How to disable the Intel Management Engine?



karl_spqr
01-06-2015, 01:12 AM
I have a G750JZ laptop and I'd like to fully disable the so-called "Intel Management Engine" (sometimes called Intel Active Management Technology). I don't see any related options in the BIOS, and that's quite strange, most BIOSes allow you to disable it.

For those who don't know, and for how unbelievable it might sound, this "brilliant" thing is a chip that has direct access to the ethernet card and can autonomously establish a remote connection without the OS knowing anything about it. It can work even when your computer is powered off (!), as long as it is connected to a power source. It doesn't take a genius to imagine the potential security risks:
https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Security

hmscott
01-06-2015, 06:36 AM
karl_spqr,

Intel® Active Management Technology (Intel® AMT) Start Here Guide (Intel AMT 9.0)
https://software.intel.com/en-us/articles/intel-active-management-technology-start-here-guide-intel-amt-9#2

"2.1 What is Intel® Active Management Technology?
Intel AMT is part of the Intel® vPro™ technology offering."

The 4700HQ doesn't have Intel vPro Technology available in the CPU (from ark.intel.com):

http://ark.intel.com/products/75116/Intel-Core-i7-4700HQ-Processor-6M-Cache-up-to-3_40-GHz

[Attachment 45119]

That's why it's not in the BIOS.

Intel vPro is also not present in the 4710HQ.

Intel vPro is available in the 4860HQ - but I doubt Asus implemented or enabled it in the BIOS - which it needs to be in order to set up. Check your BIOS if you have a 4860HQ to be sure.

These aren't corporate laptops that need such Orwellian controls, these are consumer laptops for enjoyment of personal use.

karl_spqr
01-06-2015, 10:47 AM
"Intel AMT is part of the Intel® vPro™ technology
...
The 4700HQ doesn't have Intel vPro Technology available in the CPU"



Technically true, but Intel's website has ambiguous wording on this issue. While Intel AMT is supposed to be part of vPro, which my CPU doesn't support (and I already knew that), at the same time their website states that AMT is inside the Intel Management Engine firmware, which is a non-optional component of the laptop's HM87 architecture, and whose driver is also visible in Windows Device Manager. So it might be in the motherboard instead of the CPU. From Intel's website:


"The Intel AMT functionality is contained in the Intel ME firmware.

The firmware image is stored in flash memory.
The Intel AMT capability is enabled using the Intel® Manageability Engine (Intel® ME) BIOS extension as implemented by an OEM platform provider. A remote application can be used to perform enterprise setup and configuration."

https://software.intel.com/en-us/articles/intel-active-management-technology-start-here-guide-intel-amt-9#2



Here is the HM87 architecture, including Intel ME:

http://www.intel.com/content/www/us/en/chipsets/performance-chipsets/mobile-chipset-hm87.html




"karl_spqr, warm milk and cookies, and a good night's sleep, that is what I recommend."

And I recommend answering only questions on issues that one has complete knowledge about, rather than joking on legitimate doubts. It's not paranoia, it might be a serious security issue.

karl_spqr
01-06-2015, 01:18 PM
Thanks for the non-answer. I'm going to ask Intel directly, rather than some random Asus customer support guy.

karl_spqr
01-06-2015, 01:34 PM
"Don't do bad things and you won't need to worry about getting caught. :)"


I agree with this statement. And one of the bad things that one shouldn't do is defamation, for which one might risk being sued.

hmscott
01-06-2015, 03:35 PM
Karl, System Discovery is a utility from Intel that you can run on your laptop/computer to prove to yourself that there is no AMT active on your system.

Intel® Setup and Configuration Software
(Intel® SCS)
Standalone System Discovery Utility
http://www.intel.com/content/dam/www/public/us/en/documents/guides/scs-system-discovery-utility-guide.pdf

Here are all the tools, PDFs, plugins, etc., associated with the vPro AMT Management tools
https://downloadcenter.intel.com/SearchResult.aspx?lang=eng&ProdId=3051

Intel® Setup and Configuration Software (Intel® SCS)
https://downloadcenter.intel.com/Detail_Desc.aspx?DwnldID=24563&lang=eng&ProdId=3051

File name: IntelSCS_10.0.11.35.zip
Version: 10.0 (Latest)
Date: 12/21/2014
Size: 104.27 MB
Language: English
Operating Systems: Windows 7*, Windows 8*, Windows 8.1*
https://signin.intel.com/?appid=514&TARGET=https%3a%2f%2fdownloadcenter.intel.com%2fEntitleHandler.aspx?httpDown=https://aiedownload.intel.com/entitled/24563/eng/IntelSCS_10.0.11.35.zip|lang=eng|Dwnldid=24563|ent=Y&Lang=eng&Dwnldid=24563

The System Discovery Utility is contained in that package, and when unpacked can be run as Administrator to determine the vPro AMT capabilities and configuration on your computer.

Here is what it looks like when run in an Administrator cmd window:

C:\Users\hmscott\Downloads\Intel AMT\intelscs_10.0.11.35\IntelSCS\SCS_Discovery>SCSDiscovery.exe SystemDiscovery

[Attachment 45132]

And, as I said, there is no such hardware in the ROG laptops. Here are excerpts from the log, and from the xml file:

2015-01-06 07:19:02:(INFO) : ACU Configurator , Category: HandleOutPut: Starting log 2015-01-06 07:19:02
2015-01-06 07:19:02:(INFO) : SCSDiscovery, Category: -SystemDiscovery-: hmscott-g750h: Discovering the System information...
2015-01-06 07:20:47:(ERROR) : ACU Configurator , Category: Error message: Failed to connect to the Intel(R) Management Engine Interface PTHI client. (0xc000001c)
2015-01-06 07:21:08:(ERROR) : hmscott-g750h, Category: AMT Interface error: Failed while calling Soap call GetCoreVersion. Intel(R) AMT connection error 0xc000521c: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target. , error in discover 0xc000521c
2015-01-06 07:21:25:(ERROR) : hmscott-g750h, Category: AMT Interface error: Failed while calling Soap call GetCoreVersion. Intel(R) AMT connection error 0xc000521c: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target. , error in discover 0xc000521c
2015-01-06 07:21:28:(WARN) : SCSDiscovery.exe, Category: System Discovery: System Discovery finished with warnings: System Discovery failed to get data from some of the interfaces on this system. (0xc00027ff). Failed to get data from the MEI interface. (0xc000283d). Failed to connect to the Intel(R) Management Engine Interface PTHI client. (0xc000001c). This system does not have Intel(R) AMT (or it is disabled in the Intel MEBX, or the correct drivers are not installed or enabled, or the current user does not have permissions to the drivers). (0xc0000063). Failed to get data from the OS Registry interface. (0xc0002840). Failed to read the registry value (Primary DNS suffix). (0xc0001f52). Failed to open the registry Key (SYSTEM\CurrentControlSet\Services\LMS). The system cannot find the file specified. (0xc0001f50). The registry key not found.(SYSTEM\CurrentControlSet\Services\LMS) (0xc0001f58). Failed to get data from the Intel(R) AMT WSMAN Discovery interface. (0xc0002841). Initial connection to the Intel(R) AMT device failed. (0xc00007d2). A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target. (0xc000521c). Failed to get data from the GetDNSLookupName interface. (0xc0002842). Failed to retrieve the host onboard IPv4 IP (please check the LAN settings). (0xc0002836).
2015-01-06 07:21:28:(INFO) : SCSDiscovery, Category: Exit: ***********Exit with code 32 - Intel(R) AMT operation completed with warnings: Details: Success. System Discovery finished with warnings: System Discovery failed to get data from some of the interfaces on this system. (0xc00027ff). Failed to get data from the MEI interface. (0xc000283d). Failed to connect to the Intel(R) Management Engine Interface PTHI client. (0xc000001c). This system does not have Intel(R) AMT (or it is disabled in the Intel MEBX, or the correct drivers are not installed or enabled, or the current user does not have permissions to the drivers). (0xc0000063). Failed to get data from the OS Registry interface. (0xc0002840). Failed to read the registry value (Primary DNS suffix). (0xc0001f52). Failed to open the registry Key (SYSTEM\CurrentControlSet\Services\LMS). The system cannot find the file specified. (0xc0001f50). The registry key not found.(SYSTEM\CurrentControlSet\Services\LMS) (0xc0001f58). Failed to get data from the Intel(R) AMT WSMAN Discovery interface. (0xc0002841). Initial connection to the Intel(R) AMT device failed. (0xc00007d2). A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target. (0xc000521c). Failed to get data from the GetDNSLookupName interface. (0xc0002842). Failed to retrieve the host onboard IPv4 IP (please check the LAN settings). (0xc0002836).

[Attachment 45133]

Please run SCSDiscovery.exe SystemDiscovery on your G750JZ and prove to yourself there is no AMT running, configured, or in existence in your laptop.

Please post your results here.
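
Added example, not part of hmscott's post or of Intel's tooling: a small parser for SCSDiscovery log lines in the format shown above that pulls out each parenthesised status code with its message and lists the other causes the tool itself names beside "does not have Intel(R) AMT". The sample log is constructed and shortened, and the `triage` rule is this example's own heuristic (an assumption), not Intel's documented semantics.

```python
import re

# Constructed sample: two shortened lines in the format of the log excerpt above.
SAMPLE_LOG = (
    "2015-01-06 07:20:47:(ERROR) : ACU Configurator , Category: Error message: Failed to "
    "connect to the Intel(R) Management Engine Interface PTHI client. (0xc000001c)\n"
    "2015-01-06 07:21:28:(WARN) : SCSDiscovery.exe, Category: System Discovery: "
    "Failed to get data from the MEI interface. (0xc000283d). "
    "This system does not have Intel(R) AMT (or it is disabled in the Intel MEBX, "
    "or the correct drivers are not installed or enabled, or the current user does "
    "not have permissions to the drivers). (0xc0000063). "
    "The registry key not found.(SYSTEM\\CurrentControlSet\\Services\\LMS) (0xc0001f58).\n"
)

LINE_RE = re.compile(r"^[\d-]+ [\d:]+:\((\w+)\) : .*?, Category: [^:]+: (.*)$")
STATUS_RE = re.compile(r"\s*(.+?)\s*\((0x[0-9a-fA-F]{8})\)\.?")  # "message (0x........)"
ALT_RE = re.compile(r"does not have Intel\(R\) AMT \((.+)\)")


def parse_statuses(log_text):
    """Return {code: (level, message)} for each parenthesised status, first seen wins."""
    found = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            for message, code in STATUS_RE.findall(m.group(2)):
                found.setdefault(code.lower(), (m.group(1), message))
    return found


def amt_alternatives(statuses):
    """Other causes the tool lists in the same message as 'does not have AMT'."""
    for _level, message in statuses.values():
        m = ALT_RE.search(message)
        if m:
            return re.sub(r"^or ", "", m.group(1)).split(", or ")
    return []


def triage(statuses):
    """Example heuristic (assumption of this sketch, not Intel's documented semantics)."""
    alts = amt_alternatives(statuses)
    me_unreachable = any("MEI interface" in msg or "PTHI client" in msg
                         for _level, msg in statuses.values())
    if not alts:
        return "not-reported", alts
    # If the tool never reached the ME, "no AMT" is only one of the listed causes.
    return ("inconclusive" if me_unreachable else "absent-or-disabled"), alts
```

In the log excerpt above, status 0xc0000063 appears together with the MEI and PTHI connection failures, which is the case `triage` labels inconclusive.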

hmscott
01-07-2015, 05:51 AM
hwinfo64 also shows the status of the vPro and ME, and has AMT and other remote management showing as disabled:

[Attachment 45191]

[Attachment 45188]