About AMT Provisioning for Out of Band Management
Applies To: System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Before AMT-based computers can be managed out of band in Configuration Manager 2007 SP1 and later, they must be provisioned for AMT (set up and configured).
The information in this topic applies only to Configuration Manager 2007 SP1 and later.
AMT provisioning results in the following external interactions between Configuration Manager and the networking infrastructure:
The site server checks the Configuration Manager database to ensure that a public key infrastructure (PKI) certificate with server authentication capability is not already issued to the AMT-based computer. If a certificate is found, it is revoked.
The site server requests one or more PKI certificates from an internal issuing certification authority on behalf of AMT-based computers. In Configuration Manager 2007 SP1 only, a single certificate is requested for server authentication capability. This certificate request contains the FQDN of the computer that will be managed out of band and uses a certificate template that is configured with server authentication capability. Additionally, in Configuration Manager 2007 SP2 and later, if a client certificate has been configured for an 802.1X authenticated network or one or more wireless networks, these certificates are also requested. These certificates also contain the FQDN of the computer that will be managed out of band and use a certificate template that is configured with client authentication capability. The issuing certification authority (CA) server approves the requests, and the certificates are granted to the site server computer.
The AMT-based computers are published as an AMT account to Active Directory Domain Services, with a link to the Windows computer object in Active Directory Domain Services.
A service principal name (SPN) for the AMT-based computers is registered in Active Directory Domain Services so that administrators can connect to them using the out of band management console.
For Configuration Manager 2007 SP2 and later when provisioning in-band, the AMT accounts are automatically added to the security group specified for 802.1X and wireless networks. However, this option is not enabled by default.
Additionally, the following internal interactions occur between Configuration Manager and the nonvolatile random access memory (NVRAM) of the management controller in the AMT-based computer, after the out of band management component on the site server connects to the AMT-based computer by using a specified AMT provisioning account and port number:
The PKI certificate with server authentication capability retrieved by the site server is installed on the AMT-based computer, including the certificate chain up to the root CA certificate. For Configuration Manager 2007 SP2 and later, the PKI certificates with client authentication capability retrieved by the site server are also installed, along with the root certificate for the RADIUS server, on the AMT-based computer.
The fully qualified domain name (FQDN) of the AMT-based computer is retrieved from the Configuration Manager database and is configured in AMT on the AMT-based computer. The Windows computer time is used to configure the system time.
The AMT settings configured in Configuration Manager, such as whether to use IDE redirection and serial over LAN, respond to a network ping, and support a Web interface, are configured in AMT on the AMT-based computers. In Configuration Manager 2007 SP2, this also includes the power state setting. In addition to the AMT settings, the AMT remote password is reset to a random and strong password, any AMT user accounts are deleted, and support for Kerberos authentication is enabled on the AMT-based computer.
In the log file, Amtopmgr.log, you will see references to first-stage provisioning and second-stage provisioning. The first two points in the preceding list occur during the first-stage provisioning. The last point in the preceding list occurs during second-stage provisioning. For more information about the log files used with out of band management, see Log Files for Out of Band Management.
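As an added illustration, not code from the Configuration Manager documentation, the following Python parser reads Configuration Manager-format log entries such as those in Amtopmgr.log and reports, per AMT-based computer, whether first-stage and second-stage provisioning started, completed or failed. The log line layout and the type attribute codes are real; the message wording and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Real Configuration Manager log layout, shared by Amtopmgr.log and other site server logs:
# <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>
# type="1" is informational, "2" warning, "3" error.
ENTRY_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"(?P<attrs>[^>]*)>', re.S)
TYPE_RE = re.compile(r'type="(\d)"')
# Message wording is an assumption for this example (real Amtopmgr.log text differs);
# the parser only relies on a line naming the stage and the device FQDN.
STAGE_RE = re.compile(r'(first|second)-stage provisioning', re.I)
HOST_RE = re.compile(r'device\s+(?P<host>[A-Za-z0-9.-]+)', re.I)

def parse_provisioning(log_text):
    """Return {fqdn: {"first-stage": s, "second-stage": s, "errors": [...]}} with
    s in (None, "started", "completed", "failed")."""
    report = defaultdict(lambda: {"first-stage": None, "second-stage": None, "errors": []})
    for m in ENTRY_RE.finditer(log_text):
        msg = m.group("msg")
        host_m = HOST_RE.search(msg)
        if not host_m:
            continue
        entry = report[host_m.group("host").lower()]
        type_m = TYPE_RE.search(m.group("attrs"))
        is_error = type_m is not None and type_m.group(1) == "3"
        if is_error:  # keep the full error text for triage, whatever stage it belongs to
            entry["errors"].append(f'{m.group("date")} {m.group("time")} {msg}')
        stage_m = STAGE_RE.search(msg)
        if not stage_m:
            continue
        stage = stage_m.group(1).lower() + "-stage"
        if is_error:
            entry[stage] = "failed"
        elif "completed" in msg.lower():
            entry[stage] = "completed"
        elif entry[stage] is None:
            entry[stage] = "started"
    return dict(report)

def fully_provisioned(report):
    """FQDNs whose first- and second-stage provisioning both completed."""
    return sorted(h for h, e in report.items()
                  if e["first-stage"] == "completed" and e["second-stage"] == "completed")

# Constructed sample lines, not taken from a real Amtopmgr.log.
SAMPLE_LOG = """<![LOG[Start first-stage provisioning for device pc1.contoso.com]LOG]!><time="09:00:01.000+000" date="05-11-2010" component="AMTOPMGR" context="" type="1" thread="100" file="amtopmgr.cpp:1">
<![LOG[First-stage provisioning completed for device pc1.contoso.com]LOG]!><time="09:00:05.000+000" date="05-11-2010" component="AMTOPMGR" context="" type="1" thread="100" file="amtopmgr.cpp:2">
<![LOG[Second-stage provisioning completed for device pc1.contoso.com]LOG]!><time="09:00:20.000+000" date="05-11-2010" component="AMTOPMGR" context="" type="1" thread="100" file="amtopmgr.cpp:3">
<![LOG[Error: first-stage provisioning for device pc2.contoso.com failed, certificate request rejected]LOG]!><time="09:01:09.000+000" date="05-11-2010" component="AMTOPMGR" context="" type="3" thread="101" file="amtopmgr.cpp:4">
"""
```

Running `parse_provisioning(SAMPLE_LOG)` shows pc1 completing both stages and pc2 failing in first-stage provisioning, which is the point at which the certificate request and Active Directory publishing described above take place.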
For more information about how to provision a computer, see How to Provision Computers for AMT.
For more information about the certificates used for AMT provisioning, see About Certificates for Out of Band Management.
Updating the Data in the Management Controller Memory
Computers that are already provisioned for AMT do not dynamically reconfigure with new AMT settings that are configured in Configuration Manager. If you change the Configuration Manager AMT settings after AMT-based computers are provisioned for AMT, you must initiate an action on these computer resources to update the data in the management controller memory. Updating the data in the management controller memory for an AMT-based computer results in it getting the latest AMT settings and configurations. Additionally, the AMT-based computer's SPN is reregistered, and its Active Directory object is refreshed (or published if it does not exist). Updating the data in the management controller memory does not result in revoking the AMT certificate for server authentication, but it does revoke any client authentication certificate that has been configured for 802.1X authenticated wired or wireless networks. New client authentication certificates are requested if these are specified in the 802.1X authenticated wired or wireless configuration.
If you have configured 802.1X authenticated wired or wireless network support with Configuration Manager 2007 SP2, this supports updating the management controller on these networks with the following caveats:
If the AMT-based computer is connected to a wireless network, the settings in the wireless profiles will not be updated.
If the AMT-based computer is connected to an 802.1X authenticated wired network, the settings for this configuration will be updated. If the new settings are incompatible with the required network settings, the connection will be lost if the operating system is not running.
Removing AMT Provisioning Information
There might be occasions when you want to remove the provisioning information for an AMT-based computer, such as when you no longer want the computer to be managed out of band by Configuration Manager 2007 but want to use another out of band solution. The following options are available for removing provisioning information from the computer:
You can remove the configuration data from the management controller but keep identification information about the computer, such as its name, IP address, and DNS suffix. Configuration data includes whether IDE redirection and serial over LAN are enabled, network pings are supported, and the Web interface is enabled.
You can remove both configuration data and identification information from the management controller.
In both cases, any certificates installed in AMT are revoked, the SPN is deleted, and the AMT account is deleted from Active Directory Domain Services.
After the AMT provisioning information is removed, it might be automatically provisioned again by Configuration Manager. For example, this will apply by default if the AMT-based computer can provision in-band and it is in a collection that has automatic AMT provisioning enabled. It will also apply by default if the AMT-based computer can provision out of band. However, when you select the option to remove provisioning information, you can disable automatic provisioning and re-enable it later if required.
For more information about removing provisioning information for an AMT-based computer and using automatic provisioning again, see How to Remove Provisioning Information for AMT-Based Computers.
Renaming AMT-Based Computers and Domain Changes
If you rename a computer that is already provisioned for AMT by Configuration Manager or move the computer to another domain, you must remove all the provisioning information from the AMT-based computer and then provision the computer again. You can remove the provisioning information either before or after renaming or moving the computer. However, do not provision the computer again until the name change or domain move is complete. If you fail to perform these procedures, the AMT-based computer cannot be managed out of band after the change of name or domain move.
When you remove the provisioning information, select the option to remove both configuration data and identification information from the management controller; and if applicable, select the option to disable automatic provisioning and re-enable it after the name change or domain move has taken place.
Reassigning AMT-Based Computers to Another Configuration Manager Site
If you reassign an AMT-based computer to another Configuration Manager site, you must remove the AMT provisioning information, select the option to disable automatic provisioning and then provision the computer again in the new site. Until you do this, you will not be able to manage the AMT-based computer out of band in the new site. In this scenario, the AMT Status displays Detected.
Remove the provisioning information when the computer is in the original site. If this is not possible, you can manually remove the provisioning information by configuring the BIOS extensions.