Hello everybody,
as it seems, there are real IME experts here - may I bother you with some beginner questions?
I don’t need Intel AMT nor the Intel Management Engine (ME), so I appreciate the possibility to disable both in the BIOS of current HP devices.
Among other things, I “save” myself and the system the installation of 6 drivers and software components.
As far as I know, parts of the ME remain active anyway.
So you can’t avoid switching them on before a BIOS update, because otherwise the ME won’t be updated.
This is of course a bit inconvenient, especially if BIOS updates are automated or carried out from Windows.
The times when you practically didn’t update the BIOS as long as everything was running are unfortunately over for security reasons.
TL;DR
What is better… an outdated Intel ME which is “more or less deactivated” or a current one which is fully active (except for AMT)?
Updates for the ME firmware (not the drivers!) still only come together with the BIOS/UEFI update from the mainboard OEM or system vendor (like Lenovo, Dell, HP…) and not separately via Windows Update - correct?
Thanks and greetings,
Martin
Firstly, they are not the same thing. While AMT can be unprovisioned by the owner, there is no official, documented way to disable the ME.
The ME itself is built into all Intel chipsets since 2008, to the system (even has ties to network chips), and its microprocessor continues to execute code.
The people who have managed to disable ME have done so via reverse engineering and lots of educated guesses, but the results were not perfect.
All you can do is update the firmware and its software.
Via BIOS or other ways. You just need the updated driver. You don’t actually need the software or its service in the OS after that. You can remove it from the environment variables’ path and disable/delete the service (using Autoruns, for example).
After the Spectre and Meltdown incidents in 2018, Windows 10 now has safeguards in place in the registry.
Also, Microsoft has been releasing microcode updates regularly since then.
Last but not least, almost all major manufacturers released either an ME firmware or BIOS update, or even both, after the incident (although most did not put them on the product’s support page but in blogs/announcement pages, logic).
In short,
Use the latest Windows 10. Even 10+ year old machines are capable of running Windows 10 without problems (WinMe-XP era).
Update your drivers, and you will be fine.
Visit the appropriate sections for guides, driver updates, BIOS files, etc.
Intel-SA-00125 Detection Tool (The INTEL-SA-00125 Detection Tool assists with detection of the security vulnerabilities described in INTEL-SA-00125)
InSpectre (Meltdown and Spectre vulnerability check tool, can enable/disable Windows registry entries)
Intel CSME Version Detection Tool (The Intel Converged Security and Management Engine Version Detection Tool (Intel CSMEVDT) assists with detection of the security vulnerabilities described in recent Intel security advisories with the installed management engine version in the system)
Summary of Intel Microcode Updates Windows microcode updates KB Numbers and Descriptions