Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2920 Discussions

Remote Platform Erase

SistemasLVDG
Beginner
6,275 Views

 

Hello 

We have the following scenario:

- EMA Server version 1.8.1 over a Windows Server 2019 DCE VM.

- Endpoint: 

Model: "Dynabook Portégé X40L-K-110"

Processor: "Intel Core i5-1250P vPro"

BIOS version :2.30  (latest version)

Disk SSD : Model SAMSUNG MZVLQ512HBLU-00B00

The Endpoint is AMT provisioned in ACM Mode

 

SistemasLVDG_0-1674048771246.png

 

 

We have tried the Action "Platform Erase" with no success.

 

We tried this action with the Endpoint in differents States:

 

a- S0 Power State at BIOS Setup 

b- S0 Power State at Operating System Windows 10 Running

c- S5 Power State. 

 

Only in State (a) we get this KVM outputs 

SistemasLVDG_1-1674049078938.png

Secure Erase !!!!

 

SistemasLVDG_2-1674049087923.png

Disk erase completed. Exiting SSD Erase in 2 seconds

 

SistemasLVDG_3-1674049096098.png

Operating system not found

 

But Partition Table and File Systems in that partitions have not been erased.

 

Is there any log we can check or utility we can use to check and determine what was going wrong while did the erase?

 

We have seen that this feature depends on BIOS version and Hard Disk,

 

SistemasLVDG_4-1674049590787.png

 

 

how can we check that our Endpoint (described above) supports the Feature "Secure Erase" ?

 

Thank you very much in advance

 

0 Kudos
27 Replies
JoseH_Intel
Moderator
5,235 Views

Hello SistemasLVDG,


Thank you for joining the community


In order to confirm if your system supports this "Remote Secure Erase" feature, you want to check directly with the OEM (Dynabook in this case). The BIOS is developed by the manufacturer directly and Intel is not involved at any level.


About the logs, you can check at this path <Installer Directory>/EMALog-Intel®EMAInstaller.txt


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
SistemasLVDG
Beginner
5,211 Views

Hello Jose 

 

We have executed a Secure Erase with Success from BIOS Setup

 

SistemasLVDG_0-1674224746615.png

 

 GPT Disk's Partition Table was correctly removed, so this operation was successfull, what confirms our BIOs  and our SSD Disk support this feature.

 

So we need to know why this "Platform Erase" Action does not work , because the logs,  in the path you indicated are associated to the log of the Installer 

 <Installer Directory>/EMALog-Intel®EMAInstaller.txt

 

is there any alternative log file  ?

 

We have reviewed this directory and its files 

c:\Program Files (x86)\Intel\Platform Manager\EMALogs\

 

but we don't find the reason why this erase does not progress .

 

Thanks in advance

 

 

 

 

 

 

0 Kudos
JoseH_Intel
Moderator
5,172 Views

Hello SistemasLVDG,


So just to clarify. Whenever you apply the Secure Erase option directly from BIOS it works fine. But when you try to apply it from the EMA console, it shows as successful, the OS is not found, but the partition tables are not fully deleted.


I am still investigating if there are any alternate logs that can be retrieved.


We will look forward to your update


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
SistemasLVDG
Beginner
5,156 Views

Hello Jose

 

We answer on your email:

 

So just to clarify. Whenever you apply the Secure Erase option directly from BIOS it works fine.

yes, that´s correct

But when you try to apply it from the EMA console, it shows as successful, the OS is not found, but the partition tables are not fully deleted.

yes, partition table of the GPT disk is intact and the contents of the filesystems inside that partitions too.

 

I am still investigating if there are any alternate logs that can be retrieved.

thanks, that´s what we need

 

As a complementary information. The only way that the BIOS Setup of our Dynabook endpoints show the "Secure Erase" option as available is unsetting/unregistering/clearing de "SSD Master Password". As you know, the RPE (Remote Platform Erase) asks for the 

"SSD Master Password" in order to do the Remote Erase. We have tested the RPE in two different scenarios:

1- With the "SSD Master Password" set

2- With the "SSD Master Password" unset/unregistered and using de "BIOS Supervisor Password" at the RPE form (instead of the
"SSD Master Password")
but the results were the same (partition table of the GPT disk is intact and the contents of the filesystems inside that partitions too)

 

We will look forward to your update

 

 

 

 

0 Kudos
JoseH_Intel
Moderator
5,103 Views

Hello SistemasLVDG,


Based on the documentation in 

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-admin-and-usage-guide.pdf#page=13

in section 1.2.9 it seems that your system complies with the requirements; nevertheless, after reviewing the https://www.intel.com/content/www/us/en/develop/documentation/amt-developer-guide/top/remote-secure-erase/remote-secure-erase-implementation.html it specifies that the SSD should be Intel® SSD Professional Family (Pro 6000p Series, Pro 5400s Series, Pro 2500 Series, Pro 1500 Series, ). Since you are using an OEM disk, this could be the reason for the feature not working as expected


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
SistemasLVDG
Beginner
5,093 Views

Please Jose, 

could you confirm us 100% secure that "Remote Secure Erase" and "Remote Platform Erase" can only succeed with Intel® SSD Professional Family (Pro 6000p Series, Pro 5400s Series, Pro 2500 Series, Pro 1500 Series, )?
 
