Lenovo ThinkCentre M91p Configuration Guide [en, ar, bg, cs, da, de, el, es, fi, fr, he, hr, hu, id, it, ja, ko, nl, pl, pt, ro, ru, sk, sl, sr, sv, th, tr, uk, zc, zh]

Download

Page 1

ThinkCentreM91p IntelActiveManagementTechnology CongurationGuide

Page 2

Page 3

ThinkCentreM91p IntelActiveManagementTechnology CongurationGuide

Page 4

Note:Beforeusingthisinformationandtheproductitsupports,readthegeneralinformationinAppendixC “Notices”onpage27.

FirstEdition(March2011)

©CopyrightLenovo2011.

LENOVOproducts,data,computersoftware,andserviceshavebeendevelopedexclusivelyatprivateexpenseandare soldtogovernmentalentitiesascommercialitemsasdenedby48C.F.R.2.101withlimitedandrestrictedrightsto use,reproductionanddisclosure.

LIMITEDANDRESTRICTEDRIGHTSNOTICE:Ifproducts,data,computersoftware,orservicesaredeliveredpursuant aGeneralServicesAdministration“GSA”contract,use,reproduction,ordisclosureissubjecttorestrictionssetforth inContractNo.GS-35F-05925.

Page 5

Contents

Aboutthisdocument.........v

Chapter1.IntroductiontoIntelvPro

andIntelAMT.............1

Acronyms................1

Chapter2.Featuresandbenetsof

IntelAMT...............3

Featuresandbenets............3

Chapter3.Mainfeaturesof

computersbuiltwithIntelAMT....5

CIRA..................5

KVMredirection..............6

HostBasedProvisioning...........6

Chapter4.IntelAMTsetupand congurationonLenovoThinkCentre

M91pdesktopcomputers......7

IntelAMTcongurationsettingsinSetupUtility..7

IntelMEBxsetupandconguration......8

EnteringtheMEBxcongurationuser

interface...............8

Intel(R)MEGeneralSettings.......8

Intel(R)AMTConguration........11

Driverdescription.............19

MEI.................19

LMS.................20

SOL.................20

Chapter5.Webuserinterface....21

AccessingtheWebuserinterface.......21

ConguringtheIntelAMTcomputer....21

Loggingontotheclient.........22

FunctionsintheWebuserinterface......22

AppendixA.Examplesofconguring IntelAMTinmanualandautomatic setupandcongurationmodes...23

ConguringIntelAMTinmanualsetupand

congurationmode.............23

ConguringIntelAMTinautomaticsetupand

congurationmode.............23

ZTCprovisioning............23

USBprovisioning............24

AppendixB.Factorydefaultsettings

fortheIntelMEBx...........25

AppendixC.Notices.........27

Trademarks................28

©CopyrightLenovo2011

iii

Page 6

ivThinkCentreM91pIntelActiveManagementT echnologyCongurationGuide

Page 7

Aboutthisdocument

ThisdocumentprovidesinformationaboutIntel

ActiveManagementT echnology(IntelAMT)forLenovo ThinkCentre®M91pdesktopcomputers.Thisdocumentprovidesstep-by-stepinstructionsonhowtouse IntelAMT .

ThisdocumentisintendedfortrainedITprofessionalsorthoseresponsibleforconguringcomputers throughouttheirorganizations.Thereadersshouldhavebasicknowledgeofnetworkandcomputer technology,andbefamiliarwiththetermsTCP/IP,DHCP ,IDE,DNS,SubnetMask,DefaultGateway,Domain Name,andsoon.

Thisdocumentprovidesinformationaboutthefollowingtopics:

Chapter1“IntroductiontoIntelvProandIntelAMT”onpage1:Thischapterprovidesageneralintroduction toIntelvPro

™

andIntelAMT.

Chapter2“FeaturesandbenetsofIntelAMT”onpage3:Thischapterintroducesthefeaturesand benetsofIntelAMT.

Chapter3“MainfeaturesofcomputersbuiltwithIntelAMT”onpage5:Thischapterintroducesthemain featuresofIntelAMTbuilt-incomputers.

Chapter4“IntelAMTsetupandcongurationonLenovoThinkCentreM91pdesktopcomputers”on page7:ThischapterprovidesdetailedinstructionsonhowtocongureIntelAMTsettingsonLenovo ThinkCentreM91pdesktopcomputers.

Chapter5“Webuserinterface”onpage21:Thischapterprovidesinstructionsonhowtoaccessthe IntelAMTWebuserinterface.

©CopyrightLenovo2011

Page 8

viThinkCentreM91pIntelActiveManagementT echnologyCongurationGuide

Page 9

Chapter1.IntroductiontoIntelvProandIntelAMT

IntelvProisabusinesscomputerplatformthatprovidesbusinesscomputerswithenhancedremote managementcapabilities.ForcomputersbuiltwithIntelvPro,ITadministratorscanuseathirdpartysoftware toremotelycollectinventoryinformation,diagnoseproblems,andprovidevariousservicesregardlessof thecomputerpowerstateortheoperatingsystemstate.ITadministratorscanalsoisolateandprotect individualcomputersandthenetworkfromthreats.

AsafeatureofIntelvPro,IntelAMTisdesignedtoprovideremotemanagementofcomputersregardless ofthecomputerpowerstateortheoperatingsystemstateaslongasthecomputersareconnectedtoan electricaloutletandanetwork.

IntelAMTisdesignedasabuildingblockandnotacompletesolution.ThisenablesOriginalEquipment Manufacturers(OEMs)toincorporateIntelAMTintotheirclientandserverhardwareplatforms.Competent andauthorizedthirdpartyapplicationsprovidemanagementandsecurityservicesthattakeadvantageof theIntelAMTfeatures,suchasout-of-bandaccesstoassetinformation,eventlogs,hardwareandsoftware tables,andembeddedcapabilities.

Acronyms

Thefollowingtablelistsandexplainssomeacronymsusedinthisdocument.

AcronymDescription

ACLAccessControlList

AMTActiveManagementTechnology

ASFAlertStandardFormat

BIOSBasicInputOutputSystem

CIRAClientInitiatedRemoteAccess

DHCPDynamicHostCongurationProtocol

DNSDomainNameServer

FQDNFullyQualiedDomainName

FWFirmware

HBPHostBasedProvisioning

HECIHostEmbeddedControllerInterface

IDE-RIntegratedDeviceElectronics-Redirection

IPInternetProtocol

ISVIndependentSoftwareVendor

KVMKeyboard-Video-Mouse

LMSLocalManageabilityService

MEManagementEngine

MEBx

MEI

NVMNonvolatilememory

OEMOriginalEquipmentManufacturer

ManagementEngineBIOSExtension

ManagementEngineInterface

©CopyrightLenovo2011

Page 10

AcronymDescription

OOBOut-of-band

PID/PPS

PKI

PRTCProtectedRealTimeClock

PSK

PXEPrebootExecutionEnvironment

RCFGRemoteConguration

SHASecureHashAlgorithm

SMBSmallandMediumBusinesses

SOLSerial-over-LAN

TCPTransmissionControlProtocol

TLSTransportLayerSecurity

WOL

ZTCZeroTouchConguration

ProvisioningIDandProvisioningPre-sharedKey

PublicKeyInfrastructure

Pre-sharedKey

WakeonLan

2ThinkCentreM91pIntelActiveManagementT echnologyCongurationGuide

Page 11

Chapter2.FeaturesandbenetsofIntelAMT

ThischapterintroducesthefeaturesandbenetsofIntelAMT.

ThefollowingtableliststheLenovobusinesscomputerswithIntelAMTinstalled.

