Disabling the Management Engine - ISpillMyDrink/UEFI-Repair-Guide GitHub Wiki

It is possible to set a special firmware bit or clear out part of the Management Engine's firmware to disable it after system bringup. This can be done with ME Cleaner (not to be confused with the process of "cleaning" the Management Engine firmware). It may be necessary to disable the ME when using "unblessed" combinations of chipset and CPU (e.g. a mobile CPU on a desktop platform).

Soft Disabling

Management Engine versions >= 11 can be disabled by setting the High Assurance Platform (HAP) bit in the Flash Descriptor, which effectively disables the ME after bring up. Versions < 11 can similarly be disabled by setting the AltMeDisable bit. ME Cleaner can be used to soft-disable the Management Engine.

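# Disable the ME by setting the HAP/AltMeDisable bit
# (original.bin and modified.bin are placeholder file names for the firmware dump and the output image)
me_cleaner -s -O modified.bin original.bin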
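To confirm that a dump actually carries the soft-disable bit before or after flashing, the strap can be read back from the Flash Descriptor. The following is an added example, not part of the original guide or of ME Cleaner; the strap locations (HAP as bit 16 of PCHSTRP0, AltMeDisable as bit 7 of PCHSTRP10) are assumptions to check against your platform's descriptor documentation, and the sample image is constructed.

```python
import struct

FD_SIGNATURE = b"\x5a\xa5\xf0\x0f"  # flash descriptor magic 0x0FF0A55A, little-endian
FD_SIG_OFFSET = 0x10


def soft_disable_state(image: bytes, me_major: int) -> dict:
    """Report which soft-disable strap applies to this ME version and whether it is set."""
    if len(image) < 0x1C or image[FD_SIG_OFFSET:FD_SIG_OFFSET + 4] != FD_SIGNATURE:
        raise ValueError("no flash descriptor at 0x10 (ME-region-only dump?)")
    # FLMAP1 sits 8 bytes after the signature; bits 23:16 hold the PCH strap
    # base address (FPSBA) in 16-byte units.
    (flmap1,) = struct.unpack_from("<I", image, FD_SIG_OFFSET + 8)
    fpsba = ((flmap1 >> 16) & 0xFF) << 4
    if me_major >= 11:
        name, offset, bit = "HAP", fpsba, 16                  # assumed: PCHSTRP0 bit 16
    else:
        name, offset, bit = "AltMeDisable", fpsba + 0x28, 7   # assumed: PCHSTRP10 bit 7
    if offset + 4 > len(image):
        raise ValueError("strap offset lies outside the image")
    (strap,) = struct.unpack_from("<I", image, offset)
    return {"bit": name, "offset": offset, "set": bool(strap & (1 << bit))}


def build_sample(me_major: int, disabled: bool) -> bytes:
    """Constructed 4 KiB descriptor for demonstration only, not a real dump."""
    img = bytearray(b"\xff" * 0x1000)
    img[FD_SIG_OFFSET:FD_SIG_OFFSET + 4] = FD_SIGNATURE
    fpsba = 0x100
    # FLMAP0 = 0, FLMAP1 carries FPSBA in bits 23:16
    struct.pack_into("<II", img, FD_SIG_OFFSET + 4, 0, (fpsba >> 4) << 16)
    struct.pack_into("<I", img, fpsba, 0)          # PCHSTRP0 cleared
    struct.pack_into("<I", img, fpsba + 0x28, 0)   # PCHSTRP10 cleared
    if disabled:
        offset, bit = (fpsba, 16) if me_major >= 11 else (fpsba + 0x28, 7)
        struct.pack_into("<I", img, offset, 1 << bit)
    return bytes(img)


if __name__ == "__main__":
    for major, disabled in ((11, False), (11, True), (8, True)):
        print(major, soft_disable_state(build_sample(major, disabled), major))
```

On a real dump, read the file with `open(path, "rb").read()` and pass the ME major version reported for that platform.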

Hard Disabling

Another way to disable the Management Engine is to remove the partitions and modules of its firmware that are not related to system bring up. This locks the ME up after bring up, effectively disabling it, which may or may not cause problems. ME Cleaner can again be used to hard-disable the Management Engine this way.

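# original.bin and modified.bin are placeholder file names for the firmware dump and the output image

# Disable the ME by removing the code partitions
me_cleaner -O modified.bin original.bin

# OR disable the ME by removing the code partitions and setting the HAP/AltMeDisable bit
me_cleaner -S -O modified.bin original.bin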

It should be noted that in addition to losing functionality such as fTPM, disabling the Management Engine can result in several issues, such as an unstable LPC bus.