Lenovo ThinkCentre M90p Configuration Guide [en, ar, bg, cs, da, de, el, es, fi, fr, he, hr, hu, id, it, ko, nl, pl, pt, ro, ru, sk, sl, sr, sv, th, tr, uk, zc, zh]
ThinkCentre M90p with
Intel Active Management Technology
Configuration Guide
First Edition (January 2010)
© Copyright Lenovo 2010.
LENOVO products, data, computer software, and services have been developed exclusively at private expense and
are sold to governmental entities as commercial items as defined by 48 C.F.R. 2.101 with limited and restricted
rights to use, reproduction and disclosure.
LIMITED AND RESTRICTED RIGHTS NOTICE: If products, data, computer software, or services are delivered
pursuant a General Services Administration ″GSA″ contract, use, reproduction, or disclosure is subject to restrictions
set forth in Contract No. GS-35F-05925.
Contents
About this document .........v
Chapter 1. Introduction to Intel vPro and
Intel AMT ..............1
Acronyms ...............1
Chapter 2. Features and benefits of Intel
AMT................3
Features and benefits ...........3
Chapter 3. Introduction to ISV
applications .............5
Chapter 4. Main features of computers
built with Intel AMT ..........7
CIRA .................7
KVM redirection .............8
Chapter 5. Intel AMT setup and
configuration on Lenovo ThinkCentre
M90p desktop computers .......9
Intel AMT configuration settings in Setup Utility . . 9
Intel MEBx setup and configuration ......10
Entering the MEBx configuration user interface 11
Intel(R) ME General Settings ........11
Intel(R) AMT Configuration ........19
Intel(R) Quiet System Technology Configuration 20
Driver description ............20
MEI................20
LMS................21
SOL................21
Chapter 6. Web user interface .....23
Accessing the Web user interface .......23
Provisioning the Intel AMT computer ....23
Logging on to the client .........24
Functions in the Web user interface ......24
Appendix A. Examples of configuring
Intel AMT in manual and automatic
setup and configuration modes ....25
Configuring Intel AMT in manual setup and
configuration mode............25
Configuring Intel AMT in automatic setup and
configuration mode............25
ZTC provisioning ...........25
USB provisioning ...........26
Appendix B. Factory default settings
for the Intel MEBx ..........27
Appendix C. Notices .........29
Trademarks ..............30
© Copyright Lenovo 2010 iii
iv ThinkCentre M90p with Intel AMT Configuration Guide
About this document
This document provides information about Intel®Active Management Technology
(Intel AMT) for Lenovo®ThinkCentre®M90p desktop computers. This document
provides step-by-step instructions on how to use Intel AMT.
This document is intended for trained IT professionals or those responsible for
configuring computers throughout their organizations. The readers should have
basic knowledge of network and computer technology, and be familiar with the
terms TCP/IP, DHCP, IDE, DNS, Subnet Mask, Default Gateway, Domain Name,
and so on.
This document provides information about the following topics:
Chapter 1, “Introduction to Intel vPro and Intel AMT,” on page 1: This chapter
provides a general introduction to Intel vPro
Chapter 2, “Features and benefits of Intel AMT,” on page 3: This chapter
introduces the features and benefits of Intel AMT.
Chapter 3, “Introduction to ISV applications,” on page 5: This chapter provides a
general introduction to ISV applications.
Chapter 4, “Main features of computers built with Intel AMT,” on page 7: This
chapter introduces the main features of Intel AMT built-in computers.
Chapter 5, “Intel AMT setup and configuration on Lenovo ThinkCentre M90p
desktop computers,” on page 9: This chapter provides detailed instructions on how
to configure Intel AMT settings on Lenovo ThinkCentre M90p desktop computers.
Chapter 6, “Web user interface,” on page 23: This chapter provides instructions on
how to access the Intel AMT Web user interface.
™
and Intel AMT.
© Copyright Lenovo 2010 v
vi ThinkCentre M90p with Intel AMT Configuration Guide
Chapter 1. Introduction to Intel vPro and Intel AMT
Intel vPro is a business computer platform that provides business computers with
enhanced remote management capabilities. For computers built with Intel vPro, IT
administrators can use a third party software to remotely collect inventory
information, diagnose problems, and provide various services regardless of the
computer power state or the operating system state. IT administrators can also
isolate and protect individual computers and the network from threats.
As a feature of Intel vPro, Intel AMT is designed to provide remote management
of computers regardless of the computer power state or the operating system state
as long as the computers are connected to an electrical outlet and a network.
Acronyms
The following table lists and explains some acronyms used in this document.
Acronym Description
ACL Access Control List
AMT Active Management Technology
ASF Alert Standard Format
CIRA Client Initiated Remote Access
DHCP Dynamic Host Configuration Protocol
DNS Domain Name Server
FQDN Fully Qualified Domain Name
FW Firmware
HECI Host Embedded Controller Interface
IDE-R Integrated Device Electronics - Redirection
IP Internet Protocol
ISV Independent Software Vendor
KVM Keyboard-Video-Mouse
LMS Local Manageability Service
ME Management Engine
MEBx Management Engine BIOS Extension
MEI Management Engine Interface
NVM Nonvolatile memory
OEM Original Equipment Manufacturer
OOB Out-of-band
PID/PPS Provisioning ID and Provisioning Pre-shared Key
PKI Public Key Infrastructure
PRTC Protected Real Time Clock
PSK Pre-shared Key
PXE Preboot Execution Environment
SHA Secure Hash Algorithm
© Copyright Lenovo 2010 1
SMB Small and Medium Businesses
SOL Serial-over-LAN
TCP Transmission Control Protocol
TLS Transport Layer Security
WOL Wake on Lan
ZTC Zero Touch Configuration
2 ThinkCentre M90p with Intel AMT Configuration Guide
Chapter 2. Features and benefits of Intel AMT
This chapter introduces the features and benefits of Intel AMT.
