Copilot enterprise completely disabled via CSP

Luuk Meijer 0 Reputation points
2026-06-25T13:30:08.66+00:00

Our legal team has asked us to turn off all AI features on company devices because of defense industry regulations. Just removing the Copilot icon from the taskbar isn't enough. How can we use an Intune policy, CSP setting, or OMA-URI to completely disable Microsoft Copilot and any related AI features across all of our managed Windows devices?

Windows for business | Windows 365 Enterprise
0 comments No comments

1 answer

Sort by: Most helpful
  1. Harry Phan 23,995 Reputation points Independent Advisor
    2026-06-25T14:35:06.91+00:00

    Hi Luuk,

    On current Windows builds you need a layered control because “Copilot” is no longer a single feature; it’s a mix of a legacy OS policy, a packaged app, and separate service integrations. Relying only on the old CSP will not fully meet your compliance requirement.

    For policy-based disablement, use the native Intune Settings Catalog setting Windows AI → “Turn off Copilot in Windows (User)” = Enabled, which is Microsoft’s supported replacement for the deprecated CSP and fully disables the OS-level Copilot entry points (taskbar UI, Win+C, invocation APIs). The legacy OMA-URI ./User/Vendor/MSFT/Policy/Config/WindowsAI/TurnOffWindowsCopilot with value 1 still maps to the same control but is explicitly deprecated and should not be your primary enforcement going forward.

    On Windows 11 24H2 and later, Copilot is delivered as a packaged app, so you must additionally block execution; the clean enterprise method is an AppLocker or App Control for Business deny rule targeting publisher CN=MICROSOFT CORPORATION and package name MICROSOFT.COPILOT to prevent launches even if provisioned or reinstalled. For stronger control, deploy the newer RemoveMicrosoftCopilotApp policy (available via recent Windows updates) through Intune or GPO to uninstall the provisioned Copilot app where eligible, noting it only removes non-user-installed instances and may require ongoing enforcement.

    Finally, understand this only disables the Windows Copilot shell; AI features in Microsoft 365 apps, Edge sidebar Copilot, or web endpoints are governed by separate policies and must be disabled independently (Edge administrative templates, M365 Copilot service controls), otherwise users still retain access via those channels.

    Harry.

    Was this answer helpful?

    0 comments No comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.