Intel® SCS Add-on 2.1 and SC2012 R2 ConfigMgr Integration (RCS Database mode) - Part 1

Active Directory and Certificates preparation for OOB

This part covers the Active Directory configuration and the certificate requirements for out-of-band (OOB) management.

AD Configuration

  1. Create a new OU in Active Directory for the AMT computer objects. Note: if there are several domains, create an OU in each domain.
  2. Create a Universal security group to manage the provisioned AMT computer accounts, for example “SC2012CM R2 AMT Computers”.
  3. Create a user account that will be used for AMT provisioning, for example “CM_AMT”.
  4. The account created on step 3 must be a local administrator on every computer that will be provisioned. We recommend using Group Policy Preferences (GPP) to add that account to the local Administrators group of those computers.
  5. Create a security group that will contain the AMT administrators, for example “SC2012CM R2 AMT Administrators”.
  6. Add the AMT account created on step 3 and the SCCM server computer account to the group created on step 5.
  7. In the security settings of the OU created on step 1, add the group created on step 5 and grant it “Full Control” on the OU.
  8. In the “Security” tab of the group created on step 2, add the AMT administrators group created on step 5 and grant it “Read” and “Write” permissions.
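The eight AD steps above, scripted with the ActiveDirectory module as an added example (this is not the post's own code). The OU, group and account names are the ones the post suggests; the SCCM server name is a placeholder, and the scope of the administrators group, which the post does not specify, is assumed to be Global.

```powershell
# Added example: automates AD Configuration steps 1-3 and 5-8. Run as a domain admin
# on a machine with RSAT. Step 4 (local admin on managed PCs) is done with GPP, not here.
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName      # e.g. DC=contoso,DC=com (current domain)
$ouName     = 'AMT Computers'
$amtUser    = 'CM_AMT'                               # provisioning account (step 3)
$compGroup  = 'SC2012CM R2 AMT Computers'            # provisioned AMT computers (step 2)
$adminGroup = 'SC2012CM R2 AMT Administrators'       # AMT administrators (step 5)
$sccmServer = 'SCCM01'                               # ASSUMPTION: SCCM site server name

# Step 1: OU for the AMT computer objects (repeat per domain if there are several)
$ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDN -PassThru

# Step 2: Universal security group for the provisioned AMT computer accounts
$cg = New-ADGroup -Name $compGroup -GroupScope Universal -GroupCategory Security `
        -Path $ou.DistinguishedName -PassThru

# Step 3: provisioning account; the password is prompted, never stored in the script
$pwd = Read-Host -AsSecureString "Password for $amtUser"
$usr = New-ADUser -Name $amtUser -SamAccountName $amtUser -AccountPassword $pwd `
        -Enabled $true -Path $ou.DistinguishedName -PassThru

# Steps 5-6: administrators group (scope assumed Global) containing CM_AMT and the SCCM server
$ag = New-ADGroup -Name $adminGroup -GroupScope Global -GroupCategory Security `
        -Path $ou.DistinguishedName -PassThru
Add-ADGroupMember -Identity $ag -Members $usr, (Get-ADComputer $sccmServer)

# Steps 7-8: grant the administrators group rights on an AD object via the AD: drive.
# Rights are a System.DirectoryServices.ActiveDirectoryRights flag string.
function Grant-AdRight([string]$dn, [string]$rights) {
    $acl  = Get-Acl -Path "AD:\$dn"
    $args = @(
        $ag.SID,                                                      # who
        [System.DirectoryServices.ActiveDirectoryRights]$rights,      # what
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All  # also child objects
    )
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $args
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}
Grant-AdRight $ou.DistinguishedName 'GenericAll'                 # step 7: Full Control on the OU
Grant-AdRight $cg.DistinguishedName 'GenericRead, GenericWrite'  # step 8: Read + Write on the group
```

Check the result with `(Get-Acl "AD:\$($ou.DistinguishedName)").Access | Where-Object IdentityReference -like "*$adminGroup"` before moving on to the certificate part.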


Certificates requirements

In this blog, we later use a certificate named “AMT Provisioning certificate”. This certificate is issued by our Enterprise CA. In that case, the hash of the Enterprise CA root certificate has to be registered manually on every computer so that it can be managed.

This step can be skipped if a public certificate is used for that purpose, because the PC firmware contains by default the root certificate hashes of all well-known public certificate authorities. If you decide to use a public certificate, we recommend following the procedure in the Intel SCS User Guide to request one.

Prerequisites

1. On the Certificate Services server, grant the AMT account (CM_AMT) the following rights:

  • Issue and Manage Certificates
  • Request Certificates

2. In the properties of the certificate server, go to the “Policy Module” tab, click on “Properties” and verify that “Follow the settings in the certificate template…” is selected.

Creation of the AMT Client Configuration certificate template

  1. From the CA console, right-click on “Certificate Template” and click on “Manage”.
  2. Right-click on “User” and click on “Duplicate Template”.
  3. On the “Compatibility” tab, verify that “Windows Server 2003” is selected for “Certification Authority” and “Windows XP / Server 2003” for “Certificate recipient”.
  4. In the “General” tab, type the template name, select “5 years” as validity period and uncheck “Publish certificate in Active Directory”.
  5. From the “Cryptography” tab, in the “Providers” section, select “Microsoft Strong Cryptographic Provider”.
  6. From the “Subject Name” tab, select “Supply in the request”.
  7. Click “OK” on the warning dialog.
  8. From the “Security” tab, add the “CM_AMT” user account and grant it “Read” and “Write” permissions.
  9. From the “Extensions” tab, select “Application Policies” and click on the “Edit” button.
  10. Click on the “Add” button.
  11. Select “Server Authentication” in the list and click on “OK”.
  12. Click on the “Add” button.
  13. Click on the “New” button.
  14. Type “AMT Local Access” in the “Name” field and “2.16.840.1.113741.1.2.2” in the “Object identifier” field. Click on “OK”.
  15. Click on the “New” button.
  16. Type “AMT Remote Access” in the “Name” field and “2.16.840.1.113741.1.2.1” in the “Object identifier” field. Click on “OK”.
  17. Verify that both “AMT Local Access” and “AMT Remote Access” have been added and click on “OK”.
  18. Click on the “OK” button.
  19. Click on the “OK” button.
  20. From the Certificate Services console, right-click on “Certificate Template”, select “New” and click on “Certificate Template to Issue”.
  21. Select “AMT Client Configuration Certificate” and click on “OK”.
  22. In “Certificate Template”, verify that “AMT Client Configuration Certificate” has been added.


Creation of the AMT Provisioning template

  1. From the CA console, right-click on “Certificate Template” and click on “Manage”.
  2. Right-click on “Web Server” and click on “Duplicate Template”.
  3. On the “Compatibility” tab, verify that “Windows Server 2003” is selected for “Certification Authority” and “Windows XP / Server 2003” for “Certificate recipient”.
  4. In the “General” tab, type the template name, select “5 years” as validity period and uncheck “Publish certificate in Active Directory”.
  5. In case of an Enterprise CA, verify that the template does not require any approval to be issued: from the “Issuance Requirements” tab, verify that “CA certificate manager approval” is unchecked.
  6. From the “Subject Name” tab, select “Build from this Active Directory information” and select “Common name” in the “Subject name format” list.
  7. From the “Extensions” tab, select “Application Policies” and click on the “Edit” button.
  8. Click on the “Add” button.
  9. Click on the “New” button.
  10. Type “AMT Provisioning” in the “Name” field and “2.16.840.1.113741.1.2.3” in the “Object identifier” field. Click on “OK”.
  11. Select “AMT Provisioning” and click “OK”.
  12. Verify that “AMT Provisioning” has been correctly added and click “OK”.
  13. Verify that you have both “AMT Provisioning” and “Server Authentication” in the “Extensions” tab.
  14. From the “Security” tab, select “Domain Admins” and remove the “Enroll” permission.
  15. From the “Security” tab, select “Enterprise Admins” and remove the “Enroll” permission.
  16. From the “Security” tab, add the SCCM server computer account and grant it the “Enroll” permission.
  17. From the “Request Handling” tab, select “Allow private key to be exported” and click “OK”.
  18. From the Certificate Services console, right-click on “Certificate Template”, select “New” and click on “Certificate Template to Issue”.
  19. Select “ConfigMgr 2012 R2 AMT Provisioning” and click “OK”.
  20. In “Certificate Template”, verify that “ConfigMgr 2012 R2 AMT Provisioning” has been added.


Installation of AMT Provisioning certificate

  1. On the Configuration Manager primary site server that manages out of band management, run “mmc” from the Run window.
  2. Click on [File], then on [Add/Remove Snap-in].
  3. Select [Certificates] from the available snap-ins, then click on [Add].
  4. Select [Computer account] and click on [Next].
  5. Select [Local computer: the computer this console is running on] and click on [Finish].
  6. Click on [OK].
  7. From [Console Root]-[Certificates]-[Personal]-[Certificates], click on [Request New Certificate].
  8. Click on [Next] then [Next].
  9. Select [ConfigMgr 2012 R2 AMT Provisioning] and click on [Enroll].
  10. Once the enrollment is done, click on [Finish].
  11. Verify that the new certificate is listed in the console.


Export of AMT Provisioning certificate

  1. On the Configuration Manager primary site server that manages out of band management, run “mmc” from the Run window.
  2. Click on [File], then on [Add/Remove Snap-in].
  3. Select [Certificates] from the available snap-ins, then click on [Add].
  4. Select [Computer account] and click on [Next].
  5. Select [Local computer: the computer this console is running on], click on [Finish] and then on [OK].
  6. From [Console Root]-[Certificates]-[Personal]-[Certificates], select the AMT Provisioning certificate, right-click on it and click on [All Tasks]-[Export].
  7. Click on [Next].
  8. Select [Yes, export the private key], then click [Next].
  9. Select [Personal Information Exchange – PKCS #12 (.PFX)], then check [Include all certificates in the certification path if possible] and [Export all extended properties].
  10. Check [Password], then type a password twice. Click on [Next].
  11. Select a path where to export the certificate and click on [Next].
  12. Click on [Finish] and [OK].
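The installation check and the export above, done from PowerShell on the site server as an added example (not the post's own code). It finds the enrolled certificate by the EKUs the provisioning template carries, shows the root CA whose hash has to be registered in the AMT firmware when an Enterprise CA is used, and exports the PFX with its chain; the export path is an assumption.

```powershell
# Added example: verify the enrolled AMT Provisioning certificate and export it as a PFX.
# Run in an elevated PowerShell on the server where the certificate was enrolled.
$amtProvisioningOid = '2.16.840.1.113741.1.2.3'   # "AMT Provisioning" application policy (template step 10)
$serverAuthOid      = '1.3.6.1.5.5.7.3.1'         # Server Authentication, inherited from "Web Server"
$pfxPath            = 'C:\Temp\AMT-Provisioning.pfx'   # ASSUMPTION: export destination

# Pick the newest computer certificate that has a private key and both application policies
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $amtProvisioningOid) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw 'No certificate with the AMT Provisioning and Server Authentication EKUs and a private key was found.'
}
# The template builds the subject from AD (Common name), so this should be the site server's name
"Subject    : $($cert.Subject)"
"Expires    : $($cert.NotAfter)"
"Thumbprint : $($cert.Thumbprint)"

# Build the chain to find the issuing root. With an Enterprise CA, this root's hash is what
# must be registered in every managed PC's firmware ("Certificates requirements" above).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    throw 'The certificate chain does not build to a trusted root on this server.'
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Root CA    : $($root.Subject)"
"Root SHA-1 : $($root.Thumbprint)"   # hash to register in the AMT firmware trust list

# Export with the private key and the full chain (the MMC wizard's PKCS #12 options).
# Requires "Allow private key to be exported" on the template (template step 17).
$pfxPassword = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null
"Exported   : $pfxPath"
```

Protect the exported PFX like any private key: it is only needed to import the certificate into the account used by the RCS service, and should be deleted once that import is done.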

Comments

  • Anonymous
    May 26, 2015
    Hey Andrew! I was quite busy but just uploaded Part 2. Part 3 is coming in the next 2 days. Hope it helps.

  • Anonymous
    May 27, 2015
    Is it possible to remote configure a workstation when using a local CA cert?

  • Anonymous
    May 27, 2015
    Yes it is possible. If you're using a local CA cert, you have to follow the steps described in "Adding Enterprise Root CA certificate thumbprint into AMT computers" in the part 6 of that article ;)

  • Anonymous
    June 25, 2015
    Instead of using the CM_AMT, could the computer account of the SCCM primary site server be used, if it and Intel SCS are installed on the same system?

  • Anonymous
    September 03, 2015
    We have the OOB Service Point and Enrollment Point on one server and the SCCM Primary on a different server. In that case:

    1. Should both computer accounts have permissions on the certificate, or only the primary site server?
    2. On which of these two servers should the AMT Provisioning certificate be installed?

  • Anonymous
    September 10, 2015
    @Divya if you follow the different parts of my article, you will see that you need that AMT provisioning certificate in 3 different places: RCS server, Enrollment Point and OOB Service Point. In part 1, we export the certificate in PFX format because we need later to import that certificate to the network service account used by the RCS Server. In your case, you need to install the AMT Provisioning certificate on your 3 servers: RCS Server, Enrollment Point and OOB Service Point. Thus you need to grant the "enroll" permission to those 3 servers. Finally, you only need to export the certificate installed on the RCS Server, in order to re-import it to the network service account.