The following table lists the Lenovo business computers with Intel AMT installed.
Lenovo computer Intel AMT version
ThinkCentre M90p Intel AMT 6.X
ThinkCentre M58p Intel AMT 5.X
ThinkCentre M57p Intel AMT 3.X
ThinkCentre M55p Intel AMT 2.X
Features and benefits
ThinkCentre M90p computers built with Intel AMT enable IT administrators to
better discover, heal, and protect the networked computing assets.
v Discover: Intel AMT stores hardware and software information in nonvolatile
memory (NVM). With built-in manageability, Intel AMT enables IT
administrators to discover assets remotely, even when computers are turned off.
v Heal: The built-in manageability of Intel AMT provides out-of-band (OOB)
management capabilities, which enable IT administrators to remotely diagnose
computer problems and recover computers even if the operating systems are
inoperable. Proactive alerting and event logging help IT administrators detect
problems quickly to reduce computer downtime.
v Protect: The Intel AMT system defense feature enables better protection for
computers by proactively blocking incoming threats, controlling infected
computers before the computers cause problems in the network, and alerting IT
administrators when critical software agents are removed from the computers.
The following table shows the features and benefits of Intel AMT.
Table 1. Features and benefits of Intel AMT
Features Benefits
OOB system access Enables remote management of clients regardless of client power
state and operating system state
Remote
troubleshooting and
recovery
Proactive alerting Decreases computer downtime and minimizes IT service time
Remote hardware asset
tracking
© Copyright Lenovo 2010 3
Significantly reduces IT helpdesk visits and increases IT service
efficiency
Increases speed and accuracy with reduced accounting costs,
compared with manual inventory tracking
4 ThinkCentre M90p with Intel AMT Configuration Guide
Chapter 3. Introduction to ISV applications
Intel AMT is designed as a building block and not a complete solution. This
enables Original Equipment Manufacturers (OEMs) to incorporate Intel AMT into
their client and server hardware platforms. Competent and authorized third party
applications provide management and security services that take advantage of the
Intel AMT features, such as out-of-band access to asset information, event logs,
hardware and software tables, and embedded capabilities.
The following table lists the common third party Independent Software Vendor
(ISV) management applications.
Table 2. List of common third party management applications
Application ISV
®
Microsoft
Microsoft System Center Configuration Manager Microsoft
LANDesk Management Suite LANDesk
Altiris Real Time System Manager Altiris
System Management Server 2003 Microsoft
© Copyright Lenovo 2010 5
6 ThinkCentre M90p with Intel AMT Configuration Guide
Chapter 4. Main features of computers built with Intel AMT
Computers built with Intel AMT version 2.0 or later have the following features
and improvements:
v Remote power control
– Power on
– Power off
– Power reset
– Power cycle
v Asset management
– E-Asset tag
– OOB hardware inventory
v Integrated Device Electronics - Redirection (IDE-R)
– Floppy redirection
– CD redirection
v Serial-over-LAN (SOL)
– Screen redirection based on text
– Keyboard redirection
– Network redirection
v Remote restart
– Restart from a local hard disk drive
– Restart from a local CD or DVD drive
– Restart from a local Preboot Execution Environment (PXE)
v Event management
– Event alerting
– Event logging
– Audit log
v Agent presence
v System defense
v “CIRA”
v “KVM redirection” on page 8
CIRA
ThinkCentre M90p computers built with Intel AMT support the Client Initiated
Remote Access (CIRA) function. You can perform this function through ISV
applications. For more information about ISV applications, see Chapter 3,
“Introduction to ISV applications,” on page 5.
The CIRA function enables client-initiated, secure OOB communication to the
manageability console, which includes:
v User-initiated call-home feature
v Scheduled, automated call-home feature (no user input required)
v Transport Layer Security (TLS) session established through client initiation
© Copyright Lenovo 2010 7
KVM redirection
ThinkCentre M90p computers built with Intel AMT 6.X support
Keyboard-Video-Mouse (KVM) redirection over Internet Protocol (IP). As an
important new feature in Intel AMT 6.X, KVM redirection enables IT
administrators to remotely control the keyboard, video or visual display unit, and
mouse of the managed clients. KVM redirection has the following advantages:
v Work stably
v Based on hardware
Note: KVM redirection is based on hardware so that it can work correctly
regardless of the operating system state of the managed clients.
v Manage clients through management servers remotely
v Healing, installation and applications support
Notes:
1. KVM redirection in Intel AMT 6.X can be used only on computers with Intel
integrated graphics. For computers with discrete graphics cards, the
Serial-over-LAN (SOL) function can be used to support remote diagnostics and
repair.
2. The KVM user interfaces are only available on computers that support KVM
redirection. For more information about KVM user interfaces, see “KVM
Configuration” on page 20.
8 ThinkCentre M90p with Intel AMT Configuration Guide
Chapter 5. Intel AMT setup and configuration on Lenovo ThinkCentre M90p desktop computers
The Intel Management Engine (ME) is an isolated and protected computing
resource that runs on an Intel AMT computer. The Intel Management Engine BIOS
Extension (MEBx) provides a user interface to change or configure settings that
control the operation of the Intel Management Engine (ME).
All changes to the ME platform configuration settings are not cached in the MEBx,
but committed to the ME nonvolatile memory until you exit the MEBx. If the Intel
MEBx crashes in the process of the configuration, the changes that you have made
will not be saved.
Note: To perform the CIRA function, configure your computer in the MEBx for
manual setup and configuration mode or automatic setup and configuration
mode, and then use the CIRA function through ISV applications. You do not
need to do any additional setup and configuration in the MEBx.
Intel AMT configuration settings in Setup Utility
The Setup Utility program enables you to view and change the Intel AMT related
configuration settings for your computer.
