Windows administrators have a number of options when it comes to resetting a system locally or remotely. The option to keep data or have it removed is provided, but a new report by Microsoft MVP Rudy Ooms suggests that wiping does not delete user data anymore in Windows 10 and Windows 11 version 21H2.
Resetting a Windows device and deleting the data that is on it can be useful in some circumstances. Devices may be passed around to other company employees, they may be handed over to family members or friends, or sold on marketplaces such as eBay.
The wiping option is designed to remove personal data from the device. Most users keep personal data on their laptops and PCs, and it is clear that this data should not be handed over to the new owner of the device.
Ooms discovered that Windows’ wipe feature left user data behind in the latest versions of Windows 10 and Windows 11. Remote and local wiping as well as Fresh Start on devices running version 21H2 of the operating system would leave user data behind in the Windows.old folder. The same procedures on Windows 10 version 21H1 cleared all user data from Windows.old as expected.
Ooms describes how he received a phone call from a CFO his company worked for to delete data on the CFO’s old device so that it could be passed on to another employee. Since the company was “a couple of 100 miles away”, Ooms decided to remotely wipe the device.
He made sure to select none of the options to retain user data after the wiping and discovered that user data was retained on Windows 11 after the operation completed successfully. Tests confirmed that wiping was affected on version 21H2 devices (Windows 10 and 11), and that the issue affected all forms of wiping and resetting functionality on these devices.
While Ooms used Intune to wipe the device remotely, he also conducted local tests and discovered that data was retained there too.
Ooms created a PowerShell script that fixes the issue by deleting the Windows.old folder from wiped devices. It can be downloaded from the linked blog post.
The issue affects version 21H2 of Windows 10 and 11 only. The number of users affected by this wiping issue is unknown, but it could cause data leaks. Windows users who need to wipe a device without retaining the user data need to make sure that the Windows.old folder is removed after the operation completes to eliminate any chance of data leaking into the wrong hands.
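The following post-wipe check is an added example, not Ooms' script and not Microsoft code: it reports any Windows.old folder left on a fixed disk and how much former profile data sits in it, and removes the folder only when asked. The function name `Get-WindowsOldResidue`, the `-Remove` switch and the exit codes are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: verify that a reset or wipe left no Windows.old folder behind.
param([switch]$Remove)   # hypothetical switch: delete what is found instead of only reporting

function Get-WindowsOldResidue {
    # DriveType 3 = fixed local disk; mapped network and removable drives are skipped.
    foreach ($disk in Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=3') {
        $path = Join-Path ($disk.DeviceID + '\') 'Windows.old'
        if (-not (Test-Path -LiteralPath $path -PathType Container)) { continue }
        # Profiles of the previous installation are kept under Windows.old\Users.
        $users = Join-Path $path 'Users'
        $files = @()
        if (Test-Path -LiteralPath $users) {
            $files = @(Get-ChildItem -LiteralPath $users -Recurse -File -Force -ErrorAction SilentlyContinue)
        }
        [pscustomobject]@{
            Path          = $path
            UserFileCount = $files.Count
            UserDataMB    = [math]::Round((($files | Measure-Object -Property Length -Sum).Sum) / 1MB, 1)
        }
    }
}

$residue = @(Get-WindowsOldResidue)
if ($residue.Count -eq 0) {
    Write-Output 'No Windows.old folder found on any fixed disk.'
    exit 0
}
$residue | Format-Table -AutoSize

if ($Remove) {
    foreach ($item in $residue) {
        # The old installation's files are usually not owned by the current admin, so take
        # ownership and grant Administrators (SID S-1-5-32-544) full control before deleting.
        takeown.exe /F $item.Path /R /A /D Y | Out-Null   # 'Y' is the English-locale answer
        icacls.exe $item.Path /grant '*S-1-5-32-544:(F)' /T /C /Q | Out-Null
        Remove-Item -LiteralPath $item.Path -Recurse -Force -ErrorAction Continue
    }
    # Re-scan so the verdict comes from the file system, not from the delete call returning.
    if (@(Get-WindowsOldResidue).Count -gt 0) { Write-Error 'Windows.old is still present.'; exit 2 }
    exit 0
}
exit 1   # residue found and left in place
```

Run it from an elevated PowerShell session on the device after the wipe or reset has finished; a non-zero exit code means the device should not be handed over yet.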
(via Günther Born)