Intel® Active Management Technology (AMT) version 11.0 introduces a new feature called Remote Secure Erase (RSE). RSE is designed to allow IT administrators to remotely wipe the hard disk of the client device supporting AMT (v11.0 or above).
There may be many reasons to perform this remote disk wipe operation, but the following two usages are significant to IT administrators:
Repurpose PC – When an employee is leaving the organization or changing job roles, the IT administrator has to repurpose the PC.
Stolen PC – When an employee notifies IT of their PC being lost or stolen, protecting business content on the PC is very important.
When an employee leaves the organization, the IT administrator collects the PC, erases the disk drive, and reloads the OS and applications as needed. Remote Secure Erase combined with the other Intel® AMT redirection features (IDE-R, KVM) allows the IT administrator to securely erase the whole disk drive (bootable partition) and then provision the OS and applications remotely over KVM and IDE-R.
In the stolen PC scenario, Remote Secure Erase together with Intel® AMT Fast Call for Help enables IT to issue the disk erase command remotely as soon as the PC connects to the internet, protecting the business-sensitive content on the drive.
Below are the platform requirements for RSE support:
Platform with Intel® AMT 11.0 or later
BIOS supporting Remote Secure Erase capability
In order to add support for Remote Secure Erase to your solution, you will need the AMT SDK and the AMT SDK documentation.
Here is the expected flow for implementing the RSE solution:
IT administrator sets user and master hard drive password on the PC before deploying it to the employee
System discovery – the ISV verifies whether the system supports the RSE feature by checking AMT_BootCapabilities.SecureErase
Only for systems that support the RSE feature does the ISV application offer a secure erase option in its management console
When initiating the secure erase operation, the ISV console prompts the IT administrator for the master password configured for the drive.
The ISV uses the master password supplied by the IT administrator to set the boot options to secure erase, sends the password to AMT, and reboots the platform. See the AMT documentation for more details.
To check the progress of the erase operation, the ISV queries AMT_BootSettingsData.BIOSLastStatus and expects the first element of the status to report InProgress. This indicates that the remote secure erase operation has started. The erase operation time varies with the size of the disk being erased.
When the operation completes, the first item of BIOSLastStatus changes to either 0 (success) or 65535 (failed).
If status changes to 0, BIOS automatically clears the boot options and ISV console can display a message for successful erase operation.
If the status changes to 65535, examine the second item of BIOSLastStatus to get the detailed error code. In case of failure, the boot options are not cleared, so depending on the detailed error the ISV console can either stop the operation or retry. If the operation is stopped, the boot options must be cleared through a WS-Man command. For a retry, depending on the system power state, either power up or reset the platform so the secure erase operation is attempted on the next boot.
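The flow above (capability check, setting the boot options, polling BIOSLastStatus, and the success/stop/retry decision), as an added example that is not part of the original article or of the Intel AMT SDK. It is written in Python against a constructed stand-in client: `FakeAmtClient`, its method names, the `should_retry` policy, the detail codes in the scripted status sequences, and the `Outcome` values are all assumptions standing in for the ISV's real WS-Man calls. The values 0 and 65535 are the ones the page gives; the page names the third value only as InProgress, so the example uses that symbolic name as a placeholder rather than inventing a numeric code.

```python
from enum import Enum
from typing import Callable, List, Sequence, Tuple

# Values of BIOSLastStatus[0] stated on the page.
SUCCESS = 0
FAILED = 65535
# Placeholder: the page names this value only as "InProgress"; the numeric
# code is in the AMT SDK documentation, so a symbolic name is used here.
IN_PROGRESS = "InProgress"


class Outcome(Enum):
    NOT_SUPPORTED = "not_supported"  # AMT_BootCapabilities.SecureErase is false
    SUCCESS = "success"              # BIOS cleared the boot options itself
    STOPPED = "stopped"              # failed; boot options cleared via WS-Man
    TIMEOUT = "timeout"              # still InProgress after max_polls


class FakeAmtClient:
    """Constructed stand-in for the ISV's WS-Man calls to AMT (hypothetical API).

    status_sequence scripts what AMT_BootSettingsData.BIOSLastStatus returns on
    successive polls as (first, second) pairs; the last entry repeats once used.
    """

    def __init__(self, supports_secure_erase: bool,
                 status_sequence: Sequence[Tuple], powered_on: bool = True):
        self._supported = supports_secure_erase
        self._statuses = list(status_sequence)
        self.powered_on = powered_on
        self.boot_options_set = False
        self.password_sent = None
        self.resets = 0
        self.power_ups = 0
        self.ws_man_clears = 0

    def secure_erase_supported(self) -> bool:      # AMT_BootCapabilities.SecureErase
        return self._supported

    def set_secure_erase_boot_options(self, master_password: str) -> None:
        self.boot_options_set = True
        self.password_sent = master_password

    def reset(self) -> None:
        self.resets += 1

    def power_up(self) -> None:
        self.power_ups += 1
        self.powered_on = True

    def bios_last_status(self) -> Tuple:           # AMT_BootSettingsData.BIOSLastStatus
        status = self._statuses.pop(0) if len(self._statuses) > 1 else self._statuses[0]
        if status[0] == SUCCESS:
            self.boot_options_set = False          # BIOS clears boot options on success
        return status

    def clear_boot_options(self) -> None:          # the WS-Man clear command
        self.ws_man_clears += 1
        self.boot_options_set = False


def _boot(client: FakeAmtClient) -> str:
    """Reset a running platform, or power up one that is off, for the next boot."""
    if client.powered_on:
        client.reset()
        return "reset"
    client.power_up()
    return "power up"


def run_secure_erase(client: FakeAmtClient, master_password: str,
                     should_retry: Callable[[int], bool],
                     max_retries: int = 1, max_polls: int = 10) -> Tuple[Outcome, List[str]]:
    """Drive one RSE attempt; returns the outcome and a console log.

    The master password is sent to AMT but deliberately never written to the log.
    """
    log: List[str] = []
    if not client.secure_erase_supported():
        log.append("AMT_BootCapabilities.SecureErase is false; secure erase not offered")
        return Outcome.NOT_SUPPORTED, log
    client.set_secure_erase_boot_options(master_password)
    log.append("boot options set to secure erase; %s issued" % _boot(client))
    retries = 0
    for poll in range(max_polls):
        first, detail = client.bios_last_status()
        if first == IN_PROGRESS:
            log.append("poll %d: erase in progress" % poll)
            continue
        if first == SUCCESS:
            log.append("poll %d: erase succeeded; BIOS cleared boot options" % poll)
            return Outcome.SUCCESS, log
        if first == FAILED:
            log.append("poll %d: erase failed, detail=%d" % (poll, detail))
            if retries < max_retries and should_retry(detail):
                retries += 1                        # boot options are still set
                log.append("retry %d: %s issued" % (retries, _boot(client)))
                continue
            client.clear_boot_options()
            log.append("operation stopped; boot options cleared via WS-Man")
            return Outcome.STOPPED, log
        raise ValueError("unexpected BIOSLastStatus[0]: %r" % (first,))
    return Outcome.TIMEOUT, log
```

The retry policy is left to the caller because the page only says the decision depends on the detailed error code; in a real console it would be a lookup over the codes documented in the AMT SDK. On timeout the boot options are intentionally left in place so the console can keep polling rather than cancelling an erase that may still be running.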
The PowerShell script (see attachments) demonstrates the usage of the AMT Remote Secure Erase feature with code snippets. For information on running PowerShell scripts with the Intel® vPro module please refer to the AMT SDK and related Intel® AMT Implementation and Reference Guide. More information about configuring Intel vPro PowerShell module can be found here.
After establishing a connection (note: you will need to enter the proper credentials and machine address for your client system), the script demonstrates the flow as described above.
This should provide all the items you need to start using the feature. If you have questions please post them to the Intel® Business Client Software Development Discussion Forum.
Summary
In summary, this feature is designed to allow IT administrators to remotely wipe the entire hard disk in a secure fashion, whether to repurpose a PC or to protect the valuable data on a stolen PC.
About the Authors/Contributors
Ajith Illendula is a Senior Software Engineer enabling Business Client and Security Applications for large enterprises.