Factory Laptop With IME Disabled

Unfortunately, not all consumers place a high value on the security of their computers, but one group that does tend to focus on security is businesses with a dedicated IT group. When buying computers for their users, these groups tend to have higher demands, such as making sure the Intel Management Engine (IME) has been disabled. To that end, Reddit user [netsec_burn] has outlined a pretty simple way for “normal people” to purchase one of these IME-disabled devices for themselves.

For those unfamiliar with the IME, it is a coprocessor on all Intel devices since around 2007 that has access to the memory, hard drive, and network stack even when the computer is powered down. Intel claims it’s a feature, not a bug, but it’s also a body of secret, unaudited code, which understandably makes it a desirable target for any malicious user trying to gain access to a computer. The method [netsec_burn] outlined for getting a computer with the IME disabled from the factory is as simple as buying a specific Dell laptop intended for enterprise users and selecting the option to disable the IME.

Of course, Dell warns you that you may lose some system functionality if you purchase a computer with the IME disabled, but it seems this won’t really affect users who aren’t involved in system administration. Note also that this doesn’t remove the management engine from the computer; for that, you’ll need one of only a handful of computers made before Intel made complete removal of the IME impossible. In the meantime, it’s good to see that at least one company offers a computer that can have the IME disabled from the factory.

34 thoughts on “Factory Laptop With IME Disabled”

  1. It mentions it in the thread, but for those who also hate digging through Reddit, you can also order laptops from System76 and Purism that are better and cheaper than Dell’s stuff. Dunno why someone would want a Dell when those options exist.

          1. Oh, I forgot you couldn’t get Windows unless it came preinstalled…

            I think I blacked out when I built my system and when I came to it had just appeared.

      1. Sorry, no idea. Browsing through GitLab issues and Google, I noticed people got it working with 2017 Mac notebooks. And I know for a fact that not that long ago it was possible to run functional macOS, including iCloud access, in a virtual machine after only adjusting some information reported by the virtual machine firmware to the OS. Because virtual machines do not implement the ME, I assume it might not be utilized at all, or used only for niche features like DRM.

    1. Hey now, looking at that me_cleaner info page, mentioning the 30-minute shutdown for invalid firmware. Now, is it the IME doing that when you put, say, an i5 in a Pentium or Celeron system and it shuts down in 30 min, despite voltages, chipset, socket, TDP, process generation and every other detail being right??? Just thinking that if it’s the IME getting in the way rather than a BIOS thing (they usually work great for 30 mins, per the people that have reported this), then nobbling the ME with this might allow these upgrades to work properly.

      1. Are you talking about the HM70 chipset? I remember this issue and AFAIR disabling the ME did not help. This “feature” is probably handled in the chipset boot ROM before loading the ME image is even attempted.

  2. > For that, you’ll need one of only a handful of computers made before Intel made complete removal of the IME impossible.

    Or, presumably, a non-Intel chipset? Do AMD have an equivalent to the IME, and can it be disabled?

  3. The irony being that the ME is aimed at enterprise customers who are buying 500 identical computers and want to be able to manage them all at once.
    I’m still not sure why Intel decided to put it in all their chips, instead of leaving it as an expensive add-in option for businesses.
