1.3.3. Hardware BIOS & Firmware Update/Configuration

1.3.3.1. Hardware BIOS & Firmware Update/Configuration for alicesynthesis30

1.3.3.1.1. Dell Precision 3431, BIOS Update for alicesynthesis30

Important

Currently if Remote Management if desired, then it must be done at factory to load the correct BIOS version that enabled the Intel vManagement platform. Enabling this feature, if not already enabled in BIOS menu, will not be coverted in these instructions.

  1. Download Version 1.3.1 BIOS upgrade file from https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=gh411&oscode=biosa&productcode=precision-3431-workstation and copy to a USB drive

  2. Connect the USB drive to Dell 3431 Workstation

  3. Restart or Power On (if Off) the Dell 3431 Workstation

  4. F12 when Dell 3431 powers on and shows Dell logo

  5. At Boot Options Menu, under OTHER OPTIONS: BIOS Flash Update

  6. At BIOS Flash Update window, and browse through the different File Systems: FS# until you find the USB drive you inserted

  7. Precision_3431_1.3.1.exe then OK

  8. Once file is verified, verify the listed information is correct under System BIOS Information

    • System: Precision Tower 3431

    • Revision: <Currently installed BIOS version> (Should be lower than listed BIOS Update Information, Revision version)

    • Vendor: Dell Inc.

  9. Verify the listed information is correct under BIOS UpdateInformation

    • BIOS update file: <FS#>:\Precision_3431_1.3.1.exe (File you copied to USB drive)

    • System: Precision Tower 3431

    • Revision: 1.3.1

    • Vendor: Dell Inc.

  10. Begin Flash Update

  11. When prompted, Yes to proceed with flashing of BIOS

  12. Once flashing of BIOS is complete and Dell 3431 reboots and shows shows Dell logo, F12 to enter BIOS Boot Options Menu

  13. Verify that bottom banner of Boot Options Menu shows BIOS Revision 1.3.1 indicating a complete BIOS update.

  14. Remove USB drive with BIOS update file from Dell 3431

  15. If updating the BIOS version was the only need at this time, reboot Dell 3431 so it boots into its normal boot cycle. Otherwise continue to BIOS Configuration section

    Mark Complete:

    Hostname

    Print and Sign Name

    Date

    alicesynthesis30

1.3.3.1.2. Dell Precision 3431, BIOS Configuration for for alicesynthesis30

  1. If not already at Boot Option Menu, Restart or Power On (if Off) the Dell 3431 Workstation and F12 when Dell 3431 powers on and shows Dell logo

  2. BIOS Configuration

    Note

    If the BIOS has already been configured then you will need to Unlock and <Admin Password> to be able to change any settings.

    Important

    If prompted after Apply, Check Save as Custom User Settings then OK

  3. General –> Boot Sequence

    Important

    The Boot Sequence menu may only list options set from factory and will require completing configuration of BIOS and installation of OS to populate menu options in documentation.

    1. Configure the Boot List Option to UEFI

    2. Configure the Boot Sequence to the following order:

      • UEFI: Windows (If installed)

      • Onboard NIC(IPV4)

      • Onboard NIC(IPV6)

    3. Apply

  4. General –> Advanced Boot Options

    • Uncheck Enable Legacy Options ROMs

    • Apply

  5. General –> UEFI Boot Path Security

    • Always, Except Internal HDD & PXE

    • Apply

  6. General –> Date/Time

    • Configure Time and Date to local UTC time.

  7. System Configuration –> Integrated NIC

    • Check Enable UEFI Network Stack

    • Enabled w/PXE

    • Apply

  8. System Configuration –> Serial Port

    • COM1

    • Apply

  9. System Configuration –> SATA Operation

    • ACHI

    • Apply

  10. System Configuration –> Drives

    • Check SATA-0

    • Check SATA-2

    • Check SATA-3

    • Check SATA-4

    • Check M.2 PCIe SSD-0

    • Apply

  11. System Configuration –> SMART Reporting

    • Check Enable SMART Reporting

    • Apply

  12. System Configuration –> USB Configuration

    • Check Enable USB Boot Support

    • Check Enable Front USB Ports

    • Check Enable Rear USB Ports

    • Apply

  13. System Configuration –> Front USB Configuration

    • Check Front Port 1(Bottom Right)

    • Check Front Port 1 w/Power Share(Top Right)

    • Check Front Port 2(Bottom Left)

    • Check Front Port 2(Top Left)

    • Apply

  14. System Configuration –> Rear USB Configuration

    • Check Rear Port 1(Left)

    • Check Rear Port 2(Left Middle)

    • Check Rear Port 3(Right Middle)

    • Check Rear Port 4(Right)

    • Check Rear Port 1(Left)

    • Check Rear Port 2(Right)

