Reproduction of these materials in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden. Trademarks used in this text: Dell, Latitude, and the DELL logo are trademarks of Dell Inc.; Intel is a registered trademark of Intel Corporation in the U.S.
Information on this page provided by Intel. Back to Contents Page NOTE: The Intel Management Engine BIOS Extension (MEBx) is an optional ROM module provided to Dell™ from Intel that is included in the Dell BIOS. The MEBx has been customized for Dell computers.
The following materials are available with an Intel™ Active Management Technology (Intel AMT) computer: Factory installation Intel AMT 6.0 is shipped in the factory-default state from Dell factories. Setup and Quick Reference Guide Intel AMT overview with link to the Dell Technology Guide.
Back to Contents Page Operational Modes ® Earlier versions of Intel AMT supported two operational modes – Small and Medium Business (SMB) and Enterprise. In the current version, their functionality has been integrated to exhibit the functionality of the earlier Enterprise mode. The new configuration options for SMB customers are: Manual Setup and Configuration and Automatic Setup and Configuration.
The SCS can create a custom certificate, which can be deployed on the AMT computer by means of a desk-side visit with a specially formatted USB thumb drive as detailed in the Configuration Service section of this document. The SCS could use a custom certificate which was pre-programmed at the Dell factory through the Custom Factory Integration (CFI) process.
Page 6
connection with the AMT computer. These 52-character keys can be created by the SCS, and then deployed on the AMT computer with a desk-side visit in one of two ways: The key can be manually typed into the MEBx. The SCS can create a list of custom keys, and put them onto a specially formatted USB thumb drive. Then each AMT computer retrieves a custom key from the specially formatted USB thumb drive during BIOS boot as detailed in the Configuration Service section of this document.
Page 7
Accessing the MEBx Configuration User Interface The MEBx configuration user interface can be accessed on a computer through the following steps: 1. Turn on (or restart) your computer. 2. When the blue DELL™ logo appears, press <F12> immediately and select MEBx. ® ®...
Page 8
The main menu presents three function selections: Intel ME General Settings Intel AMT Configuration Exit NOTE: Intel MEBx will display only detected options. If one or more of these options do not appear, verify that the system supports the relevant missing feature. Changing the Intel ME Password The default password is admin and is the same on all newly deployed platforms.
Page 10
ME General Settings ® To navigate to the Intel Management Engine (ME) Platform Configuration page, follow these steps: 1. Under the Management Engine BIOS Extension (MEBx) main menu, select Intel ME General Settings. Press <Enter>. 2. The following message appears: Acquiring General Settings configuration The ME General Configuration page appears.
Page 11
Previous Menu Set PRTC Power Control Intel ME ON in Host Sleep Idle Time Out Previous Menu Intel ME State Control When the ME State Control option is selected on the ME Platform Configuration menu, the ME State Control menu appears.
Password Policy This option determines when the user is allowed to change the Intel MEBx password through the network. NOTE: The Intel MEBx password can always be changed via the Intel MEBx user interface. Description of these options.
Default Password Only — The Intel MEBx password can be changed through the network interface if the default password has not been changed yet. During Setup and Configuration — The Intel MEBx password can be changed through the network interface during the setup and configuration process but at no other time.
2. Domain Name Under the Intel ME Network Name Settings, select Domain Name and press Enter. A domain name can be assigned to the Intel AMT machine. 3. Shared/Dedicated FQDN...
Under the Intel ME Network Name Settings, select Shared/Dedicated FQDN and press Enter. This setting determines whether the Intel ME Fully Qualified Domain Name (FQDN) (that is, the "HostName.DomainName") is shared with the host and identical to the operating system machine name or dedicated to the Intel ME. Option Description Dedicated The FQDN domain name is dedicated to ME...
Page 16
If Dynamic DNS Update is enabled, then the firmware will actively try to register its IP addresses and FQDN in DNS using the Dynamic DNS Update protocol. If DDNS Update is disabled, then the firmware will not make an attempt to update DNS using DHCP option 81 or Dynamic DNS update.
