Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Failure Using acuconfig.exe and maintainamt/maintainviaRCSonly switch

DPopr
Beginner

To give a sense of what I am trying to do:

We have over 2000 machines that are all vPro capable and provisioned. At the end of their life cycle (4 years) in our department we phase them out and they go to a surplus group at our organization that then offers up these "new to you" machines to other groups/departments within our organization at essentially no cost. As vPro has matured and become the standard in our machines we have been passing down machines for about 6 years that are now capable of remote management.

What we are being asked is if we can wipe/reset the Management Engine password. Having reviewed this forum I have found that it is not possible without entry into the machine. Our "Plan B" is to set the ME password to something other than what we normally use and then provide that as a mutually shared password.

Herein lies the problem. I have been working with the ACUCONFIG.EXE program and its command line option to try to accomplish this task.

There are two commands, MaintainAMT and MaintainviaRCSOnly, that each have a task within them that states they can "RenewAdminPassword"

To define that directive:

RenewAdminPassword – Changes the password of the default Digest admin user in the Intel AMT device according to the password setting defined in the profile.

The command lines I have tried are:

acuconfig.exe MaintainAMT WIPE_AMT_PROFILE.xml RenewAdminPassword /AdminPassword XXXXXXX <-- tried with and without the last switch for password

acuconfig.exe MaintainViaRCSOnly vpro.xxxxxxxxxxx.tamu.edu WIPE_AMT_PROFILE RenewAdminPassword

In either case the return result is error 50, which in the user's guide for SCS reads: The Intel AMT device is in a state that does not support the Maintenance command

Clearly it understands I am issuing a maintenance command and has no fault with the syntax. The error indicates it is the machine's AMT module that is unwilling to process the command.

We were also wanting to deprovision the machine and I found the unconfigure command for ACUCONFIG and it works just fine. It makes little sense that I can remove provisioning but not set a password?!

All this is being done via a WinPE 8 (SCCM 2012 R2) image we PXE boot the machine to when preparing it for our surplus division. It currently wipes the machine's drive but we need it to set the password to the one we will hand out and then perform the unprovision I mentioned above having figured out.

If anyone else has any experience with the maintenance command and can point me in the correct direction it would be appreciated.

Alan_A_Intel
Employee

Hi David,

MaintainAMT and MaintainviaRCSOnly only allow you to change the built-in Admin account password. There is no way to remotely alter the MEBx password; this has to be done locally. Without seeing log files from both the client and the RCS I'm not sure why you're seeing this error when running these commands.

I see a couple of ways you could go about solving this problem.

  1. The best option would be to manually change the MEBx password, adding this step to your preexisting process of computer cleanup before giving them to other departments. This would give the receiving department full control over the vPro computer.
  2. Another option is to create a new profile, one that has a different value for the Admin account password. Then use that new profile to configure "over the top" of the old profile. Doing this will change the Admin account password, but keep the MEBx password intact. This would allow the receiving department the ability to configure/unconfigure these computers, but not enter the MEBx.

-Alan

IT_C_Intel
Employee

Content moved from a duplicate thread.

Alan, thanks for responding.

If you note in my post above, although I didn't explain it as such, I did make a new profile named "WIPE_AMT_PROFILE" which is a duplicate of the normal profile used with the password changed.

I then tried to apply these changes via command line using acuconfig.exe in the following manner. The first command is with the exported XML file and with/without adminpassword and decryptionpassword switches for the encrypted XML file. The second method used the RCS server and directed it to apply the new profile, again with/without the adminpassword switch for the ME.

acuconfig.exe MaintainAMT WIPE_AMT_PROFILE.xml RenewAdminPassword /AdminPassword XXXXXXX

acuconfig.exe MaintainViaRCSOnly vpro.xxxxxxxxxxx.tamu.edu WIPE_AMT_PROFILE RenewAdminPassword

I need a way to be able to apply these changes on command and expected the supplied tool to do the job but seem to be missing something.

Currently we PXE boot to an image on our SCCM server and from PE we DOD wipe the drive, delete the computer from the domain, clear BIOS passwords and settings to default, etc. I have even successfully used acuconfig.exe to fully unprovision a machine from WinPE. The only piece missing to complete this process is setting the password to one we can hand out but that is failing as mentioned above.

DPopr
Beginner

Alan, sorry I missed the top of your response where you said not to use the maintain command but rather to configure again.

I am trying that with the new profile that has a different password only (duplicated original) and get exitcode 78. Yesterday I had a doc. open with those exitcodes and am trying to find it again today.

Alan_A_Intel
Employee

David, I believe the reason you're having issues with your ACUConfig commands is your WinPE image doesn't contain the MEI drivers.

When migrating systems out of your environment it's best practice to change your vPro configuration settings before you remove them from the domain. This will eliminate any potential OS and ME FQDN mismatch errors.

My guess is if you try issuing these ACUConfig commands while the computer still has its OS and is still joined to the domain they will work.

-Alan
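
Added example, not part of the thread and not Intel's code: a PowerShell preflight that checks for the cause suggested in the last reply (no MEI driver in the WinPE image) before calling ACUConfig with whatever arguments you pass. The tool path, the device-name pattern and the PCI class-code fallback are assumptions, and the image needs the PowerShell and WMI components.

```powershell
# Added example (not from the thread). Assumptions: PowerShell and WMI/CIM are
# present in the image; the path, name pattern and class-code match are mine.
param(
    [string] $AcuConfigPath = 'X:\Tools\ACUConfig.exe',  # hypothetical path
    # Everything you would type after acuconfig.exe, e.g. the thread's
    # 'MaintainViaRCSOnly','<rcs-fqdn>','WIPE_AMT_PROFILE','RenewAdminPassword'
    [Parameter(Mandatory = $true)] [string[]] $AcuArguments
)

function Get-MeiDevice {
    # With a driver bound the device carries the MEI friendly name. Without
    # one it is usually an unnamed Intel PCI device of class 0780 (heuristic).
    Get-CimInstance -ClassName Win32_PnPEntity | Where-Object {
        $_.Name -like '*Management Engine Interface*' -or
        ($_.PNPDeviceID -like 'PCI\VEN_8086*' -and
         ($_.CompatibleID -join ';') -like '*CC_0780*')
    }
}

$mei = @(Get-MeiDevice)
if ($mei.Count -eq 0) {
    Write-Warning 'No MEI device is enumerated on this system.'
    exit 2
}

# ConfigManagerErrorCode 0 = working; 28 = no driver installed for the device.
$working = @($mei | Where-Object { $_.ConfigManagerErrorCode -eq 0 })
if ($working.Count -eq 0) {
    foreach ($d in $mei) {
        Write-Warning ('{0} ConfigManagerErrorCode={1}' -f $d.PNPDeviceID, $d.ConfigManagerErrorCode)
    }
    Write-Warning 'MEI device found but no driver is loaded; add the MEI driver to this image.'
    exit 3
}

# Log only the command verb: later arguments may carry /AdminPassword values.
Write-Host ('Running ACUConfig {0} ...' -f $AcuArguments[0])
& $AcuConfigPath @AcuArguments
$code = $LASTEXITCODE

if ($code -ne 0) {
    # The thread quotes the SCS user guide for 50: device state does not
    # support the Maintenance command. Look other codes up in that guide.
    Write-Warning "ACUConfig exited with code $code"
}
exit $code
```

Exit codes 2 and 3 are this script's own and mean ACUConfig was never started; any other non-zero value is ACUConfig's.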
