Skip to content

Control 4.16: Microsoft Scout Governance

Control ID: 4.16 Pillar: Operations & Monitoring Regulatory Reference: FFIEC IT Examination Handbook, GLBA §501(b), Sarbanes-Oxley §§302/404 (where applicable to ICFR), OCC Heightened Standards (12 CFR part 30, appendix D), FINRA Rule 3110, SEC Rule 17a-4 (for required broker-dealer records) Last Verified: 2026-07-10 Governance Levels: Baseline / Recommended / Regulated


Scope boundary: FSI-CopilotGov vs FSI-AgentGov

This control governs the Microsoft 365 Copilot surface only — tenant-level configuration, data-source posture, audit/eDiscovery, and admin-managed extensibility. Governance of the agents themselves (Copilot Studio agents, declarative agents, Agent Builder, custom pro-code agents) — including agent registration, risk tiering, environment zoning, model-card review, and lifecycle promotion — lives in the companion FSI-AgentGov framework. See Relationship to FSI-AgentGov for the full boundary map.

Objective

Establish governance over Microsoft Scout — an endpoint-installed, agentic Copilot experience delivered through the Frontier preview program that can read and write local workspace files, execute shell commands, drive a browser through Playwright, call Work IQ and other M365 sources, invoke skills, subagents, MCP servers, and run scheduled or triggered automations. This control helps organizations decide whether, for whom, and under what supervision Scout is enabled, and it identifies where existing M365 protections do and do not extend to Scout activity so adoption proceeds under documented governance rather than default entitlement.

Why This Matters for FSI

Scout is delivered through Microsoft's Frontier preview program as a native application for Windows 11 or later and macOS 12 or later, and its capability surface is materially different from a browser-hosted Copilot experience. Scout operates on the endpoint: it can read and modify files in a user's workspace, execute shell commands (subject to per-command permission modes), navigate and interact with web pages through Playwright, reach into Microsoft 365 and Work IQ, load skills and subagents, connect to Model Context Protocol (MCP) servers, and schedule or trigger automations that run on the user's behalf. Some inference is processed through GitHub Copilot and third-party model providers, under those providers' separate terms, and outside the Microsoft 365 data residency, retention, sensitivity-label enforcement, eDiscovery, and other M365 protections that FSI organizations rely on for the rest of the Copilot surface.

For a regulated financial institution, that mixed boundary raises supervision, books-and-records, third-party-risk, and operational-risk considerations that should be assessed before Scout is enabled. The FFIEC IT Examination Handbook expects change control, third-party risk management, and ongoing monitoring for enterprise technology — expectations that apply directly to adopting a preview endpoint agent that executes local code and calls external inference providers. FINRA Rule 3110 supervisory-system expectations may cover Scout outputs that contribute to client-facing communications or recordkeeping. Sarbanes-Oxley §§302/404 expectations apply where Scout is used in finance, reporting, or control-support workflows. The OCC Heightened Standards (12 CFR part 30, appendix D) reinforce board-level risk governance for covered institutions considering a preview agentic capability. GLBA §501(b) safeguarding expectations remain relevant because Scout can act on any content the user is already permitted to access, so existing oversharing weaknesses can be amplified by automated, multi-step retrieval and file writes. SEC Rule 17a-4 record-retention obligations may apply to Scout artifacts that constitute required broker-dealer records, and organizations should evaluate whether Scout activity — session content in OneDrive, and automation instructions and MCP output stored locally — is captured by their books-and-records program.

No single control satisfies these obligations on its own. This control is intended to be applied alongside readiness, endpoint-management, data-protection, extensibility, and supervision controls rather than as a standalone assurance. Organizations should verify that their own legal, compliance, endpoint-security, and third-party-risk functions have reviewed Scout before enabling it for any regulated population.

Disclaimer

This control is provided for informational purposes only and does not constitute legal, regulatory, or compliance advice. See full disclaimer.

Frontier preview — capability and boundary may change

Microsoft Scout is a Frontier preview capability. Preview features may have restricted functionality, are subject to preview terms, and may change before general availability. Scout's inference path, storage boundaries, permission model, admin-attestation flow, and endpoint policy schema have changed during preview and are expected to continue changing. Re-verify every step of this control against current Microsoft documentation before relying on it in production governance, and treat any governance decision as provisional until Scout reaches general availability and has been re-assessed.

