Nuc Password Management

Starting with build 244 (including restore media) there are key changes to how the local admin password is managed for both MTR and Zoom.

This document has the following information:

  1. Password Set Precedence

  2. When to use which password option

  3. Resetting the admin password

  4. Microsoft LAPS (Local Administrator Password Solution) for MTR and Zoom

  5. AutoPilot is for MTR only

Password Set Precedence

On our NUCs, the OOBE password is set in the following order:

  1. Checks if the system is configured for LAPS via AutoPilot.

  2. Looks for a file on the local system: c:\oem\defaultpass.txt. That file has a single line containing the password in clear text. The password will be set and the file will be deleted.

  3. Checks for a file in the root of the USB drive: defaultpass.txt. That file has a single line containing the password in clear text. The password will be set, but the file is not deleted.

  4. Default Password

When to use which password option

Local File: This is best used when doing a restore. After you have mounted the restore media and copied it to the USB drive, go to $oem$\$1\oem\ on the USB drive and place defaultpass.txt in that folder.

USB Drive: This is best used for new systems, out of the box. Place the defaultpass.txt file in the root of the USB drive and leave the drive in the system until after the first automatic boot. The file will not be deleted. If a local file is present and there is also a USB drive with the file, the local file is used and the USB drive is ignored.

Default Password:

  • Teams Room on Windows: username: admin password: sfb

  • Zoom Room on Windows: Username: ZoomAdmin password: blank and forced to change at first logon.

Resetting the admin password

Rooms are becoming more complex. They are no longer just a Windows PC. IT organizations may have to install endpoint protection before a system is allowed on the network. There may be DSP or device controls, and there are room management and monitoring tools as well, such as Sync. This means that having to re-image a system because of an unknown admin password can cause days of outage for that room, and even more for a remote space.

  1. When the system has finished imaging, an exported certificate will be placed in c:\certbackup. The file will be named SerialNumber-passwordreset.cer, for example 123AWSD-passwordreset.cer. This file must be backed up and stored in a secure location.

  2. Create a text file with just one line in it, containing the password in clear text. There are no password complexity requirements.

    1. Import that certificate into the user certificate store.

    2. The certificate will be named SerialNumber Password Reset Cert.

    3. Get the thumbprint of that certificate by double-clicking it and going to Details.

    4. Copy the string shown.

      1. Run the following PowerShell commands. Change PathTo to the drive and directory where the output file should go, but DO NOT change the filename itself. Change PathToFileWithPassword to the location of the file you just created. Replace Thumbprint with the value copied above, in quotes.

        encrypting file

        #PowerShell
        $exportfile = "PathTo\pwdencrypted.txt"
        Protect-CmsMessage -To "Thumbprint" -Path PathToFileWithPassword -OutFile $exportfile
    5. Rather than importing manually, you can do all of this in PowerShell. Make sure to change every PathTo to the proper location. Do NOT change the filename pwdencrypted.txt.

      encrypting file

      #PowerShell
      # Import the exported public certificate into the current user's store
      $cert = Import-Certificate -FilePath PathTo\SerialNumber-passwordreset.cer -CertStoreLocation Cert:\CurrentUser\My\
      $pwd1 = Read-Host -Prompt "Enter Password"
      $pwd2 = Read-Host -Prompt "Confirm Password"
      if ($pwd1 -ceq $pwd2) {
          $exportfile = "PathTo\pwdencrypted.txt"
          # Encrypt the entered password to the NUC's certificate; only the private key on the NUC can decrypt it
          Protect-CmsMessage -To $cert.Thumbprint -Content $pwd1 -OutFile $exportfile
      } else {
          Write-Warning "Passwords do not match; nothing was written."
      }
  3. Copy the pwdencrypted.txt file to a thumb drive

  4. Insert the thumb drive into a Nuc

  5. Reboot the system

  6. You can now logon with the new password.
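Before the thumb drive goes out to a remote room, it is worth confirming that the package is usable. The check below is an added example, not part of the original document or of the Logitech reset script; the function and parameter names are my own, and it assumes the exported .cer and the encrypted file are both reachable from the admin workstation.

```powershell
# Added pre-flight check, not part of the original document or Logitech's reset
# script: validate the exported certificate and the encrypted password file
# before the thumb drive leaves the office.
function Test-PasswordResetPackage {
    param(
        [Parameter(Mandatory)] [string] $CertPath,       # e.g. PathTo\123AWSD-passwordreset.cer
        [Parameter(Mandatory)] [string] $EncryptedPath   # e.g. E:\pwdencrypted.txt
    )
    $ok = $true

    # The reset script looks for this exact filename on the USB drive.
    if ((Split-Path $EncryptedPath -Leaf) -ne 'pwdencrypted.txt') {
        Write-Warning 'Encrypted file must be named pwdencrypted.txt'; $ok = $false
    }

    # The certificate exported during imaging is named SerialNumber-passwordreset.cer.
    if ((Split-Path $CertPath -Leaf) -match '^(?<serial>[^-]+)-passwordreset\.cer$') {
        Write-Host "Package targets serial number $($Matches.serial)"
    } else {
        Write-Warning 'Certificate filename is not SerialNumber-passwordreset.cer'; $ok = $false
    }

    # Load the exported public certificate (the private key stays on the NUC).
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Certificate expired on $($cert.NotAfter)"; $ok = $false
    }

    # Parse the CMS envelope without decrypting it (Get-CmsMessage needs no private key).
    try {
        $cms = Get-CmsMessage -Path $EncryptedPath -ErrorAction Stop
    } catch {
        Write-Warning "Not a valid CMS message: $_"; return $false
    }
    if ($cms.RecipientInfos.Count -ne 1) {
        Write-Warning "Expected 1 recipient, found $($cms.RecipientInfos.Count)"; $ok = $false
    }

    # When the recipient is identified by issuer and serial number (the form
    # Protect-CmsMessage produces), make sure it is this NUC's certificate, not another room's.
    $rid = $cms.RecipientInfos[0].RecipientIdentifier
    if ($rid.Type -eq 'IssuerAndSerialNumber' -and $rid.Value.SerialNumber -ne $cert.SerialNumber) {
        Write-Warning 'Encrypted for a different certificate than the one supplied'; $ok = $false
    }
    return $ok
}

# Usage: Test-PasswordResetPackage -CertPath 'PathTo\123AWSD-passwordreset.cer' -EncryptedPath 'E:\pwdencrypted.txt'
```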

Auditing of process

When a password reset is started, each step is logged, whether it succeeds or fails.

Event Log

Log Name: Application

Source: Logitech Admin Password Reset

Event IDs

65000: "Password Updated"

65001: "Could not find file pwdencrypted on USB drive". This should never happen because if the script got this far, the file was found in an earlier step.

65002: "Could not find username to update". This would only happen if the admin (Teams) or zoomadmin (Zoom) username was changed.

65003: "Could not updated password due to access to current logged in user". Only happens if security has been changed to disallow changing the admin password.

65004: Any other failure.

Logged to the USB drive

The same information is logged to the USB drive at the same time, in SerialNumber.log.
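To confirm from the NUC itself whether a reset succeeded, the event IDs above can be queried from the Application log. This is an added example, not part of the original document; the function name and the short wording of each meaning are my own, while the source name and event IDs are the ones listed above.

```powershell
# Added example (not from the original document): summarise the most recent
# password-reset attempts recorded by the reset script in the Application log.
$ResetEventMeaning = @{
    65000 = 'Password updated'
    65001 = 'pwdencrypted.txt not found on USB drive (unexpected at this stage)'
    65002 = 'Account to update not found (admin / ZoomAdmin was renamed)'
    65003 = 'Access denied when changing the password (security policy)'
    65004 = 'Other failure'
}

function Get-PasswordResetAudit {
    param([int] $Last = 20)   # number of events to inspect, newest first
    try {
        $events = Get-WinEvent -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'Logitech Admin Password Reset'
        } -MaxEvents $Last -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when the filter matches nothing
        Write-Warning "No password reset events found: $_"
        return
    }
    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Result  = if ($e.Id -eq 65000) { 'Success' } else { 'Failure' }
            # Unknown IDs fall through as $null so they stand out in the table
            Meaning = $ResetEventMeaning[$e.Id]
            Message = $e.Message
        }
    }
}

# Show the outcome of the latest reset attempts
Get-PasswordResetAudit | Format-Table -AutoSize
```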

AutoPilot

For Teams Room Only

Autopilot allows a room compute to be configured automatically without any user interaction on the system. This is ONLY available for MTRoW systems, because of how Windows licensing differs between an MTRoW and a Zoom Room. Microsoft has no plans to let Zoom support Autopilot.

However, AutoPilot is available for all new NUCs, Lenovo Cores, and Dell 7000s. If you have issues with AutoPilot, contact your reseller, distributor or system integrator; this process is managed by them.

On the compute itself there will be a sticker that is needed for AutoPilot. Depending on the customer, Lenovo or Dell may add the device to their tenant automatically. We do not have any control over this, and customers need to reach out to the manufacturer to enable it. Because of our selling model, the NUC will never be automatically added to a customer's portal; either a VAR/reseller or the customer themselves will have to do it. The key will look something like this.

You can find the official documentation at https://learn.microsoft.com/en-us/microsoftteams/rooms/autopilot-autologin

LAPS

For Teams and Zoom Rooms

Local Administrator Password Solution is supported on both Zoom and Microsoft systems. It allows the admin password to be managed automatically. Microsoft has created a document specifically for MTRoW, which can be found here: https://learn.microsoft.com/en-us/microsoftteams/rooms/laps-authentication. For Zoom, more work is needed to set this up, but the basic process is the same: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-azure-active-directory

Autopilot + LAPS

By using AutoPilot + LAPS, a Teams Room system can be fully deployed without ever physically needing a keyboard or mouse.
