CoinStats

IT teams race to disable built-in AI features across Microsoft, Google, Apple

3h ago

AI is no longer knocking before it walks into the office. It is already embedded in word processors, browsers, email clients, and operating systems, often without anyone asking for it. For IT administrators and corporate security teams trying to disable the built-in AI features that corporate software now ships with by default, the challenge is not just technical. It is a moving target across Microsoft, Google, and Apple, each with its own logic, policies, and exceptions.

This guide, based on research by security author Stan Kaminsky, breaks down how to detect and shut down AI assistants inside Microsoft, Google, and Apple products on corporate devices. In practice, the job usually takes more than one layer: policy settings, network blocking, and sometimes executable restrictions.

Why companies want built-in AI turned off

The AI integrations appearing in everyday tools are not inherently malicious. However, they raise real concerns for security-conscious organizations. Data processed by AI assistants can leave the corporate perimeter, while employees may also share sensitive information through prompts without meaning to. In regulated industries such as finance, healthcare, and legal services, compliance rules often demand tighter control over data flows.

That is why blocking built-in AI has become a priority for a growing number of IT teams. The approach usually starts with policy configuration, then adds network-level domain blocking, and in some cases executable-level restrictions as well.

How to detect and disable Microsoft 365 Copilot

Microsoft 365 Copilot sits near the top of the list for many enterprise environments because it is deeply embedded across Teams, Outlook, Word, and other Office tools. As a result, efforts to disable Microsoft 365 Copilot often begin with visibility before restriction.

Detecting Copilot usage through admin logs

Before blocking anything, admins need to understand what is actually running. Microsoft 365 Copilot usage can be detected through the admin portal by navigating to Microsoft 365 Admin → Copilot Usage Report. That report shows which users are actively using the tool and how often.

Blocking Copilot with policies and SKU management

To block Microsoft 365 Copilot, admins can go to the Microsoft 365 Admin Center, then Settings → Integrated Apps, locate Copilot in the Available Apps list, and select Block. More granular control is available under Customization → Policy Management, which contains more than two thousand policy entries, so filtering by the keyword “Copilot” is the practical approach.

There is also a financial angle. Since Copilot is a paid add-on, not assigning users the SKUs that include Copilot prevents access while also saving money.

One often-overlooked element is Copilot Chat, which is available separately across Teams, Edge, and Outlook. It needs to be blocked independently using a dedicated process, because the main Copilot block will not catch it on its own.

Using domain blocking as a secondary layer

For an extra layer of protection, admins can block copilot.cloud.microsoft and m365.cloud.microsoft/chat at the web filter or next-generation firewall level. However, Microsoft explicitly warns that this approach may break other Microsoft 365 features, so it should be treated as a secondary measure rather than the primary one.

Turning off Windows Copilot and the Edge Copilot sidebar

Windows Copilot disablement through Group Policy

Windows Copilot operates at the operating system level, which means detection relies on monitoring network logs for traffic hitting copilot.microsoft.com, bing.com/chat, or edgeservices.bing.com. To disable it, admins need to use Group Policy at Computer Config → Admin Templates → Windows Components → Windows Copilot.

In the Microsoft 365 Group Policy admin center, the setting “Block consumer Copilot for organizational accounts” adds another layer of control. If policy alone is not enough, blocking the Copilot.exe executable prevents it from running.

Disabling the Copilot sidebar in Microsoft Edge

The Copilot sidebar in Microsoft Edge is a separate issue. Detection works the same way through NGFW and network log traffic to the domains above. To disable it, admins need to configure several Edge Group Policy settings specifically:

  • HubsSidebarEnabled = false
  • EdgeShoppingAssistantEnabled = false
  • CopilotPageContext = Disabled (false)
  • CopilotNewTabPageEnabled = false
  • Microsoft365CopilotChatIconEnabled = false
  • GenAILocalFoundationalModelSettings = 1

That last setting is worth noting: disabling this feature requires a value of 1, not 0. The same domain-blocking approach covering copilot.cloud.microsoft and m365.cloud.microsoft/chat also applies here, with the same caveat about possible disruption to other Microsoft services.
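As an added example (not part of the original article), the following script audits a machine's Edge policy values against the list above. It assumes the values were exported with `reg query HKLM\SOFTWARE\Policies\Microsoft\Edge`; the sample output is constructed, and booleans are compared as the DWORD 0/1 they are stored as.

```python
import re

# Baseline exactly as listed in the article (false is stored as DWORD 0).
EDGE_BASELINE = {
    "HubsSidebarEnabled": 0,
    "EdgeShoppingAssistantEnabled": 0,
    "CopilotPageContext": 0,
    "CopilotNewTabPageEnabled": 0,
    "Microsoft365CopilotChatIconEnabled": 0,
    "GenAILocalFoundationalModelSettings": 1,  # inverted: 1 disables, not 0
}

# Constructed sample of `reg query` output, not captured from a real host.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge
    HubsSidebarEnabled    REG_DWORD    0x0
    EdgeShoppingAssistantEnabled    REG_DWORD    0x0
    CopilotPageContext    REG_DWORD    0x1
    Microsoft365CopilotChatIconEnabled    REG_DWORD    0x0
    GenAILocalFoundationalModelSettings    REG_DWORD    0x0
"""

VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

def parse_reg_dwords(text):
    """Return {value name: int} for every REG_DWORD line in reg query output."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            values[match.group(1)] = int(match.group(2), 16)
    return values

def audit_edge(text, baseline=EDGE_BASELINE):
    """Return {policy: problem}; an unset policy is a finding, not a pass."""
    actual = parse_reg_dwords(text)
    findings = {}
    for name, wanted in baseline.items():
        if name not in actual:
            findings[name] = "not configured"
        elif actual[name] != wanted:
            findings[name] = f"is {actual[name]}, expected {wanted}"
    return findings

if __name__ == "__main__":
    for name, problem in audit_edge(SAMPLE_REG_OUTPUT).items():
        print(f"{name}: {problem}")
```

The sample reports three findings, including `GenAILocalFoundationalModelSettings` set to 0, the value an admin would pick by analogy with the other settings.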

How to block Google Gemini Assistant and Chrome AI features

Disabling Gemini Assistant in Google Workspace

Google’s AI footprint in enterprise environments runs mainly through Gemini Assistant in Workspace and through Gemini features built into Chrome. For Workspace, admins can check the Gemini usage report section inside the Admin Console at admin.google.com. That makes it easier to see who is using Gemini Assistant before any block goes live.

To turn off Gemini Assistant in Google Workspace, the path is Admin Console → Apps → Additional Google services → Gemini app → set to OFF. Admins should also go to Manage Workspace Smart Feature Settings → Smart Features in Google Workspace and set that to OFF as well. Both steps are needed for complete coverage.

At the network level, blocking traffic to gemini.google.com, bard.google.com, and aistudio.google.com adds another barrier.

Blocking Gemini in Google Chrome with enterprise policies

For Chrome, admins can detect AI activity through Chrome Enterprise reports under Chrome Management → Reports, or by watching for network connections to the same Google AI domains. Disabling Gemini features in Chrome requires configuring these Chrome Enterprise policy settings: GenAILocalFoundationalModelSettings = 0, HelpMeWriteSettings = 2, TabOrganizerSettings = 2, CreateThemesSettings = 2, and DevToolsGenAiSettings = 2.

The same AI domain blocks apply here. Organizations should also consider blocking unauthorized Chrome or Chromium installations outside policy management using host-based application control tools such as EPP, EDR solutions, or AppLocker.

Apple Intelligence AI management through MDM profiles

Disabling Apple Intelligence features one by one

Apple Intelligence creates a different kind of challenge. Unlike Microsoft and Google, Apple does not provide a master switch that turns off all AI features at once. Instead, every capability has to be disabled individually through MDM profile settings. That makes managing Apple Intelligence more manual, but it also gives administrators precise control.

In MDM profiles, admins need to set the following keys to false: allowWritingTools, allowMailSummary, allowGenmoji, allowImagePlayground, allowImageWand, allowPersonalizedHandwritingResults, allowExternalIntelligenceIntegrations, allowExternalIntelligenceIntegrationsSignIn, allowNotesTranscription, and allowNotesTranscriptionSummary. Each key covers a distinct Apple Intelligence capability, so missing even one leaves a gap. Notably, despite Apple’s broader move toward declarative device management, these AI features still require traditional MDM payload configuration.
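As an added example (not from the original article), this check parses a configuration profile and reports which of the ten keys above are missing or not set to false. It assumes an unsigned `.mobileconfig` plist whose keys sit in a Restrictions payload (`com.apple.applicationaccess`), and that a key counts as disabled if any such payload sets it to false; the sample profile is constructed.

```python
import plistlib

RESTRICTIONS = "com.apple.applicationaccess"  # Restrictions payload type

# The ten keys listed in the article; each must be explicitly false.
AI_KEYS = [
    "allowWritingTools", "allowMailSummary", "allowGenmoji",
    "allowImagePlayground", "allowImageWand",
    "allowPersonalizedHandwritingResults",
    "allowExternalIntelligenceIntegrations",
    "allowExternalIntelligenceIntegrationsSignIn",
    "allowNotesTranscription", "allowNotesTranscriptionSummary",
]

def build_sample_profile():
    """Constructed profile bytes: two keys omitted, one left at true."""
    restrictions = {key: False for key in AI_KEYS}
    restrictions["allowImageWand"] = True
    del restrictions["allowMailSummary"]
    del restrictions["allowNotesTranscription"]
    restrictions["PayloadType"] = RESTRICTIONS
    profile = {
        "PayloadType": "Configuration",
        "PayloadContent": [restrictions, {"PayloadType": "com.apple.wifi.managed"}],
    }
    return plistlib.dumps(profile)

def audit_profile(data):
    """Return {key: problem} for every AI key the profile fails to disable."""
    profile = plistlib.loads(data)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == RESTRICTIONS]
    gaps = {}
    for key in AI_KEYS:
        seen = [p[key] for p in payloads if key in p]
        if not seen:
            gaps[key] = "missing"        # never mentioned, so never restricted
        elif False not in seen:
            gaps[key] = "set to true"    # mentioned, but still allowed
    return gaps

if __name__ == "__main__":
    for key, problem in audit_profile(build_sample_profile()).items():
        print(f"{key}: {problem}")
```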

Why network blocking is harder on mobile Apple devices

On the detection side, traffic hitting apple-relay.apple.com and *.apple-cloudkit.com at the firewall or web filter level signals that Apple Intelligence is active. Blocking those domains adds another layer of protection.

However, mobile devices complicate the picture. Network-level domain blocking only works while devices are connected to the corporate network. Once an employee’s iPhone or iPad moves to a personal network, those blocks disappear. Because of this, MDM profiles are not just helpful for Apple devices that move between work and personal connectivity; they are the only reliable mechanism.
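As an added example (not part of the original article), the detection side can be sketched as a scan of web-proxy logs for the domains named in the Microsoft, Google, and Apple sections above. The log format (`timestamp user method url`), the user names, and the sample lines are constructed, and the sketch assumes the proxy records full URLs so the `/chat` path indicators can be told apart from other Microsoft 365 and Bing traffic.

```python
from urllib.parse import urlsplit

# (host, path prefix, product) taken from the article. "*." matches any
# subdomain; an empty prefix matches every path on that host.
INDICATORS = [
    ("copilot.cloud.microsoft", "", "Microsoft 365 Copilot"),
    ("m365.cloud.microsoft", "/chat", "Microsoft 365 Copilot"),
    ("copilot.microsoft.com", "", "Windows/Edge Copilot"),
    ("bing.com", "/chat", "Windows/Edge Copilot"),
    ("edgeservices.bing.com", "", "Windows/Edge Copilot"),
    ("gemini.google.com", "", "Google Gemini"),
    ("bard.google.com", "", "Google Gemini"),
    ("aistudio.google.com", "", "Google Gemini"),
    ("apple-relay.apple.com", "", "Apple Intelligence"),
    ("*.apple-cloudkit.com", "", "Apple Intelligence"),
]

# Constructed sample log lines (hosts under apple-cloudkit.com are made up).
SAMPLE_LOG = """\
2025-01-01T09:00:01Z alice GET https://m365.cloud.microsoft/chat/session
2025-01-01T09:00:02Z alice GET https://m365.cloud.microsoft/files/recent
2025-01-01T09:00:03Z bob GET https://www.bing.com/chat?form=x
2025-01-01T09:00:04Z bob GET https://www.bing.com/search?q=weather
2025-01-01T09:00:05Z carol POST https://sync.apple-cloudkit.com/api
2025-01-01T09:00:06Z dave GET https://gemini.google.com.example.net/
"""

def classify(url):
    """Return the product a URL belongs to, or None if it is not listed."""
    parts = urlsplit(url)
    # Assumption: a leading "www." is treated as the same site.
    host = (parts.hostname or "").lower().removeprefix("www.")
    path = parts.path or "/"
    for pattern, prefix, product in INDICATORS:
        wildcard = pattern.startswith("*.")
        host_ok = host.endswith(pattern[1:]) if wildcard else host == pattern
        # Match "/chat" and "/chat/..." but not "/chatter".
        path_ok = not prefix or path == prefix or path.startswith(prefix + "/")
        if host_ok and path_ok:
            return product
    return None

def scan(log_text):
    """Return {user: set of AI products seen in that user's traffic}."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        product = classify(fields[3]) if len(fields) == 4 else None
        if product:
            hits.setdefault(fields[1], set()).add(product)
    return hits
```

Matching on the exact host plus path keeps ordinary Microsoft 365 and Bing requests out of the results, which is the same distinction that makes whole-domain blocking risky for other services.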

What IT and security teams should keep in mind

Disabling built-in AI features is hard because no single step solves the problem. Multiple tools now carry their own AI components, effective blocking usually requires several layers, and aggressive domain blocking can disrupt unrelated functionality.

The multi-platform reality is not slowing down. Microsoft, Google, and Apple are all moving fast to embed AI across their ecosystems, which means IT teams are not dealing with a one-time governance decision. Instead, they are managing AI control as an ongoing operational task that will need revisiting whenever major updates land. For organizations in highly regulated industries, treating this as a set-and-forget configuration would be a mistake.
