Support Knowledge Base

Unable to Provision Intel® EMA in Admin Control Mode (ACM) with invalid domains at DHCP Option 15

Content Type: Troubleshooting | Article ID: 000100444 | Last Reviewed: 04/11/2025

Description Resolution Additional information

Environment

Operating System

Windows Server 2022 Family, Windows Server 2019 family*

Intel® Active Management Technology (AMT), Admin Control Mode (ACM), DHCP server with invalid Option 15 settings (e.g., .local, .corp), Public Certificates (e.g., intel.com)

Description

Customer is unable to provision Intel® EMA in Admin Control Mode (ACM).
Invalid DHCP Option 15 environments include local certificate domains such as .local, .corp, or self-certificates.

Resolution

To resolve the issue of provisioning Intel® EMA in ACM with invalid DHCP Option 15 environments, follow these steps:

Check for the FQDN in the Platform Manager on the Intel EMA Server:
- Open This PC.
- Go to Local Disk (C:).
- Open Program Files (x86).
- Find and open Platform Manager.
- Open Intel Platform Manager.
- Go to Settings.
Check if the DNS Suffix is the Same on the TLS/SSL Certificate as on the MEBx:
- Verify that the DNS Suffix on the TLS/SSL certificate matches the one set in the MEBx.
Resolve the Issue of Provisioning Intel® AMT in ACM with Invalid DHCP Option 15 Environments:
- Ensure Valid Intel® AMT Provisioning Certificate:
  - Obtain a valid Intel® AMT Provisioning certificate from a trusted Public CA (e.g., DigiCert, GoDaddy, Sectigo).
  - The certificate's Common Name (CN) domain name part must be a public DNS domain name owned by the customer (e.g., vprodemo.com).
  - The Enhanced Key Usage (EKU) field must contain the Intel AMT unique OID (2.16.840.1.113741.1.2.3).
- Configure Intel AMT to ACM:
  - Connect the Intel® vPro system's AMT Wired LAN to a Wired Ethernet LAN with a DHCP server supporting Option 15 set to the AMT certificate domain name part of CN.
  - Alternatively, set the Public Key Infrastructure (PKI) DNS Suffix field in AMT firmware to the AMT certificate domain name part of CN.
- Workarounds for Invalid DHCP Option 15 Environments:
  - Change DHCP Server IP Option 15:
    - Set the DHCP server IP Option 15 value to a public DNS domain name owned by the customer (e.g., vprodemo.com).
    - This change should be applied only to the IP scope assigned to Intel.

Additional information

Intel® AMT configuration to ACM over Wi-Fi does not validate the AMT certificate CN against Wireless LAN DHCP Option 15.
Wired LAN DHCP Option 15 is visible in the OS output of the ipconfig /all command as the Ethernet adapter Connection-specific DNS Suffix value.
For detailed guidance on setting up DHCP server policies, refer to the attached guide for MS server DHCP service or consult your DHCP server vendor.

Related Information

How to Create a Self-Certificate Hash for Intel® Active Management Technology (Intel® AMT) Version 14 or Higher
How to Provision a LAN-Less Endpoint with Intel® EMA

Related Products

This article applies to 2 products.

Intel® Endpoint Management Assistant (Intel® EMA) Intel® Active Management Technology (Intel® AMT)

Need more help?

Contact support