Control Description

Scout is not a tenant-only surface — it is an endpoint application whose access depends on two independent admin gates plus a per-user entitlement, with configuration mechanics that live outside the Microsoft 365 admin center. Installing the Scout application alone grants nothing; the app becomes usable only when all of the following are in place:

Gate Where Governed Governance Use
Frontier scoping Microsoft 365 admin center — Copilot > Settings > View all > Copilot Frontier Scopes which users and admins in the tenant have Frontier access (No access / All users / Specific users). Scout admin surfaces and user entitlement resolve only after Frontier is enabled and change propagation completes (Microsoft cites up to about three hours)
Endpoint policy + admin attestation Intune (or equivalent MDM) — Windows ADMX/ADML (microsoft-scout.admx / .adml) with the Allow Microsoft Scout Frontier access setting (the AllowScoutFrontierAccess capability) plus additional ADMX admin controls, or macOS .mobileconfig custom device profile — combined with an admin attestation and opt-in step (Microsoft's Frontier organization sign-up form) Governs whether Scout is allowed to run on managed endpoints, records that an authorized admin has attested to routing data to third-party inference paths (for example, GitHub), and gives IT admins policy-level control over MCP servers, permission types, models, providers, Heartbeat, Automations, workspace scoping, browser egress, and forced approval prompts
Per-user entitlement GitHub — user must hold a GitHub Copilot Business or Enterprise entitlement on a linked GitHub account, paired with an active Microsoft 365 Copilot license on the user's work or school account Determines whether an individual user can sign in to Scout after policy is in place; both licenses are per-user user-requirements documented by Microsoft, and Microsoft states that a GitHub Copilot license alone does not grant Frontier access, nor does Frontier access alone work without a Copilot license (business or enterprise)

Because these three gates are independently owned (M365 admin center, endpoint management, GitHub) and the per-user entitlement itself has two license dependencies (M365 Copilot and GitHub Copilot Business/Enterprise), an organization should treat Scout enablement as a joint decision across Copilot admin, endpoint management, identity, license administration, and (where in scope) GitHub administration. A gap in any one gate or either license can either block a pilot silently or, worse, entitle users the organization did not intend to enable. Sign-in failures do not always show a clear in-product indication of the cause — Microsoft directs troubleshooting to the admin gates first.

Per-User Prerequisites and Endpoint Install Privilege

Microsoft's get-started documentation lists the per-user prerequisites required in addition to the three admin gates. Governance should distinguish install-time privilege from ongoing use privilege:

Prerequisite Scope Governance Consideration
Windows 11 or macOS 12 (Monterey) or later Endpoint Confirm platform coverage before deploying endpoint policy; exclude out-of-support endpoints from the pilot device group
Microsoft 365 work or school account (personal Microsoft accounts unsupported) Identity Reconcile pilot users to organizational identities; enforce Conditional Access on Scout sign-in as with other M365 apps
Active Microsoft 365 Copilot license assigned to the user's account License Reconcile Scout pilot users against Microsoft 365 Copilot license assignment (Control 1.9); treat license absence as a blocked-at-sign-in gate rather than as a silent partial-entitlement path
Microsoft Visual C++ redistributable (Windows only) Endpoint Include the current redistributable in the managed-app baseline so users are not tempted to install prerequisites from unmanaged sources
Local Administrator permissions for installation, including an Intune-enabled account Endpoint See below — required only to complete installation, not for ongoing use; permanent local admin should not be granted for Scout adoption
GitHub Copilot Business or Enterprise license on a linked GitHub account GitHub Third admin gate; reconciled monthly against the pilot list

Install privilege vs ongoing use privilege. Microsoft states that installing Microsoft Scout requires local Administrator permissions on the endpoint. This install-time requirement is distinct from ongoing use of the app, which does not require permanent local admin. Granting standing local Administrator rights to end users to install Scout would exceed least-privilege posture for regulated populations and should not be adopted as a default. Instead, governance should prefer one of the following managed-deployment patterns:

  • Package and deploy the Microsoft Scout installer as a managed Win32 or macOS app through Intune (or equivalent MDM), installed in system context so the end user does not need any local admin rights at any point.
  • Use a just-in-time local admin elevation mechanism (for example, Endpoint Privilege Management or an equivalent) so the elevation is time-bound, purpose-scoped, and audited, and is not left in place after installation.
  • Do not permanently add end users to the local Administrators group solely to enable Scout adoption.

