Summary
Provides solutions to handle duplicate endpoints in Intel® EMA
Description
Steps and explanations for handling the scenario in which duplicated endpoints cannot be removed.
Resolution
To prevent duplicate endpoints from appearing, follow these steps:
- When re-installing the OS or decommissioning an endpoint:
  - During the OS reinstallation or endpoint decommissioning process, unprovision Intel® AMT or Intel Standard Manageability on the endpoint.
    - The Intel® EMA Configuration Tool is a command-line tool that can be used locally on the endpoint to unprovision Intel® AMT or Intel Standard Manageability. See the Intel® Endpoint Management Assistant Configuration Tool (Intel® EMA Configuration Tool) User Guide.
    - Unprovisioning can also be initiated through Intel® EMA. Make sure that Intel® EMA completes the unprovisioning process before installing the Intel® EMA agent or shutting down the endpoint’s OS.
    - Manual unprovisioning via the MEBX directly on the endpoint is also an option. See: Manual unprovision.
  - If it is not always possible to unprovision prior to OS (Operating System) reinstallation or decommissioning, attempt to unprovision Intel® AMT or Intel Standard Manageability as part of the endpoint build process before the initial installation of the Intel® EMA agent.
  - Remove the old endpoint record in Intel® EMA by selecting the Stop managing endpoint action. This action can also be scripted using Intel® EMA’s REST API.
To resolve endpoints that are already duplicated, do the following:
- Ensure that the above preventative steps have been taken to avoid adding new duplicate endpoints to the Intel® EMA deployment.
There are a few options to resolve duplicate endpoints:
- For duplicate endpoints with the same hostname, a database script is available to merge duplicate endpoint entries. Contact Intel Customer Support or see the article "Why are Intel® Endpoint Management Assistant (Intel® EMA) Endpoints Showing Duplicated After Re-imaging?"
- Unprovision Intel® AMT on the endpoint using one of the approaches described above. Then select the Stop managing endpoint action for the older endpoint. If the endpoint’s group is configured with Intel® AMT auto setup, Intel® EMA will automatically attempt to reprovision Intel® AMT or Intel Standard Manageability so that it is associated with the newer endpoint. (NOTE: Before unprovisioning, if using Certificate-Based Provisioning to Admin Control Mode, consider whether conditions will allow the EMA agent to successfully reprovision. If this is a concern, see the provisioning adoption option below.)
- Select the Stop managing endpoint action for the older endpoint. Record any randomized passwords – the AMT admin password is required to adopt an endpoint provisioned using Certificate-Based Provisioning to Admin Control Mode. Use the REST API to adopt the system’s provisioning to the newer endpoint record. PowerShell scripts demonstrating this API call are available in the Intel® EMA API Sample Scripts package.
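The PowerShell below is an added example, not part of Intel's article or the Intel® EMA API Sample Scripts package. It triages an endpoint inventory for duplicate hostnames and maps each stale record to the options listed above. The column names (Hostname, EndpointId, AgentLastSeen, AmtProvisioned), the sample rows, and the rule that the most recent agent check-in marks the newer endpoint are assumptions made for this example; they are not Intel® EMA's export or REST API schema.

```powershell
# Constructed sample inventory. Column names are assumptions for this example,
# not the Intel EMA export or REST API schema.
$inventory = @'
Hostname,EndpointId,AgentLastSeen,AmtProvisioned
LAB-PC-01,EXAMPLE-ID-0001,2024-01-10T08:00:00Z,True
LAB-PC-01,EXAMPLE-ID-0002,2024-03-02T09:30:00Z,False
LAB-PC-02,EXAMPLE-ID-0003,2024-03-01T12:00:00Z,True
lab-pc-03,EXAMPLE-ID-0004,2023-11-20T07:15:00Z,False
LAB-PC-03,EXAMPLE-ID-0005,2024-02-14T16:45:00Z,False
'@ | ConvertFrom-Csv

function Get-DuplicateEndpointPlan {
    param([Parameter(Mandatory)][object[]]$Records)

    $inv = [cultureinfo]::InvariantCulture
    $Records |
        Group-Object -Property { $_.Hostname.Trim().ToUpperInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            # Assumption: the record whose agent checked in most recently is the
            # newer endpoint; every other record for the hostname is stale.
            $sorted = @($_.Group | Sort-Object -Descending -Property {
                    [datetimeoffset]::Parse($_.AgentLastSeen, $inv) })
            $keep = $sorted[0]
            foreach ($old in @($sorted | Select-Object -Skip 1)) {
                # Out-of-band (AMT/CIRA) association stays with the original ID,
                # so a stale record that still holds AMT needs extra handling.
                $holdsAmt = [bool]::Parse($old.AmtProvisioned)
                $action = if ($holdsAmt) {
                    'Unprovision AMT then Stop managing endpoint, or Stop managing and adopt provisioning to the kept record'
                } else {
                    'Stop managing endpoint'
                }
                [pscustomobject]@{
                    Hostname        = $keep.Hostname
                    KeepEndpointId  = $keep.EndpointId
                    StaleEndpointId = $old.EndpointId
                    StaleHoldsAmt   = $holdsAmt
                    Action          = $action
                }
            }
        }
}

Get-DuplicateEndpointPlan -Records $inventory | Format-List
```

The function only reports; it does not call Intel® EMA. Review each row before acting, and record the AMT admin password first where the stale record was provisioned with Certificate-Based Provisioning to Admin Control Mode.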
Additional information
Why do duplicate endpoints appear in Intel® EMA?
- Duplicate endpoints commonly appear when an endpoint's operating system is re-installed, and the EMA agent is installed in the new OS.
- The Intel® EMA agent generates a unique endpoint ID for each endpoint based on a certificate created during its first execution on the endpoint. If the certificate is not available when the Intel® EMA agent starts running, a new certificate is generated, resulting in a change of the endpoint's ID and the appearance of a duplicate endpoint entry in Intel® EMA.
- This change in endpoint ID does not alter the configuration of Intel® AMT or Intel Standard Manageability, so out-of-band connectivity (including AMT CIRA connectivity) remains associated with the original endpoint ID.
- Another cause of duplicate endpoints is a BIOS update that resets the Trusted Platform Module (TPM), invalidating the certificate mentioned earlier. This change also leads to a change in the endpoint's ID and the appearance of a duplicate endpoint entry in Intel® EMA.
- Uninstalling and reinstalling the Intel® EMA agent should not generate a duplicate endpoint entry unless the certificate is intentionally deleted, or the OS is deleted and reinstalled. The certificate is typically not deleted during agent uninstallation, and the endpoint's ID should remain the same during the uninstallation/reinstallation process.