How to Troubleshoot a Client Initiated Remote Access (CIRA) Connection in an Intel® Endpoint Management Assistant (Intel® EMA) Environment

Unable to connect in Client Control Mode (CCM) or Admin Control Mode (ACM) via Client Initiated Remote Access (CIRA).

1. Determine if the system is Intel® Active Management Technology (Intel® AMT)–capable before proceeding. You can follow the instructions in the article Using the Intel® Endpoint Management Assistant Configuration tool (Intel® EMA Configuration Tool).
2. If a remote provisioning certificate is already installed, ensure DHCP Option15 is set to the appropriate DNS Suffix, and then skip to Step 4.
3. Verify that the PKI DNS Suffix in Intel® Management BIOS Extension (Intel® MEBX) has been configured. This is persistent after doing a full un-provision.

   Note	The only way to see the TLS PKI screen is after doing a full un-provision via EMA, ACUConfig, or directly in Intel® Management BIOS Extension (Intel® MEBX). It can be found in the Remote Setup and Configuration tab in Intel MEBX.

   This must be set to get CIRA mode.
   The DNS suffix needs to be the same as the provisioning cert. Also, you can do an ipconfig /all and verify the DNS suffix on the physical Ethernet interface.
   Setting up Intel AMT initially requires being on a wired interface before wireless is supported when activating in Admin Control Mode.

4. Intel AMT CIRA makes use of the Intel AMT feature environment detection. When the endpoint system’s network domain matches the configured CIRA domain, Intel AMT will not start the CIRA connection. To force Intel AMT to always open a CIRA tunnel, enter a fake domain suffix in the CIRA intranet suffix field under General settings when creating your Intel AMT profile. This fake domain suffix should be complex enough to prevent anyone from guessing it and therefore using it to prevent a CIRA connection and open local management ports.

5. Verify that Local Manageability Service (LMS) drivers are installed from Intel® Management Engine Drivers for Windows® 10 and Windows® 11 or from their Original Equipment Manufacturer (OEM) site.
6. Then get connection status from the Intel® Management and Security Status tool.
7. Verify that the network information shows link status is up and Dynamic Host Configuration Protocol (DHCP). Remote management requires DHCP. Static IP (Internet Protocol) addresses do not work.
8. Install MeshCommander and see if the server can be seen.
9. Check Internet Settings and what the network interface is saying.