• Article

Prerequisites for Out of Band Management in Configuration Manager

 

Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

Out of band management in System Center 2012 Configuration Manager has external dependencies and dependencies within the product.

Important

Out of band management in Configuration Manager has external dependencies on Intel Active Management Technology (Intel AMT) and on Microsoft public key infrastructure (PKI) technologies. For authoritative information about configuration or technical details about these external dependencies, see the product documentation for the related technologies.

For information about Intel AMT and Intel Setup and Configuration Software, see the Intel documentation or the documentation from your computer manufacturer. For additional information, see Intel vPro Expert Center: Microsoft vPro Manageability.

For information about Microsoft public key infrastructure (PKI) technologies, see Windows Server 2008 Active Directory Certificate Services.

Dependencies External to Configuration Manager

The following table lists the external dependencies for running out of band management.

Dependency

More information

A Microsoft enterprise certification authority (CA) with certificate templates to deploy and manage the certificates required for out of band management.

The issuing CA must automatically approve certificate requests from the AMT computer accounts that Configuration Manager creates in Active Directory Domain Services during the AMT provisioning process.

To revoke AMT certificates, the issuing CA must be configured with the Issue and Manage Certificates permission for the server where the enrollment point site system role is installed.

Important

AMT cannot support CA certificates with a key length greater than 2048 bits.

The out of band service point and each desktop or laptop computer that is managed out of band must have specific PKI certificates that are managed independently from Configuration Manager.

For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager.

For step-by-step instructions, see Deploying the Certificates for AMT.

The computer account for the enrollment point site system server must have DCOM permissions to revoke AMT certificates from the issuing CA. Ensure that this site system computer is a member of the security group Certificate Service DCOM Access (for Windows Server 2008) or CERTSVC_DCOM_ACCESS (for Windows Server 2003 SP1 and later) in the domain where the issuing CA resides.

Desktop or laptop computers with the following configuration:

  • Intel vPro Technology or Intel Centrino Pro Technology

  • A supported version of Intel AMT that is configured for Enterprise mode, with the provision mode of PKI

  • Intel HECI driver

For information about the AMT versions that Configuration Manager supports, see the Out of Band Management section in the Supported Configurations for Configuration Manager topic.

Download the latest HECI driver from the Intel website and consult your computer manufacturer's documentation for the Intel requirements.

An Active Directory container and a universal security group:

  • The Active Directory container must be configured with the correct security permissions for the domain in which the AMT-based computers reside. If the site manages AMT-based computers from multiple domains, the same container name and path must be used for all domains.

  • A universal security group that contains computer accounts for the AMT-based computers.

Note

You do not have to extend the Active Directory schema for out of band management.

During the AMT provisioning process, Configuration Manager creates computer accounts in this Active Directory container or organizational unit (OU) and adds the accounts to the universal security group.

The site server computer requires the following permissions:

  • For the OU that is used during the AMT provisioning process: Allow Create all child objects and Delete all child objects and apply to This object only.

  • For the universal security group that is used during the AMT provisioning process: Allow Read and Write, and apply to This object only.

The following network services:

  • DHCP server with an active scope

  • DNS servers for name resolution

For DHCP, ensure that the DHCP scope options include DNS servers (006) and Domain name (015), and that the DHCP server dynamically updates DNS with the computer resource record.

WINS cannot be used for resolving computer names, and DNS is required for all connections that are use out of band management. This includes connecting to AMT-based computers from the out of band management console, in addition to AMT provisioning.

Note

AMT cannot register a host record in DNS, so you must ensure that either DHCP or the operating system updates DNS with a host record for the AMT-based computer’s fully qualified domain name (FQDN). Alternatively, you can manually create these records in DNS as needed. For wireless support, ensure that DNS contains records with the wireless IP address for the AMT-based computer’s fully qualified domain name.

Site system role dependencies for the computers that will run the enrollment point and the out of band service point site system roles.

See the Prerequisites for Site System Roles section in the Supported Configurations for Configuration Manager topic.

Windows Remote Management (WinRM) 1.1 or later must be installed on computers that are running Windows XP if they run the out of band management console.

For more information about WinRM versions, see Versions of Windows Remote Management.

MSXML 6.0 is required on computers that run the out of band management console.

The Setup Prerequisites checker for Configuration Manager includes the check for Microsoft MSXML 6.0.

The Windows feature, Telnet Client, must be installed on computers that run Windows 7, Windows Vista, or Windows Server 2008 if the computers run the out of band management console and perform serial-over-LAN commands.

Serial over LAN uses the Telnet protocol to run a terminal emulation session for the managed computer, in which you can run commands and character-based applications. For more information, see Introduction to Out of Band Management in Configuration Manager.

Computers to be managed out of band must belong to the same Active Directory forest as the site system servers that run the out of band service point and the enrollment point.

