB Drive drop-down list, select the drive letter of the USB key (you
cannot select a USB key if you are using it to run the ACU Wizard).

9. Click Next. The Formatting USB drive window opens.


10. Click Yes if you are sure you want to continue and format the USB key. The
ACU Wizard creates a configuration file on the USB key.

Intel® SCS User Guide 52


Chapter 4 • Using the ACU Wizard

Changing the Default RCS Settings

The RCS is installed with default settings. If necessary, you can change these settings.

To change the default RCS settings:


1. Before you can change the RCS settings, the ACU Wizard must be connected to the
RCS (see “Connecting to the RCS” on page 48).
2. From the Profile Designer window, select Tools > Settings. The Settings window
opens.

Figure 21. Settings Window


3. Make the necessary changes. The settings are described in this table:

Table 5. RCS Settings

Section Description

For more information about this option and when to use it, see
“Admin Permissions in the Intel AMT Device” on page 12.
To define the active Digest Master Password (DMP), click Set and
enter the password. The password must be between 8-32 characters,
with at least one number, one non alphanumeric character, one
Digest Master lowercase Latin letter, and one uppercase Latin letter.
Password For increased security, change the DMP at regular intervals and
then reconfigure the systems. The RCS saves the last 10 DMPs that
were set in an encrypted file. If the file is full, when a new DMP is
set the oldest entry is deleted.
Note: Keep a record of each DMP you set. You might need to
supply them to third-party applications.

Intel® SCS User Guide 53


Chapter 4 • Using the ACU Wizard

Table 5. RCS Settings

Section Description

The RCS communicates with the Intel AMT device using the
Transmission Control Protocol (TCP). During communication, if
the device does not answer within a specified time the RCS cancels
the communication. This default “Timeout” setting is 10 seconds.
Network This is usually enough time for the device to respond. To change
this default, enter a new value (between 10 and 80 seconds) in this
field: Timeout for connection with systems (in seconds).
Note: A large Timeout value can cause configuration/maintenance
tasks done by the RCS to take longer than usual.

Select the option you want to use:


• None — Select this option if you do not want to use any of the
Advanced Configuration Options described here
• One Time Password required — This option is only used with
the Remote Configuration (PKI) method. If selected, the RCS
will start configuration only after the Intel AMT device
authenticates itself to the RCS with the OTP created by the
Configurator. For more information, see “About Remote
Configuration” on page 124.
Advanced • Support Configuration triggered by Hello messages — Select
Configuration this option only if you want the RCS to remotely configure
Options systems using a script that you supply. If you select this option:
1. Specify the TCP port that the RCS will use to listen for hello
messages from the Intel AMT systems. The minimum value for
the port is 1025. The default port is 9971.
2. Specify the path to a script that will provide the required
information about the Intel AMT systems. The script must be
located on the computer running the RCS.
For more information, see “Remote Configuration Using Scripts”
on page 133.
Note: If you enable or disable support for Hello messages, or
change the listener port number, you must restart the RCS.

4. Click OK. The settings are saved and the Settings window closes.

Intel® SCS User Guide 54


5
Defining Configuration Profiles
This chapter describes how to define configuration profiles.
For more information, see:
• About Configuration Profiles
• Creating/Editing Configuration Profiles
• Defining the Profile Scope
• Defining Profile Optional Settings
• Defining Active Directory Integration
• Defining the Access Control List (ACL)
• Defining Home Domains
• Defining Remote Access
• Defining Trusted Root Certificates
• Defining Transport Layer Security (TLS)
• Defining Network Setups
• Defining System Settings

About Configuration Profiles

Configuration profiles are XML files that contain the settings that will be put into the
Intel AMT devices during configuration. Note that the SMB/Manual configuration
method does not use configuration profiles.

Intel® SCS User Guide 55


Chapter 5 • Defining Configuration Profiles

Creating/Editing Configuration Profiles

The Intel SCS includes a Configuration Profile Wizard that lets you create and edit
configuration profiles. This wizard starts when you click:
• Edit Configuration in the Configure via Windows window (see “Configuring a
System (Unified Configuration)” on page 38)
• New or Edit in the Profile Designer window (see “Defining Profiles for Multiple
Systems” on page 47)

When you start the Configuration Profile Wizard, the Getting Started window opens.

Figure 22. Getting Started Window

Intel® SCS User Guide 56


Chapter 5 • Defining Configuration Profiles

To define the profile:


1. If you create a profile in the RCS, this additional field is shown in the Profile
Description section:

Enter a name that will identify this profile in the RCS.


2. (Optional) In the Profile Description section, enter a description for the profile.
This field is for informational purposes only.
3. Select the task for which you want to use this profile:
• Configuration / Reconfiguration — Systems configured using this profile will
be set with the Intel AMT settings exactly as they are defined in this profile.
Optional settings that are not defined in this profile will be removed from the
systems during configuration.
• Delta Configuration — After a system is configured, you can use this option to
make changes to specific settings only. Only settings defined in the Profile Scope
window will be changed on the systems during configuration. All other settings
will stay in their current condition on the systems.
4. Click Next to continue in the Configuration Profile Wizard and define the settings
as described in these topics:
• “Defining the Profile Scope” on page 59
• “Defining Profile Optional Settings” on page 60
• “Defining Active Directory Integration” on page 61
• “Defining the Access Control List (ACL)” on page 62
• “Defining Home Domains” on page 66
• “Defining Remote Access” on page 67
• “Defining Transport Layer Security (TLS)” on page 73
• “Defining Network Setups” on page 76
• “Defining System Settings” on page 85
5. When you have defined all the required settings for this profile, save the profile
(see “Saving the Configuration Profile” on page 58).

Intel® SCS User Guide 57


Chapter 5 • Defining Configuration Profiles

Saving the Configuration Profile

The Finish window is the last step when you create a new profile or edit an existing
profile. The type of profile and the settings you define in the profile cause different fields
to show in the Finish window.

To save the profile:


1. If these fields are shown:

a. In the Name of XML file, enter a name for this profile.

b. (Optional) Select the Encrypt the XML file using this password check box
and enter a password (see “Password Format” on page 8). Intel recommends
that you use this encryption option (the profile contains passwords).
2. If the profile includes any of these settings:
• Active Directory Integration
• Requesting certificates from a Certification Authority
these optional fields are shown:

Make sure the Configurator runs under a user with permissions to communicate
with the CA or create Active Directory objects. On operating systems with User
Account Control (UAC), the local administrator account does not have sufficient
permissions. If you supply a username and password here, the Configurator uses
them to do these tasks.

Note: When creating/editing a profile in the RCS, these fields are not
shown. Instead, they are shown if you export the profile to use it
in the Unified Configuration process.

3. Click Finish.

Intel® SCS User Guide 58


Chapter 5 • Defining Configuration Profiles

Defining the Profile Scope

The Profile Scope window of the Configuration Profile Wizard lets you limit the settings
that will be configured on systems when using this profile. Only settings defined in the
Profile Scope window will be changed on the systems during configuration. All other
settings will stay in their current condition on the systems. Thus you can use this profile:
• To configure systems without making changes to Intel AMT settings configured using
third-party applications
• To make changes to specific Intel AMT settings on configured systems

Figure 23. Profile Scope Window

To limit the profile scope:


1. Select the check boxes of all the settings that you want to configure/unconfigure on
the systems using this profile. Settings that are not selected will not be shown in the
Configuration Profile Wizard when you continue to edit the profile.
2. Click Next to continue to the Optional Settings window.

Intel® SCS User Guide 59


Chapter 5 • Defining Configuration Profiles

Defining Profile Optional Settings


The Optional Settings window of the Configuration Profile Wizard lets you select which
optional settings to configure/unconfigure in the Intel AMT device using this profile.

Figure 24. Optional Settings Window

To select the optional settings:


1. Select the check boxes of the optional settings you want to configure using this
profile. The Intel SCS will remove (unconfigure) any existing settings from the
Intel AMT system of options that are not selected in this window.
2. Click Next to continue in the Configuration Profile Wizard and define the
configuration settings, as described in these topics:
• “Defining Active Directory Integration” on page 61
• “Defining the Access Control List (ACL)” on page 62
• “Defining Home Domains” on page 66
• “Defining Remote Access” on page 67
• “Defining Transport Layer Security (TLS)” on page 73
• “Defining Network Setups” on page 76

Intel® SCS User Guide 60


Chapter 5 • Defining Configuration Profiles

Defining Active Directory Integration

If your network is using Active Directory, the Active Directory Integration window lets
you configure the Intel AMT device to use security features of the Active Directory.

Figure 25. Active Directory Integration Window


You can define integration with the Active Directory by selecting one of these:
• Active Directory OU — Click and select the Organizational Unit where
the system is stored in AD. During configuration, the Intel SCS sends a request
to the AD to create an object representing the Intel AMT system and add it to the
Active Directory Organizational Unit (ADOU) you define here.
• Path to file containing ADOU information — Enter the path to an XML file
(path from the Intel AMT system) that contains the path and password of the
ADOU where Intel AMT systems are stored. (For an example of the required
XML format, see the ADObjectFile.xml example in the sample_files folder.)
The file must be placed in a location that can be accessed from all the Intel AMT
systems that will be configured using this profile.

Intel® SCS User Guide 61


Chapter 5 • Defining Configuration Profiles

Defining the Access Control List (ACL)

The Access Control List (ACL) window of the Configuration Profile Wizard lets you
define users and their access privileges in the Intel AMT device. If you enable ACL you
must define at least one user or group, but no more than seven digest users and 32 Active
Directory users/groups. User identification and realm selection must be coordinated with
the requirements and instructions of third-party management consoles.

Figure 26. Access Control List (ACL) Window


You can do these tasks to define the users in the ACL:
• Create a new user by clicking Add — See “Adding a User to the ACL” on page 63.
• Edit an existing user by clicking Edit.
• Remove a user from the list by clicking Remove.

Intel® SCS User Guide 62


Chapter 5 • Defining Configuration Profiles

Adding a User to the ACL


The User/Group Details window enables you to add a new user or user group to the
profile’s Access Control List.

To add a user:
1. From the Access Control List (ACL) window, click Add. The User/Group Details
window opens.

Figure 27. User/Group Details Window


2. In the User Type section, select the required type of user:
• Digest User — Enter the username and password (see “Password Format” on
page 8). The usernames “admin” and “administrator” are not permitted (these
names are reserved for the default admin user). The username must be unique in
this profile, a maximum of 16 characters, and cannot contain these characters: 
(,), (:), (“), (&), (<), or (>). Usernames starting with $$ are not permitted.
• Active Directory User/Group — Click Browse and select the user or group.

Note: You cannot select the default user groups from the Active Directory
Builtin folder. Instead, either add the required users individually or create
and add a new group containing the users.

3. From the Access Type drop-down list, specify an access type. This parameter
defines the locations from where the user is allowed to do an action. A user might
be limited to local actions or might also be able to do actions from the network.
Select one of these:
• Local — The user can access the Intel AMT system only via the local host.
• Remote — The user can execute an action only via the network.
• Both — The user can execute an action either locally or from the network.

Intel® SCS User Guide 63


Chapter 5 • Defining Configuration Profiles

4. From the Realms section, select the check boxes of the realms that you want to
make available to this user. The realms define specific functional capabilities, as
described in this table.
Note that not all realms are available on all versions of Intel AMT.

Table 6. Intel AMT Realms

Realm Capabilities

Redirection Enables and disables the redirection capability and


retrieves the redirection log. The redirection interface
itself is a separate proprietary interface that does not
depend on HTTP/SOAP. See the Redirection Library
Design Guide.

PT Administration Manages security control data, such as Access Control


Lists, Kerberos parameters, Transport Layer Security,
Configuration parameters, power saving options and
power packages. A user with PT Administration
Realm privileges has access to all realms.
Note: If this user will be used to run the Configurator
to do host-based configuration, the Access Type must
be Local (or Both).

Hardware Asset Used to retrieve information about the hardware


inventory of the Intel AMT system

Remote Control Enables powering a system up or down remotely. Used


in conjunction with the Redirection capability to boot
remotely.

Storage Used to configure, write to and read from non-volatile


user storage. The actual commands are in the Storage
Library.

Event Manager Allows configuring hardware and software events to


generate alerts and to send them to a remote console
and/or log them locally

Storage Administration Used to configure the global parameters that govern


the allocation and use of non-volatile storage

Agent Presence Local Used by an application designed to run on the local


platform to report that it is running and to send
heartbeats periodically

Agent Presence Remote Used to register Local Agent applications and to


specify the behavior of Intel AMT when an application
is running or stops running unexpectedly

Circuit Breaker Used to define filters, counters, and policies to monitor


incoming and outgoing network traffic and to block
traffic when a suspicious condition is detected (the
System Defense feature)

Intel® SCS User Guide 64


Chapter 5 • Defining Configuration Profiles

Table 6. Intel AMT Realms (Continued)

Realm Capabilities

Network Time Used to set the clock in the Intel AMT device and
synchronize it to network time

General Info Returns general setting and status information. With


this interface, it is possible to give a user permission to
read parameters related to other interfaces without
giving permission to change the parameters

Firmware Update Used only by manufacturers via Intel-supplied tools to


update the Intel AMT firmware

EIT Implements the Embedded IT service

Local User Notification Provides alerts to a user on the local interface

Endpoint Access Control Returns settings associated with NAC posture

Endpoint Access Control Configures and enables the NAC posture


Administrator

Event Log Reader Allows definition of a user with privileges only to read
the Intel AMT system log

Access Monitor Allows a system auditor to monitor all events.


Before assigning this realm, see “Using Access
Monitor” on page 65.

User Access Control Groups several ACL management commands into a


separate realm to enable users to manage their own
passwords without requiring administrator privileges

Using Access Monitor

The access monitor serves as a deterrent to rogue administrator activity by tracing any
attempts to do damaging actions. The feature is implemented by means of two elements:
an Audit Log and a special Auditor user that you assign the Access Monitor realm. The
Intel AMT system writes selected events to the Audit Log that is accessible only to the
Auditor. Only the Auditor can define which events the Intel AMT system writes to the
Audit Log.
You can assign the Access Monitor realm to one user only, and only that user can then
relinquish it. By default, the default admin user account has access to this realm.

Note: The Access Monitor feature is available from Intel AMT 4.0 and higher.

Intel® SCS User Guide 65


Chapter 5 • Defining Configuration Profiles

Defining Home Domains

The Home Domains window of the Configuration Profile Wizard lets you define a list of
domains. When the Intel AMT system is not located in one of the domains listed in the
Home Domains list, access to Intel AMT is blocked.
.

Figure 28. Home Domains Window

To define the domains:


1. Click Add. The Domain Properties window opens.
2. Enter the DNS suffix name and click OK. The Domain Properties window closes
and the domain appears in the list of domains.

Note: Make sure that the list of home domains is complete and accurate.
If this profile is applied to an Intel AMT system that does not
operate in a domain in this list, you will not be able to configure or
access Intel AMT functions on that system.

