(Updated) Microsoft 365 Copilot Apps installation on devices with Microsoft 365 Apps

🚨 The Signal: From June 2026, the Microsoft 365 Copilot app will install automatically on eligible Windows devices that have Microsoft 365 Apps (M365 Apps). This simplifies access, but administrators must opt out to prevent deployment, which affects device security posture.

The Impact

All Windows devices with Microsoft 365 Apps are affected. This poses a security risk where unmanaged software installations do not align with organisational policy.

  • Security Teams: Risk of unapproved software deployment and potential attack surface expansion.
  • IT Administrators: Need to manage automatic installations and potential opt-out requirements.
  • End Users: Automatic access to Copilot, potentially without prior awareness or training.
  • Compliance Teams: Challenge in maintaining software baselines and attestation for application control.

The Action

  1. Identify all Windows devices with Microsoft 365 Apps that are eligible for Copilot installation.
  2. Review existing software deployment policies and determine if automatic Copilot installation aligns with your organisation's security posture.
  3. If opting out, configure the appropriate Group Policy or Intune setting to prevent automatic installation of the Microsoft 365 Copilot app.
  4. Communicate the change to end users and provide guidance on Copilot usage, if applicable.
  5. Update security baselines and documentation to reflect the presence or absence of the Copilot application.

Domain: M365-Apps · Impact: high · Workload: M365 Apps · Essential Eight: Application Control, User Application Hardening · ISM: ISM-0843, ISM-1412, ISM-1485, ISM-1486, ISM-1490, ISM-1542, ISM-1544, ISM-1582, ISM-1585, ISM-1656, ISM-1657, ISM-1658, ISM-1659, ISM-1660, ISM-1667, ISM-1668, ISM-1669, ISM-1670, ISM-1823, ISM-1824, ISM-1859, ISM-1860, ISM-1870, ISM-1871