Ask HN: How to know if laptop enrolled in Intel Management Engine?
I am looking to purchase a old laptop from what seems to be a reseller of decommissioned laptops.
I read about Intel Management Engine and how it is a backdoor at the CPU level and does is not installed at the operating system level.
I tried googling this but how would I know if the laptop is still enrolled into some network? I would hate if some sysadmin could remotely do stuff to my PC. There's two different components here. The first is the Management Engine. Unless this laptop is extremely old, it has one, and it's running. Depending on age, you may be able to prevent it from booting while still allowing the rest of the system to run, but probably not. The second is Intel's Advanced Management Technology (AMT). This is only available on systems with VPro badging, which generally means higher-end business laptops. AMT is much less widely used than you might think, so it's probably not enrolled anywhere. You can confirm whether AMT has been provisioned with https://github.com/mjg59/mei-amt-check, and as long as you have the system firmware password you should be able to reset the ME regardless. (Edit: I didn't make the relationship between these clear. All modern Intel laptops have ME. AMT is a software component that runs on top of the ME, but is only provisioned for systems that have VPro badging) > you may be able to prevent it from booting while still allowing the rest of the system to run, but probably not. To be clear, this is not a technical side-effect of some incidental reliance of the boot process on the management engine (ME). Instead, Intel has deliberately made it impossible for consumers to disable the ME, has obfuscated how the ME works, and offered ME-disabled computers only to "military, government and intelligence agencies". All under the guise that "Intel considers disabling ME to be a security vulnerability, as a malware could abuse it to make the computer lose some of the functionality that the typical user expects, such as the ability to play media with DRM" - which is beyond laughable. In short, it could not be more obvious that the ME is malicious. Source: https://en.wikipedia.org/wiki/Intel_Management_Engine "Intel considers SGX instructions to be a security vulnerability, as a malware could abuse it to make the computer lose some of the functionality that the typical user expects, such as the ability to play media with DRM." fixed it So what does Intel Management Engine do when AMT is disabled or not present? >Depending on age, you may be able to prevent it from booting while still allowing the rest of the system to run, but probably not. How old? Wikipedia says 2008. If your computer isn't connected to Ethernet or WiFi, why does having a secret Intel management engine running in your CPU matter if it can't publish your data anywhere? who runs a laptop in that kind of setup? hypothetical responses to a legitimate question/response is just lazy and lame I'm sorry, I misunderstood. I thought this post was asking from the perspective of "How can I tell if I'm enrolled in that secret thing we learned about that Intel has a secret backdoor to our computers" from the perspective of "I want to make sure it is off/I'm not enrolled". I was suggesting, if the PC isn't connected to the Internet in this hypothetical case, why does the Intel backdoor matter? It wasn't clear to me the OP was trying to actually use the Intel Management Engine for legitimate purposes. I apologize. What you're interested in is called Active Management Technology, it's not supported by all boards, but typically if it is there's a bios screen labelled something like "AMT Configuration" where it can be enabled or disabled. https://virtualizationreview.com/articles/2020/01/13/configu... Intel ME is its own can of worms and can only be fully disabled by modifying the firmware image, see tools like me_cleaner. You could see if the laptop is support by coreboot and if so use coreboot to remove intel ME. Says you need to desolder a chip from the motherboard. Not all the time. It all depends on the machine/main board. I flashed my x220 with a flasher and an 8 clip. It's rather simple, if you don't have the hardware around it's a little bit of an expense. https://framagit.org/GNUtoo/coreboot-scripts/-/tree/master/f... Check the OEM's manual. There are nearly always options in the BIOS to disable. Also Intel's AMT engine rolls by during POST. You can do a <Ctrl-P> to go into the AMT (not BIOS) settings to see provisioning status and/or reset the ME AMT configuration in all cases I've seen. On really old or some oddball systems the process requires a CMOS battery pull for a few minutes. This all assumes your device was enterprise targeted to start with. If it lacks vPro/DASH it's irrelevant. You can double check your own device in other ways too like seeing if there is a web server at http{s}://your_local_ip:{16992,16993}/ (from another host on your LAN not the same one). You can check it in the firmware settings. To know if there is even the option to enrol, check the manual of the device. If there is no manual, check the SKU for the CPU and PCH, only some SKUs have full management enrolment. Keep in mind that regardless of the status, you can always reset it. In some cases you can also remove most of it, but since the ME also controls a lot of power functions and on laptops might also hinder EC usage if disabled, you might simply not have much choice. If the ME (or AGESA) is a problem for you, there are two options: > 2. Get a machine that doesn't use Intel or AMD processors The only other commercially available x86 processors I'm aware of are Zhaoxin, and I would be very surprised if those didn't have something ME-like baked in. There are architectures that aren't x86. IMO alternative architectures such as ARM64 are not suitable (yet) for use on general purpose workstations, which is what I assume the OP wants. Not because these architectures are necessarily deficient in some way, but simply that there is far too many applications that only target X86_64. Last time I tinkered with an ARM based desktop about 90% of what I wanted was there and worked well, but there were too many edge cases for me to feel comfortable recommending it. It's a network effect thing, and it's slowly changing, but we're not quite there yet.
And just in case: ME "enrolment" doesn't actually mean much. It's not some cool remote control thing or remote wipe or something like that; it's mostly just crappy VNC and a janky XML API that only works on the local network. So even if it contains provisioning profiles for some company, it's not like they have 'access' to your laptop. It's not like Apple's DEP or the legacy CompuTrace or Intel AT products. Those two are also not really all that exciting considering they mostly just work like rootkits on specific windows versions. If anything, getting your hands on a provisioned laptop gets YOU access to the company network in some badly configured NACs. 1. Get a very old machine that doesn't have it
2. Get a machine that doesn't use Intel or AMD processors