Beware: Windows 11 data wipe can leave personal info on disk [updated]

News
By Alex Wawro
published

Windows' Reset feature leaves data behind, says researcher

The Windows 11 logo seen through a digital magnifying glass
(Image credit: Shutterstock)

UPDATE: Microsoft has fixed this problem in Windows 10 and Windows 11 with the March 2022 Patch Tuesday round of software updates, released March 8.

One of my favorite things about Windows 11 is how easy it is to reset a PC back to factory default settings. I have to do this all the time for work, and I love that I can just hit the Start button, type "reset" and quickly hop into the "Reset this PC" section of the Windows Recovery settings. A few clicks later, and Windows is wiping the drive and reinstalling itself from scratch.

However, it appears that resetting your Windows PC in this way often leaves behind traces of personal data in an easily accessible "Windows.old" folder, even though Windows claims it will remove all your personal files during the process. That's a significant problem, especially if you plan to sell an old PC and assume that resetting it back to factory defaults eliminates all trace of your personal information.

This news comes to us courtesy of IT professional and Microsoft MVP (Most Valuable Professional) Rudy Ooms, who tested different permutations of the Windows 11 and Windows 10 data wiping tool. 

Ooms found that in most cases Windows fails to remove everything, and instead preserves at least some user data in a Windows.old folder it creates on your hard drive. Microsoft's OneDrive is a big culprit here, as based on testing it appears that if you ever sign into OneDrive on your Windows PC and allow it to save files on your hard drive, some trace of those files will be left behind even after Windows wipes the PC.

Screenshot of a text message to developer Rudy Ooms detailing developer Sandy Zeng's research on how Microsoft OneDrive being present interferes with Windows' disk wipe.

Ooms collaborated with colleagues like Microsoft MVP Sandy Zeng to research how Windows' data-wiping tools work. Zeng confirmed that if you log into Microsoft OneDrive on your PC and allow it to put files on your hard drive, those files will likely remain even after a disk wipe. (Image credit: Rudy Ooms)

Ooms conducted his testing by repeatedly performing different permutations of data wipes on Windows PCs running in virtual machines, both locally and remotely via Microsoft's Intune remote device management toolset. He also got some help from fellow devs, and documented the results of all this testing and investigation in a multi-part series on his personal blog.

It's an interesting read, and here's the big takeaway: most of the time, Windows doesn't actually eliminate all your personal data, even though it says it will. Worse, if you have files encrypted with Bitlocker, it's possible to wipe the PC and have the Bitlocker encryption removed, yet have the files still hanging around un-encrypted on the hard drive.

It's not just Windows 11, either; up-to-date versions of Windows 10 also appear to have the same issue. After testing many permutations of Windows' data-wiping tool in action (both remotely and on local PCs), Ooms created the following chart to show which Windows data wipe methods still leave data behind in the Windows.old folder.  

Swipe to scroll horizontally
Windows data wipe actionResults
Remote Wipe 21H2User Data NOT removed from Windows.old
Remote Protected Wipe 21H2 User Data NOT removed from Windows.old
Local Wipe 21H2 User Data NOT removed from Windows.old
Local Wipe Cloud Download 21H2 User Data NOT removed from Windows.old
Local Protected Wipe 21H2 User Data NOT removed from Windows.old
Remote Fresh Start 21H2 User Data NOT removed from Windows.old
All Wipe /Fresh Start actions with 21H1 User data REMOVED from Windows.old

As you can see, most methods of wiping a Windows 11 PC will leave some easily-accessible user data behind. The only way he reliably wiped a Windows PC was if it was running the older 21H1 version of Windows 10. Ooms believes this is due to a relatively recent change to Windows' data wiping toolset that rolled out alongside the 21H2 update in November 2021. 

Ooms made the problem known to Microsoft and the world at large, so there's good reason to hope a meaningful fix will be rolled out to Windows PCs in the near future. As it stands, Ooms was told my a Microsoft Intune rep that Windows does automatically delete the Windows.old folder 10 days after it gets created...which is nice if you realize you need a file you accidentally deleted, but less nice if a stranger can access the files you thought you deleted.

So if you hate the idea of old data sitting around on your freshly-wiped Windows PC for up to 10 days, what can you do? 

If you're comfortable using Microsoft PowerShell, Ooms has released a PowerShell script you can run before resetting your Windows PC that should ensure it leaves no easily-accessible personal data behind. You can download the script from his blog, or directly via this link

If you're not ready to start messing around with PowerShell, hang tight: Microsoft is likely to address this issue in a future patch, as it seems like a significant oversight that could lead to big problems for Windows users who pass along their PCs. 

Alex Wawro
Alex Wawro
Senior Editor Computing

Alex Wawro is a lifelong tech and games enthusiast with more than a decade of experience covering both for outlets like Game Developer, Black Hat, and PC World magazine. A lifelong PC builder, he currently serves as a senior editor at Tom's Guide covering all things computing, from laptops and desktops to keyboards and mice.