You will need to authenticate with the vPro client if trying to access the 3PDS remotely.
Yes, you can configure AMT machines remotely using PKI Remote Configuration certificates: Please reference the following blog
Depends on the use case you are looking for. Can you be more specific?
This really depends if you are using digest or Kerberos accounts. If you are using Kerberos authentication, this is easily managed
vPro can support Enterprise mode in a TLS (certificate based) or Non-TLS (not certificate based) configuration. Requirement is dependent on a combination of ISV and end users choice.
Can you elaborate your questions? I'm lead to believe this is related to 3PDS?
There are a variety of potential use cases; however, it dependant on the Anti-virus ISV to take advantage of them. A couple of examples could be to leveraging system defense to pull OS off the network if infected or remote remediate boot environment and using SOL/IDER. Imagination is the limit.
There is backward compatibility; however, it is dependent on the ISV to leverage the correct ones as new technology is introduced.
Discovery is only one mechanism. You can also leverage the PKI / PSK provisioning hello packages or Detection through a Client Agent.