We had tested Intel AMT provisioning using SCCM 2007 SP1 earlier. For the test we used a private certificate. I entered the hash manually in the client and AMT provisioning was working fine. Now we purchased the certificate from Verisign and installed it in SCCM OOB. Now I unprovision the client and try to provision it again, and the client log (oobmgmt.log) gives an error "Failed to call checkcertificate provider method,80041001". The certificate that we purchased from Verisign has a different root hash than what we have built into the AMT BIOS of the clients. It's like doing it with a private certificate. I installed the proper root and intermediate certificates that I got from Verisign but I still cannot. Just for testing I manually entered the root hash in the client and the client was provisioned. BUT the client log said device provisioned successfully. The AMT log on the server said provisioning successful, but I was not able to connect to the client using OOB or Power control. If I don't include the certificate hash in the client device manually, it fails. I am attaching a log for your info. I am not sure if it is an issue with the Verisign certificate or our web server certificate. I verified in the local CA that a certificate was issued to the client which was provisioned.
I'd suggest starting with this article from Buz Brodin at Microsoft.
It's my understanding that Verisign changed their root CA certificate a few months back. Any certificates obtained after that point in time have a mismatching hash with the ones embedded in the AMT firmware. Terry Cutler talks about this situation in this article:
It would probably be desirable to update your systems to the latest AMT firmware, in order to ensure that the appropriate hashes are available. I don't know if any OEMs actually followed through with the G2 update or not, but it's worth checking on.
Thanks for your reply. So in my case, if I understand correctly, I should request Verisign to reissue the certificate with a root hash of G1 premium which matches the root hashes in the Intel vPro machines. I will contact Verisign and update accordingly. This might be a common problem and I was curious to know what other people are doing about this.
That is my understanding, yes. Back when I was at my last company, I had requested a Verisign certificate prior to the changeover to G2 certs, so these days, I typically recommend that people use GoDaddy, since they're more consistent.
I just noticed that Steve Davies with Intel just recently updated a document on the vPro Expert Center. Please review the last page of this document for information on default certificate hashes:
Hope this helps!
We had to return the server certificate to Verisign and request a new Secure Site Pro certificate which has a root hash matching the hash on the Intel vPro machines.
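
Added example, not part of the thread above: a Python check for the mismatch discussed here, comparing the root of a CA-issued chain against the hashes held in AMT firmware before provisioning is attempted. It assumes the firmware hash is the SHA-1 fingerprint of the DER-encoded root certificate and that the root is the last certificate in the PEM bundle; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def normalize(h):
    """Reduce 'AB:CD EF' style entries to bare lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", h.lower())

def thumbprints(pem_bundle):
    """SHA-1 fingerprint of each certificate's DER bytes, in bundle order."""
    return [hashlib.sha1(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()
            for pem in PEM_RE.findall(pem_bundle)]

def check_chain(pem_bundle, firmware_hashes):
    """Return (root_fingerprint, trusted); root assumed last in the bundle."""
    fps = thumbprints(pem_bundle)
    if not fps:
        raise ValueError("no certificates found in bundle")
    trusted = {normalize(h) for h in firmware_hashes}
    return fps[-1], fps[-1] in trusted

# Constructed stand-ins for DER bytes; these are not real certificates.
OLD_ROOT = b"constructed root already listed in firmware"
NEW_ROOT = b"constructed root issued after the CA changeover"

def make_bundle(root_der):
    """Build a leaf + intermediate + root PEM bundle from stand-in bytes."""
    ders = [b"constructed leaf", b"constructed intermediate", root_der]
    return "".join(ssl.DER_cert_to_PEM_cert(d) for d in ders)

# Constructed firmware entry, uppercase and colon separated to exercise
# normalize(); a real list would be copied from the device's hash table.
_hex = hashlib.sha1(OLD_ROOT).hexdigest().upper()
FIRMWARE_HASHES = [":".join(_hex[i:i + 2] for i in range(0, 40, 2))]

if __name__ == "__main__":
    for label, root in (("new root", NEW_ROOT), ("old root", OLD_ROOT)):
        fp, ok = check_chain(make_bundle(root), FIRMWARE_HASHES)
        print(f"{label}: {fp} -> {'match' if ok else 'NOT in firmware list'}")
```

With a real chain, pass the PEM bundle supplied by the CA and the hash list read from the device; a `False` result before provisioning corresponds to the mismatch described in this thread.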