Enable and Integrate Intel Active Management Technology with AD and ConfigMgr | Quisitive
April 16, 2019
Quisitive
Today we’re going to walk through enabling remote management through Intel® Active Management Technology.

Sometimes, as ConfigMgr admins, we need more than just the built-in tools provided out of the box. Specifically, we need tools for remote administration tasks such as modifying BIOS options, checking boot order, remote re-imaging using PXE, remote recovery, etc. Within ConfigMgr, that has historically been the Out of Band Management (OOBM) role. With the release of ConfigMgr 1511, Microsoft removed OOBM from Configuration Manager. You may be asking, “So, what are we supposed to use in place of that?”

Well, the answer is right in front of us… Ask yourself this… “What chipset and processor features did OOBM leverage to provide us the functionality?”

ANSWER: Intel® vPro and Intel® AMT (Intel® Active Management Technology)

This post is intended to be a primer, possibly for upcoming posts as I get time. Today we’re going to walk through enabling remote management through Intel® Active Management Technology without integration with corporate PKI (certificates). The walkthrough here will only work for clients connected directly to the wired corporate network.

What are the requirements?

Client(s):

  • Physical computers with
    • Windows 7, 8, 8.1, or 10 installed
    • Intel® Processor with vPro Technology
    • Intel® Chipset with AMT onboard
    • Integrated NIC with wired connection to corporate network
    • Up-to-date Chipset/System BIOS
    • Up-to-date AMT Firmware

Software:

Microsoft® Active Directory:

  • Healthy Active Directory
  • Healthy DNS
  • Healthy DHCP
  • Organizational Unit for creation and placement of Intel® AMT objects
  • Service Account for Remote AMT Activation and Configuration
  • Security Group(s) to provide access for remote configuration of AMT clients
  • Security Group(s) to provide access for remote management of AMT clients

Server(s):

  • Microsoft® System Center Configuration Manager Primary Site Server

Permissions and Access Rights:

  • Admin access to the ConfigMgr Console
  • Local Administrator access on ConfigMgr Primary Site Server and SQL DB Server
  • SA Access in SQL Server Instance
  • Ability to create and set permissions on objects in Active Directory
    • Organizational Unit(s)
    • User(s)
    • Group(s)

Optional:

  • 1GB USB Drive (Thumb Drive)

Prepare the Environment

We will need to create some items in Active Directory in order to manage AMT and Remote Configuration. Below is a table with the information needed for them. Account, OU, and Group names may differ in your environment based upon the naming convention specified by your IT Department.

Accounts, and Groups to be created in AD for Intel® Active Management Technology

| Name | Type | Description | Notes |
| --- | --- | --- | --- |
| Svc-IntelRCS | AD User (Service Account) | Account used for Provisioning AMT objects, and running the Intel Remote Configuration Server Service (IntelRCS) | |
| Intel AMT Admins | AD Security Group | Provides full administrative access to all Intel AMT features over both interfaces (Out of Band, and Local) | Members: Domain Admins; Help Desk; SCCM Admins; Svc-IntelRCS |
| Intel AMT Provisioners | AD Security Group | Members of this group can provision Intel vPro clients, update their own respective AMT Objects in AD, and configure remote AMT settings through the RCS management server service. | Members: Domain Admins; Domain Computers; SCCM Server Account (ServerName$); Svc-IntelRCS |

Organizational Unit to be created in AD for Intel® AMT

Intel AMT Provisioning will create a computer object that represents the onboard AMT chip. Best practice is to keep these objects in a separate OU from the normal computer objects in AD. This is because each AMT object will have the same display name and DNS FQDN as its domain computer object; only the SamAccountName will differ.

  • OU Name
    • IntelAMT
  • AD Group for Permission Delegation
    • Intel AMT Provisioners
  • “This Object” permissions
    • Create Computer Objects
    • Delete Computer Objects
    • List Contents
  • “Descendant Computer Objects” permissions
    • Change Password
    • Write all properties

NOTE: If editing existing permissions, ensure that the box for “Apply these permissions to the objects and/or containers within this container only” is checked.
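
The OU delegation listed above can also be scripted and then read back for review. This is an added example, not part of the original post or Intel's tooling. It assumes the IntelAMT OU lives at the domain root (the post does not say where), that the Intel AMT Provisioners group already exists, and that it runs under an account allowed to edit the OU's ACL.

```powershell
# Added example: delegate the OU permissions listed above to "Intel AMT Provisioners".
# Assumption: the OU is created at the domain root; adjust $domainDN if yours differs.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'IntelAMT'
$ouDN     = "OU=$ouName,$domainDN"
$sid      = (Get-ADGroup -Identity 'Intel AMT Provisioners').SID

# Schema GUIDs: the computer object class and the Change Password extended right.
$computerClass  = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$changePassword = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rule    = [System.DirectoryServices.ActiveDirectoryAccessRule]

# Create the OU only if it is missing, so the script can be re-run safely.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}

$acl = Get-Acl -Path "AD:\$ouDN"

# "This Object": create/delete is scoped to computer objects only, plus list contents.
$createDelete = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$acl.AddAccessRule($rule::new($sid, $createDelete, $allow, $computerClass, $inherit::None))
$acl.AddAccessRule($rule::new($sid, $rights::ListChildren, $allow, $inherit::None))

# "Descendant Computer Objects": change password and write all properties.
# Children = computer objects directly in this OU only, the scripted equivalent
# of the "within this container only" box in the NOTE.
$acl.AddAccessRule($rule::new($sid, $rights::ExtendedRight, $allow, $changePassword,
                              $inherit::Children, $computerClass))
$acl.AddAccessRule($rule::new($sid, $rights::WriteProperty, $allow,
                              $inherit::Children, $computerClass))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Read the result back: only the four entries above should appear for the group.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like '*Intel AMT Provisioners' } |
    Format-Table ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType -AutoSize
```

Because Domain Computers is a member of Intel AMT Provisioners, the read-back is worth keeping with your change record: it shows that create, delete and write rights stop at computer objects inside this one OU.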

Download, Unzip, and Stage Intel® Software for Installation

Install Intel® Setup and Configuration (SCS)

Import Intel® Active Management Technology Hardware Classes in ConfigMgr

Create Default Intel® AMT Profile

Install Intel® SCS Add-on

Deploy Intel® AMT Solution using ConfigMgr

Remove deployment for Discovery TS from “All Systems” Collection

Create a test collection

Enable the Discovery TS

Deploy Discovery TS to test collection