Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2920 Discussions

Upgrade Intel EMA from 1.6 to 1.11

George71
Beginner
8,860 Views

Hello,

 

we are trying to upgrade our Intel EMA from 1.6.0.0 to 1.11.0.0.

 

The installation ends with an error: "This target recovery cert cannot be saved in cert store. The thumbprint:78...." .

 

How can I solve the problem?

 

BTW, where can be downloaded Intel EMA 1.10 or 1.9?

 

Thanks

0 Kudos
49 Replies
MIGUEL_C_Intel
Moderator
5,411 Views

Hello, George71


I want to better understand the current Intel® EMA instance configuration.

Tell me about the OS running the EMA server and OS running the SQL database.

Include if both are running on the same server machine or virtual machine.

How many endpoints are provisioned now?


Is the EMA instance running in Client Control Mode (CCM) or Admin Control Mode (ACM)?

If it is ACM; do you mind accessing IIS, open the Cert from the Personal Store, and send a picture of what you see in the Certification Path tab?

In addition, select the root Cert (first line), and click view details icon.  In the next window select the Details tab. Please let me know if it is SHA1 or SHA256.


Next, is it possible to access the EMA instance using the Global admin and Tenant account?

If yes, please confirm if you can see the endpoints.


Please confirm if you keep a backup of the EMA configuration before doing the update.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
George71
Beginner
5,391 Views

Hello, Miguel,

 

both are running on the same server (ESX virtual) with Windows Server 2016 and SQL Server 2019.

The number of endpoints is 8193.

ACM.

Digicert Global Root G2 -> Digicert Global CA G2 -> ..server = all in SHA256.

Yes, I can see the endpoints.

Yes, I made a backup snapshot in vmware before the upgrade,  which I restored after the above error.

 

Thanks.

 

George71

0 Kudos
MIGUEL_C_Intel
Moderator
5,380 Views

Hello, George71


Thank you for your update.  It has introduced security updates and the current Certificate might not match the requirements.  The Certificate chain must be SHA256 (Root, Intermediate, and Leaf are SHA256). 


Please follow the instructions of section 2.2 - Performing an Update Installation using the Setup Wizard.  It is necessary to turn off some EMA services and IIS before doing the update.

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-distibuted-seve-installation-and-maintenance-guide.pdf#page=39.


It is possible to validate the Certificate chain by accessing IIS; open the Certificate from the Personal Store > select the Root Cert from the Certification Path tab > click the details icon > from the new window select the Details tab > Review if it says SHA1 or SHA256. Do the same for the Intermediate Certificate.


I look forward to hearing from you.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
George71
Beginner
5,366 Views

Hello, Miguel,

 

I wrote: "Digicert Global Root G2 -> Digicert Global CA G2 -> ..server = all in SHA256." This means that the Certificate chain is SHA256 (Root, Intermediate, and Leaf are SHA256).  That wasn't the problem.

 

The problem was not stopping the services in the Platform Manager before running the upgrade. I expected Wizard to do it for me. Thanks. The upgrade now went through without any errors.

 

But installing new AMT stations works strangely. The EMA Agent log writes: "Failed creating random password wide string for WinCrypto.". And Intel EMA in Intel AMT setup status shows "Pending Configuration", but everything works.  In the intel EMA above the device in the "Hardware Manageability" tab, the system status and other things are correctly shown. Why does it show "Pending configuration" when everything is working?

 

I still haven't received an answer on how to download the older version 1.7-1.10 ?

 

Thanks

George71

0 Kudos
MIGUEL_C_Intel
Moderator
5,357 Views

Hello, George71,


I am glad to hear the Intel® EMA software update was possible.  Intel removed the previous versions due to security and performance improvements.  The engineering team confirmed there are no update limitations from version 1.3.2 and higher to the latest 1.11.0.


George71, to better understand the issue do you mind sending via private message the installer log ([System drive]\EMALog-Intel EMAInstaller.txt) and the EMA logs from Server ([System drive]\Program File(x86)\Intel\Platform Manager\EmaLogs).


Please send me the files without the date called:

EMAlog-Webserver.txt

EMAlog-Swarmserver.txt

EMAlog-Ajaxserver.txt

EMAlog-Recoveryserver.txt

EMAlog-Manageabilityserver.txt


In addition, please gather and send me the following log from an endpoint with the Pending configuration status.