LenovocomputerIntelAMTversion

ThinkCentreM91p

ThinkCentreM90p

ThinkCentreM58p

ThinkCentreM57p

ThinkCentreM55p

Featuresandbenets

ThinkCentreM91pcomputersbuiltwithIntelAMTenableITadministratorstobetterdiscover,heal,and protectthenetworkedcomputingassets.

•Discover:IntelAMTstoreshardwareandsoftwareinformationinnonvolatilememory(NVM).Withbuilt-in

manageability,IntelAMTenablesITadministratorstodiscoverassetsremotely,evenwhencomputersare turnedoff.

•Heal:Thebuilt-inmanageabilityofIntelAMTprovidesout-of-band(OOB)managementcapabilities,which

enableITadministratorstoremotelydiagnosecomputerproblemsandrecovercomputersevenifthe operatingsystemsareinoperable.ProactivealertingandeventlogginghelpITadministratorsdetect problemsquicklytoreducecomputerdowntime.

•Protect:TheIntelAMTsystemdefensefeatureenablesbetterprotectionforcomputersbyproactively

blockingincomingthreats,controllinginfectedcomputersbeforethecomputerscauseproblemsinthe network,andalertingITadministratorswhencriticalsoftwareagentsareremovedfromthecomputers.

IntelAMT7.X

IntelAMT6.X

IntelAMT5.X

IntelAMT3.X

IntelAMT2.X

ThefollowingtableshowsthefeaturesandbenetsofIntelAMT.

Table1.FeaturesandbenetsofIntelAMT

FeaturesBenets

OOBsystemaccess

Remotetroubleshootingandrecovery

ProactivealertingDecreasescomputerdowntimeandminimizesITservice

RemotehardwareassettrackingIncreasesspeedandaccuracywithreducedaccounting

©CopyrightLenovo2011

Enablesremotemanagementofclientsregardlessof clientpowerstateandoperatingsystemstate

SignicantlyreducesIThelpdeskvisitsandincreasesIT serviceefciency

time

costs,comparedwithmanualinventorytracking

Page 12

4ThinkCentreM91pIntelActiveManagementT echnologyCongurationGuide

Page 13

Chapter3.MainfeaturesofcomputersbuiltwithIntelAMT

ComputersbuiltwithIntelAMTversion2.0orlaterhavethefollowingfeaturesandimprovements:

•Remotepowercontrol

–Poweron

–Poweroff

–Powerreset

–Powercycle

•Assetmanagement

–E-Assettag

–OOBhardwareinventory

•IntegratedDeviceElectronics-Redirection(IDE-R)

–Floppyredirection

–CDredirection

•Serial-over-LAN(SOL)

–Screenredirectionbasedontext

–Keyboardredirection

–Networkredirection

•Remoterestart

–Restartfromalocalharddiskdrive

–RestartfromalocalCDorDVDdrive

–RestartfromalocalPrebootExecutionEnvironment(PXE)

•Eventmanagement

–Eventalerting

–Eventlogging

–Auditlog

•Agentpresence

•Systemdefense

•ClientInitiatedRemoteAccess(CIRA)

•Keyboard-Video-Mouse(KVM)redirection

•HostBasedProvisioning(HBP)

CIRA

ThinkCentreM91pcomputersbuiltwithIntelAMTsupporttheClientInitiatedRemoteAccess(CIRA) function.Y oucanperformthisfunctionthroughISVapplications..

TheCIRAfunctionenablesclient-initiated,secureOOBcommunicationtothemanageabilityconsole, whichincludes:

•User-initiatedcall-homefeature

©CopyrightLenovo2011

Page 14

•Scheduled,automatedcall-homefeature(nouserinputrequired)

•T ransportLayerSecurity(TLS)sessionestablishedthroughclientinitiation

KVMredirection

ThinkCentreM91pcomputersbuiltwithIntelAMT7.XsupportKeyboard-Video-Mouse(KVM)redirection overInternetProtocol(IP).KVMredirectionenablesITadministratorstoremotelycontrolthekeyboard,video orvisualdisplayunit,andmouseofthemanagedclients.KVMredirectionhasthefollowingadvantages:

•Workstably

•Basedonhardware

Note:KVMredirectionisbasedonhardwaresothatitcanworkcorrectlyregardlessoftheoperating systemstateofthemanagedclients.

•Manageclientsthroughmanagementserversremotely

•Healing,installationandapplicationssupport

Notes:

1.KVMredirectioninIntelAMT7.XcanbeusedonlyoncomputerswithIntelintegratedgraphics.For computerswithdiscretegraphicscards,theSerial-over-LAN(SOL)functioncanbeusedtosupport remotediagnosticsandrepair.

2.TheKVMuserinterfacesareonlyavailableoncomputersthatsupportKVMredirection.Formore informationaboutKVMuserinterfaces,see“SOL/IDER/KVM”onpage12.

HostBasedProvisioning

ThinkCentreM91pcomputersbuiltwithIntelAMTsupporttheHostBasedProvisioning(HBP)function.As anewfeatureinIntelAMT7.X,thisfunctionprovidesnewinterfacesforsystemsetupandconguration throughoperatingsystems.Italsohelpsreducecostandeffortsrelatedtosystemsetup,conguration, andmaintenance.

ByenablingHBPfunction,youcansimplifyIntelvProtechnologyactivationthroughthefollowingways:

•FullyactivatevProthroughsoftware

•RemotelyndandactivateIntelvProtechnologyinanautomaticmanner

6ThinkCentreM91pIntelActiveManagementT echnologyCongurationGuide

Page 15

Chapter4.IntelAMTsetupandcongurationonLenovo ThinkCentreM91pdesktopcomputers

TheIntelManagementEngine(ME)isanisolatedandprotectedcomputingresourcethatrunsonanIntel AMTcomputer.TheIntelManagementEngineBIOSExtension(MEBx)providesauserinterfacetochangeor conguresettingsthatcontroltheoperationoftheIntelManagementEngine(ME).

AllchangestotheMEplatformcongurationsettingsarenotcachedintheMEBx,butcommittedtotheME nonvolatilememoryuntilyouexittheMEBx.IftheIntelMEBxcrashesintheprocessoftheconguration,the changesthatyouhavemadewillnotbesaved.

Note:ToperformtheCIRAfunction,congureyourcomputerintheMEBxformanualsetupand congurationmodeorautomaticsetupandcongurationmode,andthenusetheCIRAfunctionthroughISV applications.YoudonotneedtodoanyadditionalsetupandcongurationintheMEBx.

IntelAMTcongurationsettingsinSetupUtility

TheSetupUtilityprogramenablesyoutoviewandchangetheIntelAMTrelatedcongurationsettings foryourcomputer.

TovieworchangetheIntelAMTcongurationsettings,dothefollowing:

1.RepeatedlypressandreleasetheF1keywhenturningonthecomputer.Whenyouhearmultiplebeeps orseealogoscreen,releasetheF1key.TheSetupUtilityprogramstarts.

2.FromtheSetupUtilityprogrammainmenu,selectAdvanced➙Intel(R)Managebility.Thefollowing windowwillbedisplayed.

Figure1.Intel(R)ManageabilitycongurationsettingsinSetupUtility

Inthewindow,youcanviewthefollowingIntelAMTcongurationsettings:

©CopyrightLenovo2011

Page 16

Option

Intel(R)ManageabilityControl

Intel(R)AMTReset

Press<Ctrl-P>toEnterMEBx

DefaultsettingDescription

Enabled

DisabledUsedtoenableordisabletheIntel

EnabledUsedtoenableordisablethe

UsedtoenableordisabletheIntel(R) Manageabilityinterface.

AMTresetfunction.

entranceoftheMEBxsetup congurationmenu.

