Source: Microsoft: Resetting Windows devices might not wipe all data – cobaltstrike.net
Microsoft says Windows customers might find that some of their files are not deleted after resetting their Windows devices with the “Remove everything” option.
This is caused by a newly acknowledged known issue impacting the company’s OneDrive file hosting service.
“When attempting to reset a Windows device with apps which have folders with reparse data, such as OneDrive or OneDrive for Business, files which have been downloaded or synced locally from OneDrive might not be deleted when selecting the ‘Remove everything’ option,” Microsoft explains on the Windows health dashboard.
“This issue might be encountered when attempting a manual reset initiated within Windows or a remote reset. Remote resets might be initiated from Mobile Device Management (MDM) or other management applications, such as Microsoft Intune or third-party tools.”
Depending on the vendor, the option to reset a Windows device may also be known as Push Button Reset, PBR, Reset This PC, Reset PC, or Fresh Start.
The issue was first spotted by Microsoft MVP Rudy Ooms last week, who noticed that remote or local wipes of Windows 10 systems would still leave the user data readable in the Windows.old folder.
Ooms added in a separate blog post further detailing the issue that Bitlocker-encrypted data will also be moved in non-encrypted and readable form to the same folder on some systems after a Windows reset.
(2/2) with windows 21h2 and a wipe the data just sits there in the windows.old to be copied… i know the best option is reimage and overwrite the data with zeros but not “hiding/removing” the data is way worse as i am explaining in the blog
— Rudy Ooms | MVP (@Mister_MDM) February 21, 2022
Affects all supported Windows versions
The bug impacts all Windows versions under support, including Windows 11 21H2 and Windows 10 20H2 up to 21H2.
Microsoft says the originating update for this newly acknowledged issue on Windows 10 systems is the October KB5006670 cumulative update that also triggered printing issues. Redmond did not provide info on what would cause these reset problems on Windows 11 machines.
It affects only files that have been opened or downloaded on the Windows device that gets reset since cloud-only files are not downloaded or synced locally.
Microsoft is working on a fix for this known issue and will address this bug in an upcoming Windows update.
Meanwhile, the company provides customers affected by this issue with a workaround to ensure that no user data is left behind when trying to completely wipe a system by resetting a Windows device.
“This issue can be prevented by signing out or unlinking OneDrive before resetting your Windows device. For instructions, see the “Unlink OneDrive” section in, Turn off, disable, or uninstall OneDrive,” Microsoft said.
The company added that customers could also remove any remaining files on already reset devices using the Storage sense feature in the Settings app.
“This issue can be mitigated on devices that have already been reset by following the steps in KB5012334—Delete the Windows.old folder using Storage sense in the Settings app.”