Is there any way I can enable ME/AMT and change the default ME password (ie 'admin') via Windows OS or remotely? That is, I do not have to restart the PC and go into the bios setup page to change it.
No, the ME is completely cut-off from the OS until after AMT has been configured. The OS could have been compromised by a some malicious code, so the AMT code is written to not trust the OS in any way. In my experience, the best ways to get AMT configured are either: pay the money for a commercial Remote Configuration Certificate, or pay your OEM to pre-provision the system so that the credentials needed to configure AMT have been pre-loaded from the factory. The Remote config cert would allow you to get AMT configured by just running the activation agent, which can be done remotely. The factory pre-provisioning would get configured without any touch at all, because the one touch that is required would be done at the factory.
Roger pretty much captured the details here. It is possible to reset the MEbx password with a USB key instead of in the BIOS setup page, but that still requires rebooting the machine and physical presence at the machine to connect the USB key, so it's not too much different than just going into the MEBx. There are other configurations that can also be set via USB key, so it does remove the need to repeatedly type things into the MEBx.
I tried using USB to reboot and configure.
It seems that it works on some systems and not on other systems. I have 2 PCs of the same model (Intel Q45 chipset), and both allow USB boot. But the USB configuration only works for 1 of the system. Do you know why I am observing this behavior?
Another thing is that I find that if I try to provision it many times using the USB, after some time, the PC could no longer boot into the USB-ME environment. Is there a protection mechanism for the USB configuration such that it prevents excessive times of USB configuration? Or is it due to my USB or problem with the PC?
This may be just semantics, but USBprovisioning of the ME through USB is very different and has nothing to do with USB booting of the system. USBprovisioning may be enabled or disabled through the BIOS setup on your system, so you need to check the AMT settings of each system in the BIOS setup of the system. Some OEMs enable USB provisioning out of the factory, and other OEMs disable USB provisioning of the ME out of the factory. You need to check the BIOS setup on each of your systems to seehow they set the state of USB provisioning.
Roger's distinction between USB OS boot and USB ME provisioning is an important point. If we are truly talking about using a USB key for provisioning, can you tell me what version of the SDK you are using?This will let me know what documentation you used to create the setup.bin file used in USB setup. Also, when you created the setup file how many PID/PPS pairs are you utilizing and could this be the limit you are hitting when you say "...prevents excessive times of USB configuration?"
I am using Intel Setup and Configuration Service console V220.127.116.11.
I have re-exported the USB keys to the USB just before using it on the machine. Previously, the machine was able to be provisioned via USB. After I remove the CMOS battery for a reset, it no longer responds to USB provisioning. I believe it's some options in BIOS.
The machine is a HP machine. I have enabled "Removable Media Boot". Are there some other options that I miss out?
What HP system do you have? Is it a desktop or a notebook? Also, remember, the removeable media boot option has absolutely nothing to do with USB provisioning. You need to look for menu in the BIOS setup for AMT settings or vPro settings.
I'm not sure what system you are working with, but on an HP 6930p there is a setting in BIOS under AMT Optionscalled "USB Key Provisioning Support". As Roger stated, look for something similar to this on your system. If such a setting is not there, please let us know your model number and BIOS version.