Microsoft Roadmap, messagecenter and blogs updates from 15-04-2026

Updated April 14, 2026: We have updated the timeline. Thank you for your patience. 

[Introduction]

We’re introducing the SharePoint page agent, a declarative Copilot agent that enables users to create and refine SharePoint pages directly within Microsoft 365 Copilot experiences. Declarative agents respond to user intent expressed in natural language—users describe what they want, and the agent handles how to do it. This update allows users to generate structured content like meeting recaps, announcements, and project updates without switching apps or manually opening SharePoint.

Screenshot 1: SharePoint page agent

Screenshot 2: SharePoint page agent in Microsoft 365 Copilot

Screenshot 3: SharePoint page agent – page card

[When this will happen:]

• Public Preview (Worldwide): Begins mid-November 2025, expected to complete by mid-February 2026.
• General Availability (Worldwide): Begins mid-May 2026 (previously mid-November 2025), expected to complete by early June 2026 (previously mid-March).

• Who is affected: 
  • Users with access to Microsoft 365 Copilot experiences, including Copilot Chat in supported apps such as Teams, Outlook, and Word.
  • A Microsoft 365 Copilot license is required to use this feature.
• What will happen:
  • Users will be able to create SharePoint pages or news posts directly from within supported Copilot-enabled apps.
  • The agent supports structured content creation such as meeting summaries, announcements, and project updates.
  • The feature is available as a Frontier Public Preview and requires opt-in.
  • Admins can disable the agent via the Microsoft 365 admin center.
  • No changes to existing SharePoint authoring workflows unless the agent is enabled.

• Review whether your organization wants to participate in the Frontier Public Preview.
• Communicate this new capability to helpdesk and support teams.
• Update internal documentation if you provide guidance on SharePoint page creation.
• To disable the agent, use the admin toggle in the Microsoft 365 admin center (path: Settings > Org Settings > Copilot Agents > SharePoint page agent).

Learn more:

• Bring the power of SharePoint page creation into Microsoft 365 Copilot
• SharePoint showcase

[Compliance considerations:]

Updated April 14, 2026: We have updated the timing of this change below. Thank you for your patience.

[Introduction]

Microsoft Purview Communication Compliance is undergoing an infrastructure upgrade from January 5 to April 30, 2026, causing temporary processing delays, intermittent errors, and possible outdated report data. Although this migration is planned outside of normal business hours, some production clusters may experience higher loads, potentially causing brief delays in downstream processing. Brief delays in processing may occur during this migration, but no data will be lost.

No action is required, but admins should inform teams about these short-term impacts.

[When this will happen:]

This migration will begin January 5, 2026, and end April 30, 2026 (previously April 15).

[How this affects your organization:]

Who is affected:
Admins managing Microsoft Purview Communication Compliance policies and review workflows.

What will happen:

• Updates to policy insights and aggregated counts (New pending today, Total pending, Total resolved) may occur at a slower pace than usual.
• Intermittent errors may occur when reviewing flagged messages.
• Brief delays may be observed between receiving an alert notification and accessing messages for review.
• Certain report views may display outdated data until backlog processing is complete.
• Some export functions, such as exporting reports and files, might be temporarily unavailable.
• No data loss will occur—only temporary slowdowns in processing times.
• Users may experience reduced responsiveness and intermittent instability in the experience.

This maintenance is scheduled outside of normal business hours to minimize impact. However, global organizations may experience some overlap with active hours.

[What you can do to prepare:]

• No action is required from administrators; the upgrade will be implemented automatically.
• We recommend informing your administrative and compliance teams about these possible short-term delays.
• If needed, update internal documentation to reflect potential temporary limitations.
• Learn about Communication Compliance.

[Compliance considerations:]

No compliance considerations identified; review as appropriate for your organization.

Updated April 14, 2026: We have updated the timeline. Thank you for your patience. 

[Introduction]

Today, admins must manually review trust and compliance information for Teams apps and agents to determine whether they meet their organization’s security, privacy, and compliance requirements. To make this process more scalable and consistent, Teams will introduce a centralized evaluation experience. Admins will define their organization’s trust requirements once, and the system will generate a score and detailed evaluation report for each app and agent based on those requirements. This will help organizations make faster, more consistent approval decisions.