    • Apply

  15. System Configuration –> USB PowerShare

    • Uncheck Enable USB PowerShare

    • Apply

  16. System Configuration –> Audio

    • Check Enable Audio

    • Check Enable Microphone

    • Check Enable Internal Speaker

    • Apply

  17. System Configuration –> Dust Filter Maintenance

    • 90 days

    • Apply

  18. System Configuration –> Miscellaneous Devices

    • Uncheck Enable Secure Digital (SD) Card

    • Uncheck Secure Digital (SD) Card Boot

    • Uncheck Secure Digital (SD) Card Read-Only Mode

    • Apply

  19. Video –> Primary Display

    • Intel HD Graphics

    • Apply

  20. Security –> System Password

    • Should be Not Set

    • Apply

  21. Security –> Internal HDD-3 Password

    • Should be Not Set

    • Apply

  22. Security –> Strong Password

    • Check Enable Strong Password

    • Apply

  23. Security –> Password Configuration

    • Admin Password Min. 8

    • Admin Password Max. 32

    • System Password Min. 08

    • System Password Max. 32

    • Apply

  24. Security –> Password Bypass

    • Disabled

    • Apply

  25. Security –> Password Change

    • Check Allow Non-Admin Password Changes

    • Apply

  26. Security –> UEFI Capsule Firmware Updates

    • Check Enable UEFI Capsule Firmware Updates

    • Apply

  27. Security –> HDD Security

    • Uncheck SED Block SID Authentication

    • Uncheck PPI Bypass for SED Block SID Command

    • Apply

  28. Security –> TPM 2.0 Security

    • Check TPM On

    • Uncheck PPI Bypass for Enable Commands

    • Uncheck PPI Bypass for Disable Commands

    • Uncheck PPI Bypass for Clear Commands

    • Uncheck Clear

    • Check Attestation Enable

    • Check Key Storage Enable

    • Check SHA-256

    • Enabled

    • Apply

  29. Security –> Absolute

    • Enabled

    • Apply

  30. Security –> Chassis Intrusion

    • Uncheck Clear Intrusion Warning

    • On-Silent

    • Apply

  31. Security –> OROM Keyboard Access

    • Enabled

    • Apply

  32. Security –> Admin Setup Lockout

    • Uncheck Enable Admin Setup Lockout

    • Apply

  33. Security –> Master Password Lockout

    • Uncheck Enable Master Password Lockout

    • Apply

  34. Security –> SMM Security Mitigation

    • Uncheck SMM Security Mitigation

    • Apply

  35. Secure Boot –> Secure Boot Enable

    • Uncheck Secure Boot Enable

    • Apply

  36. Secure Boot –> Secure Boot Mode

    • Deployed Mode

    • Apply

  37. Secure Boot –> Expert Key Management

    • Uncheck Enable Custom Mode

    • PK

    • Apply

  38. Intel Software Guard Extensions –> Intel SGX Enable

    • Software Controlled

    • Apply

  39. Intel Software Guard Extensions –> Enclave Memory Size

    • 128MB Grayed out due to previous setting

  40. Performance –> Multi Core Support

    • All

    • Apply

  41. Performance –> Intel SpeedStep

    • Check Enable Intel SpeedStep

    • Apply

  42. Performance –> C-States Control

    • Check C States

    • Apply

  43. Performance –> Intel TurboBoost

    • Check Enable Intel TurboBoost

    • Apply

  44. Performance –> HyperThread control

    • Enabled

    • Apply

  45. Power Management –> AC Recovery

    • Last Power State

    • Apply

  46. Power Management –> Enable Intel Speed Shift Technology

    • Check Enable Intel Speed Shift Technology

    • Apply

  47. Power Management –> Auto On Time

    • Disabled

    • Apply

  48. Power Management –> Deep Sleep Control

    • Enabled in S4 and S5

    • Apply

  49. Power Management –> Fan Control Override

    • Uncheck Fan Control Overide

    • Apply

  50. Power Management –> USB Wake Support

    • Uncheck Enable USB Wake Support

    • Apply

  51. Power Management –> Wake on LAN/WLAN

    • Disabled

    • Apply

  52. Power Management –> Block Sleep

    • Uncheck Block Sleep

    • Apply

  53. POST Behavior –> Numlock LED

    • Check Enable Numlock LED

    • Apply

  54. POST Behavior –> Keyboard Errors

    • Uncheck Enable Keyboard Error Detection

    • Apply

  55. POST Behavior –> Fastboot

    • Thorough

    • Apply

  56. POST Behavior –> Extend BIOS POST Time

    • 5 seconds

    • Apply

  57. POST Behavior –> Full Screen Logo

    • Uncheck Enable Full Screen Logo

    • Apply

  58. POST Behavior –> Warnings and Errors

    • Prompt on Warning and Errors

    • Apply

  59. Manageability –> Intel AMT Capability

    Important

    This menu option will only appear if the Intel AMT capability was added at factory

    • Enabled

    • Apply

  60. Manageability –> USB Provision

    • Uncheck Enable USB Provision

    • Apply

  61. Manageability –> MEBx Hotkey

    • Check Enable MEBx Hotkey

    • Apply

  62. Virtualization Support –> Virtualization

    • Check Enable Intel Virtualization Technology

    • Apply

  63. Virtualization Support –> VT for Direct I/O

    • Check Enable VT for Direct I/O

    • Apply

  64. Virtualization Support –> Trusted Execution

    • Check Trusted Execution

    • Apply

  65. Wireless –> Wireless Device Enable

    • Uncheck WLAN/WiGig

    • Uncheck Bluetooth

    • Apply

  66. Maintenance –> SERR Messages

    • Check Enable SERR Messages

    • Apply

  67. Maintenance –> BIOS Downgrade

    • Check Allow BIOS Downgrade

    • Apply

  68. Maintenance –> Data Wipe

    • Uncheck Wipe on Next Boot

    • Apply

  69. Maintenance –> BIOS Recovery

    • Uncheck BIOS Recovery from Hard Drive

    • Apply

  70. System Logs –> BIOS Events

    • Review BIOS Event Logs

    • Clear Log –> Yes

  71. Advanced configurations –> ASPM

    • Auto

    • Apply

  72. SupportAssist System Resolution –> Auto OS Recovery Threshold

    • OFF

    • Apply

  73. SupportAssist System Resolution –> SupportAssist OS Recovery

    • Uncheck SupportAssist OS Recovery

    • Apply

  74. SupportAssist System Resolution –> BIOSConnect

    • Uncheck BIOSConnect

    • Apply

  75. Security –> Admin Password If not already set

    • Enter new *Admin level password*

    • Confirm new *Admin level password*

    • OK

  76. Exit

  77. Dell 3431 Workstation will reboot. If configuration of the BIOS version was the only need at this time, let Dell 3431 boot into its normal boot cycle. Otherwise F12 and continue to Intel(R) Management Engine BIOS Extension (MEBx) Configuration section

    Mark Complete:

    Hostname

    Print and Sign Name

    Date

    alicesynthesis30

1.3.3.2. Hardware BIOS & Firmware Update/Configuration for gerudo

1.3.3.2.1. Dell Precision 3431, BIOS Update for gerudo

Important

Currently if Remote Management if desired, then it must be done at factory to load the correct BIOS version that enabled the Intel vManagement platform. Enabling this feature, if not already enabled in BIOS menu, will not be coverted in these instructions.

  1. Download Version 1.3.1 BIOS upgrade file from https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=gh411&oscode=biosa&productcode=precision-3431-workstation and copy to a USB drive

  2. Connect the USB drive to Dell 3431 Workstation

  3. Restart or Power On (if Off) the Dell 3431 Workstation

  4. F12 when Dell 3431 powers on and shows Dell logo

  5. At Boot Options Menu, under OTHER OPTIONS: BIOS Flash Update

  6. At BIOS Flash Update window, and browse through the different File Systems: FS# until you find the USB drive you inserted

  7. Precision_3431_1.3.1.exe then OK

  8. Once file is verified, verify the listed information is correct under System BIOS Information

    • System: Precision Tower 3431

    • Revision: <Currently installed BIOS version> (Should be lower than listed BIOS Update Information, Revision version)

    • Vendor: Dell Inc.

  9. Verify the listed information is correct under BIOS UpdateInformation

    • BIOS update file: <FS#>:\Precision_3431_1.3.1.exe (File you copied to USB drive)

    • System: Precision Tower 3431

    • Revision: 1.3.1

    • Vendor: Dell Inc.

  10. Begin Flash Update

  11. When prompted, Yes to proceed with flashing of BIOS

  12. Once flashing of BIOS is complete and Dell 3431 reboots and shows shows Dell logo, F12 to enter BIOS Boot Options Menu

  13. Verify that bottom banner of Boot Options Menu shows BIOS Revision 1.3.1 indicating a complete BIOS update.

  14. Remove USB drive with BIOS update file from Dell 3431

  15. If updating the BIOS version was the only need at this time, reboot Dell 3431 so it boots into its normal boot cycle. Otherwise continue to BIOS Configuration section

    Mark Complete:

    Hostname

    Print and Sign Name

    Date

    gerudo

1.3.3.2.2. Dell Precision 3431, Intel Management Engine Configuration for gerudo

Important

You cannot access the BIOS configuration menu for the Intel AMT system if connected via the Intel AMT Remote Desktop, once you set a BIOS Admin password. The menu option will dissapear from menu.

  1. If not already at Boot Option Menu, Restart or Power On (if Off) the Dell 3431 Workstation and F12 when Dell 3431 powers on and shows Dell logo

  2. Intel(R) Management Engine BIOS Extension (MEBx)

  3. MEBx Login

  4. You will be prompted for factory Intel(R) ME Password admin then Enter

  5. You will be prompted to set new password for MEBx login, <Desired Admin Password> then Enter

  6. Verify password by <Desired Admin Password> again then Enter

    Important

    To change the Intel MEBx password for admin user in future from BIOS:

    1. Intel(R) ME General Settings

    2. Change ME Password

  7. Verify Intel(R) AMT is set to <Enabled>

  8. Intel(R) AMT Configuration

    1. Managebility Feature Selection set to <Enabled>

    2. SOL/Storage Redirection/KVM

      • SOL set to <Enabled>

      • Storage Redirection set to <Enabled>

      • KVM Feature Selection set to <Enabled>

    3. Escape

    4. User Consent

      Important

      It is critical that if you do not have on-site personnel with equipment that User Opt-in is set to <None> otherwise you will not be able to establish a remote KVM session without user approval from local KB/Display connected to workstation.

