
How to control Microsoft 365's AI features

Scott Lester | 15 January 2026 | 7 min read

Every technology company is putting AI into everything, and whatever your opinion on whether they should, it is unarguably going to have an impact on security. Focussing on Microsoft 365, this blog covers how you can use Intune to configure what Copilot and Recall are doing on managed Windows computers.

Introduction

I’m not going to add to the litany of blogs that discuss the merits of LLM-based applications in the workplace. In this context it doesn’t matter, because what is clear is that they are appearing in everything, often without any administrator process to enable or configure them, which is clearly a potential threat to both security and privacy.

Microsoft is putting Copilot, and now agents, into everything they build, including Windows computers and all Microsoft 365 services and applications. By design, it will therefore have access to company laptops, data and configuration.

And now we have the much reported-on Recall, which has been mooted for over a year. According to all the reporting, that’s arriving to screenshot all of our private applications and activities.

Thankfully all the Microsoft AI features can be controlled with Intune, their device management software that is part of Microsoft 365 (assuming you have Business Premium, A/E tier, or device add-on licenses). Below we detail how to use Intune to disable and control all the latest features.

Recall

Recall lets you “retrace your steps” on a Windows computer, and it does this by taking screenshots of everything you’ve been doing. This is the functionality that has attracted such criticism, but crucially it only does so if you’ve first consented to screenshots.

For concerned admins and security folks, there’s a key line in this Microsoft documentation:

By default, Recall is removed on commercially managed devices.

Given this, and the screenshot function being off by default, it does seem like some of the early doom mongering doesn’t apply to the Recall app that now exists.

The above documentation also states:

If you want to allow Recall to be available for users in your organization and allow them to choose to save snapshots, you need to configure both the Allow Recall to be enabled and Turn off saving snapshots for Recall policies.

So admins don’t need a Recall policy unless they actually want to enable Recall. For most people, there’s nothing to do.

How to Manage Windows Recall Using Intune

Let’s pretend you want to enable Recall on your corporate devices. Which could happen. Maybe? For some reason. It takes all types. More seriously, if you’re concerned that the off-by-default setting may change, it’s good to have it blocked anyway.

To configure it, you’ll need to import the latest Windows admin templates (admx files) into Intune. These contain the latest configuration options for Windows. All of these options do turn up natively in Intune after a little while.

First, download them from here. Unzip it, and make sure you can see WindowsCopilot.admx. Then you’ll need to upload it to Intune, from the Import ADMX tab under the Windows configuration.

Intune Windows Config

If you haven’t already done so, you first need to upload the Windows.admx and corresponding .adml files. These set the namespace for the following config. Then go ahead and upload WindowsCopilot.admx.

When uploaded you should see them both in that second tab:

ADMX upload

Having imported the templates, you can now use them to configure a policy. So create a new one, select Windows, Templates, and Imported Administrative templates (Preview):

New Policy in Intune

Give your policy a name, and then click Next. You’ll want Windows Components, then Windows AI (the search box is your friend). The key setting is Allow Recall to be enabled:

Recall config

Select this option and set it to Disabled. Then set the scope and assignments for the new policy, save it, and you should be done.

Copilot

Microsoft are insistent that everything needs a Copilot. It makes sense in planes, at least.

We’ll ignore the Copilot that’s in all the Microsoft 365 admin centres, including Intune[1], and focus on the user-facing apps. Let’s detail the user apps, and show how they can be configured from Intune.

Windows Copilot

Firstly let’s cover Windows Copilot, which is a Windows application that started getting auto-installed on all Windows machines in late 2023. It can help with local computer things, like recent files (but without the work context) and settings, and it can do web Copilot queries for you.

That sounds kind of useful, but personally I won’t switch how I work, which is broadly to use the Windows button/start menu to load apps and recent documents. Maybe that’d be different if I had a Copilot button instead, but that’d need me to replace my laptop and USB keyboard. So, no thanks. Now that we’ve thoroughly covered its pros and cons, let’s just disable it for all our managed Windows machines!

To uninstall it, create a new Intune Windows configuration profile using the settings catalog. The settings are all under Windows Components > App Package Deployment, which since Windows 11 25H2 lets you choose which of the default packages are removed.

The top-level setting is Remove Default Microsoft Store packages from the system; that needs to be toggled on before the per-app configuration appears.

As per the usual wonderful Intune UX design, setting a given app to True in this interface means that that app will be removed, and False means it’ll be left in place. We can use this to remove Windows Copilot:

Windows Copilot config

Alternatively, you can disable it with a policy using the settings catalog:

Disable Copilot

Note that this setting can be overridden by the user, hence the “(User)” annotation.
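As an added example (not from the original post, and not a Microsoft tool), here is a PowerShell check you can run on an enrolled device to confirm that the Recall and Windows Copilot policies configured above have actually applied. The registry paths and value names are my understanding of what the imported WindowsAI.admx and WindowsCopilot.admx policies write, and the “*Copilot*” package name match is an assumption; confirm both against the ADMX files and packages in your own tenant.

```powershell
# Added example, not from the original post: confirm on an enrolled device that the
# Recall and Windows Copilot policies set in Intune have actually landed.
# Registry paths and value names are my reading of what WindowsAI.admx and
# WindowsCopilot.admx write (assumption: verify against the imported ADMX files).

$checks = @(
    @{ Name = 'Allow Recall to be enabled (Disabled)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI'
       Value = 'AllowRecallEnablement'; Expected = 0 },   # 0 = Recall cannot be enabled
    @{ Name = 'Turn off saving snapshots for Recall (Enabled)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI'
       Value = 'DisableAIDataAnalysis'; Expected = 1 },   # 1 = snapshots off
    @{ Name = 'Turn off Windows Copilot (User scope)'
       Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot'
       Value = 'TurnOffWindowsCopilot'; Expected = 1 }    # user-scope policy, hence HKCU
)

function Test-AiPolicy {
    param([hashtable]$Check)
    # A missing key or a missing value both come back as $null and are reported as "not set".
    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Check.Value) } else { $null }
    $shown  = if ($null -eq $actual) { '<not set>' } else { $actual }
    $status = if ($actual -eq $Check.Expected) { 'OK' } else { 'NOT APPLIED' }
    [pscustomobject]@{
        Policy   = $Check.Name
        Key      = "$($Check.Path)\$($Check.Value)"
        Expected = $Check.Expected
        Actual   = $shown
        Status   = $status
    }
}

$results = $checks | ForEach-Object { Test-AiPolicy -Check $_ }
$results | Format-Table -AutoSize

# Any Copilot AppX package still present means the App Package Deployment removal has
# not taken effect yet. Needs an elevated prompt because of -AllUsers.
$copilotPkgs = Get-AppxPackage -AllUsers -Name '*Copilot*' |
    Select-Object Name, Version, PackageFullName
if ($copilotPkgs) { $copilotPkgs | Format-Table -AutoSize } else { 'No Copilot AppX packages installed.' }

# Non-zero exit code so this can double as an Intune detection script.
if (($results | Where-Object Status -ne 'OK') -or $copilotPkgs) { exit 1 }
exit 0
```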

Microsoft 365 Copilot Windows App

Then there’s Microsoft 365 Copilot, which is a paid-for addition for Microsoft 365. It is predominantly the LLM functionality in the Office suite, but it is also a web application, and somewhat confusingly when on a laptop, a Windows app that sits alongside regular Copilot:

Copilot Windows Start Menu

At least it has a different name and a slightly different logo. So what’s the difference from the Microsoft Copilot app that was already installed for us? Let’s see what it says about itself, in answer to “what's the difference between windows copilot and windows Microsoft 365 copilot?”:

Quick Answer:

Windows Copilot is the free, built-in AI assistant in Windows 11 and Microsoft Edge for everyday tasks, while Microsoft 365 Copilot is a paid, enterprise-grade AI that integrates directly into apps like Word, Excel, PowerPoint, and Outlook to work with your organization’s data.

Copilot explains itself

If you want a second opinion that was (probably) written by humans, there’s a nice table comparing all the user-app Copilots (all the variants of Microsoft Copilot) on Wikipedia.

This app is installed by default if you already have the Office apps installed via Microsoft 365 (as per this documentation). That same page details how you can prevent it being auto-installed, but there’s no easily found documentation on any further configuration.

Copilot itself did have a useful suggestion for configuration; on the Office apps configuration panel you can create a new policy to control certain options:

Copilot app policy

Copilot online

Just to confuse things further, if you’re using Microsoft Copilot on the web, then it’ll prompt you to pick the personal version or log in with your work account:

Copilot online choice

The two versions look a little different, at least. The personal one is dark blue (left), and the work one is black. Plus the work one has suggestions based on your colleagues, documents and meetings (with a Microsoft 365 Copilot license, that is):

Copilot online versions

Plus, if you choose the latter you at least get a nice green shield to guarantee that your work data is safe:

Enterprise app protection shield

Edge Browser Plugin

Next there’s Copilot in Edge, which was previously called Bing Chat. There are a few configuration settings that only affect users signed into Edge with their corporate account. By default, it can access page content for queries and responses. That said, it’s interesting to see that this is disabled by default in EU countries.

With the Intune settings catalog, you can control how much access it gets:


You can read more on these policies in the Microsoft documentation.

GitHub Copilot

Finally, if you’re using Visual Studio Code for development, you’ll be pushed to sign into your GitHub account for GitHub Copilot, Microsoft’s code-writing LLM thing.

There are three settings to configure it via Intune:


Follow Up

If you need help securely implementing an LLM application, or implementing or testing device protections, then get in touch with our services team.


1. There’s now Copilot in Intune, which you can presumably use to help you manage Copilot on Windows and on Windows 365 from Microsoft 365. Which feels like the Microsoft equivalent of Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo.


About Scott Lester
Scott is a technical Cyber Security professional with over fifteen years' experience across a broad range of roles within the public and private sectors. With a deep understanding of cyber security, he has in his career focussed on applied cryptography, network technologies, digital forensics and security research. At Hexiosec he leads the delivery of all of our cyber security services.
