We are using EMA V 1.11.1.0 and our endpoints re-register on every reboot.
On each reboot a new endpoint with the same hostname is added to the managed endpoints. The new endpoint is shown as "Connected", all other endpoints are "Not Connected".
Management of the new registered endpoint is not possible.
Please see attached screenshot.
What causes the multiple registrations?
Best regards, markus
Hello, MarkusLöffler,
Intel® EMA is showing duplicate lines for the same endpoint. By any chance, did you update the EMA software version recently or reinstall the OS in the endpoint?
The picture only shows 1 endpoint; is it a test installation? If this is the scenario, I suggest you unprovision the endpoint (From the Endpoints tab, select the machine > go to actions > select provision, and from the new window choose unprovision).
Then, go to the endpoint and run the EMA agent file as administrator, select uninstall.
Finally, download and install the new EMA agent file to the endpoint.
There are more causes; I am sending the article 000095186. It provides additional steps for troubleshooting.
Handling Duplicate Endpoints in Intel® Endpoint Management Assistant (Intel® EMA)
I will gladly provide further assistance if necessary.
Regards,
Miguel C.
Intel Customer Support Technician
Hello Miguel,
Sorry, I did not get a notice that you replied to my answer.
No, we did not make any changes to the endpoint. The only thing that causes the multiple registrations is a reboot of the device.
In the meantime I uninstalled the EMA Agent from the endpoint and unprovisioned AMT, also removed the multiple entries of that endpoint from EMA.
After that I reinstalled the OS on the endpoint, just to make sure there is no issue coming from there.
I will re-install the EMA Agent today and reply with the outcome.
Best regards, Markus
Hello, MarkusLöffler,
I am following up on your post and wondering if further assistance is necessary. Look forward to your reply.
Regards,
Miguel C.
Intel Customer Support Technician
Hello, MarkusLöffler,
I hope you are doing well. Do not hesitate to reply if I can help you with anything else.
Regards,
Miguel C.
Intel Customer Support Technician
Hello Miguel,
Today I worked through the document you sent me.
I removed the endpoint from EMA, and unprovisioned AMT. After that I provisioned AMT again (USB stick) and reinstalled the EMA Agent.
Unfortunately the behaviour is still the same.
The endpoint creates a new entry in EMA on every reboot; in fact, on every restart of the Intel(R) EMA Agent background service on the endpoint a new entry is being created.
Therefore I enabled advanced logging of the EMA Agent and found this:
[2023-11-16 03:37:38.278 PM] \Agent\MeshManageability\agent\core\meshcore.c:856 Starting EMA Agent v1.11.1
[2023-11-16 03:37:38.341 PM] \Agent\MeshManageability\agent\core\meshcore.c:1001 EmaCore: Port 16991 Bind SUCCESS
[2023-11-16 03:37:38.378 PM] \Agent\MeshManageability\agent\core\wincrypto.cpp:247 Failed trying to get Windows Cryptographic Context. Last error: -2146885628
[2023-11-16 03:37:38.378 PM] \Agent\MeshManageability\agent\core\wincrypto.cpp:268 Creating new EMA Agent root certificate. Last error: 183
[2023-11-16 03:37:38.413 PM] \Agent\MeshManageability\agent\core\wincrypto.cpp:296 Error generating RSA key-pair. Last error: 0
[2023-11-16 03:37:38.413 PM] \Agent\MeshManageability\agent\core\meshctrl.c:386 Failed to open WinCrypto. Last error: 183
[2023-11-16 03:37:41.114 PM] \Agent\MeshManageability\agent\core\meshinfo.c:375 SKU is AMT
[2023-11-16 03:37:43.148 PM] \Agent\MeshManageability\agent\core\meshinfo.c:396 Could not obtain Intel(R) AMT Soft disabled state. Error code: 1
[2023-11-16 03:37:43.149 PM] \Agent\MeshManageability\agent\heci\UniquePlatformIdCommand.c:149 UniquePlatformId_FeatureStateGet: Status code 2066 (0 means success) - FeatureEnabled '0'
[2023-11-16 03:37:43.149 PM] \Agent\MeshManageability\agent\heci\UniquePlatformIdCommand.c:79 UniquePlatformId_FeatureStateSet(1) Status code: 1 (0 means success)
[2023-11-16 03:37:43.149 PM] \Agent\MeshManageability\agent\heci\UniquePlatformIdCommand.c:115 UniquePlatformId_Get: Status code 2066 (0 means success) - CSMEPlatformId '0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 '
[2023-11-16 03:37:43.150 PM] \Agent\MeshManageability\agent\heci\UniquePlatformIdCommand.c:79 UniquePlatformId_FeatureStateSet(0) Status code: 1 (0 means success)
[2023-11-16 03:37:43.236 PM] \Agent\MeshManageability\agent\core\meshinfo.c:375 SKU is AMT
[2023-11-16 03:37:45.273 PM] \Agent\MeshManageability\agent\core\meshinfo.c:396 Could not obtain Intel(R) AMT Soft disabled state. Error code: 1
[2023-11-16 03:37:45.274 PM] \Agent\MeshManageability\agent\heci\UniquePlatformIdCommand.c:149 UniquePlatformId_FeatureStateGet: Status code 2066 (0 means success) - FeatureEnabled '0'
[2023-11-16 03:37:45.274 PM] \Agent\MeshManageability\agent\heci\UniquePlatformIdCommand.c:79 UniquePlatformId_FeatureStateSet(1) Status code: 1 (0 means success)
[2023-11-16 03:37:45.274 PM] \Agent\MeshManageability\agent\heci\UniquePlatformIdCommand.c:115 UniquePlatformId_Get: Status code 2066 (0 means success) - CSMEPlatformId '0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 '
[2023-11-16 03:37:45.275 PM] \Agent\MeshManageability\agent\heci\UniquePlatformIdCommand.c:79 UniquePlatformId_FeatureStateSet(0) Status code: 1 (0 means success)
[2023-11-16 03:37:45.303 PM] \Agent\MeshManageability\agent\core\meshcore.c:1139 Start node update timer
[2023-11-16 03:37:45.303 PM] \Agent\MeshManageability\agent\core\meshcore.c:1141 First attempt to connect to the EMA service
[2023-11-16 03:37:45.347 PM] \Agent\MeshManageability\agent\core\meshinfo.c:375 SKU is AMT
[2023-11-16 03:37:47.382 PM] \Agent\MeshManageability\agent\core\meshinfo.c:396 Could not obtain Intel(R) AMT Soft disabled state. Error code: 1
[2023-11-16 03:37:47.383 PM] \Agent\MeshManageability\agent\heci\UniquePlatformIdCommand.c:149 UniquePlatformId_FeatureStateGet: Status code 2066 (0 means success) - FeatureEnabled '0'
[2023-11-16 03:37:47.383 PM] \Agent\MeshManageability\agent\heci\UniquePlatformIdCommand.c:79 UniquePlatformId_FeatureStateSet(1) Status code: 1 (0 means success)
[2023-11-16 03:37:47.383 PM] \Agent\MeshManageability\agent\heci\UniquePlatformIdCommand.c:115 UniquePlatformId_Get: Status code 2066 (0 means success) - CSMEPlatformId '0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 '
[2023-11-16 03:37:47.383 PM] \Agent\MeshManageability\agent\heci\UniquePlatformIdCommand.c:79 UniquePlatformId_FeatureStateSet(0) Status code: 1 (0 means success)
[2023-11-16 03:37:50.335 PM] \Agent\MeshManageability\agent\core\meshcore.c:1512 EMA Server DNS lookup trying to find DNS value
[2023-11-16 03:37:50.345 PM] \Agent\MeshManageability\agent\core\meshcore.c:1590 Forcing non-usage of the HTTPS proxy
[2023-11-16 03:37:50.346 PM] \Agent\MeshManageability\agent\core\meshcore.c:1605 Attempting to connect to EMA Server
[2023-11-16 03:37:50.346 PM] \Agent\MeshManageability\agent\microstack\ILibAsyncSocket.c:918 ILibAsyncSocket_ConnectTo() finished
[2023-11-16 03:37:50.362 PM] \Agent\MeshManageability\agent\core\meshcore.c:565 Connected to ema service.
[2023-11-16 03:37:50.363 PM] \Agent\MeshManageability\agent\core\meshcore.c:583 Send the endpoint information block data to Swarm server
[2023-11-16 03:37:50.364 PM] \Agent\MeshManageability\agent\core\meshcore.c:611 Send the Timezone Information to the Swarm Server
[2023-11-16 03:37:50.414 PM] \Agent\MeshManageability\agent\core\meshctrl.c:1608 Got GETSTATE from server with query 8
[2023-11-16 03:37:50.423 PM] \Agent\MeshManageability\agent\core\meshctrl.c:1608 Got GETSTATE from server with query 2
[2023-11-16 03:37:50.423 PM] \Agent\MeshManageability\agent\core\meshctrl.c:1608 Got GETSTATE from server with query 1
[2023-11-16 03:37:50.423 PM] \Agent\MeshManageability\agent\core\meshctrl.c:1608 Got GETSTATE from server with query 15
[2023-11-16 03:37:50.493 PM] \Agent\MeshManageability\agent\core\meshctrl.c:1608 Got GETSTATE from server with query 15
[2023-11-16 03:37:50.508 PM] \Agent\MeshManageability\agent\core\meshctrl.c:1608 Got GETSTATE from server with query 15
[2023-11-16 03:37:50.589 PM] \Agent\MeshManageability\agent\core\meshctrl.c:1608 Got GETSTATE from server with query 15
[2023-11-16 03:37:50.666 PM] \Agent\MeshManageability\agent\core\meshcore.c:524 GotShortEndPointer
[2023-11-16 03:38:02.981 PM] \Agent\MeshManageability\agent\core\meshctrl.c:1608 Got GETSTATE from server with query 0
[2023-11-16 03:38:02.981 PM] \Agent\MeshManageability\agent\core\meshcore.c:524 GotShortEndPointer
[2023-11-16 03:38:06.412 PM] \Agent\MeshManageability\agent\core\meshinfo.c:375 SKU is AMT
For me it looks like on every restart of the EMA Service a new certificate and, with that, a new node id in the registry is being created, but why?
Best regards, Markus
Hello Miguel,
Today I reinstalled the EMA Agent on the newly installed workstation.
Unfortunately, the endpoint still re-registers on every reboot, even when I just restart the Intel EMA background service.
I enabled enhanced logging on the Agent and found the following:
[2023-11-16 02:49:01.340 PM] \Agent\MeshManageability\agent\core\meshcore.c:856 Starting EMA Agent v1.11.1
[2023-11-16 02:49:01.405 PM] \Agent\MeshManageability\agent\core\meshcore.c:1001 EmaCore: Port 16991 Bind SUCCESS
[2023-11-16 02:49:01.436 PM] \Agent\MeshManageability\agent\core\wincrypto.cpp:247 Failed trying to get Windows Cryptographic Context. Last error: -2146885628
[2023-11-16 02:49:01.436 PM] \Agent\MeshManageability\agent\core\wincrypto.cpp:268 Creating new EMA Agent root certificate. Last error: 183
[2023-11-16 02:49:01.454 PM] \Agent\MeshManageability\agent\core\wincrypto.cpp:296 Error generating RSA key-pair. Last error: 0
[2023-11-16 02:49:01.455 PM] \Agent\MeshManageability\agent\core\meshctrl.c:386 Failed to open WinCrypto. Last error: 183
It creates a new node-id on every service restart. It looks like an issue with the certificate, but this occurs only with this endpoint.
How can I fix the certificate error on this endpoint?
Best regards, Markus
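Added example, not part of the original thread and not Intel tooling: a small analyzer for the agent-log excerpts posted above that splits the log into agent starts, flags every start that creates a new root certificate, and decodes the "Last error" values (-2146885628 is the signed form of HRESULT 0x80092004, CRYPT_E_NOT_FOUND; 183 is ERROR_ALREADY_EXISTS). The function names are hypothetical, and the check assumes an agent with a stable identity would not log certificate creation on every start.

```python
import re
from dataclasses import dataclass, field

# Lines copied from the two agent-log excerpts posted in this thread.
SAMPLE_LOG = r"""
[2023-11-16 02:49:01.340 PM] \Agent\MeshManageability\agent\core\meshcore.c:856 Starting EMA Agent v1.11.1
[2023-11-16 02:49:01.436 PM] \Agent\MeshManageability\agent\core\wincrypto.cpp:247 Failed trying to get Windows Cryptographic Context. Last error: -2146885628
[2023-11-16 02:49:01.436 PM] \Agent\MeshManageability\agent\core\wincrypto.cpp:268 Creating new EMA Agent root certificate. Last error: 183
[2023-11-16 02:49:01.454 PM] \Agent\MeshManageability\agent\core\wincrypto.cpp:296 Error generating RSA key-pair. Last error: 0
[2023-11-16 02:49:01.455 PM] \Agent\MeshManageability\agent\core\meshctrl.c:386 Failed to open WinCrypto. Last error: 183
[2023-11-16 03:37:38.278 PM] \Agent\MeshManageability\agent\core\meshcore.c:856 Starting EMA Agent v1.11.1
[2023-11-16 03:37:38.378 PM] \Agent\MeshManageability\agent\core\wincrypto.cpp:247 Failed trying to get Windows Cryptographic Context. Last error: -2146885628
[2023-11-16 03:37:38.378 PM] \Agent\MeshManageability\agent\core\wincrypto.cpp:268 Creating new EMA Agent root certificate. Last error: 183
[2023-11-16 03:37:38.413 PM] \Agent\MeshManageability\agent\core\wincrypto.cpp:296 Error generating RSA key-pair. Last error: 0
[2023-11-16 03:37:38.413 PM] \Agent\MeshManageability\agent\core\meshctrl.c:386 Failed to open WinCrypto. Last error: 183
"""

# Windows error values seen in the excerpts, keyed by unsigned 32-bit code.
KNOWN_ERRORS = {
    0x00000000: "ERROR_SUCCESS",
    0x000000B7: "ERROR_ALREADY_EXISTS",  # logged as 183
    0x80092004: "CRYPT_E_NOT_FOUND",     # logged as -2146885628
}

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<src>\S+):(?P<line>\d+)\s+(?P<msg>.*)$")
LAST_ERROR_RE = re.compile(r"Last error:\s*(-?\d+)")


def decode_last_error(value):
    """Turn a signed decimal 'Last error' into (hex HRESULT/Win32 code, name)."""
    code = value & 0xFFFFFFFF
    return f"0x{code:08X}", KNOWN_ERRORS.get(code, "unknown")


@dataclass
class AgentStart:
    started: str                      # timestamp of the first line of this start
    regenerated_cert: bool = False    # True if a new root certificate was created
    errors: list = field(default_factory=list)  # (file:line, hex code, name)


def analyze(log_text):
    """Group log lines by agent start and collect certificate-related findings."""
    sessions = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or wrapped line
        msg = m["msg"]
        if msg.startswith("Starting EMA Agent"):
            sessions.append(AgentStart(started=m["ts"]))
            continue
        if not sessions:
            # Excerpt begins mid-start (no "Starting EMA Agent" line captured).
            sessions.append(AgentStart(started=m["ts"]))
        current = sessions[-1]
        if "Creating new EMA Agent root certificate" in msg:
            current.regenerated_cert = True
        err = LAST_ERROR_RE.search(msg)
        if err:
            source = m["src"].rsplit("\\", 1)[-1] + ":" + m["line"]
            current.errors.append((source, *decode_last_error(int(err.group(1)))))
    return sessions


def regenerates_on_every_start(sessions):
    """Assumed symptom of an unstable agent identity: at least two starts seen,
    and each one created a new root certificate."""
    return len(sessions) >= 2 and all(s.regenerated_cert for s in sessions)


def report(sessions):
    """Human-readable summary, one block per agent start."""
    lines = []
    for s in sessions:
        state = "NEW ROOT CERT" if s.regenerated_cert else "no certificate creation logged"
        lines.append(f"{s.started}: {state}")
        for source, code, name in s.errors:
            lines.append(f"    {source}: {code} {name}")
    if regenerates_on_every_start(sessions):
        lines.append("Every start created a new root certificate.")
    return lines


if __name__ == "__main__":
    print("\n".join(report(analyze(SAMPLE_LOG))))
```

Run against a full agent log, a start that shows no certificate creation next to ones that do narrows down when the key material stopped persisting.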
Hello, Markus,
As per the logs you are right, the Certificate is failing, and the validation with the Swarm Server is failing. If I understood correctly; you are inserting the Self-Certificate via USB; and then, running the EMA agent file. Please confirm if I am right.
If this is the case EMA v1.11.1 is in Admin mode.
Double-check the Self-Certificate is SHA256 (EMA only supports TLS 1.2; version TLS 1.1 or older was deprecated).
There is a newer way to provision endpoints without buying the Certificate. It requires some extra steps.
First, uninstall the EMA agent file. Access the installation file with Admin rights and select uninstall.
Go to the EMA server, and Stop managing all the duplicate lines including the provisioned ones.
Then,
- To prevent possible issues, perform a Full Unprovision of the endpoint from MEBEX BIOS.
- Go into MEBX and under Intel® AMT Configuration Network Access State choose Network Activate.
- Change the User Consent in MEBX to NONE. This will allow us to do OOB KVM without any user interaction.
- Next, review if the EMA profile (Server) is in CIRA mode and set the desired settings. You already have it (only review).
- Enable AMT Auto-setup and choose the right profile.
- Choose HBP (Host Base Provisioning), and create your own password, disable randomized password. This will make the adoption easier.
- Now, download the Intel® EMA API. We will use the adopted scripts to pull the endpoint into EMA. https://www.intel.com/content/www/us/en/download/19693/intel-endpoint-management-assistant-intel-ema-api-sample-scripts.html
- Install the EMA agent into the endpoint and it should show in the WebUI and provisioned into ACM. However, it will show as provisioned by another tool. That is because it has already been provisioned manually in MEBX (Select endpoint, Select from Actions: Provision).
- The easiest way to adopt a single system is to use the Adopt-AMTSetupBySearch PS script.
- Run the search and fill out the CLI request or you can do it all with PS> ./Adopt-AMTSetupBySearch.ps1 -emaServerURL <type the FQDN> -searchMethod hostnameStart -searchString laptop.
- The Command will request the credentials of the EMA Tenant.
- The Powershell script actually has examples in it for future scripting purposes.
- Bring up Platform Manager and verify if everything went smoothly. Also, verify in the EMA WebUI. The endpoint should have now been adopted in ACM since that was set up in MEBX, despite the auto-setup specifying HBP.
I look for your outcome.
Regards,
Miguel C.
Intel Customer Support Technician
Hello Miguel,
I worked through your instructions successfully until step 11, where I enter my Tenant-Administrator credentials, and after that the script fails with the following error:
cmdlet Adopt-AMTSetupBySearch_UDELP-IEMA01.ps1 at command pipeline position 1
Supply values for the following parameters:
emaServerURL: https://udelp-iema01.de.uhlmann-net.de
searchMethod: hostnameStart
searchString: PC5517
Invoke-WebRequest : {"error":"unsupported_grant_type","error_description":"Standard OAuth authorization grant is
disabled. Please use GET /accessTokens/getUsingWindowsCredentials URI instead."}
At \\uhldevfs02\software$\Intel\EMA - AMT\Intel_EMA_API_Sample_Scripts_v1_7\PowerShell\Example
Scripts\Adopt-AMTSetupBySearch_UDELP-IEMA01.ps1:195 char:24
+ ... { $token = Invoke-WebRequest -Uri "$emaServerURL/api/token" -UseBasi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
eption
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
Second, when I check the EMAAgent Log on the endpoint PC5517, it still throws the certificate error:
[2023-11-20 12:25:32.768 PM] \Agent\MeshManageability\agent\core\wincrypto.cpp:247 Failed trying to get Windows Cryptographic Context. Last error: -2146885628
[2023-11-20 12:25:32.769 PM] \Agent\MeshManageability\agent\core\wincrypto.cpp:268 Creating new EMA Agent root certificate. Last error: 0
[2023-11-20 12:25:32.776 PM] \Agent\MeshManageability\agent\core\wincrypto.cpp:296 Error generating RSA key-pair. Last error: 0
[2023-11-20 12:25:32.776 PM] \Agent\MeshManageability\agent\core\meshctrl.c:386 Failed to open WinCrypto. Last error: 183
Best regards, Markus
Hello, Markus,
Are you running the steps from the EMA server with admin rights and using the Tenant account credentials? Do you have Windows Active Directory?
Regards,
Miguel C.
Intel Customer Support Technician
Hello Miguel,
Thank you for the hint regarding Active Directory! Yes, we are using AD auth and I managed to run the script with the parameter "-useADauth" and the Tenant-Admin credentials now.
It looks like the command was successful:
Retrieving Endpoint IDs for hostnames starting with: PC5517
86663E76FD2BE39F2F30C708A6E01C995AB67B41014A7800FCD9A38600CDE553 - PC5517
Found 1 endpoint(s)
Enter 1 to submit an adopt AMT setup request for all endpoints found, or any other value to exit >: 1
Endpoint (86663E76FD2BE39F2F30C708A6E01C995AB67B41014A7800FCD9A38600CDE553 - PC5517) - Adoption request successfully submitted.
Adoption request(s) submitted for 1 of 1 endpoints found.
But: The endpoint (PC5517) still re-registers on every reboot and it still throws the crypto-error in the EMAagent logs. This is related to just this one single endpoint.
I managed to provision three other endpoints of the same hardware type without problems.
This leads me to another question. The goal is to remotely power-on endpoints when they have been accidentally powered off.
At the moment the "wake" function does not work, the PCs do not power on, even the ones that are connected to EMA and have AMT status "provisioned".
In the EMASwarmServer Eventlog I see the error:
21.11.2023 08:24:49 Error:Error building Wake-on-LAN packet.
Do you think it would be possible to arrange a remote session to go through our configuration?
Best regards, Markus
Hello, Markus,
I am glad the command helped you to provision the endpoints.
Before setting a meeting, we need to gather some documentation of your current settings and let you know some exceptions or restrictions.
Laptops or machines connected through the internet via Wireless (Intel® network cards only) are not capable of being turned on, or accessing the BIOS of them. Machines need to be in Windows; Intel® AMT requires the network card driver operation.
Details on Intel® Endpoint Management Assistant (Intel® EMA) Configuring LAN-less Endpoints to ACM
Please provide the following information:
Current EMA software version.
Do you have more than one EMA server?
OS of the server and the SQL version.
Are OS and database in the same machine; Physical or Virtual?
Run the Intel® EMA Configuration Tool (ECT) in the failing endpoint. You can send it as a private message.
Installation:
Download and unzip the tool.
Double-click the .msi file and follow the prompts.
Run:
a-Open a command prompt as administrator (alternatively, you can run the tool from Windows PowerShell*).
b-Navigate to the installation folder (default C:\Program Files (x86)\Intel\EMAConfigTool).
c-Run the command: EMAConfigTool.exe --verbose
Please remember to unprovision (actions>Provision AMT) and the action>stop the provisioning of the endpoint from the EMA Web console (delete all the duplicate lines). Then, go to the endpoint, uninstall the EMA agent file (run as administrator), and finally access MEBEX and perform a full unprovisioning.
I look forward to your feedback.
Regards,
Miguel C.
Intel Customer Support Technician
Hello Miguel,
I am aware of the restrictions regarding LAN-less endpoints, but we are managing only workstation-PCs in our LAN with direct ethernet connection.
Regarding your questions:
Current EMA software version : 1.11.1.0
Do you have more than one EMA server? : We are running only one server with all roles
OS of the server and the SQL version. : Server OS is Windows Server 2022 Build 21H2, SQL Server Express 2019
Are OS and database in the same machine; Physical or Virtual? : All located on the same virtual server.
Output of the EMA configtool:
Intel EMA Configuration Tool
Application Version: 1.1.0.183
Scan Date: 22.11.2023 16:58:11
*** Host Computer Information ***
Computer Name: PC5535
Manufacturer: HP
Model: HP Z4 G4 Workstation
Processor: Intel(R) Xeon(R) W-2123 CPU @ 3.60GHz
Windows Version: Microsoft Windows 10 Enterprise
BIOS Version: P61 v02.91
UUID: 2D3D9FEF-122D-736F-BA0F-42E53FB74FDA
*** SMBIOS Information ***
AMT Supported: True
AMT Enabled: True
SMBIOS ME SKU: Intel(R) Full AMT Manageability
SMBIOS ME Version: 11.12.94.2479
KVM Supported: False
SOL Supported: True
USB-R supported in BIOS: True
RSE Supported: True
*** ME Information ***
Version: 11.12.94.2479
SKU: Intel(R) Full AMT Manageability
State: Provisioned
Control Mode: Client
Driver Installed: True
Driver Version: 1815.12.0.2021
PKI DNS Suffix: "this is set to our internal DNS suffix"
LMS State: NotPresent
LMS Version: 1815.12.0.2021
MicroLMS State: NotPresent
EHBC Enabled: False
*** ME Capabilities ***
AMT in Enterprise Mode: True
TLS Enabled: True
HW Crypto Enabled: True
Current Provisioning state: POST_PROVISIONING_STATE
NetworkInterface Enabled: True
SOL Enabled: True
IDER Enabled: True
FWUpdate Enabled: False
LinkIsUp state: True
KVM Enabled: False
An error occurred.
Unbehandelte Ausnahme: System.NullReferenceException: Der Objektverweis wurde nicht auf eine Objektinstanz festgelegt.
bei AshCreek.Program.WriteToConsole(Boolean writeVerbose)
bei AshCreek.Program.Main(String[] args)
Hello, Markus,
Thank you for sharing the EMA configuration and ECT log from the non-working machine - PC5535.
First, I noted the machine is not using the latest BIOS version 02.92 Rev.A. It seems the update includes the security update related to TLS 1.2. (The following fixes have been made in BIOS version 2.92:
Updated OpenSSL to version 1.1.1s for the latest security changes)
HP Z4-G4 Xeon Workstation System BIOS
https://support.hp.com/si-en/drivers/swdetails/hp-z4-g4-workstation/16449890/swItemId/vc-319517-1
As well, there are newer Chipset and Intel Management Engine Software (AMT included) drivers.
HP Z4 G4 Workstation https://support.hp.com/si-en/drivers/hp-z4-g4-workstation/16449890
Then, if we are planning to provision the machine with the script: ./Adopt-AMTSetupBySearch.ps1 -emaServerURL <type the FQDN> -searchMethod hostnameStart -searchString <endpoint name>
We need to unprovision manually the endpoint from MEBEX after uninstalling the EMA agent file.
After restarting the PC, get into MEBEX and Enable the Network Access; in addition, Change the User Consent to NONE and save changes (the system will reboot).
After these changes, the endpoint will show up as
State: Provisioned
Control Mode: Admin, right now is in Client.
The Intel® AMT profile requires some changes. The autosetup is in Host-Based provisioning instead of PKI Certificate. We need a profile as a Client instead of Admin.
Please reset the endpoint and EMA profile with my suggestions provided on 11-16-2023 04:56 PM
Look forward to hearing back from you.
Regards,
Miguel C.
Intel Customer Support Technician
Hello Miguel,
I applied the mentioned updates on the HP Z4 Workstation PC5535:
- HP Z4-G4 Xeon Workstation System BIOS V 2.92A
- Intel Management Engine Software V 2242.3.34.0
The Intel Chipset Driver was already up to date (V 10.1.18019.814)
The output of EmaConfigTool looks different now:
Intel EMA Configuration Tool
Application Version: 1.1.0.183
Scan Date: 24.11.2023 09:49:56
*** Host Computer Information ***
Computer Name: PC5535
Manufacturer: HP
Model: HP Z4 G4 Workstation
Processor: Intel(R) Xeon(R) W-2123 CPU @ 3.60GHz
Windows Version: Microsoft Windows 10 Enterprise
BIOS Version: P61 v02.92
UUID: 2D3D9FEF-122D-736F-BA0F-42E53FB74FDA
*** SMBIOS Information ***
AMT Supported: True
AMT Enabled: True
SMBIOS ME SKU: Intel(R) Full AMT Manageability
SMBIOS ME Version: 11.12.94.2479
KVM Supported: False
SOL Supported: True
USB-R supported in BIOS: True
RSE Supported: True
*** ME Information ***
Version: 11.12.94.2479
SKU: Intel(R) Full AMT Manageability
State: Provisioned
Control Mode: Client
Driver Installed: True
Driver Version: 2240.3.4.0
PKI DNS Suffix: <set to our internal DNS Suffix>
LMS State: Running
LMS Version: 2240.3.4.0
MicroLMS State: NotPresent
EHBC Enabled: False
*** ME Capabilities ***
AMT in Enterprise Mode: True
TLS Enabled: True
HW Crypto Enabled: True
Current Provisioning state: POST_PROVISIONING_STATE
NetworkInterface Enabled: True
SOL Enabled: True
IDER Enabled: True
FWUpdate Enabled: False
LinkIsUp state: True
KVM Enabled: False
RSE Enabled: False
*** Power Management Capabilities ***
Supported Power States:
5: PowerCycle_Off_Soft
8: Off_Soft
2: On
10: Master_Bus_Reset
11: NMI
7: Hibernate
12: Off_Soft_Graceful
14: MasterBusReset_Graceful
Power Change Capabilities:
2: On
3: SleepLight
4: SleepDeep
7: Hibernate
8: Off_Soft
*** CIRA Information ***
CIRA Server: <set to our EMA Server FQDN>
CIRA Connection Status: CONNECTED
CIRA Connection Trigger: TRIGGER_PERIODIC
*** ME Wired Network Information ***
Wired Interface Enabled: True
Link Status: Up
IP Address: 0.0.0.0
MAC Address: C8:D9:D2:23:E4:9B
DHCP Enabled: True
DHCP Mode: Passive
DNS Suffix (from OS): <set to our internal DNS Suffix>
*** ME Wireless Network Information ***
ME Wireless Interface Not Detected
*** Root Certificate Hash Entries ***
Pausing before ending process in 3 sec. The duration of this pause can be adjusted using the --delayterm option.
As I am not in the office today, I will do the unprovisioning on Monday and report the outcome then.
Regarding the following:
The Intel® AMT profile requires some changes. The autosetup is in Host-Based provisioning instead of PKI Certificate. We need a profile as a Client instead of Admin.
Do you mean we need to change from Host-based provisioning (HBP) to Certificate-based (TLS-PKI)?
Then we will need to install a PKI Certificate first, or did I get you wrong?
Best regards, Markus
Hello, Markus,
The ECT log looks better now.
State: Provisioned
Control Mode: Client
Driver Installed: True
*** ME Wired Network Information ***
Wired Interface Enabled: True
Link Status: Up
IP Address: 0.0.0.0
MAC Address: C8:D9:D2:23:E4:9B
You are right, the next step is to unprovision the endpoint from MEBx.
Access the MEBx BIOS again and change the Network Access option to Enabled and the User Consent to None.
If you run ECT again, the endpoint will say:
State: Provisioned
Control Mode: ADMIN
Then, we need to create an Intel® AMT profile as Client Control Mode, in the AMT auto-setup section we have to select Host-Based instead of PKI Provisioning (this option is used when we have a Certificate).
Note:
The wired Network connection is up but the IP address was not recognized. Make sure the ethernet cable is attached to the wired port of the endpoint and no VPN (this is necessary for the configuration).
Wired Interface Enabled: True
Link Status: Up
IP Address: 0.0.0.0
Please make sure you are using the script:
./Adopt-AMTSetupBySearch.ps1 -emaServerURL <type the FQDN> -searchMethod hostnameStart -searchString <endpoint name>
emaServerURL <type the FQDN>
searchMethod hostnameStart
searchString <endpoint name>
Second Note:
You are using Windows Server 2022. By default, this OS disables TLS 1.1 available on AMT version 11 crypto. It is necessary to enable it. An easy option is to install the third-party software called Nartac, https://www.nartac.com/, and select Best Practices. You can disable the non-necessary options later.
More details in section 1.4.6 Disable Insecure Cipher Suites of the Intel® Endpoint Management Assistant (Intel® EMA) Server Installation Guide Version: 1.11.0 provided in the EMA software zip file.
I will wait for the outcome next week.
Regards,
Miguel C.
Intel Customer Support Technician
Hello Miguel,
I went through the steps you explained, unprovisioned AMT via MEBX, enabled network access and set user consent to NONE.
The endpoint now states:
State: Provisioned
Control Mode: ADMIN
The Intel® AMT profile is already configured for Client Control Mode, in the AMT auto-setup section we have selected Host-Based.
In EMA web-console the endpoint now is in "Admin Control Mode".
But the "Hardware Manageability" tab no longer works and it shows "CIRA not connected".
I tried to use the Adopt-AMTSetupBySearch.ps1 script, but this throws the error:
Retrieving Endpoint IDs for hostnames starting with: PC5535
0F34E293192F38E310311DD682AC878559C805EA85E5D910194DD1B9A09C6671 - PC5535
Found 1 endpoint(s)
Enter 1 to submit an adopt AMT setup request for all endpoints found, or any other value to exit >: 1
Error with endpoint (0F34E293192F38E310311DD682AC878559C805EA85E5D910194DD1B9A09C6671 - PC5535): The target endpoint is already provisioned by EMA.
Adoption request(s) submitted for 0 of 1 endpoints found.
I also used "Nartac" to enable TLS 1.1 on the EMA server but I think this is not relevant as long as we don't use TLS-PKI.
I also spoke to our network engineer and he explained to me that our network uses Cisco-ISE for port-security. This means we are checking the MAC-address and a client certificate (802.1x) from the Active Directory before the client can access the network.
As soon as the client is turned off, it has no client certificate and therefore can't connect to the client network but will be connected to another network that has no access to other internal systems.
Would it be possible to configure the client (MEBX) to provide the client certificate in S0 state, or is it possible to use the client certificate from the Windows cert-store?
Best regards, Markus
Hello, Markus,
The adoption with the script: ./Adopt-AMTSetupBySearch.ps1 -emaServerURL <type the FQDN> -searchMethod hostnameStart -searchString <endpoint name>
is telling us: The target endpoint is already provisioned by EMA.
Meaning, that we need to 1- uninstall the EMA agent file in the endpoint, 2- Stop the provisioning of the machine in the EMA web console, and 3- In MEBX, we need to select Full Unprovision.
If we run the Ema Config Tool again, we should see the following:
*** ME Information ***
Version: 11.12.94.2479
SKU: Intel(R) Full AMT Manageability
State: Not provisioned
Control Mode: None
PKI DNS Suffix: Not found
It is necessary to enable TLS 1.1 in the EMA server when we are using older machines with AMT version 11. Machines with AMT 12 or newer do not require it.
Your network configuration is using a Radius Server (802.1x), and an Extra certificate is necessary for it, you need to set and add it in the EMA console > AMT profile > Wired 802.1x.
It is necessary to use a Windows certificate. The steps are available in the section: 8 Appendix - Configuring 802.1x for Active Directory of the Intel® Endpoint Management Assistant (Intel® EMA) Server Installation Guide Version: 1.12.1 included in the EMA zip package.
On your last test, the provisioning was completed partially. Did you get duplicate lines?
Regards,
Miguel C.
Intel Customer Support Technician
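Added example, not part of any post in this thread and not Intel code: a small Python parser for the EmaConfigTool text report that flags the conditions the support replies point at (AMT version below 12, wired link up with IP 0.0.0.0, provisioned without CIRA). The sample report is constructed from the field layout shown in the posts above; `parse_ect` and `triage` are hypothetical names.

```python
import re

# Constructed excerpt in the layout of the EmaConfigTool output posted in this thread.
SAMPLE = """\
*** ME Information ***
Version: 11.12.94.2479
State: Provisioned
Control Mode: Client
*** CIRA Information ***
CIRA Connection Status: CONNECTED
*** ME Wired Network Information ***
Wired Interface Enabled: True
Link Status: Up
IP Address: 0.0.0.0
"""

def parse_ect(text):
    """Return {section: {key: value}}; the same key can recur in different sections."""
    report, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\*{3}\s*(.+?)\s*\*{3}", line)
        if header:
            section = header.group(1)
            report[section] = {}
        elif section and ":" in line:
            key, _, value = line.partition(":")  # split at first colon only (MAC addresses)
            report[section][key.strip()] = value.strip()
    return report

def triage(report):
    """List the conditions the support replies in this thread call out."""
    me = report.get("ME Information", {})
    wired = report.get("ME Wired Network Information", {})
    cira = report.get("CIRA Information", {})
    notes = []
    major = me.get("Version", "").split(".")[0]
    if major.isdigit() and int(major) < 12:
        notes.append("AMT %s: TLS 1.1 must be enabled on the EMA server" % major)
    if wired.get("Link Status") == "Up" and wired.get("IP Address") == "0.0.0.0":
        notes.append("wired link is up but the ME has no IP address (0.0.0.0)")
    if me.get("State") == "Provisioned" and cira.get("CIRA Connection Status") != "CONNECTED":
        notes.append("provisioned but CIRA is not connected")
    notes.append("state=%s mode=%s" % (me.get("State"), me.get("Control Mode")))
    return notes

if __name__ == "__main__":
    for note in triage(parse_ect(SAMPLE)):
        print(note)
```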
Hello, Markus,
I am following up on the case and wondering if you have been able to run the recommendations.
Regards,
Miguel C.
Intel Customer Support Technician
Hello Miguel,
Sorry for the late reply. I talked to my network engineer and we need to clarify our network configuration first.
Before we can continue with the EMA Agent troubleshooting we need to make sure the endpoint is able to communicate in S0 state, therefore we either need to configure the 802.1x profile or we need to make some changes to our network configuration.
I will come back to you as soon as we have found a solution.
Thank you for your help so far!
Best regards, Markus