Intel® Setup and Configuration Service (Intel® SCS) Release Notes Version 7.1 Document Release Date: June 23, 2011

INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.

UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR.

Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined." Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information.

The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order.

Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or go to: http://www.intel.com/design/literature.htm.

Intel® Active Management Technology requires activation and a system with a corporate network connection, an Intel® AMT-enabled chipset, network hardware and software. For notebooks, Intel AMT may be unavailable or limited over a host OS-based VPN, when connecting wirelessly, on battery power, sleeping, hibernating or powered off. Results dependent upon hardware, setup & configuration. For more information, visit http://www.intel.com/technology/platform-technology/intel-amt.

Intel® vPro™ Technology is sophisticated and requires setup and activation. Availability of features and results will depend upon the setup and configuration of your hardware, software and IT environment. To learn more visit: http://www.intel.com/technology/vpro.

Systems using Client Initiated Remote Access require wired LAN connectivity and may not be available in public hot spots or "click to accept" locations. For more information on CIRA, visit http://software.intel.com/en-us/articles/fast-call-for-help-overview.

Intel, the Intel logo, and Intel vPro, are trademarks of Intel Corporation in the U.S. and/or other countries.

Microsoft, Windows, and the Windows logo are trademarks, or registered trademarks of Microsoft Corporation in the U.S. and/or other countries.

* Other names and brands may be claimed as the property of others.

Copyright © 2006–2011, Intel Corporation. All rights reserved.

Table of Contents

1 Introduction
1.1 Intel SCS Components
1.2 Supported Operating Systems

2 New Features of Intel SCS 7.1
2.1 Profile Version Validation
2.2 Migration Utilities
2.3 Improvements to Workgroup Support
2.4 Running the RCS Using the Network Service Account
2.5 Host-based Configuration Using RCS Credentials on CA/AD
2.6 Changes to Certificate Common Names and Subject Name
2.7 Import PSK Keys Option in ACU Wizard
2.8 Changes to Dedicated Network Settings
2.9 Static IP Settings in One Touch Configuration (PSK)

3 New Features from Intel SCS 7.0
3.1 System Discovery
3.2 Host Based Configuration Method
3.3 Unified Configuration Process
3.4 Digest Master Password
3.5 Configuration with Kerberos Admin Users
3.6 Delta Configuration
3.7 New Options to Define the FQDN Source
3.8 Support for Shared FQDN and Dynamic DNS
3.9 Support for Predefined Files Instead of a CA Request
3.10 Manual Configuration USB File for Multiple Systems
3.11 Other New Features

4 Changes from Earlier Intel SCS Versions
4.1 Changes to the Intel SCS Components
4.2 Changes to Data Storage
4.3 Changes to the Intel SCS Architecture
4.4 Other Changes
4.5 Unsupported Options from Earlier Versions of Intel SCS

5 Resolved Issues

6 Known Issues

1 Introduction

This document describes new features and changes made in version 7.1 of the Intel® Setup and Configuration Service (Intel® SCS). The Intel SCS lets you configure computers to use Intel® Active Management Technology (Intel® AMT).

1.1 Intel SCS Components

This diagram shows the main components of Intel SCS 7.1 and how they can be used to configure Intel AMT systems.

Figure 1. Intel SCS Components

Intel SCS 7.1 includes these components:

• Intel AMT Configuration Utility — A GUI application, referred to as the ACU Wizard. You can run the ACU Wizard on Intel AMT systems to configure them locally or send configuration requests to the RCS. You can also use the ACU Wizard to define settings to use when configuring multiple systems.

• Configuration Profiles — XML files that contain the configuration settings for the Intel AMT devices. You can create and edit profiles using the ACU Wizard.

• Configurator — A Command Line Interface (CLI) application that runs locally on the Intel AMT system. You can use the Configurator to configure the system locally or send a configuration request to the RCS.

• Remote Configuration Service (RCS) — A Windows service (RCSServer) that runs on a computer in the network. The RCS processes requests sent from the ACU Wizard or the Configurator. This is the only Intel SCS component that requires installation.

1.2 Supported Operating Systems

This table describes on which operating systems the Intel SCS components can run.

Table 1. Supported Operating Systems

| Version | ACU Wizard ¹ | Configurator | RCS ² |
|---|---|---|---|
| Windows* XP Professional x32 (SP3) | Yes | Yes | Yes |
| Windows 7 Professional x32/x64 | Yes | Yes | Yes |
| Windows 7 Ultimate x64 | Yes | Yes | Yes |
| Windows 7 Enterprise x32 | Yes | Yes | Yes |
| Windows Vista* x32 | Yes | Yes | No |
| Windows Server* 2008 x32/64 | Yes ³ | No | Yes |
| Windows Server 2008 R2 | Yes ³ | No | Yes |
| Windows Server 2003 x32/x64 (SP2) | Yes ³ | No | Yes |
| Windows Home Server | Yes ³ | No | Yes |

¹ The ACU Wizard also requires Microsoft .NET Framework version 2.0 (SP1) or higher installed on the computer.

² The RCS also requires Microsoft .NET Framework version 3.0 (SP1) or higher installed on the computer.

³ You cannot use the ACU Wizard to configure Intel AMT on computers that have these operating systems. But, you can define settings to use when configuring other systems that have one of the operating systems supported by the Configurator.

* Other names and brands may be claimed as the property of others.

Note:

• The Intel SCS components can run on operating systems (listed in Table 3) installed with these languages: Czech, Danish, Dutch, English, Finnish, French, German, Greek, Hungarian, Italian, Japanese, Korean, Norwegian, Polish, Portuguese, Portuguese-Brazilian, Russian, Simplified Chinese, Spanish, Swedish, Traditional Chinese, Turkish.

• The Intel SCS does not support Non-Latin or Extended Latin characters in filenames or values in the XML files.

2 New Features of Intel SCS 7.1

This section describes new features and changes included in Intel SCS 7.1. For full information about a feature, refer to the Intel® Setup and Configuration Service User Guide.

2.1 Profile Version Validation

Configuration profiles now contain an <SCSVersion> tag. This tag, with the format A.B.C.D, defines the version of the Intel SCS to which the XML profile is applicable. Each Intel SCS component (Configurator, RCS, and ACU Wizard) does a check of the value of this tag when using an XML profile. If the values of A and B in the tag are not the same as the values of the component version:

• The Configurator and RCS return error messages (error code 38)

• The ACU Wizard does not show the XML profile in the Profile Designer window

For example, profiles created using ACU Wizard version 7.0.x.x cannot be used by Configurator/RCS/ACU Wizard versions 7.1.x.x.
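The check described in this section can be reproduced before a deployment package is built, so that incompatible profiles are caught early instead of failing on the endpoint with error code 38. The following is an added example, not Intel SCS code: only the <SCSVersion> tag and its A.B.C.D format come from these release notes, while the root element, the other tags, the file names and the function names are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET

VERSION_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")

# Constructed sample profiles (not real Intel SCS profiles).
SAMPLE_PROFILES = {
    "hbc-current.xml": "<Configuration><SCSVersion>7.1.0.12</SCSVersion>"
                       "<ProfileName>hbc</ProfileName></Configuration>",
    "hbc-old.xml": "<Configuration><SCSVersion>7.0.3.1</SCSVersion></Configuration>",
    "namespaced.xml": '<Configuration xmlns="urn:example:profile">'
                      "<SCSVersion>7.1.2.0</SCSVersion></Configuration>",
    "no-version.xml": "<Configuration><ProfileName>x</ProfileName></Configuration>",
    "short-version.xml": "<Configuration><SCSVersion>7.1</SCSVersion></Configuration>",
    "doctype.xml": '<!DOCTYPE Configuration [<!ENTITY a "b">]>'
                   "<Configuration><SCSVersion>7.1.0.0</SCSVersion></Configuration>",
}


def parse_version(text):
    """Turn 'A.B.C.D' into a tuple of four ints, or raise ValueError."""
    value = (text or "").strip()
    if not VERSION_RE.fullmatch(value):
        raise ValueError(f"version is not in A.B.C.D form: {value!r}")
    return tuple(int(part) for part in value.split("."))


def read_scs_version(xml_text):
    """Return the profile's SCSVersion as a tuple, or raise ValueError."""
    # A settings file has no need for a DOCTYPE; refusing it keeps
    # entity-expansion input away from the parser.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DOCTYPE declarations are not accepted")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    # Compare local names so a default namespace does not hide the tag.
    found = [el.text for el in root.iter()
             if el.tag.rsplit("}", 1)[-1] == "SCSVersion"]
    if len(found) != 1:
        raise ValueError(f"expected one <SCSVersion> tag, found {len(found)}")
    return parse_version(found[0])


def check_profile(xml_text, component_version):
    """Return (status, detail); status is 'ok', 'mismatch' or 'unreadable'."""
    component = parse_version(component_version)
    try:
        profile = read_scs_version(xml_text)
    except ValueError as exc:
        return "unreadable", str(exc)
    # Only A and B take part in the comparison; C and D may differ.
    if profile[:2] != component[:2]:
        return "mismatch", (f"profile {profile[0]}.{profile[1]}.x.x vs "
                            f"component {component[0]}.{component[1]}.x.x")
    return "ok", ".".join(str(n) for n in profile)


def audit(profiles, component_version):
    """Map each profile name to its status for one component version."""
    return {name: check_profile(text, component_version)[0]
            for name, text in sorted(profiles.items())}


if __name__ == "__main__":
    for name, text in sorted(SAMPLE_PROFILES.items()):
        print(name, *check_profile(text, "7.1.0.0"))
```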

2.2 Migration Utilities

Intel SCS 7.1 now includes two migration utilities:

• SCSMigration.exe — Use this utility to migrate data (including profiles) from Intel SCS 5.x/6.x and Intel SCS Lite to Intel SCS 7.1. For more information, see the Intel(R)_SCS_Migration.pdf located in the RCS\RCS_Data_Migration folder.

• ProfilesConverter.exe — Use this utility to convert Intel SCS 7.0 XML configuration profiles to the format used by Intel SCS 7.1. ProfilesConverter.exe is located in the ACU_Configurator\XML_Profile_Conversion folder.

Note: The ProfilesConverter.exe utility only converts profiles that were created to use with the host-based configuration method. Profiles located in the RCS are automatically converted when you upgrade from Intel SCS 7.0. Profiles that were exported from Intel SCS 7.0 to use with the unified configuration process, must be re-exported from Intel SCS 7.1.

2.3 Improvements to Workgroup Support

The Configurator can now use the credentials of a Domain user to connect to an Active Directory, even when configuring systems in a Workgroup.

For more information, see the Support for a Workgroup Environment section of the Intel® Setup and Configuration Service User Guide.

2.4 Running the RCS Using the Network Service Account

The Windows operating system includes a built-in security account named “Network Service”. During installation of the RCS you can now select this account to run the RCS. When the RCS runs under this account, the RCS communicates on the network using the credentials of the computer. This can increase security because it is not easy to impersonate a computer.

For more information, see the Installing the RCS and Using the Network Service Account sections of the Intel® Setup and Configuration Service User Guide.

2.5 Host-based Configuration Using RCS Credentials on CA/AD

By default, when using the host-based configuration method the Configurator does all the configuration tasks. This includes connecting to the Certification Authority (CA) and the Active Directory (AD) if necessary. If you do not want to give the Configurator permissions on the CA or the AD, you can now use the RCS. If you select this option, the Configurator sends the request to the RCS. The RCS communicates with the AD/CA and sends the data returned by the AD/CA back to the Configurator. The Configurator then does the necessary configuration in the Intel AMT device.

To use this option:

1. Define the profile in the RCS.

2. Export the profile to an XML file, and in the Credentials section select this option: The user running the RCS.

For more information, see the Exporting Profiles from the RCS section of the Intel® Setup and Configuration Service User Guide.

2.6 Changes to Certificate Common Names and Subject Name

In previous versions of Intel SCS, all the Common Names (CNs) defined for a specific setting were included in the Subject Name of the generated certificate. The Intel SCS sent the CNs to the Certification Authority (CA) in the order defined in the profile. But, there was no guarantee that the CA would put them in the certificate in the order they were sent. Thus, Intel SCS could not guarantee which CN would be the first CN in the Subject Name field. The format of the first CN in the Subject Name field of a certificate is a critical requirement for some authentication servers.

To solve this problem, the Intel SCS now tells the CA to put only one specific CN in the Subject Name field. Then the Intel SCS tells the CA to put all the CNs defined for the setting in the Subject Alternative Name field. You can now use the “User-defined CNs” option to define a specific CN for the Subject Name field.

For more information, see the Defining Common Names in the Certificate section of the Intel® Setup and Configuration Service User Guide.

2.7 Import PSK Keys Option in ACU Wizard

The Intel SCS 5.x and 6.x Consoles included an option to import PSK keys from a file supplied by a manufacturer. This option has been added to the ACU Wizard of Intel SCS 7.1 (it was not available in the ACU Wizard of Intel SCS 7.0).

For more information, see the Importing PSK Keys from a File section of the Intel® Setup and Configuration Service User Guide.

2.8 Changes to Dedicated Network Settings

Intel SCS 7.0 included a new option that let you set a specific IP and/or FQDN in the Intel AMT device. The implementation of this option, and how you define the IP and FQDN related settings in the device, have been made easier in Intel SCS 7.1.

When you use the ACU Wizard to configure a single system the implementation has not changed. You can still set these values “on the fly” during configuration.

For multiple systems all settings related to the IP and FQDN of the device are now defined in the profile. The name and location of the (optional) dedicated network settings file is now defined in the /NetworkSettingsFile parameter of all the relevant Configurator CLI commands.

For more information, see the Defining IP and FQDN Settings section of the Intel® Setup and Configuration Service User Guide.

2.9 Static IP Settings in One Touch Configuration (PSK)

The Configurator CLI CreatePSK command is used to prepare Intel AMT systems for configuration using the One Touch Configuration (PSK) method. The command creates a file that contains a TLS-PSK pair. New parameters were added to this command that let you add IP settings to this file. When the system is rebooted with a USB key containing the file, the pair and the IP settings are put in the MEBx of the system.

Note: By default, the file is created in a version (1.0) supported from Intel AMT 2.1 and higher. If you use the new parameters, the file is created in a version (2.1) that is supported only from Intel AMT 4.0 and higher.

Table 2. New CreatePSK Parameters

| Parameter | Description |
|---|---|
| /UsingDhcp | Sets the DHCP mode to enabled in the MEBx |
| /LocalHostIp <ip> | The static IP address (IPV4) to set in the MEBx. If you supply this parameter, the /SubnetMaskIp parameter is mandatory (the remaining static IP parameters are optional). Note: Static IP settings can only be set in a device that is in a fully unconfigured state before rebooting with the USB key. |
| /SubnetMaskIp <subnet_mask> | The subnet mask static IP address to set in the MEBx |
| /GatewayAddrIp <ip> | The default gateway static IP address to set in the MEBx |
| /DnsAddrIp <ip> | The preferred DNS static IP address to set in the MEBx |
| /SecondaryDnsAddrIp <ip> | An alternate DNS static IP address to set in the MEBx |
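A deployment script can check a planned CreatePSK parameter set against the rules stated in this section before any USB key is written. The following is an added example, not part of Intel SCS: the parameter names, the file versions and the minimum Intel AMT versions are taken from the text above, while the function names and the IPv4 and subnet-mask syntax checks are assumptions that go beyond what the release notes state.

```python
import ipaddress

STATIC_IP_PARAMS = ("/LocalHostIp", "/SubnetMaskIp", "/GatewayAddrIp",
                    "/DnsAddrIp", "/SecondaryDnsAddrIp")
NEW_PARAMS = ("/UsingDhcp",) + STATIC_IP_PARAMS

# (file version, minimum Intel AMT version), as given in the note above.
DEFAULT_FILE = ("1.0", (2, 1))
EXTENDED_FILE = ("2.1", (4, 0))


def is_ipv4(value):
    """True for a dotted-quad IPv4 address given as a string."""
    if not isinstance(value, str):
        return False
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def is_contiguous_mask(value):
    """True for a subnet mask whose one-bits are all on the left."""
    if not is_ipv4(value):
        return False
    mask = int(ipaddress.IPv4Address(value))
    inverted = ~mask & 0xFFFFFFFF
    # A valid mask inverts to 0...01...1, so adding 1 clears every set bit.
    return mask != 0 and (inverted & (inverted + 1)) == 0


def check_createpsk(params, amt_version):
    """Return (file_version, problems) for a planned parameter set.

    params maps parameter names to values (None for the /UsingDhcp flag);
    amt_version is the (major, minor) Intel AMT version of the target.
    """
    problems = []
    uses_new = any(name in params for name in NEW_PARAMS)
    file_version, min_amt = EXTENDED_FILE if uses_new else DEFAULT_FILE
    if tuple(amt_version) < min_amt:
        problems.append(
            f"file version {file_version} needs Intel AMT "
            f"{min_amt[0]}.{min_amt[1]} or higher, target is "
            f"{amt_version[0]}.{amt_version[1]}")
    if "/LocalHostIp" in params and "/SubnetMaskIp" not in params:
        problems.append("/LocalHostIp requires /SubnetMaskIp")
    for name in STATIC_IP_PARAMS:
        if name not in params:
            continue
        if name == "/SubnetMaskIp":
            valid = is_contiguous_mask(params[name])
        else:
            valid = is_ipv4(params[name])
        if not valid:
            problems.append(f"{name}: {params[name]!r} is not a valid value")
    return file_version, problems


if __name__ == "__main__":
    # Constructed plan using documentation-range addresses.
    plan = {"/LocalHostIp": "192.0.2.10", "/GatewayAddrIp": "192.0.2.1"}
    print(check_createpsk(plan, (3, 0)))
```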

3 New Features from Intel SCS 7.0

This section describes features, included in Intel SCS 7.1, that were introduced in Intel SCS 7.0. For full information about a feature, refer to the Intel® Setup and Configuration Service User Guide.

3.1 System Discovery

The new System Discovery feature lets you get data about Intel AMT from systems in your network. This data can help organizations to decide how to configure and use Intel AMT in their network. System Discovery is included in Intel SCS 7.1 as:

• A command option in the Configurator component (SystemDiscovery)

• A standalone utility, located in the SCS_Discovery folder

The data is saved in an XML file and/or in the registry of the system. The data can then be collected using third-party hardware and software inventory applications.

The data is saved in the registry of each system at:

• 32-bit and 64-bit operating systems: HKLM\SOFTWARE\Intel\SCS7.0\System_Discovery

• In addition, on 64-bit operating systems: HKLM\SOFTWARE\Wow6432Node\Intel\SCS7.0\System_Discovery

For information about the data format, see the “System Discovery Data Format” section of the SCS_Discovery\Intel(R)_SCS_7.1_Discovery.pdf.

3.2 Host Based Configuration Method

Intel SCS now supports the new host-based configuration method available from Intel AMT 6.2 and higher. This method lets the Configurator, running locally on the Intel AMT system, configure the Intel AMT device. Configuration is done with an XML configuration profile. The Configurator and the profile can be sent to the Intel AMT systems in a deployment package and run with a script.

3.3 Unified Configuration Process

The “Unified Configuration” process lets you define one deployment package to configure all Intel AMT versions in your network. The Intel SCS automatically uses the necessary configuration method for each Intel AMT device.

The Unified Configuration process uses two copies of the same XML profile:

• The first copy is created and stored in the RCS. This copy is used by the RCS to remotely configure devices that do not support host-based configuration.

• The second copy is “exported” from the RCS and must be included in the deployment package. This copy is used by the Configurator to locally configure devices that support host-based configuration. This copy also includes data (added during export) about the RCS and the required control mode for the Intel AMT device.

Figure 2. Unified Configuration Process

Table 3. Steps in the Unified Configuration Process

• A script or a batch file runs the Configurator locally on the Intel AMT system. The Configurator examines the Intel AMT device to find if it supports host-based configuration.

  Note: The name of the command to run is “ConfigAMT”. You can also use the unified configuration process to do maintenance tasks using the “MaintainAMT” command.

• The Configurator examines the settings in the profile sent in the deployment package.

This step occurs if the Intel AMT device supports host-based configuration and “Client Control” mode is defined in the profile.

• The Configurator activates Intel AMT on the device and puts the device in Client Control mode. The Configurator uses the local profile to define the settings in the Intel AMT device. All configuration is done locally.

These steps occur if the Intel AMT device supports host-based configuration and “Admin Control” mode is defined in the profile.

• The Configurator sends a request to the RCS to “Setup” the Intel AMT device.

  Note: The device must have a TLS-PSK key or must be configured for remote configuration with PKI.

• The RCS activates Intel AMT on the device and puts the device in Admin Control mode.

• The Configurator uses the local profile to define the settings in the Intel AMT device. All configuration is done locally.

These steps occur for all Intel AMT devices that do not support host-based configuration.

• The Configurator sends a configuration request to the RCS.

  Note: The device must have a TLS-PSK key or must be configured for remote configuration with PKI.

• The RCS gets the configuration settings from the profile stored in the RCS.

• The RCS uses the profile stored in the RCS to define the settings in the Intel AMT device. All configuration is done remotely.

3.4 Digest Master Password

Each Intel AMT device contains a predefined administrative user named “admin”, referred to as the default admin user. Intel AMT uses the HTTP Digest authentication method to authenticate the default admin user. The default admin user:

• Has access to all the Intel AMT features and settings on the device

• Is not contained in the Access Control List with other Digest users, and cannot be deleted

Thus, for security reasons it is important how you define the password for this user (even if you do not use it). The Digest Master Password feature of Intel SCS is an additional method for defining the password of the default admin user.

The RCS calculates a different (unique) password for each device using a secret key (known as the “Digest Master Password”) and system-specific data from each device. The RCS does not need to save these admin passwords because they can be recalculated when necessary. After configuration, applications that need to use the default admin user must recalculate the password themselves or ask the RCS to calculate it for them.
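These release notes do not say how the RCS calculates the password, so the following added example is an illustration of the idea and not Intel's algorithm: it uses HMAC-SHA256 as a stand-in keyed derivation to show why nothing needs to be stored and why one device's password does not reveal another's. The function names, the `default-admin` label, the use of a system UUID as the "system-specific data" and all sample values are assumptions.

```python
import base64
import hashlib
import hmac

# Constructed fleet: host name -> system UUID (sample values only).
SAMPLE_FLEET = {
    "pc-001": "4c4c4544-0042-3510-8052-b4c04f4e4331",
    "pc-002": "4c4c4544-0042-3510-8052-b4c04f4e4332",
    "pc-003": "4c4c4544-0042-3510-8052-b4c04f4e4333",
}


def canonical_device_id(device_uuid):
    """Normalise the device data so every caller feeds identical bytes.

    Without this step an inventory tool that reports the UUID in upper
    case would derive a different password than the configuring service.
    """
    cleaned = device_uuid.strip().lower().replace("{", "").replace("}", "")
    return cleaned.encode("ascii")


def derive_admin_password(master_secret, device_uuid, length=24):
    """Recompute the per-device password from the master secret."""
    if len(master_secret) < 16:
        raise ValueError("master secret is too short to protect a fleet")
    # The label separates this use of the secret from any other use.
    message = b"default-admin\x00" + canonical_device_id(device_uuid)
    mac = hmac.new(master_secret, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii")[:length]


def verify_admin_password(master_secret, device_uuid, candidate):
    """Check a candidate without storing or logging the real password."""
    expected = derive_admin_password(master_secret, device_uuid)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), candidate.encode())


def fleet_passwords(master_secret, fleet):
    """Derive the password of every device; nothing is persisted."""
    return {host: derive_admin_password(master_secret, uuid)
            for host, uuid in fleet.items()}


def rotation_impact(old_secret, new_secret, fleet):
    """List hosts whose password changes when the master secret rotates."""
    old = fleet_passwords(old_secret, fleet)
    new = fleet_passwords(new_secret, fleet)
    return sorted(host for host in fleet if old[host] != new[host])


if __name__ == "__main__":
    secret = b"constructed-master-secret-0001"
    for host, password in fleet_passwords(secret, SAMPLE_FLEET).items():
        print(host, password)
```

Because every device password depends on the one secret, the master secret deserves the protection of the whole fleet: anyone who holds it, and knows a device's system data, can recompute that device's admin password.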

3.5 Configuration with Kerberos Admin Users

If your network has Active Directory (AD), you can now define your own administrative user in the device that will be authenticated using Kerberos. You can then use this user instead of the default admin user.

These are the necessary steps if you want to use a Kerberos admin user:

1. Define an AD user in the Intel AMT device with the PT Administration realm.

2. Define a password for the default admin user. The application communicating with the Intel AMT device using the AD user will not use or require this password.

3. Run the Configurator/RCS using the credentials of the user defined in step 1.

3.6 Delta Configuration

Intel SCS can now configure Intel AMT settings without deleting or changing Intel AMT settings defined by a third-party application. This is done using the Profile Scope window of the Configuration Profile Wizard. Only settings defined in the Profile Scope window will be changed on the systems during configuration. All other settings will stay in their current condition on the systems. Thus you can use a profile:

• To configure systems without making changes to Intel AMT settings configured using third-party applications

• To make changes to specific Intel AMT settings on configured systems

3.7 New Options to Define the FQDN Source

Intel SCS includes new options for defining how the FQDN (hostname.suffix) for the Intel AMT device is constructed:

• Primary DNS FQDN — The hostname part of the FQDN is the hostname from the host operating system. The suffix is the “Primary DNS Suffix” from the host operating system. This is the default setting, and is correct for most network environments.

• On-board LAN connection-specific DNS FQDN — The hostname part of the FQDN is the hostname from the host operating system. The suffix is the “Connection-specific DNS Suffix” of the onboard wired LAN interface.

• Host Name — Takes the host name from the operating system. The suffix is blank.

• Active Directory FQDN — The hostname part of the FQDN is the hostname from the host operating system. The suffix is the AD domain of which the host operating system is a member.

• DNS Look Up FQDN — Takes the name returned by an “nslookup” on the IP address of the onboard wired LAN interface.

• File — See “Changes to Dedicated Network Settings” on page 6.

Note: The System Discovery feature (see “System Discovery” on page 8) gets data about the host network configuration. This data can help you decide which FQDN option is correct for your network.

3.8 Support for Shared FQDN and Dynamic DNS

Intel SCS now includes support for these features that are available from Intel AMT 6.0 and higher:

• Shared FQDN — This setting can change the behavior of the Intel AMT device when using option 81 of the DHCP server to update DNS:

    • When this setting is true, the Intel AMT device will send broadcast queries only when the operating system is not running. This is the default behavior of all Intel AMT versions that do not support the Shared FQDN setting.

    • When this setting is false, the device will always send its own broadcast queries, even when the operating system is running.

• Intel AMT Dynamic DNS Update (DDNS Update) Client — When enabled, this client can periodically update the DNS with the FQDN and IP address configured in the Intel AMT device. Intel AMT will send DDNS Updates based on the policy configured in the DHCP server returned in the DHCP option 81 flags. Before Intel AMT 6.0, Intel AMT was only capable of using the DHCP option 81 to request that the DHCP server update the DNS on its behalf.

3.9 Support for Predefined Files Instead of a CA Request

Usually, during configuration of Intel AMT features defined to use certificate-based authentication, the Intel SCS requests the certificate from a CA. To do this, the Intel SCS component (Configurator, RCS, or ACU Wizard) configuring the Intel AMT device must have access to the CA during configuration. However, in some network environments the CA cannot be accessed from all computers.

The new host-based configuration method supplies a solution to this problem. When defining certificate-based authentication, you can now use predefined certificate and private key files (used for the encryption).

3.10 Manual Configuration USB File for Multiple Systems

The ACU Wizard component has a new option to create a USB key for manual configuration of multiple systems. This option can be used to configure systems that have Intel AMT 6.0 and higher. When prepared for systems that have Intel AMT 7.0 and higher, the data in the USB key is “scrambled” so it cannot easily be read.

3.11 Other New Features

• You can now define which interfaces (operating system/BIOS) are available to the user in the Fast Call for Help feature (Intel AMT 4.0 and higher).

• Support for the redirection and user consent settings in manual configuration.

• The certificate enrollment flow does not expose the private key to software (Intel AMT 7.0 and higher only).

• Support for shared static IPv4 address synchronization (Intel AMT 7.0 and higher only).

• The exe and dll files of the Intel SCS components are now digitally signed. (By default, Configurator CLI commands authenticate the signature of the ACU.dll.)

• Most Intel AMT features can now be configured in a peer-to-peer network (Workgroup).

4 Changes from Earlier Intel SCS Versions

This section describes the main changes made to Intel SCS 7.x from earlier versions of the Intel SCS.

4.1 Changes to the Intel SCS Components

Intel SCS 7.x includes new components and changes to how the components work together to configure Intel AMT. These are the main changes made to the components of previous versions of the Intel SCS:

• Service — In Intel SCS 5.x and 6.0, the Service was the main component and was necessary for most of the configuration methods. In Intel SCS 7.x, the Service (named RCS) is not necessary for systems that support the host-based configuration method.

• Intel® vPro™ Technology Activator Utility — This component has been replaced by the Configurator. The Configurator is now the main component of Intel SCS 7.x.

• Database — See “Changes to Data Storage” on page 15.

• Console — In Intel SCS 7.x, a “Console” is not necessary. This table shows how the tasks that were done from the Console are now done in Intel SCS 7.x:

Table 4. Console Tasks and Intel SCS 7.x

| Task in the Console | Intel SCS 7.x |
|---|---|
| Define profiles | Configuration profiles are now XML files. You can create profiles using the ACU Wizard. |
| Define TLS-PSK keys | TLS-PSK keys are now created by the Configurator on the Intel AMT system and then sent to the RCS. |
| Operations on Intel AMT systems | All configuration requests to the RCS are sent from the Intel AMT system using the Configurator. |
| Define maintenance policies | The RCS does not include maintenance policies (see “Changes to the Intel SCS Architecture” on page 16). |
| Define users and roles | Users and roles are not used in Intel SCS 7.x. However, applications and users must have the necessary permissions on the Intel AMT system and/or the RCS. |
| View logs | Logs of events and operations done by the RCS are now kept in a log file in the RCSConfServer folder. Each time the log file (RCSLog.log) becomes too large, or the RCS is restarted, the file content is moved to a new file with this format: RCSLog.logYYYY-MM-DD-HH-MI-SS.log. |

4.2 Changes to Data Storage

In Intel SCS 5.x and 6.x, data was kept in a central SQL database that was used by the Service and Console components. Intel SCS 7.x does not use an SQL database or require one to be installed. The data used by the RCS component of Intel SCS 7.x is kept in these files:

• Profile.xml — The configuration profiles

• PSKsStorage.dat — TLS-PSK keys (for the One Touch Configuration method)

• DMP.dat — Digest Master Passwords. This file only exists if at some time the RCS was set to use the Digest Master Password option.

• scsadmin.dat — Contains a record for each system configured using Intel SCS 5.x/6.x and the password of its default Digest admin user. This file only exists if the admin passwords were migrated from Intel SCS 5.x/6.x.

In previous versions of the Intel SCS, the SQL database also included:

• Passwords for Intel AMT “admin” users

• Configuration requests

• Information about the Intel AMT systems

• Logs

• Users

Because of changes to the Intel SCS 7.x components and their roles, Intel SCS 7.x does not keep this data.

In organizations where Intel SCS 5.x/6.x or Intel SCS Lite is operating, some of the data must be moved to files that the Intel SCS 7.x can use. Intel SCS 7.x includes a migration utility that can do this task. For more information, see the Intel(R)_SCS_Migration.pdf in the RCS\Migration_Utilities folder.

Note: In Intel SCS Lite, the data was kept in XML files, but the format is not the same as the Intel SCS 7.1 XML format.

4.3 Changes to the Intel SCS Architecture

These changes were made to the Intel SCS architecture:

• Intel SCS 7.x does not use the Microsoft Internet Information Services (IIS) or require it to be installed.

• In Intel SCS 5.x, communication with the Service was done by sending XML format messages using the Simple Object Access Protocol (SOAP). In Intel SCS 7.x, the API used to communicate with the Service (RCS component) uses Windows Management Instrumentation (WMI).

• In Intel SCS 5.x, all requests from applications to the Service were first sent to an SQL database. The Service then used a “queuing mechanism” to process the requests. In Intel SCS 7.x, this mechanism was removed. All requests to the Service are now sent directly to the Service (RCS).

• In Intel SCS 7.x, the Service can process a maximum of 200 requests at the same time (200 concurrent threads). This number might be less when using a CA or Active Directory. If a request cannot be processed (because all threads are being used), the Service returns a “Server too busy” error (0x80041045). It is now the responsibility of the person/application that sends a request to the Service to make sure the request was processed.

• In Intel SCS 5.x and 6.0, “maintenance policies” were defined in the Console and the Service processed them on the systems automatically. In Intel SCS 7.x, it is now the responsibility of the person/application that manages the systems to schedule and send maintenance requests to the systems. You can do this using the Configurator CLI commands (MaintainAMT or MaintainViaRCSOnly).

Note: The RCS was tested on an Intel® Core™ i3 multi processor computer with 4 GB of RAM. Using this hardware configuration, the RCS successfully configured 1000 systems with a full configuration profile in less than an hour. During the tests, the RCS (RCSServer.exe) used between 1 GB and 2 GB of RAM.

4.4 Other Changes

• Scripts — Intel SCS 7.x continues to support remote configuration using scripts and “Hello” messages. If you use this method, you will need to change the script that you use. For more information, and a sample script, refer to the Remote Configuration Using Scripts section of the Intel® Setup and Configuration Service User Guide.

• AD Integration — Integration with Active Directory is now defined at the profile level (not in the Service Settings). For Intel SCS 5.x, this change is automatically made by the migration utility.

• One Time Password — This option is only used with the Remote Configuration (PKI) method. If selected, the RCS will start configuration only after the Intel AMT device authenticates itself to the RCS with the OTP created by the Configurator. For increased security, in Intel SCS 7.x this option is now used by default. If you do not want to use it, you must change the default RCS settings.

4.5 Unsupported Options from Earlier Versions of Intel SCS

• Pending Requests — Certification Authorities include settings that define how they handle certificate requests. Intel SCS 7.x does not support pending certificate requests. If during configuration the CA puts the certificate into the “Pending Requests” state, the Intel SCS returns an error (#35). Thus, you must make sure that the CA and the templates used by the Intel SCS are not defined to put certificate requests into a pending state.

• Order of Common Names (CNs) — The format of the first CN in the Subject Name of generated certificates is no longer defined in “Service Settings”. Instead, you can define the CNs in the profile. The order of CNs cannot be defined. To put a specific CN in the Subject Name field, use the “User-defined CNs” option. For more information, see “Changes to Certificate Common Names and Subject Name” on page 5.

• Intel SCS 7.x does not support these options that were available in Intel SCS 5.x:

  • FQDN Validation — This option was located in the configuration profile Domains window. When selected, the Intel SCS would not configure an Intel AMT system unless it had an FQDN that matched a Domain that was marked as “permitted for configuration”. In version 7.x of the Intel SCS, you must ensure that you enter the correct home domains in the Home Domains window.

  • Use VLAN — This option was located in the configuration profile Advanced profile settings window. In version 7.x of the Intel SCS, Virtual LANs are not supported.

  • Encryption Mode Options — To improve and simplify the setup and configuration process, the encryption mode options have been removed from the advanced profile settings. If your environment includes crypto disabled computers, create a configuration profile (without TLS) specifically for them.

5 Resolved Issues

This table describes known issues from Intel SCS version 7.0 that have been resolved in version 7.1 of the Intel SCS.

Table 5. Known Issues

| Internal Tracking Number | Description |
|---|---|
| 2841869 | When configuration failed because the “Delta” profile did not contain the admin password, the Intel SCS returned an incorrect error. |
| 2841868 | If several PSKs existed in the RCS database with the same PID, but only one of them had the correct password in the newMebxPassword field, the configuration might fail. |
| 2841855 | System Discovery returned an incorrect return code (0) when it failed to complete DNS lookup. |
| 2841697 | The RCS log records did not include a unique identifier for the Intel AMT system (such as UUID). |
| 2841362 | When creating a USB key for multiple systems, the password in the Old MEBx Password field was shown on the screen. |

6 Known Issues

This table describes known issues with version 7.1 of the Intel SCS. Note that the numbers in brackets refer to the internal tracking numbers used in Intel SCS 7.0.

Table 6. Known Issues

| Internal Tracking Number | Description | Impact / Solution |
|---|---|---|
| 2842221 | The Configurator does not block the MoveToACM command on systems with Intel AMT 6.2. The Configurator incorrectly tries to do the operation. The returned error message does not explain that this operation is not supported. | The MoveToACM command is only supported from Intel AMT 7.0 and higher. |
| 2842216 | In the 802.1x Setup window, selecting the EAP (GTC) protocol correctly disables the option to edit the trusted root certificate (Edit List button). But, changing back to a protocol that requires a trusted root certificate does not enable the button. This only occurs if a trusted root certificate was already defined. | Close and reopen the 802.1x Setup window to enable the Edit List button. |
| 2842214 | The Migration Complete window of the migration utility shows that migration of PSK keys failed but does not explain the reason. This can occur when selecting to migrate PSK keys from a database that does not contain PSK records. | Migration of this data failed because no data was found in the database. |
| 2842213 | In the System Settings window of the ACU Wizard, clearing the KVM Redirection check box does not disable the KVM Settings button. | When the check box is cleared, settings defined using the KVM Redirection button are not saved in the profile. |
| 2842211 | The SQL data window of the migration utility includes an option to use Windows NT authentication to connect to the Intel SCS 5.x/6.x database. If the user running the migration utility does not have permissions on the database, an incorrect message is returned: “could not connect to the database server”. | This is the correct message: “Database login failure” |
| 2842207 | The override default settings check box in the Configure via Windows window is incorrectly enabled for Intel AMT 6.1 and lower systems. This can only occur when the Profile.xml file used by the ACU Wizard was exported from the RCS (unified configuration process). | Do not use this option to make changes to network settings for Intel AMT 6.1 and lower systems. |
| 2842205 | The WiFi Setup window of the ACU Wizard incorrectly lets you define 802.1x Setups with the same name (using the Add button). This only occurs if you add the second 802.1x Setup without first closing the WiFi Setup window. | You cannot save a profile that contains 802.1x Setups with the same name. You must edit one of the 802.1x Setups and change the value in the Setup Name field. |
| 2842201 | When running the SystemDiscovery CLI command and DNS lookup fails, the error contains duplicate messages. | Ignore the duplicate message. |
| 2842199 | When using the /NetworkSettings option to define the FQDN and using a file that does not contain the FQDN, an incorrect error message is returned. The error message states that the “NetworkSettings file was not given” even though the file was supplied. | If this message is returned and you defined the source of FQDN to be from a dedicated network settings file, make sure that the file contains the FQDN. |
| 2842194 | Trying to configure a different ADOU without using the /ADOU parameter correctly returns an error message that the AD object could not be created. But, this message is returned three times instead of one time. | Ignore the duplicate messages. |
| 2842173 | For some Intel AMT systems, selecting the Configure/Unconfigure option in the Welcome window of the ACU Wizard returns an incorrect error message. The message incorrectly states that the system does not support Intel AMT. This can only occur on Intel AMT 5.x or lower when Intel AMT is disabled in the MEBx. | Use the Configurator CLI to configure the system, or enable Intel AMT in the MEBx. |
| 2842041 | When running the ACU Wizard outside of the domain, you cannot select an Active Directory user or group in the Access Control List. | Run the ACU Wizard from a computer that is in the domain. |
| 2842027 | When running the migration utility under a user without the necessary permissions to access the source data files, this incorrect message is shown: “One or more fields are invalid or incomplete”. | If you see this message, make sure that the user running the migration utility has the necessary permissions (see the Intel(R)_SCS_Migration.pdf). |
| 2842022 | When using the migration utility to migrate profiles that contain invalid passwords, the error message does not specify which password is invalid. | Before starting the migration utility, use the Intel SCS 5.x/6.x GUI to make sure that all the passwords in the profiles are valid. |
| 2841906 (2840561) | The Intel SCS does not block Non-Latin and Extended Latin characters in file names or values in the XML files. | The Intel AMT device does not support Non-Latin or Extended Latin characters in ACL Digest user names or WiFi profile names. The Configurator will complete the configuration but without configuring these settings. |
| 2841902 | The ACU Wizard lets you open an XML profile that contains duplicate boolean flags but does not give a warning. | The value of the second boolean flag is shown in the GUI. If you manually create an XML file, make sure it does not contain duplicate flags. |
| 2841900 (2841600) | The MoveToACM command is not supported if the RCS is installed on a computer running Windows Server 2003 or Windows XP Professional. | Install the RCS on one of the other operating systems that can run the RCS (see Table 1). |
| 2841896 (2841844) | Installation of the RCS creates an additional empty registry key “HKLM\SOFTWARE\Intel\Intel(R) Setup and Configuration Service\7.0.0”. | This registry key is not used by the RCS component, but is necessary for the InstallShield* Wizard. |
| 2841893 | When modifying an installation of the RCS, the InstallShield wizard creates some temporary files but does not delete them. | The temporary files (*.rra) are not deleted from the Service folder. |
| 2841889 | When trying to load an XML profile in the ACU Wizard without the necessary permissions, this incorrect error message is shown: “XML not in correct format. Reason: Access is denied”. | If you see this message, make sure that the user running the ACU Wizard has the necessary permissions on the XML file. |
| 2841885 | The ACU Wizard fails to configure a system if the Profile.xml file contains the <RCSParameters> tag and is “read only”. A message is shown stating that “access to the path is denied”. | If you export a profile from the RCS to use with the ACU Wizard, make sure that it is NOT defined as read only. |
| 2841875 (2841687) | If the RCS crashes, some systems fail configuration with an incorrect message: “The SSL handshake failed due to incorrect PSK settings”. | Send the configuration request to the RCS again. |
| 2841874 (2840551) | After starting the RCS, the first WMI call sometimes fails with an exception. | Ignore the first WMI call. |
| 2840547 (2841872) | When configuring a system with a USB key, the ACU Wizard shows KVM options for some systems that do not support the feature. | The KVM setting is ignored and the system is configured correctly. |
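Three of the known issues above concern the profile XML file itself (2841902, 2841906 and 2841885) and can be checked before a profile is handed to the ACU Wizard or Configurator. The Python linter below is an added example, not part of Intel SCS or of the original release notes. Apart from <RCSParameters>, the tag names in its constructed sample are hypothetical, and it flags every value outside Basic Latin because the notes do not name the tags that hold Digest user names or WiFi profile names.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample; tag names other than <RCSParameters> are hypothetical.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="utf-8"?>
<Profile>
  <RCSParameters/>
  <KVMEnabled>true</KVMEnabled>
  <KVMEnabled>false</KVMEnabled>
  <DigestUser><Name>J\u00f6rg</Name></DigestUser>
</Profile>
"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # strip a namespace: '{urn:x}Name' -> 'Name'

def non_basic_latin(text):
    return any(ord(ch) > 0x7F for ch in text or "")

def lint_profile(path):
    """Return findings for one profile XML file, in document order."""
    findings = []
    root = ET.parse(path).getroot()
    for elem in root.iter():
        name = local(elem.tag)
        # 2841902: the same boolean flag repeated under one parent.
        flags = Counter(local(c.tag) for c in elem
                        if (c.text or "").strip().lower() in ("true", "false"))
        for tag, count in flags.items():
            if count > 1:
                findings.append(f"duplicate-flag: <{tag}> x{count} in <{name}>")
        # 2841906: element text or attribute outside Basic Latin (ASCII).
        if any(non_basic_latin(v) for v in [elem.text, *elem.attrib.values()]):
            findings.append(f"non-latin: value in <{name}>")
    if non_basic_latin(os.path.basename(path)):
        findings.append("non-latin: file name")
    # 2841885: <RCSParameters> present while the file is read-only.
    has_rcs = any(local(e.tag) == "RCSParameters" for e in root.iter())
    if has_rcs and not os.stat(path).st_mode & stat.S_IWRITE:
        findings.append("read-only: profile contains <RCSParameters>")
    return findings

def lint_sample(read_only=True):
    """Write SAMPLE_PROFILE to a temporary Profile.xml and lint it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Profile.xml")
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(SAMPLE_PROFILE)
        os.chmod(path, stat.S_IREAD if read_only else stat.S_IREAD | stat.S_IWRITE)
        try:
            return lint_profile(path)
        finally:
            os.chmod(path, stat.S_IREAD | stat.S_IWRITE)  # allow cleanup

if __name__ == "__main__":
    print("\n".join(lint_sample()))
```

The read-only test reads the file mode bits rather than probing write access, so the result is the same when the linter runs under an administrative account.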