- No category
advertisement
6
Using the Configurator
This chapter describes how to use the Configurator.
For more information, see:
•
•
•
•
•
Verifying the Status of an Intel AMT System
•
•
•
Configuring a System Using a USB Key
•
Maintaining Configured Systems
•
Unconfiguring Intel AMT Systems
•
Running Scripts with the Configurator
Intel
®
AMT Configuration Utility User Guide 78
Chapter 6 • Using the Configurator
About the Configurator
The Command Line Interface (CLI) of the Configurator component lets you automatically do tasks on multiple Intel AMT systems. The Configurator can be run locally on the Intel AMT system using a script or a batch file.
The Configurator (ACUConfig.exe) is located in the Configurator folder.
Note: The Configurator folder also contains dll files that are necessary for the
Configurator to operate.
CLI Syntax
The Configurator CLI is not case-sensitive. To view a list of the available CLI commands, type ACUConfig (with no parameters) and press <Enter>.
Note: This guide only includes commands related to the configuration methods that are supported by the Configuration Utility. The syntax and descriptions of the commands in this guide include only the parameters that are supported by the Configuration Utility.
For information about the full list of commands and parameters, supported by Intel SCS refer to the Intel(R)_SCS_8.2_User_Guide.pdf
This is the general syntax:
ACUConfig.exe [global options] command [command arguments and options]
To view syntax of a specific command, type the command name followed by “/?”.
These conventions are used in the command syntax of the examples:
• Optional parameters are enclosed in square brackets [ ]
• User defined variables are enclosed in angled brackets < >
• Mutually exclusive parameters are separated with a pipe |
• Where necessary, braces { } are used to group elements together to eliminate ambiguity in the syntax.
Note: The CLI does not support passwords that start with a forward slash (/).
Intel
®
AMT Configuration Utility User Guide 79
Chapter 6 • Using the Configurator
Configurator Log Files
The Configurator records errors and other log messages in two locations:
• In the Windows Event Viewer Application log of the Intel AMT system.
• In a log file. By default:
• A new log file is created each time you run the Configurator. You can use the
/KeepLogFile global option to change this default.
• The log file is saved in the folder where the Configurator is located, and has this format:
ACUlog_HostName_YYYY-MM-DD-HH-MI-SS.Log
For example: ACUlog_ComputerX_2010-05-01-11-05-57.log.
You can use the /Output File global option to change the default name and location of the log file.
CLI Global Options
You can use any of these global options with the CLI commands:
• /LowSecurity — Disables authentication of the ACU.dll digital signature.
For more information, see “Digital Signing of Files” on page 6.
• /Verbose — Creates a detailed log
• /KeepLogFile — Appends the current log to the existing log file
• /Output {Console | File <logfile> | Silent} — Defines where errors and other log messages will be recorded:
• Console — Shows log messages only on the console screen
• File <logfile> — Lets you change the default name and location of the log file. Supply the full path and name for the log file in the <logfile> parameter
• Silent — Do not record any log messages (console or log file)
Note: To save log messages to a file and also display them on the console screen, use the /Output parameter twice.
For example: /Output File <logfile> /Output Console.
Intel
®
AMT Configuration Utility User Guide 80
Chapter 6 • Using the Configurator
Verifying the Status of an Intel AMT System
Command
Description
Syntax
Parameters
[global options]
Status
Provides details about the status of the Intel AMT system
ACUConfig.exe [global options] Status
See
“CLI Global Options” on page 80.
Discovering Systems
Command
Description
Syntax
SystemDiscovery
Gets data from the Intel AMT device and the host platform of the system. The data is saved in an XML file and/or in the registry of the system. The data can then be collected by third-party hardware and software inventory applications.
Intel SCS also includes a standalone System Discovery utility that you can use for this task instead of the Configurator. The utility contains only the
SystemDiscovery command. The utility is located in the SCS_Discovery folder.
