How to Manage AMT Provisioning Information in Configuration Manager

After you have provisioned Intel AMT-based computers for System Center 2012 Configuration Manager, you might have to update the AMT settings or remove the provisioning data.

Use the following sections to manage the AMT provisioning information on AMT-based computers:

How to Update Computers for New AMT Settings
How to Remove AMT Information

How to Update Computers for New AMT Settings

After AMT-based computers are provisioned by Configuration Manager, you must update their AMT management controller if you change any of the AMT settings or configurations. For example, you might want to add support for wireless networks after a successful trial period on the Ethernet. Computers that are already provisioned for AMT are not automatically reconfigured.

Note
If you manage AMT-based computers on 802.1X authenticated wired or wireless networks, you can update the AMT management controllers when the computers are connected to these networks, with the exception of settings in a wireless profile that is currently in use.

To update computers for new AMT settings

In the Configuration Manager console, click Assets and Compliance.
In the Assets and Compliance workspace, locate, and then select the AMT-based computers to update.
On the Home tab, in the Device group, click Manage Out of Band, click Update AMT Provisioning Data, and then click OK.

How to Remove AMT Information

You might have to remove the AMT provisioning information because you no longer want the computer managed out of band by Configuration Manager. Or, you no longer trust the computer and decide that its associated certificates and Active Directory account should no longer be available. Another scenario is if you rename a computer that is already provisioned for AMT by Configuration Manager or move the computer to another domain, or you want to reassign the computer to another Configuration Manager site.

Warning
For more information about renaming or moving AMT-based computers, see Renaming AMT-Based Computers and Domain Changes in this topic. For more information about how to reassig AMT-based computers, see Reassigning AMT-Based Computers to Another Configuration Manager Site in this topic.

You have the following options when you use Configuration Manager to remove provisioning information from an AMT-based computer:

You can remove the configuration data for the management controller including whether IDE redirection and serial over LAN are enabled, network pings are supported, and the web interface is enabled, but keep identification information about the computer including its host name, IP address, and DNS suffix.
You can remove both the configuration data and the identification information from the computer.

Additionally, the following actions are performed when you remove provisioning information:

The primary site server revokes the certificate that was issued to the AMT-based computer when it was provisioned. The revocation reason is Cease of Operation.
The primary site server removes the Active Directory objects that were created during AMT provisioning: The object published to the organizational unit (OU) and the computer account added to the universal security group.
The primary site server deletes the service principal name (SPN) for the AMT-based computer.

By default, AMT-based computers automatically reprovision with Configuration Manager if they are in a collection that is configured for the option Enable AMT provisioning. To prevent automatic provisioning, select the option Disable automatic provisioning when you remove provisioning information for the computer.

Note
If you disable automatic reprovisioning and later want to automatically provision these AMT-based computers, right-click the resource, click Manage Out of Band, and then click Enable Automatic AMT Provisioning. If you reassign the client to another Configuration Manager hierarchy that is configured for AMT provisioning, the automatic AMT provisioning status Disabled is not carried forward to the new hierarchy.

Note

If you disable automatic reprovisioning and later want to automatically provision these AMT-based computers, right-click the resource, click Manage Out of Band, and then click Enable Automatic AMT Provisioning. If you reassign the client to another Configuration Manager hierarchy that is configured for AMT provisioning, the automatic AMT provisioning status Disabled is not carried forward to the new hierarchy.

Use the following procedure to remove provisioning information for an AMT-based computer if you no longer want to manage it out of band with Configuration Manager. After you complete the procedure, to confirm that this action is successful, check that the AMT status for the computer changes from Provisioned to Not Provisioned. This check is particularly important if you are removing the provisioning information because the AMT-based computer is no longer trusted. If the status remains as Provisioned, you must manually delete the associated AMT account in Active Directory Domain Services and manually revoke any out of band management certificates that have been issued to the computer.

Important
If the AMT audit log is enabled on the AMT-based computer, clear the log before you remove the AMT provisioning information. For more information, see To clear the audit log on AMT-based computers.

To remove AMT provisioning information

In the Configuration Manager console, click Assets and Compliance.
In the Assets and Compliance workspace, locate and select the AMT-based computers to update.
On the Home tab, in the Device group, click Manage Out of Band, and then click Remove AMT Provisioning Data.
Select a data removal option.
If you want to prevent the AMT-based computer from automatically reprovisioning, select Disable automatic provisioning.

If you are removing the AMT provisioning information because you have recovered the site, select Use AMT Provisioning Removal Account. You might also be able to use this account if you have reassigned the AMT-based computer from another site and did not remove the provisioning information in the original site. For example, this might apply if you are migrating from Configuration Manager 2007.

Note
To successfully remove the AMT provisioning information by using the AMT Provisioning Removal Account, the following must be true: The AMT Provisioning Removal Account is configured in the out of band management component properties. If this account is not configured, the option to select this account is not available. The account that is configured for the AMT Provisioning Removal Account was configured as an AMT User Account in the out of band management component properties when the AMT-based computer was provisioned or updated. The account that is configured for the AMT Provisioning Removal Account is a member of the local Administrators group on the out of band service point computer. The AMT auditing log does not contain any data. When the AMT Status for the selected AMT-based computer is Detected rather than Provisioned, this option is always selected when the AMT Provisioning Removal Account is configured because in this scenario, you must use the AMT Provisioning Removal Account.

Note

To successfully remove the AMT provisioning information by using the AMT Provisioning Removal Account, the following must be true:

The AMT Provisioning Removal Account is configured in the out of band management component properties. If this account is not configured, the option to select this account is not available.
The account that is configured for the AMT Provisioning Removal Account was configured as an AMT User Account in the out of band management component properties when the AMT-based computer was provisioned or updated.
The account that is configured for the AMT Provisioning Removal Account is a member of the local Administrators group on the out of band service point computer.
The AMT auditing log does not contain any data.

When the AMT Status for the selected AMT-based computer is Detected rather than Provisioned, this option is always selected when the AMT Provisioning Removal Account is configured because in this scenario, you must use the AMT Provisioning Removal Account.

Click OK.

Renaming AMT-Based Computers and Domain Changes

If you rename a computer that Configuration Manager already provisioned for AMT or move the computer to another domain, you must remove all the provisioning information from the AMT-based computer, and then provision the computer again. You can remove the provisioning information either before renaming or moving the computer or after renaming or moving the computer. However, do not provision the computer again until the name change or domain move is completed. If you fail to perform these procedures, the AMT-based computer cannot be managed out of band after the change of name or domain move.

When you remove the provisioning information, select the option to remove both configuration data and identification information from the management controller; and select the Disable automatic provisioning option and re-enable it after the name change or domain move has taken place.

Reassigning AMT-Based Computers to Another Configuration Manager Site

If you reassign an AMT-based computer to another Configuration Manager site, you must remove the AMT provisioning information and then provision the computer again in the new site. Until you do this, you cannot connect to the AMT-based computer in the new site. In this scenario, the AMT Status displays Detected.

As a best practice, use the preceding procedure in this topic to remove the provisioning information while the computer is in the original site. If this is not possible, you can manually remove the provisioning information by configuring the BIOS extensions. Alternatively, if one of the AMT User Accounts on the AMT-based computer is configured for a Windows account that is configured as the AMT Provisioning Removal Account in the new site, you can remove the provisioning information after the Configuration Manager client is assigned to the new site.