3. (Optional) To permit access to Intel AMT over a Virtual Private Network, select
Allow Intel® AMT functionality via VPN. If selected, access to the Intel AMT
system is permitted when it is connected over a VPN to a domain in the Home
Domains list.

Intel® SCS User Guide 66


Chapter 5 • Defining Configuration Profiles

Defining Remote Access

The remote access feature lets Intel AMT systems (versions 4.x and higher) located
outside an enterprise connect to management consoles inside the enterprise network. The
connection is done via a Management Presence Server (MPS) located in the DMZ of the
enterprise. The MPS appears as a proxy server to management console applications. The
Intel AMT device establishes a Mutual Authentication TLS tunnel with the MPS.
Multiple consoles can interact with the Intel AMT device through the tunnel.
For remote access to work, the Intel AMT system must first be configured when it is
inside the enterprise with the information needed to connect with the MPS.

Figure 29. Remote Access Window


To define the remote access parameters, see these topics:
• “Defining Management Presence Servers” on page 68
• “Defining Remote Access Policies” on page 70

Intel® SCS User Guide 67


Chapter 5 • Defining Configuration Profiles

Defining Management Presence Servers

You can define up to four Management Presence Servers in a configuration profile.

To define a management presence server:


1. From the Management Presence Servers section of the Remote Access window,
click Add. The Management Presence Server Properties window opens.

Figure 30. Management Presence Server Properties Window


2. In the Server FQDN or IP Address field, enter the FQDN or IP address of the
Management Presence Server.
3. In the Port field, enter the Port that the Management Presence Server listens on for
connections from Intel AMT systems.
4. Click Edit List to define the location of the trusted root certificates that will be
used by Intel AMT systems configured with this profile (see “Defining Trusted
Root Certificates” on page 71).
5. If you entered an IP address in the Server FQDN or IP Address field, you need to
enter the FQDN in the Common Name field. (If you entered the FQDN in the
Server FQDN or IP Address field, the Common Name field is disabled.)

Intel® SCS User Guide 68


Chapter 5 • Defining Configuration Profiles

6. Define the required type of authentication:


• To define authentication based on a password, select System authentication is
password based, enter a username and password, and continue from step 9.
• To define authentication based on certificates, select System authentication is
certificate based, and continue from step 7.
7. From the Select the method for creating the certificate drop-down list, select the
source for the certificate that will be installed in the Intel AMT device:
• Request certificate from CA — By default, the settings for this option are
displayed. To use this option, the Intel SCS (Configurator, RCS, or ACU Wizard)
must have access to the CA during configuration. Continue from step 8.
• Use certificate from a file — This option is available only for systems that
support host-based configuration. For information about this method and the
necessary file format, see “Using Predefined Files Instead of a CA Request” on
page 121. If you select this option, define the file locations and continue from
step 9.
8. To request the certificate from a CA, do these steps:
a. From the Certificate Authority drop-down list, select the Enterprise CA that the
Intel SCS will use to request a certificate that the MPS can authenticate.

b. From the Client Certificate Template drop-down list, select the template that
will be used to create the client certificate. The templates shown are templates
where the Subject Name is supplied in the request and the usage is “Client
Authentication”. For information how to create a template, see “Defining
Enterprise CA Templates” on page 115.

Note: If the Profile Designer is located on a computer that does not have
access to the CA, the drop-down lists will not display the CA or
the templates. If necessary, you can manually supply the CA name
(in the format FQDN\CA Name) and the name of the template.

c. Define the Common Names that will be included in the Subject Name of the
generated certificate. For more information, see “Defining Common Names in
the Certificate” on page 119.
9. Click OK. The settings are saved and the Management Presence Server window
closes.

Intel® SCS User Guide 69


Chapter 5 • Defining Configuration Profiles

Defining Remote Access Policies

A Remote Access policy defines what will cause the Intel AMT device to start a
connection with an MPS (the trigger), and to which MPS it will connect. If Remote
Access is enabled, you must define at least one Remote Access policy.

To define a remote access policy:


1. From the Remote Access Policy List section of the Remote Access window,
click Add. The Remote Access Policy window opens.

Figure 31. Remote Access Policy Window


2. In the Policy Name field, enter a descriptive name for the policy.
3. In the Tunnel lifetime limit field, enter an interval in minutes. When there is no
activity in an established tunnel for this period of time, the Intel AMT device will
close the tunnel. Selecting No Limit means the tunnel will not time out but will
stay open until it is closed by the user or when a different policy with higher
priority needs to be processed.
4. In the Trigger section, select the trigger or triggers for this policy:
• Fast Call For Help — The Intel AMT device establishes a tunnel with the MPS
when the user initiates a connection request. If required, you can limit when the
user can access this option (only from the operating system or only from the
BIOS). By default, both options are available to the user.
• Alerts — The device establishes a connection when an event occurs that
generates an alert addressed to the network interface.
• Scheduled Maintenance every — The device connects to the MPS based on the
number of hours, minutes, or seconds defined here.

Intel® SCS User Guide 70


Chapter 5 • Defining Configuration Profiles

Note: A policy can include one or more triggers, but two different
policies cannot contain the same trigger.

5. In the Management Presence Server section, select the MPSs that apply to the
policy (up to two). When a trigger occurs, the Intel AMT device attempts to
connect to the server listed in the Preferred server field. If that connection does not
succeed, the device tries to connect to the server listed in the Alternative server
field, if one was specified.
6. Click OK. The Remote Access Policy window closes.

Defining Trusted Root Certificates

An Intel AMT system must have a trusted root certificate to use any of these features:
• Remote Access using a Management Presence Server
• Mutual authentication in Transport Layer Security
• Most types of 802.1x setups

To define the trusted root certificates:


1. From the relevant feature window, click Edit List. The Trusted Root Certificates
Used In Profile window opens.

Figure 32. Trusted Root Certificates Used In Profile

Intel® SCS User Guide 71


Chapter 5 • Defining Configuration Profiles

2. To add a trusted root certificate, click Add. The Add Trusted Root Certificate
window opens.

Figure 33. Add Trusted Root Certificate Window


3. Select one of these:
• From Certificate Authority — From the drop-down list select the Enterprise
Certification Authority (CA).
• From File — Enter the path to the file or click Browse to locate and select a
certificate. The file must be in base64 PEM format (see “Using Predefined Files
Instead of a CA Request” on page 121).

Note: You can only add a certificate from a CA if the certificate is


self-signed and the CA is a root CA. You cannot add a certificate
from a subordinate CA.

4. Click OK. The Path to Root Certificate window closes and the certificate shows in
the Trusted Root Certificates Used In Profile window.
5. Select the check box of at least one of the trusted root certificates in the list.
6. Click OK. The Trusted Root Certificates Used In Profile window closes.

Intel® SCS User Guide 72


Chapter 5 • Defining Configuration Profiles

Defining Transport Layer Security (TLS)

The Transport Layer Security (TLS) window of the Configuration Profile Wizard lets
you define TLS settings to apply to the Intel AMT system. When TLS is enabled, the
Intel AMT device authenticates itself with other applications using a server certificate. If
mutual TLS authentication is enabled, any applications that interact with the device must
supply client certificates that the device uses to authenticate the applications.

Figure 34. Transport Layer Security (TLS) Window

Note: You cannot use a configuration profile containing TLS settings to


configure Intel AMT systems that have Cryptography disabled.

Intel® SCS User Guide 73


Chapter 5 • Defining Configuration Profiles

To configure TLS settings:


1. From the Select the method for creating the certificate drop-down list, select the
source for the certificate that will be installed in the Intel AMT device:
• Request certificate from CA — By default, the settings for this option are
displayed. To use this option, the Intel SCS (Configurator, RCS, or ACU Wizard)
must have access to the CA during configuration. Continue from step 2.
• Use certificate from a file — This option is available only for systems that
support host-based configuration. For information about this method and the
necessary file format, see “Using Predefined Files Instead of a CA Request” on
page 121. If you select this option, define the file locations and continue from
step 3.
2. To request the certificate from a CA, do these steps:
a. From the Certificate Authority drop-down list, select the certification authority.

b. From the Server Certificate Template drop-down list, select the template that
will be used to create the certificate. If you are using a Stand-alone root CA,
you can only select the default “WebServer”. If you are using an Enterprise root
CA, select the template you defined for TLS. For information how to create a
template, see “Defining Enterprise CA Templates” on page 115.

Note: If the Profile Designer is located on a computer that does not have
access to the CA, the drop-down lists will not display the CA or
the templates. If necessary, you can manually supply the CA name
(in the format FQDN\CA Name) and the name of the template.
When entering these values manually, you must also select the
type of CA (Enterprise CA or Stand-alone CA).

c. Define the Common Names that will be included in the Subject Name of the
generated certificate. For more information, see “Defining Common Names in
the Certificate” on page 119.
3. (Optional) To enable mutual TLS, select Use mutual authentication for remote
interface.
4. If you enabled mutual TLS, you must define the trusted root certificates that will be
used by Intel AMT systems configured with this profile (see “Defining Trusted
Root Certificates” on page 71).
5. (Optional) Define advanced mutual TLS settings (see “Defining Advanced Mutual
Authentication Settings” on page 75).

Intel® SCS User Guide 74


Chapter 5 • Defining Configuration Profiles

Defining Advanced Mutual Authentication


Settings

The Advanced Mutual Authentication Settings window lets you define a Certificate
Revocation List (CRL). The CRL is a list of entries, usually supplied by a CA, that
indicate which certificates have been revoked (see “CRL XML Format” on page 122 for
the required format).
You can also define the Fully Qualified Domain Name (FQDN) suffixes that will be used
by mutual authentication. The Intel AMT device will validate that any client certificates
used by management consoles have one of the listed suffixes in the certificate subject. If
no FQDN suffixes are defined, the Intel AMT device will not validate client certificate
subject names.

To define advanced mutual TLS settings:


1. From the TLS window (Figure 34), click Advanced. The Advanced Mutual
Authentication Settings window opens.

Figure 35. Advanced Mutual Authentication Settings Window


2. (Optional) Define the CRL you want to use in this profile:
a. Select Use CRL.
b. Click Load File. The Open window opens.
c. Browse to the location of the CRL XML file, select it and click Open. The
information in the file is imported into the configuration profile, and the name
of the file appears in the list.

Intel® SCS User Guide 75


Chapter 5 • Defining Configuration Profiles

3. (Optional) Define the trusted domains to use in mutual authentication. To add a


domain to the list, click New and specify the domain in the Domain Properties
window. The Intel AMT system will validate that any client certificates used by the
management consoles have one of the listed suffixes in the certificate subject. If no
FQDN suffixes are defined, the Intel AMT system will not validate client
certificate subject names.
4. Click OK. The Advanced Mutual Authentication Settings window closes.

Defining Network Setups

The Network Configuration window of the Configuration Profile Wizard enables you to
define several network setups that the Intel AMT device must use. A network setup
includes encryption and authentication protocol settings and can be used for wired or
wireless connections.

Note: Due to a Firmware limitation, to disable the WiFi option on a


WiFi enabled Intel AMT device you must do unconfiguration.
(Clearing the WiFi check box in the Optional Settings window
and doing reconfiguration is not enough.)

Figure 36. Network Configuration Window

Intel® SCS User Guide 76


Chapter 5 • Defining Configuration Profiles

To define network setups:


1. From the WiFi Connection section, select one of these:
• Allow WiFi connection without a WiFi setup — If you want to allow WiFi
connection without a WiFi setup (using the hosts WiFi settings). You can select
this option only if you define a home domain in the Home Domains list and do
not select a WiFi setup.
• Allow WiFi connection with the following WiFi setups — If you select this
option, you can define up to 15 profiles in the WiFi setup list (see “Creating WiFi
Setups” on page 78).
After creating WiFi setups you can also do these tasks:
• Edit an existing WiFi setup by clicking Edit.
• Remove a WiFi setup from the list by clicking Remove.
• Select a WiFi setup and click the Up or Down arrows to change the priority
of the WiFi setup in the list.

Note: If you enable support for WiFi synchronization (step 2), it is not
mandatory to define WiFi setups in the profile.

2. Intel AMT 6.0 and higher include support for synchronization of the WiFi profiles
present on the host platform with the WiFi setups defined in the Intel AMT device.
When the Enable Synchronization of Intel® AMT with host platform WiFi
profiles check box is selected this support is enabled. 
The synchronization is done by a third-party application, such as the
Intel PROSet/Wireless Software, in the following way:
• User-defined profiles — When a user performs a successful connection to a
wireless network with a WiFi profile that is not defined in the Intel AMT, the
third-party application displays a pop-up message asking the user if he wants to
add the profile to the Intel AMT (making the profile available for use by the
Intel AMT). Up to eight user defined profiles can be stored in the Intel AMT (in
addition to the WiFi setups defined in “Creating WiFi Setups” on page 78).
• IT-defined profiles — Wi-Fi profiles that are added to the host operating system
through a Group Policy by IT administrators will be added to the Intel AMT.

Note:
• User-defined profiles can only be “synchronized” by the user.
They cannot be altered or added from a remote computer.
• WiFi profiles are only added to the Intel AMT if the Wi-Fi
protocol is supported by the Intel AMT.

3. If required, from the 802.1x Setup Name drop-down list select the 802.1x setup to
use on a wired LAN when the Intel AMT device is active in S3, S4, or S5 power
states. Optionally, you can also edit an existing 802.1x setup by clicking Edit or
create a new 802.1x setup by clicking Add (see “Creating 802.1x Setups” on
page 80).

Intel® SCS User Guide 77


Chapter 5 • Defining Configuration Profiles

4. (Optional) Define advanced wired 802.1x authentication options:


a. Click Advanced. The Advanced Wired 802.1x Settings window opens.

Figure 37. Advanced Wired 802.1x Settings Window

b. Select the check boxes of the options you want to enable:


• Enable 802.1x for Intel® AMT even if host is not authorized for 802.1x
Manageability traffic is enabled even if the host is unable to complete 802.1x
authentication to the network.
• Keep 802.1x session open after boot to allow PXE boot for …. minutes 
The 802.1x session is kept alive after a PXE boot for the number of minutes
that you specify (up to 1440 minutes—24 hours). This is the period allowed
for completion of an 802.1x authentication. This parameter can be set only
when an 802.1x profile has been selected. If the 802.1x profile is deleted,
this value will be forced to zero.

c. Click OK. The Advanced Wired 802.1x Settings window closes and the
settings are saved.
5. If required, define the End-Point Access Control (EAC) parameters (see “Defining
End-Point Access Control” on page 83).

Creating WiFi Setups

The WiFi setups defined in the Intel AMT device are required to enable communication
with the Intel AMT device over a wireless network. These WiFi setups can also be used
to enable Remote Access via a Management Presence Server (MPS) even when the
computer is not in the enterprise network.