The data is saved in the registry of each system at:
• 32-bit and 64-bit operating systems: HKLM\SOFTWARE\Intel\
Setup and Configuration Software\SystemDiscovery
• In addition, on 64-bit operating systems: HKLM\SOFTWARE\Wow6432Node\
Intel\Setup and Configuration Software\SystemDiscovery
For information about the data format, see the “System Discovery Data Format” section of the SCS_Discovery\Intel(R)_SCS_8.2_Discovery.pdf.
For information about how to collect this data from the systems, refer to the documentation of your hardware/software inventory application.
Note: On systems that do not have Intel AMT, this command gets data from the host platform only.
ACUConfig.exe [global options] SystemDiscovery
{ [<filename>] | [/NoFile] } [/NoRegistry] [/AdminPassword <password>]
Parameters
[global options]
See “CLI Global Options” on page 80
Intel
®
AMT Configuration Utility User Guide 81
Chapter 6 • Using the Configurator
<filename>
/NoFile
/NoRegistry
/AdminPassword
<password>
By default, the name of the XML file is the FQDN of the system and it is saved in the same folder as the Configurator. You can change this default name and location by supplying the <filename> parameter.
Example:
SCSDiscovery.exe SystemDiscovery C:\MyXMLFile.xml
This example creates an XML file named “MyXMLFile” in the root of C. In
addition, a log file is created (see “Configurator Log Files” on page 80).
Do not save data in an XML file. If you use this parameter, do not use the
<filename> parameter
Do not save data in the registry of the system
The current password of the default Digest admin user defined in the Intel AMT device. The SystemDiscovery command gets some of the data about Intel AMT using the WS-Man interface. To use this interface, administrator permissions in
Intel AMT are necessary. Without administrator permissions, this data cannot be retrieved and a warning message will be recorded in the log. This parameter is
NOT necessary if one of these are true:
• The device is in an unconfigured state
• The user account running the Configurator is a Kerberos account that is configured in the Intel AMT device with administrator permissions
Configuring Systems
Command
Description
Syntax
Note: The CLI does not support passwords that start with a forward slash (/).
ConfigAMT
Configures the Intel AMT system with settings in a configuration profile (XML file). Configured systems are reconfigured.
ACUConfig.exe [global options] ConfigAMT <filename>
[/DecryptionPassword <password>] [/AbortOnFailure]
[/AdminPassword <password>] [/ADOU <ADOU path>]
[/NetworkSettingsFile <file>]
{ [/FileToRun < filename>] [/FileHash <SHA256 hash>]
[/FileUser <username>] [/FilePassword <password>] }
Intel
®
AMT Configuration Utility User Guide 82
Chapter 6 • Using the Configurator
Parameters
[global options]
<filename>
/DecryptionPassword
<password>
/AbortOnFailure
/AdminPassword
<password>
/ADOU <ADOU path>
/NetworkSettingsFile
<file>
/FileToRun
/FileHash
/FileUser
/FilePassword
See
“CLI Global Options” on page 80
The XML file containing the configuration parameters for this
Intel AMT system
Mandatory if any of the files that the Configurator will use are
encrypted (see “File Encryption” on page 5)
If configuration fails, put the Intel AMT device in the “Not
Provisioned” mode. This parameter is applicable only for systems that were unconfigured when the command started (during reconfiguration this parameter is ignored).
The current password of the default Digest admin user defined in the
Intel AMT device. This parameter is NOT necessary if one of these are true:
• The device is in an unconfigured state
• The XML profile contains the Digest admin password
• The user account running the Configurator is a Kerberos account that is configured in the Intel AMT device with administrator permissions
The path to the Active Directory Organizational Unit (ADOU) containing the AD object of configured systems. If this parameter is supplied, the Configurator will delete the existing AD object representing the system. A new AD object is created in the ADOU defined in the configuration profile.
