If you are provisioning computers for AMT in Configuration Manager 2007 SP1 and later without the corresponding client installed (out of band provisioning), you need to decide whether you should register an alias for the out of band service point in DNS.

The information in this topic applies only to Configuration Manager 2007 SP1 and later.

AMT-based computers contact a provisioning server for out of band provisioning using the value specified in the BIOS extensions for the provisioning server. The value can be a short name, a fully qualified domain name (FQDN), or an IP address. Typically, the value is the short name of ProvisionServer. You can change this value on each computer by configuring the BIOS extensions, or you can request the value you want to use as part of a customized firmware image. For more information about customizing the firmware image, see Decide Whether You Need a Customized Firmware Image From Your Computer Manufacturer.

Using the default name of ProvisionServer could present a security risk if a record with this name is configured to resolve to the IP address of a wrong or rogue computer. If an incorrect IP address is given to AMT-based computers, provisioning will not succeed and the AMT-based computers cannot be managed. Configuring the provisioning server value with an alternative name or IP address is more secure than using a well-known name. If you are using the default name of ProvisionServer, ensure that you have configured the entry in DNS before turning on the AMT-based computers. Additionally, ensure that you secure the DNS record (for example, by using DNS secure dynamic updates so that only the owner can modify this record) so that it cannot be modified to resolve to anything other than the out of band service point site system computer.
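One way to check the record before turning on AMT-based computers is shown below. It is an added example, not part of Configuration Manager or the original topic: it resolves the provisioning server name under each DNS domain suffix you list and flags names that do not resolve or that resolve to any address other than the out of band service point. The function names, the domain suffixes and the addresses are assumptions constructed for illustration.

```python
import socket

# Constructed sample data (documentation-range addresses, example domains).
SAMPLE_ZONE = {
    "provisionserver.corp.example": {"192.0.2.10"},
    "provisionserver.lab.example": {"192.0.2.10", "198.51.100.77"},
}

def sample_resolver(name):
    """Offline stand-in for DNS, backed by SAMPLE_ZONE (constructed)."""
    return SAMPLE_ZONE.get(name.lower(), set())

def resolve_ipv4(name):
    """Return the set of IPv4 addresses the local resolver gives for name."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def audit_provision_record(suffixes, expected_ips, host="ProvisionServer",
                           resolver=resolve_ipv4):
    """Check host.<suffix> for every suffix against the expected addresses.

    Returns {fqdn: (status, unexpected_addresses)} where status is
    OK       - every answer belongs to the out of band service point,
    MISSING  - no record, so provisioning cannot succeed,
    MISMATCH - at least one answer points at a wrong or rogue computer.
    """
    expected = set(expected_ips)
    report = {}
    for suffix in suffixes:
        fqdn = f"{host}.{suffix.strip('.')}"
        answers = set(resolver(fqdn))
        if not answers:
            status = "MISSING"
        elif answers <= expected:
            status = "OK"
        else:
            status = "MISMATCH"
        report[fqdn] = (status, sorted(answers - expected))
    return report

if __name__ == "__main__":
    # Swap sample_resolver for resolve_ipv4 to query the DNS servers in use.
    result = audit_provision_record(["corp.example", "lab.example", "branch.example"],
                                    ["192.0.2.10"], resolver=sample_resolver)
    for fqdn, (status, extra) in result.items():
        print(f"{fqdn:40} {status:9} {', '.join(extra)}")
```

Run it from a host that uses the same DNS servers the AMT-based computers receive, and repeat it on a schedule to notice a record that changes after the initial check.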

When a name is used rather than an IP address, the AMT-based computer must be configured with an FQDN and at least one DNS server. This is typically achieved using DHCP configuration options, but these values can also be specified in the BIOS extensions. When an AMT-based computer first starts up, it uses DNS to resolve the name of the provisioning server using one of the following methods:

If an IP address is specified as the provisioning server in the BIOS extensions, there is no need for an alias in DNS. This IP address must be owned by the out of band service point site system server in the Configuration Manager site that will manage the AMT-based computer.

Register an alias for the out of band service point in DNS if both of the following conditions apply:

Do not register an alias for the out of band service point in DNS if any of the following conditions apply:
