Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2827 Discussions

Intel EMA Agent - Rebuild

Jools86
New Contributor II
2,327 Views

Imagine the following scenario:

 

Windows 10 machine is built with Intel EMA Agent and MEBx password randomised and stored within Intel EMA (Accessible via RestAPI).

 

Support engineer needs rebuilds the PC - a rebuild will re-install the EMA Agent and not rationalise an existing record if it has the same NETBIOS name:

 

Jools86_0-1663778578563.png

 

So you end up with 2 machines with the same name, the original record has the actual MEBx password and the new one doesnt so no CIRA connection is made - and both become essentially useless.

 

What is the recommendation for rebuilds, EMAAgent install - it would be nice if it could QA the existing mEBx password against the one stored on the SQL Database for any existing record with the same NETBIOS name - and then rationalise the records into one.

 

As it stands, is the only solution MEshcmd AMTACMDeactivate with a RESTAPI lookup against an existing machine within EMA for the MEBx password?

 

So step would EMA re-build steps would effectively be (or is there something easier)?

 

  • Lookup EMA RestAPI for any existing MEBx password for the machine
  • MeshCMD Deactivate using above password
  • Install EMA agent (which will auto-provision)

 

 

0 Kudos
1 Solution
Jools86
New Contributor II
2,146 Views

Hi Victor,

 

I had to go into MEBx and edit DNS suffix.

 

Its a manual step, but a pretty simple one. Not ideal, as in an engineer cannot rebuild a PC without having to either DE-Provision AMT first, or enter the DNS suffix in via MEBx afterwards.  from: https://www.intel.com/content/www/us/en/support/articles/000059019/software/manageability-products.html.

 

So the correct solution to rebuild a machine that was provisioned by AMT is the following (if you forget to de-provision the PC via Intel EMA before the rebuild):

  1. Run the SQL script here on your EMA DB (after the rebuild has completed): https://www.intel.com/content/www/us/en/support/articles/000087537/technologies/intel-active-management-technology-intel-amt.html 
  2. On the newly rebuilt machine within EMA, you will see GREEN, but CIRA is yellow. Edit the MEBx domain name on your system (via BIOS) to the DNS suffix of your domain, i.e. Intel.com. CIRA should go green when you boot the PC back up.

Thanks Victor G. and Jose A. for providing me with the answers.

 

Regards,

 

Julian

View solution in original post

0 Kudos
11 Replies
JoseH_Intel
Moderator
2,316 Views

Hello Jools86,


Thank you for joining the Intel community


You want to take a look at the following article about this issue:

https://www.intel.com/content/www/us/en/support/articles/000087537/technologies/intel-active-management-technology-intel-amt.html


Let me know if it works


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
Jools86
New Contributor II
2,299 Views

Hi Jose,

 

Thanks ever so much for the Link to the SQL script.

 

Good and Bad news.

 

Good: I have tested the SQL script this morning and it merged the 2 records and MEBx password was moved.

 

Bad: However CIRA is yellow (from Intel EMA console) and HW management not possible. I will de-provision and re-do this test just to confirm it happens every time (CIRA going Yellow). <<<<<_UPDATE_>>>>>> I was using our DEV build and noticed no PKI Certs in Local Machine store. This is probably my issue. Will update this thread.

 

Julian.

0 Kudos
Jools86
New Contributor II
2,263 Views

Again - Rebuild and CIRA is yellow - after the duplicate record is removed using the SQL script.

I built another machine with AMT Not provisioned and it works fine, its the rebuilds with the script that have this CIRA issue.

 2022-09-27 15_37_10-Intel® Endpoint Management Assistant and 13 more pages - Work - Microsoft​ Edge.png

If I try and connect to the client from "Device page":

Jools86_0-1664289667788.png

EMA Agent error message (on actual machine which has YELLOW cira):

Jools86_1-1664289712609.png

 

 

0 Kudos
MIGUEL_C_Intel
Moderator
2,291 Views

Hello Jools86,


We will wait for your outcome, thank you for your update.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
Jools86
New Contributor II
2,260 Views

Hi Miguel,

 

See my notes above (I accidentally replied to myself).