The path to a file that contains the network settings (FQDN and/or IP) to put in the Intel AMT device. Only use this parameter if you defined the source for at least one of these settings as a dedicated network settings
file. For more information, see “Defining IP and FQDN Settings” on page 75.
The Configurator can use these parameters to run a script after the
ConfigAMT command has completed successfully. For more information, see
“Running Scripts with the Configurator” on page 91.
Intel
®
AMT Configuration Utility User Guide 83
Chapter 6 • Using the Configurator
Configuring a System Using a USB Key
Command
Description
Syntax
Note: The CLI does not support passwords that start with a forward slash (/).
ConfigViaUSB
Creates a file containing configuration settings. When the Intel AMT system is rebooted with a USB key containing this file, Intel AMT is
configured on the system. For more information, see “SMB/Manual
The Configurator does not restrict the size of USB key you can use. But, the computer BIOS must fully support the selected USB key and be able to do a reboot from it.
Note:
• The settings you can define are limited. If additional settings are required, they must be performed by a third-party application.
• This command puts the Intel AMT device in the Admin Control mode
(see
• You can use this option to define certain KVM parameters not available in Client Control.
ACUConfig.exe [global options] ConfigViaUSB
{/NewMEBxPass <password>} [/CurrentMEBxPass <password>]
[/OutputFile <filename>] [/PowerPackage <guid>] {{/UsingDhcp}|
{/HostName <host_name> /DomainName <domain_name>
/LocalHostIp <ip> /SubnetMaskIp <subnet_mask>
[/GatewayAddrIp <ip> ] [/DnsAddrIp <ip>]
[/SecondaryDnsAddrIp <ip>]}} [/EnableKVM <false | true>]
[/EnableUserConsent <none | kvm_only | all_redirection>]
[/EnableRemoteITConsent <false | true>]
Parameters
[global options]
/NewMEBxPass
<password>
/CurrentMEBxPass
<password>
/PowerPackage <guid>
See
“CLI Global Options” on page 80
has already been changed from the default of “admin”.
The current Intel MEBX password. The default password of unconfigured systems is “admin”. This parameter is not required for systems that have the default password.
Power Package GUID (see
“Power Package GUIDs” on page 86)
Intel
®
AMT Configuration Utility User Guide 84
Chapter 6 • Using the Configurator
/OutputFile <filename> The name of the file and the path to the location where you want to save it. If this parameter is not used, by default the file is created in the same folder as the Configurator. The file must be named Setup.bin and must be placed in the root folder of the USB key.
To make sure that Setup.bin is the first file that the BIOS will find during reboot (requirement), format the USB key before creating/copying the file. If the Intel AMT system does not successfully reboot with the USB key you prepared, try this:
• Make sure that the file name starts with a capital “S”
• Format the USB key using FAT16
Note:
• The Setup.bin file is NOT encrypted so make sure that you restrict access to it.
• After configuration the Configurator deletes the data it contains. This means that you must create a new file for each system you want to configure.
• The Configurator overwrites any existing file with the same name without giving a warning.
Sets the DHCP mode to enabled in the Intel MEBX
Intel AMT system hostname (1 – 32 characters)
Intel AMT system domain name (0 – 63 characters)
/UsingDhcp
/HostName <host_name>
/DomainName
<domain_name>
/LocalHostIp <ip> The IP address (IPV4) to set in the Intel MEBX. If you supply this parameter, the /SubnetMaskIp parameter is mandatory (the remaining
IP parameters are optional).
The subnet mask IP address to set in the Intel MEBX /SubnetMaskIp
<subnet_mask>
/GatewayAddrIp <ip>
/DnsAddrIp <ip>
The default gateway IP address to set in the Intel MEBX
The preferred DNS IP address to set in the Intel MEBX
/SecondaryDnsAddrIp <ip> An alternate DNS IP address to set in the Intel MEBX
/EnableKVM <false | true> Enable/Disable support for KVM redirection.
