The sections in this topic list the AMT provisioning events that occur during the AMT provisioning process in Configuration Manager 2007 SP1 and later, for out of band provisioning (no Configuration Manager 2007 SP1 or later client installed) and in-band provisioning (Configuration Manager 2007 SP1 or later client installed). These sections do not include the configuration actions that the Configuration Manager administrator must perform to support these processes. For configuration information, see Administrator Checklist: Enabling Out of Band Management.

Note
The information in this topic applies only to Configuration Manager 2007 SP1 and later.

The provisioning events listed are performed for every AMT-based computer that Configuration Manager provisions for AMT, irrespective of whether the computer has never been provisioned or has previously been provisioned and its provisioning information was removed (either partially or fully removed).

AMT Provisioning Process for Out of Band Provisioning in Configuration Manager

The following flow of events occurs when an AMT-based computer is provisioned out of band by Configuration Manager:

  1. On first startup from the manufacturer, the AMT-based computer sends a “Hello” message to the out of band service point (once every minute for 5 minutes, then once every 5 minutes for an hour, then once an hour for 23 hours).

  2. The out of band service point inspects the UUID and the list of certificate thumbprints in the “Hello” message. If the UUID is unknown to Configuration Manager (it has not been imported with the Import Computer for Out of Band Management Wizard), the “Hello” message is discarded.

  3. When one of the certificate thumbprints sent in the “Hello” message matches the root certificate thumbprint for the AMT provisioning certificate in its own computer store, the out of band service point creates an outbound TLS connection using the Secure Channel (Schannel) Security Support Provider (SSP). In this connection, the AMT-based computer is the server, and the out of band service point is the client. This transport layer session is established by using TLS handshaking:

    1. The out of band service point sends a client “Hello” message to the AMT-based computer with a request to use SHA1.

    2. The AMT-based computer sends a server “Hello” message to the out of band service point and sends its public key with a self-signed certificate.

    3. The Microsoft Security Support Provider Interface (SSPI) is used to create the TLS channel.

    4. The out of band service point sends its AMT provisioning certificate and its full certificate chain to the AMT-based computer, with the specific AMT provisioning OID or OU attribute of Intel(R) Client Setup Certificate.

    5. The AMT-based computer checks the following for the AMT provisioning certificate and, if these successfully match, establishes the TLS session: the subject name (CN) against its own DNS namespace; the OID against the OID for AMT provisioning (or the OU attribute); and the certificate thumbprint of the root certificate from the certificate chain against the certificate thumbprint that it has stored in AMT firmware memory.

  4. The out of band service point establishes an application layer connection with the AMT-based computer, using HTTP Digest authentication:

    1. A SOAP request is sent from the out of band service point to the AMT-based computer, without any user name and password.

    2. The AMT-based computer responds to the out of band service point with an "authentication needed" response, which results in HTTP Digest authentication.

    3. The out of band service point resends the SOAP request with the same payload to the AMT-based computer, this time using HTTP Digest authentication.

    4. The AMT-based computer completes the authentication challenge and sends a success or failure response to the out of band service point.

  5. If the HTTP Digest authentication failed during the application layer connection, the out of band service point retries using another user name and password that has been configured in Configuration Manager. All user names and passwords are tried sequentially until authentication succeeds or there are no more user names and passwords.

  6. The out of band service point sends an instruction to the site server to create an Active Directory account in the configured Active Directory container (or OU) and to set the SPN for the AMT-based computer.

  7. The AMT-based computer undergoes first-stage provisioning, initiated by a SOAP request from the out of band service point:

    1. The AMT time is synchronized with the Windows time from the out of band service point.

    2. The AMT host name and domain are configured with the computer’s host name and domain that were provided with the Import Computer for Out of Band Management Wizard.

    3. The requested and retrieved certificate is saved to the AMT firmware memory, and TLS authentication is enabled.

    4. Configuration Manager creates a random and strong password for the AMT Remote Admin Account and stores this value in AMT.

    5. Configuration Manager might reconfigure the MEBx password with the strong password configured in the Configuration Manager console, depending on whether it has been changed previously on the AMT-based computer and on the version of AMT.

    6. The settings are saved in AMT firmware, and the AMT firmware state is set to the operational mode of post provisioning.

  8. The AMT-based computer undergoes second-stage provisioning, initiated by a Windows Remote Management (WinRM) request from the out of band service point:

    1. The AMT ACLs are deleted and configured according to the AMT User Accounts and rights.

    2. The following AMT settings are enabled if they are enabled in Configuration Manager: Ping responses; Web console; serial over LAN; IDE redirection.

    3. Kerberos is enabled. For Configuration Manager 2007 SP1, the power scheme is set to 5 (unless the default of 5 is already configured), which means that the AMT firmware has a power state of always on except during power loss. For Configuration Manager 2007 SP2, the power scheme is set according to the value configured for “Manageability is on in the following power state” on the AMT Settings tab of the Out of Band Management Properties dialog box.

    4. For Configuration Manager 2007 SP2 only, the following additional actions occur: Any existing wireless profiles are deleted; any certificates related to the wireless profiles or 802.1X wired network configuration are deleted; the wireless capability of AMT is detected. The wireless profiles and the 802.1X authenticated wired network configuration are then saved to AMT.

  9. The out of band service point sends the results of the provisioning process to the site server, which then updates the Configuration Manager database with the following information about the AMT-based computer: the AMT status; the MEBx password; the AMT Remote Admin Password.
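As an added example that is not part of this documentation and not Configuration Manager code, the following Python models the two trust checks that out of band provisioning turns on: the out of band service point's filtering of the “Hello” message (steps 2 and 3 above) and the AMT firmware's validation of the provisioning certificate chain (step 3.5 above, repeated unchanged as step 6.5 of the in-band process). The AMT provisioning OID is Intel's published value; the certificates, thumbprints, UUID and host names are constructed, and the CN check is simplified to a DNS-suffix match.

```python
import hashlib
from dataclasses import dataclass

# The AMT provisioning OID is Intel's published value; every certificate,
# thumbprint, UUID and host name below is constructed for this example.
AMT_PROVISIONING_OID = "2.16.840.1.113741.1.2.3"
AMT_PROVISIONING_OU = "Intel(R) Client Setup Certificate"


@dataclass
class Cert:
    subject_cn: str
    ous: tuple = ()
    ekus: tuple = ()
    der: bytes = b""

    def thumbprint(self) -> str:
        # Windows-style thumbprint: SHA-1 over the DER encoding, upper-case hex
        return hashlib.sha1(self.der).hexdigest().upper()


def oobsp_accepts_hello(uuid, hello_thumbprints, known_uuids, provisioning_root):
    """Steps 2-3: discard a Hello whose UUID was never imported, and proceed only
    if the Hello lists the thumbprint of the root of the service point's own
    AMT provisioning certificate."""
    if uuid not in known_uuids:
        return False
    return provisioning_root.thumbprint() in hello_thumbprints


def amt_accepts_chain(chain, amt_dns_suffix, firmware_thumbprints):
    """Step 3.5 (and 6.5 in-band): the checks AMT firmware applies to the
    presented chain (leaf first, root last) before completing the TLS session."""
    leaf, root = chain[0], chain[-1]
    # Subject CN must lie inside the AMT-based computer's DNS namespace
    # (simplified here to a domain-suffix match)
    if not leaf.subject_cn.lower().endswith("." + amt_dns_suffix.lower()):
        return False
    # Provisioning marker: the AMT provisioning OID in EKU, or the OU attribute
    if AMT_PROVISIONING_OID not in leaf.ekus and AMT_PROVISIONING_OU not in leaf.ous:
        return False
    # Root thumbprint must be one of the hashes held in AMT firmware memory
    return root.thumbprint() in firmware_thumbprints


# Constructed sample: one imported computer, one provisioning certificate chain
ROOT = Cert("Contoso Root CA", der=b"constructed-root-der")
LEAF = Cert("oobsp.contoso.com", ous=(AMT_PROVISIONING_OU,), der=b"constructed-leaf-der")
IMPORTED_UUIDS = {"11111111-2222-3333-4444-555555555555"}
FIRMWARE_HASHES = {ROOT.thumbprint(), "00" * 20}  # hash list AMT sends in its Hello
```

A mismatch in any one of the three firmware checks makes the AMT-based computer refuse the TLS session, so a provisioning certificate issued under a root whose hash is not in firmware, or whose CN is outside the computer's DNS suffix, never reaches the HTTP Digest stage.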

AMT Provisioning Process for In-Band Provisioning in Configuration Manager

The following flow of events occurs when an AMT-based computer is provisioned in-band by Configuration Manager, which requires the Configuration Manager 2007 SP1 client:

  1. The Configuration Manager 2007 SP1 or later client downloads its client policy with instructions to initiate AMT provisioning and performs the following checks:

    1. The Intel HECI driver is installed.

    2. The thumbprint of the AMT provisioning certificate’s root CA matches one of the root CA certificate thumbprints in the AMT memory.

  2. The AMT client agent on the Configuration Manager 2007 SP1 or later client generates a random one-time password (OTP), hashes it, sends the hash to the site server, and then activates the AMT network interface so that the AMT-based computer is ready for provisioning.

  3. The site server receives the OTP hash and sends an instruction to the out of band service point to start provisioning for the Configuration Manager 2007 SP1 or later client.

  4. The out of band service point retrieves the OTP hash for this AMT-based computer from the site server and compares it with the OTP hash reported by the AMT client agent to verify the identity of the AMT-based computer to be provisioned.

  5. The AMT-based computer sends a “Hello” message to the out of band service point once every minute for 5 minutes, then once every 5 minutes for an hour, and then once an hour for 23 hours. However, these packets are discarded by the out of band service point because the Configuration Manager 2007 SP1 or later client is installed.

  6. The out of band service point creates an outbound TLS connection by using the AMT provisioning certificate and the Secure Channel (Schannel) Security Support Provider (SSP). In this connection, the AMT-based computer is the server, and the out of band service point is the client. This transport layer session is established by using TLS handshaking:

    1. The out of band service point sends a client “Hello” message to the AMT-based computer with a request to use SHA1.

    2. The AMT-based computer sends a server “Hello” message to the out of band service point and sends its public key with a self-signed certificate.

    3. The Microsoft Security Support Provider Interface (SSPI) is used to create the TLS channel.

    4. The out of band service point sends its AMT provisioning certificate and its full certificate chain to the AMT-based computer, with the specific AMT provisioning OID or OU attribute of Intel(R) Client Setup Certificate.

    5. The AMT-based computer checks the following for the AMT provisioning certificate and, if these successfully match, establishes the TLS session: the subject name (CN) against its own DNS namespace; the OID against the OID for AMT provisioning (or the OU attribute); and the certificate thumbprint of the root certificate from the certificate chain against the certificate thumbprint that it has stored in AMT firmware memory.

  7. The out of band service point establishes an application layer connection with the AMT-based computer, using HTTP Digest authentication:

    1. A SOAP request is sent from the out of band service point to the AMT-based computer, without any user name and password.

    2. The AMT-based computer responds to the out of band service point with an "authentication needed" response, which results in HTTP Digest authentication.

    3. The out of band service point resends the SOAP request with the same payload to the AMT-based computer, this time using HTTP Digest authentication.

    4. The AMT-based computer completes the authentication challenge and sends a success or failure response to the out of band service point.

  8. If the HTTP Digest authentication failed during the application layer connection, the out of band service point retries using another user name and password that has been configured in Configuration Manager. All user names and passwords are tried sequentially until authentication succeeds or there are no more user names and passwords.

  9. The out of band service point sends an instruction to the site server to create an Active Directory account in the configured Active Directory container (or OU) and to set the SPN for the AMT-based computer.

  10. The AMT-based computer undergoes first-stage provisioning, initiated by a SOAP request from the out of band service point:

    1. The AMT time is synchronized with the Windows time from the out of band service point.

    2. The AMT host name and domain are configured with the computer’s host name and domain. The computer’s host and domain name might be retrieved from system discovery or from client registration when the client is assigned to the site.

    3. The requested and retrieved certificate is saved to the AMT firmware memory, and TLS authentication is enabled.

    4. Configuration Manager creates a random and strong password for the AMT Remote Admin Account and stores this value in AMT.

    5. Configuration Manager might reconfigure the MEBx password with the strong password configured in the Configuration Manager console, depending on whether it has been changed previously on the AMT-based computer and on the version of AMT.

    6. The settings are saved in AMT firmware, and the AMT firmware state is set to the operational mode of post provisioning.

  11. The AMT-based computer undergoes second-stage provisioning, initiated by a Windows Remote Management (WinRM) request from the out of band service point:

    1. The AMT ACLs are deleted and configured according to the AMT User Accounts and rights.

    2. Kerberos is enabled. For Configuration Manager 2007 SP1, the power scheme is set to 5 (unless the default of 5 is already configured), which means that the AMT firmware has a power state of always on except during power loss. For Configuration Manager 2007 SP2, the power scheme is set according to the value configured for “Manageability is on in the following power state” on the AMT Settings tab of the Out of Band Management Properties dialog box.

    3. For Configuration Manager 2007 SP2 only, the following additional actions occur: Any existing wireless profiles are deleted; any certificates related to the wireless profiles or 802.1X wired network configuration are deleted; the wireless capability of AMT is detected. The wireless profiles and the 802.1X authenticated wired network configuration are then saved to AMT.

  12. The out of band service point sends the results of the provisioning process to the site server, which then updates the Configuration Manager database with the following information about the AMT-based computer: the AMT status; the MEBx password; the AMT Remote Admin Password.