Paul Thurrott has published the first deep-dive documentation of Windows 11’s Click to Do feature on Copilot+ PCs, revealing exactly how the contextual AI tool splits its intelligence between on-device processing and Microsoft’s cloud servers. The page, added to his Windows 11 Field Guide on July 12, 2026, walks through the interface with screenshots and screen recordings, clarifying for the first time which actions run entirely on the Neural Processing Unit (NPU) and which require an internet connection—and, by extension, share your selected content with Microsoft.

Click to Do debuted alongside Copilot+ PCs in 2024 as a tap-and-hold gesture that surfaces AI-powered suggestions over text or images. But until now, Microsoft’s public messaging painted a blurry picture of where that intelligence happens. Thurrott’s guide fills the gaps with a granular look at each action’s privacy footprint, giving users the information they need to make informed choices about their data.

What the Field Guide Uncovers

Thurrott’s entry in the Field Guide breaks Click to Do into two tiers: fast, private actions that execute on-device, and advanced actions that reach out to the cloud. The split isn’t always obvious from the menu itself—a “Summarize” suggestion might be local or cloud-based depending on the length and complexity of the selected content.

Actions That Stay on Your PC

According to the guide, these tasks are processed entirely by the NPU and require no internet:
- Short summaries (under about 400 words) of text selections.
- Rewrite (simple) – basic tonality changes like making text more formal or casual.
- Explain (basic) – generating a plain-language explanation of a selected term or concept.
- Visual suggestions over images, such as identifying objects, text extraction (OCR), and generating descriptive alt-text.
- Local search – using the selected text to search your own files and settings via Windows Search.

All local processing occurs within a secure enclave on the Qualcomm Snapdragon X series or equivalent Copilot+ processor, and the data never leaves the device.

Actions That Send Data to Microsoft Servers

Thurrott flags the following as cloud-reliant:
- Summarize (long text) – anything over ~400 words triggers a server-side model.
- Rewrite (creative or nuanced) – when you ask for a specific tone or style beyond simple formality.
- Explain (extended) – deeper context that requires pulling in web-based knowledge.
- Generate – creating completely new text or image variations from a prompt.
- Search with Bing – automatically sending the selection to the Bing search engine.
- Translate – while basic translation can run locally on supported NPUs, the guide notes that the current implementation defaults to cloud translation services.

For any cloud action, the selected text or image metadata is transmitted to Microsoft servers. Thurrott’s screenshots show a subtle cloud icon next to these options—a visual cue that was inconsistently present in earlier preview builds but now appears standardized. The guide also confirms that Microsoft logs cloud-processed requests for “service improvement” unless you’ve opted out of diagnostic data collection.

What It Means for Everyday Users

If you’re using a Copilot+ PC and you’ve ever long-pressed on a paragraph or an image, you’ve probably seen the Click to Do pop-up. The convenience is real: summarize a meeting transcript, rewrite an email, or search for a product without leaving your app. But the privacy trade-off matters.

For home users: The distinction between local and cloud actions is critical if you handle sensitive documents—tax returns, medical records, legal papers. The guide shows you can stick to local-only modes by avoiding long summaries and complex rewrites. However, the threshold of ~400 words for summarization means even moderately sized emails will trigger a cloud request. And if you use Translate frequently, be aware it’s likely sending your text off-device unless you’ve manually changed a setting (more on that below).

For privacy-conscious professionals: The “visual suggestions” and OCR are a bright spot—they run entirely on-device, so you can extract text from an image of a confidential whiteboard without worry. But pasting that extracted text into a long summarization immediately shifts you to the cloud. It’s a workflow trap that Thurrott’s guide explicitly warns about.

For parents and family PC administrators: Children’s accounts may inadvertently trigger cloud actions. The guide mentions that child accounts have restricted cloud access by default, but the setting isn’t bulletproof—a child could still select a large chunk of text and tap “Summarize.” Monitoring the activity is possible via privacy dashboards, but not obvious.

What It Means for IT and System Administrators

Enterprise environments get a sharper toolset. Thurrott notes that the Click to Do privacy behavior is manageable via group policies and MDM configurations introduced in the Windows 11 24H2 update and refined through 2026. Key controls include:
- Disable cloud actions entirely – forcing all Click to Do features to run locally (or fail gracefully if not possible).
- Per-app restrictions – allow cloud actions in Microsoft Edge but block them in proprietary line-of-business apps.
- Data boundary enforcement – ensure that if cloud actions are allowed, they route through your tenant’s designated data boundary region.