Intel® SCS User Guide 78


Chapter 5 • Defining Configuration Profiles

To create a WiFi setup:


1. From the WiFi Connection section of the Network Configuration window,
click Add. The WiFi Setup window opens.

Figure 38. WiFi Setup Window


2. In the Setup Name field, enter a name for the WiFi setup. The setup name can be up
to 32 characters, and must not contain ( / \ < > : ; * | ? ” ) characters.
3. In the SSID field enter the Service Set Identifier (up to 32 characters) that identifies
the specific WiFi network. If left empty, the device will try to connect to all WiFi
networks that use Data Encryption as defined in this WiFi Setup.
4. From the Key Management Protocol drop-down list, select one of these:
• WiFi Protected Access (WPA)
• Robust Security Network (RSN)
5. From the Encryption Algorithm drop-down list, select one of these:
• Temporal Key Integrity Protocol (TKIP)
• Counter mode CBC MAC Protocol (CCMP)
6. In the Authentication section, select one of these:
• Passphrase — Enter a Passphrase for the WiFi setup. The Passphrase must
contain between 8 and 63 printable ASCII characters.
• 802.1x Setup — From the drop-down list, select the 802.1x setup to use in this
WiFi setup. Optionally, you can also edit an existing 802.1x setup by clicking
Edit or create a new 802.1x setup by clicking Add (see “Creating 802.1x
Setups” on page 80).
7. Click OK. The WiFi setup appears in the WiFi setup list.

Intel® SCS User Guide 79


Chapter 5 • Defining Configuration Profiles

Creating 802.1x Setups

The IEEE802.1x network protocol provides an authentication mechanism to devices


wishing to attach to a LAN, either establishing a point-to-point connection or preventing
it if authentication fails. It is used for most wireless 802.11 access points and is based on
the Extensible Authentication Protocol (EAP). You can include the 802.1x setups you
define in the profile for wireless and wired connections. (The “EAP (GTC)” protocol can
only be used in 802.1x wired setups.)

Note: 802.1x setups require integration with Active Directory (see “Defining
Active Directory Integration” on page 61) and an Enterprise-root CA.

To create an 802.1x setup:


1. From the WiFi Setup window or the Wired 802.1x Authentication section of the
Network Configuration window, click Add. The 802.1x Setup window opens.

Figure 39. 802.1x Setup Window

Intel® SCS User Guide 80


Chapter 5 • Defining Configuration Profiles

2. In the Setup Name field, enter a name for this 802.1x setup. The setup name can be
up to 32 characters, and must not contain ( / \ < > : ; * | ? ” ) characters.
3. From the Protocol drop-down list, select the required protocol. The options in the
Authentication section are enabled/disabled according to the protocol selected, as
described in this table.

Table 7. Authentication Options Per Protocol

Client Trusted Root Roaming


Protocol
Certificate Certificate Identity

EAP-TLS Required Required Not available

EAP-TTLS Optional Required Optional


(MS-CHAP v2)

EAP-PEAP Optional Required Optional


(MS-CHAP v2)

EAP (GTC) Not available Not available Not available

EAP-FAST Required Required Optional


(MS-CHAP v2)

EAP-FAST (GTC) Required Required Optional

EAP-FAST (TLS) Required Required Optional

4. From the Select the method for creating the certificate drop-down list, select the
source for the certificate that will be installed in the Intel AMT device:
• Request certificate from CA — By default, the settings for this option are
displayed. To use this option, the Intel SCS (Configurator, RCS, or ACU Wizard)
must have access to the CA during configuration. Continue from step 5.
• Use certificate from a file — This option is available only for systems that
support host-based configuration. For information about this method and the
necessary file format, see “Using Predefined Files Instead of a CA Request” on
page 121. If you select this option, define the file locations and continue from
step 6.
• Do not use a certificate — Instead of using a certificate, authentication is done
with a username and password. (This option is shown only if client certificates
are optional for the Protocol selected in step 3.) Continue from step 6.

Intel® SCS User Guide 81


Chapter 5 • Defining Configuration Profiles

5. To request the certificate from a CA, do these steps:


a. From the Certificate Authority drop-down list, select the Enterprise CA that the
Intel SCS will use to request a certificate that the RADIUS server can
authenticate.

b. From the Client Certificate Template drop-down list, select the template that
will be used to create the client certificate. The templates shown are templates
where the Subject Name is supplied in the request and the usage is “Client
Authentication”. For information how to create a template, see “Defining
Enterprise CA Templates” on page 115.

Note: If the Profile Designer is located on a computer that does not have
access to the CA, the drop-down lists will not display the CA or
the templates. If necessary, you can manually supply the CA name
(in the format FQDN\CA Name) and the name of the template.

c. Define the Common Names that will be included in the Subject Name of the
generated certificate. For more information, see “Defining Common Names in
the Certificate” on page 119.
6. (Optional) To enable roaming, select the Roaming Identity check box. The user
will connect to the RADIUS server with an identity of Anonymous.
7. If a trusted root certificate is required (see the table in step 3), select it from the list
of trusted root certificates. If it does not appear in the list, click Edit List to define
the location of the trusted root certificate (see “Defining Trusted Root Certificates”
on page 71). This certificate will be used in the 802.1x setup to authenticate with a
RADIUS server.
8. From the RADIUS Server Verification section, select one of these:
• Do not verify RADIUS server certificate subject name
• Verify server’s FQDN — Enter the FQDN of the RADIUS server.
• Verify server’s domain suffix — Enter the domain name suffix of the RADIUS
server.
9. Click OK. The 802.1x Setup window closes and the 802.1x setup is saved.

Intel® SCS User Guide 82


Chapter 5 • Defining Configuration Profiles

Defining End-Point Access Control

If the 802.1x profile’s protocol supports End-Point Access Control (EAC), you can use
NAC/NAP authentication along with the RADIUS server to authenticate the Intel AMT
device.

Note: EAC requires integration with Active Directory (see “Defining Active
Directory Integration” on page 61) and an Enterprise-root CA.

To define EAC:
1. From the Network Configuration window, click Configure EAC. The Configure
End-Point Access Control window opens.

Figure 40. Configure End-Point Access Control Window


2. In the EAC vendor section, select one of these:
• NAC
• NAP or NAC-NAP Hybrid
• Both NAC and NAP
3. From the Highest hash algorithm supported by the authentication server drop-down
list, select one of these:
• SHA-1
• SHA-256 (supported from Intel AMT 6.0)
• SHA-384 (supported from Intel AMT 6.0)

Intel® SCS User Guide 83


Chapter 5 • Defining Configuration Profiles

4. From the Select the method for creating the certificate drop-down list, select the
source for the certificate that will be installed in the Intel AMT device:
• Request certificate from CA — By default, the settings for this option are
displayed. To use this option, the Intel SCS (Configurator, RCS, or ACU Wizard)
must have access to the CA during configuration. Continue from step 5.
• Use certificate from a file — This option is available only for systems that
support host-based configuration. For information about this method and the
necessary file format, see “Using Predefined Files Instead of a CA Request” on
page 121. If you select this option, define the file locations and continue from
step 6.
5. To request the certificate from a CA, do these steps:
a. From the Certificate Authority drop-down list, select the Enterprise CA that the
Intel SCS will use to request a certificate for EAC posture signing.

b. From the Certificate Template drop-down list, select the template that will be
used to create the client certificate. The templates shown are templates where
the Subject Name is supplied in the request. For information how to create a
template, see “Defining Enterprise CA Templates” on page 115.

Note: If the Profile Designer is located on a computer that does not have
access to the CA, the drop-down lists will not display the CA or
the templates. If necessary, you can manually supply the CA name
(in the format FQDN\CA Name) and the name of the template.

c. Define the Common Names that will be included in the Subject Name of the
generated certificate. For more information, see “Defining Common Names in
the Certificate” on page 119.
6. Click OK. The Configure End-Point Access Control window closes.

Intel® SCS User Guide 84


Chapter 5 • Defining Configuration Profiles

Defining System Settings

The System Settings window of the Configuration Profile Wizard lets you define several
settings in the Intel AMT device.

Figure 41. System Settings Window

Note: The location in the ACU Wizard from where you open the Configuration
Profile Wizard causes different options to show in the System Settings
window.

For information about these settings, see:


• Management Interfaces
• Power Management Settings
• Network Settings

Intel® SCS User Guide 85


Chapter 5 • Defining Configuration Profiles

Management Interfaces

1. In the Management Interfaces section, select the interfaces you want to open on the
Intel AMT system:
• Web UI — Enables you to manage and maintain Intel AMT systems using a
browser-based interface.
• Serial Over LAN — Enables you to remotely manage Intel AMT systems by
encapsulating keystrokes and character display data in a TCP/IP stream.
• IDE Redirection — IDE-R enables you to map a drive on the Intel AMT system
to a remote image or drive. This functionality is generally used to reboot an
Intel AMT system from an alternate drive.
• KVM Redirection — Opens the KVM Redirection interface. For more
information about KVM, see “Support for KVM Redirection” on page 17.
2. (Optional) When the KVM Redirection check box is selected, the RFB Password
for KVM sessions field is enabled. This password is only necessary if your VNC
client uses port 5900 (see “VNC Clients” on page 17). If you enter a password, it
must be EXACTLY eight characters (see “Password Format” on page 8).
3. (Optional) This button is shown only when you edit a profile in
the RCS. This is because the options it contains cannot be configured locally using
the host-based configuration method. By default, user consent is necessary before a
KVM redirection session can begin (see “User Consent” on page 4).
If you want to change the user consent settings for KVM redirection sessions:
a. Click KVM Settings. The KVM Redirection Settings window opens.

Figure 42. KVM Redirection Settings Window

b. If you want to remove the user consent requirement, clear the User consent
required before beginning KVM session check box.

Note: User consent is mandatory for Intel AMT 7.0 and higher devices
if they are configured in Client Control mode. Thus, if you want
to remove the user consent requirement, you must configure these
devices in Admin Control mode.

c. If User Consent is required, the Timeout for user consent field defines the
maximum time (in minutes) allocated for the user consent process. If the user
consent process is not completed in this time, a new KVM connection request
must be sent.

Intel® SCS User Guide 86


Chapter 5 • Defining Configuration Profiles

Power Management Settings

1. From the drop-down list in the Power Management Settings section, select one of
these:
• Always on (S0-S5) — If the system is connected to the power supply, the
Intel AMT manageability features are available in any of the system power
states. This is the recommended setting.
• Host is on (S0) — The Intel AMT manageability features are available only if
the operating system of the Intel AMT system is up and running.
2. (Optional) If you selected Always on (S0-S5), you can select the ME will go into a
lower power state when idle check box. If the Intel AMT device supports this
feature, the device will go to sleep when there is no activity. When a request arrives
the device automatically wakes up. The Time out if idle field defines the number of
minutes the device must wait before it can go to sleep.

Network Settings

1. When you edit a full configuration profile in the RCS, this additional field is shown
in the Network Settings section:

Enter a password for the MEBx (see “Password Format” on page 8). If the MEBx
password of the Intel AMT device is still the factory default, the RCS will change it
to the password you enter here. This field is required only for remote configuration
of unconfigured systems (the field is not shown in “delta” profiles).
2. When you edit a profile for multiple systems, these additional fields are shown in
the Network Settings section:

Define the password of the default admin user built into each Intel AMT device:
• Use the following password for all systems — The password you define here
(see “Password Format” on page 8), is set in all devices configured with this
profile.
• Create a random password for each system— The RCS/Configurator
generates a different (random) password for each device.
• Use a Master Password to create a password for each system — This option
is only shown if a Digest Master Password is set in the RCS.

Note: For more information about these options (see “Admin


Permissions in the Intel AMT Device” on page 12).

Intel® SCS User Guide 87


Chapter 5 • Defining Configuration Profiles

3. (Optional) Select Enable Intel® AMT to respond to ping requests. When this
check box is selected, the Intel AMT device will respond to a ping if the host
platform does not.
4. (Optional) For Intel AMT 4.0 and higher systems, you can define which interfaces
are open for the local Fast Call for Help feature. If the computer is inside the
enterprise network the user can initiate a connection request to connect to a
management console. By default, the user can access this option from the operating
system and from the BIOS. To change this setting, do one of these:
• To close both interfaces, clear the Enable Fast Call for Help (within the
enterprise network) check box.
• To select which interface to open, click Fast Call For Help Settings and select
the interface from the Fast Call for Help interfaces window:

Note:
• You cannot make changes to this setting if a Fast Call For Help
trigger was defined in a Remote Access policy. The setting in the
policy will be used for remote and local connection requests.
• To enable the Fast Call for Help feature from outside the
enterprise network, see “Defining Remote Access” on page 67.

5. When you edit a profile for multiple systems (but not in the RCS), this additional
field is shown in the Network Settings section:

Click Set to define the source the Configurator will use to define the IP and FQDN
of the Intel AMT device. This step is only required if you need to change the
default settings (see “Defining IP and FQDN Settings” on page 89).

Note: The default network settings that Intel SCS puts in the device will
operate correctly for most network environments.

Intel® SCS User Guide 88


Chapter 5 • Defining Configuration Profiles

Defining IP and FQDN Settings

Each Intel AMT device can have its own IP and FQDN settings. The IP and FQDN
settings are usually the same as those defined in the host operating system, but they can
be different. The Intel SCS puts these settings into the Intel AMT device.

Figure 43. Network Settings Window

To define the IP and FQDN settings:


1. From the FQDN Setting section, select the source for the FQDN (hostname.suffix):
• FQDN created from:
• Primary DNS FQDN — The hostname part of the FQDN is the hostname
from the host operating system. The suffix is the “Primary DNS Suffix”
from the host operating system. This is the default setting, and is correct for
most network environments.
• On-board LAN connection-specific DNS FQDN — The hostname part of
the FQDN is the hostname from the host operating system. The suffix is the
“Connection-specific DNS Suffix” of the onboard wired LAN interface.
• Host Name — Takes the host name from the operating system. The suffix is
blank.
• Active Directory FQDN — The hostname part of the FQDN is the
hostname from the host operating system. The suffix is the AD domain of
which the host operating system is a member.
• DNS Look Up FQDN — Takes the name returned by an “nslookup” on the
IP address of the onboard wired LAN interface.
• Get the FQDN from the dedicated network settings file

Intel® SCS User Guide 89


Chapter 5 • Defining Configuration Profiles

2. (Optional) Intel AMT 6.0 and higher includes a setting called “Shared FQDN”.
This setting can change the behavior of the Intel AMT device when using option 81
of the DHCP server to update DNS:
• When this setting is true, the Intel AMT device will send broadcast queries only
when the operating system is not running. This is the default behavior of all
Intel AMT versions that do not support the Shared FQDN setting.
• When false, the device will always send its own broadcast queries, even when
the operating system is running. For Intel AMT 6.0 and higher devices that will
be configured with a dedicated FQDN, clear this check box:
The device and the OS will have the same FQDN (Shared FQDN).
3. (Optional) Intel AMT 6.0 and higher includes the Intel AMT Dynamic DNS
Update (DDNS Update) Client. When enabled, this client can periodically update
the DNS with the FQDN and IP address configured in the Intel AMT device. 
Intel AMT will send DDNS Updates based on the policy configured in the DHCP
server returned in the DHCP option 81 flags. Before Intel AMT 6.0, Intel AMT
was only capable of using the DHCP option 81 to request that the DHCP server
update the DNS on its behalf. If you want to disable all DNS updates, clear this
check box: The device will update the DNS directly with its FQDN and IP.

Note: If you clear this check box, Intel AMT will not send DHCP option
81 or DDNS Update requests.

4. From the IP Setting section, select the source for the IP settings:
• Use the same IP as the host (for static IP only)
• Get the IP from the dedicated network settings file or from the DHCP server
(When this option is selected, if a dedicated network settings file exists with
IP data the Configurator will use it. If a file is not specified, or a file is
specified and does not contain IP data, the Configurator will get the IP from
the DHCP server.)
5. If you defined that the Configurator will retrieve the FQDN or IP information from
a dedicated network settings file, enter the path from the Intel AMT system to the
XML file. For information about the format and tags of the XML file, see the
NetworkSettings.xml example file located in the sample_files folder.
6. Click OK. The Network Settings window closes.

Intel® SCS User Guide 90


6
Using the Configurator
This chapter describes how to use the Configurator.
For more information, see:
• About the Configurator
• CLI Syntax
• CLI Global Options
• Configurator Log Files
• Verifying the Status of an Intel AMT System
• Discovering Systems
• Configuring Systems (Unified Configuration)
• Configuring Systems Using the RCS (Legacy)
• Creating TLS-PSK Pairs
• Configuring a System Using a USB Key
• Maintaining Configured Systems
• Maintaining Systems Using the RCS (Legacy)
• Unconfiguring Intel AMT Systems
• Moving from Client Control to Admin Control
• Disabling Client Control Mode
• Sending a Hello Message

Intel® SCS User Guide 91


Chapter 6 • Using the Configurator

About the Configurator


The Command Line Interface (CLI) of the Configurator component lets you
automatically do tasks on multiple Intel AMT systems. The Configurator can be run
locally on the Intel AMT system using a script or a batch file. If possible, the
Configurator does the necessary task locally on the system. If not, the Configurator sends
the task to the RCS. The CLI also includes commands that make the Configurator send
the task to the RCS, even if it can be done locally.
The Configurator (ACUConfig.exe) is located in the ACU_Configurator folder.

Note: The ACU_Configurator folder also contains dll files that are necessary
for the Configurator to operate.

CLI Syntax

The Configurator CLI is not case-sensitive. To view a list of the available CLI
commands, type ACUConfig (with no parameters) and press <Enter>.
This is the general syntax:
ACUConfig.exe [global options] command [command arguments and options]
To view syntax of a specific command, type the command name followed by “/?”.
These conventions are used in the command syntax of the examples:
• Optional parameters are enclosed in square brackets [ ]
• User defined variables are enclosed in angled brackets < >
• Mutually exclusive parameters are separated with a pipe |
• Where necessary, braces { } are used to group elements together to eliminate
ambiguity in the syntax.

Note: The CLI does not support passwords that start with a forward slash (/).

Intel® SCS User Guide 92


Chapter 6 • Using the Configurator

CLI Global Options

You can use any of these global options with the CLI commands:
• /LowSecurity — Disables authentication of the ACU.dll digital signature.
For more information, see “Digital Signing of Files” on page 9.
• /Verbose — Creates a detailed log
• /KeepLogFile — Appends the current log to the existing log file
• /Output {Console | File <filename> | Silent} — Defines the output parameters:
• Console — Diverts logging messages to the console screen
• File <filename> — Logs messages to an output file (default option)
• Silent — Creates no output (console or file)

Configurator Log Files

Each action that the Configurator performs, and any errors that occur, are saved in two
locations:

• In the Windows Event Viewer Application log of the Intel AMT system.

• In a log file. If you do not make changes using the global options, this is the default:
• A new log file is created each time you run the Configurator. You can use the
/KeepLogFile global option to change this default.
• The log file is saved in the folder where the Configurator is located, and has this
format: ACUlog_HostName_YYYY-MM-DD-HH-MI-SS.Log
(for example: ACUlog_ComputerX_2010-05-01-11-05-57.log).
You can use the /Output global option to change this default.

Verifying the Status of an Intel AMT System

Command Status

Description Provides details about the status of the Intel AMT system

Syntax ACUConfig.exe [global options] Status

Parameters

[global options] See “CLI Global Options” on page 93.

Intel® SCS User Guide 93


Chapter 6 • Using the Configurator

Discovering Systems

Command SystemDiscovery

Description Gets data from the Intel AMT device and the host platform of the system. The
data is saved in an XML file and/or in the registry of the system. The data can
then be collected by third-party hardware and software inventory applications.
Intel SCS also includes a standalone System Discovery utility that you can use
for this task instead of the Configurator. The utility contains only the
SystemDiscovery command. The utility is located in the SCS_Discovery folder.
The data is saved in the registry of each system at:
• 32-bit and 64-bit operating systems:
HKLM\SOFTWARE\Intel\SCS7.0\System_Discovery
• In addition, on 64-bit operating systems:
HKLM\SOFTWARE\Wow6432Node\Intel\SCS7.0\System_Discovery
For information about the data format, see the “System Discovery Data Format”
section of the SCS_Discovery\Intel(R)_SCS_7.0_Discovery.pdf.
For information about how to collect this data from the systems, refer to the
documentation of your hardware/software inventory application.
Note: On systems that do not have Intel AMT, this command gets data from the
host platform only.

Syntax ACUConfig.exe [global options] SystemDiscovery [<filename>]


[/NoFile] [/NoRegistry]

Parameters

[global options] See “CLI Global Options” on page 93

<filename> The name of the XML file and the path to the location where you want to save it.
By default, the name of the XML file is the FQDN of the system and it is saved
in the same folder as the Configurator.

/NoFile Do not save data in an XML file. If you use this parameter, do not use the
<filename> parameter

/NoRegistry Do not save data in the registry of the system

Intel® SCS User Guide 94


Chapter 6 • Using the Configurator

Configuring Systems (Unified Configuration)

Command ConfigAMT

Description Configures the Intel AMT system with settings in a configuration


profile (XML file). Configured systems are reconfigured. You can use
this command with the unified configuration process. If the device
supports host-based configuration, the configuration is done locally. If
not, configuration is done remotely by the RCS.
For more information, see “Unified Configuration Process” on page 6.

Syntax ACUConfig.exe [global options] ConfigAMT <filename>


[/DecryptionPassword <password>] [/AbortOnFailure]
Note: The CLI does not [/AdminPassword <password>] [/ADOU <ADOU path>]
support passwords that start [/FileToRun < filename>] [/FileUser <username>]
with a forward slash (/).
[/FilePassword <password>]

Parameters

[global options] See “CLI Global Options” on page 93

<filename> The XML file containing the configuration parameters for this
Intel AMT system

/DecryptionPassword Mandatory if any of the files that the Configurator will use are
<password> encrypted (see “File Encryption” on page 9)

/AbortOnFailure If configuration fails, put the Intel AMT device in the “Not
Provisioned” mode

/AdminPassword The current password of the default Digest admin user defined in the
<password> Intel AMT device. This parameter is NOT necessary if one of these are
true:
• The device is in an unconfigured state
• The Intel SCS can find the Digest admin password (in one of the
profiles, using a Master Password, or using the scsadmin.dat file)
• The user account running the Configurator/RCS is defined in the
Intel AMT device as an administrator

/ADOU <ADOU path> The path to the Active Directory Organizational Unit (ADOU)
containing the AD object of configured systems. If this parameter is
supplied, the configurator will delete the existing AD object
representing the system. A new AD object is created in the ADOU
defined in the configuration profile.

Intel® SCS User Guide 95


Chapter 6 • Using the Configurator

/FileToRun < filename> Note: In this version of the Intel SCS, this parameter is permitted only
when using the ConfigAMT command to do host-based configuration.
If used on Intel AMT systems that will be configured by the RCS,
configuration will fail.
If this parameter is supplied, the Configurator will run this executable
file (batch, script, or executable) after the ConfigAMT command has
completed. These parameters are sent as a string (in this sequence) to
the file you specify:
• The user defined in the /FileUser parameter*
• The password defined in the /FilePassword parameter*
• The hostname defined in the Intel AMT device
• The FQDN defined in the Intel AMT device
• The UUID of the Intel AMT device
• The MEBx password of the Intel AMT device*
• The password of the default Administrator (“admin”) user in the Intel
AMT device*
Parameters without values are sent as empty strings. Each parameter
value is separated by a space. For example:
MyFileUser “” “” myhostname example.com
88888888-8887-8888-8888-878888888888 “” admin
Note:
• The Configurator runs the file only if the ConfigAMT command
completes configuration successfully without errors.
• The parameters marked with an asterisk (*) are sent to the specified
file in Base64 format.
• If the /FileToRun parameter is used without the /LowSecurity global
option, the file must be digitally signed (see “Digital Signing of Files”
on page 9). In addition, if the /LowSecurity parameter is not used, the
file must be located in the same folder as the ACUConfig.exe file.

/FileUser <username> Valid only if /FileToRun was specified. It is recommended to use this
parameter to supply a user with the minimum permissions required to
run this file.

/FilePassword <password> Valid only if /FileToRun was specified. Contains the password required
to run the file.

Intel® SCS User Guide 96


Chapter 6 • Using the Configurator

Configuring Systems Using the RCS (Legacy)

Command ConfigViaRCSOnly

Description Sends a configuration request to the RCS. The RCS remotely configures the
Intel AMT system with a profile located in the RCS. Configured systems are
reconfigured. The RCS uses one of the TLS protocols (PSK or PKI) during
the configuration process (see “Security Before and During Configuration”
on page 11).
Note: Systems with Intel AMT 7.x are put in Admin Control mode (see
“Control Modes” on page 4).

Syntax ACUConfig.exe [global options] ConfigViaRCSOnly <RCSaddress>


<profilename> [/AbortOnFailure] [/AdminPassword <password>]
Note: The CLI does {[/WMIUser <username>] [/WMIUserPassword <password>]}
not support passwords [/SourceForAMTName <source>] [/NetworkSettingsFile <file>]
that start with a
[/UseHostStaticIP] [/DedicatedFQDN] [/DisableDNSUpdate]
forward slash (/).
[/ADOU <ADOU path>]

Parameters

[global options] See “CLI Global Options” on page 93

<RCSaddress> The IP or FQDN of the computer running the RCS

<profilename> The profile in the RCS containing the configuration parameters

/AbortOnFailure If configuration fails, put the Intel AMT device in the “Not Provisioned”
mode

/AdminPassword The current password of the default Digest admin user defined in the
<password> Intel AMT device. This parameter is NOT necessary if one of these are true:
• The device is in an unconfigured state
• The RCS can find the Digest admin password (in one of the RCS profiles,
using a Master Password, or using the scsadmin.dat file)
• The user account running the RCS is defined in the Intel AMT device as
an administrator

/WMIUser The name (in the format domain\username) of a user with WMI permissions
<username> on the computer running the RCS. This parameter is only required if you run
the Configurator with a user without WMI permissions on the RCS
computer.

/WMIUserPassword The password of the WMI user


<password>

Intel® SCS User Guide 97


Chapter 6 • Using the Configurator

/SourceForAMTName Defines how the FQDN (hostname.suffix) for the Intel AMT device is
<source> constructed. Valid values:
• DNS — The hostname part of the FQDN is the hostname from the host
operating system. The suffix is the “Primary DNS Suffix” from the host
operating system. This is the default setting, and is correct for most
network environments.
• SpecificDNS — The hostname part of the FQDN is the hostname from the
host operating system. The suffix is the “Connection-specific DNS Suffix”
of the onboard wired LAN interface.
• AD — The hostname part of the FQDN is the hostname from the host
operating system. The suffix is the AD domain of which the host operating
system is a member.
• DNSLOOKUP — Takes the FQDN returned by an “nslookup” on the IP
address of the onboard wired LAN interface.
• HOST — Takes the hostname from the host operating system. The suffix
is blank.
Note: When this parameter is not supplied, the default source for the FQDN
is “DNS”. However, if the /NetworkSettingsFile parameter is supplied (and
FQDN data is included in the file), the FQDN is taken from the file.

/NetworkSettingsFile This parameter tells the Configurator to get the IP and/or the FQDN from a
<file> dedicated network settings file. For information about the required XML
format, see the NetworkSettings.xml example file located in the sample_files
folder.

/UseHostStaticIP Inserts the static IP settings of the host operating system into the Intel AMT
device.
(This is the IP configuration of the onboard wired LAN interface only.)
Note: When this parameter is not supplied, the default source for the IP is a
DHCP server. However, if the /NetworkSettingsFile parameter is supplied
(and IP data is included in the file), the IP is taken from the file.

/DedicatedFQDN This setting is supported from Intel AMT 6.0 and higher. Use only if the
Intel AMT device is configured with its own dedicated FQDN. If set, the
device will send broadcast queries to DHCP even when the OS is running.

/DisableDNSUpdate Disables the Intel AMT Dynamic DNS Update (DDNS Update) Client
included in Intel AMT 6.0 and higher. If you disable this client,
Intel AMT will not send DHCP option 81 or DDNS Update requests.

/ADOU <ADOU path> The path to the Active Directory Organizational Unit (ADOU) containing
the AD object of configured systems. If this parameter is supplied, the RCS
will delete the existing AD object representing the system. A new AD object
is created in the ADOU defined in the configuration profile.

Intel® SCS User Guide 98


Chapter 6 • Using the Configurator

Creating TLS-PSK Pairs

Command CreatePSK

Description This command prepares the Intel AMT system for configuration using
the One Touch Configuration (PSK) method.
When you run this command, a TLS-PSK pair is (immediately) put in
the RCS and also in a file in a location that you specify. You can run this
command from any computer that can access the RCS.
When the Intel AMT system is rebooted with a USB key that contains
the file, the pair is put in the MEBx of the system. The file must be
named Setup.bin and must be placed in the root folder of the USB key.
To make sure that Setup.bin is the first file that the BIOS will find during
reboot (requirement), format the USB key before creating/copying the
file. If the Intel AMT system does not successfully reboot with the USB
key you prepared, try this:
• Make sure that the Setup.bin file name starts with a capital “S”
• Format the USB key using FAT16
Note:
• When you reboot a system with the USB key, the data in the Setup.bin
file is deleted (but the file is not deleted). If you want to use the same
TLS-PSK pair to configure multiple systems, save the Setup.bin file
before you copy it to the USB key. Then replace the file on the USB
key before each reboot.
• The Configurator does not restrict the size of USB key you can use.
But, the computer BIOS must fully support the selected USB key and
be able to do a reboot from it.

Syntax ACUConfig.exe [global options] CreatePSK


<RCSaddress> {/NewMEBxPass <password>}
Note: The CLI does not [/CurrentMEBxPass <password>] [/OutputFile <filename>]
support passwords that start {[/WMIUser <username>] [/WMIUserPassword <password>]}
with a forward slash (/).

