The following table lists the external dependencies for running Configuration Manager 2007 SP1 out of band management.
| Dependency | More Information |
A Microsoft enterprise certification authority (CA) with certificate templates to deploy and manage the certificates required for out of band management.
The issuing certification authority must automatically approve certificate requests from the primary site server on behalf of AMT-based computers.
Important: AMT-based computers cannot support certification authority certificates with a key length greater than 2048 bits.
|
The out of band service point and each desktop computer that will be managed with the out of band management feature must have specific public key infrastructure (PKI) certificates that are managed independently from Configuration Manager.
For more information, see the following topics:
|
|
Desktop computers with the following configuration:
- Intel vPro Technology or Intel Centrino Pro Technology.
- A supported version of Intel AMT.
- Intel HECI driver.
|
Consult your computer manufacturer's documentation for the Intel requirements. If you will provision AMT-based computers in-band (the Configuration Manager 2007 SP1 client is installed), download the latest HECI driver from the Intel Web site.
For information about the versions of AMT that are natively supported by Configuration Manager, see Overview of Out of Band Management and Configuration Manager 2007 SP1 Supported Configurations. If you have AMT-based computers that are not natively supported by Configuration Manager, you might be able to support them with out of band management and reduced functionality by using Intel's translator. For more information, see http://go.microsoft.com/fwlink/?LinkId=108363.
|
|
You must create and configure with the correct security permissions an Active Directory container for the domain in which the AMT-based computers reside. If the site manages AMT-based computers from multiple domains, the same container name and path must be used for all domains.
Note: It is not necessary to extend the Active Directory schema for out of band management.
|
This Active Directory container (or organizational unit) is required for publishing the AMT-based computer object during the AMT provisioning process.
For more information, see How to Prepare Active Directory Domain Services for Out of Band Management.
|
|
The following network services:
- DHCP server with an active scope.
- DNS servers for name resolution. Additionally, if you will provision AMT-based computers out of band (the Configuration Manager 2007 SP1 client is not installed), DNS might also be needed to resolve the host name of ProvisionServer to the IP address of the out of band service point site system server.
|
For DHCP, ensure that the DHCP scope options include DNS servers (006) and Domain name (015) and that the DHCP server dynamically updates DNS with the computer resource record.
WINS cannot be used for resolving computer names, and DNS is required for all connections that are used by the out of band management feature. This includes connecting to AMT-based computers from the out of band management console, in addition to provisioning.
The DNS host name of ProvisionServer can be automatically registered by Configuration Manager if DNS supports automatic updates. For more information, see Decide Whether You Should Register an Alias for the Out of Band Service Point in DNS.
|
|
Windows Remote Management (WinRM) must be installed on each site system server that hosts the out of band service point role and on any computer that runs a remote Configuration Manager console.
|
To download the latest version of WinRM and for more information, see http://go.microsoft.com/fwlink/?LinkId=105682.
|
|
If the out of band service point site system role is installed on Windows Server 2003, Windows Server 2003 Service Pack 2 or later is required.
Important: If you are running Windows Server 2003 Service Pack 2, the following hotfix must be installed: 942841.
|
For more information about the hotfix, see http://go.microsoft.com/fwlink/?LinkId=106107.
See also Configuration Manager 2007 SP1 Supported Configurations.
|
|
MSXML 6.0 is required on computers that run the out of band management console.
|
The Configuration Manager 2007 SP1 setup prerequisite check includes the check for MSXML 6.0.
For more information, see Setup Prerequisite Checks.
|
|
The Windows feature Telnet Client must be installed on computers running Windows Vista or Windows Server 2008 if they will run the out of band management console and perform serial-over-LAN commands.
|
Serial over LAN uses the Telnet protocol to run a terminal emulation session for the managed computer, in which you can run commands and character-based applications. For more information, see Overview of Out of Band Management.
|
|
Computers that will be managed out of band must belong to the same Active Directory forest as the out of band service point's forest and must share the same namespace.
|
The following AMT-based computers cannot be provisioned by Configuration Manager:
- Workgroup computers.
- Computers that reside in a different Active Directory forest from the out of band service point site system server.
- Computers that reside in the same Active Directory forest as the out of band service point site system server but do not share the same namespace (noncontiguous namespace).
For example, an AMT-based computer with the FQDN of computer1.northwindtraders.com cannot be provisioned by the out of band service point site system with the FQDN of contoso.com, even if they belong to the same Active Directory forest.
|
|
Intervening network devices such as routers and firewalls must allow the traffic associated with out of band management activity.
|
The following ports are used by out of band management:
- From the AMT management controllers to the out of band service point site system server for provisioning: TCP 9971.
- From the out of band service point site system server to AMT management controllers for discovery: TCP 16992.
- From the out of band service point site system server to AMT management controllers for power control initiated from the Configuration Manager console and scheduled activities, provisioning, and discovery: TCP 16993.
- From computers running the out of band management console to AMT management controllers for all management tasks initiated from the out of band management console (including power on commands): TCP 16993.
- From computers running the out of band management console to AMT management controllers for serial over LAN and IDE redirection: TCP 16995.
|
|
IPv6 is not supported.
|
Out of band management uses IPv4 only.
|
|
Full IPsec environments are not supported.
|
Do not configure IPsec policies for the AMT communication between the out of band service point site system server and computers that will be managed out of band.
Refer to the port information in the preceding row to determine which ports are required for out of band management.
|
|
802.1X environments are not natively supported by Configuration Manager.
|
If you have AMT-based computers that use 802.1X, see the following information about using the Intel WS-MAN translator: http://go.microsoft.com/fwlink/?LinkId=108363.
|
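
The following is an added example, not part of the original documentation: a Python audit of a proposed firewall allow list against the port flows and the IPv4-only limit listed in the table. It also flags rules on those ports that are wider than the listed source and destination. The role names, the `audit_rules` function, and all sample networks and rules are assumptions constructed for illustration.

```python
import ipaddress

# Required flows from the port list in the table: (source role, destination role, TCP port).
REQUIRED_FLOWS = [
    ("amt", "service_point", 9971),    # provisioning
    ("service_point", "amt", 16992),   # discovery
    ("service_point", "amt", 16993),   # power control, scheduled activities, provisioning, discovery
    ("console", "amt", 16993),         # tasks from the out of band management console
    ("console", "amt", 16995),         # serial over LAN and IDE redirection
]
OOB_PORTS = {port for _, _, port in REQUIRED_FLOWS}

# Constructed sample addressing (assumption); replace with your own role-to-network mapping.
ROLES = {
    "amt": ipaddress.ip_network("10.20.0.0/16"),
    "service_point": ipaddress.ip_network("10.1.1.10/32"),
    "console": ipaddress.ip_network("10.1.2.0/24"),
}

def audit_rules(rules, roles=ROLES):
    """Audit (src_cidr, dst_cidr, tcp_port) allow rules; return (missing, too_broad, ipv6)."""
    v4, ipv6 = [], []
    for rule in rules:
        src, dst = ipaddress.ip_network(rule[0]), ipaddress.ip_network(rule[1])
        if src.version == 6 or dst.version == 6:
            ipv6.append(rule)              # out of band management uses IPv4 only
        else:
            v4.append((src, dst, rule[2], rule))
    # A required flow is covered when one rule contains both role networks on that port.
    missing = [f for f in REQUIRED_FLOWS
               if not any(roles[f[0]].subnet_of(s) and roles[f[1]].subnet_of(d) and p == f[2]
                          for s, d, p, _ in v4)]
    # A rule on an out of band port is too broad when no single required flow contains it.
    too_broad = [r for s, d, p, r in v4 if p in OOB_PORTS
                 and not any(s.subnet_of(roles[f[0]]) and d.subnet_of(roles[f[1]]) and p == f[2]
                             for f in REQUIRED_FLOWS)]
    return missing, too_broad, ipv6

# Constructed sample rule set: one rule opens redirection to any source, one is IPv6.
SAMPLE_RULES = [
    ("10.20.0.0/16", "10.1.1.10/32", 9971),
    ("10.1.1.10/32", "10.20.0.0/16", 16992),
    ("10.1.1.10/32", "10.20.0.0/16", 16993),
    ("10.1.2.0/24", "10.20.0.0/16", 16993),
    ("0.0.0.0/0", "10.20.0.0/16", 16995),
    ("fd00::/64", "fd00:1::/64", 16993),
]

if __name__ == "__main__":
    print(audit_rules(SAMPLE_RULES))
```

A rule that spans both the service point and console networks on TCP 16993 is reported as too broad; split it into one rule per source role.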