This blog will be about my experience when performing a remote wipe of Windows 10 and 11 devices in Intune! I noticed some weird and awful behavior when remote wiping Windows 10 and 11 devices in Intune.
Please Note: If you want to skip the introduction and just want to know how to “fix” it…for now: Part 7!
I will divide this blog into multiple parts.
- Remote Wiping Windows 10 21H1
- Remote Wiping Windows 11
- Remote Wiping Windows 10 21H2
- Wiping a not enrolled Windows Device
- The Complete summary
- The Fix!!!
- Explaining the Fix
- Windows.Old Folder and Windows 8.1?
- KB5011493 and KB5011487
Before I am going to show you the differences between remote wiping a Windows 10 device and a Windows 11 device I need to give you a little introduction to Remote Wiping a device in Intune.
Some time ago I did a blog about all the remote options you have in Intune to remote wipe, refresh or reset a device.
Imagine the day you receive a phone call from the CFO of a company you work for. She tells you she just received her brand-new notebook and wants to pass her old device (almost brand new) on to a colleague.
Luckily she is using OneDrive with Known Folder Move activated, so setting up her new notebook is going to be a piece of cake. But what about her old device?
This company is located a couple of hundred miles away, so sending someone in to reimage the device was a no-go at this time. But as explained in the blog above, we have multiple options to perform a remote wipe.
So you decide to perform a remote wipe to make sure the device is wiped clean!
As shown above, when performing a remote wipe you will be prompted with multiple options. Let me explain them a little bit more.
So what happens when we DIDN’T select anything and DIDN’T select the option to retain enrollment and the user data? Microsoft is telling us:
“All data, apps and settings will be removed”
So we made sure we didn’t select anything, let me show what happened! I will show you what happens and of course, the differences when you perform a remote wipe on Windows 10 and Windows 11.
2. Remote Wiping Windows 10 21H1
When performing a remote wipe from Intune on a Windows 10 21H1 device and we don’t select the retain data option, your device will be reinstalled and “wiped” as expected. After taking a look at what’s left on the hard disk we will notice it is no longer encrypted with Bitlocker. Also, we could notice a Windows.old folder in the root. Luckily this folder is very empty when performing a remote wipe from Intune on a Windows 10 Device!
Looking at the picture above, that is what you expect to happen when performing a remote WIPE!
3. Remote Wiping Windows 11
But the device in question was installed with Windows 11. So what happens when we execute the same Remote Wipe from Intune on a Windows 11 device? We will notice something different! Of course, we are making sure we don’t select the option to retain the user data.
I will divide this part into multiple subparts because I wanted to know what happens when performing a Remote Wipe on a Windows 11 VM in different kinds of situations. Each time, the Virtual Machine was 100% done enrolling and encrypted with BitLocker.
3.1. Locally opening the VHDX
After wiping the device, which was installed with Windows 11 21H2 and previously encrypted with BitLocker, we noticed that the old personal user data folder was moved to the Windows.old folder. That would not be a big deal if BitLocker was still enabled, but we all know what happens when we perform a remote wipe of the device….. BitLocker protection is also removed! So we end up with some sensitive data on a non-encrypted hard disk?
Let’s take a look first at how it looks when we mount the VHDX from a VM in which I tested this Remote Wipe. I am opening this VHDX from my Hyper-V 2016 test server.
As shown above… in the Windows.old folder there is still old user data with all our OneDrive KFM data left in it? I guess the warning that Microsoft gives us: “This removes all personal and company data and settings from this device” is not totally true with Windows 11.
But let’s find out if we are able to open those files. Having those files still on the device is one thing, but being able to open them is another.
With this first attempt, it really looked like the files couldn’t be opened, because copying gave us the error: 0x80070780
Opening the file gave us this message: “The System couldn’t get access to the file”
But I am not done yet, let’s see what happens when we fire up the VM itself and start opening the file with the use of Shift+F10 at the login screen or just attach the VHDX to a different VM.
3.2. Using Shift+F10 at the sign in screen
Let’s continue because the errors I got when locally opening the VHDX were a little bit weird in my opinion. Of course, I took over the permissions. But I didn’t trust the outcome!
So I wanted to see what happens when we performed a Remote wipe on a device that was previously Bitlocker Enabled and just used Shift+f10 to get a system CMD?
As shown below. *It’s possible to open all of the files!!!! How the hell should that be possible? I am wiping the device and choosing to NOT retain data!!!!!, so why is there still sensitive data on it?
*Please note: When using OneDrive Files on-demand functionality, only the files that are marked as “Always Keep on this device” are accessible. Otherwise, you could end up with 0 kb files
Also attaching the VHDX to another VM I had on that same Hyper-V server gives us the possibility to open those files!!!! That’s very very very bad! we can copy that sensitive information to our own device!
3.3 “Wipe device, and continue to wipe…..AKA DoWipeProtected”
Philip Cumiskey asked me what would happen when selecting the bottom checkbox: “Wipe device, even continue to wipe if the device loses power” aka DoWipeProtected Method.
Actually, that was a very good question as I didn’t test it yet. Looking at those options, the actual difference between selecting the bottom checkbox and not selecting it would be choosing between DoWipeMethod and DoWipeProtectedMethod.
Some time ago I created a PowerShell script to wipe your device without Intune… and I explained the DoWipeProtectedMethod in it
But let’s continue and take a look at what happens when we select the bottom option to start the remote wipe!
You could guess what happened… Just like with the DoWipeMethod… the Windows.old folder is still there and the data is also readable from a different VM.
4. Remote Wiping Windows 10 21H2
Okay, so when performing a remote wipe, Windows 10 21H1 wipes the device just like we expect, but Windows 11 totally screws things up! I still wanted to know what happens with an up-to-date Windows 10 21H2 build. I made sure I downloaded the latest 21H2 Windows 10 build and started the whole enroll and wipe process again.
As shown below…. also with the latest Windows 10 build, there is still sensitive data left when performing a remote wipe! That’s pretty awful, because at first I thought this issue only affected Windows 11 devices.
Please Note: This issue is only occurring when you have a fresh installed Windows 10 21H2 device! When your device is upgraded from 21H1 to 21H2 the folder is removed! Strange?
5. Wiping a not Enrolled Windows 10 21H2 Device
Remote wiping a Windows 10 21H2 or Windows 11 device will leave some sensitive data on the device but what happens when we enroll a new stand-alone/not enrolled VM and just perform a local wipe?
When resetting your local PC, you have got 2 options as shown below. Of course, we will choose the “Remove Everything” to be sure everything will be removed….. right?
Credits to Alena Šeflová-Poulová for testing out this idea with all possible outcomes!
I guess it’s pretty obvious, even when performing a local wipe on a Windows 10 21H2 device it will leave the user data in the Windows.old folder… this is worse than I thought at first!
Alena also did a test drive with the “Cloud Download” option
You could guess the outcome by now!!
6. The Complete Summary
The Wipe functionality (DoWipe and DoWipeProtected method) has the same issue in Windows 10 21H2 and Windows 11 when performing a local or remote wipe or even a Fresh Start. All of them just trigger the DoWipeMethod, and when using OneDrive and offline files you are up for a challenge!
| Scenario | Result |
| --- | --- |
| Remote Wipe 21H2 | User data NOT removed from Windows.old |
| Remote Protected Wipe 21H2 | User data NOT removed from Windows.old |
| Local Wipe 21H2 | User data NOT removed from Windows.old |
| Local Wipe Cloud Download 21H2 | User data NOT removed from Windows.old |
| Local Protected Wipe 21H2 | User data NOT removed from Windows.old |
| Remote Fresh Start 21H2 | User data NOT removed from Windows.old |
| All Wipe / Fresh Start actions with 21H1 | User data REMOVED from Windows.old |
| Upgraded Windows 10 21H1 to 21H2 | User data REMOVED from Windows.old |
So it’s definitely NOT an Intune Issue, it looks like something changed in the 21H2 update with the DoWipeMethod and in combination with OneDrive and its Mount Points/Reparse Points!
Please note: I am not saying the “wipe” option is the safest or the best option out there but when Microsoft Docs is telling us the data will be removed you would expect all of the data to be “wiped/removed“.
Another note to add: After talking with Sandy Zeng, I realized I didn’t explain the “OneDrive” part well enough.
This issue only occurs when you are using OneDrive (tested it with the Production and Deferred Ring) and of course, you need to have been signed in at some point. Also when using files on demand, it’s pretty obvious when the file isn’t on the device it can’t be opened from the Windows.old folder!
If you are interested in the whole technical flow behind this remote wipe, you should definitely read part 2!
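A post-wipe audit in the spirit of the tests above, added here as an example (not the post's own script): attach the wiped disk or VHDX to another machine and report what is still readable under Windows.old\Users, the BitLocker state of the volume, and how many of the leftover files are OneDrive Files On-Demand placeholders versus real content. The drive letter D:\ and the 0x400000 placeholder heuristic are assumptions.

```powershell
# Added example: audit a wiped OS volume that has been attached to another machine.
# Assumption: the wiped volume is mounted at $Root (D:\ is a constructed default).
param(
    [string]$Root = 'D:\'
)

$usersPath = Join-Path $Root 'Windows.old\Users'
$report = [ordered]@{
    Root             = $Root
    BitLockerStatus  = 'unknown'
    WindowsOldUsers  = Test-Path -LiteralPath $usersPath
    Profiles         = @()
    FilesWithContent = 0
    Placeholders     = 0
    BytesLeftBehind  = 0
}

# BitLocker state of the attached volume; the post found protection gone after the wipe.
try {
    $vol = Get-BitLockerVolume -MountPoint $Root.TrimEnd('\') -ErrorAction Stop
    $report.BitLockerStatus = "$($vol.ProtectionStatus) ($($vol.VolumeStatus))"
} catch {
    $report.BitLockerStatus = 'BitLocker cmdlets not available on this host'
}

if ($report.WindowsOldUsers) {
    # -Force includes hidden/system items; enumerating does not require taking ownership.
    $dirs  = Get-ChildItem -LiteralPath $usersPath -Directory -Force -ErrorAction SilentlyContinue
    $files = Get-ChildItem -LiteralPath $usersPath -File -Recurse -Force -ErrorAction SilentlyContinue
    $report.Profiles = @($dirs | Select-Object -ExpandProperty Name)

    # Heuristic (assumption): OneDrive Files On-Demand placeholders, the 0 KB files the
    # post mentions, carry FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS (0x400000) and hold no data.
    # Everything else under Windows.old\Users is real content sitting on an unencrypted disk.
    $recallOnDataAccess = 0x400000
    foreach ($f in $files) {
        if ((([int]$f.Attributes) -band $recallOnDataAccess) -ne 0 -or $f.Length -eq 0) {
            $report.Placeholders++
        } else {
            $report.FilesWithContent++
            $report.BytesLeftBehind += $f.Length
        }
    }
}

# FilesWithContent above zero means the "wipe" left readable user data behind.
[pscustomobject]$report
```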
7. The Fix?
Just after posting the first version of this blog, I realized we could solve this weird issue just like I did with the Shift+F10 Nightmare. In this blog, I used the resetconfig.xml to configure Windows Recovery Environment (Windows RE) Push-button reset features
Please download the whole PowerShell Script to fix the Windows 11 Remote Wipe Nightmare!
8. Explaining the Fix
Before I am showing you what I changed in the PowerShell script I need to explain, what happens when “Wiping” your device and the Extensibility Points
As shown above we have 2 Extensibility Points to choose from “FactoryReset_AfterDiskFormat” and “FactoryReset_AfterImageApply” when we want to apply some additional configuration.
Looking at the resetconfig.xml that is created in the PowerShell script, you will notice it will be executed after applying the Image.
Of course, it would be better if it ran at FactoryReset_AfterDiskFormat, but at that point in time the Windows.old folder has not yet been restored (even while we don’t want to retain data!). Believe me, I tried.
Now we know what the resetconfig.xml looks like, let us take a look at the PowerShell script itself. Comparing it with the Shift+F10 version, the only adjustment I made, was adding: rmdir /s /q c:\windows.old\users. I guess you know what it is going to do!
After you made sure this PowerShell script is deployed to your devices you can wipe your devices and the evil Windows.old folder is also removed. As there is no spoon…. uhhh folder, it’s hard to show you, but you know what I mean.
Please Note: I am writing an additional blog about the “wipe” option itself, it will explain how fragile this “wipe” function is….even with Windows 21H1! If it sounds secure, it has to be secure…. right?
9. Windows.Old folder and Windows 8.1
Why on earth is there still sensitive OneDrive data on it after a “Wipe” without selecting the retaining data option? Of course, I tagged the Intune Support Team to get some response.
Again… this is not what we want!!!! We don’t want a disk cleanup to delete that folder after 10 days! Is Microsoft referring to the Windows 8.1 good old days 🙂 ?
Please Note: Microsoft isn’t ignoring us and isn’t ignoring this issue!!! They are working hard to provide a fix as soon as possible. Hopefully, Microsoft will release this fix very very soon! I will keep this blog up to date when stuff changes!
Today I noticed a new Incident in the service health and message center: IT336291. It’s telling us some “users may notice some files persisting after resetting a Windows Device“
Looking at the above incident, it is telling us to take a look at KB5012334
And this article:
These articles are showing us some pre and post solutions:
- Unlink the OneDrive account before wiping the device, to make sure it isn’t going to end up in the Windows.old folder after the wipe!
- Remove the Windows.old folder ourselves by opening Settings –> System –> Storage
But I guess my fix works a little bit more automated… because normally (when not using Shift+F10) you would need to log in after your device has been wiped to remove this folder manually. But what happens when you log in with your username on a device whose 4K hardware hash (4K HH) was uploaded to Intune? Indeed… when configured, OneDrive would launch and start syncing your files back to your device!! Sounds like a chicken-or-the-egg situation?
11. KB5011493 and KB5011487
Luckily Microsoft released their official fix in the March Updates, KB5011493, and KB5011487. I decided to dedicate a separate blog to these updates as they do deserve a blog on their own!
Maybe I am too critical at this point and maybe I am getting “Banned”….
But ….Microsoft is telling us “Otherwise, All data will be removed” as shown below
The contents of that folder shouldn’t even be there in the first place! So when you perform a remote wipe on a device before you hand it over to someone else, please remove that folder manually, or use my fix until Microsoft has deployed theirs.
p.s: I only wrote this blog to create some awareness about this issue…Not to speak evil 🙂