Hello,
Both the video and the documentation do not explain clearly what the process is to obtain an Intel AMT PKI certificate.
Is this a certificate that I can create myself? (my impression is that it isn't).
If not, what are the requirements for the certificate?
I've had a look at section 3.5.1 of the Admin and Usage Guide and I am not much the wiser having read that section.
If I need to purchase a certificate, which seems possible / likely, then I want to understand the certificate requirements so that I don't waste money or any more time than is necessary in obtaining a certificate.
The statement:
"The certificate file needs to have the full certificate chain"
Means what exactly?
Can I suggest that documentation be written in "plain English", with examples where appropriate (like in this instance), so that potentially complicated topics may be more easily understood.
May I also suggest that you have your documentation and videos reviewed by someone who is not intimately familiar with setting up and using EMA; so that you can refine your guides, before releasing them to the general public.
Thanks
VW
Hello Victor,
When I attempted to re-add the Christine-P3660 endpoint into EMA, it didn't appear.
At this point, as I had experienced a lot of issues with EMA, I decided to look for an alternative.
I managed to find an installer for MeshCommander.
I was able to get MeshCommander installed and connected to Christine-P3660 with the KVM in around 5 minutes.
I've decided that MeshCommander is more suitable for my needs.
I do appreciate your on-going assistance.
However, I think Intel EMA is more "enterprise" focussed than what I need and unfortunately not as easy to deploy as I would have expected.
Regards,
Vaughan
Hello Victor,
The Powershell script is not working.
I have tried two commands:
./Adopt-AMTSetupBySearch.ps1 -emaServerURL as3.alleanza.local -searchMethod hostnameStart -searchString christine-P3660.alleanza.local -useADauth
./Adopt-AMTSetupBySearch.ps1 -emaServerURL as3.alleanza.local -searchMethod hostnameStart -searchString christine-P3660 -useADauth
The outcome is the same.
For some crazy reason I can't attach the Powershell output as a txt file.
So, I am pasting below.
PS C:\zen\ema> ./Adopt-AMTSetupBySearch.ps1 -emaServerURL as3.alleanza.local -searchMethod hostnameStart -searchString christine-P3660.alleanza.local -useADauth
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS
secure channel. The underlying connection was closed: Could not establish trust relationship for
the SSL/TLS secure channel. Cannot validate argument on parameter 'emaAPIVersion'. The character
length of the 11 argument is too long. Shorten the character length of the argument so it is
fewer than or equal to "6" characters, and then try the command again. The underlying connection
was closed: Could not establish trust relationship for the SSL/TLS secure channel. The underlying
connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The
underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure
channel. The term '-ExecutionPolicy' is not recognized as the name of a cmdlet, function, script
file, or operable program. Check the spelling of the name, or if a path was included, verify that
the path is correct and try again. Cannot bind parameter 'Scope'. Cannot convert value "Bypass"
to type "Microsoft.PowerShell.ExecutionPolicyScope". Error: "Unable to match the identifier name
Bypass to a valid enumerator name. Specify one of the following enumerator names and try again:
Process, CurrentUser, LocalMachine, UserPolicy, MachinePolicy" The underlying connection was
closed: Could not establish trust relationship for the SSL/TLS secure channel. The underlying
connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The
term '-ExecutionPolicy' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path
is correct and try again. Cannot bind parameter 'Scope'. Cannot convert value "Bypass" to type
"Microsoft.PowerShell.ExecutionPolicyScope". Error: "Unable to match the identifier name Bypass
to a valid enumerator name. Specify one of the following enumerator names and try again:
Process, CurrentUser, LocalMachine, UserPolicy, MachinePolicy" The underlying connection was
closed: Could not establish trust relationship for the SSL/TLS secure channel. The underlying
connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The
underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure
channel. The term '-ExecutionPolicy' is not recognized as the name of a cmdlet, function, script
file, or operable program. Check the spelling of the name, or if a path was included, verify that
the path is correct and try again. Cannot bind parameter 'Scope'. Cannot convert value "Bypass"
to type "Microsoft.PowerShell.ExecutionPolicyScope". Error: "Unable to match the identifier name
Bypass to a valid enumerator name. Specify one of the following enumerator names and try again:
Process, CurrentUser, LocalMachine, UserPolicy, MachinePolicy" The underlying connection was
closed: Could not establish trust relationship for the SSL/TLS secure channel. The underlying
connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The
term '-ExecutionPolicy' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path
is correct and try again. Cannot bind parameter 'Scope'. Cannot convert value "Bypass" to type
"Microsoft.PowerShell.ExecutionPolicyScope". Error: "Unable to match the identifier name Bypass
to a valid enumerator name. Specify one of the following enumerator names and try again:
Process, CurrentUser, LocalMachine, UserPolicy, MachinePolicy" The underlying connection was
closed: Could not establish trust relationship for the SSL/TLS secure channel. Cannot validate
argument on parameter 'emaAPIVersion'. The character length of the 11 argument is too long.
Shorten the character length of the argument so it is fewer than or equal to "6" characters, and
then try the command again. The underlying connection was closed: Could not establish trust
relationship for the SSL/TLS secure channel. The underlying connection was closed: Could not
establish trust relationship for the SSL/TLS secure channel. The underlying connection was
closed: Could not establish trust relationship for the SSL/TLS secure channel. The term
'-ExecutionPolicy' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is
correct and try again. Cannot bind parameter 'Scope'. Cannot convert value "Bypass" to type
"Microsoft.PowerShell.ExecutionPolicyScope". Error: "Unable to match the identifier name Bypass
to a valid enumerator name. Specify one of the following enumerator names and try again:
Process, CurrentUser, LocalMachine, UserPolicy, MachinePolicy" The underlying connection was
closed: Could not establish trust relationship for the SSL/TLS secure channel. The underlying
connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The
term '-ExecutionPolicy' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path
is correct and try again. Cannot bind parameter 'Scope'. Cannot convert value "Bypass" to type
"Microsoft.PowerShell.ExecutionPolicyScope". Error: "Unable to match the identifier name Bypass
to a valid enumerator name. Specify one of the following enumerator names and try again:
Process, CurrentUser, LocalMachine, UserPolicy, MachinePolicy" The underlying connection was
closed: Could not establish trust relationship for the SSL/TLS secure channel. The underlying
connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The
underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure
channel. The term '-ExecutionPolicy' is not recognized as the name of a cmdlet, function, script
file, or operable program. Check the spelling of the name, or if a path was included, verify that
the path is correct and try again. Cannot bind parameter 'Scope'. Cannot convert value "Bypass"
to type "Microsoft.PowerShell.ExecutionPolicyScope". Error: "Unable to match the identifier name
Bypass to a valid enumerator name. Specify one of the following enumerator names and try again:
Process, CurrentUser, LocalMachine, UserPolicy, MachinePolicy" The underlying connection was
closed: Could not establish trust relationship for the SSL/TLS secure channel. The underlying
connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The
term '-ExecutionPolicy' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path
is correct and try again. Cannot bind parameter 'Scope'. Cannot convert value "Bypass" to type
"Microsoft.PowerShell.ExecutionPolicyScope". Error: "Unable to match the identifier name Bypass
to a valid enumerator name. Specify one of the following enumerator names and try again:
Process, CurrentUser, LocalMachine, UserPolicy, MachinePolicy"
At C:\zen\ema\Adopt-AMTSetupBySearch.ps1:164 char:21
+ throw $error
+ ~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (System.Collections.ArrayList:ArrayList) [], Runt
imeException
+ FullyQualifiedErrorId : The underlying connection was closed: Could not establish trust rel
ationship for the SSL/TLS secure channel. The underlying connection was closed: Could not est
ablish trust relationship for the SSL/TLS secure channel. Cannot validate argument on paramet
er 'emaAPIVersion'. The character length of the 11 argument is too long. Shorten the characte
r length of the argument so it is fewer than or equal to "6" characters, and then try the com
mand again. The underlying connection was closed: Could not establish trust relationship for
the SSL/TLS secure channel. The underlying connection was closed: Could not establish trust r
elationship for the SSL/TLS secure channel. The underlying connection was closed: Could not e
stablish trust relationship for the SSL/TLS secure channel. The term '-ExecutionPolicy' is no
t recognized as the name of a cmdlet, function, script file, or operable program. Check the s
pelling of the name, or if a path was included, verify that the path is correct and try again
. Cannot bind parameter 'Scope'. Cannot convert value "Bypass" to type "Microsoft.PowerShell.
ExecutionPolicyScope". Error: "Unable to match the identifier name Bypass to a valid enumerat
or name. Specify one of the following enumerator names and try again:
Process, CurrentUser, LocalMachine, UserPolicy, MachinePolicy" The underlying connection was
closed: Could not establish trust relationship for the SSL/TLS secure channel. The underlying
connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
. The term '-ExecutionPolicy' is not recognized as the name of a cmdlet, function, script fil
e, or operable program. Check the spelling of the name, or if a path was included, verify tha
t the path is correct and try again. Cannot bind parameter 'Scope'. Cannot convert value "Byp
ass" to type "Microsoft.PowerShell.ExecutionPolicyScope". Error: "Unable to match the identif
ier name Bypass to a valid enumerator name. Specify one of the following enumerator names and
try again:
Process, CurrentUser, LocalMachine, UserPolicy, MachinePolicy" The underlying connection was
closed: Could not establish trust relationship for the SSL/TLS secure channel. The underlying
connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
. The underlying connection was closed: Could not establish trust relationship for the SSL/TL
S secure channel. The term '-ExecutionPolicy' is not recognized as the name of a cmdlet, func
tion, script file, or operable program. Check the spelling of the name, or if a path was incl
uded, verify that the path is correct and try again. Cannot bind parameter 'Scope'. Cannot co
nvert value "Bypass" to type "Microsoft.PowerShell.ExecutionPolicyScope". Error: "Unable to m
atch the identifier name Bypass to a valid enumerator name. Specify one of the following enum
erator names and try again:
Process, CurrentUser, LocalMachine, UserPolicy, MachinePolicy" The underlying connection was
closed: Could not establish trust relationship for the SSL/TLS secure channel. The underlying
connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
. The term '-ExecutionPolicy' is not recognized as the name of a cmdlet, function, script fil
e, or operable program. Check the spelling of the name, or if a path was included, verify tha
t the path is correct and try again. Cannot bind parameter 'Scope'. Cannot convert value "Byp
ass" to type "Microsoft.PowerShell.ExecutionPolicyScope". Error: "Unable to match the identif
ier name Bypass to a valid enumerator name. Specify one of the following enumerator names and
try again:
Process, CurrentUser, LocalMachine, UserPolicy, MachinePolicy" The underlying connection was
closed: Could not establish trust relationship for the SSL/TLS secure channel. Cannot validat
e argument on parameter 'emaAPIVersion'. The character length of the 11 argument is too long.
Shorten the character length of the argument so it is fewer than or equal to "6" characters,
and then try the command again. The underlying connection was closed: Could not establish tr
ust relationship for the SSL/TLS secure channel. The underlying connection was closed: Could
not establish trust relationship for the SSL/TLS secure channel. The underlying connection wa
s closed: Could not establish trust relationship for the SSL/TLS secure channel. The term '-E
xecutionPolicy' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is
correct and try again. Cannot bind parameter 'Scope'. Cannot convert value "Bypass" to type "
Microsoft.PowerShell.ExecutionPolicyScope". Error: "Unable to match the identifier name Bypas
s to a valid enumerator name. Specify one of the following enumerator names and try again:
Process, CurrentUser, LocalMachine, UserPolicy, MachinePolicy" The underlying connection was
closed: Could not establish trust relationship for the SSL/TLS secure channel. The underlying
connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
. The term '-ExecutionPolicy' is not recognized as the name of a cmdlet, function, script fil
e, or operable program. Check the spelling of the name, or if a path was included, verify tha
t the path is correct and try again. Cannot bind parameter 'Scope'. Cannot convert value "Byp
ass" to type "Microsoft.PowerShell.ExecutionPolicyScope". Error: "Unable to match the identif
ier name Bypass to a valid enumerator name. Specify one of the following enumerator names and
try again:
Process, CurrentUser, LocalMachine, UserPolicy, MachinePolicy" The underlying connection was
closed: Could not establish trust relationship for the SSL/TLS secure channel. The underlying
connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
. The underlying connection was closed: Could not establish trust relationship for the SSL/TL
S secure channel. The term '-ExecutionPolicy' is not recognized as the name of a cmdlet, func
tion, script file, or operable program. Check the spelling of the name, or if a path was incl
uded, verify that the path is correct and try again. Cannot bind parameter 'Scope'. Cannot co
nvert value "Bypass" to type "Microsoft.PowerShell.ExecutionPolicyScope". Error: "Unable to m
atch the identifier name Bypass to a valid enumerator name. Specify one of the following enum
erator names and try again:
Process, CurrentUser, LocalMachine, UserPolicy, MachinePolicy" The underlying connection was
closed: Could not establish trust relationship for the SSL/TLS secure channel. The underlying
connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
. The term '-ExecutionPolicy' is not recognized as the name of a cmdlet, function, script fil
e, or operable program. Check the spelling of the name, or if a path was included, verify tha
t the path is correct and try again. Cannot bind parameter 'Scope'. Cannot convert value "Byp
ass" to type "Microsoft.PowerShell.ExecutionPolicyScope". Error: "Unable to match the identif
ier name Bypass to a valid enumerator name. Specify one of the following enumerator names and
try again:
Process, CurrentUser, LocalMachine, UserPolicy, MachinePolicy"
Hello VeeDub,
Thank you for your response.
Based on the output of your command, the issue that you are experiencing is related to PowerShell, not our API or EMA; therefore, we must inform you that we don’t provide any troubleshooting or recommendations for that kind of problem. In order to move forward you will have to look online or maybe wait for a peer to jump in and help.
Best regards,
Victor G.
Intel Technical Support Technician
Hello Victor,
Does this version info look OK?
Hello Victor,
I think the issue is with the command that you have provided to me.
If I try this command:
./Adopt-AMTSetupBySearch.ps1 -emaServerURL as3.alleanza.local -searchMethod hostnameStart -searchString CHRISTINE-P3660 -useADauth
Then I get the error listing with pages of text
However, if I try this command:
./Adopt-AMTSetupBySearch.ps1 -emaServerURL as3.alleanza.local -searchMethod hostnameStart -searchString CHRISTINE-P3660
without the switch: -useADauth
Then I am prompted for EMA credentials
Then I see the following
I don't think there is an issue with my Powershell environment, I think there is a bug with your script.
Regards,
VW
Hello,
In the above example, I assume that the EMA credentials are the credentials that I use to login to the EMA portal (i.e. the Tenant Admin credentials).
Hello Victor,
If I use the switch: -useADauth
Can I also specify the credentials to be used for ADauth
And can I also specify the EMA credentials to be used to access the EMAServerURL?
Regards,
VW
Hello VeeDub,
Thank you for getting back to us.
You only use -useADauth when an active directory is present in your environment.
The command already provided has worked in different environments; therefore, if there is a problem, it is probably within your environment.
In regards to the credentials, you need to use your tenant credentials once the command is run.
In reference to your questions about the command, please bear in mind that we don’t provide assistance when it comes to creating custom scripts, we provide as much information as possible in our EMA API documentation for you to create your own scripts. Once you have created your custom script you will be in charge of testing it and changing it as you see necessary.
Additionally, since the command is not recognizing Christine-P3660 you are welcome to try to unprovision that endpoint with the instructions previously shared and try again the steps previously sent and the command that worked for you.
Note: Your Powershell version looks okay; however, whether you want to use a more updated version or not is completely up to you.
Best regards,
Victor G.
Intel Technical Support Technician
Hello Victor,
With my previous configuration my Tenant Admin user did not exist in the Active Directory.
So, I could not see how the powershell script could access the computer objects in the AD.
So, this morning I did the following:
- deleted the previous Tenant and Tenant Admin
- created a new Tenant, with a Tenant Admin account that exists in the AD as a Domain Admin
- I had to re-create the AMT Profile and Endpoint group
- I unprovisioned Christine-P3660 as this is the computer that I am currently testing with
- I then re-provisioned Christine-P3660 and installed the re-created Intel EMA Agent
I then tried running the script to adopt the endpoint
./Adopt-AMTSetupBySearch.ps1 -emaServerURL as3.alleanza.local -searchMethod hostnameStart -searchString CHRISTINE-P3660 -useADauth
Unfortunately, when I include the -useADauth switch I'm still getting pages of errors.
If I run the script without the -useADauth switch, then there are no errors and when I am prompted for credentials, the Tenant Admin credentials that I supply exist as a user in the AD. But the behaviour is as before.
As I have an AD domain, it seems logical to include the -useADauth switch.
While I am mindful of your previous comments re troubleshooting the powershell script, apart from the error with the supplied Powershell script when including the -useADauth switch; there is no other behaviour to indicate that there is any error with the AD.
I'd appreciate it if you could give some thought to some troubleshooting suggestions.
Also:
- Can you provide a full list of the switches for the Adopt-AMTSetupBySearch script? I wonder if there are some other options that I could specify that might assist.
- Assuming that you have no idea how I might troubleshoot the Adopt-AMTSetupBySearch script and I don't have any idea either, what other options exist to adopt the endpoints?
FWIW Powershell error-handling has in my experience always been poor. Powershell is fine when it "works", but in situations like I find myself here, when there is an error - the output is often total gibberish. Which makes troubleshooting a headache.
Thanks
VW
Hello Victor,
Tried running the script a different way.
You might be able to assist with this output
PS C:\zen\ema> ./Adopt-AMTSetupBySearch.ps1 -useAdauth
cmdlet Adopt-AMTSetupBySearch.ps1 at command pipeline position 1
Supply values for the following parameters:
emaServerURL: as3.alleanza.local
searchMethod: hostnameStart
searchString: Christine-P3660
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS
secure channel. Cannot validate argument on parameter 'emaAPIVersion'. The character length of
the 15 argument is too long. Shorten the character length of the argument so it is fewer than or
equal to "6" characters, and then try the command again. The term './Adopt-AMTSetupBySearch.ps1'
is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is correct and try again.
The term './Adopt-AMTSetupBySearch.ps1' is not recognized as the name of a cmdlet, function,
script file, or operable program. Check the spelling of the name, or if a path was included,
verify that the path is correct and try again.
At C:\zen\ema\Adopt-AMTSetupBySearch.ps1:164 char:21
+ throw $error
+ ~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (System.Collections.ArrayList:ArrayList) [], Runt
imeException
+ FullyQualifiedErrorId : The underlying connection was closed: Could not establish trust rel
ationship for the SSL/TLS secure channel. Cannot validate argument on parameter 'emaAPIVersio
n'. The character length of the 15 argument is too long. Shorten the character length of the
argument so it is fewer than or equal to "6" characters, and then try the command again. The
term './Adopt-AMTSetupBySearch.ps1' is not recognized as the name of a cmdlet, function, scri
pt file, or operable program. Check the spelling of the name, or if a path was included, veri
fy that the path is correct and try again. The term './Adopt-AMTSetupBySearch.ps1' is not rec
ognized as the name of a cmdlet, function, script file, or operable program. Check the spelli
ng of the name, or if a path was included, verify that the path is correct and try again.
Hello Victor,
The other option if -useADauth is difficult to troubleshoot, is to deploy these systems without AD.
With all of the earlier systems with VPro, where I still use VNC Plus for the KVM, all those systems are in AD but VPro is not aware of the AD.
If we need to deploy these systems outside of AD as far as VPro is concerned, I think that should be OK.
Regards,
VW
Hello VeeDub,
Thank you for your responses.
In order to move forward with your inquiry we will require the information below:
1-Did you unprovision the endpoint Christine-P3660 directly via MEBx?
2-When re-provisioning the endpoint did you make sure to first go into MEBx and change the Network Access State to Network Activate and the user Consent to NONE? These two settings allow you to do OOB KVM without any user interaction.
3-Also, you mentioned that you re-created your AMT Profile and your Endpoint group as well, did you remember to set your profile to client control mode and then choose host-based provisioning when setting up the AMT auto-setup?
4-How is this endpoint Christine-P3660 connected (wired, wireless, or docking station)?
5-We will require a new ECT log from Christine-P3660 now that it has been re-provisioned:
Intel® EMA Configuration Tool
Installation:
Double-click the .msi file and follow the prompts.
Run:
a- Open a command prompt as administrator.
b- Navigate to the installation folder (default C:\Program Files (x86)\Intel\EMAConfigTool).
c- Run the command: EMAConfigTool.exe -filename XXXX –verbose
6-The following command outputs will be required as well:
From the client machine (Christine-P3660)
Open a PS window as Administrator.
Go to <drive>\program Files\Intel\EMA Agent>
Run the command: .\EmaAgent -swarmserver
Run the command: Test-NetConnection -ComputerName <FQDN> -port 80xx
Note: Run the port test using (ports 8000, 8080, and 443. All of these should be opened)
In regards to your questions about the PowerShell switches, all the information we have for the Adopt-AMTSetupBySearch.ps1 can be found in the link below:
Note: Inside the package you will find a folder called PowerShell, and inside it you will need to look for the example scripts subfolder and open the Adopt-AMTSetupBySearch.ps1 file to find all the parameters for it.
Additionally, if you want to change anything or have troubleshooting steps/suggestions, and recommendations regarding AD you will need to contact Microsoft since this is out of our scope.
Also, in relation to your question about other options on how to adopt endpoints, you will need to choose to work towards using a self-signed certificate or buying a certificate from one of our authorized vendors.
Best regards,
Victor G.
Intel Technical Support Technician
Hello Victor,
1-Did you unprovision the endpoint Christine-P3660 directly via MEBx?
R > Yes
2-When re-provisioning the endpoint did you make sure to first go into MEBx and change the Network Access State to Network Activate and the user Consent to NONE? These two settings allow you to do OOB KVM without any user interaction.
R > Good question, I'm not 100% sure whether I checked / reset the User Consent option (have a feeling that I probably have not). If I didn't, would this stop the AdoptAMTScript from working?
R> If so, I won't be on-site until next Thursday to check. Otherwise I do have remote access to this system via Windows and can provide the diagnostics.
3-Also, you mentioned that you re-created your AMT Profile and your Endpoint group as well, did you remember to set your profile to client control mode and then choose host-based provisioning when setting up the AMT auto-setup?
R > Yes.
4-How is this endpoint Christine-P3660 connected (wired, wireless, or docking station)?
R > Wired. All these systems are desktops on a wired LAN.
Regards,
VW
@VeeDub I was able to get this to work and I had the same TLS errors you posted. After tearing up the script I found that powershell just refused to connect to the https URL due to it not trusting the cert of the EMA server.
To bypass this, I modified the Adopt-AMTSetupBySearch.ps1 just after line 124 and added this code block (credit to AndOS over at stackoverflow https://stackoverflow.com/questions/11696944/powershell-v3-invoke-webrequest-https-error):
# Certificate policy that accepts every server certificate, so TLS certificate
# validation is switched off for the rest of this PowerShell session.
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
$AllProtocols = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'
[System.Net.ServicePointManager]::SecurityProtocol = $AllProtocols
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
Basically after the condensed steps I posted earlier, added this and I now have full control of the hardware in ACM mode. Will retest once I get my cert and hopefully can get rid of the additional steps. Though it does look like I can't make use of the Intel Manageability Commander anymore.
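An alternative to the TrustAllCertsPolicy workaround above, as an added example that is not part of the original post or of Intel's script: it reports why .NET rejects the EMA server certificate and, for a self-signed certificate whose thumbprint has been verified on the server, adds only that certificate to the current user's trusted roots. The function names and the -ExpectedThumbprint parameter are assumptions of this example; the host name is the one used in the thread.

```powershell
# Added example: diagnose "Could not establish trust relationship" and trust one
# verified certificate instead of disabling validation for every host.
param(
    [string] $ServerName = 'as3.alleanza.local',   # EMA host name used in the thread
    [int]    $Port = 443,
    # Assumption: thumbprint read on the EMA server itself and passed in by the admin.
    [string] $ExpectedThumbprint = ''
)

function Get-TlsTrustReport {
    param([string] $HostName, [int] $Port)

    $script:seen = $null
    # The callback returns $true only so the handshake completes and the certificate
    # can be inspected; no application data is sent over this connection.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($source, $certificate, $chain, $sslPolicyErrors)
        $script:seen = [pscustomobject]@{
            Certificate  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
            PolicyErrors = $sslPolicyErrors
            ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
            ChainLength  = $chain.ChainElements.Count
        }
        $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try { $ssl.AuthenticateAsClient($HostName) } finally { $ssl.Dispose() }
    } finally { $tcp.Close() }

    $cert = $script:seen.Certificate
    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        NotAfter     = $cert.NotAfter
        Thumbprint   = $cert.Thumbprint
        PolicyErrors = $script:seen.PolicyErrors          # what .NET objected to
        ChainStatus  = $script:seen.ChainStatus -join ', ' # e.g. UntrustedRoot, PartialChain
        ChainLength  = $script:seen.ChainLength            # 1 = no issuer certificate found
        Certificate  = $cert
    }
}

function Add-VerifiedRoot {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [string] $ExpectedThumbprint
    )
    # Import only if the presented certificate is the one verified out of band.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($Certificate.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: server presented $($Certificate.Thumbprint). Nothing was imported."
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
        [System.Security.Cryptography.X509Certificates.StoreName]::Root,
        [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($Certificate) } finally { $store.Close() }
}

$report = Get-TlsTrustReport -HostName $ServerName -Port $Port
$report | Format-List Subject, Issuer, SelfSigned, NotAfter, Thumbprint, PolicyErrors, ChainStatus, ChainLength

$policy = [System.Net.Security.SslPolicyErrors]
if ($report.PolicyErrors -eq $policy::None) {
    'Certificate is already trusted; no workaround is needed.'
}
elseif ($report.PolicyErrors -band $policy::RemoteCertificateNameMismatch) {
    'Name mismatch: pass -emaServerURL with a host name the certificate lists; importing it will not help.'
}
elseif (-not $report.SelfSigned) {
    'Issued by a CA: trust the issuing CA root (and check the server sends its intermediates), not this leaf.'
}
elseif (-not $ExpectedThumbprint) {
    'Self-signed: compare the thumbprint above with the one on the EMA server, then re-run with -ExpectedThumbprint.'
}
else {
    Add-VerifiedRoot -Certificate $report.Certificate -ExpectedThumbprint $ExpectedThumbprint
    'Certificate added to CurrentUser\Root; the TrustAllCertsPolicy block is no longer required for this host.'
}
```

Windows shows a confirmation dialog when a certificate is added to the CurrentUser Root store. Validation stays enabled for every other host, which the trust-all policy does not offer.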
Thanks for assisting!
Should the Powershell script look like this after inserting your code?
    [Parameter(Mandatory = $false)] [ValidateLength(8,255)]
    [string] $emaPassword
)
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
$AllProtocols = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'
[System.Net.ServicePointManager]::SecurityProtocol = $AllProtocols
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
if (!$emaServerURL.StartsWith("https://")) {
    $emaServerURL = "https://" + $emaServerURL
}
If so, I'm still having problems
PS C:\zen\ema> ./Adopt-AMTSetupBySearch.ps1 -useAdauth
cmdlet Adopt-AMTSetupBySearch.ps1 at command pipeline position 1
Supply values for the following parameters:
emaServerURL: as3.alleanza.local
searchMethod: hostnameStart
searchString: Christine-P3660
{"Message":"{\"ExtendedCode\":3010,\"ExtendedMessage\":\"Method not allowed due to current
authentication mode\"}"} The underlying connection was closed: Could not establish trust
relationship for the SSL/TLS secure channel. Cannot validate argument on parameter
'emaAPIVersion'. The character length of the 15 argument is too long. Shorten the character
length of the argument so it is fewer than or equal to "6" characters, and then try the command
again. The term './Adopt-AMTSetupBySearch.ps1' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was
included, verify that the path is correct and try again. The term './Adopt-AMTSetupBySearch.ps1'
is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is correct and try again.
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS
secure channel. Cannot validate argument on parameter 'emaAPIVersion'. The character length of
the 15 argument is too long. Shorten the character length of the argument so it is fewer than or
equal to "6" characters, and then try the command again. The term './Adopt-AMTSetupBySearch.ps1'
is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is correct and try again.
The term './Adopt-AMTSetupBySearch.ps1' is not recognized as the name of a cmdlet, function,
script file, or operable program. Check the spelling of the name, or if a path was included,
verify that the path is correct and try again.
At C:\zen\ema\Adopt-AMTSetupBySearch.ps1:178 char:21
+ throw $error
+ ~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (System.Collections.ArrayList:ArrayList) [], Runt
imeException
+ FullyQualifiedErrorId : {"Message":"{\"ExtendedCode\":3010,\"ExtendedMessage\":\"Method not
allowed due to current authentication mode\"}"} The underlying connection was closed: Could
not establish trust relationship for the SSL/TLS secure channel. Cannot validate argument on
parameter 'emaAPIVersion'. The character length of the 15 argument is too long. Shorten the c
haracter length of the argument so it is fewer than or equal to "6" characters, and then try
the command again.
Are your endpoints in an AD domain?
@VeeDub I had one blank line after your line 3 above but otherwise yes it's correct.
The command I ran is:
.\Adopt-AMTSetupBySearch.ps1 -verbose -emaServerURL emaserver.myfqdn.com -searchMethod hostnameStart -searchString ThePCNameAsShownInEMA -useADAuth
One of the PCs is on the same domain as the EMA server, and I ran the command via PS directly on the EMA server and not the client. Another PC involved has not yet joined the domain, but it still got adopted successfully as well, so the key seems to be to run the script on the server after installing the Agent on the client following the condensed steps above.
A simple test to rule out https issues is to create a test script including the block you copied earlier as well as the below (at the end):
Invoke-WebRequest -Uri "emaserver.myfqdn.com/api/latest/accessTokens/getUsingWindowsCredentials" -UseBasicParsing -Method Get -UseDefaultCredentials
Then launch PowerShell as one of the tenant admin AD IDs and run the above script. If TLS errors still show, more troubleshooting is needed, but this was how I figured out why the TLS error was occurring.
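Added example (not part of the post above and not Intel's script): a diagnostic for the "Could not establish trust relationship for the SSL/TLS secure channel" error that reports why the EMA server's certificate is rejected, without installing the process-wide TrustAllCertsPolicy. The function name Get-TlsChainReport, the TLS 1.2 restriction and the skipped revocation check are assumptions of this example.

```powershell
# Added example; Get-TlsChainReport is a hypothetical helper, not part of Intel's script.
function Get-TlsChainReport {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [int] $Port = 443
    )
    $seen = @{ PolicyErrors = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $stream = $client.GetStream()
        # Accept the certificate for this single handshake only, so that it can
        # be inspected. No request is sent, and the process-wide
        # ServicePointManager settings are left untouched.
        $acceptOnce = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($src, $crt, $chn, $policyErrors)
            $seen.PolicyErrors = $policyErrors   # what .NET itself objected to
            $true
        }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $acceptOnce
        try {
            # Assumption: the server offers TLS 1.2; a failure here is itself a finding.
            $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }

    # Re-validate the certificate against this machine's trust stores.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        DnsName       = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        NotAfter      = $cert.NotAfter
        Thumbprint    = $cert.Thumbprint
        PolicyErrors  = "$($seen.PolicyErrors)"
        ChainTrusted  = $trusted
        ChainErrors   = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        ChainSubjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }
}

# Usage, with the EMA server name used in this thread:
# Get-TlsChainReport -HostName as3.alleanza.local | Format-List
```

A ChainErrors value of UntrustedRoot or PartialChain means a root or intermediate certificate is missing from the local certificate stores, while RemoteCertificateNameMismatch in PolicyErrors means the host name used does not match the certificate. Either is fixed by installing the missing certificate or using the matching name, after which the trust-all block is no longer needed.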
If my EMA server is: as3.alleanza.local
Does this script look right?
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
$AllProtocols = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'
[System.Net.ServicePointManager]::SecurityProtocol = $AllProtocols
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
Invoke-WebRequest -Uri "as3.alleanza.local/api/latest/accessTokens/getUsingWindowsCredentials" -UseBasicParsing -Method Get -UseDefaultCredentials
When I run this script, I am seeing this.
Invoke-WebRequest : Unable to connect to the remote server
At C:\zen\ema\Test.ps1:16 char:1
+ Invoke-WebRequest -Uri "as3.alleanza.local/api/latest/accessTokens/ge ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invok
e-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeW
ebRequestCommand
Line 16 = Invoke-WebRequest ...
@VeeDub the invoke URL should be as below:
Invoke-WebRequest -Uri "https://as3.alleanza.local/api/latest/accessTokens/getUsingWindowsCredentials" -UseBasicParsing -Method Get -UseDefaultCredentials
See what shows.
Hello Victor,
Updated info from EMAConfigTool attached.
Test-NetConnection on port 8000 and 443 passed
Test-NetConnection on port 8080 failed
There is a Windows Firewall entry created by Intel EMA, which includes port 8080, so don't understand why this isn't working.
Am performing a chkdsk and DISM commands.
If that makes no difference will investigate configuration of AV software.
Will confirm once port 8080 is also accessible.
Thanks
VW
Hello Victor,
After performing:
chkdsk
dism commands
sfc /scannow
Port 8080 is also accessible.
Christine-P3660 is showing in EMA as Connected and Provisioned (note this is without running any PowerShell script).
I don't appear to have an option for KVM, but it is possible that I have not configured that properly in MEBX.
Regards,
VW
Hello VeeDub,
Thank you for your responses.
Since you are not using a certificate, the two options (Network Access State to Network Activate and user Consent to NONE) previously mentioned before attempting to provision the endpoints are necessary if you want your endpoints to be provisioned in admin control mode (no user consent).
In regards to the endpoint Christine-P3660, this one still appears to be provisioned in ACM despite it being un-provisioned; however, from what we understand, you don’t have a remote KVM connection to it, and that might be due to its CIRA connection being in a not connected state (according to the latest log you provided). This is related to the problem you have with port 8080, since in the CIRA approach the endpoint system’s Intel AMT connects to the Intel EMA Server via a TCP TLS connection at port 8080.
Best regards,
Victor G.
Intel Technical Support Technician
