Dell™ Systems Management Administrator's Guide
Intel MEBx Overview
Configuring the Intel Management Engine (ME)
Configuring Your Computer to Support Intel AMT Features
MEBx Default Settings
MEBx Overview
The Intel® Management Engine BIOS Extension (MEBx) provides platform-level configuration options for you to configure the behavior of Management Engine (ME) platform. Options include enabling and disabling individual features and setting power configurations.
This section provides details about MEBx configuration options and constraints, if any.
All the ME Configuration setting changes are not cached in MEBx. They are note committed to ME nonvolatile memory (NVM) until you exit MEBx. Hence, if MEBx crashes, the changes made until that point are NOT going to be committed to ME NVM.
NOTE: Briscoe AMT is shipped in enterprise mode as default.
Accessing MEBx Configuration User Interface
The MEBx configuration user interface can be accessed on a computer through the following steps:
Turn on (or restart) your computer.
When the blue DELL™ logo appears, press
immediately.
If you wait too long and the operating system logo appears, continue to wait until you see the Microsoft® Windows® operating system desktop. Then shut down your computer and try again.
Type the ME password. Press
The MEBx screen appears as shown below.
The main menu presents three function selections:
Intel ME Configuration
Intel AMT Configuration
Change Intel ME Password
The Intel ME Configuration and Intel AMT Configuration menus are discussed in the following sections. First, you must change the password before you can proceed through these menus.
Changing the Intel ME Password
The default password is admin and is the same on all newly deployed platforms. You must change the default password before changing any feature configuration options.
The new password must include the following elements:
Eight characters
One uppercase letter
One lowercase letter
A number
A special (nonalphanumeric) character, such as !, $, or ; excluding the :, ", and , characters.)
The underscore ( _ ) and spacebar are valid password characters but do NOT add to the password complexity.
Configuring the Intel® Management Engine (ME)
To reach the Intel® Management Engine (ME) Platform Configuration page, follow these steps:
Under the Management Engine BIOS Extension (MEBx) main menu, select ME Configuration. Press
The following message appears:
System resets after configuration changes. Continue: (Y/N)
Press
The ME Platform Configuration page opens. This page allows you to configure the specific functions of the ME such as features, power options, and so on. Below are quick links to the various sections.
Intel ME State Control
Intel ME Firmware Local Update
Intel ME Features Control
Manageability Feature Selection
LAN Controller
Intel ME Power Control
Intel ME ON in Host Sleep States
Intel ME State Control
When the ME State Control option is selected on the ME Platform Configuration menu, the ME State Control menu appears. You can disable ME to isolate the ME computer from main platform until the end of the debugging process.
When enabled, the ME State Control option lets you disable ME to isolate the ME computer from the main platform while debugging a field malfunction. The table below illustrates the details of the options.
ME Platform State Control
Option Description
Enabled Enable the Management Engine on the platform
Disabled Disable the Management Engine on the platform
In fact, the ME is not really disabled with the Disabled option. Instead, it is paused at the very early stage of its booting so the computer has no traffic originating from the ME on any of its busses, ensuring that an you can debug a computer problem without worrying about any role the ME might have played in it.
Intel ME Firmware Local Update
This option on the ME Platform Configuration menu sets the policy for allowing the MEBx to be updated locally. The default setting is Always Open. The other settings available are Never Open and Restricted.
To assist with the manufacturing process as well as OEM-specific in-field firmware update processes, ME firmware provides an OEM- configurable capability that leaves the local firmware update channel always open no matter what value you select for the ME Firmware Local Update option.
The Always Open option allows OEMs to use the ME firmware local update channel to update the ME firmware without going through MEBx every time. If you select Always Open, the ME FW Local Update option does not appear under the ME configuration menu. The table below illustrates the detail of the options.
ME Firmware Local Update Option
Option Description
Always Open The ME firmware local update channel is always enabled. A boot cycle does not change enabled to disabled. The ME FW Local Update option can be ignored.
Never The ME firmware local update channel is controlled by the ME FW Local Update option, which can be enabled or disabled. A boot cycle changes enabled to disabled.