In addition, computers must share the same namespace; disjoint namespaces are not supported.

The following scenarios identify computers that are not supported for out of band management. AMT should be disabled on these computers:

  • Workgroup computers.

  • Computers that reside in a different Active Directory forest from the computers that run the out of band service point site system role and the enrollment point.

  • Computers that reside in the same Active Directory forest as the site system servers that run the out of band service point and the enrollment point but do not share the same namespace (noncontiguous namespace).

    For example, an AMT-based computer with the FQDN of computer1.northwindtraders.com cannot be provisioned by the out of band service point site system with the FQDN of contoso.com, even if they belong to the same Active Directory forest.

  • Computers that reside in the same Active Directory forest as the out of band service point site system server but have a disjoint namespace—for example, an AMT-based computer that has a DNS name of computer1.corp.fabrikam.com and resides in an Active Directory domain named na.corp.fabrikam.com.

Intervening network devices such as routers and firewalls, and Windows Firewall if applicable, must allow the traffic associated with out of band management activity.

The following ports are used by out of band management:

  • From the out of band service point to the enrollment point: HTTPS (by default, port TCP 443).

  • From the out of band service point site system server to AMT management controllers for power control initiated from the Configuration Manager console and scheduled activities, provisioning, and discovery: TCP 16993.

  • From computers running the out of band management console to AMT management controllers for all management tasks initiated from the out of band management console (including power-on commands): TCP 16993.

  • From computers running the out of band management console to AMT management controllers for serial over LAN and IDE redirection: TCP 16995.

IPv4.

IPv6 is not supported. Out of band management uses IPv4 only.

Full IPsec environments are not supported.

Do not configure IPsec policies for the AMT communication between the out of band service point site system server and computers that will be managed out of band.

Infrastructure support for 802.1X authenticated wired networks and wireless networks:

  • Authenticated wired 802.1X support: Client authentication options of EAP-TLS or EAP-TTLS/MSCHAPv2 or PEAPv0/EAP-MSCHAPv2.

  • Wireless support: WPA and WPA2 security, AES or TKIP encryption, client authentication options of EAP-TLS or EAP-TTLS/MSCHAPv2 or PEAPv0/EAP-MSCHAPv2.

Note

If you use client authentication methods of EAP-TLS or EAP-TTLS/MSCHAPv2 with a client certificate, the RADIUS solution must support authentication by using the following format: domain\computer_account.

To manage AMT-based computers out of band on an 802.1X authenticated wired network or a wireless connection, you must have a supporting infrastructure for these environments. These networks can be configured by using a Microsoft RADIUS solution, such as Network Policy Server on Windows Server 2008. Other RADIUS solutions can be used if they are 802.1X-compliant and support the configuration options listed for authenticated wired 802.1X support and wireless support.

For more information about Network Policy Server on Windows Server 2008, see Network Policy Server.

For more information about other RADIUS solutions, see Intel vPro Expert Center: Microsoft vPro Manageability.

Configuration Manager Dependencies

The following table lists the dependencies within Configuration Manager for running out of band management.

Dependency

More information

The primary site must be running System Center 2012 Configuration Manager and have installed the out of band service point and the enrollment point.

The out of band service point must in the same Active Directory forest as the site server, and you can install only one out of band service point in each primary site.

Step 4: Configuring the Enrollment Point and Out of Band Service Point for AMT Provisioning 

Computers that you want to manage out of band must have the Configuration Manager client installed and must be assigned to a primary site.

Important

Intel AMT-based computers that are assigned to the same Configuration Manager site must have a unique computer name, even when they belong to different domains and therefore have a unique FQDN.

 How to Install Clients on Windows-Based Computers in Configuration Manager

To configure out of band management, you must have the following security permissions:

  • Site: Read and Modify

  • Mobile Device Enrollment Profile: Read, Create, Modify, Meter Site, and Manage Certificates for Operating System Deployment

The Full Administrator security role includes these permissions.

To manage computers out of band, you must have the following security permissions for the collections that contain the computers:

  • Provision AMT: This security permission allows you to manage AMT computers from the Configuration Manager console, which includes discovering the status of AMT management controllers, provisioning computers for AMT and the auditing actions of enabling and applying audit log settings, disabling auditing, and clearing the audit log.

  • Control AMT: This security permission allows you to view and manage computers by using the out of band management console, and initiate power control actions in the Configuration Manager console. The Remote Tools security role includes the Control AMT permission.

  • Read and Modify Collection Setting to enable AMT provisioning for the collection.

  • Provision AMT, Read, and Read Resource to remove provisioning information and update AMT management controllers.

For more information about how to configure security permissions, see Configure Role-Based Administration.

Reporting services point.

To use Configuration Manager reports for out of band management, you must install and configure a reporting services point.

For more information, see Reporting in Configuration Manager.