Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
3043 Discussions

Website blank after Change IIS User Account

Stef37
Beginner
7,164 Views

As described in Intel's instructions, I changed the service account for IIS. However, the website remains white, and no errors are visible in the log files.

The Service "Intel® EMA Platform Manager" not starting and on Event viewer i find this event:

The Intel® EMA Platform Manager service terminated unexpectedly. It has done this 23 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

If I grant the service user local administrator rights, it works again. I conclude that some write permissions to a file/folder are required.

 

Does anyone have a tip or idea as to why the service user isn't working properly?

 

According to Intel, the following adjustments are necessary:

To do this, follow the steps below:
1. Give the account access to Intel® EMA assets (files and folders, certificate's private key).
a. Skip these steps if the account already has the necessary privileges. Intel® Endpoint Management Assistant (Intel® EMA) May 2025 Server Installation Guide Intel® EMA Server Installation R Guide—Introduction 22 Doc. No.: , Rev.: 1.14.3
b. If the SQL connection is using Windows authentication, ensure the new IIS user account satisfies the permission and role requirements for the SQL Server account. Refer Modify Permissions of SQL Server User, if Desired on page 27.
c. Change the service to run under the desired account.
d. Give read and write access to [System drive]\Program Files (x86)\Intel\Platform Manager\EMALogs.
e. Give full control to the following:
• [System drive]\inetpub\wwwroot: also for all sub-folders and files.
• [System drive]\inetpub\wwwroot\web.config
• [System drive]\Program Files (x86)\Intel\Platform Manager\Runtime\MeshSettings\app.config
• [System drive]\Program Files (x86)\Intel\Platform Manager\Runtime\MeshSettings\connections.config
• [System drive]\ProgramData\Intel\EMA\USBR - Or the USBR image path if you have updated it as described in Manageability Server on page 90
f. Use the Windows certlm tool to open the certificate store for Local Computer \Personal\Certificates and give "read" permission for the following certificates by right-clicking the target certificate and selecting All Tasks\Manage Private
Keys:
• Temporary Web TLS certificate. "Issued To" is the Intel® EMA web site FQDN or IP. "Issued By" is "MeshRoot-XXXX".
• Settings certificate. "Issued To" is "MeshSettingsCertificates-**bleep**". "Issued By" is "MeshRoot-XXXX".
• Inter-component TLS certificate for web server. "Issued To" is "EmaMtlsWeb-**bleep**". "Issued By" is "MeshRoot-XXXX".
2. Add a new IIS application pool for Intel® EMA.
a. Use IIS Manager to create a new app pool.
b. Choose .NET CLR Version v4.0.**bleep**, Integrated pipeline mode, and Start app pool immediately.
3. Assign an account to the new application pool.
a. Use IIS Manager to change the account for the new app pool.
b. Choose Custom Account and specify the desired Windows account.
4. Use IIS Manager to change the application pool used by Intel® EMA to the new one created above. Then restart the whole web site. For verification, access the Intel® EMA web site in a browser, then use Windows Task Manager to verfiy that the w3wp.exe process is running under the specified account.

0 Kudos
31 Replies
Arun_Intel1
Employee
6,580 Views

Hi Stef37,


We see that you have mentioned that you followed Intel's instructions, and changed the service account for IIS and now the website remains white, and no errors are visible in the log files.


Please let us know the Guide or the article that you have referred for the above instruction and kindly share us the screen shots of the issue as well for further analysis.


Thanks & Regards

Arun

Intel Customer Support Technician



0 Kudos
Stef37
Beginner
6,505 Views

Hello Arun

 

Guide = Intel® Endpoint Management Assistant (Intel® EMA) - Server Installation Guide Rev 1.14.3
Chapter 1.4.9 - Page 21 - IIS – Change IIS User Account

 

Yesterday, I noticed that as soon as I remove the local user rights from the service user, the "Intel® EMA Platform Manager" service can no longer be started.
However, the service user has modify rights to the folder path "C:\Program Files (x86)\Intel\Platform Manager\Platform Manager Server".