Thanks
0 Kudos
JoseH_Intel
Moderator
5,065 Views

Hello SistemasLVDG,

 

Based on the Intel documentation, that particular SSD series models are the supported ones for the Remote Secure Erase feature

 

Below are the platform requirements for RSE support:

  • Platform with Intel AMT 11.0 or later
  • BIOS supporting Intel RSE capability
  • Intel® SSD Professional Family (Pro 6000p Series, Pro 5400s Series, Pro 2500 Series, Pro 1500 Series, )

But if you are planning to purchase a new SSD for this purpose only, I could suggest you try to get a similar one and test it before.

 

Regards

 

Jose A.

Intel Customer Support Technician

 

0 Kudos
SistemasLVDG
Beginner
5,029 Views

Thanks for the answer Jose

Please, may we maintain the case open while our OEM (Dynabook) clarifies its support of this Feature?

0 Kudos
JoseH_Intel
Moderator
4,985 Views

Hello SistemasLVDG,

 

Could you please try the following?

 

Run the ECT tool on your system and save to .xml file

Open the .xml file and there will be two entries for RSE, do a search for:

 

<IsRSEEnabled>Value</IsRSEEnabled>

<RSESupported>Value</RSESupported>

 

Do you have True or False value for each?

 

Regards

 

Jose A.

Intel Customer Support Technician

 

 

0 Kudos
SistemasLVDG
Beginner
4,963 Views

Hello Jose

 

Both values have True value

SistemasLVDG_3-1675068689905.png

 

 

SistemasLVDG_2-1675068651933.png

 

 

 

0 Kudos
JoseH_Intel
Moderator
4,928 Views

Hello SistemasLVDG,

 

Thank you. Let me analyze this and will get back to you.

 

Regards

 

Jose A.

Intel Customer Support Technician


0 Kudos
JoseH_Intel
Moderator
4,738 Views

Hello SistemasLVDG,


We apologize for the ongoing and repetitive questions, but could you please confirm the following:


We will look forward to your comments


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
SistemasLVDG
Beginner
4,718 Views

 

Hello Jose
 
We answer directly on your email
 
Thank you
Best Regards

 

On Fri, 3 Feb 2023 at 05:40, Intel Community <noreply@community-mail.intel.com> wrote:

Hi SistemasLVDG,

 

JoseH_Intel (Moderator) posted a new reply in Intel vPro® Platform on 02-03-2023 05:40 AM:

 


 

Re:Remote Platform Erase

 

 

Hello SistemasLVDG,

 

We apologize for the ongoing and repetitive questions, but could you please confirm the following:

Is the SSD in the client system one that is in the supported list here? https://www.intel.com/content/www/us/en/develop/documentation/amt-developer-guide/top/remote-secure-erase/remote-secure-erase-implementation.html
 
In the details of the first post of this case/thread, we gave the following details:

 

Model: "Dynabook Portégé X40L-K-110"

Processor: "Intel Core i5-1250P vPro"

BIOS version :2.30  (latest version)

Disk SSD : Model SAMSUNG MZVLQ512HBLU-00B00

As you can see, disk model is NOT one of the list 

 
SistemasLVDG_2-1675411704391.png

 

 
Do you know if this requirement has changed last months and therefore it is allowed to do RSE with disks of other OEMs than Intel?

 

 

 
 
Do they have remote platform erase enabled in the AMT profile?
 
Our AMT Profile has enabled the RPE (Remote Platform Erase -> New action associated to a RSE/RemoteSecureErase) management interface
 
SistemasLVDG_3-1675411731274.png

 

 
Due to the previous, ECT launched on a endpoint where this AMT profile is applied to its endpoints groups through "Intel AMT Autosetup"  does show the IsRSEEnabled with True value
0 Kudos
SergioS_Intel
Moderator
4,699 Views

Hello SistemasLVDG,


Thank you for waiting for our updates.  


In order to continue troubleshooting your issue, you need to contact the OEM to get the instructions to turn OFF "Demo Mode". The drive will actually get wiped by EMA when this is changed.


In case you need more assistance please let us know.


Best regards,

Sergio S.

Intel Customer Support Technician


0 Kudos
SistemasLVDG
Beginner
4,667 Views

Thanks for answer Sergio

We have just forwarded to the OEM these questions:
- is "Demo Mode" turned ON in our endpoints?

- if so, which is the procedure to turn it OFF?

0 Kudos
JoseH_Intel
Moderator
4,611 Views

Hello SistemasLVDG,


Do you have any updates from the OEM?


Please do not hesitate to contact us back.


If you consider the issue to be completed please let us know so we can proceed to mark this thread as closed.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
Kikolas
Beginner
4,589 Views

Hi Sergio, 

This is Enrique from dynabook..
Could you please tell us what is the "demo mode" - where is is located? (Laptop Standard BIOS or vPro BIOS), 

is it only related to the "secure errace" feature or "platform erase" feature?
and how can we enable or disable it?

 

sorry to ask , but we didn't know so far about thie "demo mode"

0 Kudos
SistemasLVDG
Beginner
4,599 Views

We have still no updates from the OEM

May you please remain the thread open until we have a final explanation from the OEM about the "Demo mode"?

Thanks

0 Kudos
JoseH_Intel
Moderator
4,515 Views

Hello SistemasLVDG,


After analyzing your situation, we want to apologize, but at this point, you need to work with the assigned Intel representative for OEM Dynabook to work through this issue as this is something that the OEM would implement.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
JoseH_Intel
Moderator
4,422 Views

Hello SistemasLVDG,


After doing some deeper research, we got some extra information on this. Could you please check under BIOS, for something called SSD Erase Mode and see if it's set to "simulated"?


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
Reply