Bring Your Own Recall

A discussion of the impact of Microsoft Recall on remote agent BYOD in the call center and telephone answering service (TAS) industries


Before I dive into the meat and potatoes, a quick update on Office Hours and Scripting Session this week.

We'll have the full Office Hours/Scripting Sessions calendar for May sent out before next week.

You've heard of Microsoft Recall, right? It's a somewhat controversial feature that Microsoft is making another attempt at rolling out.

In managed environments, like the corporate domains many of you utilize, Recall will be an opt-in choice:

By default, Recall is disabled and removed on managed devices. IT admins can choose if they want to allow Recall to be used in their organizations and users, on their own, won't be able to enable it on their managed device if the Allow Recall policy is disabled.

Specifically, this is going to apply to:

  • Domain-joined desktops and laptops at your office(s)
  • Domain-joined (or Entra managed) desktops and laptops for your remotes

Essentially, if you provide a managed device to your employee, it's likely that you'll have control over how Recall is utilized.

But for everyone who relies on their agents to supply their own computer: you might need to audit your approach.

BYOD Is A Liability...For Employees?

With many organizations requiring specific software to be installed on "work computers," the concept of BYOD has lost its appeal to those who care about their own privacy and security.

For example, it's pretty common to see "Activity Monitoring" features that provide screen monitoring, application usage, and keystroke logging in workforce management. Heck, even some LOB (Line of Business) applications do similar things.

This is a pretty direct opinion of mine: If you want to utilize this type of software (nannyware, stalkerware, bossware, etc.) for remote users, you should supply them with dedicated at-home work equipment.

Would you accept a job that required you to install monitoring software on your own device? I would fight it tooth-and-nail.

However, Microsoft Recall may introduce scenarios where the employee can now spy on your systems when used in a BYOD scenario.

BYOD Is A Liability...for Employers?

The funny thing to me was how sure some people are that there aren't any companies doing BYOD without MDM. It's like they've never worked with a small business? Sadly, our industry routinely asks employees to use their personal devices with little-to-no oversight, despite the ongoing guidance against it.

As with most things, it largely comes down to cost. Turnover is difficult in our industry, and nobody wants to lose an employee: the training effort, payroll, and time put into them – and a $700+ laptop.

Need help with these terms? BYOD means Bring Your Own Device, and MDM means Mobile Device Management. When discussed together, it's essentially the practice of installing some sort of management software on the personal devices of your employees to ensure they meet security, compliance, and risk requirements.

If you rely on BYOD, you risk potential security issues like:

  • Unwanted or malicious software installation
  • Minimal control over effective security policy
  • Remote monitoring & management limitations
  • Performance becomes your problem
  • Home computers shared by many users and generations
  • Unwanted surveillance or shoulder-surfing

You also run into scenarios where your IT staff are unclear on the boundaries between "work" and "personal" support for your remote agents.

In my experience, this leads to a lot of wasted effort.

And now, on top of everything else, with Microsoft Recall you have to worry about whether their personal computer is recording the complete, searchable, indexed history of every call they took.

The Advice You've Been Waiting For

If BYOD is a liability for both employees and employers, why are we still doing it?

That's my advice: don't do it.

If you have the option (and budget), I highly recommend providing managed computers for your remote staff. This solves many of the security issues with BYOD, negates a majority of the push-back remote staff will have about installing nannyware on their computers, and ensures you can effectively manage Microsoft Recall (and future monstrosities) when it comes out.

That being said, there are some other things you can and should do if you are in a BYOD environment and don't think you can transition out anytime soon.

  • Set up a dedicated profile on their BYOD computer for use with remote work. Microsoft Recall history is limited to the user who generates it.
  • Preemptively disable Recall through the Windows registry, Group Policy, or manually. This article from Texas A&M walks you through those steps.
  • Don't buy Copilot+ compatible PCs so it can't be enabled at all
  • Add your Line of Business applications to the Recall filter

But none of this is foolproof. The computer owner (i.e., the remote employee) could just turn it back on and start data-mining until your monitoring (or lack of) picks it up again.
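Because the owner can flip the setting back, the registry step is only useful if something re-checks it. The script below is an added example, not taken from this post or the Texas A&M article: it reports the Recall policy values and, with the hypothetical -Enforce switch, sets them. It assumes the registry names behind Microsoft's WindowsAI policies (AllowRecallEnablement, DisableAIDataAnalysis) and an elevated PowerShell prompt.

```powershell
# Added example: audit (and optionally set) Recall policy state on a Windows 11 PC.
# Assumption: value names are those behind Microsoft's WindowsAI Group Policy settings.
param([switch]$Enforce)   # -Enforce is this example's own switch

$policyKey = 'SOFTWARE\Policies\Microsoft\Windows\WindowsAI'
$wanted = @(
    @{ Hive = 'HKLM'; Name = 'AllowRecallEnablement'; Value = 0 },  # Recall cannot be enabled
    @{ Hive = 'HKLM'; Name = 'DisableAIDataAnalysis'; Value = 1 },  # no snapshots, all users
    @{ Hive = 'HKCU'; Name = 'DisableAIDataAnalysis'; Value = 1 }   # no snapshots, this user
)

function Get-RecallPolicyState {
    foreach ($w in $wanted) {
        $path = "$($w.Hive):\$policyKey"
        # A missing key or value yields $null, which never equals the expected number.
        $current = (Get-ItemProperty -Path $path -Name $w.Name -ErrorAction SilentlyContinue).($w.Name)
        [pscustomobject]@{
            Path      = $path
            Name      = $w.Name
            Current   = if ($null -eq $current) { '(not set)' } else { $current }
            Expected  = $w.Value
            Compliant = ($current -eq $w.Value)
        }
    }
}

if ($Enforce) {
    foreach ($w in $wanted) {
        $path = "$($w.Hive):\$policyKey"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $w.Name -Value $w.Value -PropertyType DWord -Force | Out-Null
    }
}

# The optional feature does not exist on every PC, so a lookup failure is not an error here.
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Recall' -ErrorAction SilentlyContinue
$featureState = if ($feature) { $feature.State } else { 'NotPresent' }

$report = Get-RecallPolicyState
$report | Format-Table -AutoSize
"Recall optional feature state: $featureState"

# Non-zero exit lets a sign-in script or RMM check flag the machine.
if ($report.Compliant -contains $false) { exit 1 }
```

Run without -Enforce as a recurring check (for example at sign-in to the work profile); a result that was compliant last week and is not today is the "turned it back on" case described above.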

So this brings us back to my recommendation that companies provide the equipment remote employees need to work remotely.

The Overall Impact? Be Careful

You really, really don't want to deal with the implications of Microsoft Recall on devices you don't control if you're in any sort of privacy- or medical-related field that has HIPAA or GDPR implications.

While it's easy enough for established IT departments to handle this new feature, small businesses might not be paying enough attention to understand the implications of the feature being turned on.
