Sometimes, as ConfigMgr admins, we need more than just the built-in tools provided out of the box. Specifically, the tools used for remote administration tasks such as modifying BIOS options, checking boot order, remote re-imaging using PXE, remote recovery, etc. Within ConfigMgr, that has historically been the Out of Band Management (OOBM) role. With the release of ConfigMgr 1511, Microsoft removed OOBM from Configuration Manager. You may be asking, “So, what are we supposed to use in place of that?”
Well, the answer is right in front of us. Ask yourself this: “What chipset and processor features did OOBM leverage to provide that functionality?”
ANSWER: Intel® vPro and Intel® AMT (Intel® Active Management Technology)
This post is intended to be a primer, possibly for upcoming posts as I get time. Today we’re going to walk through enabling remote management through Intel® Active Management Technology without integrating with the corporate PKI (certificates). The walkthrough here will only work for clients connected directly to the wired corporate network.
What are the requirements?
Client(s):
- Physical computers with:
  - Windows 7, 8, 8.1, or 10 installed
  - Intel® Processor with vPro Technology
  - Intel® Chipset with AMT onboard
  - Integrated NIC with wired connection to corporate network
  - Up to date Chipset/System BIOS
  - Up to date AMT Firmware
Software:
- Microsoft® System Center Configuration Manager 1511 or higher
- System Center Configuration Manager Console
- Microsoft® SQL Server 2012 SP1 or higher
- Intel® Setup and Configuration Software (Intel SCS) v11.2
- Intel® SCS Add-on for Microsoft System Center Configuration Manager v2.1.8
- Intel® SCS Platform Discovery Utility v11.0
- Intel® SCS Solutions Framework v11.1
- Intel® Manageability Commander 2.0
- Intel® Management Engine Components for Windows® 7*, 8.1*, and Windows® 10
Microsoft® Active Directory:
- Healthy Active Directory
- Healthy DNS
- Healthy DHCP
- Organizational Unit for creation and placement of Intel® AMT objects
- Service Account for Remote AMT Activation and Configuration
- Security Group(s) to provide access for remote configuration of AMT clients
- Security Group(s) to provide access for remote management of AMT clients
Server(s):
- Microsoft® System Center Configuration Manager Primary Site Server
Permissions and Access Rights:
- Admin access to the ConfigMgr Console
- Local Administrator access on ConfigMgr Primary Site Server and SQL DB Server
- SA Access in SQL Server Instance
- Ability to create and set permissions on objects in Active Directory:
  - Organizational Unit(s)
  - User(s)
  - Group(s)
Optional:
- 1GB USB Drive (Thumb Drive)
Prepare the Environment
We will need to create some items in Active Directory in order to manage AMT and Remote Configuration. Below is a table with the information needed for them. Account, OU, and group names may differ in your environment based upon the naming convention specified by your IT department.
Accounts and Groups to be created in AD for Intel® Active Management Technology

| Name | Type | Description | Notes |
|---|---|---|---|
| Svc-IntelRCS | AD User (Service Account) | Account used for provisioning AMT objects and running the Intel Remote Configuration Server service (IntelRCS) | |
| Intel AMT Admins | AD Security Group | Provides full administrative access to all Intel AMT features over both interfaces (Out of Band and Local) | Members: Domain Admins, Help Desk, SCCM Admins, Svc-IntelRCS |
| Intel AMT Provisioners | AD Security Group | Members of this group can provision Intel vPro clients, update their own respective AMT objects in AD, and configure remote AMT settings through the RCS management server service | Members: Domain Admins, Domain Computers, SCCM Server Account (ServerName$), Svc-IntelRCS |
Organizational Unit to be created in AD for Intel® AMT
Intel AMT provisioning will create a computer object that represents the onboard AMT chip. Best practice is to keep these objects in a separate OU from the normal computer objects in AD, because the AMT object will have the same display name and DNS FQDN as its domain computer object; only the SamAccountName will differ.
- OU Name: IntelAMT
- AD Group for Permission Delegation: Intel AMT Provisioners
- “This Object” permissions:
  - Create Computer Objects
  - Delete Computer Objects
  - List Contents
- “Descendant Computer Objects” permissions:
  - Change Password
  - Write all properties
NOTE: If editing existing permissions, ensure that the box for “Apply these permissions to objects and/or containers within this container only” is checked.
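As an added example (not code from the original post, Intel, or Microsoft), the PowerShell below creates the service account, groups and OU from the tables above and applies the delegated permissions to the OU. It assumes the ActiveDirectory RSAT module (which provides the AD: drive), rights to create objects in the domain, and the well-known schema GUIDs for the computer object class and the Change Password extended right; the site-specific members (Domain Admins, Help Desk, SCCM Admins, the site server account) are left for you to add with Add-ADGroupMember.

```powershell
# Added example, not from the original post: creates the AD objects from the tables above
# and delegates the listed rights on the IntelAMT OU to "Intel AMT Provisioners".
# Assumes the ActiveDirectory RSAT module and rights to create objects in the domain.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$ouDN     = "OU=IntelAMT,$domainDN"

# Service account that runs IntelRCS and provisions AMT objects.
$svcPassword = Read-Host -Prompt 'Password for Svc-IntelRCS' -AsSecureString
New-ADUser -Name 'Svc-IntelRCS' -SamAccountName 'Svc-IntelRCS' -AccountPassword $svcPassword `
    -Enabled $true -PasswordNeverExpires $true -Description 'Intel RCS service account'

New-ADGroup -Name 'Intel AMT Admins'       -GroupScope Global -GroupCategory Security
New-ADGroup -Name 'Intel AMT Provisioners' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'Intel AMT Admins'       -Members 'Svc-IntelRCS'
Add-ADGroupMember -Identity 'Intel AMT Provisioners' -Members 'Svc-IntelRCS', 'Domain Computers'

# Separate OU: AMT objects share display name and DNS FQDN with the PC; only SamAccountName differs.
New-ADOrganizationalUnit -Name 'IntelAMT' -Path $domainDN -ProtectedFromAccidentalDeletion $true

# Well-known schema GUIDs: the "computer" object class and the "Change Password" extended right.
$computerClass  = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$changePassword = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
$sid      = (Get-ADGroup 'Intel AMT Provisioners').SID
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$none     = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
# "Children" = apply to objects within this container only (the checkbox in the NOTE above).
$children = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Children
$R        = [System.DirectoryServices.ActiveDirectoryRights]
$rule     = 'System.DirectoryServices.ActiveDirectoryAccessRule'

$acl = Get-Acl -Path "AD:\$ouDN"
# "This Object": Create Computer Objects, Delete Computer Objects, List Contents.
$acl.AddAccessRule((New-Object $rule -ArgumentList $sid, ($R::CreateChild -bor $R::DeleteChild), $allow, $computerClass, $none))
$acl.AddAccessRule((New-Object $rule -ArgumentList $sid, ($R::ListChildren), $allow, $none))
# "Descendant Computer Objects": Change Password and Write all properties.
$acl.AddAccessRule((New-Object $rule -ArgumentList $sid, ($R::ExtendedRight), $allow, $changePassword, $children, $computerClass))
$acl.AddAccessRule((New-Object $rule -ArgumentList $sid, ($R::WriteProperty), $allow, $children, $computerClass))
Set-Acl -Path "AD:\$ouDN" -AclObject $acl
```

Review the result in the OU's Security tab (Advanced view) afterwards; the four entries should show "This object only" and "Descendant Computer objects" exactly as listed above.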