About Blocking Clients and Out of Band Management
Applies To: System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
If a client computer is no longer trusted, the Configuration Manager administrator can block the client in the Configuration Manager 2007 console so that it can no longer communicate with site systems to download policy, upload inventory data, or send state or status messages. A client can also be unblocked if it is later deemed trusted. Blocking and unblocking clients has specific consequences when the computer is provisioned for out of band management, as described in the following sections. For more information about blocking clients, see Determine If You Need to Block Configuration Manager Clients and How to Block Configuration Manager Clients.
The information in this topic applies only to Configuration Manager 2007 SP1 and later.
Blocking AMT-Based Computers in Configuration Manager 2007 SP1
Computers that are blocked by Configuration Manager 2007 SP1 continue to accept out of band management communication. When an AMT-based computer is blocked because it is no longer trusted, you have the following options:
Manually revoke the computer's AMT certificate, and manually disable or delete the AMT account in Active Directory Domain Services. This option is the most secure because it does not require a connection to the untrusted computer, you can immediately verify that these actions have succeeded, and you control the revocation reason and whether the account is disabled or deleted. The main disadvantage of this option is that if you unblock this client later, you will be unable to manage the computer out of band until you manually remove the provisioning information from the BIOS extensions and then reprovision the computer. The other disadvantages are the administrative overhead and potential delays in taking these manual actions.
Remove provisioning information from the AMT-based computer by using Configuration Manager when the out of band service point can connect to the AMT-based computer. This action automatically revokes the computer’s AMT certificate (with the revocation reason of Superseded) and automatically deletes the AMT account in Active Directory Domain Services. It also deletes the associated SPN. For more information about removing provisioning information, see How to Remove Provisioning Information for AMT-Based Computers. This option is the most convenient, while offering additional security, because the revocation and account deletion happens automatically. Additionally, if you unblock this client later, you will be able to reprovision it without having to locally reconfigure the BIOS extensions. The disadvantages of using this option include the following: You must communicate with an untrusted computer; you cannot control the revocation reason; and, you cannot disable the account even if your company policy prefers or requires you to do so—instead, the account is automatically deleted. If you use this option, verify that the certificate has been revoked and the account deleted, and take manual remedial action if necessary.
Take no action to prevent out of band management communication. This option is the least secure because an untrusted computer keeps a valid certificate and an account that can log on to Active Directory Domain Services, which results in the security risks of elevation of privileges and information disclosure. However, being able to manage this computer out of band means that you can take additional steps to help protect the computer, such as re-imaging or reformatting it and then powering it down. These additional steps alone will not prevent an attacker from powering up the computer again, nor will they protect the information stored in AMT.
To identify the AMT certificate, on the issuing CA, locate the certificate that was issued to the site server with the FQDN of the AMT-based computer in the certificate Subject. To identify the AMT account, in the computer's domain, locate the organizational unit (OU) or container specified on the General tab of the Out of Band Management component properties. The account is displayed as a Computer object named <computername> in the results pane of the Active Directory Users and Computers console, although the full properties of the account show the name in the following format: <computername>$iME.
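The following PowerShell script is an added example, not part of the original topic or of Configuration Manager itself. It carries out the manual option described above (revoke the AMT certificate, disable or delete the <computername>$iME account) and then verifies both results; the verification part is the same check you should run after removing provisioning information with Configuration Manager, or after Configuration Manager 2007 SP2 revokes the certificate and deletes the account automatically when you block a client. The computer name, FQDN, CA configuration string, and OU are hypothetical values; the script assumes certutil can reach the issuing CA with CA Administrator rights and that the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later) is installed.

```powershell
# Added example (not from the original topic): revoke a blocked AMT-based computer's
# certificate(s) on the issuing CA, disable or delete its AMT account in AD DS, and verify.
# All names below are hypothetical; replace them with values from your site.
param(
    [string]$ComputerName = 'CLIENT1',
    [string]$Fqdn         = 'client1.contoso.com',               # Subject CN of the AMT certificate
    [string]$CAConfig     = 'ca1.contoso.com\Contoso Issuing CA', # certutil -config "CAHost\CAName"
    [string]$AmtOu        = 'OU=AMT Accounts,DC=contoso,DC=com',  # OU from the General tab
    [switch]$DeleteAccount   # default is to disable, which keeps the object for audit purposes
)

Import-Module ActiveDirectory

# --- 1. Certificate: list issued certificates (Disposition 20) whose Subject CN is the FQDN.
$listing = certutil -config $CAConfig -view -restrict "CommonName=$Fqdn,Disposition=20" `
                    -out "RequestID,SerialNumber,CommonName,NotAfter"
$serials = $listing | Select-String -Pattern 'Serial Number: "([0-9a-fA-F]+)"' |
           ForEach-Object { $_.Matches[0].Groups[1].Value }
if (-not $serials) { Write-Warning "No issued certificate with CN=$Fqdn found on $CAConfig" }

foreach ($serial in $serials) {
    # Manual revocation lets you choose the reason code. 1 = KeyCompromise is used here;
    # Configuration Manager itself uses 4 = Superseded when it removes provisioning information.
    certutil -config $CAConfig -revoke $serial 1 | Out-Null
}
# Publish a new CRL so that relying parties see the revocation before the current CRL expires.
certutil -config $CAConfig -CRL | Out-Null

# --- 2. AMT account: the object is named <computername>$iME in the OU configured for AMT.
$filter     = "(&(objectCategory=computer)(cn=$ComputerName`$iME))"
$amtAccount = Get-ADComputer -LDAPFilter $filter -SearchBase $AmtOu -Properties Enabled
if (-not $amtAccount) { throw "AMT account $ComputerName`$iME not found under $AmtOu" }

if ($DeleteAccount) {
    Remove-ADComputer -Identity $amtAccount.DistinguishedName -Confirm:$false
} else {
    Disable-ADAccount -Identity $amtAccount.DistinguishedName
}

# --- 3. Verify immediately: the advantage of the manual option is that nothing depends on
#        reaching the untrusted computer, so both results can be confirmed right away.
foreach ($serial in $serials) {
    $state = certutil -config $CAConfig -view -restrict "SerialNumber=$serial" -out "SerialNumber,Disposition"
    if ($state -match 'Revoked') { "OK: certificate $serial is revoked on $CAConfig" }
    else { Write-Warning "Certificate $serial is NOT revoked; revoke it manually" }
}

$check = Get-ADComputer -LDAPFilter $filter -SearchBase $AmtOu -Properties Enabled -ErrorAction SilentlyContinue
if ($DeleteAccount) {
    if ($check) { Write-Warning "AMT account $ComputerName`$iME still exists" }
    else        { "OK: AMT account $ComputerName`$iME deleted" }
} elseif ($check -and $check.Enabled -eq $false) {
    "OK: AMT account $ComputerName`$iME disabled"
} else {
    Write-Warning "AMT account $ComputerName`$iME is still enabled"
}
```

Run the script with `-DeleteAccount` when your policy requires deletion rather than disabling. The certificate lookup restricts on the Subject common name, which for the AMT certificate is the computer's FQDN as described above; if your site also issues 802.1X client certificates to AMT-based computers, the same FQDN restriction returns those certificates too, and each one is revoked. After the automatic SP2 actions, step 3 alone is sufficient as a check that the certificate shows as revoked and the account no longer exists.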
Blocking AMT-Based Computers in Configuration Manager 2007 SP2
Computers that are blocked by Configuration Manager 2007 SP2 cannot continue to be managed out of band. When an AMT-based computer is blocked, the following actions automatically occur to help protect the network from the security risks of elevation of privileges and information disclosure:
The site server revokes all certificates issued to the AMT-based computer with the revocation reason of Superseded. The AMT-based computer might have multiple certificates because Configuration Manager 2007 SP2 supports 802.1X authenticated wired and wireless networks that support client certificates.
The site server deletes the AMT account in Active Directory Domain Services.
Provisioning information is not removed from AMT, but the computer can no longer be managed out of band because its certificate is revoked and its account is deleted. If you later unblock the client, you must take the following actions before you can manage the computer out of band:
Manually remove provisioning information from the computer’s BIOS extensions. You will not be able to perform this configuration remotely.
Reprovision the computer with Configuration Manager.
If you think you might unblock the client later and you can verify a connection to the AMT-based computer before blocking the client, you can remove provisioning information with Configuration Manager and then block the client. This sequence of actions saves you from having to manually configure the BIOS extensions after unblocking the client. However, this option relies on a successful connection to the untrusted computer to complete the removal of provisioning information. This is particularly risky when the AMT-based computer is a laptop that might be disconnected from the network or connected only over a wireless network.
To verify that the AMT-based computer successfully removed provisioning information, confirm that the AMT status has changed from Provisioned to Not Provisioned. However, if the provisioning information was not removed before the client was blocked, the AMT status remains at Provisioned but you will be unable to manage the computer out of band until you reconfigure the BIOS extensions and reprovision the computer for AMT. For more information about the AMT status, see About the AMT Status and Out of Band Management.
See Also
About Certificates for Out of Band Management
Determine If You Need to Block Configuration Manager Clients
Overview of Out of Band Management
Out of Band Management Security Best Practices and Privacy Information
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.