Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2879 Discussions

Unprovision-IntelAMTOnIntelEMAEndpoints.ps1 script and possible issue with password format

neilbrin
New Contributor I
2,294 Views

Hi Intel,

 

I was using the Intel provded 'Unprovision-IntelAMTOnIntelEMAEndpoint.ps1' to deprovision terminals that are being onboarded on to our 1.10.1.0 EMA platform. This seems to be working fine, however I came across an error with a particular workstation that we had previously provisioned in Intel EMA and then completed a 'emaagenet.exe -resetnodeid'. This then created a new Endpoint object in Intel EMA. I then wanted to unprovision AMT on the terminal so that it would auto-provision under the new Endpoint object/ID. I have done this a number of times, but I come across an error that occurred and aI would like to have this ratified by Intel to determine whether it's a bug or not. 

I received the REST Response; 400; Bad Request
Invoke-WebRequest : {"Message":"{\"ExtendedCode\":3011,\"ExtendedMessage\":\"Invalid password format\"}"}

The password that was set for the AMT on this terminal was;
/Kp3ihYb5ZpWaCMtm/rf

so just wondering if there are any issues with the unprovision API where the AMT password set starts with a forward slash ie. /

 

To confirm this I actually reset the AMT manually using the BIOS. Removed the Endpoint from Intel EMA, uninstalled/re-installed the Intel EMA Agent which then auto provisioned the AMT and then I proceeded to unprovision again using the Intel script and this time it was successful and I can confirm that the new password set did not start with a slash ie:
qOXTJoUSpEoF/+oZu2C9

 

0 Kudos
7 Replies
Eduardo_B_Intel
Employee
2,278 Views

Dear neilbrin, 


I wish you an excellent day and thank you for contacting Intel Customer Support.


So far it is not of my knowledge that our API interprets that as a special character, thus impeding script continue. It does not show within our documentation in regards to Passwords: Valid Usernames and Passwords https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/WordDocuments/setadminuserinformation.htm.


I will check with my team and will come back once there is a response about it. 


Best regards, 


Eduardo B.

Intel Customer Support. 


0 Kudos
Eduardo_B_Intel
Employee
2,247 Views

Dear neilbrin, 


This is not a bug, as it is visible in the EMA GUI that this character is not allowed for the Admin Password. This is likely due to security reasons since MEBX can be set locally where the API is allowing remote configuration. Regardless if you look at the error returned by the API via the Samples it is consistent with the output of the API guide. In regards to ECT, it can only be run locally with Admin privileges and you should be able to unprovision with it. please let me know if this requires more clarifications and I will follow up accordingly. 


Best regards, 


Eduardo B.

Intel Customer Support. 


0 Kudos
neilbrin
New Contributor I
2,234 Views

Thanks Eduardo_B_Intel,

 

You state that the character is not allowed for the Admin password, but we are not manually setting the password. The password is being set randomly by Intel EMA as we have the option set in the Endpoint Group - Intel AMT autosetup to 'randomize (recommended) for the Administrator password.

The Intel script I am using and the one that Intel has provided is just using the password as a parameter and I whether I manually retrieve from the EMA console or script this up to automatically exctract the password, it fails, but only for this password. Sop far, every other password seems to work as expected but this one threw the exception. I will continue to monitor and if I receive another error from the script I will retrieve the AMT Admin password manually and see if this is alos consistent with th issue that I am seeing.

 

regards,

Neil...

0 Kudos
Eduardo_B_Intel
Employee
2,217 Views

Dear neilbrin, 


I will share this information with my team in regards to that being added by the recommended option. Fair enough. Please do not hesitate to contact us back if you consider additional feedback important to share.


Best regards,


Eduardo B

Intel Customer Support.


0 Kudos
neilbrin
New Contributor I
2,059 Views

I have come across this issue once again whereby we can't unprovision the Intel AMT, as the password that was randomly set by Intel EMA begins with a 'slash' ie. /

Here is a screen shot of the script outpout showing the error returned and the password

 

 

0 Kudos
neilbrin
New Contributor I
1,791 Views

Hi Intel,

 

I have come across another instance whereby the Intel AMT password is being set with a random password as set by Intel EMA and again we now can't unprovision this endpoint if the password is set starting with a slash '/'  (we receive an error 400 Bad Request). This is the third system we have come across now that has been randomly set with a a password starting with a slash and now we can't unprovision the newly rebuilt system. So after a rebuild of the terminal, we now have two endpoints in the Environment with the same name and one is provisioned with the Intel EMA client that we can access in-band and one Intel EMA endpoint that is CIRA Connected, but we can't unprovision using this password. WE have successfully unprovisioned many systems this way where the password does not start with a slash '/'. This doesn't occur for any other systems where the password does not start with a slash. Please refer to screen shots

 

0 Kudos
neilbrin
New Contributor I
1,685 Views

Hi Intel,

 

Has anyone had a chance to look at this issue, as we have an endpoint that has been rebuilt that now has two Endpoint IDs, but with the same MAC Address and same Computer Name ID's.?

We can't unprovision this endpoint via the API using the Intel provided script (Unprovision-IntelAMTOnIntelEMAEndpoint.ps1) as it appears that a random AMT password that was generated by Intel EMA and originally set by EMA that starts with a 'slash' fails with an Error 400 ' Bad response'

 

Regards,

Neil B

0 Kudos
Reply