Restricted The ME firmware local update channel is always enabled only if Intel AMT is in un-provision state. A boot cycle does not change enabled to disabled.
Always Open qualifies the override counter and allows local ME firmware updates. The override counter is a value set in the factory that, by default, allows local ME firmware updates. The Never Open and Restricted options disqualify the override counter and do not allow local ME firmware updates unless explicitly permitted with the Intel ME Firmware Local Update option. Selecting Never Open or Restricted adds the Intel ME Firmware Local Update option, which can be set to Enable or Disable. By default it is disabled.
LAN Controller
Many OEMs' platforms supply a BIOS setup option to enable or disable the integrated LAN controller. In an ME operating system with AMT or ASF (Alert Standard Format) capabilities, the LAN controller is shared between the ME and host and must be enabled for AMT to work correctly. Disabling the controller may unintentionally affect the ME subsystem functionality. Therefore, you should not disable the LAN controller as long as the ME uses it to provide AMT or ASF. However, if the platform's integrated LAN controller BIOS option is set to None, then the LAN Controller option on the ME Platform Configuration menu has Enabled and Disabled options.
When you select the LAN Controller option on the ME Platform Configuration menu when the ME feature (Intel AMT or Intel QST) is selected, the following message displays: Please set Manageability Feature to None before changing this option. For the ME platform client, the default LAN Controller setting is Enabled.
Intel ME Features Control
The ME Features Control menu contains the following configuration selection.
Manageability Feature Selection
When you select the Manageability Feature Selection option on the ME Features Control menu, the ME Manageability Feature menu appears.
You can use this option to determine which manageability feature is enabled.
ASF — Alert Standard Format. ASF is a standardized corporate assets management technology. The Intel ICH9 platform supports ASF specification 2.0.
Intel AMT — Intel Active Management Technology. Intel AMT is an improved corporate assets management technology. Intel ICH9 platform supports Intel AMT 2.6.
The table below explains these options.
Management Feature Select Option
Option Description
None Manageability Feature is not selected
Intel AMT Intel AMT manageability feature is selected
ASF ASF manageability feature is selected
When you change the option from Intel AMT to None, a warning that Intel AMT un-provisions automatically if you accept the change appears.
The None option has no manageability feature provided by the ME computer. In this case, the firmware is loaded (that is, ME is still enabled) but the management applications remain disabled.
Intel ME Power Control
The ME Power Control menu configures the ME platform power-related options. It contains the following configuration selection.
ME On in Host Sleep States
When the ME ON in Host Sleep States option is selected on the ME Power Control menu, the ME in Host Sleep States menu loads.
The power package selected determines when the ME is turned ON. The default power package turns off the ME in all Sx (S3/S4/S5) states.
The end user administrator can choose which power package is used depending on computer usage. The power package selection page can be seen above.
Supported Power Packages
Power Package
1 2 3 4 5 6 7
S0 (Computer On) ON ON ON ON ON ON ON
S3 (Suspend to RAM) OFF ON ON ME
WoL ME
WoL ON ON
S4/S5 (Suspend to disk/Soft off) OFF OFF ON ON ME
WoL ON ME
WoL
ME OFF After Power Loss No No No No No Yes Yes
* WoL – Wake on LAN
If the power package selected indicates OFF After Power Loss, Intel ME remains off after returning from a mechanical off (G3) state. If the power package selected does NOT indicate OFF After Power Loss Intel ME powers the computer on (S0) briefly, then turn the computer off (S5).
Configuring Your Computer to Support Intel AMT Management Features
After you completely configure the Intel® Management Engine (ME) feature, you must reboot before configuring the Intel AMT for a clean boot. The image below shows the Intel AMT configuration menu after a user selects the Intel AMT Configuration option from the Management Engine BIOS Extension (MEBx) main menu. This feature allows you to configure an Intel AMT capable computer to support the Intel AMT management features.
You need to have a basic understanding of networking and computer technology terms, such as TCP/IP, DHCP, VLAN, IDE, DNS, subnet mask, default gateway, and domain name. Explaining these terms is beyond the scope of this document.
The Intel AMT Configuration page contains the user-configurable options listed below.