To view or change the Intel AMT configuration settings, do the following:
1. Repeatedly press and release the F1 key when turning on the computer. When
you hear multiple beeps or see a logo screen, release the F1 key. The Setup
Utility program starts.
© Copyright Lenovo 2010 9
2. From the Setup Utility program main menu, select Advanced → Intel(R) AMT.
The following window will be displayed.
Figure 1. Intel AMT configuration settings in Setup Utility
In the window, you can view the following Intel AMT configuration settings:
Option Default setting Description
Intel(R) AMT Control Enabled Used to enable or disable the Intel AMT
Intel(R) AMT Reset Disabled Used to enable or disable the Intel AMT reset
Press <Ctrl-P> to Enter
MEBx
Enabled Used to enable or disable the entrance of the
For more information, see the instructions and the help messages on the screen.
Intel MEBx setup and configuration
This section provides instructions on how to set up and configure Intel AMT for
your computer.
interface.
function.
MEBx setup configuration menu.
10 ThinkCentre M90p with Intel AMT Configuration Guide
Entering the MEBx configuration user interface
Repeatedly press and release Ctrl+P when turning on the computer. When you see
the Intel Management Engine BIOS Extension window, release the Ctrl and P keys.
Press 1 to enter the Intel MEBx MAIN MENU window (Figure 2). You will be
prompted to enter the Intel ME password. Type the Intel ME default password
admin and then you will be promoted to type a new password. To set a new Intel
ME password, see “Change ME Password” on page 12.
Figure 2. Intel MEBx MAIN MENU window
Intel(R) ME General Settings
Select Intel(R) ME General Settings in the Intel MEBx MAIN MENU window and
press Enter. The INTEL(R) ME PLATFORM CONFIGURATION window opens
(Figure 3). This window enables you to configure the general settings of the Intel
ME, such as ME state, ME password, power control, and so on.
Figure 3. INTEL(R) ME PLATFORM CONFIGURATION window
Chapter 5. Intel AMT setup and configuration on Lenovo ThinkCentre M90p desktop computers 11
The following options are listed in the INTEL(R) ME PLATFORM
CONFIGURATION window:
Intel(R) ME State Control
The Intel(R) ME State Control option allows you to enable the Intel ME on the
platform or disable the Intel ME for debugging purposes.
Note: The DISABLED option allows you to disable the Intel ME for debugging
purposes. The DISABLED option is used to stop the Intel ME code from
executing at the early stage of the Intel ME boot process so that the system
has no traffic originating from the Intel ME on any of the buses. Disabling
the Intel ME enables an IT technician to debug a system problem without
any interference from the Intel ME.
Change ME Password
The Change ME Password option enables you to change the Intel ME password.
To change the Intel ME password, select Change ME Password and press Enter.
Type your new password and press Enter. When prompted to confirm the new
password, type your new password again.
Password considerations: For security reasons, it is recommended to use a strong
password that cannot be easily compromised. To set a strong password, use the
following guidelines:
v Have eight to 32 characters in length
v Contain at least one alphabetic character, one numeric character, and one symbol
(!@#$%^&*andsoon)
v Contain at least one upper case letter and one lower case letter
v You can also use the space bar and underscore (_).
Password Policy
The Password Policy option specifies when you can change the MEBx password
through the network interface.
Select Password Policy and press Enter, the following three options will be
displayed.
Option Description
DEFAULT
PASSWORD ONLY
DURING SETUP
AND
CONFIGURATION
ANYTIME This option enables you to change the MEBx password anytime.
This option enables you to change the MEBx password when the
MEBx password has not been modified.
This option enables you to change the MEBx password during the
setup and configuration. You cannot modify the MEBx password
after the setup and configuration process is completed.
Network Setup
The Network Setup menu enables you to configure network settings. Select
Network Setup and press Enter. The INTEL(R) NETWORK SETUP window opens.
The following options will be displayed:
v “Intel(R) ME Network Name Settings” on page 13
v “TCP/IP Settings” on page 13
12 ThinkCentre M90p with Intel AMT Configuration Guide
Intel(R) ME Network Name Settings: In the INTEL(R) NETWORK SETUP
window, select Intel(R) ME Network Name Settings and press Enter. The
following options will be displayed.
Option Description
Host Name Enables you to set a host name for your Intel AMT computer.
Domain Name Enables you to set a domain name for your Intel AMT computer.
Shared/
Dedicated
FQDN
Dynamic DNS
Update
Periodic Update
Interval
TTL Enables you to set the Time To Live (TTL) value in seconds.
Enables you to specify whether the Fully Qualified Domain Name
(FQDN) is a dedicated domain name for Intel AMT or shared by both
Intel AMT and your operating system.
Used to enable or disable the Dynamic DNS (Domain Name Server)
Update Client in the firmware. When the Dynamic DNS Update feature
is set to ENABLED, the firmware will automatically register its IP
address and FQDN on the DNS using the Dynamic DNS Update
protocol.
Note: Set the host name and domain name before you enable the
Dynamic DNS Update feature.
Enables you to set the interval between every two successional updates
that the Dynamic DNS Update Client in the firmware sends to the DNS.
Notes:
1. The Periodic Update Interval option is only available when the
Dynamic DNS Update feature is enabled.
2. The interval unit is minute. The interval value should be zero or no
smaller than 20. By setting the interval value to zero, you disable the
periodic update feature.
Notes:
1. The TTL option is only available when the Dynamic DNS Update
feature is enabled.
2. The TTL value should be greater than zero. If the TTL value is set to
zero, the firmware will use the default value, which is 900 seconds.
TCP/IP Settings: Select TCP/IP Settings and press Enter. The TCP/IP SETTINGS
window opens. The following options will be displayed:
v “Wired LAN IPV4 Configuration”
v “Wired LAN IPV6 Configuration” on page 14
Wired LAN IPV4 Configuration: Select Wired LAN IPV4 Configuration → DHCP
Mode. The DHCP Mode option is used to enable or disable DHCP mode. With
DHCP mode enabled, the TCP/IP settings will be configured by a DHCP server.
