
Dell XT2 Administrator's Guide


Contents

1. Click the < > to expand the Section 1 Provisioning section.
   [Screenshot: Altiris Console, Intel AMT Getting Started folder list showing Section 1 Provisioning and Section 2 Intel AMT Tasks]
   Click the < > to expand the Basic Provisioning without TLS section.
   [Screenshot: Altiris Console, Out of Band Management tree]
2. [Screenshot: Altiris Console, Out of Band Discovery task. Name: Out of Band Discovery. Description: Detects Out of Band capability of client system. Package name: Out of Band Discovery Package. Program name: Out of Band Discovery Program.]
   Select Step 3 View Intel AMT Capable Computers.
3. Close the Export Security Keys to USB Key and drive explorer windows to return to the Altiris Console.
   Take the USB device to the computer, insert the device, and turn on the computer. The USB device is recognized immediately and you are prompted to Continue with Auto Provisioning (Y/N). Press <y>.
   [MEBx screen output, in order: Found USB Key for provisioning Intel(R) AMT. Continue with Auto Provisioning (Y/N). Intel(R) AMT Provisioning complete. Press any key to continue with system boot. ME BIOS Sync Successful.]
   Once complete, turn off the computer and move back to the management server.
   Select Step 6 Configure Automatic Profile Assignments.
4. Click Test on the DNS Configuration screen to verify that DNS has the ProvisionServer entry and that it resolves to the correct Intel setup and configuration server (SCS).
   [Screenshot: Altiris Console, DNS Configuration page, which reads:]
   DNS Configuration
   Intel AMT device setup and configuration requires the presence of a Domain Name System (DNS) Server. The DNS must have information for two entities:
   • The computer running Intel SCS Server must be registered in the DNS.
   • A configured operational Intel AMT device must be registered within DNS.
   Intel SCS
   The Notification Server with Out of Band Management Solution installed with (i.e. Intel SCS Server is running on this computer) must be registered in the DNS as
   This must be done in each DNS Domain. When it sends its Hello message, the Intel AMT device first uses the domain name received from the DHCP server. If there is more than one SCS in the domain, the DNS will alternate be
5. [MEBx screen: Intel(R) ME Platform Configuration menu: Intel(R) ME State Control, Intel(R) ME Firmware Local Update, Intel(R) ME Features Control, Intel(R) ME Power Control, Return to Previous Menu]
   Intel ME ON in Host Sleep States is the next option. The default setting is Mobile: ON in S0.
   [MEBx screen: Intel(R) ME Power Control menu, Intel(R) ME ON in Host Sleep States options]
   12. Select Return to Previous Menu and then press <Enter>.
   [MEBx screen: Intel(R) ME Power Control menu]
   13. Select Return to Previous Menu and then press <Enter>.
   [MEBx screen: Intel(R) ME Platform Configuration menu]
6. [MEBx screen: Intel(R) AMT Configuration menu, Computer host name prompt]
   6. Select TCP/IP and then press <Enter>.
   7. Press <n> when the following message appears: DHCP Enable: Disable DHCP (Y/N)
   [MEBx screen: Intel(R) AMT Configuration menu, DHCP prompt]
   8. Type the domain name into the field.
   [MEBx screen: Intel(R) AMT Configuration menu, Domain name prompt]
   9. Select Provision Model from the menu and then press <Enter>.
   10. Press <y> when the following message appears: Enterprise: change to Small Business (Y/N)
   [MEBx screen: Intel(R) AMT Configuration menu]
7. [Screenshot: Altiris Console, Export Security Keys to USB Key page]
   Click Generate. Once the keys have been created, a link appears to the left of the Generate button.
   [Screenshot: Export Security Keys to USB Key page, with the Generate Security Keys settings (number of security keys to generate), the Factory Default Intel Management Engine Password field (admin), the New Intel Management Engine Password field (this password is either uploaded from the USB key or typed in manually into the Management Engine BIOS Extension screen), and the Export Result section showing "No data exported yet"]
   Insert the previously formatted USB device into a USB connector on the Provisioning Server. Click the Download USB key file link to dow
8. [MEBx screen: Intel(R) ME Platform Configuration menu]
   9. Select Intel ME Features Control and then press <Enter>.
   [MEBx screen: Intel(R) ME Platform Configuration menu]
   Manageability Feature Selection is the next option. This feature sets the platform management mode. The default setting is Intel AMT. Selecting the None option disables all remote management capabilities.
   [MEBx screen: Intel(R) ME Features Control menu, Manageability Feature Selection options including Intel(R) AMT and ASF]
   10. Select Return to Previous Menu and then press <Enter>.
   [MEBx screen: Intel(R) ME Features Control menu]
   11. Select Intel ME Power Control and then press <Enter>.
9. [MEBx screen: Main Menu, Intel(R) ME Password prompt]
   3. Select Change Intel ME Password. Press <Enter>. Type the new password twice for verification.
   The new password must include the following elements:
   • Eight characters
   • One uppercase letter
   • One lowercase letter
   • A number
   • A special (nonalphanumeric) character, such as or excluding the and characters
   The underscore and spacebar are valid password characters but do NOT add to the password complexity.
   Change the password to establish Intel AMT ownership. The computer then goes from the factory-default state to the setup state.
   [MEBx screen: Main Menu, Intel(R) ME New Password prompt]
   Select Intel ME Configuration and then press <Enter>.
   ME Platform Configuration allows you to configure ME features such as power options, firmware update capabilities, and so on.
   [MEBx screen: Main Menu: Intel(R) ME Configuration, Intel(R) AMT Configuration, Change Intel(R) ME Password, Exit]
10. Skip Set PRTC.
   [MEBx screen: Intel(R) AMT Configuration menu, prompt "Enter PRTC in GMT (UTC) format"]
   Idle Timeout is the next option. The default setting is 1. This timeout is applicable only when a WoL option is selected for enabling ME for the Enterprise operating mode.
   [MEBx screen: Intel(R) AMT Configuration menu, Idle Timeout prompt "Timeout Value (1-65535)"]
   34. Select Return to Previous Menu and then press <Enter>.
   [MEBx screen: Intel(R) AMT Configuration menu]
   35. Select Exit and then press <Enter>.
11. [MEBx screen: Main Menu]
   36. Press <y> when the following message appears: Are you sure you want to exit? (Y/N)
   [MEBx screen: Main Menu, exit confirmation prompt]
   The computer restarts. Turn off the computer and disconnect the power cable. The computer is now in setup state and is ready for

   MEBx Interface (SMB Mode)
   The Intel Management Engine BIOS Extension (MEBx) is an optional ROM module that Intel provides to Dell to be included in the Dell BIOS. The MEBx has been customized for Dell computers.
   Dell also supports setup and configuration of Intel AMT in the small and medium business (SMB) mode. The only setting not required in the SMB mode is the Set PID and PPS option. Also, the Provision Model option is set to Small Business instead of Enterprise.
   Follow the steps below to set up and configure Intel AMT in the SMB mode.

   ME Configuration
   To enable Intel Management Engine (ME) on the target platform, perform the following steps:
   1. Press <Ctrl><p> at the Dell logo screen to enter the MEBx screens.
   2. Type admin in the
12. PID and PPS
   Enter the PID and PPS in the dash format (Ex. PID: 1234-ABCD; PPS: 1234-ABCD-1234-ABCD-1234-ABCD-1234-ABCD-1234-ABCD). A PPS value of 0000-0000-0000-0000-0000-0000-0000-0000 does not change the setup configuration state. If this value is used, the setup and configuration state stays as "Not started".

   Delete PID and PPS
   Deletes the current PID and PPS stored in ME. If there is no PID and PPS entered, the MEBx returns an error message.
   [MEBx screen: Intel(R) TLS PSK Configuration menu: Delete PID and PPS, Return to Previous Menu; screen footnote: may cause Intel(R) AMT partial unprovision]

   TLS PKI
   Remote Configuration Settings
   The remote configuration options are contained under the TLS PKI sub-menu. There are four remote configuration items:
   • Remote Configuration Enable/Disable
   • Manage Certificate Hashes
   • Set FQDN
   • Set PKI DNS Suffix
   [MEBx screen: Intel(R) Remote Configuration menu listing the four items and Return to Previous Menu; screen footnote: may cause Intel(R) AMT partial unprovision]

   Remote Configuration Enable/Disable
   The selectable options are Enable an
13. [MEBx screen: Intel(R) AMT Configuration menu, Computer host name prompt]
   6. Select TCP/IP. Press <Enter>.
   7. Press <n> when the following message appears: DHCP Enable: Disable DHCP (Y/N)
   [MEBx screen: Intel(R) AMT Configuration menu, DHCP prompt]
   8. Type the domain name into the Domain name field.
   [MEBx screen: Intel(R) AMT Configuration menu, Domain name prompt]
   9. Select Provision Model from the menu and then press <Enter>.
   10. Press <n> when the following message appears: Enterprise: change to Small Business (Y/N)
   [MEBx screen: Intel(R) AMT Configuration menu]
14. [MEBx screen: Intel(R) AMT Configuration menu, Username & Password option]
   32. For Serial Over LAN (SOL/IDE-R), select Enabled and then press <Enter>.
   [MEBx screen: Intel(R) AMT Configuration menu, Serial Over LAN option]
   33. For IDE Redirection, select Enabled and then press <Enter>.
   [MEBx screen: Intel(R) AMT Configuration menu, IDE Redirection option]
   Secure Firmware Update is the next option. The default setting is Enabled.
