Microsoft Details How it Made Windows 11’s Recall Feature More Secure

Windows Recall at Build 2024

Recall was supposed to be the big new AI feature on Copilot+ PCs, helping users find specific information on their PC using a new timeline feature or a more straightforward search box. Unfortunately for Microsoft, Recall wasn’t fully baked for the first Copilot+ PCs that launched in June, as security researchers found that local Recall databases were not encrypted.

Microsoft quickly apologized, disabled the feature and promised to bring back Recall later this year. Today, the company finally detailed the changes it made to make Recall more secure before the public testing starts next month with Windows Insiders on Copilot+ PCs.

First of all, Recall will be off by default on all Copilot+ PCs, and users will need to opt in to enable it. To improve security, enabling Recall will require users to use Windows Hello to confirm their identity.

The Recall Out-of-Box-Experience page

Recall snapshots are still stored locally, but they will now be encrypted and isolated in a VBS enclave. “The encryption keys are protected via the Trusted Platform Module (TPM), tied to a user’s Windows Hello Enhanced Sign-in Security identity, and can only be used by operations within a secure environment called a Virtualization-based Security Enclave,” explained David Weston, Vice President Enterprise and OS Security at Microsoft. “This means that other users cannot access these keys and thus cannot decrypt this information.”

Microsoft also added sensitive information filters, which will be on by default to exclude highly confidential data from snapshots, including credit card details, personal identification numbers, passwords, and financial or health information. With these new filters, users will also be able to add or remove apps and websites to filter out of their snapshots. By default, all private browsing activity in supported browsers will also be automatically filtered.

Users will also be able to delete all local snapshots or only those within a specific time range. Last but not least, Microsoft will also make it possible to uninstall Recall completely via the optional features settings in Windows.

Overall, it looks like Microsoft listened to the criticism, and the fact that Recall will be off by default on Copilot+ PCs and uninstallable is a good thing. For people interested in Recall, the strong encryption for snapshots and sensitivity filters are also welcome additions. It probably won’t be enough to make Recall a killer feature on Copilot+ PCs, but the new AI capability should no longer be a source of concern for Windows 11 users.