With DHCP mode disabled, the options in the following table will be displayed.
You will be required to configure the static TCP/IP settings for the Intel AMT
computer. If the system is in static mode, a second IP address is required. This
second IP address is often called the Intel ME IP address and is different from the
host IP address.
Option Description
IPV4 Address Enables you to enter the Intel ME IP address for your Intel AMT
computer.
Subnet Mask
Address
Chapter 5. Intel AMT setup and configuration on Lenovo ThinkCentre M90p desktop computers 13
Enables you to enter the subnet mask address for your Intel AMT
computer.
Default Gateway
Address
Preferred DNS
Address
Alternate DNS
Address
Enables you to enter the default gateway address for your Intel
AMT computer.
Enables you to enter the preferred DNS address for your Intel AMT
computer.
Enables you to enter the alternate DNS address for your Intel AMT
computer.
Wired LAN IPV6 Configuration: Select Wired LAN IPV6 Configuration and press
Enter. The WIRED LAN IPV6 CONFIGURATION window opens.
The Intel ME network stack supports a multihomed IPv6 interface. Each IPv6
network interface can be configured with the following IPv6 addresses:
v One auto-configured link-local address
v Three auto-configured global addresses
v One DHCPv6-configured address
v One statically configured IPv6 address
The Intel ME IPv6 addresses are dedicated and not shared with the host operating
system. To enable Dynamic DNS registration for IPv6 addresses, you will need to
configure a dedicated FQDN.
The IPV6 Feature Selection option is used to enable or disable the IPv6 interface.
With IPV6 Feature Selection enabled, the following options will be displayed.
Option Description
IPV6 Interface ID
Type
IPV6 Address Enables you to enter the IPv6 address for your Intel AMT
IPV6 Default Router Enables you to enter the IPv6 default router for your Intel AMT
Preferred DNS IPV6
Address
Alternate DNS IPV6
Address
Used to specify the IPv6 Interface ID type.
There are three types of IPv6 Interface IDs:
v Random ID: The IPv6 Interface ID is automatically generated
using a random number as described in Request for Comments
(RFC) 3041.
v Intel ID: The IPv6 Interface ID is automatically generated using
the Media Access Control (MAC) address.
v Manual ID: The IPv6 Interface ID is manually configured.
Selecting this option requires that the Manual Interface ID is set
to a valid value.
computer.
computer.
Enables you to enter the preferred DNS IPv6 address for your Intel
AMT computer.
Enables you to enter the alternate DNS IPv6 address for your Intel
AMT computer.
Activate Network Access
The Activate Network Access option enables you to activate the current network
settings and open the Intel ME network interface. Select Activate Network Access
and press Enter. Press Y or N depending on whether you want to activate the
current network settings.
Activating network access will cause the Intel ME to transition to the post
provisioning state if all required settings have been configured.
14 ThinkCentre M90p with Intel AMT Configuration Guide
Unconfigure Network Access
The Unconfigure Network Access option enables you to reset network settings
including network access control lists (ACLs) to factory default settings. Select
Unconfigure Network Access and press Enter. Press Y or N when prompted.
If you press Y, the following options will be displayed.
Option Description
Full Unprovision Used to reset all the Intel AMT settings to the factory default settings
except the MEBx password.
Partial
Unprovision
Used to reset all the Intel AMT settings to the factory default settings
except the PID/PPS and the MEBx password.
Remote Setup And Configuration
Select Remote Setup And Configuration and press Enter. The INTEL(R)
AUTOMATED SETUP AND CONFIGURATION window opens. The following
options will be displayed:
v “Current Provisioning Mode”
v “Provisioning Record”
v “RCFG” on page 16
v “Provisioning Server IPV4/IPV6” on page 16
v “Provisioning Server FQDN” on page 16
v “TLS PSK” on page 16
v “TLS PKI” on page 16
Current Provisioning Mode: The Current Provisioning Mode option shows you
the current provisioning TLS mode: None, PKI (Public Key Infrastructure), or PSK
(Pre-shared Key).
Provisioning Record: The Provisioning Record option shows you the provision
PSK or PKI record data of your computer. If no data has been entered, a message
will be displayed indicating that the provision record is not present. If the record
data has been entered, the following provision records will be displayed:
v TLS provisioning mode – Displays the current configuration mode of the system:
None, PSK, or PKI.
v Provisioning IP – Displays the IP of the setup and configuration server.
v Date of Provision – Displays the date and time of the provision.
v DNS – Indicates whether the PKI DNS suffix was configured in the Intel MEBX
before remote configuration takes effect. A value of 0 indicates that the PKI DNS
suffix was not configured. A value of 1 indicates that the PKI DNS suffix was
configured.
v Host Initiated – Displays whether the setup and configuration process was
initiated by the host: No indicates the setup and configuration process was not
initiated by the host; Yes indicates the setup and configuration process was
initiated by the host. (PKI only)
v Hash Data – Displays the 40-character certificate hash data. (PKI only)
v Hash Algorithm – Describes the hash type. Currently only SHA1 (Secure Hash
Algorithm 1) is supported. (PKI only)
v Is Default – Displays Ye s if the Hash algorithm is the default algorithm.
Displays No if the hash algorithm is not the default algorithm. (PKI only)
Chapter 5. Intel AMT setup and configuration on Lenovo ThinkCentre M90p desktop computers 15
v FQDN – Displays the FQDN of the provisioning server mentioned in the
certificate. (PKI only)
v Serial Number – Displays the 32-character Certificate Authority serial number.
v Time Validity Pass – Indicates whether the certificate has passed the time
validity check.
