Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

EMA_API_RemoveEndpoint (403) Forbidden

KevSchu
Beginner
293 Views

I had this working before; however, recently I can no longer use this API script to remove devices en masse from the Intel EMA platform.

 

Retrieving Endpoint ID for Hostname: ComputerName
Invoke-RestMethod : The remote server returned an error: (403) Forbidden.
At line:7 char:18
+ ... endpoints = Invoke-RestMethod -Uri "$emaServerURL/api/$emaAPIVersion/ ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

 

I was on 1.14.3, updated to 1.14.4, have tried several accounts with admin access.  I tried from the App server itself as well.  Everything results in the above error. 

0 Kudos
6 Replies
vij1
Employee
265 Views

Hi KevSchu,


Greetings!


To help us investigate the issue you're facing with the Intel EMA API, could you please provide the following information:


1.     Script Details: Kindly share the full script being used, including the specific API name or endpoint being called.

2.     Network Environment: Have there been any recent changes to your network setup, such as updates to firewall rules, proxy configurations, or server access policies?

3.     API Permissions: Have there been any modifications to the API roles or permissions assigned to the account(s) being used for these operations?


Looking forward to your response.


Best regards,

Vijay N.

Intel Customer Support

 

 


0 Kudos
KevSchu
Beginner
227 Views

1. script snippet EMA_API-RemoveEndpoint.ps1

<#

This snippet removes an Intel EMA Endpoint from Intel EMA. This snippet should be run on the 
endpoint that intended to be removed, as Intel EMA agent uninstallation is executed locally.

The snippet unprovisions Intel AMT by calling the REST API on the Intel EMA server.  Then it 
uninstalls the Intel EMA agent on the local system on which the script is run.  It calls the REST 
API again to have Intel EMA stop managing the endpoint.

See Javascript examples for a similar snippet that uninstalls the Intel EMA agent remotely.

###################################################################################################

Copyright 2024 Intel Corporation.

This software and the related documents are Intel copyrighted materials, and your use of them is 
governed by the express license under which they were provided to you ("License"). Unless the 
License provides otherwise, you may not use, modify, copy, publish, distribute, disclose or 
transmit this software or the related documents without Intel's prior written permission.

This software and the related documents are provided as is, with no express or implied warranties, 
other than those that are expressly stated in the License.

#>

$emaServerURL      = "https://Server.domain.com"
$emaAPIVersion     = "latest" # 'latest' API version supported by EMA 1.4.0 and beyond
$hostname          = Get-Content c:\temp\input.txt
# $localEMAAgentPath = "C:\Program Files\Intel\EMA Agent\EMAAgent.exe" # default install path of Intel EMA agent (unused in this snippet; whole line commented out so the assignment is not left without a value)
$getMEBXPassword   = $FALSE # attempt to retrieve MEBX password if it was randomized by EMA before removing endpoint from EMA
$useADAuth         = $True
$emaUsername       = "<>"
$emaPassword       = "<>"

Write-Host "Target Intel(R) EMA Server = $emaServerURL"

# Get authentication token ########################################################################

if($useADAuth) {
    if ($emaUsername -and $emaPassword) {
        # Retrieve token using provided AD username and password
        $emaPasswordSecure = ConvertTo-SecureString $emaPassword -AsPlainText -Force
        $psCreds = New-Object System.Management.Automation.PSCredential -ArgumentList $emaUsername, $emaPasswordSecure
        $creds = @{upn = $emaUsername; password = $psCreds.GetNetworkCredential().Password }
        $token = Invoke-RestMethod -Uri "$emaServerURL/api/$emaAPIVersion/accessTokens/getUsingWindowsCredentials" -Method Post -Body $creds        
    } else { 
        # Retrieve token using AD credentials of user running this script
        $token = Invoke-RestMethod -Uri "$emaServerURL/api/$emaAPIVersion/accessTokens/getUsingWindowsCredentials" -Method Get -UseDefaultCredentials
    }
}else {
    # Use normal username/password to get token
    $emaPasswordSecure = ConvertTo-SecureString $emaPassword -AsPlainText -Force
    $psCreds = New-Object System.Management.Automation.PSCredential -ArgumentList $emaUsername, $emaPasswordSecure
    $creds = @{username = $emaUsername; password = $psCreds.GetNetworkCredential().Password; grant_type = "password" }
    $token = Invoke-RestMethod -Uri "$emaServerURL/api/token" -Method Post -Body $creds
}

if($token) {
    Write-Host "Received authentication token."
}else {
    Write-Host "Error retrieving authentication token."
    return
}

$headers = @{ }
$headers.Add("Authorization", "$($token.token_type) $($token.access_token)")



#Start removing records from EMA server
$hostname | Foreach-object {
    # Get endpoint ID using hostname ##################################################################

    Write-Host("Retrieving Endpoint ID for Hostname: " + $_)

    $endpoints = $NULL
    $endpoints = Invoke-RestMethod -Uri "$emaServerURL/api/$emaAPIVersion/endpoints?computerName=$_" -Method Get -Headers $headers

    if ($endpoints.count -eq 0) {
        #Write-Host("Unable to find Endpoint ID for hostname: $_")
        return
    } elseif ($endpoints.count -eq 1) {
        # Return first (and only) endpoint ID in array
        Write-Host("EndpointID for $_ is $($endpoints[0].EndpointId)")
        $emaEndpointID = $endpoints[0].EndpointId

        # Stop managing endpoint on Intel EMA server ######################################################
        Write-Host "Stop managing endpoint on Intel EMA server: $emaEndpointID..."
        Invoke-RestMethod -Uri "$emaServerURL/api/$emaAPIVersion/endpoints/$emaEndpointID" -Method Delete -Headers $headers -ErrorVariable respError
        if (!$respError) {
            Write-Host "Endpoint removed."
        } else {
            Write-Host "Stop management request failed: " $respError
            return
        }

    } elseif ($endpoints.count -gt 1) {
        Write-Host("More than one match found for hostname: $_")
        $endpoints | Foreach-object {
            #Write-Host "EndpointID for $_ is $_.EndpointId.endpointid"
            Write-Host "EndpointID for" $_.ComputerName "is" $_.EndpointID
            $emaEndpointID = $_.EndpointId

            # Stop managing endpoint on Intel EMA server ######################################################
            Write-Host "Stop managing endpoint on Intel EMA server: $emaEndpointID..."
            Invoke-RestMethod -Uri "$emaServerURL/api/$emaAPIVersion/endpoints/$emaEndpointID" -Method Delete -Headers $headers -ErrorVariable respError
            if (!$respError) {
                Write-Host "Endpoint removed."
            } else {
                Write-Host "Stop management request failed: " $respError
                return
            }
        }
    }    
}

2. no changes

3. no changes 

0 Kudos
vij1
Employee
131 Views

Hi KevSchu,

 

I have tested the API: EMA_API-RemoveEndpoint.ps1 with the latest EMA version 1.14.4.0, and no issues were found.

 

Note:

The recommended use case for the EMA_API-RemoveEndpoint.ps1 script is to run it on the local endpoint. Please remember that these are sample scripts and not supported. However, the EMA 1.14.4.0 authentication flow does not seem to have changed, where it will provoke auth 403 forbidden errors. Please check your environment again and any script changes.

 

Results of my test:

From EMA 1.14.4.0 Server

PS C:\Users\SUT\Downloads> .\EMA_API-RemoveEndpoint.ps1

Target Intel EMA Server = https://ema.vprodemo.com

Received authentication token.

Retrieving Endpoint ID for Hostname: SUT

EndpointID for SUT is 5080F1F3E96810B949D2CA87AF7CCF96B71E509C4AEC482C9EBAC6825298D580

Retrieving endpoint state for: 5080F1F3E96810B949D2CA87AF7CCF96B71E509C4AEC482C9EBAC6825298D580

Intel EMA agent is connected...

Retrieving endpoint provisioning record...

Endpoint AMT is not fully unprovisioned, checking for provisioning record...

Provisioning record found, attempting to unprovision endpoint AMT...

Waiting for Intel EMA to unprovision endpoint AMT... 1

Waiting for Intel EMA to unprovision endpoint AMT... 2

Waiting for Intel EMA to unprovision endpoint AMT... 3

Waiting for Intel EMA to unprovision endpoint AMT... 4

Waiting for Intel EMA to unprovision endpoint AMT... 5

Waiting for Intel EMA to unprovision endpoint AMT... 6

Waiting for Intel EMA to unprovision endpoint AMT... 7

Waiting for Intel EMA to unprovision endpoint AMT... 8

Waiting for Intel EMA to unprovision endpoint AMT... 9

Waiting for Intel EMA to unprovision endpoint AMT... 10

Waiting for Intel EMA to unprovision endpoint AMT... 11

Endpoint AMT unprovisioning complete.

Uninstalling Intel EMA agent...

EmaAgent uninstalledStop managing endpoint on Intel EMA server: 5080F1F3E96810B949D2CA87AF7CCF96B71E509C4AEC482C9EBAC6825298D580...

Endpoint removed.

 

I encourage you to review your environment and script and try again.


Best regards,

Vijay N

Intel Customer Support


0 Kudos
KevSchu
Beginner
98 Views

Well, sure enough it still works.  Zscaler was the issue, disabled it and everything started working again.

 

We use this script en masse because when machines are replaced hundreds at a time, it's easier to pull a list of them and send them through this script.

0 Kudos
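Added example, not part of the thread or of Intel's sample script: a diagnostic that reports who actually answered a failing request, which is what separates a 403 from the EMA server from a 403 injected by a TLS-inspecting web gateway such as the one named above. It assumes Windows PowerShell 5.1; `Get-HttpErrorOrigin` and `-ExpectedIssuerPattern` are hypothetical names, and only the URL shape and `$headers` come from the posted script.

```powershell
# Added example for Windows PowerShell 5.1 (.NET Framework HttpWebRequest).
# Get-HttpErrorOrigin and -ExpectedIssuerPattern are hypothetical names.
function Get-HttpErrorOrigin {
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [hashtable] $Headers = @{},
        [string] $ExpectedIssuerPattern   # regex for the CA that issued the EMA server certificate
    )

    $req = [System.Net.WebRequest]::Create($Uri)
    $req.Method = 'GET'
    foreach ($name in $Headers.Keys) { $req.Headers[$name] = $Headers[$name] }

    try {
        $resp = $req.GetResponse()
    } catch {
        # PowerShell wraps .NET exceptions; walk down to the WebException.
        $webEx = $_.Exception
        while ($webEx -and $webEx -isnot [System.Net.WebException]) { $webEx = $webEx.InnerException }
        # No HTTP response at all means DNS, TCP or TLS failed before any status was returned.
        if (-not $webEx -or -not $webEx.Response) { throw }
        $resp = $webEx.Response   # 4xx/5xx responses still carry status, headers and body
    }

    $body = ''
    $stream = $resp.GetResponseStream()
    if ($stream) {
        $reader = New-Object System.IO.StreamReader($stream)
        $body = $reader.ReadToEnd()
        $reader.Dispose()
    }

    $cert   = $req.ServicePoint.Certificate   # certificate presented to this client
    $issuer = if ($cert) { $cert.Issuer } else { $null }

    [pscustomobject]@{
        StatusCode       = [int]$resp.StatusCode
        Server           = $resp.Headers['Server']
        Via              = $resp.Headers['Via']
        ContentType      = $resp.ContentType
        TlsIssuer        = $issuer
        IssuerAsExpected = if ($ExpectedIssuerPattern) { $issuer -match $ExpectedIssuerPattern } else { $null }
        BodyStart        = $body.Substring(0, [Math]::Min(200, $body.Length))
    }
    $resp.Close()
}

# Usage with the variables from the script above; the issuer pattern is a placeholder:
# Get-HttpErrorOrigin -Uri "$emaServerURL/api/$emaAPIVersion/endpoints?computerName=ComputerName" `
#     -Headers $headers -ExpectedIssuerPattern '<name of the CA that issued your EMA certificate>'
```

A `TlsIssuer` that is not the CA that signed the EMA server certificate, or an HTML block page in `BodyStart`, indicates that an inspecting proxy answered the request rather than the EMA server.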
vij1
Employee
95 Views

Hi KevSchu,

 

Thanks for confirming — glad to hear it’s working now!

 

Good to know Zscaler was the root cause. Disabling it seems to have resolved the issue effectively.

Also, it makes perfect sense to use the script in bulk for large-scale machine replacements.

 

Let us know if you need any further assistance or if anything else comes up.

 

Best regards,

Vijay N


0 Kudos
vij1
Employee
86 Views

Hi KevSchu,

 

Thanks for confirming — glad to hear it’s working now!

 

Good to know Zscaler was the root cause. Disabling it seems to have resolved the issue effectively.

Also, it makes perfect sense to use the script in bulk for large-scale machine replacements. That’s a smart and efficient approach.

 

Let us know if you need any further assistance or if anything else comes up.

 

Best regards,

Vijay N


0 Kudos