Page 17
NOTE: This option is only available when Dynamic DNS Update is enabled. Defines the interval at which the firmware DDNS Update client will send periodic updates. It should be set according to corporate DNS scavenging policy. Units are minutes. A value of 0 disables periodic update. The value set should be equal or greater than 20 minutes.
Page 18
NOTE: This option is only available when Dynamic DNS Update is enabled. This setting allows configuring the TTL time in seconds. This number should be greater than zero. If set to zero, the firmware uses its internal default value, which is 15 min or 1/3 of lease time for DHCP. 7.
Page 19
1. DHCP Mode Under Wired LAN IPv4 Configuration, select DHCP Mode and press Enter. The TCP/IP Settings menu changes to the Wired LAN IPv4 Configuration page. ENABLED: If DHCP Mode is enabled, TCP/IP settings will be configured by a DHCP server. More options will be displayed on the screen.
Select DISABLED and press Enter. If you disable DHCP, more options will be displayed. DHCP mode disabled. 2. IPv4 Address Select IPv4 Address and press Enter. Type the IPv4 Address in the address column and press Enter.
3. Subnet Mask Address Select Subnet Mask Address and press Enter. Type the Subnet Mask Address in the address column and press Enter. 4. Default Gateway Address Select Default Gateway Address and press Enter. Type the Default Gateway Address in the address column and press Enter.
Page 22
5. Preferred DNS Address Select Preferred DNS Address and press Enter. Type the Preferred DNS Address in the address column and press Enter. 6. Alternate DNS Address Select Alternate DNS Address and press Enter. Type the Alternate DNS Address in the address column and press Enter.
Page 23
7. Previous Menu Under the Wired LAN IPv4 Configuration, select Previous Menu and press Enter. The Wired LAN IPv4 Configuration menu changes to the TCP/IP Settings menu. Wired LAN IPv6 Configuration Under the TCP/IP Settings, select Wired LAN IPv6 Configuration and press Enter. The TCP/IP Settings menu changes to the Wired LAN IPv6 Configuration page.
Page 24
ENABLED: select 'Enabled' and press Enter. IPv6 Feature Selection is enabled as more configuration is allowed. 2. IPv6 Interface ID Type Under the Wired LAN IPv6 Configuration, select IPv6 Interface ID Type and press Enter. The auto-configured IPv6 address consists of two parts; the IPv6 Prefix set by the IPv6 router is the first part and the interface ID is the second part (64 bits each).
Option Description Random The IPv6 Interface ID is automatically generated using a random number as described in RFC 3041. This is the default. Intel ID The IPv6 Interface ID is automatically generated using the MAC address. Manual The IPv6 Interface ID is configured manually. Selecting this type requires that the Manual Interface ID is set with a valid value.
Page 26
4. IPv6 Default Router Under the Wired LAN IPv6 Configuration, select IPv6 Default Router and press Enter. Type the IPv6 Default Router and press Enter. 5. Preferred DNS IPv6 Address...
Page 27
Under the Wired LAN IPv6 Configuration, select Preferred DNS IPv6 Address and press Enter. Type the Preferred DNS IPv6 Address and press Enter. 6. Alternate DNS IPv6 Address Under the Wired LAN IPv6 Configuration, select Alternate DNS IPv6 Address and press Enter. Type the Alternate DNS IPv6 Address and press Enter.
Page 28
7. Previous Menu Under the Wired LAN IPv6 Configuration, select Previous Menu and press Enter. The Wired LAN IPv6 Configuration menu changes to the TCP/IP Settings menu. Wireless LAN IPv6 Configuration Under the TCP/IP Settings, select Wireless LAN IPv6 Configuration and press Enter. The TCP/IP Settings menu changes to the Wireless LAN IPv6 Configuration page.
Page 29
2. IPv6 Interface ID Type Under the Wired LAN IPv6 Configuration, select IPv6 Interface ID Type and press Enter. The auto-configured IPv6 address consists of two parts; the IPv6 Prefix set by the IPv6 router is the first part and the interface ID is the second part (64 bits each).
