Hello, George71,

The new security update affects the server and the endpoints. The validation between them is impossible if the old TLS protocols are closed.

Regards,

Miguel C.

Intel Customer Support Technician

Hello, Miguel,

yes, I have verified that TLS 1.0 is still working.

Regards

George71

Hello, George71,

1) Do you mind clarifying your last post?

Intel® EMA updates since version 1.8 finished the TLS 1.0 support. Intel® Core processors Gen 12 and 13 only support TLS 1.2.  

2) Did you enable TLS 1.0 with the Nartac software?

3) Please perform the following steps

Open the Manage Computer Services tool in the EMA Server

Go to the Personal Certificate store.

Open the Certificate

From the Certification Path tab, select the Root; as an example, from the Picture, it is Sectigo (AAA)

Click the View Certificate icon.

From the new window, select the Details tab.

Could you check if it says SHA or SHA256?

I look forward to your reply.

Regards,

Miguel C.

Intel Customer Support Technician

Hello, George71,

Thank you for your confirmation, please allow me time to review all the documentation provided.

Regards,

Miguel C.

Intel Customer Support Technician

Hello, George71,

We reviewed the symptoms of the EMA software version update from 1.6 to 1.11.1, and our conclusion is related to the operating system. Windows Server 2016 is old; the mainstream support expired on 11/01/2022.  It seems some crypto files are missing.

George71, we encourage you to create a development environment (virtual machine) with a fresh installation of Windows Server 2022.
It is possible to continue using the old Database.  Create a backup of the Certificates (MeshSettingsCertificate), and import the keys.  Use the same Admin User for the OS installation in the new EMA server.
Remember only one EMA instance can run at a time.

Regards,
Miguel C.
Intel Customer Support Technician

Hello, George71,

We apologize for the inconvenience. Intel and Microsoft have implemented security features and they block the communication between the EMA server and the endpoints.

Jumping to Windows Server 2019 would be an excellent idea. Remember to keep a backup of the EMA SQL DataBase and MeshCertSettings outlined in the EMA installation guide section 1.4.1- Backup Important Data

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-server-installation-and-maintenance-guide.pdf#page=11

Regards,

Miguel C.

Intel Customer Support Technician

Hello, George71,

I want to add some clarifications to my previous post.

We (Intel) are not saying the issue is related only to Microsoft OS.  There is a tight relationship between the OS and EMA.  Microsoft will continue releasing security patches, but Windows Server 2016 will no longer extend its functionality beyond 11/01/22, which likely implies new functionality like upgraded crypto libraries.  

I am adding for reference the changes experienced with the new EMA version 1.11.0, section 3 of the Release Notes PDF.

https://downloadmirror.intel.com/646990/Intel_EMA_Release_Notes.pdf#page=9

• Microsoft Windows Server 2019 (Note: The getPFX API requires the Intel EMA server to be installed on Windows Server 2019 or later)
• Microsoft Windows Server 2022 (Note: Crypto for Intel ME 11 systems is disabled by default on Windows Server 2022)

We need to test if Windows Server 2019 or 2022 eliminates your issues since there is a marriage between EMA and the OS that needs to be considered since loosening the crypto requirements with Nartac didn't work.  

We encourage you to test with a snapshot in a development environment.  We want to see if your issues are resolved in 2019 or 2022. 

The logs showed crypto issues, we used them for the troubleshooting. We suggested enabling the old TLS options with the third-party tool Nartac.

Look forward to your outcome.

Regards,

Miguel C.

Intel Customer Support Technician

Hello, George71,

I hope this post finds you well.

By any chance, have you been able to review my previous post?

Regards,

Miguel C.

Intel Customer Support Technician

Hello, George71,

We will gladly provide further assistance, if necessary, do not hesitate to reply.

Regards,

Miguel C.

Intel Customer Support Technician

Hello, George71,

Do you mind sending the EMA Server logs? They will provide more details of the issue.  

Regards,

Miguel C.

Intel Customer Support Technician

Hello, George71,

As I mentioned before, Microsoft Windows Server 2016 is not supported anymore with the latest versions of Intel® EMA.  There are some crypto versions not supported by this OS version.

The EMA Server logs are the best debug logs to find the issue and the solution. 

EMA logs from the Server

Default Path: [System drive]\Program File(x86)\Intel\Platform Manager\EmaLogs

Regards,

Miguel C.

Intel Customer Support Technician

Hello, George71,

I got the EMA Server logs.  Please allow me to finish reviewing them with the engineering team.

Regards,

Miguel C.

Intel Customer Support Technician

Hello, George71,

While I finish the revision with the engineering team, please let me know if you follow the update process instructions.

First, we need to keep a backup of the EMA SQL DataBase and Mesh Settings Certificate.

Both are outlined in the EMA installation guide section 1.4.1- Backup Important Data

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-server-installation-and-maintenance-guide.pdf#page=13

Then, update the database connection string.

2.2 Performing an update Installation using the Setup Wizard

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-distibuted-seve-installation-and-maintenance-guide.pdf#page=40

4.5 Updating the database connection string.

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-distibuted-seve-installation-and-maintenance-guide.pdf#page=57

2.5 Intel® EMA Installer advanced mode menu bar

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-distibuted-seve-installation-and-maintenance-guide.pdf#page=47

Contains the database connection string (encrypted).

C:\Program Files (x86)\Intel\Platform Manager\Runtime\MeshSettings\app.config and connections.config

Regards,

Miguel C.

Intel Customer Support Technician

Hello, George71,

Thank you for your feedback.

Yes, I am aware the connection between the EMA server and the new AMT workstations is working, you can see the hardware manageability details; however, you are getting the error message at the Intel AMT setup status shows "Pending Configuration.”

As well you are getting this error message from the installer log:

"This target recovery cert cannot be saved in the cert store. The thumbprint:78...." .

George71, we appreciate your patience and all the troubleshooting performed so far.  The issue is odd, there is no documentation about it.

Please share with us the results of the workaround below:

1- Please send the EMA server Installation log, the path: [System drive]\EMALog-Intel EMAInstaller.txt

2- Go into the EMA SQL DB and check if the table dbo.EndpointHistory exists after the upgrade. Please review the status before the upgrade. Bear in mind it is necessary to keep a back of the database and the Mesh Settings Certificate.

Both are outlined in the EMA installation guide section 1.4.1- Backup Important Data

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-server-installation-and-maintenance-guide.pdf#page=13

3- For our documentation purposes, do you mind sharing the brand name, model, current BIOS version, and current Management Engine driver of any of the new machines showing the issue?

We look forward to hearing back from you.

Regards,

Miguel C.

Intel Customer Support Technician