Enable KVM AMT on Dell 9020

osk866 · October 22, 2020, 2:51pm

I have a Dell 9020 (called Eastburn), chipset is Intel 8 Series/C220 (found by looking in Device Manager). I’m trying to enable ME on it, ideally full vPro. With (a lot) help from plutomaniac we managed to upgrade Dell 7070 ME to vPro - Upgrade Dell Optiplex 7070 ME from Standard to Intel Managed vPro (2) but with this 9020 I’m stuck.

A bit of background…

From the F12 boot menu there was no MEBx option, CTRL-P didn’t do anything either. It looks like ME was disabled. The BIOS version was A08 (I think, didn’t note this down but it was old, A08 or A09).

I pursued anyway and downloaded ‘Intel ME System Tools v9.1 r7 - (2018-09-01) For 8/9/X99/C220/C610-series systems which run ME v9.0 - v9.1’ (https://mega.nz/#!uQV12IxD!KGAUutQZrdL7TC8p_nVi_NoVa8RESugQhzGkt5K5EWU) and saved on USB stick. I then proceeded with the following steps.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50

- Turn off PC
- Add Service Jumper
- Turn PC on
- Press F1 when warned about the PC booting into service model
- Boot into Windows, log in as local admin
- Run an admin cmd window
- cd to USB drive.
- cd E:\Intel ME System Tools v9.1 r7\Flash Programming Tool\WIN64
- run fptw64.exe -d eastburn.bin -me
- move eastburn.bin e:\
- cd "e:\Intel ME System Tools v9.1 r7\Flash Image Tool\WIN32\
- run fitc.exe
- load e:\eastburn.bin
- expand 'ME Region' -> 'Confirmation' -> 'Features Supported'
- Set the following:
    "Enable Intel (R) Standard Manageability; Disable Intel (R) AMT" = No
    "Manageability Application Permanently Disabled?" = No
    "PAVP Permanently Disabled?" = No
    "KVM Permanently Disabled?" = No
    "TLS Permanently Disabled?" = No
    "Intel (R) Anti-Theft Technology Permanently Disabled?" = Yes
    "Intel (R) ME Network Service Permanently Disabled?" = No
    "Service Advertisement and Discovery Permanently Disabled?" = No
    "Manageability Application Enable/Disable" = Enabled
- Expand 'Descriptor Region' -> 'Descriptor Map'
- Set 'Number of Flash Components' = 0
- Build menu -> Build Settings -> untick 'Generate intermediate build files'
- File -> SaveAs -> E:\Intel ME System Tools v9.1 r7\Flash Image Tool\WIN32\eastburn.xml
- Build menu -> Build.  Yes to prompt for 'Are you sure you want to choose the Boot Guard Profile: "Boot Guard Profile 0 - No_FVME" for this build?'
- Output .bin file will be "E:\Intel ME System Tools v9.1 r7\Flash Image Tool\WIN32\Build\outimage.bin"
- copy outimage.bin to "E:\Intel ME System Tools v9.1 r7\Flash Programming Tool\WIN64\outimage.bin"
- cd E:\Intel ME System Tools v9.1 r7\Flash Programming Tool\WIN64
- run fptw64.exe -f outimage.bin -me MAKE SURE YOU INCLUDE THE -me SWITCH.  Answer Y to '...fill enough data...'
- run fptw64.exe -greset
- pc reboots. Remove service jumper when PC is shutdown.
- turn pc on.  It may restart a few times, then it will boot OS.
- reboot PC this time boot into the MEBx menu and configure settings with:
    MEBx login -> default password is 'admin', change to 'Jacobs5%' (no quotes)
    Intel AMT Configuration ->  Manageability Feature Selection = Enabled
                                User Consent -> User opt-in = None
                                                Opt-in configuratuion from remote IT = Disabled
                                Network setup ->  Intel ME Network Name Settings ->  Host name = (blank)
                                                                                    Domain name = (blank)
                                                                                    Shared/Dedicated FQDN = Shared
                                                                                    Dynamic DNS update = Disabled
                                                  TCP/IP settings -> Wired Lan IPv4 Configuration ->  DHCP mode = Enabled
                                Activate Network Access = Y (should change to 'Full Unprovision'
 
- Exit the MEBx menu and boot the OS.  Access is now visible via MeshCentral, MeshCommander etc.

At this point I have an AMT available PC, the 'System Status' output in MechCommander shows:

but there’s no KVM, no remote desktop option in ‘Active Features’.

I then upgraded the BIOS using an exe from Dell for the 9020 model, A05. Rebooted the PC, F12, run the upgrade BIOS option, upgraded to A25.

Rebooted, F12, check the MEBx settings are as above. Booted back onto the OS (Win10)

Still no KVM option. If in MechCommander I try to enable ‘IDE Redirection’ in ‘Active Features’ I can tick the IDE box, OK the window but when I refresh the ‘System Status’ window ‘IDE Redirection’ is turned off again.

The question is what have I done wrong to not enable KVM? Was it that I set up AMT with the old BIOS? Help.

A copy of the eastburn.bin file created after running Build is at HERE

Thank you in advance for any guidance.

plutomaniac · October 22, 2020, 3:09pm

I don’t see something wrong in the procedure (you could also disable Hide FW Update Control at Configuration > ME to have that option in MEBx but that’s not KVM related). What I suggest is to dump the entire SPI image, follow [Guide] Clean Dumped Intel Engine (CS)ME/(CS)TXE Regions with Data Initialization and adjust all AMT settings during Step 5. Basically do a ME firmware cleanup while also adjusting AMT settings to your preference. Once you flash it back and restore the jumper, remove all power from the system (AC, battery) for 1 minute and press the power button a few times while it’s off. Plug it back in and test if everything is working.

lfb6 · October 22, 2020, 3:36pm

Which CPU?

osk866 · October 22, 2020, 4:03pm

Thanks for your quick reply. I’ve just done as you suggested, exactly the same result, KVM not available.

Is it possible that KVM isn’t available on all Intel AMT?

Can the order of enabling AMT and upgrading the BIOS make KVM work or not work?

Thanks

osk866 · October 22, 2020, 4:05pm

Intel Core i3-4150 3.5GHz

lfb6 · October 22, 2020, 4:14pm

Core i3 isn’t vpro capable. If you put it into a machine with vpro- enabled ME you’ll get some standard manageability features but no full AMT. Put in an i5 and it’ll work.

https://ark.intel.com/content/www/us/en/…e-3-50-ghz.html
Check: “Intel vPro® Platform Eligibility”

(For Haswell it’s mormally i5 and i7, but not the i7-‘K’ types, Xeon E3 v3)

osk866 · October 22, 2020, 4:16pm

That’s it, thank you, I should of checked this.

Thanks again, I can now stop banging my head against the wall :).

Cheers

lfb6 · October 22, 2020, 4:28pm

Don’t worry and don’t do that to the wall. I have a Q87 board with an i5-4570 just for testing and changed the cpu once for an pentium- needed the i5 another place. Took me some weeks later several hours to find out what was wrong to vpro since I had forgotten that cpu exchange completely…