Windows 10 and 11 Wipe Feature leaves data behind in 21H2

Martin Brinkmann
Feb 21, 2022

Windows administrators have a number of options when it comes to resetting a system locally or remotely. The option to keep data or have it removed is provided, but a new report by Microsoft MVP Rudy Ooms suggests that wiping does not delete user data anymore in Windows 10 and Windows 11 version 21H2.

Resetting a Windows device and deleting the data that is on it can be useful in some circumstances. Devices may be passed around to other company employees, they may be handed over to family members or friends, or sold on marketplaces such as eBay.

The wiping option is designed to remove personal data from the device. Most users keep personal data on their laptops and PCs, and it is clear that this data should not be handed over to the new owner of the device.

Ooms discovered that Windows' wipe feature left user data behind in the latest versions of Windows 10 and Windows 11. Remote and local wiping as well as Fresh Start on devices running version 21H2 of the operating system would leave user data behind in the Windows.old folder. The same procedures on Windows 10 version 21H1 cleared all user data from Windows.old as expected.

Ooms describes how he received a phone call from a CFO his company worked for, who asked him to delete the data on the CFO's old device so that it could be passed on to another employee. Since the company was "a couple of 100 miles away", Ooms decided to remotely wipe the device.

He made sure to select none of the options to retain user data after the wiping and discovered that user data was retained on Windows 11 after the operation completed successfully. Tests confirmed that wiping was affected on version 21H2 devices (Windows 10 and 11), and that the issue affected all forms of wiping and resetting functionality on these devices.

While Ooms used Intune to wipe the device remotely, he also conducted local tests and discovered that data was retained there too.

Ooms created a PowerShell script that fixes the issue by deleting the Windows.old folder from wiped devices. It can be downloaded from the linked blog post.

Closing Words

The issue affects version 21H2 of Windows 10 and 11 only. The number of users affected by this wiping issue is unknown, but it could cause data leaks. Windows users who need to wipe a device without retaining the user data need to make sure that the Windows.old folder is removed after the operation completes to eliminate any chance of data leaking into the wrong hands.
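
A post-reset check along the lines described above, as an added example (it is not Ooms' script and not part of the original article): it reports whether Windows.old survived the reset and how much profile data sits under it. The function name `Test-WindowsOldResidue` and the report fields are assumptions made for this illustration.

```powershell
# Added example: audit a freshly reset device for leftover Windows.old user data.
# Assumption: Windows.old sits at the root of the system drive, as the article describes.
function Test-WindowsOldResidue {
    [CmdletBinding()]
    param(
        # Drive to inspect; defaults to the system drive (for example C:)
        [string]$DriveRoot = $env:SystemDrive
    )

    $oldRoot  = Join-Path "$DriveRoot\" 'Windows.old'
    $oldUsers = Join-Path $oldRoot 'Users'

    # DisplayVersion holds the feature-update label (for example 21H2)
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    $result = [ordered]@{
        ComputerName   = $env:COMPUTERNAME
        DisplayVersion = $cv.DisplayVersion
        WindowsOld     = Test-Path -LiteralPath $oldRoot
        Profiles       = @()
        FileCount      = 0
        SizeMB         = 0
    }

    if (Test-Path -LiteralPath $oldUsers) {
        # Each directory under Windows.old\Users is a profile carried over from before the reset
        $result.Profiles = @(Get-ChildItem -LiteralPath $oldUsers -Directory -Force -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Name)

        # -Force includes hidden and system files; unreadable paths are skipped,
        # so the totals are a lower bound on what was left behind
        $files = Get-ChildItem -LiteralPath $oldUsers -Recurse -File -Force -ErrorAction SilentlyContinue
        $sum   = $files | Measure-Object -Property Length -Sum
        $result.FileCount = [int]$sum.Count
        $result.SizeMB    = [math]::Round([double]$sum.Sum / 1MB, 1)
    }
    [pscustomobject]$result
}

$report = Test-WindowsOldResidue
$report | Format-List
if ($report.WindowsOld) {
    Write-Warning "Windows.old is still present on $($report.ComputerName); the reset did not remove it."
}
```

Run it from an elevated PowerShell session on the device after the reset completes, before the device is handed to its next user.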

Now You: have you used wipe functionality before? (via Günther Born)

Publisher
Ghacks Technology News

Comments

  1. Anonymous said on February 22, 2022 at 11:22 am

    I use one of two options: 1) recover the disk for backup duties; or, 2) Destroy the disk totally.

    That’s not always possible (e.g. if you have to hand back a work laptop)
    In that case delete your files then use the cipher command to overwrite free space. Example: if your data drive is the F:\ drive:

    cipher /w:F:\

  2. rudy Ooms said on February 22, 2022 at 8:12 am

    Funny guy… Did you even read the blog itself? I guess not. I am not saying wipe is the best option, I am simply explaining that when using wipe, the device isn’t wiped and that’s one thing we need to beware of. That is called raising awareness for a problem!

    A lot of people are using the wipe in Intune when the device needs to pass to another colleague.
    If the device is located a couple of 100 miles away… you can’t tell them to slam a hammer on the hard disk? Or do you tell your customers to throw away a 1 year old device? Probably not..

    But calling me incompetent… I guess my MVP status tells me something else. If you don’t believe the story.. that’s fine… a lot of people think otherwise… feel free to send me a PM on Twitter or LinkedIn so we can continue your kind story.

  3. Casper was Here said on February 21, 2022 at 8:44 pm

    The story is BULLSHIT seriously… has any of the clueless commenters reset a device in their life?
    no, there is no Windows.old when you do it properly, the guy is an idiot and probably a noob at his job if he can’t even properly clear a device full data.

    In fact, fully resetting a device takes so long because it wipes the data so it can’t even be recovered.

    I mean, I did it recently with a surface computer and after many hours it finally was working fine and fully reset.

    I find it funny how clueless people believe some idiot who complains about it on whatever place and people just go with it like if it was the holy word.

    I mean, I clean installed my computer, and I made sure to fully remove the folders manually with the CMD recovery from the Windows installation. So I know what it is like because I am not going to format my HDD and remove all data like an idiot. I just move the important files to a new file and let everything be created without a Windows.old folder.

    People are really a bunch of lazy dumb people who can’t even install or reinstall or remove an operating system, I am surprised people can even turn a pc or a phone at this point. Instead of being smarter people apparently become dumber.

    Again, the story is a lie, the guy is an incompetent and he didn’t do it properly so he is blaming windows. Of course, he is going to say “I am sure I did it” nah, I am not going to believe your word when I have done it couple times a full reset, a reset keeping data, a clean install, upgrades and everything and nothing works out of the ordinary, I know if I will have a Windows.old or not.

    Also, only because files don’t show up in File Explorer doesn’t mean they don’t exist, anyone with a decent recovery tool will get those files. So people thinking “it doesn’t leave data behind because I deleted it on Linux partition” or some useless comment like that, are just as incompetent as this guy the post is talking about.

    Either wipe it or not, it will take hours but it will be harder for anyone to recover it, if not, you are just hiding it hoping someday it gets overridden.

    1. Emanon said on February 22, 2022 at 8:36 pm

      I agree, the Windows.old is only created during upgrades, not during Wipes, this is a clear case of incompetence.

      1. Rudy ooms said on February 22, 2022 at 10:54 pm

        Did you test it yourself? I guess not :)… Microsoft has just acknowledged that this bug will be fixed asap.

  4. pHROZEN gHOST said on February 21, 2022 at 8:41 pm

    At the risk of being considered crude, toilet paper leaves “data” behind too.

    1. Tom Hawack said on February 21, 2022 at 9:57 pm

      And wiping toilet paper is somewhat surrealistic. Better to physically destroy it. Most people destroy it, so much to hide I guess.

  5. UnaBomber said on February 21, 2022 at 8:09 pm

    Windows leaves stuff behind even if you clean install the operating system. I always either remove the drive and connect it to a linux computer where I delete all windows partitions and then reformat the drive a couple of times to different file systems then just click it away and leave it unallocated ready for the new installation or fire up a linux live system from a usb stick to do the same. Yes, I know that data is still there because I did not overwrite it, but the point is to fresh install windows with no traces of previous installations. A bit of a hassle but better than nothing.

  6. microfix said on February 21, 2022 at 7:58 pm

    2nd attempt lol
    Remedy: during a Linux installation, use LVM/ LUKS2 encryption with the ‘complete drive erase’ box ticked, best of both worlds and a bonus of mental wellbeing going forward :)

  7. Tom Hawack said on February 21, 2022 at 6:13 pm

    How is it wiped, what process? Nowadays elaborated tools exist for recovering wiped data.
    I’d agree with @Tachy : “The only way to truly remove the data from a drive is to physically destroy it.”

    1. Mike Murphy said on February 21, 2022 at 9:46 pm

      Most likely, by using the “Reset” option within Windows itself.

      1. Tom Hawack said on February 22, 2022 at 12:44 pm

        @Mike Murphy, I was referring to the quality of the Windows “Reset” wiping process. Obviously it’s more than deleting, but how deep does it perform? Wiping tools include options such as choosing the deletion algorithm (Simple One-Pass, Simple Two-pass, DoD 5220-22M, Secure erasing algorithm with 7 passes, Gutmann algorithm 35 passes …), so I am wondering what Windows’ ‘Reset’ “strength” is, so to say. Or is this ‘Reset’ feature completely different than traditional wiping/deletion algorithms?

  8. Corky said on February 21, 2022 at 6:12 pm

    Funny to see MS’ response in the linked Rudy Ooms article, in typical MS fashion they seem to be utterly tone deaf.

  9. Tachy said on February 21, 2022 at 5:48 pm

    The only way to truly remove the data from a drive is to physically destroy it.

    When not needing that level of ‘wiping’ we prefer to just delete all the current partitions during a fresh install of the OS.

  10. John G. said on February 21, 2022 at 4:22 pm

    I’m not surprised at all.
