Microsoft should disable Intel ME completely

Anonymous
2017-11-29T07:59:56+00:00

Hi, 

Since Microsoft isn't coming with a patch for INTEL-SA-00086, and given the fact that someone will keep finding exploits in Intel ME anyway, I think it's time to start another discussion: why doesn't Microsoft disable Intel ME completely?

There is proof of a kill switch that exists in Intel ME, for what Intel calls "a kill switch for customers with specialized requirements". I think it's time Microsoft starts using this.

There are laptop brands that have the latest Intel CPUs and have disabled Intel ME completely. Why not the Microsoft Surface family?

There is also a tool called ME cleaner that could disable Intel ME; the only question is how do you run that on a Surface?

https://github.com/corna/me_cleaner

Surface | Surface Pro | Safety and security

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.

Accepted answer
  1. Anonymous
    2017-12-08T18:50:04+00:00

    Hi everyone, 

    Microsoft is aware of the Intel Management Engine vulnerability (Intel-SA-00086). The Intel vulnerability detection tool currently lists Microsoft Surface devices as vulnerable to this security advisory.

    Microsoft has investigated the issue and found the following:

    1. Remote exploit of this vulnerability requires Intel Active Management Technology (AMT). Current Surface devices do not allow remote connectivity to the ME because our devices do not run AMT.
    2. Local exploit of this vulnerability requires Direct Connect Interface (DCI) access via USB, which is not provided on Surface devices.

    Because of this, we believe exploits using this vulnerability are significantly reduced on Surface devices. We care deeply about ensuring our devices are reliable and secure and are working with Intel to generate fixes for current devices, which we expect to release in the near future.

    Thanks,

    Greg

    5 people found this answer helpful.

17 additional answers

  1. Anonymous
    2017-11-29T14:25:03+00:00

    Hi ATXTXA,

    There is already a way to disable Intel Management Engine (IME) in Windows. Just press the Windows key and the X key on your keyboard at the same time, then from the context menu that appears on the lower left corner of your screen select "Device Manager" and left click your mouse on it to launch Device Manager. In the Device Manager window scroll down to the "System devices" category, and left click your mouse on the arrow to the right of this category's icon to expand this category (known as the device tree). If you look through this category (you may need to scroll down more) you will find the "Intel(R) Management Engine Interface" listed. Right click your mouse on it, and from the context menu that appears, select "Disable" and left click your mouse on it. The Device Manager may now prompt you to restart your computer for the change to take effect, and if it does you should do so. Otherwise, you should now see a change in the IME icon showing it is disabled. You can then close the Device Manager by left clicking your mouse on the X at the top right corner of the Device Manager window. Hope this works for everyone!

  2. Anonymous
    2017-11-29T15:05:29+00:00

    I doubt that disabling "Intel(R) Management Engine Interface" will actually remove ME from my processor

    5 people found this answer helpful.
  3. Anonymous
    2017-11-29T16:02:58+00:00

    Thanks for the reply, but this doesn't remove Intel ME at all. You could compare Intel ME with a separate OS that runs on a lower level than Windows, and therefore there is no way for Windows to check and confirm if it's running or not.

    The only way to disable it would be by a real Microsoft firmware update that would disable Intel ME.

    There is an Intel ME cleaner tool, https://github.com/corna/me_cleaner, but I don't think it would work on Microsoft Surface, because firmware updates of a Surface device get pushed and deployed together with Windows updates, and I doubt you could alter or change this with the tool, because a Surface device (or Windows?) would probably check the integrity of the updates before installing them. So even if you could change it, you can't install it.

    I would love to hear other people's opinions on this.

    3 people found this answer helpful.
  4. Anonymous
    2017-11-29T18:02:58+00:00

    The "How to apply" sounds way too complicated for an average user. Also, I would not dare tamper with my SP4 in such an unofficial way.

    Instead, I'd rather wait for Microsoft to provide a proper new firmware. It was obvious that nothing much would happen here over the Thanksgiving holidays, so let's be patient for a while and see if they deliver (I bet they will).

    1 person found this answer helpful.