Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Intel vpro 1.14.2 - Clients stay in CCM mode, never change to ACM

ThomasB84
Beginner
5,813 Views

Hi,

I work for a company with about 400 Intel vPro-capable devices, mainly:

200x HP ZBook 14 G7
50x HP ZBook 14 G6
50x HP ZBook 14 G8
50x HP ZBook 14 G10

(And we are just starting the rollout of some ZBook 14 G11 and HP Fury 16 G11. There are also some Dell Precision here and there.)

We bought all of the machines with Intel vPro because we have many home office workers, or workers in other countries, where we want to be able to remote into the BIOS setup or boot USB devices without user consent, so we need ACM mode for Intel AMT.

I set up a very small test environment: a fresh install of Windows Server 2022 Evaluation, SQL 2022 Express and an official Comodo certificate for a test public domain, which has the special OID that is needed for vPro ACM. I grabbed an HP ZBook G7 with Windows 11, patched it to the latest and greatest patch state, latest BIOS and so on, and started my experiments to get ACM working (Intel EMA 1.14.2). The router/DNS server is an AVM FRITZ!Box, so the domain suffix for the local LAN is just fritz.box; my public domain is a subdomain, called something like "amt.mydomain.de". I have port-forwarded ports 443, 8080 and 8084 of the public subdomain to the EMA server in this LAN. I can provision the HP ZBook G7 to client control mode and the CIRA link is there. But I have never seen "admin control mode", although this is the only thing I am interested in.

Also, I have checked and confirmed that my Comodo special AMT certificate does in fact have the correct OID 2.16.840.1.113741.1.2.3, which is mentioned in the EMA 1.14.2 admin manual.

The HP ZBook G7 devices have an Intel Wi-Fi card (AX201). I also have an HP Thunderbolt Dock G4 with an Intel NIC I225-LMvP available, but I had no luck getting a connection outside of Windows 11 with that Thunderbolt dock.

I unprovisioned the device a dozen times, deleted everything and tried again. I tried to set it up in MEBx without remote setup, but had no luck getting the device to switch over to ACM.

14 Replies
ThomasB84
Beginner
5,810 Views

When I look at the EMAConfigTool logs, I see the ME interface does, for whatever reason, not connect to my Wi-Fi, and it does not see the Intel NIC in the HP Thunderbolt dock. So perhaps my main problem is that I only have a connection to the system as soon as the OS is running; when the OS is shut down, the Wi-Fi does not work with AMT and the HP Thunderbolt Dock G4 also does not work with AMT when the OS is not running.

ThomasB84
Beginner
5,752 Views

I now have wireless working, also when the OS is not active.

But still, after some further fiddling around, it is still only CCM, not ACM.

When I check the EMA platform logs, in manageabilityserver I see:

 

Message:Starting Mesh Router 52060 -> BAFC650D:16993, SYSTEM
Message: Attempting TLS Mesh phase 2 connection : (nbk-test-ema,BAFC650D).
Message:AMT Profile detected : (nbk-test-ema,BAFC650D).
Checking TLS state : (nbk-test-ema,BAFC650D).
Message:TLS State, Local=ServerAuth, Remote=ServerAuth : (nbk-test-ema,BAFC650D).
AMT is in TLS and the target is CIRA. Non-secure port needs to be opened. : (nbk-test-ema,BAFC650D).
Clearing environment detection : (nbk-test-ema,BAFC650D).
In TLS conn?=True, AMT Port=16993, Current TLS state=TlsNoAuth : (nbk-test-ema,BAFC650D).
Valid TLS Cert already exists. Using existing TLS cert : (nbk-test-ema,BAFC650D).
Checking user account : (nbk-test-ema,BAFC650D).
Setting Intel AMT hostname : (nbk-test-ema,BAFC650D).
Configuring PING response : (nbk-test-ema,BAFC650D).
Configuring redirection port : (nbk-test-ema,BAFC650D).
Configuring web interface : (nbk-test-ema,BAFC650D).
[2] - Warning:Phase 2 - No valid route to endpoint (,F3CF4CD5), routing 0. (<- can be ignored, another machine, old thinpkad t440)
Warning:Unable to set advanced boot options - (nbk-test-ema,BAFC650D).INTERNAL_ERROR
Fetching AMT_GeneralSettings : (nbk-test-ema,BAFC650D).
Configuring power profile : (nbk-test-ema,BAFC650D).
Removing all private keys : (nbk-test-ema,BAFC650D).
Checking user accounts : (nbk-test-ema,BAFC650D).
Creating new AMT user account: "EMA-user" : (nbk-test-ema,BAFC650D).
Sending password to ema agent : (nbk-test-ema,BAFC650D).
Enabling hardware KVM from profile : (nbk-test-ema,BAFC650D).
Setting KVM user consent timeout from profile : (nbk-test-ema,BAFC650D).
Attempting to configure user consent from profile : (nbk-test-ema,BAFC650D).
Checking trusted certificates : (nbk-test-ema,BAFC650D).
Enabling Wireless Management : (nbk-test-ema,BAFC650D).
Applying network configuration : (nbk-test-ema,BAFC650D).
Removing remote access policies : (nbk-test-ema,BAFC650D).
Removing remote access servers : (nbk-test-ema,BAFC650D).
Binding CIRA certificate : (nbk-test-ema,BAFC650D).
Enabling user remote access activation : (nbk-test-ema,BAFC650D).
Adding remote access server (amt.ANONYM.de:8080, 3) : (nbk-test-ema,BAFC650D).
Adding remote access policies : (nbk-test-ema,BAFC650D).
Adding environment detection - egkrlnygezwxbfqv : (nbk-test-ema,BAFC650D).
Message:Completed round 2 provisioning : (nbk-test-ema,BAFC650D).
Message:-- Successful provisioning - HBPX-XXXX : (nbk-test-ema,BAFC650D).
Warning:Phase 2 - No valid route to endpoint (,F3CF4CD5), routing 0. (<- can be ignored, another machine, old thinpkad t440)

EDIT: I see some warning messages are related to endpoint "F3CF4CD5", which is a very old ThinkPad test machine I used first. This old platform is not supported anymore (Intel AMT 9.5), which is fine for me. So the phase 2 warnings are all from that old machine, not from the modern machine with AMT v14, and therefore can be ignored.

And normally these messages should say: "round 2" completed -> ACM mode. But it does not do that.

Message:Completed round 2 provisioning : (nbk-test-ema,BAFC650D).
Message:-- Successful provisioning - HBPX-XXXX : (nbk-test-ema,BAFC650D).

I guess it is because I set them up "Wi-Fi" only, because these laptops have no physical LAN port, and the "HP Thunderbolt G4 dock", which brings a physical Intel LAN port to the device, is not recognized outside the OS (in the HP marketing material of the Thunderbolt G4 dock they state it supports "wired vPro"!?).

 

ThomasB84
Beginner
5,712 Views

Certificate is at the tenant, but there is still only the "host based HBP" option, no "TLS PKI" option!?

The PKI cert has the OID 2.16.840.1.113741.1.2.3 extension.

With HBP I get all laptops to this state, but all CCM only.

 

 

ThomasB84
Beginner
5,646 Views

So, I have now followed the doc "how-to-purchase-and-install-sectigo-certificates-for-vpro-amt.pdf" from 2021 and created a PFX file with the full chain to import to the EMA server (not the .cer files as before). Now I am able to choose the "TLS-PKI" activation method. I wonder why my "thumbprint" does not match the one in the doc, and also the "use cases for this cert" do not contain the detail "AMT_Provisioning" as shown in the PDF file from Intel. Maybe this is because the PDF file is 4 years old and I have a new 2025 certificate from Sectigo? I mean, I got this cert from Sectigo specifically for AMT usage and it contains the special OID when I check with the openssl command. (amt.mydomain.de)

As far as I understand, there is no need to install agent files, or even the EMA Agent, on the client if admin mode is the goal for Intel AMT provisioning, am I right!?

So normally, if I create an EMA endpoint group, set it to AMT autosetup with TLS-PKI mode, and enter the TLS-PKI domain (amt.mydomain.de) in the MEBx by hand, the new AMT client should appear in the endpoint group!? I tried that, with no luck.

My MEBx has the ability to enter a hostname and domain name for the client in network setup. Here I entered the hostname I liked for that machine, and the same domain as the EMA server itself (I tried mydomain.de and also amt.mydomain.de). I also entered in the "TLS PKI" part of the MEBx the FQDN of the EMA server itself, like amt.mydomain.de. I additionally have the possibility to enter a provisioning server FQDN, where I also entered amt.mydomain.de.

The MEBx has an option "RCFG" where I can start remote provisioning: when I choose that option I can do "Start Configuration", which immediately ends in "Start Configuration Error" and another message "Intel(R) - Activate rejected".

I wonder, because my domain name is very long: in fact the PKI-TLS domain has 30 characters, the domain name itself 26 letters. Sometimes in MEBx I see that the PKI-TLS domain name gets garbled; the domain ends with something like ".ä9   " or other special characters. Perhaps a field length issue?

Jimmy_Wai_Intel
Employee
4,778 Views

Hi ThomasB84,

The PKI DNS suffix shouldn't be scrambled. Please try entering a shorter PKI DNS suffix in MEBx. For .de domains, only 2 levels are required, e.g. intel.de. You can refer to the detailed tech info here - https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fsdkhomepage.htm

You only need to enter the PKI DNS suffix in MEBx; you don't need to change any other settings. If you have, please revert those. After entering the PKI DNS suffix in MEBx, you still need to use Intel AMT autosetup in the Intel EMA endpoint group and the corresponding set of Intel EMA agent files to provision AMT on the endpoint.

In addition, as Arun mentioned, you can also verify the PKI DNS suffix stored in MEBx using the ECT tool.

Jimmy Wai

Technical Sales Specialist

Arun_Intel1
Employee
4,795 Views

Hello ThomasB84,

Greetings!

Apologies for the delayed response.

We see that you are unable to connect in ACM mode; however, CCM mode works with In-band (Desktop) and Out-of-Band (Hardware Manageability) with the latest Intel EMA 1.14.2.

Also, you have uploaded the Sectigo certificate in the Intel EMA console as well, have manually configured the PKI DNS Suffix in the MEBx, and have done multiple unprovisionings and reprovisionings, yet it does not connect in ACM mode.

Additionally, please select the "shared with host OS" option on screenshot 8 and uncheck "Enable wifi profile sharing with UEFI BIOS" in screenshot 10, in the Intel AMT profile.

We wanted to check the ECT logs of the endpoint with and without the dock, shared in a separate file, and please confirm whether the endpoint gets provisioned in ACM mode without the dock, if you have tried that.

Steps to collect the Intel® EMA Configuration Tool (ECT) logs from the endpoint:

  1. Download the tool from the following link: Intel® EMA Configuration Tool
  2. Installation:
    • Download and unzip the tool.
    • Double-click the .msi file and follow the installation prompts.
  3. Run the tool:
    a. Open a command prompt as an administrator (or use Windows PowerShell*).
    b. Navigate to the installation folder (default: C:\Program Files (x86)\Intel\EMAConfigTool).
    c. Run the following command:
       EMAConfigTool.exe --verbose

And please share a screenshot of the Settings tab under Tenant Admin in the Intel EMA console, where all three certificates (the Root, Intermediate and PKI certificates from Sectigo) should be visible.

Best Regards

Arun

Intel Customer Support Technician

intel.com/vPro


ThomasB84
Beginner
4,720 Views

Hi,

My lab activities were completed a month ago. Since I was unable to resolve the issues independently and did not receive any responses here, I have since decommissioned my lab environment and canceled the Sectigo certificate order.

@Arun_Intel1 wrote:

Additionally Please select shared with host OS option on the screen shot 8 and uncheck the Enable wifi profile sharing with UEFI BIOS in screen shot 10, in the Intel AMT profile.

I want to note that our Microsoft AD domain (e.g., company.internal) does not align with the Intel AMT domain. Our local domain is not publicly accessible, so I configured an external domain name specifically for Intel AMT to ensure worldwide accessibility outside our corporate network. Given this setup, I’m uncertain whether the Intel AMT "shared-with-host" option is viable in our environment.

@Jimmy_Wai_Intel wrote:

Please try entering a shorter PKI DNS suffix in MEBx. For .de domains, only the 2 levels is required, e.g. intel.de. You can refer to the detailed tech info here

I’m not sure if that would resolve the issue. The AMT domain I configured (amt.publicdomain.de) does not align with any existing domains in our corporate network. As previously mentioned, our internal Active Directory domain (e.g., company.internal) is not publicly accessible. To enable external connectivity for Intel AMT, which is our main goal, I created a dedicated subdomain (amt.publicdomain.de) pointing to the public IP of our Intel EMA server. However, the parent domain (publicdomain.de) is managed by an external web hosting provider unrelated to our AMT infrastructure. Given this setup, shortening the PKI DNS suffix to something like publicdomain.de may not address the domain mismatch.

Jimmy_Wai_Intel
Employee
4,675 Views

Since you have purchased an Intel AMT provisioning certificate from Sectigo for amt.publicdomain.de, setting PKI DNS suffix in MEBx to publicdomain.de is the correct method. With PKI DNS suffix set in MEBx, the provisioning process will match that with the CN property in the provisioning certificate for verification and ignore the DNS domain at the OS level.

 

Regards,

Jimmy Wai

Technical Sales Specialist, Intel

ThomasB84
Beginner
4,670 Views

@Jimmy_Wai_Intel wrote:

Since you have purchased an Intel AMT provisioning certificate from Sectigo for amt.publicdomain.de, setting PKI DNS suffix in MEBx to publicdomain.de is the correct method. With PKI DNS suffix set in MEBx, the provisioning process will match that with the CN property in the provisioning certificate for verification and ignore the DNS domain at the OS level.


If I configure only publicdomain.de in MEBx, how does MEBx determine that it needs to connect to the subdomain amt.publicdomain.de and not to publicdomain.de at all?

Arun_Intel1
Employee
4,388 Views

Hello ThomasB84,


Greetings!


Once we configure the PKI DNS Suffix (publicdomain.de) in the MEBx, the AMT verifies only the publicdomain.de in the subdomain (amt.publicdomain.de), and trusts the certificate allowing the subdomain to be accessed, as .de is a 2 level depth verification done by the Intel AMT Domain Level Depth verifier.

Please find the same in the SDK link given below:

https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fpkicertificateverificationmethods.htm


Thanks & Regards

Arun

Intel Customer Support Technician

intel.com/vPro



ThomasB84
Beginner
4,374 Views

@Arun_Intel1 wrote:

Once we configure the PKI DNS Suffix (publicdomain.de) in the MEBx, the AMT verifies only the publicdomain.de in the subdomain (amt.publicdomain.de), and trusts the certificate allowing the subdomain to be accessed, as .de is a 2 level depth verification done by the Intel AMT Domain Level Depth verifier.


Hi Arun,

That answers how the certificate is verified—no questions there.

However, what I still don’t understand is: how does the MEBx know it has to connect specifically to the subdomain amt.publicdomain.de?

The Intel EMA server is only reachable at this exact FQDN and nowhere else. If I only configure publicdomain.de as the PKI DNS suffix (which is valid for the certificate but not for the server connection), the certificate may verify as valid, but how does the MEBx determine that the correct EMA server endpoint is amt.publicdomain.de / the IPv4 address of this FQDN?

pujeeth
Employee
4,319 Views

Hello ThomasB84,


Greetings!


I understand your concern about how the Intel MEBx (Management Engine BIOS Extension) determines the specific subdomain (amt.publicdomain.de) to connect to the Intel EMA (Endpoint Management Assistant) server when only a base PKI DNS suffix (publicdomain.de) is set in MEBx. When you set the PKI DNS suffix in MEBx (e.g., publicdomain.de), Intel AMT verifies that the server certificate's Common Name (CN) or Subject Alternative Name (SAN) matches or is a subdomain of the configured suffix. This is a security check to ensure the certificate is trusted for the domain or its subdomains.


The PKI DNS suffix alone does not specify the actual server endpoint (FQDN or IP) to connect to. It only restricts which certificates are accepted during the TLS handshake.


If you only set the PKI DNS suffix and do not configure the server FQDN (or IP) in the agent, policy, or MEBx, the AMT firmware will not know which endpoint to connect to. Both steps are necessary: certificate trust via the suffix, and endpoint address via agent/policy/MEBx.


Please feel free to respond to this email at your earliest convenience.


Regards

Pujeeth

Intel Customer Support Technician
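The two separate decisions described in the replies above (the PKI DNS suffix only gates which provisioning certificate is accepted, while the endpoint address comes from the agent/policy/MEBx setting) can be modelled as follows. This is an added illustration, not code from the thread or from Intel; the dataclass, the function names and the two-label minimum for the suffix (taken from the "e.g. intel.de" remark for .de domains) are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Extended Key Usage OID that the thread says the AMT provisioning cert must carry.
AMT_PROVISIONING_OID = "2.16.840.1.113741.1.2.3"

# Assumption for this example: a suffix must have at least two labels
# (the thread's ".de needs 2 levels, e.g. intel.de"); every TLD is treated alike here.
MIN_SUFFIX_LABELS = 2


@dataclass
class ProvisioningCert:
    """Constructed stand-in for the certificate fields AMT looks at."""
    common_name: str
    sans: List[str] = field(default_factory=list)
    eku_oids: List[str] = field(default_factory=list)


def _normalize(name: str) -> str:
    return name.strip().lower().rstrip(".")


def name_under_suffix(name: str, suffix: str) -> bool:
    """True if name equals the suffix or is a subdomain of it (label-wise).

    'notpublicdomain.de' and 'publicdomain.de.evil.example' are both
    rejected for the suffix 'publicdomain.de'.
    """
    n, s = _normalize(name), _normalize(suffix)
    return n == s or n.endswith("." + s)


def cert_accepted(cert: ProvisioningCert, pki_dns_suffix: str) -> Tuple[bool, str]:
    """Would AMT trust this certificate for the configured PKI DNS suffix?"""
    suffix = _normalize(pki_dns_suffix)
    if suffix.count(".") + 1 < MIN_SUFFIX_LABELS:
        return False, f"suffix '{suffix}' is too shallow"
    if AMT_PROVISIONING_OID not in cert.eku_oids:
        return False, "certificate lacks the AMT provisioning OID"
    for name in [cert.common_name, *cert.sans]:
        if name_under_suffix(name, suffix):
            return True, f"'{name}' is under suffix '{suffix}'"
    return False, "no CN/SAN is under the configured suffix"


def can_provision(cert: ProvisioningCert, pki_dns_suffix: str,
                  endpoint_fqdn: Optional[str]) -> Tuple[bool, str]:
    """Both pieces are needed: an accepted cert AND a separately configured endpoint.

    The suffix never yields the server address; endpoint_fqdn models the
    value set through the agent, policy or MEBx.
    """
    ok, reason = cert_accepted(cert, pki_dns_suffix)
    if not ok:
        return False, reason
    if not endpoint_fqdn:
        return False, "no endpoint address configured; suffix alone gives none"
    return True, f"cert accepted, connecting to {endpoint_fqdn}"
```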


pujeeth
Employee
4,029 Views

Hello ThomasB84,


This is the first follow-up regarding the issue you reported to us.

We wanted to inquire whether you had the opportunity to review the information we provided.


Feel free to reply to this email, and we'll be more than happy to assist you further.


Regards,

Pujeeth

Intel Customer Support Technician


pujeeth
Employee
3,846 Views

Hello ThomasB84,


We are following up on this case. If further assistance is necessary, please do not hesitate to reply.

 

Regards,

Pujeeth

Intel Customer Support Technician

