How to install Intel EMA Single-Server Mode

This step-by-step tutorial guides you through installing and configuring Intel Endpoint Management Assistant in Single-Server Mode.

Published on Aug 13, 2024

/ Author:

Rafael Escalante

intel

endpoint

management

assistant

ema

1.13.1

This step-by-step tutorial guides you through installing and configuring Intel Endpoint Management Assistant in Single-Server Mode.

In this guide, you will learn how to install Intel Endpoint Management Assistant (EMA) in a Single-Server mode for PoC environments and Small-Medium-Businesses. Intel EMA is a cloud application that allows the remote management of corporate devices outside the corporate firewall, also, this tool can provision and manage the Intel Active Management Technology (AMT) part of the Intel vPro Platform allowing the users to connect the BIOS, perform a power-off/power-on or install an Operating System remotely using the USB-Redirection (USB-R).

Intel EMA is an Infrastructure as a Service (IaaS) solution and the entity who owns the service is responsible for updating, managing and maintaining the console in a production environment.

# Checklist of prerequisites to install Intel EMA in a Single-Server Mode.

1. A single Virtual Machine (VM) with Microsoft Windows Server 2019 or 2022 installed in English, at least 2 vCPUs and 16 GB of RAM. If you choose Microsoft Windows Server 2019, you must install the [.NET Framework 4.8.0](https://dotnet.microsoft.com/en-us/download/dotnet-framework/thank-you/net48-offline-installer)
2. A database instance based on Microsoft SQL Server 2017, 2019 or 2022. You can use the versions [Express](https://www.microsoft.com/en-us/download/details.aspx?id=104781), [Standard](https://www.microsoft.com/en-us/d/sql-server-standard-2022/dg7gmgf0m80j?activetab=pivot:overviewtab) or [Enterprise](https://www.microsoft.com/en-us/sql-server/sql-server-2022-pricing). Also, Intel EMA support the Platform as a Service (PaaS) options with the different Cloud Service Providers like [Azure SQL](https://azure.microsoft.com/en-us/products/azure-sql/database), [AWS RDS](https://aws.amazon.com/rds/sqlserver/) or [GCP SQL](https://cloud.google.com/sql-server?hl=en). Bear in mind that the version Express supports only up to 10 GB for a relational database, for more information click [here](https://learn.microsoft.com/en-us/sql/sql-server/editions-and-components-of-sql-server-2022?view=sql-server-ver16).
3. A Windows user with Local Administrator privileges over the VM and SYSAdmin privileges over the Microsoft SQL Server instance.
4. An internal DNS record pointing to the VM (can be an [A Record](https://www.ietf.org/rfc/rfc1035.txt) or [CNAME Record](https://www.ietf.org/rfc/rfc1035.txt)). Example: **ema-demo.rescalante.com**
5. An external DNS record pointing to the entrypoint (public IP address) that is going to contact the VM within your private network (can be an [A Record](https://www.ietf.org/rfc/rfc1035.txt) or [CNAME Record](https://www.ietf.org/rfc/rfc1035.txt)). Example: **ema-demo.rescalante.com** (The internal and external DNS resolutions must be the same)
6. The ports TCP 8080 and TCP 443 must be open internally and externally. Intel EMA can be put behind a Load Balancer or a Reverse-Proxy but the ports must be redirected as TCP maintaining the sessions from origin (in some CSPs this option is called **session stickiness**).
7. A valid web certificate that matches the DNS resolutions. This certificate can be emitted by an internal or external Certification Authority (CA). (On this tutorial we are going to learn how to request a certificate using [Let's Encrypt](https://letsencrypt.org/)).

# Packages required to install Intel EMA in a Single-Server Mode.
* Latest version of [Intel EMA](https://www.intel.com/content/www/us/en/download/19449/intel-endpoint-management-assistant-intel-ema.html).
* Latest version of [Microsoft SQL Server 2022 Express](https://www.microsoft.com/en-us/download/details.aspx?id=104781)
* Latest version of [IIS Crypto GUI](https://www.nartac.com/Products/IISCrypto/Download)
* Latest version of [Microsoft URL Rewrite](https://www.iis.net/downloads/microsoft/url-rewrite)
* Latest version of [Certify the Web](https://certifytheweb.com/)
* (Only for Microsoft Windows Server 2019) [.NET Framework 4.8.0](https://dotnet.microsoft.com/en-us/download/dotnet-framework/net48)
* (Optional) Latest version of [Microsoft SQL Management Studio](https://learn.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-ver16)

## Step 1 - Preparing the Windows Server VM.

### 1.1 Connect to the Intel EMA VM using Remote Desktop.
To start interacting with the VM, you need to connect using RDP. If your are working with a CSP or using on-premises infrastructure, use the command `Test-NetConnection` in PowerShell to validate the port is reachable from your current device.

```powershell
Test-NetConnection -ComputerName <dns-resolution-or-ip-vm> -Port 3389
```

![EMA Installation Test-NetConnection command to RDP](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-test-netconnection-command-to-rdp.RdYZXDd9l4fn.png)

Use the native RDP agent from Windows to establish connection with your VM.

