How to completely deactivate Intel AMT on T420?

[SimonSt]

Dear all,

I already asked this question on the Intel and Lenovo support forum but that got me nowhere. Maybe somebody here is more informed about AMT, especially on ThinkPads.

I am using a Lenovo ThinkPad T420 and Windows 7 prof. x64. Some days ago I did a reinstallation of Windows 7 (ISO image from MSDNAA and not the Lenovo DVD). After the OS and all drivers (using Lenovo System Update) were installed, I had a look at the device manager and recognized the "Intel management engine interface". Since I don't need this function (and don't want it because it's a potential security risk!) I researched how this device can be disabled. First I had a look in the System BIOS. This stated that "Intel (R) AMT control" is "Disabled":

https://origin-software.intel.com/sites ... sabled.jpg

So I went back to Windows and decided to use the "Management and Security Status" Tool which stated, that AMT is active ("Aktiviert" in german):

https://origin-software.intel.com/sites ... _small.png

I did some further googling which led me to the conclusion, that I have to use the "Management Enging BIOS Extension" (MEBx) to disable AMT. I went back to BIOS, reenabled "Intel (R) AMT control", (otherwise you can't enter MEBx), pressed Ctrl+P on restart and used MEBx to disable "Manageability Feature Selection":

https://origin-software.intel.com/sites ... sabled.jpg

After exiting MEBx and restarting Windows 7 the "Management and Security Status" said, that AMT is disabled ("Deaktiviert"):

https://origin-software.intel.com/sites ... _small.png

I thought that I've finally got rid of AMT, restarted the ThinkPad, entered BIOS and set "Intel AMT Control" back to "disabled". While restarting, the BIOS prompted "Intel ME unconfiguration in progress..." which sounded pretty promising to me.

BUT then this flashed up and stated that AMT is "enabled" (I had to take a movie, sorry for bad quality):

https://origin-software.intel.com/sites ... essage.png

Back in Windows the "Management and Security Status" states, that AMT is ACTIVATED.


So my questions are:

Is an active AMT the default setting on the T420 when the BIOS Option "Intel (R) AMT control" is disabled? Can somebody with a T420 verify this?
Is disabling the "Manageability Feature Selection" in MEBx the correct way to REALLY disable AMT or are there any other steps left?

Thanks a lot,

Simon

[Kilkenny]

I discovered this with my X201. The option in the BIOS that says AMT Control is enabled/disabled only refers to the control interface for AMT, not AMT itself. You will need to have that set to enabled, then hit Ctrl+P during boot go into the AMT interface and disable it from there. It confused the heck out of me until I figured that out.

http://download.lenovo.com/ibmdl/pub/pc ... -d0098.pdf

I read somewhere that pulling the CMOS battery will unconfigure AMT as well, but have never tried that.

Apologies if I'm misunderstanding your post; I have never run Windows on my ThinkPads and am not familiar with its AMT management tools.

[SimonSt]

Can you remeber what exactly you configured in MEBx to disable AMT? I'm not sure, if disabling the "Manageability Feature Selection" is the only thing to do.
Were you able to set the BIOS option "Intel (R) AMT control" back to "Disabled" without reactivating the AMT (this is what happens on my T420).

Thanks a lot!

[dr_st]

So, there are several components to the AMT, and it appears they are at least a little bit independent.

The ME (Management Engine) that you turn off via the BIOS Ctrl+P is one of them. There are also two Windows services:

Intel(R) Management and Security Application Local Management Service
Intel(R) Management and Security Application User Notification Service

You can control both via the services.msc applet.

On my X220, with the ME unconfigured in the BIOS, the Management and Security Status utility shows Intel Management Engine: unconfigured in the "Advanced" tab, but the AMT itself shows enabled, if these services are running (which is the default).

After disabling the services it shows "Information unavailable". So I think you should disable them.

Edit: I was probably too hasty here, because it's possible that these services may in fact only reflect the internal firmware state. I'll read some more about it.