RCFG: Select RCFG and press Enter. The INTEL(R) REMOTE CONFIGURATION
window opens. Select Start Configuration and press Enter. Press Y or N when you
are prompted to activate the remote configuration.
Provisioning Server IPV4/IPV6: The Provisioning Server IPV4/IPV6 option
enables you to enter the IP address of the Intel AMT provisioning server and the
port number of the Intel AMT provisioning server. The port number ranges from 0
to 65535. The default port number is 9971.
Provisioning Server FQDN: Select Provisioning Server FQDN and press Enter.
You will be prompted to enter the FQDN of the Intel AMT provisioning server.
TLS PSK: Select TLS PSK and press Enter. The INTEL(R) TLS PSK
CONFIGURATION window opens. The following options will be displayed.
Option Description
Set PID and PPS Used to enter the Provisioning ID (PID) and Provisioning Pre-shared
Key (PPS). The PID and PPS should be entered in the dash format
(for example, 1234-ABCD for PID and 1234-ABCD-1234-ABCD-1234ABCD-1234-ABCD for PPS).
Notes:
1. A PPS value of 0000-0000-0000-0000-0000-0000-0000-0000 will not
change the setup configuration state. If this value is used, the
setup and configuration state will stay as Not-started.
2. Setting the PID/PPS will cause a partial unprovision if the setup
and configuration is In-process.
Delete PID and PPS Used to delete the current PID and PPS stored on the Intel ME.
Note: Deleting the PID and PPS will cause a partial unprovision if
the setup and configuration is In-process.
TLS PKI: Select TLS PKI and press Enter. The INTEL(R) REMOTE
CONFIGURATION window opens. The Remote Configuration option is used to
enable or disable the remote configuration. Enabling or disabling remote
configuration will cause a partial unprovision if the setup and configuration server
is In Process. When the Remote Configuration option is enabled, the following
options will be displayed.
Option Description
PKI DNS Suffix Used to enter the PKI DNS Suffix for your Intel AMT computer. Key
value will be maintained in the EPS.
16 ThinkCentre M90p with Intel AMT Configuration Guide
Manage Hashes Used to list all the hashes on the system, including the hash names
and the hash states. The following keys are used to manage the
hashes:
v Esc: Used to exit from the hash management window.
v Insert: Used to add a customized certificate hash to the system. To
add a new certificate hash, do the following:
1. Press Insert and type the new hash name.
Note: The hash name must be no longer than 32 characters.
2. Enter the certificate hash data for Intel AMT when prompted.
The Certificate hash data is a 20-byte hexadecimal number. Enter
the hash data in the correct format and then press Enter.
3. Press Y to activate the certificate hash when prompted.
v Delete: Used to delete the currently selected certificate hash. A
certificate hash that is not active cannot be deleted.
v +: Used to change the active state of the currently selected certificate
hash. Setting a hash as active indicates that the hash is available for
use during PSK provisioning.
v Enter: Used to view the details of the currently selected certificate
hash. Press Enter in the hash management window. The details of
the selected certificate hash will be displayed, including the hash
name, certificate hash data, and the active and default states.
FW Update Settings
Select FW Update Settings and press Enter. The FW Update Settings window
opens. The following options will be displayed.
Option Description
Local FW Update Used to enable or disable the Intel ME firmware local update. When
the Local FW Update function is set to ENABLED, the IT
administrator can update the Intel ME firmware locally through the
local Intel ME interface or through the local secure interface.
Note: The local firmware update does not require an administrator
user name and password. Therefore, when the local firmware update
is completed, this setting is automatically set to DISABLED by the
Intel ME firmware. You need to manually set the Local FW Update
function to ENABLED when a local update is needed.
Secure FW
Update
Used to enable or disable the secure firmware update. You need to
have an administrator user name and password to use the Secure
Firmware Update function. When the Secure Firmware Update
function is enabled, the IT administrator can update the firmware
securely through the Local Manageability Service (LMS) driver.
Set PRTC
Select Set PRTC in the INTEL(R) ME PLATFORM CONFIGURATION window and
press Enter. You are prompted to enter the Protected Real Time Clock (PRTC) value
in Coordinated Universal Time (UTC) format (YYYY:MM:DD:HH:MM:SS). Setting a
PRTC value helps maintain the PRTC when your computer is turned off. The valid
PRTC date ranges from January 1, 2004 to January 4, 2021.
Chapter 5. Intel AMT setup and configuration on Lenovo ThinkCentre M90p desktop computers 17
Power Control
The Power Control menu enables you to configure the ME power control policies.
To conform with the ENERGY STAR program and the EuP Lot 6 requirements, the
Intel ME can be turned off in various sleep states. Select Power Control and press
Enter. The INTEL(R) ME POWER CONTROL window opens. In the INTEL(R) ME
POWER CONTROL window, the following options will be displayed.
Option Description
Intel(R) ME ON in Host
Sleep States
Idle Timeout Used to enable the Intel ME to wake up and define the Intel
Used to specify when the Intel ME will be turned on. Select
Intel(R) ME ON in Host Sleep States and press Enter. You can
choose which power package will be used.
v Desktop: ON in S0 – This option means only when your
computer is turned on and operational will the Intel ME be
turned on.
v Desktop: ON in S0, ME Wake in S3, S4-5 – This option
means the Intel ME will be turned on when your computer
is turned on and operational. The Intel ME can be remotely
woken up when your computer is in sleep mode,
hibernation mode, or turned off.
With Intel ME Wake on Lan (WOL), after the time-out timer
expires, the Intel ME remains in the M-off
command is sent to the Intel ME. After this command is sent,
the Intel ME will transition to the M0
1
state until a
2
or M33state and will
respond to the next command. A ping to the Intel ME can also
make the Intel ME transition to an M0 or M3 state. Intel ME
takes a short time to transition from the M-off state to the M0
or M3 state. During this time, the system will not respond to
any Intel ME commands. When the Intel ME is in the M0 or
M3 state, the system will respond to Intel ME commands.
