Intel vPro® Platform
Intel Manageability Forum (Intel® EMA, AMT & Manageability Commander)
Announcements
The Intel sign-in experience is changing in February to support enhanced security controls. If you sign in, click here for more information.
2663 Discussions

Remote Platform Erase

SistemasLVDG
Beginner
658 Views

 

Hello 

We have the following scenario:

- EMA Server version 1.8.1 over a Windows Server 2019 DCE VM.

- Endpoint: 

Model: "Dynabook Portégé X40L-K-110"

Processor: "Intel Core i5-1250P vPro"

BIOS version :2.30  (latest version)

Disk SSD : Model SAMSUNG MZVLQ512HBLU-00B00

The Endpoint is AMT provisioned in ACM Mode

 

SistemasLVDG_0-1674048771246.png

 

 

We have tried the Action "Platform Erase" with no success.

 

We tried this action with the Endpoint in differents States:

 

a- S0 Power State at BIOS Setup 

b- S0 Power State at Operating System Windows 10 Running

c- S5 Power State. 

 

Only in State (a) we get this KVM outputs 

SistemasLVDG_1-1674049078938.png

Secure Erase !!!!

 

SistemasLVDG_2-1674049087923.png

Disk erase completed. Exiting SSD Erase in 2 seconds

 

SistemasLVDG_3-1674049096098.png

Operating system not found

 

But Partition Table and File Systems in that partitions have not been erased.

 

Is there any log we can check or utility we can use to check and determine what was going wrong while did the erase?

 

We have seen that this feature depends on BIOS version and Hard Disk,

 

SistemasLVDG_4-1674049590787.png

 

 

how can we check that our Endpoint (described above) supports the Feature "Secure Erase" ?

 

Thank you very much in advance

 

0 Kudos
15 Replies
JoseH_Intel
Moderator
597 Views

Hello SistemasLVDG,


Thank you for joining the community


In order to confirm if your system supports this "Remote Secure Erase" feature, you want to check directly with the OEM (Dynabook in this case). The BIOS is developed by the manufacturer directly and Intel is not involved at any level.


About the logs, you can check at this path <Installer Directory>/EMALog-Intel®EMAInstaller.txt


Regards


Jose A.

Intel Customer Support Technician


SistemasLVDG
Beginner
573 Views

Hello Jose 

 

We have executed a Secure Erase with Success from BIOS Setup

 

SistemasLVDG_0-1674224746615.png

 

 GPT Disk's Partition Table was correctly removed, so this operation was successfull, what confirms our BIOs  and our SSD Disk support this feature.

 

So we need to know why this "Platform Erase" Action does not work , because the logs,  in the path you indicated are associated to the log of the Installer 

 <Installer Directory>/EMALog-Intel®EMAInstaller.txt

 

is there any alternative log file  ?

 

We have reviewed this directory and its files 

c:\Program Files (x86)\Intel\Platform Manager\EMALogs\

 

but we don't find the reason why this erase does not progress .

 

Thanks in advance

 

 

 

 

 

 

JoseH_Intel
Moderator
534 Views

Hello SistemasLVDG,


So just to clarify. Whenever you apply the Secure Erase option directly from BIOS it works fine. But when you try to apply it from the EMA console, it shows as successful, the OS is not found, but the partition tables are not fully deleted.


I am still investigating if there are any alternate logs that can be retrieved.


We will look forward to your update


Regards


Jose A.

Intel Customer Support Technician


SistemasLVDG
Beginner
518 Views

Hello Jose

 

We answer on your email:

 

So just to clarify. Whenever you apply the Secure Erase option directly from BIOS it works fine.

yes, that´s correct

But when you try to apply it from the EMA console, it shows as successful, the OS is not found, but the partition tables are not fully deleted.

yes, partition table of the GPT disk is intact and the contents of the filesystems inside that partitions too.

 

I am still investigating if there are any alternate logs that can be retrieved.

thanks, that´s what we need

 

As a complementary information. The only way that the BIOS Setup of our Dynabook endpoints show the "Secure Erase" option as available is unsetting/unregistering/clearing de "SSD Master Password". As you know, the RPE (Remote Platform Erase) asks for the 

"SSD Master Password" in order to do the Remote Erase. We have tested the RPE in two different scenarios:

1- With the "SSD Master Password" set

2- With the "SSD Master Password" unset/unregistered and using de "BIOS Supervisor Password" at the RPE form (instead of the
"SSD Master Password")
but the results were the same (partition table of the GPT disk is intact and the contents of the filesystems inside that partitions too)

 

We will look forward to your update

 

 

 

 

JoseH_Intel
Moderator
465 Views

Hello SistemasLVDG,


Based on the documentation in 

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-...

in section 1.2.9 it seems that your system complies with the requirements; nevertheless, after reviewing the https://www.intel.com/content/www/us/en/develop/documentation/amt-developer-guide/top/remote-secure-... it specifies that the SSD should be Intel® SSD Professional Family (Pro 6000p Series, Pro 5400s Series, Pro 2500 Series, Pro 1500 Series, ). Since you are using an OEM disk, this could be the reason for the feature not working as expected


Regards


Jose A.

