Depending upon one's point of view, Intel's Active Management Technology (AMT) is either a great IT benefit or a massive security backdoor.
Intel advertises that AMT enables IT departments to "manage and repair not only their PC assets, but workstations and entry servers as well," but the most important capability is that "devices can be diagnosed and repaired remotely," allowing IT "to discover assets even while platforms are powered off." And it can do this while the machine is shut down but still connected to power and Ethernet. It does this via Wake-on-LAN, so it might be possible to thwart AMT-style probing by disabling Wake-on-LAN. Wake-on-LAN and network boot are enabled by default on the Intel motherboards I own.
Dariusz Wittek, Intel EMEA Biz Client Solution Architect, said that "[AMT] does not have direct access to your HDD," but if it can "remotely remediate and recover systems after OS failures," then it must be able to format and install software on the HDD.
One problem is that AMT software is proprietary. Intel might say that AMT is secure because its code is obscure. However, we have seen with Windows' never-ending security problems that this model does not always work well. Linux is much more secure than Windows because many developers in many countries are able to look at the code and point out problems (and Linux users don't generally use an admin account for regular use).
There are a few hardware requirements for AMT, including a processor which supports vPro, a motherboard with a Q-chipset (though some Q-chipsets only support Standard Manageability), and Intel networking. The BIOS must be VT-x capable, VT-d capable, TXT capable, and TPM capable, and have the proper Management Engine (ME) firmware, though all of that comes with the proper Q-chipset motherboard.
Q-chipset motherboards are sold at Newegg and other outlets, however, so it's definitely possible for someone to buy one without realizing the full implications.
Processors without vPro constitute around half of i5 and i7 desktop and mobile processors (i3 and below do not support vPro at all), so it is definitely possible to choose one without vPro. Peruse the Intel vPro Expert Center if you're curious.
Take Skylake (6th Generation Core) as an example. Of the 14 desktop i5 and i7 processors, 8 -- i7-6785R, i7-6700K, i5-6685R, i5-6600K, i5-6585R, i5-6402P, i5-6400, and i5-6400T -- are not vPro capable. Of the 22 mobile i5 and i7 processors, 14 -- i7-6970HQ, i7-6870HQ, i7-6820HK, i7-6770HQ, i7-6700HQ, i7-6567U, i7-6560U, i7-6500U, i5-6350HQ, i5-6300HQ, i5-6200U, i5-6260U, i5-6267U, and i5-6287U -- are not vPro capable.
Or take Sandy Bridge (2nd Generation Core). Of the 18 desktop i5 and i7 processors, 10 -- i7-2700K, i7-2600K, i5-2550K, i5-2500K, i5-2405S, i5-2450P, i5-2300, i5-2310, i5-2320, and i5-2380P -- are not vPro capable. Of the 29 mobile i5 and i7 processors, 10 -- i7-2630QM, i7-2635QM, i7-2670QM, i7-2675QM, i7-2629M, i5-2410M, i5-2430M, i5-2450M, i5-2467M, and i5-2435M -- are not vPro capable.
One pattern that jumps out is that all of the K / X processors, with unlocked cores, are not vPro capable, probably because IT departments do not overclock their systems. Xeon (server) and embedded processors appear to always be vPro capable.
Another requirement for AMT is a server to manage the various assets, with this server being managed by Intel or third-party software modeled after AMT.
One ME module, ThreadX, comes from Express Logic, which offers a user's guide and programmer's reference card on its website, so it might be possible to reverse engineer some of ME's functionality.
ME software is offered by Windows Update (8/8.1 have it defined as an important update, while 10 automatically installs it) and Intel's downloads. When Intel made motherboards, its CD-ROMs contained ME and implied that it was required (its checkbox was selected). If ME is not installed, Windows Device Manager and Devices and Printers will indicate errors.
Linux is pretty much the same story, but it substitutes AMT Linux Enablement for ME.
I installed ME as a test on two freshly-built Windows systems, one with a vPro processor and another with a non-vPro processor, both with non-Q chipsets. After installation, the vPro system had an AMT folder while the non-vPro system did not, suggesting that vPro processors just assume they are running in an AMT system. I do not have a Q-chipset motherboard so I could not determine if all AMT folders are the same. Neither of my test systems displayed any AMT-related elements in the BIOS.
The best proof that AMT could provide an unintentional backdoor is the DZ68BC motherboard. This should have been one of Intel's premier boards, with world-class heatsinks and the ability to overclock. However, the bugs in the firmware -- just search on "DZ68BC" at https://communities.intel.com/community/tech/desktop -- convinced many users to try a less-complicated board or even a non-Intel board. I ran a test on a DZ68BC and found that if Wake-on-LAN was disabled, pressing the power switch no longer powered up the system. I needed to press and hold the power switch for a few seconds to force it to power on. Not to mention the fact that Wake-on-LAN is enabled by default on all Intel motherboards, something most non-corporate users would not want.
A retired Intel engineer who worked on ME and motherboards and sometimes answers questions in Intel forums admitted that he does not install ME on his personal systems. He explained that ME is only necessary for those "using AMT (on vPro systems) or the soft TPM (on newer systems)."
One should feel fairly secure with a non-vPro processor installed into a motherboard with any chipset other than a Q, without ME being installed, with network boot being disabled, and with Wake-on-LAN being disabled (the last two are done in BIOS). I'm not convinced that the presence of an Intel NIC by itself opens any backdoors.
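Two of the conditions above can be checked from a running Linux system rather than from the BIOS screen. The script below is an added example, not part of the original article: it reads the Wake-on-LAN flags that ethtool reports for each interface and looks for the character device created by the kernel's ME interface driver. It assumes ethtool is installed (reading the flags usually needs root), and the sample ethtool output in it is constructed.

```shell
#!/bin/sh
# Added example: audit Wake-on-LAN state and ME host-interface presence on Linux.

# Constructed sample of `ethtool eth0` output (trimmed to the relevant lines).
SAMPLE_ETHTOOL='Settings for eth0:
    Supports Wake-on: pumbg
    Wake-on: g
    Link detected: yes'

# Read ethtool output on stdin and print the active "Wake-on:" flags.
# The "Supports Wake-on:" line lists capabilities only and is ignored.
wol_flags() {
    awk '/^[ \t]*Wake-on:/ { sub(/^[ \t]*Wake-on:[ \t]*/, ""); sub(/[ \t\r]+$/, "")
                             print; found = 1; exit }
         END { if (!found) print "unknown" }'
}

# Map the flags to a verdict: "d" means disabled, "g" is magic-packet wake.
wol_verdict() {
    case "$1" in
        d)          echo disabled ;;
        unknown|"") echo unknown ;;
        *)          echo enabled ;;
    esac
}

# True if the MEI driver has created /dev/mei or /dev/meiN. This shows the
# host-side ME interface is loaded, not that AMT itself is provisioned.
mei_present() {
    for dev in /dev/mei /dev/mei[0-9]*; do
        if [ -e "$dev" ]; then return 0; fi
    done
    return 1
}

audit_host() {
    if command -v ethtool >/dev/null 2>&1; then
        for path in /sys/class/net/*; do
            iface=${path##*/}
            if [ "$iface" = lo ]; then continue; fi
            flags=$(ethtool "$iface" 2>/dev/null | wol_flags)
            echo "$iface: Wake-on-LAN $(wol_verdict "$flags") (flags: $flags)"
        done
    else
        echo "ethtool not installed; cannot read Wake-on-LAN flags"
    fi
    if mei_present; then echo "MEI device present"; else echo "no MEI device"; fi
}

if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

Run it with `--audit` as root. A verdict of "enabled" means the operating system sees the NIC armed for wake events, so the BIOS setting should be rechecked.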
AMD, Intel's only real processor competition, does not have an equivalent to AMT but it does offer something similar to vPro. AMD's Secure Processor (formerly Platform Security Processor) is an ARM core on the same die. The folks working on Libreboot, an open source BIOS replacement, believe Secure Processor to be the same kind of threat, but I don't think they're even in the same league. Secure Processor made its debut in AMD's Pro A-Series, so it's unlikely customers will buy one by mistake. Wake-on-LAN and network boot should be disabled in BIOS, as on Intel systems.
One of the problems with this entire subject is communication, or lack thereof. Intel rightfully believes AMT, vPro, and ME to be trade secrets worth protecting. Intel's Wittek denigrates those who throw darts, but given that the source code is not available to non-partners, there's no way of proving it one way or the other. Qubes OS' Joanna Rutkowska wrote "Intel x86 considered harmful," giving the impression that AMT, vPro, and ME are the devil, but then again Intel's documentation is far better than the competition's, allowing us to know more about it, not to mention that Qubes OS would fare better in the marketplace if people accepted that no processors were trustworthy. Intel could allow a respected expert to look at the code, but some people would not believe those findings either. We'll just have to wait and see how it plays out.