This is my last post about the step by step series about Step by Step guide for provisioning Intel VPro clients in SCCM 2007 SP2.
In my previous post I have talked about importing the 3rd Party Remote Configuration Certificate on the OOB Service Point (In this example we will use a certificate from GoDaddy ) to provision Intel vPro technology based systems in SCCM at http://scug.be/blogs/sccm/archive/2010/05/06/step-by-step-guide-for-provisioning-intel-vpro-clients-in-sccm-2007-sp2-part-3.aspx
In my previous posts I talked about what is OOB, OOB requirements and little bit about the necessary certificates. In this post I will talk about internal PKI infrastructure and how to configure OOB management point within SCCM. ConfigMgr 2007 SP2 uses four types of certificates for Out Of Band Management. These four different certificates are:
- AMT Self Signed certificate – IntelAMT will generate a self-signed certificate during the PKI provisioning process to secure the connection with the ConfigMgr 2007 Server.
- AMT provisioning certificate – This certificate is used by ConfigMgr 2007 to provision Intel AMT devices. The most simple and automated method for provisioning is the process of purchasing this certificate from a third-party provider (VeriSign, GoDaddy, Comodo, or Starfield). This certificate will need to be installed on each OOB Service Point in the environment.
- Web server certificate -This certificate is generated by an internal Enterprise Certificate Authority during the provisioning process and installed on each AMT device within the firmware. This will allow for a TLS management session between the ConfigMgr 2007 OOB Management console and the AMT firmware.
- 802.1x RADIUS Certificate – Optional certificate that allows the Intel AMT client to securely authenticate to an 802.1x network without the operating system being present.
In our case , you will need an internal certificate Authority and create two certificates :
• AMT provisioning certificate – In this case the Godaddy cert and Request, install and prepare the AMT remote configuration certificate ( Already done in the previous blog post)
• Web server certificate – this certificate is requested by the primary site server on behalf of AMT-based computers and then installed in the AMT firmware in the computers
To Prepare Web server certificate – see the steps below :
1. Open your Certificate Authority issuing PKI Server –> Click Start> All Programs > Administrator Tools > Certification Authority
2. Right Click on Certificate Templates > Manage
3. In the Certificate Templates Console Window, right click on Web Server and select Duplicate Template
4. In the Duplicate Template Window, select the radio button for Windows 2003 Server, Enterprise Edition and Click OK
5. In the Properties of New Template Window and enter ConfigMgr AMT Web Server Certificate
6. Check the Box to Publish certificate in Active Directory
7. Proceed to next step to set the security rights on this template.
8. Select the Security Tab and click Add
9. Select the ConfigMgr site server 2007 primary site server computer group and Click OK
10. With the ConfigMgr Primary Site Servers group highlighted, check Read and Enroll , Click OK
11. Close the Certificate Templates Console
12. In the Certification Authority Window, right-click on Certificate Templates > New > Certificate Template to Issue
13. In the Enable Certificate Templates Window, select ConfigMgr AMT Web Server Certificate (this template was created in the previous step)
14. Click OK
15. In the Certification Authority Window, you will now see ConfigMgr AMT Web Server Certificate listed in the right hand Window and ready for use by the Out of Band Service Point
Note: This Web Server Template will be used by ConfigMgr 2007 SP2 to generate a unique certificate for each Intel AMT system during the provisioning process,and used for TLS session during management of the Intel AMT client .
How to Configure OOB service in SCCM
After you have your exported *.pfx certificate we will import this into the SCCM out of band management properties box. Now you have configured all certificates, permissions and have a certificate private key we are going to configure the OOB management point.
1. Open SCCM console -> Site Settings -> Component Configuration -> Out Of Band Service Point
2. Create extra OU in Active Directory where SCCM creates AMT computer objects. Make sure the Configmgr Primary Site Server has permissions on that container to create those objects!
2. Configure MEBx password that SCCM uses to connect AMT-based computers. By default this password is admin but you can change this later on.
3. You could select “Allow out of band provisioning” and “Register ProvisionServer as an alias in DNS” but it wouldn’t be necessary if you only are going to in-band provision ( Thru the SCCM Client)
4. Configure Provisioning certificate. From here you now have to import that *.PFX file and enter your previous configured password.
5. Configure your web certificate template. From here you have to select your internal PKI CA and select your ConfigMgr AMT Web Server Certificate.
You can configure all the other tabs at your own flavor .
You will find a good document from Intel with all the steps at www.intel.com/en_US/Assets/PDF/…/cg_MicrosoftConfigMgr_vPro.pdf
Hope it Helps ,
Kenny Buntinx