Intel vPro Provisioning Process with Microsoft System Center Configuration Manager SP1

Provided by: communiti6


1
Intel vPro Provisioning Process with Microsoft
System Center Configuration Manager SP1
  • These process flows focus on Advanced Security by
    enabling Kerberos Authentication and TLS security

2
Purpose of Foils
  • The following foils are intended to show the
    detailed flow of the Intel vPro Provisioning
    Process with Microsoft System Center
    Configuration Manager SP1
  • SCCM Agent Based Provisioning (PKI FW >3.2.1)
  • Bare Metal Provisioning (PKI FW >3.2.1)
  • Bare Metal Provisioning (PSK FW <3.2.1)
  • Full UnProvision Reset to Factory Default
  • Partial UnProvisioning

3
Agent Based Provisioning (PKI FW >3.2.1)
  • Based on policy, the Configuration Manager Agent
    will assess if the Client can be provisioned.
    If it can, it will create a One Time Password and
    send the OTP to both the OOB Service and into the
    AMT Firmware
  • OOB Service Point secures the connection with the AMT
    client through the Embedded AMT Self-Signed
    Certificate and presents the Provisioning Certificate
    along with the OTP for initial Authentication
  • OOB Service Point sets the Remote Admin and MEBx
    password (if not changed)
  • OOB Service Point requests a web server
    certificate on behalf of the AMT client
  • OOB Service Point creates an Object in AD for the
    vPro Client
  • OOB Service Point pushes web server certificate
    to AMT client
  • OOB Service Point pushes ACL, power schema, and
    other configuration data to AMT to finalize
    provision

4
Bare Metal Provisioning (PKI FW >3.2.1)
  • Admin imports provisioning data for Client being
    provisioned into ConfigMgr 2007 SP1
  • vPro Client sends a PKI hello packet to
    provisioning server (defined firmware schedule)
  • OOB Service Point secures the connection with the AMT
    client through the Embedded AMT Self-Signed Certificate
    and presents the Provisioning Certificate for initial
    Authentication
  • OOB Service Point sets the Remote Admin and MEBx
    password (if not changed)
  • OOB Service Point requests a web server
    certificate on behalf of the AMT client
  • OOB Service Point creates an Object in AD for the
    vPro Client
  • OOB Service Point pushes web server certificate
    to AMT client
  • OOB Service Point pushes ACL, power schema, and
    other configuration data to AMT to finalize
    provision
  • Note: the collection of client provisioning data
    can be automated from the vPro client to SCCM,
    which requires an OS to run the utility but could
    be done from a WinPE image

5
Bare Metal Provisioning (PSK FW <3.2.1)
  • Admin imports provisioning data for Client being
    provisioned into ConfigMgr 2007 SP1
  • vPro Client sends a PSK hello packet to
    provisioning server (defined firmware schedule)
  • OOB Service Point forwards the provisioning
    request to the Intel WS-MAN Translator
  • The Intel WS-MAN Translator passes the PSK - PID
    to establish the Secure Connection
  • OOB Service Point sets Remote Admin and MEBx
    password routed through the Intel WS-MAN
    Translator
  • OOB Service Point requests a web server
    certificate on behalf of the AMT client
  • OOB Service Point creates an Object in AD for the
    vPro Client
  • OOB Service Point pushes web server certificate
    to AMT client routed through the Intel WS-MAN
    Translator
  • OOB Service Point pushes ACL, power schema, and
    other configuration data to AMT to finalize
    provision routed through the Intel WS-MAN
    Translator
  • Note: the collection of client provisioning data
    can be automated from the vPro client to SCCM,
    which requires an OS to run the utility but could
    be done from a WinPE image

6
Full UnProvisioning Reset to Factory Default
  • Using TLS-secured connection and Digest
    Authentication, OOB SP sends a Full Unprovision
    command to client
  • OOB Service Point requests revocation of web
    server certificate of the AMT client
  • OOB Service Point deletes corresponding Object in
    AD for the vPro Client
  • Management Engine does the following:
      • resets the Remote Admin and MEBx password and
        deletes all ACL information
      • deletes web server certificate in ME
      • clears audit log, deletes audit policy, and
        disables auditing
      • deletes provisioning profile such as power
        schema, wireless profiles, and other
        configuration data in ME
      • removes HOST Name, Domain Name, Provisioning
        Server IP and port
  • Note: at the conclusion of Full Unprovision, the client is
    at Factory Default with the exception of the Local
    Admin password for access through the MEBx
7
Partial UnProvisioning
  • Using TLS-secured connection and Digest
    authentication, OOB SP sends a Partial
    Unprovision command to client
  • OOB Service Point DOES NOT request revocation of
    web server certificate of the AMT client
  • OOB Service Point DOES NOT delete corresponding
    Object in AD for the vPro Client
  • Management Engine DOES NOT reset the Remote Admin
    and MEBx password and deletes all ACL information
  • Management Engine DOES NOT delete web server
    certificate in ME
  • Management Engine DOES NOT clear audit log,
    delete audit policy, or disable auditing
  • Management Engine DOES NOT remove HOST Name,
    Domain Name, Provisioning Server IP and port
  • Management Engine deletes provisioning profile
    such as power schema, wireless profiles, and
    other configuration data in ME
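
The Full and Partial UnProvisioning flows differ in what they leave behind in AD and on the CA, so a decommissioning audit can check both. The script below is an added example, not part of the original presentation or of ConfigMgr. The OU, CA config string, client name, the object-name convention and the CommonName-equals-FQDN convention are all assumptions to be replaced with your own values.

```powershell
# Added example: report what remains in AD and on the issuing CA for clients
# that were unprovisioned. Assumptions (not from the slides): AMT objects live
# in $AmtOu and are named after the short host name, each web server
# certificate's CommonName is the client FQDN, and certutil output is English.
param(
    [string[]]$ClientFqdn = @('pc-0001.corp.example'),           # constructed sample
    [string]$AmtOu        = 'OU=AMT,DC=corp,DC=example',         # hypothetical OU
    [string]$CaConfig     = 'ca01.corp.example\Corp-Issuing-CA'  # hypothetical CA
)
Import-Module ActiveDirectory

foreach ($fqdn in $ClientFqdn) {
    $short = $fqdn.Split('.')[0]

    # The object the OOB Service Point created in AD during provisioning.
    $adObject = Get-ADObject -SearchBase $AmtOu -Filter "Name -eq '$short'"

    # Certificates for this CN that are still in the issued state
    # (Disposition 20). Revoked certificates (Disposition 21) are excluded.
    $view = certutil -config $CaConfig -view `
        -restrict "CommonName=$fqdn,Disposition=20" `
        -out "SerialNumber,NotAfter"
    $issued = @($view | Select-String -Pattern 'Serial Number:').Count

    [pscustomobject]@{
        Client           = $fqdn
        AdObjectPresent  = [bool]$adObject
        UnrevokedCerts   = $issued
        # A Full Unprovision should leave no AD object and no unrevoked
        # certificate; a Partial Unprovision leaves both in place.
        MatchesFullReset = (-not $adObject) -and ($issued -eq 0)
    }
}
```

Rows where `MatchesFullReset` is false for hardware that has left service point to a certificate and directory object that still need cleanup.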
