⚙️🪟💻CP - User Experience - Windows AI

What this policy is about 🤖

Microsoft is pushing AI features hard. Recall, Click to Do, and whatever comes next.

But here's the uncomfortable truth: AI features often mean screenshots, data analysis, and local storage of potentially sensitive information.

And in a managed enterprise environment? That's a conversation you need to have before these features start capturing your users' screens.

This policy gives you control over Windows AI features — specifically:

Recall (the screenshot-everything-you-do feature)
Click to Do (AI-powered actions on screen content)
Storage limits and retention policies

Think of it as the "AI governance baseline" for Windows devices.

The Recall elephant in the room 🐘

Let's talk about Recall.

Microsoft's pitch: "Find anything you've seen on your PC by searching snapshots of your screen."

Reality check:

It takes periodic screenshots of your desktop
Stores them locally in a database
Uses OCR and AI to make them searchable

Sounds cool? Sure.

Sounds like a compliance nightmare? Also yes.

Because imagine:

Screenshots of confidential emails
Customer data visible in apps
Financial dashboards, HR systems, legal docs — all captured
Local storage that could be exfiltrated or forensically recovered

By default on managed devices, Recall is disabled. And that's intentional.

But with this policy, you can:

Keep it disabled (the safe default)
Enable it conditionally with strict controls (storage limits, retention periods)
Document your decision so compliance/legal/management knows what's happening

Our configuration: secure by default 🔒

We've configured this policy with security in mind, not convenience.

Here's the philosophy:

Recall is available (not blocked entirely) — so users can enable it if needed
Data analysis (snapshots) is allowed — but with strict limits
Click to Do is enabled — it's less invasive (only takes screenshots when invoked)
Storage is capped at 25GB — no unlimited hoarding of screenshots
Retention is limited to 30 days — old snapshots are automatically deleted

This strikes a balance: ✅ AI features are available when needed ✅ But with hard limits on data collection and storage ✅ Compliance-friendly retention policies ✅ No surprises for legal/security teams

🛠️ Configuration Settings

Setting	Value	Why
Allow Recall Enablement	`Enabled (Recall is available)`	Recall is available for users to enable, but not enabled by default. Users must opt-in.
Disable AI Data Analysis	`Disabled (Allow snapshots)`	Allows saving snapshots if Recall is enabled. Without this, Recall can't function.
Disable Click To Do	`Enabled (Click to Do is enabled)`	Click to Do is less invasive than Recall — it only screenshots when the user explicitly invokes it.
Set Maximum Storage Duration For Recall Snapshots	`30 days`	Snapshots older than 30 days are automatically deleted. Limits retention exposure.
Set Maximum Storage Space For Recall Snapshots	`25 GB`	Caps storage at 25GB (suitable for 256GB devices). Prevents unlimited data accumulation.

Deep dive: what each setting does 🔍

1. Allow Recall Enablement

Value: Recall is available

This controls whether Recall is even an option on the device.

Three states:

Not available (0) → Recall is completely blocked, bits are removed from the device
Available (1) → Recall is available, but disabled by default — user can enable it
Not configured → Default behavior (disabled on managed devices)

Why we chose "Available":

Flexibility — some users may legitimately need it (developers, researchers, power users)
Control — we can restrict it with storage/retention limits (see below)
Transparency — better than silently blocking it without documentation

Important: Even when "available", Recall is off by default. Users must explicitly enable it.

2. Disable AI Data Analysis

Value: Disabled (meaning: snapshots are allowed)

Confusing naming, right? Let's clarify:

Enabled → No snapshots allowed (Recall can't function)
Disabled → Snapshots are allowed (Recall can function if enabled by user)

Why we allow snapshots: Because if Recall is available (setting #1), users need to be able to actually use it.

But here's the catch: We limit storage and retention (settings #4 and #5), so even if snapshots are saved, they:

Can't exceed 25GB
Are deleted after 30 days
Are stored locally (encrypted with BitLocker, assuming you have that configured)

Risk mitigation:

BitLocker encryption protects the snapshot database
Short retention (30 days) limits exposure
Storage cap prevents runaway disk usage

3. Disable Click To Do

Value: Enabled (meaning: Click to Do is enabled for users)

Yes, the naming is backwards. Welcome to Microsoft policy CSPs.