   [MEBx screen: Intel(R) AMT Configuration menu]
15. Feature: Benefit
   • Remote troubleshooting and recovery: Significantly reduces desk-side visits, increasing the efficiency of IT technical staff.
   • Proactive alerting: Decreases downtime and minimizes repair times.
   • Remote hardware and software asset tracking: Increases speed and accuracy over manual inventory tracking, reducing asset accounting costs.
   • Third-party nonvolatile storage: Increases speed and accuracy over manual inventory tracking, reducing asset accounting cost.
   Information on this page provided by Intel.
   The Intel Management Engine BIOS Extension (MEBx) is an optional ROM module provided to Dell from Intel that is included in the Dell BIOS. The MEBx has been customized for Dell computers.

   Operational Modes
   Intel AMT can be set up for either Enterprise or Small and Medium Business operational modes (also called provisioning models). Both operational modes support dynamic and static IP networking.
   If you use dynamic IP networking (DHCP), the Intel AMT host name and the operating system host name must match. You must also configure both the operating system and Intel AMT to use DHCP.
   If you use static IP networking, the Intel AMT IP address must be different from the operating system's IP address. Additionally, the Intel AMT hostname must be different from the operating system's hostname.
   • Enterprise mode: This mode is for large organizations. This is an advanced networking mode that
16. Setup and Configuration; Anytime; Secure Firmware Update; Set PRTC: blank; Idle Timeout: Timeout Value (0x0-0xFFFF): 1
   Table notes:
   Default setting
   May cause Intel AMT partial unprovision
   1 Intel ME Platform State Control is only changed for Management Engine (ME) troubleshooting.
   2 In Enterprise mode, DHCP automatically loads the domain name.
   3 Un-provision setting only seen if the box is provisioned.

   Setup and Configuration Methods Overview
   As discussed in the Setup and Configuration Overview section, the computer has to be configured before the Intel AMT capabilities are ready to interact with the management application. There are two methods to complete the provisioning process (in order from least complex to most complex):
   • Configuration service: A configuration service allows you to complete the provisioning process from a GUI console on their server with only one touch on each of the Intel AMT capable computers. The PPS and PID fields are completed using a file created by the configuration service saved to a USB mass storage device.
   • MEBx interface: The IT administrator manually configures the Management Engine BIOS Extension (MEBx) settings on each Intel AMT ready computer. The PPS and PID fields are completed by typing the 32-character and 8-character alpha-numeric keys created by the configuration service into the MEBx interface.
   Details on using these various methods are available
17. [Screenshot: Altiris Console, DNS Configuration page, which reads:]
   DNS Configuration
   Intel AMT device setup and configuration requires the presence of a Domain Name System (DNS) Server. The DNS must have information for two entities:
   • The computer running Intel SCS Server must be registered in the DNS.
   • A configured operational Intel AMT device must be registered within DNS.
   Intel SCS
   The Notification Server with Out of Band Management Solution installed with (i.e. Intel SCS Server is running on this computer) must be registered in the DNS as
   This must be done in each DNS Domain. When it sends its Hello message, the Intel AMT device first uses the domain name received from the DHCP server. If there is more than one SCS in the domain, the DNS will alternate between the servers. If there are multiple SCS ... added to the DNS.
   Click on the Test button below to verify that DNS has the ProvisionServer entry and that it resolves to the correct Intel SCS Server.
   Intel AMT Devices
   Ensure that the DNS is configured with the Fully Qualified Domain Names (FQDN) of the Intel AMT enabled machines that are being configured. Intel AMT devices must be configured to have the same FQDN as the host OS. This stems from the fact the Intel AMT device is no
18. [Screenshot: Dell Client Manager page in the Altiris Console, which reads:]
   and Latitude notebooks from a remote management console. Management capabilities for certain older models, as well as Dell Inspiron notebooks and Dimension desktops, are limited to discovery only. See the Product Guide for a complete list of supported models.
   Dell Client Manager Standard includes a 90-day license. If the license is allowed to expire, inventory functions will cease functioning. To obtain a free unlimited license, you must register your product. Once you have obtained your unlimited license, you will need to install it. Click here to install a license.
   Getting Started
   If you've already installed the Altiris management framework (Altiris Notification Server plus management agents) on the systems you wish to manage, you are ready to enable hardware management on your qualified Dell client systems by following the links in the Enable Hardware Management section at the top of the quick start task menu on the left.
   Clicking any link on the quick start task menu opens the target task, policy or report in this window. Click the View Report button on any of the five hardware management task pages to learn the status of the task
   [Quick Start Tasks menu on the same page: View Client Systems Discovery Results; View Client Systems Configured for Hardware Management; Hardware Management Tasks: Scan for Inventory Data, Scan for Current BIOS Settings, Configure BIOS Settings, Upgrade BIOS Version, Set Monitoring and Alerts; ASF and AMT Setup and Tasks: ASF Quick Start]
19. [Screenshot: Altiris Console, Out of Band Management tree]
   Verify that the setting is enabled. In the Intel AMT 2.0 dropdown, select the profile created previously. Configure the other settings for the environment.
   [Screenshot: Altiris Console, Out of Band Management tree]
   Select Step 7 Monitor Provisioning Process.
20. [Screenshot: Configure Intel AMT Setup & Configuration Service Profile dialog, Power Policy tab: Configure the Profile Power Policy; Intel AMT is ON in the following host sleep states; Idle timeout in minutes]
   Select Step 5 Generate Security Keys.
   [Screenshot: Altiris Console, profile list with columns Profile ID, Profile Name, Devices, Description]
   Select the icon with the arrow pointing out to Export Security Keys to USB Key.
   [Screenshot: Altiris Console]
21. supports Transport Layer Security (TLS) and requires a configuration service. Enterprise mode allows IT administrators to set up and configure Intel AMT securely for remote management. The Dell computer is defaulted to Enterprise mode when it leaves the factory. The mode can be changed during the setup and configuration process.
   • Small Medium Business (SMB) mode: This mode is a simplified operational mode that does not support TLS and does not require a setup application. SMB mode is for customers who do not have independent software vendor (ISV) management consoles or the necessary network and security infrastructures to use encrypted TLS. In SMB mode, Intel AMT setup and configuration is a manual process completed through the Intel ME BIOS Extension (MEBx). This mode is the easiest to implement since it does not require much infrastructure, but it is the least secure since network traffic is not encrypted.
   Intel AMT Configuration sets up all other Intel AMT options not covered in Intel AMT Setup, such as enabling the computer for Serial-Over-LAN (SOL) or IDE-Redirect (IDE-R).
   You can change the settings modified in the configuration phase many times over the course of a computer's life span. You can make changes to the computer locally or through a management console.

   Setup and Configuration Overview
   The following is a list of important terms related to the Intel AMT setup and configu
22. [Screenshot: Altiris Console, DNS Configuration page after clicking Test, which reads:]
   then CNAME records need to be added to the DNS.
   Click on the Test button below to verify that DNS has the ProvisionServer entry and that it resolves to the correct Intel SCS Server.
   Resolved ProvisionServer IP: 192.168.20.10
   Resolved Intel SCS IP: 192.168.20.10
   Ensure that the DNS is configured with the Fully Qualified Domain Names (FQDN) of the Intel AMT enabled machines that are being configured. Intel AMT devices must be configured to have the same FQDN as the host OS. This stems from the fact the Intel AMT device is not a secure DNS client and it relies on the host OS to maintain the DNS record. For this reason, the Intel AMT device snoops the DHCP requests and responses issued by the host OS. The Intel AMT device then uses the IP provided by the DHCP to the host OS as its own. When the host OS is down, the Intel AMT device requests DNS registration of its configured FQDN from the DHCP (option 81).

   Verify that the setting is Enabled. If Disabled, click the check box next to Disabled and click Apply.
23. MEBx Defaults
   The table below lists all the default settings for the Intel Management Engine BIOS Extension (MEBx).
   Settings, in the order listed: Password; Intel ME Platform Configuration; Intel ME Platform State Control; Intel ME Firmware Local Update; Intel ME Features Control; Manageability Feature Selection; Intel ME Power Control; Intel ME ON in Host Sleep States; Intel AMT Configuration; Host Name; TCP/IP; DHCP Enabled, Disable; Domain Name; Provision Model; Enterprise, Change to Small Business; Setup and Configuration; Current Provisioning Mode; Provisioning Record; Provisioning Server; Provisioning Server Address; Port Number (0-65535); TLS PSK; Set PID and PPS; Delete PID and PPS; TLS PKI; Remote Configuration Enable/Disable; Manage Certificate Hashes; Set FQDN; Set PKI DNS Suffix; Un-Provision; SOL/IDE-R; Username & Password; Serial Over LAN; IDE Redirection; Password Policy.
   Default Settings column, in the order listed: admin; Enabled, Disabled; Enabled, Disabled; None, Intel AMT, ASF; Mobile: ON in S0; Mobile: ON in S0, S3/AC; Mobile: ON in S0, S3/AC, S4-5/AC; Mobile: ON in S0, ME WoL in S3/AC; Mobile: ON in S0, ME WoL in S3/AC, S4-5/AC; blank; Provisioning Mode PKI; Displays the provision PSK/PKI record data of the computer; 0.0.0.0; 0; blank; format ABCD 1234; Disabled; Five default hashes active; blank; blank; Disabled, Enabled; Disabled, Enabled; Disabled, Enabled; Default Password Only; During
24. to be populated; otherwise the following message appears upon POST and you are unable to enter the MEBx interface: Bad ME memory configuration.
