Deploy EMA Agent During SCCM Task Sequence when rebuild Windows 10

TL_Aus2022 · ‎08-23-2022

Hi All

Overview
Currently in the environment there is AMT running and there has been a project to setup EMA.
The Server \ console \ Cert \ EMA agent have all been configured and work if the following steps are done manually.

BIOS update
Intel ME Firmware update - 11.8.92.4249

Intel ME Drivers install - 2102.100.0.1044

Unprovision - acuconfig.exe Unconfigure /RCSaddress 192.168.***.*** /Full

EMA agent install

The above steps work as well if it s deploy via SCCM via a task sequence with a few reboots put in there.

So the problem I have is when I want to rebuild \ re-image the machine I get the following error in the EMA agent log file. (see attached log)
With in the console I get 3 PC name all the same (attached image) the top pc is the original one before the rebuild.
The second one was created at the end of the rebuild of a PC when it finished, but as you can see not connected and provision.
The third PC was created 3 days later for some reason unknonwn and it says connected and provision.

Here is the interesting part if view the buttom one I see the following See image

General Tab (attached Image) - shows that is is all provision and if I click on Action and then Provision Intel AMT you see what is in the attached image (Provision Intel AMT)
Hardware Manageability Tab (attached Image) is weird where it just sits on Loading. So can't connected to the PC that way
Desktop Tabe (attached image) If I click connected there then I can access the machines.
File Tab (attached image) also the same I can access the PC files.

So it seem that there is something with the certificate that is not getting assigned to the machine when it is build.
Have a look at the EmaAgent.log and let me know your thoughts

thank
TL

MIGUEL_C_Intel · ‎08-25-2022

Hello, Thomas,

We are glad to hear you again.

We reviewed the log and the troubleshooting is below:

It is necessary to unprovisioning the endpoints before doing the rebuilding of Windows 10.

It is possible to gather the admin password using Intel® SCS.

Look forward to your outcome; if there is no response to this email, we will send you a follow-up on 8/29/2022.

TL_Aus2022 · ‎08-25-2022

hi Miguel

In the meeting that happened a few weeks ago with Brad and the intel team I ask the question if it can be done during the build process.
One of the techs on the call mention to use Meshcmd.exe to unprovision it as it works better to unprovision instead of AUconfig tool.

This is the command I have set in the task sequence with a 2minute wait just before the EMA Agent gets installed.
cmd /c meshcmd.exe AmtAcmDeactivate --password ***PASSWORD*** --type full

I will unprovision the machine before the rebuild as a test but we would really like to have it all automated with in the build just to make it simpler when other teams need to rebuild the PCs

So I kicked off a build and are you can see in Mesh Unprovision image the time stamp is at 3:00pm Yesterday
Then 30ish minutes late the EMA Agent start at 3:31pm as shown in the other image

I ran the command Meschcmd AmtAuditlog which provide some interesting information which you can see in Messch Auditlog image.
There is shows the unprovisioning started then 31 min later the provisionin started then the time stamp is correct to show 15:32 (3:32pm)

So question I see the the unprovision is run by Admin and the provision is run by local is that going to cause issues?

Thanks

MIGUEL_C_Intel · ‎08-28-2022

Hello, Thomas,

Yes, you are right Mesh Commander (a third-party tool) is an alternative way to unprovision the endpoints.

Regarding the second question, please let us know if the provisioning of the endpoints was set locally intentionally. I am searching for your current configuration; an answer will be provided soon.

TL_Aus2022 · ‎08-28-2022

Thanks Miguel.

If we need to setup a meeting please email Brad or my self with details as I will be out of the office from the 1st - 6th September returning the 7th.