Introduction to Out of Band Management in Configuration Manager
Updated: May 14, 2015
Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1
Out of band management in System Center 2012 Configuration Manager provides a powerful management control for computers that have the Intel vPro chip set and a version of Intel Active Management Technology (Intel AMT) that Configuration Manager supports.
Out of band management lets an administrative user connect to a computer's AMT management controller when the computer is turned off, in hibernation, or otherwise unresponsive through the operating system. In contrast, in-band management is the classic approach that Configuration Manager and its predecessors use, whereby an agent runs in the full operating system on the managed computer, and the management controller accomplishes tasks by communicating with the management agent.
Out of band management supplements in-band management. While in-band management supports a wider range of operations because its environment is the full operating system, in-band management might not be functional if the operating system is not present or is not operational. In these situations, by using the supplementary capabilities of out of band management, administrative users can manage these computers without requiring local access to the computer.
Out of band management tasks include the following:
Powering on one or many computers (for example, for maintenance on computers outside business hours).
Powering off one or many computers (for example, the operating system stops responding).
Restarting a nonfunctioning computer or booting from a locally connected device or known good boot image file.
Re-imaging a computer by booting from a boot image file that is located on the network or by using a PXE server.
Reconfiguring the BIOS settings on a selected computer (and bypassing the BIOS password if this is supported by the BIOS manufacturer).
Booting to a command-based operating system to run commands, repair tools, or diagnostic applications (for example, upgrading the firmware or running a disk repair tool).
Configuring scheduled software deployments to wake up computers before the computers are running.
These out of band management tasks are supported on an unauthenticated wired connection, an authenticated 802.1X wired connection, and a wireless connection. Out of band management also has the following additional features:
Auditing for selected AMT features.
Support for different power states, to help reduce power consumption and support adherence to IT policy.
Data storage in AMT, where up to 4096 bytes in ASCII characters can be saved in the nonvolatile random access memory (NVRAM) of the management controller.
For example scenarios of how out of band management can be used, see Example Scenarios for Using Out of Band Management in Configuration Manager.
Some of the preceding tasks are performed from the Configuration Manager console, while others require running the out of band management console that is supplied with Configuration Manager. Out of band management uses Windows remote management technology (WS-MAN) to connect to the AMT management controller on a computer.
Out of band management is not supported for clients that are managed over the Internet with Internet-based client management. Configuration Manager clients that are blocked or unapproved by Configuration Manager cannot be managed out of band.
The following table outlines the options and features that out of band management provides in Configuration Manager.
Extending Out of Band Management in Configuration Manager
For additional technical information to support and extend out of band management in Configuration Manager, see Intel’s application offerings on the Microsoft Pinpoint site.
What’s New in Configuration Manager
The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.
The following items are new or have changed for out of band management since Configuration Manager 2007:
System Center 2012 Configuration Manager no longer supports provisioning out of band, which could be used in Configuration Manager 2007 when the Configuration Manager client was not installed, or the computer did not have an operating system installed. To provision computers for AMT in System Center 2012 Configuration Manager, they must belong to an Active Directory domain, have the System Center 2012 Configuration Manager client installed, and be assigned to a System Center 2012 Configuration Manager primary site.
To provision computers for AMT, you must install the new site system role, the enrollment point, in addition to the out of band service point. You must install both these site system roles on the same primary site.
There is a new account, the AMT Provisioning Removal Account, which you specify on the Out of Band Management Component Properties: Provisioning tab. When you specify this account and use the same Windows account that is specified as an AMT User Account, you can use this account to remove the AMT provisioning information, if you have to recover the site. You might also be able to use it when the client was reassigned and the AMT provisioning information was not removed on the old site.
Configuration Manager no longer generates a status message to warn you that the AMT provisioning certificate is about to expire. You must check the remaining validity period yourself and ensure that you renew this certificate before it expires.
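Because the site no longer warns about the expiry of the AMT provisioning certificate, the check has to be done by the administrator. The following PowerShell script is an added example (not part of this documentation or of Configuration Manager) that can be run or scheduled on the out of band service point: it locates the provisioning certificate in the local computer store by the Intel AMT provisioning EKU OID, reports the remaining validity, and runs a chain and revocation check. The warning threshold and store location are assumed values.

```powershell
# Added example: report remaining validity of the AMT provisioning certificate.
# Configuration Manager no longer raises a status message before expiry, so a
# scheduled run of this script takes over that job. The OID below is the
# Intel AMT provisioning (Client Setup) EKU; WarnDays is an assumed threshold.
param(
    [int]$WarnDays = 60,
    [string]$StoreLocation = 'Cert:\LocalMachine\My',
    [string]$AmtProvisioningOid = '2.16.840.1.113741.1.2.3'
)

$certs = Get-ChildItem -Path $StoreLocation |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $AmtProvisioningOid }

if (-not $certs) {
    Write-Warning "No certificate with EKU $AmtProvisioningOid found in $StoreLocation"
    exit 2
}

$exitCode = 0
foreach ($cert in $certs) {
    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    # Verify() builds the chain and checks revocation, the same kind of CRL
    # check that the out of band service point performs on this certificate.
    $chainOk = $cert.Verify()

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        ChainValid = $chainOk
    }

    if ($daysLeft -lt $WarnDays) {
        Write-Warning "AMT provisioning certificate $($cert.Thumbprint) expires in $daysLeft days; renew it before it expires."
        $exitCode = 1
    }
    if (-not $chainOk) {
        Write-Warning "AMT provisioning certificate $($cert.Thumbprint) failed chain or revocation validation."
        $exitCode = 1
    }
}
exit $exitCode
```

A non-zero exit code lets a scheduled task or monitoring agent raise the alert that the site itself no longer generates.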
AMT discovery no longer uses port TCP 16992; only port TCP 16993 is used.
Port TCP 9971 is no longer used to connect the AMT management controller to the out of band service point to provision computers for AMT.
The out of band service point uses HTTPS (by default, port TCP 443) to connect to the enrollment point.
The WS-MAN translator is no longer supported.
The maintenance task Reset AMT Computer Passwords has been removed.
You no longer select individual permissions for each AMT User Account. Instead, all AMT User Accounts are automatically configured for the PT Administration (Configuration Manager 2007 SP1) or Platform Administration (Configuration Manager 2007 SP2) right, which grants permissions to all AMT features.
You must specify a universal security group in the Out Of Band Management Component Properties to contain the AMT computer accounts that Configuration Manager creates during the AMT provisioning process.
The site server computer no longer requires Full Control to the organizational unit (OU) that is used during AMT provisioning. Instead, it requires the Read Members and Write Members (this object only) permissions.
The enrollment point rather than the primary site server computer now requires the Issue and Manage Certificates permission on the issuing certification authority (CA). This permission is required to revoke AMT certificates. As in Configuration Manager 2007, this computer account requires DCOM permissions to communicate with the issuing CA. To configure this, ensure that for Windows Server 2008, the computer account of the enrollment point site system server is a member of the security group Certificate Service DCOM Access, or, for Windows Server 2003 SP1 and later, a member of the security group CERTSVC_DCOM_ACCESS in the domain where the issuing CA resides.
The certificate templates for the AMT web server certificate and the AMT 802.1X client certificate no longer use Supply in the request, and the site server computer account no longer requires permissions to these certificate templates. Instead, configure the templates as follows:
For the AMT web server certificate template: On the Subject tab, select Build from this Active Directory information, and then select Common name for the Subject name format. On the Security tab, grant Read and Enroll permissions to the universal security group that you specify in the Out Of Band Management Component Properties.
For the AMT 802.1X client certificate template: On the Subject tab, select Build from this Active Directory information, and then select Common name for the Subject name format. Clear the DNS name check box, and then select User principal name (UPN) as the alternate subject name. On the Security tab, grant Read and Enroll permissions to the universal security group that you specify in Out Of Band Management Point Component Properties.
The AMT provisioning certificate no longer requires that the private key can be exported.
By default, the out of band service point checks the AMT provisioning certificate for certificate revocation. This occurs when the site system first runs, and when the AMT provisioning certificate is changed. You can disable this option in the Out Of Band Service Point Properties.
You can enable or disable CRL checking for the AMT web server certificate in the out of band management console. To change the settings, click the Tools menu, and then click Options. The new setting is used when you next connect to an AMT-based computer.
When a certificate for an AMT-based computer is revoked, the revocation reason is now Cease of Operation instead of Superseded.
AMT-based computers that are assigned to the same Configuration Manager site must have a unique computer name, even when they belong to different domains and therefore have a unique FQDN.
When you reassign an AMT-based computer from one Configuration Manager site to another, you must first remove the AMT provisioning information, reassign the client, and then provision the client again for AMT.
The security rights View management controllers and Manage management controllers in Configuration Manager 2007 are now named Provision AMT and Control AMT, respectively. The Control AMT permission is automatically added to the Remote Tools Operator security role. If an administrative user is assigned to the Remote Tools Operator security role, and you want this administrative user to provision AMT-based computers or control the AMT audit log, you must add the Provision AMT permission to this security role, or ensure that the administrative user belongs to another security role that includes this permission.