![Connecting through RDP to the VM where we are going to install Intel EMA](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-remote-desktop-connection.d7pRre7zT9Qa.png)

And access using the Windows Credentials with Administrator Privileges over the VM.

![EMA Installation Windows Credentials RDP](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-windows-credentials-rdp.mIhgjxORFllf.png)

Until you get to the main window of the VM.

![https://storage.googleapis.com/rescalante.com/static/media/ema-installation-windows-server-2022-vm-accessed.RQkxkDbHqSXd.png](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-windows-server-2022-vm-accessed.RQkxkDbHqSXd.png)

### 1.2 Download the packages required for the installation.
Inside the VM open the web browser and download the packages listed in the **Packages required to install Intel EMA in a Single-Server Mode** section. (In this tutorial, we are using Windows Server 2022, so the .NET Framework 4.8.0 is not necessary as it comes by default with this version).

![EMA Installation Download Intel EMA](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-download-intel-ema.k6HcGRKdFU4M.png)

![EMA Installation Downloaded Packages](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-downloaded-packages.rW4f0IGJvmOb.png)

Apply the latest Windows Updates in the Virtual Machine and perform a `reboot` if necessary.

![EMA Installation Windows Server Updates](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-windows-server-updates.XVaH4IRVFxuG.png)

## (Optional) Step 2 - Install Microsoft SQL Server 2022 Express.
This section is optional, on this section you will learn how to install Microsoft SQL Express 2022 as the database engine required for Intel EMA. In production environments is always recommended to install Standard or Enterprise versions.

### 2.1 Download MSSQL 2022 Express installation package.
To start the installation of Microsoft SQL Express open the file `SQL2022-SSEI-Expr.exe` as an Administrator.

![EMA Installation MSSQL Express 2022 Installation Type](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-mssql-express-2022-installation-type.l2588XGl1erj.png)

Select the option **Custom** to perform a custom installation, by default the installer will be downloaded to the `C:\SQL2022` folder and click on **Install**.

![EMA Installation MSSQL 2022 Express Media Target Location](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-mssql-2022-express-media-target-location.n6jIUuk4DMsV.png)

Wait for the Microsoft SQL Server 2022 Express package to complete the download.

![EMA Installation MSSQL Express 2022 Downloading Package](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-mssql-express-2022-downloading-package.3IWLiOxgmGbN.png)

The installer will launch automatically as soon as the package is ready opening the **SQL Server Installation Center**.

![EMA Installation MSSQL Server 2022 Express Installation Center](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-mssql-server-2022-express-installation-center.vDeu9kiDPXgV.png)

### 2.2 MSSQL Express 2022 installation.
Now that the MSSQL Express installer is ready, select the option **New SQL Server standalone installation or add features to an existing installation** and you will get the first prompt with the **License Terms**.

![EMA Installation MSSQL Server 2022 License Terms](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-mssql-server-2022-license-terms.gObN3QvrUhUn.png)

The next section will ask if we want to install the latest MSSQL Express 2022 updates, it's always recommended to have the latest updates.

![EMA Installation MSSQL Server 2022 Express Updates](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-mssql-server-2022-express-updates.fiZmYXBxuJ70.png)

Wait for the installer to validate the setup files and download the latest updates.

![EMA Installation MSSQL Server 2022 Express Install Setup Files](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-mssql-server-2022-express-install-setup-files.XYE54BbWnyY7.png)

Validate the install rules, probably you will see a warning in the Windows Firewall, you can ignore this warning as we are going to access the database only through **localhost**.

![EMA Installation MSSQL Server 2022 Express Install Rules](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-mssql-server-2022-express-install-rules.bLqcAgBzaOHc.png)

In the Feature Selection section, select only the **Database Engine Services** for Intel EMA we don't require MSSQL features installed.

![EMA Installation MSSQL Server 2022 Express Feature Selection](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-mssql-server-2022-express-feature-selection.cKmaAWm0Bppv.png)

Configure the MSSQL instance with any name you want, for this guide, we are going to use the default name **SQLEXPRESS** for the instance.

![EMA Installation MSSQL Server 2022 Instance Configuration](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-mssql-server-2022-instance-configuration.k8ioN9bceavH.png)

Leave the default Service Accounts in the Server Configuration.

![EMA Installation MSSQL Server Server Configuration](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-mssql-server-server-configuration.B2CPcjWxcEw6.png)

Now it's time to configure the **SYSAdmin** account for Microsoft SQL, here you have two options, use Windows Authentication or SQL Authentication, for this guide we are going to select **Mixed Mode** to enable both. With this configuration we will be able to access the MSSQL instance using the Windows account that is executing the installer and the **sa** account with a password stored in the master database.

![EMA Installation MSSQL Server DB Engine Accounts](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-mssql-server-server-configuration.B2CPcjWxcEw6.png)

Wait a couple of minutes to complete the MSSQL server installation.

