Compaq 8000 - Elite Convertible Minitower PC, 8000f - Elite Ultra-slim Desktop PC Configuration

vPro Setup and Configuration for the 8000 Elite Business PC with Intel vPro Processor Technology
Introduction, page 2
AMT Setup and Configuration, page 3
AMT System Phases, page 3
SMB Mode - AMT Setup and Configuration with MEBx, page 3
SMB Mode - AMT Setup and Configuration Steps, page 5
Connecting with the Intel AMT WebGUI - SMB Example, page 13
Setup and Configuration Server, page 15
Setup and Configuration Server Availability, page 15
Enterprise Mode Setup and Configuration, page 16
Enterprise Mode - AMT Setup and Configuration Steps, page 16
Provisioning Methods, page 24
Legacy, page 24
IT TLS-PSK, page 24
OEM TLS-PSK, page 24
USB Drive Key Set Up and Configuration, page 25
USB Drive Key Requirements, page 26
Remote Configuration, page 26
Remote Configuration: Bare-Metal vs. Delayed, page 27
Remote Configuration Time-outs in HP Systems, page 27
Remote Configuration Prerequisites, page 28
MEBx and Hashes, page 28
List of Supported CA Certificates, page 30
Return to Default, page 31
Full Return to Factory Defaults, page 32
Appendix A: Frequently Asked Questions, page 32
Appendix B: Power / Sleep / Global States Explained, page 34
Appendix C: Wake-On-ME Explained, page 35
Introduction
The HP Compaq 8000 Elite Business PC uses Intel vPro processor technology to simplify PC management and reduce IT-related expenditures. Intel vPro processor technology is a combination of Active Management Technology (AMT) and Intel Virtualization Technology (VT), which allows for improved management of PC systems and enhanced security.
Intel vPro processor technology no longer supports Virtual Appliances. This is a change from previous generations of HP Compaq dx7 Business PCs with Intel vPro processor technology.
AMT provides Out-of-Band (OOB) remote access to a system regardless of the system power state or operating system condition, as long as the system is connected to a power source and a network. AMT is a hardware- and firmware-resident platform solution relying upon the Management Engine (ME) within the Intel Q965, Q35, and Q45 Express chipsets.
The following is a brief history of AMT evolution:
• AMT 1.0 - Introduced with the Intel 945 chipset, but was not shipped with HP Business PCs.
• AMT 2.0 - Introduced with the Intel Q965 chipset and was shipped with HP Compaq dc7700p Business PCs.
• AMT 2.1 - Introduced in March 2007 and was shipped with HP Compaq dc7700p Business PCs.
• AMT 2.2 - Will be available as a Web download in the Fall of 2007 for HP Compaq dc7700p Business PCs.
• AMT 3.0 - Introduced with the Intel Q35 Express chipset and will be shipped with HP Compaq dc7800p systems.
• AMT 3.2 - Introduced with the HP Compaq dc7800p April 2008 Refresh.
• AMT 5.0 - Introduced with the Intel Q45 Express chipset and shipped with HP Compaq dc7900 systems.
• AMT 5.2 - Shipped on the HP Compaq 8000 Elite Business PCs.
AMT 5.0 is an important update that provides new features over the existing AMT 3.x feature set. This white paper has been updated to include the new features of AMT 5.0.
By default, AMT on the HP Compaq 8000 Elite Business PC ships inactive. It must be set up and configured before it can be used; this setup and configuration process is also known as provisioning. There are two methods of AMT setup and configuration:
• Small Business (SMB) mode
• Enterprise mode
This white paper details Small Business mode and Enterprise mode setup and configuration for the client PC, along with the usage of a Setup and Configuration Server (SCS) in Enterprise mode. Please consult with your Management Console ISV provider for details regarding installation procedures for a Setup and Configuration Server.
Basic knowledge of Intel AMT and networking is required.
Please refer to www.hp.com for other white papers and technical information regarding new HP Compaq 8000 Elite Business PCs and new Intel vPro processor technology.
AMT Setup and Configuration
AMT must be set up and configured in a system before it can be used. AMT setup involves the steps necessary to enable AMT, such as setting the system to AMT mode and enabling network connectivity. This setup is generally performed only once in the lifetime of a system. Once AMT is enabled, it can be discovered by management software over the network.
AMT configuration sets all other AMT options not covered in AMT setup, such as enabling the system for Serial-Over-LAN (SOL) or IDE-Redirect (IDE-R). Settings modified in the configuration phase can be changed many times over the course of a system's life span. Changes can be made to the system locally or through a management console.
AMT System Phases
An AMT system can be in one of three phases with regard to its current stage of AMT setup and configuration:
• Factory
• In-Setup
• Operational
The Factory phase is the initial stage, in which the system has been built at the factory and no AMT setup and configuration has been done. The only way to access AMT in the Factory phase is through the MEBx. For SMB mode systems, this phase ends after the default password is changed. Enterprise mode systems also require that you set the Provisioning ID (PID) and Provisioning Passphrase (PPS). More details about passwords, PIDs, and PPS are provided in later sections of this paper.
The In-Setup phase is the next stage and is where most AMT options are set. This can be a manual procedure or an automated one driven by a Setup and Configuration Server.
The Operational phase is the final stage, in which AMT is fully set up and configured and the system is ready for normal use.
SMB Mode - AMT Setup and Configuration with MEBx
SMB mode is for customers who do not have Independent Software Vendor (ISV) management consoles, or the network and security infrastructure needed to use Transport Layer Security (TLS). SMB mode AMT setup and configuration is a manual process done through the Intel ME BIOS Extension (MEBx).
SMB mode is the easiest to implement since it requires little infrastructure, but it is the least secure: none of the AMT network traffic is encrypted, so management sessions, including Serial Over LAN and IDE Redirection, can be read by anyone positioned to observe the traffic. HP recommends using this mode only in a closed network.
NOTE: The MEBx is an option ROM module that is provided to HP by Intel to be included in the HP system BIOS. The MEBx is not HP-specific and contains options that are not used by HP. If an option is not used by HP, ignore it and do not modify it from its default state.
Password Guidelines
MEBx passwords must meet minimum criteria. These restrictions are enforced by the MEBx to reduce the vulnerability of passwords to a dictionary attack.
Passwords must:
• Be between 8 and 32 characters long.
• Contain both upper and lower case Latin characters (e.g. A, a, B, b).
• Have at least one digit character (e.g. 0, 1, 2, ... 9).
• Have at least one 7-bit ASCII non-alphanumeric character with an ASCII value between 33d and 126d that is not part of the invalid character list below.
Examples of valid characters include:
• Exclamation !
• At @
• Number #
• Dollar $
• Percent %
• Caret ^
• Asterisk *
The underscore '_' is considered alpha-numeric and therefore does not satisfy the non-alphanumeric requirement.
The following characters are not allowed:
• Quotation mark "
• Apostrophe '
• Comma ,
• Greater than >
• Less than <
• Colon :
• Ampersand &
• Space
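The following checker and generator are added here as an example; they are not part of the HP white paper or of the MEBx firmware, and the MEBx itself remains the authority on what it accepts. They encode the rules above so a password can be verified, or a compliant one produced, before it is typed into the MEBx. One assumption is made: every character must be printable 7-bit ASCII (decimal 33-126), whereas the rules above state that range only for the required special character.

```python
"""Check (and generate) passwords against the MEBx strong-password rules above.

Added example for this page; it is not HP's or Intel's code and the MEBx
itself remains the authority on what it accepts. Assumption: every character
must be printable 7-bit ASCII (decimal 33-126); the rules above state that
range only for the required special character.
"""
import secrets
import string

MIN_LEN, MAX_LEN = 8, 32

# Characters the rules list as not allowed anywhere in the password.
FORBIDDEN = frozenset('"\',><:& ')


def _printable_ascii(ch: str) -> bool:
    return 33 <= ord(ch) <= 126


def _is_special(ch: str) -> bool:
    """True for a character that satisfies the non-alphanumeric rule.

    Underscore counts as alphanumeric for the MEBx, so it does not qualify.
    """
    return (_printable_ascii(ch) and not ch.isalnum()
            and ch != "_" and ch not in FORBIDDEN)


# Every special character the rules permit (! @ # $ % ^ * and the rest of 33-126).
SPECIALS = "".join(ch for ch in map(chr, range(33, 127)) if _is_special(ch))


def check_mebx_password(pw: str) -> list[str]:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters, got {len(pw)}")
    bad = sorted(set(pw) & FORBIDDEN)
    if bad:
        problems.append("contains forbidden character(s): " + " ".join(repr(c) for c in bad))
    outside = sorted(c for c in set(pw) if not _printable_ascii(c) and c not in FORBIDDEN)
    if outside:
        problems.append("contains non-printable or non-ASCII character(s): "
                        + " ".join(repr(c) for c in outside))
    if not any(c in string.ascii_uppercase for c in pw):
        problems.append("needs at least one upper-case Latin letter")
    if not any(c in string.ascii_lowercase for c in pw):
        problems.append("needs at least one lower-case Latin letter")
    if not any(c in string.digits for c in pw):
        problems.append("needs at least one digit")
    if not any(_is_special(c) for c in pw):
        problems.append("needs at least one permitted non-alphanumeric character "
                        "(underscore does not count)")
    return problems


def is_valid_mebx_password(pw: str) -> bool:
    return not check_mebx_password(pw)


def generate_mebx_password(length: int = 16) -> str:
    """Generate a random password that satisfies every rule above.

    One character from each required class is placed first, the remainder is
    drawn from the full permitted alphabet, and the result is shuffled with a
    CSPRNG so the class positions are not predictable.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}-{MAX_LEN}")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    chars = [secrets.choice(string.ascii_uppercase),
             secrets.choice(string.ascii_lowercase),
             secrets.choice(string.digits),
             secrets.choice(SPECIALS)]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    pw = "".join(chars)
    assert is_valid_mebx_password(pw), pw   # the construction guarantees this
    return pw


if __name__ == "__main__":
    for candidate in ("admin", "Adm1n_pass", "Adm1n,pass", "Adm1n!pass"):
        print(f"{candidate!r}: {check_mebx_password(candidate) or 'OK'}")
    print("generated:", generate_mebx_password())
```

The checker reports every violated rule rather than stopping at the first, which is what you want when a help desk is told why a proposed password was refused; the generator never emits the underscore because, although the MEBx accepts it, it cannot satisfy the special-character rule.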
BIOS Prerequisite
This white paper is for use with HP Compaq 8000 Elite Business PCs. The HP Compaq 8000 Elite Business PC uses the 786G7 BIOS family.
For best performance and to take advantage of AMT 5.2 features, use the latest version of BIOS and ME firmware for HP Compaq 8000 Elite Business PC, which is available at www.hp.com.
The system BIOS and the ME firmware must be updated individually. Refer to the BIOS Flash white paper at www.hp.com for more information about flashing the system BIOS and ME firmware.
SMB Mode - AMT Setup and Configuration Steps
When going through the options in the MEBx for the first time (Factory phase), the default settings are in place. This white paper details HP-recommended settings for options, some of which may be the same as the default selection. Even though the default setting is set and used for certain options, it is good practice to double-check important options.
1. Press Ctrl+P during POST to enter Manageability Engine BIOS Extension (MEBx) Setup. The Ctrl+P prompt is displayed during POST only if it is enabled in F10 Setup.
Figure 1 Intel MEBx Password Screen
2. Type the default password, which is admin. Passwords are case-sensitive.
NOTE: You must change the default password before making changes to the MEBx options.
3. Change the MEBx password. The new password must meet the Strong Password criteria defined in the Password Guidelines section. Type the password twice for verification.
Changing the password establishes AMT ownership and moves the system from the Factory phase to the In-Setup phase. The ME and AMT options within the MEBx become accessible, and the system can be reached through the AMT WebGUI.
4. Select Intel ME Platform Configuration. A window displays indicating that the system resets after configuration.
5. Select Y. ME platform configuration allows IT personnel to configure ME features such as AMT/ASF selection, power options, firmware update capabilities, and so on.
Figure 2 Intel ME Platform Configuration screen
6. Select Intel ME State Control, and then select Enabled.
Default Setting = Enabled, Recommended Setting = Enabled
This option enables or disables the ME and is intended for diagnostic purposes. If set to Disabled, the ME is still initialized during POST but is halted soon afterward so that it does not generate any network traffic. If a problem is suspected to involve the ME, disabling it this way removes the ME from the suspect list until the root cause is found.
Note that if the ME is disabled, all AMT and ASF functions are also disabled, and the system will not be remotely manageable.
7. Select Intel ME Firmware Local Update Qualifier.
Default Setting = Always Open, Recommended Setting = Always Open
This option allows the BIOS to override the Intel ME Firmware Local Update option and permit local ME firmware updates.
Always Open is the default and allows as many local updates as the system BIOS allows, which is unlimited.
Choosing Never Open or Restricted adds the Intel ME Firmware Local Update option, which can be set to Enable or Disable; by default it is Disabled. This option, together with the Qualifier, dictates whether local ME firmware updates are allowed. "Never Open" ignores what is set in the system BIOS and follows the Intel ME Firmware Local Update option. "Restricted" ignores what is set in the system BIOS and allows local ME firmware updates only until the ME is configured.

Qualifier                              Never Open                               Restricted
ME Firmware Local Update = Enabled     Local ME firmware updates allowed.       Local ME firmware updates allowed.
ME Firmware Local Update = Disabled    Local ME firmware updates NOT allowed.   Local ME firmware updates allowed only until the ME is configured.

Note that Always Open leaves the local update path open from the host for the life of the system. If local ME firmware updates are to be closed off once the system has been provisioned, Restricted with the Local Update option left Disabled is the combination that does that, and Never Open with Local Update Disabled blocks them entirely.
8. Select Intel ME Features Control.
a. Select Manageability Feature Selection.
Default Setting = Intel AMT, Recommended Setting = Intel AMT
This option sets the platform management mode: None, Intel AMT, or ASF.
By default, HP Compaq 8000 Elite Business PCs are set to Intel AMT, and ASF is an available option.
Note that setting the None option will disable all remote management capabilities. Setting None will also unprovision any AMT settings.
i. Select Intel AMT.
ii. Select Return to previous menu.
Figure 3 Intel ME Features Control Screen with AMT selected
iii. Select Return to the previous menu.
9. Select Intel ME Power Control.
Figure 4 Intel ME Power Control Screen
a. Select Intel ME ON in Host Sleep States, and then select Desktop: ON in S0, S3, ME WoL in S3, S4-5, OFF After Power Loss.
Default Setting = Desktop: ON in S0, Recommended Setting = Desktop: ON in S0, S3, ME WoL in S3, S4-5, OFF After Power Loss
This option sets the ME power policy when the system is in a sleep state (Sx) and when returning from a G3 power loss.
Table 2: ME Power State During Host Sleep State

ME ON in Host Sleep State    ME Behavior
Option 1    ME is ON only when the system is in S0.
Option 2    ME is ON only when the system is in S0 or S3.
Option 3    ME is ON at all times: S0, S3, S4, and S5.
Option 4    ME is ON only when the system is in S0. It will be asleep in S3 unless it is called upon. The timer for ME sleep is set by the Idle Timeout option.
Option 5    ME is ON only when the system is in S0. It will be asleep in S3 - S5 unless it is called upon. The timer for ME sleep is set by the Idle Timeout option.
Option 6    ME is ON at all times: S0, S3, S4, and S5. The ME will not automatically initialize after recovering from a G3 power loss.
Option 7    ME is ON only when the system is in S0. It will be asleep in S3 - S5 unless it is called upon. The timer for ME sleep is set by the Idle Timeout option. The ME will not automatically initialize after recovering from a G3 power loss.
See “Appendix B: Power / Sleep / Global States Explained” on page 34 for an explanation of sleep/ power states.
See “Appendix C: Wake-On-ME Explained” on page 35 for an explanation of Wake-On-ME/ ME WoL.
b. Select Return to the previous menu.
10. Select Return to previous menu to exit MEBx Setup and save the ME configuration. The system displays an Intel ME Configuration Complete message and reboots. After the ME configuration is complete, you can configure AMT on the next boot.
11. Press Ctrl+P during POST to enter MEBx Setup again.
12. Type the MEBx password.
13. Select Intel AMT Configuration.
Figure 5 Intel AMT Configuration screen
14. Select Host Name, and then type a host name.
Default Setting = HPSystem, Recommended Setting = User Dependent
NOTES: Spaces are not accepted in the host name. Make sure the host name is unique on the network. You can use the host name in place of the system's IP address for any application that requires the IP address.
15. Select TCP/IP.
a. Select Disable Network Interface, and then select N.
Default Setting = Network Interface Enabled, Recommended Setting = Network Interface Enabled
If the network is disabled, then all remote AMT capabilities are disabled and TCP/IP settings are not necessary.
This option is a toggle, and the next time you access it you are prompted with the opposite setting.
b. Select DHCP Disable, and then select Y.
Default Setting = DHCP Enabled, Recommended Setting = User Dependent
You can use DHCP if it is available. If you use DHCP, steps 15c through 15g are not necessary; otherwise the system administrator must configure the TCP/IP settings manually.
For the purpose of this white paper, DHCP is disabled so that steps 15c through 15g can be illustrated. Step 15h appears for both DHCP and static configurations.
c. Select IP Address, and then type a static address.
Default Setting = 10.0.0.2, Recommended Setting = Network Dependent
Example: 192.168.0.1
Make sure all AMT systems have a unique static IP address. Multiple systems sharing the same IP address cause address conflicts, and the affected systems will not respond correctly.
d. Select Subnet Mask, and then type a subnet mask.
Default Setting = 255.255.255.0, Recommended Setting = Network Dependent
Example: 255.255.255.0
e. Select Default Gateway Address, and then accept the default and press Enter.
Default Setting = 0.0.0.0, Recommended Setting = Network Dependent,
Leave as 0.0.0.0 if this option is not needed.
f. Select Preferred DNS Address, and then accept the default value and press Enter.
Default Setting = 0.0.0.0, Recommended Setting = Network Dependent
Leave as 0.0.0.0 if this option is not needed.
g. Select Alternate DNS Address, and then accept the default value and press Enter.
Default Setting = 0.0.0.0, Recommended Setting = Network Dependent
Leave as 0.0.0.0 if this option is not needed.
h. Select Domain Name, and then type a domain name.
Default Setting = none, Recommended Setting = Network Dependent
The domain name is blank by default. If it is not populated, the default name "Provisionserver" is used when connecting to a Setup and Configuration Server.
If the S&CS is not named "Provisionserver" and the domain name is blank, an alias (for example a CNAME record) for "Provisionserver" must be created in DNS so that the lookup resolves to the actual S&CS.
If the Domain Name field is populated, that domain is used. However, if there is no response after four DNS queries to the named domain, that domain name is abandoned and the default "Provisionserver" is used.
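The check below is added here as an example and is not code from the white paper. It applies the constraints from steps 14 and 15 to a planned list of systems before anyone keys the values into each MEBx: host names without spaces and unique on the network, unique IP addresses, a valid subnet mask, and a default gateway that is either 0.0.0.0 (not needed) or an address inside the system's own subnet. The dict-per-system input format, the case-insensitive host-name comparison, and the sample plan are all constructed for this example.

```python
"""Pre-flight check of a static TCP/IP plan for several AMT systems.

Added example, not part of the HP white paper. It applies the constraints
from steps 14 and 15 to a planned list of systems before the values are
keyed into each MEBx: host names without spaces and unique on the network,
unique IP addresses, a valid subnet mask, and a default gateway that is
either 0.0.0.0 (not needed) or an address inside the system's own subnet.
The dict-per-system input format is an assumption made for this example.
"""
import ipaddress

UNSET = ipaddress.IPv4Address("0.0.0.0")   # MEBx default meaning "option not needed"

# Constructed sample plan (not a real network). The third entry breaks
# three rules: a space in the host name, the same IP as the first system,
# and a gateway outside its subnet.
SAMPLE_PLAN = [
    {"host": "amt-ws-01", "ip": "192.168.0.10", "mask": "255.255.255.0",
     "gateway": "192.168.0.1", "dns": "192.168.0.2"},
    {"host": "amt-ws-02", "ip": "192.168.0.11", "mask": "255.255.255.0",
     "gateway": "0.0.0.0", "dns": "0.0.0.0"},
    {"host": "amt ws 03", "ip": "192.168.0.10", "mask": "255.255.255.0",
     "gateway": "10.0.0.1", "dns": "0.0.0.0"},
]


def check_plan(plan):
    """Return a list of (host, problem) pairs; an empty list means the plan is consistent."""
    problems = []
    hosts_seen = {}   # lower-cased host name -> first host using it
    ips_seen = {}     # IPv4Address -> first host using it
    for entry in plan:
        host = entry["host"]
        if " " in host:
            problems.append((host, "host name contains a space"))
        key = host.lower()   # assumption: name collisions are case-insensitive
        if key in hosts_seen:
            problems.append((host, f"duplicate host name (also used by {hosts_seen[key]})"))
        hosts_seen.setdefault(key, host)

        # IPv4Interface accepts "address/dotted-netmask" and rejects a non-contiguous mask.
        try:
            iface = ipaddress.IPv4Interface(f"{entry['ip']}/{entry['mask']}")
        except ValueError as exc:
            problems.append((host, f"invalid IP address or subnet mask: {exc}"))
            continue
        if iface.ip in ips_seen:
            problems.append((host, f"duplicate IP address {iface.ip} (also used by {ips_seen[iface.ip]})"))
        ips_seen.setdefault(iface.ip, host)

        for field in ("gateway", "dns"):
            try:
                addr = ipaddress.IPv4Address(entry[field])
            except ValueError:
                problems.append((host, f"{field} is not a valid IPv4 address"))
                continue
            if addr == UNSET:
                continue   # left at 0.0.0.0: the option is not used
            if field == "gateway" and addr not in iface.network:
                problems.append((host, f"default gateway {addr} is outside {iface.network}"))
    return problems


if __name__ == "__main__":
    for host, problem in check_plan(SAMPLE_PLAN) or [("all", "OK")]:
        print(f"{host}: {problem}")
```

Running it on the sample plan flags only the third system, with one line per rule it breaks; a DNS address left at 0.0.0.0 is accepted, matching the MEBx default described in steps 15f and 15g.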
16. Select Provision Model.
a. Change to Small Business, and then select Y.
Default Setting = Enterprise, Recommended Setting = Small Business
This option is a toggle, and the next time you access it you are prompted with the opposite setting.
Notice that the Setup and Configuration option is no longer available once the system is in Small Business mode. This option is only used in Enterprise Mode.
b. Select Return to previous menu.
17. Skip Un-Provision. This option returns the system to factory defaults.
18. Skip VLAN.
Default Setting = Disabled, Recommended Setting = User Dependent
This option enables or disables VLAN support. If VLAN is enabled, then you must provide the VLAN tag (1-4094).
VLAN support is not necessary for AMT or Virtual Appliances. If enabled, it allows the grouping of systems from different networks into one virtual network.
19. Select SOL/IDE-R.
a. Select Y in the message window.
b. Select Username and Password, and then select Enabled.
Default Setting = Enabled, Recommended Setting = Enabled
This option allows users and passwords to be added from the WebGUI. If the option is disabled, then only the administrator has MEBx remote access.
c. Select Serial Over LAN, and then select Enabled.
Default Setting = Enabled, Recommended Setting = Enabled
This option enables/disables Serial Over LAN (SOL) functionality.
d. Select IDE Redirection, and then select Enabled.
Default Setting = Enabled, Recommended Setting = Enabled
This option enables/disables IDE Redirection (IDE-R) functionality.
20. Select Password Policy.
Default Setting = Default Password Only, Recommended Setting = Default Password Only
This option determines if the local MEBx password can be modified from a remote console.
Option Effect
Default Password Only    This option allows the MEBx password to be remotely modified only if it is still the default "admin" password.