Use configuration baseline disable windows service

Lots of news about vulnerability Intel AMT, example Lenovo published an article (CVE-2017-5689)  https://support.lenovo.com/fi/en/product_security/len-14963

In Intel Mitigation Guide  https://downloadcenter.intel.com/download/26754 , it mentions about disable LMS service, so here is a sample how to use SCCM compliance settings disable LMS service.

I don’t write details how to do compliance settings, there are lots of blogs about it, example: http://www.scconfigmgr.com/2017/04/09/configmgr-configuration-baselines-a-beginners-guide/

So I only give you the discovery script and the remediation script:

  1. Create Configuration Items, name Disable Intel AMT LMS service, remember, the service name is LMS, not LSM, they are not the same! 🙂
    Discovery script:

    Remediation script:

     
  2. Create Configuration Baseline name Disable Intel AMT LMS service, add the “Disable Intel AMT LMS service” Configuration Item” in it.
  3. Deploy to your clients.

You can download my baseline and import to your SCCM: click here

If you want to query Intel AMT versions, here is the query:

And here is the query for find out if “Intel(R) Management Engine” installed on clients :

x86:

x64:

 

One thought on “Use configuration baseline disable windows service

  1. curtiz p

    Very simply put, I will say through experience. The A.M.T.; lms.exe, A.R.M. with A.M.Dx64.sys drivers are dangerous when used by malicious hackers. There needs to be more safeguards available. Also more forth coming from Intel with regards to the power of these tools. That is all.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *