Having managed to get Intel AMT up and running a year or so ago, we found we’d pretty much forgotten how to configure it in Enterprise mode. Since our new machines were coming with AMT 7, we thought we’d revisit the technology. Having found a lot of people struggling to get AMT up and running, we thought we’d share our findings in case they prove useful.
Overview of Intel AMT
Intel Active Management Technology (Intel AMT) is part of vPro and essentially allows out-of-band monitoring and management of hardware even when the machine is powered down. See the appropriate Intel AMT and Intel Setup & Configuration Software (SCS) documentation for more detailed information on the full capabilities.
There are several methods for configuring and operating Intel AMT:
- Manual Mode – The configuration is carried out locally via the Intel ME section of the BIOS.
- Host Based – The configuration is carried out locally on the machine under Windows by running the installed configuration tool.
- Small Medium Business (SMB) Mode – The configuration is carried out via a USB memory stick containing setup.bin created via the configuration tool.
- Enterprise Mode using PKI – This uses the Remote Configuration Service (RCS) component of the Intel Setup & Configuration Software (SCS).
Manual Mode
This is the easiest way to get AMT up and running. Simply configure the AMT settings via Local Provisioning in the Intel ME section of the BIOS.
- Configure hostname
- Set network to DHCP/static
- You may need to turn on Legacy SMB Support (See this article)
Host Based
This mode requires Windows. Run the Intel SCS Configuration Tool and select Configure/Unconfigure this system.
Small Medium Business (SMB) Mode
Use the Intel SCS Configuration Tool to create a USB memory stick with setup.bin, then boot the machines off the memory stick.
Enterprise Mode using PKI
Enterprise mode allows automatic remote provisioning via the Remote Configuration Service (RCS) provisioning server, provided as part of the Intel SCS (Setup and Configuration Software). This mode is a little fiddly to get going, but the real reason to use it over the previous methods is that AMT traffic uses SSL rather than plain HTTP, so the encryption protects both the authentication credentials and the AMT payload traffic.
This mode ideally requires write access to the Active Directory in order to create machine objects for the AMT host and access to a Microsoft Certificate Authority to create certificates for each AMT host.
The RCS server needs to be configured with a signed certificate, either from a commercial CA (a number of whose certificate hashes are in the Intel ME BIOS by default), or from a self-signed CA. Ours is generated from the CA on SMS-1. The certificate allows the clients to verify the authenticity of the server.
If you opt to use self-signed certificates, the hash of the CA certificate needs to be loaded into the User Certificate section of the Intel ME BIOS. This can be done by hand but is time-consuming, especially if you need to do more than a couple of machines. The best way to quickly configure a large number of machines is to create a USB memory stick with the appropriate certificate hash using USBFile.exe from the Intel AMT SDK.
A user-configured script can also be assigned to the server in order to determine the appropriate AMT configuration profile to assign to a host when it requests configuration. Ours essentially looks up the UUID in the Active Directory in order to determine the hostname. This requires machines to exist in the Active Directory beforehand, but since all our hosts are either pre-staged or created via WDS this isn’t a problem for us.
A basic overview of the process follows below:
- The AMT client sends Hello packets to provisionserver.<domain>
- Various parameters (UUID, IP address, etc.) from the calling host are passed to the configuration script
- The script looks up the host from these parameters and determines the profile to apply
- The script performs a WMI call to ConfigAMT(….)
- The RCS server creates an AMT computer object in a specified Active Directory OU
- The Certificate Authority issues a signed certificate for the client
- The AMT configuration profile is sent to the client
See Part 2 for details on configuring the Remote Configuration Service.
Via Web Browser
For manual or SMB mode:
For Enterprise mode:
Via Linux Tools
You need to set AMT_PASSWORD environment variable to the AMT admin password.
For Enterprise mode:
amttool <fqdn>:16993 <command>
Via RealVNC viewer
RealVNC viewer plus has support for accessing the AMT onboard KVM for remote diagnosis.