McAfee ePO Deep Command 1.5 Installation Guide - Discover and Report All Intel AMT Capable Systems in the Environment

Version 4

    Discover and Report All Intel AMT Capable Systems in the Environment

     

    Task: Deploy ePO Deep Command Discovery Plug-In

     

    McAfee Deep Command can only be installed on systems where Intel AMT is present. All Intel AMT hardware is delivered in an unconfigured state. Therefore, the first step of a McAfee Deep Command deployment is to assess the AMT configuration status of your environment and then use Deep Command to configure AMT if necessary.

     

    The McAfee Deep Command Discovery and Reporting software can be used to assess the Intel AMT configuration status of your environment. This software is available for free to all McAfee customers. It will be listed in the ePO Console Software Manager as shown below. See the product guide for instructions on installing and using the discovery and reporting software.

     

    [Image: discovery in sw mgr.png (Discovery and Reporting software listed in the ePO Console Software Manager)]

     

    Data collected by the ePO Deep Command Discovery Plug-In is summarized in the Intel® AMT Summary Dashboard as shown below. It can also be obtained through Queries and Reports.

     

    [Image: 2011-09-28_141118.png (Intel® AMT Summary Dashboard)]

     

    Task: Analyze Intel® AMT Summary Dashboard

    The collected data provides key information for determining next steps. The questions below are the key points to determine from the information collected.

     

    Does the System Have an Intel Management Engine Interface (MEI) Driver?

    The MEI driver allows software in the client operating system to access the Intel AMT firmware. This driver must be present for the Deep Command Discovery and Reporting software to get all the AMT details from the system. This data is displayed in the Systems without Intel MEI Driver monitor in the Deep Command dashboard. If the dashboard reports that systems do not have the MEI driver installed, then you should deploy the appropriate MEI drivers in your environment before pursuing AMT configuration or Deep Command deployment tasks. Windows Update will deploy MEI drivers to all Intel vPro hardware from 2010 and newer. For older systems, MEI drivers must be obtained from the hardware manufacturer.

     

    What is the AMT Provisioning State?

    It is possible that Intel AMT is already configured on clients in your environment. This may have been done by another product that supports Intel AMT, such as Microsoft SCCM. The first determination to make is whether or not the clients are in a pre-provisioned or in-provisioning state. This is shown in the Intel AMT Provisioning State monitor in the dashboard. A status of pre-provisioned means that the clients have factory default settings and do not have any AMT configuration defined. Systems in the in-provisioning state may be partially configured, but can be treated like systems that are in the pre-provisioned state. Systems in any other state require further analysis to determine if they are configured in a way that is compatible with McAfee Deep Command. In many cases, incompatible configurations can be remedied by simply re-configuring the client with a delta configuration file.

     

    What is the Client’s Connection-Specific DNS Suffix?

    AMT configuration uses an SSL certificate to establish trust between the Intel Remote Configuration Service (RCS) and the Intel AMT client. It is absolutely critical that the client’s LAN-based connection-specific DNS suffix matches what is entered in the certificate signing request for the SSL certificate. You can determine a system’s connection-specific DNS suffix by simply running ipconfig on that system. This value should match the value of option 15 in your DHCP scope.

     

    Note: Intel provides detailed instructions for obtaining a properly formatted SSL certificate for use as a vPro remote configuration cert.

     

    Note: If you have a multi-domain environment, you will need to purchase multiple SSL certificates and place them all in the personal certificate store for the user running the RCS service on the ePO server. This topic is outside the scope of this document. More information is available from the Intel vPro Expert Center (http://www.intel.com/go/vproexpert) or from supporting Certificate Authorities.
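
    The suffix check described above can be scripted on a client. The following PowerShell is an added example, not part of the McAfee or Intel tooling; it assumes PowerShell 3.0 or later, the function name Test-AmtDnsSuffix is hypothetical, and corp.example.com is a constructed placeholder for the suffix used in your certificate signing request. It accepts several suffixes to cover the multi-domain case, and it lists every IP-enabled adapter, so read the row for the wired LAN connection.

```powershell
# Added example: compare each adapter's connection-specific DNS suffix with the
# suffix(es) entered in the remote configuration certificate request(s).
function Test-AmtDnsSuffix {
    [CmdletBinding()]
    param(
        # One suffix per certificate; several values cover a multi-domain environment.
        [Parameter(Mandatory)]
        [string[]]$ExpectedSuffix
    )

    # DNS names are case-insensitive and may carry a trailing dot, so normalize first.
    $expected = @($ExpectedSuffix | ForEach-Object { $_.Trim().TrimEnd('.').ToLowerInvariant() })

    # DNSDomain holds the per-adapter suffix, the value ipconfig lists as
    # "Connection-specific DNS Suffix" (supplied by DHCP option 15 on DHCP clients).
    $adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

    foreach ($adapter in $adapters) {
        $suffix = ''
        if ($adapter.DNSDomain) {
            $suffix = $adapter.DNSDomain.Trim().TrimEnd('.').ToLowerInvariant()
        }

        # An empty suffix is reported separately: it usually means option 15 is not
        # being delivered to this adapter, which is a different fix from a wrong value.
        $status = if (-not $suffix) { 'NoSuffix' } elseif ($expected -contains $suffix) { 'Match' } else { 'Mismatch' }

        [pscustomobject]@{
            Adapter     = $adapter.Description
            DhcpEnabled = $adapter.DHCPEnabled
            DnsSuffix   = $suffix
            Status      = $status
        }
    }
}

# Constructed placeholder value; replace with the suffix from your own CSR.
Test-AmtDnsSuffix -ExpectedSuffix 'corp.example.com' | Format-Table -AutoSize
```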

     

    Does the Client Meet the Installation Requirements for McAfee Deep Command?

    Deep Command should only be installed on systems with Intel AMT hardware. Any system that appears in the dashboard in the Pre Configuration state and does not appear in the Systems Without MEI Driver list is ready for Deep Command deployment.

     

     

    More resources for installing McAfee Deep Command 1.5

     

    McAfee ePO Deep Command 1.5 Installation Guide - Introduction

     

    Step 1: Discover and Report All Intel AMT Capable Systems in the Environment

    Step 2: Install Intel SCS

    Step 3: Install McAfee ePO Deep Command Server Components

    Step 4: Deploy Deep Command

     

    Note: There are many ways to configure Intel AMT hardware. This document references a method known as remote configuration. This requires the use of an SSL certificate. While this is recommended for production deployments, you might consider an alternative configuration method for test environments. McAfee recommends using the host based configuration method for test or proof-of-concept environments.

     

    Appendix A: Installing Microsoft Certificate Authority with Web Enrollment

    Appendix B: Manually Importing the Microsoft Certificate Authority Root Certificate on McAfee ePO Server or Agent Handler

    Appendix C: McAfee ePO Deep Command 1.5 Setup Checklist