In this guide, you will learn how to install Intel Endpoint Management Assistant (EMA) in Single-Server mode for PoC environments and small and medium businesses. Intel EMA is a cloud application that allows the remote management of corporate devices outside the corporate firewall. This tool can also provision and manage the Intel Active Management Technology (AMT) part of the Intel vPro Platform, allowing users to connect to the BIOS, perform a power-off/power-on, or install an Operating System remotely using USB Redirection (USB-R).
Intel EMA is an Infrastructure as a Service (IaaS) solution and the entity who owns the service is responsible for updating, managing and maintaining the console in a production environment.
Checklist of prerequisites to install Intel EMA in a Single-Server Mode.
- A single Virtual Machine (VM) with Microsoft Windows Server 2019 or 2022 installed in English, at least 2 vCPUs and 16 GB of RAM. If you choose Microsoft Windows Server 2019, you must install the .NET Framework 4.8.0
- A database instance based on Microsoft SQL Server 2017, 2019 or 2022. You can use the Express, Standard or Enterprise versions. Intel EMA also supports the Platform as a Service (PaaS) options of the different Cloud Service Providers, such as Azure SQL, AWS RDS or GCP SQL. Bear in mind that the Express version supports a relational database of only up to 10 GB; for more information click here.
- A Windows user with Local Administrator privileges over the VM and SYSAdmin privileges over the Microsoft SQL Server instance.
- An internal DNS record pointing to the VM (can be an A Record or CNAME Record). Example: ema-demo.rescalante.com
- An external DNS record pointing to the entrypoint (public IP address) that is going to contact the VM within your private network (can be an A Record or CNAME Record). Example: ema-demo.rescalante.com (The internal and external DNS resolutions must be the same)
- The ports TCP 8080 and TCP 443 must be open internally and externally. Intel EMA can be put behind a Load Balancer or a Reverse Proxy, but the ports must be forwarded as TCP, maintaining the sessions from their origin (in some CSPs this option is called session stickiness).
- A valid web certificate that matches the DNS resolutions. This certificate can be issued by an internal or external Certification Authority (CA). (In this tutorial we are going to learn how to request a certificate using Let's Encrypt.)
Packages required to install Intel EMA in a Single-Server Mode.
- Latest version of Intel EMA.
- Latest version of Microsoft SQL Server 2022 Express
- Latest version of IIS Crypto GUI
- Latest version of Microsoft URL Rewrite
- Latest version of Certify the Web
- (Only for Microsoft Windows Server 2019) .NET Framework 4.8.0
- (Optional) Latest version of Microsoft SQL Management Studio
Step 1 - Preparing the Windows Server VM.
1.1 Connect to the Intel EMA VM using Remote Desktop.
To start interacting with the VM, you need to connect using RDP. If you are working with a CSP or using on-premises infrastructure, use the command Test-NetConnection in PowerShell to validate that the port is reachable from your current device.
Test-NetConnection -ComputerName <dns-resolution-or-ip-vm> -Port 3389
Use the native RDP client from Windows to establish the connection with your VM, and access it using the Windows credentials with Administrator privileges over the VM, until you get to the main window of the VM.
1.2 Download the packages required for the installation.
Inside the VM, open the web browser and download the packages listed in the "Packages required to install Intel EMA in a Single-Server Mode" section. (In this tutorial we are using Windows Server 2022, so the .NET Framework 4.8.0 is not necessary, as it comes by default with this version.)
Apply the latest Windows Updates in the Virtual Machine and perform a reboot if necessary.
(Optional) Step 2 - Install Microsoft SQL Server 2022 Express.
This section is optional. In this section you will learn how to install Microsoft SQL Express 2022 as the database engine required for Intel EMA. In production environments it is always recommended to install the Standard or Enterprise versions.
2.1 Download MSSQL 2022 Express installation package.
To start the installation of Microsoft SQL Express, open the file SQL2022-SSEI-Expr.exe as an Administrator.
Select the Custom option to perform a custom installation; by default the installer will be downloaded to the C:\SQL2022 folder. Click on Install.
Wait for the Microsoft SQL Server 2022 Express package to complete the download.
The installer will launch automatically as soon as the package is ready opening the SQL Server Installation Center.
2.2 MSSQL Express 2022 installation.
Now that the MSSQL Express installer is ready, select the option New SQL Server standalone installation or add features to an existing installation and you will get the first prompt with the License Terms.
The next section will ask if we want to install the latest MSSQL Express 2022 updates, it's always recommended to have the latest updates.
Wait for the installer to validate the setup files and download the latest updates.
Validate the install rules. You will probably see a warning about the Windows Firewall; you can ignore this warning, as we are going to access the database only through localhost.
In the Feature Selection section, select only Database Engine Services; Intel EMA doesn't require any other MSSQL features to be installed.
Configure the MSSQL instance with any name you want, for this guide, we are going to use the default name SQLEXPRESS for the instance.
Leave the default Service Accounts in the Server Configuration.
Now it's time to configure the SYSAdmin account for Microsoft SQL. Here you have two options, Windows Authentication or SQL Authentication; for this guide we are going to select Mixed Mode to enable both. With this configuration we will be able to access the MSSQL instance using the Windows account that is executing the installer and the sa account, whose password is stored in the master database.
Wait a couple of minutes to complete the MSSQL server installation.
The installation has completed and Microsoft SQL Server Express 2022 has been successfully installed.
2.3 Enable TCP/IP stack in MSSQL Express 2022
By default, Microsoft SQL Express doesn't enable the TCP/IP protocol; however, for this guide we are going to enable the database instance to listen on localhost through TCP 1433, the default port in MSSQL environments. To perform this action, open the SQL Server Configuration Manager.
Expand the menu SQL Server Configuration Manager > Protocols for SQLEXPRESS.
Open the TCP/IP protocol and change the option Enabled to Yes.
Open the IP Addresses tab and find the IP 127.0.0.1: change its option Enabled to Yes and its option TCP Port to 1433. Also, at the end of the table, change the IPAll option TCP Port to 1433. With this we are enabling the MSSQL instance to listen on localhost through the MSSQL default port 1433.
Apply the changes and click on OK; you will see a prompt asking to restart the SQL service.
Go to the SQL Server Services menu, right-click the instance SQL Server (SQLEXPRESS) and Restart the service.
Wait for the MSSQL Service to restart and close the window.
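The following PowerShell script is an added example, not part of the original guide or of any Intel or Microsoft tooling. It reads the TCP/IP settings of the SQLEXPRESS instance from the same registry keys that SQL Server Configuration Manager edits, shows what is actually listening on 1433 after the restart, and lists any inbound firewall rule that would expose the port. The instance name SQLEXPRESS and the instance id naming (MSSQL16.SQLEXPRESS for SQL Server 2022) are assumptions taken from this guide's defaults; run it on the EMA VM as Administrator.

```powershell
# Added example (not part of the original guide): verify the SQLEXPRESS TCP/IP configuration
# without opening Configuration Manager. Values come from the registry keys Configuration
# Manager writes, so they reflect what the service uses after the restart.
$InstanceName = 'SQLEXPRESS'   # assumption: default instance name used in this guide

# 'Instance Names\SQL' maps the instance name to its instance id (MSSQL16.SQLEXPRESS on SQL Server 2022)
$instanceId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL').$InstanceName
$tcpKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib\Tcp"
$tcp = Get-ItemProperty -Path $tcpKey

"Instance $instanceId : TCP/IP enabled = $([bool]$tcp.Enabled), ListenOnAllIPs = $([bool]$tcp.ListenOnAllIPs)"

# Each IPn subkey is one row of the IP Addresses tab; IPAll applies when ListenOnAllIPs is 1.
# A non-empty TcpDynamicPorts means the instance still uses a random port instead of the static 1433.
Get-ChildItem -Path $tcpKey | ForEach-Object {
    $ip = Get-ItemProperty -Path $_.PSPath
    [pscustomobject]@{
        Key         = $_.PSChildName
        IpAddress   = $ip.IpAddress
        Enabled     = [bool]$ip.Enabled
        StaticPort  = $ip.TcpPort
        DynamicPort = $ip.TcpDynamicPorts
    }
} | Format-Table -AutoSize

# What is listening on 1433 right now (only populated after the service restart)
Get-NetTCPConnection -LocalPort 1433 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# The installer's firewall warning is safe to ignore only while no enabled inbound rule opens 1433.
# This lists any rule that would expose the instance beyond localhost.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq '1433' } |
    Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Action, Profile
```

If the last command prints nothing, the instance is reachable only from the VM itself, which is the intended state for this single-server setup. If the IPAll row still shows a value under DynamicPort, the port change was not saved.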
2.4 Installing Microsoft SQL Server Management Studio
Microsoft SQL Server Management Studio is an application that allows us to connect to MSSQL Server instances and interact with the databases directly. To start the installer, open the file SSMS-Setup-ENU.exe with Administrator privileges.
Leave the default location to perform the installation at C:\Program Files (x86)\Microsoft SQL Server Management Studio 20 and proceed with the installation.
Wait for the installer to finish the installation and close the window.
2.5 Accessing the MSSQL Server Express 2022 instance using MSSQL Management Studio.
Before we try MSSQL Management Studio, you can check whether your Microsoft DB instance is listening on port TCP 1433 using the following command:
Test-NetConnection -ComputerName localhost -Port 1433
If the test succeeded, you will see the key TcpTestSucceeded as True, and now it's time to open the Microsoft SQL Management Studio application.
This time we are going to access with the sa account we defined during the MSSQL Server installation. The Server Name must be localhost, as we are accessing the MSSQL instance in the same VM. The authentication we are going to select is SQL Server Authentication; the user this time is sa, together with its password. Finally, select the option Trust Server Certificate and proceed to log in.
If you input the parameters properly, you will be able to access the MSSQL Server Express 2022 instance.
Step 3 - Install Intel Endpoint Management Assistant.
In this section you will install Intel EMA, and the previous steps will make more sense, as we are going to connect the Intel EMA application to the database and perform the installation.
3.1 Prepare your Windows Server environment to install Intel EMA.
We are going to generate a folder structure under C:\; the idea is to keep order when we install Intel EMA, which you will appreciate in the future when you update your console.
We are going to generate a folder called C:\EMA and, under that folder, two new folders: C:\EMA\Installers and C:\EMA\Versions. Under the Versions folder we are going to generate a folder for the version we would like to install; for this tutorial, version 1.13.1: C:\EMA\Versions\IntelEMA1.13.1. These folders provide order, and in the future you can keep track of what you have installed.
Now we are going to copy the Intel EMA installer to C:\EMA\Installers.
Execute the file Ema_Install_Package_1.13.1.0.exe with Administrator privileges and select the folder where we are going to extract the installation files; that's why we created the folder C:\EMA\Versions\IntelEMA1.13.1. Click on the Unzip button.
Open the folder C:\EMA\Versions\IntelEMA1.13.1 in Windows Explorer and validate that the EMA installation files are there.
3.2 Install Intel Endpoint Management Assistant
Now that we have prepared our Windows Server environment, it's time to install Intel EMA. To start the installation, execute the file EMAServerInstaller.exe with Administrator privileges.
In the Welcome window you will see a warning mentioning the installer is about to install Microsoft Internet Information Services (IIS), click on next.
Now the installer will prompt to accept the License Agreement.
In the next window you can choose the installation type; in this section you can choose between the single-server and multi-server architectures. In my experience, the suggestion here is to choose Initial Install for Distributed Server (Recommended) as in the future, depending on your growth, you might require to install a secondary server and have a high availability architecture using a Load Balancer.
It's time to configure the database connection, for this guide, we are going to use SQL Authentication to connect our Intel EMA app to the MSSQL Instance.
In the Database Setup section we are going to configure the following parameters:
* Database Server: localhost, as we installed the MSSQL instance in the same VM.
* Database Name: EMADatabase, if we want to leave the database schema name by default. You can change the name of the EMA DB schema if you want.
* Username: sa, as we defined the SYSAdmin user during the MSSQL installation.
* Password: <password>, the password for the SYSAdmin user.
When you click next, you will notice the installer will check the database connection.
If you have issues with the database connection, I recommend reviewing the connection using Microsoft SQL Management Studio and checking whether port TCP 1433 is listening on localhost:
Test-NetConnection -ComputerName localhost -Port 1433
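The script below is an added example and not part of the original guide or of the Intel EMA installer. It reproduces the installer's database check from PowerShell with the same parameters used above (localhost on TCP 1433, the sa login, SQL Server authentication) and additionally confirms that the login holds the sysadmin role and whether the EMADatabase schema already exists, so a connection failure can be narrowed down before re-running the installer. The password is prompted for rather than stored; the database name EMADatabase is the guide's default. It targets Windows PowerShell 5.1 on the EMA VM.

```powershell
# Added example (not part of the original guide): test the SQL connection the EMA installer
# will make, using the same host, port, login and authentication type as the Database Setup page.
$cred  = Get-Credential -UserName 'sa' -Message 'SQL Server sysadmin password'
$plain = $cred.GetNetworkCredential().Password

# Encrypt=True matches the installer's expectation of an encrypted session; TrustServerCertificate=True
# is needed because the Express instance uses a self-generated certificate (the same checkbox ticked in SSMS)
$builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
$builder['Data Source']            = 'localhost,1433'
$builder['Initial Catalog']        = 'master'
$builder['User ID']                = $cred.UserName
$builder['Password']               = $plain
$builder['Encrypt']                = $true
$builder['TrustServerCertificate'] = $true
$builder['Connect Timeout']        = 10

$conn = New-Object System.Data.SqlClient.SqlConnection($builder.ConnectionString)
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    # IS_SRVROLEMEMBER returns 1 when the current login holds the sysadmin role the installer requires;
    # DB_ID returns NULL until the EMA database has been created by the installer
    $cmd.CommandText = "SELECT @@VERSION AS Version, IS_SRVROLEMEMBER('sysadmin') AS IsSysAdmin, DB_ID('EMADatabase') AS EmaDbId"
    $reader = $cmd.ExecuteReader()
    if ($reader.Read()) {
        [pscustomobject]@{
            Version     = ($reader['Version'] -split "`n")[0]
            IsSysAdmin  = [bool]$reader['IsSysAdmin']
            EmaDbExists = -not $reader.IsDBNull($reader.GetOrdinal('EmaDbId'))
        }
    }
    $reader.Close()
}
catch {
    # Typical causes: wrong password, TCP/IP still disabled on the instance, or the service not restarted
    Write-Error "Connection failed: $($_.Exception.Message)"
}
finally {
    $conn.Dispose()
}
```

A connection that opens but reports IsSysAdmin as False means the credentials are right but the login lacks the privileges the installer needs, which is a different fix from a port or firewall problem.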
In the Load Balancer information window, we need to input the Fully-Qualified Domain Name (FQDN) of our server. For this tutorial we defined ema-demo.rescalante.com as our main DNS resolution. This is the most important step of the entire installation: if this step is not properly defined from the beginning, you might need to reinstall Intel EMA from scratch in the future.
For the AJAX and WebServer configuration we are going to tick the box Same as Swarm Server to use the same DNS resolution for these components.
We are going to do the same for the Recovery Server component.
When the installer asks which components we want to deploy we are going to choose all of them.
* Swarm Server Component: responsible for handling the Intel EMA agent connections and the Intel AMT CIRA connections.
* Ajax & Web Server Components: responsible for the WebUI and the WebSockets management.
* Recovery Server Component: responsible for handling the Intel One-Click Recovery sessions to reinstall the OS from a UEFI BIOS.
* Manageability Server Component: responsible for the configuration/reconfiguration of the devices with Intel Active Management Technology (AMT).
I recommend leaving the Intel EMA Platform Manager external port at TCP 8000. This port is used by an application that is installed along with Intel EMA to manage the EMA components listed above, which is very useful when managing multiple EMA servers in a multi-server architecture. IMPORTANT: Do not publish this port.
Now it's time configure the Intel EMA Authentication, for this guide we are going to use Local Accounts, but bear in mind, Intel EMA supports 3 authentication options:
* Local Accounts: EMA stores the usernames and passwords encrypted in the database. Intel EMA supports Multi-Factor Authentication (MFA) for local accounts since version 1.13.0.
* Domain Authentication: EMA relies on Microsoft Active Directory to authenticate the users.
* Azure AD Authentication: EMA relies on Microsoft Entra ID (Microsoft Azure Active Directory) to validate the users. If your organization configured MFA, Intel EMA will authorize the users using the OAuth2 flow.
As we have chosen Local Accounts, we need to generate the Global Administrator user, which has full control over the configuration of Intel EMA.
The installer will ask if you want to add additional servers at this point; as this is a single-server environment, it is not necessary.
Finally, the installer will ask for a final review of the installation.
After you click on Install, the installer will take care of the installation.
If you want to review what's going on during the installation, open the menu File > Advanced Mode
Wait for the installer to finish with the Intel EMA installation. You will see an entry in the logs saying Install complete. It may take a few minutes to unpack some things
3.3 Intel EMA Initial Configuration with the Global Administrator
At this point, Intel EMA has been successfully installed. To validate that the WebUI is running, you can open any web browser inside the VM and open the URL https://localhost
You will see a warning, as we are accessing through localhost; this is expected, as the certificate is not valid for that name. To proceed with the initial configuration, click on Continue to localhost (unsafe).
To access Intel EMA, input the Global Administrator user and password to authenticate to Intel EMA.
When you click on Log In, you will see a prompt mentioning a Cross-Origin warning. This is expected, as we installed Intel EMA with the FQDN ema-demo.rescalante.com and we are accessing with localhost.
When you access Intel EMA, you will see a Getting Started section where you can begin the initial configuration.
Before we proceed with the configuration, open Windows Explorer and create a new folder called C:\EMA\USBR. This folder is going to be used for one of the coolest features Intel AMT has, USB Redirection (USB-R). This feature allows uploading .iso and .img files to Intel EMA and deploying an OS from scratch over the Intel AMT connection. This is very useful in IT environments when you need to restore/reinstall the OS without touching the device.
Go back to the web browser, click on the settings section and go to Server Settings > Manageability Server. Under this section, look for the parameter USBR Images Root Directory and change it to C:\EMA\USBR. As you may have guessed, this is the directory where the Intel EMA app is going to store the .iso and .img files used for USB-R.
Click on Save and Restart Server to save the changes.
Now, go to the Home menu and click on Create Tenant to generate our first organization in Intel EMA. Add a Tenant Name and a Description.
After you generate the first Tenant, you will notice that you can start generating users. Go to the Users > Manager Users menu and create the first user under the new Tenant (organization) we've generated. Assign the role Tenant Administrator and click on Save.
Validate that the user has been generated.
Now you can Log Out and continue with the network validation.
3.4 Intel EMA Network Validation.
Intel EMA has been properly configured with the Global Administrator account, and now it's time to validate whether we can reach the TCP ports 443 (WebUI) and 8080 (Agents) from any device. This is very easy to test: open a PowerShell window on any device outside the VM and validate the ports using the following commands:
Test-NetConnection -ComputerName <dns-resolution-or-ip> -Port 443
Test-NetConnection -ComputerName <dns-resolution-or-ip> -Port 8080
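As an added example (not part of the original guide), the script below combines the checks from this section and from Appendix B into one pre-flight test. It compares the internal DNS answer for the FQDN with the answer from an external resolver, since this guide requires the internal and external resolutions to be identical, and then tests both EMA ports. The FQDN, the external resolver address and the documentation placeholder values are assumptions; replace them with your own.

```powershell
# Added example (not part of the original guide): DNS consistency and port reachability checks
# for an Intel EMA single server, run from a PC outside the VM.
param(
    [string]$Fqdn = 'ema-demo.rescalante.com',   # assumption: the FQDN configured during the EMA install
    [string]$ExternalResolver = '8.8.8.8',        # assumption: any public DNS server reachable from this PC
    [int[]]$Ports = @(443, 8080)                  # WebUI (443) and agent/CIRA (8080) ports required by EMA
)

function Get-ARecords {
    param([string]$Name, [string]$Server)
    # Resolve-DnsName returns the whole answer chain (CNAME plus A); keep only the A records
    $query = @{ Name = $Name; Type = 'A'; ErrorAction = 'Stop' }
    if ($Server) { $query['Server'] = $Server }
    Resolve-DnsName @query | Where-Object { $_.QueryType -eq 'A' } |
        Select-Object -ExpandProperty IPAddress | Sort-Object
}

function Test-EmaDns {
    param([string]$Name, [string]$ExternalResolver)
    $internal = @(Get-ARecords -Name $Name)                            # this PC's configured resolver
    $external = @(Get-ARecords -Name $Name -Server $ExternalResolver)  # public view of the same name
    [pscustomobject]@{
        Name       = $Name
        Internal   = ($internal -join ', ')
        External   = ($external -join ', ')
        Consistent = (($internal -join ',') -eq ($external -join ','))
    }
}

function Test-EmaPorts {
    param([string]$ComputerName, [int[]]$Ports)
    foreach ($port in $Ports) {
        # -WarningAction hides the built-in "TCP connect failed" warning; the result is reported below
        $r = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target    = "${ComputerName}:$port"
            RemoteIp  = $r.RemoteAddress
            Reachable = $r.TcpTestSucceeded
        }
    }
}

$dns = Test-EmaDns -Name $Fqdn -ExternalResolver $ExternalResolver
$dns | Format-List
if (-not $dns.Consistent) {
    Write-Warning "Internal and external answers for $Fqdn differ; EMA needs one resolution for both."
}
Test-EmaPorts -ComputerName $Fqdn -Ports $Ports | Format-Table -AutoSize
```

Run it once from inside the corporate network and once from outside: both runs should show Consistent as True and Reachable as True for 443 and 8080. A run where 443 is reachable but 8080 is not usually points at the Load Balancer or Reverse Proxy forwarding only the HTTPS port.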
Step 4 - Security Hardening for Intel EMA
In this section you are going to perform a security hardening of your Intel EMA console: adding a valid certificate and the security headers, and disabling the TLS versions and cipher suites considered vulnerable in the industry.
(Optional) 4.1 Request and install a valid certificate for Intel EMA using Certify the Web (Let's Encrypt).
From your PC, open the web browser and go to https://<fqdn>; for this guide we are going to access https://ema-demo.rescalante.com. You will notice a security warning. This happens because the EMA WebUI doesn't have a valid certificate to present to the web browser: during the installation, EMA installs a self-signed certificate.
Go back to the VM and open the Windows Explorer, execute with Administrator Privileges the file CertifyTheWebSetup_V1.6.0.exe
In the main window you will see the License Agreement of this tool. Certify the Web is an application that requests a valid certificate from the Let's Encrypt servers for Microsoft IIS.
Select the default destination to perform the installation.
Leave the defaults for the Start Menu folder.
Wait for Certify the Web to be properly installed.
When the installer ends, click on Finish to open the application.
Using Certify the Web is very straightforward if you have basic knowledge about certificates. In this guide, we are going to explain how to request a certificate valid for your Intel EMA application. Click on New Certificate.
You will see a prompt asking to register a new contact. For more information, review the Certify the Web Privacy Policy here
Input an email that will be used by Let's Encrypt in case they require to contact you and click on Register Contact.
Now that you added your contact information, select the Default Website and input the domain (FQDN) of your Intel EMA instance.
Add the domain to request a new certificate. You will see the FQDN of your EMA instance listed below.
Click on Request Certificate
and you will notice that the Certify The Web application starts requesting a certificate from the Let's Encrypt servers.
If for some reason the request fails, check that your domain is valid and publicly resolvable. You can also check whether port TCP 80 is open, as it's the way Let's Encrypt validates that you own the domain. From your PC, use the following command to validate that TCP port 80 is open and reachable from the internet.
Test-NetConnection -ComputerName <dns-resolution-or-ip> -Port 80
After you receive a Success, we can consider the certificate issued.
To install the certificate, open Microsoft IIS and go to the Default Web Site. Open the Bindings section and edit the port 443 binding.
In the SSL certificate field, select a certificate whose name contains Certify; this is the certificate issued by Let's Encrypt.
The beauty of Certify the Web is that the certificate renews automatically every 3 months and you don't need to modify anything. It's important to make sure that TCP port 80 stays open, as it's the way Let's Encrypt continues validating that you own the domain. Now, if you open the web browser on your PC and access https://<fqdn>, you will see a valid certificate and the warning about the self-signed certificate will be gone.
If you click on the Lock icon in the Web Browser and open the certificate, you will notice the certificate was emitted by Let's Encrypt and expires every 3 months.
4.2 Install IIS URL Rewrite Module and set the Strict Transport Security (HSTS) Header.
It's recommended to install the URL Rewrite Module for Microsoft IIS; the URL Rewrite module makes it possible to hide the Microsoft IIS version and to set the HSTS header. For more information about HSTS, click here.
Go back to the VM and open Windows Explorer in the folder where you downloaded all the installation files.
Open the file rewrite_amd64_en-US.msi to start installing the IIS URL Rewrite Module and review the License Agreement.
Click on Install and wait for the installer to finish.
Review the installation and close the window.
Open Microsoft IIS again, select the Default Web Site and double-click on the option HTTP Response Headers.
Add the HSTS configuration by adding a header with the Name Strict-Transport-Security and the Value max-age=31536000; includeSubDomains;
Review the HTTP Response Headers list and validate the HSTS header has been added.
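As an added example (not from the original guide), the following script applies the same HSTS header to the Default Web Site with the IIS WebAdministration module, idempotently, and then fetches the EMA login page over HTTPS to confirm the header is actually returned, which is what a browser needs before it will honour HSTS. Run it on the EMA VM as Administrator; the FQDN is an assumption taken from this guide.

```powershell
# Added example (not part of the original guide): set and verify the Strict-Transport-Security header.
Import-Module WebAdministration

$site   = 'IIS:\Sites\Default Web Site'
$filter = 'system.webServer/httpProtocol/customHeaders'
$name   = 'Strict-Transport-Security'
$value  = 'max-age=31536000; includeSubDomains'   # one year, including subdomains, the directives used in this guide

# Idempotent: update the header if it already exists, otherwise add it (avoids duplicate entries)
$existing = Get-WebConfiguration -PSPath $site -Filter "$filter/add[@name='$name']"
if ($existing) {
    Set-WebConfigurationProperty -PSPath $site -Filter "$filter/add[@name='$name']" -Name 'value' -Value $value
} else {
    Add-WebConfigurationProperty -PSPath $site -Filter $filter -Name '.' -Value @{ name = $name; value = $value }
}

# Client-side verification: browsers only store an HSTS policy received over HTTPS
$Fqdn = 'ema-demo.rescalante.com'   # assumption: the FQDN configured during the EMA install
$response = Invoke-WebRequest -Uri "https://$Fqdn/" -UseBasicParsing
$hsts = $response.Headers['Strict-Transport-Security']
if ($hsts) {
    "HSTS header present: $hsts"
} else {
    Write-Warning "No Strict-Transport-Security header returned by https://$Fqdn/"
}

# The Server header is where IIS advertises its version; check it once the URL Rewrite rule is in place
"Server header: $($response.Headers['Server'])"
```

Run the verification part from a PC outside the VM as well, so the response you inspect is the one that passed through any Load Balancer or Reverse Proxy, which may strip or replace headers.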
4.3 Disable TLS and Cipher Suites Vulnerabilities
Using the IISCrypto.exe tool, you will learn how to disable TLS 1.0 and TLS 1.1 and the cipher suites that are considered vulnerable by the industry. For more information click here.
Open Windows Explorer again and launch IISCrypto.exe with Administrator privileges.
Review the License Agreement.
IIS Crypto is a tool that basically looks for the Windows Registry keys that enable/disable certain TLS versions and cipher suites.
Click on the Best Practices button, which applies the best practices defined by IIS Crypto.
Disable TLS 1.0 and TLS 1.1, which are considered vulnerable.
Restart the VM.
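After the reboot, the following added example (not part of the original guide or of IIS Crypto) lets you confirm the result from two angles. The first part, run on the EMA VM, reads the SCHANNEL registry keys IIS Crypto writes. The second part, run from any Windows PC, attempts a TLS handshake with each protocol version against the EMA WebUI and reports the certificate the server presents, which also validates the Let's Encrypt certificate from section 4.1. The FQDN is an assumption taken from this guide.

```powershell
# Added example (not part of the original guide): verify TLS hardening and the served certificate.
$Fqdn = 'ema-demo.rescalante.com'   # assumption: the FQDN configured during the EMA install

# --- Server side (run on the EMA VM): what SCHANNEL is configured to offer ---
foreach ($p in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$p\Server"
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Protocol          = $p
        KeyPresent        = [bool]$v             # absent key means the OS default applies
        Enabled           = $v.Enabled           # 0 after IIS Crypto disables the protocol
        DisabledByDefault = $v.DisabledByDefault
    }
}

# --- Client side (run from any PC): what the server actually negotiates ---
function Test-TlsHandshake {
    param([string]$HostName, [int]$Port, [System.Security.Authentication.SslProtocols]$Protocol)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Chain validation is bypassed on purpose: the question here is whether the version is
        # accepted at all; the certificate is inspected explicitly below
        $cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Protocol = $Protocol
            Accepted = $true
            Cipher   = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Issuer   = $cert.Issuer
            DaysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        }
        $ssl.Dispose()
    } catch {
        # A refused handshake (server alert, or the version disabled on this client too) lands here
        [pscustomobject]@{ Protocol = $Protocol; Accepted = $false; Cipher = $null; Issuer = $null; DaysLeft = $null }
    } finally {
        $client.Dispose()
    }
}

$results = foreach ($proto in 'Tls', 'Tls11', 'Tls12') {
    Test-TlsHandshake -HostName $Fqdn -Port 443 -Protocol ([System.Security.Authentication.SslProtocols]$proto)
}
$results | Format-Table -AutoSize
```

After the hardening, Tls and Tls11 should show Accepted as False while Tls12 is accepted, with an Issuer containing "Let's Encrypt" and DaysLeft of at most about 90, decreasing until Certify the Web renews. Bear in mind that a modern Windows client may itself refuse TLS 1.0 and 1.1, so a False result for those rows is conclusive only when the server-side registry check agrees.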
Appendixes.
Appendix A: Microsoft SQL Server Scale Limits.
The following table shows the main differences between the Microsoft SQL Server editions. For Intel EMA, the only consideration with the Express version is the 10 GB limit. For environments with more than 5000 devices it is recommended to consider at least the Standard version. With proper maintenance, the database size shouldn't exceed 10 GB in environments with fewer than 5000 endpoints.
Table Source: Microsoft SQL Server Scale Limits
Appendix B: Commands to Validate the Network.
Command to validate the DNS resolution in PowerShell:
Resolve-DNSName -Name <dns-resolution>
Command to validate a TCP connection in PowerShell:
Test-NetConnection -ComputerName <dns-resolution-or-ip> -Port <port>
Conclusion.
In this guide, you learned how to install Intel Endpoint Management Assistant from scratch, considering the parameters needed to install a Single-Server architecture. If you need the official guides provided by Intel, you can find the Intel EMA Install Guides in the Documentation section.
This tutorial has been created based on my experience, and I hope it can save you hours of trial and error installing this amazing tool.