Microsoft Confirms Windows Eraser Tool Leaves User Data On Disk (Update)

Updated 02/25/2022 06:57 PDT:

Microsoft has now confirmed data persistence issues after a wipe with Windows 10 and Windows 11 in an official article. Additional details have been added to the bottom of this story.

Updated story

Microsoft MVP Rudy Ooms discovered that Windows' built-in data erasing features weren't doing their job. In other words, let's say you want to resell or recycle a PC, and you carefully use the "Reset PC > Remove everything" option. This should be a reliable way to wipe your drive, but personal data will still be left behind on the old system. The issue applies to both local and remote wipes of PCs running Windows 10 version 21H2 and Windows 11 version 21H2.


Ooms first noticed problems with Microsoft's disk wipe functionality when performing a remote wipe through Microsoft Intune. He then tested several versions of Windows, with both local and remote wipes, over the weekend to compile the following summary table.

Action (Windows 10/11)                   Result
21H2 Remote Wipe                         User data NOT deleted from Windows.old
21H2 Remote Protected Wipe               User data NOT deleted from Windows.old
21H2 Local Wipe                          User data NOT deleted from Windows.old
21H2 Local Wipe (Cloud Download)         User data NOT deleted from Windows.old
21H2 Local Protected Wipe                User data NOT deleted from Windows.old
21H2 Remote Fresh Start                  User data NOT deleted from Windows.old
All Wipe/Fresh Start actions with 21H1   User data DELETED from Windows.old

At the bottom of the table, you can see that the Wipe and Fresh Start options seem to work as expected in Windows 10 and 11 version 21H1, but are ineffective in 21H2 versions. Ooms installed and tested these four operating systems, with local and remote wipe operations, then verified the results.

The common problem across all failing cases was user data being left behind in a folder called Windows.old on the "wiped" or "fresh start" disk. This is despite Microsoft warning users before the action that "This deletes all personal and corporate data and settings on this device."

Windows reset warnings (Image credit: Rudy Ooms)

Bitlocker protection is also removed

In his blog post, Ooms notes that some users might feel reassured because their personal data has always been stored on a BitLocker-protected drive. However, when a device is wiped, BitLocker is removed, and he discovered that the Windows.old folder contained previously encrypted data, now in unencrypted form. He also noted that OneDrive files which had been marked as "Always keep on this device" in Windows also remained in Windows.old.

Ooms has kindly put together a PowerShell script to work around this Microsoft security flaw. You need to run the script before erasing/resetting your old device. Hopefully Microsoft steps up and fixes this faulty behavior in the coming weeks, so you don't have to remember to run third-party scripts.

If you need to reset or refresh a PC soon, you can simply boot the reset/refreshed device into Windows, then find and remove the Windows.old folder manually. After that, a free-space wiping utility is useful to ensure the deleted data cannot be recovered with file-recovery tools. Always check the contents of the drive after erasing, as you might find your old files not only in Windows.old, but also on other storage devices installed in your PC/laptop.
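The following PowerShell script is an added example of the manual post-reset check described above; it is not Rudy Ooms' script and not Microsoft code. It assumes it is run elevated on the freshly reset device, that the system volume is the one in $env:SystemDrive, and that the built-in takeown.exe, icacls.exe and cipher.exe are present. By default it only reports what is still sitting in Windows.old and the BitLocker state of the volume; the -Remove and -WipeFreeSpace switches perform the cleanup.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not Rudy Ooms' script, not Microsoft code).
  Post-reset check for the leftover Windows.old folder:
    1. report file count, size and which user profiles survived
    2. show the BitLocker state of the volume (protection is gone after a reset,
       so anything in Windows.old is readable in clear)
    3. optionally delete Windows.old and overwrite the free space
  Assumption: run elevated; the reset OS volume is $env:SystemDrive (normally C:).
#>
param(
    [string] $SystemDrive = $env:SystemDrive,   # assumption: the reset OS volume
    [switch] $Remove,                            # actually delete Windows.old
    [switch] $WipeFreeSpace                      # then overwrite free space
)

$oldRoot = Join-Path $SystemDrive 'Windows.old'

function Get-LeftoverReport {
    param([string] $Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false; FileCount = 0; SizeMB = 0; UserProfiles = @() }
    }
    # -Force includes hidden/system files; access-denied paths are skipped rather than fatal
    $files = Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue
    $users = Get-ChildItem -LiteralPath (Join-Path $Path 'Users') -Directory -Force -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Path         = $Path
        Present      = $true
        FileCount    = $files.Count
        SizeMB       = [math]::Round(($files | Measure-Object -Property Length -Sum).Sum / 1MB, 1)
        UserProfiles = @($users | Where-Object { $_ })
    }
}

$report = Get-LeftoverReport -Path $oldRoot
$report | Format-List

# BitLocker state of the volume (needs the BitLocker module; skipped if absent)
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume -MountPoint $SystemDrive |
        Select-Object MountPoint, ProtectionStatus, VolumeStatus, EncryptionPercentage |
        Format-Table
}

if ($report.Present -and $Remove) {
    # Windows.old is owned by TrustedInstaller/SYSTEM, so take ownership and grant
    # Administrators full control first; plain Remove-Item usually fails with access denied.
    & takeown.exe /F $oldRoot /R /D Y | Out-Null
    & icacls.exe $oldRoot /grant Administrators:F /T /C /Q | Out-Null
    Remove-Item -LiteralPath $oldRoot -Recurse -Force -ErrorAction Continue
    if (Test-Path -LiteralPath $oldRoot) {
        Write-Warning "Some files under $oldRoot could not be removed; check the output above."
    } else {
        Write-Host "Removed $oldRoot"
    }
}

if ($WipeFreeSpace) {
    # cipher.exe /w overwrites the volume's free space (three passes) so that the
    # deleted Windows.old contents cannot be brought back with undelete tools.
    & cipher.exe "/w:$SystemDrive\"
}
```

Run it once with no switches to see whether anything survived the reset (the UserProfiles list makes the problem obvious at a glance), then again with -Remove -WipeFreeSpace. The free-space overwrite can take a long time on large drives and only covers the volume you point it at, so repeat the check for any other disks in the machine, as the article advises.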

Microsoft confirms file deletion bug

"When you attempt to reset a Windows device with apps containing folders with reparse data, such as OneDrive or OneDrive for Business, files that were downloaded or synced locally from OneDrive may not be deleted during the reset when selecting the 'Remove everything' option," Microsoft explained. "This issue can occur during a manual reset attempt initiated in Windows or a remote reset. Remote resets can be initiated from Mobile Device Management (MDM) or other management applications, such as Microsoft Intune or third-party tools."

Microsoft goes on to say that “cloud-only” OneDrive files are unaffected by this particular bug. Microsoft says it is currently working on a fix that will ship in a future update for Windows 10 and Windows 11, but for now here are two workarounds:


Steven L. Nielsen