Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

How to issue an SCCM provision certificate with a Microsoft Enterprise CA?



I set up SCCM SP1 with a Microsoft CA in Enterprise CA mode, created a provision certificate template, then requested a provision certificate, exported the certificate, and added it into SCCM OOB management. But provisioning failed; the amtopmgr.log shows:

Found new provision server certificate with hash 8B3263FC3CC7AEEDF7775DF562100F33C6B9BCDE. $$<![CDATA[<SMS_AMT_OPERATION_MANAGER> Warning: Found invalid provision certificate. Check the CN name and OID. (CertID = 4) $$]]>

My template is duplicated from the User template, the OID name is intel-oid, and the OID number is 2.16.840.1.113741.1.2.1. I didn't find any place to type the CN name when I did those.

Does anyone have any idea about this issue, or a step-by-step guide?



0 Kudos
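
One way to check an exported certificate for the two things the log warning names, the CN and the OID, before adding it to SCCM. This is an added example, not part of the original post or of SCCM; the file path and FQDN in the usage comment are placeholders, and which name SCCM expects in the CN is an assumption to confirm against the help file.

```powershell
# Added example: inspect an exported certificate for the subject CN and
# the Intel AMT OID that the amtopmgr.log warning tells you to check.
$AmtOid = '2.16.840.1.113741.1.2.1'   # OID number quoted in the post above

function Test-AmtProvisioningCert {
    param(
        [Parameter(Mandatory)][string]$Path,          # exported .cer file
        [Parameter(Mandatory)][string]$ExpectedCN     # assumption: name SCCM expects in the CN
    )
    $fullPath = (Resolve-Path -LiteralPath $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

    # Collect every OID listed in the Enhanced Key Usage extension, if present.
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }

    # SimpleName returns the subject CN when the subject has one.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $cert.GetNameInfo($nameType, $false)

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint          # compare with the hash in amtopmgr.log
        Subject    = $cert.Subject
        SubjectCN  = $cn
        CnMatches  = ($cn -ieq $ExpectedCN)
        EkuOids    = $ekuOids
        HasAmtOid  = ($ekuOids -contains $AmtOid)
    }
}

# Usage (placeholder path and name):
# Test-AmtProvisioningCert -Path .\provision.cer -ExpectedCN 'siteserver.example.test'
```

A certificate that reports `HasAmtOid = False` or `CnMatches = False` points at the template's extension or subject name settings rather than at the export or import step.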
5 Replies

This is content from the SCCM SP1 Help File. I think this is what you are looking for. Does it address your question?


PKI certificates must be prepared and installed prior to managing computers out of band in Configuration Manager 2007 SP1. This guide does not include installing and configuring Configuration Manager 2007 SP1 or provisioning computers for AMT, but it provides the steps to deploy the certificates required for provisioning computers for AMT so that they can be managed out of band. For more information about configuration of Configuration Manager 2007 SP1 for out of band management, see Configuring Out of Band Management.

The following table lists the two PKI certificates that are required for managing AMT computers out of band and describes how they are used in a Configuration Manager 2007 SP1 site.

Certificate Requirement: AMT provisioning certificate

Certificate Description: This certificate is used to prepare AMT-based computers for out of band management by Configuration Manager 2007 SP1. For more information about AMT provisioning, see About AMT Provisioning for Out of Band Management.

Certificate Requirement: Web server certificate

Certificate Description: This certificate is requested by the primary site server on behalf of AMT-based computers and then installed in the AMT firmware in the computers. After this certificate is installed, it is used to authenticate the AMT-based computer to the computer running the out of band management console before establishing an out of band management session and then encrypting all data between them.

For more information about the certificates, see Certificate Requirements for Out of Band Management.

Follow the steps in this guide to achieve the following goals:

  • Create Windows security groups to be used with the certificate templates.

  • Request, install, and prepare the AMT provisioning certificate.

  • Prepare Web server certificates by configuring a certificate template on the issuing CA.

Creating Windows Security Groups for the Site System Servers

This step has a single procedure.

To create Windows security groups for the site system servers

1. On the domain controller, click Start, Programs, Administrative Tools, Active Directory Users and Computers.

2. Right-click the domain, click New, and then click Group.

3. In the New Object - Group dialog box, enter ConfigMgr Primary Site Servers as the Group name, and then click OK.

4. In Directory Users and Computers, right-click the group you have just created, and then click Properties.

5. Click the Members tab, and then click Add to select the member server.

6. Click OK, and then click OK again to close the group properties dialog box.

7. Repeat steps 2 through 6, this time naming the group ConfigMgr Out of Band Service Points.

8. Restart your member server (if running) so that it can pick up the new group membership.


In our test environment, there is only one server to add, which will be used for both the primary site server and the out of band service point. However, in a production environment, it is likely that you will have multiple primary sites that will support out of band management, and install the out of band service point on a different server than the site server. It is therefore good practice to assign permissions to two groups and add all your primary site servers to one group, and all your out of band service point site systems to the other group.

Creating security groups for these servers enables you to assign permissions so that only these servers can request these certificates.

These security groups will be used to help ensure that only the required servers can use the two certificate templates required for AMT provisioning.

Requesting, Installing and Preparing the AMT Provisioning Certificate

This step has two procedures:

  • Requesting and installing the AMT provisioning certificate using only one of the following procedures, depending on your requirements:

      • Requesting and Installing the AMT Provisioning Certificate from an External Certification Authority.

      • Requesting and Installing the AMT Provisioning Certificate from an In-House Certification Authority When All Computers That Will Be Managed Out Of Band Are In the Same Active Directory Domain As the Out Of Band Service Point.

      • Requesting and Installing the AMT Provisioning Certificate from an In-House Certification Authority When One or More Computers That Will Be Managed Out Of Band Are Not In the Same Active Directory Domain As the Out Of Band Service Point.

  • Preparing the AMT Provisioning Certificate for the Out of Band Management Component

AMT-based computers are configured by the computer manufacturer to use external certification authorities, such as VeriSign an...


Thanks very much.

After 55 failures, I got it!!!!!! My SCCM SP1 provision is done.

0 Kudos

Hi vPro Experts,

I installed the SCCM client on my AMT-enabled PC. But in my SCCM console, I could see the AMT status as "Detected", not provisioned.

Can anyone help me to resolve this?

Thanks in Advance


0 Kudos

Hello Nirmal,

You might want to start a new thread/discussion about the specific problem you're having, in order to get the best level of assistance.

It sounds like you aren't set up to do provisioning yet, even though ConfigMgr is seeing your AMT chipsets. You probably need to create a collection that contains ConfigMgr resources that have Intel AMT available ("detected"), and then right-click the collection, select Modify Collection, then on the tab to the far right, there will be a checkbox to enable AMT Provisioning for that ConfigMgr collection. You can do this on your All Systems collection in theory, but I believe that it is not recommended; you can create a new, query-based ConfigMgr collection by specifying AMT Status = 1 or 3, I believe. I don't have a box in front of me to look at right now.

If you post back more information though, please start a new thread. Also, additional information such as

Trevor Sullivan

Systems Engineer

0 Kudos

Detected basically means that SCCM can detect that the client is AMT capable but does not have access to it (either to provision or to perform management functions). I would recommend logging into the MEBx (Ctrl-P on POST) and performing a full unprovision. You also need to make sure that you are using a PKI certificate that has been configured in the MEBx; VeriSign, GoDaddy, etc. are there by default; a self-generated one needs to be manually entered.

--Matt Royer

0 Kudos