This topic provides details about the deployment and usage of the Configuration Manager 2007 SP1 public key infrastructure (PKI) certificates used with out of band management and covers the following areas:
Note: The information in this topic applies only to Configuration Manager 2007 SP1 and later.
The certificate requirements are listed in the following topic: Certificate Requirements for Out of Band Management.
For a step-by-step example deployment, see the following:
Certification Authority Requirements for Out of Band Management
The certificate deployment requirements for AMT provisioning include the use of automatically approving certificates so that the site server can request and immediately retrieve a certificate for each AMT-based computer that it provisions. To help secure automatic approval, security controls are required to ensure that only trusted computers request certificates. The use of certificate templates with a Microsoft enterprise certification authority (CA) provides this level of security control by having access level controls on the certificate templates. Although you can automatically approve all certificate requests with a stand-alone Microsoft CA, this solution does not offer any security controls and is not supported with out of band management in Configuration Manager 2007 SP1.
A Microsoft enterprise CA supports different versions of certificate templates:
- Version 1 was introduced with Windows Server 2000 and is supported with all server editions of Windows Server 2003 and Windows Server 2008.
- Version 2 was introduced with Windows Server 2003 and is supported with the Enterprise and Datacenter Editions of Windows Server 2003 and Windows Server 2008. Version 2 templates are not supported with the Standard Editions of Windows Server 2003 and Windows Server 2008.
- Version 3 is introduced with Windows Server 2008 and is supported with the Enterprise and Datacenter Editions of Windows Server 2008. However, these certificate templates create certificates that are not compatible with Configuration Manager and must not be used for either out of band management or native mode.
You can see the different template versions in the Certificate Templates MMC by referencing the Minimum Supported CAs column: version 1 templates are listed as Windows 2000, version 2 templates are listed as Windows Server 2003, Enterprise Edition, and version 3 templates are listed as Windows Server 2008.
Version 1 certificate templates allow you to configure the security permissions that help to secure who can read, enroll, and manage the templates. However, to change any other properties of the certificate template, such as its name, its intended purpose, and its validity period, you must use version 2 or version 3 templates.
Customizing the certificate templates for out of band management is recommended and might be required to deploy the provisioning certificate, as outlined in the following sections. Any template customization requires that the CA is running the Enterprise Edition of the Windows Server operating system.
Certificate Template Versions and the Provisioning Certificate
The provisioning certificate installed in each site that will manage AMT-based computers out of band often requires a specific object identifier (OID) that does not exist in the default certificate templates, in addition to the server authentication capability (OID 1.3.6.1.5.5.7.3.1). This means that an existing certificate template must be modified to include the custom object identifier. To do this, use a version 2 certificate template, because Configuration Manager does not support certificates that are created with a version 3 template. A version 2 template is not supported with the Standard Editions of Windows Server 2003 or Windows Server 2008.
However, if you are using an external CA for the provisioning certificate and the company provides its own method of requesting the certificate (for example, connecting to their Web enrollment site), you do not need to use a certificate template for the provisioning certificate.
If you are using an external CA that requires you to submit your request by using a certificate request file or if you are using your own internal CA to supply the provisioning certificate, you cannot use a version 1 certificate template when the certificate contains the custom OID. Instead, you must use a version 2 template so that it can be modified to include the custom OID. For an example deployment for submitting a certificate request to an external CA and using your own internal CA, see Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management: Windows Server 2003 Certificate Authority.
Certificate Template Versions and the Certificates for AMT-Based Computers
Each AMT-based computer requires a certificate that is installed in the management controller memory, and this certificate requires server authentication capability only (OID 1.3.6.1.5.5.7.3.1). This requirement matches the default version 1 template named Web Server. You could therefore use the Web Server template, modifying only the security permissions so that the site server can read and enroll using this template.
However, if you duplicate the Web Server template, you have more control over the certificate that is used, because you can change the name and description to identify that it is being used with out of band management. You can also change properties of the certificate, such as its validity period and the key size. Because of the greater control offered by version 2 templates, these templates are recommended for out of band management. Using these templates requires the Enterprise Edition of the Windows Server operating system.
The AMT Provisioning Certificate
The following sections provide information about whether you can use your own internal CA or must use an external CA to request the provisioning certificate, and information about the certificate Subject name requirements.
Choosing Between an External CA and Using Your Internal CA
Configuration Manager cannot manage AMT-based computers out of band until they are provisioned. By default, AMT-based computers are configured by the computer manufacturer to use external certification authorities (CAs), such as VeriSign, Go Daddy, Comodo, and Starfield. If you purchase a provisioning certificate from one of the external CAs and configure Configuration Manager to use this provisioning certificate, AMT-based computers will trust the CA of the provisioning certificate and provisioning can succeed.
If you plan to use your internal CA to supply the provisioning certificate, one of the following conditions must be true:
- Your computer supplier provided you with a customized firmware image that includes the certificate thumbprint of your internal root certificate. For more information about using a customized firmware image, see Decide Whether You Need a Customized Firmware Image From Your Computer Manufacturer.
- You will manually add the certificate thumbprint of your internal root certificate to each computer that will be provisioned for out of band management in Configuration Manager 2007 SP1. Refer to your computer manufacturer instructions for information about how to configure the AMT certificate hash option with your certificate thumbprint value.
If you need more information about how to locate the certificate thumbprint of your internal root certificate, see How to Locate the Certificate Thumbprint of Your Internal Root Certificate for AMT Provisioning.
Certificate Subject Name Requirements
During the AMT provisioning process, Configuration Manager configures the host name and DNS suffix in the AMT BIOS extensions with the FQDN of the AMT-based computer retrieved from the Configuration Manager database. The DNS suffix is then checked against the subject name in the provisioning certificate. The subject name in the provisioning certificate contains the FQDN of the site system server configured with the out of band service point role.
If the FQDN of the AMT-based computer shares the same namespace as the FQDN specified in the AMT provisioning certificate, AMT provisioning succeeds. If the FQDN of the AMT-based computer does not share the same namespace as the FQDN specified in the AMT provisioning certificate, AMT provisioning fails.
The following are examples of when the AMT-based computer shares the same namespace as the out of band service point:
- The FQDN of the AMT-based computer is computer1.contoso.com, and the FQDN of the out of band service point is server1.contoso.com.
- The FQDN of the AMT-based computer is computer1.sales.contoso.com, and the FQDN of the out of band service point is server1.contoso.com.
- The FQDN of the AMT-based computer is computer1.sales.contoso.com, and the FQDN of the out of band service point is server1.marketing.contoso.com.
In the preceding examples, the AMT-based computer and the out of band service point share the contoso.com namespace.
The following are examples of when the AMT-based computer does not share the same namespace as the out of band service point:
- The FQDN of the AMT-based computer is computer1.contoso.com, and the FQDN of the out of band service point is server1.northwindtraders.com.
- The FQDN of the AMT-based computer is computer1.northwindtraders.com, and the FQDN of the out of band service point is server1.contoso.com.
In the preceding examples, the AMT-based computer and the out of band service point do not share a common namespace. Consequently, AMT provisioning will fail, even if both computers belong to the same Active Directory forest.
The provisioning certificate is installed on the out of band service point site system server, and this server's FQDN must be supplied in the provisioning certificate's subject name. If you are using your own internal CA to supply the provisioning certificate, the FQDN of the out of band service point site system server can be automatically configured with the certificate request. For more information, see Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management: Windows Server 2003 Certificate Authority.
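The namespace rule above is easy to get wrong in a multi-domain forest, so the following is an added pre-flight check (example code, not part of the Configuration Manager documentation) that runs the rule over an inventory of AMT computer FQDNs before provisioning. It models the page's behaviour as "both FQDNs must end in the same parent domain of at least two labels"; that matching rule is an assumption that fits every example on this page, since the firmware's exact comparison is not stated here.

```python
"""Predict AMT provisioning namespace failures from FQDNs (added example).

Assumption: an AMT-based computer shares a DNS tree with the out of band
service point when both FQDNs end in the same parent domain of at least two
labels (for example contoso.com). A bare TLD such as 'com' does not count.
"""
from typing import List, Optional


def dns_suffix(fqdn: str) -> List[str]:
    """Return the DNS suffix labels of an FQDN (everything after the host label)."""
    labels = fqdn.strip().rstrip(".").lower().split(".")
    if len(labels) < 2 or any(not label for label in labels):
        raise ValueError(f"not a fully qualified name: {fqdn!r}")
    return labels[1:]


def shared_namespace(amt_fqdn: str, oobsp_fqdn: str) -> Optional[str]:
    """Return the namespace both names share, or None when there is none.

    Walks the two suffixes from the right (TLD first) and stops at the first
    label that differs; fewer than two common labels means no shared tree.
    """
    amt_labels = dns_suffix(amt_fqdn)
    oobsp_labels = dns_suffix(oobsp_fqdn)
    common = []
    for a, b in zip(reversed(amt_labels), reversed(oobsp_labels)):
        if a != b:
            break
        common.append(a)
    if len(common) < 2:
        return None
    return ".".join(reversed(common))


def provisioning_blockers(amt_fqdns: List[str], oobsp_fqdn: str) -> List[str]:
    """Return the AMT FQDNs that the namespace rule predicts cannot be provisioned."""
    return [f for f in amt_fqdns if shared_namespace(f, oobsp_fqdn) is None]


if __name__ == "__main__":
    # Constructed inventory using the page's example names.
    OOBSP = "server1.contoso.com"
    computers = [
        "computer1.contoso.com",
        "computer1.sales.contoso.com",
        "computer1.northwindtraders.com",
    ]
    for name in provisioning_blockers(computers, OOBSP):
        print(f"{name}: shares no namespace with {OOBSP}; AMT provisioning would fail")
```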
Important: You cannot provision AMT-based computers if they do not share the same namespace as the out of band service point. This means that AMT-based computers from a different Active Directory forest cannot be provisioned, and forests with a noncontiguous namespace will be unable to use out of band management unless the AMT-based computers and out of band service point belong to the same DNS tree.
Renewing the AMT Provisioning Certificate
Because an expired AMT provisioning certificate results in provisioning failure, renew your AMT provisioning certificate and configure out of band management with the new certificate before the original expires. Request the new certificate well in advance of the expiration date, which is particularly important if you are using an external CA for your provisioning certificate.
To help you identify when the AMT provisioning certificate is about to expire, Configuration Manager generates a warning status message with ID 7210 when the provisioning certificate in use is 40 days or less from expiration. This status message is repeated once a day until the certificate is replaced with one whose remaining validity period is greater than 40 days, or until the remaining validity period drops below 15 days. When the remaining validity period is less than 15 days, an error status message with ID 7211 is generated until the certificate is replaced with one whose remaining validity period is greater than 15 days.
Note: You must configure the out of band management component configuration properties with the new certificate. Installing the new certificate into the Certificates local store in the out of band service point site system computer is not sufficient. For more information, see How to Configure AMT Provisioning.
For more information about using status messages to monitor out of band management, see How to Monitor Out of Band Management.
For more information about site status configuration, see How to Configure Site Status Configuration.
The Web Server Certificate for AMT-Based Computers
Although it is more typical to think of workstation computers serving as a client to a Web site on a server, the opposite is true with out of band management. The AMT-based computers run a Web server component within their firmware, and the computers that manage them (the out of band service point, and any computer running the out of band management console) act as the client.
The certificate installed in the AMT memory requires server authentication capability so that it is authenticated to the computers that manage it and data sent between them is encrypted using transport layer security (TLS). TLS is an industry standard protocol closely related to SSL 3.0 and helps to secure against message tampering, interception, and forgery. For more information about TLS, see http://go.microsoft.com/fwlink/?LinkId=108709.
Out of band management does not use mutual PKI authentication; although the AMT-based computer is authenticated to the computer managing it, there is no corresponding client PKI certificate on the computer managing it. Instead, these communications are secured using a TLS connection and the following user accounts:
- Windows user accounts using Kerberos authentication to run the out of band management console.
- AMT Provisioning and Discovery Accounts using HTTP Digest authentication.
- AMT MEBx Account using HTTP Digest authentication.
- AMT User Accounts using Kerberos authentication.
- AMT Remote Admin Account using HTTP Digest authentication.
Renewing the Web Server Certificate for AMT-Based Computers
An expired Web server certificate that is not renewed for AMT-based computers will result in Configuration Manager being unable to manage that computer out of band.
Configuration Manager monitors the certificates that it deploys to the AMT-based computers and automatically requests a new certificate before the original certificate expires. This helps to ensure seamless continuity and a sufficient grace period if the issuing CA cannot be immediately contacted.
When you install an out of band service point, an out of band management maintenance task is automatically enabled that periodically checks the remaining validity period of certificates that it has issued to AMT-based computers. It makes this check every 7 days and requests a new certificate when the expiration period is 42 days or less.
If you need to adjust these settings or initiate a check for certificates that are near expiration, see How to Customize Maintenance Tasks for Out of Band Management.
CRL Checking and Certificate Revocation for Out of Band Management Certificates
The following sections cover certificate revocation and certificate revocation list (CRL) checking for the provisioning certificate on the out of band service point and the Web server certificate on the AMT-based computers.
Provisioning Certificate
AMT-based computers do not support downloading a certificate revocation list (CRL) to check whether the provisioning certificate is revoked. This means that AMT-based computers will still accept a provisioning certificate that has been revoked by the issuing CA. If you know that the provisioning certificate has been revoked, delete it from the certificate store on the out of band service point site system server. Then deploy a new provisioning certificate, and configure it in the out of band management component properties. If you cannot immediately deploy a valid AMT provisioning certificate, remove the out of band service point role until you have a replacement certificate.
Web Server Certificate
CRL checking by the computers that manage the AMT-based computers (the out of band service point site system, and any computer running the out of band management console) is not supported by Windows Remote Management (WinRM). This means that the site server and any computer running the out of band management console will still accept a Web server certificate that has been revoked for an AMT-based computer.
The Web server certificate issued to each AMT-based computer during the provisioning process is automatically revoked by Configuration Manager in the following scenarios:
- You remove the provisioning information from the computer, using Configuration Manager. The site server revokes the certificate with the revocation reason of Superseded.
- You provision the computer and Configuration Manager discovers a certificate previously issued to the same AMT-based computer. This might happen if the AMT-based computer is locally configured with the option to remove provisioning configuration in the BIOS extensions. The site server revokes the certificate with the revocation reason of Superseded and requests a new certificate.
- The out of band management maintenance task Evaluate Provisioned AMT Computer Certificates runs according to its configured schedule. When a certificate is found to be within the configured expiration period for renewal, the site server revokes the certificate with the revocation reason of Superseded and requests a new certificate. For more information about this maintenance task, see the previous section "Renewing the Web Server Certificate for AMT-Based Computers."
The Web server certificate is not revoked when you update the data in the management controller.
For these revocations to succeed, the primary site server computer must have the Issue and Manage Certificates permission on the issuing certification authority.
Important: Make sure that you communicate to your PKI administrators the circumstances in which the Web server certificates can be automatically revoked by Configuration Manager. Explain that this action is an expected process for certificate management rather than denoting a security problem with the AMT-based computers.