Secure Wipe with logging using ConfigMgr Task Sequence

First off, I want to give credit where Due, I first borrowed this idea from Jeremy @ syswow
http://syswow.blogspot.com/2012/05/secure-dod-drive-wiping-with-sccm.html

Then Modified it to give feed back to our Service Desk, and keep a record on the Server
Also changed it from one 1 step to run 7 passes, to having 7 steps run a single pass, so when you look at the TS Progress, you know what pass it is on.
Look back to his blog for more details, as he explains the sdelete command and parameters used.

0AFFBE3901D4EFF97157F1DD6499471F03058598

Overview of TS

  1. Restart to WinPE (x86)
  2. Bios Settings – We have it clear our Bios Password, since they machines will be going recycle
  3. Wipe Drive Section
  4. Copy SDELETE – Copies the Files the “OS” to be used (sdelete.reg, diskpart-clean.txt, and batch file used at end)
        Run Command Line – xcopy.exe “.\*.*” “%WinDir%” /E /C /Q /H /R /Y /I
  5. Accept the EULA – adds registry key to OS Registry
        regedit /s sdelete.reg
        Start in: %WinDir%
  6. Format and Partition Disk – Runs a TS format Step
  7. 7-13 – Runs a Pass of sdelete (Running 7 separate passes so you can label each pass, so the someone watching knows what pass they are on)
        Run Command Line – sdelete.exe -p 1 -c -z
  8. Diskpart – Clean – Removes any Paritions and leaves the drive a blank
        Run Command Line – diskpart -s X:\Windows\diskpart-clean.txt
  9. Map Drive L: – Report Share – This maps a Drive, granting access for the Next Step to save a file on the Network
        Run Command Line – net use l: \\server.fqdn\share$\DiskWipeResults /user:domain\username password
  10. Posts information once Wipe is completed, and saves logs on the Servers
        Run Command Line – x:\Windows\JobComplete.bat
        2 Logs are Modified.  It first will create a log for the indivdual machine, which can be printed and attached to the machine
                                        It then appends to a log showing all computers that have undergone this process

Screen Captures:

Step: Copy SDelete
18D27D7BCC6DDAC31E417912C0E99725D2A9AF26

Step: Accept the EULA
303273F7C8EB8B8560A1D1D8C9BFEF837FE6B2AE

Step Format and Partition Disk
16E2E07DEC4BB25934688525D14CD832F6E9A578

Step: Wipe Disk Pass 1 – 7
E5D5EACB27C4FA67EF3E4452D4529184AAAA4F7A

Step: DiskPart – Clean
BFC18BF18E817ED11476A318ABBB6B056B07D7E4

Step: Map Drive l: (requires an account with permissions to the share specified.  Recommend a Service Account that is locked down to only that share, and does not have logon rights)
D33C5BC6E89BAC7D5EBEB22A81A94DA13162140B

Step: The HDD has been Wiped Clean
3D5371ED79DC4F45CE45D6C003B347929BE3C28D

Capture of Process:

4160BC3D7D0470A159428D9A4D575DC7971FB5DA

BA2BA894CF812FED1A4F9C495E22A563F7993AE3

Logs on Server:
Creates a DiskWipe-SERIAL.txt file &  Appends to the DiskWipeResults.txt file.

14581C8FD05883522E163764DCE8E4B04E329769

DiskWipe-Serial.txt:
1643D07272475EB1A54B8A6E647C62BDBD325B6E

DiskWipeResults.txt:
It will then append the next computer, and so on to keep a running log of all.
D195347F57E1D1068C3BC25F9782F54FDE3BD4C3

Files Needed: (Also available in LINK at bottom)

JobComplete.bat file:
——

Echo off
for /F “skip=2 tokens=2 delims=,” %%A in (‘wmic systemenclosure get serialnumber /FORMAT:csv’) do (set “serial=%%A”)
set serial=%serial:~-15%

for /F “skip=2 tokens=2 delims=,” %%A in (‘wmic csproduct get vendor /FORMAT:csv’) do (set “compvendor=%%A”)

for /F “skip=2 tokens=2 delims=,” %%A in (‘wmic csproduct get name /FORMAT:csv’) do (set “compname=%%A”)

for /F “skip=2 tokens=2 delims=,” %%A in (‘wmic CPU get name /FORMAT:csv’) do (set “CPUname=%%A”)

for /F “skip=2 tokens=2 delims=,” %%A in (‘wmic computersystem get totalphysicalmemory /FORMAT:csv’) do (set “memory=%%A”)
set /a memory = memory / 1048576

for /F “skip=2 tokens=2 delims=,” %%A in (‘wmic diskdrive get size /FORMAT:csv’) do (set “hddsize=%%A”)
set hdd=%hddsize:~0,-4%
set /a hdd=hdd/1048576

set TimeStamp=%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%

REM Creates Network Log File
echo. >>l:\DiskWipeResults.txt
echo Date:       %TimeStamp% >>l:\DiskWipeResults.txt
echo Serial:     %serial% >>l:\DiskWipeResults.txt
echo Vendor:     %compvendor% >>l:\DiskWipeResults.txt
echo Model:      %compname% >>l:\DiskWipeResults.txt
echo CPU Type \ Speed:   %CPUname% >>l:\DiskWipeResults.txt
echo Memory:    %Memory%MB >>l:\DiskWipeResults.txt
echo HDD Size:   %hdd%GB >>l:\DiskWipeResults.txt
echo ____________________________________________________________ >>l:\DiskWipeResults.txt

