Re:Intel EMA Deployment and Issues with Administrator Control Mode

BrunoGasparotto · ‎10-16-2025

We recently completed the deployment of Intel EMA in our environment. All configurations were successfully applied and are functioning correctly. However, our goal is to enable Administrator Control Mode on all clients.

To achieve this, we requested a PKI certificate from Sectigo with the required attribute for Intel vPro. The certificate was successfully imported and configured in IIS, and it was also uploaded to the certificate configuration section in Intel EMA.

Despite these steps, we are unable to activate the clients — the Administrator Control Mode option is not available. We even went as far as recreating the server and redoing all configurations, but the issue persists. At this point, we are unable to identify what is preventing the activation of Administrator Control Mode.

Below is the procedure used to request the certificate:

Intel® vPro™ Technology How To Purchase and Install DigiCert* Certificates for Intel® AMT Remote Setup and Configuration

ema_cert _2.png

Arun_Intel1 · ‎10-16-2025

Hi BrunoGasparotto,

We see that you have completed the deployment of Intel EMA with all configurations successfully applied and are functioning

correctly. However you are unable to provision the endpoint in ACM mode with a PKI certificate from Sectigo with the

required attribute for Intel vPro.

The certificate has been successfully imported and configured in IIS, and it was also uploaded to the

certificate configuration section in Intel EMA, even after recreating the server and redoing all configurations, the issue still

persists.

We would like to inform you that the Sectigo certificates has some known issues recently and has been worked by the team upon these issues, however there is no known ETA disclosed yet.

Therefore we would request you to contact GoDaddy or DigiCert who are the authorized certificate providers as well and purchase a certificate and get it configured in the Intel EMA console and import it in the IIS for a successful provisioning of the endpoints in ACM mode.

Please find the link given below for purchasing the certificate:

https://www.intel.com/content/www/us/en/support/articles/000055009/technologies.html

We greatly appreciate your understanding in this matter!

Thanks & Regards

Arun

Intel Customer Support Technician

intel.com/vPro

BrunoGasparotto · ‎10-16-2025

Unfortunately, we attempted to use a certificate from DigiCert, but due to the lack of adequate support from their team, we were unable to generate a PKI certificate that would also enable ACM (Admin Control Mode) functionality.

It's important to note that the issue we're currently facing is different from the provisioning problem encountered with the Sectigo certificate. In our case, the ACM feature is not being enabled, and only HBP (Host-Based Provisioning) is available.

Additionally, the Intel documentation available for ACM provisioning is outdated, which has made the implementation process significantly more challenging.

Arun_Intel1 · ‎10-16-2025

Hi BrunoGasparotto,

Thank you for sharing your observation.

To further analyze the issue, please share us the ECT log of the Endpoint that you are trying to provision in ACM, the screen shot of the place where you are getting an option only for the host based provisioning and the Screen shot of the general tab from the Intel EMA console, logged as a Tenant admin.

With that, kindly share the Intel document that you are referring to provision the endpoint, which is showing out dated.

Steps to collect the Intel® EMA Configuration Tool (ECT) Logs from the endpoint:

Download the tool from the following link: Intel® EMA Configuration Tool
Installation:

Download and unzip the tool.
Double-click the .msi file and follow the installation prompts.

Run the Tool:
a. Open a command prompt as an administrator (or use Windows PowerShell*).
b. Navigate to the installation folder (default: C:\Program Files (x86)\Intel\EMAConfigTool).
c. Run the following command:
EMAConfigTool.exe --verbose

Thanks & Regards

Arun

Intel Customer Support Technician

intel.com/vPro

BrunoGasparotto · ‎10-21-2025

So the issue isn't with the Endpoint itself — it's on the server side, which isn't recognizing the certificate during provisioning.

Arun_Intel1 · ‎10-21-2025

Hi BrunoGasparotto,

The ECT logs of the endpoint was not to conclude that the issue is on the endpoint, however for getting certain details which would be present on the ECT log, that can help us to further analyze the issue,

We can send out an email to you, if you are not comfortable sharing the log through the community.

With that, we would require the screen shot of the place where you are getting an option only for the host based provisioning and the Screen shot of the general tab from the Intel EMA console, logged as a Tenant admin.

And also kindly share the Intel document that you are referring to provision the endpoint, which is showing out dated.

Please let us know if we have to send an email through which you can share these details.

Thanks & Regards

Arun

Intel Customer Support Technician

intel.con/vPro

Suneesh · ‎10-23-2025

Hello BrunoGasparotto,

I’m following up on your case and wanted to check if there’s anything else I can assist you with.

Feel free to reply to this email, and we'll be more than happy to assist you further.

Regards,

Suneesh S

Intel Customer Support Technician

intel.com/vPro

BrunoGasparotto · ‎10-27-2025

Hello Suneesh

Attached is the log generated by the endpoint's EMA Configuration Tool (ECT)."

Suneesh · ‎10-27-2025

Hello BrunoGasparotto,

Thank you for providing the ECT logs.

Based on our analysis, we can confirm that the endpoint has been successfully provisioned in CCM mode and is currently connected via a wireless network. However, we noticed that the PKI DNS Suffix is not found, which is required for provisioning in ACM mode.

To address this, please refer to the following Intel® support article on how to create a Certificate Chain PFX file for Intel® EMA:

https://www.intel.com/content/www/us/en/support/articles/000099677/software.html

Once the new PFX file is uploaded to the EMA web console, follow these steps to configure the PKI DNS suffix on the endpoint:

1. Access MEBx (default password: admin)

o Refer to your OEM documentation for instructions.

o If logging in for the first time, you’ll be prompted to change the password.

2. Navigate to:

Intel® AMT Configuration → Remote Setup and Configuration → TLS PKI → PKI DNS Suffix

o If this menu is not available, AMT is already configured.

o In that case, go to Intel® AMT Configuration → Unconfigure Network Access → Full Unprovision.

3. Enter the PKI DNS Suffix to match the provisioning certificate (e.g., Intel.com).

4. Save and exit.

5. Proceed with provisioning as per the Intel® EMA Administration and Usage Guide v1.4.0, section 1.2.7. https://www.intel.com/content/www/us/en/support/articles/000055619/software/manageability-products.html

Please refer to the article on How to Provision a LAN-Less Endpoint with Intel® EMA. https://www.intel.com/content/www/us/en/support/articles/000058945/software/manageability-products.html

Important Note:

As previously mentioned, Sectigo certificates have known issues that are currently being investigated. Unfortunately, there is no ETA for resolution at this time.

We recommend reaching out to GoDaddy or DigiCert, both of whom are authorized certificate providers, to obtain a compatible certificate. Once acquired, please configure it in the Intel EMA console and import it into IIS to enable successful ACM mode provisioning.

Please let us know if you need further assistance.

Regards,

Suneesh S

Intel Customer Support Technician

intel.com/vPro