Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
The Intel sign-in experience has changed to support enhanced security controls. If you sign in, click here for more information.
2706 Discussions

How to burn the internal certificate thumb print value in Intel vPro Chip



I have Installed and configured SCCM Out of band configuration for Intel vPro Provisioning

To make use of SCCM for Out of band management either I should have any one of the certificates like Versign, Godaddy, Starfield or I should make use of the certificate created by Internal CA.

I need to use the certificate created by Our internal Certificate Authority.

So I want to burn the certificate thumbprint value in Intel vPro Chip.

Any one please help me to do this.

Thanks in Advance,


0 Kudos
6 Replies


To use your own enterprise CA to general the Remote Configuration PKI certificate, first follow the instruction layed out in the BKMK_AMTprovisioning2 Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management TechNet article.

To prepare the AMT client, login to the MEBx by pressing "Ctrl-P" during the client POST.

  1. Once logged in the MEBx, select "Intel(R) AMT Configuration"

  2. Select "Setup and Configuration"

  3. Select "TLS PKI"

  4. Select "Manage Certificate Hashes"

  5. In the "Manage Certificate Hashes" Screen, Press the insert key to add a new certificate

  6. In the "Hash Name" field, enter in something human readable and identifiable

  7. In the "Certificate Hash" field, enter in the thumbprint of your Root CA that the PKI certificate was generated from

To get the thumbprint of you Root CA, open up the Root CA certificate and go to the detail tab. Scroll down the list until you see the thumbprint; this value is your certificate hash.

Please note, that if you perform a full unprovision of the AMT client, the custom certificate hash will be deleted from list and you will need to re-enter it. Some OEMs can provide a service to have your custom certificate hash permanently burned in during the manufacturing process.

--Matt Royer


Hi Miroyer,


Now I am able to burn the thumprint value in vPro chip.

but In SCCM Console,

Still I could see the AMT status as "Detected" and when I look into the amtopmgr.log it was showing following the error msg,

"CAMTDiscoveryWSMAN:DoConnecttoAMTDevice:Failed to establish tcp session to<ipaddress>:16992"

I changed the MEBx pwd and I entered the certificate Thumprint value .

Did the MEBx password change might affect the remote admin password?

Please help in this regard,

Thanks in advance,



The MEBx Account in the "Out of Band Management Properties" is used for 2 purposes.

  • What to set the MEBx account to if it's currently the factory default admin/admin

  • What to try if the MEbx account is not admin/admin

The Provisioning Account allows you to specify the name of the AMT Remote Admin Accounts and its password that have been configured in the firmware for AMT-based computers and can provision these computers. So in a scenario where the amt client remote admin password was set by another ISV or is different then the MEBx password, you can specify a different remote admin account info (admin / <something else>) or another Digest User that has been already been configured in the MEBx firmware.

When SCCM tries to provision a AMT device, the it will use the following attempt order:

  1. User: admin / Password: admin (Factory Default)

  2. User: admin / Password: (what is listed in SCCM MEBx account)

  3. Users and passwords listed in the Provisioning Account

The reason the Provisioning Account is typically not needed is because...

  • In a factory default state, the remote admin password is "admin". Since SCCM knows that it will try and provision with that first

  • The first time you log into and AMT MEBx from a default state, it requires you to change the MEBx password which then set the remote admin (since it was not currently set)

  • If you do a Full unprovision of an AMT client, it set the Remote Admin password to the MEBx password

So in most cases, the password you set in SCCM as the MEBx account works on the second remote admin password try.

--Matt Royer


Hi Matt,

Hope you are well!

I have an enviroment with internal certification authority, SCCM 2007 SP1 installed and configured, clients Dell optiplex 755 provisioned.

I can power off, power on and access web ui, but i have one question:

I have more than 100 clients here, how to burn the internal certificate thumb print value in Intel vPro remotely?

any idea?

thanks a lot.

Mara Silveira



Root certificate hashes can only be configured via the MEBx locally.

Trevor Sullivan

Systems Engineer

OfficeMax Corporation


It *really* needs to be made an option to use an internal CA without having to go through hoops to make it work.

Plus, whats up with changing the OU string and OID business between versions? Reeks of not knowing what you're doing. Seems like massive overhead for something that is just not necessary. If someone is going to hijack an AMT service, they've likely compromised way more of an environment that is far more important.