Microsoft is detailing how it's overhauling its controversial AI-powered Recall feature in response to security concerns. Recall was originally supposed to debut with Copilot Plus PCs in June, but Microsoft has redesigned the security behind it over the past few months, making it an optional experience that can now be removed from Windows entirely if you choose.

"I'm actually very excited about our security architecture efforts because I think the security community is going to understand how much work we've advanced in [Recall]," said David Weston, Microsoft's vice president of enterprise and operating system security.

Microsoft's first big change is that the company won't force users to use Recall if they don't want to. "There will no longer be a launch experience at all by default - you have to opt in. That's obviously super important for people who don't want to do that, and we totally understand that," Weston said.


Brand new Recall optional experience

The Recall uninstall option first appeared on Copilot Plus PCs earlier this month, which Microsoft said at the time was a bug. It turns out that you can indeed uninstall Recall completely. "If you choose to uninstall, we will remove the relevant content from your machine. This includes the artificial intelligence model Microsoft uses to power Recall," Weston said.

Security researchers initially discovered that the Recall database, which stores computer snapshots taken every few seconds, was not encrypted, making it possible for malware to access the Recall functionality. All sensitive Recall content, including the screenshot database, is now fully encrypted. Microsoft also relies on Windows Hello to prevent malware tampering.

Encryption in Recall is now tied to the Trusted Platform Module (TPM) required by Windows 11, so the keys are stored in the TPM and the only way to access them is to authenticate via Windows Hello. Recall data is only passed to the user interface when the user wants to use the feature and authenticates via face, fingerprint or PIN.

"To turn this feature on, the user actually has to be present," Weston said. "That means you have to use your fingerprint or face to set up Recall before using PIN support. This is all to prevent malware from accessing Recall data in the background because Microsoft requires proof of the user's presence via Windows Hello."


New Recall security architecture.

"We moved all the screenshot processing, all the sensitive processes, into a secure enclave based on virtualization, so we actually put it all in the virtual machine. That means the user interface application layer doesn't have access to the raw screenshots or the Recall database, but when a Windows user wants to interact with Recall and do a search, it goes into the Windows Hello prompt, querying the virtual machine and returning the data to the application memory. Once the user closes the Recall application, the contents of the memory are destroyed. Applications outside the virtualization-based enclave run in an anti-malware protected process and essentially require a malicious kernel driver to access it."

Microsoft detailed its Recall security model and how the VBS enclave works in today's blog post. It all looks much more secure than what Microsoft had planned to roll out, and even hints at how the company might secure Windows apps in the future.

So, how did Microsoft almost release Recall in June despite low security? Weston confirmed that Recall was under review as part of the company's Secure Future Initiative launched last year, but as a preview product it apparently came with some different restrictions. "Our plan has always been to follow Microsoft's fundamental principles, like encryption. But we've also heard people say, 'We're really worried about this issue.' So the company decided to fast-track some of the additional security work planned for Recall so that security concerns don't become a factor in whether people want to use the feature."

Weston hinted: "It's not just about Recall, in my opinion, we now have one of the most powerful platforms for sensitive data processing at the edge, and you can imagine there are a lot of other things we can do with it. I think it makes a lot of sense to move forward with some of the investments we're going to make and then make Recall the premier platform for this."


Some changes to the Recall settings include the ability to block apps from snapshots.

Recall will also now only run on Copilot Plus PCs, preventing people from sideloading it onto Windows machines as we saw ahead of its planned launch in June. Recall will verify that a Copilot Plus PC has BitLocker, virtualization-based security, measured boot and System Guard secure boot protection, and kernel DMA protection enabled.

Microsoft has also conducted multiple reviews of the upgraded Recall security. The Microsoft Offensive Research Security Engineering (MORSE) team "conducted several months of design review and penetration testing of Recall," and a third-party security vendor also "engaged in independent security design review" and testing.

Now that Microsoft has had more time to develop Recall, it has made some additional changes to the settings to provide more control over how the AI tool works. You can now filter out specific applications from Recall and also prevent websites from a custom list from appearing in the database. Sensitive content filtering allows Recall to filter out things like passwords and credit cards, and can also block the storage of health and financial websites. Microsoft has also added the ability to delete a time range, all content from an app or website, or all content stored in the Recall database.

Microsoft says it's still on track to preview Recall with Windows Insiders on Copilot Plus PCs in October, which means Recall won't be available on those new laptops and PCs until the Windows community tests it further.