The sections in this topic list the AMT provisioning events that occur during the AMT provisioning process in Configuration Manager 2007 SP1 and later, for out of band provisioning (no Configuration Manager 2007 SP1 or later client installed) and in-band provisioning (Configuration Manager 2007 SP1 or later client installed). These sections do not include the configuration actions that the Configuration Manager administrator must perform to support these processes. For configuration information, see Administrator Checklist: Enabling Out of Band Management.
Note: The information in this topic applies only to Configuration Manager 2007 SP1 and later.
The provisioning events listed are performed for every AMT-based computer that Configuration Manager provisions for AMT, irrespective of whether the computer has never been provisioned or has previously been provisioned and its provisioning information was removed (either partially or fully removed).
AMT Provisioning Process for Out of Band Provisioning in Configuration Manager
The following flow of events occurs when an AMT-based computer is provisioned out of band by Configuration Manager:
- On first startup from the manufacturer, the AMT-based computer sends a “Hello” message to the out of band service point (once every minute for 5 minutes, then once every 5 minutes for an hour, then once an hour for 23 hours).
- The out of band service point inspects the UUID and the list of certificate thumbprints in the “Hello” message. If the UUID is unknown to Configuration Manager (it has not been imported with the Import Computer for Out of Band Management Wizard), the “Hello” message is discarded.
- When one of the certificate thumbprints sent in the “Hello” message matches the root certificate thumbprint for the AMT provisioning certificate in its own computer store, the out of band service point creates an outbound TLS connection using the Secure Channel (Schannel) Security Support Provider (SSP). In this connection, the AMT-based computer is the server, and the out of band service point is the client. This transport layer session is established by using TLS handshaking:
  - The out of band service point sends a client “Hello” message to the AMT-based computer with a request to use SHA1.
  - The AMT-based computer sends a server “Hello” message to the out of band service point and sends its public key with a self-signed certificate.
  - The Microsoft Security Support Provider Interface (SSPI) is used to create the TLS channel.
  - The out of band service point sends its AMT provisioning certificate and its full certificate chain to the AMT-based computer, with the specific AMT provisioning OID or OU attribute of Intel(R) Client Setup Certificate.
  - The AMT-based computer checks the following for the AMT provisioning certificate and, if these successfully match, establishes the TLS session: the subject name (CN) against its own DNS namespace; the OID against the OID for AMT provisioning (or the OU attribute); and the certificate thumbprint of the root certificate from the certificate chain against the certificate thumbprint that it has stored in AMT firmware memory.
- The out of band service point establishes an application layer connection with the AMT-based computer, using HTTP Digest authentication:
  - A SOAP request is sent from the out of band service point to the AMT-based computer, without any user name and password.
  - The AMT-based computer responds to the out of band service point with an "authentication needed" response, which results in HTTP Digest authentication.
  - The out of band service point resends the SOAP request with the same payload to the AMT-based computer, this time using HTTP Digest authentication.
  - The AMT-based computer completes the authentication challenge and sends a success or failure response to the out of band service point.
- If the HTTP Digest authentication failed during the application layer connection, the out of band service point retries using another user name and password that has been configured in Configuration Manager. All user names and passwords are tried sequentially until authentication succeeds or there are no more user names and passwords.
- The out of band service point sends an instruction to the site server to create an Active Directory account in the configured Active Directory container (or OU) and to set the SPN for the AMT-based computer.
- The AMT-based computer undergoes first-stage provisioning, initiated by a SOAP request from the out of band service point:
  - The AMT time is synchronized with the Windows time from the out of band service point.
  - The AMT host name and domain are configured with the computer’s host name and domain that were provided with the Import Computer for Out of Band Management Wizard.
  - The requested and retrieved certificate is saved to the AMT firmware memory, and TLS authentication is enabled.
  - Configuration Manager creates a random and strong password for the AMT Remote Admin Account and stores this value in AMT.
  - Configuration Manager might reconfigure the MEBx password with the strong password configured in the Configuration Manager console, depending on whether it has been changed previously on the AMT-based computer and on the version of AMT.
  - The settings are saved in AMT firmware, and the AMT firmware state is set to the operational mode of post provisioning.
- The AMT-based computer undergoes second-stage provisioning, initiated by a Windows Remote Management (WinRM) request from the out of band service point:
  - The AMT ACLs are deleted and configured according to the AMT User Accounts and rights.
  - The following AMT settings are enabled if they are enabled in Configuration Manager: Ping responses; Web console; serial over LAN; IDE redirection.
  - Kerberos is enabled. For Configuration Manager 2007 SP1, the power scheme is set to 5 (if the default of 5 is not already configured), which means that the AMT firmware has a power state of always on except for power loss. For Configuration Manager 2007 SP2, the power scheme is set according to the configured value for "Manageability is on in the following power state" on the AMT Settings tab of the Out of Band Management Properties dialog box.
  - For Configuration Manager 2007 SP2 only, the following additional actions occur: any existing wireless profiles are deleted; any certificates related to the wireless profiles or 802.1X wired network configuration are deleted; the wireless capability of AMT is detected. The wireless profiles and the 802.1X authenticated wired network configuration are then saved to AMT.
- The out of band service point sends the results of the provisioning process to the site server, which then updates the Configuration Manager database with the following information about the AMT-based computer: the AMT status; the MEBx password; the AMT Remote Admin Password.
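The three checks the AMT firmware applies to the provisioning certificate during the TLS handshake above (CN within its DNS namespace, the provisioning OID or the Intel(R) Client Setup Certificate OU, and the root thumbprint held in firmware memory) are worked through here as an added example; this is illustrative code, not Configuration Manager's or Intel's, and it models certificates as plain records rather than parsing X.509. The OID value is the well-known Intel AMT provisioning OID; the "host within the domain" rule for the CN is an assumption of this model.

```python
import hashlib
from dataclasses import dataclass

# Identifiers the provisioning flow looks for: the Intel AMT provisioning OID
# (well-known Intel value) or the OU named in the text.
AMT_PROVISIONING_OID = "2.16.840.1.113741.1.2.3"
AMT_PROVISIONING_OU = "Intel(R) Client Setup Certificate"


@dataclass(frozen=True)
class Cert:
    """Constructed, simplified view of a certificate (no real X.509 parsing here)."""
    subject_cn: str
    subject_ou: tuple = ()   # OU values from the subject
    eku_oids: tuple = ()     # extended key usage OIDs
    der: bytes = b""         # DER bytes; only the root's are hashed for its thumbprint


def sha1_thumbprint(cert: Cert) -> str:
    # Windows-style certificate thumbprint: SHA-1 over the DER encoding
    return hashlib.sha1(cert.der).hexdigest().upper()


def cn_in_dns_namespace(cn: str, amt_domain: str) -> bool:
    # Assumed rule: the CN is the AMT-based computer's domain or a host inside it
    cn, amt_domain = cn.lower().rstrip("."), amt_domain.lower().rstrip(".")
    return cn == amt_domain or cn.endswith("." + amt_domain)


def amt_accepts_provisioning_chain(chain, amt_domain, stored_root_thumbprints):
    """Firmware-side decision: chain[0] is the provisioning certificate, chain[-1] its root.

    Returns (accepted, reason) so the failing check is visible when troubleshooting.
    """
    leaf, root = chain[0], chain[-1]
    if not cn_in_dns_namespace(leaf.subject_cn, amt_domain):
        return False, "subject CN is outside the AMT DNS namespace"
    if AMT_PROVISIONING_OID not in leaf.eku_oids and AMT_PROVISIONING_OU not in leaf.subject_ou:
        return False, "certificate carries neither the AMT provisioning OID nor the OU"
    stored = {t.replace(" ", "").upper() for t in stored_root_thumbprints}
    if sha1_thumbprint(root) not in stored:
        return False, "root thumbprint is not in AMT firmware memory"
    return True, "TLS session established"


# Constructed sample data: a root CA and a provisioning certificate issued under it
ROOT = Cert("Contoso Root CA", der=b"constructed-root-der")
LEAF = Cert("oobsp.contoso.com", eku_oids=(AMT_PROVISIONING_OID,), der=b"constructed-leaf-der")
```

A chain is accepted only when all three checks pass; swapping the root, the domain, or dropping both the OID and the OU each produces a distinct rejection reason.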
AMT Provisioning Process for In-Band Provisioning in Configuration Manager
The following flow of events occurs when an AMT-based computer is provisioned in-band by Configuration Manager, which requires the Configuration Manager 2007 SP1 client:
- The Configuration Manager 2007 SP1 or later client downloads its client policy with instructions to initiate AMT provisioning and performs the following checks:
  - The Intel HECI driver is installed.
  - The thumbprint of the AMT provisioning certificate’s root CA matches one of the root CA certificate thumbprints in the AMT memory.
- The AMT client agent on the Configuration Manager 2007 SP1 or later client generates a random one-time password (OTP), hashes it, sends the hash to the site server, and then activates the AMT network interface so that the AMT-based computer is ready for provisioning.
- The site server receives the OTP hash and sends an instruction to the out of band service point to start provisioning for the Configuration Manager 2007 SP1 or later client.
- The out of band service point retrieves the OTP hash for this AMT-based computer from the site server and compares it with the OTP hash reported by the AMT client agent to verify the identity of the AMT-based computer to be provisioned.
- The AMT-based computer sends a “Hello” message to the out of band service point once every minute for 5 minutes, then once every 5 minutes for an hour, and then once an hour for 23 hours. However, these packets are discarded by the out of band service point because the Configuration Manager 2007 SP1 or later client is installed.
- The out of band service point creates an outbound TLS connection by using the AMT provisioning certificate and the Secure Channel (Schannel) Security Support Provider (SSP). In this connection, the AMT-based computer is the server, and the out of band service point is the client. This transport layer session is established by using TLS handshaking:
  - The out of band service point sends a client “Hello” message to the AMT-based computer with a request to use SHA1.
  - The AMT-based computer sends a server “Hello” message to the out of band service point and sends its public key with a self-signed certificate.
  - The Microsoft Security Support Provider Interface (SSPI) is used to create the TLS channel.
  - The out of band service point sends its AMT provisioning certificate and its full certificate chain to the AMT-based computer, with the specific AMT provisioning OID or OU attribute of Intel(R) Client Setup Certificate.
  - The AMT-based computer checks the following for the AMT provisioning certificate and, if these successfully match, establishes the TLS session: the subject name (CN) against its own DNS namespace; the OID against the OID for AMT provisioning (or the OU attribute); and the certificate thumbprint of the root certificate from the certificate chain against the certificate thumbprint that it has stored in AMT firmware memory.
- The out of band service point establishes an application layer connection with the AMT-based computer, using HTTP Digest authentication:
  - A SOAP request is sent from the out of band service point to the AMT-based computer, without any user name and password.
  - The AMT-based computer responds to the out of band service point with an "authentication needed" response, which results in HTTP Digest authentication.
  - The out of band service point resends the SOAP request with the same payload to the AMT-based computer, this time using HTTP Digest authentication.
  - The AMT-based computer completes the authentication challenge and sends a success or failure response to the out of band service point.
- If the HTTP Digest authentication failed during the application layer connection, the out of band service point retries using another user name and password that has been configured in Configuration Manager. All user names and passwords are tried sequentially until authentication succeeds or there are no more user names and passwords.
- The out of band service point sends an instruction to the site server to create an Active Directory account in the configured Active Directory container (or OU) and to set the SPN for the AMT-based computer.
- The AMT-based computer undergoes first-stage provisioning, initiated by a SOAP request from the out of band service point:
  - The AMT time is synchronized with the Windows time from the out of band service point.
  - The AMT host name and domain are configured with the computer’s host name and domain. The computer’s host and domain name might be retrieved from system discovery or from client registration when the client is assigned to the site.
  - The requested and retrieved certificate is saved to the AMT firmware memory, and TLS authentication is enabled.
  - Configuration Manager creates a random and strong password for the AMT Remote Admin Account and stores this value in AMT.
  - Configuration Manager might reconfigure the MEBx password with the strong password configured in the Configuration Manager console, depending on whether it has been changed previously on the AMT-based computer and on the version of AMT.
  - The settings are saved in AMT firmware, and the AMT firmware state is set to the operational mode of post provisioning.
- The AMT-based computer undergoes second-stage provisioning, initiated by a Windows Remote Management (WinRM) request from the out of band service point:
  - The AMT ACLs are deleted and configured according to the AMT User Accounts and rights.
  - Kerberos is enabled. For Configuration Manager 2007 SP1, the power scheme is set to 5 (if the default of 5 is not already configured), which means that the AMT firmware has a power state of always on except for power loss. For Configuration Manager 2007 SP2, the power scheme is set according to the configured value for "Manageability is on in the following power state" on the AMT Settings tab of the Out of Band Management Properties dialog box.
  - For Configuration Manager 2007 SP2 only, the following additional actions occur: any existing wireless profiles are deleted; any certificates related to the wireless profiles or 802.1X wired network configuration are deleted; the wireless capability of AMT is detected. The wireless profiles and the 802.1X authenticated wired network configuration are then saved to AMT.
- The out of band service point sends the results of the provisioning process to the site server, which then updates the Configuration Manager database with the following information about the AMT-based computer: the AMT status; the MEBx password; the AMT Remote Admin Password.
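The application-layer exchange that both flows describe (an unauthenticated SOAP request, an "authentication needed" challenge, the same payload resent with HTTP Digest, and sequential retry through every configured user name and password) is modelled here as an added example with both sides in one script. This is illustrative code, not Configuration Manager's or Intel's: the AmtHttpListener class is a constructed stand-in for the AMT firmware's HTTP endpoint, the `/amt-soap` path is a placeholder, and the digest follows RFC 2617 with qop=auth.

```python
import hashlib
import secrets

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, password, realm, nonce, method, uri, cnonce, nc="00000001"):
    # RFC 2617 HTTP Digest with qop=auth: H(H(A1):nonce:nc:cnonce:qop:H(A2))
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class AmtHttpListener:
    """Constructed stand-in for the AMT firmware's HTTP endpoint (not Intel's code)."""
    def __init__(self, realm, accounts):
        self.realm, self.accounts = realm, accounts   # accounts: {user name: password}
        self.nonce = None
        self.failed_users = []                         # what a firmware audit log would record

    def handle(self, method, uri, authorization=None):
        if authorization is None:
            # First SOAP request carries no credentials: answer "authentication needed"
            self.nonce = secrets.token_hex(16)
            return 401, {"realm": self.realm, "nonce": self.nonce, "qop": "auth"}
        user = authorization["username"]
        # Compute the expected value even for unknown users so timing does not reveal names
        expected = digest_response(user, self.accounts.get(user, ""), self.realm,
                                   self.nonce, method, uri, authorization["cnonce"])
        if (user in self.accounts and authorization["nonce"] == self.nonce
                and secrets.compare_digest(expected, authorization["response"])):
            return 200, "SOAP payload accepted"
        self.failed_users.append(user)
        return 401, "authentication failed"

def provision_with_credentials(listener, credentials, uri="/amt-soap"):
    """Service point side: try each configured credential in order; uri is a placeholder."""
    for attempt, (user, password) in enumerate(credentials, start=1):
        _, challenge = listener.handle("POST", uri)      # unauthenticated SOAP request -> 401
        cnonce = secrets.token_hex(8)
        response = digest_response(user, password, challenge["realm"],
                                   challenge["nonce"], "POST", uri, cnonce)
        status, _ = listener.handle("POST", uri, {"username": user, "nonce": challenge["nonce"],
                                                   "cnonce": cnonce, "response": response})
        if status == 200:
            return user, attempt                          # success: stop trying
    return None, len(credentials)                         # list exhausted
```

Every rejected attempt leaves an entry in `failed_users`, which is the signal a defender would correlate with the service point's own provisioning log when the configured credential list does not match what is stored in AMT.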