Example Scenario for Implementing Out of Band Management in Configuration Manager 2012

Updated: May 1, 2011

The following sections in this topic provide an example scenario for implementing Out of Band Management in Configuration Manager 2012, by using a three-phased approach: a pilot with a few computers, a full rollout, and extending management to wireless networks.

In the following scenario, Trey Research is interested in using Out of Band Management to more efficiently troubleshoot computers that fail to boot or stop responding, require powering on for routine maintenance, or require the reconfiguration of the BIOS settings. This company has Intel AMT-based computers with versions of AMT that are supported by Configuration Manager 2012, but they do not have customized firmware that includes the certificate thumbprint of their own internal root CA.

Trey Research has a single Configuration Manager 2012 primary site and all the internal computers reside in the testnet.treyresearch.net domain. The company already has a public key infrastructure (PKI) that uses Windows Server 2008 Certificate Services, with an enterprise certification authority running Windows Server 2008 Enterprise Edition.

Adam is the Configuration Manager administrator who has been asked to implement Out of Band Management by using a three-phase approach. He will first test the functionality by using a small number of desktop computers and without purchasing a provisioning certificate from an external CA. If the testing goes well, Adam can purchase an AMT provisioning certificate and provision all the AMT desktop computers. For the final deployment phase, Adam is to extend the out of band management to laptops that use the wireless network.

Pilot: A Few Computers that Use Certificate Services (Internal CA) for the Provisioning Certificate

For the pilot phase to implement and test Out of Band Management, Adam takes the course of action outlined in the following table.


Process | Reference

Adam checks the prerequisites for Out of Band Management and decides to create a site system server on which he will install the out of band service point and the enrollment point. This computer has the fully qualified domain name (FQDN) of server15.testnet.treyresearch.net.

Adam also confirms that the existing DHCP and DNS configuration meets the requirements for AMT.

For more information about the prerequisites, see Prerequisites for Out of Band Management in Configuration Manager 2012.

Adam works with his Active Directory service administrators to create the following Windows security groups:

  • A group named ConfigMgr Out of Band Service Points that contains server15.

  • A group named ConfigMgr Primary Site Servers that contains the primary site server computer account.

  • A universal security group named ConfigMgr AMT Computers that will contain the AMT computer accounts.

They then create an OU in the testnet.treyresearch.net domain for the published AMT-based computer accounts, and grant the newly created group ConfigMgr Primary Site Servers the following permissions to this OU: Create Computer Objects and Delete Computer Objects.

For more information about how to create groups and OUs, refer to the Active Directory Domain Services documentation.
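The group and OU preparation above, scripted so that the delegation is limited to exactly the two permissions the scenario names. This is an added example, not code from the Configuration Manager documentation. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later) and an account that may create groups and OUs; the OU name "AMT Computers", the global scope of the first two groups, and the site server name "siteserver01" are assumptions, since the scenario does not state them.

```powershell
# Added example; not from the Configuration Manager documentation.
# Assumptions: ActiveDirectory module available, OU named "AMT Computers",
# first two groups global in scope, primary site server named "siteserver01".
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain -Identity 'testnet.treyresearch.net').DistinguishedName
$usersDn  = "CN=Users,$domainDn"

# 1. Security groups. The scenario only requires the AMT computers group to be universal;
#    the scope of the other two is an assumption here.
New-ADGroup -Name 'ConfigMgr Out of Band Service Points' -GroupScope Global    -GroupCategory Security -Path $usersDn
New-ADGroup -Name 'ConfigMgr Primary Site Servers'       -GroupScope Global    -GroupCategory Security -Path $usersDn
New-ADGroup -Name 'ConfigMgr AMT Computers'              -GroupScope Universal -GroupCategory Security -Path $usersDn

Add-ADGroupMember -Identity 'ConfigMgr Out of Band Service Points' -Members (Get-ADComputer 'server15')
Add-ADGroupMember -Identity 'ConfigMgr Primary Site Servers'       -Members (Get-ADComputer 'siteserver01')

# 2. OU that will hold the published AMT-based computer accounts
$ou     = New-ADOrganizationalUnit -Name 'AMT Computers' -Path $domainDn -PassThru
$ouPath = "AD:\$($ou.DistinguishedName)"

# 3. Delegate only "Create Computer Objects" and "Delete Computer Objects" on that OU to the
#    site server group. The object type GUID limits CreateChild/DeleteChild to the 'computer'
#    schema class, so the group cannot create users, groups or other object types there, and
#    inheritance None keeps the grant on this OU only.
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the computer class
$groupSid      = (Get-ADGroup 'ConfigMgr Primary Site Servers').SID
$rights        = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
           $groupSid, $rights, [System.Security.AccessControl.AccessControlType]::Allow,
           $computerClass, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl = Get-Acl -Path $ouPath
$acl.AddAccessRule($ace)
Set-Acl -Path $ouPath -AclObject $acl

# 4. Verify: the group should show CreateChild, DeleteChild with the computer class GUID as ObjectType
(Get-Acl -Path $ouPath).Access |
    Where-Object { $_.IdentityReference -like '*\ConfigMgr Primary Site Servers' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType -AutoSize
```

The verification step at the end is the part worth keeping in a change record: the Delegation of Control wizard produces the same ACE, but listing the ACL afterwards shows that nothing broader (for example GenericAll or an unrestricted CreateChild) was granted by mistake.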

Adam works with the PKI team with the following results:

  • The web server certificate template is duplicated and configured for the enrollment point. The resulting certificate is installed on server15 and bound to the web site in IIS.

  • A custom template is created to request and install the AMT provisioning certificate on server15.

  • The web server certificate template is duplicated again and configured as the AMT web server certificate template, which Configuration Manager uses to issue a TLS server certificate to each AMT-based computer during provisioning.

  • They identify and write down the certificate thumbprint (the SHA-1 hash) of the internal root CA certificate. It must be added manually to the AMT firmware until they purchase a provisioning certificate from an external CA whose root certificate hash is already present in the firmware.

For guidance about how to deploy the PKI certificates required for out of band management, see .

For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager 2012.

For more information about how the certificates are used in out of band management, see About Certificates for Out of Band Management in Configuration Manager 2012.

To prepare the desktop AMT-based computers that Adam will use in the initial testing, Adam checks that the AMT firmware configuration is correct and adds the certificate thumbprint of their internal root CA:

  1. When the computer boots, he presses CTRL-P to enter the Intel Management Engine BIOS Extension (MEBx).

  2. He selects Intel (R) ME Configuration, Intel (R) ME Feature Control, Manageability Feature Selection, and then selects Intel (R) AMT. He exits and reboots the computer.

  3. He enters MEBx again, selects Intel (R) AMT Configuration, Setup and Configuration, and checks that the value for Current provision mode is PKI. It is not, so he selects TLS PKI and sets Remote Configuration to Enable.

  4. In the TLS-PKI section, he selects Manage Certificate Hashes, presses Insert, and types the certificate thumbprint of his internal root CA.

  5. He saves the changes, exits, and reboots the computer.

For more information, see the Intel documentation.
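Two checks that save a trip back to the MEBx screen: obtaining the exact hash value to type in step 4, and confirming that the provisioning certificate on server15 meets the documented requirements before it is selected in the console. This is an added example, not code from the Configuration Manager documentation. It assumes that the internal root CA certificate is in the local machine Trusted Root store on server15 and that the provisioning certificate was requested into the Personal (My) store there; the subject name patterns ("Trey Research" and server15's FQDN) are assumptions for this scenario.

```powershell
# Added example; not from the Configuration Manager documentation.
# Assumptions: root CA in LocalMachine\Root, provisioning certificate in LocalMachine\My on server15,
# subject name patterns chosen for this scenario.

$intelAmtOid   = '2.16.840.1.113741.1.2.3'   # Intel AMT provisioning OID (enhanced key usage)
$serverAuthOid = '1.3.6.1.5.5.7.3.1'         # Server Authentication
$intelSetupOu  = 'Intel(R) Client Setup Certificate'

# The value typed into MEBx > Manage Certificate Hashes is the SHA-1 hash of the root CA
# certificate, which is exactly what Windows exposes as the certificate Thumbprint.
function Get-RootCaHash {
    param([string]$SubjectPattern)
    $root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*$SubjectPattern*" -and $_.Subject -eq $_.Issuer } |
        Select-Object -First 1
    if (-not $root) { throw "No self-signed root matching '$SubjectPattern' in LocalMachine\Root" }
    New-Object PSObject -Property @{
        Subject    = $root.Subject
        Thumbprint = $root.Thumbprint     # 40 hex characters (SHA-1)
        NotAfter   = $root.NotAfter
    }
}

# Checks a candidate provisioning certificate against the documented requirements: a private key,
# the Server Authentication EKU, and either the Intel AMT OID in the EKU or the
# "Intel(R) Client Setup Certificate" OU. It also builds the chain (revocation is checked online
# by default) so an untrusted or expired issuer is visible before the certificate is chosen.
function Test-AmtProvisioningCertificate {
    param([Parameter(Mandatory=$true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $ekus   = @()
    $ekuExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($Certificate)

    $r = New-Object PSObject -Property @{
        Subject          = $Certificate.Subject
        HasPrivateKey    = $Certificate.HasPrivateKey
        ServerAuthEku    = ($ekus -contains $serverAuthOid)
        IntelAmtOidInEku = ($ekus -contains $intelAmtOid)
        IntelSetupOu     = ($Certificate.Subject -match [regex]::Escape("OU=$intelSetupOu"))
        ChainBuilds      = $chainOk
        ChainStatus      = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        NotAfter         = $Certificate.NotAfter
        Usable           = $false
    }
    $r.Usable = $r.HasPrivateKey -and $r.ServerAuthEku -and $chainOk -and
                ($r.IntelAmtOidInEku -or $r.IntelSetupOu)
    $r
}

# Usage on server15
Get-RootCaHash -SubjectPattern 'Trey Research'

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*server15.testnet.treyresearch.net*' } |
    ForEach-Object { Test-AmtProvisioningCertificate -Certificate $_ } |
    Format-List
```

The same Test-AmtProvisioningCertificate check applies later to the certificate purchased from an external CA; for that certificate the IntelAmtOidInEku or IntelSetupOu result is what distinguishes a usable provisioning certificate from an ordinary web server certificate bought from the same vendor.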

Adam then configures the Configuration Manager primary site and makes the following changes:

  • He installs a new site system server on server15, configures it with the intranet FQDN of server15.testnet.treyresearch.net, and then installs the out of band service point and the enrollment point. He then configures the Out of Band Management component.

  • On the AMT Provisioning Certificate page for the out of band service point, he browses to the AMT provisioning certificate that he installed.

  • On the Out of Band Management Component Properties dialog box, he configures the following:

    • On the General tab, he specifies the OU that he created in testnet.treyresearch.net, the universal security group that he created, browses to the AMT web server certificate template that he created earlier, and configures a strong password for the MEBx Account.

    • On the AMT Settings tab, he specifies his own account as an AMT User Account and a Windows global domain security group that contains help desk engineers who will use the out of band management console. He also selects the options Enable serial over LAN and IDE redirection, Allow ping responses, and Enable BIOS password bypass for power on and restart commands.

For more information, see the following:

Adam wants to use Wake on LAN technology to install critical software updates on computers. He has tried this feature in the past and discovered that subnet-directed broadcasts consumed too much network bandwidth over the remote links and that few of their network adapters worked with unicast transmissions.

He enables Wake on LAN and decides to keep the default option of Use power on commands if the computer supports this technology; otherwise, use wake-up packets.

For more information, see .

Adam adds the AMT Status column to the Configuration Manager console and creates a new collection that contains just five AMT-based computers as his initial pilot. These computers are for testing only and contain different supported versions of AMT. He configures this collection for AMT provisioning.

For more information, see .

Adam monitors the AMT provisioning process.

For more information, see .

When the computers are successfully provisioned for AMT, Adam starts testing these computers for Out of Band Management.

For example scenarios of using Out of Band Management, see Example Scenarios for Using Out of Band Management in Configuration Manager 2012.

Rollout: Full Deployment by Using an External CA for the Provisioning Certificate

When the initial testing is complete, Adam receives confirmation from his manager that Out of Band Management can be rolled out to all AMT-based workstation computers. To eliminate the requirement to add the thumbprint of their internal root CA certificate to each AMT-based computer, Adam purchases a provisioning certificate from an external CA and installs this on server15, according to the accompanying instructions.

Adam then takes the course of action outlined in the following table.


Process | Reference

Adam checks the prerequisites for Out of Band Management again, to see whether there are any additional changes that he needs to make. He notes the following:

  • There are port requirements that he must pass on to the firewall administrator so that help desk engineers can connect to AMT-based computers in remote sites that are protected by the internal company firewall.

  • Some help desk computers still run Windows XP and so these computers must be checked for their version of WinRM and updated if necessary.

  • Help desk engineers must be added to an appropriate security role to run the Out of Band Management console.

For more information, see Prerequisites for Out of Band Management in Configuration Manager 2012.
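A check that can be run from a help desk computer once the firewall change is in place: it confirms that the AMT TLS ports are reachable through the firewall and that a provisioned computer answers on 16993 with a certificate issued by the internal CA (the AMT web server certificate from the earlier template). This is an added example, not code from the Configuration Manager documentation. The computer names and the issuing CA name are assumptions for this scenario; the port numbers are the ones Configuration Manager uses for AMT (TCP 16993 for management over TLS, TCP 16995 for serial over LAN and IDE redirection over TLS).

```powershell
# Added example; not from the Configuration Manager documentation.
# Assumptions: computer names and the issuing CA subject below are placeholders for this scenario.
$amtHosts       = 'amtpc01.testnet.treyresearch.net', 'amtpc02.testnet.treyresearch.net'
$expectedIssuer = 'CN=Trey Research Enterprise CA'   # assumed subject of the CA that issues AMT web server certificates

function Test-AmtEndpoint {
    param([string]$HostName, [int]$Port, [switch]$InspectTls, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    $r = New-Object PSObject -Property @{
        HostName = $HostName; Port = $Port; Reachable = $false
        Subject = $null; Issuer = $null; NotAfter = $null; IssuedByExpectedCa = $null; Error = $null
    }
    try {
        # Connect with an explicit timeout: a firewall that silently drops packets otherwise stalls each test
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            throw "no connection within $TimeoutMs ms (port blocked, or computer not provisioned)"
        }
        $client.EndConnect($async)
        $r.Reachable = $true

        if ($InspectTls) {
            # Accept any certificate for the handshake: the point is to read it, not to trust it.
            $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $r.Subject  = $cert.Subject
            $r.Issuer   = $cert.Issuer
            $r.NotAfter = $cert.NotAfter
            $r.IssuedByExpectedCa = ($cert.Issuer -eq $expectedIssuer)
            $ssl.Close()
        }
    } catch {
        $r.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    $r
}

# 16993 carries the TLS-protected management interface; 16995 is only tested for reachability here
$amtHosts | ForEach-Object {
    Test-AmtEndpoint -HostName $_ -Port 16993 -InspectTls
    Test-AmtEndpoint -HostName $_ -Port 16995
} | Format-Table HostName, Port, Reachable, IssuedByExpectedCa, Subject, Error -AutoSize
```

A computer that is reachable on 16993 but presents a certificate from an unexpected issuer, or whose Subject does not contain its own FQDN, is worth investigating before the help desk relies on it: either provisioning did not complete with the intended AMT web server certificate template, or something other than the expected management controller is answering on that address.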

Adam configures the properties of the out of band service point, browses to the newly purchased AMT provisioning certificate, and saves the changes.

For more information, see .

Adam creates new collections to gradually roll out AMT provisioning for workstation computers. Over a period of four weeks, he enables these collections for AMT provisioning and monitors progress.

For more information, see .

As a result of this course of action, all Intel AMT-based workstation computers are provisioned for AMT and can be managed out of band by the help desk. The ability to troubleshoot and repair computers when the operating system is not functioning greatly reduces the total cost of ownership for the company because engineers no longer require local access to the computer.

Add Wireless Support: Extend Management to Wireless Networks

After the successful rollout for workstations to use Out of Band Management, Trey Research now wants to extend this support to laptop computers that use the wireless network. The wireless network uses a Windows Server 2008-based server that is running Network Policy Server (NPS) and requires a client certificate for authentication.

Adam takes the course of action outlined in the following table.


Process | Reference

Adam checks the wireless support prerequisites for out of band management and confirms that the versions of AMT on the laptops will support wireless profiles. He notes the wireless configuration settings that are required by the Network Policy Server as WPA2 security, AES encryption, and EAP-TLS authentication.

For more information about the prerequisites, see Prerequisites for Out of Band Management in Configuration Manager 2012.

Adam works with the PKI team to create an additional certificate template that the AMT-based computers will use to authenticate with the Network Policy Server.

For more information about creating the client certificate template, see the section “Creating and Issuing the Client Authentication Certificates for 802.1X AMT-Based Computers” in .

For more information about the certificate requirements, see About Certificates for Out of Band Management in Configuration Manager 2012.

Adam configures the Out of Band Management Component Properties: 802.1X and Wireless tab:

  • He creates a wireless profile that contains the wireless network name, the security type of WPA2-Enterprise, and the encryption method of AES. He then selects the trusted root certificate for the Network Policy Server, and the client certificate template that was created earlier.

For more information, see steps 26 through 39 in .

Adam creates a new collection for laptops that can support AMT. On the Out of Band Management tab, he selects Enable provisioning for AMT-based computers.

Adam then monitors the provisioning status for these laptops, and uses the log file Amtopmgr.log, to verify that the wireless profile is successfully configured for these AMT-based computers.

Tip: If these laptops were already provisioned for AMT without the wireless profile, Adam would run the Update Provisioning Data in Management Controller Memory command for the wireless settings to be applied. For more information, see .

See .
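Amtopmgr.log uses the same line format as the other Configuration Manager site logs, so the warning and error entries for a particular laptop can be pulled out rather than read in CMTrace line by line. The following is an added example, not code from the Configuration Manager documentation: it parses that log format and returns the non-informational entries that mention a given computer. The sample lines are constructed for illustration and do not reproduce real Amtopmgr.log messages, and the log path in the usage note is the default installation path, assumed for this scenario.

```powershell
# Added example; not from the Configuration Manager documentation.
# The three sample lines are constructed; real Amtopmgr.log messages differ in wording.
$sampleLog = @'
<![LOG[Sample: provisioning started for laptop07]LOG]!><time="10:15:01.123+000" date="05-01-2011" component="AMT_OPERATION_MANAGER" context="" type="1" thread="4012" file="amtopmgr.cpp:100">
<![LOG[Sample: wireless profile applied for laptop07]LOG]!><time="10:15:09.456+000" date="05-01-2011" component="AMT_OPERATION_MANAGER" context="" type="1" thread="4012" file="amtopmgr.cpp:200">
<![LOG[Sample: wireless profile failed for laptop08, client certificate not issued]LOG]!><time="10:15:12.789+000" date="05-01-2011" component="AMT_OPERATION_MANAGER" context="" type="3" thread="4012" file="amtopmgr.cpp:200">
'@

# Parses CMTrace-format lines: <![LOG[message]LOG]!><time=".." date=".." component=".." context=".." type="1|2|3" thread=".." file="..">
function Read-CmTraceLog {
    param([string[]]$Lines)
    $pattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"\s+thread="(?<thread>\d+)"'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                Date      = $matches.date
                Time      = $matches.time
                Component = $matches.comp
                Severity  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$matches.type]
                Thread    = [int]$matches.thread
                Message   = $matches.msg
            }
        }
    }
}

# Returns warnings and errors that mention the computer, which is what to look at when the
# AMT Status column shows a laptop as provisioned but the wireless profile is not working.
function Get-AmtProblems {
    param([string[]]$Lines, [string]$ComputerName)
    Read-CmTraceLog -Lines $Lines |
        Where-Object { $_.Severity -ne 'Info' -and $_.Message -like "*$ComputerName*" }
}

# Usage: the constructed sample first, then the real log on the out of band service point
Get-AmtProblems -Lines ($sampleLog -split "`r?`n") -ComputerName 'laptop08' |
    Format-Table Severity, Date, Time, Message -AutoSize

# $real = Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\amtopmgr.log'   # assumed default path
# Get-AmtProblems -Lines $real -ComputerName 'laptop08'
```

Filtering on type 2 and 3 rather than on message text keeps the function independent of the exact wording of the log entries, which changes between versions; the computer name filter is what narrows it to the laptop being investigated.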

As a result of this course of action, laptops can also now be managed out of band by the help desk, which reduces the time to resolve the problems reported by laptop users.

See Also