The Week at a Glance

  • 🔴 High — Exchange Server OWA vulnerability (CVE-2026-42897) requires immediate patching. Any organization still running Exchange Server 2016, 2019, or Subscription Edition on-premises is exposed to a remote JavaScript execution attack delivered by email. Exchange Online customers are not affected, but hybrid environments must act now.
  • 🔴 High — Secure Boot certificates begin expiring in June. Windows devices that have not been updated for the new certificate chain may fail to boot or be blocked from updates. Organizations should verify device readiness before June 30.
  • 🟡 Medium — Teams Live Events retire June 30, 2026. Any scheduled town halls, all-hands, or external broadcasts using the legacy Teams Live Events platform must be migrated to the new Teams Events experience or rescheduled on a supported platform before the cutover date.
  • 🟡 Medium — Exchange ActiveSync certificate-based authentication retires by end of 2026. Mobile devices using legacy certificate-based email authentication will lose access. IT and security teams need to inventory affected devices and plan re-enrollment through Microsoft Entra ID before the hard deadline.

Sources: Exchange Team Blog – CVE-2026-42897 · Windows IT Pro Blog – Secure Boot AMA · Teams Blog – Live Events Retirement


Why This Week Matters

Three converging deadlines — an active Exchange vulnerability, expiring Secure Boot certificates, and the Teams Live Events retirement — mean that organizations with any on-premises infrastructure or legacy authentication methods face real risk of service disruption or compliance exposure before the end of June. At the same time, Microsoft is accelerating its push to retire older protocols and authentication flows across Exchange and mobile email, creating a narrow window to avoid forced outages rather than planned migrations. The one thing leadership must understand: “we’ll get to it” is no longer a safe posture for on-premises Exchange or legacy authentication — the timelines are now measured in weeks, not quarters.

Sources: Exchange Team Blog – CVE-2026-42897 · Exchange Team Blog – EAS CBA Retirement · Windows IT Pro Blog – Secure Boot Status Report


Risk & Compliance

| Change | Business Risk | Regulatory Angle | Act By |
| --- | --- | --- | --- |
| Exchange Server CVE-2026-42897 – OWA JavaScript Injection | An attacker can execute malicious code in a user’s browser simply by sending a crafted email. Affects all on-premises Exchange 2016, 2019, and SE versions. Exchange Online is not impacted. | HIPAA Security Rule, CMMC Level 2, SOC 2 CC6, NIST CSF Respond. Unpatched known vulnerabilities are a leading trigger for cyber insurance claim denials. | Immediately |
| Secure Boot Certificate Expiration – June 2026 | Devices not updated for new Secure Boot certificates may fail to boot correctly or be unable to receive future Windows updates, creating compliance gaps and potential fleet-wide outages. | CMMC Level 1+, NIST CSF Protect, SOC 2 CC7. Devices outside patch compliance violate most cyber insurance policy requirements. | Before June 30, 2026 |
| Teams Live Events Retirement | No new Live Events can be scheduled after June 30, 2026. Events already scheduled will be honored through February 28, 2027. Organizations using Live Events for regulated communications (e.g., investor relations, all-hands) must migrate workflows. | SEC disclosure controls, internal communications governance policies. | June 30, 2026 |
| Exchange ActiveSync CBA Retirement | Mobile email clients using certificate-based authentication directly to Exchange Online will lose connectivity. New tenants are already blocked; existing tenants must migrate to Entra ID authentication before end of 2026. | HIPAA, CMMC, SOC 2 — enforced MFA and modern auth are baseline requirements in most frameworks. | End of 2026 (plan now) |
| Legacy TLS (1.0/1.1) Deprecation for POP3/IMAP4 | Email clients or automation using older encryption protocols for POP or IMAP access to Exchange Online will stop working. Finance systems, shared mailboxes, and monitoring tools are common hidden users of these protocols. | NIST CSF Protect, SOC 2 CC6, PCI DSS TLS requirements, HIPAA transmission security. | Per Microsoft timeline (review now) |
| Exchange 2016/2019 ESU Period 2 – Final Extension | Microsoft extended the paid security update program for Exchange 2016/2019 through end of October 2026. Organizations still on these versions must treat this as a final runway — no further extensions are anticipated. | HIPAA, CMMC, SOC 2, FedRAMP — running software past vendor support is an audit finding. | October 2026 (final deadline) |