What is Click to Do?

User presses Win + Shift + S (or similar)
Windows takes a screenshot
AI analyzes it locally and suggests actions (e.g., "Call this number", "Open this URL", "Search for this text")

Why we allow it:

User-initiated only → No background capturing
Ephemeral → Screenshot is analyzed and discarded (not stored long-term)
Locally processed → No cloud upload
Actually useful → Less invasive than Recall, more practical

Risk assessment: Low. It's essentially a smarter screenshot tool.

4. Set Maximum Storage Duration For Recall Snapshots

Value: 30 days

This is your retention policy.

Options:

0 → No time limit (snapshots deleted only when storage limit is hit)
30, 60, 90, 180 days → Snapshots auto-deleted after X days

Why 30 days?

Balances usability (users can search recent history)
Limits compliance exposure (old snapshots don't linger forever)
Aligns with typical "short-term data retention" policies

Example: A snapshot taken on January 1st is automatically deleted on January 31st, regardless of available storage.

Compliance benefit: When legal/audit asks "how long do we store AI-captured screenshots?", you have a clear answer: 30 days, max.

5. Set Maximum Storage Space For Recall Snapshots

Value: 25 GB

This is your storage cap.

Options:

0 → OS decides (25GB for 256GB devices, 75GB for 512GB, 150GB for 1TB+)
10, 25, 50, 75, 100, 150 GB → Manual limit

Why 25GB?

Suitable for most 256GB devices (typical laptop config)
Prevents Recall from eating disk space
Provides ~3-4 weeks of snapshots for typical usage

Example math:

Average snapshot size: ~50-100 KB (text-heavy screens)
Snapshots taken every ~5 seconds when active
~1000-2000 snapshots per day
25GB = ~30-40 days of retention (at which point the 30-day policy kicks in anyway)

The two limits work together:

Time-based (30 days) → Deletes old snapshots
Space-based (25GB) → Deletes oldest snapshots if storage is full

Whichever hits first, data is deleted. No surprises.

👥 Group Assignments

✅ Included groups:

All Devices

❌ Excluded groups:

None

Why apply to everyone? Because AI features are system-wide and should have consistent governance.

You don't want some devices with Recall hoarding 150GB of unmanaged screenshots while others are locked down.

Consistency = security.

Risk assessment: should we allow this at all? ⚖️

Fair question.

Arguments for blocking Recall entirely:

Screenshots may capture sensitive data (PII, financial info, trade secrets)
Local storage is still a risk (device theft, forensics, malware exfiltration)
Compliance frameworks (GDPR, HIPAA, etc.) may frown on automated data capture
Legal discovery could subpoena Recall databases

Arguments for allowing it (with limits):

Some users genuinely benefit (developers, researchers, creatives)
It's local-only (no cloud upload)
BitLocker + retention limits mitigate risk
Users must opt-in (not forced)

Our stance: We allow it with strict controls. If your organization is subject to strict data regulations (healthcare, finance, legal), consider:

Setting Allow Recall Enablement to Not available (0) → Blocks it entirely
Or creating an exception group for approved users (e.g., IT, dev teams)

Document your decision. Make sure compliance/legal/management sign off.

Compliance & legal considerations ⚖️

If you're in a regulated industry, ask yourself:

Data classification: Does Recall capture data that's classified as sensitive/confidential?
Retention requirements: Do regulations require shorter retention than 30 days (e.g., GDPR's "data minimization")?
Right to be forgotten: If a user requests data deletion, does that include Recall snapshots?
Discovery obligations: If you're in litigation, are Recall databases in scope for e-discovery?
Cross-border data: If devices travel internationally, are local snapshots subject to local data laws?

No universal answer. It depends on your industry, region, and risk appetite.

Pro tip: Loop in your legal/compliance team before deploying this. Show them this doc. Get sign-off in writing.