      • User Opt-in set to <None>

      • Opt-in Configurable from Remote IT set to <Enabled>

    5. Escape

    6. Password Policy set to <Anytime>

    7. Network Setup

    8. Intel(R) ME Network Name Settings

      • Host Name gerudo-mgmt

      • Domain Name hyrule.binarylandscapes.com

      • Shared/Dedicated FQDN set to <Dedicated>

      • Dynamic DNS Update set to <Disabled>

    9. Escape

    10. TCP/IP Settings

    11. Wired LAN IPV4 Settings

      • DHCP Mode set to <Disabled>

      • IPV4 Address 10.1.10.191

      • Subnet Mask Address 255.255.255.0

      • Default Gateway Address 10.1.10.1

      • Preferred DNS Address 10.1.10.1

      • Alternate DNS Address 0.0.0.0

    12. Escape

    13. Escape

    14. Escape

    15. Activate Network Access then Y

    16. Power Control

      • Intel(R) AMT ON in Host Sleep States set to <Desktop: ON in S0, ME Wake in S3, S4-5>

      • Idle Timeout set to 65535 You may want lower in a non lab environment for security reasons

    17. Escape

    18. Escape

    19. MEBx Exit then Y and workstation will Reboot.

  9. Verify connectivity by using a Web Browser and going to the Intel AMT Web Interface at http://10.1.10.191:16992 and logging in with admin as username and the password you configured.

    Mark Complete:

    Hostname

    Print and Sign Name

    Date

    gerudo

1.3.3.2.2.1. Intel AMT Remote Desktop Configuration for gerudo

  1. Go to your Windows workstation and download and install MeshCommander from https://www.meshcommander.com/

  2. Run MeshCommander

  3. Computer Management (Networked Computers Icon)

  4. Add Computer…

    • Friendly Name gerudo-mgmt

    • Group Name Leave blank

    • Hostname 10.1.10.191

    • Auth/Security Digest/None

    • Username admin

    • Password* Configured MEBx Login Password or Default is admin (But will not let you connect with default password)

  5. OK

  6. On the connection for gerudo-mgmt Connect

  7. Once first time connection is complete, Switch to TLS in top left

  8. OK

  9. OK If needed

  10. System Status –> Primary display, 3 minutes session timeout

  11. Update Session timeout (Minutes) to 10 then OK

  12. Displayed Date & Time

  13. When prompted to sync with this computer OK

  14. Remote Desktop and then click red banner to enable the feature.

    • Check Redirection Port

    • Check KVM Remote Desktop

    • Check IDE-Redirection

    • Check Serial-over-LAN

  15. OK

  16. Connect and verify you can establish a Remote KVM session with computer and then disconnect.

    Important

    The Remote KVM requires the system to have an active display connected to it in order to function. So if connected to a physical KVM but off-channel, it will have issues and if display is unplugged it will not work. You will need a DisplayPort Headless Ghost Display plug like the following Recommended Ghost Display Plug

    Mark Complete:

    Hostname

    Print and Sign Name

    Date

    gerudo

1.3.3.2.3. Dell Precision 3431, BIOS Configuration for for gerudo

  1. If not already at Boot Option Menu, Restart or Power On (if Off) the Dell 3431 Workstation and F12 when Dell 3431 powers on and shows Dell logo

  2. BIOS Configuration

    Note

    If the BIOS has already been configured then you will need to Unlock and <Admin Password> to be able to change any settings.

    Important

    If prompted after Apply, Check Save as Custom User Settings then OK

  3. General –> Boot Sequence

    Important

    The Boot Sequence menu may only list options set from factory and will require completing configuration of BIOS and installation of OS to populate menu options in documentation.

    1. Configure the Boot List Option to UEFI

    2. Configure the Boot Sequence to the following order:

      • UEFI: Samsung USB or VMware ESXi (If installed)

      • Onboard NIC(IPV4)

      • Onboard NIC(IPV6)

    3. Apply

  4. General –> Advanced Boot Options

    • Uncheck Enable Legacy Options ROMs

    • Apply

  5. General –> UEFI Boot Path Security

    • Always, Except Internal HDD & PXE

    • Apply

  6. General –> Date/Time

    • Configure Time and Date to local UTC time.

  7. System Configuration –> Integrated NIC

    • Check Enable UEFI Network Stack

    • Enabled w/PXE

    • Apply

  8. System Configuration –> Serial Port

    • COM1

    • Apply

  9. System Configuration –> SATA Operation

    • ACHI

    • Apply

  10. System Configuration –> Drives

    • Check SATA-0

    • Check SATA-2

    • Check SATA-3

    • Check SATA-4

    • Check M.2 PCIe SSD-0

    • Apply

  11. System Configuration –> SMART Reporting

    • Check Enable SMART Reporting

    • Apply

  12. System Configuration –> USB Configuration

    • Check Enable USB Boot Support

    • Check Enable Front USB Ports

    • Check Enable Rear USB Ports

    • Apply

  13. System Configuration –> Front USB Configuration

    • Check Front Port 1(Bottom Right)

    • Check Front Port 1 w/Power Share(Top Right)

    • Check Front Port 2(Bottom Left)

    • Check Front Port 2(Top Left)

    • Apply

  14. System Configuration –> Rear USB Configuration

    • Check Rear Port 1(Left)

    • Check Rear Port 2(Left Middle)

    • Check Rear Port 3(Right Middle)

    • Check Rear Port 4(Right)

    • Check Rear Port 1(Left)

    • Check Rear Port 2(Right)