   DIMM A is located beneath the keyboard. For instructions on accessing this slot, refer to the system documentation.

   USB Setup and Configuration
   The default console package provided is the Dell Client Management (DCM) application. This section provides the procedure to set up and configure Intel AMT with the DCM package. As mentioned earlier in the document, several other packages are available through third-party vendors.
   The computer must be configured and seen by the DNS server before you begin this process. Also, a USB storage device is required and must conform to the requirements listed on the Using a USB Device page.
   The nature of management software is that it is not always dynamic or real time. In fact, sometimes if you tell a computer to do something, such as to reboot, you may just have to do it again and it will work.
   Format a USB device with the FAT16 file system and no volume label and then set it aside.
   [Screenshot: Windows My Computer window listing Hard Disk Drives and Devices with Removable Storage]
25. The computers for which profiles were assigned appear in the list. Each computer is identified by the FQDN, UUID and Profile Name columns. [Screenshot: Altiris Console 6.5, Profile Assignments]
26. Select Step 1. Configure DNS. The notification server with an out-of-band management solution installed must be registered in DNS as "ProvisionServer". [Screenshot: Altiris Console 6.5, Intel AMT Getting Started]
27. AMT Configuration page contains the user-configurable options listed below. For images of these menu options, refer to the and pages of this document. Menu Options. Host Name: A hostname can be assigned to the Intel AMT capable computer. This is the host name of the Intel AMT enabled computer. If Intel AMT is set to DHCP, the host name MUST be identical to the operating system machine name. TCP/IP: Allows you to change the following TCP/IP configuration of Intel AMT. Network interface (ENABLE/DISABLED): If the network interface is disabled, all the TCP/IP settings are no longer needed. DHCP Mode (ENABLE/DISABLED): If DHCP Mode is enabled, TCP/IP settings are configured by a DHCP server. If DHCP mode is disabled, the following static TCP/IP settings are required for Intel AMT. If a computer is in static mode, it needs a separate MAC address for the Intel Management Engine. This extra MAC address is often called the Manageability MAC (MNGMAC) address. Without a separate Manageability MAC address, the computer can NOT be set to static mode. IP address: Internet address of the Intel Management Engine. Subnet mask: The subnet mask used to determine what subnet IP address belongs to. Default Gateway address: The default gateway of the Intel Management Engine. Preferred DNS address: Preferred domain name server address. Alternate DNS address: Alternate domain name server address. Domain name: Domain name of the Intel
28. AMT Quick Start [Screenshot text, Altiris Quick Start Console: Please note that, depending upon your Notification Server configuration settings and other factors, these reports may take some time to begin returning data the first time you enable the policy or task that is being reported on. First Time Setup: If you've just installed Altiris Notification Server for the first time, there are a few things you need to do first before you can perform Dell Client Manager tasks. Links to these tasks are found under the Getting Started section of the quick start task menu. Also, depending upon your environment and management preferences, you may want to consider adjusting some Notification Server configuration options to better suit your needs.] Click the <+> to expand the Intel AMT Getting Started section. [Screenshot: Altiris Console 6.5, Intel AMT Getting Started]
29. Exit the MEBx Setup and save the ME configuration. The computer displays an Intel ME Configuration Complete message and then restarts. After the ME configuration is complete, you can configure the Intel AMT settings. Intel AMT Configuration. To enable Intel AMT Configuration settings on the target platform, perform the following steps: At the initial boot screen, press Ctrl+p to re-enter the MEBx screens, as seen in of Enabling Management Engine for Enterprise Mode. When a prompt for the password appears, enter the new Intel ME password. Select Intel AMT Configuration and then press <Enter>. [Screenshot: MEBx MAIN MENU] Select Host Name and then press <Enter>. Type in a unique name for this Intel AMT machine and then press <Enter>. Spaces are not accepted in the host name. Make sure there is not a duplicate host name on the network. Host names can be used in place of the computer's IP for any applications requiring the IP address. [Screenshot: MEBx INTEL(R) AMT CONFIGURATION menu]
30. [Screenshot: MEBx MAIN MENU] The main menu presents three function selections: Intel ME Configuration, Intel AMT Configuration, and Change Intel ME Password. The Intel ME Configuration and Intel AMT Configuration menus are discussed on the following pages. First, the password must be changed in order to proceed through these menus. Changing the Intel ME Password. The default password is admin and is the same on all newly deployed platforms. You must change the default password before changing any feature configuration options. The new password must include the following elements: eight characters; one uppercase letter; one lowercase letter; a number; a special (nonalphanumeric) character, such as or excluding the and characters. The underscore (_) and spacebar are valid password characters but do NOT add to the password complexity. Information on this page provided by Intel. ME Configuration Menu. To reach the Intel Management Engine (ME) Platform Configuration page, follow these steps: 1. Under the Management Engine BIOS Extension (MEBx) main menu, select ME Configuration. Press <Enter>. 2. The following message appears: "System resets after configuration changes. Continue (Y/N)". 3. Press Y. The ME Platform Configuration page opens. This page allows you to configure the specific fun
31. 6. Press <y> when the following message appears: "System resets after configuration change. Continue (Y/N)". [Screenshot: MEBx MAIN MENU with the prompt "Caution: System resets after configuration changes. Continue (Y/N)"] Intel ME State Control is the next option. The default setting for this option is Enabled. Do not change this setting to Disabled. If you want to disable Intel AMT, change the Manageability Feature Selection option to None in [Screenshot: MEBx INTEL(R) ME PLATFORM CONFIGURATION menu, Intel ME State Control] 7. Select Intel ME Firmware Local Update. Press <Enter>. 8. Then select either Enabled or Disabled and press <Enter>. The default setting for this option is Disabled. [Screenshot: MEBx INTEL(R) ME PLATFORM CONFIGURATION menu]
32. [Screenshot: MEBx INTEL(R) ME FEATURES CONTROL menu, Manageability Feature Selection] 12. Select Intel ME Power Control and then press <Enter>. [Screenshot: MEBx INTEL(R) ME PLATFORM CONFIGURATION menu] Intel ME ON in Host Sleep States is the next option. The default setting is Mobile: ON in S0. [Screenshot: MEBx INTEL(R) ME POWER CONTROL menu, Intel ME ON in Host Sleep States] 13. Select Return to Previous Menu and then press <Enter>. [Screenshot: MEBx INTEL(R) ME POWER CONTROL menu] 14. Select Return to Previous Menu and then press <Enter>.
33. Intel Active Management Technology v4.0 Administrator's Guide. Overview Product Overview Operational Modes Setup and Configuration Overview Provisioning Methods Menus and Defaults MEBx Settings Overview ME Configuration Menu AMT Configuration Menu MEBx Defaults Setup and Configuration Methods Overview Configuration Service MEBx Interface Enterprise Mode MEBx Interface SMB Mode System Deployment Operating System Drivers. If you purchased a DELL n Series computer, any references in this document to Microsoft Windows operating systems are not applicable. Management Intel AMT Web GUI AMT Redirection SOL/IDE-R AMT Redirection Overview Troubleshooting Troubleshooting. Information in this document is subject to change without notice. 2008 Dell Inc. All rights reserved. Reproduction of these materials in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden. Trademarks used in this text: Dell, Latitude, and the DELL logo are trademarks of Dell Inc.; Intel is a registered trademark of Intel Corporation in the U.S. and other countries; Microsoft and Windows are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell Inc. disclaims any proprietary interes
34. Intel ME Password field. Press <Enter>. Passwords are case sensitive. You must change the default password before making changes to the MEBx options. [Screenshot: MEBx MAIN MENU, Intel(R) ME Password prompt] 3. Select Change Intel ME Password and then press <Enter>. 4. Type the new password twice for verification. The new password must include the following elements: eight characters; one uppercase letter; one lowercase letter; a number; a special (nonalphanumeric) character, such as or excluding the and characters. The underscore and spacebar are valid password characters but do NOT add to the password complexity. Change the password to establish Intel AMT ownership. The computer then goes from the factory default state to the setup state. [Screenshot: MEBx MAIN MENU, Intel(R) ME New Password prompt] Select Intel ME Configuration and then press <Enter>. ME Platform Configuration allows you to configure ME features such as power options, firmware update capabi
35. Management Engine. Provision Model. The following provisioning models are available: Provisioning Mode (Enterprise / Small Business): This allows you to select between small business and enterprise mode. Enterprise mode may have different security settings than small business mode. Because of the different security settings, each of these modes requires a different process to complete the setup and configuration process. Setup and Configuration. The menu contains the parameters for the setup and configuration server. This menu also contains the security settings for PSK and PKI configurations. [Screenshot: MEBx INTEL(R) SETUP AND CONFIGURATION menu] Current Provisioning Mode: Displays the current provisioning TLS Mode: None, PKI, or PSK. This configuration is only shown in Enterprise Provision Model. Provisioning Record: Displays the provision PSK/PKI record data of the computer. If the data has not been entered, the MEBx displays a message that states "Provision Record not present". If the data is entered, the Provision Record displays the following: TLS provisioning mode: Displays the current configuration mode of the computer: None, PSK, or PKI. Provisioning IP: The IP of
36. [Screenshot: MEBx INTEL(R) AMT CONFIGURATION menu, Provision Model prompt "Enterprise: Change to Small Business (Y/N)"] Skip the Un-Provision option. This option returns the computer to factory defaults. See the section for more information about unprovisioning. Select SOL/IDE-R. Press <Enter>. [Screenshot: MEBx INTEL(R) AMT CONFIGURATION menu] 13. Press <y> when the following message appears: "Caution: System resets after configuration changes. Continue (Y/N)". [Screenshot: MEBx INTEL(R) AMT CONFIGURATION menu with the caution prompt] 14. Select Enabled for Username & Password and then press <Enter>. This option allows you to add users and passwords from the WebGUI. If the option is disabled, then only the administrator has MEBx remote a
37. [Screenshot: MEBx INTEL(R) ME PLATFORM CONFIGURATION menu] 15. Exit the MEBx Setup and save the ME configuration. The computer displays an Intel ME Configuration Complete message and then restarts. After the ME configuration is complete, you can configure the Intel AMT settings. Intel AMT Configuration. Enabling Intel AMT for SMB Mode. 1. At the initial boot screen, press Ctrl+p to re-enter the MEBx screens. 2. When a prompt for the password appears, enter the new Intel ME password. 3. Select Intel AMT Configuration and then press <Enter>. [Screenshot: MEBx MAIN MENU] 4. Select Host Name and then press <Enter>. 5. Type in a unique name for this Intel AMT machine and then press <Enter>. Spaces are not accepted in the host name. Make sure there is not a duplicate host name on the network. Host names can be used in place of the computer's IP for any applications requiring the IP address.
