Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2908 Discussions

Provisioning Intel AMT in "Admin control mode" on new computers

TomW
Novice
1,771 Views

Hi,

 

I'm trying to establish whether Intel AMT CIRA can be provisioned before the OS is installed/configured. I know USB provisioning is still a thing for provisioning settings (and we'll probably use that to set DNS and FQDN information), but I get the impression it can't be used to actually register/initiate Intel AMT CIRA and have computers show in Intel EMA. Is that correct?

I want to make the process as straightforward and as consistent and reliable as possible for our team, and I feel if there's a way we can get machines configured and enrolled before putting computers and desks and setting up Windows, then that'd be the way to go.

Thanks

0 Kudos
7 Replies
Victor_G_Intel
Employee
1,738 Views

Hello TomW,


Thank you so much for contacting Intel customer support,


To answer your question, no Intel AMT CIRA can’t be provisioned before the OS is installed/configured.


Best regards,


Victor G.

Intel Technical Support Technician


0 Kudos
TomW
Novice
1,728 Views

Thanks for clarifying Victor.

So it would seem the standard deployment procedure would be something like:

  1. Deploy settings via USB provisioning if required (DNS suffix, FQDN, certificate information)
  2. Install/start/AutoPilot OS and deploy agent package via something like SCCM or Intune

This of course glosses over the server-side configuration, where you'd need to ensure:

  • Intel EMA is up and running and accessible over the internet 
  • An Intel vPro compatible Certificate is configured and installed on Intel EMA server
  • Create endpoint group in Intel EMS, configure as desired and create/output agent files

Let's see how I go with all of that.

0 Kudos
Victor_G_Intel
Employee
1,714 Views

Hello TomW,

 

Thank you for your response.

 

Don’t hesitate to let us know if you need anything else or if its okay for us to close this thread.

 

Best regards,

 

Victor G.

Intel Technical Support Technician

 

0 Kudos
Victor_G_Intel
Employee
1,653 Views

Hello  TomW,

 

Were you able to check the previous message we sent?  

 

Please let us know if you need further assistance or if we can close this thread.

 

Best regards,

 

Victor G.

Intel Technical Support Technician


0 Kudos
TomW
Novice
1,645 Views

Yep thanks Victor, will let you know if I need any more assistance.

0 Kudos
MIGUEL_C_Intel
Moderator
1,635 Views

Hello, TomW,


It was our pleasure to assist you. Do not hesitate to reply or create a new ticket if necessary.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
TomW
Novice
1,608 Views

I figured I'd re-use this thread for another related question. I'm about to order a certificate, but just wanted to confirm that the common name should be the FQDN of the Intel EMA server, rather than the DNS suffix/root domain.

For example, if my corporate domain is example.com and my server is intelema.example.com, does the common name of my certificate need to be intelema.example.com, or should it be example.com? I'm assuming intelema.example.com, but just wanted to check.

The documentation here says:


The Domain suffix in the leaf certificate must match the Domain suffix of the DNS entry associated with the host platform.

So I interpret that as, if the certificate is for intelema.example.com, then the "domain suffix" would be example.com, and so DHCP option 15 (or the DNS suffix manually configured in Intel AMT on the computer) must also be example.com.

Is my intepretation correct?

0 Kudos
Reply