Note: This parameter is mandatory on systems with Intel AMT 6.0 and higher. If you do not supply it, configuration will fail on those systems.
/EnableUserConsent
<none | kvm_only | all_redirection>
Defines for which redirection operations user consent is mandatory.
For more information, see
Note: You can use the “all_redirection” option only on systems with
Intel AMT 7.x and higher.
/EnableRemote ITConsent
<false | true>
Defines if it is permitted to remotely make changes to the user consent setting in the Intel AMT device
Intel
®
AMT Configuration Utility User Guide 85
Chapter 6 • Using the Configurator
Power Package GUIDs
The optional “/PowerPackage” parameter enables you to define power management settings of the Intel AMT device during manual configuration. If not supplied, the default power settings defined by the manufacturer are used. This table gives the GUID values (in Hex 32 character format) per Intel AMT version.
Table 7. Power Package GUIDs
Supported Power Package GUID (Hex 32)
Intel AMT 8.x / 7.x /6.x (mobile)
ON in S0
ON in S0, ME Wake in S3/AC,
S4-5/AC
763997110B56504388709812F391B560
30800DEE09C07843AF287868A2DBBE3A
Intel AMT 8.x / 7.x /6.x (desktop)
ON in S0 944F8312FB104FDC968E1E232B0C9065
ON in S0, ME Wake in S3,S4-5
Intel AMT 5.x (desktop)
7322734623DC432FA98A13D37982D855
ON in S0
ON in S0, S3
ON in S0, S3, S4-5
ON in S0, ME WoL in S3
ON in S0, ME WoL in S3, S4-5
ON in S0, S3, S4-5, OFF After
Power Loss
ON in S0, ME WoL in S3,S4-5,
OFF After Power Loss
944F8312FB104FDC968E1E232B0C9065
A18600AB9A7F4C42A6E6BB243A295D9E
7286ABAC96B448E29B9E9B7DF91C7FD4
7B32CD4D6BBE4389A62A4D7BD8DBD026
7322734623DC432FA98A13D37982D855
C519A4BA6E6F8D4DB227517F7E4595DB
D60BE3ED04C52C46B772D18018EE2FC4
Intel AMT 4.x (mobile)
ON in S0
ON in S0, S3/AC
ON in S0, S3/AC, S4-5/AC
ON in S0, ME Wake in S3/AC
ON in S0, ME Wake in S3/AC,
S4-5/AC
763997110B56504388709812F391B560
26D31C768708C74BBB5F38744315A5FF
530E08DB6C0FD948B2D28958D3F1156E
055DD5B64CA4874DA5A8B47C14DEDA5F
30800DEE09C07843AF287868A2DBBE3A
Intel
®
AMT Configuration Utility User Guide 86
Chapter 6 • Using the Configurator
Maintaining Configured Systems
Command
Description
Syntax
Note: The CLI does not support passwords that start with a forward slash (/).
MaintainAMT
Performs specific maintenance tasks based on settings in the <filename>
XML file. For more information about maintaining Intel AMT, see
“Maintenance Policies for Intel AMT” on page 12.
ACUConfig.exe [global options] MaintainAMT <filename>
<task> [<task>...] [/DecryptionPassword <password>]
[/AdminPassword <password>] [/NetworkSettingsFile <file>]
{ [/FileToRun < filename>] [/FileHash <SHA256 hash>]
[/FileUser <username>] [/FilePassword <password>] }
Parameters
[global options]
<filename>
<task>
/DecryptionPassword
<password>
See
“CLI Global Options” on page 80
The XML file containing the original configuration settings that were used to configure the Intel AMT system. Settings in the XML file not related to the specified maintenance tasks are ignored.
Define at least one of these maintenance tasks:
• SyncAMTTime — Synchronize the clock of the Intel AMT device with the clock of the host. This task is performed automatically when any of the other tasks are performed.
