Many years ago I blogged about using SDelete to run a secure wipe task sequence.
Secure Wipe with logging using ConfigMgr Task Sequence – GARYTOWN ConfigMgr Blog
Since then, I’ve updated it a bit, and I’m reposting and uploading the Task Sequence.
There are no packages associated with it; all the content it needs is downloaded from the internet. If the devices you’re wiping don’t have internet access, you’ll have to rework it a bit to put the content into packages.
Secure Wipe Task Sequence (7736 downloads)

Task Sequence in Console

- If Starting from Windows
- Suspend BitLocker
- Restart into WinPE
- Wipe Drive
- Gather – This gathers a lot of information about the device into task sequence variables, which will get used in BGInfo and in the SDELETE step
- Steps for BGInfo
- Partition Disk 0 – BIOS – Quick – Does a Quick format of the drive
- Partition Disk 0 – UEFI – Quick – Does a Quick format of the drive
- BGInfo Populate – Run PowerShell that tags a bunch of info for BGInfo Template to consume
- Set BGInfo Background – Run PowerShell that downloads BGInfo.zip from Microsoft, extracts it, then downloads the BGInfo Template from my GitHub and launches it – I recommend you copy the template, modify it to suit your content, and host it somewhere else.
- Full Format if NOT VM
- Partition Disk 0 – BIOS – Quick – Does a Full format of the drive (For Fun)
- Partition Disk 0 – UEFI – Quick – Does a Full format of the drive (For Fun)
- Secure Delete Free Space (SDELETE) – Runs PowerShell that downloads SDELETE from Microsoft and runs it for 7 passes.
- Popup if Success… lets you know all is well
- Popup if Fail… lets you know all is not well.
Task Sequence Running


Scripts
These are all embedded scripts, so if you import the TS, they will be there. Otherwise, they are on GitHub too:

garytown/BGInfoRegBuilderTS.ps1 at master · gwblok/garytown · GitHub

garytown/BGINFO_DL_Launch.ps1 at master · gwblok/garytown · GitHub

garytown/SecureWipeSDELETE.ps1 at master · gwblok/garytown · GitHub
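
Because the SDELETE step fetches its binary from the internet at wipe time, it is worth checking what was downloaded before running it. The following is an added example, not the embedded SecureWipeSDELETE.ps1 from the task sequence: it downloads SDelete, verifies the Authenticode signature, then runs 7 passes with logging. The target volume, log file name, use of `-c`, and the availability of PowerShell with `Expand-Archive` and working signature validation in WinPE are assumptions.

```powershell
# Added example, not the task sequence's own script.
# Assumptions: WinPE with PowerShell and network access; the wipe target is C:.
$ErrorActionPreference = 'Stop'
$Url     = 'https://download.sysinternals.com/files/SDelete.zip'  # Sysinternals download
$WorkDir = Join-Path $env:TEMP 'SDelete'          # lands on the X: RAM disk in WinPE
$Zip     = Join-Path $WorkDir 'SDelete.zip'
$Exe     = Join-Path $WorkDir 'sdelete64.exe'
$Drive   = 'C:'                                   # assumed target volume
$Passes  = 7                                      # pass count used by the task sequence
$LogFile = Join-Path $WorkDir 'SecureWipe.log'    # hypothetical log file name

function Write-WipeLog([string]$Message) {
    # Timestamp every line; write it to the log and echo it for the TS log.
    "{0:u} {1}" -f (Get-Date), $Message | Tee-Object -FilePath $LogFile -Append
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri $Url -OutFile $Zip -UseBasicParsing
Expand-Archive -Path $Zip -DestinationPath $WorkDir -Force

# Refuse to run the downloaded binary unless its signature is valid
# and the signer is Microsoft. An unsigned file has no SignerCertificate
# and fails the subject match as well.
$Sig = Get-AuthenticodeSignature -FilePath $Exe
if ($Sig.Status -ne 'Valid' -or
    $Sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    Write-WipeLog "Signature check failed: $($Sig.Status) $($Sig.SignerCertificate.Subject)"
    exit 1
}
$Hash = (Get-FileHash -Path $Exe -Algorithm SHA256).Hash
Write-WipeLog "Verified $Exe (SHA256 $Hash)"

# -p = number of overwrite passes, -c = clean free space on the volume,
# -accepteula = suppress the interactive EULA prompt, -nobanner = no banner text.
Write-WipeLog "Starting SDelete: $Passes passes on $Drive"
& $Exe -accepteula -nobanner -p $Passes -c $Drive |
    ForEach-Object { Write-WipeLog $_ }
$Code = $LASTEXITCODE
Write-WipeLog "SDelete exit code: $Code"
exit $Code   # non-zero lets the task sequence route to the failure popup
```

Recording the SHA256 of the binary that actually ran gives the wipe log an auditable link to a known SDelete release.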
GARYTOWN.COM
Works flawlessly here. Great work Gary! I added a step to wipe the TPM chip on my HP devices and set BIOS to factory defaults. This is done with the old tool BiosConfigUtility64.exe from HP.
Hi Gary, This works flawlessly in my environment. However, I keep seeing conflicting information on whether SDELETE will suffice for modern SSD/NVME drives. What are your recommendations or thoughts?
One more thought: Since SDelete requires a drive letter and one is created with the Full Format step, the _SMSTSLogPath variable is created. After SDelete runs, it seems that the task sequence engine places the smsts.log file back in the C:\_SMSTaskSequence\ directory after the SDelete step. Do you have any tips on how to configure the task sequence to store the log file on the X: drive instead? Currently, I simply perform another full format after the SDelete step without assigning a drive letter to delete those folders. Thanks again for all your work Gary!