Preserve the deployment decision (system-context managed deployment, just-in-time elevation, or a documented exception) and the associated approval as evidence. Where a documented exception is required, capture the compensating endpoint controls (least-privilege workspace, endpoint DLP, endpoint monitoring) and the duration of the exception.

Windows ADMX Governance Surface (documented policy settings)

Microsoft documents the Scout Windows ADMX/ADML template as a device-scoped policy stored under HKLM\SOFTWARE\Policies\Scout; standard users can't modify it. The single Allow Microsoft Scout Frontier access capability listed in Set up Microsoft Scout with Intune is the sign-in gate. In addition, Manage admin controls in Intune for Microsoft Scout documents ten policy settings that give admins policy-level control over Scout behavior. Verify names and defaults against current documentation before treating any of these as configured evidence.

Policy setting (documented name) Registry value Type What it governs
Policy version PolicyVersion REG_DWORD Policy schema version stored on the device for diagnostics and future migrations
Disabled MCP servers DisabledServers REG_SZ Comma-separated list of MCP server keys to block (Microsoft's examples: filesystem, playwright, WorkIQ)
Disabled permission kinds DisabledPermissions REG_SZ Comma-separated list of permission types to deny (Microsoft's examples: shell, write, mcp, url, custom-tool)
Force human approval for all non-read actions ForcePrompt REG_DWORD Requires user approval for every non-read tool action regardless of local approval settings — a policy-level override of any local auto-approve
Disabled AI models DisabledModels REG_SZ Comma-separated list of model IDs to block
Disabled AI model providers DisabledProviders REG_SZ Comma-separated list of provider names to block (Microsoft's examples: anthropic, openai) — the most direct policy-level lever for the third-party inference boundary
Disable Heartbeat DisableHeartbeat REG_DWORD Disables Scout's Heartbeat monitoring feature
Disable Automations DisableWorkflows REG_DWORD Prevents users from creating or running automations (Scout's scheduled/triggered workflows)
Restrict file system access to workspace RestrictToWorkspace REG_DWORD Limits file system and shell access to the current workspace directory — a policy-level workspace-scoping control
Blocked browser egress origins BrowserEgressBlockedOrigins REG_SZ Comma-separated list of HTTP or HTTPS origins that are blocked from Playwright browser traffic

macOS deployment uses the Microsoft-provided .mobileconfig custom device profile in Intune. Where an equivalent macOS policy exists for any of the above ADMX settings, confirm the specific payload keys against current Microsoft documentation before treating them as configured evidence — do not assume ADMX names map identically. Do not invent registry values or defaults; where a documented default is not stated by Microsoft, capture the observed value with a citation to the current Learn article and the date verified.

Capability Surface and Boundary

Scout's capability surface is best governed by understanding what it can do on the endpoint, where its data lives, and where inference is processed:

Capability Description Governance Consideration
Local file access Reads and writes files in a user's workspace Endpoint DLP, sensitivity-label discovery, and least-privilege workspace scoping apply; generated or modified files may not reliably inherit sensitivity labels from source content
Shell command execution Executes shell commands with per-command permission modes (auto-approve, prompt, deny) Default posture and the specific auto-approve list are governance decisions with material blast-radius implications; treat auto-approve as an elevated permission
Browser control (Playwright) Navigates and interacts with web pages through Playwright Web content is treated as untrusted by Scout; prompt-injection resistance is a Microsoft platform responsibility, not a customer-configurable control
Microsoft 365 and Work IQ access Retrieves and acts on content the user is already permitted to access Existing oversharing risk is amplified by automated multi-step retrieval; Work IQ scoping remains governed by its own controls
Skills, subagents, memory, heartbeat Composes multi-step work through skills, delegated subagents, persistent memory, and periodic heartbeat checks Autonomous multi-step behavior expands the supervision and evidence surface beyond a single user prompt
Scheduled and triggered automations Runs on a schedule or in response to triggers, without the user being present Unattended execution should be a distinct, explicit governance decision — do not treat it as included by default
MCP servers Connects to Model Context Protocol servers to extend tools MCP servers are third-party extensibility; treat as connectors under Control 4.13 and add MCP-specific approval criteria
Third-party inference Some inference is processed via GitHub Copilot and third-party model providers under their separate terms Inference of that content is outside M365 data residency, retention, sensitivity-label enforcement, eDiscovery, and other M365 protections

