In this post I will explain how to use Microsoft Intune or Active Directory Group Policy to disable Windows Copilot for one or more users.
Introduction
On 26th September 2023, Microsoft released optional update KB5030310, one of the most ground breaking updates to Windows in recent times. With it comes Windows Copilot, which for millions of users worldwide will serve as an introduction to using an AI powered chat interface to enhance their day to day productivity.
Many organisations are still adjusting to the march to an AI enabled workplace and so need some time to test and understand before unleashing it for their workforce.
Disable with Intune
A recent addition to the Policy CSP is the TurnOffWindowsCopilot setting, documented here. At the time of publishing this post there is no built-in setting in Intune to manage Windows Copilot. So we will create a custom OMA-URI policy:
- In Intune, select Devices > Windows > Configuration Profiles > Create profile.
- Under Platform select Windows 10 and later.
- Under Profile type select Templates.
- Under Template Name select Custom > select Create.
- Name the profile something meaningful.
- Under Configuration Settings select Add.
- Set the name to something meaningful.
- Under OMA-URI enter the below text:
./User/Vendor/MSFT/Policy/Config/WindowsAI/TurnOffWindowsCopilot
- Set Data type to Integer.
- Set the Value to 1 (setting it to 0 will enable Windows Copilot which is the default setting).
- Save the policy and assign it to a security group containing users for whom you wish to disable Windows Copilot.
- No reboot is required. When the user next signs in, the Windows Copilot icon in the taskbar will have been removed.
The Administrative Template that is used in the Group Policy version below cannot be imported in to Intune as a Custom Administrative Template. When you come to apply it to a device it will fail because it tries to modify a protected part of the registry.
Disable with Group Policy
Pre-Requisites
- Obtain the WindowsCopilot.admx and WindowsCopilot.adml files from the C:\Windows\PolicyDefinitions file of a Windows 11 device that has the KB5030310 installed on it.
- When Windows 11 23H2 is released it will include the same files.
- Alternatively, you can download the files from my Github here.
Implement Group Policy
- Import the WindowsCopilot.admx file to the PolicyDefinitions folder in your domain. This will either be C:\Windows\PolicyDefinitions on your Domain Controllers or if you have a central store configured (which you should do), it will be in a location like:
\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions
- Import the WindowsCopilot.adml file to the PolicyDefinitions\en-US folder.
- On a Domain Controller or from a device with the AD DS management tools installed, open Group Policy Management console.
- Create a new Group Policy Object and name it something meaningful.
- Edit the GPO, expand User Configuration > Administrative Templates > Windows Components > Windows Copilot
- Open the setting Turn off Windows Copilot.
- Set it to Enabled.
- Select OK. The policy will now look like this:
- Link the GPO to an Organisational Unit that contains users for whom you wish to disable Windows Copilot.
- No reboot is required. When the user next signs in, the Windows Copilot icon in the taskbar will have been removed.
Summary
Windows Copilot provides an opportunity for users to begin experimenting with a new way to command their computers. In a production environment, it is important to use deployment rings such as Test, Pilot and Broad to prepare for and understand the impact of any change to the environment. An ability to roll back for individual users is most welcome. Fortunately, Microsoft have made it easy to switch Windows Copilot on and off on a targeted basis.