A team of researchers from Positive Technologies has dug into the innards of Intel Management Engine (ME) 11 and found a way to turn the feature off. If you aren't familiar with ME, it is a separate processor tucked away inside Intel CPUs that allows companies to manage the computers on their networks. Essentially, it lets the IT team get into your machine to fix issues or apply updates, among other things. The catch is that ME 11 is essentially a backdoor, leaving some concerned about potential exploits.
That fact has left many people who use Intel CPUs and have no need for that feature unhappy that a potential backdoor sits in their system. This is where Positive Technologies comes in, with its discovery of an undocumented mode that partially disables ME and the finding that this mode is connected to the High Assurance Platform (HAP) program. Positive Technologies does warn that following these steps could damage your PC.
If you want to follow the steps anyway, the researchers have put the utility needed on GitHub. Once that software is unpacked, you can begin the process of turning off ME 11. One warning: you cannot completely turn it off. ME is part of the boot process and is required to launch the main processor.
Positive Technologies wrote, "The disappointing fact is that on modern computers, it is impossible to completely disable ME. This is primarily due to the fact that this technology is responsible for initialization, power management, and launch of the main processor. Another complication lies in the fact that some data is hard-coded inside the PCH chip functioning as the southbridge on modern motherboards."
Intel provides mainboard makers with tools so they can program some limited ME functionality, including a Flash Image Tool (FIT) and a Flash Programming Tool (FPT). While not provided to end users, they are said to be freely available on the internet.
The full post by the researchers at Positive Technologies is very technical. At its core, the team found that there is a hidden switch in the ME firmware code; when set to "1", it turns off ME after the computer has booted and the ME components in the boot sequence are no longer needed. The bit is called "reserve_hap" and is described in the code as "High Assurance Platform (HAP) enable," reports BleepingComputer.
The bit was reportedly added at the request of the NSA for PCs running in highly secure environments. Intel confirmed the kill switch for ME, telling the researchers, "In response to requests from customers with specialized requirements we sometimes explore the modification or disabling of certain features. In this case, the modifications were made at the request of equipment manufacturers in support of their customer's evaluation of the US government's 'High Assurance Platform' program. These modifications underwent a limited validation cycle and are not an officially supported configuration."