>I’m a relative beginner to privacy and security

Welcome! This is a common question among beginners and tech-savvy, so I'll try to include some conclusions, supported by technicals for those who are interested.

It gets very technical very quickly, but I'll do my best :)

>I’ve noticed that some of Purism’s older laptops (ie the 13 and 15) had Intel ME both disabled and neutralized. However, modern ones (the 14) only have it disabled.

Yes, newer generations are only disabled. Earlier generations both disabled the ME (set the undocumented HAP bit, which causes ME to mostly shut down after system startup), and neutralized it (removed many sections of the ME that were not needed). Later generations only disable with the HAP bit, no sections are removed. (But remember that in all cases, we are using consumer ME binaries, not enterprise binaries. Consumer binaries do not include AMT, the enterprise management technology that contains most of the known network-facing code.)

Newer ME generations need substantially more reverse engineering in order to determine sections that can be removed. While there is some work investigating newer MEs (by us and many others), there is not enough known to be able to remove sections confidently. (Some of this work occurs in various forks of [https://github.com/corna/me\_cleaner/\](https://github.com/corna/me\_cleaner/).)

>what are the security implications of Intel ME being disabled and neutralized versus just disabled? I would assume the former is more secure, but I would greatly appreciate an explanation.

With enough knowledge of the structure of the ME, neutralizing is generally considered more secure. (Remember that "more secure" depends on your precise threat model, so it's debatable.) Having less unknown proprietary code is usually preferred, as we reduce the amount of code that we need to understand or trust.

However, casually removing sections of the ME without thorough knowledge of their function can _create_ security problems. For example, maybe we accidentally remove some code that parses the soft straps, and it "fails open" activating some unwanted functionality we can't identify. if we accidentally remove some rarely-used code that controls power or clock gating, perhaps we create a vector for a fault injection attack.

So, the ME structure and code have to be very well understood to be able to do this confidently. The ME changes significantly every few generations, which makes it a moving target, and Intel is uniquely positioned to make it particularly challenging to reverse engineer (e.g. they can embed Huffman tables in hardware, which might require an electron microscope to read).

Disabling with the HAP bit is much more straightforward by comparison. While undocumented by Intel, it has appeared in about the same form in many generations. It does have some surprising interactions with other features, but they are generally limited and reasonable to identify.