• SyncNetworkSettings — Synchronize network settings of the Intel AMT device as defined in the <NetworkSettings> tag of the <filename> XML file (see
“Defining IP and FQDN Settings” on page 75)
• ReissueCertificates — Reissue the certificates stored in the Intel AMT device. If the device contains 802.1x certificates, the RenewADPassword task is automatically done as well.
• RenewADPassword — Change the password of the Active Directory object representing the Intel AMT system.
• RenewAdminPassword — Changes the password of the default Digest admin user in the Intel AMT device according to the password setting defined in the profile.
• AutoMaintain — Automatically does only the maintenance tasks (listed here) that are necessary for this Intel AMT system. For more information, see
“Automating the Maintenance Tasks” on page 14.
Mandatory if any of the files that the Configurator will use are encrypted
(see “File Encryption” on page 5)
Intel
®
AMT Configuration Utility User Guide 87
Chapter 6 • Using the Configurator
/AdminPassword
<password>
/NetworkSettingsFile
<file>
/FileToRun
/FileHash
/FileUser
/FilePassword
The current password of the default Digest admin user defined in the
Intel AMT device. This parameter is NOT necessary if one of these are true:
• The XML profile contains the Digest admin password
• The user account running the Configurator is a Kerberos account that is configured in the Intel AMT device with administrator permissions
The path to a file that contains the network settings (FQDN and/or IP) to put in the Intel AMT device. Only use this parameter if you defined the source for at least one of these settings as a dedicated network settings file. For more information, see
“Defining IP and FQDN Settings” on page 75.
The Configurator can use these parameters to run a script after the
MaintainAMT command has completed successfully. For more information,
see “Running Scripts with the Configurator” on page 91.
Intel
®
AMT Configuration Utility User Guide 88
Chapter 6 • Using the Configurator
Unconfiguring Intel AMT Systems
Command
Description
Syntax
Note: The CLI does not support passwords that start with a forward slash (/).
Parameters
[global options]
/AdminPassword
<password>
/Full
Unconfigure
Unconfigures Intel AMT features on configured Intel AMT systems.
There are two types of unconfiguration:
• Partial — Removes the configuration settings from the system and disables the Intel AMT features on the system. The PID, PPS, admin
ACL settings, host name, and domain name are not deleted. Note that if the manufacturer defined the SOL and IDE interfaces to be closed by default, then a partial configuration operation will close them and they cannot be reopened without physical access to the Intel MEBX. This is a known Firmware limitation.
• Full — Deletes all the Intel AMT settings from the system and disables the Intel AMT features on the system.
Note:
• Systems in Client Control mode are always unconfigured with a “Full” unconfiguration.
• The default unconfiguration type for systems in Admin Control mode is “Partial”.
ACUConfig.exe [global options] UnConfigure
[/AdminPassword <password>] [/Full] [/ADOU <ADOU path>]
{[/DomainUser <username>] [/DomainUserPassword <password>]}
[/SourceForAMTName <source>] [/NetworkSettingsFile <file>]
See
“CLI Global Options” on page 80
The current password of the default Digest admin user defined in the
Intel AMT device. This parameter is NOT necessary if one of these are true:
• The XML profile contains the Digest admin password
• The user account running the Configurator is a Kerberos account that is configured in the Intel AMT device with administrator permissions
For systems in Admin Control mode, does a full unconfiguration (the default is partial unconfiguration)
Intel
®
AMT Configuration Utility User Guide 89
Chapter 6 • Using the Configurator
/ADOU <ADOU path> During unconfiguration, the Configurator deletes the Active Directory
(AD) object that was created to represent the Intel AMT system. (The object was created by Intel SCS only if AD integration was enabled.) By default, the Configurator uses the settings configured in the Intel AMT device to find the location of the AD Organizational Unit (ADOU) containing the object. In large enterprise networks the search for the
ADOU can take some time.
