Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Provisioning Record State: Pending Activation

SKubo
New Contributor I
9,336 Views

Hello,

 

I installed the EMA agent on a vPro PC, but Intel AMT provisioning is failing.

Currently, the EMA server hostname and the management console URL (FQDN) are set to different values, but in the Intel AMT automatic provisioning settings, the FQDN setting is specified as "Shared with host os". Do I need to change this setting to one of the following?

 

Are there any other possible reasons why provisioning may fail?


 


Regards,
Skubo

0 Kudos
41 Replies
Suneesh
Employee
3,066 Views

Dear Satoshi,


Greetings of the day!


After reviewing the details shared, here are the necessary steps to ensure proper configuration:


For LAN-less (Wireless) Endpoints:

  • It is essential to add the Certificate Domain into the MEBx BIOS of the endpoints (PKI DNS suffix).

For Wired Machines:

  • Configuration can be done either remotely or manually:
    a) Remote Configuration:
      • The Certificate Domain needs to match the domain of the DHCP option 15.
    b) Manual Configuration (or endpoints in a different domain):
      • We need to manually add the Certificate Domain in the MEBx BIOS.
    c) Scenario where the Certificate Domain (FQDN) does not match the domain of the DHCP option 15:
      • In this case, the Certificate Domain must be manually added to the MEBx BIOS.

Next Steps:

  • Please go to a wireless endpoint and click on "View." Share with us a screenshot showing the EMA connection status.
  • Also, click on the "Desktop" tab and let us know if you can establish the connection when clicking on "Connect."
  • Confirm whether the endpoint you are trying to connect to is powered on.
  • Check if the wireless card belongs to Intel.
  • If all the above matches, please share the following:
    • Manageability log from the server.
    • SSU logs from the wireless endpoint.
  • If the above conditions are met, please try to reprovision the device.
  • Additionally, could you share the Wi-Fi settings from the AMT profile?
  • Ensure that the endpoint is not connected via VPN.


Thank you for your cooperation.


Best Regards,

Suneesh


0 Kudos
Suneesh
Employee
3,030 Views

Hello Satoshi,


Thank you for contacting Intel.


This is the first follow-up regarding the issue you reported to us.

We wanted to inquire whether you had the opportunity to review the plan of action (POA) we provided.


Feel free to reply to this email, and we'll be more than happy to assist you further.


Regards,

Suneesh


0 Kudos
SKubo
New Contributor I
3,008 Views

Hello Suneesh,


Thank you for getting in touch.

For LAN-less (Wireless) Endpoints:

 ⇒ Understood

For Wired Machines:

 ⇒ The "Domain for DHCP Option 15" and the domain registered in MEBx are the same value. What do you think is the reason why it doesn't work properly if it is not registered in MEBx?

 

Regarding the items to check in the "Next Steps" section, we will check each one and reply, so we would appreciate your patience.


Best Regards,

Skubo

0 Kudos
Suneesh
Employee
2,979 Views

Hi Satoshi,


Hope you're having a great day.


Thank you for your response. We'll await further updates.


Best regards,

Suneesh


0 Kudos
vij1
Employee
2,958 Views

Hello Skubo,


Could you please confirm if the domain for DHCP Option 15 matches the certificate chain domain? Remote provisioning will work correctly if these values match, particularly for endpoints located within the same EMA server domain (LAN).


However, if the endpoints are outside of this domain, the certificate chain domain must be manually added to the MEBx BIOS on each endpoint.


Please let us know your current configuration so we can assist you further.


Thank you for your attention.


Best regards,

Vijay N


0 Kudos
SKubo
New Contributor I
2,898 Views

Hello Vijay N,

 

Sorry for the late reply.

 

Is it correct to understand that domain registration in MEBx is not necessary only if you belong to the same domain (Active Directory or Entra ID) as the domain of the certificate, and if you are using a wired LAN?
In addition, the current setting is that the endpoint does not belong to any domain.

 

Best Regards,
SKubo

0 Kudos
Suneesh
Employee
2,878 Views

Hello Satoshi,


Good day!


When should the EMA Certificate domain be added to the MEBx PKI DNS suffix field?


The certificate is required when provisioning and remotely accessing endpoints without user consent. If the domain in the company's DHCP Option 15 matches the EMA certificate domain (EMA FQDN domain), there's no need to manually add it to the MEBx for wired endpoints.


However, for wireless (LAN-less) endpoints, the domain must be manually added to the MEBx.


Best regards,

Suneesh



0 Kudos
SKubo
New Contributor I
2,871 Views

Hello Suneesh,

 

When should the EMA Certificate domain be added to the MEBx PKI DNS suffix field?

    => Automatic provisioning did not complete when the policy was distributed, so we registered the suffix in MEBx.
In this regard, the agent was already registered and the policy was distributed from the EMA server, so we registered the suffix in MEBx.
Does this answer your question?

 

The certificate is required when provisioning and remotely accessing endpoints without user consent. If the domain in the company's DHCP Option 15 matches the EMA certificate domain (EMA FQDN domain), there's no need to manually add it to the MEBx for wired endpoints.

  => When connected to a wired LAN, automatic provisioning could not be completed with just DHCP Option 15, but it was completed by manually registering in the MEBx the same suffix that was registered in DHCP Option 15. Therefore, I would like to confirm whether there are any other conditions.
In the answer I received from Vijay N, it said "within the same EMA server domain (LAN)," so I thought that a condition might be that it belongs to the same domain as the EMA server.

 

However, for wireless (LAN-less) endpoints, the domain must be manually added to the MEBx.

  => I am aware of this.

 

Best Regards,
SKubo

0 Kudos
vij1
Employee
2,844 Views

Hello Skubo,


I wanted to clarify the domain requirements for remote provisioning with Intel® EMA:


When the EMA instance domain matches the domain specified in the DHCP Option 15 of your company network, and the endpoints are within the same domain (LAN) as the EMA server, it is not necessary to manually add the EMA certificate domain in the MEBx BIOS.


Example:


DHCP Option 15: intel.com

EMA FQDN: ema.intel.com

Certificate Domain: intel.com

Since the endpoints are within the same LAN as the EMA server, remote provisioning is possible without additional configuration. This applies specifically to wired endpoints.


For wireless (LAN-less) endpoints, you will need to manually add the certificate domain in the MEBx BIOS.


If the endpoints are in a different domain (e.g., remote locations), the certificate domain must be added in the MEBx BIOS to enable remote provisioning.


Please review these details and let us know if you need further assistance or clarification.


Best regards,

Vijay N.



0 Kudos
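The conditions listed in the reply above, written as a pre-flight check over an endpoint inventory. This is an added example, not Intel or EMA code: the `Endpoint` record, the function names and the example.com values are constructed for illustration, and the certificate domain is assumed to be the EMA FQDN minus its host label, as in the thread's example.

```python
from dataclasses import dataclass
from typing import List, Optional

def norm(domain: Optional[str]) -> str:
    """Normalise a DNS name for comparison: trim, lower-case, drop the trailing dot."""
    return (domain or "").strip().rstrip(".").lower()

def fqdn_domain(fqdn: str) -> str:
    """Domain part of an FQDN (ema.example.com -> example.com), as in the thread's example."""
    return norm(fqdn).partition(".")[2]

@dataclass
class Endpoint:                          # hypothetical record, not an EMA data structure
    name: str
    link: str                            # "wired" or "wireless"
    dhcp_option15: Optional[str]         # domain handed out by DHCP, None if not set
    same_lan_as_ema: bool                # endpoint sits in the EMA server's domain (LAN)
    mebx_pki_suffix: Optional[str]       # PKI DNS suffix entered in MEBx, None if empty

def preflight(ep: Endpoint, cert_domain: str) -> List[str]:
    """Findings for one endpoint; an empty list means the thread's conditions are met."""
    cert, suffix = norm(cert_domain), norm(ep.mebx_pki_suffix)
    if ep.link == "wireless":
        reason = "wireless (LAN-less) endpoint"
    elif not ep.same_lan_as_ema:
        reason = "endpoint is outside the EMA server's domain (LAN)"
    elif norm(ep.dhcp_option15) != cert:
        reason = "DHCP option 15 does not match the certificate domain"
    else:
        reason = ""                      # wired, same LAN, option 15 matches: nothing to add
    findings = []
    if reason and not suffix:
        findings.append(f"set MEBx PKI DNS suffix to {cert}: {reason}")
    if suffix and suffix != cert:
        findings.append(f"MEBx PKI DNS suffix {suffix} != certificate domain {cert}")
    return findings

# Constructed inventory; names and domains are placeholders.
CERT_DOMAIN = fqdn_domain("ema.example.com")
INVENTORY = [
    Endpoint("pc-wired-ok", "wired", "Example.com.", True, None),
    Endpoint("pc-wired-remote", "wired", "example.com", False, None),
    Endpoint("pc-wifi", "wireless", None, False, "example.net"),
]

if __name__ == "__main__":
    for ep in INVENTORY:
        print(ep.name, preflight(ep, CERT_DOMAIN) or "ok")
```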
SKubo
New Contributor I
2,826 Views

Hello Vijay N,


I understand the conditions regarding the wired LAN. Of the conditions you listed, currently there are no endpoints on the same LAN as the EMA server, so I would like to check separately.

However, for the wireless LAN, although provisioning has been completed, I am still unable to connect to CIRA, so I would like to prioritize resolving that issue.

If I want to connect to CIRA when connecting to a wireless LAN, is it okay to meet the following two conditions?
- Manually registering a DNS suffix in the MEBx
- Registering a wireless profile in the "Wifi" item of the AMT Profile

Also, is ACM the correct provisioning mode?

To confirm operation, we used the same PC that was able to connect to CIRA via wired LAN, and with the wired LAN disconnected, initialized MEBx and reinstalled the agent.


Best regards,
Skubo

0 Kudos
SKubo
New Contributor I
2,823 Views

The ECT log is also attached.

0 Kudos
Suneesh
Employee
2,801 Views

Hello Satoshi,


Good day!


For wireless or LAN-less endpoints, the following three steps are required to complete the provisioning:


1. Manually registering the DNS suffix in the MEBx.

2. Registering a wireless profile in the "Wi-Fi" section of the AMT profile.

3. Ensuring ACM is set to the correct provisioning mode.


Please also verify the certificate domain and ensure that it matches the PKI DNS suffix in the settings.


We found a Fujitsu manual that indicates it uses Intel's standard manageability. Please check the hardware manageability capabilities of the endpoints and share a screenshot with us. You can review the manual on the Fujitsu website: [Fujitsu System Catalog](https://jp.fujitsu.com/platform/pc/product/catalog_syskou/syskou/bib/bib2312.pdf).


If the manageability is indeed standard, then it may not support wireless. Also, please provide the wireless card model as seen in the device manager.


Best regards,  

Suneesh


0 Kudos
SKubo
New Contributor I
2,701 Views

Hello Suneesh,

 

1. Manually registering the DNS suffix in the MEBx.

    => There are no issues with the wired LAN, and the suffix has been provisioned successfully, so I think the value registered in MEBx is fine.

2. Registering a wireless profile in the "Wi-Fi" section of the AMT profile.

    => If you check the management console that can be checked with "localhost:16993" on the agent side, the Wi-Fi profile set on the EMA side is registered, so I think there is probably no problem.

 

3. Ensuring ACM is set to the correct provisioning mode.

    => Since I am using the same profile as the wired LAN that I have already set up, I don't think there will be any problems here either.

 

We will contact you regarding the wireless card model after checking the screenshot separately, so please wait for a while.

 

Best regards,
Skubo

0 Kudos
Suneesh
Employee
2,685 Views

Hello Satoshi,


Greetings of the day.


We are checking on this with our team and will provide an update as soon as possible.


In the meantime, please help us with the network card model used.


Regards,

Suneesh


0 Kudos
SKubo
New Contributor I
2,654 Views

Hello Suneesh,

 

I have attached a picture of the wireless card.

 


 

Best Regards,
SKubo

 

0 Kudos
Suneesh
Employee
2,637 Views

Hello Satoshi,


Greetings of the day.


Thank you for sharing the card details.


We found a Fujitsu manual that indicates it uses Intel's standard manageability. Please verify the hardware manageability capabilities of the endpoints and provide us with a screenshot showing whether they support Full AMT or Standard Manageability. You can review the manual on the Fujitsu website: [Fujitsu System Catalog](https://jp.fujitsu.com/platform/pc/product/catalog_syskou/syskou/bib/bib2312.pdf).


If the manageability is indeed standard manageability, then it may not support wireless.


Regards,

Suneesh


0 Kudos
SKubo
New Contributor I
2,615 Views

Hello Suneesh,

 

Sorry, I'm not sure what information you want to know, but would the following information be okay?


It says Wireless (Intel vPro® Enterprise platform compatible), but is this actually compatible?

 

The endpoint product name, model number, and serial number are as follows.
・Product name: LIFEBOOK U9313/N
・Model name: FMVU66061
・SN: R4600447

 

Best Regards,
SKubo

0 Kudos
Suneesh
Employee
2,596 Views

Hello SKubo,


I hope this message finds you well.


The resolution of the case has been extended, and we are eager to resolve it as soon as possible. If you’re open to it, we’d appreciate the opportunity to discuss the matter further via email or through a web ticket. I would appreciate your confirmation. 


Best regards,

Suneesh


0 Kudos
SKubo
New Contributor I
2,575 Views

Hello Suneesh,


Understood, please provide us with your web ticket or email address.


Best Regards,
SKubo

0 Kudos
Suneesh
Employee
2,474 Views

Hello Satoshi,


Good day.


We will create a new case and send you an email from this case so you can securely send logs and pictures without any security concerns.


Regards,

Suneesh


0 Kudos
Suneesh
Employee
2,351 Views

Hi Satoshi,


Good day!


I have created a new case and sent an email to you. You will be able to send logs and pictures with no security concerns.


I will be waiting for your reply.


Regards,

Suneesh


0 Kudos