Intel vPro Technology Setup and Configuration Guide

ManualsBrandsIntel ManualsOtherIntel Desktop Board DQ57TM

Intel® Desktop Boards

DQ67SW, DQ67EP, DQ67OW

Intel® vPro™ Technology Setup and

Configuration Guide

September 2011

Part Number: G45734-001

Summary of content (33 pages)

PAGE 1
Intel® Desktop Boards DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide September 2011 Part Number: G45734-001
PAGE 2
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide Revision History Revision Revision History Date -001 First release of the Intel® vPro™ Technology Setup and Configuration Guide for Intel® Desktop Boards DQ67SW, DQ67EP, DQ67OW September 2011 INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL® PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT.
PAGE 3
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide Contents Revision History..................................................................................................................................................................... 2 Contents ..................................................................................................................................................................................... 3 Figures....................
PAGE 4
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide Figure 14. Figure 15. Figure 16. Figure 17. Figure 18. Figure 19. Figure 20. Figure 21. Figure 22. Figure 23. Figure 24. Figure 25. Figure 26. Figure 27. Figure 28. Figure 29. Figure 30. Figure 31. Figure 32. Figure 33. Figure 34. Figure 35. Intel AMT TLS with PSK Provisioning Passphrase (PPS) .................................................... 17 Intel AMT - Local Configuration .............................
PAGE 5
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide Preface This Setup and Configuration Guide specifies the steps necessary for enabling the different features of Intel® vPro™ technology for the Intel® Desktop Boards DQ67SW, DQ67EP and DQ67OW. It does not cover the various third-party software applications that take advantage of these features.
PAGE 6
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide Feature Summary Intel Desktop Boards DQ67SW, DQ67EP and DQ67OW support the Intel® Core™ i3, Intel® Core™ i5, Intel® Core™ i7, and Intel® Xeon® E3 processor families in the LGA1155 package. They use the Intel® Q67 Express Chipset to provide the latest in remote management via Intel® vPro™ technology. Table 1 summarizes the major Intel® vPro™ technology features of the board.
PAGE 7
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide 1. Intel® vPro™ Technology Setup and Configuration 1.1 BIOS Setup 1.1.1 Overview The Intel Desktop Boards DQ67SW, DQ67EP and DQ67OW BIOS interface is based upon the UEFI specification. As a result, the Intel® vPro™ technology features are accessed from the BIOS Setup screens. The menus of interest to the Intel vPro technology user are Configuration, Security and Intel® Management Engine (Intel® ME).
PAGE 8
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide Figure 2. BIOS Setup - Main Menu 1.1.3 BIOS Setup – Configuration Menu The Configuration Menu, shown in Figure 3, contains settings for On-Board Devices, as well as access to the system Event Log.
PAGE 9
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide Figure 3. BIOS Setup - Configuration Menu TPM is enabled or disabled by means of the Configuration / On-Board Devices menu as shown in Figure 4. Figure 4.
PAGE 10
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide 1.1.4 BIOS Setup – Security Menu Figure 5 displays the Security menu. This menu gives you access to virtualization-related features such as Intel VT, Intel TXT and Intel VT-d. It also allows you to set passwords for platform- and hard drive-level security and to control the Execute Disable Bit (XD) technology and Chassis Intrusion features. Figure 5.
PAGE 11
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide 1.1.5 BIOS Setup – Intel® ME Menu When first accessing the Intel ME menu, the user will be asked to change the default password of “admin”. The new password must be at least eight characters long and be composed of upper- and lower-case letters, numbers and symbols (excluding colon, comma and double quotes). Figure 6 illustrates the initial Intel ME menu. Figure 6.
PAGE 12
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide Once the administrator password is set, the user is presented the Intel ME main menu, shown in Figure 7. Figure 7.
PAGE 13
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide 1.1.5.1 Intel ME – Intel ME Configuration Under the Intel ME Configuration menu, the user will be able to disable Intel AMT (enabled by default); select the Intel ME Power Policy; and set the Idle Timeout, the amount of time, in seconds, Intel ME must be idle before it will enter its lowest-power state (valid values are from 1 – 65535). These options are shown in Figure 8. Figure 8.
PAGE 14
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide 1.1.5.2 Intel® ME – Intel® AMT Configuration Figure 9 displays the main Intel AMT Configuration screen. From here, the user can select the Setup and Configuration (Provisioning) Mode as well as reset Intel AMT back to factory defaults (except the Intel ME administrator password). Figure 9.
PAGE 15
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide 1.1.5.2.1 Intel AMT Configuration – Remote Configuration Once the user selects the provisioning mode to use, the detailed settings of these modes can be viewed and configured. Figure 10 shows the details of Remote Setup and Configuration Mode (previously known as Enterprise, or Standard/Advanced, Provisioning). Figure 10.
PAGE 16
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide 1.1.5.2.1.1 Remote Configuration – TLS with PKI Figure 11 shows the options for TLS with PKI configuration. Figure 12 follows with a view of the Permanent Certificate Manager; the User Certificate Manager operates in a similar manner. Figure 11. Intel AMT TLS with PKI Provisioning Options Figure 12.