Sources: Exchange Team Blog – CVE-2026-42897 · Exchange Team Blog – EAS CBA Retirement · Exchange Team Blog – Legacy TLS Deprecation


What Your Employees Will Notice

  • Teams Phone users assigned to multiple lines of business will now see up to 10 phone numbers within a single Teams interface — no more juggling accounts or devices for different roles or regions.
  • Teams call management: Copilot can now answer incoming calls and schedule follow-up appointments on a user’s behalf when they are unavailable (available through the Frontier early access program — not broadly deployed yet).
  • Meeting recaps and notes now include visual references (images shared during the meeting) and support custom format templates, making AI-generated summaries more useful and contextually complete.
  • Viva Engage communities are rolling into Teams — employees who used Engage for company-wide discussions and leader communications will begin seeing those communities appear directly in the Teams sidebar.
  • New Microsoft 365 Copilot design is rolling out — a cleaner, faster interface for Copilot across Microsoft 365 apps. Expect questions from users noticing a visual refresh.
  • Frontline workers will see new smart scheduling (auto-fill open shifts) and a new Communicator app for official operational updates — relevant for retail, healthcare, manufacturing, and hospitality sectors.
  • Windows 11 devices may have pre-installed apps removed via policy as IT teams use new dynamic app removal capabilities. Users may notice fewer pre-loaded Microsoft Store applications on provisioned devices.

Sources: Teams Blog – April 2026 What’s New · Teams Blog – Multi-Line Phone · Teams Blog – Frontline Innovations


What Your Help Desk Should Expect

  • “My email stopped working on my phone” — Expect a spike in mobile email tickets as legacy Exchange ActiveSync certificate-based authentication is blocked for new tenants and communications about end-of-2026 retirement reach users. IT teams should proactively identify affected devices before users call in.
  • “I can’t find Live Events” — Users who regularly scheduled or attended Teams Live Events will begin receiving communications about the June 30 retirement. Expect confusion about the difference between Live Events, Webinars, and the new Teams Events experience.
  • Secure Boot / device won’t start or update — As June certificate expiration approaches, devices that have not received the certificate update may exhibit boot issues or failed Windows Update attempts. Admins should use the updated Secure Boot Status Report in Windows Autopatch to identify at-risk devices proactively.
  • Copilot interface questions — The redesigned Microsoft 365 Copilot experience will prompt “where did X go?” questions from regular Copilot users. A short internal communication and updated quick-reference guide will reduce ticket volume.
  • Teams community/Engage overlap confusion — As Viva Engage communities appear in Teams, users may be unsure whether to use Teams channels or communities for specific discussions. Guidance from internal communications teams will help.
  • Multi-line Teams Phone configuration requests — Managers or executives with responsibility across multiple business lines may request the new multi-line phone feature; IT will need to configure assignments in the Teams Admin Center.

Sources: Teams Blog – Live Events Retirement · Exchange Team Blog – EAS CBA Retirement · Windows IT Pro Blog – Secure Boot Status Report


Cost & Licensing

  • Microsoft 365 Business with Copilot launches July 1, 2026. Microsoft is introducing new small business SKUs with Copilot built in. Organizations currently purchasing separate Copilot add-on licenses for Business Basic, Standard, or Premium users should review the new bundled pricing before July 1 — there may be a cost optimization or simplification opportunity, and existing renewals may be affected.
  • Advanced Intune capabilities added to Microsoft 365 at scale (CY26 Q3). Microsoft is bundling advanced endpoint management capabilities (previously part of the Intune Suite add-on) into broader Microsoft 365 plans. Organizations currently paying for the Intune Suite separately should watch for Message Center notifications — tenants will receive 30-day advance notice before capabilities appear. This may reduce add-on costs or change budget line items.
  • High Volume Email (HVE) for Exchange Online is now generally available with its own pricing model. Organizations sending bulk operational email (notifications, alerts, reports) through shared mailboxes or SMTP relays should evaluate whether HVE is a better fit than current approaches — it may reduce abuse risk and improve deliverability at lower operational overhead.
  • Exchange 2016/2019 ESU Period 2 is a paid extension program running through October 2026. Organizations enrolled are incurring ongoing licensing cost for a product on a hard end-of-life path. Budget owners should confirm migration timelines are funded to avoid a third extension cycle — which Microsoft has not indicated will be offered.

