I have a Skylake i7-6700k with an Asus MAXIMUS VIII HERO (z170 motherboard). I've been trying to upgrade my Intel management engine but I've run into a problem which seems to be related to the management engine itself.
I've installed the Intel management engine interface drivers with no issue (220.127.116.110) as far as I can tell.
I've run the SA00086 tool from Intel that can be downloaded from here: https://downloadcenter.intel.com/download/27150 (Intel-SA-00086 Detection Tool)
It reports my system as vulnerable:
Risk Assessment
Based on the analysis performed by this tool: This system is vulnerable.
Processor Name: Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz
OS Version: Microsoft Windows 10 Pro
Intel(R) ME Information
Engine: Intel(R) Management Engine
I have downloaded the tool (http://dlcdnet.asus.com/pub/ASUS/mb/LGA1151/Z170-A/MEUpdateTool_UI_20171103_TP.zip) from Asus for my motherboard for updating ME firmware (it uses FWUpdLcl64.exe from Intel), but when running it, it encounters an error:
Intel (R) Firmware Update Utility Version: 18.104.22.16899
Copyright (C) 2007 - 2017, Intel Corporation. All rights reserved.
Communication Mode: MEI
Error 8719: Firmware update cannot be initiated because Local Firmware update is disabled
It seems like my management engine is locked down somehow from being updated. There are no options in my UEFI/BIOS related to the management engine.
Here's the output from MEInfoWin.exe:
Intel(R) MEInfo Version: 22.214.171.12416
Copyright(C) 2005 - 2017, Intel Corporation. All rights reserved.
Intel(R) ME code versions:
BIOS Version 3504
MEBx Version 0.0.0.0000
GbE Version 0.7
Vendor ID 8086
PCH Version 31
FW Version 126.96.36.1993 H
Security Version (SVN) 1
LMS Version Not Available
MEI Driver Version 188.8.131.520
Wireless Hardware Version Not Available
Wireless Driver Version Not Available
FW Capabilities 0x11111D40
Intel(R) Capability Licensing Service - PRESENT/ENABLED
Protect Audio Video Path - PRESENT/ENABLED
Intel(R) Dynamic Application Loader - PRESENT/ENABLED
Re-key needed False
Platform is re-key capable True
Last ME reset reason Firmware reset
Local FWUpdate Disabled
BIOS Config Lock Enabled
GbE Config Lock Enabled
Host Read Access to ME Enabled
Host Write Access to ME Disabled
Host Read Access to EC Disabled
Host Write Access to EC Disabled
SPI Flash ID 1 EF4018
SPI Flash ID 2 Unknown
BIOS boot State Post Boot
OEM ID 00000000-0000-0000-0000-000000000000
Capability Licensing Service Enabled
OEM Tag 0x00000000
Slot 1 Board Manufacturer 0x00000000
Slot 2 System Assembler 0x00000000
Slot 3 Reserved 0x00000000
M3 Autotest Disabled
C-link Status Disabled
Independent Firmware Recovery Disabled
EPID Group ID 0xF87
LSPCON Ports None
5K Ports None
OEM Public Key Hash FPF 0000000000000000000000000000000000000000000000000000000000000000
OEM Public Key Hash ME 0000000000000000000000000000000000000000000000000000000000000000
ACM SVN FPF 0x0
KM SVN FPF 0x0
BSMM SVN FPF 0x0
GuC Encryption Key FPF 0000000000000000000000000000000000000000000000000000000000000000
GuC Encryption Key ME 0000000000000000000000000000000000000000000000000000000000000000
Force Boot Guard ACM Disabled Disabled
Protect BIOS Environment Disabled Disabled
CPU Debugging Enabled Enabled
BSP Initialization Enabled Enabled
Measured Boot Disabled Disabled
Verified Boot Disabled Disabled
Key Manifest ID 0x0 0x0
Enforcement Policy 0x0 0x0
I noticed that "Local FWUpdate" is set to Disabled. How can I enable this flag to upgrade my old firmware?
Would really appreciate some help on this matter. Thanks!
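For triaging MEInfo dumps like the one in the post above, the following is an added example (not part of the original thread and not Intel or Asus code) that extracts the lock-related rows and reports whether the "Local FWUpdate" state matches the one behind Error 8719. The field labels are copied from the output above; the function names, the blocked/allowed/unknown verdicts and the sample text are assumptions made for this example.

```python
import re

# Field labels exactly as they appear in the MEInfo output quoted in the post.
LOCK_FIELDS = (
    "Local FWUpdate",
    "BIOS Config Lock",
    "GbE Config Lock",
    "Host Read Access to ME",
    "Host Write Access to ME",
    "Independent Firmware Recovery",
)
# A row is one known label, whitespace (single space or column padding),
# then exactly one state word. Two-column rows such as "Measured Boot" are ignored.
_ROW = re.compile(
    r"^\s*(" + "|".join(re.escape(f) for f in LOCK_FIELDS) + r")\s+(Enabled|Disabled)\s*$"
)

def parse_lock_fields(meinfo_text):
    """Map each lock-related label to 'Enabled', 'Disabled' or None (row absent)."""
    fields = dict.fromkeys(LOCK_FIELDS)
    for line in meinfo_text.splitlines():
        m = _ROW.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def local_update_verdict(meinfo_text):
    """'blocked' is the state reported alongside Error 8719 in the post; a dump
    without the row is 'unknown', never silently treated as updatable."""
    state = parse_lock_fields(meinfo_text)["Local FWUpdate"]
    return {"Disabled": "blocked", "Enabled": "allowed"}.get(state, "unknown")

# Constructed sample: rows copied from the post, with column padding varied.
SAMPLE = """\
FW Capabilities 0x11111D40
Local FWUpdate                 Disabled
BIOS Config Lock Enabled
Host Read Access to ME Enabled
Host Write Access to ME Disabled
Measured Boot Disabled Disabled
"""

if __name__ == "__main__":
    for label, value in parse_lock_fields(SAMPLE).items():
        print(f"{label:32} {value or 'not reported'}")
    print("local firmware update:", local_update_verdict(SAMPLE))
```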
You should be asking this question at the Asus site, not here. We know nothing about how Asus has set up and protected their firmware hub on this board.
I contacted Asus service center regarding my motherboard and this was the response I got (copied as is):
Thank you for your patience.
Our backend team has get back to us , they mention the update is the latest.
However, the problem is liable with Intel and they unable to provide whether the security issue was fixed. They advise you to contact Intel for further assist
Regardless of whether or not there is an issue that Intel needs to help Asus resolve, you *still* need to get your solution through Asus, so our discussion here is moot. Go back to Asus and keep bugging them; you are accomplishing nothing here.