I am having issues with the certificates needed to set my AMT devices to admin mode. I am using Intel SCS 9.0 and the specific AMT device I am trying to configure is running 8.0.4. I have created a very basic AMT profile in SCS that only sets the Active Directory integration and the ACL's to use. I have then gone and exported the profile to two different XML files; one file tells the device to configure in Client mode and the other file tells the device to configure in Admin. The Client mode configuration works perfectly every time (I perform a Full Unconfigure each time I try a new profile) but when I try to perform an Admin mode configuration I always get the following error:
A valid PKI certificate was not found in Certificate Store of the user running the Remote Configuration Service.
I have been successful in performing a Client mode configuration using ConfigAMT followed by a configuration using ConfigViaRCSOnly and providing an AMT profile. When I have done this the system appears in the RCS console as configured and connected and shows me the correct AMT profile. However, the client itself is still in Client mode, not in Admin mode. I have then tried using the MoveToRCS command and once again I get the PKI error shown above.
We have a Microsoft Enterprise PKI infrastructure so I am trying to use certificates generated in-house as opposed to buying a certificate from a third-party. To create my PKI certificate I followed the procedure shown in the Intel SCS User Guide and I also followed the advice provided by the SCCM GURU found at
Ultimately I am planning to install the SCCM add-on and integrate this whole thing with SCCM 2012 R2. At the moment I have not installed the add-on and I am just trying to configure and test these devices with Intel SCS 9 running independently of SCCM
Does anyone have any advice for trouble-shooting PKI errors or know how I should configure the certificates?
Did you manage to work out the solution? I'm having this exact same issue, and followed the same SCCM Guru guide, but can't get it to work for some reason
I do not yet have the process working as I am trying to get a new security certificate from GoDaddy. It took a long time to find an answer but here is what seems to be happening:
The security certificates for changing from Client mode to Admin mode are hard-coded into the AMT firmware and you must use a certificate from one of those providers to make the switch. We have already been using certificates from GoDaddy for other purposes and since that is one of the hard-coded providers I am trying to get a certificate from them. The hold up for me is our own internal bureaucracy. Note that the only reason I found this information at all is because I stumbled across it in the documentation for the Software Development Kit for AMT when I used Google to search for it. The search on the Intel site failed to find anything about this at all.
My understanding is once I have the new certificate installed I will be able to switch modes and then at that point I can start using the internal certificates for all other processes related to AMT. As I said before though my own personal hold-up right now is the internal bureaucracy I have to deal with.