Destroying Data - Retiring Windows Devices and Dealing with Lost Devices

How do you prepare Windows devices for a new home or destruction? What if the device is lost? A lot of outdated information regarding the best way to retire SSD devices exists, so let's take a look at the best methods in 2024 by use case. Recommendations are based on NIST SP 800-88r1.

Device is end of life and headed for resale or recycle:

1. Trigger the system or drive sanitize or secure erase function.
2. Rotate the BitLocker recovery password and delete the BitLocker TPM keys.
3. Execute a diskpart "clean all" command from Windows PE environment.
4. Use third-party software like Gparted Live USB.
5. Destroy the disk. See the FAQ below for recommended destruction methods.
6. Use a service that provides certificates of destruction.

Device will be reused in the same environment:

1. Reset the system from Windows: Give your PC a Fresh Start
2. Fresh install from media: Create installation media for Windows - Microsoft Support
3. Reset from Intune: Reset Windows 10 and 11 devices with Microsoft Intune | Microsoft Learn

*NOTE: enable BitLocker again as soon as possible, don't leave the device in the OOBE state if there is a risk of unauthorized access or theft.

Device is lost or stolen:

1. Setup an Intune remediation script assigned to the computer to rotate the BitLocker recovery password and delete the BitLocker TPM keys.
2. Allow Intune to manage the device removal - processing it as a stale device. Disable the device in Entra and delete in accordance with your stale device policy.
3. Use third-party software to execute the BitLocker recovery password rotation and TPM key deletion when the device checks in via installed agent.

Here is a way to handle the BitLocker recovery password rotation with TPM key deletion: Bitlocker-Lost-Device.ps1.

*Do not delete the device from Intune or execute any of the Intune wipe/retire/reset functions.

Frequently Asked Questions:

What media sanitization operations are represented by each recommended method?

• Drive sanitize / secure erase: Clear, purge, or cryptographic erase depending on how the drive or system executes the operation.
• Delete BitLocker keys: Cryptographic erase.
• Diskpart clean all: Partial clear*.
• Third-party software: Partial clear*.
• Destruction: Destroy or partial destroy.

*NOTE: SSD wear leveling may leave data behind in user inaccessible regions.

What is SSD wear leveling and why does it affect the overwrite operations?

• SSD's have a limited number of read/write cycles, so SSD controllers store data across the entire drive to prolong the useful life of the drive. See this blog post by Oleg Afonin: Life after Trim: Using Factory Access Mode for Imaging SSD Drives | ElcomSoft blog.

What is cryptographic erase?

• Cryptographic erase is destroying the encryption key. Assuming the whole disk was encrypted, loss of a strong encryption key is equivalent to a purge operation. See NIST SP 800-88r1 for cryptographic erase considerations.

What's the difference between sanitize and secure erase?

• This is manufacturer dependent. For Western Digital / SanDisk both operations delete the mapping tables, but the sanitize operation also erases all written blocks. SeaGate offers a mixture of clear, purge, and cryptographic erase options.
• Some drives execute secure erase by changing the drive encryption key. This is an effective means of data destruction provided the old encryption key was unique to the drive and is not escrowed or backed up.
• If the entire drive was encrypted with BitLocker prior to triggering the drive manufacturer's erase, and the BitLocker keys and passwords are destroyed, end result is data purge regardless of the drive erase method used.

What about the SSD Trim operation, doesn't that automatically remove the data?

• Eventually the drive's garbage collection will destroy the residual data. However, as Oleg noted in his blog post, trimmed data is accessible before this happens via an SSD's factory access mode.

Why not remove all BitLocker protectors?

• Removing all BitLocker protectors will suspend BitLocker protection. By rotating the recovery password at the time of retirement you ensure there isn't a physical copy of the current recovery password with the device. Removing the TPM protectors means the drive will boot to the BitLocker recovery screen.

Why diskpart clean all?

• This writes 0's to the entire drive, which makes the data extremely hard to recover.
• Due to SSD wear leveling, all data may not be touched, but it should be enough to prevent most recovery via user accessible means.
• This is a good way to remove data from HDDs. Multiple writes are not necessary.

Isn't writing a lot of data to an SSD bad for it?

• Yes. But you are recycling or selling the device. Don't overwrite the drive if you plan to reuse it yourself.

Why not use Intune to wipe the lost or stolen drive?

• Intune device wipe will decrypt the drive when the reset is completed, which may allow file recovery software to restore data. See this blog post by Rudy Ooms : Wipe Tool | Intune delete object | Clean the Drive (call4cloud.nl).

Why shouldn't I delete the device from Intune? And why is Intune stale device removal different than deleting the device?

• If the device checks in with Intune after manual deletion, BitLocker will be suspended.
• If the device attempts to check in after stale device removal, BitLocker will not be suspended. See the note here: Retire or wipe devices using Microsoft Intune | Microsoft Learn.

What destruction methods are recommended?

• It depends on the drive type, see the NSA's guidance for current recommended products and methods: NSA Evaluated Products List
• Hard disk drives must be degaussed before they are physically destroyed unless the shredder reduces the hard disk to particles of 2 millimeters or less.
• Solid state drives are considered destroyed when particles are reduced to 2 millimeters or less.
• Incineration at temperatures greater than 500 degrees Celsius. Note: this is not a do-it-yourself fire.

What, no hammer? No drill?

• If you insist on physical destruction performed yourself, be sure to destroy all of the chips.
• If you are using a drill, one or two holes drilled through the outside case is NOT a good way to ensure data is unrecoverable.
• Make sure you are using proper protective equipment too.

Why is a drive destruction service listed last?

• I subscribe to security-in-depth. A certified destruction company by itself is probably fine. On the other hand, people thought their deceased family members were actually getting cremated too: Colorado funeral home discovered with 189 decaying bodies.