Hello,
we are trying to upgrade our Intel EMA from 1.6.0.0 to 1.11.0.0.
The installation ends with an error: "This target recovery cert cannot be saved in cert store. The thumbprint:78...." .
How can I solve the problem?
BTW, where can Intel EMA 1.10 or 1.9 be downloaded?
Thanks
Hello, George71
I want to better understand the current Intel® EMA instance configuration.
Tell me about the OS running the EMA server and OS running the SQL database.
Include if both are running on the same server machine or virtual machine.
How many endpoints are provisioned now?
Is the EMA instance running in Client Control Mode (CCM) or Admin Control Mode (ACM)?
If it is ACM, do you mind accessing IIS, opening the Cert from the Personal Store, and sending a picture of what you see in the Certification Path tab?
In addition, select the root Cert (first line), and click the view details icon. In the next window select the Details tab. Please let me know if it is SHA1 or SHA256.
Next, is it possible to access the EMA instance using the Global admin and Tenant account?
If yes, please confirm if you can see the endpoints.
Please confirm if you keep a backup of the EMA configuration before doing the update.
Regards,
Miguel C.
Intel Customer Support Technician
Hello, Miguel,
both are running on the same server (ESX virtual) with Windows Server 2016 and SQL Server 2019.
The number of endpoints is 8193.
ACM.
Digicert Global Root G2 -> Digicert Global CA G2 -> ..server = all in SHA256.
Yes, I can see the endpoints.
Yes, I made a backup snapshot in vmware before the upgrade, which I restored after the above error.
Thanks.
George71
Hello, George71
Thank you for your update. It has introduced security updates and the current Certificate might not match the requirements. The Certificate chain must be SHA256 (Root, Intermediate, and Leaf are SHA256).
Please follow the instructions of section 2.2 - Performing an Update Installation using the Setup Wizard. It is necessary to turn off some EMA services and IIS before doing the update.
It is possible to validate the Certificate chain by accessing IIS; open the Certificate from the Personal Store > select the Root Cert from the Certification Path tab > click the details icon > from the new window select the Details tab > Review if it says SHA1 or SHA256. Do the same for the Intermediate Certificate.
I look forward to hearing from you.
Regards,
Miguel C.
Intel Customer Support Technician
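The chain check described in the post above can also be done from an elevated PowerShell prompt on the EMA server. This is an added example, not part of the thread and not Intel's tooling; the function name `Get-ChainSignatureAlgorithm` is hypothetical, and it inspects every certificate with a private key in the Local Machine\Personal store rather than one selected in IIS.

```powershell
# Added example: list the signature algorithm of every certificate in the chain
# of each server certificate in LocalMachine\My (the "Personal" store).
function Get-ChainSignatureAlgorithm {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Only the chain members are needed here, so skip revocation lookups.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $null = $chain.Build($Certificate)

    $depth = 0
    foreach ($element in $chain.ChainElements) {
        $c   = $element.Certificate
        $alg = $c.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA, sha1RSA
        [pscustomobject]@{
            Leaf      = $Certificate.Thumbprint
            Depth     = $depth                      # 0 = leaf, highest = root
            Algorithm = $alg
            IsSha256  = ($alg -match 'sha256')
            Subject   = $c.Subject
        }
        $depth++
    }
    $chain.Reset()
}

# Walk every certificate that has a private key (candidate server certificates).
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Get-ChainSignatureAlgorithm -Certificate $_ } |
    Format-Table Leaf, Depth, Algorithm, IsSha256, Subject -AutoSize
```

Any row with `IsSha256` set to `False` identifies a chain member that does not meet the SHA256 requirement quoted in the post.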
Hello, Miguel,
I wrote: "Digicert Global Root G2 -> Digicert Global CA G2 -> ..server = all in SHA256." This means that the Certificate chain is SHA256 (Root, Intermediate, and Leaf are SHA256). That wasn't the problem.
The problem was not stopping the services in the Platform Manager before running the upgrade. I expected Wizard to do it for me. Thanks. The upgrade now went through without any errors.
But installing new AMT stations works strangely. The EMA Agent log writes: "Failed creating random password wide string for WinCrypto.". And Intel EMA in Intel AMT setup status shows "Pending Configuration", but everything works. In the Intel EMA above the device in the "Hardware Manageability" tab, the system status and other things are correctly shown. Why does it show "Pending configuration" when everything is working?
I still haven't received an answer on how to download the older versions 1.7-1.10?
Thanks
George71
Hello, George71,
I am glad to hear the Intel® EMA software update was possible. Intel removed the previous versions due to security and performance improvements. The engineering team confirmed there are no update limitations from version 1.3.2 and higher to the latest 1.11.0.
George71, to better understand the issue do you mind sending via private message the installer log ([System drive]\EMALog-Intel EMAInstaller.txt) and the EMA logs from Server ([System drive]\Program Files (x86)\Intel\Platform Manager\EmaLogs).
Please send me the files without the date called:
EMAlog-Webserver.txt
EMAlog-Swarmserver.txt
EMAlog-Ajaxserver.txt
EMAlog-Recoveryserver.txt
EMAlog-Manageabilityserver.txt
In addition, please gather and send me the following log from an endpoint with the Pending configuration status.
Download and run Intel® EMA Configuration Tool (ECT)
Installation:
Download and unzip the tool.
Double-click the .msi file and follow the prompts.
Run:
a- Open a command prompt (alternatively, you can run the tool from Windows PowerShell*) as administrator.
b- Navigate to the installation folder (default C:\Program Files (x86)\Intel\EMAConfigTool).
c- Run the command: EMAConfigTool.exe --verbose
I look forward to your reply.
Regards,
Miguel C.
Intel Customer Support Technician
Hello, George71,
By any chance, have you been able to collect the EMA server logs, the EMA installer log, and the EMA configuration log from any of the pending activation endpoints?
I look forward to hearing from you.
Regards,
Miguel C.
Intel Customer Support Technician
Hello, Miguel,
I restored the snapshot again. I can upgrade for the third time and immediately reactivate one station. Can you please describe specifically what all the logs (file names) are and where they are located, so that we don't forget something?
Thanks.
George71
Hello, George71,
I am glad to hear the rollback was possible with the snapshot.
The EMA server logs' location is in the instructions below. Before doing the EMA update, I would like to confirm if the issue with the new endpoints started before doing the update or after.
Did you try to provision the endpoints after doing the EMA update? If yes, please unprovision the new endpoints; the EMA configuration tool will help you. If I am not mistaken, you enabled the Random endpoint password. It is necessary to access the EMA console > Endpoint tab > click over the endpoint and select Stop Managing; the new pop-up window will display the Endpoint Password.
Select Stop Managing
Then, run the EMA configuration tool (ECT) in the endpoint and unprovision the machine.
Intel® EMA Configuration Tool (ECT) software
Installation:
Download and unzip the tool.
Double-click the .msi file and follow the prompts.
Run:
a- Open a command prompt (alternatively, you can run the tool from Windows PowerShell*) as administrator.
b- Navigate to the installation folder (default C:\Program Files (x86)\Intel\EMAConfigTool).
c- Run the command: EMAConfigTool.exe --unconfigure --password <Random password>
Then, run the command EMAConfigTool.exe --verbose. The log will confirm if the system is unconfigured.
Now, we can gather the EMA server logs from the path below: ([System drive]\Program Files (x86)\Intel\Platform Manager\EmaLogs). There are 5 files, and their names are:
EMAlog-Webserver.txt
EMAlog-Swarmserver.txt
EMAlog-Ajaxserver.txt
EMAlog-Recoveryserver.txt
EMAlog-Manageabilityserver.txt
Finally, we can gather a log after doing the EMA installation or update. The path of the file is below:
([System drive]\EMALog-Intel EMAInstaller.txt)
Please share the logs via private message (for security reasons).
Regards,
Miguel C.
Intel Customer Support Technician
Hello, George71,
By any chance, have you been able to gather the information requested? I look forward to hearing from you.
Regards,
Miguel C.
Intel Customer Support Technician
Hello, Miguel,
I sent you a private message with EMALogs.zip (08-23-2023).
The ZIP contained these files:
(the EMA server logs)
EMAlog-Webserver.txt
EMAlog-Swarmserver.txt
EMAlog-Ajaxserver.txt
EMAlog-Recoveryserver.txt
EMAlog-Manageabilityserver.txt
Were they helpful?
(the EMA configuration log)
*_System_Summary.json/xml .. is that it? Or where should I look for "configuration log"?
(the EMA installer log)
[System drive]\EMALog-Intel EMAInstaller.txt does not exist. Is it created on every install/upgrade?
Yes, I confirm that everything works fine before the update. Both new endpoints and old ones, for which I call unconfig AMT through the BIOS. These are common testing procedures that we have been using for over 5 years.
Regards
George71
Hello, George71,
I am still reviewing the logs with the engineering department. Intel has implemented some security features and only TLS 1.1 and TLS 1.2 are supported.
I am asking for a picture from the Details tab of the root certificate in order to validate if it is SHA256.
In addition, please validate if the MeshSettings certificate after doing the update is the same. Otherwise, replace it with the old one.
MeshSettingsCertificate is stored in the Local Machine\Personal certificate store on your server machine. This certificate is used to encrypt/decrypt the server settings stored in the database.
Look forward to your response; if there is no response to this email, I will send you a follow-up on 9/6/2023.
Regards,
Miguel C.
Intel Customer Support Technician
Hello, Miguel,
after the update, the MeshSettings certificate is the same.
Regards,
George71
Hello, George71,
Intel published a new EMA version 1.11.1; do you mind updating EMA to this version? Please review the sections:
2.3 Performing an update Installation using the setup wizard and
9.1 Updating using the Setup Wizard
Intel(R)_EMA_Server_Installation_and_Maintenance_Guide included in the Intel® EMA zip file.
Intel® Endpoint Management Assistant (Intel® EMA) v1.11.1
Regards,
Miguel C.
Intel Customer Support Technician
Hello, Miguel,
I tried version 1.11.1 and the problem is the same.
Regards,
George71
Hello, George71,
Thank you for providing me with the results of the latest EMA version 1.11.1. Please allow me time to review again the logs and picture provided. I will give you an update soon.
Regards,
Miguel C.
Intel Customer Support Technician
Hello, George71,
We are still working on the EMA server logs. Our findings in the meantime are the following. Intel® EMA software v1.11.1 made a change on the supported Server operating systems. Only Windows Server 2019 and 2022 are supported.
For reference: Intel® Endpoint Management Assistant (Intel® EMA) Release Notes https://downloadmirror.intel.com/646990/Intel_EMA_Release_Notes.pdf#page=9
There is a workaround that we can run to figure out if a crypto is blocking the connection. This failure might be caused by an older crypto cipher that is less secure and deprecated.
Allow older TLS protocols that work with Intel® AMT 14 and older versions.
Download or copy Internet Information Services IIS Crypto from Nartac* Software onto the Intel® EMA server. It can be found here https://www.nartac.com/Products/IISCrypto/
Allow the server to use older Server and client TLS Protocols and test.
Disable the unnecessary options and ensure the EMA server complies with your company security policies.
For reference: Intel® Active Management Technology (Intel® AMT) Version 14 and Later Not Working on Windows Server* 2022?
Look forward to your response.
Regards,
Miguel C.
Intel Customer Support Technician
Hello, George71,
By any chance, have you been able to work on our previous troubleshooting?
Regards,
Miguel C.
Intel Customer Support Technician
Hello, Miguel,
Do I have to work on something? You wrote: "We are still working on the EMA server logs.".
Regards,
George71
Hello, George71,
Yes, we need your assistance on doing the troubleshooting below:
Intel® EMA software v1.11.1 made a change to the supported Server Operating Systems (OS). Only Windows Server 2019 and 2022 are supported.
For reference: Intel® Endpoint Management Assistant (Intel® EMA) Release Notes https://downloadmirror.intel.com/646990/Intel_EMA_Release_Notes.pdf#page=9
There is a workaround that we can run to figure out if a crypto is blocking the connection.
Steps:
- Allow older TLS protocols that work with Intel® AMT 14 and older versions.
- Download or copy Internet Information Services IIS Crypto from Nartac* Software onto the Intel® EMA server. It can be found here https://www.nartac.com/Products/IISCrypto/
- Allow the server to use older Server and client TLS Protocols and test.
- Disable the unnecessary options and ensure the EMA server complies with your company security policies.
For reference: Intel® Active Management Technology (Intel® AMT) Version 14 and Later Not Working on Windows Server* 2022?
Please let us know the outcome.
Regards,
Miguel C.
Intel Customer Support Technician
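The protocol switches that IIS Crypto edits live under the SCHANNEL registry key, so the state before and after the test in the steps above can be recorded with a read-only query. This is an added example, not part of the thread and not Intel's or Nartac's tooling; the function name `Get-SchannelProtocolState` is hypothetical.

```powershell
# Added example (read-only): report which SCHANNEL protocol versions are
# explicitly enabled or disabled in the registry on this server.
function Get-SchannelProtocolState {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $protocols = 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'

    foreach ($proto in $protocols) {
        foreach ($role in 'Server', 'Client') {
            $key   = Join-Path $base "$proto\$role"
            # A missing key or value means no override: the OS default applies.
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $state = if ($null -eq $props -or $null -eq $props.Enabled) {
                'OS default (no override)'
            } elseif ($props.Enabled -eq 0) {
                'Disabled'
            } else {
                'Enabled'
            }
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                State             = $state
                DisabledByDefault = $props.DisabledByDefault
            }
        }
    }
}

# Capture the current state; run again after the change and compare the two.
$before = Get-SchannelProtocolState
$before | Format-Table -AutoSize
```

Running the function again after the test and passing both results to `Compare-Object -Property Protocol, Role, State` shows exactly which protocols were re-enabled and still need to be turned off afterwards.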