Formoreinformation,seetheinstructionsandthehelpmessagesonthescreen.

IntelMEBxsetupandconguration

ThissectionprovidesinstructionsonhowtosetupandcongureIntelAMTforyourcomputer.

EnteringtheMEBxcongurationuserinterface

RepeatedlypressandreleaseCtrl+Pwhenturningonthecomputer.WhenyouseetheIntelManagement EngineBIOSExtensionwindow,releasetheCtrlandPkeys.Youwillbepromptedtopress1toenterthe IntelMEBxMAINMENUwindow(Figure2)Press1toenterMEcongurationscreenswindow.Y ouwillbe promptedtoentertheIntelMEpassword.TypetheIntelMEdefaultpasswordadminandthenyouwillbe promotedtotypeanewpassword.TosetanewIntelMEpassword,see“ChangeMEPassword”onpage9

Figure2.IntelMEBxMAINMENUwindow

Intel(R)MEGeneralSettings

SelectIntel(R)MEGeneralSettingsintheIntelMEBxMAINMENUwindowandpressEnter.TheINTEL(R)ME PLATFORMCONFIGURATIONwindowopens(Figure3).Thiswindowenablesyoutocongurethegeneral settingsoftheIntelME,suchasMEstate,MEpassword,powercontrol,andsoon.

8ThinkCentreM91pIntelActiveManagementT echnologyCongurationGuide

Page 17

Figure3.INTEL(R)MEPLATFORMCONFIGURATIONwindow

ThefollowingoptionsarelistedintheINTEL(R)MEPLATFORMCONFIGURATIONwindow:

ChangeMEPassword

TheChangeMEPasswordoptionenablesyoutochangetheIntelMEpassword.

TochangetheIntelMEpassword,selectChangeMEPasswordandpressEnter.Typeyournewpassword andpressEnter.Whenpromptedtoconrmthenewpassword,typeyournewpasswordagain.

Passwordconsiderations:Forsecurityreasons,itisrecommendedtouseastrongpasswordthatcannot beeasilycompromised.T osetastrongpassword,usethefollowingguidelines:

•Haveeightto32charactersinlength

•Containatleastonealphabeticcharacter,onenumericcharacter,andonesymbol (!@#$%^&*andsoon)

•Containatleastoneuppercaseletterandonelowercaseletter

•Y oucanalsousethespacebarandunderscore(_).

Notes:

•TheIntelMEpasswordhasalengthlimitof32characters.Ifyouentermorethan32characters,the 32ndcharacterwillbereplacedbythelastcharacteryouenter.Thus,thepasswordwillbecomprised oftherst31charactersandthelastcharacter.

•TheIntelMEpasswordcanberesettothedefaultoneadminintheSetupUtilityprogram.Ifyouwant toresetthepassword,settheIntel(R)AMTResetoptionfromDISABLEDtoENABLED.See“Intel AMTcongurationsettingsinSetupUtility”onpage7.Whenthesystemrestarts,amessageFound uncongurationofIntel(R)MEContinuewithunconguration(Y/N)willbedisplayed.PressY.When youentertheMEBxagain,youwillndthatthepasswordhasbeensuccessfullyresettoadmin.

FWUpdateSettings

SelectFWUpdateSettingsandpressEnter.TheFWUpdateSettingswindowopens.

Chapter4.IntelAMTsetupandcongurationonLenovoThinkCentreM91pdesktopcomputers9

Page 18

Option

LocalFWUpdateYoucanenable,disable,orusetheMEBxpasswordto

protecttheIntelMErmwarelocalupdate.Whenthe LocalFWUpdateoptionissettoENABLED,theIT administratorcanupdatetheIntelMErmwarelocally throughthelocalIntelMEinterfaceorthroughthelocal secureinterface.WhentheLocalFWUpdateoptionis settoDISABLED,thelocalIntelMErmwareupdateis notallowed.WhentheLocalFWUpdateoptionissetto PasswordProtected,LocalFWupdateisprotectedby theMEBxpassword.

Description

SetPRTC

SelectSetPRTCintheINTEL(R)MEPLA TFORMCONFIGURATIONwindowandpressEnter.Y ouare promptedtoentertheProtectedRealTimeClock(PRTC)valueinCoordinatedUniversalTime(UTC)format (YYYY:MM:DD:HH:MM:SS).SettingaPRTCvaluehelpsmaintainthePRTCwhenyourcomputeristurned off.ThevalidPRTCdaterangesfromJanuary1,2004toJanuary4,2021.

PowerControl

ThePowerControlmenuenablesyoutoconguretheMEpowercontrolpolicies.Toconformwiththe ENERGYSTARprogramandtheEuPLot6requirements,theIntelMEcanbeturnedoffinvarioussleep states.SelectPowerControlandpressEnter.TheINTEL(R)MEPOWERCONTROLwindowopens.Inthe INTEL(R)MEPOWERCONTROLwindow,thefollowingoptionswillbedisplayed.

10ThinkCentreM91pIntelActiveManagementT echnologyCongurationGuide

Page 19

Option

Intel(R)MEONinHostSleepStates

IdleTimeout

Description

UsedtospecifywhentheIntelMEwillbeturnedon. SelectIntel(R)MEONinHostSleepStatesandpress Enter.Youcanchoosewhichpowerpackagewillbeused.

•Desktop:ONinS0–Thisoptionmeansonlywhen yourcomputeristurnedonandoperationalwillthe IntelMEbeturnedon.

•Desktop:ONinS0,MEWakeinS3,S4-5–This optionmeanstheIntelMEwillbeturnedonwhenyour computeristurnedonandoperational.TheIntelME canberemotelywokenupwhenyourcomputerisin sleepmode,hibernationmode,orturnedoff.

Notes:

–S0:Poweronstate

–S3:Standbysleepstate

–S4:Hibernatesleepstate

–S5:Shutdownsleepstate

WithIntelMEWakeonLan(WOL),afterthetime-outtimer expires,theIntelMEremainsintheM-off commandissenttotheIntelME.Afterthiscommandis sent,theIntelMEwilltransitiontotheM0 andwillrespondtothenextcommand.Apingtothe IntelMEcanalsomaketheIntelMEtransitiontoanM0 orM3state.IntelMEtakesashorttimetotransitionfrom theM-offstatetotheM0orM3state.Duringthistime, thesystemwillnotrespondtoanyIntelMEcommands. WhentheIntelMEisintheM0orM3state,thesystem willrespondtoIntelMEcommands.

UsedtoenabletheIntelMEtowakeupanddenethe IntelMEidletimeoutintheM3state.Theidletimeout valueindicatestheamountoftimethattheIntelMEis allowedtoremainidleintheM3statebeforetransitioning totheM-offstate.Theidletimeoutvalueshouldbe enteredinminutes. Note:IftheIntelMEisintheM0state,itwillnottransition totheM-offstate.

stateuntila

orM3

state

Intel(R)AMTConguration

TheIntel(R)AMTCongurationmenuenablesyoutocongureanIntelAMTcapablecomputertosupport theIntelAMTmanagementfeatures.

SelectIntel(R)AMTCongurationfromtheIntelMEBxMAINMENUwindowandpressEnter.Amessage willbedisplayedindicatingthatyoucanupdatenetworksettingsfromtheIntel(R)MEGeneralSettings menu.PressEnterandtheINTEL(R)AMTCONFIGURATIONwindowopens(Figure4).

1.M-off:AnIntelMEFWpowerstatewhentheIntelMEFWisshutdown.

2.M0:AnIntelMEFWpowerstatewhentheIntelAMTcomputeristurnedonandoperational.

