Re: Intel AMT Lenovo Activation using PKI

idata · ‎06-24-2010

We are starting to provision our M58p, M57p, and T500's using SCCM. We need to use our PKI cert and we have been able to manually enter the hash into a few machines and provisioning starts with no issues. Now the problem is we need to deploy this hash to machines already out in the field and machines currently being deployed.

1) How do we deploy the new PKI hash to machines out in the field?

2) How do we deploy the hash before the machine is deployed as manually this is alot to have each tech enter it manually (not to mention error prone). We have already tried the usbfile.exe and intel usb provision utility but on reboot the machines all say "Disk Error Press any key to restart".

Any help would be appreciated.

idata · ‎07-12-2010

This issue may have multiple reasons so I need to get clarifying information.

Each platform has separate versions of AMT, I specifically need to know which versions you have.

I also highly recommend you upgrade to the latest version for each generation you have, there have been various issues with certificates including the replacement of Verisign G2 cert about a year ago, here is the link /community/openportit/vproexpert/blog/2010/04/27/microsoft-sccm-and-intel-vpro-certificates http://communities.intel.com/community/openportit/vproexpert/blog/2010/04/27/microsoft-sccm-and-intel-vpro-certificates).

If this is not a Verisign cert please let me know what cert you are using.

Once I have this info I can work thru the issue. One last thing on USB keys, there are a limited number of USB keys that are supported, I would contact Lenovo directly and ask them for a list of apporved keys to use for provisioning.

idata · ‎07-13-2010

some additoanl quesiotns I need to ask, what consoel woudl you be using and are you looking to buy a provisioning cert our use your own. the Idea of PKI si to remotely update platforms and this will help me point you in the right direciton. Currently by jsut the words you sue it sounds like you ahve yrou own cert, if that is the case then its going to be by hand or usb key. There are alternative (and possibly cheaper and less time consuming) ways to get thsi done.

idata · ‎07-16-2010

I think you'd be better off buying a provisioning cert from GoDaddy, VeriSign, Komodo... I looked a month ago and you can get a 2 year cert for $200.00 from GoDaddy. Those hashes are in the MEBx by default. I don't know of a way that you can put your in-house root hash into the MEBx other than getting a custom firmware load from the manufacturer or touching every machine. With they USB key method, again, you are touching every machine.

MarcinW · ‎01-27-2021

I have the same question. How can I provision using my own root CA (I didn't buy any commercial certificate ). At first I would like to try provision my computers using my root CA certificate from my domain. How can I do this? I configured Intel SCS and Intel EMA server , but I can't provision computers.
Could you give me the link how to configure this? I would like to do this remotely , but if it is not possible I can use pendrive to force configuration into unconfigured computers.