This information is based on Microsoft’s Release Candidate of System Center Configuration Manager Service Pack 2 and is subject to change.

 

There are several new features / changes that are coming with ConfigMgr SP2 related to AMT / vPro functionality.  As noted in previous articles, some of the more obvious changes are:


OOB Wireless Management: Wireless Profile Management

    • Provide configuration of up to eight (8) wireless profiles per site that are available to AMT clients assigned to that site
    • Set the wireless information during AMT provisioning and configure all required profile settings (SSID, key management, encryption, etc.
    • Send wireless profile operations to the Intel translator on AMT systems with revisions earlier than 3.2.

End Point Access Control: 802.1x support

    • Provision 802.1x settings on AMT wireless clients during AMT provisioning
    • Send 802.1x settings operations to the Intel translator on AMT systems with revisions earlier than 3.2.1

Data Store (3PDS)

    • Write string data into 3PDS on AMT through OOB management console

Access Monitor: Audit Log

    • Enable or Disable Audit Log (no critical event settings)
    • View Audit Log through OOB Console

Remote Power Management

    • Power State Configuration

 

 

However, Microsoft has also made some more subtle changes between SCCM SP1 and SP2 to improve the end user experience that you may have not notice.

 

  • In-band Provisioning attempt schedule:  With SCCM SP1, in-band provisioning was hard coded to initiate once every 24 hours.  SCCM SP2 now supports the ability to set the provisioning attempt schedule to a configurable value within the Out of Band Management Properties - Provisioning Schedule Tab.
  • Handling wired and wireless contented clients with in-band provisioning:  To provision an AMT / vPro client with SCCM 2007, first stage provisioning must be completed on the wired interface.  With SCCM 2007 SP2, the wired interface information will be sent along with the AMT One Time Password (OTP) during agent initiated in-band provisioning.  Second stage provisioning can then occur over either wireless or wired interface (which one is resolved by DNS).
  • Out of Band Provisioning disabled by default:  The ability to use Out of Band provisioning (provisioning through AMT hello packet initiation) is configurable and defaulted to disabled with SCCM 2007 SP2.  If you are using Out of Band provisioning, you will need to enable it after upgrading from SCCM SP1 to SCCM SP2.  This is configured on the Out of Band Management Properties - General Tab.
  • Opening the Out of Band Console ensures an updated Kerberos token:  With SCCM SP1, occasionally you would run into a scenario where the Out of Band Management Console would attempt to connect with an expired or involved Kerberos token; this would prevent OOB Console from properly authenticating with the AMT / vPro Client.  This was common if you tried to connect to an AMT / vPro client immediately after an AMT client reprovision.  The Out of Band Management Console with SCCM SP2 now refreshes the Kerberos token to ensure a proper connection.
  • AMT / vPro client provisioning prevented if Configuration Manager Client is blocked or not approved:  If an SCCM client is block or not approved within with the site server, SCCM will not allow you provision an AMT / vPro client.
  • AMT PKI Certificates are revoked during an Update Management Controller:  If you have wired or wireless 802.1x authentications being used, SCCM will revoke these certificates and new certificate will be requested & issued.  As a clarifying note, the AMT TLS certificate used to secure the manageability traffic will not be revoked during this process.
  • Power control available for collection execution:  SCCM SP2 now allows the execution of an AMT power control on an entire collection just by right clicking on the collection and selecting Out of Band Management -> Power Control.  Previously with SCCM SP1, you were required to multi-select all the clients in that collection to perform the same function.
  • Serial over LAN (SOL) requires manual initiation with the Out of Band Management Console:  With SCCM SP1, when you opened the Out of Band Management Console, the SOL session was automatically started.  In SCCM SP2, you are now required to open and close the Serial over LAN connection via a new button or with the new Tools menu option.
  • IDE-Redirect Log renamed: What was previous known as the System Audit Log in SCCM SP1 within the Out of Band Management Console has been renamed to IDE-Redirect Log.  This was done to allow the AMT Audit Log to assuming that name.
  • Working with AMT Data Storage: Within SCCM SP2, you are now able to interact with the AMT / vPro 3rd Party Data Store through the new button added in Out of Band Management Console labeled Data Storage.  Note that the data storage is limited to ASCII characters and length of 4096 bytes.

 

 

--Matt Royer