Hello, mrant-k,

The issue seems to be a hardware limitation.  The endpoints (client) need to have Intel® vPro in the processor, chipset, and embedded network card (only Intel® wired and wireless cards).  Few docking stations are prepared for Intel® vPro.

I suggest you try the following:
1- Review the EMA agent profile settings, and make sure the WiFi configuration is set. If not, do the changes and re-install the new EMA agent file to the endpoints.
2- Unplug the USB-C ethernet dongle and try the provisioning and connection using the WiFi connection. I am sorry for the limitation.

Bear in mind, Intel® EMA requires endpoints with AMT version 11.8.79 and later.

Look forward to your response.

Regards,
Miguel C.
Intel Customer Support Technician

Hello, mrant-k,

I hope this email finds you well.

By any chance, have you been able to work on my previous suggestions?

Look forward to your response.

Regards,

Miguel C.

Intel Customer Support Technician

Hello Miguel,

Unfortunately, still hasn't worked for us. We use certificate-based authentication for corporate WiFi, and I have not been able to PKI provision any of these new laptops that don't have ethernet port even after creating WiFi profile to my best knowledge. If I do host-based provisioning, it provisions just fine, but then it goes to CCM mode. 

Hello, mrant-k,

Thank you for your update.

Thank you for your update on the status of the laptops.

Please keep using the wireless network card.  The full provisioning of the laptops in Admin control mode requires manual configuration the first time. It is necessary to include the PKI DNS suffix manually into the MEBx (AMT BIOS).

Please review if the PKI DNS suffix was included. 

Steps:

-Adding PKI DNS suffix to MEBx

-From the MEBx Main Menu, click MEBx Login, and type your password.  The Default is admin, if I am not wrong, you set a password for all the endpoints in the EMA web console. If a randomized password was set, select the endpoint, click the Actions button, and it displays the password of the endpoint.

-Click over Intel® AMT Configuration

-Scroll down and select Remote Setup and Configuration

-Select TLS PKI

-Select PKI DNS Suffix, hit enter

-Type your PKI DNS Suffix, hit Enter

The new Window will display the new PKI DNS Suffix

-Then, keep pressing Exit until you close MEBX.

At this point, the Endpoint will be in Admin Mode with the company PKI DNS Suffix.

Details in the document: Configuring LAN-less Endpoints to ACM https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/configuring-lan-less-endpoints-to-acm.pdf

Look forward to your response.

Regards,

Miguel C.

Intel Customer Support Technician

Hello, mrant-k,

I am sorry to hear about the issue.  Do you mind confirming if the PKI DNS suffix was included manually in MEBx BIOS? In addition, if you are using the wireless card instead of the USB-Network dongle.

The PKI DNS suffix needs to match the PKI DNS of the AMT certificate.  Do you mind sending a new EMA Configuration log from the endpoint that you are trying to provision?

EMA Configuration Tool

https://www.intel.com/content/www/us/en/download/19805/30485/intel-endpoint-management-assistant-configuration-tool-intel-ema-configuration-tool.html

Run:

a-Open a command prompt (alternatively, you can run the tool from within Windows PowerShell*) as administrator.

b-Navigate to the installation folder (default C:\Program Files (x86)\Intel\EMAConfigTool).

c-Run the command: EMAConfigTool.exe –verbose

Look forward to your response.

Regards,

Miguel C.

Intel Customer Support Technician

Hello Miguel,

Yes, I confirm DNS suffix is added to MBEx. The laptops are directly connected to corp WiFi. Here's verbose result of one of the laptops. 

C:\Program Files (x86)\Intel\EMAConfigTool>EMAConfigTool.exe --verbose

Intel EMA Configuration Tool
Application Version: 1.1.0.183
Scan Date: 5/24/2023 8:17:57 AM

*** Host Computer Information ***
Computer Name: LTxxxx
Manufacturer: Dell Inc.
Model: Latitude 9520
Processor: 11th Gen Intel(R) Core(TM) i7-1185G7 @ 3.00GHz
Windows Version: Microsoft Windows 10 Enterprise
BIOS Version: 1.21.0
UUID: 4C4C4544-005A-3210-8032-C8C04F4B5233

*** SMBIOS Information ***
AMT Supported: True
AMT Enabled: True
SMBIOS ME SKU: Intel(R) Full AMT Manageability
SMBIOS ME Version: 15.0.42.2235
KVM Supported: True
SOL Supported: True
USB-R supported in BIOS: True
RSE Supported: True

*** ME Information ***
Version: 15.0.42.2235
SKU: Intel(R) Full AMT Manageability
State: Provisioned
Control Mode: Client
Driver Installed: True
Driver Version: 2220.3.1.0
PKI DNS Suffix: Not Found
LMS State: Running
LMS Version: 2220.3.1.0
MicroLMS State: NotPresent
EHBC Enabled: False

*** ME Capabilities ***
AMT in Enterprise Mode: True
TLS Enabled: False
HW Crypto Enabled: True
Current Provisioning state: POST_PROVISIONING_STATE
NetworkInterface Enabled: True
SOL Enabled: True
IDER Enabled: True
FWUpdate Enabled: False
LinkIsUp state: False
KVM Enabled: False
RSE Enabled: True

*** Power Management Capabilities ***
Supported Power States:
5: PowerCycle_Off_Soft
8: Off_Soft
2: On
10: Master_Bus_Reset
11: NMI
7: Hibernate
12: Off_Soft_Graceful
14: MasterBusReset_Graceful
Power Change Capabilities:
2: On
3: SleepLight
4: SleepDeep
7: Hibernate
8: Off_Soft

*** CIRA Information ***
CIRA Server: Not Found
CIRA Connection Status: NOT_CONNECTED
CIRA Connection Trigger: USER_INITIATED

*** ME Wired Network Information ***
ME Wired Interface Not Detected

*** ME Wireless Network Information ***
Wireless Interface Enabled: False
Link Status: Down
IP Address: 0.0.0.0
MAC Address: Information Unavailable
DHCP Enabled: True
DHCP Mode: Unknown

*** Root Certificate Hash Entries ***
Root certs HERE

Client logs also show pretty much the same as before. 

