deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/client-management/manage-windows-copilot.md
Meghan Stewart b411a76568 meta-tweak
2023-12-05 11:56:28 -08:00

20 KiB
Raw Blame History

title, description, ms.topic, ms.technology, ms.date, ms.author, author, appliesto
title description ms.topic ms.technology ms.date ms.author author appliesto
Manage Copilot in Windows Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows. conceptual itpro-windows-copilot 11/06/2023 mstewart mestew
<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 22H2 or later</a>

Manage Copilot in Windows

Looking for consumer information? See Welcome to Copilot in Windows.

Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to help your users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based Copilot in Edge. However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since it is possible for users to copy and paste sensitive information into the chat provider.

Note

  • Copilot in Windows is currently available as a preview. We will continue to experiment with new ideas and methods using your feedback.
  • Copilot in Windows is being released in preview to select global markets as part of our latest update to Windows 11. The initial markets for the Copilot in Windows preview include North America and parts of Asia and South America. It is our intention to add additional markets over time.

Configure Copilot in Windows for commercial environments

At a high level, managing and configuring Copilot in Windows for your organization involves the following steps:

  1. Understand the available chat provider platforms for Copilot in Windows
  2. Configure the chat provider platform used by Copilot in Windows
  3. Ensure the Copilot in Windows user experience is enabled
  4. Verify other settings that might affect Copilot in Windows and its underlying chat provider

Organizations that aren't ready to use Copilot in Windows can disable it until they're ready with the Turn off Windows Copilot policy. This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot in Windows and the icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot in Windows when it's available to them.

  Setting
CSP ./User/Vendor/MSFT/Policy/Config/WindowsAI/TurnOffWindowsCopilot
Group policy User Configuration > Administrative Templates > Windows Components > Windows Copilot > Turn off Windows Copilot

Chat provider platforms for Copilot in Windows

Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform that Copilot in Windows uses is important because it is possible for users to copy and paste sensitive information into the chat provider. Each chat provider platform has different privacy and security protections.

Bing Chat:

Bing Chat is a consumer experience and if a user isn't signed in with their Microsoft account, the number of chat queries per user has a daily limit. Bing Chat doesn't offer the same commercial data protection as Bing Chat Enterprise does. The following privacy and security protections apply for Bing Chat:

Bing Chat Enterprise:

Bing Chat Enterprise is intended for commercial use scenarios and offers commercial data protection. The following privacy and security protections apply for Bing Chat Enterprise:

  • With Bing Chat Enterprise, user and organizational data is protected, chat data isn't saved, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. Bing Chat Enterprise is accessible from mobile browsers, including Edge mobile on iOS and Android. Review the Bing Chat Enterprise privacy statement.

  • Bing Chat Enterprise is available, at no additional cost, for the following licenses:

    • Microsoft 365 E3 or E5
    • Microsoft 365 A3 or A5 for faculty
    • Microsoft 365 Business Standard
    • Microsoft 365 Business Premium

    Note

    Bing Chat Enterprise and Bing Chat don't have access to Microsoft Graph, unlike Microsoft 365 Copilot which can be used in the Microsoft 365 apps. This means that Bing Chat Enterprise and Bing Chat can't access Microsoft 365 Apps data, such as email, calendar, or files.

Configure the chat provider platform that Copilot in Windows uses

Configuring the correct chat provider platform for Copilot in Windows is important because it is possible for users to copy and paste sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. Once you have selected the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization's users. The following sections describe how to configure the chat provider platform that Copilot in Windows uses.

Bing Chat as the chat provider platform

Bing Chat is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur:

  • Bing Chat Enterprise isn't configured for the user
  • The user isn't assigned a license that includes Bing Chat Enterprise
  • Bing Chat Enterprise is turned off
  • The user isn't signed in with a Microsoft Entra account that's licensed for Bing Chat Enterprise

Bing Chat Enterprise as the chat provider platform (recommended for commercial environments)

To verify that Bing Chat Enterprise is enabled for the user as the chat provider platform for Copilot in Windows, use the following instructions:

  1. Sign into the Microsoft 365 admin center.

  2. In the admin center, select Users > Active users and verify that users are assigned a license that includes Bing Chat Enterprise. Bing Chat Enterprise is included and enabled by default for users that are assigned one of the following licenses:

    • Microsoft 365 E3 or E5
    • Microsoft 365 A3 or A5 for faculty
      • Currently, Microsoft 365 A3 and A5 for faculty requires additional configuration. For more information, see Manage Bing Chat Enterprise.
    • Microsoft 365 Business Standard
    • Microsoft 365 Business Premium

  3. To verify that Bing Chat Enterprise is enabled for the user, select the user's Display name to open the flyout menu.

  4. In the flyout, select the Licenses & apps tab, then expand the Apps list.

  5. Verify that Bing Chat Enterprise is enabled for the user.

  6. If you prefer to view a user's licenses from the Azure portal, you will find it under Microsoft Entra ID > Users. Select the user's name, then Licenses. Select a license that includes Bing Chat Enterprise, and verify that it's listed as On.

    Note

    If you previously disabled Bing Chat Enterprise using the URL, https://aka.ms/TurnOffBCE, see Manage Bing Chat Enterprise for verifying that Bing Chat Enterprise is enabled for your users.