ME idle timeout in the M3 state. The idle timeout value
indicates the amount of time that the Intel ME is allowed to
remain idle in the M3 state before transitioning to the M-off
state. The idle timeout value should be entered in minutes.
Note: If the Intel ME is in the M0 state, it will not transition to
the M-off state.
1. M-off: An Intel ME FW power state when the Intel ME FW is shut down.
2. M0: An Intel ME FW power state when the Intel AMT computer is turned on and operational.
3. M3: An Intel ME FW power state when the Intel AMT computer is in sleep mode, hibernation mode, or turned off.
18 ThinkCentre M90p with Intel AMT Configuration Guide
Intel(R) AMT Configuration
The Intel(R) AMT Configuration menu enables you to configure an Intel AMT
capable computer to support the Intel AMT management features.
Select Intel(R) AMT Configuration from the Intel MEBx MAIN MENU window
and press Enter. A message will be displayed indicating that you can update
network settings from the Intel(R) ME General Settings menu. Press Enter and the
INTEL(R) AMT CONFIGURATION window opens (Figure 4).
Figure 4. INTEL(R) AMT CONFIGURATION window
The following options are listed in the INTEL(R) AMT CONFIGURATION
window:
v “Manageability Feature Selection”
v “SOL/IDER”
v “KVM Configuration” on page 20
Manageability Feature Selection
The Manageability Feature Selection option is used to enable or disable the Intel
ME manageability feature. The default setting is ENABLED.
Note: If you disable the Manageability Feature Selection function, all the network
settings including ACLs will be reset to factory default settings.
SOL/IDER
Select SOL/IDER in the INTEL(R) AMT CONFIGURATION window and press
Enter. The SOL/IDER window opens. The following options will be displayed.
Option Description
Username & Password Used to enable or disable the username and password for the
SOL/IDER session. If the Kerberos network authentication
protocol is used, this option should be set to DISABLED because
the user authentication is managed through Kerberos. If the
Kerberos network authentication protocol is not used, the IT
administrator can choose to enable or disable the username and
password for the SOL/IDER session.
Chapter 5. Intel AMT setup and configuration on Lenovo ThinkCentre M90p desktop computers 19
SOL Used to enable or disable SOL. If the client supports SOL and
SOL is enabled on the client, the Intel AMT managed client input
or output can be redirected to the management server console. If
the client does not support SOL, the SOL option cannot be
enabled.
IDER Used to enable or disable IDE-R. If IDE-R is enabled, the Intel
AMT managed client can be booted from remote disk images
through a management server console. If the client does not
support IDE-R, the IDER option cannot be enabled.
Legacy Redirection
Mode
Used to enable or disable legacy redirection mode. Legacy
redirection mode controls how the redirection works.
Attention: The default setting is DISABLED, which is used for
enterprise consoles and new Small and Medium Businesses
(SMB) consoles. If you are using a legacy SMB Redirection
Console, you must set the Legacy Redirection Mode feature to
ENABLED.
KVM Configuration
Select KVM Configuration in the INTEL(R) AMT CONFIGURATION window and
press Enter. The KVM Configuration window opens and you can configure the
following KVM settings.
Option Description
KVM Feature Selection Used to enable or disable the KVM feature.
User Opt-in Used to specify whether the user consent is required for the
KVM session.
Opt-in Configurable from
remote IT
Used to enable or disable remote configuration of the User
Opt-in setting.
Intel(R) Quiet System Technology Configuration
The Intel Quiet System Technology (Intel QST) is the advanced system temperature
and fan speed control technology of Intel, which utilizes the internal and external
thermal sensors to optimize the acoustic and thermal performance of the computer
in steady state and transient power conditions.
Select Intel(R) Quiet System Technology Configuration and press Enter. Then,
you can enable or disable the Intel QST feature.
Driver description
This section provides information about AMT drivers. Read the following driver
descriptions if you are going to use Intel AMT in the Microsoft Windows
environment.
MEI
The Intel AMT Management Engine Interface (MEI) is the interface between the
host and the Intel ME. The Intel AMT MEI is bi-directional so that both the host
and the Intel AMT firmware can initiate transactions. In addition, transactions can
be completed by the Intel ME first and then the host can be synchronized with the
Intel ME later.
®
20 ThinkCentre M90p with Intel AMT Configuration Guide
LMS
SOL
Local Manageability Service (LMS) is a service that runs locally in the host
operating system. LMS exposes AMT functionality through standard interfaces (for
example, general-information interface, firmware update interface, local
agent-presence interface, and so on.) LMS is an abstraction that sits on top of the
Host Embedded Controller Interface (HECI) driver (and the ME) that interacts with
the ME using standard interfaces.
LMS listens for the request directed to the AMT local host. When an application
sends SOAP/HTTP messages to the local host, LMS intercepts the request and
sends the request to the Management Engine Interface through the HECI driver.
The SOL driver is an Intel AMT ME driver. This driver enables the remote display
of the managed client user interface through a management console and emulates
serial communication over a standard network connection.
Chapter 5. Intel AMT setup and configuration on Lenovo ThinkCentre M90p desktop computers 21
22 ThinkCentre M90p with Intel AMT Configuration Guide
Chapter 6. Web user interface
Besides managing your computers with ISV applications, you can also perform
some basic management functions through the Web user interface, such as power
controlling and asset inventory.
The Intel ME provides a Web user interface, which enables you to check the status
of Intel AMT as well. If you can access the Web user interface, your AMT setup
and configuration is correct.
Accessing the Web user interface
This section provides instructions on how to access the AMT Web user interface.
