Microsoft's AI push in the enterprise comes with two distinct but related data collection stories. The first is Windows 11 Recall — an on-device AI feature that treats your screen like a searchable journal. The second is Microsoft 365 Copilot — a cloud-side AI assistant that reads your organisation's email, chats, and documents to answer questions and draft content. Neither is inherently sinister, but both have architectural properties that IT and security teams need to understand before they show up in production at scale.
These aren't hypothetical concerns. One year after Recall's launch on Copilot+ PCs, security researchers keep finding vulnerabilities in the tool that promises to give Windows users a "photographic memory" of everything they do on their computer. And on the cloud side, Microsoft's own privacy documentation reveals that some data transmission cannot be fully suppressed, even by enterprise administrators.
Recall is the AI feature Microsoft built into Copilot+ PCs that takes periodic screenshots of the user's screen, runs OCR on them, and stores the results in an encrypted local SQLite database that users can search by natural language. After Microsoft pulled the original 2024 release in response to a security backlash, the company rebuilt Recall around Virtualization-Based Security (VBS) enclaves, AES-256-GCM encryption, Windows Hello biometric authentication, and a Protected Process Light host for keys, and relaunched it in April 2025.
Those are meaningful improvements. The problem, as researchers keep pointing out, is structural: the fundamental architecture of continuous screenshot monitoring creates multiple potential attack surfaces — the screenshot capture mechanism, the local storage system, the AI analysis engine, and the user interface for accessing stored data. Each component represents a potential vulnerability that malicious actors could exploit to gain access to sensitive user information.
Microsoft's stated position is that sensitive data is filtered at capture time. Microsoft says Recall blurs images of credit-card numbers, bank passwords, and other personal data — or doesn't store them at all. But security experts are still not convinced. After testing the latest version of Recall, Swiss technologist Hagenah recently issued a new proof-of-concept demonstrating the gap between Microsoft's claims and what the filter actually catches. Independent testing in August 2025 confirmed the filter still misses categories of data it was designed to catch.
For an enterprise user, a single eight-hour session with Recall active could snapshot a CRM full of client records, a Teams call showing unreleased financials, and a VPN credential prompt that the filter missed. That data lives locally — but "locally encrypted" is not the same as "inaccessible to a post-compromise attacker."
Microsoft 365 Copilot is a sophisticated processing and orchestration engine that provides AI-powered productivity capabilities by coordinating content in Microsoft Graph — such as emails, chats, and documents that you have permission to access — and the Microsoft 365 productivity apps that you use every day, such as Word and PowerPoint.
The data boundary story is more reassuring here than with Recall. Data isolation means prompts, grounding data from Microsoft Graph, and responses are processed entirely within the Microsoft 365 service boundary. Microsoft also commits to standard compliance frameworks: Microsoft 365 Copilot supports GDPR, ISO/IEC 27018, and its Data Protection Addendum. Copilot respects your identity model and permissions, inherits your sensitivity labels, applies your retention policies, supports audit of interactions, and follows your administrative settings.
The practical concern for enterprise admins isn't that Microsoft is selling your data — it's about the blast radius if Copilot surfaces something it shouldn't. With enterprise data protection, prompts and responses in Copilot Chat are logged, and the same retention policies used for Microsoft 365 Copilot can be used for Copilot Chat. That means your existing e-discovery and DLP policies apply — but only if they've been configured to do so.
Microsoft gives enterprise admins meaningful controls over diagnostic data from Office apps. Some diagnostic data is required, while some diagnostic data is optional. Microsoft gives organisations the ability to choose whether to send required or optional diagnostic data through the use of privacy controls, such as policy settings.
However, there is a hard floor. If you choose "Neither," no diagnostic data about Office client software running on the user's device is sent to Microsoft — but even if you choose "Neither," required service data will still be sent from the user's device to Microsoft. "Required service data" covers the telemetry Microsoft considers necessary to keep the service functional: licence validation, service health signals, and feature usage metadata. Admins can reduce the telemetry surface but cannot eliminate it entirely.
| Control | What It Does | What It Doesn't Do |
|---|---|---|
| Diagnostic data → Required only | Stops optional telemetry (feature usage detail, inking data, etc.) | Does not stop required service data |
| Diagnostic data → Neither | Stops all optional and required diagnostic data | Does not stop required service data; limits Microsoft support capability |
| Connected Experiences → Disabled | Disables AI-powered features (Editor, Designer, Copilot suggestions) | Does not disable core productivity telemetry |
| Recall → Disabled via Group Policy | Prevents Recall from running on managed Copilot+ PCs | Does not retroactively purge existing snapshot databases |
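
The limits in the table can be checked per device. The following is an added example, not Microsoft's or the original article's code: it parses `reg query` output collected from an endpoint and reports what the applied policies still leave open. The registry value names (`DisableAIDataAnalysis`, `SendTelemetry`) are Microsoft's documented policy values but are not quoted in this article, the `snapshot_store_present` input is hypothetical, and the sample output is constructed.

```python
import re

# Policy locations below are Microsoft's documented registry values; they are
# not quoted on the page and are used here as assumptions of this example.
RECALL_KEY = r"hkey_local_machine\software\policies\microsoft\windows\windowsai"
OFFICE_KEY = r"hkey_current_user\software\policies\microsoft\office\common\clienttelemetry"

# Constructed sample: `reg query` output collected from one managed device.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsAI
    DisableAIDataAnalysis    REG_DWORD    0x1

HKEY_CURRENT_USER\Software\Policies\Microsoft\office\common\clienttelemetry
    SendTelemetry    REG_DWORD    0x3
"""

DWORD_RE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")

def parse_reg_query(text):
    """Map (key path, value name), both lower-cased, to the DWORD value."""
    values, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip().lower()
        elif key and (m := DWORD_RE.match(line)):
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(reg_text, snapshot_store_present):
    """Return finding codes for one device.

    snapshot_store_present comes from a separate disk inventory (hypothetical
    input): the policy stops new snapshots but does not purge old ones.
    """
    v = parse_reg_query(reg_text)
    findings = []
    if v.get((RECALL_KEY, "disableaidataanalysis")) != 1:
        findings.append("RECALL_NOT_DISABLED")
    elif snapshot_store_present:
        findings.append("RESIDUAL_SNAPSHOT_DB")
    # SendTelemetry: 1 = required only, 2 = optional, 3 = neither.
    if v.get((OFFICE_KEY, "sendtelemetry")) not in (1, 3):
        findings.append("OPTIONAL_DIAGNOSTICS_NOT_BLOCKED")
    # Hard floor: no diagnostic-data setting stops required service data.
    findings.append("REQUIRED_SERVICE_DATA_STILL_SENT")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, snapshot_store_present=True))
```

The last finding is reported for every device, which mirrors the hard floor described above: it is a residual flow to document in the data-protection assessment, not a misconfiguration to fix.
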
For security-conscious IT shops — particularly those in regulated industries or handling client-confidential work — the arrival of Copilot+ hardware on standard refresh cycles is a policy forcing function, not a future problem. Journalist Zac Bowden reported in January 2026 that Microsoft is "pulling back its Windows 11 AI push with a major Copilot and Recall rethink," which suggests some internal acknowledgement that the rollout has been bumpy. But hardware doesn't wait for feature rethinks, and Copilot+ NPU requirements are already baked into OEM product lines.
Microsoft is threading a genuinely difficult needle: building AI features that are useful enough to justify the premium hardware and licensing costs, while keeping enterprise security teams on-side. Recall's repeated security stumbles suggest the needle isn't threaded yet. The M365 Copilot story is more mature, but it inherits whatever hygiene problems already exist in your tenant — and amplifies them.
The core issue isn't that Microsoft is acting maliciously. It's that AI features optimised for convenience create data aggregation points that weren't on last year's threat model. A screenshot database that reconstructs your last 90 days of screen activity is a valuable forensic artefact — and valuable forensic artefacts attract adversaries.