N&P: Pros and cons of using Windows Reset instead of a boot ISO

Diggs

With machines getting harder to easily boot from a 3rd party media I've started to use Windows reset more than a bootable ISO for N&P situations. Had another one today that allowed a scammer on their computer remotely. I pulled the customer data and sent his laptop into a full, clean Windows Reset instead of trying to boot an ISO. I can't see that this is any less safe, but it does present a bit of extra work for stripping all the OEM bloatware and takes a bit more updating. Thoughts?

@add - What are the warranty issues if you N&P a new machine (under warranty) with an ISO that includes none of the manufacturer's spyware assistance programs, anti-virus, etc.?
 
I do not believe the Reset process does anything as far as reformatting the system drive. And in the case of any infection I always use diskpart during the N&P to wipe the drive before reinstalling Windows.

I can't honestly say that this definitely matters, but it does give me peace of mind. I also, and you've noted this, like the cleanest version of Windows that can be had, and Reset using the original OEM utility/image to do it doesn't get you that.

I'm curious to hear what difficulty you're having booting from USB? I haven't yet encountered a machine that doesn't do so, with ease, if I tweak the boot order to look at USB first.
 
With machines getting harder to easily boot from a 3rd party media
A properly created ISO will always work if the computer will boot from USB. Finding out how to boot from USB is the hard part for some.

I've started to use Windows reset more than a bootable ISO for N&P situations.
Reset and refresh are different. You also have a choice when doing a reset to wipe fully.

There is a difference as well if using the OEM reset. Bloatware is included and restores back to the way it came out of the box new.
 
I've been doing Windows resets after a FABS backup with the "clean my drive" option. I find it faster and more automated, and I don't have to then track down a bunch of drivers. In my experience, with the Dells and HPs I typically work with, I get a factory image but with the latest version of Windows. I don't mind the bloatware, I just treat it the same way I would a system migration and uninstall the 3 month trial of McAfee.
 
Whoa! The computer I just reset is in S-Mode and no way out of S-Mode without creating an online MS account. Pffft! You used to be able to jump out of S-Mode without an account but now it appears mandatory.
 
Whoa! The computer I just reset is in S-Mode and no way out of S-Mode without creating an online MS account. Pffft! You used to be able to jump out of S-Mode without an account but now it appears mandatory.
You have always had to have an account to do that. Use the client's account.
I charge accordingly for the extra hassle.
 
And in the case of any infection I always use diskpart during the N&P to wipe the drive before reinstalling Windows.
I'm not aware of any infection common in the wild that goes outside of Windows file system but feel free to point out my fallacy.

I'm curious to hear what difficulty you're having booting from USB?
I've fought a few machines and even switching in and out of the BIOS and then getting it to boot from USB is more of a hassle than just asking for a clean reset in the Activation section.

you also have a choice when doing a reset to wipe fully.
..and if it's going back to the same customer I don't do a secure wipe. If the machine is going to new owners I do a secure wipe.

What are the warranty issues?
I'm assuming a N&P from ISO voids any warranties still in place.
 
You have always had to have an account to do that.
Not in the early days of S-Mode (you can still see the discussions on the net). I did a bunch of them out of the box with no account but it's been a while.

I'm not going to get started on a S-Mode rant here as this customer is probably a good fit but S-Mode won't even run Windows Update Assistant because it didn't come from the Store. 😑
 
getting harder to easily boot from a 3rd party media
Lenovos are definitely in a class of their own in that difficulty.
Then there are the cases when the recovery partition stuff has a serious problem and can't do it.
Most other cases would require disabling secure boot to allow access to external media.
Don't know how it's going to be with Win11 that apparently mandates secure boot or nothing 🤔
 
doing Windows resets after a FABS backup with the "clean my drive" option.
I don't see why you'd choose the "clean my drive" option. If the computer's going back to the same user, why would you need to write zeros to the entire drive? In most cases, reset without keeping anything is all you need to do.
 
