Based on the Intel documentation, my Surface Pro 4 is vulnerable (it's a 7th gen with 184.108.40.2062), but it's also disabled and I'm not sure whether or not that 'saves' me here (as the driver in the OS is disabled, but it is unclear if a local network attack would work or not).
EDIT: Ok, so it seems all Intel CPUs that have AMT, from Nehalem processors to the current Kaby Lakes, are vulnerable. Even if AMT isn't enabled, it's still vulnerable to a local privilege escalation to ring 0. So all you people that have Celeron or AMD CPUs and got picked on for years, enjoy your moment of schadenfreude.
One thing to remember is that hardware costs money each time they instantiate a new mask set. Integrations cost money, too. That's on top of developing the individual components. So, a common trick in the hardware industry for a product family is to create one product that pretends to be several with a factory switch. Two examples come to mind: hard disks; mobile SoCs as embedded chips. In hard disks, there was at least one instance where a vendor had the same highest amount of space on all the drives, with a switch saying how much to present to the user based on what they paid. More profitable, since mass producing one platter was cheaper. Another was in machines that people thought wouldn't connect to anything, since they just had standalone-ish ARM chips. They actually had wireless functionality one could turn on with the right code. The ASIC guy that told me said he determined it was a chip used in cheap mobile phones that they probably had a volume deal on and/or surplus. So, they just changed the firmware or something to make it pretend to be something else without notifying users.
Intel's stuff costs vastly more to mask out and verify than the above examples. That means they probably reuse silicon for anything that ends up in a lot of processors, while turning some of it off with a hardware or firmware switch at the factory depending on what people bought. We can't know if any of this remote access is similar. That means that, if you don't want that, you can't trust any Intel CPUs made after that was introduced. Back to buying used multi-CPU boxes with 3GHz P4s. :)
Note: The PowerPC Amigas like MorphOS suddenly look like they could have a purpose. Beautiful desktop with good performance that's probably not backdoored. Yet.
When Intel indicates that my B250 and Z270 chipsets don't support AMT, it's still quite possible that the ME firmware on those motherboards has the vulnerable code present but not currently running.
My Intel network card would not work at all with AMT disabled. It simply refused to work, resetting every few seconds.
I ended up simply using an old Realtek network card, but that’s no long-term solution either.