Hi Friends,

I regret to inform you that there aren't any clear-cut documents about remote provisioning of vPro clients using SCCM, especially when it comes to using a self-created certificate from an internal CA. There is one thing that has been troubling me for a long time, and that is certificate-based authentication: I just can't get Remote Configuration to work. As you are already aware, the Intel MeBX comes preloaded with a few standard certificates from external vendors like GoDaddy, Verisign, Comodo and so on, but then there are a lot of people like myself who do not wish to purchase certificates from the above-mentioned vendors. We really want to use a certificate from an internal CA based on our existing Windows Active Directory infrastructure, if possible. I would really appreciate it if you could help me with the steps for using a self-generated certificate from an internal CA to remotely provision vPro-enabled clients.

My objective is to be able to remotely provision vPro-enabled clients out of the box (either in a workgroup or even across a domain). I am new to the vPro technology and have studied most of the resources from the web and, of course, the user guides available on the Intel website and so on. I want to learn Remote Configuration using the PKI or the PSK infrastructure.

I am trying to implement vPro remote provisioning in my lab here, to no avail. I have a small private network on a domain with one Windows Server 2008 computer with the following roles: ADS, DNS, DHCP, IIS, WDS and SCCM as well. I have also enabled DHCP options 15 and 6, and made sure that the alias name has been created for ProvisionServer in the DNS records. I have a few HP 2540P laptops with Intel AMT firmware version 6.0.3.

Would you please clarify my queries on the following:
1. If I am going to be using SCCM to do OOB provisioning and manage vPro-enabled clients, do I still need to install SCS / RCS on the DC (Server 2008)? If yes, why?
2. Is there any basic out-of-the-box configuration / setup that I need to do in the MeBX of the vPro clients before they can be remotely provisioned via SCCM using TLS? Or is it that Remote Configuration can be done by simply connecting the out-of-the-box vPro client to the network and power supply? I suppose there is. Could you please give me the detailed steps that we need to perform in the MeBX of vPro clients with AMT >= 6 before connecting to the network?
3. I don't wish to use certificates from an external CA like GoDaddy, Verisign, Comodo etc.; I would rather use a certificate created from an internal CA based on our existing AD infrastructure and certification authority instead. I have also exported a copy of the .pfx certificate file as per http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning2 .
Per the documentation, now that we have created a provisioning certificate, we need to insert the certificate hash into the MeBX. Is there a way to burn the certificate hash into the MeBX using a USB flash drive? Which tool would I use, and what command/syntax would prepare a USB flash drive for burning the certificate hash into the MeBX?
4. For the environments with only AMT version 6 and above, do we still need to install and configure wsman Translator for provisioning based PSK keys? I suppose wsman translator is only required for provisioning vPro client with earlier AMT versions. Right?
In simple words, I just want to implement remote provisioning of vPro clients with AMT versions 6 and above with SCCM using the PKI infrastructure (a certificate from an internal CA). Can you please walk us through the detailed steps that haven't been discussed elsewhere?
Thanks in advance