Intel® Active Management Technology v4.
Overview
Intel® Active Management Technology (Intel AMT) allows companies to easily manage their networked computers in the following ways: Discover computing assets on a network regardless of whether the computer is turned on or off – Intel AMT uses information stored in nonvolatile system memory to access the computer. The computer can even be accessed while it is powered off (also called out-of-band or OOB access).
Operational Modes
Intel® AMT can be set up for either Enterprise or Small and Medium Business operational modes (also called provisioning models). Both operational modes support dynamic and static IP networking. If you use dynamic IP networking (DHCP), the Intel AMT host name and the operating system host name must match. You must also configure both the operating system and Intel AMT to use DHCP.
Setup and Configuration Overview
The following is a list of important terms related to the Intel® AMT setup and configuration.
Setup and configuration — The process that populates the Intel AMT-managed computer with usernames, passwords, and network parameters that enable the computer to be administered remotely.
Provisioning — The act of setting up and configuring Intel AMT.
Configuration service — A third-party application that completes the Intel AMT provisioning.
The act of setting up and configuring Intel® AMT is known as provisioning. There are two methods of provisioning a computer with Enterprise mode:
Legacy
IT TLS-PSK
Legacy
If you want Transport Layer Security (TLS), execute the legacy method of Intel AMT setup and configuration on an isolated network separate from the corporate network.
MEBx Settings Overview
The Intel® Management Engine BIOS Extension (MEBx) provides platform-level configuration options for you to configure the behavior of the Management Engine (ME) platform. Options include enabling and disabling individual features and setting power configurations. This section provides details about MEBx configuration options and constraints, if any. All the ME Platform Configuration setting changes are not cached in MEBx.
Intel AMT Configuration
Change Intel ME Password
The Intel ME Configuration and Intel AMT Configuration menus are discussed on the following pages. First, the password must be changed in order to proceed through these menus.
Changing the Intel ME Password
The default password is admin and is the same on all newly deployed platforms. You must change the default password before changing any feature configuration options.
ME Configuration Menu
To reach the Intel® Management Engine (ME) Platform Configuration page, follow these steps:
1. Under the Management Engine BIOS Extension (MEBx) main menu, select ME Configuration. Press .
2. The following message appears: System resets after configuration changes. Continue: (Y/N)
3. Press . The ME Platform Configuration page opens. This page allows you to configure the specific functions of the ME such as features, power options, and so on.
When enabled, the ME State Control option lets you disable ME to isolate the ME computer from the main platform while debugging a field malfunction. The table below illustrates the details of the options.
ME Platform State Control
Option – Description
Enabled – Enable the Management Engine on the platform
Disabled – Disable the Management Engine on the platform
In fact, the ME is not really disabled with the Disabled option.
Intel ME Features Control The ME Features Control menu contains the following configuration selection. Manageability Feature Selection When you select the Manageability Feature Selection option on the ME Features Control menu, the ME Manageability Feature menu appears.
You can use this option to determine which manageability feature is enabled. ASF — Alert Standard Format. ASF is a standardized corporate assets management technology. The Intel ICH9 platform supports ASF specification 2.0. Intel AMT — Intel Active Management Technology. Intel AMT is an improved corporate assets management technology. The table below explains these options.
menu loads. The power package selected determines when the ME is turned ON. The default power package is Mobile: ON in S0. The end user administrator can choose which power package is used depending on computer usage. The power package selection page can be seen above. * Information on this page provided by Intel.
AMT Configuration Menu
After you completely configure the Intel® Management Engine (ME) feature, you must reboot before configuring the Intel AMT for a clean system boot. The image below shows the Intel AMT configuration menu after a user selects the Intel AMT Configuration option from the Management Engine BIOS Extension (MEBx) main menu. This feature allows you to configure an Intel AMT capable computer to support the Intel AMT management features.
TCP/IP Allows you to change the following TCP/IP configuration of Intel AMT. Network interface – ENABLE** / DISABLED If the network interface is disabled, all the TCP/IP settings are no longer needed. DHCP Mode – ENABLE** / DISABLED If DHCP Mode is enabled, TCP/IP settings are configured by a DHCP server. If DHCP mode is disabled, the following static TCP/IP settings are required for Intel AMT. If a computer is in static mode it needs a separate MAC address for the Intel Management Engine.
Current Provisioning Mode – Displays the current provisioning TLS Mode: None, PKI, or PSK. This configuration is only shown in Enterprise Provision Model. Provisioning Record – Displays the provision PSK/PKI record data of the computer. If the data has not been entered, the MEBX displays a message that states "Provision Record not present". If the data is entered, the Provision Record displays the following: TLS provisioning mode – Displays the current configuration mode of the computer: None, PSK or PKI.
change the active status of the certificate press the <+> key. To delete the hash press the key. To add another key press the key. Set FQDN – Sets the fully qualified domain name for the computer. Set PKI DNS suffix – Sets the PKI DNS suffix. TLS PSK The submenu contains the settings for TLS PSK configuration settings. Setting or deleting the PID/PPS causes a partial unprovision if the setup and configuration is "In-process". Set PID and PPS – Sets the PID and PPS.
Remote Configuration Enable/Disable The selectable options are Enable and Disable. If Remote Configuration is disabled, the menu options underneath are still displayed, but are not used until Remote Configuration is enabled. This option cannot be modified once the setup and configuration process is in process. This parameter can only be modified while the computer is in the factory default or un-provisioned state.
The Manage Certificate Hash screen has several keyboard controls available to you to manage the hashes on the computer.
Change the active state of this hash? (Y/N) prompt. Answering yes to this question toggles the active state of the currently selected certificate hash. Setting a hash as active indicates that the hash is available for use during PSK provisioning. Viewing a Certificate Hash Press in the Manage Certificate Hash screen. The details of the selected certificate hash are displayed, including the hash name, the certificate hash data, and the active and default states.
Un-provision The Un-Provision option allows you to reset the Intel AMT configuration to factory defaults. There are two types of unprovision: Full Un-provision – This option resets all of the Intel AMT settings to their default values. If a PID/PPS value is present, both values are lost. The MEBx password remains untouched. CMOS clear – This un-provision option is not available in the MEBx. This option clears all values to their default values. If a PID/PPS is present, both values are lost.
SOL/IDE-R Username and Password – DISABLED** / ENABLED This option provides the user authentication for SOL/IDER session. If the Kerberos protocol is used, set this option to Disabled and set the user authentication through Kerberos. If Kerberos is not used, you have the choice to enable or disable user authentication on the SOL/IDER session. Serial-Over-LAN (SOL) – DISABLED** / ENABLED SOL allows the Intel AMT managed client console input/output to be redirected to the management server console.
Password Policy There are two passwords present for the firmware. The MEBX password is the password that is entered when a user is physically at the system. The network password is the password that is entered when accessing an ME enabled system through the network. This option determines when the network password and the MEBX password will be synched. The MEBX password can still be modified by users directly in front of the system.
Secure Firmware Update This option allows you to enable/disable secure firmware updates. Secure firmware update requires an administrator user name and password. If the administrator user name and password are not supplied, the firmware cannot be updated. When the secure firmware update feature is enabled, you are able to update the firmware using the secure method. Secure firmware updates pass through the LMS driver.
Set PRTC Enter PRTC in GMT (UTC) format (YYYY:MM:DD:HH:MM:SS). Valid date range is 1/1/2004 – 1/4/2021. Setting PRTC value is used for virtually maintaining PRTC during power off (G3) state. This configuration is only displayed for the Enterprise Provision Model.
Idle Timeout Use this setting to define the ME WOL idle timeout. When this timer expires, the ME enters a low-power state. This timeout only takes effect when one of the ME WOL power policies is selected. Enter the value in minutes.
Intel AMT in DHCP Mode Settings Example The table below shows a basic field settings example for the Intel AMT Configuration menu page to configure the computer in DHCP mode. Intel AMT Configurations Example in DHCP Mode Intel AMT Configuration Parameters Values Intel AMT Configuration Select and press . Host Name Example: IntelAMT This is the same as the operating system machine name. Set the parameters as follows: TCP/IP Enable Network interface Enable DHCP Mode Set a domain name (e.g., amt.
The table below shows a basic field settings example for the Intel AMT Configuration menu page to configure the computer in static mode. The computer requires two MAC addresses (GBE MAC address and Manageability MAC Address) to operate in static mode. If there is no Manageability MAC address, Intel AMT cannot be set in static mode.
MEBx Defaults
The table below lists all the default settings for the Intel® Management Engine BIOS Extension (MEBx).
Anytime
Secure Firmware Update – Disabled / Enabled *
Set PRTC – blank
Idle Timeout – Timeout Value (0x0-0xFFFF) – 1
*Default setting
**May cause Intel AMT partial unprovision
1 Intel ME Platform State Control is only changed for Management Engine (ME) troubleshooting.
2 In Enterprise mode, DHCP automatically loads the domain name.
3 Un-provision setting only seen if the box is provisioned.
Setup and Configuration Methods Overview
As discussed in the Setup and Configuration Overview section, the computer has to be configured before the Intel AMT capabilities are ready to interact with management application.
Configuration Service
This section discusses Intel® AMT setup and configuration using a USB storage device. You can set up and locally configure password, provisioning ID (PID), and provisioning passphrase (PPS) information with a USB drive key. This is also called USB provisioning. USB provisioning allows you to manually set up and configure computers without the problems associated with manually typing in entries.
MEBx Interface (Enterprise Mode)
The Intel® Management Engine BIOS Extension (MEBx) is an optional ROM module that Intel provides to Dell™ to be included in the Dell BIOS. The MEBx has been customized for Dell computers. Enterprise mode (for large corporate customers) requires a setup and configuration server (SCS). An SCS runs an application over a network that performs Intel AMT setup and configuration. The SCS is also known as a provisioning server as seen in the MEBx.
One uppercase letter
One lowercase letter
A number
A special (nonalphanumeric) character, such as !, $, or ; (excluding the :, ", and , characters)
The underscore ( _ ) and spacebar are valid password characters but do NOT add to the password complexity.
4. Change the password to establish Intel AMT ownership. The computer then goes from the factory-default state to the setup state.
5. Select Intel ME Configuration, and then press .
6. Press when the following message appears: System resets after configuration change. Continue (Y/N).
Intel ME State Control is the next option. The default setting for this option is Enabled. Do not change this setting to Disabled. If you want to disable Intel AMT, change the Manageability Feature Selection option to None in step 9.
7. Select Intel ME Firmware Local Update. Press . 8. Then, select either Enabled or Disabled, and press . The default setting for this option is Disabled.
9. Select Intel ME Features Control, and then press .
Manageability Feature Selection is the next option. This feature sets the platform management mode. The default setting is Intel AMT. Selecting the None option disables all remote management capabilities.
10. Select Return to Previous Menu, and then press .
11. Select Intel ME Power Control, and then press .
Intel ME ON in Host Sleep States is the next option. The default setting is Mobile: ON in S0.
12. Select Return to Previous Menu, and then press .
13. Select Return to Previous Menu, and then press .
14. Exit the MEBx Setup and save the ME configuration. The computer displays an Intel ME Configuration Complete message and then restarts. After the ME configuration is complete, you can configure the Intel AMT settings. Intel AMT Configuration To enable Intel AMT Configuration settings on the target platform, perform the following steps: 1. At the initial boot screen, press to re-enter the MEBx screens as seen in step 1 of "Enabling Management Engine for Enterprise Mode." 2.
4. Select Host Name, and then press . 5. Type in a unique name for this Intel AMT machine, and then press . Spaces are not accepted in the host name. Make sure there is not a duplicate host name on the network. Host names can be used in place of the computer's IP for any applications requiring the IP address.
6. Select TCP/IP. Press . 7.
8. Type the domain name into the Domain name field.
9. Select Provision Model from the menu, and then press . 10.
11. Select Setup and Configuration from the menu, and then press .
12. Select Current Provisioning Mode to display the current mode, and then press . The current provisioning mode is displayed. Press or to exit.
13. Select Provisioning Record from the menu, and then press . The screen displays the provision PSK/PKI record data of the computer. If the data has not been entered, the MEBX displays a message that states Provision Record not present If the data is entered, the Provision Record displays one of several messages.
14. Select Provisioning Server from the menu, and then press .
15. Type the provisioning server IP in the Provisioning server address field and press . The default setting is 0.0.0.0. This default setting works only if the DNS server has an entry that can resolve the provision server to the IP of the provisioning server.
16. Type the port in the Port number field and press . The default setting is 0. If left at the default setting of 0, the Intel AMT attempts to contact the provisioning server on port 9971. If the provisioning server is listening on a different port, enter it here.
17. Select TLS PSK from the menu, and then press .
18. Set PID and PPS is the next option. The PID and PPS can be input manually or by using a USB key once the SCS generates the codes. This option is for entering the provisioning ID (PID) and provisioning passphrase (PPS). PIDs are eight characters and PPS are 32 characters. There are dashes between every set of four characters, so including dashes, PIDs are nine characters and PPS are 40 characters. An SCS must generate these entries.
Skip the Delete PID and PPS option. This option returns the computer to factory defaults. See the "Return to Default" section for more information about unprovisioning. 19. Select Return to Previous Menu, and then press .
20. Select TLS PKI from the menu, and then press .
21. Select Remote Configuration Enable/Disable from the menu, and then press . This option is Disabled by default and can be Enabled if the network infrastructure does not support a Certificate Authority (CA).
22. If Enabled, refer to steps 19 through 21. If not Enabled, skip to step 22.
Manage Certificate Hashes option is the next option. Four hashes are configured by default. Hashes can be deleted or added per customer needs.
23. Select Set FQDN from the menu, and then press . 24. Type the FQDN of the provisioning server in the text field and press .
25. Select Set PKI DNS Suffix from the menu. Press . 26. Type the PKI DNS Suffix in the text field and press .
27. Select Return to Previous Menu, and press .
28. Select Return to Previous Menu, and then press . This returns you to the Intel AMT Configuration menu.
Skip the Un-Provision option. This option returns the computer to factory defaults. See the "Return to Default" section for more information about unprovisioning.
29. Select SOL/IDE-R, and then press .
30. Press when the following message appears: [Caution] System resets after configuration changes. Continue: (Y/N) .
User name & Password 31. Select Enabled and then press . This option allows you to add users and passwords from the WebGUI. If the option is disabled, then only the administrator has MEBx remote access.
32. For Serial Over LAN (SOL/IDE-R), select Enabled and then press .
33. For IDE Redirection, select Enabled and then press .
Secure Firmware Update is the next option. The default setting is Enabled.
Skip Set PRTC.
Idle Timeout is the next option. The default setting is 1. This timeout is applicable only when a WoL option is selected for enabling ME for the Enterprise operating mode.
34. Select Return to Previous Menu, and then press .
35. Select Exit, and then press .
36.
The computer restarts. Turn off the computer and disconnect the power cable. The computer is now in setup state and is ready for deployment.
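An added example, not part of the original guide: a Python pre-deployment check of the values entered in the steps above (Intel AMT host name, PID/PPS, provisioning port, MEBx password), run before anyone types them into the MEBx. The record field names, the sample values, the upper-case-letters-and-digits alphabet for PID/PPS and the eight-character minimum password length are assumptions that do not come from the guide.

```python
import re
import string
from collections import Counter

DEFAULT_PROVISIONING_PORT = 9971   # per the guide: contacted when Port number is left at 0
FORBIDDEN_PW_CHARS = set(':",')    # per the guide: excluded from passwords
NON_COMPLEX_PW_CHARS = set("_ ")   # per the guide: valid, but add no complexity
MIN_PW_LENGTH = 8                  # assumption: minimum length is not stated in the text above
# Assumption: PID/PPS use upper-case letters and digits. The guide states only the
# lengths (8 and 32 characters) and a dash between every set of four characters.
PID_RE = re.compile(r"[0-9A-Z]{4}-[0-9A-Z]{4}")
PPS_RE = re.compile(r"[0-9A-Z]{4}(?:-[0-9A-Z]{4}){7}")


def password_problems(pw):
    """Return the reasons a candidate MEBx password fails the complexity rules."""
    problems = []
    if pw == "admin":
        problems.append("factory default password")
    if len(pw) < MIN_PW_LENGTH:
        problems.append("too short")
    if FORBIDDEN_PW_CHARS & set(pw):
        problems.append("contains an excluded character")
    if not any(c in string.ascii_uppercase for c in pw):
        problems.append("no uppercase letter")
    if not any(c in string.ascii_lowercase for c in pw):
        problems.append("no lowercase letter")
    if not any(c in string.digits for c in pw):
        problems.append("no number")
    countable = set(string.punctuation) - FORBIDDEN_PW_CHARS - NON_COMPLEX_PW_CHARS
    if not any(c in countable for c in pw):
        problems.append("no special character")
    return problems


def effective_port(port):
    """Port Intel AMT will actually contact: 0 in the menu means 9971."""
    return DEFAULT_PROVISIONING_PORT if port == 0 else port


def lint_record(rec):
    """Check one planned machine entry (dict with hypothetical field names)."""
    findings = []
    amt, os_name = rec["amt_hostname"], rec["os_hostname"]
    if " " in amt:
        findings.append("space in Intel AMT host name")
    # Host names are compared case-insensitively (a choice made for this example).
    if rec["dhcp"] and amt.casefold() != os_name.casefold():
        findings.append("DHCP mode: Intel AMT and OS host names differ")
    if not PID_RE.fullmatch(rec["pid"]):
        findings.append("PID is not XXXX-XXXX")
    if not PPS_RE.fullmatch(rec["pps"]):
        findings.append("PPS is not eight dash-separated groups of four")
    if not 1 <= effective_port(rec["port"]) <= 65535:
        findings.append("provisioning port out of range")
    return findings


def lint_fleet(records):
    """Return {record index: findings}, adding the duplicate host name check."""
    counts = Counter(r["amt_hostname"].casefold() for r in records)
    report = {}
    for i, rec in enumerate(records):
        findings = lint_record(rec)
        if counts[rec["amt_hostname"].casefold()] > 1:
            findings.append("duplicate Intel AMT host name")
        if findings:
            report[i] = findings
    return report


# Constructed sample plan: host names, PIDs and PPSs below are made up.
SAMPLE_PPS = "AAAA-BBBB-CCCC-DDDD-EEEE-FFFF-0000-1111"
SAMPLE_PLAN = [
    {"os_hostname": "LAT-E6400-01", "amt_hostname": "LAT-E6400-01", "dhcp": True,
     "pid": "4444-GGGG", "pps": SAMPLE_PPS, "port": 0},
    {"os_hostname": "OPTI-760-07", "amt_hostname": "OPTI 760 07", "dhcp": True,
     "pid": "4444GGGG", "pps": SAMPLE_PPS, "port": 9971},
    {"os_hostname": "LAT-E6400-03", "amt_hostname": "lat-e6400-01", "dhcp": False,
     "pid": "1A2B-3C4D", "pps": SAMPLE_PPS[:-5], "port": 0},
]

if __name__ == "__main__":
    for idx, findings in lint_fleet(SAMPLE_PLAN).items():
        print(SAMPLE_PLAN[idx]["amt_hostname"], findings)
    print(password_problems("Passw0rd_1"))
```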
MEBx Interface (SMB Mode)
The Intel® Management Engine BIOS Extension (MEBx) is an optional ROM module that Intel provides to Dell™ to be included in the Dell BIOS. The MEBx has been customized for Dell computers. Dell also supports setup and configuration of Intel AMT in the small and medium business (SMB) mode. The only setting not required in the SMB mode is the Set PID and PPS option. Also, the Provision Model option is set to Small Business instead of Enterprise.
A number
A special (nonalphanumeric) character, such as !, $, or ; (excluding the :, ", and , characters)
The underscore ( _ ) and spacebar are valid password characters but do NOT add to the password complexity.
5. Change the password to establish Intel AMT ownership. The computer then goes from the factory-default state to the setup state.
6. Select Intel ME Configuration, and then press .
7. Press when the following message appears: System resets after configuration change. Continue (Y/N).
Intel ME State Control is the next option. The default setting for this option is Enabled. Do not change this setting to Disabled. If you want to disable Intel AMT, change the Manageability Feature Selection option to None later in this procedure.
8. Select Intel ME Firmware Local Update and then press . 9. Select either Enabled or Disabled, and then press . The default setting for this option is Disabled.
10. Select Intel ME Features Control, and then press .
Manageability Feature Selection is the next option. This feature sets the platform management mode. The default setting is Intel AMT. Selecting the None option disables all remote management capabilities.
11. Select Return to Previous Menu, and then press .
12. Select Intel ME Power Control, and then press .
Intel ME ON in Host Sleep States is the next option. The default setting is Mobile: ON in S0.
13. Select Return to Previous Menu and then press .
14. Select Return to Previous Menu, and then press .
15. Exit the MEBx Setup and save the ME configuration. The computer displays an Intel ME Configuration Complete message and then restarts. After the ME configuration is complete, you can configure the Intel AMT settings. Intel AMT Configuration Enabling Intel AMT for SMB Mode 1. At the initial boot screen, press to re-enter the MEBx screens. 2. When a prompt for the password appears, enter the new Intel ME password. 3. Select Intel AMT Configuration, and then press .
4. Select Host Name, and then press . 5. Type in a unique name for this Intel AMT machine, and then press . Spaces are not accepted in the host name. Make sure there is not a duplicate host name on the network. Host names can be used in place of the computer's IP for any applications requiring the IP address.
6. Select TCP/IP, and then press . 7.
8. Type the domain name into the field.
9. Select Provision Model from the menu, and then press . 10.
11. Skip the Un-Provision option. This option returns the computer to factory defaults. See the "Return to Default" section for more information about unprovisioning. 12. Select SOL/IDE-R. Press .
13. Press when the following message appears: [Caution] System resets after configuration changes.
14. Select Enabled for Username & Password, and then press . This option allows you to add users and passwords from the WebGUI. If the option is disabled, then only the administrator has MEBx remote access.
15. For Serial Over LAN, select Enabled and then press .
16. For IDE Redirection, select Enabled and then press .
Secure Firmware Update is the next option. The default setting is Enabled.
17. Skip Set PRTC.
Idle Timeout is the next option. The default setting is 1. This timeout is applicable only when a WoL option is selected for Intel ME ON in Host Sleep States screen of the process for enabling ME for the Enterprise operating mode.
18. Select Return to Previous Menu, and then press .
19. Select Exit, and then press .
20.
21. After the computer restarts, turn off the computer and disconnect the power cable. The computer is now in setup state and is ready for deployment.
System Deployment
Once you are ready to deploy a computer to a user, plug the computer into a power source and connect it to the network. Use the integrated Intel® 82566DM NIC. Intel Active Management Technology (Intel AMT) does not work with any other NIC solution. When the computer is turned on, it immediately looks for a setup and configuration server (SCS). If the computer finds this server, the Intel AMT capable computer sends a Hello message to the server.
Operating System Drivers
Within the operating system, two drivers must be installed to remove unknown devices in the Device Manager. These drivers are discussed below.
SOL/LMS Driver
The Intel® AMT Serial-Over-LAN (SOL) / Local Manageability Service (LMS) driver is available on support.dell.com and on the ResourceCD under Chipset Drivers. The driver is labeled Intel AMT SOL/LMS.
Intel AMT WebGUI
The Intel® AMT WebGUI is a Web browser-based interface for limited remote computer management. The WebGUI is often used as a test to determine if Intel AMT setup and configuration was performed properly on a computer. A successful remote connection between a remote computer and the host computer running the WebGUI indicates proper Intel AMT setup and configuration on the remote computer.
AMT Redirection Overview
Intel® AMT makes it possible to redirect serial and IDE communications from a managed client to a management console regardless of the boot and power state of the managed client. The client need only have the Intel AMT capability, a connection to a power source, and a network connection. Intel AMT supports Serial Over LAN (SOL, text/keyboard redirection) and IDE Redirection (IDER, CD-ROM redirection) over TCP/IP.
Troubleshooting
This page describes a few basic troubleshooting steps to follow if problems are experienced with the Intel® AMT configuration. Remember to always check DSN for more troubleshooting options.
Return to Default
Return to default is also known as un-provisioning. An Intel AMT setup and configured computer can be un-provisioned using the Intel AMT Configuration screen and the Un-Provision option. Follow the steps below to un-provision a computer: 1.
Bad ME memory configuration DIMM A is located beneath the keyboard. For instructions on accessing this slot, refer to the system documentation.
USB Setup and Configuration
The default console package provided is the Dell™ Client Management (DCM) application. This section provides the procedure to set up and configure Intel® AMT with the DCM package. As mentioned earlier in the document, several other packages are available through third-party vendors. The computer must be configured and seen by the DNS server before you begin this process.
Click the <+> to expand the Intel AMT Getting Started section.
Click the <+> to expand the Section 1. Provisioning section.
Click the <+> to expand the Basic Provisioning (without TLS) section.
Select Step 1. Configure DNS. The notification server with an out-of-band management solution installed must be registered in DNS as "ProvisionServer.
Click Test on the DNS Configuration screen to verify that DNS has the ProvisionServer entry and that it resolves to the correct Intel setup and configuration server (SCS).
The IP address for the ProvisionServer and Intel SCS are now visible.
Select Step 2. Discovery Capabilities.
Verify that the setting is Enabled. If Disabled, click the check box next to Disabled and click Apply.
Select Step 3. View Intel AMT Capable Computers.
Any Intel AMT capable computers on the network are visible in this list.
Select Step 4. Create Profile.
Click the plus symbol to add a new profile.
On the General tab the administrator can modify the profile name and description along with the password. The administrator sets a standard password for easy maintenance in the future. Select the manual radio button and enter a new password.
The Network tab provides the option to enable ping responses, VLAN, WebUI, Serial over LAN, and IDE Redirection. If you are configuring Intel AMT manually, all these settings are also available in the MEBx. The TLS (Transport Layer Security) tab provides the ability to enable TLS. If enabled, several other pieces of information are required including the certificate authority (CA) server name, CA common name, CA type, and certificate template.
The Power Policy tab has configuration options to select the sleep states for Intel AMT as well as an Idle Timeout setting. It is recommended that Idle timeout is always set to 0 for optimal performance. The setting for the Power Policy tab can potentially impact a computer's ability to remain E-Star 4.0 compliant. Select Step 5. Generate Security Keys.
Select the icon with the arrow pointing out to Export Security Keys to USB Key.
Select the Generate keys before export radio button.
Enter the number of keys to generate (depends on the number of computers that need to be provisioned). The default is 50. The Intel ME default password is admin. Configure the new Intel ME password for the environment. Click Generate. Once the keys have been created, a link appears to the left of the Generate button.
Insert the previously formatted USB device into a USB connector on the Provisioning Server. Click the Download USB key file link to download the setup.bin file to the USB device. The USB device is recognized by default; save the file to the USB device. If additional keys are needed in the future, the USB device must be reformatted before saving the setup.bin file to it.
a. Click Save in the File Download dialog box. b. Verify the Save in: location is directed to the USB device. Click Save. c. Click Close in the Download complete dialog box. The setup.bin file is now visible in the drive explorer window.
Close the Export Security Keys to USB Key and drive explorer windows to return to the Altiris Console. Take the USB device to the computer, insert the device, and turn on the computer. The USB device is recognized immediately and you are prompted to Continue with Auto Provisioning (Y/N) Press . Press any key to continue with system boot...
Once complete, turn off the computer and move back to the management server. Select Step 6. Configure Automatic Profile Assignments.
Verify that the setting is enabled. In the Intel AMT 2.0+ dropdown, select the profile created previously. Configure the other settings for the environment.
Select Step 7. Monitor Provisioning Process.
The computers for which the keys were applied begin to appear in the system list. At first the status is Unprovisioned, then the system status changes to In provisioning, and finally it changes to Provisioned at the end of the process.
Select Step 8. Monitor Profile Assignments.
The computers for which profiles were assigned appear in the list. Each computer is identified by the FQDN, UUID, and Profile Name columns.
Once the computers are provisioned, they are visible under the Collections folder in All configured Intel AMT computers.