Honestly, I haven't used the Reset option in quite some time. Maybe because the last time I did use it was years ago and the PC was on a spinner drive and it took a bit to finally re-install. I prefer the USB clean install. After the clean install I have a folder with a set of programs I fire off to get it back up and running the way I need it.
 
I always do a fresh install from known good media. There is malware out there that subverts the local reset process and can survive it.

That being said, if I don't suspect malware and I need to wipe personal data before I move a machine to a new office, a reset is pretty quick. And it's nice to not need the media... but I'm always wearing my media... so it's not a huge deal for me.
 
I prefer the USB clean install.
BTW - How do you do S-Mode on a clean install? I've never crossed that bridge.

@add - Been doing some Googling and a S-Mode install is not as easy as it could be unless you have Win10 Pro installed. I guess S-Mode is based off of Pro(?).
 
@Diggs

It's like this but for Windows: https://fossbytes.com/android-malware-that-survives-factory-reset-works/

And yes... it happens.

These techniques work too, and require a BIOS reflash before reinstall to fix: https://thehackernews.com/2021/09/new-finspy-malware-variant-infects.html

But the reset process relies on the recovery partition, which is just another partition on the disk. All malware has to do is mount it, and add itself as a device driver. I'm not aware of any malware that does this off the top of my head, but I have had EMOTET survive a reset on a machine. It didn't survive a full reinstall.

THAT BEING SAID. Emotet is a pernicious bugger, and infects machines in various ways not the least of which is via email links. So it's entirely possible the user reinfected the unit himself clicking on something he shouldn't. Or, it simply remotely accessed the unit and installed itself via any number of means available thanks to the fact it also collects logins and passwords... So much so that his Gotomypc account was used to reinfect the unit in one of my attempts to zap it. It took me six months to finally remove that mess, and another six before I was sure it was "gone".

I still read their web filtration logs with a paranoid eye and it's been two years!

So no, I'm not aware of a bug that infests the recovery partition, but considering how easy it is to make changes in there I'm honestly rather shocked it hasn't happened yet.
 
Then I guess I will rely more on disk formats and USB ISOs. (Hence the reason for this thread.)
That's what I've been doing. Not so much that this sort of thing is overly common as just building into myself a set of habits that cover all potential bases. It means I can standardize the time consumed to do certain things.

Yes, reset is there and tempting. But these new systems Gen8 and younger? USB 3.0 installs happen in less than 5min! On a Dell Optiplex, with my USB stick and the cmd script I use to prestage things I can do a complete nuke and pave, with a BIOS update, and a complete driver refresh in less than 30min.

Reset takes that long on the hardware I've used it on and does far less. The only real problem with my process is I have to maintain and modify that script on the fly to suit the client I'm servicing. So that's a bit of know how on my end that's easy for me to do, whereas reset keeps drivers and such but blows everything else away.

So... the reset process is more compatible with someone inexperienced pushing the big red button, under direction by someone that knows what's going on.

So I wind up reserving resets for emergency remote support actions, which I actively attempt to avoid at all costs. But your mileage may vary.

I've only had the one infection I talked about above require the full "proper" nuke and pave process of, fresh USB that's never seen that machine before, said machine is powered off, said machine is booted into its BIOS, forcibly flashed with a known good BIOS, boot to USB device to install windows, delete all partitions and install from scratch, deploy drivers, deploy all updates.

It's a SLOG! As I said it took me six months to clear that one network, and here's the scary bit... that one network only had 6 machines! If it had hit my whale client at the time that had 90... I think it would have forcibly retired me.
 
I'm not aware of a bug that infests the recovery partition, but considering how easy it is to make changes in there I'm honestly rather shocked it hasn't happened yet.
Maybe it hasn't happened because Microsoft had thought of that, the integrity of the recovery partition could be checked before install.
 
Maybe it hasn't happened because Microsoft had thought of that, the integrity of the recovery partition could be checked before install.
As far as I know it downloads fresh stuff on every install, but that's still only a software vuln away from not happening. I agree it's a highly trust-able thing, it's just not to me as good as a USB install. Which oddly is faster for me most of the time.
 