McAfee Deep Command Installation Guide - Step 4

Version 5

    Configure Intel AMT Clients and Deploy McAfee Deep Command

    With the server components installed and configured, client-side AMT configuration and Deep Command installation can now be done.  If Intel AMT is not already configured, this section will first show how to manually configure AMT on a client and how to do this in an automated fashion. Once that is complete, the ePO server will start deploying Deep Command because of the deployment task that was created in step 3 of this document.


    Task: Manually Configure an Intel AMT Client

    This task will illustrate the process for configuring AMT clients and will also validate that the server-side components were correctly installed and configured. Intel AMT is configured by applying the settings in the configuration file to the firmware on the AMT client. The ACUConfig program is run on the client. It communicates with the Intel RCS service on the server and applies the configuration settings to the firmware on the AMT client. This program can be run manually, scripted, or wrapped in a package for automated deployments.


    For the purposes of this document, the AMT configuration package to be executed on the client includes three files as shown below. The EXE and DLL files are provided via the Intel SCS software in the ACU_Configurator directory.



    To manually configure Intel AMT on a client, copy the ACU_configurator folder with the three files as shown above to the client.  


    Open a command prompt on the client.   If Windows 7 or Vista, be sure to “Run as Administrator" as shown in the example below.



    The configuration command syntax is:

    • ACUconfig.exe ConfigViaRCSOnly <RCS_IPaddress> <RCSProfileName> /WMIuser <domain\userid of service account> /WMIuserpassword <domain account password>



    Using the command syntax, the command shown in the example below according to the previous steps of this document is:

    • ACUconfig.exe ConfigViaRCSOnly AMTconfigProfile /WMIuser vprodemo\AMTConfigService /WMIuserpassword McAfee123!


    If the configuration completes successfully, then Intel Management and Security Status will generate a popup indicating Intel® ME is Configured




    Tip: While testing, view the ACU log file to ensure that the last line of the log file displays an exit code of 0, that means success.


    McAfee ePO will now recognize the system as “Fully Provisioned.” You can validate this status in any of the following ways once the Intel AMT Discovery and Reporting has been updated.

    • In the System Tree, look for the system to have the AMT tag.
    • In the dashboard, look in the Intel AMT Fully Provisioned monitor. A status of Yes indicates success.
    • In the System Details screen, select the Intel AMT tab and look in the Intel AMT Fully Provisioned field.


    Note: You can also validate AMT configuration outside of McAfee ePO. Simply launch a web browser and go to https://hostname:16993. This connects your browser to the web service running on the AMT client. Click the Log On button and attempt to authenticate using the credentials that were established in the AMT configuration profile. If you can authenticate and execute the tasks available in the web console, then AMT configuration was successful.


    Task: Set WMI Permissions for Automated Intel AMT Configuration

    The manual Intel AMT configuration approach used in the previous task required a domain account login. The configuration process required authentication to the Intel Remote Configuration Service (RCS) that was installed and configured previously. A packaged delivery of the files and command can be executed using the local system account of the computer.   This will require appropriate WMI permissions for Domain Computers, as shown accordingly.


    Via the Server Manager where Intel RCS was installed, expand Configuration, right click on WMI Control, and select Properties. Select the Security tab. Expand the Root tree to see the WMI namespaces. Select Intel_RCS and click the Security button. Add Domain Computers to the list of Group or User Names. Grant Domain Computers Execute Methods, Full Write, and Remote Enable. Save the settings and close the properties screens.



    The previous command syntax, if executed via the Local System account, is now:

    • ACUconfig.exe ConfigViaRCSOnly <RCS_IPaddress> <RCSProfileName>


    The references to WMIuser are no longer required if the command is executed under the user context of the Local System Account.    

    Task: Identify and Tag Systems Ready for Intel AMT Configuration

    The data collected by the Deep Command Discovery and Reporting software can be used to create a custom query that identifies systems ready for AMT configuration. The query simply looks for systems that are AMT capable, are not missing the MEI driver and are also not already fully AMT provisioned. The results of this query will then be used to apply a tag to identify systems that are ready for AMT configuration.


    In McAfee ePO go to Menu > Reporting > Queries and Reports. Then select ePO Deep Command Reporting and choose New.


    Win 2K8R2 ePO46 Dev-2011-12-15-11-22-22.png


    In the Feature Group, select Systems Management. In the Results Type choose Managed Systems and click Next to proceed.

    Win 2K8R2 ePO46 Dev-2011-12-15-11-23-02.png


    In the Query Builder, choose to display results as a Table. Keep the other default values and click Next to proceed. In the columns screen, display only the System Name column. Then click next to proceed.

    Win 2K8R2 ePO46 Dev-2011-12-15-11-24-30.png


    In the Filter screen, scroll down to the Intel AMT properties and select Intel AMT Fully Provisioned and set it to equals no. Select Intel AMT Supported and set it to equals yes. Then select Intel MEI Enabled and set it to equals yes. Then click Save to proceed.

    Win 2K8R2 ePO46 Dev-2011-12-15-11-28-30.png


    In the Save Query screen, give the query a name and description. Save the query in the existing group entitled ePO Deep Command Reporting. Then click Save to complete this process.

