deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-21 21:33:38 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
Files
a3a0bb83b27d9cf35ca2dab882c53b280008a472
windows-itpro-docs/windows/client-management/manage-windows-copilot.md
Meghan Stewart bdc0bb7b57 tweaks
2023-10-17 15:40:36 -07:00

18 KiB
Raw Blame History

title, description, ms.topic, ms.date, appliesto
title description ms.topic ms.date appliesto
Manage Copilot in Windows Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows. article 10/18/2023
<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 22H2 or later</a>

What is Copilot in Windows?

Looking for consumer information? See Welcome to Copilot in Windows.

Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from Bing Chat Enterprise in the Microsoft Edge sidebar (and Bing Chat in the Microsoft Edge sidebar), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat Enterprise in the Microsoft Edge sidebar, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider.

Manage Copilot in Windows for commercial environments

At a high level, managing and configuring Copilot in Windows for your organization involves the following steps:

  1. Understand the available chat provider platforms for Copilot in Windows
  2. Configure the chat provider platform used by Copilot in Windows
  3. Ensure the Copilot in Windows user experience is enabled
  4. Verify other settings that might affect Copilot in Windows and its underlying chat provider

Organizations that aren't ready to use Copilot in Windows can disable it until they're ready with the Turn off Windows Copilot policy. This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot in Windows and the icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot in Windows when it's available to them.

  Setting
CSP ./User/Vendor/MSFT/WindowsAI/TurnOffWindowsCopilot
Group policy User Configuration > Administrative Templates > Windows Components > Windows Copilot > Turn off Windows Copilot

Chat provider platforms for Copilot in Windows

Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform that Copilot in Windows uses is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections.

Bing Chat:

Bing Chat is a consumer experience and the number of chat queries per user has a daily limit. Bing Chat doesn't offer the same commercial data protection as Bing Chat Enterprise does. The following privacy and security protections apply for Bing Chat:

Bing Chat Enterprise:

Bing Chat Enterprise is intended for commercial use scenarios and offers commercial data protection. The following privacy and security protections apply for Bing Chat Enterprise:

  • With Bing Chat Enterprise, user and organizational data is protected, chat data isn't saved, Microsoft has no eyes-on access, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. Review the Bing Chat Enterprise privacy statement.

  • Bing Chat Enterprise is available, at no additional cost, for the following licenses:

    • Microsoft 365 E3 or E5
    • Microsoft 365 A3 or A5 for faculty
    • Business Standard
    • Business Premium

    Note

    Bing Chat Enterprise and Bing Chat don't have access to Microsoft Graph, unlike Microsoft 365 Copilot which is used in Microsoft 365 apps. This means that Bing Chat Enterprise and Bing Chat can't access Microsoft 365 Apps data, such as email, calendar, or files.

Configure the chat provider platform that Copilot in Windows uses

Configuring the correct chat provider platform for Copilot in Windows is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. Once you have selected the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization's users. The following sections describe how to configure the chat provider platform that Copilot in Windows uses.

Bing Chat as the chat provider platform

Bing Chat is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur:

  • Bing Chat Enterprise isn't configured for the user
  • The user isn't assigned a license that includes Bing Chat Enterprise
  • Bing Chat Enterprise is turned off
  • The user isn't signed in with a Microsoft Entra account that's licensed for Bing Chat Enterprise

Bing Chat Enterprise as the chat provider platform (recommended for commercial environments)

To verify that Bing Chat Enterprise is enabled for the user as the chat provider platform for Copilot in Windows, use the following instructions:

  1. Sign into the Microsoft 365 admin center.

  2. In the admin center, select Users > Active users and verify that users are assigned a license that includes Bing Chat Enterprise. Bing Chat Enterprise is included and enabled by default for users that are assigned one of the following licenses:

    • Microsoft 365 E3 or E5
    • Microsoft 365 A3 or A5 for faculty
      • Currently, Microsoft 365 A3 and A5 for faculty requires additional configuration. For more information, see Manage Bing Chat Enterprise.
    • Business Standard
    • Business Premium

  3. To verify that Bing Chat Enterprise is enabled for the user, select the user's Display name to open the flyout menu.

  4. In the flyout, select the Licenses & apps tab, then expand the Apps list.

  5. Verify that Bing Chat Enterprise is enabled for the user.

    Note

    If you previously disabled Bing Chat Enterprise using the URL, https://aka.ms/TurnOffBCE, see Manage Bing Chat Enterprise for verifying that Bing Chat Enterprise is enabled for your users.

