Intel vPro® Platform
Intel Manageability Forum (Intel® EMA, AMT, SCS & Manageability Commander)
This community is designed for sharing of public information. Please do not share Intel or third-party confidential information here.
2616 Discussions

Problems with Intel SCS and Active Directory

Community Manager


Was wondering if somebody could help.. I've been having problems provisioning an AMT machine. The problem is the once the machine has been configured it is coming back as "Limited Access".

After investigating further, it appears that the problem is

related to the active directory. The new machine was not added to the active


So after signing on to the machine and joining the domain

manually. I then deleted the AMT machine from the SCS and then re-provisioned

the machine again. This time the machine was provisioned correctly.


then delete AMT machine from the SCS and then re-provisioned the machine again,

but this time using a profile with TLS configured. The machine was provisioned


I re-read the manual and from what I remember, we followed all

the steps. I re-checked that the active directory schema had been updated. I ran

the 'CheckSchemaExists.VBS' from 'C:\program

files\Intel\AMTConfServer\AminScripts\Active Directory Schema'. It returned

Schema Exists for


I went through the

section 'Give the SCS User Permission to Create/Delete AMT Object' from the "Intel AMT SCS Installation and User Manual". From what I can recall the

user was SCSUser (but I can't be 100%, is there anyway to tell?). I then tried

to provision another machine, but this resulted in the same problem, 'Limited


Any ideas?

Many thanks


0 Kudos
3 Replies

Hi Gibbo,

The provisioning AMT does not add the machine to the AD, You need to add the machine to AD and then provision AMT either with Kerberos support which will give you (single-signon) ability to manage AMT with the same usernames that you use to log into Windows or digest authentication (user name/passwords defined in the profile separately). On the SCS tree on the left side navigate to "User" section and make sure the SCSUser or the account you used to install has Administrator access to the SCS. If you had Enterprise Admin access it should be alright. When you provision using Kerberos it will create an object with the machine name in the OU that is specified in the config properties for the machine (this is the second input item on the config properties window) but it will not automatically add the computer to AD. The computer should be part of domain prior to initiating provision. Hope this helps!


Community Manager

Hi Mohan,

thanks for getting back to me.

We are currently try to test Zero touch, so the machine will not have been added to the Active directory before it is provisioned.

The only user in the user tree is the Administrator, so they should have all the rights that are required.

So still a little lost.



Hi Gibbo,

Zero touch refers to just the AMT provisioning in that a properly staged machine gets provisioned automatically once it is setup on a user's desk. It does not have anything to do with what you normally do with respect to your OS build and prep work that you do with respect to getting the machine joined to your domain. once you have the machine joined to your domain internally if you have one of the client setup certficates from the trusted roots built into AMT firmware then provisioning happens automatically whe the computer is turned on at user's desk without touching it when you turn it on. In fact you need to make sure that the desktop/laptop gets provisioned properly with "hostname.domainname" in other words fully qualified name so it can be accessed later on for managing it. Appropriate process changes are needed to make sure provisioning does not happen prior to joining the computers to the domain so thery can be managed with fully qualified name of the computer.

Alternatively, there is a way to provision AMT prior to the OS build (Bare metal provisioning). In that case you need to have a plan to figure out the FQDN for the machine when the OS build is complete and have an alternate database lookup to figure that name corresponding to the UUID and have a script associate that FQDN for the UUID coming from the hello packets during provisioning. This will be more process intensive and I have not had a chance to work with baremetal provision. hope this helps!

thanks, Mohan.