38. [Screenshot: MEBx prompt "Enter PKI DNS Suffix"] Un-provision. The Un-Provision option allows you to reset the Intel AMT configuration to factory defaults. There are two types of un-provision: Full Un-provision: This option resets all of the Intel AMT settings to their default values. If a PID/PPS value is present, both values are lost. The MEBx password remains untouched. CMOS clear: This un-provision option is not available in the MEBx. This option clears all values to their default values. If a PID/PPS is present, both values are lost. The MEBx password resets to the default value (admin). To invoke this option, you need to clear the CMOS (i.e., system board jumper). [Screenshot: MEBx INTEL(R) AMT CONFIGURATION menu] SOL/IDE-R. Username and Password (DISABLED/ENABLED): This option provides the user authentication for SOL/IDER session. If the Kerberos protocol is used, set this option to Disabled and set the user authentication through Kerberos. If Kerberos is not used, you have the choice to enable or disable user authentication on the SOL/IDER session. Serial Over LAN (SOL) (DISABLED/ENABLED): SOL allows the Intel AMT managed client console
39. QDN for the ME. The FQDN is the combination of the host name and domain (example: http://host name:16992 or http://system1:16992). The management computer makes a TCP connection to the Intel AMT capable computer and accesses the top-level Intel AMT embedded Web page within the Management Engine of the Intel AMT capable computer. Type the username and password. The default username is admin and the password is what was set during Intel AMT setup in the MEBx. Review the computer information and make any necessary changes. You can change the MEBx password for the remote computer in the WebGUI. Changing the password in the WebGUI or a remote console results in two passwords. The new password, known as the remote MEBx password, only works remotely with the WebGUI or remote console. The local MEBx password used to locally access the MEBx is not changed. You have to remember both the local and remote MEBx passwords to access the computer MEBx locally and remotely. When the MEBx password is initially set in Intel AMT setup, the password serves as both the local and remote password. If the remote password is changed, then the passwords are out of sync. Select Exit. AMT Redirection Overview. Intel AMT makes it possible to redirect serial and IDE communications from a managed client to a management console regardless of the boot and power state of the managed client. The client need only have the Intel AMT cap
40. 17. Skip Set PRTC. [Screenshot: MEBx INTEL(R) AMT CONFIGURATION menu with the prompt "Enter PRTC in GMT (UTC) format YYYY MM DD HH MM SS"] Idle Timeout is the next option. The default setting is 1. This timeout is applicable only when a WoL option is selected for screen of the process for enabling ME for the Enterprise operating mode. [Screenshot: MEBx INTEL(R) AMT CONFIGURATION menu with the prompt "Timeout Value (1-65535)"] 18. Select Return to Previous Menu and then press <Enter>. [Screenshot: MEBx INTEL(R) AMT CONFIGURATION menu] 19. Select Exit and then press <Enter>.
41. ability, a connection to a power source, and a network connection. Intel AMT supports Serial Over LAN (SOL, text/keyboard redirection) and IDE Redirection (IDER, CD-ROM redirection) over TCP/IP. Serial Over LAN Overview. Serial Over LAN (SOL) is the ability to emulate serial port communication over a standard network connection. SOL can be used for most management applications where a local serial port connection is normally required. When an active SOL session is established between an Intel AMT enabled client and a management console using the Intel AMT redirection library, the client's serial traffic is redirected through Intel AMT over the LAN connection and made available to the management console. Similarly, the management console may send serial data over the LAN connection that appears to have come through the client's serial port. IDE Redirection Overview. IDE Redirection (IDER) is capable of emulating an IDE CD drive or a legacy floppy or LS-120 drive over a standard network connection. IDER enables a management machine to attach one of its local drives to a managed client over the network. Once an IDER session is established, the managed client can use the remote device as if it were directly attached to one of its own IDE channels. This can be useful for remotely booting an otherwise unresponsive computer. IDER does not support the DVD format. For example, IDER is used to boot a client with a corrupt operating system. First, a valid bo
42. aused at the very early stage of its booting, so the computer has no traffic originating from the ME on any of its busses, ensuring that you can debug a computer problem without worrying about any role the ME might have played in it. Intel ME Firmware Local Update. This option on the ME Platform Configuration menu sets the policy for allowing the MEBx to be updated locally. The default setting is Disabled. The other setting available is Enabled. Enabled allows local ME firmware updates. Disabled does not allow local ME firmware updates. [Screenshot: MEBx INTEL(R) ME PLATFORM CONFIGURATION menu, Intel ME Firmware Local Update] Intel ME Features Control. The ME Features Control menu contains the following configuration selection. Manageability Feature Selection: When you select the Manageability Feature Selection option on the ME Features Control menu, the ME Manageability Feature menu appears. [Screenshot: MEBx INTEL(R) ME FEATURES CONTROL menu, Manageability Feature Selection] You can u
43. ccess. [Screenshot: MEBx INTEL(R) AMT CONFIGURATION menu, Username & Password] 15. For Serial Over LAN, select Enabled and then press <Enter>. [Screenshot: MEBx INTEL(R) AMT CONFIGURATION menu, Serial Over LAN] 16. For IDE Redirection, select Enabled and then press <Enter>. [Screenshot: MEBx INTEL(R) AMT CONFIGURATION menu, IDE Redirection] Secure Firmware Update is the next option. The default setting is Enabled. [Screenshot: MEBx INTEL(R) AMT CONFIGURATION menu]
44. crypted using the Transport Layer Security Pre-Shared Key (TLS-PSK) protocol. Once the computers connect to an SCS, Enterprise Mode Configuration occurs. MEBx Settings Overview. The Intel Management Engine BIOS Extension (MEBx) provides platform-level configuration options for you to configure the behavior of Management Engine (ME) platform. Options include enabling and disabling individual features and setting power configurations. This section provides details about MEBx configuration options and constraints, if any. All the ME Platform Configuration setting changes are not cached in MEBx. They are committed to ME non-volatile memory (NVM) until you exit MEBx. Hence, if MEBx crashes, the changes made until that point are NOT going to be committed to ME NVM. Access MEBx Configuration User Interface. The MEBx configuration user interface can be accessed on a computer through the following steps: 1. Turn on (or restart) your computer. 2. When the blue DELL logo appears, press Ctrl+p immediately. If you wait too long and the operating system logo appears, continue to wait until you see the Microsoft Windows desktop. Then shut down your computer and try again. 3. Type the ME password. Press <Enter>. The MEBx screen appears as shown below. [Screenshot: MEBx MAIN MENU]
45. [Screenshot: Windows My Computer and the Format Removable Disk dialog, File system: FAT] Select AMT Quick Start from the left navigation menu to open the Altiris Console. [Screenshot: Altiris Quick Start Console, Dell Client Manager Standard]
46. ctions of the ME, such as features, power options, and so on. Below are quick links to the various sections. [Screenshot: MEBx INTEL(R) ME PLATFORM CONFIGURATION menu] Intel ME State Control. When the ME State Control option is selected on the ME Platform Configuration menu, the ME State Control menu appears. You can disable ME to isolate the ME computer from main platform until the end of the debugging process. [Screenshot: MEBx INTEL(R) ME PLATFORM CONFIGURATION menu, Intel ME State Control] When enabled, the ME State Control option lets you disable ME to isolate the ME computer from the main platform while debugging a field malfunction. The table below illustrates the details of the options. ME Platform State Control (Option: Description). Enabled: Enable the Management Engine on the platform. Disabled: Disable the Management Engine on the platform. In fact, the ME is not really disabled with the Disabled option. Instead, it is p
47. d Disable. If Remote Configuration is disabled, the menu options underneath are still displayed but are not used until Remote Configuration is enabled. This option cannot be modified once the setup and configuration process is in process. This parameter can only be modified while the computer is in the factory default or un-provisioned state. Enabling/disabling remote configuration causes a partial un-provision if the setup and configuration is in process. Manage Certificate Hashes. Select the Manage Certificate Hashes option under the Remote Configuration menu to display the Manage Certificate Hashes menu. Four default hashes are available from the factory. Hashes can be deleted or added per customer needs. [Screenshot: MEBx INTEL(R) REMOTE CONFIGURATION menu, Manage Certificate Hashes list with Hash Name, Active and Default columns: VeriSign Class Primary CA G3, Go Daddy Class 2 CA, Comodo AAA CA, Starfield Class 2 CA] The Manage Certificate Hash screen has several keyboard controls available to you to manage the hashes on the computer. The following keys are valid when in the Manage Certificate Hash menu: Escape key: Exits from the menu. Insert key: Adds a customized certificate hash to the computer
48. e Delete PID and PPS option. This option returns the computer to factory defaults. See the section for more information about unprovisioning. 19. Select Return to Previous Menu and then press <Enter>. [Screenshot: MEBx INTEL(R) TLS PSK CONFIGURATION menu, with the note "may cause Intel(R) AMT partial unprovision"] 20. Select TLS PKI from the menu and then press <Enter>. [Screenshot: MEBx INTEL(R) SETUP AND CONFIGURATION menu] 21. Select Remote Configuration Enable/Disable from the menu and then press <Enter>. This option is Disabled by default and can be Enabled if the network infrastructure does not support a Certificate Authority (CA). [Screenshot: MEBx INTEL(R) REMOTE CONFIGURATION menu, with the note "may cause Intel(R) AMT partial unprovision"] 22. If Enabled, refer to steps 19 through 21. I
49. Once the computers are provisioned, they are visible under the Collections folder in All configured Intel AMT computers. [Screenshot: Altiris Console, Collections folder]
