One of the features we added in the 3.0 Intel vPro PowerShell module was the ability to securely store and safely retrieve user credentials.
AMT credentials can be securely stored in a PowerShell encrypted string using the Write-AMTCredential Cmdlet. This allows the privileged administrator to store the AMT credentials without them being exposed in plaintext for any user to view.
Once stored, the AMT credentials can be read by an Intel vPro Cmdlet in a later PowerShell session with Read-AMTCredential, without exposing them.
So what is the deal? This secure storage lets us put the AMT credentials safely into PowerShell to be retrieved later when someone is running the Cmdlets. That someone may be a person we do not want to have the AMT credentials, let alone other administrative rights.
Putting the credentials directly into a script is a bit of a security hole. Also, assuming that every operator of a PowerShell script knows the credentials is a big assumption.
So, we used the PowerShell secure string to store our AMT credentials.
$AMTCreds = Get-Credential
Write-AmtCredential -Username $AMTCreds.UserName -Password $AMTCreds.Password
Now, in a different session, we can load and use the credentials. (First I have to import the module.)
Import-Module IntelvPro
$AMTCreds = Read-AmtCredential
Get-AMTFirmwareVersion -computername 192.168.1.100 -Credential $AMTCreds
But loading the module and setting a variable in every session gets tiring.
So let’s modify the basic profile located at %my documents%/WindowsPowerShell/Microsoft.PowerShell_profile.ps1 so that after we launch a PowerShell session we can then type in vpro to have the IntelvPro module loaded and the AMT credentials set.
function vpro { Import-Module IntelvPro; New-Variable -Scope 1 -Name AmtCreds -Value (Read-AmtCredential) }
Nice. Now all of the Cmdlets can be called by passing -Credential $AMTCreds to them.
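The post stores the AMT credentials in a PowerShell secure string; the following is an added example, not code from the Intel vPro module, that shows that storage mechanism using built-in cmdlets only. It assumes the module's storage behaves like a secure string exported without a key (protected by Windows DPAPI); the function names, file name and sample values are constructed for illustration.

```powershell
# Added illustration using built-in cmdlets; not the Intel vPro module's code.
# Assumption: the stored value is a DPAPI-protected secure string.
# Save-DemoCredential, Import-DemoCredential and the file name are hypothetical.
$StorePath = Join-Path $env:LOCALAPPDATA 'DemoAmtCredential.xml'

function Save-DemoCredential {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$Path = $StorePath
    )
    # Without -Key, ConvertFrom-SecureString protects the value with Windows
    # DPAPI, tied to the current user account on this computer.
    [pscustomobject]@{
        UserName = $Credential.UserName
        Password = $Credential.Password | ConvertFrom-SecureString
    } | Export-Clixml -Path $Path
}

function Import-DemoCredential {
    param([string]$Path = $StorePath)
    $stored = Import-Clixml -Path $Path
    # Decryption fails under a different account or on a different computer,
    # so copying the file elsewhere does not reveal the password.
    $secure = $stored.Password | ConvertTo-SecureString
    New-Object System.Management.Automation.PSCredential($stored.UserName, $secure)
}

# Constructed sample values; use Get-Credential for real input.
$pw   = ConvertTo-SecureString 'Constructed-Sample-1!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('admin', $pw)
Save-DemoCredential -Credential $cred

# A later session under the same account gets a usable credential object back.
$loaded = Import-DemoCredential
$loaded.UserName

# The file on disk holds the encrypted blob, not the password text.
Select-String -Path $StorePath -Pattern 'Constructed-Sample' -Quiet

# Any session running as this account can still recover the plaintext, so the
# protection boundary is the Windows account that stored the credential.
$loaded.GetNetworkCredential().Password -eq 'Constructed-Sample-1!'
```

Run the store step under the same Windows account that will later read the credential, and treat access to that account as access to the AMT password.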