Introducing: Out of Band Management in Configuration Manager 2007 SP1

While you’ve been getting to grips with the new features and options in Configuration Manager, I’ve been busy learning about yet another great feature coming out in SP1 – out of band management.  "Out of band" here means management below the operating system layer - you can manage computers even in the following scenarios:

  • The Configuration Manager client isn’t installed.

  • The computer stops responding – perhaps the disk is corrupt or the operating system has hung.

  • The computer does not have an operating system installed.

  • The computer is turned off.

That’s pretty powerful!  You can see how it’s ideally suited to extreme troubleshooting scenarios, but being able to power up computers also helps with routine maintenance tasks such as reconfiguration and upgrades, not to mention catching those last few computers that are preventing you from achieving your compliance levels for security updates.


Powering up computers with out of band management isn’t the same as traditional Wake On LAN technology that uses UDP “send and hope for the best” datagrams.  Instead, it uses an established transport session for a more reliable and controlled communication.  However, this can come at the cost of additional processing and time, so for scheduled wake-up activities you have the option of using traditional wake-up packets, or out of band management - or a mixture of the two whereby the UDP wake-up packets are sent only to computers that can’t support out of band management, and the established session is used for computers that do support out of band management.


Some of the out of band management tasks are initiated with a right-click option from the Configuration Manager console (for example, you can power up multiple computers in a collection), while others use a separate console called the Out of Band Management Console. You can run this with a right-click action from the Configuration Manager console, or you can run it separately from a command line.  It’s a nice-looking console and has been very popular with customers at demos!


Interested?  There are some important prerequisites, such as PKI certificates and the computers must have Intel vPro Technology or Intel Centrino Pro Technology, with AMT (Active Management Technology) v3.2.


Our beta release is due soon, so here’s some more information from the following two topics:

  • Overview of Out of Band Management

  • Prerequisites for Out of Band Management


... and yes, there is a step-by-step for the certificate deployment!



Overview of Out of Band Management


Out of band management in Configuration Manager 2007 SP1 provides powerful management control for computers that have the Intel vPro chip set and Intel Active Management Technology (Intel AMT) firmware versions 3.2 or later.

Out of band management allows an administrator to connect to a computer's management controller when the computer is turned off, in sleep or hibernate modes, or otherwise unresponsive through the operating system. By way of contrast, in-band management is the classic approach used by Configuration Manager and its predecessors whereby an agent runs in the full operating system on the managed computer and the management controller accomplishes tasks by communicating with the management agent.

Out of band management supplements in-band management. While in-band management supports a wider range of operations because its environment is the full operating system, in-band management might not be functional if the operating system is not present or is not operational. In these situations, the supplementary capabilities of out of band management allow administrators to manage these computers without requiring local access to the computer.

 Out of band management tasks include the following:

  • Powering on one or many computers (for example, for maintenance on computers outside business hours).

  • Powering off one or many computers (for example, the operating system stops responding).

  • Restarting a nonfunctioning computer or booting from a locally connected device or known good boot image file.

  • Re-imaging a computer by booting from a boot image file that is located on the network or by using a PXE server.

  • Reconfiguring the BIOS settings on a selected computer (and bypassing the BIOS password if this is supported by the BIOS manufacturer).

  • Booting to a command-based operating system to run commands, repair utilities, or diagnostic applications (for example, upgrading the firmware or running a disk repair utility).

  • Configuring scheduled software update deployments and advertisements to wake up computers prior to running.

Some of the preceding tasks are performed from the Configuration Manager console, while others require running the out of band management console that is supplied with Configuration Manager 2007 SP1. Out of band management uses Windows remote management technology (WS-MAN) to connect to the management controller on a computer.


The following outlines the new options and features that out of band management provides in Configuration Manager 2007 SP1.


Security-based management

Out of band management integrates with an in-house public key infrastructure (PKI), using the following certificates:

·         A provisioning certificate that is installed on the out of band service point that allows computers to be configured for out of band management.

