JOver1
Beginner
8,288 Views

Is it possible to disable Intel Management Engine IME and if so, how

Is it possible to COMPLETELY disable the Intel Management Engine (IME functions) and the related AMT functions, and if so, how is it done?

The reason I ask is because I have found two different Intel documents the first which would "seem" to suggest that it is NOT possible - see:

https://www.intel.com/content/dam/support/us/en/documents/motherboards/desktop/sb/intelmebxsettings_...

And the other document which would "seem" to indicate that it IS possible - see:

http://www.dell.com/support/article/us/en/04/sln295179/disable-intel-amt-intel-management-engine-sta... Disable Intel AMT - Intel Management Engine State Control | Dell US

Please note that on the first link above, the description details (far right column) for the Intel ME State Control parameter (second page) say that disabling this parameter only very temporarily turns the IME off so that debugging can be accomplished; it plainly says that it does not actually disable the IME.

Which of these two sources is correct?

And also, is it possible that by manipulating / changing some of the many parameter settings that are listed in the first link above (the PDF), the IME and AMT can for all intents and purposes be disabled or made impossible for some unauthorized computer user to access, or is it possible that simply changing the default password from admin to something else accomplishes securing access to the IME and AMT from unauthorized use?

Thanks.

0 Kudos
8 Replies
ppara5
Valued Contributor I
4,295 Views

I don't have the link available, but some people devised a solution to disable ME, but it usually forces a reboot every 30 seconds, in other words, it's not usable. One thing to remember is that AMT depends on a vPro processor, a q-chipset or another corporate chipset, and Ethernet on the board. If either of the first two are missing, AMT does not run. The following link explains why adding an Ethernet card to a desktop -- laptops are different, of course -- defeats AMT out-of-bound. And don't install the ME application on W-7 or W-8.1 -- on W-10, you're stuck -- as it's not needed on systems without AMT.

JOver1
Beginner
4,295 Views

paramountain:

Thanks for the info regarding the separate NIC (I had already read about that somewhere); however, it would not be practical nor economical to have to purchase a separate NIC for a used computer which I only paid a little over $200 for (which runs just great for what I am doing and has a perfectly fine NIC onboard).

I know that there are some really GOOD reasons for Intel and Dell having put these IME and AMT capabilities into some computer systems, BUT when thinking about doing this, one of the very first thoughts that should have gone through their brains should have been to devise a very simple/non-complex way for the normal non-business users of these computers to completely DISABLE these IME and AMT features. Also, they should have put a very clear warning to users that these capabilities were present, so that the user would be aware that they needed to turn them OFF.

So far, I have found no plain English documentation of how one goes about disabling these capabilities on systems with these features.

ppara5
Valued Contributor I
4,295 Views

Intel PWLA8391GT (PCI) and EXPI9301CTBLK (PCIe x1) are only $30 at Newegg. And you won't find the documentation you are seeking because Intel considers it to be proprietary. Intel, and now AMD, make more money in the enterprise sector and made a business decision to cater to it at the expense of individual consumers.

JOver1
Beginner
4,295 Views

Paramountain:

Thanks for your reply, but surely the workings of the IME and AMT are not so proprietary that no one somewhere (here or on the Internet) has the knowledge to give advice on how to configure the IME and AMT so that they do not pose a security risk to the computer. Or is it true that the mere inclusion of these features on the computer makes it insecure to the point that REGARDLESS of how they are CONFIGURED, they still pose a security threat?

So far, I have figured out how to change the password for the extended BIOS (which includes both the IME and AMT) and also I turned off the REMOTE access/configuration to the AMT. Shouldn't doing those two things make the IME and AMT non-accessible to outside parties? However, even after doing those 2 things, the Intel Detection Tool still reports that the IME poses a VULNERABILITY, but I am thinking that the Intel Detection Tool is ONLY making this report based on the IME version that is found on the computer and not necessarily on how it has been configured, i.e. it is just detecting the IME from a version listing included in the tool.

Thanks.
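JOver1's guess that the detection tool decides by firmware version rather than by MEBx configuration can be checked directly on a Linux host, where the mainline `mei` driver exposes the ME firmware version in sysfs. The script below is an added example, not code from this thread, from Intel or from the Dell knowledge base. It assumes the sysfs path `/sys/class/mei/mei0/fw_ver` and its line format `platform:major.minor.hotfix.build` (one line per firmware block, unused blocks reported as zeros); the `fixed` table is a placeholder to be filled from the vendor advisory that applies to your platform, and the embedded `fw_ver` contents are constructed sample data. Nothing in this file reflects MEBx settings such as user consent or the extended BIOS password: a firmware build below the fixed level is reported as such regardless of how those are set, which is consistent with what the tool reported here.

```python
"""Read and classify the Intel ME firmware version reported by the Linux mei driver.

Added example (not from the thread, Intel or Dell). Assumptions:
  * sysfs path /sys/class/mei/mei0/fw_ver exists when the mei driver is bound;
  * each line has the form "<platform>:<major>.<minor>.<hotfix>.<build>";
  * the 'fixed' mapping (major branch -> first fixed version) is a placeholder
    that must be filled in from the vendor advisory for your platform.
"""
import re
from pathlib import Path
from typing import Dict, List, NamedTuple, Optional, Tuple

FW_VER_PATH = Path("/sys/class/mei/mei0/fw_ver")
_LINE = re.compile(r"^(\d+):(\d+)\.(\d+)\.(\d+)\.(\d+)$")

# Constructed sample of fw_ver contents: one populated block, two unused blocks.
SAMPLE_FW_VER = "0:11.8.50.3425\n0:0.0.0.0\n0:0.0.0.0\n"


class MeVersion(NamedTuple):
    platform: int
    major: int
    minor: int
    hotfix: int
    build: int

    def number(self) -> Tuple[int, int, int, int]:
        """Comparable version tuple without the platform field."""
        return (self.major, self.minor, self.hotfix, self.build)


def parse_fw_ver(text: str) -> List[MeVersion]:
    """Parse fw_ver lines, skipping malformed lines and all-zero (unused) blocks."""
    versions = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        ver = MeVersion(*(int(g) for g in m.groups()))
        if ver.number() != (0, 0, 0, 0):
            versions.append(ver)
    return versions


def read_fw_ver(path: Path = FW_VER_PATH) -> Optional[List[MeVersion]]:
    """Return the parsed versions, or None if the host OS exposes no mei device.

    None does not prove the ME is absent or disabled: the ME runs regardless of
    the host OS, and the mei driver may simply be unloaded or blacklisted.
    """
    try:
        return parse_fw_ver(path.read_text())
    except (FileNotFoundError, PermissionError, OSError):
        return None


def classify(ver: MeVersion, fixed: Dict[int, Tuple[int, int, int, int]]) -> str:
    """Compare a version against the first fixed build for its major branch.

    Returns "ok", "below-fixed-version", or "unknown" when the advisory table
    has no entry for that branch. The MEBx configuration plays no part here.
    """
    threshold = fixed.get(ver.major)
    if threshold is None:
        return "unknown"
    return "ok" if ver.number() >= threshold else "below-fixed-version"


if __name__ == "__main__":
    # Placeholder table: replace with the fixed builds from your vendor advisory.
    FIXED_PLACEHOLDER: Dict[int, Tuple[int, int, int, int]] = {}
    found = read_fw_ver()
    if found is None:
        print("no mei device visible to the host OS (cannot conclude ME state)")
    else:
        for v in found:
            print(f"ME firmware {v.major}.{v.minor}.{v.hotfix}.{v.build}: "
                  f"{classify(v, FIXED_PLACEHOLDER)}")
```

Run it as root or with read access to sysfs; with the placeholder table empty it reports `unknown` for every branch, which is the intended fail-safe until real advisory values are entered. Note also that AMT's network listeners are serviced by the ME itself, so neither this script nor `ss`/`netstat` on the host can show whether AMT is still answering on the wire; that has to be verified from a separate machine on the same network segment.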

n_scott_pearson
Super User Retired Employee
4,295 Views

See my comments here: .

...S

ppara5
Valued Contributor I
4,295 Views

Yes, it is that proprietary. The only people who understand it are current Intel employees and retired ones like Scott. The people who have managed to disable ME have done so via reverse engineering and lots of educated guesses, but the result was not perfect. I asked a similar question a while back (search for it via my alias) and Scott gave some answers.

The problem is that ME serves a purpose for all PCs, but it is also a component of AMT. In my opinion, there should have been more of a separation between consumers and enterprise users, but it is what it is now.

From your last paragraph, it appears that you have both an enterprise motherboard and a vPro processor. Your only option is to install an Ethernet card and even that only disables part of AMT.

JOver1
Beginner
4,295 Views

Paramountain:

I did some more looking at the IME and AMT parameters this morning.

I found 2 parameters under the AMT section, the first by the name of USER CONSENT and the second by the name of OPT-IN CONFIGURABLE FROM REMOTE IT, which was listed under user consent.

I set the user consent to NONE and I set the opt-in configurable from remote IT to disabled.

Also, I have changed the password of the extended BIOS from the default to my own password.

I also looked at the network settings and there are NO data/names entered for the various parameters, host, server, etc.

So can you tell me if I am flawed in my thinking that setting the user consent to none, the opt-in to disabled and the extended BIOS password to non-default would effectively keep any outside access to either the IME or AMT, or access to higher computer functions, without having actual physical access to the computer? And if not, would that possibly be because something in the IME supersedes the AMT parameter settings, so that an outside party could still gain access to the system as long as it was plugged into AC and had a physical or wireless route to the Internet?

This is on a Dell Optiplex model 980 desktop with the A17 version of the BIOS, released approx. June 2017.

Thanks.

PChok1
Beginner
4,295 Views

Same question here. Past experience with security issues makes me very leery that yet another security problem might silently be lurking, so I want to completely disable IME and AMT, but I have also been reading about only temporary solutions or bad side effects of disabling it.
