4sysops

Windows Kerberos RC4 deprecation: what will break in Active Directory and how to fix it

By: IT Experts
March 30, 2026 at 15:34
Windows Kerberos RC4 deprecation might break Active Directory authentication
Starting in April 2026, Windows updates will change the default Kerberos ticket issuance behavior to AES-SHA1 for accounts without explicit encryption settings, while RC4 can still be used where explicitly enabled. This change, driven by CVE-2026-20833, affects every Windows Server environment where service accounts or devices still rely on RC4. Any service account, NAS device, or legacy application not explicitly configured for AES-SHA1 encryption may lose authentication capability. This article explains what Kerberos and RC4 are, what will break in April 2026, and what you must do to prevent outages.

New SMTP DANE and MTA-STS connector modes in Exchange Online

By: IT Experts
March 27, 2026 at 15:47
SMTP DANE and MTA-STS modes in Exchange Online
Exchange Online now lets you choose, per outbound connector, whether SMTP DANE and MTA-STS are enforced opportunistically, mandatorily (for DANE), or not at all. These new connector modes give you granular control over how strictly Exchange Online enforces modern email security standards when sending mail to external domains.

Using OpenID Connect (OIDC) for external MFA in Entra ID

By: IT Experts
March 26, 2026 at 16:20
External MFA in Microsoft Entra ID (image Microsoft)
Microsoft has introduced external Multi-Factor Authentication (MFA) as the new, fully integrated OpenID Connect (OIDC)-based way to connect third-party MFA providers, replacing the Custom Controls mechanism that previously enabled external MFA in a more limited way. Custom Controls will be deprecated on September 30, 2026.

Update Windows Secure Boot DB certificates with Group Policy and PowerShell

By: IT Experts
March 20, 2026 at 04:31
Windows Secure Boot DB Certificate Update Architecture
Microsoft's original Secure Boot certificates from 2011 begin expiring in June 2026. Windows devices that still rely on these certificates will no longer receive security updates for boot components, leaving them out of compliance. To address this, Microsoft is rolling out new 2023 certificates for the UEFI Secure Boot Signature Database (DB). Administrators can deploy these certificates to domain-joined machines using Group Policy, PowerShell, or the Windows Configuration System (WinCS). This article covers the technical background, the registry-based deployment mechanism, and Microsoft's sample automation framework for enterprise rollouts.

Monitoring Secure Boot certificate installation status with Intune and PowerShell

By: IT Experts
February 27, 2026 at 14:51
Secure Boot Status Monitor (image Microsoft)
Microsoft Secure Boot certificates issued by the 2011 Certificate Authorities (CAs) are expiring starting June 2026. Every Windows device with Secure Boot enabled must be updated to trust the 2023 certificates before expiration to retain security update support. Microsoft provides a monitoring-only approach using Intune Remediations that runs a PowerShell detection script on enrolled devices and reports Secure Boot and certificate status back to the Intune admin center — without making any changes to devices. This article explains the prerequisites, deployment steps, data collected, and how to read the results.

Update Secure Boot certificates on Windows Server and VMs before June 2026

By: IT Experts
February 25, 2026 at 16:28
Enable Secure Boot certificate deployment in Group Policy
Microsoft's original Secure Boot certificates — issued in 2011 — begin expiring in June 2026. Unlike Windows 11, Windows Server does not receive these updates automatically via Windows Update. Administrators must manually deploy the 2023 replacement certificates to all applicable servers and Generation 2 virtual machines before the deadline. Systems that remain on the 2011 certificates after expiration enter a degraded security posture and cannot receive future Secure Boot updates.

How to manage Microsoft Cloud PKI certification authority (CA) expiration in Intune

By: IT Experts
February 20, 2026 at 16:31
Certificate enrollment workflow using SCEP and Cloud PKI in Microsoft Intune (image Microsoft)
Microsoft Cloud PKI for Intune automates certificate management for enrolled devices, but you must manually handle the expiration of the certification authority (CA). When your Cloud PKI issuing CA approaches its expiration date, you need to create a new CA and update your SCEP certificate profiles to maintain uninterrupted service. This guide explains the expiration process, potential impacts, and the steps required to transition to a new issuing CA.
