As everyone knows by now, Copilot is coming to Windows. For people in some parts of the world (e.g. USA) this is already a reality. But for us in Europe, we are still waiting for it to be made available.
I rarely write posts about how to disable things, I’m a fan of giving the power to the end-user to use the new awesome tools made available for them. But Copilot is a massive thing, and for many organizations this is both a legal/policy issue, and a technical readiness issue. We need to be able to provide our users with services in a controlled way.
Many of the larger organizations I’ve been working with over the years take this approach, enabling new services in a controlled way.
So, let’s look at how we can control this using Microsoft Intune. In this post, we will not dig into what Copilot for Windows is.
Creating a policy
As usual, my focus is on cloud solutions so we will look into how you can do this using Microsoft Intune and not GPOs.
Today, there is no Settings Catalog, so we need to rely on a Custom policy which we create by heading into the Device blade, choosing Windows > Configuration Profiles and select “+ Create” > “New policy“. Then we select Windows 10 and later as platform, and use Template > Custom as profile type.
As usual, start of by giving your profile a good name based on your naming convention.
Now, lets add a custom setting by pressing the “Add” button.
Add the following information to your custom entry:
Name: Disable Windows Copilot
Data type: Integer
Should look something like this and then hit save at the bottom of the fly out.
You have now successfully added a custom CSR setting.
Hit Next at the bottom of the screen and assign your policy to a user/device group. As always, if you are doing this in production, start with a test group before going for broad deployment.
For this demo purpose, I’ve added the built in “All users” group.
Skip the “Applicability rules” and head to “Review + Create” and review your profile before creating it. Once the profile has been created, the waiting game starts for the policy to apply. As usual, you can speed this up by pressing “Sync” on any of your devices that will be targeted.
When the policy has been applied, the Copilot icon will be removed from the task bar.
Doing a controlled roll-out
We have currently removed Copilot for all the users in your environment, but how do we start enabling it again?
Well, we need to do two things:
- Create a group for our allowed users/devices
- Exclude them from the policy we just created
Since the default value for the Windows Copilot feature is to be enabled, we don’t really need to add a new policy. We can just exclude our targeted users/devices. This also makes broad deployment easy since we can gradually just exclude users/devices until we want to enable it for everyone.
Please be aware that the change is not instant, the device needs to check-in before the policy is updated (but it’s fast when you do a forced sync).
So, would we disable this for all users and do a controlled roll-out? Well new features are not always easy for end-users to gasp or even understand that they have. People within IT tend to always want the latest and greatest and be early adopters. But “real” end-users are not always like that. We need to make sure that we can get information out to our end-users about this awesome new feature.
There might also be that we need to do some assessments around the service before we can enable it in our environment, this could be both legal and internal policy that is controlling this.
But as always, I really encourage you to enable this for your end-users once it’s available in your region. For us in Europe, we will have to wait a bit longer, but looking at the recent announcements around a Copilot-button on all Windows keyboards, I think we can really tell where we are heading with this.
So please, don’t just disable this for the sake of disabling. And if you do disable it, have a plan to enable it. It will bring awesome value to your end-users (especially if you have Microsoft 365 Copilot licenses).