They put some power switches on the webcam/microphone and wireless modules. That's about it.
They also disabled signature verification on the chipset firmware, but it's not clear that solves any privacy issues, given that the only extant firmware is the closed-source one from Intel. (If anything, disabling signatures is a net negative for privacy, as the authors of a malicious replacement wouldn't even need access to Intel's signing key to create one.)
