Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Provision AMT computers using SCS or EMA remotely into admin control mode using own certificate.

MarcinW
Beginner
5,365 Views

Hello. 

I would like to provision computers in my company. Most of them have non-configured AMT (ME).

I installed Intel EMA and Intel SCS. I have my own root CA (standalone). How should I configure everything to remotely provision all computers? I read a lot of posts but I can't find a solution.

I created a profile and installed the EMA agent on one host. I created an Endpoint group and I can connect to the host. When I click "Provision Intel AMT" I get a new window but I can only use HBP (host based provisioning). I would like to provision into admin control mode to use all features.

In the attachments there are screens from EMA.

Would you help me with the process? How to create the certificate and how to configure everything.

16 Replies
Asoka_CP
Beginner
5,352 Views

For ACM provisioning you need to buy an Intel AMT type certificate from an authorized CA (like Entrust, GoDaddy). Then upload it to your Tenant in EMA (Settings) marking it as a PKI cert.

Once the cert is uploaded, then you will get the ACM provisioning option (PKI) displayed.

I recommend you to refer to the documentation provided with the EMA installation package, searching for the word "PKI". You'll find information about how to identify the cert required for AMT and all the steps to use it in EMA.

JoseH_Intel
Moderator
5,346 Views

Hello MarcinW,


Thank you for joining the Intel community


When using SCS you can use your own certificates by following the steps described in the Intel SCS User Guide, Section 10.5: https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf#page=220


Just take into consideration that you will need to physically insert your certificate root in every single system MEBx so it will be available during the remote configuration stage. Thus it loses its whole purpose.


About EMA, you can use PKI certificates also, but I am not familiar with whether you can use your own CA. You can follow the steps shown here: https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-admin-and-usage-guide.pdf#page=22


I will look forward to your comments


Regards


Jose A.

Intel Customer Support Technician


MarcinW
Beginner
5,340 Views

I tried as you said with SCS remote configuration. But if I have a certificate, the only way to send it to the computer is to enter the MEBX with Ctrl+P. So I have to touch each computer. Is it possible to do this using a pendrive but without configuring each PC? In older versions of AMT it was possible to use a pendrive (I never tried). I am not sure: if I use a pendrive with my own certificate, can I later use SCS or EMA?

I have one computer which I configured using MEBX (Ctrl+P), but right now when I want to use EMA I get info that the endpoint is provisioned by another tool (look at the attachment).

JoseH_Intel
Moderator
5,316 Views

Hello MarcinW,


Let me research a bit on this error you are getting in EMA. I will let you know as soon as I have some updated info.


Regards


Jose A.

Intel Customer Support Technician


MarcinW
Beginner
5,267 Views

Ok. I am waiting for your reply.

One more question. Do I need an Enterprise Root CA or can I use a standalone Root CA? In standalone I don't have the option "Certificate Templates".

JoseH_Intel
Moderator
5,258 Views

Hello MarcinW,


Yes, the CU can use your own cert, but you will have to manually load it into MEBX. You will not be able to remotely provision, meaning it won't be a hands free operation. Did you attempt to configure the system with SCS or another utility prior to using EMA? If so, can you unconfigure it so you can start using EMA to perform the operation?


About the certificate types, Intel SCS supports the Standalone and Enterprise versions of Microsoft CA. An Enterprise CA can be configured only in conjunction with Active Directory. A Standalone CA can operate with or without Active Directory. (If Active Directory is not present, there can be only one RCS instance and the Standalone CA must be installed on the same server as the RCS.) The Microsoft CA can have a hierarchy of CAs, with subordinate CAs and a root CA.


For more details you can check here: https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf#page=199


Regards


Jose A.

Intel Customer Support Technician


MarcinW
Beginner
5,248 Views

Hello,

On this computer where I get the error in EMA I didn't do anything with MEBX and vPro. It has factory settings from Dell.

I tried using SCS (installing on a server, and I tried with a different PC) but I don't know how I can provision using my own cert. On page 215 of the SCS user guide which you gave me a link to, there is a procedure, but in points 15 and 16 it says: in Certificate Authority choose Certificate Templates. I don't have this option because I have a standalone root CA, not enterprise. So I don't know how I can do this.

If I were able to generate a certificate, I would upload it to MEBX using Dell Command | Intel vPro Out of Band (this tool has the possibility to upload your own cert to the MEBX, I hope :)). If there is no possibility to do everything hands free I can use this Dell software or another method with a pendrive. Of course the best would be to do the whole process from a server (EMA, SCS) or SCCM.

JoseH_Intel
Moderator
5,201 Views

Hello MarcinW,


We understand you want to remote provision using your own certificate, but this is not possible. You must input it manually in MEBX or import it with a USB (currently only supported in older versions of SCS). The next release of SCS may also support it, but at that point it may be better for you to consider EMA. That being said, consider that the host CA is necessary for SCS provisioning while the TLS certificate is necessary for EMA. This can be confusing at times, but it is important to keep them separate.


I will look forward to your updates


Regards


Jose A.

Intel Customer Support Technician


MarcinW
Beginner
5,020 Views

Hello JoseH.

I still have a problem with how to generate the certificate template. I have a standalone root CA and don't have the Certificate Template option. What should the whole process look like? How to generate my own certificate and how to put it into MEBX using EMA.

JoseH_Intel
Moderator
5,025 Views

Hello MarcinW,


I am just following up to double-check if you found the provided information useful. If you have further questions please don't hesitate to ask. If you consider the issue to be completed please let us know so we can proceed to mark this thread as closed. I will try to reach you one last time next Monday the 22nd.


Regards


Jose A.

Intel Customer Support Technician


JoseH_Intel
Moderator
4,865 Views

Hello MarcinW,


Please find the following Standalone CA setup directions below...


[Standalone CA Setup]

  1. Server Manager
  2. Add roles and features
  3. Next
  4. Select Role-based or feature-based installation
  5. Next > Next
  6. Select ADCS
  7. Next > Next > Next > Install
  8. Select Finish when the install has completed
  9. Click the Yellow Bang on the top banner of the Server Manager
  10. Select Configure Active Directory Certificate Services on the destination server
  11. Modify the credentials if needed and click Next
  12. Select Certification Authority > Next
  13. Select the Standalone CA radio button and click Next
  14. Select the Root CA radio button
  15. Select Create a new private key
    1. Select the cryptographic provider (Default is: RSA#Microsoft Software Key Storage Provider). Key length should be 2048
    2. Select SHA256 as the hash algorithm
  16. Next
  17. Modify Common name if desired > Next
  18. Modify validity period to desired length > Next
  19. Next > Configure > Close
  20. [Back on the Server Manager page] Click Tools > Certificate Authority
  21. Verify the CA is running


[SCS Profile - TLS Section]

  1. In the Certificate Authority drop down list manually enter the domain\name of the Standalone CA: FQDNofCA\NameofCA. The name of the CA is shown on the Certificate Authority snap-in from step 21 of the Standalone CA Setup
  2. Select the Stand-alone CA radio button


Finish the rest of the profile…


Let me know if you have further questions


Regards


Jose A.

Intel Customer Support Technician


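The [Standalone CA Setup] steps in the post above can also be scripted. The following is an added example, not part of the original post and not Intel's own tooling; the CA common name and the validity period are assumed placeholder values, and it is meant to be run in an elevated PowerShell session on the Windows Server that will host the CA.

```powershell
# Added example: scripted equivalent of the [Standalone CA Setup] GUI steps.
# Assumptions (not from the thread): the CA common name and validity period.
$CaCommonName  = 'Example-AMT-Root-CA'   # hypothetical name
$ValidityYears = 10                      # hypothetical; pick your own length

# Steps 1-8: add the AD CS role with the Certification Authority role service.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Steps 9-19: configure a standalone root CA with a new private key,
# using the provider, key length and hash named in step 15.
$caParams = @{
    CAType              = 'StandaloneRootCA'
    CACommonName        = $CaCommonName
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 2048
    HashAlgorithmName   = 'SHA256'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = $ValidityYears
    Force               = $true
}
Install-AdcsCertificationAuthority @caParams

# Steps 20-21: verify the CA service is running.
$svc = Get-Service -Name CertSvc
if ($svc.Status -ne 'Running') {
    throw "CertSvc is $($svc.Status); the CA is not running."
}

# Build the FQDNofCA\NameofCA string that the SCS profile TLS section asks for,
# from the values the CA service recorded in its own configuration.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot).Active
$caHost  = (Get-ItemProperty -Path (Join-Path $cfgRoot $caName)).CAServerName
$scsCaString = '{0}\{1}' -f $caHost, $caName
Write-Output "SCS profile CA entry: $scsCaString"

# Confirm the CA certificate really has the intended key size and hash.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CaCommonName*" } |
    Select-Object Subject, NotAfter,
        @{ n = 'KeySize';   e = { $_.PublicKey.Key.KeySize } },
        @{ n = 'Signature'; e = { $_.SignatureAlgorithm.FriendlyName } }
```

The last command should report a 2048-bit key and a SHA-256 based signature algorithm; a different result means the CA was created with other settings than those in step 15.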
JoseH_Intel
Moderator
4,665 Views

Hello MarcinW,


I am just following up to double-check if you found the provided information useful. If you have further questions please don't hesitate to ask. If you consider the issue to be completed please let us know so we can proceed to mark this thread as closed. I will try to reach you one last time next Thursday the 11th. After that we will mark the thread as closed.


Regards


Jose A.

Intel Customer Support Technician


MarcinW
Beginner
4,603 Views

Hello. Unfortunately I didn't have time to verify this. I will try it next week. If it is possible, please don't close the thread and wait a few more days.

JoseH_Intel
Moderator
4,599 Views

Hello MarcinW,


Don't worry, we will keep the thread active and waiting for your updates.


Regards


Jose A.

Intel Customer Support Technician


JoseH_Intel
Moderator
4,535 Views

Hello MarcinW,


Just following up to check if you have any updates or were able to try something new.

We will keep the thread open until next week.


Regards


Jose A.

Intel Customer Support Technician


JoseH_Intel
Moderator
4,491 Views

Hello MarcinW,


I think we will need to mark this thread as closed. If you have further issues or questions just go ahead and submit a new topic.


Regards


Jose A.

Intel Customer Support Technician

