- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello.
I would like to provision computers in my company. Most of them have non configured AMT (ME).
I installed Intel EMA and Intel SCS . I have my own root CA (standalone) . How should I configure everything to remotely provision all computers? I read a lot of posts but I can't find solution.
I created profile and install EMA agent on one host. I created Endpoint group and I can connect to the host . When I click "Provision Intel AMT" I get new window but I can only use HBP (host based provisioning). I would like to provision into admin control mode to use all features.
In attachements there are screens from EMA.
Would you help me with the process? how to create certificate and how to configure everything.
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For ACM provisioning you need to buy an Intel AMT type certificate from an authorized CA (like Entrust, GoDaddy). Then upload it to your Tenant in EMA (Settings) marking it as a PKI cert.
Once the cert is uploaded, then you will get the ACM provisioning option (PKI) displayed.
I recommend you to refer to the documentation provided with the EMA installation package, searching for the word "PKI". You'll find information about how to identify the cert required for AMT and all the steps to use it in EMA.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello MarcinW,
Thank you for joining the Intel community
When using SCS you can use your own certificates by following the steps described in the Inte SCS User Guide Section 10.5 https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf#page=220
Just take into consideration that you will need to physically insert your certificate root in every single system MEBx so it will be available during the remote configuration stage. Thus it looses its whole purpose
About EMA you can use PKI certificates also but I am not familiar about if you can use your own CA. You can follow the steps shown here: https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-admin-and-usage-guide.pdf#page=22
I will look forward for your comments
Regards
Jose A.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried as you said with SCS remote configuration. But if I have certificate the only way to send it to the computer is to enter into the MEBX by Ctrl+P. So I have to touch each computer. Is this possible to do this using pendrive but without configure each PC? In older version of AMT was possible to use pendrive (I never tried) . I am not sure if I use pendrive with own certificate , can I use later SCS or EMA???
I have one computer which I configured using MEBX (ctrl +P ) but right now when I want to use EMA I get info that endpoint is provisioned by another tool (look at attachement)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello MarcinW,
Let me research a bit on this error you are getting in EMA. I will let you know as soon as I have some updated info.
Regards
Jose A.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok. I am waiting for you reply.
One more question. Do I need an Enterprise Root CA or can I use standalone Root CA? In standalone I don't have option -"Certificiate Templates" .
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello MarcinW,
Yes, the CU can use your own cert, but you will have to manually load it into MEBX. You will not be able to remotely provision, meaning it won't be a hands free operation. Did you attempt to configure the system with SCS or another utility prior to using EMA? If so can you unconfigure it so can start using EMA to perform the operation?
About the certificate types Intel SCS supports the Standalone and Enterprise versions of Microsoft CA. An Enterprise CA can be configured only in conjunction with Active Directory. A Standalone CA can operate with or without Active Directory. (If Active Directory is not present, there can be only one RCS instance and the Standalone CA must be installed on the same server as the RCS.) The Microsoft CA can have a hierarchy of CAs, with subordinate CAs and a root CA.
For more details you can check here: https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf#page=199
Regards
Jose A.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello
On this computer where I get Error in EMA I didn't do anything with MEBX and vpro. it has factory settings from dell.
I tried using SCS (installing on server and I tried with different PC computer) but I don't know how can I provision using my own cert . on the page 215 of this SCS user guide which you gave me a link . There is a procedure but in points
15 and 16 - in certificate authority choose certificate templates. I don't have this option because I have standalone ROOT CA not enterprise
If I were able to generate a certificate, I would upload it to MEBX using (Dell Command | Intel vPro Out of Band - this tool has possibiilty to upload own cert to the MEBX - I hope :)). If there is no possibility to do everything hands free I can use this dell software or another method with a pendrive. Of course the best would be to do whole process from server (EMA, SCS ) or SCCM.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello MarcinW,
We understand you want to remote provision using your own certificate, but this is not possible. You must input it manually in MEBX or import it with a USB (Currently only supported in older versions of SCS). The next release of SCS may also support it, but at that point it may be better for you to consider EMA. Been said that consider the host CA is necessary for SCS provisioning while the TLS certificate is necessary for EMA. This can be confusing at time, but it is important to keep them separate.
I will look forward to your updates
Regards
Jose A.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello JoseH.
I still have a problem how to generate certificate template. I have standalone root CA and don't have Certificate tempate - option. How the whole process should look like? how to generate own certificate and how to put into MEBX using EMA.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello MarcinW,
I am just following up to double-check if you found the provided information useful. If you have further questions please don't hesitate to ask. If you consider the issue to be completed please let us know so we can proceed to mark this thread as closed. I will try to reach you by a very last time on next Monday 22nd.
Regards
Jose A.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello MarcinW,
Please find the following Standalone CA setup directions below...
[Standalone CA Setup]
- Server Manager
- Add roles and features
- Next
- Select Role-based or feature-based installation
- Next > Next
- Select ADCS
- Next > Next > Next > Install
- Select Finish when the install has completed
- Click the Yellow Bang on the top banner of the Server Manager
- Select Configure Active Directory Certificate Services on the destination server
- Modify the credentials if needed and click Next
- Select Certification Authority > Next
- Select the Standalone CA radio button and click Next
- Select the Root CA radio button
- Select Create a new private key
- Select the cryptographic provider (Default is: RSA#Microsoft Software Key Storage Provider)Key length should be 2048
- Select SHA256 as the hash algorithm
- Next
- Modify Common name if desired > Next
- Modify validity period to desired length > Next
- Next > Configure > Close
- [Back on the Server Manager page] Click Tools > Certificate Authority
- Verify the CA is running
[SCS Profile - TLS Section]
- In the Certificate Authority drop down list manually enter the domain\name of the Standalone CA FQDNofCA\NameofCAThe name of the CA is shown on the Certificate Authority snap-in from step 21 of the Standalone CA Setup
- Select the Stand-alone CA radio button
Finish the rest of the profile…
Let me know if you have further questions
Regards
Jose A.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello MarcinW,
I am just following up to double-check if you found the provided information useful. If you have further questions please don't hesitate to ask. If you consider the issue to be completed please let us know so we can proceed to mark this thread as closed. I will try to reach you as a very last time on next Thursday 11th. After that we will mark the thread as closed
Regards
Jose A.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello Unfortunately I didn't have time to verify this. I will try it next week . If it is possible plaese don't close thread and wait a few more days .
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello MarcinW,
Don't worry, we will keep the thread active and waiting for your updates.
Regards
Jose A.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello MarcinW,
Just following up to check if you have any updates or were able to try something new.
We will keep the thread open until next week.
Regards
Jose A.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello MarcinW,
I think we will need to mark this thread as closed. If you have further issues or questions just go ahead and submit a new topic.
Regards
Jose A.
Intel Customer Support Technician

- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page