Intel Active Management Technology v6.

0
Administrator's Guide
Overview

Management

Product Overview
Out of Box Experience
Operational Modes
Setup and Configuration Overview

Intel AMT Web GUI

Menus and Defaults

AMT Redirection Overview

MEBx Settings Overview

ME General Settings
AMT Configuration
Intel Fast Call for Help
ME General Settings
AMT Configuration

Intel Management and

Security Status Application

Setup and Configuration

Methods Overview
Configuration Service--Using a USB Device
Configuration Service--USB Device Procedure
System Deployment
Operating System Drivers

AMT Redirection (SOL/IDE-R)

Intel Management and Security Status

Application

Troubleshooting
Troubleshooting

If you purchased a DELL n Series computer, any references in this document to Microsoft Windows operating systems
are not applicable.
Information in this document is subject to change without notice.
2010DellInc.Allrightsreserved.
Reproduction of these materials in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden.
Trademarks used in this text: Dell, Latitude, and the DELL logo are trademarks of Dell Inc.; Intel is a registered trademark of Intel Corporation in
the U.S. and other countries; Microsoft and Windows are either trademarks or registered trademarks of Microsoft Corporation in the United States
and/or other countries.
Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products.
Dell Inc. disclaims any proprietary interest in trademarks and trade names other than its own.
April 2010 Rev. A00

Back to Contents Page

Overview
Intel Active Management Technology (Intel AMT) allows companies to easily manage their networked computers.
Discover computing assets on a network regardless of whether the computer is turned on or off Intel AMT uses
information stored in nonvolatile system memory to access the computer. The computer can even be accessed while it
is powered off (also called out-of-band or OOB access).
Remotely repair computers even after operating system failures In the event of a software or operating system
failure, Intel AMT can be used to access the computer remotely for repair purposes. IT administrators can also detect
computer system problems easily with the assistance of Intel AMT's out-of-band event logging and alerting.
Protect networks from incoming threats while easily keeping software and virus protection up to date across the
network.

Software Support
Several independent software vendors (ISVs) are building software packages to work with Intel AMT features. This provides IT
administrators many options when it comes to remotely managing the networked computer assets within their company.

Features and Benefits

Intel AMT
Features

Benefits

Out-of-band (OOB) access

Allows remote management of platforms regardless of system power or operating

system state

Remote troubleshooting and

recovery

Significantly reduces desk-side visits, increasing the efficiency of IT technical staff

Proactive alerting

Decreases downtime and minimizes repair times

Computer Requirements
The computer referred to in this document consists of the Intel 5 Series Chipset Family/Intel PCH platform, and is
managed by Intel Management Engine. The following firmware and software requirements are required for the installation and
set up before the Intel Management Engine can be configured and run in the client computer:
An SPI flash device programmed with Intel AMT 6.0 flash image integrating BIOS, Intel Management Engine, and GbE
component images.
BIOS set up with Intel AMT enabled can access MEBx setup from F12 menu.
To enable all of the Intel Management Engine features within Microsoft Operating System, device drivers (Intel
MEI/SOL/LMS) must be installed and configured on the client system for features to work/run correctly run in the client
system.
* Information on this page provided by Intel.

Back to Contents Page

NOTE: The Intel Management Engine BIOS Extension (MEBx) is an optional ROM module provided to Dell from Intel
that is included in the Dell BIOS. The MEBx has been customized for Dell computers.

Back to Contents Page

Out of Box Experience

The following materials are available with an Intel Active Management Technology (Intel AMT) computer:
Factory installation
Intel AMT 6.0 is shipped in the factory-default state from Dell factories.
Setup and Quick Reference Guide
Intel AMT overview with link to the Dell Technology Guide.
Dell Technology Guide
High-level Intel AMT overview, setup, provisioning, and support.
Backup media
Firmware and critical drivers are available on the Resource CD.
See the Administrator Guide for detailed information about Intel AMT. The guide is posted on the Web and is available with
the computer manuals on support.dell.com.
Back to Contents Page

Back to Contents Page

Operational Modes
Earlier versions of Intel AMT supported two operational modes Small and Medium Business (SMB) and Enterprise. In the current
version, their functionality has been integrated to exhibit the functionality of the earlier Enterprise mode.
The new configuration options for SMB customers are: Manual Setup and Configuration and Automatic Setup and Configuration.

Setting

Intel AMT 5.0 Default

Intel AMT 6.0 Default

Enterprise Mode

SMB Mode

TLS mode

Enabled

Disabled

Disabled, can be enabled at

a later time

Web UI

Disabled

Enabled

Enabled

IDER/SOL/KVM
Redirection network
interface enabled

Disabled

Enabled if feature
enabled in Intel MEBx

Enabled, can be disabled at

a later time

Disabled

Enabled if feature
enabled in Intel MEBx

Disabled (set to Enabled to

work with Legacy SMB
consoles)

Legacy Redirection
Mode (Controls FW
listening for incoming
redirection
connections)

NOTE: KVM is supported only with integrated graphics CPU. The system should be in the integrated
graphics mode.
Perform manual configuration using the following steps:
1. Flash image with system BIOS and FW.
2. Navigate to the Intel MEBx by pressing the F12 menu and typing the default password admin. After you are logged in,
change the password.
3. Navigate to Intel ME General Settings menu.
4. Select Activate Network Access.
5. Choose Y in the confirmation message.
6. Exit the Intel MEBx.

NOTE: You can also accomplish the activation through external means or through the operating
system using the IntelActivator tool.
Back to Contents Page

Back to Contents Page

Setup and Configuration Overview

The following is a list of important terms related to the Intel AMT setup and configuration.
Setup and configuration The process that populates the Intel AMT-managed computer with usernames,
passwords, and network parameters that enable the computer to be administered remotely.
Configuration service A third-party application that completes the Intel AMT provisioning.
Intel AMT WebGUI A Web browser-based interface for limited remote computer management.
You must set up and configure Intel AMT on a computer before using it. Intel AMT setup readies the computer for Intel AMT
mode and enables network connectivity. This setup is generally performed only once in the lifetime of a computer. When Intel
AMT is enabled, it can be discovered by management software over a network.
Once Intel AMT is set up in Enterprise mode, it is ready to initiate configuration of its own capabilities. When all required
network elements are available, simply connect the computer to a power source and the network and Intel AMT automatically
initiates its own configuration. The configuration service (a third-party application) completes the process for you. Intel AMT is
then ready for remote management. This configuration typically takes only a few seconds. When Intel AMT is set up and
configured, you can reconfigure the technology as needed for your business environment.
Once Intel AMT is set up in the SMB mode, the computer does not have to initiate any configuration across the network. It is
set up manually and is ready to use with the Intel AMT Web GUI.

Intel AMT Setup and Configuration States

The act of setting up and configuring Intel AMT is also known as provisioning. An Intel AMT-capable computer can be in one
of three setup and configuration states (SCS):
Factory-default state
Setup state
Provisioned state
The factory-default state is a fully un-configured state in which security credentials are not yet established and Intel AMT
capabilities are not yet available to management applications. In the factory-default state, Intel AMT has the factory-defined
settings.
The setup state is a partially configured state in which Intel AMT has been set up with initial networking and transport layer
security (TLS) information: an initial administrator password, the provisioning passphrase (PPS), and the provisioning
identifier (PID). When Intel AMT has been set up, Intel AMT is ready to receive enterprise configuration settings from a
configuration service.
The provisioned state is a fully configured state in which the Intel Management Engine (ME) has been configured with power
options, and Intel AMT has been configured with its security settings, certificates, and the settings that activate the Intel AMT
capabilities. When Intel AMT has been configured, the capabilities are ready to interact with management applications.

