Categories
Intune

Copilot in Windows – How to turn it off using MS Intune

As everyone knows by now, Copilot is coming to Windows. For people in some parts of the world (e.g. USA) this is already a reality. But for us in Europe, we are still waiting for it to be made available.

I rarely write posts about how to disable things, I’m a fan of giving the power to the end-user to use the new awesome tools made available for them. But Copilot is a massive thing, and for many organizations this is both a legal/policy issue, and a technical readiness issue. We need to be able to provide our users with services in a controlled way.

Many of the larger organizations I’ve been working with over the years take this approach, enabling new services in a controlled way.

So, let’s look at how we can control this using Microsoft Intune. In this post, we will not dig into what Copilot for Windows is.

Creating a policy

As usual, my focus is on cloud solutions so we will look into how you can do this using Microsoft Intune and not GPOs.

Today, there is no Settings Catalog, so we need to rely on a Custom policy which we create by heading into the Device blade, choosing Windows > Configuration Profiles and select “+ Create” > “New policy“. Then we select Windows 10 and later as platform, and use Template > Custom as profile type.

As usual, start of by giving your profile a good name based on your naming convention.

Now, lets add a custom setting by pressing the “Add” button.

Add the following information to your custom entry:

Name: Disable Windows Copilot
Description: 
OMA-URI: ./User/Vendor/MSFT/Policy/Config/WindowsAI/TurnOffWindowsCopilot
Data type: Integer
Value: 1

Should look something like this and then hit save at the bottom of the fly out.

You have now successfully added a custom CSR setting.

Hit Next at the bottom of the screen and assign your policy to a user/device group. As always, if you are doing this in production, start with a test group before going for broad deployment.

For this demo purpose, I’ve added the built in “All users” group.

Skip the “Applicability rules” and head to “Review + Create” and review your profile before creating it. Once the profile has been created, the waiting game starts for the policy to apply. As usual, you can speed this up by pressing “Sync” on any of your devices that will be targeted.

When the policy has been applied, the Copilot icon will be removed from the task bar.

Doing a controlled roll-out

We have currently removed Copilot for all the users in your environment, but how do we start enabling it again?

Well, we need to do two things:

  • Create a group for our allowed users/devices
  • Exclude them from the policy we just created

Since the default value for the Windows Copilot feature is to be enabled, we don’t really need to add a new policy. We can just exclude our targeted users/devices. This also makes broad deployment easy since we can gradually just exclude users/devices until we want to enable it for everyone.

Please be aware that the change is not instant, the device needs to check-in before the policy is updated (but it’s fast when you do a forced sync).

Take away

So, would we disable this for all users and do a controlled roll-out? Well new features are not always easy for end-users to gasp or even understand that they have. People within IT tend to always want the latest and greatest and be early adopters. But “real” end-users are not always like that. We need to make sure that we can get information out to our end-users about this awesome new feature.

There might also be that we need to do some assessments around the service before we can enable it in our environment, this could be both legal and internal policy that is controlling this.

But as always, I really encourage you to enable this for your end-users once it’s available in your region. For us in Europe, we will have to wait a bit longer, but looking at the recent announcements around a Copilot-button on all Windows keyboards, I think we can really tell where we are heading with this.

So please, don’t just disable this for the sake of disabling. And if you do disable it, have a plan to enable it. It will bring awesome value to your end-users (especially if you have Microsoft 365 Copilot licenses).

Categories
Modern Workplace

Microsoft Ignite 2023 recap

It’s that time of the year again. Not Christmas. Microsoft Ignite time!

This year I decided not to go to Seattle, but instead follow it virtually from home. I can say now when Microsoft Ignite is over that I’ve had a severe case of FOMO the last couple of days, by just seeing all the pictures it looked like it was a really awesome event!

But since MS Ignite is over, it means that it’s time for a recap. What did I find most interesting?

For starters. There was a clear theme this year. AI, AI, Copilot, Copilot and Copilot. 😂

Oh, and the picture in the top of this post is of course created using AI!