Data Storage and M365 Protection Boundary

Scout stores data in two locations with different protection profiles. Organizations should map this boundary before enabling Scout:

Data Category Where Stored Under M365 Protections?
Session and memory data OneDrive (subject to tenant controls) Yes — subject to existing OneDrive tenant controls, retention, and eDiscovery, per Microsoft documentation
Automation instructions Local endpoint No — outside the Microsoft 365 Data Protection Addendum (DPA)
MCP server output Local endpoint No — outside the M365 DPA
Content processed through third-party inference Third-party provider systems No — outside M365 residency, retention, label enforcement, eDiscovery

A governance program that assumes "Copilot activity is captured by M365 audit and eDiscovery" will not accurately describe the Scout surface. Organizations should document which categories of Scout activity fall outside M365 protections and either accept the risk with compensating endpoint controls or defer Scout for populations where that risk is unacceptable.

Sensitive Actions, Approvals, and Autonomous Modes

Scout requires user approval for sensitive actions by default. Optional autonomous modes relax that friction and should be treated as a separate, higher-risk governance decision requiring low-risk scoping (limited workspace, restricted shell permissions, restricted browser/network access, restricted M365 scopes) documented and approved before enablement. Autonomous modes should not be enabled tenant-wide by default.

External content — whether retrieved from the web, from files outside the workspace, or from MCP servers — is tagged untrusted by Scout. Scout can display Purview sensitivity labels for items in its responses and citations, but generated or modified content may not reliably inherit sensitivity labels from its sources. Organizations should not rely on automatic label inheritance for Scout outputs as a compensating control.

Copilot Surface Coverage

Scout is endpoint-bound, not a Copilot Chat surface. The coverage below describes where Scout's capabilities intersect governance boundaries rather than where a chat surface is present.

Surface / Boundary Coverage Notes
Scout desktop app (Windows 11+, macOS 12+) Full Primary Scout runtime; governed through Frontier + Intune + user entitlement
Microsoft 365 / Work IQ data path Partial Scout reads and acts on M365 content the user can already access; Work IQ scoping governed by its own controls
GitHub Copilot inference path Partial Some inference is processed through GitHub Copilot under separate terms; outside M365 protections
Third-party model providers Partial Some inference is processed through third-party providers under separate terms; outside M365 protections
Local shell and file system Full Governed on the endpoint through permission modes and workspace scoping; not visible to M365 admin surfaces
Browser (Playwright) Full Controlled from Scout on the endpoint; web content is untrusted
MCP servers Full Third-party extensibility; treat under Control 4.13 with MCP-specific approvals
Automations (scheduled / triggered) Full Endpoint-executed; unattended execution is a distinct governance decision
Purview audit and eDiscovery Partial Coverage limited to M365-sourced activity; local automation and MCP output are outside M365 DPA and not captured
Sensitivity-label enforcement on generated content Partial Scout can display labels; inheritance on generated or modified content is not reliable

