Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Intel EMA & AMT Cert

Ceta
Beginner
1,470 Views

Hi Intel Staff,

 

I had more of a general question in regards to the environment to set up an on-prem Intel EMA server.

I have installed the Intel EMA software on a test bare-metal MS 2019 server (with IIS and MS SQL Server installed). I am using an Intel NUC 12 Pro model with vPro built in that has Windows 11 installed (using this as my test endpoint/client). They both have static IPs and are on the same subnet and VLAN (wired network). I am able to set up the test server with the EMA software, set up the EMA local website, and add the device with the agent files. I am able to connect to the remote desktop through the local Intel EMA webpage. However, I am not able to power on/wake the device when it is powered off (I am able to send a power-off command via the EMA webpage and it works, just not power on). I am also not able to view the Hardware Manageability section (I believe this is where the Out-of-Band management GUI is, if I understand correctly?). The device is provisioning into client control mode, which is due to the lack of a cert in the AMT profile that I have set up, from what I have read here - which is also why I'm assuming I cannot get the CIRA connection to connect in the web page - is this what allows me to wake the device if it is powered off?

From the research I have done from the Intel setup guide PDF and from this forum, I am seeing it is easier to install an AMT PKI cert from a third-party vendor (GoDaddy, DigiCert, etc.). The way our organization is set up is kind of challenging/makes this kind of difficult. We wouldn't have a public-facing IP/domain dedicated to this, and I believe third-party vendors will not fulfill cert requests with just the name of the local server.

Would it be feasible to host an internal web server with all of these components and set up the Intel EMA server with IIS and MS SQL? We would have around 5-10 local locations that would be able to reach the internal IP of the host server (Intel EMA, IIS, MS SQL) and make it more of an intranet site. Would the only way for me to achieve this setup be through setting up an internal CA? I know that is a long process to set up and I would have to manually configure each endpoint (we would have about 300), but I just wanted to see my options or next steps I would have to take.

Thank you so much for your help! 

0 Kudos
1 Solution
Victor_G_Intel
Employee
1,450 Views

Hello Ceta,

 

Thank you for posting on the Intel® communities.


In regard to your inquiries, please take a look at the following information:


I had more of a general question in regards to the environment to set up an on-prem Intel EMA server.


I have installed the Intel EMA software on a test bare-metal MS 2019 server (with IIS and MS SQL Server installed). I am using an Intel NUC 12 Pro model with vPro built in that has Windows 11 installed (using this as my test endpoint/client). They both have static IPs and are on the same subnet and VLAN (wired network). I am able to set up the test server with the EMA software, set up the EMA local website, and add the device with the agent files. I am able to connect to the remote desktop through the local Intel EMA webpage. However, I am not able to power on/wake the device when it is powered off (I am able to send a power-off command via the EMA webpage and it works, just not power on). I am also not able to view the Hardware Manageability section (I believe this is where the Out-of-Band management GUI is, if I understand correctly?). The device is provisioning into client control mode, which is due to the lack of a cert in the AMT profile that I have set up, from what I have read here - which is also why I'm assuming I cannot get the CIRA connection to connect in the web page - is this what allows me to wake the device if it is powered off?


R/ In order to use CIRA you will need to have a PKI certificate, either from a vendor or by creating a self-signed certificate. If you decide not to use a cert for whatever reason, you will still be able to use EMA, but all the endpoints (as you have experienced) will be provisioned in CCM and will have limitations (user consent). In regards to the wake-up command, please bear in mind that when you use TLS you need at least two endpoints fully provisioned, and one of them must be turned on per subnet with the Intel EMA agent running; if both endpoints, or for that matter all endpoints, are off, EMA will not be able to manage them with AMT.


Please refer to the following series of videos to learn more about the provisioning process.


Remote Endpoint Management with Intel® AMT EMA (1 of 3) | Intel Business

https://www.youtube.com/watch?v=WKi4C8_r1XE


Remote Endpoint Management with Intel® AMT EMA (2 of 3) | Intel Business

https://www.youtube.com/watch?v=1z9e2T3wDqI


Remote Endpoint Management with Intel® AMT EMA (3 of 3) | Intel Business

https://www.youtube.com/watch?v=iLU17jNADV8


From the research I have done from the Intel setup guide PDF and this forum, I am seeing it is easier to install an AMT PKI cert from a third-party vendor (GoDaddy, DigiCert, etc.). The way our organization is set up is kind of challenging/makes this kind of difficult. We wouldn't have a public-facing IP/domain dedicated to this, and I believe third-party vendors will not fulfill cert requests with just the name of the local server.


R/ We wouldn't be able to know whether the vendors will fulfill this type of request or not; however, you are more than welcome to ask them directly. Their information can be found at the bottom of the page in the following link.


Intel® Active Management Technology Implementation


https://www.intel.com/content/www/us/en/architecture-and-technology/vpro/active-management-technology/implementation.html


Would it be feasible to host an internal web server with all of these components and set up the Intel EMA server with IIS and MS SQL? We would have around 5-10 local locations that would be able to reach the internal IP of the host server (Intel EMA, IIS, MS SQL) and make it more of an intranet site. Would the only way for me to achieve this setup be through setting up an internal CA? I know that is a long process to set up and I would have to manually configure each endpoint (we would have about 300), but I just wanted to see my options or next steps I would have to take.


R/ As long as you keep your EMA instance as it is and you don't use a cert, you will be able to use TLS, which is used for instances where all the endpoints are in the same network as the EMA server. If you use a PKI cert that you create, or a self-signed certificate for that matter, you will be able to provision the endpoints in ACM (admin control mode, no user consent needed), but you will need to deal with a more time-consuming process, since you will need to add the hash manually to every system's MEBx. You can find more information about that process in the link below.


How to Create a Self-Certificate Hash for Intel® Active Management Technology (Intel® AMT) Version 14 or Higher


https://www.intel.com/content/www/us/en/support/articles/000059996/software.html

 

Best regards,

 

Victor G.

Intel Technical Support Technician



0 Kudos
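For the self-signed route described in the answer above (ACM provisioning, with the root certificate hash entered by hand into each system's MEBx), here is an added PowerShell helper, not from this thread and not part of Intel EMA, that computes the SHA-256 hash of the root CA certificate and runs the sanity checks an admin would want before typing that hash into 300 MEBx menus. The certificate path is a hypothetical placeholder, and the MEBx menu names vary by firmware version, so confirm them against the Intel article linked in the answer.

```powershell
# Added example (not Intel EMA code). Computes the MEBx "customized hash" of a root CA
# certificate and checks that the file really is a root CA before it is trusted fleet-wide.
param(
    # Hypothetical path: export the root CA cert as DER (.cer) or PEM.
    [string]$RootCertPath = 'C:\EMA\ema-root-ca.cer'
)

# X509Certificate2 accepts both DER and PEM files; RawData is always the DER encoding.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($RootCertPath)

# The hash MEBx expects is the fingerprint of the DER-encoded certificate. Do not use
# Get-FileHash on a PEM file: that hashes the base64 text, not the certificate.
# $cert.Thumbprint is SHA-1 in .NET, so compute SHA-256 explicitly.
$sha256    = [System.Security.Cryptography.SHA256]::Create()
$hashBytes = $sha256.ComputeHash($cert.RawData)
$hashHex   = [System.BitConverter]::ToString($hashBytes).Replace('-', '')

# Sanity checks before this hash is added to every endpoint's trust list.
$isSelfIssued = ($cert.Subject -eq $cert.Issuer)

$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
$isCA = [bool]($bc -and $bc.CertificateAuthority)

$ku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$certSign = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign
# A missing Key Usage extension is treated as permissive; an explicit one must allow keyCertSign.
$canSignCerts = (-not $ku) -or (($ku.KeyUsages -band $certSign) -ne 0)

$now        = Get-Date
$validNow   = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
$daysLeft   = [int]($cert.NotAfter - $now).TotalDays

[PSCustomObject]@{
    Subject      = $cert.Subject
    IsSelfIssued = $isSelfIssued      # a root must be self-issued
    IsCA         = $isCA              # BasicConstraints CA=true
    CanSignCerts = $canSignCerts      # keyCertSign present or no KU restriction
    ValidNow     = $validNow
    DaysToExpiry = $daysLeft          # plan re-provisioning well before this hits 0
    Sha256Hash   = $hashHex           # enter under MEBx TLS PKI / Manage Hashes (name varies)
}
```

Record the printed hash alongside the certificate's serial and expiry in your change log, so a replacement root can be staged before the current one expires rather than after endpoints stop accepting the profile.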
3 Replies
Victor_G_Intel
Employee
1,368 Views

Hello Ceta,

 

Were you able to check the previous message we sent?  


Please let us know if you need further assistance.

 

Best regards,

 

Victor G.

Intel Technical Support Technician


0 Kudos
Victor_G_Intel
Employee
1,323 Views

Hello Ceta,


We have not heard back from you.


If you need any additional information, please submit a new question as this thread will no longer be monitored.


Regards,


Victor G.

Intel Technical Support Technician


0 Kudos