Surface Data Eraser (IT Toolkit)

This article explains how to create a secure data wipe USB key with the Surface Data Eraser and generate a certificate of sanitization. You can use the data wipe USB key on your target device and other supported devices with matched architecture.

Supported on current devices

  • All current Surface devices, including Surface Pro 7 and later, Surface Laptop 3 and later, Surface Go 2 and later, Surface Laptop Studio and later, Surface Laptop SE, Surface Laptop Go and later.

Not supported on legacy devices

  • This version of Surface Data Eraser isn't supported on legacy devices such as Surface Laptop 2 and earlier, Surface Pro 6 and earlier, Surface Book 2 and earlier, Surface Go, and Surface Studio (1st gen).
  • To securely erase data on legacy devices, see Microsoft Surface Data Eraser (legacy).

Create the Data Eraser USB

  1. Open Surface IT Toolkit, then select Data Eraser USB-Builder > Create USB.

    Screenshot of Data Eraser.

  2. On the Select device page, choose your target device from the list of Managed devices or from the dropdown list under All Devices and select Next.

    Screenshot of Select device page.

  3. Insert a USB drive in your device. Back up any existing data before proceeding.

  4. On the Final review page, confirm your selected device and choose a validation method for the data wipe. You have the option to perform a full SSD verification after the data wipe. Select None or Full depending on your requirement. Log files from a data wipe with Validation set to None can't be used later to create a certificate of sanitization.

  5. Under USB Key Selection, choose the USB drive you intend to use. Select Create.

    Screenshot of Final review page.

  6. When the USB Creation process concludes, a confirmation message appears indicating Creating Bootable USB: Complete. Select Finish.

    Screenshot of USB Creation Progress page.

  7. When the tool indicates it's safe to eject the USB key, remove it from your device and plug it into the intended Surface device.

Warning

The Data Eraser process deletes all data on the device, including the operating system, installed apps, files, and settings.

  1. To continue, type CONFIRM. If you're unsure or don't wish to proceed, type EXIT.
  2. Keep your device plugged into AC Power during the data wipe process.

Generate Data Sanitization Certificate

  1. On the Data Eraser tool interface, select Generate Certificate. This creates a certificate of sanitization using the log files written to the Data Eraser USB after each successful data wipe.

    Screenshot of Generate Certificate.

  2. On the Import Log File(s) page, upload the log files previously saved to the USB key. Log files that are unverified, or that come from a data wipe with Validation set to 'None', can't be used to create certificates.

  3. On the Sanitization Certificate page, enter the requested details.

    Screenshot of Certificate details.

  4. Under Additional Details, input the Media Source. Use the Asset tag if available; otherwise, use the Serial Number or System UUID, as listed in the Surface UEFI menu on the wiped device. Optionally, add custom fields by selecting + Add custom field if more information is necessary.

  5. When all the relevant details are entered, select Next to proceed to the certificate creation process.

  6. Review the certificate details and select Generate.

    Screenshot of Certificate.

  7. When complete, select Show Files to access the Sanitization Certificate. Select Finish.

    Screenshot that shows Certificate Generation is complete.

  8. Open the newly created certificate and add signatures as appropriate, as shown in the following redacted example.

    Screenshot that shows an example Certificate.