Manage Intune Windows 11 25H2 Settings to Block Recall, Remove Bloatware, and Control Copilot

Windows 11 version 25H2 brings new management options to Microsoft Intune, giving administrators more control over privacy, AI features, and the overall user experience.

This article explains how to use Intune Windows 11 25H2 settings to block the Recall feature tenant-wide, remove unwanted Microsoft Store apps, disable Copilot, and configure a consistent Start menu layout.

If you’re new to Intune or setting up these policies for the first time, the following guide walks through each setting with context, reasoning, and deployment guidance to help you configure it confidently.

Never miss an article and subscribe, and don’t forget to check out my YouTube channel, Control Alt Delete Tech Bits

Intune Windows 11 25H2 Settings

The Intune Settings Catalog is the central location for managing Windows policies. It brings together thousands of configuration options for Windows, macOS, iOS, iPadOS, and Android, all within a graphical interface that eliminates the need for custom OMA-URI entries or complex scripts.

For Windows 11 25H2, Microsoft has expanded the catalog with 36 new settings, grouped under categories such as Windows AI, Privacy, and User Experience.
These new Intune Windows 11 25H2 settings let you control modern AI features like Recall and Copilot as soon as devices upgrade, avoiding any management delays or security gaps.

To access the catalog:

• Sign in to https://intune.microsoft.com
• Go to Devices > Configuration profiles > + Create
• Select Windows 10 and later > Settings catalog

You can then search by keyword (for example, Windows AI) and toggle settings directly through a clean interface.

Blocking Recall Using Intune Windows 11 25H2 Settings

Recall is one of the most discussed additions to Windows 11 25H2. It continuously captures snapshots of your screen, indexing content so users can “recall” what they’ve seen previously.
While useful for individuals, this creates potential compliance and privacy concerns for organisations, particularly in education, healthcare, or regulated industries.

Recall is blocked by default on managed devices

On Microsoft-managed endpoints (Entra joined, Intune or Group Policy managed), Recall is off by default. Users can’t switch it on unless you explicitly allow it with policy. Microsoft’s guidance states that the Allow Recall Enablement setting controls this behaviour:

• Not configured / Disabled > Recall remains unavailable to the user.
• Enabled > Recall becomes available on eligible Copilot+ PCs, and the user can turn it on in Settings or during OOBE.
• You can also set optional controls such as maximum snapshot storage and a deny URI list to exclude sensitive sites and apps.

This default “off” posture is important for compliance: even if your estate includes Copilot+ hardware, Recall won’t activate unless you decide to enable it, and you can enforce “Recall is not available” to make that state auditable.

More information from Microsoft learn here

To control it safely, Microsoft provides two main Recall policies in the Intune Settings Catalog under Windows AI:

• Allow Recall Enablement
• Maximum Storage Space For Recall Snapshots

You’ll find these under Settings Catalog > Windows AI.

Configuring the Block Recall Policy

To disable Recall completely across managed devices:

• Open Intune Admin Centre > Devices > Configuration profiles > + Create
• Select Windows 10 and later as the platform and Settings catalog as the profile type
• Give the profile a name such as Windows AI – Block Recall (25H2)
• Select Add settings and search for Windows AI
• Enable Allow Recall Enablement and set the value to Recall is not available

This ensures Recall is unavailable to users and cannot be enabled from the Windows settings page.

If you’re testing Recall in a limited pilot, you could instead leave Recall available but set a maximum snapshot size using Maximum Storage Space For Recall Snapshots. For example, setting a 10 GB cap limits the local storage Recall uses, preventing it from consuming excess disk space.

Verifying the Deployment

After deployment, go to Devices > Select a device > Device configuration and check the status column. The configuration profile should show Succeeded once it has applied.
It can take one or two Intune sync cycles for the setting to appear on the device.

Why This Matters:
Blocking Recall through Intune Windows 11 25H2 settings helps meet data-handling requirements and ensures sensitive on-screen information, such as emails, student data, or finance systems—cannot be indexed or captured unintentionally.

By default, Microsoft disables Recall on managed enterprise devices unless administrators explicitly allow it, but enforcing this policy guarantees consistent behaviour across your environment.

Disabling Copilot in Windows 11 25H2 Using Intune Settings

Microsoft Copilot integrates AI directly into Windows. It can be launched from the taskbar, Start menu, or using the Windows +C shortcut.
For managed environments, you may wish to disable the consumer version of Copilot while still allowing Microsoft 365 Copilot within apps such as Word and Excel.

To disable it, use the Turn Off Copilot in Windows (User) policy under the Windows AI category in the Intune Windows 11 25H2 settings.