![EMA Installation MSSQL Server Installation Progress](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-mssql-server-installation-progress.XMc4cy7nTG1l.png)

The installation has completed and Microsoft SQL Server Express 2022 has been successfully installed.

![EMA Installation MSSQL Server Installation Complete](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-mssql-server-installation-complete.hwS8JD4yyxjZ.png)

### 2.3 Enable TCP/IP stack in MSSQL Express 2022
By default, Microsoft SQL Express doesn't enable the TCP/IP stack, however, for this guide we are going to enable the database instance to listen from localhost through the TCP 1433 used by default in MSSQL environments. To perform this action open the **SQL Server Configuration Manager**.

![EMA Installation MSSQL Server 2022 Configuration Manager](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-mssql-server-2022-configuration-manager.fG4gZ4t9Yzc3.png)

Expand the menu **SQL Server Configuration Manager > Protocols for SQLEXPRESS**

![EMA Installation MSSQL Server 2022 Configuration Protocols](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-mssql-server-2022-configuration-manager.fG4gZ4t9Yzc3.png)

Open the TCP/IP protocol and change the option **Enabled** to **Yes**

![EMA Installation MSSQL Server 2022 TCP Stack](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-mssql-server-2022-tcp-stack.zwOHbFOTipND.png)

Open the IP Addresses tab and find the IP `127.0.0.1` change the option **Enabled** to **Yes** and the option **TCP Port** to **1433**, also at the end of the table change the IPAll option **TCP Port** to **1433**, we are enabling the MSSQL instance to listen on `localhost` and through the MSSQL default port 1433.

![EMA Installation MSSQL Server 2022 TCP Properties](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-mssql-server-2022-tcp-properties.XtTNH47Q51te.png)

Apply the changes and click on ok, you will see a prompt asking to restart the SQL Service.

![EMA Installation MSSQL Server 2022 TCP Changes](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-mssql-server-2022-tcp-changes.j2mKnTeKUGsf.png)

Go to the menu **SQL Server Services** select the instance **SQL Server (SQLEXPRESS)** with a right click and **Restart** the service.

![EMA Installation MSSQL Server 2022 Restart Service](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-mssql-server-2022-restart-service.IfE4um8esoxh.png)

Wait for the MSSQL Service to restart and close the window.

![EMA Installation MSSQL Server 2022 Restarting Service](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-mssql-server-2022-restarting-service.8y5ESrrtcUr0.png)

### 2.4 Installing Microsoft SQL Server Management Studio
The Microsoft SQL Server Management Studio is an application that allow us connecting to MSSQL Server instances and we can interact with the databases directly. To start the installer open the file `SSMS-Setup-ENU.exe` with Administrator privileges.

![EMA Installation Microsoft SQL Management Studio Installer](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-microsoft-sql-management-studio-installer.lv2ymBcLxJXs.png)

Leave the default location to perform the installation at *C:\Program Files (x86)\Microsoft SQL Server Management Studio 20* and proceed with the installation.

![EMA Installation Microsoft SQL Management Studio Install](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-microsoft-sql-management-studio-install.ce5ZF4tJNurV.png)

Wait for the installer to finish the installation and close the window.

![EMA Installation Microsoft SQL Management Studio Completed](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-microsoft-sql-management-studio-completed.ylraKhk5jHva.png)

### 2.5 Accessing to the MSSQL Server Express 2022 instance using MSSQL Management Studio.
Before we try MSSQL Management Studio, you can check if your Microsoft DB instance is listening through the port TCP 1433, you can use the following command line to perform this validation:

```powershell
Test-NetConnection -ComputerName localhost -Port 1433
```

If the test succeeded, you will the see the key `TcpTestSucceeded` as `True`, and now it's time to open Microsoft SQL Management Studio application.

![EMA Installation Microsoft SQL Management Studio Open](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-microsoft-sql-management-studio-open.rMF2mPswu6Ow.png)

This time we are going to access with the **sa** account we defined during the MSSQL Server installation. The Server Name must be `localhost` as we are accessing to the MSSQL instance in the same VM, the authentication we are going to select is SQL Server Authentication, we need to input the user that his time is sa and the password. Finally, select the option Trust Server Certificate and proceed to login.

![EMA Installation Microsoft SQL Management Studio Login](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-microsoft-sql-management-studio-login.7gtc66KQACQH.png)

If you input the parameters properly, you will be able to access the MSSQL Server Express 2022 instance.

![EMA Installation Microsoft SQL Management Studio Inside](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-microsoft-sql-management-studio-inside.ZOghG29zulmj.png)

## Step 3 - Install Intel Endpoint Management Assistant.
On this section you will install Intel EMA and the previous steps will make more sense as we are going to connect the Intel EMA application to the database and perform the installation.

### 3.1 Prepare your Windows Server environment to install Intel EMA.
We are going to generate a folder structure under `C:`, the idea here is to have order when we install Intel EMA that you would appreciate in the future when you update your console.