3.M3:AnIntelMEFWpowerstatewhentheIntelAMTcomputerisinsleepmode,hibernationmode,orturnedoff.

Chapter4.IntelAMTsetupandcongurationonLenovoThinkCentreM91pdesktopcomputers11

Page 20

Figure4.INTEL(R)AMTCONFIGURA TIONwindow

ThefollowingoptionsarelistedintheINTEL(R)AMTCONFIGURATIONwindow:

•“ManageabilityFeatureSelection”onpage12

•“SOL/IDER/KVM”onpage12

•“UserConsent”onpage13

•“PasswordPolicy”onpage14

•“NetworkSetup”onpage14

•“ActivateNetworkAccess”onpage16

•“UncongureNetworkAccess”onpage16

•“RemoteSetupAndConguration”onpage17

ManageabilityFeatureSelection

TheManageabilityFeatureSelectionoptionisusedtoenableordisabletheIntelMEmanageability feature.ThedefaultsettingisENABLED.

Note:IfyoudisabletheManageabilityFeatureSelectionfunction,allthenetworksettingsincludingACLs willberesettofactorydefaultsettings.

SOL/IDER/KVM

SelectSOL/IDER/KVMintheINTEL(R)AMTCONFIGURATIONwindowandpressEnter.TheSOL/IDER/KVM windowopens.Thefollowingoptionswillbedisplayed.

Option

Username&Password

Description

Usedtoenableordisabletheusernameandpassword fortheSOL/IDERsession.IftheKerberosnetwork authenticationprotocolisused,thisoptionshouldbe settoDISABLEDbecausetheuserauthenticationis managedthroughKerberos.IftheKerberosnetwork authenticationprotocolisnotused,theITadministrator canchoosetoenableordisabletheusernameand passwordfortheSOL/IDERsession.

12ThinkCentreM91pIntelActiveManagementT echnologyCongurationGuide

Page 21

Option

SOLUsedtoenableordisableSOL.Iftheclientsupports

IDER

LegacyRedirectionModeUsedtoenableordisablelegacyredirectionmode.

KVM

Description

SOLandSOLisenabledontheclient,theIntelAMT managedclientinputoroutputcanberedirectedto themanagementserverconsole.Iftheclientdoesnot supportSOL,theSOLoptioncannotbeenabled.

UsedtoenableordisableIDE-R.IfIDE-Risenabled,the IntelAMTmanagedclientcanbebootedfromremote diskimagesthroughamanagementserverconsole.Ifthe clientdoesnotsupportIDE-R,theIDERoptioncannot beenabled.

Legacyredirectionmodecontrolshowtheredirection works. Attention:ThedefaultsettingisDISABLED,whichis usedforenterpriseconsolesandnewSmallandMedium Businesses(SMB)consoles.Ifyouareusingalegacy SMBRedirectionConsole,youmustsettheLegacy RedirectionModefeaturetoENABLED.

UsedtoenableordisableKVMfeature.

UserConsent

TheUserConsentoptionspecieswhetherthelocaluserconsentisrequiredtoestablishaKVMremote controlsessionoveracomputer,andwhethertheuserofthecomputercanconguretheKVMOpt-InPolicy.

IfyoupressEnter,thefollowingoptionswillbedisplayed.

•UserOpt-in

UsedtospecifywhethertheuserconsentisrequiredtoestablishaKVMremotecontrolsessionovera computer.

–WhenthisoptionissettoNone,thelocaluserconsentisnotrequiredtoestablishaKVMremote

controlsessionoveracomputer.

–WhenthisoptionissettoKVM,thelocaluserconsentisrequiredtoestablishaKVMremotecontrol

sessionoveracomputer.

–WhenthisoptionissettoAll,thelocaluserconsentisrequiredtoestablishanIDER,KVM,orSOL

remotecontrolsessionoveracomputer.

Note:WhenusingHostBasedProvisioning,clientmodewilloverridethissettingandonly“ALL”option canbeselectedandtheothertwooptionswillbedisabled.

•Opt-inCongurablefromRemoteIT

UsedtoenableordisableremotecongurationoftheUserOpt-insetting.

IfyoupressEnter,thefollowingoptionswillbedisplayed:

•DisableRemoteControlofKVMOpt-inPolicy–Whenthisoptionisselected,remoteuserscannot changetheUseropt-inpolicy,andonlythelocalusercanmodifythepolicy.

•EnableRemoteControlofKVMOpt-inPolicy–Whenthisoptionisselected,remoteuserscanchange theUseropt-inpolicy,andcanchoosewhethertorequestconsentfromthelocaluserbeforetheKVM remotecontrolsessionoveracomputerisestablished.

Chapter4.IntelAMTsetupandcongurationonLenovoThinkCentreM91pdesktopcomputers13

Page 22

PasswordPolicy

ThePasswordPolicyoptionspecieswhenyoucanchangetheMEBxpasswordthroughthenetwork interface.

TheIntelMEBxpasswordisthepasswordenteredbytheuseraftertheuserpressesCtrl+P.Thenetwork passwordisthepasswordenteredbytheuserwhentheuserisaccessinganIntelMEenabledcomputer throughthenetwork.

Note:Bydefault,thetwopasswordsarethesameuntilthenetworkpasswordischangedthroughthe network.Oncechangedoverthenetwork,thenetworkpasswordwillalwaysbekeptseparatefromthelocal IntelMEBXpassword.

SelectPasswordPolicyandpressEnter,thefollowingthreeoptionswillbedisplayed.

Option

DEFAUL TPASSWORDONL Y

DURINGSETUPANDCONFIGURATION

ANYTIMEThisoptionenablesyoutochangetheMEBxpassword

ThisoptionenablesyoutochangetheMEBxpassword whentheMEBxpasswordhasnotbeenmodied.

ThisoptionenablesyoutochangetheMEBxpassword duringthesetupandconguration.Youcannotmodify theMEBxpasswordafterthesetupandconguration processiscompleted.

anytime.

Description

NetworkSetup

TheNetworkSetupmenuenablesyoutocongurenetworksettings.SelectNetworkSetupandpressEnter. TheINTEL(R)NETWORKSETUPwindowopens.Thefollowingoptionswillbedisplayed:

•“Intel(R)MENetworkNameSettings”onpage14

•“TCP/IPSettings”onpage15

Intel(R)MENetworkNameSettings

IntheINTEL(R)NETWORKSETUPwindow,selectIntel(R)MENetworkNameSettingsandpressEnter. Thefollowingoptionswillbedisplayed.

Option

HostName

DomainName

Shared/DedicatedFQDNEnablesyoutospecifywhethertheFullyQualiedDomain

DynamicDNSUpdateUsedtoenableordisabletheDynamicDNS(Domain

EnablesyoutosetahostnameforyourIntelAMT computer.

EnablesyoutosetadomainnameforyourIntelAMT computer.

Name(FQDN)isadedicateddomainnameforIntelAMT orsharedbybothIntelAMTandyouroperatingsystem.

NameServer)UpdateClientinthermware.Whenthe DynamicDNSUpdatefeatureissettoENABLED, thermwarewillautomaticallyregisteritsIPaddress andFQDNontheDNSusingtheDynamicDNSUpdate protocol. Note:Setthehostnameanddomainnamebeforeyou enabletheDynamicDNSUpdatefeature.

Description

14ThinkCentreM91pIntelActiveManagementT echnologyCongurationGuide

Page 23

Option

PeriodicUpdateIntervalEnablesyoutosettheintervalbetweeneverytwo

successionalupdatesthattheDynamicDNSUpdate ClientinthermwaresendstotheDNS.

Notes:

1.ThePeriodicUpdateIntervaloptionisonlyavailable whentheDynamicDNSUpdatefeatureisenabled.

