Article ID: 000090051 Content Type: Troubleshooting Last Reviewed: 09/26/2022

How to Provision Endpoints with Intel® Active Management Technology Version 14 or Later


Windows Server 2016 Family*, Windows 11* Family, Windows Server 2022 Family, Windows® 10 family, Windows Server 2012 family*


Intel® Endpoint Management Assistant requirements for Intel® AMT version 14 or later


Unable to provision endpoints with Intel® AMT version 14 or later even when the Intel® EMA configuration was working before with older AMT versions.
In some scenarios, Certificate vendors have renewed off the old Certificate chain, which will result in the intermediate chaining up to a SHA1 Signature Algorithm root CA.


Starting from Intel® Management Engine (ME) version 15.0 firmware for Intel®Chipset H platform, and Intel® ME 16.0 firmware for all platforms, Intel is removing support of SHA1 root certificates and RSA key sizes smaller than 2048 bits for Intel® AMT provisioning.
In those releases and later, it is no longer possible to add SHA1 hashes, and none of the certificates in the certificate chain can be SHA1-based, including the root certificate.

Source: Intel® AMT SDK Implementation and Reference Guide

example images

The Certificate vendor needs to reissue the certificate that is signed by an intermediate cert. that supports SHA256 Signature Algorithm. That intermediate will map to the root CA that supports Intel AMT.
In the case of DigiCert, the required intermediate CA’s are shown below.
The chain supports SHA256 Signature Algorithm.

example image

If the Certificate vendor issued a certificate that does not chain up to the DigiCert Global CA G2, then contact the vendor to reissue a certificate chain that looks like the screenshot above.