Windows Recall Security: Enterprise CISO Guide 2026

BeyondScale Team, AI Security Team

Windows Recall enterprise security is the most urgent endpoint AI governance question for CISOs managing Copilot+ PC fleet rollouts in 2026. Microsoft has positioned Copilot+ PCs as the new enterprise standard, with NPU-equipped hardware from Qualcomm, AMD, and Intel now shipping across every major OEM. Recall, the AI feature that captures full-screen snapshots every few seconds and builds a searchable timeline of everything a user has seen, sits at the center of a genuine security debate. This guide covers the real threat model, the specific attack path researchers have demonstrated, the MDM controls that matter, and a 12-point hardening checklist your team can apply before fleet rollout.

Key Takeaways

    • Microsoft disables Recall on managed enterprise devices by default. You still need to verify and enforce this explicitly in your Intune policy baseline.
    • The VBS Enclave protecting Recall's SQLite database is cryptographically strong. The weak link is AIXHost.exe, the rendering process that receives decrypted data outside the enclave boundary.
    • Security researcher Alexander Hagenah's TotalRecall Reloaded (April 2026) demonstrated full Recall data extraction including passwords, banking sessions, and six months of Slack conversations, all from a standard user account with no special privileges.
    • Microsoft classified the AIXHost.exe interception path as "working as designed," meaning no CVE will be assigned and no patch is coming.
    • Two Intune policy CSP settings cover Recall governance: AllowRecallEnablement (removes the feature) and DisableAIDataAnalysis (stops snapshot collection).
    • Copilot+ PCs ship five distinct AI features beyond Recall. Each has its own governance surface: Click-to-Do, Live Captions, Cocreator, Windows Studio Effects, and the Copilot sidebar.
    • A structured hardening checklist applied before fleet rollout eliminates the most critical risks without blocking business value for use cases where Recall is appropriate.

What Copilot+ PC Is and Why It Matters for Security Teams

Copilot+ PC is Microsoft's hardware certification for devices equipped with a Neural Processing Unit (NPU) capable of at least 40 TOPS (Tera Operations Per Second). As of mid-2026, qualifying hardware includes Qualcomm Snapdragon X series, AMD Ryzen AI 300 series, and Intel Core Ultra 200V series processors. The certification enables a suite of on-device AI features that run locally without cloud round-trips.

The security distinction from previous generations is significant. These AI features process content directly on the endpoint: screen captures, audio streams, and camera input. The data does not leave the device for model inference. This is architecturally different from cloud AI features like Microsoft 365 Copilot, which sends data to Azure OpenAI endpoints. Local processing keeps data on-device, but it also means the attack surface is entirely on the endpoint, where existing malware and insider access apply.

CISOs managing Copilot+ PC fleet rollouts face five AI features that require governance decisions:

  • Recall: Captures full-screen snapshots every few seconds, runs OCR, and builds a semantic search index of everything the user has seen.
  • Click-to-Do: Analyzes current screen content and suggests contextual actions, such as copying text, translating, or summarizing visible content.
  • Live Captions: Transcribes audio in real time using on-device speech recognition, including audio from calls and media.
  • Cocreator: Generative image creation integrated into Paint, using on-device diffusion models.
  • Windows Studio Effects: AI processing of webcam and microphone input for background blur, eye contact correction, and noise suppression.

Each feature processes sensitive content. Recall is the highest-risk feature. The sections below focus on Recall's threat model, but the governance framework applies to all five.

    Windows Recall Technical Architecture: What Gets Captured

    Recall captures snapshots of the active display at intervals determined by significant visual changes, typically every few seconds during active use. The captures cover every visible application: web browsers, email clients, document editors, terminals, messaging apps, and video calls. There is no application-aware selective capture in the default configuration; Recall sees everything the user sees.

    Snapshots are processed on-device by the NPU using optical character recognition (OCR) to extract visible text. The resulting data, including image thumbnails and extracted text, is indexed in a SQLite database stored at %LocalAppData%\CoreAIPlatform.00\UKP\{GUID}\ukg.db and related files. This database is readable without administrator rights; standard user account access is sufficient.

    Microsoft's security architecture for Recall uses VBS Enclaves (Virtualization-Based Security enclaves), built on the same hypervisor isolation technology that underlies Hyper-V and Azure confidential computing. The SQLite database is encrypted. Decryption requires Windows Hello Enhanced Sign-in Security: biometric (face or fingerprint) or PIN authentication gates all Recall access, including changing settings and opening the timeline view.

    The VBS Enclave itself is cryptographically solid. Security researchers, including Alexander Hagenah, have described the enclave as "rock solid" in isolation. The architectural weakness is at the handoff point.

    The AIXHost.exe Attack Path: The Real Threat Model

    When a user authenticates with Windows Hello to view their Recall timeline, the VBS Enclave decrypts the database and passes rendered content to a process called AIXHost.exe. This process displays the visual timeline in the user interface.

    AIXHost.exe operates outside the VBS Enclave boundary. It has no AppContainer sandbox for process isolation. It has no code integrity enforcement to prevent unsigned code from running in its context. This means any process running as the same user can inject code into AIXHost.exe or intercept data flowing through it, after Windows Hello authentication has occurred.

    In April 2026, Alexander Hagenah published TotalRecall Reloaded, a proof-of-concept demonstrating this attack path. The tool does not bypass Windows Hello or the VBS Enclave. It waits for the user to authenticate (or silently triggers authentication), then intercepts decrypted screenshots, OCR text, and metadata flowing through AIXHost.exe. No elevated privileges are required.

    The demonstration results were concrete: in a test scenario, researchers recovered six months of an executive's Slack conversations, banking session content, and passwords from encrypted applications, all within three minutes. The data was presented in the clear.

    Microsoft's Security Response Center reviewed the research and issued a formal response: "the behavior observed operates within the current, documented security design of Recall" and "the access patterns demonstrated are consistent with intended protections and existing controls." No CVE has been assigned. No patch is forthcoming.

    This is the correct threat model to operate from: the VBS Enclave provides strong protection for the database at rest, but the rendering pipeline is exploitable by any malware or process running in the user's session after authentication.

    For enterprise threat modeling, the relevant scenarios are:

    Malware targeting AIXHost.exe: Information-stealing malware adapted to monitor the AIXHost.exe process can harvest Recall content without requiring database access. The malware waits for the user to open Recall, or triggers silent background rendering, and collects whatever is decrypted. Existing infostealer families such as Lumma and Vidar have already been updated with Recall targeting capability.

    Device theft with enrolled Windows Hello: A stolen device is protected as long as the attacker cannot present the enrolled face or fingerprint. A stolen device where an attacker can register a new biometric (which requires local administrator access to the enrolled account) could be used to unlock the Recall timeline.

    Insider access: A user with physical access to an unlocked device and access to the Windows Hello credential can browse the target's full Recall history. Employees accessing executives' devices for technical support represent a realistic insider scenario.

    Credential harvesting from screenshots: Recall captures everything visible, including password manager autofill popups, one-time codes on screen, API keys in terminal windows, and credentials typed in applications that do not mask input before it renders. A three-minute review of a developer's Recall timeline can yield significant credential material.

    Notable exception: Signal's Windows client applies a DRM-style screen capture block that prevents Recall from capturing Signal conversation content. The same mechanism, the Windows SetWindowDisplayAffinity API, is available to any application, but adoption across enterprise software is limited.
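    The following is an added example (not from the article and not Signal's code) of the capture opt-out described above: it applies SetWindowDisplayAffinity with WDA_EXCLUDEFROMCAPTURE to a window owned by the calling process and reads the affinity back. The Win32 signatures, the constant values, and the use of the console window for the demo are assumptions made for the example.

```powershell
# Added example: opt a window out of screen capture (the mechanism Signal uses) and verify it.
# Assumes the user32.dll / kernel32.dll signatures below; the window must belong to the
# calling process, so an application calls this on its own top-level windows.
Add-Type -Namespace Win32 -Name Capture -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern bool SetWindowDisplayAffinity(IntPtr hWnd, uint dwAffinity);
[DllImport("user32.dll", SetLastError = true)]
public static extern bool GetWindowDisplayAffinity(IntPtr hWnd, out uint dwAffinity);
[DllImport("kernel32.dll")]
public static extern IntPtr GetConsoleWindow();
'@

$WDA_NONE               = [uint32]0x00  # default: window content is capturable
$WDA_MONITOR            = [uint32]0x01  # window appears as a black rectangle in captures
$WDA_EXCLUDEFROMCAPTURE = [uint32]0x11  # window omitted from captures (Windows 10 2004 and later)

function Set-WindowCaptureExclusion {
    param([IntPtr]$Handle, [bool]$Exclude = $true)
    $want = if ($Exclude) { $WDA_EXCLUDEFROMCAPTURE } else { $WDA_NONE }
    if (-not [Win32.Capture]::SetWindowDisplayAffinity($Handle, $want)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "SetWindowDisplayAffinity failed (Win32 error $err)"
    }
    # Read the affinity back rather than trusting the return value alone.
    $actual = [uint32]0
    [void][Win32.Capture]::GetWindowDisplayAffinity($Handle, [ref]$actual)
    return ($actual -eq $want)   # $true when the requested affinity is in effect
}

# Demo on the host's own console window. Under a classic conhost window the effect is
# visible in any screen capture; under Windows Terminal the handle is a hidden window,
# so only the return values are observable there.
$hwnd = [Win32.Capture]::GetConsoleWindow()
"Excluded from capture: $(Set-WindowCaptureExclusion -Handle $hwnd -Exclude $true)"
"Restored:              $(Set-WindowCaptureExclusion -Handle $hwnd -Exclude $false)"
```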

    Enterprise MDM Controls: Disabling and Restricting Recall via Intune

    Microsoft's default behavior for Copilot+ PCs joined to an enterprise tenant is to disable Recall. This is important context: the highest-risk scenario is consumer or BYOD devices where the user enables Recall during Windows setup without enterprise policy enforcement.

    For managed fleet governance, the relevant policy controls are in the WindowsAI Policy CSP, available in the Microsoft Intune Settings Catalog and via Group Policy (Computer Configuration > Administrative Templates > Windows AI):

    AllowRecallEnablement (OMA-URI: ./Device/Vendor/MSFT/Policy/Config/WindowsAI/AllowRecallEnablement)

    • Value 0: Recall is disabled. The feature binaries are removed from the device. Any previously captured snapshots are deleted. A device restart is required.
    • Value 1: Recall is available for users to enable at their discretion.
    • Default for managed devices: 0 (disabled and removed).

    This is the correct policy for high-sensitivity roles: finance, legal, HR, executive staff, and any role handling regulated data under HIPAA, PCI DSS, or EU GDPR.

    DisableAIDataAnalysis (OMA-URI: ./Device/Vendor/MSFT/Policy/Config/WindowsAI/DisableAIDataAnalysis)

    • Value 1: Recall is present on the device but snapshot capture is disabled. Users can enable Recall from Settings, but capturing will not start until they explicitly turn it on and restart.
    • Value 0: Snapshot saving is permitted.

    This setting is appropriate for user populations where Recall may have legitimate uses but where the organization wants capture disabled by default and opt-in enabled only for specific use cases with managerial approval.

    Application exclusions: Within Recall settings, administrators can configure specific applications to be excluded from capture. For organizations that choose to allow Recall for some users, configuring exclusions for enterprise productivity applications that handle sensitive data (email clients, HR systems, financial applications, document management platforms) reduces the exposure surface. This configuration is user-side only and cannot be centrally enforced via MDM as of mid-2026.

    To implement these in Intune: navigate to Devices > Configuration > Create > New Policy > Windows 10 and later > Settings Catalog. Search for "Windows AI" to find the AllowRecallEnablement and DisableAIDataAnalysis settings.

    For Group Policy: import the latest Windows 11 ADMX templates (available from Microsoft's Security Compliance Toolkit), then navigate to Computer Configuration > Administrative Templates > Windows Components > Windows AI.

    VBS, TPM, and Secured-Core PC: What the Hardware Requirements Mean

    Copilot+ PCs require TPM 2.0, Secure Boot, and Virtualization Based Security to be enabled. Secured-core PC certification (available on many Copilot+ models) adds HVCI (Hypervisor-Protected Code Integrity), which prevents unsigned kernel drivers from loading and hardens the system against firmware-level attacks.

    These requirements are meaningful for the threat model:

    • TPM 2.0 + VBS: Recall's VBS Enclave uses the TPM to bind the encryption key to the device. The Recall database cannot be decrypted by moving the storage drive to another machine. Device theft without the enrolled Windows Hello biometric does not expose Recall content.
    • HVCI: Prevents kernel-mode malware from disabling VBS. Attackers cannot take down the enclave from a kernel rootkit without compromising the hypervisor itself.
    • Secure Boot: Prevents bootloader-level tampering that could undermine the VBS trust chain.

    The hardware baseline is genuinely strong for the "database at rest" scenario. The AIXHost.exe attack path operates entirely in user space, above all of these hardware protections. Hardware security does not address the rendering pipeline weakness.
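    As an added example (not from the article or from Microsoft), the script below audits a single device against the two policy settings described in the Intune section and the hardware baseline described here, and classifies the result. It assumes the WindowsAI Policy CSP settings are mirrored as DWORD values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsAI (with a user-scoped copy of DisableAIDataAnalysis under HKCU), and that it is run from an elevated session.

```powershell
# Added example: report a device's Recall policy posture and its VBS/HVCI/TPM/Secure Boot state.
# Assumption: Policy CSP values live as DWORDs under the WindowsAI policy registry key.

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-RecallPosture {
    $machineKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI'
    $userKey    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI'

    $allowEnablement = Get-PolicyDword $machineKey 'AllowRecallEnablement'
    $disableAnalysis = Get-PolicyDword $machineKey 'DisableAIDataAnalysis'
    if ($null -eq $disableAnalysis) { $disableAnalysis = Get-PolicyDword $userKey 'DisableAIDataAnalysis' }

    # $null means "not configured". On a managed device that is a finding: the device is
    # relying on Microsoft's default instead of an enforced policy.
    if     ($allowEnablement -eq 0) { $position = 'Block: feature removed' }
    elseif ($disableAnalysis -eq 1) { $position = 'Restrict: present, snapshot capture off' }
    elseif ($allowEnablement -eq 1) { $position = 'Allow: users may turn capture on' }
    else                            { $position = 'NOT CONFIGURED: relying on defaults' }

    # Hardware baseline. These protect the encrypted database at rest, not the AIXHost.exe path.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    try { $tpmReady = (Get-Tpm).TpmReady } catch { $tpmReady = $false }
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }  # throws on legacy BIOS

    [pscustomobject]@{
        AllowRecallEnablement = $allowEnablement
        DisableAIDataAnalysis = $disableAnalysis
        Position              = $position
        VbsRunning            = ($dg.VirtualizationBasedSecurityStatus -eq 2)  # 2 = enabled and running
        HvciRunning           = ($dg.SecurityServicesRunning -contains 2)       # 2 = HVCI
        TpmReady              = $tpmReady
        SecureBoot            = $secureBoot
    }
}

Get-RecallPosture | Format-List
```

    Run it against a sample of existing Copilot+ PCs, not only new enrollments, since a device joined before the policy was added may report NOT CONFIGURED.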

    Click-to-Do and Other Copilot+ Features: Secondary Attack Surface

    Click-to-Do analyzes the current screen in real time to suggest contextual actions. It uses the same NPU-based vision pipeline as Recall. The attack surface is narrower because Click-to-Do does not store a persistent history, but it does process whatever is currently on screen. Malicious content displayed on screen, such as a document containing adversarial image instructions, could potentially influence Click-to-Do suggestions in ways that have not been fully characterized by independent security researchers.

    Live Captions processes audio locally and does not transmit content to Microsoft. The on-device model captures all audio, including conference calls containing confidential business discussions, customer calls that may be subject to recording consent laws in multiple jurisdictions, and legal or HR discussions with specific confidentiality requirements. CISOs should audit whether existing call recording policies cover AI-based transcription on endpoints.

    Cocreator (generative image creation in Paint) and Windows Studio Effects (webcam processing) have smaller enterprise security footprints. The primary governance question for both is acceptable use rather than confidentiality exposure.

    Compliance Considerations: GDPR, EU AI Act, and Regulated Industries

    GDPR: Recall captures personal data visible on screen, including data subjects' names, contact details, health information, and financial records visible in enterprise applications. Under GDPR Article 5, personal data must be processed with a lawful basis and be limited to what is necessary. Recall's default capture of everything visible raises questions about data minimization that each organization's DPO should assess. The data stays on-device, which limits cross-border transfer issues, but the processing of personal data without data subject awareness may require DPIA evaluation.

    EU AI Act (effective August 2026): Recall's ongoing screen monitoring could be classified as a general-purpose AI system used in a workplace context. Article 52 transparency obligations require that users be informed when AI systems interact with them. This is arguably satisfied by Microsoft's disclosure during Windows setup, but organizations deploying Recall at scale for productivity monitoring should confirm their legal basis with their data protection counsel.

    HIPAA and PCI DSS: Any Copilot+ PC used to access PHI (Protected Health Information) or cardholder data is a concern if Recall is enabled. Screenshots of EHR systems, payment processing interfaces, or clinical documentation would be captured and stored locally. The Recall database, while encrypted, represents an additional copy of regulated data on the endpoint. Covered entities and PCI-scoped organizations should treat Recall as a new data store requiring classification under their existing data governance frameworks.

    For a full assessment of your endpoint AI attack surface under these regulatory frameworks, BeyondScale's AI Security Assessment maps Copilot+ PC exposure to your specific compliance obligations.

    CISO Decision Framework: Block, Restrict, or Allow

    Three positions are defensible for Copilot+ PC fleet governance:

    Position 1: Block All (High-Sensitivity Roles)

    Apply AllowRecallEnablement = 0 via Intune for all device groups in finance, legal, HR, executive, and any role processing regulated data. This eliminates Recall from the device entirely. The productivity tradeoff is minimal: Recall is an optional convenience feature with legitimate alternatives (search, browser history, document versioning).

    Position 2: Restrict with Application Exclusions (General Workforce)

    Allow Recall on devices where data sensitivity is moderate, but configure application exclusions for all enterprise applications that handle sensitive content. Combine with endpoint DLP monitoring of the AppData path used by Recall. This position requires ongoing maintenance as the application portfolio changes.

    Position 3: Allow with Monitoring (Low-Sensitivity Roles)

    Permit Recall for roles with low data sensitivity. Implement Purview Audit (E5) to capture Recall access events. Configure Intune compliance policies that flag devices where Recall is enabled outside of approved device groups.

    The governance gap across all three positions: Recall captures application content regardless of Purview sensitivity labels applied to files. A document labeled "Confidential" in SharePoint can still be captured in a Recall screenshot while it is open on screen. Sensitivity labels do not propagate to Recall's capture exclusion logic.

    12-Point Hardening Checklist Before Copilot+ PC Fleet Rollout

    Apply these controls before deploying Copilot+ PCs to your organization:

  • Audit your Intune baseline: Confirm AllowRecallEnablement is set to 0 for all managed device groups, not just new enrollments. Existing Copilot+ PCs joined to your tenant may not have received the policy if it was added after initial deployment.
  • Segment by role sensitivity: Create separate Intune device groups for high-sensitivity roles and apply the most restrictive Recall policy (AllowRecallEnablement = 0) to those groups.
  • Set DisableAIDataAnalysis = 1 as the fleet default: Even where AllowRecallEnablement = 1 is allowed for some users, ensure snapshot collection is off by default and requires explicit opt-in via the Settings app.
  • Deploy Windows Hello for Business, not convenience PIN: Windows Hello PIN without biometric enrollment is weaker. Require face or fingerprint authentication as the Recall unlock method via Intune Endpoint Security policies.
  • Enable Purview Audit Premium for Recall events: E5 licensing provides Recall access event logging in Purview Audit, giving you a record of when Recall databases were accessed.
  • Review application exclusion candidates: Identify enterprise applications that handle the most sensitive content in your environment and document which ones should be excluded from Recall capture if Recall is permitted.
  • Update your acceptable use policy: Include explicit language covering Recall and other Copilot+ AI features. Address: what is permitted, which roles may use Recall, and data handling obligations.
  • Assess your infostealer detection coverage: Modern infostealers target Recall data. Verify your EDR solution detects AIXHost.exe process injection and anomalous access patterns in the CoreAIPlatform AppData path.
  • Conduct a DPIA for GDPR-scoped organizations: If your organization is subject to GDPR and you are considering permitting Recall for any users, document the data minimization and lawful basis analysis.
  • Evaluate audio capture implications for Live Captions: If your organization uses Live Captions, assess whether any call recording consent obligations in your operating jurisdictions apply to on-device AI transcription.
  • Test your imaging pipeline: If you reimage devices during fleet rollout, verify that your base image includes the latest ADMX templates so Group Policy settings for Windows AI are available in your GPO.
  • Establish a review cadence: Microsoft updates Copilot+ PC features with each Windows 11 cumulative update. Assign ownership of the Windows AI policy CSP to a specific team member who reviews the Microsoft Learn Manage Recall page after each Patch Tuesday.
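    The following is an added example (not from the article) of the detection coverage the checklist asks for, and of the AIXHost.exe threat model described earlier: it hunts the Sysmon log for other processes opening handles to or creating threads in AIXHost.exe, and turns on object-access auditing for the Recall database folders so reads of ukg.db produce 4663 events. It assumes Sysmon is installed with ProcessAccess (event 10) and CreateRemoteThread (event 8) logging, that the "Object Access > File System" audit subcategory is enabled, and that it runs elevated.

```powershell
# Added example: Sysmon hunt for cross-process access to AIXHost.exe, plus SACL on Recall data.
# Assumes Sysmon events 8/10 are being logged and the session is elevated.

function Get-AIXHostAccessEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 8, 10
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Keep only events where a different image is the one touching AIXHost.exe.
        if ($data.TargetImage -like '*\AIXHost.exe' -and $data.SourceImage -notlike '*\AIXHost.exe') {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                EventId       = $_.Id                 # 10 = handle opened, 8 = remote thread created
                Source        = $data.SourceImage
                GrantedAccess = $data.GrantedAccess   # event 10 only; review high-rights masks first
                CallTrace     = $data.CallTrace       # event 10 only; unsigned modules here are suspect
            }
        }
    }
}

function Enable-RecallDbReadAuditing {
    # Adds one SACL entry per user profile: audit successful and failed reads by Everyone.
    # Path follows the article: %LocalAppData%\CoreAIPlatform.00\UKP\{GUID}\ukg.db
    param([string]$ProfileRoot = 'C:\Users')
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'ReadData,ReadAttributes', 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
    Get-Item -Path (Join-Path $ProfileRoot '*\AppData\Local\CoreAIPlatform.00\UKP') -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName -Audit
            $acl.AddAuditRule($rule)
            Set-Acl -Path $_.FullName -AclObject $acl
            $_.FullName   # emit each folder that now has the audit rule
        }
}

Get-AIXHostAccessEvents -Hours 24 | Format-Table -AutoSize
```

    Recall's own processes will also read ukg.db, so baseline the 4663 events for a few days before alerting on process names outside that set.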

    Conclusion

    Windows Recall enterprise security comes down to one architectural fact: the VBS Enclave protecting the Recall database is strong, and the rendering pipeline (AIXHost.exe) is not. Microsoft has accepted this as a design boundary. Security teams cannot wait for a patch that is not coming.

    The practical response for most enterprise environments is straightforward: disable Recall entirely for sensitive roles using AllowRecallEnablement = 0 in Intune, apply DisableAIDataAnalysis as the default for general fleet devices, and build application exclusions for any deployment where Recall is permitted. The 12-point checklist above covers the full governance surface.

    If you are uncertain about your Copilot+ PC fleet's current Recall configuration or want an independent assessment of your endpoint AI governance posture, book a BeyondScale AI Security Assessment. We review your Intune policy baseline, identify Recall exposure gaps, and map your Copilot+ PC attack surface to your specific compliance obligations.

    For organizations also managing Microsoft 365 Copilot alongside Copilot+ PC deployments, our Microsoft 365 Copilot Security Guide covers the cloud-side AI attack surface, including data oversharing, prompt injection via documents, and audit logging requirements.

    BeyondScale Team, AI Security Team, BeyondScale Technologies

    Security researcher and engineer at BeyondScale Technologies, an ISO 27001 certified AI cybersecurity firm.