You configured the Connected Experiences policy for Microsoft 365 apps, but Copilot still shows data or features that should be blocked. The setting appears correct in Group Policy, yet users can still access online content through Copilot. This problem occurs because the policy controls two separate layers: the Microsoft 365 Apps for enterprise client and the Microsoft 365 cloud service. This article explains the root cause and provides the exact steps to enforce the setting across both layers.
Key Takeaways: Enforcing the Copilot Connected Experiences Policy
- Group Policy: Computer Configuration > Administrative Templates > Microsoft Office 2016 > Privacy > Trust Center: Set “Allow the use of connected experiences in Office that analyze content” to Disabled to block Copilot’s online content analysis.
- Cloud Policy service for Microsoft 365: Apply the same setting via the Microsoft 365 admin center > Health > Policy settings to override local Group Policy and enforce the restriction on cloud-connected features.
- Registry key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Privacy\DisableContentAnalysis: Verify this DWORD value is set to 1 to confirm the policy is applied on the client machine.
Why the Connected Experiences Setting Does Not Block Copilot
The Connected Experiences setting in Microsoft 365 Apps for enterprise controls whether the Office client can connect to Microsoft servers for features like grammar checking, translation, or image recognition. When set to Disabled, the client is supposed to prevent Copilot from sending content to the Microsoft Graph for analysis. However, Copilot is not a single feature. It consists of a client-side component in Word, Excel, PowerPoint, and Outlook, and a cloud-side service that runs on Microsoft 365 servers. The Group Policy setting only affects the client-side component. If the cloud service is still enabled, Copilot may continue to generate responses by pulling data from the Microsoft Graph, ignoring the local policy.
Another layer involves the Microsoft 365 Copilot license. When a user has a Copilot for Microsoft 365 license, the tenant-level settings in the Microsoft 365 admin center can override local Group Policy. The admin center includes a policy called “Copilot in Microsoft 365 Apps” that controls whether the Copilot pane appears and whether it can access Microsoft Graph data. If this tenant policy is set to On, it overrides the local DisableContentAnalysis setting, causing Copilot to function despite the connected experiences policy being disabled.
The Registry Key That Matters
The Group Policy setting writes a DWORD value named DisableContentAnalysis to the registry path HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Privacy. When set to 1, the Office client should block all connected experiences that analyze content, including Copilot. If this value is 0 or missing, the client allows content analysis. Even when the value is 1, the cloud service may still respond to queries if the tenant policy permits it. This dual-control architecture is the most common reason the setting does not apply as expected.
Steps to Enforce the Connected Experiences Setting for Copilot
To ensure the Connected Experiences setting blocks Copilot completely, you must configure both the local Group Policy and the Microsoft 365 admin center policy. Follow these steps in order.
- Open the Local Group Policy Editor
Press Windows key + R, type gpedit.msc, and press Enter. Navigate to Computer Configuration > Administrative Templates > Microsoft Office 2016 > Privacy > Trust Center. - Enable the Connected Experiences Policy
Double-click “Allow the use of connected experiences in Office that analyze content.” Select Disabled, then click OK. This prevents the Office client from sending content to Microsoft servers for analysis. The policy applies to Word, Excel, PowerPoint, and Outlook. - Verify the Registry Key
Open Registry Editor by pressing Windows key + R, typing regedit, and pressing Enter. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Privacy. Confirm the DWORD DisableContentAnalysis exists and has a value of 1. If it does not exist, create a new DWORD with that name and value 1. - Sign In to the Microsoft 365 Admin Center
Go to admin.microsoft.com and sign in with a Global Admin or Compliance Admin account. Navigate to Health > Policy settings. - Create a New Cloud Policy
Click Create policy. Enter a name like “Block Copilot Content Analysis.” Under Settings, search for “Allow the use of connected experiences in Office that analyze content.” Set it to Disabled. Under Scope, select the security group or all users. Click Create. - Confirm the Policy Priority
In the Policy settings page, ensure the cloud policy has a higher priority than any conflicting policies. Cloud policies override local Group Policy when both are configured. If a tenant policy for Copilot is set to On, it will still allow Copilot to function. You must also set the tenant policy for Copilot to Off to fully block it. - Set the Copilot Tenant Policy to Off
In the Microsoft 365 admin center, go to Settings > Org settings > Copilot in Microsoft 365 Apps. Set the toggle to Off. This prevents the Copilot pane from appearing in Office apps and stops the cloud service from responding to queries. - Force a Policy Refresh on Client Machines
On a test machine, open a command prompt as administrator and run gpupdate /force. Restart the Office apps. Open a document and try to use Copilot. The Copilot pane should not load, and typing /copilot should produce no response.
If Copilot Still Works After Applying the Policy
Copilot Pane Still Appears in Word or Excel
If the Copilot pane still appears after setting the tenant policy to Off, check the user’s license. Users with a Copilot for Microsoft 365 license may see the pane even when the tenant policy is Off if they have not signed out and back in. Ask the user to sign out of all Office apps, close them, and sign in again. The pane should disappear within 15 minutes.
Copilot Returns Generic Output Instead of Tenant-Specific Data
If Copilot returns generic responses but not tenant data, the DisableContentAnalysis policy is working on the client side, but the cloud service still has access to Microsoft Graph. To fix this, go to the Microsoft 365 admin center > Settings > Org settings > Copilot in Microsoft 365 Apps and set the toggle to Off. Also remove the user from any Copilot license assignment in the Microsoft 365 admin center > Billing > Licenses.
Policy Applies to Some Users but Not Others
If the setting applies to some users but not others, check whether the cloud policy scope includes all target users. In the Microsoft 365 admin center > Health > Policy settings, open the policy you created and verify the security group assignment. If the group is empty or incorrect, edit the policy and select the correct group. Also ensure that no other cloud policy with a higher priority is overriding your setting.
| Item | Local Group Policy | Cloud Policy in Microsoft 365 Admin Center |
|---|---|---|
| Description | Controls the Office client’s ability to send content for analysis | Overrides local policy and controls the cloud service behavior |
| Configuration location | gpedit.msc > Computer Configuration > Administrative Templates > Microsoft Office 2016 > Privacy > Trust Center | admin.microsoft.com > Health > Policy settings |
| Registry key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Privacy\DisableContentAnalysis | No local registry key; stored in Microsoft 365 tenant |
| Requires license | No | Yes, Microsoft 365 E3 or E5 with Copilot add-on |
| Overrides the other | No, cloud policy overrides local policy | Yes, when both are configured |
| Blocks Copilot completely | No, only blocks client-side content analysis | Yes, when set to Off for the Copilot tenant policy |
Now you can enforce the Connected Experiences setting across both the Office client and the Microsoft 365 cloud service. Start by applying the local Group Policy and verifying the registry key. Then create the cloud policy and set the Copilot tenant policy to Off. Test with a user who has a Copilot license to confirm the pane does not appear. For additional control, consider using the Microsoft 365 Apps admin center to deploy the cloud policy to specific security groups only.