Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Issues with Certificate Provisioning for AMT

jmjoyner-atacpatech

The MSP that I work for is deploying AMT and EMA for a client as we rebuild their environment following a disaster. Currently, I have been able to get EMA working and Host Based Provisioning of AMT working well enough. However, we want to give their IT staff the ability to remotely access workstations without the need for user approval as well as low-level access to the system should Windows not load. From what I understand, this means Certificate Provisioning is needed. I have added DHCP option 15 to match the FQDN of the GoDaddy Wildcard Deluxe certificate we have for them. The cert was requested with GoDaddy's "This certificate is for Intel vPro" option and imports into the EMA without any issue.

Regardless, after a day AMT status from the EMA server for the test system still shows: 

The logs show the following lines, confirming that the provisioning process is falling back to HBP mode:
Message:-- Attempting phase 1 PKI provisioning : (SSMS-Ppo9axfVQx,9264685F).
Get Mesh information (Tenant) : (SSMS-Ppo9axfVQx,9264685F).
Message:Starting PKI Setup process for endpoint: (SSMS-Ppo9axfVQx,9264685F) ComputerName: SSMS-Ppo9axfVQx.
Message:Setup computer name SSMS-Ppo9axfVQx. : (SSMS-Ppo9axfVQx,9264685F).
Message:Sending Agent Stop Remote Configuration Message : (SSMS-Ppo9axfVQx,9264685F).
Message:Connecting to Swarm Server : (SSMS-Ppo9axfVQx,9264685F).
Warning:Received stop remote configuration status from: 9264685F, status: INVALID_PT_MODE (3)
Message:Requesting ME administrator account : (SSMS-Ppo9axfVQx,9264685F).
Message:Disconnecting Swarm Server : (SSMS-Ppo9axfVQx,9264685F).
Message:Attempting host based provisioning : (SSMS-Ppo9axfVQx,9264685F).
 
Any assistance would be appreciated.
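An added example, not code from the original post or from Intel EMA: a small Python parser over a constructed log sample in the same line format as the excerpt quoted above. It flags endpoints whose PKI attempt ended in the host-based-provisioning fallback (the path that leaves a system in Client Control Mode), so those machines can be picked out for re-provisioning. The second endpoint, its name and its UUID are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample: the first endpoint mirrors the quoted excerpt (PKI attempt,
# INVALID_PT_MODE stop status, fallback to host based provisioning); the second
# is an invented endpoint whose PKI attempt shows no fallback.
SAMPLE_LOG = """\
Message:-- Attempting phase 1 PKI provisioning : (SSMS-Ppo9axfVQx,9264685F).
Message:Starting PKI Setup process for endpoint: (SSMS-Ppo9axfVQx,9264685F) ComputerName: SSMS-Ppo9axfVQx.
Message:Connecting to Swarm Server : (SSMS-Ppo9axfVQx,9264685F).
Warning:Received stop remote configuration status from: 9264685F, status: INVALID_PT_MODE (3)
Message:Disconnecting Swarm Server : (SSMS-Ppo9axfVQx,9264685F).
Message:Attempting host based provisioning : (SSMS-Ppo9axfVQx,9264685F).
Message:-- Attempting phase 1 PKI provisioning : (WIRED-01,0000AAAA).
Message:Starting PKI Setup process for endpoint: (WIRED-01,0000AAAA) ComputerName: WIRED-01.
"""

# "(ComputerName,UUID)" tuple that the agent appends to most messages.
ENDPOINT_RE = re.compile(r"\((?P<name>[^,()]+),(?P<uuid>[0-9A-Fa-f]+)\)")
# Stop-remote-configuration status line, which carries only the UUID.
STOP_STATUS_RE = re.compile(
    r"status from: (?P<uuid>[0-9A-Fa-f]+), status: (?P<status>[A-Z_]+) \((?P<code>\d+)\)"
)


@dataclass
class EndpointResult:
    name: str = ""
    pki_attempted: bool = False
    stop_status: str = ""      # e.g. INVALID_PT_MODE
    hbp_fallback: bool = False

    @property
    def outcome(self) -> str:
        if self.hbp_fallback:
            return "HBP fallback (expect Client Control Mode)"
        return "PKI attempted, no fallback seen" if self.pki_attempted else "no activity"


def classify(log_text: str) -> dict:
    """Return {uuid: EndpointResult} built from EMA agent log lines."""
    results = {}
    for line in log_text.splitlines():
        m = STOP_STATUS_RE.search(line)
        if m:
            results.setdefault(m["uuid"], EndpointResult()).stop_status = m["status"]
            continue
        m = ENDPOINT_RE.search(line)
        if not m:
            continue
        ep = results.setdefault(m["uuid"], EndpointResult(name=m["name"]))
        ep.name = ep.name or m["name"]
        if "PKI provisioning" in line:
            ep.pki_attempted = True
        elif "host based provisioning" in line:
            ep.hbp_fallback = True
    return results


def needs_reprovision(results: dict) -> list:
    """UUIDs that fell back to HBP and so will need ACM provisioning again."""
    return sorted(uuid for uuid, ep in results.items() if ep.hbp_fallback)
```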
JoseH_Intel
Moderator

Hello jmjoyner-atacpatech,


Thank you for joining the Intel community


As you correctly state, in order to avoid the user consent prompt during a remote connection you will need to provision the systems in Admin Control Mode, meaning certificate provisioning. Are you trying to redeploy systems that have already been provisioned? I would suggest un-provisioning the systems that are currently in Client Control Mode and reattempting to provision them in Admin Control Mode using the PKI certificate.


I will look forward to your reply


Regards


Jose A.

Intel Customer Support Technician

For firmware updates and troubleshooting tips, visit:

https://intel.com/support/serverbios


jmjoyner-atacpatech

My team did initially try to simply upgrade the configuration by running the EMAAgent.exe installer with the XML of a new endpoint profile after we had imported the SSL cert. When this did not work, we tested unprovisioning and completely uninstalling the agent using the EMAAgent.exe installer. The same result occurred. We have uncovered more information since I posted. We were able to test with a computer that was wired into the network, whereas the first test system was running wirelessly. The wired systems all completed the provisioning process. This seems odd since the wireless is just a bridge.

If we must have their devices on the wired network to complete the provisioning process, then we can do that. The new issue is that the Intel AMT tab of the EMA page for a provisioned device is showing "Loading..." indefinitely.

JoseH_Intel
Moderator

Hello jmjoyner-atacpatech,


Whenever you provision a wireless system it will be set into Client Control Mode, even if you use the certificate. Then you need to apply one extra step to set them to Admin Control Mode. You can look for details here: https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf#page=14


If you want to avoid this extra step you can connect the wireless systems to the wired LAN and run the provisioning process using PKI, so they will be set in ACM.


This "Loading..." forever issue happens whenever the systems are not reachable for any reason. You can try using MeshCommander for testing purposes: https://www.meshcommander.com/


Regards


Jose A.

Intel Customer Support Technician



jmjoyner-atacpatech

Hello, Jose.

 

That does shed a lot of light on the issue. Thank you for the information. I'll take a look over the linked PDF to see what is needed and then gauge it against the labor involved in just provisioning via wired network instead. They only have about a half dozen or so laptops. So, it might not be worth the difficulty in trying to teach their in-house staff how to do wireless provisioning.

And thanks for the suggestion on meshcommander, considering it is a little out of scope of the original thread topic. I'll give that a look as well.

jmjoyner-atacpatech

One last question at this time, we are pushing the EMA Agent out via a Windows domain GPO that runs a boot-time script to run the EMAAgent.exe installer with the FullInstall parameter from a network share. This being a boot-time script, naturally, the bat file will run each time the system boots up and the installer will launch again with that parameter. If a device is a laptop that sometimes operates wirelessly but receives the install on a wired connection, the next time the system boots up, if wirelessly, will the installer running again cause this Client Control Mode issue to reappear on the system?

 

I guess what I'm trying to ask is, for a system with a fully provisioned record, will re-running the installer with the FullInstall parameter completely redo the provisioning process as well, or will the existing record on the server of the provisioning status of the device or the old provisioning configuration on the device itself cause the install to skip over the provisioning process since it wouldn't be changed by subsequent installs? Basically, I'm concerned that laptops will bounce between Admin and Client Control Modes depending on whether the device is wired or not at the time of boot.

JoseH_Intel
Moderator

Hello jmjoyner-atacpatech,


It is good to hear that you are getting some progress. About your last question: it is not recommended to keep running the EMA agent full install on every system boot, as it will try to continuously reprovision the system over and over again. It will rewrite the MEBx firmware, possibly shortening its lifespan. Besides that, it is not a common practice. We know of companies that run an installation (provisioning) script only once during initial configuration and do not run it again unless it is necessary to reprovision the system for any reason.


Regards


Jose A.

Intel Customer Support Technician


jmjoyner-atacpatech

That's pretty much what I was expecting. Thank you for your help, Jose. I think we've done as much as we can on this topic.

 

For anyone who finds this thread and is experiencing the same issues: if you have a small number of wireless clients that need Admin Control Mode AMT provisioning through Intel EMA, connecting the device to a wired network for the provisioning step looks to be the way to go. For larger numbers of wireless clients, the solution on page 14 of the PDF linked above is your solution. As for testing Intel AMT stuck in "Loading..." issues, MeshCommander was able to confirm that remote KVM is working on the system, and after proper provisioning and testing via MeshCommander (which looks to be a pretty good alternative to the Intel AMT tab in EMA), the Intel AMT tab information did populate.

JoseH_Intel
Moderator

Hello jmjoyner-atacpatech,


I am glad to hear that you were able to get the appropriate support. We will proceed to mark this thread as resolved. If you have further issues or questions just go ahead and submit a new topic.


Regards


Jose A.

Intel Customer Support Technician

