Intel® SCS Add-on 2.1 and SC2012 R2 ConfigMgr Integration (RCS Database mode) - Part 1

Active Directory and Certificates preparation for OOB

This part covers the Active Directory configuration and the certificate requirements for OOB.

AD Configuration

  1. Create a new OU in Active Directory for the AMT computer objects. ※If there are several domains, create an OU in each domain.
  2. Create a Universal security group to manage the provisioned AMT computer accounts, e.g. “SC2012CM R2 AMT Computers”.
  3. Create a user account that will be used for AMT provisioning, e.g. “CM_AMT”.
  4. The user account created in step 3 must be a local administrator on every computer that will be provisioned. We recommend using Group Policy Preferences (GPP) to add that account to the local Administrators group of those computers.
  5. Create a security group that will contain the AMT administrators, e.g. “SC2012CM R2 AMT Administrators”.
  6. Add the AMT account created in step 3 and the SCCM server computer account to the group created in step 5.
  7. In the security settings of the OU created in step 1, add the group created in step 5 and grant it “Full Control” on the OU.
  8. In the “Security” tab of the group created in step 2, add the AMT administrators group created in step 5 and grant it “Read” and “Write” permissions.
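The eight steps above as a PowerShell script, added here as an example and not part of the original post: it creates the objects with the ActiveDirectory module and sets the two ACLs with dsacls. The domain name, NetBIOS name, OU name, site server name and group scope of the administrators group are assumptions.

```powershell
# Added example (not from the original post). Assumed values are marked below.
Import-Module ActiveDirectory

$domainDN   = 'DC=contoso,DC=com'   # assumption: the AD domain
$netbios    = 'CONTOSO'             # assumption: its NetBIOS name
$ouName     = 'AMT Computers'       # assumption: name of the OU from step 1
$siteServer = 'CM01'                # assumption: ConfigMgr primary site server
$ouDN       = "OU=$ouName,$domainDN"

# Step 1: OU that will hold the AMT computer objects (one per domain if there are several)
New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true

# Step 2: Universal security group for the provisioned AMT computer accounts
$amtComputers = New-ADGroup -Name 'SC2012CM R2 AMT Computers' -GroupScope Universal `
    -GroupCategory Security -Path $ouDN -PassThru

# Step 3: provisioning account; the password is prompted for, never written in the script
$amtUser = New-ADUser -Name 'CM_AMT' -SamAccountName 'CM_AMT' -Path $ouDN -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString 'Password for CM_AMT') -PassThru
# Step 4 (local Administrators membership on every client) is done with GPP, not here.

# Step 5: group carrying the AMT administrative rights (scope is an assumption)
$amtAdmins = New-ADGroup -Name 'SC2012CM R2 AMT Administrators' -GroupScope Universal `
    -GroupCategory Security -Path $ouDN -PassThru

# Step 6: the provisioning account and the site server computer account become AMT admins
Add-ADGroupMember -Identity $amtAdmins -Members $amtUser, (Get-ADComputer $siteServer)

# Step 7: Full Control on the OU; GA = generic all, /I:T = this object and all children
dsacls $ouDN /I:T /G "$netbios\$($amtAdmins.SamAccountName):GA"

# Step 8: Read and Write (GR + GW) on the AMT Computers group object itself
dsacls $amtComputers.DistinguishedName /G "$netbios\$($amtAdmins.SamAccountName):GRGW"
```

Run it once per domain as a user who can create objects under the domain root; dsacls prints the resulting ACL so the two grants can be checked immediately.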


Certificates requirements

Later in this blog we use a certificate named “AMT Provisioning certificate”. This certificate is issued by our Enterprise CA. In that case the hash of the Enterprise CA root certificate has to be registered manually on every computer that is to be managed.

This step can be skipped if a public certificate is used for that purpose, because the PC firmware already contains the root certificate hashes of the well-known public certificate authorities. If you decide to use a public certificate, we recommend following the procedure in the Intel SCS User Guide to request one.

Prerequisites

1. On the Certificate Services server, grant the AMT account (CM_AMT) the following rights:

  • Issue and Manage Certificates
  • Request Certificates

2. In the properties of the certification authority, open the “Policy Module” tab, click “Properties” and verify that “Follow the settings in the certificate template…” is selected.

Creation of the AMT Client Configuration certificate template

  1. From the CA console, right-click on “Certificate Templates” and click on “Manage”.
  2. Right-click on “User” and click on “Duplicate Template”.
  3. On the “Compatibility” tab, verify that “Windows Server 2003” is selected for “Certification Authority” and “Windows XP / Server 2003” for “Certificate recipient”.
  4. In the “General” tab, type the template name, select “5 years” as the validity period and uncheck “Publish certificate in Active Directory”.
  5. From the “Cryptography” tab, in the “Providers” section, select “Microsoft Strong Cryptographic Provider”.
  6. From the “Subject Name” tab, select “Supply in the request”.
  7. Click “OK” on the warning dialog.
  8. From the “Security” tab, add the “CM_AMT” user account and grant it “Read” and “Write” permissions.
  9. From the “Extensions” tab, select “Application Policies” and click on the “Edit” button.
  10. Click on the “Add” button.
  11. Select “Server Authentication” in the list and click on “OK”.
  12. Click on the “Add” button.
  13. Click on the “New” button.
  14. Type “AMT Local Access” in the “Name” field and “2.16.840.1.113741.1.2.2” in the “Object identifier” field. Click on “OK”.
  15. Click on the “New” button.
  16. Type “AMT Remote Access” in the “Name” field and “2.16.840.1.113741.1.2.1” in the “Object identifier” field. Click on “OK”.
  17. Verify that both “AMT Local Access” and “AMT Remote Access” have been added and click on “OK”.
  18. Click on the “OK” button.
  19. Click on the “OK” button.
  20. From the Certificate Services console, right-click on “Certificate Templates” → “New” → “Certificate Template to Issue”.
  21. Select “AMT Client Configuration Certificate” and click on “OK”.
  22. In “Certificate Templates”, verify that “AMT Client Configuration Certificate” has been added.


Creation of AMT Provisioning template

  1. From the CA console, right-click on “Certificate Templates” and click on “Manage”.
  2. Right-click on “Web Server” and click on “Duplicate Template”.
  3. On the “Compatibility” tab, verify that “Windows Server 2003” is selected for “Certification Authority” and “Windows XP / Server 2003” for “Certificate recipient”.
  4. In the “General” tab, type the template name, select “5 years” as the validity period and uncheck “Publish certificate in Active Directory”.
  5. In the case of an Enterprise CA, verify that the template does not require any approval to be issued: on the “Issuance Requirements” tab, verify that “CA certificate manager approval” is unchecked.
  6. From the “Subject Name” tab, select “Build from this Active Directory information” and select “Common name” in the “Subject name format” list.
  7. From the “Extensions” tab, select “Application Policies” and click on the “Edit” button.
  8. Click on the “Add” button.
  9. Click on the “New” button.
  10. Type “AMT Provisioning” in the “Name” field and “2.16.840.1.113741.1.2.3” in the “Object identifier” field. Click on “OK”.
  11. Select “AMT Provisioning” and click “OK”.
  12. Verify that “AMT Provisioning” has been correctly added and click “OK”.
  13. Verify that you have both “AMT Provisioning” and “Server Authentication” in the “Extensions” tab.
  14. From the “Security” tab, select “Domain Admins” and remove the “Enroll” permission.
  15. From the “Security” tab, select “Enterprise Admins” and remove the “Enroll” permission.
  16. From the “Security” tab, add the SCCM server computer account and grant it the “Enroll” permission.
  17. From the “Request Handling” tab, select “Allow private key to be exported” and click “OK”.
  18. From the Certificate Services console, right-click on “Certificate Templates” → “New” → “Certificate Template to Issue”.
  19. Select “ConfigMgr 2012 R2 AMT Provisioning” and click “OK”.
  20. In “Certificate Templates”, verify that “ConfigMgr 2012 R2 AMT Provisioning” has been added.
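A check for both templates created above (the AMT Client Configuration template and the AMT Provisioning template), added here as an example and not part of the original post: it reads each template back from the configuration partition with ADSI and compares the application policy OIDs, validity period, “Publish certificate in Active Directory” flag and subject name source with what the two procedures set. The template short names are assumptions; replace them with the names you typed in step 4.

```powershell
# Added example (not from the original post). Template names below are assumptions.
$expected = @{
    'AMTClientConfigurationCertificate' = @{
        Eku = '1.3.6.1.5.5.7.3.1', '2.16.840.1.113741.1.2.1', '2.16.840.1.113741.1.2.2'
        SubjectSuppliedInRequest = $true     # "Supply in the request"
    }
    'ConfigMgr2012R2AMTProvisioning' = @{
        Eku = '1.3.6.1.5.5.7.3.1', '2.16.840.1.113741.1.2.3'   # Server Authentication + AMT Provisioning
        SubjectSuppliedInRequest = $false    # "Build from this Active Directory information"
    }
}

# Templates live in the configuration partition, not in a domain partition
$cfg       = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"

foreach ($name in $expected.Keys) {
    $want     = $expected[$name]
    $tpl      = [ADSI]"LDAP://CN=$name,$container"
    $problems = @()

    # Application policies (EKU) must be exactly the set the procedure added
    $eku = @($tpl.Properties['pKIExtendedKeyUsage']) | Sort-Object
    if (Compare-Object $eku ($want.Eku | Sort-Object)) { $problems += "EKU is [$($eku -join ', ')]" }

    # pKIExpirationPeriod is a negative count of 100-ns ticks; the procedure chose 5 years
    $ticks = -[BitConverter]::ToInt64([byte[]]$tpl.Properties['pKIExpirationPeriod'].Value, 0)
    $years = [TimeSpan]::FromTicks($ticks).TotalDays / 365.25
    if ([math]::Round($years) -ne 5) { $problems += "validity is $([math]::Round($years, 1)) years" }

    # flags bit 0x8 = "Publish certificate in Active Directory", which must be unchecked
    if (([int]$tpl.Properties['flags'].Value) -band 0x8) { $problems += 'publishes to AD' }

    # msPKI-Certificate-Name-Flag bit 0x1 = "Supply in the request"
    $supplied = (([int]$tpl.Properties['msPKI-Certificate-Name-Flag'].Value) -band 0x1) -ne 0
    if ($supplied -ne $want.SubjectSuppliedInRequest) { $problems += "subject supplied in request = $supplied" }

    if ($problems) { Write-Warning "$name : $($problems -join '; ')" } else { Write-Host "$name OK" }
}
```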


Installation of AMT Provisioning certificate

  1. On the Configuration Manager primary site server that manages out-of-band management, run “mmc” from the Run window.
  2. Click on [File], then on [Add/Remove Snap-in].
  3. Select [Certificates] from the available snap-ins, then click on [Add].
  4. Select [Computer account] and click on [Next].
  5. Select [Local computer: the computer this console is running on] and click on [Finish].
  6. Click on [OK].
  7. From [Console Root]-[Certificates]-[Personal]-[Certificates], click on [Request New Certificate].
  8. Click on [Next], then [Next].
  9. Select [ConfigMgr 2012 R2 AMT Provisioning] and click on [Enroll].
  10. Once the enrollment is done, click on [Finish].
  11. Verify that the new certificate is listed in the console.


Export of AMT Provisioning certificate

  1. On the Configuration Manager primary site server that manages out-of-band management, run “mmc” from the Run window.
  2. Click on [File], then on [Add/Remove Snap-in].
  3. Select [Certificates] from the available snap-ins, then click on [Add].
  4. Select [Computer account] and click on [Next].
  5. Select [Local computer: the computer this console is running on], click on [Finish], then click on [OK].
  6. From [Console Root]-[Certificates]-[Personal]-[Certificates], right-click on the AMT Provisioning certificate and click on [All Tasks]-[Export].
  7. Click on [Next].
  8. Select [Yes, export the private key], then click [Next].
  9. Select [Personal Information Exchange – PKCS #12 (.PFX)], then check [Include all certificates in the certification path if possible] and [Export all extended properties].
  10. Check [Password], then type a password twice. Click on [Next].
  11. Select the path to export the certificate to and click on [Next].
  12. Click on [Finish] and [OK].
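The installation and export procedures above done from PowerShell on the site server (PKI module, Windows Server 2012 R2), added here as an example and not part of the original post. Between the two steps it checks that the issued certificate actually carries the AMT Provisioning and Server Authentication application policies, which is the property Intel SCS relies on and which the MMC list in step 11 does not show. The template short name and the export path are assumptions.

```powershell
# Added example (not from the original post). Values marked "assumption" are mine.
$templateName = 'ConfigMgr2012R2AMTProvisioning'   # assumption: short name of the template
$pfxPath      = 'C:\Temp\AMTProvisioning.pfx'      # assumption: export location

# Installation: enroll the computer account against the template (MMC steps 7-10)
$result = Get-Certificate -Template $templateName -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') { throw "Enrollment did not complete: status is $($result.Status)" }
$cert = $result.Certificate

# Verification: the Enhanced Key Usage extension must list AMT Provisioning
# (2.16.840.1.113741.1.2.3) and Server Authentication (1.3.6.1.5.5.7.3.1)
$ekuExt  = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
foreach ($required in '2.16.840.1.113741.1.2.3', '1.3.6.1.5.5.7.3.1') {
    if ($ekuOids -notcontains $required) { throw "Issued certificate lacks application policy $required" }
}
Write-Host "Issued $($cert.Subject) thumbprint $($cert.Thumbprint), EKU OK"

# Export: PFX with the private key and the whole chain, protected by a prompted password
# (fails if "Allow private key to be exported" was not set on the template)
$password = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password -ChainOption BuildChain | Out-Null

# Sanity check on the file: same thumbprint and the private key really came along
$pfx = Get-PfxData -FilePath $pfxPath -Password $password
$end = $pfx.EndEntityCertificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $end -or -not $end.HasPrivateKey) { throw 'Exported PFX does not contain the certificate with its private key' }
Write-Host "Exported to $pfxPath with $($pfx.OtherCertificates.Count) chain certificate(s)"
```

The PFX is the file the next part imports into Intel SCS, so keep the password and file under the same protection you would give a CA-issued server key.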