Intel Unite® Hub Configuration on Dell OptiPlex micro PCs

Intel Unite® Software installers do not automatically configure Windows OS or Dell OptiPlex BIOS options for the hub platform. It is important to carefully read the security section of the Intel Standalone or Enterprise setup guides to determine security best practices. The Intel setup and configuration guides are general in nature, so we created this section in TechCenter to help clarify some of the security configuration details, especially as they relate to your Dell OptiPlex 9020, 7040, or 7050 micro Hub PCs.

**Please Note: Intel Unite Hub SW cannot be installed nor configured on replacement motherboards or refurbished systems. A new factory-configured system is required.**

1.1  Kiosk or Unattended OS configuration

Intel Unite® Hubs can be installed as completely unattended Windows PCs when deployed in conference rooms. For this reason, it’s important to consider configuring the OS and BIOS of Intel Unite® Hubs as if a user is not expected to interact with the PC locally. This unattended deployment configuration is common where PCs are used in public displays or public compute solutions (e.g. PCs deployed for use in marketing displays, information kiosks, airport gate information displays, etc.). Many of the configuration recommendations in the Intel Deployment guides are based on learnings and common practices in those types of environments.

The Intel_Unite_Enterprise_Deployment_Guide.PDF sections 5.4 and 5.5 provide OS configuration recommendations for improving usability and security of the hub, summarized below.

1.1.1 Microsoft Windows should automatically login the domain or user account for Intel Unite®

This can be accomplished a number of ways, and your IT organization may have established practices for creating Kiosk or unattended OS login configurations already.

If existing policies are not available, you may want to investigate using the Windows Sysinternals Autologon configuration utility from Microsoft.

1.1.2  Windows Power Configuration Recommendations:

Intel provides several recommendations for power management settings to help create a seamless user experience for unattended Hubs. This excerpt from the Intel_Unite_Enterprise_Deployment_Guide.PDF is included here as a reference:

      • Screen savers should be disabled
      • The system should be set to never go to standby
      • The system should be set never to log out
      • Display should be set to never turn off
      • System alerts should be suppressed

Many of these settings can be managed with a command line utility such as Microsoft’s native Windows Powercfg utility.

You can also configure these settings using Windows Group Policy. Group Policy references like this one may help you find the appropriate settings for each of the Intel power management recommendations. The policy options can vary slightly depending on the OS, but for Windows 7, 8.1, and 10, the Windows 10 ADMX spreadsheet.xlsx contains options for the older OSes as well.

Here are some examples of policy configuration options:

Setting “Enable Screen Saver” to “Disable” will prevent screen savers from running.

Setting “Specify the unattended sleep timeout” to “0” will prevent the OS from sleeping automatically.
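The standby, hibernate, display and screen saver recommendations above, applied with Powercfg and read back, as an added example that is not taken from the Intel or Dell guides. It assumes an elevated PowerShell session under the hub's auto-logon account and English-language powercfg output.

```powershell
# Added example: apply the "never sleep / never blank" recommendations on AC power
# and read each value back. Run elevated, as the account the hub logs on with.
$settings = @(
    @{ Change = 'standby-timeout-ac';   Sub = 'SUB_SLEEP'; Name = 'STANDBYIDLE'   },  # never go to standby
    @{ Change = 'hibernate-timeout-ac'; Sub = 'SUB_SLEEP'; Name = 'HIBERNATEIDLE' },  # never hibernate
    @{ Change = 'monitor-timeout-ac';   Sub = 'SUB_VIDEO'; Name = 'VIDEOIDLE'     }   # display never turns off
)

function Test-HubPowerSetting {
    param([hashtable]$Setting)
    # A timeout of 0 (never) is reported as "Current AC Power Setting Index: 0x00000000".
    # Assumption: English-language powercfg output.
    $out = powercfg /query SCHEME_CURRENT $Setting.Sub $Setting.Name
    [bool]($out -match 'Current AC Power Setting Index:\s+0x0+\s*$')
}

foreach ($s in $settings) {
    powercfg /change $s.Change 0          # 0 minutes = never
    if ($LASTEXITCODE -ne 0) { throw "powercfg /change $($s.Change) failed" }
    if (-not (Test-HubPowerSetting $s)) { Write-Warning "$($s.Name) is not 0 after the change" }
}

# The "Enable screen saver" policy set to Disabled is stored per user as ScreenSaveActive = "0".
$key = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$val = (Get-ItemProperty -Path $key -Name ScreenSaveActive -ErrorAction SilentlyContinue).ScreenSaveActive
if ($val -ne '0') { Write-Warning 'Screen saver policy is not applied for this user' }
```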

1.2  Intel® vPro™ Configuration for Intel Unite® Hubs

All Dell OptiPlex 9020, 7040, or 7050 micro PCs shipped with the Intel Unite® SKU are capable of supporting Intel® vPro™, and Intel Active Management Technology (AMT).

Deploying vPro with Intel AMT is optional for Intel Unite® deployments, but it does provide some benefits, in that it allows you to remotely manage all of your Hub PCs out of band, even if the OS is not accessible.

Using AMT to remotely manage your Hubs means that you can remotely configure all of the BIOS settings required, monitor the Hub status, and even remediate issues from a remote console in real time using Intel’s integrated remote KVM.

The Intel Setup and Configuration Software page has some helpful information regarding how to configure vPro in your enterprise environment, including a detailed SCS deployment guide which can walk you through how to discover and provision your vPro-enabled Hubs remotely, after they have been deployed in your network.

When combined with USB disable and restricted BIOS boot policies described below, enabling vPro AMT can help to transform your Hub into an embedded PC.

1.3  Dell BIOS configuration for Intel Unite® Hubs

Intel Unite does not require any BIOS configuration for basic functionality, but there are some Dell OptiPlex BIOS settings that can improve the robustness of the installation.

The Dell OptiPlex BIOS settings for Intel® Unite™ can be managed either locally in the Dell BIOS setup menu, or remotely using the Dell Client Command Suite.

Local configuration:

For local hands-on configuration, the BIOS setup menu can be accessed during the boot sequence by pressing the <F2> key when the Dell logo is displayed. Please refer to the OptiPlex 9020 micro owner’s manual for information regarding how to use the Dell BIOS setup menu.

Remote configuration:

For remote configuration, the Dell Client Command Suite offers several manual or script-ready options for editing BIOS setup options.

The Dell Command | Configure utility allows both command-line and graphical solutions.

The Dell Command | PowerShell Provider allows for scripting using Microsoft Windows PowerShell.

If you are also taking advantage of the vPro capabilities of your OptiPlex 9020, 7040, or 7050 micro PC, you can use the Dell Command | Intel vPro Out of Band to remotely configure the BIOS settings.

The Dell Command | Intel vPro Out of Band plugin for the Dell Command | Integration Suite for Microsoft System Center also allows you to remotely configure the BIOS settings.

 

1.3.1  Dell BIOS Setup Password

Dell recommends configuring a BIOS Setup Password to protect the configuration selections in the BIOS setup menu.

This setting can be found under the Settings > Security > Admin Password menu in BIOS setup.

With the Dell Command | Configure tool, the command line option is:

--setuppwd=<new-password>

As an additional benefit, setting the BIOS setup password will not only prevent changes to BIOS setup, but it will also restrict <F12> boot menu choices, if unused boot devices are disabled in the Advanced Boot Options menu.

1.3.2  Intel® TXT BIOS option

Intel® Trusted Execution Technology (TXT) is supported, but not enabled in BIOS by default on Dell OptiPlex systems, including those offered for use with Intel Unite®.

Dell does not recommend enabling TXT in BIOS setup without a supported Measured Launch Environment (MLE). The TXT BIOS option should only be enabled if the operating system will be replaced with a Virtual Machine Monitor (VMM) or Type 2 Hypervisor capable of launching Intel TXT MLEs. For more information regarding supported software vendors and setup of Intel TXT MLEs, please refer to Intel’s TXT information site: www.intel.com/txt

For more info on the usage and deployment of Intel TXT on client systems: https://software.intel.com/en-us/articles/intel-trusted-execution-technology-intel-txt-enabling-guide

Intel TXT is disabled by default in BIOS setup. To confirm this setting, it can be found under the Settings > Virtualization Support > Trusted Execution menu in BIOS setup.

With the Dell Command | Configure tool, the command line option is:

--trustexecution=off

1.3.3  USB Boot and USB Port disable

It is possible to disable USB functionality inside of the OS; however, Dell also recommends using BIOS to disable USB input and storage devices to improve the security of the OS. These settings will prevent all USB devices from being exposed to the OS, so

The USB port settings can be found under the Settings > System Configuration > USB Configuration menu in BIOS setup.

With the Dell Command | Configure tool, the command line option is:

--usbports=disable

In cases where BIOS-level USB disable is not possible, there are options within the Intel Unite® Hub application which can disable keyboard/mouse devices from within the OS, as well. These mechanisms do not prevent pre-boot access to mouse and keyboard, but they help to prevent use of a keyboard or mouse to take control of the Hub once the Unite application has been launched.

      • Enterprise mode – You can navigate to the Intel Unite Management console, and enable the setting called “HubLockKeyboard”
      • Standalone mode – You can modify the Intel Unite configuration XML file on the hub machine - “HubLockKeyboard = True”

1.3.4  Boot Menu and Boot Configuration

Dell recommends disabling all unused boot devices in BIOS setup (examples would be PXE network boot and USB removable device boot).

This setting can be found under the Settings > General > Advanced Boot Options menu in BIOS setup.

With the Dell Command | Configure tool, the command line option is:

bootorder --disabledevice=<device number or short form>

1.3.5  Networking, Wireless, and Bluetooth

For the highest quality Unite Hub display responsiveness, Intel recommends that Hubs are connected to your company’s LAN using the RJ45 Ethernet connection. Wireless connections to your company’s network can be supported if other limitations prevent use of a wired network connection. Depending on which option is used, the other unused network devices may be disabled in BIOS setup.

Dell recommends disabling any unused network devices on the Hub, such as Wireless or Bluetooth® radios, using BIOS configuration options.

The LAN setting can be found under the Settings > System Configuration > Integrated NIC menu in BIOS setup.

The WLAN and Bluetooth® settings can be found under the Settings > Wireless > Wireless Device Enable menu in BIOS setup.

With the Dell Command | Configure tool, the command line options are:

--embnic1=off (for LAN)

--wirelesslan=disable (for WLAN)

--bluetoothdevice=disable (for Bluetooth)

1.3.6  Auto On Time

Intel Unite® hubs can be turned off when not in use to save power. Power management software or power profile settings in the OS can be used to turn off Hubs after a certain number of hours, or at a certain time of day. One example might be to deploy a task using Windows Task Manager that launches shutdown.exe (with the /s switch) at a certain time every night.

After you have created or scheduled a nightly shutdown operation, you can subsequently use the Dell BIOS Auto On Time setting to power the Hub back on before the beginning of the next work day. This allows BIOS to boot the Hub back up to Windows automatically before the first meeting, assuming the OS has been configured for automatic login.

The Auto On Time setting can be configured to power on at a certain time every day. It can also be limited so that it will only power on during weekdays, or on specific days of the week that you select through the Dell BIOS.

The Auto On Time setting can be found under the Settings > Power Management > Auto On Time menu in BIOS setup.

With the Dell Command | Configure tool, the command line options are:

--autoon=<everyday, weekdays, selectdays>

--autoonhr=<hour of day 0-23>

--autoonmn=<minute of hour 0-59>
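A drift check for the BIOS options named in sections 1.3.2 through 1.3.6, as an added example that is not part of Dell's or Intel's documentation. It assumes a wired hub, the default Dell Command | Configure install path, the option names as given on this page, and that querying an option without a value prints a `name=value` line; `--valsetuppwd` supplies the existing setup password when a change is made.

```powershell
# Added example: audit a wired hub against the BIOS options named on this page.
# Assumption: default Dell Command | Configure install path; adjust for your image.
$cctk = 'C:\Program Files (x86)\Dell\Command Configure\X86_64\cctk.exe'

# Expected values for a hub on wired Ethernet (so embnic1 is not turned off).
$baseline = [ordered]@{
    trustexecution  = 'off'
    usbports        = 'disable'
    wirelesslan     = 'disable'
    bluetoothdevice = 'disable'
    autoon          = 'weekdays'
}

function Compare-HubBios {
    # $Lines: "name=value" lines as printed by "cctk --<name>" (assumed output format).
    param([string[]]$Lines, [System.Collections.IDictionary]$Expected)
    $actual = @{}
    foreach ($l in $Lines) {
        if ($l -match '^\s*([a-z0-9]+)\s*=\s*(\S+)\s*$') {
            $actual[$Matches[1].ToLower()] = $Matches[2].ToLower()
        }
    }
    foreach ($name in $Expected.Keys) {
        [pscustomobject]@{
            Option   = $name
            Expected = $Expected[$name]
            Actual   = if ($actual.ContainsKey($name)) { $actual[$name] } else { '<not reported>' }
            Drift    = $actual[$name] -ne $Expected[$name]
        }
    }
}

if (Test-Path $cctk) {
    # Read-only queries: an option given without a value reports its current setting.
    $lines = foreach ($name in $baseline.Keys) { & $cctk "--$name" }
} else {
    # Constructed sample output so the comparison can be tried away from a hub.
    $lines = 'trustexecution=off', 'usbports=enable', 'wirelesslan=disable',
             'bluetoothdevice=disable', 'autoon=everyday'
}
Compare-HubBios -Lines $lines -Expected $baseline | Format-Table -AutoSize

# To remediate one drifted option on a hub that already has a setup password:
#   & $cctk --usbports=disable --valsetuppwd=<current-setup-password>
# A password passed on the command line can end up in script logs and process
# listings, so read it from a protected store at run time instead of hard-coding it.
```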