Intel vPro Provisioning Process with Microsoft


Intel® vPro™ Provisioning Process with Microsoft* System Center Configuration Manager SP1
These process flows focus on Advanced Security by enabling Kerberos Authentication and TLS security
* Other names and brands may be claimed as the property of others.
Slide 1
Purpose of Foils
• The following foils are intended to show the detailed flow of the Intel® vPro™ Provisioning Process with Microsoft* System Center Configuration Manager SP1
– SCCM Agent Based Provisioning (PKI + FW >=3.2.1)
– Bare Metal Provisioning (PKI + FW >=3.2.1)
– Bare Metal Provisioning (PSK + FW <3.2.1)
– Full UnProvision – Reset to Factory Default
– Partial UnProvisioning
Slide 2
Agent Based Provisioning (PKI + FW >=3.2.1)
1. Based on policy, the Configuration Manager Agent assesses whether the client can be provisioned. If it can, it creates a One Time Password (OTP) and sends the OTP both to the OOB Service Point and into the Intel® AMT firmware
2. OOB Service Point secures the connection with the Intel AMT client through the embedded AMT self-signed certificate and presents the provisioning certificate along with the OTP for initial authentication
3. OOB Service Point sets the Remote Admin and MEBx password (if not changed)
4. OOB Service Point requests a web server certificate on behalf of the Intel AMT client
5. OOB Service Point creates an Object in AD for the vPro client
6. OOB Service Point pushes web server certificate to Intel AMT client
7. OOB Service Point pushes ACL, power schema, and other configuration data to Intel AMT to finalize provisioning
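As an added illustration that is not part of the deck, the following Python models the trust decisions in steps 1 and 2 of this flow: the agent's OTP is shared with both the OOB Service Point and the firmware, and the firmware accepts a provisioner only when a trusted provisioning certificate and a matching, not-yet-used OTP are presented together. Certificate chain validation is stood in for by a root-fingerprint check, and all class and method names are constructed for the example rather than Intel or Microsoft APIs.

```python
import hashlib, hmac, secrets

def root_fingerprint(cert_der):
    # Stand-in for chain validation (assumption, not AMT internals): the firmware
    # trusts a provisioning cert whose root's SHA-256 fingerprint is in its trust list.
    return hashlib.sha256(cert_der).digest()

class AmtFirmware:
    # Client side: trusted roots plus the OTP the agent writes into it (step 1).
    def __init__(self, trusted_root_certs):
        self.trusted = {root_fingerprint(c) for c in trusted_root_certs}
        self.otp = None
    def accept_otp(self, otp):
        self.otp = otp
    def authenticate(self, provisioning_root_der, presented_otp):
        # Step 2: a trusted provisioning cert AND a matching, unused OTP are both required.
        if (root_fingerprint(provisioning_root_der) not in self.trusted
                or self.otp is None or not hmac.compare_digest(self.otp, presented_otp)):
            return False
        self.otp = None            # one-time: consumed on success, so a replay fails
        return True

class OobServicePoint:
    # Server side: receives the OTP from the agent, presents cert + OTP to the client.
    def __init__(self, provisioning_root_der):
        self.root = provisioning_root_der
        self.pending = {}          # client id -> OTP received from the agent
    def receive_otp(self, client_id, otp):
        self.pending[client_id] = otp
    def provision(self, client_id, fw):
        otp = self.pending.pop(client_id, None)
        return otp is not None and fw.authenticate(self.root, otp)

def agent_issue_otp(client_id, fw, oob):
    # Step 1: the Configuration Manager agent creates the OTP and hands it to both sides.
    otp = secrets.token_bytes(16)
    oob.receive_otp(client_id, otp)
    fw.accept_otp(otp)
    return otp

def demo():
    trusted_root = b"constructed trusted provisioning root (DER stand-in)"
    fw, oob = AmtFirmware([trusted_root]), OobServicePoint(trusted_root)
    otp = agent_issue_otp("client-1", fw, oob)
    first = oob.provision("client-1", fw)          # True: cert trusted, OTP matches
    replay = fw.authenticate(trusted_root, otp)     # False: OTP already consumed
    fw2, rogue = AmtFirmware([trusted_root]), OobServicePoint(b"constructed untrusted root")
    agent_issue_otp("client-2", fw2, rogue)
    untrusted = rogue.provision("client-2", fw2)    # False: root not trusted by firmware
    return {"first": first, "replay": replay, "untrusted": untrusted}
```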
Slide 3
Bare Metal Provisioning (PKI + FW >=3.2.1)
(Diagram: Microsoft SCCM OOB Import Wizard)
1. Admin imports provisioning data** for client being provisioned into ConfigMgr 2007 SP1
2. vPro client sends a PKI hello packet to provisioning server (defined firmware schedule)
3. OOB Service Point secures the connection with the Intel AMT client through the embedded AMT self-signed certificate and presents the provisioning certificate for initial authentication
4. OOB Service Point sets the Remote Admin and MEBx password (if not changed)
5. OOB Service Point requests a web server certificate on behalf of the AMT client
6. OOB Service Point creates an Object in AD for the vPro Client
7. OOB Service Point pushes web server certificate to AMT client
8. OOB Service Point pushes ACL, power schema, and other configuration data to AMT to finalize provisioning
** - The collection of client provisioning data can be automated from the vPro client to SCCM, which requires an OS to run the utility but could be done from a WinPE image
Slide 4
Bare Metal Provisioning (PSK + FW <3.2.1)
(Diagram: Microsoft SCCM OOB Import Wizard)
1. Admin imports provisioning data** for client being provisioned into ConfigMgr 2007 SP1
2. vPro client sends a PSK hello packet to provisioning server (defined firmware schedule)
3. OOB Service Point forwards the provisioning request to the Intel WS-MAN Translator
4. The Intel WS-MAN Translator passes the PSK PID to establish the secure connection
5. OOB Service Point sets Remote Admin and MEBx password, routed through the Intel WS-MAN Translator
6. OOB Service Point requests a web server certificate on behalf of the AMT client
7. OOB Service Point creates an Object in AD for the vPro client
8. OOB Service Point pushes web server certificate to AMT client, routed through the Intel WS-MAN Translator
9. OOB Service Point pushes ACL, power schema, and other configuration data to Intel AMT to finalize provisioning, routed through the Intel WS-MAN Translator
** - The collection of client provisioning data can be automated from the vPro client to SCCM, which requires an OS to run the utility but could be done from a WinPE image
Slide 5
Full UnProvisioning – Reset to Factory Default**
1. Using a TLS-secured connection and Digest Authentication, OOB SP sends a Full Unprovision command to the client
2. OOB Service Point requests revocation of the web server certificate of the Intel AMT client
3. OOB Service Point deletes the corresponding Object in AD for the vPro client
4. Intel® Management Engine does the following:
a) resets the Remote Admin and MEBx password and deletes all ACL information
b) deletes the web server certificate in the Management Engine
c) clears the audit log, deletes the audit policy, and disables auditing
d) deletes the provisioning profile, such as power schema, wireless profiles, and other configuration data in the ME
e) removes Host Name, Domain Name, Provisioning Server IP and port
** - At conclusion of Full Unprovision, the client is at Factory Default with the exception of the Local Admin password for access through the MEBx
Slide 6
Partial UnProvisioning
1. Using a TLS-secured connection and Digest Authentication, OOB SP sends a Partial Unprovision command to the client
2. OOB Service Point DOES NOT request revocation of the web server certificate of the Intel AMT client
3. OOB Service Point DOES NOT delete the corresponding Object in AD for the vPro client
4. Intel Management Engine DOES NOT reset the Remote Admin and MEBx password or delete ACL information
5. Intel Management Engine DOES NOT delete the web server certificate in the Intel ME
6. Intel Management Engine DOES NOT clear the audit log, delete the audit policy, or disable auditing
7. Intel Management Engine DOES NOT remove Host Name, Domain Name, Provisioning Server IP and port
8. Intel Management Engine deletes the provisioning profile, such as power schema, wireless profiles, and other configuration data in the Intel ME
Slide 7
Slide 8