Edit

Manage Copilot in Windows

Looking for consumer information? See Welcome to Copilot in Windows.

Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop and is designed to help users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based Copilot in Edge. However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since it's possible for users to copy and paste sensitive information into the chat.

Note

  • Copilot in Windows is currently available as a preview. We will continue to experiment with new ideas and methods using your feedback.
  • Copilot in Windows (in preview) is available in select global markets and will be rolled out to additional markets over time. Learn more.

Configure Copilot in Windows for commercial environments

At a high level, managing and configuring Copilot in Windows for your organization involves the following steps:

  1. Understand the available chat provider platforms for Copilot in Windows
  2. Configure the chat provider platform used by Copilot in Windows
  3. Ensure the Copilot in Windows user experience is enabled
  4. Verify other settings that might affect Copilot in Windows and its underlying chat provider

Organizations that aren't ready to use Copilot in Windows can disable it until they're ready with the Turn off Windows Copilot policy. This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot in Windows and the icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot in Windows when it's available to them.

  Setting
CSP ./User/Vendor/MSFT/Policy/Config/WindowsAI/TurnOffWindowsCopilot
Group policy User Configuration > Administrative Templates > Windows Components > Windows Copilot > Turn off Windows Copilot

Chat provider platforms for Copilot in Windows

Copilot in Windows can use either Microsoft Copilot, Copilot with commercial data protection, or Copilot with Graph-grounded chat as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform is important because it's possible for users to copy and paste sensitive information into the chat. Each chat provider platform has different privacy and security protections.

Copilot

Copilot is a consumer experience and has a daily limit on the number of chat queries per user when not signed in with a Microsoft account. It doesn't offer the same data protection as Copilot with commercial data protection.

Copilot with commercial data protection

Copilot with commercial data protection is intended for commercial use scenarios and offers commercial data protection. The following privacy and security protections apply for Copilot with commercial data protection:

  • User and organizational data is protected, chat data isn't saved, and your data isn't used to train the underlying large language models (LLMs). Because of this protection, chat history, 3rd-party plugins, and the Bing app for iOS or Android aren't currently supported. Copilot with commercial data protection is accessible from mobile browsers, including Edge mobile on iOS and Android. Review the Copilot with commercial data protection privacy statement.

  • Copilot with commercial data protection is available, at no additional cost, for the following licenses:

    • Microsoft 365 E3 or E5
    • Microsoft 365 F3
    • Microsoft 365 A1, A3, or A5
      • Copilot with commercial data protection is limited to faculty and higher education students over 18 years of age
    • Office 365 A1, A3, or A5
      • Copilot with commercial data protection is limited to faculty and higher education students over 18 years of age
    • Microsoft 365 Business Standard
    • Microsoft 365 Business Premium

    Note

    Copilot with commercial data protection doesn't have access to Microsoft 365 Apps data, such as email, calendar, or files using Microsoft Graph, unlike Microsoft Copilot with Graph-grounded chat.

Microsoft Copilot with Graph-grounded chat

Copilot with Graph-grounded chat enables you to use your work content and context in Copilot for Windows. With Graph-grounded chat, you can draft content and get answers to questions, all securely grounded in your Microsoft Graph data such as user documents, emails, calendar, chats, meetings, and contacts. When you use the Work toggle in Copilot in Windows to query Graph-grounded chat, the following high-level privacy and security protections apply:

  • Prompts, responses, and data accessed through Microsoft Graph aren't used to train foundational LLMs.
  • It only surfaces organizational data to which individual users have at least view permissions.
  • The information contained within your prompts, the data retrieved, and the generated responses remain within your tenant's service boundary. For more information about privacy and security for Graph-grounded chat, see Data, Privacy, and Security for Microsoft Copilot for Microsoft 365
  • Copilot with Graph-grounded chat is part of Copilot for Microsoft 365. Copilot for Microsoft 365 is an add-on plan. For more information about prerequisites and license requirements, see Microsoft Copilot for Microsoft 365 requirements.

Configure the chat provider platform that Copilot in Windows uses

Configuring the correct chat provider platform for Copilot in Windows is important because it's possible for users to copy and paste sensitive information into the chat. Each chat provider platform has different privacy and security protections. Once you select the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization's users. The following sections describe how to configure the chat provider platform that Copilot in Windows uses.