Edit 2: It seems you are right in your research. So far it seems that enabling AMT control in the BIOS, then disabling the AMT features in the ME configuration menu is the closest thing to disabling all of manageability. There does not seem to be any option in the BIOS to completely stop the ME FW, and disabling AMT control resets all settings to default, which is "AMT enabled". I guess it's a good thing in case someone forgets the password, but it would be nice if they provided more control to the end-user.

[SimonSt]

On my X220, with the ME unconfigured in the BIOS, the Management and Security Status utility shows Intel Management Engine: unconfigured in the "Advanced" tab, but the AMT itself shows enabled, if these services are running (which is the default).

After disabling the services it shows "Information unavailable". So I think you should disable them.

Same situation on my T420 (which apparently uses the same Intel Management Engine Firmware 7.1 as your X220).
BTW: I noticed that you have to disable the two services while the "Management and Security Status" tool is running, otherwise this tool reenables them while starting.

Edit 2: It seems you are right in your research. So far it seems that enabling AMT control in the BIOS, then disabling the AMT features in the ME configuration menu is the closest thing to disabling all of manageability. There does not seem to be any option in the BIOS to completely stop the ME FW, and disabling AMT control resets all settings to default, which is "AMT enabled". I guess it's a good thing in case someone forgets the password, but it would be nice if they provided more control to the end-user.

Glad to hear that, thanks

What exactly are you doing in MEBx to disable AMT? Disabling the "Manageability Feature Selection" like I described? I'm not sure if there are any other options which have to be disabled in the MEBx.

[dr_st]

BTW: I noticed that you have to disable the two services while the "Management and Security Status" tool is running, otherwise this tool reenables them while starting.

If you change the service to "Disabled" (not just stop it), then the tool cannot re-enable it.

What exactly are you doing in MEBx to disable AMT? Disabling the "Manageability Feature Selection" like I described? I'm not sure if there are any other options which have to be disabled in the MEBx.

The same thing you described.

[SimonSt]

I have one last question, not directly relating to AMT.

The BIOS Option "Intel AT Module Activation" - "Current Setting" is set to "Disabled" on my T420:

https://software.intel.com/sites/defaul ... d_BIOS.jpg

As you can see in my previous post, the "Management and Security Status" tool states that AT is "Aktiviert" (Activated) anyway.
I did some further investigations about this and checked the status with 3 other Intel tools. Here is a screeshot I made:

https://software.intel.com/sites/defaul ... ates_0.PNG

Which one can I trust? Is Intel AT active or not?

[Kilkenny]

Can you remeber what exactly you configured in MEBx to disable AMT? I'm not sure, if disabling the "Manageability Feature Selection" is the only thing to do.
Were you able to set the BIOS option "Intel (R) AMT control" back to "Disabled" without reactivating the AMT (this is what happens on my T420).

Thanks a lot!

I didn't get very far because it required a password that I didn't have (I bought the X201 used).

One thing you can try to figure out if AMT is really enabled or not is to port scan the laptop and look for ports 16992 and 16993 being open. I'd try it with both machines on wireless, then with both on ethernet in case AMT is set to only work on ethernet. You can also try to connect to the AMT web UI using the instructions here: https://software.intel.com/sites/manage ... erface.htm

[SimonSt]

I didn't get very far because it required a password that I didn't have (I bought the X201 used).

So you weren't able to disable AMT on your X201?
The password should be the default password ("admin") after disabling and reenabling the BIOS option "Intel AMT Control".

One thing you can try to figure out if AMT is really enabled or not is to port scan the laptop and look for ports 16992 and 16993 being open. I'd try it with both machines on wireless, then with both on ethernet in case AMT is set to only work on ethernet. You can also try to connect to the AMT web UI using the instructions here: https://software.intel.com/sites/manage ... erface.htm

I wasn't able to connect to one of those ports from another PC. It only worked in the local Browser: