Hi!
I work as a sysadmin for my company. Some time ago we decided to switch to Intel NUC systems for our workstations. They're small, affordable and fast. What's there not to like.
We also have an SCCM 2012 R2 in place and for the past few days I've been trying to get vPro/AMT/Out of Band management to work. To no great success I might add.
I followed Microsoft's howto on OoB that can be found here: http://technet.microsoft.com/en-us/library/gg712319.aspx
I was able to setup and configure the the OoB managment point but the provisioning isn't happening.
This is an excerpt from my atmopmgr.log on the SCCM machine.
| >>>>>>>>>>>>>>>Provision task (In Band Provision) begin<<<<<<<<<<<<<<< | 6684 (0x1A1C) |
| Provision target is indicated with SMS resource id. (MachineId = 16777232 W0009.my.company.com) | 6684 (0x1A1C) |
| Found valid basic machine property for machine id = 16777232. | 6684 (0x1A1C) |
| Warning: Currently we don't support mutual auth. Change to TLS server auth mode. | 6684 (0x1A1C) |
| The provision mode for device W0009.my.company.com is 1. | 6684 (0x1A1C) |
| AMT Provision Worker: 1 task(s) are in the pending list. | 7360 (0x1CC0) |
| The IP addresses of the host W0009.my.company.com are 10.1.1.21. | 6684 (0x1A1C) |
| Root hash of provisioning certificate is MYROOTPROVHASH. | 6684 (0x1A1C) |
| Attempting to establish connection with target device using SOAP. | 6684 (0x1A1C) |
| Create provisionHelper with (Hash: MYROOTPROVHELPERHASH) | 6684 (0x1A1C) |
| Set credential on provisionHelper... | 6684 (0x1A1C) |
| Try to use provisioning account to connect target machine 10.1.1.21... | 6684 (0x1A1C) |
| Failed to create SSPI credential with error=0x8009030E by AcquireCredentialsHandle. | 6684 (0x1A1C) |
| Fail to connect and get core version of machine 10.1.1.21 using provisioning account #0. | 6684 (0x1A1C) |
| Try to use default factory account to connect target machine 10.1.1.21... | 6684 (0x1A1C) |
| Failed to create SSPI credential with error=0x8009030E by AcquireCredentialsHandle. | 6684 (0x1A1C) |
| Fail to connect and get core version of machine 10.1.1.21 using default factory account. | 6684 (0x1A1C) |
| Try to use provisioned account (random generated password) to connect target machine 10.1.1.21... | 6684 (0x1A1C) |
| AMT Provision Worker: There are 2 tasks in pending list | 7360 (0x1CC0) |
| AMT Provision Worker: Wait 15 seconds... | 7360 (0x1CC0) |
| Failed to create SSPI credential with error=0x8009030E by AcquireCredentialsHandle. | 6684 (0x1A1C) |
| Fail to connect and get core version of machine 10.1.1.21 using provisioned account (random generated password). | 6684 (0x1A1C) |
| Error: Device internal error. This may be caused by: 1. Incorrect network configuration(DHCP option 6 and 15 required for AMT firmware). 2. Provisioning certificate's root hash is not in AMT firmware's root certificate trust list. 3. Provisioning certificate is not configured with SHA1RSA as signature algorithm or 1024 or 2048 bits as public key length. It might not be able to provision some versions of AMT machine. 4. AMT firmware self signed certificate issue(date zero). 5. AMT firmware is not ready for PKI provisioning. Check network interface is opening and AMT is in PKI mode. 6. Service point is trying to establish connection with wireless IP address of AMT firmware but wireless management has NOT enabled yet. AMT firmware doesn't support provision through wireless connection. (MachineId = 16777232) | 6684 (0x1A1C) |
| Error: Can NOT establish connection with target device. (MachineId = 16777232) | 6684 (0x1A1C) |
| Use FQDN to try again | 6684 (0x1A1C) |
| Root hash of provisioning certificate is MYROOTPROVHASH. | 6684 (0x1A1C) |
| Attempting to establish connection with target device using SOAP. | 6684 (0x1A1C) |
| Create provisionHelper with (Hash: MYROOTPROVHELPERHASH) | 6684 (0x1A1C) |
| Set credential on provisionHelper... | 6684 (0x1A1C) |
| Try to use provisioning account to connect target machine W0009.my.company.com... | 6684 (0x1A1C) |
| Failed to create SSPI credential with error=0x8009030E by AcquireCredentialsHandle. | 6684 (0x1A1C) |
| Fail to connect and get core version of machine W0009.my.company.com using provisioning account #0. | 6684 (0x1A1C) |
| Try to use default factory account to connect target machine W0009.my.company.com... | 6684 (0x1A1C) |
| Failed to create SSPI credential with error=0x8009030E by AcquireCredentialsHandle. | 6684 (0x1A1C) |
| Fail to connect and get core version of machine W0009.my.company.com using default factory account. | 6684 (0x1A1C) |
| Try to use provisioned account (random generated password) to connect target machine W0009.my.company.com... | 6684 (0x1A1C) |
| Failed to create SSPI credential with error=0x8009030E by AcquireCredentialsHandle. | 6684 (0x1A1C) |
| Fail to connect and get core version of machine W0009.my.company.com using provisioned account (random generated password). | 6684 (0x1A1C) |
| Error: Device internal error. This may be caused by: 1. Incorrect network configuration(DHCP option 6 and 15 required for AMT firmware). 2. Provisioning certificate's root hash is not in AMT firmware's root certificate trust list. 3. Provisioning certificate is not configured with SHA1RSA as signature algorithm or 1024 or 2048 bits as public key length. It might not be able to provision some versions of AMT machine. 4. AMT firmware self signed certificate issue(date zero). 5. AMT firmware is not ready for PKI provisioning. Check network interface is opening and AMT is in PKI mode. 6. Service point is trying to establish connection with wireless IP address of AMT firmware but wireless management has NOT enabled yet. AMT firmware doesn't support provision through wireless connection. (MachineId = 16777232) | 6684 (0x1A1C) |
| Error: Can NOT establish connection with target device. (MachineId = 16777232) | 6684 (0x1A1C) |
| CStateMsgReporter::DeliverMessages - Queued message: TT=1201 TIDT=0 TID='Unspecified' SID=13 MUF=0 PCNT=1, P1='W0009.my.company.com' P2='' P3='' P4='' P5='' | 6684 (0x1A1C) |
| CStateMsgReporter::DeliverMessages - Created state message file: D:\Microsoft Configuration Manager\inboxes\auth\statesys.box\incoming\f4jqjxf1.SMX | 6684 (0x1A1C) |
| >>>>>>>>>>>>>>>Provision task (In Band Provision) end<<<<<<<<<<<<<<< | 6684 (0x1A1C) |
The created AD OU is being filled with <COMPUTERNAME>$iME objects.
The clients are in my normal DHCP scopes and these have options 6 and 15 configured.
I'm using a certificate issued by DigiCert as AMT Provisioning certificate. According to DigiCert their root CA's are in the store. How can I verify this?
The AMT Provisioning certificate was signed using these parameters: Intel(R) AMT SDK Implementation and Reference Guide
This is the first time the machines will be provisioned. I haven't the MEBx before.
I'm fresh out of ideas right now. What can I do to make work? 
Any help would be greatly appreciated!