McAfee Deep Command Installation Guide - Step 3

Version 9

    Install Intel® AMT and McAfee ePO Server Components


    Task: Install Intel® SCS on McAfee ePO Server

    The Intel Setup and Configuration Service (SCS) must be installed on a server in order for Intel® AMT clients to complete the configuration process. This can be run on a dedicated server, but for most environments it is safe to run this service on the McAfee ePO server.


    Note: Intel SCS is not needed if another product in your environment is already setup to configure Intel AMT clients (e.g. Microsoft SCCM).


    Intel SCS is freely available at

         NOTE: You should copy and paste the above URL into a new browser tab.

    Download and extract the Intel SCS 8 installation kit.  The Intel SCS installer, located under the extracted RCS directory, will install both the Remote Configuration Service and the AMT Configuration Utility (ACU) Wizard.

         Note: The Intel SCS 8 Deployment Guide is also available for download at the above URL


    The Remote Configuration Service runs on the server and handles communication with the AMT clients. The ACU Wizard is used to create configuration profiles; these profiles are used to apply the desired Intel® AMT firmware settings during the configuration process.


    Login to the McAfee ePO server and run IntelSCSInstaller.exe



    In the Welcome screen, select both Service and Wizard. Then click Next to proceed.



    Accept the license agreement and proceed to the Service Logon Screen. Enter the credentials for your service account that was created earlier in the installation guide.  Click Next to proceed.



    Then complete the installation wizard with the default settings.


    Task: Create Intel® AMT Configuration Profile

    Completing the SCS installation will launch the Intel Active Management Technology Configuration Utility.


    Click the second option entitled Create Settings to Configure Multiple Systems to start the process of creating an Intel AMT configuration profile.



    In the Intel Active Management Technology Profile Designer, click the New button to begin creating an Intel® AMT profile.


    In the Getting Started screen, enter a profile name (AMTConfigProfile is used in this example). Also ensure that Configuration / Reconfiguration is selected.   Click Next to proceed.



    In the Optional Settings screen, check the box for Transport Layer Security (TLS). This is required by McAfee Deep Command. Click Next to proceed.



    In the Transport Layer Security screen, the Certificate Authority pull-down list is populated based on Microsoft Active Directory registered CAs.  If the expected value is not shown by default or in the drop-down menu, enter the fully qualified distinguished name of your Microsoft Certificate Authority. In this example the server name is McAfee, the domain name is and the name of the certificate authority is RootCA. Set Server Certificate Template to WebServer. Then click Next to proceed.



    In the System Settings screen, set the options as depicted in the image below. For the password fields, you are establishing the passwords for these functions. McAfee recommends using strong passwords. The information icons will provide additional guidance on permissible passwords. When done, click Next to proceed.


         Note: The password applied for Intel® AMT Admin User will be ePO Console screens later in the next Task of this document.


    On the Finish screen, click Finish to create the profile. The profile will now be visible in the Profile Designer. This profile will be stored on the server and be available for use by the Remote Configuration Service. When clients start the configuration process, they can be set to use this profile for their configuration.




    Task: Install and Configure McAfee Deep Command in ePO

    Like all other endpoint security products, McAfee Deep Command requires that extensions be installed and packages be checked-in to McAfee ePO. Please see the McAfee Deep Command Product Guide for instructions on installing the extension and checking-in the packages in McAfee ePO. This document is attached to this post and also available in the documentation directory of the software package.


    The product is listed on the McAfee download site as McAfee ePO Deep Command. This guide does not make use of the ePO DC Gateway component or the ePO SCCM component. You only need the ePO DC and ePO DC Reports extensions, along with the ePO DC Client package. Install those two extensions and check in the one package, and then proceed with the next steps.


    Once Deep Command is installed, go to Menu > Configuration > Server Settings in ePO.



    From the Settings Categories list, select Intel AMT Credentials and click Edit to proceed.



    In the Edit Intel AMT Credentials screen, enter the Intel® AMT admin user credentials that were established while creating your AMT configuration profile. Then import the trusted root certificate from your Microsoft Certificate Authority (this is the rootcert.cer file that we created in Step 2 of this guide). Then click Save to proceed.


    McAfee Deep Command is now configured and ready for use, but ePO will not be able to perform Deep Command functions until the endpoints have been through the AMT configuration process and the Deep Command agent has been deployed.


    Task: Create Deep Command Deployment Task

    Deep Command includes a client agent that works in conjunction with fully configured Intel® AMT systems. McAfee ePO will automatically assign an AMT tag to systems that are fully configured, so the Deep Command client agent deployment task will be built so that it only goes to systems that have the AMT tag.


    Login to McAfee ePO and select Menu > Policy > Client Task Catalog

    Win 2K8R2 ePO46 Dev-2011-12-14-16-41-56.png


    Click New Task and then select Product Deployment. In the New Task screen, give the task a name. Set the Target platform to Windows. In the Products and components drop-down menu, select McAfee ePO Deep Command Client. Then click Save to proceed.

    Win 2K8R2 ePO46 Dev-2011-12-14-16-44-32.png


    The task will now appear in the Client Task Catalog. Click Assign to proceed.

    Win 2K8R2 ePO46 Dev-2011-12-14-16-45-42.png


    In the Select a group to assign the task screen, select My Organization and click OK to proceed.

    Win 2K8R2 ePO46 Dev-2011-12-14-16-46-05.png


    In the Client Task Assignment Builder, select McAfee Agent > Product Deployment > Deploy Deep Command 1.0.


    In the Tags section, select Send this task to only computers which have the following criteria. In the Has any of these tags section, click Edit. Choose the AMT tag from the drop-down menu. Then click Save to proceed.

    Win 2K8R2 ePO46 Dev-2011-12-14-16-50-18.png


    In the Schedule screen, enable the task and then set the schedule. In this example the task is run daily at 1:15PM with 30 minutes of randomization. If a system misses the task, the agent will run the missed task during the next policy enforcement.  This is useful for laptops that may be shutdown at the scheduled time. Click Save to proceed.

    Win 2K8R2 ePO46 Dev-2011-12-14-16-54-11.png


    Review the client task summary and then click Save to complete the process. The task is now in place, but it will only start deploying Deep Command to systems that report as AMT Fully Provisioned. If your systems are not yet provisioned, please read McAfee Deep Command Installation Guide - Step 4.



    More resources for installing McAfee Deep Command

    McAfee Deep Command Installation Guide Introduction


    Step 1: Discover and Report All Intel AMT Capable Systems in the Environment
    Step 2: Configure Certificates for Intel AMT
    Step 3: Install Intel AMT and McAfee ePO Server Components

    Step 4: Configure Intel AMT Clients and Deploy McAfee Deep Command


    Appendix A: Installing Microsoft Certificate Authority with Web Enrollment

    Appendix B: Manually Importing the Microsoft Certificate Authority Root Certificate on McAfee ePO Server or Agent Handler

    Appendix C: McAfee Deep Command Setup Checklist