Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
3056 Discussions

Intel EMA installation and set up for basic functionality

Tomhys
Beginner
‎11-25-2025 03:46 AM
462 Views
Hello, For a long time we have used Intel Manageability Commander to connect to Intel AMT on computers. We have manually configured AMT in the BIOS and used this tool to connect to them and it worked wonderfully. We used separate IP and LAN1 connection just for purpose of AMT. Sadly I just received new server ant it uses AMT version v16.1.30. The Intel MC is no longer working with the newer AMT. So I am trying to configure the Intel EMA and its nightmare. Is there any other official way to use something more lightweight than the EMA ? Situation is I am deploying to small scale project only 4 servers. There is Domain, DNS, but no DHCP only static IPs used, no internet access. We have own Certificate Authority running for the domain. I have managed to install the Intel EMA. I have created the Tenant and Tenant admin. Created the AMT Profile and endpoint group, installed agent on the desired server and its appeared in the Endpoints section. But under Hardware Manageability Intel® AMT is not reachable. I am able to reach the AMT web interface on the IP:16992 for this machine. I tried to follow this guide, because I have no certificate signed by the public vendor: https://www.intel.com/content/www/us/en/support/articles/000097538/software.html But at point of running the CLI script I insert my credentials and get error: Invoke-WebRequest : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. i have made temporary Allow all rule on firewall and disabled local firewall on the server running EMA. Is the issue that I need to put my own certificate for the web application and not use the default one ? I just need the most simple, boring way to be able to connect from the server to the AMT in case of emergency. Thank you
0 Kudos

Link Copied

6 Replies
vij1
Employee
‎11-25-2025 12:25 PM
406 Views

Hello Tomhys,

 

Thank you for providing the detailed information regarding your environment and the challenges encountered after transitioning to systems running Intel® AMT version 16.1.30.

 

We understand that Intel Manageability Commander was previously used successfully for direct AMT access and that you are now experiencing increased complexity when using Intel® Endpoint Management Assistant (EMA) for a small-scale deployment.

 

 

Lightweight Alternative Option

For environments with a limited number of systems, a simpler approach may be more suitable.

MeshCommander, an open-source tool, provides basic AMT functionality such as:

  • KVM access
  • Power control
  • Basic AMT management

 

This may serve as an alternative to EMA for small-scale deployments. Please note that MeshCommander is a third-party tool and is not officially supported by Intel.

Website:

https://www.meshcommander.com/

 

Continuing with Intel EMA

If you choose to proceed with Intel EMA, please note:

  • Proper TLS certificate configuration is required for secure communication between EMA and Intel AMT using your internal Certificate Authority (CA).
  • This will resolve the current SSL/TLS trust issue observed during provisioning.

 

Intel EMA uses port 8080 for communication between the server and endpoints via CIRA.

Please also note:

  • Secure TLS connections are supported starting from AMT 16 (and AMT 15 with BIOS updates).
  • Legacy ports 16992, 16994, and 623 are no longer supported in this mode.
  • TLS communication should instead use port 16993.

 

We suggest running the following PowerShell commands on the system to validate connectivity:

Test-NetConnection localhost -Port 16992

Test-NetConnection localhost -Port 16993

 

Environmental Details Required:

To assist further, please provide the following details:

  • OS version of the EMA Server
  • SQL version
  • Installation type (Physical or Virtual)
  • Will EMA and SQL be on the same server?
  • Authentication mode: Local, Azure AD, or Windows AD
  • Intel® EMA version
  • Location of endpoints (Local or Remote)

 

Endpoint Validation – EMA Configuration Tool

Please run the Intel® EMA Configuration Tool on the affected endpoint and share the output with us. This will provide detailed system information required for further analysis.

Intel® EMA Configuration Tool (ECT):

https://www.intel.com/content/www/us/en/download/19805/30485/intel-endpoint-management-assistant-configuration-tool-intel-ema-configuration-tool.html

Installation:

  • Download and unzip the tool
  • Double-click the .msi file and follow the installation prompts

Execution:

a. Open Command Prompt as Administrator (or PowerShell)

b. Navigate to:

C:\Program Files (x86)\Intel\EMAConfigTool

c. Run the command:

EMAConfigTool.exe --verbose

 

Please share the requested information and command output so we can continue with targeted troubleshooting and resolution.

 

Best regards,

Vijay N

Intel Customer Support Technician

Intel® vPro™ Technology

https://www.intel.com/vpro


0 Kudos
Copy link
Tomhys
Beginner
‎11-26-2025 04:22 AM
342 Views

Hello Vijay,

I was looking at the mesh commander, which is working great and would be sufficient for my need. But cybersec would prefer to use the official Intel application.
For your questions:

  • OS version of the EMA Server - Win Server 2022 v 21H2
  • SQL version - SQL Server 2019
  • Installation type (Physical or Virtual) - Installed in HyperV virtual machine
  • Will EMA and SQL be on the same server? - Yes they are on the same VM
  • Authentication mode: Local, Azure AD, or Windows AD - Windows AD
  • Intel® EMA version - v. 1.14.4.0
  • Location of endpoints (Local or Remote) - They are in the same network, just in different VLAN, but routed together behind FW.