REM Creates Network Label for Machine
echo Vendor:     %compvendor% >>l:\DiskWipe-%serial%.txt
echo Model:      %compname% >>l:\DiskWipe-%serial%.txt
echo Serial:     %serial% >>l:\DiskWipe-%serial%.txt
echo CPU Type \ Speed:   %CPUname% >>l:\DiskWipe-%serial%.txt
echo Memory:    %Memory%MB >>l:\DiskWipe-%serial%.txt
echo HDD Size:   %hdd%GB >>l:\DiskWipe-%serial%.txt
echo. >>l:\DiskWipe-%serial%.txt
echo Asset Tag:  ____________________ >>l:\DiskWipe-%serial%.txt
echo. >>l:\DiskWipe-%serial%.txt
echo DoD 5220.22-M sanitization Wipe using MS SDELETE – 7 Passes >>l:\DiskWipe-%serial%.txt
echo Date Sanitzed: %TimeStamp% >>l:\DiskWipe-%serial%.txt
echo. >>l:\DiskWipe-%serial%.txt
echo. >>l:\DiskWipe-%serial%.txt
echo Sanitized and Verified By:  ______________________________ >>l:\DiskWipe-%serial%.txt

REM Creates Local Log file that displays at end of Process

echo Disk Wipe Complete, Please Record Data for Records >>X:\Windows\JobComplete.txt
echo This computer has finished with a DoD 5220.22-M sanitization of the local hard drive. >>X:\Windows\JobComplete.txt
echo Please close this file and turn off the computer. >>X:\Windows\JobComplete.txt
echo. >>X:\Windows\JobComplete.txt
echo Date:       %TimeStamp% >>X:\Windows\JobComplete.txt
echo Serial:     %serial% >>X:\Windows\JobComplete.txt
echo Vendor:     %compvendor% >>X:\Windows\JobComplete.txt
echo Model:      %compname% >>X:\Windows\JobComplete.txt
echo CPU Type \ Speed:   %CPUname% >>X:\Windows\JobComplete.txt
echo Memory:    %Memory%MB >>X:\Windows\JobComplete.txt
echo HDD Size:   %hdd%GB >>X:\Windows\JobComplete.txt
X:\Windows\JobComplete.txt

——-

sdelete.reg file:
——-
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Sysinternals\SDelete]
“EulaAccepted”=dword:00000001
——–

Package Contents (Scripts and Files used): http://garytown.com/Downloads/SDelete.zip
Sdelete download: http://technet.microsoft.com/en-us/sysinternals/bb897443.aspx

26 thoughts on “Secure Wipe with logging using ConfigMgr Task Sequence”

    • I’m currently running ConfigMgr R2 SP1, with Window 10 x86 WinPE, and it is working without adding the /AcceptEULA. The Step to accept EULA takes care of it. I’m running the TS right now to confirm that it is working… on Wipe Disk Pass 1, might be awhile before it finishes. But so far so good.

      Reply
  1. Thx, great article.
    I’ve added a JobStart.bat to write startdate and starttime to txt files and in JobComplete read starttime to compare the white duration. Also I’ve added mic csproduct get version (lenovo device names are in version).

    Br
    Pat

    Reply
    • Thanks, I appreciate the information. I haven’t used this method since we went with Active Killdisk. (Business Requirement, I can’t say it’s actually any better, it’s definitely more complicated).

      Reply
  2. Hi Guys, can any one give me a indication as to how long this process took to complete? I am using SDelete.exe 1.61 and it has been running for 4 hours now, still on Pass 2

    Reply
    • I forget off hand, it’s in the HP Docs. Basically you’re just setting a password of blank. If I was re-writing today, I’d probably leverage HPCMSL, but watch https://miketerrill.net/, I know he has been working. You do need to know the current password to be able to remove the password.

      Reply
  3. Doesn’t work, I get this error immediately after booting into winpe:
    “The task sequence execution engine failed execution of a task sequence. The operating system reported error 2147942403: The system cannot find the path specified.”

    I guess this was the first step of the sdelete copy command, it does not have much more detail from the alerts.

    Reply
    • Typically if it can’t find the path, it can’t find the path to the file you’re calling, sdelete.
      Follow standard troubleshooting methods at this point, Add a Pause and see if you can run the command manually.

      Reply
  4. Does anyone know if this article is still valid with the current SCCM build. I am on version 2010. I have the task sequence created, and it goes to the formatting of the drive, and then when it goes to do the SDelete part, it errors out.

    Any assistance would be greatly appreciated.

    Thank you.

    Reply
    • You’ll need to confirm that you’re formatting the drive before hand. If you have more details on the error message, that would be helpful. Typically the SMSTS.log would provide the clues needed.

      Reply
  5. Hi sir,

    Just a bit confused about Runs a Pass of sdelete steps. Do I run same command in each step or I need to change the number as per below:
    sdelete.exe -p 1 -c -z
    sdelete.exe -p 2 -c -z
    sdelete.exe -p 3 -c -z
    .
    .

    Reply
    • it runs 7 single passes, the reason is because to be considered a secure wipe, it needed to run 7 times, but I didn’t want to have 1 step run the pass 7 times, I wanted to have 7 steps each run one pass so if someone was watching, or it failed, it would be easy to see how many wipes have already run.

      Reply
  6. Hi!

    your guide is amazing, thanks a lot. But i have a question: When sdelete is done wiped then can continue to installation windows 10? MDT is stuck after wiped and wont continue next task sequence.

    Reply
  7. Very good guide.
    Just wondering if it has been tested in MDT, since?
    I am trying to get something to work, in MDT, which will do a deep wipe.

    Reply
    • I don’t do any testing in MDT, but sdelete would work fine in any WinPE environment, so you should be able to use this as your guide to rebuild in MDT.

      Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.