Microsoft Copilot as the chat provider platform

Copilot is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur:

  • Commercial data protection isn't configured for the user.
  • Commercial data protection is turned off.
  • The user isn't assigned a license that includes Copilot with commercial data protection.
  • The user isn't signed in with a Microsoft Entra account that's licensed for Copilot with commercial data protection.

To verify that Copilot with commercial data protection is enabled for the user as the chat provider platform for Copilot in Windows, use the following instructions:

  1. Sign into the Microsoft 365 admin center.
  2. In the admin center, select Users > Active users and verify that users are assigned a license that includes Copilot. Copilot with commercial data protection is included and enabled by default for users that are assigned one of the following licenses:
    • Microsoft 365 E3 or E5
    • Microsoft 365 F3
    • Microsoft 365 A1, A3, or A5
      • Copilot with commercial data protection is limited to faculty and higher education students over 18 years of age
    • Office 365 A1, A3, or A5
      • Copilot with commercial data protection is limited to faculty and higher education students over 18 years of age
    • Microsoft 365 Business Standard
    • Microsoft 365 Business Premium
  3. To verify that commercial data protection is enabled for the user, select the user's Display name to open the flyout menu.
  4. In the flyout, select the Licenses & apps tab, then expand the Apps list.
  5. Verify that Copilot is enabled for the user.
  6. If you prefer to view a user's licenses from the Azure portal, you'll find it under Microsoft Entra ID > Users. Select the user's name, then Licenses. Select a license that includes Copilot, and verify that it's listed as On. If you previously disabled Copilot with commercial data protection (formerly Bing Chat Enterprise), see Manage Copilot for verifying that commercial data protection is enabled for your users.
  7. Copilot with commercial data protection is used as the chat provider platform for users when the following conditions are met:
    • Users have an eligible license, commercial data protection in Copilot is enabled, and the Copilot in Windows user experience is enabled.
    • Users are signed in with their Microsoft Entra ID (work accounts)
      • Users can sign into Windows with their Microsoft Entra ID
      • For Active Directory users on Windows 11, a Microsoft Entra ID in the Web Account Manager (WAM) authentication broker can be used. Entra IDs in Microsoft Edge profiles and Microsoft 365 Apps would both be in WAM.

The following sample PowerShell script connects to Microsoft Graph and lists which users that have Copilot with commercial data protection enabled and disabled:

# Install Microsoft Graph module
if (-not (Get-Module Microsoft.Graph.Users)) {
    Install-Module Microsoft.Graph.Users
}

# Connect to Microsoft Graph
Connect-MgGraph -Scopes 'User.Read.All'

# Get all users
$users = Get-MgUser -All -ConsistencyLevel eventual -Property Id, DisplayName, Mail, UserPrincipalName, AssignedPlans

# Users with Copilot with commercial data protection enabled
$users | Where-Object { $_.AssignedPlans -and $_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -eq "Enabled" } | Format-Table

# Users without Copilot with commercial data protection enabled
$users | Where-Object { -not $_.AssignedPlans -or ($_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -ne "Enabled") } | Format-Table

When Copilot with commercial data protection is the chat provider platform, the user experience clearly states that Your personal and company data are protected in this chat. There's also a shield symbol labeled Protected at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed in this scenario:

Screenshot of the Copilot in Windows user experience when Copilot with commercial data protection is the chat provider.

Copilot with Graph-grounded chat as the chat provider platform

When users are assigned Microsoft Copilot for Microsoft 365 licenses, they're automatically presented with a Work toggle in Copilot for Windows. When Work is selected, Copilot with Graph-grounded chat is the chat provider platform used by Copilot in Windows. When using Graph-grounded chat, user prompts can securely access Microsoft Graph content, such as emails, chats, and documents.

Screenshot of the Copilot in Windows user experience when the work toggle is selected and the chart provider is Copilot with Graph-grounded chat.

Ensure the Copilot in Windows user experience is enabled

Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. Ensuring the Copilot in Windows user experience is enabled varies by the Windows version.

Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients

Copilot in Windows isn't technically enabled by default for managed Windows 11, version 22H2 devices because it's behind a temporary enterprise control. For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or Windows Server Update Services (WSUS). Clients that get updates from Microsoft Configuration Manager, Microsoft Intune, and Windows Autopatch are considered managed since their updates ultimately come from WSUS or Windows Updates for Business.

