Reproduction of these materials in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden. Trademarks used in this text: Dell, Latitude, and the DELL logo are trademarks of Dell Inc.; Intel is a registered trademark of Intel Corporation in the U.S.
Information on this page provided by Intel. The Intel® Management Engine BIOS Extension (MEBx) is an optional ROM module provided to Dell™ from Intel that is included in the Dell BIOS. The MEBx has been customized for Dell computers.
Transport Layer Security (TLS) and requires a configuration service. Enterprise mode allows IT administrators to set up and configure Intel AMT securely for remote management. The Dell™ computer is defaulted to Enterprise mode when it leaves the factory. The mode can be changed during the setup and configuration process.
Setup and Configuration Overview
The following is a list of important terms related to the Intel® AMT setup and configuration.
Setup and configuration — The process that populates the Intel AMT-managed computer with usernames, passwords, and network parameters that enable the computer to be administered remotely.
Provisioning —...
The SCS can create a custom certificate, which can be deployed on the AMT computer by means of a desk-side visit with a specially formatted USB thumb drive as detailed in the Configuration Service section of this document. The SCS could use a custom certificate which was pre-programmed at the Dell factory through the Custom Factory Integration (CFI) process.
computer with a desk-side visit in one of two ways: The key can be manually typed into the MEBx. The SCS can create a list of custom keys, and put them onto a specially formatted USB thumb drive. Then each AMT computer retrieves a custom key from the specially formatted USB thumb drive during BIOS boot as detailed in the Configuration Service section of this document.
The MEBx configuration user interface can be accessed on a computer through the following steps:
1. Turn on (or restart) your computer.
2. When the blue DELL™ logo appears, press <Ctrl><p> immediately. If you wait too long and the operating system logo appears, continue to wait until you see the Microsoft® Windows®...
Intel AMT Configuration
Change Intel ME Password
The Intel ME Configuration and Intel AMT Configuration menus are discussed on the following pages. First, the password must be changed in order to proceed through these menus.
Changing the Intel ME Password
The default password is admin and is the same on all newly deployed platforms.
ME Configuration Menu
To reach the Intel® Management Engine (ME) Platform Configuration page, follow these steps:
1. Under the Management Engine BIOS Extension (MEBx) main menu, select ME Configuration. Press <Enter>.
2. The following message appears: System resets after configuration changes.
When enabled, the ME State Control option lets you disable ME to isolate the ME computer from the main platform while debugging a field malfunction. The table below illustrates the details of the options.
ME Platform State Control
Option | Description
Enabled | Enable the Management Engine on the platform
Disabled...
Intel ME Features Control
The ME Features Control menu contains the following configuration selection.
Manageability Feature Selection
When you select the Manageability Feature Selection option on the ME Features Control menu, the ME Manageability Feature menu appears.
You can use this option to determine which manageability feature is enabled.
None — Choosing this option means that manageability will not be enabled.
Intel AMT/Intel Standard Manageability — Intel Active Management Technology (Intel AMT). If the system does not meet the minimum system requirements for Intel AMT, only Intel Standard Manageability will be selectable.
The power package selected determines when the ME is turned ON. The default power package is Desktop: ON in S0. The end user administrator can choose which power package is used depending on computer usage. The power package selection page can be seen above.
AMT Configuration Menu
After you completely configure the Intel® Management Engine (ME) feature, you must reboot before configuring the Intel AMT for a clean system boot. The image below shows the Intel AMT configuration menu after a user selects the Intel AMT Configuration option from the Management Engine BIOS Extension (MEBx) main menu.
A hostname can be assigned to the Intel AMT capable computer. This is the host name of the Intel AMT-enabled computer. If Intel AMT is set to DHCP, the host name MUST be identical to the operating system machine name.
TCP/IP – Allows you to change the following TCP/IP configuration of Intel AMT.
Current Provisioning Mode – Displays the current provisioning TLS Mode: None, PKI, or PSK. This configuration is only shown in Enterprise Provision Model.
Provisioning Record – Displays the provision PSK/PKI record data of the computer. If the data has not been entered, the MEBx displays a message that states "Provision Record not present".
change the active status of the certificate press the <+> key. To delete the hash press the <del> key. To add another key press the <ins> key.
Set FQDN – Sets the fully qualified domain name for the computer.
Set PKI DNS suffix – Sets the PKI DNS suffix.
TLS PSK
The submenu contains the TLS PSK configuration settings.
Remote Configuration Enable/Disable
The selectable options are Enable and Disable. If Remote Configuration is disabled, the menu options underneath are still displayed, but cannot be used until Remote Configuration is enabled. This option cannot be modified once the setup and configuration process is in progress. This parameter can only be modified while the computer is in the factory default or un-provisioned state.
The Manage Certificate Hash screen has several keyboard controls available to you to manage the hashes on the computer. The following keys are valid when in the Manage Certificate Hash menu:
Escape key – Exits from the menu
Insert key – Adds a customized certificate hash to the computer
Delete key –...
Change the active state of this hash? (Y/N) prompt. Answering yes to this question toggles the active state of the currently selected certificate hash. Setting a hash as active indicates that the hash is available to use during PSK provisioning.
Viewing a Certificate Hash
Press <Enter>...
SOL/IDE-R Username and Password – DISABLED** / ENABLED This option provides the user authentication for SOL/IDER session. If the Kerberos protocol is used, set this option to Disabled and set the user authentication through Kerberos. If Kerberos is not used, you have the choice to enable or disable user authentication on the SOL/IDER session.
Password Policy
This option determines when the user is allowed to change the MEBx password through the network. Note: The MEBx password can always be changed via the MEBx user interface. The options are:
Default Password Only – The MEBx password can be changed through the network interface if the default password has not been changed yet.
Secure Firmware Update
This option allows you to enable/disable secure firmware updates. Secure firmware update requires an administrator user name and password. If the administrator user name and password are not supplied, the firmware cannot be updated. When the secure firmware update feature is enabled, you are able to update the firmware using the secure method. Secure firmware updates pass through the LMS driver.
Set PRTC
Enter PRTC in GMT (UTC) format (YYYY:MM:DD:HH:MM:SS). Valid date range is 1/1/2004 – 1/4/2021. Setting PRTC value is used for virtually maintaining PRTC during power off (G3) state. This configuration is only displayed for the Enterprise Provision Model.
Idle Timeout
This setting is used to enable the Intel ME Wake on LAN feature and to define the Intel ME idle timeout in M1 state. The value should be entered in minutes. The value indicates the amount of time that the Intel ME is allowed to remain idle in M1 before transitioning to the M-off state.
Intel AMT in DHCP Mode Settings Example
The table below shows a basic field settings example for the Intel AMT Configuration menu page to configure the computer in DHCP mode.
Intel AMT Configurations Example in DHCP Mode
Intel AMT Configuration Parameters | Values
Intel AMT Configuration | Select and press <Enter>.
The table below shows a basic field settings example for the Intel AMT Configuration menu page to configure the computer in static mode. The computer requires two MAC addresses (GBE MAC address and Manageability MAC Address) to operate in static mode. If there is no Manageability MAC address, Intel AMT cannot be set in static mode.
Intel AMT Configurations Example in Static Mode
Intel AMT Configuration Parameters | Values...
Once the feature has been fully configured, there are three methods for initiating an Intel Fast Call for help session. These include:
At the Dell splash screen press <Ctrl><h>.
At the Dell splash screen press <F12> for the One Time Boot Menu. Select the last option titled Intel Fast Call for Help.
From Windows: 1.
Setup and Configuration Methods Overview
As discussed in the Setup and Configuration Overview section, the computer has to be configured before the Intel AMT capabilities are ready to interact with the management application. There are two methods to complete the provisioning process (in order from least complex to most complex):
Configuration service —...
USB provisioning only works if the MEBx password is set to the factory default of admin. If the password has been changed, reset it to the factory default by clearing the CMOS. The following is a typical USB drive key setup and configuration procedure. For a detailed walk-through using Altiris® Dell™ Client Manager (DCM), refer to the USB device procedure page.
1. Format a USB device with the FAT16 file system and no volume label and then set it aside.
2. Open the Altiris® Dell Client Manager application by double clicking the desktop icon or through the Start menu.
3. Select AMT Quick Start from the left navigation menu to open the Altiris Console.
4. Click the <+> to expand the Intel AMT Getting Started section.
5. Click the <+> to expand the Section 1. Provisioning section.
6. Click the <+> to expand the Basic Provisioning (without TLS) section.
7. Select Step 1. Configure DNS. The notification server with an out-of-band management solution installed must be registered in DNS as "ProvisionServer."...
8. Click Test on the DNS Configuration screen to verify that DNS has the ProvisionServer entry and that it resolves to the correct Intel setup and configuration server (SCS).
The IP address for the ProvisionServer and Intel SCS are now visible.
13. Click the plus symbol to add a new profile.
On the General tab the administrator can modify the profile name and description along with the password. The administrator sets a standard password for easy maintenance in the future. Select the manual radio button and enter a new password.
The Network tab provides the option to enable ping responses, VLAN, WebUI, Serial over LAN, and IDE Redirection. If you are configuring Intel AMT manually, all these settings are also available in the MEBx. The TLS (Transport Layer Security) tab provides the ability to enable TLS. If enabled, several other pieces of information are required including the certificate authority (CA) server name, CA common name, CA type, and certificate template.
The Power Policy tab has configuration options to select the sleep states for Intel AMT as well as an Idle Timeout setting. It is recommended that Idle timeout is always set to 0 for optimal performance. The setting for the Power Policy tab can potentially impact a computer's ability to remain E-Star 4.0 compliant. 14.
15. Select the icon with the arrow pointing out to Export Security Keys to USB Key.
16. Select the Generate keys before export radio button.
17. Enter the number of keys to generate (depends on the number of computers that need to be provisioned). The default is 50.
18. The Intel ME default password is admin. Configure the new Intel ME password for the environment.
19.
20. Insert the previously formatted USB device into a USB connector on the Provisioning Server.
21. Click the Download USB key file link to download setup.bin file to the USB device. The USB device is recognized by default; save the file to the USB device. If additional keys are needed in the future, the USB device must be reformatted before saving the setup.bin file to it.
a. Click Save in the File Download dialog box. b. Verify the Save in: location is directed to the USB device. Click Save.
c. Click Close in the Download complete dialog box. The setup.bin file is now visible in the drive Explorer window.
22. Close the Export Security Keys to USB Key and drive explorer windows to return to the Altiris Console.
23. Take the USB device to the computer, insert the device, and turn on the computer. The USB device is recognized immediately and you are prompted to Continue with Auto Provisioning (Y/N). Press <y>.
Press any key to continue with system boot...
24. Once complete, turn off the computer and move back to the management server.
25. Select Step 6. Configure Automatic Profile Assignments.
26. Verify that the setting is enabled. In the Intel AMT 2.0+ dropdown, select the profile created previously. Configure the other settings for the environment.
The computers for which the keys were applied begin to appear in the system list. At first the status is Unprovisioned, then the system status changes to In provisioning, and finally it changes to Provisioned at the end of the process.
MEBx Interface: Enterprise Mode Setup
The Intel® Management Engine BIOS Extension (MEBx) is an optional ROM module that Intel provides to Dell™ to be included in the Dell BIOS. The MEBx has been customized for Dell computers.
One lowercase letter
A number
A special (nonalphanumeric) character, such as !, $, or ; (excluding the :, ", and , characters)
The underscore ( _ ) and spacebar are valid password characters but do NOT add to the password complexity.
4.
6. Press <y> when the following message appears: System resets after configuration change. Continue (Y/N).
Intel ME State Control is the next option. The default setting for this option is Enabled. Do not change this setting to Disabled. If you want to disable Intel AMT, change the Manageability Feature Selection option to None in step...
7. Select Intel ME Firmware Local Update Qualifier. Press <Enter>.
8. Then select either Always Open, Never Open, or Restricted. Press <Enter>. The default setting for this option is Always Open.
9. Select Intel ME Features Control, and then press <Enter>.
Manageability Feature Selection is the next option. This feature sets the platform management mode. The default setting is Intel AMT. Selecting the None option disables all remote management capabilities.
10. Select Return to Previous Menu, and then press <Enter>.
11. Select Intel ME Power Control, and then press <Enter>.
Intel ME ON in Host Sleep States is the next option. The default setting is Mobile: ON in S0.
12. Select Return to Previous Menu, and then press <Enter>.
13. Select Return to Previous Menu, and then press <Enter>.
14. Exit the MEBx Setup and save the ME configuration. The computer displays an Intel ME Configuration Complete message and then restarts. After the ME configuration is complete, you can configure the Intel AMT settings.
Intel AMT Configuration
To enable Intel AMT Configuration settings on the target platform, perform the following steps:
1.
4. Select Host Name, and then press <Enter>.
5. Type in a unique name for this Intel AMT machine, and then press <Enter>. Spaces are not accepted in the host name. Make sure there is not a duplicate host name on the network. Host names can be used in place of the computer's IP for any applications requiring the IP address.
6. Select TCP/IP, and then press <Enter>.
7. Press <n> when the following message appears: [DHCP Enable] Disable DHCP (Y/N)
8. Type the domain name into the Domain name field.
9. Select Provision Model from the menu, and then press <Enter>.
10. Choose between an Enterprise or Small Business configuration. The default setting is Enterprise.
11. Select Setup and Configuration from the menu, and then press <Enter>.
12. Select Current Provisioning Mode to display the current mode, and then press <Enter>. The current provisioning mode is displayed. Press <Enter> or <Esc> to exit.
13. Select Provisioning Record from the menu, and then press <Enter>. The screen displays the provision PSK/PKI record data of the computer. If the data has not been entered, the MEBx displays a message that states "Provision Record not present". If the data is entered, the Provision Record displays one of several messages.
14. Select Provisioning Server from the menu, and then press <Enter>.
15. Type the provisioning server IP in the Provisioning server address field and press <Enter>. The default setting is 0.0.0.0. This default setting works only if the DNS server has an entry that can resolve the provision server to the IP of the provisioning server.
16. Type the port number in the Port number field and press <Enter>. The default setting is 0. If left at the default setting of 0, the Intel AMT attempts to contact the provisioning server on port 9971. If the provisioning server is listening on a different port, enter it here.
17. Select Provisioning Server FQDN from the menu, and then press <Enter>.
18. Type the fully qualified domain name (FQDN) for the provisioning server and press <Enter>.
19. Select TLS PSK from the menu, and then press <Enter>.
20. Set PID and PPS is the next option. The PID and PPS can be input manually or by using a USB key once the SCS generates the codes. This option is for entering the provisioning ID (PID) and provisioning passphrase (PPS). PIDs are eight characters and PPS are 32 characters.
Skip the Delete PID and PPS option. This option returns the computer to factory defaults. See the "Return to Default" section for more information about unprovisioning.
21. Select Return to Previous Menu, and then press <Enter>.
22. Select TLS PKI from the menu, and then press <Enter>.
23. Select Remote Configuration Enable/Disable from the menu, and then press <Enter>. This option is Enabled by default and can be Disabled if the network infrastructure does not support a Certificate Authority (CA).
Manage Certificate Hashes option is the next option. Four hashes are configured by default. Hashes can be deleted or added per customer needs.
24. Select Set PKI DNS Suffix from the menu. Press <Enter>.
25. Type the PKI DNS Suffix in the text field and press <Enter>.
26. Select Return to Previous Menu, and press <Enter>.
27. Select Return to Previous Menu, and then press <Enter>. This returns you to the Intel AMT Configuration menu.
Skip the Un-Provision option. This option returns the computer to factory defaults. See the "Return to Default" section for more information about unprovisioning.
28. Select SOL/IDE-R, and then press <Enter>.
29. Press <y> when the following message appears: [Caution] System resets after configuration changes. Continue: (Y/N)
For User Name & Password, select Enabled and then press <Enter>. This option allows you to add users and passwords from the WebGUI. If the option is disabled, then only the administrator has MEBx remote access.
For Serial Over LAN (SOL/IDE-R), select Enabled and then press <Enter>.
For IDE Redirection, select Enabled and then press <Enter>.
Password Policy is the next option. The default setting is Default Password Only.
Secure Firmware Update is the next option. The default setting is Enabled.
Idle Timeout is the next option. The default setting is 1. This timeout is applicable only when a WoL option is selected for enabling ME for the Enterprise operating mode.
30. Select Return to Previous Menu, and then press <Enter>.
32. Press <y> when the following message appears: Are you sure you want to exit? (Y/N):...
The computer restarts.
33. Turn off the computer and disconnect the power cable. The computer is now in setup state and is ready for deployment.
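A pre-deployment check for the values entered in the Enterprise mode procedure above, written as an added example (not Dell or Intel code): it applies the stated host name rules, the PID and PPS lengths, and the provisioning server defaults (0.0.0.0 relies on the ProvisionServer DNS entry, port 0 means 9971). The record layout, asset tags and sample values are constructed for illustration, and the example assumes that dashes in a PID or PPS are separators that do not count toward the length and that host names compare case-insensitively.

```python
from collections import Counter

# Defaults stated in steps 15 and 16 of the procedure above.
DEFAULT_SERVER_ADDRESS = "0.0.0.0"  # MEBx default; AMT then depends on DNS
DNS_NAME = "ProvisionServer"        # DNS entry the provisioning server is registered as
DEFAULT_PORT = 9971                 # port AMT contacts when the field is left at 0


def effective_endpoint(address, port):
    """Return the (host, port) the Intel AMT computer will try to contact."""
    host = DNS_NAME if address == DEFAULT_SERVER_ADDRESS else address
    return host, (DEFAULT_PORT if port == 0 else port)


def key_length(value):
    """Length of a PID or PPS, ignoring '-' (assumed to be a separator only)."""
    return len(value.replace("-", ""))


def check_record(rec):
    """Check one planned configuration record against the rules in the procedure."""
    problems = []
    name = rec["host_name"]
    if not name:
        problems.append("host name is empty")
    elif " " in name:
        problems.append("host name contains a space")
    if not 0 <= rec["port"] <= 65535:
        problems.append("port out of range")
    if key_length(rec["pid"]) != 8:
        problems.append("PID is not 8 characters")
    if key_length(rec["pps"]) != 32:
        problems.append("PPS is not 32 characters")
    return problems


def check_batch(records):
    """Check every record and flag host names used more than once in the batch."""
    names = Counter(r["host_name"].lower() for r in records if r["host_name"])
    report = {}
    for rec in records:
        problems = check_record(rec)
        if names[rec["host_name"].lower()] > 1:
            problems.append("duplicate host name in batch")
        host, port = effective_endpoint(rec["server"], rec["port"])
        report[rec["asset"]] = {"endpoint": f"{host}:{port}", "problems": problems}
    return report


# Constructed sample records; none of these values come from a real deployment.
GOOD_PPS = "-".join(["C1D2"] * 8)  # 32 characters plus separators
SAMPLE = [
    {"asset": "LAT-0001", "host_name": "amt-lab-01", "server": "0.0.0.0",
     "port": 0, "pid": "AAAA-BBBB", "pps": GOOD_PPS},
    {"asset": "LAT-0002", "host_name": "amt lab 02", "server": "192.0.2.10",
     "port": 9971, "pid": "AAAA-BBB", "pps": GOOD_PPS},
    {"asset": "LAT-0003", "host_name": "AMT-LAB-01", "server": "192.0.2.10",
     "port": 9000, "pid": "EEEE-FFFF", "pps": "short"},
]

if __name__ == "__main__":
    for asset, result in check_batch(SAMPLE).items():
        status = "; ".join(result["problems"]) or "ok"
        print(f"{asset}: contacts {result['endpoint']} -> {status}")
```

A record left at the defaults depends entirely on what ProvisionServer resolves to on the deployment network, so the endpoint column is worth reviewing alongside the DNS test in the provisioning console.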
Dell BIOS. The MEBx has been customized for Dell computers. Dell also supports setup and configuration of Intel AMT in the small and medium business (SMB) mode. The only setting not required in the SMB mode is the Set PID and PPS option. Also, the Provision Model option is set to Small Business instead of Enterprise.
A number
A special (nonalphanumeric) character, such as !, $, or ; (excluding the :, ", and , characters)
The underscore ( _ ) and spacebar are valid password characters but do NOT add to the password complexity.
5. Change the password to establish Intel AMT ownership. The computer then goes from the factory-default state to the setup state.
7. Press <y> when the following message appears: System resets after configuration change. Continue (Y/N).
Intel ME State Control is the next option. The default setting for this option is Enabled. Do not change this setting to Disabled. If you want to disable Intel AMT, change the Manageability Feature Selection option to None later in this procedure.
8. Select Intel ME Firmware Local Update and then press <Enter>.
9. Select either Always Open, Never Open, or Restricted, and then press <Enter>. The default setting for this option is Disabled.
10. Select Intel ME Features Control, and then press <Enter>.
Manageability Feature Selection is the next option. This feature sets the platform management mode. The default setting is Intel AMT. Selecting the None option disables all remote management capabilities.
11. Select Return to Previous Menu, and then press <Enter>.
12. Select Intel ME Power Control, and then press <Enter>.
Intel ME ON in Host Sleep States is the next option. The default setting is Mobile: ON in S0.
13. Select Return to Previous Menu and then press <Enter>.
14. Select Return to Previous Menu, and then press <Enter>.
15. Exit the MEBx Setup and save the ME configuration. The computer displays an Intel ME Configuration Complete message and then restarts. After the ME configuration is complete, you can configure the Intel AMT settings.
Intel AMT Configuration
Enabling Intel AMT for SMB Mode
1.
4. Select Host Name, and then press <Enter>.
5. Type in a unique name for this Intel AMT machine, and then press <Enter>. Spaces are not accepted in the host name. Make sure there is not a duplicate host name on the network. Host names can be used in place of the computer's IP for any applications requiring the IP address.
6. Select TCP/IP, and then press <Enter>.
7. Press <n> when the following message appears: [DHCP Enable] Disable DHCP (Y/N)
9. Select Provision Model from the menu, and then press <Enter>. This allows you to choose between an Enterprise or a Small Business configuration. The default setting is Enterprise.
10. Press <y> when the following message appears:...
11. Skip the Un-Provision option. This option returns the computer to factory defaults. See the "Return to Default" section for more information about unprovisioning.
12. Select SOL/IDE-R. Press <Enter>.
13. Press <y> when the following message appears: [Caution] System resets after configuration changes. Continue: (Y/N)
14. Select Enabled for Username & Password, and then press <Enter>. This option allows you to add users and passwords from the WebGUI. If the option is disabled, then only the administrator has MEBx remote access.
15. For Serial Over LAN, select Enabled and then press <Enter>.
16. For IDE Redirection, select Enabled and then press <Enter>.
17. For Password Policy, select Enabled and then press <Enter>.
Secure Firmware Update is the next option. The default setting is Enabled.
Idle Timeout is the next option. The default setting is 1. This timeout is applicable only when a WoL option is selected for Intel ME ON in Host Sleep States screen of the process for enabling ME for the Enterprise operating mode.
19. Select Return to Previous Menu, and then press <Enter>.
21. Press <y> when the following message appears: Are you sure you want to exit? (Y/N):...
22. After the computer restarts, turn off the computer and disconnect the power cable. The computer is now in setup state and is ready for deployment.
System Deployment
Once you are ready to deploy a computer to a user, plug the computer into a power source and connect it to the network. Use the integrated Intel® 82566DM NIC. Intel Active Management Technology (Intel AMT) does not work with any other NIC solution.
SOL/LMS Driver
The Intel® AMT Serial-Over-LAN (SOL) / Local Manageability Service (LMS) driver is available on support.dell.com and on the ResourceCD under Chipset Drivers. The driver is labeled Intel AMT SOL/LMS. Once the driver is obtained, execute the file; it unzips and prompts the user to continue the installation process.
Intel AMT WebGUI
The Intel® AMT WebGUI is a Web browser-based interface for limited remote computer management. The WebGUI is often used as a test to determine if Intel AMT setup and configuration was performed properly on a computer. A successful remote connection between a remote computer and the host computer running the WebGUI indicates proper Intel AMT setup and configuration on the remote computer.
AMT Redirection Overview
Intel® AMT makes it possible to redirect serial and IDE communications from a managed client to a management console regardless of the boot and power state of the managed client. The client need only have the Intel AMT capability, a connection to a power source, and a network connection.
BIOS. The firmware CANNOT be flashed to an older version or to the current version installed. The firmware flash, when available, is located on the support.dell.com site for download.
Serial-Over-LAN (SOL) / IDE Redirection (IDE-R)
If you cannot use IDE-R and SOL, follow these steps:
1.