- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We in the IT Department of the organization I am working in, are really enjoying AMT as we a re located in our country's capitol and have branch offices all over the country . We have computers from DELL, HP and Lenovo and using Managability Commander Tool to start up, and above all; use VNC for KVM.
Our last badge of computers was Lenovo X1 Carbon. Lenovo could factory set a lot of bios and vPro/AMT settings, but not Activate Network Access: Yes
So my first, and I do realize a bit naive question (due to obvious security concerns) is; is it possible to override this by the use of the PowerShell module?
We also have a lot of computers we do have physical access to and it would save us a lot of work to set Activate Network Access remotely.
My second question is more straight forward. Most of our computers have not factory set a custom password for admin. Is it possible to change the password by the use of the PowerShell module?
The script under btw is working very well given the fact that Active Network Access is set:
import-module intelvpro
$cred = Get-Credential
Write-AmtCredential -Username $cred.UserName -Password $cred.Password # vpro admin and pw
read-amtcredential
New-PSDrive -Name amt -PSProvider AmtSystem -Root "\" -computername localhost -Credential $cred
Set-Item amt:\Config\KVM\AccessPointEnabled $true
Set-Item amt:\Config\KVM\ConsentRequired $false
Hopefully is it also possible to set credentials without prompting...(?)
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Greetings:
So my first, and I do realize a bit naive question (due to obvious security concerns) is; is it possible to override this by the use of the PowerShell module?
This is not an option available via the vPro Powershell Module
My second question is more straight forward. Most of our computer has not factory set a custom password for admin. Is it possible to change the password by the use of the PowerShell module?
No, this functionality is also not built into the PS Module, however, take a look at this link and it may assist you in creating a script:
https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=HTMLDocuments/WS-Management_Class_Reference/AMT_SetupAndConfigurationService.htm%23SetMEBxPassword
Hopefully is it also possible to set credentials without prompting...(?)
From the .pdf included in the download:
Section 3.3:
3.3 Configuring a Profile for the Windows PowerShell Module for
Intel vPro Technology
Microsoft states "A well-designed profile can make it even easier to use Windows
PowerShell and to administer your system". This holds true for administering Intel vPro
technology enabled devices. A well-designed PowerShell profile can make that task
even easier.
Please view the link below from Microsoft for more information about PowerShell
profiles:
http://msdn.microsoft.com/en-us/library/bb613488(v=vs.85).aspx
3.3.1 Setting Up a Profile for Intel vPro Technology
Below is an example of a profile you can put in
%my documents%/WindowsPowerShell/Microsoft.PowerShell_profile.ps1.
function vPro
{
Import-Module IntelvPro
}
Once you have created this profile, you can type vPro from within PowerShell to load
the module. 3.3.2Using Intel® AMT Credential Secure StorageIntel AMT credentials can be securely stored in a PowerShell encrypted string using theWrite-AMTCredential cmdlet. This allows the privileged administrator to store theIntel AMT required credentials without the credentials being exposed in plain text forany user to view.Once credentials are stored once with Write-AMTCredential (see section 5.10.4) a laterPowershell session can read them with Read-AMTCredential without exposing them.To set your profile to load the module and set the Intel AMT credentials when you typevPro in a PowerShell session, change your profile as follows:
function vPro
{
Import-Module IntelvPro
New-Variable -Name AmtCred -Value (Read-AmtCredential)
}
Intel vPro Technology Module for Microsoft Windows PowerShell
16 3.3.3Making Everything Load AutomaticallyTo make the module load and the $AmtCred variable set (store first once with WriteAMTCredential (see section 5.10.4)) every time a PowerShell session is started modifythe profile to include the following (not in a function block):
Import-Module IntelvPro
New-Variable -Name AmtCred -Value (Read-AmtCredential) 3.3.4Easily Mounting an AMTSystem PowerShell DriveTo easily mount an AMTSystem Powershell Drive add the following function to theprofile:
function mount-AMTDrive
{
Param([string]$HostName,
[System.Management.Automation.PSCredential]$AMTCredential)
process{
New-PSdrive -scope global -name $HostName -psprovider amtsystem
-root \ -computername $HostName -credential $AMTCredential
}
}
Now mounting an AMTSystem Powershell drive by typing:
Mount-AMTDrive $HostName
The drive name will be $HostName and is listed when typing:
PSDrive
NOTE
The New-PSDrive cmdlet does not accept ~ / \ . : characters. It is recommended to
use the Hostname instead of an IP address
Forgive the formatting.
Regards,
Michael
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your in depht answer!
Is it by design from Intel that Lenovo can not set Activate Network Access: Yes as a factory setting?
(Would that be a restriction for other manufacturers as well?)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
It is by design from Intel and yes, would be a restriction for other manufacturers as well.
Regards,
Michael
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Again, thank you very much!
Do you think vPro / PowerShell module will develope into handling this?
Do large companies that purchase a lot of computers manually enter MEBx setup på each computer to set Activate Network Access: Yes?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi. Normally large companies that purchase a lot of computers do not manually enter MEBx for configuration. They usually perform a remote configuration.
See section 1.4.4 of the User Guide.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page