You are right, actually nobody is able to issue public certificates for internal domain anymore, for security reasons.
In case that you have used Microsoft SCCM 2007/2012, you probably will face problems to provision machines with Intel vPro (with ME >=9.0 version) - read this blog. Based on my experience, I would suggest you shift the provision mechanism to Intel SCS, and integrate it with Microsoft SCCM using this add-on. As far you use a local domain and will not be able to issue 3rd party certificate, I would suggest adopt HBC as your primarily provision mechanism, and in cases that having Admin Control Mode is imperative, inject into ME the hash of your internal root CA to make it available to be provisioned using an internal provisioning certificate.
Also, if you have any problem, you also can use our support: https://bizsupport.intel.com