 

But basically, machine called "Workstation01" scenarios:

 

  • 1st Build - AMT De-Provisioned
    • EMA installs
      • AMT is Provisioned and CIRA is GREEN and I can connect from Console
  • Rebuild - AMT provisioned (from 1st build)
    • EMA installs
      • Run SQL Script
      • Record looks good, MEBx password is correct - but CIRA is Yellow in Console

 

I have tested this on 2 machines now, perfectly replicable. So SQL script is close, but CIRA connections not possible.

0 Kudos
Victor_G_Intel
Moderator
2,232 Views

Hello Jools86,


Thank you so much for contacting Intel customer support,


Please proceed with the following steps on the machine that’s been having the problem after the rebuild was done on it:


1-Uninstall EMA directly from the machine


2-Proceed with the unprovisioning of the machine



3-From the EMA web console select the option that says stop managing endpoint.


Once you have completed all the steps you should be able to reprovision the computer.


Best regards,


Victor G.

Intel Technical Support Technician


0 Kudos
Jools86
New Contributor II
2,220 Views

Thanks Victor.

 

This topic is about rebuilding Windows 10/11 machines that have already been provisioned by Intel EMA.

 

The SQL script that Jose A. sent me: https://www.intel.com/content/www/us/en/support/articles/000087537/technologies/intel-active-management-technology-intel-amt.html is supposed to handle the MEBx password when the Intel EMA agent gets re-installed on the rebuilt machine (that the support engineer forgot to de-provision) by merging the Intel EMA DB records for the duplicate Hostname.

 

However my feedback is that although the SQL script merges the records and the sole record left wihin Intel EMA has the correct MEBx Admin password, I cannot connect to the rebuilt device via Intel EMA as the CIRA connection is yellow:

 

Jools86_0-1664354744289.png

 

0 Kudos
Victor_G_Intel
Moderator
2,206 Views

Hello Jools86,


Thank you so much for your response.


In this case, the SQL script that you run did what it was supposed to do; however, I understand that you still have a problem with CIRA not being connected in this rebuilt system; nevertheless, that needs to be seen as a separate problem and; therefore, must be addressed separately, you have the option to follow the steps in the article below if you don’t want to unprovisioned and provisioned the system entirely with the steps previously provided.


How to Troubleshoot a Client Initiated Remote Access (CIRA) Connection in an Intel® Endpoint Management Assistant (Intel® EMA) Environment


https://www.intel.com/content/www/us/en/support/articles/000059019/software/manageability-products.html


Please let us know which path you take and the outcome of any steps that you decide to follow.

 

Best regards,


Victor G.

Intel Technical Support Technician


0 Kudos
Victor_G_Intel
Moderator
2,173 Views

Hello Jools86,


Were you able to check the previous post?  


Please let me know if you still need further assistance


Regards,


Victor G.

Intel Technical Support Technician


0 Kudos
Victor_G_Intel
Moderator
2,156 Views

Hello Jools86,

 

We have not heard back from you.


If you need any additional information, please submit a new question as this thread will no longer be monitored.


Regards,


Victor G.

Intel Technical Support Technician


0 Kudos
Jools86
New Contributor II
2,147 Views

Hi Victor,

 

I had to go into MEBx and edit DNS suffix.

 

Its a manual step, but a pretty simple one. Not ideal, as in an engineer cannot rebuild a PC without having to either DE-Provision AMT first, or enter the DNS suffix in via MEBx afterwards.  from: https://www.intel.com/content/www/us/en/support/articles/000059019/software/manageability-products.html.

 

So the correct solution to rebuild a machine that was provisioned by AMT is the following (if you forget to de-provision the PC via Intel EMA before the rebuild):

  1. Run the SQL script here on your EMA DB (after the rebuild has completed): https://www.intel.com/content/www/us/en/support/articles/000087537/technologies/intel-active-management-technology-intel-amt.html 
  2. On the newly rebuilt machine within EMA, you will see GREEN, but CIRA is yellow. Edit the MEBx domain name on your system (via BIOS) to the DNS suffix of your domain, i.e. Intel.com. CIRA should go green when you boot the PC back up.

Thanks Victor G. and Jose A. for providing me with the answers.

 

Regards,

 

Julian

0 Kudos
Reply