Configuring the Disable Copilot Policy

• In Intune, go to Devices > Configuration profiles > + Create
• Choose Windows 10 and later > Settings catalog
• Enter a name such as UX – Disable Copilot (User)
• Select Add settings and search for Windows AI
• Enable Turn Off Copilot in Windows (User)

Once applied:

• The Copilot icon disappears from the taskbar
• The Windows + C shortcut stops working
• The Copilot toggle in Settings > Personalisation > Taskbar becomes greyed out
• Users cannot launch Copilot from the Start menu or Search

If you previously used a custom OMA-URI (e.g. ./User/Vendor/MSFT/Policy/Config/WindowsAI/TurnOffWindowsCopilot), migrate to the new Settings Catalog option. Microsoft is gradually deprecating the older CSP-based path.

Why Disable Copilot?
For schools and businesses, Copilot may introduce unwanted AI functionality that could capture sensitive information. Disabling it with Intune Windows 11 25H2 settings maintains consistency and avoids end-user confusion between Copilot in Windows and Microsoft 365 Copilot.

Removing Bloatware Using Intune Windows 11 25H2 Settings

Default Microsoft Store apps can clutter the Start menu and distract users. Windows 11 25H2 adds a long-requested option to remove them through Intune, without scripts or provisioning packages.

The policy RemoveDefaultMicrosoftStorePackages removes pre-installed apps like Xbox, Solitaire, and Copilot (preview).

To configure it:

• Open Intune > Devices > Configuration profiles > + Create
• Choose Windows 10 and later > Settings catalog
• Search for RemoveDefaultMicrosoftStorePackages
• Set the value to True
• Assign it to your device group and deploy

Once the profile applies, unnecessary Microsoft Store packages are uninstalled automatically. This helps maintain a clean, professional experience across your fleet.

Always test app removal on a small set of devices before deploying to everyone. Some inbox apps, like Photos or Calculator, are widely used, and removing them could cause user friction.

By using this feature within Intune Windows 11 25H2 settings, you ensure your base image stays lean and consistent while relying on supported configuration rather than custom scripts.

Improving Privacy and User Experience

Alongside Recall and Copilot, Windows 11 25H2 introduces user experience controls that can simplify the interface and reduce distractions.
Two of the most useful settings to include in your Intune profiles are Disable Widgets and Always Show Notification Icon (User).

Disabling Widgets

Widgets can display personalised content from MSN and other online sources. While useful for personal devices, they may be distracting or raise privacy issues in corporate and educational environments.

You can turn them off by configuring:

• Disable Widgets Board
• Disable Widgets On Lock Screen

Both are found under the News and Interests or Widgets category in the Intune Windows 11 25H2 settings.

Always Show the Notification Icon

This policy ensures the notification (Action Centre) icon is always visible on the taskbar. It helps support teams ensure users don’t miss system or policy messages.

Search for Always Show Notification Icon (User) in the catalog and set it to Enabled.

These small adjustments improve user focus and create a consistent experience across classrooms, offices, and shared devices.

Configuring the Start Menu Layout with Intune Windows 11 25H2 Settings

The Start menu plays a key role in user productivity. With 25H2, the Configure Start Pins (User) setting makes it easier to control what appears on it.

This policy lets you deploy a JSON layout that defines which apps are pinned by default. You can include core tools like Microsoft Edge, Settings, and Company Portal.

Applying the Policy

• Go to Devices > Configuration profiles > + Create
• Choose Windows 10 and later > Settings catalog
• Search for Configure Start Pins (User)
• Upload your JSON layout file containing your chosen pinned apps
• Use the applyOnce property to choose behaviour:
  • applyOnce: true – applies the layout only at first sign-in, allowing users to customise afterwards
  • applyOnce: false – enforces the layout every sync, locking the Start menu layout permanently
• Assign to your test group and deploy

Best Practice:
Use applyOnce: true for flexible environments such as staff devices, and applyOnce: false for controlled setups like kiosks, exam rooms, or shared computers.

When the policy applies, the Start menu instantly reflects your chosen design—helping your organisation maintain a professional, predictable layout.

Deployment Best Practices for Intune Windows 11 25H2 Settings

Deploying configuration profiles correctly is key to avoiding conflicts and ensuring smooth rollouts.

Test group First:
Start with a small test group before applying tenant-wide. This lets you confirm compatibility with existing configurations.

Use Filters:
Filters target only Windows 11 25H2 devices, preventing policies from applying to older versions that may not support them.

Monitor Results:
Check Device status under each configuration profile. Look for the state “Succeeded.” If any show as “Error” or “Pending,” review logs in the Intune portal or on the device under Event Viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider.

Microsoft continues to refine Intune’s Settings Catalog with each Windows release. By adopting the Intune Windows 11 25H2 settings, you benefit from secure defaults, simplified deployment, and easier compliance management.

You avoid reliance on legacy templates or registry-based controls and instead use policies that are fully supported, updated automatically, and designed for cloud management.

Whether you’re managing a few devices in a school or hundreds across an enterprise, these settings let you tailor the Windows 11 experience while maintaining governance and control

Feel free to buy me a coffee to keep this website up and running

Checkout this article How to Use Intune Device Cleanup Rules and Audit Logs to Manage Stale Devices