Running out of band management in Configuration Manager 2007 SP1 and later creates external dependencies as well as dependencies within the product.

Note
The information in this topic applies only to Configuration Manager 2007 SP1 and later.
Important
Out of band management in Configuration Manager 2007 has external dependencies on Intel Active Management Technology (Intel AMT) and on Microsoft public key infrastructure (PKI) technologies. If you need authoritative configuration information or technical details about these external dependencies, refer to the product documentation for the related technologies. For Intel Active Management Technology (Intel AMT) information, refer to the Intel documentation or the documentation from your computer manufacturer. You can also refer to the Intel vPro Expert Center: Microsoft vPro Manageability Web site (http://go.microsoft.com/fwlink/?LinkId=132001). For Microsoft PKI information, refer to Windows Server 2008 Active Directory Certificate Services (http://go.microsoft.com/fwlink/?LinkId=115018) and Public Key Infrastructure for Windows Server 2003 (http://go.microsoft.com/fwlink/?LinkId=78389).

Dependencies External to Configuration Manager 2007

The following table lists the external dependencies for running out of band management.

Dependency More Information

A Microsoft enterprise certification authority (CA) with certificate templates to deploy and manage the certificates required for out of band management.

The issuing CA must automatically approve certificate requests from the primary site server on behalf of AMT-based computers.

Important
AMT-based computers cannot support CA certificates with a key length greater than 2048 bits.

The out of band service point and each desktop computer that will be managed with the out of band management feature must have specific PKI certificates that are managed independently from Configuration Manager.

For more information, see the following topics:

Desktop computers with the following configuration:

  • Intel vPro Technology or Intel Centrino Pro Technology.

  • A supported version of Intel AMT.

  • Intel HECI driver.

Consult your computer manufacturer's documentation for the Intel requirements. If you will provision AMT-based computers in-band (the client for Configuration Manager 2007 SP1 or later is installed), download the latest HECI driver from the Intel Web site.

For information about the versions of AMT that are natively supported by Configuration Manager, see Configuration Manager 2007 SP1 Supported Configurations and Configuration Manager 2007 SP2 Supported Configurations. If you have AMT-based computers that are not natively supported by Configuration Manager, you might be able to support them with out of band management and reduced functionality by using Intel's translator. For more information, see http://go.microsoft.com/fwlink/?LinkId=108363.

Note
To use the auditing feature in Configuration Manager 2007 SP2, you must have a version of AMT that supports auditing. AMT versions earlier than 4.0 do not support auditing.

An Active Directory container configured with the correct security permissions for the domain in which the AMT-based computers reside. If the site manages AMT-based computers from multiple domains, the same container name and path must be used for all domains.

Note
It is not necessary to extend the Active Directory schema for out of band management.

This Active Directory container (or organizational unit) is required for publishing the AMT-based computer object during the AMT provisioning process.

For more information, see How to Prepare Active Directory Domain Services for Out of Band Management.

The following network services:

  • DHCP server with an active scope.

  • DNS servers for name resolution. Additionally, if you will provision AMT-based computers out of band (the Configuration Manager 2007 SP1 client is not installed), DNS might be needed to resolve the host name of ProvisionServer to the IP address of the out of band service point site system server.

For DHCP, ensure that the DHCP scope options include DNS servers (006) and Domain name (015), and that the DHCP server dynamically updates DNS with the computer resource record.

WINS cannot be used for resolving computer names, and DNS is required for all connections that are used by the out of band management feature. This includes connecting to AMT-based computers from the out of band management console, in addition to provisioning.

Note
AMT cannot register a host record in DNS, so you must ensure that either DHCP or the operating system updates DNS with a host record for the AMT-based computer’s fully qualified domain name. Alternatively, you can manually create these records in DNS as needed. For Configuration Manager 2007 SP2 and wireless support, ensure that DNS contains records with the wireless IP address for the AMT-based computer’s fully qualified domain name.

The DNS host name of ProvisionServer can be automatically registered by Configuration Manager if DNS supports automatic updates. For more information, see Decide Whether You Should Register an Alias for the Out of Band Service Point in DNS.

Windows Remote Management (WinRM) 1.1 or later must be installed on each site system server that hosts the out of band service point role and on any computer that runs a remote Configuration Manager console.

For more information about WinRM versions, see http://go.microsoft.com/fwlink/?LinkId=105682.

If the out of band service point site system role is installed on Windows Server 2003, Windows Server 2003 Service Pack 2 or later is required.

Important
If you are running Windows Server 2003 Service Pack 2, the following hotfix must be installed: 942841.

For more information about the hotfix, see http://go.microsoft.com/fwlink/?LinkId=106107.

For more information, see Configuration Manager 2007 SP1 Supported Configurations.

MSXML 6.0 is required on computers that run the out of band management console.

The setup prerequisite check for Configuration Manager 2007 SP1 and later includes the check for Microsoft MSXML 6.0.

For more information, see Setup Prerequisite Checks.

The Windows feature, Telnet Client, must be installed on computers running Windows Vista or Windows Server 2008 if the computers run the out of band management console and perform serial-over-LAN commands.

Serial over LAN uses the Telnet protocol to run a terminal emulation session for the managed computer, in which you can run commands and character-based applications. For more information, see Overview of Out of Band Management.

Computers that will be managed out of band must belong to the same Active Directory forest as the out of band service point and must share the same namespace. Disjoint namespaces are not supported.

The following scenarios identify computers that are not supported for out of band management. AMT should be disabled on these computers:

  • Workgroup computers.

  • Computers that reside in a different Active Directory forest from the out of band service point site system server.

  • Computers that reside in the same Active Directory forest as the out of band service point site system server but do not share the same namespace (noncontiguous namespace).

    For example, an AMT-based computer with the FQDN of computer1.northwindtraders.com cannot be provisioned by an out of band service point site system whose FQDN is in contoso.com, even if both belong to the same Active Directory forest.

  • Computers that reside in the same Active Directory forest as the out of band service point site system server but have a disjoint namespace (the computer's DNS suffix does not match its Active Directory domain name). For example, an AMT-based computer that has a DNS name of computer1.corp.fabrikam.com but resides in an Active Directory domain named na.corp.fabrikam.com.
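The four unsupported naming scenarios above are easy to get wrong in a multi-domain forest, so the following added example (not code from the Configuration Manager documentation or product) encodes them as a pure function you can run over an inventory before provisioning. It takes the computer's DNS FQDN, its Active Directory domain and forest root, and the out of band service point's forest root and domain tree root as plain strings; no directory lookup is made. "Same namespace" is modelled as "in the same domain tree as the out of band service point" (an assumption that matches the contoso.com versus northwindtraders.com example), and the forest and tree names used in the demo are constructed.

```python
"""Pre-check an AMT-based computer's naming against the out of band
management rules: no workgroup computers, same forest as the out of band
service point, contiguous namespace, and no disjoint namespace.

Added example; assumes the caller already knows each computer's AD domain
and forest root (for instance from an inventory export).
"""


def _norm(name):
    """Lower-case a DNS name and drop whitespace and any trailing dot."""
    return (name or "").strip().rstrip(".").lower()


def _under(name, parent):
    """True if DNS name `name` equals `parent` or is a subdomain of it."""
    name, parent = _norm(name), _norm(parent)
    return name == parent or name.endswith("." + parent)


def dns_domain(fqdn):
    """Everything after the first label: computer1.na.contoso.com -> na.contoso.com."""
    return _norm(fqdn).partition(".")[2]


def classify_amt_computer(computer_fqdn, computer_ad_domain, computer_forest,
                          sp_forest, sp_tree_root):
    """Return (supported, reason) for one AMT-based computer.

    computer_ad_domain  DNS name of the computer's AD domain ("" for workgroup)
    computer_forest     DNS name of the forest root domain the computer is in
    sp_forest           forest root domain of the out of band service point
    sp_tree_root        root of the domain tree the service point belongs to
    """
    if not _norm(computer_ad_domain):
        return False, "workgroup computer"
    if _norm(computer_forest) != _norm(sp_forest):
        return False, "different Active Directory forest from the out of band service point"
    suffix = dns_domain(computer_fqdn)
    # Disjoint namespace: the DNS suffix of the host name is not its AD domain.
    if suffix != _norm(computer_ad_domain):
        return False, "disjoint namespace: DNS suffix %s does not match AD domain %s" % (
            suffix, _norm(computer_ad_domain))
    # Noncontiguous namespace: same forest, but a different domain tree.
    if not _under(suffix, sp_tree_root):
        return False, "noncontiguous namespace: %s is not in the %s tree" % (
            suffix, _norm(sp_tree_root))
    return True, "supported"


if __name__ == "__main__":
    # Constructed inventory rows: (fqdn, ad_domain, forest). The service point
    # is assumed to live in the contoso.com forest and tree.
    rows = [
        ("computer1.na.contoso.com", "na.contoso.com", "contoso.com"),
        ("computer1.northwindtraders.com", "northwindtraders.com", "contoso.com"),
        ("computer1.corp.fabrikam.com", "na.corp.fabrikam.com", "contoso.com"),
        ("kiosk7", "", ""),
    ]
    for fqdn, domain, forest in rows:
        ok, why = classify_amt_computer(fqdn, domain, forest, "contoso.com", "contoso.com")
        print("%-32s %s" % (fqdn, "OK" if ok else "disable AMT: " + why))
```

Run the disjoint-namespace check on the side that will be provisioned: the DNS suffix comes from the host's primary DNS suffix, not from what the service point resolves, so export both the FQDN and the AD domain name for each computer rather than inferring one from the other.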

Intervening network devices such as routers and firewalls, and Windows Firewall if applicable, must allow the traffic associated with out of band management activity.

The following ports are used by out of band management:

  • From the AMT management controllers to the out of band service point site system server for out of band provisioning: TCP 9971.

  • From the out of band service point site system server to AMT management controllers for discovery: TCP 16992.

  • From the out of band service point site system server to AMT management controllers for power control initiated from the Configuration Manager console and scheduled activities, provisioning, and discovery: TCP 16993.

  • From computers running the out of band management console to AMT management controllers for all management tasks initiated from the out of band management console (including power-on commands): TCP 16993.

  • From computers running the out of band management console to AMT management controllers for serial over LAN and IDE redirection: TCP 16995.
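Because each of these ports is opened by a different computer, a firewall rule that is correct for the out of band service point does not prove the console path works. The following added example (not code from the Configuration Manager documentation or product) turns the list above into a reachability check grouped by the computer that initiates the connection: run it on the service point against an AMT-based computer, or on a console computer, and it reports which of that path's ports a firewall or the endpoint is blocking. The host names are whatever you pass in; the listener helper exists only so the probe can be tested against the local machine.

```python
"""Probe the TCP ports that out of band management uses, grouped by which
computer opens the connection. Added example; a completed TCP handshake is
treated as "reachable", which is enough to show whether intervening routers,
firewalls or Windows Firewall allow the traffic.
"""
import socket
import sys

# Ports from the list above, keyed by the initiating computer. AMT listens on
# 16992/16993/16995; the out of band service point (OOB SP) listens on 9971.
OOB_PATHS = {
    # AMT management controller -> out of band service point (out of band provisioning)
    "amt_to_oobsp": [("out of band provisioning", 9971)],
    # Out of band service point -> AMT management controller
    "oobsp_to_amt": [("discovery", 16992),
                     ("power control, provisioning, discovery", 16993)],
    # Out of band management console -> AMT management controller
    "console_to_amt": [("management tasks, including power-on", 16993),
                       ("serial over LAN and IDE redirection", 16995)],
}


def probe_tcp(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, name resolution failure
        return False


def check_path(path, target, timeout=2.0):
    """Probe every port on one path; returns {port: reachable}."""
    return {port: probe_tcp(target, port, timeout) for _, port in OOB_PATHS[path]}


def missing_ports(path, target, timeout=2.0):
    """Sorted list of ports on `path` that could not be reached on `target`."""
    return sorted(p for p, ok in check_path(path, target, timeout).items() if not ok)


def start_local_listener():
    """Bind a throw-away listener on 127.0.0.1 so probe_tcp can be self-tested.

    Returns (server_socket, port); close the socket when done.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: python oob_ports.py oobsp_to_amt amt-host.contoso.com
    #        python oob_ports.py console_to_amt amt-host.contoso.com
    if len(sys.argv) != 3 or sys.argv[1] not in OOB_PATHS:
        print("usage: oob_ports.py {%s} <target host>" % "|".join(OOB_PATHS))
        sys.exit(2)
    path, target = sys.argv[1], sys.argv[2]
    for (what, port) in OOB_PATHS[path]:
        ok = probe_tcp(target, port)
        print("%-14s %s:%-5d %-40s %s" % (path, target, port, what, "open" if ok else "BLOCKED"))
    sys.exit(1 if missing_ports(path, target) else 0)
```

Run the check from the computer that will actually initiate the traffic; a successful probe from the service point says nothing about the console path to 16995, and a blocked 9971 shows up only when probed from the AMT-based computer's subnet toward the service point.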

IPv4.

IPv6 is not supported. Out of band management uses IPv4 only.

Full IPsec environments are not supported.

Do not configure IPsec policies for the AMT communication between the out of band service point site system server and computers that will be managed out of band.

Refer to the port information above to determine which ports out of band management requires, and exclude that traffic from any IPsec policy.

802.1X environments are not natively supported by Configuration Manager 2007 SP1.

If you have AMT-based computers that use 802.1X in a Configuration Manager 2007 SP1 site, you might be able to support this network environment by using the Intel Genscript tool: http://go.microsoft.com/fwlink/?LinkId=108363.

Out of band management can natively support 802.1X authenticated wired network and wireless networks in a Configuration Manager 2007 SP2 site when the version of AMT is 4.0 and later. For more information, see How to Configure AMT-Based Computers for 802.1X Authenticated Wired and Wireless Networks.

Infrastructure support for 802.1X authenticated wired networks and wireless networks:

  • Authenticated wired 802.1X support: Client authentication options of EAP-TLS or EAP-TTLS/MSCHAPv2 or PEAPv0/EAP-MSCHAPv2.

  • Wireless support: WPA and WPA2 security, AES or TKIP encryption, client authentication options of EAP-TLS or EAP-TTLS/MSCHAPv2 or PEAPv0/EAP-MSCHAPv2.

Note
If you use client authentication methods of EAP-TLS or EAP-TTLS/MSCHAPv2 with a client certificate, the RADIUS solution must support authentication by using the following format: domain\computer_account.

Applies only to Configuration Manager 2007 SP2.

To manage AMT-based computers out of band on an 802.1X authenticated wired network or a wireless connection, you must have a supporting infrastructure for these environments. These networks can be configured by using a Microsoft RADIUS solution, which is Network Policy Server (NPS) on Windows Server 2008 or Internet Authentication Service (IAS) on Windows Server 2003. Other RADIUS solutions can be used if they are 802.1X compliant and support the configuration options listed for authenticated wired 802.1X support and wireless support.

For more information about the Microsoft RADIUS solutions, see the following Web resources:

For more information about other RADIUS solutions, refer to the Intel vPro Expert Center: Microsoft vPro Manageability Web site (http://go.microsoft.com/fwlink/?LinkId=132001).

AMT versions lower than 4.0 are not supported on 802.1X authenticated wired networks and wireless networks in Configuration Manager 2007 SP2.

Configuration Manager 2007 Dependencies

The following table lists the dependencies within Configuration Manager 2007 for running out of band management.

Dependency More Information

The primary site must be running Configuration Manager 2007 SP1 or later and have installed the out of band service point.

See How to Install the Out of Band Service Point.

If you provision computers for AMT with the Configuration Manager client, computers must have the client installed for Configuration Manager 2007 SP1 or later. These clients must not be running Windows 2000 Professional, Windows XP Tablet PC, or versions of Windows XP earlier than SP2.

Clients prior to Configuration Manager 2007 SP1 cannot initiate provisioning for AMT. These computers must use out of band provisioning for AMT or be upgraded to Configuration Manager 2007 SP1 or later.

For more information about AMT provisioning choices, see Choose Between In-Band Provisioning and Out of Band Provisioning.

If you will use network discovery to identify computers with management controllers, you must first install the out of band service point, and you might have to configure an AMT Provisioning and Discovery Account.

For more information, see the following topics:

You must have the following security rights for the collection that contains the computer that you want to manage out of band:

  • View management controllers: This security right allows you to discover computers with management controllers and initiate power control actions from the Configuration Manager console. In Configuration Manager 2007 SP2, this security right also includes auditing actions of enabling and applying audit log settings, disabling auditing, and clearing the audit log.

  • Manage management controllers: This security right allows you to view and manage computers by using the out of band management console.

Additionally, you must have the security right Modify Collection Setting to configure in-band provisioning, to remove provisioning information, and to update AMT management controllers.

For more information about configuring security rights in the Configuration Manager console, see Overview of Configuration Manager Object Security and WMI.

If you want to use any of the following features, the Configuration Manager site must be running Configuration Manager 2007 SP2:

  • Out of band management on an 802.1X authenticated wired or wireless network. AMT-based computers must be provisioned with or their management controller must be updated with the out of band service point in the Configuration Manager 2007 SP2 site.

  • Auditing for selected AMT operations.

  • Data storage in AMT.

  • Support for different power states. To use a power state other than the default of Always on, the management controller must be updated with the out of band service point in the Configuration Manager 2007 SP2 site.

  • Provisioning schedule for in-band provisioning.

These features are new in Configuration Manager 2007 SP2.

Reporting point site system.

The reporting point site system role must be installed before out of band management reports can be displayed.

For more information about creating a reporting point, see How to Create a Reporting Point.

See Also