Dell OptiPlex 790 (Early 2011) Administrator's Guide
Contents
1. Reports Tasks Bin veri Y Introvisioning Records AN vero status i I Favorites B fila T E vi BS By mof Ey Fram rrr coe Spm en m nama default 2 juin E datei 527 2005 LZIDOIDQ AM Bb nts console Hore Order by uutt direction Ascending Done eee ere im 4 40 The computers for which profiles were assigned appear in the list Each computer is identified by the FQDN UUID and Profile Name columns Vf Altiris Console 65 IIS nternet Explorer tuus CUP be AbWis Console 6 5 i altiris console l Home View Manage Tools Reports Configure Help gt Ea eee ee heed peg S Gut of Band Management T o Jmm i K eoi aaa cuwes Profile Assignments Colecbor Configuration Ej Intel AMT Garteng Started E C Sector 1 Provisioning z Bane Prvssanna Qwifhiout TLS d Step L Configure DS Sh Step 2 Decover Capsb bes D Siep 3 View Intel AMT Capable Computers af mega Create Profis gf sten 5 Generate Security Keys e Step 6 Configure Autpmabc Profe Assignment 4 Step 7 Monitor Provisioning Process Mj Sten 8 Monitor Profle Assignments Enable Security TES ii Secton 2 Intel AMT Tasks amp O Reports Tasks L unrtal ster frip lom RR isi Ew Arminia E E FODN UUID Profile Name iL Favorites My Fa irte By UUI f By FGQDN By Profile dala 3 E wy Peo J Ordar iy uui direction Ascending Oy AD Ou AP2. Resolved ProvissonServer IP 192 168 20 10 Resolved Intel SES IP 192 168 20 10 Intel AMT Devices Ensure that the DNS is configured with the Fully Qualified Domain Names FQDN of the Intel AMT enabled machines that are being configured Intel AMT devices must be configured to have the same FOON as the host OS This stems from the fact the Intel AMT device is not a secure DNS client and it relies on the host OS to maintain the DNS record For this reason the Intak amp AMT device snoops the DHCP requests and responses issued by tha host OS Tha Intel AMT device then uses the IP provided by the DHCP to the host DS as its own When the host OS is down the Intek AMT device requests DNS registration of its Configured FQON from the DHCP option 81 This works only if the DNS and DHCP are D Siep 3 View Intel AMT Capable Computers Step 4 Create Profs i Stes 5 Generate Security Keys Step amp Configure Automatic Prose Assignments Siep 7 Monitor Provisioning Process d Sten 8 Monitor Profle Assignments B O Enable Security TL5 B C Section 2 Inteldh AMT Tasks amp O Reports E D Tasks 12 Verify that the setting is Enabled If Disabled select the check box next to Disabled and click Apply Altiris Domsole 6 5 Iu cata E Bibei repro oca TNUDRONAdeninieE EG 3 Qut of Band Management Hs EM alert Standard Foret Getting Started i 7 Colecbons E 7 C
3. PKI DNS Suffix Manage Hashes Previous Menu There were no hashes detected in the system Do you want to add a hash N may cause Intel R AMT partial unprovision Answering Yes will begin the process of adding customized hash The Manage Certificate Hash screen provides keyboard controls for managing the hashes on the system The following keys are valid when in the Manage Certificate Hash menu Escape Exits from the menu Insert Adds a customized certificate hash to the system Deletes the currently selected certificate hash from the system Changes the active state of the currently selected certificate hash Enter Displays the details of the currently selected certificate hash Adding Customized Hash tS When the Insert key is pressed in the Manage Certificate Hash screen the following screen is displayed Intel R Management Engine BIUS Extension v7 H H HH43 InteltR HE v7 H H 1H8Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I Remote Configuration PKI UNS Suffix Manage Hashes Previous Menu Enter Hash Mame ESC Exit ENTER Submit To add a customized certificate hash Type the hash name up to 32 characters When you press lt Enter gt you are prompted to select the algorithm of hash being used for PKI provisioning Type Y if SHA1 is being used otherwise e
4. IDER KUM User Consent Password Policy Network Setup Remote setup And Configuration Previous Menu ESC Exit t Select ENTER Access Full Unprovision Partial Unprovision The IPv6 Interface ID is automatically generated using a random number as described in RFC 3041 This is the default Full unprovision will unprovision AMT and remove all the PI D PPS Full Unprovision information or any new certificate information populated The IPv6 Interface ID is automatically generated using the MAC address Partial Unprovision Partial Unprovisoin will unprovision AMT but will retain PI D PPD information entered or any new certification information entered Unprovisioning in progress SICH Management Engine BIUS Extension v H H HHd3 InteltR ME v 1I Lopu ight 1 ULL ERES Intel Li rpc jb luo Dll its Reserve INTELCR AMT CONFIGURATION Manageability Feature Selection SOL IDER KUM User Consent Password Policy Network Setup Remote Setup And Configuration Previous Menu Full Unprovision Partial Unprovision gt _ A m JR e p al gu E 2 E Pj c PA A 1 l y T I na An r r f peu a ry ii li r em 7 I rk eme j aee oe I emm a 1 EI remm A Q if i T Va tes W Wes Un V IND Ce x Chas Wu B a Vg UA E Ce Ge WI 3l Under the Intel AMT Configuration select Remote Setup and Configuration and press Enter The Intel Auto
5. Step 6 Configure automatic Profle assignments Siep 7 Monitor Provisioning Process M 5180 8 Monitor Profle Assignments it Ene Security TL5 E 2 Section 2 Intel AMT Tasks O Reports amp D Tasks a E E LN p3 OLD FADN Status Provision Dale Version Protile E caen veria m eo Recordsi a CANTERA z By profile By o rem ELI zm mis mei 19 27 2006 12 00 00 AM m My Favorites nama Bh Altis Console Home Grder by vuit rm direction Ascending x BO PT TIE R Select Step 8 Monitor Profile Assignments Infrowsioning defoult_ gt F Altiris Console 5 5 Windows Internet Explorer dy de Z9 Akiris Console 6 5 AE page too Sr altiris console i o Home View Hanage Tools Reports Configure Help gt EJ Art Standard Format Getting Started Intel AMT Syste ms Colecbor Configuration 3 Intel AMT Getang Started El C Section 1 Provisioning E Bae Prenseoning Without TLS d Step L Configure DS Sh Step 2 Discover Cepab tes D Siep 3 View Intel AMT Capable Computers af mega Create Profis gf sten 5 Generate Security Keys e Step 6 Configure Automatt Profe Assignment We Sep 7 Monitor Provisioning Process ih Step 3 Monitor Profie Assignments O Enase Security TL B D Section 2 miam AMT Tasks ghirinBhicx Fr prn Incg TE Armi mig Ere D FQDN Status Provision Oale Yersion Frotile LI
6. Colectons B O Configuration B 3 intel AMT Geteng Started B Section 1 Provisiening i I Base Provsioning without TLS i Step L Configure OS Hh Step 2 Oecover Canshlites D Siep 3 Vaew Intel AMT Capable Computers aT iep 4 Create Profs g Step 5 Generate Security Keys el Step amp Configure Automate Profie Assignments d 2180 8 Monitor Profle Assignments i O Ense Security 1 5 amp C Section 2 Intel AMT Tasks i Jj Reports B G Tasks Favorites E Favorites _ Apply tance f n b ABD Internet AIDS m e 38 The computers for which the keys were applied are updated in the system list At first the status is Unprovisioned then the system status changes to In provisioning and finally it changes to Provisioned at the end of the process 39 p Altiris Console B 5 Winders Internet Explorer KS coo E hitestteltrisbos trepro localjaristCorsole Del aut aspxtCoreoleGuide St aaGb67 250b 422d 1 Bi Fez Ge TO TB ident wx de Z9 Akvis Console 6 5 c altiris console Home Vew Hanage Tools Reports Configure Help A vt f NS MEE ls S Mirada oe Ge E Gi E3 alert Standard Format Getting Started Intel AMT S amp C Colectens em amp D Configuration E E Intel AMT Gateng Started im LI Base Prisong iSu TLS e Step L Configure De Bh Step 2 Discover Capsniites Di Step 3 view Intel AMT Capable Computers af meg 4 Create Prose gf sten 5 Generate Security Keys
7. Lm p B lin Ww a EE el o Ln LE Ta An eret Se LGR o 16 Click the plus symbol to add a new profile 17 Vf Altiris Console 65 IIS nternet Explorer ge T Pe i cn T CUP dA Zakri Console 6 5 H E o Bec too d altiris console ghirisbox Fr prn Inca TRUTH DUAE mi mitra ee WU Home View Hanage Tools Reports Configure Help gt 3 E3 Cut of Banc Management Ole 4 Alert Standard Foret Gering Started Manage Profiles Colecbons Configuration Ej IntelX AMT Gerteng Started E C Sector 1 Provisioning i Beet Prasanna without TLS i Step L Configure Dec E Step 2 Denove Capab tes D Siep 3 View Intel AMT Capable Computers af mega Create Profs M Step 5 Generate Security Keys e Step 6 Configure Autpmabe Profe Assoenments e Step 7 Monitor Provisioning Process a 5160 8 Monitor Profis Assignments B Lj Ehe Security TL5 ai Section 2 Intel AMT Tasks amp O Reports B 73 Tasks em Profile ID Profile Name Devices Description iL Favorites w My Panvoritees AP Ars Consola Hore Done LIT TT TF De aene Aili 2 s On the General tab the administrator can modify the profile name and description along with the password The administrator sets a standard password for easy maintenance in the future Select the manual radio button and type a new password Altiris Console Webpage Dialog Configure Intel AMT Setup amp Configuration Service Profil
8. Previous Menu ESC Exit T Select ENTER 1 ficcess Dedicated x Shared This setting determines whether the Intel ME Fully Qualified Domain Name FQDN HostName DomainName is shared with the host and identical to the operating system machine name or dedicated to the Intel ME Description The FQDN domain name is dedicated to ME The FQDN domain name is shared with the Host A Awun amir DA i C lind ata 4 D ynamic D NS Update a Under the Intel ME Network Name Settings select Dynamic DNS Update and press lt Enter gt 34 d Ti L E l L R M J Wr F 7 E a a a E pu FA 245 288 2 Ma nad eme Tn ct R1 igine D OS Extension v H H HH Copyright C 2003 09 Intel Corporation All Rights Reserved INTEL R ME NETWORK NAME SETTINGS Host Name Domain Name Shared Dedicated FODM Previous Menu If Dynamic DNS Update is enabled then the firmware will actively try to register its IP addresses and FQDN in DNS using the Dynamic DNS Update protocol If DDNS Update is disabled then the firmware will not make an attempt to update DNS using DHCP option 81 or Dynamic DNS update If the DDNS Update state Enabled or Disabled is not configured by the user then the firmware will assume its old implementation where the firmware used DHCP option 81 for DNS registration but did not directly update DNS using the DDNS update protocol For selecting Enabled for Dynamic DNS Up
9. for the ME The FQDN is the combination of the host name and domain example nttp host name 16992 Or http system1 16992 The management computer makes a TCP connection to the Intel AMT capable computer and accesses the top level Intel AMT embedded Web page within the Management Engine of the Intel AMT capable computer Type the username and password The default username is admin and the password is what was set during Intel AMT setup in the MEBx Review the computer information and make any necessary changes L NOTE You can change the MEBx password for the remote computer in the WebUI Changing the password in the WebUI or a remote console results in two passwords The new password known as the remote MEBx password only works remotely with the WebUI or remote console The local MEBx password used to locally access the MEBx is not changed You have to remember both the local and remote MEBx passwords to access the computer MEBx locally and remotely When the MEBx password is initially set in Intel AMT setup the password serves as both the local and remote password If the remote password is changed then the passwords are out of sync Select Exit AMT Redirection Overview Intel AMT makes it possible to redirect serial and IDE communications from a managed client to a management console regardless of the boot and power state of the managed client The client need only have the Intel AMT capability a connection to a pow
10. 5KB Fiom aeisbox trvpro ocal m hie fles mom the Interred can be useful zome les can potentiale g ham sou computer IF you do not trust the source do mot find a Mas the risk peogiam to open this fie or tarve this ie b Verify that the Save in location is directed to the USB device Click Save Downlad complete n mp rU eR RIPE py e rca m 30 The setup bin file is now visible in the drive explorer window 31 32 33 ee ipi xi Ele Edt Wew Forbes Took Help Fid T seach gt Folders i er EJ Sre Type Date Meefied Attributes File and Folder Tasks gt mugs Z amp kB BIN Pile amp J27 2007 Liz AM A Other Places T Details A Removable Disk E Removable Disk Fike Sysbem FAT Close the Export Security Keys to USB Key and drive explorer windows to return to the Altiris Console Insert the USB device and turn on the computer The USB device is recognized immediately and you are prompted to Continue with Auto Provisioning Y N Press Y Intel R Management Engine BIOS Extension Copyright C 2643 67 Intel Corporation All Rights Reserved Found USB Key for provisioning Intel R AMT Continue with Auto Provisioning Y N Press any key to continue with system boot Intel R Management Engine BIOS Extension Copyright l ZHM3 M Intel Corporation HII Rights Reserved Found USB Key for provisioning Intel R AMT Continue with Auto Provisioning Y N Intel R A
11. Alis Consola Home bm o E e XI s Once the computers are provisioned they are visible under the Collections folder in All configured I ntel AMT computers Altiris Console 56 5 Windows Internat t Eupeore F THY PPA Umi iL rat tor E a E Ej Alert Standard Format Getting Started E 7 Collections D sisrondzom ASF capable computers Gi Al configured intel AMT computers D Al Intel AMT capable computers v This collection has no members B E Provisioning BB 71 Configuration B E3 Intel E AMT Getting Started amp D Reports i J Tasks AN I Configured Intel AMT Computers ubar in this collection ara configured Intel AMT computers di 7 11 2007 11 37 16 AM zi E C TI P LR m HERD nmAAPS T T Ts ae S System Deployment Once you are ready to deploy a computer to a user plug the computer into a power source and connect it to the network Use the integrated Intel 82566DM Network Interface Card NIC Intel Active Management Technology Intel AMT does not work with any other NIC solution When the computer is turned on the computer immediately looks for a Setup and Configuration Server SCS If the computer finds this server the Intel AMT capable computer sends a Hello message to the server K NOTE User must first activate network access either via MEBx or using Intel Activator DHCP and DNS must be available for the setup and configuration server search to automatically suc
12. H8 Intel Corporatio ALL Rights Reserve HIRELESS LAN IPV6 CONF IGURATIONI IPUB Interface ID Type Previous Menu a 8E Fm lm nadie an d rU y LJ X I nFarfar r a 1 Ung Under the Wired LAN IPv6 Configuration select I Pv6 Interface I D Type and press Enter The auto configured IPv6 address consists of two parts e Pv6 Prefix set by the IPv6 router e Interface ID 64 bits each Random ID The IPv6 Interface ID is automatically generated using a random number as described in RFC 3041 This is the default option The IPv6 Interface ID is automatically generated using the MAC address Manual 1D The IPv6 Interface ID is configured manually Selecting this type requires that the Manual Interface ID is set with a valid value Intel R Management Engine BIUS Extension v 7 H H HHd43 InteltR HE v7 H H 1H8Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I IPYB Feature Selection IPUB Interface ID Type Previous Menu ESC Exit T Select ENTER Access x Random ID oe oe a ID Manual ID To select Manual ID Select Manual ID Press Enter A new option of IPV6 Interface ID will be displayed below IPV6 Interface ID Type Select IPV6 Interface ID Press Enter Type the preferred Manual ID IntelCR Management Engine BIOS Extension v7 H H HHS51 InteltR ME v7 H H 114Bb Copyright C ZHH3 H8 Intel Corporation All Rights Reserved I I