    Win 2K8R2 ePO46 Dev-2011-12-15-11-30-09.png


    This query can now be used to identify systems ready for AMT configuration. The next step is to create a tag that will be applied to those systems. Go to Menu > Systems > Tag Catalog then choose Tag > Actions > New Tag. In the Description screen, name the tag AMT_Ready. Click Next to proceed. Do not specify any criteria in the criteria screen and click Next to proceed. Accept the default values in the Evaluation screen and then click Next to proceed. Accept the default values in the Preview screen and click Save to complete this process.

    Win 2K8R2 ePO46 Dev-2011-12-15-11-33-00.png


    This tag needs to be manually applied to systems. This is done by running a server task that applies the tag to all systems returned by the AMT Ready Systems query. Go to Menu > Automation > Server tasks and choose New Task.  Name the task and give it a description. Click Next to proceed.

    Win 2K8R2 ePO46 Dev-2011-12-15-11-37-08.png


    In the Actions screen set it to run the AMT Ready Systems Query and set the Sub-Action to apply the AMT_Ready tag. Click Next to proceed.

    Win 2K8R2 ePO46 Dev-2011-12-15-11-38-50.png


    In the Schedule screen, set the task to run on a schedule. In this example the task will be set to run hourly. Then click Next to proceed.

    Win 2K8R2 ePO46 Dev-2011-12-15-11-39-48.png

    Tip: For lab environments and first-time installs, use Run Immediately for the Schedule type. This will make it run the next time the McAfee Agent synchronizes.


    Review the settings in the Summary screen and then click Save to complete this process.



    Task: Create AMT Configuration Package

    The AMT configuration package must contain the three Intel files listed above (ACU.dll, ACUConfig.exe and xerces-c_2_8.dll) and a batch file that will execute ACUConfig with the necessary parameters. This batch file is generic and the parameters that are specific to your environment (server IP address and AMT configuratio profile name) can be entered in the client deployment task in ePO. For simplicity, we have provided a generic package that will work in any ePO 4.6 patch 1 environment and attached it to this post ( For instructions on how to build your own custom packages please visit the McAfee ePO Tools Exchange site and look for the ePO Enterprise Deployment Kit (EEDK).


    Example batch file

    ACU Config bat.PNG



    Task: Create Deployment Task for AMT Configuration Package

    To deploy the AMT configuration package from ePO, the package must be checked in to the master repository and a client task must be created. This client task will be setup as a tag-based deployment so that only systems that are not already AMT configured will receive the package.


    In ePO to go Menu > Software > Master Repository and check in the AMT configuration package.


    Then go to Menu > Policy > Client Task Catalog. Select Product Deployment and then click New Task. Choose Product Deployment and click OK to proceed. Then name the task and give it a description. Set the target platform to Windows and select the AMT configuration package from the Products and components drop-down menu. Then enter the ACUconfig parameters in the Command line field. Click Save to proceed.

    Deploy AMT config package.png


    Note: The command line field must contain the following string: "/output file c:\Windows\Temp\ACUConfig.log" ConfigViaRCSonly <ipaddress> <AMTconfigprofilename>

    Note: Replace <ipaddress> with the IP address of the server that is running the RCS service. Replace <AMTconfigprofilename> with the name of your AMT configuration profile (AMTConfigProfile.xml is used in this guide).



    You will now see the Deploy AMT Config Package in your Client Task Catalog. Highlight the task and click Assign. Select My Organization and click OK to proceed.  Then select McAfee Agent > Product Deployment > Deploy AMT Config Package. In the tags section, set it to go to any system that has the AMT_Ready tag but not to systems that have the AMT tag. This will ensure that the task goes to any system is ready for AMT configuration but is not already fully AMT configured. Then click Next to proceed.

    AMT config package client task 01.png


    Set the schedule for the task. McAfee recommends running this daily. The task will only work if the system is connected to your LAN with a wired network connection. If a system is remote, there is no sense in repeatedly running this task. Instead, it is designed to simply run once per day. Click Save to complete this process.

    AMT config package client task 02.png

    Tip: For lab environments and first-time installs, use Run Immediately for the Schedule type. This will make it run the next time the McAfee Agent synchronizes.


    Task: Track AMT Configuration and Deep Command Installation Progress

    Based on the tasks completed in steps 3 and 4 of this guide, a fully automated Deep Command installation process is in place. McAfee ePO runs a query that searches for systems that are not AMT configured but are ready to start the AMT configuration process. It then tags these systems with the AMT_Ready tag. McAfee ePO will then push the custom AMT configuration package to those systems. When AMT configuration is complete, the systems will automatically be tagged with the AMT tag. Another deployment task in ePO will then push Deep Command only to those systems. Progress of AMT configuration can be tracked in ePO by watching the Intel AMT Fully Provisioned monitor of the Intel AMT Summary dashboard. Tracking the progress of the Deep Command deployment can be done with a custom query. This query looks looks at the properties for all managed systems and checks to see if they have any version of Deep Command installed. An example query is attached to this post and can be imported into any ePO 4.6 server.




    More resources for installing McAfee Deep Command

    McAfee Deep Command Installation Guide Introduction


    Step 1: Discover and Report All Intel AMT Capable Systems in the Environment
    Step 2: Configure Certificates for Intel AMT
    Step 3: Install Intel AMT and McAfee ePO Server Components

    Step 4: Configure Intel AMT Clients and Deploy McAfee Deep Command


    Appendix A: Installing Microsoft Certificate Authority with Web Enrollment

    Appendix B: Manually Importing the Microsoft Certificate Authority Root Certificate on McAfee ePO Server or Agent Handler

    Appendix C: McAfee Deep Command Setup Checklist