Employee Offboarding Checklist: How to Wipe and Redeploy a Returned Laptop
A practical small-business checklist for offboarding a departing employee and safely wiping, reimaging, and redeploying their returned laptop.
When an employee leaves, the laptop they hand back is a small bag of risk. It has their email cached, browser passwords saved, possibly company data synced to the local disk, and likely a BitLocker recovery key that nobody wrote down. The window between “employee is leaving” and “laptop is wiped and ready for the next hire” is when small businesses lose data, miss license recovery, and accidentally let former staff keep access to systems for weeks.
Here is a checklist that covers the technical and process steps without requiring an enterprise IT department to run it.
Before the Last Day: Coordinate, Do Not Improvise
Most offboarding mistakes come from rushing on the final day. If you know the date in advance, do the planning work now.
- Confirm the last working date with HR or the manager in writing
- List every system the employee has access to (email, shared drives, payroll, CRM, password manager, VPN, hardware tokens, code repos, billing portals, SaaS apps, social media accounts)
- Identify any company-owned data on personal devices (BYOD phone with the work email app, home computer with a Dropbox sync)
- Decide whether email and Slack history should be preserved, forwarded, or archived
- Schedule the device pickup so the laptop arrives back the same day access is revoked
The list of systems is the part that always grows. Make it a living document — every time you onboard someone, add the access they got to the offboarding checklist template.
On the Last Day: Sequence Matters
Access removal has a correct order. Cutting email before backing it up loses messages. Wiping the laptop before you have pulled the files and the recovery key off it destroys data you may still need: the wipe itself does not brick the machine, but once the encrypted volume is gone nothing on it comes back.
A good sequence:
- Back up what you need to keep — email mailbox export, files from personal OneDrive or Google Drive folders, any local-only files on the laptop
- Transfer ownership of shared documents, calendar events, and SaaS objects the employee owned
- Revoke active sessions in Microsoft 365 or Google Workspace (invalidates refresh tokens and signs the user out everywhere). Do this after blocking sign-in and resetting the password, otherwise they can simply sign back in, and expect already-issued access tokens to keep working until they expire, typically within an hour
- Disable accounts rather than delete (you may need to read mail or shared files for weeks after)
- Remove from SaaS apps that bill per seat
- Collect hardware (laptop, phone, hardware MFA token, badge, monitor, dock)
- Wipe and redeploy the laptop only after you have what you need from it
Disable first, delete later. Disabling does not by itself stop the seat charge: in Microsoft 365 convert the mailbox to a shared mailbox (free under 50 GB) before removing the license, and in Google Workspace a suspended user is still billed until the account is deleted or its license is removed. Either way, keep the mail readable for a while. A deleted mailbox is only recoverable for a limited window (30 days by default in Microsoft 365), and you will be glad you can read it when someone asks where the contract draft went.
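The last-day sequence above for a Microsoft 365 tenant, as an added worked example (this script is not part of the original article). It runs from an admin workstation with the Microsoft.Graph and ExchangeOnlineManagement modules installed, by an account holding the User Administrator, Password Administrator and Exchange Administrator roles (an assumption), and it also covers the hardware-token unregistration discussed at the end of the article. The user and manager addresses are placeholders.

```powershell
# Added example, not the article's own script. Assumptions: Microsoft.Graph SDK 2.x and
# ExchangeOnlineManagement installed; the signed-in admin has the roles named in the lead-in.
param(
    [string]$User    = 'jdoe@example.com',     # departing employee (placeholder)
    [string]$Manager = 'manager@example.com'   # person who will read the old mailbox (placeholder)
)
$ErrorActionPreference = 'Stop'
Connect-MgGraph -Scopes 'User.ReadWrite.All','Directory.ReadWrite.All',
                        'Directory.AccessAsUser.All','UserAuthenticationMethod.ReadWrite.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. Block sign-in, rotate the password, then revoke sessions, in that order.
#    Revoking alone is not enough: with the old password the user just signs back in,
#    and access tokens already issued stay valid until they expire (up to about an hour).
Update-MgUser -UserId $User -AccountEnabled:$false
$throwaway = [guid]::NewGuid().ToString() + 'Aa1!'   # never communicated to anyone
Update-MgUser -UserId $User -PasswordProfile @{ Password = $throwaway; ForceChangePasswordNextSignIn = $true }
Revoke-MgUserSignInSession -UserId $User | Out-Null

# 2. Unregister hardware security keys. A collected (or lost) key that is still
#    registered can still authenticate; collecting the token is not revocation.
Get-MgUserAuthenticationFido2Method -UserId $User | ForEach-Object {
    Write-Host "Removing FIDO2 key: $($_.DisplayName)"
    Remove-MgUserAuthenticationFido2Method -UserId $User -Fido2AuthenticationMethodId $_.Id
}

# 3. Keep the mail readable without paying for a seat: convert to a shared mailbox
#    (free under 50 GB), give the manager access, then remove every license.
Set-Mailbox -Identity $User -Type Shared
Add-MailboxPermission -Identity $User -User $Manager -AccessRights FullAccess -AutoMapping $false | Out-Null
$skus = @((Get-MgUserLicenseDetail -UserId $User).SkuId)
if ($skus.Count -gt 0) {
    Set-MgUserLicense -UserId $User -RemoveLicenses $skus -AddLicenses @() | Out-Null
}

# 4. List the devices registered to the user: what to collect, and which BitLocker
#    keys to pull from the tenant before anything is wiped.
Get-MgUserRegisteredDevice -UserId $User | ForEach-Object {
    Get-MgDevice -DeviceId $_.Id |
        Select-Object DisplayName, DeviceId, OperatingSystem, ApproximateLastSignInDateTime
}
```

Keep the account itself disabled rather than deleting it; the shared mailbox and the device list above both hang off the user object, and deleting it starts the retention clock.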
Securing the Returned Laptop
Once you have the device in hand, keep it off the business network. Do not let it rejoin the office Wi-Fi or the VPN before it is wiped; a machine that still holds cached credentials and synced data has no business back on the LAN. If you must power it on to retrieve locally-stored data, do it offline or on an isolated guest network, sign in with an administrator account rather than the departing user's, and stay on only as long as the copy takes.
Retrieve the BitLocker (or FileVault) Recovery Key
If the laptop is encrypted, and it should be, you must have the recovery key before you wipe. Without it, a Windows install that will not boot (or a wipe that fails partway) locks you out of the data on the drive for good; the hardware can still be reimaged, but nothing on the old volume is coming back.
For Windows with BitLocker, the key is stored in one of these places depending on how it was set up:
- The user’s Microsoft account (recoverable at account.microsoft.com/devices/recoverykey)
- Your Microsoft Entra (Azure AD) tenant if the device is Entra-joined, or your on-premises Active Directory if the device is domain-joined and Group Policy escrows recovery information there
- A printed sheet in the original onboarding folder (rare)
For macOS with FileVault, the key was either saved to the user’s iCloud account or to a local recovery key the admin recorded.
If the device is part of an MDM solution like Intune, Kandji, or Jamf, the recovery key is in the admin console. Pull it before you start.
Pull the Local Files
Sign in as a local administrator (on an Entra-joined device that means a local admin account or an account holding a device administrator role, not the departing user) and copy anything not already in the cloud: desktop files, the user’s Downloads folder, anything in Documents not synced to OneDrive or Google Drive. If no admin account works, you are back to needing the recovery key to unlock the drive from another machine. Browser bookmarks and saved passwords are usually not worth keeping (they were the user’s, not the company’s), but check whether any business credentials live only in the browser; move those into the company password manager and rotate them rather than copying the browser profile.
Compress the copied folder, label it with the user’s name and offboarding date, and put it on your secure archive. Most small businesses set a 90-day retention on this before deletion.
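The two pre-wipe steps (capture the recovery key, then archive the local-only files) as an added worked example run on the returned laptop itself; this is not the article's own script. It assumes Windows 10/11 with the built-in BitLocker PowerShell module, that you are signed in as a local administrator, and that the profile folder name and archive path shown are placeholders for your own.

```powershell
# Added example, not the article's own script. Run elevated on the returned laptop.
# Assumptions: BitLocker module present; $ArchiveRoot is a secure archive location.
param(
    [string]$DepartingUser = 'jdoe',            # profile folder under C:\Users (placeholder)
    [string]$ArchiveRoot   = 'D:\Offboarding',  # secure archive drive or share (placeholder)
    [int]$RetentionDays    = 90
)
$ErrorActionPreference = 'Stop'
$stamp = Get-Date -Format 'yyyy-MM-dd'
$dest  = Join-Path $ArchiveRoot "$DepartingUser-$stamp"
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# 1. Record every BitLocker recovery password and escrow it to Entra ID before touching the disk.
#    The key file is written beside the archive, not inside it, so it can go to the password
#    vault separately from the data.
$keyFile = Join-Path $ArchiveRoot "$DepartingUser-$stamp-bitlocker-keys.txt"
foreach ($vol in Get-BitLockerVolume) {
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | ForEach-Object {
        "{0} {1} {2}" -f $vol.MountPoint, $_.KeyProtectorId, $_.RecoveryPassword | Add-Content -Path $keyFile
        try {
            # Escrow to the tenant so the key survives even if the text file is lost.
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        } catch {
            Write-Warning "Could not escrow key for $($vol.MountPoint) (device not Entra-joined?): $_"
        }
    }
}

# 2. Copy the profile folders that are not already in the cloud. Folders redirected by
#    OneDrive Known Folder Move are not under these paths, so nothing cloud-synced is duplicated.
$profileDir = Join-Path $env:SystemDrive "Users\$DepartingUser"
foreach ($f in 'Desktop', 'Documents', 'Downloads', 'Pictures') {
    $src = Join-Path $profileDir $f
    if (Test-Path $src) {
        robocopy $src (Join-Path $dest $f) /E /COPY:DAT /R:1 /W:1 /NP /LOG+:(Join-Path $dest 'copy.log') | Out-Null
        if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported failures copying $src; check copy.log" }
    }
}

# 3. Compress, hash, and label. The hash lets you prove later that the archive is what you stored.
$zip = "$dest.zip"
Compress-Archive -Path (Join-Path $dest '*') -DestinationPath $zip -CompressionLevel Optimal
$hash = (Get-FileHash -Path $zip -Algorithm SHA256).Hash
"$hash  $(Split-Path $zip -Leaf)" | Set-Content -Path "$zip.sha256"
Remove-Item -Recurse -Force $dest
Write-Host "Archive : $zip"
Write-Host "SHA-256 : $hash"
Write-Host "Keys    : $keyFile  (move to the IT password vault, then delete this copy)"
Write-Host "Delete after: $((Get-Date).AddDays($RetentionDays).ToString('yyyy-MM-dd'))"
```

If the device is also in Intune, the escrowed key shows up under the device's Recovery keys in the admin console; check that it is there before you start the wipe, and treat the local text file as the fallback, not the record.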
Wiping the Laptop Properly
You have three reasonable choices for wiping a returned laptop. Pick based on what comes next.
Option 1: Reset Windows (Cloud Download)
For a laptop that is going back to the same business with the same OS and software stack:
- Go to Settings → System → Recovery → Reset this PC → Remove everything → Cloud download
- Choose “Clean data” (under Change settings) if the device is leaving the business or the drive was not encrypted: this overwrites the drive instead of just removing the file index, at the cost of several extra hours on a large disk
- Let it run; the laptop will reinstall Windows from Microsoft’s image and remove all user accounts
Cloud download pulls a fresh image from Microsoft instead of using the local recovery partition, so you avoid inheriting any corruption from the old install. It needs a working internet connection and downloads several gigabytes. Allow 60–90 minutes including post-install updates without the clean-data option; with it, plan for the better part of a day.
Option 2: Full Reimage From USB
For a laptop that is going to a new role with different software, or where you want a guaranteed-clean baseline:
- Boot from a Windows install USB built with Microsoft’s Media Creation Tool
- Delete every partition on the system drive during setup. This is the wipe, but note what it does: it removes the partition table, not the bytes. On a BitLocker-encrypted drive the old data is unreadable without the recovery key you control, so that is sufficient; if the drive was not encrypted, press Shift+F10 in Setup and run diskpart with `clean all` on the disk first so the whole drive is actually overwritten
- Install Windows fresh
- Drop your standard software image, MDM enrollment profile, and OEM drivers on top
This is slower but bulletproof. It also returns the device to the out-of-box first-run experience, which is what you want if you assign the next user via Autopilot. The Mac equivalent is Erase All Content and Settings, which returns the device to Setup Assistant for Apple Business Manager enrollment.
Option 3: Drive Replacement and Physical Destruction
For a laptop that handled highly sensitive data (financial records, regulated PII, customer payment information):
- Remove the NVMe or SATA drive
- Replace with a new drive
- Physically destroy the old one (drill press, certified shredder, or paid destruction service that returns a certificate)
Software wipes on modern NVMe drives are generally fine, and resetting a BitLocker- or FileVault-encrypted drive is effectively a cryptographic erase: once the volume key is destroyed the data is unreadable. In regulated industries, though, the audit trail of physical destruction is what auditors actually want.
Redeployment Checklist
Before the next user sees the device:
- Latest Windows or macOS feature update applied
- All firmware and OEM driver updates installed
- BIOS / UEFI admin password set (and recorded in the IT password vault)
- Secure Boot enabled, TPM 2.0 active
- Disk encryption enabled, recovery key escrowed to your MDM or admin Microsoft account
- Antivirus / EDR agent installed and showing healthy in the console
- MDM enrollment confirmed
- New user account created with least-privilege role
- Local admin account renamed and password rotated (or, where your tenant supports it, managed by Windows LAPS so each device gets its own rotated password)
- Asset tag updated in your inventory with new assignee, deployment date, and condition notes
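A script that checks the technical items on this list before handover, as an added worked example (not the article's own). It runs elevated on the freshly imaged Windows laptop; the expected local-admin name and the incoming user's account name are placeholders, and the antivirus check assumes Microsoft Defender (swap in your EDR vendor's status command if you use something else).

```powershell
# Added example, not the article's own script. Run elevated on the redeployed laptop.
# Assumptions: Windows 10/11, Microsoft Defender, built-in admin renamed to $ExpectedLocalAdmin.
param(
    [string]$ExpectedLocalAdmin = 'laptopadmin',   # renamed built-in administrator (placeholder)
    [string]$NewUser            = 'asmith'         # incoming employee's account name (placeholder)
)
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# OS build, for the asset record (informational; compare against your current baseline)
$build = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Add-Check 'Windows version recorded' $true "$($build.ProductName) $($build.DisplayVersion) build $($build.CurrentBuild)"

# Secure Boot and TPM 2.0. Confirm-SecureBootUEFI throws on legacy BIOS; treat that as a fail.
$sb = try { Confirm-SecureBootUEFI } catch { $false }
Add-Check 'Secure Boot enabled' $sb ''
$tpm  = Get-Tpm
$spec = (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm).SpecVersion
Add-Check 'TPM 2.0 present and ready' ($tpm.TpmPresent -and $tpm.TpmReady -and $spec -like '2.0*') "SpecVersion=$spec"

# Disk encryption on, with a recovery-password protector (the thing you escrow)
$os    = Get-BitLockerVolume -MountPoint $env:SystemDrive
$hasRp = [bool]($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
Add-Check 'BitLocker on with recovery password' ($os.ProtectionStatus -eq 'On' -and $hasRp) "ProtectionStatus=$($os.ProtectionStatus)"

# AV actually running and current, not just installed
$mp = Get-MpComputerStatus
Add-Check 'Defender real-time protection on, signatures under 2 days old' `
    ($mp.RealTimeProtectionEnabled -and $mp.AntivirusSignatureAge -lt 2) "SignatureAge=$($mp.AntivirusSignatureAge)d"

# MDM enrollment: dsregcmd prints an MdmUrl line only when the device is enrolled
$m   = dsregcmd /status | Select-String -Pattern 'MdmUrl\s*:\s*(\S+)' | Select-Object -First 1
$mdm = if ($m) { $m.Matches[0].Groups[1].Value } else { '' }
Add-Check 'MDM enrolled' ([bool]$mdm) "MdmUrl=$mdm"

# Built-in administrator (RID 500) renamed and rotated; new user is not a local admin
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
Add-Check 'Built-in admin renamed' ($builtin.Name -eq $ExpectedLocalAdmin) "Name=$($builtin.Name)"
Add-Check 'Built-in admin password rotated in last 24h' ($builtin.PasswordLastSet -gt (Get-Date).AddDays(-1)) "PasswordLastSet=$($builtin.PasswordLastSet)"
$admins = @((Get-LocalGroupMember -Group 'Administrators').Name)
Add-Check "New user '$NewUser' is not a local admin" (-not ($admins -match "\\$NewUser$")) ($admins -join ', ')

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { Write-Warning 'Baseline not met; do not hand this device over.' }
```

Firmware and OEM driver currency is the one item this cannot check generically; use the vendor's update tool for that and record the versions in the asset entry along with the script's output.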
The last item is the one that quietly saves you. An IT asset inventory that gets updated every time a laptop changes hands is the single most useful document a small business IT function maintains. It pays back the small effort the first time you have to answer a security questionnaire, plan a hardware refresh, or trace down where a particular laptop ended up.
What to Do With What You Cannot Wipe
A few items deserve special handling. Hardware MFA tokens (YubiKey, Titan Key) should be unregistered from the user’s account, not just collected: anyone holding a still-registered key can still authenticate, and the PIN on the key is a speed bump, not a revocation. The SIM in a mobile-broadband laptop should be pulled and the line reassigned or cancelled with the carrier before redeployment. Per-user licensed dongles and seats (CAD software, AutoCAD, some accounting tools) need to be returned to their license pool in the vendor portal, not just unplugged.
Run the checklist top to bottom. The cost is an hour or two per offboarding. The cost of skipping it shows up months later, when the former employee’s still-valid SaaS login appears in an audit log, or when their old laptop turns up in a closet with a customer database on it.