    • Apply

  15. System Configuration –> USB PowerShare

    • Uncheck Enable USB PowerShare

    • Apply

  16. System Configuration –> Audio

    • Check Enable Audio

    • Check Enable Microphone

    • Check Enable Internal Speaker

    • Apply

  17. System Configuration –> Dust Filter Maintenance

    • 90 days

    • Apply

  18. System Configuration –> Miscellaneous Devices

    • Uncheck Enable Secure Digital (SD) Card

    • Uncheck Secure Digital (SD) Card Boot

    • Uncheck Secure Digital (SD) Card Read-Only Mode

    • Apply

  19. Video –> Primary Display

    • Intel HD Graphics

    • Apply

  20. Security –> System Password

    • Should be Not Set

    • Apply

  21. Security –> Internal HDD-3 Password

    • Should be Not Set

    • Apply

  22. Security –> Strong Password

    • Check Enable Strong Password

    • Apply

  23. Security –> Password Configuration

    • Admin Password Min. 8

    • Admin Password Max. 32

    • System Password Min. 08

    • System Password Max. 32

    • Apply

  24. Security –> Password Bypass

    • Disabled

    • Apply

  25. Security –> Password Change

    • Check Allow Non-Admin Password Changes

    • Apply

  26. Security –> UEFI Capsule Firmware Updates

    • Check Enable UEFI Capsule Firmware Updates

    • Apply

  27. Security –> HDD Security

    • Uncheck SED Block SID Authentication

    • Uncheck PPI Bypass for SED Block SID Command

    • Apply

  28. Security –> TPM 2.0 Security

    • Check TPM On

    • Uncheck PPI Bypass for Enable Commands

    • Uncheck PPI Bypass for Disable Commands

    • Uncheck PPI Bypass for Clear Commands

    • Uncheck Clear

    • Check Attestation Enable

    • Check Key Storage Enable

    • Check SHA-256

    • Enabled

    • Apply

  29. Security –> Absolute

    • Enabled

    • Apply

  30. Security –> Chassis Intrusion

    • Uncheck Clear Intrusion Warning

    • On-Silent

    • Apply

  31. Security –> OROM Keyboard Access

    • Enabled

    • Apply

  32. Security –> Admin Setup Lockout

    • Uncheck Enable Admin Setup Lockout

    • Apply

  33. Security –> Master Password Lockout

    • Uncheck Enable Master Password Lockout

    • Apply

  34. Security –> SMM Security Mitigation

    • Uncheck SMM Security Mitigation

    • Apply

  35. Secure Boot –> Secure Boot Enable

    • Uncheck Secure Boot Enable

    • Apply

  36. Secure Boot –> Secure Boot Mode

    • Deployed Mode

    • Apply

  37. Secure Boot –> Expert Key Management

    • Uncheck Enable Custom Mode

    • PK

    • Apply

  38. Intel Software Guard Extensions –> Intel SGX Enable

    • Software Controlled

    • Apply

  39. Intel Software Guard Extensions –> Enclave Memory Size

    • 128MB Grayed out due to previous setting

  40. Performance –> Multi Core Support

    • All

    • Apply

  41. Performance –> Intel SpeedStep

    • Check Enable Intel SpeedStep

    • Apply

  42. Performance –> C-States Control

    • Check C States

    • Apply

  43. Performance –> Intel TurboBoost

    • Check Enable Intel TurboBoost

    • Apply

  44. Performance –> HyperThread control

    • Enabled

    • Apply

  45. Power Management –> AC Recovery

    • Last Power State

    • Apply

  46. Power Management –> Enable Intel Speed Shift Technology

    • Check Enable Intel Speed Shift Technology

    • Apply

  47. Power Management –> Auto On Time

    • Disabled

    • Apply

  48. Power Management –> Deep Sleep Control

    • Enabled in S4 and S5

    • Apply

  49. Power Management –> Fan Control Override

    • Uncheck Fan Control Overide

    • Apply

  50. Power Management –> USB Wake Support

    • Uncheck Enable USB Wake Support

    • Apply

  51. Power Management –> Wake on LAN/WLAN

    • Disabled

    • Apply

  52. Power Management –> Block Sleep

    • Uncheck Block Sleep

    • Apply

  53. POST Behavior –> Numlock LED

    • Check Enable Numlock LED

    • Apply

  54. POST Behavior –> Keyboard Errors

    • Uncheck Enable Keyboard Error Detection

    • Apply

  55. POST Behavior –> Fastboot

    • Thorough

    • Apply

  56. POST Behavior –> Extend BIOS POST Time

    • 5 seconds

    • Apply

  57. POST Behavior –> Full Screen Logo

    • Uncheck Enable Full Screen Logo

    • Apply

  58. POST Behavior –> Warnings and Errors

    • Prompt on Warning and Errors

    • Apply

  59. Manageability –> Intel AMT Capability

    Important

    This menu option will only appear if the Intel AMT capability was added at factory

    • Enabled

    • Apply

  60. Manageability –> USB Provision

    • Uncheck Enable USB Provision

    • Apply

  61. Manageability –> MEBx Hotkey

    • Check Enable MEBx Hotkey

    • Apply

  62. Virtualization Support –> Virtualization

    • Check Enable Intel Virtualization Technology

    • Apply

  63. Virtualization Support –> VT for Direct I/O

    • Check Enable VT for Direct I/O

    • Apply

  64. Virtualization Support –> Trusted Execution

    • Check Trusted Execution

    • Apply

  65. Wireless –> Wireless Device Enable

    • Uncheck WLAN/WiGig

    • Uncheck Bluetooth

    • Apply

  66. Maintenance –> SERR Messages

    • Check Enable SERR Messages

    • Apply

  67. Maintenance –> BIOS Downgrade

    • Check Allow BIOS Downgrade

    • Apply

  68. Maintenance –> Data Wipe

    • Uncheck Wipe on Next Boot

    • Apply

  69. Maintenance –> BIOS Recovery

    • Uncheck BIOS Recovery from Hard Drive

    • Apply

  70. System Logs –> BIOS Events

    • Review BIOS Event Logs

    • Clear Log –> Yes

  71. Advanced configurations –> ASPM

    • Auto

    • Apply

  72. SupportAssist System Resolution –> Auto OS Recovery Threshold

    • OFF

    • Apply

  73. SupportAssist System Resolution –> SupportAssist OS Recovery

    • Uncheck SupportAssist OS Recovery

    • Apply

  74. SupportAssist System Resolution –> BIOSConnect

    • Uncheck BIOSConnect

    • Apply

  75. Security –> Admin Password If not already set

    • Enter new *Admin level password*

    • Confirm new *Admin level password*

    • OK

  76. Exit

  77. Dell 3431 Workstation will reboot. If configuration of the BIOS version was the only need at this time, let Dell 3431 boot into its normal boot cycle. Otherwise F12 and continue to Intel(R) Management Engine BIOS Extension (MEBx) Configuration section

    Mark Complete:

    Hostname

    Print and Sign Name

    Date

    gerudo

1.3.3.3. Hardware BIOS & Firmware Update/Configuration for hebra

1.3.3.3.1. Dell Precision 3431, BIOS Update for hebra

Important

Currently if Remote Management if desired, then it must be done at factory to load the correct BIOS version that enabled the Intel vManagement platform. Enabling this feature, if not already enabled in BIOS menu, will not be coverted in these instructions.

  1. Download Version 1.3.1 BIOS upgrade file from https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=gh411&oscode=biosa&productcode=precision-3431-workstation and copy to a USB drive

  2. Connect the USB drive to Dell 3431 Workstation

  3. Restart or Power On (if Off) the Dell 3431 Workstation

  4. F12 when Dell 3431 powers on and shows Dell logo

  5. At Boot Options Menu, under OTHER OPTIONS: BIOS Flash Update

  6. At BIOS Flash Update window, and browse through the different File Systems: FS# until you find the USB drive you inserted

  7. Precision_3431_1.3.1.exe then OK

  8. Once file is verified, verify the listed information is correct under System BIOS Information

    • System: Precision Tower 3431

    • Revision: <Currently installed BIOS version> (Should be lower than listed BIOS Update Information, Revision version)

    • Vendor: Dell Inc.

  9. Verify the listed information is correct under BIOS UpdateInformation

    • BIOS update file: <FS#>:\Precision_3431_1.3.1.exe (File you copied to USB drive)

    • System: Precision Tower 3431

    • Revision: 1.3.1

    • Vendor: Dell Inc.

  10. Begin Flash Update

  11. When prompted, Yes to proceed with flashing of BIOS

  12. Once flashing of BIOS is complete and Dell 3431 reboots and shows shows Dell logo, F12 to enter BIOS Boot Options Menu

  13. Verify that bottom banner of Boot Options Menu shows BIOS Revision 1.3.1 indicating a complete BIOS update.

  14. Remove USB drive with BIOS update file from Dell 3431

  15. If updating the BIOS version was the only need at this time, reboot Dell 3431 so it boots into its normal boot cycle. Otherwise continue to BIOS Configuration section

    Mark Complete:

    Hostname

    Print and Sign Name

    Date

    hebra

1.3.3.3.2. Dell Precision 3431, Intel Management Engine Configuration for hebra

Important

You cannot access the BIOS configuration menu for the Intel AMT system if connected via the Intel AMT Remote Desktop, once you set a BIOS Admin password. The menu option will dissapear from menu.

