Introduction to Out of Band Management in Configuration Manager 2012

Updated: May 1, 2011

Applies To: System Center Configuration Manager 2012

Out of band management in Microsoft System Center Configuration Manager 2012 provides powerful management control for computers that have the Intel vPro chip set and a version of AMT that Configuration Manager 2012 supports.

Out of band management allows an administrator to connect to a computer's AMT management controller when the computer is turned off, in sleep or hibernate modes, or otherwise unresponsive through the operating system. By way of contrast, in-band management is the classic approach used by Configuration Manager and its predecessors whereby an agent runs in the full operating system on the managed computer and the management controller accomplishes tasks by communicating with the management agent.

Out of band management supplements in-band management. While in-band management supports a wider range of operations because its environment is the full operating system, in-band management might not be functional if the operating system is not present or is not operational. In these situations, the supplementary capabilities of out of band management allow administrators to manage these computers without requiring local access to the computer.

Out of band management tasks include the following:

  • Powering on one or many computers (for example, for maintenance on computers outside business hours).

  • Powering off one or many computers (for example, the operating system stops responding).

  • Restarting a nonfunctioning computer or booting from a locally connected device or known good boot image file.

  • Re-imaging a computer by booting from a boot image file that is located on the network or by using a PXE server.

  • Reconfiguring the BIOS settings on a selected computer (and bypassing the BIOS password if this is supported by the BIOS manufacturer).

  • Booting to a command-based operating system to run commands, repair utilities, or diagnostic applications (for example, upgrading the firmware or running a disk repair utility).

  • Configuring scheduled software deployments to wake up computers prior to running.

These out of band management tasks are supported over an unauthenticated wired connection, an authenticated 802.1X wired connection, and a wireless connection. Out of band management also has the following additional features:

  • Auditing for selected AMT features.

  • Support for different power states, to help reduce power consumption and support adherence to IT policy.

  • Data storage in AMT, where up to 4096 bytes in ASCII characters can be saved in the nonvolatile random access memory (NVRAM) of the management controller.

For example scenarios of how out of band management can be used, see Example Scenarios for Using Out of Band Management in Configuration Manager 2012.

Some of the preceding tasks are performed from the Configuration Manager console, while others require running the out of band management console that is supplied with Configuration Manager 2012. Out of band management uses Windows remote management technology (WS-MAN) to connect to the AMT management controller on a computer.

Note:
Out of band management is not supported for clients that are managed over the Internet with Internet-based client management. Configuration Manager clients that are blocked or unapproved by Configuration Manager 2012 cannot be managed out of band.

The following table outlines the options and features that out of band management provides in Configuration Manager 2012. Each feature or scenario is listed first, followed by more information about it.

Security-based management

Out of band management integrates with an internal public key infrastructure (PKI) by using the following certificates:

  • A provisioning certificate that is installed on the out of band service point, which allows computers to be configured for out of band management.

  • A web server certificate that is installed on the enrollment point for secured communication with the out of band service point during the provisioning process.

  • A web server certificate that is installed on each computer that will be managed out of band so that communication is authenticated and is encrypted using Transport Layer Security (TLS).

  • Client certificates, if required for 802.1X authentication.

For more information about these certificates, see About Certificates for Out of Band Management in Configuration Manager 2012.

Administrators must be authenticated by using Kerberos before they can manage computers by using the out of band management console.

Out of band management activity is recorded and auditable by using an audit log on the AMT-based computers.

Support for 802.1X authenticated wired networks and wireless networks:

  • Authenticated wired 802.1X support: client authentication options of EAP-TLS or EAP-TTLS/MSCHAPv2 or PEAPv0/EAP-MSCHAPv2.

  • Wireless support: WPA and WPA2 security, AES or TKIP encryption, client authentication options of EAP-TLS or EAP-TTLS/MSCHAPv2 or PEAPv0/EAP-MSCHAPv2.

AMT provisioning

Enables and configures AMT-based computers running the Configuration Manager client.

Enhanced inventory data

Provides hardware inventory data from the AMT chip, such as asset tag, BIOS UUID, power state, processor, memory, and drive information.

Identify AMT management controllers

Identifies computers with an AMT management controller and its provisioning status.

This information can be used to build query-based collections to group computers for out of band management activities, such as provisioning and power control.

Power control

Enables power on, power off, and restart capabilities for a single computer, selected computers, or a collection of computers.

Computers can also be woken up by scheduled software deployments that have a deadline.

Out of band management console

A dedicated management console that is run from the Configuration Manager console or from a command prompt to initiate out of band management tasks, including IDE redirection and serial-over-LAN sessions.

Note:
Capabilities might vary depending on the manufacturer of the managed computer. For example, IDE redirection and serial-over-LAN capability can be disabled by the manufacturer.

IDE redirection

Enables the computer to boot from a boot image file or locally connected device rather than from its disk IDE interface. This is useful for diagnosing, repairing, or imaging a hard drive.

Serial over LAN

Serial-over-LAN technology encapsulates the data from a virtual serial port and sends it over the existing network connection established by the out of band management console.

This allows you to run a terminal emulation session for the managed computer, in which you can run commands and character-based applications. For example, you can reconfigure the BIOS or, in conjunction with IDE redirection, update the firmware or run diagnostic utilities.

What’s New in Configuration Manager 2012

The following have changed for Out Of Band Management since Configuration Manager 2007:

  • Configuration Manager 2012 no longer supports provisioning out of band, which could be used in Configuration Manager 2007 when the Configuration Manager client was not installed or the computer did not have an operating system installed. To provision computers for AMT in Configuration Manager 2012, they must belong to an Active Directory domain, have the Configuration Manager 2012 client installed, and be assigned to a Configuration Manager 2012 primary site.

  • To provision computers for AMT, you must install the new site system role, the enrollment point, in addition to the out of band service point. Both these site system roles must be installed in the same primary site.

  • AMT discovery no longer uses port TCP 16992; only port TCP 16993 is used.

  • Port TCP 9971 is no longer used to connect the AMT management controller to the out of band service point to provision computers for AMT.

  • The out of band service point uses HTTPS (port TCP 443 by default) to connect to the enrollment point.

  • The WS-MAN translator is no longer supported.

  • You no longer select individual permissions for each AMT User Account. Instead, all AMT User Accounts are automatically configured for the PT Administration (Configuration Manager 2007 SP1) or Platform Administration (Configuration Manager 2007 SP2) right, which grants permissions to all AMT features.

  • You must specify a universal security group in the Out Of Band Management Component Properties to contain the AMT computer accounts that Configuration Manager creates during the AMT provisioning process.

  • The site server computer no longer requires Full Control to the OU that is used during AMT provisioning. Instead, grant Read Members and Write Members (this object only).

  • The certificate templates for the AMT web server certificate and the AMT 802.1X client certificate no longer use Supply in the request and the site server computer account no longer requires permissions to these certificate templates:

    • For the AMT web server certificate template: On the Subject tab, select Build from this Active Directory information and then select Common name for the Subject name format. On the Security tab, grant Read and Enroll permissions to the universal security group that you specify in the Out Of Band Management Component Properties.

    • For the AMT 802.1X client certificate template: On the Subject tab, select Build from this Active Directory information and select Common name for the Subject name format. Clear DNS name, and then select User principal name (UPN) for the alternate subject name. On the Security tab, grant Read and Enroll permissions to the universal security group that you specify in the Out Of Band Management Point Component Properties.

  • The AMT provisioning certificate no longer requires that the private key can be exported.

  • The AMT provisioning certificate will be checked for certificate revocation by the out of band service point, by default. You can disable this option in the out of band service point properties.

  • AMT-based computers that are assigned to the same Configuration Manager site must have a unique computer name, even when they belong to different domains and therefore have a unique FQDN.

  • When you reassign an AMT-based computer from one Configuration Manager site to another, you must first remove the AMT provisioning information, reassign the client, and then provision the client again for AMT.

  • The security rights View management controllers and Manage management controllers from Configuration Manager 2007 are now named Provision AMT and Control AMT, respectively. The Control AMT permission is automatically added to the Remote Tools Operator security role. If an administrative user is assigned to the Remote Tools Operator security role and you want her to provision AMT-based computers or control the AMT audit log, you must add the Provision AMT permission to this security role or make sure that the administrative user belongs to another security role that includes this permission.
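As an added example (not code from Microsoft or from the Configuration Manager product), the following Python check connects to an AMT-based computer on TCP 16993, the TLS port that Configuration Manager 2012 uses, and verifies that the certificate presented is chained to the internal PKI and carries the computer's FQDN as its common name, as the AMT web server certificate template described above produces. The CA bundle path, host names and issuer name are assumptions, and the check refuses to use the cleartext port 16992 that is no longer used.

```python
import socket
import ssl

# Ports as described on the page: 16993 is the TLS port that Configuration
# Manager 2012 uses for AMT; 16992 is the cleartext port no longer used.
AMT_TLS_PORT = 16993
AMT_CLEARTEXT_PORT = 16992


def check_amt_peer_cert(cert, expected_fqdn, trusted_issuer_cn):
    """Validate a peer certificate in the dict layout returned by
    ssl.SSLSocket.getpeercert(). Returns (ok, reason).

    The AMT web server certificate template builds the subject from Active
    Directory with Common name as the subject name format, so the CN is
    expected to equal the computer's FQDN (assumed here)."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    cn = subject.get("commonName", "")
    if cn.lower() != expected_fqdn.lower():
        return False, f"subject CN {cn!r} does not match expected FQDN {expected_fqdn!r}"
    if issuer.get("commonName") != trusted_issuer_cn:
        return False, f"issuer CN {issuer.get('commonName')!r} is not the internal PKI CA"
    return True, "ok"


def probe_amt_tls(host, expected_fqdn, ca_bundle, trusted_issuer_cn,
                  port=AMT_TLS_PORT, timeout=5.0):
    """Open a TLS session to the AMT port, require chain validation against the
    internal PKI CA bundle (assumed path), then apply check_amt_peer_cert."""
    if port == AMT_CLEARTEXT_PORT:
        return False, "port 16992 is cleartext and is not used by Configuration Manager 2012"
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.verify_mode = ssl.CERT_REQUIRED  # default hostname matching stays enabled
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=expected_fqdn) as tls:
                return check_amt_peer_cert(tls.getpeercert(), expected_fqdn, trusted_issuer_cn)
    except (ssl.SSLError, OSError) as exc:
        return False, f"TLS connection to {host}:{port} failed: {exc}"


if __name__ == "__main__":
    # Constructed sample values; replace with a real AMT host and CA bundle.
    print(probe_amt_tls("pc01.corp.example", "pc01.corp.example",
                        "/path/to/internal-ca.pem", "Corp Issuing CA"))
```

A mismatch in the subject CN or an issuer outside the internal PKI is reported as a failed check rather than raising, so the function can be run across an inventory of AMT-based computers.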