13. LI Base Provoning wiu TLS e Step L Configure DS Sh Step 2 Discover Capabilities D Siep 3 View Intel AMT Capable Computers AT Sen 4 Create Profile Step 5 Generate Security Keys e Step 6 Configure Autpmabe Profe Assignment e Step 7 Monitor Provisioning Process M 5180 8 Monitor Profle Assignments Enable Security TL5 ie Section 2 Intel AMT Tasks O Reports Tasks Profile ID Profile Name Jet cp s Description default 3 Default profile Aca itolsofi Page 1 ofi Rond per pace fan Be OFEFTFTT TM XIX Select the icon with the arrow pointing out to Export Security Keys to USB Key F Altiris Console 5 5 Windows Internet Explorer lt r altiris console Ty sf fo Gti Home View Manage Tools Reports Configure Help gt 4 s aed ge WHEN amp B E Out of Bard Management Ex HIE EIE a E Mert Standerd Format Getting started Manage Security Keys Codechors E Configuration B 3 Intel AMT Gating Started E C Sector 1 Provisioning i LI Base Prisong without TLS d Step L Configure DS Sh Step 2 Decover Capsb bes D Siep 3 View Intel AMT Capable Computers af 5162 4 Create ProSie i Step 5 Generate Security Keys e Step 6 Configure Autpmabc Profe Assignment e Step 7 Monitor Provisioning Process i 5180 8 Monitor Profis Assignments Eran Security TLS E O Secten 2 Intel AMT Tasks E O Reports Tasks r ox Liv Shores F 3 hiep altiris bax traro Joc al ar
14. a random number as described in RFC 3041 This is the default option The IPv6 Interface ID is automatically generated using the MAC address The IPv6 Interface ID is configured manually Selecting this type requires that the Manual Interface ID is set with a valid value Engine BIUS Extension v7 H H BHHd3 IntelCH ME v7 H H 18B88Z Inte Co pore tion Al HIRED LAN IPUB CONFIGURATION IPUB Feature Selection IPUB Address IPYB Default Router Preferred DMS IPY6 Address Alternate DMS IPUBE Address Previous Menu Intel ID L Manual ID To select Manual ID Select Manual ID Press Enter A new option of IPV6 Interface ID will be displayed below IPV6 Interface ID Type Select IPV6 Interface ID Press Enter Enter preferred Manual ID Ui BWN H Intel R Management Engine BIOS Extension v7 H H HHS5Z InteltR ME v7 H H 114Bb Copyright C ZHH3 H8 Intel Corporation All Rights Reserved I IPUB Feature Selection IPUEbE Interface ID Type IPUB Interface ID IPUB Address IPUB Default Router Preferred UWS IPUB Address Alternate UWS IPUB Address Previous Menu Interface ID ESC J Exit ENTER Submit 3 IPv6 Address Under the Wired LAN IPv6 Configuration select IPv6 Address and press Enter Type the IPv6 Address and press Enter Intel R Management Engine BIOS Extension v 7 H H HH43 InteltR ME v7 H H 1H83Z Copyright C ZBH3 H8 Intel Corporation All Ri
15. and dosmlsad USE bey Mle Peat caniegure setings 4nd click caniarats lila and than fick Dawnload USS hey fe Placa Bennloadad Sa Ex the USE Storage Device Avadable Ho data exported yet ate 28 Insert the previously formatted USB device into a USB connector on the ProvisioningServer 29 Click the Download USB key file link to download setup bin file to the USB device The USB device is recognized by default save the file to the USB device NOTE If additional keys are needed in the future the USB device must be reformatted before saving the setup bin file to it Ig Altiris L console Me Webpage Dialog pg Petps fakirisbox trp cae sos SOT ESET Export Security Keys to USB Key 4 altiris C AN C Only selected amp Generate keys before export Humber of security keys to generate sa Factory Default Intel Management Engine Password Intel ME Password admin SCIEN Management Engine Password it pazrenrd ip either uphasaeded from USS bey or typed in manually into the Managernani Engine BIOE Exten Hee HT Intel ME Password Dell123 To cuente and dcwnlcad UED key fle Put canbgurg settings and click Generate Ale and ten T E dick Download USA key Mim Place downloaded fle tp the USE 5 borage Devirm erate cose EF Available a Click Save on the File Download dialog box SIT i x Du vou cet o xav Ue De CHO at lar onn o op Ej Mame saup bin Topa Unknown Fie Type 25
16. last option titled I ntel Fast Call for Help e From Windows l Launch the Intel AMT privacy icon application I ntel Management Security Status 2 Switch to the I ntel AMT tab 3 In the Remote Connectivity box click Connect ME General Settings The table below lists the default settings for the Intel Management Engine BIOS Extension MEBx on general settings page Password Change Intel ME Password SET PRTC Power Control Power Control Mobile ON is SO Intel ME ON in Host Sleep Mobile ON is SO ME Wake in S3 S4 5 AC only Default setting May cause Intel AMT partial unprovision l Intel ME Platform State Control is only changed for Management Engine ME troubleshooting 2 Un provision setting only seen if the box is provisioned AMT Configuration The table below lists the default settings for the Intel Management Engine BIOS Extension MEBx on AMT configuration page Manageability Feature Selection SOL IDER Legacy Redirection Mode Disabled KVM Enabled None User Opt in KVM All l Disable Remote Control of KVM Opt In Policy OP EOR OA E EEE Enable Remote Control of KVM Opt In Policy L NOTE In order for KVM to work the requirement must be an Intel i3 i5 i7 Celeron Pentium CPU Password Policy Default Password Only Password Policy During Setup and Configuration Anytime Network Setup Network Name Settings l Dedicated I x Dynamic DNS Update EEN TCP IP
17. v 7 H H HH43 InteltR ME v7 H H 1H8Z Copyright C ZHBH3 H8 Intel Corporation All Rights Reserved I Intel R ME Network Mame Settings F TCP IP Settings Previous Menu ESC Exit t Select ENTER Access 1 Host Name Under the Intel ME Network Name Settings select Host Name and press lt Enter gt A host name can be assigned to the Intel AMT machine This will be the hostname of the Intel AMT enabled system Intel R Management Engine BIOS Extension v 7 H H HH43 InteltR ME v7 H H 1H83Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I Domain Name Shared Dedicated FODN Dynamic DNS Update Previnus Menu Conputer Host Mame ESC I Exit ENTER Submit 2 Domain Name Under the Intel ME Network Name Settings select Domain Name and press Enter A domain name can be assigned to the Intel AMT machine Intel R Management Engine BIOS Extension v 7 H H HBHB43 InteltR ME v7 H H 1H8Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I Host Name Shared Dedicated FODN Dynamic DNS Update Previous Menu Conputer Domain nane ESC Exit ENTER Submit 3 Shared Dedicated FQDN Under the Intel ME Network Name Settings select Shared Dedicated FQDN and press lt Enter gt Intel R Management Engine BIOS Extension v 7 H H HHd43 InteltR ME v7 H H 1H83Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I Host Name Domain Name Shared Dedicated FOUN Dynamic DNS Update
18. 43 Intelth yright C 2663 869 Intel Corporat ior 1 Rights USER CONSENT CONFIGURATION User Opt in Previous Menu Enable Remote Control of KUM Opt In Policy Description Disables the remote user s ability to select User OPT IN Policy In this case only the local user can control the opt in policy Enables remote user s ability to select User OPT IN Policy EE n A gt a EE n mm tA LL Ll Previous vien B i Ss Y f b 4 ul e j a ENa E S Under the User Consent Configuration page select Previous Menu and press lt Enter gt The Intel AMT Configuration page appears me m E ga gm Fm mu pc Bum I paw p P AG G B 4 OLE CW WE m aw WI rd wil ww B B Gs y Under the Intel AMT Configuration page select Password Policy and press Enter This option determines when the user is allowed to change the Intel MEBx password through the network e here are two passwords for the firmware e he Intel MEBx password is the password that is entered when a user is physically at the system e he network password is the password that is entered when accessing an Intel ME enabled system through the network NOTE By default they are both the same until the network password is changed via the network Once changed over the network the network password will always be kept separate from the local Intel MEBx password This option determines when the user is allowed to change the
19. E Platform Configuration menu select Power Control and press lt Enter gt The Intel Power Control page appears L A n YT 400 I n KL r 8 8 BBS AM NM oA H i n MEUM oo Leos nteltik Management Engine Bil EXxte Copyright C 2683 89 Intel All Rig INTEL R ME EUN DEM Mes aua LI POHER CONTROL Idle Timeout Previous Menu To comply with ENERGY STAR and EUP LOT6 requirements the Intel ME can be turned off in various sleep states The Intel ME Power Control menu configures the Intel ME platform power related policies CM 1 E B m mmm ge m BE em j HE i _ aes E ATA VI i Tea LI ACF QLlaan WwT Tac i es Vill a p IN i i EEE B H gt i F PD 33 4 1 a qt I BB Ga Ques ad i ike Ws B uU EN Eww wit I uw UGCA amp eos aw Under the Intel ME Power Control menu select Intel ME ON in Host Sleep States and press lt Enter gt Move the Up Down arrow key to select the desired power policy and press lt Enter gt Intel R Management Engine BIOS Extension v H H HHd3 InteltR ME v 7 H H 1H8Z opyright C 2663 89 Intel Corporation All Rights Reserved INTELCR ME POWER CONTROL Idle Timeout Previous Menu x Mobile OM in SH ME Wake in 53 54 5 CAC only The end user administrator can select the desired power package to use depending on the system usage With Intel ME WoL after the time out timer expires the Intel M
20. E remains in the M off state until a command is sent to the ME After this command has been sent the Intel ME will transition to an MO or M3 state and will respond to the next command that is sent A ping to the Intel ME will also cause the Intel ME to go into an MO or M3 state The Intel ME takes a short time to transition from the M off state to the MO or M3 state During this time Intel AMT will not respond to any Intel ME commands When the Intel ME has reached the MO or M3 state the system will respond to Intel ME commands The following table illustrates the details of the power packages Power Package NOTE E Changing a system into the provisioning state will automatically switch to Power Package 2 This can later be changed through WebUI the management console or MEBx Under the Intel ME Power Control menu select I dle Time Out and press Enter Intel R Management Engine BIOS Extension v7 H H HE ntel R HE 4 4 14 Copuright C 2643 89 Intel Corporat ior All Righ Reserved INHTELCRH HE POWER CONTROL Intel R ME OM in Host Sleep States Previous Menu Timeout Value 1 65535 ESI ix it INTER 5ubmii i This setting is used to set time out value as to define the Intel ME idle timeout in M3 state The value should be entered in minutes The value indicates the amount of time that the Intel ME is allowed remain idle in M3 before transitioning to the M off state NOTE If the In
21. Hash Algorithm ESC I Exit ENTER 1 Submit After selecting desired Hash Algorithm you are prompted to type the certificate hash value Intel R Management Engine BIUS Extension v 7 H H HH43 InteltR HE v7 H H 1H8Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I Remote Configuration PKI UNS Suffix Manage Hashes Previous Menu Enter Certificate e g ABCD 1234 ABCD 1234 ABCD 12434 ABCD 1234 ABCD 1254 ESC I Exit ENTER Submit The Certificate hash value is a hexadecimal number for SHA 1 it is 20 bytes for SHA 2 it is 32 bytes If the value is not entered in the correct format the message Invalid Hash Certificate Entered Try Again is displayed When you press lt Enter gt you are prompted to set the active state of the hash Intel R Management Engine BIOS Extension v 7 H H HBH43 InteltR HE v7 H H 1H83Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I Remote Configuration PKI UNS Suffix Manage Hashes Previous Menu Set this hash certificate as active Y N ESC Exit ENTER 1 Submit Your response sets the active state of the customized hash as follows e Yes The customized hash will be marked as active e No Default The customized hash will add to the EPS but will not be active Deleting a Hash When the Delete is pressed in the Manage Certificate Hash screen the following screen is displayed 4 NOTE A certificate hash that is set to Default cannot be deleted
22. IVUuUS a ha Sal Under the Intel TLS PSK Configuration menu select Previous Menu and press Enter The Intel Automated Setup and Configuration page appears Under the Intel Automated Setup and Configuration menu select TLS PKI and press Enter The Intel Remote Configuration page appears m m gm ga g LP AA fry ies E a Fo B9 T Tal BENE a mm fr Remote Cont iquration Under the Intel Remote Configuration menu select Remote Configuration and press lt Enter gt Enabling Disabling Remote configuration will cause a partial un provision if the setup and configuration server is In process Option eseription Disabled Remote configuration is disabled Only Remote Configuration and Previous Menu items are visible To disable select this option and press Enter Remote configuration is enabled this will show additional fields To enable select this option Enabled and press Intel R Management Engine BIOS Extension v 7 H H HHd43 InteltR ME v7 H H 1H8Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I Remote Configuration PKI DNS Suffix Manage Hashes Previous Menu ESC Exit T Select ENTER Access xx may cause Intel R AMT partial unprovision PKI DNS Suffix Under the Intel Remote Configuration menu select PKI DNS Suffix and press Enter Type the PKI DNS Suffix and press Enter Key Value will be maintained in the EPS Intel R M
23. Intel Active Management Technology v7 0 Administrator s Guide Overview Management Product Overview Intel AMT Web GUI Out of Box Experience Operational Modes Setup and Configuration Overview e i AMT Redirection SOL I DE R AMT Redirection Overvi Menus and Defaults AMI Redirection Overview MEBx Settings Overview ME General Settings I ntel Management and AMT Configuration Security Status Application Intel Fast Call for Help Intel Management and Security Status MEBx Defaults Application ME General Settings AMT Configuration Troubleshooting Setup and Configuration Troubleshootin Methods Overview Configuration Service Using a USB Device Configuration Service USB Device Procedure System Deployment Operating System Drivers If you purchased a DELL n Series computer any references in this document to Microsoft Windows operating systems are not applicable Information in this document is subject to change without notice 2011 Dell Inc All rights reserved Reproduction of these materials in any manner whatsoever without the written permission of Dell Inc is strictly forbidden Trademarks used in this text Dell the DELL logo Dell Precision Precision ON ExpressCharge Latitude Latitude ON OptiPlex Vostro and Wi Fi Catcher are trademarks of Dell Inc Intel Pentium Xeon Core Atom Centrino and Celeron are registered trademarks or trademarks of Intel Corporation in the U S an
24. Intel MEBx password through the network ITE The Intel MEBx password can be changed via the Intel MEBx user interface ntel R Management Engine BIOS Ger ension v H H Hi i43 Intel R HE v7 H B8H 1892 Copuright C ZBH3 H8 3 Corporation 111 Rights Reserved INTEL R AMT CONFIGURATION Manageability Feature Selection SOL IDER KUM User Consent Network Setup Unconf igure Network Access Remote Setup And Configuration Previous Menu During Setup And Configuration Anytime The options are Description Default Password Only The Intel MEBx password can be changed through the network interface if the default password has not been changed During Setup The Intel MEBx password can be changed through the network interface during the setup and configuration process but at no other time Once the setup and configuration process is complete the Configuration ntel MEBx password cannot be changed via the network interface The Intel MEBx password can be changed through the network interface at any time gen Ji Network Setup un m WE g Under the Intel ME Platform Configuration menu select Network Setup and press lt Enter gt The Intel ME Network Setup page appears Network Name Se D E e D O V Under the Intel ME Network Name Settings select I ntel ME Network Name Settings and press Enter Intel R Management Engine BIOS Extension
