Microsoft is shutting down Exchange Web Services (EWS) — the nearly 20-year-old API that Exchange uses for hybrid coexistence — in Exchange Online in two phases: a soft block on October 1, 2026, and a permanent hard shutdown on April 1, 2027. If you run Exchange in hybrid mode, meaning some mailboxes are on-premises and some are in Microsoft 365, this requires a two-step migration. The first step should already be complete; the second step must be finished before October 2026 and requires Exchange Server Subscription Edition (SE). Microsoft has confirmed there will be no exceptions past April 2027.

Source

Microsoft now offers Windows Server 2025 hotpatching through Azure Arc at no additional charge for eligible Azure Arc-enabled servers. Hotpatching installs Windows security updates without restarting the server in most months, but it does not eliminate all reboots. You still need Azure Arc, the Azure Connected Machine agent, Virtualization-based Security, and a supported Windows Server 2025 edition. This article explains what those requirements mean, how to enable the feature, and where its limits are.

Source

Admin Insights for Windows 365 is a feature, currently in public preview, that surfaces prioritized health and performance signals for your Cloud PCs directly in the Microsoft Intune admin center. Instead of hunting through separate reports, you see dynamically generated insight cards on a single overview page. The feature covers connectivity, provisioning, performance, and utilization issues. It requires Windows 365 Enterprise or Windows 365 Flex licensing and appropriate read permissions.

Source

In hybrid Exchange environments, organizations have long been forced to keep an on-premises Exchange Server running just to manage Exchange-related settings for mailboxes already hosted in Exchange Online. Microsoft has been addressing this with the Cloud-Managed Remote Mailboxes feature, and its latest addition — writeback — entered public preview on May 15, 2026. Writeback automatically pushes Exchange attribute changes made in Exchange Online back to your on-premises Active Directory, so internal line-of-business applications that read from AD stay in sync. This article explains what writeback does, what you need to configure it, and how it supports decommissioning your last on-premises Exchange Server.

Source

Windows Autopatch in the Intune admin center now includes an updated Secure Boot status report that provides device-level visibility into certificate readiness ahead of the 2026 expiry deadline. The report shows which devices have Secure Boot enabled, whether their certificates are up to date, and whether automatic or manual deployment applies. New columns for trust configuration, confidence level, and alerts help you make targeted decisions instead of broad deployments.

Source

The May 2026 cumulative update KB5089549 added a new C:\Windows\SecureBoot\ExampleRolloutScripts folder containing seven PowerShell scripts. These scripts are part of Microsoft's sample toolkit for managing Secure Boot certificate migration across enterprise environments. This article explains what each script does, how to run it, and its limitations.

Source

Microsoft has made Platform Single Sign-On (PSSO) during Automated Device Enrollment (ADE) generally available for macOS. The new EnableRegistrationDuringSetup setting in Microsoft Intune completes device registration and SSO configuration automatically during Setup Assistant — the initial macOS setup wizard — before the user ever reaches the desktop. This article explains what PSSO is, why the new setting matters, what you need to configure it, and what limitations to expect.

Source

Microsoft Identity Manager (MIM) 2016 Service Pack 3 (SP3) became generally available on May 14, 2026, after an initial release in late March 2026 that Microsoft quietly withdrew without public explanation. SP3 is primarily a platform compatibility update: it adds support for SQL Server 2022, SharePoint Subscription Edition (SE), and Exchange Server SE. The most technically significant additions are Azure SQL Database support for the Synchronization Service using managed identities and claims-based authentication via Active Directory Federation Services (AD FS) for the MIM Portal. MIM 2016 remains supported until January 9, 2029.

Source

Microsoft Desired State Configuration (DSC) v3.2.0 reached general availability on April 29, 2026. DSC is a tool that lets you describe how a Windows or Linux system should be configured — services running, firewall rules in place, features installed — and then automatically apply or verify that configuration. Version 3.2.0 adds built-in resources for services, firewall rules, and SSH settings; extends the --what-if preview mode to individual resources; introduces version pinning; and includes experimental Bicep integration via gRPC. This article covers what changed, the limitations, and how to install the update.

