Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Intel EMA - AD IME records are not created although service account has full control

YasserA
Beginner
2,504 Views

Dear Sir/Madam,

 

Whilst trying to provision machines with the generated client files, we found that the AD IME accounts were not being created, although the service account which is running Intel EMA has full control rights to the AD OU specified in the Wired Profile.

 

Can you please help us troubleshoot?

 

Kindest regards

Yasser

0 Kudos
20 Replies
Victor_G_Intel
Employee
2,459 Views

Hello YasserA,


Thank you so much for contacting Intel customer support,


To continue with your request can you please provide the information below:


  1. Please provide the exact EMA version that you are currently working with.
  2. What will be the AMT version(s) being used on the endpoints?
  3. We will require you to share some screenshots of the error you are seeing on your end.
  4. Despite having this error with AD were you able to finish the provisioning of the endpoints?
  5. How many endpoints do you have in your current deployment and how many are you planning to deploy?
  6. Are the Endpoints on the same network as the EMA server or not?
  7. Is the EMA server installed on a physical server or on a virtual machine?
  8. Are you using a certificate? If yes, did you purchase it?


Best regards,


Victor G.

Intel Technical Support Technician


0 Kudos
YasserA
Beginner
2,448 Views

Dear Victor,

 

Thank you for responding - the information you've asked for is as follows:

  1. Please provide the exact EMA version that you are currently working with? 1.9.1.0
  2. What will be the AMT version(s) being used on the endpoints? A mixture - test machine has 16.1.25.2128, and earlier AMT too
  3. We will require you to share some screenshots of the error you are seeing on your end. The EMA client logs say: [2023-03-16 11:52:18.58 AM] \Agent\MeshManageability\agent\core\meshctrl.c:1137 Packet is not encrypted correctly or uses an old key. Last error: 0
  4. Despite having this error with AD were you able to finish the provisioning of the endpoints? Yes - Admin Control Mode seems to complete
  5. How many endpoints do you have in your current deployment and how many are you planning to deploy? We have around 5000 - many of them are All-In-One units.
  6. Are the Endpoints on the same network as the EMA server or not? They are on different subnets - we've managed with Intel SCS before.
  7. Is the EMA server installed on a physical server or on a virtual machine? A virtual server
  8. Are you using a certificate? If yes, did you purchase it? Yes, Sectigo, yes we purchased it.

Please let me know what further information you require?

0 Kudos
YasserA
Beginner
2,444 Views

Test machine model was Dell Optiplex 7400 All-In-One

Most features in AMT work - which is great - but the key feature we need does not work and that is turning machines on via vPro powershell:

 

Instead of getting the top result which we get via Intel SCS configured machine

 

Get-AMTPowerState -Credential $MyCred -TLS -ComputerName

Computer Name  Power State ID  Power State Description
-------------  --------------  -----------------------
XXXXXXXXXXX    2               On (S0)


Get-AMTPowerState -Credential $MyCred -TLS -ComputerName

Computer Name  Power State Description
-------------  -----------------------
XXXXXXXXXXX    Cannot connect

 

What I've noticed is that the AD IME account wasn't created in the specified AD OU which had full control rights given to the Intel EMA service account - and thought this may be a reason for the vPro PowerShell to not work. Please do advise on next steps?

 

Kindest regards and many thanks

Yasser

0 Kudos
YasserA
Beginner
2,421 Views

My latest attempt on another client produced these results in the Intel EMA Client log files:


[2023-03-16 04:59:14.389 PM] \Agent\MeshManageability\agent\core\wincrypto.cpp:201 Failed trying to get Windows Cryptographic Context. Last error: -2146885628
[2023-03-16 04:59:14.389 PM] \Agent\MeshManageability\agent\core\wincrypto.cpp:213 Creating new EMA Agent root certificate. Last error: 0

0 Kudos
YasserA
Beginner
2,421 Views

Also - on the server side we get:

 

16/03/2023 17:00:08    01 : Applying wired 802.1X settings failed: (XXXXXXXXXXX ,22C9B919). Error = Certificate could not be added. Status code: INVALID_CERT.

 

16/03/2023 17:00:06    01 : Applying wired 802.1X settings: (XXXXXXXXXXX ,22C9B919).

0 Kudos
YasserA
Beginner
2,415 Views

Also - please note we manually insert the computer hostname and domain name into the MEBX for these tests.

0 Kudos
Victor_G_Intel
Employee
2,415 Views

Hello YasserA,


Thank you for your response.


Please provide the following to continue:


1-Discovery logs from one of the affected endpoints:


  • Download and unzip the Intel® Configurator v12.2
  • https://downloadcenter.intel.com/download/30340/Intel-Configurator
  • Open the unzipped folder, open the Configurator folder and run ACUConfigInstaller.msi
  • Open a Command Prompt window as an Administrator.
  • Go to C:\Program Files (x86)\Intel\SCS ACUConfig, and
  • Run the command: Acuconfig.exe /verbose /output console systemdiscovery
  • The discovery log file will be created in the same location the software ACUConfig was installed.
  •  Default location: C:\Program Files (x86)\Intel\SCS ACUConfig


2-EMA logs from Server:


[System drive]\Program Files (x86)\Intel\Platform Manager\EmaLogs


3-EMA log from one of the affected endpoints:


[System drive]\Program Files\Intel\EMA Agent\EMAagentlog


4-Could you please let us know the type of cryptographic version the Certificate is using? If you are unsure, please go to the EMA server, open the Manage Computer Certificates>Personal Store>Open the EMA Certificate, and review the cryptographic version. AMT 14 and later requires SHA256 Certificates; previous AMT versions worked with SHA1. To further validate the information you find, please send us screenshots of the EMA certificate, (send screenshots from all 3 tabs: General, Details, and Certificate Path).


Best regards,


Victor G.

Intel Technical Support Technician


0 Kudos
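The certificate check requested in the post above can also be done from PowerShell on the EMA server instead of the MMC snap-in. This is an added example, not part of the thread or of Intel's tooling; `$SubjectMatch` is a placeholder you must replace with part of your own certificate's subject. It lists the signature hash and expiry for every certificate in the chain of each matching certificate in the computer's Personal store.

```powershell
# Added example. $SubjectMatch is a placeholder: set it to part of your
# EMA/AMT provisioning certificate's subject name.
$SubjectMatch = 'ema.example.test'

function Get-CertChainReport {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip CRL/OCSP lookups so the check works offline; only the chain
    # members and their signature algorithms are of interest here.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($Certificate)

    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        [pscustomobject]@{
            Subject            = $c.Subject
            SignatureAlgorithm = $c.SignatureAlgorithm.FriendlyName
            # The thread states AMT 14 and later requires SHA256 certificates.
            UsesSha1           = $c.SignatureAlgorithm.FriendlyName -match 'sha1'
            NotAfter           = $c.NotAfter
            DaysLeft           = [int][math]::Floor(($c.NotAfter - (Get-Date)).TotalDays)
            ChainBuilt         = $built
        }
    }
}

# Cert:\LocalMachine\My is the "Personal" store shown under
# Manage Computer Certificates.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$SubjectMatch*" } |
    ForEach-Object { Get-CertChainReport -Certificate $_ } |
    Format-Table -AutoSize
```

A `ChainBuilt` value of `False` means Windows could not build a trusted chain for that certificate on this server, which is worth resolving before looking at the hash algorithm.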
YasserA
Beginner
2,328 Views

Dear Victor,

 

I have attached the logs and screenshots requested.

 

We are using SHA256 certificates.

 

I look forward to hearing from you!

 

Many thanks for your support.

 

Kindest regards

 

Yasser

0 Kudos
Victor_G_Intel
Employee
2,312 Views

Hello YasserA,


Thank you so much for your response.


Please try to use our API Sample Scripts below to see if you are able to wake up the endpoints.


Intel® Endpoint Management Assistant (Intel® EMA) API Sample Scripts


https://www.intel.com/content/www/us/en/download/19693/intel-endpoint-management-assistant-intel-ema-api-sample-scripts.html


Note: The PowerShell example script you want to take into consideration is the following one: Set-IntelEMAEndpointPowerState, which sends a specified power command to an endpoint.


You can use the article below as an example of what you are trying to achieve.


How to Reboot the System with the Powershell API (Application Programming Interface) on Intel® EMA?


https://www.intel.com/content/www/us/en/support/articles/000088376/software/manageability-products.html


Best regards,


Victor G.

Intel Technical Support Technician  


0 Kudos
YasserA
Beginner
2,308 Views

Dear Victor,

 

Thank you for your quick response - this is what we get:

 

PS D:\> PowerShell.exe -ExecutionPolicy Bypass -File Set-IntelEMAEndpointPowerState.ps1 -emaServerURL XXXXXXXXXXXXXXXXXX -hostname XXXXXXXXXXXX -powerState PowerOn -Verbose
VERBOSE: Intel EMA Server: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
VERBOSE: API path to call: /api/latest/endpointOOBOperations/Single/PowerOn
VERBOSE: Attempting to retrieve token using normal credentials provided via prompt.
VERBOSE: POST with -1-byte payload
VERBOSE: REST Error Status: 400 Bad Request
Invoke-WebRequest : {"error":"unsupported_grant_type","error_description":"Standard OAuth authorization grant is
disabled. Please use GET /accessTokens/getUsingWindowsCredentials URI instead."}
At D:\Set-IntelEMAEndpointPowerState.ps1:186 char:24
+ ... { $token = Invoke-WebRequest -Uri "$emaServerURL/api/token" -UseBasi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
eption
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

 

Can you please help?

 

Kindest regards

 

Yasser

0 Kudos
Victor_G_Intel
Employee
2,291 Views

Hello YasserA,


Thank you for posting on the Intel® communities.


Please let me review this information internally, and kindly wait for an update.


Once we have more information to share, we will post it on this thread.


Regards,


Victor G.

Intel Technical Support Technician


0 Kudos
Victor_G_Intel
Employee
2,232 Views

Hello YasserA,


Thank you so much for your patience.


According to the information provided, we believe you are missing the username and password in your PowerShell command. It needs to look like this:


PowerShell.exe -ExecutionPolicy Bypass -File Set-IntelEMAEndpointPowerState.ps1 -emaServerURL XXXXXXXXXXXXXXXXXX -hostname XXXXXXXXXXXX -emaUsername TenantADMIN@city.ac.uk -emaPassword PASSWORD -powerState PowerOn -VerbosePSE


Best regards,


Victor G.

Intel Technical Support Technician  


0 Kudos
YasserA
Beginner
2,216 Views

Dear Victor,

 

I've tried the command you've suggested and got the following result - see below:

The emaUsername is a tenant admin.

Could this be related to the fact that when provisioning  the machines - there were no AD accounts created?

 

The Sectigo AMT certificate runs out on the 18th April 2023 - it'd be nice to get a positive result before that.

 

Thank you for your help so far - please advise what to do to proceed/progress?

 

Kindest regards

 

Yasser

 

.\Set-IntelEMAEndpointPowerStateTest.ps1 -emaServerURL nsq1057ap.enterprise.internal.city.ac.uk -hostname NSQEGM08A18 -emaUsername a_yassera@enterprise.internal.city.ac.uk -emaPassword ******** -powerState PowerOn -Verbose PSE

VERBOSE: Intel EMA Server: https://nsq1057ap.enterprise.internal.city.ac.uk
VERBOSE: API path to call: /api/PSE/endpointOOBOperations/Single/PowerOn
VERBOSE: Attempting to retrieve token using normal credentials provided in parameters:
a_yassera@enterprise.internal.city.ac.uk
VERBOSE: POST with -1-byte payload
VERBOSE: REST Error Status: 400 Bad Request
Invoke-WebRequest : {"error":"unsupported_grant_type","error_description":"Standard OAuth authorization grant is
disabled. Please use GET /accessTokens/getUsingWindowsCredentials URI instead."}
At C:\users\saqi\Desktop\Set-IntelEMAEndpointPowerStateTest.ps1:186 char:24
+ ... { $token = Invoke-WebRequest -Uri "$emaServerURL/api/token" -UseBasi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
eption
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

0 Kudos
Victor_G_Intel
Employee
2,203 Views

Hello YasserA,


Thank you for your response.


We will investigate further on our end and once we have more information to share, we will post it on this thread.


Regards,


Victor G.

Intel Technical Support Technician


0 Kudos
Victor_G_Intel
Employee
2,188 Views

Hello YasserA,


Thank you so much for your patience.


We apologize. If you are using AD, you will want to use the useADAuth flag in the API command, not an EMA user. It is spelled out in the example scripts in the API tool kit.


Additionally, regarding the certificate, you will want to work with Sectigo on how to update your AMT certificate once it expires. Once you have received the PFX file from Sectigo it is really easy to import via the EMA console. If you eventually need help with that we can assist you with importing the cert into EMA. 


Best regards,


Victor G.

Intel Technical Support Technician  


0 Kudos
YasserA
Beginner
2,173 Views

Dear Victor,

 

Thank you for that update!

 

I'm trying this line with the useADAuth flag and with a powershell window which is run-as the tenant admin account - but still have issues (see below):

Can you please advise?

 

Kindest regards

 

Yasser

 

 

PS D:\> .\Set-IntelEMAEndpointPowerState.ps1 -emaServerURL nsq1057ap.enterprise.internal.city.ac.uk -hostname NSQEGM08A18 -useADAuth -powerState PowerOn -Verbose PSE

VERBOSE: Intel EMA Server: https://nsq1057ap.enterprise.internal.city.ac.uk
VERBOSE: API path to call: /api/PSE/endpointOOBOperations/Single/PowerOn
VERBOSE: Attempting to retrieve token using Windows credentials of logged in user.
VERBOSE: GET with 0-byte payload
404 - File or directory not found.
Server Error

404 - File or directory not found.
The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.

At D:\Set-IntelEMAEndpointPowerState.ps1:155 char:21
+ throw $error
+ ~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (System.Collections.ArrayList:ArrayList) [], RuntimeException
+ FullyQualifiedErrorId :
404 - File or directory not found.
Server Error

404 - File or directory not found.
The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.

0 Kudos
Victor_G_Intel
Employee
2,162 Views

Hello YasserA,


We appreciate your response.


Please let us review the command's output and its syntax and we will get back to you shortly.


Regards,


Victor G.

Intel Technical Support Technician


0 Kudos
Victor_G_Intel
Employee
2,108 Views

Hello YasserA,


Thank you for your patience.


After checking the syntax of your command, we were able to replicate the error you were having. Please proceed to remove the word PSE after verbose and it should work. Please keep us updated in case it doesn’t.


Example:


PS D:\> .\Set-IntelEMAEndpointPowerState.ps1 -emaServerURL nsq1057ap.enterprise.internal.city.ac.uk -hostname NSQEGM08A18 -useADAuth -powerState PowerOn -Verbose


Best regards,


Victor G.

Intel Technical Support Technician


0 Kudos
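Why a stray word after `-Verbose` can change the request path, as seen in the thread where `/api/latest/...` became `/api/PSE/...` and returned 404: `-Verbose` is a switch and takes no value, so PowerShell binds the leftover token to the next unbound positional parameter. This is an added example, not the Intel sample script; the function names and the `$apiVersion` parameter are hypothetical stand-ins, and that the real script has such a parameter is an assumption drawn only from the changed path in the verbose output.

```powershell
# Constructed stand-in for a script parameter block. Parameter names seen in
# the thread are reused; $apiVersion is a hypothetical name for illustration.
function Get-LooseApiPath {
    [CmdletBinding()]            # default: parameters are positional in order
    param(
        [string]$emaServerURL,
        [string]$hostname,
        [string]$powerState,
        [switch]$useADAuth,
        [string]$apiVersion = 'latest'
    )
    Write-Verbose "API path to call: /api/$apiVersion/endpointOOBOperations/Single/$powerState"
    "/api/$apiVersion/endpointOOBOperations/Single/$powerState"
}

# Same parameters, but positional binding is switched off, so any token that
# is not attached to a named parameter is rejected instead of silently bound.
function Get-StrictApiPath {
    [CmdletBinding(PositionalBinding = $false)]
    param(
        [string]$emaServerURL,
        [string]$hostname,
        [string]$powerState,
        [switch]$useADAuth,
        [string]$apiVersion = 'latest'
    )
    "/api/$apiVersion/endpointOOBOperations/Single/$powerState"
}

# Constructed sample arguments (placeholder server and host names).
$common = @{
    emaServerURL = 'ema.example.test'
    hostname     = 'PC01'
    powerState   = 'PowerOn'
    useADAuth    = $true
}

# The stray token binds to $apiVersion and ends up in the URL path.
Get-LooseApiPath @common -Verbose PSE

# The same call fails at parameter binding, before any request would be sent.
try {
    Get-StrictApiPath @common -Verbose PSE
} catch {
    "Rejected: $($_.Exception.Message)"
}
```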
Victor_G_Intel
Employee
2,019 Views

Hello YasserA,


Were you able to check the previous post?  


Please let me know if you need further assistance.  

 

Regards,


Victor G. 

Intel Technical Support Technician  


0 Kudos
Victor_G_Intel
Employee
1,958 Views

Hello YasserA,


We have not heard back from you.


If you need any additional information, please submit a new question as this thread will no longer be monitored.


Regards,


Victor G.

Intel Technical Support Technician


0 Kudos