Parameters

[global options] See “CLI Global Options” on page 93

<RCSaddress> The IP or FQDN of the computer running the RCS

Intel® SCS User Guide 99


Chapter 6 • Using the Configurator

/NewMEBxPass The new password to put in the MEBx. This parameter is mandatory,
<password> even if the MEBx password has already been changed from the default
of “admin”.
For information about the required format, see “Password Format” on
page 8.

/CurrentMEBxPass By default, the Configurator always uses the default password of


<password> unconfigured systems (“admin”) in this parameter. If this is not the
password in the MEBx, supply the correct password. If you do not
supply the correct password, the reboot of the Intel AMT system with
the USB key will not complete successfully.

/OutputFile <filename> The name of the file and the path to the location where you want to save
it. If this parameter is not used, by default the file is created in the same
folder as the Configurator.
Note:
• The file is NOT encrypted. Make sure that you restrict access to it.
• The Configurator overwrites any existing file with the same name
without giving a warning.

/WMIUser <username> The name (in the format domain\username) of a user with WMI
permissions on the computer running the RCS. This parameter is only
required when running the Configurator under a user without WMI
permissions on the RCS computer.

/WMIUserPassword The password of the WMI user


<password>

Intel® SCS User Guide 100


Chapter 6 • Using the Configurator

Configuring a System Using a USB Key

Command ConfigViaUSB

Description Creates a file containing configuration settings. When the Intel AMT
system is rebooted with a USB key containing this file, Intel AMT is
configured on the system. For more information, see “SMB/Manual
Configuration” on page 5.
The Configurator does not restrict the size of USB key you can use. But,
the computer BIOS must fully support the selected USB key and be able
to do a reboot from it.
Note:
• The settings you can define are limited. If additional settings are
required, they must be performed by a third-party application.
• This command places Intel AMT 7.x systems into the Admin Control
mode (see “Control Modes” on page 4).
• You can use this option to define certain KVM parameters not
available in Client Control mode of Intel AMT 7.x.

Syntax ACUConfig.exe [global options] ConfigViaUSB


{/NewMePassword <password>} [/MePassword <password>]
Note: The CLI does not [/OutputFile <filename>] [/PowerPackage <guid>] {{/UsingDhcp}|
support passwords that start {/HostName <host_name> /DomainName <domain_name>
with a forward slash (/).
/LocalHostIp <ip> /SubnetMaskIp <subnet_mask>
[/GatewayAddrIp <ip> ] [/DnsAddrIp <ip>]
[/SecondaryDnsAddrIp <ip>]}} [/EnableKVM <false | true>]
[/EnableUserConsent <none | kvm_only | all_redirection>]
[/EnableRemoteITConsent <false | true>]

Parameters

[global options] See “CLI Global Options” on page 93

/NewMePassword The new password to put in the MEBx (see “Password Format” on
<password> page 8). This parameter is mandatory, even if the MEBx password has
already been changed from the default of “admin”.

/MePassword <password> The current MEBx password. The default password of unconfigured
systems is “admin”. This parameter is not required for systems that
have the default password.

Intel® SCS User Guide 101


Chapter 6 • Using the Configurator

/OutputFile <filename> The name of the file and the path to the location where you want to save
it. If this parameter is not used, by default the file is created in the same
folder as the Configurator. The file must be named Setup.bin and must
be placed in the root folder of the USB key.
To make sure that Setup.bin is the first file that the BIOS will find
during reboot (requirement), format the USB key before
creating/copying the file. If the Intel AMT system does not successfully
reboot with the USB key you prepared, try this:
• Ensure that the file name starts with a capital “S”
• Format the USB key using FAT16
Note:
• The Setup.bin file is NOT encrypted so make sure that you restrict
access to it. It is a “consumable” file so after configuration the
Configurator deletes the data it contains. This means that you must
create a new file for each system you want to configure.
• The Configurator overwrites any existing file with the same name
without giving a warning.

/PowerPackage <guid> Power Package GUID (see “Power Package GUIDs” on page 103).
Default: No power package.

/UsingDhcp Use DHCP IP information. Default: Not using DHCP.

/HostName <host_name> Intel AMT system hostname (1 – 32 characters)

/DomainName Intel AMT system domain name (0 – 70 characters)


<domain_name>

/LocalHostIp <ip> Local Host IP information

/SubnetMaskIp Subnet Mask IP information


<subnet_mask>

/GatewayAddrIp <ip> Gateway address IP information

/DnsAddrIp <ip> DNS address IP information

/SecondaryDnsAddrIp <ip> Secondary DNS address IP information

/EnableKVM <false | true> Enable/Disable support for KVM redirection

/EnableUserConsent  Defines for which redirection operations user consent is mandatory.


<none | kvm_only | For more information, see “User Consent” on page 4.
all_redirection>
Note: You can use the “all_redirection” option only on systems with
Intel AMT 7.0 and higher.

/EnableRemote ITConsent Defines if it is permitted to remotely make changes to the user consent
<false | true> setting in the Intel AMT device

Intel® SCS User Guide 102


Chapter 6 • Using the Configurator

Power Package GUIDs

The optional “/PowerPackage” parameter enables you to define power management


settings of the Intel AMT device during manual configuration. This table gives the GUID
values (in Hex 32 character format) per Intel AMT version.

Table 8. Power Package GUIDs

Supported Power Package GUID (Hex 32)

Intel AMT 6.x / 7.x (mobile)

ON in S0 763997110B56504388709812F391B560

ON in S0, ME Wake in S3/AC, 30800DEE09C07843AF287868A2DBBE3A


S4-5/AC

Intel AMT 6.x / 7.x (desktop)

ON in S0 944F8312FB104FDC968E1E232B0C9065

ON in S0, ME Wake in S3,S4-5 7322734623DC432FA98A13D37982D855

Intel AMT 5.X (desktop)

ON in S0 944F8312FB104FDC968E1E232B0C9065

ON in S0, S3 A18600AB9A7F4C42A6E6BB243A295D9E

ON in S0, S3, S4-5 7286ABAC96B448E29B9E9B7DF91C7FD4

ON in S0, ME WoL in S3 7B32CD4D6BBE4389A62A4D7BD8DBD026

ON in S0, ME WoL in S3, S4-5 7322734623DC432FA98A13D37982D855

ON in S0, S3, S4-5, OFF After C519A4BA6E6F8D4DB227517F7E4595DB


Power Loss

ON in S0, ME WoL in S3,S4-5, D60BE3ED04C52C46B772D18018EE2FC4


OFF After Power Loss

Intel AMT 4.x (mobile)

ON in S0 763997110B56504388709812F391B560

ON in S0, S3/AC 26D31C768708C74BBB5F38744315A5FF

ON in S0, S3/AC, S4-5/AC 530E08DB6C0FD948B2D28958D3F1156E

ON in S0, ME Wake in S3/AC 055DD5B64CA4874DA5A8B47C14DEDA5F

ON in S0, ME Wake in S3/AC, 30800DEE09C07843AF287868A2DBBE3A


S4-5/AC

Intel® SCS User Guide 103


Chapter 6 • Using the Configurator

Maintaining Configured Systems

Command MaintainAMT

Description Performs specific maintenance tasks based on settings in the <filename>


XML file. If the device supports host-based configuration, the maintenance
tasks are done locally. If not, the tasks are done remotely by the RCS.
For more information about maintaining Intel AMT, see
“Maintenance Policies for Intel AMT” on page 14.

Syntax ACUConfig.exe [global options] MaintainAMT <filename>


Note: The CLI does <task> [<task>...] [/DecryptionPassword <password>]
not support passwords [/AdminPassword <password>]
that start with a
forward slash (/).

Parameters

[global options] See “CLI Global Options” on page 93

<filename> The XML file containing the original configuration settings that were used to
configure the Intel AMT system. Settings in the XML file not related to the
specified maintenance tasks are ignored.

<task> Define at least one of these maintenance tasks:


• SyncAMTTime — Synchronize the clock of the Intel AMT device with
the clock of the computer running the RCS. If the device supports
host-based configuration, the clock is synchronized with the clock of the
host. This task is performed automatically when any of the other tasks are
performed.
• SyncNetworkSettings — Synchronize network settings of the Intel AMT
device as defined in the <NetworkSettings> tag of the <filename> XML
file (see “Defining IP and FQDN Settings” on page 89)
• ReissueCertificates — Reissue the certificates stored in the Intel AMT
device. If the device contains 802.1x certificates, the RenewADPassword
task is automatically done as well.
• RenewADPassword — Change the password of the Active Directory
object representing the Intel AMT system.

/DecryptionPassword Mandatory if any of the files that the Configurator will use are encrypted
<password> (see “File Encryption” on page 9)

/AdminPassword The current password of the default Digest admin user defined in the
<password> Intel AMT device. This parameter is NOT necessary if one of these are true:
• The Intel SCS can find the Digest admin password (in one of the RCS
profiles, using a Master Password, or using the scsadmin.dat file)
• The user account running the Configurator/RCS is defined in the
Intel AMT device as an administrator

Intel® SCS User Guide 104


Chapter 6 • Using the Configurator

Maintaining Systems Using the RCS (Legacy)

Command MaintainViaRCSOnly

Description Performs specific maintenance tasks based on settings in the <profilename>.


All maintenance tasks are done remotely by the RCS.
For more information about maintaining Intel AMT, see
“Maintenance Policies for Intel AMT” on page 14.

Syntax ACUConfig.exe [global options] MaintainViaRCSOnly <RCSaddress>


<profilename> <task>[<task>...] [/AdminPassword <password>]
Note: The CLI does {[/WMIUser <username>] [/WMIUserPassword <password>]}
not support passwords [/SourceForAMTName <source>] [/NetworkSettingsFile <file>]
that start with a
[/UseHostStaticIP] [/DedicatedFQDN] [/DisableDNSUpdate]
forward slash (/).

Parameters

[global options] See “CLI Global Options” on page 93

<RCSaddress> The IP or FQDN of the computer running the RCS

<profilename> The profile in the RCS containing the original configuration settings that
were used to configure the Intel AMT system. Settings in the profile not
related to the specified maintenance tasks are ignored.

<task> Define at least one of these maintenance tasks:


• SyncAMTTime — Synchronize the clock of the Intel AMT device with
the clock of the computer running the RCS. This task is performed
automatically when any of the other tasks are performed.
• SyncNetworkSettings — Synchronize network settings of the Intel AMT
device as defined in the “Network Settings” parameters described below.
• ReissueCertificates — Reissue the certificates stored in the Intel AMT
device. If the device contains 802.1x certificates, the RenewADPassword
task is automatically done as well.
• RenewADPassword — Change the password of the Active Directory
object representing the Intel AMT system.

/AdminPassword The current password of the default Digest admin user defined in the
<password> Intel AMT device. This parameter is NOT necessary if one of these are true:
• The RCS can find the Digest admin password (in one of the RCS profiles,
using a Master Password, or using the scsadmin.dat file)
• The user account running the RCS is defined in the Intel AMT device as an
administrator

Intel® SCS User Guide 105


Chapter 6 • Using the Configurator

/WMIUser The name (in the format domain\username) of a user with WMI permissions
<username> on the computer running the RCS. This parameter is only required when
running the Configurator under a user without WMI permissions on the RCS
computer.

/WMIUserPassword The password of the WMI user


<password>

These Network Settings parameters are used with the SyncNetworkSettings task:

/SourceForAMTName Defines how the FQDN (hostname.suffix) for the Intel AMT device is
<source> constructed. Valid values:
• DNS — The hostname part of the FQDN is the hostname from the host
operating system. The suffix is the “Primary DNS Suffix” from the host
operating system. This is the default setting, and is correct for most
network environments.
• SpecificDNS — The hostname part of the FQDN is the hostname from the
host operating system. The suffix is the “Connection-specific DNS Suffix”
of the onboard wired LAN interface.
• AD — The hostname part of the FQDN is the hostname from the host
operating system. The suffix is the AD domain of which the host operating
system is a member.
• DNSLOOKUP — Takes the FQDN returned by an “nslookup” on the IP
address of the onboard wired LAN interface.
• HOST — Takes the hostname from the host operating system. The suffix
is blank.
Note: When this parameter is not supplied, the default source for the FQDN
is “DNS”. However, if the /NetworkSettingsFile parameter is supplied (and
FQDN data is included in the file), the FQDN is taken from the file.

/NetworkSettingsFile Defines that the source for the IP and/or the FQDN of the Intel AMT device
<file> is a dedicated network settings file. For information about the required XML
format, see the NetworkSettings.xml example file located in the sample_files
folder.

/UseHostStaticIP Inserts the static IP settings of the host operating system into the Intel AMT
device.
(This is the IP configuration of the onboard wired LAN interface only.)
Note: When this parameter is not supplied, the default source for the IP is a
DHCP server. However, if the /NetworkSettingsFile parameter is supplied
(and IP data is included in the file), the IP is taken from the file.

/DedicatedFQDN This setting is supported from Intel AMT 6.0 and higher. Use only if the Intel
AMT device is configured with its own dedicated FQDN. If set, the device
will send broadcast queries to DHCP even when the OS is running.

/DisableDNSUpdate Disables the Intel AMT Dynamic DNS Update (DDNS Update) Client
included in Intel AMT 6.0 and higher. If you disable this client,
Intel AMT will not send DHCP option 81 or DDNS Update requests.

Intel® SCS User Guide 106


Chapter 6 • Using the Configurator

Unconfiguring Intel AMT Systems

Command Unconfigure

Description Unconfigures Intel AMT features on configured Intel AMT systems. If the
system can be unconfigured locally (Intel AMT 7.x), the Configurator does
the unconfiguration. If not, the Configurator sends the unconfiguration
request to the RCS. There are two types of unconfiguration:
• Partial — Removes the configuration settings from the system and
disables the Intel AMT features on the system. The system and the RCS
can still communicate since the PID, PPS, admin ACL settings, host name,
domain name, and the RCS IP and port number are not deleted. Note that
if the manufacturer defined the SOL and IDE interfaces to be closed by
default, then a partial configuration operation will close them and they
cannot be reopened without physical access to the MEBx. This is a known
Firmware limitation.
• Full — Deletes all the Intel AMT settings from the system and disables
the Intel AMT features on the system.
Note:
• Systems in Client Control mode are always unconfigured with a “Full”
unconfiguration.
• The default unconfiguration type for systems in Admin Control mode is
“Partial”.

Syntax ACUConfig.exe [global options] UnConfigure


[/ADOU <ADOU path>] [/AdminPassword <password>]
Note: The CLI does not [/RCSaddress <RCSaddress>] [/Full]
support passwords that {[/WMIUser <username>] [/WMIUserPassword <password>]}
start with a forward
[/NetworkSettingsFile <file>] [/SourceForAMTName <source>]
slash (/).

