8 Replies Latest reply on Jan 16, 2018 10:35 AM by wpshooter

    Is it possible to disable Intel Management Engine IME and if so, how

    wpshooter

      Is it possible to COMPLETELY disable the Intel Management Engine (IME functions) and the related AMT functions, and if so, how is it done?

      The reason I ask is because I have found two different Intel documents, the first of which would "seem" to suggest that it is NOT possible - see:

      https://www.intel.com/content/dam/support/us/en/documents/motherboards/desktop/sb/intelmebxsettings_v02.pdf

      And the other document, which would "seem" to indicate that it IS possible - see:

      Disable Intel AMT - Intel Management Engine State Control | Dell US

      Please note that in the first link above, the description details (far right column) for the Intel ME State Control parameter (second page) say that disabling this parameter only very temporarily turns the IME off so that debugging can be accomplished; it plainly says that it does not actually disable the IME.

      Which of these two sources is correct?

      And also, is it possible that by manipulating / changing some of the many parameter settings that are listed in the first link above (the PDF), the IME and AMT can for all intents and purposes be disabled or made impossible for some unauthorized computer user to access, or is it possible that simply changing the default password from admin to something else accomplishes securing access to the IME and AMT from unauthorized use?

      Thanks.

        • 1. Re: Is it possible to disable Intel Management Engine IME and if so, how
          paramountain

          I don't have the link available, but some people devised a solution to disable ME, but it usually forces a reboot every 30 seconds, in other words, it's not usable. One thing to remember is that AMT depends on a vPro processor, a Q-chipset or another corporate chipset, and Ethernet on the board. If either of the first two are missing, AMT does not run. The following link explains why adding an Ethernet card to a desktop -- laptops are different, of course -- defeats AMT out-of-band. And don't install the ME application on W-7 or W-8.1 -- on W-10, you're stuck -- as it's not needed on systems without AMT. Are separate Intel gigabit NIC cards a solution to AMT vulnerability?

          • 2. Re: Is it possible to disable Intel Management Engine IME and if so, how
            wpshooter

            paramountain:

            Thanks for the info regarding the separate NIC (I had already read about that somewhere); however, it would not be practical nor economical to have to purchase a separate NIC for a used computer which I only paid a little over $200 for (which runs just great for what I am doing - it has a perfectly fine NIC onboard).

            I know that there are some really GOOD reasons for Intel and Dell having put these IME and AMT capabilities into some computer systems, BUT when thinking about doing this, one of the very first thoughts that should have gone through their brains should have been to devise a very simple/non-complex way for the normal non-business users of these computers to completely DISABLE these IME and AMT features. Also, they should have put a very clear warning to users that these capabilities were present, so that the user would be aware that they needed to turn them OFF.

            So far, I have found no plain English documentation of how it is that one goes about disabling these capabilities on systems with these features.

            • 3. Re: Is it possible to disable Intel Management Engine IME and if so, how
              paramountain

              Intel PWLA8391GT (PCI) and EXPI9301CTBLK (PCIe x1) are only $30 at Newegg. And you won't find the documentation you are seeking because Intel considers it to be proprietary. Intel, and now AMD, make more money in the enterprise sector and made a business decision to cater to it at the expense of individual consumers.

              • 4. Re: Is it possible to disable Intel Management Engine IME and if so, how
                wpshooter

                Paramountain:

                Thanks for your reply, but surely the workings of these IME and AMT are not so proprietary that no one somewhere (here or on the Internet) has the knowledge to give advice on how to configure the IME and AMT so that they do not pose a security risk to the computer. Or is it true that the mere inclusion of these features on the computer makes it insecure to the point that REGARDLESS of how they are CONFIGURED, they still pose a security threat?

                So far, I have figured out how to change the password for the extended BIOS (which includes both the IME and AMT) and I also turned off the REMOTE access/configuration to the AMT. Shouldn't doing those two things make the IME and AMT non-accessible to outside parties? However, even after doing those 2 things, the Intel Detection Tool still reports that the IME poses a VULNERABILITY, but I am thinking that the Intel Detection Tool is ONLY making this report based on the mere fact of the IME version that is found on the computer and not necessarily on how it has been configured, i.e. it is just detecting the IME from a version listing included in the tool.

                Thanks.

                • 6. Re: Is it possible to disable Intel Management Engine IME and if so, how
                  pjc123

                  Same question here. Past experience with security issues makes me very leery that yet another security problem might silently be lurking, so I want to completely disable IME and AMT, but I have also been reading about only temporary solutions or bad side effects of disabling it.

                  • 7. Re: Is it possible to disable Intel Management Engine IME and if so, how
                    paramountain

                    Yes, it is that proprietary. The only people who understand it are current Intel employees and retired ones like Scott. The people who have managed to disable ME have done so via reverse engineering and lots of educated guesses, but the result was not perfect. I asked a similar question a while back (search for it via my alias) and Scott gave some answers.

                    The problem is that ME serves a purpose for all PCs, but it is also a component of AMT. In my opinion, there should have been more of a separation between consumers and enterprise users, but it is what it is now.

                    From your last paragraph, it appears that you have both an enterprise motherboard and a vPro processor. Your only option is to install an Ethernet card, and even that only disables part of AMT.

                    • 8. Re: Is it possible to disable Intel Management Engine IME and if so, how
                      wpshooter

                      Paramountain:

                      I did some more looking at the IME and AMT parameters this morning. I found 2 parameters under the AMT section, the first by the name of USER CONSENT and the second by the name of OPT-IN CONFIGURABLE FROM REMOTE IT, which was a sub-item under the user consent.

                      I set the user consent to NONE and I set the opt-in configurable from remote IT to disabled. Also, I have changed the password of the extended BIOS from the default to my own password.

                      I also looked at the network settings and there are NO data/names entered for the various parameters, host, server, etc.

                      So can you tell me if I am flawed in my thinking that setting the user consent to none, the opt-in to disabled and the extended BIOS password to non-default would effectively keep out any outside access to either the IME or AMT, or access to higher computer functions, without having actual physical access to the computer? And if not, would that possibly be because something in the IME supersedes the AMT parameter settings, so that an outside party could still gain access to the system as long as it was plugged into AC and had a physical or wireless route to the Internet?

                      This is on a Dell Optiplex model 980 desktop with the A17 version of the BIOS released approx. June 2017.

                      Thanks.
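One way to actually verify the end result the last post is after (that the AMT network services on the Optiplex no longer answer) is to probe the host's AMT ports from another machine on the same LAN. The script below is an added example, not from this thread or from Intel; it assumes AMT's documented TCP ports 16992 (HTTP) and 16993 (HTTPS), and the "Server:" banner string it looks for is an assumption about what AMT's web UI sends.

```python
"""Check whether Intel AMT's management ports answer on a given host.

Added example (not from the thread). Run it from ANOTHER machine on the LAN,
pointed at your own system's IP, to confirm that after the MEBx changes
nothing is listening on the AMT ports. Banner string is an assumption.
"""
import socket
from typing import Dict, Iterable, Optional

AMT_PORTS = (16992, 16993)  # Intel-documented AMT HTTP / HTTPS ports
AMT_BANNER = "Intel(R) Active Management Technology"  # assumed Server: header


def probe_port(host: str, port: int, timeout: float = 2.0) -> Optional[str]:
    """Return None if the port is closed/filtered; otherwise whatever the
    service replies to a minimal HTTP HEAD (possibly an empty string)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            try:
                data = s.recv(512)
            except socket.timeout:
                data = b""  # open but silent (e.g. TLS port given plain HTTP)
            return data.decode("latin-1", "replace")
    except OSError:  # connection refused, unreachable, or timed out
        return None


def amt_exposure(host: str, ports: Iterable[int] = AMT_PORTS) -> Dict[int, str]:
    """Map each port to 'closed', 'open' or 'open (AMT banner)'."""
    result: Dict[int, str] = {}
    for port in ports:
        reply = probe_port(host, port)
        if reply is None:
            result[port] = "closed"
        elif AMT_BANNER in reply:
            result[port] = "open (AMT banner)"  # AMT web UI is reachable
        else:
            result[port] = "open"  # something else answers; investigate
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, state in amt_exposure(target).items():
        print(f"{target}:{port} -> {state}")
```

Probing from the host itself is not meaningful, because AMT's ports are served by the ME's network stack and the OS does not see them; the check has to come over the wire.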