Technical white paper Setting up and configuring Intel AMT in HP Business Notebooks, Desktops, and Workstations Detailed instructions for the IT professional Table of contents Executive summary ..............................................................................................................................................................2 Introduction................................................................................................................................................
Executive summary Select HP models use Intel® vPro processor technology to simplify PC management and reduce IT-related expenditures. A key element of vPro is Intel Active Management Technology (Intel AMT), a platform-resident solution that includes both hardware and firmware, and relies on the Management Engine (ME) integrated into supported Intel chipsets.
Support Intel AMT technology is available on the following select HP models: Note Remote access to a client PC can be wired or wireless, depending on the particular HP model.
Setting up and configuring Intel AMT Before it can be used, Intel AMT must be setup and configured, which involves the following activities: • Setup – Generally performed once in the lifetime of a system, Intel AMT setup involves the steps necessary to enable Intel AMT, such as setting up the system and enabling network connectivity. After Intel AMT has been enabled, it can be discovered by management software over a network.
Creating a password To reduce vulnerability to a dictionary attack, MEBx enforces the following minimum criteria for a password: • 8 – 32 characters long • Upper- and lower-case Latin characters (for example: A, a, B, b) • At least one digit (for example: 0, 1, 2, … , 9). • One of the following non-alphanumeric characters: – Exclamation ! – At @ – Number # – Dollar $ – Percent % – Caret ^ – Asterisk * Note that the underscore character ( _ ) is considered alpha-numeric.
Setup and configuration procedure When you explore MEBx options for the first time (Factory phase), default settings are in place. This white paper details the settings recommended by HP, some of which may be the same as the default selections. Even though the default setting is used for many options, it is good practice to double-check important options. For setup and configuration, perform the following procedure: 1.
4. From the MEBX main menu, select Intel ME General Settings, as shown in Figure 2. Figure 2. Selecting the Local FW Update option 5. Select Local FW Update from the Intel ME Platform Configuration menu. Figure 3.
6. As shown in Figure 4, HP recommends enabling Local FW Update, which is the default setting. Unless otherwise specified, the system BIOS allows ME FW to be updated locally without password protection. If desired, you can modify the Local FW Update setting to enable password protection. Figure 4. Local FW Update has been enabled 7. 8. 8 Return to the MEBx Main Menu (Figure 1). Select Configure Intel AMT.
. From the Intel AMT Configuration menu (shown in Figure 5), select Manageability Feature Selection. This option allows Intel AMT to be enabled (recommended) or disabled. By default, HP systems are set to enable Intel AMT. Note that disabling Manageability Feature Selection also disables all remote management capabilities and unprovisions any Intel AMT settings. Figure 5.
. From the Intel AMT Configuration menu, select SOL/IDER/KVM. The SOL/IDER/KVM screen appears, as shown in Figure 6. Review the following settings: – Username and password: Enabled (Recommended setting; default) When enabled, this setting allows users and passwords to be added via the WebUI; if it is disabled, only the administrator has MEBx remote access. – SOL: Enabled (Recommended setting; default) This setting enables or disables Serial-over-LAN (SOL) functionality.
. From the Intel AMT Configuration menu, select User Consent. The User Consent screen appears, as shown in Figure 7. Review the following settings: – User Opt-in: KVM (Setting is user-dependent; KVM by default) – Opt-in Configurable from Remote IT: Enabled (Setting is user-dependent; Enabled by default) This setting enables or disables a remote user’s ability to select user opt-in policy. If set to disabled, only the local user can control the opt-in policy. Figure 7.
. Review the Password Policy setting shown in the Intel AMT Configuration screen. This setting specifies when it is possible to change the MEBx password over the network. Note The MEBx password can always be changed locally through the MEBx user interface. As shown in Figure 8, options are: – Default Password Only You can change the MEBx password via the network interface if the default password has not yet been changed.
. Select Network Setup from the Intel AMT Configuration menu. The Intel ME Network Setup screen appears, as shown in Figure 9, allowing you to configure Intel AMT so that it can be accessed by a remote system. Figure 9.
. Select Intel ME Network Name Settings from the Intel ME Network Setup menu. The Intel ME Network Name Settings screen appears, as shown in Figure 10. Figure 10. Setting up the ME network names Review the following settings: – Host Name: (Setting is user-dependent; there is no default) Host names can be used in place of the system’s IP address for any application that requires this address. Note Spaces are not acceptable in a host name. Make sure there is not a duplicate host name on the network.
– Dynamic DNS Update: Disabled (Recommended setting; default) If Dynamic DNS (DDNS) update is enabled, the firmware will actively try to register its IP addresses and FQDN in DNS using DDNS update protocol.
Configuring IPv4 Select Wired LAN IPV4 Configuration and then configure the parameters shown in Figure 12. Figure 12. Configuring the network for IPv4 – DHCP Mode: Enabled (Recommended setting; default) If DHCP is enabled (recommended), skip to Step 16. If DHCP is disabled, complete steps (i) – (v) of Implementing wireless connectivity for Intel AMT to configure an IPv4 static IP address for Intel AMT. – IPV4 Address: (Network-dependent; default is 0.0.0.