![EMA Installation Windows Explorer](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-windows-explorer.StBmFD1Q2Hc3.png)

We are going to generate a folder called `C:\EMA` and under that folder two new folders, one called `C:\EMA\Installers` and the other one `C:\EMA\Versions`,under the folder versions we are going to generate a folder for the version that we would like to install, for this tutorial the version 1.13.1 `C:\EMA\Versions\IntelEMA1.13.1` these folders are going to provide an order and in the future you can keep track of what you have installed.

![EMA Installation Windows Explorer EMA Folder](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-windows-explorer-ema-folder.pB4oHqWjG7tA.png)

Now we are going to copy the Intel EMA installer to `C:\EMA\Installers`

![EMA Installation Copy EMA Installer](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-copy-ema-installer.lQNXnMfGiQom.png)

Execute the file `Ema_Install_Package_1.13.1.0.exe` with Administrator Privileges and select the folder where we are going to extract the installation files, that's why we created the folder `C:\EMA\Versions\IntelEMA1.13.1`

![EMA Installation Extracting Installer](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-extracting-installer.jV2yx5lEyjAF.png)

Click on the Unzip button:

![EMA Installation Installer Extraction Completed](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-installer-extraction-completed.WgrpTyQSNqVT.png)

Open the folder `C:\EMA\Versions\IntelEMA1.13.1` in Windows Explorer and validate that the EMA installation files are there.

![EMA Installation Installer Extracted](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-installer-extracted.qyv9jykPkG4F.png)

### 3.2 Install Intel Endpoint Management Assistant
Now that we prepared our Windows Server environment it's time to install Intel EMA, to start the installation, execute the file `EMAServerInstaller.exe` with Administrator Privileges:

![EMA Installation Execute Installer Adminsitrator](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-execute-installer-adminsitrator.FGt8ZBAF8iKg.png)

In the Welcome window you will see a warning mentioning the installer is about to install Microsoft Internet Information Services (IIS), click on next.

![EMA Installer IIS Warning](https://storage.googleapis.com/rescalante.com/static/media/ema-installer-iis-warning.0aEgXKv4509G.png)

Now the installer will prompt to accept the License Agreement.

![EMA Installer License Agreement](https://storage.googleapis.com/rescalante.com/static/media/ema-installer-license-agreement.QB8zTnp8KKsI.png)

In the next window, you can choose the installation type, on this section you can choose between the single-server and multi-server architectures. In my experience, the suggestion here is to choose **Initial Install fr Distributed Server (Recommended)** as in the future, depending on your growth, you might require to install a secondary server and have a high availability architecture using a Load Balancer.

![EMA Installer Server Host Configurationt](https://storage.googleapis.com/rescalante.com/static/media/ema-installer-server-host-configuration.NCJLYRsajOkv.png)

It's time to configure the database connection, for this guide, we are going to use SQL Authentication to connect our Intel EMA app to the MSSQL Instance.

![EMA Installer Database Setup](https://storage.googleapis.com/rescalante.com/static/media/ema-installer-database-setup.oBzDYd9bJmX8.png)

In the Database Setup section we are going to configure the following parameters:
* `Database Server: localhost` as we installed the MSSQL instance in the same VM.
* `Database Name: EMADatabase` if we want to leave the Database schema by default. You can change the name of the EMA DB schema if you want.
* `Username: sa` as we defined the SYSAdmin user during the MSSQL installation.
* `Password: <password>` the password for the SYSAdmin user.

![EMA Installer Database Setup User](https://storage.googleapis.com/rescalante.com/static/media/ema-installer-database-setup-user.XqVy0kFTkfTe.png)

When you click next, you will notice the installer will check the database connection.

![EMA Installer Database Setup Testing](https://storage.googleapis.com/rescalante.com/static/media/ema-installer-database-setup-testing.u7sapAApkApv.png)

If you have issues with the Database connection, I recommend reviewing the connection using Microsoft SQL Management Studio, and check if the port TCP 1433 is listening through localhost.

```powershell
Test-NetConnection -ComputerName localhost -Port 1433
```

In the Load Balancer information window, we need to input the Fully-Qualified Domain Name (FQDN) of our server, for this tutorial we defined **ema-demo.rescalante.com** as our main DNS resolution, this is the most important step of the entire installation. If this step is not properly defined since the beginning, you might need to reinstall Intel EMA from the scratch in the future.

![EMA Installer Load Balancer Information](https://storage.googleapis.com/rescalante.com/static/media/ema-installer-load-balancer-information.9oG0BRm8m9DF.png)

For the AJAX and WebServer configuration we are going to tick the box **Same as Swarm Server** to use the same DNS resolution for these components.

![EMA Installer Load Balancer Information AJAX](https://storage.googleapis.com/rescalante.com/static/media/ema-installer-load-balancer-information-ajax.PzwSbQhXI3RA.png)

We are going to do the same for the Recovery Server component.