Download and run Intel® EMA Configuration Tool (ECT)

https://www.intel.com/content/www/us/en/download/19805/30485/intel-endpoint-management-assistant-configuration-tool-intel-ema-configuration-tool.html

 

Installation:

Download and unzip the tool.

Double-click the .msi file and follow the prompts.

 

Run:

a- Open a command prompt (alternatively, you can run the tool from Windows PowerShell*) as administrator.

b- Navigate to the installation folder (default C:\Program Files (x86)\Intel\EMAConfigTool).

c- Run the command: EMAConfigTool.exe –verbose


I look forward to your reply.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
MIGUEL_C_Intel
Moderator
5,303 Views

Hello, George71,


By any chance, have you been able to collect the EMA server logs, the EMA installer log, and the EMA configuration log from any of the pending activation endpoints?


I look forward to hearing from you.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
George71
Beginner
5,262 Views

Hello, Miguel,

 

I restored the snapshot again. I can upgrade for the third time and immediately reactivate one station. Can you please describe specifically what all the logs (file names) are and where they are located. So that we don't forget something.

 

Thanks.

 

George71

0 Kudos
MIGUEL_C_Intel
Moderator
5,252 Views

Hello, George71,


I am glad to hear the rollback was possible with the snapshot.


The EMA server logs' location is in the instructions below.  Before doing the EMA update; I would like to confirm if the issue with the new endpoints started before doing the update or after.


Did you try to provision the endpoints after doing the EMA update?  If yes, please unprovision the new endpoints; the EMA configuration tool will help you.  If I am not mistaken you enable the Random endpoint password. It is necessary to access the EMA console> Endpoint tab> click over the endpoint and select Stop Managing, the new pop-up window will display the Endpoint Password.


Select Stop Managing

Then, run the EMA configuration tool (ECT) in the endpoint and unprovision the machine.


Intel® EMA Configuration Tool (ECT) software

https://www.intel.com/content/www/us/en/download/19805/30485/intel-endpoint-management-assistant-configuration-tool-intel-ema-configuration-tool.html

Installation:

Download and unzip the tool.

Double-click the .msi file and follow the prompts.

Run:

a- Open a command prompt (alternatively, you can run the tool from Windows PowerShell*) as administrator.

b- Navigate to the installation folder (default C:\Program Files (x86)\Intel\EMAConfigTool).

c- Run the command: EMAConfigTool.exe --unconfigure --password <Random password>


Then, run the command EMAConfigTool.exe –verbose.  The log will confirm if the system is unconfigured.


Now, we can gather the EMA server logs from the path below: ([System drive]\Program File(x86)\Intel\Platform Manager\EmaLogs). There are 5 files, and their names are:

EMAlog-Webserver.txt

EMAlog-Swarmserver.txt

EMAlog-Ajaxserver.txt

EMAlog-Recoveryserver.txt

EMAlog-Manageabilityserver.txt


Finally, we can gather a log after doing the EMA installation or update. The path of the file is below:

([System drive]\EMALog-Intel EMAInstaller.txt)


Please share the logs via private message (for security reasons).


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
MIGUEL_C_Intel
Moderator
5,202 Views

Hello, George71,


By any chance, have you been able to gather the information requested?  I look forward to hearing from you.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
George71
Beginner
5,183 Views

Hello, Miguel,

I send you private message with EMALogs.zip (08-23-2023).
The ZIP contained these files:
(the EMA server logs)
EMAlog-Webserver.txt
EMAlog-Swarmserver.txt
EMAlog-Ajaxserver.txt
EMAlog-Recoveryserver.txt
EMAlog-Manageabilityserver.txt
Were they helpful?

(the EMA configuration log)
*_System_Summary.json/xml .. is that it? Or where should I look for "configuration log"?

(the EMA installer log)
[System drive]\EMALog-Intel EMAInstaller.txt does not exist. Is it created on every install/upgrade?

Yes, I confirm that everything works fine before the update. Both now endpoints and old ones, for which I call unconfig AMT through the BIOS. These are common testing procedures that we have been using for over 5 years.

 

Regards

George71

0 Kudos
MIGUEL_C_Intel
Moderator
5,164 Views

Hello, George71,


I am still reviewing the logs with the engineering department.  Intel has implemented some security features and only TLS 1.1 and TLS1.2 are supported.


