Home » HP Manuals » Desktops » HP Dc7800 » Manual Viewer

HP Dc7800 vPro Setup and Configuration for the dc7800p Business PC with Intel - Page 3

AMT Setup and Configuration

UPC - 883585764365

Add to My Manuals
Save this manual to your list of manuals

Page 3 highlights

AMT Setup and Configuration AMT Setup involves the necessary steps to enable AMT such as setting up the system for AMT mode and enabling network connectivity. This setup is generally performed only once in the lifetime of a system. When AMT is enabled, it can be discovered by management software over a network. AMT Configuration sets up all other AMT options not covered in AMT Setup, such as enabling the system for Serial-Over-LAN (SOL) or IDE-Redirect (IDE-R). Settings modified in the configuration phase can be changed many times over the course of a system's life span. Changes can be made to the system locally or through a management console. AMT System Phases An AMT system can be in one of three phases in regards to its current stage of AMT Setup and Configuration, as follows: • Factory • In-Setup • Operational The Factory phase is the initial stage in which the system has been built from the factory and no AMT Setup and Configuration has been done. The only way to access AMT in Factory phase is through the MEBx. This phase will end for SMB mode systems after changing the default password. Enterprise mode systems also require that you set the Provisioning ID (PID) and Provisioning Passphrase (PPS). The In-Setup phase is the next stage and is where most AMT options are set. This can be a manual or automated procedure with a Setup and Configuration Server. The Operational phase is the final stage in which AMT is fully setup and configured in the system and ready for normal use. SMB Mode - AMT Setup and Configuration with MEBx SMB mode is for customers who do not have Independent Software Vendor (ISV) management consoles, or the necessary network and security infrastructures to use encrypted Transport Layer Security (TLS). SMB mode AMT set up and configuration is a manual process done through the Intel ME BIOS Extension (MEBx). SMB mode is the easiest to implement since it does not require much infrastructure, but is the least secure since all network traffic is not encrypted. HP recommends using this process only in a closed network. NOTE: The MEBx is an option ROM module that is provided to HP by Intel to be included in the HP system BIOS. The MEBx is not HP-specific and contains options that are not used by HP. If an option is not used by HP, ignore it and do not modify from its default state. Password Guidelines MEBx passwords must meet minimum criteria. These restrictions are enforced by the MEBx to reduce vulnerability of passwords to a dictionary attack. 3

