The information provided below is based on McAfee ePO Deep Command version 1.5. The new version 2.0 release includes Host Based Configuration, McAfee ePO generated TLS certificates, integrated User Consent for specific boot\reboot operations, and more. The improvements simplify the Intel® AMT configuration experience, enabling a faster path to using the technology solution.
McAfee ePO Deep Command enables beyond-the-operating-system security management for all systems supporting Intel® Active Management Technology (AMT). The intent of this article is to provide an index of resources posted online. The resources listed below are provided on a best-effort basis. They are intended to complement the McAfee ePO Deep Command product page and product documentation.
This document is presented in a Frequently Asked Questions (FAQ) format to address inquiries related to McAfee ePO Deep Command, from the most common to the more advanced.
Check back often as this "living index" of materials is regularly updated.
Q: What is "beyond-the-operating-system security management"?
A: McAfee ePO Deep Command communicates below the operating system to Intel® AMT. Communication can occur even when a system is powered off or the host operating system is not responding.
Q: How does this capability improve endpoint security?
A: Review the to see a few examples. The most common is reliable power-on combined with a client task execution, useful for off-hours security updates. Integration with McAfee EEPC7 enables secure unattended unlock of the preboot authentication (PBA) environment, among other items. See the recorded demonstration for additional examples of how McAfee ePO Deep Command can be used.
Q: What new functionality is provided with McAfee EEPC7 in connection with McAfee ePO Deep Command?
A: The following demonstration links show how these two products work together to improve endpoint security.
Q: What other products are enhanced or integrated with McAfee ePO Deep Command?
A: Endpoint security solutions such as VirusScan Enterprise (VSE) benefit from the reliable power control offered by McAfee ePO Deep Command, whether a direct or scheduled power event. Combining a power-on event with a client task or policy enforcement is a common reason to consider McAfee ePO Deep Command. Review the to see an example of updating VSE DAT files during off-hours.
Q: What is required to set up a testing and demonstration environment in my lab?
Q: How do I determine if Intel AMT exists in my production environment?
Q: My Deep Command Discovery & Reporting Dashboard shows systems in a Post Configuration state. What does this mean?
A: The Intel® Active Management Technology (AMT) is configured on the discovered endpoint systems. If the configuration did not occur via McAfee ePO Deep Command, another console application in your environment has configured Intel® AMT. Multiple consoles can communicate with Intel® AMT if the configuration settings are compatible. Review .
Q: What guidance is available for pilot or production deployment of McAfee ePO Deep Command?
A: In addition to the recorded setup and configuration training materials above, an online installation guide for ePO Deep Command v1.5 is available here.
Q: The online installation guide for McAfee ePO Deep Command references a Remote Configuration Certificate. Why is this required and how is it obtained?
A: To remotely and securely configure Intel® AMT, a trusted connection between the Intel® Setup and Configuration Software (SCS) and Intel® AMT firmware must be established. One method is a remote configuration certificate for the target environment. More information on the purpose and how to obtain this certificate is available here. The remote configuration certificate is recommended but not required. are explained, with Host Based Configuration as a popular selection.
Q: How is the configuration of Intel® AMT maintained using McAfee ePO Deep Command?
A: System names change, TLS certificates expire, and system clocks need to be synchronized for Kerberos authentication. Learn more about maintaining Intel® AMT Configuration using McAfee ePO Deep Command.
Q: Who do I contact for technical product support?
A: McAfee customer support representatives are ready to answer technical product support questions. Please contact your McAfee sales representative to get connected as needed.
Q: Who do I contact for deployment assistance?
A: McAfee Professional Services are actively assisting customers in the deployment of McAfee ePO Deep Command. Please contact your McAfee sales representative to get connected as needed.
Q: Why should I contact McAfee support or professional services if this index of materials is available?
A: This index, linked materials, and associated McAfee ePO Deep Command product documentation provide brief, non-personalized answers on how to set up and use the product. This index does not replace the availability, responsiveness, and assistance of a localized contact more familiar with your specific needs.
Q: What log files and other basic troubleshooting guidance are provided with McAfee ePO Deep Command?
A: Please review section 6 of the McAfee ePO Deep Command v1.5 product guide. Two common log files are: on the server, the log file "AMTservice.log", which shows details of McAfee ePO Deep Command actions; on the client, the log file "AMTMgmtService_out.log".
A: These settings are not required for McAfee ePO Deep Command, but do improve the security configuration of Intel® AMT. Learn more about the differences between Digest and Kerberos authentication and why Digest Master Passwords is a good idea.
Q: Some McAfee ePO Deep Command Actions, specifically Boot\Reboot from Image or to BIOS, are failing. The AMTservice.log references a TLS-related error. What is happening and how is this resolved?
A: If other McAfee ePO Deep Command actions are working, review what certificates are needed for Intel® AMT operations and how to create a PEM file.
Q: Intel® AMT exists in my environment, but is disabled in the system BIOS. How do I enable Intel® AMT in the BIOS, and how is this different from the configuration guideline mentioned earlier?
A: Some OEM BIOS settings allow Intel® AMT to be disabled; this is common in HP and Lenovo systems. The default BIOS setting is commonly enabled. Some customers may have requested custom BIOS settings or changed the setting during the staging process of the system. Major OEMs provide BIOS setting tools to remotely change a setting such as Intel AMT. Use the same approach as for enabling Intel VT to enable Intel AMT.
Q: What is required for McAfee ePO Deep Command to work with wireless clients inside my production environment?
A: Learn more about supporting Intel® AMT over an 802.11 wireless connection.
Q: What is required for McAfee ePO Deep Command to work with 802.1x over wired or wireless inside my production environment?
A: Intel® AMT configuration settings include 802.1x setup\definitions. Microsoft Active Directory integration with Kerberos authentication is a prerequisite to defining 802.1x settings in the Intel® AMT configuration profile. Whether wired or wireless, the same principles for 802.1x apply. More information is available via the Intel® Setup and Configuration Service (SCS) User guide attached below. Refer to the section entitled "Creating 802.1x Setups".
Q: What is required for McAfee ePO Deep Command to work with client endpoints outside my production environment?
A: Learn how to set up McAfee ePO Deep Command Gateway Services for clients outside the enterprise.
Q: If an advanced Intel® AMT feature such as System Defense is not supported by McAfee ePO Deep Command, how do I still use this technology feature?
A: Scripting and reference tools such as Intel® vPro PowerShell Module can use the System Defense features of Intel® AMT. Read more on how to isolate a Client from the Network.