Hello Victor

1: We do have a current deployment with Intel AMT

2: 14'524 Systems with Intel AMT version 11.8.77

3: At the moment every new and every reconfiguring system is affected by this (over time this should be every system) as our Active Directory is not allowing modifying or creation of computer objects without a trailing '$' . These systems are in a production environment and are getting periodicaly new staged.  As i understood the issue we are having, this should not only be a problem of our environment? Is there any way to change the naming in the AD-Integration to something with a trailing '$'?

Kind Regrads

SysArch

Hello SysArch,

Thank you for posting on the Intel® communities.

Please let me review this information internally, and kindly wait for an update.

Once we have more information to share, we will post it on this thread.

Regards,

Victor G.

Intel Technical Support Technician

I wanted to provide an update to this thread. We are digging into this and are working on a response for this thread. Thank you for your patience.

Regards,

Michael

Hi @MichaelA_Intel 

I can confirm that we are having the same issue at our end.
Affecting 2500 devices.

We have also opened an support case with Microsoft Premier Support regarding this security update KB5008102 for November 2021.
We are seeing the same error messages in the event logs of Active Directory Domain Controllers.

Best Regards

Horgster

Hi @MichaelA_Intel  and @SysArch 

I have found an workaround to this problem.

According to KB5008102; this protection and validation check is forced on users who do not have administrator rights for machine accounts that is trying to create or modify sAMAccountName computer accounts ending with with $iME.

The Intel SCS or Intel EMA server machine account is not an administrator account, hence that is why Active Directory refuses these machines accounts to create computer accounts ending with $iME

Ref:
https://support.microsoft.com/en-gb/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e

To workaround this, until proper fix exist, do this:

1. Add the AD machine account of "Intel SCS" or "Intel EMA" server as member of the "Administrators" group in Active Directory.

2. Reboot the "Intel SCS" or "Intel EMA" server

This allows you to provisioning the Intel AMT devices again with the ComputerName$iME.

This is of course an ugly workaround and nothing you want to run for an very long time in your environment, but it is the lesser of two evils right now!

This allows you to both run the current security updates for November 2021 while this problem is sorted out with permanent fix and at the same time allows you to continue to provisioning Intel AMT devices.

Above workaround works perfect for us.

Use it for what it's worth!

Best Regards
Horgster

Thank you for sharing this workaround. Unfortunately, getting my SCS service account approved as a domain admin is about as likely as security approving a removal of the cumulative security patch. But others might have more luck with that.

@JRüeg 

That is fully understandable.

But please be aware that I did write "Administrators group", not "Domain Admins group".
Right now, this is the less of two evils until permanent fix exist or better workaround exists.

Best Regards
Horgster

We did open a Microsoft case and after some back and forth adding the user to the administrators group in the domain is the only available workaround. There is no other way to delegate the needed permissions and there is no other workaround planned. The solution according to Microsoft is for Inel to update their product.

The answer also containes information that "there are plans to apply the same enforcements" for users in the administrators group as well. So this workaround will not be a permanent solution even if it is not a security concern in your company.

Hello everyone,

Thank you for all of your responses.

Please have into consideration that, this situation is being worked on as we speak directly with Microsoft; therefore, as soon as we come up with a solution for this, we will be posting it on this thread; consequently, please wait for an update.

Regards,

Victor G.

Intel Technical Support Technician

Thank you for sharing your feedback and describing the issue.  Please review the attached document and contact your Intel Rep or open a ticket with Intel Customer Support if you have additional questions or need next steps.  

Hello SysArch,

Were you able to check the previous post?   

Please let me know if you need further assistance.

Regards,

Victor G.

Intel Technical Support Technician

Hello Victor G

Yes we checked it and unfortunately it's not helpfull for us, as we are using the AMT Kerberos authentication. 

Regards,

SysArch

Hello SysArch,

Thank you for your response.

We are checking into different alternatives, we will update the community as soon as possible.

Regards,

Adrian M.

Intel Customer Support Technician

Hello SysArch,

We would like to inform you that we have received your input and working on it. This is a high priority to us, but that said many of the developers are out at the end of the year on holiday. 

As soon as we have an update, we will contact you back

Best regards,

Sergio S.

Intel Customer Support Technician

Hello SysArch,

We have received a fix from the development team and have posted the packages to Download Center. You can find more information here:

https://www.intel.com/content/www/us/en/download/16349/intel-setup-and-configuration-software-intel-scs.html

In case you need more assistance, please contact us back.

Hi Sergio,

Thank you for the update.

I have tested and can confirm it has worked for me, systems are back to being enrolled successfully.

Many thanks

Chris

Hello somersetchris,

We are glad to hear that you were able to solve your issue, please let us know if you need more assistance or if we can close this thread.

Best regards,

Sergio S.

Intel Customer Support Technician