What to Do Before Disposing of a Windows PC — A Practical Checklist for Data Erasure, Account Unlinking, and Backups
· Go Komura · Windows, Security, Backup, BitLocker, Data Erasure, PC Disposal, Operations, Data Leak Prevention, Legacy Asset Reuse, Development Environment
1. The First Thing to Understand
When disposing of a Windows PC, it is tempting to think “just reset it” or “just delete the files.” But the practical risks go beyond that — an old PC holds far more information than you expect.
Personal files
Business files
Browser sign-in state
Saved passwords
Email
Synced folders such as OneDrive and Dropbox
SSH private keys
Git credentials
API keys for cloud services
VPN configurations
Certificates
Wi-Fi passwords
BitLocker recovery keys
WSL and Docker data
Virtual machines
Local databases
Data from accounting software and business apps
What needs to happen before disposing of a PC breaks down into four big things:
Don't lose the data you need
Don't let data be recovered from the PC you no longer need
Unlink accounts and licenses
Be able to explain later that the PC was disposed of, and how
In other words, PC disposal is not “tidying up before taking out the trash” — it is a small information security operation.
This article covers what to check before disposing of, transferring, selling, trading in, or returning a leased Windows PC, with personal PCs, developer PCs, and small-office business PCs in mind.
2. Distinguish What “Disposal” Means
First, “disposal” in this article is not limited to throwing the machine away entirely.
In practice, there are cases like these:
| Case | Typical example | Main concerns |
|---|---|---|
| Disposal | Sending an aging PC for collection / recycling | Data erasure, storage destruction, records |
| Sale | Used-goods shop, flea market app, trade-in | Data erasure, account unlinking, fresh-setup state |
| Transfer | Handing it to family, a friend, another department | Personal data removal, licenses, change of user |
| Lease return | Returning a company lease PC | Company rules, asset numbers, erasure certificates, management deregistration |
| Reuse | Repurposing as your own test machine or for another use | Data separation, OS reinstall, permission cleanup |
The required rigor changes depending on “where the PC ends up.” For example, if it merely becomes a test machine within your own home, full physical destruction may be unnecessary. On the other hand, if a PC that handled business data is going to an external vendor, you should think all the way through erasure certificates and physical destruction.
The first thing to decide is the answer to these questions:
After disposal, whose hands will this PC end up in?
How sensitive was the information this PC held?
Will the storage in this PC be reused or destroyed?
Will you need to explain the disposal procedure later?
If you “just reset it” while these answers are vague, you may delete data you needed — or leave behind data you should have erased.
3. What PC Disposal Really Protects
What you want to protect in PC disposal is not the PC itself, but these three things:
Data
Accounts
Trust
Data is the obvious one: documents, photos, email, source code, databases, credentials, and so on.
Accounts also matter. If the PC remains tied to a Microsoft account, a work or school account, OneDrive, browsers, cloud storage, developer services, VPNs, or Remote Desktop, a third party could potentially abuse them.
And the one that tends to be overlooked is trust.
If an information leak ever occurs, you are in trouble if you cannot explain the following:
When was that PC disposed of?
Who approved the disposal?
Which storage devices were inside it?
By what method was the data erased?
Was the erasure or destruction verified?
Which vendor was it handed to?
Are certificates and records retained?
For a personal PC, you may not need this level of strictness. But for business PCs, disposal records are part of your security measures.
4. The Overall Flow
The standard flow before disposing of a Windows PC looks like this:
1. Decide the disposal method
2. Take stock of what is on the PC
3. Back up the data you need
4. Verify you can restore from the backup
5. Review apps, licenses, development environments, and secrets
6. Stop OneDrive and other cloud sync
7. Sort out ties to Microsoft accounts and work accounts
8. Check the state of BitLocker and device encryption
9. Choose a data erasure method
10. Run the Windows reset, a dedicated erasure tool, or physical destruction
11. Confirm you reached the initial setup screen, or that destruction is complete
12. Remove the device from the Microsoft account and management portals
13. Retain disposal records, erasure certificates, and collection slips
The key point is to verify before you erase.
If you reset before backing up, there is no going back. If the PC stops booting before accounts are unlinked, cleaning up the management portal and cloud side becomes a pain. If you clear the TPM without checking the BitLocker state, you can lock yourself out of your own data.
Disposal work should not be started on impulse.
5. Back Up First
The first task is not data erasure.
It is backup.
Windows has a mechanism called Windows Backup, which can back up files, themes, settings, some apps, and Wi-Fi information — the things that ease migration to a new PC.
But relying solely on this is dangerous, for simple reasons:
Not all app data is necessarily covered
Business files may not be allowed on a personal OneDrive
Huge VMs and Docker data tend to be out of scope
Local databases and development secrets are easily overlooked
Things that look cloud-synced may actually be stuck in sync errors
The safe flow is a two-layer approach:
Keep normal migration data via Windows Backup and cloud sync
Additionally evacuate important working data to an external SSD or company storage
What matters most is not that you backed up, but that you can restore.
Files may appear to exist at the backup destination yet be stale, be shortcuts only, or be cloud placeholders.
Before disposal, verify at minimum:
Can you open the backup destination from another PC?
Can you actually open the important files?
Do you remember the passwords for password-protected files?
Are the archive files intact?
Are there folders that slipped out of the backup scope?
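One way to run these checks, as an added example that is not part of the original article: a PowerShell function that compares a source folder with its backup copy and reports missing files, stale or damaged copies, and cloud placeholders. The function name `Test-BackupCopy` and the paths in the usage comment are assumptions.

```powershell
# Added example: check that a backup copy is complete and readable.
# Test-BackupCopy and the paths in the usage comment are hypothetical names.
function Test-BackupCopy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SourceRoot,
        [Parameter(Mandatory)] [string] $BackupRoot
    )

    # Attribute bits set on cloud placeholders, i.e. files whose content is not on disk:
    # FILE_ATTRIBUTE_OFFLINE (0x1000) and FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS (0x400000).
    $placeholderMask = 0x00001000 -bor 0x00400000

    $src = (Resolve-Path -LiteralPath $SourceRoot).ProviderPath.TrimEnd('\')
    $dst = (Resolve-Path -LiteralPath $BackupRoot).ProviderPath.TrimEnd('\')

    foreach ($file in Get-ChildItem -LiteralPath $src -File -Recurse -Force -ErrorAction SilentlyContinue) {
        $relative = $file.FullName.Substring($src.Length).TrimStart('\')
        $target   = Join-Path $dst $relative
        $status   = 'OK'

        if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
            $status = 'MissingInBackup'
        }
        else {
            $copy = Get-Item -LiteralPath $target -Force
            if (([int]$copy.Attributes -band $placeholderMask) -ne 0) {
                # Hashing would trigger a download and hide the problem, so report it instead.
                $status = 'BackupIsCloudPlaceholder'
            }
            elseif (([int]$file.Attributes -band $placeholderMask) -ne 0) {
                # The local "original" is itself only a placeholder for cloud content.
                $status = 'SourceIsCloudPlaceholder'
            }
            elseif ($copy.Length -ne $file.Length) {
                $status = 'SizeMismatch'
            }
            else {
                try {
                    # Reading both files end to end also proves they can be opened.
                    $a = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
                    $b = (Get-FileHash -LiteralPath $target -Algorithm SHA256 -ErrorAction Stop).Hash
                    if ($a -ne $b) { $status = 'HashMismatch' }
                }
                catch {
                    $status = 'Unreadable'
                }
            }
        }

        [pscustomobject]@{
            Status       = $status
            RelativePath = $relative
            SourceBytes  = $file.Length
        }
    }
}

# Usage (example paths): show only the files that need attention.
# Test-BackupCopy -SourceRoot "$env:USERPROFILE\Documents" -BackupRoot 'E:\Backup\Documents' |
#     Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

A clean result only covers files that exist under the source folder; folders that were never included in the backup scope still have to be found by reviewing the scope itself.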
6. Backup Scope Checklist
Here are the items easily overlooked in a pre-disposal backup.
User Folders
The basics first:
Desktop
Documents
Downloads
Pictures
Videos
Music
Folders under OneDrive
Downloads tends to be used as a temporary dropzone, but in practice it often holds important PDFs, invoices, certificates, installers, and received files.
Email and Calendars
Even when email lives in the cloud, check for data that exists only locally:
Outlook PST files
Old email archives
Mail client-specific local data
Exported calendars
Contacts
In particular, environments that used PSTs with older Outlook versions may have archives left in places like Documents\Outlook Files.
Browsers
Browsers hold more than you might think:
Bookmarks
Saved passwords
Extensions
Autofill data
Session data
Cookies
Certificates
Developer tools workspace settings
If migrating to a new PC, check the browser’s sync status. If not needed, sign out and disable sync before disposal. That said, if you will ultimately wipe the entire storage, do not rely on piecemeal in-browser deletion as your assurance.
Business Apps
Business apps often store data in non-obvious locations:
Accounting software
Payroll software
Sales management software
Greeting card software
Software bundled with scanners
Apps that use digital certificates
Proprietary-format databases
Unless you run the backup or export from within the app’s own UI, a simple folder copy may not be restorable.
Certificates and Private Keys
On the PCs of developers and business staff, certificates matter:
Client certificates
Code signing certificates
VPN certificates
Certificates for electronic filings
Private key files
PFX files
Certificates may live not only as files but in the Windows certificate store. If needed, confirm with your organization’s administrator whether they can be exported with the private key.
Development Environments
Developer PCs have more blind spots than ordinary office PCs:
Git repositories
Unpushed commits
Uncommitted changes
Local branches
SSH private keys
GPG keys
NuGet.config
.npmrc
pip configuration
Docker volumes
WSL distributions
Virtual machines
Local databases
.env files
Cloud CLI credentials
IDE settings
Snippets
Design notes that exist only locally
The most dangerous are unpushed commits and .env.
.env files tend to contain connection strings, API keys, and test passwords.
Decide separately what needs to be kept as backup and what should be discarded and reissued.
7. Additional Checks for Developer PCs
For developer PCs, moving files alone is sometimes not enough.
Running checks like the following before disposal saves trouble after migration.
Check Git State
```powershell
# Example: find Git repositories under the working folder
Get-ChildItem -Path C:\Work -Directory -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { Test-Path (Join-Path $_.FullName ".git") } |
    Select-Object FullName
```
For each repository, check:
```powershell
git status
git branch --show-current
git remote -v
git log --oneline --decorate -5
```
If local changes remain, either commit and push them, or evacuate them as patches:
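```powershell
# --output writes the patch file directly; in Windows PowerShell 5.1, ">" re-encodes
# the text as UTF-16, which git apply cannot read
git diff --output=changes.patch
git diff --staged --output=staged.patch
```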
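The per-repository checks above can be run across every repository in one pass. This is an added example, not code from the original article; the function name `Get-GitDisposalReport` and the default root `C:\Work` are assumptions.

```powershell
# Added example: report work that exists only on this PC, one row per repository.
# Requires git on PATH. Function name and default root are hypothetical.
function Get-GitDisposalReport {
    [CmdletBinding()]
    param([string] $Root = 'C:\Work')

    if (-not (Get-Command git -ErrorAction SilentlyContinue)) {
        throw 'git was not found on PATH.'
    }

    # Candidate folders: the root itself plus every directory below it.
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        # .git is a directory in a normal clone and a file in worktrees and submodules.
        if (-not (Test-Path -LiteralPath (Join-Path $dir.FullName '.git'))) { continue }
        $repo = $dir.FullName

        # Uncommitted and untracked files, one line each in porcelain format.
        $dirty = @(git -C $repo status --porcelain 2>$null)
        if ($LASTEXITCODE -ne 0) {
            # Do not report a repository as clean when git could not read it.
            [pscustomobject]@{
                Repository = $repo; Branch = $null; Remotes = $null
                Uncommitted = $null; Unpushed = $null; Stashes = $null
                Action = 'git failed here; inspect manually'
            }
            continue
        }

        $branch   = git -C $repo branch --show-current 2>$null
        $remotes  = @(git -C $repo remote 2>$null)
        # Commits on any local branch that no remote-tracking ref contains.
        $unpushed = @(git -C $repo log --branches --not --remotes --oneline 2>$null)
        $stashes  = @(git -C $repo stash list 2>$null)

        $todo = @()
        if ($dirty.Count)        { $todo += 'commit or export as patch' }
        if ($unpushed.Count)     { $todo += 'push local commits' }
        if ($stashes.Count)      { $todo += 'review stashes' }
        if (-not $remotes.Count) { $todo += 'no remote: copy the whole repository' }

        [pscustomobject]@{
            Repository  = $repo
            Branch      = if ($branch) { $branch } else { '(detached HEAD)' }
            Remotes     = $remotes.Count
            Uncommitted = $dirty.Count
            Unpushed    = $unpushed.Count
            Stashes     = $stashes.Count
            Action      = if ($todo) { $todo -join '; ' } else { 'nothing local-only found' }
        }
    }
}

# Usage: list only the repositories that still hold local-only work.
# Get-GitDisposalReport -Root 'C:\Work' |
#     Where-Object Action -ne 'nothing local-only found' | Format-List
```

The unpushed count compares against the remote-tracking refs already on disk, so run `git fetch` first if the remote may have changed.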
Check WSL
If you use WSL, check the distributions:
```powershell
wsl --list --verbose
```
Export if needed:
```powershell
wsl --export Ubuntu D:\Backup\wsl-ubuntu.tar
```
Note that WSL may contain Linux-side SSH keys, cloud credentials, .env files, and database data.
Take care with where the export is stored, too.
Check Docker Desktop
Docker images can usually be re-pulled, but volumes may hold local data:
```powershell
docker volume ls
docker ps -a
docker images
```
If there are database volumes, uploaded files from test environments, or development MinIO data, decide on a backup or disposal policy.
Take Stock of Cloud CLI Credentials
Folders like these may hold credentials and configuration:
%USERPROFILE%\.aws
%USERPROFILE%\.azure
%USERPROFILE%\.kube
%USERPROFILE%\.docker
%USERPROFILE%\.ssh
%USERPROFILE%\.gnupg
%APPDATA%\NuGet\NuGet.Config
%USERPROFILE%\.npmrc
%USERPROFILE%\pip\pip.ini
If you wipe the entire storage before disposal, locally stored credentials disappear with it. But if you copy them as backups, the copies need managing too.
For tokens and keys you no longer need, reissuing them is sometimes safer than carrying them to the new PC.
8. Record the App List and Licenses
What bites you after wiping a PC is reinstalling the apps.
Check software like the following in advance:
Paid software
Perpetual-license software
Software with seat limits
Software requiring old installers
Internally distributed apps
Drivers and peripheral utilities
VPN clients
Apps that require certificates
On Windows 11 / Windows 10, if winget is available, you can list the installed apps:
```powershell
winget list > installed-apps.txt
winget export -o winget-export.json
```
winget export is not a magic spell that fully restores every app, but it serves well as notes when building the new PC.
For licenses, check:
Have you recorded the license keys?
Is the license tied to an account?
Does the old PC require sign-out or deactivation?
Can you obtain the installers?
Should end-of-support software keep being migrated at all?
Disposal is also a good opportunity to reassess old software.
9. Check BitLocker and Device Encryption Status
Recent Windows PCs often have BitLocker or device encryption enabled.
BitLocker is the Windows feature that encrypts the entire drive to reduce the risk of data exposure from loss, theft, or improper disposal of the PC. Device encryption is the mechanism that automatically enables BitLocker-based encryption on Windows devices meeting certain conditions.
Before disposal, check the encryption status:
```cmd
manage-bde -status
```
In PowerShell, you can also check with:
```powershell
Get-BitLockerVolume
```
What you want to confirm:
Is the C drive encrypted?
Are the data drives encrypted?
Is encryption complete, not in progress?
Do you or your organization control the recovery key?
Is this PC tied to a personal account, or a work / school account?
You cannot simply say “BitLocker is on, so we’re safe.”
If the entire drive was encrypted from the start and the recovery key is properly managed, you are in a good position for data protection. But if encryption was enabled only just before disposal, it can be hard to judge whether previously deleted data and unencrypted regions are sufficiently protected.
Also, the recovery key may be stored in a Microsoft account or a work / school account. Around disposal time, check where the recovery keys are kept as well, if relevant.
10. Sort Out OneDrive and Cloud Sync
On a PC using cloud sync such as OneDrive, Dropbox, or Google Drive, think about these separately:
Data to keep on the cloud side
Data to delete from this PC
Data for which only the sync with this PC should be disconnected
A common pitfall: deleting files inside the OneDrive folder on the PC can also delete them on the cloud side.
Before disposal, do not start by deleting files — start by checking the sync state:
Has sync completed?
Are there sync errors?
Are there files that exist only locally?
Can they be opened on the cloud side?
Then disconnect the PC.
For OneDrive, open Settings from the OneDrive icon in the notification area and use Unlink this PC on the Account tab.
That said, if you will ultimately reset Windows and wipe the drive, there is no need to obsess over the cloud-sync unlinking alone. What matters is to confirm the data you need exists in the cloud or at the backup destination before wiping the PC side.
11. Unlink the Microsoft Account
When you sign in to a Windows PC with a Microsoft account, that PC is registered in the Microsoft account’s device list.
For a PC being disposed of, sold, or transferred, remove it from the Microsoft account’s device list after the work is done.
The rough flow:
1. Sign in at account.microsoft.com/devices
2. Find the target PC
3. Perform "Remove device" or the applicable unlinking operation
4. Confirm it is no longer subject to Microsoft Store device limits or Find My Device
Note that removing the PC from the Microsoft account’s device list does not wipe the PC’s storage. Conversely, merely resetting the PC does not necessarily tidy up the device list on the Microsoft account side. Treat local data erasure and cloud-side device cleanup as separate tasks.
If the PC is lost, stolen, or otherwise not in your possession, also look into Find my device and the account’s sign-out features.
For disposing of a PC you have in hand, the clear order is: data backup and erasure first, then clean up the cloud-side registration.
12. Disconnect Work or School Accounts
A PC that was signed in with a company or school account deserves more caution than a personal PC.
In Windows, a work or school account can be connected via Settings.
That connection may grant access to email, files, apps, and organizational resources.
Before disposal, check:
Is this PC company-owned or personally owned?
Is it managed by MDM such as Intune?
Is it joined to Microsoft Entra ID?
Is it registered with Windows Autopilot?
Is the BitLocker recovery key stored on the organization side?
Is it registered as a leased or company asset?
If a work account was connected on a personally owned PC, you may be able to disconnect it from Settings > Accounts > Access work or school.
However, on company-owned PCs, users sometimes must not reset the machine on their own.
For example, on Intune-managed PCs, administrators choose among device actions such as Retire, Wipe, and Delete.
And a PC registered with Windows Autopilot may, even after a plain Windows reset, return to its original organization during re-setup.
For company PC disposal, the safe path is for the user not to decide alone, but to follow the IT department’s or administrator’s procedure.
13. Also Confirm PC Recycling and Collection Methods
Beyond the Windows reset, confirm the actual disposal route.
In Japan, used PCs are disposed of under schemes such as manufacturer collection and small home appliance recycling. Household PCs and business PCs may be handled differently.
For individuals, the options include:
The manufacturer's PC recycling service
Municipal or certified small home appliance collection
Used-goods buyers or trade-in
Transfer to family or friends
For companies, perspectives like these are required:
Retirement from the company asset register
Return to the leasing company
Processing as industrial waste
Data erasure certificates or destruction certificates
Contracts and NDAs with the contractor
Countermeasures against loss in transit
Even when handing off to a collection vendor, it is unsafe to assume “the vendor will erase it, so we need do nothing.”
Decide, as your own or your organization’s responsibility, which of these to do:
Erase or destroy it yourselves before handing it over
Outsource to a vendor that can issue erasure certificates
14. How to Think About Data Erasure
Data erasure has levels.
NIST SP 800-88 Rev. 2 lays out media sanitization broadly as Clear, Purge, and Destroy.
Roughly, the breakdown is:
| Level | Idea | Examples |
|---|---|---|
| Clear | Make read-back hard by ordinary means | Overwriting, OS erasure features |
| Purge | Make recovery infeasible by stronger methods | Cryptographic erase, dedicated commands, proper sanitization |
| Destroy | Render the media unusable | Physical destruction, shredding, drilling |
Which level you need depends on the data’s sensitivity and where the device goes after disposal.
If you are sending a personal, old PC to recycling, choosing Remove everything with Clean data in Windows’ Reset this PC can reduce the typical risks.
But for a PC that handled customer information, credentials, or medical / financial / confidential design data, that alone may be insufficient. In such cases, consider dedicated erasure tools, the storage manufacturer’s sanitize features, cryptographic erase, or physical destruction.
The essential points:
"Thinking it's erased" and "unrecoverable" are different things
"Windows won't boot" and "the data can't be read" are different things
"Reset" and "meets industry-standard erasure" are different things
15. “Delete” and “Quick Format” Alone Are Not Enough
Deleting files and emptying the Recycle Bin does not necessarily wipe the underlying data completely.
A normal delete merely marks the region as “free” in the file system; until the actual data is overwritten, recovery may be possible.
The same goes for quick format. It only rebuilds the management structures — it does not fully overwrite the entire storage.
The following measures are weak as pre-disposal data erasure:
Only emptying the Recycle Bin
Only deleting the user folder
Only clearing browser history
Only deleting the Windows user
Only quick-formatting
Only deleting the partitions
These have meaning as “hide it from view” operations in daily use. But as erasure before handing a PC to a third party, they are insufficient.
16. What Windows’ “Reset This PC” Can Do
For personal PC disposal and transfer, the most accessible tool is Windows’ Reset this PC.
On Windows 11, you generally run it from here:
Settings > System > Recovery > Reset this PC
On Windows 10, here:
Settings > Update & Security > Recovery > Reset this PC
For disposal or transfer, choose Remove everything as a rule.
In the subsequent options, these perspectives matter:
Don't keep personal files
Don't restore apps and settings
Clean the drive
Include all drives if needed
According to Microsoft’s documentation, enabling Clean data deletes the files and cleans the drive, making it harder for someone else to recover deleted files.
However, this data erasure feature is described as consumer-grade and does not meet government or industry data erasure standards.
This is the crucial point: the Windows reset is convenient, but not omnipotent.
Easy to use for typical personal transfer and disposal
Can fall short as evidence of erasure for highly sensitive data
SSDs and failed drives may require dedicated sanitization or destruction
17. The Standard Procedure for Personal PCs
A realistic procedure for selling, transferring, or sending a personal PC to collection looks like this:
1. Back up the data you need
2. Verify you can open the backup from another PC or a phone
3. Check the sync state of OneDrive and the like
4. Check account state in browsers and apps
5. Check the state of BitLocker or device encryption
6. Open Windows' "Reset this PC"
7. Choose "Remove everything"
8. Enable "Clean data"
9. If there are multiple drives, confirm which drives are included
10. Run the reset
11. When the initial setup screen appears, power off without creating a new user
12. Remove the PC from the Microsoft account's device list
The initial setup screen is the one where you choose country or region, keyboard, network, and so on. If the machine reaches this screen, the next user can set it up with their own account.
If you create a new user at this point, you will have to wipe that user’s information all over again. For sales and transfers, powering off at the initial setup screen is the clean approach.
18. Don’t Overlook “All Drives”
What deserves special attention in a Windows reset is multiple drives.
Even laptops can have configurations like:
C: SSD for the OS
D: SSD or HDD for data
SD card
External SSD
Recovery partition
Manufacturer-specific region
Desktop PCs are even more complex:
NVMe SSD
SATA SSD
HDD
Add-on drives
Data disks carried over from an old PC
RAID configurations
If you choose Only the drive where Windows is installed during the Windows reset, data may remain on the D drive and others.
For disposal, sale, or transfer, check with:
```powershell
Get-Disk | Select-Object Number, FriendlyName, SerialNumber, Size, PartitionStyle
Get-Volume | Select-Object DriveLetter, FileSystemLabel, FileSystem, SizeRemaining, Size
```
If there are internal drives you no longer need, either include them in the Windows reset, or erase or physically destroy them individually.
The common failure is cleaning only the C drive and handing over the machine with old photos, business files, backups, and virtual machines still sitting on the D drive.
19. HDDs and SSDs Require Different Erasure Thinking
Old HDDs and SSDs differ in how to think about data erasure.
With HDDs, the notion of overwriting specific positions on magnetic platters is relatively straightforward. Tools that overwrite the entire surface have long been common.
SSDs and NVMe SSDs, by contrast, perform wear leveling and over-provisioning internally. The mapping between OS-visible logical addresses and physical cells is not fixed.
As a result, with simple overwriting it can be hard to assert that “all past data has definitely been overwritten.”
NIST SP 800-88 Rev. 2 likewise indicates that for media like SSDs, when additional assurance is needed, stronger Purge or Destroy methods should be used rather than mere overwriting.
In practice, think along these lines:
| Media | Typical handling for personal use | Handling when high assurance is needed |
|---|---|---|
| HDD | Windows reset with data cleaning, full overwrite | Dedicated erasure tools, erasure certificates, physical destruction |
| SSD / NVMe | Windows reset, confirming encryption state | Manufacturer-provided Secure Erase / Sanitize, cryptographic erase, physical destruction |
| Failed drive | Outsource if you cannot erase it yourself | Physical destruction with a destruction certificate |
| USB flash drive / SD card | Erase after reviewing contents | Destroy or process via a disposal vendor |
For SSDs, using the erasure features provided by the storage manufacturer or PC maker is sometimes the more appropriate choice.
Some models offer Secure Erase or Sanitize in the BIOS / UEFI.
But similar names do not imply identical features or guarantees across products. For highly sensitive data, prioritize your internal rules and vendors that can issue erasure certificates.
20. Cryptographic Erase with BitLocker
On encrypted storage, the data cannot be read without the encryption key.
So for a drive that was properly encrypted, there is an approach of invalidating or destroying the key to make the actual data unreadable. This is sometimes called cryptographic erase.
With BitLocker, however, caution is needed.
If the following conditions are met, pre-disposal safety is high:
BitLocker was enabled well before disposal
Encryption had completed
Not just the OS drive but the data drives were encrypted too
The recovery keys were properly managed
You understand how the TPM and recovery keys are handled
Conversely, in cases like these, relying on BitLocker alone is dangerous:
Encryption was first enabled just before disposal
It was "encrypt used disk space only"
There was a long period of unencrypted use in the past
The D drive or external disks are not encrypted
The whereabouts of the recovery key are unknown
Do not conclude “we have BitLocker, so no reset is needed.”
In practice, combine the measures:
Keep BitLocker enabled as a matter of routine
At disposal time, run the Windows reset or a dedicated erasure
For highly sensitive data, use erasure certificates or physical destruction
BitLocker is worth enabling not just for disposal, but as everyday protection against loss and theft.
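The status questions from section 9 and the conditions listed in this section can be checked per volume. The following is an added example, not code from the original article: it evaluates `Get-BitLockerVolume` output, or the constructed sample objects shown, against those points. The function name `Test-BitLockerForDisposal` and the sample volumes are assumptions.

```powershell
# Added example: evaluate each volume against the BitLocker points in this article.
# Test-BitLockerForDisposal is a hypothetical name. The function cannot tell when
# encryption was first enabled or where the recovery key is stored; those two
# conditions have to be confirmed from your own records.
function Test-BitLockerForDisposal {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Volume)

    process {
        $findings = @()

        # Encryption must be complete, not in progress, suspended or absent.
        if ("$($Volume.VolumeStatus)" -ne 'FullyEncrypted') {
            $findings += "volume status is $($Volume.VolumeStatus)"
        }
        if ([int]$Volume.EncryptionPercentage -ne 100) {
            $findings += "only $($Volume.EncryptionPercentage)% encrypted"
        }
        # Protection "Off" means the volume key is not currently protected.
        if ("$($Volume.ProtectionStatus)" -ne 'On') {
            $findings += "protection is $($Volume.ProtectionStatus)"
        }
        # A recovery password protector is what ends up in an account or on paper.
        $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        if ($types -notcontains 'RecoveryPassword') {
            $findings += 'no recovery password protector'
        }

        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            VolumeType = "$($Volume.VolumeType)"
            Result     = if ($findings) { 'Review' } else { 'Pass' }
            Findings   = $findings -join '; '
        }
    }
}

# Constructed sample data shaped like Get-BitLockerVolume output (not from a real PC).
$tpm      = [pscustomobject]@{ KeyProtectorType = 'Tpm' }
$recovery = [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
$sampleVolumes = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeType = 'OperatingSystem'
                       VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On'
                       EncryptionPercentage = 100; KeyProtector = @($tpm, $recovery) }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeType = 'Data'
                       VolumeStatus = 'FullyDecrypted'; ProtectionStatus = 'Off'
                       EncryptionPercentage = 0; KeyProtector = @() }
    [pscustomobject]@{ MountPoint = 'E:'; VolumeType = 'Data'
                       VolumeStatus = 'EncryptionInProgress'; ProtectionStatus = 'Off'
                       EncryptionPercentage = 62; KeyProtector = @($recovery) }
)

# C: passes; D: and E: are flagged for review.
$sampleVolumes | Test-BitLockerForDisposal | Format-Table -AutoSize -Wrap

# On a real PC, from an elevated PowerShell session:
# Get-BitLockerVolume | Test-BitLockerForDisposal | Format-Table -AutoSize -Wrap
```

A `Pass` here only says the volume is fully encrypted and protected right now; it does not replace the reset, dedicated erasure, or destruction step.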
21. Where cipher /w Fits
Windows has a command, cipher /w, which can overwrite unused space on an NTFS volume to make recovering deleted data harder.
Example usage:
```cmd
cipher /w:C:\
```
Per Microsoft’s documentation, cipher /w:<directory> overwrites the available unused space on the volume where that directory resides.
But do not over-rely on it as the primary pre-disposal measure.
The reasons:
It does not erase files that currently exist
It targets the volume's unused space, not just the specified folder
Other drives and hidden partitions must be considered separately
On SSDs, the guarantee of simple overwriting can be weak
It takes a long time
It does not constitute an industry-standard erasure certificate
cipher /w can be useful for “making traces of accidentally deleted files harder to read from unused space.”
But if you are disposing of the whole PC, decide first among the Windows reset, dedicated erasure, cryptographic erase, and physical destruction.
22. When to Choose Physical Destruction
Consider physical destruction of the storage in cases like:
It handled customer information or confidential information
It contained medical, financial, legal, R&D, or credential data
The PC is broken and erasure tools cannot run
You cannot verify the SSD's erasure guarantees yourself
It may circulate to third parties after disposal
Internal rules require physical destruction
Erasure or destruction certificates are required
Physical destruction options include:
Remove the storage and keep it in custody
Have a specialist vendor drill or shred it
Have a destruction certificate issued
Request on-site destruction
Smashing it yourself with a hammer or drilling holes carries the risk of injury and battery damage. Laptops in particular are dangerous if the battery is punctured.
For business use, rather than improvised destruction, commission a vendor that can issue certificates.
23. A PC That Won’t Boot Is Not Safe
It is dangerous to assume “it’s broken and won’t boot, so the data probably can’t be read.” Even if the PC itself will not boot, the storage can often be removed and read on another PC.
In particular, with failures like these, the storage itself is often still alive:
The screen shows nothing
The motherboard failed
It won't power on
The keyboard is broken
Windows won't boot
The bootloader is corrupted
When disposing of a PC that won’t boot, do one of the following:
Remove the storage and erase it in another environment
Remove the storage and physically destroy it
If BitLocker was enabled, the storage is highly likely unreadable without the recovery key even when attached to another PC. Even so, for business PCs, “it should have been encrypted” is not good enough — you want a state verifiable from records.
24. Also Tidy Up TPM, BIOS, and UEFI Settings
A Windows PC retains settings beyond the storage.
For example:
BIOS / UEFI passwords
Boot order
Secure Boot settings
TPM state
Windows Hello-related keys
Enrolled fingerprints and facial recognition data
Administrator passwords
Asset management tags
If transferring or selling the PC, remove the BIOS / UEFI passwords and, as needed, restore the firmware settings to defaults.
There is also an operation to clear the TPM.
Microsoft’s procedure describes opening Security processor troubleshooting under Device security in Windows Security and choosing Clear TPM.
But clearing the TPM should be done carefully.
The TPM relates to BitLocker and Windows Hello. If you clear the TPM before backing up the data you need, or without knowing the BitLocker recovery key, you may lose access to your own data.
Think of the order like this:
Back up the data first
Confirm where the BitLocker recovery keys are
Run the data erasure or reset
If needed for transfer or sale, tidy up the TPM and firmware settings
If you are unsure, rather than poking at the TPM in isolation, it is safer to follow the Windows reset procedure and the manufacturer’s transfer / reset instructions.
25. Don’t Forget Peripherals and External Storage
If you look only at the PC itself, you forget the external devices. Check whether anything should be disposed of together:
External HDDs
External SSDs
USB flash drives
SD cards
microSD cards
DVDs and Blu-rays
Printer memory
Scanner storage areas
NAS
USB dongles
Smart cards
SIM cards
External HDDs and USB drives in particular tend to retain old backups and personal information.
The situation to avoid is: “the PC was reset, but the bundled external HDD still held all the data.”
Peripherals like Bluetooth mice and keyboards rarely pose major information risks, but USB security keys, smart cards, and tokens containing digital certificates are a different matter. For such authentication devices, always confirm deregistration or revocation.
26. Also Check Phone Link, eSIM, and Mobile Contracts
Recent Windows PCs may be using phone integration or mobile connectivity.
Check before disposal:
Phone companion apps
Bluetooth pairings
Mobile broadband SIM cards
eSIM profiles
VPN profiles
Remote access tools
MDM agents
If a physical SIM is inserted, remove it. If using an eSIM, check with the carrier or in the PC’s settings for the deletion / cancellation procedure.
Remote access tools matter, too:
AnyDesk
TeamViewer
Chrome Remote Desktop
Remote Desktop
VPN clients
Internal remote support tools
A Windows reset usually removes them, but stale device registrations can remain on the account side. Remove the unneeded devices from the management screens of the services you used.
27. On Company PCs, “Don’t Reset on Personal Judgment”
A PC used at work should not be reset with the same casualness as a personal PC.
The reasons:
It is registered in the company asset register
There is a lease contract
It is managed by Intune or the like
The BitLocker recovery key is stored by the organization
It is registered with Windows Autopilot
Erasure certificates may be required
Audit records may be required
If a user resets Windows on their own, problems like these can occur:
Business data that was never backed up gets deleted
The link between asset numbers and physical machines is lost
Stale devices linger in Intune and Entra ID
A remaining Autopilot registration causes trouble when the device enters the used market
No erasure evidence can be retained
Lease return conditions cannot be met
For corporate PC disposal, a flow like this is generally safe:
1. The user evacuates needed data to business storage
2. The administrator confirms the asset number, serial number, and user
3. The administrator confirms the device management state
4. If needed, run Wipe or Retire in Intune
5. Clean up the Autopilot and Entra ID registrations
6. Perform the erasure or destruction
7. Retain the certificates linked to the asset register
Even in a small company, at minimum keep a record of whose PC was erased, when, and by what method.
28. How to Handle Erasure and Destruction Certificates
For business PCs, certificates can become important.
A certificate typically records information such as:
PC manufacturer
Model
Serial number
Asset number
Storage manufacturer
Storage serial number
Erasure or destruction method
Date and time performed
Performed by
Verification method
Vendor name
Certificate number
The point to remember: record not just the PC’s serial number but the storage’s serial number as well. If the storage had ever been swapped, the PC-level information alone leaves “which disk was actually erased” ambiguous.
If possible, record the following before disposal:
```powershell
Get-Disk | Select-Object Number, FriendlyName, SerialNumber, Size
Get-PhysicalDisk | Select-Object FriendlyName, SerialNumber, MediaType, Size
```
In some environments, serial numbers cannot be retrieved. In that case, compensate with multiple sources: photos, asset management numbers, the vendor’s report, and so on.
29. For Sale or Transfer, Also Consider “Usable by the Recipient”
When selling or transferring rather than scrapping, verify not just security but that the next user can actually use the machine:
Will Windows activation succeed?
Is a BIOS password left behind?
Will it demand a BitLocker recovery key?
Is it stopped at the initial setup screen?
Is it still tied to a Microsoft account?
Is it still registered with Autopilot or organizational management?
Is the AC adapter included?
If selling with the storage removed, is that clearly stated?
What causes problems most often with used PCs is organizational management registration. A PC still registered with Windows Autopilot may demand a sign-in to the original organization when the next user tries to set it up.
If releasing a company PC into the used market, the checks should extend to deregistration from Autopilot, Entra ID, and Intune.
Even when handing a personally purchased PC to family, tidy up the Microsoft account, OneDrive, Find My Device, BitLocker, and BIOS passwords.
30. Keep a Work Log
For a personal PC, a simple note is enough:
```text
2026-06-10
Prepared Surface Laptop XX for disposal
Backed up data to an external SSD
Ran Windows reset with "Remove everything" and "Clean data"
Confirmed the initial setup screen
Removed it from the Microsoft account device list
Shipped it to manufacturer collection
```
For a business PC, record a bit more detail:
Asset number
Manufacturer
Model
Serial number
User
Department
Storage information
BitLocker state
Backup verifier
Erasure method
Erasure performed by
Date and time performed
Verification result
Collection vendor
Slip number
Erasure certificate number
This looks tedious, but in a leak incident or an audit, saying “we must have done it” after the fact carries no weight. Once disposal is done, the physical machine is gone — which is exactly why the work log matters.
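The fields of the business record that the machine itself can report (manufacturer, model, serial number, storage information including the storage serial numbers from section 28, and BitLocker state) can be captured by a script before erasure. This is an added example, not part of the original article; the parameter names and the output file name are assumptions.

```powershell
# Added example (save as a .ps1; run elevated on the PC before erasure).
# $AssetNumber and $OutDir are hypothetical parameters, not from the article.
param(
    [Parameter(Mandatory)] [string] $AssetNumber,
    [string] $OutDir = '.'
)

$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$bios = Get-CimInstance -ClassName Win32_BIOS

# One entry per physical disk, so a swapped drive is still identifiable.
$disks = Get-PhysicalDisk | Select-Object FriendlyName, SerialNumber,
    @{ n = 'MediaType'; e = { "$($_.MediaType)" } },
    @{ n = 'SizeGB';    e = { [math]::Round($_.Size / 1GB, 1) } }

# Serial numbers are not retrievable on every system; count the gaps for follow-up.
$missing = @($disks | Where-Object { -not "$($_.SerialNumber)".Trim() }).Count

# Every lettered volume, so a leftover D: drive shows up in the record.
$volumes = Get-Volume | Where-Object DriveLetter | Select-Object DriveLetter, FileSystemLabel,
    @{ n = 'UsedGB'; e = { [math]::Round(($_.Size - $_.SizeRemaining) / 1GB, 1) } }

# BitLocker state only; recovery keys are deliberately not written to the file.
$bitlocker = try {
    Get-BitLockerVolume -ErrorAction Stop | Select-Object MountPoint,
        @{ n = 'VolumeStatus';     e = { "$($_.VolumeStatus)" } },
        @{ n = 'ProtectionStatus'; e = { "$($_.ProtectionStatus)" } }
} catch { "unavailable: $($_.Exception.Message)" }

$record = [ordered]@{
    AssetNumber    = $AssetNumber
    RecordedAt     = (Get-Date).ToString('s')
    Manufacturer   = $cs.Manufacturer
    Model          = $cs.Model
    SerialNumber   = $bios.SerialNumber
    Disks          = @($disks)
    SerialsMissing = $missing
    Volumes        = @($volumes)
    BitLocker      = @($bitlocker)
}

$path = Join-Path $OutDir "disposal-$AssetNumber.json"
$record | ConvertTo-Json -Depth 4 | Set-Content -Path $path -Encoding UTF8
Write-Output "Saved $path"
```

Store the resulting file with the asset register rather than on the PC being erased; the human-supplied fields (user, department, erasure method, certificate number) still have to be added by hand.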
31. Typical Failure Cases
Finally, a roundup of common failures.
Failure 1: Reset Before Backing Up
The most common failure.
Assumed an old PC held nothing important
After the reset, realized photos and documents existed only locally
Thought it was on OneDrive, but sync had failed
The countermeasure is to actually open the backup from another device and verify.
Failure 2: Left the D Drive Behind
Resetting only the C drive and leaving the D drive’s data.
C: was reset
D: still held old backups, photos, virtual machines, business data
The countermeasure is to check all drives with `Get-Disk` and `Get-Volume`.
Failure 3: Mixed Development Secrets into the Backup
Copying .aws, .ssh, .npmrc, and .env wholesale “for migration,” then leaving that backup unencrypted on an external disk.
Even if it is gone from the disposed PC, leaking from the backup destination defeats the purpose.
For secrets, separate what to migrate from what to reissue.
Failure 4: Reset a Company PC Without Authorization
A user resets it in good faith, and as a result the administrators can no longer obtain the evidence trail.
For company PCs, confirm the disposal / return / transfer procedure with the administrators.
Failure 5: Assumed a Reset Alone Erased Highly Sensitive Data
The Windows reset is convenient, but it is not an industry-standard, certified erasure.
For highly sensitive data, consider dedicated erasure, cryptographic erase, physical destruction, and certificate issuance.
32. Checklist for Personal PCs
A checklist before disposing of, selling, or transferring a personal PC:
□ Decided among disposal, sale, transfer, or reuse
□ Backed up the files you need
□ Verified the backup opens from another device
□ Confirmed there are no sync errors in OneDrive and the like
□ Migrated browser bookmarks and passwords
□ Confirmed the handling of paid apps and licenses
□ Removed external storage and SD cards
□ Checked the state of BitLocker or device encryption
□ Chose "Remove everything" in Windows
□ Enabled "Clean data"
□ Checked for multiple drives
□ Reached the initial setup screen
□ Removed the device from the Microsoft account device list
□ Kept a record of the collection, sale, or transfer
For personal use, this checklist alone prevents a great many accidents.
33. Checklist for Developer PCs
For developer PCs, also confirm:
□ No unpushed Git commits
□ Processed uncommitted changes
□ Reviewed local-only branches
□ Decided the handling of SSH private keys
□ Decided the handling of GPG keys
□ Reviewed .env files
□ Reviewed NuGet.config, .npmrc, pip.ini
□ Reviewed AWS/Azure/GCP/Kubernetes credentials
□ Reviewed Docker volumes
□ Reviewed WSL distributions
□ Decided to back up or discard local databases
□ Reviewed virtual machine disks
□ Migrated IDE settings and snippets
□ Revoked unneeded API keys and tokens
□ Verified the backup destination is encrypted
On a developer PC, the credentials can be more dangerous than the files.
We recommend cleaning out old keys and tokens while you are at it.
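Several items on the developer checklist, and the secrets named in Failure 3, can be inventoried in one pass before deciding what to migrate and what to reissue. This is an added example, not part of the original article; `$SourceRoot` is a hypothetical parameter, the credential paths are common default locations (an assumption), and `git` must be on the PATH.

```powershell
# Added example: inventory credential files and unfinished Git work before disposal.
# $SourceRoot is a hypothetical folder holding your repositories; adjust as needed.
param([string] $SourceRoot = (Join-Path $HOME 'source'))

# Credential locations from the checklist, relative to the user profile.
# These are common defaults (assumption); tools can be configured to use others.
$candidates = '.ssh', '.gnupg', 'AppData\Roaming\gnupg', '.aws', '.azure',
              '.kube\config', '.npmrc', '.docker\config.json',
              'AppData\Roaming\NuGet\NuGet.Config', 'AppData\Roaming\pip\pip.ini',
              'AppData\Roaming\gcloud'
$found = foreach ($rel in $candidates) {
    $p = Join-Path $HOME $rel
    if (Test-Path -LiteralPath $p) {
        [pscustomobject]@{ Kind = 'credential'; Path = $p; Detail = 'migrate, or revoke and reissue' }
    }
}

# Every repository under $SourceRoot: uncommitted changes, commits on no remote, stashes.
$repos = Get-ChildItem -Path $SourceRoot -Directory -Filter '.git' -Recurse -Force -ErrorAction SilentlyContinue
$git = foreach ($r in $repos) {
    $repo     = $r.Parent.FullName
    $dirty    = @(git -C $repo status --porcelain).Count
    $unpushed = @(git -C $repo log --branches --not --remotes --oneline).Count
    $stashes  = @(git -C $repo stash list).Count
    if ($dirty -or $unpushed -or $stashes) {
        [pscustomobject]@{ Kind = 'git'; Path = $repo
            Detail = "$dirty uncommitted, $unpushed unpushed commits, $stashes stashes" }
    }
    # .env files inside the working tree, wherever they sit.
    Get-ChildItem -Path $repo -File -Filter '.env*' -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Kind = 'env file'; Path = $_.FullName; Detail = 'review secrets' } }
}

@($found) + @($git) | Sort-Object Kind, Path | Format-Table -AutoSize -Wrap
```

The script only lists paths and counts; it never reads or prints the contents of a key or token file, so its output is safe to paste into a work log.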
34. Checklist for Corporate PCs
For corporate PCs, use a checklist like this:
□ Confirmed the asset number of the PC being disposed of
□ Recorded the manufacturer, model, and serial number
□ Confirmed the user and department
□ Confirmed the backup owner
□ Business data evacuated to company storage
□ Confirmed BitLocker state and where recovery keys are managed
□ Confirmed Intune / MDM management state
□ Confirmed Entra ID join state
□ Confirmed Autopilot registration state
□ Decided the erasure method
□ Decided who performs the erasure or destruction
□ Recorded the storage serial numbers
□ Obtained the erasure or destruction certificate
□ Recorded the collection vendor and slip number
□ Updated the asset register
□ Cleaned up accounts, licenses, and device registrations
Even in a small company, once PC counts grow, memory cannot manage it. Excel or a spreadsheet is fine at first — just build a mechanism that keeps disposal records.
35. Summary
What needs to happen before disposing of a Windows PC is not simply pressing the reset button.
What you need is this order:
Keep what should be kept
Unlink what should be unlinked
Erase what should be erased
Retain the evidence
First, back up the data you need and verify it restores. Next, sort out the ties to the Microsoft account, OneDrive, work accounts, development credentials, licenses, and MDM management. Then choose among Windows’ Reset this PC, dedicated erasure tools, cryptographic erase, and physical destruction.
For a personal PC, a Windows reset using Remove everything with Clean data is the realistic option.
Note, however, that Microsoft itself explains this erasure feature is consumer-grade and does not meet government or industry data erasure standards.
For SSDs, business PCs, highly sensitive data, and broken PCs, consider dedicated sanitization, erasure certificates, and physical destruction.
The key understanding in PC disposal:
Deleting files is not data erasure
A Windows reset is not omnipotent
A PC that won't boot still holds data
The real work is sorting out the storage and the accounts
A PC slated for disposal is an accumulation of past work. A slightly careful final stocktake makes it much easier to avoid both data loss and information leaks.
Before discarding a Windows PC, look not at the machine, but at the storage, the accounts, and the evidence trail.
Keep this in mind, and the judgment calls in disposal work become much harder to get wrong.
References
- Before you recycle, sell, or gift your Xbox or Windows PC - Microsoft Support
- Reset your PC - Microsoft Support
- Back up and restore with Windows Backup - Microsoft Support
- BitLocker overview - Microsoft Learn
- Device Encryption in Windows - Microsoft Support
- Find your BitLocker recovery key - Microsoft Support
- Manage devices used with your Microsoft account - Microsoft Support
- Unlink and re-link OneDrive - Microsoft Support
- Manage User Accounts in Windows - Microsoft Support
- Troubleshoot the TPM - Microsoft Learn
- Use Cipher.exe to overwrite deleted data - Microsoft Learn
- NIST SP 800-88 Rev. 2 Guidelines for Media Sanitization
- PC Recycling (Act on the Promotion of Effective Utilization of Resources) - Ministry of Economy, Trade and Industry
- About Data Erasure - PC 3R Promotion Association
- Device action: Retire - Microsoft Intune
- Device action: Wipe - Microsoft Intune
- Windows Autopilot registration overview - Microsoft Learn