Solved: Intel EMA - CIRA Not Connected

mezzadrist · ‎02-27-2024

I am trying to configure some new HP EliteBooks x360 14" 1040 Gen 10 laptops with vPro.

Intel AMT version is v16.1.30 on the clients

Intel EMA server version is v1.12.2.0

This is the first model I've tried with vPRO that doesn't have Ethernet. It has WiFi only.

Certificates look good, I've set up a profile with wireless information, 802.1x information, etc.

However, after running EMAAGENT on the laptops, they only seem to partially provision.

On the Intel EMA server, when I look at a client:

Intel AMT status shows "provisioned"

Intel AMT setup status shows "pending activation"

Intel EMA - CIRA shows "Not Connected"

On the client, in Intel Management and Security Status:

The wireless connection shows "link down" and configuration for wireless "wireless disabled"

As a result, none of the out of band features are available.

I've followed the EMA guide and I'm not sure what to do next or look at next:

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-admin-and-usage-guide.pdf

Any help or guidance would be greatly appreciated.

mezzadrist · ‎03-04-2024

After following 8.1 I was able to get it to work.

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-server-installation-and-maintenance-guide.pdf#page=87

View solution in original post

MIGUEL_C_Intel · ‎02-27-2024

Hello, Mezzadrist,

I am glad you are interested in Intel® EMA software.

The Out-of-Band features require provisioning in Admin Control Mode (ACM). This provisioning method requires a third-party certificate for Intel® AMT. In addition, we need to manually add the PKI DNS suffix of the Certificate in the MEBx BIOS of each LAN-Less (WiFI) endpoint. This process is unnecessary on wired connection endpoints if the DNS of the DHCP option 15 of your company network matches the PKI DNS of the EMA configuration.

The documentation on how to configure LAN-Less endpoints is below:

Configuring LAN-less Endpoints to ACM - Intel® EMA; disregard sections 4 and 4.1

https://downloadmirror.intel.com/646990/Configuring_LAN-less_Endpoints_to_ACM.pdf

Vendor Certificates to Support Intel® AMT (bottom of the website)

https://www.intel.com/content/www/us/en/architecture-and-technology/vpro/active-management-technology/implementation.html

Regards,

Miguel C.

Intel Customer Support Technician

mezzadrist · ‎02-27-2024

Thank you for your speedy reply. We are using a Godaddy certificate. I believe that's all set correctly and I've confirmed it's SHA-256, etc.

I followed the directions you provided, ignoring section 4/4.1 since this is EMA and not SCS.

I checked the PKI DNS Suffix and it was correct in the MEBX, then ran the emaagent.exe tool, but I still get:

Intel® AMT setup status: Pending Configuration

MIGUEL_C_Intel · ‎02-27-2024

Hello, Mezzadrist,

You are welcome.

You are right, the Settings tab screenshot shows the Certificate as valid. I understand, you manually added the PKI DNS suffix into the MEBx BIOS of the endpoint.

Did you validate the Certificate chain as SHA256 from IIS? The 3 lines (Root, Intermediate, and Domain).
By any chance, do you have working OOB wired connection endpoints?
You are saying the OOB access is not working, please confirm if the connection works when the endpoint OS is working.
Is the endpoint connected to the power outlet?
Please send the EMA Server logs; they will provide more details of the provisioning issue.

Default Path: [System drive]\Program File(x86)\Intel\Platform Manager\EmaLogs

EMAlog-Webserver.txt

EMAlog-Swarmserver.txt

EMAlog-Manageabilityserver.txt

6.If it is possible, share the Intel® EMA Configuration Tool (ECT) log from the endpoint.

https://www.intel.com/content/www/us/en/download/19805/30485/intel-endpoint-management-assistant-configuration-tool-intel-ema-configuration-tool.html

Installation:

Download and unzip the tool.

Double-click the .msi file and follow the prompts.

Run:

a-Open a command prompt as administrator (alternatively, you can run the tool from Windows PowerShell*).

b-Navigate to the installation folder (default C:\Program Files (x86)\Intel\EMAConfigTool).

c-Run the command: EMAConfigTool.exe --verbose

You can send the information via private message.