Windows 365

There was a bunch of new things released within Windows 365 at Ignite, and Windows 365 actually got time in the main keynotes!

New Windows app – A preview of a new app to support not only Windows 365 and Cloud PC, but to also give you all your Azure Virtual Desktops, DevBox and published apps in the same place. The cool thing is that it’s also platform independed so we will see the same experiance on all major platforms going forward. You be able to have a “Windows” app on your iPad.

Windows 365 GPU support – Microsoft announced that GPU support for graphic design work is coming to Windows 365, and this will really be great for a lot of customer scenarios! It will be really interesting to see the pricetag on the GPU SKU, I would kind of guess that you really need to have a good business case and not just have it’s because GPUs are cool…

Windows 365 AI capabilities – It was also announced that you as an IT admin will be able to get AI based recommendation on sizing the Cloud PCs. This to help improving cost efficiency and user sattisfaction. Preview will be released soon.

Single-sign on (SSO) and passwordless authentication – SSO and passwordless has for quite some time now been in preview in the Intune portal, but it’s not in general availability. This also applies to approved AVD providers!

Watermarking, screen capture protection, and tamper protection – in order to increase security and prevent dataloss, these features which have been in public preview for a while are now in general availablity on both Windows 365 and AVD.

Windows 365 Customer Lockbox – To ensure that Microsoft support engineers can’t access content to do service operations without explicit approval, you can use Customer Lockbox. This is similar to other Customer Lockbox within the Microsoft ecosystem. This is in public preview.

Windows 365 Customer Managed Keys – I think this is a pretty cool update. You will soon be able to use your own encryption keys for encrypting the Windows 365 Cloud PC disk.

Windows

Eventhough Microsoft Build is usually where we see most Windows news, there were a couple during Ignite this year.

Copilot in Windows – This was actually announced at the event earlier this fall and went in to public preview for selected markets on the 1st of November. During Ignite Microsot announced that it will go into general availablity in December, so let’s cross out fingers Europe is included!

Windows Autopatch for frontline workers– Windows Autopatch is not new, but Windows Autopatch is now included in the Microsoft 365 F3 subscription to ensure frontline workers are kept up to date.

Windows Autopilot and Windows Update for Business merging – Microsoft is streamlining the interface to handle updates

Microsoft Intune

There were a few big announcements for Microsoft Intune, and I would say the two biggest were around macOS management, Security Copilot in Intune and the Intune Suite.

MacOS management – Microsoft has for a while now been very loud about their story around macOS and Intune, and we are now starting to see the outcome of this. I wouldn’t say that there were that much news related to Ignite around this, but they were pushing for that Intune is now in the forefront of device management for Mac, which means that you no longer need to have Jamf or such to have extensive macOS management.

Security Copilot for Intune – As part of the Copilot and Ai journey we are on, Security Copilot will help you dentify annomolies or issues in your environment. It will help you analyze big chunks of data in no time to find security related events. But Security Copilot is more than that, it will also integrate in Microsoft Intune to help you create new policies or figure out how to solve issues that arrises. This will be such a great feature for many admins out there!

Microsoft Intune suite updates – Microsoft Intune Suite was announced back in March this year and has so far mostly been focues on Endpoint Privilegde Management and Remote Help. Microsoft has now announced three more features that are coming; Enterprise App Management, Advanced Analytics and Cloud PKI. These three additional services will make the Intune Suite bundle even better and are expected to all be available in February of 2024.

Summary

To be honest, this years focus at Ignite was Copilot. The word “Copilot” is mentioned 289 times in the book of news. That kind of set the tone for Ignite. Don’t get me wrong, I’m super excited for Copilot but this year was crazy!

Any how, lot of cool stuff coming out of Ignite this year and I think we will see things moving even faster now around AI since post-Ignite there has been some news around people from OpenAI joining Microsoft… What a time to be alive!

One thing that I take with me is that next year, I want to go to Seattle and be there in person. My feeds has been filled with Ignite related pictures and the FOMO has been real!