Prerequisites for Out of Band Management in Configuration Manager 2012

Updated: May 1, 2011

Out of band management in Configuration Manager 2012 creates external dependencies as well as dependencies within the product.

Important
Out of band management in Microsoft System Center Configuration Manager 2012 has external dependencies on Intel Active Management Technology (Intel AMT) and on Microsoft public key infrastructure (PKI) technologies. If you need authoritative configuration information or technical details about these external dependencies, refer to the product documentation for the related technologies. For Intel Active Management Technology (Intel AMT) information, refer to the Intel documentation or the documentation from your computer manufacturer. You can also refer to the Intel vPro Expert Center: Microsoft vPro Manageability Web site. For Microsoft PKI information, refer to Windows Server 2008 Active Directory Certificate Services.

Dependencies External to Configuration Manager 2012

The following table lists the external dependencies for running out of band management.

Dependency | More Information

A Microsoft enterprise certification authority (CA) with certificate templates to deploy and manage the certificates required for out of band management.

The issuing CA must automatically approve certificate requests from the AMT computer accounts that Configuration Manager creates in Active Directory Domain Services during the AMT provisioning process.

Important
AMT cannot support CA certificates with a key length greater than 2048 bits.

The out of band service point and each desktop or laptop computer that will be managed out of band must have specific PKI certificates that are managed independently from Configuration Manager.

For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager 2012.

For step-by-step instructions, see

Desktop or laptop computers with the following configuration:

  • Intel vPro Technology or Intel Centrino Pro Technology.

  • A supported version of Intel AMT that is configured for Enterprise mode, with the provision mode of PKI.

  • Intel HECI driver.

Download the latest HECI driver from the Intel Web site and consult your computer manufacturer's documentation for the Intel requirements.

An Active Directory container and a universal security group:

  • The Active Directory container must be configured with the correct security permissions for the domain in which the AMT-based computers reside. If the site manages AMT-based computers from multiple domains, the same container name and path must be used for all domains.

  • A universal security group that will contain computer accounts for the AMT-based computers.

Note
You do not have to extend the Active Directory schema for out of band management.

During the AMT provisioning process, Configuration Manager creates computer accounts in this Active Directory container (or organizational unit) and adds the accounts to the universal security group.

The site server computer requires the following permissions:

  • For the OU that is used during the AMT provisioning process: Create Computer Objects and Delete Computer Objects (this object only).

  • For the universal security group that is used during the AMT provisioning process: Read Members and Write Members (this object only)
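As an added example that is not part of this documentation, the following PowerShell snippet audits whether the site server computer account holds the four rights listed above on the AMT container and on the universal security group. It assumes the ActiveDirectory module and its AD: drive are available, and the account, OU and group names are placeholders to replace with your own.

```powershell
# Added check (not from the Configuration Manager documentation). Verifies the rights
# this page lists for the site server on the AMT container and the universal group.
# Placeholder values below must be replaced with your own account, OU and group.
Import-Module ActiveDirectory

$siteServer = 'CONTOSO\SCCM01$'                               # site server computer account
$amtOu      = 'OU=AMT,DC=contoso,DC=com'                      # container used for provisioning
$amtGroup   = 'CN=AMT Computers,CN=Users,DC=contoso,DC=com'   # universal security group

# Well-known schemaIDGUIDs: the "computer" object class and the "member" attribute.
# An object-specific ACE carries one of these in ObjectType; an empty GUID means "all".
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$memberAttrGuid    = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Test-AdRight {
    param(
        [string]$DistinguishedName,
        [string]$Identity,
        [System.DirectoryServices.ActiveDirectoryRights]$Right,
        [Guid]$ObjectType
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    # Look for an explicit Allow ACE for the account that carries the right, scoped either
    # to the requested object type or to all types. Rights obtained through group
    # membership are not resolved here, so MISSING means "not granted directly".
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity -and
        (($_.ActiveDirectoryRights -band $Right) -eq $Right) -and
        ($_.ObjectType -eq [Guid]::Empty -or $_.ObjectType -eq $ObjectType)
    }
    return [bool]$hit
}

$checks = [ordered]@{
    'OU: Create Computer Objects' = Test-AdRight $amtOu    $siteServer 'CreateChild'   $computerClassGuid
    'OU: Delete Computer Objects' = Test-AdRight $amtOu    $siteServer 'DeleteChild'   $computerClassGuid
    'Group: Read Members'         = Test-AdRight $amtGroup $siteServer 'ReadProperty'  $memberAttrGuid
    'Group: Write Members'        = Test-AdRight $amtGroup $siteServer 'WriteProperty' $memberAttrGuid
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-30} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISSING' })
}
```

Because the check matches only ACEs granted directly to the named account, a right that the site server receives through a group it belongs to is reported as MISSING; extend the identity comparison if you delegate through groups.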

The following network services:

  • DHCP server with an active scope.

  • DNS servers for name resolution.

For DHCP, ensure that the DHCP scope options include DNS servers (006) and Domain name (015), and that the DHCP server dynamically updates DNS with the computer resource record.

WINS cannot be used for resolving computer names, and DNS is required for all connections that use out of band management. This includes connecting to AMT-based computers from the out of band management console, in addition to AMT provisioning.

Note
AMT cannot register a host record in DNS, so you must ensure that either DHCP or the operating system updates DNS with a host record for the AMT-based computer’s fully qualified domain name. Alternatively, you can manually create these records in DNS as needed. For wireless support, ensure that DNS contains records with the wireless IP address for the AMT-based computer’s fully qualified domain name.

Windows Remote Management (WinRM) 1.1 or later must be installed on computers running Windows XP if they will run the out of band management console.

For more information about WinRM versions, see

MSXML 6.0 is required on computers that run the out of band management console.

The setup prerequisite check for Configuration Manager 2012 includes the check for Microsoft MSXML 6.0.

The Windows feature, Telnet Client, must be installed on computers that run Windows 7, Windows Vista, or Windows Server 2008 if the computers run the out of band management console and perform serial-over-LAN commands.

Serial over LAN uses the Telnet protocol to run a terminal emulation session for the managed computer, in which you can run commands and character-based applications. For more information, see Introduction to Out of Band Management in Configuration Manager 2012.

Computers that will be managed out of band must belong to the same Active Directory forest as the out of band service point's forest and must share the same namespace. Disjointed namespaces are not supported.

The following scenarios identify computers that are not supported for out of band management. AMT should be disabled on these computers:

  • Workgroup computers.

  • Computers that reside in a different Active Directory forest from the out of band service point site system server.

  • Computers that reside in the same Active Directory forest as the out of band service point site system server but do not share the same namespace (noncontiguous namespace).

    For example, an AMT-based computer with the FQDN of computer1.northwindtraders.com cannot be provisioned by the out of band service point site system with the FQDN of contoso.com, even if they belong to the same Active Directory forest.

  • Computers that reside in the same Active Directory forest as the out of band service point site system server but have a disjointed namespace—for example, an AMT-based computer that has a DNS name of computer1.corp.fabrikam.com and resides in an Active Directory domain named na.corp.fabrikam.com.

Intervening network devices such as routers and firewalls, and Windows Firewall if applicable, must allow the traffic associated with out of band management activity.

The following ports are used by out of band management:

  • From the out of band service point to the mobile device and AMT enrollment point: HTTPS (TCP port 443 by default).

  • From the out of band service point site system server to AMT management controllers for power control initiated from the Configuration Manager console and scheduled activities, provisioning, and discovery: TCP 16993.

  • From computers running the out of band management console to AMT management controllers for all management tasks initiated from the out of band management console (including power-on commands): TCP 16993.

  • From computers running the out of band management console to AMT management controllers for serial over LAN and IDE redirection: TCP 16995.
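Added example, not part of this documentation: a PowerShell check for the DHCP scope options, the DNS host record and the ports that this page lists, run against one AMT-based computer. It assumes Windows PowerShell with the DhcpServer, DnsClient and NetTCPIP modules; the FQDN, DHCP server, scope and enrollment point values are placeholders, and reachability is tested from whichever computer runs the script (the out of band service point or a console computer).

```powershell
# Added check (not from the Configuration Manager documentation). Tests the DHCP scope
# options, the DNS host record and the ports this page lists for one managed computer.
# Assumes the DhcpServer, DnsClient and NetTCPIP modules; the values below are placeholders.
param(
    [string]$AmtFqdn         = 'computer1.contoso.com',  # AMT-based computer to check
    [string]$DhcpServer      = 'dhcp01.contoso.com',     # DHCP server serving its subnet
    [string]$ScopeId         = '10.0.1.0',               # DHCP scope containing the computer
    [string]$EnrollmentPoint = 'sccm01.contoso.com'      # mobile device and AMT enrollment point
)
$findings = @()

# 1. The DHCP scope must supply DNS servers (option 006) and the domain name (option 015).
foreach ($optionId in 6, 15) {
    $opt = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId `
                                       -OptionId $optionId -ErrorAction SilentlyContinue
    if (-not $opt -or -not $opt.Value) { $findings += "DHCP scope $ScopeId does not set option $optionId" }
}

# 2. AMT cannot register its own host record and WINS is not used, so the FQDN must
#    already resolve to an IPv4 address (out of band management is IPv4 only).
$records = Resolve-DnsName -Name $AmtFqdn -Type A -DnsOnly -ErrorAction SilentlyContinue
if (-not $records) { $findings += "No IPv4 (A) record in DNS for $AmtFqdn" }

# 3. Ports that routers, firewalls and Windows Firewall must allow toward the
#    management controller; tested from the computer running this script.
$amtPorts = [ordered]@{
    16993 = 'management tasks, power control, provisioning, discovery'
    16995 = 'serial over LAN and IDE redirection'
}
foreach ($port in $amtPorts.Keys) {
    $probe = Test-NetConnection -ComputerName $AmtFqdn -Port $port -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) {
        $findings += "TCP $port ($($amtPorts[$port])) is not reachable on $AmtFqdn"
    }
}

# 4. From the out of band service point, HTTPS to the enrollment point (TCP 443 by default).
$ep = Test-NetConnection -ComputerName $EnrollmentPoint -Port 443 -WarningAction SilentlyContinue
if (-not $ep.TcpTestSucceeded) { $findings += "HTTPS (TCP 443) to enrollment point $EnrollmentPoint is not reachable" }

if ($findings.Count -eq 0) { 'All listed network prerequisites are satisfied.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```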

IPv4.

IPv6 is not supported. Out of band management uses IPv4 only.

Full IPsec environments are not supported.

Do not configure IPsec policies for the AMT communication between the out of band service point site system server and computers that will be managed out of band.

Infrastructure support for 802.1X authenticated wired networks and wireless networks:

  • Authenticated wired 802.1X support: Client authentication options of EAP-TLS or EAP-TTLS/MSCHAPv2 or PEAPv0/EAP-MSCHAPv2.

  • Wireless support: WPA and WPA2 security, AES or TKIP encryption, client authentication options of EAP-TLS or EAP-TTLS/MSCHAPv2 or PEAPv0/EAP-MSCHAPv2.

Note
If you use client authentication methods of EAP-TLS or EAP-TTLS/MSCHAPv2 with a client certificate, the RADIUS solution must support authentication by using the following format: domain\computer_account.

To manage AMT-based computers out of band on an 802.1X authenticated wired network or a wireless connection, you must have a supporting infrastructure for these environments. These networks can be configured by using a Microsoft RADIUS solution, such as Network Policy Server on Windows Server 2008. Other RADIUS solutions can be used if they are 802.1X compliant and support the configuration options listed for authenticated wired 802.1X support and wireless support.

For more information about the Microsoft RADIUS solutions, see the following Web resources:

  • Network Policy Server.

  • Internet Authentication Services.

For more information about other RADIUS solutions, refer to the Intel vPro Expert Center: Microsoft vPro Manageability Web site.

Configuration Manager 2012 Dependencies

The following table lists the dependencies within Configuration Manager 2012 for running out of band management.

Dependency | More Information

The primary site must be running Configuration Manager 2012 and have installed the out of band service point and the AMT enrollment point.

Computers that you want to manage out of band must have the Configuration Manager 2012 client installed and must be assigned to a primary site.

For more information, see How to Install Clients in Configuration Manager 2012.

You must have the following security permissions for the collection that contains the computers that you want to manage out of band:

  • Provision AMT: This security permission allows you to manage AMT computers from the Configuration Manager console. This includes discovering the status of AMT management controllers, provisioning computers for AMT, and the auditing actions of enabling and applying audit log settings, disabling auditing, and clearing the audit log.

  • Control AMT: This security permission allows you to view and manage computers by using the out of band management console, and to initiate power control actions from the Configuration Manager console. The Remote Tools security role includes the Control AMT permission.

  • Read and Modify Collection Setting to enable AMT provisioning for the collection.

  • Provision AMT, Read, and Read Resource to remove provisioning information and update AMT management controllers.

Reporting services point.

The reporting services point site system role must be installed before out of band management reports can be displayed.