Page 30
3. Previous Menu Under the Wireless LAN IPv6 Configuration, select Previous Menu and press Enter. The Wireless LAN IPv6 Configuration menu changes to the TCP/IP Settings menu. Unconfigure Network Access 1. Under the Intel ME Platform Configuration menu, select Unconfigure Network Access and press Enter. NOTE: This will cause Intel ME to transition to the PRE-provisioning state.
Page 31
2. Select Y to unconfigure. 3. Select Full Unprovisioning and press Enter.
Page 32
4. Unprovisioning in progress. Remote Setup and Configuration Under the Intel ME Platform Configuration menu, select Automated Remote Setup and Configuration and press Enter. The Intel ME Platform Configuration menu changes to the Automated Remote Setup and Configuration page.
Page 33
Current Provisioning Mode Under Automated Setup and Configuration, select Current Provisioning Mode and press Enter. Current Provisioning Mode – Displays the current provisioning TLS Mode: None, PKI, or PSK. Provisioning Record...
Page 34
Under Automated Setup and Configuration, select Provisioning Record and press Enter. Provisioning Record – Displays the system’s provision PSK/PKI record data. If the data has not been entered, the Intel MEBx displays a message stating “Provision Record not present”. If the data is entered, the Provision record will display as below: Option Description provisioning...
Under the Intel Automated Remote Setup and Configuration menu, select RCFG and press Enter. The Intel Automated Remote Setup and Configuration menu changes to the Intel Remote Configuration page. Start Configuration Under the Intel Remote Configuration menu, select Start Configuration and press Enter. If Remote Configuration is not activated, Remote configuration cannot occur.
Page 36
Previous Menu Under the Intel Remote Configuration menu, select Previous Menu and press Enter. The Intel Remote Configuration menu changes to the Intel Automated Setup and Configuration page. Provisioning Server IPv4/IPv6 Under the Intel Automated Setup and Configuration menu, select Provisioning Server IPv4/IPv6 and press Enter. 1.
Page 37
Provisioning Server FQDN Under the Intel Automated Remote Setup and Configuration menu, select Provisioning Server FQDN and press Enter. Type the FQDN of the provisioning server and press Enter. FQDN of the provisioning server mentioned in the certificate (PKI only). This is also the FQDN of the server that AMT sends hello packets to for both PSK and PKI.
Page 38
TLS PSK Under the Intel Automated Setup and Configuration menu, select TLS PSK and press Enter. The Intel Automated Remote Setup and Configuration menu changes to the Intel TLS PSK Configuration page. This submenu contains the settings for TLS PSK configuration settings Set PID and PPS Under the Intel TLS PSK Configuration menu, select Set PID and PPS and press Enter.
Page 39
Setting the PID/PPS will cause a partial unprovision if the setup and configuration is “In-process”. The PID and PPS should be entered in the dash format. (Ex. PID: 1234-ABCD ; PPS: 1234-ABCD-1234-ABCD-1234-ABCD-1234-ABCD). NOTE: A PPS value of ‘0000-0000-0000-0000-0000-0000-0000-0000’ will not change the setup configuration state. If this value is used, the setup and configuration state will remain ‘Not-started’.
Previous Menu Under the Intel TLS PSK Configuration menu select Previous Menu and press Enter. The Intel TLS PSK Configuration menu changes to the Intel Automated Setup and Configuration page. TLS PKI Under the Intel Automated Setup and Configuration menu, select TLS PKI and press Enter. The Intel Automated Remote Setup and Configuration menu changes to the Intel Remote Configuration page.
Page 41
PKI DNS Suffix Under the Intel Remote Configuration menu, select PKI DNS Suffix and press Enter. Type the PKI DNS Suffix and press Enter. Manage Hashes...
Page 42
Under the Intel Remote Configuration menu, select Manage Hashes and press Enter. Selecting this option will enumerate the hashes in the system and display the Hash Name and the active and default state. If the system does not contain any hashes yet, Intel MEBx will display the following screen. Answering ‘Yes’...
