
Figure 11 Intel Remote Configuration Screen

1. Select Remote Configuration Enable/Disable.
   Default Setting = Enabled, Recommended Setting = Enabled
   This option enables or disables remote configuration.

2. Skip Manage Certificate Hashes.
   This option shows the hashes in the system, including the name of the hash and whether it is active. If no hashes are in the system, then an option to add one is available. If hashes are available, then an option to delete one or more is available.
   To add a hash:
   a. Press Insert.
   b. Type a name for the hash.
   c. Type the fingerprint of the hash.
   d. Select whether this hash is active. Hashes can be made active, not active, default, or not default in this screen.

3. Set PKI DNS Suffix. This option allows you to enter the PKI DNS Suffix of the SCS.

4. Select Return to the Previous Menu.
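The fingerprint typed in step 2c can be computed from the root CA certificate file and compared against what was typed, so that a mistyped digit is caught before the hash is made active. The following Python is an added example, not part of the HP paper; it assumes a SHA-1 fingerprint written as space-separated upper-case hex pairs (the separator MEBx accepts is not stated on this page), the function names are hypothetical, and SAMPLE_PEM is a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed stand-in for a root CA certificate file. The body is NOT a real
# certificate, only placeholder bytes, so the example runs offline.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed placeholder DER bytes " * 4).decode()
    + "-----END CERTIFICATE-----\n"
)

def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(
        r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S
    )
    if m is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER encoding, as space-separated upper-case hex pairs."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize_typed(text: str) -> str:
    """Canonicalise a hand-typed fingerprint; reject anything not 20 bytes."""
    digits = re.sub(r"[\s:\-]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", digits):
        raise ValueError("a SHA-1 fingerprint is exactly 40 hex digits")
    return " ".join(digits[i:i + 2] for i in range(0, 40, 2))

def typed_matches_cert(typed: str, pem: str) -> bool:
    """True only if the typed fingerprint equals the certificate's fingerprint."""
    return normalize_typed(typed) == sha1_fingerprint(pem_to_der(pem))

if __name__ == "__main__":
    fp = sha1_fingerprint(pem_to_der(SAMPLE_PEM))
    print("Fingerprint to type:", fp)
    typed = fp.replace(" ", ":").lower()  # same value, different notation
    print("Colon form accepted:", typed_matches_cert(typed, SAMPLE_PEM))
```

With a real deployment, replace SAMPLE_PEM with the contents of the root CA certificate that issued the SCS provisioning certificate.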

Summary of Contents for 8000 - Elite Convertible Minitower PC

Page 1: ...rise Mode Setup and Configuration 16 Enterprise Mode AMT Setup and Configuration Steps 16 Provisioning Methods 24 Legacy 24 IT TLS PSK 24 OEM TLS PSK 24 USB Drive Key Set Up and Configuration 25 USB Drive Key Requirements 26 Remote Configuration 26 Remote Configuration Bare Metal vs Delayed 27 Remote Configuration Time outs in HP Systems 27 Remote Configuration Prerequisites 28 MEBx and Hashes 28 ...

Page 2: ...Web download in the Fall of 2007 with HP Compaq dc7700p Business PCs AMT 3 0 Introduced with the Intel Q35 Express chipset and will be shipped with HP Compaq d7800p systems AMT 3 2 Introduced with the HP Compaq dc7800p April 2008 Refresh AMT 5 0 Introduced with the Intel Q45 Express chipset and shipped with HP Compaq dc7900 systems AMT 5 2 Shipped on the HP Compaq 8000 Elite Business PCs AMT 5 0 ...

Page 3: ...after changing the default password Enterprise mode systems also require that you set the Provisioning ID PID and Provisioning Passphrase PPS More details about passwords PIDs and PPS are provided in later sections of this paper The In Setup phase is the next stage and is where most AMT options are set This can be a manual or automated procedure with a Setup and Configuration Server The Operationa...

Page 4: ...amation At Number Dollar Percent Caret Asterisk The underscore _ is considered alpha numeric The following characters are not allowed Quotation mark Apostrophe Comma Greater than Less than Colon Ampersand Space BIOS Prerequisite This white paper is for use with HP Compaq 8000 Elite Business PCs The HP Compaq 8000 Elite Business PC uses the 786G7 BIOS family For best performance and to take advant...

Page 5: ...ring POST if set in F10 Setup Figure 1 Intel MEBx Password Screen 2 Type the default password which is admin Passwords are case sensitive NOTE You must change the default password before making changes to the MEBx options 3 Change the MEBx password The new password must meet the Strong Password criteria defined in the Password Guidelines Section Type the password twice for verification Change the ...

Page 6: ... list until root cause is found Note that if the ME is disabled then all AMT and ASF functions are also disabled The system will not be remotely manageable 7 Select Intel ME Firmware Local Update Qualifier Default Setting Always Open Recommended Setting Always Open This option allows the BIOS to override the ME Firmware Locale Update option and to permit local ME firmware updates Always Open is th...

Page 7: ...MT and ASF is an available option Note that setting the None option will disable all remote management capabilities Setting None will also unprovision any AMT settings i Select Intel AMT ii Select Return to previous menu Figure 3 Intel ME Features Control Screen with AMT selected iii Select Return to the previous menu Never Open Restricted ME Firmware Local Update Enabled Local ME firmware updates...

Page 8: ...Option 2 ME is ON only when the system is in S0 or S3 Option 3 ME is ON at all times S0 S3 S4 and S5 Option 4 ME is ON only when the system is in S0 It will be asleep in S3 unless it is called upon Timer for ME sleep is set by the Idle Timeout option Option 5 ME is ON only when the system is in S0 It will be asleep in S3 S5 unless it is called upon Timer for ME sleep is set by the Idle Timeout opt...

Page 9: ...nter MEBx Setup again 12 Type the MEBx password 13 Select Intel AMT Configuration Figure 5 Intel AMT Configuration screen 14 Select Host Name and then type a host name Default Setting HPSystem Recommended Setting User Dependent NOTES Spaces are not accepted in the host name Make sure there is not a duplicate host name on the network You can use host names in place of the system s IP for any applic...

Page 10: ...Address and then accept the default and press Enter Default Setting 0 0 0 0 Recommended Setting Network Dependent Leave as 0 0 0 0 if this option is not needed f Select Preferred DNS Address and then accept the default value and press Enter Default Setting 0 0 0 0 Recommended Setting Network Dependent Leave as 0 0 0 0 if this option is not needed g Select Alternate DNS Address and then accept the ...

Page 11: ...etworks into one virtual network 19 Select SOL IDE R a Select Y in the message window b Select Username and Password and then select Enabled Default Setting Enabled Recommended Setting Enabled This option allows users and passwords to be added from the WebGUI If the option is disabled then only the administrator has MEBx remote access c Select Serial Over LAN and then select Enabled Default Settin...

Page 12: ...700p that allowed both decimal and hexadecimal notation It must be set to a non zero value for the ME to take advantage of Wake On ME This value is not used when the system is in an active state S0 This value is used only if the ME ON in Host Sleep State setting is set to allow ME WoL See Appendix C Wake On ME Explained on page 35 for an explanation of Wake On ME ME WoL 24 Select Return to previou...

Page 13: ...efault for SMB Setup and Configured systems WebGUI support for Enterprise Setup and Configured systems is determined by the Setup and Configuration Server Connecting with the Intel AMT WebGUI SMB Example 1 Power on an AMT system that has completed AMT Setup and Configuration 2 Execute a Web browser from a separate system a Management computer on the same subnet as the AMT computer 3 Connect to the...

Page 14: ...w password known as the remote MEBx password only works remotely with the WebGUI or remote console The local MEBx password used to locally access the MEBx is not changed The user has to remember both local and remote MEBx passwords to access the system MEBx locally and remotely When the MEBx password is initially set in AMT Setup the password serves as both the local and remote password If the rem...

Page 15: ...abase can be transferred to another Setup and Configuration server s database The following provides a brief outline of the initial communication between an AMT client system and an SCS 1 The AMT system sends out a hello message that includes the PSK over the network 2 The SCS receives the hello message and verifies the PSK 3 If the verification passes then the SCS begins setup and configuration ...

Page 16: ...for AMT Setup 1 Access the MEBx by pressing Ctrl P during POST 2 Type the default password which is admin 3 Change the MEBx password following strong password guidelines 4 Select Intel ME Platform Configuration 5 In Intel ME State Control select Enabled 6 In Intel ME Firmware Local Update Qualifier select Always Open 7 Select Intel ME Features Control a Select Check Manageability Features b Select...

Page 17: ...options which are available by scrolling down the menu Figure 7 Intel AMT Configuration Screen Figure 8 Intel AMT Configuration Screen Continued 13 Select Host Name and then type a host name Default Setting HPSystem Recommended Setting User Dependent Spaces are not accepted in the host name ...

Page 18: ...ting DHCP Enabled Recommended Setting User Dependent For the purpose of this white paper DHCP is enabled 15 Select Provision Model a Change to Small Business and then select N Default Setting Enterprise Recommended Setting Enterprise b Select Return to previous menu 16 Select Setup and Configuration Figure 9 Intel Setup and Configuration Screen This is the menu where the Enterprise mode provisioni...

Page 19: ...play no changes can be made here c Select Provisioning Server IP i Enter Provisioning Server IP Default Setting 0 0 0 0 Recommended Setting Network Dependent ii Enter Port Default Setting 0 Recommended Setting 9971 This option is used in Enterprise mode when an Intel AMT Setup and Configuration Provisioning Server is available It points to the IP address of the SCS If the IP is left as the default...

Page 20: ... 9 characters and PPS are 40 characters They must be generated by an SCS The Admin Password PID and PPS can be pre populated by HP during manufacturing Go to the OEM TLS PSK section for details ii Skip Delete PID and PPS This option deletes the current PID and PPS entries in the system iii Select Return to previous menu e Skip TLS PKI This option is for Remote Configuration RCFG also known as Zero...

Page 21: ...on determines if the local MEBx password can be modified from a remote console 21 Select Remote Firmware Update and then select Enabled Default Setting Enabled Recommended Setting Enabled This option enables or disables the ability to remotely update the ME firmware 22 Skip Set PRTC Default Setting None Recommended Setting Current Date and Time This option sets the PRTC Protected Real Time Clock I...

Page 22: ...ied to the system the system immediately looks for a Setup and Configuration Server If the system finds this server the AMT system will send a Hello message to the server DHCP and DNS must be available for the Setup and Configuration Server search to automatically succeed If DHCP and DNS are not available then the Setup and Configuration Server s IP address must be manually entered into the AMT sy...

Page 23: ...otiate credentials You can set other options depending on SCS implementation The system goes from In Setup phase to Operational phase and AMT is fully operational Once in the Operational phase you can remotely manage the system and you can provide the system to end users for regular use ...

Page 24: ...frastructure AMT systems in the Factory phase are given to the IT department which is responsible for AMT set up and configuration The IT department can use any method to enter in AMT setup information after which the systems will be in Enterprise mode and in the In Setup phase An SCS will need to generate PID and PPS sets AMT Configuration must occur over a network The network can be encrypted u...

Page 25: ...ill eliminate manual AMT Setup of each unit at the customer site Contact HP for more information about this valuable service USB Drive Key Set Up and Configuration You can set up and locally configure password PID and PPS information with a USB drive key This feature allows an IT technician to manually setup and configure systems without the problems associated with manually typing in entries The...

Page 26: ...our management console supplier for more information on USB drive key set up and configuration USB Drive Key Requirements The USB drive key must meet the following requirements to be usable in USB Drive Key Setup and Configuration It must be greater than 16MB The sector size must be 1KB The USB drive key is not formatted to boot The Setup bin file must be the first file landed on the USB drive k...

Page 27: ...tive and the system is connected to a network This means that the AMT system is configured without the use of a local agent and does not use One Time Password OTP authentication Delayed as the name implies is remote configuration at a later time when an operating system has been installed on the AMT system In this implementation Setup and Configuration is started when a remote console application ...

Page 28: ...sage field 2 16 840 1 1 13741 1 2 3 This is the unique Intel AMT OID OU value in Subject field Intel Client Setup Certificate This OU value is case sensitive and must be entered exactly as shown In the case of a Delayed Setup and Configuration an operating system and local agent must be installed on the AMT system MEBx and Hashes AMT 5 0 has the feature in the MEBx to allow IT administrators to ma...

Page 29: ...he hash and whether it is active If no hashes are in the system then an option to add one is available If hashes are available then an option to delete one or more is available To add a hash a Press Insert b Type a name for the hash c Type the fingerprint of the hash d Select whether this hash is active Hashes can be made active not active default or not default in this screen 3 Set PKI DNS Suffix...

Page 30: ...6 07 E4 24 EB 45 49 54 2B E1 BB C5 3E 61 74 E2 VeriSign Class 3 Primary CA G3 SHA1 Fingerprint 13 2D 0D 45 53 4B 69 97 CD B2 D5 C3 39 E2 55 76 60 9B 5C C6 Go Daddy Class 2 CA SHA1 Fingerprint 27 96 BA E6 3F 18 01 E2 77 26 1B A0 D7 77 70 02 8F 20 EE E4 Comodo AAA CA SHA1 Fingerprint D1 EB 23 A4 6D 17 D6 8F D9 25 64 C2 F1 F1 60 17 64 D8 E3 49 Starfield Class 2 CA SHA1 Fingerprint AD 7E 1C 28 B0 64 E...

Page 31: ...ode provisioned systems It will return all AMT Configuration settings to factory defaults All certificate hashes will be deleted and the default hash will be made active It does not reset ME Configuration settings or passwords Partial unprovisioning is available for Enterprise mode provisioned systems Partial unprovisioning will return all AMT Configuration setting to factory defaults with the exc...

Page 32: ...ault username and password are both admin Q Why does the MEBx not accept my new password A All MEBx passwords other than the default password must comply with the strong password guidelines See the Password Guidelines section for more details Q If the password is not known how can the system be recovered A Clearing CMOS will reset all AMT options including the password The password will revert bac...

Page 33: ... console supplier to see if they offer this service Q Can AMT be set for static address and the OS set for DHCP or vice versa A No Although it can be done this is not a supported setting by Intel and may cause unexpected system behavior Q What is the default port used by the Intel WebGUI A The Intel WebGUI listens to port 16992 Q What is the difference between the ME and AMT A The ME is the contro...

Page 34: ...ontext is restored from the hibernation file Vaux remains powered but all other subsystems including system memory and the processor are not powered S5 is the Soft Off state It is identical to S4 with the exception that the system context is not saved When the system resumes from S5 it powers up and going through POST S5 is also known as G2 G3 is the Mechanical Off state All subsystems are not pow...

Page 35: ... system is in a sleep state The ME counts down from the amount of time set in Idle Timeout before it will go to sleep Idle Timeout must be set to a non zero value If it is set to zero then the Wake On ME feature is disabled and the ME will not go to sleep when not being used 2009 Hewlett Packard Development Company L P The information in this document is subject to change without notice The only ...