2.Theintervalunitisminute.Theintervalvalueshould bezeroornosmallerthan20.Bysettingtheinterval valuetozero,youdisabletheperiodicupdatefeature.

TTL

EnablesyoutosettheTimeT oLive(TTL)valuein seconds.

Notes:

1.TheTTLoptionisonlyavailablewhentheDynamic DNSUpdatefeatureisenabled.

2.TheTTLvalueshouldbegreaterthanzero.IftheTTL valueissettozero,thermwarewillusethedefault value,whichis900seconds.

Description

TCP/IPSettings

SelectTCP/IPSettingsandpressEnter.TheTCP/IPSETTINGSwindowopens.Thefollowingoptions willbedisplayed:

•“WiredLANIPV4Conguration”onpage15

•“WiredLANIPV6Conguration”onpage15

WiredLANIPV4Conguration

SelectWiredLANIPV4Conguration➙DHCPMode.TheDHCPModeoptionisusedtoenableor disableDHCPmode.WithDHCPmodeenabled,theTCP/IPsettingswillbeconguredbyaDHCPserver.

WithDHCPmodedisabled,theoptionsinthefollowingtablewillbedisplayed.Youwillberequiredto congurethestaticTCP/IPsettingsfortheIntelAMTcomputer.Ifthesystemisinstaticmode,asecond IPaddressisrequired.ThissecondIPaddressisoftencalledtheIntelMEIPaddressandisdifferent fromthehostIPaddress.

Option

IPV4Address

SubnetMaskAddress

DefaultGatewayAddress

PreferredDNSAddressEnablesyoutoenterthepreferredDNSaddressforyour

AlternateDNSAddressEnablesyoutoenterthealternateDNSaddressforyour

EnablesyoutoentertheIntelMEIPaddressforyourIntel AMTcomputer.

Enablesyoutoenterthesubnetmaskaddressforyour IntelAMTcomputer.

Enablesyoutoenterthedefaultgatewayaddressforyour IntelAMTcomputer.

IntelAMTcomputer.

Description

WiredLANIPV6Conguration

SelectWiredLANIPV6CongurationandpressEnter.TheWIREDLANIPV6CONFIGURATIONwindow opens.

Chapter4.IntelAMTsetupandcongurationonLenovoThinkCentreM91pdesktopcomputers15

Page 24

TheIntelMEnetworkstacksupportsamultihomedIPv6interface.EachIPv6networkinterfacecanbe conguredwiththefollowingIPv6addresses:

•Oneauto-conguredlink-localaddress

•Threeauto-conguredglobaladdresses

•OneDHCPv6-conguredaddress

•OnestaticallyconguredIPv6address

TheIntelMEIPv6addressesarededicatedandnotsharedwiththehostoperatingsystem.Toenable DynamicDNSregistrationforIPv6addresses,youwillneedtocongureadedicatedFQDN.

TheIPV6FeatureSelectionoptionisusedtoenableordisabletheIPv6interface.WithIPV6Feature

Selectionenabled,thefollowingoptionswillbedisplayed.

Option

IPV6InterfaceIDType

IPV6Address

IPV6DefaultRouter

PreferredDNSIPV6AddressEnablesyoutoenterthepreferredDNSIPv6addressforyourIntel

AlternateDNSIPV6AddressEnablesyoutoenterthealternateDNSIPv6addressforyourIntel

UsedtospecifytheIPv6InterfaceIDtype. TherearethreetypesofIPv6InterfaceIDs:

•RandomID:TheIPv6InterfaceIDisautomaticallygenerated usingarandomnumberasdescribedinRequestforComments (RFC)3041.

•IntelID:TheIPv6InterfaceIDisautomaticallygeneratedusingthe MediaAccessControl(MAC)address.

•ManualID:TheIPv6InterfaceIDismanuallycongured.Selecting thisoptionrequiresthattheManualInterfaceIDissettoavalid value.

EnablesyoutoentertheIPv6addressforyourIntelAMTcomputer.

EnablesyoutoentertheIPv6defaultrouterforyourIntelAMT computer.

AMTcomputer.

Description

ActivateNetworkAccess

TheActivateNetworkAccessoptionenablesyoutoactivatethecurrentnetworksettingsandopenthe IntelMEnetworkinterface.WithoutActivatingNetworkAccess,MEwillnotbeabletoconnecttothe network.SelectActivateNetworkAccessandpressEnter.PressYorNdependingonwhetheryouwant toactivatethecurrentnetworksettings.

ActivatingnetworkaccesswillcausetheIntelMEtotransitiontothepostprovisioningstateifallrequired settingshavebeencongured.

UncongureNetworkAccess

TheUncongureNetworkAccessoptionenablesyoutoresetnetworksettingsincludingnetworkaccess controllists(ACLs)tofactorydefaultsettings.SelectUncongureNetworkAccessandpressEnter.PressY orNwhenprompted.

IfyoupressY,thefollowingoptionswillbedisplayed.

16ThinkCentreM91pIntelActiveManagementT echnologyCongurationGuide

Page 25

Description

FullUnprovision

PartialUnprovision

Option

UsedtoresetalltheIntelAMTsettingstothefactory defaultsettingsexcepttheMEBxpassword.

UsedtoresetalltheIntelAMTsettingstothefactory defaultsettingsexceptthePID/PPSandtheMEBx password.

RemoteSetupAndConguration

SelectRemoteSetupAndCongurationandpressEnter.TheINTEL(R)AUTOMATEDSETUPAND CONFIGURATIONwindowopens.Thefollowingoptionswillbedisplayed:

•“CurrentProvisioningMode”onpage17

•“ProvisioningRecord”onpage17

•“RCFG”onpage18

•“ProvisioningServerIPV4/IPV6”onpage18

•“ProvisioningServerFQDN”onpage18

•“TLSPSK”onpage18

•“TLSPKI”onpage18

CurrentProvisioningMode

TheCurrentProvisioningModeoptionshowsyouthecurrentprovisioningTLSmode:None,PKI(Public KeyInfrastructure),orPSK(Pre-sharedKey).

ProvisioningRecord

TheProvisioningRecordoptionshowsyoutheprovisionPSKorPKIrecorddataofyourcomputer.Ifno datahasbeenentered,amessagewillbedisplayedindicatingthattheprovisionrecordisnotpresent.Ifthe recorddatahasbeenentered,thefollowingprovisionrecordswillbedisplayed:

•TLSprovisioningmode–Displaysthecurrentcongurationmodeofthesystem:None,PSK,orPKI.

•ProvisioningIP–DisplaystheIPofthesetupandcongurationserver.

•DateofProvision–Displaysthedateandtimeoftheprovision.

•DNS–IndicateswhetherthePKIDNSsufxwasconguredintheIntelMEBXbeforeremoteconguration takeseffect.Avalueof0indicatesthatthePKIDNSsufxwasnotcongured.Avalueof1indicates thatthePKIDNSsufxwascongured.

Chapter4.IntelAMTsetupandcongurationonLenovoThinkCentreM91pdesktopcomputers17

Page 26

•HostInitiated–Displayswhetherthesetupandcongurationprocesswasinitiatedbythehost:No indicatesthesetupandcongurationprocesswasnotinitiatedbythehost;Yesindicatesthesetupand congurationprocesswasinitiatedbythehost.(PKIonly)

•HashData–Displaysthe40-charactercerticatehashdata.(PKIonly)

•HashAlgorithm–Describesthehashtype.CurrentlyonlySHA1(SecureHashAlgorithm1)issupported. (PKIonly)

•IsDefault–DisplaysYesiftheHashalgorithmisthedefaultalgorithm.DisplaysNoifthehashalgorithm isnotthedefaultalgorithm.(PKIonly)

•FQDN–DisplaystheFQDNoftheprovisioningservermentionedinthecerticate.(PKIonly)

•SerialNumber–Displaysthe32-characterCerticateAuthorityserialnumber.