Configuring IPv6 Both wired and wireless 6 IPv6 can be enabled via an SCS or, as in this example, the WebUI. Review the TCP/IPv6 settings for wired and wireless connections, as shown in Figure 13: – Enable IPv6 (wired): – Enable IPv6 (wireless): Enabled (Recommended setting; default setting is Disabled) (Implementation-dependent; default setting is Disabled) Figure 13.
If you wish to use wireless Intel AMT connectivity, you must first connect to the Intel AMT system from a remote system using wired LAN in order to create a wireless profile. Carry out the following steps: i. Using the WebUI (for example), select the Wireless Settings option to configure the wireless management settings, as shown in Figure 14. ii. Select the Wireless Settings option to configure wireless power policy. Set Enabled in S0, Sx/AC. Figure 14.
iii. In the Profiles field box (Figure 15), click New to create a new wireless profile. Figure 15.
iv. Enter the following data for the new wireless profile, as shown in Figure 16: – Profile name: (any name) – Network name (SSID): (the wireless network SSID name) – Network authentication: (implementation-dependent; default is WPA-PSK) – Encryption: – Pass phrase: On completion, click Submit. Figure 16.
v. Select System Status to display the Wireless IP address, as shown in Figure 17. Note Wireless Intel AMT only supports IPv6 addresses. Figure 17. Verifying that you have configured a wireless IP address A remote system should now be able to access the ME.
16. Having completed the network setup, select Activate Network Access from the Intel AMT Configuration menu, as shown in Figure 18. This setting causes the ME to transition to the newly-provisioned state if all required settings have been configured. The Unconfigure Network Access option causes the ME to transition to the pre-provisioned state. For more information, refer to Unprovisioning an Intel AMT system or Making a full return to factory default settings. Figure 18.
19. Select Power Control from the Intel AMT Configuration menu (shown in Figure 19). Select the appropriate Intel AMT ON in Host Sleep States setting, as shown in Figures 20 and 21. Figure 19. Selecting Power Control Figure 20.
Figure 21. Options for Intel AMT ON in Host Sleep States setting Recommended setting: Desktop: ON in S0, ME Wake in S3, S4-5 Note After you activate network access (Step 16), Intel AMT On in Host Sleep States is automatically set to Desktop: ON in S0, ME Wake in S3, S4-5. Note For more information on sleep states and Wake-On-ME, refer to Appendix B: Overview of power, sleep, and global states and Appendix C: Wake-On-ME overview, respectively.
20. Select the appropriate Idle Timeout value for Wake-On-ME in minutes, as shown in Figure 22. – Idle Timeout: 65535 (Recommended setting; default) The timeout must be set to a non-zero value for the ME to take advantage of Wake-On-ME. The timeout is not used when the system is in active state (S0); it is only used when the AMT ON in Host Sleep States setting is configured to allow Wake-On-ME. Figure 22. Selecting the Idle Timeout value 21.
• Adding new users and passwords • Updating ME firmware WebUI support is enabled by default for Manual mode setup and configuration. Connecting with the WebUI in Manual mode 1. Power on an Intel AMT system that is in its operational phase. 2. Invoke a web browser on a separate system (such as a management PC) that is on the same subnet as the Intel AMT system. 3. Connect to the Intel AMT system using the IP address and port specified in the MEBx.
Enterprise mode setup and configuration This section provides instructions and guidelines for Intel AMT setup and configuration (provisioning) in Enterprise mode. Intel AMT is designed to support a range of SMB and enterprise provisioning scenarios that involve tradeoffs between security, cost, and convenience. At one end of the spectrum, it is possible to manually configure Intel AMT in a matter of minutes on a local machine.
• Using a USB drive key – A USB drive key can be used for zero-touch provisioning. With this method, password, PID, and PPS information is loaded to the MEBx on system boot using a specially formatted setup.bin file. After this information has been loaded, the Intel AMT system starts requesting provisioning. For more information, refer to Using a USB drive key for provisioning.
4. The SCS logs into the Intel AMT system and provisions all required data items, including the following: – New PPS and PID for future configuration – TLS certificates – Private keys – Current date and time – HTTP Digest credentials – HTTP Negotiate credentials Other options can be set depending on the particular SCS implementation. The system goes from In-Setup to Operational phase; Intel AMT is fully operational.
Using the key The following are typical stages in the use of a USB drive key: 1. 2. 3. 4. 5. 6. An IT technician inserts a USB drive key into the system hosting the SCS. Through the SCS, the IT technician requests local setup and configuration records. The SCS generates the appropriate passwords and PID/PPS sets and stores them in its database. The SCS writes the passwords and PID/PPS sets to a setup.bin file in the USB drive key.
