Indeed there is!

Intel provides tools to give OEMs the ability to add customer certificate hashes to the AMT firmware at the end of the manufacturing process. Up to 23 certificate hashes can be added in this way. The advantage of having the OEM install the hash instead of having the IT shop add the hash after receipt of the machine, apart from the fact that you don't have to type them in , is that the OEM added hashes survive resets back to the "default factory" state.

Why would you use your own root hash instead of going with one of the default hashes from one of the provided certificate authorities like VeriSign or Go Daddy?

This is actually a complicated question. Like most things in IT the goal is to minimize cost and complexity.

The Subject Name in the remote Configuration certificate must match the DHCP domain name on the network segment (DHCP option 15) to which the AMT device is attached. So the more DCHP naming zones you have, the more Subject Names you need in the certificate. The more names you have the more the certificate authority will charge (as they have to do work to verify you own all of the names). Intel is working to lower this cost in upcoming releases of AMT, and in AMT 2.6 added a feature to allow a match for only the last two fields of the CN (e.g. intel.com). So all DHCP naming zones "below" intel.com such as a.intel.com and b.intel.com would be considered a match. This applies only to ".com" and ".net" names.

On the other hand the your OEM may charge to add your certificate hash to each AMT device you buy. So both options will need to be investigated to get the most cost effective solution for your company.

The vPro Quick Start Guide (http://communities.intel.com/openport/docs/DOC-1085) along with the SMS add-on documentation\resources - including some video tutorials (http://softwarecommunity.intel.com/articles/eng/1356.htm) may be a great place to start.

We are looking into creating more video or screencast based content.

May you be successful in your endeavors.

Hello swood and others,

I work for HP on vPro among other things. The most reasonable way to approach this is to let your HP account manager know that you are interested in what we call PC Customization Services (PCCS) to pre-populate your cert hash. This is not a standard service we offer currently, as with the PSK method, but we do have some tools that should support this. Feel free to use my name (Paul Broyles in Houston, TX) as a reference if they don't know what you are asking for.

As always, it is good to get customer feedback on this.

Regards, Paul

Gareth,

One question about the multiple DHCP domains before the *.intel.com wide card features is available. It may be because my misunderstanding about this remote configuration feature. If there are two domains, a.intel.com and b.intel.com, and the two SCS certs are generated accordingly. So, should those two certs need to loaded in AMT clients together since the clients are not sure which domain is belonged to during the set up time? Also, which one should be activated or doesn't matter as long as they both exist?