•TimeValidityPass–Indicateswhetherthecerticatehaspassedthetimevaliditycheck.

RCFG SelectRCFGandpressEnter.TheINTEL(R)REMOTECONFIGURATIONwindowopens.SelectStart

CongurationandpressEnter.PressYorNwhenyouarepromptedtoactivatetheremoteconguration.

ProvisioningServerIPV4/IPV6

TheProvisioningServerIPV4/IPV6optionenablesyoutoentertheIPaddressoftheIntelAMTprovisioning serverandtheportnumberoftheIntelAMTprovisioningserver.Theportnumberrangesfrom0to65535. Thedefaultportnumberis9971.

ProvisioningServerFQDN

SelectProvisioningServerFQDNandpressEnter.YouwillbepromptedtoentertheFQDNoftheIntel AMTprovisioningserver.

TLSPSK

SelectTLSPSKandpressEnter.TheINTEL(R)TLSPSKCONFIGURATIONwindowopens.Thefollowing optionswillbedisplayed.

Option

SetPIDandPPSUsedtoentertheProvisioningID(PID)andProvisioning

Pre-sharedKey(PPS).ThePIDandPPSshouldbeentered inthedashformat(forexample,1234-ABCDforPIDand 1234-ABCD-1234-ABCD-1234-ABCD-1234-ABCDfor PPS).

Notes:

1.APPSvalueof 0000-0000-0000-0000-0000-0000-0000-0000will notchangethesetupcongurationstate.Ifthis valueisused,thesetupandcongurationstatewill stayasNot-started.

2.SettingthePID/PPSwillcauseapartialunprovisionif thesetupandcongurationisIn-process.

DeletePIDandPPSUsedtodeletethecurrentPIDandPPSstoredonthe

IntelME. Note:DeletingthePIDandPPSwillcauseapartial unprovisionifthesetupandcongurationisIn-process.

Description

TLSPKI SelectTLSPKIandpressEnter.TheINTEL(R)REMOTECONFIGURATIONwindowopens.TheRemote

Congurationoptionisusedtoenableordisabletheremoteconguration.Enablingordisablingremote

18ThinkCentreM91pIntelActiveManagementT echnologyCongurationGuide

Page 27

congurationwillcauseapartialunprovisionifthesetupandcongurationserverisInProcess.Whenthe RemoteCongurationoptionisenabled,thefollowingoptionswillbedisplayed.

Option

PKIDNSSufxUsedtoenterthePKIDNSSufxforyourIntelAMT

computer.KeyvaluewillbemaintainedintheEPS.

ManageHashesUsedtolistallthehashesonthesystem,includingthe

hashnamesandthehashstates.Thefollowingkeysare usedtomanagethehashes:

•Esc:Usedtoexitfromthehashmanagementwindow.

•Insert:Usedtoaddacustomizedcerticatehashto thesystem.Toaddanewcerticatehash,dothe following:

1.PressInsertandtypethenewhashname.

Note:Thehashnamemustbenolongerthan32 characters.

2.EnterthecerticatehashdataforIntelAMTwhen prompted.TheCerticatehashdataisa20-byte hexadecimalnumberforSHA-1anda32-bytefor SHA-2.Enterthehashdatainthecorrectformat andthenpressEnter.

Note:

Youcanchoosewhichhashalgorithmwillbeused.

a.SHA1

b.SHA2-256

c.SHA2-384

3.PressYtoactivatethecerticatehashwhen prompted.

•Delete:Usedtodeletethecurrentlyselectedcerticate hash.Acerticatehashthatisnotactivecannotbe deleted.

•+:Usedtochangetheactivestateofthecurrently selectedcerticatehash.Settingahashasactive indicatesthatthehashisavailableforuseduringPSK provisioning.

•Enter:Usedtoviewthedetailsofthecurrentlyselected certicatehash.PressEnterinthehashmanagement window.Thedetailsoftheselectedcerticatehashwill bedisplayed,includingthehashname,certicatehash data,andtheactiveanddefaultstates.

Description

Driverdescription

ThissectionprovidesinformationaboutAMTdrivers.Readthefollowingdriverdescriptionsifyouaregoing touseIntelAMTintheMicrosoftWindows

environment.

MEI

TheIntelAMTManagementEngineInterface(MEI)istheinterfacebetweenthehostandtheIntelME.The IntelAMTMEIisbi-directionalsothatboththehostandtheIntelAMTrmwarecaninitiatetransactions.

Chapter4.IntelAMTsetupandcongurationonLenovoThinkCentreM91pdesktopcomputers19

Page 28

Inaddition,transactionscanbecompletedbytheIntelMErstandthenthehostcanbesynchronized withtheIntelMElater.

LMS

LocalManageabilityService(LMS)isaservicethatrunslocallyinthehostoperatingsystem.LMSexposes AMTfunctionalitythroughstandardinterfaces(forexample,general-informationinterface,rmwareupdate interface,localagent-presenceinterface,andsoon.)LMSisanabstractionthatsitsontopoftheHost EmbeddedControllerInterface(HECI)driver(andtheME)thatinteractswiththeMEusingstandardinterfaces.

LMSlistensfortherequestdirectedtotheAMTlocalhost.WhenanapplicationsendsSOAP/HTTP messagestothelocalhost,LMSinterceptstherequestandsendstherequesttotheManagementEngine InterfacethroughtheHECIdriver.

SOL

TheSOLdriverisanIntelAMTMEdriver.Thisdriverenablestheremotedisplayofthemanagedclientuser interfacethroughamanagementconsoleandemulatesserialcommunicationoverastandardnetwork connection.

20ThinkCentreM91pIntelActiveManagementT echnologyCongurationGuide

Page 29

Chapter5.Webuserinterface

BesidesmanagingyourcomputerswithISVapplications,youcanalsoperformsomebasicmanagement functionsthroughtheWebuserinterface,suchaspowercontrollingandassetinventory.

TheIntelMEprovidesaWebuserinterface,whichenablesyoutocheckthestatusofIntelAMTaswell.If youcanaccesstheWebuserinterface,yourAMTsetupandcongurationiscorrect.

AccessingtheWebuserinterface

ThissectionprovidesinstructionsonhowtoaccesstheAMTWebuserinterface.

ConguringtheIntelAMTcomputer

ToaccesstheWebuserinterface,youneedtoconguretheIntelAMTcomputerrst.ToconguretheIntel AMTsettingsforaccessingtheWebuserinterface,dooneofthefollowing:

•Manualsetupandcongurationmode

1.RepeatedlypressandreleaseCtrl+Pwhenturningonthecomputer.WhenyouseetheIntel ManagementEngineBIOSExtensionwindow,releasetheCtrlandPkeys.Press1toenterthe IntelMEBxMAINMENUwindow.TypethedefaultpasswordadminandthenchangetheIntelME password.

2.SelectIntel(R)AMTconguration➙NetworkSetup.

3.IntheINTEL(R)NETWORKSETUPwindow,selectIntel(R)MENetworkNameSettingsandthen pressEnter.SetthehostnameanddomainnameforyourIntelAMTcomputer.

4.IntheINTEL(R)NETWORKSETUPwindow,selectTCP/IPSettingsandpressEnter.Congure TCP/IPsettingsintheTCP/IPSETTINGSwindow.

5.IntheINTEL(R)MEPLATFORMCONFIGURATIONwindow,selectActivateNetworkAccessand pressEnter.PressYwhenprompted.