I am asking for a picture from the Details tab of the root certificate in order to validate if it is SHA256.

In addition, please validate if the MeshSettings certificate after doing the update is the same. Otherwise, replace it with the old one.


MeshSettingsCertificate is stored in the Local Machine\Personal certificate store on your server machine.  This certificate is used to encrypt/decrypt the server settings stored in the database.


Look forward to your response; if there is no response to this email, I will send you a follow-up on 9/6/2023.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
George71
Beginner
5,117 Views
0 Kudos
George71
Beginner
5,109 Views

Hello, Miguel,

after the update, the MeshSettings certificate is the same.

Regards,
George71

0 Kudos
MIGUEL_C_Intel
Moderator
5,101 Views

Hello, George71,


Intel published a new EMA version 1.11.1; do you mind updating EMA to this version? Please review the sections:

2.3 Performing an update Installation using the setup wizard and 

9.1 Updating using the Setup Wizard


Intel(R)_EMA_Server_Installation_and_Maintenance_Guide included in the Intel® EMA zip file.


Intel® Endpoint Management Assistant (Intel® EMA) v1.11.1

https://www.intel.com/content/www/us/en/download/19449/intel-endpoint-management-assistant-intel-ema.html


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
George71
Beginner
5,083 Views

Hello, Miguel,

 

I tried version 1.11.1 and the problem is the same.

 

Regards,

George71

0 Kudos
MIGUEL_C_Intel
Moderator
5,062 Views

Hello, George71,


Thank you for providing me with the results of the latest EMA version 1.11.1.  Please allow me time to review again the logs and picture provided. I will give you an update soon.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
MIGUEL_C_Intel
Moderator
4,954 Views

Hello, George71,


We are still working on the EMA server logs.  Our findings in the meantime are the following.  Intel® EMA software v1.11.1 made a change on the supported Server operating systems.  Only Windows Server 2019 and 2022 are supported.


For reference: Intel® Endpoint Management Assistant (Intel® EMA) Release Notes https://downloadmirror.intel.com/646990/Intel_EMA_Release_Notes.pdf#page=9


There is a workaround that we can run to figure out if a crypto is blocking the connection. This failure might be caused by an older crypto cipher that is less secure and deprecated.


Allow older TLS protocols that work with Intel® AMT 14 and older versions.


Download or copy Internet Information Services IIS Crypto from Nartac* Software onto the Intel® EMA server. It can be found here https://www.nartac.com/Products/IISCrypto/ 

Allow the server to use older Server and client TLS Protocols and test.

Disable the unnecessary options and ensure the EMA server complies with your company security policies. 



For reference: Intel® Active Management Technology (Intel® AMT) Version 14 and Later Not Working on Windows Server* 2022?

https://www.intel.com/content/www/us/en/support/articles/000093800/software/manageability-products.html


Look forward to your response.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
MIGUEL_C_Intel
Moderator
4,811 Views

Hello, George71,


By any chance, have you been able to work on our previous troubleshooting?


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
George71
Beginner
4,796 Views

Hello, Miguel,

 

Do I have to work on something? You wrote: "We are still working on the EMA server logs.".

 

Regards,

George71

0 Kudos
MIGUEL_C_Intel
Moderator
4,775 Views

Hello, George71,


Yes, we need your assistance on doing the troubleshooting below:

Intel® EMA software v1.11.1 made a change to the supported Server Operating Systems (OS).  Only Windows Server 2019 and 2022 are supported.


For reference: Intel® Endpoint Management Assistant (Intel® EMA) Release Notes https://downloadmirror.intel.com/646990/Intel_EMA_Release_Notes.pdf#page=9


There is a workaround that we can run to figure out if a crypto is blocking the connection.


Steps:

  • Allow older TLS protocols that work with Intel® AMT 14 and older versions.
  • Download or copy Internet Information Services IIS Crypto from Nartac* Software onto the Intel® EMA server. It can be found here https://www.nartac.com/Products/IISCrypto/ 
  • Allow the server to use older Server and client TLS Protocols and test.
  • Disable the unnecessary options and ensure the EMA server complies with your company security policies. 


For reference: Intel® Active Management Technology (Intel® AMT) Version 14 and Later Not Working on Windows Server* 2022?

https://www.intel.com/content/www/us/en/support/articles/000093800/software/manageability-products.html


Please let us know the outcome.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
Reply