Provisioning the Intel AMT computer
To access the Web user interface, you need to configure the Intel AMT computer
first. To configure the Intel AMT settings for accessing the Web user interface, do
one of the following:
v Manual setup and configuration mode
1. Repeatedly press and release Ctrl+P when turning on the computer. When
you see the Intel Management Engine BIOS Extension window, release the
Ctrl and P keys. Press 1 to enter the Intel MEBx MAIN MENU window. Type
the default password admin and then change the Intel ME password.
2. Select Intel(R) ME General Settings → Network Setup.
3. In the INTEL(R) NETWORK SETUP window, select Intel(R) ME Network
Name Settings and then press Enter. Set the host name and domain name
for your Intel AMT computer.
4. In the INTEL(R) NETWORK SETUP window, select TCP/IP Settings and
press Enter. Configure TCP/IP settings in the TCP/IP SETTINGS window.
5. In the INTEL(R) ME PLATFORM CONFIGURATION window, select Activate
Network Access and press Enter. Press Y when prompted.
6. Select Exit in the Intel MEBx MAIN MENU window to exit the MEBx.
v Automatic setup and configuration mode
1. Repeatedly press and release Ctrl+P when turning on the computer. When
you see the Intel Management Engine BIOS Extension window, release the
Ctrl and P keys. Press 1 to enter the Intel MEBx MAIN MENU window. Type
the default password admin and then change the Intel ME password.
2. Select Intel(R) ME General Settings → Network Setup → TCP/IP Settings.
Configure TCP/IP settings in the TCP/IP SETTINGS window.
3. Select Intel(R) ME General Settings → Remote Setup And Configuration →
TLS PKI or TLS PSK. Set your valid hash or PID/PPS.
4. Select Intel(R) ME General Settings → Remote Setup And Configuration →
RCFG. The INTEL(R) REMOTE CONFIGURATION window opens. Select
Start Configuration and press Enter. Press Y when you are prompted to
activate the remote configuration.
5. Select Exit in the Intel MEBx MAIN MENU window to exit the MEBx.
6. Wait until the provision server successfully provisions your Intel AMT
computer.
© Copyright Lenovo 2010 23
Note: You can refer to detailed configuration examples for both manual setup and
configuration mode and automatic setup and configuration mode in
Appendix A, “Examples of configuring Intel AMT in manual and automatic
setup and configuration modes,” on page 25.
Logging on to the client
The client can be accessed from a management console on the network that has a
supported Web browser.
1. Open a Web browser on the management console and type one of the following
in the address box:
v For manual setup and configuration mode:
http://IP_Address:16992 (for example, http://192.168.1.13:16992)
v For automatic setup and configuration mode (for TLS):
https://IP_Address:16993 (for example, https://192.168.1.13:16993)
2. Click Log On in the Intel Active Management Technology window.
3. In the Enter Network Password window, enter your username and password
and then click OK. You will go to the client Web user interface.
Functions in the Web user interface
The Web user interface enables you to perform the following tasks:
v View the system status
v View the hardware information of your AMT computer, including system,
processor, memory, and hard disk drive
v View, start, stop, and clear event logs
v Remote power control, including: turn the computer off, cycle power off and on,
reset, normal startup, start the computer from a local optical drive, and start the
computer from a local hard disk drive
v View and manage the Intel AMT power policies
v View and manage the Intel AMT network settings
v View and manage the Intel AMT IPv6 network settings
v View and manage the Intel AMT system name settings
v View and manage the Intel AMT user accounts
24 ThinkCentre M90p with Intel AMT Configuration Guide
Appendix A. Examples of configuring Intel AMT in manual and automatic setup and configuration modes
This appendix provides examples of configuring Intel AMT in manual and
automatic setup and configuration modes.
Configuring Intel AMT in manual setup and configuration mode
The following are quick steps for configuring Intel AMT in manual setup and
configuration mode:
1. Repeatedly press and release Ctrl+P when turning on the computer. When you
see the Intel Management Engine BIOS Extension window, release the Ctrl and
P keys. Press 1 to enter the Intel MEBx MAIN MENU window. Type the default
password admin and then change the Intel ME password.
2. Select Intel(R) ME General Settings → Network Setup → Intel(R) ME Network
Name Settings.
3. In the INTEL(R) ME NETWORK NAME SETTINGS window, configure the host
name and domain name for your Intel AMT computer.
4. In the INTEL(R) ME PLATFORM CONFIGURATION window, select Power
Control.
5. Select Intel(R) ME ON in Host Sleep States and press Enter.
6. Select Desktop: ON in S0, ME Wake in S3, S4-5 and press Enter.
7. In the INTEL(R) ME PLATFORM CONFIGURATION window, select Activate
Network Access and press Enter. Press Y when prompted.
8. Select Exit in the Intel MEBx MAIN MENU window to exit the MEBx.
Configuring Intel AMT in automatic setup and configuration mode
There are the following two configuration methods in automatic setup and
configuration mode:
v “ZTC provisioning”
v “USB provisioning” on page 26
ZTC provisioning
This section provides instructions on how to use the ZTC provisioning method.
1. Repeatedly press and release Ctrl+P when turning on the computer. When you
see the Intel Management Engine BIOS Extension window, release the Ctrl and
P keys. Press 1 to enter the Intel MEBx MAIN MENU window. Type the default
password admin and then change the Intel ME password.
2. Select Intel(R) ME General Settings → Network Setup → Intel(R) ME Network
Name Settings.
3. In the INTEL(R) ME NETWORK NAME SETTINGS window, configure the
domain name for your Intel AMT computer.
4. In the INTEL(R) ME PLATFORM CONFIGURATION window, select Remote
Setup And Configuration → TLS PKI → Mange Hashes. Press Insert and then
set up your own certificate hashes.
5. In the INTEL(R) ME PLATFORM CONFIGURATION window, select Power
Control → Intel(R) ME ON in Host Sleep States.
