- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I use an Intel EMA server to manage about 120 clients on my campus. I have a PKI certificate and my endpoint groups are set up to use TLS provisioning (not CIRA) and Admin Control Mode. They're also configured to set a random MebX extension password upon connecting to the server, but they all use a common "admin" account password for remote connections.
Everything was working fine until I re-imaged the machines. Now any PC I've re-imaged shows as "Not Connected" in the EMA web interface, and if I reapply/install the provisioning package from their endpoint group it just adds the device as a new PC and the old random password is not recognized, so I can't use the Intel AMT tab to remotely manage the PCs because it can no longer configure those options...
Any advice here would be most welcome!
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello MU_Ryan,
Thank you for joining the community
If you unprovision the endpoint the random Intel MEBX password will be deleted from the Intel EMA database, and thus not retrievable by the API. Before unprovisioning an endpoint, be sure to retrieve its Intel MEBX password and note it down. This is particularly important for LAN-less systems, as you may need to reset the PKI DNS suffix in the Intel MEBX prior to reprovisioning.
I think this might have happened
Regards
Jose A.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Jose,
In this situation I'm definitely on a LAN, and I didn't unprovision the endpoint at all. When I erase/re-image the PC, it shows as "not connected" in the EMA web interface. It acts as though the PC is not reachable through the network, even though nothing has changed (the IP address and Hostname are even the same). The only way I've been able to reconnect to the client PC is by re-provisioning it with the configuration files generated by its endpoint group, but this of course creates a new record in EMA and doesn't use the old, random password, even though the old record still exists in the database. I don't understand why they're not reconnecting after I re-image them. Are we supposed to unprovision all clients before they have Windows re-installed on them?
Also, would it be possible for you to provide a link with instructions no how to retrieve the password for the MebX extension from the EMA database? The documentation I can find online just says "use the API" but I did not see anything in the linked API guide about retrieving this password.
Many thanks,
Ryan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a problem that was solved in MeshCentral, you can see the "Intel AMT Smart Credential Management" feature in this blog. Basically, MeshCentral will keep a log of all Intel AMT activations and what password was used. If an agent is re-installed on a device, the server will look at the Intel AMT UUID and if it matches a previously activated Intel AMT device, it will automatically try the older passwords to see if anyone of them works. If it finds a working password, it will update the device and resume using Intel AMT as normal.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is MeshCentral supposed to be a replacement for EMA? I'd heard of it when I was searching for vPro solutions, but EMA always came up as the official interface for this sort of thing. Are you saying this behavior is intentional, and there's no way to remedy it in EMA? I thought the MebX password was stored outside of the OS, on the chip itself, so even if we re-image the client PCs it shouldn't matter to the EMA interface, as the password would still be valid?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh apologies. I don't work on EMA and Intel EMA is the official Intel tool for Intel vPro. Your correct that once activated, the Intel AMT password is not stored in the OS and so, when you re-image a computer and put a new agent, the server will not know what password to use for Intel AMT so you need to provide it again.
I work with the open source community on a different solution and was just saying that I encountered your exact problem and built a solution for it in the open source solution. I don't think there is nice remedy in Intel EMA right now for this. For Intel EMA, Jose's explanation above is correct.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello MU_Ryan,
What happened during the reimage was that the EMAagent.exe and EMAagent.msh were deleted from the system, then for EMA purposes the system was no longer accessible, and, by reinstalling a new EMAagent.exe and EMAagent.msh, it is like doing a reprovisioning.
You can get the EMA API guide from here: My Document (intel.com)
Regards
Jose A.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Jose,
Does this mean that every time a PC is reimaged we need to use the API to retrieve the MebX password from the EMA database and then do a full unprovision in MebX before imaging it, then use EMA's agent files to reprovision it afterward? That seems like a terrible amount of additional work for something as simple as an operating system refresh. Is there not a way to image a PC and reconnect it to the EMA server using its existing record? I apologize if this sounds petulant, but we reimage hundreds of machines annually and having to manually retrieve passwords for each one and physically touch them to prepare for this process would be ludicrous.
Thank you for your time and patience,
Ryan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello MU_Ryan,
Probably the recommendation would be to fully unprovision the system before doing a reimage. Or alternatively you could setup a manual password instead of the random one, then there won't be necessary to retrieve the password before doing the unprovision/reimage. Another option could be generate a OS image that includes the EMAagent files already installed so it could be possible the system will automatically reconnect after the reimage process.
Probably the root cause of this hassle is that fact that EMA was not designed thinking a system needed to be continuously reimaged. Usually the reimage process is something that doesn't happen that often.
Regards
Jose A.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So that leads to two questions:
1. Can EMA remotely unprovision a client PC like this? As far as I can tell it can't, which means I'd have to physically touch each machine before I reinstalled the operating system. Am I understanding this correctly?
