The first thing I'd have you do is run the SCS Discovery tool - this will show you what you have (and send the xml file if you need more assistance.)How to run the SCS Discovery Tool

Thanks very much for the reply. That does help a bit.

As for the version of AMT, it is 5.2.40.1037

I prefer DHCP as well (for the AMT portion), but my point was, with the recommendations of various experts, they all seem to be saying:

1) Host Name (i.e., name of computer) = MyComputer.abc.com (static ip 10.1.2.19, for example)
2) AMT Name = MyComputer.abc.com (dchp - random ip)
In that scenario, we will have TWO instances of an identicalDNS name pointing to two separate IPs - how does that work?

So, if I ping MyComputer.abc.com - WHICH one would it ping? Wouldn't that be some sort of conflict?

Upon reading some more docs, I think on Intel's site, it mentions to give the same name to the AMT host as to the machine itself; and something about "the software or firmware may change the name(?)"

So, does that make sense? It's just very confusing to have a recommendation that TWO ip addresses should point to the same DNS name, without any further explanation as to WHY that is not a bad idea.

Can you send me the links that you are referring to regarding recommendation about having two ip address pointing to the same DNS name? That sounds wrong. With DHCP you the ME should take the same IP address as the host OS (see the Link Preference portion of the SDK.) At one point it was OK to have a static host but a dhcp ME but I don't think that is supported anymore, at least not on the later revs. Meanwhile I will see what I can dig up on the 5.2 AMT release requirements.

No, as far as I know, there is no restriction on using static.
It would be impossible to offer this type of thing 'without' static as an option, due to military, security-centric places; etc. Some folks (us included) just do NOT use DHCP - not for our hosts anyway.

Still supported are:
1) Host=Static, while AMT=DHCP.
2) Host=Static, while AMT [also] = static.

Another question - I am on 2008 Server R2, but in all examples for requesting a cert, I see they say, "Choose Windows 2003 Enterprise." First off, I don't have "Enterprise" version of o/s - not for these servers.
Secondly, does it have to be choosen and Windows 2003, or can I go ahead and choose Windows 2008 as the "type of cert?"

Thanks again!

This paper about creating certificates might be of some use to you. Bascially, if you have a system where you have already enabled AMT, you can apply TLS authentication after the fact. This paper shows you how you can create a certificate using OpenSSL and the AMT SDK and then how to install it using PowerShell. If you are trying to use a Windows cert, then you would need an OS that can operate as a Certificate Authority.

Thanks again for the continued invaluable information.

We defininitely want to use DHCP for the AMT side. We use static for our Hosts - so, we don't really have a choice on that.

I definitely am using Windows certs (currently) - have used some OpenSSL in the past. I have my CA setup, already submitted one request and generated the cert, installed it, etc.

BUT, in the typical examples, it shows the Intel-AMT cert as having 2 'purposes' listed - one for 'Ensures the identity of a remote computer' and one for 'Proves your identity to aremote computer'; but when I generate one from my Internal CA, it has only 'one purpose' listed - 'Ensures the identity of a remote computer'

Thoughts? Has anyone used their own certs successfully for the provisioning part? I don't mind entering the thumbprint into BIOS as needed but I just want to make sure I generate/create the cert requests and certs properly. Thanks!

It sounds to me that ensuring and proving is the same thing. Here is a blog that talks about provisioning certs - this might helpe you a little bit, but I'm pretty sure I had a blog that addressed creating your own - I have done this as well and got it to work. It still requires the OU field to be set correctly, Option 15, the FQDN - so this blog might be helpful. (I'm going to look for more info on creating your own provisioning cert.)

Thanks greatly! I am reading those now, and have read the MickySoft article on "how to" and it mentions using "your own" - but it says, in order to do the "Duplicate" and create the "AMT Custom provisioning template," you have to have 2003 Server 'Enterprise' version - so that puts a kink in things.
But I swear I saw someone who said they were able to do it with 2003 Standard.
We really have 2008 R2 Standard, but it still applies. Here's the article about needing 'Enterprise' version:
(steps 19 & 20 , and the related 'yellow note.')
http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning2
Also,I don't recall any specs mentioning if the Cert has to be V1, V2 or V3, which also makes a difference, apparently.
And a note on another article that says now Godaddy supports the AMT provisioning certs via its 'Standard' certs, so you don't have to shell out the extra bucks for the "Premium SSL Cert."
Also: http://technet.microsoft.com/en-us/library/cc700804.aspx
It mentions the "must-have" Enterprise version of o/s. Ugh!

That is an excellent article - I have only used the Enterprise Windows versions and it has always worked for me. So it sounds like either you upgrade or you look into GoDaddy. It's too bad you can't use the Host Based Provisioning method that was available starting with AMT 6.2 (push down a script, run it and you're provisioned.)

FYI, also, here are the 1-4 steps I found that also show, specifically from Godaddy, the cert having the 2 purposes and the OID # 2.16.840.1.114413.1.7.23.2

http://scug.be/blogs/sccm/archive/2010/05/06/step-by-step-guide-for-provisioning-intel-vpro-clients-in-sccm-2007-sp2-part-1.aspx

http://scug.be/blogs/sccm/archive/2010/05/06/step-by-step-guide-for-provisioning-intel-vpro-clients-in-sccm-2007-sp2-part-2.aspx

http://scug.be/blogs/sccm/archive/2010/05/06/step-by-step-guide-for-provisioning-intel-vpro-clients-in-sccm-2007-sp2-part-3.aspx

http://scug.be/blogs/sccm/archive/2010/05/06/step-by-step-guide-for-provisioning-intel-vpro-clients-in-sccm-2007-sp2-part-4.aspx

If someone can screen-shot or verify it does NOT need to have the 2 purposes, and so forth, and that they got it working with 2003/2008 NON-Enterprise (i.e., Standard - LOL) version, that would be good.

I don't think we have any more 2003 Enterpriseservers left around - even if we did, I would need to move my CA to that server, and I'm not doing that. We do have some 2008 versions, but I'm not moving my CA just to get 'one or two' minor features that, imo, already should be allowed in 2008 R2 Standard!
Again: UGH!

Yeah, but 'host-based' is the "light/broken" version - it doesn't allow the remote KVM functionality, where I can re-direct the person's screen and remotely boot, while being like I'm right there at the"console."

I think that's the difference that I was remembering.

Few people realize that you can "move" a system in Client Control mode over to Admin Control Mode after AMT is enabled. I think the DTK offers this as soon as you connect to the system. Once an AMT system is enabled, and it can be in the most primative, basic configuration, you can modify it's configuration via the APIs or the powershell scripts that are included in the SDK. You can even apply TLS authentication once AMT is enabled. It doesn't all have to happen while running the Intel SCS tool.

As you can see, when you contact port 16992 on the local computer, the traffic is just captured byLMS and forwarded to AMT using a driver. It's not going thru the network at all. Also, network configuration on AMT will not affect the HECI driver or LMS.