March 2nd, 2020 14:00

Disabling Intel Active Management Technology

We have a number of different models of OptiPlex desktops, all out of warranty.  All of them have Intel Active Management Technology and they are all enabled and in pre-provisioning state.  They can easily be enabled for remote management, but that is not what we want to do. 

The firmware versions for Intel ME on these machines are old and probably have not been updated since the machines were installed, as there was no knowledge of this technology existing or that it was enabled.  After reading the various warnings from Intel and Dell (and others) about the danger of out-of-date firmware on the Intel ME and also that it can be leveraged to take over a system, we decided the safest course we could take was to disable Intel ME on these systems. 

To that end, I have looked for a setting in the BIOS to do this (no luck) and used the Dell Configuration Utility (CCTK) to find a way to do that, but that was also a bust. 

Does anyone have any idea how to disable Intel ME on these desktops?

Thanks,

Leo

9 Legend

 • 

47K Posts

March 3rd, 2020 11:00

"would rather this not be a manual process"

Well that's not an option.

There are no further answers forthcoming.

 

7 Technologist

 • 

12.1K Posts

March 2nd, 2020 16:00

This site has very good directions for disabling Intel AMT. This is an Intel site by the way.

9 Legend

 • 

47K Posts

March 2nd, 2020 17:00

https://www.dell.com/support/article/en-us/sln295179/disable-intel-amt-intel-management-engine-state-control?lang=en

Ctrl-P only works when the POST screen is displaying "Intel® MEBX: ". If you don't see that prompt, your BIOS is either lacking the configuration, or it is not enabled. If you don't have options related to the AMT/ME, look for an updated BIOS, and contact the manufacturer.  NEWER versions use CTRL I or CTRL M or another key.

https://www.dell.com/community/Desktops-General-Read-Only/What-is-the-MEBx-hotkey-on-a-Optiplex-7040/td-p/5091249

MEBx Password Reset for Skylake desktop systems such as the OptiPlex 7040

Skylake systems which have previously gone through set up and configuration using MEBx will not revert by selecting full un-provision in BIOS settings.

Older system versions of OptiPlex systems which used Legacy settings could undergo a reset by selection of settings in BIOS under the MEBx interface.

Skylake systems are unable to use BIOS options to reset the system settings in case of lock out. In order to restore MEBx to default settings (See Figure 1.), a CMOS reset using the RTCRST jumper pins on the motherboard must be completed.

Use the RTCRST Reset Jumper.

MEBx Password Reset is completed using the Real Time Clock Reset (RTCRST) Jumper pins on the motherboard to clear previous configurations.

 

  1. Turn the system off and disconnect all cables and connected devices from the system
  2. Remove the system cover
  3. Locate the 2-pin password (PSWD) jumper on the system board
  4. Remove the 2-pin jumper plug
  5. Locate the 2-pin RTCRST jumper on the system board (usually located near the CMOS battery on desktop systems, see Figure 2. below for example)
 

 

 

March 3rd, 2020 07:00

Thanks for your replies.  We are looking for an option to disable Intel AMT.  The Ctrl-P options in the BIOS only allow you to enable or disable Intel ME management, set up remote control and power options and change/set the MEBx password. So, while you can configure or unconfigure Intel AMT from this area, you cannot disable it. 

Since we don't need or want Intel AMT, don't want to update its firmware and would rather not leave these systems vulnerable, we want to disable Intel AMT using a command line option or BIOS tool. 

Is that possible?

Thanks,

Leo

9 Legend

 • 

47K Posts

March 3rd, 2020 08:00

Enable or Disable AMT is usually a one time choice.

Disable Intel AMT

I'm not Dell, so I can't speak for all models, all years, all versions, etc.

You have yet to specify which model we are talking about.

Control P means these are VERY OLD models.

Dell says you press Control P then use the up and down arrows to ENABLE or Disable.

You may have to reset the MEBX password if you do not remember it.

Note: If you are prompted to change the password, the password criterion includes the following: eight characters, one capital letter, one number and one special character (*, !,%).

After entering the password, select Intel (R) ME Configuration by using the up and down arrow keys on the keyboard to highlight the option, and then press enter to select.
A caution message appears stating the following: System resets after configuration changes Continue:(Y/N). Choose Y.
On the next screen, use the up and down arrow keys on the keyboard to select Intel ( R ) ME State Control and press enter.
Use the up and down arrows keys to highlight and select Disabled and then press enter. Use the ESC key to exit after the change has been made to Disabled. The system should restart and no longer default to the Intel AMT – MEBx password screen.

 

March 3rd, 2020 10:00

We are not looking for that kind of solution, as we have many of these machines and would rather this not be a manual process.  This is why we are looking for a command line or BIOS tool option to disable Intel AMT.

 

Leo

March 3rd, 2020 10:00

Thanks for your reply.  I didn't specify the model as this issue pertains to all of our OptiPlex models.

Thanks,

Leo

2.5K Posts

March 3rd, 2020 10:00

Why not post what PC you have, by model # and SIZE, MT, or ? and with BIOS versions on them.

Not telling this makes answers wrong or crazy complex.

All you said was OptiPlex.

 

9 Legend

 • 

47K Posts

March 3rd, 2020 10:00

There is no one size fits all for ALL OptiPlex models or all OptiPlex years or ALL Dell machines with AMT in general.  That's why I indicated that the CTRL P or some other key combination is required along with the password to get in and DISABLE it.

MEBx Menu: Intel® ME Configuration

Setting: Intel® ME State Control

Options:

  • Disabled
  • Enabled

Description / Purpose:

The Intel Management Engine State Control (enable/disable) option provides a detach capability during field malfunction debug. You can use this option to disable the Intel Management Engine in order to isolate the Intel Management Engine subsystem from the main platform until the debugging process is complete.

When disabled via the Disable option, AMT is paused at a very early stage of the Intel Management Engine boot process so that the system has no traffic originating from the Intel Management Engine on any bus.

 

March 3rd, 2020 12:00

Thanks, what we will probably do is to change the default password in the BIOS for Intel AMT and disable the management features.  It won't stop the machine from showing Intel AMT as active, but it will prevent anyone with access to the machine (who knows the default password for Intel AMT) from enabling it from the BIOS.

Leo

3 Posts

June 23rd, 2021 10:00

Dell Command | Configure Version 4.2 Command Line Interface Reference Guide | Dell US

If the BIOS of the model supports it, setting the 'AmtCap' setting to 'Disabled' should do it.  You can't do this if the system is already provisioned.

December 30th, 2022 13:00

 

cctk --AmtCap=Disabled

 

Will disable Intel AMT; however, be warned that if you want to re-enable it in the future you have to do it manually in the BIOS (the Dell guide linked below confirms that). Not all Intel CPUs have AMT; CPUs with vPro have AMT. AMT runs on top of ME and I believe handles all the remote control aspects. ME apparently cannot be disabled by itself.

https://www.dell.com/support/manuals/en-us/command-configure/dellcommandconfigure_rg_4.x/-amtcap?guid=guid-522a74ff-7ece-44f4-8933-73bd7aea9df0&lang=en-us

https://en.wikipedia.org/wiki/Intel_Management_Engine#Difference_from_Intel_AMT

https://security.stackexchange.com/questions/170036/intel-management-engine-vulnerabilities-in-cpus-without-vpro

https://puri.sm/learn/intel-me/
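
For rolling the `cctk --AmtCap=Disabled` command from this thread out to many machines, the following PowerShell wrapper is an added example (not part of any post above and not Dell's own tooling) that reports the current value first, changes it only with `-Apply`, and flags machines where the change did not stick, such as already-provisioned systems. Assumptions: the install path shown, that querying `cctk --AmtCap` prints `AmtCap=<value>`, and the `--ValSetupPwd` option for a BIOS setup password.

```powershell
# Added example: report-then-disable wrapper for the AmtCap setting.
# Assumed: default Dell Command | Configure install path on 64-bit Windows.
param(
    [string]$Cctk = 'C:\Program Files (x86)\Dell\Command Configure\X86_64\cctk.exe',
    [string]$SetupPwd,   # BIOS setup password, if one is set (visible on the command line)
    [switch]$Apply       # without -Apply the script only reports
)

function Invoke-Cctk {
    param([string[]]$CctkArgs)
    # Capture stdout and stderr together so failures can be logged.
    $out = & $Cctk @CctkArgs 2>&1 | Out-String
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = $out.Trim() }
}

function Get-AmtCap {
    # Assumed output format when queried without a value: AmtCap=<value>
    $r = Invoke-Cctk @('--AmtCap')
    if ($r.ExitCode -eq 0 -and $r.Output -match 'AmtCap=(\w+)') { return $Matches[1] }
    return $null   # option not exposed by this BIOS, or cctk failed
}

if (-not (Test-Path $Cctk)) { throw "cctk not found at $Cctk" }

$before = Get-AmtCap
$result = [ordered]@{
    Computer = $env:COMPUTERNAME; Before = $before; After = $before; Status = ''
}

if ($null -eq $before)          { $result.Status = 'AmtCap not readable on this BIOS' }
elseif ($before -eq 'Disabled') { $result.Status = 'Already disabled' }
elseif (-not $Apply)            { $result.Status = 'Would disable (report only)' }
else {
    $setArgs = @('--AmtCap=Disabled')
    if ($SetupPwd) { $setArgs += "--ValSetupPwd=$SetupPwd" }
    $r = Invoke-Cctk $setArgs
    $result.After = Get-AmtCap
    if ($r.ExitCode -eq 0 -and $result.After -eq 'Disabled') {
        $result.Status = 'Disabled'
    } else {
        # Per the thread, this fails on systems that are already provisioned.
        $result.Status = "Not changed (exit $($r.ExitCode)): $($r.Output)"
    }
}

[pscustomobject]$result   # one record per machine; pipe to Export-Csv for a fleet report
```

Run it once without `-Apply` to inventory the fleet, then again with `-Apply`; machines reported as "Not changed" still need the manual MEBx procedure described earlier in the thread.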

 