Regards,

Miguel C.

Intel Customer Support Technician

mezzadrist · ‎02-28-2024

I'm not sure how to send a private message on this platform, but here are the items you requested:

1. From IIS:

2. I do, but they were enrolled 5 years ago, back when we had RCS/SCS and imported into Intel EMA.

3. Basic connection does work when the OS is booted (remote desktop, etc.), just no OOB features.

4. Yes, power is connected

5. Server logs attached. The computer I'm trying to provision is "ETC-39597". Looking at the logs, these entries stand out, but I'm not sure how to resolve this:

2024-02-28 00:58:52.7518|ERROR||3044|53|ApplyWirelessConfiguration - MeshManageabilityServer.code.AmtSetup.WirelessManager, EMAManageabilityServer, Version=1.12.2.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Failed to apply wireless configuration : (ETC-39597,B054293F).
Exception Level(0):Access is denied.

StackTrace Level(0): at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.SetInfo()
at System.DirectoryServices.DirectoryEntry.CommitChanges()
at MeshServersCommon.code.AD.ActiveDirectoryService.AddComputerToOrgUnit(ActiveDirectoryComputerObject computerObject, String orgUnit)
at MeshManageabilityServer.code.IEEE802_1X.AdAbstraction.CreateAmtComputerInAd(ActiveDirectoryComputerObject computer, String orgUnitDistinguishedName)
at MeshManageabilityServer.code.IEEE802_1X.AdAbstraction.CreateAdComputer(String computerName, String orgUnitDistinguishedName)
at MeshManageabilityServer.code.IEEE802_1X.Ieee8021XService.GetAdObjectNameAndCertificatesBeforeSetup(String computerName, Ieee8021XSettings settings)
at MeshManageabilityServer.code.IEEE802_1X.Ieee8021XService.ConfigureWirelessSettings(String computerName, Ieee8021XSettings settings)
at MeshManageabilityServer.code.AmtSetup.WirelessManager.AddWiFiProfile(WiFiSetup setup)
at MeshManageabilityServer.code.AmtSetup.WirelessManager.AddWiFiProfiles(WiFiConnection wiFiConnection)
at MeshManageabilityServer.code.AmtSetup.WirelessManager.ApplyWirelessConfiguration(AMTProfile amtProfile)

2024-02-28 00:58:52.7518|ERROR||3044|53|PerformRound2Provisioning - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.12.2.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Applying wireless settings failed: (ETC-39597,B054293F). Error = Access is denied.

and

2024-02-28 01:59:24.2465|INFO||3044|49|CreateAmtComputerInAd - MeshManageabilityServer.code.IEEE802_1X.AdAbstraction, EMAManageabilityServer, Version=1.12.2.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - EVENT: Information, 802.1x configuration (ETC-39597,B054293F). Adding computer to Active Directory.
2024-02-28 01:59:24.4497|ERROR||3044|49|CreateAmtComputerInAd - MeshManageabilityServer.code.IEEE802_1X.AdAbstraction, EMAManageabilityServer, Version=1.12.2.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - EVENT: Exception, 802.1x configuration (ETC-39597,B054293F). Add computer to organization unit in Active Directory failed. Error = Access is denied.

2024-02-28 01:59:24.4497|ERROR||3044|49|AddWiFiProfile - MeshManageabilityServer.code.AmtSetup.WirelessManager, EMAManageabilityServer, Version=1.12.2.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Unable to create WiFi Profile : (ETC-39597,B054293F).
Exception Level(0):Access is denied.

6. client log attached.

mezzadrist · ‎03-04-2024

After following 8.1 I was able to get it to work.

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-server-installation-and-maintenance-guide.pdf#page=87

MIGUEL_C_Intel · ‎03-04-2024

Hello, Mezzadrist,

I am glad to know the issue is resolved. Do not hesitate to reply if I can help you with anything else.

Regards,

Miguel C.

Intel Customer Support Technician