08-22-2017 09:24 AM
I would like to disable Intel AMT over PowerShell/WMI,
from the BIOS we have 3 options, Enabled/Disabled/'Permanently Disabled'
From PowerShell/WMI, when using the below command:
(gwmi –class Lenovo_GetBiosSelections –namespace root\wmi).GetBiosSelections("AMTControl") | Format-List Selections
I get the output:
Selections : Disable,Enable,Disable
Seems like 'Disable' is listed twice, and there is no 'Permanently Disable'
I really don't want to make a change which cannot be reverted,
How can I be sure that if I use 'Disable' from PowerShell, it will only 'Disable' and not 'Permanently Disable' this option?
08-22-2017 10:36 AM
I just checked this on a T470 with Intel AMT. I set AMTControl to Disable and it disabled it in the BIOS menu. It did NOT Permenantly disable the AMT. I am fairly confident that the the reason you see 2 disables in the list is that we would not give a way to permenantly disable from script. That could be a security issue, preventing access to remote control computers. Permenant Disable means exactly that, the Intel AMT is no longer available. I think scripting that is an extremely high risk, so we dont do it.
08-22-2017 10:44 AM
Thank you for your quick reply,
It actually making sense not to allow permanently disable over script, but is there any way to get/find a formal answer about it?
we plan to initiate it potentially on thousands of computers (from various models), and we really need to be absolutely sure it will not get permanently disabled on any model,
I don't understand why we see 'disable' twice,
08-22-2017 11:24 AM
The only thing I can guess at for why Disable is presented twice is that there are 3 entries in the BIOS menu, therefore there would have to be corresponding entries in WMI. The mapping from BIOS menu to WMI would be something like:
BIOS Menu WMI Mapping
Disable > Disable
Enable > Enable
Perm Disable > Disable
Permenantly Disable maps to Disable therefore preventing the Permenant disablement by script. That is why you see 2 Disables.
As I said, I have tested this on a T470 and it ONLY disabled and did NOT Permenantly Disable the Intel AMT. If you have any concern about the repercussions, feel free to manually disable the setting in the BIOS menu and then query it from WMI. That should help. I would perform this task on each model you want to configure.