This message is associated with Microsoft 365 Roadmap ID 532720.

[When this will happen]

Targeted release/Preview: We will begin rollout in late February 2026 and expect to complete by the end of March 2026.
General Availability (Worldwide and GCC): We will begin rollout in early July 2026 (previously early May) and expect to complete by the end of July 2026 (previously end of May).

[How this will affect your organization]

Who is affected: Admins who manage apps and agents in the Teams admin center.

What will happen:

• A new evaluation score settings tab will appear in Teams admin center > Teams apps.
• Admins will be able to configure approval requirements—such as GDPR compliance, SOC 2 certification, and data residency—one time for their organization.
• The system will automatically calculate an evaluation score for each app and agent based on how many requirements are met.
• A new evaluation score column will appear in Teams admin center > Teams apps > Manage apps, with options to sort and filter by score.
• A detailed evaluation report will be available on the App details page, providing requirement-by-requirement detail.
• This feature will not change app enablement or blocking behavior and will not modify any underlying metadata.
• The feature will be enabled by default and will not require admin action to activate.

[What you can do to prepare]

No action is required. This feature will be available automatically in the Teams admin center.

Admins may choose to review their approval workflows once the feature becomes available.

[Compliance considerations]

No compliance considerations identified. Review as appropriate for your organization.

Updated April 14, 2026: We have updated the timeline. Thank you for your patience. 

[Introduction]

We’re simplifying the Microsoft Teams app bar to create a cleaner, more focused workspace and help users spend less time navigating and more time collaborating. This update reduces visual clutter and gives users more control over how much screen space the app bar uses.

Screenshot: The new Teams app bar

This message is associated with Roadmap ID 557169.

[When this will happen:]

• Targeted Release: We will begin rolling out this change in mid‑March 2026 and expect to complete rollout by end of April 2026 (previously early April).
• General Availability (Worldwide): We will begin rolling out this change in early April 2026 and expect to complete rollout by end of April 2026 (previously early April).

[How this affects your organization:]

Who is affected:

• All users of Microsoft Teams on Windows and macOS desktops.

What will happen:

• The Teams app bar will appear simplified with fewer visible elements by default.
• Overflow apps will move to a cleaner, easier‑to‑scan View more apps list.
• The overflow menu will be less cluttered and easier to navigate.
• Users can show or hide the app bar to create more space for their work.
• The feature is enabled by default for all tenants.
• No existing admin policies are changed or overridden.

[What you can do to prepare:]

No admin action is required.

• Inform users that they can show or hide the app bar using keyboard shortcuts:
• Windows: Ctrl + \
• Mac: Cmd + \
• Update internal help documentation or onboarding materials that reference the Teams app bar layout.
• Brief helpdesk staff ahead of rollout.

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

Updated April 14, 2026: We have updated the timeline. Thank you for your patience. 

[Introduction]

Starting in the last week of April 2026, Always-on diagnostics for Endpoint Data Loss Prevention (DLP) will be turned on by default for onboarded Windows devices in Microsoft Purview. Endpoint DLP diagnostic traces including policy evaluation logs, file classification results, enforcement actions, and error states are stored locally on the device in a secure, compressed proprietary format for up to 90 days. This collection helps eliminate the need to reproduce issues during Microsoft Support investigations. The ability to request that Microsoft collects critical diagnostic data as part of a support case will also be enabled. Endpoint diagnostic logs that you choose can then be securely shared with Microsoft for troubleshooting, reducing investigation effort and accelerating time to resolution for Endpoint DLP issues.

[When this will happen:]

General Availability (Worldwide): This change will go into effect late April 2026 (previously mid-April)

[How this affects your organization:]

Who is affected:

• Organizations using Endpoint Data Loss Prevention (DLP) on Windows devices
• Admins managing Endpoint DLP settings in Microsoft Purview

What will happen:

• From the date of this Message Center post through the last week of April 2026, admins may choose to opt out of this setting in the Microsoft Purview portal. If an admin opts out during this period, their selection will be respected, and the setting will remain unchanged.
• If no action is taken, diagnostics will be automatically enabled in the last week of April 2026, after which admins can opt out at any time via the existing settings.