25. Intel R Management Engine BIUS Extension v 7 H H HH43 InteltR ME v7 H H 1H8Z Copyright C ZHBH3 H8 Intel Corporation All Rights Reserved I Remote Configuration PKI UNS Suffix Manage Hashes Previous Menu Hash Name Active Default Algorithm Type GTE CyberTrust Global Root 3 3HR1 Baltimore CyberTrust Root EJ x 3HR1 Delete this certificate hash Y N PAE Lab Certificate LESCI Exit INS 1 Add DEL De1 Active ENTER 1 Uieu This option allows deleting of the selected certificate hash e Yes Intel MEBx sends the firmware a message to delete the selected hash e No Intel MEBx does not delete the selected hash and returns to Remote Configuration gm i Tw sega BN n AL C BL oe d a g A r g21Ndmd AGA ACTIJGO arara b id I Q I G ti iS FAX Cl Vo LALE E d When the is pressed in the Manage Certificate Hashes screen the following screen is displayed as seen in the following screen LIHTELCR REMOTE CONFIGURATION Remote Configuration PEI DNS Suffix Manage Hashes Previous Menu Hash Mame Default Algorithm Type GTE CyberTrust Global Foot SHAL Baltimore CyberTrust Hoot L SHALL PAE Lab Certificate SHA Answering Y toggles the active state of the currently selected certificate hash Setting a hash as active indicates that the hash is available for use during PSK provisioning Viewing a Certificate Hash When lt Enter gt is pressed in the Manage Certificate Ha
26. L IDERZ KUM User Consent Password Policy Network Setup Activate Network ficcess Unconfigure Network ccess Remote Setup And Configuration Previous Menu L NOTE Power policy will change to PP2 after activating if the default power policy is set to PP1 i li P T m E a A Em 2 gF gt 1a Y E p 1 meal 8 E RUN D a y f A a df PE V 4 j A A ge ER Sim 8 qu ex u S q l I J a l uu i NI Wie BE AY a Gun i LN WP BRE WWAR RR NB WO RR Wes BW es S WW WP RB RS PASO es D Bai Under the Intel ME Platform Configuration menu select Unconfigure Network Access and press Enter oe vr us IN ILE This will cause Intel ME to transition to the PRE provisioning state Select Y to unconfigure Intel R Management Engine BIOS Extension v7 H H HHd43 InteltR HE v7 H H 1H8Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I Manageability Feature Selection SOL IDER KUM User Consent Password Policy Network Setup Unconfigure Network Access Remote setup And Configuration Previous Menu ESC Exit t Select ENTER Access Resets network settings including network ACLs to factory defaults Continue Y N Select Full Unprovisioning and press Enter Intel R Management Engine BIUS Extension v 7 H H HHd43 InteltR HE v7 H H 1H8Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I Manageability Feature Selection SOL
27. L IDER Legacy Redirection Mode KUM Previous Menu Copyright C This option provides the user authentication for SOL IDER session If Kerberos is used this option should be set to DISABLED The user authentication is handled through Kerberos If Kerberos is not used the IT administrator has the choice to enable or disable user authentication on SOL IDER session Option Description Enabled Username and Password is enabled Disabled Username and Password is disabled gma fr j CAO E g uw u Under the SOL IDER page select SOL and press Enter ntel R Management Engine BIOS Extension v7 B8 8 B8B843 InteltR Copuright C 2643 89 Intel Corporat ior All Rights SOLZ IDER EVUM Username and Password IDER Legacy Redirection Mode KUM Previous Menu SOL allows the console input output of an Intel AMT managed client to be redirected to a management server console if the client system supports SOL If the system does not support SOL this value cannot enable it Enabled SOL is enabled SOL is disabled 4 NOTE Disabling SOL does not remove this feature but prevents it from being used Under the SOL IDER page select I DER and press Enter Intel R Management Engine BIOS Extension v 7 4 40 0643 Intel R ME v 8 8 1892 ME Copuright C 2643 89 Intel Corporat ior SOL IDER KUH Username and Pas
28. MT Provisioning complete Press any key to continue with system boot Intel R Management Engine BIOS Extension Lopyright l 083 87 Intel Corporation HII Rights Reserved Found USB Key for provisioning Intel R AMT Continue with Auto Provisioning Y N Intel R AMT Provisioning complete Press any key to continue with system boot ME BIOS Sync Successful 34 Once complete turn off the computer and move back to the management server 35 Select Step 6 Configure Automatic Profile Assignments F Altiris Console 6 5 Windows Internet Explorer Jost 89 hitplfeltirisbostrepra localfAirie Console Defaut asp consaleGuide S aaDb67 2506 42 d 8186 Fe2f4QaQe 7076New ida E CUP be AbWis Console 6 5 i altiris console Home View Hanage Tools Reports Configure Help TI epe re ats Qut of Band Management MI Metomnen Forme GE Red Manage Security Keys iecit Configuration Ej Intel AMT Garteng Started E T Sect 1 Provisioning m Beet Prasanna witout TLS e Seo L Configure Dies Sh Step 2 Decover Capsblites D Siep 3 vien Intel AMT Capable Computers af 5162 4 Create ProSie M Step 5 Generate Security Keys Step 6 Configure Automatic Profile Assigements e Step 7 Monitor Provisioning Process M 5180 8 Monitor Profle Assignments Ena Security TLS ai Section 2 Intel AMT Tasks LU i amp g E KR zm IPPS Factory Default Password New Password R
29. PUB Feature Selection IPUE Interface ID Type IPYB Interface ID Previous Menu Interface ID ESC J Exit ENTER Submit 3 Previous Menu Under the Wireless LAN IPv6 Configuration select Previous Menu and press Enter The TCP IP Settings menu appears Dravinec Mani Previous Menu Under the TCP IP Setting menu select Previous Menu and press lt Enter gt The Intel ME Network Setup menu appears p oe mm A gH g pm Vv Fate us Menu b l mau L e Gass E WE Under the Intel ME Network Setup menu select Previous Menu and press Enter The AMT Configuration menu appears A uA u summ din A m TOES ps am u aN 4 I i pum Him m US Im m j 1 um gm Io ZR 2 TAN l p 1 N g 7 b N 75 Y y A g e sl Vd a 1 a a x ae M a gm ig g E WW E E ba quem um um rAN GEV ca T ar T C CVV VIn ALTU wu Under the Intel AMT Configuration page select Activate Network Access and press Enter Press Y to activate or press N to cancel Activate Network Access causes the Intel ME to transition to the POST provisioning state if all required settings are configured Without Activating Network Access ME will not be able to connect to the network ite lCR Management Engine BIUS Extension v H 40 HH45 Intel R ME v H 8 1k D DU i 3 H ntel Corporation All Rights Rese LINTELCR AMT CONFIGURATION SO
30. Provisioning Mode Provisioning Record RCFG d Provisioning server IPU4 IPUE Provisioning Server FODMN TLS PSE a IL5 PKI b Previous Menu If the data is entered the Provision record will display as below Description TLS provisioning mode Displays the current configuration mode of the system None PSK or PKI Provisioning IP The IP address of the setup and configuration server Date of JT l Proven Displays the date and time of the provisioning in the format MM DD YYYY at HH MM Indicates whether the PKI DNS Suffix was configured in Intel MEBx before remote configuration took place or not A value of O indicates that the DNS Suffix was not configured and the firmware will rely on DHCP option 15 and compare this suffix to the FQDN in the Configuration Server s client certificate A value of 1 indicates that the DNS Suffix was configured and the firmware matched it against the DNS Suffix in the Configuration Server s client certificate Host Initiated Indicates whether the setup and configuration process was initiated by the host No indicates that the setup and configuration process was NOT host initiated Yes indicates the setup and configuration process was host initiated PKI only Hash Data Displays the 40 character certificate hash data PKI only Hash Algorithm Describes the hash type Currently only SHA1 is supported PKI only Displays Yes if the Hash algorithm is the default algorithm s
31. Pv6 addresses 1 One link local auto configured address 2 Three auto configured global addresses 3 One DHCPv6 configured address 4 One statically configured IPv6 address Under the Wired LAN IPv6 Configuration select I Pv6 Feature Selection and press Enter DI SABLED select Disabled and press Enter IPv6 Feature Selection disabled Intel R Management Engine BIOS Extension v 7 H H HH43 InteltR ME v7 H H 1H8Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I IPUB Feature Selection Previous Menu ESC Exit T Select ENTER 1 ficcess x Disabled Enabled ENABLED select Enabled and press Enter I Pv6 Feature Selection enabled as more configuration allowed Intel R Management Engine BIUS Extension v 7 H H HBH43 InteltR ME v7 H H 1H8Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved IPUB Feature Selection IPUBb Interface ID Type IPUB Address IPYB Default Router Preferred DMS IPY6 Address Alternate DMS IPY6 Address Previous Menu ESC Exit t Select ENTER Access Disabled Enabled 2 IPv6 Interface ID Type Under the Wired LAN IPv6 Configuration select I Pv6 I nterface I D Type and press Enter The auto configured IPv6 address consists of two parts the IPv6 Prefix set by the IPv6 router is the first and the interface ID is following part 64 bits each Random TD The IPv6 Interface ID is automatically generated using
32. QDN of the provisioning server and press lt Enter gt Intel R Management Engine BIUS Extension v7 H H HH43 InteltR HE v7 H H 1H8Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I Current Provisioning Mode Provisioning Record RCFG b Provisioning Server MIC PEUT TLS PSK d TLS PKI b Previous Menu Enter FOUN of provisioning server ESC I Exit ENTER 1 Submit FQDN of the provisioning server mentioned in the certificate PKI only This is also the FQDN of the server that AMT sends hello packets to for both PSK and PKI g mu ET ILS PSK E Emu B wi Under the Intel Automated Setup and Configuration menu select TLS PSK and press Enter The Intel TLS PSK Configuration page appears This submenu contains the settings for TLS PSK configuration settings l I Pyr F DEF T J a 25 1 y i Copyright C 2683 89 Intel Corporatio 411 Rights Reserve INTEL R REMOTE CONFIGURATION Managemen Delete PII and PPS Previous Menu S et P D m 9 8 DDEC A E iue B B EB hn Bas 9m set PID and PPS Under the Intel TLS PSK Configuration menu select Set PID and PPS and press lt Enter gt Type the PID and press lt Enter gt Type the PPS and press lt Enter gt Intel R Management Engine BIOS Extension v7 H H HBHd43 InteltR ME v7 H H 1H83Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I oet PID and PPS Delete PID and PPS Previous Menu Ent
33. Rights Reserved I Username and Password SOL IDER Legacy Redirection Mode KUM Previous Menu ESC Exit T Select ENTER Access Redirection Mode must be enabled when using a legacy SMB Redirection Console Option Description Disabled Legacy redirection Mode is disabled Default The port is left open at all times when redirection is enabled in the Intel MEBx SMB consoles before Intel AMT 6 0 require this mode enabled for redirection sessions Enabled Under the SOL IDER page select KVM and press Enter Intel R Management Engine BIOS Extension v7 H H BBd3 InteltCR ME v7 8 H 18H8Z Cor Ir ight CE 7883 89 Intel Co poration All Rights Reserved SOL IDER KVH Username and Password SOL IDER Legacy Redirection Mode Previous Menu Enabled KVM feature is disabled Enabled KVM feature is enabled pee IIMALIEPAL Se rw ANE IE cr Bl Menu Under the SOL IDER page select Previous Menu and press Enter The SOL IDER page changes to the I ntel AMT Configuration page y a EB BL a O c Fy mne a ra E a B i j Cor COI I S CT Q mod hus Q Vind E A Bl Under the Intel AMT Configuration page select User Consent and press Enter The User Consent Configuration screen appears Sets whether local user consent is required before remote computer can establish a KVM Remote Control session to th
34. SB drive key into the computer with a management console 2 3 The SCS does the following Request the local setup and configuration records from a setup and configuration server SCS through the console l Generates the appropriate passwords PID and PPS sets 2 Stores this information in its database 3 Returns the information to the management console The management console writes the password PID and PPS sets to a setup bin file in the USB drive key Take the USB drive key to the staging area where new Intel AMT capable computers are located Perform the following 1 Unpack and connect the computers if necessary 2 Insert the USB drive key into a computer 3 Turn on that computer The computer BIOS detects the USB drive key o If found the BIOS looks for a setup bin file at the beginning of the drive key Go to step 7 o If no USB drive key or setup bin file is found then restart the computer Ignore the remaining steps The computer BIOS displays a message that automatic setup and configuration will occur l The first available record in the setup bin file is read into memory The process accomplishes the following Validates the file header record Locates the next available record If the procedure is successful the current record is invalidated so it cannot be used again 2 The process places the memory address into the MEBx parameter block 3 The process calls MEBx MEBx processes the record MEBx writ
35. Settings Wired LAN IPv4 Configuration Disabled DHCP Mode Enabled Below configuration page will only available if enabled selected IPv4 Address 0 0 0 0 Disabled I Pv6 Feature Selection Enabled Below configuration page will only available if enabled selected Random ID IPv6 Interface ID Type Intel ID Manual ID Remote Setup and Configuration Set PID and PPS Delete PID and PPS TLS PKI Disabled Remote Configuration Enabled PKI ONS Suffix Manage Hashes Default setting May cause Intel AMT partial unprovision l Intel ME Platform State Control is only changed for Management Engine ME troubleshooting 2 n Enterprise mode DHCP automatically loads the domain name 3 Un provision setting only seen if the box is provisioned Methods Overview As discussed in the Setup and Configuration Overview section the computer has to be configured before the Intel AMT capabilities are ready to interact with management application There are three methods to complete the provisioning process from least complex to most complex e Configuration service A configuration service allows you to complete the provisioning process from a GUI console on their server with only one touch on each of the Intel AMT capable computers The PPS and PID fields are completed using a file created by the configuration service saved to a USB mass storage device e MEBx interface The IT administrator manually configures the Manage
