5 Replies Latest reply on Jul 28, 2008 8:01 AM by miroyer

    how to issue an SCCM provision certificate with a Microsoft Enterprise CA?

    jenniferjin

      Hi,

       

      I set up the SCCM SP1, with Microsoft CA in Enterprise CA mode, and created a provision certificate template, then requested a provision certificate, exported the certificate, then added it into SCCM OOB management. But provision failed, the amtopmgr.log shows:

      Found new provision server certificate with hash 8B3263FC3CC7AEEDF7775DF562100F33C6B9BCDE.  $$

       

      My template is duplicated from the User template, and the OID name is intel-oid, the OID number is: 2.16.840.1.113741.1.2.1, and I don't find any place to type the CN name when I did those.

       

      Does anyone have some idea about this issue, or have a step-by-step guide?

       

      thanks

       

      -Jen

        • 1. Re: how to issue an SCCM provision certificate with a Microsoft Enterprise CA?
          miroyer

           

          This is content from the SCCM SP1 Help File. I think this is what you are looking for. Does it address your question?

          Overview

           

           

          PKI certificates must be prepared and installed prior to managing computers out of band in Configuration Manager 2007 SP1. This guide does not include installing and configuring Configuration Manager 2007 SP1 or provisioning computers for AMT, but it provides the steps to deploy the certificates required for provisioning computers for AMT so that they can be managed out of band. For more information about configuration of Configuration Manager 2007 SP1 for out of band management, see Configuring Out of Band Management.

           

           

          The following table lists the two PKI certificates that are required for managing AMT computers out of band and describes how they are used in a Configuration Manager 2007 SP1 site.

           

          Certificate Requirement | Certificate Description

          AMT provisioning certificate | This certificate is used to prepare AMT-based computers for out of band management by Configuration Manager 2007 SP1. For more information about AMT provisioning, see About AMT Provisioning for Out of Band Management.

          Web server certificate | This certificate is requested by the primary site server on behalf of AMT-based computers and then installed in the AMT firmware in the computers. After this certificate is installed, it is used to authenticate the AMT-based computer to the computer running the out of band management console before establishing an out of band management session and then encrypting all data between them.

           

          For more information about the certificates, see Certificate Requirements for Out of Band Management.

           

           

          Follow the steps in this guide to achieve the following goals:

           

          • Create Windows security groups to be used with the certificate templates.

          • Request, install, and prepare the AMT provisioning certificate.

          • Prepare Web server certificates by configuring a certificate template on the issuing CA.

           

          Creating Windows Security Groups for the Site System Servers

           

           

          This step has a single procedure.

           

           

          To create Windows security groups for the site system servers

           

           

          1. On the domain controller, click Start, Programs, Administrative Tools, Active Directory Users and Computers.

           

           

          2. Right-click the domain, click New, and then click Group.

           

           

          3. In the New Object - Group dialog box, enter ConfigMgr Primary Site Servers as the Group name, and then click OK.

           

           

          4. In Directory Users and Computers, right-click the group you have just created, and then click Properties.

           

           

          5. Click the Members tab, and then click Add to select the member server.

           

           

          6. Click OK, and then click OK again to close the group properties dialog box.

           

           

          7. Repeat steps 2 through 6, this time naming the group ConfigMgr Out of Band Service Points.

           

           

          8. Restart your member server (if running) so that it can pick up the new group membership.

           

          Note

          In our test environment, there is only one server to add, which will be used for both the primary site server and the out of band service point. However, in a production environment, it is likely that you will have multiple primary sites that will support out of band management, and install the out of band service point on a different server than the site server. It is therefore good practice to assign permissions to two groups and add all your primary site servers to one group, and all your out of band service point site systems to the other group.

           

           

                         Creating security groups for these servers enables you to assign permissions so that only these servers can request these certificates.

           

          These security groups will be used to help ensure that only the required servers can use the two certificate templates required for AMT provisioning.

           

           

          Requesting, Installing and Preparing the AMT Provisioning Certificate

           

           

          This step has two procedures:

          • Requesting and installing the AMT provisioning certificate using only one of the following procedures, depending on your requirements:

            • Requesting and Installing the AMT Provisioning Certificate from an External Certification Authority.

            • Requesting and Installing the AMT Provisioning Certificate from an In-House Certification Authority When All Computers That Will Be Managed Out Of Band Are In the Same Active Directory Domain As the Out Of Band Service Point.

            • Requesting and Installing the AMT Provisioning Certificate from an In-House Certification Authority When One or More Computers That Will Be Managed Out Of Band Are Not In the Same Active Directory Domain As the Out Of Band Service Point.

          • Preparing the AMT Provisioning Certificate for the Out of Band Management Component

           

           

          AMT-based computers are configured by the computer manufacturer to use external certification authorities, such as VeriSign and Go Daddy. If you will use your in-house CA to provision computers for AMT, one of the following conditions must be true:

           

          • Your computer supplier updated the AMT memory of the computers with the certificate thumbprint of your in-house root certificate.

          • You will manually add the certificate thumbprint of your in-house root certificate to each computer that will be provisioned for out of band management in Configuration Manager 2007 SP1.

           

          If you need more information about how to locate the certificate thumbprint of your in-house root certificate thumbprint, use the following procedure.

           

           

          If your in-house root certificate thumbprint has not been added to the AMT memory of your computers, refer to your computer manufacturer instructions for information about how to configure the AMT certificate hash option with your certificate thumbprint value.

           

           

          To locate the certificate thumbprint of your in-house root certificate

           

           

          1. On the computer running Certificate Services and configured as the root CA, click Start, Programs, Administrative Tools, Certification Authority.

           

           

          2. Right-click the name of your CA, and then click Properties.

           

           

          3. Click View Certificate.

           

           

          4. Click the Details tab.

           

           

          5. Scroll and select Thumbprint.

           

           

          6. Copy the string of hexadecimal numbers to the clipboard.

           

           

          7. Open Notepad or another text editor, and paste the string of hexadecimal numbers into the file.

           

           

          8. Save the file and store it securely for later reference; for example, to provide it to your computer supplier or if you need to type the string to configure the AMT certificate hash value.

           

           

          9. In the Certificate dialog box, click OK.

           

           

          10. Click OK, and exit Certification Authority.

           

           

          Requesting and Installing the AMT Provisioning Certificate from an External Certification Authority

           

          Note

          If you have alternative instructions from the company issuing the AMT provisioning certificate, use their instructions in preference to the steps in the following procedure.

           

          To request and install the AMT provisioning certificate from an external certification authority

           

           

          1. On the domain controller running the Windows Server 2003 console, click Start, Programs, Administrative Tools, Certification Authority.

           

           

          2. Expand the name of your CA, and then click Certificate Templates.

           

           

          3. Right-click Certificate Templates, and click Manage to load the Certificates Templates management console.

           

           

          4. In the results pane, right-click the entry that displays Web Server in the Template Display Name column, and then click Duplicate Template.

           

           

          5. In the Properties of New Template dialog box, on the General tab, enter a template name for the AMT provisioning certificate template, such as ConfigMgr AMT Provisioning.

           

           

          6. Click the Request Handling tab, and select Allow private key to be exported.

           

           

          7. Click the Extensions tab, make sure Application Policies is selected, and then click Edit.

           

           

          8. In the Edit Application Policies Extension dialog box, click Add.

           

           

          9. In the Add Application Policy dialog box, click New.

           

           

          10. In the New Application Policy dialog box, type AMT Provisioning in the Name: field, and then type the following number for the Object identifier: 2.16.840.1.113741.1.2.3.

           

           

          11. Click OK, and then click OK in the Add Application Policy dialog box.

           

           

          12. Click OK in the Edit Application Policies Extension dialog box.

           

           

          13. In the Properties of New Template dialog box, you should now see listed as the description of Application Policies Server Authentication and AMT Provisioning.

           

           

          14. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.

           

           

          15. Click Add, enter ConfigMgr Out of Band Service Points in the text box, and then click OK.

           

           

          16. Select the following Allow permissions for this group: Read and Enroll.

           

           

          17. Click OK and close the Certificate Templates administrator console, certtmpl - .

           

           

          18. In Certification Authority, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

           

           

          19. In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr AMT Provisioning, and then click OK.

           

          Note

          If you cannot complete steps 18 or 19, check that you are using the Enterprise Edition of Windows Server 2003. Although you can configure templates with Windows Server Standard Edition and Certificate Services, you cannot deploy certificates using modified certificate templates unless you are using the Enterprise Edition of Windows Server 2003.

           

          20. Do not close Certification Authority.

           

           

          21. On the member server, load Internet Explorer and connect to the Web enrollment service with the address http://<server>/certsrv where <server> is the name or IP address of the Enterprise CA.

           

           

          22. On the Welcome page, select Request a certificate.

           

           

          23. On the Request a Certificate page, select advanced certificate request.

           

           

          24. On the Advanced Certificate Request page, select Create and submit a request to this CA.

           

           

          25. On the Advanced Certificate Request page, specify the following:

          • Select ConfigMgr AMT Provisioning for the Certificate Template.

          Note

          If you cannot see this certificate template displayed, check that you restarted the member server (if it was running) after you configured the security group in the earlier procedure.

          • Type the fully qualified domain name (FQDN) of the out of band service point in the Name field, or, if all computers to be managed out of band are not in the same Active Directory domain as the out of band service point, use a wildcard in the format *.<common namespace>.

          Note

          An example of a wildcard entry is *.contoso.com if computers to be managed out of band reside in the domain sales.contoso.com and marketing.contoso.com, and the out of band service point site system server resides in opperations.contoso.com.

          • Type a contact e-mail address for your company in the E-Mail field.

          • Type the name of your company in the Company field.

          • Type the name of your company's department in the Department field.

          • Type your company's city name in the City field.

          • Type your company's state (full name or abbreviation) in the State field.

          • Type your company's country code and region in the Country/Region field.

          • Under the section Key Options, enable Store certificate in the local computer certificate store.

          • Under the section Additional Options, click PKCS10, click Save request to file, and then type in the full path and name for the offline certificate request file, such as C:\certreq_amt_<servername>.txt where <servername> is the host name of the out of band service point.

          • Type your choice of name for Friendly Name, such as ConfigMgr AMT Provisioning Certificate for <FQDN> where <FQDN> is the fully qualified name of the out of band service point.

           

           

          26. Click Save.

           

           

          27. Click Yes when prompted in the Potential Scripting Violation dialog box.

           

           

          28. Click Yes when prompted in the Certificate Enrollment dialog box.

           

           

          29. Click OK to confirm that the request was saved to file.

           

           

          30. Exit Internet Explorer.

           

           

          31. Send the file to the external CA using any instructions that they provide.

           

           

          32. When you receive the AMT provisioning certificate from the CA, it is likely to be in an e-mail format. Copy the text and paste it into Notepad, saving the file with a .p7b extension. Make sure that you can access the file from the member server.

           

           

          33. On the member server, click Start, click Run, type MMC in the Run dialog box, and then click OK.

           

           

          34. In the empty console, click File, and then click Add/Remove Snap-in.

           

           

          35. In the Add or Remove Snap-ins dialog box, click Add.

           

           

          36. Select Certificates from Available snap-ins, and then click Add.

           

           

          37. In the Certificates snap-in dialog box, click Computer account, and then click Next.

           

           

          38. In the Select Computer dialog box, ensure that the option Local computer: (the computer this console is running on) is selected, and then click Finish.

           

           

          39. In the Add Standalone Snap-in dialog box, click Close.

           

           

          40. In the Add or Remove Snap-ins dialog box, click OK.

           

           

          41. In the console, expand Certificates (Local Computer).

           

           

          42. Expand Personal, and then right-click Certificates.

           

           

          43. Click All Tasks, and click Import.

           

           

          44. In the Welcome to the Certificate Import Wizard page, click Next.

           

           

          45. On the File to Import page, click Browse to navigate to the saved file with the .p7b extension, and then click Next.

           

           

          46. Select Place all certificates in the following store, click Next, and then click Finish.

           

           

          47. Press F5 to refresh, and you should now see the provisioning certificate displayed.

           

           

          48. Do not close Certificates (Local Computer).

           

           

          The AMT provisioning certificate from an external CA is now installed and is ready to be prepared for the out of band management component.

           

           

          Requesting and Installing the AMT Provisioning Certificate from an In-House Certification Authority When All Computers That Will Be Managed Out of Band Are in the Same Active Directory Domain as the Out of Band Service Point

           

           

          To request and install the AMT provisioning certificate from an in-house certification authority when all computers that will be managed out of band are in the same Active Directory domain as the out of band service point

           

           

          1. On the domain controller running the Windows Server 2003 console, click Start, Programs, Administrative Tools, Certification Authority.

           

           

          2. Expand the name of your CA, and then click Certificate Templates.

           

           

          3. Right-click Certificate Templates, and click Manage to load the Certificates Templates management console.

           

           

          4. In the results pane, right-click the entry that displays Web Server in the Template Display Name column, and then click Duplicate Template.

           

           

          5. In the Properties of New Template dialog box, on the General tab, enter a template name for the AMT provisioning certificate template, such as ConfigMgr AMT Provisioning.

           

           

          6. Click the Request Handling tab, and select Allow private key to be exported.

           

           

          7. Click the Subject Name tab, select Build from this Active Directory information, and then select Common name.

           

           

          8. Click the Extensions tab, make sure Application Policies is selected, and then click Edit.

           

           

          9. In the Edit Application Policies Extension dialog box, click Add.

           

           

          10. In the Add Application Policy dialog box, click New.

           

           

          11. In the New Application Policy dialog box, type AMT Provisioning in the Name: field, and then type the following number for the Object identifier: 2.16.840.1.113741.1.2.3.

           

           

          12. Click OK, and then click OK in the Add Application Policy dialog box.

           

           

          13. Click OK in the Edit Application Policies Extension dialog box.

           

           

          14. In the Properties of New Template dialog box, you should now see listed as the description of Application Policies Server Authentication and AMT Provisioning.

           

           

          15. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.

           

           

          16. Click Add, enter ConfigMgr Out of Band Service Points in the text box, and then click OK.

           

           

          17. Select the following Allow permissions for this group: Read and Enroll.

           

           

          18. Click OK, and close the Certificate Templates administrator console, certtmpl - .

           

           

          19. In Certification Authority, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

           

           

          20. In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr AMT Provisioning, and then click OK.

           

          Note

          If you cannot complete steps 19 or 20, check that you are using the Enterprise Edition of Windows Server 2003. Although you can configure templates with Windows Server Standard Edition and Certificate Services, you cannot deploy certificates using modified certificate templates unless you are using the Enterprise Edition of Windows Server 2003.

           

          21. Do not close Certification Authority.

           

           

          22. On the member server, click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.

           

           

          23. In the Add/Remove Snap-in dialog box, click Add, click Certificates, and then click Add.

           

           

          24. In the Certificate snap-in dialog box, select Computer account, and then click Next.

           

           

          25. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish.

           

           

          26. In the Add Standalone Snap-in dialog box, click Close.

           

           

          27. In the Add/Remove Snap-in dialog box, click OK.

           

           

          28. In the console that now displays Certificates (Local Computer), expand Certificates (Local Computer), and then click Personal.

           

           

          29. Right-click Certificates, click All Tasks, and then click Request New Certificate.

           

           

          30. On the Welcome to the Certificate Request Wizard page, click Next.

           

           

          31. On the Certificates Type page, select ConfigMgr AMT Provisioning from the list of displayed certificates, and then click Next.

           

          Note

          If you cannot see this certificate template displayed, check that you restarted the member server (if it was running) after you configured the security group in the earlier procedure.

           

          32. On the Certificate Friendly Name and Description page, optionally enter a friendly name and description to help you identify this certificate, and then click Next.

           

           

          33. On the Completing the Certificate Request Wizard page, click Finish.

           

           

          34. You should see the Certificate Request Wizard dialog box informing you that the certificate request was successful. Click OK.

           

           

          35. You should now see the provisioning certificate displayed.

           

           

          36. Do not close Certificates (Local Computer).

           

           

          The AMT provisioning certificate from your in-house CA is now installed and is ready to be prepared for the out of band management component.

           

           

          Requesting and Installing the AMT Provisioning Certificate from an In-House Certification Authority When One or More Computers That Will Be Managed Out of Band Are Not in the Same Active Directory Domain as the Out of Band Service Point

           

           

          To request and install the AMT provisioning certificate from an in-house certification authority when one or more computers that will be managed out of band are not in the same Active Directory domain as the out of band service point domain

           

           

          1. On the domain controller running the Windows Server 2003 console, click Start, Programs, Administrative Tools, Certification Authority.

           

           

          2. Expand the name of your CA, and then click Certificate Templates.

           

           

          3. Right-click Certificate Templates, and click Manage to load the Certificates Templates management console.

           

           

          4. In the results pane, right-click the entry that displays Web Server in the Template Display Name column, and then click Duplicate Template.

           

           

          5. In the Properties of New Template dialog box, on the General tab, enter a template name for the AMT provisioning certificate template, such as ConfigMgr AMT Provisioning.

           

           

          6. Click Publish certificate in Active Directory.

           

           

          7. Click the Request Handling tab, and select Allow private key to be exported.

           

           

          8. Click the Extensions tab, make sure Application Policies is selected, and then click Edit.

           

           

          9. In the Edit Application Policies Extension dialog box, click Add.

           

           

          10. In the Add Application Policy dialog box, click New.

           

           

          11. In the New Application Policy dialog box, type AMT Provisioning in the Name: field, and then type the following number for the Object identifier: 2.16.840.1.113741.1.2.3.

           

           

          12. Click OK, and then click OK in the Add Application Policy dialog box.

           

           

          13. Click OK in the Edit Application Policies Extension dialog box.

           

           

          14. In the Properties of New Template dialog box, you should now see listed as the description of Application Policies Server Authentication and AMT Provisioning.

           

           

          15. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.

           

           

          16. Click Add, enter ConfigMgr Out of Band Service Points in the text box, and then click OK.

           

           

          17. Select the following Allow permissions for this group: Read and Enroll.

           

           

          18. Click OK and close the Certificate Templates administrator console, certtmpl - .

           

           

          19. In Certification Authority, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

           

           

          20. In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr AMT Provisioning, and then click OK.

           

          Note

          If you cannot complete steps 19 or 20, check that you are using the Enterprise Edition of Windows Server 2003. Although you can configure templates with Windows Server Standard Edition and Certificate Services, you cannot deploy certificates using modified certificate templates unless you are using the Enterprise Edition of Windows Server 2003.

           

          21. Do not close Certification Authority.

           

           

          22. On the member server, load Internet Explorer and connect to the Web enrollment service with the address http://<server>/certsrv where <server> is the name or IP address of the Enterprise CA.

           

           

          23. On the Welcome page, select Request a certificate.

           

           

          24. On the Request a Certificate page, select advanced certificate request.

           

           

          25. On the Advanced Certificate Request page, select Create and submit a request to this CA.

           

           

          26. On the Advanced Certificate Request page, specify the following:

          • Select ConfigMgr AMT Provisioning for the Certificate Template.

          Note

          If you cannot see this certificate template displayed, check that you restarted the member server (if it was running) after you configured the security group in the earlier procedure.

          • Type the fully qualified domain name (FQDN) of the out of band service point in the Name field, or, if all computers to be managed out of band are not in the same Active Directory domain as the out of band service point, use a wildcard in the format *.<common namespace>.

          Note

          An example of a wildcard entry is *.contoso.com if computers to be managed out of band reside in the domain sales.contoso.com and marketing.contoso.com, and the out of band service point site system server resides in opperations.contoso.com.

          • Under the section Key Options, enable Store certificate in the local computer certificate store.

          • Type your choice of name for Friendly Name, such as ConfigMgr AMT Provisioning Certificate for <FQDN> where <FQDN> is the fully qualified name of the out of band service point.

           

           

          27. Click Submit.

           

           

          28. Click Yes when prompted to confirm the certificate request.

           

           

          29. Click Install this certificate.

           

           

          30. Exit Internet Explorer.

           

           

          31. To confirm that the certificate is installed, click Start, click Run, type MMC in the Run dialog box, and then click OK.

           

           

          32. In the empty console, click File, and then click Add/Remove Snap-in.

           

           

          33. In the Add or Remove Snap-ins dialog box, click Add.

           

           

          34. Select Certificates from Available snap-ins, and then click Add.

           

           

          35. In the Certificates snap-in dialog box, click Computer account, and then click Next.

           

           

          36. In the Select Computer dialog box, ensure that the option Local computer: (the computer this console is running on) is selected, and then click Finish.

           

           

          37. In the Add Standalone Snap-in dialog box, click Close.

           

           

          38. In the Add or Remove Snap-ins dialog box, click OK.

           

           

          39. In the console, expand Certificates (Local Computer).

           

           

          40. Expand Personal, and view the certificates, confirming that the provisioning certificate you requested is installed.

           

           

          41. Do not close Certificates (Local Computer).

           

           

          The AMT provisioning certificate from your in-house CA is now installed and is ready to be prepared for the out of band management component.

           

           

          Preparing the AMT Provisioning Certificate for the Out of Band Management Component

           

           

          To prepare the AMT provisioning certificate for the out of band management component

           

           

          1. In Certificates (Local Computer) running on the member server, right-click the provisioning certificate, click All Tasks, and then click Export.

           

           

          2. In the Certificate Export Wizard, click Next.

           

           

          3. On the Export Private Key page, select Yes, export the private key, and then click Next.

           

           

          4. On the Export File Format page, ensure that Personal Information Exchange - PKCS #12 (.PFX) is selected, and then select Include all certificates in the certificate path if possible.

           

           

          5. On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next.

           

           

          6. Click Next, and on the File to Export page, specify the path and name of the file that you want to export, and then click Next.

           

           

          7. Click Finish in the Completing the Certificate Export Wizard page, and then click OK in the Certificate Export Wizard dialog box.

           

           

          8. Store the file securely and ensure that you can access it from the Configuration Manager console.

           

           

          The AMT provisioning certificate is now ready to be configured for the out of band management component. For more information, see How to Configure AMT Provisioning.

           

           

          Preparing the Web Server Certificates for AMT Computers

           

           

          This step has a single procedure.

           

           

          To create and issue the Web server certificate template on the certification authority

           

           

          1. On the domain controller running the Certification Authority management console, right-click Certificate Templates, and click Manage to load the Certificate Templates management console.

           

           

          2. In the results pane, right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template.

           

           

          3. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the Web certificates that will be used for out of band management on AMT computers, such as ConfigMgr AMT Web Server Certificate, and then select Publish certificate in Active Directory.

           

           

          4. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.

           

           

          5. Click Add, enter ConfigMgr Primary Site Servers in the text box, and then click OK.

           

           

          6. Select the following Allow permissions for this group: Read, Enroll, and Autoenroll.

           

           

          7. Click OK, and close the Certificate Templates management console, certtmpl - .

           

           

          8. In the Certification Authority management console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

           

           

          9. In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr AMT Web Server Certificate, and then click OK.

           

           

          10. Close Certification Authority.

           

           

          The AMT Web server template is now ready to provision AMT computers with Web server certificates.
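          The check below is an added example, not part of the Help file text or of the original post. It audits the provisioning certificate in the Local Computer Personal store (steps 31-40 and the export procedure above). Assumptions: the friendly name starts with the suggested "ConfigMgr AMT Provisioning Certificate", the FQDN sccm01.contoso.com is hypothetical, and 2.16.840.1.113741.1.2.3 is Intel's AMT provisioning OID, which this part of the page does not state.

```powershell
# Added example, not from the Help file: audit an AMT provisioning certificate.
function Test-AmtProvisioningCert {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [Parameter(Mandatory = $true)] [string] $ServicePointFqdn
    )
    $problems = @()
    # The export procedure (step 3) only works if the private key is in the store.
    if (-not $Cert.HasPrivateKey) { $problems += 'Private key missing from the store' }
    if ($Cert.NotAfter -lt (Get-Date)) { $problems += "Expired on $($Cert.NotAfter)" }

    # EKU must list Server Authentication and the Intel AMT provisioning OID.
    $required = @{
        '1.3.6.1.5.5.7.3.1'       = 'Server Authentication'
        '2.16.840.1.113741.1.2.3' = 'Intel AMT provisioning'
    }
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $eku = @($Cert.Extensions | Where-Object { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    foreach ($oid in $required.Keys) {
        if ($eku -notcontains $oid) { $problems += "EKU lacks $($required[$oid]) ($oid)" }
    }

    # Assumption: CN is the service point FQDN or a wildcard covering its suffix.
    $cn   = $Cert.GetNameInfo('SimpleName', $false).ToLower()
    $fqdn = $ServicePointFqdn.ToLower()
    $wild = $cn.StartsWith('*.') -and $fqdn.EndsWith($cn.Substring(1))
    if (($cn -ne $fqdn) -and (-not $wild)) { $problems += "CN '$cn' does not cover $fqdn" }

    # Build the chain without revocation checks; the last element is the top of
    # the chain (the root CA certificate when the chain is complete).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Cert)) { $problems += 'Chain does not build to a trusted root' }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    New-Object psobject -Property @{
        Subject        = $Cert.Subject
        Thumbprint     = $Cert.Thumbprint
        RootSubject    = $root.Subject
        RootThumbprint = $root.Thumbprint   # SHA-1 hash of the top chain element
        Problems       = $problems
    }
}

# Hypothetical FQDN; the friendly-name prefix is the one suggested in the steps.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -like 'ConfigMgr AMT Provisioning Certificate*' } |
    ForEach-Object { Test-AmtProvisioningCert -Cert $_ -ServicePointFqdn 'sccm01.contoso.com' }
```

          An empty Problems list means the certificate is fit to export. RootThumbprint is the in-house root's SHA-1 hash, which is the value to compare against the certificate hashes configured in the MEBx.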

           

           

           

          • 2. Re: how to issue an SCCM provion certificate with a Microsoft Enterpise CA?
            jenniferjin

             

            Thanks very much.

             

             

            After 55 failures, I got it!!!!!! My SCCM SP1 provision is done.

             

             

            • 3. Re: how to issue an SCCM provion certificate with a Microsoft Enterpise CA?
              Nirmal

               

              Hi vPro Experts,

               

               

              I installed the SCCM client on my AMT-enabled PC. But in my SCCM console, I could see the AMT status as "Detected", not provisioned.

               

               

              Can anyone help me resolve this?

               

               

              Thanks in Advance

               

               

              Nirmal

               

               

              • 4. Re: how to issue an SCCM provion certificate with a Microsoft Enterpise CA?
                Trevor.Sullivan

                Hello Nirmal,

                 

                You might want to start a new thread/discussion about the specific problem you're having, in order to get the best level of assistance.

                 

                 

                 

                It sounds like you aren't set up to do provisioning yet, even though ConfigMgr is seeing your AMT chipsets. You probably need to create a collection that contains ConfigMgr resources that have Intel AMT available ("detected"), and then right-click the collection, select Modify Collection, then on the tab to the far right, there will be a checkbox to enable AMT Provisioning for that ConfigMgr collection. You can do this on your All Systems collection in theory, but I believe that it is not recommended; you can create a new, query-based ConfigMgr collection by specifying AMT Status = 1 or 3, I believe. I don't have a box in front of me to look at right now.

                 

                 

                If you post back more information though, please start a new thread. Also, additional information such as

                 

                 

                 

                Trevor Sullivan

                Systems Engineer

                • 5. Re: how to issue an SCCM provion certificate with a Microsoft Enterpise CA?
                  miroyer

                  Detected basically means that SCCM can detect that the client is AMT capable but does not have access to it (either to provision or to perform management functions).  I would recommend logging into the MEBx (Ctrl-P on POST) and performing a full unprovision.  You also need to make sure that you are using a PKI certificate that has been configured in the MEBx (VeriSign, GoDaddy, etc. are there by default; a self-generated one needs to be manually entered).

                   

                   

                   

                   

                  --Matt Royer