Hi Stef37,

Thank you for joining the meeting!

Sorry to hear that the information provided has not been much useful, however there are few product limitations as well for which the guide provides certain protocols that needs to be followed.

Referring to section 1.3.3, in the server installation guide, kindly refer to the database section which would be helpful for your clarification.

https://www.intel.com/content/www/us/en/content-details/841803/intel-endpoint-management-assistant-intel-ema-server-installation-and-maintenance-guide.html

Note:

Before installing Intel® EMA, ensure that the SQL account used in the Intel® EMA SQL connection string to create the database has sysadmin rights (to create new account for IIS default application pool identity) and has at least dbcreator permission, which allows it to create, modify, and delete any database. Also, this account must have the database level roles db_owner, db_datawriter, and db_datareader. The “sysadmin” right is needed in order to create the new user “IIS APPPOOL\\DefaultAppPool\” for the SQL server (if it does not exist). If it exists already or you do not use that account for the IIS application pool of the Intel® EMA website, then the role needed during installation is “dbcreator”, to create the Intel® EMA database. Keep in mind that the “sysadmin” or “dbcreator” rights are only needed during Intel® EMA installation. Lastly you must grant permission for "SUBSCRIBE QUERY NOTIFICATIONS" to the user of Intel® EMA database.  

Changing the IIS User account is a little complex.  The service account user needs to have access to the main SQL database. In addition, the admin user needs to give him rights to the EMA database.

The lines below describe the steps that the admin user needs to perform in SQL for adding a service account user with EMA database access.

Open the Security folder

         Right-click over the Login folder

         Select New Login

On the General tab

Login Name

                   Type Service Account User domain\username

At the bottom, for Default Database: Select EMA database

On Server Roles

         Add sysadmin

On User Mapping

         Check EMADatabase. In the same row, type dbo at the Default Schema.

On Securables

         No changes are necessary

On Status

         Grant permission to the database and enable login

Restart the server

Log in with the service account user to the server; he should have access to the EMA database.

Hence, as per the engineering suggestion, it is recommended that the user who accesses the EMA console, keep the admin rights to the database. This is suggested to prevent access issues after EMA software upgrades.

Thanks & Regards

Arun

Intel Customer Support Technician

intel.com/vPro

Hi Stef37,

An email has been sent to your email id, with the meeting link for Wednesday as requested.

Kindly acknowledge through the email for confirming the meeting.

Thanks & Regards

Arun

Intel Customer Support Technician

Hi Stef37,

Thank you for your email reply!

We see your note in the email which say that you have performed a fresh installation and as soon as the service user is in the server's local administrators group, it works, where the issue has been resolved.

Please feel free to revert for any further query!

Thank & Regards

Arun

Intel Customer Support Technician

Hi Stef37,

We have informed the same to our business unit and can arrange for a specialist to join the meeting this time, kindly let us know your availability so that we can go ahead and schedule the call for the same.

We wanted to make sure that we are providing the best service possible for our customers.

Your understanding is greatly appreciated in this matter!

Thanks & Regards

Arun

Intel Customer Support Technician

Hi Stef37,

​Our next week morning availability is tight. We will be available on Thursday, Sept 3rd, at 5 PM Switzerland (8 AM US PST).

​

We created a lab recently, and the configuration was successful. One big thing we saw in your environment. The entire contents of wwwroot are deleted after a server restart". We spoke with some of our developers, and that’s not a symptom we have ever seen. Wondering if you have some group policy, security software, etc, that is unique to your environment and wipes and/or redeploys apps/sites.

​

Lab details:

EMA software was installed, endpoint provisioned, and tested in-band and out-of-band KVM without any issues.

​

I’ll list the steps I used at the bottom of this email; there may be other options that would work, but this worked in my test AD environment.

Steps I used to install EMA and change the Platform Manager and IIS service account to a non-admin account

Environment:

• EMA 1.14.3 was reinstalled.
• 2 Win 2022 Servers: 1 application server, 1 running SQL Server 2022 Express
• Traditional Active Directory running in an environment

Created a new EMA service account user in Active Directory

To perform initial installation and setup, logged into both servers as a Domain Admin account

On the server running SQL Server

• Installed SQL Server 2022 Express and SQL Server Management Studio
• In SSMS:
  • Created two SQL Authentication accounts on the SQL Server, one for the installer (with sysadmin rights) and one with no rights other than default rights. 
  • Configured the default SQLEXPRESS instance created at install to allow SQL authentication in addition to Windows authentication
• In SQL Server Configuration Manager, enable TCP/IP configuration and set the TCP/IP port to 1433. 

On the EMA application server:

• Ran the EMA server installer wizard
  • Choose the initial install for the Distributed Server
  • For database setup, specify the remote database
  • Choose SQL Authentication and provide the SQL Authentication accounts created above
  • Use FQDN first for Swarm Server Load Balancer, and provide the Server’s FQDN and IP address. Used “Same as Swarm Server” for the remaining load balancers.
  • Deployed all Server Components
  • Chose domain authentication
  • Completed the wizard and allowed the server to install
• In certlm.msc, under Certificates - Local Computer > Personal > Certificates
• For every certificate issued by MeshRoot or EmaPlatformManagerRoot, the AD service account has “Read” access to the private key:
  • Right-click on each certificate, choose “Manage Private Keys”, add the AD service account, and grant “Read” access
  • You can exclude EMAPlatformManagerRoot (where this is not an available option)
• In Local Security Policy, under Local Policies > User Rights Assignment, find the “Log on as a service” policy, and add the AD service account.
• Give full control to the AD service account for the following folders and their descendants:
  • [System drive]\Program Files (x86)\Intel\Platform Manager
  • [System drive]\inetpub\wwwroot
  • [System drive]\ProgramData\Intel\EMA\USBR {Or the USBR image path if you have updated it)

• At the command line, as administrator, run these commands (In this example, ‘KTG\ntservice’ is the AD service account to be used for the IIS AppPool and the Platform Manager service logon.)
  • netsh http add urlacl url=https://+:443/AJAX/ user=KTG\ntservice
  • netsh http add urlacl url=https://+:8084/ user=KTG\ntservice 
  • netsh http add urlacl url=https://+:8085/ user=KTG\ntservice

Back on the server running SQL Server:

• In SSMS, granted the SQL authentication service account db_owner access to the EMADatabase, in addition to the already existing access

On the EMA application server:

• Updated the account running Platform Manager
  • Find Intel Platform Manager in Windows services and change the user account under which this service is running
  • Restart the Platform Manager service
• In Task Manager, end all “Intel® EMA” component server tasks – AJAX, Manageability, Recovery, Swarm -- Platform Manager will restart them. 
  • Don’t kill Platform Manager itself here – it can’t restart itself .

• Changed the account running the EMA web application in IIS:
• Add a new IIS application pool for Intel® EMA.
  • Use IIS Manager to create a new app pool.
  • Choose .NET CLR Version v4.0.XXX, Integrated pipeline mode, and start the app pool immediately.
• Assign an account to the new application pool.
  • Use IIS Manager to change the account for the new app pool.
  • Choose Custom Account and specify the desired Windows account.
  • Use IIS Manager to change the application pool used by Intel® EMA to the new one created above. Then restart the whole website.
  • For verification, access the Intel® EMA website in a browser, then use Windows Task Manager to verify that the w3wp.exe process is running under the specified account.

​

We look forward to your availability.

​

Thanks & Regards

Arun

Intel Customer Support Technician

Hi Stef37,

Thanks for sharing your observation.

We are working upon the issue and will get back with an update asap.

Thanks & Regards

Arun

Intel Customer Support Technician