How Microsoft Handles Enterprise Recall Cases

For end users, managing Recall means going through PowerShell.

It is far from the norm, but there is at least one scenario in which this requirement arises. It concerns devices that run:

  • An Enterprise or Education edition of Windows
  • Any premium SKU, provided the device has a volume license key or is joined to a domain

Reflecting its sensitivity, Recall is, on these devices, bound by a multi-layered set of administration policies and consents. Its activation requires:

  • On the admin side, enabling the AllowRecallEnablement policy and not enabling the DisableAIDataAnalysis policy (which prohibits saving the snapshots Recall needs)
  • On the user side, explicit consent to that same snapshot saving (either on first launch or later in Windows Settings), followed by actual use of Recall

If AllowRecallEnablement is not configured, Recall is not accessible. The same applies if the policy is set to “Disabled”, with one difference: all associated content, notably the previously captured snapshots, is also deleted.

If the end user wishes to perform such a deletion after an admin has authorized Recall activation, for the moment they must go through PowerShell.

From Web Browsing to Remote Desktops, Gaps in the Net

Microsoft has begun a global rollout of the Recall preview. It is doing the same for another “special Copilot+ PC feature”: Click to Do. In its current state, it is wrapped in the “temporary control of enterprise features.” This means that on devices where updates are managed with Windows Autopatch or WSUS, it is automatically disabled until the next annual feature update, or until it is activated via the AllowTemporaryEnterpriseFeatureControl policy, which enables all features delivered through the latest monthly quality update.

Various policies allow finer control over Recall, but they cannot be applied to devices running Windows 11 Pro:

  • SetDenyAppListForRecall
    Definition of a list of applications excluded from screenshots. It can include AUMID values (Application User Model IDs) and/or executable file names. The end user can add items.
  • SetDenyUriListForRecall
    Definition of a list of URIs excluded in supported browsers (Edge, Firefox, Opera, Chrome and Chromium-based browsers in version 124 or later).
  • SetMaximumStorageDurationForRecallSnapshots
    Control of the maximum retention duration of screenshots (30, 60, 90 or 180 days). If not set, when the storage quota allocated to Recall is reached, the oldest snapshots are deleted.
  • SetMaximumStorageSpaceForRecallSnapshots
    Six options: 10, 25, 50, 75, 100 or 150 GB. By default, 25 GB are allocated on systems with 256 GB disks; 75 GB on those with 512 GB; 150 GB on those with 1 TB or more.
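The activation rules above (AllowRecallEnablement and DisableAIDataAnalysis) and the four fine-grained policies can be audited from the device itself. The script below is an added example, not code from the article or from Microsoft: it assumes the policies are delivered as registry values under the WindowsAI policy key (HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI), with the value names matching the policy names quoted in the article; adjust the path if your ADMX or CSP mapping differs. It reports the effective Recall state using the article's rules and flags retention and storage values outside the documented options.

```powershell
# Added example (not from the article): audit Recall policy state on a Windows 11 device.
# Assumption: policies live as registry values under the WindowsAI policy key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI'

function Get-PolicyValue {
    param([string]$Name)
    # Returns $null when the key or the value is absent (policy "not configured").
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-RecallPolicyState {
    $allow   = Get-PolicyValue 'AllowRecallEnablement'
    $disable = Get-PolicyValue 'DisableAIDataAnalysis'

    # Effective state, following the rules stated in the article.
    if ($null -eq $allow) {
        $state = 'Not accessible: AllowRecallEnablement is not configured'
    } elseif ([int]$allow -eq 0) {
        $state = 'Not accessible: AllowRecallEnablement is Disabled (existing snapshots are deleted)'
    } elseif ([int]$disable -eq 1) {
        $state = 'Blocked: DisableAIDataAnalysis prohibits saving snapshots'
    } else {
        $state = 'Admin-enabled: still requires user consent to snapshot saving, then first use'
    }

    $retention = Get-PolicyValue 'SetMaximumStorageDurationForRecallSnapshots'
    $storage   = Get-PolicyValue 'SetMaximumStorageSpaceForRecallSnapshots'
    $warnings  = @()

    # Only the documented options are valid; anything else is a misconfiguration worth a ticket.
    if ($null -ne $retention -and [int]$retention -notin 30, 60, 90, 180) {
        $warnings += "Retention $retention days is not one of 30/60/90/180"
    }
    if ($null -ne $storage -and [int]$storage -notin 10, 25, 50, 75, 100, 150) {
        $warnings += "Storage quota $storage GB is not one of 10/25/50/75/100/150"
    }
    if ($null -eq $retention) {
        $warnings += 'No retention limit: oldest snapshots are only deleted when the quota fills'
    }

    [pscustomobject]@{
        AllowRecallEnablement = $allow
        DisableAIDataAnalysis = $disable
        EffectiveState        = $state
        DeniedApps            = Get-PolicyValue 'SetDenyAppListForRecall'
        DeniedUris            = Get-PolicyValue 'SetDenyUriListForRecall'
        MaxRetentionDays      = $retention
        MaxStorageGB          = $storage
        Warnings              = ($warnings -join '; ')
    }
}

# Usage: run in an elevated PowerShell session on the device being audited.
Get-RecallPolicyState | Format-List
```

Running this on a fleet (for example through a Configuration Manager script or an Intune remediation) gives a quick inventory of which devices are admin-enabled but still waiting on user consent, and which have deny lists or quotas that drift from the baseline. It does not, and cannot, see the user-side consent state, which the article places in Windows Settings.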

Once installed, Click to Do, unlike Recall, is enabled by default. It can be managed at both the device and the user levels.

Currently, on unmanaged devices, there are no Recall conditional access policies in Intune or Entra. This is a BYOD policy constraint to consider. Also beware of remote desktop sessions: the client must implement screen capture protection. As for websites, they are filtered only when they are in the foreground. Open but inactive tabs can therefore end up in the snapshots.

Dawn Liphardt

I'm Dawn Liphardt, the founder and lead writer of this publication. With a background in philosophy and a deep interest in the social impact of technology, I started this platform to explore how innovation shapes — and sometimes disrupts — the world we live in. My work focuses on critical, human-centered storytelling at the frontier of artificial intelligence and emerging tech.