1) Correct, there are two areas that certs come into play. The first, as you identified, is for the zero-touch provisioning model SCCM uses. This is also known as the remote configuration certificate. As for the other certificate requirement for SCCM, you are also correct. SCCM requires that each AMT device have its own cert that is used to encrypt the management traffic going to the AMT over the network. These certs would be issued directly from your own internal certificate authority, no 3rd party certs required. This actual cert is assigned to AMT during the provisioning process by the SCCM server.
2) I have a coworker who's done a lot of work with the CA vendors. Let me ask him about it when I get in the office tomorrow and I will reply to this thread with more info.
3) You can use mixed or native mode within SCCM with vPro and AMT, it doesn't have any direct impact on SCCM's AMT support.
4) Yes, you will need to set a PKI (CA) server. Since you will have to create and publish a cert template you will need an Enterprise CA. The actual instructions from Microsoft have you make a copy of the standard web server template that comes with the CA for AMT to use. Take a look at this link for more specifics on what needs to be done to set up this template: http://technet.microsoft.com/en-us/library/dd252737.aspx#BKMK_AMTwebserver2008
On question 2...
2.1) You should be able to use the standard cert. Just make sure you follow the process on GoDaddy's website.
2.2) The Secure Site Pro certificate type is a little more backward compatible with previous vPro generations as it's issued by their G1 CA. Verisign offers other choices for certificates at lower prices, but these certs would require firmware updates for AMT in order to work.
Thanks so much Dan
I did some testing with SCCM but I got held up with the aspect of setting up a PKI and external certs.
I've got 2 production machines that I'm almost ready to start installation on, however I'm trying to get the PKI infrastructure in place before.
Your information will be very helpful in the cert section. I'll report back with my progress with whichever cert I get, I'm tempted to just get the GoDaddy standard ($50) and see if it works with that, according to GoDaddy I can always upgrade to the premium version if the standard doesn't work.
Perhaps one more question is I just installed an issuing CA on one server that has 2008R2 Enterprise, I still need to authorize it from the intermediate CA, but as I understand it, the key length cannot be more than 2048 since the vPro chips can only handle that length?
Also when installing the CA service (Active Directory Certificate Service - ADCS) there are a few roles that can be installed:
Certification Authority Web Enrollment
Network Device Enrollment Service
Certificate Enrollment Web Service
Certificate Enrollment Policy Web Service
Do any of these other roles need to be installed for the CA to issue the vPro certs?
I'd say stick with the 2048 bit key length unless you have a specific security requirement for something larger. Newer versions of AMT firmware do have support for 4096 bit keys. You'll need to check with your OEM to see if they have made those firmware updates available.
As for the CA roles, all you need to get started is the certificate authority role itself. I personally like to add the web enrollment role as well. It makes it easy to grab a copy of the CA's cert should you need it, but it is not required for AMT.
The only big requirement for CAs and vPro is that it be on an enterprise version of Windows so that you can create and publish your own cert templates. The CA that comes with standard editions of Windows does not allow you to create new CA templates.
Here's a link to Microsoft's documentation on setting up a CA to support vPro clients:
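As an added example (not code from this thread, Intel or Microsoft), here is a PowerShell check an admin can run against the certs the issuing CA hands out for AMT devices, based on the points above: RSA key length at or below the firmware limit (2048 bits unless the OEM firmware update adds 4096-bit support), the Server Authentication EKU that a copy of the Web Server template carries, a chain that builds to the internal root, and validity. The `Test-AmtCertificate` function name and the `$MaxKeyBits` parameter are my own.

```powershell
function Test-AmtCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        # Assumption: 2048 is the firmware limit; raise only after the OEM confirms 4096-bit support
        [int]$MaxKeyBits = 2048
    )
    process {
        $findings = New-Object System.Collections.Generic.List[string]

        # Key size: older AMT firmware will not accept RSA keys above 2048 bits
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
        if ($null -eq $rsa) {
            $findings.Add('Public key is not RSA; AMT expects an RSA key')
        } elseif ($rsa.KeySize -gt $MaxKeyBits) {
            $findings.Add("RSA key is $($rsa.KeySize) bits; firmware limit is $MaxKeyBits")
        }

        # EKU: a template copied from Web Server carries Server Authentication (1.3.6.1.5.5.7.3.1)
        $eku = $Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
        if (-not $hasServerAuth) {
            $findings.Add('Missing Server Authentication EKU; check the template copied from Web Server')
        }

        # Chain: the cert must chain to the internal root that the AMT device is provisioned to trust
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        if (-not $chain.Build($Certificate)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            $findings.Add("Chain does not build: $status")
        }

        # Validity window
        if ($Certificate.NotAfter -lt (Get-Date)) { $findings.Add('Certificate has expired') }

        [pscustomobject]@{
            Subject  = $Certificate.Subject
            KeyBits  = if ($rsa) { $rsa.KeySize } else { $null }
            Findings = $findings.ToArray()
            Passed   = ($findings.Count -eq 0)
        }
    }
}

# Usage: check every cert in the local machine store, e.g. on the SCCM server holding issued AMT certs
Get-ChildItem Cert:\LocalMachine\My | Test-AmtCertificate | Format-List
```

A cert loaded from a file works the same way: pass the result of `Get-PfxCertificate -FilePath <path>` to `Test-AmtCertificate`.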
I just wanted to post again for anyone reading this that i did install the GoDaddy regular cert and it does work with vPro when you follow their instructions.
We finally decided not to implement native mode on SCCM, it was already enough work to get a PKI infrastructure in place for setting up a root & issuing CA, so decided to forego the added complications of native mode.
SCCM and vPro have been great with a few hassles but it really allows for some great control over the machines.
One of the best has been the VNC viewer on certain vPro machines that allows us to view in the VNC Plus viewer the complete bootup sequence including BIOS. The only downside of that is that it is only applicable to the computers that have the onboard Intel graphics, which in our case is only about 1/3 of the machines, the others including the notebooks have ATI or Nvidia chips as graphics controllers.
So a word of caution for anyone hoping to get that KVM feature - verify that your model supports KVM, having the vPro chip is not enough.
Thanks again Dan for all your help!