I will send the output from EMA ConfigToll in DM. In EMA for this system I see that we have it in Admin Control Mode and provisioning is completed. 
We have AMT profile set as:

  • General tab: Always use Intel AMT CIRA
  • Power states: Any time system is connected
  • Management interfaces: selected KVM, Web-based user interface, Remote platform Erase
  • FQDN Source: Shared with host OS
  • IP Address: Use a statis IP address from host
  • Wifi: did not touch
  • Wired 802.1X: did not touch

Setting in Endpoint Group:
Intel AMT Setup enabled
Selected AMT profile
Activation method: Host Based Provisioning (no other method is available for me)
And set my custom Admin password

 

Please let me know if there is some setting I should use differently for my use case. 
I definitely have incorrect certificate settings. 

Preview file
8 KB
0 Kudos
Copy link
Tomhys
Beginner
‎11-26-2025 04:30 AM
332 Views
In response to Tomhys

I definitely have incorrect certificate settings, we have it in default. In all guides I tried to find its described to have certificate from public known CA. I dont know how to implement certificate from our own local CA.

Thank you

In response to Tomhys
0 Kudos
Copy link
vij1
Employee
‎11-26-2025 12:43 PM
267 Views

Hello Tomhys,

 

Thank you for sharing the details.

 

Based on the ECT logs, we noticed the following:

 

  1. Intel® Management Engine Driver Version
  2. The current version is 2406.5.5.0, which is outdated. Please update to the latest version using the link below:
  3. Intel® Management Engine Drivers for Windows 10* and Windows 11*

https://www.intel.com/content/www/us/en/download/682431/intel-management-engine-drivers-for-windows-10-and-windows-11.html

  1. PKI DNS Suffix Configuration
  2. The PKI DNS Suffix is currently set to THIS-MINE-DOMAIN.dom, which is incorrect. It should match your Fully Qualified Domain Name (FQDN), for example:
  3. example.hf.intel.com

For more details, please refer to:

PKI Certificate Verification Methods

https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/WordDocuments/pkicertificateverificationmethods.html

 

To resolve this, the Intel EMA server must be configured with a certificate issued by your internal Certificate Authority (CA) and properly bound to IIS.

 

Required Action: Replace Default EMA Certificate with CA-Issued Certificate

Please follow the steps below to install and bind your internally signed certificate.

 

Part 1: Import CA Certificates using Microsoft Management Console (MMC)

  1. Obtain the following from your internal CA:
    • Root CA certificate
    • Intermediate CA certificate(s)
    • Server certificate for EMA (FQDN-based)
  1. On the EMA server, open:
    • Start → Run → MMC
  1. Navigate to:
    • File → Add/Remove Snap-in
    • Select Certificates → Add
    • Choose Computer Account → Next → Finish
    • Click OK
  1. Expand:
    • Certificates (Local Computer)
  1. Import Root CA:
    • Go to Trusted Root Certification Authorities → Certificates
    • Right-click → All Tasks → Import
    • Select your Root CA certificate file → Complete the wizard
  1. Import Intermediate CA:
    • Go to Intermediate Certification Authorities → Certificates
    • Right-click → All Tasks → Import
    • Select your Intermediate CA certificate → Complete the wizard

Verify that both Root and Intermediate certificates appear correctly in their respective stores.


Part 2: Install the Server Certificate in IIS

  1. Open Internet Information Services (IIS) Manager
  2. Select the EMA server name
  3. Double-click Server Certificates
  4. Click Complete Certificate Request
  5. Browse and select the EMA server certificate
  6. Enter a friendly name (e.g., EMA-FQDN-2025)
  7. Click OK

The certificate should now appear in the Server Certificates list.


Part 3: Bind Certificate to EMA Website

  1. In IIS, expand Sites and select the site used by Intel EMA (typically Default Web Site)
  2. Click Bindings in the right panel
  3. Add or Edit HTTPS binding:
    • Type: HTTPS
    • IP Address: All Unassigned
    • Port: 443
    • SSL Certificate: Select the newly imported certificate
  1. Click OK to save

Important:

If intermediate certificates were installed after binding, please remove and re-add the HTTPS binding to rebuild the trust chain.

 

Best regards,

Vijay N

Intel Customer Support Technician

Intel® vPro™ Technology

https://www.intel.com/vpro


0 Kudos
Copy link
Tomhys
Beginner
‎11-27-2025 12:32 AM
223 Views

Hello,

I have updated the Intel ME with the version you provided.

I have put the FQDN of our EMA Server to the PKI DNS Configuration. If I understand correctly we need now to insert our root CA to the AMT on the specific machine ? I cant find any guide how to do this.


I have the personal and root cert on the certificate manager on said device. We dont have intermediate cert.
I imported it to IIS using the import function (complete cert request didnt work for me). Then I assigned it to the site.

The state now is that I have EMA with trusted certificate and I see the connection as secure.
The side effect is that now when I open the settings tab in Intel EMA I get "Internal Server Error. Please contact the administrator"
The same error i get when i open Provision Intel AMT window on the endpoint. Screenshots attached.

Thank you.

 

 

Preview file
17 KB
Preview file
110 KB
0 Kudos
Copy link
vij1
Employee
‎11-27-2025 09:31 AM
102 Views

Hello Tomhys,


I wanted to let you know that I’ll be sending you a private message shortly to request the file. 


Please keep an eye out for it, and feel free to reach out if you have any questions or need clarification.


Thank you for your support!


Best regards,

Vijay N

Intel Customer Support Technician

intel.com/vPro



0 Kudos
Copy link
Reply

Community support is provided Monday to Friday. Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.