Remote diagnosing a Win 11 Pro machine reset: what might have happened?

Demani

I got a call from someone I work tangentially with (while I was out of town and not able to really assist) that one of their Dell XPS workstations was wiped and reset.
Allegedly, they shut down on Friday, and when they came in on Monday they turned on the machine and it was reset: asked for new account set up etc.
Now, it seems like the machine must have been reset somehow, not just randomly wiped like they swear, but I'm not aware of any updates that spontaneously cause a reset. All data is on the single drive (and no work data of significance is on there, so it's mostly the issue of unexpected downtime during a busy time). I can't find any way to do it other than to manually initiate it, either from within Windows 11 or by booting into recovery mode. When it came back up it was running 22H2, so I assume it went back to a default recovery image (but I don't have any hands or eyes on this). Just wondering what I might tell them to look at to make sure other similar machines don't fall victim to the same thing. Nothing is in place for management of the machines (will probably nudge them towards Intune I guess).

Pretty much has to be user error, right?
 

SplatMan_DK

Check local folders and see if the local account folder is still there.

Sometimes updates will initiate a new setup-wizard, but as mentioned by continuum, that's not a complete wipe.

Microsoft does this hoping that people accept their default settings, which is "let's track everything you do, set your browser to Edge (with even more tracking), and set your search engine to Bing".

Also, two things could happen to produce the error you describe:

1.) An error during the update which affected the domain enrollment could produce an error where a new setup was required. But the original account folders would still be there, and manually re-joining the domain would fix it.

2.) Loss of a license. If the current license was issued through a local license server or a cloud policy, and it was later revoked or expired, the machine might revert to a non-pro license. That would render the OS unable to maintain its domain connection, and the result would be a perceived "wipe".

Example: the machine was issued a Windows Enterprise license through an M365 E5 license, but this license has been revoked with a package that doesn't include the OS (or it expired completely for this user).

That's all speculation on my part; I haven't actually seen such errors before. But, as you said, machines don't usually get wiped by themselves.

You need to dig a little deeper.

See if the Windows event logs offer any clues. Are they all timestamped "this morning" after the alleged wipe? Or do they go further back?
 

Demani

On the machine: no files or any evidence of prior use.
No log events before last night at 8pm. And I see some entries for OOBE so it was the initial set up process. Dell utilities were installed so it looks like it’s restoring from the local recovery volume.

Offline Defender scan was clean.

No idea what else to check. Really weird. Possibly a hardware issue - maybe the SSD is jacked a bit, throws a corrupting error and it attempts to recover from the partition? Only thing I can come up with other than someone explicitly walking up to screw with the end user.
But it’s odd that the first reset was also Monday night.
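
The checks discussed in this thread (how far back the event logs go, whether old profile folders survive, when setup ran), gathered into one PowerShell script. This is an added example, not something posted by anyone in the thread; it assumes an elevated session on the affected machine, and the `$SysReset\Logs` and `Panther` locations are the usual places Windows reset and setup leave logs, which may be absent on a given build.

```powershell
# Added example: collect evidence of when this Windows install began and what
# survived it. Run from an elevated PowerShell prompt on the affected machine.

# 1. Install time and build as recorded by the OS itself.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
[pscustomobject]@{
    InstallDate = $os.InstallDate
    LastBoot    = $os.LastBootUpTime
    Version     = $os.Version
    Build       = $os.BuildNumber
} | Format-List

# 2. Oldest surviving record in each core log. If every log starts at the same
#    moment, the logs were recreated by a fresh install rather than cleared.
foreach ($log in 'System', 'Application', 'Security', 'Setup') {
    $first = Get-WinEvent -LogName $log -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Log         = $log
        OldestEvent = if ($first) { $first.TimeCreated } else { 'no records / not readable' }
        Provider    = if ($first) { $first.ProviderName } else { $null }
    }
}

# 3. Shutdown and restart trail: 1074 = restart/shutdown requested (names the
#    process and user), 6005/6006 = event log started/stopped, 6008 = unexpected shutdown.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074, 6005, 6006, 6008 } `
             -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# 4. Profile folders: creation times show whether any account predates the reset.
Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -Force |
    Select-Object Name, CreationTime, LastWriteTime |
    Sort-Object CreationTime | Format-Table -AutoSize

# 5. Leftovers from a reset or in-place setup (assumed locations, may be absent).
$paths = @(
    (Join-Path $env:SystemDrive 'Windows.old'),
    (Join-Path $env:SystemDrive '$SysReset\Logs'),
    (Join-Path $env:windir 'Panther')
)
foreach ($p in $paths) {
    $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
    [pscustomobject]@{ Path = $p; Exists = [bool]$item; Created = $item.CreationTime }
}
```

Running the same script on one of the unaffected sibling machines gives a baseline to compare install dates and log start times against.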