Governance Levels

Baseline

  • Document Frontier enrollment for the tenant and for admin accounts that will govern Scout
  • Document the endpoint-policy posture — whether Windows ADMX (microsoft-scout.admx/.adml, including the Allow Microsoft Scout Frontier access setting) and macOS .mobileconfig profiles are deployed, and to which device groups
  • Record the deployment pattern used for the Scout installer (system-context managed deployment through Intune, just-in-time elevation, or a documented local-admin exception) so end users are not granted standing local Administrator rights to install Scout
  • Confirm and record that the admin attestation and opt-in step required for Scout (Microsoft's Frontier organization sign-up form) has been completed by an authorized admin, with the record retained as evidence
  • Restrict initial availability to an approved pilot security group; do not rely on "installing the app grants nothing" as a compensating control
  • Reconcile pilot users against active Microsoft 365 Copilot license assignment (per Control 1.9) and maintain an inventory of users who additionally hold GitHub Copilot Business or Enterprise entitlement with linked GitHub accounts
  • Set a documented default posture for shell command permissions (auto-approve / prompt / deny) and, for the pilot, keep the default at prompt unless a specific low-risk auto-approve list is approved; where feasible, back the pilot default with the ADMX Force human approval for all non-read actions (ForcePrompt) setting so a policy-level override applies
  • Document that autonomous modes are not enabled during the pilot unless a separate low-risk scoping decision has been approved
  • Document the initial ADMX policy posture for the pilot for each of the documented Scout policy settings that materially reduce blast radius — Disabled MCP servers (DisabledServers), Disabled permission kinds (DisabledPermissions), Disabled AI model providers (DisabledProviders), Disable Automations (DisableWorkflows), Restrict file system access to workspace (RestrictToWorkspace), and Blocked browser egress origins (BrowserEgressBlockedOrigins) — even where the pilot posture is "unset / verify against current Microsoft default"
  • Maintain an approved-MCP-server inventory and require documented approval before any MCP server is added
  • Document that some Scout inference and some Scout storage (automation instructions, MCP output) fall outside M365 protections, and record the residual risk acceptance
  • Manage Frontier scoping, endpoint policy, admin attestation, Microsoft 365 Copilot license assignment, and GitHub Copilot entitlement decisions through a documented change register with a named approver for each gate
  • Separate approval from implementation across the three gates so no single administrator can unilaterally enable Scout for a population
  • Restrict Scout workspaces to a defined scope (for example, project-specific folders) rather than the user's entire profile, and document the workspace-scoping standard; where the documented Restrict file system access to workspace (RestrictToWorkspace) ADMX setting is available, back the workspace-scoping standard with policy
  • Where the pilot's third-party inference posture excludes specific providers or models, back the decision with the documented ADMX policy settings — Disabled AI model providers (DisabledProviders) and Disabled AI models (DisabledModels) — rather than relying on a user-mode preference
  • Require MCP-server approvals to include the server's data path (local vs remote), authentication mechanism, and any external egress; where the pilot's approved-MCP inventory excludes specific servers, back the decision with the documented Disabled MCP servers (DisabledServers) ADMX setting
  • Confirm that Scout session and memory data stored in OneDrive is subject to existing OneDrive tenant controls, retention, and eDiscovery — and document coverage gaps for automation instructions and MCP output stored locally
  • Coordinate Scout enablement decisions with endpoint-security, DLP, and identity governance so shell execution and browser control align with existing endpoint controls; where the pilot restricts browser destinations, back the decision with the documented Blocked browser egress origins (BrowserEgressBlockedOrigins) ADMX setting
  • Prefer system-context managed deployment of the Scout installer through Intune (or a just-in-time elevation mechanism) so users are not granted standing local Administrator rights; where an exception is required, document the compensating endpoint controls and duration
  • Define a preview-change review cadence to re-assess Frontier, endpoint policy, ADMX schema, and permission-model changes as Microsoft updates Scout
  • Include Scout in the incident-response runbook with explicit steps for revoking each of the three gates (Frontier scope, endpoint policy, GitHub entitlement) and, where applicable, removing the Microsoft 365 Copilot license

