XPS 8910 Problems with Intel Managment Engine Update

Well it looks as if my first post made it so here is the second.

Here are the results from the Intel SA-0086 Detection Tool:

Note that the version of the IME reported does not match the version of the IME Interface or the version of the driver. I can’t explain that and I don’t know where to look for the version of the IME.

For some reason it seems I am having problem posting so hopefully you are not seeing this a second time. I will break up my post to smaller ones.

I have an XPS 8910 with an i7-6700 @ 3.4 GHz with 32 GB RAM. On 1/9/18, I updated the BIOS to version 1.1.5 (first version) and ran Intel-Management-Engine-Interface-Driver_RCGJ3_WIN_11.7.0.1054_A03.EXE.

If you updated your BIOS on 1/18 it must have been the older first version since that version was pulled around 1/22 and not re-posted until around 2/8. There is no difference between the first and second BIOS release. The following document states that Dell re-released the BIOS without modification: http://www.dell.com/support/article/us/en/04/sln308587/microprocessor-side-channel-vulnerabilities-cve-2017-5715-cve-2017-5753-cve-2017-5754-impact-on-dell-products?lang=en

Device Manage says my Intel Management Engine (IME) Interface driver is version 11.7.0.1045. Note that this is the IME Interface version, I am not sure it is the same thing as the IME.

I have had no problems with the BIOS or the IME driver.

Sorry - couldn't see the results for your test.  My i7-6700 machine has no outward appearance of any problems.  But there is a hidden vulnerability issue.

Here's my deal:

1. I have an XPS 8910 with the Intel i7-6700@4GHz chipset - the Intel SA00086 Detection test result = "Vulnerable"
2. BIOS has been updated to 1.1.5 per Dell.
3. Dell SupportAssist keeps asking for an update to the Intel Management Interface Engine.  I attempted to update this driver but the update failed - Dell subsequently "suspended release" of this driver with no current update.
4. The Intel SA000086 Detection test result indicates that my #1 machine is "vulnerable".

When you install the intel detection tool, look in the install directory for a pdf document file called "Intel-SA-00086_Detection_UG.pdf".  This User's Guide has a lot of valuable information.

Hope that helps.

For some reason it seems I have more problems posting to this thread than others.

I don't know why the image of my results does not display here; it does for me. My problem is that sometimes my entire post does not appear. I will post the text of the results in the next post, making sure this one goes through first.

I don't see where Dell suspended release of the IME driver; when I checked just now it is still available in Drivers & downloads.

Malware and Corruption of Package Certificates can be an issue.

Bios updates are risky when you have Antivirus software installed.

MCPR is Highly recommended if you have Mcafee installed.

The Norton Nuke the Norton utility is also recommended if you use Symantec Antivirus

THERE IS NO ANTIVIRUS SOFTWARE ON EARTH RECOMMENDED TO STAY INSTALLED If you are updating bios.   If you need to download the bios to a flash drive and clean install windows from scratch then update bios.  Otherwise you may update your system to death and brick the machine.

There are also multiple microsoft issues with going from 1511  to 1607 to 1703 to 1709.  You have to update BIOS BEFORE the ME software.

I got tired of endless "feature updates from **bleep**" and got a windows 10 1709 OEM System builder Disk.

This clean installs starting with 1709 and then updates go from there.

The Fixes: from BIOS
- Updated Intel ME(Management Engine) Firmware to address security advisory INTEL-SA-00086 (CVE-2017-5705 & CVE-2017-5708)
- Updated to the latest CPU microcode to address CVE-2017-5715 and associated Intel Reboot issue.

http://downloads.dell.com/published/pages/xps-8910-desktop.html

Description	Released	Supported OS	Download
Intel Management Engine Interface Driver This package provides the driver for the Intel AMT HECI (ME) and is supported on the Alienware Alpha R2, Alienware Aurora R5, Alienware Aurora R6, XPS 8910 and XPS 8920 running the following Windows operating systems: Windows 10 64-bit.More details	1/9/2018	WT64A