For images of these menu options, see Enterprise Mode and SMB Mode.
Menu Options
Host Name
TCP/IP
Provisioning Server
Provision Model
Set PID and PPS
Un-Provision
SOL/IDE-R
Secure Firmware Update
Set PRTC
Idle Timeout
Host Name
A hostname can be assigned to the Intel AMT capable computer. This is the host name of the Intel AMT-enabled computer. If Intel AMT is set to DHCP, the host name MUST be identical to the operating system machine name.
TCP/IP
Allows you to change the following TCP/IP configuration of Intel AMT.
Network interface – ENABLE** / DISABLED
If the network interface is disabled, all the TCP/IP settings are no longer needed.
DHCP Mode – ENABLE** / DISABLED
If DHCP Mode is enabled, TCP/IP settings are configured by a DHCP server.
If DHCP mode is disabled, the following static TCP/IP settings are required for Intel AMT. If a computer is in static mode it needs a separate MAC address for the Intel Management Engine. This extra MAC address is often called the Manageability MAC (MNGMAC) address. Without a separate Manageability MAC address, the computer can NOT be set to static mode.
IP address – Internet address of the Intel Management Engine.
Subnet mask – The subnet mask used to determine what subnet IP address belongs to.
Default Gateway address – The default gateway of the Intel Management Engine.
Preferred DNS address – Preferred domain name server address.
Alternate DNS address – Alternate domain name server address.
Domain name – Domain name of the Intel Management Engine.
Provisioning Server
Sets the IP address and port number (0–65535) for an Intel AMT provisioning server. This configuration only appears for Enterprise Provision Model.
Provision Model
The following provisioning models are available:
Compatibility Mode – Intel AMT 2.6** / Intel AMT 1.0
Compatibility mode allows user to switch between Intel AMT 2.6 and Intel AMT 1.0.
Provisioning Mode – Enterprise** / Small Business
This allows you to select between small business and enterprise mode. Enterprise mode may have different security settings than small business mode. Because of the different security settings, each of these modes requires a different process to complete the setup and configuration process.
Set PID and PPS
Setting or deleting the PID/PPS causes a partial un-provision if the setup and configuration is "In-process".
Set PID and PPS – Sets the PID and PPS. Enter the PID and PPS in the dash format. (Ex. PID: 1234-ABCD ; PPS: 1234-ABCD-1234-ABCD-1234-ABCD-1234-ABCD) Note - A PPS value of '0000-0000-0000-0000-0000-0000-0000-0000' does not change the setup configuration state. If this value is used the setup and configuration state stays as "Not-started."
Un-Provision
The Un-Provision option allows you to reset the Intel AMT configuration to factory defaults. There are three types of un-provision:
Partial Un-provision – This option resets all of the Intel AMT settings to their default values but leaves the PID/PPS. The MEBx password remains untouched.
Full Un-provision – This option resets all of the Intel AMT settings to their default values. If a PID/PPS value is present, both values are lost. The MEBx password remains untouched.
CMOS clear – This un-provision option is not available in the MEBx. This option clears all values to their default values. If a PID/PPS is present, both values are lost. The MEBx password resets to the default value (admin). To invoke this option, you need to clear the CMOS (i.e. system board jumper).
SOL/IDE-R
Username and Password – DISABLED** / ENABLED
This option provides the user authentication for SOL/IDER session. If the Kerberos protocol is used, set this option to Disabled and set the user authentication through Kerberos. If Kerberos is not used, you have the choice to enable or disable user authentication on the SOL/IDER session.
Serial-Over-LAN (SOL) – DISABLED** / ENABLED
SOL allows the Intel AMT managed client console input/output to be redirected to the management server console.
IDE Redirection (IDE-R) – DISABLED** / ENABLED
IDE-R allows the Intel AMT managed client to be booted from remote disk images at the management console.
Secure Firmware Update
This option allows you to enable/disable secure firmware updates. Secure firmware update requires an administrator user name and password. If the administrator user name and password are not supplied, the firmware cannot be updated.
When the secure firmware update feature is enabled, you are able to update the firmware using the secure method. Secure firmware updates pass through the LMS driver.