Note: Opting out of Always-on diagnostics may hinder your ability to effectively troubleshoot issues that arise in Endpoint Data Loss Prevention scenarios. Without this feature, organizations may experience prolonged investigation times, reduced visibility into policy behavior, and increased difficulty identifying and resolving Endpoint DLP issues. Keeping Always-on diagnostics enabled helps support the security, reliability, and operational stability of your environment.

[What you can do to prepare:]

• No action is required if you want to keep the default behavior.
• Review your organization’s diagnostic and data collection policies.
• If you want to opt out before the default change:
  • Go to Microsoft Purview portal
  • Navigate to Endpoint DLP settings
  • Disable Always-on diagnostics
• Communicate this change to security, compliance, and helpdesk teams

Learn more:

• Always-on diagnostics for endpoint DLP | Microsoft Learn
• Always-on diagnostics troubleshooting blog
• Always-on diagnostics blog

[Compliance considerations:]

Updated April 14, 2026: We have updated the content. Thank you for your patience. 

[Introduction]

Microsoft Agent 365 will become Generally Available (GA) on May 1, 2026 for commercial customers. This milestone reflects extensive customer feedback and validation through the Frontier early-access program, where participating organizations have helped improve product quality, readiness, and overall experiences. GA enables broader adoption of Agent 365 while allowing Frontier participants to continue shaping future innovations.

[When this will happen:]

• General availability: May 1, 2026
• Frontier program: Continues without interruption

[How this affects your organization:]

Who is affected:

• Customer tenants currently enrolled in the Agent 365 Frontier program
• Administrators planning or evaluating Agent 365 deployment.

What will happen:

• Agent 365 will be Generally Available starting May 1, 2026 for commercial customers only.
• Customers already participating in Frontier will retain their access and continue to receive early-access features.
• Frontier will remain the channel for piloting new capabilities and providing feedback before features reach GA.
• Trial and paid options for Agent 365 will be introduced, with transition guidance shared prior to GA.

[What you can do to prepare:]

• No immediate action is required for customers currently participating in Frontier.
• Learn about today’s announcements https://aka.ms/AIBuiltforWork
• Review Agent 365 deployment guidance and technical documentation to prepare for GA rollout: Getting Started with Microsoft Agent 365
• Plan internal readiness activities (for example, admin training or helpdesk awareness) ahead of May 1, 2026.
• Watch for upcoming communications detailing trial availability, licensing, and paid options

Updated April 14, 2026: We have updated the timeline. Thank you for your patience. 

[Introduction]

We’re introducing a new Follow option for meetings in Outlook Mobile.  This feature helps users stay informed when they cannot attend by prompting organizers to record the meeting and by ensuring followers receive key updates and follow‑up items.

[When this will happen]

General Availability (Worldwide): Rollout will begin in mid-May 2026 (previously mid-April) and is expected to complete by end of May 2026 (previously end of April).

[How this affects your organization]

Who is affected

• All users who schedule or respond to meetings in Outlook Mobile. Attendees will only see the option to respond with Follow if a meeting has two or more participants and when the organizer has requested responses.

What will happen

• A new Follow option will appear as the third option in the mobile RSVP menu. To select “Maybe,” tap the three dots … : 

  

• The Maybe RSVP option will move into the overflow menu:  

  

• The No response option will move to the second position in the RSVP list.
• The feature will be on by default for all tenants.
• Organizers may receive prompts to record the meeting or address follow‑up items when attendees choose to Follow.
• No changes to existing Outlook or Exchange Online admin policies.

[What you can do to prepare]

No admin action is required.

Optional steps:

• Notify helpdesk and support teams about the updated RSVP options and UI behavior.
• Update internal end‑user documentation if your organization provides guidance for meeting responses.

Learn more: Follow a meeting in Outlook | Microsoft Support

[Compliance considerations]

No compliance considerations identified. Review as appropriate for your organization.

Updated April 14, 2026: After further review, we have decided not to move forward with this change at this time. You can refer to MC1279092 for updates. We apologize for any inconvenience this may cause and appreciate your understanding.

[Introduction]

As previously announced in MC1221452, Microsoft Registration Campaigns will support Passkeys (FIDO2) as an additional authentication method starting in early April 2026. This update helps organizations accelerate adoption of phishing‑resistant credentials by allowing administrators to opt users into Passkeys and deliver Passkey registration nudges during sign‑in.

