Is there a way to deploy an in-house PKI cert AMT hash via a BIOS upgrade on a Dell system, or via an SCCM package? There are some documents on creating a Setup.bin file on a USB key, but I have not found any clear directions on how to deploy that file.
You cannot deploy a setup.bin via the client OS. It must be done locally during boot via a USB drive. This is a security measure.
You might consider using client control mode to avoid this step.
I am not familiar with client control mode. On the systems that I need to input the AMT hash on, there is no option in the MEBX settings to import anything from a USB stick. Do I need some additional software for this?
If you import the hash via a USB stick, the MEBX menu is not used. The setup.bin will be detected on the USB stick automatically during boot.
For client control mode vs Admin control mode:
http://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/DOCS/Implementa... Intel(R) AMT SDK Implementation and Reference Guide
Depending on the AMT features you wish to use, client control mode may be a smarter choice to make setup easier and avoid dealing with hashes.
The documentation does not seem to make any sense on how to import the USB key. The setup file is not bootable, so you can't just plug it in and start the computer and have it work. What I am trying to do is include the hash thumbprint of my root CA on the AMT controller. All the other provisioning and control will be done via SCCM. There is documentation on how to do this manually, but I am trying to avoid typing in the hash value manually. Is there any clearer documentation on how to get the hash from the USB key into the AMT BIOS?
I finally got the USB provisioning to work on some of my machines. The main reason why it was not working was an incorrectly formatted flash drive. On MEBX v8 everything worked. On MEBX v7 (on a Dell Optiplex 780) I still cannot get the provisioning to happen. I have tried file versions 2, 2.1, 3 and 4, but the system still fails to discover that there is a flash drive with the setup.bin file available for auto provisioning. Is there any trick to getting this to work on some older systems?