• Would someone explain Intel Management Engine and Intel ME)

    #2450338

    This has always baffled me:

    What is the difference between the Intel Management Engine Software and the Intel ME Firmware updates?  I see listings for both.  Some questions that maybe someone could answer.

    1.  Would a BIOS update supersede a security update for Intel ME Firmware?  Or, are these two completely different things?
    2.  What is the order of installation:  BIOS, Chipset, Intel Management Engine Software and then Intel ME Firmware update?  Is this the recommended order?

    If you want to dig deeper, and likely get more confused, head here:  https://pcsupport.lenovo.com/us/en/products/laptops-and-netbooks/legion-series/legion-7-16ithg6/downloads/driver-list/component?name=BIOS%2FUEFI

    or see attached txt file.

    Thanks, Mike

     

    • #2450340

      Here might be a good place to start with a search box to the upper right:
      https://www.intel.com/content/www/us/en/company-overview/company-overview.html

      On permanent hiatus {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
      offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
      online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
      1 user thanked author for this post.
    • #2450385

      Would a BIOS update supersede a security update for Intel ME Firmware?  Or, are these two completely different things?

      These are completely different things.
      BIOS is built by the OEM.
      Intel Management Engine deals with Intel chipset/CPU.

      1 user thanked author for this post.
    • #2450654

      I’ve read just about every link out there but I appreciate you reposting them. The How-to-geek one was probably the best.  Forget about getting anything directly from Intel websites.

      If you’re still following this post I was looking for a more detailed explanation.  For instance, there appears to be both firmware and software updates for the Intel Management Engine.

      And, whether or not the order of installation matters. Refer to my original post.

    • #2450662

      This article is virus-related, but there are pictures and explanations of Intel’s working parts:
      https://www.bleepingcomputer.com/news/security/conti-ransomware-targeted-intel-firmware-for-stealthy-attacks/

      It looks like the Intel Management Engine is its own mini-system wherein the code and operations are hidden.

      1 user thanked author for this post.
    • #2450696

      Intel Management Engine (ME) Basic Starter Kit explanation:
      https://en.wikipedia.org/wiki/Intel_Management_Engine

      From reading this and other sources, it looks like there are ME drivers, microprocessor (hardware), and ME firmware where “ME firmware is stored in a partition of the SPI BIOS Flash…”

      1 user thanked author for this post.
    • #2450701

      Alex5723 is correct, the BIOS and Intel ME firmware are two different things. Both are stored within chips on your motherboard but are physically separate.

      I will describe the answers to your questions in more detail below. Just to add to the confusion, the Intel ME software and Intel ME firmware use different version number schemes, e.g. 1909.12.0.1236 for the software. The firmware may be 11.12.92.2222.

      I hope these explanations are useful, despite their length. Thanks.

      ======================
      1. No, a BIOS update is separate to an Intel ME firmware update. However, to add to the confusion some manufacturers e.g., Dell and Asus sometimes include Intel ME firmware updates within some of their BIOS updates for their systems.

      When running such a bundled BIOS update, it checks if the current in-use ME firmware is older than the version bundled with the BIOS update; if it is, the ME firmware is also updated. If the currently installed ME is the same version or newer, only the BIOS update is installed. While you have only initiated the installation of the BIOS update, the check on the Intel ME firmware is performed in the background.

      From having installed such bundled updates myself, you usually aren’t aware multiple stages of updates are taking place but I have noticed that such updates cause the system to reboot twice automatically. When control is returned to you, you’ll see both the BIOS and Intel ME have been updated (both version numbers are higher).

      However, most of the time, Intel ME firmware updates and BIOS updates are carried out separately. In general, you download and install the updates separate to one another.

      2. Yes, I would agree with that order of installation you listed. I don’t recall where I read this (I believe it was from Intel’s ME firmware release notes) but when you are routinely updating the Intel ME firmware you should first update the Intel ME software (if such an update is available). Intel ME software updates may or may not be updated at the same time as the Intel ME firmware, in such cases just use the most recent software available at the time.

      I say routine here since this would be a later time after first setting up your system.

      The Intel ME software consists of components such as management software for the TPM and an Intel Licensing service (I’m not sure what that is used for) and some other utilities. The ME software also generally includes the MEI (Management Engine Interface) driver for Windows. The MEI driver is the most critical part of the ME software to keep updated.

      All of the Intel ME software only runs in Windows. The ME firmware updates are sent using the Intel firmware update utility (which also runs within Windows in a command prompt window) to the physical Intel ME firmware of your system. Once such an update is carried out the firmware updater asks for your system to restart.

      When you do choose to restart the system yourself (I have observed this for my Intel X299 desktop system), usually you actually observe the system shuts down and then automatically powers back on. I assume the same happens for laptops, but the effect is more subtle and I haven’t explicitly observed the same happening.

      In general, try to obtain the Intel ME firmware updates from the manufacturer of your system. My Lenovo and HP laptops offer such updates from the automatic updater software Lenovo and HP routinely install on new systems. I use these updaters since they will select and install the right firmware for you.

      But the Intel ME firmware is usually easy to find for laptops (at least in the case of modern HP and Lenovo laptops) when you select the exact model number you have. You can also usually enter the serial number of your system in the downloads section of their websites and your system and a matching list of suitable downloads are displayed. The automatic update software does the same without the need to visit the website.

      I say this since for custom desktop systems like my Intel X299 system, there are Intel ME firmware updates of varying sizes from Intel and they are named differently too, consumer and server versions but both will have the same version numbers.

      To avoid installing the wrong version (and ruining the system), I just get them from Asus, the manufacturer of the X299 motherboard I own. I have updated the ME firmware more than 5 times over the years without any issues. The most recent update was earlier this year. They are generally released 2 to 3 times per year.

      3 users thanked author for this post.
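
Added example, not part of the post above and not vendor code: the bundled-update rule described in answer 1 (the ME firmware is flashed only when the installed copy is older than the bundled one), with the four-part versions compared numerically. The function names, the field names, the older version 11.8.50.3399, and the rule that a different major number is refused are assumptions made for illustration.

```python
from typing import NamedTuple


class DottedVersion(NamedTuple):
    # Field names are assumed labels for the four dotted parts.
    major: int
    minor: int
    patch: int
    build: int


def parse_version(text: str) -> DottedVersion:
    """Parse 'a.b.c.d' into integers so the fields compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part dotted version: {text!r}")
    return DottedVersion(*map(int, parts))


def bundled_update_stages(installed_me: str, bundled_me: str) -> list[str]:
    """Stages a bundled BIOS package runs, following the rule in the post."""
    installed = parse_version(installed_me)
    bundled = parse_version(bundled_me)
    # Assumption: a different major number means a different firmware branch,
    # or an ME *software* version passed in by mistake, so refuse to compare.
    if installed.major != bundled.major:
        raise ValueError(f"version schemes differ: {installed_me} vs {bundled_me}")
    stages = ["BIOS"]  # the BIOS part is installed in every case
    if installed < bundled:  # ME is flashed only when the installed copy is older
        stages.append("ME firmware")
    return stages


# 11.12.92.2222 and 1909.12.0.1236 are the firmware and software version
# examples quoted in the post; 11.8.50.3399 is a constructed older version.
OLDER_FW = "11.8.50.3399"
POST_FW = "11.12.92.2222"
POST_SW = "1909.12.0.1236"

if __name__ == "__main__":
    print(bundled_update_stages(OLDER_FW, POST_FW))  # older ME: two stages
    print(bundled_update_stages(POST_FW, POST_FW))   # same ME: BIOS only
    print(OLDER_FW < POST_FW)  # plain string comparison misorders these two
```

Comparing the raw strings puts 11.8 after 11.12, which is why the versions are parsed into integers first.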
      • #2450712

        Thanks so much AJ for this detailed, concise response.  I’m going to print it for the future.  I also have an X299 based Asus MB (Premium Deluxe II).  That’s where the Intel ME update questions first puzzled me…..Asus support didn’t know, Intel didn’t know and on and on.

        So, when it recently appeared on my Lenovo laptop I was again confused.  The end result of all this is for Lenovo, you update the ME firmware and separately the software.

        Thanks.

        Mike

      • #2451007

        The MEI driver is the most critical part of the ME software to keep updated.

        Why would one need the drivers for an unused device?
        I used to have the device disabled but see it is enabled now (I likely did that and forgot). I do not recall any problems with it disabled.

        I have not seen anywhere where this is useful to the average consumer. I did see LoJack mentioned as possibly using it but who has LoJack on their computer? Enterprise customers who might use the AMT.

        Ok I see the device driver may be used to configure TPM.

        BTW AMD has a similar setup known as AMD Secure Technology.

        🍻

        Just because you don't know where you are going doesn't mean any road will get you there.
    • #2450781

      IME is really designed for use in corporate/large environments where you have a dedicated IT team who can manage the machines remotely.
      It is of no value in a home / SOHO environment.

      cheers, Paul

      2 users thanked author for this post.
      • #2450809

        Should a home/SOHO office disable or uninstall any IME functions to reduce the attack surface or eliminate any unnecessary bloat?

        Windows 10 22H2 desktops & laptops on Dell, HP, ASUS; No servers, no domain.

        • #2450815

          Yes and no, of course.

          An attack can only be launched from the same network, not from the internet.
          Not having the IME software installed makes sense as you have less unused software, but you may need drivers for the IME hardware so there are no errors in Device Manager.

          cheers, Paul

          1 user thanked author for this post.
    • #2478097

      Do I have to go through installing each Intel ME FW Update Tool? To be sure?

      I have to flash BIOS first and MSI has three Intel ME FW Update Tools for the model I use.

       

    • #2478206

      There is probably no point in updating the firmware on a home machine, especially if you don’t have the IME software running on the machine.

      cheers, Paul

      1 user thanked author for this post.