Please refer to MC1279092 for updates. 

[When this will happen] 

General Availability (Worldwide): We will begin rolling out in early April 2026 and expect to complete in late May 2026.

[How this affects your organization]

Who is affected

• Microsoft 365 tenants using Microsoft Registration Campaigns
• Tenants configured in either Microsoft‑managed or Enabled states
• Users who are MFA‑capable and eligible for Passkeys (FIDO2)

What will happen

Microsoft‑managed state

Your tenant will be impacted when all of the following conditions are met:

• The Passkeys (FIDO2) authentication method policy is enabled.
• Allow self‑service setup is enabled.
• Target specific AAGUIDs is not selected (no AAGUID restrictions configured).
• The Authentication Methods Registration Campaign state is set to Microsoft‑managed.

When these conditions are met, the following settings will update automatically:

• The targeted authentication method will change from Microsoft Authenticator to Passkeys (FIDO2).
• Days allowed to snooze will change from three days to one day. (This setting will no longer be configurable.)
• Limit number of snoozes will be disabled. (This setting will no longer be configurable.)
• Targeting will expand to all MFA‑capable users. (This setting will no longer be configurable.)
• Default user targeting will change from voice call or text message users to all multifactor authentication (MFA)–capable users.

Affected users will receive Passkey registration nudges at sign‑in after completing MFA.

We will roll out these changes incrementally over time to in‑scope tenants.

Enabled state

Passkey (FIDO2) can be selected as the Targeted Authentication Method when Microsoft Registration Campaigns are in the Enabled state. 

Note: Registration Campaigns support targeting only one authentication method at a time—either Microsoft Authenticator or Passkeys (FIDO2), but not both simultaneously.

[What you can do to prepare]

Opting into Passkey Registration Nudges:

• The user is MFA‑capable
  • They have at least one registered MFA method
  • They can successfully complete MFA at sign‑in
• Under Authentication methods > Policies, the user is in scope for Passkeys (FIDO2)
• Under Authentication methods > Policies > Passkeys (FIDO2) > Configure, make sure you have Allow self-service set up checked. 

Important Guidance:

We will roll out these changes incrementally to in-scope tenants starting in early April. This rollout will take time, and even if your tenant meets the eligibility criteria, you may not see the changes immediately. 

Enabled State 

Over time, we will incrementally refine the logic for Passkeys nudges in Microsoft Registration Campaigns to guide users toward the appropriate passkey registration experience based on their passkey profile scope. Initially, the logic may not account for every edge‑case scenario, but we are actively expanding and improving it on an ongoing basis. When users have passkey profile restrictions (for example, AAGUID restrictions), the registration experience triggered by the nudge may not be optimal.   

Using Passkeys Despite Restrictions

You can still set Passkeys as the target authentication method in Microsoft Registration Campaigns. However, users may encounter a poor or confusing experience if they have passkey profile restrictions.

Example: 

If a user is scoped into specific AAGUID synced passkeys only, they may see a Passkey nudge at sign‑in. If they attempt to register a device‑bound passkey, the registration will fail because they are not in scope for that passkey type. 

Recommended next steps

• Review your Registration Campaign state by early April 2026.
• Communicate this change to helpdesk or support teams.
• Update internal documentation on authentication method enrollment.
• If you prefer to continue targeting Microsoft Authenticator, verify this configuration before rollout.

Learn more: How to enable passkey (FIDO2) profiles in Microsoft Entra ID (preview) | Authentication | Microsoft Entra ID | Microsoft Entra | Microsoft Learn

Updated April 14, 2026: We have updated the timeline. Thank you for your patience. 

[Introduction]

We are improving the Microsoft Teams meeting experience when the active meeting window is minimized. This update helps users stay engaged in meetings while multitasking across other apps. With this change, users can perform key in-meeting actions—such as raising their hand and sending reactions—without restoring the full Teams meeting window. Users can also choose between two different minimized views, depending on how much meeting context they want to keep visible while they work.

This change does not affect the experience when users are sharing their screen in a Teams meeting.

