Intel® Active Management Technology Developers Guide

ID 772055
Date 1/05/2021
Public

Remote Secure Erase FAQ

Presented here is a collection of frequently asked questions for Intel® Remote Secure Erase (Intel® RSE).

Intel RSE is a new feature introduced with Intel® Active Management Technology (Intel® AMT) version 11.0. Intel RSE is designed to allow IT administrators to wipe the Intel® Solid State Drive (Intel® SSD) of the client device from a management console. For more information on Intel RSE, see Remote Secure Erase with Intel AMT.

(Q) Is it possible to remotely detect if Intel RSE is supported on a device?

  • Capability is found using the BootCapabilities.SecureErase method of the Intel® AMT High-level API.
    • If BootCapabilities.SecureErase is set to false, the device does not support Intel RSE.
  • Behavior notes: When the BIOS detects the installed hardware, it passes the relevant data to the Intel AMT firmware (FW). The Intel AMT FW looks for a specific BIOS flag to designate the drive as an Intel SSD supporting Intel RSE.

(Q) What versions of Intel AMT support Intel RSE?

  • Intel AMT 11 and newer.

(Q) Which Intel SSDs support Intel RSE?

  • Intel® SSD Pro 1500 Series, Pro 2500 Series, Pro 5400s Series, Pro 6000p Series.

(Q) Can SCSDiscovery.exe or the Acuconfig.exe "System Discovery" option identify Intel RSE-enabled clients?

  • No, the Intel SCS tools (as of SCS 11) do not have the ability to determine if Intel RSE is available.

(Q) Does the BIOS require any configuration for Intel RSE to function?

  • The platform’s BIOS must support Intel RSE; support varies by platform.

(Q) Does Intel AMT need to be configured for Intel RSE to function?

  • Yes, Intel AMT needs to be enabled on the device. It is through Intel AMT’s Remote Power Management feature that the Intel RSE boot options are available.

(Q) Is there a programmatic way to determine if a hard drive password is set or not?

  • No, the hard drive password is set in the BIOS and the information is not available to the MEBX or to Intel AMT.

(Q) Where in the BIOS do you set the SSD passwords to allow for Intel RSE operations?

  • The exact path will differ between OEM and BIOS versions; however, in general it should be something like this:
    • Boot Maintenance Manager Menu -> HDD Security Configuration Menu -> HDD 0:INTEL SSDSC -> Set User Password
    • Boot Maintenance Manager Menu -> HDD Security Configuration Menu -> HDD 0:INTEL SSDSC -> Set Master Password

(Q) There are two different passwords (User and Admin) for the SSD; do they both need to be set?

  • Both the Master and User passwords must be set for Intel RSE to work; they do not need to be the same.

(Q) When requesting an Intel RSE operation, is User Consent required?

  • If in Client Control Mode: User Consent is required for the RSE to be set.
  • If in Admin Control Mode: If the User Consent value is set to “Always,” the RSE boot request requires User Consent. If the User Consent value is set to “None” or “KVM Only,” consent is not required.
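
The remote checks described in the answers above (Intel AMT version, AMT enabled, BootCapabilities.SecureErase, control mode and User Consent setting) can be combined into one pre-flight decision before an RSE boot request is issued. The following is an added example, not code from Intel or from the Intel AMT SDK; the `Device` record, its field names and the sample fleet are hypothetical and assume the values were already collected from each client.

```python
from dataclasses import dataclass

@dataclass
class Device:              # hypothetical inventory record, not an Intel AMT type
    name: str
    amt_version: str       # e.g. "11.8.50"
    amt_enabled: bool
    secure_erase: bool     # value read from BootCapabilities.SecureErase
    control_mode: str      # "client" or "admin"
    user_consent: str      # "None", "KVM Only" or "Always"

FLEET = [                  # constructed sample data
    Device("lab-01", "11.8.50", True, True, "admin", "None"),
    Device("lab-02", "11.0.0", True, True, "client", "None"),
    Device("lab-03", "10.0.55", True, False, "admin", "Always"),
    Device("lab-04", "12.0.1", True, True, "admin", "sometimes"),
]

def rse_preflight(dev):
    """Return (eligible, consent_required, reasons) for an RSE boot request."""
    reasons = []
    try:
        major = int(dev.amt_version.split(".")[0])
    except ValueError:
        major = -1         # unparseable version is treated as unsupported
    if major < 11:
        reasons.append("Intel AMT 11 or newer is required")
    if not dev.amt_enabled:
        reasons.append("Intel AMT is not enabled")
    if not dev.secure_erase:
        reasons.append("BootCapabilities.SecureErase is false")
    mode = dev.control_mode.strip().lower()
    consent = dev.user_consent.strip().lower()
    if mode == "client":
        consent_required = True       # Client Control Mode always needs consent
    elif mode == "admin" and consent in ("none", "kvm only"):
        consent_required = False
    else:
        consent_required = True       # "Always", or fail closed on unknown input
        if mode != "admin" or consent != "always":
            reasons.append("unrecognised control mode or consent value")
    # Drive passwords are set in the BIOS and cannot be verified from here.
    return (not reasons, consent_required, reasons)

if __name__ == "__main__":
    for dev in FLEET:
        print(dev.name, rse_preflight(dev))
```

A passing result only covers what can be read remotely; whether the SSD passwords are set still has to be confirmed at the BIOS.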

(Q) Does Intel provide any other management tools for managing Professional Series SSDs?

 

*No product or component can be absolutely secure.