[English] Microsoft offers the possibility to reset a system running Windows 10 or Windows 11 to factory settings, either locally or remotely (via Intune). There is also an option to remove the user files, which is desirable if a machine is to be passed on to another user. MVP Rudy Ooms has now discovered that resetting Windows with the option to remove the user files does not actually remove them under Windows 10 and Windows 11 version 21H2. Addendum: Note about the OneDrive client as a root cause added. Addendum 2: The issue has been confirmed by Microsoft.
Wipe does not delete user data in 21H2
In the Windows 10/11 settings the operating system can be reset locally to its delivery state. Microsoft's management solution Intune also offers an option to wipe devices remotely, and in both cases there is an option to delete the user data as part of this step. MVP Rudy Ooms explicitly pointed out in the following tweet that a remote wipe via Intune – or a local reset – may not delete the user data. This affects both Windows 10 21H2 and Windows 11 21H2.
The background for this warning was a customer call: The CFO of a company wanted to pass on her Windows 11 PC to another employee and asked to ensure that all personal data was deleted from this machine. Since this customer was 160 kilometers away from the service provider's location, it was not possible to send an employee on-site to wipe the machine.
The idea of initiating a remote wipe via Intune is likely to occur to many administrators. The service company the MVP works for also opted for a remote wipe to (supposedly) ensure the device was wiped clean. At this point, I would have followed up with a check to see whether the old data had merely been moved to the Windows.old folder on the system partition or really removed. Rudy Ooms did this as well, and came across a problem in the process.
- When an Intune remote wipe is performed on a Windows 10 21H1 device without the "Keep Data" option selected, the device is reinstalled and "wiped" as expected, and BitLocker encryption is removed. A look at the Windows.old folder shows that the Intune remote wipe empties it on a Windows 10 21H1 system. So everything is as expected.
- When an Intune remote wipe is performed on a Windows 10 21H2 device without the "Keep Data" option selected, Windows 10 is likewise wiped and reinstalled on the device, and BitLocker encryption is removed. But a look at the Windows.old folder shows that the Intune remote wipe does not empty it on a Windows 10 21H2 system. An access error 0x80070780 is triggered, but it can be worked around.
- When an Intune remote wipe is performed on a Windows 11 21H2 device without the "Keep Data" option selected, the device is also reinstalled and "wiped" as expected, and BitLocker encryption is removed. But a look into the remaining Windows.old folder shows that the old user files are still there. They were not removed by the Intune remote wipe on a Windows 11 21H2 system.
This behavior also occurs when a Windows 10/11 21H2 system is reset locally. Rudy Ooms has documented his findings in the blog post THE DARK AND THE WINDOWS "REMOTE" WIPE. In a nutshell: under 21H2 the reset does not remove the user data, on either Windows 10 or Windows 11. Ooms has, however, provided a PowerShell script that deletes the Windows.old folder on the target devices. After that the user files are gone from the file system, although deleting the folder is an ordinary delete, so the data can still be recovered with forensic tools until the freed space is overwritten. Perhaps this information is useful to some readers.
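The check mentioned above (is the old data still sitting in Windows.old after the reset?) and the subsequent deletion can be combined in a single script. The following is an added example for this post, not Rudy Ooms' script and not a Microsoft tool. It assumes it runs elevated on the reset device (as SYSTEM when pushed as an Intune PowerShell script, or from an admin shell locally), that the system drive is $env:SystemDrive, and that the "Y" answer to the takeown prompt matches an English Windows; the profile folder names treated as non-personal are an assumption as well.

```powershell
<#
  Added example for this post (not Rudy Ooms' script, not a Microsoft tool).
  Lists user profiles that survived a reset in Windows.old and, with -Remove,
  deletes the folder. Assumptions: runs elevated; system drive is $env:SystemDrive;
  takeown prompt answer "Y" is for English Windows. Deleting the folder is an
  ordinary delete: the data stays forensically recoverable until overwritten.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string] $OldRoot = (Join-Path $env:SystemDrive 'Windows.old'),
    [switch] $Remove
)

# Built-in profile folders that hold no personal user data (assumed list).
$systemProfiles = @('Public', 'Default', 'Default User', 'All Users')

function Get-LeftoverProfile {
    param([Parameter(Mandatory)] [string] $Root)
    $usersDir = Join-Path $Root 'Users'
    if (-not (Test-Path -LiteralPath $usersDir)) { return @() }
    Get-ChildItem -LiteralPath $usersDir -Directory -Force |
        Where-Object { $_.Name -notin $systemProfiles } |
        ForEach-Object {
            $files = @(Get-ChildItem -LiteralPath $_.FullName -File -Recurse -Force -ErrorAction SilentlyContinue)
            $bytes = ($files | Measure-Object -Property Length -Sum).Sum
            [pscustomobject]@{
                Profile  = $_.Name
                Files    = $files.Count
                SizeMB   = [math]::Round(($bytes / 1MB), 1)
                # OneDrive sync folders are what the addendum below ties to the bug.
                OneDrive = [bool](Get-ChildItem -LiteralPath $_.FullName -Directory -Filter 'OneDrive*' -ErrorAction SilentlyContinue)
            }
        }
}

function Remove-WindowsOld {
    param([Parameter(Mandatory)] [string] $Root)
    # Windows.old is owned by TrustedInstaller/SYSTEM with restrictive ACLs, so a plain
    # Remove-Item fails with an access error. Take ownership for Administrators (/A)
    # recursively (/R), grant Full control by SID, then delete.
    & takeown.exe /F $Root /R /A /D Y | Out-Null
    & icacls.exe $Root /grant '*S-1-5-32-544:(OI)(CI)F' /T /C /Q | Out-Null
    Remove-Item -LiteralPath $Root -Recurse -Force -ErrorAction Stop
}

if (-not (Test-Path -LiteralPath $OldRoot)) {
    Write-Output "No $OldRoot present: nothing left over from the reset."
    exit 0
}

$leftovers = @(Get-LeftoverProfile -Root $OldRoot)
if ($leftovers.Count -gt 0) {
    Write-Output "User data survived the reset in ${OldRoot}:"
    $leftovers | Format-Table -AutoSize | Out-String | Write-Output
}

if ($Remove -and $PSCmdlet.ShouldProcess($OldRoot, 'Delete leftover Windows.old')) {
    Remove-WindowsOld -Root $OldRoot
    if (Test-Path -LiteralPath $OldRoot) { throw "$OldRoot still exists after removal" }
    Write-Output "$OldRoot removed (contents remain forensically recoverable until overwritten)."
    exit 0
}

# Non-zero exit so an Intune script run is reported as failed while data is still present.
if ($leftovers.Count -gt 0) { exit 1 } else { exit 0 }
```

Run it once without -Remove (or with -Remove -WhatIf) to see which profiles are still on disk; the non-zero exit code makes the leftover visible in the Intune script status. Deploying it with -Remove only deletes the directory entries: if the drive really has to be handed over, the freed space still needs to be overwritten, since the reset has already removed the BitLocker encryption that would otherwise have made the remnants unreadable.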
Addendum: Comments on my German blog reported that the issue could not be reproduced. It looks like OneDrive has to be in use on the machine for the effect to occur. Rudy Ooms has since added this to his article.
Addendum 2: The issue has been confirmed by Microsoft. See my blog post Microsoft confirms wipe issue on resetting Windows 10/11 (20H2 – 21H2)