Use configuration baseline disable windows service

Lots of news about vulnerability Intel AMT, example Lenovo published an article (CVE-2017-5689)

In Intel Mitigation Guide , it mentions about disable LMS service, so here is a sample how to use SCCM compliance settings disable LMS service.

I don’t write details how to do compliance settings, there are lots of blogs about it, example:

So I only give you the discovery script and the remediation script:

  1. Create Configuration Items, name Disable Intel AMT LMS service, remember, the service name is LMS, not LSM, they are not the same! 🙂
    Discovery script:

    Remediation script:

  2. Create Configuration Baseline name Disable Intel AMT LMS service, add the “Disable Intel AMT LMS service” Configuration Item” in it.
  3. Deploy to your clients.

You can download my baseline and import to your SCCM: click here

If you want to query Intel AMT versions, here is the query:

And here is the query for find out if “Intel(R) Management Engine” installed on clients :




Leave a Reply

Your email address will not be published. Required fields are marked *