Unfortunately not all consumers place high value on the security of their computers, but one group that tends to focus on security are businesses with a dedicated IT group. When buying computers for users, these groups tend to have higher demands, like making sure the Intel Management Engine (IME) has been disabled. To that end, Reddit user [netsec_burn] has outlined a pretty simple method to where “normal people” can purchase one of these IME-disabled devices for themselves.
For those unfamiliar with the IME, it is a coprocessor on all Intel devices since around 2007 that allows access to the memory, hard drive, and network stack even when the computer is powered down. Intel claims it’s a feature, not a bug, but it’s also a source of secret, unaudited code that’s understandably a desirable target for any malicious user trying to gain access to a computer. The method that [netsec_burn] outlined for getting a computer with the IME disabled from the factory is as simple as buying a specific Dell laptop, intended for enterprise users, and selecting the option to disable the IME.
Of course Dell warns you that you may lose some system functionality if you purchase a computer with the IME disabled, but it seems that this won’t really effect users who aren’t involved in system administration. Also note that this doesn’t remove the management engine from the computer. For that, you’ll need one of only a handful of computers made before Intel made complete removal of the IME impossible. In the meantime, it’s good to see that at least one company has a computer available that allows for it to be disabled from the factory.