User Guide

AMT Configuration Menu

After you completely configure the Intel® Management Engine (ME) feature, you must reboot before configuring the Intel AMT for a clean system boot. The image below shows the Intel AMT configuration menu after a user selects the Intel AMT Configuration option from the Management Engine BIOS Extension (MEBx) main menu. This feature allows you to configure an Intel AMT capable computer to support the Intel AMT management features.

You need to have a basic understanding of networking and computer technology terms, such as TCP/IP, DHCP, VLAN, IDE, DNS, subnet mask, default gateway, and domain name. Explaining these terms is beyond the scope of this document.
Image of the Intel AMT Configuration menu.

The Intel AMT Configuration page contains the user-configurable options listed below.

For images of these menu options, refer to the "Enterprise Mode Setup" and "SMB Mode Setup" pages of this document.

Menu Options

Host Name

A host name can be assigned to the Intel AMT capable computer. If Intel AMT is set to DHCP, the host name MUST be identical to the operating system machine name.

TCP/IP

Allows you to change the following TCP/IP configuration of Intel AMT.

  • Network interface – ENABLE** / DISABLED
    If the network interface is disabled, all the TCP/IP settings are no longer needed.
  • DHCP Mode – ENABLE** / DISABLED
    If DHCP Mode is enabled, TCP/IP settings are configured by a DHCP server.

If DHCP mode is disabled, the following static TCP/IP settings are required for Intel AMT. If a computer is in static mode it needs a separate MAC address for the Intel Management Engine. This extra MAC address is often called the Manageability MAC (MNGMAC) address. Without a separate Manageability MAC address, the computer can NOT be set to static mode.

  • IP address – Internet address of the Intel Management Engine.
  • Subnet mask – The subnet mask used to determine which subnet the IP address belongs to.
  • Default Gateway address – The default gateway of the Intel Management Engine.
  • Preferred DNS address – Preferred domain name server address.
  • Alternate DNS address – Alternate domain name server address.
  • Domain name – Domain name of the Intel Management Engine.

Provision Model

The following provisioning models are available:

  • Provisioning Mode – Enterprise** / Small Business
    This allows you to select between small business and enterprise mode. Enterprise mode may have different security settings than small business mode. Because of the different security settings, each of these modes requires a different process to complete the setup and configuration process.

Setup and Configuration

The menu contains the parameters for the setup and configuration server. This menu also contains the security settings for PSK and PKI configurations.

Image of the Setup and Configuration menu.
  • Current Provisioning Mode – Displays the current provisioning TLS Mode: None, PKI, or PSK. This configuration is only shown in Enterprise Provision Model.
  • Provisioning Record – Displays the provision PSK/PKI record data of the computer. If the data has not been entered, the MEBX displays a message that states "Provision Record not present". If the data is entered, the Provision Record displays the following:
    • TLS provisioning mode – Displays the current configuration mode of the computer: None, PSK or PKI.
    • Provisioning IP – The IP of the setup and configuration server.
    • Date of Provision – Displays the date and time of the provisioning in the format MM/DD/YYYY at HH:MM.
    • DNS – Displays if Secure DNS is being used or not. 0 indicates DNS is not in use, 1 indicates secure DNS is being used (PKI only).
    • Host Initiated – Displays if the setup and configuration process was initiated by the host: 'No' indicates the setup and configuration process was not host initiated; 'Yes' indicates the setup and configuration process was host initiated (PKI only).
    • Hash Data – Displays the 40 character certificate hash data (PKI only).
    • Hash Algorithm – Describes the hash type. Currently only SHA1 is supported (PKI only).
    • IsDefault – Displays 'Yes' if the Hash algorithm is the default algorithm selected. Displays 'No' if the hash algorithm is not the default algorithm used (PKI only).
    • FQDN – FQDN of the provisioning server mentioned in certificate (PKI only).
    • Serial Number – The 32 characters that indicate the Certificate Authority serial numbers.
    • Time Validity Pass – Indicates whether the certificate passed the time validity check.
  • Provisioning Server – The IP address and port number (0 – 65535) for an Intel AMT provisioning server. This configuration is only shown for the enterprise provision model. The default port number is 9971.
  • TLS PSK – Contains the TLS PSK configuration settings.
    • Set PID and PPS – Sets the provisioning identifier (PID) and provisioning passphrase (PPS). Enter the PID and PPS in the dash format. (Ex. PID: 1234-ABCD ; PPS: 1234-ABCD-1234-ABCD-1234-ABCD-1234-ABCD) NOTE: A PPS value of '0000-0000-0000-0000-0000-0000-0000-0000' does not change the setup configuration state. If this value is used, the setup and configuration state stays as 'Not-started'.
    • Delete PID and PPS – Deletes the current PID and PPS stored in ME. If there is no PID and PPS entered, the MEBX returns an error message. Using this option does NOT set the setup and configuration process parameter to "Not Started." This option sets the setup and configuration process parameter to "In Process."
  • TLS PKI – Contains the TLS PKI configuration settings.
    • Remote Configuration Enable/Disable – Disables or enables remote configuration. If this option is not enabled, remote configuration cannot occur.
    • Manage Certificate Hashes – Displays the list of hashes that are currently stored and the current status. To change the active status of the certificate press the <+> key. To delete the hash press the <del> key. To add another key press the <ins> key.
    • Set FQDN – Sets the fully qualified domain name for the computer.
    • Set PKI DNS suffix – Sets the PKI DNS suffix.

TLS PSK

The submenu contains the TLS PSK configuration settings. Setting or deleting the PID/PPS causes a partial un-provision if the setup and configuration is "In-process".

  • Set PID and PPS – Sets the PID and PPS. Enter the PID and PPS in the dash format. (Ex. PID: 1234-ABCD ; PPS: 1234-ABCD-1234-ABCD-1234-ABCD-1234-ABCD) A PPS value of '0000-0000-0000-0000-0000-0000-0000-0000' does not change the setup configuration state. If this value is used the setup and configuration state stays as "Not-started."
  • Delete PID and PPS – Deletes the current PID and PPS stored in ME. If there is no PID and PPS entered, the MEBX returns an error message.
Image of the TLS PSK menu.
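
A pre-entry check for a sheet of PID/PPS pairs, as an added example that is not part of the original guide or of Dell's or Intel's tooling. It assumes each four-character group holds digits and upper-case letters (inferred from the example values above) and that every machine is meant to receive its own PID; the host names and pairs in SAMPLE_SHEET are constructed.

```python
import re

# Assumption: each group is four digits or upper-case letters, as in the
# guide's example values (1234-ABCD).
GROUP = r"[0-9A-Z]{4}"
PID_RE = re.compile(rf"{GROUP}-{GROUP}")
PPS_RE = re.compile(rf"{GROUP}(?:-{GROUP}){{7}}")
NULL_PPS = "-".join(["0000"] * 8)   # the all-zero PPS called out in the guide

def check_pair(pid, pps):
    """Return a list of problems for one PID/PPS pair (empty list = acceptable)."""
    problems = []
    if not PID_RE.fullmatch(pid):
        problems.append("PID is not in XXXX-XXXX dash format")
    if not PPS_RE.fullmatch(pps):
        problems.append("PPS is not eight dash-separated groups of four")
    elif pps == NULL_PPS:
        problems.append("all-zero PPS: state would stay Not-started")
    return problems

def audit_sheet(rows):
    """rows: iterable of (host, pid, pps). Returns {host: [problems]}.

    The PPS itself is never copied into the findings, so the report can be
    shared without exposing the passphrase.
    """
    findings, first_owner = {}, {}
    for host, pid, pps in rows:
        problems = check_pair(pid, pps)
        if pid in first_owner:   # assumption: one PID per machine
            problems.append(f"PID also listed for {first_owner[pid]}")
        else:
            first_owner[pid] = host
        if problems:
            findings[host] = problems
    return findings

# Constructed sample sheet, for illustration only.
SAMPLE_SHEET = [
    ("pc-01", "1234-ABCD", "1234-ABCD-1234-ABCD-1234-ABCD-1234-ABCD"),
    ("pc-02", "1234-ABCD", "AAAA-BBBB-CCCC-DDDD-EEEE-FFFF-0000-1111"),
    ("pc-03", "5678EFGH", NULL_PPS),
]

if __name__ == "__main__":
    for host, problems in audit_sheet(SAMPLE_SHEET).items():
        print(host, "->", "; ".join(problems))
```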

TLS PKI – Remote Configuration Settings

The remote configuration options are contained under the TLS PKI sub menu. There are four remote configuration items:

  • Remote Configuration Enable/Disable
  • Manage Certificate Hashes
  • Set FQDN
  • Set PKI DNS Suffix
Image of the TLS PKI menu.
Remote Configuration Enable/Disable

The selectable options are Enable and Disable. If Remote Configuration is disabled, the menu options underneath are still displayed, but are not used until Remote Configuration is enabled.

This option cannot be modified once the setup and configuration process is in process. This parameter can only be modified while the computer is in the factory default or un-provisioned state.

Enabling/disabling remote configuration causes a partial un-provision if the setup and configuration is In-process.

Manage Certificate Hashes

Select the Manage Certificate Hashes option under the Remote Configuration menu to display the Manage Certificate Hashes menu. Four default hashes are available from the factory. Hashes can be deleted or added per customer needs.

Image of the Manage Certificate Hashes option.

The Manage Certificate Hash screen has several keyboard controls available to you to manage the hashes on the computer. The following keys are valid when in the Manage Certificate Hash menu:

  • Escape key – Exits from the menu
  • Insert key – Adds a customized certificate hash to the computer
  • Delete key – Deletes the currently selected certificate hash from the computer
  • <+> key – Changes the active state of the currently selected certificate hash
  • Enter key – Displays the details of the currently selected certificate hash
Adding a Customized Hash
  1. Press <Insert> in the Manage Certificate Hash screen. A text field is displayed requesting the hash name.
  2. You must enter the hash name. The hash name must be a maximum of 32 characters. Upon pressing <Enter> you are prompted to enter the certificate hash value.
  3. The certificate hash value is a 20 byte hexadecimal number. You must enter the hash data in the correct format or the message Invalid Hash Certificate Entered - Try Again is displayed. Upon pressing <Enter> you are asked about setting the active state of the hash.
  4. This query allows for setting the active state of the customized hash.
    • Yes – The customized hash is marked as active.
    • No (Default) – VA_Hash is maintained within EPS.
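
One way to prepare the 20 byte value for step 3 and to check a hash read back from the detail screen, as an added example that is not part of the original guide or of Dell's or Intel's tooling. It assumes the certificate hash is the SHA-1 digest of the certificate's DER encoding; SAMPLE_DER is a constructed stand-in byte string, not a real certificate, and "Example Root CA" is a hypothetical hash name.

```python
import base64
import hashlib
import re

HASH_HEX_LEN = 40   # page: the hash value is a 20 byte hexadecimal number
MAX_NAME_LEN = 32   # page: the hash name must be a maximum of 32 characters

def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in PEM text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def sha1_thumbprint(der):
    """SHA-1 over the DER encoding (assumption: the value MEBx expects)."""
    return hashlib.sha1(der).hexdigest().upper()

def normalize_hash_entry(text):
    """Strip separators from a hand-copied hash and require 40 hex digits."""
    digits = re.sub(r"[\s:\-]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{%d}" % HASH_HEX_LEN, digits):
        raise ValueError("hash must be exactly 20 bytes (40 hex characters)")
    return digits

def prepare_entry(name, pem_text):
    """Return the (hash name, hash value) pair to type in after <Insert>."""
    if not 1 <= len(name) <= MAX_NAME_LEN:
        raise ValueError("hash name must be 1 to 32 characters")
    return name, sha1_thumbprint(pem_to_der(pem_text))

def matches_certificate(displayed, pem_text):
    """True if a hash read off the MEBx detail screen matches the certificate."""
    return normalize_hash_entry(displayed) == sha1_thumbprint(pem_to_der(pem_text))

# Constructed stand-in bytes, NOT a real certificate; use your root CA's PEM file.
SAMPLE_DER = bytes(range(48))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    name, value = prepare_entry("Example Root CA", SAMPLE_PEM)
    print(name, value)
```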
Deleting a Hash
  1. Press <Delete> in the Manage Certificate Hash screen to display the
    Delete this certificate hash? (Y/N)
    prompt.
  2. This option allows deleting of the selected certificate hash.
    • Yes – MEBx shall send the message to FW to delete the selected hash.
    • No – MEBx shall not delete the selected hash and returns to the Remote Configuration.
Changing the Active State

Press the <+> key in the Manage Certificate Hash screen to display the

Change the active state of this hash? (Y/N)
prompt. Answering yes to this question toggles the active state of the currently selected certificate hash. Setting a hash as active indicates that the hash is available for use during PSK provisioning.
Viewing a Certificate Hash

Press <Enter> in the Manage Certificate Hash screen. The details of the selected certificate hash are displayed, including the hash name, the certificate hash data, and the active and default states.

Set FQDN

When the Set FQDN option is selected under the Remote Configuration menu, you are prompted to enter the Fully Qualified Domain Name (FQDN) of the Provisioning Server.

Image of the Set FQDN option.
Set PKI DNS Suffix

When the Set PKI DNS Suffix option is selected under the Remote Configuration menu, you are prompted to enter the PKI DNS Suffix of the Provisioning Server. The Key Value is maintained in EPS.

Image of the Set PKI DNS Suffix option.

Un-provision

The Un-Provision option allows you to reset the Intel AMT configuration to factory defaults. There are two types of un-provision:

  • Full Un-provision – This option resets all of the Intel AMT settings to their default values. If a PID/PPS value is present, both values are lost. The MEBx password remains untouched.
  • CMOS clear – This un-provision option is not available in the MEBx. This option clears all values to their default values. If a PID/PPS is present, both values are lost. The MEBx password resets to the default value (admin). To invoke this option, you need to clear the CMOS (i.e. system board jumper).
Image of the Un-Provision option.

SOL/IDE-R

  • Username and Password – DISABLED** / ENABLED
    This option provides the user authentication for SOL/IDER session. If the Kerberos protocol is used, set this option to Disabled and set the user authentication through Kerberos. If Kerberos is not used, you have the choice to enable or disable user authentication on the SOL/IDER session.
  • Serial-Over-LAN (SOL) – DISABLED** / ENABLED
    SOL allows the Intel AMT managed client console input/output to be redirected to the management server console.
  • IDE Redirection (IDE-R) – DISABLED** / ENABLED
    IDE-R allows the Intel AMT managed client to be booted from remote disk images at the management console.
Image of the SOL/IDE-R option.

Password Policy

There are two passwords present for the firmware. The MEBX password is the password that is entered when a user is physically at the system. The network password is the password that is entered when accessing an ME enabled system through the network. This option determines when the network password and the MEBX password will be synched. The MEBX password can still be modified by users directly in front of the system. However, depending on the option selected below, the network password and the MEBX password may be different. The settings are:

  • Default Password Only – MEBX password and the network password will only be synched when the password is changed from the default password. After the MEBX password is changed from the default value, the network password and the MEBX password may be different.
  • During Setup and Configuration – MEBX password and the network password will be synched during the setup and configuration state. After the setup and configuration process is complete, the passwords may be different.
  • Anytime – MEBX password and network password will be synched when either the MEBX password or the network password is changed.
Image of the Password Policy option.

Secure Firmware Update

This option allows you to enable/disable secure firmware updates. Secure firmware update requires an administrator user name and password. If the administrator user name and password are not supplied, the firmware cannot be updated.

When the secure firmware update feature is enabled, you are able to update the firmware using the secure method. Secure firmware updates pass through the LMS driver. If secure and local firmware update is disabled, the user must enable secure firmware update or local firmware update to allow the firmware updates.

Image of the Secure FW Update option.

Set PRTC

Enter PRTC in GMT (UTC) format (YYYY:MM:DD:HH:MM:SS). Valid date range is 1/1/2004 – 1/4/2021. The PRTC value that you set is used for virtually maintaining PRTC during the power off (G3) state. This configuration is only displayed for the Enterprise Provision Model.

Image of the Set PRTC option.

Idle Timeout

Use this setting to define the ME WOL idle timeout. When this timer expires, the ME enters a low-power state. This timeout only takes effect when one of the ME WOL power policies is selected. Enter the value in minutes.

Image of the Idle Timeout option.

Intel AMT in DHCP Mode Settings Example

The table below shows a basic field settings example for the Intel AMT Configuration menu page to configure the computer in DHCP mode.

Intel AMT Configurations Example in DHCP Mode

Intel AMT Configuration Parameters – Values
  • Intel AMT Configuration – Select and press <Enter>.
  • Host Name – Example: IntelAMT
    This is the same as the operating system machine name.
  • TCP/IP – Set the parameters as follows:
    • Enable Network interface
    • Enable DHCP Mode
    • Set a domain name (e.g., amt.intel.com)
  • Provision Model
    • Intel AMT 4.0 Mode
    • Small Business
  • SOL/IDE-R
    • Enable SOL
    • Enable IDE-R
  • Remote FW Update – Enabled

Save and exit MEBx and then boot the computer to the Windows® operating system.

Intel AMT in Static Mode Settings Example

The table below shows a basic field settings example for the Intel AMT Configuration menu page to configure the computer in static mode. The computer requires two MAC addresses (GBE MAC address and Manageability MAC Address) to operate in static mode. If there is no Manageability MAC address, Intel AMT cannot be set in static mode.

Intel AMT Configurations Example in Static Mode

Intel AMT Configuration Parameters – Values
  • Intel AMT Configuration – Select and press <Enter>.
  • Host Name – Example: IntelAMT
  • TCP/IP – Set the parameters as follows:
    • Enable Network interface
    • Disable DHCP Mode
    • Set an IP address (e.g., 192.168.0.15)
    • Set a subnet mask (e.g., 255.255.255.0)
    • The default gateway address is optional
    • The preferred DNS address is optional
    • The Alternate DNS address is optional
    • Set the domain name (e.g., amt.intel.com)
  • Provision Model
    • Intel AMT 4.0 Mode
    • Small Business
  • SOL/IDE-R
    • Enable SOL
    • Enable IDE-R
  • Remote FW Update – Enabled

Save and exit MEBx and then boot the computer to the Windows operating system.

* Information on this page provided by Intel.