Intel Customer Support Technician


SistemasLVDG
Beginner
455 Views

Please Jose, 

could you confirm us 100% secure that "Remote Secure Erase" and "Remote Platform Erase" can only succeed with Intel® SSD Professional Family (Pro 6000p Series, Pro 5400s Series, Pro 2500 Series, Pro 1500 Series, )?
 
Thanks
JoseH_Intel
Moderator
427 Views

Hello SistemasLVDG,

 

Based on the Intel documentation, that particular SSD series models are the supported ones for the Remote Secure Erase feature

 

Below are the platform requirements for RSE support:

  • Platform with Intel AMT 11.0 or later
  • BIOS supporting Intel RSE capability
  • Intel® SSD Professional Family (Pro 6000p Series, Pro 5400s Series, Pro 2500 Series, Pro 1500 Series, )

But if you are planning to purchase a new SSD for this purpose only, I could suggest you try to get a similar one and test it before.

 

Regards

 

Jose A.

Intel Customer Support Technician

 

SistemasLVDG
Beginner
391 Views

Thanks for the answer Jose

Please, may we maintain the case open while our OEM (Dynabook) clarifies its support of this Feature?

JoseH_Intel
Moderator
347 Views

Hello SistemasLVDG,

 

Could you please try the following?

 

Run the ECT tool on your system and save to .xml file

Open the .xml file and there will be two entries for RSE, do a search for:

 

<IsRSEEnabled>Value</IsRSEEnabled>

<RSESupported>Value</RSESupported>

 

Do you have True or False value for each?

 

Regards

 

Jose A.

Intel Customer Support Technician

 

 

SistemasLVDG
Beginner
325 Views

Hello Jose

 

Both values have True value

SistemasLVDG_3-1675068689905.png

 

 

SistemasLVDG_2-1675068651933.png

 

 

 

JoseH_Intel
Moderator
290 Views

Hello SistemasLVDG,

 

Thank you. Let me analyze this and will get back to you.

 

Regards

 

Jose A.

Intel Customer Support Technician


JoseH_Intel
Moderator
100 Views

Hello SistemasLVDG,


We apologize for the ongoing and repetitive questions, but could you please confirm the following:


We will look forward to your comments


Regards


Jose A.

Intel Customer Support Technician


SistemasLVDG
Beginner
80 Views

 

Hello Jose
 
We answer directly on your email
 
Thank you
Best Regards

 

On Fri, 3 Feb 2023 at 05:40, Intel Community <noreply@community-mail.intel.com> wrote:

Hi SistemasLVDG,

 

JoseH_Intel (Moderator) posted a new reply in Intel vPro® Platform on 02-03-2023 05:40 AM:

 


 

Re:Remote Platform Erase

 

 

Hello SistemasLVDG,

 

We apologize for the ongoing and repetitive questions, but could you please confirm the following:

Is the SSD in the client system one that is in the supported list here? https://www.intel.com/content/www/us/en/develop/documentation/amt-developer-guide/top/remote-secure-...
 
In the details of the first post of this case/thread, we gave the following details:

 

Model: "Dynabook Portégé X40L-K-110"

Processor: "Intel Core i5-1250P vPro"

BIOS version :2.30  (latest version)

Disk SSD : Model SAMSUNG MZVLQ512HBLU-00B00

As you can see, disk model is NOT one of the list 

 
SistemasLVDG_2-1675411704391.png

 

 
Do you know if this requirement has changed last months and therefore it is allowed to do RSE with disks of other OEMs than Intel?

 

 

 
 
Do they have remote platform erase enabled in the AMT profile?
 
Our AMT Profile has enabled the RPE (Remote Platform Erase -> New action associated to a RSE/RemoteSecureErase) management interface
 
SistemasLVDG_3-1675411731274.png

 

 
Due to the previous, ECT launched on a endpoint where this AMT profile is applied to its endpoints groups through "Intel AMT Autosetup"  does show the IsRSEEnabled with True value
SergioS_Intel
Moderator
61 Views

Hello SistemasLVDG,


Thank you for waiting for our updates.  


In order to continue troubleshooting your issue, you need to contact the OEM to get the instructions to turn OFF "Demo Mode". The drive will actually get wiped by EMA when this is changed.


In case you need more assistance please let us know.


Best regards,

Sergio S.

Intel Customer Support Technician


SistemasLVDG
Beginner
29 Views

Thanks for answer Sergio

We have just forwarded to the OEM these questions:
- is "Demo Mode" turned ON in our endpoints?

- if so, which is the procedure to turn it OFF?

Reply