The AMT Embedded Tools Suite will not work for what you’re trying to do. In order to use your own root certificate hash you will need to manually insert it into the firmware of every AMT computer.
Also, something to keep in mind: while SCCM 2012 is able to configure current versions of AMT (up to AMT 8), SCCM will not be able to configure AMT versions beyond that. This is because SCCM uses SOAP to communicate with AMT, and as of AMT 9, AMT will no longer support SOAP, only WS-Management. So, you will need to configure future versions of AMT with SCS.
Thanks for your answer. Though I'm less than thrilled that AMT is designed this way, I understand the potential for large security risks if it is too easy to install additional trusted root CAs into the MEBx firmware.
I am intrigued by your addendum about future versions of AMT. Will AMT be approaching a stable API in the future, or is using SCS the only way to ensure version-agnostic management of clients in a more rapidly evolving development model? Are there news publications or white papers regarding road maps for future versions of AMT? I would be interested in such material so that I may become more educated about AMT before our widespread deployment of it. I would like to structure our deployment in such a way that management of AMT clients will not become yet another headache in our hectic environment.
If I could pester you about a couple of other questions / issues here I would appreciate your help, or I can post a new question(s) if you feel it's more appropriate.
1) We have desktop boards that span from the inception of AMT up to 6.2 for sure, and there are probably a handful of newer ones around somewhere. What's the best strategy for incorporating as many clients as possible into a management solution such as SCS? If version <= X is not worth supporting in a modern environment, what is version X?
2) I seem to have hosed the MEBx firmware on my workstation (brilliant, right?) by unintentionally flashing an update to the firmware while some settings were already in place. Now changes to some settings don't stick, or in the case of entering CA hashes, the values appear to be offset by 2 bytes. I've reset the ME firmware to defaults many times (by moving the BIOS jumper to config mode), and this has no effect. My supposed solution was to first reset ME firmware to defaults and reflash it with the current version, but the express BIOS update utility skips the ME firmware update regardless of the force flag. I am not overly concerned about it, but if there's an easy fix I'd like to take care of it.
WS-MAN was first introduced in AMT 3; it wasn’t until AMT 6 that SOAP was deprecated in favor of WS-MAN. Now in AMT 9, SOAP has been completely phased out. SCCM uses SOAP, and as such will not be able to configure future generations of AMT. SCCM will be able to manage these new AMT systems, but only after you configure them with SCS.
Here’s our SCS integration guide for SCCM:
While there are no AMT roadmaps available, there are other sources of information.
AMT SDK: http://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/DOCS/Implementation%20and%20Reference%20Guide/default.htm?turl=WordDocuments%2Fdeprecatedanddeletedfeatures.htm
IT Project Planning Guide:
Intel vPro Technology Implementation:
Now for your other two questions…
- Intel SCS is not a management solution; its sole purpose is the configuration and maintenance of vPro computers. While SCS is capable of configuring AMT versions 2.x and 3.x, these versions have not been fully validated; full support starts with AMT 4.
- Some manufacturers offer ME firmware updates separate from their BIOS. Depending on the manufacturer, you might be able to download and update separately with that.