50. elect Set PKI DNS Suffix from the menu. Press <Enter>. 26. Type the PKI DNS Suffix in the text field and press <Enter>. [Screenshot: MEBx Remote Configuration menu, Enter PKI DNS Suffix field] 27. Select Return to Previous Menu and press <Enter>. [Screenshot: MEBx Remote Configuration menu] 28. Select Return to Previous Menu and then press <Enter>. This returns you to the Intel AMT Configuration menu. [Screenshot: MEBx Setup and Configuration menu] Skip the Un-Provision option. This option returns the computer to factory defaults. See the section for more information about unprovisioning. [Screenshot: MEBx screen]
51. f not Enabled skip to [Screenshot: MEBx Remote Configuration menu] Manage Certificate Hashes option is the next option. Four hashes are configured by default. Hashes can be deleted or added per customer needs. [Screenshot: MEBx Remote Configuration menu, Manage Certificate Hashes list showing VeriSign Class 3 Primary CA G3, Go Daddy Class 2 CA, Comodo AAA CA and Starfield Class 2 CA] 23. Select Set FQDN from the menu and then press <Enter>. 24. Type the FQDN of the provisioning server in the text field and press <Enter>. [Screenshot: MEBx Remote Configuration menu, Enter FQDN of provisioning server field] 25. S
52. figuration state. After the setup and configuration process is complete, the passwords may be different. • Anytime: MEBX password and network password will be synched when either the MEBX password or the network password is changed. [Screenshot: MEBx AMT Configuration menu, Password Policy options: Default Password Only, During Setup and Configuration, Anytime] Secure Firmware Update: This option allows you to enable/disable secure firmware updates. Secure firmware update requires an administrator user name and password. If the administrator user name and password are not supplied, the firmware cannot be updated. When the secure firmware update feature is enabled, you are able to update the firmware using the secure method. Secure firmware updates pass through the LMS driver. If secure and local firmware update is disabled, the user must enable secure firmware update or local firmware update to allow the firmware updates. [Screenshot: MEBx AMT Configuration menu]
53. [Screenshot: MEBx AMT Configuration menu] 29. Select SOL/IDE-R and then press <Enter>. [Screenshot: MEBx AMT Configuration menu] 30. Press <y> when the following message appears: "Caution: System resets after configuration changes. Continue (Y/N)". [Screenshot: MEBx AMT Configuration menu with the caution prompt] User name & Password: 31. Select Enabled and then press <Enter>. This option allows you to add users and passwords from the WebGUI. If the option is disabled, then only the administrator has MEBx remote access. [Screenshot: MEBx screen]
54. [Screenshot: MEBx prompt to change from Enterprise to Small Business (Y/N)] 11. Select Setup and Configuration from the menu and then press <Enter>. [Screenshot: MEBx AMT Configuration menu] 12. Select Current Provisioning Mode to display the current mode and then press <Enter>. The current provisioning mode is displayed. Press <Enter> or <Esc> to exit. [Screenshot: MEBx Setup and Configuration menu showing Provisioning Mode: NONE] 13. Select Provisioning Record from the menu and then press <Enter>. The screen displays the provision PSK/PKI record data of the computer. If the data has not been entered, the MEBX displays a message that states "Provision Record not present". If the data is entered, the Provision Record displays one of several [Screenshot: MEBx screen]
55. in the next few sections. Configuration Service: This section discusses Intel AMT setup and configuration using a USB storage device. You can set up and locally configure password, provisioning ID (PID), and provisioning passphrase (PPS) information with a USB drive key. This is also called USB provisioning. USB provisioning allows you to manually set up and configure computers without the problems associated with manually typing in entries. USB provisioning only works if the MEBx password is set to the factory default of admin. If the password has been changed, reset it to the factory default by clearing the CMOS. The following is a typical USB drive key setup and configuration procedure. For a detailed walk-through using Altiris Dell Client Manager (DCM), refer to the USB device procedure page. 1. An IT technician inserts a USB drive key into a computer with a management console. 2. The technician requests local setup and configuration records from a setup and configuration server (SCS) through the console. 3. The SCS does the following: (1) generates the appropriate passwords, PID and PPS sets; (2) stores this information in its database; (3) returns the information to the management console. 4. The management console writes the password, PID and PPS sets to a setup.bin file in the USB drive key. 5. The technician takes the USB drive key to the staging area where new Intel AMT capable computer
56. input/output to be redirected to the management server console. IDE Redirection (IDE-R): DISABLED / ENABLED. IDE-R allows the Intel AMT managed client to be booted from remote disk images at the management console. [Screenshot: MEBx AMT Configuration menu] Password Policy: There are two passwords present for the firmware. The MEBX password is the password that is entered when a user is physically at the system. The network password is the password that is entered when accessing an ME-enabled system through the network. This option determines when the network password and the MEBX password will be synched. The MEBX password can still be modified by users directly in front of the system. However, depending on the option selected below, the network password and the MEBX password may be different. The settings are: • Default Password Only: MEBX password and the network password will only be synched when the password is changed from the default password. After the MEBX password is changed from the default value, the network password and the MEBX password may be different. • During Setup and Configuration: MEBX password and the network password will be synched during the setup and con
57. isioning a computer with Enterprise mode: • Legacy • IT TLS-PSK. Legacy: If you want Transport Layer Security (TLS), execute the legacy method of Intel AMT setup and configuration on an isolated network separate from the corporate network. A setup and configuration server (SCS) requires a secondary network connection to a certification authority (an entity which issues digital certificates) for TLS configuration. Initially, the computers are shipped in the factory default state with Intel AMT ready for configuration and provisioning. These computers must go through Intel AMT setup in order to go from the factory default state to the setup state. Once the computer is in the setup state, you can continue to configure it manually or connect it to a network where it connects with an SCS and begin Enterprise Mode Intel AMT configuration. IT TLS-PSK: IT TLS-PSK Intel AMT setup and configuration is usually performed in a company's IT department. The following are required: • Setup and configuration server • Network and security infrastructure. Intel AMT capable computers in the factory default state are given to the IT department, which is responsible for Intel AMT setup and configuration. The IT department can use any method to input Intel AMT setup information, after which the computers are in Enterprise Mode and in the In-Setup phase. An SCS must generate PID and PPS sets. Intel AMT configuration must occur over a network. The network can be en
58. [Screenshot: Altiris Console, Out of Band Discovery task settings] Any Intel AMT capable computers on the network are visible in this list. [Screenshot: Altiris Console, Step 3: View Intel AMT Capable Computers]
59. lay the "Change the active state of this hash? (Y/N)" prompt. Answering yes to this question toggles the active state of the currently selected certificate hash. Setting a hash as active indicates that the hash is available for use during PSK provisioning. Viewing a Certificate Hash: Press <Enter> in the Manage Certificate Hash screen. The details of the selected certificate hash are displayed, including the hash name, the certificate hash data, and the active and default states. Set FQDN: When the Set FQDN option is selected under the Remote Configuration menu, you are prompted to enter the Fully Qualified Domain Name (FQDN) of the Provisioning Server. [Screenshot: MEBx Remote Configuration menu, Enter FQDN of provisioning server field] Set PKI DNS Suffix: When the Set PKI DNS Suffix option is selected under the Remote Configuration menu, you are prompted to enter the PKI DNS Suffix of the Provisioning Server. The Key Value is maintained in EPS. [Screenshot: MEBx Remote Configuration menu]
60. lities and so on. [Screenshot: MEBx Main Menu] 7. Press <y> when the following message appears: "System resets after configuration change. Continue (Y/N)". [Screenshot: MEBx Main Menu with the caution prompt] Intel ME State Control is the next option. The default setting for this option is Enabled. Do not change this setting to Disabled. If you want to disable Intel AMT, change the Manageability Feature Selection option to None later in this procedure. [Screenshot: MEBx ME Platform Configuration menu, Intel ME State Control set to Enabled] 8. Select Intel ME Firmware Local Update and then press <Enter>. 9. Select ei
61. [Screenshot: Altiris Console profile dialog, Network tab with ping response, VLAN, Web UI, Serial over LAN and IDE redirection options] The TLS (Transport Layer Security) tab provides the ability to enable TLS. If enabled, several other pieces of information are required, including the certificate authority (CA) server name, CA common name, CA type, and certificate template. [Screenshot: Altiris Console profile dialog, TLS tab] The ACL (access control list) tab is used to review users already associated with this profile and to add new users and define their access privileges. [Screenshot: Altiris Console profile dialog, ACL tab] The Power Policy tab has configuration options to select the sleep states for Intel AMT as well as an Idle Timeout setting. It is recommended that Idle timeout is always set to 0 for optimal performance. The setting for the Power Policy tab can potentially impact a computer's ability to remain E-Star 4.0 compliant. [Screenshot: Altiris Console profile dialog]