© Copyright Lenovo 2010 25
6. Select Desktop: ON in S0, ME Wake in S3, S4-5 and press Enter.
7. In the INTEL(R) ME PLATFORM CONFIGURATION window, select Remote
Setup And Configuration → RCFG.
8. Select Start Configuration and press Enter. Press Y when prompted.
9. Select Exit in the Intel MEBx MAIN MENU window to exit the MEBx.
USB provisioning
This section provides instructions on how to use the USB provisioning method.
1. Repeatedly press and release the F1 key when turning on the Intel AMT
computer. When you hear multiple beeps or see a logo screen, release the F1
key. The Setup Utility program starts.
2. From the Setup Utility program main menu, select Advanced → Intel(R) AMT →
Intel(R) AMT Reset. Select Enabled and press Enter.
3. Press F10 to save your settings and exit the Setup Utility program. The
computer will restart to reset all Intel ME settings to factory default settings.
4. Press Y when you are prompted to continue with the Intel ME unconfiguration.
5. Format your USB memory key into FAT format.
6. Use an ISV application to create a USB key file named setup.bin on the
management console.
7. Export the setup.bin file to your USB memory key.
8. Connect the USB memory key to your Intel AMT computer and restart your
computer from the USB memory key.
9. You will receive a message ″Found USB Key for provisioning. Continue with
Auto Provisioning (Y/N).″ Press Y and then the USB provisioning will be
automatically completed.
26 ThinkCentre M90p with Intel AMT Configuration Guide
Appendix B. Factory default settings for the Intel MEBx
The following table introduces the factory default settings for the Intel MEBx.
Table 3. Factory default settings for the Intel MEBx
Option Default setting Option Default setting
Intel MEBx default
password
Intel(R) ME State
Control
Change ME
Password
Password Policy Blank Manage Hashes
Host Name Blank Local FW Update
Domain Name Blank Secure FW Update ENABLED
Shared/Dedicated
FQDN
Dynamic DNS
Update
DHCP Mode ENABLED Idle Timeout 65535
IPV6 Feature
Selection
Activate Network
Access
admin Delete PID and PPS This will delete the PID
and PPS entries.
Continue: (Y/N)
ENABLED Remote
Configuration
Blank PKI DNS Suffix Blank
Qualifier
Shared Set PRTC Blank
DISABLED Intel(R) ME ON in
Host Sleep States
DISABLED Manageability
Feature Selection
Activates the current
network settings and
opens the ME
network interface
Username &
Password
ENABLED
v VeriSign Class 3
Primary CA-G1
v VeriSign Class 3
Primary CA-G3
v Go Daddy Class 2 CA
v Comodo AAA CA
v Starfield Class 2 CA
v Verisign Class 3 Primary
CA-G2
Always Open
Desktop: ON in S0
ENABLED
ENABLED
Continue: (Y/N)
Unconfigure
Network Access
Current
Provisioning Mode
Provisioning
Record
© Copyright Lenovo 2010 27
Full Unprovision SOL ENABLED
Provisioning Mode:
PKI
Provision Record is
not present
IDER ENABLED
Legacy Redirection
Mode
DISABLED
Table 3. Factory default settings for the Intel MEBx (continued)
Option Default setting Option Default setting
Start
Configuration
Provisioning
Server IPV4/IPV6
Provisioning
Server FQDN
Set PID and PPS Blank Intel(R) Quiet
TTL 900 Periodic Update
This will activate
Remote
Configuration.
Continue: (Y/N)
Blank User Opt-in User Consent is required
Blank Opt-in
KVM Feature
Selection
Configuration from
remote IT
System Technology
Configuration
Interval
ENABLED
for KVM Session
Enable Remote Control of
KVM Opt-In Policy
ENABLED
1440
28 ThinkCentre M90p with Intel AMT Configuration Guide
Appendix C. Notices
Lenovo may not offer the products, services, or features discussed in this
document in all countries. Consult your local Lenovo representative for
information on the products and services currently available in your area. Any
reference to an Lenovo product, program, or service is not intended to state or
imply that only that Lenovo product, program, or service may be used. Any
functionally equivalent product, program, or service that does not infringe any
Lenovo intellectual property right may be used instead. However, it is the user’s
responsibility to evaluate and verify the operation of any other product, program,
or service.
Lenovo may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
Lenovo (United States), Inc
1009 Think Place
Building One
Morrisville, NC 27560
USA
Attention: Lenovo Director of Licensing
LENOVO GROUP LTD. PROVIDES THIS PUBLICATION “AS IS” WITHOUT
WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some
jurisdictions do not allow disclaimer of express or implied warranties in certain
transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. Lenovo may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
The products described in this document are not intended for use in implantation
or other life support applications where malfunction may result in injury or death
to persons. The information contained in this document does not affect or change
Lenovo product specifications or warranties. Nothing in this document shall
operate as an express or implied license or indemnity under the intellectual
property rights of Lenovo or third parties. All information contained in this
document was obtained in specific environments and is presented as an
illustration. The result obtained in other operating environments may vary.
Lenovo may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Any references in this publication to non-Lenovo Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this Lenovo
product, and use of those Web sites is at your own risk.
© Copyright Lenovo 2010 29
Trademarks
Any performance data contained herein was determined in a controlled
environment. Therefore, the result in other operating environments may vary
significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurements may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.
Lenovo, the Lenovo logo, and ThinkCentre are trademarks of Lenovo in the United
States, other countries, or both.
Microsoft and Windows are trademarks of the Microsoft group of companies.
Intel and Intel vPro are trademarks of Intel Corporation in the United States, other
countries, or both.
Other company, product, or service names may be trademarks or service marks of
others.
30 ThinkCentre M90p with Intel AMT Configuration Guide
Part Number: 89Y0880
Printed in USA
(1P) P/N: 89Y0880
Loading...