Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2942 Discussions

vPro/AMT powershell module 3.2.6 enable network access remote and change admin password

ODani
Beginner
4,865 Views

We in the IT Department of the organization I am working in, are really enjoying AMT as we a re located in our country's capitol and have branch offices all over the country . We have computers from DELL, HP and Lenovo and using Managability Commander Tool to start up, and above all; use VNC for KVM.

Our last badge of computers was Lenovo X1 Carbon. Lenovo could factory set a lot of bios and vPro/AMT settings, but not Activate Network Access: Yes

So my first, and I do realize a bit naive question (due to obvious security concerns) is; is it possible to override this by the use of the PowerShell module?

We also have a lot of computers we do have physical access to and it would save us a lot of work to set Activate Network Access remotely.

My second question is more straight forward. Most of our computers have not factory set a custom password for admin. Is it possible to change the password by the use of the PowerShell module?

The script under btw is working very well given the fact that Active Network Access is set:

import-module intelvpro

$cred = Get-Credential

Write-AmtCredential -Username $cred.UserName -Password $cred.Password # vpro admin and pw

read-amtcredential

New-PSDrive -Name amt -PSProvider AmtSystem -Root "\" -computername localhost -Credential $cred

Set-Item amt:\Config\KVM\AccessPointEnabled $true

Set-Item amt:\Config\KVM\ConsentRequired $false

Hopefully is it also possible to set credentials without prompting...(?)

0 Kudos
5 Replies
idata
Employee
2,747 Views

Greetings:

 

 

So my first, and I do realize a bit naive question (due to obvious security concerns) is; is it possible to override this by the use of the PowerShell module?

 

This is not an option available via the vPro Powershell Module

 

 

My second question is more straight forward. Most of our computer has not factory set a custom password for admin. Is it possible to change the password by the use of the PowerShell module?

 

 

No, this functionality is also not built into the PS Module, however, take a look at this link and it may assist you in creating a script:

 

https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=HTMLDocuments/WS-Management_Class_Reference/AMT_SetupAndConfigurationService.htm%23SetMEBxPassword

 

 

Hopefully is it also possible to set credentials without prompting...(?)

 

From the .pdf included in the download:

 

Section 3.3:

 

 

 

3.3 Configuring a Profile for the Windows PowerShell Module for

 

Intel vPro Technology

 

Microsoft states "A well-designed profile can make it even easier to use Windows

 

PowerShell and to administer your system". This holds true for administering Intel vPro

 

technology enabled devices. A well-designed PowerShell profile can make that task

 

even easier.

 

Please view the link below from Microsoft for more information about PowerShell

 

profiles:

 

http://msdn.microsoft.com/en-us/library/bb613488(v=vs.85).aspx

 

 

 

3.3.1 Setting Up a Profile for Intel vPro Technology

 

Below is an example of a profile you can put in

 

%my documents%/WindowsPowerShell/Microsoft.PowerShell_profile.ps1.

 

function vPro

 

{

 

Import-Module IntelvPro

 

}

 

Once you have created this profile, you can type vPro from within PowerShell to load

 

the module. 3.3.2Using Intel® AMT Credential Secure StorageIntel AMT credentials can be securely stored in a PowerShell encrypted string using theWrite-AMTCredential cmdlet. This allows the privileged administrator to store theIntel AMT required credentials without the credentials being exposed in plain text forany user to view.Once credentials are stored once with Write-AMTCredential (see section 5.10.4) a laterPowershell session can read them with Read-AMTCredential without exposing them.To set your profile to load the module and set the Intel AMT credentials when you typevPro in a PowerShell session, change your profile as follows:

 

function vPro

 

{

 

Import-Module IntelvPro

 

New-Variable -Name AmtCred -Value (Read-AmtCredential)

 

}

 

Intel vPro Technology Module for Microsoft Windows PowerShell

 

16 3.3.3Making Everything Load AutomaticallyTo make the module load and the $AmtCred variable set (store first once with WriteAMTCredential (see section 5.10.4)) every time a PowerShell session is started modifythe profile to include the following (not in a function block):

 

Import-Module IntelvPro

 

New-Variable -Name AmtCred -Value (Read-AmtCredential) 3.3.4Easily Mounting an AMTSystem PowerShell DriveTo easily mount an AMTSystem Powershell Drive add the following function to theprofile:

 

function mount-AMTDrive

 

{

 

Param([string]$HostName,

 

[System.Management.Automation.PSCredential]$AMTCredential)

 

process{

 

New-PSdrive -scope global -name $HostName -psprovider amtsystem

 

-root \ -computername $HostName -credential $AMTCredential

 

}

 

}

 

Now mounting an AMTSystem Powershell drive by typing:

 

Mount-AMTDrive $HostName

 

The drive name will be $HostName and is listed when typing:

 

PSDrive

 

NOTE

 

The New-PSDrive cmdlet does not accept ~ / \ . : characters. It is recommended to

 

use the Hostname instead of an IP address

 

 

Forgive the formatting.

 

 

Regards,

 

Michael
0 Kudos
ODani
Beginner
2,747 Views

Thank you for your in depht answer!

Is it by design from Intel that Lenovo can not set Activate Network Access: Yes as a factory setting?

(Would that be a restriction for other manufacturers as well?)

0 Kudos
idata
Employee
2,747 Views

Hi,

 

 

It is by design from Intel and yes, would be a restriction for other manufacturers as well.

 

 

Regards,

 

Michael
0 Kudos
ODani
Beginner
2,747 Views

Again, thank you very much!

Do you think vPro / PowerShell module will develope into handling this?

Do large companies that purchase a lot of computers manually enter MEBx setup på each computer to set Activate Network Access: Yes?

0 Kudos
idata
Employee
2,747 Views

Hi. Normally large companies that purchase a lot of computers do not manually enter MEBx for configuration. They usually perform a remote configuration.

 

 

See section 1.4.4 of the User Guide.
0 Kudos
Reply