Intel Ema Server Installation and Maintenance Guide

EMA installation guide

Uploaded by

JoseGarcia
Intel® Endpoint Management Assistant (Intel® EMA)

Single Server Installation Guide

Intel® EMA Version: 1.7.0

Document update date: Tuesday, April 5, 2022


Legal Disclaimer
Copyright 2018-2022 Intel Corporation.

This software and the related documents are Intel copyrighted materials, and your use of them is governed by the
express license under which they were provided to you ("License"). Unless the License provides otherwise, you may
not use, modify, copy, publish, distribute, disclose or transmit this software or the related documents without Intel's
prior written permission.
This software and the related documents are provided as is, with no express or implied warranties, other than those
that are expressly stated in the License.
Intel technologies may require enabled hardware, software or service activation.
No product or component can be absolutely secure.
Your costs and results may vary.
No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this
document.
Intel disclaims all express and implied warranties, including without limitation, the implied warranties of
merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course
of performance, course of dealing, or usage in trade.

The products and services described may contain defects or errors known as errata which may cause deviations from
published specifications. Current characterized errata are available on request.
Intel technologies’ features and benefits depend on system configuration and may require enabled hardware,
software or service activation. Performance varies depending on system configuration. No computer system can be
absolutely secure. Intel does not assume any liability for lost or stolen data or systems or any damages resulting
from such losses. Check with your system manufacturer or retailer or learn more at
http://www.intel.com/technology/vpro.
Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries. Other names and
brands may be claimed as the property of others.
1 Introduction
1.1 Before You Begin
1.2 Supported Operating Systems
1.3 Installation Prerequisites
1.3.1 Computer
1.3.2 Operating System
1.3.3 Database
1.3.4 Web Server
1.3.5 Intel AMT PKI Certificate
1.3.6 Microsoft .NET Framework Versions
1.3.7 Firewall
1.3.8 Network
1.3.9 Network Ports
1.4 Security Recommendations
1.4.1 Back Up Important Data
1.4.2 Modify the Access Control List (ACL) for Key Configuration Files
1.4.3 Enable Transparent Data Encryption on SQL Server Enterprise
1.4.4 Secure all Certificates and Keys
1.4.5 Sample files for Intel® EMA REST API and JavaScript library
1.4.6 Disable Insecure Cipher Suites
1.4.7 Strong Encryption Protocols
1.4.8 IIS – Replace the Temporary Web TLS Certificate
1.4.9 IIS – Change IIS User Account
1.4.10 IIS – Enabling the Transport Layer Security Protocol
1.4.11 IIS – Machine Key Validation Method
1.4.12 IIS – Restrict Unlisted IIS Extensions Execution
1.4.13 IIS – Dynamic IP Address Restrictions
1.4.14 IIS – Configure Host Headers for All Sites
1.4.15 IIS - Review updated web.config File
1.4.16 Check Binary Signatures
1.4.17 Change the Platform Manager Service User Account
1.4.18 Modify permissions of SQL Server user if desired
1.4.19 User Creation and Management
1.4.20 Use SQL Server Installed with TLS
1.5 Intel® EMA Installed Components
1.6 Important File and Directory Locations
1.7 Scaling Considerations
2 Installing or Updating the Intel® EMA Server
2.1 Installing Using the Setup Wizard
2.1.1 Server Host Configuration
2.1.2 Database Settings
2.1.3 Server Host Information
2.1.4 Platform Manager Configuration
2.1.5 User Authentication
2.1.5.1 Normal Accounts
2.1.5.2 Domain Authentication
2.1.6 Global Administrator Account Setup
2.1.7 Summary
2.2 Performing an Update Installation Using the Setup Wizard
2.2.1 Database Settings
2.2.2 Platform Manager Configuration
2.2.3 Summary
2.3 Installing or Updating Using the Command Line
2.3.1 Basic Mode
2.3.2 Advanced Mode
2.3.3 Performing an Update Installation Using the Command Line
2.4 Uninstalling
2.4.1 Uninstalling Using the Installer GUI
2.4.2 Uninstalling Using the Command Line
2.5 Intel® EMA Installer Advanced Mode Menu Bar
3 Using the Global Administrator Interface
3.1 Changing the Global Administrator Password
3.2 Creating and Deleting Tenants
3.3 Managing Users and User Groups
3.3.1 Adding, Modifying, and Deleting User Groups
3.3.2 Adding, Modifying, and Deleting Users
4 Performing Intel® EMA Server Maintenance
4.1 Manually Installing Platform Manager
4.2 Configuring the Intel® EMA Platform Manager Service
4.2.1 Platform Manager TLS Certificate
4.2.2 Mutual TLS Certificate for Client Authentication
4.3 Using the Intel® EMA Platform Manager Client Application
4.3.1 Starting Intel EMA Platform Manager
4.3.2 Monitoring Component Server Events
4.3.3 Monitoring Component Server Internal Tracking Information
4.3.4 Performing Basic Controls on Component Servers
4.4 Deploying New Packages
4.5 Updating the Database Connection String
4.6 Periodic Database Maintenance
4.7 Restoring the Intel® EMA Server from Backup
5 Appendix: Troubleshooting After Installation
6 Appendix - Modifying Component Server Settings
6.1 Swarm Server
6.2 Ajax Server
6.3 Manageability Server
6.4 Web Server
6.5 Security Settings
6.6 Recovery Server Settings
7 Appendix – Domain/Windows Authentication Setup
7.1 Server Connection Information Set at Installation
7.2 IIS Website’s Authentication and .NET Authorization
7.3 Internet Explorer Used by the End User
7.4 Optional – Grant Permission to Website Content
7.5 Optional – Double-hop Structure
7.6 References
8 Appendix – Configuring 802.1X for Active Directory
8.1 Active Directory Domain Services
8.2 Active Directory Certificate Services

1 Introduction
Intel® Endpoint Management Assistant (Intel® EMA) is a software application that provides an easy way to manage
Intel vPro® platform-based devices in the cloud, both inside and outside the firewall. Intel EMA is designed to make
Intel® AMT easy to configure and use so that IT can manage devices equipped with Intel vPro platform technology
without disrupting workflow. This in turn simplifies client management and can help reduce management costs for
IT organizations.
Intel EMA and its management console offer IT a sophisticated and flexible management solution by providing the
ability to remotely and securely connect Intel AMT devices over the cloud. Benefits include:
• Intel EMA can configure and use Intel AMT on Intel vPro platforms for out-of-band, hardware-level management
• Intel EMA can manage systems using its software-based agent, while the OS is running, on non-Intel vPro® platforms or on Intel vPro® platforms where Intel AMT is not activated
• Intel EMA can be installed on premises or in the cloud
• You can use Intel EMA’s built-in user interface or call Intel EMA functionality from APIs

This document describes the procedure to install and configure the Intel EMA server in a full production
environment, as well as how to maintain and manage the Intel EMA server after installation. It is intended for
technically competent system administrator users working with Intel EMA in the Global Administrator role.

Note: A simplified tutorial installation procedure for learning purposes is available in the Intel® EMA Quick
Start Guide.

The Global Administrator is responsible for installation, configuration, and management of the Intel EMA server as a
whole, as well as creating Tenant usage spaces within the Intel® EMA server. Other Intel EMA users, such as Tenant
Administrators and Account Managers are responsible for setting up and maintaining the users, user groups,
endpoint groups, and managed endpoint client systems for each Tenant hosted on the Intel EMA server.

Note: Key concepts such as user roles, tenants, and endpoint groups are described in detail in the Intel® EMA
Administration and Usage Guide, which also provides detailed information about the setup and maintenance
of Intel® EMA Tenants and their managed endpoint systems.

We recommend that you read this guide carefully before performing the installation. This document provides the
installation requirements, explains the configuration parameters, and provides detailed installation steps for the Intel®
EMA server and its components.

1.1 Before You Begin


The actual installation of the Intel® EMA server and its components is fairly straightforward, as described in Section 2.
However, before starting the procedure, we recommend that you take time to consider the following choices so that
you know in advance what to enter or select during the procedure.
• Ensure all prerequisites, described in Section 1.3, are met.
• Review the Security Recommendations in Section 1.4 and implement them as part of or after installing Intel EMA.
• Review the Scaling Considerations in Section 1.7 to help you determine the right hardware to use for your Intel EMA implementation.
• Determine the Fully Qualified Domain Name (FQDN) and/or IP Address that will be used to connect to the Intel EMA server.
• For the SQL Server connection, decide if you want to use Windows authentication mode (recommended, for security reasons) or SQL Authentication. If SQL Authentication, you will need to ensure the target credentials are set up in SQL Server before installing.
• Determine how you will want the Intel EMA website to be found via IIS and how it will process requests: by FQDN/hostname only; using FQDN/hostname first, then IP Address; by IP Address only. For additional hostnames to work correctly, and to manage them, you must configure a DNS server or a router.
• Decide whether you plan to install Intel EMA under domain authentication mode (Kerberos) or normal account (username/password) mode, the default. If domain authentication, we suggest using the FQDN of your machine for the hostname. You still need to make sure that other endpoints or other client web browsers can connect to the value you entered here. If you decide to use another value, follow IT practice to set up the Service Principal Name (SPN) after Intel EMA is installed.
• Determine the valid email address to use for the Global Administrator user.
• Intel EMA version 1.5.0 and later uses LDAPS secure ports by default (LDAPS secure port 636 and Global Catalog port 3269). Previous versions of Intel EMA used the standard non-secure LDAP ports (LDAP port 389 and Global Catalog port 3268). If you are installing Intel EMA v1.5.0 or later, and are using Active Directory or 802.1x integration, ensure the LDAPS ports are enabled. If you prefer to use the standard non-secure ports, then after installing Intel EMA, open the installer program again (EMAServerInstaller.exe, run as administrator) and select File > Advanced Mode, then click Settings > Switch from LDAPs to LDAP to reset the LDAP ports Intel EMA uses to the standard non-secure ports. Alternatively, you can change the ports in the Web server settings on the Server Settings page in the Intel EMA UI. If you experience problems with 802.1x setup during Intel AMT provisioning, this could be the issue. See the following link for more information: https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts.

1.2 Supported Operating Systems


As a stand-alone application, the Intel® EMA Agent can be installed on the following operating systems:
• Microsoft Windows 10
• Microsoft Windows 11

Intel EMA Server can be installed on the following operating systems:
• Microsoft Windows Server 2016 (Note: The getPFX API requires the Intel EMA server to be installed on Windows Server 2019 or later)
• Microsoft Windows Server 2019

1.3 Installation Prerequisites


This is a list of the prerequisites needed to set up the Intel® EMA Server.

1.3.1 Computer
A computer or virtual machine with sufficient capability for the expected traffic. Systems not meeting these
minimum specifications could experience performance issues.
2 Intel® Xeon® Processors, 16 threads, 24GB RAM, 1TB Mirrored: This configuration should be able to handle over 20k
connections.

For scaling considerations pertaining to large and/or distributed installation environments, see section 1.7.

1.3.2 Operating System


See Supported Operating Systems, section 1.2.
Currently, Intel EMA does not provide internationalization support. The operating system needs to have English-US
Windows display language, English-US system locale, and English-US format (match Windows display language).

1.3.3 Database
Install the Microsoft SQL Server*. The database may run on a separate server on the network or on the same system
as the Intel EMA Server. For demonstration or test purposes, Microsoft SQL Server Express edition can be used if
installed with Advanced Features. For production environments, we recommend using Microsoft SQL Server
Enterprise. A strong working knowledge of installing, configuring, and using SQL and Active Directory is required (if
using 802.1x).

IMPORTANT: To achieve security in depth, we recommend using Microsoft SQL Server Enterprise and enabling Transparent Data Encryption. Additionally, Windows authentication mode is recommended as the authentication mode.

Notes:
• Microsoft SQL Server 2014, 2016, 2017, and 2019 (English-US version only) are supported.
• The operating system of the machine on which SQL Server is running must be a supported operating system version and needs to have English-US Windows display language, English-US system locale, and English-US format (match Windows display language). See Supported Operating Systems, section 1.2.
• The collation value in SQL Server must be set to SQL_Latin1_General_CP1_CI_AS.
• Be sure to allocate enough resources (CPU, memory, SSD, etc.) to SQL Server. If your SQL Server's resources are dynamically allocated, ensure enough guaranteed fixed resources are allocated. If not, you may see error messages like "Unable to get database connection, all connections are busy" in the component server log files in Program Files (x86)\Intel\Platform Manager\EmaLogs.
• Intel EMA uses query notification in SQL Server to reduce the number of database reads. That feature requires "Service Broker" to be enabled in SQL server. If Service Broker is disabled, you will see warnings to that effect in the component server log files in Program Files (x86)\Intel\Platform Manager\EmaLogs.
• Before installing Intel EMA, ensure that an SQL account exists on the SQL server that can be used by the Intel EMA installer to connect to the SQL server. If you are not the SQL database administrator (SQL DBA), contact the SQL DBA to have this account set up. This account must exist before you install Intel EMA, since you will be asked to specify the SQL connection account during the installation process. This account may be a Windows account under Windows Authentication or an SQL account under SQL Authentication. In addition, the SQL account must have a default database configured. The default database can be any existing database on the SQL server. This default database is required so that the Intel EMA installer can confirm that the specified SQL account/user can contact the SQL server and its databases.

• Before installing Intel EMA, ensure that the SQL account used in the Intel EMA SQL connection string has sysadmin rights (to create a new account for the IIS default application pool identity) and has at least dbcreator permission, which allows it to create, modify, and delete any database. Also, this account must have the database level roles db_owner, db_datawriter, and db_datareader. The “sysadmin” right is needed in order to create the new user “IIS APPPOOL\DefaultAppPool” for the SQL server (if it does not exist). If it exists already or you do not use that account for the IIS application pool of the Intel EMA website, then the role needed during installation is “dbcreator”, to create the Intel EMA database. Keep in mind that the “sysadmin” or “dbcreator” rights are only needed during Intel EMA installation. Lastly, you must grant permission for "SUBSCRIBE QUERY NOTIFICATIONS" to the user of the Intel EMA database.

  IMPORTANT: If you do not grant "sysadmin" rights to the SQL connection account, the installation will still complete successfully, but with errors related to not being able to create the IIS APPPOOL user mentioned above. If you did not grant "sysadmin" rights to the SQL connection account, you MUST manually create this user on the SQL server after the installation completes in order for Intel EMA to work.

See Section 1.4.18 for information about changing these permissions and roles.
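
The database prerequisites above can be checked from the Intel EMA server before running the installer. This is an added example, not part of the Intel guide; it assumes Windows PowerShell 5.1 and Windows authentication, and `$Server` and `$EmaDatabase` are placeholder values.

```powershell
# Added example, not from the Intel guide. $Server and $EmaDatabase are placeholders.
param(
    [string]$Server      = 'localhost',
    [string]$EmaDatabase = 'EMADatabase'   # hypothetical name; only meaningful after installation
)

$RequiredCollation = 'SQL_Latin1_General_CP1_CI_AS'   # collation the guide requires

function Get-SqlScalar {
    param($Connection, [string]$Sql, [hashtable]$Parameters = @{})
    $cmd = $Connection.CreateCommand()
    $cmd.CommandText = $Sql
    foreach ($name in $Parameters.Keys) {
        [void]$cmd.Parameters.AddWithValue($name, $Parameters[$name])
    }
    $value = $cmd.ExecuteScalar()
    if ($value -is [System.DBNull]) { return $null }
    return $value
}

# Connect as the current Windows user, the authentication mode the guide recommends.
$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Server;Integrated Security=SSPI")
$conn.Open()
try {
    $collation = Get-SqlScalar $conn "SELECT CONVERT(nvarchar(128), SERVERPROPERTY('Collation'))"
    $login     = Get-SqlScalar $conn "SELECT SUSER_SNAME()"
    # NULL when access comes through a Windows group rather than a login of its own.
    $defaultDb = Get-SqlScalar $conn "SELECT default_database_name FROM sys.server_principals WHERE sid = SUSER_SID()"
    $sysadmin  = Get-SqlScalar $conn "SELECT IS_SRVROLEMEMBER('sysadmin')"
    $dbcreator = Get-SqlScalar $conn "SELECT IS_SRVROLEMEMBER('dbcreator')"
    # A login without sysadmin rights may not be allowed to see other logins, so 0 can be a false negative.
    $appPool   = Get-SqlScalar $conn "SELECT COUNT(*) FROM sys.server_principals WHERE name = @n" @{ '@n' = 'IIS APPPOOL\DefaultAppPool' }
    $broker    = Get-SqlScalar $conn "SELECT is_broker_enabled FROM sys.databases WHERE name = @db" @{ '@db' = $EmaDatabase }

    $brokerState = if ($null -eq $broker) { 'database not found' } elseif ($broker) { 'enabled' } else { 'disabled' }

    [pscustomobject]@{
        Login              = $login
        Collation          = $collation
        CollationOk        = ($collation -eq $RequiredCollation)
        DefaultDatabase    = $defaultDb
        IsSysadmin         = ($sysadmin -eq 1)
        IsDbCreator        = ($dbcreator -eq 1)
        AppPoolLoginExists = ($appPool -gt 0)
        ServiceBroker      = $brokerState
    }
}
finally {
    $conn.Close()
}
```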

1.3.4 Web Server


Intel EMA uses Microsoft Internet Information Server (IIS). Use the latest IIS 8, IIS 8.5, or IIS 10 version.
Install the IIS URL Rewrite Module for the target IIS. If it is installed, Intel EMA will configure the website to remove the IIS server version from the response header, add the HSTS header, set cookies to SameSite strict, and automatically redirect HTTP to HTTPS. If it is not installed, these settings will not be applied.

Note: If IIS is already installed, ensure that all authentication methods are disabled except for “Anonymous”
and “Windows” (only those two should be enabled). This only applies to Windows Authentication mode.

1.3.5 Intel AMT PKI Certificate


Intel AMT Admin Control Mode (ACM) provisioning requires a certificate issued by a trusted authority that matches
the domain name of the target Intel AMT endpoints. The certificate file needs to have the full certificate chain. Also, it
needs to be issued with the supported OID 2.16.840.1.113741.1.2.3 (this is the unique Intel AMT OID).
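
The two certificate requirements above (the Intel AMT OID and a file that carries the full chain) can be checked before the certificate is uploaded. This is an added example, not part of the Intel guide; `$PfxPath` is a placeholder, and the script assumes the OID is carried in the Enhanced Key Usage extension.

```powershell
# Added example, not from the Intel guide. $PfxPath is a placeholder for your certificate file.
param([Parameter(Mandatory = $true)][string]$PfxPath)

$AmtOid = '2.16.840.1.113741.1.2.3'   # Intel AMT OID named in the guide

$password = Read-Host -AsSecureString -Prompt 'PFX password'
$pfx  = Get-PfxData -FilePath $PfxPath -Password $password
$leaf = $pfx.EndEntityCertificates[0]

# Assumption: the OID appears in the Enhanced Key Usage extension of the end-entity certificate.
$ekuOids = @($leaf.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    ForEach-Object { $_.Value })

# Thumbprints of every certificate that is physically inside the file.
$inFile = @((@($pfx.EndEntityCertificates) + @($pfx.OtherCertificates)) | ForEach-Object { $_.Thumbprint })

# Build the chain offline, offering the certificates from the file as candidates.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
foreach ($c in $pfx.OtherCertificates) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
$trusted  = $chain.Build($leaf)
$elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })

# Chain members that Windows found in a local store but that are missing from the file itself.
$missing = @($elements | Where-Object { $inFile -notcontains $_.Thumbprint })
$root    = $elements[-1]

[pscustomobject]@{
    Subject          = $leaf.Subject
    NotAfter         = $leaf.NotAfter
    HasAmtOid        = ($ekuOids -contains $AmtOid)
    ChainTrusted     = $trusted
    ChainLength      = $elements.Count
    RootIsSelfSigned = ($root.Subject -eq $root.Issuer)
    MissingFromFile  = ($missing | ForEach-Object { $_.Subject }) -join '; '
}
```

An empty `MissingFromFile` together with `RootIsSelfSigned = True` means the file itself holds every certificate up to the root.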

1.3.6 Microsoft .NET Framework Versions


Intel EMA Server software is built with Microsoft .NET Framework 4.8. The operating system must have Microsoft
.NET Framework 4.8 or later. If .NET Framework 4.8 or later is not installed, the Intel EMA installer will display a dialog
prompting you to download and install .NET Framework 4.8 runtime.

1.3.7 Firewall
We recommend using firewall software to ensure that only authorized ports are available for connection. The firewall software built into Windows can perform this task.

1.3.8 Network
During the installation, you must specify the value (either hostname or IP address) to use for communication among
various components. If you choose hostname or FQDN, you need to make sure the value is resolvable by a DNS
server in the network. If you do not have the DNS server, a fixed IP address should be used during installation.
An incorrect hostname/IP address will cause Intel EMA features to not function properly. In a distributed server architecture implementation, if using Active Directory, ensure all computers (including the computer hosting the load balancer) are listed in Active Directory.

1.3.9 Network Ports


Table 1 lists the server network ports used for various communications among server components.

• For certain features/usages, the AJAX server and Manageability server will establish a TCP connection (locally or remotely) with the Swarm server.
• The endpoint and the Swarm server communicate via a secure TCP connection. Intel AMT (CIRA) and the Swarm server communicate via a secure TCP connection.
• The Platform Manager service uses a named pipe to talk to other Intel EMA component servers on the same machine. The Platform Manager client application talks to the Platform Manager service via a secure TCP connection.

Table 1: Server network ports

| Protocol | Port | Usage |
|---|---|---|
| TCP | 443 | HTTPS Web server port. This is used between the web browser and the web server. |
| TCP | 1433 | SQL server remote access. This is used between the internal Intel EMA server and the internal SQL server; only needed if Intel EMA server and the SQL server are not on the same machine. This is the default port that SQL server uses. |
| TCP | 8000 | The default TCP port for communication between Platform Manager service and Platform Manager client. You can change this port during installation. |
| TCP | 8080 | Agent, console, and Intel AMT CIRA port. This is between client endpoints and the Intel EMA Swarm server. See note below. |
| TCP | 8084 | Web redirection port. This is used between the web browser and the web server. |
| TCP | 8085 | Recovery port. This is used by the Recovery component server. If you change this port on the Recovery Server tab of the Server Settings page, you will be prompted to update port bindings. See "Appendix - Modifying Component Server Settings". |
| TCP | 8089 | Communication between the various Intel EMA component servers and Intel EMA Swarm server. This port number is the default, and can be changed in the Server Settings page. See "Appendix - Modifying Component Server Settings". |
| TCP | 8092 | Port on which Ajax component server listens for internal component-to-component communication. This port number is the default, and can be changed in the Server Settings page. See "Appendix - Modifying Component Server Settings". |
| TCP | 8093 | Port on which Swarm component server listens for internal component-to-component communication. This port number is the default, and can be changed in the Server Settings page. See "Appendix - Modifying Component Server Settings". |
| TCP | 8094 | Port on which Manageability component server listens for internal component-to-component communication. This port number is the default, and can be changed in the Server Settings page. See "Appendix - Modifying Component Server Settings". |
| TCP | 8095 | Port on which Recovery component server listens for internal component-to-component communication. This port number is the default, and can be changed in the Server Settings page. See "Appendix - Modifying Component Server Settings". |
| LDAPS/LDAP | 636/389 | The LDAPS secure port is 636. The standard non-secure LDAP port is 389. These ports are for use with Active Directory and/or 802.1x configuration. |
| Global Catalog (secure/non-secure) | 3269/3268 | The secure (3269) and non-secure (3268) Global Catalog ports. These ports are for use with Active Directory and/or 802.1x configuration. |
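
To compare a running server against Table 1 when writing firewall rules, the following lists what is actually listening. This is an added example, not part of the Intel guide; it uses the default TCP port numbers from the table and must be adjusted if any were changed.

```powershell
# Added example, not from the Intel guide. Ports are the TCP defaults from Table 1;
# edit the list if any port was changed at installation or on the Server Settings page.
$Expected = @{
    443  = 'HTTPS web server'
    1433 = 'SQL Server (listens here only if SQL Server runs on this machine)'
    8000 = 'Platform Manager service'
    8080 = 'Swarm server: agent, console, Intel AMT CIRA'
    8084 = 'Web redirection'
    8085 = 'Recovery server'
    8089 = 'Component servers to Swarm server'
    8092 = 'Ajax server, internal'
    8093 = 'Swarm server, internal'
    8094 = 'Manageability server, internal'
    8095 = 'Recovery server, internal'
}

# LocalPort is a UInt16; cast to int so it matches the Int32 keys of $Expected.
$listeners = @(Get-NetTCPConnection -State Listen | ForEach-Object {
    [pscustomobject]@{
        Port    = [int]$_.LocalPort
        Address = $_.LocalAddress
        Process = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    }
})

# 1. Every port from Table 1: is it listening, on which address, and which process owns it?
$Expected.Keys | Sort-Object | ForEach-Object {
    $port = $_
    $hits = @($listeners | Where-Object { $_.Port -eq $port })
    [pscustomobject]@{
        Port      = $port
        Usage     = $Expected[$port]
        Listening = ($hits.Count -gt 0)
        Address   = ($hits.Address | Sort-Object -Unique) -join ', '
        Process   = ($hits.Process | Sort-Object -Unique) -join ', '
    }
} | Format-Table -AutoSize

# 2. Listeners that are not in Table 1 and are not bound to loopback: candidates to review or block.
$listeners |
    Where-Object { -not $Expected.ContainsKey($_.Port) -and $_.Address -notin '127.0.0.1', '::1' } |
    Sort-Object Port, Address -Unique |
    Format-Table -AutoSize
```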

1.4 Security Recommendations


This section details the security recommendations you should take into consideration when using Intel® EMA. Refer
to industry best practices sources and your IT organization’s policies for information on how to implement these
recommendations.

1.4.1 Back Up Important Data


Intel EMA’s component servers rely on several certificates created at Intel EMA installation time.
The installer creates a self-signed MeshRoot root certificate, which it uses to create one or more
MeshSettingsCertificates that are stored in the Local Machine\Personal certificate store. These
MeshSettingsCertificate certificates are used to encrypt/decrypt the server settings stored in the database.
The MeshRoot certificate is used to create the mutual TLS certificates (EmaMtlsXXX) for the TCP-TLS
communications between the Intel EMA component servers (Ajax, Swarm, Manageability, Recovery, Web). They are
stored in the Local Machine\Personal certificate store.
If these certificates are lost, there is no way to make Intel® EMA work again without completely reinstalling the Intel
EMA server.
Therefore, after installing the Intel EMA server (or each server in a distributed environment), it is strongly
recommended that you perform the following steps:

• Back up the Intel EMA database (this should also be done periodically, not just after setup).
• Back up the MeshSettingsCertificate which is stored in the Local Machine\Personal certificate store on your server machine. This certificate is used to encrypt/decrypt the server settings stored in the database.
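
One way to carry out the certificate backup step, as an added example that is not part of the Intel guide. It assumes the private key was created as exportable (the guide does not say) and matches certificates by a subject containing "MeshSettingsCertificate"; `$BackupDir` is a placeholder for a protected location off the server.

```powershell
# Added example, not from the Intel guide. Run in an elevated PowerShell session.
param([Parameter(Mandatory = $true)][string]$BackupDir)   # placeholder: protected, off-server location

$password = Read-Host -AsSecureString -Prompt 'Password to protect the exported PFX files'

$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*MeshSettingsCertificate*' })
if ($certs.Count -eq 0) {
    throw 'No MeshSettingsCertificate found in Local Machine\Personal.'
}

foreach ($cert in $certs) {
    # Without the private key the settings in the database cannot be decrypted after a restore.
    if (-not $cert.HasPrivateKey) {
        Write-Warning "$($cert.Subject): no private key on this machine, nothing useful to back up."
        continue
    }

    $file = Join-Path $BackupDir ("{0}.pfx" -f $cert.Thumbprint)
    try {
        # Fails if the key is marked non-exportable (assumption: it is exportable).
        Export-PfxCertificate -Cert $cert -FilePath $file -Password $password -ErrorAction Stop | Out-Null
    }
    catch {
        Write-Warning "$($cert.Subject): export failed: $($_.Exception.Message)"
        continue
    }

    # Read the file back to confirm it opens with the password and holds the same certificate.
    $check = Get-PfxData -FilePath $file -Password $password
    $ok = @($check.EndEntityCertificates | ForEach-Object { $_.Thumbprint }) -contains $cert.Thumbprint

    [pscustomobject]@{
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter
        File     = $file
        Verified = $ok
    }
}
```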

1.4.2 Modify the Access Control List (ACL) for Key Configuration Files
After the Intel EMA server installation, you should modify the ACL to limit access to the following files\folders:
• [Intel EMA website root folder (e.g., C:\inetpub\wwwroot)] \ web.config.
• [Intel EMA server installation folder (e.g., C:\Program Files (x86)\Intel\Platform Manager)] \ Platform Manager Server \ settings.txt
• [Intel EMA server installation folder (e.g., C:\Program Files (x86)\Intel\Platform Manager)] \ Runtime \ MeshSettings \ connections.config
• [Intel EMA server installation folder (e.g., C:\Program Files (x86)\Intel\Platform Manager)] \ Runtime \ MeshSettings \ app.config
• [Intel EMA server installation folder (e.g., C:\Program Files (x86)\Intel\Platform Manager)] \ EMALogs
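
Before tightening these ACLs it helps to see which of the listed files currently grant access to broad groups. This is an added example, not part of the Intel guide; the paths are the guide's example defaults, and treating Everyone, Authenticated Users and BUILTIN\Users as too broad is an assumption.

```powershell
# Added example, not from the Intel guide. Audit only: it reads ACLs and changes nothing.
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot',
    [string]$EmaRoot = 'C:\Program Files (x86)\Intel\Platform Manager'
)

# The files and folder listed in this section.
$Targets = @(
    (Join-Path $WebRoot 'web.config'),
    (Join-Path $EmaRoot 'Platform Manager Server\settings.txt'),
    (Join-Path $EmaRoot 'Runtime\MeshSettings\connections.config'),
    (Join-Path $EmaRoot 'Runtime\MeshSettings\app.config'),
    (Join-Path $EmaRoot 'EMALogs')
)

# Well-known SIDs of broad groups (assumption: none of these needs access to the targets).
$Broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$sidType = [System.Security.Principal.SecurityIdentifier]

foreach ($path in $Targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Not found: $path"
        continue
    }
    $acl = Get-Acl -LiteralPath $path
    # Ask for identities as SIDs so the match does not depend on localized or renamed group names.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $Broad.ContainsKey($sid)) {
            [pscustomobject]@{
                Path      = $path
                Principal = $Broad[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
```

Rows with `Inherited = True` come from a parent folder, so removing them means breaking inheritance on the item rather than deleting a single entry.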

1.4.3 Enable Transparent Data Encryption on SQL Server Enterprise


To achieve security in depth, we recommend that you use SQL Server Enterprise and enable Transparent Data Encryption.

1.4.4 Secure all Certificates and Keys


When Intel EMA is installed, several certificates and encryption keys are generated. The certificates and encryption
keys created by Intel EMA expire after 20 years.
Certificates are stored in the Intel EMA server database and in the server machine’s certificate store. Take care to keep
these certificates secure. If they are compromised, Intel EMA cannot replace them and push them to the managed
endpoints. In this case, you would need to uninstall and reinstall the Intel EMA server using new certificates, then
recreate all users and endpoint groups and then re-register all your endpoints.
Most of the encryption keys are stored in Intel EMA server settings, which is encrypted and saved in the Intel EMA
server database.

1.4.5 Sample files for Intel® EMA REST API and JavaScript library
The sample files are in the folder [Intel EMA installation package folder] \Samples. These files are not automatically
hosted on the Intel EMA website during installation. These sample files are implemented using bare-minimum code
to demonstrate how to use the API and do not use secure coding practices to guard against security concerns like
cross-site scripting.

IMPORTANT: These samples should never be hosted in a production environment.

For hosting in a test environment for development purposes, copy the Samples folder to the Intel EMA website root
folder (e.g., C:\inetpub\wwwroot\).

1.4.6 Disable Insecure Cipher Suites


Cipher suites determine the key exchange, authentication, encryption, and algorithms used in an SSL/TLS session.
It is strongly recommended that you disable insecure cipher suites to restrict the use of weak cryptographic
algorithms and protocols for TLS connections.

By default, many versions of Microsoft Windows Server may have an insecure cipher suite configuration. The following are the warnings or threats that result from insecure ciphers:
• 64-bit block cipher 3DES vulnerable to SWEET32 attack
• Broken cipher RC4 is deprecated by RFC 7465
• CBC-mode cipher in SSLv3 (CVE-2014-3566) – padding oracle
• Cipher suite uses MD5 for message integrity
• Weak certificate signature for SHA1
• Key exchange (DH 1024) is of lower strength than the certificate key

One workaround to avoid these threats and warnings is to download IIS Crypto from this website: https://www.nartac.com/Products/IIScrypto. This product helps to change Schannel and cipher settings.
You must run the IIS Crypto program and deselect Multi-Protocol Unified Hello, PCT 1.0, SSL 2.0, MD5, and all ciphers above Triple DES. This helps clear all the aforementioned warnings (except for the SHA1 warning).

IMPORTANT! Intel EMA and Intel AMT require one of the following Cipher Suites to be enabled in order to effectively communicate and function. As an example, enabling “TLS_RSA_WITH_AES_128_GCM_SHA256” would work for all versions of Intel AMT currently supported by Intel EMA.

Intel AMT version 14 and earlier:
• TLS_RSA_WITH_AES_128_GCM_SHA256
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA

Intel AMT version 15:
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

1.4.7 Strong Encryption Protocols


We strongly recommend that you disable weak encryption protocols, such as PCT 1.0, SSL 2.0, SSL 3.0, TLS 1.0, and
TLS 1.1, and instead enable strong encryption protocols, such as TLS 1.2. Additionally, we recommend that you use
the Diffie-Hellman Ephemeral (DHE) protocol.

Note: If your environment includes endpoints with Intel AMT versions below 11.8.77.3664, you need to leave
TLS 1.1 enabled to ensure proper communication with these endpoints.
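
After changing cipher and protocol settings (sections 1.4.6 and 1.4.7), the result can be audited to confirm that weak suites are gone while at least one suite per Intel AMT generation is still enabled. This is an added example, not part of the Intel guide; it only reads settings, and the weak-algorithm pattern covers just the algorithms named in section 1.4.6.

```powershell
# Added example, not from the Intel guide. Audit only: it changes nothing.
# Requires the TLS cmdlets of Windows Server 2016 or later.

# Suites the guide lists as usable by Intel AMT (copied from section 1.4.6).
$AmtSuites = @{
    'Intel AMT 14 and earlier' = @(
        'TLS_RSA_WITH_AES_128_GCM_SHA256',
        'TLS_RSA_WITH_AES_256_CBC_SHA',
        'TLS_RSA_WITH_AES_128_CBC_SHA')
    'Intel AMT 15' = @(
        'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
        'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384')
}
$WeakPattern  = '3DES|RC4|MD5'   # weak algorithms named in section 1.4.6
$Protocols    = 'PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

$enabled = @((Get-TlsCipherSuite).Name)

Write-Host 'Weak cipher suites still enabled:'
$weak = @($enabled | Where-Object { $_ -match $WeakPattern })
if ($weak.Count -eq 0) { Write-Host '  none' } else { $weak | ForEach-Object { Write-Host "  $_" } }

Write-Host 'Suites available to Intel AMT:'
foreach ($group in $AmtSuites.Keys) {
    $present = @($AmtSuites[$group] | Where-Object { $enabled -contains $_ })
    if ($present.Count -eq 0) {
        # Disabling every suite of a group cuts off endpoints of that AMT generation.
        Write-Warning "  ${group}: none of the listed suites is enabled"
    } else {
        Write-Host ("  {0}: {1}" -f $group, ($present -join ', '))
    }
}

Write-Host 'Schannel server-side protocol settings:'
foreach ($p in $Protocols) {
    $key   = Join-Path $SchannelRoot "$p\Server"
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Enabled
    $state = if ($null -eq $value) { 'not configured (OS default applies)' }
             elseif ($value -eq 0) { 'disabled' }
             else                  { 'enabled' }
    # TLS 1.1 has to stay enabled while Intel AMT endpoints below 11.8.77.3664 are in use.
    Write-Host ("  {0,-8} {1}" -f $p, $state)
}
```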

1.4.8 IIS – Replace the Temporary Web TLS Certificate


The Web TLS certificate is used for HTTPS communications between the Web browser and the Web + AJAX Server. A
temporary self-signed Web TLS certificate is created during installation. This certificate can be replaced at any time.
We recommend that you use a valid HTTPS certificate issued from a valid trusted Certificate Authority.

Note:
• This TLS certificate can also be used for the Platform Manager TLS certificate if you are running Platform Manager on the same system as the IIS server. See section 4.2.

• For the self-signed website TLS certificate (and the Intel EMA settings certificate), Intel EMA grants the default IIS DefaultAppPool account read access to the private key. If you change the account that the IIS default application pool will run under, you must also change the access control accordingly.

To replace the temporary Web TLS certificate:


1. Install the new certificate in the Local Machine\Personal certificate store.
2. Run the IIS Manager on the Web Server (IIS Server).
3. Place the certificate in the Server Certificates.
4. Edit the Bindings section in the Default Website dialog box to use the new certificate.

1.4.9 IIS – Change IIS User Account


By default, Intel EMA uses the IIS default application pool (app pool) to run the Intel EMA website. This default app
pool uses the ApplicationPoolIdentity account by default. In a distributed installation running under Windows
authentication, where the Intel EMA component servers need to access a remote SQL Server, you may need to
change the account the Intel EMA website runs under to one that can access the remote SQL Server.
To do this, follow the steps below:
1. Give the account access to Intel EMA assets (files and folders, certificate's private key).
   1. Skip these steps if the account already has the necessary privileges.
   2. If the SQL connection is using Windows authentication, ensure the new IIS user account satisfies the permission and role requirements for the SQL Server account. See section 1.4.18.
   3. Change the service to run under the desired account.
   4. Give read and write access to [System drive]\Program Files (x86)\Intel\Platform Manager\EMALogs.
   5. Give full control to the following:
      • [System drive]\inetpub\wwwroot: also for all sub-folders and files.
      • [System drive]\inetpub\wwwroot\web.config
      • [System drive]\Program Files (x86)\Intel\Platform Manager\Runtime\MeshSettings\app.config
      • [System drive]\Program Files (x86)\Intel\Platform Manager\Runtime\MeshSettings\connections.config
      • [System drive]\ProgramData\Intel\EMA\USBR - Or the USBR image path if you have updated it as described in Section 6.3, "Manageability Server".
   6. Use the Windows certlm tool to open the certificate store for Local Computer\Personal\Certificates and give "read" permission for the following certificates by right-clicking the target certificate and selecting All Tasks\Manage Private Keys:
      • Temporary Web TLS certificate. "Issued To" is the Intel EMA web site FQDN or IP. "Issued By" is "MeshRoot-XXXX".
      • Settings certificate. "Issued To" is "MeshSettingsCertificates-XXX". "Issued By" is "MeshRoot-XXXX".
      • Inter-component TLS certificate for web server. "Issued To" is "EmaMtlsWeb-XXX". "Issued By" is "MeshRoot-XXXX".
2. Add a new IIS application pool for Intel EMA.
   1. Use IIS Manager to create a new app pool.
   2. Choose .NET CLR Version v4.0.XXX, Integrated pipeline mode, and Start app pool immediately.

Intel® EMA Single Server Installation Guide - Tuesday, April 5, 2022


9
3. Assign an account to the new application pool.
1. Use IIS Manager to change the account for the new app pool.
2. Choose Custom Account and specify the desired Windows account.
4. Use IIS Manager to change the application pool used by Intel EMA to the new one created above. Then restart
the whole web site. For verification, access the Intel EMA web site in a browser, then use Windows Task Man-
ager to verfiy that the w3wp.exe process is running under the specified account.

1.4.10 IIS – Enabling the Transport Layer Security Protocol


It is strongly recommended that you enable Transport Layer Security (TLS), which is an industry-standard protocol
designed to protect the privacy of information communicated over the internet.
The TLS protocol enables client/server applications to detect these security risks:
• Message tampering
• Message interception
• Message forgery
HTTP Strict Transport Security (HSTS) is an opt-in security enhancement policy, which must be enabled to ensure
connections can only be successful if the Transport Layer Security (TLS) protocol is used.

1.4.11 IIS – Machine Key Validation Method


The machine key element in the ASP.NET web.config specifies the algorithm and keys to be used by an application
for encryption and hashing. Ensure that one of the SHA-2 family methods (for example, HMACSHA256) is configured
as the validation method for the machine key.

1.4.12 IIS – Restrict Unlisted IIS Extensions Execution


If IIS features ISAPI Extensions or CGI are installed, ensure that unspecified ISAPI modules or unspecified CGI
modules, respectively, are not allowed to run.

1.4.13 IIS – Dynamic IP Address Restrictions


Dynamic IP Address Restrictions is an IIS setting that can be used to mitigate against DDoS and brute force attacks.
For single server installations, in IIS Manager, enable “Deny IP Address based on the number of concurrent requests”,
enable “Deny IP Address based on the number of requests over a period of time”, and then set values required to
protect your environment.
For more information, see the following link:
https://docs.microsoft.com/en-us/iis/manage/configuring-security/using-dynamic-ip-restrictions

1.4.14 IIS – Configure Host Headers for All Sites


If multiple websites will be hosted in IIS on the same IP address and port, configure host headers for all sites.

1.4.15 IIS - Review updated web.config File


The Intel® EMA server installation adds the following headers to your web.config file, and renames the existing
web.config file to web.config.original.<date>. After installation, review the new web.config file and modify if desired.
For more information about HTTP headers, refer to the following link:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers

The following headers are automatically added to the web.config file during installation.
Table 2: Headers added to web.config

| Header | Value |
|---|---|
| X-Content-Type-Options | nosniff |
| X-XSS-Protection | 1; mode=block |
| X-Frame-Options | SAMEORIGIN |
| Referrer-Policy | strict-origin |
| Expect-CT | max-age=86400, enforce |
| Feature-Policy | payment 'none'; microphone 'none'; geolocation 'none'; |
| strict-transport-security (Note: Added by IIS rewriter rule) | max-age=31536000; includeSubDomains; |
| Content Security Policy (CSP) (Note: Added by plugin) | default-src 'self' blob:;script-src 'self' 'unsafe-inline' 'nonce-<autogen_value> ' 'sha256-<multiple values> '; object-src 'none';style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;img-src 'self' data:; font-src 'self' data: https://fonts.gstatic.com;base-uri 'none';worker-src 'self' blob: |

The CORS header is added but commented out by default. To enable it, edit the web.config file and remove the
comment tags and add your domain information.

<!--
<add name="Access-Control-Allow-Origin" value="https://<YOURDOMAINHERE>" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
<add name="Access-Control-Allow-Methods" value="GET,POST,PUT,DELETE,OPTIONS" />
-->

Lastly, the X-Robots-Tag header is added, which disables web search engines from finding installed instances of the
Intel® EMA server.

Note: Intel EMA grants the default IIS DefaultAppPool account read access to the web.config file. If you
change the account that the IIS default application pool will run under, you must also change the access
control accordingly.
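The review recommended here and in section 1.4.11 can be scripted. The following is an added example, not part of the Intel guide or the Intel EMA product: it compares the customHeaders entries of a web.config with Table 2 and checks the machine key validation method. The embedded XML is a constructed sample, the function name Test-EmaWebConfig is hypothetical, and Windows PowerShell 5.1 is assumed.

```powershell
# Added example: report drift between a web.config and the installer defaults in Table 2.
# The XML below is a constructed sample, not a real Intel EMA web.config.
[xml] $sample = @'
<configuration>
  <system.web>
    <machineKey validation="SHA1" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="X-XSS-Protection" value="1; mode=block" />
        <add name="X-Frame-Options" value="DENY" />
        <add name="Referrer-Policy" value="strict-origin" />
        <add name="Feature-Policy" value="payment 'none'; microphone 'none'; geolocation 'none';" />
        <add name="Access-Control-Allow-Origin" value="*" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
'@

# Values from Table 2. strict-transport-security and the CSP are left out because the
# table says they are added by an IIS rewriter rule and by a plugin, not as static headers.
$expected = [ordered]@{
    'X-Content-Type-Options' = 'nosniff'
    'X-XSS-Protection'       = '1; mode=block'
    'X-Frame-Options'        = 'SAMEORIGIN'
    'Referrer-Policy'        = 'strict-origin'
    'Expect-CT'              = 'max-age=86400, enforce'
    'Feature-Policy'         = "payment 'none'; microphone 'none'; geolocation 'none';"
}
$sha2 = 'HMACSHA256', 'HMACSHA384', 'HMACSHA512'   # SHA-2 family methods (section 1.4.11)

function Test-EmaWebConfig {
    param([Parameter(Mandatory)] [xml] $Config)

    # PowerShell hashtables compare keys case-insensitively, as header names should be.
    $actual = @{}
    foreach ($node in $Config.SelectNodes('//httpProtocol/customHeaders/add')) {
        $actual[$node.GetAttribute('name')] = $node.GetAttribute('value').Trim()
    }

    foreach ($name in $expected.Keys) {
        $state = if (-not $actual.ContainsKey($name)) {
            'MISSING'
        } elseif ($actual[$name] -eq $expected[$name]) {
            'OK'
        } else {
            'DIFFERS'
        }
        [pscustomobject]@{ Check = $name; State = $state; Found = $actual[$name]; Expected = $expected[$name] }
    }

    # The guide gives no value for X-Robots-Tag, so only its presence is checked.
    $robots = if ($actual.ContainsKey('X-Robots-Tag')) { 'OK' } else { 'MISSING' }
    [pscustomobject]@{ Check = 'X-Robots-Tag'; State = $robots; Found = $actual['X-Robots-Tag']; Expected = '(present)' }

    # Machine key validation method; an absent attribute means the framework default applies.
    $mk = $Config.SelectSingleNode('//system.web/machineKey')
    $validation = if ($mk) { $mk.GetAttribute('validation') } else { '' }
    $mkState = if (-not $validation) {
        'NOT SET'
    } elseif ($validation -in $sha2) {
        'OK'
    } else {
        'WEAK'
    }
    [pscustomobject]@{ Check = 'machineKey validation'; State = $mkState; Found = $validation; Expected = ($sha2 -join ' | ') }

    # If the CORS block has been enabled, a wildcard origin allows every site.
    if ($actual['Access-Control-Allow-Origin'] -eq '*') {
        [pscustomobject]@{ Check = 'Access-Control-Allow-Origin'; State = 'WILDCARD'; Found = '*'; Expected = 'https://<your domain>' }
    }
}

Test-EmaWebConfig -Config $sample | Format-Table -AutoSize -Wrap

# Against the deployed file:
# Test-EmaWebConfig -Config ([xml](Get-Content -Raw "$env:SystemDrive\inetpub\wwwroot\web.config"))
```

A DIFFERS row is not necessarily a problem (the sample's X-Frame-Options DENY is stricter than the installer default); it marks a line to review.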

1.4.16 Check Binary Signatures


All Intel EMA binaries are signed as an integrity mechanism. We recommend that you check and confirm the
signatures on these files. Further, we recommend that you only use installation packages from trusted sources (such
as www.intel.com).
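One way to perform this check, as an added example that is not part of the Intel guide: the script verifies the Authenticode signature of every binary in the extracted installer package and in the installation folder named in section 1.5, then lists the distinct signers for review. The file extensions scanned are an assumption, and Windows PowerShell 5.1 is assumed.

```powershell
# Added example: verify Authenticode signatures on Intel EMA binaries.
param(
    # Folders to scan: the extracted installer package (current directory) and the
    # installation folder named in section 1.5.
    [string[]] $Path = @((Get-Location).Path,
                         (Join-Path ${env:ProgramFiles(x86)} 'Intel\Platform Manager'))
)

$extensions = '.exe', '.dll', '.msi', '.sys'   # assumption: file types treated as binaries

$results = Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in $extensions } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        }
    }

# Anything other than Valid (NotSigned, HashMismatch, NotTrusted, ...) needs attention.
$bad = @($results | Where-Object { $_.Status -ne 'Valid' })

"Checked {0} files, {1} without a valid signature." -f @($results).Count, $bad.Count
$bad | Format-Table Status, File -AutoSize -Wrap

# A valid signature only proves that someone signed the file; review who the signers are.
$results | Where-Object { $_.Status -eq 'Valid' } |
    Group-Object Signer |
    Select-Object Count, Name |
    Format-Table -AutoSize -Wrap

if ($bad.Count -gt 0) { exit 1 }
```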

1.4.17 Change the Platform Manager Service User Account
Perform this action after installing the Intel EMA server. By default, the Intel EMA Platform Manager service runs
under the System user. To improve security, we recommend that you modify this service to run as a local or domain
user.

Note: Whatever account you set Platform Manager to run under will be the account that all Intel
EMA component server services (i.e., Manageability Server, Swarm Server, etc.) run under as well. After the
Platform Manager account is changed, the component server services will use the new account once they are
restarted. In a distributed server environment this must be done for each Platform Manager instance.

First, give the account access to Intel EMA assets (files and folders, certificate's private key).
1. Skip these steps if the account already has the necessary privileges.
2. If the SQL connection is using Windows authentication, ensure the new user account satisfies the permission
and role requirements for the SQL Server account. See section 1.4.18.
3. Change the service to run under the desired account.
4. Give read and write access to [System drive]\Program Files (x86)\Intel\Platform Manager\EMALogs.
5. Give full control to the following:
   • [System drive]\inetpub\wwwroot: also for all sub-folders and files.
   • [System drive]\inetpub\wwwroot\web.config
   • [System drive]\Program Files (x86)\Intel\Platform Manager
   • [System drive]\Program Files (x86)\Intel\Platform Manager\Runtime\MeshSettings\app.config
   • [System drive]\Program Files (x86)\Intel\Platform Manager\Runtime\MeshSettings\connections.config
   • [System drive]\ProgramData\Intel\EMA\USBR - Or the USBR image path if you have updated it as
     described in Section 6.3, "Manageability Server" on page 48.
6. Use the Windows certlm tool to open the certificate store for Local Computer\Personal\Certificates and give
   "read" permission for the following certificates by right-clicking the target certificate and selecting All
   Tasks\Manage Private Keys:
   • Temporary Web TLS certificate. "Issued To" is the Intel EMA web site FQDN or IP. "Issued By" is
     "MeshRoot-XXXX".
   • Recovery certificate. "Issued To" is the Intel EMA web site FQDN or IP. "Issued By" is "MeshRoot-XXXX".
   • Settings certificate. "Issued To" is "MeshSettingsCertificates-XXX". "Issued By" is "MeshRoot-XXXX".
   • Inter-component TLS certificate for web server. "Issued To" is "EmaMtlsWeb-XXX". "Issued By" is
     "MeshRoot-XXXX".
   • Note that the Temporary Web TLS certificate and the Recovery certificate look similar in the listing, but
     if you open them and go to the Details tab, you can see which is which.
Next, ensure the file settings.txt in the Intel EMA installation folder has read/write permissions for the new Platform
Manager service account.
Lastly, find Intel Platform Manager in Windows services and change the user account under which this service is
running, then restart all the Intel EMA component servers.
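The file and private-key grants in this section and in section 1.4.9 can be reported and applied from one script. This is an added example, not Intel's code: the account name is a placeholder, the paths are the ones listed in this guide, the certificates are chosen by thumbprint because the Temporary Web TLS and Recovery certificates look alike, and RSA keys on Windows PowerShell 5.1 are assumed.

```powershell
#Requires -RunAsAdministrator
# Added example: report the access sections 1.4.9 and 1.4.17 list for a replacement
# service account, and grant it only when -Apply is given.
param(
    [Parameter(Mandatory)] [string] $Account,   # e.g. 'EXAMPLE\svc-ema' (constructed name)
    [string[]] $Thumbprint = @(),               # certificates whose private key the account may read
    [switch] $PlatformManager,                  # also cover the extra items listed in section 1.4.17
    [switch] $Apply                             # without this switch nothing is modified
)

# Resolve the account to a SID once; this fails early if the name is wrong.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
    [System.Security.Principal.SecurityIdentifier])
$pm  = Join-Path ${env:ProgramFiles(x86)} 'Intel\Platform Manager'
$www = Join-Path $env:SystemDrive 'inetpub\wwwroot'

$targets = @(
    @{ Path = (Join-Path $pm 'EMALogs');                                 Rights = 'Read, Write' }
    @{ Path = $www;                                                      Rights = 'FullControl' }
    @{ Path = (Join-Path $www 'web.config');                             Rights = 'FullControl' }
    @{ Path = (Join-Path $pm 'Runtime\MeshSettings\app.config');         Rights = 'FullControl' }
    @{ Path = (Join-Path $pm 'Runtime\MeshSettings\connections.config'); Rights = 'FullControl' }
    @{ Path = (Join-Path $env:ProgramData 'Intel\EMA\USBR');             Rights = 'FullControl' }
)
if ($PlatformManager) {
    $targets += @{ Path = $pm; Rights = 'FullControl' }
    $targets += @{ Path = (Join-Path $pm 'Platform Manager Server\settings.txt'); Rights = 'Read, Write' }
}

function Grant-AccountAccess([string] $Path, [string] $Rights) {
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Wanted = $Rights; Current = 'PATH NOT FOUND'; Changed = $false }
    }
    $acl = Get-Acl -LiteralPath $Path
    # Existing allow entries for this account, compared by SID rather than by display name.
    $current = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.FileSystemRights }
    if ($Apply) {
        $fsRights = [System.Security.AccessControl.FileSystemRights] $Rights
        # On folders the grant is inherited by sub-folders and files.
        $inherit = if (Test-Path -LiteralPath $Path -PathType Container) {
            'ContainerInherit, ObjectInherit'
        } else {
            'None'
        }
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid, $fsRights, $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
    [pscustomobject]@{ Path = $Path; Wanted = $Rights; Current = ($current -join '; '); Changed = [bool] $Apply }
}

function Get-PrivateKeyPath($Cert) {
    # Assumes an RSA key; returns nothing when the key file cannot be located.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    $name = if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $rsa.Key.UniqueName
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    if (-not $name) { return $null }
    # Machine keys are stored under one of these folders (CNG first, then legacy CSP).
    foreach ($dir in 'Microsoft\Crypto\Keys', 'Microsoft\Crypto\RSA\MachineKeys') {
        $candidate = Join-Path $env:ProgramData (Join-Path $dir $name)
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
}

# Candidate certificates: issued by "MeshRoot-XXXX", plus any thumbprint named explicitly
# (for example a CA-issued replacement for the temporary Web TLS certificate).
$certRows = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.Issuer -like '*MeshRoot-*' -or $Thumbprint -contains $_.Thumbprint) } |
    ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            KeyFile    = Get-PrivateKeyPath $_
            Selected   = ($Thumbprint -contains $_.Thumbprint)
        }
    }

$targets | ForEach-Object { Grant-AccountAccess $_.Path $_.Rights } | Format-Table -AutoSize -Wrap
$certRows | Format-Table Thumbprint, Subject, Issuer, Selected -AutoSize -Wrap
$certRows | Where-Object { $_.Selected } |
    ForEach-Object { Grant-AccountAccess $_.KeyFile 'Read' } | Format-Table -AutoSize -Wrap
```

Run it first without -Apply to see the current access and the candidate certificate thumbprints, then rerun with -Apply and -Thumbprint once the right certificates have been identified on their Details tab.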

1.4.18 Modify permissions of SQL Server user if desired
After installation, the SQL account used by Intel EMA needs to execute stored procedures and run database
commands. Therefore, this SQL account needs db_owner, db_datawriter, and db_datareader permissions for the Intel
EMA database. These permissions are granted by default during Intel EMA installation. If you do not want to give
db_owner permission, you must grant this SQL account Execute permission to run all Intel EMA stored procedures.
You must also grant the "SUBSCRIBE QUERY NOTIFICATIONS" permission to the user of the Intel EMA database.

1.4.19 User Creation and Management


It is strongly recommended that you periodically check existing user accounts for Intel EMA and ensure that any
accounts that are no longer being used are deleted. See the Intel® EMA Administration and Usage Guide for
information on creating, modifying, and deleting user accounts.

1.4.20 Use SQL Server Installed with TLS


It is strongly recommended that you use an instance of SQL Server that has been installed with TLS to encrypt data
transmitted between SQL Server and Intel EMA. For more information, see the link below:
https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine?view=sql-server-ver15

1.5 Intel® EMA Installed Components


After installation, most software components are installed in the C:\Program Files (x86)\Intel\Platform Manager
folder. The main components are as follows:
• Intel® EMA Platform Manager service:
   • Installed as an auto-started Windows service with display name Intel® EMA Platform Manager and
     service name PlatformManager
   • Deploys the Intel EMA website content to the IIS server
   • Monitors Intel EMA component servers on the machine and auto-starts any that are not running
   • In a distributed server architecture, each Intel EMA server machine will have its own Platform Manager
     service
• Intel EMA Platform Manager client application:
   • Installed as a Windows desktop application
   • Provides the graphical user interface (GUI) for user interaction
   • Used for checking Intel EMA internal server events and performing simple server controls
   • Can communicate with the Platform Manager service on a local or remote machine
• Intel EMA website:
   • Primary GUI for end users
   • Deployed on the IIS server by the Platform Manager service after installation
   • May have multiple instances in a distributed environment
   • See the Intel® EMA Administration and Usage Guide for further details
• Intel EMA REST APIs:
   • Deployed on the IIS server by the Platform Manager service after installation
   • Enables third-party software development to create a different Intel® EMA GUI for end users
   • See the Intel® EMA API Guide for further details
• Intel EMA JavaScript libraries:
   • Deployed on the IIS server by the Platform Manager service after installation
   • Delivers some features that REST APIs are not designed to support
   • Enables third-party software development to create a different Intel EMA GUI for end users
   • See the Intel® EMA JavaScript Libraries Guide for further details
• Intel EMA AJAX server:
   • Started by the Platform Manager service
   • Handles the JavaScript library’s requests
   • May have multiple instances in a distributed environment
   • See the Intel® EMA Administration and Usage Guide for further details about the scheduled tasks feature
• Intel EMA Swarm server:
   • Started by the Platform Manager service
   • Accepts the TCP connection from the endpoints (devices) and handles communication between endpoints
   • May have multiple instances in a distributed environment
• Intel EMA Manageability server:
   • Started by the Platform Manager service
   • Manages Intel AMT provisioning and unprovisioning requests for endpoints
   • Talks to the Swarm server to send provision/unprovision requests to the endpoints
   • Only one instance in a distributed environment
• Intel EMA Recovery Server:
   • Started by the Platform Manager service
   • Used for initiating the recovery process to return a specified endpoint’s OS to a last known good state
     in a secure manner
   • May have multiple instances in a distributed environment
• Intel EMA Agent:
   • Agent software is not installed on the server machine
   • Agent installer is included in Intel EMA software package
   • Agent must be installed on the endpoint for the Intel EMA server to manage it
   • See the Intel® EMA Administration and Usage Guide for how to download and manage the agent
     installers

1.6 Important File and Directory Locations


| File or directory | Description |
|---|---|
| <Installer Directory>/EMALog-Intel®EMAInstaller.txt | Installation log |
| C:\Program Files (x86)\Intel\Platform Manager\Platform Manager Server\settings.txt | Contains settings for the Platform Manager, including the port number and password. |
| C:\Program Files (x86)\Intel\Platform Manager\Runtime\MeshSettings\app.config and connections.config | Contains the database connection string (encrypted). |
| C:\Program Files (x86)\Intel\Platform Manager\EMALogs | A log for each server component. These are the same log messages that you can see in the Platform Manager’s Event log. Files: EMALog-XXX.txt, TraceLog-XXX.txt |
| C:\Program Files\Intel\Ema Agent | Install location for 64 bit Intel EMA Agent files. For 32 bit agent, see Program Files (x86). |
| C:\inetpub\wwwroot | IIS web site locations. |

1.7 Scaling Considerations


As you plan your Intel EMA server implementation, keep in mind that the configuration of the server hardware can
have an impact on the overall performance of your Intel EMA instance as the number of managed endpoints grows.
The following table shows testing results that may be helpful in determining the appropriate server hardware
configuration for your Intel EMA server installation. The table shows the number of managed endpoints required to
achieve the thresholds in the column headings (e.g., 80% CPU utilization) given the server hardware configurations in
the row labels (e.g., 4 CPUs and 16 GB memory).

Note: Performance can vary greatly from one implementation to another depending on a variety of
environmental factors. The following test result information is provided solely to aid in pre-implementation
decision making and is not intended as any claim of actual performance.

Based on the following test result data, for example, you could expect a single Intel EMA server with 4 CPUs and 16
GB of RAM to satisfactorily support approximately 82K managed endpoints (the 10% memory column below). Note
that if CIRA will be used, we recommend that you reduce the number of endpoints in any column below by half.
Furthermore, the data below is based on an idle state for the Intel EMA agent on the managed endpoint. You should
allow some headroom (for example, 20%) for usage such as KVM sessions on the endpoint.
Given the above considerations, for a single Intel EMA server with 4 CPUs and 16 GB of RAM in an implementation
where CIRA will be used, we recommend no more than approximately 33K managed endpoints (82K/2 * .80 = 32.8).
Table 3: Scaling Consideration Data

| Server configuration | Intel EMA 80% CPU | Intel EMA 100% CPU | Intel EMA 10% mem | DB 80% CPU | DB 100% CPU |
|---|---|---|---|---|---|
| 2 CPU, 8 GB mem | 166,389 | 207,969 | 44,600 | 155,775 | 195,145 |
| 4 CPU, 16 GB mem | 349,636 | 436,972 | 82,180 | 290,036 | 363,566 |
| 8 CPU, 32 GB mem | 447,525 | 559,256 | 130,977 | 165,275 | 207,029 |

2 Installing or Updating the Intel® EMA Server
Follow the steps below to install the Intel® EMA server. For updating, see section 2.2.

General Installation Notes:


• Do not edit the Intel EMA database to manually add a user to the user table. Use the Intel EMA user
  interface (either GUI or API) to create all Intel EMA user accounts.
• Installing two separate Intel EMA instances that use the same Intel EMA database is not supported.
  Note that this is different from a distributed server architecture installation in which an Intel
  EMA instance's server components are installed on multiple machines.
• Having multiple instances of the Manageability Server component server running is not supported.
  However, installing a second instance of the Manageability Server for failover purposes is allowed as
  long as the Manageability service on the second instance is stopped and disabled. If there are no active
  Manageability Servers, you will still be able to manage existing endpoints but you will not be able to
  provision new endpoints or utilize the USB Redirection (USBR) feature. If needed, in a failover scenario,
  this second instance can be started. When started, the Intel EMA component server settings must be
  updated to point to the IP address of the new Manageability Server. See section 6 for information on
  modifying component server settings.
• If you are using a remote SQL database, and you do not plan to change the account under which
  Platform Manager and the Intel EMA component servers run (note, it is recommended to change this
  account, per Section 1.4.17), then before installing Intel EMA you must manually create an account on
  the remote SQL database for the system account of the machine on which the Intel EMA server will be
  installed.
• The USB Redirection (USBR) and One Click Recovery (OCR) features of Intel EMA allow you to mount a
  remote disk image (.iso or .img) to a managed endpoint via Intel AMT. To enable these features, the
  installer creates a folder that is accessible to the accounts under which all Intel EMA Web Server
  components, all Recovery Server components, and the Manageability Server component are running. This
  folder will be used by Intel EMA to store uploaded image files and to access those stored image files
  when mounting an image file to a managed endpoint.
• Intel EMA version 1.5.0 and later uses LDAPS secure ports by default (LDAPS secure port 636 and
  Global Catalog port 3269). Previous versions of Intel EMA used the standard non-secure LDAP ports
  (LDAP port 389 and Global Catalog port 3268). If you are installing Intel EMA v 1.5.0 or later, and are
  using Active Directory or 802.1x integration, ensure the LDAPS ports are enabled. If you prefer to use
  the standard non-secure ports, then after installing Intel EMA, open the installer program again
  (EMAServerInstaller.exe, run as administrator) and select File > Advanced Mode, then click Settings
  > Switch from LDAPs to LDAP to reset the LDAP ports Intel EMA uses to the standard non-secure
  ports. Alternatively, you can change the ports in the Web server settings on the Server Settings page in
  the Intel EMA UI. If you experience problems with 802.1x setup during Intel AMT provisioning, this
  could be the issue. See the following link for more information:
  https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts.

2.1 Installing Using the Setup Wizard
Extract the installation ZIP file, open the folder, right-click EMAServerInstaller.exe, and select Run as
administrator. The installer opens and the status bar at the bottom shows Ready if the initial checks have passed.
Click the top-left icon to begin the installation process.

Note: For assistance, click Help > Intel Support

WARNING! For first-time installations, if you continue with the installation process, the Intel EMA Setup Wizard
will delete everything in the c:\inetpub\wwwroot folder. Be sure to back up any needed files before continuing
with the installation process.
This does NOT apply when updating from a previous Intel EMA version, although IIS bindings will be set to default
values. Click Next on the Welcome screen to continue the setup process. When the License Agreement is displayed,
accept the license to continue.

2.1.1 Server Host Configuration


Choose Standard Install for Single Server Architecture.

2.1.2 Database Settings
Specify the server where the database is hosted. The actual value depends on the database server you installed.
Refer to your SQL installation for details.

Notes:
• If you are using a SQL server installed on the same machine as Intel® EMA then you can use localhost.
• If you are using a remote SQL server, ensure the SQL server’s account is set up for your IIS Default
  Application Pool to connect.
• For security purposes, we recommend that Windows authentication mode is used for SQL Authentication. If
  using SQL Authentication, you must ensure the target credential is set up in the SQL server first.

To create a customized database connection string, click the checkbox for Advanced Mode and enter a connection
string.
Note that both Basic and Advanced modes create a connection string which is used by the Intel EMA
component servers. Advanced Mode allows you to create a customized connection string. For more information
about connection strings, see
https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/connection-string-syntax. Note that some examples
on this page may not be supported by Intel EMA.

Note: The parameter “MultipleActiveResultSets=True” is required. For more information, see
https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/sql/enabling-multiple-active-result-sets.

Regardless of mode (Basic or Advanced), the connection string is encrypted and stored in
c:\Program Files (x86)\Intel\Platform Manager\Runtime\MeshSettings\connections.config.

2.1.3 Server Host Information
If you have a Website TLS certificate for the server, enter a matching hostname for the server here.
This is the main Intel® EMA website HTTPS URL, and this is the FQDN/hostname that will be provided in the agent
configuration file for endpoints to connect to, so make sure that it resolves correctly in DNS.

Note: If you plan to use the One Click Recovery feature, you must enter a complete FQDN
(server_name.domain), not just the server name. Also, do not select Use IP Address if you plan to use One
Click Recovery.

For Identity mode:

• Use FQDN/hostname only: processes the request with the FQDN/hostname only. We suggest entering the
  addressable, full FQDN.
• Use FQDN/hostname first: processes the request using the FQDN/hostname, but can also find the
  website via the IP Address.
• Use IP address: processes requests with the IP address only.

Note: If Intel EMA will be installed under domain/Windows authentication mode (Kerberos) in the next step,
we recommend using the FQDN of your machine in the Hostname field. You still need to ensure that other
endpoints or other client web browsers can connect to the value you entered here. If you decide to use another
value, follow IT best practices to set up the Service Principal Name (SPN) after Intel EMA is installed. Choosing
Use IP address does not work for Kerberos.

2.1.4 Platform Manager Configuration


External Port is used by the Intel® EMA Platform Manager service running on this Intel EMA server to accept
connections from the Intel EMA Platform Manager client application. Make sure that the port you specify is open
in the underlying network.
This screen cannot be edited in update mode.

2.1.5 User Authentication
Choose either Use normal accounts or Use domain authentication.

2.1.5.1 Normal Accounts

If you select Use normal accounts then Intel® EMA will keep an internal user database.
This is the default setting of the installation process. This puts the installed instance in username/password
mode.

2.1.5.2 Domain Authentication

If your server is joined to an Active Directory domain, you have the option to Use domain authentication.
The currently logged-in user is automatically added to Intel EMA with the Global Administrator role (shown as
Site Administrator in the screen at left).

Note: Intel EMA version 1.5.0 and later uses LDAPS secure ports by default (LDAPS secure port 636 and Global
Catalog port 3269). Previous versions of Intel EMA used the standard non-secure LDAP ports (LDAP port 389 and
Global Catalog port 3268). If you are installing Intel EMA v 1.5.0 or later, and are using Active Directory or
802.1x integration, ensure the LDAPS ports are enabled. If you prefer to use the standard non-secure ports, then
after installing Intel EMA, open the installer program again (EMAServerInstaller.exe, run as administrator) and
select File > Advanced Mode, then click Settings > Switch from LDAPs to LDAP to reset the LDAP ports Intel EMA
uses to the standard non-secure ports. Alternatively, you can change the ports in the Web server settings on the
Server Settings page in the Intel EMA UI. If you experience problems with 802.1x setup during Intel AMT
provisioning, this could be the issue. See the following link for more information:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts.

2.1.6 Global Administrator Account Setup
This screen only appears during setup if you have chosen “Normal accounts” for user authentication. If using
domain accounts, the user running the installer will be made a Global Administrator.

Note: The Name field must be entered in the form of an email address (i.e., name@domain).

Global Administrator: This role is able to perform user management, tenant creation, and server management.
This role does not perform device management.

2.1.7 Summary
Review your installation settings and then click Install.
All required Windows components will be installed, followed by the Intel® EMA software itself.

IMPORTANT: Do not abort or exit the installer until installation is complete. Installation rollback is not
supported.

Installation status is shown at the bottom of the Installer main menu. Installation options are unavailable
during installation.
To check the log file during installation, click File > Advanced Mode. To exit Advanced Mode, click File >
Advanced Mode again.
After installation, you can check the log file EMALog-Intel®EMAInstaller.txt in the same folder as the Intel EMA
installer.

At this point, you are ready to log in as the Global Administrator and click View Getting Started tips under Getting
Started on the overview page. See section 3.

2.2 Performing an Update Installation Using the Setup Wizard
Follow the steps below to perform an update installation using the Intel EMA setup wizard.

Update Installation Notes:
• When upgrading an Intel EMA instance, the account under which the Platform Manager service runs
  reverts to Local System. If you are running that service under another local or domain account, it will
  need to be reconfigured and all Intel EMA components halted and restarted after the upgrade is
  complete.
• If you are updating from an existing version of Intel EMA, the Intel EMA website’s bindings in IIS will be
  set to default values during the update installation. You can check the log files after installation to find
  the pre-update bindings for your reference.
• The Intel EMA Agent software on managed endpoints is automatically updated upon connecting to
  the updated Intel EMA server instance for the first time after server update. For Intel EMA version 1.5.0
  and later, this automatic update is only performed if the Swarm Server setting Agent Auto Update is
  enabled (default). See section 6.1 for details.
• For updates from previous Intel EMA versions, the installer detects the connection string automatically.

Extract the installation ZIP file, open the folder, right-click EMAServerInstaller.exe, and select Run as
administrator. The installer opens and the status bar at the bottom shows Ready if the initial checks have passed.
Click the top-left icon to begin the installation process.

Note: For assistance, click Help > Intel Support

The installer detects that you are performing an update installation and informs you that your IIS web.config
file will be renamed to allow an updated file to be installed.

Click OK.

Select which type of installation update you are performing: Single Server Architecture or Distributed
Server Architecture. This screen is only displayed if you are updating from a version prior to v1.6.0.

IMPORTANT! Selecting an installation type that does not match your existing installation will result in a
non-functioning Intel EMA instance that will need to be fully uninstalled and reinstalled. Make sure the type
you select matches the type that is currently installed. This action cannot be undone once you complete the
update.

Click Next.

Click Next on the Welcome screen to continue the setup process.

Note: The warning regarding IIS being installed does not apply to update installations.

2.2.1 Database Settings


Note: For update mode, the fields are filled in and
cannot be changed.

2.2.2 Platform Manager Configuration
External Port is used by the Intel® EMA Platform Manager service running on this Intel EMA server to accept
connections from the Intel EMA Platform Manager client application. Make sure that the port you specify is open
in the underlying network.
This screen cannot be edited in update mode.

2.2.3 Summary
Review your installation settings and then click Install.
All required Windows components will be installed, followed by the Intel® EMA software itself.

IMPORTANT: Do not abort or exit the installer until installation is complete. Installation rollback is not
supported.

Installation status is shown at the bottom of the Installer main menu. Installation options are unavailable
during installation.
To check the log file during installation, click File > Advanced Mode. To exit Advanced Mode, click File >
Advanced Mode again.
After installation, you can check the log file EMALog-Intel®EMAInstaller.txt in the same folder as the Intel EMA
installer.

2.3 Installing or Updating Using the Command Line


This section describes how to install or update from the command line.

Note: The installer requires a relative path to the installer executable EMAServerInstaller.exe. You cannot use
an absolute path when issuing the installer command. Change directory to the directory where
EMAServerInstaller.exe is located and issue the command from that folder.

There are two modes for command line installation: Basic Mode and Advanced Mode. Use Basic Mode to provide all
database connection values directly in the command line. Use Advanced Mode to provide a customized database
connection string.
Note that both Basic and Advanced modes create a connection string which is used by the Intel EMA component
servers. Advanced Mode allows you to create a customized connection string. For more information about
connection strings, see
https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/connection-string-syntax.
Note that some examples on this page may not be supported by Intel EMA. Regardless of mode (Basic or
Advanced), the connection string is encrypted and stored in
c:\Program Files (x86)\Intel\Platform Manager\Runtime\MeshSettings\connections.config.

Note: For updates from previous Intel EMA versions, the installer detects the connection string automatically.

Note: During single server standard installation, the Intel EMA installer creates a folder for use with the USB
Redirection (USBR) and One Click Recovery (OCR) features, which allow you to boot a managed endpoint to an
image file (.iso or .img) that is stored in this folder. This folder is created with the following permissions:
SYSTEM, Administrators, and IIS AppPool\DefaultAppPool. If you alter these permissions, the next time you
perform an update installation to Intel EMA a warning message will be logged informing you that permissions
for the folder do not meet requirements.
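The following check is an added example, not part of the Intel guide or the Intel EMA installer: it compares the folder's current ACL with the three identities listed in the note above, so permission drift can be found before the next update installation logs the warning. The function name is hypothetical, and because this page does not state the folder location, -Path is a placeholder you must supply.

```powershell
# Added example, not Intel code. Requires Windows PowerShell 5.1 or later.
# Compares the identities on the USBR/OCR image folder with the three the
# guide says the installer grants: SYSTEM, Administrators, and
# IIS AppPool\DefaultAppPool.
function Test-EmaImageFolderAcl {
    [CmdletBinding()]
    param(
        # Placeholder: the guide does not state where the folder is created.
        [Parameter(Mandatory)][string]$Path
    )

    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Compare by SID so the check also works on non-English Windows, where
    # the built-in account and group names are localized.
    $expected = @{
        'S-1-5-18'     = 'SYSTEM'
        'S-1-5-32-544' = 'Administrators'
    }
    $pool = [System.Security.Principal.NTAccount]'IIS APPPOOL\DefaultAppPool'
    $poolResolved = $true
    try {
        $expected[$pool.Translate($sidType).Value] = $pool.Value
    } catch {
        # The application pool identity only resolves where IIS is installed.
        $poolResolved = $false
    }

    $acl   = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $rules = @($acl.GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.AccessControlType -eq 'Allow' })
    $present = @($rules | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

    $missing = @($expected.Keys | Where-Object { $_ -notin $present } |
        ForEach-Object { $expected[$_] })
    if (-not $poolResolved) { $missing += "$($pool.Value) (could not be resolved)" }

    # Anything granted beyond the three expected identities, with its rights.
    $extra = @($rules |
        Where-Object { -not $expected.ContainsKey($_.IdentityReference.Value) } |
        ForEach-Object {
            $sid  = $_.IdentityReference
            $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $sid.Value }
            '{0}: {1} (inherited={2})' -f $name, $_.FileSystemRights, $_.IsInherited
        })

    [pscustomobject]@{
        Path                = $Path
        Owner               = $acl.Owner
        InheritanceDisabled = $acl.AreAccessRulesProtected
        MissingIdentities   = $missing
        UnexpectedGrants    = $extra
        MatchesGuide        = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

# Usage (replace the placeholder with the real folder):
# Test-EmaImageFolderAcl -Path '<USBR image folder>' | Format-List
```

The guide lists only the identities, not the rights each one holds, so the check reports rights for unexpected entries but does not judge the rights of the expected ones.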

Open a command prompt in Administrator mode in the folder where you unpacked the installation package.

2.3.1 Basic Mode


Use the command syntax template below and replace the placeholder values <in brackets> to install using normal
user accounts. For more options including domain authentication, run the executable with the --help option by
itself.
EMAServerInstaller.exe FULLINSTALL --host=<server_fqdn> --dbserver=<db_server_address> --db=<db_name> --dbuser=<SQL_user> --dbpass=<SQL_password> --guser=<global_admin_email> --gpass=<global_admin_password> --verbose --console --accepteula
For the connection to the server machine, you can also use the following structure:
--host=<name of FQDN of the server machine> --ip=<IP of the server machine> [--ipfirst|--hostfirst]
If you want Intel EMA to use the IP to connect first, use the --ipfirst flag. If you want Intel EMA to use FQDN to
connect first, use the --hostfirst flag.
For the database connection, use the following:

Windows Authentication: --db=<DBName> and --dbserver=<DBServerName>

SQL Authentication: --db=<DBName> and --dbserver=<DBServerName> --dbuser=<UserId> --dbpass=<Password>

If you want to install under “user name/password” mode (i.e., normal account mode), the command line structure
requires you to enter a username and password for the global administrator. These required parameters are identified
as follows:

For global administrator setup: --guser=<UserName> --gpass=<UserPassword>.

If you want to install under “domain/Windows authentication” mode, specify the --domainauth flag and do not enter
--guser or --gpass.

The example syntax template uses the --console option, so no GUI will be loaded and instead the installer will
show progress on the screen and then return to the command prompt when completed.
At this point, you are ready to begin using the Intel EMA Server’s Platform Manager, as described in Section 4.

2.3.2 Advanced Mode


The --dbadvanced parameter is used to provide a customized database connection string, which is encrypted and
stored in c:\Program Files (x86)\Intel\Platform Manager\Runtime\MeshSettings\connections.config.
Use the command syntax template below and replace the placeholder values <in brackets> to install using normal
user accounts. For more options including domain authentication, run the executable with the --help option by
itself.
EMAServerInstaller.exe FULLINSTALL --host=<server_fqdn> --dbadvanced="<connection_string>" --guser=<global_admin_email> --gpass=<global_admin_password> --verbose --console --accepteula
For more information about connection strings, see
https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/connection-string-syntax.
Note that some examples on this page may not be supported by Intel EMA.

Note: The parameter “MultipleActiveResultSets=True” is required. For more information, see
https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/sql/enabling-multiple-active-result-sets.

2.3.3 Performing an Update Installation Using the Command Line


Update Installation Notes:
• When upgrading an Intel EMA instance, the account under which the Platform Manager service runs
  reverts to Local System. If you are running that service under another local or domain account, it will
  need to be reconfigured and all Intel EMA components halted and restarted after the upgrade is
  complete.
• If you are updating from an existing version of Intel EMA, the Intel EMA website’s bindings in IIS will be
  set to default values during the update installation. You can check the log files after installation to find
  the pre-update bindings for your reference.
• The Intel EMA Agent software on managed endpoints is automatically updated upon connecting to
  the updated Intel EMA server instance for the first time after server update. For Intel EMA version 1.5.0
  and later, this automatic update is only performed if the Swarm Server setting Agent Auto Update is
  enabled (default). See section 6.1 for details.
• For updates from previous Intel EMA versions, the installer detects the connection string
  automatically.

Use the command example below to update the Intel EMA server machine.
EMAServerInstaller FULLINSTALL --updateinstalltype=<single/distributed> --accepteula -c -v

Notes:
• For updates from previous Intel® EMA versions, only the updateinstalltype, accepteula, console (c), and
  verbose (v) parameters are accepted. Do not enter any other parameters for updates. Doing so will
  cause the installation to abort and an error message to be displayed.

• For updateinstalltype, you must correctly specify which type of installation (single server architecture
  or distributed server architecture) you are currently updating. Specifying the wrong type will result in
  an inoperable Intel EMA instance which must be fully uninstalled and reinstalled.

2.4 Uninstalling
Do not abort or exit the installer before the uninstallation is complete.

Notes:
• Before uninstalling, ensure the account used in the Intel EMA SQL connection string has at least
  db_creator rights, which allow it to create, modify, and delete any database. This account must also have
  the database level roles db_owner, db_datawriter, and db_datareader.

2.4.1 Uninstalling Using the Installer GUI


1. On the Installer main menu, click the Uninstall the Intel® EMA Server option at bottom.
2. On the dialog, decide whether you want to delete the settings certificate.
3. Decide whether you want to delete the database.
   Notes:
   • In a single server installation, this option will also remove the default shared USBR image file
     storage folder. If you specify a custom USBR image storage folder in Server Settings, that folder
     will not be deleted.
   • If the database is managed and/or cloud-based, Intel EMA cannot delete the database so do
     not specify this option.

4. Click OK, then click OK to the warning message.
5. After the uninstall is complete, check the log by clicking File > Advanced Mode to confirm successful
   completion.

2.4.2 Uninstalling Using the Command Line


Note: The installer requires a relative path to the installer executable EMAServerInstaller.exe. You cannot use
an absolute path when issuing the installer command. Change directory to the directory where
EMAServerInstaller.exe is located and issue the command from that folder.

1. Open a command prompt window with administrative privileges.


2. Change directory to where the Intel EMA Installer Package was extracted.
3. To uninstall without removing the database and settings certificate, type the UNINSTALL command below
and press Enter.

EMAServerInstaller UNINSTALL -c --verbose

4. To uninstall and remove the settings certificate, add the --deletesettingscert option.

EMAServerInstaller UNINSTALL --deletesettingscert -c --verbose

5. To uninstall and remove the database, add the --deletedb option, shown below (to remove both the
   settings certificate and the database, use both options).

EMAServerInstaller UNINSTALL --deletedb -c --verbose

Notes:
• In a single server installation, this option will also remove the default shared USBR image file
  storage folder. If you specify a custom USBR image storage folder in Server Settings, that folder
  will not be deleted.
• If the database is managed and/or cloud-based, Intel EMA cannot delete the database so do
  not specify this option.

2.5 Intel® EMA Installer Advanced Mode Menu Bar


By default, the Intel EMA installer EMAServerInstaller.exe menu bar has two choices: File and Help. Selecting File >
Advanced Mode displays an expanded menu bar with the following menu choices.

File > Advanced Mode
Sets Advanced Mode on, displays expanded menu bar, and displays a log file of installer actions that have
occurred (for use during or after installation).

Database > Update Database
Launches the Update Database Settings dialog. Use this to update your database connection string
post-installation.

Settings > Sync Web Server Settings
Restarts the Intel EMA Web Server to apply/sync changes to web server settings.

Settings > Switch from LDAPS to LDAP
Sets the LDAP ports Intel EMA uses to the standard non-secure ports. Intel EMA version 1.5.0 and later
uses LDAPS secure ports by default (LDAPS secure port 636 and Global Catalog port 3269). Previous
versions of Intel EMA used the standard non-secure LDAP ports (LDAP port 389 and Global Catalog port
3268). If you are installing Intel EMA version 1.5.0 or later, and are using Active Directory or 802.1x
integration, ensure the LDAPS ports are enabled. If you prefer to use the standard non-secure ports, then
after installing Intel EMA, open the installer program again (EMAServerInstaller.exe, run as administrator)
and select File > Advanced Mode, then click Settings > Switch from LDAPS to LDAP to reset the LDAP ports
Intel EMA uses to the standard non-secure ports. Alternatively, you can change the ports in the Web
server settings on the Server Settings page in the Intel EMA UI. If you experience problems with 802.1x
setup during Intel AMT provisioning, this could be the issue. See the following link for more information:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts.

Actions > Setup Firewall Rules
Runs the portion of the installer that handles firewall rule configuration.

Actions > Clear Firewall Rules
Runs the portion of the uninstaller that resets firewall rules.

Actions > IIS Registration
Runs the Microsoft .NET aspnet_regiis.exe.

Actions > Dump all features to file
Writes the enabled Windows features to a file, and writes disabled Windows features to another file.

Actions > Check Common Names
Displays the hostname, FQDN, IP addresses of this machine.

Actions > Check Software
Displays IIS version, .NET CLR version, OS version, .NET framework.

Actions > Domain Detection
Detects what domain the system running the installer is part of.

Actions > Uninstall the Intel EMA Server
Uninstalls the Intel EMA server.

Manager > Launch Intel EMA Platform Manager
Launches the Intel EMA Platform Manager.

Help > Intel Support
Opens the Intel support portal in a web browser.
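The Settings > Switch from LDAPS to LDAP entry above asks you to ensure the LDAPS ports are enabled. The following check is an added example, not part of the Intel guide: run from the Intel EMA server, it confirms that ports 636 and 3269 accept a connection and complete a TLS handshake with a certificate this machine trusts. The function name is hypothetical and the server name is a placeholder for one of your domain controllers.

```powershell
# Added example, not Intel code. Requires Windows PowerShell 5.1 or later.
# Checks that the LDAPS ports named in the guide accept a TCP connection and
# complete a TLS handshake from this machine.
function Test-EmaLdapsPort {
    [CmdletBinding()]
    param(
        # Placeholder: FQDN of a domain controller / Global Catalog server.
        [Parameter(Mandatory)][string]$Server,
        # 636 = LDAPS, 3269 = Global Catalog over TLS (port numbers from the guide).
        [int[]]$Port = @(636, 3269),
        [int]$TimeoutMs = 3000
    )

    foreach ($p in $Port) {
        $r = [ordered]@{
            Server = $Server; Port = $p; TcpOpen = $false; TlsOk = $false
            Protocol = $null; Subject = $null; NotAfter = $null; Error = $null
        }
        $tcp = [System.Net.Sockets.TcpClient]::new()
        $ssl = $null
        try {
            # Bounded connect so a silently filtered port does not hang the check.
            if (-not $tcp.ConnectAsync($Server, $p).Wait($TimeoutMs)) {
                throw "TCP connect timed out after $TimeoutMs ms"
            }
            $r.TcpOpen = $true

            # Default certificate validation: the handshake fails if the chain is
            # not trusted by this machine or the name does not match $Server.
            $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
            $ssl.AuthenticateAsClient($Server)
            $r.TlsOk = $true
            $r.Protocol = $ssl.SslProtocol

            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                $ssl.RemoteCertificate)
            $r.Subject  = $cert.Subject
            $r.NotAfter = $cert.NotAfter
        } catch {
            # Unwrap to the underlying socket or authentication error.
            $r.Error = $_.Exception.GetBaseException().Message
        } finally {
            if ($ssl) { $ssl.Dispose() }
            $tcp.Close()
        }
        [pscustomobject]$r
    }
}

# Usage (replace the placeholder with a real domain controller name):
# Test-EmaLdapsPort -Server '<dc_fqdn>' | Format-Table -AutoSize
```

A row with TcpOpen true and TlsOk false points at the certificate rather than the firewall; the Error column carries the reason.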

3 Using the Global Administrator Interface
Intel® EMA’s Global Administrator pages are used to manage tenants, users, and user groups.
To log in to Intel EMA, do the following:
1. Open a browser and navigate to the FQDN/Hostname you specified during installation.
2. At the login page, enter the user name (i.e., email address) and password for the Global Administrator.

Note: If you specified domain authentication, the Global Administrator Overview page is automatically
displayed.

1. At the bottom of the Overview page, under Getting Started, click View Getting Started tips.
2. On the Getting started page, follow the steps (in order) to Create a Tenant, Add a Tenant Administrator, and
then Add Additional Users (if desired). Note that you MUST create at least one Tenant Administrator for each
Tenant you create. The Global Administrator cannot perform many of the tasks in Tenants.

Note: In order to perform the Tenant setup tasks as described in section 3 of the Intel® EMA
Administration and Usage Guide, you must be logged in as the Tenant Administrator user of that Tenant. See the
Intel® EMA Administration and Usage Guide for details.

Logging out
To log out, click the user name in the top bar of the Overview page and select Log out.

3.1 Changing the Global Administrator Password


This operation can only be performed if “normal accounts” authentication mode was selected during installation.
In the top right of the title bar, click the circle showing the first two letters of the Global Administrator user name and
select Change password.

3.2 Creating and Deleting Tenants


To create a new Tenant, do the following:
1. From the Overview page, click Create a tenant under Tenants at bottom left. Or, from the Getting started
page (available by clicking View Getting Started tips on the first page), select Create Tenant.
2. Enter a Tenant Name and Description, then click Save.
To delete a Tenant, select the Tenants tab on the Users page, then click the down-arrow at right for the target Tenant
and select Delete Tenant….

3.3 Managing Users and User Groups


To manage users or user groups, you must first select a target tenant. New users (except for a new global
administrator) and user groups are created under this target tenant.

3.3.1 Adding, Modifying, and Deleting User Groups
To create a new User Group, do the following:
1. From the Users page (available from the navigation bar at left), select the User Groups tab and click New
Group.
2. In the New Group dialog, enter a Group name, Description, and specify Access Rights, then click Save.
To delete a user group, go to the User Groups tab of the Manage Tenants & Users page, click the down-arrow for
the target user group and select Delete Group....

3.3.2 Adding, Modifying, and Deleting Users


To add a user, do the following:
1. From the Overview page, click Add or remove users under Users at the bottom. Or, from the Users page
(available from the navigation bar at left), select the Users tab.
2. Select which tenant to manage users for, and click New User.
3. In the New User dialog, enter a valid email address for User name, then enter a Password (and confirm), and
Description.
4. Select a Role for this user and click Save.
To delete a user, go to the Users tab of the Manage Users page, click the down-arrow for the target user, and select
Delete....

Notes:
• The last Global Administrator user cannot remove its account, nor edit it.
• If you configured Intel EMA to use Active Directory authentication, ensure the username of any user
  you create corresponds to the userPrincipalName attribute of the Active Directory user. The Password
  field is not shown or needed in this mode.

To edit a user, go to the Users tab of the Manage Users page, click the down-arrow for the target user, and select
Edit....
If you are editing your own user account, in order to change the password, you will need to enter your current
password first. If you are editing other accounts (that your role can manage), you do not need to enter the user’s
current password.
For “locked” users, use the Edit option to unlock the user’s account.

4 Performing Intel® EMA Server Maintenance
Use the Intel EMA Platform Manager to monitor each Intel EMA server and perform various maintenance tasks on the
component servers running on the Intel EMA server machine. You can also use it to deploy a new Intel EMA
component server package. In a distributed server architecture environment, a Platform Manager client on one Intel
EMA server machine can connect to and monitor the server components on the other Intel EMA server machines.

Note: Be sure to change the user account under which the Platform Manager service runs. See Section 1.4.17
for details.

4.1 Manually Installing Platform Manager


The Platform Manager tool is installed as part of the Intel EMA server installation. However, if necessary, you can
install it manually by opening the Intel EMA installation media and running the Platform Manager installation file
PlatformManager.msi (be sure to run as Administrator).
You can use this method to install a standalone Platform Manager client on a Windows-based machine separate
from the one on which the Intel EMA server is installed, then remotely connect from the standalone Platform
Manager client to the existing Platform Manager server on the Intel EMA server machine.
Additionally, you can use this method to reinstall the Platform Manager server in the event that it gets accidentally
uninstalled. This assumes that all other Intel EMA components are still installed in C:\Program Files
(x86)\Intel\Platform Manager and that you reinstall Platform Manager to the same location.

4.2 Configuring the Intel® EMA Platform Manager Service
Before using the Platform Manager, review this section and decide if you want to modify any default settings. All of
the configurable values are in the file C:\Program Files (x86)\Intel\Platform Manager\Platform Manager
Server\settings.txt.

4.2.1 Platform Manager TLS Certificate


The Platform Manager Service provides the TCP TLS connection between the service and the client application. A
default certificate for this TLS connection is provided with the Intel EMA installation, but this default certificate can be
updated to a certificate from a reputable certificate authority by updating the “certhash” value in the settings.txt file
with the thumbprint of the TLS certificate you want to use.

4.2.2 Mutual TLS Certificate for Client Authentication


The Platform Manager Service can optionally require that Mutual TLS be used in the connection between the service
and client applications. To enable this, update the “allowedclientcert” value in the settings.txt file with the client
certificate thumbprint. Multiple client certificates are supported by adding multiple “allowedclientcert” lines.
When you enable this feature, only clients providing a certificate which corresponds to one defined in the
“allowedclientcert” list will be allowed to connect.

4.3 Using the Intel® EMA Platform Manager Client Application
Once you have configured the Platform Manager service, you are ready to start using the Platform Manager client
application.

4.3.1 Starting Intel EMA Platform Manager


1. Start the Intel EMA Platform Manager application like any other normal Windows desktop application.
Alternatively, you can run the Intel EMA installer EMAServerInstaller.exe (run as Administrator) and select
Manager > Launch Intel EMA Platform Manager from the menu bar.
2. In the Connect to Platform Manager Server dialog, enter the identifier (hostname/FQDN/IP Address) and
port for the Intel EMA Platform Manager server. If you are on the same machine as the Intel EMA component
servers, use the localhost:port value.
3. Enter the Intel® EMA Web Server Identifier. This is the hostname/FQDN/IP Address you use to open the
Intel EMA website.
4. If you configured the service for Mutual TLS, select a Client Authentication Certificate.
5. Click OK.
6. If prompted, verify and Accept the Server Certificate.
7. In the Connection Credentials dialog, enter the username and password for the Global Administrator user. If
you are using Windows Authentication, select Use Windows Authentication and then click OK. If you get an
error connecting to the Intel EMA server, check to ensure you entered the correct identifier for the Platform
Manager server above, and that the Intel EMA server is up and running.

Notes:
• If you are using Windows Authentication, ensure the system running Platform Manager is
  joined to the domain, and that the Global Administrator account you are using is logged into
  the domain. Otherwise you will be prompted for credentials.

8. The Intel EMA Platform Manager window is displayed, with the application servers shown in the left-hand
pane. If the screen prompts you to Connect, check to ensure you entered a user with Global Administrator
rights in the Connection Credentials dialog.

4.3.2 Monitoring Component Server Events


1. Select a component server from the list in the left-hand pane (for example, the EMAAjaxServer).
2. Select the Events tab to see the events for that server. Events are also logged in
C:\Program Files (x86)\Intel\Platform Manager\EMALogs\EMALog-[server type].txt on the selected server
machine. Note that the log file contains more detail than what is displayed on the Events tab.
3. If desired, click Trace at the bottom of the panel to enable detailed debugging tracing (this will result in a lot
more messages being logged). The trace log is also logged in
C:\Program Files (x86)\Intel\Platform Manager\EMALogs\TraceLog-[server type].txt.

Note: The trace file will not be present if tracing is not enabled for the selected component server.

4.3.3 Monitoring Component Server Internal Tracking Information
1. Select a component server from the list at left.
2. Select the Component tab to display useful information for the selected component server. Different
component servers have different tracked values, as described below.
Intel EMA AJAX server:
• AjaxSessions: Number of active AJAX request sessions issued by Intel EMA JavaScript library, which are
  processed by the AJAX server.
• HttpSessions: Number of HTTP sessions (used for web redirection features) issued by Intel EMA JavaScript
  library, which are processed by the AJAX server.
• SwarmSessions: Number of active TCP connections to the Swarm server from the AJAX server.
• TerminalSessions: Number of terminal sessions (used for the Serial-Over-LAN feature and the file browsing
  feature) issued by Intel EMA JavaScript library, which are processed by the AJAX server.
• WebSocketSessions: Number of active Web Socket sessions issued by Intel® EMA JavaScript library, which
  are processed by the AJAX server.
Intel EMA Manageability server:
• Each row is a slot to be used for Intel AMT provisioning. A pending Intel AMT provisioning request is put into
  an available slot. The Manageability server starts the provisioning for all the slots individually. If there is no
  slot available, the request waits for an available slot to open. The row displays the information text of Intel
  AMT provisioning.
Intel EMA Swarm server:
• ConAgents: Number of active Intel EMA Agent’s TCP connections to the Swarm server.
• ConConsoles: Number of active TCP connections from other Intel EMA servers.
• ConIntelAmt: Number of active Intel AMT CIRA connections to the Swarm server.
• DbFails: DB queries’ failure count made by this Swarm server.
• DbQueries: DB query count made by this Swarm server.

4.3.4 Performing Basic Controls on Component Servers


To halt/stop or resume a component server, right-click the server in the left-hand pane and select the desired
option.
To see the available control commands for a particular component server, select a server and go to its Console tab,
then type “help” and click Send. The commands are listed below.
All servers:
• testmessage: This sends out test blast messages via TCP connections between Intel EMA components. You
  should see the Received test blast from: [source server] message in the Events tab of the AJAX server,
  Manageability server, and the Swarm server.
• echo: Print back what you typed.
• time: Print the current server machine time.
• utctime: Print the current server machine time in UTC.
• version: Print the component version.
• shutdown: This will let you shutdown/halt this server; however, it will be re-launched soon after.
• collect: Trigger .NET garbage collection.
• whoami: Print the current account this server runtime is running under.
• logpath: Print the log folder path.
• trace: Lets you start/stop tracing info being logged in a trace file. The trace file is in the path specified by
  logpath.
• restart: Restarts the server.
Intel EMA AJAX server:
• stats: Print the "tracked values", same as what Application tab shows.
• testdb: Test connection to Intel EMA server DB.
• ajaxcert: Print information about the inter-service TLS ajax certificate.
• swarmsessions: Print the current swarm sessions.
• alertsessions: Print the current alert sessions.
• dbcount: Control DB trace counting.
    • Start: This starts to collect the database SQL commands info, run by the Swarm server. It includes the
      collection start time, the collection duration, and the total number of DB connections made by Swarm
      server. For each SQL command item, it includes the execution count, the error count, the total running
      time, and the SQL command. Note that our SQL commands are designed to use parameterized inputs.
      Therefore, we only log the parameter name here, not the value.
    • Save and Restart: Save the collected data to the EMALogs folder in the Intel® EMA server installation
      folder.
    • Cancel: Cancel the data collection and do not save anything to file.
• mcount: Print the count of different types of test blast messages sent via TCP connections between Intel
  EMA components.
Intel EMA Manageability server:
• testdb: Test connection to Intel EMA server DB.
• exec: This triggers the Manageability server to check Intel EMA server DB to find any Intel AMT provisioning
  work to be done immediately. Otherwise, Manageability server checks that periodically.
• restart: Restart the Manageability server.
• dbcleanup: Performs on-demand database maintenance routine. See Section 4.6 for details.
• slots: Print activation tasks' slots. The Manageability server currently performs internal throttling. It can
  run at most 20 concurrent provisioning tasks (slots). The remaining provisioning tasks wait in the Intel®
  EMA server DB to be picked up later.
• manageabilitycert: Displays information about the inter-service TLS manageability certificate.
• fileuploadcleanup: Performs on-demand clean up to remove expired USBR temporary files.
• cert8021xrenewal: Performs on-demand certificate renewal for expiring 802.1x certificates.
Intel EMA Swarm server:
• stats: Print the following:
    • The incoming traffic from Intel EMA Agent in bytes, the outgoing traffic to Intel EMA Agent in bytes.
    • .NET Garbage Collector: GetTotalMemory’s value. Intel EMA DB queries count, connections count, DB
      queries failure count made by this Swarm server.
    • Connected Intel EMA agent counts.
    • The number of received blast messages, the number of sent blast messages.
    • Intel EMA server DB schema version.
• testdb: Test connection to Intel EMA server DB.
• swarmcert: Display information about the inter-service TLS swarm server certificate.
• servercert: Display information about the Intel EMA swarm server certificate.
• resetagentstore: Sync the in-memory agent installers information based on the available Intel EMA agent
  installers in Intel EMA DB. Then it checks the agent download and agent upload for each connected Intel EMA
  agent.
• forcedisconnect: This will disconnect this target endpoint for now. The endpoint can still connect back.
• dbcount: Control DB trace counting.
• consoles: This lists the current connected Intel EMA application servers. For example, when you do a "remote
  terminal" session, there will be 1 console session between AJAX Server and Swarm server.
• dbschema: Print the Intel EMA server DB schema version.
• allownode: Add an endpoint to pass list. When Swarm server gets an Intel EMA agent connection request, if
  there exists a non-empty endpoint banned list, it will check it. If this incoming agent/endpoint is banned, it
  will reject the connection.
  Note: The current Intel EMA release does not implement this feature.
• bannode: Add an endpoint to banned list.
• clearnodeaccess: Clear the banned and pass list in memory. It will be reloaded when Swarm server starts
  again.
• nodeaccesslist: Print the endpoint white/banned list.
• ipblocklist: When Swarm server gets an Intel AMT CIRA or Intel EMA agent connection request, if there exists
  a non-empty IP block list, it will check it. If this incoming IP address is in the same subnet as specified in the
  IP block list, it will reject the connection.
  Note: The current Intel EMA release does not implement this feature.
• swarmid: Print this Swarm server's ID and the lead Swarm server's ID. This is useful when you have
  multiple Swarm servers under load balancer. The leader is usually the Swarm server just started recently and
  with highest ID.
• agentpingtime: Print the current ping time for maintaining Intel EMA agent TCP connection. If you provide a
  numerical argument, it will set the ping time to this value in seconds.
• agentrequireping: Print if we need all the Intel® EMA agents to respond with a pong to a ping sent by the
  Swarm server. 1 is true, and 0 is false. If this setting is true, then the Swarm server will drop the agent TCP
  connection if a pong is not received. If you provide an argument (1 or 0), you can set the value.
• ignoredupagents: By default, this is disabled. When the Intel EMA Swarm server receives an incoming Intel
  EMA agent connection, if this connection has an endpoint ID that is the same as an existing connection, then
  we will disconnect and remove the existing connection and accept the new one. However, if this is enabled,
  we will do nothing and just ignore the new incoming connection. This prints 1 or 0. 1 is true/enabled, and 0 is
  false/disabled. If you provide an argument (1 or 0), you can set the value.
• swarmpeers: Print the other peer Swarm servers' IDs and IP addresses.

4.4 Deploying New Packages
A package is a zip file containing a component server or website. An Intel EMA release contains several packages.
Packages are located in the StoredPackages folder in your Intel EMA release.

Note: If you have an older version of Intel EMA, you can use Platform Manager to upload and deploy newer
versions without touching your Intel EMA database. However, if the new release includes Intel EMA database
changes, then you must still use the Intel EMA installer to perform an update.

To update a particular component server:


1. In the left-hand pane, open Intel® EMA Servers and select a machine from the list (for example, localhost).
2. Select the Storage tab.
3. Click Upload and select the .zip package (for example, EMASiteCoreReact.zip) you want to deploy to that
machine. The old version is replaced with the new version in the Component Packages list.
4. Click Deploy to deploy the new package on the selected machine.

4.5 Updating the Database Connection String


To update the database connection string after installation, do the following:
1. Run the Intel® EMA Installer Wizard (in the installation folder, right-click on EMAServerInstaller.exe and
select Run as administrator).
2. From the File menu, select Advanced Mode. Additional menus are displayed, including the Database menu.
3. From the Database menu, select Update Database. The Update Database Settings dialog is displayed.
4. To update the server or database name, or the SQL authentication user and password, simply enter new values for these fields and click Update. To enter a new customized database connection string, continue to the next step.
5. Click the checkbox for Advanced Mode.
6. Enter a new Connection String. For more information about connection strings, see https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/connection-string-syntax. Note that some examples on this page may not be supported by Intel EMA.

Note: The parameter “MultipleActiveResultSets=True” is required. For more information, see https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/sql/enabling-multiple-active-result-sets.
7. Click Update to update the connection string and close the Update Database Settings dialog.

Note:
• You must restart all Intel EMA component servers (i.e., Swarm Server, Manageability Server, etc.) in order for the new connection string to take effect.
• A copy of the previous connection string file c:\Program Files (x86)\Intel\Platform Manager\Runtime\MeshSettings\connections.config is created.
• In a distributed server architecture environment, the connection string must be updated on all Intel EMA server systems.
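
A pre-check for step 6, as an added example that is not part of the Intel guide: the PowerShell function below parses a candidate connection string offline with .NET's generic DbConnectionStringBuilder and reports whether the required MultipleActiveResultSets=True is present and which authentication mode the string uses. The function name and the sample server, database and account names are constructed for illustration; the function never connects to SQL Server and never reads Intel EMA files.

```powershell
# Added example (not Intel's code). Checks an ADO.NET connection string before
# it is pasted into the Update Database Settings dialog. Nothing is printed
# that would reveal the password or the full string.
function Test-EmaConnectionString {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ConnectionString
    )

    $builder = New-Object System.Data.Common.DbConnectionStringBuilder
    try {
        # Call the setter explicitly: the builder is also a dictionary, so
        # PowerShell's dot syntax could be treated as a key assignment.
        $builder.set_ConnectionString($ConnectionString)
    }
    catch {
        return [pscustomobject]@{
            Parsed                   = $false
            MultipleActiveResultSets = $false
            Authentication           = 'unknown'
            Problems                 = @("Not valid connection-string syntax: $($_.Exception.Message)")
        }
    }

    # Return the value of the first keyword that is present.
    # Keyword lookup in the builder is case-insensitive.
    function Get-FirstValue([string[]]$Names) {
        foreach ($n in $Names) {
            $v = $null
            if ($builder.TryGetValue($n, [ref]$v)) { return [string]$v }
        }
        return $null
    }

    $problems = @()

    # The one parameter the guide states is required.
    $mars   = Get-FirstValue @('MultipleActiveResultSets')
    $marsOn = @('true', 'yes') -contains ("$mars").Trim().ToLowerInvariant()
    if ($null -eq $mars) {
        $problems += 'MultipleActiveResultSets is missing; the guide requires MultipleActiveResultSets=True.'
    }
    elseif (-not $marsOn) {
        $problems += "MultipleActiveResultSets is '$mars'; it must be True."
    }

    # Authentication mode: integrated (Windows) or SQL user and password.
    $integrated = Get-FirstValue @('Integrated Security', 'Trusted_Connection')
    $password   = Get-FirstValue @('Password', 'Pwd')
    if (@('true', 'yes', 'sspi') -contains ("$integrated").Trim().ToLowerInvariant()) {
        $auth = 'Windows (integrated)'
    }
    elseif ($null -ne $password) {
        $auth = 'SQL authentication (password is embedded in the string)'
    }
    else {
        $auth = 'unspecified'
    }

    [pscustomobject]@{
        Parsed                   = $true
        MultipleActiveResultSets = $marsOn
        Authentication           = $auth
        Problems                 = $problems
    }
}

# Constructed samples: host, database and account names are placeholders.
$samples = @(
    'Data Source=sql01.example.test;Initial Catalog=EmaDb;Integrated Security=True;MultipleActiveResultSets=True',
    'Server=sql01.example.test;Database=EmaDb;User ID=ema_svc;Password=<placeholder>;MultipleActiveResultSets=False',
    'Server=sql01.example.test;Database=EmaDb;Integrated Security=SSPI'
)
foreach ($s in $samples) {
    Test-EmaConnectionString -ConnectionString $s | Format-List
}
```

The first sample passes; the second and third each return one entry in Problems (MultipleActiveResultSets set to False, and missing, respectively).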

4.6 Periodic Database Maintenance
The Intel EMA database grows over time, which can eventually affect performance. Periodically, you should rebuild
the table indexes and clean up the database row file and log file to ensure optimal database performance. In addition,
there is an automated database cleanup utility, DBCLEANUP, that automatically runs periodically to maintain specific
tables such as the audit log table to remove old entries. See Section 6.3 for information on setting the interval (Audit
Log Cleanup Interval) to automatically run DBCLEANUP.
You can also run the DBCLEANUP command manually from the Manageability Server's Console tab in Platform
Manager. To do this, follow the steps below:
1. Run the Platform Manager (see Section 4.3.1 for details).
2. From the navigation pane at left, select Intel® EMA Servers > localhost > EMAManageabilityServer.
3. Select the Console tab.
4. In the Component Console window, enter the command dbcleanup at the prompt and press Enter.

4.7 Restoring the Intel® EMA Server from Backup


In Section 1.4.1, we recommend that you back up your Intel EMA database and MeshSettingsCertificate after installing Intel EMA. This section describes how to restore your Intel EMA server from that backup.
1. Start with a clean system.
2. Restore the database backup.
3. Restore the MeshSettingsCertificate certificate (including the private key) to the Local Machine/Personal location of the Certificate Store. The account running the Intel EMA components and the account running the Intel EMA IIS website must both be able to access the private key.
4. Run the Intel EMA Installer and choose Single Server setup, as described in Section "Installing or Updating the Intel® EMA Server" on page 16. Be sure to point the installation to the restored database. The installer will indicate that you are performing an update installation. This is normal.
5. In IIS Manager, check to ensure IIS bindings are correct. You should see information similar to the following:

Site bindings should be similar to this:

For ports 443 and 8084, you should see binding details like this (with 443 or 8084 port):

For URL rewrite, you should see settings like this:

5 Appendix: Troubleshooting After Installation

Check logs, traces, or events
The installation log file EMALog-Intel®EMAInstaller.txt is located in the same folder as the Intel EMA installer (i.e., wherever you downloaded and ran the installer).

Note: The following warning appears in the installation log file regardless of whether you are installing with a local SQL Server or a remote SQL Server. For installations with a remote SQL Server, this message can be ignored. For local SQL Server installations, ensure the account is set up to allow your IIS Default Application Pool to connect.
EVENT: DbWarning, ExecuteNonQuerySafe warning: CREATE LOGIN [IIS APPPOOL\DefaultAppPool] FROM WINDOWS() - System.Data.SqlClient.SqlException (0x80131904): User does not have permission to perform this action.

Please see Section 4 of this guide for information on viewing the log file, trace file, or events for each of the Intel® EMA component servers.

Intel® EMA Server Installation Error
Intel® EMA Platform Manager Package path not set correctly
The installer can find an existing Platform Manager settings file (e.g., C:\Program Files (x86)\Intel\Platform Manager\Platform Manager Server\settings.txt), but cannot find the Intel EMA packages (e.g., C:\Program Files (x86)\Intel\Platform Manager\Packages) listed in that settings file.
To fix:
1. Uninstall the Intel EMA Server, selecting all options.
2. Ensure that Intel EMA Platform Manager is no longer installed and there is no content in the Intel EMA installation folder (e.g., C:\Program Files (x86)\Intel\Platform Manager).
3. Re-install the Intel EMA Server.

Intel® EMA Platform Manager Service not starting
Like all Windows services, the Intel EMA Platform Manager Service will time out if the service takes too long to start (30 seconds by default). On slow machines, this timeout limit may be reached while the Intel EMA Platform Manager Service is starting. If this happens, Intel EMA will not work correctly.
Check the status, events, and log of this service:
• In the Windows Services viewer, check to see if it is started successfully.
• In the Windows Event Viewer, go to Windows Logs \ System and look for entries with Level: Error and Source: Service Control Manager.
• If this service has exceptions thrown, you can find them in the log file, PlatformManagerError.txt, on your Windows drive (e.g. C:\PlatformManagerError.txt).
To fix:
Change the Windows registry settings to modify this timeout value. We recommend doing an internet search for “Error 1053 ServicesPipeTimeout” for information on how to do this.

Error when trying to access the Intel® EMA website
Ensure the website is deployed. The website may not be deployed due to the package path issue mentioned above.
To fix:
Use Windows IIS Manager to determine the folder of the Intel® EMA website (click Explore under Actions, top right). In that folder you should see many subfolders and files.

If not, use the Platform Manager to “sync site” and redeploy the website.

Using Internet Explorer on a Windows Server machine
The default security settings of Internet Explorer on Windows Server (e.g. Windows Server 2014) can cause many features of Intel EMA to not function correctly.
To fix:
We recommend using other web browsers (e.g., Chrome or Firefox) on Windows Server machines.

The target Intel® EMA website URL must match the Intel® EMA website’s certificate
If the URL used to access the Intel EMA website does not match the Issued to field of the Intel EMA website certificate, the web browser’s security filtering will block many features.
To fix:
Ensure the Intel EMA URL matches the Issued to field of the certificate.

Warnings and errors during Intel® AMT setup/provision
Depending on the target Intel® AMT firmware’s status, some of the warnings/errors may be transient errors. The Intel EMA Manageability server will automatically re-try the failed setup periodically. However, some of the warnings/errors are valid and need to be addressed.

Note: Refer to the Platform Manager section of this guide for information on warnings and error messages logged by the Manageability server during the setup/provision process.

Transient warnings/errors that can be ignored

Warning/Error type – OTP_REQUIRED:
Message:Host Based Admin Setup (1st try): OTP_REQUIRED
Message:Unable to go to admin mode, rolling back out of client mode.

Warning/Error type – INTERNAL_ERROR due to Unauthorized WSMAN call:
Message:Creating DotNetWSManClient object...
Warning:Error (2): Intel.Manageability.WSManagement.WSManException: The remote server returned an error: (401) Unauthorized.
Message:Host Based Setup (1st try): INTERNAL_ERROR

Note: The server will re-try the installation despite these errors until the third try.

Valid warnings/errors that must be addressed

PKI domain suffix not matching the PKI certificate:
Warning/Error type – Message:Host Based Admin Setup (3rd try): AUTH_FAILED
Warning/Error type – Message:Unable to go to admin mode, rolling back out of client mode.

INTERNAL_ERROR due to Intel® Management and Security Application Local Manageability Service (LMS) not running correctly:
Warning/Error type – Warning:Error (2): Intel.Manageability.WSManagement.WSManException: The underlying connection was closed: The connection was closed unexpectedly.
Warning/Error type – Message:Host Based Setup (3rd try): INTERNAL_ERROR

WSManException due to Intel AMT FW requiring a reset:
Warning:Error (2): Intel.Manageability.WSManagement.WSManException: The underlying connection was closed: The connection was closed unexpectedly. ---> System.Net.WebException: The underlying connection was closed: The connection was closed unexpectedly.
If this does not resolve after the Intel® Manageability Server retries the setup, then shut down the Intel® AMT machine, unplug the power cable and unplug the Ethernet cable to reset the Intel® ME firmware. Then reconnect the cables and restart the machine.

Error due to full certificate store in Intel® AMT FW:
Error: .[omitted]….. Certificate Store in firmware is full and no more certificates can be added.
In this case, we suggest unprovisioning this Intel® AMT system. Then use Intel® EMA’s manual provision or auto provision to set up this system again.

Intel® AMT operation does not work, but all other features function correctly
This section applies to the scenario where Intel EMA server is installed under Use hostname only mode and the target endpoint is provisioned with Intel AMT CIRA.
If Intel AMT operation does not work, but all other features work, it is very likely that the Intel AMT CIRA firmware cannot resolve the hostname/FQDN entered during Intel EMA server installation.
To fix:
1. Unprovision the target endpoint.
2. With a clean setup and a clean/unprovisioned endpoint, perform a CIRA provision and monitor the provision events.
   a. To monitor, go to the EMAManageabilityServer’s Events tab in Platform Manager. Make sure there are no errors (a few warnings are OK).
   b. On the target endpoint, open the Intel® Management and Security Status Tool and go to the General tab. If the provision is successful, you should see two events: Configured and Remote Control Connection is Enabled.
   c. If the provision was successful, continue with the remaining steps. Otherwise, check the event and logs of the Intel® Manageability server and fix the issues.
3. On the EMASwarmServer’s Component tab (in Platform Manager), monitor the ConIntelAmt value. This is the number of active CIRA connections. If you provisioned one endpoint with CIRA and CIRA successfully established the connection to Intel EMA Swarm server, this value should be 1. If this number is not correct, restart the target endpoint and wait for one to two minutes. If the ConIntelAmt value is still incorrect, continue with the remaining steps.
4. At this point, Intel AMT CIRA firmware probably cannot resolve the hostname/FQDN. To verify this, use the fixed IP address mode to do a provision. If fixed IP address mode works, then the root cause is the name resolution issue. In that case, consult your IT administrator. Follow these steps to temporarily use the fixed IP address mode:
   a. On the Server Settings page, change the ciraserver_ip setting of the Manageability server (see "Appendix - Modifying Component Server Settings" on page 46).
   b. Save settings and restart the Manageability server.
5. Unprovision the target endpoint and re-perform the provision. This time, CIRA will use the IP address you specified above.

Uninstalling Intel® EMA server fails to drop the database
When uninstalling the Intel EMA server, you may see the warning/error: “Unable to drop database.”
To fix:
1. Open Microsoft SQL Server Management Studio and connect to your database, then check the existing databases. Determine whether the Intel EMA database is set to “Single User” mode.
2. Right-click the target database and choose Delete. Do not change any default values in the Delete option window. Delete the target database.
3. If the database is not deleted, right-click the database server and choose Restart. After the database server is restarted, try to delete the target database again.

802.1x setup fails during Intel AMT provisioning
-OR-
Active Directory user validation fails after updating to v1.5.0 or later
-OR-
Active Directory option not available during installation or update to v1.5.0 or later
Intel EMA version 1.5.0 and later uses LDAPS secure ports by default (LDAPS secure port 636 and Global Catalog port 3269). Previous versions of Intel EMA used the standard non-secure LDAP ports (LDAP port 389 and Global Catalog port 3268). If you are installing Intel EMA v 1.5.0 or later, and are using Active Directory or 802.1x integration, ensure the LDAPS ports are enabled. If you prefer to use the standard non-secure ports, then after installing Intel EMA, open the installer program again (EMAServerInstaller.exe, run as administrator) and select File > Advanced Mode, then click Settings > Switch from LDAPs to LDAP to reset the LDAP ports Intel EMA uses to the standard non-secure ports. Alternatively, you can change the ports in the Web server settings on the Server Settings page in the Intel EMA UI. If you experience problems with 802.1x setup during Intel AMT provisioning, this could be the issue. See the following link for more information: https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts.
See section 6, "Appendix - Modifying Component Server Settings" on the next page.

Intel EMA agents fail to connect to server after updating to v1.4.0 or later
This may be due to disabled TLS cipher suites. As of v1.4.0, Intel EMA restricted the usable TLS cipher suites for the agent while leaving the older cipher used by Intel AMT enabled for CIRA. Check to ensure proper TLS cipher suites are enabled. See sections 1.4.6 and 1.4.7 for more information.

Error processing MeshSettingsCertificate during update installation
During an update installation, the installer will fail with an error message "Missing, invalid, or multiple MeshSettingsCertificates found" under the following circumstances:
• No MeshSettingsCertificate was found in the Intel EMA database
• The MeshSettingsCertificate was found, but it is corrupted or in an invalid format
• Multiple MeshSettingsCertificates were found in the Intel EMA database
To fix:
Restore the last known good copy of the MeshSettingsCertificate to the Intel EMA database from backup. Be sure to remove any invalid or additional copies of the certificate before restoring from backup. See section 4.7 for information on restoring from backup.
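
A check for the LDAPS requirement in the 802.1x / Active Directory entry above, as an added example that is not part of the Intel guide: run from the Intel EMA server, it tests whether a domain controller answers on the secure ports (636, 3269) and the non-secure ports (389, 3268) the guide names, and on the secure ports completes a TLS handshake so that a certificate this machine does not trust, or a name mismatch, shows up as an error. The function name and the host dc01.example.test are placeholders.

```powershell
# Added example (not Intel's code). Probes the four directory ports named in
# the guide and, for the two secure ports, validates the TLS handshake.
function Test-EmaDirectoryPort {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$DomainController,   # use the FQDN so the certificate name check is meaningful
        [int]$TimeoutMs = 3000
    )

    $targets = @(
        @{ Port = 636;  Service = 'LDAPS';                   Tls = $true  },
        @{ Port = 3269; Service = 'Global Catalog over SSL'; Tls = $true  },
        @{ Port = 389;  Service = 'LDAP';                    Tls = $false },
        @{ Port = 3268; Service = 'Global Catalog';          Tls = $false }
    )

    foreach ($t in $targets) {
        $row = [ordered]@{
            Port        = $t.Port
            Service     = $t.Service
            TcpOpen     = $false
            TlsOk       = $null      # stays $null for the non-secure ports
            CertSubject = $null
            CertExpires = $null
            Error       = $null
        }
        $client = New-Object System.Net.Sockets.TcpClient
        $ssl = $null
        try {
            # Asynchronous connect so a filtered port fails after $TimeoutMs
            # instead of the much longer OS default.
            $pending = $client.BeginConnect($DomainController, $t.Port, $null, $null)
            if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                throw "No answer within $TimeoutMs ms"
            }
            $client.EndConnect($pending)
            $row.TcpOpen = $true

            if ($t.Tls) {
                $row.TlsOk = $false
                # Default validation: the chain must be trusted by this
                # machine and the certificate must match $DomainController.
                $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
                $ssl.AuthenticateAsClient($DomainController)
                $row.TlsOk = $true
                $row.CertSubject = $ssl.RemoteCertificate.Subject
                $row.CertExpires = $ssl.RemoteCertificate.GetExpirationDateString()
            }
        }
        catch {
            $row.Error = $_.Exception.GetBaseException().Message
        }
        finally {
            if ($ssl) { $ssl.Dispose() }
            $client.Close()
        }
        [pscustomobject]$row
    }
}

# Placeholder host name; replace with the domain controller Intel EMA uses.
Test-EmaDirectoryPort -DomainController 'dc01.example.test' | Format-Table -AutoSize
```

A row with TcpOpen true and TlsOk false points at the TLS layer (for example certificate trust or a name mismatch) rather than at a blocked port.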

6 Appendix - Modifying Component Server Settings
The settings for the various component servers (Swarm Server, Ajax Server, etc.) that comprise the Intel EMA server
can be modified using the Server Settings tab, which is accessible from the Settings selection on the vertical
navigation pane at left. To modify security settings for the component servers, select the Security Settings tab. See
section 6.5 for a list of security settings and descriptions.
The following subsections describe the settings available for each of the component servers. For each component
server, settings are listed in the order they appear in the Intel EMA user interface pages.

Note: If you change the serverIps or messagePort setting for any of the component servers, you must restart
all the component servers, not just the one whose settings you changed (in a distributed server architecture,
you must do this on all server machines). Also, you will need to recycle the Intel EMA web site's IIS application
pool to restart the Intel EMA web server when you change these two settings. For other settings, restarting
only the modified component server will suffice. If you change messagePort, make sure the new port is not
blocked by a firewall.

6.1 Swarm Server


Setting Description
UI: Admin Port
API: adminport
The port that Swarm Server's Admin TCP listener will bind to. This is for communication from other Intel EMA server processes to the Swarm server. The default is 8089.

UI: Admin Port Local
API: adminportlocal
Determines if the Admin TCP listener will only bind to the local loopback or not. Values are 0 and 1.
0 = Distributed-server environment
1 = Single server environment

UI: Agent Auto Update
API: enableAgentAutoUpdate
Boolean. Enables or disables automatic agent update. Default: Enabled.

UI: Agent Update Interval (Seconds)
API: agentUpdateIntervalSeconds
Interval in seconds between Intel EMA Agent updates. I.e., if set to 5, the Intel EMA server will wait 5 seconds before attempting to update the next agent requesting update. Default: 10. Minimum: 10. Maximum: 120.

UI: Log File Path
API: logfilepath
Path to the Intel EMA logfile.
Maximum: 248 characters
Minimum: 2 characters

UI: Enable Intel CIRA Power State Polling
API: enableCIRAPowerPolling
Enable periodic CIRA power state polling. Values are True/False. The default is True.

UI: Maximum Number of Concurrent Database Connections
API: maxdbconnections
The maximum number of concurrent DB connections for this server.

UI: Swarm Servers
API: swarmserver
List of active Swarm Servers. Includes Server ID and Server IP & Port (format IP Address: port).

UI: Server IPs
API: serverIps
List of machine IP addresses where this component server type is running. For example, if the Swarm server is running on machine ip1, ip2, and ip3, then serverIps will include all IP addresses.

UI: Message Port
API: messagePort
The TCP port this component server type is listening on to accept internal traffic from other Intel EMA components. Default 8093.

UI: TCP Connection Retry
API: tcpConnRetrySeconds
Wait time between retries when establishing communication connections between Intel EMA server components.

UI: TCP Connection Idle
API: tcpConnIdleSeconds
Interval between heartbeat messages sent between components once communications are established.

UI: Database Connection Wait Time (Minutes)
API: dbConnectionWaitTimeMinutes
Amount of time in minutes that Intel EMA will wait for getting a database connection.
Range: 1 - 10
Default: 2

UI: Database Lock Timeout Period (Seconds)
API: dbSetLockTimeoutSeconds
Amount of time in seconds that a SQL query will keep a lock.
Range: 1 - 60
Default: 2

UI: Database Retry Hold Time for a Query (Milliseconds)
API: dbRetryHoldtimeMilliSeconds
Amount of time in milliseconds that a SQL query will wait to complete. This value is multiplied by the value of Database Retry Attempts for a Query to increase the hold time in each retry.
Range: 100 - 60000
Default: 100

UI: Database Retry Attempts for a Query
API: dbRetryMaxAttempts
Number of retries to execute a failed SQL query. After reaching this value, the Swarm server will restart due to critical failure in the database.
Range: 3 - 100
Default: 5

6.2 Ajax Server


Setting Description
UI: Ajax Cookie Auto Refresh Range
API: ajaxCookieAutoRefreshRange
Range in minutes in which the Ajax cookie life can be extended.

UI: Ajax Cookie Idle Timeout
API: ajaxCookieIdleTimeout
Amount of time, in minutes, from when the cookie is added until it expires.

UI: Http Header Access Control Allow Headers
API: httpheader_Access-Control-Allow-Headers
Additional headers to set in response to the Ajax request.

UI: Log File Path
API: logfilepath
Path to the Intel EMA logfile.
Maximum: 248 characters
Minimum: 2 characters

UI: User Access Failed Max Count
API: userAccessFailedMaxCount
Number of failed password attempts before user account is locked by the Web API.

UI: Expire Sessions
API: expiresessions
Sets whether the Ajax server should expire the session or not (default is enabled).

UI: Maximum Number of Concurrent Database Connections
API: maxdbconnections
The maximum number of concurrent DB connections for this server.

UI: Server IPs
API: serverIps
List of machine IP addresses where this component server type is running. For example, if the Ajax server is running on machine ip1, ip2, and ip3, then serverIps will include all IP addresses.

UI: Swarm Servers
API: swarmserver
List of active Swarm Servers. Includes Server ID and Server IP & Port (format IP Address: port).

UI: Message Port
API: messagePort
The TCP port this component server type is listening on to accept internal traffic from other Intel EMA components. Default 8092.

6.3 Manageability Server


Setting Description
UI: CIRA Server Host
API: ciraserver_host
Hostname of the CIRA access server, which is the Swarm Server (or the Swarm Server load balancer in a distributed architecture). Only used when the installation mode is using hostname. This is used in multi-server installations.

UI: CIRA Server IP
API: ciraserver_ip
IP Address of the CIRA access server, which is the Swarm Server (or the Swarm Server load balancer in a distributed architecture). Only used when the installation mode is using IP address.

UI: CIRA Server Port
API: ciraserver_port
The port of the CIRA access server, which is the Swarm Server (or the Swarm Server load balancer in a distributed architecture). Used by the load balancer to direct incoming traffic (from CIRA) to the Swarm Server's 8080 port.

UI: Log File Path
API: logfilepath
Path to the Intel EMA logfile.
Maximum: 248 characters
Minimum: 2 characters

UI: Maximum Number of Concurrent Database Connections
API: maxdbconnections
The maximum number of concurrent database connections for this server.

UI: USBR Images Root Directory
API: usbrImagesRootDirectory
The root directory on the Intel EMA server where uploaded bootable image files (.iso and .img) are stored. Default value is C:\ProgramData\Intel\EMA\USBR.
Note: If this folder is changed by the Global Administrator after images have been uploaded, the files will not be visible or available to other users like the Tenant Administrator. The Global Administrator (system administrator) will need to manually copy the content from the original folder to the new folder before other users can access the files.

UI: Maximum USBR Image Storage Capacity per Tenant
API: maxUsbrImageStorageCapacityPerTenantInGigabytes
Disk space in GB each tenant is allowed for USBR image storage.
Default: 20 GB
Maximum: 50 GB

UI: Maximum USBR Image storage Capacity Per EMA Instance
API: maxUsbrImageStorageCapacityPerEmaInstanceInGigabytes
Total disk space in GB (for all tenants) allowed in this Intel EMA instance for USBR image storage.
Default: 50 GB
Maximum: 500 GB

UI: Maximum USBR Slot Count per Tenant
API: maxUsbrSlotCountPerTenant
Number of active USBR sessions allowed for each tenant.

UI: Maximum USBR Idle time
API: maxUsbrIdleTimeInMinutes
Length of time in minutes a USBR session can be idle before being automatically terminated.

UI: USBR Redirection Manager Loop Interval
API: usbrRedirectionManagerLoopIntervalInSeconds
Status polling interval in seconds for active USBR sessions.

UI: USBR Redirection Throttling Rate
API: usbrRedirectionThrottlingRateInMilliseconds
The delay in sending USBR file data to the target endpoint's Intel AMT firmware. This is needed in order to throttle the data rate, as certain internal data flows within Intel EMA do not work properly if the data rate is too high.
Note: CIRA based provisioning is highly recommended when using USBR. USBR is sensitive to latency and Intel EMA has optimized USBR for CIRA provisioned endpoints. If you are using TLS with relay, you will need to adjust the “USBR Redirection Throttling Rate” under the Manageability Server section in Server Settings as a Global Admin. This setting is dependent upon your unique network environment. We recommend starting at a setting of 10 milliseconds and increasing it in increments of 10 until you find a rate that works well in your network environment. It is unlikely you would need to go above 50 milliseconds. Note that increasing this setting will decrease the USBR boot performance, especially for CIRA endpoints, and should be used only for TLS with relay only instances.
Default value: 0, max value 1000, min value 0.
Suggested value = start at 10, increment by 10 to find appropriate rate for your network.

UI: File Upload Retention Period
API: fileUploadRetentionPeriodInDays
Number of days an incomplete resumable file upload would be kept, after which it would be automatically deleted.

UI: File Upload Cleanup Interval
API: fileUploadCleanupIntervalInHours
Interval in hours that file cleanup process would run to process incomplete resumable files.

UI: Swarm Servers
API: swarmserver
List of active Swarm Servers. Includes Server ID and Server IP & Port (format IP Address: port).

UI: Server IPs
API: serverIps
List of machine IP addresses where this component server type is running. For example, if the Manageability server is running on machine ip1, ip2, and ip3, then serverIps will include all IP addresses.

UI: Message Port
API: messagePort
The TCP port this component server type is listening on to accept internal traffic from other Intel EMA components. Default 8094.

UI: Audit Log Cleanup Interval (Hours)
API: AuditLogCleanupIntervalInHours
Interval in hours before cleanup of audit log records in the Intel EMA database.

UI: Audit Log Retention Period (Days)
API: AuditLogRetentionPeriodInDays
Interval in days before cleanup of audit log records in the Intel EMA database.

UI: Enable 8021X Certificate Auto Renewal
API: Is8021XCertificateRenewalEnabled
Boolean, default "True." Used to determine whether automatic 802.1x certificate renewal flows are enabled. If enabled, Intel EMA automatically renews certificates that will be expiring soon.

UI: 802.1X Certificate Renewal Window (Days)
API: Ieee8021xCertificateRenewalWindowDays
Integer. Sets the number of days prior to an 802.1x certificate's expiration at which Intel EMA flags that certificate for renewal.
Default: 30
Maximum: 90
Minimum: 1

6.4 Web Server
Note: Use the Save and Sync Web Settings button to restart the web server. Alternatively, you can run the
Intel EMA installer EMAServerInstaller.exe (as Administrator) and select Settings > Sync Web Server Settings
from the menu bar.

Setting Description
UI: Access Token Time to Live
API: AccessTokenTimeToLive
Expiration duration of the API bearer token, in seconds.

UI: Ajax Server Host
API: AjaxServerHost
Hostname or IP address of the Ajax server, or the load balancer of the Ajax servers.

UI: Enable Allowed Domains, Allowed Domains
API: EnableAllowedDomains, AllowedDomains
Used by the Ajax server. If enabled, the web server checks incoming Ajax/websocket requests to accept or reject.
AllowedDomains is a comma delimited list with example test1.intel.com,test2.intel.com.
EnableAllowedDomains is 0 (false) or 1 (true).

UI: Log File Path
API: logfilepath
Path to the Intel EMA logfile.
Maximum: 248 characters
Minimum: 2 characters

UI: Maximum Number of Concurrent Database Connections
API: maxdbconnections
The maximum number of concurrent database connections for this server.

UI: Swarm Server Host
API: SwarmServerHost
Hostname or IP address of the Swarm server, or the load balancer of the Swarm servers.

UI: Swarm Server Port
API: SwarmServerPort
8080 in single server installation or the Swarm server port exposed by the swarm server load balancer in distributed server architecture.

UI: Global Catalog Port
API: GlobalCatalogPort
The port used for connecting to the Active Directory Global Catalog. This is used to perform AD login when AD username and password are provided. Default is 3269, which is the SSL port. See note for LDAP Connection Port below.

UI: LDAP Connection Port
API: LdapConnectionPort
The port used for LDAP connection in 802.1x configuration. Default port is secure 636.
Note: Intel EMA version 1.5.0 and later uses LDAPS secure ports by default (LDAPS secure port 636 and Global Catalog port 3269). Previous versions of Intel EMA used the standard non-secure LDAP ports (LDAP port 389 and Global Catalog port 3268). If you are installing Intel EMA v 1.5.0 or later, and are using Active Directory or 802.1x integration, ensure the LDAPS ports are enabled. If you prefer to use the standard non-secure ports, then after installing Intel EMA, open the installer program again (EMAServerInstaller.exe, run as administrator) and select File > Advanced Mode, then click Settings > Switch from LDAPs to LDAP to reset the LDAP ports Intel EMA uses to the standard non-secure ports. Alternatively, you can change the ports in the Web server settings on the Server Settings page in the Intel EMA UI. If you experience problems with 802.1x setup during Intel AMT provisioning, this could be the issue. See the following link for more information: https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts.

UI: Max Access Token TTL
API: MaxAccesstokenTTL
Maximum time for API bearer tokens to be refreshed.

UI: Frontend Storage Type
API: frontendstoragetype
Allows you to specify whether Intel EMA Website runtime information should be stored in browser local storage or browser session storage. If Local Storage is used, the session will remain (no need to login again) after the front end website is closed. If Session Storage is used, the session is lost when the front end website is closed.

6.5 Security Settings


Most of the security settings below apply across the component servers, although some apply only to a specific
component server (for example, the Ajax server). Many of these settings are intended to help prevent Denial of Service
(DoS) attacks.

Note: If you change security settings for any of the component servers, you must restart all the component
servers, not just the one whose settings you changed (in a distributed server architecture, you must do this on
all server machines). Also, you will need to recycle the Intel EMA web site's IIS application pool to restart the
Intel EMA web server when you change these settings.

UI: Unauthorized TCP connection timeout
API: enableUnauthTcpConnectionIdleTimeout
Description: Boolean. When enabled Intel EMA will terminate new TCP connections that go idle and do not complete the SSL handshake to help prevent Denial of Service attacks.
Default: true.

UI: TCP connection timeout
API: unauthTcpConnectionIdleTimeoutInMilliSeconds
Description: The amount of time in milliseconds a new TCP TLS connection has to complete SSL handshake before the connection is considered idle and terminated.
Default: 5000
Maximum: 3,600,000 (1 hour)

UI: Rate Limiter
API: enableRateLimiter
Description: Boolean. When enabled Intel EMA will perform per-IP address HTTPS/TCP TLS request rate limiting to help prevent Denial of Service attacks.
Default: true.

UI: Rate Limiter Window Size
API: rateLimiterWinSizeInMilliSeconds
Description: The window size in milliseconds to use for tracking requests with per-IP address rate limiting.
Default: 200
Maximum: 3,600,000 (1 hour)

UI: Ajax HTTP Requests Max Count
API: ajaxHttpRateLimiterMaxCount
Description: The maximum number of allowed requests per-IP address in a window before requests would be rejected to the Ajax Server Web redirection port (8084).
Default: 20
Maximum: 1,000,000

UI: Recovery HTTP Requests Max Count
API: recoveryHttpRateLimiterMaxCount
Description: The maximum number of allowed requests per-IP address in a window before requests would be rejected to the Recovery Server Web redirection port (8085).
Default: 20
Maximum: 1,000,000

UI: Message Ports Requests Max Count (Before Authorization)
API: blastMessageBeforeAuthRateLimiterMaxCount
Description: The maximum number of allowed pre-authentication requests per-IP address in a window before requests would be rejected to the internal component-to-component ports (8092, 8093, 8094).
Default: 100
Maximum: 1,000,000

UI: Message Ports Requests Max Count (After Authorization)
API: blastMessageAfterAuthRateLimiterMaxCount
Description: The maximum number of allowed post-authentication requests per-IP address in a window before requests would be rejected to the internal component-to-component ports (8092, 8093, 8094).
Default: 80,000
Maximum: 1,000,000

UI: Swarm Admin Ports Request Max Count (Before Authorization)
API: adminPortBeforeAuthRateLimiterMaxCount
Description: The maximum number of allowed pre-authentication requests per-IP address in a window before requests would be rejected to the Swarm Server Admin port (8089).
Default: 20,000
Maximum: 1,000,000

UI: Swarm Admin Ports Request Max Count (After Authorization)
API: adminPortAfterAuthRateLimiterMaxCount
Description: The maximum number of allowed authenticated requests per-IP address in a window before requests would be throttled to the Swarm Server Admin port (8089).
Default: 20,000
Maximum: 1,000,000

UI: Agent Port Request Max Count (Before Authorization)
API: agentPortBeforeAuthRateLimiterMaxCount
Description: The maximum number of allowed pre-authentication requests per-IP address in a window before requests would be rejected to the Swarm Server Agent port (8080).
Default: 20
Maximum: 1,000,000

UI: Agent Port Request Max Count (After Authorization)
API: agentPortAfterAuthRateLimiterMaxCount
Description: The maximum number of allowed authenticated requests per-IP in a window before requests would be throttled to the Swarm Server Agent port (8080).
Default: 1000
Maximum: 1,000,000

UI: Connection Count Check
API: enableConnectionCountChecker
Description: Boolean. When enabled Intel EMA will limit the TCP TLS connection count per-IP address to help prevent Denial of Service attacks.
Default: true.

UI: Message Port (connections per port)
API: blastMessageConnCountChecker
Description: The maximum number of connections per-IP address allowed to the internal component-to-component ports (8092, 8093, 8094).
Default: 20
Maximum: 1,000,000

UI: Admin Port (connections per port)
API: swarmAdminPortConnCountChecker
Description: The maximum number of connections per-IP address allowed to the Swarm Server Admin port (8089).
Default: 20,000
Maximum: 1,000,000

UI: Swarm Agent Port (connections per port)
API: swarmAgentPortConnCountChecker
Description: The maximum number of connections per-IP address allowed to the Swarm Server Agent port (8080).
Default: 20,000
Maximum: 1,000,000
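
How the rate limiter window size and the per-port maximum counts above interact, as an added example (not Intel EMA code and not part of the original guide). It assumes a fixed-window counter, since the guide does not say which algorithm the server uses, and applies the documented defaults for the Swarm Server Agent port. The NAT address, the endpoint count and the one-request-per-endpoint burst are constructed.

```python
"""Model of per-IP rate limiting with the defaults from the Security Settings table.
Assumption: a fixed window that resets every rateLimiterWinSizeInMilliSeconds; the
guide does not state which windowing algorithm Intel EMA uses."""
from collections import defaultdict

WINDOW_MS = 200              # rateLimiterWinSizeInMilliSeconds (default)
AGENT_PRE_AUTH_MAX = 20      # agentPortBeforeAuthRateLimiterMaxCount (default)


class FixedWindowLimiter:
    """Counts requests per (source IP, window index) and rejects past max_count."""

    def __init__(self, max_count, window_ms):
        self.max_count = max_count
        self.window_ms = window_ms
        self.counts = defaultdict(int)

    def allow(self, ip, t_ms):
        key = (ip, t_ms // self.window_ms)
        self.counts[key] += 1
        return self.counts[key] <= self.max_count


def sustained_rate_per_ip(max_count, window_ms):
    """Highest steady request rate (requests/second) one source IP can hold."""
    return max_count * 1000 / window_ms


def rejected_per_ip(arrivals, max_count, window_ms):
    """arrivals: iterable of (t_ms, ip). Returns {ip: number of rejected requests}."""
    limiter = FixedWindowLimiter(max_count, window_ms)
    rejected = defaultdict(int)
    for t_ms, ip in sorted(arrivals):
        if not limiter.allow(ip, t_ms):
            rejected[ip] += 1
    return dict(rejected)


def reconnect_burst(n_endpoints, ip, spread_ms):
    """Constructed sample: n endpoints behind one NAT address, each sending one
    pre-authentication request, spaced evenly over spread_ms."""
    return [(i * spread_ms // n_endpoints, ip) for i in range(n_endpoints)]


if __name__ == "__main__":
    nat_ip = "203.0.113.10"  # documentation address (RFC 5737), constructed
    print("agent port pre-auth req/s per IP:",
          sustained_rate_per_ip(AGENT_PRE_AUTH_MAX, WINDOW_MS))
    for spread in (200, 1000):
        burst = reconnect_burst(50, nat_ip, spread)
        print(f"50 endpoints over {spread} ms ->",
              rejected_per_ip(burst, AGENT_PRE_AUTH_MAX, WINDOW_MS))
```

Because the limits are per source IP address, endpoints that share one egress address share a single budget, which is worth checking before lowering a maximum count or widening the window.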

6.6 Recovery Server Settings


The settings below are provided to support future Intel platforms.

UI: Log File Path
API: logfilepath
Description: Path to the Intel EMA logfile.
Maximum: 248 characters
Minimum: 2 characters

UI: Maximum Number of Concurrent Database Connections
API: maxdbconnections
Description: The maximum number of concurrent database connections for this server.

UI: Message Port
API: messagePort
Description: The TCP port this component server type is listening on to accept internal traffic from other Intel EMA components. Default 8095.

UI: Recovery Port
API: RecoveryPort
Description: Port to be used for recovery. Default 8085.
Note: If you change the default port, you will be prompted to update port bindings by running the following commands in admin mode on each recovery server in this Intel EMA installation (items in brackets <> are provided in the prompt popup dialog):
netsh http delete sslcert ipport=<original port number>
netsh http add sslcert ipport=<new port number> certhash=<certificate hash> appid={3a6739cf-6707-4623-a073-34b6b7a51b1d}

UI: Recovery Port Enabled
API: RecoveryPortEnabled
Description: Boolean, default "True." Specifies whether or not the recovery port is enabled.

UI: Server IPs
API: serverIps
Description: List of machine IP addresses where this component server type is running. For example, if the Ajax server is running on machine ip1, ip2, and ip3, then serverIps will include all IP addresses.

7 Appendix – Domain/Windows Authentication Setup
The Intel® EMA installer sets up the fundamental settings for domain/Windows authentication if it is installed under
domain/Windows authentication mode. However, there are many different network infrastructure scenarios. Some of
the scenarios require the IT administrators to perform extra steps.

7.1 Server Connection Information Set at Installation


While running the Intel EMA installer, we suggest entering the NetBIOS hostname or NetBIOS FQDN of your machine in the
Hostname field of the External Identity setup. You still need to make sure that other endpoints or other client web
browsers can connect to the value you entered here. You can find your NetBIOS name by right-clicking This PC in
Windows File Explorer, and choosing Properties.

If you decide to use another value (e.g., in a load balancing scenario), follow IT practice to set up the Service Principal
Name (SPN) after Intel® EMA is installed.

7.2 IIS Website’s Authentication and .NET Authorization

Intel EMA sets the following properties (differently from most default IIS website setups) for the Intel® EMA website
when it is installed under domain/Windows authentication mode:
• At IIS \ Authentication, also enable “Anonymous Authentication” with “Application Pool Identity”
• At ASP.NET \ .NET Authorization Rules, “Anonymous Users” need to be allowed
Please double check that these properties are set correctly.

7.3 Internet Explorer Used by the End User


For the domain/Windows authentication to work correctly, the Intel EMA website should be recognized as being in
the Local Intranet zone. You can verify the zone by right-clicking on the Intel EMA web page, and then choosing
Properties.
Some users may have Display intranet sites in Compatibility View selected (checked) under the Compatibility View
Settings in Internet Explorer. This needs to be unchecked; otherwise, the Intel EMA website will not work correctly.

7.4 Optional – Grant Permission to Website Content


There are several options for setting up this permission, e.g., NTFS or URL Authorization. IT administrators need to
set it up based on their specific infrastructure needs.

7.5 Optional – Double-hop Structure


In a normal Intel EMA installation, you don’t need to do this. However, if you need to support special double-hop
authentication, e.g., passing the logged-in credential to another backend server, then you need to set up several extra
settings, e.g., Delegation at AD’s Computer object for your server machine. Please follow standard IT practice.

7.6 References
• https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/
• https://blogs.msdn.microsoft.com/webtopics/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-07-5/
• https://support.microsoft.com/en-us/help/326214/how-to-configure-user-and-group-access-on-an-intranet-in-windows-serve
• https://weblogs.asp.net/owscott/iis-using-windows-authentication-with-minimal-permissions-granted-to-disk
• https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/anonymousauthentication
• https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831722(v=ws.11)

8 Appendix – Configuring 802.1X for Active Directory
This section is intended for Intel® EMA Global Administrators who want to enable 802.1X authentication for Intel®
AMT. If your Tenant Administrators plan to configure 802.1x profiles for use in their Tenant-specific Intel AMT
profiles, the Global Administrator must configure 802.1x for Active Directory Domain Services, specifically an Active
Directory Organizational Unit (OU) and Active Directory Certificate Service certificate template, as described in this
section. Note that the configuration described here is just one possible configuration. Those highly familiar with
802.1x configuration may wish to deviate from this configuration.
Intel EMA supports Extensible Authentication Protocol (EAP).

Note: This section focuses on configuration for the Intel EMA server system to enable 802.1x authentication
at the overall server level as a prerequisite for configuring 802.1x profiles for a specific Tenant in Intel EMA.
For information on configuring an 802.1x profile for a specific Tenant usage space, see the Intel® EMA
Administration and Usage Guide.

8.1 Active Directory Domain Services


During Intel AMT configuration of an endpoint, Intel EMA creates an Intel AMT computer object (identified by -iME
suffix) within the AD OU as defined in the 802.1x profile. This object is used by Intel AMT to support Kerberos
authentication. Note that the AD OU requires full permissions for the user account running the Intel EMA
Manageability Server. Follow the steps below to create an AD OU for this purpose.
1. Add an Organizational Unit to the AD Domain to which the endpoint belongs. The example below uses the
domain VPRODEMO.COM and the Organizational Unit VProDevComputers.
Figure 1: Add a new Organization Unit

2. Add privileges for the Intel EMA server user account.
a. Add the user account or a security group to which the user account belongs to the Security tab of the
Organizational Unit where the AD Computer objects for 802.1X authentication will be created. Ensure
that this account or security group has all available permissions allowed, and edit the Advanced Security
Settings to apply this group's privileges to “This object and all descendant objects.”
Figure 2: Modify Security list of the OU

Figure 3: Modify advanced security settings

8.2 Active Directory Certificate Services


Note: This section is not required for EAP_PEAP_MSCHAP_V2.

EAP-TLS requires both a Client Authentication certificate and a Trusted Root certificate. The Intel AMT 802.1x
client certificate requires an Active Directory Certificate Service certificate. A duplicate of the Workstation
authentication template with the specific properties described in step 2 below can be used.
1. Choose the Certification Authority (Enterprise root CA) that is associated with your specific 802.1x
environment configuration; the example below uses VPRODEMO-WIN-GUVUHKBNQ69-CA.
Figure 4: Certification Authority list

2. Create a Certificate Template: AMTComputer. This is a duplicate template based on the Workstation
Authentication template.
Figure 5: Certificate Templates list

a. Right-click AMTComputer and select Properties.


b. On the Subject Name tab, select Supply in the request.
c. On the Request Handling tab, if you plan to use the Microsoft Certificate Authority for certificate
configuration under Client Authentication in your 802.1x profile (recommended, see the Intel® EMA
Administration and Usage Guide), leave the box Allow private key to be exported unselected
(recommended). If you plan to select "From Database" instead of Microsoft Certificate Authority in
your 802.1x profile, then select this checkbox.
d. On the Security tab, grant Read and Enroll permission to Domain Computers. (Also add Everyone for
manual enrollment.)
e. Enable the template in the Certification Authority (right-click on Certificate Template and select New
> Certificate Template to Issue).
