Step by Step guide for provisioning Intel VPro clients in SCCM 2007 SP2 Part 4

August 10, 2011 at 1:05 pm in AMT, ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, ConfigMgr2007 R3, Installation, Intel, OOB, out of band management, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, sccm2007, Vpro by Kenny Buntinx [MVP]

This is the last post in the Step by Step guide for provisioning Intel vPro clients in SCCM 2007 SP2 series.

In my previous post I talked about importing the 3rd party Remote Configuration Certificate on the OOB Service Point (in this example we use a certificate from GoDaddy) to provision Intel vPro technology based systems in SCCM: http://scug.be/blogs/sccm/archive/2010/05/06/step-by-step-guide-for-provisioning-intel-vpro-clients-in-sccm-2007-sp2-part-3.aspx

In my previous posts I talked about what OOB is, the OOB requirements and a little bit about the necessary certificates. In this post I will talk about the internal PKI infrastructure and how to configure the OOB management point within SCCM. ConfigMgr 2007 SP2 uses four types of certificates for Out Of Band Management:

  • AMT self-signed certificate – Intel AMT generates a self-signed certificate during the PKI provisioning process to secure the connection with the ConfigMgr 2007 server.
  • AMT provisioning certificate – This certificate is used by ConfigMgr 2007 to provision Intel AMT devices. The simplest and most automated provisioning method is to purchase this certificate from a third-party provider (VeriSign, GoDaddy, Comodo, or Starfield). This certificate needs to be installed on each OOB Service Point in the environment.
  • Web server certificate – This certificate is generated by an internal Enterprise Certificate Authority during the provisioning process and installed in the firmware of each AMT device. It allows a TLS management session between the ConfigMgr 2007 OOB Management console and the AMT firmware.
  • 802.1x RADIUS certificate – Optional certificate that allows the Intel AMT client to securely authenticate to an 802.1x network without the operating system being present.


In our case you will need an internal Certificate Authority and two certificates:

AMT provisioning certificate – in this case the GoDaddy certificate; requesting, installing and preparing the AMT remote configuration certificate was already done in the previous blog post.

Web server certificate – this certificate is requested by the primary site server on behalf of the AMT-based computers and then installed in the AMT firmware of those computers.


To prepare the web server certificate template, follow the steps below:


1. Log on to your issuing Certificate Authority server –> Click Start > All Programs > Administrative Tools > Certification Authority

2. Right Click on Certificate Templates > Manage

3. In the Certificate Templates Console Window, right click on Web Server and select Duplicate Template

4. In the Duplicate Template window, select the radio button for Windows Server 2003 Enterprise Edition and click OK


5. In the Properties of New Template window, enter ConfigMgr AMT Web Server Certificate as the template display name

6. Check the Box to Publish certificate in Active Directory

7. Proceed to next step to set the security rights on this template.


8. Select the Security Tab and click Add

9. Select the security group that contains the ConfigMgr 2007 primary site server computer account and click OK

10. With the ConfigMgr Primary Site Servers group highlighted, check Read and Enroll, then click OK

11. Close the Certificate Templates Console


12. In the Certification Authority Window, right-click on Certificate Templates > New > Certificate Template to Issue

13. In the Enable Certificate Templates Window, select ConfigMgr AMT Web Server Certificate (this template was created in the previous step)

14. Click OK


15. In the Certification Authority Window, you will now see ConfigMgr AMT Web Server Certificate listed in the right hand Window and ready for use by the Out of Band Service Point

Note: This web server template is used by ConfigMgr 2007 SP2 to generate a unique certificate for each Intel AMT system during the provisioning process, and that certificate secures the TLS session during management of the Intel AMT client.
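The following PowerShell check is an added example, not part of the original post: it verifies the three results of steps 1 to 15 (template published in AD, site server group holding Read and Enroll, template enabled for issue on the CA). It assumes the ActiveDirectory RSAT module is installed, that it runs on the CA as an administrator, and that the site server group is named as in $SiteServerGroup.

```powershell
# Added example: verify the ConfigMgr AMT Web Server Certificate template.
# Assumes the ActiveDirectory module (provides the AD: drive) and that this
# runs on the issuing CA with administrative rights.
Import-Module ActiveDirectory

$TemplateName    = 'ConfigMgr AMT Web Server Certificate'
$SiteServerGroup = 'ConfigMgr Primary Site Servers'            # assumed group name
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55' # Certificate-Enrollment extended right
$ReadMask        = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

# 1. Is the template published in Active Directory (step 6)?
$configNC = (Get-ADRootDSE).configurationNamingContext
$tplBase  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tpl = Get-ADObject -SearchBase $tplBase -LDAPFilter "(displayName=$TemplateName)" -Properties displayName
if (-not $tpl) { throw "Template '$TemplateName' is not published in AD" }
Write-Host "Template found: $($tpl.DistinguishedName)"

# 2. Does the site server group hold Read and Enroll on it (steps 8-10)?
$acl      = Get-Acl -Path "AD:\$($tpl.DistinguishedName)"
$grpRules = $acl.Access | Where-Object {
    $_.IdentityReference -like "*\$SiteServerGroup" -and $_.AccessControlType -eq 'Allow'
}
$hasRead   = $grpRules | Where-Object { ($_.ActiveDirectoryRights -band $ReadMask) -eq $ReadMask }
$hasEnroll = $grpRules | Where-Object {
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $_.ObjectType -eq $EnrollRight
}
if (-not $hasRead)   { Write-Warning "$SiteServerGroup lacks Read on the template" }
if (-not $hasEnroll) { Write-Warning "$SiteServerGroup lacks Enroll on the template" }

# 3. Is the template enabled for issue on this CA (steps 12-14)?
# certutil -CATemplates lists every template the CA issues by name and display name.
$caTemplates = certutil -CATemplates 2>&1 | Out-String
if ($caTemplates -match [regex]::Escape($TemplateName)) {
    Write-Host "CA is issuing '$TemplateName'"
} else {
    Write-Warning "CA is not configured to issue '$TemplateName' (step 12)"
}
```

Any warning printed corresponds to a step above that has not taken effect yet; AD replication to the CA's domain controller can delay the template showing up.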


How to Configure OOB service in SCCM


Now that all certificates and permissions are configured and you have the exported *.pfx file (the provisioning certificate with its private key), we will import it into the SCCM Out Of Band Service Point properties and configure the OOB management point.

1. Open SCCM console -> Site Settings -> Component Configuration -> Out Of Band Service Point


2. Create an extra OU in Active Directory where SCCM creates the AMT computer objects. Make sure the ConfigMgr primary site server has permissions on that container to create those objects!

3. Configure the MEBx password that SCCM uses to connect to AMT-based computers. By default this password is admin, but you can change it later on.

4. You could select “Allow out of band provisioning” and “Register ProvisionServer as an alias in DNS”, but this is not necessary if you are only going to provision in-band (through the SCCM client).

5. Configure the provisioning certificate. Here you import the *.PFX file and enter the password you set when exporting it.

6. Configure your web certificate template. Here you select your internal PKI CA and the ConfigMgr AMT Web Server Certificate template.

You can configure all the other tabs as you prefer.
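Before importing the *.PFX file in the Out Of Band Service Point properties, this added PowerShell check (not from the original post) confirms the file carries its private key, is marked as an Intel AMT setup certificate, and chains to a root. The path and password prompt are placeholders; the OID 2.16.840.1.113741.1.2.3 and the OU "Intel(R) Client Setup Certificate" are Intel's published markers for remote configuration certificates.

```powershell
# Added example: sanity-check the AMT provisioning PFX before importing it.
$PfxPath = 'C:\certs\amt-provisioning.pfx'          # placeholder path
$PfxPass = Read-Host -AsSecureString 'PFX password'  # password chosen when exporting the PFX

# Intel remote configuration certificates are identified by this EKU OID
# or by the OU below in the subject.
$AmtSetupOid = '2.16.840.1.113741.1.2.3'
$AmtSetupOu  = 'Intel(R) Client Setup Certificate'

$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPass, $flags)

# The OOB Service Point needs the private key to prove ownership to the AMT firmware.
if (-not $cert.HasPrivateKey) { throw 'PFX has no private key; export it again including the key' }

$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$hasAmtOid = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $AmtSetupOid })
$hasAmtOu  = $cert.Subject -like "*OU=$AmtSetupOu*"
if (-not ($hasAmtOid -or $hasAmtOu)) {
    Write-Warning 'Certificate is not marked as an Intel AMT setup certificate (EKU OID or OU missing)'
}

# The chain must build to the public root (here GoDaddy) that the AMT firmware trusts.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "Chain: $($_.Status) $($_.StatusInformation)" }
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Write-Host "Subject : $($cert.Subject)"
Write-Host "Expires : $($cert.NotAfter)"
Write-Host "Root CA : $($root.Subject) (SHA1 $($root.Thumbprint))"
```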

You will find a good document from Intel with all the steps at www.intel.com/en_US/Assets/PDF/…/cg_MicrosoftConfigMgr_vPro.pdf

Hope it Helps ,


Kenny Buntinx
