Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Intel AMT PKI certificate

VeeDub
New Contributor I
12,024 Views

Hello,

Both the video and the documentation do not explain clearly what the process is to obtain an Intel AMT PKI certificate.

Is this a certificate that I can create myself? (my impression is that it isn't).

If not, what are the requirements for the certificate?

I've had a look at section 3.5.1 of the Admin and Usage Guide and I am not much the wiser having read that section.

If I need to purchase a certificate, which seems possible / likely, then I want to understand the certificate requirements so that I don't waste money or any more time than is necessary in obtaining a certificate.

The statement:

"The certificate file needs to have the full certificate chain"

Means what exactly?

Can I suggest that documentation be written in "plain English", with examples where appropriate (like in this instance), so that potentially complicated topics may be more easily understood.

May I also suggest that you have your documentation and videos reviewed by someone who is not intimately familiar with setting up and using EMA; so that you can refine your guides, before releasing them to the general public.

Thanks

VW

0 Kudos
1 Solution
VeeDub
New Contributor I
9,164 Views

Hello Victor,

When I attempted to re-add the Christine-P3660 endpoint into EMA, it didn't appear.

I decided at this point that as I had experienced a lot of issues with EMA, I decided to look for an alternative.

I managed to find an installer for MeshCommander.

I was able to get MeshCommander installed and connected to Christine-P3660 with the KVM in around 5 minutes.

I've decided that MeshCommander is more suitable for my needs.

I do appreciate your on-going assistance.

However, I think Intel EMA is more "enterprise" focussed than what I need and unfortunately not as easy to deploy as I would have expected.

Regards,

Vaughan


0 Kudos
65 Replies
Victor_G_Intel
Employee
2,661 Views

Hello VeeDub,

Thank you for your response.

We appreciate your feedback and will provide it to our Product management and the dev team.

Best regards,

Victor G.

Intel Technical Support Technician


0 Kudos
Victor_G_Intel
Employee
2,532 Views

Hello VeeDub,


We hope this message finds you well.


Do you have any updates for this case? Don’t hesitate to let us know if you need anything else.


Best regards,


Victor G.

Intel Technical Support Technician


0 Kudos
Victor_G_Intel
Employee
2,523 Views

Hello VeeDub,

Thank you so much for contacting Intel customer support.

3-Next, you will want to set up a profile with CIRA mode and other desired settings. If you already have a profile with CIRA or TLS with the settings you prefer, you can skip this step and just create an endpoint configuration and associate the profile to it.

Are you referring to creating an Endpoint Group?

If so, I have done this.

R/Once you create an endpoint group you will need to assign each endpoint group a profile with the configuration that you want, in this case the profile that you need in case you don't have one with CIRA selected as a provisioning method.

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-admin-and-usage-guide.pdf#page=27

4-Create a new adoption end-point.

??

R/Once you have your endpoint group created with an AMT profile set up, then you need to add the endpoint that you will be working on to that endpoint group.

5-Enable AMT auto-setup and choose the right profile.

??

R/ Our guide explains how to do the auto-setup; you just need to select the endpoint group you need to work on, then choose the options you like within it, and then choose the option in the right-hand corner that says "Save and Intel AMT auto-setup".

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-admin-and-usage-guide.pdf#page=21

6-Since you don't have a cert you will need to choose HBP (Host Based Provisioning) and also don't use a randomized password but one you can remember or document. It is ok that you use HBP in auto-setup because it doesn't overwrite what has been set in MEBX. That said, if you use this endpoint configuration on a new system that hasn't been set up in MEBX by choosing activate network, then it will be provisioned into CCM NOT ACM.

I think there is configuration that I need to do, where a step-by-step guide would be helpful.

R/You choose HBP when you are setting up the Intel AMT auto-setup.

You will find some images of the sections you need to visit in your setup attached to this post.

Best regards,

Victor G.

Intel Technical Support Technician

0 Kudos
VeeDub
New Contributor I
2,504 Views

Hello Victor,

I think I understand this, will try again next Friday.

Thanks

VW

0 Kudos
Victor_G_Intel
Employee
2,447 Views

Hello VeeDub,

Thank you so much for your response.

Don't hesitate to contact us back when you attempt the procedure again.

Best regards,

Victor G.

Intel Technical Support Technician


0 Kudos
VeeDub
New Contributor I
2,379 Views

Hello Victor,

So I have enabled MEBX on the first workstation and installed the EMA agent.

I can see that the Intel EMA Agent is running on the computer.

You have previously said:


@Victor_G_Intel wrote:

- Install the EMA agent onto the laptop and it should show in the WebUI and provisioned into ACM. However, it will show as provisioned by another tool. That is because it has already been provisioned manually in MEBX


I can't find the WebUI that you refer to.

I can't see this desktop in EMA. 

At present the Managed Endpoints is empty.

So, I have tried using the Powershell script in the hope that this would populate the Managed Endpoints in EMA.

.\Adopt-AMTSetupBySearch.ps1 -emaServerURL as3.alleanza.local -searchMethod hostnameStart -searchstring Brendan-P3660.alleanza.local

Where

as3.alleanza.local = fqdn of EMA Server

Brendan-P3660.alleanza.local = fqdn of workstation

Output from script:

Invoke-WebRequest : The underlying connection was closed: Could not establish trust relationship
for the SSL/TLS secure channel.
At C:\zen\ema\Adopt-AMTSetupBySearch.ps1:195 char:24
+ ... { $token = Invoke-WebRequest -Uri "$emaServerURL/api/token" -UseBasi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invok
e-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeW
ebRequestCommand

0 Kudos
Victor_G_Intel
Employee
2,354 Views

Hello VeeDub,

Thank you for your response.

The steps we previously provided work on our end; therefore, please try them one more time, making sure each step is completed accordingly:

1-Go into MEBX and under Intel AMT Configuration, Network Access State choose Network Activate (Note: The language may vary slightly from OEM to OEM. We used a Lenovo in this test).

2-Also, you will want to change User Consent in MEBX to NONE. This will allow you to do OOB KVM without any user interaction.

3-Next, you will want to set up a profile with CIRA mode and other desired settings. If you already have a profile with CIRA or TLS with the settings you prefer, you can skip this step and just create an endpoint configuration and associate the profile to it.

4-Create a new adoption end-point.

5-Enable AMT autosetup and choose the right profile.

6-Since you don't have a cert you will need to choose HBP (Host Based Provisioning) and also don't use a randomized password but one you can remember or document. It is ok that you use HBP in autosetup because it doesn't overwrite what has been set in MEBX. That said, if you use this endpoint configuration on a new system that hasn't been set up in MEBX by choosing activate network, then it will be provisioned into CCM NOT ACM.

7-Proceed to download the EMA API. You will use the adopted scripts to pull the endpoint into EMA.

https://www.intel.com/content/www/us/en/download/19693/intel-endpoint-management-assistant-intel-ema-api-sample-scripts.html

8-Install the EMA agent onto the laptop and it should show in the EMA WebUI and provisioned into ACM. However, it will show as provisioned by another tool. That is because it has already been provisioned manually in MEBX.

9-The easiest way to adopt a single system is to use the Adopt-AMTSetupBySearch PS script.

While you are running the command please take into consideration the information below:

PS> ./Adopt-AMTSetupBySearch.ps1 -emaServerURL EMAServer.demo.com -searchMethod hostnameStart -searchString laptop -adoptedEndpointsFilePath C:\temp\adoptedEndpointList.txt -Verbose

EMAServer.demo.com: with FQDN of EMA instance

searchMethod: with hostnameStart

searchString: with PC name

When you enter the command and hit enter, a screen will be shown and you will have to enter your Tenant credentials.

Note: The PowerShell script has examples in it for future scripting purposes.

10-Bring up Platform Manager and verify if everything went smoothly. Also, verify in the EMA WebUI. The endpoint should have now been adopted in ACM since that was set up in MEBX, despite the auto-setup specifying HBP.

Note: Please remember that there are some domains that are not supported in EMA; .local is one of them. You can see more information on the ones available here. Please bear in mind that since your FQDN doesn't have a supported domain and cannot be changed after EMA has been installed, you will need to install EMA from scratch before attempting the steps above.

To install EMA from scratch you can do the following:

1-Go to the EMA web GUI and unprovision all the endpoints from there. You will have to select each endpoint and then select the option to unprovision them one by one (You can omit this step if you don't have any endpoints yet).

2-Once you have all of your endpoints unprovisioned, you will need to go to the directory in your server where the EMA installer is (make sure you access it as an administrator). Once you find it, run it; a pop-up window will appear. Just make sure you select the option to uninstall EMA and delete the database.

3- Reinstall EMA using a .COM domain or any other of the validated ones.

4- Go through the EMA server installation documentation.

Best regards,

Victor G.

Intel Technical Support Technician

0 Kudos
VeeDub
New Contributor I
2,328 Views

Hello Victor,

I have some "interesting" developments to report.

Today, I sat down with the intention of working through your most recent post to try and either get VPro working or work out where the problem seemed to lie.

I encountered issues accessing the EMA server remotely which resulted in me restarting the EMA server and installing a bunch of updates.

Once I was able to access the EMA server remotely, I logged into the EMA portal.

To my surprise, the Endpoint which I had been trying to add on Friday was listed and the status was "Provisioned".

The remote KVM is working.

One aspect which I would like to be able to change is that the EndPoint has two monitors attached. The Desktop / KVM option defaults to 'All displays' (which is fine). But once I select either Monitor 1 or Monitor 2, it then switches back to 'All displays' after 1 - 2 minutes. I would like the Display option to remain on the one that I select. So for instance if I choose: Monitor 1, then I want it to stay on Monitor 1 until I make an alternative selection.

So, apart from restarting the EMA server (3 or 4 times) and installing Microsoft updates; I have not performed any of your most recently suggested troubleshooting steps.

Therefore, the PowerShell script that I used previously, which did not execute properly, clearly wasn't required to provision this Endpoint.

I won't be back on-site until next Friday, at that time I will try to provision more Endpoints.

Regards,

VW

0 Kudos
Victor_G_Intel
Employee
2,295 Views

Hello VeeDub,

Thank you for getting back to us.

We appreciate your feedback about the monitors and will provide it to our Product management and the dev team.

Please remember to test all the endpoints you provision properly and don't hesitate to contact us if you need anything else.

Best regards,

Victor G.

Intel Technical Support Technician


0 Kudos
VeeDub
New Contributor I
2,250 Views

Hello Victor,

I have attempted to add more endpoints without success.

In reviewing the previous correspondence I have noticed the following comment


@Victor_G_Intel wrote:

Note: Please remember that there are some domains that are not supported in EMA; .local is one of them. You can see more information on the ones available here. Please bear in mind that since your FQDN doesn't have a supported domain and cannot be changed after EMA has been installed, you will need to install EMA from scratch before attempting the steps above.


 

That comment does not make sense for the following reasons:

1. Where a Microsoft Active Directory domain is not connected to the Internet and / or is not meant to be externally accessible; then best practice AD naming standard is to use the domain suffix: .local

.local is equivalent to 192.168.x.x or 10.x.x.x with regards to IP addressing.

2. Despite your comment above, the first endpoint that I added is visible in EMA, so despite your comment it has been possible to add endpoints with a .local domain suffix.

 

However, the problem that I have encountered is that none of my other endpoints are appearing in EMA, provisioned or otherwise.

Please advise suggestions to troubleshoot.

Thanks

VW

0 Kudos
VeeDub
New Contributor I
2,244 Views

Hello Victor,

I also note that the powershell script executes with errors, so that would probably be the place to start in terms of troubleshooting (i.e. resolving the errors so that the powershell script executes without error).

Regards,

Vaughan

0 Kudos
Victor_G_Intel
Employee
2,223 Views

Hello VeeDub,


Thank you for your responses.


In regard to this question:


One aspect which I would like to be able to change is that the EndPoint has two monitors attached. The Desktop / KVM option defaults to 'All displays' (which is fine). But once I select either Monitor 1 or Monitor 2, it then switches back to 'All displays' after 1 - 2 minutes. I would like the Display option to remain on the one that I select. So for instance if I choose: Monitor 1, then I want it to stay on Monitor 1 until I make an alternative selection.


R/This is expected. Each time Windows asks for permissions, the Display will show the "All displays" option.


In regards to your current problem, you mentioned that you were able to provision one endpoint already. Can you please show us with a screenshot how that endpoint appears in the EMA web UI?


Also, you said that you were trying to provision more endpoints, assuming you are using the same endpoint group and the same profile how is that provisioning not working? Are you getting an error while installing the EMA agent file? Did you remember to download the EMA agent file and the agent policy on each endpoint? It will be good to verify as well if every endpoint you are trying to provision is fully up to date.


We would like to know as well if all your endpoints, or at least the ones being tested, are in the same network as the EMA server. Are these endpoints connected wireless or wired?


We will also require some screenshots of how your profile in EMA looks like.


A set of EMA logs will be required as well:


EMA logs from Server:


[System drive]\Program File(x86)\Intel\Platform Manager\EmaLogs


Additionally, we will require two ECT logs: one from the endpoint that works and one from one of the endpoints that you try to provision but is not showing up in EMA. To get the logs, the tool below will have to be run on each endpoint.


Intel® EMA Configuration Tool


https://www.intel.com/content/www/us/en/download/19805/intel-endpoint-management-assistant-configuration-tool-intel-ema-configuration-tool.html


Installation:


Double-click the .msi file and follow the prompts.


Run:


a- Open a command prompt as administrator.


b- Navigate to the installation folder (default C:\Program Files (x86)\Intel\EMAConfigTool).


c- Run the command: EMAConfigTool.exe -filename XXXX --verbose


Best regards,

 

Victor G.

Intel Technical Support Technician


0 Kudos
AJ334
Beginner
2,166 Views

Hi Victor,

I am hitting a similar issue as VeeDub on a recent batch of HP 800SFFs G9.

Condensing the above conversation:

- I installed EMA on a server

- I activated Network Access on the client device, set opt-in to none

- I installed the EMA agent (group and HBP provision, no cert)

- I can get the devices provisioned in ACM mode

- Since MEBX is provisioned by something else, seems power on/off commands are not available from the EMA portal

- Intel Manageability Commander still can't connect due to TLS error

- I also cannot get the IDE redirection to work

- CIRA is disabled

- Tried to use the adopt script but it threw the same TLS error and did nothing

First off, is the above as far as you can go with the new version of the platform without the certificate? i.e. if I buy a new PC for use in an environment where there's just 3 PCs (Workgroup and no internet) and a server, I can no longer use the Intel Manageability Commander to connect. Is this correct?

Second, for the PKI certificate in EMA, is the certificate to use the EMA server/DNS name with the OID attached? If not, I'm not quite understanding what the requirement is for the cert? Asking as I'm looking to use openssl to get the cert sorted out.

BR,
AJ

0 Kudos
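The original question asks what "the certificate file needs to have the full certificate chain" means, and both the Invoke-WebRequest failure VeeDub posted ("Could not establish trust relationship for the SSL/TLS secure channel") and the TLS errors AJ describes are what a client reports when it cannot build a path from the certificate it was shown to a root it already trusts. The script below is an added example, not code from Intel, from the EMA scripts, or from anyone in this thread: it constructs a throwaway Root CA, Issuing CA and server certificate in memory (all names are made up), then checks candidate certificate files the way a TLS client does, walking from the server's own certificate through each intermediate to a trusted root. It generalizes beyond the thread by handling any number of intermediates and by reporting why a file fails (leaf alone, wrong order, signature mismatch). It assumes the `cryptography` Python package is installed.

```python
"""Added example: what a "full certificate chain" PEM file must contain, and why a
client that trusts only a root CA rejects a server that presents its leaf alone.

Constructed, in-memory PKI: Root CA -> Issuing CA -> server certificate. All names
are made up; this is not EMA's own code or configuration. Requires `cryptography`."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

END = b"-----END CERTIFICATE-----"


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, issuer=None, issuer_key=None, is_ca=False):
    """Issue a certificate for subject_cn. With no issuer, it is self-signed (a root)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer.subject if issuer else _name(subject_cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key or key, hashes.SHA256())
    )
    return cert, key


def _is_ca(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def _signed_by(cert, issuer):
    """True if issuer's public key verifies cert's signature (RSA PKCS#1 v1.5 here)."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def load_bundle(pem_bundle):
    """Split a PEM file into its certificates, preserving file order."""
    certs = []
    for chunk in pem_bundle.split(END):
        if b"-----BEGIN CERTIFICATE-----" in chunk:
            certs.append(x509.load_pem_x509_certificate(chunk.strip() + b"\n" + END + b"\n"))
    return certs


def check_chain(pem_bundle, trusted_roots):
    """Validate a server certificate file the way a TLS client builds its chain:
    the first cert must be the server's own (end-entity) cert, each cert must be
    issued and signed by the next one in the file, and the walk must end at a root
    the client already trusts. Returns (ok, reason)."""
    certs = load_bundle(pem_bundle)
    if not certs:
        return False, "no certificates in file"
    if _is_ca(certs[0]):
        return False, "first certificate is a CA cert; the file must start with the server's own certificate"
    for i, cert in enumerate(certs):
        root = next((r for r in trusted_roots if r.subject == cert.issuer), None)
        if root is not None:
            if _signed_by(cert, root):
                return True, f"chain complete: {i + 1} cert(s) used, anchored at trusted root '{root.subject.rfc4514_string()}'"
            return False, f"'{cert.subject.rfc4514_string()}' names a trusted root as issuer but the signature does not verify"
        if i + 1 == len(certs):
            return False, (f"chain incomplete: issuer '{cert.issuer.rfc4514_string()}' of "
                           f"'{cert.subject.rfc4514_string()}' is neither in the file nor a trusted root")
        nxt = certs[i + 1]
        if nxt.subject != cert.issuer or not _is_ca(nxt) or not _signed_by(cert, nxt):
            return False, f"certificate {i + 2} in the file does not issue certificate {i + 1} (wrong order or wrong chain)"
    return False, "unreachable"


def demo():
    """Build the constructed PKI and test four server files against a trust store holding only the root."""
    root, root_key = make_cert("Constructed Root CA", is_ca=True)
    issuing, issuing_key = make_cert("Constructed Issuing CA", root, root_key, is_ca=True)
    server, _ = make_cert("ema.example.invalid", issuing, issuing_key)
    pem = lambda c: c.public_bytes(serialization.Encoding.PEM)
    files = {
        "leaf_only": pem(server),                                   # the usual mis-built file
        "full_chain": pem(server) + pem(issuing),                   # leaf, then every intermediate
        "full_chain_with_root": pem(server) + pem(issuing) + pem(root),
        "wrong_order": pem(issuing) + pem(server),
    }
    return {name: check_chain(data, [root]) for name, data in files.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:22s} {'OK ' if ok else 'BAD'} {reason}")
```

Only `full_chain` and `full_chain_with_root` validate: the file has to start with the server's own certificate and carry every issuing CA certificate between it and a root the client trusts (including the root is optional but harmless). On the client side the same rule applies in reverse: the "trust relationship" error goes away when the EMA server presents that full chain and the signing root is in the client machine's trust store, which is the fix to pursue rather than turning off certificate validation in the script.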
VeeDub
New Contributor I
2,142 Views

Hello Victor,

One aspect which I would like to be able to change is that the EndPoint has two monitors attached. The Desktop / KVM option defaults to 'All displays' (which is fine). But once I select either Monitor 1 or Monitor 2, it then switches back to 'All displays' after 1 - 2 minutes. I would like the Display option to remain on the one that I select. So for instance if I choose: Monitor 1, then I want it to stay on Monitor 1 until I make an alternative selection.

R/This is expected. Each time Windows asks for permissions, the Display will show the "All displays" option.

R/I'm not seeing Windows ask for any permissions. This behaviour is not desirable.

Screenshots and logs attached

Thanks

VW

Attachments: AMT_Profile_FQDN_IP_Address.png, AMT_Profile_FQDN_Source.png, AMT_Profile_FQDN_Wifi.png, AMT_Profile_General.png, AMT_Profile_Management_Interfaces.png, AMT_Profile_Power_States.png, AMT_Profile_Wired.png, Endpoint_Group.png, Provisioned_Endpoint.png

0 Kudos
VeeDub
New Contributor I
2,102 Views

Also, you said that you were trying to provision more endpoints, assuming you are using the same endpoint group and the same profile how is that provisioning not working?

Are you getting an error while installing the EMA agent file?

/R No. The only error I am seeing is with the Powershell script as previously advised and the Powershell script has had the same error for all endpoints.

Did you remember to download the EMA agent file and the agent policy on each endpoint?

/R Yes

It will be good to verify as well if every endpoint you are trying to provision is fully up to date.

/R If you mean BIOS, then Yes.

 

We would like to know as well if all your endpoints or at least the ones being tested in the same network as the EMA server?

/R Same subnet

Are these endpoints connected wireless or wired?

/R Wired.

0 Kudos
Victor_G_Intel
Employee
2,085 Views

Hello VeeDub,

Thank you for your response.

Can you please confirm that you selected the activation method host based provisioning while you were filling out the Intel AMT autosetup?

Additionally, we appreciate the images and the logs you provided. By using the information in them and comparing it with what you have in EMA, we have encountered some discrepancies with the way these two endpoints have been provisioned; therefore, we believe it will be better and quicker for you to unprovision these two endpoints in order to move forward with your deployment.

To unprovision the endpoints you will do it directly in MEBx by following the steps in the article below:

https://www.intel.com/content/www/us/en/support/articles/000058945/software/manageability-products.html

Note: The only steps you won't follow will be step 3 and step 5, since you are only looking to get both endpoints fully unprovisioned.

Once the endpoints are unprovisioned you will use the steps previously provided in order to get the endpoints into admin control mode without using a certificate. The only difference will be that once you get to the part where you need to run the PowerShell command to adopt the endpoint, you will need to make sure that it looks as much as possible like any of the examples below:

Command:

PS> ./Adopt-AMTSetupBySearch.ps1 -emaServerURL EMAServer.demo.com -searchMethod hostnameStart -searchString laptop -adoptedEndpointsFilePath C:\temp\adoptedEndpointList.txt -Verbose

EMAServer.demo.com: FQDN of EMA instance

searchMethod: hostnameStart

searchString: PC name

Examples:

PS> ./Get-IntelEMAEndpointMEBXPassword.ps1 -emaServerURL EMAServer.demo.com -hostname hostname -Verbose

C:\> PowerShell.exe -ExecutionPolicy Bypass -File Get-IntelEMAEndpointMEBXPassword.ps1 -emaServerURL EMAServer.demo.com -hostname hostname -Verbose

Note: Please make sure to add the -verbose part to the end of the command as well as the required spaces between the different parts of the command. Also please remember that when you are introducing the searchString part you must use the PC name, for example: BRENDAN-P3660 / CHRISTINE-P3660.

In case you still have an issue with the command, don't hesitate to provide us with the error output once it has been run with the correct syntax.

Best regards,

Victor G.

Intel Technical Support Technician


0 Kudos
VeeDub
New Contributor I
2,084 Views

Hello Victor,

Why would I want to unprovision a workstation that is already provisioned?

Regards,

VeeDub

0 Kudos
VeeDub
New Contributor I
2,082 Views

Hello Victor,

This is what I see when I try to run the Powershell script

Powershell_Error.png

The file: C:\temp\adoptedEndpointList.txt is a 0 byte file.

Regards

VeeDub

0 Kudos
Victor_G_Intel
Employee
2,011 Views

Hello VeeDub,

Thank you for your responses.

The reason you need to fully unprovision the two endpoints you have shown us is that, from what we can see, none of them is working properly. Brendan-P3660 is showing as provisioned but CIRA appears as not connected for it; therefore, there is no KVM management for it. Christine-P3660 is showing as provisioned as well but is not being recognized by EMA. In other words, despite being provisioned, both endpoints are not properly configured.

In regards to the command, I apologize; the ones previously provided were meant to be used for other scenarios. The one that you need to run once each endpoint has been unprovisioned is the one below:

PS> ./Adopt-AMTSetupBySearch.ps1 -emaServerURL EMAServer.demo.com -searchMethod hostnameStart -searchString laptop

emaServerURL: FQDN

searchMethod: hostnameStart

searchString: endpoint Name

Note: If Active Directory is present, add -useADauth

Best regards,

Victor G.

Intel Technical Support Technician


0 Kudos
VeeDub
New Contributor I
1,998 Views

Hello Victor,

I do have KVM management for Brendan-P3660.

The Powershell script still isn't working.

Powershell_Error#2.png

Regards

VW

0 Kudos
Victor_G_Intel
Employee
1,993 Views

Hello VeeDub,

We appreciate your response.

Your command's syntax seems a bit wrong; please use the one below.

PS> ./Adopt-AMTSetupBySearch.ps1 -emaServerURL EMAServer.demo.com -searchMethod hostnameStart -searchString laptop

emaServerURL: FQDN

searchMethod: hostnameStart

searchString: endpoint Name

Note: If Active Directory is present, add -useADauth

In regards to the previously provided steps to unprovision the endpoints and reprovision them, we encourage you to follow them before attempting to run the command.

Best regards,

Victor G.

Intel Technical Support Technician


0 Kudos