Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
The Intel sign-in experience has changed to support enhanced security controls. If you sign in, click here for more information.
2702 Discussions

I am new to vPro & when i was provisioning AMT on a device I got these errors.


Exit with code 33. Details: Failed to configure this Intel(R) AMT device. Initial connection to the Intel(R) AMT device failed. A valid PKI certificate was not found in Certificate Store of the user running the Remote Configuration Service.

Error: Host-based configuration is not currently available because the Local Manageability Service (LMS.exe) is not running on the system.

I know that inorder to provision a device i should have have LMS installed & running. But what is the other error about?

Thanks in advance

0 Kudos
4 Replies
Valued Contributor III

You need to have a valid public certificate, from supported by Intel CA, to authorize on remote machines. Read example doc of how to achive that, also note a



Hi, please check AMT Implementation and Reference Guide at


for list of Public trusted Root CA of which Root cert hashes are embeded in AMT FW so they are trusted by AMT FW.

You will need AMT Provisioning certificte (see requirements at and

Please note that up to AMT 5.x it supports SHA-1 ONLY - you will need all certificates in the chain to be SHA-1 (you have to request it explicite from CA).

AMT 6.0 or newer added suport for SHA-2 so both SHA-1 & SHA-2 certificates will work. see more details



New Contributor I


just as an Info.

SHA-2 certificates may be supported with AMT 6.0 or higher, but they don't work, because the Hash-Values in the AMT-mebx only


points to the SHA-1 Certificate-Hashes.

We tried to use a Verysign/Symantec SHA-2 Certificate and got an Error moving the device to Admin-Mode.

The Error Message was 'Signing the Nonce failed. This command is not supported on the operating System where the RCS is running.'

The operating System and Intel SCS are both on the latest Version so it should have worked.

After checking the Problem with the Intel Support we got the message that SHA 2 is supported but not implemented in Version 6.0 or higher.

(We tried it with a new Client with AMT-Version 8.0 and Version 9.0)

Because of this we had to revoke the SHA-2 Certificate and use a Verisign/Symantec SHA-1 private Certificate at the moment. They still offer this

method but you can't use it for Websites.


Hi, sorry for late answer. Please note this community is not actively monitored by Intel employees.

SHA-2 leaf certificates (AMT Provisioning certificates) are supported by Intel AMT 6.0 or newer.

Intel AMT up to AMT 10 has only SHA-1 CA root certificate hashes embeded in default AMT FW - so you will have to use CA vendor cross signing certificate for CA's SHA-2 root cert issued by CA's SHA-1 "old" root.

all such certificates shall be installed on RCS server so SHA-2 leaf (AMT Provisioning certificate) trust chain will lead via cross sign cert to "old" SHA-1 root from AMT FW list.

and it works (checked it with other customers for AMT 8/9/10).

For some CAs they have different Roots for SHA 1 and for SHA 2 and new one may not be cross signed - you will have to check it with CA.