If you supply this parameter, the Configurator will only look for the object in the Organizational Unit that you define in <ADOU path>.
/DomainUser <username> The name (in the format domain\username) of a domain user with permissions to delete the AD object representing the Intel AMT system.
If you supply this parameter, the AD object is deleted using the credentials of this user. By default, the credentials of the user running the Configurator are used to delete the AD object.
The password of the domain user /DomainUserPassword
<password>
/SourceForAMTName
<source>
Defines how the FQDN (hostname.suffix) for the Intel AMT device is constructed. Valid values:
• DNS — The hostname part of the FQDN is the hostname from the host operating system. The suffix is the “Primary DNS Suffix” from the host operating system. This is the default setting, and is correct for most network environments
• SpecificDNS — The hostname part of the FQDN is the hostname from the host operating system. The suffix is the “Connection-specific DNS
Suffix” of the onboard wired LAN interface.
• AD — The hostname part of the FQDN is the hostname from the host operating system. The suffix is the AD domain of which the host operating system is a member.
• DNSLOOKUP — Takes the FQDN returned by an “nslookup” on the
IP address of the onboard wired LAN interface.
• HOST — Takes the hostname from the host operating system. The suffix is blank.
Note: When this parameter is not supplied, the default source for the
FQDN is “DNS”. However, if the /NetworkSettingsFile parameter is supplied (and FQDN data is included in the file), the FQDN is taken from the file.
/NetworkSettingsFile
<file>
This parameter tells the Configurator to get the IP and/or the FQDN from a dedicated network settings file. For information about the required
XML format, see the NetworkSettings.xml example file located in the
sample_files folder.
Intel
®
AMT Configuration Utility User Guide 90
Chapter 6 • Using the Configurator
Running Scripts with the Configurator
The Configurator includes options that you can use to run scripts. These scripts can be batch files or executables created using scripting languages. Before the script starts to run, the Configurator sends parameter values about the Intel AMT system to the script.
The script can then use these parameter values. For example, you could use a script to send data to your management console about each Intel AMT system after it is configured.
Note: The parameter values are sent as a string. Parameters without values are sent as empty strings. Each parameter value is separated by a space.
Scripts run by the Configurator are only run on Intel AMT systems that support host-based configuration (Intel AMT 6.2 and higher). The script must be put in a location that the Configurator can access from the Intel AMT system. The Configurator can run a script after configuration, reconfiguration, and maintenance operations done with these commands:
• ConfigAMT
• MaintainAMT
This table describes the CLI parameters of these commands used to run scripts.
Table 8. CLI Parameters
Parameter Description
/FileToRun
<filename>
If this parameter is supplied, the Configurator will run this executable file (batch, script, or executable) after the command has completed.
If the /FileToRun parameter is used without the /LowSecurity
global option, the file must be digitally signed (see “Digital
Signing of Files” on page 6). If the file is not signed, the
Configurator will NOT run the CLI command or the file. In addition, if the /LowSecurity parameter is not used, the file must be located in the same folder as the ACUConfig.exe file.
Intel
®
AMT Configuration Utility User Guide 91
Chapter 6 • Using the Configurator
Table 8. CLI Parameters (Continued)
Parameter Description
These additional optional parameters are valid only if /FileToRun was specified:
/FileHash
<SHA256 hash>
When this parameter is supplied, the Configurator runs a hash function on the file supplied in the /FileToRun parameter. The result of the hash function is then compared with the original hash value of the file, supplied in this parameter. If the values of the hashes are different, the Configurator will NOT run the CLI command or the file. (If any change was made to the file, the hash values will not be the same.) Before you can use this option, you must generate a SHA256 hash value from the <filename> file.
The sample_files folder includes an application (SHA256.exe) that you can use to generate the hash value.
For example: SHA256.exe MyFile.bat will return the hash value of MyFile.bat.
The hash value is marked in blue. Copy the value and supply it in the <SHA256 hash> variable.