Parameters

[global options] See “CLI Global Options” on page 93

/ADOU <ADOU path> Deletes the Active Directory object representing the system from the
Organizational Unit defined in <ADOU path>

/AdminPassword The current password of the default Digest admin user defined in the
<password> Intel AMT device. This parameter is NOT necessary if one of these are true:
• The Configurator/RCS can find the Digest admin password (in one of the
RCS profiles, using a Master Password, or using the scsadmin.dat file)
• The user account running the Configurator/RCS is defined in the
Intel AMT device as an administrator

/RCSaddress The IP or FQDN of the computer running the RCS


<RCSaddress>

Intel® SCS User Guide 107


Chapter 6 • Using the Configurator

/Full For systems in Admin Control mode, does a full unconfiguration (the default
is partial unconfiguration)

/WMIUser The name (in the format domain\username) of a user with WMI permissions
<username> on the computer running the RCS. This parameter is only required when
running the Configurator with a user without WMI permissions on the RCS
computer.

/WMIUserPassword The password of the WMI user


<password>

/NetworkSettingsFile This parameter tells the Configurator to get the IP and/or the FQDN from a
<file> dedicated network settings file. For information about the required XML
format, see the NetworkSettings.xml example file located in the sample_files
folder.

/SourceForAMTName Defines how the FQDN (hostname.suffix) for the Intel AMT device is
<source> constructed. Valid values:
• DNS — The hostname part of the FQDN is the hostname from the host
operating system. The suffix is the “Primary DNS Suffix” from the host
operating system. This is the default setting, and is correct for most
network environments
• SpecificDNS — The hostname part of the FQDN is the hostname from the
host operating system. The suffix is the “Connection-specific DNS Suffix”
of the onboard wired LAN interface.
• AD — The hostname part of the FQDN is the hostname from the host
operating system. The suffix is the AD domain of which the host operating
system is a member.
• DNSLOOKUP — Takes the FQDN returned by an “nslookup” on the IP
address of the onboard wired LAN interface.
• HOST — Takes the hostname from the host operating system. The suffix
is blank.
Note: When this parameter is not supplied, the default source for the FQDN
is “DNS”. However, if the /NetworkSettingsFile parameter is supplied (and
FQDN data is included in the file), the FQDN is taken from the file.

Intel® SCS User Guide 108


Chapter 6 • Using the Configurator

Moving from Client Control to Admin Control

Command MoveToACM

Description Moves an Intel AMT system, configured in Client Control mode, to the
Admin Control mode.
When complete, the security related limitations of the Client Control mode
no longer apply to this system (see “Control Modes” on page 4).
Note: This command is not supported if the RCS is installed on a computer
running Windows Server 2003 or Windows XP Professional.
To use this command:
• The system must be configured in Client Control mode.
• The Intel AMT system and the RCS must be setup for authentication using
remote configuration certificates. For more information, see “Setting up
Remote Configuration (PKI)” on page 123.
Note: As an alternative for this command, you can do this:
1. Unconfigure the system.
2. Configure the system again using a method that uses the RCS to put the
system in the Admin Control mode during configuration.

Syntax ACUConfig.exe [global options] MoveToACM <RCSaddress>


Note: The CLI does {[/WMIUser <username>] [/WMIUserPassword <password>]}
not support passwords [/AdminPassword <password>] [/CertificateCNSuffix <suffix>]
that start with a
[/SourceForAMTName <source>]
forward slash (/).

Parameters

[global options] See “CLI Global Options” on page 93

<RCSaddress> The IP or FQDN of the computer running the RCS

/WMIUser The name (in the format domain\username) of a user with WMI permissions
<username> on the computer running the RCS. This parameter is only required when
running the Configurator with a user without WMI permissions on the RCS
computer.

/WMIUserPassword The password of the WMI user


<password>

/AdminPassword The current password of the default Digest admin user defined in the
<password> Intel AMT device. This parameter is NOT necessary if one of these are true:
• The Configurator/RCS can find the Digest admin password (in one of the
RCS profiles, using a Master Password, or using the scsadmin.dat file)
• The user account running the Configurator/RCS is defined in the
Intel AMT device as an administrator

Intel® SCS User Guide 109


Chapter 6 • Using the Configurator

/CertificateCNSuffix When the MoveToACM command starts, the Configurator sends all the
<suffix> hashed root certificates located in the Intel AMT device to the RCS. The RCS
looks in the certificate store of the user account running the RCS for a remote
configuration certificate that traces to one of the hashes.
For authentication to succeed, the domain suffix of the Common Name (CN)
in the Subject Name field of the certificate must match the
“Connection-specific DNS Suffix” assigned to the Intel AMT device. This
suffix can be assigned to the device using option 15 of the DHCP server
(DNS Domain Name).
By default, the RCS tries to authenticate using only the first certificate it finds
that matches one of the hashes. If this is not the correct certificate (for
example, in networks using multiple remote configuration certificates with
different domain suffixes), authentication will fail.
You can use this parameter to specify the correct DNS Domain Name that is
assigned to the Intel AMT device. If supplied, the RCS examines each remote
configuration certificate in the store until it finds a certificate with this suffix
in the CN.

/SourceForAMTName Defines how the FQDN (hostname.suffix) for the Intel AMT device is
<source> constructed. Valid values:
• DNS — The hostname part of the FQDN is the hostname from the host
operating system. The suffix is the “Primary DNS Suffix” from the host
operating system. This is the default setting, and is correct for most
network environments
• SpecificDNS — The hostname part of the FQDN is the hostname from the
host operating system. The suffix is the “Connection-specific DNS Suffix”
of the onboard wired LAN interface.
• AD — The hostname part of the FQDN is the hostname from the host
operating system. The suffix is the AD domain of which the host operating
system is a member.
• DNSLOOKUP — Takes the FQDN returned by an “nslookup” on the IP
address of the onboard wired LAN interface.
• HOST — Takes the hostname from the host operating system. The suffix is
blank.

Intel® SCS User Guide 110


Chapter 6 • Using the Configurator

Disabling Client Control Mode

Command DisableClientControlMode

Description Permanently disables the Client Control mode option in the Intel AMT device
(see “Control Modes” on page 4). After running this command, the device
cannot be put in Client Control mode.
After you run this command:
• Client Control mode can only be re-enabled from the BIOS of the computer.
(Either by resetting the BIOS, or using a manufacturer provided BIOS
menu command to re-enable the option.)
• Future host-based configurations on an unconfigured device can only put
the device in Admin Control mode
• The control mode and configuration status of a device that is already
configured is not changed
• Reconfiguration of a configured device does not change the control mode

Syntax ACUConfig.exe [global options] DisableClientControlMode

Parameters

[global options] See “CLI Global Options” on page 93

Sending a Hello Message

Command SendHello

Description Sends a “Hello” message to the RCS.


This option is only relevant if you want to use scripts to configure the system
(see “Remote Configuration Using Scripts” on page 133).

Syntax ACUConfig.exe [global options] SendHello <RCSaddress> [<port>]

Parameters

[global options] See “CLI Global Options” on page 93

<RCSaddress> The IP or FQDN of the computer running the RCS

<port> The port number the RCS uses to listen for hello messages. If not supplied,
the message is sent to the default port (9971).

Intel® SCS User Guide 111


A
Certification Authorities and Templates
This appendix describes the prerequisites and procedures for using a
Certification Authority (CA) with the Intel SCS.
For more information, see:
• Standalone or Enterprise CA
• Request Handling
• Required Permissions on the CA
• Additional Requirements for Windows 2003 CA
• Defining Enterprise CA Templates
• Defining Common Names in the Certificate
• Using Predefined Files Instead of a CA Request
• CRL XML Format

Intel® SCS User Guide 112


Appendix A • Certification Authorities and Templates

Standalone or Enterprise CA

If you require a Certification Authority in your network, and which type you require,
depends on the Intel AMT features you want to implement.
These features require a Stand-alone root CA or an Enterprise root CA:
• Transport Layer Security (including mutual authentication)
• Remote Access with password based authentication
These features require an Enterprise root CA:
• Remote Access with certificate based authentication
• 802.1x setups (Wired or WiFi)
• EAC settings

Request Handling

Certification Authorities include settings that define how they handle certificate
requests. Intel SCS 7.0 does not support pending certificate requests. If during
configuration the CA puts the certificate into the “Pending Requests” state, the Intel SCS
returns an error (#35). Thus, you must make sure that the CA and the templates used by
the Intel SCS are not defined to put certificate requests into a pending state.
For Enterprise and Stand-alone CAs, request handling is defined in the Request Handling
tab (right-click the CA and select Properties > Policy Module > Properties).
Make sure that the correct option is selected (shown in yellow in this figure).

Figure 44. Request Handling Tab

Intel® SCS User Guide 113


Appendix A • Certification Authorities and Templates

For Enterprise CAs, you must also make sure that the templates used by the Intel SCS
are not defined to require approval. Make sure that CA certificate manager approval
check box is NOT selected (shown in yellow in this figure).

Figure 45. Issuance Requirements Tab

Required Permissions on the CA

These permissions are required on the CA by the user account running the Intel SCS:
• Issue and Manage Certificates
• Request Certificates
For an Enterprise root CA you also need to grant the Intel SCS user account the Read and
Enroll permissions on the templates you want to select in the configuration profiles.

Additional Requirements for Windows 2003 CA

If the RCS is installed on a server running Windows Server 2008 (all x32/64 versions
and R2) and the CA is installed on a server running Windows Server 2003:
1. On the computer running the CA, select Start > Run > Dcomcnfg.
2. Select Component Services > Computers.
3. Right-click My Computer and select Properties.
4. Select the COM Security tab.
5. In the Access Permissions section, click Edit Limits.
6. Select the RCS user account and grant it these permissions:
• Local Access
• Remote Access

Intel® SCS User Guide 114


Appendix A • Certification Authorities and Templates

Defining Enterprise CA Templates

If you use the Intel SCS with an Enterprise CA to configure Intel AMT features to use
certificate-based authentication, you must define certificate templates.

Note: This procedure shows how to create a template containing the correct
settings for Intel AMT. For settings specific to your organization (such as
certificate expiration), specify the values you require. 
You must also make sure that the CA and the template are not defined to
put certificate requests into the pending status. For more information, see
“Request Handling” on page 113.

To create a certificate template:


1. From your Certificate Authority server, select Start > Run. The Run window
opens.
2. Enter mmc and click OK. The Microsoft Management Console window opens.
3. If the Certificate Templates plug-in is not installed, perform these steps:
a. Select File > Add/Remove Snap-in. The Add/Remove Snap-in window opens.

b. Click Add. The Add Standalone Snap-in window opens.

c. From the list of available snap-ins, select Certificate Templates, click Add
and then click Close. The Add Standalone Snap-in window closes.

d. Click OK. The Add/Remove Snap-in window closes and the Certificate
Templates snap-in is added to the Console Root tree.
4. From the Console Root tree, double-click Certificate Templates. The list of
templates appears in the right pane.

Figure 46. Microsoft Management Console

Intel® SCS User Guide 115


Appendix A • Certification Authorities and Templates

5. In the right-pane, right-click the User template and select Duplicate Template.

Note: If the CA is installed on a server running Windows Server 2008


(all x32/64 versions and R2), the Duplicate Template window
opens. Ensure that you select Windows Server 2003 Enterprise
and click OK.

The Properties of New Template window opens.

Figure 47. Properties of New Template Window


6. In the Template display name field, enter a meaningful name. For example, name a
template used to generate 802.1x client certificates “802.1x”.
7. Change the validity and renewal periods as required by local policy and
click Apply.
8. Click the Request Handling tab. The Request Handling tab opens

Intel® SCS User Guide 116


Appendix A • Certification Authorities and Templates

Figure 48. Request Handling Tab


9. Click the CSPs button. The CSP Selection window opens.

Figure 49. CSP Selection Window


10. In the list of requests, select the Microsoft Strong Cryptographic Provider
check box and click OK. The CSP Selection window closes.
11. Click the Subject Name tab and select Supply in the request.
12. Click the Security tab. The Security tab opens.

Intel® SCS User Guide 117


Appendix A • Certification Authorities and Templates

13. Make sure that the user running the Configurator (or the group the user is in)
appears in this list and has the Read and Enroll permissions.
14. If this is a template for TLS, do these steps:
a. Click the Extensions tab. The Extensions tab opens.

b. From the list of extensions, select Application Policies and click Edit. The
Edit Application Policies Extension window opens.

c. Click Add. The Add Application Policy window opens.

d. From the list of Application policies, select Server Authentication and click
OK (the Server Authentication policy contains this OID: 1.3.6.1.5.5.7.3.1).

e. Click OK to return to the Properties of New Template window.

Note: If you define Mutual TLS in the configuration profile, each


application that needs to communicate with the Intel AMT device
will need a certificate. In addition to the Server Authentication
OID (added in step 14 d), the certificate must contain these OIDs:
• For remote access: 2.16.840.1.113741.1.2.1
• For local access: 2.16.840.1.113741.1.2.2
You can add these OIDs to this template (by clicking New in the
Add Application Policy window). You must then install a
certificate, based on this template, in the certificate store of the
user running the application. For information how to do this, see
“Requesting and Installing the Certificate” on page 132.

15. Click OK. The Properties of New Template window closes.


16. Select Start > Programs > Administrative Tools > Certification Authority.
17. From the Console Root tree, select Certificate Authority > Certificate
Templates.
18. Right-click in the right pane and select New > Certificate Template to Issue. The
Enable Certificate Templates window opens.
19. Select the template that you just created and click OK. The Enable Certificate
Templates window closes and the template now appears in the right pane with the
other certificate templates.
20. Restart the CA (to publish the new template in the Active Directory).

Intel® SCS User Guide 118


Appendix A • Certification Authorities and Templates

Defining Common Names in the Certificate

When defining these settings for the Intel AMT device, you can define that
authentication is certificate-based:
• Remote Access
• Transport Layer Security
• 802.1x Setups
• End-Point Access Control
If you also select the “Request certificate from CA option”, the Intel SCS sends a request
to the Certification Authority (CA) to create the certificate. The certificate is created
based on the certificate template that you select for the setting.

Note: Due to Microsoft limitations, creation of the certificate might fail in these
situations:
• If the FQDN of the Intel AMT is longer than 64 characters
• If the certificate subject is longer than 256 characters
• If one of the CN types is Distinguished Name, and the Distinguished
Name is longer than 256 characters

The Subject Name field of the certificate includes Common Names (CNs).
You can use these options in the profile to define the CNs for each setting:

Figure 50. Common Name Options

Default CNs

When you select Default CNs, these are the Common Names that will be included in the
Subject Name of the generated certificate:
• DNS Host Name (FQDN)
• Host Name
• SAM Account Name (Active Directory account name for the Intel AMT object)
• User Principle Name
• UUID of the Intel AMT system

Note: The Intel SCS sends the CNs to the CA in the order shown in this
list. But, this does not guarantee that this is the order that the
Microsoft CA will put them in the certificate.

