Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.

AMT MEBx Password

Mohamed_A_1
Beginner
4,480 Views

Guys i need your help in this 

i am new for using AMT technology, and i want to know if it's applicable or not 

Is MEBx Password can be randomly as KVM "user consent" 

IF the answer is NO 

Am i able to change the multi Machines 100X remotely ? 

i tried intel AMT profile Design and already created test profile but i don't know how to deploy it over those number of machines 

conclusion**

I need to change the MEBx password many times in case its being knowing from colleagues 

 

0 Kudos
8 Replies
Joseph_O_Intel1
Employee
4,480 Views

Hey Mohammed

The MEBx password can only be changed in mass by deploying a delta profile from a SCS server. The profile will use a preconfigured password and not a random password.

Utilizing the SCS Server will require a Intel AMT provisioning certificate purchased from a third party.

I hope that helps

Joe

 

 

0 Kudos
Mohamed_A_1
Beginner
4,480 Views

Thanks joe for your responding :) , 

 

Can i use delta profile only without a Certificate ?! 

0 Kudos
Joseph_O_Intel1
Employee
4,480 Views

You must use the certificate

The MEBx password can only be changed in a secure manner, which means you need direct physical access or using SCS w/ certificates.

Without the certificate you would be using the Host Based Provisioning (HBP) model and the action of changing the MEBx password is not allowed.

 

0 Kudos
Mohamed_A_1
Beginner
4,480 Views
here is something else i want to validate i created profile and i used this command line ((Acuconfig.exe /lowsecurity configamt C:\Configurator\Passwordchange.xml /decryptionpassword ****** /adminpassword ******)) to change the password only , here is the result 2016-02-11 16:29:08:(INFO) : ACU Configurator , Category: HandleOutPut: Starting log 2016-02-11 16:29:08 2016-02-11 16:29:08:(INFO) : ACU Configurator, Category: : ACUConfig 11.0.0.214 2016-02-11 16:29:08:(INFO) : ACU Configurator, Category: -Unknown Operation-: *************************: Starting to configure AMT... 2016-02-11 16:29:18:(INFO) : localhost, Category: AMT Interface : Wire support:************** 1 2016-02-11 16:29:21:(INFO) : localhost, Category: AMT Interface : Wire support:************** 1 2016-02-11 16:29:31:(SUCCESS) : ACU Configurator, Category: Exit: ***********Exit with code 0. Details: Success. but when i restart and try to login , i still use the same old password . am i missing something ?
0 Kudos
Joseph_O_Intel1
Employee
4,480 Views

Hey Mohammed

When you state that you reboot and use the same password, it is my belief that you are using Ctrl+P or similar on the local machine to access the MEBx, as such this behavior is as expected. Let me address vPro passwords. There are three basic passwords and they are as follows.

  1. MEBx - This password can be thought of as the physical access password. It is only used when you are sitting at the system and accessing the MEBx during the Boot Process. This password is only changed during access via the MEBx, USB Configuration or when configuring with SCS with the provisioning certificate. This password has a requirement for up to 32 characters, upper/lower case, numbers and special characters.
  2. AMT Digest User- This password is the default "admin" password. This password is used for all remote connection to the AMT. During initial provisioning this password is the same as the MEBx. Note: The password may be the same as the MEBx password, however they are separate values stored in the firmware. This password has a requirement for up to 32 characters, upper/lower case, numbers and special characters.
  3. RFB5900 - This password is optional and can only be set via during configuration using SCS tools. This password is only used when electing to use a VNC client to make the KVM connection. This password has a requirement for 8 character, upper/lower/ numbers and special characters.

By using configamt switch with acuconfig.exe tool, you are not leveraging a SCS server(with provisioning certificate), you are merely doing a host based delta configuration that will only effect the AMT password.

 

 

 

 

\

0 Kudos
Mohamed_A_1
Beginner
4,480 Views

hello joseph 

thanks for your reply i appreciate so much 

actually know these kind of password differences , but my question was yes i change the password with no error message and yes i use CTRL + P but the password still the same as i mentioned previously

Update

i tried again the command and the password still not working HOWEVER its working from webUI

honestly i don't understand how it's working on webui without being accessed from the AMT itself " MEBx

0 Kudos
Joseph_O_Intel1
Employee
4,480 Views

If the password is changing for the WebUI and not the MEBx, that is the expected behavior when updating the password with acuconfig configamt ....  using this method only changes the digest Master password. The WebUI and remote control commands all use this password for management.

When AMT is configured using the following methods: SCS w/certificate, Manually thru Ctrl+P and via USB Key. The passwords for Digest Master Password and the MEBx password are the same, however they are distinct separate values within the firmware, hence the passwords can get out of synch do to technician interaction.

0 Kudos
Roman_S_4
Novice
4,480 Views

Mohamed, you have that situation:

Difference of AMT passwords

(picture is for some old Intel AMT version, but sense is the same)

If you want to change MEBx-password without buying vPro-certificate you have to add your own certificate (hash) to Intel AMT CertStore and start provision process. You can do it with to example Manageablilty Director with option "Part Unprovision". But this means that you'll have to repeat this procedure with Manageablilty Director and any your previously initialized Intel AMT computers. Alternative and more certain variant is using USB flash for preconfigure Intel AMT, where you can set MEBx password, but it expects your manually doing on each AMT computer.

0 Kudos
Reply