Toggling Recall off in Settings leaves the feature installed and eligible for re-enablement via future updates. Removing it at the DISM level is cleaner and sticks.
Requires: Copilot+ PC, elevated prompt.
DISM /online /Disable-Feature /FeatureName:”Recall”
Reboot if prompted, then verify:
DISM /online /Get-FeatureInfo /FeatureName:”Recall”
You want State : Disabled with Payload Removed — anything less and the binaries are still on disk.
Enterprise Deployment
Drop this into your Intune remediation, GPO startup script, or Autopilot provisioning flow:
powershell
$state = (DISM /online /Get-FeatureInfo /FeatureName:”Recall” | Select-String “State”).ToString()
if ($state -notlike “*Disabled*”) {
DISM /online /Disable-Feature /FeatureName:”Recall” /NoRestart
}
For offline image prep, swap /online for /image:<mount_path> to bake it out of your WIM before deployment.
Why Bother?
Recall snapshots everything — banking portals, healthcare apps, credentials mid-entry — and indexes it in a local SQLite database. On-device storage is the current model, but any LPE or physical access scenario turns that database into a full activity log handed to an attacker. For environments under HIPAA, GDPR, or SOC 2, disabling it isn’t optional.
To reverse: DISM /online /Enable-Feature /FeatureName:”Recall” — though if the payload was removed, expect a reach-out to Windows Update or installation media.
