
ThinkCentre M90p with Intel Active Management Technology Configuration Guide


First Edition (January 2010)

© Copyright Lenovo 2010.

LENOVO products, data, computer software, and services have been developed exclusively at private expense and are sold to governmental entities as commercial items as defined by 48 C.F.R. 2.101 with limited and restricted rights to use, reproduction and disclosure.

LIMITED AND RESTRICTED RIGHTS NOTICE: If products, data, computer software, or services are delivered pursuant to a General Services Administration "GSA" contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS-35F-05925.


Contents

About this document

Chapter 1. Introduction to Intel vPro and Intel AMT
  Acronyms

Chapter 2. Features and benefits of Intel AMT
  Features and benefits

Chapter 3. Introduction to ISV applications

Chapter 4. Main features of computers built with Intel AMT
  CIRA
  KVM redirection

Chapter 5. Intel AMT setup and configuration on Lenovo ThinkCentre M90p desktop computers
  Intel AMT configuration settings in Setup Utility
  Intel MEBx setup and configuration
    Entering the MEBx configuration user interface
    Intel(R) ME General Settings
    Intel(R) AMT Configuration
    Intel(R) Quiet System Technology Configuration
  Driver description
    MEI
    LMS
    SOL

Chapter 6. Web user interface
  Accessing the Web user interface
    Provisioning the Intel AMT computer
    Logging on to the client
  Functions in the Web user interface

Appendix A. Examples of configuring Intel AMT in manual and automatic setup and configuration modes
  Configuring Intel AMT in manual setup and configuration mode
  Configuring Intel AMT in automatic setup and configuration mode
    ZTC provisioning
    USB provisioning

Appendix B. Factory default settings for the Intel MEBx

Appendix C. Notices
  Trademarks


About this document

This document provides information about Intel® Active Management Technology (Intel AMT) for Lenovo® ThinkCentre® M90p desktop computers. This document provides step-by-step instructions on how to use Intel AMT.

This document is intended for trained IT professionals or those responsible for configuring computers throughout their organizations. The readers should have basic knowledge of network and computer technology, and be familiar with the terms TCP/IP, DHCP, IDE, DNS, Subnet Mask, Default Gateway, Domain Name, and so on.

This document provides information about the following topics:

Chapter 1, “Introduction to Intel vPro and Intel AMT”: This chapter provides a general introduction to Intel vPro™ and Intel AMT.

Chapter 2, “Features and benefits of Intel AMT”: This chapter introduces the features and benefits of Intel AMT.

Chapter 3, “Introduction to ISV applications”: This chapter provides a general introduction to ISV applications.

Chapter 4, “Main features of computers built with Intel AMT”: This chapter introduces the main features of Intel AMT built-in computers.

Chapter 5, “Intel AMT setup and configuration on Lenovo ThinkCentre M90p desktop computers”: This chapter provides detailed instructions on how to configure Intel AMT settings on Lenovo ThinkCentre M90p desktop computers.

Chapter 6, “Web user interface”: This chapter provides instructions on how to access the Intel AMT Web user interface.


Chapter 1. Introduction to Intel vPro and Intel AMT

Intel vPro is a business computer platform that provides business computers with enhanced remote management capabilities. For computers built with Intel vPro, IT administrators can use third-party software to remotely collect inventory information, diagnose problems, and provide various services regardless of the computer power state or the operating system state. IT administrators can also isolate and protect individual computers and the network from threats.

As a feature of Intel vPro, Intel AMT is designed to provide remote management of computers regardless of the computer power state or the operating system state as long as the computers are connected to an electrical outlet and a network.

Acronyms

The following table lists and explains some acronyms used in this document.

Acronym | Description
ACL | Access Control List
AMT | Active Management Technology
ASF | Alert Standard Format
CIRA | Client Initiated Remote Access
DHCP | Dynamic Host Configuration Protocol
DNS | Domain Name Server
FQDN | Fully Qualified Domain Name
FW | Firmware
HECI | Host Embedded Controller Interface
IDE-R | Integrated Device Electronics - Redirection
IP | Internet Protocol
ISV | Independent Software Vendor
KVM | Keyboard-Video-Mouse
LMS | Local Manageability Service
ME | Management Engine
MEBx | Management Engine BIOS Extension
MEI | Management Engine Interface
NVM | Nonvolatile memory
OEM | Original Equipment Manufacturer
OOB | Out-of-band
PID/PPS | Provisioning ID and Provisioning Pre-shared Key
PKI | Public Key Infrastructure
PRTC | Protected Real Time Clock
PSK | Pre-shared Key
PXE | Preboot Execution Environment
SHA | Secure Hash Algorithm


SMB | Small and Medium Businesses
SOL | Serial-over-LAN
TCP | Transmission Control Protocol
TLS | Transport Layer Security
WOL | Wake on Lan
ZTC | Zero Touch Configuration


Chapter 2. Features and benefits of Intel AMT

This chapter introduces the features and benefits of Intel AMT.

The following table lists the Lenovo business computers with Intel AMT installed.

Lenovo computer | Intel AMT version
ThinkCentre M90p | Intel AMT 6.X
ThinkCentre M58p | Intel AMT 5.X
ThinkCentre M57p | Intel AMT 3.X
ThinkCentre M55p | Intel AMT 2.X

Features and benefits

ThinkCentre M90p computers built with Intel AMT enable IT administrators to better discover, heal, and protect the networked computing assets.

• Discover: Intel AMT stores hardware and software information in nonvolatile memory (NVM). With built-in manageability, Intel AMT enables IT administrators to discover assets remotely, even when computers are turned off.

• Heal: The built-in manageability of Intel AMT provides out-of-band (OOB) management capabilities, which enable IT administrators to remotely diagnose computer problems and recover computers even if the operating systems are inoperable. Proactive alerting and event logging help IT administrators detect problems quickly to reduce computer downtime.

• Protect: The Intel AMT system defense feature enables better protection for computers by proactively blocking incoming threats, controlling infected computers before the computers cause problems in the network, and alerting IT administrators when critical software agents are removed from the computers.

The following table shows the features and benefits of Intel AMT.

Table 1. Features and benefits of Intel AMT

Features | Benefits
OOB system access | Enables remote management of clients regardless of client power state and operating system state
Remote troubleshooting and recovery | Significantly reduces IT helpdesk visits and increases IT service efficiency
Proactive alerting | Decreases computer downtime and minimizes IT service time
Remote hardware asset tracking | Increases speed and accuracy with reduced accounting costs, compared with manual inventory tracking


Chapter 3. Introduction to ISV applications

Intel AMT is designed as a building block and not a complete solution. This enables Original Equipment Manufacturers (OEMs) to incorporate Intel AMT into their client and server hardware platforms. Competent and authorized third party applications provide management and security services that take advantage of the Intel AMT features, such as out-of-band access to asset information, event logs, hardware and software tables, and embedded capabilities.

The following table lists the common third party Independent Software Vendor (ISV) management applications.

Table 2. List of common third party management applications

Application | ISV
Microsoft® System Management Server 2003 | Microsoft
Microsoft System Center Configuration Manager | Microsoft
LANDesk Management Suite | LANDesk
Altiris Real Time System Manager | Altiris


Chapter 4. Main features of computers built with Intel AMT

Computers built with Intel AMT version 2.0 or later have the following features and improvements:

• Remote power control
  – Power on
  – Power off
  – Power reset
  – Power cycle
• Asset management
  – E-Asset tag
  – OOB hardware inventory
• Integrated Device Electronics - Redirection (IDE-R)
  – Floppy redirection
  – CD redirection
• Serial-over-LAN (SOL)
  – Screen redirection based on text
  – Keyboard redirection
  – Network redirection
• Remote restart
  – Restart from a local hard disk drive
  – Restart from a local CD or DVD drive
  – Restart from a local Preboot Execution Environment (PXE)
• Event management
  – Event alerting
  – Event logging
  – Audit log
• Agent presence
• System defense
• CIRA
• KVM redirection

CIRA

ThinkCentre M90p computers built with Intel AMT support the Client Initiated Remote Access (CIRA) function. You can perform this function through ISV applications. For more information about ISV applications, see Chapter 3, “Introduction to ISV applications.”

The CIRA function enables client-initiated, secure OOB communication to the manageability console, which includes:

• User-initiated call-home feature
• Scheduled, automated call-home feature (no user input required)
• Transport Layer Security (TLS) session established through client initiation


KVM redirection

ThinkCentre M90p computers built with Intel AMT 6.X support Keyboard-Video-Mouse (KVM) redirection over Internet Protocol (IP). As an important new feature in Intel AMT 6.X, KVM redirection enables IT administrators to remotely control the keyboard, video or visual display unit, and mouse of the managed clients. KVM redirection has the following advantages:

• Works stably
• Based on hardware
  Note: KVM redirection is based on hardware so that it can work correctly regardless of the operating system state of the managed clients.
• Manages clients remotely through management servers
• Healing, installation and applications support

Notes:

1. KVM redirection in Intel AMT 6.X can be used only on computers with Intel integrated graphics. For computers with discrete graphics cards, the Serial-over-LAN (SOL) function can be used to support remote diagnostics and repair.

2. The KVM user interfaces are only available on computers that support KVM redirection. For more information about KVM user interfaces, see “KVM Configuration.”


Chapter 5. Intel AMT setup and configuration on Lenovo ThinkCentre M90p desktop computers

The Intel Management Engine (ME) is an isolated and protected computing resource that runs on an Intel AMT computer. The Intel Management Engine BIOS Extension (MEBx) provides a user interface to change or configure settings that control the operation of the Intel Management Engine (ME).

Changes to the ME platform configuration settings are not cached in the MEBx, and they are not committed to the ME nonvolatile memory until you exit the MEBx. If the Intel MEBx crashes in the process of the configuration, the changes that you have made will not be saved.

Note: To perform the CIRA function, configure your computer in the MEBx for manual setup and configuration mode or automatic setup and configuration mode, and then use the CIRA function through ISV applications. You do not need to do any additional setup and configuration in the MEBx.

Intel AMT configuration settings in Setup Utility

The Setup Utility program enables you to view and change the Intel AMT related configuration settings for your computer.

To view or change the Intel AMT configuration settings, do the following:

1. Repeatedly press and release the F1 key when turning on the computer. When you hear multiple beeps or see a logo screen, release the F1 key. The Setup Utility program starts.


2. From the Setup Utility program main menu, select Advanced → Intel(R) AMT. The following window will be displayed.

Figure 1. Intel AMT configuration settings in Setup Utility

In the window, you can view the following Intel AMT configuration settings:

Option | Default setting | Description
Intel(R) AMT Control | Enabled | Used to enable or disable the Intel AMT interface.
Intel(R) AMT Reset | Disabled | Used to enable or disable the Intel AMT reset function.
Press <Ctrl-P> to Enter MEBx | Enabled | Used to enable or disable the entrance of the MEBx setup configuration menu.

For more information, see the instructions and the help messages on the screen.

Intel MEBx setup and configuration

This section provides instructions on how to set up and configure Intel AMT for your computer.


Entering the MEBx configuration user interface

Repeatedly press and release Ctrl+P when turning on the computer. When you see the Intel Management Engine BIOS Extension window, release the Ctrl and P keys. Press 1 to enter the Intel MEBx MAIN MENU window (Figure 2). You will be prompted to enter the Intel ME password. Type the Intel ME default password admin and then you will be prompted to type a new password. To set a new Intel ME password, see “Change ME Password.”

Figure 2. Intel MEBx MAIN MENU window

Intel(R) ME General Settings

Select Intel(R) ME General Settings in the Intel MEBx MAIN MENU window and press Enter. The INTEL(R) ME PLATFORM CONFIGURATION window opens (Figure 3). This window enables you to configure the general settings of the Intel ME, such as ME state, ME password, power control, and so on.

Figure 3. INTEL(R) ME PLATFORM CONFIGURATION window


The following options are listed in the INTEL(R) ME PLATFORM CONFIGURATION window:

Intel(R) ME State Control

The Intel(R) ME State Control option allows you to enable the Intel ME on the platform or disable the Intel ME for debugging purposes.

Note: The DISABLED option allows you to disable the Intel ME for debugging purposes. The DISABLED option is used to stop the Intel ME code from executing at the early stage of the Intel ME boot process so that the system has no traffic originating from the Intel ME on any of the buses. Disabling the Intel ME enables an IT technician to debug a system problem without any interference from the Intel ME.

Change ME Password

The Change ME Password option enables you to change the Intel ME password.

To change the Intel ME password, select Change ME Password and press Enter. Type your new password and press Enter. When prompted to confirm the new password, type your new password again.

Password considerations: For security reasons, it is recommended to use a strong password that cannot be easily compromised. To set a strong password, use the following guidelines:

• Have eight to 32 characters in length
• Contain at least one alphabetic character, one numeric character, and one symbol (! @ # $ % ^ & * and so on)
• Contain at least one upper case letter and one lower case letter
• You can also use the space bar and underscore (_).
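The guidelines above, turned into a pre-rollout check (an added example, not part of the Lenovo guide). The result codes, host names and passwords are constructed; treating space and underscore as not satisfying the symbol rule, the printable-ASCII limit and the reuse check are assumptions that go beyond the guide.

```python
import string
from collections import Counter

MIN_LEN, MAX_LEN = 8, 32      # "eight to 32 characters" (from the guide)
FACTORY_DEFAULT = "admin"     # default Intel ME password named in the guide

# Space and underscore are allowed by the guide. Assumption made here: they do
# not satisfy the "one symbol" rule, so the check errs on the strict side.
SYMBOLS = set(string.punctuation) - {"_"}
# Assumption: passwords typed at the MEBx console are printable ASCII.
ALLOWED = set(string.ascii_letters + string.digits + string.punctuation + " ")


def mebx_password_problems(candidate):
    """Return a code for every guideline the candidate breaks ([] = passes)."""
    problems = []
    if candidate.strip().lower() == FACTORY_DEFAULT:
        problems.append("default")
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append("length")
    if not any(c in string.ascii_uppercase for c in candidate):
        problems.append("upper")
    if not any(c in string.ascii_lowercase for c in candidate):
        problems.append("lower")
    if not any(c in string.digits for c in candidate):
        problems.append("digit")
    if not any(c in SYMBOLS for c in candidate):
        problems.append("symbol")
    if any(c not in ALLOWED for c in candidate):
        problems.append("charset")
    return problems


def audit_rollout(planned):
    """planned maps host name -> intended Intel ME password.

    Returns {host: [codes]} for hosts that fail. "reused" marks a password
    assigned to more than one host (added policy, not a rule from the guide).
    The report never contains the passwords themselves.
    """
    counts = Counter(planned.values())
    report = {}
    for host, password in planned.items():
        codes = mebx_password_problems(password)
        if counts[password] > 1:
            codes.append("reused")
        if codes:
            report[host] = codes
    return report


# Constructed sample plan; none of these values come from a real deployment.
SAMPLE_PLAN = {
    "m90p-001": "admin",            # factory default left in place
    "m90p-002": "Passw0rd_1",       # underscore is the only non-alphanumeric
    "m90p-003": "Tr4il-Mix!Oak",
    "m90p-004": "Tr4il-Mix!Oak",    # same password as m90p-003
    "m90p-005": "K9#river Stone",   # space is permitted
}

if __name__ == "__main__":
    for host, codes in sorted(audit_rollout(SAMPLE_PLAN).items()):
        print(host, ",".join(codes))
```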

Password Policy

The Password Policy option specifies when you can change the MEBx password through the network interface.

Select Password Policy and press Enter. The following three options will be displayed.

Option | Description
DEFAULT PASSWORD ONLY | This option enables you to change the MEBx password when the MEBx password has not been modified.
DURING SETUP AND CONFIGURATION | This option enables you to change the MEBx password during the setup and configuration. You cannot modify the MEBx password after the setup and configuration process is completed.
ANYTIME | This option enables you to change the MEBx password anytime.

Network Setup

The Network Setup menu enables you to configure network settings. Select Network Setup and press Enter. The INTEL(R) NETWORK SETUP window opens. The following options will be displayed:

• “Intel(R) ME Network Name Settings”
• “TCP/IP Settings”


Intel(R) ME Network Name Settings: In the INTEL(R) NETWORK SETUP window, select Intel(R) ME Network Name Settings and press Enter. The following options will be displayed.

Option | Description
Host Name | Enables you to set a host name for your Intel AMT computer.
Domain Name | Enables you to set a domain name for your Intel AMT computer.
Shared/Dedicated FQDN | Enables you to specify whether the Fully Qualified Domain Name (FQDN) is a dedicated domain name for Intel AMT or shared by both Intel AMT and your operating system.
Dynamic DNS Update | Used to enable or disable the Dynamic DNS (Domain Name Server) Update Client in the firmware. When the Dynamic DNS Update feature is set to ENABLED, the firmware will automatically register its IP address and FQDN on the DNS using the Dynamic DNS Update protocol.
  Note: Set the host name and domain name before you enable the Dynamic DNS Update feature.
Periodic Update Interval | Enables you to set the interval between two successive updates that the Dynamic DNS Update Client in the firmware sends to the DNS.
  Notes:
  1. The Periodic Update Interval option is only available when the Dynamic DNS Update feature is enabled.
  2. The interval is in minutes. The interval value should be zero or no smaller than 20. By setting the interval value to zero, you disable the periodic update feature.
TTL | Enables you to set the Time To Live (TTL) value in seconds.
  Notes:
  1. The TTL option is only available when the Dynamic DNS Update feature is enabled.
  2. The TTL value should be greater than zero. If the TTL value is set to zero, the firmware will use the default value, which is 900 seconds.

TCP/IP Settings: Select TCP/IP Settings and press Enter. The TCP/IP SETTINGS window opens. The following options will be displayed:

• “Wired LAN IPV4 Configuration”
• “Wired LAN IPV6 Configuration”

Wired LAN IPV4 Configuration: Select Wired LAN IPV4 Configuration → DHCP Mode. The DHCP Mode option is used to enable or disable DHCP mode. With DHCP mode enabled, the TCP/IP settings will be configured by a DHCP server.

With DHCP mode disabled, the options in the following table will be displayed. You will be required to configure the static TCP/IP settings for the Intel AMT computer. If the system is in static mode, a second IP address is required. This second IP address is often called the Intel ME IP address and is different from the host IP address.

Option | Description
IPV4 Address | Enables you to enter the Intel ME IP address for your Intel AMT computer.
Subnet Mask Address | Enables you to enter the subnet mask address for your Intel AMT computer.


Default Gateway Address | Enables you to enter the default gateway address for your Intel AMT computer.
Preferred DNS Address | Enables you to enter the preferred DNS address for your Intel AMT computer.
Alternate DNS Address | Enables you to enter the alternate DNS address for your Intel AMT computer.

Wired LAN IPV6 Configuration: Select Wired LAN IPV6 Configuration and press Enter. The WIRED LAN IPV6 CONFIGURATION window opens.

The Intel ME network stack supports a multihomed IPv6 interface. Each IPv6 network interface can be configured with the following IPv6 addresses:

• One auto-configured link-local address
• Three auto-configured global addresses
• One DHCPv6-configured address
• One statically configured IPv6 address

The Intel ME IPv6 addresses are dedicated and not shared with the host operating system. To enable Dynamic DNS registration for IPv6 addresses, you will need to configure a dedicated FQDN.

The IPV6 Feature Selection option is used to enable or disable the IPv6 interface. With IPV6 Feature Selection enabled, the following options will be displayed.

Option | Description
IPV6 Interface ID Type | Used to specify the IPv6 Interface ID type. There are three types of IPv6 Interface IDs:
  • Random ID: The IPv6 Interface ID is automatically generated using a random number as described in Request for Comments (RFC) 3041.
  • Intel ID: The IPv6 Interface ID is automatically generated using the Media Access Control (MAC) address.
  • Manual ID: The IPv6 Interface ID is manually configured. Selecting this option requires that the Manual Interface ID is set to a valid value.
IPV6 Address | Enables you to enter the IPv6 address for your Intel AMT computer.
IPV6 Default Router | Enables you to enter the IPv6 default router for your Intel AMT computer.
Preferred DNS IPV6 Address | Enables you to enter the preferred DNS IPv6 address for your Intel AMT computer.
Alternate DNS IPV6 Address | Enables you to enter the alternate DNS IPv6 address for your Intel AMT computer.

Activate Network Access

The Activate Network Access option enables you to activate the current network settings and open the Intel ME network interface. Select Activate Network Access and press Enter. Press Y or N depending on whether you want to activate the current network settings.

Activating network access will cause the Intel ME to transition to the post provisioning state if all required settings have been configured.


Unconfigure Network Access

The Unconfigure Network Access option enables you to reset network settings including network access control lists (ACLs) to factory default settings. Select Unconfigure Network Access and press Enter. Press Y or N when prompted.

If you press Y, the following options will be displayed.

Option | Description
Full Unprovision | Used to reset all the Intel AMT settings to the factory default settings except the MEBx password.
Partial Unprovision | Used to reset all the Intel AMT settings to the factory default settings except the PID/PPS and the MEBx password.

Remote Setup And Configuration

Select Remote Setup And Configuration and press Enter. The INTEL(R) AUTOMATED SETUP AND CONFIGURATION window opens. The following options will be displayed:

• “Current Provisioning Mode”
• “Provisioning Record”
• “RCFG”
• “Provisioning Server IPV4/IPV6”
• “Provisioning Server FQDN”
• “TLS PSK”
• “TLS PKI”

Current Provisioning Mode: The Current Provisioning Mode option shows you the current provisioning TLS mode: None, PKI (Public Key Infrastructure), or PSK (Pre-shared Key).

Provisioning Record: The Provisioning Record option shows you the provision PSK or PKI record data of your computer. If no data has been entered, a message will be displayed indicating that the provision record is not present. If the record data has been entered, the following provision records will be displayed:

• TLS provisioning mode – Displays the current configuration mode of the system: None, PSK, or PKI.
• Provisioning IP – Displays the IP of the setup and configuration server.
• Date of Provision – Displays the date and time of the provision.
• DNS – Indicates whether the PKI DNS suffix was configured in the Intel MEBx before remote configuration takes effect. A value of 0 indicates that the PKI DNS suffix was not configured. A value of 1 indicates that the PKI DNS suffix was configured.
• Host Initiated – Displays whether the setup and configuration process was initiated by the host: No indicates the setup and configuration process was not initiated by the host; Yes indicates the setup and configuration process was initiated by the host. (PKI only)
• Hash Data – Displays the 40-character certificate hash data. (PKI only)
• Hash Algorithm – Describes the hash type. Currently only SHA1 (Secure Hash Algorithm 1) is supported. (PKI only)
• Is Default – Displays Yes if the hash algorithm is the default algorithm. Displays No if the hash algorithm is not the default algorithm. (PKI only)


• FQDN – Displays the FQDN of the provisioning server mentioned in the certificate. (PKI only)
• Serial Number – Displays the 32-character Certificate Authority serial number.
• Time Validity Pass – Indicates whether the certificate has passed the time validity check.

RCFG: Select RCFG and press Enter. The INTEL(R) REMOTE CONFIGURATION window opens. Select Start Configuration and press Enter. Press Y or N when you are prompted to activate the remote configuration.

Provisioning Server IPV4/IPV6: The Provisioning Server IPV4/IPV6 option enables you to enter the IP address of the Intel AMT provisioning server and the port number of the Intel AMT provisioning server. The port number ranges from 0 to 65535. The default port number is 9971.

Provisioning Server FQDN: Select Provisioning Server FQDN and press Enter. You will be prompted to enter the FQDN of the Intel AMT provisioning server.

TLS PSK: Select TLS PSK and press Enter. The INTEL(R) TLS PSK CONFIGURATION window opens. The following options will be displayed.

Option | Description
Set PID and PPS | Used to enter the Provisioning ID (PID) and Provisioning Pre-shared Key (PPS). The PID and PPS should be entered in the dash format (for example, 1234-ABCD for PID and 1234-ABCD-1234-ABCD-1234-ABCD-1234-ABCD for PPS).
  Notes:
  1. A PPS value of 0000-0000-0000-0000-0000-0000-0000-0000 will not change the setup configuration state. If this value is used, the setup and configuration state will stay as Not-started.
  2. Setting the PID/PPS will cause a partial unprovision if the setup and configuration is In-process.
Delete PID and PPS | Used to delete the current PID and PPS stored on the Intel ME.
  Note: Deleting the PID and PPS will cause a partial unprovision if the setup and configuration is In-process.
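A format check for PID/PPS pairs before they are typed into the MEBx or handed to a provisioning tool (an added example, not part of the Lenovo guide). The record layout, host names and key values are constructed; the upper-case alphanumeric character set is an assumption taken from the guide's examples, and the reuse check is an added policy rather than a rule from the guide.

```python
import re
from collections import Counter

# Assumption: each group is four digits or upper-case letters, as in the
# guide's examples (1234-ABCD).
GROUP = r"[0-9A-Z]{4}"
PID_RE = re.compile(rf"{GROUP}-{GROUP}")             # 8 characters, 2 groups
PPS_RE = re.compile(rf"{GROUP}(?:-{GROUP}){{7}}")    # 32 characters, 8 groups

# Per the guide, this PPS leaves the setup and configuration state Not-started.
NULL_PPS = "-".join(["0000"] * 8)
# The guide's own illustration values; they must never reach a real machine.
DOC_PID = "1234-ABCD"
DOC_PPS = "-".join(["1234", "ABCD"] * 4)


def psk_problems(pid, pps):
    """Return a code for each problem with one PID/PPS pair ([] = usable)."""
    problems = []
    if not PID_RE.fullmatch(pid):
        problems.append("pid-format")
    if not PPS_RE.fullmatch(pps):
        problems.append("pps-format")
    elif pps == NULL_PPS:
        problems.append("pps-null")
    if pid == DOC_PID or pps == DOC_PPS:
        problems.append("doc-sample")
    return problems


def audit_psk_records(records):
    """records: iterable of (host, pid, pps) tuples.

    Returns {host: [codes]} for hosts with findings. "pps-reused" marks a
    pre-shared key assigned to more than one host (added policy). Key
    material is never copied into the report.
    """
    records = list(records)
    pps_counts = Counter(pps for _, _, pps in records)
    report = {}
    for host, pid, pps in records:
        codes = psk_problems(pid, pps)
        if pps_counts[pps] > 1:
            codes.append("pps-reused")
        if codes:
            report[host] = codes
    return report


# Constructed sample records; the keys are made up for this example.
SHARED_PPS = "H7PL-2XQA-M9DT-5RWE-K3ZB-8NUC-1GJY-4VSF"
SAMPLE_RECORDS = [
    ("m90p-001", "7QK2-M4TZ", "9F3A-K2LD-77QX-B1ZP-4MRE-T8WC-0HJN-6VSY"),
    ("m90p-002", DOC_PID, DOC_PPS),                               # copied from the manual
    ("m90p-003", "AB12-CD34", NULL_PPS),                          # all-zero PPS
    ("m90p-004", "AB12CD34", "9F3AK2LD77QXB1ZP4MRET8WC0HJN6VSY"),  # no dashes
    ("m90p-005", "ZX81-QL48", SHARED_PPS),
    ("m90p-006", "RT55-WN02", SHARED_PPS),                        # same PPS as m90p-005
]

if __name__ == "__main__":
    for host, codes in sorted(audit_psk_records(SAMPLE_RECORDS).items()):
        print(host, ",".join(codes))
```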

TLS PKI: Select TLS PKI and press Enter. The INTEL(R) REMOTE CONFIGURATION window opens. The Remote Configuration option is used to enable or disable the remote configuration. Enabling or disabling remote configuration will cause a partial unprovision if the setup and configuration server is In Process. When the Remote Configuration option is enabled, the following options will be displayed.

Option | Description
PKI DNS Suffix | Used to enter the PKI DNS Suffix for your Intel AMT computer. Key value will be maintained in the EPS.


Manage Hashes | Used to list all the hashes on the system, including the hash names and the hash states. The following keys are used to manage the hashes:
  • Esc: Used to exit from the hash management window.
  • Insert: Used to add a customized certificate hash to the system. To add a new certificate hash, do the following:
    1. Press Insert and type the new hash name.
       Note: The hash name must be no longer than 32 characters.
    2. Enter the certificate hash data for Intel AMT when prompted. The certificate hash data is a 20-byte hexadecimal number. Enter the hash data in the correct format and then press Enter.
    3. Press Y to activate the certificate hash when prompted.
  • Delete: Used to delete the currently selected certificate hash. A certificate hash that is not active cannot be deleted.
  • +: Used to change the active state of the currently selected certificate hash. Setting a hash as active indicates that the hash is available for use during PSK provisioning.
  • Enter: Used to view the details of the currently selected certificate hash. Press Enter in the hash management window. The details of the selected certificate hash will be displayed, including the hash name, certificate hash data, and the active and default states.
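One way to confirm that the hash data typed under Manage Hashes belongs to the intended provisioning root certificate (an added example, not part of the Lenovo guide). It assumes the hash data is the SHA-1 digest of the DER-encoded certificate; the function names are hypothetical and the sample bytes are a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import re

MAX_NAME_LEN = 32    # hash name limit stated in the guide
HASH_HEX_LEN = 40    # 20-byte value written as 40 hexadecimal characters

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text):
    """Decode the first PEM certificate block to its DER bytes."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def cert_sha1(pem_text):
    """SHA-1 over the whole DER certificate, as 40 upper-case hex characters."""
    return hashlib.sha1(pem_to_der(pem_text)).hexdigest().upper()


def normalize_hash(entered):
    """Strip the separators people paste (spaces, colons, dashes) and check
    that exactly 20 bytes of hexadecimal remain."""
    compact = re.sub(r"[\s:\-]", "", entered).upper()
    if not re.fullmatch(r"[0-9A-F]{%d}" % HASH_HEX_LEN, compact):
        raise ValueError("hash data is not a 20-byte hexadecimal number")
    return compact


def hash_entry_problems(name, entered_hash, root_pem):
    """Check one planned Manage Hashes entry against the root certificate.

    Returns a list of codes: "name" (empty or longer than 32 characters),
    "format" (not 20 bytes of hex) or "mismatch" (does not match the
    certificate). An empty list means the entry is consistent.
    """
    problems = []
    if not 1 <= len(name) <= MAX_NAME_LEN:
        problems.append("name")
    try:
        value = normalize_hash(entered_hash)
    except ValueError:
        problems.append("format")
        return problems
    if value != cert_sha1(root_pem):
        problems.append("mismatch")
    return problems


# Constructed stand-in for a root certificate: arbitrary bytes wrapped in PEM
# armour so the example runs offline. A real check reads the CA's PEM file.
SAMPLE_DER = bytes(range(96))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    fingerprint = cert_sha1(SAMPLE_PEM)
    print("hash data to enter:", fingerprint)
    print(hash_entry_problems("Constructed Root CA", fingerprint, SAMPLE_PEM))
```

Comparing the value against a fingerprint obtained from the certificate authority through a separate channel is what gives the check its value; a hash computed from a file of unknown origin only proves the file matches itself.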

FW Update Settings

Select FW Update Settings and press Enter. The FW Update Settings window opens. The following options will be displayed.

Option | Description
Local FW Update | Used to enable or disable the Intel ME firmware local update. When the Local FW Update function is set to ENABLED, the IT administrator can update the Intel ME firmware locally through the local Intel ME interface or through the local secure interface.
  Note: The local firmware update does not require an administrator user name and password. Therefore, when the local firmware update is completed, this setting is automatically set to DISABLED by the Intel ME firmware. You need to manually set the Local FW Update function to ENABLED when a local update is needed.
Secure FW Update | Used to enable or disable the secure firmware update. You need to have an administrator user name and password to use the Secure Firmware Update function. When the Secure Firmware Update function is enabled, the IT administrator can update the firmware securely through the Local Manageability Service (LMS) driver.

Set PRTC

Select Set PRTC in the INTEL(R) ME PLATFORM CONFIGURATION window and press Enter. You are prompted to enter the Protected Real Time Clock (PRTC) value in Coordinated Universal Time (UTC) format (YYYY:MM:DD:HH:MM:SS). Setting a PRTC value helps maintain the PRTC when your computer is turned off. The valid PRTC date ranges from January 1, 2004 to January 4, 2021.


Power ControlThe Power Control menu enables you to configure the ME power control policies.To conform with the ENERGY STAR program and the EuP Lot 6 requirements, theIntel ME can be turned off in various sleep states. Select Power Control and pressEnter. The INTEL(R) ME POWER CONTROL window opens. In the INTEL(R) MEPOWER CONTROL window, the following options will be displayed.

Option: Intel(R) ME ON in Host Sleep States
Description: Used to specify when the Intel ME will be turned on. Select Intel(R) ME ON in Host Sleep States and press Enter. You can choose which power package will be used.

• Desktop: ON in S0 – This option means only when your computer is turned on and operational will the Intel ME be turned on.

• Desktop: ON in S0, ME Wake in S3, S4-5 – This option means the Intel ME will be turned on when your computer is turned on and operational. The Intel ME can be remotely woken up when your computer is in sleep mode, hibernation mode, or turned off.

With Intel ME Wake on LAN (WOL), after the time-out timer expires, the Intel ME remains in the M-off (note 1) state until a command is sent to the Intel ME. After this command is sent, the Intel ME will transition to the M0 (note 2) or M3 (note 3) state and will respond to the next command. A ping to the Intel ME can also make the Intel ME transition to an M0 or M3 state. Intel ME takes a short time to transition from the M-off state to the M0 or M3 state. During this time, the system will not respond to any Intel ME commands. When the Intel ME is in the M0 or M3 state, the system will respond to Intel ME commands.

Option: Idle Timeout
Description: Used to enable the Intel ME to wake up and define the Intel ME idle timeout in the M3 state. The idle timeout value indicates the amount of time that the Intel ME is allowed to remain idle in the M3 state before transitioning to the M-off state. The idle timeout value should be entered in minutes.
Note: If the Intel ME is in the M0 state, it will not transition to the M-off state.

1. M-off: An Intel ME FW power state when the Intel ME FW is shut down.

2. M0: An Intel ME FW power state when the Intel AMT computer is turned on and operational.

3. M3: An Intel ME FW power state when the Intel AMT computer is in sleep mode, hibernation mode, or turned off.
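The power-state behaviour described in the options and notes above can be modelled as a small state machine. This Python model is an added example, not Intel or Lenovo code. The class and function names are hypothetical, and it assumes that the command that wakes the ME from M-off goes unanswered and that any answered command restarts the idle timer.

```python
from dataclasses import dataclass

# Power package names as shown in the INTEL(R) ME POWER CONTROL window.
ON_IN_S0 = "Desktop: ON in S0"
ME_WAKE = "Desktop: ON in S0, ME Wake in S3, S4-5"


@dataclass
class MePowerModel:
    package: str = ON_IN_S0        # factory default power package
    idle_timeout_min: int = 65535  # factory default Idle Timeout, in minutes
    state: str = "M0"              # host starts turned on and operational
    idle_min: int = 0

    def host_power(self, host_on):
        """Host enters S0 (host_on=True) or sleep, hibernation or off."""
        if host_on:
            self.state = "M0"
        elif self.package == ME_WAKE:
            self.state = "M3"
        else:
            self.state = "M-off"   # ME is on only while the host is in S0
        self.idle_min = 0

    def tick(self, minutes):
        """Advance time with no ME traffic. Only M3 can idle out to M-off."""
        if self.state == "M3":
            self.idle_min += minutes
            if self.idle_min >= self.idle_timeout_min:
                self.state = "M-off"

    def command(self):
        """Send a command or ping; return True if the ME answers it."""
        if self.state in ("M0", "M3"):
            self.idle_min = 0      # assumption: activity restarts the timer
            return True
        if self.package == ME_WAKE:
            # The packet wakes the ME but is not answered during the
            # transition out of M-off (host is asleep here, so M3).
            self.state = "M3"
            self.idle_min = 0
        return False


def attempts_until_answer(me, max_attempts=3):
    """Number of sends a console needs before the ME answers, else None."""
    for attempt in range(1, max_attempts + 1):
        if me.command():
            return attempt
    return None


if __name__ == "__main__":
    me = MePowerModel(package=ME_WAKE, idle_timeout_min=5)
    me.host_power(False)           # host goes to sleep: ME is in M3
    me.tick(5)                     # idle timeout expires: ME is in M-off
    print(attempts_until_answer(me))
```

A management console that sends a single request to a sleeping client with an expired idle timeout gets no reply, so retry logic belongs on the console side.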


Intel(R) AMT Configuration

The Intel(R) AMT Configuration menu enables you to configure an Intel AMT capable computer to support the Intel AMT management features.

Select Intel(R) AMT Configuration from the Intel MEBx MAIN MENU window and press Enter. A message will be displayed indicating that you can update network settings from the Intel(R) ME General Settings menu. Press Enter and the INTEL(R) AMT CONFIGURATION window opens (Figure 4).

The following options are listed in the INTEL(R) AMT CONFIGURATION window:
• “Manageability Feature Selection”
• “SOL/IDER”
• “KVM Configuration”

Manageability Feature Selection

The Manageability Feature Selection option is used to enable or disable the Intel ME manageability feature. The default setting is ENABLED.

Note: If you disable the Manageability Feature Selection function, all the network settings including ACLs will be reset to factory default settings.

SOL/IDER

Select SOL/IDER in the INTEL(R) AMT CONFIGURATION window and press Enter. The SOL/IDER window opens. The following options will be displayed.

Option: Username & Password
Description: Used to enable or disable the username and password for the SOL/IDER session. If the Kerberos network authentication protocol is used, this option should be set to DISABLED because the user authentication is managed through Kerberos. If the Kerberos network authentication protocol is not used, the IT administrator can choose to enable or disable the username and password for the SOL/IDER session.

Figure 4. INTEL(R) AMT CONFIGURATION window


Option: SOL
Description: Used to enable or disable SOL. If the client supports SOL and SOL is enabled on the client, the Intel AMT managed client input or output can be redirected to the management server console. If the client does not support SOL, the SOL option cannot be enabled.

Option: IDER
Description: Used to enable or disable IDE-R. If IDE-R is enabled, the Intel AMT managed client can be booted from remote disk images through a management server console. If the client does not support IDE-R, the IDER option cannot be enabled.

Option: Legacy Redirection Mode
Description: Used to enable or disable legacy redirection mode. Legacy redirection mode controls how the redirection works.

Attention: The default setting is DISABLED, which is used for enterprise consoles and new Small and Medium Businesses (SMB) consoles. If you are using a legacy SMB Redirection Console, you must set the Legacy Redirection Mode feature to ENABLED.

KVM Configuration

Select KVM Configuration in the INTEL(R) AMT CONFIGURATION window and press Enter. The KVM Configuration window opens and you can configure the following KVM settings.

Option: KVM Feature Selection
Description: Used to enable or disable the KVM feature.

Option: User Opt-in
Description: Used to specify whether the user consent is required for the KVM session.

Option: Opt-in Configurable from remote IT
Description: Used to enable or disable remote configuration of the User Opt-in setting.
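The conditions attached to the SOL/IDER and KVM options above (Kerberos, legacy SMB consoles, user consent) can be checked mechanically against a record of each client's settings. The following Python check is an added example, not Lenovo or Intel code. The "name = value" record layout, the function names, and the site baseline that unused redirection features should be disabled are assumptions; the two default strings are quoted from Table 3 of this guide.

```python
# Default strings quoted from the guide's Table 3 (factory defaults).
CONSENT_REQUIRED = "User Consent is required for KVM Session"
REMOTE_OPT_IN_ON = "Enable Remote Control of KVM Opt-In Policy"

# Constructed inventory record. Option names follow the guide's tables; the
# "name = value" layout and the non-default User Opt-in text are hypothetical.
SAMPLE_RECORD = """\
Username & Password = ENABLED
SOL = ENABLED
IDER = ENABLED
Legacy Redirection Mode = ENABLED
KVM Feature Selection = ENABLED
User Opt-in = (constructed) consent not required
Opt-in Configurable from remote IT = Enable Remote Control of KVM Opt-In Policy
"""


def parse_record(text):
    """Turn 'name = value' lines into a dict, skipping malformed lines."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip():
            settings[name.strip()] = value.strip()
    return settings


def lint(settings, uses_kerberos, legacy_smb_console, features_in_use):
    """Return (option, advice) pairs for settings that conflict with the guide
    or with the assumed baseline that unused redirection features are off."""
    on = lambda option: settings.get(option) == "ENABLED"
    findings = []
    if uses_kerberos and on("Username & Password"):
        findings.append(("Username & Password",
                         "set to DISABLED: Kerberos manages user authentication"))
    if on("Legacy Redirection Mode") and not legacy_smb_console:
        findings.append(("Legacy Redirection Mode",
                         "restore the default DISABLED: no legacy SMB console"))
    if legacy_smb_console and not on("Legacy Redirection Mode"):
        findings.append(("Legacy Redirection Mode",
                         "must be ENABLED for a legacy SMB Redirection Console"))
    for feature, option in (("SOL", "SOL"), ("IDER", "IDER"),
                            ("KVM", "KVM Feature Selection")):
        if on(option) and feature not in features_in_use:
            findings.append((option, "ENABLED but unused at this site: disable"))
    if on("KVM Feature Selection") and "KVM" in features_in_use:
        if settings.get("User Opt-in") != CONSENT_REQUIRED:
            findings.append(("User Opt-in", "user consent is not required"))
        if settings.get("Opt-in Configurable from remote IT") == REMOTE_OPT_IN_ON:
            findings.append(("Opt-in Configurable from remote IT",
                             "remote IT can change the User Opt-in setting"))
    return findings


if __name__ == "__main__":
    for option, advice in lint(parse_record(SAMPLE_RECORD), uses_kerberos=True,
                               legacy_smb_console=False,
                               features_in_use={"SOL", "KVM"}):
        print(f"{option}: {advice}")
```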

Intel(R) Quiet System Technology Configuration

The Intel Quiet System Technology (Intel QST) is the advanced system temperature and fan speed control technology of Intel, which utilizes the internal and external thermal sensors to optimize the acoustic and thermal performance of the computer in steady state and transient power conditions.

Select Intel(R) Quiet System Technology Configuration and press Enter. Then, you can enable or disable the Intel QST feature.

Driver description

This section provides information about AMT drivers. Read the following driver descriptions if you are going to use Intel AMT in the Microsoft Windows® environment.

MEI

The Intel AMT Management Engine Interface (MEI) is the interface between the host and the Intel ME. The Intel AMT MEI is bi-directional so that both the host and the Intel AMT firmware can initiate transactions. In addition, transactions can be completed by the Intel ME first and then the host can be synchronized with the Intel ME later.


LMS

Local Manageability Service (LMS) is a service that runs locally in the host operating system. LMS exposes AMT functionality through standard interfaces (for example, general-information interface, firmware update interface, local agent-presence interface, and so on). LMS is an abstraction that sits on top of the Host Embedded Controller Interface (HECI) driver (and the ME) that interacts with the ME using standard interfaces.

LMS listens for the request directed to the AMT local host. When an application sends SOAP/HTTP messages to the local host, LMS intercepts the request and sends the request to the Management Engine Interface through the HECI driver.

SOL

The SOL driver is an Intel AMT ME driver. This driver enables the remote display of the managed client user interface through a management console and emulates serial communication over a standard network connection.


Chapter 6. Web user interface

Besides managing your computers with ISV applications, you can also perform some basic management functions through the Web user interface, such as power control and asset inventory.

The Intel ME provides a Web user interface, which enables you to check the status of Intel AMT as well. If you can access the Web user interface, your AMT setup and configuration is correct.

Accessing the Web user interface

This section provides instructions on how to access the AMT Web user interface.

Provisioning the Intel AMT computer

To access the Web user interface, you need to configure the Intel AMT computer first. To configure the Intel AMT settings for accessing the Web user interface, do one of the following:

• Manual setup and configuration mode

1. Repeatedly press and release Ctrl+P when turning on the computer. When you see the Intel Management Engine BIOS Extension window, release the Ctrl and P keys. Press 1 to enter the Intel MEBx MAIN MENU window. Type the default password admin and then change the Intel ME password.
2. Select Intel(R) ME General Settings → Network Setup.
3. In the INTEL(R) NETWORK SETUP window, select Intel(R) ME Network Name Settings and then press Enter. Set the host name and domain name for your Intel AMT computer.
4. In the INTEL(R) NETWORK SETUP window, select TCP/IP Settings and press Enter. Configure TCP/IP settings in the TCP/IP SETTINGS window.
5. In the INTEL(R) ME PLATFORM CONFIGURATION window, select Activate Network Access and press Enter. Press Y when prompted.
6. Select Exit in the Intel MEBx MAIN MENU window to exit the MEBx.

• Automatic setup and configuration mode

1. Repeatedly press and release Ctrl+P when turning on the computer. When you see the Intel Management Engine BIOS Extension window, release the Ctrl and P keys. Press 1 to enter the Intel MEBx MAIN MENU window. Type the default password admin and then change the Intel ME password.
2. Select Intel(R) ME General Settings → Network Setup → TCP/IP Settings. Configure TCP/IP settings in the TCP/IP SETTINGS window.
3. Select Intel(R) ME General Settings → Remote Setup And Configuration → TLS PKI or TLS PSK. Set your valid hash or PID/PPS.
4. Select Intel(R) ME General Settings → Remote Setup And Configuration → RCFG. The INTEL(R) REMOTE CONFIGURATION window opens. Select Start Configuration and press Enter. Press Y when you are prompted to activate the remote configuration.
5. Select Exit in the Intel MEBx MAIN MENU window to exit the MEBx.
6. Wait until the provisioning server successfully provisions your Intel AMT computer.


Note: You can refer to detailed configuration examples for both manual setup and configuration mode and automatic setup and configuration mode in Appendix A, “Examples of configuring Intel AMT in manual and automatic setup and configuration modes”.

Logging on to the client

The client can be accessed from a management console on the network that has a supported Web browser.

1. Open a Web browser on the management console and type one of the following in the address box:
• For manual setup and configuration mode: http://IP_Address:16992 (for example, http://192.168.1.13:16992)
• For automatic setup and configuration mode (for TLS): https://IP_Address:16993 (for example, https://192.168.1.13:16993)
2. Click Log On in the Intel Active Management Technology window.
3. In the Enter Network Password window, enter your username and password and then click OK. You will go to the client Web user interface.

Functions in the Web user interface

The Web user interface enables you to perform the following tasks:
• View the system status
• View the hardware information of your AMT computer, including system, processor, memory, and hard disk drive
• View, start, stop, and clear event logs
• Remote power control, including: turn the computer off, cycle power off and on, reset, normal startup, start the computer from a local optical drive, and start the computer from a local hard disk drive
• View and manage the Intel AMT power policies
• View and manage the Intel AMT network settings
• View and manage the Intel AMT IPv6 network settings
• View and manage the Intel AMT system name settings
• View and manage the Intel AMT user accounts


Appendix A. Examples of configuring Intel AMT in manual and automatic setup and configuration modes

This appendix provides examples of configuring Intel AMT in manual and automatic setup and configuration modes.

Configuring Intel AMT in manual setup and configuration mode

The following are quick steps for configuring Intel AMT in manual setup and configuration mode:

1. Repeatedly press and release Ctrl+P when turning on the computer. When you see the Intel Management Engine BIOS Extension window, release the Ctrl and P keys. Press 1 to enter the Intel MEBx MAIN MENU window. Type the default password admin and then change the Intel ME password.
2. Select Intel(R) ME General Settings → Network Setup → Intel(R) ME Network Name Settings.
3. In the INTEL(R) ME NETWORK NAME SETTINGS window, configure the host name and domain name for your Intel AMT computer.
4. In the INTEL(R) ME PLATFORM CONFIGURATION window, select Power Control.
5. Select Intel(R) ME ON in Host Sleep States and press Enter.
6. Select Desktop: ON in S0, ME Wake in S3, S4-5 and press Enter.
7. In the INTEL(R) ME PLATFORM CONFIGURATION window, select Activate Network Access and press Enter. Press Y when prompted.
8. Select Exit in the Intel MEBx MAIN MENU window to exit the MEBx.

Configuring Intel AMT in automatic setup and configuration mode

There are the following two configuration methods in automatic setup and configuration mode:
• “ZTC provisioning”
• “USB provisioning”

ZTC provisioning

This section provides instructions on how to use the ZTC provisioning method.

1. Repeatedly press and release Ctrl+P when turning on the computer. When you see the Intel Management Engine BIOS Extension window, release the Ctrl and P keys. Press 1 to enter the Intel MEBx MAIN MENU window. Type the default password admin and then change the Intel ME password.
2. Select Intel(R) ME General Settings → Network Setup → Intel(R) ME Network Name Settings.
3. In the INTEL(R) ME NETWORK NAME SETTINGS window, configure the domain name for your Intel AMT computer.
4. In the INTEL(R) ME PLATFORM CONFIGURATION window, select Remote Setup And Configuration → TLS PKI → Manage Hashes. Press Insert and then set up your own certificate hashes.
5. In the INTEL(R) ME PLATFORM CONFIGURATION window, select Power Control → Intel(R) ME ON in Host Sleep States.


6. Select Desktop: ON in S0, ME Wake in S3, S4-5 and press Enter.
7. In the INTEL(R) ME PLATFORM CONFIGURATION window, select Remote Setup And Configuration → RCFG.
8. Select Start Configuration and press Enter. Press Y when prompted.
9. Select Exit in the Intel MEBx MAIN MENU window to exit the MEBx.

USB provisioning

This section provides instructions on how to use the USB provisioning method.

1. Repeatedly press and release the F1 key when turning on the Intel AMT computer. When you hear multiple beeps or see a logo screen, release the F1 key. The Setup Utility program starts.
2. From the Setup Utility program main menu, select Advanced → Intel(R) AMT → Intel(R) AMT Reset. Select Enabled and press Enter.
3. Press F10 to save your settings and exit the Setup Utility program. The computer will restart to reset all Intel ME settings to factory default settings.
4. Press Y when you are prompted to continue with the Intel ME unconfiguration.
5. Format your USB memory key into FAT format.
6. Use an ISV application to create a USB key file named setup.bin on the management console.
7. Export the setup.bin file to your USB memory key.
8. Connect the USB memory key to your Intel AMT computer and restart your computer from the USB memory key.
9. You will receive a message "Found USB Key for provisioning. Continue with Auto Provisioning (Y/N)." Press Y and then the USB provisioning will be automatically completed.


Appendix B. Factory default settings for the Intel MEBx

The following table introduces the factory default settings for the Intel MEBx.

Table 3. Factory default settings for the Intel MEBx

| Option | Default setting | Option | Default setting |
| --- | --- | --- | --- |
| Intel MEBx default password | admin | Delete PID and PPS | This will delete the PID and PPS entries. Continue: (Y/N) |
| Intel(R) ME State Control | ENABLED | Remote Configuration | ENABLED |
| Change ME Password | Blank | PKI DNS Suffix | Blank |
| Password Policy | Blank | Manage Hashes | VeriSign Class 3 Primary CA-G1; VeriSign Class 3 Primary CA-G3; Go Daddy Class 2 CA; Comodo AAA CA; Starfield Class 2 CA; Verisign Class 3 Primary CA-G2 |
| Host Name | Blank | Local FW Update Qualifier | Always Open |
| Domain Name | Blank | Secure FW Update | ENABLED |
| Shared/Dedicated FQDN | Shared | Set PRTC | Blank |
| Dynamic DNS Update | DISABLED | Intel(R) ME ON in Host Sleep States | Desktop: ON in S0 |
| DHCP Mode | ENABLED | Idle Timeout | 65535 |
| IPV6 Feature Selection | DISABLED | Manageability Feature Selection | ENABLED |
| Activate Network Access | Activates the current network settings and opens the ME network interface. Continue: (Y/N) | Username & Password | ENABLED |
| Unconfigure Network Access | Full Unprovision | SOL | ENABLED |
| Current Provisioning Mode | Provisioning Mode: PKI | IDER | ENABLED |
| Provisioning Record | Provision Record is not present | Legacy Redirection Mode | DISABLED |
| Start Configuration | This will activate Remote Configuration. Continue: (Y/N) | KVM Feature Selection | ENABLED |
| Provisioning Server IPV4/IPV6 | Blank | User Opt-in | User Consent is required for KVM Session |
| Provisioning Server FQDN | Blank | Opt-in Configuration from remote IT | Enable Remote Control of KVM Opt-In Policy |
| Set PID and PPS | Blank | Intel(R) Quiet System Technology Configuration | ENABLED |
| TTL | 900 | Periodic Update Interval | 1440 |


Appendix C. Notices

Lenovo may not offer the products, services, or features discussed in this document in all countries. Consult your local Lenovo representative for information on the products and services currently available in your area. Any reference to a Lenovo product, program, or service is not intended to state or imply that only that Lenovo product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any Lenovo intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any other product, program, or service.

Lenovo may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

Lenovo (United States), Inc
1009 Think Place
Building One
Morrisville, NC 27560
USA
Attention: Lenovo Director of Licensing

LENOVO GROUP LTD. PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. Lenovo may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

The products described in this document are not intended for use in implantation or other life support applications where malfunction may result in injury or death to persons. The information contained in this document does not affect or change Lenovo product specifications or warranties. Nothing in this document shall operate as an express or implied license or indemnity under the intellectual property rights of Lenovo or third parties. All information contained in this document was obtained in specific environments and is presented as an illustration. The result obtained in other operating environments may vary.

Lenovo may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Any references in this publication to non-Lenovo Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this Lenovo product, and use of those Web sites is at your own risk.


Any performance data contained herein was determined in a controlled environment. Therefore, the result in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Trademarks

Lenovo, the Lenovo logo, and ThinkCentre are trademarks of Lenovo in the United States, other countries, or both.

Microsoft and Windows are trademarks of the Microsoft group of companies.

Intel and Intel vPro are trademarks of Intel Corporation in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.


Part Number: 89Y0880

Printed in USA
