Have you tried power control operations?
Right click on a provisioned system, select "Out of Band Management" then "Power Control".
While the OOB Management Console uses Kerberos authentication, these power control commands use the digest user. If the power control commands work, that tells us that there's a problem with Kerberos authentication. If the power controls commands do not work, that's usually a sign that there's something wrong with the TLS cert assigned to AMT.
If the power control command does work, I recommend checking the AMT OU you are using in Active Directory to make sure that there are objects there for your provisioned systems.