Provisioning Methods
TLS-PKI
TLS-PKI is also known as "Remote Configuration". The SCS uses TLS-PKI (Public Key Infrastructure) certificates to securely
connect to an Intel AMT-enabled computer. The certificates can be generated in the following ways:
The SCS can connect using one of the default certificates pre-programmed on the computer, as detailed in the MEBx
interface section of this document.
The SCS can create a custom certificate, which can be deployed on the AMT computer by means of a desk-side visit
with a specially formatted USB thumb drive as detailed in the Configuration Service section of this document.
The SCS could use a custom certificate which was pre-programmed at the Dell factory through the Custom Factory
Integration (CFI) process.

TLS-PSK
TLS-PSK is also known as "One-Touch Configuration". The SCS uses PSK's (Pre-Shared Key's) to establish a secure

connection with the AMT computer. These 52-character keys can be created by the SCS, and then deployed on the AMT
computer with a desk-side visit in one of two ways:
The key can be manually typed into the MEBx.
The SCS can create a list of custom keys, and put them onto a specially formatted USB thumb drive. Then each AMT
computer retrieves a custom key from the specially formatted USB thumb drive during BIOS boot as detailed in the
Configuration Service section of this document.
Back to Contents Page

Back to Contents Page

MEBx Settings Overview

The Intel Management Engine BIOS Extension (MEBx) provides platform-level configuration options for you to configure the
behavior of the Management Engine (ME) platform. Options include enabling and disabling individual features and setting
power configurations.
This section provides details about MEBx configuration options and constraints, if any.
NOTE: All the ME Platform Configuration setting changes are not cached in MEBx. They are committed to ME nonvolatile memory (NVM) until you exit MEBx. Hence, if MEBx crashes, the changes made until that point are NOT going
to be committed to ME NVM.

Accessing the MEBx Configuration User Interface

The MEBx configuration user interface can be accessed on a computer through the following steps:
1. Turn on (or restart) your computer.
2. When the blue DELL logo appears, press <F12> immediately and select MEBx.
If you wait too long and the operating system logo appears, continue to wait until you see the Microsoft Windows
desktop. Then shut down your computer and try again.
3. Type the ME password. Press <Enter>.The default password is 'admin'. and it can be altered by the user.
NOTE: Another method to access the MEBx is to press <F12> for the one-time boot menu. When the menu appears,
use the up- and down-arrow keys to select Intel Management Engine BIOS Extension (MEBx). Press <Enter>.
The MEBx screen appears as shown below.

The main menu presents three function selections:

Intel ME General Settings
Intel AMT Configuration
Exit
NOTE: Intel MEBx will display only detected options. If one or more of these options do not appear, verify that the
system supports the relevant missing feature.

Changing the Intel ME Password

The default password is admin and is the same on all newly deployed platforms. You must change the default password before
changing any feature configuration options.
When an IT administrator first enters the Intel MEBx configuration menu with the default password, he or she must change
the default password before any feature can be used.
The new password must include the following elements:
Eight characters, no more than 32
One uppercase letter
One lowercase letter
A number
A special (non-alphanumeric) character, such as !, $, or ; excluding the :, ", and , characters.)
NOTE: The underscore ( _ ) and spacebar are valid password characters but do NOT add to the password complexity.
* Information on this page provided by Intel.

Back to Contents Page

ME General Settings
To navigate to the Intel Management Engine (ME) Platform Configuration page, follow these steps:
1. Under the Management Engine BIOS Extension (MEBx) main menu, select Intel ME General Settings. Press <Enter>.
2. The following message appears:
Acquiring General Settings configuration
The ME General Configuration page appears. This page allows the IT administrator to configure the specific functionality of
the Intel ME, such as password, power options, and so on. Below are quick links to the various sections.
Intel ME State Control
Change Intel ME Password
Password Policy
Network Setup
Network Name Settings
Host Name
Domain Name
FQDN
Dynamic DNS
Periodic Update Interval
TTL
Previous Menu
TCP/IP Settings
Wired LAN IPv4 Configuration
DHCP Mode
IPv4 Address
Default Gateway Address
Preferred DNS Address
Alternate DNS Address
Previous Menu
Wired LAN IPv6 Configuration
IPv6 Feature Selection
IPv6 Interface ID Type
IPv6 Address
IPv6 Default Router
Preferred DNS IPv6 Address
Alternate DNS IPv6 Address
Previous Menu
Wireless LAN IPv6 Configuration
IPv6 Feature Selection
IPv6 Interface ID Type
Previous Menu
Unconfigure Network Access
Remote Setup And Configuration
Current Provisioning Mode
Provisioning Record
Start Configuration
Previous Menu
Provisioning Server IPv4/IPv6
Provisioning Server FQDN
TLS PSK
Set PID and PPS
Deleting PID and PPS
Previous Menu
TLS PKI
Remote Configuration
PKI DNS Suffix
Manage Hashes
Adding Customized Hash
Deleting a Hash
Changing the Active State
Viewing a Certificate Hash
Previous Menu
Previous Menu
FW Update Settings
Local FW Update
Secure FW Update

Previous Menu
Set PRTC
Power Control
Intel ME ON in Host Sleep
Idle Time Out
Previous Menu

Intel ME State Control

When the ME State Control option is selected on the ME Platform Configuration menu, the ME State Control menu
appears. You can disable ME to isolate the ME computer from the main platform until the end of the debugging process.

The Intel ME State Control option (enable/disable) provides the ability to disable the Intel ME for debugging purposes.
Disabling the Intel ME through the MEBx prevents the Intel ME code from executing. This allows an IT technician to eliminate
the Intel ME as the potential problem.
ME Platform State Control
Option

Description

Enabled

Enable the Management Engine on the platform

Disabled

Disable the Management Engine on the platform

NOTE: Disabling the Intel ME does not really disable it. It causes the Intel ME code to be halted at an early stage of
the Intel MEs booting so that the system has no traffic originating from the Intel ME on any of the buses. This is not
intended to be normal operation mode nor is it supported configuration and is for debug only. This allows an IT
technician to debug a system problem without any interference from the Intel ME.

Change Intel ME Password

1. At the Intel ME New Password prompt, type your new password. (Please be aware of the password policies and
restrictions mentioned in changing the Intel ME Password requirement)
2. At the Verify Password prompt, re-type your new password.

Password Policy
This option determines when the user is allowed to change the Intel MEBx password through the network.
NOTE: The Intel MEBx password can always be changed via the Intel MEBx user interface.

Description of these options.

Default Password Only The Intel MEBx password can be changed through the network interface if the default
password has not been changed yet.
During Setup and Configuration The Intel MEBx password can be changed through the network interface during
the setup and configuration process but at no other time. Once the setup and configuration process is complete, the
Intel MEBx password cannot be changed via the network interface.
Anytime The Intel MEBx password can be changed through the network interface at any time.

Network Setup
Under the Intel ME Platform Configuration menu, select Network Setup and press Enter.
The Intel ME Platform Configuration menu changes to the Intel ME Network Setup page.

Network Name Settings

Under the Intel ME Network Name Settings, select Intel ME Network Name Settings and press Enter.

1. Host Name
Under the Intel ME Network Name Settings, select Host Name and press Enter.
A host name can be assigned to the Intel AMT machine. This will be the host name of the Intel AMT-enabled system.

2. Domain Name
Under the Intel ME Network Name Settings, select Domain Name and press Enter.
A domain name can be assigned to the Intel AMT machine.

3. Shared/Dedicated FQDN

Under the Intel ME Network Name Settings, select Shared/Dedicated FQDN and press Enter.

This setting determines whether the Intel ME Fully Qualified Domain Name (FQDN) (that is, the "HostName.DomainName") is
shared with the host and identical to the operating system machine name or dedicated to the Intel ME.
Option

Description

Dedicated The FQDN domain name is dedicated to ME

Shared

The FQDN domain name is shared with the Host

4. Dynamic DNS Update

Under the Intel ME Network Name Settings, select Dynamic DNS Update and press Enter.

