FAQ for Remote Secure Erase

Presented here is a collection of frequently asked questions for Intel® Remote Secure Erase (RSE).

RSE is a new feature introduced with Intel® Active Management Technology (Intel AMT) version 11.0. RSE is designed to allow IT administrators to wipe the Intel Solid State Drive of the client device from a management console. For more information on RSE, see Remote Secure Erase with Intel AMT.

Frequently Asked Questions:

Is it possible to remotely detect if Remote Secure Erase (RSE) is supported on a device?

  • Capability is found using the BootCapabilities.SecureErase method of the Intel® AMT High Level API.
    • If BootCapabilities.SecureErase is set to false, the device does not support RSE.
  • Behavior Notes: When the BIOS detects the installed hardware, it passes the relevant data to the Intel® Active Management Technology (Intel AMT) firmware (FW). The Intel AMT FW looks for a specific BIOS flag to designating the drive as an Intel SSD supporting RSE.

What versions of Intel AMT supports RSE?

  • Intel AMT 11 and newer

Which Intel SSD drives support RSE?

  • Intel® SSD Pro 1500 Series, Pro 2500 Series, Pro 5400s Series and Pro 6000p Series

Can SCSDiscovery.exe or the Acuconfig.exe "System Discovery" option identify RSE enabled clients?

  • No, the Intel SCS tools (as of SCS 11) do not have the ability to determine if RSE is available.

Does the BIOS require any configuration for RSE to function?

  • The platform’s BIOS must support Remote Secure Erase, and support varies by platform.

Does Intel AMT need to be configured for RSE to function?

  • Yes, Intel AMT needs to be enabled on the device.  It is through Intel AMT’s Remote Power Management feature that the RSE boot options are available.

Is there a programmatic way to determine if a hard drive password is set or not?

  • No, the Hard-drive Password is set in the BIOS and the information is not available to the MEBx or to Intel AMT.

There are 2 different passwords (User and Admin) for the SSD, do they both need to be set?

  • Conceptually, for SATA devices, both Master and User passwords must be set for Secure Erase to work, they do not need to be the same.
  • Depending on BIOS integration by the OEM, Remote Secure Erase my also work if no ATA passwords are set.

Where in the BIOS do you set the SSD passwords to allow for RSE operations?

  • The exact path will differ between OEMS and BIOS versions, however in general sshould be something like this;
    • Boot Maintenance Manager Menu -> HDD Security Configuration Menu -> HDD 0:INTEL SSDSC -> Set User Password
    • Boot Maintenance Manager Menu -> HDD Security Configuration Menu -> HDD 0:INTEL SSDSC -> Set Master Password 

Will Remote Secure Erase work if ATA passwords are set on NVMe SSDs?

  • No  ATA password management on NVMe SSDs is available with select OEM systems, and is not supported with Remote Secure Erase.
  • In order to complete Remote Secure Erase on an NVMe Intel SSD which has an ATA password set, first remove the ATA password using the same tools used to set the password.

When requesting a Remote Secure Erase operation, is User Consent required?

  • If in Client Control Mode: User Consent is required for the Remote Secure Boot to be set.
  • If in Admin Control Mode: If the User Consent value is set to always, then the request will require the User Consent. If the user consent value is set to “None” or “KVM Only”, then consent is not required.

Will Remote Secure Erase work if Opal is activated?

  • No, Opal activation will block the commands which are sent with the Remote Secure Erase action.
  • In order to complete Remote Secure Erase on an Opal-activated Intel SSD, first revert Opal activation using the encryption management console.
For more complete information about compiler optimizations, see our Optimization Notice.