Page 43
Adding Customized Hash When the Insert key is pressed in the Manage Certificate Hash screen, the following screen is displayed: To add a customized certificate hash: Type the hash name (up to 32 characters). When you press Enter, you are prompted to enter the certificate hash value.
Page 44
‘Enter’, you are prompted to set the active state of the hash. Your response sets the active state of the customized hash as follows: Yes – The customized hash will be marked as active. No (Default) – The customized hash will add to the EPS but will not be active. Deleting a Hash When the Delete key is pressed in the Manage Certificate Hash screen, the following screen is displayed: NOTE:...
Page 45
This option allows deleting of the selected certificate hash. Yes – Intel MEBx sends the firmware a message to delete the selected hash. No – Intel MEBx does not delete the selected hash, and returns to Remote Configuration. Changing the Active State When the ‘+’...
Page 46
The details of the selected certificate hash are displayed to the user and include the following: Hash Name Certificate Hash Data Active and Default States Previous Menu Under the Intel Remote Configuration menu, select Previous Menu and press Enter. The Intel Remote Configuration menu changes to the Intel Automated Setup and Configuration page. FW Update Settings Under the Intel ME Platform Configuration menu, select FW Update Settings and press Enter.
Page 47
Local FW Update Under the FW Update Settings menu, select Local FW Update and press Enter. Intel ME Firmware Local Update provides the capability to allow or prevent firmware local update in the field. When the “Enabled” option is selected, the IT-admin is able to update the Intel ME firmware locally via the local Intel Management Engine interface or via the local secure interface.
Page 48
a local update is needed. Secure FW Update Under the FW Update Settings menu, select Secure FW Update and press Enter. This option allows the user to enable or disable secure firmware updates. The Secure Firmware Update function requires an administrator user name and password.
Valid date range: 1/1/2004 – 1/4/2021. Setting the PRTC value is used for virtually maintaining PRTC during the power-off (G3) state. Type PRTC in GMT (UTC) format (YYYY:MM:DD:HH:MM:SS) and press Enter. Power Control Under the Intel ME Platform Configuration menu, select Power Control and press Enter. The Intel ME Platform Configuration menu changes to the Intel Power Control page.
To comply with ENERGY STAR* and EUP LOT6 requirements, the Intel ME can be turned off in various sleep states. The Intel ME Power Control menu configures the Intel ME platform power-related policies. Intel ME ON in Host Sleep States Under the Intel ME Power Control menu, select Intel ME ON in Host Sleep States and press Enter.
Page 51
This setting is used to enable the Intel ME Wake on and to define the Intel ME idle timeout in M3 state. The value should be entered in minutes. The value indicates the amount of time that the Intel ME is allowed remain idle in M3 before transitioning to the M-off state.
Back to Contents Page AMT Configuration ® After you completely configure the Intel Management Engine (ME) feature, you must reboot before configuring the Intel AMT for a clean system boot. Select the Intel AMT configuration option from the Management Engine BIOS Extension (MEBx) main menu.
When the Manageability Feature Selection is enabled, the Intel ME manageability feature menu will be shown. Leaving it disabled means that manageability will not be enabled. SOL/IDER Under the Intel AMT Configuration page (with Intel AMT enabled), select SOL/IDER and press Enter. The Intel AMT Configuration page changes to the SOL/IDER page.
Page 54
SOL allows the console input/output of an Intel AMT-managed client to be redirected to a management server console (if the client system supports SOL). If the system does not support SOL, this value cannot enable it. Option Description Enabled SOL is enabled Disabled SOL is disabled.
Page 55
IDE-R allows an Intel AMT-managed client to be booted by a management console from a remote disk image. If the client system does not support IDE-R, this value cannot enable it. Option Description Enabled IDER is enabled Disabled IDER is disabled. NOTE: Disabling IDER does not remove this feature but only blocks it from being used.
Page 56
Legacy Redirection Mode controls how the redirection works. If set to disabled, the console needs to open the redirection ports before each session. This is meant for enterprise consoles and new SMB consoles that support opening the redirection ports. The old SMB consoles (before Intel AMT 6.0) which do not support opening the redirection ports function need to manually turn on the redirection port through this Intel MEBx option.