  1. If not already at Boot Option Menu, Restart or Power On (if Off) the Dell 3431 Workstation and F12 when Dell 3431 powers on and shows Dell logo

  2. Intel(R) Management Engine BIOS Extension (MEBx)

  3. MEBx Login

  4. You will be prompted for factory Intel(R) ME Password admin then Enter

  5. You will be prompted to set new password for MEBx login, <Desired Admin Password> then Enter

  6. Verify password by <Desired Admin Password> again then Enter

    Important

    To change the Intel MEBx password for admin user in future from BIOS:

    1. Intel(R) ME General Settings

    2. Change ME Password

  7. Verify Intel(R) AMT is set to <Enabled>

  8. Intel(R) AMT Configuration

    1. Managebility Feature Selection set to <Enabled>

    2. SOL/Storage Redirection/KVM

      • SOL set to <Enabled>

      • Storage Redirection set to <Enabled>

      • KVM Feature Selection set to <Enabled>

    3. Escape

    4. User Consent

      Important

      It is critical that if you do not have on-site personnel with equipment that User Opt-in is set to <None> otherwise you will not be able to establish a remote KVM session without user approval from local KB/Display connected to workstation.

      • User Opt-in set to <None>

      • Opt-in Configurable from Remote IT set to <Enabled>

    5. Escape

    6. Password Policy set to <Anytime>

    7. Network Setup

    8. Intel(R) ME Network Name Settings

      • Host Name hebra-mgmt

      • Domain Name hyrule.binarylandscapes.com

      • Shared/Dedicated FQDN set to <Dedicated>

      • Dynamic DNS Update set to <Disabled>

    9. Escape

    10. TCP/IP Settings

    11. Wired LAN IPV4 Settings

      • DHCP Mode set to <Disabled>

      • IPV4 Address 10.1.10.192

      • Subnet Mask Address 255.255.255.0

      • Default Gateway Address 10.1.10.1

      • Preferred DNS Address 10.1.10.1

      • Alternate DNS Address 0.0.0.0

    12. Escape

    13. Escape

    14. Escape

    15. Activate Network Access then Y

    16. Power Control

      • Intel(R) AMT ON in Host Sleep States set to <Desktop: ON in S0, ME Wake in S3, S4-5>

      • Idle Timeout set to 65535 You may want lower in a non lab environment for security reasons

    17. Escape

    18. Escape

    19. MEBx Exit then Y and workstation will Reboot.

  9. Verify connectivity by using a Web Browser and going to the Intel AMT Web Interface at http://10.1.10.192:16992 and logging in with admin as username and the password you configured.

    Mark Complete:

    Hostname

    Print and Sign Name

    Date

    hebra

1.3.3.3.2.1. Intel AMT Remote Desktop Configuration for hebra

  1. Go to your Windows workstation and download and install MeshCommander from https://www.meshcommander.com/

  2. Run MeshCommander

  3. Computer Management (Networked Computers Icon)

  4. Add Computer…

    • Friendly Name hebra-mgmt

    • Group Name Leave blank

    • Hostname 10.1.10.192

    • Auth/Security Digest/None

    • Username admin

    • Password* Configured MEBx Login Password or Default is admin (But will not let you connect with default password)

  5. OK

  6. On the connection for hebra-mgmt Connect

  7. Once first time connection is complete, Switch to TLS in top left

  8. OK

  9. OK If needed

  10. System Status –> Primary display, 3 minutes session timeout

  11. Update Session timeout (Minutes) to 10 then OK

  12. Displayed Date & Time

  13. When prompted to sync with this computer OK

  14. Remote Desktop and then click red banner to enable the feature.

    • Check Redirection Port

    • Check KVM Remote Desktop

    • Check IDE-Redirection

    • Check Serial-over-LAN

  15. OK

  16. Connect and verify you can establish a Remote KVM session with computer and then disconnect.

    Important

    The Remote KVM requires the system to have an active display connected to it in order to function. So if connected to a physical KVM but off-channel, it will have issues and if display is unplugged it will not work. You will need a DisplayPort Headless Ghost Display plug like the following Recommended Ghost Display Plug

    Mark Complete:

    Hostname

    Print and Sign Name

    Date

    hebra

1.3.3.3.3. Dell Precision 3431, BIOS Configuration for for hebra

  1. If not already at Boot Option Menu, Restart or Power On (if Off) the Dell 3431 Workstation and F12 when Dell 3431 powers on and shows Dell logo

  2. BIOS Configuration

    Note

    If the BIOS has already been configured then you will need to Unlock and <Admin Password> to be able to change any settings.

    Important

    If prompted after Apply, Check Save as Custom User Settings then OK

  3. General –> Boot Sequence

    Important

    The Boot Sequence menu may only list options set from factory and will require completing configuration of BIOS and installation of OS to populate menu options in documentation.

    1. Configure the Boot List Option to UEFI

    2. Configure the Boot Sequence to the following order:

      • UEFI: Samsung USB or VMware ESXi (If installed)

      • Onboard NIC(IPV4)

      • Onboard NIC(IPV6)

    3. Apply

  4. General –> Advanced Boot Options

    • Uncheck Enable Legacy Options ROMs

    • Apply

  5. General –> UEFI Boot Path Security

    • Always, Except Internal HDD & PXE

    • Apply

  6. General –> Date/Time

    • Configure Time and Date to local UTC time.

  7. System Configuration –> Integrated NIC

    • Check Enable UEFI Network Stack

    • Enabled w/PXE

    • Apply

  8. System Configuration –> Serial Port

    • COM1

    • Apply

  9. System Configuration –> SATA Operation

    • ACHI

    • Apply

  10. System Configuration –> Drives

    • Check SATA-0

    • Check SATA-2

    • Check SATA-3

    • Check SATA-4

    • Check M.2 PCIe SSD-0

    • Apply

  11. System Configuration –> SMART Reporting

    • Check Enable SMART Reporting

    • Apply

  12. System Configuration –> USB Configuration

    • Check Enable USB Boot Support

    • Check Enable Front USB Ports

    • Check Enable Rear USB Ports

    • Apply

  13. System Configuration –> Front USB Configuration

    • Check Front Port 1(Bottom Right)

    • Check Front Port 1 w/Power Share(Top Right)

    • Check Front Port 2(Bottom Left)

    • Check Front Port 2(Top Left)

    • Apply

  14. System Configuration –> Rear USB Configuration

    • Check Rear Port 1(Left)

    • Check Rear Port 2(Left Middle)

    • Check Rear Port 3(Right Middle)

    • Check Rear Port 4(Right)

    • Check Rear Port 1(Left)

    • Check Rear Port 2(Right)

