Here are the high level steps to configure SCCM SP1 so that you can begin provisioning and managing vPro Clients out of band.  This does not take in consideration any additional configuration settings you may want to enable based on your business needs.  Please note that until the WS-MAN translator is released, you will only be able to Provision and Manager AMT 3.x or higher machines.

 

Configure AMT Certificate on Enterprise CA for SCCM SP1

 

 

 

  1. Open of the Certification Authority Management Console for the Certificate Authority that will issue your AMT certificates.

  2. Expand the menu so that the “Certificate Templates” drill down is available.
                                  Right Click on “Certificate Templates” and select “Manage”.

  3. When the “Certificate Templates” windows appears, Select “Web Server” from the Template Display list.

  4. Right Click on “Web Server” Template and select “Duplicate Template”.

  5. When the “Properties of New Template” appears, ensure the “General” tab is select and enter in the “AMT Certificate” in the “Template Display Name” field and check “Publish certificate in Active Directory”.

  6. Within the “Properties of New Template” windows, click on the “Security” tab.

  7. Click “Add” and add the server name of the SCCM SP1 Site Server.

  8. Ensure you give the SCCM SP1 Site computer name read, Enroll, & Autoenroll permissions and then click “OK”.

  9. Close the “Properties of New Template” window

  10. Right Click on “Certificate Templates” and select “New”, then “Certificate Template to Issue”

  11. When the “Enable Certificate Templates” window appears, select “AMT Template” and click “OK”.

 

Here is a video that visually goes through the process for configuring the CA:

 

 

 

 

 

 

 

Adding “OOB Service Point” Role

 

 

 

 

 

  1. Open up “Configuration Manager Console”Expand “Site Database”-> “Site Manager” -> Site server Name -> “Site Settings” -> “Site Systems”.  Right click on the SCCM Server and select “New Roles”.

  2. When the “New Site Role” wizard appears, click “Next”.

  3. Check the “OOB Service Point” and click “Next”.

  4. When presented with the “Transmission” options, leave default unless business needs dedicate otherwise and click “Next” to finish.

 

Configure “Out of Band Management”

 

 

 

  1. Open up “Configuration Manager Console”.

  2. Expand “Site Database”-> “Site Manager” -> Site server Name -> “Site Settings” and click on “Component Configuration”.

  3. Right click on “Out of Band Management” and select “Properties”.

  4. Under the “Provisioning Settings”, click “Set” near the MEBx Account.

  5. When the windows appears in the “General” tab, enter in the MEBx password that you want the MEBx password to be or what you have had your OEM preconfigured it with.  SCCM SP1 will try the default (admin) password first (no configuration required) if necessary.  Once completed, click “OK”.

  6. Within the “General” tab, check the “Register provisioning server in DNS for zero touch provisioning”.  This will register provisionserver on your DNS server.

  7. Under “Certificates”, click the “Browse” next to “Provision Certificate”.

  8. On the “Select Provisioning Certificate” window, click “Browse” and choose your Remote Provisioning Certificate and then OK.  Then enter in the password associated to the certificate and click “OK”.  Please check of the following blogs to get more detail on Remote Configuration and process to create the certificate  Please check out Terry Culter’s blog on Remote Configuration - What is it? How does it work? When will it be available?

  9. Back on the “General” tab, Click the “Select” next to “Certificate Template”.

  10. Once the “AMT Certificate Configuration Dialog” window appears and fully loads, select “AMT Certificate” under the “AMT Device Certificate Template” and click “OK”.

  11. Back on the “Out of Band Management Properties”, click the “AMT Settings” tab.

  12. Click the “New Icon” next to “AMT User Accounts”.  When the “AMT User Account Setting” appears, click “Browse”, choose your desired groups or users, and click “OK”.  Once the group has been selected, identify which permissions to authorize for that group or user.  Click “OK” when completed

  13. On the “AMT Settings” tab, ensure that “Enable Web interface”, Enable Serial over LAN and IDE redirection for AMT devices”, and “Allow ping responses”. You may choose which options you want based on your business needs.

  14. Back on the “Out of Band Management Properties”, click the “Provisioning” tab.

  15. Click the “New Icon” next to “Provision Accounts”.  When the “Windows User Account” appears, enter in a user name and password.  This will allow you to specify user accounts that have been configured in the firmware for AMT-based computers, and can provision these computers.  Once satisfied, check “OK”.

  16. Click “Apply” and “OK” to save the changes for the “Out of Band Management”.

 

Configure “Wake on LAN” settings to work with AMT

 

 

 

  1. Open up “Configuration Manager Console”.

  2. Expand “Site Database”-> “Site Manager”, right click on Site server Name and “Properties”.

  3. On the “Wake On LAN” tab, check “Enable Wake on LAN for this site” and click “OK”.  Checking this option will allow SCCM SP1 Wake on LAN to use AMT remote power up control.

 

Enable Network discover of Out of Band Management

 

 

 

  1. Open up “Configuration Manager Console”

  2. Expand “Site Database”-> “Site Manager”, right click on Site server Name -> “Discovery Methods” and double click on “Network Discovery”.

  3. When the “Network Discovery Properties” appears, check “Enable network discovery” and “Enable discovery of baseboard management Controller”.  Then click “OK”.

  4. On the “Wake On LAN” tab, check “Enable Wake on LAN for this site” and click “OK”.  Checking this option will allow SCCM SP1 Wake on LAN to use AMT remote power up control.

 

Here is a video that visually goes through the process four steps above:

 

   

 

Matt Royer