Intel® Active Management Technology (Intel® AMT) version 11.0 introduces a new feature called Remote Secure Erase (RSE). RSE is designed to allow IT administrators to remotely wipe the hard disk of a client device that supports Intel® AMT 11.0 or later.
Traditionally, when an employee leaves the organization, the IT administrator collects the PC, erases the disk drive, and reloads the OS and applications as needed. Remote Secure Erase, combined with the other Intel® AMT redirection features (IDE-R, KVM), allows the IT administrator to securely erase the whole disk drive (bootable partition) and then, using KVM and IDE-R, provision the OS and applications remotely.
Below are the platform requirements for RSE support:
- Platform with Intel® AMT 11.0 or later
- BIOS supporting Remote Secure Erase capability
- Intel® SSD Professional Family (Pro 5400s series, Pro 2500 series, Pro 1500 series, ...)
Here is the expected flow for implementing an RSE solution:
- The IT administrator sets the user and master hard drive passwords on the PC before deploying it to the employee.
- System discovery: the ISV verifies whether the system supports the RSE feature (AMT_BootCapabilities.SecureErase).
- Only for systems that support RSE does the ISV application offer an option to perform a secure erase in its management console.
- When the secure erase operation is initiated, the ISV console prompts the IT administrator for the master password configured for the drive.
- The ISV uses the master password provided by the IT administrator to set the boot options to secure erase, sends the password to AMT, and reboots the platform. See AMT documentation here for more details.
- To check the progress of the erase operation, the ISV queries AMT_BootSettingData.BIOSLastStatus and expects the first element of the status to report InProgress. This indicates that the remote secure erase operation has started. The erase time varies with the size of the disk being erased.
- The first item of BIOSLastStatus then changes to either 0 (success) or 65535 (failed).
- If the status changes to 0, the BIOS automatically clears the boot options and the ISV console can display a message reporting a successful erase.
- If the status changes to 65535, examine the second item of BIOSLastStatus to get the detailed error code. On failure the boot options are not cleared, so, depending on the detailed error, the ISV console can either stop the operation or retry. If the operation is stopped, the boot options must be cleared through a WS-Man command. For a retry, depending on the system power state, either power up or reset the platform so that the secure erase is attempted again on the next boot.
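The polling and retry decisions in the last four steps, as an added example that is not part of the original article or of the Intel® AMT SDK. The WS-Man calls are hidden behind hypothetical hook callables so the logic can be exercised offline; the raw value that BIOSLastStatus reports for InProgress is not given in the article, so the `IN_PROGRESS` constant is an assumption, and the error codes 7 and 9 in the usage are constructed sample values.

```python
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional, Tuple

SUCCESS = 0                 # BIOSLastStatus[0] on a completed erase (BIOS clears boot options)
FAILED = 65535              # BIOSLastStatus[0] on failure; BIOSLastStatus[1] carries the detail
IN_PROGRESS = "InProgress"  # assumption: the article names this state but not its raw value


@dataclass
class AmtHooks:
    """Hypothetical callables standing in for the WS-Man operations an ISV console issues."""
    read_bios_last_status: Callable[[], List]   # reads AMT_BootSettingData.BIOSLastStatus
    clear_boot_options: Callable[[], None]      # needed only when we stop after a failure
    power_up: Callable[[], None]
    reset: Callable[[], None]
    powered_on: Callable[[], bool]


def monitor_secure_erase(amt: AmtHooks, retry_policy: Callable[[Optional[int]], bool],
                         max_retries: int = 1, max_polls: int = 100) -> Tuple[str, Optional[int]]:
    """Poll BIOSLastStatus and apply the flow described in the article.

    Returns ("success", None), ("failed", detail) or ("timeout", last_first_element).
    """
    retries, first = 0, None
    for _ in range(max_polls):
        status = amt.read_bios_last_status()
        first = status[0] if status else None
        if first == IN_PROGRESS:
            continue                      # erase has started; keep polling (sleep in real use)
        if first == SUCCESS:
            return "success", None        # BIOS has already cleared the boot options
        if first == FAILED:
            detail = status[1] if len(status) > 1 else None
            if retries < max_retries and retry_policy(detail):
                retries += 1
                # boot options are still set, so a power-up/reset retries on the next boot
                (amt.reset if amt.powered_on() else amt.power_up)()
                continue
            amt.clear_boot_options()      # stopping: BIOS does not clear them on failure
            return "failed", detail
        # any other value: not started yet (or an unexpected code); keep polling
    return "timeout", first


def make_fake_amt(statuses: List[List], powered_on: bool = True) -> Tuple[AmtHooks, List[str]]:
    """Constructed offline stand-in: replays a scripted BIOSLastStatus sequence and logs actions."""
    log: List[str] = []
    it: Iterator[List] = iter(statuses)
    last = statuses[-1]                   # keep returning the final status once the script is used up
    amt = AmtHooks(read_bios_last_status=lambda: next(it, last),
                   clear_boot_options=lambda: log.append("clear_boot_options"),
                   power_up=lambda: log.append("power_up"),
                   reset=lambda: log.append("reset"),
                   powered_on=lambda: powered_on)
    return amt, log
```

Against a real client, replace the hooks with the console's WS-Man calls and add a sleep between polls; the decision logic stays the same.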
The PowerShell script (see attachments) demonstrates the use of the AMT Remote Secure Erase feature with code snippets. For information on running PowerShell scripts with the Intel® vPro module, please refer to the AMT SDK and the related Intel® AMT Implementation and Reference Guide. More information about configuring the Intel vPro PowerShell module can be found here.
After establishing a connection (note: you will need to enter the proper credentials and machine address for your client system), the script walks through the flow described above.
This should provide everything you need to start using the feature. If you have questions, please post them to the Intel® Business Client Software Development Discussion Forum.
In summary, this feature is designed to allow IT administrators to remotely wipe the entire SSD in a secure fashion when repurposing a PC or mobile device.
About the Authors/Contributors
Ajith Illendula is a Senior Software Engineer enabling Business Client and Security Applications for large enterprises.