Rocket Man

SCCM 2012 Power Management

Question

I have just started thinking about configuring power management on SCCM 2012. When I enable WOL it states that I need to add an out of band service point before I can use WOL fully. When enabling Out of band I get so far then it looks for a certificate? If I browse there are 2 certificates to choose from, a sql cert and another cert that I have no idea what its purpose is.

 

Does anyone know much about this?

Do I have to purchase a certificate or is there a built in certificate in CM2012 ready to be used?

 

Thanks

 

Rocket Man


2 answers to this question


Have you looked at the following yet?

 

What you are interested in is actually Out Of Band Management

 

Deploying the Certificates for AMT - http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_AMT2008_cm2012

 

 

This certificate deployment has the following procedures:

  • Creating, Issuing, and Installing the AMT provisioning certificate
  • Creating and Issuing the Web Server Certificate for AMT-Based Computers
  • Creating and Issuing the Client Authentication Certificates for 802.1X AMT-Based Computers

 

Creating, Issuing, and Installing the AMT Provisioning Certificate

 

 

Create the provisioning certificate with your internal CA when the AMT-based computers are configured with the certificate thumbprint of your internal root CA. When this is not the case and you must use an external certification authority, use the instructions from the company issuing the AMT provisioning certificate, which will often involve requesting the certificate from the company’s public Web site. You might also find detailed instructions for your chosen external CA on the Intel vPro Expert Center: Microsoft vPro Manageability Web site (http://go.microsoft.com/fwlink/?LinkId=132001).

Important: External CAs might not support the Intel AMT provisioning object identifier. When this is the case, use the alternative method of supplying the OU attribute of Intel® Client Setup Certificate.

When you request an AMT provisioning certificate from an external CA, install the certificate into the Computer Personal certificate store on the member server that will host the out of band service point.

 

To request and issue the AMT provisioning certificate


  1. Create a security group that contains the computer accounts of site system servers that will run the out of band service point.

  2. On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates console.

  3. In the results pane, right-click the entry that displays Web Server in the Template Display Name column, and then click Duplicate Template.

  4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.
    Important: Do not select Windows 2008 Server, Enterprise Edition.

  5. In the Properties of New Template dialog box, on the General tab, enter a template name for the AMT provisioning certificate template, such as ConfigMgr AMT Provisioning.

  6. Click the Subject Name tab, select Build from this Active Directory information, and then select Common name.

  7. Click the Extensions tab, make sure Application Policies is selected, and then click Edit.

  8. In the Edit Application Policies Extension dialog box, click Add.

  9. In the Add Application Policy dialog box, click New.

  10. In the New Application Policy dialog box, type AMT Provisioning in the Name field, and then type the following number for the Object identifier: 2.16.840.1.113741.1.2.3.

  11. Click OK, and then click OK in the Add Application Policy dialog box.

  12. Click OK in the Edit Application Policies Extension dialog box.

  13. In the Properties of New Template dialog box, you should now see the following listed as the Application Policies description: Server Authentication and AMT Provisioning.

  14. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.

  15. Click Add, enter the name of a security group that contains the computer account for the out of band service point site system role, and then click OK.

  16. Select the Enroll permission for this group, and do not clear the Read permission.

  17. Click OK, and close the Certificate Templates console.

  18. In Certification Authority, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  19. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr AMT Provisioning, and then click OK.
    Note: If you cannot complete steps 18 or 19, check that you are using the Enterprise Edition of Windows Server 2008. Although you can configure templates with Windows Server Standard Edition and Certificate Services, you cannot deploy certificates using modified certificate templates unless you are using the Enterprise Edition of Windows Server 2008.

  20. Do not close Certification Authority.

The AMT provisioning certificate from your internal CA is now ready to be installed on the out of band service point computer.

 

To install the AMT provisioning certificate


  1. Restart the member server that runs IIS, to ensure it can access the certificate template with the configured permission.

  2. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.

  3. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.

  4. In the Certificate snap-in dialog box, select Computer account, and then click Next.

  5. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish.

  6. In the Add or Remove Snap-ins dialog box, click OK.

  7. In the console, expand Certificates (Local Computer), and then click Personal.

  8. Right-click Certificates, click All Tasks, and then click Request New Certificate.

  9. On the Before You Begin page, click Next.

  10. If you see the Select Certificate Enrollment Policy page, click Next.

  11. On the Request Certificates page, select AMT Provisioning from the list of displayed certificates, and then click Enroll.

  12. On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish.

  13. Close Certificates (Local Computer).

The AMT provisioning certificate from your internal CA is now installed and is ready to be selected in the out of band service point properties.

 

Creating and Issuing the Web Server Certificate for AMT-Based Computers

 

Use the following procedure to prepare the web server certificates for AMT-based computers.

 

To create and issue the Web server certificate template


  1. Create an empty security group to contain the AMT computer accounts that System Center 2012 Configuration Manager creates during AMT provisioning.

  2. On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates console.

  3. In the results pane, right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template.

  4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.
    Important: Do not select Windows 2008 Server, Enterprise Edition.

  5. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the web certificates that will be used for out of band management on AMT computers, such as ConfigMgr AMT Web Server Certificate.

  6. Click the Subject Name tab, click Build from this Active Directory information, select Common name for the Subject name format, and then clear User principal name (UPN) for the alternative subject name.

  7. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.

  8. Click Add and enter the name of the security group that you created for AMT provisioning. Then click OK.

  9. Select the following Allow permissions for this security group: Read and Enroll.

  10. Click OK, and close the Certificate Templates console.

  11. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  12. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr AMT Web Server Certificate, and then click OK.

  13. If you do not have to create and issue any more certificates, close Certification Authority.

The AMT Web server template is now ready to provision AMT-based computers with web server certificates. Select this certificate template in the out of band management component properties.

 

Creating and Issuing the Client Authentication Certificates for 802.1X AMT-Based Computers

 

Use the following procedure if AMT-based computers will use client certificates for 802.1X authenticated wired or wireless networks.

 

To create and issue the client authentication certificate template on the CA


  1. On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates console.

  2. In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template.
    Important: Do not select Windows 2008 Server, Enterprise Edition.

  3. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client certificates that will be used for out of band management on AMT computers, such as ConfigMgr AMT 802.1X Client Authentication Certificate.

  4. Click the Subject Name tab, click Build from this Active Directory information and select Common name for the Subject name format. Clear DNS name for the alternative subject name, and then select User principal name (UPN).

  5. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.

  6. Click Add and enter the name of the security group that you will specify in the out of band management component properties, to contain the computer accounts of the AMT-based computers. Then click OK.

  7. Select the following Allow permissions for this security group: Read and Enroll.

  8. Click OK, and close the Certificate Templates management console, certtmpl – [Certificate Templates].

  9. In the Certification Authority management console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  10. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr AMT 802.1X Client Authentication Certificate, and then click OK.

  11. If you do not need to create and issue any more certificates, close Certification Authority.

The client authentication certificate template is now ready to issue certificates to AMT-based computers that can be used for 802.1X client authentication. Select this certificate template in the out of band management component properties.
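
To confirm which certificate in the Computer Personal store is the one the out of band service point should use, the check below can be run on that server. It is an added example, not part of the original post or the quoted TechNet procedure; the function name `Test-AmtProvisioningCertificate` and the ASCII spelling of the OU value are assumptions, and it requires PowerShell 3.0 or later.

```powershell
# Added example: report which certificates in LocalMachine\My carry the
# AMT provisioning markers described in the procedure above.
$AmtProvisioningOid = '2.16.840.1.113741.1.2.3'  # OID entered in step 10 of the template procedure
$ServerAuthOid      = '1.3.6.1.5.5.7.3.1'        # Server Authentication (standard EKU OID)
# Assumption: ASCII spelling of the OU an external CA sets when it cannot issue the OID.
$IntelSetupOu       = 'OU=Intel(R) Client Setup Certificate'

function Test-AmtProvisioningCertificate {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Collect every EKU OID from the certificate's Enhanced Key Usage extension.
        $ekuOids = @()
        foreach ($ext in $Certificate.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
            }
        }

        # Which provisioning marker, if any, does this certificate carry?
        $marker = 'None'
        if ($ekuOids -contains $AmtProvisioningOid)            { $marker = 'OID' }
        elseif ($Certificate.Subject -like "*$IntelSetupOu*")  { $marker = 'OU' }

        $now = Get-Date
        [pscustomobject]@{
            Subject       = $Certificate.Subject
            Thumbprint    = $Certificate.Thumbprint
            Marker        = $marker
            ServerAuth    = ($ekuOids -contains $ServerAuthOid)
            HasPrivateKey = $Certificate.HasPrivateKey
            InValidity    = ($now -ge $Certificate.NotBefore -and $now -le $Certificate.NotAfter)
        }
    }
}

# Audit the store the procedure installs into (run elevated on the service point server).
Get-ChildItem Cert:\LocalMachine\My |
    Test-AmtProvisioningCertificate |
    Format-Table -AutoSize
```

A certificate issued from the internal template described above should show `Marker = OID` with `ServerAuth`, `HasPrivateKey` and `InValidity` all true; a SQL or other unrelated certificate in the same store shows `Marker = None`.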
