Best Of
Top 5 Endpoint Strategies You Can’t Ignore in 2026
With 2026 around the corner, it is time to plan ahead and your endpoints are the centre of it all! Organisations that fail to adapt risk falling behind in security, productivity, and cost efficiency. Here are five essential moves every IT leader should prioritise this year:
1. Say Goodbye to Entra ID Hybrid Join
Hybrid Join has served its purpose, but it’s time to embrace the future: Entra ID Join. Start small—run a proof of concept with a subset of devices. This shift simplifies management, strengthens security, and aligns with a cloud-first strategy. The sooner you begin, the smoother the transition.
2. Windows 365 Reserve: Your Rapid Response Lifeline
Announced at Microsoft Ignite 2026 and now GA, Windows 365 Reserve is a game-changer. It’s a cost-effective way to keep Cloud PCs ready on standby, enabling you to deploy a temporary device in minutes when a user’s laptop fails. No downtime, no disruption—just seamless productivity. The cost of a Windows 365 Reserve Cloud PC is roughly $20 per year. Having a host of these at your disposal just makes sense.
3. Agents Aren’t Coming. They’re Here.
Welcome to the era of AI Agents. Microsoft’s Security Copilot is now free for M365 E5 customers, delivering 400 SCUs per 1000 users, enabling organisations to use intelligent automation and proactive threat response. If you haven’t explored these yet, you’re missing out on a major leap forward in security operations.
4. Zero Trust Is Non-Negotiable
Endpoints are often the weakest link as, historically, EUC teams have not had to think about security. Enforce Zero Trust principles by ensuring every device is enrolled, compliant, and meets your security standards before connecting to corporate resources. In 2026, Zero Trust isn’t a buzzword; it’s fundamental.
5. Unlock the Power of Intune Suite
The Intune Suite is now included in Microsoft 365 E3 and E5 licenses. For E3 customers, Remote Help can replace costly third-party tools. For E5 customers, Endpoint Privilege Management (EPM) is a game-changer for reducing risk without sacrificing productivity.
Endpoints are the front line of your organisation’s security and productivity. These five strategies will help you reduce risk, cut costs, and empower your workforce in 2026 and beyond.
Understanding and controlling Shadow AI
In some of our earlier AI governance, risk and compliance content, I've briefly mentioned Shadow AI risks. I've always been conscious that there is a lot of ambiguity surrounding this topic, and ultimately once we get to the heart of the matter, we find that getting it under control is one of the more straightforward AI security problem spaces. But it takes some dissection to arrive there. I'll do my best to get you there in 14 minutes of your time.
📢Major Microsoft 365 Licensing News: Intune Suite & More 📢
Hot off the press! Microsoft have announced major licensing changes in the Microsoft 365 E3 and E5 licences!
In the near future, Defender for Office 365 P1, alongside Remote Help and Advanced Analytics, will be included in the Microsoft 365 E3 licence, bringing greater value to the SKU.
Alongside this, Intune Suite has now been announced to be included in Microsoft 365 E5! As you may have seen in my previous announcement from Ignite, this means that, as a Microsoft 365 E5 customer, you will now get Intune Suite and 0.4 Security Copilot SCUs per user.
This of course will mean an increase in cost for both licences with Microsoft 365 E5 increasing by $3 per user per month. You can see the new pricing matrix below:
For me, the value of the licence makes Microsoft Intune an absolute no brainer for any organisation. Here is a round up of the new features in each licence:
If you have any questions about Intune Suite, please reach out to me!
Jon Jarvis
Moving from MDT/WDS to Autopilot – Real-World Lessons, Wins & Gotchas
Hi all,
We’ve been moving away from an ageing WDS + MDT setup and over to Windows Autopilot, and I thought I’d share a few key lessons and experiences from the journey. In case anyone else is working through the same transition (...or about to).
Why the change? MDT was becoming unreliable, drivers/apps would randomly fail to install, WDS is on the way out, and we needed a more remote-friendly approach. We also wanted to simplify things for our small IT team and shift from Hybrid Azure AD Join to Azure AD Join only.
We’re doing this as a phased rollout. I harvested existing device hashes using a script from a central server, and manually added machines that weren’t online at the time (most of which were just unused spares, we haven't introduced new hardware yet).
If you want a copy of this auto-harvest, please see my next post, this script is useful as it'll just go off and import the hardware hashes into Intune, and can run against multiple computers at a time. (I will add the link to the post once made).
Some of the biggest hurdles:
• 0x80070002 / 0x80070643 errors (typically due to incomplete registration or app deployment failures)
• Enrollment Status Page (ESP) hangs due to app targeting issues (user vs device) and BitLocker config conflicts
• Wi-Fi setup with RADIUS (NPS) was complex, Enterprise Certificates and we're still using internal AD for authentication, so user accounts exist there and sync over to Azure.
• Legacy GPOs had to be rebuilt manually in Intune, lots of trial and error
• Some software (like SolidWorks) wouldn’t install silently via Intune, so I used NinjaOne to handle these, along with remediation scripts in Intune where needed
We also moved from WSUS to Windows Autopatch, which improved update reliability and even helped with driver delivery via Windows Update.
What’s gone well: Device provisioning is more consistent, updates are more reliable, build time per machine has dropped, and remote users get systems faster. It’s also reduced our reliance on legacy infrastructure.
What I’m still working on: Tightening up compliance and reporting, improving detection/remediation coverage, figuring out new errors that may occur, and automating as many manual processes as possible.
Ask me anything or share your own experience! I’m happy to help anyone dealing with similar issues or just curious about the move. Feel free to reply here or message me. Always happy to trade lessons learned, especially if you’re in the middle of an Autopilot project yourself.
Cheers,
Timothy Jeens
timjeens
What’s new in Microsoft 365 November 2025
Our Microsoft 365 Proactive Adoption and Change Expertise (PACE) team offers tailored insights into the latest features that you need to know about coming to the Microsoft 365 Roadmap - this is invaluable to ensuring you’re getting value out of your investment in Microsoft 365.
In this Keeping PACE With Microsoft newsletter, you’re getting a free taster of the updates our experts provide as part of the PACE service, ensuring you can stay ahead of change in Microsoft 365.
In this month’s newsletter, our team gives a comprehensive overview of a number of key updates announced in October 2025, including retirements in Exchange Online in relation to Basic Authentication with SMTP AUTH and Exchange Web Services (EWS), and important information on HTTP and Teams webhook trigger flows in Power Automate.
We also have news on new audio features – Voice in Microsoft Copilot, Audio recap in Teams.
Retirement action required: Basic Authentication with SMTP AUTH, April 30, 2026
Basic auth is a legacy authentication method that sends usernames and passwords in plain text over the network. This makes it vulnerable to credential theft, phishing, and brute force attacks. To improve protection, Microsoft are retiring Basic auth from Client Submission (SMTP AUTH) and encouraging customers to use modern authentication methods that are more secure.
In October 2024, Microsoft updated the SMTP AUTH Clients Submission Report in the Exchange Admin Centre to help identify which clients are still using Basic auth.
After April 2026, Microsoft will remove support for Basic auth with the Client Submission (SMTP AUTH) endpoints:
Impact: Applications and devices using Basic authentication for SMTP AUTH will no longer be able to send email. Affected clients will receive the error:
- 550 5.7.30 Basic authentication is not supported for Client Submission
Timelines:
- March 1, 2026: Microsoft will begin rejecting a small percentage of SMTP AUTH submissions using Basic authentication.
- April 30, 2026: Full deactivation - 100% of Basic auth submissions will be rejected.
Alternatives:
- OAuth is the recommended replacement. More information on how to use OAuth authentication to connect with IMAP, POP, or SMTP protocols and to access email data for Office 365 users: Authenticate an IMAP, POP or SMTP connection using OAuth | Microsoft Learn
- For internal-only email, Microsoft suggests High Volume Email for Microsoft 365: Manage high volume emails for Microsoft 365 in Exchange Online Public preview | Microsoft Learn
- For internal and external email, Azure Communication Services Email is recommended: Email SMTP support in Azure Communication Services - An Azure Communication Services concept article | Microsoft Learn
Next steps:
- Organisations still using Basic Authentication will have recently received an updated tenant message.
- Identify if your organisation still has clients using Basic Auth: SMTP AUTH clients report in the new EAC in Exchange Online | Microsoft Learn
- You can read the full announcement and guidance directly from Microsoft here: Exchange Online to retire Basic auth for Client Submission (SMTP AUTH) | Microsoft Community Hub
Retirement action required: Exchange Web Services (EWS), October 1, 2026
In July 2018, Microsoft announced that they were no longer making feature updates to Exchange Web Services (EWS) in Exchange Online, and advised developers to move to Microsoft Graph: Upcoming changes to Exchange Web Services (EWS) API for Office 365 | Microsoft Community Hub.
In September 2023, we announced that on October 1, 2026, we will start blocking EWS requests to Exchange Online. With less than 12 months to go until EWS in Exchange Online begins to be blocked, Microsoft have published updated messaging to those organisations with EWS applications – with a list of application IDs of those using EWS.
Next Steps:
- Organisations can review those applications impacted by reviewing the EWS Usage Reports in the EXO Admin Centre, and working with vendors in order to update these applications
- Once migrations are complete, it is recommended that EWS is disabled: Control access to EWS in Exchange | Microsoft Learn
- More details, including a roadmap for parity gaps, and the EWS deprecation timeline can be found in the following article: Deprecation of Exchange Web Services in Exchange Online | Microsoft Learn
Microsoft will continue to publish regular communications to those organisations still using applications that depend upon EWS.
Major Update: Power Automate - HTTP and Teams webhook trigger flows are moving to new URLs, November 30, 2025
Beginning August 2025, Power Automate flows and Agent flows (Copilot Studio) with HTTP triggers or Teams Webhook triggers that have logic.azure.com in the URL moved to a new URL as a part of a critical infrastructure upgrade to improve execution speed and provide new features.
To ensure that existing flows using these triggers continue to work, organisations should update URL references by November 30, 2025. Before November 30, 2025, both the old and new URLs will be supported; after that, the old URLs will no longer work, and flows will fail to trigger.
Warning banner: A warning banner will appear on your flow details page or within the designer, displaying the old URL that has been replaced. This serves as a reminder to update any references to the outdated URL with the new URL.
Next steps:
In order to ensure flows continue to function as expected, organisations must:
- Update URL references
- Validate the new URL
- Check the relative path parameter
For full details: Changes to HTTP or Teams Webhook trigger flows - required actions
Admins can use the Microsoft.PowerApps.Administration.PowerShell package to list all flows whose trigger URLs will be migrated.
Need assistance migrating to new URL references? Get in touch with our Microsoft 365 Proactive Adoption and Change Expertise experts now.
New: Voice – real-time chat in Microsoft 365 Copilot
Realtime voice chat is now available in Microsoft 365 Copilot. This new release enables users to interact with Copilot using voice, offering a more natural, hands-free experience.
Now you can talk to Copilot, interrupt naturally, and get real-time spoken responses grounded in your work and web data—just click “Start a new voice chat” in the input box.
When interrupted, Copilot will stop speaking, listen to the new input, and respond accordingly.
You can also adjust how Copilot speaks by just asking it to make it faster, slower, louder, more energetic. To mute, select the “Mute” button. To end the conversation, select “End voice chat” and Copilot will leave the voice chat and stop listening.
Availability
Voice chat in Microsoft 365 Copilot is available now in the Microsoft 365 Copilot app on mobile (iOS and Android) and is currently rolling out to desktop and web.
In the next few months Microsoft will bring the voice capability to Copilot users without a Microsoft 365 Copilot license.
New: Audio recap in Teams
Audio recap is now generally available as part of Teams meetings recaps. Audio recaps are available in three different styles of podcast:
- Executive: Dual-host style focused on strategic insights, critical decisions, and essential context that matters most
- Newscast: Single newscast style focused on delivering key facts for fast, no-frills catch-up
- Casual: Dual-host style focused on conversational summaries with a lighter touch
How it works
On Windows, Mac, or the web simply open Teams and navigate to a meeting chat.
Select Meeting details > Recap > Audio recap.
Select a timeframe, the meeting transcripts you’d like to use (you can include up to 8 meetings), and your preferred style (executive, newscast, or casual).
Select Generate to receive an audio recap. From here, you can pause, skip forward or backward, and change the speed of the audio. You can also view the podcast’s transcript.
Teams meetings audio recaps can also be accessed from the Meet app, then selecting the Audio recaps tab.
Read the full Microsoft support article: Listen to audio recaps of your meetings - Microsoft Support
Instructions on how to access and use audio recaps on mobile devices: How to use meeting audio recaps on mobile devices - Microsoft Support
Audio recap retention
The generated audio recap is exclusively accessible to you and will expire after 60 days. You can manage your audio recaps in OneDrive (My files – Recordings – AudioRecaps), where you have the option to delete any audio recap that is no longer needed. Once an audio recap is deleted from OneDrive, it's no longer available on your Teams Audio recap listing page.
Are you finding it challenging for your organisation to keep up with change in Microsoft 365? Our M365 PACE service provides you with tailored insights and expert guidance to help you focus on what’s most valuable in the roadmap of updates and new features. Sign up for a free consultation to find out more about staying ahead of change in Microsoft 365 for your organisation.
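For the SMTP AUTH retirement described in the newsletter above, an added example (not from the newsletter or from Microsoft): it counts `550 5.7.30` rejections per client in a send log, which is how stragglers surface once partial rejection starts, and builds the SASL XOAUTH2 string an OAuth-capable client sends in place of a password. The log format, client names, mailboxes and token are constructed assumptions.

```python
import base64
import re
from collections import Counter

# Error code quoted in the newsletter for rejected Basic auth submissions.
BASIC_AUTH_REJECTED = "550 5.7.30"

# Constructed log format (assumption): "<timestamp> client=<name> user=<mailbox> reply=<SMTP reply>"
LINE_RE = re.compile(r"client=(?P<client>\S+)\s+user=(?P<user>\S+)\s+reply=(?P<reply>.+)$")

# Constructed sample data, not taken from any real tenant.
SAMPLE_LOG = """\
2026-03-02T08:01:10Z client=scanner-floor2 user=scans@contoso.example reply=250 2.0.0 OK
2026-03-02T08:04:55Z client=scanner-floor2 user=scans@contoso.example reply=550 5.7.30 Basic authentication is not supported for Client Submission
2026-03-02T08:05:02Z client=erp-batch user=erp@contoso.example reply=550 5.7.30 Basic authentication is not supported for Client Submission
2026-03-02T08:06:40Z client=erp-batch user=erp@contoso.example reply=550 5.7.30 Basic authentication is not supported for Client Submission
2026-03-02T08:07:13Z client=hr-portal user=hr@contoso.example reply=535 5.7.3 Authentication unsuccessful
2026-03-02T08:09:00Z client=crm-oauth user=crm@contoso.example reply=250 2.0.0 OK
"""

def basic_auth_rejections(log_text):
    """Count 550 5.7.30 rejections per (client, mailbox), most affected first."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        # Other failures (e.g. a wrong password, 535) are deliberately not counted.
        if m and m.group("reply").startswith(BASIC_AUTH_REJECTED):
            hits[(m.group("client"), m.group("user"))] += 1
    return hits.most_common()

def xoauth2_initial_response(mailbox, access_token):
    """Base64 SASL XOAUTH2 string sent after 'AUTH XOAUTH2' instead of a password."""
    raw = f"user={mailbox}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    for (client, user), count in basic_auth_rejections(SAMPLE_LOG):
        print(f"{client} ({user}): {count} Basic auth rejection(s), migrate to OAuth")
    # Placeholder token: a real one is an OAuth access token issued for the mailbox.
    print("AUTH XOAUTH2", xoauth2_initial_response("erp@contoso.example", "PLACEHOLDER_TOKEN"))
```

Because only a small percentage of submissions is rejected from March 1, 2026, a client can succeed and fail in the same hour, so counting by client over a window is more reliable than reacting to a single failure.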













