The condemnation of Microsoft’s Recall feature for Copilot+ AI PCs was swift and damning. While it’s meant to let you find everything you’ve ever done on your computer, it also involves taking constant screenshots of your computer, and critics noted that the information was not stored securely. Microsoft delayed its launch for Windows Insider beta testers and announced more stringent security measures in June: Recall will be opt-in by default; it will require Windows Hello biometric authentication; and the screenshot database will be encrypted.
Today, ahead of the expected launch of the next big Windows 11 release in November, Microsoft provided more details about Recall’s security and privacy measures. Recall snapshots and associated data will be protected by VBS Enclaves, which the company describes as “a software-based trusted execution environment (TEE) within a host application”. Users will have to actively enable Recall during Windows installation, and they can also remove the feature entirely. Microsoft also reiterated that encryption will be a core part of the entire Recall experience, and that Windows Hello will be used to interact with all aspects of the feature, including changing settings.
“Recall also protects against malware with speed-limiting and anti-hammer measures,” David Weston, vice president of OS and enterprise security at Microsoft, wrote in a blog post today. “Recall currently only supports PIN as a backup method after configuring Recall, and this is to prevent data loss if the secure sensor is damaged.”
As for privacy controls, Weston reiterates that “you’re always in control.” By default, Recall will not save private browsing data on supported browsers such as Edge, Chrome, and Firefox. The feature will also have sensitive content filtering by default to prevent things like passwords and credit card numbers from being saved.
Microsoft says that Recall was also reviewed by an unnamed third-party vendor, which performed penetration testing and a security design review. The Microsoft Offensive Research and Security Engineering (MORSE) team has also been testing the feature for months.
Given the near-instant backlash, it’s not too surprising to see Microsoft take extra caution with the latest release of Recall. The real question is how the company didn’t anticipate the initial criticisms, which included that the Recall database could be easily accessed from other local accounts. Thanks to encryption and the use of additional security, this shouldn’t be a problem anymore, but it makes me wonder what else Microsoft missed early on.