Have you investigated the CMOS enable/disable method As Used by System76?

[ilikenwf]

Sounds like it is similar to the HAP bit but tells ME to more or less shut down after boot or something?

I have a 13th gen and I'm not sure if I should risk using HAP or not.

https://review.coreboot.org/c/coreboot/+/52800

[benjamindoron]

That's performed via HECI command (a command to the Management Engine Interface PCI device, run by a driver called "heci" in the ME image. "MEI" and "HECI" are basically synonyms), the CMOS value only determines whether the command is sent.

This method could be exposed by the firmware on your system if you can see an option called "ME State" in the setup menu. It's sometimes possible to unsuppress options too, you're looking for places on the internet talking about enabling the "Advanced" menus.

If not, it's unlikely you can use this method if you aren't using coreboot (or possibly MinPlatform and SlimBootloader, and any other firmware you could for your device), as the Management Engine will likely reject this command after the BIOS sends it an 'end of POST' command. Effectively, the BIOS will say, "that's it, I'm done configuring the system," and the ME should lock itself down against further changes, but I don't know and might not be able to comment on what this lockdown includes. When exactly this end of POST command is sent can vary, and if Intel's silicon code for the BIOS is sloppy, the last chance to try disabling the ME is in the UEFI shell, but I doubt it.