3 Replies Latest reply on Jul 16, 2010 3:09 PM by chykun

    Intel AMT Lenovo Activation using PKI

    bbowron

      We are starting to provision our M58p, M57p, and T500's using SCCM. We need to use our PKI cert and we have been able to manually enter the hash into a few machines and provisioning starts with no issues. Now the problem is we need to deploy this hash to machines already out in the field and machines currently being deployed.

      1) How do we deploy the new PKI hash to machines out in the field?

      2) How do we deploy the hash before the machine is deployed as manually this is alot to have each tech enter it manually (not to mention error prone). We have already tried the usbfile.exe and intel usb provision utility but on reboot the machines all say "Disk Error Press any key to restart".

       

      Any help would be appreciated.

        • 1. Re: Intel AMT Lenovo Activation using PKI
          spabercr

          This issue may have multiple reasons so I need to get clarifying information.

          Each platform has separate versions of AMT, I specifically need to know which versions you have.

          I also highly recommend you upgrade to the latest version for each generation you have, there have been various issues with certificates including the replacement of Verisign G2 cert about a year ago, here is the link http://communities.intel.com/community/openportit/vproexpert/blog/2010/04/27/microsoft-sccm-and-intel-vpro-certificates).

           

          If this is not a Verisign cert please let me know what cert you are using.

           

          Once I have this info I can work thru the issue. One last thing on USB keys, there are a limited number of USB keys that are supported, I would contact Lenovo directly and ask them for a list of apporved keys to use for provisioning.

          • 2. Re: Intel AMT Lenovo Activation using PKI
            spabercr

            some additoanl quesiotns I need to ask, what consoel woudl you be using and are you looking to buy a provisioning cert our use your own. the Idea of PKI si to remotely update platforms and this will help me point you in the right direciton. Currently by jsut the words you sue it sounds like you ahve yrou own cert, if that is the case  then its going to be by hand or usb key. There are alternative (and possibly cheaper and less time consuming) ways to get thsi done.

            • 3. Re: Intel AMT Lenovo Activation using PKI
              chykun

              I think you'd be better off buying a provisioning cert from GoDaddy, VeriSign, Komodo...  I looked a month ago and you can get a 2 year cert for $200.00 from GoDaddy.  Those hashes are in the MEBx by default.   I don't know of a way that you can put your in-house root hash into the MEBx other than getting a custom firmware load from the manufacturer or touching every machine.  With they USB key method, again, you are touching every machine.