AMT Provisioning Process for Out of Band Management in Configuration Manager
Updated: May 14, 2015
Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1
The following flow of events occurs when an AMT-based computer is provisioned by System Center 2012 Configuration Manager.
1. The Configuration Manager client downloads its client policy with instructions to initiate AMT provisioning and performs the following checks:
   a. The Intel HECI driver is installed.
   b. The AMT status is Not Provisioned. Any other status stops the provisioning process.
2. The Configuration Manager client generates a random one-time password (OTP), hashes it, sends the hash to the site server, and then activates the AMT network interface so that the AMT-based computer is ready for provisioning. AMT-based computers that support wireless network connections also send their wired IP address, which is used during provisioning even if the AMT-based computer has multiple network interfaces.
3. The Configuration Manager client sends AMT manufacturing information to the site server by using a state message. This information includes the AMT version number.
4. The site server receives the OTP hash, creates an Active Directory account in the configured Active Directory container (or OU), and sets the SPN for the AMT-based computer. The site server then sends an instruction to the out of band service point to start provisioning for the Configuration Manager client.
5. The out of band service point retrieves the OTP hash for this AMT-based computer from the site server and compares it with the OTP hash reported by the AMT firmware, to verify the identity of the AMT-based computer to be provisioned.
6. The out of band service point retrieves the Active Directory account and password from the site server and then sends an instruction to the enrollment point to request an AMT web server certificate for the AMT-based computer. The enrollment point impersonates the AMT-based computer to request the AMT web server certificate.
7. The out of band service point creates an outbound TLS connection by using the AMT provisioning certificate and the Secure Channel (Schannel) Security Support Provider (SSP). In this connection, the AMT-based computer is the server and the out of band service point is the client. The transport layer session is established by using the TLS handshake:
   a. The out of band service point sends a client “Hello” message to the AMT-based computer and requests to use SHA1.
   b. The AMT-based computer sends a server “Hello” message to the out of band service point and sends its public key with a self-signed certificate.
   c. The Microsoft Security Support Provider Interface (SSPI) is used to create the TLS channel.
   d. The out of band service point sends its AMT provisioning certificate and its full certificate chain to the AMT-based computer, with the specific AMT provisioning object identifier (OID) or the OU attribute of Intel(R) Client Setup Certificate.
   e. The AMT-based computer checks the following for the AMT provisioning certificate and, if all of them match, establishes the TLS session: the subject name (CN) against its own DNS namespace, the OID against the OID for AMT provisioning (or the OU attribute), and the thumbprint of the root certificate in the certificate chain against the thumbprint it has stored in AMT firmware memory.
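The three checks the AMT firmware applies to the provisioning certificate chain, modelled in Python as an added illustration (this is not Configuration Manager or Intel code). The `Cert` and `AmtFirmware` classes are constructed stand-ins for a parsed chain and the firmware's stored state; the provisioning OID value and the "CN matches the device's DNS domain or a host within it" rule are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed values: Intel's AMT provisioning EKU OID, and the OU fallback named on the page.
AMT_PROVISIONING_OID = "2.16.840.1.113741.1.2.3"
AMT_PROVISIONING_OU = "Intel(R) Client Setup Certificate"

@dataclass
class Cert:
    """Minimal stand-in for a parsed X.509 certificate (constructed, not parsed)."""
    cn: str
    ous: List[str] = field(default_factory=list)
    ekus: List[str] = field(default_factory=list)
    sha1_thumbprint: str = ""        # hex SHA-1 of the DER encoding

@dataclass
class AmtFirmware:
    """What the AMT firmware knows before provisioning."""
    dns_domain: str                  # its own DNS namespace (e.g. learned from DHCP)
    trusted_root_hashes: List[str]   # root thumbprints held in firmware memory

def check_provisioning_chain(fw: AmtFirmware, chain: List[Cert]) -> Optional[str]:
    """Return None when the chain passes all three checks, otherwise the failing check."""
    if not chain:
        return "empty-chain"
    leaf, root = chain[0], chain[-1]
    # 1. Subject CN must match the device's own DNS namespace (assumed: exact or subdomain match).
    cn, dom = leaf.cn.lower(), fw.dns_domain.lower()
    if cn != dom and not cn.endswith("." + dom):
        return "cn-mismatch"
    # 2. The leaf must carry the AMT provisioning OID, or fall back to the OU marker.
    if AMT_PROVISIONING_OID not in leaf.ekus and AMT_PROVISIONING_OU not in leaf.ous:
        return "no-provisioning-marker"
    # 3. The root's thumbprint must be one the firmware already trusts.
    if root.sha1_thumbprint.lower() not in {h.lower() for h in fw.trusted_root_hashes}:
        return "untrusted-root"
    return None
```

A chain that fails any one check is rejected before the TLS session is established, so the root thumbprint stored in firmware is the anchor that decides which servers may provision the device.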
8. The out of band service point establishes an application layer connection with the AMT-based computer by using HTTP Digest authentication:
   a. A SOAP request is sent from the out of band service point to the AMT-based computer, without any user name and password.
   b. The AMT-based computer responds to the out of band service point with an "authentication needed" response, which results in HTTP Digest authentication.
   c. The out of band service point resends the SOAP request with the same payload to the AMT-based computer, this time by using HTTP Digest authentication.
   d. The AMT-based computer finishes the authentication challenge and sends a success or failure response to the out of band service point.
   e. If the HTTP Digest authentication fails during the application layer connection, the out of band service point retries by using another user name and password that has been configured in Configuration Manager. All configured user names and passwords are tried sequentially until authentication succeeds or there are no more user names and passwords.
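The challenge, response and sequential retry described in step 8, as an added example in Python (not Configuration Manager code). `AmtDevice` is a constructed stand-in for the firmware's Digest authenticator with a fixed nonce; the realm string and account table are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user: str, password: str, realm: str, nonce: str,
                    method: str, uri: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class AmtDevice:
    """Constructed stand-in for the AMT firmware side of HTTP Digest authentication."""
    def __init__(self, realm: str, accounts: Dict[str, str]):
        self.realm, self.accounts = realm, accounts
        self.nonce = "constructed-nonce"   # a real device issues a fresh random nonce

    def challenge(self) -> Dict[str, str]:
        # Step 8b: the unauthenticated SOAP request is answered with these parameters.
        return {"realm": self.realm, "nonce": self.nonce, "qop": "auth"}

    def verify(self, user: str, method: str, uri: str, nc: str, cnonce: str, response: str) -> bool:
        # Step 8d: recompute the expected response and compare in constant time.
        pw = self.accounts.get(user)
        if pw is None:
            return False
        expected = digest_response(user, pw, self.realm, self.nonce, method, uri, nc, cnonce)
        return hmac.compare_digest(expected, response)

def authenticate_sequentially(device: AmtDevice, creds: List[Tuple[str, str]],
                              uri: str = "/") -> Optional[str]:
    """Step 8e: try each configured user/password in order; return the user that succeeded."""
    chal = device.challenge()
    for i, (user, pw) in enumerate(creds, start=1):
        nc, cnonce = f"{i:08x}", f"cnonce{i}"   # nonce count increments per attempt
        resp = digest_response(user, pw, chal["realm"], chal["nonce"], "POST", uri, nc, cnonce)
        if device.verify(user, "POST", uri, nc, cnonce, resp):
            return user
    return None
```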
9. The AMT-based computer undergoes first-stage provisioning, initiated by a SOAP request from the out of band service point:
   a. The AMT time is synchronized with the Windows time from the out of band service point.
   b. The AMT host name and domain are configured by using the computer’s host name and domain. The computer’s host name and domain name might be retrieved from system discovery or from client registration when the client is assigned to the site.
   c. The requested and retrieved certificate is saved to the AMT firmware memory, and TLS authentication is enabled.
   d. Configuration Manager creates a random, strong password for the AMT Remote Admin Account and stores this value in AMT.
   e. Configuration Manager might reconfigure the MEBx password with the strong password configured in the Configuration Manager console, depending on whether it has been changed previously on the AMT-based computer and on the version of AMT.
   f. The settings are saved in AMT firmware, and the AMT firmware state is set to the operational mode of post provisioning.
10. The AMT-based computer undergoes second-stage provisioning, initiated by a Windows Remote Management (WinRM) request from the out of band service point:
   a. The AMT ACLs are deleted and then configured according to the AMT User Accounts and rights.
   b. Kerberos is enabled, and the power scheme is set according to the value configured for Manageability is on in the following power state on the AMT Settings tab of the Out of Band Management Component Properties dialog box. The other AMT settings, such as Enable web interface, Enable serial over LAN and IDE redirection, and Allow ping responses, are also set according to the values configured in the AMT Advanced Settings dialog box.
   c. If you have configured any 802.1X options, the following additional actions occur: any existing wireless profiles are deleted, any certificates related to the wireless profiles or 802.1X wired network configuration are deleted, and the wireless capability of AMT is detected. If any certificates are required to support 802.1X, the out of band service point sends an instruction to the enrollment point to request the certificates for the AMT-based computer, and the enrollment point impersonates the AMT-based computer to request these certificates. The wireless profiles and the 802.1X authenticated wired network configuration are then saved to AMT.
11. The out of band service point sends the results of the provisioning process to the site server, which then updates the Configuration Manager database with the following information about the AMT-based computer: the AMT status, the MEBx password, and the AMT Remote Admin Account password.