 

What kind of screenshots are desired? From the white page, it doesn't make sense.

 

Regards

Stefan

0 Kudos
Arun_Intel1
Employee
6,370 Views

Hi Stef37,


To change the service account for IIS, you need to create the user in Windows Active Directory and then create the user on the EMA database, assign the roles dbreader and dbwriter at least.

Make sure the service account was properly created as per Microsoft's suggestions. Double-check that the user has access to the server, remote access to the server works, and access to IIS, and please review the Microsoft event logs for any issues.

 

Finally, follow the steps available on the Intel® EMA Server Installation Guide, section 1.4.9 IIS – Change IIS User Account.

https://www.intel.com/content/www/us/en/content-details/841803/intel-endpoint-management-assistant-intel-ema-server-installation-and-maintenance-guide.html


Thanks & Regards

Arun

Intel Customer Support Technician

intel.com/vPro


0 Kudos
Stef37
Beginner
6,230 Views

Hi Arun,

It was implemented according to the description. If I add the service user to the local administrators group, everything works perfectly.

If I remove it again, I only get a white web page. So it must be a local problem (the database is therefore correct).

The following was done:
- Service account stored on the "Intel® EMA Platform Manager" service
- Write permissions for the service account on:
     -> LOG folder
     -> C:\inetpub\wwwroot\web.config
     -> C:\Program Files (x86)\Intel\Platform Manager\Runtime\MeshSettings\app.config
     -> C:\Program Files (x86)\Intel\Platform Manager\Runtime\MeshSettings\connections.config
- Read access to the certificates
- New application pool with stored service account

After restarting IIS, the w3wp.exe process runs under the new service account as described.

After the Windows updates last night, I discovered today that all folders and files in the wwwroot folder had been deleted. I was able to reproduce this myself:
As soon as the "Intel® EMA Platform Manager" service is restarted, all files are gone.

Regards
Stefan

0 Kudos
Arun_Intel1
Employee
6,127 Views

Hi Stef37,


Thank you for sharing your observation.


Before we proceed further, we would like to have the environmental details requested below and feel free to let us know if you want us to send an email to revert with the details requested.


Details required:


1) Intel EMA Version: 1.14.3

2) Number of EMA servers

3) Total number of endpoints

4) Please let us know if the IIS service user has access to the EMA database and holds the proper role.

5) Additionally please share us the EMA logs and the MS Event viewer logs as well.


Steps to collect the EMA logs from the Server:

Default Path:[System Drive]\Program File(x86)\Intel\Platform Manager\EmaLogs

 

Please send me the files without the date called:

EMAlog-Webserver.txt

EMAlog-Swarmserver.txt

EMAlog-Ajaxserver.txt

EMAlog-Recoveryserver.txt

EMAlog-Manageabilityserver.txt


Thanks & Regards

Arun

Intel Customer Support Technician



0 Kudos
Stef37
Beginner
5,817 Views

Hi Arun

1) Intel EMA Version = 1.14.3
2) Number of EMA servers = 1
3) Total number of endpoints = 0 (No endpoints have been added yet. Currently, Intel EMA has only been installed.)
4) Please let us know if the IIS service user has access to the EMA database and holds the proper role = db_datareader, db_datawriter, db_owner, Public

 

After making the adjustments, the "Intel® EMA Platform Manager" service can no longer be started.
If I add the service user to the local administrators group, it works perfectly.
However, I then encounter the problem that when the server is restarted, the "C:\inetpub\wwwroot" folder is empty.

