Ok, I can't turn off Intel Management Engine. Should I upgrade it?


  1. Posts : 42
    Win 10
       #1

    Ok, I can't turn off Intel Management Engine. Should I upgrade it?


    Intel Management Engine is either a friendly bit of firmware code that ensures my computer runs great (Intel), or a big security issue, possibly with a back door for the friendly folks at the NSA. And there are, at least in theory, security issues with IMT. Apparently it CAN be disabled, but not easily. So I just did a clean install on a new-to-me Lenovo W541, and it wants to know if it can install an update to version 11.6. Given that I can't easily remove it, should I have the latest version to minimize security issues?

    Or, is this just a way to get Active Management Technology and other packages (IME interface, IME serial over LAN, Dynamic Applications Loader, Identity Protection Technology, Mgmt and Security Status, Local Mgmt Service) installed?


  2. Posts : 920
    Windows 10 Pro
       #2

    Suggest you read the Wiki and decide for yourself, it's very informative.
    Intel Management Engine - Wikipedia


  3. Posts : 42
    Win 10
    Thread Starter
       #3

    Hey Pejole,
    Hope you're healthy right now. Yeah, I read that and that's what prompted me to ask. My default is "No" to install unless someone here tells me the "upgrade package" from Lenovo fixes a security hole or something.


  4. Posts : 920
    Windows 10 Pro
       #4

    In short, anything you can install, other than a system vendor/ motherboard vendor BIOS + ME FW update, will have no effect on the security or lack of regarding the ME firmware, this is because the ME firmware operates outside of any operating system.
    If any of the updates are to other features such as power efficiency, sleep and/ or wake from sleep, then by all means install them if required.


  5. Posts : 42
    Win 10
    Thread Starter
       #5

    Ah, so because the firmware runs even when the computer is off, its security issues won't depend upon the software update. Got it. BTW, I just learned two new-to-me terms: in-band management, and out-of-band management.

    I think that the only thing that this update pertains to is IME. It installs AMT. Lenovo is pretty good about separating updates into logical chunks. I think I'll pass on installing AMT.

    Marking this thread as "solved", but I'll monitor in case someone comes back and says "Oh, no, no, you REALLY want to install that update!"

    Many thanks to you, sir (or Madame, as the case may be).


  6. Posts : 920
    Windows 10 Pro
       #6

    Well I looked at the Intel supplied ME update and it was about 200Mb in size, contained everything you could possibly need to access remote machines as an administrator, create scripts and all sorts of other ME interfacing goodies, none of which are to do with security.
    Any OS ME patches/ updates are probably a good idea to prevent malicious ME flashes, but the knowledge and resources needed to replace the ME firmware or to hack it is beyond all but the most serious and determined "hacker" (think state sponsored).
    You are most probably perfectly fine with OS updates (part of Windows normal security update procedure) and any BIOS/ UEFI updates from your vendor that specifically address ME firmware vulnerabilities, but as stated this only potentially prevents an OS based attack, the AMT I can't see any need for it unless you run a home server you might want to remote into at some point.
    At the end of the day it is up to you to decide how you want to proceed, but there is the old adage "if it ain't broke, don't fix it".
    Others may have additional information for you, or even different points of view, the above is only my humble opinion.


  7. Posts : 42
    Win 10
    Thread Starter
       #7

    The release notes state that this is the initial release for the w541 and other machines. For your amusement, this is from the Lenovo release notes:

    --------------------------------------------------------------------------------
    CHANGES IN THIS RELEASE
    Version 11.6.0.1045

    [Important updates]
    Nothing.

    [New functions or enhancements]
    - Initial release for ThinkPad [... other machines ...,] W541...

    This package installs the software (Intel(R) Management Engine Components) to
    enable the following devices.

    Device name                           Device name in the Device Manager
    ----------------------------------    -------------------------------------
    Intel Management Engine Interface     Intel(R) Management Engine Interface
    Intel Active Management Technology    Intel(R) Active Management Technology
     - Serial Over LAN (SOL)               - SOL (COMx)

    Other Intel(R) Management Engine Components
    ----------------------------------------------
    Intel(R) Dynamic Application Loader (DAL)
    Intel(R) Identity Protection Technology (IPT)
    Intel(R) Management and Security Status (IMSS)
    Intel(R) Local Management Service (LMS)


  8. Posts : 920
    Windows 10 Pro
       #8

    Yeah, that all seems like unwanted bloat, apart from having a name in device manager for a device that Windows should already identify, at least on my pre-built Acer it was identified correctly on a clean install of Windows with no Acer specific drivers.
    The SOL is particularly of note as that is one of the quoted available attack vectors, bypassing Windows security and accessing the NIC directly.
    I see no reason for a "normal" end user to want any of that software on their system.
    If you are concerned about the security of your device (ME wise) Intel have a utility to check whether you have necessary mitigations in place or not, similar to the Spectre and Meltdown utility, the mitigations would need to come from your system/ motherboard vendor in the form of a BIOS/ ME FW update.
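Added example, not part of the thread: a read-only PowerShell inventory of which host-side ME components named in the Lenovo release notes are present on a Windows 10 machine. The wildcard patterns are assumptions derived from the names in those release notes; actual display names can vary between driver package versions.

```powershell
# Added example: read-only inventory of the Intel ME host-side components
# named in the Lenovo release notes quoted in this thread.
# The wildcard patterns are assumptions based on those names, not values
# taken from Intel or Lenovo documentation.

$devicePatterns = @(
    '*Management Engine Interface*',
    '*Active Management Technology*'    # also matches the SOL (COMx) port
)
$servicePatterns = @(
    '*Local Management Service*',       # LMS
    '*Dynamic Application Loader*',     # DAL
    '*Management and Security*'         # IMSS
)

$found = @()

# Devices registered with Plug and Play (what Device Manager shows)
foreach ($pattern in $devicePatterns) {
    Get-PnpDevice -FriendlyName $pattern -ErrorAction SilentlyContinue |
        ForEach-Object {
            $found += [pscustomobject]@{
                Kind  = 'Device'
                Name  = $_.FriendlyName
                State = $_.Status
            }
        }
}

# Windows services installed by the components package
foreach ($pattern in $servicePatterns) {
    Get-Service -DisplayName $pattern -ErrorAction SilentlyContinue |
        ForEach-Object {
            $found += [pscustomobject]@{
                Kind  = 'Service'
                Name  = $_.DisplayName
                State = "$($_.Status) / $($_.StartType)"
            }
        }
}

if ($found) {
    $found | Sort-Object Kind, Name | Format-Table -AutoSize
} else {
    'No Intel ME host components matched.'
}
```

An empty result only means the host-side drivers and services are absent; as post #4 notes, the ME firmware itself runs outside the operating system and is not affected by what is installed in Windows.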


  9. Posts : 42
    Win 10
    Thread Starter
       #9

    Many thanks. I guess I'm a normal user, so... I won't install this.

    Again, many thanks!

    - - - Updated - - -

    More info. I was reading about Intel vPro, of which AMT is a significant part. There's some cool parlor tricks you can do with vPro (like connecting using a KVM approach, and running/booting/reloading an O/S remotely). Pretty sure stuff I never want to do. I think I'll look into turning vPro off.

    How to Remotely Control Your PC (Even When it Crashes)
    Last edited by WizardOfBoz; 16 Apr 2020 at 09:29.


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