If Dynamic DNS Update is enabled, then the firmware will actively try to register its IP addresses and FQDN in DNS using the
Dynamic DNS Update protocol. If DDNS Update is disabled, then the firmware will not make an attempt to update DNS using
DHCP option 81 or Dynamic DNS update. If the DDNS Update state (Enabled or Disabled) is not configured by the user at all,
then the firmware will assume its old implementation where the firmware used DHCP option 81 for DNS registration but did
not directly update DNS using the DDNS update protocol. For selecting Enabled for Dynamic DNS Update, it is required that
the Host Name and Domain Name are set.
Option

Description

Enabled

The Dynamic DNS Update Client in FW is enabled.

Disabled The Dynamic DNS Update Client in FW is disabled.

5. Periodic Update Interval

1. Under the Intel ME Network Name Settings, select Periodic Update Interval and press Enter.
2. Type the desired interval and press Enter.

NOTE: This option is only available when Dynamic DNS Update is enabled.
Defines the interval at which the firmware DDNS Update client will send periodic updates. It should be set according to
corporate DNS scavenging policy. Units are minutes. A value of 0 disables periodic update. The value set should be equal or
greater than 20 minutes. The default value for this property is 24 hours - 1440 minutes.

6. TTL
1. Under the Intel ME Network Name Settings, select TTL and press Enter.
2. Type the desired time (in seconds) and press Enter.

NOTE: This option is only available when Dynamic DNS Update is enabled.
This setting allows configuring the TTL time in seconds. This number should be greater than zero. If set to zero, the firmware
uses its internal default value, which is 15 min or 1/3 of lease time for DHCP.

7. Previous Menu
1. Under the Intel ME Network Name Settings, select Previous Menu and press Enter.
2. The Intel ME Network Name Settings menu changes to the Intel Network Setup page.

TCP/IP Settings
1. Under the Network Setup menu, select TCP/IP Settings and press Enter.
2. The Intel ME Network Name Settings menu changes to the Intel Network Setup page.
The Intel Network Setup menu changes to the TCP/IP Settings page.
NOTE: The Intel MEBx has menus for Wireless IPv6, but no menu for wireless IPv4. When the Intel MEBx starts, it will
check for the wireless interface to make the decision to display the wireless IPv6 menu or not.

Wired LAN IPv4 Configuration

Under the TCP/IP Settings, select Wired LAN IPv4 Configuration and press Enter.
The TCP/IP Settings menu changes to the Wired LAN IPv4 Configuration page.

1. DHCP Mode
Under Wired LAN IPv4 Configuration, select DHCP Mode and press Enter.
The TCP/IP Settings menu changes to the Wired LAN IPv4 Configuration page.
ENABLED: If DHCP Mode is enabled, TCP/IP settings will be configured by a DHCP server. More options will be displayed on
the screen. Select ENABLED and press Enter, no additional steps are required.
DHCP mode enabled.

Select DISABLED and press Enter. If you disable DHCP, more options will be displayed.
DHCP mode disabled.

2. IPv4 Address
Select IPv4 Address and press Enter.
Type the IPv4 Address in the address column and press Enter.

3. Subnet Mask Address

Select Subnet Mask Address and press Enter.
Type the Subnet Mask Address in the address column and press Enter.

4. Default Gateway Address

Select Default Gateway Address and press Enter.
Type the Default Gateway Address in the address column and press Enter.

5. Preferred DNS Address

Select Preferred DNS Address and press Enter.
Type the Preferred DNS Address in the address column and press Enter.

6. Alternate DNS Address

Select Alternate DNS Address and press Enter.
Type the Alternate DNS Address in the address column and press Enter.

7. Previous Menu
Under the Wired LAN IPv4 Configuration, select Previous Menu and press Enter.
The Wired LAN IPv4 Configuration menu changes to the TCP/IP Settings menu.

Wired LAN IPv6 Configuration

Under the TCP/IP Settings, select Wired LAN IPv6 Configuration and press Enter.
The TCP/IP Settings menu changes to the Wired LAN IPv6 Configuration page.
The Intel ME IPv6 addresses are dedicated and not shared with the host operating system. To enable Dynamic DNS
registration for IPv6 addresses, a dedicated FQDN must be configured.

NOTE: The Intel ME network stack supports a multi-homed IPv6 interface. Each network interface can be configured
with the following IPv6 addresses:
1.
2.
3.
4.

One link local auto-configured address

Three auto-configured global addresses
One DHCPv6 configured address
One statically configured IPv6 address

1. IPv6 Feature Selection

Under the Wired LAN IPv6 Configuration, select IPv6 Feature Selection and press Enter.
DISABLED: select 'Disabled' and press Enter. IPv6 Feature Selection is disabled.

ENABLED: select 'Enabled' and press Enter.

IPv6 Feature Selection is enabled as more configuration is allowed.

2. IPv6 Interface ID Type

Under the Wired LAN IPv6 Configuration, select IPv6 Interface ID Type and press Enter.
The auto-configured IPv6 address consists of two parts; the IPv6 Prefix set by the IPv6 router is the first part and the
interface ID is the second part (64 bits each).

Option

Description

Random
ID

The IPv6 Interface ID is automatically generated using a random number

as described in RFC 3041. This is the default.

Intel ID

The IPv6 Interface ID is automatically generated using the MAC address.

Manual
ID

The IPv6 Interface ID is configured manually. Selecting this type requires

that the Manual Interface ID is set with a valid value.

3. IPv6 Address
Under the Wired LAN IPv6 Configuration, select IPv6 Address and press Enter.
Type the IPv6 Address and press Enter.

4. IPv6 Default Router

Under the Wired LAN IPv6 Configuration, select IPv6 Default Router and press Enter.
Type the IPv6 Default Router and press Enter.

5. Preferred DNS IPv6 Address

Under the Wired LAN IPv6 Configuration, select Preferred DNS IPv6 Address and press Enter.
Type the Preferred DNS IPv6 Address and press Enter.

6. Alternate DNS IPv6 Address

Under the Wired LAN IPv6 Configuration, select Alternate DNS IPv6 Address and press Enter.
Type the Alternate DNS IPv6 Address and press Enter.

7. Previous Menu
Under the Wired LAN IPv6 Configuration, select Previous Menu and press Enter.
The Wired LAN IPv6 Configuration menu changes to the TCP/IP Settings menu.

Wireless LAN IPv6 Configuration

Under the TCP/IP Settings, select Wireless LAN IPv6 Configuration and press Enter.
The TCP/IP Settings menu changes to the Wireless LAN IPv6 Configuration page.

1. IPv6 Feature Selection

Under the Wireless LAN IPv6 Configuration, select IPv6 Feature Selection and press Enter.

2. IPv6 Interface ID Type

Under the Wired LAN IPv6 Configuration, select IPv6 Interface ID Type and press Enter.
The auto-configured IPv6 address consists of two parts; the IPv6 Prefix set by the IPv6 router is the first part and the
interface ID is the second part (64 bits each).
Option

Description

Random
ID

The IPv6 Interface ID is automatically generated using a random number

as described in RFC 3041. This is the default.

Intel ID

The IPv6 Interface ID is automatically generated using the MAC address.

Manual
ID

The IPv6 Interface ID is configured manually. Selecting this type requires

that the Manual Interface ID is set with a valid value.

3. Previous Menu
Under the Wireless LAN IPv6 Configuration, select Previous Menu and press Enter.
The Wireless LAN IPv6 Configuration menu changes to the TCP/IP Settings menu.

Unconfigure Network Access

1. Under the Intel ME Platform Configuration menu, select Unconfigure Network Access and press Enter.
NOTE: This will cause Intel ME to transition to the PRE-provisioning state.

2. Select Y to unconfigure.

3. Select Full Unprovisioning and press Enter.

4. Unprovisioning in progress.

Remote Setup and Configuration

Under the Intel ME Platform Configuration menu, select Automated Remote Setup and Configuration and press Enter.
The Intel ME Platform Configuration menu changes to the Automated Remote Setup and Configuration page.

Current Provisioning Mode

Under Automated Setup and Configuration, select Current Provisioning Mode and press Enter.
Current Provisioning Mode Displays the current provisioning TLS Mode: None, PKI, or PSK.

Provisioning Record

Under Automated Setup and Configuration, select Provisioning Record and press Enter.
Provisioning Record Displays the systems provision PSK/PKI record data. If the data has not been entered, the Intel
MEBx displays a message stating Provision Record not present.

If the data is entered, the Provision record will display as below:

Option

Description

TLS
provisioning
mode

Displays the current configuration mode of the system: None, PSK or PKI.

Provisioning IP

The IP address of the setup and configuration server.

Date of
Provision

Displays the date and time of the provisioning in the format MM/DD/YYYY at HH:MM.

DNS

Indicates whether the "PKI DNS Suffix" was configured in Intel MEBx before remote
configuration took place or not. A value of 0 indicates that the DNS suffix was not
configured and the firmware will rely on DHCP option 15 and compare this suffix to the
FQDN in the Configuration Server's client certificate. A value of 1 indicates that the DNS
suffix was configured and the firmware matched it against the DNS suffix in the
Configuration Server's client certificate.
Host Initiated Indicates whether the setup and configuration process was initiated by the
host: No indicates that the setup and configuration process was NOT host-initiated, Yes
indicates the setup and configuration process was host-initiated (PKI only).

Hash Data

Displays the 40-character certificate hash data (PKI only).

Hash Algorithm

Describes the hash type. Currently, only SHA1 is supported. (PKI only).

IsDefault

Displays Yes if the hash algorithm is the default algorithm selected. Displays No if the
hash algorithm is NOT the default algorithm used (PKI only).

FQDN

FQDN of the provisioning server mentioned in the certificate (PKI only).

Serial Number

The 32-character string that indicates the Certificate Authority serial numbers.

Time Validity
Pass

Indicates whether the certificate passed the time validity check.

RCFG

Under the Intel Automated Remote Setup and Configuration menu, select RCFG and press Enter.
The Intel Automated Remote Setup and Configuration menu changes to the Intel Remote Configuration page.

Start Configuration
Under the Intel Remote Configuration menu, select Start Configuration and press Enter.
If Remote Configuration is not activated, Remote configuration cannot occur.
To activate (enable) remote configuration, select Y.

Previous Menu
Under the Intel Remote Configuration menu, select Previous Menu and press Enter.
The Intel Remote Configuration menu changes to the Intel Automated Setup and Configuration page.

Provisioning Server IPv4/IPv6

Under the Intel Automated Setup and Configuration menu, select Provisioning Server IPv4/IPv6 and press Enter.
1. Type the provisioning server address and press Enter.

2. Type the provisioning server port number and press Enter.

The port number (0 65535) of the Intel AMT provisioning server. The default port number is 9971.

Provisioning Server FQDN

Under the Intel Automated Remote Setup and Configuration menu, select Provisioning Server FQDN and press Enter.
Type the FQDN of the provisioning server and press Enter.

FQDN of the provisioning server mentioned in the certificate (PKI only). This is also the FQDN of the server that AMT
sends hello packets to for both PSK and PKI.

TLS PSK
Under the Intel Automated Setup and Configuration menu, select TLS PSK and press Enter.
The Intel Automated Remote Setup and Configuration menu changes to the Intel TLS PSK Configuration page.
This submenu contains the settings for TLS PSK configuration settings

Set PID and PPS

Under the Intel TLS PSK Configuration menu, select Set PID and PPS and press Enter.
Type PID and press Enter.
Type PPS and press Enter.

Setting the PID/PPS will cause a partial unprovision if the setup and configuration is In-process. The PID and PPS should be
entered in the dash format. (Ex. PID: 1234-ABCD ; PPS: 1234-ABCD-1234-ABCD-1234-ABCD-1234-ABCD).
NOTE: A PPS value of 0000-0000-0000-0000-0000-0000-0000-0000 will not change the setup configuration state. If
this value is used, the setup and configuration state will remain Not-started.

Deleting PID and PPS

Under the Intel TLS PSK Configuration menu, select Delete PID and PPS and press Enter.
This option deletes the current PID and PPS stored in Intel ME. If the PID and PPS were not entered previously, the Intel
MEBx will return an error message.
To delete the PID and PPS entries, select Y, else N.

Previous Menu
Under the Intel TLS PSK Configuration menu select Previous Menu and press Enter.
The Intel TLS PSK Configuration menu changes to the Intel Automated Setup and Configuration page.

TLS PKI
Under the Intel Automated Setup and Configuration menu, select TLS PKI and press Enter.
The Intel Automated Remote Setup and Configuration menu changes to the Intel Remote Configuration page.

Remote Configuration
Under the Intel Remote Configuration menu, select Remote Configuration and press Enter.
Enabling/Disabling Remote configuration will cause a partial un-provision if the setup and configuration server is In-process.
Option

Description

Disabled

Remote configuration is disabled. Only Remote Configuration and

Previous Menu items are visible.

Enabled

Remote configuration is enabled, this will show additional fields.

To Disabled: Select Disabled and press Enter.

To Enabled: Select Enabled and press Enter.

PKI DNS Suffix

Under the Intel Remote Configuration menu, select PKI DNS Suffix and press Enter.
Type the PKI DNS Suffix and press Enter.

Manage Hashes

Under the Intel Remote Configuration menu, select Manage Hashes and press Enter.

Selecting this option will enumerate the hashes in the system and display the Hash Name and the active and default state. If
the system does not contain any hashes yet, Intel MEBx will display the following screen.

Answering Yes will begin the process of adding customized hash. Please see the next section below.
The Manage Certificate Hash screen provides keyboard controls for managing the hashes on the system. The following keys
are valid when in the Manage Certificate Hash menu.
Key

Description

Escape

Exits from the menu.

Insert

Adds a customized certificate hash to the system.

Delete

Deletes the currently selected certificate hash from the system.

Changes the active state of the currently selected certificate hash.

Enter

Displays the details of the currently selected certificate hash.

Adding Customized Hash

When the Insert key is pressed in the Manage Certificate Hash screen, the following screen is displayed:

To add a customized certificate hash: Type the hash name (up to 32 characters). When you press Enter, you are
prompted to enter the certificate hash value.

The Certificate hash value is a hexadecimal number (for SHA-1 it is 20 bytes for SHA-2 it is 32 bytes). If the value is not
entered in the correct format, the message Invalid Hash Certificate Entered - Try Again is displayed. When you press

Enter, you are prompted to set the active state of the hash.

Your response sets the active state of the customized hash as follows:
Yes The customized hash will be marked as active.
No (Default) The customized hash will add to the EPS but will not be active.

Deleting a Hash
When the Delete key is pressed in the Manage Certificate Hash screen, the following screen is displayed:
NOTE: A certificate hash that is set to Default cannot be deleted.

This option allows deleting of the selected certificate hash.

Yes Intel MEBx sends the firmware a message to delete the selected hash.
No Intel MEBx does not delete the selected hash, and returns to Remote Configuration.

Changing the Active State

When the + key is pressed in the Manage Certificate Hashes screen, the following screen is displayed:

Answering Y toggles the active state of the currently selected certificate hash. Setting a hash as active indicates that the hash
is available for use during PSK provisioning.

Viewing a Certificate Hash

When the Enter key is pressed in the Manage Certificate Hash screen, the following screen is displayed:

The details of the selected certificate hash are displayed to the user and include the following:
Hash Name
Certificate Hash Data
Active and Default States

Previous Menu
Under the Intel Remote Configuration menu, select Previous Menu and press Enter.
The Intel Remote Configuration menu changes to the Intel Automated Setup and Configuration page.

FW Update Settings
Under the Intel ME Platform Configuration menu, select FW Update Settings and press Enter.
The Intel ME Platform Configuration menu changes to the FW Update Settings page.

Local FW Update
Under the FW Update Settings menu, select Local FW Update and press Enter.

Intel ME Firmware Local Update provides the capability to allow or prevent firmware local update in the field. When the
Enabled option is selected, the IT-admin is able to update the Intel ME firmware locally via the local Intel Management
Engine interface or via the local secure interface.
This local firmware update does not require an administrator user name and password. Therefore, once the local update is
complete, this setting is automatically set to Disabled by the Intel ME firmware. This option must be set to Enabled when

a local update is needed.