Since the Intel AMT system is already running an OS, provisioning can take place at any time. The local agent contacts the SCS, which responds by telling the Intel AMT system to provide a one-time password (OTP). 9 Once a TLS connection has been established, the SCS can begin provisioning the Intel AMT system. The OTP is created and encrypted by the ME and is then sent to the SCS.
• The SCS must have a server certificate with the appropriate object identifier (OID) or organizational unit (OU): – Unique Intel AMT OID value in the Extended Key Usage field is 2.16.840.1.113741.1.2.3 – OU value in Subject field is Intel Client Setup Certificate This OU value is case-sensitive and must be entered exactly as shown. • If support for delayed provisioning is required, an OS and local agent must be installed on the Intel AMT system.
2. Review the Intel Automated Setup and Configuration menu items (shown in Figure 23). Figure 23. Menu used to enable remote provisioning – Current Provisioning Mode This menu item is used to display the provisioning mode currently selected. Options are: • None • PKI (default) • PSK No changes can be made at this menu. – Provisioning Record This menu item is used to display the data in the system’s provisioning record. The default setting is Not Present; no changes can be made at this menu.
– RCFG Remote Configuration (RCFG) is an Intel AMT feature that allows a single OEM OS image to provision systems securely, without the need to manually modify Intel AMT options. RCFG has the following requirements: • Public Key Infrastructure with Certificate Hashes (PKI-CH) protocol to maintain security • DHCP environment • OS present on the Intel AMT system – Provisioning Server IPv4/IPv6 This menu item is used in Enterprise mode to point to the IP address of the SCS. The default is 0.0.0.0.
Note The admin password, PID, and PPS can be pre-populated by HP during manufacturing. Refer to the OEM TLS-PSK provisioning section for more information. Legacy (zero-touch) provisioning uses a default certificate; no PID or PPS are needed. PKI is active in the base image, which contains 15 pre-installed certificates. – Delete PID and PPS This option is used to delete the current PID and PPS entries and should be skipped. After configuring TLS-PSK, return to the previous menu.
3. 4. 5. In Intel AMT 9.x, the MEBx allows you to manually activate a hash and use up to three additional certificate hashes. To add a hash: i. Press the Insert key in the Manage Hashes menu. ii. Enter a name and fingerprint for the hash. iii. Specify the status of the hash (active or not active; default or not default). After configuring TLS-PKI, return to the previous menu. Return to the MEBx Main Menu. Select MEBx Exit to exit the configuration procedure and save settings.
• Partial unprovisioning Only available for systems provisioned in Enterprise mode, partial unprovisioning returns all Intel AMT configuration settings to their factory defaults with the exception PID, PPS, and PKI-CH settings. This option does not reset ME configuration settings or the MEBx password. Partial unprovisioning re-opens the network interface for six hours of “hello” message broadcasts.
Appendix A: Frequently asked questions Q: How can I access the MEBx locally? A: The MEBx can be locally accessed by selecting Esc from the startup menu. Alternatively, you could press F6 (notebook PCs) or Ctrl-P (desktop PCs) during POST. Q: Why isn’t the Ctrl-P prompt displayed during POST? A: By default, the Ctrl-P prompt is hidden from desktop PC users during POST; however, this prompt can be displayed if set in F10 Setup.
Q: What is the difference between the ME and Intel AMT? A: The ME is the controller that, along with Intel Protected Audio Video Path (PAVP) capability, is used to manage Intel AMT. Note that clearing Intel AMT settings does not affect the ME settings, which are separate. Q: Why doesn’t Wake-On-ME function after I’ve set the idle timeout? A: The Wake-On-ME feature only works if the ME ON in Host Sleep State setting has been set to allow ME WoL and the system has been fully provisioned.
Appendix B: Overview of power, sleep, and global states Under the Advanced Configuration and Power Interface (ACPI) specification, a PC may be in one of the following power states (also known as Sleep (Sx) or Global (Gx) states). • S0 S0 (also known as G0) is the On state, during which the PC is fully functional. All system devices and the operating system, if available, are running. • S3 S3 is the Standby (Microsoft® terminology) or Suspend-to-RAM state.
Appendix C: Wake-On-ME overview Wake-On-ME, also known as ME Wake-on-LAN (ME WoL), is a feature that allows the ME to go into a low power state when it is not being used but awaken if required. The ME counts down from the amount of time set in Idle Timeout before going to sleep.
Appendix D: Supported certificates The following are supported certificate authorities and certificates (see also Figure D-1): Note Not all certificates may be populated in certain configurations. • VeriSign Class 3 Primary CA-G1 • VeriSign Class 3 Primary CA-G3 • Go Daddy Class 2 CA • Comodo AAA CA • Starfield Class 2 CA • VeriSign Class 3 Primary CA-G2 • VeriSign Class 3 Primary CA-G1.
Resources, contacts, or additional links Intel vPro Technology www.intel.com/technology/vpro/index.htm Sign up for updates hp.com/go/getupdated Share with colleagues Rate this document © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services.
