texhex
commented
6 years ago I’m giving up on this. I have no idea where to store the current state if the ME version is UNKNOWN and a restart was requested so the second start of the script does not want to trigger a BIOS change again and causing a loop, without breaking the general expectations of the operator.
The registry would be the most obvious choice, but this could lead to the following situation:
- Run 1, ME version is UNKNOWN. BIOS changes are requested, and state is stored in registry
- Restart, BIOS requests change to AMT but Admin denies it
- Run 2, ME version is still UNKNOWN, BIOS Sledgehammer errors out and sets the registry value to “Tried change, no gain”
- Admin runs BIOS Sledgehammer again and want to allow the changes now
- Run 3, ME version is UNKNOWN, however registry contains the value that this was already tried so the section is skipped.
- Result: Admins expects the script to update ME and relies on it, but in fact we just ignored it
Somewhat encoding the current version of BIOS Sledgehammer and the target ME version would help a little, but if the admin just restarts (as noted above) with the same version and ME version, this won’t help at all.
The only real solution I could think of would be to check the BIOS value, controlling AMT, directly and trigger the restart if those value need to changed (e.g. AMT == Disabled to AMT == Enabled). However, I have seen several cases where BCU reports a BIOS value to be changed, while in fact it was unchanged. This would again cause a loop.
If a computer has a BIOS setting that disables Intel AMT/vPro/ME, the Intel SA detection tool reports that a ME is not found. This in turns causes BIOS Sledgehammer to throw an error if there is a ME-Update.txt file in place; as the ME version is unknown but an update should be performed.
The only solution right now is to disable ME-Update.txt, so no update will take place even if ME is first ON. This could mean that the system is later on enrolled into AMT with an outdated ME firmware.
A proposed solution could be: