Note: The Self Signed Certificate issue was corrected with AMT firmware 3.2.2. Please work with your OEM to secure the 3.2.2 firmware update. -- Matt Royer
Summary
An issue has been identified that may cause the remote configuration provisioning process to fail when using Microsoft System Center Configuration Manager (SCCM) on systems that have been upgraded from Intel AMT 3.x firmware to 3.2.1 firmware. The Self-signed certificate used to establish the initial PKI provisioning (Remote Configuration) connection is being read as invalid, which causes this failure.
The recommended resolution is to perform a provision and un-provision of the system to regenerate the Self-signed certificate. This resolves the certificate being read as invalid and prepares the PC to be provisioned successfully by SCCM. This can be accomplished locally at the PC or remotely from the console. Both scenarios are documented in detail below but local provision/un-provision will require entering the Management Engine BIOS Extension (MEBx) screen at the local machine. To perform this action remotely, the community has developed a software-based script to execute a remote provision/un-provision. The script should be run for vPro clients experiencing this issue prior to SCCM provision. Once the script is executed, the vPro clients can then be natively provisioned by SCCM.
Background
vPro Clients that are experiencing the issue will show up as AMT Status "Detected" within the Collection View after a Management Controller discovery and will exhibit with the following error in the amtopmgr.log:
During SCCM Management Controller Discovery
Error 0x80090308 returned by InitializeSecurityContext during follow up TLS handshaking with server.
Error 0x6fcb970 returned by ApplyControlToken
*During a SCCM Provisioning attempt*
Error 0x80090308 returned by InitializeSecurityContext during follow up TLS handshaking with server.
Error 0x261b948 returned by ApplyControlToken
Note: An AMT Status of "Detected" can occur for a variety of reasons; in general it means that the SCCM Out of Band Service Point is unable to establish an initial connection with the AMT client. This scenario can also occur when the computer has been previously provisioned for AMT outside Configuration Manager and the password for the AMT Remote Admin Account or the MEBx Account has been changed and is unknown.
When trying to provision a vPro Client that has a firmware version less than 3.2.1 that is impacted with the Self-signed Certificate issue, SCCM will forward the request to the Intel WS-MAN Translator (which is required for provisioning and management of a vPro Client less than 3.2.1.) The Intel WS-MAN Translator will handle provisioning the vPro client despite the invalid Self-signed Certificate. The steps listed below should not be required for firmware versions less than 3.2.1 if you have the Intel WS-MAN Translator installed and properly configured.
As an interim workaround for vPro Clients 3.2.1 experiencing the issue, you can either locally (through the MEBx) or remotely provision and un-provision the AMT client. The un-provisioning process will regenerate a new Self-signed Certificate within the AMT Management Engine, after which, SCCM can natively use this newly generated certificate to establish the initial secure connection during the provisioning process.
Provisioning via Pre-Shared Key (PSK) is not impacted by the Self-signed Certificate issue; however, to leverage PSK provisioning you will need to install / configure the Intel WS-MAN Translator and load the PID/PPS pair into the vPro client. PID/PPS configuration within the vPro client requires either manual configuration via Management Engine BIOS Extension (MEBx) or One Touch Provisioning through USB key import.
Local Provision / Un-provision
To performing a Provision / Un-provision locally on the vPro Client
Log into the MEBx by pressing Ctrl-P during POST
If you have not changed the default admin password already, login in with "admin" as the password. If you have already changed the MEBx password, log in with the password you changed it to
Within the MEBx Menu, select "Change Intel(R) ME Password".
When presented with "Intel (R) New ME Password", Enter in the same password you configured in SCCM Component Configuration -> Out Of Band Management -> General Tab -> MEBx Account.
When presented with "Verify Password", re-enter the password.
From the MEBx Menu, select "Intel(R) AMT Configuration"
Within the Intel(R) AMT Configuration Menu, select "Provision Model"
When presented with "Change to Intel(R) AMT 1.0 Mode: (Y/N)", enter "N"
When presented with "Change to Small Business : (Y/N), enter "Y"
When returned to the Intel(R) AMT Configuration Menu, select "Unprovision"
When presented with "Reset Intel(R) AMT Provisioning: (Y/N), enter "Y"
When presented, ensure you select "Full Unprovision" and press enter
When returned to the Intel(R) AMT Configuration Menu, select "Return to Previous Menu"
When returned to the MEBx Menu, select "Exit"
When presented with "Are you sure you want to exit: (Y/N)", enter "Y"
Allow vPro Client to reboot fully
After performing the local Provision / Un-provision, you should be able to do a rediscovery of the Management Controller within SCCM and see that the AMT Status is now reflected as "Not Provision". With the vPro Client in a "Not Provision" state, SCCM will be able to natively provision the client without issues. Although fairly simplistic, one of key disadvantages of locally provisioning and un-provisioning the vPro Client is that you will need to have physical (touch) access.
Remote Provision / Un-provision
To perform a Provision / Un-provision remotely on the vPro Client, the community has created a visual basic script that will perform the function remotely. In an attempt to reduce the complexity, the VBScript leverages the Intel WS-MAN Translator to provide the authentication and remote configuration connection. To leverage this remote Provision/Un-provision capability, you must have the Intel WS-MAN Translator installed and configured prior to executing the VBScript. Please visit the following Blog to learn how to install and configure the Intel WS-MAN Translator.
The VBScript and guide can be download from the following location (http://communities.intel.com/docs/DOC-1850) and contents can be decompressed to a folder on either your SCCM server or on workstation that you want to run the script from. Please note that you must have WINRM basic authentication switched to "true" on the computer you are planning to run the VBscript from; WINRM Basic Authentication is required for connections to the Intel WS-MAN Translator to work properly. To turn WINRM Basic Authentication to true, run the following command from the command line:
winrm set winrm/config/client/auth @{Basic="true"}
With the archive file decompressed, you will see two VBScripts in the folder: SelfSignedFix.vbs and ExecFromCollection.vbs. SelfSignedFix.vbs is the VBScript that will perform the remote Provision / Un-provision. To use the SelfSignedFix.vbs, there are several parameters you must supply for it to work properly:
Intel WS-MAN Translator URL: This is the secure URL on which the Intel WS-MAN Translator is listening
The Hostname, FQDN, or IP Address of the vPro Client: This is the vPro Client that is having the issue with the Self-signed Certificate and needs to be Provisioned / Un-provisioned
Log File Location: This is the folder or share where the results of the provision / un-provision will be logged for the client. Note that SelfSignedFix.vbs script will automatically create a new log with the filename of the hostname, FQDN, or IP Address you used as the previous parameter.
Screen Output: Whether (Y) or not (N) to display the Provisioning / Un-provisioning output on the console screen.
Critical Note: Prior to executing the SelfSignedFix.vbs, it is imperative that you change the MEBx password in the SelfSignedFix.vbs VBScript to match what is configured in SCCM Component Configuration -> Out Of Band Management -> General Tab -> MEBx Account.
As a general reference, you can only change the MEBx password remotely once and only if the vPro Client is in a factory default state (never been provisioned). Since this VBScript remotely provisions and un-provisions the vPro client, we must set the MEBx password during this provisioning process. To Change the MEBx password, open SelfSignedFix.vbs with any text editor and modify (line 19) with your environment specific information:
Const SCCMMEBxPassword = "P@ssw0rd" to Const SCCMMEBxPassword = "<your SCCM MEBx password>"
Note: If you have already changed the MEBx password, the MEBx password will not changed; however, you should still change the SCCMMEBxPassword in SelfSignedFix.vbs VBScript to match your SCCM Configuration in case you run into a vPro Client where you have not changed the MEBx password yet.
With the MEBx Password modified, here are some examples of how the SelfSignedFix.vbs can be run from the command line:
cscript SelfSignedFix.vbs
vpro-client.vprodemo.com c:\temp NThe script will connect to the Intel WS-MAN Translator listening on https://sccmsp1.vprodemo.com/ to perform the Provision / Un-provision on vpro-client.vprodemo.com. c:\temp\vpro-client.vprodemo.com.log will be generated with the results of the provision / un-provision and those results will not be displayed on console.
