Microsoft System Center Configuration Manager can provision an AMT / vPro client in two different capacities: Bare metal and Agent Initiated.  Bare metal provisioning begins with the AMT client sending a “hello packet” to the SCCM Out of Band Service Point; if the AMT client is approved and authorized to be provisioned, SCCM will initiated the provisioning process.  Agent Initiated provisioning begins with the SCCM Client Agent pulling down the “Automatic Provisioning” policy from the SCCM Policy Server; if the SCCM Client Agent receives the policy, the Agent will negotiated a One Time password (OTP) with the AMT ME firmware and send the provisioning request along with the OTP to the Out of Band Service point to begin the provisioning process.

Bare Metal / Hello Packet Initiated Provisioning
For Bare Metal provisioning to work properly on AMT / vPro Clients with firmware 2.x, there are a couple of prerequisites that must be met.

SCCM Server

• SCCM SP1 with Rollup Hotfix KB960804 or higher (full list of required hotfixes found here: http://communities.intel.com/docs/DOC-1897Required Software Bundles and HotFixes (KB’s) for System Center Configuration Manager SP1
• Intel WS-MAN Translator installed and configured (Download available from here: http://software.intel.com/en-us/articles/intel-ws-management-translator/ )
• SCCM configured for Out of Band Management (SCCM Quick Start Guide: http://communities.intel.com/docs/DOC-1754)

AMT Client

• AMT Firmware version that support PKI provisioning with SCCM.  For AMT 2.x Desktops and Laptops, you will want to ensure that you have a minimum of AMT Firmware 2.2.20 (Desktop) and 2.2.20 (Laptop).  Note: For AMT Desktops with firmware 3.x, you will want to ensure that you have firmware 3.2.2 or above to meet the minimal requirements.  AMT Laptops with firmware 4.x and Desktops with firmware 5.x have the minimum requirements meet from the initial firmware release.

SCCM Client Agent Initiated Provisioning
In addition to the prerequisites needed for Bare Metal provisioning, SCCM Agent initiated provisioning requires a couple additional items.

AMT Client

• AMT ME / HECI Driver installed (available from your OEM driver website)
• Execution of RNGSeedCreator.exe (Download available from here: http://communities.intel.com/docs/DOC-3807).  RNGSeedCreator.exe is an executable that is ran on an AMT / vPro client with firmware version 2.x that has never been configured or provisioned; this utility generates a random number for the firmware to support the OTP used during the SCCM Agent Initiated Provisioning process.  For SCCM PKI provisioning to complete successfully, the random number generated by RNGSeedCreator.exe must be completed prior to initiating provisioning via the SCCM Client Agent.Note: AMT / vPro clients with firmware version 3.x and higher do not need to have the RNGSeedCreator.exe ran prior to SCCM Agent Initiated provisioning.

If your AMT clients do not meet the minimal firmware version for PKI based provisioning (Bare Metal or Agent Initiated), you can use the software distribution capabilities within SCCM to remotely upgrade the AMT firmware and drivers; check out the following Blog / Video which walks you through creating this software package.  Similar to upgrading the AMT firmware with SCCM Software distribution, you can also use the same Software Distribution process to run the RNGSeedCreator.exe utility on your 2.2 (Desktop) and 2.6 clients.  If you wish to combine the firmware upgrade and RNGSeedCreator.exe execution into a single SCCM advertisement, you can construct a single task sequence that runs both the Firmware upgrade and RNGSeedCreator.exe software packages.  A guide on how to accomplish this has been included in the RNGSeedCreator download package.

Once the firmware has been upgraded to the minimal firmware version to support PKI provisioning and the RNGSeedCreator.exe has been run, SCCM Agent Initiated provision can complete successfully on 2.2 and 2.6 clients.

--Matt Royer

Microsoft has released a really great blog on the “Security Best Practices for Out of Band Management in Configuration Manager 2007 SP1”.  The following topics are covered in great detailed and is a definite read.  http://blogs.technet.com/configmgrteam/archive/2009/08/05/updated-security-best-practices-for-out-of-band-management-in-service-pack-1.aspx

• Request customized firmware before purchasing AMT-based computers
• Use in-band provisioning instead of out of band provisioning
• Manually revoke certificates and delete Active Directory accounts for AMT-based computers that are blocked by a Configuration Manager 2007 SP1 site 
• Control the request and installation of the provisioning certificate
• Ensure that you request a new provisioning certificate before the existing certificate expires
• If the provisioning certificate is revoked, delete it from the certificate store on the out of band service point site system server, and remove it from the out of band management component configuration properties
• If you must revoke a provisioning certificate supplied by an internal CA, revoke the certificate in the Certification Authority console
• Use a dedicated certificate template for provisioning AMT-based computers
• Use out of band management instead of Wake On LAN
• Use a dedicated OU to publish AMT-based computers
• Use Group Policy to Restrict User Rights for the AMT Accounts
• Use a dedicated collection for in-band provisioning
• Restrict who has the Media Redirection right and the PT Administration right
• Retrieve and store image files securely when booting from alternative media to use the IDE redirection function
• Minimize the number of AMT Provisioning and Discovery Accounts

--Matt Royer