Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Artificial Intelligence

Controversial Windows Recall AI Search Tool Returns With Proof-of-Presence Encryption, Data Isolation

Microsoft reboots controversial Windows Recall with proof-of-presence encryption, anti-tampering checks, and secure enclave data management.

Microsoft Copilot Risks

Three months after pulling previews of the controversial Windows Recall feature due to public backlash, Microsoft says it has completely overhauled the security architecture with proof-of-presence encryption, anti-tampering and DLP checks, and screenshot data managed in secure enclaves outside the main operating system.

The feature, which uses artificial intelligence to create a searchable digital memory of everything ever done on a Windows computer, will also be turned off by default and fitted with tools to delete it forever from the Windows operating system.

The Windows Recall security makeover is meant to quell fears that the technology is a major security and privacy risk because it takes snapshots of a user’s Windows screen every five seconds and stores it locally for AI-powered semantics search.

In an interview with SecurityWeek, Microsoft vice president David Weston said the company’s engineers rewrote the security model of Windows Recall to reduce attack surface on Copilot+ PCs and minimize the risk of malware attackers targeting the screenshot data store.

“We’ve never built anything on the client side this significant,” Weston said of the security and privacy models, security architecture, and technical controls implemented in the new-look Windows Recall. “It’s now fully encrypted, and tied to the user’s physical presence.”

Weston said Recall will now be an “opt-in experience” during setup. “If a user doesn’t proactively choose to turn it on, it will be off, and snapshots will not be taken or saved,” he explained, noting that Windows users can remove the feature entirely.

“You can remove it completely, never be turned on in future,” Weston said. 

Under the hood, the Microsoft VP said snapshots and any associated information in the vector database are always encrypted with keys that are protected by the TPM (Trusted Platform Module), tied to a user’s Windows Hello Enhanced-Sign-in Security identity.

Advertisement. Scroll to continue reading.

“You have to have proof-of-presence to turn it on,” Weston said. 

He said Recall’s services that handle snapshots and sensitive data will now operate within secure Virtualization-Based Security (VBS) enclaves, ensuring that no information leaves the enclave unless actively requested by the user. 

Windows Recall Security Architecture

The revamped Windows Recall security architecture. Source: Microsoft.

Access to Recall’s settings or user interface is controlled by Windows Hello Enhanced Sign-in Security, and actions like changing settings or accessing data require user presence verification via camera or fingerprint sensor.

Weston argues that this design protects against malware and unauthorized access through rate-limiting, anti-hammering measures, and PIN fallback mechanisms. Sensitive data, including screenshots and extracted text, is encrypted and isolated so that even a system administrator cannot access it. 

The system leverages a just-in-time authorization model — similar to password managers — where access is granted temporarily, and all data is removed from memory when the session ends or times out.

Weston said Windows Recall is designed to never save data from in-private browsing sessions and users will have tools to filter out specific apps or websites viewed in supported browsers. Additionally, users can determine how long Recall retains data and limit the amount of disk space allocated to snapshots.

Weston said DLP technology from the Microsoft Purview enterprise product is running in the background to proactively block private information like passwords, national ID numbers, and credit card data from being stored in Recall. 

If users find content in Recall that they didn’t intend to save, Weston said they can easily delete data from a specific time range, remove content from individual apps or websites, or clear all stored information. A system tray icon provides real-time visibility into when snapshots are being saved and allows users to pause the feature at any time.

Related: Microsoft’s Windows Recall: Cutting-Edge Search Tech or Creepy Overreach?

Related: Researchers Show How Malware Could Steal Windows Recall Data

Related: Microsoft Bows to Pressure, Disables Controversial Windows Recall by Default

Related: Microsoft Overhauls Cybersecurity Strategy After Scathing CSRB Report

Related: Microsoft’s Security Chickens Have Come Home to Roost 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

Omkhar Arasaratnam, former GM at OpenSSF, is LinkedIn's first Distinguised Security Engineer

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.