Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2873 Discussions

Failed PKI provisioning

mrant-k
Novice
17,305 Views

We are trying to adopt EMA in addition to our existing endpoint management solutions and running into some serious issues. We acquired PKI cert with valid OID from GoDaddy. The leaf cert (in the form of pfx), GoDaddy G2 Root CA, and Intermediate cert are added into the server. The first 2 devices were successfully provisioned, but then any new devices we attempt to add are failing. 

- Windows Server 2019 Datacenter (US-English) (EMA server)

- Succeeded client laptop has AMT 14.1.67

- Failed Client laptops have AMT 11 and lower, and AMT 15 and above

- Verified DHCP option 15 is set with correct DNS suffix, which is also in the GoDaddy Deluxe cert

- Correct OID is verified

- Exported EMAAgent files and run -fullinstall on client

- We can see the client in EMA console as power on and connected (but unprovisioned)

- We then attempt to provision the client and it fails provisioning and we see these 2 msgs in the Failed Intel AMT SetupAdmin activation and Failed PKI provisioning

- On the client we see the Intel ME software repeated switching states from "Configured" to "Unconfigured"

-  The clients are connected to LAN via USB-C ethernet dongle since these newer laptops don't come with ethernet port anymore

- We've tried searching and following many threads in this forum and other places to no avail

Any help is greatly appreciated. 

60 Replies
MIGUEL_C_Intel
Moderator
2,989 Views

Hello, mrant-k,


I hope this post finds you well.


Thank you for letting us know the status of the Certificate. 


The certificate is new; did you update the EMA agent file into the endpoint? In addition to previous troubleshooting posts, make sure the endpoint is using the latest Management Engine driver provided by the system manufacturer.


Regarding the error message from the endpoint, it seems the EMA server was not recognized.  Please, run the command below from the endpoint.  It resolves the FQDN and the port it’s trying to connect.  


Open a command line as Administrator in the endpoint.

Go to the default path \c:\Program Files\Intel\Ema Agent\

Run the command: emaagent.exe -swarmserver


Then, we can open the settings.txt file and compare the information.

From the EMA server, go to Program Files x86\Intel\Platform Manager\Platform Manager Server and open the “settings.txt” file.

Look near the top of the file for this section:

#hostname for Intel(R) EMA instance

emahostname=ematest.intel.com and the port.


We can do a test from the EMA Web console.  Go to the Endpoints tab and search for the endpoint, from the view (blue option) check if the Connected and CIRA are green.


The EMA server logs (EMAlog-Swarmserver.txt and EMAlog-Manageabilityserver.txt) provide errors detected when the endpoint (name) is trying to connect to the EMA server.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
mrant-k
Novice
2,942 Views

Hi Miguel,

I think I figured that part out. The hardware manageability tab loads now. Now, I'm running into a new issue. I'm getting "Websocket connection could not be established. The URL used in web browser may be different from Intel® EMA server URL specified at Intel® EMA installation time." as I attempt connect remote desktop.

I do get a similar message when I log into the console but it seems to login regardless. It reads something like this:

"The current URL used in login does not match the URL entered in Intel® EMA Settings. Cross-origin requests may get blocked. The URL in settings is https://emaserver.domain.com"

0 Kudos
MIGUEL_C_Intel
Moderator
2,928 Views

Hello, mrant-k,


I hope this post finds you well.


The EMA software is giving us a summary of the limitation.  The PKI DNS suffix needs to match the domain of the company: intel.com for example and the URL of EMA will be very similar such as ema.intel.com.  This is very important because DHCP option 15 of the company network needs to resolve the domain of your company (intel.com).


EMA URL is case sensitive, if the URL entered in the EMA installation contains upper and lower cases; we need to add them in the browser.


For testing purposes, in the settings tab you can add an extra line with an alternative name:

Emahostname=test.com

Create a copy of the settings tab, edit it, then copy it to the same location. Remove the original file.


Bear in mind, this is for testing purposes, it is not suggested for production environments.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
MIGUEL_C_Intel
Moderator
2,896 Views

Hello, mrant-k,


I am following up on the case. 


By any chance, have you been able to review and test my last suggestions?


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
MIGUEL_C_Intel
Moderator
2,877 Views

Hello, mrant-k,


If further assistance is necessary, do not hesitate to reply.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
mrant-k
Novice
2,853 Views

Hello Miguel,

Sorry for late reply. I think most part is now working, but I have another issue trying figure out. Our PCs now provisioned successfully in ACM, however, they show user consent is required for KVM. I tried changing it to "not required" under hardware manageability, but it keeps switching back. 