Admins can also audit which users and devices trigger cloud requests through the Microsoft 365 compliance center, though Thurrott cautions that the audit trail can get noisy in large orgs.

The guide also highlights that device settings themselves might trigger a cloud call: when you first open Click to Do, a mandatory “feature setup” handshake with Microsoft’s licensing servers verifies your Copilot+ entitlement. That’s a one-time event, but it underscores that even the feature’s existence dances with the cloud.

How We Got Here: The Road to Click to Do Transparency

Click to Do was announced in May 2024 as part of the original Copilot+ PC launch, standing alongside Recall and Cocreator as flagship AI experiences. Early demos showed the feature suggesting actions based on what you selected, but privacy specifics were vague. Stories from The Verge and Ars Technica in late 2024 raised concerns about data handling, echoing broader AI privacy debates.

Microsoft responded in early 2025 with a support article stating that “most” Click to Do features used local processing, but the lack of specificity frustrated users. A subsequent Windows Insider build added informational tooltips mentioning cloud involvement, but they were inconsistent and often only in English.

Paul Thurrott has been tracking Windows AI features since the beginning. His Field Guide update is significant because it’s the first independent, screenshot-backed documentation that catalogs the behavior based on production builds. Unlike official documentation, which tends to gloss over edge cases, Thurrott’s guide includes real-world examples like “Summarize a 500-word email” and shows which AI model kicks in.

The timing coincides with a broader push for AI transparency: the EU AI Act’s transparency provisions came into force for general-purpose AI systems in mid-2025, and while Microsoft isn’t forced to disclose every function, the regulatory pressure likely made an informal guide like Thurrott’s possible without legal pushback.

What to Do Right Now

If you’re using a Copilot+ PC today (or planning to), here are concrete steps based on Thurrott’s findings:

1. Check Your Click to Do Settings

Head to Settings > Privacy & security > Click to Do (the path may vary slightly by build). You’ll find toggles for:
- Allow cloud-based suggestions – turning this off disables all actions that require internet. If you try to summarize a long text, you’ll get an error instead.
- Contribute data for service improvement – separate from overall Windows diagnostic data, this specifically controls whether your cloud-processed content can be reviewed by humans. Turn it off if you want maximum privacy.

2. Use Visual Cues

When the Click to Do menu pops up, look for the small cloud icon next to any action. If you see it, proceeding will send data off-device. On some builds, a confirmation dialog appears before the first cloud action; you can check “Don’t ask again” to bypass it, but that’s risky if you share your PC.

3. For Sensitive Work, Stick to Short Selections

If you must summarize or rewrite sensitive text, break it into chunks under 400 words. Thurrott’s guide shows the system respects a hard cutoff—401 words triggers the cloud model. It’s clumsy, but effective for occasional use.

4. Enterprise Admins: Deploy Policies Now

If you manage Copilot+ PCs, enforce the following CSP policies (available in ADMX templates updated as of Windows 11 24H2):
- Experience/AllowCloudBasedClickToDo (set to 0 to disable).
- Privacy/ConfigureClickToDoDiagnosticSettings (set to 1 to prevent data sharing).
Test them on a pilot group before broad deployment, as some line-of-business apps may expect cloud actions to function.

5. Keep Windows Updated

Build updates frequently tweak how Click to Do handles data. Thurrott’s guide was written against build 26100.xxxx (July 2026 cumulative update). Check your build, and monitor Thurrott’s site or official release notes for changes.

What’s Next for Click to Do

Paul Thurrott’s documentation isn’t just a one-time peek; it sets the stage for a more informed conversation about AI on Windows. We should expect Microsoft to evolve the feature’s privacy UI based on feedback like this. Already, rumors from Windows Central suggest a “Privacy Dashboard” revamp in late 2026 that will give per-action controls for all AI features, including Click to Do and Recall.

For now, the Field Guide serves as a user manual that Microsoft never quite provided—practical, pixel-specific, and free of marketing. The ball is in Redmond’s court to see whether they’ll match that clarity inside Windows itself.