Regulated

  • Require dual approval (technology + compliance) before enabling Scout for any regulated or client-facing population
  • Treat Scout outputs that contribute to client communications, correspondence, or recordkeeping as in-scope for supervisory review under FINRA Rule 3110, where applicable
  • Assess whether Scout artifacts subject to SEC Rule 17a-4 (for required broker-dealer records) are captured by existing books-and-records controls, recognizing that automation instructions and MCP output stored locally are outside the M365 DPA
  • Restrict Scout administration using time-bound privileged access (PIM or equivalent) and least-privilege agent-administration roles; do not grant standing local Administrator rights to end users to install the Scout desktop app — deploy through system-context managed deployment (Intune) or a documented just-in-time elevation mechanism
  • Do not enable autonomous modes for regulated populations without a separately approved low-risk scoping decision that documents the workspace, shell, browser, network, and M365 scope restrictions
  • Do not permit unattended (scheduled or triggered) automations for regulated populations without a separately approved unattended-execution decision; where feasible for the pilot, back the "off" posture with the documented Disable Automations (DisableWorkflows) ADMX setting
  • Where feasible for the regulated pilot, back the "prompt" default for non-read tool actions with the documented Force human approval for all non-read actions (ForcePrompt) ADMX setting so a policy-level override applies regardless of local approval settings
  • Document the third-party inference boundary — that some inference occurs outside M365 residency, retention, label enforcement, and eDiscovery — record legal and compliance acceptance before enabling Scout for populations where those protections are relied on, and where a specific provider or model is excluded, back the decision with the documented Disabled AI model providers (DisabledProviders) and Disabled AI models (DisabledModels) ADMX settings
  • Where the regulated pilot restricts extensibility, back the decision with the documented Disabled MCP servers (DisabledServers) and Disabled permission kinds (DisabledPermissions) ADMX settings so unapproved MCP servers and permission types are denied at the policy layer rather than relying on user-mode configuration
  • Preserve Frontier enrollment, endpoint policy (including ADMX policy value snapshots), admin attestation, Microsoft 365 Copilot license assignment, GitHub entitlement, MCP-server approvals, and permission-mode decisions for examination-ready retention periods
  • Maintain a documented exception register for any deviation from the approved Scout governance baseline
  • Identify and document platform-evidence gaps (local MCP output, automation instructions, third-party inference logs, generated-content label inheritance) as known unsupported evidence rather than claiming controls exist

Setup & Configuration

Step 1: Confirm Frontier Enrollment and Scope

Navigate to Copilot > Settings > View all > Copilot Frontier in the Microsoft 365 admin center and record whether access is set to No access, All users, or Specific users and which users and admin accounts are in scope. Scout admin surfaces and user entitlement resolve only when Frontier scoping is in place, and Microsoft cites up to about three hours for propagation before Frontier features become available. Capture the enrollment decision, the approver, and the targeted groups.

Step 2: Deploy Endpoint Policy, Complete Admin Attestation, and Plan Installation Privilege

Deploy the Scout endpoint policy through Intune (or equivalent MDM):

  • Windows 11 or later: Import Microsoft's microsoft-scout.admx and microsoft-scout.adml templates into Intune, create a Windows configuration policy from the imported administrative template, and enable Allow Microsoft Scout Frontier access for the intended device groups. In addition, decide and record the pilot posture for each of the ten documented ADMX admin controls (DisabledServers, DisabledPermissions, ForcePrompt, DisabledModels, DisabledProviders, DisableHeartbeat, DisableWorkflows, RestrictToWorkspace, BrowserEgressBlockedOrigins, and PolicyVersion), even where the pilot posture is "not configured / verify against current Microsoft default." Do not invent values or defaults; capture the decision with a citation to the current Microsoft documentation.
  • macOS 12 or later: Deploy the Microsoft-provided microsoft-scout.mobileconfig as a custom device profile. Where an equivalent macOS payload key exists for any of the Windows ADMX admin controls above, confirm the specific key against current Microsoft documentation before treating it as configured evidence.

Complete the Microsoft-provided admin attestation and opt-in step (the Frontier organization sign-up form) using an authorized admin account, and retain the attestation record as evidence. Microsoft states that this attestation is an additional gating layer beyond Frontier enrollment because Scout can route data outside Microsoft 365 to third-party inference paths — treat it as a separate governance record, not a substitute for policy deployment.

Plan how the Scout installer will be deployed to end-user devices. Microsoft requires local Administrator permissions to install the app, but does not require standing local admin for ongoing use. Prefer a system-context managed deployment through Intune or a just-in-time elevation mechanism so end users are not added to the local Administrators group solely to install Scout. Document the chosen deployment pattern and any local-admin exception, including compensating endpoint controls and duration.

