AMT Provisioning issue

idata · ‎12-05-2009

We had tested intel amt provisioning using sccm 2007 sp1 earlier. for the test we used a private certificate for testing. i entered the hash manually int eh client and amt provisioning was working fine. now we purchased the certificate from veresign and installed it in sccm OOB. now i unprovision the client and try to provision it again and on the lientlog (oobmgmt.log) it gives an error " Failed to call checkcertificate provider method,80041001". the certificate that we purchased from veresign has a different root hash than what we have built in in the amt bios of the clients. its like doig it with a private certificate. i installed the proper root, intermediate certificated that i got from veresign but still cannot. juts for testing i manually entered the rooot hash in the client and the client was provisioned. BUT the client log said device provisioned successfully. amt log in the server said provisioning successfull but i was not able to connect to the client using OOB or Power control. if i dont include the certificate hash in the client device manually if fails. i am attaching a log for your info. i am not sure if it is an issue with the veresign certificate or our web server certificate. i verefied in the local CA that a certificate was issued to the client which was provisioned.

idata · ‎12-05-2009

I'd suggest starting with this article from Buz Brodin at Microsoft.

http://blogs.technet.com/configurationmgr/archive/2009/04/30/configmgr-2007-amt-provisioning-error-hash-list-of-amt-device-doesn-t-contain-our-provision-server-certificate-hash.aspx http://blogs.technet.com/configurationmgr/archive/2009/04/30/configmgr-2007-amt-provisioning-error-hash-list-of-amt-device-doesn-t-contain-our-provision-server-certificate-hash.aspx

It's my understanding that Verisign changed their root CA certificate a few months back. Any certificates obtained after that point in time have a mismatching hash with the ones embedded in the AMT firmware. Terry Cutler talks about this situation in this article:

/community/openportit/vproexpert/activation/blog/2009/05/22/how-does-the-verisign-root-certificate-change-affect-intel-vpro http://communities.intel.com/community/openportit/vproexpert/activation/blog/2009/05/22/how-does-the-verisign-root-certificate-change-affect-intel-vpro

It would probably be desirable to update your systems to the latest AMT firmware, in order to ensure that the appropriate hashes are available. I don't know if any OEMs actually followed through with the G2 update or not, but it's worth checking on.

Cheers,

Trevor Sullivan

idata · ‎12-07-2009

Thanks for your reply. So in my case if i understand correctly i should request Verisign to reissue the certificate wit a root hash of G1 premium which matches the root hashes in the intel vpro machines. i will contact verisign and update accordingly. this might be a common problem and was curios to know ehat other people are doain about this.

idata · ‎12-07-2009

That is my understanding, yes. Back when I was at my last company, I had requested a Verisign certificate prior to the changeover to G2 certs, so these days, I typically recommend that people use Godaddy, since they're more consistent.

Cheers,

Trevor Sullivan

idata · ‎12-08-2009

I just noticed that Steve Davies with Intel just recently updated a document on the vPro Expert Center. Please review the last page of this document for information on default certificate hashes:

/docs/DOC-2110 http://communities.intel.com/docs/DOC-2110

Hope this helps!

Cheers,

Trevor Sullivan

idata · ‎12-29-2009

WE had to return the server certificate to verisign and request for a new secure site pro certificate which has a root hash maching the hash on the intel vpro machines.