Provisioning an HP device for remote secure erase

The FAT32-formatted USB drive you use to provision devices for remote secure erase should have these HP remote secure erase (RSE) files in the root directory:

  • hprse.desc
  • LDProvisionSecureErase.exe:
  • rse.bin

LDProvisionSecureErase.exe is the executable that you run on the mobile device to provision it. Running this file shows the HP Secure Erase Powered by LANDESK Software dialog box. Users can then click Provision or Exit. If the standard Ivanti agent isn't on the device, this utility will show an error message and won't run. If CASL/DASL with the correct version isn't installed or the device's BIOS doesn't support HP RSE, you'll see error messages.

If the user clicks Provision, the device will shut down the OS, reboot, and display a BIOS screen for the remote secure erase feature activation. The screen will tell the user to use the on-screen keyboard to type in the four-digit random number that's shown, and then tap Enter. Entering the number allows the BIOS to load the rse.bin BIOS image.

If the a user has pressed Esc and declined the next three reboots, the prompt stops showing and you'll have to restart the provisioning process on the device again by inserting the USB drive and running LDProvisionSecureErase.exe. The boot BIOS screen only appears while the USB drive is plugged in.

When the BIOS flash finishes, the ElitePad will reboot. If you go to the Windows 8 desktop after the first reboot you can see an informational dialog box saying that HP RSE has been successfully activated. This dialog box only appears after the first boot and it won't reappear again.

To first-time provision a device
  1. Copy the RSE provisioning files you generated to the root of a FAT32-formatted USB thumb drive.
  2. Plug the thumb drive into the ElitePad you want to provision.
  3. From the thumb drive, run LDProvisionSecureErase.exe. If HP's CASL/DASL utility or the standard Ivanti agent isn't installed or the device's BIOS doesn't support secure erase, the utility will show an error message.
  4. Click the Provision button and the device will reboot immediately.
  5. At the remote secure erase feature activation BIOS screen, use the on-screen keyboard to enter the four-digit random code.
  6. After the device reboots again, remote secure erase will be enabled.

About the "first time" remote secure erase provisioning package

When you run the HP RSE setup utility on the core server, it creates an rse.bin BIOS flashing file and public/private key files. Each rse.bin file is signed with the public key and includes the company and package name strings. You can create additional first time provisioning packages in the console. Since the company and package names are saved in rse.bin, make sure you use the rse.bin version that includes the strings you require.

The RSE utility and the corresponding RSE dialog boxes in the console will save the RSE BIOS flash files to a generic folder. To provision a device, you must copy these files to the root directory of a removable USB drive that you provide. The USB drive must have a FAT or FAT32 format. The USB drive doesn't need to be bootable.

Make sure you back up ALL HP RSE keys that you're using. This is very important.

If you lose the keys for whatever reason, such as a core server getting wiped, any HP devices that you've provisioned will permanently no longer be able to use the remote secure erase feature and you won't be able to reprovision those devices with a new HP RSE key.

Devices that you want to provision must have a current version of HP's client CASL/DASL software installed. This software is usually part of the stock HP OS image, but it will need to be updated. If you have a custom image you may have to install it separately. You can install this from the Patch and compliance tool by making the ElitePad Softpack a required patch on supported HP devices.

Devices that you want to provision must also have a Ivanti agent installed on them.