Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.

How to completely deactivate Intel AMT

Simon_S_3
Beginner
29,837 Views

Dear all,

I am using a Lenovo ThinkPad T420 and Windows 7 prof. x64 as my main workstation. Yesterday I did a reinstallation of Windows 7 (ISO image from MSDNAA and not the Lenovo DVD). After the OS and all drivers (using Lenovo System Update) were installed, I had a look at the device manager and recognized the "Intel management engine interface". Since I don't need this function I researched how this device can be disabled. First I had a look in the System BIOS which stated that AMT is disabled:

AMT_BIOS_disabled.jpg

So I went back to Windows and had a look in the device manger. The device was still there. I decided to use the "Management and Security Status" Tool which stated, that AMT is active ("Aktiviert" in german):

Intel_Managment_and_Security_Status_AMT_activated_small.png

...but that the connections are disconnected ("Verbindung getrennt"):

Intel_Managment_and_Security_Status_AMT_activated_2.png

I did some further googling which led me to the conclusion, that I have to use the "Management Enging BIOS Extension" (MEBx) to disable AMT. I went back to BIOS, reenabled AMT (otherwise you can't enter MEBx), pressed Ctrl+P on restart and used MEBx to disable AMT:

AMT_MEBx_disabled.jpg

After exiting MEBx and restarting Windows 7 "Management and Security Status" said, that AMT is disabled ("Deaktiviert"):

Intel_Managment_and_Security_Status_AMT_deactivated_small.png

...and also the details looked different ("Informationen nicht verfügbar" -> information not available)

Intel_Managment_and_Security_Status_AMT_deactivated_2.png

I thought that I've finally got rid of AMT, restarted the ThinkPad, entered BIOS and set "Intel AMT Control" back to "disabled". While restarting, the BIOS prompted "Intel ME unconfiguration in progress..."

BUT then this flashed up and stated that AMT is "enabled" (I had to take a movie, sorry for bad quality):

flashed_message.png

And when Windows 7 was started this happend...

Intel_Managment_and_Security_Status_AMT_activated__taskbar.png

...also the "Management and Security Status" states, that AMT is ACTIVATED

So my question is:

Is it necessary that the BIOS Option "Intel AMT Control" stays "Enabled" to get rid of AMT? Sound strange to me!

Thanks a lot,

Simon

0 Kudos
7 Replies
Colleen_C_Intel
Employee
29,837 Views

That particular BIOS setting is particular to the device manufacturer. However, I do not think it activates/de-activates AMT, only whether MEBx can be entered. (A corporation might not want to allow users to enter in MeBX and change settings).  But to be sure, check with the OEM.

0 Kudos
Simon_S_3
Beginner
29,837 Views

It seems, that switching "Intel (R) AMT Control" to "Disabled" in BIOS just resets AMT to defaults. When you switch this option back to "Enabled" and access MEBx, the password is "admin" again, all settings are lost and AMT is active (what seems to be the default setting).
So leaving the BIOS option "Enabled" and disable AMT in MEBx seems to be the only way to deactivate AMT.

Another Question:
Is selecting "Disabled" for "Manageability Feature Selection" in MEBx the correct way to disable AMT and therefore remote access?

Edit:

Even when "Management and Security Status" claims that AMT is disabled, the AMT Webserver seems to be running and is accessible in the local Broser:

AMT_Webbrowser_enabled_in_BIOS_disabled_in_MEBx.png

BTW, this is how the Webinterface looks like when AMT ist disabled in BIOS ("Management and Security Status" states that AMT is enabled):

AMT_Webbrowser_disabled_in_BIOS.png

Edit 2:

When I disable the "Intel(R) Management and Security Application Local Management Service", I can't access Port 16992 an no Intel AMT message is shown as mentioned above. But this leads me back to my old question: Is selecting "Disabled" for "Manageability Feature Selection" in MEBx the correct way to disable AMT and therefore remote access?

0 Kudos
Simon_S_3
Beginner
29,837 Views

I want to add another question: Why is the "Management and Security Status" stating that "Intel AT" is "active", while the BIOS setting claims that it is "Disabled" and "Not Activated"?

Intel_AT_deactivated_BIOS.jpg

0 Kudos
Simon_S_3
Beginner
29,836 Views

Now I have two different opinions from four different programs about the AT situation on my system! The "Intel Anti-Theft Status Tool" and the "Intel Anti-Theft Status Utility" claim that AT is "Inactive". The "Intel Management and Securtiy Status" and "MEInfo" state that it is "active" or "present/enabled".

Which one can I trust?

It would be really nice if an offical Intel representative can clear things up! The lenovo support is pretty useless...

Intel_AT_different_states_0.PNG

0 Kudos
Roman_S_4
Novice
29,836 Views

Is selecting "Disabled" for "Manageability Feature Selection" in MEBx the correct way to disable AMT and therefore remote access?

The best way to disable any access to Intel AMT is a setup it at some fake Intel MPS server. ;) In that case all AMT ports are blocked by Intel AMT firmware and anyone can't use them (as well in the local network and moreover remote).

0 Kudos
E_B_
Beginner
29,838 Views

Here's a concise, plain English guide on how to disable Intel AMT.

0 Kudos
Joseph_O_Intel1
Employee
29,838 Views

There is additional information on AMT disabling in the Intel SA 00075 Mitigation Guide

0 Kudos
Reply