AMT Setup and Configuration for the Z200 Workstation with Intel AMT Technology March 2010 Table of Contents: Introduction; AMT Setup and Configuration; AMT System Phases; Manual Mode – AMT Setup and Configuration with MEBx; BIOS Prerequisite
Introduction The HP Z200 workstation utilizes Intel AMT processor technology to simplify PC management and reduce IT-related expenditures. Intel AMT processor technology allows for improved management of PC systems and better security. AMT provides Out-of-Band (OOB) remote access to a system regardless of the system power state or operating system condition, as long as the system is connected to a power source and a network.
AMT System Phases An AMT system can be in one of three phases with regard to its current stage of AMT Setup and Configuration. Three Phases of AMT Setup and Configuration: • Factory • In-Setup • Operational The Factory phase is the initial stage. The system has been built at the factory. No AMT Setup and Configuration has been done.
Criteria: • Password must be between 8 and 32 characters long. • Password must contain both upper and lower case Latin characters (e.g. A, a, B, b). • Password must have at least one digit character (e.g. 0, 1, 2, … 9). • ...
BIOS Prerequisite This whitepaper is for the HP Z200 workstation. The HP Z200 workstation uses the 786H3 BIOS family. The system BIOS and the ME FW must be updated individually. Refer to the BIOS Flash Whitepaper at www.hp.com for more information on flashing the system BIOS and ME FW.
The user must change the default password before any changes can be made in the MEBx. Change the password for the MEBx. The new password must meet the criteria defined in the Password Guideline Section, also known as a strong password. It must be entered twice for verification.
Note that if the ME is disabled, then all AMT functions are also disabled. The system will not be remotely manageable. Check Password Policy. Default Setting : Default Password Only Recommended Setting : Default Password Only Select Default Password Only This option determines when the user is allowed to change the Intel MEBX password through the network.
Default Setting : None Recommended Setting : User Dependent Note that spaces are not accepted in the host name. Make sure there is not a duplicate host name on the network. Hostnames can be used in place of the system’s IP for any applications requiring the IP address. Domain Name Enter a domain name Default Setting...
TCP/IP Settings. AMT 6.0 supports IPV4 and IPV6 interfaces. Follow steps 8a-8f to configure for IPV4 and 8g-8h for IPV6. Figure 4: Intel ME TCP/IP Settings Screen Wired LAN IPV4 Configuration DHCP Mode Default Setting : Enabled Recommended Setting : Enabled DHCP can be used if it is available (TCP/IP settings will be configured by a DHCP server).
Figure 5: Intel ME Wired LAN IPv4 Configuration Screen IPV4 Address Enter a static address Default Setting : 0.0.0.0 Recommended Setting : Network Dependent Example: 192.168.0.1 Make sure all AMT systems have a unique static IP address. Multiple systems sharing the same IP address can lead to network collisions, which will cause the systems to not respond correctly.
Alternate DNS Address Leave as default value and hit Enter Default Setting : 0.0.0.0 Recommended Setting : Network Dependent Wired LAN IPV6 Configuration Select Enabled option for IPv6 Feature Selection If DHCP is disabled, then steps 8h through 8i are required to configure the IPV6 static IP address.
IPv6 Address. AMT 6.0 supports IPv6 network interface. Enter a static IPv6 address Default Setting : None Recommended Setting : Network Dependent Example: 2001:db8::1428:57ab iii. IPv6 default Router. Enter the IPv6 Default Router address Default Setting : None Recommended Setting : Network Dependent Example: 2001:db8::1428:57ab Preferred DNS IPv6 Address...
Figure 7: Intel ME Activate Network Access Screen FW Update Settings. a. Local FW Update Qualifier. Intel ME Firmware Local Update Qualifier Default Setting : Always Open Recommended Setting : Always Open...
Figure 8: Intel ME FW Update Settings Screen This option allows the BIOS to override the ME Firmware Local Update option and to permit local updates. By default, the system BIOS allows for an unlimited number of local ME FW updates.
b. Secure FW Update. Intel ME Firmware Local Update Qualifier Default Setting : Enabled Recommended Setting : Enabled The Secure Firmware Update function requires an administrator user name and password. If the administrator user name and password are not supplied, the firmware cannot be updated. When the Secure Firmware Update feature is enabled, the IT administrator can update the firmware using the secure method.
Note: The ME On in Host Sleep State mode will automatically be set to Desktop: ON in S0, ME Wake in S3, S4-5 after Activating the Network Access (step 9). b. Idle Timeout Default Setting : 65535 Recommended Setting : 65535 This option sets the timeout value for Wake-On-ME.
Go into the Intel AMT Configuration. Figure 10: Intel AMT Configuration Screen Press the Enter key when MEBx displays “Update Network settings in the General Settings menu”. Press ’Y’ at the MEBx prompt below:...
Figure 11: Intel AMT Configuration Screen a. Check the Manageability Feature Selection. Default Setting : Enabled Recommended Setting : Enabled This option allows Intel AMT to be enabled or disabled. By default, the HP Z200 workstation is set to enable Intel AMT. Note that setting the Disabled option will disable all remote management capabilities.
Figure 12: Intel ME Features Control Screen with AMT Selected b. Check SOL/IDE-R. Figure 13: Intel ME SOL-IDE-R Configuration Screen...
a) Username & Password Default Setting : Enabled Recommended Setting : Enabled Select Enabled. This option allows users and passwords to be added from the WebGUI. If it is disabled, then only the administrator has MEBx remote access. b) SOL. Default Setting : Enabled Recommended Setting...
Figure 14: Intel ME KVM Configuration Screen KVM feature Selection. Default Setting : Enabled Recommended Setting : Enabled Figure 15: Intel ME KVM Configuration Screen...
ii. User opt-in. Default Setting : User Consent is required for KVM session Recommended Setting : User Dependent iii. Opt-in Configuration from remote IT Default Setting : Enabled Remote Control of KVM Opt-in Policy Recommended Setting : User Dependent Disable Remote Control of KVM Opt-in Policy – This option disables the Remote User’s ability to select User OPT-IN Policy.
Intel AMT WebGUI The Intel AMT WebGUI is a web browser-based interface for limited remote system management. The WebGUI is often used as a test to determine if AMT Setup and Configuration was performed properly on a system. A successful remote connection between a remote system and the host system running the WebGUI indicates proper AMT Setup and Configuration on the remote system.
Figure 16: Intel AMT WebGUI Screen 6) Review system information and/or make any necessary changes. Important Note: The MEBx password can be changed for the remote system in the WebGUI. Changing the password in the WebGUI or a remote console will result in two passwords.
Setup and Configuration Server A Setup and Configuration Server (SCS) is simply an application that executes over a network performing AMT Setup and Configuration. It is required for Enterprise mode setup and configuration. In a PSK Setup and Configuration, both the AMT client system and the SCS must share a set of Provisioning ID (PID) and Provisioning Passphrase (PPS).
Enterprise Mode – AMT Setup and Configuration Steps: The AMT Setup portion for Enterprise mode is the same as SMB mode. Repeat Steps 1 through 15 to perform AMT Setup. This will take the system from Factory mode to In Setup Mode. Refer to Manual Mode –...
Figure 17a: Intel ME Platform Configuration Screen Figure 17b: Intel AMT Configuration Screen Continued...
10) Go into Network Setup & select Host Name. Enter a host name Default Setting : None Recommended Setting : User Dependent Spaces are not accepted in the host name. 11) Go into Network Setup and select TCP/IP. a. Wired LAN IPv4 Configuration DHCP Mode Default Setting : DHCP Enabled...
Alternate DNS IPv6 Address Enter the Alternate DNS IPv6 Address Default Setting : None Recommended Setting : Network Dependent Example: 2001:db8::1428:57ab 12) Skip Activate Network Access. 13) Skip Un-Configure Network Access. 14) Go into Remote Setup And Configuration. Figure 18: Intel Setup and Configuration Screen This is the menu where the Enterprise mode provisioning data is entered.
TLS Provisioning Mode Provisioning IP Date of Provisioning The provisioning record for a system with PKI provisioning will include the following information: TLS Provisioning Mode Host Initiated Hash Data Hash Algorithm Serial Number ISDefault Bit Time Validity Pass FQDN Provisioning IP Date of Provisioning This option is only for display, no changes can be made here.
Figure 19: Intel TLS PSK Configuration Screen Go into Set PID and PPS. Default Setting : None Recommended Setting : System Dependent This option is for Provisioning ID (PID) and Provisioning Passphrase (PPS) entry. PIDs are 8 characters and PPS are 32 characters. There are dashes between every set of four characters so counting dashes PIDs are 9 characters and PPS are 40 characters.
15) FW Update Settings. Local FW Update Qualifier. Intel ME Firmware Local Update Qualifier Default Setting : Always Open Recommended Setting : Always Open This option allows the BIOS to override the ME Firmware Local Update option and to permit local updates. By default, the system BIOS allows for an unlimited number of local ME FW updates.
b. Idle Timeout Default Setting : 65535 Recommended Setting : 65534 This option sets the timeout value for Wake-On-ME. The default timeout value is 65535 from the factory and it is in units of a minute. A value of 0 means the Wake-On-ME feature is disabled and the ME will not go to sleep when not being used in a non-active system.
d. IDE Redirection Default Setting : Enabled Recommended Setting : Enabled Select Enabled. e. Legacy Redirection Mode. Default Setting : Disabled Recommended Setting : Disabled Select Disabled. This option allows the Redirection feature to work with pre-AMT 6.0 remote consoles (it must be set to Enabled for that use). 20) Check KVM Configuration.
26) When power is reapplied to the system, it will immediately look for a Setup and Configuration Server. If one is found, the AMT system will send a “Hello” message to the server. DHCP and DNS must be available for the Setup and Configuration Server search to automatically succeed.
Provisioning Methods There are three methods of provisioning a system with Enterprise mode: • Legacy • IT TLS-PSK • OEM TLS-PSK Legacy The Legacy method of AMT Setup and Configuration should be executed on an isolated network separate from the corporate network if TLS is desired. An S&CS server would have to have a secondary network connection to a Certification Authority for TLS configuration.
OEM TLS-PSK OEM TLS-PSK AMT Setup and Configuration is done in two stages. The first stage is performed during OEM manufacturing and the second stage at the customer location. In the first stage, customers purchase systems from HP. HP will set up those systems during manufacturing, bringing them to the In-Setup phase.
c. Return the information to the management console. 4) The management console writes the password, PID and PPS sets to a Setup.bin file in the USB Drive Key. 5) Technician takes the USB Drive Key to the staging area where new AMT platforms are located.
Remote Configuration Remote Configuration (RCFG) is the ability to use a single OEM image to provision systems securely without the need to manually modify AMT options. RCFG uses a Public Key Infrastructure with Certificate Hashes (PKI-CH) protocol to maintain security. A DHCP environment is required. RCFG relies on several new AMT features: • Embedded Hash Root Certificates ...
If no SCS responds to the Hello messages within the timeout period, then the network interface that sends out the Hello messages will be disabled. The network interface can be re-enabled to send out Hello messages again by the following methods: Restarted by a local agent.
Figure 20: Intel Remote Configuration Screen 1) Remote Configuration Enable/Disable Default Setting : Enabled Recommended Setting : Enabled This option enables or disables Remote Configuration. 2) Set PKI DNS Suffix This option allows the PKI DNS Suffix of the SCS to be entered. 3) Manage Certificate Hashes This option shows the hashes in the system including the name of the hash and whether it is active or not.
List of Supported CA Certificates The following is a list of supported Certificate Authorities and certificates. Not all of the certificates might be populated in certain configurations. • VeriSign Class 3 Primary CA-G1 SHA1 Fingerprint: 74 2C 31 92 E6 07 E4 24 EB 45 49 54 2B E1 BB C5 3E 61 74 E2 • VeriSign Class 3 Primary CA-G2 ...
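An added example (not HP or Intel code) of the check an administrator can run before relying on Remote Configuration: compute the SHA1 fingerprint of the root certificate that anchors the SCS certificate chain, print it in the same spaced-hex form as the list above, and compare it with the active entries shown under Manage Certificate Hashes. The function names, the constructed byte strings standing in for DER certificates, and the label-boundary rule used for the PKI DNS suffix are assumptions made for illustration, not documented firmware behaviour.

```python
import hashlib
import hmac

def format_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, printed as spaced upper-case hex like the list above."""
    return " ".join(f"{b:02X}" for b in hashlib.sha1(der).digest())

def parse_fingerprint(text: str) -> bytes:
    """Accept '74 2C 31 ...' or '74:2c:31:...' and return the 20 raw bytes."""
    raw = bytes.fromhex(text.replace(":", " "))
    if len(raw) != 20:
        raise ValueError("a SHA-1 fingerprint is 20 bytes")
    return raw

def matching_hash(root_der: bytes, table):
    """Name of the ACTIVE entry equal to SHA-1(root_der), or None."""
    digest = hashlib.sha1(root_der).digest()
    for name, fingerprint, active in table:
        if active and hmac.compare_digest(digest, parse_fingerprint(fingerprint)):
            return name
    return None

def under_suffix(fqdn: str, suffix: str) -> bool:
    """Match only at a DNS label boundary, so 'badcorp.example' is not under 'corp.example'."""
    host, suf = fqdn.rstrip(".").lower(), suffix.strip(".").lower()
    return bool(suf) and (host == suf or host.endswith("." + suf))

# Constructed stand-ins for DER-encoded root certificates (not real certificates).
LAB_ROOT = b"constructed lab root certificate bytes"
OLD_ROOT = b"constructed retired root certificate bytes"

# (name, SHA1 fingerprint, active) rows, as the Manage Certificate Hashes screen lists them.
TABLE = [
    ("VeriSign Class 3 Primary CA-G1",  # fingerprint as printed on this page
     "74 2C 31 92 E6 07 E4 24 EB 45 49 54 2B E1 BB C5 3E 61 74 E2", True),
    ("Constructed lab root", format_fingerprint(LAB_ROOT), True),
    ("Constructed retired root", format_fingerprint(OLD_ROOT), False),
]

if __name__ == "__main__":
    for label, der in (("lab", LAB_ROOT), ("retired", OLD_ROOT), ("unknown", b"x")):
        print(label, "->", matching_hash(der, TABLE))
    print(under_suffix("scs.corp.example", "corp.example"),
          under_suffix("scs.badcorp.example", "corp.example"))
```

A root whose hash entry is present but not active is treated the same as an unknown root, which is why the retired entry returns no match.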
Return to Default Return to Default is also known as Unprovisioning. An AMT Setup and Configured system can be unprovisioned. It is done through the ME Platform Configuration Screen and the Un-Configure Network Access option. Figure 21: Intel AMT Un-configure Network Screen Depending on how the system was previously provisioned, one or both unprovisioning options may appear.
c. After unprovisioning is done, control is passed back to the AMT Configuration screen. Notice that the Setup and Configuration option is available again since the system is set to the default Enterprise mode. 2) Return to previous menu. 3) Exit. a.
Appendix A: Frequently Asked Questions Q: How can the MEBx be locally accessed? A: The MEBx can be locally accessed by pressing CTRL-P during POST. Q: Why is the CTRL-P prompt not displayed during POST? A: By default the CTRL-P prompt is hidden during POST, but it can be displayed if set in F10 Setup.
A: HP Client Configuration Manager and ISVs such as Altiris provide Setup and Configuration Servers. Check with your management console supplier to see if they offer this service. Q: Can AMT be set for static address and the OS set for DHCP or vice versa? A: No.
Appendix B: Power / Sleep / Global States Explained Under the Advanced Configuration and Power Interface (ACPI) specification, a PC can be in one of several power states. These power states are also known as Sleep (Sx) states or Global (Gx) states. is the ON state.
Wake-On-ME feature is disabled and the ME will not go to sleep when not being used. © 2009 Hewlett-Packard Development Company, L.P.