HP EliteDesk 800 G1 Base Model Small Form Factor PC User Manual Page 30

Using the key
The following are typical stages in the use of a USB drive key:
1. An IT technician inserts a USB drive key into the system hosting the SCS.
2. Through the SCS, the IT technician requests local setup and configuration records.
3. The SCS generates the appropriate passwords and PID/PPS sets and stores them in its database.
4. The SCS writes the passwords and PID/PPS sets to a setup.bin file on the USB drive key.
5. The IT technician takes the USB drive key to the staging area for new Intel AMT platforms and performs the following actions:
   i. Unpack a system and connect it to the network.
   ii. Insert the USB drive key into the system.
   iii. Power on the system.
6. The system BIOS checks for the presence of a USB drive key.
   If a key is detected, the BIOS looks for a setup.bin file; if this file is found, the BIOS continues with Step 7.
   If a key is not detected – or if a key is detected but no setup.bin file is found – the system boots normally; no Intel AMT setup and configuration is performed.
7. The system BIOS displays a message indicating that automatic setup and configuration will occur and takes the following actions:
   i. Read the first available record in the setup.bin file into memory, validate the file header record, locate the next available record, and invalidate the current record so it cannot be used again.
   ii. Place the file’s memory address into the MEBx parameter block.
   iii. Call MEBx.
8. MEBx processes the record from memory.
9. MEBx writes a completion message to be displayed.
10. The IT technician powers down the system. At this time, the system is in the In-Setup phase and is ready to be distributed to the user in an Enterprise mode environment.
11. Return to Step 5 for additional Intel AMT systems.
Note
Refer to the ISV for your SCS for more information on USB drive key setup and configuration.
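Steps 6 and 7 make each record single-use: the BIOS validates the header, takes the first unused record, and invalidates it so the same passwords and PID/PPS set cannot be provisioned to a second system. The following C code is an added example, not HP's or Intel's code, and it models that consume-once logic on an in-memory file image. The header tag, record layout, result codes, function names and the handling of a bad header or an exhausted file are assumptions made for illustration and do not reflect the real setup.bin format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout for illustration only; NOT the real setup.bin format. */
#define DEMO_MAGIC "DEMO"        /* constructed header tag */
#define SECRET_LEN 16            /* stand-in for a password + PID/PPS set */
enum { REC_USED = 0, REC_VALID = 1 };

struct header { char magic[4]; uint8_t record_count; };
struct record { uint8_t state; uint8_t secret[SECRET_LEN]; };

enum result { CONSUMED, NO_RECORD_LEFT, BAD_FILE };

/* Validate the header, copy the first unused record to `out`, then
 * invalidate it in the file image so a second system cannot reuse it. */
enum result consume_next_record(uint8_t *file, size_t len, struct record *out)
{
    struct header h;
    if (file == NULL || out == NULL || len < sizeof h)
        return BAD_FILE;
    memcpy(&h, file, sizeof h);
    if (memcmp(h.magic, DEMO_MAGIC, 4) != 0 ||
        len - sizeof h < (size_t)h.record_count * sizeof(struct record))
        return BAD_FILE;          /* truncated or foreign file: do not provision */

    for (size_t i = 0; i < h.record_count; i++) {
        uint8_t *slot = file + sizeof h + i * sizeof(struct record);
        if (slot[0] != REC_VALID)
            continue;             /* already consumed by an earlier system */
        memcpy(out, slot, sizeof *out);
        /* Invalidate before handing off; wiping the secret as well is this
         * example's choice, so a spent key holds no live credentials. */
        memset(slot, 0, sizeof(struct record));
        return CONSUMED;
    }
    return NO_RECORD_LEFT;        /* every record spent: nothing to provision */
}

/* Constructed sample image: header plus two valid records. */
size_t build_sample(uint8_t *buf)
{
    struct header h = { {'D', 'E', 'M', 'O'}, 2 };
    struct record r[2] = { { REC_VALID, "secret-for-pc-A" },
                           { REC_VALID, "secret-for-pc-B" } };
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, r, sizeof r);
    return sizeof h + sizeof r;
}
```

With the two-record sample image, the first two calls each return a different record and the third reports that nothing is left, which is the point at which the key must be refilled from the SCS.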
Using the TLS-PKI method
Remote provisioning of Intel AMT systems is achieved using the TLS-PKI method.
Note
By default, HP EliteDesk 800 G1 Business PCs are shipped ready for remote provisioning (that is, no changes to the MEBx
are required). The MEBx is pre-configured to support PKI; thus, all that is required to initiate provisioning is an agent that
can be pushed over the network to Intel AMT systems whenever convenient.
TLS-PKI provisioning uses the Public Key Infrastructure with Certificate Hashes (PKI-CH) protocol to maintain security; a DHCP
environment is required.
Thus, no pre-shared key is required with TLS-PKI provisioning; instead, authentication is mutual. The Intel AMT system
maintains default hashes in firmware for a number of certificates; alternatively, you can add your own hashes (see Appendix
D: Supported certificates). Hashes are integrated into the “hello” messages sent to the SCS, which must have compatible
certificates in order for authentication to take place.
Creating a secure connection between the Intel AMT system and SCS requires a certificate, which is used for encryption
rather than authentication. If you do not wish to use a third-party certificate, you can use the SCS to create a self-signed
certificate. The SCS uses the public key from the certificate to encrypt the session key it generates and sends to the Intel
AMT system, which can decrypt the session key using its private key.