Yes, you need a 3rd party certificate for provisioning. You can use your own, but it requires you to enter the thumbprint value of your own certificate into the AMT controller. This cannot (to my knowledge) be automated, so you need the 3rd party provisioning certificate to access the AMT controller. After provisioning, you use your own PKI solution.

Basically the AMT firmware only has a few root certificates built in, and in order to provision it, you need a certificate for this. If you shop around, a provisioning certificate can be acquired for a few hundred dollars.

From: [email protected] On Behalf Of John Aubrey
Sent: 05 September 2014 20:19
To: '[email protected]'
Subject: [mssms] RE: Who uses AMT and Out of Band?

I took a look at a nice blog by SCCMGuru and it went step by step on how to set up OOB in SCCM with Intel SCS. My only lingering question is about the cert. I was under the impression that you needed a 3rd party cert, but he creates his own. Is the 3rd party cert still needed?

From: [email protected] On Behalf Of Heine Jeppesen
Sent: Friday, September 5, 2014 8:38 AM
To: [email protected]
Subject: [mssms] RE: Who uses AMT and Out of Band?

I have implemented AMT in a number of places, but it's not just something you do on a Friday afternoon. The PKI stuff is not hard, just follow the many guides for it. But the provisioning support in ConfigMgr leaves something to be desired, to say the least. ConfigMgr also doesn't (officially) support the latest versions of the AMT controller, which can cause provisioning issues. (ConfigMgr 2007 can't provision AMT v9.x machines.) For provisioning, use the Intel SCS tool instead. Easy to set up and easy to use. Then use ConfigMgr to manage the computers.

AMT has some oddities as well. It's not easy to keep the platform running. Let's say a local supporter reinstalls a desktop with a new name. The AMT controller is still provisioned, but with a certificate using the old name. So now accessing it using Kerberos is tricky, until you unprovision it and reprovision it again. This is just not as simple as it could be. Also, remember to keep the AMT controller firmware updated. Updates with security fixes are released more often than you'd think.

But for the purpose of easing administration, I simply love both the good old Wake On LAN and AMT. At one of my customers, where we handle the daily operations, I can wake up approx. 80% of their computers each night to handle patching, deployments etc. (A lot of people tend to leave their laptop in the docking station at night.) Our success rates for patch or software deployments have improved tremendously since I started doing deployments out of business hours.

-Heine

From: [email protected] On Behalf Of John Aubrey
Sent: 04 September 2014 20:25
To: '[email protected]'
Subject: [mssms] Who uses AMT and Out of Band?

We are looking into enabling Out of Band with AMT support in our environment. Does anyone use it? Is it helpful? For the most part we'll be using it to remotely wake up machines and for troubleshooting. It looks like a big setup, but should make things easier for software deployments and the help desk. Most of our PCs do have AMT enabled, so that isn't going to be an issue.

--John
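The Wake On LAN side of the thread above (waking docked machines at night for patching) relies on the standard magic packet: six 0xFF bytes followed by the target MAC repeated sixteen times, sent as a UDP broadcast, with an optional six-byte SecureOn password appended on NICs that support it. The following is an added example and is not code from the mailing-list thread or from Intel SCS or ConfigMgr; it builds and parses such packets and sends them. The sample MAC addresses, the 255.255.255.255 broadcast address and port 9 are assumptions chosen for illustration (some sites use a directed subnet broadcast and port 7 instead).

```python
"""Wake-on-LAN magic packet builder, parser and sender (added example).

Assumptions (not from the thread): sample MACs below are constructed,
the default broadcast address is 255.255.255.255 and the port is UDP/9.
"""
import re
import socket
from typing import Optional

MAGIC_PREFIX = b"\xff" * 6     # synchronisation stream
MAC_REPEATS = 16               # target MAC is repeated 16 times
MAC_LEN = 6
PACKET_LEN = len(MAGIC_PREFIX) + MAC_LEN * MAC_REPEATS        # 102 bytes
SECUREON_PACKET_LEN = PACKET_LEN + MAC_LEN                    # 108 bytes


def parse_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or
    001122334455 and return the six raw bytes; reject anything else."""
    hexstr = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexstr):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return bytes.fromhex(hexstr)


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def build_magic_packet(mac: str, secureon: Optional[str] = None) -> bytes:
    """Build the 102-byte magic packet, or 108 bytes with a SecureOn
    password (which is written in the same 6-byte notation as a MAC)."""
    packet = MAGIC_PREFIX + parse_mac(mac) * MAC_REPEATS
    if secureon is not None:
        packet += parse_mac(secureon)
    return packet


def extract_target_mac(data: bytes) -> Optional[str]:
    """Return the MAC a received datagram would wake, or None if it is
    not a well-formed magic packet (useful when auditing what is being
    broadcast on a subnet)."""
    if len(data) not in (PACKET_LEN, SECUREON_PACKET_LEN):
        return None
    if data[:len(MAGIC_PREFIX)] != MAGIC_PREFIX:
        return None
    mac = data[len(MAGIC_PREFIX):len(MAGIC_PREFIX) + MAC_LEN]
    if data[len(MAGIC_PREFIX):PACKET_LEN] != mac * MAC_REPEATS:
        return None
    return format_mac(mac)


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255",
                      port: int = 9, secureon: Optional[str] = None) -> int:
    """Broadcast one magic packet; returns the number of bytes sent."""
    packet = build_magic_packet(mac, secureon)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


def wake_all(macs, **kwargs) -> int:
    """Wake a list of machines (e.g. a nightly patch window); returns the
    number of packets successfully sent, skipping malformed entries."""
    sent = 0
    for mac in macs:
        try:
            send_magic_packet(mac, **kwargs)
            sent += 1
        except (ValueError, OSError):
            pass
    return sent


if __name__ == "__main__":
    # Constructed sample MAC; prints the packet rather than sending it.
    pkt = build_magic_packet("00:11:22:33:44:55")
    print(len(pkt), pkt.hex())
    print(extract_target_mac(pkt))
```

`send_magic_packet` must run on a host in the same broadcast domain as the targets (or use a directed broadcast that the routers forward); a laptop asleep in a docking station that is wired to the LAN will respond, whereas one on Wi-Fi usually will not, which is one reason the success rate in the thread is "approx. 80%" rather than all machines.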

