When we get an Intel® AMT system and set it up for the first time, we are asked to enter the Management Engine (ME) password and then to change it. (Or, if we are using the Setup and Config Server (Intel SCS), we set up our profiles to change the ME password.) What we are doing here is changing both the AMT and the ME password, so the AMT password is synched with the ME password. I actually didn't realize AMT and ME both had passwords (which makes sense, since we can add AMT users).
So when are the different passwords/users being accessed? When we hit CTRL-P and enter a password, we are accessing the ME, so this is always the ME password.
When we are using a management console (like the AMT Commander) or simply the AMT Web UI, we are accessing AMT. We can add and change AMT users and passwords via the Web UI and management consoles, using APIs which can be found in the Network Interface Guide. We cannot modify the ME password without logging in directly to the ME or going through a provisioning server.
During the provisioning process, there is a One Time Password (OTP) API for the ME, called SetProvisioningServerOTP. There is also an API for getting the OTP if one has already been set, called GetProvisioningServerOTP. If you try to set the ME password after it has already been set (using this API), you will get an error. Of course, you can always go into the ME and change it manually.
The service APIs that would be used to add/update/remove AMT Users are:
Note that once the AMT user's password is changed via the API, the Web UI or another management console, it is no longer synched with the ME password (the ME password does not change).