HP Business Notebook Intel® vPro™ setup and configuration
2011 Business Notebook Models
Technical white paper

Table of contents
Executive summary 2
Supported models and background 2
Intel Active Management Technology (AMT) setup and configuration ...
Executive summary

Select HP ProBook and EliteBook models use Intel vPro processor technology to simplify PC management and reduce IT-related expenditures. Intel vPro processor technology uses Intel Active Management Technology (AMT), which allows for improved management of PC systems and better security. AMT provides Out-of-Band (OOB) remote access to a system regardless of the system power state or operating system condition, as long as the system is connected to a power source and a network.
Intel Active Management Technology (AMT) setup and configuration

AMT must be set up and configured in a system before it can be used. AMT setup involves the steps necessary to enable AMT, such as setting up the system for AMT mode and enabling network connectivity. It is generally performed only once for the lifetime of the system. When AMT is enabled, it can be discovered by management software over a network.
MEBx password guidelines

MEBx passwords must meet the minimum criteria to be accepted. These restrictions are enforced by the MEBx to reduce the vulnerability of passwords to a dictionary attack. The criteria are as follows:
Password must be between 8 and 32 characters long.
Password must contain both upper and lower case Latin characters (e.g. A, a, B, b).
Password must have at least one digit character (e.g. 0, 1, 2 … 9).
4. Go into the Intel ME General Settings.
5. FW Update Settings
   Local FW Update
   Default Setting: Enabled
   Recommended Setting: Enabled
   By default, the system BIOS allows local ME FW updates without password protection. However, the administrator can change the Local FW Update setting to Password Protected.
6. Set PRTC
   Default Setting: None
   Recommended Setting: Current Date and Time
   This option sets the PRTC (Protected Real Time Clock).
   Recommended Setting: Enabled
   Select Enabled.
   This option allows users and passwords to be added from the WebGUI. If it is disabled, then only the administrator has MEBx remote access.
b. SOL
   Default Setting: Enabled
   Recommended Setting: Enabled
   Select Enabled.
   This option enables / disables Serial Over LAN (SOL) functionality.
c. IDER
   Default Setting: Enabled
   Recommended Setting: Enabled
   Select Enabled.
   This option enables / disables IDE Redirection (IDE-R) functionality.
d.
Select Default Password Only.
This option determines when the user is allowed to change the Intel MEBX password through the network. The Intel MEBX password can always be changed via the Intel MEBX user interface.
Default Password Only – The Intel MEBX password can be changed through the network interface if the default password has not been changed yet.
If Dynamic DNS Update is enabled, then the firmware will actively try to register its IP addresses and FQDN in DNS using the Dynamic DNS Update protocol. If DDNS Update is disabled, then the firmware will make no attempt to update DNS using DHCP option 81 or Dynamic DNS update.
   Leave as default value and hit Enter.
   Default Setting: 0.0.0.0
   Recommended Setting: Network Dependent
   Leave as 0.0.0.0 if this option is not needed.
f. Alternate DNS Address
   Leave as default value and hit Enter.
   Default Setting: 0.0.0.0
   Recommended Setting: Network Dependent
g. Wired LAN IPV6 Configuration
   Select the Enabled option for IPV6 Feature Selection.
   If DHCP is disabled, then steps 15b through 15f are required to configure the IPV6 static IP address.
   i.
   v. Alternate DNS IPV6 Address
      Enter the Alternate DNS IPV6 Address.
      Default Setting: None
      Recommended Setting: Network Dependent
      Example: 2001:db8::1428:57ab
h. Wireless LAN IPV6 Configuration
   Select the Enabled option for IPV6 Feature Selection.
   If DHCP is disabled, then steps 15b through 15f are required to configure the IPV6 static IP address.
   i. IPV6 Interface ID Type.
PIDs are 8 characters long and PPS are 32 characters. There are dashes between every set of four characters, so, counting dashes, PIDs are 9 characters and PPS are 40 characters. Once these PIDs and PPS are generated, they are added to the Setup and Configuration Server's secure PSK database. This database can be transferred to another Setup and Configuration Server's database.
Here is a brief outline of the initial communication between an AMT client system and an SCS:
1.
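The following is an added example, not HP's or Intel's code, that checks values against the MEBx password guidelines above and the PID/PPS format described here before they are typed into the MEBx or loaded into an SCS PSK database. It assumes PID and PPS characters are alphanumeric (the paper gives only their lengths) and uses constructed sample values.

```python
from typing import Dict, List, Optional
import string

# Added example, not HP's or Intel's code. Validates MEBx passwords against the
# guidelines in this paper (8-32 chars, upper and lower case, a digit) and
# PID/PPS values against the stated lengths with optional dashes every 4 chars.

PASSWORD_MIN_LEN, PASSWORD_MAX_LEN = 8, 32   # MEBx password length limits
PID_LEN, PPS_LEN = 8, 32                     # characters without dashes
KEY_ALPHABET = set(string.ascii_uppercase + string.digits)  # assumption: alphanumeric


def check_mebx_password(password: str) -> List[str]:
    """Return the guideline violations for a candidate MEBx password ([] = OK)."""
    problems = []
    if not PASSWORD_MIN_LEN <= len(password) <= PASSWORD_MAX_LEN:
        problems.append("length must be 8 to 32 characters")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("needs an upper-case Latin letter")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("needs a lower-case Latin letter")
    if not any(c in string.digits for c in password):
        problems.append("needs a digit")
    return problems


def normalize_psk_value(value: str, raw_len: int) -> Optional[str]:
    """Return a PID/PPS with dashes removed, or None if it is malformed.

    Dashes are optional on input; when present they must split the value into
    groups of exactly four characters, matching the dashed form the paper describes.
    """
    groups = value.strip().upper().split("-")
    if len(groups) > 1 and any(len(g) != 4 for g in groups):
        return None
    raw = "".join(groups)
    if len(raw) != raw_len or not set(raw) <= KEY_ALPHABET:
        return None
    return raw


def validate_provisioning_record(password: str, pid: str, pps: str) -> Dict[str, object]:
    """Validate one Enterprise-mode record before it enters the SCS PSK database."""
    result = {
        "password_problems": check_mebx_password(password),
        "pid": normalize_psk_value(pid, PID_LEN),
        "pps": normalize_psk_value(pps, PPS_LEN),
    }
    result["ok"] = not result["password_problems"] and None not in (result["pid"], result["pps"])
    return result


if __name__ == "__main__":
    # Constructed sample values; the default "admin" password fails the guidelines.
    print(validate_provisioning_record("admin", "ABCD-1234", "ABCD-EFGH-IJKL-MNOP-QRST-UVWX-YZ01-2345"))
```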
This option determines whether the local MEBx password can be modified from a remote console.
Option: Default Password Only
Effect: This option allows the MEBx password to be remotely modified only if it is the default “admin” password.
Option: During Setup and Configuration
Effect: This option allows the MEBx password to be remotely modified only during setup and configuration of the AMT platform.
Option: Anytime
Effect: This option allows the MEBx password to be remotely modified at any time.
10.
      Enter the Preferred DNS IPV6 Address.
      Default Setting: None
      Recommended Setting: Network Dependent
      Example: 2001:db8::1428:57ab
   v. Alternate DNS IPV6 Address
      Enter the Alternate DNS IPV6 Address.
      Default Setting: None
      Recommended Setting: Network Dependent
      Example: 2001:db8::1428:57ab
12. Skip Activate Network Access.
13. Skip Un-Configure Network Access.
14. Go into Remote Setup And Configuration. This is the menu where the Enterprise mode provisioning data is entered.
   a. Current Provisioning Mode.
   Recommended Setting: Network Dependent
   This option is used in Enterprise mode when an Intel AMT Setup and Configuration (Provisioning) Server is available. It points to the IP address of the SCS. If the IP is left as the default, the ME will look for “ProvisionServer” in DNS. The default port for many SCS products is 9971. Some ISVs may require additional settings, such as the SCS port number and SCS IP address. Contact your Management Console ISV for more details.
d. Provisioning Server FQDN.
   i.
   Recommended Setting: Enabled
   By default, the BIOS allows the ME firmware to be updated without password protection. The administrator can select Password Protected (the user must then provide the password in order to upgrade the ME firmware).
16. Skip Set PRTC.
17. Power Control
   a. Intel ME ON in Host Sleep States.
      Default Setting: Desktop: ON in S0
      Recommended Setting: Desktop: ON in S0, ME Wake in S3, S4-5
   b.
   This option allows users and passwords to be added from the WebGUI. If it is disabled, then only the administrator has MEBx remote access.
c. Serial Over LAN
   Default Setting: Enabled
   Recommended Setting: Enabled
   i. Select Enabled.
d. IDE Redirection
   Default Setting: Enabled
   Recommended Setting: Enabled
   i. Select Enabled.
f. Legacy Redirection Mode.
   Default Setting: Disabled
   Recommended Setting: Disabled
   Select Disabled.
   This option allows the Redirection feature to work with the pre-AMT 7.
24. The system will reboot.
25. Turn off the system and remove power. At this point the system is out of Factory Mode and is in In-Setup mode. It is ready to be deployed in a corporation.
26. The user plugs the system into a power source and connects the network. Only use the integrated Intel NIC. Intel AMT does not work with any other NIC solution.
27. When power is reapplied to the system, it will immediately look for a Setup and Configuration Server.
31. The system goes from In-Setup phase to Operational phase. AMT is fully operational. Once in the Operational phase, the system can be remotely managed and can be provided to the end-user for regular use.
Alternatively, the customer can provide HP with their own set of Admin Password, PID, and PPS to use for the order. HP will use the customer generated Admin PW, PID and PPS to bring the systems into the In-Setup phase. In the second stage, the customer receives the In-Setup systems and the PID, PPS, and password information. The PID, PPS, and password information is integrated into the customer Setup and Configuration Server. The In-Setup systems are then connected to the network and powered on.
6. The system BIOS will check for a USB drive key.
   a. If found, the BIOS will look for a Setup.bin file at the beginning of the drive key.
      i. Go to Step 7.
   b. If no USB drive key or Setup.bin file is found, then boot normally.
      ii. Ignore Steps 7-11.
7. The system BIOS will display a message that automatic setup and configuration will occur.
   a. The first available record in the Setup.bin will be read into memory.
      iii. Validate the file header record.
      iv. Locate the next available record.
      v.
remote console application initiates the process by communicating with the ME through the HECI driver. This requires a functional OS and agent to be installed on the AMT system. Optionally, OTP authentication can be used. The remote console provides the OTP to the AMT system and to the SCS. Consult your ISV management console provider for details on OS agents for Delayed remote configuration support.
a. Remote Configuration Enable/Disable
   Default Setting: Enabled
   Recommended Setting: Enabled
   This option enables or disables Remote Configuration.
b. Set PKI DNS Suffix
   This option allows the PKI DNS Suffix of the SCS to be entered.
c. Manage Certificate Hashes
   This option shows the hashes in the system, including the name of the hash and whether it is active or not. If no hashes are in the system, then an option to add one is available.
   will be deleted and the default hash will be made active. It does not reset all ME Configuration settings or passwords.
   Partial unprovisioning is available for Enterprise mode provisioned systems. Partial unprovisioning will return all AMT Configuration settings to factory defaults with the exception of the PID, PPS, and PKI-CH. It does not reset ME Configuration settings or passwords.
b. An un-provisioning message will appear. This usually takes about one minute.
c.
Connecting with the Intel AMT WebGUI - SMB Example:
1. Power on an AMT system that has completed AMT Setup and Configuration.
2. Run a web browser from a separate system, a management PC that is on the same subnet as the AMT PC.
3. Connect to the IP address specified in the MEBx and the port of the AMT system.
   a. By default the port is 16992.
   b. If DHCP was used, then use the Fully Qualified Domain Name (FQDN) for the ME. The FQDN is the combination of the hostname and domain.
   Example A: http://192.
Appendix A: Frequently Asked Questions

Q: How can the MEBx be locally accessed?
A: The MEBx can be locally accessed by pressing CTRL-P during POST.

Q: Why is the CTRL-P prompt not displayed during POST?
A: By default the CTRL-P prompt is hidden during POST, but it can be displayed if set in F10 Setup.

Q: What is the default username and password for the MEBx?
A: The default username and password are both “admin”.
Q: Why does Wake-On-ME not work after the Idle Timeout is set?
A: The Wake-On-ME feature only works if the ME ON in Host Sleep State setting is set to allow ME WoL and the system is fully provisioned.
Appendix B: Power / Sleep / Global states explained

Under the Advanced Configuration and Power Interface (ACPI) specification, a PC can be in one of several power states. These power states are also known as Sleep (Sx) states or Global (Gx) states.
S0 is the ON state. The PC is fully functioning. All system devices and the operating system, if available, are running. S0 is also known as G0.
S3 is the Standby (Microsoft terminology) or Suspend-to-RAM state.
Appendix C: Wake-On-ME explained

Wake-On-ME, also known as ME WoL, is a feature that allows the ME to go into a low power state when it is not used. Two conditions must be met for Wake-On-ME to function:
The system is in a sleep state: S3, S4, or S5.
The ME On in Host Sleep State setting is set to allow ME WoL.
The system must be in a sleep state (S3, S4, or S5) for Wake-On-ME to function. If the system is running (S5), then the ME is also running.
For more information

To learn more about HP business notebooks, contact your local HP sales representative or visit www.hp.com/go/notebooks.

© Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.