What does "ME disabled" really mean?

I sure cant speak  for labels,

but all that can be turned off in BIOS, if you look, did you first and upgrade BIOS? Freedos method more safe?

yes disable it , it is bug ridden for sure on old PC.

ME/AMT BIOS is very complex and with PCs advanced security packages works as team. and  is risky.

its cute though, tried it 1 time on HP, and found later the w10 software for it is no good,(exploits) and will never be upgraded from my PC with it, so its is gone.

I think if BIOS PW is off, fully there is no AMT, (my theory)

Hi savvy2.

No.  Intel Management Engine (ME) cannot be disabled in BIOS, only Active Management Technology (AMT) can. There is a huge difference between ME and AMT.  I am talking about the former, the autonomous subsystem that runs inside the Platform Controller Hub (PCH) on most mainboards manufactured in the last decade.

I fail to see how it can be related to BIOS not being updated. Indeed, the BIOS on these desktops has been updated to its most recent release (A15) using a Dell Real-Mode Kernel bootable USB drive (a Dell RMK bootable drive that only contains COMMAND.COM, DELLBIO.BIN and DELLRMK.BIN plus the O780-A15.EXE executable).

I know for sure these desktops do not have —and never had— support for AMT on BIOS, nor a hotkey to enter the Management Engine BIOS extension (MEBx).  But —as I said on the first post— AMT is not the problem, ME is.

Edit: note that Intel ME is a requirement for AMT, but the reverse is not true.  In other words, you cannot have AMT without ME but you can have ME without AMT.  I never though on AMT being a backdoor (at most it can have horrifying bugs like CVE-2017-5689), but ME is another matter.  This engine is running on most processors built in the last decade even if AMT is fully unprovisioned; it is the right place to build a backdoor if the intelligence community wants one.

Now Dell is selling workstations like the Precision 3431 Desktop with two different non-manageable processor options ("AMT disabled" and "both ME and AMT disabled").  The latter is the right one for someone that cares about security at the hardware level.

Hello U2CAMEB4ME.

That is interesting... so, if there is no S1 power state configurable on the BIOS setup then there is no support for Intel ME?  These are great news, as the BIOS on these desktops never had a "Power Management → Suspend Mode" option at all.

That's odd, I downloaded that manual some time ago and looked at the BIOS settings.  But, for some reason, I missed the description of the power state configuration.  To be honest, I had spent more time on the Dell OptiPlex 780 Technical Guidebook as it has a more pleasant format and supposedly has the same information about BIOS defaults.  I guess it is time to read more carefully the service manual.

If someone disagrees please say it loud!  But, as I understand it now, this one is the right answer; as the BIOS setup never had an option to enable the S1 power state it seems not only AMT but also ME have been disabled on factory.  These are fine desktops with the configuration I am looking for.

Thank you.

The QR code reads:

CN0G451FC088737T06YKA0

CN0G451FC088737T06YKA

https://drive.google.com/file/d/16vOSn9Y9l59n-lW3SWqiWx2ubvuxRYA-/view?usp=drivesdk 

@speedstep​ What program is that in your screenshot? Where did you get it? Will picking option 3 permanently disable the ME? Thanks.

Speedstep hasn't been on this forum for a year now.  One of our other contributors might answer if they can.

Meanwhile, the screenshot is the F12 Boot and Diagnostics menu.  Immediately and repeatedly press F12 upon startup.  I've never seen the text in green before.

@XJR8942​ , the screenshot from speedstep's post is the first boot screen of a new motherboard replacement, not from a program.

Selecting option 3 will disable Intel AMT.  It won't disable Intel ME. 

"Selecting option 3 will disable Intel AMT. It won't disable Intel ME."  Why would it be that way?  I'm genuinely thoroughly confused.

Thank you. I have a few more questions:

1. Just to be clear, is the "Manageability Engine (ME)" the same thing as the Intel Management Engine, correct?
2. Here's a list of configurations (or "management modes"):
https://www.dell.com/support/kbdoc/en-us/000142462/manufacturing-management-mode-settings-guide-intel-amt-on-dell-systems
What is the difference between Configuration 3 ME Disabled and Configuration 6 ME Lockout?

3. Is there any way to set the Configuration to 6 ME Lockout?
4. If I choose Configuration 1, then enter the Management Engine menu on the F12 screen, and change "Manageability" to "Disabled", does that put the motherboard in the same state as Configuration 3 (without the menu option in the future)?

Thanks!

Selecting option 3 will disable AMT function of Intel ME, no more vPro.

Selecting option 6 will lock users out of configuration of Intel ME itself, no more MEBx.

Intel ME is still function to manage other tasks it was designed for.

Remember, this is sharing user's point of view.  You must contact Dell for official response prior to purchase selection as these features are permanently set. 

For better understanding about Intel ME, you may consider to view this video.  It's a long watch and a bit hard for me to cover in a few words.

@bradthetechnut​ From what I understand, the ME starts first, prepares the system, then starts the main processor. If it's "disabled" then it stops there and/or keeps doing necessary background tasks, but it can no longer be used for AMT. (Running the ME Cleaner zeros out the code that it needs for AMT and access to the NIC, so it's an additional layer of protection.)

So given the options of 1) Configuration 3 ME Disabled or 2) Configuration 1 Default, what's more effective in disabling the ME?

Seems like Configuration 1 Default is better, since configuring the MEBx is still an option, and it can be disabled from there. But if I choose Configuration 3 ME Disabled, then MEBx is gone from the menu and I won't be able to get it back, and I have to trust Dell or Intel that the ME is actually disabled.

I once disabled HECI and it was partially crippling the IME from both BIOS and operating system.  As for a permanent solution, you may try HAP method.  But it seems that you already knew about using ME cleaner from Nicola Corna.  The video I linked is related to Positive Technologies.