36. State Control appearing in previous versions of MEBx has been removed in order to avoid end users accidentally disable Intel ME The option can now be offered by system BIOS ME Password 1 At the Intel ME New Password prompt type your new password The password policies and restrictions are available 2 At the Verify Password prompt re type your new password Your password is now changed Intel R Management Engine BIUS Extension v 7 H H HHd43 InteltR HE v7 H H 1H8Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I Change Intel R HE Password Set PRIC Power Control Previous Menu Intel R ME Heu Password ESC I Exit ENTER 1 Submit Set PRTC Under the Intel ME Platform Configuration menu select Set PRC and press Enter Intel R Management Engine BIUS Extension v7 H BH HBd3 IntelCR ME v 7 H H 1H87Z Copyright C ZHH3 B8 Intel Corporation All Rights Reserved I Change Intel R ME Password set PRIC Power Control Previous Menu Enter PRTC in GMTCUTIC formatt YYYY MM DDIB HH HMH S35 ESC I Exit ENTER Submit Valid date range 1 1 2004 to 1 4 2021 Setting the PRTC value is used for virtually maintaining PRTC during the power off G3 state Type PRTC in GMT UTC format YYYY MM DD HH MM SS and press lt Enter gt Meme rss ij iP uAmN amp mnc fo Fan mm dm nS ea OW CI q O nuc ww WW Nol as S7 B B E WW i a Under the Intel M
37. ablement e AT p authentication on S3 resume optional Add support for Desktop Workstations Other New Features related to MEFW Support for LAN ARP ME answers LAN ARP request IPV4 amp Neighbor Discovery packets IPV6 by not waking and instead notifying the console system in Sx e New Win7 LAN requirement e Only for 5MB SKU and in Power Policy 2 Deep S4 S5 This is automatically disabled when AMT is provisioned in PP2 Identify Protection Technology IPT Enable One Time Password based secure login and web transactions via ME based authentication Client System Requirements The client system referred to in this document is based on the Intel 6 Series Chipset Family Intel PCH platform and is managed by Intel Management Engine The following firmware and software requirements are required for the installation and setup before the Intel Management Engine can be configured and run on the client system e An SPI flash device programmed with Intel AMT 7 0 flash image integrating BIOS Intel Management Engine and GbE component images e BIOS set up with Intel AMT enabled can access MEBx setup from F12 menu e To enable all the Intel Management Engine features within Microsoft Operating System the device drivers Intel MEI SOL LMS must be installed and configured on the client system Information on this page provided by Intel K NOTE The Intel Management Engine BIOS Extension MEBx is an optional ROM module provi
38. agement console disk drive This drive is then passed as an argument when the management console opens the IDER TCP session Intel AMT registers the device as a virtual IDE device on the client regardless of its power or boot state Both SOL and IDER may be used together since the client BIOS may need to be configured to boot from the virtual IDE device I ntel Management and Security Status Application Intel Management and Security Status IMSS is an application that displays information about a platform s Intel Active Management Technology Intel AMT and Intel Standard Manageability services The IMSS icon indicates whether Intel AMT and Intel Standard Manageability are running on the platform The icon is located in the notification area By default the notification icon is displayed every time Windows starts The Intel Management and Security Status application has a separate version per every Intel AMT generation 4 x 5 x 6 x This is to describe the Intel Management and Security Status application for Intel AMT generation 6 x i Intel Management and Security Status A 2 x Monitor the status of management and security technologies provided by Intel za e cia Engmne Intel ME using Intel Management Engine Interface Intel n MEI Service Status Intel Active Management Technology Intel AMTY Intel Remote PC Assist Technology Intel RAPAT Event History E Application Event Tme Reviewed Intel AMT Terminal
39. ales Conesole Dist st scpx TConioleGuida 3E aab67 250b 424d 8185 fa2f 49x96 70 78 Mew ird eal X Live Sw iH CUP AO Zaki Console 6 5 A E oe hps too i altiris console Home View Hanage Tools Reports Configure Help gt 4 a z Ej Out of Bard Management E Ej alert Standard Format Getting Started E C C lections Intel AMT Getting Started Wi UH Configuration Name Type Description Modified By Modified Date Getong Started Section 1 Provisioning Folder TRYPROVdministrator 6 14 2007 1 17 14 PM gp Section 2 Intel AMT Tasks Folder TRYPROVdministrator 6 14 2007 1 1713 PM i J Basic Prisong without TLS Eryx Security TLS i 7 Section 2 Intel AMT Tasks Repris Tasis Favorites My Envoie Altre Cne Hom R to 2 oF 2 Pagar i af j Rawi par page aul Done ee R10 e Select Step 1 Configure DNS The notification server with an out of band management solution installed must be registered in DNS as ProvisionServer Vf Altiris Console 65 Windies Internet Explorer tom ED hitplfeirisbox roro local fAKiris Console Det sult apx ConsoleGukds Sf aaBb6T 250b 42 80 8 186 fe24 Qa de T0 T8 View dut E CUP AO Zaki Console 6 5 i altiris console Home View Manage Tools Reports Configure Help gt Sa Ej Out of Band Management rt Standard Format Getting Started a E Intel amp AMT Getting Started Configuration a 33O OI Hw Description Modifi
40. anagement Engine BIOS Extension v7 H H HBH43 InteltR HE v7 H H 1H8Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I Remote Configuration PKI DNS Suffix Manage Hashes Previous Menu Enter PKI DNS Suffix ESC I Exit ENTER Submit Manage Hashes Under the Intel Remote Configuration menu select Manage Hashes and press Enter ntel R ME v 8 8 109 k 3 a ntel R Management Engine BIOS Extension v7 8 5 2HH3 H8 Intel Corporation All R IHTELCR REMOTE CONF IGURATIONI Remote Configuration PKI UNS Suffix Manage Hashes Previous Menu i 7 MET 7 OOUT PIC eee AC s Hash Name Active Default Algorithm Type Verisign Class 3 Primary CA G3 x 3HR1 Go Daddy Class 2 CA 23 SHAL Comodo AAA CA 23 SHAL Starfield Class 2 CA SHAL Verisign Class 3 Primary CA G2 x 3HR1 UeriSign Class 3 Primary CA G1 5 EJ 3HR1 Verisign Class 3 Primary CA GS EJ 3HR1 ESI Sn INS 1 Ade JEL De l Active NTER 1 U i Selecting this option will enumerate the hashes in the system and display the Hash Name and the active and default state If the system does not contain any hashes yet Intel MEBx will display the following screen Intel R Han ment Engine BIOS Extension v7 H H HHzZb5 InteltR ME 7 H H 1H zH Co ght 49 Intel Corporation A11 Rights Reserved CLCINTELCR REMOTE CONFIGURATION Remote Configuration
41. and keyboar 6 30 2009 2 13 33 PM Reviewed Ine AMT Ternunal and kegboar 6 30 2009 2 13 23 PM Reviewed Intel AMT Terminal and keyboar 6 30 2009 2 05 56 PM Reviewed ribet AMT Terminal and keyboar 5 30 2008 2 05 41 PM P esee lnhake AMT Terminal and kenna FPS 201d PR Note No action is required on your behalf due to any of the above events IY Enable user notification 4 Intel Management and Secunty Stabus wil be avadable next tre log on to windows WhatisIntel amp AMT l Intel Active Management Technology allows IT professionals to remotely discover heal and protec Fast Callfor Help Connection Status 8 Connected Intel AMT detected that you are connected to the organization network Click this bulton to nolis IT that you need support Support session status Remote Control Connection Media Redirection SystemDefense Staus X Not achivated 3 Intel Management and Security Status What ic Intel Management E ngne Intel Management Engine it an additional component that enables management and secunty features on your computer Intel Management E nome Stabus Conhgured Firmware Version amp 0 0 7031 Secure D utput Window Seinge Message Language eme H mm zl Message Size Regus View details per Nebwork Connection View mote details re
42. ard Format Gatb g Started Colecbors B 1 Config raton IE I E Pe fir E inan AMT Get i LM Mon fx My Favorites AP Ars Consola Hore Pome a iter i F Altiris Console 6 5 Windows Internet Explorer Home View Hanage Tools Reports Configure Help Section 1 Provisianing Sechon 2 Inte AMT Tasks Folder Ao Ltodofz Pager L ofi Folder Rows par pagar all Click the lt gt to expand the Section 1 Provisioning section trlja TRYPRO Administrator By 4200 1 17 14 PM TRYPRO Wdministrator 6142007 1 17 13 PM fp Gl ah gt Bee c Geto Yu F Altiris Console 6 5 Windows Internet Explorer iz CUP w pakeis Console 6 5 altiris console Qut of Band Management E Alert 51andard Format Gettrg Started R Intel AMT Getting Started Configuration Ei Intel AMT Geteng Started iB C Section i Prenisiening di O Section 2 Intel AMT Taska LU Modified By D Em Em E Section 2 Inte AMT Tasks Folder oO Taos Favorites T biy Fanvoribes m Albrig Congo Home Rows ltolok P Pager 1 ofi Rows par pager sll T Click the lt gt to expand the Basic Provisioning without TLS section Section 1 Provisioning Folder TRYPRO Administrator 6142007 1 17 14 PM TRYPROWdministrator 6 14 2007 11713 PM Loch Yu Vf Altiris Console 65 Windies Internet Explorer oS 9 batpe iatinicbos Enero loc
43. ated Setup and Configuration page appears WP m A mn CT a BH PF IM L AE y 7 E d Ee EEA Gry Pun EUM Tee Bn BUM G a DAN L 9 c GIC n D ty Bd arver Lp Va f J VW E NW WP W M VIII SJCIVITI wer it ww mi Under the Intel Automated Setup and Configuration menu select Provisioning Server I Pv4 I Pv6 and press Enter l Type provisioning server address and press Enter EM BEM F agement Eni Ts ilUs Extension vr B E i Sa F weldkh 1h vr HH3 H tig Ail its R muright C Zl ini L INHTELCR AUTOMATED SETUP AND CONFIGURATION Current Provisioning Mode Provisioning Record RCFG b Provisioning Server FODMN TLS PSK b ILS PKI b Previous Menu Provisioning server address 2 Type provisioning server port number and press Enter The port number 0 65535 of the Intel AMT provisioning server The default port number is 9971 Intel R Management Engine BIOS Extension v 7 H H HHd43 InteltR ME v7 H H 1H8Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I Current Provisioning Mode Provisioning Record RCFG d Provisioning Server IPU4 TIPUE Provisioning Server FODMN TLS PSK a ILS PKI b Previous Menu Port number 6 BH 55535 ESC I Exit ENTER Submit Provisioning Server FQDN Under the Intel Automated Remote Setup and Configuration menu select Provisioning Server FQDN and press lt Enter gt Type the F
44. ceed If DHCP and DNS are not available then the setup and configuration servers SCS IP address must be manually entered into the Intel AMT capable computer s MEBx The Hello message contains the following information Provisioning ID PID Universally Unique Identifier UUID IP address ROM and firmware FW version numbers The Hello message is transparent to the end user l In the AMT 7 in the OS select IMSS 2 Under the Advanced tab select Extended System Details 3 Click Intel ME I nformation If Provisioning Mode states In Provisioning the hello packets are being sent to provision server in the network The SCS uses the information in the Hello message to initiate a Transport Layer Security TLS connection to the Intel AMT capable computer using a TLS Pre Shared key PSK cipher suite if TLS is supported The SCS uses the PID to look up the provisioning passphrase PPS in the provisioning server database and uses the PPS and PID to generate a TLS Pre Master Secret TLS is optional For secure and encrypted transactions use TLS if the infrastructure is available If you do not use TLS then HTTP Digest is used for mutual authentication HTTP Digest is not as secure as TLS The SCS logs into the Intel AMT computer with the username and password and provisions the following required data items New PPS and PID for future setup and configuration TLS certificates Private keys Current date and time HTTP Digest crede
45. ch was pre programmed at the Dell factory through the Custom Factory Integration CFI process TLS PSK TLS PSK is also Known as One Touch Configuration The SCS uses PSK s Pre Shared Key s to establish a secure connection with the AMT computer These 52 character keys can be created by the SCS and then deployed on the AMT computer with a desk side visit in one of two ways e The key can be manually typed into the MEBx e he SCS can create a list of custom keys and put them onto a specially formatted USB thumb drive Then each AMT computer retrieves a custom key from the specially formatted USB thumb drive during BIOS boot as detailed in the Configuration Service section of this document The Intel Management Engine BIOS Extension MEBx provides platform level configuration options for you to configure the behavior of Management Engine ME platform Options include enabling and disabling individual features and setting power configurations This section provides details about MEBx configuration options and constraints if any rinterface Bx Configuration Use The MEBx configuration user interface can be accessed on a computer through the following steps 1 Turn on or restart your computer 2 When the DELL logo appears press lt F12 gt immediately and select MEBx K NOTE If you wait too long and the operating system logo appears continue to wait until you see t
46. ction and press Enter 2 A message is displayed Caution Disabling reset network settings including network ACLs to factory default System resets on MEBx exit Continue Y N Press Y to change setting or N to cancel ntel i RE Management Engine BIOS Exte qa E E D uf mL T LopyurighttlL zZHHa3 Li sion v 8 8 6843 Intel R ME v7 8 8 1892 ation All Rights Reserved HTELCR AMT CONFIGURATION LN yp eee om zs ED 4 Inte Or Dl SOL IDER KUM User Consent Password Policy Network Setup Unconfigure Network Access Remote setup And Configuration Previous Menu When the Manageability Feature Selection is enabled the Intel ME manageability feature menu appears If it is disabled ME manageability feature will not be displayed gm E Em Zs EZ FR m Gl ILI00ED KMIV tna im E Red i AS I Nw M B Under the Intel AMT Configuration page with Intel AMT enabled select SOL I DER KVM and press Enter The Intel AMT Configuration page changes to the SOL IDER page Tall at m m A E NE i e E D uP tus B B Ic il Under the SOL IDER page select Username and Password and press Enter J eue CR Ed B NEM B TT am E B f Cmi T E Nw E l ITF E 7 exes i r i 4 hn Poo ee at zb 1 M Efi A LENS 10N Vr F cL O 8a INLE 1 M Ih 4 intel Lorporat iorn HII Rights SUL IDERAZKUH sername and Password SO
47. d other countries AMD is a registered trademark and AMD Opteron AMD Phenom AMD Sempron AMD Athlon ATI Radeon and ATI FirePro are trademarks of Advanced Micro Devices Inc Microsoft Windows MS DOS Windows Vista the Windows Vista start button and Office Outlook are either trademarks or registered trademarks of Microsoft Corporation in the United States and or other countries Blu ray Disc is a trademark owned by the Blu ray Disc Association BDA and licensed for use on discs and players The Bluetooth word mark is a registered trademark and owned by the Bluetooth SIG Inc and any use of such mark by Dell Inc is under license Wi Fi is a registered trademark of Wireless Ethernet Compatibility Alliance Inc Other trademarks and trade names may be used in this publication to refer to either the entities claiming the marks and names or their products Dell Inc disclaims any proprietary interest in trademarks and trade names other than its own March 2011 Rev A00 Product Overview Intel Active Management Technology Intel AMT allows companies to manage their networked computers easily e Discover computing assets on a network regardless of whether the computer is turned On or Off Intel AMT uses information stored in the non volatile system memory to access the computer The computer can be accessed even while it is powered Off also called out of band or OOB access e Remotely repair systems after op
