
Intel vPro Provisioning Process with Microsoft System Center Configuration Manager SP1

These process flows focus on Advanced Security by enabling Kerberos Authentication and TLS security.

marlee

Presentation Transcript


  1. Intel vPro Provisioning Process with Microsoft System Center Configuration Manager SP1
     These process flows focus on Advanced Security by enabling Kerberos Authentication and TLS security

  2. Purpose of Foils
     • The following foils are intended to show the detailed flow of the Intel vPro Provisioning Process with Microsoft System Center Configuration Manager SP1
     • SCCM Agent Based Provisioning (PKI + FW >=3.2.1)
     • Bare Metal Provisioning (PKI + FW >=3.2.1)
     • Bare Metal Provisioning (PSK + FW <3.2.1)
     • Full UnProvision – Reset to Factory Default
     • Partial UnProvisioning

  3. Agent Based Provisioning (PKI + FW >=3.2.1)
     • Based on policy, the Configuration Manager Agent assesses whether the Client can be provisioned. If it can, the Agent creates a One Time Password (OTP) and sends the OTP to both the OOB Service and the AMT Firmware
     • OOB Service Point secures the connection with the AMT client through the Embedded AMT Self-Signed Certificate and presents the Provisioning Certificate along with the OTP for initial Authentication
     • OOB Service Point sets the Remote Admin and MEBx password (if not changed)
     • OOB Service Point requests a web server certificate on behalf of the AMT client
     • OOB Service Point creates an Object in AD for the vPro Client
     • OOB Service Point pushes the web server certificate to the AMT client
     • OOB Service Point pushes ACL, power schema, and other configuration data to AMT to finalize provisioning

  4. Bare Metal Provisioning (PKI + FW >=3.2.1)
     • Admin imports provisioning data* for the Client being provisioned into ConfigMgr 2007 SP1
     • vPro Client sends a PKI hello packet to the provisioning server (defined firmware schedule)
     • OOB Service Point secures the connection with the AMT client through the Embedded AMT Self-Signed Certificate and presents the Provisioning Certificate for initial Authentication
     • OOB Service Point sets the Remote Admin and MEBx password (if not changed)
     • OOB Service Point requests a web server certificate on behalf of the AMT client
     • OOB Service Point creates an Object in AD for the vPro Client
     • OOB Service Point pushes the web server certificate to the AMT client
     • OOB Service Point pushes ACL, power schema, and other configuration data to AMT to finalize provisioning
     * - The collection of client provisioning data can be automated from the vPro client to SCCM, which requires an OS to run the utility but could be done from a WinPE image

  5. Bare Metal Provisioning (PSK + FW <3.2.1)
     • Admin imports provisioning data* for the Client being provisioned into ConfigMgr 2007 SP1
     • vPro Client sends a PSK hello packet to the provisioning server (defined firmware schedule)
     • OOB Service Point forwards the provisioning request to the Intel WS-MAN Translator
     • The Intel WS-MAN Translator passes the PSK - PID to establish the Secure Connection
     • OOB Service Point sets the Remote Admin and MEBx password, routed through the Intel WS-MAN Translator
     • OOB Service Point requests a web server certificate on behalf of the AMT client
     • OOB Service Point creates an Object in AD for the vPro Client
     • OOB Service Point pushes the web server certificate to the AMT client, routed through the Intel WS-MAN Translator
     • OOB Service Point pushes ACL, power schema, and other configuration data to AMT to finalize provisioning, routed through the Intel WS-MAN Translator
     * - The collection of client provisioning data can be automated from the vPro client to SCCM, which requires an OS to run the utility but could be done from a WinPE image

  6. Full UnProvision – Reset to Factory Default*
     • Using TLS-secured connection and Digest Authentication, OOB SP sends a Full Unprovision command to client
     • OOB Service Point requests revocation of web server certificate of the AMT client
     • OOB Service Point deletes corresponding Object in AD for the vPro Client
     • Management Engine does the following:
        • resets the Remote Admin and MEBx password and deletes all ACL information
        • deletes web server certificate in ME
        • deletes audit policy, and disables auditing
        • deletes provisioning profile such as power schema, wireless profiles, and other configuration data in ME
        • removes HOST Name, Domain Name, Provisioning Server IP and port
        • removes any customer provisioning certificate added to the MEBx
     * - At conclusion of Full Unprovision, client is at Factory Default with the exception of Local Admin password for access through the MEBx

  7. Partial UnProvision
     [Slide graphic labels: AMT Remote Admin Password: #$dR%Y>N&* / AMT Remote Admin Password: admin]
     • Using TLS-secured connection and Digest authentication, OOB SP sends a Partial Unprovision command to client
     • OOB Service Point DOES NOT request revocation of web server certificate of the AMT client
     • OOB Service Point DOES NOT delete corresponding Object in AD for the vPro Client
     • Remote Admin password is set back to default (admin)
     • Management Engine DOES NOT reset the local MEBx password
     • Management Engine DOES NOT delete web server certificate in ME
     • Management Engine DOES NOT clear audit log, delete audit policy, or disable auditing
     • Management Engine DOES NOT remove HOST Name, Domain Name, Provisioning Server IP and port
     • Management Engine deletes provisioning profile such as ACLs, power schema, wireless profiles, and other configuration data in ME
