Ok I was able to work it out myself in the end.
For those playing at home I had to disable Integrated Windows Authentication in IE settings. This allowed me to log in using the admin digest account.
I am still yet to figure out how to get the AMT status to change to Externally Provisioned but will update this thread when I do in case it helps anyone else out.
This is great news that you were able to isolate the web interface problem. Can you please give me some details on your SCCM version?
Also, you may want to consider running the platform discovery task sequence on all of your AMT platforms before and after configuration. This will update the hardware inventory classes in your SCCM instance and hopefully populate your collections accordingly.
SCCM Version is SCCM 2012 R2 SP1
We are not using the full Intel SCS Addon. We have kept things fairly simple in that regard by just using the Configurator to send a hello packet to the Intel RCS which executes a PowerShell script to provision the appropriate Intel SCS Profile to the workstation.
I have configured the Out-of-Band component in SCCM to have the correct Admin password for discovery purposes.
My main issue now is with Kerberos authentication. I have successfully pushed the profile to the Workstation and most things are working as expected with my Active Directory account. I can KVM (only if my AD account is directly on the chip and not in a nested group) and connect using the Manageability Command Tool or the Intel vPro Platform Solution Manager.
Unfortunately I cannot connect to the AMT Web Interface with Kerberos using any AD account. I believe this is also stopping the appropriate OOB discovery through SCCM.
I never heard from biz-support so I am adding my findings here:
I discovered through a network trace that the port was not being sent with the SPN as per https://support.microsoft.com/en-us/kb/908209 even though I had configured the registry keys and rebooted.
Results: (NOTE: Above registry keys were present on all systems)
Remote server (Hosting Intel RCS) - Windows Server 2012 (non R2) with IE 10 - Web authentication using Kerberos unsuccessful (Trace shows port not sent despite registry keys being present)
Remote server - Windows Server 2012 R2 with IE 11 - Web authentication using Kerberos successful
Local workstation (connecting to local AMT chip) - Windows 10 with IE 11 - Web authentication using Kerberos successful
I am not sure why the port is not being sent from that particular server but it could be the OS or IE version.
Also as per my other thread make sure any groups you add are Global AD groups and NOT Domain Local groups.
SCCM is now showing as "Externally Provisioned".