![EMA Installer Load Balancer Information Recovery](https://storage.googleapis.com/rescalante.com/static/media/ema-installer-load-balancer-information-recovery.se3pJLKaXnRN.png)

When the installer asks which components we want to deploy we are going to choose all of them.
* `Swarm Server Component` is responsible for handling the Intel EMA agent connections and the Intel AMT CIRA connections.
* `Ajax & Web Server Components` are responsible for the WebUI and the WebSockets management.
* `Recovery Server Component` is responsible for handling the Intel One-Click Recovery sessions to reinstall the OS from a UEFI BIOS.
* `Manageability Server Component` is responsible for the configuration/reconfiguration of the devices with Intel Active Management Technology (AMT).

![EMA Installer Server Components Deploy](https://storage.googleapis.com/rescalante.com/static/media/ema-installer-server-components-deploy.VYQwKRmJYguQ.png)

I recommend leaving the Intel EMA Platform Manager external port using the port TCP 8000, this port is used to connect using an application that is installed along with with Intel EMA used to manage the EMA components listed above. This is very useful when managing multiple EMA servers in a multi-server architecture. **IMPORTANT:** Do not publish this port.

![EMA Installer Install Platform Manager](https://storage.googleapis.com/rescalante.com/static/media/ema-installer-install-platform-manager.MgY4YT01pW7M.png)

Now it's time configure the Intel EMA Authentication, for this guide we are going to use **Local Accounts**, but bear in mind, Intel EMA supports 3 authentication options:
* `Local Accounts` where EMA stores the usernames and password encrypted in the database. Intel EMA supports Multi-Factor Authentication (MFA) for Local accounts since version 1.13.0
* `Domain Authentication` where EMA relies in the Microsoft Active Directory to authenticate the users.
* `Azure AD Authentication` where EMA relies in Microsoft Entra ID (Microsoft Azure Active Directory) to validate the users. If your organization configured MFA, Intel EMA will authorized the users using the OAuth2 flow.

![EMA Installer User Authentication Type](https://storage.googleapis.com/rescalante.com/static/media/ema-installer-user-authentication-type.JlIx7YG1RmOK.png)

As we have chosen Local Accounts, we need to generate the **Global Adminsitrator** user that has full control over the configuration on Intel EMA.

![EMA Installer Global Administrator Setup](https://storage.googleapis.com/rescalante.com/static/media/ema-installer-global-administrator-setup.X7GtHNqvloks.png)

The installer will ask if you want to add additional servers at this point, as this is a single-server environment is not necessary.

![EMA Installer Ask Add More Servers](https://storage.googleapis.com/rescalante.com/static/media/ema-installer-ask-add-more-servers.8x5lMAIN3v09.png)

Finally, the installer will ask for a final review of the installation.

![EMA Installer Review Installation Settings](https://storage.googleapis.com/rescalante.com/static/media/ema-installer-review-installation-settings.Rq1yrnZdHs0X.png)

After you click on **Install**, the installer will take care of the installation.

![EMA Installer Installing](https://storage.googleapis.com/rescalante.com/static/media/ema-installer-installing.fAZPBOjbYYoG.png)

If you want to review what's going on during the installation, open the menu `File > Advanced Mode`

![EMA Installer Installing Advanced Mode](https://storage.googleapis.com/rescalante.com/static/media/ema-installer-installing-advanced-mode.jdSb2xp9eqt7.png)

Wait for the installer to finish with the Intel EMA installation. You will see an entry in the logs saying **Install complete. It may take a few minutes to unpack some things**

![EMA Installer Installation Complete](https://storage.googleapis.com/rescalante.com/static/media/ema-installer-installation-complete.SDa3Vovqrnu4.png)

### 3.3 Intel EMA Initial Configuration with the Global Administrator
At this point, Intel EMA has been successfully installed, to validate the WebUI is running, you can open any web browser inside the VM and open the url `https:\\localhost`

![Validate Intel EMA Installation Localhost](https://storage.googleapis.com/rescalante.com/static/media/validate-intel-ema-installation-localhost.dsboHY3E9rFP.png)

You will see a warning as we are accesing with localhost, this is expected as the certificate is not valid, to proceed with the initial configuration click on `Continue to localhost (unsafe)`

![Validate Intel EMA Installation](https://storage.googleapis.com/rescalante.com/static/media/validate-intel-ema-installation.P2nYwO4nITJF.png)

To access Intel EMA, input the **Global Administrator** user and password to authenticate to Intel EMA.

![Configuring Intel EMA Global Administrator Input](https://storage.googleapis.com/rescalante.com/static/media/configuring-intel-ema-global-administrator-input.b1wplpT33foE.png)

When you click on Log In, you will see a prompt mentioned a Cross-Origin warning, this is expected as we installed Intel EMA with the FQDN **ema-demo.rescalante.com** and we are accessing with **localhost**

![Configuring Intel EMA Cross Origin Warning](https://storage.googleapis.com/rescalante.com/static/media/configuring-intel-ema-cross-origin-warning.Usi3na4ucLLe.png)

When you access to Intel EMA, you will se a Getting started section where you can start with the initial configuration.

