The following flow of events occurs when an AMT-based computer is provisioned by System Center 2012 Configuration Manager.
- The Configuration Manager client downloads its client policy
with instructions to initiate AMT provisioning and performs the
- The Intel HECI driver is installed.
- The AMT status is Not Provisioned. Any other status
stops the provisioning process.
- The Intel HECI driver is installed.
- The Configuration Manager client generates a random one-time
password (OTP), hashes it, sends the hash to the site server, and
then activates the AMT network interface so that the AMT-based
computer is ready for provisioning. For AMT-based computers that
support wireless network connections, they also send their wired IP
address, which will be used during provisioning, even if the
AMT-based computer has multiple network interfaces.
- The Configuration Manager client sends AMT manufacturing
information to the site server by using a state message. This
information includes the AMT version number.
- The site server receives the OTP hash and then creates an
Active Directory account in the configured Active Directory
container (or OU), and sets the SPN for the AMT-based computer. The
site server then sends an instruction to the out of band service
point to start provisioning for the Configuration Manager
- The out of band service point retrieves the OTP hash for this
AMT-based computer from the site server and compares it with the
OTP hash reported by the AMT firmware to verify the identity of the
AMT-based computer to be provisioned.
- The out of band service point retrieves the Active Directory
account and password from the site server and then sends an
instruction to the enrollment point to request an AMT web server
certificate for the AMT-based computer. The enrollment point
impersonates the AMT-based computer to request the AMT web server
- The out of band service point creates an outbound TLS
connection by using the AMT provisioning certificate and the Secure
Channel (Schannel) Security Support Provider (SSP). In this
connection, the AMT-based computer is the server, and the out of
band service point is the client. This transport layer session is
established by using TLS handshaking:
- The out of band service point sends a client “Hello” message to
the AMT-based computer and requests to use SHA1.
- The AMT-based computer sends a server “Hello” message to the
out of band service point and sends its public key with a
- The Microsoft Security Support Provider Interface (SSPI) is
used to create the TLS channel.
- The out of band service point sends its AMT provisioning
certificate and its full certificate chain to the AMT-based
computer, with the specific AMT provisioning object identifier
(OID) or OU attribute of Intel(R) Client Setup
- The AMT-based computer checks the following for the AMT
provisioning certificate and, if these successfully match,
establishes the TLS session: the subject name (CN) against its own
DNS namespace, the OID against the OID for AMT provisioning (or the
OU attribute), and the certificate thumbprint of the root
certificate from the certificate chain against the certificate
thumbprint that it has stored in AMT firmware memory.
- The out of band service point sends a client “Hello” message to the AMT-based computer and requests to use SHA1.
- The out of band service point establishes an application layer
connection with the AMT-based computer, by using HTTP Digest
- A SOAP request is sent from the out of band service point to
the AMT-based computer, without any user name and password.
- The AMT-based computer responds to the out of band service
point with an "authentication needed" response, which results in
HTTP Digest authentication.
- The out of band service point resends the SOAP request with the
same payload to AMT-based computer, this time by using HTTP Digest
- The AMT-based computer finishes the authentication challenge
and sends a success or failure response to the out of band service
- A SOAP request is sent from the out of band service point to the AMT-based computer, without any user name and password.
- If the HTTP Digest authentication failed during the application
layer connection, the out of band service point retries by using
another user name and password that has been configured in
Configuration Manager. All user names and passwords are tried
sequentially until authentication succeeds or there are no more
user names and passwords.
- The AMT-based computer undergoes first-stage provisioning,
initiated by a SOAP request from the out of band service point:
- The AMT time is synchronized with the Windows time from the out
of band service point.
- The AMT host name and domain is configured by using the
computer’s host name and domain. The computer’s host and domain
name might be retrieved from system discovery or from client
registration when the client is assigned to the site.
- The requested and retrieved certificate is saved to the AMT
firmware memory, and TLS authentication is enabled.
- Configuration Manager creates a random and strong password for
the AMT Remote Admin Account and stores this value in AMT.
- Configuration Manager might reconfigure the MEBx password with
the strong password configured in the Configuration Manager
console, depending on whether it has been changed previously on the
AMT-based computer and on the version of AMT.
- The settings are saved in AMT firmware, and the AMT firmware
state is set to the operational mode of post provisioning.
- The AMT time is synchronized with the Windows time from the out of band service point.
- The AMT-based computer undergoes second-stage provisioning,
initiated by a Windows Remote Management (WinRM) request from the
out of band service point:
- The AMT ACLs are deleted and configured according to the AMT
User Accounts and rights.
- Kerberos is enabled, and in the Out of Band Management
Component Properties dialog box, on the AMT Settings
tab, the power scheme is set according to the configured value for
Manageability is on in the following power state. In
addition, the other AMT settings, such as Enable web
interface, Enable serial over LAN and IDE redirection,
and Allow ping responses, are also set according to the
configured values in the AMT Advanced Settings dialog
- If you have configured any 802.1X options, the following
additional actions occur: Any existing wireless profiles are
deleted, any certificates related to the wireless profiles or
802.1X wired network configuration are deleted, and the wireless
capability of AMT is detected. If any certificates are required to
support 802.1X, the out of band service point sends an instruction
to the enrollment point to request the certificates for the
AMT-based computer, and the enrollment point impersonates the
AMT-based computer to request these certificates. The wireless
profiles and the 802.1X authenticated wired network configuration
are then saved to AMT.
- The AMT ACLs are deleted and configured according to the AMT User Accounts and rights.
- The out of band service point sends the results of the
provisioning process to the site server, which then updates the
Configuration Manager database to use the following information
about the AMT-based computer: the AMT status; the MEBx password,
the AMT Remote Admin Password.