    • Apply

  15. System Configuration –> USB PowerShare

    • Uncheck Enable USB PowerShare

    • Apply

  16. System Configuration –> Audio

    • Check Enable Audio

    • Check Enable Microphone

    • Check Enable Internal Speaker

    • Apply

  17. System Configuration –> Dust Filter Maintenance

    • 90 days

    • Apply

  18. System Configuration –> Miscellaneous Devices

    • Uncheck Enable Secure Digital (SD) Card

    • Uncheck Secure Digital (SD) Card Boot

    • Uncheck Secure Digital (SD) Card Read-Only Mode

    • Apply

  19. Video –> Primary Display

    • Intel HD Graphics

    • Apply

  20. Security –> System Password

    • Should be Not Set

    • Apply

  21. Security –> Internal HDD-3 Password

    • Should be Not Set

    • Apply

  22. Security –> Strong Password

    • Check Enable Strong Password

    • Apply

  23. Security –> Password Configuration

    • Admin Password Min. 8

    • Admin Password Max. 32

    • System Password Min. 08

    • System Password Max. 32

    • Apply

  24. Security –> Password Bypass

    • Disabled

    • Apply

  25. Security –> Password Change

    • Check Allow Non-Admin Password Changes

    • Apply

  26. Security –> UEFI Capsule Firmware Updates

    • Check Enable UEFI Capsule Firmware Updates

    • Apply

  27. Security –> HDD Security

    • Uncheck SED Block SID Authentication

    • Uncheck PPI Bypass for SED Block SID Command

    • Apply

  28. Security –> TPM 2.0 Security

    • Check TPM On

    • Uncheck PPI Bypass for Enable Commands

    • Uncheck PPI Bypass for Disable Commands

    • Uncheck PPI Bypass for Clear Commands

    • Uncheck Clear

    • Check Attestation Enable

    • Check Key Storage Enable

    • Check SHA-256

    • Enabled

    • Apply

  29. Security –> Absolute

    • Enabled

    • Apply

  30. Security –> Chassis Intrusion

    • Uncheck Clear Intrusion Warning

    • On-Silent

    • Apply

  31. Security –> OROM Keyboard Access

    • Enabled

    • Apply

  32. Security –> Admin Setup Lockout

    • Uncheck Enable Admin Setup Lockout

    • Apply

  33. Security –> Master Password Lockout

    • Uncheck Enable Master Password Lockout

    • Apply

  34. Security –> SMM Security Mitigation

    • Uncheck SMM Security Mitigation

    • Apply

  35. Secure Boot –> Secure Boot Enable

    • Uncheck Secure Boot Enable

    • Apply

  36. Secure Boot –> Secure Boot Mode

    • Deployed Mode

    • Apply

  37. Secure Boot –> Expert Key Management

    • Uncheck Enable Custom Mode

    • PK

    • Apply

  38. Intel Software Guard Extensions –> Intel SGX Enable

    • Software Controlled

    • Apply

  39. Intel Software Guard Extensions –> Enclave Memory Size

    • 128MB Grayed out due to previous setting

  40. Performance –> Multi Core Support

    • All

    • Apply

  41. Performance –> Intel SpeedStep

    • Check Enable Intel SpeedStep

    • Apply

  42. Performance –> C-States Control

    • Check C States

    • Apply

  43. Performance –> Intel TurboBoost

    • Check Enable Intel TurboBoost

    • Apply

  44. Performance –> HyperThread control

    • Enabled

    • Apply

  45. Power Management –> AC Recovery

    • Last Power State

    • Apply

  46. Power Management –> Enable Intel Speed Shift Technology

    • Check Enable Intel Speed Shift Technology

    • Apply

  47. Power Management –> Auto On Time

    • Disabled

    • Apply

  48. Power Management –> Deep Sleep Control

    • Enabled in S4 and S5

    • Apply

  49. Power Management –> Fan Control Override

    • Uncheck Fan Control Overide

    • Apply

  50. Power Management –> USB Wake Support

    • Uncheck Enable USB Wake Support

    • Apply

  51. Power Management –> Wake on LAN/WLAN

    • Disabled

    • Apply

  52. Power Management –> Block Sleep

    • Uncheck Block Sleep

    • Apply

  53. POST Behavior –> Numlock LED

    • Check Enable Numlock LED

    • Apply

  54. POST Behavior –> Keyboard Errors

    • Uncheck Enable Keyboard Error Detection

    • Apply

  55. POST Behavior –> Fastboot

    • Thorough

    • Apply

  56. POST Behavior –> Extend BIOS POST Time

    • 5 seconds

    • Apply

  57. POST Behavior –> Full Screen Logo

    • Uncheck Enable Full Screen Logo

    • Apply

  58. POST Behavior –> Warnings and Errors

    • Prompt on Warning and Errors

    • Apply

  59. Manageability –> Intel AMT Capability

    Important

    This menu option will only appear if the Intel AMT capability was added at factory

    • Enabled

    • Apply

  60. Manageability –> USB Provision

    • Uncheck Enable USB Provision

    • Apply

  61. Manageability –> MEBx Hotkey

    • Check Enable MEBx Hotkey

    • Apply

  62. Virtualization Support –> Virtualization

    • Check Enable Intel Virtualization Technology

    • Apply

  63. Virtualization Support –> VT for Direct I/O

    • Check Enable VT for Direct I/O

    • Apply

  64. Virtualization Support –> Trusted Execution

    • Check Trusted Execution

    • Apply

  65. Wireless –> Wireless Device Enable

    • Uncheck WLAN/WiGig

    • Uncheck Bluetooth

    • Apply

  66. Maintenance –> SERR Messages

    • Check Enable SERR Messages

    • Apply

  67. Maintenance –> BIOS Downgrade

    • Check Allow BIOS Downgrade

    • Apply

  68. Maintenance –> Data Wipe

    • Uncheck Wipe on Next Boot

    • Apply

  69. Maintenance –> BIOS Recovery

    • Uncheck BIOS Recovery from Hard Drive

    • Apply

  70. System Logs –> BIOS Events

    • Review BIOS Event Logs

    • Clear Log –> Yes

  71. Advanced configurations –> ASPM

    • Auto

    • Apply

  72. SupportAssist System Resolution –> Auto OS Recovery Threshold

    • OFF

    • Apply

  73. SupportAssist System Resolution –> SupportAssist OS Recovery

    • Uncheck SupportAssist OS Recovery

    • Apply

  74. SupportAssist System Resolution –> BIOSConnect

    • Uncheck BIOSConnect

    • Apply

  75. Security –> Admin Password If not already set

    • Enter new *Admin level password*

    • Confirm new *Admin level password*

    • OK

  76. Exit

  77. Dell 3431 Workstation will reboot. If configuration of the BIOS version was the only need at this time, let Dell 3431 boot into its normal boot cycle. Otherwise F12 and continue to Intel(R) Management Engine BIOS Extension (MEBx) Configuration section

    Mark Complete:

    Hostname

    Print and Sign Name

    Date

    hebra

1.3.3.4. Hardware BIOS & Firmware Update/Configuration for akkala

1.3.3.4.1. Dell Precision 3431, BIOS Update for akkala

Important

Currently if Remote Management if desired, then it must be done at factory to load the correct BIOS version that enabled the Intel vManagement platform. Enabling this feature, if not already enabled in BIOS menu, will not be coverted in these instructions.

  1. Download Version 1.3.1 BIOS upgrade file from https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=gh411&oscode=biosa&productcode=precision-3431-workstation and copy to a USB drive

  2. Connect the USB drive to Dell 3431 Workstation

  3. Restart or Power On (if Off) the Dell 3431 Workstation

  4. F12 when Dell 3431 powers on and shows Dell logo

  5. At Boot Options Menu, under OTHER OPTIONS: BIOS Flash Update

  6. At BIOS Flash Update window, and browse through the different File Systems: FS# until you find the USB drive you inserted

  7. Precision_3431_1.3.1.exe then OK

  8. Once file is verified, verify the listed information is correct under System BIOS Information

    • System: Precision Tower 3431

    • Revision: <Currently installed BIOS version> (Should be lower than listed BIOS Update Information, Revision version)

    • Vendor: Dell Inc.

