Example Scenario for Implementing Out of Band Management in Configuration Manager


Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

The following sections in this topic provide an example scenario for implementing out of band management in System Center 2012 Configuration Manager, by using a three-phased approach:

  • Pilot: Implementing and Testing a Few Computers that Use Certificate Services (Internal CA) for the Provisioning Certificate

  • Rollout: Full Deployment by Using an External CA for the Provisioning Certificate

  • Add Wireless Support: Extend Management to Wireless Networks

In the following scenario, Trey Research is interested in using out of band management to more efficiently troubleshoot computers that fail to start or stop responding, require powering on for routine maintenance, or require reconfiguring the BIOS settings. This company has Intel AMT-based computers with versions of AMT that are supported by Configuration Manager, but they do not have customized firmware that includes the certificate thumbprint of their own internal root certification authority (CA).

Trey Research has a single Configuration Manager primary site, and all the internal computers reside in the testnet.treyresearch.net domain. The company already has an existing public key infrastructure (PKI) that uses Windows Server 2008 Certificate Services, with an enterprise certification authority running on Windows Server 2008 Enterprise Edition.

Adam is the Configuration Manager administrative user who has been asked to implement out of band management by using a three-phase approach. He first tests the functionality by using a small number of desktop computers and without purchasing a provisioning certificate from an external CA. If the testing goes well, Adam can purchase an AMT provisioning certificate and provision all the AMT-based desktop computers. For the final deployment phase, Adam is asked to extend the out of band management to laptops that use the wireless network.

Pilot: Implementing and Testing a Few Computers that Use Certificate Services (Internal CA) for the Provisioning Certificate

For the pilot phase to implement and test out of band management, Adam takes the course of action outlined in the following table.

Process

Reference

Adam checks the prerequisites for out of band management and decides to create a site system server on which he installs the out of band service point and the enrollment point. This computer has the fully qualified domain name (FQDN) of server15.testnet.treyresearch.net.

Adam also confirms that the existing DHCP and DNS configuration meets the requirements for AMT.

For more information about the prerequisites, see Prerequisites for Out of Band Management in Configuration Manager.

Adam works with his Active Directory service administrators to create the following Windows security groups:

  • A group named ConfigMgr Out Band Service Points that contains server15.

  • A group named ConfigMgr Primary Site Servers that contains the primary site server computer account.

  • A universal security group named ConfigMgr AMT Computers that will contain the AMT computer accounts.

They then create an organizational unit (OU) in the testnet.treyresearch.net domain for the published AMT-based computer accounts, and grant the newly created group ConfigMgr Primary Site Servers only the following permissions on this OU: Create Computer Objects and Delete Computer Objects.

For more information about how to create groups and OUs, see the Active Directory Domain Services documentation.
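The group and OU preparation above, as an added PowerShell example that is not part of the Configuration Manager documentation. It assumes the ActiveDirectory module (RSAT) is available, that the groups are placed in an OU named ConfigMgr Groups, that the AMT OU is named AMT Computers, that the primary site server is named server01, and that the first two groups are global groups; none of these names or scopes is given on the page. The delegation grants the site server group only CreateChild and DeleteChild scoped to the computer object class, so it cannot create or delete other object types in the OU.

```powershell
# Added example, not from the Configuration Manager documentation.
# Assumed names: OU "ConfigMgr Groups", OU "AMT Computers", site server "server01".
Import-Module ActiveDirectory

$domainDn        = 'DC=testnet,DC=treyresearch,DC=net'
$siteServerName  = 'server01'                         # assumed primary site server name
$siteServerGroup = 'ConfigMgr Primary Site Servers'

function Confirm-OrganizationalUnit([string]$Name, [string]$Path) {
    # Creates the OU if it does not exist and returns its distinguished name.
    $dn = "OU=$Name,$Path"
    if (-not [adsi]::Exists("LDAP://$dn")) {
        New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return $dn
}

$groupOuDn = Confirm-OrganizationalUnit -Name 'ConfigMgr Groups' -Path $domainDn   # assumed location
$amtOuDn   = Confirm-OrganizationalUnit -Name 'AMT Computers'    -Path $domainDn   # assumed name

# The three groups from the scenario; only the AMT computers group is required to be universal.
$groups = @(
    @{ Name = 'ConfigMgr Out Band Service Points'; Scope = 'Global';    Members = @('server15') },
    @{ Name = $siteServerGroup;                    Scope = 'Global';    Members = @($siteServerName) },
    @{ Name = 'ConfigMgr AMT Computers';           Scope = 'Universal'; Members = @() }
)
foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$($g.Name)'")) {
        New-ADGroup -Name $g.Name -GroupScope $g.Scope -GroupCategory Security -Path $groupOuDn | Out-Null
    }
    foreach ($computerName in $g.Members) {
        $member = Get-ADComputer -Identity $computerName
        $already = Get-ADGroupMember -Identity $g.Name | Where-Object { $_.DistinguishedName -eq $member.DistinguishedName }
        if (-not $already) { Add-ADGroupMember -Identity $g.Name -Members $member }
    }
}

# Delegate Create Computer Objects / Delete Computer Objects on the AMT OU.
# Both are child-object rights restricted to the schema GUID of the computer class,
# which is looked up from the schema (it is bf967a86-0de6-11d0-a285-00aa003049e2 in every forest).
$computerClassGuid = [guid](Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID

$groupSid = (Get-ADGroup -Identity $siteServerGroup).SID
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl = Get-Acl -Path "AD:\$amtOuDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$amtOuDn" -AclObject $acl

# Check: the site server group should have exactly CreateChild, DeleteChild on the computer class and nothing broader.
(Get-Acl -Path "AD:\$amtOuDn").Access |
    Where-Object { $_.IdentityReference -like "*\$siteServerGroup" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

The final query is the check to keep: if an administrator later adds the group with GenericAll on the OU "to make provisioning work", it shows up here as a right far beyond what the site server needs to publish and remove AMT computer accounts.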

Adam works with the PKI team with the following results:

  • The web server certificate template is duplicated and configured for the enrollment point. It is installed and configured in IIS on server15.

  • A custom template is created to request and install the AMT provisioning certificate on server15.

  • The web server certificate template is duplicated and configured so that it is appropriate for out of band management.

  • They identify and write down the certificate thumbprint of the root CA, which has to be manually added to the AMT firmware until they purchase a provisioning certificate from an external CA.

For guidance about how to deploy the PKI certificates required for out of band management, see the Deploying the Certificates for AMT section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager.

To prepare the desktop AMT-based computers that Adam will use in the initial testing, Adam checks that the AMT firmware configuration is correct and adds the certificate thumbprint of their internal root CA:

  1. When the computer starts, he presses CTRL+P to configure the ME module.

  2. He selects Intel (R) ME Configuration, Intel (R) ME Feature Control, Manageability Feature Selection, and then selects Intel (R) AMT. He exits and restarts the computer.

  3. He runs the ME module again, selects Intel (R) AMT Configuration, Setup and Configuration, to verify that the value for the Current provision mode is PKI. The value is not PKI, so he selects TLS PKI, and sets the Remote Configuration to Enable.

  4. In the TLS-PKI section, he selects Manage Certificate Hashes, presses the Insert key, and types the certificate thumbprint of his internal root CA.

  5. He saves the changes, exits, and then restarts the computer.

For more information, see the Intel documentation.
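The thumbprint the PKI team writes down (and that Adam types into the MEBx in step 4) must be the hash of the root of the chain that the provisioning certificate on server15 actually presents. The following is an added PowerShell example, not from the Configuration Manager or Intel documentation, to be run on server15 after the provisioning certificate is installed. It locates the certificate by Intel's AMT provisioning enhanced key usage OID (2.16.840.1.113741.1.2.3), checks that the certificate's DNS name is the out of band service point FQDN, builds the chain, and prints the root CA's SHA-1 thumbprint. The function and variable names are this example's own.

```powershell
# Added example, not from the documentation. Run on the out of band service point.
$expectedFqdn       = 'server15.testnet.treyresearch.net'
$amtProvisioningOid = '2.16.840.1.113741.1.2.3'   # Intel AMT setup and configuration EKU

function Get-AmtProvisioningCertificate {
    # Newest certificate in LocalMachine\My that carries the Intel provisioning EKU and a private key.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and
                       ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $amtProvisioningOid }) } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1
}

$cert = Get-AmtProvisioningCertificate
if (-not $cert) {
    throw "No certificate with EKU $amtProvisioningOid and a private key was found in LocalMachine\My"
}

# AMT validates the server name it connects to against the certificate, so the
# DNS name (SAN, or CN if there is no SAN) must be the out of band service point FQDN.
$certDnsName = $cert.GetNameInfo('DnsName', $false)
if ($certDnsName -ne $expectedFqdn) {
    Write-Warning "Certificate DNS name '$certDnsName' does not match the out of band service point FQDN '$expectedFqdn'"
}

# Build the chain offline; revocation is checked by the CA tooling, not here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() }
    throw 'The provisioning certificate does not chain to a root that this server trusts'
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# Thumbprint is the SHA-1 hash of the DER-encoded certificate, which is the value
# the AMT firmware stores under Manage Certificate Hashes and compares during PKI provisioning.
[pscustomobject]@{
    ProvisioningSubject = $cert.Subject
    ProvisioningExpires = $cert.NotAfter
    RootSubject         = $root.Subject
    RootIsSelfSigned    = ($root.Subject -eq $root.Issuer)
    RootSha1Thumbprint  = $root.Thumbprint
}
```

Run it again in the rollout phase after the externally purchased certificate is installed: the RootSha1Thumbprint it reports must then be one of the hashes already listed in the MEBx Manage Certificate Hashes screen of the firmware, otherwise the switch to the external CA does not remove the per-computer firmware step.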

Adam then configures the Configuration Manager primary site and makes the following changes:

  • He installs a new site system server on server15, configures it with the intranet FQDN of server15.testnet.treyresearch.net, and then installs the out of band service point and the enrollment point. He then configures the Out of Band Management component.

  • On the AMT Provisioning Certificate page for the out of band service point, he browses to the AMT provisioning certificate that he installed.

  • On the Out of Band Management Component Properties dialog box, he configures the following:

    • On the General tab, he specifies the OU that he created in testnet.treyresearch.net, the universal security group that he created, browses to the AMT web server certificate template that he created earlier, and configures a strong password for the MEBx Account.

    • On the AMT Settings tab, he specifies his own account as an AMT User Account and a Windows global domain security group that contains help desk engineers who will use the out of band management console. He also selects the options Enable serial over LAN and IDE redirection, Allow ping responses, and Enable BIOS password bypass for power on and restart commands.

For more information, see the How to Provision and Configure AMT-Based Computers in Configuration Manager topic.

Adam wants to use Wake on LAN technology to install critical software updates on computers. He has tried this feature in the past and discovered that subnet-directed broadcasts consumed too much network bandwidth over the remote links and that few of their network adapters worked with unicast transmissions.

He enables Wake on LAN and decides to keep the default option of Use power on commands if the computer supports this technology; otherwise, use wake-up packets.

For more information, see the Step 6: Configuring the Site to Send Power on Commands for Scheduled Wake-Up Activities step in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic.

Adam adds the AMT Status column to the Configuration Manager console and creates a new collection that contains just five AMT-based computers as his initial pilot. These computers are for testing only and contain different supported versions of AMT. He configures this collection for AMT provisioning.

For more information, see the Step 7: Displaying the AMT Status and Enabling AMT provisioning step in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic.

Adam monitors the AMT provisioning process.

For more information, see the Step 8: Monitoring AMT Provisioning step in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic.

When the computers are successfully provisioned for AMT, Adam starts testing these computers for out of band management.

For example scenarios of using out of band management, see Example Scenarios for Using Out of Band Management in Configuration Manager.

Rollout: Full Deployment by Using an External CA for the Provisioning Certificate

When the initial testing is completed, Adam receives confirmation from his manager that out of band management can be rolled out to all AMT-based workstation computers. To eliminate the requirement to add the thumbprint of their internal root CA certificate to each AMT-based computer, Adam purchases a provisioning certificate from an external CA and installs it on server15, according to the accompanying instructions.

Adam then takes the course of action outlined in the following table.

Process

Reference

Adam checks the prerequisites for out of band management again, to see whether there are any additional changes that he has to make. He notes the following:

  • There are port requirements that he must communicate to the firewall administrator so that help desk engineers can connect to AMT-based computers in remote sites that are protected by the internal company firewall.

  • Some help desk computers still run Windows XP, and so he must check these computers for their version of Windows Remote Management (WinRM) and update the version if necessary.

  • He must add help desk engineers to an appropriate security role to run the out of band management console.

For more information, see Prerequisites for Out of Band Management in Configuration Manager.

Adam configures the properties of the out of band service point, browses to the newly purchased AMT provisioning certificate, and saves the changes.

For more information, see the Step 4: Configuring the Enrollment Point and Out of Band Service Point for AMT Provisioning step in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic.

Adam creates new collections to gradually roll out AMT provisioning for workstation computers. Over a period of four weeks, he enables these collections for AMT provisioning and monitors progress.

For more information, see the Step 7: Displaying the AMT Status and Enabling AMT provisioning step in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic.

As a result of this course of action, all Intel AMT-based workstation computers are provisioned for AMT and can be managed out of band by the help desk. The ability to troubleshoot and repair computers when the operating system is not functioning greatly reduces the total cost of ownership for the company because engineers no longer require local access to the computer.

Add Wireless Support: Extend Management to Wireless Networks

After the successful rollout for workstations to use out of band management, Trey Research now wants to extend this support to laptop computers that use the wireless network. The wireless network uses a Windows Server 2008-based server that is running Network Policy Server (NPS) and requires a client certificate for authentication.

Adam takes the course of action outlined in the following table.

Process

Reference

Adam checks the wireless support prerequisites for out of band management and confirms that the versions of AMT on the laptops support wireless profiles. He notes the wireless configuration settings that the Network Policy Server requires: WPA2 security, AES encryption, and EAP-TLS authentication.

For more information about the prerequisites, see Prerequisites for Out of Band Management in Configuration Manager.

Adam works with the PKI team to create an additional certificate template that the AMT-based computers use to authenticate with the Network Policy Server.

For more information about creating the client certificate template, see “Creating and Issuing the Client Authentication Certificates for 802.1X AMT-Based Computers” in the Deploying the Certificates for AMT section of the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager.

Adam configures the Out of Band Management Component Properties: 802.1X and Wireless tab:

  • He creates a wireless profile that contains the wireless network name, the security type of WPA2-Enterprise, and the encryption method of AES. He then selects the trusted root certificate for the Network Policy Server, and the client certificate template that was created earlier.

For more information, see steps 26 through 39 in the Step 5: Configuring the Out of Band Management Component section in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic.

Adam creates a new collection for AMT-capable laptops. On the Out of Band Management tab, he selects Enable provisioning for AMT-based computers.

Adam then monitors the provisioning status for these laptops and uses the log file Amtopmgr.log to verify that the wireless profile is successfully configured for these AMT-based computers.

Tip

If these laptops are already provisioned for AMT without the wireless profile, Adam runs the Update Provisioning Data in Management Controller Memory command for the wireless settings to be applied. For more information, see the How to Update Computers for New AMT Settings section in the How to Manage AMT Provisioning Information in Configuration Manager topic.

For more information about monitoring AMT provisioning, see the Step 8: Monitoring AMT Provisioning step in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic.
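Reading Amtopmgr.log for the wireless profile outcome is easier with the entries parsed than with the raw CMTrace line format. The following is an added PowerShell example, not from the Configuration Manager documentation: it parses the line format that Configuration Manager logs use, keeps warnings, errors and any message matching a pattern, and runs over three sample lines constructed for this example (the format is the real one; the message wording is invented, so adjust the pattern to the text you see in your own log). The function names and the pattern default are this example's own.

```powershell
# Added example, not from the documentation.
function ConvertFrom-CMLogLine {
    # Parses one CMTrace-format line:
    # <![LOG[message]LOG]!><time="HH:mm:ss.fff+offset" date="MM-dd-yyyy" component="..." context="" type="N" thread="N" file="...">
    # type 1 = informational, 2 = warning, 3 = error.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"\s+thread="(?<thread>\d+)"') {
            [pscustomobject]@{
                Timestamp = "$($Matches.date) $($Matches.time)"
                Component = $Matches.comp
                Severity  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$Matches.type]
                Thread    = [int]$Matches.thread
                Message   = $Matches.msg
            }
        }
        # Lines that do not match (continuation lines, truncated writes) are skipped.
    }
}

function Get-AmtProvisioningIssues {
    # Returns every non-informational entry plus informational entries matching -Pattern.
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string]$Pattern = 'wireless|802\.1X|fail'
    )
    $Lines | ConvertFrom-CMLogLine |
        Where-Object { $_.Severity -ne 'Info' -or $_.Message -match $Pattern }
}

# Constructed sample lines in the real log format; the message text is invented for this example.
$sampleLines = @(
    '<![LOG[Start processing AMT provisioning for LAPTOP01.testnet.treyresearch.net]LOG]!><time="09:12:01.004+000" date="05-14-2015" component="AMTOPMGR" context="" type="1" thread="4120" file="amtopmgr.cpp:200">',
    '<![LOG[Wireless profile TreyWireless applied to LAPTOP01.testnet.treyresearch.net]LOG]!><time="09:12:07.518+000" date="05-14-2015" component="AMTOPMGR" context="" type="1" thread="4120" file="amtopmgr.cpp:355">',
    '<![LOG[Failed to apply wireless profile to LAPTOP02.testnet.treyresearch.net: client certificate not found]LOG]!><time="09:12:09.201+000" date="05-14-2015" component="AMTOPMGR" context="" type="3" thread="4120" file="amtopmgr.cpp:360">'
)

# Expected: the two wireless-profile entries (one Info, one Error); the first line is filtered out.
Get-AmtProvisioningIssues -Lines $sampleLines | Format-Table Timestamp, Severity, Message -AutoSize

# Against the live file, pipe Get-Content of Amtopmgr.log (add -Wait to follow it) into ConvertFrom-CMLogLine.
```

An Error entry naming a laptop is the cue to check, in this order, that the laptop's AMT version supports wireless profiles, that the client authentication certificate template is issued to that computer, and that the Update Provisioning Data in Management Controller Memory command was run if the laptop was provisioned before the wireless profile existed.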

As a result of this course of action, laptops can also now be managed out of band by the help desk, which reduces the time to resolve the problems reported by laptop users.