Microsoft has pushed the button on a long-dreaded rollout: as of mid-June 2026, the company resumed automatically installing the Microsoft 365 Copilot app on eligible commercial Windows 10 and Windows 11 machines, triggering immediate blowback from enterprise IT administrators and sparking a formal investigation by Italy’s competition authority. The move, which catches many organizations off guard, revives fears over user consent, software bundling, and the creeping AI-ification of workplace tools without proper governance.

For months, enterprise customers had been bracing for this moment. Microsoft initially paused a similar automatic installation push in late 2025 after widespread complaints that admins were losing control over their managed environments. Now, with the broadest wave yet hitting Microsoft 365 Apps enterprise channels, IT teams are scrambling to assess the impact on system performance, licensing compliance, and data sovereignty.

The auto-install is not a silent background trickle. Affected users on Windows 10 22H2 and Windows 11 23H2 and 24H2 report suddenly finding a new Copilot icon pinned to their taskbars and a full-blown Progressive Web App (PWA) appearing in their Start menus. The app, which connects to Microsoft’s cloud AI services, consumes additional disk space and, critically, prompts users to sign in with a work account—potentially exposing sensitive organizational data to AI processing without explicit administrator approval.

How the auto-install works

Microsoft is delivering the Copilot app through its standard Microsoft 365 update channels, including Current Channel, Monthly Enterprise Channel, and Semi-Annual Enterprise Channel (Preview). The deployment is tied to a feature update within the Microsoft 365 Apps suite, meaning that customers who have automatic updates enabled for Office are most likely to see the new app appear. According to internal Microsoft documentation seen by WindowsNews.ai, the rollout began on June 18, 2026, with a gradual ramp targeting all eligible tenants with Microsoft 365 E3, E5, Business Premium, and Business Standard licenses.

The installation does not require local administrator privileges. It runs under the system context as part of the Click-to-Run servicing pipeline, which has long been used for Office updates. This design effectively bypasses traditional software deployment controls like Group Policy or Microsoft Intune unless specific policies have been configured in advance to block it. Microsoft did provide a set of administrative templates in early 2026 to let organizations opt out, but many IT departments either missed the announcement or found the controls cumbersome to implement across hybrid environments.

Once installed, Copilot latches onto Microsoft Edge WebView2, meaning it shares a runtime with many line-of-business apps. Early adopters report that the browser-based AI assistant consumes between 200 MB and 400 MB of RAM when idle—not dramatic, but enough to tip older machines with 8 GB of memory into uncomfortable territory during multitasking. More worrying, the app’s sign-in flow encourages users to authenticate with their Azure AD credentials, which could inadvertently grant Copilot access to user-level Microsoft Graph data such as emails, calendar entries, and files unless tenant-wide consent settings have been locked down.

Enterprise IT governance frameworks, from NIST to ISO 27001, depend on the principle of explicit, informed consent before software changes are pushed to managed endpoints. Microsoft’s decision to bundle Copilot into routine Office updates—often classified as “security and feature updates” in one undifferentiated stream—has left admins feeling ambushed. On community forums and social media, sysadmins describe scenarios where hundreds of workstations gained the app overnight, triggering help desk calls from confused users who didn’t know what Copilot was or whether they should use it.

“We have strict policies about which AI tools can touch our intellectual property. Seeing Copilot appear without a change request is a nightmare for compliance,” one IT director at a midsize financial firm told WindowsNews.ai on condition of anonymity. “We had to issue an emergency configuration profile to remove it, and we’re still not sure if any user inadvertently consented to data sharing during the first hours.”

The consent issue extends to end-user license terms. The Copilot app presents a click-through agreement that includes data processing terms governed by Microsoft’s Privacy Statement. For enterprises subject to GDPR, the appearance of such terms on a managed device—especially without prior data protection impact assessments—could constitute a compliance violation. Regulators are taking note.

Italy’s antitrust probe

On July 3, 2026, the Italian Competition Authority (AGCM) announced a formal investigation into Microsoft’s auto-install practices, alleging possible abuse of dominant position and unfair commercial practices. The probe, which falls under Italy’s Consumer Code and competition law, focuses on whether Microsoft leveraged its near-ubiquitous Office install base to force the adoption of Copilot, thereby foreclosing rivals in the rapidly growing enterprise AI assistant market.

The AGCM’s statement, obtained by WindowsNews.ai, says investigators are examining whether “the automatic and unrequested installation of Microsoft 365 Copilot on millions of Windows devices constitutes an aggressive practice that deprives IT administrators and end users of the ability to make a free and informed choice.” The authority has also signaled interest in how user data flows from the Copilot app to Microsoft’s servers, raising the specter of parallel privacy investigations.

Italy has been a thorn in Microsoft’s side before. In 2023, the AGCM fined the company for bundling Teams with Microsoft 365 without giving customers an opt-out. That case eventually led to Microsoft unbundling Teams in European markets. The Copilot probe follows a similar playbook, and legal experts suggest that if the AGCM finds against Microsoft, the company could be forced to offer a clean, AI-free version of Microsoft 365 Apps in the same way it now offers a Teams‑less EEA package.