![Configuring Intel EMA Global Administrator Main](https://storage.googleapis.com/rescalante.com/static/media/configuring-intel-ema-global-administrator-main.iXlc1uMcflSM.png)

Before we proceed with the configuration, open the Windows Explorer and create a new folder called `C:\EMA\USBR` this folder is going to be used for one of the coolest features that Intel AMT has which is USB Redirection (USB-R), this feature allows to upload `.iso` and `.img` files to Intel EMA and deploying an OS from the scratch using the Intel AMT connection. This is very useful in IT Environments when you need to restore/reinstall the OS without touching the device.

![Intel EMA Windows Explorer USBR](https://storage.googleapis.com/rescalante.com/static/media/intel-ema-windows-explorer-usbr.6VVO3VSN46g5.png)

Go back to the web browser and click on the settings section and access to `Server Settings > Manageability Server`, under this section look for the parameter `USBR Images Root Directory` and change it for `C:\EMA\USBR`. As you may guessed this is the directory where the Intel EMA app is going to store the `.iso` and `.img` files used for USB-R.

![Intel EMA Server Settings Manageability USBR](https://storage.googleapis.com/rescalante.com/static/media/intel-ema-server-settings-manageability-usbr.ey2pIhB9OWbk.png)

Click on `Save and Restart Server` to save the changes.

![Intel EMA Server Settings Manageability Save](https://storage.googleapis.com/rescalante.com/static/media/intel-ema-server-settings-manageability-save.XY3n3jaGQbuc.png)

Now, go to the Home menu and click on `Create Tenant` to generate our first organization on Intel EMA, add a `Tenant Name` and a `Description`

![Intel EMA Create Tenant](https://storage.googleapis.com/rescalante.com/static/media/intel-ema-create-tenant.UMXWyqxtFEeI.png)

After you generate the first Tenant you will notice that you can start generating users, go to the `Users > Manager Users` menu and create the first user under the new Tenant (Organization) we've generated. Assing the role **Tenant Administrator** and click on Save.

![Intel EMA Create Tenant Administrator](https://storage.googleapis.com/rescalante.com/static/media/intel-ema-create-tenant-administrator.sIUCaiUiasbR.png)

Validate that the user has been generated.

![Intel EMA Manage Users Tenant](https://storage.googleapis.com/rescalante.com/static/media/intel-ema-manage-users-tenant.lN9FE1XnkOnI.png)

Now you can Log Out and continue with the network validation.

### 3.4 Intel EMA Network Validation.
Intel EMA has been properly configured with the **Global Administrator** account and now it's time to validate if we can reach out the TCP Ports 443 (WebUI) and 8080 (Agents) from any device. This is very easy to test, open a PowerShell window in any device outside the VM and validate the ports using the following commands:

```powershell
Test-NetConnection -ComputerName <dns-resolution-or-ip> -Port 443
```

```powershell
Test-NetConnection -ComputerName <dns-resolution-or-ip> -Port 8080
```

![EMA Installation Validate Ports](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-validate-ports.Oh9GtIsbr2Ab.png)

## Step 4 - Security Hardening for Intel EMA
On this section you are going to perform a security hardening for your Intel EMA console, adding a valid certificate, the security headers and disabling the TLS and Cipher Suites considered vulnerable in the industry.

### (Optional) 4.1 Request and install a valid certificate for Intel EMA usign CertifyTheWeb (Let's Encrypt).
From your PC open the web browser and access to `https://<fqdn>` for this guide we are going to access to `https://ema-demo.rescalante.com` you will notice a security warning, this happens because the EMA WebUI doesn't have a valid certificate to show in the Web Browser. During the installation, EMA installs a Self-Signed Certificate.

![Intel EMA WebUI Self Signed Certificate](https://storage.googleapis.com/rescalante.com/static/media/intel-ema-webui-self-signed-certificate.c35XrvISV0of.png)

Go back to the VM and open the Windows Explorer, execute with Administrator Privileges the file `CertifyTheWebSetup_V1.6.0.exe`

![EMA Installation Certify The Web](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-certify-the-web.dkPpB03yxvOx.png)

In the main window, you will see the License Agreement of this tool. Certify the Web is an application to request a valid certificate to Let's Encrypt servers for Microsoft IIS.

![EMA Installation Certify The Web License Agreement](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-certify-the-web-license-agreement.AsV7oZ7ubUrU.png)

Select the default destination to perform the installation.

![EMA Installation Certify The Web Install Location](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-certify-the-web-install-location.l7dxE6Du0VpE.png)

Leave the defaults for the Start Menu folder.

![EMA Installation Certify The Web Start Menu](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-certify-the-web-start-menu.VPHkgvklSzZk.png)

Wait for Certify the Web to be properly installer.

![EMA Installation Certify The Web Installation](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-certify-the-web-installation.gTPJ4aJNNBDC.png)

When the installer ends, click on Finish to open the application.