Secure FW Update
Under the FW Update Settings menu, select Secure FW Update and press Enter.

This option allows the user to enable or disable secure firmware updates. The Secure Firmware Update function requires an
administrator user name and password. If the administrator user name and password are not supplied, the firmware cannot
be updated.
When the Secure Firmware Update feature is enabled, the IT administrator can update the firmware using the secure method.
Secure firmware updates are performed via the LMS driver.

Previous Menu
Under the FW Update Settings menu, select Previous Menu and press Enter.
The FW Update Settings menu changes to the Intel ME Platform Configuration page.

Set PRTC
Under the Intel ME Platform Configuration menu, select Set PRC and press Enter.

Valid date range: 1/1/2004 1/4/2021. Setting the PRTC value is used for virtually maintaining PRTC during the power-off
(G3) state.
Type PRTC in GMT (UTC) format (YYYY:MM:DD:HH:MM:SS) and press Enter.

Power Control
Under the Intel ME Platform Configuration menu, select Power Control and press Enter.
The Intel ME Platform Configuration menu changes to the Intel Power Control page.

To comply with ENERGY STAR* and EUP LOT6 requirements, the Intel ME can be turned off in various sleep states. The Intel
ME Power Control menu configures the Intel ME platform power-related policies.

Intel ME ON in Host Sleep States

Under the Intel ME Power Control menu, select Intel ME ON in Host Sleep States and press Enter.

The selected power package determines when the Intel ME is turned ON. The default power package can be modified by using
FITC or by FPT.
The end user administrator can choose which power package to use depending on the systems usage.
The following table illustrates the details of the power packages.
With Intel ME WoL, after the time-out timer expires, the Intel ME remains in the M-off state until a command is sent to the
ME. After this command has been sent, the Intel ME will transition to an M0 or M3 state and will respond to the next
command that is sent. A ping to the Intel ME will also cause the Intel ME to go into an M0 or M3 state.
The Intel ME takes a short time to transition from the M-off state to the M0 or M3 state. During this time, Intel AMT will not
respond to any Intel ME commands. When the Intel ME has reached the M0 or M3 state, the system will respond to Intel ME
commands.
Power Package

S0

ON

ON

S3

OFF

ON/ ME WoL

S4/S5

OFF

ON/ ME WoL

Select the desired Power Policy and press Enter.

NOTE: Putting a system into the provisioning state will automatically switch to Power Package 2. This can later be
changed through WebUI, the management console, or MEBx.

Idle Time Out

Under the Intel ME Power Control menu, select Idle Time Out and press Enter.

This setting is used to enable the Intel ME Wake on and to define the Intel ME idle timeout in M3 state. The value should be
entered in minutes. The value indicates the amount of time that the Intel ME is allowed remain idle in M3 before transitioning
to the M-off state.
NOTE: If the Intel ME is in M0, it will NOT transition to M-off.

Previous Menu
Under the Intel ME Platform Configuration menu, select Previous Menu and press Enter.
The Intel ME Power Control menu changes to the Intel ME Platform Configuration page.

* Information on this page provided by Intel.

Back to Contents Page

AMT Configuration
After you completely configure the Intel Management Engine (ME) feature, you must reboot before configuring the Intel AMT
for a clean system boot. Select the Intel AMT configuration option from the Management Engine BIOS Extension
(MEBx) main menu. This feature allows you to configure an Intel AMT-capable computer to support the Intel AMT
management features.
NOTE: You need to have a basic understanding of networking and computer technology terms, such as TCP/IP, DHCP,
VLAN, IDE, DNS, subnet mask, default gateway, and domain name. Explaining these terms is beyond the scope of this
document.
The Intel AMT Configuration page appears. Below are quick links to the various sections.
Manageability Feature Selection
SOL/IDER
Username and Password
SOL
Redirection Mode
Previous Menu
KVM Configuration
KVM Feature Selection
User Opt-in
Opt-in Configurable from remote IT
Previous Menu
Previous Menu
The Intel AMT Configuration page contains the user-configurable options listed below.

Manageability Feature Selection

Under the Main Menu, select Intel AMT Configuration and press Enter. The Main Menu changes to the Intel AMT
Configuration page.
Under the Intel AMT Configuration menu, select Manageability Feature Selection and press Enter.

When the Manageability Feature Selection is enabled, the Intel ME manageability feature menu will be shown. Leaving it
disabled means that manageability will not be enabled.

SOL/IDER
Under the Intel AMT Configuration page (with Intel AMT enabled), select SOL/IDER and press Enter.
The Intel AMT Configuration page changes to the SOL/IDER page.

Username and Password

Under the SOL/IDER page select, Username and Password and press Enter.

This option provides the user authentication for SOL/IDER session. If Kerberos* is used, this option should be set to
DISABLED. The user authentication is handled through Kerberos. If Kerberos is not used, the IT administrator has the choice
to enable or disable user authentication on SOL/IDER session.
Option

Description

Enabled

Username and Password is enabled

Disabled

Username and Password is disabled.

SOL
Under the SOL/IDER page, select SOL and press Enter.

SOL allows the console input/output of an Intel AMT-managed client to be redirected to a management server console (if the
client system supports SOL). If the system does not support SOL, this value cannot enable it.
Option

Description

Enabled

SOL is enabled

Disabled

SOL is disabled.

NOTE: Disabling SOL does not remove this feature but only blocks it from being used.

IDER
Under the SOL/IDER page, select IDER and press Enter.

IDE-R allows an Intel AMT-managed client to be booted by a management console from a remote disk image. If the client
system does not support IDE-R, this value cannot enable it.
Option

Description

Enabled

IDER is enabled

Disabled

IDER is disabled.

NOTE: Disabling IDER does not remove this feature but only blocks it from being used.

Redirection Mode
Under the SOL/IDER page select, Redirection Mode and press Enter.

Legacy Redirection Mode controls how the redirection works. If set to disabled, the console needs to open the redirection
ports before each session. This is meant for enterprise consoles and new SMB consoles that support opening the redirection
ports. The old SMB consoles (before Intel AMT 6.0) which do not support opening the redirection ports function need to
manually turn on the redirection port through this Intel MEBx option.
When selecting the mode, the following message is displayed:

Option

Description

Disabled Legacy redirection Mode is disabled.(Default)

The port is left open at all times when redirection is enabled in the Intel MEBx. It is the

Enabled

same as what used to be SMB mode in previous projects. Old (before Intel AMT 6.0)
SMB consoles will need this mode to succeed opening redirection sessions.

Previous Menu
Under the SOL/IDER page, select Previous Menu and press Enter.
The SOL/IDER page changes to the Intel AMT Configuration page.

KVM Configuration
Under the Intel AMT Configuration page, select KVM Configuration and press Enter.
The Intel AMT Configuration page changes to the KVM Configuration page.

KVM Feature Selection

Under the IKVM Configuration page, select KVM Feature Selection and press Enter.

Option

Description

Disabled

Disable KVM Feature

Enabled

Enable KVM Feature

NOTE: Disabling KVM does not remove this feature but disables it. KVM will not work in this case.

User Opt-in
Under the IKVM Configuration page, select User Opt-in and press Enter.

The following options can be selected:

Local User Consent is not required for remote establishment of KVM session
Local User Consent is required for remote establishment of KVM session

Opt-in Configurable from remote IT

Under the IKVM Configuration page, select Opt-in Configurable from remote IT and press Enter.

Option

Description

Disable Remote Control

of KVM Opt-in Policy

This option disables the Remote Users ability to select User OPT-IN Policy.
In this case only the local user can control the opt-in policy.

Enable Remote Control

of KVM Opt-in Policy

Enables Remote Users ability to select User OPT-IN Policy.

Previous Menu
Under the KVM Configuration page, select Previous Menu and press Enter.
The KVM Configuration page changes to the Intel AMT Configuration page.

