Hello,
I have my clients configured as Client Control Mode, and I have an .iso file with Windows 11.
I have tried to boot it but I always get the error “RCO/USBR boot failed”.
Is it because of the Client Control Mode, I have to set them as Admin?
I have come to think that it is due to the size of the file (5.432 GB).
On the other hand, I would like to know how to set the admin mode as efficiently as possible. I have seen that I need to request a certificate and then go computer by computer accessing MEBx and set PKI DNS Suffix, is this the best way? I have computers in different countries, so I do not have them all in LAN.
Suppose I have an environment called ema.business.net. I need to request the certificate in the name of business.net, right? Not the full name.
Thanks in advance
Hello JVITM,
Thank you for reaching out regarding the issue you're encountering with USB Redirection and the “RCO/USBR boot failed” error when attempting to boot a Windows 11 .iso file.
1. CIRA-based Provisioning:
USB Redirection (USBR) works best with CIRA-based provisioning. If your endpoints are not already provisioned via CIRA, we strongly recommend transitioning to this method for optimized USBR performance. CIRA provisioned endpoints provide more reliable connectivity and faster interactions.
2. Mounting ISO in Client Control Mode (CCM):
Mounting an ISO file does work in Client Control Mode (CCM); however, it’s important to note that user consent is required for each redirection session. If you are installing the OS and the user becomes unavailable or the system reboots, the session may break or fail since consent cannot be re-established without user presence.
3. Adjust USBR Throttling Rate:
If you're using TLS with relay, it may be necessary to adjust the "USBR Redirection Throttling Rate" under the Manageability Server settings. We recommend starting with a throttling rate of 10 milliseconds and increasing it in increments of 10 until you find an optimal value. Note that increasing the throttling rate will reduce USBR boot performance, so use this setting with caution, particularly for TLS with relay instances.
4. Verify Drivers in the .iso File:
Ensure that the .iso file you are using contains the necessary drivers for USB keyboard and mouse support, especially for KVM interaction during boot. Without these drivers, the system may fail to boot properly via USB Redirection.
How to configure the Endpoint in Admin control mode on an Intel Endpoint Management Assistant (EMA)
Please check on the EMA server whether the Fully Qualified Domain Name (FQDN) has the same PKI DNS Suffix as the one in the SSL/TLS certificate (such as GoDaddy, Sectigo, etc.) and on the MEBx of the endpoint.
Step 1: check for the FQDN in the platform manager on the Intel EMA server.
This PC - local disk (C) - Program files x86 - platform manager - Intel Platform manager - settings
Step 2: Enable the PKI DNS Suffix in the MEBx of the Endpoint:
Restart the Endpoint - Press Ctrl+P (or Ctrl + Alt + F1 on some units) to log in to the MEBx
1. Log into MEBx (default password = admin)
   1. For accessing MEBx, please refer to OEM guidance.
   2. If first time logging in, the password change is required
2. Intel® AMT Configuration -> Remote Setup and Configuration -> TLS PKI -> PKI DNS Suffix
   1. If PKI DNS Suffix menu is not available, then AMT is currently configured
   2. Go back to Intel® AMT Configuration -> Unconfigure Network Access -> Full Unprovision
3. Enter the value for PKI DNS Suffix to match the provisioning certificate
   1. For example, Intel.com (without quotes)
4. Exit and Save
Step 3: Please check if the DNS Suffix is the same on the TLS/SSL certificate as on the MEBx
How to Purchase and Install DigiCert*, Entrust* and/or GoDaddy* Certificates for Intel® AMT Remote Setup and Configuration
https://www.intel.com/content/www/us/en/support/articles/000055009/technologies.html
Best regards,
Vijay N.
Intel Customer Support Technician
Hi!
Yes, they are provisioned through CIRA, but with Client Control Mode. I have downloaded the iso several times and different versions of Windows but without success, it fails to boot correctly despite having the user's consent. I understand that it is necessary to put the endpoint in admin control mode.
I was reviewing the documentation you have attached, is it necessary that each user has to do those steps manually, can't it be done unattended without relying on the user? We have computers all over the world and we would not like to depend on the users themselves.
I say this because indicating the steps to a standard user (log in to the MEBx, etc.) will be a bit of a mess (although we can always record a video, but if there is another alternative).
Thanks for everything
Hello JVITM,
I am following up on the case and would like to know if I can help you with anything else. Look forward to your response.
Regards,
Vijay N
Hello JVITM,
Thank you for your continued collaboration.
If accessing MEBx is not feasible, you can still achieve Admin Control Mode (ACM) provisioning by configuring DHCP Option 15 correctly or using a supported workaround. Below are key requirements and options:
1. Valid Intel AMT Provisioning Certificate
   - Must be issued by an Intel-trusted public CA (e.g., Digicert, GoDaddy, Sectigo).
   - The Common Name (CN) of the certificate must use a public DNS domain (e.g., vprodemo.com) that you own, due to the DV process.
2. Matching DNS Suffix for Verification
   - Option 15 (DHCP) or PKI DNS Suffix in ME firmware must match the domain in the AMT certificate CN.
   - AMT checks Option 15 (wired only) unless the PKI DNS Suffix is manually configured—it overrides DHCP and works across any network interface.
3. Wired LAN Only for Initial Provisioning
   - ACM provisioning via Wi-Fi is not allowed unless the PKI DNS Suffix is already set in the firmware.
Workarounds for Environments with Invalid Option 15 Domains
If your environment uses .local, .corp, .private, etc., which are invalid for public CAs, consider these workarounds:
a) Modify DHCP Option 15 for Intel vPro VLAN/IP Scope
   - Set Option 15 to a public domain name you own, but only for the vPro IP range.
   - No need to alter AD domain or general DNS settings.
   - Pro: No endpoint access required.
   - Con: May affect devices like printers/Wi-Fi APs if they rely on Option 15.
b) Use DHCP User Classes (if supported)
   - Set Option 15 dynamically for vPro clients only, using User/Vendor Classes or DHCP reservations.
   - Pro: Centralized and scriptable control.
   - Con: Depends on DHCP server capabilities and complexity.
c) Set PKI DNS Suffix via MEBx or OEM Factory
   - Directly write the valid domain into ME firmware.
   - Pro: Works over any interface (Wi-Fi, Thunderbolt dock, etc.).
   - Con: Requires physical access or OEM factory configuration.
d) Use Custom AMT Certificate (Not Public CA)
   - Create your own AMT cert for internal domain and inject your custom Root CA hash into ME firmware.
   - Pro: Bypasses public CA requirement.
   - Con: Requires physical access to insert custom cert + security risk if misused. Limited support in ME FW 18+.
Additional Notes:
   - CN Hostname in the cert is ignored by Intel AMT firmware unless strict validation is enabled.
   - EKU field in the certificate must contain Intel AMT OID: 2.16.840.1.113741.1.2.3
   - Intel recommends activating AMT as early as possible to avoid third-party takeover and ensure secure control.
Best regards,
Vijay N.
Intel Customer Support Technician
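An added example, not part of the thread and not Intel tooling: a planning check that applies the prerequisites from the reply above (AMT EKU OID, PKI DNS Suffix overriding DHCP Option 15, Option 15 read on wired LAN only, public domain) to an endpoint inventory. The dictionary fields, the sample endpoints and the rule that the CN must equal the suffix or be a host under it are assumptions; the firmware's own matching may differ.

```python
# Added illustration of the ACM prerequisites listed in the reply above.
# Field names and the suffix-matching rule are assumptions, not an Intel API.
AMT_EKU_OID = "2.16.840.1.113741.1.2.3"         # OID quoted in the reply
NON_PUBLIC_TLDS = {"local", "corp", "private"}  # examples named in the reply

def effective_suffix(endpoint):
    """PKI DNS Suffix overrides DHCP; Option 15 is read on wired LAN only."""
    if endpoint.get("pki_dns_suffix"):
        return endpoint["pki_dns_suffix"].lower().rstrip(".")
    if endpoint["interface"] == "wired" and endpoint.get("dhcp_option15"):
        return endpoint["dhcp_option15"].lower().rstrip(".")
    return None

def acm_preflight(cert, endpoint):
    """Return the list of blocking problems (empty list = checks pass)."""
    problems = []
    if AMT_EKU_OID not in cert["eku_oids"]:
        problems.append("EKU lacks the Intel AMT OID")
    suffix = effective_suffix(endpoint)
    if suffix is None:
        problems.append("no usable DNS suffix on this interface")
        return problems
    if suffix.rsplit(".", 1)[-1] in NON_PUBLIC_TLDS:
        problems.append("suffix is not a public domain")
    cn = cert["cn"].lower().rstrip(".")
    # Assumed rule: the CN is the suffix itself or a host beneath it.
    if cn != suffix and not cn.endswith("." + suffix):
        problems.append("suffix does not match certificate CN")
    return problems

# Constructed sample data (hypothetical certificate fields and endpoints).
CERT = {"cn": "ema.business.net",
        "eku_oids": ["1.3.6.1.5.5.7.3.1", AMT_EKU_OID]}
FLEET = [
    {"name": "wired-dhcp", "interface": "wired", "dhcp_option15": "business.net"},
    {"name": "wired-local", "interface": "wired", "dhcp_option15": "office.local"},
    {"name": "wifi-dhcp", "interface": "wifi", "dhcp_option15": "business.net"},
    {"name": "wifi-pki", "interface": "wifi", "dhcp_option15": "office.local",
     "pki_dns_suffix": "business.net"},
]

def report(cert, fleet):
    return {e["name"]: acm_preflight(cert, e) for e in fleet}

if __name__ == "__main__":
    for name, problems in report(CERT, FLEET).items():
        print(name, "OK" if not problems else "; ".join(problems))
```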
Hello JVITM,
I am following up on the case and would like to know if I can help you with anything else. Look forward to your response.
Regards,
Pujeeth
Hello JVITM,
I am following up on the case and would like to know if I can help you with anything else. Look forward to your response.
Regards,
Pujeeth
Intel customer support technician
Hi!
So far everything is clear. When I start to put it into production if I find something out of the ordinary I will notify you.
Thank you very much!
Hello JVITM,
Thank you for your update. I’m glad to hear everything is clear so far. Please don’t hesitate to reach out if you encounter anything unusual during the production process. I’ll be happy to assist you.
Best regards,
Vijay N.
Intel Customer Support Technician
