Microsoft privacy and MDM fallout
Microsoft's Recall feature and a mass‑wipe via Intune after the Stryker breach have reignited concerns about automated data capture and MDM security. Investigators flagged exposed screenshots and urged tighter controls. U.S. agencies and security teams are now pushing organizations to harden MDM configurations and audit automated capture and retention features. (bankinfosecurity.com) (techcrunch.com)
Alexander Hagenah, the Zurich-based researcher behind the TotalRecall demo, reported a new exploitable flaw in Windows Recall on March 19, 2026, and said he will publish a full technical write-up after coordinating with Microsoft. (bankinfosecurity.com) Independent tests have repeatedly shown Recall can capture plaintext passwords, payment card numbers, and other sensitive on-screen data despite Microsoft's "sensitive information filtering" controls, with PCWorld and other outlets documenting live captures during testing. (pcworld.com) Microsoft's enterprise guidance confirms that admins can configure Recall policies, but that snapshot storage and user opt-in semantics leave local Recall data accessible unless tenants apply additional controls. (learn.microsoft.com)
Stryker disclosed a cybersecurity incident on March 11, 2026 that disrupted its Microsoft environment in a global outage, and multiple investigators reported the attackers leveraged access to Intune to remotely wipe tens of thousands of corporate devices. (sec.gov) The U.S. Cybersecurity and Infrastructure Security Agency issued an alert on March 18, 2026 urging organizations to harden Microsoft Intune configurations and explicitly pointed admins to Microsoft's hardening checklist and Multi‑Admin Approval controls. Security teams and post‑incident analyses are prescribing scoped RBAC, time‑bound elevation via Entra PIM, phishing‑resistant MFA, Conditional Access for privileged operations, and Intune multi‑admin approval workflows as immediate mitigations against weaponized MDM consoles. (techcommunity.microsoft.com)