Intel® SCS User Guide 119


Appendix A • Certification Authorities and Templates

User-defined CNs

This option lets you control which CNs will be included in the Subject Name of the
generated certificate.
If you need to make sure that the first CN in the Subject Name field is a specific CN, use
this option and select only one CN. For example, when defining 802.1x Setups:
• The Cisco* Access Control Server (ACS) requires that the SAM Account Name
is always the first CN.
• The Funk* Odyssey* Server requires that the Host Name is always the first CN.

To define user-defined common names:


1. Select User-defined CNs.
2. Click Edit CNs. The Advanced Common Name window opens.

Figure 51. Advanced Common Name Window


3. From the Available Common Names list, select the required CNs and click to
add them to the Selected Common Names list.
4. Click OK. The Advanced Common Name window closes.

Intel® SCS User Guide 120


Appendix A • Certification Authorities and Templates

Using Predefined Files Instead of a CA Request

Usually, during configuration of Intel AMT features defined to use certificate-based


authentication, the Intel SCS requests the certificate from a CA. To do this, the Intel SCS
component (Configurator, RCS, or ACU Wizard) configuring the Intel AMT device
must have access to the CA during configuration. However, in some network
environments the CA cannot be accessed from all computers.
The new host-based configuration method included with Intel SCS 7.0 supplies a
solution to this problem. When defining certificate-based authentication, you can now
use predefined certificate and private key files (used for the encryption).
To do this, select the Use certificate from a file, option:

Note: For each file you can click Browse to locate and select it, or enter the path
to it from the Intel AMT system. However, make sure that you put both
files in a location that can be accessed from the Intel AMT system. Two
such files are required per Intel AMT system.

Required Format for Certificate and Key Files

The files that you supply must be in the base64 format, known as the PEM format. The
information in each file must be enclosed between a correct “BEGIN” header line
(starting with five dashes) and an “END” footer line.
For certificate files:
-----BEGIN CERTIFICATE-----
... (CA certificate in base64 encoding) ...
-----END CERTIFICATE-----
For key files you must use only the “PKCS#1 RSAPrivateKey” format, like this:
-----BEGIN RSA PRIVATE KEY-----
...(Key in RSA PKCS#1 format)...
-----END RSA PRIVATE KEY-----

Note: If required, you can encrypt the private key file (see “File Encryption” on
page 9).

Intel® SCS User Guide 121


Appendix A • Certification Authorities and Templates

CRL XML Format

If required, the information from a Certificate Revocation List (CRL) is included inside
the configuration profile. The Configurator does not use the original CRL file supplied
by the Certification Authority. The information from the CRL file must be placed in the
<CRLs> tag.
The Profile Designer can import the CRL into the configuration profile (see “Defining
Advanced Mutual Authentication Settings” on page 75).

Note: The profile can contain a maximum of four CRLs that contain a
maximum total (together) of 64 serial numbers.

This is an example of the XML format required by the Profile Designer:

<?xml version="1.0" encoding="UTF-8"?>


<!--
This file maps the untrusted certificates serial number to the URI of the issuer.
The URI value represents a valid CRL distribution point of a Certificate Authority.
-->
<crl>
<uri name="http://certification.authority.example.1.CRL">
<cert serialnumber="15 27 82 20 00 00 00 00 00 01"/>
<cert serialnumber="15-27-82-20-00-00-00-00-00-02"/>
<cert serialnumber="15278220000000000003"/>
</uri>
<uri name="http://certification.authority.example.2.CRL">
<cert serialnumber="15 27 82 20 00 00 00 00 00 04"/>
<cert serialnumber="15 27 82 20 00 00 00 00 00 05"/>
</uri>
</crl>

For the serial number attribute:


• Use exactly two hexadecimal characters for each byte (a byte with a single character
will be ignored).
• The serial number can be represented as a single hexadecimal number. If the bytes are
separated from each other, use any printable non-hexadecimal character separator
between each pair.

Intel® SCS User Guide 122


B
Setting up Remote Configuration (PKI)
This appendix describes the prerequisites and procedures to setup remote configuration.
For more information, see:
• About Remote Configuration
• Prerequisites for Remote Configuration
• Intel AMT Versions and Remote Configuration Certificates
• Acquiring and Installing a Vendor Supplied Certificate
• Creating and Installing Your Own Certificate
• Remote Configuration Using Scripts

Intel® SCS User Guide 123


Appendix B • Setting up Remote Configuration (PKI)

About Remote Configuration

Remote configuration is a feature added with Intel AMT versions 2.2, 2.6, and 3.0 and
higher. It eliminates the need for IT personnel to manually install a PID/PPS pair to
enable setup, and depends on these Intel AMT enhancements:
• Embedded Hashed Root Certificates — The Intel AMT system contains one or
more root certificate hashes from worldwide SSL certificate providers in the firmware
image. When the RCS authenticates to the Intel AMT system, it must do so with a
certificate compatible with one of the hashed root certificates.
• Self-signed Certificate — The Intel AMT system produces a self-signed certificate
that is used to pass its public key to the RCS.
• Limited Network Access — The Configurator opens the network interface of the
Intel AMT system to send the configuration request. After 24 hours, the interface
automatically closes if the setup and configuration is not completed.
• One Time Password (OTP) — Before the Configurator sends a configuration
request to the RCS, the Configurator creates an OTP and sets it in the Intel AMT
device. The Configurator then sends the request, including the OTP, to the RCS. If the
RCS is defined to require an OTP, the RCS does not start configuration until the
device is authenticated using the OTP. For increased security, this is the default
setting. You can remove this requirement if required (see “Changing the Default RCS
Settings” on page 53).
These remote configuration enhancements are available only from Intel AMT 3.0 and
higher:
• Simplified One-Touch — An IT administrator can enter the RCS FQDN or PKI DNS
Suffix via the MEBx menu or with a USB key. The Intel AMT system verifies that the
FQDN in the RCS certificate matches the entered value. This feature is also known as
Secure DNS since providing an FQDN or PKI DNS Suffix is more secure than
depending on DHCP option 15.
• Bare Metal Setup and Configuration — The Intel AMT device can be predefined
by the manufacturer to start sending Hello messages as soon as the system is
connected to power and to the network. This can occur even if an operating system is
not installed on the host system (thus the name “bare metal”). The RCS then
configures the system using a script (see “Remote Configuration Using Scripts” on
page 133).

Intel® SCS User Guide 124


Appendix B • Setting up Remote Configuration (PKI)

Prerequisites for Remote Configuration

Before remote configuration begins, these initial conditions must be met:


• The Intel AMT device must have at least one active hash certificate defined in the
MEBx.
• The Intel AMT system must be configured to receive its IP address from a DHCP
server. The DHCP server must support option 15 and return the local domain suffix.
• The computer running the RCS must have a certificate with the Server Authentication
Certificate OID (1.3.6.1.5.5.7.3.1) and also contain one of these:
• An OID in the Extended Key Usage field with this value:
2.16.840.1.113741.1.2.3
- Or -
• In the Subject Name field, an OU with this value: 
OU=Intel(R) Client Setup Certificate.
In the Certification Path of this certificate, the thumbprint of the root certificate must
be enabled in the Intel AMT hash table.
• The Suffix of the Common Name (CN) in the Subject Name of the RCS certificate
must match the domain suffix of the Intel AMT system (see “Intel AMT Versions and
Remote Configuration Certificates” on page 125).
• For “Bare Metal Setup and Configuration” only: The computer running the RCS must
have an alias record with the name “Provisionserver” in the DNS server (or the name
defined by the manufacturer in the MEBx). The Intel AMT system must be able to
access this DNS server.

Intel AMT Versions and Remote Configuration


Certificates

Intel AMT validates the RCS certificate by comparing a domain suffix or FQDN against
the CN in the certificate. Different Intel AMT versions perform this comparison in
different ways. This can have an impact on the certificate that an organization acquires.
If your network includes a mixture of Intel AMT versions, you must acquire a certificate
that is appropriate for all the versions that will be configured.

Intel AMT 2.2

Intel AMT retrieves its domain suffix using DHCP Option 15. The CN in the RCS
certificate must match the full domain suffix. The result is that a separate certificate is
required for each domain.

Intel® SCS User Guide 125


Appendix B • Setting up Remote Configuration (PKI)

For example, the CN in the certificate is corp.east.yourenterprise.com and DHCP


returns a domain suffix of east.yourenterprise.com. The CN contains the full suffix so
there is a match. A CN of yourenterprise.com would not match
east.yourenterprise.com.

Intel AMT 2.6

Intel AMT 2.6 supports the 2.2 functionality, with these additions:
• Wildcard CN: If the CN in the certificate is preceded by “*.”, then the domain suffix
received from DHCP need only match the CN where they have overlapping fields.
For example, if the CN is *.a.b.org, then yyy.a.b.org, a.b.org, and b.org would all
match (but c.b.org would not).
• If the CN ends with “.com” or “.net”, then the domain suffix received from DHCP
needs to match only last two fields in the CN. For example, if the CN is
east.corp.yourenterprise.com, then west.mkting.yourenterprise.com would match.
• Intel AMT 2.6 supports certificates that use the SubjectAltName (SAN) “DNS Name”
extension. The certificates have multiple DNS names, and each one is compared
consecutively with the domain suffix received from DHCP. When one of the names
matches, Intel AMT accepts the certificate. A certificate with multiple DNS names
would be useful when the root domain is not .com or .net.

Intel AMT 3.0 and Higher

If a system with Intel AMT 3.0 or higher depends exclusively on the domain suffix
returned by DHCP, it behaves the same as Intel AMT 2.2.
The Intel AMT 3.0 FQDN option and domain extension option add the following:
• If you enter the FQDN of the computer running the RCS via the MEBx menu, or with
a formatted USB key, or the manufacturer enters the value before delivery, the CN in
the certificate must either exactly match all fields of the FQDN or it must be a
wildcard entry with a match in all but the first field of the FQDN. For example, if the
FQDN is east.corp.yourenterprise.com, the CN in the certificate must also be
east.corp.yourenterprise.com or *.corp.yourenterprise.com.
• If a DNS suffix is entered, then all fields in the suffix must be included in the CN. For
example, if the entered suffix is corp.yourenterprise.com, then the CN could be
corp.yourenterprise.com or east.corp.yourenterprise.com or
main.east.corp.yourenterprise.com (but not east.yourenterprise.com).

Intel® SCS User Guide 126


Appendix B • Setting up Remote Configuration (PKI)

Acquiring and Installing a Vendor Supplied


Certificate

Contact one of the vendors whose root certificate hashes are built into the Intel AMT
firmware. A list of the hashes should be provided by the system vendor. Go to the
vendor’s website and purchase an “SSL certificate”.
These settings are necessary for the certificate to be compatible for remote configuration
use:
• The OU or the OID must match the values defined in “Intel AMT Versions and
Remote Configuration Certificates” on page 125 (the OU is the usual value entered
when purchasing a certificate commercially).
• The CN must match the Intel AMT system domain suffix (see “Intel AMT Versions
and Remote Configuration Certificates” on page 125).
• The keys should be exportable to support IT key backup policies.
• The request type should be PKCS10.
After completion, export the acquired certificate in p7c format.

Installing a Vendor Certificate

You can install more than one certificate into the certificate store of the user account
running the RCS (RCSServer.exe). The RCS selects the certificate suitable for the
specific Intel AMT system.

To install a certificate in the RCS users certificate store:


1. On the computer where the RCS is installed, log in as the user running the RCS.
2. Open a command prompt window, enter mmc and press <Enter>. The Microsoft
Management Console window opens.
3. If the Certificates plug-in is not installed, perform these steps:
a. Select File > Add/Remove Snap-in. The Add/Remove Snap-in window opens.

b. Click Add. The Add Standalone Snap-in window opens.

c. From the list of available snap-ins, select Certificates and click Add. The
Certificates snap-in window opens.

d. Select My user account and click Finish. The Certificates snap-in window
closes.

e. Click Close. The Add Standalone Snap-in window closes.

f. Click OK. The Add/Remove Snap-in window closes and the Certificates
snap-in is added to the Console Root tree.

Intel® SCS User Guide 127


Appendix B • Setting up Remote Configuration (PKI)

4. From the Console Root tree, right-click Certificates > Personal and select
All Tasks > Import. The Certificate Import Wizard opens.
5. Click Next. The File to Import window opens.
6. Enter the path and file name of the certificate to be imported or click Browse and
navigate to the file.
7. Click Next. The Password window opens.

Note: If the Enable strong private key protection check box is


enabled, ensure that it is NOT selected.

Figure 52. Certificate Import Wizard


8. Enter the password for the private key.
9. Select the Mark this key as exportable check box.
10. Click Next.
11. Select Place all certificates in the following store. The Personal certificate store
should already be selected.
12. Click Next and Finish.

Intel® SCS User Guide 128


Appendix B • Setting up Remote Configuration (PKI)

Installing a Root Certificate and Intermediate


Certificates

If the SSL certificate comes from a CA whose “chain of trust” certificates are not
automatically included in the Window 2003 trusted certificates store, it will be necessary
to install the root certificate and any intermediate certificates in the local computer store
of the computer running the RCS (RCSServer.exe).

To save the root certificate:


1. Retrieve the root certificate and the certificates of any intermediate CAs, according
to the instructions of the certificate vendor. It may be possible to download them
from the vendor website, or the vendor may e-mail the trusted root. Save the
certificate in .cer format.
2. Navigate to each stored certificate, right-click and select Install certificate. A
certificate manager Import Wizard opens.
3. Click Next.
4. Select Automatically select the certificate store based on the type of the
certificate and click OK.
5. Click Next then Finish.
6. When prompted if you want to add the certificate to the root store, click Yes.

Creating and Installing Your Own Certificate

These sections describe how you can install your own certificate to enable remote
configuration:
• Creating a Certificate Template
• Requesting and Installing the Certificate
• Entering a Root Certificate Hash Manually in the Intel AMT Firmware

Creating a Certificate Template

This procedure describes how to create a remote configuration certificate.

To create the certificate template:


1. From your Certificate Authority server, select Start > Run. The Run window
opens.
2. Enter mmc and click OK. The Microsoft Management Console window opens.

Intel® SCS User Guide 129


Appendix B • Setting up Remote Configuration (PKI)

3. If the Certificate Templates plug-in is not installed, perform these steps:


a. Select File > Add/Remove Snap-in. The Add/Remove Snap-in window opens.

b. Click Add. The Add Standalone Snap-in window opens.

c. From the list of available snap-ins, select Certificate Templates, click Add
and then click Close. The Add Standalone Snap-in window closes.

d. Click OK. The Add/Remove Snap-in window closes and the Certificate
Templates snap-in is added to the Console Root tree.
4. From the Console Root tree, double-click Certificate Templates. The list of
templates appears in the right pane.

Figure 53. Microsoft Management Console


5. In the right-pane, right-click the Computer template and select
Duplicate Template.

Note: If the CA is installed on a server running Windows Server 2008


(all x32/64 versions and R2), the Duplicate Template window
opens. Ensure that you select Windows Server 2003 Enterprise
and click OK.