The following sample PowerShell script connects to Microsoft Graph and lists which users that have Bing Chat Enterprise enabled and disabled:

# Install Microsoft Graph module
if (-not (Get-Module Microsoft.Graph.Users)) {
    Install-Module Microsoft.Graph.Users
}

# Connect to Microsoft Graph
Connect-MgGraph -Scopes 'User.Read.All'

# Get all users
$users = Get-MgUser -All -ConsistencyLevel eventual -Property Id, DisplayName, Mail, UserPrincipalName, AssignedPlans

# Users with Bing Chat Enterprise enabled
$users | Where-Object { $_.AssignedPlans -and $_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -eq "Enabled" } | Format-Table

# Users without Bing Chat Enterprise enabled
$users | Where-Object { -not $_.AssignedPlans -or ($_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -ne "Enabled") } | Format-Table

When Bing Chat Enterprise is the chat provider platform, the user experience clearly states that Your personal and company data are protected in this chat. There's also a shield symbol labeled Protected at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed when Bing Chat Enterprise is the chat provider platform for Copilot in Windows:

:::image type="content" source="images/bing-chat-enterprise-chat-provider.png" alt-text="Screenshot of the Copilot in Windows user experience when Bing Chat Enterprise is the chat provider." lightbox="images/bing-chat-enterprise-chat-provider.png":::

Ensure the Copilot in Windows user experience is enabled

Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. Ensuring the Copilot in Windows user experience is enabled varies by the Windows version.

Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients

Copilot in Windows isn't technically enabled by default for managed Windows 11, version 22H2 devices because it's behind a temporary enterprise control. For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or Windows Server Update Services (WSUS). Clients that get updates from Microsoft Configuration Manager, Microsoft Intune, and Windows Autopatch are considered managed since their updates ultimately come from WSUS or Windows Updates for Business.

To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to enable features under temporary enterprise control for these devices. Since enabling features behind temporary enterprise control can be impactful, you should test this change before deploying it broadly. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions:

  1. Verify that the user accounts have the correct chat provider platform configured for Copilot in Windows. For more information, see the Configure the chat provider platform that Copilot in Windows uses section.

  2. Apply a policy to enable features under temporary enterprise control for managed clients. The following polices apply to Windows 11, version 22H2 with KB5022845 and later:

    • Group Policy: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\Enable features introduced via servicing that are off by default

    • CSP: ./Device/Vendor/MSFT/Policy/Config/Update/AllowTemporaryEnterpriseFeatureControl

      • In the Intune settings catalog, this setting is named Allow Temporary Enterprise Feature Control under the Windows Update for Business category.

    Important

    For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or Windows Server Update Services (WSUS). Clients that get updates from Microsoft Configuration Manager, Microsoft Intune, and Windows Autopatch are considered managed since their updates ultimately come from WSUS or Windows Updates for Business.

  3. Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). Depending on how soon you start deploying Copilot in Windows, you might also need to enable optional updates with one of the following policies:

    • Group Policy: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\Allow updates to Windows optional features
    • CSP: ./Device/Vendor/MSFT/Policy/Config/Update/AllowOptionalUpdates
      • In the Intune settings catalog, this setting is named Allow optional updates under the Windows Update for Business category.

    The optional updates policy applies to Windows 11, version 22H2 with KB5029351 and later. When setting policy for optional updates, ensure you select one of the following options that includes CFRs:

    • Automatically receive optional updates (including CFRs)
      • This selection places devices into an early CFR phase
    • Users can select which optional updates to receive

  4. Windows 11, version 22H2 devices display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves.

Enable the Copilot in Windows user experience for Windows 11, version 23H2 clients

Once a managed device installs the version 23H2 update, the temporary enterprise control for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices.

While the user experience for Copilot in Windows is enabled by default, you still need to verify that the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect, or if other settings are affecting Copilot in Windows. For more information, see:

Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using the following policy:

  • CSP: ./User/Vendor/MSFT/Policy/Config/WindowsAI/TurnOffWindowsCopilot
  • Group Policy: User Configuration\Administrative Templates\Windows Components\Windows Copilot\Turn off Windows Copilot

Other settings that might affect Copilot in Windows and its underlying chat provider

Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Copilot in Edge can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider:

Bing settings

  • If SafeSearch is enabled for Bing, it can block chat providers for Copilot in Windows. The following network changes block the chat providers for Copilot in Windows and Copilot in Edge:

    • mapping www.bing.com to strict.bing.com
    • mapping edgeservices.bing.com to strict.bing.com
    • blocking bing.com

  • If Bing Chat Enterprise is turned on for your organization, users will be able to access it through Edge mobile when signed in with their work account. If you would like to remove the Bing Chat button from the Edge mobile interface, you can use an Intune Mobile Application Management (MAM) policy for Microsoft Edge to remove it:

    Key Value
    com.microsoft.intune.mam.managedbrowser.Chat true (default) shows the interface
    false hides the interface

Microsoft Edge policies

  • If HubsSidebarEnabled is set to disabled, it blocks Copilot in Edge from being displayed.
  • If DiscoverPageContextEnabled is set to disabled, it blocks Bing Chat and Bing Chat Enterprise from reading the current webpage context. The chat providers need access to the current webpage context for providing page summarizations and sending user selected strings from the webpage into the chat provider.

Search settings

Account settings

Microsoft's commitment to responsible AI

Microsoft has been on a responsible AI journey since 2017, when we defined our principles and approach to ensuring this technology is used in a way that is driven by ethical principles that put people first. For more about our responsible AI journey, the ethical principles that guide us, and the tooling and capabilities we've created to assure that we develop AI technology responsibly, see Responsible AI.