Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2878 Discussions

Possible bug with EMA when using 'Unprovision-IntelAMTOnIntelEMAEndpoints.ps1' and random passwords

neilbrin
New Contributor I
1,945 Views

Hi Intel,

 

I have a possible bug to report for the Intel EMA product. On our Intel EMA platform. When we rebuild a terminal we need to automate the un-provisioning of the Intel AMT, so it can go through the process of the Intel AMT automatically re-provisioned for the new endpoint record. What we have noticed is that the Intel provided script fails on terminals where the AMT admin password is randomly set with a password where it's very first character is a slash '/'

We receive an Error 400 'Bad Request' and can't complete the un-provisioning process, so we have a physical terminal with two endpoint records, one in an unconnected state but with CIRA connected and one in a Connected state but with CIRA not connected.

We have now seen this approximately 3 times in the environment and the only way we can get around this is to totally unconfigure AMT via the BIOS and then have it automatically re-provision.

Intel EMA version: 1.10.1.0
Endpoints configuration; Terminals configured in ACM mode, CIRA with PKI
No. of terminals: 160 (currently) but will have in excess of 8500 when fully rolled out

0 Kudos
8 Replies
MIGUEL_C_Intel
Moderator
1,921 Views

Hello, neilbrin,


Thank you for bringing this to our attention.


The unprovision process suggests to unprovision EMA from the endpoints before doing the new EMA provisioning with the new OS image.  In addition, it is necessary to stop managing the endpoints from the EMA server; these steps prevent duplicate endpoints.


I am sending an article; that describes the process of How to Complete a Remote OS Re-imaging While Using the Intel® Endpoint Management Assistant (Intel® EMA).

https://www.intel.com/content/www/us/en/support/articles/000060040/software/manageability-products.html


It will give you an idea of how to create the script.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
neilbrin
New Contributor I
1,887 Views

Thanks Miguel for your quick response.

We have already created an unprovisioning process that has been working across our fleet for the last 6 months. The unprovisioning process is based around the Intel provided script 'Unprovision-IntelAMTOnIntelEMAEndpoint.ps1' 

We have a lot of test endpoints and due to this we complete anywhere from 10-40 rebuilds of terminals/endpoints every week. However, every now and again an endpoint fails this process and in every one of these errors (this has occurred 4 times so far), it's due to the random password that was set on the Intel AMT it was set with a password that starts with a slash '/'. If in the Intel labs someone could somehow run this script constantly against systems that have been rebuilt, then I'm sure you'll come across this issue.

Regards,
Neil...




0 Kudos
MIGUEL_C_Intel
Moderator
1,872 Views

Hello, neilbrin,


Do you mind sending the Platform Manager and EMA server logs for further investigation?  For security reasons; I am sending an email, please reply to it with the logs.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
MIGUEL_C_Intel
Moderator
1,755 Views

Hello, Neilbrin,


I hope this post finds you well.


The engineering team is attempting to replicate if it is an issue with the API sample script or with the AMT version.  We will keep you posted.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
MIGUEL_C_Intel
Moderator
1,654 Views

Hello, Neilbrin,

 

We are still working on the issue. Please allow us more time.

 

Regards,
Miguel C.
Intel Customer Support Technician

0 Kudos
neilbrin
New Contributor I
1,644 Views

No problems Miguel.

At this satge out of the 160 Endpoints that we manage only 1 x endpoint has this issue at the moment, so we will NOT rememdiate this endpoint by clearing it's AMT config using the BIOS method, as we can then validate later if a bug is found and patch released that it has resolved the issue

 

Regards,
Neil...

0 Kudos
MIGUEL_C_Intel
Moderator
1,636 Views

Hello, Neilbrin,


Thank you for your quick response.


Please perform the tests below; it will help us understand if it is an EMA API or AMT issue.


Unprovision the endpoint from the EMA WebUI, select the endpoint, click actions, and select stop managing.

Another option is to unprovision the machine with Intel® EMA Configuration Tool.


Intel® EMA Configuration Tool (ECT)

https://www.intel.com/content/www/us/en/download/19805/30485/intel-endpoint-management-assistant-configuration-tool-intel-ema-configuration-tool.html


Installation:

Download and unzip the tool.

Double-click the .msi file and follow the prompts.

 

a-Open a command prompt (alternatively, you can run the tool from within Windows PowerShell*) as administrator.

b-Navigate to the installation folder (default C:\Program Files (x86)\Intel\EMAConfigTool).


Run:

1- Admin Mode: EMAConfigTool.exe --unconfigure --password <AMT admin password>

2- Client Mode: EMAConfigTool.exe –unconfigure


We look forward to your outcome.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
MIGUEL_C_Intel
Moderator
1,542 Views

Hello, Neilbrin,


I followed up with the developer team and they said that they are going to work on this bug, due to being a random password issue, it will take some additional time to fix it.


The workaround is using ECT for unprovisioning the machines. We appreciate your interest in the product and alerting us about the bug.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
Reply