We'll use an SCCM task sequence to boot into Windows PE and format the drive with a single, empty C: partition. Then we'll use SDelete to handle the DoD wipe of the empty partition.
To do this, we'll need to get SDelete into Windows PE. To start, we'll create a package containing SDelete.exe (which can be downloaded from here: http://technet.microsoft.com/en-us/sysinternals/bb897443.aspx).
We'll also create a file called sdelete.reg with the following contents:
----------------- begin sdelete.reg -----------------
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Sysinternals\SDelete]
"EulaAccepted"=dword:00000001
----------------- end sdelete.reg -----------------
Once the package with these two files is created, we can now move to our task sequence.
Note: These steps only apply to systems with a single hard drive. If you have multiple hard drives, you'll need to repeat steps 3 and 4 for each disk in the system.
Step 1: Add a task to Restart into WinPE using your favorite boot.wim.
Step 2: We're going to copy over the files from our sdelete package. To do this, add a General -> Run Command Line task. Check the box by Package and select the package created with the sdelete files in it. The command line that I use whenever I'm copying files from a package to WinPE is:
xcopy.exe ".\*.*" "%WinDir%" /E /C /Q /H /R /Y /I
(Ignore the whole Enable Remote Control section in this image. If you want to learn about using VNC to connect to WinPE, see my previous post)
Step 3: Add another Run Command Line task to import the registry file:
regedit /s sdelete.reg
Set the Start in field to %WinDir%, since that is where we copied the files.
Step 4: Now we'll create one big C: partition to fill the entire drive. Add a Disks -> Format and Partition Disk task. Set Disk number to 0 and Disk type to Standard (MBR). Create a new Volume. Set the Partition type to Primary and set it to use 100% of the free space. The File system should be NTFS, and I recommend checking the Quick Format box (the seven-pass 0/1 fill takes long enough).
Step 5: Now that we have one big, empty C: partition, it's time to use sdelete to make sure that the old data is unrecoverable. For this we'll go back to a Run Command Line task. Our command will be:
sdelete.exe -p 7 -c -z
The -p 7 gives us seven passes. The -c tells it to clean free space. The -z tells it to zero free space.
It's important to set the Start in field to C:\, otherwise you might try to clean the X: drive.
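The Step 5 command can also be wrapped in a small guard script so the wipe refuses to run anywhere except WinPE with C:\ as its working directory. This is an added example, not part of the original post; the file name wipe.cmd and the exit codes 10 to 14 are hypothetical, and it assumes the script is added to the sdelete package and copied to %WinDir% in Step 2.

```batch
@echo off
rem wipe.cmd (hypothetical name): guard wrapper around the Step 5 command.
setlocal

rem 1. Only continue inside Windows PE. The MiniNT key is present in WinPE
rem    and absent from a full Windows installation.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\MiniNT" >nul 2>&1
if errorlevel 1 (
    echo Not running in Windows PE, refusing to wipe.
    exit /b 10
)

rem 2. The target must not be the drive WinPE itself runs from (normally X:).
if /i "%SystemDrive%"=="C:" (
    echo System drive is C:, refusing to wipe.
    exit /b 11
)

rem 3. The freshly formatted C: volume from Step 4 must exist.
if not exist C:\ (
    echo C:\ not found, check the Format and Partition Disk step.
    exit /b 12
)

rem 4. sdelete.exe must have been copied to %WinDir% in Step 2.
if not exist "%WinDir%\sdelete.exe" (
    echo sdelete.exe not found in %WinDir%.
    exit /b 13
)

rem 5. Make C:\ the working directory explicitly instead of relying on the
rem    Start in field, then run the same command the post uses.
pushd C:\ || exit /b 14
"%WinDir%\sdelete.exe" -p 7 -c -z
set RC=%ERRORLEVEL%
popd

rem Hand sdelete's exit code back to the task sequence step.
echo sdelete finished with exit code %RC%
exit /b %RC%
```

The Run Command Line task would then call `cmd.exe /c wipe.cmd` with Start in set to %WinDir%, in place of the bare sdelete command.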
Now you're ready to go destroy some data! Just advertise your task sequence and watch it go to work making information unrecoverable. I think it goes without saying, but you should be very careful about where this is advertised, especially if you're using mandatory assignments.
How do you get the boot image to a remote computer? I have a computer that is stolen and obviously not on the network so how do you boot into WIM image when not on the network?
I would not recommend this in a corporate environment because you can never control whether an administrator makes a mistake. Suppose it's advertised to All Systems; you would be done.
What do you do about the log file that's left on the C:\ drive (C:\_SMSTSLog)?
Can I bump this 4 years later? Still an issue. Still no answer.
Follow this https://garytown.com/secure-wipe-with-logging-using-configmgr-task-sequence
Hi, I know this is an older article. Thank you so much for the information. I just have one issue. I think I created the sdelete package incorrectly, because I get an error "cannot find files" during the copy phase. Suggestions?
Great article - needs one change to work in CONFIGMGR R2 Sp1 and greater.
SDelete -p C: -c -s -z /AcceptEULA
Works great thanks. Know of any way to monitor progress?
Question, does this require the system you are wiping to have an operating system, or are we talking about PXE booting?
The more I think of this, the more I think about how simple it is to build your own PXE image anyways. You can use buildroot to make a Linux-based PXE image bootable over the network. This is practically what my job is. As for secure wiping, well, what is secure? You need a certificate generation for that, it needs verification.