vPro Setup and Configuration for the 8000 Elite Business PC with Intel vPro Processor Technology

Contents
Introduction
AMT Setup and Configuration
AMT System Phases
SMB Mode - AMT Setup and Configuration with MEBx
SMB Mode - AMT Setup and Configuration Steps
Introduction
The HP Compaq 8000 Elite Business PC uses Intel vPro processor technology to simplify PC management and reduce IT-related expenditures. Intel vPro processor technology is a combination of Active Management Technology (AMT) and Intel Virtualization Technology (VT), which allows for improved management of PC systems and enhanced security. Intel vPro processor technology no longer supports Virtual Appliances.
AMT Setup and Configuration
AMT must be set up and configured in a system before it can be used. AMT setup involves the steps necessary to enable AMT, such as setting up the system for AMT mode and enabling network connectivity. This setup is generally performed only once in the lifetime of a system. When AMT is enabled, it can be discovered by management software over a network.
Password Guidelines
MEBx passwords must meet minimum criteria. These restrictions are enforced by the MEBx to reduce the vulnerability of passwords to a dictionary attack. Passwords must:
• Be between 8 and 32 characters long.
• Contain both upper and lower case Latin characters (e.g. A, a, B, b).
• Have at least one digit character (e.g. 0, 1, 2, … 9).
• Have at least one 7-bit ASCII non-alphanumeric character with an ASCII value between 33d and 126d that is not part of the invalid character list below.
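The four rules above can be checked before a password is typed into the MEBx, which is useful when an administrator prepares passwords for a batch of systems. The following validator is an added example, not HP's or Intel's code; the invalid character list referred to above is not reproduced on this page, so it is taken as a caller-supplied parameter, and characters outside the printable 7-bit ASCII range are treated as disallowed (an assumption, not a rule stated here).

```python
import string

# Rules as stated in the white paper for MEBx passwords:
#   8-32 characters, at least one upper and one lower case Latin letter,
#   at least one digit, and at least one 7-bit ASCII non-alphanumeric
#   character with a code between 33 and 126 that is not on the invalid list.
# The invalid character list is not on this page, so it is a constructed,
# empty-by-default parameter that the caller fills in from the MEBx manual.
INVALID_CHARS = frozenset()


def _printable_ascii(c):
    """True for 7-bit ASCII codes 33..126 (the range the MEBx rule names)."""
    return 33 <= ord(c) <= 126


def check_mebx_password(password, invalid_chars=INVALID_CHARS):
    """Return a list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if not 8 <= len(password) <= 32:
        problems.append("length must be 8-32 characters")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("needs an upper case Latin letter")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("needs a lower case Latin letter")
    if not any(c in string.digits for c in password):
        problems.append("needs a digit")
    # Special character: printable ASCII, not a letter or digit, not on the invalid list.
    if not any(_printable_ascii(c) and not c.isalnum() and c not in invalid_chars
               for c in password):
        problems.append("needs a 7-bit ASCII non-alphanumeric character (codes 33-126)")
    # Assumption: anything outside codes 33..126 (space, control characters,
    # non-ASCII) or on the invalid list is rejected outright.
    bad = sorted({c for c in password if not _printable_ascii(c) or c in invalid_chars})
    if bad:
        problems.append("contains disallowed character(s): " + repr(bad))
    return problems
```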
SMB Mode - AMT Setup and Configuration Steps
When going through the options in the MEBx for the first time (Factory phase), the default settings are in place. This white paper details HP-recommended settings for options, some of which may be the same as the default selection. Even though the default setting is set and used for certain options, it is good practice to double-check important options.
1. Press Ctrl+P during POST to enter Manageability Engine BIOS Extension (MEBx) Setup.
5. Select Y. ME platform configuration allows IT personnel to configure ME features such as AMT/ASF selection, power options, firmware update capabilities, and so on.
Figure 2 Intel ME Platform Configuration screen
6. Select Intel ME State Control, and then select Enabled.
Default Setting = Enabled, Recommended Setting = Enabled
This option enables or disables the ME and is used for diagnostic purposes.
"Restricted" ignores what is set in the system BIOS and allows local ME firmware updates until the ME is configured.

System BIOS setting                  Never Open                                Restricted
ME Firmware Local Update Enabled     Local ME firmware updates allowed.        Local ME firmware updates allowed.
ME Firmware Local Update Disabled    Local ME firmware updates NOT allowed.    Local ME firmware updates allowed only until the ME is configured.

8. Select Intel ME Features Control.
a. Select Manageability Feature Selection.
9. Select Intel ME Power Control.
Figure 4 Intel ME Power Control Screen
a. Select Intel ME ON in Host Sleep States, and then select Desktop: ON in S0, S3, ME WoL in S3, S4-5, OFF After Power Loss.
Default Setting = Desktop: ON in S0, Recommended Setting = Desktop: ON in S0, S3, ME WoL in S3, S4-5, OFF After Power Loss
This option sets the ME power policy when the system is in a sleep state (Sx) and when returning from a G3 power loss.
See “Appendix B: Power / Sleep / Global States Explained” on page 34 for an explanation of sleep/power states. See “Appendix C: Wake-On-ME Explained” on page 35 for an explanation of Wake-On-ME/ME WoL.
b. Select Return to the previous menu.
10. Return to the previous menu to exit the MEBx Setup and save the ME configuration. The system displays an Intel ME Configuration Complete message and reboots. After the ME Configuration is complete, you can configure AMT on the next boot.
11.
This option is a toggle, and the next time you access it you are prompted with the opposite setting.
b. Select DHCP Disable, and then select Y.
Default Setting = DHCP Enabled, Recommended Setting = User Dependent
You can use DHCP if it is available. If you use DHCP, steps 15c through 15g are not necessary. Otherwise, the system administrator must configure the TCP/IP settings. For the purpose of this white paper, DHCP is disabled so that steps 15c through 15g can be illustrated.
16. Select Provision Model.
a. Change to Small Business, and then select Y.
Default Setting = Enterprise, Recommended Setting = Small Business
This option is a toggle, and the next time you access it you are prompted with the opposite setting. Notice that the Setup and Configuration option is no longer available once the system is in Small Business mode; that option is only used in Enterprise mode.
b. Select Return to previous menu.
17. Skip Un-Provision. This option returns the system to factory defaults.
Option                            Effect
During Setup and Configuration    Allows the MEBx password to be remotely modified only during Setup and Configuration of the AMT platform.
Anytime                           Allows the MEBx password to be remotely modified at any time.

21. Select Secure Firmware Update, and then select Enabled.
Default Setting = Enabled, Recommended Setting = Enabled
This option enables/disables the ability to remotely update the ME firmware.
22. Skip Set PRTC.
The WebGUI is often used as a test to determine whether AMT Setup and Configuration was performed properly on a system. A successful remote connection between a remote system and the host system running the WebGUI indicates proper AMT Setup and Configuration on the remote system. The AMT WebGUI is accessible from the following Web browsers:
• Microsoft Internet Explorer 6 SP1 or newer
• Netscape Navigator 7.1 or newer
• Mozilla Firefox 1.0 or newer
• Mozilla 1.
4. Type the user name and password. The default username is admin and the password is what you set during AMT Setup in the MEBx.
Figure 6 Intel AMT WebGUI Screen
5. Review system information and/or make any necessary changes.
NOTE: You can change the MEBx password for the remote system in the WebGUI. Changing the password in the WebGUI or a remote console results in two passwords. The new password, known as the “remote” MEBx password, only works remotely with the WebGUI or remote console.
Setup and Configuration Server
A Setup and Configuration Server (SCS) is an application that runs over a network and performs AMT Setup and Configuration. It is required for Enterprise mode setup and configuration. In a PSK Setup and Configuration, both the AMT client system and the SCS must share a Provisioning ID (PID) and Provisioning Passphrase (PPS). This pair forms a Pre-Shared Key (PSK). PIDs are 8 characters and PPS are 32 characters.
Enterprise Mode Setup and Configuration
Enterprise mode is for large corporate customers. An SCS is required for Enterprise mode Setup and Configuration. The SCS is also known as a Provisioning Server, as seen in the MEBx.
Enterprise Mode - AMT Setup and Configuration Steps
The AMT Setup portion for Enterprise mode is the same as SMB mode. Repeat Steps 1 through 15 to perform AMT Setup. This takes the system from Factory Mode to In Setup Mode.
12. Select Intel AMT Configuration. The Intel AMT Configuration screen includes numerous options, which are available by scrolling down the menu.
Figure 7 Intel AMT Configuration Screen
Figure 8 Intel AMT Configuration Screen Continued
13. Select Host Name, and then type a host name.
Default Setting = HPSystem, Recommended Setting = User Dependent
Spaces are not accepted in the host name.
14. Select TCP/IP.
a. Select Disabling Network Interface, and then select N.
Default Setting = Network Interface Enabled, Recommended Setting = Network Interface Enabled
If the network interface is disabled, all remote AMT capabilities are disabled and TCP/IP settings are not necessary. This option is a toggle, and the next time you access it you are prompted with the opposite setting.
b. Select DHCP Disable, and then select N.
b. Select Provisioning Record.
Default Setting = Not Present
This option shows the provisioning record data of the system.
ii. Enter Port.
Default Setting = 0, Recommended Setting = 9971
This option is used in Enterprise mode when an Intel AMT Setup and Configuration (Provisioning) Server is available. It points to the IP address of the SCS.
e. Select TLS PSK.
Figure 10 Intel TLS PSK Configuration Screen
i. Select Set PID and PPS. This option is for Provisioning ID (PID) and Provisioning Passphrase (PPS) entry. PIDs are 8 characters and PPS are 32 characters.
18. Skip VLAN.
Default Setting = Disabled, Recommended Setting = User Dependent
This option enables or disables VLAN support. If VLAN is enabled, the VLAN tag must be provided (1-4094).
19. Select SOL/IDE-R, and then select Y.
a. A message window indicates that the system resets after configuration.
b. Select Username and Password, and then select Enabled.
Default Setting = Enabled, Recommended Setting = Enabled
This option allows you to add users and passwords from the WebGUI.
The default timeout value from the factory is 1, in units of minutes. A value of 0 disables the Wake-On-ME feature, and the ME will not go to sleep when the system is inactive. HP recommends a setting of 1, which allows the ME to go to sleep after 1 minute of inactivity. The timeout value can only be set in decimal notation, a minor change from the dc7700p, which allowed both decimal and hexadecimal notation.
• TLS certificates
• Private keys
• Current date and time
• HTTP Digest credentials
• HTTP Negotiate credentials
You can set other options depending on the S&CS implementation. The system goes from the In-Setup phase to the Operational phase, and AMT is fully operational. Once in the Operational phase, you can remotely manage the system and provide it to end users for regular use.
Provisioning Methods
There are three methods of provisioning a system in Enterprise mode:
• Legacy
• IT TLS-PSK
• OEM TLS-PSK
Legacy
If you want TLS, execute the legacy method of AMT setup and configuration on an isolated network separate from the corporate network. An S&CS server requires a secondary network connection to a Certification Authority for TLS configuration. Customers perform legacy AMT setup and configuration. The customer initially receives systems in the Factory phase with AMT disabled.
Alternatively, the customer can provide HP with their own Administrator password, PID, and PPS to use for the order, which HP will use to bring the systems into the In-Setup phase. In the second stage, the customer receives the In-Setup systems and the PID, PPS, and password information. The PID, PPS, and password information is integrated into the customer S&CS. The In-Setup systems are then connected to the network and powered on. Enterprise Mode - AMT Configuration occurs.
7. The system BIOS displays a message that automatic setup and configuration will occur.
a. The first available record in the Setup.bin is read into memory. The process:
i. Validates the file header record.
ii. Locates the next available record.
iii. Invalidates the current record so it cannot be used again.
b. The process places the memory address into the MEBx parameter block.
c. The process calls MEBx.
8. MEBx processes the record.
9. MEBx writes a completion message to the display.
10.
One or more root certificate hashes are embedded into the AMT firmware. These hashes are integrated into the Hello messages sent by the AMT system to the SCS. The SCS must have compatible certificates to authenticate the AMT system. A self-signed certificate can be generated to create a secure connection between the AMT system and the SCS. This certificate is used for encryption, not authentication.
Remote Configuration Prerequisites
RCFG requires certain prerequisites before it can be used.
• Both the AMT system and the SCS must be on a DHCP server. The SCS must have the name Provisionserver, or if not, it must have an alias in DNS, and be on the same domain as the AMT system.
• The AMT system must have at least one pre-programmed active root certificate hash.
• The SCS must have a server certificate with the proper OID or OU values.
• OID value in the Extended Key Usage field = 2.16.840.1.
Figure 11 Intel Remote Configuration Screen
1. Select Remote Configuration Enable/Disable.
Default Setting = Enabled, Recommended Setting = Enabled
This option enables or disables remote configuration.
2. Skip Manage Certificate Hashes. This option shows the hashes in the system, including the name of the hash and whether it is active. If no hashes are in the system, an option to add one is available. If hashes are available, an option to delete one or more is available.
To add a hash:
a.
List of Supported CA Certificates
The following list provides supported Certificate Authorities and certificates. Not all certificates are populated in certain configurations.
Return to Default
Return to Default is also known as Unprovisioning. A system that has completed AMT Setup and Configuration can be unprovisioned. This is done through the AMT Configuration Screen and the Un-Provision option.
Figure 12 Intel AMT Unprovisioning Screen
Depending on how the system was previously provisioned, one or both unprovisioning options may appear.
1. Select Un-Provision, and then select the appropriate unprovision mode. Full unprovisioning is available for SMB and Enterprise mode provisioned systems.
Full Return to Factory Defaults
All AMT settings can be returned to the factory defaults by clearing CMOS. This includes resetting the password to the default “admin”. This is a behavior change from the HP Compaq dc7800p Business PC, where a CMOS change only clears the AMT settings and the password. The system must be set up and configured again before remote management is possible. Any non-default certificate hashes must be re-applied.
Q: Why can't a new password set with the WebGUI be used locally in the MEBx?
A: A password set with the WebGUI is a remote password and only works when accessing the MEBx remotely. It does not work with the MEBx locally. The local password must be used to access the MEBx locally.
Q: Is TLS required?
A: No. TLS is optional.
Q: If TLS is not used, then what is used?
A: HTTP Digest is used for mutual authentication if TLS is not used.
Appendix B: Power / Sleep / Global States Explained
A computer can be in one of several power states under the Advanced Configuration and Power Interface (ACPI) specification. These power states are also known as Sleep (Sx) states or Global (Gx) states.
• S0 is the ON state. The computer is fully functioning. All system devices and the operating system, if available, are running. S0 is also known as G0.
• S3 is the Standby (Microsoft terminology) or Suspend-to-RAM state.
Appendix C: Wake-On-ME Explained
Wake-On-ME, also known as ME WoL, is a feature that allows the ME to go into a low power state when it is not used. Three conditions must be met for Wake-On-ME to function:
• The system is in a sleep state: S3, S4, or S5.
• The ME On in Host Sleep State setting is set to allow ME WoL.
• The Idle Timeout setting is set to a non-zero value.
The system must be in a sleep state (S3, S4, or S5) for Wake-On-ME to function.