Secure Wipe with logging using ConfigMgr Task Sequence

First off, I want to give credit where due: I first borrowed this idea from Jeremy @ syswow.

I then modified it to give feedback to our Service Desk and keep a record on the server.
I also changed it from one step running 7 passes to 7 steps each running a single pass, so when you look at the TS progress, you know which pass it is on.
Look back to his blog for more details, as he explains the sdelete command and parameters used.


Overview of TS

  1. Restart to WinPE (x86)
  2. BIOS Settings - We have it clear our BIOS password, since the machines will be going to recycle
  3. Wipe Drive Section
  4. Copy SDELETE - Copies the files to the "OS" to be used (sdelete.reg, diskpart-clean.txt, and the batch file used at the end)
        Run Command Line - xcopy.exe ".\*.*" "%WinDir%" /E /C /Q /H /R /Y /I
  5. Accept the EULA - Adds a registry key to the OS registry
        regedit /s sdelete.reg
        Start in: %WinDir%
  6. Format and Partition Disk - Runs a TS format step
  7. 7-13 - Each runs one pass of sdelete (7 separate single-pass steps, so you can label each pass and someone watching knows which pass it is on)
        Run Command Line - sdelete.exe -p 1 -c -z
  8. Diskpart - Clean - Removes any partitions and leaves the drive blank
        Run Command Line - diskpart -s X:\Windows\diskpart-clean.txt
  9. Map Drive L: - Report Share - Maps a drive, granting access for the next step to save a file on the network
        Run Command Line - net use l: \\server.fqdn\share$\DiskWipeResults /user:domain\username password
  10. Posts information once the wipe is completed, and saves logs on the server
        Run Command Line - x:\Windows\JobComplete.bat
        Two logs are modified. It first creates a log for the individual machine, which can be printed and attached to the machine.
        It then appends to a log showing all computers that have undergone this process.

Screen Captures:

Step: Copy SDelete

Step: Accept the EULA

Step: Format and Partition Disk

Step: Wipe Disk Pass 1 - 7

Step: DiskPart - Clean

Step: Map Drive l: (requires an account with permissions to the share specified.  Recommend a Service Account that is locked down to only that share, and does not have logon rights)

Step: The HDD has been Wiped Clean

Capture of Process:



Logs on Server:
Creates a DiskWipe-SERIAL.txt file and appends to the DiskWipeResults.txt file.



It will then append the next computer, and so on to keep a running log of all.

Files Needed: (Also available in LINK at bottom)

JobComplete.bat file:

@echo off
REM Collect hardware details from WMI; with CSV output, token 2 of each data row is the value
for /F "skip=2 tokens=2 delims=," %%A in ('wmic systemenclosure get serialnumber /FORMAT:csv') do (set "serial=%%A")
set serial=%serial:~-15%

for /F "skip=2 tokens=2 delims=," %%A in ('wmic csproduct get vendor /FORMAT:csv') do (set "compvendor=%%A")

for /F "skip=2 tokens=2 delims=," %%A in ('wmic csproduct get name /FORMAT:csv') do (set "compname=%%A")

for /F "skip=2 tokens=2 delims=," %%A in ('wmic CPU get name /FORMAT:csv') do (set "CPUname=%%A")

for /F "skip=2 tokens=2 delims=," %%A in ('wmic computersystem get totalphysicalmemory /FORMAT:csv') do (set "memory=%%A")
set /a memory = memory / 1048576

for /F "skip=2 tokens=2 delims=," %%A in ('wmic diskdrive get size /FORMAT:csv') do (set "hddsize=%%A")
set hdd=%hddsize:~0,-4%
set /a hdd=hdd/1048576

set TimeStamp=%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%

REM Creates Network Log File
echo. >>l:\DiskWipeResults.txt
echo Date:       %TimeStamp% >>l:\DiskWipeResults.txt
echo Serial:     %serial% >>l:\DiskWipeResults.txt
echo Vendor:     %compvendor% >>l:\DiskWipeResults.txt
echo Model:      %compname% >>l:\DiskWipeResults.txt
echo CPU Type \ Speed:   %CPUname% >>l:\DiskWipeResults.txt
echo Memory:    %Memory%MB >>l:\DiskWipeResults.txt
echo HDD Size:   %hdd%GB >>l:\DiskWipeResults.txt
echo ____________________________________________________________ >>l:\DiskWipeResults.txt

REM Creates Network Label for Machine
echo Vendor:     %compvendor% >>l:\DiskWipe-%serial%.txt
echo Model:      %compname% >>l:\DiskWipe-%serial%.txt
echo Serial:     %serial% >>l:\DiskWipe-%serial%.txt
echo CPU Type \ Speed:   %CPUname% >>l:\DiskWipe-%serial%.txt
echo Memory:    %Memory%MB >>l:\DiskWipe-%serial%.txt
echo HDD Size:   %hdd%GB >>l:\DiskWipe-%serial%.txt
echo. >>l:\DiskWipe-%serial%.txt
echo Asset Tag:  ____________________ >>l:\DiskWipe-%serial%.txt
echo. >>l:\DiskWipe-%serial%.txt
echo DoD 5220.22-M sanitization Wipe using MS SDELETE - 7 Passes >>l:\DiskWipe-%serial%.txt
echo Date Sanitized: %TimeStamp% >>l:\DiskWipe-%serial%.txt
echo. >>l:\DiskWipe-%serial%.txt
echo. >>l:\DiskWipe-%serial%.txt
echo Sanitized and Verified By:  ______________________________ >>l:\DiskWipe-%serial%.txt

REM Creates Local Log file that displays at end of Process

echo Disk Wipe Complete, Please Record Data for Records >>X:\Windows\JobComplete.txt
echo This computer has finished with a DoD 5220.22-M sanitization of the local hard drive. >>X:\Windows\JobComplete.txt
echo Please close this file and turn off the computer. >>X:\Windows\JobComplete.txt
echo. >>X:\Windows\JobComplete.txt
echo Date:       %TimeStamp% >>X:\Windows\JobComplete.txt
echo Serial:     %serial% >>X:\Windows\JobComplete.txt
echo Vendor:     %compvendor% >>X:\Windows\JobComplete.txt
echo Model:      %compname% >>X:\Windows\JobComplete.txt
echo CPU Type \ Speed:   %CPUname% >>X:\Windows\JobComplete.txt
echo Memory:    %Memory%MB >>X:\Windows\JobComplete.txt
echo HDD Size:   %hdd%GB >>X:\Windows\JobComplete.txt
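
An added example, not part of the original package: a Python check that could run on the server holding DiskWipeResults.txt, parsing the records JobComplete.bat appends and comparing them with the serials sent for disposal. The sample log, the EX000n serials and the expected-serial list are constructed for illustration.

```python
import re
from collections import Counter

# Field labels exactly as JobComplete.bat echoes them into DiskWipeResults.txt.
FIELDS = ("Date", "Serial", "Vendor", "Model", "CPU Type \\ Speed", "Memory", "HDD Size")
RULE = re.compile(r"^_{10,}\s*$")   # the underscore line that ends each record

def parse_wipe_log(text):
    """Split the running log into one dict per wiped machine."""
    records, current = [], {}
    for line in text.splitlines():
        if RULE.match(line):
            records.append(current)
            current = {}
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip() in FIELDS:
            current[key.strip()] = value.strip()
    if current:  # fields after the last rule: the batch file was interrupted
        current["truncated"] = True
        records.append(current)
    return records

def audit(records, expected_serials):
    """Return findings: incomplete records, repeats, and assets never logged."""
    findings = []
    for n, rec in enumerate(records, 1):
        # A WMIC query that returned nothing leaves the value empty or unit-only.
        empty = [f for f in FIELDS if rec.get(f, "") in ("", "MB", "GB")]
        if empty:
            findings.append(f"record {n}: no value for {', '.join(empty)}")
        if rec.get("Date") and not re.fullmatch(r"\d{8}", rec["Date"]):
            findings.append(f"record {n}: date '{rec['Date']}' is not YYYYMMDD")
        if rec.get("truncated"):
            findings.append(f"record {n}: no closing rule, write was cut short")
    seen = Counter(r["Serial"] for r in records if r.get("Serial"))
    findings += [f"{s}: logged {c} times" for s, c in seen.items() if c > 1]
    findings += [f"{s}: no wipe record" for s in sorted(set(expected_serials) - set(seen))]
    return findings

# Constructed sample log (not real assets): a clean record, one where the
# serial and memory queries returned nothing, and a repeat of the first machine.
TEMPLATE = ("\nDate:       {date}\nSerial:     {serial}\nVendor:     ExampleCo\n"
            "Model:      Model-X\nCPU Type \\ Speed:   Example CPU @ 2.0GHz\n"
            "Memory:    {mem}\nHDD Size:   476GB\n" + "_" * 60 + "\n")
SAMPLE_LOG = (TEMPLATE.format(date="20160205", serial="EX0001", mem="8192MB")
              + TEMPLATE.format(date="20160205", serial="", mem="MB")
              + TEMPLATE.format(date="20160206", serial="EX0001", mem="8192MB"))
if __name__ == "__main__":
    print("\n".join(audit(parse_wipe_log(SAMPLE_LOG), ["EX0001", "EX0002"])))
```

The 8-digit date check matters because JobComplete.bat builds the date by slicing %DATE%, whose layout depends on the WinPE locale.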


sdelete.reg file:
Windows Registry Editor Version 5.00


Package Contents (Scripts and Files used):
Sdelete download:

9 thoughts on “Secure Wipe with logging using ConfigMgr Task Sequence”

  • February 5, 2016 at 10:22 am

    Great article - needs one change to work in CONFIGMGR R2 Sp1 and greater.

    SDelete -p C: -c -s -z /AcceptEULA

    • February 5, 2016 at 12:31 pm

      I'm currently running ConfigMgr R2 SP1, with Windows 10 x86 WinPE, and it is working without adding the /AcceptEULA. The step to accept the EULA takes care of it. I'm running the TS right now to confirm that it is working... on Wipe Disk Pass 1, might be a while before it finishes. But so far so good.

  • June 12, 2016 at 3:18 pm

    Thx, great article.
    I've added a JobStart.bat to write startdate and starttime to txt files, and in JobComplete I read starttime to compare the wipe duration. Also I've added wmic csproduct get version (Lenovo device names are in version).


  • February 13, 2017 at 10:12 am

    I had to change the SDelete command to:
    sdelete64.exe -p 1 -c C: -z

    It was requiring a drive letter to work.

    • February 13, 2017 at 11:13 am

      Did you have the "Start in" part set to c:\?

    • February 14, 2017 at 10:46 am

      Thanks, I appreciate the information. I haven't used this method since we went with Active Killdisk. (Business Requirement, I can't say it's actually any better, it's definitely more complicated).

  • June 14, 2017 at 5:56 am

    Hi guys, can anyone give me an indication as to how long this process took to complete? I am using SDelete.exe 1.61 and it has been running for 4 hours now, still on Pass 2.

