Trevor,

I think you're doing pretty well, in my opinion. I'm like you, largley self taught most things I do. AMT and vPro has been probably the toughest thing I've had to get my head around and get to work in my environment. There's so many pieces and places where things could go wrong!

I hadn't been able to get any of my systems provisioned until I upgraded their AMT BIOS to 3.2.2, there was a bug fix that helped me out on that one. Also, I'm working to come up with a way to rename 95% of our systems - it seems that AMT doesn't like an underscore in a computer name (they've actually been true to the real DNS spec) so we're working to rename all our systems so they can be provisioned. Yuk.

Focus on the light!

Sandy,

Sorry to hear about the issues you've been having. Honestly though, while it's frustrating making this stuff work, it really starts to make you realize how many problems there are in your IT environment. Things in my case, like client DNS records not updating properly, having DHCP option 15 not matching your AD FQDN, and things in your case, like underscores in the client hostnames, all help to identify issues, and help drive a resolution to them. In my case, I have to wait for a project to revise our DNS infrastructure to complete before I can make any real headway, and in some of our locations, we've got AMT systems with static IP addresses that we can't use, and .... the list of issues just goes on and on.

The majority of my vPro systems are 2.6 systems, so the lack of Configuration Manager integration with pre-3.2.1 firmwares was a really big sore spot until KB 959040 was finally released. Even then, I had to wait forever for it, and I still have not been able to even get it working!

Oh well, despite all the time I've spent on this, I am still hopeful to get a return on the investment over the longer term, be able to better support our end users, and maintain a dynamic, efficient infrastructure of clients.

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Ok, well Matt's suggestion definitely worked on Windows 7 Beta Build 7000 (which was having the issue), and I would assume Vista also, considering they both had the same exact behavior. I had not realized that he was referring to the internal subordinate CA's certificate ... I was confusing that with the AMT Provisioning certificate.

I'm glad that it worked, however I'm concerned that this is a bug with Microsoft's software. The subordinate CA's certificate should not need to be in the Trusted Root Certificate Authorities certificate store, am I right? My basic understanding regarding the Windows certificate store is that the Trusted Root Certificate Authority store is for ... well, trusted root CAs, and the Intermediate Certificate Authorities was for .... intermediate CAs, which subordinates would fall under. Am I correct in my thinking here?

If the OOBconsole is looking for the subordinate CA's public key in the Trusted Root CA store, rather than the Intermediate CA store, then that should be considered a bug, right? If I'm not thinking properly, can someone explain to me what the logic is behind having the subordinate / intermediate CA's public key in the Trusted Root CA store?

Trevor Sullivan

Systems Engineer

OfficeMax Corporation