!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-11443-1769/4.JPG!
cscript SelfSignedFix.vbs
vpro-client "
sccmsp1\certfix$\error logs" YThe script will connect to the Intel WS-MAN Translator listening on https://sccmsp1.vprodemo.com/ to perform the Provision / Un-provision on vpro-client.
sccmsp1\certfix$\error logs\vpro-client.log will be generated with the results of the provision / un-provision and those results will be displayed on console.
!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-11443-1770/5.JPG!
cscript SelfSignedFix.vbs
192.168.0.101 "" YThe script will connect to the Intel WS-MAN Translator listening on https://sccmsp1.vprodemo.com/ to perform the Provision / Un-provision on client located at IP address 192.168.0.101. 192.168.0.101.log file will be generated in the current working directory that the script was ran from with the results of the provision / un-provision and those results will be displayed on console.
!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-11443-1771/6.JPG!
After running SelfSignedFix.vbs, you should be able to do a rediscovery of the Management Controller within SCCM and see that the AMT Status is now reflected as "Not Provision". With the vPro Client in a "Not Provision" state, SCCM will be able to natively provision the client without issues.
Provision / Un-provision Log
Similar to what is displayed in the previous screen shots, a successful remote Provision / Un-provision log will look like the following:
**Begin Execution 8/11/2008 8:22:22 PM*************************
Connecting to https://sccmsp1.vprodemo.com/wstrans/setup/eoi20/192.168.0.101/wsman
Setting AMT Clock
Setting HostName
Setting TLS settings
Setting new MEBx Password
CommitChanges
CommitChanges_OUTPUT
ReturnValue = 2057
Unprovision
PartialUnprovision_OUTPUT
ReturnValue = 0
**End Execution 8/11/2008 8:22:30 PM*************************
In an event that vPro Client is inaccessible to be remotely provisioned / un-provisioned, the error log will look like the following:
**Begin Execution 8/11/2008 8:22:12 PM*************************
Connecting to https://sccmsp1.vprodemo.com/wstrans/setup/eoi20/192.168.0.100/wsman
Unable to connect to AMT Device: 192.168.0.100
**End Execution 8/11/2008 8:22:12 PM*************************
This error can occur for a variety of reasons. Some common causes of this error are:
vPro Client is not accessible on the network
vPro Client is already provision
Remote Admin password for the vPro Client has already been changed from the factory default. If the remote admin password has been changed, you can modify SelfSignedFix.vbs with the correct password.
!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-11443-1772/7.JPG!
In either case, you will need to root cause why the vPro Client was not remotely accessible to be provisioned / un-provisioned. You can then run SelfSignedFix.vbs at a later time to retry and remotely provision / un-provision.
Automating the execution of SelfSignedFix.vbs within SCCM
To avoid having to run SelfSignedFix.vbs on each impacted system individually, there are a couple of automated procedures you can perform depending on what is right for your environment. To identify and isolate the vPro Clients that are impacted by the invalided Self-signed Certificate, you can create a SCCM Collection using the following criteria "Select * from sms_r_system where AMTStatus=1"; this will automatically bucket all the vPro Clients listed as AMTStatus Detected in a single collection for easy identification.
For step by step instructions on how to create the collection for vPro Clients with the AMT Status of Detected, please reference the guide included with the scripts.
Once you have the impacted vPro Clients in a single collection, you can either use SCCM Advertisements to push and execute SelfSignedFix.vbs from the client or you can use the included ExecFromCollection.vbs to connect directly to collection and execute SelfSignedFix.vbs on an enumerated list of members in that collection.
Critical Note: Before proceeding to use one of these large execution methods, it is recommended that you test your configuration (both SelfSignedFix.vbs and Intel WS-MAN Translator) by testing on a few impacted system individually first. Once you run SelfSignedFix.vbs steps above on these select impacted vPro Clients, you need to ensure you are able to natively provision the client within SCCM before you move onto a more automated implementation.