  9. Verify the listed information is correct under BIOS UpdateInformation

    • BIOS update file: <FS#>:\Precision_3431_1.3.1.exe (File you copied to USB drive)

    • System: Precision Tower 3431

    • Revision: 1.3.1

    • Vendor: Dell Inc.

  10. Begin Flash Update

  11. When prompted, Yes to proceed with flashing of BIOS

  12. Once flashing of BIOS is complete and Dell 3431 reboots and shows shows Dell logo, F12 to enter BIOS Boot Options Menu

  13. Verify that bottom banner of Boot Options Menu shows BIOS Revision 1.3.1 indicating a complete BIOS update.

  14. Remove USB drive with BIOS update file from Dell 3431

  15. If updating the BIOS version was the only need at this time, reboot Dell 3431 so it boots into its normal boot cycle. Otherwise continue to BIOS Configuration section

    Mark Complete:

    Hostname

    Print and Sign Name

    Date

    akkala

1.3.3.4.2. Dell Precision 3431, Intel Management Engine Configuration for akkala

Important

You cannot access the BIOS configuration menu for the Intel AMT system if connected via the Intel AMT Remote Desktop, once you set a BIOS Admin password. The menu option will dissapear from menu.

  1. If not already at Boot Option Menu, Restart or Power On (if Off) the Dell 3431 Workstation and F12 when Dell 3431 powers on and shows Dell logo

  2. Intel(R) Management Engine BIOS Extension (MEBx)

  3. MEBx Login

  4. You will be prompted for factory Intel(R) ME Password admin then Enter

  5. You will be prompted to set new password for MEBx login, <Desired Admin Password> then Enter

  6. Verify password by <Desired Admin Password> again then Enter

    Important

    To change the Intel MEBx password for admin user in future from BIOS:

    1. Intel(R) ME General Settings

    2. Change ME Password

  7. Verify Intel(R) AMT is set to <Enabled>

  8. Intel(R) AMT Configuration

    1. Managebility Feature Selection set to <Enabled>

    2. SOL/Storage Redirection/KVM

      • SOL set to <Enabled>

      • Storage Redirection set to <Enabled>

      • KVM Feature Selection set to <Enabled>

    3. Escape

    4. User Consent

      Important

      It is critical that if you do not have on-site personnel with equipment that User Opt-in is set to <None> otherwise you will not be able to establish a remote KVM session without user approval from local KB/Display connected to workstation.

      • User Opt-in set to <None>

      • Opt-in Configurable from Remote IT set to <Enabled>

    5. Escape

    6. Password Policy set to <Anytime>

    7. Network Setup

    8. Intel(R) ME Network Name Settings

      • Host Name akkala-mgmt

      • Domain Name hyrule.binarylandscapes.com

      • Shared/Dedicated FQDN set to <Dedicated>

      • Dynamic DNS Update set to <Disabled>

    9. Escape

    10. TCP/IP Settings

    11. Wired LAN IPV4 Settings

      • DHCP Mode set to <Disabled>

      • IPV4 Address 10.1.10.193

      • Subnet Mask Address 255.255.255.0

      • Default Gateway Address 10.1.10.1

      • Preferred DNS Address 10.1.10.1

      • Alternate DNS Address 0.0.0.0

    12. Escape

    13. Escape

    14. Escape

    15. Activate Network Access then Y

    16. Power Control

      • Intel(R) AMT ON in Host Sleep States set to <Desktop: ON in S0, ME Wake in S3, S4-5>

      • Idle Timeout set to 65535 You may want lower in a non lab environment for security reasons

    17. Escape

    18. Escape

    19. MEBx Exit then Y and workstation will Reboot.

  9. Verify connectivity by using a Web Browser and going to the Intel AMT Web Interface at http://10.1.10.193:16992 and logging in with admin as username and the password you configured.

    Mark Complete:

    Hostname

    Print and Sign Name

    Date

    akkala

1.3.3.4.2.1. Intel AMT Remote Desktop Configuration for akkala

  1. Go to your Windows workstation and download and install MeshCommander from https://www.meshcommander.com/

  2. Run MeshCommander

  3. Computer Management (Networked Computers Icon)

  4. Add Computer…

    • Friendly Name akkala-mgmt

    • Group Name Leave blank

    • Hostname 10.1.10.193

    • Auth/Security Digest/None

    • Username admin

    • Password* Configured MEBx Login Password or Default is admin (But will not let you connect with default password)

  5. OK

  6. On the connection for akkala-mgmt Connect

  7. Once first time connection is complete, Switch to TLS in top left

  8. OK

  9. OK If needed

  10. System Status –> Primary display, 3 minutes session timeout

  11. Update Session timeout (Minutes) to 10 then OK

  12. Displayed Date & Time

  13. When prompted to sync with this computer OK

  14. Remote Desktop and then click red banner to enable the feature.

    • Check Redirection Port

    • Check KVM Remote Desktop

    • Check IDE-Redirection

    • Check Serial-over-LAN

  15. OK

  16. Connect and verify you can establish a Remote KVM session with computer and then disconnect.

    Important

    The Remote KVM requires the system to have an active display connected to it in order to function. So if connected to a physical KVM but off-channel, it will have issues and if display is unplugged it will not work. You will need a DisplayPort Headless Ghost Display plug like the following Recommended Ghost Display Plug

    Mark Complete:

    Hostname

    Print and Sign Name

    Date

    akkala

1.3.3.4.3. Dell Precision 3431, BIOS Configuration for for akkala

  1. If not already at Boot Option Menu, Restart or Power On (if Off) the Dell 3431 Workstation and F12 when Dell 3431 powers on and shows Dell logo

  2. BIOS Configuration

    Note

    If the BIOS has already been configured then you will need to Unlock and <Admin Password> to be able to change any settings.

    Important

    If prompted after Apply, Check Save as Custom User Settings then OK

  3. General –> Boot Sequence

    Important

    The Boot Sequence menu may only list options set from factory and will require completing configuration of BIOS and installation of OS to populate menu options in documentation.

    1. Configure the Boot List Option to UEFI

    2. Configure the Boot Sequence to the following order:

      • UEFI: Samsung USB or VMware ESXi (If installed)

      • Onboard NIC(IPV4)

      • Onboard NIC(IPV6)

    3. Apply

  4. General –> Advanced Boot Options

    • Uncheck Enable Legacy Options ROMs

    • Apply

  5. General –> UEFI Boot Path Security

    • Always, Except Internal HDD & PXE

    • Apply

  6. General –> Date/Time

    • Configure Time and Date to local UTC time.

