Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once set up, you can install agents and perform remote desktop sessions to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0
3.88k stars 528 forks

AMT password not being updated when AMT Policy is updated or device moved #4821

Open Trouble123 opened 1 year ago

Trouble123 commented 1 year ago

Have a device that is ACM activated in a group, and then either change it from Fully Automatic to manual with a specific password, or move the device to a group that has a specific password

Expected behavior

Expect the AMT password to login to match what is set at the group level

I can see the password in the amtactivation.log file, so I can confirm that MeshCentral knows it, and testing the password works. The log.txt doesn't show anything happening when I move the device or change the AMT policy, and I don't see anything added to amtactivation.log either.

Your config.json file

{
  "$schema": "http://info.meshcentral.com/downloads/meshcentral-config-schema.json",
  "__comment1__": "This is a simple configuration file, all values and sections that start with underscore (_) are ignored. Edit a section and remove the _ in front of the name. Refer to the user's guide for details.",
  "__comment2__": "See node_modules/meshcentral/sample-config-advanced.json for a more advanced example.",
  "settings": {
    "cert": "XXXX.com",
    "WANonly": true,
    "_LANonly": false,
    "_sessionKey": "XXXXXXXXXX",
    "_port": 443,
    "MpsPort": 4433,
    "log": "debug,main,web,webrequest,cert",
    "_aliasPort": 443,
    "_redirPort": 80,
    "_redirAliasPort": 80
  },
  "domains": {
    "": {
      "title": "Remote Control",
      "title2": "XXXX",
      "_minify": true,
      "_newAccounts": true,
      "_userNameIsEmail": true,
      "agentTag": {
        "ServerName": 1,
        "ServerDesc": 1,
        "ServerTags": 1
      },
      "PreconfiguredScripts": {
        "name": "Run NotePad as user",
        "file": "notepad.exe",
        "type": "bat",
        "runas": "agent"
      }
    }
  },
  "letsencrypt": {
    "__comment__": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before trying Let's Encrypt.",
    "email": "XXXX",
    "names": "XXXX",
    "production": true
  }
}

Ylianst commented 1 year ago

Oh. You're right that when an Intel AMT device first joins a device group and gets activated, it will get an admin password from the device group it initially joined. If you change the device to a different group, it will not change the admin password.

You're right that when moving a device to a different device group, the admin password should be changed to match the new device group; however, it's unlikely I am going to work on this since it's complex and I am not sure what work I will be doing with Intel AMT going forward (#4795).

Trouble123 commented 1 year ago

Understand. Is there a command to change the AMT password from meshcmd or any other CLI method so I can at least do it remotely for all devices?

jirijanata commented 1 year ago

The recommended way to do it is through MeshCommander. According to Ylian, there is no CLI method to do it.

https://www.reddit.com/r/MeshCentral/comments/z93b7j/can_we_change_the_amt_password_via_meshcmd/

Right now the best way to change the Intel AMT "admin" password is to use MeshCommander. MeshCmd can't do it (and MeshCtrl is for MeshCentral automation). In MeshCommander, connect to the device, go in the "User Accounts" tab and edit the "Admin" user.

dinger1986 commented 9 months ago

AMT @si458