2. Can EMA configure a new machine with a manual password? The only option I can find for the MEBx password is to set one at random (recommended) or to not set one at all. If I'm understanding this correctly, it would again mean touching each machine to set a manual password, which defeats the purpose of using EMA. Furthermore, if you set a manual password in MEBx by physically touching the client PC you cannot use the Intel AMT tab in the EMA web interface, because the EMA server doesn't know what password you set, which again seems counter-intuitive.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello MU_Ryan,
About the unprovisioning, EMA is capable of doing it remotely:
"If the endpoint is in Intel® AMT Client Control Mode, Intel EMA tries to use Intel EMA Agent to issue a CFG_
Unprovision command via Intel® MEI driver, to reset Intel AMT to default factory settings.
If the above fails or the endpoint is in Intel AMT Admin Control Mode, Intel EMA sends to WSMAN request AMT_
SetupAndConfigurationService\Unprovision to reset Intel AMT to default factory settings.
Intel EMA also tries to clear/remove the Active Directory objects created for 802.1X configuration, if this endpoint
group is using an Intel AMT Profile with 802.1X setup"
About the manual password option, let me make sure if you need to physically touch the system. It looks like you will need to by I want confirm.
I will get back to you as soon as I have updates.
Regards
Jose A.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your help, Jose.
I still don't understand why the MEBx connection is lost when reinstalling Windows. I can see how the "Desktop," "Files," and "Processes" tabs for a client machine would be inactive since there is no longer an EMA agent/service running on the target PC, but the "Intel AMT" tab should be connecting directly to the vPro interface using the stored password from the EMA database. The IP Address and domain are still shown correctly, but all the records say "Not Connected" and appear to be incapable of connecting to the vPro hardware...but that shouldn't have anything to do with the OS...right?
--Ryan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello MU_Ryan,
When you re-imaged the system and assuming you also re-installed the agent files, what happens is a new record get’s created…assuming you used the same system name, there will be two records that appear in the EMA console for that endpoint group with the same name. The “not connected” will show in the old record because that agent has been overwritten due to the re-image. But the strange thing is that with the old record, you SHOULD be able to click on the Intel AMT tab and it should still respond. Conversely, the new record, you will be unable to get a response from the Intel AMT tab. You need to unprovision AMT from the OLD record and then reprovision with the new record. I know this is confusing and we need a better way of doing this. We’ll be submitting an enhancement request considering Windows 11 will be coming.
Regards
Jose A.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Again, thank you for your response Jose!
I totally understand about the new agent files creating a new record that isn't associate with the old record's password. The real hiccup is that AMT tab not working for the old record even if I don't try to install new agent files, because I can't perform a full unprovision action. I tested it just now by removing the CMOS battery from the BIOS and completely resetting everything to its Out-Of-Box condition:
First I provisioned this test PC from the EMA server using an automatic configuration profile with a random MEBx password, and everything looked fine - I was able to connect on both the Intel AMT tab and the Desktop tabs within EMA's web interface without any trouble.
I then reimaged the test PC and watched it apply the image through the Intel AMT tab without any problems. I could also watch as it began to install drivers and configure itself after the operating system was applied, but eventually the connection froze/timed out, and when the PC finally came back up to its login screen, now fully configured, I get an endless "Loading..." message on the Intel AMT tab in the EMA interface. Everything looks like it should be working, it just...isn't. (pictures attached)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello MU_Ryan,
Thank you for your feedback. Let me check deeper on this and I will get back to you.
Regards
Jose A.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am dealing with the same frustrating issue. Since Intel EMA is based off of the original Meshcentral, would Intel be able to implement a similar fix to the one Ylian pushed for his Meshcentral2 program?
To ask large organizations to perform a tedious manual process to ensure we won't have to physically touch machines that are in some cases many miles away is not ideal. A
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi MU_Ryan, we are looking through your posts and latest comment. There is a little bit of confusion that I'm having because you mention using TLS mode vs. CIRA but the screen shots provided show CIRA enabled. Can you provide further clarification on this piece?
Regards,
Michael
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Generally I use TLS mode for the automated configuration settings - all of my PCs are on our local domain/intranet, just scattered across different buildings in different parts of town. As part of my troubleshooting over the last few weeks, I've taken my test machines and switched between TLS and CIRA, just to see if enabling or disabling that feature had any impact on the behavior I've been describing. Unfortunately it does not; whether I use CIRA or TLS, after imaging a PC it will not reconnect to the EMA server using the existing record, and the "Intel AMT" tab just shows the loading message from my screenshot.
The ideal solution would be to allow me to set a specific password for the MEBx extension as part of the automatic configuration profile, rather than only a random one, but I understand that is not an option at this time.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @MU_Ryan,
Thank you for the further explanation. Just to give you an update, this has spurred an internal conversation between a few of us. We may need to schedule a session with you. If/when this is needed, I will work with you to set up a time. Still working on this.
Regards,
Michael
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That would be wonderful, please feel free to contact me anytime. Thank you again for your continued communication on this issue.
--Ryan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Michael,
I would also be willing to work with your team on this issue if needed. We have our entire org in EMA and to be able to reset PCs remotely and have EMA recognize the device from a prior OS install would be a godsend. We have a lot of remote sites and this is a big part of why we chose to use Intel EMA/AMT for our org.
-Dennis
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page