This message applies to Teams for Windows desktop and Teams for Mac desktop. It is associated with Microsoft 365 Roadmap ID 557179.

[When this will happen:]

• Targeted Release: Rollout begins early May 2026 (previously mid-April) and is expected to complete by early May 2026 (previously mid-April).
• General Availability (Worldwide): Rollout begins mid-May 2026 (previously late April) and is expected to complete by late May 2026 (previously early May).

[How this affects your organization:]

Who is affected:

• All users who join and participate in Microsoft Teams meetings.

What will happen:

• When users minimize a Teams meeting window, a new minimized meeting experience appears automatically.
• Users can raise their hand and send reactions without restoring the full Microsoft Teams meeting window.
• Users can choose between two minimized views:
• Expanded view: Displays up to four participant videos.



• Compact view: Does not display participant video and takes up less screen space.



• The feature is enabled by default and does not require any admin configuration.
• There is no change to the meeting experience while screen sharing.

[What you can do to prepare:]

• No action is required.
• Consider notifying users and helpdesk staff about the new minimized meeting views in Microsoft Teams.
• Update internal training or support documentation if it references Teams meeting window behavior.

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

[Introduction]

To provide a more consistent and predictable file viewing experience, we’re updating the user interface for text, image and zip file previewers in Outlook for Android. These changes align text, image and zip previewers with the existing preview experience for Word, Excel, and PowerPoint files.

[When this will happen:]

• General Availability (Worldwide): Rollout begins late April 2026 and completes by mid-May 2026

[How this affects your organization:]

Who is affected:

• All users viewing text, image and zip file attachments in Outlook for Android

What will happen:

• Users will see updated styling in text, image and zip file previewers to match other Office file previewers.
• The overflow action menu will:
  • Display updated icons
  • Use a revised action order consistent with Word, Excel, and PowerPoint previewers
• A new Expand button will appear in the action bar, making it easier to enter full-screen mode.
• The feature is enabled by default and does not change existing policies or workflows.

[What you can do to prepare:]

• No action is required; the update is enabled automatically
• Optionally notify users and helpdesk staff of the UI refresh
• Update internal documentation or screenshots if applicable

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

Updated April 14, 2026: We have updated the content. Thank you for your patience. 

[Introduction]

We’re enhancing the events experience in Engage to provide a more comprehensive and interactive platform for enterprise events across web and mobile. Engage events will support broadcasts connected to Teams Town halls for one-to-many style events, Meetings for more collaborative sessions powered by Teams webinar, and async events that are best for in-person or text-only discussions like ask-me-anything (AMA). A new events landing page will unify the engagement before, during, and after events. Rollout begins late April 2026 and will be enabled by default for all Engage customers.

As a user, you can now create events on your storyline and as a community admin, you can create events within a community you are an admin of. Across both storyline and community you can create three event types:

• Broadcast (powered by Teams town hall): This experience is an upgrade from the current community live events and offers a richer attendee engagement experience. Broadcast events are best for one to many communications where a presenter or leadership team shares information with a broad audience at scale. Broadcasts are designed for structured delivery, clarity, and reach, with controlled interaction rather than open collaboration.
• Meeting: This event type combines the Teams webinar meeting experience with Engage’s event page and conversation layer. Engage meetings are best suited for live, collaborative sessions where groups learn together, ask questions of one another, and interact in real time.
• Async: Use async events to conduct an event without a Teams online experience. They’re best suited for an in-person event or a text-only discussion like an ask-me-anything (AMA).

The new event landing page delivers new engagements features, which are fully customizable by the event organizer across all event types. These include moderated posts that require organizer approval, anonymous posting capabilities, and private replies. Engagement across the event page remains in sync before, during, and after the event across both Engage and Teams. Further, the organizing team has advanced insights and simple update recording flow.

Screenshot: Broadcast user interface:

This message is associated with Roadmap ID 537280.

[When this will happen:]

General Availability (Worldwide): Rollout will begin in late April 2026 and is expected to complete by early May 2026.

