Technical white paper
Setting up and configuring Intel AMT in HP Business Notebooks, Desktops, and Workstations
Detailed instructions for the IT professional

Table of contents
Executive summary 3
Introduction 3
Support 4
Setting up and configuring Intel AMT 5
  Setup and configuration phases 5
Manual mode setup and configuration 5
  Creating a password 6
  BIOS prerequisites 6
  Setup and configuration procedure 7
  Using the WebGUI 25
Enterprise mode setup and configuration
  Using the TLS-PSK method
  OEM TLS
Appendix A: Frequently asked questions 38
Appendix B: Overview of power, sleep, and global states 40
  ME power states 40
Appendix C: Wake-On-ME overview 41
Appendix D: Supported certificates 42
For more information 43
Executive summary
Select HP models use Intel® vPro processor technology to simplify PC management and reduce IT-related expenditures. A key element of vPro is Intel Active Management Technology (Intel AMT), a platform-resident solution that includes both hardware and firmware, and relies on the Management Engine (ME) integrated into supported Intel chipsets.
Support
Intel AMT technology is available on the following select HP models:
Note Remote access to a client PC can be wired or wireless, depending on the particular HP model.
Setting up and configuring Intel AMT
Before it can be used, Intel AMT must be set up and configured, which involves the following activities:
Setup – Generally performed once in the lifetime of a system, Intel AMT setup involves the steps necessary to enable Intel AMT, such as setting up the system and enabling network connectivity. After Intel AMT has been enabled, it can be discovered by management software over a network.
Creating a password
To reduce vulnerability to a dictionary attack, MEBx enforces the following minimum criteria for a password:
– 8 – 32 characters long
– Upper- and lower-case Latin characters (for example: A, a, B, b)
– At least one digit (for example: 0, 1, 2, …, 9)
– At least one of the following non-alphanumeric characters: exclamation (!), at (@), number (#), dollar ($), percent (%), caret (^), asterisk (*)
Note that the underscore character ( _ ) is considered alphanumeric, so it does not satisfy the non-alphanumeric requirement.
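The following Python script is an added example, not HP or Intel code: it applies the MEBx password criteria listed above to a candidate password offline and generates a compliant password from the OS random source. One point is an assumption, since the page does not say how MEBx treats characters it does not list: such characters are reported as a warning rather than rejected.

```python
"""Offline checker and generator for passwords that meet the MEBx policy
described in the white paper.  Added example; not HP or Intel code.

Assumption (not stated on the page): characters outside the Latin letters,
digits, underscore and the listed specials are reported as a warning, not a
hard failure, because the page does not say how MEBx treats them."""
import secrets
import string

MEBX_SPECIALS = "!@#$%^*"          # the non-alphanumeric characters the page lists
MEBX_MIN_LEN, MEBX_MAX_LEN = 8, 32
_UPPER = string.ascii_uppercase    # Latin letters only; no accented characters
_LOWER = string.ascii_lowercase
_DIGITS = string.digits
# Underscore is "alphanumeric" to MEBx: allowed, but it does not count as a special.
_DOCUMENTED_CHARSET = set(_UPPER + _LOWER + _DIGITS + "_" + MEBX_SPECIALS)


def mebx_password_problems(pw: str) -> list[str]:
    """Return the policy rules the candidate password violates (empty list = OK)."""
    problems = []
    if not MEBX_MIN_LEN <= len(pw) <= MEBX_MAX_LEN:
        problems.append(f"length {len(pw)} is outside {MEBX_MIN_LEN}-{MEBX_MAX_LEN}")
    if not any(c in _UPPER for c in pw):
        problems.append("no upper-case Latin letter")
    if not any(c in _LOWER for c in pw):
        problems.append("no lower-case Latin letter")
    if not any(c in _DIGITS for c in pw):
        problems.append("no digit")
    if not any(c in MEBX_SPECIALS for c in pw):
        problems.append("no character from " + MEBX_SPECIALS + " (underscore does not count)")
    return problems


def undocumented_characters(pw: str) -> set[str]:
    """Characters the page's policy text does not mention; treat as a warning (assumption)."""
    return set(pw) - _DOCUMENTED_CHARSET


def is_valid_mebx_password(pw: str) -> bool:
    return not mebx_password_problems(pw)


def generate_mebx_password(length: int = 16) -> str:
    """Build a random password that satisfies every rule, using the OS CSPRNG.

    One character is drawn from each required class first so the result
    cannot fail the policy; the remainder is filled from the full pool and
    the order is shuffled so the class positions are not predictable."""
    if not MEBX_MIN_LEN <= length <= MEBX_MAX_LEN:
        raise ValueError("length must be within the MEBx 8-32 limit")
    rng = secrets.SystemRandom()
    chars = [rng.choice(_UPPER), rng.choice(_LOWER),
             rng.choice(_DIGITS), rng.choice(MEBX_SPECIALS)]
    pool = _UPPER + _LOWER + _DIGITS + MEBX_SPECIALS
    chars += [rng.choice(pool) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    # Constructed candidates: the second fails only because '_' is not a special.
    for candidate in ("Passw0rd!", "Passw0rd_", "password1!", "Ab1!"):
        print(f"{candidate!r}: {mebx_password_problems(candidate) or 'OK'}")
    print("generated:", generate_mebx_password())
```

Run the script to see why a candidate is rejected before typing it into MEBx, which reports only that the password is invalid.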
Setup and configuration procedure
When you explore MEBx options for the first time (Factory phase), default settings are in place. This white paper details the settings recommended by HP, some of which may be the same as the default selections. Even though the default setting is used for many options, it is good practice to double-check important options.
For setup and configuration, perform the following procedure:
1. Press Ctrl-P during POST to enter the main menu for MEBx setup, as shown in Figure 1.
4. Select Local FW Update from the Intel ME Platform Configuration menu (shown in Figure 2).
Figure 2. Selecting the Local FW Update option
5. As shown in Figure 3, HP recommends enabling Local FW Update, which is the default setting. Unless otherwise specified, the system BIOS allows ME firmware to be updated locally without password protection. If desired, you can modify the Local FW Update setting to enable password protection.
Figure 3.
6. Select Power Control from the ME Platform Configuration menu (shown in Figure 2). Select the appropriate Intel ME ON in Host Sleep States setting, as shown in Figures 4 and 5.
– Default setting: Desktop ON in S0
– Recommended setting: Desktop ON in S0, ME Wake in S3, S4-5
Note After you activate network access (Step 17), Intel ME ON in Host Sleep States is automatically set to Desktop: ON in S0, ME Wake in S3, S4-5.
Figure 5.
7. Select the appropriate Idle Timeout value for Wake-On-ME in minutes, as shown in Figure 6.
– Idle Timeout: 65535 (Recommended setting; default)
The timeout must be set to a non-zero value for the ME to take advantage of Wake-On-ME. The timeout is not used while the system is in the active state (S0); it applies only when the ME ON in Host Sleep States setting is configured to allow Wake-On-ME.
Figure 6. Selecting the Idle Timeout value
8. Return to the MEBx Main Menu (Figure 1).
9.
10. From the Intel AMT Configuration menu (shown in Figure 7), select Manageability Feature Selection. This option allows Intel AMT to be enabled (recommended) or disabled. By default, HP systems are set to enable Intel AMT. Note that disabling Manageability Feature Selection also disables all remote management capabilities and unprovisions any Intel AMT settings. Figure 7.
11. From the Intel AMT Configuration menu, select SOL/IDER/KVM. The SOL/IDER/KVM screen appears, as shown in Figure 8. Review the following settings:
– Username and password: Enabled (Recommended setting; default) When enabled, this setting allows users and passwords to be added via the WebGUI; if it is disabled, only the administrator has MEBx remote access.
– SOL: Enabled (Recommended setting; default) This setting enables or disables Serial-over-LAN (SOL) functionality.
12. From the Intel AMT Configuration menu, select User Consent. The User Consent screen appears, as shown in Figure 9. Review the following settings:
– User Opt-in: KVM (Setting is user-dependent; KVM by default)
– Opt-in Configurable from Remote IT: Enabled (Setting is user-dependent; Enabled by default) This setting enables or disables a remote user's ability to select the user opt-in policy. If set to Disabled, only the local user can control the opt-in policy.
Figure 9.
13. Review the Password Policy setting shown in the Intel AMT Configuration screen. This setting specifies when it is possible to change the MEBx password over the network.
Note The MEBx password can always be changed locally through the MEBx user interface.
As shown in Figure 10, options are:
– Default Password Only: You can change the MEBx password via the network interface only if the default password has not yet been changed.
14. Select Network Setup from the Intel AMT Configuration menu. The Intel ME Network Setup screen appears, as shown in Figure 11, allowing you to configure Intel AMT so that it can be accessed by a remote system. Figure 11.
15. Select Intel ME Network Name Settings from the Intel ME Network Setup menu. The Intel ME Network Name Settings screen appears, as shown in Figure 12.
Figure 12. Setting up the ME network names
Review the following settings:
– Host Name: (Setting is user-dependent; there is no default) A host name can be used in place of the system's IP address for any application that requires this address.
Note Spaces are not acceptable in a host name. Make sure there is not a duplicate host name on the network.
– Dynamic DNS Update: Disabled (Recommended setting; default) If Dynamic DNS (DDNS) update is enabled, the firmware will actively try to register its IP addresses and FQDN in DNS using DDNS update protocol.
Configuring IPv4
Select Wired LAN IPV4 Configuration and then configure the parameters shown in Figure 14.
Figure 14. Configuring the network for IPv4
– DHCP Mode: Enabled (Recommended setting; default) If DHCP is disabled, complete steps b – f to configure an IPv4 static IP address for Intel AMT. If DHCP is enabled (recommended), skip to Step 17.
– IPV4 Address: (Network-dependent; default is 0.0.0.0) Specify the desired static IP address (such as 192.168.0.1).
Configuring IPv6
Both wired and wireless IPv6 can be enabled via an SCS or, as in this example, the WebGUI. Review the TCP/IPv6 settings for wired and wireless connections, as shown in Figure 15:
– Enable IPv6 (wired): Enabled (Recommended setting; default setting is Disabled)
– Enable IPv6 (wireless): (Implementation-dependent; default setting is Disabled)
Figure 15.
If you wish to use wireless Intel AMT connectivity, you must first connect to the Intel AMT system from a remote system over the wired LAN in order to create a wireless profile. Carry out the following steps:
i. Using the WebGUI (for example), select the Wireless Settings option to configure the wireless management settings, as shown in Figure 16.
ii. Under Wireless Settings, configure the wireless power policy: set Enabled in S0, Sx/AC.
Figure 16.
iii. In the Profiles field box (Figure 17), click New to create a new wireless profile. Figure 17.
iv. Enter the following data for the new wireless profile, as shown in Figure 18:
– Profile name: (any name)
– Network name (SSID): (the wireless network SSID name)
– Network authentication: (implementation-dependent; default is WPA-PSK)
– Encryption: CCMP (recommended setting; default)
– Pass phrase: (wireless network pass phrase)
On completion, click Submit.
Figure 18.
v. Select System Status to display the Wireless IP address, as shown in Figure 19.
Note Wireless Intel AMT only supports IPv6 addresses.
Figure 19. Verifying that you have configured a wireless IP address
A remote system should now be able to access the ME.
17. Having completed the network setup, select Activate Network Access from the Intel AMT Configuration menu, as shown in Figure 20. This setting causes the ME to transition to the newly-provisioned state if all required settings have been configured. The Unconfigure Network Access option causes the ME to transition to the pre-provisioned state. For more information, refer to Unprovisioning an Intel AMT system or Making a full return to factory default settings. Figure 20.
WebGUI support is enabled by default for Manual mode setup and configuration.
Connecting with the WebGUI in Manual mode
1. Power on an Intel AMT system that is in its operational phase.
2. Invoke a web browser on a separate system (such as a management PC) that is on the same subnet as the Intel AMT system.
3. Connect to the Intel AMT system using the IP address and port specified in the MEBx.
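As an added example (not HP or Intel code), the following Python script builds the HTTP Digest Authorization header that the WebGUI requires when you connect as in step 3; the HTTP Digest credentials are also among the items the SCS provisions in Enterprise mode (see step 4 of the Enterprise mode section). Assumptions not stated on this page: the WebGUI listens on the standard Intel AMT ports 16992 (HTTP) and 16993 (HTTPS), the account is the MEBx "admin" user, the request path is "/", and the challenge is an RFC 2617 MD5 digest with qop="auth". The sample challenge is constructed and its realm value is not from a real device.

```python
"""Build the HTTP Digest Authorization header the Intel AMT WebGUI expects.
Added example, not HP or Intel code.  Assumptions not on the page: the
WebGUI ports 16992 (HTTP) / 16993 (HTTPS), the "admin" account name, the
request path "/", and an RFC 2617 MD5 digest challenge with qop="auth".
Nothing here touches the network."""
import hashlib
import re
import secrets

AMT_HTTP_PORT = 16992    # assumption: standard Intel AMT HTTP port
AMT_HTTPS_PORT = 16993   # assumption: standard Intel AMT HTTPS (TLS) port


def amt_webgui_url(host: str, tls: bool = True, path: str = "/") -> str:
    """URL of the WebGUI; prefer the TLS port once TLS has been provisioned."""
    port = AMT_HTTPS_PORT if tls else AMT_HTTP_PORT
    return f"{'https' if tls else 'http'}://{host}:{port}{path}"


def parse_www_authenticate(header: str) -> dict[str, str]:
    """Parse 'Digest realm="...", nonce="...", qop="auth"' into a dict.
    Values may be quoted; AMT realms contain a colon, so quoting matters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError(f"not a Digest challenge: {scheme}")
    out = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params):
        out[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def _md5(s: str) -> str:
    # MD5 is what RFC 2617 Digest prescribes; it is not used here as a security primitive.
    return hashlib.md5(s.encode("utf-8"), usedforsecurity=False).hexdigest()


def digest_response(user, password, realm, nonce, method, uri, nc, cnonce, qop="auth"):
    """RFC 2617 'auth' response: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def authorization_header(user, password, challenge, method, uri, nc=1, cnonce=None):
    """Compose the Authorization header value for one request from a parsed challenge."""
    qop = challenge.get("qop", "auth").split(",")[0].strip()
    if qop != "auth":
        raise ValueError(f"unsupported qop {qop!r}")
    cnonce = cnonce or secrets.token_hex(8)   # fresh client nonce per request
    nc_str = f"{nc:08x}"                      # nonce count, 8 hex digits
    resp = digest_response(user, password, challenge["realm"], challenge["nonce"],
                           method, uri, nc_str, cnonce, qop)
    fields = [f'username="{user}"', f'realm="{challenge["realm"]}"',
              f'nonce="{challenge["nonce"]}"', f'uri="{uri}"', f"qop={qop}",
              f"nc={nc_str}", f'cnonce="{cnonce}"', f'response="{resp}"']
    if "opaque" in challenge:                 # must be echoed back unchanged
        fields.append(f'opaque="{challenge["opaque"]}"')
    return "Digest " + ", ".join(fields)


# Constructed challenge in the shape AMT sends; the realm value is made up.
SAMPLE_AMT_CHALLENGE = ('Digest realm="Digest:3A1F00000000000000000000000000000000", '
                        'nonce="constructednonce0001", stale="false", qop="auth"')

if __name__ == "__main__":
    ch = parse_www_authenticate(SAMPLE_AMT_CHALLENGE)
    print(amt_webgui_url("192.168.0.1", tls=False))    # the page's static-IP example
    print(authorization_header("admin", "Passw0rd!", ch, "GET", "/"))
```

The same computation is what a browser performs after the WebGUI answers the first request with 401 and a WWW-Authenticate challenge; a scripted client repeats it per request with an incremented nc. Digest proves knowledge of the password but does not protect the session, so use the TLS port for anything beyond a lab subnet.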
Enterprise mode setup and configuration This section provides instructions and guidelines for Intel AMT setup and configuration (provisioning) in Enterprise mode. Intel AMT is designed to support a range of SMB and enterprise provisioning scenarios that involve tradeoffs between security, cost, and convenience. At one end of the spectrum, it is possible to manually configure Intel AMT in a matter of minutes on a local machine.
Using a USB drive key – A USB drive key can be used for zero-touch provisioning. With this method, password, PID, and PPS information is loaded to the MEBx on system boot using a specially formatted setup.bin file. After this information has been loaded, the Intel AMT system starts requesting provisioning. For more information, refer to Using a USB drive key for provisioning.
4. The SCS logs into the Intel AMT system and provisions all required data items, including the following:
– New PPS and PID for future configuration
– TLS certificates
– Private keys
– Current date and time
– HTTP Digest credentials
– HTTP Negotiate credentials
Other options can be set depending on the particular SCS implementation. The system goes from the In-Setup phase to the Operational phase; Intel AMT is fully operational.
Using the key
The following are typical stages in the use of a USB drive key:
1. An IT technician inserts a USB drive key into the system hosting the SCS.
2. Through the SCS, the IT technician requests local setup and configuration records.
3. The SCS generates the appropriate passwords and PID/PPS sets and stores them in its database.
4. The SCS writes the passwords and PID/PPS sets to a setup.bin file on the USB drive key.
Since the Intel AMT system is already running an OS, provisioning can take place at any time. The local agent contacts the SCS, which responds by telling the Intel AMT system to provide a one-time password (OTP). The OTP is created and encrypted by the ME and is then sent to the SCS. Once a TLS connection has been established, the SCS can begin provisioning the Intel AMT system.
The SCS must have a server certificate with the appropriate object identifier (OID) or organizational unit (OU):
– The unique Intel AMT OID value in the Extended Key Usage field is 2.16.840.1.113741.1.2.3
– The OU value in the Subject field is Intel Client Setup Certificate
This OU value is case-sensitive and must be entered exactly as shown.
If support for delayed provisioning is required, an OS and local agent must be installed on the Intel AMT system.
2. Review the Intel Automated Setup and Configuration menu items (shown in Figure 23).
Figure 23. Menu used to enable remote provisioning
– Current Provisioning Mode: This menu item displays the provisioning mode currently selected. Options are:
  o None
  o PKI (default)
  o PSK
  No changes can be made at this menu.
– Provisioning Record: This menu item displays the data in the system's provisioning record. The default setting is Not Present; no changes can be made at this menu.
– RCFG: Remote Configuration (RCFG) is an Intel AMT feature that allows a single OEM OS image to provision systems securely, without the need to manually modify Intel AMT options. RCFG has the following requirements:
  o Public Key Infrastructure with Certificate Hashes (PKI-CH) protocol to maintain security
  o DHCP environment
  o OS present on the Intel AMT system
– Provisioning Server IPv4/IPv6: This menu item is used in Enterprise mode to point to the IP address of the SCS. The default is 0.0.0.0.
Note The admin password, PID, and PPS can be pre-populated by HP during manufacturing. Refer to the OEM TLS-PSK provisioning section for more information.
Legacy (zero-touch) provisioning uses a default certificate; no PID or PPS are needed. PKI is active in the base image, which contains 15 pre-installed certificates.
  o Delete PID and PPS: This option deletes the current PID and PPS entries and should be skipped.
After configuring TLS-PSK, return to the previous menu.
In Intel AMT 8.x, the MEBx allows you to manually activate a hash and add up to three additional certificate hashes. To add a hash:
i. Press the Insert key in the Manage Hashes menu.
ii. Enter a name and fingerprint for the hash.
iii. Specify the status of the hash (active or not active; default or not default).
After configuring TLS-PKI, return to the previous menu.
3. Return to the MEBx Main Menu.
4. Select MEBx Exit to exit the configuration procedure and save settings.
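The fingerprint entered in step ii is a digest of the DER-encoded CA certificate. The following Python script is an added example, not HP or Intel code, that computes that fingerprint from a PEM file and checks a hand-typed value (with or without colons, in either case) against it, so the hash you activate in MEBx is the certificate you intend to trust. Two assumptions: the page does not say which digest MEBx 8.x accepts, so both SHA-1 and SHA-256 are produced; and the sample PEM is a constructed stand-in whose DER body is just the bytes "abc", not a real certificate.

```python
"""Compute the fingerprint of a CA certificate for the MEBx Manage Hashes
screen and check a typed value against it.  Added example, not HP or Intel
code.  Assumption: the page does not say which digest MEBx 8.x accepts, so
SHA-1 and SHA-256 over the DER-encoded certificate are both produced."""
import base64
import hashlib
import re

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_blocks(pem_text: str) -> list[bytes]:
    """DER bytes of every CERTIFICATE block in a PEM file (a CA bundle may hold several)."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in _PEM_BLOCK.finditer(pem_text)]


def fingerprints(der: bytes) -> dict[str, str]:
    """Colon-separated upper-case hex digests of the DER, as CA vendors publish them."""
    return {name: ":".join(f"{b:02X}" for b in hashlib.new(name, der).digest())
            for name in ("sha1", "sha256")}


def normalise_entry(text: str) -> str:
    """Reduce a hand-typed fingerprint (colons, spaces, mixed case) to bare upper-case hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def entry_matches(entered: str, der: bytes):
    """Return the digest name ('sha1'/'sha256') the typed value matches, or None."""
    wanted = normalise_entry(entered)
    for name, fp in fingerprints(der).items():
        if normalise_entry(fp) == wanted:
            return name
    return None


# Constructed stand-in: the DER body is the bytes b"abc", which is NOT a real
# certificate but has well-known SHA-1/SHA-256 digests for checking the arithmetic.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    for i, der in enumerate(pem_to_der_blocks(text)):
        for name, fp in fingerprints(der).items():
            print(f"cert {i} {name}: {fp}")
```

Run it against the PEM of the root CA that issued the SCS server certificate and compare the output with the fingerprint on the MEBx screen before marking the hash active; a hash that matches nothing you trust should be left inactive.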
Partial unprovisioning
Only available for systems provisioned in Enterprise mode, partial unprovisioning returns all Intel AMT configuration settings to their factory defaults with the exception of the PID, PPS, and PKI-CH settings. It does not reset ME configuration settings or the MEBx password. Partial unprovisioning re-opens the network interface for six hours of "hello" message broadcasts.
Appendix A: Frequently asked questions
Q: How can the MEBx be accessed locally?
A: The MEBx can be accessed locally by pressing Ctrl-P during POST.
Q: Why isn't the Ctrl-P prompt displayed during POST?
A: By default, the Ctrl-P prompt is hidden during POST. The prompt can be displayed by setting the corresponding option in F10 Setup, except on HP Workstation PCs, which do not provide a BIOS option to display the Ctrl-P prompt during POST.
Q: Why doesn't Wake-On-ME function after I've set the idle timeout?
A: The Wake-On-ME feature only works if the ME ON in Host Sleep States setting has been set to allow ME WoL and the system has been fully provisioned.
Q: Does Intel AMT provide wireless LAN support?
A: For desktops, wireless Intel AMT is only supported on the Elite 8300 Ultra Small Form Factor and All-in-One (AiO) platforms featuring the mini PCI Express Intel Centrino Advanced-N 6205 wireless LAN adapter.
Appendix B: Overview of power, sleep, and global states
Under the Advanced Configuration and Power Interface (ACPI) specification, a PC may be in one of the following power states (also known as Sleep (Sx) or Global (Gx) states).
S0 – S0 (also known as G0) is the On state, during which the PC is fully functional. All system devices and the operating system, if available, are running.
S3 – S3 is the Standby (Microsoft® terminology) or Suspend-to-RAM state.
Appendix C: Wake-On-ME overview Wake-On-ME, also known as ME Wake-on-LAN (ME WoL), is a feature that allows the ME to go into a low power state when it is not being used but awaken if required. The ME counts down from the amount of time set in Idle Timeout before going to sleep.
Appendix D: Supported certificates
The following are supported certificate authorities and certificates (see also Figure D-1):
Note Not all certificates may be populated in certain configurations.
– VeriSign Class 3 Primary CA-G1
– VeriSign Class 3 Primary CA-G3
– Go Daddy Class 2 CA
– Comodo AAA CA
– Starfield Class 2 CA
– VeriSign Class 3 Primary CA-G2
– VeriSign Class 3 Primary CA-G1
For more information
Intel vPro Technology: www.intel.com/technology/vpro/index.htm
Get connected: hp.com/go/getconnected (current HP driver, support, and security alerts delivered directly to your desktop)
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services.