By Susan Bradley (AKA The Microsoft patch lady)
This week offers a perfect example of why I don’t rush to update.
Ultimately, I want to understand the changes coming to my desktop and ensure that I know exactly what they do.
A little over a week ago, Microsoft announced Copilot for Windows. What that means is complicated, and we don’t really know all the details; it seems we will learn more, based upon what Microsoft dribbles out.
That’s reason enough to elevate MS-DEFCON to 1, its highest level.
The main problem is that Windows 11 23H2 is right around the corner — guesses vary about exactly when. But Copilot for Windows is coming sooner, with the October security updates. Thus the foundation and plumbing will come first, followed by the more visible manifestations in various features. This means that 23H2 will be a relatively minor update because the core will have already been installed — 23H2 will simply enable features based upon Copilot. That could be construed as good news, but it obscures what problems might come up in the foundational pieces in the security update.
Those of you intending to ride Windows 10 into the sunset will be delighted to learn that Copilot is for Windows 11 only. You won’t be subject to problems that come up for Windows 11 users.
But wait, there’s more! This is another dribble scenario — Copilot won’t be deployed for everyone at the same time. Anyone with multiple PCs, or even someone like me, acting as the network administrator at my office, will need to manage this staggered release and deal with differences in PCs until all receive the updates.
To be fair, what we will see in the operating system will be only part of the features that we may hear being discussed. This release will not be seen in Outlook, Word, Excel, or PowerPoint because Copilot for those applications will require a subscription expected to cost $30 per user per month. If you read any articles about how this release will be able to complete your emails or summarize interesting data in Excel, be aware that this is not what is releasing in October. Instead, the release will beef up Windows Help and overcome the weaknesses of Windows Search. It remains to be seen whether it will help me find that letter I wrote several months ago. You know — the one whose name and location I can’t remember.
For those with Windows 11 22H2 Professional, Education, or Enterprise editions, Group Policy can be used to control these “moments.” Launch Group Policy Editor on your local computer (Windows Pro and above) and go to Computer Configuration | Administrative Templates; then go to Windows Components | Windows Update | Manage end user experience and find Enable features introduced via servicing that are off by default. Make sure this item is disabled (see Figure 1). I have more links and information on the Master Patch List page to better control this release, including Intune instructions.
Figure 1. Control Moments with Group Policy Editor.
In order to better control the upcoming Windows 11 23H2 release, I recommend pausing updates and using InControl to keep your computer on 22H2 for now. After downloading InControl, run it to see the existing status or to take control of the version (Figure 2).
Figure 2. InControl, Gibson Research’s app, allows you to Take Control of OS upgrades by setting a specific version number and release (left). It may also indicate that you are already in control (right).
Another handy use of InControl is to see whether your system has been set to a specific version and release by another process, such as manually setting Registry keys. For example, if you were wondering why Windows Update was not offering 22H2, InControl will show you the actual setting. You can then Release Control, edit the Version/Release fields as desired, and Take Control.
For those on the Windows 11 Home edition, I’ve not been able to determine whether there is an equivalent Registry key that delays these “moment” updates. This is a key reason why I always recommend upgrading to Windows Professional edition. It’s very easy to do this. In Settings, navigate to System | About and click Change product key or upgrade your edition of Windows. You’ll be able to see the edition for which you are currently licensed. You can then acquire a Pro-edition upgrade license key from your preferred online vendor or by buying it through the Microsoft store, using your Microsoft account. In most cases, you will be able to initiate the upgrade from within Settings.
Once you’ve upgraded, your PC will in effect become a managed PC rather than a Microsoft guinea pig over which you have little control.
I tend to drag my feet on changes, primarily because I have a business/productivity perspective not only at the office, but also at home. But if you want these new Windows 11 features as soon as possible, having Windows 11 Pro allows you to control your version/release. Of course, you can live on the edge by signing up for the Insider program and get the new stuff really early.
Businesses can use Group Policy to ensure that machines remain on Windows 11 22H2 and to defer these Moment updates. Consider using some sort of update-management tool, whether it be an old-school tool such as Windows Software Update Services, or the more modern Windows Update for Business or Intune. If you don’t use a managed environment, instead leaving machines to update on their own, you may not know whether a machine has received an update. You will therefore spend extra time diagnosing problems while you determine a machine’s state. I always opt for a managed solution.
Consultants may need to review their clients’ policies before these artificial intelligence additions are rolled out. In my own profession, we must always be aware (and make sure our employees are equally aware) that sensitive client information should not be transmitted or used in ChatGPT or other AI platforms. AI, as a side effect, is introducing new privacy challenges into our businesses.
The October security update will include the following features, although they may not be enabled at first. Most of these changes are related to AI.
- The previous behavior of WinKey+C, which launched Cortana, is being changed because Cortana has been deprecated. Other means of searching will be used, probably Copilot. (Good thing Cortana and Copilot both begin with the letter C.)
- AI support will be added to the new versions of Paint and Photos. For example, Paint will provide AI-supported background removal.
- Clipchamp and Notepad will provide AI-based composition support.
- File Explorer is getting a refresh.
- Outlook for Windows will replace Windows’ Mail and Calendar apps. It will not match the capabilities of the desktop version of Outlook.
If you don’t want Windows Copilot released to your users, there are several ways to block the use of the application completely. On a Windows 11 22H2 PC that has the October (or later) updates, there will be a new local group policy setting. See Figure 3.
- Open the Group Policy Editor (gpedit.exe).
- Navigate to User Configuration | Administrative Templates | Windows Components | Windows Copilot.
- Double-click the Turn off Windows Copilot policy.
- Select the Enabled option.
- Click Apply.
Figure 3. Enabling Windows Copilot with the Group Policy Editor
Did Microsoft deliberately make this one confusing? Instead of enabling or disabling Windows Copilot, you must enable or disable Turn off Windows Copilot. I can see folks accidentally getting this wrong.
Want an ADMX file? I’ve uploaded it here. The ADML file is here.
Want a registry key to turn this off?
```
Windows Registry Editor Version 5.00

; Per-user policy: 1 turns Windows Copilot off
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsCopilot]
"TurnOffWindowsCopilot"=dword:00000001

; Machine-wide policy: 1 turns Windows Copilot off
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot]
"TurnOffWindowsCopilot"=dword:00000001
```
Copy the above into a text file and save it as a .reg file. Alternatively, you can run regedit, browse to these locations, and add these registry keys.
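To confirm what a given PC actually has set, the following read-only PowerShell audit reports the Turn off Windows Copilot value in both hives and any version pin of the kind InControl displays. It is an added example, not part of the original article or any Microsoft or GRC tool; the Windows Update value names (TargetReleaseVersion, ProductVersion, TargetReleaseVersionInfo) are not named in the article and are assumed here to be what a manual pin sets.

```powershell
# Added example: read-only audit of the policy values discussed in this article.
# Nothing is written to the registry.
$copilotKeys = @(
    'HKCU:\Software\Policies\Microsoft\Windows\WindowsCopilot',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot'
)
# Assumption: the target-release policy values live under this key.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy Not Configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$report = @()
foreach ($key in $copilotKeys) {
    $raw = Get-PolicyValue -Path $key -Name 'TurnOffWindowsCopilot'
    # The policy is worded negatively: 1 (Enabled) means Copilot is OFF.
    if ($raw -eq 1)        { $meaning = 'Copilot turned OFF (policy Enabled)' }
    elseif ($null -eq $raw) { $meaning = 'Copilot allowed (policy Not Configured)' }
    else                    { $meaning = 'Copilot allowed (policy Disabled)' }
    $report += [pscustomobject]@{
        Setting  = 'TurnOffWindowsCopilot'
        Location = $key
        RawValue = if ($null -eq $raw) { '(not set)' } else { $raw }
        Meaning  = $meaning
    }
}

# Version pin: is this PC being held on a specific release, such as 22H2?
$pinned  = Get-PolicyValue -Path $wuKey -Name 'TargetReleaseVersion'
$product = Get-PolicyValue -Path $wuKey -Name 'ProductVersion'
$release = Get-PolicyValue -Path $wuKey -Name 'TargetReleaseVersionInfo'
$report += [pscustomobject]@{
    Setting  = 'TargetReleaseVersion'
    Location = $wuKey
    RawValue = if ($null -eq $pinned) { '(not set)' } else { $pinned }
    Meaning  = if ($pinned -eq 1) { "Held at $product $release" }
               else { 'No target release set; feature updates offered normally' }
}

$report | Format-List
```

Run it as the user whose Copilot setting you want to check, because the HKCU line reflects only the account running the script.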
For those of you purchasing new phones this fall, keep in mind that you may need to keep that older phone around until you migrate your two-factor applications to your new phone. Duo Restore makes it easy to migrate from one phone to another. With Google Authenticator, you can export configurations from one phone to another. With Microsoft Authenticator, however, you must authenticate the new device and thus go through the entire setup all over again.
Plan ahead: Don’t turn in your old phone until you’ve fully moved your authentication applications to your new phone.
Resources
- Susan’s Master Patch List
- The MS-DEFCON System explained
- BlockAPatch — Tools to help you hide or block updates
- Steve Gibson’s excellent InControl to manage feature releases