Don't Let Copilot Become Your Biggest Attack Surface
01 What is Windows Copilot, Really?
Microsoft's Windows 11 Copilot is more than a chatbot widget in your taskbar. It is a deep-system AI assistant powered by the same underlying models as Microsoft 365 Copilot, connected to Bing, and — depending on how it's configured — it can read your screen, browse on your behalf, modify system settings, summarise documents, and send data to Microsoft's cloud.
In 2024 Microsoft also introduced Recall, a feature that takes periodic screenshots of your screen and uses AI to make your activity searchable. Although Recall was delayed after public backlash and security criticism, it is still planned as a Copilot+ PC feature. Together, these capabilities create a brand-new attack surface that most security guides haven't caught up with yet.
This guide is for home power users, IT administrators, and small-business owners who want to get the benefits of AI features without handing over the keys to the kingdom.
02 The Risk Landscape
Let's be direct: Copilot is not malware. But it introduces risks that traditional security hardening guides don't address. Here's an honest breakdown:
Recall Screenshot Database
Stores encrypted screenshots of everything on your screen. If an attacker gains local access, this becomes a goldmine of sensitive data.
Prompt Injection Attacks
Malicious content in a webpage or document can issue hidden instructions to Copilot, tricking it into exfiltrating data or taking unintended actions.
Cloud Data Transmission
Queries, context snippets, and screen data are sent to Microsoft's servers. On a misconfigured network, this traffic may be intercepted or logged.
Excessive App Permissions
Copilot plugins and third-party extensions can request broad OS permissions — calendar, contacts, file system — that far exceed what they need.
Oversharing in Prompts
Users habitually paste sensitive data (passwords, PII, financial info) into Copilot chat. That content leaves your device.
Telemetry Overreach
Diagnostic and usage telemetry is enabled by default and includes AI interaction metadata that cannot be fully audited by the end user.
Copilot+ Elevated Hardware Trust
Copilot+ PCs ship with an NPU and relaxed Secure Boot requirements in some configurations, potentially weakening the firmware trust chain.
Social Engineering Amplification
A convincing AI voice dramatically lowers user suspicion of phishing attempts that impersonate Copilot-style interfaces.
03 Data Privacy Concerns
The single biggest privacy concern is what leaves your machine and when. Here's what Microsoft collects by default when Copilot features are active:
- Your Copilot chat prompts and conversation history (stored for up to 30 days in Microsoft's cloud)
- Recall snapshots — encrypted locally, but the encryption key is tied to your Windows Hello / TPM credentials
- Bing search context when Copilot searches the web on your behalf
- App usage patterns to improve Copilot's contextual suggestions
"We are essentially training users to hand their entire digital memory to a system they cannot audit, running on servers they do not control."
— Kevin Beaumont, Security Researcher, on Recall (2024)
04 Network & Telemetry Traffic
Even with privacy settings tightened, a standard Windows 11 install with Copilot enabled communicates with dozens of Microsoft endpoints. Key ones to know:
copilot.microsoft.com → Main Copilot API
bing.com / bingapis.com → Web search integration
settings-win.data.microsoft.com → Telemetry pipeline
vortex.data.microsoft.com → Diagnostic data (Level 1–4)
inference.location.live.net → Location inference for Copilot context
cognitiveservices.azure.com → AI model inference (varies by feature)
On a corporate network or a home network with a capable firewall (pfSense, OPNsense, Pi-hole), you can selectively block telemetry endpoints while keeping core Copilot features functional. Blocking all Microsoft AI endpoints wholesale will break features including OneDrive sync and Microsoft Defender cloud protection — so be surgical.
05 Disabling & Scoping Copilot
The first step is deciding your threat model: Do you want Copilot off entirely, or do you want it scoped to a safe subset of functionality? Here are both paths.
Option A — Disable Copilot Completely (Windows Settings)
1. Go to Settings → Personalization → Taskbar and toggle Copilot (preview) to Off. This removes the taskbar button and the Win+C shortcut.
2. Go to Settings → Privacy & Security → Search Permissions. Disable Cloud content search for both Microsoft account and Work/School account.
3. Disable Recall: Settings → Privacy & Security → Recall & Snapshots → toggle Recall Off. Delete any existing snapshot history.
Option B — Disable via Group Policy (Pro / Enterprise)
Computer Configuration
└── Administrative Templates
└── Windows Components
└── Windows Copilot
→ "Turn off Windows Copilot" [ENABLED]
User Configuration
└── Administrative Templates
└── Windows Components
└── Windows Copilot
→ "Turn off Windows Copilot" [ENABLED]
Option C — Disable via Registry (Home Edition)
# Disable Copilot system-wide
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot" /v TurnOffWindowsCopilot /t REG_DWORD /d 1 /f
# Disable Recall snapshots
reg add "HKCU\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 1 /f
# Reduce Telemetry to Security level (0); Pro/Home treat 0 as 1 (Required), only Enterprise/Education honour 0
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
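Once the keys are written (by the reg add commands above or by the Option B Group Policy, which lands in the same Policies hives), it is worth checking that they actually stuck, since a later policy refresh or a Windows feature update can silently reset them. The audit script below is an added example, not part of the original snippet and not a Microsoft-provided tool; it assumes the value names and paths listed above and treats a missing key as "not configured".

```powershell
# Added example: audit the Copilot / Recall / telemetry policy values from Option B and C.
# Both the HKLM and HKCU WindowsCopilot keys are checked because the Group Policy setting
# exists under Computer Configuration and User Configuration.

function Get-CopilotPolicyState {
    [CmdletBinding()]
    param()

    # Each entry: where the value should live, its name, and the value that means "hardened".
    $checks = @(
        @{ Control = 'Copilot disabled (machine)';  Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot'; Name = 'TurnOffWindowsCopilot'; Expected = 1 }
        @{ Control = 'Copilot disabled (user)';     Path = 'HKCU:\Software\Policies\Microsoft\Windows\WindowsCopilot'; Name = 'TurnOffWindowsCopilot'; Expected = 1 }
        @{ Control = 'Recall disabled (user)';      Path = 'HKCU:\Software\Policies\Microsoft\Windows\WindowsAI';      Name = 'DisableAIDataAnalysis'; Expected = 1 }
        @{ Control = 'Telemetry at Security level'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'; Name = 'AllowTelemetry';         Expected = 0 }
    )

    foreach ($c in $checks) {
        # Get-ItemProperty throws when the key or value is missing; missing means "not configured".
        $actual = $null
        try {
            $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction Stop
            $actual = $item.$($c.Name)
        } catch {
            $actual = $null
        }

        [pscustomobject]@{
            Control  = $c.Control
            Path     = $c.Path
            Name     = $c.Name
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { 'not configured' } else { $actual }
            Hardened = ($actual -eq $c.Expected)   # $null never equals 0 or 1 here
        }
    }
}

# Print the table and exit non-zero if anything drifted, so the script can run from a scheduled task.
$state = Get-CopilotPolicyState
$state | Format-Table Control, Hardened, Actual, Expected, Path -AutoSize
if ($state | Where-Object { -not $_.Hardened }) { exit 1 }
```

Run it from the same account you hardened, since the HKCU values are per user; a non-zero exit code makes it easy to wire into a login script or monitoring check.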
06 Hardening the OS Layer
Copilot security is meaningless if the underlying OS is weak. These are the non-negotiable baseline controls — and yes, several of them are off by default.
Enable & Enforce BitLocker
If an attacker gets physical access to your machine, BitLocker is the only thing standing between them and your Recall snapshots, your credentials, and your documents.
# Encrypt C: with XTS-AES-256 and require TPM + PIN at boot (replace YourPIN with your own)
Enable-BitLocker -MountPoint "C:" `
-EncryptionMethod XtsAes256 `
-UsedSpaceOnly `
-TpmAndPinProtector `
-Pin (ConvertTo-SecureString "YourPIN" -AsPlainText -Force)
Credential Guard & Memory Integrity
These features prevent credential theft attacks (Pass-the-Hash, Pass-the-Ticket) that can escalate to full system compromise — exactly the scenario where an attacker then pivots to your Recall database.
Memory Integrity → ON
Credential Guard → ON (Enterprise/Pro only)
Kernel DMA Protection → Verify it shows "ON" — requires hardware support
Windows Hello & Passwordless Auth
Since the Recall encryption key is tied to Windows Hello credentials, weak Windows Hello setup = weak Recall protection. Enforce a strong PIN (6+ digits) or biometrics. Disable password-only sign-in as a fallback if possible.
Attack Surface Reduction (ASR) Rules
ASR rules are part of Microsoft Defender and specifically block techniques used to compromise AI-integrated apps through malicious Office documents, scripts, and process injection — the exact attack vectors most likely to weaponize Copilot via prompt injection.
# Add-MpPreference appends to the configured rule list. Set-MpPreference replaces the whole
# list, so three consecutive Set- calls would leave only the last rule enabled.
# Block Office apps from creating child processes
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
# Block credential stealing from LSASS
Add-MpPreference -AttackSurfaceReductionRules_Ids 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B0 -AttackSurfaceReductionRules_Actions Enabled
# Block untrusted and unsigned processes from USB
Add-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -AttackSurfaceReductionRules_Actions Enabled
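The four controls in this section are the ones most often assumed to be on when they are not (Credential Guard in particular needs hardware and licence support and can fail silently). The following verification script is an added example, not from the original post or from Microsoft; it reads the BitLocker protector list, the Device Guard status class that reports Memory Integrity and Credential Guard, and the ASR rule table from Defender, and assumes the three rule GUIDs above. Run it elevated.

```powershell
# Added example: verify the section 06 controls on this machine (requires an elevated session).

# The three ASR rule GUIDs used above, mapped to names for readable output.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office apps from creating child processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B0' = 'Block credential stealing from LSASS'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted and unsigned processes from USB'
}

function Test-BitLockerTpmPin {
    param([string]$MountPoint = 'C:')
    try {
        $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Control = "BitLocker TPM+PIN on $MountPoint"; Passed = $false; Detail = 'BitLocker not available' }
    }
    # A TPM+PIN protector has KeyProtectorType 'TpmPin'; protection must also be switched On.
    $hasTpmPin = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin').Count -gt 0
    [pscustomobject]@{
        Control = "BitLocker TPM+PIN on $MountPoint"
        Passed  = ($vol.ProtectionStatus -eq 'On') -and $hasTpmPin
        Detail  = "Status=$($vol.ProtectionStatus) Method=$($vol.EncryptionMethod) Protectors=$(@($vol.KeyProtector.KeyProtectorType) -join ',')"
    }
}

function Test-VirtualizationBasedSecurity {
    # SecurityServicesRunning codes: 1 = Credential Guard, 2 = Memory Integrity (HVCI).
    $dg      = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $running = @($dg.SecurityServicesRunning)
    [pscustomobject]@{ Control = 'Memory Integrity (HVCI)'; Passed = ($running -contains 2); Detail = "Running=$($running -join ',')" }
    [pscustomobject]@{ Control = 'Credential Guard';        Passed = ($running -contains 1); Detail = "Running=$($running -join ',')" }
}

function Test-AsrRules {
    param([hashtable]$Rules = $asrRules)
    $pref = Get-MpPreference
    # Ids and Actions are parallel arrays; action 1 = Block ("Enabled"), 2 = Audit, 6 = Warn.
    $ids  = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })
    $acts = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
    foreach ($id in $Rules.Keys) {
        $idx = -1
        for ($i = 0; $i -lt $ids.Count; $i++) { if ($ids[$i] -ieq $id) { $idx = $i; break } }
        $action = if ($idx -ge 0 -and $idx -lt $acts.Count) { [int]$acts[$idx] } else { $null }
        [pscustomobject]@{
            Control = "ASR: $($Rules[$id])"
            Passed  = ($action -eq 1)
            Detail  = if ($null -ne $action) { "Action=$action" } else { 'not configured' }
        }
    }
}

$results = @(Test-BitLockerTpmPin) + @(Test-VirtualizationBasedSecurity) + @(Test-AsrRules)
$results | Format-Table Control, Passed, Detail -AutoSize
```

An ASR rule reporting Action=2 is in audit mode: Defender logs what it would have blocked but lets it run, which is a sensible first week of rollout but not a finished state.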
07 Network Hardening
Windows Firewall Outbound Rules
By default, Windows Firewall allows all outbound traffic. Flipping this is one of the highest-impact changes you can make, but it does require some careful allow-listing or you'll break things.
# Block outbound by default — then allow-list what you need
Set-NetFirewallProfile -Profile Domain,Public,Private -DefaultOutboundAction Block
# Example: allow HTTPS outbound for one browser only; add an equivalent rule for every other program you rely on
New-NetFirewallRule -DisplayName "Allow HTTPS Out" -Direction Outbound `
-Action Allow -Protocol TCP -RemotePort 443 `
-Program "C:\Program Files\Google\Chrome\Application\chrome.exe"
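The practical problem with default-deny outbound is knowing what to allow-list before (and after) you flip the switch. Windows Firewall can log every dropped packet, and a short parser over that log turns "something broke" into a list of destinations you can decide on one by one. The script below is an added example, not part of the original post or a Microsoft tool; the log line format is the standard pfirewall.log W3C layout, and the sample lines are constructed (RFC 5737 documentation addresses), so the parser runs offline.

```powershell
# Added example: enable dropped-packet logging, then summarise outbound drops to build the allow-list.

# Step 1 (run once, elevated): log blocked connections for every profile.
# Set-NetFirewallProfile -Profile Domain,Public,Private -LogBlocked True `
#     -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' -LogMaxSizeKilobytes 16384

function ConvertFrom-FirewallLog {
    # Parses pfirewall.log lines (space separated W3C fields); header lines start with '#'.
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ([string]::IsNullOrWhiteSpace($Line) -or $Line.StartsWith('#')) { return }
        $f = $Line -split ' '
        if ($f.Count -lt 17) { return }   # truncated line, or an older format without the path field
        [pscustomobject]@{
            Time     = "$($f[0]) $($f[1])"
            Action   = $f[2]
            Protocol = $f[3]
            SrcIp    = $f[4]
            DstIp    = $f[5]
            SrcPort  = $f[6]
            DstPort  = $f[7]
            Path     = $f[16]   # SEND = outbound, RECEIVE = inbound
        }
    }
}

function Get-OutboundDropSummary {
    # Groups outbound drops by destination so each output row is one allow-list decision.
    param([Parameter(ValueFromPipeline)]$Entry)
    begin { $rows = @() }
    process { if ($Entry.Action -eq 'DROP' -and $Entry.Path -eq 'SEND') { $rows += $Entry } }
    end {
        $rows | Group-Object DstIp, Protocol, DstPort | ForEach-Object {
            [pscustomobject]@{
                Destination = $_.Group[0].DstIp
                Protocol    = $_.Group[0].Protocol
                Port        = $_.Group[0].DstPort
                Drops       = $_.Count
                LastSeen    = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
            }
        } | Sort-Object Drops -Descending
    }
}

# Constructed sample in pfirewall.log format. Replace with:
#   Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 10:22:13 DROP TCP 192.168.1.10 203.0.113.20 50321 443 52 S 3216547891 0 64240 - - - SEND
2024-05-01 10:22:14 DROP TCP 192.168.1.10 203.0.113.20 50322 443 52 S 3216547900 0 64240 - - - SEND
2024-05-01 10:22:20 DROP UDP 192.168.1.10 198.51.100.5 61000 53 60 - - - - - - - SEND
2024-05-01 10:22:31 DROP TCP 198.51.100.77 192.168.1.10 44510 445 52 S 11223344 0 64240 - - - RECEIVE
2024-05-01 10:22:40 ALLOW TCP 192.168.1.10 203.0.113.9 50330 443 52 S 99887766 0 64240 - - - SEND
'@ -split "`r?`n"

# Expected on the sample: 203.0.113.20/TCP/443 with 2 drops, 198.51.100.5/UDP/53 with 1 drop;
# the inbound drop and the allowed connection are excluded.
$sampleLog | ConvertFrom-FirewallLog | Get-OutboundDropSummary | Format-Table -AutoSize
```

Each row still needs a human decision: look up which process owns the connection (the log does not record it) before writing a New-NetFirewallRule for it, rather than allow-listing a destination blindly.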
DNS Filtering with Pi-hole or NextDNS
A DNS sinkhole is the simplest way to block Copilot telemetry and AI endpoints at the network level, without touching individual machine configs. It also protects every device on your network simultaneously.
Use the OISD blocklist (oisd.nl) combined with a custom blocklist targeting Microsoft telemetry domains. NextDNS offers a ready-made "Microsoft" block category in its dashboard — usable in under 5 minutes.
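Putting section 04 and this section together: the "be surgical" advice means the blocklist should contain the telemetry and inference endpoints but leave the domains core Copilot features depend on resolvable, and you want to verify that the resolver really does what the dashboard claims. The script below is an added example, not part of the original post and not a Pi-hole or NextDNS tool; it splits the section 04 endpoints into a block list and a keep list (adjust both to your threat model), writes the block list in hosts syntax, and queries a resolver whose address is assumed to be 127.0.0.1.

```powershell
# Added example: generate a sinkhole list from the section 04 endpoints and verify resolver behaviour.

# Telemetry and inference endpoints from section 04 that can be sinkholed.
$blockDomains = @(
    'settings-win.data.microsoft.com'
    'vortex.data.microsoft.com'
    'inference.location.live.net'
)

# Endpoints core Copilot / Bing functionality depends on; deliberately left resolvable.
$keepDomains = @(
    'copilot.microsoft.com'
    'bing.com'
    'bingapis.com'
    'cognitiveservices.azure.com'
)

function New-SinkholeList {
    # Emits hosts-file syntax, which Pi-hole accepts as an adlist source.
    param([string[]]$Domains)
    foreach ($d in $Domains) { "0.0.0.0 $d" }
}

function Test-SinkholeResolution {
    # Queries the resolver in -Server and classifies each domain as blocked or resolving.
    # A sinkhole answers with 0.0.0.0 / :: (Pi-hole default) or NXDOMAIN; anything else "resolves".
    param(
        [string[]]$Block,
        [string[]]$Keep,
        [string]$Server = '127.0.0.1'   # assumption: the sinkhole resolver listens locally
    )
    $sinkholeAnswers = @('0.0.0.0', '::', '::1', '127.0.0.1')
    $plan = @($Block | ForEach-Object { @{ Domain = $_; Want = 'blocked'  } }) +
            @($Keep  | ForEach-Object { @{ Domain = $_; Want = 'resolves' } })

    foreach ($entry in $plan) {
        $got = 'resolves'
        try {
            $answers = Resolve-DnsName -Name $entry.Domain -Type A -Server $Server -DnsOnly -ErrorAction Stop |
                       Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress
            # No A records, or only sinkhole addresses, counts as blocked.
            if (-not $answers -or @($answers | Where-Object { $_ -notin $sinkholeAnswers }).Count -eq 0) {
                $got = 'blocked'
            }
        } catch {
            $got = 'blocked'   # NXDOMAIN / SERVFAIL from the sinkhole
        }
        [pscustomobject]@{
            Domain  = $entry.Domain
            Wanted  = $entry.Want
            Got     = $got
            Correct = ($got -eq $entry.Want)
        }
    }
}

# Write the list for Pi-hole (serve it over HTTP or paste its contents into Adlists), then verify.
New-SinkholeList -Domains $blockDomains | Set-Content -Path '.\copilot-telemetry.hosts'
Test-SinkholeResolution -Block $blockDomains -Keep $keepDomains -Server '127.0.0.1' | Format-Table -AutoSize
```

A row with Wanted=resolves and Got=blocked is the "I broke OneDrive/Defender" case from section 04 in miniature; run the check again after every blocklist update, because community lists change underneath you.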
TLS Inspection Considerations
If you're running a corporate firewall that does TLS inspection, be aware that Microsoft Copilot endpoints use certificate pinning in some configurations, which will cause connection failures if your CA chain isn't correctly deployed. This is a common source of broken Copilot in enterprise environments — not a security bug, but worth knowing.
08 Enterprise & Policy Controls
If you manage a fleet of Windows 11 devices, you have much more powerful tools available — and much more at stake.
Microsoft Intune / MDM Policies
Intune provides dedicated CSP (Configuration Service Provider) policies for Copilot and AI features. Key policies to configure via Intune or Endpoint Manager:
- Experience/AllowCopilot — 0 to disable entirely
- WindowsAI/DisableAIDataAnalysis — Disables Recall
- WindowsAI/SetCopilotHardwareKey — Forces Recall to use TPM-bound keys only
- DataCollection/AllowTelemetry — Set to 1 (Required only) or 0 (Security, Enterprise only)
Microsoft Purview & Data Loss Prevention
If your users are on Microsoft 365 with Copilot enabled, configure Purview DLP policies to prevent Copilot from accessing documents labelled as Confidential or Highly Confidential. This prevents the common scenario where Copilot helpfully summarises a sensitive document and emails that summary to the wrong person.
Privileged Access Workstations (PAWs)
For admin accounts and privileged users: disable Copilot entirely on PAWs. The risk of prompt injection or accidental data disclosure is simply too high on a machine that has domain admin or global admin credentials cached.
09 Quick-Reference Hardening Checklist
Use this as your go-to reference. Sorted by category and difficulty.
| Control | Where to Apply | Difficulty |
|---|---|---|
| Disable Copilot taskbar button | Settings → Personalization → Taskbar | Easy |
| Disable Recall / Snapshots | Settings → Privacy → Recall | Easy |
| Set telemetry to minimum level | Registry / Group Policy | Easy |
| Enable BitLocker with TPM + PIN | PowerShell / Settings | Medium |
| Enable Memory Integrity (HVCI) | Windows Security → Core Isolation | Easy |
| Enable Attack Surface Reduction rules | PowerShell / Intune | Medium |
| Deploy DNS sinkhole (Pi-hole/NextDNS) | Network / Router | Medium |
| Restrict Copilot via Group Policy | gpedit.msc / Intune | Medium |
| Audit M365 / SharePoint permissions | Microsoft Purview | Advanced |
| Configure Intune Copilot CSP policies | Endpoint Manager | Advanced |
| Enable Credential Guard | Group Policy / Registry | Advanced |
| Default-deny outbound firewall rules | Windows Firewall / NGFW | Advanced |
| Disable Copilot on PAWs / Admin machines | Group Policy / Intune | Medium |
| Deploy DLP policies for Copilot in M365 | Microsoft Purview | Advanced |
10 Final Verdict
Windows Copilot is genuinely useful — I use it myself. But Microsoft's default configuration prioritises convenience and feature adoption over security and privacy. That's a business decision, not malice. And it means the burden falls on us — the users, the IT admins, the engineers — to make deliberate choices.
The good news: every risk outlined in this post has a mitigation. None of them require you to give up AI features entirely (unless you want to). What they require is about two hours of careful configuration, and a basic understanding of your own threat model.
Ask yourself these three questions:
- Who has physical access to this machine? → BitLocker + Recall disabled
- Is sensitive work data on this machine? → Scope Copilot access, disable cloud content search
- Am I managing multiple machines for others? → Intune policies + Purview DLP are non-negotiable