I am looking into buying a few used Lenovo ThinkCentre M92p computers but I am not sure if the last owner has setup the admin password for Intel vPro on them.
Does everything get reset if I remove the small battery on the computer?
On AMT 2-9.x CMOS battery will reset AMT to factory defaults.
On AMT 10 there is optoon to be disabled by OEM so OEM will have to provide such BIOS Option.
On AMT 11 and newer - CMOS battery will not reset AMT via MEBx but most of the OEMs added BIOS initiated AMT reset on CMOS RTC battery reset flag (some of OEM may not offer it for special applicaitons like military).
Short answer is yes.
In Lenovo BIOS there is also option to Disable Intel AMT. If you set Intel AMT to Disabled, reboot system (you may need to confirm full ME reset to factory defaults in MEBx screen during POST by pressing Y key - AMT will be reset to full factory defaults (incl MEBx Password).
Than you should go to BIOS setup again (after POST) to enable AMT again.
I strongly recommend to update Lenovo BIOS to latest one as there were some fixes improving MEBx/BIOS controls of AMT state/reset.
Please note that there are two AMT Passwords:
- MEBx -is local only -usable ONLY during POST via physical access to device.
- AMT Digest Administrator (username: admin) - is remote -over network password -if you configure Intel AMT manually or via USB Local Configuration it will be set = new MEBx password.
Both passwords are (can be) changed independently- MEBx via MEBx, AMT Administrator password via AMT Legacy WebUi or by reconfiguring AMT remotely (RCFG) or via Host Based Configuration.
with Updated BIOS you may find (depends on the model/BIOS itself) new option to Unprovision AMT on next reboot (so no need to set AMT to disabled - 2 resets and set it back to enabled).
By Intel AMT/MEBx FW design for ME FW versions up to 9.x (2014) if you disconnect RTC CMOS battery - it will set RTC battery reset flag which Intel MEBx BIOS FW module reads on next POST and it will make MEBx to reset Intel AMT (ME in general) to full factory defaults, including resetting MEBx password to default "admin".
Starting with AMT/ME FW 10 (2015) there was possibility for OEM to disable RTC CMOS battery reset of AMT at manufacturing but it was intended for embeded or military applicaitons (no batteries at all) - not used AFIK in enterprise systems.
Please note -once Intel AMT MEBx password will be reset to factory default (admin) - anyone knowing this password (ex. reading this post) and having physical access to your systems - can use it during reboot/POST to re-enter MEBx and then may configure/unconfgure Intel AMT outside of your control/wish.
Host Based Configuration -is simple but does not change MEBx Password (it stays current (if not changed manually it will be default) so other methods or changing MEBx Password (prior to Host Based Configuration) shall be considered.
Remote Configuration of Intel AMT will change MEBx Password (if it is still default one) (+ set AMT Administrator password ) remotely over AMT enabled Wired LAN.
Intel EMEA Biz Client Solution Architect