Thursday, October 20, 2011

SCCM 2007 R3 - Out of Band Management



What is Out of Band in Configuration Manager
Out of band management in Configuration Manager 2007 provides powerful management control for computers that have the Intel vPro chip set and a version of the Intel Active Management Technology (Intel AMT) that is supported by Configuration Manager.
Out of band management allows an administrator to connect to a computer's management controller when the computer is turned off, in sleep or hibernate modes, or otherwise unresponsive through the operating system. By way of contrast, in-band management is the classic approach used by Configuration Manager and its predecessors whereby an agent runs in the full operating system on the managed computer and the management controller accomplishes tasks by communicating with the management agent.
Out of band management supplements in-band management. While in-band management supports a wider range of operations because its environment is the full operating system, in-band management might not be functional if the operating system is not present or is not operational. In these situations, the supplementary capabilities of out of band management allow administrators to manage these computers without requiring local access to the computer.


Out of band management tasks include the following:
  • Powering on one or many computers (for example, for maintenance on computers outside business hours).
  • Powering off one or many computers (for example, the operating system stops responding).
  • Restarting a nonfunctioning computer or booting from a locally connected device or known good boot image file.
  • Re-imaging a computer by booting from a boot image file that is located on the network or by using a PXE server.
  • Reconfiguring the BIOS settings on a selected computer (and bypassing the BIOS password if this is supported by the BIOS manufacturer).
  • Booting to a command-based operating system to run commands, repair utilities, or diagnostic applications (for example, upgrading the firmware or running a disk repair utility).
  • Configuring scheduled software update deployments and advertisements to wake up computers prior to running.
If you are using Configuration Manager 2007 SP1, these out of band management tasks are natively supported on an unauthenticated, wired connection. However, with Configuration Manager 2007 SP2 and later, they are also supported on authenticated 802.1X wired connections and wireless connections. Configuration Manager 2007 SP2 also has the following additional features:
  • Auditing for selected AMT features.
  • Support for different power states, to help conserve power and adhere to IT policy.
  • Data storage in AMT, where up to 4096 bytes in ASCII characters can be saved in the nonvolatile random access memory (NVRAM) of the management controller.

What does it look like in use:





Reference, Kaido Jarvemets, Configmgr MVP
http://depsharee.blogspot.com/2010/05/sccm-out-of-band-management-part-1.html



Setup

To set up out of band management of your clients with SCCM 2007, you will need to buy a third-party certificate issued by a CA that is on the approved list of the AMT chip. Usually this is Global Trust, GoDaddy, VeriSign... Check this with your hardware clients.



My Experience!
Choose a 2048-bit certificate. Remember to checkmark "Use for AMT Provisioning" while ordering the certificate. (A 4096-bit certificate worked only on a few models.)

Intel Active Management Technology must be in Advanced Mode (previously called Enterprise Mode). This is usually the default.
HP machines: all worked just nicely with 2048-bit.
Dell machines: lots of models not being able to get provisioned for some reason. I guess they were not purchased with AMT vPro activated. (Dell, this is BAD!) $20 extra on the purchase.
SCCM reports that they have an AMT chip, but you won't be able to enter the AMT BIOS with Ctrl+P.
So... models like the Dell Latitude 6410 were provisioned and working, but the Latitude 6420 and 6520 were not!
Still investigating this... It may just be a Dell driver issue :)

Recommendations:
  1. Check first that all your machines have Intel vPro
    1. http://communities.intel.com/docs/DOC-5693
  2. Plan
  3. Update BIOS (Lots of fixes regarding AMT, even at Dell Bios Update nr 30 :)
  4. Update Drivers, with AMT also.
  5. Implement
  6. Wait
Now SCCM has two methods of waking up machines... nice! :)

Intel® AMT traffic is capable of spanning subnets.

Follow the guides on the link below.
I have yet to find another easy way to get your corporate CA approved in the AMT chip. You can add the hash of your root CA manually or with an Intel USB stick tool, but there is still no automated way of doing this.
This step is by design, and of course for Security reasons.

After getting the third-party certificate is complete, SCCM OOB can take ownership of AMT on the clients and use the CA afterwards to manage clients.

Then you must go through the out of band setup requirements for certificates etc. that are specified on TechNet: http://technet.microsoft.com/en-us/library/cc161989.aspx
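
A pre-flight check for the provisioning certificate discussed above, as an added example that is not part of the original post or of SCCM: it reports the key size, whether the Server Authentication and Intel AMT provisioning usages are present, and the root certificate's thumbprint to compare with the hashes in the AMT firmware. The function name and the self-signed sample certificate are constructed for illustration; it assumes PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'                  # Server Authentication EKU
$AmtOid        = '2.16.840.1.113741.1.2.3'            # Intel AMT provisioning EKU
$AmtOu         = 'Intel(R) Client Setup Certificate'  # alternative marker in the subject OU

# Hypothetical helper (not an SCCM cmdlet): summarises what matters for AMT provisioning.
function Test-AmtProvisioningCert {
    param([Parameter(Mandatory)][X509Certificate2]$Cert)

    # Collect every EKU OID carried by the certificate.
    $ekus = @($Cert.Extensions |
        Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    $keyBits = [RSACertificateExtensions]::GetRSAPublicKey($Cert).KeySize

    # Build the chain only to locate the root; trust errors are expected for test certificates.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    [void]$chain.Build($Cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject        = $Cert.Subject
        KeyBits        = $keyBits
        Is2048Bit      = ($keyBits -eq 2048)   # the size recommended in this post
        HasServerAuth  = ($ekus -contains $ServerAuthOid)
        HasAmtMarker   = ($ekus -contains $AmtOid) -or ($Cert.Subject -like "*OU=$AmtOu*")
        RootSubject    = $root.Subject
        RootThumbprint = $root.Thumbprint      # SHA-1 hash to compare with the AMT firmware list
    }
}

# Constructed sample: a throwaway self-signed certificate standing in for the purchased one.
$rsa  = [RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=sccm01.example.test', $rsa,
            [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$oids = [OidCollection]::new()
$ServerAuthOid, $AmtOid | ForEach-Object { [void]$oids.Add([Oid]::new($_)) }
$req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($oids, $false))
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))

Test-AmtProvisioningCert -Cert $sample | Format-List
```

For the real certificate, pass the object from the certificate store (for example an item under `Cert:\LocalMachine\My`) instead of `$sample`.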



 

Some good information and a blog regarding setting up OOB with a third-party certificate.


