
An enterprise customer wanted to enable Active Directory integration with Intel AMT across their large Intel vPro client estate. However, their security team wanted the permissions granted to the Intel SCS service account on the Organisational Unit (OU) that stores the Intel AMT computer objects (the objects Kerberos authentication to Intel AMT depends on) to be as restrictive as possible.


As defined in the Intel® Setup and Configuration Software User Guide, the permissions for the SCS service account on the OU container are "Create Computer objects", "Delete Computer objects" and "List contents" (the last of these appears to be granted by default), plus Full Control on descendant Computer objects. Full Control on the descendant objects was not acceptable, so ...



... to support Intel AMT maintenance tasks, such as updating the password of the AD computer object that represents the Intel AMT device and keeping the Intel AMT clock synchronised so that Kerberos continues to work, the following explicit permissions are required on all descendant Computer objects within the OU.


The customer's security team were happier with these permissions, and the customer is now activating their Intel vPro systems to enable the manageability and security capabilities that Intel Active Management Technology provides on Intel vPro platforms.
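The delegation described above, as an added PowerShell example that is not from the original post or from Intel SCS itself: it grants the service account the three OU-level rights the User Guide names (Create Computer objects, Delete Computer objects, List contents), scoped to the Computer class, shows how an explicit right on descendant Computer objects is scoped so that Full Control is never granted, and then reads the ACL back to confirm the account holds no GenericAll ACE. The OU distinguished name, the service account name and the ReadProperty placeholder on descendants are assumptions; the post's own descendant permission list came from a screenshot that is not reproduced here, so substitute the rights your security team approved.

```powershell
# Added example (not from the original post). Run on a domain-joined host with RSAT.
Import-Module ActiveDirectory

$ouDn    = 'OU=Intel AMT,DC=corp,DC=example'   # assumed OU holding the AMT computer objects
$scsUser = 'svc_intel_scs'                       # assumed Intel SCS service account
$sid     = (Get-ADUser -Identity $scsUser).SID   # SecurityIdentifier of the account

# schemaIDGUID of the "computer" class, so every ACE is limited to Computer objects
$schemaNc     = (Get-ADRootDSE).schemaNamingContext
$computerGuid = [Guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=computer)' `
                    -Properties schemaIDGUID).schemaIDGUID

$Rights = [System.DirectoryServices.ActiveDirectoryRights]
$Allow  = [System.Security.AccessControl.AccessControlType]::Allow
$None   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$Desc   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$ouDn"

# Rights on the OU itself (no inheritance): Create/Delete child objects of class Computer,
# and List contents (ListChildren) of the container.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $Rights::CreateChild, $Allow, $computerGuid, $None))
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $Rights::DeleteChild, $Allow, $computerGuid, $None))
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $Rights::ListChildren, $Allow, $None))

# Rights on descendant Computer objects are scoped with InheritanceType = Descendents and
# InheritedObjectType = computer, so they never apply to users, groups or the OU itself.
# ReadProperty here is a PLACEHOLDER for the explicit rights the post listed; replace it
# with the approved set rather than GenericAll.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $Rights::ReadProperty, $Allow, $Desc, $computerGuid))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check: show exactly what the service account now holds on the OU and flag Full Control.
$mine = (Get-Acl -Path "AD:\$ouDn").Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
}
$mine | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize

$full = $Rights::GenericAll
if ($mine | Where-Object { ($_.ActiveDirectoryRights -band $full) -eq $full }) {
    Write-Warning "Service account $scsUser holds GenericAll (Full Control) on $ouDn"
}
```

Note that ObjectType and InheritedObjectType are different GUID slots: the OU-level Create/Delete ACEs put the computer class GUID in ObjectType (which child class may be created or deleted), while the descendant ACE puts it in InheritedObjectType (which descendant class the ACE is inherited by). Mixing the two produces an ACE that looks right in the GUI but does not restrict what the account can do.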

Taken from an original (deleted) post by TerryCutler.


Intel AMT Remote Configuration lets the Intel AMT firmware authenticate the configuration server during the initial Intel AMT configuration event. Remote Configuration supports Admin Control Mode configuration of the Intel AMT firmware and is typically done using a valid provisioning certificate for the customer's environment.


This authentication has to complete without user interaction. If the requesting application (Intel SCS, for example) is prompted every time it needs access to the certificate's private key, that autonomy is lost.


When importing the certificate on the target server, if the strong private key protection option is selected and greyed out, a conflicting cryptography group policy has been applied to the server.


Changing the group policy applied to the server removes this barrier: set the System cryptography policy "Force strong key protection for user keys stored on the computer" to "User input is not required when new keys are stored and used".
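A check for the condition described above, as an added PowerShell example that is not from the original post: the "Force strong key protection" policy is backed by the ForceKeyProtection value under HKLM\SOFTWARE\Policies\Microsoft\Cryptography, so reading it on the SCS server tells you whether policy is what greyed out the import option, and which of the three settings is in force. The remediation at the end is an assumption about your environment: writing the value locally only helps on a server that is not receiving the setting from a domain GPO, because Group Policy refresh will rewrite it.

```powershell
# Added example (not from the original post). Run elevated on the Intel SCS server.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography'

# The three options the "Force strong key protection for user keys stored on the
# computer" policy offers, keyed by the DWORD the policy writes.
$meaning = @{
    0 = 'User input is not required when new keys are stored and used'
    1 = 'User is prompted when the key is first used'
    2 = 'User must enter a password each time they use a key'
}

$value = (Get-ItemProperty -Path $policyKey -Name ForceKeyProtection -ErrorAction SilentlyContinue).ForceKeyProtection

if ($null -eq $value) {
    Write-Output 'ForceKeyProtection is not set by policy (Not Defined); the import dialog should not be forced.'
}
else {
    Write-Output ("ForceKeyProtection = {0}: {1}" -f $value, $meaning[[int]$value])
    if ([int]$value -ne 0) {
        Write-Warning 'Policy forces strong private key protection; Intel SCS remote configuration will stall on a key prompt.'
        Write-Warning 'Change the setting in the GPO that delivers it, then run gpupdate /force and re-import the certificate.'
        # Local-only remediation (assumption: no domain GPO delivers this value, otherwise
        # Group Policy refresh will overwrite it). Uncomment to apply the documented fix:
        # Set-ItemProperty -Path $policyKey -Name ForceKeyProtection -Value 0 -Type DWord
    }
}
```

If the value reads 0 but the option is still greyed out, look at `gpresult /h report.html` for another GPO in the processing order that wins, rather than editing the registry again.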