Enabled same as what used to be SMB mode in previous projects. Old (before Intel AMT 6.0) SMB consoles will need this mode to succeed opening redirection sessions. Previous Menu Under the SOL/IDER page, select Previous Menu and press Enter. The SOL/IDER page changes to the Intel AMT Configuration page.
Page 58
The following options can be selected: Local User Consent is not required for remote establishment of KVM session Local User Consent is required for remote establishment of KVM session Opt-in Configurable from remote IT Under the IKVM Configuration page, select Opt-in Configurable from remote IT and press Enter.
Page 59
Option Description Disable Remote Control This option disables the Remote User’s ability to select User OPT-IN Policy. of KVM Opt-in Policy In this case only the local user can control the opt-in policy. Enable Remote Control Enables Remote User’s ability to select User OPT-IN Policy. of KVM Opt-in Policy Previous Menu Under the KVM Configuration page, select Previous Menu and press Enter.
Once the feature has been fully configured, there are three methods for initiating an Intel Fast Call for help session. These include: At the Dell splash screen press <Ctrl><h>. At the Dell splash screen press <F12> for the One Time Boot Menu. Select the last option titled Intel Fast Call for Help. From Windows: 1.
ME General Settings ® The following table lists the default settings for the Intel Management Engine BIOS Extension (MEBx) on general settings page. Password Password admin Change Intel ME Password Change Intel ME Password blank Password Policy Default Password Only * Password Policy During Setup and Configuration Anytime...
Page 62
Activate Network Access Y / N Unconfigure Network Access Y / N Remote Setup and Configuration Current Provisioning Mode Provisioning Record RCFG Start Configuration Y / N Provisioning Server IPv4/IPv6 blank Provisioning Server FQDN blank TLS PSK Set PID and PPS blank Delete PID and PPS Y / N...
Page 63
AMT Configuration ® The following table lists the default settings for the Intel Management Engine BIOS Extension (MEBx) on AMT configuration page. Manageability/Feature Selection SOL/IDER Disabled Username and Password Enabled * Disabled Enabled * Disabled IDER Enabled * Disabled Legacy Redirection Mode Enabled * KVM Configuration Disabled...
Page 64
Back to Contents Page Setup and Configuration Methods Overview Setup and Configuration Overview As discussed in the section, the computer has to be configured before the Intel AMT capabilities are ready to interact with management application. There are two methods to complete the provisioning process (in order from least complex to most complex): Configuration service —...
Page 65
The USB key must not contain any other files whether hidden, deleted, or otherwise. The setup.bin file must be the first file landed on the USB drive key (for legacy BIOS or Dell™ OptiPlex™ 980). The setup.bin file must be in the top directory (for UEFI BIOS or Dell™ Latitude™ E6410 / E6410 ATG / E6510 or Dell Precision™...
Page 66
Back to Contents Page USB Device Procedure The default console package provided is the Dell™ Client Management (DCM) application. This section provides the procedure ® to set up and configure Intel AMT with the DCM package. As mentioned earlier in the document, several other packages are available through third-party vendors.
Page 67
4. Click the <+> to expand the Intel AMT Getting Started section.
Page 68
5. Click the <+> to expand the Section 1. Provisioning section.
Page 69
6. Click the <+> to expand the Basic Provisioning (without TLS) section.
Page 70
7. Select Step 1. Configure DNS. The notification server with an out-of-band management solution installed must be registered in DNS as "ProvisionServer."...
Page 71
8. Click Test on the DNS Configuration screen to verify that DNS has the ProvisionServer entry and that it resolves to the correct Intel setup and configuration server (SCS).
Page 72
The IP address for the ProvisionServer and Intel SCS are now visible.
Page 78
13. Click the '+'' symbol to add a new profile.
Page 79
On the General tab, the administrator can modify the profile name and description along with the password. The administrator sets a standard password for easy maintenance in the future. Select the manual radio button and type a new password.
