How to completely deactivate Intel AMT

Dear all,

I am using a Lenovo ThinkPad T420 and Windows 7 prof. x64 as my main workstation. Yesterday I did a reinstallation of Windows 7 (ISO image from MSDNAA and not the Lenovo DVD). After the OS and all drivers (using Lenovo System Update) were installed, I had a look at the device manager and recognized the "Intel management engine interface". Since I don't need this function I researched how this device can be disabled. First I had a look in the System BIOS which stated that AMT is disabled:

So I went back to Windows and had a look in the device manager. The device was still there. I decided to use the "Management and Security Status" tool, which stated that AMT is active ("Aktiviert" in German):

...but that the connections are disconnected ("Verbindung getrennt"):

I did some further googling which led me to the conclusion that I have to use the "Management Engine BIOS Extension" (MEBx) to disable AMT. I went back to BIOS, reenabled AMT (otherwise you can't enter MEBx), pressed Ctrl+P on restart and used MEBx to disable AMT:

After exiting MEBx and restarting Windows 7, "Management and Security Status" said that AMT is disabled ("Deaktiviert"):

...and also the details looked different ("Informationen nicht verfügbar" -> information not available)

I thought that I've finally got rid of AMT, restarted the ThinkPad, entered BIOS and set "Intel AMT Control" back to "disabled". While restarting, the BIOS prompted "Intel ME unconfiguration in progress..."

BUT then this flashed up and stated that AMT is "enabled" (I had to take a movie, sorry for bad quality):

And when Windows 7 was started this happened...

...also the "Management and Security Status" states, that AMT is ACTIVATED

So my question is:

Is it necessary that the BIOS option "Intel AMT Control" stays "Enabled" to get rid of AMT? Sounds strange to me!

Thanks a lot,

Simon


That particular BIOS setting is particular to the device manufacturer. However, I do not think it activates/de-activates AMT, only whether MEBx can be entered. (A corporation might not want to allow users to enter MEBx and change settings.) But to be sure, check with the OEM.

It seems that switching "Intel (R) AMT Control" to "Disabled" in BIOS just resets AMT to defaults. When you switch this option back to "Enabled" and access MEBx, the password is "admin" again, all settings are lost and AMT is active (which seems to be the default setting).
So leaving the BIOS option "Enabled" and disabling AMT in MEBx seems to be the only way to deactivate AMT.

Another question:
Is selecting "Disabled" for "Manageability Feature Selection" in MEBx the correct way to disable AMT and therefore remote access?

Edit:

Even when "Management and Security Status" claims that AMT is disabled, the AMT web server seems to be running and is accessible in the local browser:

BTW, this is what the web interface looks like when AMT is disabled in BIOS ("Management and Security Status" states that AMT is enabled):

Edit 2:

When I disable the "Intel(R) Management and Security Application Local Management Service", I can't access port 16992 and no Intel AMT message is shown as mentioned above. But this leads me back to my old question: Is selecting "Disabled" for "Manageability Feature Selection" in MEBx the correct way to disable AMT and therefore remote access?
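The port 16992 check described in the post above can be scripted so it is repeatable after each BIOS or MEBx change. This is an added example, not part of the original thread; the `Server` banner string and the second port (16993, the TLS counterpart of 16992) are assumptions not taken from the posts.

```python
import socket

# Assumption: the AMT web server names itself in the HTTP Server header
# with this product string (compared case-insensitively).
AMT_BANNER = b"intel(r) active management technology"
# 16992 is the port from the thread; 16993 is assumed (AMT over TLS).
AMT_PORTS = (16992, 16993)


def classify_response(raw: bytes) -> str:
    """Classify the first bytes a listener sent back."""
    if not raw.startswith(b"HTTP/"):
        return "open-no-http"  # listener exists but did not answer in HTTP
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server" and AMT_BANNER in value.lower():
            return "amt"
    return "other-http"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'unreachable', 'amt', 'other-http' or 'open-no-http'."""
    request = (b"GET / HTTP/1.1\r\nHost: " + host.encode()
               + b"\r\nConnection: close\r\n\r\n")
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(request)
            try:
                raw = s.recv(4096)
            except OSError:  # timeout or reset after connecting
                raw = b""
    except OSError:          # refused, filtered or timed out
        return "unreachable"
    return classify_response(raw)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for p in AMT_PORTS:
        print(f"{target}:{p} -> {probe(target, p)}")
```

A result on 127.0.0.1 only shows what answers locally, which Edit 2 shows depends on the Windows service; to see what the network sees, run it from a second machine against the laptop's address.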

I want to add another question: Why is the "Management and Security Status" stating that "Intel AT" is "active", while the BIOS setting claims that it is "Disabled" and "Not Activated"?

Now I have two different opinions from four different programs about the AT situation on my system! The "Intel Anti-Theft Status Tool" and the "Intel Anti-Theft Status Utility" claim that AT is "Inactive". The "Intel Management and Security Status" and "MEInfo" state that it is "active" or "present/enabled".

Which one can I trust?

It would be really nice if an official Intel representative could clear things up! The Lenovo support is pretty useless...

Is selecting "Disabled" for "Manageability Feature Selection" in MEBx the correct way to disable AMT and therefore remote access?

The best way to disable any access to Intel AMT is to set it up with some fake Intel MPS server. ;) In that case all AMT ports are blocked by the Intel AMT firmware and no one can use them (neither in the local network nor remotely).

Here's a concise, plain English guide on how to disable Intel AMT.

There is additional information on AMT disabling in the Intel SA 00075 Mitigation Guide
