Provision AMT computers using SCS or EMA remotely into admin control mode using own certificate.

MarcinW · ‎01-28-2021

Hello.

I would like to provision computers in my company. Most of them have non configured AMT (ME).

I installed Intel EMA and Intel SCS . I have my own root CA (standalone) . How should I configure everything to remotely provision all computers? I read a lot of posts but I can't find solution.

I created profile and install EMA agent on one host. I created Endpoint group and I can connect to the host . When I click "Provision Intel AMT" I get new window but I can only use HBP (host based provisioning). I would like to provision into admin control mode to use all features.

In attachements there are screens from EMA.

Would you help me with the process? how to create certificate and how to configure everything.

Asoka_CP · ‎01-28-2021

For ACM provisioning you need to buy an Intel AMT type certificate from an authorized CA (like Entrust, GoDaddy). Then upload it to your Tenant in EMA (Settings) marking it as a PKI cert.

Once the cert is uploaded, then you will get the ACM provisioning option (PKI) displayed.

I recommend you to refer to the documentation provided with the EMA installation package, searching for the word "PKI". You'll find information about how to identify the cert required for AMT and all the steps to use it in EMA.

JoseH_Intel · ‎01-28-2021

Hello MarcinW,

Thank you for joining the Intel community

When using SCS you can use your own certificates by following the steps described in the Inte SCS User Guide Section 10.5 https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf#page=220...

Just take into consideration that you will need to physically insert your certificate root in every single system MEBx so it will be available during the remote configuration stage. Thus it looses its whole purpose

About EMA you can use PKI certificates also but I am not familiar about if you can use your own CA. You can follow the steps shown here: https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-...

I will look forward for your comments

Regards

Jose A.

Intel Customer Support Technician

MarcinW · ‎01-29-2021

I tried as you said with SCS remote configuration. But if I have certificate the only way to send it to the computer is to enter into the MEBX by Ctrl+P. So I have to touch each computer. Is this possible to do this using pendrive but without configure each PC? In older version of AMT was possible to use pendrive (I never tried) . I am not sure if I use pendrive with own certificate , can I use later SCS or EMA???

I have one computer which I configured using MEBX (ctrl +P ) but right now when I want to use EMA I get info that endpoint is provisioned by another tool (look at attachement)

JoseH_Intel · ‎02-01-2021

Hello MarcinW,

Let me research a bit on this error you are getting in EMA. I will let you know as soon as I have some updated info.

Regards

Jose A.

Intel Customer Support Technician

MarcinW · ‎02-08-2021

Ok. I am waiting for you reply.

One more question. Do I need an Enterprise Root CA or can I use standalone Root CA? In standalone I don't have option -"Certificiate Templates" .

JoseH_Intel · ‎02-09-2021

Hello MarcinW,

Yes, the CU can use your own cert, but you will have to manually load it into MEBX. You will not be able to remotely provision, meaning it won't be a hands free operation. Did you attempt to configure the system with SCS or another utility prior to using EMA? If so can you unconfigure it so can start using EMA to perform the operation?

About the certificate types Intel SCS supports the Standalone and Enterprise versions of Microsoft CA. An Enterprise CA can be configured only in conjunction with Active Directory. A Standalone CA can operate with or without Active Directory. (If Active Directory is not present, there can be only one RCS instance and the Standalone CA must be installed on the same server as the RCS.) The Microsoft CA can have a hierarchy of CAs, with subordinate CAs and a root CA.

For more details you can check here: https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf#page=199

Regards

Jose A.

Intel Customer Support Technician

MarcinW · ‎02-10-2021

hello

On this computer where I get Error in EMA I didn't do anything with MEBX and vpro. it has factory settings from dell.

I tried using SCS (installing on server and I tried with different PC computer) but I don't know how can I provision using my own cert . on the page 215 of this SCS user guide which you gave me a link . There is a procedure but in points

15 and 16 - in certificate authority choose certificate templates. I don't have this option because I have standalone ROOT CA not enterprise . So I don't know how can I do this .

If I were able to generate a certificate, I would upload it to MEBX using (Dell Command | Intel vPro Out of Band - this tool has possibiilty to upload own cert to the MEBX - I hope :)). If there is no possibility to do everything hands free I can use this dell software or another method with a pendrive. Of course the best would be to do whole process from server (EMA, SCS ) or SCCM.

JoseH_Intel · ‎02-14-2021

Hello MarcinW,

We understand you want to remote provision using your own certificate, but this is not possible. You must input it manually in MEBX or import it with a USB (Currently only supported in older versions of SCS). The next release of SCS may also support it, but at that point it may be better for you to consider EMA. Been said that consider the host CA is necessary for SCS provisioning while the TLS certificate is necessary for EMA. This can be confusing at time, but it is important to keep them separate.

I will look forward to your updates

Regards

Jose A.

Intel Customer Support Technician

JoseH_Intel · ‎02-18-2021

Hello MarcinW,

I am just following up to double-check if you found the provided information useful. If you have further questions please don't hesitate to ask. If you consider the issue to be completed please let us know so we can proceed to mark this thread as closed. I will try to reach you by a very last time on next Monday 22nd.

Regards

Jose A.

Intel Customer Support Technician

MarcinW · ‎02-18-2021

hello JoseH.

I still have a problem how to generate certificate template. I have standalone root CA and don't have Certificate tempate - option. How the whole process should look like? how to generate own certificate and how to put into MEBX using EMA.

JoseH_Intel · ‎03-04-2021

Hello MarcinW,

Please find the following Standalone CA setup directions below...

[Standalone CA Setup]

Server Manager
Add roles and features
Next
Select Role-based or feature-based installation
Next > Next
Select ADCS
Next > Next > Next > Install
Select Finish when the install has completed
Click the Yellow Bang on the top banner of the Server Manager
Select Configure Active Directory Certificate Services on the destination server
Modify the credentials if needed and click Next
Select Certification Authority > Next
Select the Standalone CA radio button and click Next
Select the Root CA radio button
Select Create a new private key
1. Select the cryptographic provider (Default is: RSA#Microsoft Software Key Storage Provider)Key length should be 2048
2. Select SHA256 as the hash algorithm
Next
Modify Common name if desired > Next
Modify validity period to desired length > Next
Next > Configure > Close
[Back on the Server Manager page] Click Tools > Certificate Authority
Verify the CA is running

[SCS Profile - TLS Section]

In the Certificate Authority drop down list manually enter the domain\name of the Standalone CA FQDNofCA\NameofCAThe name of the CA is shown on the Certificate Authority snap-in from step 21 of the Standalone CA Setup
Select the Stand-alone CA radio button

Finish the rest of the profile…

Let me know if you have further questions

Regards

Jose A.

Intel Customer Support Technician