How to Provision and Configure AMT-Based Computers in Configuration Manager


Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

Before you can manage Intel AMT-based-computers out of band in System Center 2012 Configuration Manager, you must provision them after the Configuration Manager client is installed. AMT provisioning requires Microsoft Certificate Services with an enterprise certification authority (CA) and the Configuration Manager enrollment point and out of band service point site system roles. During and after the provisioning process, public key infrastructure (PKI) certificates secure the communication between the AMT-based computers and the Configuration Manager site.

Use the following steps and the supplemental procedures in this topic to provision and configure AMT-based computers for out of band management. This information includes the optional configuration to manage AMT-based computers out of band when these computers are connected to an authenticated wired network or a wireless network. You can also configure these optional settings after the AMT-based computer is provisioned, and then update the AMT management controller.

Steps to Provision and Configure AMT-based Computers

Use the following table for the steps, details, and more information about how to provision and configure AMT-based computers.

Important

Before you perform these steps, ensure that you have all the prerequisites to provision and configure AMT-based computers. For more information, see Prerequisites for Out of Band Management in Configuration Manager.

If you manage AMT-based computers on 802.1X and wireless networks, check the configuration of your RADIUS server so that you know which 802.1X settings to configure for AMT.

Additionally, when the AMT-based computer host is configured for wireless networking, either natively in the operating system or by using another solution, ensure that the settings that you specify in the out of band management wireless profile for the Network name (SSID), Security type, and Encryption method match the configuration of your host wireless configuration.

Steps

Details

More information

Step 1: Prepare Active Directory Domain Services by creating security groups and an organization unit (OU).

Create two security groups:

  • A security group that contains the computer accounts of the primary site servers.

  • A universal security group that will contain accounts for the provisioned AMT-based computers. Grant the first security group the following security permissions to This object only: Read Members and Write Members.

Create an OU in each domain that will contain AMT-based computers. Grant the first security group the following security permissions to This object only: Create Computer Objects and Delete Computer Objects.

For more information about how to create security groups and OUs, see the Active Directory documentation.
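The following PowerShell script is an added example and is not part of this topic or of Configuration Manager. It performs step 1 with the ActiveDirectory module: it creates the two security groups and the OU, then grants the site server group the property rights on the universal group and the child-object rights on the OU, each with no inheritance (the console's "This object only"). The group names, OU names and the site server name are placeholders; the schema GUIDs for the member attribute and the computer class are the well-known values.

```powershell
# Added example (not from the Configuration Manager documentation): creates the
# security groups and OU from step 1 and grants the permissions the step lists.
# Assumptions: the ActiveDirectory module is installed, the caller can create
# objects in the target containers, and all names below are placeholders.
Import-Module ActiveDirectory

$domainDn        = (Get-ADDomain).DistinguishedName
$groupsOu        = "OU=Groups,$domainDn"     # assumed existing OU that holds groups
$siteServerGroup = 'CM-AMT-SiteServers'      # placeholder: group of primary site server accounts
$amtGroup        = 'CM-AMT-Computers'        # placeholder: universal group for provisioned AMT computers
$amtOuName       = 'AMT Computers'           # placeholder: OU for AMT-based computer objects
$siteServerName  = 'CM-PRI01'                # placeholder: a primary site server computer account

# Well-known schema GUIDs used for object-type-specific access control entries.
$memberAttrGuid    = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # 'member' attribute
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # 'computer' object class

# 1. Group that contains the computer accounts of the primary site servers.
$servers = New-ADGroup -Name $siteServerGroup -GroupScope Global -GroupCategory Security `
    -Path $groupsOu -PassThru
Add-ADGroupMember -Identity $servers -Members (Get-ADComputer $siteServerName)

# 2. Universal group that will contain the provisioned AMT-based computer accounts.
$amt = New-ADGroup -Name $amtGroup -GroupScope Universal -GroupCategory Security `
    -Path $groupsOu -PassThru

# 3. OU that will contain the AMT-based computer objects.
$amtOu = New-ADOrganizationalUnit -Name $amtOuName -Path $domainDn -PassThru

function Grant-AdRight {
    param(
        [string] $TargetDn,
        [System.Security.Principal.SecurityIdentifier] $Sid,
        [System.DirectoryServices.ActiveDirectoryRights] $Rights,
        [Guid] $ObjectType
    )
    # Inheritance 'None' limits the ACE to the object itself ("This object only").
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl = Get-Acl -Path "AD:\$TargetDn"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$TargetDn" -AclObject $acl
}

$sid = [System.Security.Principal.SecurityIdentifier] $servers.SID

# Read Members and Write Members = read/write of the 'member' property on the group.
Grant-AdRight -TargetDn $amt.DistinguishedName -Sid $sid `
    -Rights ([System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty') `
    -ObjectType $memberAttrGuid

# Create Computer Objects and Delete Computer Objects = child rights for the 'computer' class on the OU.
Grant-AdRight -TargetDn $amtOu.DistinguishedName -Sid $sid `
    -Rights ([System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild') `
    -ObjectType $computerClassGuid
```

Scoping the ACEs to the member attribute and to the computer class keeps the site servers from getting broader write access to the group or the OU than provisioning needs. Because the site servers authenticate with their computer accounts, they must be rebooted (or their Kerberos tickets refreshed) after being added to the group before the new group membership takes effect.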

Step 2: Confirm DHCP configuration.

Ensure that you have an active scope and configure the following DHCP options:

  • 006 (DNS Servers)

  • 015 (DNS Domain Name)

Additionally, ensure that the DHCP server is configured to dynamically update DNS with the computer resource records.

For more information about how to configure DHCP, see the DHCP documentation.
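As an added example (not from this topic), the following PowerShell function audits the step 2 prerequisites on a DHCP server with the DhcpServer module: for each IPv4 scope it reports whether the scope is active, whether options 006 and 015 are set (at scope level, or inherited from the server level), and whether the scope updates DNS dynamically. It assumes DHCP administrator rights and Windows Server 2012 or later for the cmdlets.

```powershell
# Added example (not from the Configuration Manager documentation): read-only audit of the
# DHCP settings that AMT provisioning relies on. Assumes the DhcpServer module.
function Test-AmtDhcpPrerequisites {
    param([string] $ComputerName = $env:COMPUTERNAME)

    foreach ($scope in Get-DhcpServerv4Scope -ComputerName $ComputerName) {
        $id = $scope.ScopeId

        # Options can be set per scope or inherited from the server level; check both.
        $dns = Get-DhcpServerv4OptionValue -ComputerName $ComputerName -ScopeId $id -OptionId 6 -ErrorAction SilentlyContinue
        if (-not $dns) { $dns = Get-DhcpServerv4OptionValue -ComputerName $ComputerName -OptionId 6 -ErrorAction SilentlyContinue }
        $domain = Get-DhcpServerv4OptionValue -ComputerName $ComputerName -ScopeId $id -OptionId 15 -ErrorAction SilentlyContinue
        if (-not $domain) { $domain = Get-DhcpServerv4OptionValue -ComputerName $ComputerName -OptionId 15 -ErrorAction SilentlyContinue }

        # DynamicUpdates is Always, OnClientRequest or Never; Never means no DNS records for the AMT controller.
        $dnsSetting = Get-DhcpServerv4DnsSetting -ComputerName $ComputerName -ScopeId $id

        $active = ($scope.State -eq 'Active')
        [pscustomobject]@{
            ScopeId        = $id
            Active         = $active
            DnsServers     = ($dns.Value -join ', ')
            DnsDomainName  = ($domain.Value -join ', ')
            DynamicUpdates = $dnsSetting.DynamicUpdates
            Ready          = $active -and ($null -ne $dns) -and ($null -ne $domain) -and ($dnsSetting.DynamicUpdates -ne 'Never')
        }
    }
}

# Usage: run on the DHCP server, or pass -ComputerName for a remote server.
Test-AmtDhcpPrerequisites | Format-Table -AutoSize
```

A scope with Ready set to False is the one to fix before provisioning: without option 006 and 015 the AMT controller cannot resolve the site system names, and without dynamic DNS updates the site cannot resolve the controller's address.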

Step 3: Create and issue the PKI certificates.

Ensure that you have configured the following:

  • The web server certificate for the enrollment point.

  • The AMT provisioning certificate.

  • The AMT web server certificate template.

  • For wireless management only: The AMT client authentication certificate template.

To configure the web server certificate for the enrollment point, see the Deploying the Web Server Certificate for Site Systems that Run IIS section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

To configure the certificates for AMT, see the Deploying the Certificates for AMT section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

Step 4: Configure the site system roles for AMT.

Install and configure the following site system roles:

  • The enrollment point.

  • The out of band service point.

See the following procedure Step 4: Configuring the Enrollment Point and Out of Band Service Point for AMT Provisioning in this topic.

Step 5: Configure the out of band management component.

Specify settings such as the OU and security group that you configured in step 1, the certificate templates that you configured in step 3, and AMT User Accounts if you want to run the out of band management console.

See the following procedure Step 5: Configuring the Out of Band Management Component in this topic.

Step 6: Optional: Configure the site to send power on commands for scheduled wake-up activities.

Powering on computers by using out of band management allows computers assigned to the site to come out of hibernation so that they can respond to scheduled management tasks.

See the following procedure Step 6: Configuring the Site to Send Power on Commands for Scheduled Wake-Up Activities in this topic.

Step 7: Display the AMT Status and enable AMT provisioning.

If necessary, create a new collection to contain the AMT-based computers that you want to provision.

Optional but recommended: Add the AMT Status to the Configuration Manager console.

Select Enable AMT provisioning for AMT-based computers in the collection properties.

See the following procedure Step 7: Displaying the AMT Status and Enabling AMT provisioning in this topic.

Step 8: Monitor the AMT provisioning process.

When the Configuration Manager client next downloads client policy, it sends a provisioning request to the out of band service point. If provisioning fails, it automatically retries according to the provisioning schedule that is configured in the out of band management component properties.

See the following procedure Step 8: Monitoring AMT Provisioning in this topic.

Supplemental Procedures to Provision and Configure AMT-based Computers

Use the following information when the steps in the preceding table require supplemental procedures.

Step 4: Configuring the Enrollment Point and Out of Band Service Point for AMT Provisioning

These procedures configure the site system roles for AMT provisioning. Choose one of these procedures according to whether you install a new site system server for AMT provisioning or use an existing site system server:

To install and configure the AMT provisioning site systems: New site system server

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, and click Servers and Site System Roles.

  3. On the Home tab, in the Create group, click Create Site System Server.

  4. On the General page, specify the general settings for the site system, and then click Next.

  5. On the System Role Selection page, select Out of band service point and Enrollment point from the list of available roles, and then click Next.

    Note

    The roles are not available for secondary sites. In addition, the out of band service point cannot be installed on more than one site system in the primary site.

  6. On the Out of band service point page, do not change the default settings for the scheduled power on commands unless you have to fine-tune these for your network infrastructure. Click Next.

  7. On the AMT Provisioning Certificate page, click Browse to select the AMT provisioning certificate that you created in step 3 in the preceding table. Or, type in the certificate thumbprint.

  8. Decide whether you have to clear the Enable CRL checking for the AMT provisioning certificate check box, and then click Next.

    Note

    Although the option to check the certificate revocation list (CRL) is more secure, if the out of band service point cannot access the CRL when you enable this option, the out of band service point does not provision computers for AMT. If your AMT provisioning certificate is from an external CA, the out of band service point must have direct Internet access when you enable CRL checking, because this option does not support web proxy access.

  9. On the Enrollment Point Settings page, review the settings. Keep the default settings unless you must change them for your environment. Click Next.

  10. Complete the wizard.

To install and configure the AMT provisioning site systems: Existing site system server

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, select Servers and Site System Roles, and then select the server that you want to use for AMT provisioning.

  3. On the Home tab, in the Create group, click Add Site System Roles.

  4. On the General page, specify the general settings for the site system, and then click Next.

  5. On the System Role Selection page, select Out of band service point and Enrollment point from the list of available roles, and then click Next.

    Note

    The roles are not available for secondary sites. In addition, the out of band service point cannot be installed on more than one site system in the primary site.

  6. On the Out of band service point page, do not change the default settings for the scheduled power on commands unless you have to fine-tune these for your network infrastructure. Click Next.

  7. On the AMT Provisioning Certificate page, click Browse to select the AMT provisioning certificate that you created in step 3 in the preceding table. Or, type the certificate thumbprint.

  8. Decide whether you must clear the Enable CRL checking for the AMT provisioning certificate check box, and then click Next.

    Note

    Although the option to check the CRL is more secure, if the out of band service point is unable to access the CRL, AMT provisioning will fail. If your AMT provisioning certificate is from an external CA, the out of band service point must have Internet access.

  9. On the Enrollment Point Settings page, review the settings. Keep the default settings unless you need to change them for your environment. Click Next.

  10. Complete the wizard.
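Both procedures above note that provisioning fails when CRL checking is enabled and the out of band service point cannot reach the CRL, and that an external CA's CRL must be reachable without a web proxy. The following PowerShell function is an added example (not part of this topic) to run on the out of band service point before you leave CRL checking enabled: it reads the CRL Distribution Points extension of the AMT provisioning certificate in the local computer Personal store and tries to download each HTTP distribution point directly, with no proxy. The thumbprint is a placeholder you replace with the certificate you selected in step 7; LDAP distribution points are not tested by this check.

```powershell
# Added example (not from the Configuration Manager documentation): verifies that the CRL
# distribution points of the AMT provisioning certificate are reachable without a proxy,
# which is what CRL checking on the out of band service point requires.
function Test-AmtProvisioningCertCrl {
    param([Parameter(Mandatory)][string] $Thumbprint)

    $wanted = $Thumbprint.Replace(' ', '').ToUpper()
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $wanted }
    if (-not $cert) { throw "Certificate with thumbprint $wanted not found in Cert:\LocalMachine\My" }

    # OID 2.5.29.31 is the CRL Distribution Points extension; Format() renders 'URL=...' lines.
    $cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdpExt) { throw 'Certificate has no CRL Distribution Points extension' }
    $urls = [regex]::Matches($cdpExt.Format($true), 'URL=(http[^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value }

    # Download directly, bypassing any system proxy, the way the service point fetches the CRL.
    $client = New-Object System.Net.WebClient
    $client.Proxy = $null

    foreach ($url in $urls) {
        $result = [pscustomobject]@{ Url = $url; Reachable = $false; Bytes = 0; Error = $null }
        try {
            $data = $client.DownloadData($url)
            $result.Bytes     = $data.Length
            $result.Reachable = ($data.Length -gt 0)
        } catch {
            $result.Error = $_.Exception.Message
        }
        $result
    }
}

# Usage (replace the placeholder with the provisioning certificate's thumbprint):
# Test-AmtProvisioningCertCrl -Thumbprint 'PLACEHOLDER_THUMBPRINT'
```

If every HTTP distribution point comes back unreachable, either publish the CRL somewhere the service point can reach it or clear Enable CRL checking for the AMT provisioning certificate; leaving the check enabled with an unreachable CRL stops provisioning for every computer in the site.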

Step 5: Configuring the Out of Band Management Component

This procedure configures the out of band management component.

To configure the Out of Band Management component

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration and then click Sites.

  3. On the Home tab, in the Settings group, click Configure Site Components, and then click Out of Band Management.

  4. Select the enrollment point that you configured in the preceding procedure.

  5. Specify the OU and then the universal group that you configured in step 1 in the preceding table.

  6. Specify the AMT web server certificate that you configured in step 3 in the preceding table.

  7. Decide whether to clear the check box for CRL checking.

    Note

    When this option is selected, computers that manage AMT-based computers out of band must be able to check the CRL for the AMT web server certificate before they can make a successful connection. By default, the CRL is published on the issuing CA. Although checking the CRL is more secure, if the CRL is not available, the connection fails. Computers that manage AMT-based computers include the site server and computers that run the out of band management console.

  8. Click Set to specify a strong password for the account in the Management Engine BIOS extension (MEBx) that is used for the initial authenticated access to manage AMT-based computers.

    Note

    The password is case sensitive and must be at least 8 characters, with a maximum of 32 characters, together with at least one each of an uppercase, a lowercase, a numeric, and a symbol character. Symbol characters include ! @ # $ % ^ & * and exclude : (colon) “ ” (double quotes) _ (underscore).

  9. Click the AMT Settings tab.

  10. Click the New icon to specify AMT User Accounts that will run the out of band management console. As a best practice, specify security groups rather than individual user accounts.

  11. Decide whether you must change the default manageability setting of Always on to Host is on.

    Note

    The setting Host is on can help to save power consumption for when the AMT-based computer is in standby or the operating system is shut down. It might also be required by your company policy. However, if you select Host is on and the AMT-based computer is in a power state that does not allow out of band communication, the AMT-based computer does not respond to out of band communication. In this scenario, there is no indication that you cannot connect to the AMT-based computer because it is configured for a power state that does not support manageability.

  12. Click Advanced settings and decide whether to change any of the default settings, and then click OK.

    Note

    More information about the advanced settings:

    • Enable web interface: Enables or disables the ability for the AMT-based computer to display firmware information in the AMT Web browser. This option is not enabled by default.

    • Enable serial over LAN and IDE redirection: Enables or disables the options for serial over LAN and IDE redirection on the AMT-based computer. This option is enabled by default.

    • Allow ping responses: Enables or disables responses by the AMT management controller to ICMP echo (ping) requests that are sent to it over the network. This option is not enabled by default.

    • Enable BIOS password bypass for power on and restart commands: Enables or disables the ability to bypass a BIOS prompt for a configured password when powering on an AMT-based computer or restarting it. By default, this option is enabled.

    • Kerberos clock tolerance (minutes): Specifies the allowed clock tolerance between the management controller and the timestamp in received messages. Having a shorter value helps eliminate replay attacks, but too short a value might result in valid connections being rejected. The default setting is 5 minutes.

  13. Click Audit Log Settings. Review the AMT features to audit, decide whether to change any of the default settings, and then click OK.

    Note

    Selecting the features to audit does not enable auditing. You can enable auditing on selected AMT-based computers after they are provisioned. For more information, see To enable auditing and update audit settings on AMT-based computers.

  14. Click the Provisioning tab.

  15. If you have to specify an AMT Discovery and Provisioning Account, click the New icon to specify one or more accounts.

    Note

    Specify an AMT Provisioning and Discovery Account if any one of the following conditions applies:

    • The AMT-based computer has never been provisioned, and your manufacturer delivered the computer with a customized MEBx password. (It is not admin.) When this is the case, add an AMT Provisioning and Discovery Account named admin and specify the password that was provided by the manufacturer.

    • The AMT-based computer has never been provisioned, and your manufacturer delivered the computer with the default MEBx password of admin, but you have configured the MEBx password in the computer’s BIOS extensions. When this is the case, add an AMT Provisioning and Discovery Account named admin and specify the password that you configured in the BIOS extensions.

    • The AMT-based computer has been previously provisioned by another AMT management solution, and the provisioning information has been partially removed (either by that management solution or by locally configuring the BIOS extensions). When this is the case, and you want to discover or provision these computers by using Configuration Manager, add an AMT Provisioning and Discovery Account named admin and specify the password for the AMT Remote Admin Account that was configured by the other management solution.

  16. Configure the AMT provisioning schedule.

  17. Click Set to specify the AMT Provisioning Removal Account. Specify a Windows account that is specified as an AMT User Account in step 10. You must also add this account to the local Administrators group on the out of band service point computer.

    Note

    If you must recover the site, you can use this account to remove the AMT provisioning information from computers, and then reprovision them.

    For more information about how to remove AMT provisioning information, see How to Remove AMT Information.

  18. If you want to manage AMT-based computers when they are connected to authenticated wired and wireless 802.1X networks, click the 802.1X and Wireless tab; otherwise, click OK to close the Out of Band Management Component Properties dialog box.

  19. To configure 802.1X authentication for wired networks, select Enable 802.1X authentication for wired network access, and then click Configure.

  20. In the 802.1X Wired Network Access Control dialog box, click Select to select the Trusted root certificate.

  21. In the Trusted Root Certificate for RADIUS Authentication dialog box, specify the trusted root certificate by using one of the following methods, and then click OK:

    • To specify the trusted root certificate by selecting an enterprise CA from the forest, ensure that From certification authority (CA) is selected, and select the CA from the list.

    • To specify the trusted root certificate by selecting a DER encoded binary X.509 (.cer) or base-64 encoded X.509 (.cer) file that contains the exported trusted root certificate, click From file, click Browse, select the .cer file, and then click Open.

  22. In the drop-down box, select the client authentication method to use.

  23. If you selected the client authentication method of EAP-TTLS/MSCHAPv2 or PEAPv0/EAP-MSCHAPv2, click Use client certificate if you also want to use a client certificate for authentication.

  24. If Use client certificate is selected, click Select, specify the Issuing CA to use for the client certificate and the RADIUS client certificate template that you created in step 3 in the preceding table, and then click OK.

  25. If you do not have to configure wireless settings, click OK to close the Out of Band Management Component Properties dialog box.

  26. To create and configure a wireless profile, click the New icon.

  27. In the Wireless Profile dialog box, type a display name for the Profile name.

  28. Type the name of the wireless network in the Network name (SSID).

  29. Specify the security type in the Security type box.

  30. Specify the encryption method in the Encryption method box.

  31. Click Select to specify the trusted root certificate for the RADIUS server.

  32. In the Trusted Root Certificate for RADIUS Authentication dialog box, specify the trusted root certificate by using one of the following methods, and then click OK:

    • To specify the trusted root certificate by selecting an enterprise CA from the forest, ensure that From certification authority (CA) is selected, and select the CA from the list.

    • To specify the trusted root certificate by selecting a DER encoded binary X.509 (.cer) or base-64 encoded X.509 (.cer) file that contains the exported trusted root certificate, click From file, click Browse, select the .cer file, and then click Open.

  33. In the drop-down box, select the client authentication method to use.

  34. If you selected the client authentication method of EAP-TTLS/MSCHAPv2 or PEAPv0/EAP-MSCHAPv2, click Use client certificate if you also want to use a client certificate for authentication.

  35. If Use client certificate is selected, click Select, specify the Issuing CA to use for the client certificate and the RADIUS client certificate template that you created in step 3 in the preceding table, and then click OK.

  36. Create additional wireless profiles as required.

  37. To change the order of the wireless profiles, select a wireless profile, and then click the Move Item Down icon or the Move Item Up icon. The AMT-based computers try each wireless profile in turn until a connection is successfully made, and they continue to use this profile for the duration of the connection.

  38. If you must change the settings of a wireless profile, select the wireless profile, and then click the Properties icon.

  39. Click OK to close the Out of Band Management Component Properties dialog box.
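Step 8 of the procedure above requires a strong MEBx password with specific composition rules. The following PowerShell functions are an added example (not part of this topic or of Configuration Manager): one checks a candidate against those rules (8 to 32 characters; at least one uppercase, lowercase, numeric and symbol character; no colon, double quote or underscore), the other generates a compliant password from the system cryptographic random number generator. The check assumes that the accepted symbols are exactly those the note lists (! @ # $ % ^ & *) and rejects any other character, which is a conservative reading of the note.

```powershell
# Added example (not from the Configuration Manager documentation): validate and generate
# MEBx passwords according to the rules in step 8. Assumption: only the symbols the note
# lists are accepted; other punctuation is rejected rather than guessed at.
function Test-MebxPassword {
    param([Parameter(Mandatory)][string] $Password)

    $reasons = New-Object System.Collections.Generic.List[string]
    if ($Password.Length -lt 8 -or $Password.Length -gt 32) { $reasons.Add('length must be 8 to 32 characters') }
    if ($Password -cnotmatch '[A-Z]')        { $reasons.Add('needs an uppercase letter') }
    if ($Password -cnotmatch '[a-z]')        { $reasons.Add('needs a lowercase letter') }
    if ($Password -notmatch  '[0-9]')        { $reasons.Add('needs a digit') }
    if ($Password -notmatch  '[!@#$%^&*]')   { $reasons.Add('needs one of ! @ # $ % ^ & *') }
    if ($Password -match     '[:"_]')        { $reasons.Add('contains a forbidden character (: " _)') }
    if ($Password -cnotmatch '^[A-Za-z0-9!@#$%^&*]+$') { $reasons.Add('contains a character outside the accepted set (assumption)') }

    [pscustomobject]@{
        Valid   = ($reasons.Count -eq 0)
        Reasons = ($reasons -join '; ')
    }
}

function New-MebxPassword {
    param([int] $Length = 16)

    # 26 + 26 + 10 + 8 = 70 characters; 210 is the largest multiple of 70 that fits in a byte.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $chars = New-Object System.Collections.Generic.List[char]
        while ($chars.Count -lt $Length) {
            $b = New-Object byte[] 1
            $rng.GetBytes($b)
            # Rejection sampling keeps every character equally likely.
            if ($b[0] -lt 210) { $chars.Add($alphabet[$b[0] % 70]) }
        }
        $candidate = -join $chars.ToArray()
    } until ((Test-MebxPassword -Password $candidate).Valid)   # retry until all classes are present
    $candidate
}

# Usage:
#   Test-MebxPassword -Password 'Weak_pass1'     # Valid = False (underscore, no symbol)
#   $p = New-MebxPassword -Length 20; Test-MebxPassword -Password $p   # Valid = True
```

Generate the password on an administrative workstation, paste it into the Set dialog, and store it in your password vault; the same value must later be entered at the MEBx prompt if you ever reset a controller by hand, so losing it means reprovisioning from the BIOS extensions.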

Step 6: Configuring the Site to Send Power on Commands for Scheduled Wake-Up Activities

This procedure enables the primary site server to send power on commands to AMT-based computers when they have scheduled deployments and these computers are in hibernation or are turned off.

To configure the site to send power on commands for scheduled wake-up activities

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, click Sites, and select the primary site to configure.

  3. On the Home tab, click Properties, and then click the Wake On LAN tab.

  4. Select the Enable Wake On LAN for this site check box, and then select one of the following options:

    - **Use AMT power on commands if the computer supports this technology; otherwise, use wake-up packets**
    
    - **Use AMT power on commands only**
    

    Warning

    After configuring the wake-up option for the site, all deployments that are configured for Wake On LAN use the same setting. You cannot configure which deployments to use on an individual basis; for example, you cannot configure only software update deployments to use wake-up packets only or a specific task sequence to use power on commands only.

  5. Click OK.

Note

Because of the additional overhead involved in establishing, maintaining, and terminating an out of band management session, conduct your own tests so that you can accurately judge how long it takes to wake up multiple computers by using AMT power on commands in your environment, for example, across slow WAN links to computers in secondary sites. This knowledge helps you determine whether waking up multiple computers for scheduled activities by using power on commands with out of band communication is practical when you have a high number of computers to wake up within a short period of time.

Step 7: Displaying the AMT Status and Enabling AMT provisioning

This procedure adds the AMT Status column to the Configuration Manager console and enables AMT provisioning.

To display the AMT status column in the Configuration Manager console and enable AMT provisioning for a collection

  1. In the Configuration Manager console, click Assets and Compliance.

  2. In the Assets and Compliance workspace, expand Devices, and select the device collection that contains the AMT-based computers.

  3. In the results pane, right-click any column title, and select AMT Status.

  4. On the Home tab, in the Collection group, click Manage out of Band, and then click Discover AMT Status. Click OK to confirm the action.

  5. On the Home tab, click Properties.

  6. In the collection properties dialog box, click the Out of Band Management tab.

  7. Select Enable provisioning for AMT-based computers, and then click OK.

  8. If you have configured out of band management for 802.1X authenticated wired connections or 802.1X wireless connections, ensure that one of the following network connections is in operation for the AMT-based computers:

    - The computer is connected to an Ethernet port on which 802.1X authentication is not required.

    - The computer is connected to an 802.1X authenticated network through the operating system.

    In addition, for out of band management on wireless networks, check that your DNS servers have a host record for the AMT-based computer that contains its wireless IP address. AMT cannot register a host record in DNS, so you must ensure that either DHCP or the operating system on the host computer updates DNS so that the wireless IP address of each AMT-based computer can be resolved to its fully qualified domain name (FQDN). Alternatively, you can manually create these records in DNS as required.

Step 8: Monitoring AMT Provisioning

Although you can manually discover the current status by using the Discover AMT Status option, the value also updates automatically after the AMT provisioning process.

Monitor the AMT status by using any of the following methods:

  • View the AMT Status column in the Configuration Manager console.

  • Create query-based collections by using the AMT Status value.

  • View the report Computers with out of band management controllers.

For more information about the AMT status, see About the AMT Status and Out of Band Management in Configuration Manager.

How to Verify That Computers are Provisioned for 802.1X Network Connections

Because the settings for 802.1X are applied after the AMT-based computer is provisioned on an unauthenticated Ethernet connection, the AMT Status of Provisioned does not confirm that the computer can be managed out of band on a wireless or wired 802.1X network connection. Use the following procedure to verify that the settings for 802.1X are successfully applied.

To verify whether AMT-based computers are configured for authenticated wired and wireless network connections

  1. On the out of band service point, locate and open the file <ConfigMgrInstallationPath>\Logs\Amtopmgr.log.

  2. Search for one of the following text strings, where <wireless_profile> is the specified name of the wireless profile:

    - To confirm that the authenticated wired settings were successfully configured, search for **Begin to set Wired 8021x Profile...**, and then **Set Wired 8021x Profile Success...**.

    - To confirm that the wireless profile settings were successfully configured, search for **Set wireless profile: <wireless_profile>**, and then **Successfully add wireless profile <wireless_profile>**.

    - To identify a failure in configuring a wireless profile because a specified configuration element failed (for example, a client certificate was specified but could not be issued), search for **Set wireless profile: <wireless_profile>**, the reason for the failure (for example, **No client Certificate**), and then **The wireless profile: <wireless_profile> is invaid. Skip adding...**.

    - To identify a failure in updating wireless profiles because the AMT-based computer is currently on a wireless connection, search for **The wireless connection is active, skip setting wifi profiles**.

    
  3. Close the log file and take corrective action if the settings were not successfully applied.
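Searching Amtopmgr.log by hand works for one computer; for a collection it is easier to let a script apply the strings above. The following PowerShell function is an added example (not part of this topic) that parses Configuration Manager log entries (the `<![LOG[...]LOG]!><time=... date=...>` format that Amtopmgr.log uses) and reports, per profile, whether the wired 802.1X profile and each wireless profile were applied, failed (with the reason lines logged between the "Set wireless profile" entry and the failure), or were skipped. The sample entries at the end are constructed for the example and are not from a real site log; point -Path at `<ConfigMgrInstallationPath>\Logs\Amtopmgr.log` to scan a real log. Log messages are matched verbatim, including the "invaid" spelling the product writes.

```powershell
# Added example (not from the Configuration Manager documentation): summarize 802.1X and
# wireless profile results from Amtopmgr.log using the strings listed in this procedure.
function Get-AmtNetworkProfileStatus {
    param(
        [string[]] $Lines,      # log lines already read into memory
        [string]   $Path        # or a log file to read
    )
    if ($Path) { $Lines = Get-Content -Path $Path }

    $entryRegex = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)"'
    $results     = New-Object System.Collections.Generic.List[object]
    $wiredBegun  = $false
    $wiredDone   = $false
    $current     = $null                                        # wireless profile being set
    $reasons     = New-Object System.Collections.Generic.List[string]

    function Add-Result($when, $profile, $status, $detail) {
        $results.Add([pscustomobject]@{ Time = $when; Profile = $profile; Status = $status; Detail = $detail })
    }

    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $entryRegex)
        if (-not $m.Success) { continue }                       # not a log entry (or a wrapped line)
        $msg  = $m.Groups['msg'].Value
        $when = '{0} {1}' -f $m.Groups['date'].Value, $m.Groups['time'].Value

        switch -Regex ($msg) {
            '^Begin to set Wired 8021x Profile'  { $wiredBegun = $true; break }
            '^Set Wired 8021x Profile Success'   { $wiredDone = $true; Add-Result $when '(wired 802.1X)' 'Applied' $msg; break }
            '^Set wireless profile: (?<p>.+)$'   { $current = $Matches['p']; $reasons.Clear(); break }
            '^Successfully add wireless profile (?<p>.+)$' {
                Add-Result $when $Matches['p'] 'Applied' $msg; $current = $null; break }
            '^The wireless profile: (?<p>.+?) is invaid\. Skip adding' {
                Add-Result $when $Matches['p'] 'Failed' ($reasons -join '; '); $current = $null; break }
            '^The wireless connection is active, skip setting wifi profiles' {
                Add-Result $when '(all wireless)' 'Skipped' $msg; break }
            default { if ($current) { $reasons.Add($msg) } }    # e.g. "No client Certificate"
        }
    }
    if ($wiredBegun -and -not $wiredDone) { Add-Result '' '(wired 802.1X)' 'Failed' 'Begin seen without Success' }
    $results
}

# Constructed sample entries in Configuration Manager log format (not from a real log).
$sampleLog = @(
    '<![LOG[Begin to set Wired 8021x Profile...]LOG]!><time="10:15:20.001+000" date="05-14-2015" component="AMTOPMGR" context="" type="1" thread="4712" file="example.cpp:1">'
    '<![LOG[Set Wired 8021x Profile Success...]LOG]!><time="10:15:21.002+000" date="05-14-2015" component="AMTOPMGR" context="" type="1" thread="4712" file="example.cpp:2">'
    '<![LOG[Set wireless profile: CorpWiFi]LOG]!><time="10:15:22.003+000" date="05-14-2015" component="AMTOPMGR" context="" type="1" thread="4712" file="example.cpp:3">'
    '<![LOG[Successfully add wireless profile CorpWiFi]LOG]!><time="10:15:23.004+000" date="05-14-2015" component="AMTOPMGR" context="" type="1" thread="4712" file="example.cpp:4">'
    '<![LOG[Set wireless profile: GuestWiFi]LOG]!><time="10:15:24.005+000" date="05-14-2015" component="AMTOPMGR" context="" type="1" thread="4712" file="example.cpp:5">'
    '<![LOG[No client Certificate]LOG]!><time="10:15:24.006+000" date="05-14-2015" component="AMTOPMGR" context="" type="3" thread="4712" file="example.cpp:6">'
    '<![LOG[The wireless profile: GuestWiFi is invaid. Skip adding...]LOG]!><time="10:15:24.007+000" date="05-14-2015" component="AMTOPMGR" context="" type="2" thread="4712" file="example.cpp:7">'
)

Get-AmtNetworkProfileStatus -Lines $sampleLog | Format-Table -AutoSize
# Expected rows: (wired 802.1X) Applied; CorpWiFi Applied; GuestWiFi Failed with Detail "No client Certificate".
```

A Failed row with "No client Certificate" points back to step 3 and to the client authentication certificate template: confirm that the template is published on the issuing CA and that the enrollment point can request it, then let the next provisioning cycle retry.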