Dell Sells PCs Without Intel's Management Engine, but With Tradeoffs

It's technically possible to buy a laptop without Intel's Management Engine enabled, but there are significant tradeoffs and these systems aren't typically available to ordinary consumers. Read on for details.
By Joel Hruska
Last week, we reported that Dell had become the first major OEM to sell laptops that didn't use the Intel Management Engine. The move was significant, both because of Dell's size and because the other two PC OEMs that had made similar statements both focus on the Linux market. We've now had a chance to follow up with the Round Rock company on what it's offering, and the situation is more complex than it may have initially seemed.

For those just tuning in, the Intel Management Engine is part of the hardware SoC on modern Intel processors. It can be used for a variety of remote administration and system-monitoring tasks, and it runs its own operating system completely outside the control of Windows 10. Intel has never shared much public information about the IME, but that didn't stop security researchers from disclosing some critical flaws not long ago. In the wake of those disclosures, the IME has come under fire as a fundamentally insecure system. When eagle-eyed customers found the following configuration options under three Dell systems (the Dell Latitude 14 Rugged, the Latitude 15 E5570, and the Latitude 12 Rugged Tablet), it seemed to confirm that the company was preparing to offer this feature to a wider customer base.

This is what the menu looked like; these options are no longer displayed on the order page.

Here's what Dell told us when we inquired about the company's future plans for IME-free systems.
Dell has offered a configuration option to disable the Intel vPro Management Engine (ME) on select commercial client platforms for a number of years (termed Intel vPro - ME inoperable, custom order on Dell.com). Some of our commercial customers have requested such an option from us, and in response, we have provided the service of disabling the Management Engine in the factory to meet their specific needs. As this SKU can also disable other system functionality it was not previously made available to the general public. Recently, this option was inadvertently offered online as a configuration option for a couple of systems on Dell.com. Customers interested in purchasing this SKU should contact their sales representative as it is intended to be offered as a custom option for a select number of customers who specifically require this configuration.

We followed up with Dell with some additional questions about the Intel Management Engine and what it brings to the table. First, all current Intel Core and Intel Atom-derived systems from Dell ship with the IME enabled. As far as we know, this has been the case for years, both at Dell and at other OEMs. Dell explained that it enables IME because the functionality is an "integral part of normal system operation." This includes configuring system clocks, thermal management, and security features used to ensure code integrity. It also enables DRM video content playback.

Back in 2015, we covered Windows 10's then-upcoming PlayReady 3.0 DRM system. One of the points Microsoft made up-front is that DRM compliance required a new hardware security processor and a secure media pipeline implemented within the GPU, and the Intel Management Engine seems to be designed to fit those goals (even if 4K streaming is confined to Kaby Lake and other chips).

Figure: Hardware DRM implementations in Windows 10

Dell also told us that it doesn't use the Intel Management Engine for any custom purpose, though some of its commercial products do use Intel's Active Management Technology (AMT). AMT is only available on PCs that also offer vPro and is used for remote system maintenance.

There are ways to put a laptop into "High Assurance Mode," which was apparently created by Intel for the NSA and locks down any avenue that might be exploited to steal data. It's also sometimes possible to disable the IME, though this can also brick your system permanently.

One central problem is this: While some individuals might want to buy laptops that they can lock down, these systems are going to be prevented from working properly with various services that use DRM. Despite rumors that AMD might start shipping laptops with the ability to turn off their ARM-derived security processor, this seems similarly unlikely. AMD appears to use its own security chip for secure boot and DRM authentication the same way Intel does, which means any attempt to ship these systems to consumers could create a great deal of confusion. Most buyers care more about streaming 4K video than they do about buying a system that doesn't have a feature they've never even heard of. We have some questions in to AMD about this, as we're aware of some claiming this feature can be disabled in UEFI, but our current understanding is that it can't be, not without disabling some significant Windows capabilities in the first place.

This situation is evolving and could change in the future, but for now, no one seems to be making any plans to start shipping Windows laptops publicly advertised as not using IME or AMD's equivalent, the Platform Security Processor (PSP).