I've worked out the problem, we need to use a shorter Root Cert. Ours is currently 4096, wheras we should be using a key length of no greater than 2048 for AMT.
I didnt run into the issue up to now as we use a Comodo Cert for provisioning.
The give away was:
Error: Failed to add a new Trusted root certificate,Device does not support the certificate format.
Error: Failed to add a new Trusted root certificate,return value:2063.
Build a second CA with a Root key of 2048 in length. and issue this for purposes of 802.1x.