diff --git a/windows/client-management/manage-recall.md b/windows/client-management/manage-recall.md index 3eb1e0c7b9..7594f092cd 100644 --- a/windows/client-management/manage-recall.md +++ b/windows/client-management/manage-recall.md 
@@ -42,7 +42,7 @@ Privacy and security are built into Recall's design. With Copilot+ PCs, you get Recall doesn't share snapshots with other users that are signed into Windows on the same device and IT admins can't access or view the snapshots on end-user devices. Microsoft can't access or view the snapshots. Recall requires users to confirm their identity with [Windows Hello](https://support.microsoft.com/windows/configure-windows-hello-dae28983-8242-bb2a-d3d1-87c9d265a5f0) before it launches and before accessing snapshots. At least one biometric sign-in option must be enabled for Windows Hello, either facial recognition or a fingerprint, to launch and use Recall. Before snapshots start getting saved to the device, users need to open Recall and authenticate. Recall takes advantage of just in time decryption protected by [Hello Enhanced Sign-in Security (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security). Snapshots and any associated information in the vector database are always encrypted. Encryption keys are protected via Trusted Platform Module (TPM), which is tied to the user's Windows Hello ESS identity, and can be used by operations within a secure environment called a [Virtualization-based Security Enclave (VBS Enclave)](/windows/win32/trusted-execution/vbs-enclaves). This means that other users can't access these keys and thus can't decrypt this information. Device Encryption or BitLocker are enabled by default on Windows 11. For more information, see [Recall security and privacy architecture in the Windows Experience Blog](https://blogs.windows.com/windowsexperience/?p=179096). -When using Recall, the [**Sensitive information filtering**](#user-controlled-settings-for-recall) setting is enabled by default to help ensure your data's confidentiality. 
Recall leverages the libraries that [power Microsoft's Purview information protection product](/purview/sit-learn-about-exact-data-match-based-sits), which is deployed in enterprises globally. When this setting is enabled, snapshots won't be saved when potentially sensitive information is detected. Most importantly, the sensitive information remains on the device at all times, regardless of whether the Sensitive Information Filtering setting is enabled or disabled. For more information about the types of potentially sensitive information, see [Reference for sensitive information filtering in Recall](recall-sensitive-information-filtering.md). +When using Recall, the **Sensitive information filtering** setting is enabled by default to help ensure your data's confidentiality. Recall leverages the libraries that [power Microsoft's Purview information protection product](/purview/sit-learn-about-exact-data-match-based-sits), which is deployed in enterprises globally. When this setting is enabled, snapshots won't be saved when potentially sensitive information is detected. Most importantly, the sensitive information remains on the device at all times, regardless of whether the Sensitive Information Filtering setting is enabled or disabled. For more information about the types of potentially sensitive information, see [Reference for sensitive information filtering in Recall](recall-sensitive-information-filtering.md). In keeping with Microsoft's commitment to data privacy and security, all captured images and processed data are kept on the device and processed locally. However, Click to Do allows users to choose if they want to perform additional actions on their content. 
@@ -127,7 +127,7 @@ You can define how long snapshots can be retained on the device by using the **S ### App and website filtering policies -You can filter both apps and websites from being saved in snapshots. Users are able to add to these filter lists from the **Recall & Snapshots** settings page. Some applications are automatically excluded from snapshots. For more information, see the [Applications that are automatically excluded from snapshots](#applications-that-are-automatically-excluded-from-snapshots) section. +You can filter both apps and websites from being saved in snapshots. Users are able to add to these filter lists from the **Recall & Snapshots** settings page. Some remote desktop connection clients are filtered by default from snapshots. For more information, see the [Remote desktop connection clients filtered from snapshots](#remote-desktop-connection-clients-filtered-from-snapshots) section. To filter apps from being saved in snapshots, use the **Set a list of URIs to be filtered from snapshots for Recall** policy. Define the list using a semicolon to separate URIs. Make sure you include the URL scheme such as `http://`, `file://`, `https://www.`. Sites local to a supported browser like `edge://`, or `chrome://`, are filtered by default. For example: `https://www.Contoso.com;https://www.WoodgroveBank.com;https://www.Adatum.com` 
@@ -151,7 +151,7 @@ To filter apps from being saved in snapshots, use the **Set a list of URIs to be #### Remote desktop connection clients filtered from snapshots -Snapshots won't be saved when supported remote desktop connection clients are used. The following remote desktop connection clients are filtered from snapshots: +Snapshots won't be saved when some remote desktop connection clients are used. The following remote desktop connection clients are filtered by default from snapshots: - [mstsc.exe](/windows-server/administration/windows-commands/mstsc) - [VMConnect.exe](/windows-server/virtualization/hyper-v/learn-more/hyper-v-virtual-machine-connect)
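Review bot: In the first hunk (@@ -42,7 +42,7), the added line names the setting **Sensitive information filtering**, while later in the same paragraph it appears as "Sensitive Information Filtering setting"; use one casing throughout, matching the label shown in Settings. The replacement also drops the `#user-controlled-settings-for-recall` link and gives no other pointer to where the setting is changed. If that section no longer exists, link to wherever the setting or its controlling policy is now documented, so an admin reading the privacy paragraph can still reach the control.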
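Review bot: In the second hunk (@@ -127,7 +127,7), the unchanged paragraph right after the edited one opens with "To filter apps from being saved in snapshots" but then describes the **Set a list of URIs to be filtered from snapshots for Recall** policy, so "apps" looks like it should be "websites"; worth correcting while this section is being touched. The same paragraph lists `https://www.` among URL schemes, although it is a scheme plus a host prefix. Say explicitly whether the `www.` part has to match the site as entered, because a filter entry that silently fails to match leaves that site in snapshots.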
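Review bot: In the third hunk (@@ -151,7 +151,7), "some remote desktop connection clients" in the first added sentence is vaguer than the explicit list that follows, and "filtered by default" in the second implies the default can be changed without saying by whom or how. State whether these clients can be removed from filtering and through which setting or policy, or drop "by default" if the filtering is fixed. It would also help to say plainly that remote desktop clients not in the list are captured unless they are added to the app filter list, since that is the case an admin needs to act on.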