
Managing Copilot in Windows

  • Audience: IT administrators
  • Assumed knowledge: Microsoft Intune, Microsoft Entra ID, Group Policy Management, Microsoft 365 licensing
  • Scope / Out of scope: This guide provides procedures for enabling and disabling the Copilot in Windows feature on university-managed devices. It also clarifies the distinction between this OS-level feature and Copilot for Microsoft 365. It covers the user authentication experience and data protection when using a TAMU Entra ID account.
TL;DR
  • Two Copilots: It is critical to distinguish between Copilot in Windows (the AI chat sidebar in the OS, controlled by policy) and Copilot for Microsoft 365 (the AI integrated into Word, Excel, Teams, etc., controlled by licensing).
  • Default State: Copilot in Windows is enabled by default in recent Windows versions but can be centrally disabled.
  • Data Protection is Key: When users sign in with a TAMU Entra ID account, Copilot in Windows automatically provides commercial data protection, meaning prompts and responses are not saved or used to train the underlying AI models.
  • Central Management: The primary method for disabling Copilot in Windows is through Group Policy or an Intune Settings Catalog profile.
  • User Experience: Even on an Entra ID-joined device, the user may be prompted to select their "Connected to Windows" account on first use to ensure the correct identity and data protection policies are applied.

Background & context

Copilot in Windows is an AI-powered assistant integrated directly into the Windows desktop, designed to enhance user productivity. For Texas A&M University, its deployment requires careful management to ensure that organizational data is protected and that the feature is used in compliance with university policies.

When a user is signed in with their TAMU Entra ID account, Copilot operates with commercial data protection. This is a critical security feature that ensures chat data is not retained by Microsoft or used to train the large language models (LLMs). This guide provides IT administrators with the necessary procedures to manage the availability of Copilot in Windows and educate users on the secure authentication experience.

Clarification: Copilot in Windows vs. Copilot for Microsoft 365

It is essential to understand the two distinct products:

| Feature | Copilot in Windows | Copilot for Microsoft 365 |
| --- | --- | --- |
| What it is | An AI assistant integrated into the Windows OS, accessible from the taskbar. | An AI productivity tool embedded within Microsoft 365 Apps (Word, Excel, PowerPoint, Teams, Outlook). |
| How to get it | Included with supported versions of Windows 11 (and backported to some Windows 10 versions). | A premium add-on license (e.g., "Copilot for Microsoft 365") assigned to users with a base license (A3/A5). |
| How to manage it | Enabled or disabled via Group Policy or Intune. | Enabled or disabled by assigning or unassigning a license in the Microsoft 365 admin center. |
| Primary Function | General web queries, summarizing web pages, changing Windows settings, generating text/images. | Works with your organizational data within the M365 ecosystem (e.g., summarizing documents, drafting emails, analyzing data in Excel). |

This guide primarily focuses on managing Copilot in Windows.

Prerequisites

| Requirement | Minimum / version | Notes |
| --- | --- | --- |
| Operating System | Windows 11 (recommended) or Windows 10 (version 22H2 with recent updates). | Functionality and availability may vary. |
| Identity | Microsoft Entra ID | Required for commercial data protection. |
| Licenses | M365 A3 or A5 for TAMU users. | Required for the secure, integrated experience. |
| Management Tools | Microsoft Intune or Group Policy Management Console (GPMC). | For centralized policy enforcement. |

User Authentication Experience with a TAMU Account

For users on university devices, the authentication flow is designed to be seamless while ensuring the correct security context is applied. This experience applies to both Intune-managed and non-managed devices where a user signs in with their TAMU Entra ID.

When first launching Copilot in Windows on a device where you are signed into Windows with your TAMU Entra ID, you will be prompted to confirm your account. This is a one-time step to ensure the correct identity is used.

  • "Connected to Windows": This option represents your TAMU Entra ID account used to sign into the device. Selecting this will seamlessly sign you into Copilot with commercial data protection, typically without requiring re-authentication or MFA due to Single Sign-On (SSO).
  • "Currently Signed-In": This option may appear if you are signed into other Microsoft apps (like Edge) with a different account (e.g., a personal Microsoft Account). Using a personal account will not provide commercial data protection.

This SSO behavior is consistent across the Microsoft 365 ecosystem (OneDrive, Teams, Outlook), where your Windows session authenticates you automatically into the applications.


Procedure / Implementation

Step 1 – Disable Copilot in Windows (Recommended Default)

For environments where access should be restricted by default, use the following policy settings.

Method A: Using Group Policy

  1. Open the Group Policy Management Console (GPMC).
  2. Create or edit a Group Policy Object (GPO) that applies to your target computers.
  3. Navigate to: User Configuration > Administrative Templates > Windows Components > Windows Copilot.
  4. Find the setting Turn off Windows Copilot.
  5. Set the policy to Enabled.
  6. Link the GPO to the appropriate Organizational Units (OUs) and wait for the policy to apply.

Note: After this policy is enabled, the Copilot icon will be removed from the taskbar, and users will not be able to launch it.

Method B: Using Microsoft Intune

  1. Open the Microsoft Intune admin center.
  2. Navigate to Devices > Configuration Profiles.
  3. Create a new profile:
    • Platform: Windows 10 and later
    • Profile type: Settings catalog
  4. Give the profile a name (e.g., "Disable Windows Copilot").
  5. In the Configuration settings, click + Add settings.
  6. Search for "Windows Copilot" and select the Windows Copilot category.
  7. Check the box for Turn off Windows Copilot (User).
  8. Close the settings picker and configure the setting to Enabled.
  9. Assign the profile to the appropriate user or device groups.

Verification: On a target machine, after the policy has synced, confirm that the Copilot icon is no longer visible on the taskbar and that the feature cannot be launched using the Windows Key + C shortcut.

Step 2 – Enable Copilot in Windows for Specific Users

To enable Copilot for a pilot group or for all users, you must ensure the policies from Step 1 are not applied to them.

  1. Policy Configuration:
    • In Group Policy, set the "Turn off Windows Copilot" policy to Disabled or Not Configured.
    • In Intune, either exclude the target user/device group from the "Disable" policy or create a new policy with the setting configured to Disabled and assign it with a higher priority.
  2. User Sign-in: Instruct users to sign into Windows with their TAMU Entra ID account to ensure commercial data protection is active.
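
The visual check in Step 1 and the "not applied" condition in Step 2 can also be confirmed from the policy's backing registry value. The script below is an added example, not part of the original guide: it reads the TurnOffWindowsCopilot value under the WindowsCopilot policy key and compares it with the state you expect. The -Expect parameter, the state names and the extra HKLM read are assumptions made for this example.

```powershell
# Added example (not from the original guide). Run in the target user's session.
param(
    # Expected outcome: 'Off' after Step 1, 'NotBlocked' after Step 2.
    [ValidateSet('Off', 'NotBlocked')]
    [string]$Expect = 'Off'
)

# Registry location backing the "Turn off Windows Copilot" policy.
$subKey    = 'Software\Policies\Microsoft\Windows\WindowsCopilot'
$valueName = 'TurnOffWindowsCopilot'

function Get-CopilotPolicyValue {
    param([Parameter(Mandatory)][string]$Hive)   # 'HKCU:' or 'HKLM:'
    $path = '{0}\{1}' -f $Hive, $subKey
    if (-not (Test-Path -Path $path)) { return $null }
    # Get-ItemProperty returns nothing when the value is absent.
    $item = Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$valueName
}

# The setting in this guide is user-scoped (HKCU). HKLM is read as well
# (an assumption of this example) so a machine-scoped value is not missed.
$results = foreach ($hive in 'HKCU:', 'HKLM:') {
    $value = Get-CopilotPolicyValue -Hive $hive
    [pscustomobject]@{
        Hive  = $hive
        Value = if ($null -eq $value) { '(not set)' } else { $value }
        # Only the value 1 turns Copilot off; 0 or absent does not block it.
        State = if ($value -eq 1) { 'TurnedOff' } else { 'NotTurnedOff' }
    }
}
$results | Format-Table -AutoSize | Out-Host

# Copilot is off for this user if either hive carries the value 1.
$isOff  = [bool]($results | Where-Object { $_.State -eq 'TurnedOff' })
$actual = if ($isOff) { 'Off' } else { 'NotBlocked' }

if ($actual -eq $Expect) {
    Write-Output "PASS: policy state is '$actual' for $env:USERNAME."
    exit 0
}
Write-Output "FAIL: expected '$Expect' but policy state is '$actual'. Refresh policy (gpupdate /force or an Intune sync) and re-check."
exit 1
```

A 'NotBlocked' result only means this policy is not turning Copilot off; availability still depends on the OS version and sign-in requirements listed under Prerequisites.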

Security & Compliance Considerations

  • Commercial Data Protection: This is the most critical security feature for an enterprise. It is automatically enabled when a user signs into Copilot in Windows with an Entra ID account. You must communicate to users that signing in with a personal Microsoft Account does not offer this protection.
  • Tenant Restrictions: To prevent data exfiltration or use of unapproved AI tools, consider implementing tenant restrictions through your network proxy or firewall. This can block users from signing into Copilot (or other Microsoft services) with personal or non-TAMU accounts on university-managed devices.
  • Data Governance: While chat history is not saved with commercial data protection, users can still copy/paste sensitive information into prompts. Remind users of existing data handling policies. The built-in Microsoft Purview tools can help classify and protect data that might be used in Copilot prompts.

Best Practices & Recommendations

  • Communicate Clearly: Inform users about the availability of Copilot, the benefits of using their TAMU account (security), and the risks of using a personal account (no data protection).
  • Start with a Pilot: Before a broad rollout, enable Copilot for a pilot group of users (e.g., IT staff or a specific department) to gather feedback and identify potential issues.
  • Monitor Usage: While individual prompts are not logged, you can monitor the overall adoption and usage of Microsoft 365 services to understand the impact of Copilot on productivity.

References & FAQs

FAQs

  • Q: If we disable Copilot in Windows, does that also disable Copilot in Word, Excel, etc.?

    • A: No. The two are managed independently. Disabling Copilot in Windows via policy has no effect on Copilot for Microsoft 365, which is controlled by license assignment.
  • Q: What happens if a user is signed into Edge with a personal account but into Windows with a TAMU account?

    • A: Copilot in Windows will prompt the user to choose an account. They must select their "Connected to Windows" (TAMU) account to receive commercial data protection.

Responsibilities

  • IT Administrators: Responsible for the configuration, deployment, and enforcement of Copilot policies via Intune and Group Policy.
  • End-User Support Teams: Communicate the proper usage of Copilot to users and assist with authentication or access issues.
  • Texas A&M Technology Services: Monitor policy compliance and update configurations in response to new features or security guidance from Microsoft.

This article was collaboratively developed by a human subject matter expert and an AI assistant to ensure it is both comprehensive and easy to understand.