Step 3: Restrict Availability to an Approved Pilot

Coordinate Frontier scoping, endpoint policy targeting, Microsoft 365 Copilot license assignment (per Control 1.9), and GitHub Copilot Business or Enterprise entitlement so all gates align to the approved pilot security group. Document each gate's decision, approver, and target group, and reconcile the four sources of truth (M365 admin center, Intune, M365 license assignment, GitHub administration) before opening the pilot.

Step 4: Set the Default Permission Posture

Set the shell command permission default to prompt for the pilot unless a specific low-risk auto-approve list has been approved. Where feasible, back the pilot default with the documented Force human approval for all non-read actions (ForcePrompt) ADMX setting so the pilot decision is enforced at the policy layer rather than relying on user-mode configuration. Explicitly document that autonomous modes are not enabled unless a separate low-risk scoping decision has been made covering workspace, shell, browser, network, and M365 scope restrictions. Explicitly document that unattended (scheduled or triggered) automations are not enabled unless a separate decision has been made; where the pilot posture is "off," back it with the documented Disable Automations (DisableWorkflows) ADMX setting.

Step 5: Govern MCP Servers, Skills, Providers, and Models

Establish an approved-MCP-server inventory with a documented approval workflow that captures the server's data path, authentication mechanism, and external egress. Treat MCP servers as connectors under Control 4.13. Apply the same approval discipline to any skills added to the pilot. Where the pilot excludes specific MCP servers, permission types, providers, or models, back the decisions with the documented ADMX admin controls — Disabled MCP servers (DisabledServers), Disabled permission kinds (DisabledPermissions), Disabled AI model providers (DisabledProviders), and Disabled AI models (DisabledModels) — rather than relying on user-mode configuration.

Step 6: Map the Storage and Inference Boundary

Document, for the pilot, which Scout data lives in OneDrive (session, memory) versus locally on the endpoint (automation instructions, MCP output), and where inference is processed (Microsoft, GitHub Copilot, third-party model providers). Record what falls outside M365 protections and the compensating endpoint controls (DLP, endpoint monitoring, workspace scoping) that apply. Where the pilot restricts workspace file access or browser egress, back the decisions with the documented Restrict file system access to workspace (RestrictToWorkspace) and Blocked browser egress origins (BrowserEgressBlockedOrigins) ADMX settings.

Step 7: Define Supervision, Evidence, and Incident-Response

Define the supervision cadence for Scout outputs, the evidence set collected during the pilot, and the incident-response playbook. Ensure the incident-response steps include revoking each of the three gates independently (Frontier scoping, endpoint policy, GitHub Copilot entitlement) and preserving locally stored automation and MCP output for investigation.

Financial Sector Considerations

Broker-dealers: Before enabling Scout for registered representatives, evaluate whether Scout outputs that contribute to client communications or correspondence fall within supervisory review under FINRA Rule 3110 and whether Scout artifacts constitute required records under SEC Rule 17a-4. Recognize that automation instructions and MCP output stored locally are outside the M365 DPA and require compensating capture if they are treated as records.

Banking institutions: Treat adoption of a preview endpoint agentic capability as a change-control and third-party-risk event consistent with FFIEC IT Examination Handbook expectations. Reflect Frontier scoping, endpoint policy, admin attestation, GitHub entitlement, and MCP-server approval decisions in enterprise technology governance records. The third-party inference boundary should be reflected in vendor management artifacts.

SOX-reporting entities: Where Scout is used in finance, reporting, or control-support workflows, retain configuration and approval evidence in a form that supports internal and external audit review under Sarbanes-Oxley §§302/404 where applicable to ICFR. Recognize that Scout can write to local files, so its role in any control-support workflow should be documented explicitly.

Covered institutions under OCC Heightened Standards: Reflect Scout adoption within the firm's risk governance framework, per 12 CFR part 30, appendix D, so introduction of a preview endpoint agentic capability with third-party inference and local execution is subject to board-appropriate risk oversight.

GLBA §501(b): Scout amplifies existing oversharing risk because automated multi-step retrieval and local file writes can exercise the user's underlying access more aggressively than manual work. Verify least-privilege posture across the sources Scout can reach before enabling it for populations that access customer NPI.

