by ram_rattle 693 days ago
Can someone help me understand why this is there and perhaps what threat it introduces?
4 comments

Remote management.

The CPU/chipset has an integrated keyboard/video/mouse (via VNC), serial console, power control (on/off) and some settings exposed via this webserver over some kind of XMLRPC.

It is activated either by configuring it locally through the BIOS or some special key combination at boot, or when connecting to a network that has a setup server with a special certificate (not really a security feature, just a money grab) present. Some vendors might also ship it always-on. Network can be either wired or WiFi, not sure about mobile networks.

The threat is extreme: hidden remote access, several known vulnerabilities in the past in e.g. the broken XML parser, activation and takeover via brief physical access at boot (press the magic key, set username and password, boom, it is not your machine anymore) or connecting to a network with a magic setup server and certificate (corporate WiFi might do this accidentally to your machine). There is no good, consistent and easy way to deactivate or prevent it; unfortunately it is different for each generation and vendor, if it is possible at all.

> No good way to deactivate or prevent.

Eh? https://software.intel.com/sites/manageability/AMT_Implement...

I've edited my text to be more precise. But to elaborate:

Eh! Read what your link says:

> Beginning in Release 12.0, it is possible to globally disable Intel AMT.

It took them 12 versions to put in an off-switch, so only newer hardware even has one. And:

> Intel AMT can be disabled using one of the following methods: Through the MEBX menu: Make sure that Manageability Feature State is disabled, then open the MEBX menu and change the Intel® AMT option to Disabled. This option can only be reenabled after a reboot.

That only works if your hardware vendor exposes the MEBX menu, which not all vendors do.

> Through an MEI command invoked by OS software: Invoke the CFG_DisableAndClearAMT MEI command.

For that AMT has to be already enabled and configured in the operating system.

The Intel Management Engine is part of the CPU, and it's there for remote management of a system so you can do things like control power on/off or configure the BIOS from over the network.

https://en.wikipedia.org/wiki/Intel_Active_Management_Techno...

https://www.meshcommander.com/

It's a remote console to the management engine for "lights out management", or remotely being able to do what a hardware tech would generally need physical access for, like accessing the preboot environment.

It's bad if you don't know it's on, because it lets you remotely access pieces of the computer you normally need physical access for, like accessing the preboot environment.

The vPro CPUs include things like AMT (Active Management Technology), which is similar to IPMI: a way to remotely manage the device even if it's not booted yet.

The internal web server shown here lets you configure AMT, disable it if you wish, etc.
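A defender's inventory check for the AMT web server the thread discusses, added here as an example and not code from the thread or from Intel. It assumes the AMT web UI listens on TCP 16992 (HTTP) and 16993 (HTTPS) and names itself in the HTTP Server header; the banner marker and the sample responses are constructed for illustration.

```python
from __future__ import annotations
import socket
import ssl

# Assumed well-known AMT web UI ports: 16992 cleartext HTTP, 16993 HTTPS.
AMT_PORTS = {16992: False, 16993: True}
# Substring assumed to appear in the Server header of AMT's built-in web server.
AMT_BANNER_MARKER = "Active Management Technology"

def parse_server_header(raw_response: bytes) -> str | None:
    """Return the Server header value of a raw HTTP response, or None if absent."""
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1", "replace")
    return None

def is_amt_response(raw_response: bytes) -> bool:
    """True when the Server banner matches the assumed AMT marker."""
    banner = parse_server_header(raw_response)
    return banner is not None and AMT_BANNER_MARKER in banner

def probe_amt(host: str, timeout: float = 2.0) -> list[tuple[int, bool, str]]:
    """Check both AMT ports on a host you administer; returns (port, tls, banner) hits."""
    findings = []
    for port, use_tls in AMT_PORTS.items():
        try:
            conn = socket.create_connection((host, port), timeout=timeout)
        except OSError:
            continue                                   # closed or filtered: no AMT web UI
        try:
            if use_tls:
                ctx = ssl.create_default_context()
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE        # AMT certs are typically self-signed
                conn = ctx.wrap_socket(conn, server_hostname=host)
            conn.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            raw = conn.recv(4096)
        except (OSError, ssl.SSLError):
            continue
        finally:
            conn.close()
        if is_amt_response(raw):
            findings.append((port, use_tls, parse_server_header(raw)))
    return findings

# Constructed sample responses (not captured from a real device) so the parser runs offline.
SAMPLE_AMT = (b"HTTP/1.1 303 See Other\r\nServer: Intel(R) Active Management Technology 11.8.50\r\n"
              b"Location: /logon.htm\r\n\r\n")
SAMPLE_OTHER = b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Length: 0\r\n\r\n"
```

Any host that answers on either port with an AMT banner has the management web server reachable from the network, which is the state the thread warns about; the cleartext port hit is the one to treat with most urgency.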