PAGE 17
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide 1.1.5.2.1.2 Remote Configuration – TLS with PSK For TLS with PSK, the options are shown in Figure 13. The Provisioning Identifier (PID) is an eight-character string formatted as two quartets separated by a dash. Figure 13. Intel AMT TLS with PSK Provisioning Identifier (PID) Figure 14.
PAGE 18
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide 1.1.5.2.2 Intel AMT Configuration – Local Configuration As can be seen from Figure 15 through Figure 17, the user can manually set Computer and Domain Name in the Local Setup and Configuration screen (previously known as SMB/Small-Medium Business Mode).
PAGE 19
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide Figure 16. Intel AMT - Local Configuration, IPV4 Configuration Options Figure 17.
PAGE 20
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide 1.1.5.2.3 Intel AMT Configuration – Other Options The following screens highlight several of the common features of Intel AMT provisioning. These include: SOL/IDE-R (Serial-over-LAN/IDE-Redirection) configuration in Figure 18; KVM Remote Control (Keyboard Video Mouse) Configuration in Figure 19; and PRTC (Protected Real Time Clock). Figure 18.
PAGE 21
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide Figure 19. Intel AMT KVM Remote Control Configuration As shown in Figure 19, the options for KVM Remote Control not only include enabling and disabling the KVM Remote Control feature, but also include the ability to set the level of user-controlled security.
PAGE 22
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide 1.2 Intel® AMT – Quick Configuration: Local As described in the previous sections, Intel AMT Setup and Configuration is divided into two provisioning modes: Local (aka SMB or Basic) and Remote (aka Enterprise or Standard/Advanced). To provision Intel Desktop Boards DQ67SW, DQ67EP and DQ67OW in Local Mode, the user needs to: - Enter Intel ME in BIOS Setup.
PAGE 23
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide Figure 21 and Figure 22 show the results of the MEINFO utility before and after Local Configuration. Figure 21. MEINFO Output - Intel AMT Defaults Figure 22. MEINFO Output - Local Configuration The platform is now ready for remote management.
PAGE 24
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide 1.3 Intel AMT – Remote Configuration, TLS-PSK Intel AMT Remote Configuration using TLS with PSK can be configured manually as shown in Section 1.1.5.2.1.2 and Figure 13 and Figure 14, or the user can insert a USB flash drive containing a SETUP.BIN file created by a Setup and Configuration Server (SCS). This method of provisioning is known as One Touch Configuration.
PAGE 25
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide 1.4 Intel AMT – Remote Configuration, TLS-PKI TLS with PKI configuration requires a provisioning server configured with an Intel AMT Remote Configuration certificate that is rooted in one of the 15 pre-installed permanent certificates. This method of configuration is shown in Section 1.1.5.2.1.1 and Figure 11 and Figure 12.
PAGE 26
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide Figure 25.
PAGE 27
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide 1.7 KVM Remote Control KVM Remote Control is available on Intel vPro Q67 Express Chipset-based desktop boards that contain 2011 Intel Core i5 and Core i7 vPro and Intel Xeon processors with integrated Intel HD Graphics. Note: KVM Remote Control is not supported on platforms with discrete graphics. Note: For the purposes of this guide, the Intel AMT client system is provisioned in Local (SMB) mode.
PAGE 28
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide Figure 28. VNC Viewer+ Management Console Access Code Screen Figure 29.
PAGE 29
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide 1.8 Intel® Identity Protection Technology (Intel® IPT) Although not part of Intel vPro technology, Intel® Identity Protection Technology (Intel® IPT) is an integral element in Intel’s comprehensive security model. Intel IPT is available on most Intel Desktop Boards with 6 Series Express chipsets.
PAGE 30
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide 1.9 BIOS Maintenance Mode A quick way to reset Intel AMT to default settings (including the Intel ME administrator password) is to enter BIOS Maintenance Mode. This is done by moving the BIOS_CFG jumper from the Normal to the Config position and powering on the board (see Figure 35 for location).
PAGE 31
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide During reset, the screen of Figure 33 is shown. Once finished, the user will receive the notification shown in Figure 34. The user must then save and exit BIOS Setup, power off the system and restore the BIOS_CFG jumper back to the Normal position. These steps are necessary for proper reset of Intel AMT. Figure 33. Intel AMT Reset in Progress Figure 34.
PAGE 32
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide One other way to reset Intel AMT back to defaults is to use the MEBX_RST header. First, the user must remove all power from the board. A jumper is then placed for 5 seconds shorting pins 1 and 2 of the MEBX_RST header. It is imperative that the jumper is removed before power is reapplied to the board. Failure to do so may cause damage to the board and/or its firmware.
PAGE 33
Intel® Desktop Board DQ67SW, DQ67EP, DQ67OW Intel® vPro™ Technology Setup and Configuration Guide 2. References http://www.intel.com/support/vpro/sb/CS-030703.htm for a complete list of 1st- and 2ndgeneration Intel Core i5 and Core i7 vPro processors. http://www.intel.com/content/www/us/en/processors/vpro/vpro-technology-referenceguide.html for a high-level overview of Intel vPro technology and use cases. http://www.intel.com/technology/security/downloads/TrustedExec_Overview.