Hello,
I have a question. I'm in a project to set up and configure our desktops with AMT using SCCM 2012 R2 and using Intel SCS 9.12.74.
I'm trying to use the Intel SCS 9.1 since SCCM natively doesn't support all AMT versions.
We have our own internal PKI running, I successfully created and issued the AMT provisioning certificates for our Provisioning server, and the certificate templates for the client certificates are also ready and standby. The Microsoft procedure from Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Aut… was used for this.
Now I have the challenge of getting the machines provisioned but our internal root CA is not yet trusted by default in the AMT machines.
As far as I found, I have 2 options:
- Enter the thumbprint for our Root CA cert in all machines
  - manually using ctrl-P :-(
  - using a USB key - also manually :-(
- Buy a third party AMT provisioning certificate from a vendor that is pre-trusted in AMT, so VeriSign, GoDaddy etc.
The problem here is that we (as most of the companies) use INTERNAL DNS names for our infrastructure like company.internal and that VeriSign etc. will NOT issue certificates for internal websites anymore after 1-Nov-2015.
A great solution would be that we get a utility to remotely update the root hashes in AMT, ideally some tool using the same config file as the USB tool, running remotely, or which can be scripted using SCCM.
What possibility do we have to automatically update the root hashes remotely?
TIA, B.v.Zanten