Microsoft 365 Copilot App Auto-Install (June–July 2026): The Complete IT Admin Block & Removal Guide

Published June 27, 2026  ·  10 min read  ·  Windows Management, Microsoft 365

1. What Microsoft is doing — and why

Starting June 15 2026, Microsoft began automatically deploying the Microsoft 365 Copilot desktop application to enterprise Windows devices as part of what it calls a "value-add installation" to drive Copilot awareness. The rollout is phased by update channel and mirrors the same playbook Microsoft used when it pushed the Teams consumer app and Edge browser onto managed devices — a move that earned significant community backlash at the time.

Unlicensed users who receive the app will see a "Get Copilot" upsell prompt on first launch rather than a functional AI assistant. This is a deliberate commercial tactic: get the app icon on the desktop, lower the friction for an eventual licence purchase. The app installs to the user profile (no elevation required), which means standard application control policies that target %ProgramFiles% are ineffective without additional configuration.

Official Microsoft deployment documentation: learn.microsoft.com — Microsoft 365 Copilot App Deployment and the Microsoft 365 Copilot Tech Community Blog.

Rollout phase timeline

2. Who is affected

The deployment targets any Windows device that meets all three of these criteria simultaneously:

• Running Microsoft 365 Apps for Enterprise or Business, version 2308 or later
• On Windows 10 22H2 or Windows 11 (any supported feature update)
• Enrolled in a commercial Microsoft 365 tenant (any SKU — E1, E3, E5, Business Basic, etc.)

Critically, Copilot licence ownership is irrelevant. A device with only an M365 E1 licence and no Copilot add-on will still receive the app. The install is driven by the M365 Apps update mechanism (Click-to-Run), not by licence assignment in Entra ID.

Affected vs. exempt configuration matrix

3. Who is exempt — and why EEA gets a pass

The European Economic Area exemption is not a courtesy — it is a regulatory requirement. Under the EU's Digital Markets Act (DMA) and related interoperability obligations, Microsoft must not use its dominant platform position to pre-install or auto-distribute first-party software that competes with third-party alternatives without a clear user consent mechanism. The EEA carve-out also covers the same Windows 11 browser choice and widget restrictions that made headlines in 2024.

If your tenant's billing country is within the EEA, Microsoft's own backend logic suppresses the deployment. You can verify your tenant region in the Microsoft 365 admin centre under Settings → Org settings → Organisation profile. If the country field shows a non-EEA jurisdiction, you are in scope and must act.

Semi-Annual Enterprise Channel (SAC) devices are technically exempt from this specific wave, but Microsoft's own roadmap documentation suggests SAC will be targeted in a subsequent phase. Admins managing SAC fleets should implement the block controls now rather than waiting.

4. How to block the install BEFORE it happens — 3 methods

Check whether the app is already installed

Before deploying a block policy, audit your estate. Run this from an admin PowerShell prompt or push it as a detection script in Intune:

# Checks both per-user and per-machine WinGet / AppX registrations
# Run as the logged-on user OR as SYSTEM for device-wide results

$appName = "Microsoft.MicrosoftCopilot"

# Method 1 — WinGet package registry
$wingetResult = Get-AppxPackage -Name "Microsoft.Copilot*" -AllUsers -ErrorAction SilentlyContinue

# Method 2 — Known install path under user profile
$userPath   = Join-Path $env:LOCALAPPDATA "Microsoft\WindowsApps\MicrosoftCopilot.exe"
$systemPath = Join-Path $env:ProgramFiles "WindowsApps\Microsoft.Copilot*"

$found = $false

if ($wingetResult) {
    Write-Output "[FOUND] Copilot AppX package detected:"
    $wingetResult | Select-Object Name, Version, PackageUserInformation | Format-Table -AutoSize
    $found = $true
}

if (Test-Path $userPath) {
    Write-Output "[FOUND] Copilot.exe present at user profile path: $userPath"
    $found = $true
}

if (-not $found) {
    Write-Output "[CLEAN] Microsoft 365 Copilot app not detected on this device."
}

Method A — Group Policy (ADMX)

Microsoft published an ADMX-backed policy to suppress the auto-install. This is the recommended enterprise control for domain-joined devices managed via traditional GPO or Intune's ADMX ingestion path. The Office ADMX templates version 5421 or later are required. Download the latest templates from the Office Deployment Tool documentation page.