We can disable user consent requirement by going into MBEx, but we'd like to automate this process without going into BIOS. Can this be done somehow?

mrantk_0-1687891807678.png

 

0 Kudos
MIGUEL_C_Intel
Moderator
2,839 Views

Hello, mrant-k,


It is nice to hear from you again.


I understand the endpoints are requesting user consent to be accessed.  I suggest you update the EMA agent profile in the EMA server and update the agent file in the endpoints.  Disable the user-consent option.

After this update and restarting EMA services in the Server; the endpoints will stop asking for the user consent.


I will gladly provide further assistance if necessary.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
mrant-k
Novice
2,824 Views

Hi Miguel,

That is how we have set up. Remote KVM is checked, and User Consent for In-Band KVM is unchecked. Agent file is up to date. We have rebooted the server several times. Am I missing something else?

mrantk_0-1687958434085.png

 

0 Kudos
MIGUEL_C_Intel
Moderator
2,813 Views

Hello, mrant-k,


After doing the changes in the EMA profile and restarting the EMA services in the server; it is necessary to wait until the endpoint is restarted or the EMA services in the endpoint are restarted.


I will gladly provide further assistance if necessary.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
mrant-k
Novice
2,791 Views

Hi Miguel,

It has always been set up that way. We have rebooted both endpoint and server many times. For some reason, without manually touching the MBEx, "user consent required" won't go away. 

0 Kudos
JWMillet3
Beginner
2,797 Views

In my experience rebooting the computer does not fix the issue. I usually see this issue after a bios update.

For reference: https://community.intel.com/t5/Intel-vPro-Platform/Group-Configuration-settings-for-User-consent-for-In-Band-KVM/m-p/1499980#M10306

 

We've been seeing this issue for years now, however yesterday was the first time I've seen it with a 2n1/Laptop. Its always been desktops and after a bios update. We would have to travel on site and clear the CMOS battery. I've tried rebooting, re-provisioning, and attempting the change through the EMA UI. None of those worked for me. I also tried recreating the agent files multiple times for different endpoint groups.

This looks to be an issue with configuration on provisioning.

0 Kudos
mrant-k
Novice
2,561 Views
That doesn't sound good. Well, we are in the very early stage of EMA adoption. So far TBH, I'm not quite impressed, but hoping it'll get improved as time goes on.
0 Kudos
MIGUEL_C_Intel
Moderator
2,769 Views

Hello, mrant-k,


I hope this post finds you well.


Thank you for your feedback. I am understanding the user-consent requirement option is not changing in the endpoints; even after updating the EMA profile from Client to Admin Control Mode and removing the user-consent requirement. As well, I am understanding the endpoint was provisioned by the EMA agent file.


Do you mind sending an EMA web console picture showing 1 endpoint from the Endpoints tab, plus the results of running the Intel® EMA Configuration Tool in the same endpoint? I want to compare EMA console information with the endpoint configuration.


Intel® EMA Configuration Tool

https://www.intel.com/content/www/us/en/download/19805/30485/intel-endpoint-management-assistant-configuration-tool-intel-ema-configuration-tool.html


I look forward to hearing from you.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
mrant-k
Novice
2,750 Views

I'll get back to you with those items next week when we're back in office. 

0 Kudos
MIGUEL_C_Intel
Moderator
2,740 Views

Hello, mrant-k,


Thank you for your feedback.


I will be waiting for your reply with the information.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
MIGUEL_C_Intel
Moderator
2,660 Views

Hello, mrant-k,


I hope all is well.


By any chance, have you been able to gather the information requested?


I look forward to hearing from you.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
MIGUEL_C_Intel
Moderator
2,570 Views

Hello, mrant-k,


I hope this post finds you well.


If further assistance is necessary please share the information requested.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
mrant-k
Novice
2,562 Views
Hi Miguel,
It's now working. I didn't make any changes. It's kinda miracle. I guess you can archive this post now. Thanks for your guidance and efforts.
0 Kudos
MIGUEL_C_Intel
Moderator
2,529 Views

Hello, mrant-k,

 

On behalf of Intel, I am happy to know the provisioning of the endpoint is completed.  Do not hesitate to reply if further assistance is necessary.

 

Regards,
Miguel C.
Intel Customer Support Technician

0 Kudos
Reply