Microsoft System Center Configuration Manager can provision an AMT / vPro client in two different capacities: Bare metal and Agent Initiated.  Bare metal provisioning begins with the AMT client sending a “hello packet” to the SCCM Out of Band Service Point; if the AMT client is approved and authorized to be provisioned, SCCM will initiated the provisioning process.  Agent Initiated provisioning begins with the SCCM Client Agent pulling down the “Automatic Provisioning” policy from the SCCM Policy Server; if the SCCM Client Agent receives the policy, the Agent will negotiated a One Time password (OTP) with the AMT ME firmware and send the provisioning request along with the OTP to the Out of Band Service point to begin the provisioning process.

Bare Metal / Hello Packet Initiated Provisioning
For Bare Metal provisioning to work properly on AMT / vPro Clients with firmware 2.x, there are a couple of prerequisites that must be met.

SCCM Server

AMT Client

  • AMT Firmware version that support PKI provisioning with SCCM.  For AMT 2.x Desktops and Laptops, you will want to ensure that you have a minimum of AMT Firmware 2.2.20 (Desktop) and 2.2.20 (Laptop).  Note: For AMT Desktops with firmware 3.x, you will want to ensure that you have firmware 3.2.2 or above to meet the minimal requirements.  AMT Laptops with firmware 4.x and Desktops with firmware 5.x have the minimum requirements meet from the initial firmware release.


SCCM Client Agent Initiated Provisioning
In addition to the prerequisites needed for Bare Metal provisioning, SCCM Agent initiated provisioning requires a couple additional items.

AMT Client

  • AMT ME / HECI Driver installed (available from your OEM driver website)
  • Execution of RNGSeedCreator.exe (Download available from here:  RNGSeedCreator.exe is an executable that is ran on an AMT / vPro client with firmware version 2.x that has never been configured or provisioned; this utility generates a random number for the firmware to support the OTP used during the SCCM Agent Initiated Provisioning process.  For SCCM PKI provisioning to complete successfully, the random number generated by RNGSeedCreator.exe must be completed prior to initiating provisioning via the SCCM Client Agent.Note: AMT / vPro clients with firmware version 3.x and higher do not need to have the RNGSeedCreator.exe ran prior to SCCM Agent Initiated provisioning.



If your AMT clients do not meet the minimal firmware version for PKI based provisioning (Bare Metal or Agent Initiated), you can use the software distribution capabilities within SCCM to remotely upgrade the AMT firmware and drivers; check out the following Blog / Video which walks you through creating this software package.  Similar to upgrading the AMT firmware with SCCM Software distribution, you can also use the same Software Distribution process to run the RNGSeedCreator.exe utility on your 2.2 (Desktop) and 2.6 clients.  If you wish to combine the firmware upgrade and RNGSeedCreator.exe execution into a single SCCM advertisement, you can construct a single task sequence that runs both the Firmware upgrade and RNGSeedCreator.exe software packages.  A guide on how to accomplish this has been included in the RNGSeedCreator download package.



Once the firmware has been upgraded to the minimal firmware version to support PKI provisioning and the RNGSeedCreator.exe has been run, SCCM Agent Initiated provision can complete successfully on 2.2 and 2.6 clients.

--Matt Royer