 

Regards
Stefan

 

 

On Event Viewer i found this:

Event ID: 1026

Application: PlatformManagerServer.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.ArgumentNullException
at System.IO.FileSystemWatcher..ctor(System.String, System.String)
at PlatformManagerServer.PlatformManagerAutomator..ctor(PlatformManagerServer.PlatformControllerServer)
at PlatformManagerServer.PlatformControllerServer.Init()
at PlatformManagerServer.PlatformManagerService.Initialization()
at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
at System.Threading.ThreadHelper.ThreadStart()

 

 

and:

Event ID: 1000

Faulting application name: PlatformManagerServer.exe, version: 1.14.3.0, time stamp: 0x681e89d1
Faulting module name: KERNELBASE.dll, version: 10.0.26100.4652, time stamp: 0x730de2a8
Exception code: 0xe0434352
Fault offset: 0x00000000000c7f9a
Faulting process id: 0x2434
Faulting application start time: 0x1DBFA0E5E27A932
Faulting application path: C:\Program Files (x86)\Intel\Platform Manager\Platform Manager Server\PlatformManagerServer.exe
Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
Report Id: e73aac34-81c0-4316-8b2d-051e0ea46488
Faulting package full name:
Faulting package-relative application ID:

 

0 Kudos
Arun_Intel1
Employee
5,421 Views

Hi Stef37,


Please confirm if the SQL access works with the service account, and if the service account user has access to the EMA database.


Thanks & Regards

Arun

Intel Customer Support Technician





0 Kudos
Stef37
Beginner
5,307 Views

Hi Anrun

The SQL database is located on a central SQL Server. Access with the service user works perfectly, as far as I can tell.

If I remove the service user from the local administrators group on the web server with IIS, it no longer works. This allows me to prevent SQL access.

I'm on vacation starting Friday and will be happy to get back to you afterwards.

Regards

Stefan

0 Kudos
Arun_Intel1
Employee
5,164 Views

Hi Stef37,


Thanks for confirming, we are working upon this issue and will have an update once you are back from your vacation.

Enjoy your journey!


Thanks & Regards

Arun

Intel Customer Support Technician

intel.com/vPro




0 Kudos
Arun_Intel1
Employee
4,967 Views

Hi Stef37,

 

Changing the IIS User account is a little complex.  The service account user needs to have access to the main SQL database. In addition, the admin user needs to give him rights to the EMA database.

 

The lines below describe the steps that the admin user needs to perform in SQL for adding a service account user with EMA database access.

 

Open the Security folder

         Right-click over the Login folder

         Select New Login

On the General tab

Login Name

                   Type Service Account User domain\username

At the bottom, for Default Database: Select EMA database

On Server Roles

         Add sysadmin

On User Mapping

         Check EMADatabase. In the same row, type dbo at the Default Schema.

On Securables

         No changes are necessary

On Status

         Grant permission to the database and enable login

 

Restart the server

Log in with the service account user to the server; he should have access to the EMA database.

 

More details in the Notes section 1.3.3 Database of Intel® Endpoint Management Assistant (Intel® EMA) Server Installation Guide.

https://www.intel.com/content/www/us/en/content-details/841803/intel-endpoint-management-assistant-intel-ema-server-installation-and-maintenance-guide.html?DocID=841803

  

Warning:

We reviewed the case with the development team, and they suggested adding the local admin rights to the service account. The reason is that the user will lose access after the EMA software updates.

This content is a preview of a link.


www.intel.com

www.intel.com

https://www.intel.com/content/www/us/en/content-details/841803/intel-endpoint-management-assistant-intel-ema-server-installation-and-maintenance-guide.html?DocID=841803


Thanks & Regards

Arun

Intel Customer Support Technician

intel.com/vPro


0 Kudos
Stef37
Beginner
4,868 Views

Hi Arun

From my perspective, I've already done this.

Here's the situation again:
A database for Intel EMA was created on the central Microsoft SQL Server during setup.
After creating the database, the service user was entered in SQL under Login and granted the necessary rights to the Intel EMA database.

On the service server with the IIS for Intel EMA (new server only for Intel EMA), the adjustments were made according to the "Intel® Endpoint Management Assistant" PDF (e.g., read access to certificates, application pool, etc.).

Conclusion: The website remains white.