The Properties of New Template window opens.

Intel® SCS User Guide 130


Appendix B • Setting up Remote Configuration (PKI)

Figure 54. Properties of New Template Window


6. In the Template display name field, enter a name for the template.
7. Click the Extensions tab. The Extensions tab opens.
8. From the list of extensions, select Application Policies and click Edit. The Edit
Application Policies Extension window opens.
9. Click Add. The Add Application Policy window opens.
10. Click New. The New Application Policy window opens.
11. Enter a policy name, and in the Object Identifier field enter this OID for remote
configuration: 2.16.840.1.113741.1.2.3
12. Click OK to return to the Add Application Policy window, click OK to return to
the Edit Application Policies Extension window, and click OK to return to the
Properties of New Template window.
13. Click the Subject Name tab and select Supply in the request.
14. Click the Request Handling tab and select the Allow private key to be exported
check box.
15. Click OK. The Properties of New Template window closes.
16. Select Start > Program Files > Administrative Tools > Certification Authority.
The Certification Authority window opens.
17. From the tree in the left pane, select Certificate Templates.
18. Right-click in the right pane and select New > Certificate Template to Issue.
19. In the Enable Certificate Templates window, select the template that you just
created and click OK. The template now appears in the right pane with the other
certificate templates.
20. Restart the CA (to publish the new template in the Active Directory).

Intel® SCS User Guide 131


Appendix B • Setting up Remote Configuration (PKI)

Requesting and Installing the Certificate

This procedure describes how to request and install the certificate on the computer
running the RCS (RCSServer.exe).

To install the certificate:


1. On the computer running the RCS, open an internet browser and connect to
Certificate Services for the Root CA using this naming convention:
http://CA_FQDN/certsrv. If the CA requires an SSL connection, use this naming
convention instead: https://CA_FQDN/certsrv.
2. Click Request a certificate.
3. Click advanced certificate request.
4. Click Create and submit a request to this CA.
5. From the Certificate Template drop-down list, select the certificate template that
you created (see “Creating a Certificate Template” on page 129).
6. In the Identifying Information for Offline Template section, enter the domain name
where the certificate will be used (the domain suffix or FQDN of the computer
running the RCS) in the Name field.
7. Leave all the other default values and click Submit.
8. Install the certificate in the RCS user’s certificate store and then restart the RCS.

Entering a Root Certificate Hash Manually in


the Intel AMT Firmware

Normally the certificate hashes are programmed in the Intel AMT system firmware by
the manufacturer. However, there is an option of entering the root certificate’s hash
manually via the MEBx. (The names and locations of menu options might vary slightly
in different Intel AMT versions.)

To enter the certificate hash via the MEBx:


1. Open the Root certificate and tab to Details. Keep the Root certificate thumbprint
from the thumbprint field for use in step 7.
2. Power on the Intel AMT system and press <Ctrl-P> during boot.
3. When the MEBx menu is displayed, do a full unconfiguration (unprovision).
4. From the MEBx menu, select Setup and Configuration > TLS PKI.
5. Select Manage Certificate Hashes.
6. Press <Insert> and enter a name for the hash.
7. Enter the Root certificate thumbprint from step 1.
8. Answer Yes to the question about activating the hash.
9. Exit the MEBx and reboot the Intel AMT system.

Intel® SCS User Guide 132


Appendix B • Setting up Remote Configuration (PKI)

Remote Configuration Using Scripts

Usually, when the RCS configures a system the configuration process is started when the
Configurator sends a configuration request to the RCS. In certain conditions, this might
not be applicable for your network environment. For example:
• If you want to use the “Bare Metal” option
• If you want to supply the RCS with the configuration data for each system, or start the
configuration process from the RCS
Instead of using the Configurator, you can use “Hello” messages and a script.

How the Script Option Works

The RCS requires identification information for each Intel AMT system before it can
perform the setup and configuration. The “Hello” message sent from an Intel AMT
system contains the UUID of the Intel AMT system.

When a Hello message arrives:


1. The RCS sets environment variables based on values in the Hello message, and
activates the script.
2. The script reads the environment variables set by the RCS, and uses them to find
the necessary identification information for the Intel AMT system.
3. The script uses the “ConfigAMT” command of the RCS API to send the
configuration request to the RCS.
4. The RCS configures the system.

Environment Variables
The RCS sets these environment variables:
• CS_AMT_UUID — The UUID of the system
• CS_AMT_ADDRESS — The IP address of the system
• CS_AMT_CONFIGURATION_METHOD — The configuration mode of the device:
• 1 — The device has a Private Share Key defined (PID-PPS)
• 2 — The device is set for PKI authentication
• CS_AMT_PID — The PID of the TLS-PSK key (for PSK only)

Intel® SCS User Guide 133


Appendix B • Setting up Remote Configuration (PKI)

Preparing to Use Scripts

To use the script option:


• The RCS must be set to listen for hello messages and use the script that you supply
(see “Changing the Default RCS Settings” on page 53).
• The Intel AMT system must be prepared for configuration using one of these methods
that use the TLS protocol:
• “One Touch Configuration (PSK)” on page 5
• “Remote Configuration (PKI)” on page 5
• The Intel AMT system must send a Hello message. This will happen automatically if
the system was prepared for “Bare Metal Setup and Configuration” by the
manufacturer. If not, you can send a Hello message using the Configurator CLI (see
“Sending a Hello Message” on page 111).

Defining a Script

Script functionality is the responsibility of the IT organization. The script can retrieve the
information from an external source or from the host containing the Intel AMT device.
For example:

• The script can send a Windows Management Instrumentation (WMI) query to get the
FQDN from the host using the IP address sent in the Hello message. (This requires
that the host is operational and running a version of Microsoft Windows that
processes WMI queries.)

• The script can get the FQDN from a pre-prepared database or file containing the
UUID and FQDN of each Intel AMT device.

Sample Script
The Intel SCS includes a sample script (ConfigAMT.vbs). You can use the sample script
as a basis for reference when creating your script. The script is located at:
\\sample_files\hello_listener_sample_files folder

Intel® SCS User Guide 134


Appendix C • Troubleshooting

C
Troubleshooting
This appendix describes problems you might find when using the Intel SCS, and
provides their solutions.
For more information, see:
• Failed to Parse the XML File
• Reconfiguration of Dedicated IP and FQDN Settings
• Disjointed Namespaces
• Damaged RCS Data Files (RCS does not Start)
• Connecting to an RCS behind a Firewall
• Error when Removing AD Integration (Error in SetKerberos)
• Kerberos Authentication Failure
• The ACU Wizard Takes a Long Time to Start
• Problems Using ACU Wizard on a Network Drive
• Error: “Kerberos User is not Permitted to Configure..”

Intel® SCS User Guide 135


Appendix C • Troubleshooting

Failed to Parse the XML File

This error can occur when the Configurator (ACUConfig.exe) cannot read the
configuration profile.
Solutions:
• Make sure that the profile contains the correct tags and legal values (try and open
it with the ACU Wizard).
• If the Intel AMT system is running Windows XP, make sure that service pack 3 is
installed.
• If the profile is encrypted, this error can occur on Intel AMT systems running
Windows 7 and Windows Server 2008. This is because of a known Microsoft
issue. Install this hotfix: http://support.microsoft.com/kb/981118.
• The Intel SCS uses Microsoft XML Core Services (MSXML) to parse XML
files. MSXML is included in most operating systems supported by the Intel SCS
components, and also in most versions of .NET framework. If it is not installed,
download MSXML 6.0 from the Microsoft website and install it on the
computer.

Reconfiguration of Dedicated IP and FQDN Settings

Reconfiguration can fail when all these conditions are true:


1. The Intel AMT device was configured with an FQDN and IP different from the
host operating system (for example, by using a dedicated network settings file).
2. The dedicated network settings file contains FQDN and IP values different from
those currently defined in the Intel AMT device.
3. The Intel SCS needs to reconfigure the device using the new values in the
dedicated network settings file.
Solution:
Make sure you supply the current IP address or FQDN of the Intel AMT device in the
<CurrentAMTAddress> tag of the dedicated network settings file.

Intel® SCS User Guide 136


Appendix C • Troubleshooting

Disjointed Namespaces

A disjointed namespace occurs when the primary Domain Name System (DNS) suffix of
a computer does not match the DNS domain of which it is a member. Defining a network
environment with disjointed namespaces (intentionally or accidentally) can cause many
different types of communication and authentication failures.
For Intel AMT, these failures can be related to:
• Configuration/Reconfiguration
• Authentication using Kerberos users in the Access Control List (ACL)
• Authentication using Transport Layer Security (TLS)
Solution:
If integration with Active Directory (AD) is enabled, during configuration the Intel SCS
creates an AD object for the Intel AMT device. Some of the entries in this object define
parameters used in Kerberos tickets. For example, the DNS Host Name and the Service
Principal Names (SPNs). If these entries in the AD object are configured using the
correct DNS name, problems with disjointed namepsaces can be avoided. For example,
“Object 2” in this diagram was created by Intel SCS using an FQDN in the Intel AMT
device (System1.DDC.com) that matches the DNS name.

Figure 55. Disjointed Namespace and Intel SCS 7.0


To implement this solution:
1. Check in the DNS to find the correct name that can be resolved using DNS
resolution. This name needs to be inserted into the FQDN of the Intel AMT device.
2. Use the Intel SCS to configure/reconfigure the Intel AMT device with the required
FQDN. The Intel SCS includes several options for the source it can use when
inserting the FQDN into the Intel AMT device (see “Defining IP and FQDN
Settings” on page 89).

Intel® SCS User Guide 137


Appendix C • Troubleshooting

Damaged RCS Data Files (RCS does not Start)

If one of the data files used by the RCS is damaged or missing, the RCS cannot operate.
This also means that:
• The ACU Wizard shows a “login failure” message when trying to connect to the RCS.
• When you try to save a profile, the ACU Wizard shows an error message.
• In the Services window on the computer running the RCS, you cannot start the
RCSServer service.
Solution:
If you created a backup, restore the latest version of the data files to the correct location
(see “Backing up Data Stored in the RCS” on page 26).
If you did not create a backup, do one of these:
• Uninstall and then reinstall the RCS. This creates new empty copies of all the required
data files.
- OR-
• In the registry of the computer running the RCS, add a DWORD key with the name
“Recover” to this key:
• 32-bit operating systems:
HKLM\SOFTWARE\Intel\SCS7.0
• 64-bit operating systems:
HKLM\SOFTWARE\Wow6432Node\Intel\SCS7.0
When the RCS starts, it checks if this key exists. If the key exists with a value not
equal to zero, the RCS will automatically create a new empty file for each damaged or
missing data file. Only damaged or missing data files are replaced.

Connecting to an RCS behind a Firewall

If you install the RCS on a computer that is protected by a firewall, you might receive
error messages when you try to connect to the RCS.
Solution:
You must make sure that the firewall is configured to enable the WMI to connect to the
RCS. For more information, refer to the Microsoft Developer Network:
http://msdn.microsoft.com/en-us/library/aa389286(VS.85).aspx

Intel® SCS User Guide 138


Appendix C • Troubleshooting

Error when Removing AD Integration (Error in SetKerberos)

For some Intel AMT 4.x and 5.x systems, this warning can occur during reconfiguration
with a profile that contains TLS settings but disables Active Directory (AD) integration:
error in SetKerberos (1) Failed while calling WS-Management call SetKerberosSettings
This warning occurs only if the system was initially configured with a profile containing
TLS settings and AD integration enabled. The result is that configuration is completed
(including TLS), but the AD integration is not disabled.
Solution:
This is a known limitation that was solved in versions 4.2.30 and 5.2.30 of the Intel AMT
firmware. For systems with this problem:
1. Reconfigure the system using a profile that disables TLS and Active Directory.
2. Reconfigure the system using a profile that enables and defines the required TLS
settings.

Kerberos Authentication Failure

If integration with Active Directory (AD) is enabled, during configuration the Intel SCS
creates an AD object for the Intel AMT device. The values of the Service Principal Name
(SPN) attribute in this object are used in Kerberos tickets during AD authentication.
If the AD forest contains more than one object representing the same Intel AMT device,
the Kerberos authentication will fail. This is because identical SPN values exist for
different objects. The AD does not know which SPN to use, and thus returns an error.
Multiple objects can be created during reconfiguration when you change the AD
Organizational Unit (ADOU) defined in the profile (see “Defining Active Directory
Integration” on page 61). If you do not use the /ADOU flag in the CLI, the Intel SCS
does not know the location of the old object and thus cannot delete it.
Solution:
Make sure that the AD forest contains only one AD object for each Intel AMT device.
If not:
1. Manually delete the object from the old ADOU.
2. Wait approximately 15 minutes, or manually purge the Kerberos tickets.

Intel® SCS User Guide 139


Appendix C • Troubleshooting

The ACU Wizard Takes a Long Time to Start

To use the ACU Wizard, Microsoft .NET Framework must be installed on the computer.
Some versions of the .NET Framework include limitations that can cause the ACU
Wizard to take a long time to start. To prevent these problems, the
ACUWizard.exe.config file includes this setting:
<runtime>
<generatePublisherEvidence enabled="false"/>
</runtime>
However, not all versions of .NET support this setting.
Solution:
Make sure that the version of .NET Framework installed on the computer supports the
generatePublisherEvidence setting.
For example: Version 2.0 (service pack 1) or version 3.0 (service pack 1).

Problems Using ACU Wizard on a Network Drive


Due to security measures built into .NET Framework, if you try to start the ACU Wizard
on a network drive, you might receive this error message: 
Intel® Active Management Technology Configuration Utility has encountered a problem
and needs to close.
Solution:
Give “Full Trust” to the network share as shown in this example:
cd c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727
CasPol.exe -m -ag 1.2 -url file:///N:/your/network/path/* FullTrust

Intel® SCS User Guide 140


Appendix C • Troubleshooting

Error: “Kerberos User is not Permitted to Configure..”

Usually, this error will occur if all these conditions are true:
• The requested operation will change the FQDN setting in the Intel AMT device, or the
Intel AMT Active Directory object.
• The requested operation is run using a Kerberos admin user.
• The password of the default Digest admin user is not defined in the profile or supplied
in the CLI command (/AdminPassword).
This is to prevent losing connection to the device when changing these settings.
But, this error can also occur (incorrectly) if all these conditions are true:
• The requested operation will NOT change the FQDN setting in the Intel AMT device,
or the Intel AMT Active Directory object
• The Delta configuration profile does not contain the Admin User Password settings
(defined in the Profile Scope).
• The system has Intel AMT 6.0 or higher.
• The operation was run using the ConfigViaRCSOnly or MaintainViaRCSOnly
commands.
Solution:
• Define the Digest admin password in the profile or the CLI command.
-OR-
• Try to run the command with one or more of the following flags: /DedicatedFQDN,
/DisableDNSUpdate. (In this version of the Intel SCS, these flags are part of the
network settings.)

Intel® SCS User Guide 141