Policy path in GPMC after importing the ADMX files:

Computer Configuration → Administrative Templates → Microsoft Office 2016 (Machine) → Updates → Prevent Microsoft 365 Copilot app from being installed

Set the policy to Enabled. For Intune ADMX ingestion, the OMA-URI path is:

./Device/Vendor/MSFT/Policy/Config/office16v2~Policy~L_MicrosoftOfficemachine~L_Updates/L_PreventCopilotAppInstall

Value: <enabled/>

Method B — Direct registry key

For devices that cannot receive ADMX policy quickly, set the registry value directly. This is also useful as a Proactive Remediation script in Intune.

# Blocks the M365 Copilot app auto-install via Click-to-Run update mechanism
# Must run as SYSTEM or local Administrator to write HKLM

$regPath  = "HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate"
$regName  = "preventcopilotinstall"
$regValue = 1

if (-not (Test-Path $regPath)) {
    New-Item -Path $regPath -Force | Out-Null
    Write-Output "Registry path created: $regPath"
}

New-ItemProperty -Path $regPath `
    -Name $regName `
    -Value $regValue `
    -PropertyType DWord `
    -Force | Out-Null

# Verify
$verify = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
if ($verify.preventcopilotinstall -eq 1) {
    Write-Output "[SUCCESS] Block registry value confirmed: preventcopilotinstall = 1"
} else {
    Write-Error  "[FAILED]  Registry value not set correctly. Check permissions."
}

Method C — Microsoft 365 Apps admin centre cloud policy

For tenants using cloud-based Office policy management (config.office.com), this is the fastest tenant-wide toggle with no GPO infrastructure required. Navigate to:

1. Sign in to config.office.com as a Global Admin or Office Apps Admin
2. Go to Customization → Policy Management
3. Create or edit a policy scoped to your target user/device group
4. Search for the policy setting: "Prevent the Microsoft 365 Copilot (desktop app) from being installed"
5. Set the value to Enabled and save

Cloud policy applies within the next Click-to-Run check-in cycle (typically within 90 minutes for online devices). Devices that are offline or on VPN split-tunnel configurations may take longer — this is why the registry key method provides useful belt-and-suspenders coverage.

5. How to REMOVE the app after it has already installed

# Run as SYSTEM or local Administrator
# Removes the Copilot AppX package from all user profiles on the device
# Apply the registry block AFTER removal to prevent reinstall

$packageName = "Microsoft.Copilot"

Write-Output "Searching for Copilot AppX packages..."
$packages = Get-AppxPackage -Name "$packageName*" -AllUsers -ErrorAction SilentlyContinue

if (-not $packages) {
    Write-Output "No Copilot AppX packages found. Nothing to remove."
    exit 0
}

foreach ($pkg in $packages) {
    Write-Output "Removing: $($pkg.Name) v$($pkg.Version) [$($pkg.PackageFullName)]"
    Remove-AppxPackage -Package $pkg.PackageFullName -AllUsers -ErrorAction SilentlyContinue
}

# Also remove the provisioned package to prevent reinstall for new user profiles
$provisioned = Get-AppxProvisionedPackage -Online | Where-Object { $_.DisplayName -like "*Copilot*" }
if ($provisioned) {
    foreach ($prov in $provisioned) {
        Write-Output "Removing provisioned package: $($prov.PackageName)"
        Remove-AppxProvisionedPackage -Online -PackageName $prov.PackageName -ErrorAction SilentlyContinue
    }
}

# Now apply the block registry key to prevent Click-to-Run from reinstalling
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate"
if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
New-ItemProperty -Path $regPath -Name "preventcopilotinstall" -Value 1 -PropertyType DWord -Force | Out-Null
Write-Output "[DONE] Removal complete. Block registry key applied."