  7. System Configuration –> Integrated NIC

    • Check Enable UEFI Network Stack

    • Enabled w/PXE

    • Apply

  8. System Configuration –> Serial Port

    • COM1

    • Apply

  9. System Configuration –> SATA Operation

    • ACHI

    • Apply

  10. System Configuration –> Drives

    • Check SATA-0

    • Check SATA-2

    • Check SATA-3

    • Check SATA-4

    • Check M.2 PCIe SSD-0

    • Apply

  11. System Configuration –> SMART Reporting

    • Check Enable SMART Reporting

    • Apply

  12. System Configuration –> USB Configuration

    • Check Enable USB Boot Support

    • Check Enable Front USB Ports

    • Check Enable Rear USB Ports

    • Apply

  13. System Configuration –> Front USB Configuration

    • Check Front Port 1(Bottom Right)

    • Check Front Port 1 w/Power Share(Top Right)

    • Check Front Port 2(Bottom Left)

    • Check Front Port 2(Top Left)

    • Apply

  14. System Configuration –> Rear USB Configuration

    • Check Rear Port 1(Left)

    • Check Rear Port 2(Left Middle)

    • Check Rear Port 3(Right Middle)

    • Check Rear Port 4(Right)

    • Check Rear Port 1(Left)

    • Check Rear Port 2(Right)

    • Apply

  15. System Configuration –> USB PowerShare

    • Uncheck Enable USB PowerShare

    • Apply

  16. System Configuration –> Audio

    • Check Enable Audio

    • Check Enable Microphone

    • Check Enable Internal Speaker

    • Apply

  17. System Configuration –> Dust Filter Maintenance

    • 90 days

    • Apply

  18. System Configuration –> Miscellaneous Devices

    • Uncheck Enable Secure Digital (SD) Card

    • Uncheck Secure Digital (SD) Card Boot

    • Uncheck Secure Digital (SD) Card Read-Only Mode

    • Apply

  19. Video –> Primary Display

    • Intel HD Graphics

    • Apply

  20. Security –> System Password

    • Should be Not Set

    • Apply

  21. Security –> Internal HDD-3 Password

    • Should be Not Set

    • Apply

  22. Security –> Strong Password

    • Check Enable Strong Password

    • Apply

  23. Security –> Password Configuration

    • Admin Password Min. 8

    • Admin Password Max. 32

    • System Password Min. 08

    • System Password Max. 32

    • Apply

  24. Security –> Password Bypass

    • Disabled

    • Apply

  25. Security –> Password Change

    • Check Allow Non-Admin Password Changes

    • Apply

  26. Security –> UEFI Capsule Firmware Updates

    • Check Enable UEFI Capsule Firmware Updates

    • Apply

  27. Security –> HDD Security

    • Uncheck SED Block SID Authentication

    • Uncheck PPI Bypass for SED Block SID Command

    • Apply

  28. Security –> TPM 2.0 Security

    • Check TPM On

    • Uncheck PPI Bypass for Enable Commands

    • Uncheck PPI Bypass for Disable Commands

    • Uncheck PPI Bypass for Clear Commands

    • Uncheck Clear

    • Check Attestation Enable

    • Check Key Storage Enable

    • Check SHA-256

    • Enabled

    • Apply

  29. Security –> Absolute

    • Enabled

    • Apply

  30. Security –> Chassis Intrusion

    • Uncheck Clear Intrusion Warning

    • On-Silent

    • Apply

  31. Security –> OROM Keyboard Access

    • Enabled

    • Apply

  32. Security –> Admin Setup Lockout

    • Uncheck Enable Admin Setup Lockout

    • Apply

  33. Security –> Master Password Lockout

    • Uncheck Enable Master Password Lockout

    • Apply

  34. Security –> SMM Security Mitigation

    • Uncheck SMM Security Mitigation

    • Apply

  35. Secure Boot –> Secure Boot Enable

    • Uncheck Secure Boot Enable

    • Apply

  36. Secure Boot –> Secure Boot Mode

    • Deployed Mode

    • Apply

  37. Secure Boot –> Expert Key Management

    • Uncheck Enable Custom Mode

    • PK

    • Apply

  38. Intel Software Guard Extensions –> Intel SGX Enable

    • Software Controlled

    • Apply

  39. Intel Software Guard Extensions –> Enclave Memory Size

    • 128MB Grayed out due to previous setting

  40. Performance –> Multi Core Support

    • All

    • Apply

  41. Performance –> Intel SpeedStep

    • Check Enable Intel SpeedStep

    • Apply

  42. Performance –> C-States Control

    • Check C States

    • Apply

  43. Performance –> Intel TurboBoost

    • Check Enable Intel TurboBoost

    • Apply

  44. Performance –> HyperThread control

    • Enabled

    • Apply

  45. Power Management –> AC Recovery

    • Last Power State

    • Apply

  46. Power Management –> Enable Intel Speed Shift Technology

    • Check Enable Intel Speed Shift Technology

    • Apply

  47. Power Management –> Auto On Time

    • Disabled

    • Apply

  48. Power Management –> Deep Sleep Control

    • Enabled in S4 and S5

    • Apply

  49. Power Management –> Fan Control Override

    • Uncheck Fan Control Overide

    • Apply

  50. Power Management –> USB Wake Support

    • Uncheck Enable USB Wake Support

    • Apply

  51. Power Management –> Wake on LAN/WLAN

    • Disabled

    • Apply

  52. Power Management –> Block Sleep

    • Uncheck Block Sleep

    • Apply

  53. POST Behavior –> Numlock LED

    • Check Enable Numlock LED

    • Apply

  54. POST Behavior –> Keyboard Errors

    • Uncheck Enable Keyboard Error Detection

    • Apply

  55. POST Behavior –> Fastboot

    • Thorough

    • Apply

  56. POST Behavior –> Extend BIOS POST Time

    • 5 seconds

    • Apply

  57. POST Behavior –> Full Screen Logo

    • Uncheck Enable Full Screen Logo

    • Apply

  58. POST Behavior –> Warnings and Errors

    • Prompt on Warning and Errors

    • Apply

  59. Manageability –> Intel AMT Capability

    Important

    This menu option will only appear if the Intel AMT capability was added at factory

    • Enabled

    • Apply

  60. Manageability –> USB Provision

    • Uncheck Enable USB Provision

    • Apply

  61. Manageability –> MEBx Hotkey

    • Check Enable MEBx Hotkey

    • Apply

  62. Virtualization Support –> Virtualization

    • Check Enable Intel Virtualization Technology

    • Apply

  63. Virtualization Support –> VT for Direct I/O

    • Check Enable VT for Direct I/O

    • Apply

  64. Virtualization Support –> Trusted Execution

    • Check Trusted Execution

    • Apply

  65. Wireless –> Wireless Device Enable

    • Uncheck WLAN/WiGig

    • Uncheck Bluetooth

    • Apply

  66. Maintenance –> SERR Messages

    • Check Enable SERR Messages

    • Apply

  67. Maintenance –> BIOS Downgrade

    • Check Allow BIOS Downgrade

    • Apply

  68. Maintenance –> Data Wipe

    • Uncheck Wipe on Next Boot

    • Apply

  69. Maintenance –> BIOS Recovery

    • Uncheck BIOS Recovery from Hard Drive

    • Apply

  70. System Logs –> BIOS Events

    • Review BIOS Event Logs

    • Clear Log –> Yes

  71. Advanced configurations –> ASPM

    • Auto

    • Apply

  72. SupportAssist System Resolution –> Auto OS Recovery Threshold

    • OFF

    • Apply

  73. SupportAssist System Resolution –> SupportAssist OS Recovery

    • Uncheck SupportAssist OS Recovery

    • Apply

  74. SupportAssist System Resolution –> BIOSConnect

    • Uncheck BIOSConnect

    • Apply

  75. Security –> Admin Password If not already set

    • Enter new *Admin level password*

    • Confirm new *Admin level password*

    • OK

  76. Exit

  77. Dell 3431 Workstation will reboot. If configuration of the BIOS version was the only need at this time, let Dell 3431 boot into its normal boot cycle. Otherwise F12 and continue to Intel(R) Management Engine BIOS Extension (MEBx) Configuration section

    Mark Complete:

    Hostname

    Print and Sign Name

    Date

    akkala