HACKER Q&A
📣 open1414

How to know if laptop enrolled in Intel Management Engine?


I am looking to purchase a old laptop from what seems to be a reseller of decommissioned laptops.

I read about Intel Management Engine and how it is a backdoor at the CPU level and is not installed at the operating system level.

I tried googling this, but how would I know if the laptop is still enrolled in some network? I would hate it if some sysadmin could remotely do stuff to my PC.


  👤 mjg59 Accepted Answer ✓
There are two different components here. The first is the Management Engine. Unless this laptop is extremely old, it has one, and it's running. Depending on age, you may be able to prevent it from booting while still allowing the rest of the system to run, but probably not. The second is Intel's Advanced Management Technology (AMT). This is only available on systems with vPro badging, which generally means higher-end business laptops. AMT is much less widely used than you might think, so it's probably not enrolled anywhere. You can confirm whether AMT has been provisioned with https://github.com/mjg59/mei-amt-check, and as long as you have the system firmware password you should be able to reset the ME regardless.

(Edit: I didn't make the relationship between these clear. All modern Intel laptops have the ME. AMT is a software component that runs on top of the ME, but is only provisioned on systems that have vPro badging.)


👤 arsome
What you're interested in is called Active Management Technology. It's not supported by all boards, but typically if it is, there's a BIOS screen labelled something like "AMT Configuration" where it can be enabled or disabled.

https://virtualizationreview.com/articles/2020/01/13/configu...

Intel ME is its own can of worms and can only be fully disabled by modifying the firmware image, see tools like me_cleaner.

https://github.com/corna/me_cleaner


👤 vuln
You could see if the laptop is supported by coreboot and, if so, use coreboot to remove the Intel ME.

https://16bit.io/pages/Installing-Coreboot.html


👤 jtrtoo
Check the OEM's manual. There are nearly always options in the BIOS to disable it. Also, Intel's AMT engine rolls by during POST. You can go into the AMT (not BIOS) settings to see provisioning status and/or reset the ME AMT configuration in all cases I've seen.

On really old or some oddball systems the process requires a CMOS battery pull for a few minutes.

This all assumes your device was enterprise targeted to start with. If it lacks vPro/DASH it's irrelevant.

You can double-check your own device in other ways too, like seeing if there is a web server at http{s}://your_local_ip:{16992,16993}/ (from another host on your LAN, not the same one).
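The port check jtrtoo describes, automated as a small probe. This is an added example and not code from any post in this thread or from the mei-amt-check project. It assumes the AMT firmware web UI identifies itself with a Server header of the form "Intel(R) Active Management Technology <version>", which is how provisioned AMT systems answer on 16992/16993; the target address 192.0.2.10 is a placeholder from the documentation range, and the sample headers used below are constructed.

```python
"""Probe a host on the LAN for an Intel AMT web interface (ports 16992/16993).

Run this from ANOTHER machine on the same network, as jtrtoo says: the
target's own OS never sees AMT's ports, because traffic to its own address
loops back inside the OS stack and never reaches the NIC, where the ME
intercepts AMT traffic.
"""
import http.client
import re
import socket
import ssl

# Ports the AMT firmware web server listens on once AMT is provisioned.
AMT_HTTP_PORT = 16992
AMT_HTTPS_PORT = 16993

# Assumption: the AMT web UI announces itself in the Server header, e.g.
# "Intel(R) Active Management Technology 11.8.50". The version is captured.
AMT_SERVER_RE = re.compile(
    r"Intel\(R\) Active Management Technology\s+([\d.]+)", re.IGNORECASE
)


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify_headers(headers):
    """Return the AMT firmware version string if the response headers carry
    an AMT Server header, else None. Header names are matched case-insensitively."""
    for name, value in headers.items():
        if name.lower() == "server":
            match = AMT_SERVER_RE.search(value)
            if match:
                return match.group(1)
    return None


def fetch_headers(host, port, use_tls, timeout=3.0):
    """GET / on an AMT port and return (status, headers dict)."""
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # AMT ships a self-signed certificate
        ctx.verify_mode = ssl.CERT_NONE     # we only want the banner, not trust
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


def probe_host(host):
    """Summarise what, if anything, AMT-like is listening on the host."""
    result = {"host": host, "ports_open": [], "amt_version": None}
    for port, tls in ((AMT_HTTP_PORT, False), (AMT_HTTPS_PORT, True)):
        if not tcp_open(host, port):
            continue
        result["ports_open"].append(port)
        try:
            _, headers = fetch_headers(host, port, tls)
        except (OSError, http.client.HTTPException):
            continue  # port open but no usable HTTP answer; keep the open-port fact
        version = classify_headers(headers)
        if version:
            result["amt_version"] = version
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder address
    print(probe_host(target))
```

An open 16992/16993 answering with that banner means AMT is provisioned and reachable on that interface. The converse does not hold: closed ports only show AMT is not listening on the interface you probed (it may be configured for wired only, or be in a pre-provisioned state), so pair this with a check from the OS side such as mei-amt-check before concluding the firmware is clean.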


👤 oneplane
You can check it in the firmware settings. To know if there is even the option to enrol, check the manual of the device. If there is no manual, check the SKU of the CPU and PCH; only some SKUs have full management enrolment.

Keep in mind that regardless of the status, you can always reset it. In some cases you can also remove most of it, but since the ME also controls a lot of power functions, and on laptops might also hinder EC usage if disabled, you might simply not have much choice.

If the ME (or AGESA) is a problem for you, there are two options:

  1. Get a very old machine that doesn't have it
  2. Get a machine that doesn't use Intel or AMD processors

And just in case: ME "enrolment" doesn't actually mean much. It's not some cool remote control thing or remote wipe or something like that; it's mostly just crappy VNC and a janky XML API that only works on the local network. So even if it contains provisioning profiles for some company, it's not like they have 'access' to your laptop. It's not like Apple's DEP or the legacy CompuTrace or Intel AT products. Those two are also not really all that exciting, considering they mostly just work like rootkits on specific Windows versions. If anything, getting your hands on a provisioned laptop gets YOU access to the company network in some badly configured NACs.