Microsoft Recall: How to Disable It and What It Already Captured (2026 Guide)
Microsoft Recall takes a screenshot of your screen every few seconds, runs it through an on-device AI model, and stores a searchable timeline of everything you've ever looked at — emails, bank statements, Slack DMs, NDA-protected client files, the works. It ships enabled by default on new Copilot+ PCs. If you have one, or you're about to buy one, here's how to check whether it's running, turn it off, and remove what it's already captured.
This isn't a theoretical privacy concern. Recall's snapshot database lives in a folder on your local disk, and security researchers have repeatedly shown that anything with local access to your machine — malware, a shared account, a stolen laptop with weak disk encryption — can potentially read it. For tech workers handling client data, source code, or anything under an NDA, that's a real exposure, not a hypothetical one.
What Microsoft Recall Actually Does
Recall is a feature built into Copilot+ PCs (Windows machines with a qualifying neural processing unit, mostly Snapdragon X, Intel Lunar Lake, and AMD Ryzen AI chips released from 2024 onward). It works like this:
- Every few seconds, Recall takes a full-screen screenshot.
- An on-device AI model (not cloud-based) runs OCR and image analysis on the screenshot to extract text and context.
- That data gets indexed into a local SQLite database, encrypted at rest, tied to your Windows Hello credentials.
- You can later search your "timeline" in plain language — "find the spreadsheet I had open last Tuesday" — and Recall surfaces the matching screenshot.
Microsoft's pitch is a kind of perfect memory for your PC. The privacy problem is that it's a perfect memory of everything, including things you never intended to keep a record of: a password briefly visible in a terminal, a medical portal, a private message, a contract under NDA.
Microsoft says the data stays local and isn't used for AI training or sent to the cloud. That's true as designed. The risk isn't Microsoft's servers — it's that you now have a forensic-grade screenshot archive of your entire digital life sitting on your own disk, and disk-level access is a much lower bar to clear than a cloud breach.
Why This Matters More If You Work With Client or Company Data
If you're a developer, consultant, freelancer, or anyone under an NDA, Recall creates a new category of exposure that didn't exist before:
- E-discovery and legal risk. A Recall database is effectively an automatic, granular log of every screen you've ever viewed. If your device is ever subject to legal discovery, that's a much larger surface than your file system alone.
- Shared or managed devices. On a work laptop with IT-managed accounts or shared logins, Recall's snapshots can capture far more than the task at hand — including things colleagues or clients didn't consent to being recorded.
- Theft and physical access. Windows Hello protects the Recall database behind biometric or PIN auth, but no local encryption scheme is bulletproof against a sufficiently motivated attacker with physical access to an unlocked or weakly secured machine.
- Screen-shared secrets. If you've ever had a password manager autofill, an API key in a terminal, or a tax document open — even briefly — Recall likely captured it as a readable screenshot.
None of this requires Microsoft to be malicious. It just requires Recall to exist as a standing target.
Step 1: Check If Recall Is Already Running
Recall only ships on Copilot+ PCs, but Microsoft has expanded eligible hardware over time, and it's been turned on by default in some regional rollouts. Don't assume — verify.
Check via Settings:
- Open Settings → Privacy & security → Recall & snapshots
- If you see this menu at all, your device supports Recall
- Check whether "Save snapshots" is toggled on
Check via PowerShell (more reliable):
```powershell
Get-WindowsOptionalFeature -Online -FeatureName "Recall"
```
If the State returns Enabled, Recall is active on your machine right now.
Check if it's already collected data:
```powershell
dir "$env:LOCALAPPDATA\CoreAIPlatform.00\UKP" -Recurse
```
If this path contains files, Recall has been capturing and storing snapshots.
Step 2: Disable Recall Completely
Turning off the toggle in Settings stops new snapshots but doesn't always fully remove the feature or guarantee background processes stay off after updates. For a clean disable, do both the Settings change and the optional-feature removal.
Disable via Settings (do this first):
- Settings → Privacy & security → Recall & snapshots
- Toggle Save snapshots to off
- Restart your machine
Fully remove the Recall feature (recommended for sensitive work):
```powershell
Run PowerShell as Administrator
Disable-WindowsOptionalFeature -Online -FeatureName "Recall" -NoRestart
```
Restart after this completes. This removes the feature rather than just pausing it, which matters because Windows updates have occasionally re-enabled toggled-off features.
For managed/enterprise devices, Recall can also be blocked via Group Policy:
```
Computer Configuration → Administrative Templates → Windows Components → Windows AI →
"Turn off saving snapshots for use with Recall"
```
Set this to Enabled to block it at the policy level — useful if you manage devices for a team and want Recall off by default across the fleet.
Step 3: Delete What's Already Been Captured
Disabling Recall going forward doesn't delete the snapshots it already took. Clear the existing archive separately.
Via Settings:
- Settings → Privacy & security → Recall & snapshots
- Under "Snapshots," select Delete all snapshots
- Confirm — this requires Windows Hello re-authentication
Manual verification the data is gone:
```powershell
dir "$env:LOCALAPPDATA\CoreAIPlatform.00\UKP" -Recurse
```
This directory should now be empty or absent. If files remain, the deletion didn't complete and you should retry through Settings rather than deleting the folder manually — manual deletion can leave index fragments behind that a forensic tool could still partially reconstruct.
One more thing worth knowing: standard deletion removes the files from the visible file system, but it doesn't securely wipe the underlying disk sectors. If you've had Recall running on a machine with genuinely sensitive client or legal material, treat the drive as having held that data permanently, not just temporarily — full disk encryption going forward is the real mitigation, not after-the-fact deletion.
What to Do Instead, If You Want AI Search Without the Risk
The appeal of Recall — fast, AI-powered search across your own activity — is legitimate. You don't have to give that up. You just need it to not live as an unencrypted forensic log on a single device.
Use encrypted, zero-knowledge storage for anything you'd be uncomfortable in a Recall-style archive. Tresorit is end-to-end encrypted cloud storage where even Tresorit can't read your files. If client documents, contracts, or financial records live in Tresorit instead of sitting open on your desktop, a screen-capture tool like Recall has nothing sensitive to grab in the first place — the files are decrypted only momentarily, in memory, when you're actively working in them.
Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.
Locking Down the Rest of Your Windows AI Surface
Recall isn't the only Copilot+ feature worth auditing. A few related settings to check while you're in there:
Windows Copilot data access. Copilot (the assistant, separate from Recall) can be granted access to files and apps. Review what it's connected to under Settings → Apps → Installed apps → Copilot → Advanced options.
Click to Do and other on-screen AI features. Newer Copilot+ features analyze on-screen content for quick actions. They're generally lower-risk than Recall since they don't persist a database, but they still process screen content through an AI model — worth knowing what's enabled.
Network-level protection for any cloud AI you do use. Local AI features like Recall stay on-device, but the moment you use cloud Copilot, ChatGPT, or any hosted AI tool from the same machine, that traffic leaves your network. Routing it through Proton VPN keeps your ISP and network observers from correlating your AI usage patterns, and Proton's no-logs policy has been independently audited rather than just claimed.
Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.
Last updated: 2026-06-30