To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to enable features under temporary enterprise control for these devices. Since enabling features behind temporary enterprise control can be impactful, you should test this change before deploying it broadly. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions:

  1. Verify that the user accounts have the correct chat provider platform configured for Copilot in Windows. For more information, see the Configure the chat provider platform that Copilot in Windows uses section.

  2. Apply a policy to enable features under temporary enterprise control for managed clients. The following polices apply to Windows 11, version 22H2 with KB5022845 and later:

    • Group Policy: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\Enable features introduced via servicing that are off by default

    • CSP: ./Device/Vendor/MSFT/Policy/Config/Update/AllowTemporaryEnterpriseFeatureControl

      • In the Intune settings catalog, this setting is named Allow Temporary Enterprise Feature Control under the Windows Update for Business category.

    Important

    For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or Windows Server Update Services (WSUS). Clients that get updates from Microsoft Configuration Manager, Microsoft Intune, and Windows Autopatch are considered managed since their updates ultimately come from WSUS or Windows Updates for Business.

  3. Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). Depending on how soon you start deploying Copilot in Windows, you might also need to enable optional updates with one of the following policies:

    • Group Policy: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\Allow updates to Windows optional features
    • CSP: ./Device/Vendor/MSFT/Policy/Config/Update/AllowOptionalUpdates
      • In the Intune settings catalog, this setting is named Allow optional updates under the Windows Update for Business category.

    The optional updates policy applies to Windows 11, version 22H2 with KB5029351 and later. When setting policy for optional updates, ensure you select one of the following options that includes CFRs:

    • Automatically receive optional updates (including CFRs)
      • This selection places devices into an early CFR phase
    • Users can select which optional updates to receive

  4. Windows 11, version 22H2 devices display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves.

Enable the Copilot in Windows user experience for Windows 11, version 23H2 clients

Once a managed device installs the version 23H2 update, the temporary enterprise control for Copilot in Windows is removed. This means that Copilot in Windows is enabled by default for these devices.

While the user experience for Copilot in Windows is enabled by default, you still need to verify that the correct chat provider platform configured for Copilot in Windows. While every effort is made to ensure that Copilot with commercial data protection is the default chat provider for commercial organizations, it's still possible that Copilot might still be used if the configuration is incorrect, or if other settings are affecting Copilot in Windows. For more information, see:

Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using the following policy:

  • CSP: ./User/Vendor/MSFT/Policy/Config/WindowsAI/TurnOffWindowsCopilot
  • Group Policy: User Configuration\Administrative Templates\Windows Components\Windows Copilot\Turn off Windows Copilot

Other settings that might affect Copilot in Windows and its underlying chat provider

Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. This also means that some settings that affect Copilot, Copilot with commercial data protection, and Copilot in Edge can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider:

Bing settings

  • If SafeSearch is enabled for Bing, it can block chat providers for Copilot in Windows. The following network changes block the chat providers for Copilot in Windows and Edge:

    • Mapping www.bing.com to strict.bing.com
    • Mapping edgeservices.bing.com to strict.bing.com
    • Blocking bing.com

  • If Copilot with commercial data protection is turned on for your organization, users can access it through Edge mobile when signed in with their work account. If you would like to remove the Bing Chat button from the Edge mobile interface, you can use an Intune Mobile Application Management (MAM) policy for Microsoft Edge to remove it:

    Key Value
    com.microsoft.intune.mam.managedbrowser.Chat true (default) shows the interface
    false hides the interface

Microsoft Edge policies

  • If HubsSidebarEnabled is set to disabled, it blocks Copilot in Edge from being displayed.
  • If DiscoverPageContextEnabled is set to disabled, it blocks Copilot from reading the current webpage context. The chat providers need access to the current webpage context for providing page summarizations and sending user selected strings from the webpage into the chat provider.

Search settings

Account settings

Microsoft's commitment to responsible AI

Microsoft has been on a responsible AI journey since 2017, when we defined our principles and approach to ensuring this technology is used in a way that is driven by ethical principles that put people first. For more about our responsible AI journey, the ethical principles that guide us, and the tooling and capabilities we've created to assure that we develop AI technology responsibly, see Responsible AI.