Page 80
The Network tab provides the option to enable ping responses, VLAN, WebUI, Serial over LAN, and IDE Redirection. If you are configuring Intel AMT manually, all these settings are also available in the MEBx. The TLS (Transport Layer Security) tab provides the ability to enable TLS. If enabled, several other pieces of information are required including the certificate authority (CA) server name, CA common name, CA type, and certificate template.
Page 81
The Power Policy tab has configuration options to select the sleep states for Intel AMT as well as an Idle Timeout setting. It is recommended that Idle timeout is always set to 0 for optimal performance. CAUTION: The setting for the Power Policy tab can potentially impact a computer's ability to remain E-Star 4.0 compliant.
Page 82
15. Select the icon with the arrow pointing out to Export Security Keys to USB Key.
Page 83
16. Select the Generate keys before export radio button.
Page 84
17. Type the number of keys to generate (depends on the number of computers that need to be provisioned). The default is 50. 18. The Intel ME default password is admin. Configure the new Intel ME password for the environment. 19.
Page 85
20. Insert the previously formatted USB device into a USB connector on the Provisioning Server. 21. Click the Download USB key file link to download setup.bin file to the USB device. The USB device is recognized by default; save the file to the USB device. NOTE: If additional keys are needed in the future, the USB device must be reformatted before saving the setup.bin file to it.
Page 86
a. Click Save in the File Download dialog box. b. Verify the Save in: location is directed to the USB device. Click Save.
Page 87
c. Click Close in the Download complete dialog box. The setup.bin file is now visible in the drive Explorer window. 22. Close the Export Security Keys to USB Key and drive Explorer windows to return to the Altiris Console. 23. Take the USB device to the computer, insert the device, and turn on the computer. The USB device is recognized immediately and you are prompted to Continue with Auto Provisioning (Y/N) Press <y>.
Page 88
Press any key to continue with system boot... 24. Once complete, turn off the computer and move back to the management server. 25. Select Step 6. Configure Automatic Profile Assignments.
Page 89
26. Verify that the setting is enabled. In the Intel AMT 2.0+ dropdown, select the profile created previously. Configure the other settings for the environment.
Page 91
The computers for which the keys were applied begin to appear in the system list. At first the status is Unprovisioned, then the system status changes to In provisioning, and finally it changes to Provisioned at the end of the process.
Back to Contents Page System Deployment Once you are ready to deploy a computer to a user, plug the computer into a power source and connect it to the network. ® Use the integrated Intel 82566DM NIC. Intel Active Management Technology (Intel AMT) does not work with any other NIC solution.
HECI Driver The Intel AMT Host Embedded Controller Interface (HECI) driver is available on support.dell.com and on the ResourceCD under Chipset Drivers. The driver is labeled Intel AMT HECI. Once the driver is obtained, execute the file; it unzips and prompts the user to continue the installation process.
Back to Contents Page Intel AMT WebGUI ® The Intel AMT WebGUI is a Web browser-based interface for limited remote computer management. The WebGUI is often used as a test to determine if Intel AMT setup and configuration was performed properly on a computer. A successful remote connection between a remote computer and the host computer running the WebGUI indicates proper Intel AMT setup and configuration on the remote computer.
Page 99
Back to Contents Page AMT Redirection Overview ® Intel AMT makes it possible to redirect serial and IDE communications from a managed client to a management console regardless of the boot and power state of the managed client. The client need only have the Intel AMT capability, a connection to a power source, and a network connection.
Page 100
Back to Contents Page ® Intel Management and Security Status Application ® ® Intel Management and Security Status (IMSS) is an application that displays information about a platform‘s Intel Active ® Management Technology (Intel AMT) and Intel Standard Manageability services. The Intel Management and Security Status icon indicates whether Intel AMT and Intel Standard Manageability are running on the platform.
BIOS. The firmware CANNOT be flashed to an older version or to the current version installed. The firmware flash, when available, is located on the support.dell.com site for download. Serial-Over-LAN (SOL) / IDE Redirection (IDE-R) If you cannot use IDE-R and SOL, follow these steps: 1.