End of Life (EOL)
Empirum End Of Life is supported from WinPE PreBoot version 1.8.3.
The methods DoD5220.22M and BSI/VSITR are also supported from WinPE PreBoot version 1.8.8.
End Of Life deletes all mass storage devices (not USB) of the connected client.
- Empirum End Of Life is a fast and practical deletion method of Matrix42 Client Lifecycle Management
  - Each partition is formatted with different file systems.
  - The corresponding partitions are then deleted.
  - Then a predefined amount of random data (default 10 GB) is written across the disk.
  - Finally, the disk is set to a defined "clean" state.
- DoD5220.22M is a standardized, secure erasure method for erasing rotating hard disks
  - Standard of the US Department of Defense.
  - Triple erasure of the disk with the bit patterns: 0xAA, 0x55 and Random.
  - A long runtime (several hours) is required.
- BSI/VSITR is a standardized, secure erasure method for erasing rotating hard disks
  - Standard of the German Federal Office for Information Security (BSI).
  - Seven deletions of the data carrier with the bit patterns: Random, 0xF0, 0x0F, 0xCC, 0x33, 0xAA and 0x55
  - A very long runtime (several hours, up to several days) is required.
If an NVME disk is detected, a secure deletion is carried out via "NVME format"; this applies from WinPE PreBoot version 1.8.5 and from the EndOfLife 1.1 package.
For all other disks, an "NVME format" function is not yet part of EndOfLife via WinPE.
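The pass schedules listed above, run over a small constructed in-memory "disk" with a verification read after every pass. This is an added example, not Matrix42's own code: the Empirum method is reduced to its random-data pass (the partition formatting and "clean" step are omitted), and `unit` stands in for one gigabyte so the simulation stays small.

```python
import os

# Pass schedules as documented: a constant pattern byte, or None for random data.
DOD_5220_22M = [0xAA, 0x55, None]
BSI_VSITR = [None, 0xF0, 0x0F, 0xCC, 0x33, 0xAA, 0x55]


def overwrite_pass(disk: bytearray, pattern, length=None) -> None:
    """Overwrite the first `length` bytes (default: all) with a constant byte or random data."""
    n = len(disk) if length is None else min(length, len(disk))
    disk[:n] = os.urandom(n) if pattern is None else bytes([pattern]) * n


def verify_pass(disk: bytearray, pattern, length=None) -> bool:
    """Read back the region. A constant pass must match byte for byte; a random pass can only
    be checked for not being a single repeated byte, since its content is not predictable."""
    n = len(disk) if length is None else min(length, len(disk))
    region = disk[:n]
    if pattern is None:
        return len(set(region)) > 1
    return region == bytes([pattern]) * n


def erase(disk: bytearray, method: str, gbytes_write: int = 10, unit: int = 1) -> int:
    """Run the pass schedule for `method` with read-back verification and return the
    number of passes performed. `unit` is the constructed stand-in for one gigabyte."""
    if method == "DoD5220.22M":
        schedule, length = DOD_5220_22M, None
    elif method == "BSI/VSITR":
        schedule, length = BSI_VSITR, None
    elif method == "Empirum":
        # GBytesWrite=0 covers the whole disk once; otherwise only the first N "GB" are written
        schedule = [None]
        length = None if gbytes_write == 0 else gbytes_write * unit
    else:
        raise ValueError(f"unknown EraseMethod: {method}")
    for pattern in schedule:
        overwrite_pass(disk, pattern, length)
        if not verify_pass(disk, pattern, length):
            raise RuntimeError(f"pass {pattern!r} did not verify")
    return len(schedule)
```

The pass count times the disk size is what drives the multi-hour runtimes quoted above, and it is why the Empirum method with a non-zero GBytesWrite leaves the tail of a large disk untouched.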
Configure End Of Life
Independently of Empirum-LDAPSync, a computer can be deleted from the AD via the RSAT tool during EndOfLife runtime.
- See also EndOfLife
- Integrate the current WinPE support package via "Download Latest WinPE Support Package".
  - See also Integrate current WinPE PreBoot version.
- In the Matrix42 Management Console, create a dedicated configuration group (in the example EndOfLife (EOL)) as high up the middle tree as possible to prevent PreOS packages or variables from being inherited.
  The inheritance of PreOS packages or variables can lead to the EndOfLife package being terminated with an error message even though the disks have been successfully deleted.
- Assign (only) the PreOS package EndOfLife to this group.
  Check that this group does not inherit any other WinPE packages or variables.
- Assign a dedicated and up-to-date WinPE boot image that (if you want to completely overwrite the disk(s)) was created with a higher timeout value.
  Here the default is 3600 seconds (1 hour); for a complete overwrite, 36000 seconds (10 hours) or more is recommended, and for the methods DoD5220.22M and BSI/VSITR timeout values of 72000 seconds (20 hours) and more are recommended.
- Create a variable configuration with the variables of the EndOfLife package.
  - See also Create variables configuration.
  - EraseMethod
    There are three erasure methods to choose from:
    - Empirum (default): if an NVME SSD is detected, it is securely erased with NVME format. All other hard disks are erased using the Empirum method (formatting, sector-by-sector erasure and clean).
    - DoD5220.22M: secure erasure of spinning disks according to the DoD standard (not useful for SSDs).
    - BSI/VSITR: secure erasure of spinning disks according to the BSI standard (not useful for SSDs).
  - GBytesWrite (Empirum method only)
    Specifies the amount of random data (default 10 GB) that is written to each disk. Can be set in GB increments. The value "0" overwrites the entire disk once with random data. Depending on the number and size of the disks, this process can take several hours. The time-out value of the WinPE boot image may have to be adjusted here.
    You can change this value in the file Matrix42.Empirum.PeAgent.dll.config
    in the directory ".\Empirum\EmpInst\Sys\Images\WinPE\binaries\UAF\".
    If this value is changed, the WinPE boot image must be recreated so that the change is also applied!
  - RemoveFromEmpirum
    Controls the client-specific behavior after an End Of Life procedure.
    By assigning the value "0", you can specify that the client remains in the EMC and Empirum as a managed object after the End Of Life procedure. If this variable is set to "1" (default), the client is removed from the EMC and Empirum after the End Of Life procedure.
  - RemoveFromAD
    Controls the client-specific behavior after an End Of Life procedure.
    By assigning the value "1", you can specify that the client is deleted from the AD (Active Directory) after the End Of Life procedure.
    The RemoveFromAD feature was introduced with EOL 1.4 and currently has experimental status.
    In contrast to the EPE EOL implementation, a running LDAP sync is required to use this feature!
  - NVMEFallback (Empirum method only)
    Controls the behavior in case of NVME format errors. Default: if an error occurs with the NVME format, the disk is then deleted in the classic way sector by sector (NVMEFallback="1"). By assigning the value "0", you can specify that NVME format errors lead to an abort and the disk remains undeleted.
  - ActivateEndOfLife
    This variable is a safety function and must be manually set to 1 for End Of Life to start.
    If the variable has the value 0, execution is aborted and a corresponding error message is displayed in the log.
- Assign the clients to be deleted and activate them (PULL via DDS/DDC and PXE). End Of Life is executed at the next boot.
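A pre-flight check over the EndOfLife variables described above, added here as an example (a hypothetical helper, not part of the Matrix42 package). It flags the conditions under which the page says EOL aborts or a variable is ignored, and returns the WinPE boot image timeout recommended for the chosen method.

```python
ERASE_METHODS = {"Empirum", "DoD5220.22M", "BSI/VSITR"}
DEFAULT_TIMEOUT = 3600          # WinPE boot image default (1 hour)
FULL_OVERWRITE_TIMEOUT = 36000  # recommended for GBytesWrite=0 (10 hours)
MULTIPASS_TIMEOUT = 72000       # recommended for DoD5220.22M / BSI/VSITR (20 hours)


def check_eol_config(variables: dict, ldap_sync_running: bool, winpe_timeout: int = DEFAULT_TIMEOUT):
    """Return (errors, warnings, recommended_timeout) for a set of EndOfLife variables.
    Values are the strings as entered in the variable configuration."""
    errors, warnings = [], []
    # Safety switch: EOL refuses to start unless this is explicitly 1
    if variables.get("ActivateEndOfLife", "0") != "1":
        errors.append("ActivateEndOfLife is not 1: EOL aborts with an error in the log")
    method = variables.get("EraseMethod", "Empirum")
    if method not in ERASE_METHODS:
        errors.append(f"unknown EraseMethod {method!r}")
        method = "Empirum"
    gbytes = int(variables.get("GBytesWrite", "10"))
    if method == "Empirum":
        recommended = FULL_OVERWRITE_TIMEOUT if gbytes == 0 else DEFAULT_TIMEOUT
        if variables.get("NVMEFallback", "1") == "0":
            warnings.append("NVMEFallback=0: an NVME format error aborts and leaves the disk undeleted")
    else:
        recommended = MULTIPASS_TIMEOUT
        # These two variables only apply to the Empirum method
        for name in ("GBytesWrite", "NVMEFallback"):
            if name in variables:
                warnings.append(f"{name} only applies to the Empirum method and is ignored")
    if winpe_timeout < recommended:
        warnings.append(f"WinPE timeout {winpe_timeout}s is below recommended {recommended}s")
    if variables.get("RemoveFromAD", "0") == "1":
        if not ldap_sync_running:
            errors.append("RemoveFromAD=1 requires a running LDAP sync")
        warnings.append("RemoveFromAD is experimental (introduced with EOL 1.4)")
    return errors, warnings, recommended
```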
End Of Life Logs and Reports
After a client has been deleted via EOL, client-specific log information is available via the Empirum functions Info and Reports.
Matrix42 Management Console > Management > Administration > Menu Info > EndOfLife Log
A successful EndOfLife log looks like this:
Matrix42 Management Console > File > Reports > General Information > End Of Life