Intel® SCS Add-on 2.1 and SC2012 R2 ConfigMgr Integration (RCS Database mode) – Part 2


RCS Server Installation

As a prerequisite, download the Intel SCS package and the Intel SCS Add-on package from the following links. Copy these packages to the Configuration Manager server where out-of-band management will be configured.

Intel Setup and Configuration Software (Intel SCS) https://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=20921&ProdId=3051&lang=eng

Intel SCS Add-on 2.1 for Microsoft System Center Configuration Manager https://downloadcenter.intel.com/Detail_Desc.aspx?DwnldID=24010

Prerequisites

1. Install Microsoft SQL Server 2008 R2 Native Client, which is a prerequisite of the RCS server. Click [Next].
2. Select [I accept the terms in the license agreement] and click [Next].
3. Click on [Next], then [Next] again.
4. Click on [Install].
5. Click on [Finish].

Installation procedure

1. Run “Intel SCS Installer” and click [Next].
2. Select [I accept the terms of the license agreement] and click on [Next].
3. Select [Remote Configuration Service], [Database Mode] and [Console] then click [Next].
4. For [Username], select [Network Service], then click [Next].
5. Type the SQL Server name in the [SQL Server] field and keep [IntelSCS] in the [Database Name] field. Select [Windows Authentication] as the authentication method for the database. Click on [Next].
※In our lab, SQL Server is located on the SCCM server.
6. Click on [Create Database].
7. Click on [Close].

Post Installation tasks

We have to grant permissions on the SCS database.

1. Run “Microsoft SQL Server Management Studio”, then from [ServerName]-[Security]-[Logins] right-click on “NT AUTHORITY\NETWORK SERVICE” and click on [Properties].
2. Click on [User Mapping], check [Intel SCS] and add [db_datareader] and [db_datawriter] rights. Click on [OK].
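
The same user mapping can be scripted in T-SQL instead of clicking through Management Studio. This is an added example, not part of the original article; it assumes the database kept the name IntelSCS from the installer step and that the NT AUTHORITY\NETWORK SERVICE login already exists on the instance. The two queries at the end list what the service account actually holds, so extra privileges are easy to spot.

```sql
-- Added example (not from the original article).
-- Assumption: the database is named IntelSCS, as kept in the installer step.
USE [IntelSCS];
GO

-- Map the existing login to a database user if the mapping is not there yet.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'NT AUTHORITY\NETWORK SERVICE')
    CREATE USER [NT AUTHORITY\NETWORK SERVICE]
        FOR LOGIN [NT AUTHORITY\NETWORK SERVICE];
GO

-- Add only the two roles selected in [User Mapping].
-- sp_addrolemember is used because it is available on SQL Server 2008 R2 as well.
EXEC sp_addrolemember N'db_datareader', N'NT AUTHORITY\NETWORK SERVICE';
EXEC sp_addrolemember N'db_datawriter', N'NT AUTHORITY\NETWORK SERVICE';
GO

-- Check 1: database roles held by the service account in IntelSCS.
-- The steps above add db_datareader and db_datawriter; any further role
-- (db_owner in particular) is worth reviewing.
SELECT r.name AS database_role
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'NT AUTHORITY\NETWORK SERVICE'
ORDER BY r.name;

-- Check 2: server-level administrator membership (1 = member, 0 = not a member).
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'NT AUTHORITY\NETWORK SERVICE') AS is_sysadmin;
```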

And then we export the encryption key.

1. Run “Intel SCS Console”, click on [Tools].
2. Click on [Tools]-[Settings].
3. Click on the arrow [>].
4. Click on the [Storage] tab and click on the [Export] button.
5. Select the export path and click on [Save].
6. Type a password twice and click [OK].

Definition of “Digest Master Password”

1. Run “Intel SCS Console” then click on [Tools].
2. Click on [Tools]-[Settings].
3. Select the [Security Settings] tab, then click on [Set].
4. Specify a password twice and click [OK].

Adding the AMT Provisioning certificate to the Network Service account.

1. From the Intel SCS source folder, we are going to use “RCSutils.exe”.
2. Run a command prompt as an administrator.
3. Run the following command:
cd /d "D:\Temp\Intel OOB\IntelSCS\Utils"
4. Run the following command:
RCSutils.exe /Certificate Add c:\Temp\AMTProvisioningCert.pfx  Password01
※This is the certificate exported in Part 1.
5. Run the following command:
net stop rcsserver && net start rcsserver
6. Run the following command, which exports information about the certificate to a file:
RCSUtils.exe /certificate view /RCSuser NetworkService /log file C:\rcsout.txt
7. Verify that the certificate has been correctly imported.

Granting permissions on the RCS Server to the CM_AMT account.

1. Run a command prompt as an administrator and run the following command:
RCSutils.exe /Permissions Add MS\CM_AMT /RCSnamespace RCS Editor

Comments (2)

  1. Mike Rudyi says:

    Is it possible to just use the system account (i.e. NetworkService) and not grant permissions on RCS Server to the CM_AMT account?  What is the benefit of using a separate account, or is it a hard requirement?

  2. In my actual configuration (described in this series of articles), the "Intel AMT Remote Configuration Task Sequence" deployed by SCCM is run under the CM_AMT account (as configured in part 1). You can always verify that account by editing the Intel AMT remote configuration task sequence and checking the "Run this step as the following account" field.

    The last command I describe in that Part 2 article is to grant permission to CM_AMT to connect to RCS Server remotely and get the AMT profile. If you used the SCCM Primary site server account in Part 1 instead of CM_AMT, then you will need to grant permissions on RCS Server to that primary site server.

    Using the Network Service account as the RCS Service account is what Intel recommends for security reasons.