If I add the service user to the local administrators group on the service server, everything works perfectly.

I noticed that when I follow all the instructions in section 1.4.9, the "Intel® EMA Platform Manager" service can no longer be started.
If I add the service user back to the local administrators group, the website opens again, and login works.

 

I am now on vacation for 2 weeks and would be happy to be able to solve the problem afterwards

 

Regards

Stefan

0 Kudos
Arun_Intel1
Employee
4,719 Views

Hi Stef37,


Thank you for sharing the insight of the issue, we are working upon it and will share our inputs.

Meanwhile, we wish you have a safe and happy Journey!


Thanks & Regards

Arun

Intel Customer Support Technician





0 Kudos
Arun_Intel1
Employee
2,577 Views

Hi Stef37,

 

As per our engineering suggestion, it is recommended that the user who accesses the EMA console, keep the admin rights to the database. This is suggested to prevent access issues after EMA software upgrades.

 To further continue with the troubleshooting, we will need the user's access to the EMA database while using the service user account, Where we can schedule for a meeting, within our working hours (8am - 5pm PST).

 

Thanks & Regards

Arun

Intel Customer Support Technician



0 Kudos
Stef37
Beginner
1,935 Views

Hi Arun

I am now back from vacation and the problem still exists.

We're going around in circles.

In order for the website to display and for me to log in to Intel EMA with my own domain user, the service user must be stored in the local Administrators group.
Then everything works perfectly.

If I restart the "Intel® EMA Platform Manager" service (the log-on user is the same as the one stored in the database), everything under wwwroot is deleted except for the Views folder and the web.config file.
-> This means that after a server restart (e.g., automatic Windows updates), everything is deleted, and the website is no longer displayed.

Unfortunately, the specified time of 8:00 a.m. to 5:00 p.m. PST is outside of my working hours.

Who else can help me with this? Are there Intel technicians in Europe?

 

Regards

Stefan

0 Kudos
Arun_Intel1
Employee
2,359 Views

Hi Stef37,


Gentle reminder as a follow up to check upon our previous request regarding the meeting request if the issue still persists.


Thanks & Regards

Arun

Intel Customer Support Technician



0 Kudos
Arun_Intel1
Employee
1,903 Views

Hi Stef37,


Thank you for sharing your observation.


We would like to schedule a meeting at 4pm (Switzerland)  (7 AM PST), to further check upon the issue. Once your confirm the same, then we shall go ahead and send out the meeting link through the email.


Note:

We would like to have the meeting scheduled 24 hrs.' prior to the meeting, hence it would be the next day after your confirmation.


Thanks & Regards

Arun

Intel Customer Support Technician


 


0 Kudos
Stef37
Beginner
1,648 Views

Hi Arun

I could arrange it next Monday or Tuesday at 4:00 p.m.

Regards
Stefan

0 Kudos
Arun_Intel1
Employee
1,640 Views

Hi Stef37,


Sure, please let us know the exact date and time with the time zone so that we can go ahead and send you a meeting invite through the email as said, for next week.


Note: Please keep the complete set up accessible with atleast one endpoint physically accessible.


Thanks & Regards

Arun

Intel Customer Support Technician




0 Kudos
Stef37
Beginner
1,535 Views

Hi Arun

Tuesday, August 19, 2025, at 4:00 PM (GMT+2, Swiss Time)

Note: No agents have been created or clients connected yet. The only issue is that if I remove the service user's local administrator rights, the website for administration is no longer available (white page, no error message, and the Intel Service no longer starts).

Regards
Stefan

0 Kudos
Suneesh
Employee
1,518 Views

Hi Stef37,


Thank you for the confirmation.


We will send an email with the meeting link to join at the scheduled time.


Note: Please ensure the complete setup is accessible, with at least one endpoint physically available for troubleshooting.


Regards,

Suneesh S

Intel Customer Support Technician

​​​​​​​intel.com/vPro


0 Kudos
Reply