*would be nice to have a Graph query that lists users that do/do not have BCE app enabled*
*licensedetails does output BCE, so its a matter of just getting the query right*
**powershell or http preferably**
Ex output from my lab: GET https://graph.microsoft.com/v1.0/me/licenseDetails
{
    "servicePlanId": "0d0c0d31-fae7-41f2-b909-eaf4d7f26dba",
    "servicePlanName": "Bing_Chat_Enterprise",
    "provisioningStatus": "Success",
    "appliesTo": "User"
},
https://learn.microsoft.com/graph/api/resources/licensedetails

When Bing Chat Enterprise is the chat provider platform, the user experience clearly states that Your personal and company data are protected in this chat. There's also a shield symbol labeled Protected at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed when Bing Chat Enterprise is the chat provider platform for Copilot in Windows:

:::image type="content" source="images/bing-chat-enterprise-chat-provider.png" alt-text="Screenshot of the Copilot in Windows user experience when Bing Chat Enterprise is the chat provider." lightbox="images/bing-chat-enterprise-chat-provider.png":::

Ensure the Copilot in Windows user experience is enabled

Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. Ensuring the Copilot in Windows user experience is enabled varies by the Windows version.

Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients

Copilot in Windows isn't technically enabled by default for manged Windows 11, version 22H2 devices because it's behind a temporary enterprise control. For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or Windows Server Update Services (WSUS). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business.

To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to turn off temporary enterprise control for these devices. Since disabling temporary enterprise control can be impactful, you should test this change before deploying it broadly. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions:

  1. Verify that the user accounts have the correct chat provider platform configured for Copilot in Windows. For more information, see the Configure the chat provider platform that Copilot in Windows uses section.

  2. Apply a policy to disable temporary enterprise control for managed clients. The following polices apply to Windows 11, version 22H2 with KB5022845 and later:

    • Group Policy: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\Enable features introduced via servicing that are off by default

    • CSP: ./Device/Vendor/MSFT/Policy/Config/Update/AllowTemporaryEnterpriseFeatureControl

      • In the Intune settings catalog, this setting is named Allow Temporary Enterprise Feature Control under the Windows Update for Business category.

    Important

    For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or Windows Server Update Services (WSUS). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business.

  3. Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). Depending on how soon you start deploying Copilot in Windows, you might also need to enable optional updates with one of the following policies:

    • Group Policy: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\Allow updates to Windows optional features
    • CSP: ./Device/Vendor/MSFT/Policy/Config/Update/AllowOptionalUpdates
      • In the Intune settings catalog, this setting is named Allow optional updates under the Windows Update for Business category.

    The optional updates policy applies to Windows 11, version 22H2 with KB5029351 and later. When setting policy for optional updates, ensure you select one of the following options that includes CFRs:

    • Automatically receive optional updates (including CFRs)
      • This selection places devices into an early CFR phase
    • Users can select which optional updates to receive

  4. Windows 11, version 22H2 devices display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves.

Enable the Copilot in Windows user experience for Windows 11, version 23H2 clients (coming soon)

One a managed device installs the version 23H2 update, the temporary enterprise control for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices.

While the user experience for Copilot in Windows is enabled by default, you still need to verify that the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect, or if other settings are affecting Copilot in Windows. For more information, see:

Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using the following policy:

  • CSP: ./User/Vendor/MSFT/WindowsAI/TurnOffWindowsCopilot
  • Group Policy: User Configuration\Administrative Templates\Windows Components\Windows Copilot\Turn off Windows Copilot

Other settings that might affect Copilot in Windows and its underlying chat provider

Copilot in Windows and Bing Chat in the Microsoft Edge sidebar, can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Bing Chat in the Microsoft Edge sidebar can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider:

Bing SafeSearch settings:

If SafeSearch is enabled for Bing, it can block chat providers for Copilot in Windows. The following network changes block the chat providers for Copilot in Windows, Bing Chat Enterprise in the Microsoft Edge sidebar, and Bing Chat in the Microsoft Edge sidebar:

  • mapping www.bing.com to strict.bing.com
  • mapping edgeservices.bing.com to strict.bing.com
  • mapping www.bing.com to nochat.bing.com
  • blocking bing.com

Microsoft Edge policies:

  • If HubsSidebarEnabled is set to disabled, it blocks Bing Chat in the Microsoft Edge sidebar and Bing Chat Enterprise in the Microsoft Edge sidebar from being displayed.
  • If DiscoverPageContextEnabled is set to disabled, it blocks Bing Chat and Bing Chat Enterprise from reading the current webpage context. The chat providers need access to the current webpage context for providing page summarizations and sending user selected strings from the webpage into the chat provider.

Search settings:

  • Setting ConfigureSearchOnTaskbarMode to Hide might interfere with the Copilot in Windows user experience.
  • Setting AllowSearchHighlights to disabled might interfere with the Copilot in Windows, Bing Chat in the Microsoft Edge sidebar, and Bing Chat Enterprise in the Microsoft Edge sidebar user experiences.

Account settings