
Is setup.bin a onetime or multi use? - AMT already provisioned message...

Open nandox5 opened this issue 1 year ago • 16 comments

I made the setup.bin on MeshCentral (through the group). When I turn on the laptop or desktop with the USB plugged in I get "Automatic provision found, want to continue?" I click yes.

I then get "AMT on this computer is already provisioned. Press any key to exit."

The two machines that I tested this on had AMT unprovisioned and not active.

Trying this method due to laptops not provisioning with ACM. I think it's nearly impossible to provision laptops in ACM without the USB. I just installed MeshCentral today and I have tested a wired desktop machine with a successful ACM activation (have a valid vPro cert etc. configured).

Any ideas on how I can get a bunch of laptops provisioned in ACM? I'd like to make this process as easy as possible for the help desk team. They will be switching a bunch of machines from the old Intel SCS to CIRA/EMA/MeshCentral.

MeshCentral is installed on Linux Ubuntu 18.04 if it makes any difference.

nandox5 avatar Aug 05 '22 02:08 nandox5

You're not the only one to ask. I get that question all the time. How do you activate Intel AMT into ACM easily? The big problem is that ACM is quite a powerful mode since you can take control of a computer remotely and so, it's not a mode that can and should be granted easily to anyone. You can do CCM easily, but ACM is difficult on purpose. I have a video on Intel AMT activation that covers this exact topic here.

For Intel AMT devices with a wired Ethernet port, the easiest by far is to get a trusted Intel AMT activation certificate (you need to pay for this), set up a DHCP server with the network name of your cert (option 15) and then run "meshcmd amtconfig" or run the meshagent on the AMT machine. MeshCentral should detect it has a cert that is trusted by Intel AMT and that Intel AMT is on a wired network with option 15 that matches your cert. It will then perform activation to ACM.

For "Is setup.bin a onetime or multi use?" - The setup.bin generated by MeshCentral is multi-use. It will set the trusted root hash of your MeshCentral activation cert and a random trusted FQDN into AMT. MeshCentral will then detect the match and activate. The setup.bin will not directly activate to ACM; instead it gets the platform ready for activation (no paid cert or DHCP option 15 needed) which is a lot more secure. One SUPER ANNOYING thing however is that if AMT is already activated into CCM, it will not accept the USB key. This is annoying because if you opt to use CCM as a fallback when ACM is not available, you can't use the USB key.

Hope this helps.

Ylianst avatar Aug 05 '22 18:08 Ylianst

Thanks for the reply.

I have MeshCentral set up with all requirements for ACM, DHCP option 15, paid cert etc. I was able to successfully get one machine into ACM. While others are having a hard time activating AMT at all (no CCM or ACM), they get stuck on Not Activated (Pre).

  1. The problem I am running into is that, while I understand that if a machine is already on CCM the USB provision will not work at this point, the machines that I am getting errors on are not AMT active/provisioned (no CCM or ACM), yet I still get a message that says it's already provisioned and will not let me provision.

  2. I got multiple laptops with no Ethernet NIC. Is USB my only hope to get them on ACM? Or is there a USB to Ethernet adapter that you guys know will work to provision over a "wired" connection?

nandox5 avatar Aug 05 '22 18:08 nandox5

  1. If you have a valid cert and option 15 and the option 15 name matches the name of your cert, it should work. Send screenshots of where you get the error and any context around the error. Do you use the agent or meshcmd amtconfig with an agentless device group?
  2. USB setup.bin or manually in MEBx or maybe a Thunderbolt dock depending on the vendor and Intel AMT version. Getting any other USB Ethernet adapter will not work since that would not be an Ethernet port that is managed by Intel AMT.

The activation limitations are not limitations of MeshCentral, they are restrictions of Intel AMT.

Ylianst avatar Aug 05 '22 19:08 Ylianst

Okay, I have installed and reinstalled the agent so many times that I probably broke something, so for the sake of troubleshooting, I have removed the agent, removed the mesh install folder, rebooted the machine, removed the agent from the MeshCentral dashboard and downloaded a brand new agent installer.

State before installing the agent: [screenshots]

After installing the agent: [screenshots]

This is happening on 3 machines where AMT will not activate at all (CCM or ACM). They are connected to the built-in Ethernet.

Server console: [screenshot]

nandox5 avatar Aug 05 '22 20:08 nandox5

Oh, a special note. This machine was provisioned through a different server before with CCM. So I did the ACUconfig UnConfigure to remove provisioning. I also tried sending the Unprovision command from the server that provisioned it but that one didn't seem to work.

nandox5 avatar Aug 05 '22 20:08 nandox5

Nice. You seem to know what you are doing, that is amazing! I don't get to chat with AMT experts much. Here is a big trick. If using an agent, go in the agent console and type "amtconfig" like this:

[screenshot]

It will kick off the Intel AMT synchronization process and should show you exactly what is going on. You can also type "amtevents" to see what happened in the past.

Ylianst avatar Aug 05 '22 22:08 Ylianst

You are a legend! It worked on 1 out of the 2 affected test machines. Opening the LMS tunnel I was able to kick start the CCM deactivation and ACM activated after a minute of waiting. Nice! It seems that this nifty command will manually kickstart the config, exactly what I was looking for. Perhaps documenting all these hidden commands would be of great benefit to everyone (maybe they are already documented? I'm just blind). I did run into a problem on the second machine, keep reading. [screenshot]

However, on the second machine I get this error: [screenshot]

nandox5 avatar Aug 07 '22 03:08 nandox5

Nice. On the second system you are getting error 4 for the call AddNextCertInChain(), you can see documentation here. The error is "CERT_VERIFY_FAILED".

Something went wrong when Intel AMT verified the certificate. What version of AMT is the second system?

As for the "amtconfig" command, that should be triggered automatically when the agent connects, but may get delayed depending on the load on the server. The MeshCentral server will limit how many Intel AMT devices it's configuring at any one time. "amtconfig" will force the server to start the process, but will also show you what is going on which is useful.

Ylianst avatar Aug 08 '22 18:08 Ylianst

Tested this on two identical machines and both failed with the same error. Version is v16.0.15, sounds like it's related to AMT, which is weird because when getting the root cert hash entries that are on those machines I get:

Root Cert 1: Go Daddy Class 2 CA, SHA256, C3:84:6B:F2:4B:9E:93:CA:64:27:4C:0E:C6:7C:1E:CC:5E:02:4F:FC:AC:D2:D7:40:19:35:0E:81:FE:54:6A:E4, Active, Default;
Root Cert 2: Go Daddy Root CA-G2, SHA256, 45:14:0B:32:47:EB:9C:C8:C5:B4:F0:D7:B5:30:91:F7:32:92:08:9E:6E:5A:63:E2:74:9D:D3:AC:A9:19:8E:DA, Active, Default;
**Root Cert 3: Comodo AAA CA, SHA256, D7:A7:A0:FB:5D:7E:27:31:D7:71:E9:48:4E:BC:DE:F7:1D:5F:0C:3E:0A:29:48:78:2B:C8:3E:E0:EA:69:9E:F4, Active, Default;**
Root Cert 4: Starfield Class 2 CA, SHA256, 14:65:FA:20:53:97:B8:76:FA:A6:F0:A9:95:8E:55:90:E4:0F:CC:7F:AA:4F:B7:C2:C8:67:75:21:FB:5F:B6:58, Active, Default;
...
...

Cert 3 matches the root cert of my AMT cert.

nandox5 avatar Aug 08 '22 19:08 nandox5
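The check the previous comment does by eye (is the root of my activation certificate's chain present and active in the AMT trusted root hash list?) can be scripted. The following is an added example, not MeshCentral's or Intel's own code: it parses the `Root Cert N: name, SHA256, hash, Active, Default;` lines in the format pasted above (the sample list embedded here is constructed from those lines), computes the certificate fingerprint as the hash of the DER encoding (which is what the AMT hash entries hold), and reports which entry, if any, matches. The PEM helper assumes a plain Base64 PEM body; the root certificate itself is not included, so you pass your own.

```python
import base64
import hashlib
import re

# Constructed sample: the first four entries of an AMT trusted root hash list,
# exactly as the MeshCentral server console printed them in this thread.
SAMPLE_HASH_LIST = """\
Root Cert 1: Go Daddy Class 2 CA, SHA256, C3:84:6B:F2:4B:9E:93:CA:64:27:4C:0E:C6:7C:1E:CC:5E:02:4F:FC:AC:D2:D7:40:19:35:0E:81:FE:54:6A:E4, Active, Default;
Root Cert 2: Go Daddy Root CA-G2, SHA256, 45:14:0B:32:47:EB:9C:C8:C5:B4:F0:D7:B5:30:91:F7:32:92:08:9E:6E:5A:63:E2:74:9D:D3:AC:A9:19:8E:DA, Active, Default;
**Root Cert 3: Comodo AAA CA, SHA256, D7:A7:A0:FB:5D:7E:27:31:D7:71:E9:48:4E:BC:DE:F7:1D:5F:0C:3E:0A:29:48:78:2B:C8:3E:E0:EA:69:9E:F4, Active, Default;**
Root Cert 4: Starfield Class 2 CA, SHA256, 14:65:FA:20:53:97:B8:76:FA:A6:F0:A9:95:8E:55:90:E4:0F:CC:7F:AA:4F:B7:C2:C8:67:75:21:FB:5F:B6:58, Active, Default;
"""

# One list line: index, CA name, hash algorithm, colon-separated digest, flags.
LINE_RE = re.compile(
    r"^Root Cert (?P<index>\d+): (?P<name>.+?), (?P<alg>SHA1|SHA256|SHA384), "
    r"(?P<hash>[0-9A-Fa-f:]+), (?P<flags>.*?);?\s*$"
)


def parse_hash_list(text):
    """Turn the console listing into dicts; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip().strip("*"))  # tolerate markdown bold marks
        if not m:
            continue
        flags = [f.strip() for f in m.group("flags").split(",")]
        entries.append({
            "index": int(m.group("index")),
            "name": m.group("name"),
            "alg": m.group("alg"),
            "hash": m.group("hash").upper().replace(":", ""),
            "active": "Active" in flags,
            "default": "Default" in flags,
        })
    return entries


def pem_to_der(pem):
    """Strip the BEGIN/END armour and Base64-decode the certificate body."""
    body = "".join(l.strip() for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def fingerprint(der, alg="SHA256"):
    """Digest of the DER bytes in the colon-separated uppercase form AMT prints."""
    digest = hashlib.new(alg.lower(), der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def find_trusted_root(entries, root_der):
    """Return the active hash-list entry matching root_der, or None if absent/disabled."""
    for e in entries:
        if e["active"] and fingerprint(root_der, e["alg"]).replace(":", "") == e["hash"]:
            return e
    return None


if __name__ == "__main__":
    import sys
    # Usage: python check_amt_root.py root_ca.pem < hash_list.txt
    # (hypothetical file names; the hash list is whatever the server console printed)
    root = pem_to_der(open(sys.argv[1]).read())
    hit = find_trusted_root(parse_hash_list(sys.stdin.read()), root)
    if hit:
        print(f"root matches entry {hit['index']} ({hit['name']}), active={hit['active']}")
    else:
        print("root of the activation cert is NOT in the active AMT hash list")
```

Note that the comparison is against the root of the chain MeshCentral sends, not the leaf activation cert; a chain whose intermediate is missing will still fail inside AMT even when this check passes, so treat a match as necessary, not sufficient.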

Ha, sadly, I own Intel AMT v7, v8, v9, v10, v11, v12, v14, v15. I don't have a v16 to test with. I know in v16 they changed some of the certificate formats to support ECC and I added support for this in MeshCommander and it should not affect this flow, however, I have not tested a full ACM activation with v16.

One thing that is odd. For Intel AMT 14 and above, host-based TLS ACM activation should be used by default, but you seem to have activated using the legacy system.

In the "domains" section of the config.json, do you use the "TlsAcmActivation" key? It should be true by default.

```json
{
  "settings": { },
  "domains": {
    "": {
      "AmtManager": {
        "TlsAcmActivation": true
      }
    }
  }
}
```

Ylianst avatar Aug 09 '22 05:08 Ylianst

I added the configuration above to the config, it was not there. How can you tell which method (legacy or host-based) was used? On a side note, while testing activations, is there a console command that allows me to unprovision a specific machine?

nandox5 avatar Aug 09 '22 13:08 nandox5

If you see:

```
Performing TLS ACM activation...
```

it's using the new ACM activation flow that is more secure. If you see:

```
Getting ready for ACM activation...
```

that is the old method using WSMAN calls. The new method is only supported in Intel AMT v14 and higher.

For deactivation, you can use meshcmd.exe:

```
meshcmd AmtAcmDeactivate --user admin --pass mypassword --type full
```

Let me know if that works.

Ylianst avatar Aug 09 '22 17:08 Ylianst

[screenshot]

Ran into this new error message on a brand new laptop with v16. This time I tried the setup.bin method.

EDIT: Tried another newer but not as new machine, AMT 15.0.23, same issue as above with setup.bin. I was able to use setup.bin on other computers (older AMT version though). EDIT 2: hmm, seems to be happening on all machines. Let me reboot the server and then check firewall settings as some SNORT policies were changed. Nvm, not firewall related.

nandox5 avatar Aug 10 '22 18:08 nandox5

Try "TlsAcmActivation": false to see if the other activation technique works. However, it seems something else is going on, such as incorrect activation certificates or the option 15 FQDN not matching. For security reasons, Intel AMT will not indicate exactly what the problem is and so, I have spent some time trying to find and detect all the edge cases.

Ylianst avatar Aug 10 '22 20:08 Ylianst

"TlsAcmActivation": false fixed the 408 error on the laptop with v15. It's now on ACM (done with setup.bin). [screenshot]

The new laptop that is on v16 still did not work, giving me the same error as before, ERR4 (tried with the setup.bin method). [screenshot]

What JS file handles the cert chaining process? I can try to debug this issue.

nandox5 avatar Aug 10 '22 20:08 nandox5

Another thing I found out that may not be related or cause any problems, but worth noting to check: in the server console if I get the certs, I see the AMT cert shows domain.com even though the cert is ema.domain.com. Is there anything I can do to help you debug this issue? I have a few v16 machines here that I can play with.

nandox5 avatar Aug 12 '22 16:08 nandox5

I just put in a request to get Intel AMT v15 and v16 machines. So far I have Intel AMT v7, 8, 9, 10, 11, 12, 14 as part of my regular testing for MeshCentral, MeshCommander, MeshCMD. I need to fill in that gap.

The domain showing as "domain.com" could be a problem. Intel AMT needs to match the certificate domain with the trusted FQDN or DHCP option 15. If you are ok with it, send me the public portion (not the private key) of your Intel AMT activation certificate, my contact information is here. Also, a screenshot of where you see the "domain.com" would be great. I will take a look at the certificate parsing code to see what is going on.

So far, I only have 2 to 3 Intel AMT activation certs to test with, maybe you got yours from a different CA and so, I get a new test case.

Ylianst avatar Aug 15 '22 18:08 Ylianst

> request to get Intel AMT v15 and v16 machines

If you get any extras, feel free to send 'em this way! :)

silversword411 avatar Aug 15 '22 18:08 silversword411

> I just put in a request to get Intel AMT v15 and v16 machines. So far I have Intel AMT v7, 8, 9, 10, 11, 12, 14 as part of my regular testing for MeshCentral, MeshCommander, MeshCMD. I need to fill in that gap.
>
> The domain showing as "domain.com" could be a problem. Intel AMT needs to match the certificate domain with the trusted FQDN or DHCP option 15. If you are ok with it, send me the public portion (not the private key) of your Intel AMT activation certificate, my contact information is here. Also, a screenshot of where you see the "domain.com" would be great. I will take a look at the certificate parsing code to see what is going on.
>
> So far, I only have 2 to 3 Intel AMT activation certs to test with, maybe you got yours from a different CA and so, I get a new test case.

Email sent encrypted through Microsoft 365. Let me know if you don't receive it.

Thanks again.

nandox5 avatar Aug 15 '22 18:08 nandox5