Overflow: Additional Quiz Questions for Out of Band Management (AMT)

We’ve recently been looking at adding new quizzes to incorporate the new features in Configuration Manager 2007 SP1 and R2, so watch out for these to join the existing Configuration Manager quizzes at https://www.microsoft.com/downloads/details.aspx?FamilyID=b9fb478a-ec98-47f2-b31e-57443a8ae88f&DisplayLang=en. I'm sure Rob will also post an announcement on this blog when they are available.

However, when I was asked to come up with a few questions for the SP1 feature out of band management, I found that once I got going, I couldn’t stop. Hence the overflow! It’s probably because I’ve been interested in how customers have been implementing and using out of band management, and I've noticed that their questions and issues are often covered in the Configuration Manager documentation. So rather than throw away my extra questions, I thought I’d post them here.

When the quiz questions are just text, they don’t have the snazzy presentation that you get with the quizzes. But for those of you new to the out of band management feature and interested in learning more, this is a good way to quickly absorb some important information in bite-size chunks. And for those of you who have already spent time implementing this feature, use the following questions to quickly test your new-found knowledge. All the product documentation can be found on TechNet: Out of Band Management in Configuration Manager 2007 SP1.

In addition to the product documentation, Intel has some great Web resources for this feature, including overviews, interviews, videos, hotfix information, forums, and integration with myITforum. Matt Royer in particular does a fantastic job of helping customers on the forums. See the Intel vPro Expert Center: Microsoft vPro Manageability (https://communities.intel.com/community/vproexpert/microsoft-vpro) and Matt’s living wiki SCCM SP1 / vPro Common Issues and Potential Resolutions (https://communities.intel.com/openport/docs/DOC-1627).

And get ready for those additional quizzes for SP1 and R2!

Update December 11th 2008: The new quizzes are now published – with added Silverlight! See https://blogs.technet.com/wemd_ua_-_sms_writing_team/archive/2008/12/10/test-your-knowledge-of-configuration-manager-2007-now-with-added-silverlight.aspx

- Carol

Twelve Bonus Questions for Out of Band Management

Question 1

Does out of band management require an internal PKI that is running Microsoft Certificate Services as an enterprise CA?

Correct Answer: Yes

More Information: Out of band management uses PKI certificates for authentication and TLS. Although the provisioning certificate can be from an external CA, you must have a Microsoft enterprise CA that is configured with a certificate template to provide the AMT-based computers with a Web server certificate.


· Prerequisites for Out of Band Management

· About Certificates for Out of Band Management

· Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management

Question 2

Do you need to extend the Active Directory schema for out of band management?

Correct Answer: No

More Information: Out of band management does not require schema extensions for either Configuration Manager or Intel. However, you must prepare Active Directory Domain Services by creating a container or OU with the appropriate security permissions.


· Prerequisites for Out of Band Management

· How to Prepare Active Directory Domain Services for Out of Band Management

Question 3

Can out of band management provision computers from another forest?

Correct Answer: No

More Information: Computers that will be managed out of band must belong to the same Active Directory forest as the out of band service point and must share the same namespace. In addition to being unable to provision computers from another forest, workgroup computers and domain-joined computers that are in the same forest but have a different namespace cannot be managed out of band by Configuration Manager.


· Prerequisites for Out of Band Management

Question 4

Can you provision computers for AMT without DNS reconfiguration?

Correct Answer: Yes

More Information: Although Configuration Manager has the option Register ProvisionServer as an alias in DNS, enabling this option is not always required. It is never required if you are provisioning in-band (the Configuration Manager 2007 SP1 client is installed on the computer), and it might be required if you are provisioning out of band (the Configuration Manager 2007 SP1 client is not installed), because the AMT firmware has to locate the provisioning server by itself. If you are using out of band provisioning, the alternative to registering the DNS alias is to configure the address of the out of band service point as the provisioning server in the AMT BIOS extensions (MEBx) of each computer.


· Decide Whether You Should Register an Alias for the Out of Band Service Point in DNS

· How to Register an Alias in DNS for the Out of Band Service Point
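As an added example (this is not code from the original post or from the product documentation), the following PowerShell script checks the two things an out of band provisioning failure usually comes down to: whether the ProvisionServer alias resolves in the domain suffix the AMT-based computers receive from DHCP, and whether it points at the out of band service point. It also tests whether the service point is listening on TCP 9971, the port the out of band service point uses to receive AMT hello packets. The domain suffix corp.example.com and the server name sccm-oobsp.corp.example.com are hypothetical values; substitute your own.

```powershell
# Added example, not part of the original post. Assumed (hypothetical) values:
$DnsSuffix    = "corp.example.com"                 # DNS suffix handed out by DHCP option 15
$ServicePoint = "sccm-oobsp.corp.example.com"      # the out of band service point
$Alias        = "ProvisionServer.$DnsSuffix"       # the name AMT firmware looks up

# Connect with a timeout so an unreachable host does not hang the script.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Does the alias resolve, and to the same address(es) as the service point?
$spAddresses = [System.Net.Dns]::GetHostAddresses($ServicePoint) | ForEach-Object { $_.ToString() }
try {
    $aliasAddresses = [System.Net.Dns]::GetHostAddresses($Alias) | ForEach-Object { $_.ToString() }
    $match = @($aliasAddresses | Where-Object { $spAddresses -contains $_ }).Count -gt 0
    "Alias $Alias resolves to $($aliasAddresses -join ', '); matches service point: $match"
} catch {
    "Alias $Alias does not resolve. Either register it on the DNS server, for example:"
    "  dnscmd /RecordAdd $DnsSuffix ProvisionServer CNAME $ServicePoint"
    "or enter the service point address as the provisioning server in MEBx on each computer."
}

# 2. Is the service point accepting AMT hello packets (TCP 9971)?
$state = if (Test-TcpPort -HostName $ServicePoint -Port 9971) { "open" } else { "closed or unreachable" }
"Port 9971 on ${ServicePoint}: $state"
```

Run it from a workstation on the same network segment as the AMT-based computers, since the point is to see the name resolution and firewall path that the firmware will see; a result that looks fine from the site server itself proves little. Note that the hello connection is initiated by the AMT firmware, so the port test only confirms that the listener is up, not that the client side can reach it.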

Question 5

Can you install an out of band service point in secondary sites to prevent out of band management packets being sent over a WAN link?

Correct Answer: No

More Information: Install a single out of band service point in the primary site only. Most of the packets sent to the AMT-based computers will be sent from the out of band service point (including those for provisioning, scheduled power on commands, and interactive power control commands from the Configuration Manager console). However, when you use the out of band management console, packets are sent from the computer running the out of band management console and not from the out of band service point.


· Determine Whether You Should Install the Out of Band Service Point

· How to Install the Out of Band Service Point

· How to Run the Out of Band Management Console

Question 6

Does Configuration Manager automatically renew the AMT certificates that are about to expire?

Correct Answer: Yes

More Information: Configuration Manager uses a maintenance task to monitor the certificates that it deploys to the AMT-based computers and automatically requests a new certificate before the original certificate expires.


· About Certificates for Out of Band Management

· How to Customize Maintenance Tasks for Out of Band Management

Question 7

Do you need to configure an AMT Provisioning and Discovery Account if the AMT-based computer has never been provisioned and the MEBx account has the default name and password of “admin”?

Correct Answer: No

More Information: Configuration Manager will automatically try the combination of admin/admin when it attempts to provision computers for AMT. If you do not have customized firmware, you have not configured the MEBx account in the BIOS extensions, and the computer has not been previously provisioned, it is likely that you will not have to configure an AMT Provisioning and Discovery Account.


· Determine Whether to Configure an AMT Provisioning and Discovery Account for Out of Band Management

Question 8

Does the AMT Status “Detected” indicate that the computer can be provisioned by Configuration Manager?

Correct Answer: No

More Information: The AMT status of Detected means that AMT capability is detected, but the out of band service point is unable to provision the computer. This scenario can occur when the computer has been previously provisioned for AMT outside Configuration Manager and the password for the AMT Remote Admin Account or the MEBx Account has been changed and is unknown.


· About the AMT Status and Out of Band Management

· Decide How to Migrate from an AMT-Based Management Solution to Out of Band Management in Configuration Manager

Question 9

Do AMT-based computers automatically pick up changes you make to the AMT Settings or AMT User Accounts after they have been provisioned?

Correct Answer: No

More Information: Computers that are already provisioned for AMT do not automatically reconfigure with new AMT settings and AMT User Accounts. If you configure AMT settings and AMT User Accounts after computers are provisioned, you must manually update the AMT memory for these computers so that they are reconfigured with the new settings.


· About AMT Provisioning for Out of Band Management

· How to Update AMT Settings in Provisioned Computers Using Out of Band Management

Question 10

Can you rename a computer or move it to a different domain after it has been provisioned for AMT by Configuration Manager?

Correct Answer: Yes

More Information: You can rename a computer or move it to a different domain after it has been provisioned for AMT by Configuration Manager, but you must first remove all the provisioning information from the AMT-based computer and then re-provision it after the change. If you skip these procedures, Configuration Manager will be unable to manage the computer out of band after the name change or domain move.


· About AMT Provisioning for Out of Band Management

· How to Remove Provisioning Information for AMT-Based Computers

Question 11

Out of band management offers two methods of provisioning AMT-based computers: out of band provisioning and in-band provisioning. Is out of band provisioning the preferred method?

Correct Answer: No

More Information: In-band provisioning is more secure than out of band provisioning, because Configuration Manager can use the existing trust relationship between the client and the Configuration Manager infrastructure. In-band provisioning also requires less configuration because information about the computer is already known and the client receives all the provisioning information it needs through client policy. There are also no time restrictions with in-band provisioning. However, in-band provisioning does require that the Configuration Manager 2007 SP1 client is installed and that the version of AMT is 3.2.1 or higher.


· Out of Band Management Security Best Practices and Privacy Information

· How to Provision Computers for AMT

· Configuration Manager AMT Provisioning Process for Out of Band Management

Update December 11th 2008: See the following additional information about DHCP requirements for in-band provisioning: https://blogs.technet.com/wemd_ua_-_sms_writing_team/archive/2008/12/09/out-of-band-management-requirements-for-in-band-amt-provisioning-and-dhcp.aspx

Question 12

Do you have to configure at least one AMT User Account before running the out of band management console to connect to a computer out of band?

Correct Answer: Yes

More Information: AMT user accounts control which users or groups can run management functions in the out of band management console. When a logged-on user attempts to connect to an AMT-based computer, AMT uses Kerberos to authenticate the account and then, based on the AMT user account configuration, authorizes access to certain AMT management features. Without a valid AMT User Account, you won’t be able to successfully use the out of band management console. If you configure AMT settings and AMT User Accounts after computers are provisioned for AMT, you must update the AMT memory for these computers before the new accounts take effect.


· About the AMT User Accounts

· How to Configure AMT Settings and AMT User Accounts

This posting is provided AS IS with no warranties and confers no rights.
