TLS and Remote Configuration for Intel AMT Out of Band Management - Configuration Guide



Article ID: 439430


Products

IT Management Suite

Issue/Introduction

Secure Intel AMT (Active Management Technology) communications using Transport Layer Security (TLS) within the Real-Time System Manager (RTSM) solution. This article provides instructions for enabling TLS after an initial installation of Out of Band Management (OOBM) and explains the technical requirements for Intel AMT Remote Configuration (formerly Zero Touch Configuration).

Symptoms

  • Unable to manage AMT endpoints via HTTPS/Port 16993.

  • Remote Configuration fails with certificate thumbprint mismatch errors in AmtConfig.log.

  • "Connection Failed" errors when using Real-Time System Manager (RTSM) over secure channels.

Environment

Component                  Details
Provisioning Service       Intel® Setup and Configuration Service (Intel® SCS) v3.0+
AMT Platforms              Intel® AMT 2.0/2.1 (vPro), 2.5 (Centrino Pro), 3.0 (Weybridge/vPro Gen 2)
Server OS                  Windows Server with IIS
Certificate Authority      Microsoft CA (for TLS); Intel® Client Setup Certificate (for Remote Configuration)
Product                    Real-Time System Manager (RTSM) solution 7.x, 8.x


How It Works

The Intel AMT Remote Configuration process establishes trust without physical interaction by using an Intel Client Setup Certificate.

  1. Handshake: The AMT client obtains a DHCP lease including Option 15 (DNS suffix) and locates the Provisioning Server via DNS.

  2. Mutual Authentication: The server presents its Intel Client Setup Certificate together with its certificate chain. The client extracts the chain's root CA certificate, hashes it, and compares the hash with the root certificate hashes the OEM pre-stored in AMT NVRAM.

  3. Validation: The client checks that the certificate is marked as a Client Setup Certificate (the OU value or EKU OID listed under the Part 2 prerequisites) and that the domain part of its Common Name matches the DNS suffix received via DHCP Option 15.

  4. Encrypted Tunnel: Once validated, a Mutual TLS (MTLS) session is established to transmit the assigned Intel AMT profile.

Cause

TLS is not enabled by default during the initial OOBM installation. Secure communication requires sequential configuration of the Microsoft CA, IIS, and the AMT provisioning profiles. Remote Configuration failures typically stem from missing DHCP Option 15, incorrect certificate OIDs, or outdated OEM firmware that lacks the necessary NVRAM hashes.

Resolution

DISCLAIMER: The following information is provided as a reference only. Actual configuration and use of Remote Configuration for Intel AMT Out of Band Management is better handled by the Intel Support team.

 

Part 1: Enabling TLS After Out of Band Management Installation

NOTE: Incorrectly configuring TLS can result in loss of connectivity to all managed Intel AMT systems. Test in a non-production environment before applying to production.

Prerequisites

Before starting, confirm the following are in place:

  1. A Windows Server operating system capable of hosting Microsoft Certificate Services.
  2. IIS is running and accessible on the Notification Server.
  3. All AMT systems are reachable and currently managed.
Best practices
  • For Remote Configuration (Part 2), obtain the Intel® Client Setup Certificate from a CA whose root hash is present in the AMT firmware (such as VeriSign, Comodo, or GoDaddy) before starting; the TLS server certificate used in Part 1 is issued by the Microsoft CA installed in Step 1.
  • Ensure the CA server has its final computer name and domain membership set. Changing either will invalidate all previously issued certificates.
  • Run through the process in a mirrored test environment before applying to production.
Step 1: Install Microsoft Certificate Authority
  1. Navigate to Add/Remove Windows Components and select Certificate Services.
  2. A warning appears: changing the server name or domain membership after this point invalidates all certificates the CA issues. Confirm both are final, then click OK and then Next.
  3. Select Stand-alone Root CA (or the appropriate CA type for your hierarchy). Click Next.
  4. Enter a Common Name for the CA. Add a Distinguished Name suffix if applicable. Set the validity period. Click Next.
  5. Leave Certificate Database Settings at default unless otherwise required. Click Next.
  6. Click Yes when prompted to stop IIS services.
  7. Allow the installation to complete and confirm the CA is active.
Step 2: Configure IIS to Run in TLS Mode
  1. On the Notification Server (SMP Server), open IIS Manager: Start > Administrative Tools > Internet Information Services (IIS) Manager
  2. Expand the server node, then expand Web Sites.
  3. Right-click the web site used by Notification Server and Intel SCS (default: Default Web Site) and select Properties.
  4. Click the Directory Security tab.
  5. Under Secure communications, click Server Certificate.
  6. The Web Server Certificate Wizard launches. Click Next.
  7. Select Send the request immediately to an online certificate authority. Click Next. If this option is grayed out, refer to Microsoft's IIS documentation for your server version.
  8. Enter a name for the certificate (or leave the default). Click Next.
  9. Enter your Organization and Organizational Unit names. Click Next.
  10. Confirm the Common Name field matches the server's DNS name exactly as management clients will address it. Click Next.
  11. Enter your locale details. Click Next.
  12. Review the entered information and click Next, then Finish.

 

Additional step (from community note): If SSL is enabled on the AMTSCS web directory, update the Service Location setting in the Altiris provisioning console to reflect the HTTPS endpoint:

  • Navigate to: Out of Band Management > Configuration Service Settings > Provisioning
  • Update the Service Location to https://<servername>:443/AMTSCS
Step 3: Configure AMT Provisioning Profiles to Use TLS
  1. In the Altiris Console, navigate to: View > Solutions > Out of Band Management > Configuration > Provisioning > Configuration Service Settings > Provision Profiles
  2. Select the profile to edit and click the edit (pencil) icon.
  3. Click the TLS tab.
  4. Check Use TLS.
  5. Select the radio buttons for:
    • Local Interface TLS Server Authentication
    • Network Interface TLS Server Authentication
  6. In the Server Certificate field, select the CA configured in Step 1.
  7. Click OK to save.
Step 4: Apply the TLS Profile to Existing AMT Systems
  1. In the Altiris Console, navigate to: View > Solutions > Out of Band Management > Configuration > Provisioning > Intel® AMT Systems > Intel® AMT Systems
  2. Select all applicable systems (use Shift for range selection, Ctrl for individual selection).
  3. To apply changes to systems already assigned to this profile:
    • Right-click and select Re-provision...
  4. To switch systems to a different profile:
    • Right-click and select Un-provision... with the Partial option.
    • Right-click again and select Create assignments.
    • Select the correct profile from the dropdown and click OK.
Step 5 (If Using RTSM): Configure Real-Time System Manager for TLS
  1. Export the CA root certificate in Base-64 encoded X.509 format.
  2. In the Altiris Console, navigate to: View > Solutions > Real-Time Console Infrastructure > Configuration > Configuration
  3. Click the Intel® AMT Connection Settings tab.
  4. Under Transport Level Security, add the trusted domain suffix for the CA on the Notification Server.
  5. Under Redirection Security, enter the path in the Trusted CA certificate location field.
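Once Steps 1 to 5 are complete, the quickest way to tell whether a "Connection Failed" is a closed port, a failed handshake, or a certificate the console does not trust is to probe each endpoint with the same trust anchor RTSM uses: the Base-64 root certificate exported in Step 5. The script below is an added example and is not code from the article, Intel SCS or the Altiris console; the host names, the file name root-ca.cer and the port list are placeholders to replace with your own values.

```python
"""Probe the endpoints configured in Part 1 the way the console reaches them:
the SCS service location on the SMP (HTTPS/443) and the AMT web service on a
managed client (16993), trusting only the Base-64 root exported in Step 5.
Added example, not code from the article; host names, the root file name and
the port list are placeholders to replace with your own."""
import hashlib
import socket
import ssl


def sha1_fingerprint(der):
    """Thumbprint in the form the Windows certificate viewer and AmtConfig.log use."""
    return hashlib.sha1(der).hexdigest().upper()


def probe_tls(host, port, cafile=None, timeout=5.0):
    """Connect, then handshake with verification against cafile (None = system
    trust store). Reports which stage failed: 'connect' (port closed/filtered),
    'handshake' (protocol or cipher problem) or 'verify' (untrusted or wrong
    certificate). On a verify failure a second, unverified handshake is made
    only to read the certificate the endpoint actually presents."""
    result = {"host": host, "port": port, "ok": False, "stage": None,
              "error": None, "peer_sha1": None}
    ctx = ssl.create_default_context(cafile=cafile)  # raises if cafile is missing
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                result.update(ok=True, stage="verified",
                              peer_sha1=sha1_fingerprint(der) if der else None)
                return result
    except ssl.SSLCertVerificationError as exc:
        result.update(stage="verify", error=exc.verify_message or str(exc))
    except ssl.SSLError as exc:
        result.update(stage="handshake", error=str(exc))
        return result
    except OSError as exc:
        result.update(stage="connect", error=str(exc))
        return result
    # Diagnostic path, verification deliberately off: identify the presented cert.
    insecure = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    insecure.check_hostname = False
    insecure.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with insecure.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                result["peer_sha1"] = sha1_fingerprint(der) if der else None
    except OSError as exc:
        result["error"] += "; diagnostic handshake also failed: " + str(exc)
    return result


if __name__ == "__main__":
    ROOT_CER = "root-ca.cer"  # placeholder: the Base-64 root exported in Step 5
    for host, port in (("smp.loc1.com", 443), ("amt-client.loc1.com", 16993)):
        print(probe_tls(host, port, ROOT_CER))
```

A result with stage "verify" and a peer_sha1 that does not belong to a certificate issued by the Step 1 CA means the endpoint is still serving an old or self-signed certificate (re-provision it per Step 4); stage "connect" on 16993 means the AMT network interface is not reachable at all, which is a provisioning or network problem rather than a TLS one. One caveat: AMT 2.x/3.0 firmware negotiates TLS 1.0 with older cipher suites, which a current default context may refuse (reported as stage "handshake", not "verify"); for such endpoints set ctx.minimum_version = ssl.TLSVersion.TLSv1 and, if OpenSSL still rejects the cipher, ctx.set_ciphers("DEFAULT:@SECLEVEL=0") before probing.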

 

Part 2: Intel AMT Remote Configuration

Remote Configuration eliminates the need to physically touch each AMT client before or after provisioning. It uses Mutual TLS (MTLS) to establish a trusted session between the ProvisionServer and the AMT management engine.

Platform Requirements

AMT Version   Platform Codename            Remote Configuration Support   Mode
AMT 3.0       Weybridge (vPro Gen 2)       Native                         Agent Initiated + Bare Metal
AMT 2.2       Averill (vPro)               Firmware upgrade required      Agent Initiated only
AMT 2.6       Santa Rosa (Centrino Pro)    Firmware upgrade required      Agent Initiated only

 

Prerequisites for Remote Configuration

The following must be in place before Remote Configuration can function:

  1. DHCP with option 15 enabled — returns the DNS suffix with the IP lease; used to validate the configuration certificate.
  2. Intel® Client Setup Certificate — an SSL server authentication certificate obtained from an approved Certificate Authority. One certificate is required per ProvisionServer (or per DNS subdomain). Certificate requirements:
    • Type: SSL Server Authentication
    • OID value in EKU field: 2.16.840.1.113741.1.2.3
    • OU value in Subject field: Intel(R) Client Setup Certificate
    • Common Name: <host>.<domain> (e.g., ProvisionServer.Loc1.com)
  3. Updated Altiris client agent — required to support the agent-initiated process.
  4. Intel® SCS version 3.0 or higher — embedded in Altiris OOBM. Verify via the AMTconfig service.
  5. Provisioning Ports: Ensure ports 16992 (HTTP) and 16993 (HTTPS) are open between the ProvisionServer and endpoints.
How Remote Configuration Works

Remote Configuration runs in three stages: preparation, mutual authentication, and profile assignment.

Stage 1a — Agent Initiated Preparation (AMT 2.2, 2.6, 3.0)

Use this path when the host OS and Altiris agent are already installed.

  1. Altiris Client Management Suite deploys updated BIOS, AMT firmware, MEI/LMS drivers, and the latest Altiris agent. The firmware update places certificate hashes into NVRAM.
  2. The Altiris agent queries the BIOS and firmware for the configuration mode, configuration state, AMT version, and system UUID. This data is passed to the ProvisionServer via the management console.
  3. The management console generates a One Time Password (OTP) and sends it to both the Altiris client agent (which writes it to NVRAM) and the ProvisionServer (running Intel SCS).
  4. The Altiris agent sends a command via MEI to open the AMT network interface. The interface stays open for 6 hours; if provisioning does not complete, the agent can restart the process.
  5. Once the ProvisionServer IP is resolved via DNS, the AMT client sends a hello packet containing the system UUID and a self-signed certificate generated from the active certificate hash.

 

Stage 1b — Bare Metal Preparation (AMT 3.0 only)

Use this path when no host OS has been loaded.

  1. On first boot, AMT creates a self-signed certificate based on the active certificate hash loaded by the OEM at manufacturing time.
  2. AMT obtains a DHCP lease including option 15 (DNS domain suffix) and queries DNS for the ProvisionServer within that domain.
  3. A hello packet is sent to the ProvisionServer containing the AMT client's UUID and self-signed certificate.

Stage 2 — Mutual Authentication

This stage is identical for both preparation paths.

  1. The ProvisionServer requests the self-signed certificate from the AMT client.
  2. The AMT management engine requests the Intel® Client Setup Certificate from the ProvisionServer.
    • The ProvisionServer generates TLS Key 1, encrypts it with the public key from the client's self-signed certificate, and sends it along with the Intel® Client Setup Certificate and a PEM file (chain of trust) to the management engine.
  3. The AMT client performs validation:
    • Extracts and stores TLS Key 1.
    • Uses the PEM file and Intel® Client Setup Certificate to extract the root certificate, generates a hash, and validates it against the active certificate hash in NVRAM. If the hashes do not match, the process stops.
    • Checks that the Intel® Client Setup Certificate carries the Client Setup marker (OU value "Intel(R) Client Setup Certificate" or the EKU OID 2.16.840.1.113741.1.2.3) and that the domain in its Common Name matches the DNS suffix received via DHCP option 15.
  4. If validation succeeds, the AMT management engine creates TLS Key 2, encrypts it with the public key of the Intel® Client Setup Certificate, and transmits it to the ProvisionServer.
  5. With TLS Key 1 and Key 2 held by both sides, mutual authentication is complete and an MTLS session is established.
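The validation the AMT client performs in Stage 2 (and in steps 2 and 3 of How It Works) is exactly what an administrator should check on a candidate Intel® Client Setup Certificate before buying a platform's worth of provisioning on it. The script below is an added example, not code from the article or from Intel SCS: it applies the three checks (root hash against the NVRAM list, the Client Setup marker from the Part 2 prerequisites, and the CN domain against the DHCP option 15 suffix) to certificate fields you can read with `openssl x509 -noout -subject -ext extendedKeyUsage` and the DER of the chain's root. The SHA-1-over-root-DER form of the NVRAM hash and the handling of wildcard CNs for sub-domains are assumptions of this example, and all sample values are constructed.

```python
"""Offline check of an Intel(R) Client Setup Certificate against the rules the
AMT client applies during Stage 2. Added example, not code from the article or
from Intel SCS. The certificate is passed as the fields the firmware inspects
(obtainable with `openssl x509 -noout -subject -ext extendedKeyUsage`) plus the
DER bytes of the chain's root; all sample values below are constructed."""
import hashlib

# Certificate markers given under "Prerequisites for Remote Configuration".
CLIENT_SETUP_EKU_OID = "2.16.840.1.113741.1.2.3"
CLIENT_SETUP_OU = "Intel(R) Client Setup Certificate"


def root_hash(root_der):
    """SHA-1 over the root CA certificate DER. That this is the form of the
    'active certificate hash' held in NVRAM is an assumption of this example;
    compare the value with the hash list shown in MEBx for the platform."""
    return hashlib.sha1(root_der).hexdigest().upper()


def domain_matches(common_name, dhcp_suffix):
    """The domain part of the CN (<host>.<domain>) must equal the DNS suffix
    delivered by DHCP option 15, compared case-insensitively. A wildcard CN
    (*.domain) is also accepted for sub-domains of that domain; this reading of
    the wildcard rule is an assumption of this example."""
    cn = common_name.lower().rstrip(".")
    suffix = dhcp_suffix.lower().rstrip(".")
    if not suffix or "." not in cn:
        return False
    host_label, domain = cn.split(".", 1)
    if host_label == "*":
        return suffix == domain or suffix.endswith("." + domain)
    return suffix == domain


def validate_client_setup_certificate(cert_fields, root_der, dhcp_suffix, nvram_hashes):
    """Return (ok, reason), checking in the order Stage 2 describes: root hash
    against NVRAM first, then the Client Setup marker (EKU OID or OU value),
    then the CN domain against the DHCP option 15 suffix."""
    if root_hash(root_der) not in nvram_hashes:
        return False, "root CA hash not in the NVRAM active hash list"
    marked = (CLIENT_SETUP_EKU_OID in cert_fields.get("eku", ())
              or cert_fields.get("ou") == CLIENT_SETUP_OU)
    if not marked:
        return False, "certificate carries neither the Client Setup EKU OID nor the OU value"
    if not domain_matches(cert_fields.get("cn", ""), dhcp_suffix):
        return False, "CN domain does not match the DHCP option 15 suffix"
    return True, "ok"


# Constructed sample input: a stand-in for the root DER and the hash list an OEM
# would have burned into NVRAM for it (not real certificate data).
SAMPLE_ROOT_DER = b"constructed-root-ca-bytes-not-a-real-certificate"
NVRAM_HASHES = {root_hash(SAMPLE_ROOT_DER)}
GOOD_CERT = {"cn": "ProvisionServer.Loc1.com", "ou": CLIENT_SETUP_OU,
             "eku": ["1.3.6.1.5.5.7.3.1", CLIENT_SETUP_EKU_OID]}  # serverAuth + Intel OID

if __name__ == "__main__":
    for suffix in ("loc1.com", "west.loc1.com", "loc2.com"):
        print(suffix, validate_client_setup_certificate(GOOD_CERT, SAMPLE_ROOT_DER,
                                                        suffix, NVRAM_HASHES))
```

Run against a real certificate, the first failing check tells you which prerequisite to fix: a root-hash failure means the CA is not one the OEM firmware trusts (or the firmware is outdated, as noted under Cause), a marker failure means the certificate was issued with the wrong OID or OU, and a domain failure means DHCP option 15 on that subnet does not hand out the domain the certificate was issued for. The real root fingerprint for comparison comes from `openssl x509 -noout -fingerprint -sha1 -in root.cer`.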

Stage 3 — Profile Assignment

Once the MTLS session is established, the FQDN and UUID are matched and the assigned Intel® AMT profile is transmitted to the management engine. This stage is functionally similar to the existing TLS-PSK provisioning process.

The MTLS session established during Remote Configuration provisioning is separate from the TLS configuration defined in the assigned Intel® AMT profile.

Common Questions

Q: Will TLS-PSK (one-touch/manual) provisioning still be supported alongside Remote Configuration?
Yes. Both TLS-PSK and Remote Configuration are supported going forward.

Q: Why is one Intel® Client Setup Certificate required per ProvisionServer?
The AMT client validates the domain in the certificate's Common Name against the DNS domain suffix it received via DHCP option 15, so each ProvisionServer must present a certificate whose CN domain matches the environment it serves. Wildcard certificates (e.g., *.company.com) are supported and can reduce the number of certificates needed in multi-subdomain environments.


Remote Configuration Verification

  1. Confirm the AMTconfig service reports Intel® SCS version 3.0 or higher.
  2. After a provisioning attempt, check that the target system appears in: View > Solutions > Out of Band Management > Configuration > Provisioning > Intel® AMT Systems
  3. Confirm the system's FQDN and UUID are correctly mapped.
  4. Attempt a remote management operation on the newly provisioned system.

Check                          Expected Result
SCS version                    3.0 or higher
DHCP option 15                 Returns DNS suffix with IP lease
Certificate hash in NVRAM      Active hash matches the root CA certificate of the Intel® Client Setup Certificate chain
Provisioned system visible     FQDN and UUID correctly mapped in console