Preview-feature risk: Scout is prerelease software whose capability, inference path, storage boundaries, and admin surfaces may change. Avoid embedding Scout in critical or unsupervised workflows until it reaches general availability and has been re-assessed under this control.

Verification Criteria

# Verification Step Expected Result
1 Review Frontier scoping for Scout Frontier scope for the tenant and admin accounts is documented (No access / All users / Specific users); matches the approved pilot; propagation time acknowledged
2 Inspect Intune endpoint policy — Allow Microsoft Scout Frontier access Windows configuration profile built from the imported microsoft-scout administrative template enables Allow Microsoft Scout Frontier access (the AllowScoutFrontierAccess capability) only for approved device groups
3 Inspect Intune endpoint policy — ADMX admin controls The pilot posture is recorded for each of the documented ADMX admin controls (DisabledServers, DisabledPermissions, ForcePrompt, DisabledModels, DisabledProviders, DisableHeartbeat, DisableWorkflows, RestrictToWorkspace, BrowserEgressBlockedOrigins, PolicyVersion); values that materially reduce blast radius (for example, DisabledServers, DisabledProviders, ForcePrompt, RestrictToWorkspace, BrowserEgressBlockedOrigins) match the approved pilot decision or are documented as "not configured" with a citation to current Microsoft documentation
4 Inspect macOS .mobileconfig device profile Microsoft-provided microsoft-scout.mobileconfig is deployed to approved macOS device groups; equivalent payload keys for the Windows ADMX admin controls are verified against current Microsoft documentation before being treated as configured evidence
5 Verify local policy application on a sampled Windows device Values under HKLM\SOFTWARE\Policies\Scout match the intended pilot posture; the ADMX namespace and value names have been re-verified against current Microsoft documentation
6 Confirm admin attestation and opt-in record Microsoft-provided Frontier organization sign-up (admin attestation) record exists, is retained as evidence, and names an authorized admin
7 Reconcile Microsoft 365 Copilot license assignment Pilot users hold an active Microsoft 365 Copilot license per Control 1.9; users outside the pilot are not assigned the license as a Scout prerequisite
8 Reconcile GitHub Copilot entitlement Users entitled through GitHub Copilot Business or Enterprise match the approved pilot list; users outside the pilot are not entitled
9 Review install-privilege posture Scout installer is deployed through system-context managed deployment (Intune) or a just-in-time elevation mechanism; end users are not granted standing local Administrator rights to install Scout, or a documented exception with compensating controls exists
10 Review shell permission default Default posture is documented (recommended: prompt during pilot); any auto-approve list is explicitly approved and low-risk; where feasible, the pilot default is backed by the documented ForcePrompt ADMX setting
11 Review autonomous-mode posture Autonomous modes are disabled unless a separately approved low-risk scoping decision exists
12 Review unattended automation posture Scheduled or triggered automations are disabled for regulated populations unless separately approved; where feasible, the "off" posture is backed by the documented DisableWorkflows ADMX setting
13 Review MCP-server inventory Approved-MCP-server inventory exists, matches configured servers, and captures data path, authentication, and egress; where the inventory excludes servers, the exclusion is reflected in the documented DisabledServers ADMX setting
14 Review third-party inference exclusions Where specific providers or models are excluded for the pilot, the exclusion is reflected in the documented DisabledProviders and/or DisabledModels ADMX settings, and the decision is reconciled with the storage-and-inference boundary documentation
15 Review storage/inference boundary documentation Documentation identifies OneDrive-stored vs locally stored data, and identifies third-party inference as outside M365 protections
16 Confirm audit and supervision coverage assessment Documented assessment identifies which Scout activity is captured by Purview and which is a known gap (local automation, MCP output, third-party inference)
17 Confirm incident-response coverage Incident-response playbook covers independent revocation of Frontier scope, endpoint policy, and GitHub entitlement, plus Microsoft 365 Copilot license removal where applicable, plus preservation of local artifacts
18 Confirm review cadence A documented cadence exists for reviewing Scout Frontier scope, endpoint policy (including ADMX admin controls), M365 Copilot license reconciliation, GitHub entitlement, MCP inventory, and Microsoft preview-feature changes

Additional Resources