How to Configure AMT Provisioning
Applies To: System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
You must provision computers for AMT before they can be managed out of band in Configuration Manager 2007 SP1 or later. For more information about provisioning for AMT, see About AMT Provisioning for Out of Band Management.
The information in this topic applies only to Configuration Manager 2007 SP1 and later.
Before configuring AMT provisioning in Configuration Manager 2007 SP1 or later, ensure that an Active Directory organizational unit or container for out of band management controllers is created and configured with the appropriate permissions, and ensure that you have the required certificates for out of band management. For more information, see the following topics:
Before you can provision computers for AMT, you must also install an out of band service point in the primary site. You can perform this site role installation either before or after performing the following procedures. For more information, see How to Install the Out of Band Service Point.
Use the following procedures to prepare the certificates for out of band management, and then configure the out of band management component for AMT provisioning. After configuring AMT provisioning options, configure the AMT settings. For more information, see How to Configure AMT Settings and AMT User Accounts.
Additionally, if you have Configuration Manager 2007 SP2, you can also configure the following:
AMT features to include in the audit logs of AMT-based computers. For more information about configuring the audit log, see How to Configure AMT Auditing. To enable or disable auditing of the configured features or to clear or export the audit log on AMT-based computers, see How to Manage the Audit Log for AMT-Based Computers.
Support for 802.1X authenticated wired networks and wireless networks. For more information about configuring support for these environments, see How to Configure AMT-Based Computers for 802.1X Authenticated Wired and Wireless Networks.
To prepare the certificates for out of band management
Request, install, and prepare the AMT provisioning certificate issued by a certification authority (CA) that is trusted by the AMT-based computers. For more information, see About Certificates for Out of Band Management.
Ensure that you have a Microsoft enterprise CA to automatically issue certificates requested by the site server. These certificate requests will supply the subject name and must include the certificate capability of server authentication.
For step-by-step instructions for preparing these certificates, see Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management: Windows Server 2003 Certification Authority.
To configure out of band management for AMT provisioning
In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site code> – <site name> / Site Settings / Component Configuration, right-click Out of Band Management, and then click Properties.
On the General tab, specify an organizational unit or container for the option Active Directory container. If the site will manage AMT-based computers from only one domain, specify this domain's organizational unit or container. If the site will manage AMT-based computers from multiple domains, specify the details for any one domain.
Click Set to specify a strong password for the MEBx Account that Configuration Manager will set in AMT when the computer is provisioned for the first time. If your manufacturer has provided you with a customized password (that is, a password other than admin) or if you have changed the password for the MEBx Account in AMT, you must specify this password by creating and configuring an AMT Provisioning and Discovery Account. For more information, see How to Add an AMT Provisioning and Discovery Account.
The password that you specify for the MEBx Account must be at least 8 characters and a maximum of 32 characters, and must contain at least one each of an uppercase, a lowercase, a numeric, and a symbol character. Symbol characters include ! @ # $ % ^ & * and exclude : (colon), " (double quotes), and _ (underscore).
For Configuration Manager 2007 SP2 only: If you must use out of band provisioning rather than just in-band provisioning, select Allow out of band provisioning. In the security warning dialog box, click Yes if you understand and accept the security implications of this setting. Click No if you either do not understand the security implications or you want to change your mind about selecting this option. More information about the security implications can be found in the section “Use in-band provisioning instead of out of band provisioning” in Out of Band Management Security Best Practices and Privacy Information.
Use the default value of 9971 for the AMT provisioning port, unless you have been provided with a different value from your computer manufacturer.
For Configuration Manager 2007 SP2 only: This option cannot be configured unless you have selected Allow out of band provisioning.
If you are using out of band AMT provisioning (the Configuration Manager 2007 SP1 or later client is not installed) and you want Configuration Manager to automatically register the name ProvisionServer in DNS, enable the option Register ProvisionServer as an alias in DNS. For more information about this option, see Decide Whether You Should Register an Alias for the Out of Band Service Point in DNS.
Click Browse next to the option Provisioning certificate, and select the certificate file that contains the exported AMT provisioning certificate with the private key. Type in the password that was created when the certificate was exported, and then click OK.
Click Select next to the option Certificate template, and in the AMT Certificate Configuration dialog box, specify the following:
Issuing CA: Click the drop-down menu to see a list of enterprise CAs that are retrieved from Active Directory Domain Services and displayed by the FQDN. Select the CA that will issue the certificates for AMT-based computers. The name of the CA will automatically display in the field CA name.
AMT certificate template: Click the drop-down menu to see a list of templates that are available to the site server and retrieved from the selected CA. Select the certificate template that will be used to request the certificates for AMT-based computers.
Click OK to close the AMT Certificate Configuration dialog box.
Click the Provisioning Settings tab.
In the section AMT Provisioning and Discovery Accounts, click the New icon.
In the AMT Provisioning and Discovery Account dialog box, specify the following:
Name: Enter the name of the provisioning account configured in the BIOS extensions.
Password: Enter the password that is configured in the BIOS extensions for the provisioning account.
Confirm password: Reenter the password for confirmation.
Description: Optionally, enter a description that will help you identify the account. The description is particularly useful if you have multiple accounts to configure, because it helps you identify which account relates to which computers.
Click OK to close the AMT Provisioning and Discovery Account dialog box.
For Configuration Manager 2007 SP2 only: Click the Provisioning Schedule tab if you will provision AMT-based computers in-band, and then either accept the default schedule of 1 day or specify your preferred schedule.
Click OK to close the Out of Band Management Properties dialog box.
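The MEBx Account password rules from the procedure above can be checked before the password is typed into the Set dialog box. The following is an added example, not code from Configuration Manager or from this topic's authors; Test-MebxPassword is a hypothetical helper name, and counting only the eight listed symbols toward the symbol requirement is an assumption made here.

```powershell
# Added example: checks a candidate MEBx Account password against the rules
# stated in this topic. Test-MebxPassword is a hypothetical helper name,
# not a Configuration Manager cmdlet.
function Test-MebxPassword {
    param([Parameter(Mandatory = $true)][System.Security.SecureString]$Password)

    # Decrypt only for the duration of the check, then zero the unmanaged copy.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }

    $problems = @()
    if ($plain.Length -lt 8 -or $plain.Length -gt 32) {
        $problems += "Length is $($plain.Length); must be 8 to 32 characters."
    }
    # -cnotmatch is case-sensitive; the default -notmatch would let 'a' satisfy [A-Z].
    if ($plain -cnotmatch '[A-Z]') { $problems += 'No uppercase character.' }
    if ($plain -cnotmatch '[a-z]') { $problems += 'No lowercase character.' }
    if ($plain -notmatch '[0-9]')  { $problems += 'No numeric character.' }
    # Assumption: only the eight symbols the topic lists count toward the symbol rule.
    if ($plain -notmatch '[!@#$%^&*]') { $problems += 'No symbol from ! @ # $ % ^ & *' }
    # Excluded by the topic: colon, double quotes, underscore.
    if ($plain -match '[:"_]') { $problems += 'Contains an excluded character (: " or _).' }

    $plain = $null
    # The leading comma keeps an empty result as an array instead of $null.
    return ,$problems
}

# Prompt without echoing the password or leaving it in command history.
$candidate = Read-Host -Prompt 'Candidate MEBx password' -AsSecureString
$result = Test-MebxPassword -Password $candidate
if ($result.Count -eq 0) { 'Meets the stated MEBx password rules.' } else { $result }
```

The messages report only which rule failed and the length, never the password itself, so the output is safe to paste into a change record.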