/FileUser
<username>
/FilePassword
<password>
It is recommended to use this parameter to supply a user with the minimum permissions required to run this file.
Contains the password required to run the file. Valid only if
/FileUser was also specified.
This table describes the parameters and the sequence in which the Configurator sends them to the file that you specify in the /FileToRun parameter.
Table 9. Parameters Sent by the Configurator to the Script
# Description
1 The user defined in the /FileUser parameter*
2 The password defined in the /FilePassword parameter*
3 The hostname defined in the Intel AMT device
4 The FQDN defined in the Intel AMT device
5 The UUID of the Intel AMT device
6 The Intel MEBX password of the Intel AMT device*
7 The password of the default Administrator (“admin”) user in the Intel AMT device*
String Example: fileusername fileuserpassword myhostname myhostname.example.com
88888888-8887-8888-8888-878888888888 mebxpassword adminpassword
(Parameters marked with an asterisk (*) are sent to the script in Base64 format)
Intel
®
AMT Configuration Utility User Guide 92
Chapter 6 • Using the Configurator
What if a Failure Occurs?
Scripts that run after configuration, reconfiguration, and maintenance operations only run if the operation is successful (or completes with warnings).
If a script fails, Intel SCS does not make any changes to the Intel AMT settings set by the operation that ran before the script.
The ConfigAMT command includes a parameter called /AbortOnFailure. This parameter is applicable only for systems that were unconfigured when the command started (during reconfiguration this parameter is ignored). If you supply this parameter, Intel SCS will put the Intel AMT device in the “Not Provisioned” mode (unconfigured) if the post configuration script fails. This means that if the script fails, unconfigured systems that were configured successfully will be automatically unconfigured. Only use this parameter if it is critical that the post configuration script will complete successfully.
Script Runtime and Timeout
The maximum permitted runtime for scripts is 60 seconds. If the script does not complete within 60 seconds, an error is returned. The error is recorded in the log file and will contain an error code (0xC0003EAA) and a description like this:
“The supplied script has not finished in the time-out period defined by Intel
®
SCS”
If your script requires more than 60 seconds to complete, you must make sure that your script returns a success code (0) within 60 seconds. To do this, you can wrap your script with a batch file like this:
Start Myscript.bat %1 %2 ...
Exit 0
If you do this, your script will be responsible to handle any subsequent errors if they are generated by your script. Subsequent script errors will not be recorded in the log.
Parameters Sent in Base64 Format
Some of the parameters sent sent to the script by the Configurator are sent in Base64 format. The number of characters sent in the Base64 value representing the parameter must be divisible by 4. If it is not, additional “=” characters are added to the end of the
Base64 value. For example, if the Base64 value includes only 6 characters two “=” characters are automatically added.
When Base64 values are sent to a batch file, the command line interpreter removes these additional “=” characters. This means that the parameter value cannot be decoded correctly. To solve this problem, add the missing “=” characters to the Base64 value before decoding it.