![EMA Installation Certify The Web Run Application](https://storage.googleapis.com/rescalante.com/static/media/ema-installation-certify-the-web-run-application.CaznukAhdvek.png)

Using Certify the Web is very straighforward if you have basic knowledge about certificates, on this guide, we are going to explain how to request a certificate valid for your Intel EMA application. Click on `New Certificate`

![Certify the Web Main Window](https://storage.googleapis.com/rescalante.com/static/media/certify-the-web-main-window.JIU7bDWRGl70.png)

You will see a prompt asking to register a new contact. For more information, review the Certify the Web Privacy Policy [here](https://certifytheweb.com/home/privacy)

![Certify the Web Requesting New Contact](https://storage.googleapis.com/rescalante.com/static/media/certify-the-web-requesting-new-contact.IYejxduOWSZq.png)

Input an email that will be used by Let's Encrypt in case they require to contact you and click on Register Contact.

![Certify the Web Registering New Contact](https://storage.googleapis.com/rescalante.com/static/media/certify-the-web-registering-new-contact.1kdejRyQWpLP.png)

Now that you added your contact information, select the Default Website and input the domain (FQDN) of your Intel EMA instance.

![Certify the Web Adding Domain to IIS Default Website](https://storage.googleapis.com/rescalante.com/static/media/certify-the-web-adding-domain-to-iis-default-website.S7BAWMnnRRXn.png)

Add the domain to request a new certificate. You will see the FQDN of your EMA instance listed below.

![Certify the Web Adding Domain Certificate to IIS Default Website](https://storage.googleapis.com/rescalante.com/static/media/certify-the-web-adding-domain-certificate-to-iis-default-website.VGo6zzhFSUNE.png)

Click on `Request Certificate` and you will notice that the Certify The Web application will start requesting a certificate to the Let's Encrypt Servers.

![Certify the Web Requesting Certificate](https://storage.googleapis.com/rescalante.com/static/media/certify-the-web-requesting-certificate.wM5DsSxLqK29.png)

If for some reason the request fails, check that your domain is valid and publicly available, you can also check if the port TCP 80 is open as it's the way Let's Encrypt validates that you own the domain. From your PC, use the following command to validate the TCP Port 8080 is open and reachable from the internet.

```powershell
Test-NetConnection -ComputerName <dns-resolution-or-ip> -Port 80
```

After your receive a Success, we can consider the certificate has been emitted.

![Certify the Web Requesting Certificate Success](https://storage.googleapis.com/rescalante.com/static/media/certify-the-web-requesting-certificate-success.vmoNk6DTrbCr.png)

To install the certificate open Microsoft IIS and access to the Default Web Site.

![Microsoft IIS Main Window Default Website](https://storage.googleapis.com/rescalante.com/static/media/microsoft-iis-main-window-default-website.lpt5juUciqgn.png)

Open the `Bindings` section.

![Microsoft IIS Default Website Bindings](https://storage.googleapis.com/rescalante.com/static/media/microsoft-iis-default-website-bindings.W4Y7mAiQWvm8.png)

Edit the port **443**:

![Microsoft IIS Default Website Edit Site Binding](https://storage.googleapis.com/rescalante.com/static/media/microsoft-iis-default-website-edit-site-binding.wiY8P0Zr6Ss1.png)

Select in the `SSL certificate` a certificate that contains the name `Certify`, this is the certificate emitted by Let's Encrypt.

![Microsoft IIS Default Website Select Lets Encrypt Certificate](https://storage.googleapis.com/rescalante.com/static/media/microsoft-iis-default-website-select-lets-encrypt-certificate.bfCuzoooiXV6.png)

The beauty of certify the web is that certificate renews automatically every 3 months and you don't need to modify anything. It's important to be sure that the TCP Port 80 is open as it's the way Let's Encrypt continues validating that you own the domain. Now if you open the Web Browser on your PC and access to `https://<fqdn>` you will see a valid certificate and you won't see anymore the warning of the self-signed certificate.

![Intel EMA Web Browser Window Valid Certificate](https://storage.googleapis.com/rescalante.com/static/media/intel-ema-web-browser-window-valid-certificate.Z3ALU22uMxuu.png)

If you click on the Lock icon in the Web Browser and open the certificate, you will notice the certificate was emitted by Let's Encrypt and expires every 3 months.

![Intel EMA Web Browser Window Valid Lets Encrypt Certificate](https://storage.googleapis.com/rescalante.com/static/media/intel-ema-web-browser-window-valid-lets-encrypt-certificate.xUuJlsmgjTzy.png)

### 4.2 Install IIS URL Rewrite Module and set the Strict Transport Security (HSTS) Header.
It's recommended to install the URL Rewrite Module for Microsoft IIS, the URL Rewrite module allows to hide the Microsoft IIS version and set the HSTS Header. For more information about HSTS, click [Here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security)

Go back to the VM, open the Windows Explorer where you downloaded all the installation files.

![Windows Explorer IIS URL Rewrite Module Installer](https://storage.googleapis.com/rescalante.com/static/media/windows-explorer-iis-url-rewrite-module-installer.tUln3RuSnvv3.png)

Open the file `rewrite_amt64_en-US.msi` to start installing the IIS URL Rewrite Module and review the License Agreement.

![IIS URL Rewrite Module Installation License Agreement](https://storage.googleapis.com/rescalante.com/static/media/-iis-url-rewrite-module-installation-license-agreement.LU5TAdtMFObs.png)

Click on Install and wait for the installer to finish.