Using ExecFromCollection.vbs
ExecFromCollection.vbs is a VBscript that will connect to a desired collection, enumerate the list of members in the collection, and execute SelfSignedFix.vbs VBScript against each member in the collection. Prior to using ExecFromCollection.vbs, you must first change the SMSSiteCode, SMSServer, SMSCOLLECTION, and WSTransURL constants. To modify the required constants, open up ExecFromCollection.vbs with any text editor and change the following values with entries specific to your environment (Make sure you save your changes).
SMSSITECODE : This is your SMS Site Code
SMSSERVER : This is the FQDN of you SMS Site Server
SMSCollection : This is the SMS Collection ID that you want to enumerate the list of vPro Clients from. You can find the Collection ID of a particular collection by right clicking on the collection and select "Properties"; the Collection ID will be at the bottom of the General Tab
!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-11443-1774/9.JPG!WSTransURL : This is the secure URL in which the Intel WS-MAN Translator is listening on
Once the constants have been modified within ExecFromCollection.vbs, you can execute the VBscript by running the following Command Line:
cscript ExecFromCollection.vbs
ExecFromCollection.vbs will cycle through each enumerate member in the collection and execute SelfSignedFix.vbs VBScript against it. Prior to running ExecFromCollection.vbs, you need to ensure that the SelfSignedFix.vbs VBscript and ExecFromCollection.vbs VBscript are located in the same folder.
After running ExecFromCollection.vbs VBscript, you should be able to do a rediscovery of the Management Controller within SCCM and see that the AMT Status is now reflected as "Not Provision". With the vPro Client in a "Not Provision" state, SCCM will be able to natively provision the client without issues. For any vPro Clients that remain in a Detected state, review the log files to help isolate the root of their issue. For step- by-step instructions on using ExecFromCollection.vbs, please reference the Guide included in the download package.
Using SCCM Advertisement to Execution SelfSignedFix.vbs
In terms of leveraging SCCM Advertisements to push the SelfSignedFix.vbs down to the client and execute it, there are several different ways this could be done. This example simply pulls the SelfSignedFix.vbs off a remote share which is then executed by a SCCM Task Sequence. When the advertisement is picked up by the SCCM Client Agent, the task sequence is executed and SelfSignedFix.vbs is run on the vPro Client machine. Depending on your environment, you may want to leverage alternative methods of deploying and executing this with a SCCM Advertisement. Please note, that the SelfSignedFix.vbs is not performing any provision / un-provision commands locally on the client; although it is running on the local client, the provision / un-provision commands are being routed to the Intel WS-MAN Translator and then the commands are sent back down to the vPro client from the Intel WS-MAN Translator.
In preparation of creating a task sequence, create a remote share on a server where the SelfSignedFix.vbs will be run from and the log files generated from SelfSignedFix.vbs will be stored. Ensure sufficient permissions are granted to the account running the advertisement.
Create a New Task Sequence and give it a name that is easily recognizable. Make sure you create the Task Sequence with the option of "Create a new custom task sequence".
When you edit your task sequence, add a new "General"-> "Run Command Line" task.
Give the task an appropriate name and in the Command Line field enter in:
cscript
server\share\SelfSignedFix.vbs %COMPUTERNAME% "
server\share" N
... where
server\share is the remote share that you created and https://wsmantransurl/ is the secure URL of your Intel WS-MAN Translator. %COMPUTERNAME% is an OS environment variable that will give you the hostname of the client.
!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-11443-1766/12.JPG!Once the task sequence is created, you can advertise the task sequence on a Collection you created for just the AMT Detected vPro Clients.
Depending on your advertisement mandate, the next time the client's SCCM agent pulls down an updated policy it will execute the task sequence.
After running SelfSignedFix.vbs VBscript via the advertisement, you should be able to do a rediscovery of the Management Controller within SCCM and see that the AMT Status is now reflected as "Not Provision". With the vPro Client in a "Not Provision" state, SCCM will be able to natively provision the client without issues. For any vPro Clients that remain in a Detected state, review the log file and isolate the root of their issue.
Note: Depending on your Client OS configuration, it may be necessary to set WINRM basic authentication to "true" prior to execution SelfSignedFix.vbs; this can be accomplished by add winrm set winrm/config/client/auth @{Basic="true"} command line task prior to the execution of SelfSignedFix.vbs.
