To give a sense of what I am trying to do:
We have over 2000 machines that are all vpro capable and provisioned. At the end of their life cycle (4 years) in our department we phase them out and they go to a surplus group at our or organization that then offers up these "new to you" machines to other groups/departments within our organization at essentially no cost. As vPro has matured and become the standard in our machines we have been passing down machines for about 6 years that are now capable of remote management.
What we are being asked is if we can wipe/reset the Management Engine password. Having reviewed this forum I have found that it is not possible without entry in to the machine. Our "Plan B" is to set the ME password to something other than what we normally use and then provide that as a mutually shared password.
Herein lies the problem. I have been working with the ACUCONFIG.EXE program and its command line option to try to accomplish this task.
There are two commands, MaintainAMT and a MaintainviaRCSOnly that each have a task within them that state they can "RenewAdminPassword"
To define that directive:
RenewAdminPassword – Changes the password of the default Digest admin user in the Intel AMT device according to the password setting defined in the profile.
The command lines I have tried are:
acuconfig.exe MaintainAMT WIPE_AMT_PROFILE.xml RenewAdminPassword /AdminPassword XXXXXXX <-- tried with and without the last switch for password
acuconfig.exe MaintainViaRCSOnly vpro.xxxxxxxxxxx.tamu.edu WIPE_AMT_PROFILE RenewAdminPassword
In either case the return result is error 50 which in the users guide for SCS read: The Intel AMT device is in a state that does not support the Maintenance command
Clearly it understands I am issuing a maintenance command and has no fault with the syntax. The error indicates it is the machines AMT module that is unwilling to process the command.
We were also wanting to deprovision the machine and I found the unconfigure command for ACUCONFIG and it works just fine. It makes little sense that I can remove provisioning but not set a password?!
All this is being done via a WinPE 8 (SCCM 2012 R2) image we PXE boot the machine to when preparing it for our surplus division. It currently wipes the machines drive but we need it to set the password to the one we will hand out and then perform the unprovision I mentioned above having figured out.
If anyone else has any experience with the maintenance command and can point me in the correct direction it would be appreciated.