Source

Microsoft is simplifying how you access Copilot in Word, Excel, and PowerPoint by reducing the number of entry points to just two. A new floating icon sits in the bottom-right corner of the document canvas, and a contextual entry point appears when you interact with content. Proactive suggestions are now surfaced directly from the Copilot button, and keyboard shortcuts have been unified across apps and platforms. These changes also improve access for users who rely on keyboards or screen readers.

Source

Microsoft is introducing Cloud-Initiated Driver Recovery, a mechanism that automatically rolls back a faulty driver on your devices via Windows Update, without requiring any action from you or your hardware vendor. The feature is aimed at closing a gap where a bad driver could linger on devices for weeks before a fixed version became available. It works through the existing Windows Update pipeline and requires no new software on the client side. The feature is currently in a manual testing phase and is targeted for full automation in September 2026.

Source

Microsoft announced two significant updates: Agent 365 reached general availability as a management tool for AI agents in the Microsoft 365 admin center, and Copilot Cowork — a feature that runs multi-step tasks on your behalf in the background — gained mobile support, reusable task templates called skills, and new third-party integrations. Agent 365 is licensed separately per user at $15/month or is included with Microsoft 365 E7; Copilot Cowork requires a Microsoft 365 Copilot license and is currently limited to participants in the Frontier early-access program.

Source

Microsoft Discovery is a cloud-based enterprise platform that uses agentic AI — software that can plan and independently execute multi-step research tasks without constant human input — to accelerate research and development (R&D). Announced at Microsoft Build 2025 and now in expanded preview, it combines specialized AI agents, a graph-based knowledge engine, and high-performance computing (HPC — large-scale cloud server clusters for compute-intensive simulations) on Azure. The platform targets organizations in chemistry, pharmaceuticals, materials science, semiconductor design, and general engineering. You interact with it through a conversational interface orchestrated by Microsoft Copilot. General availability has not been announced.

Source

In a blog post titled 'Your Windows Update experience just got updated,' Microsoft has discussed its new mechanism to handle update installation failures on Windows 11: Windows now attempts to repair a failing update in real time during installation rather than rolling back immediately. This feature, called 'automatic recovery for update failures,' reduces the number of devices left in a failed-update state that requires manual troubleshooting. Administrators should note that this feature is distinct from—and should not be confused with—boot-level recovery, which is a separate safety net for devices that fail to start up after Patch Tuesday.

Source

Microsoft Intune's April and May 2026 updates deliver three areas of practical change for administrators: richer and more frequent app inventory for Windows devices, a redesigned single sign-on (SSO) experience for Linux endpoints that replaces an aging authentication component, and automated enrollment support for Apple tvOS and visionOS devices in shared-use scenarios. Hotpatch updates — which apply security fixes without a restart — also become enabled by default for eligible Windows devices in May 2026.

Source

TeamViewer is a remote assistance solution that lets you remotely connect to and control Intune-managed Windows, macOS, Android, and iOS/iPadOS devices directly from the Intune admin center to support your users. Microsoft Intune's April 2026 update (service release 2604) introduces a redesigned TeamViewer connector for remote assistance. The new connector replaces the existing one with a simplified setup process and adds SSO (single sign-on) support, device group synchronization, and granular role-based permissions. If you still use the old connector, you have 12 months to migrate before it stops working. This article explains what changed, what you need, and how to configure the new connector.

Source

Windows 11 version 25H2 introduces a new Group Policy setting, Configure maintenance windows for automatic updates, that lets you define precise time windows for downloading, installing, and restarting after updates. The policy ships with version 3.0 of the ADMX administrative templates and is currently available only in Windows 11 Insider Preview builds. It takes priority over several existing update-related policies, but the interaction rules are only partially documented.

Source

Microsoft is rolling out a long-overdue change to the browser-based versions of Word, Excel, and PowerPoint: you can now apply sensitivity labels with user-defined permissions directly in the web apps without switching to the desktop client. Sensitivity labels are classification tags you attach to a file to control who can read, edit, or print it. They are configured centrally in Microsoft Purview (Microsoft's compliance and information protection platform) and enforced by the Rights Management Service (RMS), which is the encryption engine built into Microsoft 365. This update started rolling out in mid-April 2026 and is expected to be completed worldwide by early May 2026. It requires enabling coauthoring on encrypted files in your tenant beforehand.

Source

The April 2026 Windows update cycle includes several changes that matter to IT administrators.

Source