toolsign5You find that you are unable to provision AMT devices in System Center Configuration Manager 2007 SP2 using an external certificate provided by VeriSign.  However, using your Internal CA you find that you can successfully provision new machines.  When attempting to provision an AMT device using your external certificate you receive the following error:

Error: Device internal error. This may be caused by:

1. SChannel hotfix applied that can send our root certificate in provisioning certificate chain.
2. incorrect network configuration(DHCP option 6 and 15 required for AMT firmware).
3. AMT firmware self signed certificate issue(date zero).
4. AMT firmware is not ready for PKI provisioning. Check network interface is opening and AMT is in PKI mode.
5. Service point is trying to establish connection with wireless IP address of AMT firmware but wireless management has NOT enabled yet. AMT firmware doesn't support provision through wireless connection.
Cause

This can occur if the AMT provisioning certificates does not meet one of the two following requirements.

1. The OID must be the correct OID specified by Intel:  'Server Authentication Certificate' with the Intel setup extension: 1.3.6.1.5.5.7.3.1, 2.16.840.1.113741.1.2.3

or

2. The OU field in the certificate must be properly defined.  For example, in the certificate Subject, it must contain the FQDN of the server that will be the out of band service point and the OU string of "Intel(R) Client Setup Certificate".  See the following link for more details:

http://social.technet.microsoft.com/wiki/contents/articles/requesting-an-amt-provisioning-certificate-using-a-windows-server-2008-ca.aspx

Note that because VeriSign does not support the Intel AMT provisioning OID, this certificate request uses the alternative method of supplying the OU attribute of "Intel(R) Client Setup Certificate".  See http://www.symantec.com/connect/articles/intel-vpro-amt-out-band-remote-configuration-and-delayed-provisioning-best-practices

Resolution

To resolve this issue, verify that the OID is the correct OID specified by Intel.  Alternately, ensure that the OU is correctly defined in the provisioning certificate supplied by VeriSign.  If it is not, request a new provisioning cert with the correct OU defined.

Hope this helps,

Buz Brodin | Senior Support Escalation Engineer

The App-V Team blog: http://blogs.technet.com/appv/
The WSUS Support Team blog: http://blogs.technet.com/sus/
The SCMDM Support Team blog: http://blogs.technet.com/mdm/
The ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/
The SCOM 2007 Support Team blog: http://blogs.technet.com/operationsmgr/
The SCVMM Team blog: http://blogs.technet.com/scvmm/
The MED-V Team blog: http://blogs.technet.com/medv/
The DPM Team blog: http://blogs.technet.com/dpm/
The OOB Support Team blog: http://blogs.technet.com/oob/
The Opalis Team blog: http://blogs.technet.com/opalis
The Service Manager Team blog: http: http://blogs.technet.com/b/servicemanager
The AVIcode Team blog: http: http://blogs.technet.com/b/avicode

clip_image001 clip_image002