48. date it is required that the Host Name and Domain Name are set Enabled The Dynamic DNS Update Client in FW is enabled Disabled The Dynamic DNS Update Client in FW is disabled D Daorionrlic lindate I ntarva 32 FeriOdIic U IDUdatec i ntervVvoal Under the Intel ME Network Name Settings select Periodic Update Interval and press Enter Type the desired internal and press Enter iqement Engine BIOS Extension v7 8 8 B8B43 IntelCR ME 7 8 H 1897Z Corporation All Rights Reserved 1 z INTEL R HE NETHURK NAHME SETTINGS Host Name Domain Name Shared Dedicated FODN Dynamic DNS Update Periodic Update Interval TIL Previous Menu Value H or LAE NOTE Defines the interval at which the firmware DDNS Update client will send periodic updates It should be set according to corporate DNS scavenging policy Units are minutes A value of 0 disables periodic update The value set should be equal or greater than 20 minutes The default value for this property is 24 hours 1440 minutes e EE j m 0 Ww n E E Hum Under the Intel ME Network Name Settings select TTL and press lt Enter gt Type the desired time in seconds and press lt Enter gt Intel R Management Engine BIOS Extension v7 8 B8 BHd3 IntelCR HE v7 BH B8 1893Z Copuright l ZHH3 H8 Intel Corporat ior Hll Rights Heserver LINTELCR ME METNORK NAME SETTINGS 1 Host Name Domai
49. ded to Dell from Intel that is included in the Dell BIOS The MEBx has been customized for Dell computers Out of Box Experience The following materials are available with an Intel Active Management Technology Intel AMT computer e Factory installation o Intel AMT 7 0 is shipped in the factory default state from Dell factories e Setup and Quick Reference Guide o Intel AMT overview e Backup media o Firmware and critical drivers are available on the Resource CD See the Administrator Guide for detailed information about Intel AMT available on support dell comY manuals Operational Modes In Intel AMT 5 0 and earlier versions there were two operational modes SMB and Enterprise In Intel AMT 6 0 and AMT 7 0 their functionality has been integrated to provide the same functionality previously available in Enterprise mode The new configuration options are e Manual Setup and Configuration available for SMB customers e Automatic Setup e Configuration Intel AMT 5 0 and under Default Intel AMT 6 0 7 0 default Enterprise Mode SMB Mode options Disabled can be enabled at a WebUl UI Disabled Enabled Enabled LT NN KVM Redirection network Disabled interface enabled Enabled if feature enabled in Enabled can be disabled at a Intel amp MEBX later time Legacy Redirection Mode Controls FW listening for Disabled Enabled if feature enabled in incoming redirection Intel MEBX connections Disabled Need to set
50. e altiris Power Policy General Administrator Credentials Profile name defaut 2 User name Profile description Intel AMT 2 0 password Default profile Random craation C Manual asescososdesesesssa Kerberos Max clock tolerance 5 minutes 18 The Network tab provides the option to enable ping responses VLAN WebUI Serial over LAN and IDE Redirection If you are configuring Intel AMT manually all these settings are also available in the MEBx Altiris Console Webpage Dialog Configure Intel AMT Setup amp Configuration Service Profile T altiris General Network ACL Power Policy General I Enable ping response VLAN Use WLAN Li nI e f VESN tad E Enabled Interfaces Web UI M Serial over LAN Iv IDE redirection 19 The TLS Transport Layer Security tab provides the ability to enable TLS If enabled several other pieces of information are required including the certificate authority CA server name CA common name CA type and certificate template EN Console Miebpage Rialog hitp ffakirisbox bree local Altiris OES EGR Prof leCk arspicnac tionem add Configure Intel AMT Setup amp Configuration Service Profile General Network TLS ACL Power Policy TLS l Use TLS Configure the Profile Certificates ep internet x The ACL access control list tab is used to review users already associated with this pro
51. e local computer Also sets whether the remote computer user can configure the KVM Opt In Policy m Igi E p m 509 sri ew E m i Jj Geor UDT IIn Ww ww Ae NM I3 B Under the User Consent Configuration page select User Opt in and press Enter Intel R Management Engine BIOS Extension v H 4 44435 Intel R ME v 4 1692 HI SER CONSENT CONFIGURATION Copyright C 2683 89 Intel Corporat U Opt in Configurable from Remote IT Previous Menu The following options can be selected Description Local User Consent is not required for a remote computer to establish KVM Remote Control session Local User Consent is required for a remote computer to establish KVM Remote Control session Local User Consent is required for SOL IDER and KVM NOTE When using Host Based Provisioning Client mode will override this setting and behave as if the ALL option has been selected For more details on Host Based Provisioning and Client Mode see the Activator User guide and the UCT User Consent Tool user guide in the SDK kit er im Canft_intirahkhian fram ramnr ka IT Under the IKVM Configuration page select Opt in Configurable from remote IT and press lt Enter gt This setting determines whether a remote computer s user can configure the Opt In Policy when establishing a KVM Remote Control session to this computer Intel R Management Engine BIOS Extension v7 8 BH HHd
52. ed By OOOO Waoditiad Dpt C3 Intel AMT Gettng Started Section 1 Provisioning Falder TRYPROWdministretor amp 14 2007 1 17 14 PM Bilespior ir ptg Section 2 Intel AMT Tasks Folder TRVPROWdministrator amp 14 2007 1 17 13 PM m C Base Prisong without TLS Step L Configure Ores ae Step 2 Discover Canab ties D Siep 3 View Intel AMT Capable Commuters d Stes 4 Create Profis i Ste 5 Generate Security Keys e Step 6 Configure Autpmabc Profe Assignment 4 Step 7 Monitor Provisioning Process We 5160 8 Monitor Profile Assignments Eran Security TLS B C Section 2 Intel AMT Tasks amp O Reports Tasks E E iL Favorites My Panvorites Altris Gonera Hone Aces Lto 2 af 2 3 Pager L ofi Rows per page fan Done LE E EE Dae neret 100 y Click Test on the DNS Configuration screen to verify that DNS has the ProvisionServer entry and that it resolves to the correct Intel Setup and Configuration Server SCS Altiris Cons ole 5 5 Wy indies TE met Es plo ret GE My Favorites E Ej Alert Standard Format Getting Started if C Colectens B DJ Configuration E 3 Intelz AMT Getting Started E C Sector 1 Provisioning amp LL Base Provisioning vetout TLS el Step 1 Configure Dis ps Step 2 Discover Capsb tes D Siep 3 View Intel AMT Capable Computers d 512 4 Create Profs i Stes 5 Generate Security Keys i Step 7 Monitor Provisioning Process d Sten 8 Monitor P
53. elected Displays No if the hash algorithm is NOT the default algorithm used PKI only FQDN of the provisioning server mentioned in the certificate PKI only Serial Number The 32 character string that indicates the Certificate Authority serial numbers E waelty Indicates whether the certificate passed the time validity check amp RCF AVE Sl Under the Intel Automated Remote Setup and Configuration menu select RCFG and press Enter The Intel Remote Configuration page appears Intel R Management Engine BIUS Extension v 7 H H HBH43 InteltR HE v7 H H 1H8Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I Start Configuration Previous Menu ESC Exit t Select ENTER Access Start Configuration Under the Intel Remote Configuration menu select Start Configuration and press lt Enter gt If Remote Configuration is not activated Remote configuration cannot occur To activate enable remote configuration select Y Intel R Management Engine BIUS Extension v 7 H H HHd43 InteltR ME v7 H H 1H8Z Copuright C ZBH3 H8 Intel Corporation All Rights Reserved start Configuration Previous Menu ESC Exit T Select ENTER Access CAUTION This will activate Remote Configuration Continue YZH PIJ P AVAVAWEBIE ud B Y 90 1 9 M 7 l tus W I 7 Ol n Under the Intel Remote Configuration menu select Previous Menu and press Enter The Intel Autom
54. enoriz E E Teds Favorites My Panvoribes Filter by PID Fitar by PES BE Altri Console Home be 7 00 0 11 E e Xu 36 Verify that the setting is enabled In the Intel AMT 2 0 dropdown select the profile created previously Configure the other settings for the environment Altiris Console 6 5 Windows abernet E ELINGET CULUP QUS Wa sim erage at pl Me pte ete ee ts Mae erie EBay et Loo tee be ia te E re a ala Tur L H Ej Aet Standard Forset Getting Started S TE aoe pipe cam Resource Synchronization E E Configuration E E Intel AMT Getting Started 3 C Section i Peonisioning E I Basic arson aau TLS Step L Configure Ons Gd Step 3 view Intel AMT Capabie Computers Ap Step 4 Create Profs af Sen 5 Geeste tenen en S i Step 6 Configure Automatic Profile Assignments 7 i Sep 7 Monitor Provisioning Process l Step 3 Monitor Profile Assignments i Enable Security TL5 8 C Section 2 Intel AMT Tasks EB 3 Tasis E Enable currently enabled B S My Favorites E Altiris Console Home 4 ipd m x d z des as Lorum zw 37 Select Step 7 Monitor Provisioning Process ee wt m TX TER et Lad LT Inte rire t LI eds F gt Altiris Console pomum RUE ed ee Ss OE ee re han Na Bas a Y f x Arva miis rip ioca a TEVE OV RHminietrator amp Ej Alert Standard Format Getting Started amp C
55. er PID e q RBLI 1234 ESC Exit ENTER 1 Submit Setting the PID PPS will cause a partial unprovision if the setup and configuration is In process The PID and PPS should be entered in the dash format for example PID 1234 ABCD PPS 1234 ABCD 1234 ABCD 1234 ABCD 1234 ABCD NOTE A PPS value of 0000 0000 0000 0000 0000 0000 0000 0000 will not change the setup configuration state If this value is used the setup and configuration state will remain Not started If an invalid entry is attempted an error message will be displayed Intel R Management Engine BIUS Extension v 7 H H HH43 InteltR ME v7 1 H HH1 Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I oet PID and PPS x Delete PID and PPS x Previous Menu I Invalid PID Entered Try Again ESC I Exit ENTER Submit Delete PID and PPS Under the Intel TLS PSK Configuration menu select Delete PI D and PPS and press Enter This option deletes the current PID and PPS stored in Intel ME If the PID and PPS were not entered previously the Intel MEBx will return an error message To delete the PID and PPS entries select Y else N ntel R Management Engine BIUS Extension v7 H B8 HB43 InteltCR Copyright C ZHB3 B8 Intel Corporatio Rights Re 3 LIMTELCR RENOTE CONFIGURATION set PID and PPS Delete PID and PPS Previous Menu m Lunsd xum AA a Iz LJ p CAVE e c M ak i a l O V
56. er source and a network connection Intel AMT supports Serial Over LAN SOL text keyboard redirection and IDE Redirection IDER CD ROM redirection over TCP IP Serial Over LAN Overview Serial Over LAN SOL is the ability to emulate serial port communication over a standard network connection SOL can be used for most management applications where a local serial port connection is normally required When an active SOL session is established between an Intel AMT enabled client and a management console using the Intel AMT redirection library the client s serial traffic is redirected through Intel AMT over the LAN connection and made available to the management console Similarly the management console may send serial data over the LAN connection that appears to have come through the client s serial port I DE Redirection Overview IDE Redirection IDER is capable of emulating an IDE CD drive or a legacy floppy or LS 120 drive over a standard network connection IDER enables a management machine to attach one of its local drives to a managed client over the network Once an IDER session is established the managed client can use the remote device as if it were directly attached to one of its own IDE channels This can be useful for remotely booting an otherwise unresponsive computer IDER does not support the DVD format For example IDER is used to boot a client with a corrupt operating system First a valid boot disk is loaded into the man
57. erating system failures In the event of a software or an operating system failure Intel AMT can be used to access the computer remotely for repair purposes IT administrators can also detect system problems easily with the assistance of Intel AMT s OOB event logging and alerting e Protect networks from incoming threats while keeping software and virus protection up to date across the network Software Support Several Independent Software Vendors ISVs are building software packages to work with Intel AMT features Hence this provides IT administrators many options to remotely manage networked computer assets within a company Features and Benefits Intel AMT Out of band OOB access Allows remote management of platforms regardless of system power or operating System state oo ang Significantly reduces onsite visits increasing the efficiency of IT technical staff Proactive alerting Decreases downtime and minimizes repair times New Features of I ntel vPro Technology Intel AMT 7 0 e Host Based Provisioning Easy deployment of AMT capable units by the customers e Communication Proxy Support Allow AMT communication to an external network for example IT outsourced to offsite party MEFW Rollback Enable downgrading of MEFW on vPro systems to enable customers to more easily lock on BIOS revisions AT p 3 0 e WWAN 3G Support for AT p Ericsson wireless on NB only e AT p suspend resume commands for temporary dis
58. es a completion message to the display Turn off the computer The computer is now in the setup state and is ready to be distributed to users in an Enterprise 11 mode environment Repeat step 5 if you have more than one computer Refer to the management console supplier for more information on USB drive key setup and configuration USB Drive Key Requirements The USB drive key must meet the following requirements to be able to set up and configure Intel AMT It must be greater than 16 MB It must be formatted with the FAT16 or FAT32 file system The sector size must be 1 KB The USB drive key is not bootable The USB drive key AMT provisioning and not for any other purpose The USB key must not contain any other files whether hidden deleted or otherwise The setup bin file must be the first file landed on the USB drive key for Legacy BI OS or Wembley The setup bin file must be in the top directory for UEFI BIOS or RAM USB Device Procedure Dell Client Management DCM application is the default console package provided This section provides the procedure to set up and configure Intel AMT with the DCM package As mentioned earlier in the document several other packages are available through third party vendors The computer must be configured and seen by the DNS server before you begin this process A USB storage device is also required and must conform to the requirements listed on Using a USB Device page NOTE The na
59. ess Under the Wired LAN IPv6 Configuration select Alternate DNS I Pv6 Address and press Enter Type the Alternate DNS IPv6 Address and press Enter Intel R Management Engine BIOS Extension v 7 H H HH43 InteltR ME v7 H H 1H83Z Copyright C ZHBH3 H8 Intel Corporation All Rights Reserved I IPUG Feature Selection IPUBb Interface ID Type IPUB Address IPVG Default Router Preferred DNS IPY6 Address Alternate DNS IPUE Address Previous Menu IPUG address e g 26H1 db6 1426 5 ab or any other valid IPY6 address ESC Exit ENTER Submit 7 Previous Menu Under the Wired LAN IPv6 Configuration select Previous Menu and press Enter The TCP IP Settings menu appears Wireless LAN IPv6 Configuration Under the TCP IP Settings select Wireless LAN IPv6 Configuration and press Enter The Wireless LAN IPv6 Configuration page appears Intel R Management Engine BIOS Extension v7 H H HBHd43 InteltR ME v7 H H 1H8Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I IPUB Feature Selection Previous Menu ESC Exit T Select ENTER Access 7 P Hs pma E Rt E 1G mn Ge mz n 1 Pv6 ture Selection Under the Wireless LAN IPv6 Configuration select I Pv6 Feature Selection and press Enter EN d ra n i r g PEE D TS wi P ITs i NEM a j Tm M ia zz i a T CMEA j 7 a 245 238 8 B Management Engine BIO H Tensl1on yvr H E M4354 ntel L We Li Copyright C ZHH3