Set PRTC
Enter PRTC in GMT (UTC) format (YYYY:MM:DD:HH:MM:SS). Valid date range is 1/1/2004 – 1/4/2021. Setting PRTC value is used for virtually maintaining PRTC during power off (G3) state. This configuration is only displayed for the Enterprise Provision Model.
Idle Timeout
Use this setting to define the ME WoL idle timeout. When this timer expires, the ME enters a low-power state. This timeout takes effect only when one of the ME WoL power policies is selected. Enter the value in minutes.
Intel AMT in DHCP Mode Settings Example
The table below shows a basic field settings example for the Intel AMT Configuration menu page to configure the computer in DHCP mode.
Intel AMT Configurations Example in DHCP Mode
Intel AMT Configuration Parameters Values
Intel AMT Configuration Select and press
Host Name Example: IntelAMT
This is the same as the operating system machine name.
TCP/IP Set the parameters as follows:
Enable Network interface
Enable DHCP Mode
Set a domain name (e.g., amt.intel.com)
Provision Model
Intel AMT 2.6 Mode
Small Business
SOL/IDE-R
Enable SOL
Enable IDE-R
Remote FW Update Enabled
Save and exit MEBx and then boot the computer to the Microsoft® Windows® operating system.
Intel AMT in Static Mode Settings Example
The table below shows a basic field settings example for the Intel AMT Configuration menu page to configure the computer in static mode. The computer requires two MAC addresses (GBE MAC address and Manageability MAC Address) to operate in static mode. If there is no Manageability MAC address, Intel AMT cannot be set in static mode.
Intel AMT Configurations Example in Static Mode
Intel AMT Configuration Parameters Values
Intel AMT Configuration Select and press
Host Name Example: IntelAMT
TCP/IP Set the parameters as follows:
Enable Network interface
Disable DHCP Mode
Set an IP address (e.g., 192.168.0.15)
Set a subnet mask (e.g., 255.255.255.0)
The default gateway address is optional
The preferred DNS address is optional
The Alternate DNS address is optional
Set the domain name (for example., amt.intel.com)
Provision Model
Intel AMT 2.6 Mode
Small Business
SOL/IDE-R
Enable SOL
Enable IDE-R
Remote FW Update Enabled
Save and exit MEBx and then boot computer to the Microsoft® Windows® operating system.
MEBx Default Settings
The table below lists all the default settings for the Intel® Management Engine BIOS Extension (MEBx).
Password admin
Intel ME Platform Configuration Default Settings
Intel ME Platform State Control1 Enabled *
Disabled
Intel ME Firmware Local Update Enabled
Disabled*
Intel ME Features Control
Manageability Feature Selection None
Intel AMT *
ASF
Intel ME Power Control
Intel ME ON in Host Sleep States Mobile: ON in S0*
Mobile: ON in S0, S3/AC
Mobile: ON in S0, S3/AC, S4-5/AC
Mobile: ON in S0;ME WoL in S3/AC
Mobile: ON in S0; ME WoL in S3/AC, S4-5/AC
Intel AMT Configuration Default Settings
Host Name
TCP/IP
Disable Network Interface? N
DHCP Enabled. Disable? N
Domain Name blank2
Provisioning Server
Provisioning Server Address 0.0.0.0
Port Number (0-65535) 0
Provision Model
AMT 2.6 Mode N
Set PID and PPS **
Set PID and PPS ** PPS Format: 1234-ABCD-1234-ABCD-1234-ABCD-1234-ABCD
Un-Provision3
SOL/IDE-R
Username & Password Disabled
Enabled *
Serial Over LAN Disabled
Enabled *
IDE Redirection Disabled
Enabled *
Secure Firmware Update Disabled
Enabled *
Set PRTC blank
Idle Timeout
Timeout Value (0x0-0xFFFF) 1
*Default setting
**May cause Intel AMT partial unprovision
1 Intel ME Platform State Control is only changed for Management Engine (ME) troubleshooting.
2 In Enterprise mode, DHCP automatically loads the domain name.
3 Un-provision setting only seen if the box is provisioned.
No comments:
Post a Comment