·         A Web server certificate that is installed on each computer that will be managed out of band so that communication is authenticated and is encrypted using Transport Layer Security (TLS).

Administrators must be authenticated using Kerberos before they can manage computers out of band, and out of band management activity is recorded and auditable.


AMT provisioning

Enables and configures AMT-based computers for out of band management. Supported scenarios include the following:

·         Automatic provisioning out of band for new computers that do not have the Configuration Manager 2007 SP1 client installed.

·         Automatic provisioning in-band for computers running the Configuration Manager 2007 SP1 client.


Enhanced inventory data

Provides hardware inventory data from the AMT chip, such as asset tag, BIOS UUID, power state, processor, memory, and drive information.


Enhanced network discovery method

Identifies computers with a management controller and its provisioning status. This information can be used to build query-based collections to group computers for out of band management activities, such as provisioning and power control.


Power control

Enables power on, power off, and restart capabilities for a single computer or selected computers in a collection. Computers can also be woken up by scheduled mandatory advertisements and software update deployments with a deadline.


Out of band management console

A dedicated management console that is run from the Configuration Manager console to initiate out of band management tasks, including IDE redirection and serial-over-LAN sessions.


IDE redirection

Enables the computer to boot from a boot image file or locally connected device rather than from its disk IDE interface. This is useful for diagnosing, repairing, or imaging a hard drive.


Serial over LAN

Serial-over-LAN technology encapsulates the data from a virtual serial port and sends it over the existing network connection established by the out of band management console. This allows you to run a terminal emulation session for the managed computer, in which you can run commands and character-based applications. For example, this might include reconfiguring the BIOS or, working in conjunction with IDE redirection, you can update the firmware or run diagnostic utilities.


Dependencies External to Configuration Manager 2007

·         A Microsoft enterprise certification authority (CA) with certificate templates to deploy and manage the certificates required for out of band management.

·         Desktop computers with Intel vPro Technology or Intel Centrino Pro Technology, Intel AMT version 3.2 or later and the latest Intel HECI driver.

·         You must create and configure with the correct security permissions an Active Directory container into which the AMT-based computers will be published. Note: It is not necessary to extend the Active Directory schema for out of band management.

·         If you will provision new computers for AMT without the Configuration Manager 2007 SP1 client installed, you might need DNS servers that resolve the host name of ProvisionServer to the IP address of the out of band service point site system server and a DHCP server with an active scope.

·         Windows Remote Management (WinRM) must be installed on each site system server that hosts the out of band service point role, and any computer that runs a remote Configuration Manager console.

·         If the out of band service point site system role is installed on Windows Server 2003, this requires Windows Server 2003 Service Pack 2 or later. If you are running Windows Server 2003 Service Pack 2, this requires that the following hotfix is also installed: QFE 942841.

·         Computers that will be managed out of band must belong to the site server's Active Directory forest.

·         Intervening network devices such as routers and firewalls must allow the traffic associated with out of band management activity.

·         Full IPsec environments are not supported.


Configuration Manager 2007 Dependencies

·         The site must be running Configuration Manager 2007 SP1 and have installed the out of band service point.

·         If you will provision computers for AMT with the Configuration Manager client, computers must have the Configuration Manager 2007 SP1 client installed.

·         If you will use network discovery to identify computers with management controllers, you must first install the out of band service point and configure the AMT provisioning account.



There’s a lot more information available with beta 1, including an administrator checklist, configuring topics, procedural how-to topics, the step-by-step for certificate deployment, and a list of log files for verification and troubleshooting.  Unfortunately, some of the how-to topics and the F1 help won’t quite match what you see in beta 1 because it’s written for UI changes that didn’t make it for beta 1.  Sometimes the UI options will have a slightly different name, and might be in a different dialog box, but you can probably work it out. Reference the accompanying release notes for more information.




- Carol Bailey


This posting is provided “AS IS” with no warranties and confers no rights.


Skip to main content