Watch out when handing an old Windows PC to a new owner after resetting it. Some of your files could still be on there.
Microsoft has warned Windows 10 and Windows 11 users that files might not be deleted after resetting the device using the “Remove everything” option.
The issue stems from Microsoft’s OneDrive cloud file service and could mean files that were synced locally remain on a computer after a local or remote reset, which admins might do before handing the device to a new owner.
This issue can occur when attempting a manual reset from Windows or a remote reset from Intune or other mobile device management platforms, Microsoft warns.
“When attempting to reset a Windows device with apps which have folders with reparse data, such as OneDrive or OneDrive for Business, files which have been downloaded or synced locally from OneDrive might not be deleted when selecting the “Remove everything” option,” Microsoft says in an update to its known issues for Windows 11 21H2.
“OneDrive files which are “cloud only” or have not been downloaded or opened on the device are not affected and will not persist, as the files are not downloaded or synced locally.”
Microsoft notes that some device manufacturers and some documentation might call the feature to reset a device, “Push Button Reset”, “PBR”, “Reset This PC”, “Reset PC”, or “Fresh Start”.
Via BleepingComputer, the issue was discovered by Microsoft MVP Rudy Ooms, who found that user data was still readable in the “Windows.old” folder after completing a remote or local wipe of a Windows 10 device. Ooms details his findings in a blog post, including that data encrypted with Bitlocker is moved in clear form to the Windows.old folder after a Windows reset.
Windows.old is a folder containing the previous version of Windows on a device.
The issue affects Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 21H1; and Windows 10, version 20H2, according to Microsoft.
The company is working on a fix for an upcoming release but in the mean time it does have a workaround for the file-persisting issue.
Admins can prevent the issue by by signing out or unlinking OneDrive before resetting a Windows device. Microsoft provides instructions to do this in the “Unlink OneDrive” section in the support page, Turn off, disable, or uninstall OneDrive.
Users can also mitigate the issue on devices that have been reset by using the Windows feature Storage Sense in the Settings app. Storage Sense can be used to delete the Windows.old folder. Microsoft provides instructions for doing that in the support page KB5012334.
You may also enjoy reading, Q4/21: Sees More DDoS Attacks Than Ever Before
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.
- UK bans Chinese CCTV cameras at ‘sensitive’ government locations - 26 November 2022
- Chrome Update: Exploited Zero-Day Vulnerability fixed by Google, the 8th this year - 25 November 2022
- RESEARCH: analytics information related to iPhones include a Directory Services Identifier (DSID) that may be used to identify users - 24 November 2022