Previous Menu
Under the Intel AMT Configuration page, select Previous Menu and press Enter.
The Intel AMT Configuration page changes to Main Menu page.
* Information on this page provided by Intel.

Back to Contents Page

Back to Contents Page

Intel Fast Call

Intel Fast Call for help is a feature that is available for VPro SKUs. An Intel Fast Call for help connection allows the end user
to request assistance if the VPro system is outside the corporate network. If the BIOS allows an Intel Fast Call for help
connection, the user can press the hot key/button (<Ctrl><h>) while the system is loading to initiate an Intel Fast Call
connection. It is recommended to press F12 and select Fast Call for Help.
NOTE: This feature will only be available when the IT administrator has configured the system to support it.

Requirements
Before an Intel Fast Call connection can be established from the Operating System, the VPro system must have:
1. Environment detection enabled
2. Remote Connection policy
3. Management Presence Server (MPS)

Putting it all Together

In order to get the Intel Fast Call for help, the system needs to be in provisioned state. If the system supports Full VPro, Intel
Fast Call for help will be available for use. If the system only supports Intel Standard Manageability, Intel Fast call for help is
not enabled.
1. Before an Intel Fast Call for help can be started, environment detection must be enabled. This allows Intel AMT to
determine if the system is within the corporate network. This is configured through an ISV app.
2. A remote connection policy must be created before an Intel Fast call for help can be initiated. The policy for the BIOSinitiated call does not need to be configured, but another policy must exist before initiating a help call from the BIOS.
The BIOS must support the hot key that initiates the Intel Fast call for help.
3. A management presence server must exist to answer the Intel fast calls for help. The management presence server
resides in the DMZ zone.
When all of these conditions are satisfied, the system is able to initiate an Intel Fast Call for help.

Initiating Intel Fast Call for Help

Once the feature has been fully configured, there are three methods for initiating an Intel Fast Call for help session. These
include:
At the Dell splash screen press <Ctrl><h>.
At the Dell splash screen press <F12> for the One Time Boot Menu.
Select the last option titled Intel Fast Call for Help.
From Windows:
1. Launch the Intel AMT privacy icon/application Intel Management Security Status.
2. Switch to the Intel AMT tab.
3. In the Remote Connectivity box, click Connect.

* Information on this page provided by Intel.

Back to Contents Page

ME General Settings
The following table lists the default settings for the Intel Management Engine BIOS Extension (MEBx) on general settings
page.

Password
Password

admin

Change Intel ME Password

Change Intel ME Password

blank

Password Policy
Password Policy

Default Password Only *

During Setup and Configuration
Anytime

Network Setup
Network Name Settings
Host Name

blank

Domain Name

blank

FQDN

Dedicated
Shared *

Dynamic DNS

Disabled *
Enabled

TCP/IP Settings
Wired LAN IPv4 Configuration
DHCP Mode

Disabled
Enabled *

Wired LAN IPv6 Configuration

IPv6 Feature Selection

Disabled *
Enabled
The configuration page is displayed only if enabled is selected.

IPv6 Interface ID Type

Random ID *
Intel ID
Manual ID

IPv6 Address

blank

IPv6 Default Router

blank

Preferred DNS IPv6 Addrress

blank

Alternate DNS IPv6 Address

blank

Activate Network Access

Y/N

Unconfigure Network Access

Y/N

Remote Setup and Configuration

Current Provisioning Mode
Provisioning Record
RCFG
Start Configuration

Y/N

Provisioning Server IPv4/IPv6

blank

Provisioning Server FQDN

blank

TLS PSK
Set PID and PPS

blank

Delete PID and PPS

Y/N

TLS PKI
Remote Configuration

Disabled
Enabled *

PKI DNS Suffix

blank

Manage Hashes

FW Update Settings
FW Update Settings
Local FW Update Qualifier

Always Open *
Never Open
Restricted

Secure FW Update

Disabled
Enabled *

*Default setting
**May cause Intel AMT partial unprovision
1 Intel ME Platform State Control is only changed for Management Engine (ME) troubleshooting.
2 Un-provision setting only seen if the box is provisioned.

AMT Configuration
The following table lists the default settings for the Intel Management Engine BIOS Extension (MEBx) on AMT configuration
page.

Manageability/Feature Selection
SOL/IDER
Username and Password

Disabled
Enabled *

SOL

Disabled
Enabled *

IDER

Disabled
Enabled *

Legacy Redirection Mode

Disabled
Enabled *

KVM Configuration
KVM feature Selection

Disabled
Enabled *

User Opt-in

User Consent is not required for KVM session

User Consent is required for KVM session *

Opt-in Configurable from remote IT

Disable Remote Control of KVM Opt-In Policy

Enable Remote Control of KVM Opt-In Policy *

NOTE: In order for KVM to work, the requirement must be Clarkdale/Arrandale CPU
*Default setting
**May cause Intel AMT partial unprovision
1 Intel ME Platform State Control is only changed for Management Engine (ME) troubleshooting.
2 In Enterprise mode, DHCP automatically loads the domain name.
3 Un-provision setting only seen if the box is provisioned.

Back to Contents Page

Setup and Configuration Methods Overview

As discussed in the Setup and Configuration Overview section, the computer has to be configured before the Intel AMT
capabilities are ready to interact with management application. There are two methods to complete the provisioning process
(in order from least complex to most complex):
Configuration service A configuration service allows you to complete the provisioning process from a GUI console
on their server with only one touch on each of the Intel AMT-capable computers. The PPS and PID fields are completed
using a file created by the configuration service saved to a USB mass storage device.
MEBx interface The IT administrator manually configures the Management Engine BIOS Extension (MEBx) settings
on each Intel AMT-ready computer. The PPS and PID fields are completed by typing the 32 character and 8 character
alphanumeric keys created by the configuration service into the MEBx interface.
TLS-PKI Commonly referred to as Remote Configuration (RCFG) or Zero Touch Configuration (ZTC). This process
utilizes a certificate associated with the ProvisionServer. The associated certificate hash must be listed within the Intel
Management Engine BIOS Extension (MEBx).
Details on using these various methods are available in the next few sections.
Back to Contents Page

Back to Contents Page

Configuration Service--Using a USB Device

This section discusses Intel AMT setup and configuration using a USB storage device. You can set up and locally configure
password, provisioning ID (PID), and provisioning passphrase (PPS) information with a USB drive key. This is also called USB
provisioning. USB provisioning allows you to manually set up and configure computers without the problems associated with
manually typing in entries.
NOTE: USB provisioning only works if the MEBx password is set to the factory default of admin. If the password has
been changed, reset it to the factory default by clearing the CMOS.

The following is a typical USB drive key setup and configuration procedure. For a detailed walk-through using Altiris Dell
Client Manager (DCM), refer to the USB device procedure page.
1. An IT technician inserts a USB drive key into a computer with a management console.
2. The technician requests local setup and configuration records from a setup and configuration server (SCS) through the
console.
3. The SCS does the following:
1. Generates the appropriate passwords, PID, and PPS sets.
2. Stores this information in its database.
3. Returns the information to the management console.
4. The management console writes the password, PID, and PPS sets to a setup.bin file in the USB drive key.
5. The technician takes the USB drive key to the staging area where new Intel AMT-capable computers are located. The
technician then does the following:
1. Unpacks and connects computers, if necessary.
2. Inserts the USB drive key into a computer.
3. Turns on that computer.
6. The computer BIOS detects the USB drive key.
If found, the BIOS looks for a setup.bin file at the beginning of the drive key. Go to step 7.
If no USB drive key or setup.bin file is found, then restart the computer. Ignore the remaining steps.
7. The computer BIOS displays a message that automatic setup and configuration will occur.
1. The first available record in the setup.bin file is read into memory. The process accomplishes the following:
Validates the file header record.
Locates the next available record.
If the procedure is successful, the current record is invalidated so it cannot be used again.
2. The process places the memory address into the MEBx parameter block.
3. The process calls MEBx.
8. MEBx processes the record.
9. MEBx writes a completion message to the display.
10. The IT technician turns off the computer. The computer is now in the setup state and is ready to be distributed to
users in an Enterprise-mode environment.
11. Repeat step 5 if you have more than one computer.
Refer to the management console supplier for more information on USB drive key setup and configuration.