60. ess Previous Menu Preferred DNS address J H H H ESC Exit ENTER Submit 6 Alternate DNS Address Select Alternate DNS Address and press Enter BL tne Alternate DNS Address in the sie SEE column and press lt Enter gt SICR Management Engine BIOS Extension v7 H H HBHd3 InteltR ME v 8 48 18692 Lonu inh tC ZHHZ a ntel C rpo atio All Rights Reserve HIRED LAN IPUA CONFIGURATION DHCP Mode IPUA Address subnet Mask Address Default Gateway Address Preferred DHS Address Previous Menu Alternate DNS Address 9 URL zzE an MAA nnn Under the Wired LAN IPv4 Configuration select Previous Menu and press lt Enter gt The TCP IP Settings menu appears eP v6 CO nfic gurat io Y MI i c ad I A R J HI D j I b 0 Ll IN Under the TCP IP Settings select Wired LAN IPv6 Configuration and press Enter The Wired LAN I Pv6 Configuration page appears The Intel ME IPv6 addresses are dedicated and not shared with the host operating system To enable Dynamic DNS registration for IPv6 addresses it is required to configure a dedicated FQDN ntel R Management Engine BIOS Extension v7 6 80 8643 Intel R ME v7 8 8 1692 spuright C z H3 Intel porat ior All Rights Reserved HIRED LAN IPUB CONFIGURATION Previous Menu NOTE The Intel ME network stack supports a multi homed IPv6 interface Each network interface can be configured with the following I
61. file and to add new users and 20 define their access privileges j Altiris Console Webpage Dialog httne Jakirisbow trvpro localfAlkris fO CESC EdRProfleCig asp actioneadd Configure Intel AMT Setup amp Configuration Service Profile Wel Tt ACL Power Policy View and Configure the Profile ACL User Access Permission hitp f Jakiribax trvpro local Albiris OSC JEditProfileD49 epo action add 21 The Power Policy tab has configuration options to select the sleep states for Intel AMT as well as an Idle Timeout setting It is recommended that Idle timeout is always set to O for optimal performance NOTE The setting for the Power Policy tab can potentially impact a computer s ability to remain E Star 4 0 compliant b Altiris Cimsole Configure Intel AMT Setup amp Configuration Service Profile 4 altiris Configure the Profile Power Policy Intel AMT is ON in the fallowit Intel AMT is ahways OM 50 55 Idle magut minutes 22 Select Step 5 Generate Security Keys 23 j Altiris Console 6 5 Windows Internet Explorer e de EI p ode X Airis Console 6 5 E yeo Gi too ghiein hes Freeper lepi s TEAR Admina Zr altiris console Home View Henage Tools Reports Configure Help gt Alert Siandard Fomai Getting Started Manage Profiles Codec bors E Configuration E E Intel AMT Getong Started amp C 5ectin 1 Prenisieun im
62. for Intel AMT mode and enables network connectivity This setup is generally performed only once in the lifetime of a computer When Intel AMT is enabled it can be discovered by management software over a network Once Intel AMT is set up in Enterprise mode it is ready to initiate configuration of its own capabilities When all required network elements are available simply connect the computer to a power source and the network and Intel AMT automatically initiates its own configuration The configuration service a third party application completes the process for you Intel AMT is then ready for remote management This configuration typically takes only a few seconds When Intel AMT is set up and configured you can reconfigure the technology as needed for your business environment Once Intel AMT is set up in SMB mode the computer does not have to initiate any configuration across the network It is set up manually and is ready to use with the Intel AMT Web GUI I ntel AMT Setup and Configuration States The act of setting up and configuring Intel AMT is also known as provisioning An Intel AMT capable computer can be in one of three setup and configuration states e Factory default state e Setup state e Provisioned state The Factory Default State is a fully unconfigured state in which security credentials are not yet established and Intel AMT capabilities are not yet available to management applications In the factory default state I
63. ghts Reserved I IPUG Feature Selection IPYG Interface ID Type IPUB Address IPUB Default Router Preferred DANS IPY6 Address Alternate DNS IPY6 Address Previous Menu IPUG address e g 260H1 db6 1426 5 7ab or any other valid IPY6 address ESC Exit ENTER Submit 4 IPv6 Default Router Under the Wired LAN IPv6 Configuration select I Pv6 Default Router and press Enter Type the IPv6 Default Router and press Enter Intel R Management Engine BIOS Extension v 7 H H HH43 InteltR ME v7 H H 1H83Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved IPYB Feature Selection IPYG Interface ID Type IPUB Address IPU6B Default Router Preferred DMS IPUBE Address Alternate DMS IPUBE Address Previous Menu IPUG address e g ZHH1 dbB8 1428 5 7ab or any other valid IPY6 address ESC Exit ENTER 1 Submit 5 Preferred DNS IPv6 Address Under the Wired LAN IPv6 Configuration select Preferred DNS IPv6 Address and press Enter Type the Preferred DNS IPv6 Address and press Enter Intel R Management Engine BIOS Extension v 7 H H HH43 InteltR ME v7 H H 1H8Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved IPYB Feature Selection IPYG Interface ID Type IPUB Address IPYU6B Default Router referred DNS IPUB Address Alternate DMS IPUBE Address Previous Menu IPUG address e g 2681 db6 1426 5 7ab or any other valid IPY6 address ESC I Exit ENTER 1 Submit 6 Alternate DNS IPv6 Addr
64. haracter such as or excluding the and characters ri NOTE The underscore _ and spacebar are valid password characters but do NOT add to the password complexity 4 NOTE The password can be reset to the default setting admin by shutting down the system removing AC and DC power and performing a RTC reset Information on this page provided by Intel To reach the I ntel Management Engine ME Platform Configuration page follow these steps 1 Under the Management Engine BIOS Extension MEBx main menu select Intel ME General Settings Press Enter 2 The following message appears Acquiring General Settings configuration The Intel MEBX main menu changes to the I ntel ME Platform Configuration page This page allows the IT administrator to configure the specific functionality of the Intel ME such as password power options and so on The following are quick links to the various sections e e e Oo O O e pee co mr A Ng j UTLC LVTV ET MMIgIMMMririm EET ont Engine BIUS Extension v H H8 H8B53 Inte I EE L 2 m m M h pu E FE a e T moe ai alt 7 AR a F uq Mic id i 3 ug i Ly EM E C 2663 869 Intel Corporation All Rights F INTEL R ME PLATFORM CONFIGURATION Set PRTC Power Control Previous Menu E PH RE ler Liw sm T o i eg ii 4 NOTE The option of Intel ME
65. he Microsoft Windows desktop Then shut down your computer and try again 3 Type the ME password Press lt Enter gt The default password is admin and it can be altered by the user The MEBx screen appears as shown below Intel R Management Engine BIOS Extension v7 H H HHd7 InteltR ME v7 H H 111 k a PES E REA C gt FUF Be il 1 pees em pct cu ERA capu amy a Boe El CET Eae m ce Ep p Lt EU WE ummy ee Copyright C ZHH3 HH Intel Corporation All Rights Reserved MAIN MENU Intel R ME General Settings Intel R AMT Configuration Exit Intel R HE Password LESC1 Exit ENTER Submit The main menu presents three function selections e Intel ME General Settings e Intel AMT Configuration e Exit ae NOTE Intel MEBx will display only detected options If one or more of these options does not appear verify that the system supports the relevant missing feature e Intel ME Password The default password is admin and is the same on all newly deployed platforms You must change the default password before changing any feature configuration options When an IT administrator first enters the Intel MEBx configuration menu with the default password he or she must change the default password before any feature can be used The new password must include the following elements e Eight characters no more than 32 e One uppercase letter e One lowercase letter e A number e A special Non alphanumeric c
66. ion installed with i e Intel i Siep 5 Generate Security Keys SCS Server is running on this computer must be registered in the DNS as Provisio ver Step amp Configure automatic Prosle Assignments This must be done in each DNS Domain When it sends its Hello message the Intel AMT device first uses the domain name received from the DHCP server If there is more than one z Provisioning Process e E SCS in the domain the DNS will alternate between the servers If there are multiple SCS iB C Enable Security TL ape oak a tlc a ahem V M section IER AT Tiks Click on the Test button below to verify that DNS has the ProvisionServer entry and that it iB DJ Reports Hove c Sia corre GE TEM ses sente E DJ Tasks Intel AMT Devices Ensure that the DNS is configured with the Fully Qualified Domain Names FQDN of the Intel AMT enabled machines that are being configured Intel AMT devices must be configured to have the same FOON as the host OS This stems from the fact the Intel AMT device is not a secure DNS client and it relies on the host OS to mantan the DNS record For this reason the Intel AMT device snoops the DHCP ENDE Zy requests and responses issued by the host OS The Intel AMT device then uses the IP E E My Favorites provided by the DHCP to the host Ds as its own Bh utes Console Hore When the host O5 is down the Intel AMT device requests DNS registration of its EI c
67. is Corisole IDs aspx 2 ConselleSuid SE aa BbG7 250b 42ad B B5 Fazf 4 ae PO Bev ida E LintiL iv er diu dr ani ir c SER Elio Lui craint arg Inr Gar IPPS Factory Default Password New Password Favorites tc Em fe My Favorites Filter by erp Fitter by pes AP Altes Consola Hore NL e Xm n 24 Select the Generate keys before export radio button gs Console Webpage NE uem E z E altiris Generate Security Keyr umber of security keys to generate fa Factory Default Intel Management Engine Password Inte ME Password admin New intekz Management Engine Password inie pa eer te eer ualapdecd ru jm LPS ee orbiten mentalki rnio the Meragemeni Engine BS Extasy esol EITGEYI Intel Mi Password si 1231 Ta treaie and doenlead USE bey Ja Fest cani gure setings and dick Generate lila and than fick Denwembheas USE key Pa Maed gSemunblssSad fee ta the L5Btmrage Devine Available No data exported yet Chese ape aan Internet 4 25 Type the number of keys to generate depends on the number of computers that need to be provisioned The default is 50 7 mm Webpage Dialog xj Export S Secur by Keys to USB kay o altiris Export keys CAN hin YW zeiecpbenu Generate Security Keys Number of security keys to generate sa Factory Default Intekgo Management Engine Password Intel ME Password admin This paszenr either upioaced f
68. j Configureton I enn in this collection are Intel AMT capable ian Updated 4 17 2007 11 03 21 AM E d This collection has no members E E Inm AMT Garteng Started amp C sectien i Previsioning iz O Baie Praemia veout TLS i Sip L Configure DiS Bh Step 2 Discover Capabilities Ui Step 3 view Intel AMT Capabie Computers d Step 4 Create Profle Sten 5 Generate Secunty Keys i Stes 6 Configure Automate Profle Assignments Step 7 Monitor Provisioning Process i Step 3 Monitor Profle Assignments E O Enable Security T5 E O Section 2 Intel AMT Tasks E 2j Reporcs E C Tasks P raid E s m MyPavontes Bh Altiris Console Home 15 Select Step 4 Create Profile f Altiris i onsole G 65 m Inte ret xplo rei ie CJ cpi ta amp O Configuration rcu in this collection a are iu MIEL 3 intel AMT Getong Started eat Updated 6 27 2007 11 03 11 AM S CJ Serten 1 Provisioning R d This collection has no members i I Basie Provesioning without TLS Step L Configure OS Di step 3 View Intel AMT Capable Computers i Stes 5 Generate Security Keys d Step t Configure Automatic Profle Assignments amp amp Step 7 Monitor Provisioning Process d Stead Monitor Profle Assignments i D Ense Security 15 E C Section 2 Intel AMT Tasks amp E Cj Reports B O Tasks m E My Favorites EB Altiris Console Home 7
69. l AMT enabled machines that are being configured Intel AMT devices must be configured to have the same FQDN as the host QS This stems from the fact the Intel AMT device is not a secure DNS client and it relies on the host OS to mantan the DNS record For this reason the Intal AMT device snoops the DHCP requests and responses issued by tha host OS The Intel AMT device then uses the IP provided by the DHCP to the host OS as its own When the host O5 is down the Intek AMT device requests DNS registration of its r ES NATRI I r Ls eR teret 10 The IP address for the ProvisionServer and Intel SCS are now visible Altiris Console 5 5 Windows Internet Ex plo ret E a altiris console Home View Manage Teas F Reports Configure Help gt e a B E3 Qut of Bard Management ii C Colector DNS Configuration amp O Configure aioli nite EL Intel AMT device setup and configuration requires the presence of a Domain Name System B C sact n 1 Provisioning DNS Server The DNS must have information for two entities amp O Basi Prisong without TLS The computer running Intel SCS Server must be registered in the DNS Sis Step 1 Configure Des e A configured operational Intel AMT device must be registered within DNS Bis Step 2 Discover Capab tes Di Step 3 View Intel AMT Capable Computers Intel SCS ep 4 Create Profs The Notification Server with Out of Band Management Solut
70. l AMT WebUI is a Web browser based interface for limited remote computer management The WebUI is often used as a test to determine if Intel AMT setup and configuration was performed properly on a computer A successful remote connection between a remote computer and the host computer running the WebUI indicates proper Intel AMT setup and configuration on the remote computer The Intel AMT WebUI is accessible from any Web browser such as the Internet Explorer or Netscape Limited remote computer management includes Hardware inventory Event logging Remote computer reset Changing of network settings Addition of new users K NOTE Information on using the WebUI interface is available on the Intel AMT website Perform the following steps to connect to the Intel AMT WebUI on a computer that has been configured and set up il 2 3 Turn on an Intel AMT capable computer that has completed Intel AMT setup and configuration Launch a Web browser from a separate computer such as a management computer on the same subnet as the Intel AMT computer Connect to the IP address specified in the MEBx and port of the Intel AMT capable computer example http ip address 16992 Or http 192 168 2 1 16992 o By default the port is 16992 L NOTE Use port 16993 and https to connect to the Intel AMT WebUI on a computer that has been configured and set up in the Enterprise mode o If DHCP is used then use the fully qualified domain name FQDN
71. lated to the Intel Management Engine Extended System Details a FF yn Ee Li Leam more L NOTE When the user logs on to Windows the Intel Management and Security Status application may start automatically The icon will be loaded to the notification area only if Intel AMT or Intel Standard Manageability is enabled on the platform If the Intel Management and Security Status application is started manually via the Start menu the icon is loaded even if none of these technologies are enabled as long as all the drivers have been installed L NOTE The information displayed in the Intel Management and Security Status is not shown in real time The data is refreshed at different intervals Information on this page provided by Intel Troubleshooting This page describes a few basic troubleshooting steps to follow if problems are experienced with the Intel AMT configuration Check DSN for more troubleshooting options Return to Default Return to Default is also known as un provisioning An Intel AMT setup and configured computer can be un provisioned using the Unconfigure Network Access option on the ME General Settings screen Follow the step below to un provision a computer l Select Un Provision and then select Full Un provision This option returns all Intel AMT configuration settings to factory defaults and does not reset ME configuration settings or passwords An un provisioning message displays after about one min