[How this affects your organization:]

• Who is affected: All Engage users.
• What will happen:
  • Broadcast, meeting, and async event creation and consumption in communities and storylines becomes available.
  • Broadcast events are supported by Teams town hall and will respect Teams town hall admin policies.
  • Meeting events are supported by Teams webinars and will respect Teams webinar admin policies.
  • A new Events Landing Page will provide a single location for event engagement before, during, and after the event
  • No changes to existing workflows; these features will be enabled by default for Engage customers.
  • The current community live events experience will continue to be available during this transition to the new community broadcast

[What you can do to prepare:]

• No immediate action is required for most customers.
• Review internal documentation and update helpdesk guidance if needed.
• Learn more: What’s New with Events in Viva Engage | Microsoft Community Learning YouTube

[Compliance considerations:]

No compliance considerations identified; review as appropriate for your organization.

[Introduction]

We are making an update to Passkeys (FIDO2) support within Microsoft Entra Authentication Methods Registration Campaigns.

Based on ongoing improvements to passkey registration nudge logic and user experience behavior, Passkeys (FIDO2) will no longer move forward to General Availability as the targeted authentication method for Registration Campaigns in the Enabled state as previously communicated in MC1253746. 

Instead, we are continuing to refine the eligibility logic that determines when users receive passkey registration nudges during sign-in. In the interim, Passkey (FIDO2) will move forward as the targeted authentication method for Registration Campaigns in the Microsoft Managed state for tenants that meet our in-scope criteria. 

[When this will happen]

• General Availability (Worldwide): Rollout will begin in mid‑May 2026 to Microsoft Managed state and is expected to complete by late June 2026.

[How this affects your organization]

Who is affected

• Microsoft Entra tenants using Authentication Methods Registration Campaigns
• Tenants with Passkeys (FIDO2) enabled
• Only tenants that meet the Microsoft‑managed eligibility criteria described below

What will happen

Enabled state

• Passkeys (FIDO2) will not be supported as the targeted authentication method for Registration Campaigns in the Enabled state at this time.
• We are continuing to improve registration campaign nudge behavior and eligibility logic to better align with passkey configuration and profile scope.
• Further updates will be shared when support for the Enabled state becomes available.

Microsoft‑managed state

• Passkeys (FIDO2) will be introduced as the targeted authentication method in the Microsoft‑managed state for eligible tenants.

Tenants are impacted when all of the following conditions are met:

• The Passkeys (FIDO2) authentication method policy is Enabled.
• Allow self‑service setup is Enabled.
• Target specific AAGUIDs is not selected (no AAGUID restrictions configured).
• The Authentication Methods Registration Campaign state is set to Microsoft‑managed.
• The tenant has at least one user enabled for both synced passkeys and device‑bound passkeys.

Only users who are enabled for both synced and device‑bound passkeys, with no passkey profile restrictions configured (for example, attestation enforcement or AAGUID restrictions), will receive a passkey registration nudge during sign‑in.

For impacted tenants, the following Registration Campaign settings will be automatically updated:

• Targeted authentication method changes from Microsoft Authenticator to Passkeys (FIDO2).
• Days allowed to snooze changes from 3 days to 1 day (no longer configurable).
• Limited number of snoozes changes from Enabled to Disabled (no longer configurable).
• Default user targeting changes from voice call or text message users to all MFA‑capable users.

After these changes take effect, targeted users will begin receiving passkey registration nudges during sign‑in after completing multifactor authentication.

Rollout will occur incrementally across eligible Microsoft Entra tenants.

[What you can do to prepare]

No action is required at this time.

If you plan to enable passkey registration nudges in the future:

• Ensure users are enabled for both synced and device‑bound passkeys.
• Remove any passkey profile restrictions (such as AAGUID or attestation requirements).
• Set your Authentication Methods Registration Campaign to Microsoft‑managed.

[Compliance considerations]

[Introduction]

We are enhancing how Microsoft Defender for Office 365 identifies and manages promotional email. Promotional messages will be tagged as “promotions” (previously “Bulk” in preview) and can be moved automatically to a new Promotions folder. The system learns from user actions, such as moving messages into or out of the Promotions folder and applies those preferences to future messages. These improvements reduce inbox clutter and help users stay focused while still receiving promotional content they want.

[When this will happen]

• Public Preview (Worldwide): We will begin rolling out in mid-April 2026 and expect to complete by late April 2026.
• General Availability (Worldwide): We will begin rolling out in early July 2026 and expect to complete by late July 2026.
• General Availability (DoD, GCC, GCC High): We will begin rolling out in early July 2026 and expect to complete by mid-August 2026.