Hello, mrant-k,

The ECT log is showing the PKI DNS as not found in this wireless machine.  Please remember the ethernet USB dongle is not supported.

Please review the MEBx BIOS, and check if the PKI DNS suffix is there.  I sent you an email with a Word document with pictures as an example. Please review if the machine is running the latest BIOS and Management Engine Interface driver.

We can continue privately in order to gather the EMA url that you are using, the PKI DNS suffix, the certificate configuration, and how many endpoints will you provision. 

Look forward to your response; if there is no response to this email, I will send you a follow-up on 5/26/2023.

Regards,

Miguel C.

Intel Customer Support Technician

Hello Miguel,

I confirm the correct dns suffix was already set. We are not using USB dongle nor docking sttion.

Yet, I'm still getting the same "Failed PKI provisioning" error. 

Did follow your instructions, too.

• log into MEBx
• full unprovision

In addition to that,

• I also ran "EMAConfigTool.exe --unconfigure --password PASSWORD" and got confirmation it was successfully unconfigured
• And then I uninstalled the agent
• Logged into MEBx again and made sure it is full unprovisioned and the DNS suffix is still there

   

• Logged back into Windows and reinstalled the agent
• Get that very same error

Here are the new agent logs:

[2023-05-25 10:24:42.803 AM] \Agent\MeshManageability\agent\core\meshctrl.c:1143 Packet is not encrypted correctly or uses an old key. Last error: 0
[2023-05-25 10:24:52.888 AM] \Agent\MeshManageability\agent\core\meshctrl.c:1143 Packet is not encrypted correctly or uses an old key. Last error: 0
[2023-05-25 10:25:01.826 AM] \Agent\MeshManageability\agent\core\meshctrl.c:1143 Packet is not encrypted correctly or uses an old key. Last error: 0

Hello, mrant-k,

It seems GoDaddy’s certificate does not match Intel® EMA requirements, the root, intermediate, and leaf need to be SHA256.  

Please validate this information by doing the following: 

-Open IIS, go to the personal store, and open the Certificate, you should see the Cert. chain (3 lines) in the Certificate Path tab. 

-Open each line (Details tab) and verify they match the encryption of SHA 256 (SHA2) (2048 bits).

-In addition, for the leaf; from the Details tab, scroll down and confirm the Enhanced Key usage matches the OID number 2.16.840.1.113741.1.2.3.

I would appreciate it if you can share screenshots.

Look forward to your response.

Regards,

Miguel C.

Intel Customer Support Technician

Hi Miguel,

Here's my GoDaddy SSL with correct OID.

The chain however shows "Go Daddy Class 2 Cert Authority" having SHA1.

The other two certs (Go Daddy Root CA and Go Daddy Secure CA) have SHA256.

Hello, mrant-k,

You are right, the certificate chain is wrong.

It is necessary to get in touch with GoDaddy.  The Certificate chain usually has 3 lines only.  I am sending a link with an example of the Root section of the certificate.

https://certs.godaddy.com/repository/gdroot-g2.crt

Regards,

Miguel C.

Intel Customer Support Technician

Hi Miguel,

I did contact them, but they didn't have any clue what needs to be done. In fact, most of the support reps I've been dealing at Go Daddy aren't familiar with vPro at all. Can you tell me what information I need to relay to them so I can get a correct cert?

Hello, mrant-k,

I apologize for the inconvenience experienced with GoDaddy. I have a piece of old information, hopefully, this with help as a guide.

While you are selecting the type of certificate, choose the option that says: Organizational Validation (OV) SLL Certificate.

Then, a pop-up should appear, and select Intel® vPro.

I look forward to hearing from you.

Regards,

Miguel C.

Intel Customer Support Technician

Hi Miguel,

That was how I set up our cert. It is why some of the devices are getting provisioned successfully. The issue here is that some devices don't get provisioned. One thing I notice is that if I open the cert on my laptop, I can see it has presumably correct certificate chain. 

But if I open it on vPro server, it shows one additional CA (the class 2 one) in the chain for some reason. 

Hello, mrant-k,

Thank you for your quick response.

The certificate is showing an extra line as you mentioned, and it is SHA1. This is the Certificate issue. We need a Certificate chain with SHA2 (SHA256) in all the lines.

I found this public GoDaddy link, it talks about how to request an Intel® vPro Certificate.  Please review it and confirm with GoDaddy if they send you the correct certificate. 

GoDaddy certificate instructions

https://www.godaddy.com/help/intel-vpro-certificate-info-5260

If I understand correctly, it is necessary to choose the “Organizational Validation (OV) SLL Certificate” option.  When the product is added to the shopping cart, the terminology changes to “You’ve chosen a Deluxe SSL OV”.

I hope that Go Daddy will provide the correct Cert this time.

Hi Miguel,

I contacted them again and was re-assured that the cert they gave me is indeed a correct one. They even had me re-keyed and tested again. It appears that class 2 CA is installed on all of our hosts, so when I open the leaf cert, it automatically picks it up as a CA. They say however it doesn't mean that it is part of the vPro cert. I also tried disabling class 2 ca on vpro server, yet provisioning is still failing.