Description	Version	Download
Dell XPS 8910 System BIOS this is from JAN 9 2018 This package provides the Dell System BIOS update and is supported on Dell XPS 8910 for Windows and DOS Operating Systems.More details	1.1.5
Dell XPS 8910 System BIOS This package provides the Dell System BIOS update and is supported on Dell XPS 8910 for Windows and DOS Operating Systems.More details	1.1.3
Dell XPS 8910 System BIOS This package provides the Dell System BIOS update and is supported on Dell XPS 8910 for Windows and DOS Operating Systems.More details	1.1.2
Dell XPS 8910 System BIOS This package provides the Dell System BIOS update and is supported on Dell XPS 8910 for Windows and DOS Operating Systems.More details	1.1.1
Dell XPS 8910 System BIOS This package provides the Dell System BIOS update and is supported on Dell XPS 8910 for Windows and DOS Operating Systems.More details	1.1.0
Dell XPS 8910 System BIOS This package provides the Dell System BIOS update and is supported on Dell XPS 8910 for Windows and DOS Operating Systems.More details	1.0.10
Dell XPS 8910 System BIOS This package provides the Dell System BIOS update and is supported on Dell XPS 8910 for Windows and DOS Operating Systems.More details	1.0.9
Dell XPS 8910 System BIOS This package provides the Dell System BIOS update and is supported on Dell XPS 8910 for Windows and DOS Operating Systems.More details	1.0.7
Dell XPS 8910 System BIOS This package provides the Dell System BIOS update and is supported on Dell XPS 8910 for Windows and DOS Operating Systems.More details	1.0.3

I think I am going to give up trying to post the Intel SA-0086 Detection Tool results here. Every time I post it says "Success!" but nothing appears. I will say that the version of the tool was 1.0.0.152 and the IME version was 11.8.50.3426 and SVN=3. If you have any questions about the results you can ask me here. The results were in the registry as per your document.

Yup.  I've run every current update from the Dell list you referenced.

I've disconnected from the internet, shut down my firewall, loaded a clean Windows 10 Pro, run the Dell BIOS and then the IME updates and still get the same results.  The Intel SA000086 detection took shows me as "vulnerable".

I am running the Intel i7-6700K CPU @ 4.00GHz in a Dell XPS 8910.  I'm pretty convinced this is an issue with that specific chipset.  What chipset are you running?  If it's a different set, then that's further confirmation to me that it might be my chipset (not my machine).

Lastly, have you actually run the Intel SA000086 Detection Tool?  If not - if your input is based on the fact that you "think" your machine is fine, I strongly recommend you run the Intel test.  At face **bleep**, my machine appears to be fine - until you run the detection tool.

Interesting - the results you referenced are quite different from mine.  I'm using the GUI version of the test.  It produces a popup results box - here's a screenshot of what my results say:

-------------------------

Intel Results my machine

My CPU is an i7-6700 (no K) at 3.4 GHz. The chipset is Intel Z170 (Skylake PCH-H) as reported by HWINFO64. 

I actually ran the Intel SA-0086 Detection Tool (GUI version, in the DiscoveryTool.GUI folder). The image I posted that you cannot see is a screen capture of the results. The results state "Based on the analysis performed by this tool: This system is not vulnerable. It has already been patched."

I cannot see your image, all I see is a triangle where the image is supposed to be. Clicking on your image does not help. I can still see my image in this thread. The results in my image match the results in the registry as stated in the Intel PDF.

I sent you a private message with the image of the detection tools results. I hope that will work for you.

I will take one more shot at this. The image is posted here: https://imgur.com/SUeVcmi

Ok, that one I could see.  It looks to me like the only difference is the "K" variant in my i7-6700K.  As reported by HWinFO64, it looks to me like the IME on the motherboard is locked down and will not allow the BIOS update to change its status.  I tried several different settings for the Intel Software Guard in the BIOS and nothing seems to change this status.  I'll forward this information to Dell along with the software installation logs/reports and we'll see if that helps.

Thanks again for all of your dedicated assistance. Being able to narrow this issue down to the difference in our processor chips has been absolutely invaluable to me.  Great work!

This issue is not solved, but I think I can get back to working with Dell to find a solution.

I hope Dell can resolve you problem. The thing that concerns me about my results is that the IME version reported by the Intel SA-0086 Detection Tool (11.8.50.3426) does not match the version of the IME driver Dell posted (11.7.0.1054) which I installed. The SA=0086 (Table 2-5) does indicate that version 11.8 and higher SVM >=3 are not vulnerable. This makes you wonder if the Dell IME driver is special to Dell since the Dell version does not seem to match this criteria.