Sources: Microsoft 365 Blog – Business with Copilot · Intune Blog – Advanced Capabilities at Scale · Exchange Team Blog – High Volume Email GA


Planning Horizon

Next 30 Days (Act by July 2026)

| Item | Decision Required | Owner |
| --- | --- | --- |
| CVE-2026-42897 – Patch on-premises Exchange | Approve emergency patching window for Exchange Server 2016/2019/SE. No budget required; requires change management approval and downtime scheduling. | IT Director / CISO |
| Teams Live Events – Inventory and migrate | Identify all scheduled Live Events. Approve migration to new Teams Events experience. Confirm whether Communications or HR teams have planned events that need to be rescheduled. | IT Director / Communications Lead |
| Secure Boot Certificate Readiness | Review updated Secure Boot Status Report in Windows Autopatch. Approve targeted remediation for non-compliant devices before June 30. | IT Director |
| Microsoft 365 Business with Copilot – Licensing Review | Assess whether new bundled SKUs launching July 1 affect current licensing agreements, renewals, or add-on costs for small business segments. | IT Director / Finance |

Next 60 Days (Act by August 2026)

| Item | Decision Required | Owner |
| --- | --- | --- |
| Exchange ActiveSync CBA – Device Inventory | Commission inventory of all mobile devices using certificate-based Exchange ActiveSync authentication. Approve re-enrollment plan through Entra ID before end-of-2026 hard deadline. | IT Director / Security |
| Legacy TLS Deprecation for POP/IMAP – Application Audit | Identify any systems, applications, or automation using POP3/IMAP4 with TLS 1.0 or 1.1 to Exchange Online. Approve remediation or application upgrade plans. | IT Director / Application Owners |
| Intune Advanced Capabilities – License Impact Review | Review Message Center for 30-day notice of Intune Suite capability additions to existing M365 plans. Confirm budget impact and avoid duplicate licensing. | IT Director / Finance |

Next 90 Days (Act by September 2026)

| Item | Decision Required | Owner |
| --- | --- | --- |
| Exchange 2016/2019 Migration – Final Runway | ESU Period 2 ends October 2026. Confirm migration to Exchange SE or Exchange Online is funded and on track. No further extension programs have been announced. | CIO / IT Director |
| AI Agent Governance – Policy Decision | As Copilot agents proliferate across SharePoint, Teams, and custom workflows, organizations need a formal governance policy covering who can create agents, what data they can access, and how they are reviewed. Approve policy framework and ownership. | CISO / Compliance Officer |
| Sentinel Migration to Unified Defender Portal – Planning | Microsoft will retire the standalone Azure Sentinel experience on March 31, 2027. Security operations teams should begin architecture review and migration planning to avoid a rushed cutover in early 2027. | CISO / Security Operations |

Sources: Exchange Team Blog – CVE-2026-42897 · Teams Blog – Live Events Retirement · Entra Blog – Agent Sprawl Governance


If You Take No Action

CVE-2026-42897 (on-premises Exchange vulnerability): An attacker needs only to send a crafted email to a user on your Exchange system. If that user opens the message in Outlook Web Access, malicious code executes in their browser — potentially stealing credentials, session tokens, or enabling further lateral movement inside your network. This is a low-effort, high-impact attack vector. Leaving on-premises Exchange unpatched after a publicly disclosed vulnerability is a documented trigger for cyber insurance claim denials and will appear as a critical finding in any SOC 2, HIPAA, or CMMC audit conducted after the disclosure date.

Secure Boot Certificate Expiration: Devices that miss the certificate update window may be unable to start correctly or receive future Windows security updates, creating a growing gap in your patch compliance posture. In a fleet of hundreds or thousands of devices, even a fraction of non-booting machines creates significant help desk burden, lost employee productivity, and a compliance exposure that accumulates silently until audit time. Windows Autopatch customers have the tooling to identify at-risk devices today — the cost of running the report now is far lower than emergency remediation after devices begin failing.

Teams Live Events Retirement (June 30, 2026): Organizations that have not migrated scheduled large-scale broadcasts — investor briefings, all-employee town halls, partner events — will find those event types unavailable to schedule after June 30 with no fallback. Events already on the calendar will be honored through February 2027, but any new events must use the replacement platform. Communications, HR, and executive teams who own these events may not be aware that the scheduling window closes at the end of this month.

Sources: Exchange Team Blog – CVE-2026-42897 · Windows IT Pro Blog – Secure Boot Status Report · Teams Blog – Live Events Retirement