Overview of Out of Band Management

Out of band management in Configuration Manager 2007 provides powerful management control for computers that have the Intel vPro chip set and a version of the Intel Active Management Technology (Intel AMT) that is supported by Configuration Manager. For more information about supported AMT versions, see Configuration Manager 2007 SP1 Supported Configurations and Configuration Manager 2007 SP2 Supported Configurations.

Note
The information in this topic applies only to Configuration Manager 2007 SP1 and later.

Out of band management allows an administrator to connect to a computer's management controller when the computer is turned off, in sleep or hibernate modes, or otherwise unresponsive through the operating system. By way of contrast, in-band management is the classic approach used by Configuration Manager and its predecessors whereby an agent runs in the full operating system on the managed computer and the management controller accomplishes tasks by communicating with the management agent.

Out of band management supplements in-band management. While in-band management supports a wider range of operations because its environment is the full operating system, in-band management might not be functional if the operating system is not present or is not operational. In these situations, the supplementary capabilities of out of band management allow administrators to manage these computers without requiring local access to the computer.

Out of band management tasks include the following:

Powering on one or many computers (for example, for maintenance on computers outside business hours).
Powering off one or many computers (for example, the operating system stops responding).
Restarting a nonfunctioning computer or booting from a locally connected device or known good boot image file.
Re-imaging a computer by booting from a boot image file that is located on the network or by using a PXE server.
Reconfiguring the BIOS settings on a selected computer (and bypassing the BIOS password if this is supported by the BIOS manufacturer).
Booting to a command-based operating system to run commands, repair utilities, or diagnostic applications (for example, upgrading the firmware or running a disk repair utility).
Configuring scheduled software update deployments and advertisements to wake up computers prior to running.

If you are using Configuration Manager 2007 SP1, these out of band management tasks are natively supported on an unauthenticated, wired connection. However, with Configuration Manager 2007 SP2 and later, they are also supported on an authenticated 802.1X wired connection and wireless connection. Configuration Manager 2007 SP2 also has the following additional features:

Auditing for selected AMT features.
Support for different power states, to help conserve power consumption and adherence to IT policy.
Data storage in AMT, where up to 4096 bytes in ASCII characters can be saved in the nonvolatile random access memory (NVRAM) of the management controller.

For example scenarios of how out of band management can be used, see Example Scenarios for Using Out of Band Management.

Some of the preceding tasks are performed from the Configuration Manager console, while others require running the out of band management console that is supplied with Configuration Manager 2007 SP1 and later. Out of band management uses Windows remote management technology (WS-MAN) to connect to the management controller on a computer.

Note
Out of band management is not supported for clients that are managed over the Internet with Internet-based client management. Additionally, Configuration Manager clients that are blocked by a Configuration Manager 2007 SP1 site continue to accept out of band management communication. Configuration Manager clients that are blocked by a Configuration Manager 2007 SP2 site cannot be managed out of band.

Note

Out of band management is not supported for clients that are managed over the Internet with Internet-based client management. Additionally, Configuration Manager clients that are blocked by a Configuration Manager 2007 SP1 site continue to accept out of band management communication. Configuration Manager clients that are blocked by a Configuration Manager 2007 SP2 site cannot be managed out of band.

The following table outlines the options and features that out of band management provides in Configuration Manager 2007 SP1 and later.

Feature or Scenario

More Information

Security-based management

Out of band management integrates with an internal public key infrastructure (PKI), using the following certificates:

A provisioning certificate that is installed on the out of band service point that allows computers to be configured for out of band management.
A Web server certificate that is installed on each computer that will be managed out of band so that communication is authenticated and is encrypted using Transport Layer Security (TLS).
For Configuration Manager 2007 SP2 only: Client certificates, if required for 802.1X authentication.

For more information about these certificates, see Certificate Requirements for Out of Band Management and About Certificates for Out of Band Management.

Administrators must be authenticated by using Kerberos before they can manage computers out of band.

Out of band management activity is recorded and auditable. Configuration Manager 2007 SP2 supports an audit log on AMT-based computers. For more information, see How to Configure AMT Auditing and How to Manage the Audit Log for AMT-Based Computers.

For Configuration Manager 2007 SP2 only: Support for 802.1X authenticated wired networks and wireless networks:

Authenticated wired 802.1X support: client authentication options of EAP-TLS or EAP-TTLS/MSCHAPv2 or PEAPv0/EAP-MSCHAPv2.
Wireless support: WPA and WPA2 security, AES or TKIP encryption, client authentication options of EAP-TLS or EAP-TTLS/MSCHAPv2 or PEAPv0/EAP-MSCHAPv2.

For more information about configuring AMT-based computers for 802.1X authenticated wired networks and wireless networks, see How to Configure AMT-Based Computers for 802.1X Authenticated Wired and Wireless Networks.

AMT provisioning

Enables and configures AMT-based computers for out of band management. Supported scenarios include the following:

Automatic provisioning out of band for new computers that do not have the client installed for Configuration Manager 2007 SP1 and later.
Automatic provisioning in-band for computers running the client for Configuration Manager 2007 SP1 and later.

For more information, see the following topics:

Enhanced inventory data

Provides hardware inventory data from the AMT chip, such as asset tag, BIOS UUID, power state, processor, memory, and drive information.

Enhanced network discovery method

Identifies computers with a management controller and its provisioning status.

This information can be used to build query-based collections to group computers for out of band management activities, such as provisioning and power control.

For more information, see How to Discover Computers with Management Controllers.

Power control

Enables power on, power off, and restart capabilities for a single computer or selected computers in a collection. Additionally, in Configuration Manager 2007 SP2, power control is available for a collection.

Computers can also be woken up by scheduled mandatory advertisements and software update deployments with a deadline.

For more information, see the following topics:

Out of band management console

A dedicated management console that is run from the Configuration Manager console or from a command prompt to initiate out of band management tasks, including IDE redirection and serial-over-LAN sessions.

Note
Capabilities might vary depending on the manufacturer of the managed computer. For example, IDE redirection and serial-over-LAN capability can be disabled by the manufacturer.

For more information, see the following topics:

IDE redirection

Enables the computer to boot from a boot image file or locally connected device rather than from its disk IDE interface. This is useful for diagnosing, repairing, or imaging a hard drive.

Serial over LAN

Serial-over-LAN technology encapsulates the data from a virtual serial port and sends it over the existing network connection established by the out of band management console.

This allows you to run a terminal emulation session for the managed computer, in which you can run commands and character-based applications. For example, this might include reconfiguring the BIOS or, working in conjunction with IDE redirection, you can update the firmware or run diagnostic utilities.

For more information, see the following topics:

For more in-depth information about using out of band management in Configuration Manager 2007 SP1 and later, see the following topics in this section:

Certificate Requirements for Out of Band Management—Lists the PKI certificate requirements to run out of band management in Configuration Manager 2007 SP1 and later.
About Certificates for Out of Band Management—Provides information about the deployment and usage of the PKI certificates used with out of band management.
About AMT Provisioning for Out of Band Management—Provides information about provisioning computers for AMT, which is a necessary procedure before computers can be managed out of band.
About Reports for Out of Band Management—Lists the reports that are available for working with out of band management.
About the AMT Status and Out of Band Management—Lists the values, descriptions, and queries for the AMT status that is displayed in the Configuration Manager console and reports.
About Blocking Clients and Out of Band Management—Provides information about how blocking and unblocking clients in Configuration Manager impacts computers that can be managed out of band.
Administrator Checklist: Enabling Out of Band Management—Provides the administration steps required to enable out of band management for a site.

See Also

Other Resources