Most users are not aware of the AMT capabilities of their Intel processor. Yet, using them, a third party with physical access to a computer can easily gain permanent control over it.
This highlights the following common-sense recommendations:
'End users: Never leave your laptop unwatched in an insecure location such as a public place. Contact your IT service desk to handle the device. If you’re an individual running your own device, change the AMT password to a strong one, even if you don’t plan on using AMT. If there’s an option to disable AMT, use it. If the password is already set to an unknown value, consider the device suspect.
Organizations: Adjust the system provisioning process to include setting a strong AMT password, and disabling AMT if this option is available. Go through all currently deployed devices and configure the AMT password. If the password is already set to an unknown value consider the device suspect and initiate incident response procedure.'
In French: https://korben.info/attaquant-prendre-controle-total-dune-machine-30-secondes-grace-a-intel-amt.html
Note that it always seems possible to reset the MEBx password on a computer (here a Lenovo laptop), which is both good and bad: https://pcsupport.lenovo.com/fr/fr/solutions/ht003903
So it is better to deactivate Intel AMT a bit more radically. Here is how to do so on Windows: https://mattermedia.com/blog/disabling-intel-amt/
Ultimately, one would want to deactivate the chip itself, but it seems very difficult.