Hello.
We have a problem with the AMT setup.
We can configure HBP without any problems.
But we can't configure TLS-PKI.
We created a self-signed certificate according to the requirements, with the addition of an OID and made a chain.
We entered the DNS suffix PKI server-ema.it-ktk.local.
And entered the fingerprint of the root certificate.
But the AMT status hangs on Pending Activation.
How to enable Admin Control correctly?
Hello, alex00900,
The self-certificate option is tricky; it requires some extra steps due to the encryption requirements of the Certificate chain (SHA2). The root and the cert need to be SHA256. Then, it is necessary to manually install the certificate hash in the endpoint. Please be aware that this process needs to be done on every single endpoint.
First, review if both are SHA256.
Open the Microsoft Manage Computer Certificates app, and open the Certificate folder under Certificates - Local Computer > Personal.
Open the Certificate.
Go to the Certification Path tab.
Select the Root Cert and press the View Certificate icon.
In the new window, select the Details tab.
Make sure it is SHA256.
Upload the Certificate chain in the EMA console Settings tab. You should see both lines of the Certificate.
If both are SHA256, it is necessary to perform the steps below.
Hash manual installation using the USBFile.exe tool. Endpoints with Intel® vPRO come with pre-installed hashes of Authorized Certificate vendors.
It is possible to download it from Intel® Active Management Technology SDK.
Note:
USB drive needs to be formatted as FAT (FAT32 and UEFI are not supported)
AMT configuration via USB option needs to be activated in the BIOS of the endpoint.
Finally, add the PKI DNS suffix in the endpoint.
If the issue continues, please share pictures of the Certificate chain (both lines) from the Details tab showing the SHA type.
Add a picture from the settings tab of the EMA console showing the Certificate installation.
And share the results of running the EMA Configuration tool (ECT), which will show the hash inclusion.
Intel® EMA Configuration Tool (ECT)
Installation:
Download and unzip the tool.
Double-click the .msi file and follow the prompts.
Run:
a- Open a command prompt (alternatively, you can run the tool from Windows PowerShell*) as administrator.
b- Navigate to the installation folder (default C:\Program Files (x86)\Intel\EMAConfigTool).
c- Run the command: EMAConfigTool.exe --verbose
Regards,
Miguel C.
Intel Customer Support Technician
Hello, thanks for your reply. We tried to do it with the USBFile.exe tool but couldn't find a suitable libcrypto.dll, taken from OpenSSL.
All our certificates have SHA256. We have made a chain and added it to the EMA server.
Error in the attached screenshot.
Do we need a specific version of the file libcrypto.dll?
We renamed it and dropped it into a folder with USBFile.exe.
We executed the command USBFile.exe -create setup.bin passMEBx passMEBx -amt -hash SERVER-EMA-CA.cer SERVER-EMA-CA sha256
Hello, alex00900,
The case will require further investigation by the engineering team. Please send me in a private message the self-certificate that you created.
Regards,
Miguel C.
Intel Customer Support Technician
Hello, alex00900,
I got the private message with the self-cert. Intel® AMT does not support the .local domain. I am sending the Certificate requisites.
PKI Certificate Verification Methods
Regards,
Miguel C.
Intel Customer Support Technician
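An added example, not part of any post in this thread and not Intel tooling: a PowerShell check of the two points raised in the replies above (every certificate in the chain signed with SHA256, and a DNS suffix that is not under .local), which also reports the root's SHA-256 fingerprint. The function name `Test-AmtPkiChain`, the suffix-matching rule and the sample certificate are assumptions; it needs PowerShell 7 or Windows PowerShell with .NET Framework 4.7.2 or later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Test-AmtPkiChain {   # hypothetical helper name, not an Intel tool
    param(
        [Parameter(Mandatory)] [X509Certificate2[]] $Chain,  # leaf first, root last
        [Parameter(Mandatory)] [string] $DnsSuffix           # PKI DNS suffix set on the endpoint
    )
    # Signature algorithm OIDs that use SHA-256: sha256RSA, ecdsa-with-SHA256
    $sha256Oids = '1.2.840.113549.1.1.11', '1.2.840.10045.4.3.2'
    $hasher = [SHA256]::Create()
    $rows = @(foreach ($cert in $Chain) {
        [pscustomobject]@{
            Subject    = $cert.Subject
            SelfSigned = $cert.Subject -eq $cert.Issuer
            SigAlg     = $cert.SignatureAlgorithm.FriendlyName
            IsSha256   = $cert.SignatureAlgorithm.Value -in $sha256Oids
            # SHA-256 over the DER encoding, to compare with the root fingerprint entered during setup
            Sha256Hash = [BitConverter]::ToString($hasher.ComputeHash($cert.RawData)) -replace '-'
        }
    })
    $hasher.Dispose()
    $leafName = $Chain[0].GetNameInfo([X509NameType]::SimpleName, $false).ToLowerInvariant()
    $suffix   = $DnsSuffix.Trim('.').ToLowerInvariant()
    [pscustomobject]@{
        Certificates      = $rows
        AllSha256         = $rows.IsSha256 -notcontains $false
        RootSha256Hash    = $rows[-1].Sha256Hash
        # Assumption: the leaf CN must equal the suffix or end with ".<suffix>"
        LeafMatchesSuffix = $leafName -eq $suffix -or $leafName.EndsWith(".$suffix")
        SuffixIsDotLocal  = $suffix -eq 'local' -or $suffix.EndsWith('.local')
    }
}

# Constructed sample: an in-memory self-signed certificate standing in for a
# one-certificate chain. For real files use [X509Certificate2]::new('C:\path\cert.cer').
$key = [RSA]::Create(2048)
$req = [CertificateRequest]::new('CN=ema.example.local', $key, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$now = [DateTimeOffset]::UtcNow
$sample = $req.CreateSelfSigned($now, $now.AddDays(1))

$result = Test-AmtPkiChain -Chain $sample -DnsSuffix 'example.local'
$result.Certificates | Format-List
$result | Select-Object AllSha256, RootSha256Hash, LeafMatchesSuffix, SuffixIsDotLocal
```

For the constructed sample, `AllSha256` and `LeafMatchesSuffix` come back true and `SuffixIsDotLocal` is also true, which is the condition the reply above identifies as unsupported.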
Hello, thank you for your reply. Please confirm my understanding of how I will start to redo the CA and create a separate domain.
I need to create a certificate so that it has a name, say "intel.it-ktk.ee", following the table from your link.
Then it will be checked with libcrypto.dll?
And will I be able to proceed to the above written procedure?
Hello, alex00900,
The domain of the EMA Certificate needs to match the domain of your company.
I am gathering more details about the libcrypto.dll file. I will provide an update soon.
Regards,
Miguel C.
Intel Customer Support Technician
Hello, alex00900,
We are still working on your case.
Do you mind confirming the version of the Intel® AMT SDK that you are using?
Latest: Intel® AMT SDK version 16.0.7.1
https://www.intel.com/content/www/us/en/download/704388/intel-amt-sdk.html?cache=1639697797
Regards,
Miguel C.
Intel Customer Support Technician
We mainly use versions 12.0.x.
I'm afraid this topic is no longer relevant because of the necessary actions to enable Admin mode.
It is necessary to deploy a new domain, create all the existing infrastructure on it, reconnect all PCs to this domain, then generate a certificate and it will work.
Correct me if I'm wrong.
While we are using the program to turn on the PC.
Hello, Alex00900,
You are right, it is necessary to create a new domain, Certificate, and provision all the PCs to the new domain.
Regards,
Miguel C.
Intel Customer Support Technician
Hello, Alex00900,
By any chance, have you been able to work on your EMA configuration? Please let us know if I can help you with anything else.
Regards,
Miguel C.
Intel Customer Support Technician
Hello, Alex00900,
I hope this post finds you well.
If further assistance is necessary, do not hesitate to reply.
Regards,
Miguel C.
Intel Customer Support Technician