Notebook and Desktop PCs with Intel® vPro™ Technology in Small- and Medium-Size Business Environments

Solution Configuration Guide

Rev date: Nov, 2007 V 1.0

Intel® AMT Configuration Guide for SMB Environments

The information contained in this document is provided for informational purposes only and represents the current view of Intel Corporation (“Intel”) and its contributors (“Contributors”), as of the date of publication. Intel and the Contributors make no commitment to update the information contained in this document, and Intel reserves the right to make changes at any time, without notice. THIS DOCUMENT IS PROVIDED “AS IS.” NEITHER INTEL, NOR THE CONTRIBUTORS MAKE ANY REPRESENTATIONS OF ANY KIND WITH RESPECT TO PRODUCTS REFERENCED HEREIN, WHETHER SUCH PRODUCTS ARE THOSE OF INTEL, THE CONTRIBUTORS, OR THIRD PARTIES. INTEL AND ITS CONTRIBUTORS EXPRESSLY DISCLAIM ANY AND ALL WARRANTIES, IMPLIED OR EXPRESS, INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY WARRANTY ARISING OUT OF THE INFORMATION CONTAINED HEREIN, INCLUDING WITHOUT LIMITATION, ANY PRODUCTS, SPECIFICATIONS, OR OTHER MATERIALS REFERENCED HEREIN. INTEL AND ITS CONTRIBUTORS DO NOT WARRANT THAT THIS DOCUMENT IS FREE FROM ERRORS, OR THAT ANY PRODUCTS OR OTHER TECHNOLOGY DEVELOPED IN CONFORMANCE WITH THIS DOCUMENT WILL PERFORM IN THE INTENDED MANNER, OR WILL BE FREE FROM INFRINGEMENT OF THIRD PARTY PROPRIETARY RIGHTS, AND INTEL AND ITS CONTRIBUTORS DISCLAIM ALL LIABILITY THEREFORE. INTEL AND ITS CONTRIBUTORS DO NOT WARRANT THAT ANY PRODUCT REFERENCED HEREIN OR ANY PRODUCT OR TECHNOLOGY DEVELOPED IN RELIANCE UPON THIS DOCUMENT, IN WHOLE OR IN PART, WILL BE SUFFICIENT, ACCURATE, RELIABLE, COMPLETE, AND FREE FROM DEFECTS OR SAFE FOR ITS INTENDED PURPOSE, AND HEREBY DISCLAIM ALL LIABILITIES THEREFORE. ANY PERSON MAKING, USING OR SELLING SUCH PRODUCT OR TECHNOLOGY DOES SO AT HIS OR HER OWN RISK. Licenses may be required. Intel its contributors and others may have patents or pending patent applications, trademarks, copyrights or other intellectual proprietary rights covering subject matter contained or described in this document. 
No license, express, implied, by estoppels or otherwise, to any intellectual property rights of Intel or any other party is granted herein. It is your responsibility to seek licenses for such intellectual property rights from Intel and others where appropriate. Intel hereby grants you a limited copyright license to copy this document for your use and internal distribution only. You may not distribute this document externally, in whole or in part, to any other person or entity. IN NO EVENT SHALL INTEL OR ITS CONTRIBUTORS HAVE ANY LIABILITY TO YOU OR TO ANY OTHER THIRD PARTY, FOR ANY LOST PROFITS, LOST DATA, LOSS OF USE OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF YOUR USE OF THIS DOCUMENT OR RELIANCE UPON THE INFORMATION CONTAINED HEREIN, UNDER ANY CAUSE OF ACTION OR THEORY OF LIABILITY, AND IRRESPECTIVE OF WHETHER INTEL OR ANY CONTRIBUTOR HAS ADVANCE NOTICE OF THE POSSIBILITY OF SUCH DAMAGES. THESE LIMITATIONS SHALL APPLY NOTWITHSTANDING THE FAILURE OF THE ESSENTIAL PURPOSE OF ANY LIMITED REMEDY.

Intel® vPro™ technology includes Intel® Active Management Technology (Intel® AMT) and Intel® Virtualization Technology (Intel® VT). Intel® Active Management Technology (Intel® AMT) requires the computer system to have an Intel AMT-enabled chipset, network hardware and software, as well as connection with a power source and a corporate network connection. Setup requires configuration by the purchaser and may require scripting with the management console or further integration into existing security frameworks to enable certain functionality. It may also require modifications of implementation of new business processes. With regard to notebooks, Intel AMT may not be available or certain capabilities may be limited over a host OS-based VPN or when connecting wirelessly, on battery power, sleeping, hibernating or powered off.
For more information, see www.intel.com/technology/platform-technology/intel-amt/. Intel® Virtualization Technology (Intel® VT) requires a computer system with an enabled Intel® processor, BIOS, virtual machine monitor (VMM), and for some uses, certain platform software enabled for it. Functionality, performance, or other benefits will vary depending on hardware and software configurations and may require a BIOS update. Software applications may not be compatible with all operating systems. Please check with your application vendor. Any third party links in this material are not under the control of Intel and Intel is not responsible for the content of any third party linked site or any link contained in a third party linked site. Intel reserves the right to terminate any third party link or linking program at any time. Intel does not endorse companies or products to which it links. If you decide to access any of the third party sites linked to this material, you do so entirely at your own risk. Intel, the Intel logo, , Intel vPro, and Intel Core are trademarks of Intel Corporation in the United States and other countries. *Other names and brands may be claimed as the property of others. Copyright © 2007 Intel Corporation. All rights reserved.

Part Number: 317307-001

Revision History

| Revision | Revision History | Date |
| --- | --- | --- |
| 1.0 | First release | Nov 2007 |

Table of Contents

Introduction
• Audience
• Scope
• Contents
• Where to get the solution
• Related documentation

Section 1: Quick Start for Desktop PCs
• Introduction
• Configure Intel AMT for a desktop PC
• Configuration settings for wired operation
• Configure Intel AMT for wired DHCP
• Validate Intel AMT wired configuration using a Web browser
• Where to go from here

Section 2: Deployment Requirements
• Introduction
• Hardware and software requirements
• Requirements for desktop PCs
• Requirements for notebooks
• Configuration requirements
• DHCP networking vs. static IP addressing
• Operational settings for Intel AMT
• Where to find certain types of information
• Important considerations
• Security considerations and best practices
• Intel AMT administrator passwords
• Important considerations for passwords
• Password requirements
• Where to go from here

Section 3: Configure and Validate Intel® AMT
• Overview
• Configuration features in the PC
• Configure Intel AMT
• Desktop PC: Configure Intel AMT for wired operation
• Notebooks: Configure Intel AMT
• Notebooks: Configure Intel AMT for wired operation
• Notebooks: Configure wireless radio parameters
• Validate configuration
• Notebooks and desktop PCs: Validate wired operation using a Web browser
• Notebooks: Validate wireless communication
• If you have trouble validating configuration
• Intel AMT Commander
• Where to go from here

Section 4: Reconfigure and Unconfigure Intel® AMT
• Introduction
• Change a host name for a wired or wireless PC or move the wired PC
• Return Intel AMT to factory defaults
• Remove device from management domain
• Unconfigure Intel AMT by changing manageability mode
• Unconfigure Intel AMT and erase security credentials via MEBx
• Unconfigure Intel AMT and erase security credentials via hardware jumpers
• For more information

Appendix A: Accessing BIOS

Appendix B: Acronyms and Glossary
• Glossary
• Acronyms

List of Tables
• Table 1-1. Quick start: Wired configuration settings for desktop PC
• Table 2-1. Hardware and software requirements: Desktop PC
• Table 2-2. Hardware and software requirements: Notebooks
• Table 2-3. Network elements required for DHCP or static IP addressing
• Table 2-4. Configuration settings: Wired notebook or desktop PC
• Table 2-5. Configuration settings: Wireless notebooks
• Table 2-6. How to find information required to configure Intel AMT
• Table 2-7. Special considerations for specifying Intel AMT parameters
• Table 2-8. Administrator passwords
• Table 2-9. Considerations and best practices for passwords
• Table 4-1. Unconfiguring Intel AMT vs. erasing security credentials
• Table B-1. Commands/keys to access BIOS

List of Figures
• Figure 1-1. Deployment process
• Figure 3-1. Deployment process
• Figure 3-2. Sample BIOS screen for a notebook
• Figure 3-3. Sample Intel AMT screen for a notebook
• Figure 3-4. Sample configuration screen for notebooks
• Figure 3-5. Enabling wireless management and entering a wireless profile name
• Figure 3-6. Entering wireless profile information

Introduction

Welcome to the solution guide Notebook and Desktop PCs with Intel® vPro™ Technology in Small- and Medium-Size Business Environments. This guide explains how to configure:
• Notebooks with Intel® Centrino® with vPro™ technology
• Desktop PCs with select Intel® Core™2 processors with vPro™ technology

This guide explains how to configure notebook and desktop PCs for small- and medium-business (SMB) environments, so the PCs can be remotely managed by a third-party management application. This guide explains how to configure Intel AMT for wired operation for notebook and desktop PCs. This guide also explains how to configure Intel AMT for wireless operation on notebooks.

In this guide...

• Wired means the notebook or desktop PC is on AC power and is connected to the network via an Ethernet cable.

• Wireless means the notebook is connected wirelessly to the network.

Intel vPro technology delivers many high-performance features and innovative capabilities for both users and IT administrators, all in an energy-efficient platform that is Microsoft Windows Vista* ready. Among the innovative capabilities of Intel vPro technology is Intel Active Management Technology (Intel® AMT). Intel AMT is a powerful hardware-based technology for security and remote management of PCs. With Intel AMT, managed service providers (MSPs) can monitor and manage PCs anytime, even if a wired PC’s power is off, the OS on a wired or wireless PC is inoperable, management agents are missing, or hardware (such as a hard drive) has failed. When integrated into a third-party management solution, PCs with Intel vPro technology let service providers spend less time managing the PC and more time focusing on strategic business initiatives.

Caution: You must access the PC and configure Intel AMT (via BIOS and the Intel® Management Engine BIOS extension, or MEBx) with the appropriate security, network, and operational parameters before a third-party management application can access the Intel AMT capabilities. If you do not configure Intel AMT before trying integration into the management application, the integration process will fail.

Caution: You must remotely configure the wireless radio parameters on the notebook when the notebook is in a wired state, before you can use wireless features. If you do not configure wireless radio parameters via the Intel AMT Web console, the notebook will not be able to connect wirelessly to the network.

This guide explains how to configure Intel AMT for remote management by third-party software-based management solutions.

Audience

This guide is intended for IT administrators who are deploying notebooks and desktop PCs with Intel vPro technology for remote management in an SMB environment. Users of this guide should be experienced in:
• System administration
• Security and communication methodologies and technologies, including TCP/IP, HTTP, HTTPS, and secure sockets layer (SSL)
• Network and firewall setup and configuration in SMB environments
• IT management tools and applications

Scope

This guide includes step-by-step integration procedures for setting up and configuring an Intel AMT-enabled notebook or desktop PC for use in a remote-management environment. This guide does not explain how to integrate an Intel AMT-enabled PC into a third-party management application. Refer to your third-party documentation or to your Intel AMT integration guide for your management solution for that information.

Contents

This configuration guide includes these main discussions:

• Quick start. A streamlined set of steps for wired desktop PCs, for configuring Intel AMT in SMB mode for dynamic IP addressing (DHCP).

• Deployment requirements. Detailed information about hardware, networking, operational, security and other requirements for configuring Intel AMT for notebook or desktop PCs.

• Configure Intel AMT. Step-by-step procedures to configure Intel AMT in dynamic IP networks and static IP networks for notebook and desktop PCs. This section explains wired and wireless configuration, and includes a validation procedure.

Caution: Configuring Intel AMT is a separate process from integration. You must configure the Intel AMT security, networking, and operational parameters on the PC, via BIOS and MEBx, before you can integrate the PC into a third-party management application. If you try to integrate the PC before enabling and configuring Intel AMT, the management application will not be able to access Intel AMT capabilities.

• Unconfigure Intel AMT. Brief explanation of how to reset parameters if you change a host name or move the PC after configuration.

Where to get the solution

The following table provides URLs or contact information for Intel vPro technology.

Table 1. Where to get the solution

| Deployment aspect | Description | Download from Intel Web site at: |
| --- | --- | --- |
| Vendors for desktop PCs with Intel® vPro™ technology | For a list of desktop PC vendors who supply PCs with Intel vPro technology, refer to the Intel Web site. | http://www.intel.com/buy/vPro.htm |
| Intel vPro technology | For information about Intel vPro technology used in the SMB market, refer to the Intel Web site. | www.intel.com/vpro |

Related documentation

Tables 2 and 3 list sources for documentation that may be useful during deployment, or which can give you additional details about Intel vPro technology.

Table 2. Sources for related documentation from Intel

| Intel deployment documentation | Description | Source / download from Intel Web site at: |
| --- | --- | --- |
| Intel® Active Management Technology Configuration Guide for SMB Environments, v1.0 | (This guide.) Requirements and step-by-step procedures for configuring the Intel® AMT security, networking, and operational parameters on the notebook or desktop PC, via BIOS, MEBx, and the Intel AMT Web console. | http://www3.intel.com/cd/channel/reseller/asmo-na/eng/347046.htm |
| Intel® vPro™ technology integration guide for your third-party management solution | Requirements and step-by-step procedures to integrate Intel AMT-enabled PCs into your third-party management solution. | Contact your Intel representative or your third-party vendor. |
| Intel vPro technology SDK | Intel offers a software development kit (SDK) for Intel vPro technology. The SDK includes developer tools which may be of use for validation and troubleshooting during deployment. | http://softwarecommunity.intel.com/isn/home/manageability.aspx |
| Intel Active Management Technology Deployment and Reference Guide, v1.0 | Aimed at enterprise markets, but includes details about deployment planning (including proof of concepts and pilots), security methodologies / technologies, and use-case capabilities of Intel AMT. | http://download.intel.com/business/vpro/pdfs/deployment_guide.pdf |
| Intel platform training | A resource site that shows how to integrate PCs with Intel vPro technology into an SMB IT management infrastructure | www.intelplatformtraining.com |

Table 3. Sources for information about Intel vPro technology, including Intel AMT

| Intel product information | Description | Download from Intel Web site at: |
| --- | --- | --- |
| Intel® vPro™ technology Portal | A Web entry point for information about the Intel vPro technology line of business notebook and desktop PC. | http://msp.intel.com/ and http://intel.com/reseller/vpro |
| Intel® AMT Technology Brief | Overview of the hardware-based Intel AMT capabilities and benefits to MSPs. | http://www.intel.com/technology/manage/iamt/303749.pdf |
| A New Level of Remote Managed Services for PCs in Small-Business Environments | Explanation of how hardware-based capabilities of Intel vPro technology address critical challenges facing MSPs to help them eliminate site visits, increase service efficiencies, and improve revenue streams and margins. | http://cache-www.intel.com/cd/00/00/31/87/318739_318739.pdf |
| Improving Security and Compliance with Intel® Active Management Technology | Explains how to plan and install a more secure and compliant PC fleet. | http://www.intel.com/business/vpro/pdfs/amt_security_and_compliance.pdf |
| Intel AMT architecture | Detailed information about Intel AMT architecture. | http://softwarecommunity.intel.com/articles/eng/1004.htm |
| Technical support | For technical support questions related to Intel® Software Solution. | http://supportmail.intel.com/scripts-emf/welcome.aspx?id=2556,2557 |

Section 1: Quick Start for Desktop PCs

Introduction

This quick-start section briefly explains how to configure Intel AMT for DHCP addressing on a wired desktop PC. This section can help you streamline your configuration processes after you are familiar with the basic deployment process. Make sure you are familiar with all deployment requirements and considerations before configuring Intel AMT on any PC.

This section assumes:
• You are using DHCP networking.
• You are using password-based security.
• You are configuring a wired desktop PC.

This section includes:
• Table of required BIOS and MEBx settings for DHCP addressing. (For ease of integration, the table also includes a list of settings used for static IP addressing.)
• Steps to configure Intel AMT in SMB mode for DHCP addressing.
• Steps to validate the configuration.

For information about configuring Intel AMT for static-IP addressing, refer to the configuration section of this guide. The configuration section also includes more detail about configuring Intel AMT for DHCP networking, and information about configuring wireless radio parameters for notebooks.

Figure 1-1 shows the general deployment process. The quick-start procedure explains how to do step 2, configure Intel AMT.

Configure Intel AMT for a desktop PC

Procedure for: Wired desktop PCs

This discussion lists the BIOS and MEBx settings required for configuring Intel AMT for wired operation, describes the configuration process, and provides a short validation process for desktop PCs.

Figure 1-1. Deployment process

Configuration settings for wired operation

Table 1-1 lists the BIOS and MEBx settings required for DHCP addressing. (For ease of integration, the table also includes a list of settings used for static IP addressing.)

Table 1-1. Quick start: Wired configuration settings for desktop PC

| Parameter | Dynamic IP | Static IP |
| --- | --- | --- |
| Intel® Management Engine Configuration | Intel AMT¹ | Intel AMT¹ |
| Sleep-state power policies | Always / Enabled | Always / Enabled |
| Sleep-state idle timeout | 65535 | 65535 |
| Intel ME after-power failure² | Power on² | Power on² |
| Provisioning mode³ | SMB³ | SMB³ |
| Compatibility configuration | For desktop PCs: Intel AMT; for notebooks: Intel AMT Generation 2.0² | For desktop PCs: Intel AMT; for notebooks: Intel AMT Generation 2.0² |
| TLS | NA | NA |
| Machine name | iDBO (same machine name as specified for host OS) | iDBO (same machine name as specified for host OS) |
| SOL/IDE-R | Username Password | Username Password |
| DHCP | Enabled | Disabled |
| TCP/IP settings | DHCP server will set networking parameters | Enter the appropriate values for: IP address for Intel AMT; Subnet mask; Default gateway address (optional); Preferred DNS server address (optional); Alternate DNS server address (optional) |
| Domain name | The Windows domain name or vPro.local | The Windows domain name or vPro.local |
| VLAN⁴ | NA⁴ | NA⁴ |

¹ The Intel® Management Engine and Intel AMT must be enabled in order for you to configure and use Intel AMT capabilities. Note that Intel AMT will be disabled and all configuration information erased if you select ASF or None for this field.
² This field is typically located under a provisioning configuration option in MEBx.
³ This field is available only on desktop PCs.
⁴ Wireless settings, including VLAN settings, are configured on notebooks via the Intel AMT Web console.

Configure Intel AMT for wired DHCP

Procedure for: Wired desktop PCs

This procedure explains how to configure Intel AMT for wired desktop PCs. This procedure can also be used to configure Intel AMT for wired notebooks; however, the notebook’s wireless radio parameters must then be configured remotely via the Intel AMT Web console (refer to Section 3).

Caution: You must access the wired PC and configure Intel AMT (via BIOS and MEBx) before a third-party management application can access the Intel AMT capabilities. If you do not configure Intel AMT before trying to integrate the PC into your management application, the management application will not be able to access Intel AMT capabilities.

Note: Many notebook OEMs offer USB key provisioning as a BIOS option. USB key provisioning allows you to input setup and configuration information via a USB key, instead of through manual entry. Wireless radio parameters for notebooks must still be configured remotely via the Intel Web console.

Follow these steps to configure Intel AMT for wired DHCP networking for desktop PCs:

1. Connect the desktop PC to a power source and power up the system.
2. Access the PC and log into BIOS.
   • If necessary, enter the administrator username and password appropriate for your BIOS.
3. In BIOS, select the Intel AMT option and/or enter MEBx.
4. When prompted, log into MEBx using the factory-default administrator username and password. For Intel motherboards, the default password is usually admin. (The default administrator password may be different for other motherboards.)
   Because this is the first login to the device, the system will require that you change the default administrator password.
5. Change the administrator password. The new password must be a strong password, as described in the deployment requirements section of this guide.
6. Using MEBx features, make sure the Intel® Management Engine configuration is set to Intel AMT.

Caution: Intel AMT will be disabled if you select any manageability mode other than Intel AMT.

Caution: Changing the manageability mode from Intel AMT to either ASF or None will unconfigure Intel AMT. If you unconfigure Intel AMT, you will have to repeat the configuration process before you can once again integrate the PC into a third-party management application and use Intel AMT capabilities.

7. Now enter the machine name. Set this field to the same name used for the host (the PC’s OS).
8. Set power policies to be always on.
9. Change the provisioning mode to SMB.
10. Under the provisioning-configuration option, use the compatibility-mode feature to set the system’s compatibility mode to Intel AMT Generation 2.0.
11. Select the TCP/IP option to display the menu for networking parameters.
12. Enter the domain name via the TCP/IP menu features.
13. Make sure DHCP is enabled. The DNS server will then set the networking parameters as appropriate for your environment.
14. Now return to the MEBx main menu.
15. Make sure the SOL/IDE-R option is set to Username Password.
16. Exit the MEBx screen.
17. Save BIOS settings and exit BIOS.
18. If prompted, confirm your changes.

Caution: Do not power down the PC during this process. The BIOS must be allowed to finish loading in order to activate the settings and complete the configuration process.

The BIOS will then continue to load. Once the PC is up and running, it is ready to be integrated into the third-party management application.

Note that the PC must sometimes be powered on for the first discovery by a third-party management application. After that, the Intel AMT-enabled PC can typically be discovered even if powered off.

Validate Intel AMT wired configuration using a Web browser

Procedure for: Wired desktop PCs

To validate the Intel AMT configuration on the desktop PC for your SMB environment, follow these steps:

1. Open any Web browser on a PC that is currently on the local network.
2. Using the port 16992, enter the IP address of the target desktop PC using this format: http://xxx.xxx.xxx.xxx:16992. For example, HTTP://192.168.1.100:16992. The system should then display an option to log onto the target PC.
3. When prompted, enter the administrator password for Intel AMT. The Intel AMT Web console should then be displayed.
4. View the Intel AMT hardware asset information for the PC displayed by the Web console, and compare it to the PC’s physical configuration. Confirm that the information reported by the Web console is accurate.
5. Exit the Intel AMT Web console.
6. Log out of the Web browser.

Once you have validated the configuration for one PC, you are ready to configure other PCs for that site. Or, you can integrate this Intel AMT-enabled PC into your third-party management application.
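When many PCs are configured at one site, steps 1 and 2 of the validation procedure can be scripted. The Python below is an added example, not Intel code and not part of the original guide: it sends one request without credentials to port 16992 and classifies the result, leaving logon and the asset comparison (steps 3 and 4) to the administrator. `StubConsole`, `start_stub` and the hint texts are constructed for this example so that it runs offline; the hints are a summary of the guide's settings, not Intel wording.

```python
import http.client
import http.server
import socket
import threading
from dataclasses import dataclass
from typing import Optional

AMT_WEB_PORT = 16992  # Web console port given in step 2 of the procedure

# Follow-up hints per outcome. The wording is this example's own summary
# of the settings and cautions in the guide, not Intel text.
HINTS = {
    "answering": "HTTP reply received: continue with logon and the asset comparison (steps 3-4).",
    "refused": "Host reachable but port closed: check that the Management Engine "
               "configuration is Intel AMT and the provisioning mode is SMB.",
    "timeout": "No reply in time: check power, cabling and the DHCP or static IP settings.",
    "not-http": "Port open but the reply was not HTTP: wrong address or another service.",
    "unreachable": "Address could not be reached or resolved: check the IP address entered.",
}


@dataclass
class ProbeResult:
    host: str
    port: int
    state: str                     # one of the HINTS keys
    status: Optional[int] = None   # HTTP status code when a reply was received
    server: Optional[str] = None   # Server response header, when present

    @property
    def hint(self) -> str:
        return HINTS[self.state]


def probe_console(host: str, port: int = AMT_WEB_PORT, timeout: float = 3.0) -> ProbeResult:
    """Send one GET / without credentials and classify what comes back."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        resp.read()
        return ProbeResult(host, port, "answering", resp.status, resp.getheader("Server"))
    except socket.timeout:
        return ProbeResult(host, port, "timeout")
    except ConnectionRefusedError:
        return ProbeResult(host, port, "refused")
    except (http.client.HTTPException, ConnectionResetError):
        return ProbeResult(host, port, "not-http")
    except OSError:
        return ProbeResult(host, port, "unreachable")
    finally:
        conn.close()


def validate_hosts(hosts, port: int = AMT_WEB_PORT, timeout: float = 3.0):
    """Probe every address on the site list; return the ProbeResult objects in order."""
    return [probe_console(h, port, timeout) for h in hosts]


class StubConsole(http.server.BaseHTTPRequestHandler):
    """Constructed loopback stand-in for a configured PC, so the demo runs offline."""
    server_version = "StubConsole"
    sys_version = "(constructed)"

    def do_GET(self):
        body = b"<html><body>Log On</body></html>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo output clean
        pass


def start_stub() -> http.server.HTTPServer:
    """Serve StubConsole on an ephemeral loopback port in a background thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), StubConsole)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    stub = start_stub()
    # On a real site: validate_hosts(["192.168.1.100"]) with the default port.
    for r in validate_hosts(["127.0.0.1"], port=stub.server_address[1]):
        print(f"{r.host}:{r.port} {r.state} status={r.status} server={r.server}")
        print("  " + r.hint)
    stub.shutdown()
```

Table 1-1 lists TLS as NA for this mode, so the probe, like the browser check it mirrors, uses plain HTTP and should be run from a PC on the same local network.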

Where to go from here

For information about integrating an Intel AMT-enabled PC into your management solution, refer to your third-party documentation and to the Intel integration guide for your management application. For more information about Intel AMT parameters, deployment considerations, and other details, refer to the deployment requirements section of this guide.

Section 2: Deployment Requirements

Intel® Centrino® with vPro™ technology and select Intel® Core™2 processors with vPro™ technology

Introduction

This section explains important considerations and best practices for configuring the security, networking, and operational parameters for Intel AMT. In particular, there are three keys to deploying PCs with Intel vPro technology in SMB environments.

• Desktop PCs: You must configure Intel AMT in SMB mode
  The default operational mode for desktop PCs with Intel vPro technology is usually enterprise mode. However, most MSP third-party management applications are designed to work only in SMB environments. For these applications, you must configure Intel AMT in SMB mode, not enterprise mode, on desktop PCs. Notebooks do not have an SMB vs. enterprise mode. When configuring notebooks, you simply set the BIOS and MEBx parameters appropriately for an SMB environment.

• Notebooks and desktop PCs: You must configure Intel AMT for wired operation via BIOS and MEBx
  Configuring Intel AMT (via BIOS and MEBx features) is a separate process from integrating the PC into a third-party management application. In SMB mode, you must access BIOS and MEBx on the PC and configure the networking and operational parameters that enable remote communication between Intel AMT and the management application.

• Notebooks: You must configure wireless radio parameters remotely, via the Intel AMT Web console
  Wireless radio configuration for notebooks in SMB mode is done remotely, from a PC other than the notebook being configured. Radio configuration for notebooks must be done using the Intel AMT Web console. The notebook being configured must be wired (connected to the network via an Ethernet cable) during the configuration process.

Hardware and software requirements

This discussion includes requirements tables for desktop and notebook PCs.

Requirements for desktop PCs

Table 2-1 lists requirements for configuring the desktop PC and Intel AMT in order for a third-party management application to access the Intel AMT capabilities. For more information about considerations and best practices, refer to the configuration section.

Table 2-1. Hardware and software requirements: Desktop PC

Hardware
• PC with Intel® vPro™ technology, including:
• Intel AMT v2.1 or higher.
• series DQ965GF, DQ965CO, DQ965WC, DQ35JO or higher.
• BIOS Version 5882 [CO96510J.86A] or higher.

Software
• An OS appropriate for your management environment. For example, Microsoft Windows XP* or higher version.

Information
• BIOS-level administrator password (if necessary) to enter BIOS.
• Intel® AMT administrator username and password to enter MEBx. For Intel motherboards, the factory-default password is usually admin. (The default administrator password may be different for other motherboards.)
• Host (PC’s OS) name.
• TCP/IP settings.

Special considerations
• Intel AMT must be configured before you can integrate the PC into a third-party management application. Configuration is performed at the PC via BIOS and MEBx features. Integration (a separate process) is typically performed at the remote server site, via the management application.
• Do not assume the administrator username-password pair when logging into MEBx. Verify the username-password pair as per the OEM documentation for the PC.

Requirements for notebooks

Table 2-2 lists requirements for configuring the notebook and Intel AMT in order for a third-party management application to access the Intel AMT capabilities. For more information about considerations and best practices, refer to the configuration section.

Table 2-2. Hardware and software requirements: Notebooks

Hardware
• PC with Intel® Centrino® with vPro™ technology, including:
• Intel AMT v2.5 or higher.
• Wireless access point that is 802.11a-, b-, g-, or n-capable.

Software
• An OS appropriate for your management environment. For example, Microsoft Windows XP* or higher version.
• Microsoft Internet Explorer 6.0 or later.

Information
• BIOS-level administrator password (if necessary) to enter BIOS.
• Intel® AMT administrator username and password to enter MEBx and to use the Web console. For Intel motherboards, the factory-default password is usually admin. (The default administrator password may be different for other motherboards.)
• Host (PC’s OS) name.
• TCP/IP settings.
• Wireless radio profile information.

Special considerations
• Intel AMT must be configured before you can integrate the PC into a third-party management application. Configuration is performed at the notebook via BIOS and MEBx features, then remotely via the Intel AMT Web console. Integration (a separate process) is typically performed at the remote server site, via the management application.
• Do not assume the administrator username-password pair when logging into MEBx or the Web console. Verify the username-password pair as per the OEM documentation for the notebook.
• Wireless radio configuration is done remotely, via the Intel AMT Web console.
• Wireless radio configuration is done when the notebook is in the wired state. Once wireless parameters are configured, the notebook can be accessed wirelessly.
• Wireless LAN radio must be enabled (on) for wireless connections for notebooks.

Configuration requirements

You will need certain networking, security, and configuration information in order to configure Intel AMT, as described in this discussion.

DHCP networking vs. static IP addressing

Intel AMT-enabled PCs can be configured for dynamic (DHCP) or static IP addressing (see Table 2-3).

To allow you to choose the best networking mode for your environment, hardware vendors configure the PCs with two MAC addresses:
• MAC address for the host (the PC’s OS)
• Manageability MAC address for the

The IP address for Intel AMT (part of the Intel Management Engine) is specified during setup of Intel AMT. Setup is the process of establishing security credentials for Intel AMT. In SMB mode, setup means establishing the administrator password. In SMB mode, you typically do both setup and configuration of the Intel AMT networking and operational parameters at the same time.

Table 2-3. Network elements required for DHCP or static IP addressing

Network element    DHCP        Static IP
DHCP service       Required    —
DNS service        Required    Optional

Dynamic IP (DHCP) environments. Typically, your PC manufacturer sets up Intel AMT to use dynamic IP addressing by default, via DHCP and DNS. In dynamic IP addressing, the same IP address is used for both the host (the computer’s OS) and Intel AMT. Intel AMT can tell the difference between communication intended for Intel AMT and communication intended for the OS. To do this, the stack in Intel AMT looks at the communication port. Keep this in mind when setting up Intel AMT in a DHCP environment:
• Intel AMT conforms its settings to the host (the PC’s OS) network settings.

Static IP environments. In static IP addressing, the PC has fixed network settings. When using static-IP addressing in enterprise environments, you can define different IP addresses for Intel AMT and the host (the PC’s OS). When using static-IP addressing for SMB mode, you should:
• Use a different IP address for Intel AMT and the host (the PC’s OS).
• Use a different host name for Intel AMT and the host (the PC’s OS).

Operational settings for Intel AMT

Note: BIOS is vendor-dependent. Actual names for fields and parameters will vary, depending on your BIOS.

Tables 2-4 and 2-5 briefly describe common MEBx settings typically set in order to enable remote communication with the Intel AMT capabilities in SMB environments. Table 2-4 describes settings for wired communication. Table 2-5 describes settings that enable wireless communication on a notebook.

Table 2-4. Configuration settings: Wired notebook or desktop PC

BIOS or MEBx setting: Intel Management Engine Configuration
Value after configuration: Intel® AMT
Notes: Other options include ASF or None. The Intel Management Engine and Intel AMT must be enabled in order for you to configure and use Intel AMT capabilities. This field might also be called manageability mode or something similar.
Caution: Intel AMT will be disabled and all configuration information erased if any value other than Intel AMT is selected.

BIOS or MEBx setting: Sleep-state power policies
Value after configuration: Always / Enabled
Notes: Specifies that the Intel Management Engine is always on for S1-S5. This allows Intel AMT to respond to a third-party management application in any power state (wired PC) or OS state (wired or wireless PC), as soon as the PC is connected to power and plugged into the network. This field might be called Intel AMT power policies, Intel AMT sleep state power policies, Turn on Intel ME Sleep States, or something similar.

BIOS or MEBx setting: Sleep-state idle timeout
Value after configuration: 65535
Notes: Make sure this setting is set to the maximum value of 65535.

BIOS or MEBx setting: Intel ME after-power failure
Value after configuration: Power on
Notes: Make sure this setting is set to the default value of Power on.

BIOS or MEBx setting: Provisioning mode
Value after configuration: SMB
Notes: On desktop PCs, this field is typically set to enterprise mode. You must reset this field to SMB mode. This field might also be called provisioning model, operational model, configuration mode, or something similar. (Notebooks do not include an SMB vs. enterprise setting.)

BIOS or MEBx setting: Compatibility configuration
Value after configuration: For desktop PCs: Intel AMT. For notebooks: Intel AMT Generation 2.0
Notes: Typically located under the provisioning configuration option in MEBx. This field may also be called compatibility mode or something similar.

BIOS or MEBx setting: TLS
Value after configuration: NA
Notes: On desktop PCs, once the provisioning mode is set to SMB, the TLS field should no longer be displayed.

BIOS or MEBx setting: Machine name
Value after configuration: iDBO
Notes: Set this field to the same machine name as specified for the host OS. The machine-name field might also be called host name, computer name, or something similar.

BIOS or MEBx setting: TCP/IP settings
Value after configuration: Defined by DHCP or static IP addressing
Notes: For DHCP networking, the DNS server will set the networking parameters. For static IP addressing, you will need:
• IP address for Intel® AMT
• Subnet mask
• Default gateway address (optional)
• Preferred DNS server address (optional)
• Alternate DNS server address (optional)

BIOS or MEBx setting: Domain name
Value after configuration: The Windows* domain name or vPro.local
Notes: If there is a Windows domain in your LAN environment, set this field to the Windows domain name. Otherwise if this PC is not part of a domain, set this field to vPro.local.

BIOS or MEBx setting: VLAN
Value after configuration: NA
Notes: On desktop PCs, once the provisioning mode is set to SMB, the VLAN field should no longer be displayed. On notebooks, wireless settings, including VLAN settings, are configured via the Intel AMT Web console.

BIOS or MEBx setting: SOL/IDE-R
Value after configuration: Username Password
Notes: Specifies the type of security used for access to Intel AMT capabilities.

Table 2-5. Configuration settings: Wireless notebooks

BIOS or MEBx setting: Port address for Intel AMT Web console
Value after configuration: 16992
Notes: IP address required for remotely accessing the notebook via the Intel AMT Web console.

BIOS or MEBx setting: Wireless radio profile
Value after configuration: Defined by DHCP or static IP addressing
Notes: For DHCP networking, the DNS server will set the networking parameters. For static IP addressing, you will need:
• Unique profile name
• SSID for your wireless access point
• Name of network authentication protocol that matches your wireless access point authentication configuration
• Name of encryption scheme that matches your wireless access point encryption scheme
• Password (passphrase) for logging into wireless access point

Where to find certain types of information

Table 2-6 briefly explains how to find some of the information needed for configuration.

Table 2-6. How to find information required to configure Intel AMT

Information needed: Key or command sequence to access BIOS
Obtain the information by: Refer to the appendix about BIOS for examples of accessing BIOS for common PC manufacturers. Or, refer to the OEM’s information for your PC.

Information needed: Computer name
Obtain the information by: Follow these steps to identify the computer name:
1. In Microsoft Windows*, right click My Computer.
2. Select Properties from the pop-up menu.
3. Click the Computer Name tab.
4. Note the PC’s name in a handy location for use later during the Intel AMT setup and configuration procedures.

Information needed: TCP/IP settings
Obtain the information by: Follow these steps to identify the TCP/IP settings:
1. In Microsoft Windows*, open the Control Panel.
2. Open Network Connections.
3. Right click the appropriate connection.
4. Select Properties > TCP/IP > Properties.
5. Note the TCP/IP settings in a handy location for use later during the Intel AMT setup and configuration procedures.

Important considerations

Table 2-7 briefly describes important considerations for configuring Intel AMT through BIOS and MEBx features and for setting the networking parameters.

Table 2-7. Special considerations for specifying Intel AMT parameters

Consideration: You must configure Intel AMT in SMB mode on desktop PCs
Description: Many SMB-oriented management applications are designed only for SMB environments. If you try to integrate a desktop PC while Intel® AMT is still configured in its default enterprise mode, integration into these environments will fail. (Notebooks do not include an SMB vs. enterprise option.)

Consideration: You must configure Intel AMT on the PC before integrating with a third-party management application
Description: Configuration of Intel AMT via BIOS and MEBx parameters must occur before you try to integrate the PC into the management application.

Consideration: Automated remote configuration is not usually available to SMBs
Description: Intel AMT can be configured remotely and automatically in enterprise mode by taking advantage of Microsoft Active Directory* (Kerberos). Because most SMBs do not use Kerberos, they must typically configure Intel AMT as a manual process, as described in this guide.

Consideration: Access to BIOS is vendor-dependent
Description: Refer to the BIOS appendix for ways to access BIOS from common manufacturers, or refer to the documentation provided by your PC manufacturer.

Consideration: BIOS features are vendor dependent
Description: Actual names for fields and parameters will vary, depending on your BIOS.

Consideration: Do not assume the username-password pair in MEBx
Description: Verify the username-password pair as per the OEM documentation for the PC (for example, admin versus Administrator). If you do not enter the correct username-password pair, the configuration process will fail.

Consideration: If you specify a DNS address
Description: If you want to specify a DNS address, you must use the same name that will be used by the host (PC’s OS).

Consideration: If you choose to use static IP addressing
Description: You should use DHCP mode for most MSP service environments. If you choose to use static IP addressing where you use a different IP address for Intel AMT and for the host (the PC’s OS), some third-party management applications might discover and report two PCs for the same device. Refer to the Intel AMT integration guide for your third-party management application to find out if you should use DHCP for your service environment.

Security considerations and best practices

Intel vPro technology supports a range of security options, from simplified security for SMB markets to enterprise-grade security with certificate-based authentication and encryption. In SMB environments, security for Intel AMT-enabled PCs is established primarily through username-password authentication. For information about other Intel AMT security methodologies and technologies, refer to the Intel AMT deployment and reference guide for enterprise environments.

Intel AMT administrator passwords

Remote management of PCs depends on how well each system element is networked and secured for communications. There are often several administrator passwords required during deployment of PCs with Intel vPro technology into a third-party management solution. Pay particular attention to considerations and best practices for administrator passwords when you deploy your management solution. Make sure you have the correct administrator username and password available for each step of the deployment process. Do not assume the default username or password; these can vary, depending on your PC manufacturer. Table 2-8 lists typical types of passwords that might be used during deployment.

Table 2-8. Administrator passwords

Administrator password: BIOS password
Used for: BIOS
Used to: Used by an IT administrator to access BIOS. If your OEM requires a BIOS password, you will need the administrator username and password required to access the PC’s BIOS.

Administrator password: Intel AMT password
Used for: MEBx
Used to: Used by the IT administrator to access the MEBx screens and set security, networking, and operational parameters for Intel AMT. The factory-default password is provided by the OEM and included with your PC’s documentation. You must change the default password the first time you enter MEBx.

Administrator password: Intel AMT password
Used for: PC security credentials in the management application
Used to: Might be required for the IT administrator, in order to set credentials for an Intel AMT-enabled PC from within the management application.

Administrator password: Intel AMT password
Used for: Intel® AMT Web console
Used to: Used by the IT administrator to remotely access Intel AMT via the Intel AMT Web console.

Administrator password: Wireless access point password
Used for: Wireless access point
Used to: Used by an IT administrator to log into the wireless access point. This password is defined in the wireless profile, via the Intel AMT Web console.

Administrator password: Management application password
Used for: Communication between elements of the management solution
Used to: Used by an IT administrator to log into the management application.

Administrator password: Local site password
Used for: Communication between an agent and the PCs at the customer site
Used to: Used by the management application to access the PCs at a customer site. The password is typically shared by all PCs at the site and should be unique to each customer site. You create this password on each machine when you create the user account on each PC.

Important considerations for passwords

Table 2-9 briefly describes special considerations and best practices for the MEBx administrator username and password.

Table 2-9. Considerations and best practices for passwords

Consideration: Enter correct admin username
Description: The username-password pair for each PC is provided by your OEM. For Intel motherboards, the factory-default administrator password is usually admin. The default administrator password may be different for other motherboards.

Consideration: Do not assume the username-password pair
Description: Verify the username-password pair as per the OEM documentation for the PC (for example, admin versus Administrator). If you do not enter the correct username-password pair, the configuration process will fail.

Consideration: Do not use a commonly occurring account name
Description: If you change the administrator username, do not use a commonly occurring account name for the username, such as Admin or Administrator. Using a less common account name helps prevent an attacker from easily guessing the account name.

Consideration: Use high-entropy passwords
Description: Make sure to use high-entropy passwords that are difficult to guess, such as w7_uH9xb, HoS8V@y$, or u$8s#R9. These are strings that are not common names or actual words in the language, and so cannot be found in a dictionary or easily guessed.

Password requirements

Intel AMT requires that passwords used for authentication to the Intel Management Engine meet the following minimum criteria. Passwords must:
• Be between 8 and 63 characters long.
• Include only valid characters. Allowed characters are 7-bit ASCII characters in the values of 33-126 inclusive.
• Not include invalid characters. The following characters are not allowed:
  “ (left double quote)
  . (period)
  , (comma)
  : (colon)
• Have at least one digit character (0, 1, 2, …, 9).
• Have at least one 7-bit ASCII non-alphanumeric character (such as ! or $).
• Contain both lowercase (a, b, c, … z) and uppercase (A, B, C, … Z) Latin characters, or non-ASCII characters (UTF+00800 and above).

You should always use unique passwords when configuring each PC. Otherwise, a malicious person with knowledge of one username-password pair for one PC could compromise not only that PC, but any other system with the same username and password.
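The rules above can be applied to a provisioning worksheet before the values are typed into MEBx. The following is an added example, not code from this guide or from Intel; the function names, host names and worksheet are constructed, and two points are assumptions: the ASCII double quote is treated as the forbidden quote character, and non-ASCII input is rejected rather than accepted as an alternative to mixed case.

```python
import string

MIN_LEN, MAX_LEN = 8, 63
ALLOWED = range(33, 127)   # 7-bit ASCII values 33-126 inclusive
# Period, comma and colon are named in the guide. The guide prints the quote
# as a typographic mark; treating ASCII '"' as the forbidden quote is an
# assumption of this example.
FORBIDDEN = set('".,:')
SYMBOLS = set(string.punctuation) - FORBIDDEN


def check_amt_password(pw):
    """Return the list of rules that pw breaks (empty list = acceptable)."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append("length must be 8-63 (got %d)" % len(pw))
    out_of_range = sorted({c for c in pw if ord(c) not in ALLOWED})
    if out_of_range:
        problems.append("characters outside ASCII 33-126: %r" % out_of_range)
    listed = sorted(set(pw) & FORBIDDEN)
    if listed:
        problems.append("forbidden characters: %r" % listed)
    if not any(c in string.digits for c in pw):
        problems.append("needs at least one digit")
    if not any(c in SYMBOLS for c in pw):
        problems.append("needs at least one non-alphanumeric character")
    # Strict reading (assumption): the guide's non-ASCII alternative to mixed
    # case is not accepted, because the allowed range above is 33-126 only.
    has_lower = any(c in string.ascii_lowercase for c in pw)
    has_upper = any(c in string.ascii_uppercase for c in pw)
    if not (has_lower and has_upper):
        problems.append("needs both lowercase and uppercase letters")
    return problems


def find_reused(passwords_by_host):
    """Return groups of hosts that share one password (values not echoed)."""
    hosts_by_pw = {}
    for host, pw in passwords_by_host.items():
        hosts_by_pw.setdefault(pw, []).append(host)
    return sorted(sorted(h) for h in hosts_by_pw.values() if len(h) > 1)


def audit(passwords_by_host):
    """Map each failing host to its problems, including password reuse."""
    report = {}
    for host, pw in passwords_by_host.items():
        problems = check_amt_password(pw)
        if problems:
            report[host] = problems
    for group in find_reused(passwords_by_host):
        for host in group:
            others = ", ".join(h for h in group if h != host)
            report.setdefault(host, []).append("password shared with " + others)
    return report


# Constructed worksheet (host name -> planned MEBx password). The first three
# values are the sample strings printed in Table 2-9; the rest are made up.
SAMPLE = {
    "pc-01": "w7_uH9xb",
    "pc-02": "HoS8V@y$",
    "pc-03": "u$8s#R9",
    "pc-04": "admin",
    "pc-05": "Front-Desk:2007",
    "pc-06": "w7_uH9xb",
}

if __name__ == "__main__":
    for host, problems in sorted(audit(SAMPLE).items()):
        print(host, "->", "; ".join(problems))
```

Run on the sample strings printed in Table 2-9, the checker accepts w7_uH9xb and HoS8V@y$ and reports u$8s#R9 as too short, since that string has seven characters.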

Where to go from here

When you are familiar with the deployment requirements, considerations, and best practices for Intel AMT, you are ready to configure the Intel AMT parameters, as described in the next section.

Section 3: Configure and Validate Intel® AMT

Overview

This section explains in detail how to configure Intel AMT for DHCP networking and for static IP addressing for both notebook and desktop PCs. This section explains:
• Desktop PCs: Wired configuration for dynamic or static IP networking
• Notebooks: Wired configuration for dynamic or static IP networking
• Notebooks: Wireless radio configuration
• Both notebook and desktop PCs: Validating the configuration

Caution: Configuring Intel AMT is a separate process from integrating the PC into a third-party management application. If you don’t configure the required Intel AMT parameters via BIOS and MEBx, the third-party management application will not be able to access Intel AMT capabilities.

Note: For desktop PCs, you can access MEBx features via the BIOS. On notebooks, to access MEBx features, you will exit BIOS, then follow the Intel AMT prompts to enter MEBx.

Configuration features in the PC

Configuration is done through various features of your PC with Intel AMT:
• Desktop PCs: Configuration is a single process via BIOS and MEBx. You can access MEBx features via the BIOS.
• Notebooks: Configuration is a two-step process. First, BIOS and MEBx parameters are configured for wired notebook operation. Then wireless radio parameters are configured remotely, via the Intel AMT Web console.

Note: You cannot use wireless features until you have correctly configured wireless radio parameters, including the wireless profile(s). Wireless radio configuration is done by remotely accessing the wired notebook via the Intel AMT Web console. The notebook being configured must be wired (connected to an Ethernet LAN) during the configuration process.

MEBx is the Intel Management Engine BIOS extension. The BIOS extension specifies the security settings (administrator password), networking parameters, and operational settings that activate or disable specific Intel AMT capabilities. During configuration, you set those parameters appropriately for your SMB environment.

Once Intel AMT is configured, the management application can communicate with the Intel AMT capabilities. Figure 3-1 shows the deployment process. This section explains step 2, configuring Intel AMT parameters.

Figure 3-1. Deployment process

Configure Intel AMT

This discussion explains how to configure Intel AMT on the notebook or desktop PC.

Note: Many notebook OEMs offer USB key provisioning as a BIOS option. USB key provisioning allows you to input setup and configuration information via a USB key, instead of through manual entry. Wireless radio parameters must still be configured remotely via the Intel Web console.

Desktop PC: Configure Intel AMT for wired operation

Procedure for: Wired desktop PCs

In this procedure, you will use BIOS and MEBx to enter the administrator password, specify operational parameters, and specify the network settings for Intel AMT.

Caution: Do not power down the PC during this process. The BIOS must be allowed to finish loading in order to activate the settings and complete the configuration process.

Follow these steps to configure Intel AMT on a wired desktop PC:
1. Connect the PC to a power source, and power up the system.
2. Access the wired PC and log into BIOS.
   • Some PC manufacturers require that you enter an administrator username and password in order to access BIOS features. If necessary, enter the administrator username and password appropriate for your BIOS.
3. In BIOS, select the Intel ME option. This might also be called the Intel AMT option.
4. Log into MEBx using the factory-default administrator username and password. For Intel motherboards, the factory-default password is usually admin. (The default administrator password may be different for other motherboards.) The default username and password are provided in the manual or shipping box for the PC.

Because this is the first login to the device, the system will require that you change the default administrator password.

5. Change the administrator password. The new password must be a strong password, as described in the requirements section of this guide.

As soon as the password updates, the system should display an MEBx configuration screen.

Note: You should document the new Intel Management Engine password, store it in a secured location (a vault, safe deposit box, or off-site storage), and keep it available for future use.

6. Make sure the Intel Management Engine Configuration is set to Intel AMT.

Caution: Changing the manageability mode from Intel AMT to either ASF or None will disable and unconfigure Intel AMT. If you unconfigure Intel AMT, you will have to repeat the configuration process before you can once again integrate the PC into a third-party management application and use Intel AMT capabilities.

7. Enter the computer name. Set this field to the same name used for the host (the PC’s OS).
8. Set the sleep-state power policies for the management engine to be always enabled (always on, or S0-S5).
9. Set the idle timeout to the maximum value (65535). (This feature may not be available in all Intel AMT versions.)
10. For the management engine power state after power failures, set this field to be on.
11. Change the provisioning mode to SMB. After you have made this change, the screen should be redrawn, and only features that apply to SMB mode should be displayed.
12. Under the provisioning-configuration option, use the compatibility-mode feature to set the system’s compatibility mode to Intel AMT.
13. Select the TCP/IP option to display the menu for networking parameters.
14. Enter the domain name via the TCP/IP menu features.
15. Set up the network addressing for your service environment:
   a. For DHCP networking, check the DHCP setting and make sure it is still enabled. The DNS server will then set the networking parameters as appropriate for your environment.
   b. For static IP addressing, enter the TCP/IP settings appropriate for your static-IP service environment:
      • IP address for Intel AMT. Note that the IP address for Intel AMT must be different from the IP address specified for the host (the PC’s OS).

Note: The TCP/IP address is the address for the Intel Management Engine. The host name should be set to the name assigned to the host (the PC’s OS) for identification purposes. In static IP addressing, the TCP/IP address for the Intel Management Engine must be different from the TCP/IP address of the host (the PC’s OS).

      • Subnet mask
      • Default gateway address (optional)
   c. If Intel AMT will be using DNS to resolve the IP address, you can enter DNS information:
      • Preferred DNS server address (optional)
      • Alternate DNS address (optional)
16. Make sure any other network settings are appropriate for your environment.
17. Return to the MEBx screen.
18. Make sure the provisioning model is still set to SMB.
19. Make sure the SOL/IDE-R option is set to Username Password. This sets the security requirements to an administrator password (instead of Microsoft Active Directory, or Kerberos, which is not supported in SMB mode).
20. Exit the MEBx screen.
21. Save BIOS settings and exit BIOS.
22. If prompted, confirm your changes.

Caution: Do not power down the PC during this process. The BIOS must be allowed to finish loading in order to activate the settings and complete the configuration process.

The BIOS will then continue to load. Once the PC is up and running, it is ready to be integrated into the third-party management application. Note that the PC must sometimes be powered on for the first discovery by a third-party management application. After that, the Intel AMT-enabled PC can typically be discovered even if powered off.

Notebooks: Configure Intel AMT

For notebooks, configuration is a two-step process. First, you use BIOS, then MEBx to configure Intel AMT on the wired notebook for wired operation. Then you will use the Intel AMT Web console to remotely configure wireless radio parameters. This discussion explains how to:
• Configure Intel AMT for wired operation on a notebook
• Configure wireless radio parameters on a notebook, via a remote PC (the notebook must be in a wired state during configuration)

Notebooks: Configure Intel AMT for wired operation

Procedure for: Wired notebooks with Intel AMT 2.5 or later

In this procedure, you will use BIOS, then MEBx to enter the administrator password, specify operational parameters, and specify the network settings for Intel AMT. Notebooks do not have an SMB vs. enterprise mode. When configuring notebooks, you simply set the BIOS and MEBx parameters appropriately for an SMB environment, as described in this procedure.

Caution: Do not power down the notebook during this process. The BIOS must be allowed to finish loading in order to activate the settings and complete the configuration process.

Follow these steps to configure Intel AMT on a wired notebook:
1. Connect the notebook to a power source and power up the system.
2. Enter BIOS. This is typically done via a function key, such as F1. Appendix A lists ways to enter BIOS for some common OEMs. Figure 3-2 shows a sample BIOS screen.
   • Some PC manufacturers require that you enter an administrator username and password in order to access BIOS features. If necessary, enter the administrator username and password appropriate for your BIOS.
3. In BIOS, select the configuration option.
4. Select the Intel AMT option. The system should display a screen that includes the Intel AMT option, as shown in Figure 3-3.
5. Set Intel AMT to enabled (or on).

Figure 3-2. Sample BIOS screen for a notebook

Figure 3-3. Sample Intel AMT screen for a notebook

6. Save your changes.
7. Exit BIOS.

Settings for the next several features are accessed via the MEBx screen.
8. When prompted, press Ctrl-P to enter MEBx.
9. At the Intel ME configuration prompt, type Y (yes).
10. When prompted to log in, enter the factory-default administrator password. For Intel motherboards, the default password is usually admin. (The default administrator password may be different for other motherboards.) The default username and password are provided in the manual or shipping box for the notebook.

Because this is the first login to the device, the system will require that you change the default administrator password.
11. When prompted, change the administrator password. The new password must be a strong password, as described in the requirements section of this guide.

Note: You should document the new Intel Management Engine password, store it in a secured location (a vault, safe deposit box, or off-site storage), and have it available for future use.

Figure 3-4. Sample configuration screen for notebooks

Once the password has been updated, the system will display the main MEBx menu, which includes configuration features. Figure 3-4 shows a sample configuration screen.
12. Using the Intel ME Configuration feature, set the Intel ME state control field to Enabled.
13. Set the Intel ME firmware local update qualifier to Always Open.
14. Using the manageability feature, set the Intel Management Engine field to Intel AMT.

Caution: Changing the manageability mode from Intel AMT to either ASF or None will disable and unconfigure Intel AMT. If you unconfigure Intel AMT, you will have to repeat the configuration process before you can integrate the PC into a third-party management application and/or use Intel AMT capabilities.

15. Using the management-engine state-control feature, make sure the Intel management engine is enabled.
16. Using management-engine features, set Intel ME power policies to be always on. For example, make sure power-control, mobile, and wake-on-LAN (WOL) settings are appropriate:
   • Select power-control to be ME ON in Host Sleep States.
   • Select Mobile to be On in S0.
   • Select ME WoL to be S3/AC, S4-5/AC.
17. Return to the previous MEBx menu.
18. Select the Intel AMT configuration feature.
19. Select the host-name feature.
20. Set the host-name field to the same name used for the host (the PC’s OS).
21. Select the TCP/IP option to set up the network addressing for your service environment, and follow the prompts for either DHCP or TCP/IP (static IP) networking.
   a. For DHCP networking:
      • Make sure DHCP is enabled. If prompted to disable DHCP, select N, or No. The DNS server will then set the networking parameters as appropriate for your environment.
      • Enter the domain name.
   b. For static IP addressing:
      • Make sure DHCP is disabled. If prompted to disable DHCP, select Y, or Yes.
      • Enter the static IP address for Intel AMT. Note that the IP address for Intel AMT must be different from the IP address specified for the host (the PC’s OS).

Note: The TCP/IP address is the address for the Intel Management Engine. The host name should be set to the name assigned to the host (the PC’s OS) for identification purposes. In static IP addressing, the TCP/IP address for the Intel Management Engine must be different from the TCP/IP address of the host (the PC’s OS).

      • Subnet mask
      • Default gateway address (optional)
      • If Intel AMT will be using DNS to resolve the IP address, you can enter DNS information:
         • Preferred DNS server address (optional)
         • Alternate DNS address (optional)
      • Enter the domain name.
22. Make sure any other network settings are appropriate for your environment.
23. Select the SOL/IDE-R feature. If prompted to continue, answer Y, or Yes.
24. Make sure the username and password, serial over LAN (SOL) and IDE redirection options are enabled.
25. Return to the previous menu.
26. Enable the secure firmware update feature.

Note: Ignore the Set PRTC field.

27. Set the idle timeout value to the maximum (65535).
28. Return to the main configuration menu.
29. Exit MEBx (typically this is done by pressing Esc).
30. If prompted, confirm your changes.

Caution: Do not power down the PC during this process. The BIOS must be allowed to finish loading in order to activate the settings and complete the configuration process.

The BIOS will then continue to load. Once the notebook is up and running, it is ready to be integrated into the third-party management application. Note that the notebook must sometimes be powered on for the first discovery by a third-party management application. After that, the wireless Intel AMT-enabled notebook can typically be discovered anytime the system is awake, even if the OS is unresponsive.

Notebooks: Configure wireless radio parameters

Procedure for: Wireless notebooks (Procedure is performed while the notebook is connected to the network via an Ethernet cable)

This procedure explains how to configure wireless radio parameters for notebooks. This procedure is done remotely, from a PC other than the notebook being configured, using the Intel AMT Web console, which is included with your PC with Intel vPro technology.

Caution: You must configure the wireless radio parameters on the notebook when the notebook is in a wired state, before you can use wireless features. If you do not configure wireless radio parameters via the Intel AMT Web console while the notebook is in a wired state, the notebook will not be able to connect wirelessly to the network later.

Note: Many notebook OEMs offer USB key provisioning as a BIOS option. USB key provisioning allows you to input setup and configuration information via a USB key, instead of manual entry. Wireless radio parameters must still be configured remotely via the Intel Web console.

Remote configuration in SMB mode is available for notebooks with Intel AMT release 2.5 or higher. This procedure assumes you have already configured the wired parameters for the notebook via BIOS and MEBx.

Follow these steps to configure wireless radio parameters for a notebook:
1. Open any Web browser on a PC that is currently on the local network. This PC must be a system other than the target PC.
2. Using port 16992, enter the IP address of the target PC using this format: http://xxx.xxx.xxx.xxx:16992. For example, HTTP://192.168.1.100:16992. The system should then display an option to log onto the target PC.
3. When prompted, enter the administrator password for Intel AMT (the password used to access MEBx). The Intel AMT Web console should then be displayed.
4. Select Power Policies from the menu on the left to display the power policies screen.
5. Make sure power policies are set to always on by checking the radio button for S0, S3/AC, and S4-5/AC.
6. Now select Wireless Settings from the menu on the left. The wireless settings screen should then be displayed (see Figure 3-5).
7. In the wireless management field, select Enable to toggle wireless management on.


8. In the profiles area, click on New to display a screen for entering new wireless profiles (see Figure 3-6).
9. In the profile name field, enter a unique profile name.
10. In the network name field, enter the SSID for your wireless access point. Make sure this is a valid SSID.
11. In the security settings area, select an appropriate network authentication protocol that matches your wireless access point authentication configuration. For wireless notebooks, Intel AMT supports the WPA-PSK or RSN-PSK authentication protocols.
12. Select an appropriate encryption scheme that matches your wireless access point encryption scheme. For wireless notebooks, Intel AMT supports TKIP or CCMP encryption schemes.
13. Now enter a password (passphrase) that will be used to log into the wireless access point. The password must be 8-63 characters long, and must include at least one digit, one symbol, and both uppercase and lowercase letters (see the password guidelines earlier in this guide).

Figure 3-5. Enabling wireless management and entering a wireless profile name


Figure 3-6. Entering wireless profile information

14. Confirm the password by entering it again in the confirmation field.
15. Click Submit to save the new profile and return to the wireless settings screen.
16. Exit the Intel AMT Web console.
17. Log out of the Web browser.

You are now ready to validate the Intel AMT configuration for wired and wireless operation, as described next.
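The following pre-flight check for steps 9 through 13 is an added example, not part of the original guide or of any Intel tool: it reports every rule a planned wireless profile breaks before the values are typed into the Web console. The class and function names, the sample values, the ASCII-punctuation definition of "symbol" and the 32-byte SSID limit (from IEEE 802.11, not from this guide) are assumptions of the example.

```python
import string
from dataclasses import dataclass

# Options the guide lists for wireless notebooks (steps 11 and 12).
SUPPORTED_AUTH = {"WPA-PSK", "RSN-PSK"}
SUPPORTED_ENCRYPTION = {"TKIP", "CCMP"}


@dataclass
class WirelessProfile:
    """Hypothetical record of the fields typed into the new-profile screen."""
    name: str
    ssid: str
    auth: str
    encryption: str
    passphrase: str


def passphrase_problems(passphrase):
    """Return every rule from step 13 that the passphrase breaks."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("passphrase must be 8-63 characters long")
    classes = {
        "a digit": string.digits,
        "a symbol": string.punctuation,  # assumption: ASCII punctuation
        "an uppercase letter": string.ascii_uppercase,
        "a lowercase letter": string.ascii_lowercase,
    }
    for label, alphabet in classes.items():
        if not any(ch in alphabet for ch in passphrase):
            problems.append(f"passphrase needs {label}")
    return problems


def profile_problems(profile, ap_auth, ap_encryption, existing_names=()):
    """Check one profile against steps 9-13 of the procedure.

    ap_auth and ap_encryption are what the access point is configured for;
    existing_names are the profile names already stored on the notebook.
    """
    problems = []
    if not profile.name or profile.name in existing_names:
        problems.append("profile name must be non-empty and unique")
    # 802.11 limits an SSID to 32 bytes; the guide only asks for a valid SSID.
    if not 1 <= len(profile.ssid.encode("utf-8")) <= 32:
        problems.append("SSID must be 1-32 bytes")
    if profile.auth not in SUPPORTED_AUTH:
        problems.append(f"authentication {profile.auth!r} is not supported")
    elif profile.auth != ap_auth:
        problems.append("authentication does not match the access point")
    if profile.encryption not in SUPPORTED_ENCRYPTION:
        problems.append(f"encryption {profile.encryption!r} is not supported")
    elif profile.encryption != ap_encryption:
        problems.append("encryption does not match the access point")
    return problems + passphrase_problems(profile.passphrase)


# Constructed sample values, not taken from the guide.
GOOD = WirelessProfile("office-wlan", "ExampleCorpAP", "RSN-PSK", "CCMP",
                       "Blue-Heron7-Walks")
BAD = WirelessProfile("office-wlan", "ExampleCorpAP", "WPA2-Enterprise",
                      "TKIP", "password")

if __name__ == "__main__":
    for candidate in (GOOD, BAD):
        found = profile_problems(candidate, "RSN-PSK", "CCMP")
        print(candidate.name, "->", found or "ok")
```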

Validate configuration

Validation typically follows these general steps:
1. Configure Intel AMT for one PC at the customer site.
2. Validate the configuration for the first PC.
3. Configure Intel AMT on all PCs at the customer site.
4. Validate the configuration for a set of PCs.

You can use:
• A Web browser and the Intel AMT Web console
• A development tool, such as Intel AMT Commander

To use a third-party management application to validate the configuration of Intel AMT capabilities, you must first integrate the PC into the management application.


Notebooks and desktop PCs: Validate wired operation using a Web browser

Procedure for: Wired notebook and desktop PCs

For wired notebook and desktop PCs, you can use a Web browser and the Intel AMT Web console to validate that Intel AMT is properly configured in SMB environments. Follow these steps:
1. Open any Web browser on a PC that is currently on the local network. This must be a PC other than the target PC.
2. Using the port 16992, enter the IP address of the target PC using this format: http://xxx.xxx.xxx.xxx:16992. For example, HTTP://192.168.1.100:16992. The system should then display an option to log onto the target PC.
3. When prompted, enter the administrator password for Intel AMT (the password used to access MEBx). The Intel AMT Web console should then be displayed.
4. View the Intel AMT hardware asset information for the PC displayed by the Web console, and compare it to the PC’s physical configuration. Confirm that the information reported by the Web console is accurate.
5. Exit the Intel AMT Web console.
6. Log out of the Web browser.

Once you have validated the configuration, you are ready to configure other PCs for the site. Or, you can integrate this Intel AMT-enabled notebook or desktop PC into your third-party management application.

Notebooks: Validate wireless communication

Procedure for: Wireless notebooks

To validate that Intel AMT is properly configured in SMB environments for wireless operation, follow these general steps:
1. Disconnect the notebook from the Ethernet.
2. Make sure the notebook is awake.
3. Repeat the validation procedure for wired PCs, using Intel AMT Web console.

If you have trouble validating configuration

If you do not see the Intel AMT management console screen after accessing the target PC, the problem could be:
• The PC’s Intel AMT configuration is not set up correctly for your network.
• Your firewall is not set up correctly to allow remote communication with the PC.


If you have trouble with integration, refer to the deployment requirements and special considerations earlier in this guide. These tables list specific network and operational settings required for remote communication with Intel AMT. Verify that your settings are appropriate for your SMB environment, and that your networking parameters are set correctly for your dynamic IP or static IP network environment.

If you have trouble validating a notebook for wireless operation, first make sure the notebook is awake. Then check the wireless profile and make sure you have a valid SSID and appropriate authentication and encryption schemes selected.

Intel AMT Commander

The Intel AMT developer’s toolkit (DTK) includes a tool called Intel AMT Commander. This is not a supported validation tool for Intel AMT, but a tool for developers. However, it can also be a valuable tool during deployment to help you validate communication with Intel AMT, validate operational settings, and troubleshoot configuration issues. You can download the Intel AMT developer’s toolkit from the Intel Web site at: http://softwarecommunity.intel.com/articles/eng/1034.htm
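The check behind "If you have trouble validating configuration", as an added example that is not part of the original guide or of the Intel DTK: it makes one connection to the Web console port of a PC you manage and reports whether the port answered, refused, or stayed silent. The function name, verdict labels and hint texts are assumptions of this example, and reading a refusal as a configuration problem and silence as a firewall problem is a heuristic.

```python
import socket

AMT_HTTP_PORT = 16992  # port the guide uses for the Intel AMT Web console


def probe_amt_console(host, port=AMT_HTTP_PORT, timeout=3.0):
    """Classify one connection attempt to the Web console.

    Returns (verdict, detail). The verdicts are this example's own labels:
      "console-up"   an HTTP server answered on the port
      "refused"      the host answered, but nothing listens on the port
      "no-response"  the attempt timed out or the network rejected it
      "not-http"     the port is open but the reply is not HTTP
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", "check the Intel AMT configuration and the IP address"
    except (socket.timeout, TimeoutError):
        return "no-response", "check firewall rules and that the PC has power"
    except OSError as exc:
        return "no-response", f"network error: {exc}"
    with sock:
        sock.settimeout(timeout)
        request = (f"GET / HTTP/1.1\r\nHost: {host}:{port}\r\n"
                   "Connection: close\r\n\r\n")
        try:
            sock.sendall(request.encode("ascii"))
            reply = sock.recv(256)
        except OSError as exc:
            return "not-http", f"no reply after connect: {exc}"
    # Any HTTP status line, including a 401 login challenge, means the
    # console is reachable; logging in is then done in the browser.
    status_line = reply.split(b"\r\n", 1)[0].decode("ascii", "replace")
    if status_line.startswith("HTTP/"):
        return "console-up", status_line
    return "not-http", status_line or "empty reply"


if __name__ == "__main__":
    # 192.168.1.100 is the guide's own example address.
    print(probe_amt_console("192.168.1.100"))
```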

Where to go from here

When Intel AMT is configured, you are ready to integrate the PC into your third-party management application. Here are some sources for further information:
• The architecture section of this guide, for an overview of Intel AMT capabilities, including out-of-band communication.
• The Intel vPro technology integration guide for your third-party management application.
• The solution integration guide from the vendor of your third-party management application.
• The Intel Web site, which provides product, use case, and developer’s information about Intel vPro technology for notebook and desktop PCs.

Links to Intel documentation and the Intel Web site are located in the introduction section of this guide.


Section 4: Reconfigure and Unconfigure Intel® AMT

Introduction

This section explains how to manage changes that can affect Intel AMT settings, or erase such settings. This section includes these two main discussions:
• Change a host name on a wired or wireless PC, or move a wired PC.
• Return Intel AMT to factory defaults, which includes procedures to unconfigure Intel AMT as well as erase security credentials.

Change a host name for a wired or wireless PC or move the wired PC

Procedure for: Wired or wireless notebook and desktop PCs

There may be some circumstances in which you need to change a host name or move a wired PC after initial integration into the management application. You should reserve IP addresses from the router for wired PCs in SMB environments. You can then move the wired PC to other locations, but it will retain its IP address.

If you do not reserve IP addresses and you move a wired PC after integration with the management application, you must typically follow these steps:
1. Rediscover the wired machine via the third-party management application.
2. Add the wired PC back into the management domain as an Intel-AMT-enabled PC.

Return Intel AMT to factory defaults

There may be times when you want to erase Intel AMT configuration information and/or security credentials and reconfigure Intel AMT differently for your SMB environment. Table 4-1 explains the differences between unconfiguring Intel AMT (returning some Intel AMT settings to factory defaults) and erasing security credentials (returning all Intel AMT settings to their factory-default state, including the administrator password).


Table 4-1. Unconfiguring Intel AMT vs. erasing security credentials

| Process | Why do it: | What happens: | Remote reenable Intel AMT afterwards? |
|---|---|---|---|
| Remove PC from device list | Removes PC from the remote-management domain. | Intel AMT capabilities for the PC are no longer remotely accessible to the third-party management application. Note that Intel AMT security, networking, and operational parameters are not erased on the PC. The PC is still Intel AMT-enabled. | Yes. You can usually add the Intel AMT-enabled PC back into the management application by setting credentials again for the device from within the management application. |
| Unconfigure Intel AMT | Return Intel AMT to its unconfigured state, for example, to move a wired PC to a new location or reconfigure a wired or wireless PC for a different purpose. | Erases the configuration information, but leaves the security credentials (administrator password) established. | Yes. You can use the Intel AMT Web console to remotely access BIOS, MEBx, and wireless radio parameters in order to change networking and operational settings so that Intel AMT can be remotely accessed again by the management application. |
| Erase security credentials (administrator password) | Fully disable Intel AMT remote management, such as for notebook or desktop PCs that will be moved to less secure environments. This process returns Intel AMT to its factory-default state. | Erases configuration information AND security credentials (administrator password). Intel AMT is returned to its factory-default state. | No. To use Intel AMT capabilities again, you must manually set up security credentials (administrator password), and then reconfigure Intel AMT for remote management. |

Depending on the result you want, there are several ways to unconfigure and/or erase security credentials of Intel AMT.

Remove device from management domain

Procedure for: Notebook and desktop PCs

You can remove an Intel AMT-enabled PC from the management domain via your management application, so that the PC is no longer remotely accessible to the application. This is usually done simply by removing the device from the list of Intel AMT devices.


This process does not unconfigure Intel AMT. This process only removes the PC’s name from the list of Intel AMT-enabled PCs available for remote management. The security, networking, and operational parameters for Intel AMT are not erased or changed. The Intel AMT capabilities remain enabled in BIOS and MEBx. You can usually add the Intel AMT-enabled PC back into the management application by setting credentials again for the device via the management application.

Unconfigure Intel AMT by changing manageability mode

Procedure for: Notebook and desktop PCs

Changing the manageability mode will fully unprovision Intel AMT. This means it will erase the configuration information and erase initial security credentials for Intel AMT. This process returns Intel AMT to its factory-default state. To gain remote access to the Intel AMT capabilities again, you must perform the configuration process again.

Follow these general steps to change the manageability mode and return Intel AMT to its factory default state:
1. In BIOS, make sure the Intel Management Engine is enabled.
2. Enter MEBx.
3. When prompted, enter the administrator password.
4. Select the configuration screen for Intel Management Engine features.
5. Change the manageability mode from Intel AMT to ASF or to None.

Caution: Changing the manageability mode will unprovision Intel AMT. This erases networking and operational information for Intel AMT, and returns Intel AMT to its factory-default state. To gain remote access to the Intel AMT capabilities again, you must follow the configuration process again.

6. Exit MEBx.

Intel AMT will be unconfigured and the administrator password will be erased. The PC will then automatically reboot. Because Intel AMT is now in its factory-default state again, you cannot remotely access the Intel AMT capabilities from the remote-management application. You must reconfigure BIOS and MEBx parameters again before you can access the Intel AMT capabilities through your management application.


Unconfigure Intel AMT and erase security credentials via MEBx

Procedure for: Notebook and desktop PCs

You can also unconfigure Intel AMT through the MEBx screens. To do so, follow these general steps:
1. Log into BIOS.
2. Access MEBx.
3. Select the Intel AMT configuration option.
4. Select the option to reset Intel AMT to default factory settings.
5. When prompted, confirm your selection.
6. Exit MEBx and BIOS.
7. If prompted, answer yes to save and reboot. BIOS will then continue to load.

Caution: Do not power down the PC during this process. The BIOS must be allowed to finish loading in order to activate the settings and complete the configuration process.

This process returns the networking and operational parameters for Intel AMT to the factory default state, and resets the administrator username-password pair to the PC manufacturer’s default, such as admin-admin. In order to remotely manage the PC again through Intel AMT, you must manually reestablish security credentials and reconfigure Intel AMT parameters. For notebooks, you must also reconfigure wireless radio parameters before you can manage the notebook wirelessly.


Unconfigure Intel AMT and erase security credentials via hardware jumpers

Procedure for: Desktop PCs

This procedure unconfigures Intel AMT and erases security credentials, including the administrator password. You will need some information about the BIOS configuration jumper in order to follow these steps.

Follow these steps to return Intel AMT to its factory default state:
1. While the PC is powered off, look at the BIOS jumper block on the motherboard diagram. Identify the BIOS configuration jumper and the jumper position that enables the BIOS configure mode.
2. Move the BIOS configuration jumper to enable the BIOS configure mode.
3. Power up the PC and allow it to enter BIOS maintenance mode.
4. Select Reset Intel AMT to return the Intel AMT security, networking, and operational parameters to their default factory settings.
5. Save your changes.
6. If prompted, confirm your changes and reboot. BIOS will then continue to load.

Caution: Do not power down the PC during this process. The BIOS must be allowed to finish loading in order to activate the settings and complete the configuration process.

7. Power off the PC.
8. Restore the BIOS configuration jumper for normal operation.

Intel AMT will then be unconfigured and the administrator password erased. The desktop PC will then automatically reboot. Because Intel AMT is now in its factory-default state, you cannot remotely reconfigure Intel AMT nor access the Intel AMT capabilities from the remote service center. You must manually configure BIOS and MEBx parameters again before you can access the Intel AMT capabilities through your management application.

For more information

For more information about Intel AMT, refer to various articles and product documents on the Intel Web site. The introduction section of this guide includes a link to the Intel Web site and to other documents that may be of interest.


Appendix A: Accessing BIOS

The commands and/or keys used to access BIOS depend on your notebook or desktop PC’s manufacturer. Table B-1 describes typical ways to access BIOS and MEBx for a few common PC manufacturers. Refer to your PC manufacturer’s documentation for specific information on how to access BIOS and MEBx for your notebook or desktop PC.

Table B-1. Commands/keys to access BIOS

| BIOS type | Access BIOS via | Access MEBx via |
|---|---|---|
| ASUS BIOS | F10 key | During power-on self-test (POST), press Ctrl-P |
| HP BIOS | F10 key | During power-on self-test (POST), press Ctrl-P |
| Intel BIOS | F2 key | From BIOS, Select Intel(R) ME option |
| Lenovo BIOS | Enter key, then F1 | On desktop PCs: From the BIOS setup utility, access Advanced > AMT submenu. On notebooks: During power-on self-test (POST), press Ctrl-P |


Appendix B: Acronyms and Glossary

Glossary

configured state. A fully configured state, in which Intel AMT has been configured with power policies, security credentials (in SMB mode, credentials are established via the administrator password), and the settings that activate Intel vPro technology capabilities. A PC whose Intel AMT capabilities have been configured, is ready to be integrated into and interact with a third-party management application.

host. The PC’s . For static IP addressing in enterprise mode, the host can have a different MAC address than the manageability MAC address used for the Intel Management Engine (which includes Intel AMT). For static IP addressing in SMB mode, you should use the same IP address for both the host (the PC’s OS) and Intel AMT.

MEBx. The Intel Management Engine BIOS extension. The MEBx settings that are available to IT administrators, and the default values of those settings are vendor-dependent.

setup state. Intel AMT has three states: factory-default state, setup state (initial security credentials are loaded), and configured state (Intel AMT is enabled and configured for remote management). Setup state is the state in which the initial, bootstrap security credentials have been established for Intel AMT. In SMB mode, security credentials are typically only the administrator password. As soon as security credentials have been established Intel AMT is “set up” and ready to be configured. In enterprise mode, setup and configuration are often separate processes. In SMB mode, setup and configuration can be performed as part of the same process.

small-business mode. A simplified networking mode for desktop PCs. This networking mode does not support TLS, does not require a setup application, and does not require DHCP or DNS. If you are configuring Intel AMT on a desktop PC for an SMB environment, you must change the default operational mode (enterprise) to SMB mode in order for the MSP third-party management application to access Intel AMT capabilities. Notebooks with Intel AMT do not have an enterprise vs. SMB mode.

wired notebook or desktop PC. In this guide, the term “wired” refers to a notebook or desktop PC that is connected to A/C power and plugged into an Ethernet LAN.

wireless notebook. In this guide, the term “wireless” refers to a notebook that is on battery power and connected wirelessly to the network.


Acronyms

AMT Intel® Active Management Technology (Intel® AMT)

BIOS Basic input/output system

DHCP Dynamic host configuration protocol

DN Domain name

DNS Domain name server

IDE-R Integrated device electronics redirect. See glossary entry for remote boot.

IP Internet protocol

ISV Independent software vendor, a third-party software vendor

IT Information technology

LAN Local area network

MAC Media access controller

ME Management engine

MEBx Management engine BIOS extension

OEM Original equipment manufacturer

OS Operating system

PC A PC with Intel AMT

SDK Software development kit

SMB Small- or medium-business

SSID Service set identifier (the name of a wireless local area network)

SSL Secure sockets layer

SX Sleep state 1 through 5. (Note that S0 is the fully operational state.)

TCP/IP Transmission control protocol/internet protocol

VLAN Virtual local area network