6.SelectExitintheIntelMEBxMAINMENUwindowtoexittheMEBx.

•Automaticsetupandcongurationmode

2.SelectIntel(R)AMTconguration➙NetworkSetup➙TCP/IPSettings.CongureTCP/IP settingsintheTCP/IPSETTINGSwindow.

3.SelectIntel(R)AMTconguration➙RemoteSetupAndConguration➙TLSPKIorTLSPSK. SetyourvalidhashorPID/PPS.

4.SelectIntel(R)AMTconguration➙RemoteSetupAndConguration➙RCFG.TheINTEL(R) REMOTECONFIGURATIONwindowopens.SelectStartCongurationandpressEnter.PressY whenyouarepromptedtoactivatetheremoteconguration.

5.SelectExitintheIntelMEBxMAINMENUwindowtoexittheMEBx.

6.WaituntiltheprovisionserversuccessfullyprovisionsyourIntelAMTcomputer.

Note:Youcanrefertodetailedcongurationexamplesforbothmanualsetupandcongurationmodeand automaticsetupandcongurationmodeinAppendixA“ExamplesofconguringIntelAMTinmanualand automaticsetupandcongurationmodes”onpage23

Page 30

Loggingontotheclient

TheclientcanbeaccessedfromamanagementconsoleonthenetworkthathasasupportedWebbrowser.

1.OpenaWebbrowseronthemanagementconsoleandtypeoneofthefollowingintheaddressbox:

•Formanualsetupandcongurationmode: http://IP_Address:16992(forexample,http://192.168.1.13:16992)

•Forautomaticsetupandcongurationmode(forTLS): https://IP_Address:16993(forexample,https://192.168.1.13:16993)

2.ClickLogOnintheIntelActiveManagementTechnologywindow.

3.IntheEnterNetworkPasswordwindow,enteryourusernameandpasswordandthenclickOK.Youwill gototheclientWebuserinterface.

FunctionsintheWebuserinterface

TheWebuserinterfaceenablesyoutoperformthefollowingtasks:

•Viewthesystemstatus

•ViewthehardwareinformationofyourAMTcomputer,includingsystem,processor,memory,andhard diskdrive

•View,start,stop,andcleareventlogs

•Remotepowercontrol,including:turnthecomputeroff,cyclepoweroffandon,reset,normalstartup, startthecomputerfromalocalopticaldrive,andstartthecomputerfromalocalharddiskdrive

•ViewandmanagetheIntelAMTpowerpolicies

•ViewandmanagetheIntelAMTnetworksettings

•ViewandmanagetheIntelAMTIPv6networksettings

•ViewandmanagetheIntelAMTsystemnamesettings

•ViewandmanagetheIntelAMTuseraccounts

22ThinkCentreM91pIntelActiveManagementT echnologyCongurationGuide

Page 31

AppendixA.ExamplesofconguringIntelAMTinmanualand automaticsetupandcongurationmodes

ThisappendixprovidesexamplesofconguringIntelAMTinmanualandautomaticsetupandconguration modes.

ConguringIntelAMTinmanualsetupandcongurationmode

ThefollowingarequickstepsforconguringIntelAMTinmanualsetupandcongurationmode:

1.RepeatedlypressandreleaseCtrl+Pwhenturningonthecomputer.WhenyouseetheIntel ManagementEngineBIOSExtensionwindow,releasetheCtrlandPkeys.Press1toentertheIntel MEBxMAINMENUwindow.TypethedefaultpasswordadminandthenchangetheIntelMEpassword.

2.SelectIntel(R)AMTConguration➙NetworkSetup➙Intel(R)MENetworkNameSettings.

3.IntheINTEL(R)MENETWORKNAMESETTINGSwindow,congurethehostnameanddomainname foryourIntelAMTcomputer.

4.IntheINTEL(R)MEPLATFORMCONFIGURATIONwindow,selectPowerControl.

5.SelectIntel(R)MEONinHostSleepStatesandpressEnter.

6.SelectDesktop:ONinS0,MEWakeinS3,S4-5andpressEnter.

7.IntheINTEL(R)MEPLATFORMCONFIGURA TIONwindow,selectActivateNetworkAccessand pressEnter.PressYwhenprompted.

8.SelectExitintheIntelMEBxMAINMENUwindowtoexittheMEBx.

ConguringIntelAMTinautomaticsetupandcongurationmode

Therearethefollowingtwocongurationmethodsinautomaticsetupandcongurationmode:

•“ZTCprovisioning”onpage23

•“USBprovisioning”onpage24

ZTCprovisioning

ThissectionprovidesinstructionsonhowtousetheZTCprovisioningmethod.

1.RepeatedlypressandreleaseCtrl+Pwhenturningonthecomputer.WhenyouseetheIntel ManagementEngineBIOSExtensionwindow,releasetheCtrlandPkeys.Press1toentertheIntel MEBxMAINMENUwindow.TypethedefaultpasswordadminandthenchangetheIntelMEpassword.

2.SelectIntel(R)AMTConguration➙NetworkSetup➙Intel(R)MENetworkNameSettings.

3.IntheINTEL(R)MENETWORKNAMESETTINGSwindow,congurethedomainnameandhostname foryourIntelAMTcomputer.

4.IntheINTEL(R)AMTCONFIGURATIONwindow,selectRemoteSetupAndConguration➙TLSPKI ➙MangeHashes.PressInsertandthensetupyourowncerticatehashes.

5.IntheINTEL(R)AMTCONFIGURA TIONwindow,selectRemoteSetupAndConguration➙ ProvisioningServerIPV4/IPV6.Enterthepropervalueifneeded

6.IntheINTEL(R)AMTCONFIGURA TIONwindow,selectRemoteSetupAndConguration➙ ProvisioningServerFQDN.Enterthepropervalueifneeded

7.IntheINTEL(R)MEPLATFORMCONFIGURATIONwindow,selectPowerControl➙Intel(R)MEON

inHostSleepStates.

Page 32

8.SelectDesktop:ONinS0,MEWakeinS3,S4-5andpressEnter.

9.IntheINTEL(R)MEPLATFORMCONFIGURA TIONwindow,selectRemoteSetupAndConguration➙

RCFG

10.SelectStartCongurationandpressEnter.PressYwhenprompted.

11.SelectExitintheIntelMEBxMAINMENUwindowtoexittheMEBx.

USBprovisioning

ThissectionprovidesinstructionsonhowtousetheUSBprovisioningmethod.

1.RepeatedlypressandreleasetheF1keywhenturningontheIntelAMTcomputer.Whenyouhear multiplebeepsorseealogoscreen,releasetheF1key.TheSetupUtilityprogramstarts.

2.FromtheSetupUtilityprogrammainmenu,selectAdvanced➙Intel(R)Manageability➙Intel(R) ManageabilityReset.SelectEnabledandpressEnter.

3.PressF10tosaveyoursettingsandexittheSetupUtilityprogram.Thecomputerwillrestarttoreset allIntelMEsettingstofactorydefaultsettings.

4.PressYwhenyouarepromptedtocontinuewiththeIntelMEunconguration.

5.FormatyourUSBmemorykeyintoFATformat.

Note:ThecapacityofUSBmemorykeyshouldbenomorethan2GB.

6.UseanISVapplicationtocreateaUSBkeylenamedsetup.binonthemanagementconsole.

7.Exportthesetup.binletoyourUSBmemorykey.

8.ConnecttheUSBmemorykeytoyourIntelAMTcomputerandrestartyourcomputerfromtheUSB memorykey.

9.Youwillreceiveamessage²FoundUSBKeyforprovisioning.ContinuewithAutoProvisioning(Y/N).² PressYandthentheUSBprovisioningwillbeautomaticallycompleted.

