You find that you are unable to provision AMT devices in System Center Configuration Manager 2007 SP2 using an external certificate provided by VeriSign. However, using your Internal CA you find that you can successfully provision new machines. When attempting to provision an AMT device using your external certificate you receive the following error:
Error: Device internal error. This may be caused by:
This can occur if the AMT provisioning certificates does not meet one of the two following requirements.
1. The OID must be the correct OID specified by Intel: 'Server Authentication Certificate' with the Intel setup extension: 126.96.36.199.188.8.131.52.1, 2.16.840.1.1137184.108.40.206
2. The OU field in the certificate must be properly defined. For example, in the certificate Subject, it must contain the FQDN of the server that will be the out of band service point and the OU string of "Intel(R) Client Setup Certificate". See the following link for more details:
Note that because VeriSign does not support the Intel AMT provisioning OID, this certificate request uses the alternative method of supplying the OU attribute of "Intel(R) Client Setup Certificate". See http://www.symantec.com/connect/articles/intel-vpro-amt-out-band-remote-configuration-and-delayed-provisioning-best-practices
To resolve this issue, verify that the OID is the correct OID specified by Intel. Alternately, ensure that the OU is correctly defined in the provisioning certificate supplied by VeriSign. If it is not, request a new provisioning cert with the correct OU defined.
Hope this helps,
Buz Brodin | Senior Support Escalation Engineer
The App-V Team blog: http://blogs.technet.com/appv/ The WSUS Support Team blog: http://blogs.technet.com/sus/ The SCMDM Support Team blog: http://blogs.technet.com/mdm/ The ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/ The SCOM 2007 Support Team blog: http://blogs.technet.com/operationsmgr/ The SCVMM Team blog: http://blogs.technet.com/scvmm/ The MED-V Team blog: http://blogs.technet.com/medv/ The DPM Team blog: http://blogs.technet.com/dpm/ The OOB Support Team blog: http://blogs.technet.com/oob/ The Opalis Team blog: http://blogs.technet.com/opalis The Service Manager Team blog: http: http://blogs.technet.com/b/servicemanager The AVIcode Team blog: http: http://blogs.technet.com/b/avicode
Its good to see collections of blogs all at one