Matrix42 Self-Service Help Center

End of Life (EOL)

Empirum End Of Life is supported starting with WinPE PreBoot version 1.8.3.
As of WinPE PreBoot version 1.8.8, the DoD5220.22M and BSI/VSITR methods are also supported.
End Of Life erases all mass storage devices (except USB devices) of the connected client.
Empirum End Of Life is a fast and practical deletion method of Matrix42 Client Lifecycle Management.

  • Each partition is formatted with different file systems.
  • After that, the corresponding partitions are deleted.
  • Then a predefined amount of random data (default 10 GB) is distributed across the disk.
  • Finally, the disk is set to a defined "clean" state.


If an NVME disk is detected, it is securely erased via "NVME format". This applies from WinPE PreBoot version 1.8.5 and from the EndOfLife 1.1 package.
For all other disks, an "NVME format" function is not yet part of EndOfLife via WinPE.

DoD5220.22M is a standardized, secure erasure method for erasing spinning hard drives.

  • U.S. Department of Defense standard.
  • Erase the volume three times with the bit patterns: 0xAA, 0x55 and Random.
  • A long runtime (several hours) is required.

BSI/VSITR is a standardized, secure erasure method for erasing spinning hard disks.

  • Standard of the German Federal Office for Information Security (BSI).
  • Erase the volume seven times with the bit patterns: Random, 0xF0, 0x0F, 0xCC, 0x33, 0xAA, and 0x55.
  • A very long runtime (several hours, to a few days) is required.
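
The two pass sequences listed above, applied to a scratch file and checked by read-back, as an added example (not Matrix42's implementation). It works on a constructed temporary file rather than a raw disk; the function names and the marker string are made up for the illustration.

```python
import os
import tempfile

# Pass sequences as listed above; None stands for a pass of random data.
PASSES = {
    "DoD5220.22M": [0xAA, 0x55, None],
    "BSI/VSITR": [None, 0xF0, 0x0F, 0xCC, 0x33, 0xAA, 0x55],
}
CHUNK = 64 * 1024  # write granularity chosen for this demo


def overwrite(path, method):
    """Run every pass of `method` over the file in place; return the last fill byte."""
    size = os.path.getsize(path)
    last = None
    with open(path, "r+b") as f:
        for fill in PASSES[method]:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n) if fill is None else bytes([fill]) * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # each pass must reach the medium before the next
            last = fill
    return last


def verify(path, marker, last_fill):
    """Read back: the marker must be gone and a fixed final pattern must cover every byte."""
    with open(path, "rb") as f:
        data = f.read()
    if marker in data:
        return False
    return last_fill is None or data == bytes([last_fill]) * len(data)


def demo(method, size=200_000):
    """Erase a constructed image; return (passes, last fill, verified, file size)."""
    marker = b"CONSTRUCTED-SECRET-RECORD"  # constructed sample data
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(marker * (size // len(marker) + 1))
    try:
        last = overwrite(tmp.name, method)
        return len(PASSES[method]), last, verify(tmp.name, marker, last), os.path.getsize(tmp.name)
    finally:
        os.remove(tmp.name)
```

A sequence that ends in a random pass (DoD5220.22M) can only be checked for the absence of the original data, while one that ends in a fixed pattern (BSI/VSITR) can be compared byte for byte.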

Configure End Of Life

  1. After you have downloaded the WinPE_PreBoot_Support file (version 1.8.3 or later) from the Marketplace, you have to integrate it according to the description.
    - See also Integrate current WinPE PreBoot version.
  2. In the Matrix42 Management Console, create a dedicated configuration group (EndOfLife (EOL) in the example) as high up the middle tree as possible to prevent PreOS packages or variables from being inherited.
    Inheriting PreOS packages or variables can cause the EndOfLife package to exit with an error message even though the disks were successfully deleted.
    EOL_001_EMC.png
  3. Assign (only) the PreOS package EndOfLife to this group.
    Check that this group does not inherit any other WinPE packages or variables.
  4. Assign a dedicated and up-to-date WinPE boot image that (if you want to completely overwrite the disk(s)) was created with a higher timeout value.
    The default is 3600 seconds (1 hour). For complete overwriting, 36000 seconds (10 hours) or even more are recommended; for the DoD5220.22M and BSI/VSITR methods, timeout values of 72000 seconds (20 hours) and more are recommended.
  5. Create a variable configuration with the variables of the EndOfLife package.
     - See also Create variables configuration.
    EOL_005_VarConf.png
    • EraseMethod 
      Three erase methods are available:
      - Empirum (default): if an NVME SSD is detected, it is securely erased with NVME format. All other disks are erased using the Empirum method (format, sector erase and clean).
      - DoD5220.22M: secure erase of spinning disks according to the DoD standard (not useful for SSDs).
      - BSI/VSITR: secure erase of spinning disks according to the BSI standard (not useful for SSDs).
    • GBytesWrite (Empirum method only)
      Specifies the amount of random data (default 10 GB) written to each disk. Can be set in GB increments. The value "0" overwrites the complete disk once with random data. Depending on the number and size of the disks, this process can take several hours, so the timeout value of the WinPE boot image must be adjusted if necessary.
      You can change the timeout value in the Matrix42.Empirum.PeAgent.dll.config file in the ".\Empirum\EmpInst\Sys\Images\WinPE\binaries\UAF\" directory.
      EOL_010_PowerShellTimeoutInSeconds.png
      If this value is changed, the WinPE boot image must be rebuilt to apply the change!
    • RemoveFromEmpirum
      Controls the client specific behavior after an End Of Life procedure.

      You can specify that the client remains in the EMC and Empirum as a managed object after the End Of Life procedure by assigning the value "0". If this variable is set to "1" (default), the client is removed from the EMC and Empirum after the End Of Life procedure.
    • RemoveFromAD
      Controls the client specific behavior after an End Of Life procedure.
      You can specify that the client is deleted from AD (Active Directory) after the End Of Life procedure by assigning the value "1".
      The RemoveFromAD feature was introduced with EOL 1.4, and currently has experimental status.
      Unlike the EPE EOL implementation, this feature requires a running LDAP sync!
    • NVMEFallback (Empirum method only)
      Controls the behavior in case of NVME format errors. By default (NVMEFallback="1"), the disk is erased sector by sector if an NVME format error occurs. With the value "0", an NVME format error aborts the procedure and the disk remains unerased.
    • ActivateEndOfLife
      This variable is a safety function and must be set manually to 1 for End Of Life to start.
      If the variable has the value 0, the execution is aborted and there is a corresponding error message in the log.
      EOL_015_Failure_ActivateEndOfLife.png
  6. Assign the clients to be deleted and activate them (PULL via DDS/DDC and PXE). End Of Life will be executed at the next boot.
    EOL_020_Execute_EndOfLife.png
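
A pre-flight check for the variable configuration and boot image timeout from steps 4 and 5, as an added example that is not part of the Empirum product. The disk labels, the 150 MB/s write rate, treating an unset ActivateEndOfLife as 0, and the assumption that disks are overwritten one after another are illustrative; the estimate covers write time only and is a lower bound.

```python
PASSES = {"Empirum": 1, "DoD5220.22M": 3, "BSI/VSITR": 7}  # overwrite passes per method
DEFAULT_TIMEOUT_S = 3600  # default WinPE boot image timeout from step 4


def estimate_seconds(cfg, disk_gb, mb_per_s):
    """Lower bound on write time for one disk (1 GB = 1000 MB)."""
    method = cfg.get("EraseMethod", "Empirum")
    if method == "Empirum":
        gb = int(cfg.get("GBytesWrite", 10))
        written_gb = disk_gb if gb == 0 else min(gb, disk_gb)  # 0 = whole disk once
    else:
        written_gb = disk_gb * PASSES[method]
    return written_gb * 1000 / mb_per_s


def preflight(cfg, disks, timeout_s=DEFAULT_TIMEOUT_S, mb_per_s=150):
    """Return findings for one EndOfLife variable configuration.

    disks: list of (kind, size_gb); kind is "hdd", "ssd" or "nvme" (assumed labels).
    mb_per_s: assumed sustained write rate; replace with a measured value.
    """
    method = cfg.get("EraseMethod", "Empirum")
    if method not in PASSES:
        return [f"unknown EraseMethod {method!r}"]
    findings = []
    # Assumption: an unset ActivateEndOfLife behaves like the value 0.
    if str(cfg.get("ActivateEndOfLife", "0")) != "1":
        findings.append("ActivateEndOfLife is not 1: execution will abort")
    has_nvme = any(kind == "nvme" for kind, _ in disks)
    if method == "Empirum":
        if has_nvme and str(cfg.get("NVMEFallback", "1")) == "0":
            findings.append("NVMEFallback=0: an NVME format error leaves the disk unerased")
    else:
        if any(kind != "hdd" for kind, _ in disks):
            findings.append(f"{method} is not useful for SSDs")
        if "GBytesWrite" in cfg:
            findings.append("GBytesWrite applies to the Empirum method only")
    # NVME disks under the Empirum method are handled by NVME format, not overwritten.
    total = sum(estimate_seconds(cfg, gb, mb_per_s) for kind, gb in disks
                if not (method == "Empirum" and kind == "nvme"))
    if total > timeout_s:
        findings.append(f"estimated {total:.0f} s exceeds boot image timeout {timeout_s} s")
    return findings
```

With these assumptions, a single 2000 GB spinning disk under BSI/VSITR needs roughly 93000 seconds of write time, which is why the text recommends 72000 seconds "and more" rather than a fixed value.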

 

End Of Life Logs and Reports

After a client has been deleted with EOL, client-specific log information is available via the Empirum functions Info and Reports:

Matrix42 Management Console > Info >  EndOfLife Log
EOL_025_Info_EndOfLife_Log.png

A successful EOL looks like this:

EOL Log.JPG

Matrix42 Management Console > File > Reports > General Information > End Of Life
EOL_030_File_Reports_EndOfLife.png

 