62. matted with the FAT16 file system. The sector size must be 1 KB. The USB drive key is not bootable. The setup.bin file must be the first file landed on the USB drive key. The USB key must not contain any other files, whether hidden, deleted, or otherwise. MEBx Interface (Enterprise Mode): The Intel Management Engine BIOS Extension (MEBx) is an optional ROM module that Intel provides to Dell to be included in the Dell BIOS. The MEBx has been customized for Dell computers. Enterprise mode (for large corporate customers) requires a setup and configuration server (SCS). An SCS runs an application over a network that performs Intel AMT setup and configuration. The SCS is also known as a provisioning server, as seen in the MEBx. An SCS is typically provided by independent software vendors (ISVs) and is contained within the ISV management console product. Consult with the management console supplier for more information. Follow the steps below to set up and configure Intel AMT in the Enterprise mode. ME Configuration: To enable Intel Management Engine (ME) on the target platform: 1. Press <Ctrl><p> at the Dell logo screen to enter the MEBx screens. 2. Type admin in the Intel ME Password field. Press <Enter>. Passwords are case sensitive. You must change the default password before making changes to the MEBx options. [Screenshot: MEBx screen]
63. [Screenshot: Altiris Console, provisioning list with columns UUID, FQDN, Status, Provision Date, Version, Profile] Select Step 8: Monitor Profile Assignments. [Screenshot: Altiris Console, Step 8: Monitor Profile Assignments]
64. network. It is set up manually and is ready to use with the Intel AMT Web GUI. Intel AMT Setup and Configuration States: The act of setting up and configuring Intel AMT is also known as provisioning. An Intel AMT capable computer can be in one of three setup and configuration states: • The factory default state is a fully unconfigured state in which security credentials are not yet established and Intel AMT capabilities are not yet available to management applications. In the factory default state, Intel AMT has the factory-defined settings. • The setup state is a partially configured state in which Intel AMT has been set up with initial networking and transport layer security (TLS) information: an initial administrator password, the provisioning passphrase (PPS), and the provisioning identifier (PID). When Intel AMT has been set up, Intel AMT is ready to receive enterprise configuration settings from a configuration service. • The provisioned state is a fully configured state in which the Intel Management Engine (ME) has been configured with power options, and Intel AMT has been configured with its security settings, certificates, and the settings that activate the Intel AMT capabilities. When Intel AMT has been configured, the capabilities are ready to interact with management applications. The act of setting up and configuring Intel AMT is known as provisioning. There are two methods of prov
65. ning on a different port, enter it here. [Screenshot: MEBx Setup and Configuration menu, Port number (0-65535) field] 17. Select TLS PSK from the menu and then press <Enter>. 18. [Screenshot: MEBx Setup and Configuration menu] Set PID and PPS is the next option. The PID and PPS can be input manually or by using a USB key once the SCS generates the codes. This option is for entering the provisioning ID (PID) and provisioning passphrase (PPS). PIDs are eight characters and PPS are 32 characters. There are dashes between every set of four characters, so including dashes, PIDs are nine characters and PPS are 40 characters. An SCS must generate these entries. [Screenshot: MEBx TLS PSK Configuration menu, Enter PID field (e.g. ABCD-1234)] Skip th
66. nload setup.bin file to the USB device. The USB device is recognized by default; save the file to the USB device. If additional keys are needed in the future, the USB device must be reformatted before saving the setup.bin file to it. [Screenshot: Altiris Console, Export Security Keys to USB Key dialog] Click Save in the File Download dialog box. [Screenshot: File Download dialog] The setup.bin file is now visible in the drive explorer window. [Screenshot: drive explorer window showing setup.bin on the removable disk]
67. [Screenshot: Altiris Console, Manage Profiles list] On the General tab, the administrator can modify the profile name and description along with the password. The administrator sets a standard password for easy maintenance in the future. Select the manual radio button and enter a new password. [Screenshot: Altiris Console profile dialog, General tab] The Network tab provides the option to enable ping responses, VLAN, WebUI, Serial over LAN, and IDE Redirection. If you are configuring Intel AMT manually, all these settings are also available in the MEBx. [Screenshot: Altiris Console profile dialog, Network tab]
68. nto the Intel AMT capable computer's MEBx. The Hello message contains the following information: • Provisioning ID (PID) • Universally Unique Identifier (UUID) • IP address • ROM and firmware (FW) version numbers. The Hello message is transparent to the end user. There is no feedback mechanism to tell you that the computer is broadcasting the message. The SCS uses the information in the Hello message to initiate a Transport Layer Security (TLS) connection to the Intel AMT capable computer using a TLS Pre-Shared Key (PSK) cipher suite, if TLS is supported. The SCS uses the PID to look up the provisioning passphrase (PPS) in the provisioning server database and uses the PPS and PID to generate a TLS Pre-Master Secret. TLS is optional. For secure and encrypted transactions, use TLS if the infrastructure is available. If you do not use TLS, then HTTP Digest is used for mutual authentication. HTTP Digest is not as secure as TLS. The SCS logs into the Intel AMT computer with the username and password and provisions the following required data items: • New PPS and PID (for future setup and configuration) • TLS certificates • Private keys • Current date and time • HTTP Digest credentials • HTTP Negotiate credentials. The computer goes from the setup state to the provisioned state, and then Intel AMT is fully operational. Once in the provisioned state, the computer can be remotely managed. Operating System Drive
69. [Screenshot: MEBx Main Menu] 20. Press <y> when the following message appears: "Are you sure you want to exit? (Y/N)". [Screenshot: MEBx Main Menu with the exit prompt] 21. After the computer restarts, turn off the computer and disconnect the power cable. The computer is now in setup state and is ready for System Deployment: Once you are ready to deploy a computer to a user, plug the computer into a power source and connect it to the network. Use the integrated Intel 82566DM NIC. Intel Active Management Technology (Intel AMT) does not work with any other NIC solution. When the computer is turned on, it immediately looks for a setup and configuration server (SCS). If the computer finds this server, the Intel AMT capable computer sends a Hello message to the server. DHCP and DNS must be available for the setup and configuration server search to automatically succeed. If DHCP and DNS are not available, then the setup and configuration server's (SCS) IP address must be manually entered i
70. onfiguration Select and press <Enter>. Example: IntelAMT. This is the same as the operating system machine name. Set the parameters as follows: • Enable Network interface • Enable DHCP Mode • Set a domain name (e.g., amt.intel.com) • Provision Model: Intel AMT 4.0 Mode, Small Business • SOL/IDE-R: Enable SOL, Enable IDE-R • Remote FW Update: Enabled. Save and exit MEBx and then boot the computer to the Windows operating system. Intel AMT in Static Mode Settings Example: The table below shows a basic field settings example for the Intel AMT Configuration menu page to configure the computer in static mode. The computer requires two MAC addresses (GBE MAC address and Manageability MAC Address) to operate in static mode. If there is no Manageability MAC address, Intel AMT cannot be set in static mode. Intel AMT Configuration Parameters: Set the parameters as follows: • Enable Network interface • Disable DHCP Mode • Set an IP address (e.g., 192.168.0.15) • Set a subnet mask (e.g., 255.255.255.0) • The default gateway address is optional • The preferred DNS address is optional • The Alternate DNS address is optional • Set the domain name (e.g., amt.intel.com) • Provision Model: Intel AMT 4.0 Mode, Small Business • SOL/IDE-R: Enable SOL, Enable IDE-R • Remote FW Update: Enabled. Save and exit MEBx and then boot computer to the Windows operating system. Information on this page provided by Intel.
71. [Screenshot: Altiris Console, Resource Synchronization settings] The computers for which the keys were applied begin to appear in the system list. At first the status is Unprovisioned, then the system status changes to In provisioning, and finally it changes to Provisioned at the end of the process. [Screenshot: Altiris Console, Step 7: Monitor Provisioning Process]
72. ot disk is loaded into the management console disk drive. This drive is then passed as an argument when the management console opens the IDER TCP session. Intel AMT registers the device as a virtual IDE device on the client, regardless of its power or boot state. Both SOL and IDER may be used together, since the client BIOS may need to be configured to boot from the virtual IDE device. Troubleshooting: This page describes a few basic troubleshooting steps to follow if problems are experienced with the Intel AMT configuration. Remember to always check DSN for more troubleshooting options. Return to Default: Return to default is also known as un-provisioning. An Intel AMT setup and configured computer can be un-provisioned using the Intel AMT Configuration screen and the Un-Provision option. Follow the steps below to un-provision a computer: 1. Select Un-Provision and then select Full Un-provision. Full un-provisioning is available for SMB Mode provisioned computers. This option returns all Intel AMT configuration settings to factory defaults and does NOT reset ME configuration settings or passwords. Full and partial un-provisioning is available for Enterprise Mode provisioned computers. Partial un-provisioning returns all Intel AMT configuration settings to factory defaults with the exception of the PID and PPS. Partial un-provisioning does NOT reset ME configuration settings or passwords. An un p
73. [MEBx screen: power package selection]
The power package selected determines when the ME is turned ON. The default power package is Mobile ON in S0. The end user administrator can choose which power package is used depending on computer usage. The power package selection page can be seen above. Information on this page provided by
AMT Configuration Menu
After you completely configure the Intel Management Engine (ME) feature, you must reboot before configuring the Intel AMT for a clean system boot. The image below shows the Intel AMT configuration menu after a user selects the Intel AMT Configuration option from the Management Engine BIOS Extension (MEBx) main menu. This feature allows you to configure an Intel AMT capable computer to support the Intel AMT management features. You need to have a basic understanding of networking and computer technology terms, such as TCP/IP, DHCP, VLAN, IDE, DNS, subnet mask, default gateway, and domain name. Explaining these terms is beyond the scope of this document.
[MEBx screen, Intel(R) Management Engine BIOS Extension v4.0.4.0003: Intel(R) AMT Configuration menu with TCP/IP, Provision Model, Setup and Configuration, Un-Provision, SOL/IDE-R, Password Policy, Secure Firmware Update]
The Intel
74. r Delete key: Deletes the currently selected certificate hash from the computer.
< > key: Changes the active state of the currently selected certificate hash.
Enter key: Displays the details of the currently selected certificate hash.
Adding a Customized Hash
Press <Insert> in the Manage Certificate Hash screen. A text field is displayed requesting the hash name. You must enter the hash name. The hash name must be a maximum of 32 characters. Upon pressing <Enter>, you are prompted to enter the certificate hash value.
3. The certificate hash value is a 20-byte hexadecimal number. You must enter the hash data in the correct format or the message "Invalid Hash Certificate Entered Try Again" is displayed. Upon pressing <Enter>, you are asked about setting the active state of the hash.
4. This query allows for setting the active state of the customized hash.
o Yes: The customized hash is marked as active.
o No (Default): Hash is maintained within EPS
Deleting a Hash
1. Press <Delete> in the Manage Certificate Hash screen to display the "Delete this certificate hash (Y/N)" prompt.
2. This option allows deleting of the selected certificate hash.
o Yes: MEBx shall send the message to FW to delete the selected hash.
o No: MEBx shall not delete the selected hash and returns to the Remote Configuration
Changing the Active State
Press the < > key in the Manage Certificate Hash screen to disp
75. ration
• Setup and configuration: The process that populates the Intel AMT managed computer with usernames, passwords, and network parameters that enable the computer to be administered remotely.
• Provisioning: The act of setting up and configuring Intel AMT.
• Configuration service: A third-party application that completes the Intel AMT provisioning.
• Intel AMT WebGUI: A Web browser-based interface for limited remote computer management.
You must set up and configure Intel AMT in a computer before using it. Intel AMT setup readies the computer for Intel AMT mode and enables network connectivity. This setup is generally performed only once in the lifetime of a computer. When Intel AMT is enabled, it can be discovered by management software over a network.
Once Intel AMT is set up in Enterprise mode, it is ready to initiate configuration of its own capabilities. When all required network elements are available, simply connect the computer to a power source and the network, and Intel AMT automatically initiates its own configuration. The configuration service (a third-party application) completes the process for you. Intel AMT is then ready for remote management. This configuration typically takes only a few seconds. When Intel AMT is set up and configured, you can reconfigure the technology as needed for your business environment.
Once Intel AMT is set up in SMB mode, the computer does not have to initiate any configuration across the
76. rovisioning message displays after about 1 minute. After un-provisioning completes, control is passed back to the Intel AMT Configuration screen. Provisioning Server, Set PID and PPS, and Set PRTC options are available again because the computer is set to the default Enterprise Mode.
2. Select Return to previous menu.
3. Select Exit and then press y. The computer restarts.
Firmware Flash
Flash the firmware to upgrade to newer versions of Intel AMT. The automatic flash feature can be disabled by selecting Disabled under the Secure Firmware Update setting in the MEBx interface. If this setting is disabled, a firmware error message appears when flashing the BIOS. The firmware CANNOT be flashed to an older version or to the current version installed. The firmware flash, when available, is located on the support.dell.com site for download.
Serial Over LAN (SOL) / IDE Redirection (IDE-R)
If you cannot use IDE-R and SOL, follow these steps:
1. At the initial boot screen, press <Ctrl><p> to enter the MEBx screens.
2. When a prompt for the password appears, enter the new Intel ME password.
3. Select Intel AMT Configuration and then press <Enter>.
4. Select Un-Provision and then press <Enter>.
5. Select Full Unprovision and then press <Enter>.
6. Reconfigure the settings under the Intel AMT Configuration menu option shown here.
Error Message: Not able to enter the MEBx on POST
The MEBx requires the DIMM A slot
77. rs
Within the operating system, two drivers must be installed to remove unknown devices in the Device Manager. These drivers are discussed below.
SOL/LMS Driver
The Intel AMT Serial Over LAN (SOL) / Local Manageability Service (LMS) driver is available on support.dell.com and on the ResourceCD under Chipset Drivers. The driver is labeled Intel AMT SOL/LMS. Once the driver is obtained, execute the file; it unzips and prompts the user to continue the installation process. Once you install the SOL/LMS driver, the PCI Serial Port entry becomes the Intel Active Management Technology SOL (COM3) entry.
HECI Driver
The Intel AMT Host Embedded Controller Interface (HECI) driver is available on support.dell.com and on the ResourceCD under Chipset Drivers. The driver is labeled Intel AMT HECI. Once the driver is obtained, execute the file; it unzips and prompts the user to continue the installation process. Once you install the HECI drivers, the PCI Simple Communications Controller entry becomes the Intel Management Engine Interface entry.
Intel AMT WebGUI
The Intel AMT WebGUI is a Web browser-based interface for limited remote computer management. The WebGUI is often used as a test to determine if Intel AMT setup and configuration was performed properly on a computer. A successful remote connection between a remote computer and the host computer running the WebGUI indicates proper Intel AMT
78. [MEBx screen: Intel(R) Setup and Configuration menu with Current Provisioning Mode, Provisioning Record, Provisioning Server, TLS PSK, TLS PKI; message "Provision Record is not present"]
14. Select Provisioning Server from the menu and then press <Enter>.
[MEBx screen, Intel(R) Management Engine BIOS Extension v4.0.4.0003: Intel(R) Setup and Configuration menu]
15. Type the provisioning server IP in the Provisioning server address field and press <Enter>. The default setting is 0.0.0.0. This default setting works only if the DNS server has an entry that can resolve the provision server to the IP of the provisioning server.
[MEBx screen: Intel(R) Setup and Configuration menu, Provisioning server address prompt]
16. Type the port in the Port number field and press <Enter>. The default setting is 0. If left at the default setting of 0, the Intel AMT attempts to contact the provisioning server on port 9971. If the provisioning server is liste
79. [Screenshot: Altiris Console, Manage Security Keys, with columns PID, PPS, Factory Default Password, New Password]
4. Select the Generate keys before export radio button.
[Screenshot: Altiris Console dialog, Export Security Keys to USB Key, Generate Security Keys section]
80. [MEBx screen residue]
Set PRTC
Enter PRTC in GMT (UTC) format (YYYY:MM:DD:HH:MM:SS). Valid date range is 1/1/2004 to 1/4/2021. Setting the PRTC value is used for virtually maintaining PRTC during the power off (G3) state. This configuration is only displayed for the Enterprise Provision Model.
[MEBx screen, Intel(R) Management Engine BIOS Extension v4.0.4.0003: Intel(R) AMT Configuration menu, Set PRTC prompt "Enter PRTC in GMT (UTC) format"]
Idle Timeout
Use this setting to define the ME WOL idle timeout. When this timer expires, the ME enters a low power state. This timeout only takes effect when one of the ME WOL power policies is selected. Enter the value in minutes.
[MEBx screen: Intel(R) AMT Configuration menu, Idle Timeout prompt "Timeout Value (1-65535)"]
Intel AMT in DHCP Mode Settings Example
The table below shows a basic field settings example for the Intel AMT Configuration menu page to configure the computer in DHCP mode.
Intel AMT Configurations Example in DHCP Mode
Intel AMT C
81. s are located. The technician then does the following:
1. Unpacks and connects computers if necessary.
2. Inserts the USB drive key into a computer.
3. Turns on that computer.
6. The computer BIOS detects the USB drive key.
o If found, the BIOS looks for a setup.bin file at the beginning of the drive key. Go to step 7.
o If no USB drive key or setup.bin file is found, then restart the computer. Ignore the remaining steps.
7. The computer BIOS displays a message that automatic setup and configuration will occur.
1. The first available record in the setup.bin file is read into memory. The process accomplishes the following:
o Validates the file header record.
o Locates the next available record.
o If the procedure is successful, the current record is invalidated so it cannot be used again.
2. The process places the memory address into the MEBx parameter block.
3. The process calls MEBx.
8. MEBx processes the record.
9. MEBx writes a completion message to the display.
10. The IT technician turns off the computer. The computer is now in the setup state and is ready to be distributed to users in an Enterprise mode environment.
11. Repeat step 5 if you have more than one computer.
Refer to the management console supplier for more information on USB drive key setup and configuration.
USB Drive Key Requirements
The USB drive key must meet the following requirements to be able to set up and configure Intel AMT:
It must be greater than 16 MB.
