Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Intel AMT Out-of-Band Support without PKI Certificate

RickyB
Beginner

Hello Intel Community,

 

I am trying to set up Out-of-Band management on a system using Intel EMA. Currently, I have SQL Server 2022 installed on a system running Windows 10 Enterprise LTSC 2019. The hardware being used is fully compatible with IAMT/vPro requirements for OOB support (Motherboard: DFI ADS101, LAN Controller: I219-LM, CPU: i5-12500TE).

Currently, I have Intel EMA Platform Manager installed/running, and can also access/manage all in-band features within Intel EMA, but struggling with setting up OOB features.

Every pathway I search states that I (or my organization) would need to purchase a valid PKI certificate to fully utilize the Hardware Manageability features within Intel EMA. The PKI certificate (PFX file) can either be loaded onto Intel EMA for remote provisioning, or configured manually on the MEBx BIOS tab. (If this isn't correct, please correct me if I'm wrong)

This topic on the Intel Community forum made me question if it is possible to create my own PKI Certificate, and utilize this for OOB support on a test environment:

Intel AMT Provisioning Certificate with a .local domain

 

Is there a way to create a test PKI certificate that can be used for OOB management with Intel EMA, and a compatible IAMT/VPro system? Would a self-signed Windows Certificate (or something similar) suffice, or is a valid PKI Certificate required to be able to access these OOB management features?

My goal is to test these OOB features fully, without having to purchase a valid PKI certificate. This would only be done on a designated testing environment, and not for production use.

 

Any advice would be greatly appreciated. Thank you in advance.

9 Replies
Victor_G_Intel
Employee

Hello RickyB,


Thank you for posting on the Intel® communities.


There are a few ways you can provision an endpoint into the desired admin control mode (ACM) without having to buy a certificate, please find more information on them below:


1- You can follow the steps found in the article below to create a self-signed certificate:


How to Create a Self-Certificate Hash for Intel® Active Management Technology (Intel® AMT) Version 14 or Higher


https://www.intel.com/content/www/us/en/support/articles/000059996/software.html


However, please bear in mind that if you use this method instead of buying a certificate from an authorized vendor you will need to manually add the hash to every single endpoint’s MEBx.


2- You can use the steps below to provision an endpoint in ACM without using a certificate.


How to Provision an Endpoint without an Intel® Active Management Technology (Intel® AMT) Certificate


https://www.intel.com/content/www/us/en/support/articles/000097538/software.html


Best regards,

 

Victor G.

Intel Technical Support Technician


RickyB
Beginner

Hello Victor,

Thank you for your reply.

I have seen this article before on "How to Create a Self-Certificate Hash for Intel AMT", but am running into issues with "Step 3: From the Console Root tree, double-click Certificate Templates. The list of templates is shown in the right pane."

On Windows 10 Enterprise LTSC 2019, there is no option for "Certificate Templates" within the Snap-In component of the Microsoft Management Console Window. Only option I'm seeing is for "Certificates", either for Current User, or Local Computer. Neither of these options contain "Certificate Templates".

I did some digging, and it looks like the "Certificate Templates" snap-in component is primarily available within the Windows Server OS. Currently trying to find a workaround for this within Windows 10 LTSC 2019. The only option I'm finding so far is to install Remote Server Administration Tools (RSAT) via PowerShell, but I'm not sure if this will give me the same capabilities as MMC when it comes to creating a Self-Certificate Hash.

Any advice?

Thanks,

-Ricky B. 

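The two posts above (Victor's pointer to the self-signed hash article, and Ricky's problem that the Certificate Templates snap-in only exists on Windows Server) can both be served by one script. The following is an added example, not code from the thread or from Intel's support articles, and it swaps the article's MMC/Certificate Templates route for the `New-SelfSignedCertificate` cmdlet that ships with Windows 10, so no AD CS component is needed. It generates a self-signed AMT provisioning certificate, checks that it carries the markers AMT looks for, prints the SHA-256 hash that still has to be typed into each endpoint's MEBx, and exports a PFX for Intel EMA. The DNS suffix `lab.local`, the PFX path, and the helper function names are assumptions; the Intel AMT setup EKU OID `2.16.840.1.113741.1.2.3` and the `Intel(R) Client Setup Certificate` OU are the standard provisioning-certificate markers.

```powershell
# Added example, not code from the thread or from Intel's support articles.
# Builds a self-signed Intel AMT provisioning certificate with the PKI cmdlets
# that ship in Windows 10, so the Certificate Templates snap-in (a Windows
# Server / AD CS component) is not required. Run in an elevated PowerShell
# session on the machine that will hold the PFX.
#
# Assumptions (placeholders, not values from the thread):
#   - 'lab.local' is the DNS suffix the AMT endpoints get from DHCP option 15;
#     AMT checks the certificate's DNS name against that suffix
#   - 'C:\lab\amt-provisioning.pfx' is a placeholder output path
#   - the endpoints run AMT 14 or later, so the MEBx expects a SHA-256 hash

$DnsSuffix     = 'lab.local'
$PfxPath       = 'C:\lab\amt-provisioning.pfx'
$AmtSetupOid   = '2.16.840.1.113741.1.2.3'   # Intel AMT setup/provisioning EKU
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'         # TLS server authentication EKU

function New-AmtProvisioningCertificate {
    param([string]$Suffix)
    # AMT recognises a provisioning certificate by the Intel setup EKU OID or by
    # the OU 'Intel(R) Client Setup Certificate' in the subject; both are set.
    # RSA-2048 with SHA-256 keeps the certificate acceptable to AMT 14+.
    New-SelfSignedCertificate `
        -Subject "CN=provisioning.$Suffix, OU=Intel(R) Client Setup Certificate" `
        -DnsName "provisioning.$Suffix" `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeyExportPolicy Exportable `
        -KeyUsage DigitalSignature, KeyEncipherment `
        -TextExtension @("2.5.29.37={text}$ServerAuthOid,$AmtSetupOid") `
        -NotAfter (Get-Date).AddYears(2) `
        -CertStoreLocation 'Cert:\LocalMachine\My'
}

function Get-AmtMebxHash {
    # SHA-256 over the DER-encoded certificate. For a self-signed certificate
    # this is the "root" hash that must be entered in each endpoint's MEBx.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        return (($sha256.ComputeHash($Certificate.RawData) |
                 ForEach-Object { $_.ToString('X2') }) -join '')
    } finally {
        $sha256.Dispose()
    }
}

function Test-AmtProvisioningCertificate {
    # Sanity check before handing the PFX to EMA: the Intel setup EKU must be
    # present, the key RSA-2048 or larger, and the signature SHA-256.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($eku) { $ekuOids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    $rsaKey = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    return [pscustomobject]@{
        HasAmtSetupEku  = ($ekuOids -contains $AmtSetupOid)
        HasServerAuth   = ($ekuOids -contains $ServerAuthOid)
        KeySizeOk       = ($null -ne $rsaKey -and $rsaKey.KeySize -ge 2048)
        Sha256Signature = ($Certificate.SignatureAlgorithm.FriendlyName -match 'sha256')
    }
}

$cert = New-AmtProvisioningCertificate -Suffix $DnsSuffix
Test-AmtProvisioningCertificate -Certificate $cert | Format-List

# Value to enter in each endpoint's MEBx under the TLS PKI / Manage Hashes menu.
"MEBx hash (SHA-256): $(Get-AmtMebxHash -Certificate $cert)"

# Export certificate plus private key for upload to Intel EMA.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$null = New-Item -ItemType Directory -Path (Split-Path $PfxPath) -Force
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null
"PFX written to $PfxPath"
```

This removes the snap-in dependency but not the caveat Victor gives: because the certificate is not chained to a root already present in the AMT firmware, the printed hash has to be added by hand in every endpoint's MEBx, and the DNS name on the certificate has to match the domain suffix the endpoint sees, which is the same constraint the linked `.local` domain thread is about.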
Victor_G_Intel
Employee

Hello RickyB,

 

Thank you for your response.


Before moving forward with EMA please take a look at the supported operating systems for it, you can find them in the link below:


https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-server-installation-and-maintenance-guide.pdf#page=8


Unfortunately, there is no workaround we can provide since your EMA instance is not being run in a valid OS build.

 

Best regards,

 

Victor G.

Intel Technical Support Technician


RickyB
Beginner

Thanks again for your reply, Victor.

 

The installation and maintenance guide you referenced states:

As a stand-alone application, the Intel® EMA Agent can be installed on the following operating systems:
- Microsoft Windows 10
- Microsoft Windows 11
Intel EMA Server can be installed on the following operating systems:
- Microsoft Windows Server 2019 (Note: The getPFX API requires the Intel EMA server to be installed on Windows Server 2019 or later)
- Microsoft Windows Server 2022 (Note: Crypto for Intel ME 11 systems is disabled by default on Windows Server 2022)

 

Just to clarify, when it states that Intel EMA as a "stand-alone application", does this mean that only In-Band management features can be utilized on a Windows 10 OS? And all Out-of-Band features (which includes all IAMT components) would require Windows Server 2019 or 2022 to be installed on all PC builds?

If we purchased a valid PKI certificate from a reputable vendor, we still would not be able to fully manage OOB features within Intel EMA, on a Windows 10 PC (even if that Windows 10 build has SQL Server 2022 installed)? 

 

Thanks again,

-Ricky B.

Victor_G_Intel
Employee

Hello RickyB,

 

Thank you for your response.


Please find your questions answered below:

 

Just to clarify, when it states that Intel EMA is a "stand-alone application", does this mean that only In-Band management features can be utilized on a Windows 10 OS? And all Out-of-Band features (which includes all IAMT components) would require Windows Server 2019 or 2022 to be installed on all PC builds?


R/ The Intel EMA agent is not the same as the Intel EMA server. The Intel EMA agent is the file you generate with the tool and is the one that will be installed on your endpoints; those can have either Windows 10 or Windows 11, but for the Intel EMA server only Windows Server 2019 and 2022 work.


If we purchased a valid PKI certificate from a reputable vendor, we still would not be able to fully manage OOB features within Intel EMA, on a Windows 10 PC (even if that Windows 10 build has SQL Server 2022 installed)? 


R/ You can only use EMA in admin control mode (ACM) if you have a valid PKI certificate, either from a vendor, by using a self-signed cert, or by using the adoption method previously shared that doesn't require a certificate.


Note: Both the method involving a self-signed cert and the one that doesn't involve a certificate (adoption method) require you to physically access each endpoint's MEBx to complete provisioning.


Best regards,

 

Victor G.

Intel Technical Support Technician


RickyB
Beginner

Hello Victor,

Thanks again for your reply.

 

I do have another follow-up question regarding this. If we set up a Server PC with Intel EMA, and a separate Client (EMA Agent), I'm assuming both systems will need to be fully IAMT/VPro compatible. Is this correct? Or would that primarily rely on the Client PC (or Server PC) to have that capability? 

For example, if the Server PC does not have a compatible IAMT/VPro CPU, but does have a compatible LAN controller, would this impact the implementation process? Even though the Client (EMA Agent) has fully compatible hardware? 

Thanks again,

-Ricky B.

Victor_G_Intel
Employee

Hello RickyB,


Thank you for your response.


On endpoints that are vPro capable (Full Manageability), there is BIOS access (OOB connection); on the ones that are not, that limitation exists.


In vPro capable systems with Standard Manageability, you have to check with the OEM what features they offer, for example sometimes with the endpoint's wired connection they offer full manageability, but with their wireless connection no manageability at all.


Regarding non-vPro endpoints, those can be provisioned but only in client control mode which can only provide access within the OS and with user consent, and in these cases, you will have to check the brand of their NICs because EMA only works with Intel branded adapters.


Now on the server side: they can be vPro or non-vPro capable; the important things to consider are the server's OS and SQL versions.


Having standard manageability works almost the same as having non-vPro capable devices. Something important to consider is that in non-vPro systems there is no MEBx; you only have to install the EMA agent file.


There is more information about standard and full manageability below:


https://www.intel.com/content/www/us/en/support/articles/000090499/technologies/intel-active-management-technology-intel-amt.html


Best regards,


Victor G.

Intel Technical Support Technician


Victor_G_Intel
Employee

Hello RickyB,

 

We hope this message finds you well.

 

Do you have any updates for this thread?


Best regards,


Victor G.

Intel Technical Support Technician


Victor_G_Intel
Employee

Hi RickyB,


We have not heard back from you.


If you need any additional information, please submit a new question as this thread will no longer be monitored.


Regards,


Victor G.

Intel Technical Support Technician

