1. Why “One Microsoft Rule” Fails for Copilot on Windows 11
A blunt DOMAIN-SUFFIX,microsoft.com line is tempting until you remember how large that suffix really is: Windows Update, Store, Defender intelligence, telemetry endpoints, and developer tooling all share the same namespace family. Stuffing every Microsoft hostname into one overseas proxy group can slow unrelated downloads, trigger captchas on benign services, or mask the fact that Copilot also talks to Bing-branded edgeservices and WebView surfaces that do not always present as *.microsoft.com in your first packet capture.
The Windows shell experience routes user-visible Copilot UI through components that feel “local,” but the data plane still reaches networked hosts for models, orchestration, and account checks. If your Clash profile proxies “AI sites” based on a static community list built for OpenAI or Anthropic, you will miss copilot.microsoft.com, newer *.cloud.microsoft entry patterns, and the Bing services stack that backs conversational features. That mismatch is not moral failure; it is a hostname inventory problem.
This article therefore separates three concerns: (a) product endpoints that identify as Copilot or modern Microsoft cloud fronts, (b) Bing and edgeservices traffic that still underpins retrieval and orchestration in many builds, and (c) Microsoft identity and account flows that must stay consistent across sign-in, token refresh, and profile sync. Your mihomo graph should express that separation with explicit rows placed above broad GEOIP shortcuts—consistent with how we explain matcher ordering in the routing and rules reference.
2. Symptoms: Sidebar Spinners, Edge Panels, and Mixed Errors
Users rarely see a single error string that says “your YAML is wrong.” More commonly, the Windows 11 Copilot sidebar opens but never finishes loading, while Edge inline panels partially render with broken images or stalled chat turns. Sometimes authentication succeeds for Microsoft account pages yet conversational calls fail because different hostnames exit through different policies and the service interprets that as unstable geography.
Another frequent pattern is “works in the browser, fails in the shell.” That split often points to Edge using one resolver path while the WebView-hosted shell uses another, or to system proxy mode missing certain sockets that TUN would catch. Before you chase HTTP/3 quirks, confirm whether failures correlate with specific hostnames in mihomo debug logs—names beat vibes.
Treat any “region not supported” style message as two hypotheses: genuine product policy for your account, versus inconsistent egress that makes the service think you changed countries between token issuance and model calls. The second hypothesis is testable by unifying hostnames under one stable outbound for the session and re-checking logs. Jumping straight to “buy another node” without hostname evidence burns money and time.
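One way to test the inconsistent-egress hypothesis from logs, as an added example that is not part of the original article or of mihomo: it groups the watched hostnames by the exit they actually used and reports when more than one exit is involved. The log lines are constructed, the line format is an assumption modelled on mihomo connection logs, and the group and node names are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines shaped like mihomo info-level connection logs; the
# exact line format is an assumption, so adjust LINE_RE to your client's output.
SAMPLE_LOG = """\
time="2026-01-10T09:00:01Z" level=info msg="[TCP] 127.0.0.1:50101 --> login.live.com:443 match DomainSuffix(login.live.com) using Microsoft ID[US-01]"
time="2026-01-10T09:00:02Z" level=info msg="[TCP] 127.0.0.1:50102 --> copilot.microsoft.com:443 match DomainSuffix(copilot.microsoft.com) using Copilot[US-01]"
time="2026-01-10T09:00:03Z" level=info msg="[TCP] 127.0.0.1:50103 --> edgeservices.bing.com:443 match GeoIP(XX) using DIRECT"
time="2026-01-10T09:00:04Z" level=info msg="[TCP] 127.0.0.1:50104 --> www.bing.com:443 match DomainSuffix(bing.com) using Copilot[US-02]"
time="2026-01-10T09:00:05Z" level=info msg="[TCP] 127.0.0.1:50105 --> dl.example.net:443 match DomainSuffix(example.net) using DIRECT"
"""

# Hostname suffixes this article names as Copilot, Bing and identity hosts.
WATCHED = ("copilot.microsoft.com", "cloud.microsoft", "bing.com",
           "login.microsoftonline.com", "login.live.com", "account.microsoft.com")

LINE_RE = re.compile(r'--> (?P<host>[^\s:]+):\d+ match (?P<rule>\S+) using (?P<out>[^"]+)')

def exits_by_host(log_text, watched=WATCHED):
    """Map each watched hostname to the set of exits (node or DIRECT) it used."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        host = m["host"].lower()
        if not any(host == s or host.endswith("." + s) for s in watched):
            continue
        out = m["out"].strip()
        node = re.search(r"\[([^\]]+)\]\s*$", out)  # "Group[node]" -> node
        seen[host].add(node.group(1) if node else out)
    return dict(seen)

def split_egress(log_text, watched=WATCHED):
    """Return {exit: sorted hosts} when watched hosts left via more than one exit."""
    by_exit = defaultdict(set)
    for host, exits in exits_by_host(log_text, watched).items():
        for e in exits:
            by_exit[e].add(host)
    if len(by_exit) <= 1:
        return {}  # one stable exit for the whole session: nothing to report
    return {e: sorted(hosts) for e, hosts in by_exit.items()}
```

An empty result means every watched hostname used the same exit, which rules out the inconsistent-egress hypothesis for that capture.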
3. Copilot and Bing Backends to Route Explicitly
Start with the consumer-facing Copilot surfaces. In 2026, product documentation and live traffic commonly reference hosts such as copilot.microsoft.com and cloud-oriented patterns under cloud.microsoft for Microsoft 365–aligned experiences. These names should appear as explicit DOMAIN-SUFFIX rows in your profile rather than being left to a catch-all “foreign sites” bucket that flaps between cities.
Conversational features still lean on Bing infrastructure in many configurations. Community captures repeatedly show traffic to www.bing.com, edgeservices.bing.com, and related *.bing.com subdomains during retrieval, configuration, or feature gating. A profile that routes copilot.microsoft.com but leaves edgeservices.bing.com on DIRECT is a classic split-tunnel bug: the UI shell loads while backend calls stall or time out.
Because hostnames shift with product experiments, treat the list below as a starting inventory, not scripture. Open DevTools in Edge, filter by domain, reproduce the failing flow, and add any recurring names you see during sign-in, chat, and attachment uploads. If your organization uses private gateways or sovereign clouds, mirror those hostnames literally in YAML instead of assuming the public suffix list still applies.
IP-only rules age poorly for globally anycast CDNs. Prefer domain rules and let the core choose consistent outbounds per name; reserve IP rules for surgical troubleshooting when logs prove a static endpoint misbehaves.
4. Identity, Account, and Edge Update Hosts
Microsoft account flows typically touch login.microsoftonline.com, login.live.com, and account.microsoft.com. Token and profile continuity matter: if Copilot calls ride a stable overseas path while sign-in refresh traffic exits DIRECT through a different region, you can observe bizarre half-working sessions that look like “AI outage” from the outside.
Edge updates and component downloads add another parallel graph: edge.microsoft.com, microsoftedge.microsoft.com, and update channels that may not share the same policy as conversational endpoints. You do not necessarily want every update host on the same aggressive proxy group you use for model traffic; you do want predictable routing so partial upgrades do not leave the browser in a mismatched state relative to the shell WebView.
Enterprise tenants may also see Microsoft Graph–adjacent calls to graph.microsoft.com or Office substrate hosts such as *.office.com when Copilot integrates with Microsoft 365 data. If your workplace uses conditional access or split tunnels mandated by IT, align with those policies first—this guide helps personal devices where you control the Clash profile end to end.
5. Policy Groups and Rule Order in Mihomo
Create dedicated select groups instead of one giant “Microsoft” bucket. Practical labels might separate “Copilot + Bing services” from “Identity / account” from “Edge update,” depending on how aggressively you want to optimize latency. Avoid ultra-flappy auto url-test groups that rotate exit cities during OAuth—assistant products are sensitive to rapid geography changes while cookies and tokens are in flight.
Rule order remains the silent killer. Insert explicit DOMAIN-SUFFIX and DOMAIN rows for the hostnames you enumerated, and place them above broad GEOIP shortcuts and above lazy MATCH fallbacks. If a domestic direct rule wins because an anycast IP was classified unexpectedly, you will troubleshoot the wrong continent. The same structural advice appears across our Claude DNS and Discord TUN articles—different products, identical discipline.
When you import upstream rule providers, know whether your GUI prepends or appends them. A remote update that reorders rows can make yesterday’s stable profile today’s roulette. Keep a small owned merge for Copilot-critical domains and treat community lists as overlays you verify after each refresh.
6. Example YAML: Copilot + Microsoft Rows
The snippet below is illustrative. Rename proxy groups, extend hostnames from live logs, and insert these rules before broad GEOIP blocks—consistent with our routing and rules reference.
① Policy groups
proxy-groups:
  - name: 🪟 Copilot
    type: select
    proxies:
      - US-01
      - US-02
      - DIRECT
  - name: 🔑 Microsoft ID
    type: select
    proxies:
      - US-01
      - DIRECT
② Rules (extend with DevTools hostnames)
rules:
  # Identity rows come first so the wide microsoft.com suffix below cannot capture account.microsoft.com
  - DOMAIN-SUFFIX,login.microsoftonline.com,🔑 Microsoft ID
  - DOMAIN-SUFFIX,login.live.com,🔑 Microsoft ID
  - DOMAIN-SUFFIX,account.microsoft.com,🔑 Microsoft ID
  - DOMAIN-SUFFIX,live.com,🔑 Microsoft ID
  # Copilot and Bing rows, narrower suffixes before wider ones
  - DOMAIN-SUFFIX,copilot.microsoft.com,🪟 Copilot
  - DOMAIN-SUFFIX,cloud.microsoft,🪟 Copilot
  - DOMAIN-SUFFIX,edgeservices.bing.com,🪟 Copilot
  - DOMAIN-SUFFIX,bing.com,🪟 Copilot
  # Narrow microsoft.com if your LAN/Update traffic should stay DIRECT; split by subdomain from logs
  - DOMAIN-SUFFIX,microsoft.com,🪟 Copilot
  # ... GEOIP and MATCH follow ...
Note: A wide DOMAIN-SUFFIX,microsoft.com row collides with non-Copilot workloads. Prefer capturing Copilot-specific subdomains from logs first, then widen cautiously. Emoji in group names are optional; plain ASCII labels work if your toolchain dislikes Unicode.
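The first-match behaviour behind this note can be checked mechanically. The following is an added example, not code from the original article or from mihomo: it models only DOMAIN, DOMAIN-SUFFIX and MATCH rows over a constructed rule list with plain ASCII group names, shows which policy a hostname lands on, and reports rows that an earlier, wider row makes unreachable.

```python
# RULES is constructed for illustration; only DOMAIN, DOMAIN-SUFFIX and MATCH
# rows are modelled, and group names are plain ASCII placeholders.
RULES = [
    "DOMAIN-SUFFIX,copilot.microsoft.com,Copilot",
    "DOMAIN-SUFFIX,bing.com,Copilot",
    "DOMAIN-SUFFIX,microsoft.com,Copilot",               # wide row
    "DOMAIN-SUFFIX,login.live.com,Microsoft ID",
    "DOMAIN-SUFFIX,account.microsoft.com,Microsoft ID",  # sits below the wide row
    "MATCH,DIRECT",
]

def parse(rows):
    """Split rows into (type, payload, policy); MATCH has an empty payload."""
    out = []
    for row in rows:
        parts = [p.strip() for p in row.split(",")]
        if parts[0] == "MATCH" and len(parts) >= 2:
            out.append(("MATCH", "", parts[1]))
        elif parts[0] in ("DOMAIN", "DOMAIN-SUFFIX") and len(parts) >= 3:
            out.append((parts[0], parts[1].lower().rstrip("."), parts[2]))
    return out

def covers(rule_type, payload, host):
    """True if a rule of this type and payload matches the hostname."""
    host = host.lower().rstrip(".")
    if rule_type == "DOMAIN":
        return host == payload
    if rule_type == "DOMAIN-SUFFIX":
        return host == payload or host.endswith("." + payload)
    return True  # MATCH catches everything

def route(rows, host):
    """Policy of the first row that matches, which is the one that applies."""
    for rule_type, payload, policy in parse(rows):
        if covers(rule_type, payload, host):
            return policy
    return None

def shadowed(rows):
    """(later_row, earlier_row) pairs where the later row can never be reached."""
    rules, hits = parse(rows), []
    for i, (t, payload, policy) in enumerate(rules):
        for et, ep, epol in rules[:i]:
            # An earlier MATCH, or an earlier suffix covering this payload,
            # catches every name the later row could match.
            if et == "MATCH" or (et == "DOMAIN-SUFFIX" and covers(et, ep, payload)):
                hits.append((f"{t},{payload},{policy}", f"{et},{ep},{epol}"))
                break
    return hits
```

Running `shadowed()` on your own merged rule list after each provider refresh catches reordering before it shows up as a half-working sign-in.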
7. DNS, Fake-IP, and Edge Secure DNS
No routing article is complete without DNS. If the operating system resolves copilot.microsoft.com outside the core’s DNS pipeline, your domain rules may never see the names you expect—especially under fake-ip configurations where mapping between queried name and evaluated flow must stay coherent. Enable the core’s DNS feature, choose upstreams you trust, and stop mixing ISP resolvers for “just these two Microsoft sites.”
Edge can bypass system DNS when Secure DNS is enabled. Chromium’s encrypted DNS path may answer names your mihomo stack never observes, which produces the classic symptom: curl through the tunnel looks fine while the browser misbehaves. For debugging sessions, align secure DNS with your tunnel policy or temporarily disable encrypted DNS to remove a variable—then re-enable once matches stabilize.
When debugging fake-ip, revisit the hostname at the layer where mihomo evaluates rules. If packet captures show one SNI while applications pinned another name, you will see correct-looking YAML and wrong-looking outcomes simultaneously. Align fake-ip-filter and nameserver-policy entries with the domains you rely on for sign-in and chat calls, and retest with a single capture mode while you iterate. For subscription or TLS noise unrelated to Copilot, see subscription update errors on Windows.
8. TUN vs System Proxy on Windows 11
System proxy mode is easy to reason about until you meet applications that ignore it or split TCP and QUIC in ways rules do not expect. On Windows 11, TUN mode often yields more predictable hostname visibility for store apps, WebView hosts, and services that do not honor the WinHTTP proxy catalog. If the shell Copilot experience fails while Edge works, compare modes before you rewrite half your profile.
First-time setup for Verge-class clients on Windows—including Wintun installation and permission prompts—is covered in our Clash Verge Rev on Windows 11 guide. Use that article to establish a clean baseline, then return here to layer Copilot-specific domain rows and DNS alignment.
Corporate VPNs and endpoint agents can also steal routes or DNS. If you must stack tools, document which interface owns the default route during tests; otherwise you will blame Clash for a policy your security client enforced upstream.
9. Verification Checklist (2026 Field Notes)
Walk through this list after subscription refreshes, client upgrades, or mysterious “it worked yesterday” reports:
When every box passes but the product still declines you, step back to account status, tenant policy, and regional product availability. Technology clears the path in front of a legitimate request—it does not manufacture entitlements you were never granted.
Closing Thoughts
Microsoft Copilot on Windows 11 is not “just another chat tab.” It is a shell-adjacent workload that crosses Copilot fronts, Bing services, and Microsoft identity in the same minute. Treating it that way—explicit mihomo rows, resolver discipline, and mode-aware testing on Edge—turns vague frustration into logs you can share and diffs you can review.
Compared with one-size “global mode” advice, structured Clash routing keeps unrelated downloads fast while stabilizing the small set of names assistant features actually need. That separation matters because cross-border access debugging is expensive enough without proxying your entire OS through a single exit by accident.
When you want a maintained installer and a client aligned with the Meta ecosystem, start from our download center rather than scattered mirrors—then layer DNS, domain rules, and verification in that order. Compared with other tools in this space, Clash pairs approachable GUIs with rule transparency that makes this kind of troubleshooting feel fair instead of mystical.