The Week at a Glance
- 🔴 High — Exchange Server OWA Vulnerability (CVE-2026-42897): Organizations running Exchange Server 2016, 2019, or Subscription Edition on-premises face an active cross-site scripting vulnerability that can execute malicious code when a user simply opens a crafted email in a browser. Patching or applying Microsoft’s mitigation is urgent.
- 🔴 High — Teams Live Events Retire June 30, 2026: Any organization still scheduling large-scale broadcasts using Teams Live Events must act within weeks. After June 30, no new Live Events can be scheduled; only pre-booked events run through February 28, 2027.
- 🟡 Medium — New Microsoft 365 Business with Copilot SKUs launching July 1: Microsoft is restructuring small-business licensing to bundle Copilot by default. Organizations need to evaluate contract and budget implications before the July 1 effective date.
- 🟢 Low — AI Agent Governance Tools Now Generally Available: Microsoft Agent 365, phishing-resistant MFA for Linux, and expanded Entra identity governance reach general availability. No immediate action required, but organizations actively deploying AI agents should begin governance planning this quarter.
Sources: Exchange Team Blog — CVE-2026-42897 · Teams Live Events Retirement · Microsoft 365 Business with Copilot
Why This Week Matters
AI agents are no longer experimental — they are executing real work inside enterprise systems, and the governance, security, and identity infrastructure to manage them is arriving at the same time adoption is accelerating. Leadership must recognize that deploying agents without corresponding governance controls creates audit exposure and data risk that regulators and cyber insurers are beginning to scrutinize. Separately, the on-premises Exchange vulnerability is a concrete, near-term threat that requires a patching decision this week — not this quarter. The one thing leadership must understand: the window between an AI capability becoming available and attackers exploiting the governance gaps around it is shrinking rapidly.
Sources: Microsoft Agent 365 GA · Microsoft Security Blog — AI Brands as Bait · Entra What’s New — June 2026
Risk & Compliance
| Change | Business Risk | Regulatory Angle | Act By |
|---|---|---|---|
| CVE-2026-42897 — Exchange Server OWA Vulnerability | Attackers can execute malicious code in users’ browsers by sending a crafted email — no user action beyond opening the message in Outlook Web Access is required. Exchange Online is not affected; on-premises only. | HIPAA (breach notification), CMMC (patch management), NIST CSF (RS.MI), cyber insurance patch compliance clauses | Immediately — patch or apply mitigation now |
| Teams Live Events Retirement — June 30, 2026 | Any all-hands meetings, investor briefings, or large-scale communications scheduled as Live Events after June 30 will fail to create. Events already on the calendar through Feb 28, 2027 are honored, but no new ones can be booked. | SOC 2 (change management, business continuity), internal communications governance | June 30, 2026 — no new events schedulable after this date |
| EAS Certificate-Based Authentication Retirement | Mobile email clients using legacy certificate-based auth directly to Exchange Online will stop working by end of 2026. New tenants are already blocked; existing tenants must migrate to Entra ID authentication. | HIPAA (access controls), CMMC (multi-factor authentication), NIST CSF identity management | End of 2026 — begin inventory and migration now |
| Legacy TLS (1.0/1.1) Deprecation for POP/IMAP in Exchange Online | Email clients, shared mailbox integrations, and automated systems using outdated encryption protocols will be blocked. Scanning devices, older mobile apps, and legacy line-of-business mail integrations are most at risk. | HIPAA, PCI-DSS, NIST CSF (PR.DS data-in-transit protection), cyber insurance requirements | Plan within 30 days — audit POP/IMAP clients now |
| Microsoft Entra ID Security Updates — Custom Controls & SSPR Changes | Microsoft is retiring Custom Controls in Conditional Access and tightening how self-service password reset (SSPR) works. Organizations with custom MFA configurations need to migrate before enforcement begins. | CMMC (MFA requirements), SOC 2 (access controls), NIST CSF identity management | Plan within 30 days — assess current Conditional Access configurations |
| Secure Boot Certificate Expiry — June 2026 | The first set of Secure Boot certificates begins expiring in June 2026. Devices that are not updated may experience boot issues or fail compliance checks. | CMMC, NIST CSF (device integrity), cyber insurance endpoint compliance | June 2026 — verify device readiness via Windows Autopatch report |
Sources: Exchange Team Blog — CVE-2026-42897 · Entra ID Security Updates · Secure Boot Status Report in Autopatch
What Your Employees Will Notice
- Copilot redesign: The Microsoft 365 Copilot app has a refreshed look and feel. Users may comment on the visual change; this is expected and requires no action.
- New AI models in Copilot: Employees with Copilot licenses will notice the addition of Anthropic’s Claude Opus 4.8 and OpenAI’s GPT-5.5 Instant as available model options. Responses may feel faster or different in character.
- Teams Phone multi-line calling: Users assigned multiple phone numbers can now manage all lines in one Teams experience — relevant to customer-facing roles, regional managers, and executive assistants.
- Meeting recap app coming in July: A consolidated recap experience will appear in Teams, making it easier to catch up on missed meetings. Users should expect the new interface in July.
- SharePoint link previews in Teams: Shared SharePoint page links in Teams chats will automatically expand into rich visual cards — a small but noticeable improvement to daily collaboration.
- Copilot Learning Agent: Employees with Copilot licenses will begin receiving personalized, role-based AI skill recommendations within the apps they already use. Proactively communicate this as a benefit, not surveillance.
- Teams Live Events going away June 30: Communicate now to event organizers, communications teams, and executive assistants that Live Events will no longer be available for new scheduling after June 30. Point them to the new Teams Events experience as the replacement.
Sources: What’s New in Microsoft 365 Copilot — May 2026 · What’s New in Microsoft Teams — May 2026 · Learning Agent GA
What Your Help Desk Should Expect
- Secure Boot device questions: As Secure Boot certificate expiry begins in June, expect tickets from users whose devices flag compliance warnings or behave unexpectedly at startup. IT teams should proactively use the updated Autopatch Secure Boot Status Report to identify affected devices before users call.
- Teams Live Events migration confusion: Event organizers who attempt to schedule a new Live Event after June 30 will hit an error. Expect escalations from communications teams, HR (for all-hands meetings), and executive staff. Prepare a one-page guidance document pointing users to the new Teams Events experience.
- Copilot model choice questions: With multiple AI models now available (GPT-5.5 Instant, Claude Opus 4.8), some users will ask which to use and why. A simple internal FAQ noting that the default model is appropriate for most work will reduce ticket volume.
- Exchange POP/IMAP connectivity failures: Automated systems, shared mailboxes, and older mobile devices that rely on POP or IMAP with legacy TLS encryption may begin failing as deprecation is enforced. Map these connections now to avoid reactive outage calls.
- Mobile email auth failures (EAS CBA): Users on older mobile email apps using certificate-based authentication to Exchange Online may suddenly lose email access. Inventory mobile device profiles managed through Intune to identify exposure before enforcement hits.
- Copilot redesign disorientation: Some users will notice the Copilot app looks different and open tickets asking if something is wrong. A brief communication confirming the redesign is intentional will preempt most of these.
Sources: Intune What’s New — May 2026 · Exchange TLS Deprecation · EAS CBA Retirement
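One way to start the POP/IMAP and EAS inventory the tickets above call for, as an added example that is not from the briefing or from Microsoft's documentation: it assumes the ExchangeOnlineManagement module is installed, that the account holds an Exchange administrator role, and that the CSV path is a placeholder. Protocol state is visible from the mailbox side; which TLS version or authentication method a given client actually negotiates is not, so each hit still has to be confirmed with the device or system owner.

```powershell
# Added inventory script (assumption: ExchangeOnlineManagement module present,
# Exchange Administrator role held). Lists every mailbox that still accepts POP,
# IMAP or Exchange ActiveSync so the owners behind them can be contacted before
# the legacy-TLS and EAS certificate-auth cut-offs take effect.
Connect-ExchangeOnline -ShowBanner:$false

# Mailbox type tells us whether a hit is a shared mailbox, the usual home of
# scanners and line-of-business integrations; keyed on SMTP address.
$types = @{}
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $types[$_.PrimarySmtpAddress.ToString()] = $_.RecipientTypeDetails.ToString()
}

# Protocol flags live on the CAS mailbox object.
$report = foreach ($m in Get-CASMailbox -ResultSize Unlimited) {
    if (-not ($m.PopEnabled -or $m.ImapEnabled -or $m.ActiveSyncEnabled)) { continue }
    $smtp = $m.PrimarySmtpAddress.ToString()
    # Which retirement this mailbox is exposed to, as a reading aid for the ticket owner.
    $exposure = @(
        if ($m.PopEnabled -or $m.ImapEnabled) { 'Legacy TLS deprecation (POP/IMAP)' }
        if ($m.ActiveSyncEnabled)             { 'EAS certificate-based auth retirement' }
    ) -join '; '
    [pscustomobject]@{
        Mailbox    = $smtp
        Type       = $types[$smtp]
        Pop        = $m.PopEnabled
        Imap       = $m.ImapEnabled
        ActiveSync = $m.ActiveSyncEnabled
        Exposure   = $exposure
    }
}

# Shared mailboxes first, since those are the ones nobody will call the help desk about.
$report | Sort-Object Type, Mailbox | Format-Table -AutoSize
$report | Export-Csv -Path '.\legacy-mail-protocol-inventory.csv' -NoTypeInformation  # placeholder path

# Once an owner confirms a protocol is not needed, disabling it removes the
# exposure outright, e.g.:
#   Set-CASMailbox -Identity shared@example.com -PopEnabled $false -ImapEnabled $false
Disconnect-ExchangeOnline -Confirm:$false
```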
Cost & Licensing
New Microsoft 365 Business with Copilot SKUs — Effective July 1, 2026
Microsoft is introducing new small-business SKUs that bundle Copilot into the base Microsoft 365 plan. Organizations currently on Business Basic, Standard, or Premium plans should review whether this changes their per-seat cost and what happens to existing standalone Copilot add-on licenses at renewal. Budget owners and procurement teams should engage Microsoft or their licensing partner before July 1 to understand renewal pricing, avoid double-billing, and confirm whether Copilot commitments change.
Microsoft 365 Advanced Intune Solutions Included in M365 Plans — CY26 Q3
Microsoft is adding advanced Intune endpoint management capabilities (previously sold separately as the Intune Suite add-on) into core Microsoft 365 plans at no additional cost, rolling out in Q3 2026. Organizations currently paying for Intune Suite add-ons should flag this with their licensing team. A 30-day Message Center notice will precede tenant enablement. This represents a potential cost reduction worth reviewing at next renewal.
Exchange 2016/2019 Extended Security Updates — Period 2 Active Through October 2026
Organizations that did not complete migration to Exchange Server Subscription Edition before April 2026 can enroll in the Period 2 ESU program, which runs May through October 2026. This is a paid program — confirm with your vendor whether you are enrolled if you are still running Exchange 2016 or 2019 on-premises, or you will receive no security patches.
Sources: Microsoft 365 Business with Copilot Announcement · Advanced Intune Solutions in M365 · Exchange ESU Period 2
Planning Horizon
| Timeframe | Item | Decision Required | Who Owns It |
|---|---|---|---|
| Now | CVE-2026-42897 Exchange OWA Patch | Authorize emergency patching or mitigation for on-premises Exchange servers | CISO / IT Director |
| By June 30, 2026 | Teams Live Events Retirement | Identify all scheduled Live Events; migrate future broadcasts to new Teams Events; communicate to event owners | IT Director / Communications Lead |
| By June 30, 2026 | Secure Boot Certificate Expiry | Review Autopatch Secure Boot Status Report; authorize remediation for non-compliant devices | IT Director |
| 30 days | Microsoft 365 Business with Copilot SKU Change — July 1 | Assess licensing impact; engage Microsoft or partner on renewal pricing; update budget forecasts | CFO / IT Director / Procurement |
| 30 days | EAS Certificate-Based Auth Retirement | Inventory mobile devices using legacy certificate auth; plan migration to Entra ID authentication | IT Director / Identity Team |
| 30 days | Legacy TLS Deprecation for POP/IMAP | Audit all POP/IMAP connections including scanners, shared mailboxes, and line-of-business systems; plan remediation | IT Director |
| 30 days | Entra ID Custom Controls / SSPR Migration | Assess Conditional Access policies using Custom Controls; begin migration planning to External MFA | Identity Team / CISO |
| 60 days | Microsoft Sentinel Retirement in Azure Portal — March 31, 2027 | Begin planning migration of Sentinel to the unified Defender portal; this is an architectural decision, not just a portal change | CISO / Security Operations |
| 90 days | Advanced Intune Suite Included in M365 — CY26 Q3 | Review Intune Suite add-on licenses for potential cost savings; prepare for 30-day Message Center notice before tenant enablement | IT Director / Procurement |
| By end of 2026 | Agent Governance Framework | Establish policy for AI agent deployment, identity assignment, and lifecycle management before agent sprawl becomes an audit finding | CISO / CIO / Compliance Officer |
Sources: Microsoft Agent 365 GA · Entra What’s New — June 2026 · Sentinel Migration Guidance
If You Take No Action
CVE-2026-42897 — On-Premises Exchange Vulnerability
If your organization runs Exchange Server 2016, 2019, or Subscription Edition and does not apply the patch or Microsoft’s published mitigation, any employee who opens a specially crafted email in Outlook Web Access could inadvertently execute attacker-controlled code in their browser session. This could lead to credential theft, session hijacking, or a foothold for broader network compromise. Given that this vulnerability is publicly disclosed, exploit code development by threat actors is likely underway. A breach originating from an unpatched, known vulnerability will draw heightened scrutiny from cyber insurers, auditors, and — depending on the data involved — regulators under HIPAA, state privacy laws, or CMMC.
Teams Live Events — June 30 Hard Stop
If your communications, HR, or leadership teams attempt to schedule a town hall, all-hands meeting, or investor event as a Teams Live Event after June 30, the scheduling interface will not allow it. Events that were not migrated to the new Teams Events experience will simply not exist. For organizations with recurring quarterly all-hands meetings or regular large-scale broadcasts, failure to act will create a visible communications gap with no workaround available at the last minute.
EAS Certificate-Based Authentication and Legacy TLS Deprecation
If POP/IMAP clients using TLS 1.0/1.1 or mobile devices using certificate-based authentication directly to Exchange Online are not remediated before enforcement, those connections will silently stop working. The impact is felt first by employees who can no longer receive email on their mobile devices, and by automated systems — including invoice processing, HR integrations, and multi-function printers — that route through those protocols. Diagnosing the cause after the fact is time-consuming; proactive inventory now costs a fraction of an emergency response.
Sources: Exchange Team Blog — CVE-2026-42897 · Teams Live Events Retirement · Exchange TLS Deprecation
