End of Life (EOL)

+ More

Table of Contents

Configure End Of Life End Of Life Logs and Reports

From Win PE Pre Boot version 1.8.3 Empirum End Of Life is supported.
The methods Do D5220.22M and BSI/VSITR are also supported fromWin PE Pre Boot version 1.8.8.
End Of Life deletes all mass storage devices (not USB) of the connected client.

  • Empirum End Of Life is a fast and practical deletion method of Matrix42 Client Lifecycle Management
    • Each partition is formatted with different file systems.
    • The corresponding partitions are then deleted.
    • Then random data with a predefined number (standard 10 GB) is distributed on the disk.
    • Finally, the disk is set to a defined "clean" state.
  • Do D5220.22M is a standardized, secure erasure method for deleting rotating hard disks
    • Standard of the US Department of Defense.
    • Triple erasure of the disk with the bit patterns: 0x AA, 0x55 and Random.
    • A long runtime (several hours) is required.
  • BSI/VSITR is a standardized, secure erasure method for erasing rotating hard disks
    • Standard of the German Federal Office for Information Security (BSI).
    • Seven deletions of the data carrier with the bit patterns: Random, 0x F0, 0x0F, 0x CC,0x33, 0x AA and 0x55
    • A very long runtime (several hours, up to several days) is required.

If an NVME disk is detected, a secure deletion is carried out via "NVME format", this applies from Win PE Pre Boot version 1.8.5 and from the End Of Life 1.1 package.
For all other disks an "NVME format" function is not yet part of End Of Life via Win PE.

 

Configure End Of Life

Independently of Empirum-LDAPSync, a computer can be deleted from the AD via the RSAT tool during End Of Life runtime.
- See also End Of Life

 
  1. Integrate the current Win PE support package via "Download Latest Win PE Support Package".
    - See also Integrate current Win PE Pre Boot version.
  2. In the Matrix42 Management Console, create a dedicated configuration group (in the example End Of Life (EOL)) as high up the middle tree as possible to prevent Pre OS packages or variables from being inherited.
    The inheritance of Pre OS packages or variables can lead to the End Of Life package being terminated with an error message even though the disks have been successfully deleted.
  3. Assign (only) the Pre OS package End Of Life to this group.
    Check that this group does not inherit any other Win PE packages or variables.
  4. Assign a dedicated and up-to-date Win PE boot image that (if you want to completely overwrite the disk(s)) was created with a higher timeout value.
    Here the default is 3600 seconds (1 hour) - for a complete overwrite 36000 seconds (10 hours) or more is recommended, for the methods Do D5220.22M and BSI/VSITR timeout values of 72000 seconds (20 hours) and more are recommended.
  5. Create a variable configuration with the variables of the End Of Life package.
    - See also Create variables configuration.
    • Erase Method 
      There are three erasure methods to choose from:
      Empirum (default) - if an NVME SSD is detected, it is securely erased with NVME format. All other hard disks are erased using the Empirum method (formatting, sector-by-sector erasure and clean).
      Do D5220.22M secure erasure of spinning disks according to Do D standard (not useful for SSDs).
      BSI/VSITR secure erasure of spinning disks according to BSI standard (not useful for SSDs).
    • GBytes Write (Empirum method only)
      Specifies the amount of random data (default 10 GB) that is written to each disk. Can be set in GB increments. The value "0" overwrites the entire disk once with random data. Depending on the number and size of the disks, this process can take several hours. The time-out value of the Win PE boot image may have to be adjusted here.
      You can change this value in the file Matrix42.Empirum.Pe Agent.dll.config in the directory ".\Empirum\Emp Inst\Sys\Images\Win PE\binaries\UAF\".

      If this value is changed, the Win PE boot image must be recreated so that the change is also applied!
    • Remove From Empirum
      Controls the client specific behavior after an End Of Life procedure.
      By assigning the value "0", you can specify that the client remains in the EMC and Empirum as a managed object after the End Of Life procedure. If this variable is set to "1" (default), the client is removed from the EMC and Empirum after the End Of Life procedure.
    • Remove From AD
      Controls the client specific behavior after an End Of Life procedure.
      By assigning the value "1", you can specify that the client is deleted from the AD (Active Directory) after the End Of Life procedure.
      The Remove From AD feature was introduced with EOL 1.4, and currently has experimental status.
      In comparison to the EPE EOL implementation, a running LDAP sync is required to use this feature!
    • NVMEFallback (Empirum method only)
      Controls the behavior in case of NVME format errors. Default: If an error occurs with the NVME format, the disk is then deleted in the classic way sector by sector (NVMEFallback="1"). By assigning the value "0", you can specify that NVME format errors lead to an abort and the disk remains undeleted.
    • Activate End Of Life
      This variable is a safety function and must be manually set to 1 for End Of Life to start.
      If the variable has the value 0, execution is aborted and a corresponding error message is displayed in the log.

  6. Assign the clients to be deleted and activate them (PULL via DDS/DDC and PXE). End Of Life is executed at the next boot.

End Of Life Logs and Reports

After a client has been deleted via EOL, client-specific log information is available via the Empirum functions Info and Reports.

Matrix42 Management Console > Management > Administration > Menu Info > End Of Life Log

A successful End Of Life log looks like this:

Matrix42 Management Console > File > Reports > General Information > End Of Life

Related Articles