Alternative: winget uninstall (single device / quick remediation)

For a quick single-device removal or for devices enrolled in the Windows Package Manager ecosystem:

# winget removal — run in user context or as Administrator
winget uninstall --id Microsoft.Copilot --silent --accept-source-agreements

# ── Verify removal ──────────────────────────────────────────────────────────
$postCheck = Get-AppxPackage -Name "Microsoft.Copilot*" -AllUsers -ErrorAction SilentlyContinue

if ($postCheck) {
    Write-Warning "Package still detected after removal attempt. Manual review required."
    $postCheck | Select-Object Name, Version, PackageUserInformation | Format-Table
} else {
    Write-Output "[VERIFIED CLEAN] Microsoft.Copilot package is not present."
}

# Check provisioned package too
$provCheck = Get-AppxProvisionedPackage -Online | Where-Object { $_.DisplayName -like "*Copilot*" }
if ($provCheck) {
    Write-Warning "Provisioned package still present — new user profiles will receive the app."
} else {
    Write-Output "[VERIFIED CLEAN] No provisioned Copilot package found."
}

6. Governance controls for tenants that DO want Copilot

If your organisation has licensed Microsoft 365 Copilot and wants to allow the app but still maintain governance, the priority controls are:

• Licence assignment via Entra ID groups — only assign the Copilot licence to groups that have completed a data classification and acceptable-use review. Use dynamic Entra groups based on department or job function attributes to keep assignments clean.
• Copilot usage reporting — in the Microsoft 365 admin centre under Reports → Usage → Microsoft 365 Copilot, monitor active user counts and feature utilisation to validate ROI against licence spend before broader rollout.
• Sensitivity label inheritance in Copilot responses — if your tenant uses Microsoft Purview Information Protection, verify that Copilot respects and inherits sensitivity labels from source documents. This is enabled by default for E5 Compliance SKUs but requires policy configuration.
• Copilot Pages governance — Copilot Pages (collaborative AI-generated pages stored in OneDrive) require a separate sharing and retention policy review if your tenant has strict data residency requirements.
• Audit log retention — Copilot interaction logs are retained in the Microsoft Purview audit log. Ensure your audit log retention policy (minimum 90 days recommended; 1 year for regulated industries) covers Copilot-sourced events.

7. The r/sysadmin community reaction

The r/sysadmin subreddit threads on this rollout have been predictably incandescent. The top-voted comment in the primary thread — which reached 2,800+ upvotes within 48 hours of Phase 2 going live — read simply: "At this point Microsoft just owns our desktops and we pay rent."

The dominant comparison across the community has been to the Teams consumer app push in 2021 and the Edge browser forced-default change in 2023 — both of which required sustained admin effort to remediate and both of which Microsoft eventually provided policy controls for only after significant backlash. The consensus is that this is the same playbook: ship first, ask for forgiveness later, provide a policy control only after it has already landed on millions of devices.

Key community concerns, distilled from the thread discussions:

• Bypassed application control policies. Multiple admins reported that their existing AppLocker and WDAC policies did not block the install because the app installs to a per-user AppData path that many policies do not explicitly target. Admins had to add explicit publisher-based rules for the Microsoft.Copilot publisher certificate.
• No prior MCM (Message Centre notification) with adequate lead time. The Message Centre post (MC-xxxxxx) appeared with less than three weeks' notice before Phase 2, which admins managing large distributed estates found insufficient for change management approvals and ring-based testing.
• Zero-licence upsell on managed devices. Admins whose orgs hold zero Copilot licences are particularly annoyed — users are being shown a commercial upsell prompt on corporate-managed hardware and software, without the IT department having any say in the messaging.
• End user confusion and helpdesk tickets. Multiple reports of users opening what they assume is the AI assistant they have been hearing about in all-hands meetings, only to be shown a "Get Copilot" purchase prompt, and then raising helpdesk tickets asking why AI is broken.

8. Official Microsoft references

• Microsoft Learn — Microsoft 365 Copilot App Deployment (Admin) — primary documentation covering the rollout scope, opt-out policy configuration, and licence behaviour.
• Tech Community — Microsoft 365 Copilot Blog — official announcement posts covering Phase 2 and Phase 3 timelines.
• Microsoft Learn — Office Deployment Tool Overview — reference for managing Click-to-Run deployments, including the ExcludeApp element which can be used in ODT XML to exclude the Copilot app at deployment time for fresh installs.

For tenants managing the M365 Apps deployment via the Office Deployment Tool (ODT), add the following element to your configuration.xml to prevent the Copilot app from being included in new installations:

Summary — your action checklist

Information current as of June 27 2026. Microsoft rollout timelines are subject to change — always verify against the official Message Centre post in your tenant admin centre. Registry key names and ADMX policy paths are validated against Office 365 ADMX template version 5421.