
ThinkShield secure wipe using Microsoft Endpoint Manager


This article has been moved to https://blog.lenovocdrt.com/#/2021/thinkshield_secure_wipe

OVERVIEW

ThinkShield secure wipe is the successor to the ThinkPad Drive Erase Utility and is designed to provide the erase function of the SSD.

Although the Drive Erase Utility is still supported and provided as an external tool, ThinkShield secure wipe is fully integrated in the BIOS image and doesn't require any external tools.

Secure wipe can be executed locally by the BIOS from the application menu of the Startup Boot Menu invoked by [F12], or remotely from the OS through the WMI interface, which is what this post will be covering.

Supported Systems

  • All Comet Lake (2020) ThinkPad
  • ThinkCentre (Awaiting Confirmation)
  • ThinkStation (Awaiting Confirmation)

DISCLAIMER: These examples are intended to demonstrate several different methods available to deploy the solution and not necessarily a "Best Practice".  Modify accordingly to fit your environment's needs. There is also no auditing/reporting provided by these methods.

REQUIREMENTS

The WMI service for ThinkShield secure wipe is available only when one of the following is set:

  • Supervisor Password (SVP)
  • System Management Password (SMP)

OR

Sample PowerShell script that executes secure wipe on the target system.

https://github.com/CDRT/Library/tree/master/secure-wipe

Save as Invoke-ThinkShieldSecureWipe.ps1

EXAMPLE SCENARIO 1a – Deploy from MEMCM using Run Scripts

Navigate to Software Library > Scripts > Create Script and either import Invoke-ThinkShieldSecureWipe.ps1 or copy the contents into the script editor field.

Specify the EraseMethod, PasswordType, and Password parameters.  Details for each parameter are explained in the script header.

Complete the Create Script wizard and approve it.

Deploy to a single system or collection of systems.  If successful, you should see a message stating the secure wipe succeeded and that the system needs to reboot to finish.

EXAMPLE SCENARIO 1b – Deploy from MEMCM as a Task Sequence

Create a new Custom Task Sequence.  Edit the Task Sequence and add a Run PowerShell Script step.  Tick the radio button Enter a PowerShell script and click Edit Script…

Browse to Invoke-ThinkShieldSecureWipe.ps1 or copy the contents into the script editor.

In the Parameters field, enter the required parameters.

Add a Restart Computer step to transition the system to secure wipe.  In my lab, I deployed as an available Task Sequence and customized the notification texts.

EXAMPLE SCENARIO 2 – Deploy from Intune

Package the Invoke-ThinkShieldSecureWipe.ps1 as a Win32 app using the Microsoft Win32 Content Prep Tool.

Log into the MEM admin center and add a new Win32 app.  Browse to the Invoke-ThinkShieldSecureWipe.intunewin file and upload it.

Specify App Information such as a Name, Description, and Publisher.

Specify Program details:

  • Install Command:   powershell.exe -ExecutionPolicy Bypass -File ".\Invoke-ThinkShieldSecureWipe.ps1" -EraseMethod ATAN -PasswordType SVP -Password secretsvp
  • Uninstall Command: cmd.exe /c
  • Device Restart Behavior: Determine behavior based on return codes

Set the OS architecture to x64 and Minimum OS to 1607.

Add an additional requirement rule to check that the system is actually a Lenovo system.

  • Registry Type
    • Key Path: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS
    • Value Name: SystemManufacturer
    • Key Requirement: String Comparison
    • Operator: Equals
    • Value: LENOVO

Set the detection rule to check for the presence of a file.

This file will be created automatically when the script is run.

  • Path: %ProgramData%\Lenovo\ThinkShield
  • File or folder: SecureWipe.tag
  • Detection method: File or folder exists

Deploy the app to a group.  In my testing, I deployed as available and installed through the Company Portal.  After a successful install, a toast notification is presented prompting for the reboot.

Once a system has restarted, the final result will look like this.  The system will automatically shut down.
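
Because these deployment methods provide no auditing or reporting, the following added example (not part of Lenovo's script or the original post) evaluates the Scenario 2 requirement and detection rules locally and emits one record per device. The function name and output fields are assumptions; the registry key, value name and tag path are the ones configured above.

```powershell
# Added example: local audit record for the Scenario 2 rules.
# Get-SecureWipeDeploymentStatus and its output shape are hypothetical names
# chosen for illustration; they are not part of Invoke-ThinkShieldSecureWipe.ps1.
function Get-SecureWipeDeploymentStatus {
    [CmdletBinding()]
    param(
        # Registry key used by the Intune requirement rule on this page.
        [string]$BiosKey = 'HKLM:\HARDWARE\DESCRIPTION\System\BIOS',
        # Tag file used by the Intune detection rule on this page.
        [string]$TagPath = (Join-Path $env:ProgramData 'Lenovo\ThinkShield\SecureWipe.tag')
    )

    # Requirement rule: SystemManufacturer must equal LENOVO.
    $manufacturer = (Get-ItemProperty -Path $BiosKey -Name SystemManufacturer `
                        -ErrorAction SilentlyContinue).SystemManufacturer

    # Detection rule: the tag file exists once the script has run.
    $tag = Get-Item -LiteralPath $TagPath -ErrorAction SilentlyContinue

    # Serial number ties the record to a physical asset for later reconciliation.
    $bios = Get-CimInstance -ClassName Win32_BIOS -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SerialNumber     = $bios.SerialNumber
        Manufacturer     = $manufacturer
        MeetsRequirement = ($manufacturer -eq 'LENOVO')
        WipeStaged       = [bool]$tag
        TagCreatedUtc    = if ($tag) { $tag.CreationTimeUtc.ToString('o') } else { $null }
        CollectedUtc     = (Get-Date).ToUniversalTime().ToString('o')
    }
}

# Emit a single-line JSON record that a log collector or inventory job can ingest.
Get-SecureWipeDeploymentStatus | ConvertTo-Json -Compress
```

Collect the record before the restart, since the tag file is stored on the drive that is about to be erased.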