This blog was intended to give you a general understanding of the issue and the work arounds that are in place. For a comprehensive step-by-step guide, please refer to the documentation included with Remote Provision / Un-provision Script archive file. To download the Scripts and the Guide, please visit the following URL: http://communities.intel.com/docs/DOC-1850
--Matt Royer
As explained in the SCCM SP1 & WS-MAN Translator: How vPro firmware versions less than 3.2.1 are supported blog, The Intel WS-MAN Translator is crucial component to providing support for vPro Client with firmware versions less than 3.2.1 with Microsoft System Center Configuration Manager.
Intel has just posted the production release of the Intel WS-MAN Translator 1.0 and is available for download at the following location: http://softwarecommunity.intel.com/articles/eng/3840.htm. At that location you will find the install binaries and documentation on how to install the translator. However, here is a high level overview of how to install and configure the Intel WS-MAN Translator.
Pre-installation Steps
Generate a Certificate Request on SCCM Server for Intel WS-MAN Translator
On the SCCM Server, go to Start > All Programs > Administrative Tools > Internet Information Services (IIS)
Expand Web Sites and Right Click on Default Web Site and select Properties
*!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1723/GenerateCert1.JPG!*In the Default Web Site Properties windows Select the Directory Security Tab. In the Secure Communications section, click the Server Certificate button
!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1724/GenerateCert2.JPG!This will launch the Web Server Certificate Wizard. Click Next
*!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1725/GenerateCert3.JPG!*In the IIS Certificate Wizard Window, select Create a new certificate . Click Next
*!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1726/GenerateCert4.JPG!*Select Send the request immediately to an online certification authority. Click Next
!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1727/GenerateCert5.JPG!Enter a Name for the certificate: WS-MAN Translator Server Certificate. Click Next
!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1728/GenerateCert6.JPG!Enter Organization Information (Organization and Organizational Unit) and Click Next
*!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1729/GenerateCert7.JPG!*Enter the Common name: This is the FQDN of your server you are installing the Intel WS-MAN Translator on and should be the same as the FQDN of your SCCM Server. Click Next
!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1730/GenerateCert8.JPG!Enter in your Geographical Information. Click Next
!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1731/GenerateCert9.JPG!Enter 443 for the SSL Port for this web site. Click Next
!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1732/GenerateCert10.JPG!In the Choose a Certification Authority Window, select your issuing Certificate Authority. Click Next
*!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1733/GenerateCert11.JPG!*Confirm your request and click Next
!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1734/GenerateCert12.JPG!Once Wizard is complete, click Finished
*!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1735/GenerateCert13.JPG!*
Modifying Windows Remote Management (WinRM) to support Basic Authentication
On the SCCM Server, open a command prompt and run the following command: winrm set winrm/config/client/auth @{Basic="true"} (command line is case sensitive)
!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1716/WINRM1.JPG!You should see Basic = True returned
Set Delegation for the SCCM Server
On your Domain Infrastructure Image, Click Start > All Programs > Administrator Tools > Active Directory Users and Computers > vprodemo.com > Computers. Right Click on SCCM Server and select Properties.
!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-11434-1782/Computer.JPG!Check the box Trust Computer for Delegation and click OK
*!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-11434-1781/delegation.JPG!*
Note: If you do not allow this, you will need to setup the WS-MAN Translator (during configuration steps) run time account with a user that has permission to the AMT client. At that point the credentials configured in the run time account are used to manage the client for Kerberos authentication.
Installing the Intel WS-MAN Translator
On the SCCM Server, run the Intel WS-MAN Translator Setup
In the Intel WS-Management Translator setup window, click Next
*!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1736/Install1.JPG!*In the Intel WS-Management Translator setup window, click Next
*!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1737/Install2.JPG!*During the installation, keep all of the Default settings until installation wizard is complete and install has finished.
!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1738/Install3.JPG!
!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1740/Install5.JPG!