[How this affects your organization]

Who is affected

• All organizations that use Microsoft Defender for Office 365 across Worldwide, GCC, GCC High, and DoD clouds

What will happen

• Incoming promotional messages will be tagged as “promotions.”
• If the Bulk Moves Enabled setting is turned on, tagged messages will automatically move to a Promotions folder created in user mailboxes.
• The system will learn from user actions when they move messages into or out of the Promotions folder. Future messages will follow the learned behavior.
• Users will be able to create inbox rules that reference the promotions tag.
• During the Public Preview: 
  • Tagging will be opt-in and configured using Exchange transport rules.
  • Folder routing will be enabled through anti-spam policy settings (“Bulk moves enabled”).
  • Both features will be able to be scoped to pilot security groups for a staged rollout.
• At Worldwide General Availability, tagging will be enabled by default for all tenants.

Figure one – Admin configuration for tagging using exchange transport rule (required for public preview opt-In):

Figure two – Admin configuration for Bulk moves enabled to provision the promotions folder:

Figure three – System tagging of “Promotions” in outlook client and promotions folder:

Figure four – User inbox rules using the promotions” tag:

[What you can do to prepare]

• No action is required at this time.
• Review your internal mailbox and message handling guidance and update training materials if needed.
• If you plan to participate in the Public Preview, review your Exchange transport rule and anti-spam policy configurations to determine if you want to opt-in.
• Monitor the product documentation. A link will be added to this post when it becomes available.

[Compliance considerations]

• This security update includes fixes and quality improvements from KB5079391 (released March 26, 2026 – no longer offered) and KB5086672 (released March 31, 2026).
• This update makes quality improvements to the servicing stack, which is the component that installs Windows updates.
• This update expands high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
• This update improves reliability for SMB compression over QUIC, reducing timeouts and enabling more consistent and dependable performance.
• This update enhances protection against phishing attacks that use Remote Desktop (.rdp) files by showing all requested connection settings before connecting, with settings turned off by default and a one‑time security warning on first use.

• Windows 11, version 26H1: KB5083768
• Windows 11, versions 25H2 and 24H2: KB5083769
• Windows 11, version 23H2: KB5082052
• Windows 11 Enterprise LTSC 2024: Baseline KB5083769
• Windows 10, versions 22H2 and 21H2: KB5082200
• Windows 10 Enterprise LTSC 2019 and Windows Server 2019: KB5082123
• Windows 10 LTSB 2016 and Windows Server 2016: KB5082198
• Windows Server 2025: KB5082063
• Windows Server 2025 Datacenter: Azure Edition: Baseline KB5082063
• Windows Server 2022: KB5082142
• Windows Server 2022 Datacenter: Azure Edition: Baseline KB5082142
• Windows Server 2012 R2: KB5082126
• Windows Server 2012: KB5082127

• April 2026 – Enforcement Phase with manual rollback: With installation of the April 2026 Windows security update, default Kerberos behavior changes so domain controllers use AES‑SHA1-only encryption for accounts without explicit encryption type settings, and Enforcement mode is enabled by default on Windows domain controllers. Audit mode remains available as a manual rollback option until July 2026.
• July 2026 – Enforcement Phase: Audit mode is removed, leaving Enforcement mode as the only option.

• Read the full hardening guidance: How to manage Kerberos KDC usage of RC4 for service account ticket issuance changes related to CVE-2026-20833.
• Learn about RC4 usage in Windows and its risks: Detect and remediate RC4 usage in Kerberos.
• Learn more about the related vulnerability: CVE-2026-20833.

• Understanding security warnings when opening Remote Desktop (RDP) files
• Remote Desktop ActiveX control
• IMsRdpExtendedSettings Property property – Win32 apps | Microsoft Learn

• Learn more about the Scan Cab process: Announcing a smaller WSUS Scan Cab 
• Use Windows Update Agent (WUA) to scan computers for security updates without connecting to Windows Update: Using WUA to Scan for Updates Offline – Win32 apps 
• Documentation on the Catalog Site used to import updates and drivers: WSUS and the Catalog Site