HP Business Notebook Intel® vPro™ setup and configuration 2011 Business Notebook Models - Technical white paper

remote console application initiates the process by communicating with the ME through the HECI
driver. This requires a functional OS and agent to be installed on the AMT system. Optionally, OTP
authentication can be used. The remote console provides the OTP to the AMT system and to the SCS.
Consult your ISV management console provider for details on OS agents for Delayed remote
configuration support.
Remote configuration timeouts in HP systems
HP notebook PCs are shipped from the factory with the Remote Configuration Timer set to 0 (no Hello
message broadcasting). In order to enable ME to broadcast Hello messages, an Activator local agent
must be used.
The Activator local agent will typically set ME to broadcast Hello messages for 6 hours when the ME
is active and the system is connected to a network. Consult your ISV management console provider
for exact details concerning Delayed remote configuration timeouts.
If no SCS responds to the Hello messages within the timeout period, then the network interface that
sends out the Hello messages will be disabled.
The network interface can be re-enabled to send out Hello messages again by the following methods:
• Restarted by a local agent.
• Partial Unprovisioning through the MEBx.
Once the network interface has been re-enabled it will send out Hello messages for the next 6
hours as long as the ME is active and the system is connected to a network.
Remote configuration prerequisites
RCFG requires certain prerequisites before it can be used.
• Both the AMT system and the SCS must be on a DHCP server. The SCS must have the name of
  “Provisionserver” or if not, it must have an alias in DNS, and be on the same domain as the AMT
  system.
• The AMT system must have at least one pre-programmed active root certificate hash.
• The SCS must have a server certificate with the proper OID or OU values.
  • OID value in the Extended Key Usage field = 2.16.840.1.113741.1.2.3
    This is the unique Intel AMT OID.
  • OU value in Subject field = “Intel(R) Client Setup Certificate”
    This OU value is case sensitive and must be entered exactly as shown.
• In the case of a Delayed Setup and Configuration, an OS and local agent must be installed on the
  AMT system.
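The certificate prerequisite above can be checked before the SCS is put into service. The following is an added example, not code from HP or Intel: it assumes the server certificate has been dumped to text with `openssl x509 -noout -text`, and the two sample dumps and all function names are constructed for illustration.

```python
import re

AMT_EKU_OID = "2.16.840.1.113741.1.2.3"        # OID from the prerequisites above
AMT_OU = "Intel(R) Client Setup Certificate"   # OU from the prerequisites above

def subject_ous(cert_text):
    """OU values on the 'Subject:' line ('OU = x' and 'OU=x' both accepted)."""
    m = re.search(r"^\s*Subject:\s*(.*)$", cert_text, re.MULTILINE)
    if not m:
        return []
    # Simplification: a value is taken to end at the next comma.
    return [v.strip() for v in re.findall(r"(?:^|,\s*)OU\s*=\s*([^,]+)", m.group(1))]

def eku_entries(cert_text):
    """Entries on the line that follows 'X509v3 Extended Key Usage:'."""
    m = re.search(r"X509v3 Extended Key Usage:[^\n]*\n\s*([^\n]+)", cert_text)
    return [e.strip() for e in m.group(1).split(",")] if m else []

def rcfg_cert_check(cert_text):
    """Report which of the two accepted markers the certificate carries."""
    ous = subject_ous(cert_text)
    has_oid = AMT_EKU_OID in eku_entries(cert_text)
    has_ou = AMT_OU in ous                      # exact, case-sensitive comparison
    # OU values that differ from the required string only by letter case
    case_mismatch = [ou for ou in ous if ou != AMT_OU and ou.lower() == AMT_OU.lower()]
    return {"eku_oid": has_oid, "ou": has_ou,
            "ou_case_mismatch": case_mismatch, "ok": has_oid or has_ou}

# Constructed sample output (not from a real certificate).
SAMPLE_WITH_OID = """\
        Subject: C = US, O = Example Corp, CN = provisionserver.example.com
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, 2.16.840.1.113741.1.2.3
"""
SAMPLE_WRONG_CASE_OU = """\
        Subject: O = Example Corp, OU = Intel(R) client setup certificate, CN = scs.example.com
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""

if __name__ == "__main__":
    for name, text in (("with OID", SAMPLE_WITH_OID), ("wrong-case OU", SAMPLE_WRONG_CASE_OU)):
        print(name, rcfg_cert_check(text))
```

The second sample fails only because of letter case in the OU, which is the failure the case-sensitivity note warns about; `ou_case_mismatch` surfaces it so the certificate request can be corrected.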
MEBx and Hashes
AMT 7.0 has a feature in MEBx that allows IT administrators to manually activate a hash and add up
to three additional certificate hashes. To enter the Remote Configuration screen in the MEBx:
1. Press CTRL-P to enter the MEBx and enter the MEBx password.
2. Go into the Intel AMT Configuration option.
3. Go into the Setup and Configuration option.
4. Choose the TLS PKI option.