amirda
Punch Card
Posts: 13
Registered: ‎08-06-2017
Location: US
Views: 4,263
Message 1 of 4

Changing Intel AMT BIOS Setting from WMI/PowerShell

Hello,
I would like to disable Intel AMT over PowerShell/WMI.
From the BIOS we have 3 options: Enabled/Disabled/'Permanently Disabled'.
From PowerShell/WMI, when using the below command:

(gwmi -class Lenovo_GetBiosSelections -namespace root\wmi).GetBiosSelections("AMTControl") | Format-List Selections

I get the output:
Selections : Disable,Enable,Disable

Seems like 'Disable' is listed twice, and there is no 'Permanently Disable'.

I really don't want to make a change which cannot be reverted.

How can I be sure that if I use 'Disable' from PowerShell, it will only 'Disable' and not 'Permanently Disable' this option?

 

Please advise,

Thanks,

Lenovo Staff
Lenovo Staff
Posts: 1,107
Registered: ‎03-03-2016
Location: US
Views: 4,248
Message 2 of 4

Re: Changing Intel AMT BIOS Setting from WMI/PowerShell

amirda,

 

I just checked this on a T470 with Intel AMT.  I set AMTControl to Disable and it disabled it in the BIOS menu.  It did NOT Permanently disable the AMT.  I am fairly confident that the reason you see 2 disables in the list is that we would not give a way to permanently disable from script.  That could be a security issue, preventing access to remote control computers.  Permanent Disable means exactly that, the Intel AMT is no longer available.  I think scripting that is an extremely high risk, so we don't do it.

 

HTH,

 

Tlawson

amirda
Punch Card
Posts: 13
Registered: ‎08-06-2017
Location: US
Views: 4,242
Message 3 of 4

Re: Changing Intel AMT BIOS Setting from WMI/PowerShell

Thank you for your quick reply,

It actually makes sense not to allow permanent disable over script, but is there any way to get/find a formal answer about it?

We plan to initiate it potentially on thousands of computers (from various models), and we really need to be absolutely sure it will not get permanently disabled on any model.

I don't understand why we see 'disable' twice.

 

Thanks,

Lenovo Staff
Lenovo Staff
Posts: 1,107
Registered: ‎03-03-2016
Location: US
Views: 4,230
Message 4 of 4

Re: Changing Intel AMT BIOS Setting from WMI/PowerShell

amirda,

 

The only thing I can guess at for why Disable is presented twice is that there are 3 entries in the BIOS menu, therefore there would have to be corresponding entries in WMI.  The mapping from BIOS menu to WMI would be something like:

BIOS Menu        WMI Mapping
Disable       >  Disable
Enable        >  Enable
Perm Disable  >  Disable

Permanently Disable maps to Disable, therefore preventing the Permanent disablement by script.  That is why you see 2 Disables.

As I said, I have tested this on a T470 and it ONLY disabled and did NOT Permanently Disable the Intel AMT.  If you have any concern about the repercussions, feel free to manually disable the setting in the BIOS menu and then query it from WMI.  That should help.  I would perform this task on each model you want to configure.

 

HTH,

 

Tlawson
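
The per-model check suggested in the reply above can be scripted. The following is an added example, not code from the thread or from Lenovo: it records the model, the current AMTControl value and the offered selections, and changes the setting only when run with -Apply. It assumes the Lenovo WMI classes Lenovo_BiosSetting, Lenovo_SetBiosSetting and Lenovo_SaveBiosSettings in root\wmi (not named in the thread) and that no BIOS supervisor password is set.

```powershell
# Added example (not from the thread). Run elevated on a Lenovo system.
# Assumption: no BIOS supervisor password is set on the machine.
param([switch]$Apply, [string]$Setting = 'AMTControl', [string]$Target = 'Disable')

$ns = 'root\wmi'

function Get-LenovoBiosValue([string]$Name) {
    # CurrentSetting is a "Name,Value" string; drop any text after ';' defensively.
    $item = Get-WmiObject -Class Lenovo_BiosSetting -Namespace $ns |
        Where-Object { $_.CurrentSetting -like "$Name,*" } |
        Select-Object -First 1
    if (-not $item) { return $null }
    return (($item.CurrentSetting -split ',', 2)[1] -split ';')[0]
}

$product    = Get-WmiObject -Class Win32_ComputerSystemProduct
$sel        = Get-WmiObject -Class Lenovo_GetBiosSelections -Namespace $ns
$selections = $sel.GetBiosSelections($Setting).Selections -split ','
$before     = Get-LenovoBiosValue $Setting

$setResult = $saveResult = 'not attempted'
if ($Apply) {
    # Refuse to write a value the firmware does not list for this setting.
    if ($null -eq $before) { throw "$Setting is not exposed on this model" }
    if ($selections -notcontains $Target) {
        throw "'$Target' is not offered here: $($selections -join ',')"
    }
    $set  = Get-WmiObject -Class Lenovo_SetBiosSetting   -Namespace $ns
    $save = Get-WmiObject -Class Lenovo_SaveBiosSettings -Namespace $ns
    $setResult = $set.SetBiosSetting("$Setting,$Target").return
    # Commit only when the set call reported Success.
    if ($setResult -eq 'Success') { $saveResult = $save.SaveBiosSettings().return }
}

# One record per machine, suitable for Export-Csv across a fleet.
[pscustomobject]@{
    Model        = $product.Version   # friendly name on Lenovo systems
    MachineType  = $product.Name
    Setting      = $Setting
    ValueAtStart = $before
    Selections   = $selections -join ','
    SetResult    = $setResult
    SaveResult   = $saveResult
}
```

Run it without -Apply on one machine of each model after a manual change in the BIOS menu, then again after a scripted change and restart, and compare the recorded values per model.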