Monitoring & auditing 📊

How do you know if users are enabling Recall?

Currently, there's no built-in Intune report for "Recall usage". But you can:

Proactive Remediations (Intune) → Script to check if Recall is enabled
Log Analytics → Query for Recall-related events (if any)
User surveys → Ask if anyone is using it (low-tech but effective)

Sample PowerShell check:

# Check if Recall snapshots database exists
$recallDbPath = "$env:LOCALAPPDATA\Microsoft\Windows\Recall\Snapshots"
if (Test-Path $recallDbPath) {
    Write-Output "Recall snapshots found"
    # Optionally: check database size, last modified date, etc.
} else {
    Write-Output "Recall not in use"
}

Why audit?

Compliance reporting ("How many devices have Recall enabled?")
Risk management (identify high-usage devices for closer scrutiny)
User education (if usage is widespread, maybe training is needed)

When to revisit this policy 🔄

AI features are evolving fast. Microsoft will add more (Copilot integrations, new AI tools, etc.).

Revisit this policy when:

New AI features are announced (Windows Insider builds are your friend)
Regulatory requirements change (new GDPR guidance, industry standards, etc.)
Security incidents occur (data breaches involving AI-captured data)
User feedback indicates the limits are too strict/loose

Set a calendar reminder: Review this policy every 6 months.

Alternative configurations 🛠️

Depending on your organization's risk appetite, here are some tweaks:

More restrictive (high security):

Allow Recall Enablement → Not available (blocks it entirely)
Set Maximum Storage Duration → Not applicable (since Recall is blocked)
Set Maximum Storage Space → Not applicable

More permissive (low security):

Set Maximum Storage Duration → 90 days (longer retention)
Set Maximum Storage Space → 50-75 GB (more storage)

Exception-based (hybrid):

Create a group-based exception (e.g., "AI Feature Testers")
Apply the restrictive policy to All Devices (excluding the exception group)
Apply a permissive policy to the exception group

Document your reasoning for any deviations.

The big picture 🖼️

AI in Windows is here to stay. Microsoft will keep adding features.

Your job as an admin/security professional is to:

Understand what these features do (and don't blindly enable them)
Assess the risk (data capture, storage, retention, compliance)
Configure with intent (not just "default = fine")
Document your decisions (so future-you and auditors know why)
Monitor usage and impact (features are only as secure as their implementation)

This policy is a baseline. Adjust it to fit your organization's needs.

But whatever you do:

Don't ignore AI features (they're not going away)
Don't blindly enable them (convenience ≠ security)
Don't forget to document (compliance is a paper trail, not a checkbox)

Final thoughts 🧠

Windows AI features are powerful. And powerful features are security-sensitive by definition.

Recall captures your screen. Click to Do analyzes it. Future features will do even more.

So:

Control what you can (this policy does that)
Limit what you allow (storage, retention, opt-in)
Monitor what happens (auditing, compliance checks)

Because when legal/compliance/management asks "What's our AI data policy?", you want to have an answer better than:

"Uh... Windows has AI features? I didn't know."

You do know. You configured it. You documented it. You're good.

🔗 Documentation & References

Configure with intent. Document with clarity. And remember: AI features are tools, not magic. Treat them accordingly. 🤖

What this policy is about 🤖​

The Recall elephant in the room 🐘​

Our configuration: secure by default 🔒​

🛠️ Configuration Settings​

Deep dive: what each setting does 🔍​

1. Allow Recall Enablement​

2. Disable AI Data Analysis​

3. Disable Click To Do​

4. Set Maximum Storage Duration For Recall Snapshots​

5. Set Maximum Storage Space For Recall Snapshots​

👥 Group Assignments​

✅ Included groups:​

❌ Excluded groups:​

Risk assessment: should we allow this at all? ⚖️​

Compliance & legal considerations ⚖️​

Monitoring & auditing 📊​

When to revisit this policy 🔄​

Alternative configurations 🛠️​

More restrictive (high security):​

More permissive (low security):​

Exception-based (hybrid):​

The big picture 🖼️​

Final thoughts 🧠​

🔗 Documentation & References​