5 Replies Latest reply on Oct 17, 2017 5:14 PM by Intel Corporation

    vPro/AMT powershell module 3.2.6 enable network access remote and change admin password

    HvemVet

      We in the IT Department of the organization I am working in, are really enjoying AMT as we a re located in our country's capitol and have branch offices all over the country . We have computers from DELL, HP and Lenovo and using Managability Commander Tool to start up, and above all; use VNC for KVM.

       

      Our last badge of computers was Lenovo X1 Carbon. Lenovo could factory set a lot of bios and vPro/AMT settings, but not Activate Network Access: Yes

       

      So my first, and I do realize a bit naive question (due to obvious security concerns) is; is it possible to override this by the use of the PowerShell module?

       

      We also have a lot of computers we do have physical access to and it would save us a lot of work to set Activate Network Access remotely.

       

      My second question is more straight forward. Most of our computers have not factory set a custom password for admin. Is it possible to change the password by the use of the PowerShell module?

       

      The script under btw is working very well given the fact that Active Network Access is set:

      import-module intelvpro

      $cred = Get-Credential

      Write-AmtCredential -Username $cred.UserName -Password $cred.Password # vpro admin and pw

      read-amtcredential

      New-PSDrive -Name amt -PSProvider AmtSystem -Root "\" -computername localhost -Credential $cred

      Set-Item amt:\Config\KVM\AccessPointEnabled $true

      Set-Item amt:\Config\KVM\ConsentRequired $false

       

      Hopefully is it also possible to set credentials without prompting...(?)

        • 1. Re: vPro/AMT powershell module 3.2.6 enable network access remote and change admin password
          Intel Corporation
          This message was posted on behalf of Intel Corporation

          Greetings:

          So my first, and I do realize a bit naive question (due to obvious security concerns) is; is it possible to override this by the use of the PowerShell module?
          This is not an option available via the vPro Powershell Module

          My second question is more straight forward. Most of our computer has not factory set a custom password for admin. Is it possible to change the password by the use of the PowerShell module?

          No, this functionality is also not built into the PS Module, however, take a look at this link and it may assist you in creating a script:
          https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=HTMLDocuments%2FWS-Management_Class_Reference%2FAMT_SetupAndConfigurationService.htm%23SetMEBxPassword

          Hopefully is it also possible to set credentials without prompting...(?)
          From the .pdf included in the download:
          Section 3.3:


          3.3 Configuring a Profile for the Windows PowerShell Module for
          Intel vPro Technology
          Microsoft states “A well-designed profile can make it even easier to use Windows
          PowerShell and to administer your system”. This holds true for administering Intel vPro
          technology enabled devices. A well-designed PowerShell profile can make that task
          even easier.
          Please view the link below from Microsoft for more information about PowerShell
          profiles:
          http://msdn.microsoft.com/en-us/library/bb613488(v=vs.85).aspx


          3.3.1 Setting Up a Profile for Intel vPro Technology
          Below is an example of a profile you can put in
          %my documents%/WindowsPowerShell/Microsoft.PowerShell_profile.ps1.
          function vPro
          {
          Import-Module IntelvPro
          }
          Once you have created this profile, you can type vPro from within PowerShell to load
          the module.                                                                                                  

          3.3.2Using Intel® AMT Credential Secure Storage
          Intel AMT credentials can be securely stored in a PowerShell encrypted string using the
          Write-AMTCredential cmdlet. This allows the privileged administrator to store the
          Intel AMT required credentials without the credentials being exposed in plain text for
          any user to view.
          Once credentials are stored once with Write-AMTCredential (see section 5.10.4) a later
          Powershell session can read them with Read-AMTCredential without exposing them.
          To set your profile to load the module and set the Intel AMT credentials when you type
          vPro in a PowerShell session, change your profile as follows:

          function vPro
          {
          Import-Module IntelvPro
          New-Variable -Name AmtCred -Value (Read-AmtCredential)
          }
          Intel vPro Technology Module for Microsoft Windows PowerShell
          16                                                
          3.3.3Making Everything Load Automatically
          To make the module load and the $AmtCred variable set (store first once with Write
          AMTCredential (see section 5.10.4)) every time a PowerShell session is started modify
          the profile to include the following (not in a function block):

          Import-Module IntelvPro
          New-Variable -Name AmtCred -Value (Read-AmtCredential)                                      
          3.3.4Easily Mounting an AMTSystem PowerShell Drive
          To easily mount an AMTSystem Powershell Drive add the following function to the
          profile:

          function mount-AMTDrive
          {
          Param([string]$HostName,
          [System.Management.Automation.PSCredential]$AMTCredential)
          process{
          New-PSdrive -scope global -name $HostName -psprovider amtsystem
          -root \ -computername $HostName -credential $AMTCredential
          }
          }
          Now mounting an AMTSystem Powershell drive by typing:
          Mount-AMTDrive $HostName
          The drive name will be $HostName and is listed when typing:
          PSDrive
          NOTE
          The New-PSDrive cmdlet does not accept ~ / \ . : characters. It is recommended to
          use the Hostname instead of an IP address

          Forgive the formatting.

          Regards,
          Michael

          • 2. Re: vPro/AMT powershell module 3.2.6 enable network access remote and change admin password
            HvemVet

            Thank you for your in depht answer!

             

            Is it by design from Intel that Lenovo can not set Activate Network Access: Yes as a factory setting?

            (Would that be a restriction for other manufacturers as well?)

            • 3. Re: vPro/AMT powershell module 3.2.6 enable network access remote and change admin password
              Intel Corporation
              This message was posted on behalf of Intel Corporation

              Hi,

              It is by design from Intel and yes, would be a restriction for other manufacturers as well.

              Regards,
              Michael

              • 4. Re: vPro/AMT powershell module 3.2.6 enable network access remote and change admin password
                HvemVet

                Again, thank you very much!

                 

                Do you think vPro / PowerShell module will develope into handling this?

                Do large companies that purchase a lot of computers manually enter MEBx setup på each computer to set Activate Network Access: Yes?

                • 5. Re: vPro/AMT powershell module 3.2.6 enable network access remote and change admin password
                  Intel Corporation
                  This message was posted on behalf of Intel Corporation

                  Hi.  Normally large companies that purchase a lot of computers do not manually enter MEBx for configuration.  They usually perform a remote configuration.

                  See section 1.4.4 of the User Guide.