
I can tell you that I have used HPE Integrated Lights Out (iLO) on Gen8/9/10 servers.

It is a great help for server lock-ups - it is able to force a full power-down of the main board and cold-boot.

The software behind iLO was also a presentation at BlackHat, so it's important to keep them patched (and I don't know anybody else that does).

https://www.blackhat.com/us-21/briefings/schedule/index.html...




Yep we use that too but it has nothing to do with IME.

We also have Dells with iDRAC cards. But it's a nice thing with iLO that it's built-in, and it can be managed on a completely dedicated out-of-band network. Unlike the IME thing.

I understand there's a point to this in stuff like servers, but for workstations?


I use it to segment network access.

The devices are on an untrusted network and VPN into a LAN based on the device assignment. Things like printers are on a separate network, and there’s no cleartext on the network.

In the case of laptops, if they fall out of certain compliance baselines, they get remote wiped or bricked.


We do this too, but based on 802.1x certificates. Devices without this don't get access to the internet and are relegated to a closed VLAN.

But IME is not needed for this. The certs are issued through Windows / Mac management systems, e.g. SCCM/Intune. They are also dependent on the current security state of the machine (e.g. no EDR installed -> only access to remediation network). Is IME really used in your case?


Depends on the requirements. One I set this up years ago and it uses AMT - IME only provides a few functions although I don’t recall exactly what from memory.

The key difference is that you can provide a level of assurance and multi-tenant access without an OS. For example you can run a hypervisor on the PC and have a few OS instances running.


I've used that and Dell's DRAC. They have their uses. We ran those on a separate network, and it was somewhat routine to use them to get into a host that was locked up or had disconnected from the network somehow.

It's definitely a security risk, but at a big company with a poorly managed IT department it wasn't the worst offender.