Section	Page
vPro Setup and Configuration for the dc7800p Business PC with Intel vPro Processor Technology	1
Introduction	2
AMT Setup and Configuration	3
AMT System Phases	3
SMB Mode - AMT Setup and Configuration with MEBx	3
Password Guidelines	3
BIOS Prerequisite	4
SMB Mode - AMT Setup and Configuration Steps	5
1. Press Ctrl+P during POST to enter Manageability Engine BIOS Extension (MEBx) Setup. You can dis play this option only during POST if set in F10-Setup.	5
Figure 1 Intel MEBx Password Screen	5
2. Type the default password, which is admin. Passwords are case-sensitive.	5
3. Change the MEBx password. The new password must meet the Strong Password criteria defined in the Password Guidelines Section. Type the password twice for verification.	5
4. Select the Intel ME Platform Configuration. A window displays indicating that the system resets after configuration.	6
5. Select Y. ME platform configuration allows IT personnel to configure ME features such as AMT/ASF selection, power options, firmware update capabilities, and so on.	6
Figure 2 Intel ME Platform Configuration screen	6
6. Select Intel ME State Control, and then select Enabled.	6
7. Select Intel ME Firmware Local Update Qualifier.	6
8. Select Intel ME Features Control.	7
Figure 3 Intel ME Features Control Screen with AMT selected	7
9. Select Intel ME Power Control.	8
Figure 4 Intel ME Power Control Screen	8
10. Return to previous menu to exit the MEBx Setup and save ME configuration. The system will display an Intel ME Configuration Complete message and reboot. After the ME Configuration is complete, you can configure the AMT on the next boot.	9
11. Press Ctrl-P during POST to enter MEBx Setup again.	9
12. Type the MEBx password.	9
13. Select Intel AMT Configuration.	9
Figure 5 Intel AMT Configuration screen	9
14. Select Host Name, and then type a host name.	9
15. Select TCP/IP.	10
16. Select Provision Model.	11
17. Skip Un-Provision. This option returns the system to factory defaults.	11
18. Skip VLAN.	11
19. Select SOL/IDE-R.	11
20. Select Secure Firmware Update, and then select Enabled.	12
21. Skip Set PRTC.	12
22. Select Idle Timeout.	12
23. Select Return to previous menu.	12
24. Select Exit, and then select Y to exit the MEBx Setup and save settings.	12
Intel AMT WebGUI	12
Connecting with the Intel AMT WebGUI - SMB Example	13
1. Power on an AMT system that has completed AMT Setup and Configuration.	13
2. Execute a Web browser from a separate system - a Management computer on the same subnet as the AMT computer.	13
3. Connect to the IP address specified in the MEBx and port of the AMT system.	13
4. Type the user name and password. The default username is admin and the password is what you set during AMT Setup in the MEBx.	14
Figure 6 Intel AMT WebGUI Screen	14
5. Review system information and/or make any necessary changes.	14
6. Select Exit.	14
Setup and Configuration Server	15
1. The AMT system sends out a “hello” message that includes the PSK over the network.	15
2. The SCS receives the “hello” message and verifies the PSK.	15
3. If the verification passes, then the SCS begins setup and configuration.	15
4. Once setup and configuration completes, the original PSK is deleted from the AMT client system, and a new PSK is given.	15
Setup and Configuration Server Availability	15
Enterprise Mode Setup and Configuration	16
Enterprise Mode - AMT Setup and Configuration Steps	16
1. Access the MEBx by pressing Ctrl-P during POST.	16
2. Type the default password, which is admin.	16
3. Change the MEBx password, following strong password guidelines.	16
4. Select Intel ME Platform Configuration.	16
5. In Intel ME State Control, select Enabled.	16
6. In Intel ME Firmware Local Update Qualifier, select Always Open.	16
7. Select Intel ME Features Control.	16
8. Select Intel ME Power Control.	16
9. Select Exit and save. The system displays the Intel ME Configuration Complete message, and then reboots.	16
10. Press Ctrl+P during POST to enter MEBx Setup again.	16
11. Type the MEBx password.	16
12. Select Intel AMT Configuration. The Intel AMT Configuration screen includes numerous options, which are available by scrolling down the menu.	17
Figure 7 Intel AMT Configuration Screen	17
Figure 8 Intel AMT Configuration Screen Continued	17
13. Select Host Name, and then type a host name	17
14. Select TCP/IP.	18
15. Select Provision Model.	18
16. Select Setup and Configuration.	18
Figure 9 Intel Setup and Configuration Screen	18
Figure 10 Intel TLS PSK Configuration Screen	20
17. Skip Un-Provision. This option returns the system to factory defaults. See the Return to Default sec tion for more information about unprovisioning.	20
18. Skip VLAN.	20
19. Select SOL/IDE-R, and then select Y.	21
20. Select Remote Firmware Update, and then select Enabled.	21
21. Skip Set PRTC.	21
22. Select Idle Timeout.	21
23. Select Return to previous menu.	21
24. Select Exit, and then select Y to exit the MEBx Setup and save settings. The system displays an Intel ME Configuration Complete message (only once) and reboots.	21
25. Turn off the system and remove power. The system is now in In-Setup Mode and is ready for deploy ment.	21
26. Plug the system into a power source and connect the network. Use the integrated Intel 82566DM NIC. Intel AMT does not work with any other NIC solution.	22
Provisioning Methods	23
Legacy	23
IT TLS-PSK	23
OEM TLS-PSK	23
USB Drive Key Set Up and Configuration	24
1. An IT technician inserts a USB drive key into a system with a management console.	24
2. The technician request local setup and configuration records from an S&CS through the console.	24
3. The S&CS:	24
4. The management console writes the password, PID, and PPS sets to a Setup.bin file in the USB drive key.	24
5. The technician takes the USB drive key to the staging area where new AMT platforms are located. The technician:	24
6. The system BIOS detects the USB drive key.	24
7. The system BIOS displays a message that automatic setup and configuration will occur.	25
8. MEBx processes the record.	25
9. MEBx writes a completion message to display.	25
10. The IT technician powers down the system. The system is now in In-Setup phase and is ready to be dis tributed to users in an Enterprise mode environment.	25
11. Repeat Step 5 if necessary (more than one system).	25
USB Drive Key Requirements	25
Remote Configuration	25
Remote Configuration: Bare-Metal vs. Delayed	26
Remote Configuration Time-outs in HP Systems	27
Remote Configuration Prerequisites	27
MEBx and Hashes	27
1. Press Ctrl+P for the MEBx, and then type the MEBx password.	27
2. Select Intel AMT Configuration.	27
3. Select Setup and Configuration.	27
4. Select TLS PKI.	28
Figure 11 Intel Remote Configuration Screen	28
1. Select Remote Configuration Enable/Disable.	28
2. Skip Manage Certificate Hashes.	28
3. Set FQDN. This option allows the Fully Qualified Domain Name (FQDN) of the SCS to be entered.	28
4. Set PKI DNS Suffix. This option allows you to enter the PKI DNS Suffix of the SCS.	28
5. Select Return to the Previous Menu.	28
List of Supported CA Certificates	29
Return to Default	30
Figure 12 Intel AMT Unprovisioning Screen	30
1. Select Un-Provision, and then select the appropriate unprovision mode.	30
2. Select Return to previous menu.	30
3. Select Exit, and then select Y.	30
Full Return to Factory Defaults	31
Appendix A: Frequently Asked Questions	31
Appendix B: Power / Sleep / Global States Explained	33

Match case Limit results 1 per page

AMT Setup and Configuration

AMT Setup involves the necessary steps to enable AMT such as setting up the system for AMT mode and

enabling network connectivity. This setup is generally performed only once in the lifetime of a system.

When AMT is enabled, it can be discovered by management software over a network.

AMT Configuration sets up all other AMT options not covered in AMT Setup, such as enabling the system

for Serial-Over-LAN (SOL) or IDE-Redirect (IDE-R). Settings modified in the configuration phase can be

changed many times over the course of a system’s life span. Changes can be made to the system locally

or through a management console.

AMT System Phases

An AMT system can be in one of three phases in regards to its current stage of AMT Setup and Configu-

ration, as follows:

•

Factory

•

In-Setup

•

Operational

The Factory phase is the initial stage in which the system has been built from the factory and no AMT

Setup and Configuration has been done. The only way to access AMT in Factory phase is through the

MEBx. This phase will end for SMB mode systems after changing the default password. Enterprise mode

systems also require that you set the Provisioning ID (PID) and Provisioning Passphrase (PPS).

The In-Setup phase is the next stage and is where most AMT options are set. This can be a manual or

automated procedure with a Setup and Configuration Server.

The Operational phase is the final stage in which AMT is fully setup and configured in the system and

ready for normal use.

SMB Mode - AMT Setup and Configuration with MEBx

SMB mode is for customers who do not have Independent Software Vendor (ISV) management consoles,

or the necessary network and security infrastructures to use encrypted Transport Layer Security (TLS). SMB

mode AMT set up and configuration is a manual process done through the Intel ME BIOS Extension

(MEBx).

SMB mode is the easiest to implement since it does not require much infrastructure, but is the least secure

since all network traffic is not encrypted. HP recommends using this process only in a closed network.

NOTE

: The MEBx is an option ROM module that is provided to HP by Intel to be included in the HP sys-

tem BIOS. The MEBx is not HP-specific and contains options that are not used by HP. If an option is not

used by HP, ignore it and do not modify from its default state.

Password Guidelines

MEBx passwords must meet minimum criteria. These restrictions are enforced by the MEBx to reduce vul-

nerability of passwords to a dictionary attack.