72. lect DHCP Mode and press Enter The Wired LAN IPv4 Configuration page appears Opin MBesHpion If DHCP mode is disabled the following static TCP IP settings are required for Intel Disabled AMT If a system is in static mode the system may require a second IP address This IP address often called the Intel ME IP address may be different from the host IP address Enabled DHCP Mode is enabled TCP IP settings will be configured by a DHCP server DHCP mode enabled Intel R Management Engine BIUS Extension v 7 H H HH43 InteltR ME v7 H H 1H8Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I DHCP Mode Previous Menu ESC Exit t Select ENTER Access Enabled DHCP mode disabled Intel R Management Engine BIOS Extension v 7 H H HH43 InteltR ME v7 H H 1H83Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I NHCP Mode IPY4 Address subnet Mask Address Default Gateway Address Preferred DANS Address Alternate DNS Address Previous Menu LENTER Access ESC Exit t Select 2 1Pv4 Address Select I Pv4 Address and press Enter Type the IPv4 Address in the address column and press Enter Intel R Management Engine BIOS Extension v 7 H H HH43 InteltR ME v7 H H 1H8Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I DHCP Hode subnet Mask Address Default Gateway Address Preferred DNS Address Alternate DNS Address Previ
73. lient systems by following the inks in the Enable Hardware Management section at fie top of tie quick start task menu on the Bert Clicking any link on the quick start task menu opens the target task policy or report in this window Click the View Repeat button on any of ihe five hardware management task pages to lean fme status ofthe task Please note mal depending upon your Hotificaion Server configuration setings and other factors mese ASF and AMT Setup and Tasks ASF Quick Stan E AMT iat Quick raputas may take some time to begin retuming data the first time you enable the policy or task tat is being Summaries reported on Dell Client Discovery and 5 installation Summary First Time Setup If you vir just iasTaliad Aliris Hobficabon Server for the first tne there are a fies thangs you BOS Configuratian need o do first before you can pertarm Dell Client Manager tasks Links to these tasks are found under the BIOS Upgrades Geng Started section of tha quick start task menu Also depending upon your environment and Management preferences you may want to consider adjusting some Hosificaion Server configuration Reports options bo beter suit your needs Dell Client Manager Agent gd Leam more sf sa PPT TF Gne O xm 4 Click the lt gt to expand the Intel AMT Getting Started section cup ode S Akiris Console 6 5 Zr altiris console ER 3 E Out of Band Management E Ej Art Stand
74. mated Setup and Configuration page appears Intel R Management Engine BIOS Extension v 7 H H HHd43 InteltR HE v7 H H 1H8Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I Lurrent Provisioning Mode Provisioning Record RCFG a Provisioning Server I PU4 1PU6 Provisioning Server FODMN TLS PSE a TLS PKI a Previous Menu ESC Exit T Select ENTER Access Current Provisioning Mode Under the Automated Setup and Configuration select Current Provisioning Mode and press lt Enter gt Current Provisioning Mode Displays the current provisioning TLS Mode None PKI or PSK Intel R Management Engine BIUS Extension v7 H H HHd43 InteltR ME v7 H H 1H8Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved Current Provisioning Mode Provisioning Record RCFG b Provisioning Server IPUA4 IPUE Provisioning Server FODMN TLS PSE b TLS PKI d Previous Menu ESC Exit T Select ENTER Access Provisioning Mode PKI Provisioning Record Under the Automated Setup and Configuration select Provisioning Record and press Enter Provisioning Record Displays the system s provision PSK PKI record data If the data has not been entered the Intel MEBx displays a message stating Provision Record not present 14 8238 M DR Wan uypement Engine BEIM Extension vT ee eee IE v Lopu ight i ZHHBH3 H Intel Cov po t lon ALL its Reserve L INTELCR AUTOMATED SETUP AND CONFIGURATION Current
75. ment Engine BIOS Extension MEBx settings on each Intel AMT ready computer The PPS and PID fields are completed by typing the 32 character and 8 character alpha numeric keys created by the configuration service into the MEBx interface e TLS PKI Commonly referred to as Remote Configuration RCFG or Zero Touch Configuration ZTC This process utilizes a certificate associated with the ProvisionServer The associated certificate hash must be listed within the Intel Management Engine BIOS Extension MEBx TLS PKI refer as Transport Layer Security Public Key Infrastructure Details on using these various methods are available in the next section Using a USB Device This section discusses Intel AMT setup and configuration using a USB storage device You can set up and locally configure password provisioning ID PID and provisioning passphrase PPS information with a USB drive key This is also called USB provisioning USB provisioning allows you to manually set up and configure computers without the problems associated with manually typing in entries NOTE USB provisioning only works if the MEBx password is set to the factory default of admin If the password has been changed reset it to the factory default by clearing the CMOS The following is a typical USB drive key setup and configuration procedure For a detailed walk through using Altiris Dell Client Manager DCM refer to the USB device procedure page rm l Insert a U
76. n Name Shared Dedicated FODN Dynamic DNS Update Periodic Update Interval Previous Menu NOTE The TTL option is only available when Dynamic DNS Update is enabled This setting allows configuring the TTL time in seconds This number should be greater than zero If set to zero firmware uses its internal default value which is 15 min or 1 3 of lease time for DHCP m 7 Previous Menu Under the Intel ME Network Name Settings select Previous Menu and press Enter The Intel ME Network Name Settings menu changes to the Intel Network Setup page Tf re J D c disi 8c C p e T el T L Ci n a 1S T IG xd Under the Network Setup menu select TCP IP Settings and press Enter The Intel Network Setup page appears The Intel Network Setup menu changes to the TCP IP Settings page NOTE The Intel MEBx has menus for Wireless IPv6 but no menu for wireless IPv4 When the Intel MEBx starts it will check for the wireless interface to make the decision to display the wireless IPv6 menu or not A Ia yw il n N i pr a 1 Wired LAN IPv4 Configuration Under the TCP IP Settings select Wired LAN IPv4 Configuration and press Enter The Wired LAN IPv4 Configuration page appears E A A ETT he 1 TU i P 1 H Liol Wired LAN PUB Configuration d Mireless LAN IPUB Configuration Previous Menu 1 DHCP Mode Under Wired LAN IPv4 Configuration se
77. ntel AMT has the factory defined settings The Setup State is a partially configured state in which Intel AMT has been set up with initial networking and transport layer security TLS information an initial administrator password the provisioning passphrase PPS and the provisioning identifier PID When Intel AMT has been set up Intel AMT is ready to receive enterprise configuration settings from a configuration service The Provisioned State is a fully configured state in which the Intel Management Engine ME has been configured with power options and Intel AMT has been configured with its security settings certificates and the settings that activate the Intel AMT capabilities When Intel AMT has been configured the capabilities are ready to interact with management applications Provisioning Methods TLS PKI TLS PKI is also known as Remote Configuration The SCS uses TLS PKI Public Key Infrastructure certificates to securely connect to an Intel AMT enabled computer The certificates can be generated a few ways e he SCS can connect using one of the default certificates pre programmed on the computer as detailed in the MEBx interface section of this document e he SCS can create a custom certificate which can be deployed on the AMT computer by means of a desk side visit with a specially formatted USB thumb drive as detailed in the Configuration Service section of this document e he SCS could use a custom certificate whi
78. nter N Intel R Management Engine BIOS Extension v 7 H H HH43 InteltR ME v7 1 H HH1 Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I Remote Configuration PKI UNS Suffix Manage Hashes Previous Menu SHALL CY N D ESC Exit ENTER Submit The supported hash algorithms are 1 SHA1 2 SHA2 256 3 SHA2 384 If SHAI is not chosen in the next screen you are prompted to select the option of supported SHA2 algorithm Type Y if SHA256 is being used otherwise enter N Intel R Management Engine BIOS Extension v 7 H H HH43 InteltR ME v7 1 H HH1 Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I Remote Configuration PKI UNS Suffix Manage Hashes Previous Menu SHAZS67 C N ESC Exit ENTER Submit When SHA256 is not chosen in the next screen type Y to select SHA2 384 Intel R Management Engine BIOS Extension v 7 H H HH43 InteltR ME v7 1 H 7HH1 Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I Remote Configuration PKI UNS Suffix Manage Hashes Previous Menu SHAS647 CYN ESC I Exit ENTER 1 Submit If N is entered an error message will be shown to prompt the user to select one supported algorithm Intel R Management Engine BIOS Extension v 7 H H HHd43 InteltR ME v7 1 H HH1 Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I Remote Configuration PKI UNS Suffix Manage Hashes Previous Menu I Please Choose a supported
79. ntials HTTP Negotiate credentials The computer goes from the setup state to the provisioned state and then Intel AMT is fully operational Once in the provisioned state the computer can be remotely managed Operating System Drivers Within the operating system AMT Unified driver must be installed to remove unknown devices in the Device Manager Unlike previous version 3 4 or 5 which used to have two separate HECI and LMS SOL drivers from customer re install stand point they are both now in a common package called AMT Unified Driver When the unified driver package is installed it will take care of both PCI devices in the Device Manager AMT Unified Driver The Intel AMT Serial Over LAN SOL Local Manageability Service LMS driver is available on support dell com and on the ResourceCD under Chipset Drivers The driver is labeled Intel AMT SOL LMS Install the driver by double clicking on the installer Once you install the SOL LMS driver the PCI Serial Port entry becomes the I ntel Active Management Technology SOL COM3 entry The Intel AMT Host Embedded Controller Interface HECI driver is available on support dell com and on the ResourceCD under Chipset Drivers The driver is labeled Intel AMT HECI Install the driver by double clicking on the installer Once you install the HECI drivers the PCI Simple Communications Controller entry becomes the Intel Management Engine I nterface entry I ntel AMT Web GUI The Inte
80. om WSS key or toed in manually into the Marogemant Engine BOE Extarnzso area Intel ME Password Delltz3 Export Result To tragte and doennloed USE hey Ma Aat comtqura astings aed dick Ganarate fila and than Close tisk Deneieas USE key Se Pie donrileaded Se t the USB ja nga Device Avadable No data exported yet 26 The Intel ME default password is admin Configure the new Intel ME password for the environment J Altizis C onsole Webpage Dialog E qe e altiris CC AN Generate Security Keys Number of security keys to generate so Factory Default Intekgo Management Engine Password Intel ME Password admin New Intel Management Engine Password THis pranan ir either uploaded From ss koy rtspud in manuali inte the Management Engine BLOE Ewutungsoh Gree Intel ME Password peli123 Export Result To tremte and amp annload USE hey ia lot configure satinga and dick Generate fila and than eji Deemeas USE key TE De Soerileaced Se D the USE Sere Device Avadable No data exported yet BAR acci F Generate keys before export Number of security keys to generate sa Factory Default Intel Management Engine Password Intel ME Password admin Hew Inteks Management Engine Password inim DEZ rear ef ither iho oe fram LISS les or woei in manualls inbz thea Managemant Engine BIOE Extensson screen Inteli ME Password Del 123 TH eresie
81. onfiguration E E Intel AMT Getzng Started S Cj Sector i Protecting E D Baie amsn vet out TLS Step L Configure fee ijs Step 2 Discover Capsodnes Ui Step 3 view Intel AMT Capable Computere d Step 4 Create Profle Description Detects Out of Bond copabilty of Cont system ig ig of Status Events Cie UELUT i tet cr enn be ALONE i risit amete c cnt i amet Y i sien 5 Ganerate Secunty Keys x i 32 bit Windows XP Ci B4 bit Window ta A Step 6 Configure automate Profle Assignments Applies to collections com jte ters A 324 it Windows Vista his ET i i Step 7 Monitor Provisioning Process MM Computers ib S320 8 Monito Profle Assignments i D Grable Security 7 5 E 2 Section 2 Intel AMT Tasks E 7j Reporzs EE Dp Tasks F Run once ASAP F Schedule No schedule has been defined only non at scheduled ome T Run as Egon as possible after the scheduled tima Notify user when the task is available elucet A AA E Jp The Agent installation task has baen savad TUUS p Um Pt LED ae ee Be ee ee ee a ee ee ee ee 13 Select Step 3 View Intel AMT Capable Computers 14 F mm i Coe dr G 5 pm dows Inter wt Explorer Fy altis console Home View ya Hag Tools CE E E Out of Band Management E Eg asiaan Fomai Getting Started if I Cobectons E 3 Configuration E E Intel AMT Geteng Started am
82. onfiqured FQDN from the DHCP option B1 This works only if the DNS and DHCP are xl Done itt IS 1 oy FI ry internet 3 8 E T t 11 Select Step 2 Discovery Capabilities Altiris Cons ole 65 T T TE ret Es ple ret B8 El Outil tard Kajadian d Ej Aet Standard Format Getbeg Started i CJ Colechons B O Configuration B Ej Intel AMT Geteng Started E Sector 1 Provision uM CEN METUS DNS Configuration Intel AMT device setup and configuration requires the presence of a Domain Name System DNS Server The DNS must have information for two entities The computer running Intel SCS Server must be registered i in the DNS ek configured operational Intel AMT device must be registered within DNS Inteks SCS The Notification Server with Out of Band Management Solution installed with i e Intel SCS Server is running on this computer must be registered in the DNS as ProvisionServer This must be done in each DNS Domain When it sends its Hello message the Intel AMT device first uses tha domain name received from the DHCP server If there is more than one SCS in the domain the DNS will alternate between the servers If there are multiple SCS instances or the server platform has a different name then CNAME records need to be added to the DNS Click on the Test button below to verify that DNS has the Provisionserver entry and that it resolves to the correct Intel SCS Server