24ThinkCentreM91pIntelActiveManagementT echnologyCongurationGuide

Page 33

AppendixB.FactorydefaultsettingsfortheIntelMEBx

ThefollowingtableintroducesthefactorydefaultsettingsfortheIntelMEBx.

Table2.FactorydefaultsettingsfortheIntelMEBx

Option

IntelMEBxdefault password

ChangeMEPassword

LocalFWUpdateENABLED

SetPRTC

Intel(R)MEONinHost SleepStates

IdleTimeout65535

ManageabilityFeature Selection

Username&PasswordENABLED

SOL

IDERENABLED

LegacyRedirectionMode

KVMENABLED

UserOpt-in

Opt-inCongurablefrom RemoteIT

Defaultsetting

admin

Blank

BlankActivateNetworkAccessActivatesthecurrent

Desktop:ONinSO

ENABLEDProvisioningRecordProvisionRecordisnot

ENABLED

DISABLEDSetPIDandPPS

KVM

EnableRemoteControlof KVMOpt-InPolicy

Option

DynamicDNSUpdateDISABLED

DHCPMode

IPV6FeatureSelectionDISABLED

UncongureNetwork Access

CurrentProvisioningMode

StartConguration

ProvisioningServer IPV4/IPV6

ProvisioningServerFQDN

DeletePIDandPPS

RemoteConguration

PKIDNSSufx

Defaultsetting

ENABLED

networksettingsandopens theMEnetworkinterface Continue:(Y/N)

FullUnprovision

ProvisioningMode:PKI

present

ThiswillactivateRemote Conguration. Continue:(Y/N)

Blank

ThiswilldeletethePIDand PPSentries. Continue:(Y/N)

ENABLED

Blank

Page 34

Table2.FactorydefaultsettingsfortheIntelMEBx(continued)

Option

PasswordPolicyAnytimeManageHashes

HostNameBlank

DomainNameBlank

Shared/DedicatedFQDNShared

Defaultsetting

Option

Defaultsetting

VeriSignClass3Primary CA-G1 VeriSignClass3Primary CA-G3 GoDaddyClass2CA ComodoAAACA StareldClass2CA VeriSignClass3Primary CA-G2 VeriSignClass3Primary CA-G1.5 VeriSignClass3Primary CA-G5 GTECyberTrustGlobal Root BaltimoreCyberT rustRoot CybertrustGlobalRoot VerizonGlobalRoot Entrust.netCA(2048) EntrustRootCA VeriSignUniversalRootCA LenovoAMT

26ThinkCentreM91pIntelActiveManagementT echnologyCongurationGuide

Page 35

AppendixC.Notices

Lenovomaynotoffertheproducts,services,orfeaturesdiscussedinthisdocumentinallcountries.Consult yourlocalLenovorepresentativeforinformationontheproductsandservicescurrentlyavailableinyour area.AnyreferencetoaLenovoproduct,program,orserviceisnotintendedtostateorimplythatonlythat Lenovoproduct,program,orservicemaybeused.Anyfunctionallyequivalentproduct,program,orservice thatdoesnotinfringeanyLenovointellectualpropertyrightmaybeusedinstead.However,itistheuser's responsibilitytoevaluateandverifytheoperationofanyotherproduct,program,orservice.

Lenovomayhavepatentsorpendingpatentapplicationscoveringsubjectmatterdescribedinthis document.Thefurnishingofthisdocumentdoesnotgiveyouanylicensetothesepatents.Y oucansend licenseinquiries,inwriting,to:

Lenovo(UnitedStates),Inc. 1009ThinkPlace-BuildingOne Morrisville,NC27560 U.S.A. Attention:LenovoDirectorofLicensing

LENOVOPROVIDESTHISPUBLICATION“ASIS”WITHOUTWARRANTYOFANYKIND,EITHEREXPRESS ORIMPLIED,INCLUDING,BUTNOTLIMITEDTO,THEIMPLIEDWARRANTIESOFNON-INFRINGEMENT, MERCHANTABILITYORFITNESSFORAP ARTICULARPURPOSE.Somejurisdictionsdonotallow disclaimerofexpressorimpliedwarrantiesincertaintransactions,therefore,thisstatementmaynotapply toyou.

Thisinformationcouldincludetechnicalinaccuraciesortypographicalerrors.Changesareperiodically madetotheinformationherein;thesechangeswillbeincorporatedinneweditionsofthepublication. Lenovomaymakeimprovementsand/orchangesintheproduct(s)and/ortheprogram(s)describedinthis publicationatanytimewithoutnotice.

Theproductsdescribedinthisdocumentarenotintendedforuseinimplantationorotherlifesupport applicationswheremalfunctionmayresultininjuryordeathtopersons.Theinformationcontainedinthis documentdoesnotaffectorchangeLenovoproductspecicationsorwarranties.Nothinginthisdocument shalloperateasanexpressorimpliedlicenseorindemnityundertheintellectualpropertyrightsofLenovo orthirdparties.Allinformationcontainedinthisdocumentwasobtainedinspecicenvironmentsandis presentedasanillustration.Theresultobtainedinotheroperatingenvironmentsmayvary.

Lenovomayuseordistributeanyoftheinformationyousupplyinanywayitbelievesappropriatewithout incurringanyobligationtoyou.

Anyreferencesinthispublicationtonon-LenovoWebsitesareprovidedforconvenienceonlyanddonotin anymannerserveasanendorsementofthoseWebsites.ThematerialsatthoseWebsitesarenotpartof thematerialsforthisLenovoproduct,anduseofthoseWebsitesisatyourownrisk.

Anyperformancedatacontainedhereinwasdeterminedinacontrolledenvironment.Therefore,theresult obtainedinotheroperatingenvironmentsmayvarysignicantly.Somemeasurementsmayhavebeen madeondevelopment-levelsystemsandthereisnoguaranteethatthesemeasurementswillbethesame ongenerallyavailablesystems.Furthermore,somemeasurementsmayhavebeenestimatedthrough extrapolation.Actualresultsmayvary.Usersofthisdocumentshouldverifytheapplicabledatafortheir specicenvironment.

Page 36

Trademarks

Lenovo,theLenovologo,andThinkCentrearetrademarksofLenovointheUnitedStates,othercountries,or both.

MicrosoftandWindowsaretrademarksoftheMicrosoftgroupofcompanies.

IntelandIntelvProaretrademarksofIntelCorporationintheUnitedStates,othercountries,orboth.

Othercompany,product,orservicenamesmaybetrademarksorservicemarksofothers.

28ThinkCentreM91pIntelActiveManagementT echnologyCongurationGuide

Page 37

Page 38

PartNumber:0A23371

PrintedinUSA

(1P)P/N:0A23371

*0A23371*

Lenovo ThinkCentre M91p Configuration Guide [en, ar, bg, cs, da, de, el, es, fi, fr, he, hr, hu, id, it, ja, ko, nl, pl, pt, ro, ru, sk, sl, sr, sv, th, tr, uk, zc, zh]

Specifications and Main Features

Frequently Asked Questions

User Manual

Aboutthisdocument

Chapter1.IntroductiontoIntelvProandIntelAMT

Acronyms

Chapter3.MainfeaturesofcomputersbuiltwithIntelAMT

CIRA

KVMredirection

HostBasedProvisioning

Intel(R)MEGeneralSettings

Driverdescription

Chapter5.Webuserinterface

AccessingtheWebuserinterface

Loggingontotheclient

FunctionsintheWebuserinterface

ZTCprovisioning

USBprovisioning

AppendixB.FactorydefaultsettingsfortheIntelMEBx

AppendixC.Notices

Trademarks