Before AMT-based computers can be managed out of band in Configuration Manager 2007 SP1 and later, they must be provisioned for AMT (set up and configured).
|The information in this topic applies only to Configuration Manager 2007 SP1 and later.|
AMT provisioning results in the following external interactions between Configuration Manager and the networking infrastructure:
- The site server checks the Configuration
Manager database to ensure that a public key infrastructure (PKI)
certificate with server authentication capability is not already
issued to the AMT-based computer. If a certificate is found, it is
- The site server requests one or more PKI
certificates from an internal issuing certification authority on
behalf of AMT-based computers. In Configuration Manager
2007 SP1 only, a single certificate is requested for server
authentication capability. This certificate request contains the
FQDN of the computer that will be managed out of band and uses a
certificate template that is configured with server authentication
capability. Additionally, in Configuration Manager 2007 SP2
and later, if a client certificate has been configured for an
802.1X authenticated network or one or more wireless networks,
these certificates are also requested. These certificates also
contain the FQDN of the computer that will be managed out of band
and use a certificate template that is configured with client
authentication capability. The issuing certification authority (CA)
server approves the requests, and the certificates are granted to
the site server computer.
- The AMT-based computers are published as an
AMT account to Active Directory Domain Services, with a link to the
Windows computer object in Active Directory Domain Services.
- A service principal name (SPN) for the
AMT-based computers is registered in Active Directory Domain
Services so that administrators can connect to them using the out
of band management console.
- For Configuration Manager 2007 SP2 and
later when provisioning in-band, the AMT accounts are automatically
added to the security group specified for 802.1X and wireless
networks. However, this option is not enabled by default.
Additionally, the following internal interactions occur between Configuration Manager and the nonvolatile random access memory (NVRAM) of the management controller in the AMT-based computer, after the out of band management component on the site server connects to the AMT-based computer by using a specified AMT provisioning account and port number:
- The PKI certificate with server
authentication capability retrieved by the site server is installed
on the AMT-based computer, including the certificate chain up to
the root CA certificate. For Configuration Manager 2007 SP2
and later, the PKI certificates with client authentication
capability retrieved by the site server are also installed, along
with the root certificate for the RADIUS server, on the AMT-based
- The fully qualified domain name (FQDN) of the
AMT-based computer is retrieved from the Configuration Manager
database and is configured in AMT on the AMT-based computer. The
Windows computer time is used to configure the system time.
- The AMT settings configured in Configuration
Manager, such as whether to use IDE redirection and serial over
LAN, respond to a network ping, and support a Web interface, are
configured in AMT on the AMT-based computers. In Configuration
Manager 2007 SP2, this also includes the power state setting.
In addition to the AMT settings, the AMT remote password is reset
to a random and strong password, any AMT user accounts are deleted,
and support for Kerberos authentication is enabled on the AMT-based
|In the log file, Amtopmgr.log, you will see references to first-stage provisioning and second-stage provisioning. The first two points in the preceding list occur during the first-stage provisioning. The last point in the preceding list occurs during second-stage provisioning. For more information about the log files used with out of band management, see Log Files for Out of Band Management.|
For more information about how to provision a computer, see How to Provision Computers for AMT.
For more information about the certificates used for AMT provisioning, see About Certificates for Out of Band Management.
Updating the Data in the Management Controller Memory
Computers that are already provisioned for AMT do not dynamically reconfigure with new AMT settings that are configured in Configuration Manager. If you change the Configuration Manager AMT settings after AMT-based computers are provisioned for AMT, you must initiate an action on these computer resources to update the data in the management controller memory. Updating the data in the management controller memory for an AMT-based computer results in it getting the latest AMT settings and configurations. Additionally, the AMT-based computer's SPN is reregistered, and its Active Directory object is refreshed (or published if it does not exist). Updating the data in the management controller memory does not result in revoking the AMT certificate for server authentication, but it does revoke any client authentication certificate that has been configured for 802.1X authenticated wired or wireless networks. New client authentication certificates are requested if these are specified in the 802.1X authenticated wired or wireless configuration.
If you have configured 802.1X authenticated wired or wireless network support with Configuration Manager 2007 SP2, this supports updating the management controller on these networks with the following caveats:
- If the AMT-based computer is connected to a
wireless network, the settings in the wireless profiles will not be
- If the AMT-based computer is connected to an
802.1X authenticated wired network, the settings for this
configuration will be updated. If the new settings are incompatible
with the required network settings, the connection will be lost if
the operating system is not running.
Removing AMT Provisioning Information
There might be occasions when you want to remove the provisioning information for an AMT-based computer, such as when you no longer want the computer to be managed out of band by Configuration Manager 2007 but want to use another out of band solution. The following options are available for removing provisioning information from the computer:
- You can remove the configuration data from
the management controller but keep identification information about
the computer, such as its name, IP address, and DNS suffix.
Configuration data includes whether IDE redirection and serial over
LAN are enabled, network pings are supported, and the Web interface
- You can remove both configuration data and
identification information from the management controller.
In both cases, any certificates installed in AMT are revoked, the SPN is deleted, and the ATM account is deleted from Active Directory Domain Services.
After the AMT provisioning information is removed, it might be automatically provisioned again by Configuration Manager. For example, this will apply by default if the AMT-based computer can provision in-band and it is in a collection that has automatic AMT provisioning enabled. It will also apply by default if the AMT-based computer can provision out of band. However, when you select the option to remove provisioning information, you can disable automatic provisioning and re-enable it later if required.
For more information about removing provisioning information for an AMT-based computer and using automatic provisioning again, see How to Remove Provisioning Information for AMT-Based Computers.
Renaming AMT-Based Computers and Domain Changes
If you rename a computer that is already provisioned for AMT by Configuration Manager or move the computer to another domain, you must remove all the provisioning information from the AMT-based computer and then provision the computer again. You can remove the provisioning information either before naming or moving the computer or after renaming or moving the computer. However, do not provision the computer again until the name change or domain move is complete. If you fail to perform these procedures, the AMT-based computer cannot be managed out of band after the change of name or domain move.
When you remove the provisioning information, select the option to remove both configuration data and identification information from the management controller; and if applicable, select the option to disable automatic provisioning and re-enable it after the name change or domain move has taken place.
TasksHow to Run the Out of Band Management Console
ConceptsAbout Certificates for Out of Band Management
Certificate Requirements for Out of Band Management
Configuration Manager AMT Provisioning Process for Out of Band Management
Decide How to Migrate from an AMT-Based Management Solution to Out of Band Management in Configuration Manager
Overview of Out of Band Management