USB Drive Key Requirements

The USB drive key must meet the following requirements to be able to set up and configure Intel AMT:
It must be greater than 16 MB.
It must be formatted with the FAT16 or FAT32 file system.
The sector size must be 1 KB.
The USB drive key is not bootable.
The USB drive key is for AMT provisioning and not for any other purpose.
The USB key must not contain any other files whether hidden, deleted, or otherwise.
The setup.bin file must be the first file landed on the USB drive key (for legacy BIOS or Dell OptiPlex 980).
The setup.bin file must be in the top directory (for UEFI BIOS or Dell Latitude E6410 / E6410 ATG / E6510
or Dell Precision Mobile Workstation M4500).
Back to Contents Page

Back to Contents Page

USB Device Procedure

The default console package provided is the Dell Client Management (DCM) application. This section provides the procedure
to set up and configure Intel AMT with the DCM package. As mentioned earlier in the document, several other packages are
available through third-party vendors.
The computer must be configured and seen by the DNS server before you begin this process. Also, a USB storage device is
required and must conform to the requirements listed in Configuration Service--Using a USB Device.
NOTE: The nature of management software is that it is not always dynamic or real time. In fact, sometimes if you tell a
computer to do something, such as to reboot, you may just have to do it again before it will work.
1. Format a USB device with the FAT16 file system and no volume label and then set it aside.

2. Open the Altiris Dell Client Manager application by double clicking the desktop icon or through the Start menu.

3. Select AMT Quick Start from the left navigation menu to open the Altiris Console.

4. Click the <+> to expand the Intel AMT Getting Started section.

5. Click the <+> to expand the Section 1. Provisioning section.

6. Click the <+> to expand the Basic Provisioning (without TLS) section.

7. Select Step 1. Configure DNS.

The notification server with an out-of-band management solution installed must be registered in DNS as
"ProvisionServer."

8. Click Test on the DNS Configuration screen to verify that DNS has the ProvisionServer entry and that it resolves to
the correct Intel setup and configuration server (SCS).

The IP address for the ProvisionServer and Intel SCS are now visible.

9. Select Step 2. Discovery Capabilities.

10. Verify that the setting is Enabled. If Disabled, click the checkbox next to Disabled and click Apply.

11. Select Step 3. View Intel AMT Capable Computers.

Any Intel AMT-capable computers on the network are visible in this list.

12. Select Step 4. Create Profile.

13. Click the '+'' symbol to add a new profile.

On the General tab, the administrator can modify the profile name and description along with the password. The
administrator sets a standard password for easy maintenance in the future. Select the manual radio button and
type a new password.

The Network tab provides the option to enable ping responses, VLAN, WebUI, Serial over LAN, and IDE
Redirection. If you are configuring Intel AMT manually, all these settings are also available in the MEBx.

The TLS (Transport Layer Security) tab provides the ability to enable TLS. If enabled, several other pieces of
information are required including the certificate authority (CA) server name, CA common name, CA type, and
certificate template.

The ACL (access control list) tab is used to review users already associated with this profile and to add new
users and define their access privileges.

The Power Policy tab has configuration options to select the sleep states for Intel AMT as well as an Idle
Timeout setting. It is recommended that Idle timeout is always set to 0 for optimal performance.
CAUTION: The setting for the Power Policy tab can potentially impact a computer's ability to remain E-Star
4.0 compliant.

14. Select Step 5. Generate Security Keys.

15. Select the icon with the arrow pointing out to Export Security Keys to USB Key.

16. Select the Generate keys before export radio button.

17. Type the number of keys to generate (depends on the number of computers that need to be provisioned). The default
is 50.

18. The Intel ME default password is admin. Configure the new Intel ME password for the environment.

19. Click Generate. Once the keys have been created, a link appears to the left of the Generate button.

20. Insert the previously formatted USB device into a USB connector on the Provisioning Server.
21. Click the Download USB key file link to download setup.bin file to the USB device. The USB device is recognized by
default; save the file to the USB device.
NOTE: If additional keys are needed in the future, the USB device must be reformatted before saving the setup.bin file
to it.

a. Click Save in the File Download dialog box.

b. Verify the Save in: location is directed to the USB device. Click Save.

c. Click Close in the Download complete dialog box.

The setup.bin file is now visible in the drive Explorer window.

22. Close the Export Security Keys to USB Key and drive Explorer windows to return to the Altiris Console.
23. Take the USB device to the computer, insert the device, and turn on the computer. The USB device is recognized
immediately and you are prompted to
Continue with Auto Provisioning (Y/N)
Press <y>.

Press any key to continue with system boot...

24. Once complete, turn off the computer and move back to the management server.
25. Select Step 6. Configure Automatic Profile Assignments.

26. Verify that the setting is enabled. In the Intel AMT 2.0+ dropdown, select the profile created previously. Configure the
other settings for the environment.

27. Select Step 7. Monitor Provisioning Process.

The computers for which the keys were applied begin to appear in the system list. At first the status is
Unprovisioned, then the system status changes to In provisioning, and finally it changes to Provisioned at
the end of the process.

28. Select Step 8. Monitor Profile Assignments.

The computers for which profiles were assigned appear in the list. Each computer is identified by the FQDN,
UUID, and Profile Name columns.

Once the computers are provisioned, they are visible under the Collections folder in All configured Intel AMT
computers.

Back to Contents Page

Back to Contents Page

System Deployment
Once you are ready to deploy a computer to a user, plug the computer into a power source and connect it to the network.
Use the integrated Intel 82566DM NIC. Intel Active Management Technology (Intel AMT) does not work with any other NIC
solution.
When the computer is turned on, it immediately looks for a setup and configuration server (SCS). If the computer finds this
server, the Intel AMT-capable computer sends a Hello message to the server (user must first activate network access either
via MEBx or using Intel Activator).
DHCP and DNS must be available for the setup and configuration server search to automatically succeed. If DHCP and DNS
are not available, then the setup and configuration servers (SCS) IP address must be manually entered into the Intel AMTcapable computer's MEBx.
The Hello message contains the following information:
Provisioning ID (PID)
Universally Unique Identifier (UUID)
IP address
ROM and firmware (FW) version numbers
The Hello message is transparent to the end user. There is no feedback mechanism to tell you that the computer is
broadcasting the message. The SCS uses the information in the Hello message to initiate a Transport Layer Security (TLS)
connection to the Intel AMT-capable computer using a TLS Pre-Shared key (PSK) cipher suite if TLS is supported.
The SCS uses the PID to look up the provisioning passphrase (PPS) in the provisioning server database and uses the PPS and
PID to generate a TLS Pre-Master Secret. TLS is optional. For secure and encrypted transactions, use TLS if the infrastructure
is available. If you do not use TLS, then HTTP Digest is used for mutual authentication. HTTP Digest is not as secure as TLS.
The SCS logs into the Intel AMT computer with the username and password and provisions the following required data items:
New PPS and PID (for future setup and configuration)
TLS certificates
Private keys
Current date and time
HTTP Digest credentials
HTTP Negotiate credentials
The computer goes from the setup state to the provisioned state, and then Intel AMT is fully operational. Once in the
provisioned state, the computer can be remotely managed.
Back to Contents Page

Back to Contents Page

Operating System Drivers

Within the operating system, the AMT Unified driver must be installed to remove unknown devices in the Device Manager. The
driver is discussed below. Unlike previous versions (3, 4, or 5) where there were two separate HECI and LMS/SOL drivers
from customer re-install stand-point, the current version provides both drivers in a common package called AMT Unified
Driver. When the unified driver package is installed, it manages both PCI devices in the Device Manager.

