Provisioning AMT does not add the machine to the AD. You need to add the machine to AD and then provision AMT, either with Kerberos support, which will give you the (single sign-on) ability to manage AMT with the same usernames that you use to log into Windows, or with digest authentication (user names/passwords defined in the profile separately). On the SCS tree on the left side, navigate to the "User" section and make sure the SCSUser or the account you used to install has Administrator access to the SCS. If you had Enterprise Admin access it should be alright. When you provision using Kerberos, it will create an object with the machine name in the OU that is specified in the config properties for the machine (this is the second input item on the config properties window), but it will not automatically add the computer to AD. The computer should be part of the domain prior to initiating provisioning. Hope this helps!
Thanks for getting back to me.
We are currently trying to test Zero touch, so the machine will not have been added to the Active Directory before it is provisioned.
The only user in the user tree is the Administrator, so they should have all the rights that are required.
So still a little lost.
Zero touch refers to just the AMT provisioning, in that a properly staged machine gets provisioned automatically once it is set up on a user's desk. It does not have anything to do with what you normally do with respect to your OS build and the prep work that you do to get the machine joined to your domain. Once you have the machine joined to your domain internally, if you have one of the client setup certificates from the trusted roots built into AMT firmware, then provisioning happens automatically when the computer is turned on at the user's desk, without touching it. In fact, you need to make sure that the desktop/laptop gets provisioned properly with "hostname.domainname", in other words the fully qualified name, so it can be accessed later on for managing it. Appropriate process changes are needed to make sure provisioning does not happen prior to joining the computers to the domain, so they can be managed with the fully qualified name of the computer.
Alternatively, there is a way to provision AMT prior to the OS build (bare metal provisioning). In that case you need to have a plan to figure out the FQDN for the machine when the OS build is complete, have an alternate database lookup to figure out the name corresponding to the UUID, and have a script associate that FQDN with the UUID coming from the hello packets during provisioning. This will be more process intensive, and I have not had a chance to work with bare metal provisioning. Hope this helps!
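
The UUID-to-FQDN lookup described in the bare metal paragraph above, sketched as an added example that is not part of the original posts or of Intel SCS. `STAGING_DB`, `resolve_fqdn`, the domain and all records are hypothetical and constructed; the byte-order fallback assumes the inventory export and the hello packet may render the first three UUID fields differently (SMBIOS stores them little-endian).

```python
import re
import uuid

# Constructed staging records (hypothetical): UUID as exported by the asset
# inventory -> FQDN the machine will have once the OS build joins the domain.
STAGING_DB = {
    "4c4c4544-0042-4810-8057-b4c04f4a3131": "desk-0142.corp.example.com",
    "03000200-0400-0500-0006-000700080009": "lab-0007",  # bad record: no domain
}

# At least two labels, letters/digits/hyphens only, total length <= 253.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def _index(db):
    """Key records by parsed UUID so case, braces and dashes do not matter."""
    return {uuid.UUID(key): value for key, value in db.items()}


def resolve_fqdn(hello_uuid, db=STAGING_DB, domain="corp.example.com"):
    """Return the FQDN to provision with, or None to hold the request."""
    try:
        seen = uuid.UUID(hello_uuid)
    except (ValueError, AttributeError, TypeError):
        return None  # malformed UUID: never guess a name
    index = _index(db)
    # Assumption: one side may show the first three fields byte-swapped,
    # so look the UUID up in both renderings.
    swapped = uuid.UUID(bytes=seen.bytes_le)
    fqdn = index.get(seen) or index.get(swapped)
    if fqdn is None:
        return None  # machine was never staged
    fqdn = fqdn.lower().rstrip(".")
    # Refuse short names and names outside the expected domain, so AMT is
    # only ever configured with "hostname.domainname".
    if not FQDN_RE.match(fqdn) or not fqdn.endswith("." + domain):
        return None
    return fqdn
```

Returning `None` is meant to leave the machine unprovisioned until the staging record is corrected, rather than configuring AMT with a short or wrong name.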