Configuring the Intel WS-MAN Translator
Click Start > All Programs > Intel WS-Management Translator > wtranscfg.exe to configure the Translator
In the WS-Translator Configuration Wizard Window, Set common setup accounts & Set TLS/forwarding options. Click Next
*!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1718/ConfigTrans1.JPG!*In the Set initial setup password window, enter the password you configured within SCCM Out of Band Management Properties > Provisioning setting Section > MEBx Account. Click Next
*!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1719/ConfigTrans2.JPG!*In the Set Common Pre-Shared Key window, should select a more random and secure PID and PPS for security reasons. Click Next.
!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1720/ConfigTrans3.JPG!In the Import Common Setup Certificate, Click Browse and select the Same Certificate you used in SCCM Out of Band Management Properties > Certificates Section > Provisioning Certificate. Click Next.
!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1721/ConfigTrans4.JPG!In the Select TLS/forwarding options windows, select (default Options): Listening Port: 443 & Forwarding Port: 16993. For the Server Certificate: select the WS-Man Translator certificate created in previous step. Click Finished. Click OK to Restart the Translator Service.
!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1722/ConfigTrans5.JPG!
Configuring SCCM SP1 to use the Intel WS-MAN Translator
Within System Center Configuration Manager Out of Band Management Properties > Provisioning setting Section > AMT Settings. Check the option for Enable support for Intel WS-MAN Translator. Once selected, click Apply.
*!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1717/ConfigSCCM1.JPG!*
--Matt Royer
For those that don't know, you can use the Intel AMT Web console as an alternative to running the out of band management console in Configuration Manager 2007 SP1 to manage vPro computers.
On more than a few occasions, people have been experiencing problems with connecting to the vPro AMT Web console after the vPro Client has been provisioned by SCCM. In every case that I have been involved in, it simply comes down to one or two of the following:
Not having the required HotFix (KB908209) for IE 6 installed and registry entry for both IE6 & IE 7 added
Connecting to the wrong URL of the vPro Client
Not having the "Enable Web Interface" checked within SCCM "Out of Band Management Properties"
Not connecting with a user that has appropriate access
Making sure you have KB908209 installed and having the registry key added for Internet Explore
There is a hotfix released for Internet Explorer 6 that addresses connecting to a web site with Kerberos authentication protocol that uses a non-standard port. Since you are trying to authenticate with Kerberos on a non-standard port when you connect to a vPro AMT Web console, you need this hot fix: http://support.microsoft.com/default.aspx/kb/908209. Keep in mind, besides the hotfix you also need to add a registry entry to allow the hotfix to be active (steps listed in the KB article). Here is the registry entry you need to add.
For 32 Bit: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209\"iexplore.exe"=dword:00000001
For 64 Bit: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209\"iexplore.exe"=dword:00000001
Although Microsoft included the hotfix into Internet Explorer 7, you still need to add the registry entry to get the authentication to work. Forgetting to add this registry entry tends to be the number 1 reason why people are having the problem!!!!
Connecting to the correct URL
When connecting to vPro AMT Web console, you must connect to the vPro Client with the following URL https://FQDN:16993 where the FQDN is the full qualified domain name of the vPro client (ie. https://vpro-client.vprodemo.com:16993). Using the IP address will not work (or at least you will get a warning about an invalid certificate) because SCCM has configured the vPro client to use TLS and the URL needs to match the certificate that was issued during the provisioning process. As a general reference, 16993 is the port that the TLS web services is listening on and you need connect with https since it's a secure connection
Ensuring you have "Enable Web Interface" check
To enable vPro AMT Web console support on the vPro Client, you need to verify that "Enable Web Interface" is checked within the SCCM "Out of Band Management Properties" - "AMT Settings" Tab. With this checked, SCCM (during the provisioning process) will configure the vPro Client to allow vPro AMT Web console access.
!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1712/Webui+checked.JPG!
Make sure you have permission
Since SCCM only supports Kerberos authentication (with exception of the Remote Admin account, who's password is only known by SCCM), you need to authentication with a Kerberos users that has been granted access to the vPro Client. If you are having problems authenticating, make sure the user you are trying to authenticate with is listed in the AMT User Accounts in the "Out of Band Management Properties" - "AMT Settings" tab.
--Matt Royer