Is it possible to COMPLETELY disable the Intel Management Engine (IME functions) and the related AMT functions, and if so, how is it done?
The reason I ask is because I have found two different Intel documents the first which would "seem" to suggest that it is NOT possible - see:
And the other document which would "seem" to indicate that it IS possible - see:
http://www.dell.com/support/article/us/en/04/sln295179/disable-intel-amt-intel-management-engine-sta... Disable Intel AMT - Intel Management Engine State Control | Dell US
Please note that in the first link above, the description details (far right column) for the Intel ME State Control parameter (second page) say that disabling
this parameter basically only turns the IME off very temporarily so that debugging can be accomplished; it plainly says that it does not actually disable the IME.
Which of these two sources is correct?
And also, is it possible that by manipulating / changing some of the many parameter settings that are listed in the first link
above (the PDF), the IME and AMT can for all intents and purposes be disabled or made impossible for some
unauthorized computer user to access? Or is it possible that simply changing the default password from admin to something
else accomplishes securing access to the IME and AMT from unauthorized use?
I don't have the link available, but some people devised a solution to disable ME, but it usually forces a reboot every 30 seconds; in other words, it's not usable. One thing to remember is that AMT depends on a vPro processor, a Q-chipset or another corporate chipset, and Ethernet on the board. If either of the first two is missing, AMT does not run. The following link explains why adding an Ethernet card to a desktop -- laptops are different, of course -- defeats AMT out-of-band. And don't install the ME application on W-7 or W-8.1 -- on W-10, you're stuck -- as it's not needed on systems without AMT.
Thanks for the info regarding the separate NIC (I had already read about that somewhere); however,
it would not be practical nor economical to have to purchase a separate NIC for a used computer
which I only paid a little over $200 for (which runs just great for what I am doing and has a perfectly
fine NIC onboard).
I know that there are some really GOOD reasons for Intel and Dell having put these IME and AMT
capabilities into some computer systems, BUT when thinking about doing this, one of the very first
thoughts that should have gone through their brains should have been to devise a very simple/non-complex
way for the normal non-business users of these computers to completely DISABLE these IME and
AMT features. Also, they should have put a very clear warning to users that these capabilities were
present, so that the user would be aware that they needed to turn them OFF.
So far, I have found no plain English documentation of how it is that one goes about disabling
these capabilities on systems with these features.
Intel PWLA8391GT (PCI) and EXPI9301CTBLK (PCIe x1) are only $30 at Newegg. And you won't find the documentation you are seeking because Intel considers it to be proprietary. Intel, and now AMD, make more money in the enterprise sector and made a business decision to cater to it at the expense of individual consumers.
Thanks for your reply, but surely the workings of these IME and AMT are not so proprietary
that no one somewhere (here or on the Internet) has the knowledge to give advice on how
to configure the IME and AMT so that they do not pose a security risk to the computer. Or is
it true that the mere inclusion of these features on the computer makes it insecure to the point
that REGARDLESS of how they are CONFIGURED, they still pose a security threat?
So far, I have figured out how to change the password for the extended BIOS (which includes
both the IME and AMT) and also I turned off the REMOTE access/configuration to the AMT. Shouldn't doing
those two things make the IME and AMT non-accessible to outside parties? However, even after
doing those 2 things, the Intel Detection Tool still reports that the IME poses a VULNERABILITY, but I
am thinking that the Intel Detection Tool is ONLY making this report based on the mere fact of the
IME version that is found on the computer and not necessarily on how it has been configured, i.e.
it is just detecting the IME from a version listing included in the tool.
Yes, it is that proprietary. The only people who understand it are current Intel employees and retired ones like Scott. The people who have managed to disable ME have done so via reverse engineering and lots of educated guesses, but the result was not perfect. I asked a similar question a while back (search for it via my alias) and Scott gave some answers.
The problem is that ME serves a purpose for all PCs, but it is also a component of AMT. In my opinion, there should have been more of a separation between consumers and enterprise users, but it is what it is now.
From your last paragraph, it appears that you have both an enterprise motherboard and a vPro processor. Your only option is to install an Ethernet card and even that only disables part of AMT.
I did some more looking at the IME and AMT parameters this morning.
I found 2 parameters under that AMT section, the first by the name of USER CONSENT and the
second by the name of OPT-IN CONFIGURABLE FROM REMOTE IT, which was sub under the
I set the user consent to NONE and I set the opt-in configurable from remote IT to disabled.
Also, I have changed the password of the extended BIOS from the default to my own password.
I also looked at the network settings and there are NO data/names entered for the various
parameters, host, server, etc.
So can you tell me if I am flawed in my thinking that setting the user consent to none, the opt-in to
disabled and the extended BIOS password to non-default would effectively keep any outside access
to either the IME or AMT, or access to higher computer functions, from happening without actual physical access to
the computer? And if not, would that possibly be because something in the IME supersedes the
AMT parameter settings, so that an outside party could still gain access to the system as long as it
was plugged into AC and had a physical or wireless route to the Internet?
This is on a Dell Optiplex model 980 desktop with the A17 version of the bios released approx.
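For the question above about whether those MEBx settings actually leave AMT unreachable from the network, one practical check is to probe the computer's IP address for the well-known AMT listener ports from another machine on the same LAN: if none of them answer, nothing is accepting AMT connections on that interface. The script below is an added example written for this thread; it is not from Dell, Intel, or any poster. The port numbers are Intel's documented AMT defaults; the function names (`probe_amt`, `amt_exposed`, `fake_connector`) and the sample address 192.0.2.10 are the example's own.

```python
import socket
from typing import Callable, Dict, Set

# Intel's documented default AMT listener ports. AMT only answers on these
# once it has been provisioned; an unprovisioned or disabled AMT is silent.
AMT_PORTS = {
    16992: "AMT HTTP (web UI / WS-Management)",
    16993: "AMT HTTPS (web UI / WS-Management over TLS)",
    16994: "AMT redirection (Serial-over-LAN / IDE-R)",
    16995: "AMT redirection over TLS",
}


def probe_amt(host: str, timeout: float = 1.0,
              connect: Callable = socket.create_connection) -> Dict[int, bool]:
    """Try a TCP connect to each AMT port on `host`.

    Returns {port: True} where something accepted the connection and
    {port: False} where it was refused, timed out or was unreachable.
    `connect` defaults to socket.create_connection and is injectable so the
    logic can be exercised offline (see fake_connector below).
    """
    results: Dict[int, bool] = {}
    for port in AMT_PORTS:
        try:
            sock = connect((host, port), timeout=timeout)
            sock.close()
            results[port] = True
        except OSError:  # ConnectionRefusedError, timeout, host unreachable
            results[port] = False
    return results


def amt_exposed(results: Dict[int, bool]) -> bool:
    """True if any AMT port accepted a connection."""
    return any(results.values())


def fake_connector(open_ports: Set[int]) -> Callable:
    """Offline stand-in for socket.create_connection (hypothetical test double):
    'accepts' only the ports in `open_ports`, refuses everything else."""
    class _ClosedSock:
        def close(self) -> None:
            pass

    def _connect(address, timeout=None):
        if address[1] in open_ports:
            return _ClosedSock()
        raise ConnectionRefusedError(address)
    return _connect


if __name__ == "__main__":
    import sys
    # Run this from ANOTHER machine on the LAN against the Optiplex's IP.
    # A probe from the machine itself can miss AMT, because the ME's listener
    # sits in the NIC below the operating system and loopback traffic never
    # reaches it. Sample address below is a constructed placeholder.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    found = probe_amt(target)
    for port, state in found.items():
        print(f"{target}:{port} {AMT_PORTS[port]}: {'OPEN' if state else 'closed'}")
    print("AMT reachable" if amt_exposed(found) else "no AMT listener answered")
```

A closed result on all four ports is evidence that AMT is not provisioned or is switched off on that interface; it says nothing about the ME firmware version, which is what the Intel detection tool reports on separately.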
Same question here. Past experience with security issues makes me very leery that yet another security problem might silently be lurking, so I want to completely disable IME and AMT, but I have also been reading about only temporary solutions or bad side effects of disabling it.