Microsoft has delayed the roll-out of its controversial Windows Recall feature for a third time as security concerns continue to plague its public release.
Recall, slated to be exclusively available for the new Copilot+ PC ecosystem, captures screenshots locally on the device to enable users to search back through their activities.
But confusion arising due to unclear messaging on how secure the captured data would be, and how vulnerable it would be to attacks by malicious actors, led to the software giant walking back the feature’s release earlier this year.
After first being announced in May 2024, the roll out of the much-maligned capability has been tweaked and changed over the last six months.
It was initially scheduled for members of the Windows Insider Program (WIP) weeks after the announcement, but after an uproar from security industry stakeholders it revised this limited release to Insiders in October.
The full release of Recall was then set to be November, after Microsoft went back to the drawing board. These changes were aimed to make it easier for users that were still unsure about the feature to uninstall Recall, including the AI models that underpin the system.
But Microsoft has now delayed the roll out once again, stating that it needs more time to get the feature ready and iron out remaining security issues.
In a statement to given to ITPro, Brandon LeBlanc, senior product manager on the Windows Insider Program, said Microsoft is “taking additional time to refine the experience before previewing it with Windows Insiders”.
LeBlanc added that Recall will now be available for members in December.
"We are committed to delivering a secure and trusted experience with Recall. We recently shared updates to the security and privacy architecture for Recall in a Windows Blog post," LeBlanc said.
Windows Recall is the problem that never ends for Microsoft
At the time of its unveiling, security experts were quick to call out a number of glaring questions surrounding the security of the Recall feature.
Much of the concern surrounded what information Microsoft was storing and how it was protecting it.
Microsoft has subsequently stated that Recall will not be active by default and users will need to opt in to use it, and clarified that the tool will never collect images from private browsing sessions.
Users will also be able to choose exactly which apps and websites they want Recall to ignore, and how long the data is stored.
The topic around the integrity of the stored information has been fraught, namely due to Microsoft’s unclear messaging, suggesting the information was encrypted and invulnerable to remote access.
A detailed blog post published by Kevin Beaumont shortly after Recall’s announcement outlined the core concerns Microsoft needed to address, namely clearing up confusion around whether or not the information was encrypted on the device.
Beaumont revealed that captured information could be accessed remotely by a malicious actor, despite widespread reporting to the contrary.
The data, if accessed by which would provide a veritable treasure trove to any threat actor who could compromise the system.
In a blog post published in September 2024, David Weston, VP of Enterprise and OS Security at Microsoft clarified how Recall information is secured, stating it leverages Windows Hello Enhanced Sign-In Security to authorize Recall-related operations.
Weston revealed the snapshot system used by Recall is enclosed inside a virtualization-based security enclave, which a user would need to have permissions granted through Windows Hello in order to access.