83. onment detection enabled 2 Remote Connection policy 3 Management Presence Server MPS Putting it all Together To get the Intel Fast Call for help system needs to be in provisioned stated If the system supports Full VPro Intel Fast Call for help will be available for use If the system only supports Intel Standard Manageability Intel Fast call for help is not enabled l Before an Intel Fast Call for help can be started environment detection must be enabled This allows Intel AMT to determine if the system is within the corporate network This is configured through an ISV app 2 A remote connection policy must be created before an Intel Fast call for help can be initiated The policy for the BIOS initiated call does not need to be configured but another policy must exist before initiating a help call from the BIOS The BIOS must support the hot key that initiates the Intel Fast call for help 3 A management presence server must exist to answer the Intel fast calls for help The management presence server resides in the DMZ zone When all of these conditions are satisfied the system is able to initiate an Intel Fast Call for help I nitiating Intel Fast Call for Help Once the feature has been fully configured there are three methods for initiating an Intel Fast Call for help session These include e At the Dell splash screen press Ctrl h e At the Dell splash screen press lt F12 gt for the One Time Boot Menu o Select the
84. ous Menu IP address e g 143 123 123 188 ESC I Exit ENTER 1 Submit 3 Subnet Mask Address Select Subnet Mask Address and press lt Enter gt Type the Subnet Mask Address in the address column and press lt Enter gt Intel R Management Engine BIOS Extension v 7 H H HH43 InteltR ME v7 H H 1H83Z Copyright C 2663 4849 Intel Corporation All Rights Reserved I DHCP Hode IPUA Address subnet Mask Address Default Gateway Address Preferred DNS Address Alternate DNS Address Previous Menu subnet mask e g 255 255 255 H J4 H H H ESC Exit ENTER Submit 4 Default Gateway Address Select Default Gateway Address and press Enter Type the Default Gateway Address in the address column and press Enter Intel R Management Engine BIUS Extension v 7 H H HH43 InteltR HE v7 H H 1H8Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I DHCP Hode IPUA Address subnet Mask Address lefault Gateway Address Preferred DNS Address Alternate DNS Address Previous Menu Default Gateway Address ESC I Exit ENTER 1 Submit 5 Preferred DNS Address Select Preferred DNS Address and press lt Enter gt Type the Preferred DNS Address in the address column and press lt Enter gt Intel R Management Engine BIOS Extension v 7 H H HH43 InteltR ME v7 H H 1H8Z Copyright C ZBH3 H8 Intel Corporation All Rights Reserved I DHCP Hode IPU4 Address subnet Mask Address LLL Gateway Address TY ym m DANS Addr
85. p C 5ectien 1 Provisioning i LI Base Prevsioning without TLS HE nn da hb el cena triste role i Stes 5 Generate Security Keys Step 6 Configure Automatic Profie Assignments Apples to collections Computers All 32 bit Windows Vista COMMITEE i Sten 7 Monitor Provisioning Process Sten 8 Monitor Profle Assignments i D Enabie Security 705 E 2 Section 2 Intel AMT Tasks i O Reports m CJ Tasks Any Intel AMT capable Wiii tr pen in irc Hii CTmyemoAdminieteator Reports Conhgure Help gt Out of Band Discovery Description Detects Out of Band capability of cient system Package name Out of Band Discovery Package Program name out of Band Discovery Program d Enable verbose Reporting of Status Events ma i amt All 32 bit Windows XP Computers All 64 bit Windows Vista Package Multicast Disable download via multicast Scheduling Options C Manual F Run once ASAP Schedule Schedule No schedule has been defined ff Only run at scheduled time Runas soon as possible after the scheduled time F User Can Run I Notify user when the task is available T Warm before running p The Agent installation task has been saved computers on the network are visible in this list E E Alert Standard Formal Getting Started ik C Colectores All Intel AMT Capable Computers amp C
86. reen are e Manageability Feature Selection e SOL IDER KVM Username and Password SOL IDER Legacy Redirection Mode KVM o Previous Menu e User Consent o User Opt in o Opt in Configurable from remote IT o Previous Menu e Password Policy e Network Setup o Network Name Settings Host Name Domain Name Shared Dedicated FODN Dynamic DNS Update Periodic Update Interval TTL Previous Menu o TCP IP Settings Wired LAN IPv4 Configuration DHCP Mode IPv4 Address Subnet Mask Address Default Gateway Address Preferred DNS Address Alternate DNS Address Previous Menu Wired LAN IPv6 Configuration Pv6 Feature Selection IPv6 Interface ID Type IPv6 Address IPv6 Default Router Preferred DNS IPv6 Address Alternate DNS IPv6 Address Previous Menu Wireless LAN IPv6 Configuration Pv6 Feature Selection IPv6 Interface ID Type Previous Menu Previous Menu o Previous Menu e Activate Network Access e Unconfigure Network Access e Remote Setup And Configuration o Current Provisioning Mode o Provisioning Record Oo O OOO a O O O B L L Oo E B uH L E a le e M mma VM gt La an y fey dis i ii Bm om C fe ra pP is gt BD ViahageaDiiitv reature selection t uus wy A D j u um us um liae es m uus ae ae 1 Under the Intel AMT Configuration menu select Manageability Feature Sele
87. rofle Assignments i O Ense Security 1 5 B O Section 2 Intel AMT Tasks iE DJ Reports E O Tasks EB Altiris Console Home a Up S s moa e 5 _confiqured FQDN from the DHCP option 81 This works only if the DNS and DHCP are m j DNS Configuration Intel AMT device setup and configuration requires the presence of a Domain Name System DNS Server The ONS must have information for two entities The computer running Intel SCS Server must be registered in the DNS a A configured operational Intel AMT device must be ragistered within DNS Intel SCS The Notification Server with Out of Band Management Solution installed with i e Intel SCS Server is running on this computer must be registered in the DNS as Provisio r This must be done in each DNS Domain When it sends its Hella message Er nR AMI device first uses the domain name received from the DHCP Server If there is more than one SCS in the domain the ONS will alternate between the servers If there are multipla SCS instances or the server platform has a different name then CNAME records n amp ed to be added to the DNS l Mero on the Test button below to verify that DNS has the Provisionserver entry and that it es to the correct Intel SCS Server Resolved Provision Server TP Resolved Intel Sscs IP Intel AMT Devices Ensure that the DNS is configured with the Fully Qualified Domain Names FQDN of he Inte
88. settings DELL Enable Hardware Management HARDWARE Discover Dell Client Syste MANAGEMENT Configure Agents for 32 bs Hardware Management _ Configure Agents for 4 ba Hardware Management View Client Systems Discovery Ra sults view Client Systems Configured for Hardware Management Welcome Welcome to Dell Client Manager Standard This hardware management solution lets you manage your Dell Preasion workstations OpliPlex desktops and Latitude notebooks from a remote Managemen consola Management capables for certain older models as well as Dell Inspiron notebooks and Dimension deskiops are imited 1o discovery only See he Product Guide for complete lisi of supported models Del Client Manager Standard includes a 30 day licenses If the license is allowed to expire Inventory functions will cease functioning To obtain a trea unlimited icense you mus register your product Gnte you have ablained your unlimited bronge you will need io install it Click hare to install a license Hardware Management Tasks Scan far Inventory Data Scan tor Current BIOS Settings Configure BIOS Selings Upgrade MOS Version Set Monitoring and Alerts Getting Started Quick Start Tasks If you ve already installed the Altiris management framework Altins Motficaton Server phus management agents on fe systems you wish to manage you are ready To enable hardware management on your qualified Dell c
89. sh screen the following screen is displayed INMTELCR REMOTE CONFIGURATION Remote Configuration PKI DNS Suffix Manage Hashes Previous Menu Cybertrust Global Root Verizon Global Root Entrast net CA 2H46 Entrast Root CA UeriSign Universal Root CA PAE Lab Certificate The details of the selected certificate hash are displayed to the user and include the following e Hash Name e Certificate Hash Data e Active and Default States Previous Menu Under the Intel Remote Configuration menu select Previous Menu and press Enter The Intel Automated Setup and Configuration page appears Previous Menu Under the Intel Automated Setup and Configuration menu select Previous Menu and press Enter The Intel AMT Configuration menu appears Previous Menu Under the Intel AMT Configuration menu select Previous Menu and press Enter The Main Menu appears Information on this page provided by Intel Intel Fast Call for Help Intel Fast Call for help is available for VPro SKUs An Intel Fast Call for help connection allows the end user to request assistance if the VPro system is outside the corporate network NOTE It is recommended that to press lt F12 gt and select Fast Call for Help It will only be available when the IT administrator has configured the system to support it Requirements Before an Intel Fast Call connection can be established from the Operating System the VPro system must have 1 Envir
90. sword SOL Legacy Redirection Mode KUM Previous Menu IDER allows an Intel AMT managed client to be booted by a management console from a remote disk image If the client system does not support IDER this value cannot enable it Enabled IDER is enabled Disabled IDER is disabled NOTE Disabling IDER does not remove this feature but prevents it from being used we oe IDs mum RAI Emm Wes 9 a LS wv Ew bw Wl E ld T Vas Vu Ww E Y il bw oe T tet ww Under the SOL IDER page select Legacy Redirection Mode and press Enter Intel R Management Engine BIOS Extension v7 H BH HBd3 Intel CR ME v 7 H H 1H87Z Copyright C ZHH3 B8 Intel Corporation All Rights Reserved I Username and Password SOL IDER KUM Previous Menu ESC Exit t Select ENTER1 Access Legacy Redirection Mode controls how the redirection works If set to disabled the console needs to open the redirection ports before each session This is meant for Enterprise consoles and new SMB consoles that support opening the redirection ports The old SMB consoles before Intel AMT 6 0 which do not support opening the redirection ports function need to manually turn on the redirection port through this Intel MEBx option When selecting the mode the following message appears Intel R Management Engine BIOS Extension v7 H H HBd3 IntelCR ME v 7 H H 1H87Z Copyright C ZHH3 B8 Intel Corporation All
91. tel ME is in MO it will NOT transition to M off sapere AAA Pest ous Menu Under the Intel ME Platform Configuration menu select Previous Menu and press lt Enter gt The Intel ME Platform Configuration page appears m ER 4 D MCI i E NE WWE o Hog pom y A ous M ue Wl wu 1 8 enu Under the Intel ME Platform Configuration menu select Previous Menu and press Enter The Main Menu appears Information on this page provided by AMT Configuration After you configure the Intel Management Engine ME feature you must reboot before configuring the Intel AMT for a clean system boot The following image shows the I ntel AMT configuration menu after a user selects the I ntel AMT Configuration option from the Management Engine BIOS Extension MEBx main menu This feature allows you to configure an Intel AMT capable computer to support the Intel AMT management features L NOTE You need to have a basic understanding of networking and computer technology terms such as TCP IP DHCP VLAN IDE DNS subnet mask default gateway and domain name Explaining these terms is beyond the scope of this document To navigate to the I ntel AMT Configuration page perform the following steps 1 Under the Management Engine BI OS Extension MEBx main menu select Intel AMT Configuration Press Enter The Intel AMT Configuration screen appears The quick links displayed on the Intel AMT Configuration sc
92. to Enabled in order to work with Legacy SMB consoles NOTE Customers may purchase TLS permanently disabled from the factory due to restrictions on encryption technology in their country of delivery therefore customers cannot re enable TLS ri NOTE KVM is supported only with integrated graphics CPU and system should be in integrated graphics mode Manual configuration can be performed using the following six steps Flash image with system BIOS and FW Enter the Intel MEBX via lt F12 gt menu and enter default password admin and then change password Enter Intel ME General Settings menu Select Activate Network Access Select Y in the confirmation message Exit the Intel MEBx O Ui 43 UJ NJ H2 NOTE You can also accomplish the activation through external means or through Operating System using Intel Activator tool Setup and Configuration Overview The following is a list of important terms related to the Intel AMT setup and configuration e Setup and configuration The process that populates the Intel AMT managed computer with usernames passwords and network parameters that enable the computer to be administered remotely e Configuration service A third party application that completes the Intel AMT provisioning e Intel AMT WebUI A Web browser based interface for limited remote computer management You must set up and configure Intel AMT in a computer before using it Intel AMT setup readies the computer
93. ture of management software is that it is not always dynamic or real time You may have to repeat an action multiple times to cause a result l Format a USB device with the FAT16 file system and no volume label and then set it aside rd My Computer Eie Edt Yew Favorites Toos Heb Format Removable Disk EJ 32 x Gre O m EP E Address 4 My Computer Capacity Name Type 243 MB System Tasks Hard Disk Drives File system a View system information et Local Disk C Local Disk Th Add or remove programs FAT jd change a setting Devices with Removable Storage l md d Sp i Allocation unit size EC amp di a CD Drive Di CD Drive Default allocation size I all de EUIS Nia Removable Dick Default allocation size Volume label ee Format options Other Places E W My Network Places Ej My Documents Je Control Panel Details 2 Enable Compression Greate an MS DOS startup disk Removable Disk E Removable Disk File Sysbem FAT E cose 2 Open the Altiris Dell Client Manager application by double clicking the desktop icon or through the Start menu epa Manager Standard 3 Select AMT Quick Start from the left navigation menu to open the Altiris Console F Altiris Quick Start Console Windows meere Een Gelimg Stared Discover Manageable Ftaesources install the abris Agent Configure Altiris Agent
94. ute After the un provisioning completes control is passed back to ME General Settings screen l Select Return to previous menu 2 Select Exit and then press y The computer restarts Firmware Flash Flash the firmware to upgrade to newer versions of Intel AMT The automatic flash feature can be disabled by selecting Disabled under the Secure Firmware Update setting in the MEBx interface If this setting is disabled a firmware error message appears when flashing the BIOS Serial Over LAN SOL IDE Redirection lI DE R If you cannot use IDE R and SOL perform these steps At the initial boot screen press Ctrl p to enter the MEBx screens A prompt for the password appears Type the new Intel ME password Select Unconfigure Network Access Press Enter Select Y Press Enter Select Full Unprovision Press Enter Reconfigure the settings under the AMT Configuration menu option shown here O Ui 43 UJ NJ r2
Download Pdf Manuals
Related Search