The Italian move is not isolated. EU competition regulators in Brussels are said to be “monitoring the situation closely,” according to a leaked internal memo. Meanwhile, a coalition of German and French enterprise IT associations has issued a joint statement condemning “the erosion of IT autonomy by multinational software vendors” and calling for clear opt-in mechanisms for any AI features.

Microsoft’s response

Microsoft has not stayed silent. In a statement released the day after the AGCM announcement, the company insisted that the Copilot auto-install is “a feature update designed to help businesses discover and evaluate new productivity tools, with robust controls for IT administrators to manage deployment.” The company pointed to documentation on Group Policy settings, Intune configuration profiles, and the Office Deployment Tool that can prevent the installation.

But many administrators argue that these controls are poorly implemented. The Group Policy setting, for instance, is hidden under Computer Configuration > Administrative Templates > Microsoft Office 2016 (Machine) > Updates and requires setting “Enable automatic installation of Microsoft 365 Copilot” to Disabled. In organizations that have not yet transitioned to cloud-native policy management, deploying this across thousands of devices is a non-trivial task. Furthermore, the setting did not exist in the ADMX templates until February 2026; any organization on an older template revision would have been wide open.

Microsoft also emphasized that Copilot does not “process any organizational data unless a user explicitly interacts with the assistant and grants consent.” However, that assurance misses the point: the installation itself is the violation of consent. And because the app appears with a “Sign in” button, users may be nudged into consent without understanding the implications—a dark pattern that could run afoul of the EU’s Digital Markets Act and Data Act.

A broader pattern of AI bundling

The Copilot auto-install saga is part of a larger trend where tech giants are embedding AI deep into their platforms, often using update mechanisms originally reserved for security patches. Microsoft has already integrated Copilot into Windows 11 as a sidebar (though that remains a preview and is not force-installed), into Edge, and into Bing. The company’s strategy is clear: get Copilot onto as many screens as possible, make it the default AI layer, and collect the usage data needed to train better models and upsell premium subscriptions.

For enterprises, the bundling raises uncomfortable questions. If Microsoft can push Copilot today, what will it push tomorrow? A full-blown AI agent with access to local files? A background service that continuously indexes intranet content? Without clear separations between feature updates and AI software, IT departments risk becoming mere administrators of Microsoft’s product decisions rather than stewards of their own digital workplaces.

Regulators appear to be connecting the dots. In the United States, the Federal Trade Commission has been investigating AI partnerships and acquisitions, and Microsoft’s deepening integration of Copilot into Office and Windows could eventually draw antitrust scrutiny. The European Commission’s upcoming AI Act implementation guidelines, expected later this year, may also address automated software changes that alter the data-processing profile of installed applications.

What enterprises should do now

In the immediate term, IT administrators must audit their Microsoft 365 update channels and enforce the Copilot opt-out if it aligns with their policies. The key settings are:

  • Group Policy: Enable the “Enable automatic installation of Microsoft 365 Copilot” policy and set it to Disabled.
  • Intune: Deploy a configuration profile under Microsoft 365 Apps for enterprise that sets the same value.
  • Office Deployment Tool: Amend the configuration.xml to include <Property Name="AUTOINSTALL_COPILOT" Value="0" /> in the Add section.
  • Registry: For unmanaged devices, navigate to HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate and create a DWORD “autoinstallcopilot” with value 0.

But beyond the technical workaround, organizations need a strategic conversation. Accepting Copilot as just another Office update sets a precedent that could erode software governance permanently. Enterprises should consider moving to Long-Term Servicing Channel (LTSC) versions of Office, which do not include feature updates, or negotiating explicit terms in their Enterprise Agreements that give them control over AI component installation.

Legal departments should also review Microsoft’s data protection addendum relative to Copilot’s data flows. Even if the app is not used, its telemetry settings may be on by default, sending some metadata to Microsoft. For regulated industries, a preemptive data protection impact assessment is advisable.

Looking ahead

The Italy probe is unlikely to conclude quickly, but its impact could ripple far beyond the peninsula. If the AGCM compels Microsoft to offer an opt-out, the company may preemptively apply the remedy globally, as it did with the Teams unbundling. That would give enterprise customers worldwide a cleaner Microsoft 365 experience—at least for a while.

Yet the AI wave will not be held back by a single investigation. Microsoft, Google, and others are betting their futures on AI subscriptions, and getting those tools in front of users is an existential priority. The real question is whether enterprise IT can reclaim its role as gatekeeper, or whether the desktop will become a direct pipeline from Silicon Valley’s servers to employees’ fingers, with consent reduced to a legal fiction.

For now, the June 2026 auto-install marks a turning point. It has awakened regulators, infuriated IT pros, and given every enterprise a stark reminder: in the AI era, the default is no longer your choice.