![IIS URL Rewrite Module Installation in Progress](https://storage.googleapis.com/rescalante.com/static/media/iis-url-rewrite-module-installation-in-progress.55LnQqleFhC7.png)

Review the installation and close the window.

![IIS URL Rewrite Module Installation Completed](https://storage.googleapis.com/rescalante.com/static/media/iis-url-rewrite-module-installation-completed.xQZghOwoCwvj.png)

Open Microsoft IIS again, select the Default Web Site and double click on the option `HTTP Response Headers`

![Microsoft IIS HTTP Response Headers Option](https://storage.googleapis.com/rescalante.com/static/media/microsoft-iis-http-response-headers-option.EaP6ARZV64gD.png)

![Microsoft IIS HTTP Response Headers List](https://storage.googleapis.com/rescalante.com/static/media/microsoft-iis-http-response-headers-option.EaP6ARZV64gD.png)

Add the HSTS configuration adding a header with the Name `Strict-Transport-Security` and the Value `max-age=31536000; includeSubDomains;`

![Microsoft IIS HTTP Response Headers Strict Transport Security](https://storage.googleapis.com/rescalante.com/static/media/microsoft-iis-http-response-headers-strict-transport-security.Z7UTFCxtideL.png)

Review the HTTP Response Headers list and validate the HSTS header has been added.

![Microsoft IIS HTTP Response Headers Security Listed](https://storage.googleapis.com/rescalante.com/static/media/microsoft-iis-http-response-headers-security-listed.xQ5rMFWz5gd1.png)

### 4.3 Disable TLS and Cipher Suites Vulnerabilities
Using the tool IISCrypto.exe you will learn how to disable TLS 1.0 and TLS 1.1 and the Cipher Suites that are considered vulnerable by the industry. For more information click [here](https://www.encryptionconsulting.com/why-should-organizations-avoid-older-tls-protocols/)

Open the Windows Explorer again and launch `IISCrypto.exe` with Administrator Privileges.

![Windows Explorer IIS Crypto Installer](https://storage.googleapis.com/rescalante.com/static/media/windows-explorer-iis-crypto-installer.aTXFdeEERTWH.png)

Review the License Agreement.

![IIS Crypto License Agreement](https://storage.googleapis.com/rescalante.com/static/media/iis-crypto-license-agreement.EtgvqXh0ZfeH.png)

IIS Crypto is a tool that basically look for the Windows Registries that enable/disable certain TLS versions and Cipher Suites.

![IIS Crypto Main Window](https://storage.googleapis.com/rescalante.com/static/media/iis-crypto-main-window.gmkiYpbwBGlw.png)

Click on the `Best Practices` button, which is going to apply the best practices defined by IIS Crypto.

![IIS Crypto Best Practices Applied](https://storage.googleapis.com/rescalante.com/static/media/iis-crypto-best-practices-applied.lo1UXrvtr8mR.png)

Disable TLS 1.0 and TLS 1.1 that are considered vulnerable.

![IIS Crypto Disable TLS Vulnerabilities](https://storage.googleapis.com/rescalante.com/static/media/iis-crypto-disable-tls-vulnerabilities.8gCgq3N28Bc0.png)

Restart the VM.

## Appendixes.

### Appendix A: Microsoft SQL Server Scale Limits.
The following table shows the main differences between the Microsoft SQL Server flavors. For Intel EMA the only consideration with the version Express is the 10 GB Limit. For environments with more than 5000 devices is recommended to consider at least the Standard version. With the proper maintenance the database size shouldn't pass the 10 GB in environments with less than 5000 endpoints.

![Microsoft SQL Server Scale Limits](https://storage.googleapis.com/rescalante.com/static/media/microsoft-sql-server-scale-limits.1yRZHFQn5ejU.png)
Table Source: [Microsoft SQL Server Scale Limits](https://learn.microsoft.com/en-us/sql/sql-server/editions-and-components-of-sql-server-2022?view=sql-server-ver16)

### Appendix B: Commands to Validate the Network.

Command to validate the DNS resolution in PowerShell:

```powershell
Resolve-DNSName -Name <dns-resolution>
```

Command to validate a TCP connection in PowerShell:

```powershell
Test-NetConnection -ComputerName <dns-resolution-or-ip> -Port <port>
```

## Conclusion
In this guide, you learned how to install Intel Endpoint Management Assistant from the scratch considering the parameters to install a Single-Server architecture. If you require to access to the official guides provided by Intel, you can access to the [Intel EMA Install Guides](https://www.intel.com/content/www/us/en/download/19449/intel-endpoint-management-assistant-intel-ema.html) in the **Documentation** section.

This tutorial has been created based on my experience and I hope can save you hours of try and error installing this amazing tool.

How to install Intel EMA Single-Server Mode

This step-by-step tutorial guides you through installing and configuring Intel Endpoint Management Assistant in Single-Server Mode.

Author: Rafael Escalante

Sitemap

Information

Contact