Out of band management in System Center 2012 Configuration Manager provides a powerful management control for computers that have the Intel vPro chip set and a version of Intel Active Management Technology (Intel AMT) that Configuration Manager supports.

Out of band management lets an administrative user connect to a computer's AMT management controller when the computer is turned off, in hibernation, or otherwise unresponsive through the operating system. In contrast, in-band management is the classic approach that Configuration Manager and its predecessors use, whereby an agent runs in the full operating system on the managed computer, and the management controller accomplishes tasks by communicating with the management agent.

Out of band management supplements in-band management. While in-band management supports a wider range of operations because its environment is the full operating system, in-band management might not be functional if the operating system is not present or is not operational. In these situations, by using the supplementary capabilities of out of band management, administrative users can manage these computers without requiring local access to the computer.

Out of band management tasks include the following:

These out of band management tasks are supported on an unauthenticated, wired connection, and an authenticated 802.1X wired connection, and wireless connection. Out of band management also has the following additional features:

For example scenarios of how out of band management can be used, see Example Scenarios for Using Out of Band Management in Configuration Manager. For more

Some of the preceding tasks are performed from the Configuration Manager console, while others require running the out of band management console that is supplied with Configuration Manager. Out of band management uses Windows remote management technology (WS-MAN) to connect to the AMT management controller on a computer.

Note
Out of band management is not supported for clients that are managed over the Internet with Internet-based client management. Configuration Manager clients that are blocked or unapproved by Configuration Manager cannot be managed out of band.

The following table outlines the options and features that out of band management provides in Configuration Manager.

Feature or scenario More information

Security-based management

Out of band management integrates with an internal public key infrastructure (PKI) by using the following certificates:

  • A provisioning certificate that is installed on the out of band service point, which allows computers to be configured for out of band management.

  • A web server certificate that is installed on the enrollment point for secured communication with the out of band service point during the provisioning process.

  • A web server certificate that is installed on each computer that is managed out of band so that communication is authenticated and is encrypted by using Transport Layer Security (TLS).

  • Client certificates, if required for 802.1X authentication.

For more information about these certificates, see PKI Certificate Requirements for Configuration Manager.

Administrators must be authenticated by using Kerberos before they can manage computers by using the out of band management console.

Out of band management activity is recorded and auditable by using an audit log on the AMT-based computers.

Support for 802.1X authenticated wired networks and wireless networks:

  • Authenticated wired 802.1X support: client authentication options of EAP-TLS or EAP-TTLS/MSCHAPv2 or PEAPv0/EAP-MSCHAPv2.

  • Wireless support: WPA and WPA2 security, AES or TKIP encryption, client authentication options of EAP-TLS or EAP-TTLS/MSCHAPv2 or PEAPv0/EAP-MSCHAPv2.

AMT provisioning

Enables and configures Intel AMT-based computers that are running the Configuration Manager client.

Enhanced inventory data

Provides hardware inventory data from the AMT chip, such as asset tag, BIOS UUID, power state, processor, memory, and drive information.

Identify AMT management controllers

Identifies computers with an AMT management controller and its provisioning status.

This information can be used to build query-based collections to group computers for out of band management activities, such as provisioning and power control.

Power control

Enables power on, power off, and restart capabilities for a single computer, selected computers, or a collection of computers.

Computers can also be woken up by scheduled software deployments that have a scheduled deadline.

Out of band management console

A dedicated management console that is run from the Configuration Manager console, or at a command prompt, to initiate out of band management tasks, including IDE redirection and serial-over-LAN sessions.

Note
Capabilities might vary depending on the manufacturer of the managed computer. For example, IDE redirection and serial-over-LAN capability can be disabled by the manufacturer.

IDE redirection

Enables the computer to boot from a boot image file or locally connected device rather than from its disk IDE interface. This is useful for diagnosing, repairing, or imaging a hard disk drive.

Serial over LAN

Serial-over-LAN technology encapsulates the data from a virtual serial port and sends it over the existing network connection that the out of band management console established.

Serial-over-LAN technology lets you run a terminal emulation session for the managed computer, in which you can run commands and character-based applications. For example, this might include reconfiguring the BIOS, or working in conjunction with IDE redirection, you can update the firmware or run diagnostic tools.

Extending Out of Band Management in Configuration Manager

For additional technical information to support and extend out of band management in Configuration Manager, see Intel’s application offerings on the Microsoft Pinpoint site.

What’s New in Configuration Manager

See Also