This topic provides details about the deployment and usage of the Configuration Manager 2007 SP1 and later public key infrastructure (PKI) certificates used with out of band management and covers the following areas:

Note
The information in this topic applies only to Configuration Manager 2007 SP1 and later.

For a list of the certificate requirements, see Certificate Requirements for Out of Band Management.

For a step-by-step example deployment, see the following:

Certification Authority Requirements for Out of Band Management

The certificate deployment requirements for AMT provisioning include automatically approved certificates, so that the site server can request and immediately retrieve a certificate for each AMT-based computer that it provisions. To help secure automatic approval, security controls are required to help ensure that only trusted computers request certificates. The use of certificate templates with a Microsoft enterprise certification authority (CA) provides this level of security control through the access permissions on the certificate templates. Although you can automatically approve all certificate requests with a stand-alone Microsoft CA, this solution does not offer any security controls and is not supported with out of band management in Configuration Manager 2007 SP1 and later.

A Microsoft enterprise CA supports the following versions of certificate templates:

  • Version 1 was introduced with Windows Server 2000 and is supported with all server editions of Windows Server 2003 and Windows Server 2008.

  • Version 2 was introduced with Windows Server 2003 and is supported with the Enterprise and Datacenter Editions of Windows Server 2003 and Windows Server 2008. Version 2 templates are not supported with the Standard Editions of Windows Server 2003 and Windows Server 2008.

  • Version 3 was introduced with Windows Server 2008 and is supported with the Enterprise and Datacenter Editions of Windows Server 2008. However, these certificate templates create certificates that are not compatible with Configuration Manager and must not be used for either out of band management or native mode.

You can see the different template versions in the Certificate Templates MMC by referencing the Minimum Supported CAs column: version 1 templates are listed as Windows 2000, version 2 templates are listed as Windows Server 2003, Enterprise Edition, and version 3 templates are listed as Windows Server 2008.

Version 1 certificate templates allow you to configure the security permissions that help to secure who can read, enroll, and manage the templates. However, to change any other properties of the certificate template, such as its name, its intended purpose, and its validity period, you must use version 2 or version 3 templates.

Customizing the certificate templates for out of band management is recommended and might be required to deploy the provisioning certificate, as outlined in the following sections. Using a dedicated certificate template for all the certificates used by out of band management is a security best practice. Any template customization requires that the CA is running the Enterprise Edition of the Windows Server operating system.

Certificate Template Versions and the Provisioning Certificate

The provisioning certificate installed in each site that will manage AMT-based computers out of band often requires a specific object identifier (OID) that does not exist in the default certificate templates, in addition to the server authentication capability (OID 1.3.6.1.5.5.7.3.1). This means that an existing certificate template must be modified to include the custom object identifier. To do this, use a version 2 certificate template, because Configuration Manager does not support certificates that are created with a version 3 template. A version 2 template is not supported with the Standard Editions of Windows Server 2003 or Windows Server 2008.

However, if you are using an external CA for the provisioning certificate and the company provides its own method of requesting the certificate (for example, connecting to their Web enrollment site), you do not need to use a certificate template for the provisioning certificate.

If you are using an external CA that requires you to submit your request by using a certificate request file or if you are using your own internal CA to supply the provisioning certificate, you cannot use a version 1 certificate template when the certificate contains the custom OID. Instead, you must use a version 2 template so that it can be modified to include the custom OID. For an example deployment for submitting a certificate request to an external CA and using your own internal CA, see Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management: Windows Server 2003 Certification Authority.

Certificate Template Versions and the Certificates for AMT-Based Computers

Each AMT-based computer requires a certificate that is installed in the management controller memory, and this certificate requires server authentication capability only (OID 1.3.6.1.5.5.7.3.1). This requirement matches the default version 1 template named Web Server. You could therefore use the Web Server template, modifying only the security permissions so that the site server can read and enroll using this template.

However, if you duplicate the Web Server template, you have more control over the certificate that is used because you can change the name and description to identify that it is being used with out of band management. You can also change properties of the certificate, such as its validity period and the key size. Because of the greater control offered by version 2 templates, these templates are recommended for out of band management. Using these templates requires the Enterprise Edition of the Windows Server operating system.

If you require a client certificate for 802.1X authenticated wired and wireless networks for Configuration Manager 2007 SP2, this also requires the Enterprise Edition of the Windows Server operating system. For more information about this certificate, see The Optional Client Certificate for AMT-Based Computers in Configuration Manager 2007 SP2 Only.

The AMT Provisioning Certificate

The following sections provide information about whether you can use your own internal CA or must use an external CA to request the provisioning certificate, and information about the certificate Subject name requirements.

Choosing Between an External CA and Using Your Internal CA

Configuration Manager cannot manage AMT-based computers out of band until they are provisioned. By default, AMT-based computers are configured by the computer manufacturer to use external certification authorities (CAs), such as VeriSign, Go Daddy, Comodo, and Starfield. If you purchase a provisioning certificate from one of the external CAs and configure Configuration Manager to use this provisioning certificate, AMT-based computers will trust the CA of the provisioning certificate and provisioning can succeed.

If you plan to use your internal CA to supply the provisioning certificate, one of the following conditions must be true:

  • Your computer supplier provided you with a customized firmware image that includes the certificate thumbprint of your internal root certificate. This is recommended for security reasons, to help protect against rogue provisioning servers. For more information about using a customized firmware image, see Decide Whether You Need a Customized Firmware Image From Your Computer Manufacturer.

  • You will manually add the certificate thumbprint of your internal root certificate to each computer that will be provisioned for out of band management in Configuration Manager 2007 SP1 or later. Refer to your computer manufacturer instructions for information about how to configure the AMT certificate hash option with your certificate thumbprint value.

If you need more information about how to locate the certificate thumbprint of your internal root certificate, see How to Locate the Certificate Thumbprint of Your Internal Root Certificate for AMT Provisioning.

Certificate Subject Name Requirements

During the AMT provisioning process, Configuration Manager configures the host name and DNS suffix in the AMT BIOS extensions with the FQDN of the AMT-based computer retrieved from the Configuration Manager database. The DNS suffix is then checked against the subject name in the provisioning certificate. The subject name in the provisioning certificate contains the FQDN of the site system server configured with the out of band service point role.

If the FQDN of the AMT-based computer shares the same namespace as the FQDN specified in the AMT provisioning certificate, AMT provisioning succeeds. If the FQDN of the AMT-based computer does not share the same namespace as the FQDN specified in the AMT provisioning certificate, AMT provisioning fails.

The following are examples of when the AMT-based computer shares the same namespace as the out of band service point:

  • The FQDN of the AMT-based computer is computer1.contoso.com, and the FQDN of the out of band service point is server1.contoso.com.

  • The FQDN of the AMT-based computer is computer1.sales.contoso.com, and the FQDN of the out of band service point is server1.contoso.com.

  • The FQDN of the AMT-based computer is computer1.sales.contoso.com, and the FQDN of the out of band service point is server1.marketing.contoso.com.

In the preceding examples, the AMT-based computer and the out of band service point share the contoso.com namespace.

The following are examples of when the AMT-based computer does not share the same namespace as the out of band service point:

  • The FQDN of the AMT-based computer is computer1.contoso.com, and the FQDN of the out of band service point is server1.northwindtraders.com.

  • The FQDN of the AMT-based computer is computer1.northwindtraders.com, and the FQDN of the out of band service point is server1.contoso.com.

In the preceding examples, the AMT-based computer and the out of band service point do not share a common namespace. Consequently, AMT provisioning will fail, even if both computers belong to the same Active Directory forest. Additionally, out of band management does not support a disjointed namespace. For example, an AMT-based computer that has an FQDN of computer1.contoso.com but resides in the Active Directory domain named na.corp.contoso.com cannot be successfully provisioned by out of band management.
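The namespace rule in the preceding examples, as an added check that is not part of the original documentation. It assumes that two names share a namespace when their DNS suffixes end in a common DNS tree of at least two labels (such as contoso.com), and that a disjoint namespace means the computer's DNS suffix differs from the DNS name of its Active Directory domain; the function and parameter names are the example's own.

```python
"""Namespace check mirroring the AMT provisioning rule described above.

Added example; not code from Configuration Manager. Assumption: two FQDNs share
a namespace when their DNS suffixes (everything after the host label) end in a
common DNS tree of at least two labels, such as contoso.com.
"""
from typing import List, Optional


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def dns_suffix(fqdn: str) -> str:
    """The DNS suffix that provisioning writes to the AMT BIOS extensions:
    the FQDN without its host label (computer1.sales.contoso.com -> sales.contoso.com)."""
    return ".".join(_labels(fqdn)[1:])


def common_tree(amt_fqdn: str, oob_service_point_fqdn: str) -> Optional[str]:
    """Longest DNS tree shared by both suffixes, or None if fewer than two labels match.
    A single shared top-level label such as 'com' is not a shared namespace."""
    shared = []
    for a, b in zip(reversed(_labels(dns_suffix(amt_fqdn))),
                    reversed(_labels(dns_suffix(oob_service_point_fqdn)))):
        if a != b:
            break
        shared.append(a)
    return ".".join(reversed(shared)) if len(shared) >= 2 else None


def shares_namespace(amt_fqdn: str, oob_service_point_fqdn: str) -> bool:
    """True when the namespace rule alone would allow provisioning to succeed."""
    return common_tree(amt_fqdn, oob_service_point_fqdn) is not None


def is_disjoint_namespace(amt_fqdn: str, ad_domain_dns_name: str) -> bool:
    """True when the computer's DNS suffix is not the DNS name of its AD domain,
    e.g. computer1.contoso.com joined to na.corp.contoso.com (assumed definition)."""
    return _labels(dns_suffix(amt_fqdn)) != _labels(ad_domain_dns_name)


def provisioning_name_problems(amt_fqdn: str, oob_service_point_fqdn: str,
                               ad_domain_dns_name: Optional[str] = None) -> List[str]:
    """Reasons the names would make AMT provisioning fail; an empty list means none found."""
    problems = []
    if not shares_namespace(amt_fqdn, oob_service_point_fqdn):
        problems.append(f"{amt_fqdn} and {oob_service_point_fqdn} do not share a DNS tree")
    if ad_domain_dns_name and is_disjoint_namespace(amt_fqdn, ad_domain_dns_name):
        problems.append(f"{amt_fqdn} is a disjoint namespace within AD domain {ad_domain_dns_name}")
    return problems


if __name__ == "__main__":
    # Pairs taken from the examples in the documentation above.
    pairs = [("computer1.contoso.com", "server1.contoso.com"),
             ("computer1.sales.contoso.com", "server1.marketing.contoso.com"),
             ("computer1.contoso.com", "server1.northwindtraders.com")]
    for amt, oob in pairs:
        print(amt, oob, "->", common_tree(amt, oob))
```

Run it against the names you plan to provision before ordering or requesting the provisioning certificate; a non-empty problem list means the computer cannot be provisioned regardless of forest membership.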

The provisioning certificate is installed on the out of band service point site system server, and this server's FQDN must be supplied in the provisioning certificate's subject name. If you are using your own internal CA to supply the provisioning certificate, the FQDN of the out of band service point site system server can be automatically configured with the certificate request. For more information, see Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management: Windows Server 2003 Certification Authority.

Important
You cannot provision AMT-based computers if they do not share the same namespace as the out of band service point. This means that AMT-based computers from a different Active Directory forest cannot be provisioned, and forests with a noncontiguous namespace will be unable to use out of band management unless the AMT-based computers and out of band service point belong to the same DNS tree. Disjointed namespaces within the same tree are also not supported.

Renewing the AMT Provisioning Certificate

Because an expired AMT provisioning certificate will result in provisioning failure, ensure that you renew your AMT provisioning certificate and configure out of band management with the new certificate before the original expires. Ensure that you request a new certificate well before the existing certificate expires, which is particularly important if you are using an external CA for your provisioning certificate.

To help you identify when the AMT provisioning certificate is about to expire, Configuration Manager generates a warning status message with ID 7210 when the provisioning certificate in use is 40 days or less from expiration. This status message will be repeated once a day until the certificate is replaced with a validity period greater than 40 days or until the validity period is less than 15 days. When the validity period is less than 15 days, an error status message with ID 7211 is generated until the certificate is replaced with a validity period greater than 15 days.

Note
You must configure the out of band management component configuration properties with the new certificate. Installing the new certificate into the Certificates local store in the out of band service point site system computer is not sufficient. For more information, see How to Configure AMT Provisioning.

For more information about using status messages to monitor out of band management, see How to Monitor Out of Band Management.

For more information about site status configuration, see How to Configure Site Status Configuration.

The Web Server Certificate for AMT-Based Computers

Although it is more typical to think of workstation computers as clients of a Web site hosted on a server, the opposite is true with out of band management. The AMT-based computers run a Web server component within their firmware, and the computers that manage them (the out of band service point, and any computer running the out of band management console) act as the clients.

The certificate installed in the AMT memory requires server authentication capability so that it is authenticated to the computers that manage it and so that data sent between them is encrypted using transport layer security (TLS). TLS is an industry standard protocol closely related to SSL 3.0 and helps to secure against message tampering, interception, and forgery. For more information about TLS, see http://go.microsoft.com/fwlink/?LinkId=108709.

Out of band management does not use mutual PKI authentication; although the AMT-based computer is authenticated to the computer managing it, there is no corresponding client PKI certificate on the computer managing it. Instead, these communications are secured using a TLS connection and the following user accounts:

  • Windows user accounts using Kerberos authentication to run the out of band management console.

  • AMT Provisioning and Discovery Accounts using HTTP Digest authentication.

  • AMT MEBx Account using HTTP Digest authentication.

  • AMT User Accounts using Kerberos authentication.

  • AMT Remote Admin Account using HTTP Digest authentication.

Renewing the Web Server Certificate for AMT-Based Computers

An expired Web server certificate that is not renewed for AMT-based computers will result in Configuration Manager being unable to manage that computer out of band.

Configuration Manager monitors the certificates that it deploys to the AMT-based computers and automatically requests a new certificate before the original certificate expires. This helps to ensure seamless continuity and a sufficient grace period if the issuing CA cannot be immediately contacted.

When you install an out of band service point, an out of band management maintenance task is automatically enabled that periodically checks the remaining validity period of certificates that it has issued to AMT-based computers. It makes this check every 7 days and requests a new certificate when the expiration period is 42 days or less.
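An added expiry monitor, not code from Configuration Manager, that reproduces the thresholds stated in this section and in the earlier section on renewing the provisioning certificate: warning status message 7210 at 40 days or less, error 7211 below 15 days, and the maintenance task running every 7 days and renewing AMT certificates at 42 days or less. The record fields, function names and ISO date strings are this example's own.

```python
"""Expiry monitor for the certificates that out of band management depends on.

Added example; not code from Configuration Manager. Reproduces the documented
thresholds: status message 7210 at 40 days or less, 7211 below 15 days, and a
maintenance task that runs every 7 days and renews at 42 days or less.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

PROV_WARNING_DAYS = 40    # warning status message 7210 at this many days or less
PROV_ERROR_DAYS = 15      # error status message 7211 below this many days
MAINT_INTERVAL_DAYS = 7   # cadence of the AMT certificate maintenance task
MAINT_RENEW_DAYS = 42     # renew when remaining validity is this or less


@dataclass
class CertRecord:
    subject: str
    role: str           # "provisioning", "webserver" or "client"
    not_after: str      # ISO date, e.g. "2010-02-10" (constructed sample values)


def days_remaining(cert: CertRecord, on: str) -> int:
    return (date.fromisoformat(cert.not_after) - date.fromisoformat(on)).days


def provisioning_status_message(remaining_days: int) -> Optional[int]:
    """Status message ID raised for the provisioning certificate, or None."""
    if remaining_days < PROV_ERROR_DAYS:
        return 7211
    if remaining_days <= PROV_WARNING_DAYS:
        return 7210
    return None


def next_maintenance_run(last_run: str, today: str,
                         interval: int = MAINT_INTERVAL_DAYS) -> str:
    """First scheduled run on or after today, given the date of the last run."""
    run = date.fromisoformat(last_run)
    today_d = date.fromisoformat(today)
    while run < today_d:
        run += timedelta(days=interval)
    return run.isoformat()


def will_renew_at_next_run(cert: CertRecord, today: str, last_run: str) -> bool:
    """Whether the next maintenance run will revoke (Superseded) and re-request this cert."""
    return days_remaining(cert, next_maintenance_run(last_run, today)) <= MAINT_RENEW_DAYS


def worst_case_renewal_lead_days(interval: int = MAINT_INTERVAL_DAYS,
                                 threshold: int = MAINT_RENEW_DAYS) -> int:
    """Fewest days before expiry at which an AMT certificate is renewed: a cert just
    above the threshold at one run is caught at the next run, interval days later."""
    return threshold - interval + 1


def expiry_report(certs: List[CertRecord], today: str, last_run: str) -> List[Tuple[str, str]]:
    """One (subject, expected action) pair per certificate."""
    report = []
    for cert in certs:
        remaining = days_remaining(cert, today)
        if remaining < 0:
            action = "EXPIRED: out of band management fails until replaced"
        elif cert.role == "provisioning":
            msg = provisioning_status_message(remaining)
            action = f"status message {msg}" if msg else "ok"
        else:
            renew = will_renew_at_next_run(cert, today, last_run)
            action = "renew at next maintenance run" if renew else "ok"
        report.append((cert.subject, action))
    return report
```

With the default 7-day interval and 42-day threshold, an AMT certificate is renewed no later than 36 days before it expires, which is the grace period the maintenance task leaves if the issuing CA is unreachable.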

If you need to adjust these settings or initiate a check for certificates that are near expiration, see How to Customize Maintenance Tasks for Out of Band Management.

Note
If the out of band service point in Configuration Manager 2007 SP2 connects to an AMT-based computer by using a wireless network connection, certificate renewal is not possible.

The Optional Client Certificate for AMT-Based Computers in Configuration Manager 2007 SP2 Only

Configuration Manager 2007 SP2 supports out of band management on 802.1X authenticated wired networks and wireless networks. In these scenarios, a client certificate might be required by the AMT-based computer for authentication to the RADIUS server. When the RADIUS server is configured for EAP-TLS authentication, a client certificate is always required. When the RADIUS server is configured for EAP-TTLS/MSCHAPv2 or PEAPv0/EAP-MSCHAPv2, the RADIUS configuration specifies whether a client certificate is required or not.

The site server requests client certificates for AMT-based computers during the provisioning process, or if the AMT-based computer is already provisioned without a valid client certificate and you update the management controller on a wired connection. You can specify a single client certificate template to be used when you configure support for 802.1X authenticated wired networks and up to 8 different client certificate templates to be used when you configure support for different wireless networks. However, as a security best practice and to ease administration, specify the same certificate template unless you have a good business reason to use different client certificates (such as different key sizes and validity dates, or a different root CA). This additional certificate, also installed in the AMT memory, requires client authentication capability only (OID 1.3.6.1.5.5.7.3.2) so that the AMT-based computer can be authenticated to the RADIUS server. After authentication succeeds, the AMT-based computer can be authorized and configured for network access. This certificate is never used to authenticate the computer to the Configuration Manager infrastructure.

When more than one client certificate is requested for a single AMT-based computer, AMT keeps track of each certificate so that the correct client certificate is used with the corresponding configuration. For example, if you specify a second wireless profile and configure it to use a different certificate template from the one specified in the first wireless profile, the certificate requested and installed for the second wireless profile will never be used when the AMT-based computer connects to a wireless network by using the first wireless profile.

In addition to the client authentication capability in the certificate template, it must also specify Supply in the request so that the site server requesting the certificates can supply the FQDN of each AMT-based computer. You must use a customized certificate template to configure a certificate template that has both client authentication capability and Supply in the request. The closest certificate template to use is Workstation Authentication, which you can duplicate and then customize for the certificate subject configuration and modify the security permissions. Configuring a duplicate certificate template requires the Enterprise Edition of the Windows Server operating system. For more information about how to configure an example certificate template for the optional client authentication certificate, see the step-by-step example deployments referenced at the beginning of this topic.

Renewing the Client Certificate for AMT-Based Computers

An expired client certificate that is not renewed for AMT-based computers will result in Configuration Manager being unable to manage that computer out of band by using the associated 802.1X authenticated wired network or wireless networks.

In addition to monitoring the Web server certificates that it deploys to AMT-based computers, Configuration Manager monitors all client certificates that it deploys and automatically requests new certificates before the originals expire. For more information about certificate renewal for out of band management, see the previous section for renewing the Web server certificate for AMT-based computers.

CRL Checking and Certificate Revocation for Out of Band Management Certificates

The following sections cover certificate revocation and certificate revocation list (CRL) checking for the provisioning certificate on the out of band service point, the Web server certificate on the AMT-based computers, and the optional client certificate on the AMT-based computers in Configuration Manager 2007 SP2.

CRL Checking for the Provisioning Certificate

AMT-based computers do not support downloading a certificate revocation list (CRL) to check whether the provisioning certificate is revoked. This means that AMT-based computers will still accept a provisioning certificate that has been revoked by the issuing CA. If you know that the provisioning certificate has been revoked, delete it from the certificate store on the out of band service point site system server. Then deploy a new provisioning certificate, and configure it in the out of band management component properties. If you cannot immediately deploy a valid AMT provisioning certificate, remove the out of band service point role until you have a replacement certificate.

CRL Checking for the Web Server Certificate

CRL checking by the Configuration Manager computers that connect to the AMT-based computers (the out of band service point site system, and any computer running the out of band management console) is performed by Windows Remote Management (WinRM). Versions of WinRM that are natively installed with operating systems prior to Windows Server 2008 R2 and Windows 7 do not support CRL checking. Versions of WinRM that are installed with Windows Server 2008 R2 and Windows 7 do support CRL checking. You might also be able to download and install later versions of WinRM that support CRL checking for earlier operating systems.

The different versions of WinRM and their capability to support CRL checking result in the following behavior with out of band management:

  • When CRL checking is not supported by the out of band service point site system and any computer running the out of band management console, these computers will still accept a Web server certificate that has been revoked for an AMT-based computer.

  • When CRL checking is supported by the out of band service point site system and any computer running the out of band management console, these computers will not accept a Web server certificate that has been revoked for an AMT-based computer. Additionally, as further protection against untrusted certificates, out of band management communication will fail in these scenarios if the CRL cannot be accessed (for example, because the CRL distribution point is offline or network communication problems prevent access).

Note
Typically, computers that do not perform CRL checking are running operating systems prior to Windows Server 2008 R2 and Windows 7.

The Web server certificate issued to each AMT-based computer during the provisioning process is automatically revoked by Configuration Manager in the following scenarios:

  • You remove the provisioning information from the computer, using Configuration Manager. The site server revokes the certificate with the revocation reason of Superseded.

  • You provision the computer and Configuration Manager discovers a certificate previously issued to the same AMT-based computer. This might happen if the AMT-based computer is locally configured with the option to remove provisioning configuration in the BIOS extensions. The site server revokes the certificate with the revocation reason of Superseded and requests a new certificate.

  • The out of band management maintenance task Evaluate Provisioned AMT Computer Certificates runs according to its configured schedule. When a certificate is found to be within the configured expiration period for renewal, the site server revokes the certificate with the revocation reason of Superseded and requests a new certificate. For more information about this maintenance task, see the previous section “Renewing the Web Server Certificate for AMT-Based Computers.”

  • For Configuration Manager 2007 SP2 only: You block a Configuration Manager client that is provisioned for AMT. The site server revokes the certificate with the revocation reason of Superseded. For more information about this scenario, see About Blocking Clients and Out of Band Management.

The Web server certificate is not revoked when you update the data in the management controller.

The primary site server computer must have the permission Issue and Manage Certificate on the issuing certification authority.

Important
Make sure that you communicate to your PKI administrators the circumstances in which the Web server certificates can be automatically revoked by Configuration Manager. Explain that this action is an expected process for certificate management rather than denoting a security problem with the AMT-based computers.

CRL Checking for the Optional Client Certificate

The optional client certificate is used for authentication to a RADIUS server and is never used to authenticate to the Configuration Manager infrastructure. This means that it is the RADIUS server that performs CRL checking for this client certificate. Consult the documentation for your RADIUS solution about whether CRL checking is supported and the resulting behavior for AMT-based computers if their client certificate is revoked or the CRL cannot be accessed.

Note
Microsoft RADIUS solutions perform CRL checking. For example, Network Policy Server on Windows Server 2008 performs CRL checking for AMT-based computers and rejects connection requests when the client certificate is revoked or cannot be verified because the CRL is not accessible.

The client certificates issued to each AMT-based computer are automatically revoked by Configuration Manager and with the same revocation reason of Superseded for the same scenarios as it revokes the Web server certificate. Additionally, depending on your configuration, a client certificate (or multiple client certificates) might be revoked whenever you update the management controller and you have configured the client certificate template on the Configuration Manager 802.1X wired network configuration or for one of the wireless profiles.

Important
Make sure that you communicate to your PKI administrators the circumstances in which the client certificates can be automatically revoked by Configuration Manager. Explain that this action is an expected process for certificate management rather than denoting a security problem with the AMT-based computers.

See Also