ThinkCentre with Intel AMT: BIOS and AMT updates for Linux users

Only Servers

I finally got myself one of those ThinkCentre tiny form-factor PCs to experiment running VMs on, using Proxmox, courtesy of folks over at /r/homelabsales.

BLUF

  • If your machine came with Windows, try to do all the BIOS/firmware updates to the latest versions from the official website before removing Windows, otherwise you'll have to do extra work later!
  • Enable Intel AMT if your machine has it before you put it in a dark closet!
    • Some models require a physical monitor connected for VNC to work (check BIOS settings for a "virtual monitor" option). However, you should still be able to make it work without a real monitor if you get a display emulator device.

Intel vPro + Intel AMT

One of the more exciting features this mini computer comes with is Intel vPro and Intel AMT (Active Management Technology). What that translates to for HomeLabbers is fully remote management, so that you don't have to go plug in a monitor and keyboard to troubleshoot issues or perform certain low-level system operations (e.g. BIOS setup, installing a new OS, etc.).

Enabling Intel AMT

Once the computer arrived, I went straight to the BIOS settings and enabled said management features, after resetting all settings just in case the previous owner had changed anything that I didn't want. I was too excited to enable this, so I didn't end up taking screenshots; you can look at this blog post, which shows you how to enable AMT. Note that options may vary slightly among vendors and BIOS versions, but you should be able to find similar settings.

Now with AMT enabled, I went on another computer in the same network and tried to connect! Intel lists the management ports here, basically port 16992 for HTTP access and 5900 for VNC.

The HTTP access worked right away and I was greeted with the Login screen, and after logging in the menu of management options:

(Screenshots: login screen; management menu options)

I figured all was good since I could perform some actions like restart and such, so I installed Proxmox and moved the computer to the server closet away from my desk.

Well, I couldn't get VNC to work no matter how hard I tried, and then confirmed VNC port was closed - all after I had done cable management and put everything away 🤦‍♂️.
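A reachability check for the two ports named above, as an added example that is not part of the original post: run from another machine on the network, it reports which AMT listeners answer and flags the state described here (web UI up, VNC closed). Port 16993 (AMT web UI over TLS) and the address 192.0.2.10 are assumptions not taken from the post.

```python
import socket

# 16992 and 5900 are the ports named in the post.
# 16993 (AMT web UI over TLS) is an assumption added for this example.
AMT_PORTS = {16992: "AMT web UI (HTTP)", 16993: "AMT web UI (TLS)", 5900: "AMT KVM (VNC)"}


def probe(host, port, timeout=2.0):
    """Return 'open', 'closed' (connection refused) or 'filtered' (timeout/unreachable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeouts and routing errors land here
        return "filtered"


def amt_exposure(host, ports=AMT_PORTS, timeout=2.0):
    """Probe each port once and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def findings(states):
    """Turn probe results into short notes about what is exposed on this network."""
    notes = []
    web_up = states.get(16992) == "open" or states.get(16993) == "open"
    if states.get(16992) == "open":
        notes.append("16992 open: AMT web UI reachable over plaintext HTTP")
    if states.get(5900) == "open":
        notes.append("5900 open: AMT KVM reachable with a standard VNC client")
    elif web_up:
        notes.append("5900 not open: AMT is up but the VNC listener is disabled or filtered")
    if not notes:
        notes.append("no AMT management port reachable from this network")
    return notes


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder address
    states = amt_exposure(host)
    for port, state in states.items():
        print(f"{port:>5}  {state:<8}  {AMT_PORTS[port]}")
    for note in findings(states):
        print("-", note)
```

Running it again from a different VLAN or from outside the LAN shows whether the management ports are reachable from networks that should not see them.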

Remote Desktop/VNC + MeshCentral

Some of the Intel tools for AMT are Windows-only, which was a bit disappointing, but looking around I found MeshCentral, an open source project that lets you manage more features than the ones that show up on the default HTTP interface. You just have to install it from npm, which I initially set up on my laptop to play with.

That's when I learned more about the VNC feature:

1) VNC port 5900 was not already enabled and I didn't see an option in the BIOS, but MeshCentral had an option to let me do that...

(Screenshot: MeshCentral Remote Desktop Settings)

2) Once enabled, I was able to connect, but I got a blank screen. Looking around the internet, I found out that depending on your computer, it may or may not require a physical display to be connected (with potentially an option in the BIOS to enable). Not having a physical monitor connected was the main use case for me!

At this point I gave up and awkwardly put a monitor in the server closet, and luckily I was able to actually use VNC from this point.

After looking around for mini monitors to help future me, I also learned that devices that emulate a display being connected exist so I ordered one to try out soon and "bypass" the requirement of having a physical monitor connected for VNC to work.

Outdated BIOS + Management Engine firmware (updates fix vulnerabilities)

I wouldn't have gone out of my way to check, but MeshCentral brought to my attention the fact that my management engine firmware version was outdated by showing a yellow warning once connected, linking to an Intel page outlining the privilege escalation vulnerability in some AMT versions. Couldn't help it, at that point needed to update the firmware.

Looking around the Lenovo website, I realized that many of those updates were only available for Windows, but I had already gotten rid of the Windows the PC came with :(

I was able to get the BIOS update and run it from a Flash drive, however I couldn't find a way to update the management engine easily without Windows for my older machine (*though if you have a newer machine there may be options, check fwupd here).

Older models require Windows for updates

There are some ways to avoid running Windows on the host you want to update ... but they're too much work, essentially requiring the use of another Windows "host" (could be a VM) to prepare WinPE with the firmware updates you want to install. Among others, this guide seemed promising, but again, it looked like a lot more work than I would have liked!

Fine, Windows it is, let's get it over with

I decided to just try installing Windows on a flash drive and go through the "official" installation process - and that worked great! This was both less work than setting up all the WinPE stuff and also potentially useful in the future since I can reuse the flash drive for any further updates every now and then.

I used WinToUsb to install Windows on a flash drive (unfortunately I had to do that from another Windows host), then booted up from that and downloaded all the Lenovo updates - through VNC!

(* I installed a Windows VM on Proxmox and mounted the Flash Drive on the ThinkCentre since I don't have any other Windows hosts home, but you can use any Windows machine you may have!)

Once running Windows, I installed "Lenovo Vantage" hoping it would do all the updates, but sadly it didn't show any of the firmware or BIOS updates for me (I had already done the BIOS using official ISO), but you may want to try it first since it may be a bit easier to get updates that way.

Since the only remaining update I had at the time was the AMT firmware, I downloaded the installer from the website and ran it - it worked right away! You'll have to look around the downloads section and since this is a process, try to get all the available updates to perform in one go.

(Screenshots: firmware update tool download page; updater tool)

And now, finally, done with Windows until the next update! Rebooted to Proxmox and happily playing with VMs!