It must be for
82. se (PPS). Enter the PID and PPS in the dash format (Ex. PID: 1234-ABCD; PPS: 1234-ABCD-1234-ABCD-1234-ABCD-1234-ABCD). NOTE: A PPS value of 0000-0000-0000-0000-0000-0000-0000-0000 does not change the setup configuration state. If this value is used, the setup and configuration state stays as Not started.
o Delete PID and PPS: Deletes the current PID and PPS stored in ME. If there is no PID and PPS entered, the MEBx returns an error message. Using this option does NOT set the setup and configuration process parameter to Not Started. This option sets the setup and configuration process parameter to In Process.
TLS PKI: Contains the settings for the TLS PKI configuration settings.
o Remote Configuration Enable/Disable: Disables or enables remote configuration. If this option is not enabled, remote configuration cannot occur.
o Manage Certificate Hashes: Displays the list of hashes that are currently stored and the current status. To change the active status of the certificate, press the < > key. To delete the hash, press the <del> key. To add another key, press the <ins> key.
o Set FQDN: Sets the fully qualified domain name for the computer.
o Set PKI DNS suffix: Sets the PKI DNS suffix.
TLS PSK
The submenu contains the settings for TLS PSK configuration settings. Setting or deleting the PID/PPS causes a partial un-provision if the setup and configuration is In process.
• Set PID and PPS: Sets the
83. se this option to determine which manageability feature is enabled.
• ASF: Alert Standard Format. ASF is a standardized corporate assets management technology. The Intel ICH9 platform supports ASF specification 2.0.
• Intel AMT: Intel Active Management Technology. Intel AMT is an improved corporate assets management technology.
The table below explains these options.
Management Feature Select Option
Option | Description
None | Manageability Feature is not selected
Intel AMT | Intel AMT manageability feature is selected
ASF | ASF manageability feature is selected
When you change the option from Intel AMT to None, a warning appears that Intel AMT un-provisions automatically if you accept the change. The None option has no manageability feature provided by the ME computer. In this case, the firmware is loaded (i.e., ME is still enabled) but the management applications remain disabled.
Intel ME Power Control
To comply with ENERGY STAR requirements, the Intel Management Engine can be turned off in various sleep states. The Intel ME Power Control menu configures Intel ME platform power policies.
ME On in Host Sleep States
When the ME ON in Host Sleep States option is selected on the ME Power Control menu, the ME in Host Sleep States menu loads.
[MEBx screen, Intel(R) Management Engine BIOS Extension v4.0.4.0003: Intel(R) ME Power Control menu]
84. setup and configuration on the remote computer. The Intel AMT WebGUI is accessible from any Web browser, such as the Internet Explorer or Netscape applications.
Limited remote computer management includes:
• Hardware inventory
• Event logging
• Remote computer reset
• Changing of network settings
• Addition of new users
WebGUI support is enabled by default for SMB setup and configured computers. WebGUI support for Enterprise setup and configured computers is determined by the setup and configuration server. Information on using the WebGUI interface is available on the Intel AMT website. An older version of the WebGUI interface is available at Intel AMT Small Business Administrator's Guide under "Using the Web Browser Interface" on page 4.
Follow the steps below to connect to the Intel AMT WebGUI on a computer that has been configured and set up:
1. Turn on an Intel AMT capable computer that has completed Intel AMT setup and configuration.
2. Launch a Web browser from a separate computer, such as a management computer on the same subnet as the Intel AMT computer.
3. Connect to the IP address specified in the MEBx and port of the Intel AMT capable computer (example: http://ip_address:16992 or http://192.168.2.1:16992).
o By default, the port is 16992. Use port 16993 and https to connect to the Intel AMT WebGUI on a computer that has been configured and set up in the Enterprise mode.
o If DHCP is used, then use the fully qualified domain name F
85. [Screenshot: Altiris Console navigation tree, Basic Provisioning without TLS]
Select Step 4 Create Profile.
[Screenshot: Altiris Console, Intel AMT capable computers collection]
Click the plus symbol to add a new profile.
[Screenshot: Altiris Console navigation tree, Basic Provisioning without TLS]
86. t a secure DNS client and it relies on the host OS to maintain the DNS record. For this reason, the Intel AMT device snoops the DHCP requests and responses issued by the host OS. The Intel AMT device then uses the IP provided by the DHCP to the host OS as its own. When the host OS is down, the Intel AMT device requests DNS registration of its
Select Step 2 Discovery Capabilities.
[Screenshot: Altiris Console navigation tree, Basic Provisioning without TLS]
DNS Configuration
Intel AMT device setup and configuration requires the presence of a Domain Name System (DNS) Server. The DNS must have information for two entities:
• The computer running Intel SCS Server must be registered in the DNS.
• A configured, operational Intel AMT device must be registered within DNS.
Intel SCS
The Notification Server with Out of Band Management Solution installed (i.e., Intel SCS Server is running on this computer) must be registered in the DNS as
This must be done in each DNS Domain. When it sends its Hello message, the Intel AMT device first uses the domain name received from the DHCP server. If there is more than one SCS in the domain, the DNS will alternate between the servers. If there are multiple SCS instances or the server platform has a different name
87. t in trademarks and trade names other than its own. August 2008 Rev. A00
Overview
Intel Active Management Technology (Intel AMT) allows companies to easily manage their networked computers in the following ways:
• Discover computing assets on a network regardless of whether the computer is turned on or off. Intel AMT uses information stored in nonvolatile system memory to access the computer. The computer can even be accessed while it is powered off (also called out-of-band or OOB access).
• Remotely repair systems even after operating system failures. In the event of a software or operating system failure, Intel AMT can be used to access the computer remotely for repair purposes. IT administrators can also detect computer system problems easily with the assistance of Intel AMT's out-of-band event logging and alerting.
• Protect networks from incoming threats while easily keeping software and virus protection up to date across the network.
Software Support
Several independent software vendors (ISVs) are building software packages to work with Intel AMT features. This provides IT administrators many options when it comes to remotely managing the networked computer assets within their company.
Features and Benefits
Intel AMT Features | Benefits
Out-of-band (OOB) access | Allows remote management of platforms regardless of system power or operating system state
88. [Screenshot: Altiris Console dialog, Export Security Keys to USB Key, Export Result section]
Enter the number of keys to generate (depends on the number of computers that need to be provisioned). The default is 50.
[Screenshot: Altiris Console dialog, Generate Security Keys section]
The Intel ME default password is admin. Configure the new Intel ME password for the environment.
[Screenshot: Altiris Console Webpage Dialog, Generate Security Keys section]
89. the setup and configuration server.
o Date of Provision: Displays the date and time of the provisioning in the format MM/DD/YYYY at HH:MM.
o DNS: Displays if Secure DNS is being used or not. 0 indicates DNS is not in use; 1 indicates secure DNS is being used (PKI only).
o Host Initiated: Displays if the setup and configuration process was initiated by the host. No indicates the setup and configuration process was not host initiated; Yes indicates the setup and configuration process was host initiated (PKI only).
o Hash Data: Displays the 40-character certificate hash data (PKI only).
o Hash Algorithm: Describes the hash type. Currently only SHA1 is supported (PKI only).
o IsDefault: Displays Yes if the hash algorithm is the default algorithm selected. Displays No if the hash algorithm is not the default algorithm used (PKI only).
o FQDN: FQDN of the provisioning server mentioned in certificate (PKI only).
o Serial Number: The 32 characters that indicate the Certificate Authority serial numbers.
o Time Validity Pass: Indicates whether the certificate passed the time validity check.
Provisioning Server: The IP address and port number (0-65535) for an Intel AMT provisioning server. This configuration is only shown for the enterprise provision model. The default port number is 9971.
TLS PSK: Contains the settings for TLS PSK configuration settings.
o Set PID and PPS: Sets the provisioning identifier (PID) and provisioning passphra
90. ther Enabled or Disabled and then press <Enter>. The default setting for this option is Disabled.
[MEBx screen, Intel(R) Management Engine BIOS Extension v4.0.4.0003: Intel(R) ME Platform Configuration menu with Intel(R) ME State Control, Intel(R) ME Firmware Local Update, Intel(R) ME Features Control, Intel(R) ME Power Control]
10. Select Intel ME Features Control and then press <Enter>.
[MEBx screen: Intel(R) ME Platform Configuration menu]
Manageability Feature Selection is the next option. This feature sets the platform management mode. The default setting is Intel AMT. Selecting the None option disables all remote management capabilities.
[MEBx screen: Intel(R) ME Features Control menu, Manageability Feature Selection with options Intel(R) AMT and ASF]
11. Select Return to Previous Menu and then press <Enter>.
[MEBx screen]
91. tween the servers. If there are multiple SCS
[Screenshot: Altiris Console, Step 1 Configure DNS, DNS test result showing the resolved Intel SCS IP]
Intel AMT Devices
Ensure that the DNS is configured with the Fully Qualified Domain Names (FQDN) of the Intel AMT enabled machines that are being configured. Intel AMT devices must be configured to have the same FQDN as the host OS. This stems from the fact the Intel AMT device is not a secure DNS client and it relies on the host OS to maintain the DNS record. For this reason, the Intel AMT device snoops the DHCP requests and responses issued by the host OS. The Intel AMT device then uses the IP provided by the DHCP to the host OS as its own. When the host OS is down, the Intel AMT device requests DNS registration of its
The IP address for the ProvisionServer and Intel SCS are now visible.
[Screenshot: Altiris Console navigation tree, Basic Provisioning without TLS]