Intel
®
AMT Configuration Utility User Guide 93
advertisement
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Related manuals
advertisement
Table of contents
- 3 Table of Contents
- 6 Introduction
- 7 About the Intel AMT Environment
- 7 Configuration Methods and Intel AMT Versions
- 8 Host Based Configuration
- 8 SMB/Manual Configuration
- 9 Intel AMT and Security Considerations
- 9 Password Format
- 10 File Encryption
- 11 Digital Signing of Files
- 12 Control Modes
- 12 User Consent
- 13 Recommendations for Secure Deployment
- 13 Security After Configuration
- 14 Access to the Intel MEBX
- 15 Admin Permissions in the Intel AMT Device
- 15 Default Admin User (Digest)
- 15 Defined Passwords
- 15 Random Passwords
- 16 User Defined Admin User (Kerberos)
- 17 Maintenance Policies for Intel AMT
- 17 Synchronizing the Clock
- 18 Synchronizing Network Settings
- 18 Re-issuing Certificates
- 18 Replacing Active Directory Object Passwords
- 19 Changing the ADOU Location
- 19 Changing the Default Admin User Password
- 19 Automating the Maintenance Tasks
- 21 Support for KVM Redirection
- 21 VNC Clients
- 22 Prerequisites
- 23 Getting Started Checklist
- 27 Supported Intel AMT Versions
- 28 Supported Operating Systems
- 29 Support for a Workgroup Environment
- 30 Required User Permissions
- 30 Unconfigured Systems
- 30 Configured Systems
- 31 Quick Start Guide
- 32 Using the Configuration Utility
- 33 Starting the Configuration Utility
- 34 Configuring/Unconfiguring Individual Systems
- 35 Configuring a System
- 37 Defining IP and FQDN for a Single System
- 39 Encrypting the Profile
- 40 SMB/Manual Configuration
- 43 Unconfiguring a System
- 44 Using the Profile Designer
- 45 Defining Manual Configuration (Multiple Systems)
- 47 Defining Configuration Profiles
- 47 About Configuration Profiles
- 48 Creating/Editing Configuration Profiles
- 50 Saving the Configuration Profile
- 51 Defining the Profile Scope
- 52 Defining Profile Optional Settings
- 53 Defining Active Directory Integration
- 54 Defining the Access Control List (ACL)
- 54 Adding a User to the ACL
- 57 Using Access Monitor
- 58 Defining Home Domains
- 59 Defining Remote Access
- 60 Defining Management Presence Servers
- 62 Defining Remote Access Policies
- 63 Defining Trusted Root Certificates
- 65 Defining Transport Layer Security (TLS)
- 67 Defining Advanced Mutual Authentication Settings
- 68 Defining Network Setups
- 70 Creating WiFi Setups
- 72 Creating 802.1x Setups
- 75 Defining End-Point Access Control
- 77 Defining System Settings
- 78 Management Interfaces
- 78 Power Management Settings
- 79 Network Settings
- 80 Defining IP and FQDN Settings
- 83 Using the Configurator
- 84 About the Configurator
- 84 CLI Syntax
- 85 Configurator Log Files
- 85 CLI Global Options
- 86 Verifying the Status of an Intel AMT System
- 86 Discovering Systems
- 87 Configuring Systems
- 89 Configuring a System Using a USB Key
- 91 Power Package GUIDs
- 92 Maintaining Configured Systems
- 94 Unconfiguring Intel AMT Systems
- 96 Running Scripts with the Configurator
- 98 What if a Failure Occurs?
- 98 Script Runtime and Timeout
- 98 Parameters Sent in Base64 Format
- 99 Certification Authorities and Templates
- 99 Standalone or Enterprise CA
- 100 Request Handling
- 101 Required Permissions on the CA
- 101 Defining Enterprise CA Templates
- 106 Defining Common Names in the Certificate
- 106 Default CNs
- 107 User-defined CNs
- 108 Using Predefined Files Instead of a CA Request
- 108 Required Format for Certificate and Key Files
- 109 CRL XML Format
- 110 Troubleshooting
- 111 Configuration Utility Error: “Cannot Configure Intel AMT”
- 111 The Configuration Utility Takes a Long Time to Start
- 112 Problems Using Configuration Utility on a Network Drive
- 112 Remote Connection to Intel AMT Fails
- 113 Error with XML File or Missing SCSVersion Tag
- 113 Reconfiguration of Dedicated IP and FQDN Settings
- 114 Disjointed Namespaces
- 115 Kerberos Authentication Failure
- 115 Error: “Kerberos User is not Permitted to Configure..”
- 116 Error when Removing AD Integration (Error in SetKerberos)
- 116 Failed Certificate Requests via Microsoft CA
- 117 Delta Profile Fails to Configure WiFi Settings
- 117 Disabling the Wireless Interface