AMT Unified Driver

The Intel AMT Serial-Over-LAN (SOL) / Local Manageability Service (LMS) driver is available on support.dell.com and on
the ResourceCD under Chipset Drivers. The driver is labeled Intel AMT SOL/LMS. Once the driver is obtained, execute the
file; it unzips and prompts the user to continue the installation process.
Once you install the SOL/LMS driver, the PCI Serial Port entry becomes the Intel Active Management Technology - SOL
(COM3) entry.

HECI Driver
The Intel AMT Host Embedded Controller Interface (HECI) driver is available on support.dell.com and on the ResourceCD
under Chipset Drivers. The driver is labeled Intel AMT HECI. Once the driver is obtained, execute the file; it unzips and
prompts the user to continue the installation process.
Once you install the HECI drivers, the PCI Simple Communications Controller entry becomes the Intel Management
Engine Interface entry.
Back to Contents Page

Back to Contents Page

Intel AMT WebGUI

The Intel AMT WebGUI is a Web browser-based interface for limited remote computer management. The WebGUI is often
used as a test to determine if Intel AMT setup and configuration was performed properly on a computer. A successful remote
connection between a remote computer and the host computer running the WebGUI indicates proper Intel AMT setup and
configuration on the remote computer.
The Intel AMT WebGUI is accessible from any Web browser, such as Internet Explorer .
Limited remote computer management includes:
Hardware inventory
Event logging
Remote computer reset
Changing of network settings
Addition of new users
NOTE: Information on using the WebUI interface is available on the Intel AMT website.
Follow the steps below to connect to the Intel AMT WebUI on a computer that has been configured and set up.

Intel AMT WebUI

1. Turn on an Intel AMT-capable computer that has completed Intel AMT setup and configuration.
2. Launch a Web browser from a separate computer, such as a management computer on the same subnet as the Intel
AMT computer.
3. Connect to the IP address specified in the MEBx and port of the Intel AMT capable computer. (example:
http://ip_address:16992 or http://192.168.2.1:16992)
By default, the port is 16992.
NOTE: Use port 16993 and https:// to connect to the Intel AMT WebUI on a computer that has been configured
and set up in the Enterprise mode.
If DHCP is used, then use the fully qualified domain name (FQDN) for the ME. The FQDN is the combination of the host
name and domain. (example: http://host_name:16992 or http://system1:16992)
4. The management computer makes a TCP connection to the Intel AMT-capable computer and accesses the top level
Intel AMT-embedded Web page within the Management Engine of the Intel AMT-capable computer.
5. Type the username and password. The default username is admin and the password is what was set during Intel AMT
setup in the MEBx.
6. Review the computer information and make necessary changes.
NOTE: You can change the MEBx password for the remote computer in the WebUI. Changing the password in the
WebUI or a remote console results in two passwords. The new password, known as the remote MEBx password,
only works remotely with the WebUI or remote console. The local MEBx password used to locally access the
MEBx is not changed. You have to remember both the local and remote MEBx passwords to access the computer
MEBx locally and remotely. When the MEBx password is initially set in Intel AMT setup, the password serves as
both the local and remote password. If the remote password is changed, then the passwords are out of sync.
7. Select Exit.
Back to Contents Page

Back to Contents Page

AMT Redirection Overview

Intel AMT makes it possible to redirect serial and IDE communications from a managed client to a management console
regardless of the boot and power state of the managed client. The client need only have the Intel AMT capability, a
connection to a power source, and a network connection. Intel AMT supports Serial Over LAN (SOL, text/keyboard redirection)
and IDE Redirection (IDER, CD-ROM redirection) over TCP/IP.

Serial Over LAN Overview

Serial Over LAN (SOL) is the ability to emulate serial port communication over a standard network connection. SOL can be
used for most management applications where a local serial port connection is normally required.
When an active SOL session is established between an Intel AMT-enabled client and a management console using the Intel
AMT redirection library, the client's serial traffic is redirected through Intel AMT over the LAN connection and made available
to the management console. Similarly, the management console may send serial data over the LAN connection that appears
to have come through the client's serial port.

IDE Redirection Overview

IDE Redirection (IDER) is capable of emulating an IDE CD drive, a legacy floppy, or an LS-120 drive over a standard network
connection. IDER enables a management machine to attach one of its local drives to a managed client over the network.
Once an IDER session is established, the managed client can use the remote device as if it were directly attached to one of
its own IDE channels. This can be useful for remotely booting an otherwise unresponsive computer. IDER does not support
the DVD format.
For example, IDER is used to boot a client with a corrupt operating system. First, a valid boot disk is loaded into the
management console disk drive. This drive is then passed as an argument when the management console opens the IDER
TCP session. Intel AMT registers the device as a virtual IDE device on the client, regardless of its power or boot state. Both
SOL and IDER may be used together since the client BIOS may need to be configured to boot from the virtual IDE device.
Back to Contents Page

Back to Contents Page

Intel Management and Security Status Application

Intel Management and Security Status (IMSS) is an application that displays information about a platforms Intel Active
Management Technology (Intel AMT) and Intel Standard Manageability services.
The Intel Management and Security Status icon indicates whether Intel AMT and Intel Standard Manageability are running on
the platform. The icon is located in the notification area. By default, the notification icon is displayed every time Windows*
starts.
The Intel Management and Security Status application has a separate version per every Intel AMT generation (4.x, 5.x, 6.x).
This is to describe the Intel Management and Security Status application for Intel AMT generation 6.x.
Click here for more information Intel Management and Security Status Application.
NOTE: If the Intel Management and Security Status application starts automatically as a result of the user logging on
to Windows, the icon will be loaded to the notification area only if Intel AMT or Intel Standard Manageability is enabled
on the platform. If the Intel Management and Security Status application is started manually (via the Start menu), the
icon is loaded even if none of these technologies is enabled, as long as all the drivers have been installed.
NOTE: The information displayed in the Intel Management and Security Status is not shown in real time. The data is
refreshed at different intervals.
* Information on this page provided by Intel.

Back to Contents Page

Back to Contents Page

Troubleshooting
This page describes a few basic troubleshooting steps to follow if problems are experienced with the Intel AMT configuration.
Remember to always check DSN for more troubleshooting options.

Return to Default
Return to default is also known as un-provisioning. An Intel AMT setup and configured computer can be un-provisioned using
the Intel AMT Configuration screen and the Un-Provision option.
Follow the steps below to un-provision a computer:
1. Select Un-Provision and then select Full Un-provision.
Full un-provisioning is available for SMB Mode provisioned computers. This option returns all Intel AMT configuration
settings to factory defaults and does NOT reset ME configuration settings or passwords. Full and partial un-provisioning
is available for Enterprise Mode provisioned computers. Partial un-provisioning returns all Intel AMT configuration
settings to factory defaults with the exception of the PID and PPS. Partial un-provisioning does NOT reset ME
configuration settings or passwords.
An un-provisioning message displays after about 1 minute. After un-provisioning completes, control is passed back to
the Intel AMT Configuration screen. Provisioning Server, Set PID and PPS, and Set PRTC options are available
again because the computer is set to the default Enterprise Mode.
2. Select Return to previous menu.
3. Select Exit and then press <y>.
The computer restarts.

Firmware Flash
Flash the firmware to upgrade to newer versions of Intel AMT. The automatic flash feature can be disabled by selecting
Disabled under the Secure Firmware Update setting in the MEBx interface. If this setting is disabled, a firmware error
message appears when flashing the BIOS.
The firmware CANNOT be flashed to an older version or to the current version installed. The firmware flash, when available, is
located on the support.dell.com site for download.

Serial-Over-LAN (SOL) / IDE Redirection (IDE-R)

If you cannot use IDE-R and SOL, follow these steps:
1.
2.
3.
4.
5.
6.

At the initial boot screen, press <Ctrl><p> to enter the MEBx screens.
When a prompt for the password appears, type the new Intel ME password.
Select Intel AMT Configuration, and then press Enter.
Select Un-Provision, and then press Enter.
Select Full Unprovision, and then press Enter.
Reconfigure the settings under the Intel AMT Configuration menu option shown here.

Back to Contents Page