Unsigned CoPilot Executable

Question

Unsigned CoPilot Executable

Anthony Mitchell 60

Hi CoPilot Team, I’m investigating the Microsoft Copilot experience in our environment and noticed that the WebViewHost.exe used by Microsoft.MicrosoftOfficeHub_18.2504.31709.0 is unsigned. Behaviorally, it launches outbound connections to onedscolprdwus08.westus.cloudapp.azure.com:443 and then switches to onedscolprduks04.uksouth.cloudapp.azure.com:443. While these domains seem valid, the lack of a digital signature raises concerns about connection integrity. Is the unsigned nature of thi

Anthony Mitchell 60 Reputation points

2025-04-25T23:21:45.4666667+00:00

....the lack of a digital signature raises concerns about connection integrity. Is the unsigned nature of this executable expected, or is there a signed version available?
Lewis Canfield 45 Reputation points

2025-06-26T10:41:09.31+00:00
We are currently experiencing an issue where Microsoft is providing no communication regarding a resolution or fix.

In our environment, we have Defender Attack Surface Reduction (ASR) Rules enabled. Each update to Microsoft 365 Copilot (formerly OfficeHub) generates a new file hash. As a result, for a subset of users, the Copilot app is being blocked by Defender.

It appears that after some time—once Defender has analyzed the new file hash—it is marked as clean, and subsequent users are able to use Copilot without issue.

We raised a support ticket with Microsoft, which was escalated to the Defender team. They then directed us to submit the file to the WDSI team for analysis. Below is the response we received:

WDSI Analyst Comments:

The blocked webviewhost.exe, SHA-256: 40f2d4abef4ed1acf0cfc2a3f7d5ff1289a9eb4f12a1e5411d55cc9ac6417c69, has been determined to be clean. This will ensure that the file will not be blocked again by the specified rule. However, if the file hash changes frequently, please consider deploying a file path-based exclusion or a certificate-based IoC exclusion. To exclude files and folders from ASR rules, use the following PowerShell cmdlet:

Launch PowerShell as Administrator

Run: Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<fully qualified path or resource>"

While we appreciate the analysis, it raises a broader concern: Microsoft should be signing its own products and ensuring they are trusted by Defender by default. It is not reasonable to expect customers to implement security workarounds—especially when those same security practices are recommended by Microsoft as best practice.

Why are Microsoft not signing the WebViewHost.exe contained within the Microsoft 365 Copilot App (OfficeHub)????

2 answers

Your answer

Anthony Mitchell 60 Reputation points

2025-04-25T23:21:45.4666667+00:00

....the lack of a digital signature raises concerns about connection integrity. Is the unsigned nature of this executable expected, or is there a signed version available?
Lewis Canfield 45 Reputation points

2025-06-26T10:41:09.31+00:00

We are currently experiencing an issue where Microsoft is providing no communication regarding a resolution or fix.

In our environment, we have Defender Attack Surface Reduction (ASR) Rules enabled. Each update to Microsoft 365 Copilot (formerly OfficeHub) generates a new file hash. As a result, for a subset of users, the Copilot app is being blocked by Defender.

It appears that after some time—once Defender has analyzed the new file hash—it is marked as clean, and subsequent users are able to use Copilot without issue.

We raised a support ticket with Microsoft, which was escalated to the Defender team. They then directed us to submit the file to the WDSI team for analysis. Below is the response we received:

WDSI Analyst Comments:

The blocked webviewhost.exe, SHA-256: 40f2d4abef4ed1acf0cfc2a3f7d5ff1289a9eb4f12a1e5411d55cc9ac6417c69, has been determined to be clean. This will ensure that the file will not be blocked again by the specified rule. However, if the file hash changes frequently, please consider deploying a file path-based exclusion or a certificate-based IoC exclusion. To exclude files and folders from ASR rules, use the following PowerShell cmdlet:

Launch PowerShell as Administrator

Run: Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<fully qualified path or resource>"

While we appreciate the analysis, it raises a broader concern: Microsoft should be signing its own products and ensuring they are trusted by Defender by default. It is not reasonable to expect customers to implement security workarounds—especially when those same security practices are recommended by Microsoft as best practice.

Why are Microsoft not signing the WebViewHost.exe contained within the Microsoft 365 Copilot App (OfficeHub)????

Answer 1

Charleen Crist 0

You’re absolutely right — having an unsigned executable within a trusted Microsoft service can trigger unnecessary security alerts and complicate ASR policies. It really shows how important consistent code signing and verification are for maintaining system integrity. For a good reference on practical reliability standards, you can click here to see an example of how careful validation helps avoid these kinds of trust issues in other fields.

0 comments

Answer 2

Lewis Canfield 45

We used our MIcrosoft Premier Support to log this issue.

As of version 19.2509.34011.0 released 08/09/2025,

The OfficeHub rebrand to Microsoft 365 Copilot - WebViewHost.exe is now signed and no longer being blocked by Defender ASR.

Microsoft confirmed to us this fix was released Worldwide.

0 comments

Share via

Unsigned CoPilot Executable

2 answers

Your answer