Microsoft’s more secure Windows Recall feature can also be uninstalled by users

In response to security concerns, Microsoft explains how it has overhauled its controversial AI-powered Recall feature, which takes screenshots of almost everything you see or do on a computer. Recall was originally scheduled to launch with Copilot Plus PCs in June, but Microsoft has spent the last few months overhauling the security behind it to make it an opt-in experience that you can now remove from Windows entirely if you want.

“I'm really excited about how nerdy we've gotten about security architecture,” said David Weston, vice president of enterprise and operating system security at Microsoft, in an interview with The Verge. “I'm excited because I think the security community will understand how much progress we've made [into Recall].”

One of Microsoft's first big changes is that the company won't force users to use Recall if they don't want to. “There is no standard experience at all anymore – you have to choose it,” says Weston. “That’s obviously super important for people who just don’t want to do that, and we completely understand that.”

The new opt-in experience for Recall.
Image: Microsoft

A Recall uninstall option first appeared on Copilot Plus PCs earlier this month, and Microsoft said at the time that it was a bug. It turns out that you can actually uninstall Recall completely. “If you choose to uninstall, we will remove the parts from your computer,” says Weston. This includes the AI models that Microsoft uses for Recall.

Security researchers initially discovered that the Recall database, which stores snapshots taken by your computer every few seconds, was not encrypted, and that malware could have accessed the Recall feature. Everything sensitive in Recall, including the database of screenshots, is now fully encrypted. Microsoft also relies on Windows Hello to protect against malware tampering.

The encryption in Recall is now tied to the Trusted Platform Module (TPM), which Microsoft requires for Windows 11, so the keys are stored in the TPM and the only way to gain access is to authenticate via Windows Hello. Recall data is only passed to the interface if the user wants to use the feature and authenticates using their face, fingerprint or PIN.

“To even turn it on, you have to actually be present as a user,” says Weston. This means you have to use a fingerprint or your face to set up Recall before you can use PIN support. This is all intended to prevent malware from accessing Recall data in the background, as Microsoft requires proof of presence via Windows Hello.

The new Recall security architecture.
Image: Microsoft

“We moved all screenshot processing and all sensitive processes into a virtualization-based security enclave, so we actually put everything in a virtual machine,” explains Weston. This means that there is a UI app layer that does not have access to raw screenshots or the Recall database. When a Windows user wants to interact and search with Recall, the app generates the Windows Hello prompt, queries the virtual machine and returns the data to the app's memory. As soon as the user closes the Recall app, the memory contents are destroyed.

“The app outside the virtualization-based enclave runs in an anti-malware protected process that would essentially require a malicious kernel driver to access,” says Weston. Microsoft explains its Recall security model in detail, including exactly how its VBS enclave works, in a blog post today. It all looks a lot more secure than what Microsoft had planned, and there are even hints at how the company might secure Windows apps in the future.

So how did Microsoft almost manage to ship Recall without a high level of security in June? I'm still not entirely sure and Microsoft isn't revealing much. Weston confirms that Recall was reviewed as part of the company's Secure Future Initiative launched last year, but since it was a preview product there were apparently some other limitations. “The plan was always to follow Microsoft basics like encryption. But we also heard from people who were like, 'We're really worried about this,'” so the company decided to accelerate some of the additional security work it was planning for Recall so that security concerns wouldn't play a role in anyone wanting to use the feature.

“It’s not just about Recall. I think we now have one of the strongest platforms for processing sensitive data at the edge, and you can imagine we can do a lot of other things with it,” Weston suggests. “I think it made a lot of sense to bring forward some of the investments we wanted to make and then make Recall the leading platform for that.”

Changes to Recall settings include the ability to block apps from snapshots.
Image: Microsoft

Recall will also now only run on a Copilot Plus PC, preventing people from sideloading it onto Windows machines as we saw before its planned debut in June. Recall checks whether a Copilot Plus PC has BitLocker and virtualization-based security enabled, Measured Boot and System Guard Secure Launch protections, and Kernel DMA Protection.
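
An administrator can approximate the platform checks listed above from an elevated PowerShell session. This is an added example, not Microsoft's own Recall check: the function name Get-RecallPlatformPosture is hypothetical, TPM readiness and Secure Boot stand in for Measured Boot, and the DMA value is the hardware property reported by Win32_DeviceGuard rather than whatever Recall itself queries.

```powershell
# Added example: read-only audit of the protections the article says Recall requires.
# Run elevated on Windows 11; Get-BitLockerVolume and Get-Tpm need admin rights.
function Get-RecallPlatformPosture {
    # Device Guard WMI class exposes VBS state and the security services running under it
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # BitLocker protection state of the OS volume
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

    # TPM presence and readiness (Recall's keys are TPM-bound per the article)
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    # Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "off"
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBoot = $false }

    [pscustomobject]@{
        BitLockerOn           = [bool]($bl  -and $bl.ProtectionStatus -eq 'On')
        TpmReady              = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
        SecureBoot            = $secureBoot
        # 2 = VBS enabled and running (0 = off, 1 = enabled but not running)
        VbsRunning            = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        # 3 = System Guard Secure Launch in SecurityServicesRunning
        SecureLaunchRunning   = ($dg.SecurityServicesRunning -contains 3)
        # 3 = DMA protection in AvailableSecurityProperties (hardware capability)
        DmaProtectionAvailable = ($dg.AvailableSecurityProperties -contains 3)
    }
}

$posture = Get-RecallPlatformPosture
$posture | Format-List

# List every control that is not satisfied so gaps are obvious in fleet output
$failed = $posture.PSObject.Properties |
          Where-Object { -not $_.Value } |
          ForEach-Object Name
if ($failed) { Write-Warning "Not satisfied: $($failed -join ', ')" }
```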

Microsoft has also conducted a series of reviews of Recall's improved security. The Microsoft Offensive Research Security Engineering (MORSE) team “conducted months of design reviews and penetration testing for Recall,” and a third-party security provider was hired “to conduct an independent security design review” and testing.

Now that Microsoft has had more time to work on Recall, there are some additional settings changes to allow even more control over how the AI-powered tool works. You can now filter out specific apps from Recall while blocking a custom list of websites from appearing in the database. Sensitive content filtering, which allows Recall to filter out things like passwords and credit cards, also blocks health and financial websites from being stored. Microsoft is also adding the ability to delete a time period, all content of an app or website, or everything stored in Recall's database.

Microsoft says it remains on track to preview Recall with Windows Insiders on Copilot Plus PCs in October, meaning Recall will not ship on these new laptops and PCs until it has been tested further by the Windows community.
