Point-in-time restore for Windows is generally available

🚨 The Signal: Windows Point-in-time restore, a local recovery feature, is now generally available. It allows rolling back devices to a previous state, storing OS, app, and configuration data locally. This can aid recovery from system issues but introduces local data exposure risks.

The Impact

Managed Windows 11 devices are affected, with a security risk of local data exposure and potential circumvention of data sanitisation policies.

  • Security Teams: Risk of sensitive data persistence on local drives after user deletion.
  • IT Admins: Need to manage policy for enabling/disabling and configuring restore points.
  • End Users: Can restore systems, potentially recovering sensitive data thought to be deleted.
  • Incident Responders: Local restore points may complicate forensic analysis and data sanitisation.

The Action

  1. Review existing data retention and sanitisation policies for local device data.
  2. Evaluate the security implications of enabling Point-in-time restore on managed devices.
  3. Configure Point-in-time restore via Group Policy or Intune (when available) to align with organisational policy.
  4. Communicate to users the implications of local restore points on data privacy and recovery.

Domain: Intune · Impact: medium · Workload: Intune