Sr. Content Developer at Microsoft, working remotely in PA, TechBash conference organizer, former Microsoft MVP, Husband, Dad and Geek.

Announcing the General Availability of the AWS IoT Device SDK for Swift


We are excited to announce the General Availability (GA) of the AWS IoT Device SDK for Swift. This release gives Swift developers a production-ready SDK with stable APIs and integrated service clients to connect applications to AWS IoT Core.

What’s New

The GA release now provides easy-to-configure service clients for three essential AWS IoT Core services:

  • AWS IoT Device Shadow: Synchronize and share data between devices, apps, and other cloud services.
  • AWS IoT Jobs: Manage remote operations that can run on devices connected to AWS IoT Core.
  • Device provisioning: Automatically create the certificates and policies needed for secure communication, eliminating manual certificate management.

The SDK supports macOS, iOS, tvOS, and Linux, with X.509 certificate-based authentication and TLS 1.3 encryption on iOS and tvOS. For a detailed overview of platform and security capabilities, see Introducing the AWS IoT Device SDK for Swift (Developer Preview).

Getting Started

The SDK provides service client samples (Device Shadow, Jobs, and Device provisioning) on the GitHub website. The following walkthrough demonstrates how to set up a Shadow client and retrieve a shadow state.

Prerequisites

Before you start with the service client, set up the required AWS IoT resources. For more information, see What is AWS IoT? and Create AWS IoT resources.

After you complete these steps, you will have three items required for client configuration:

  • Your IoT endpoint
  • Your X.509 certificate file
  • Your associated private key file

Use AWS IoT Shadow client

Step 1: Add the SDK dependency

The IoT Shadow client is a product within the aws-iot-device-sdk-swift package. Add the package as a dependency and reference the Shadow client in your target’s Package.swift file:

// Package.swift
import PackageDescription

let package = Package(
    name: "MyApp",
    dependencies: [
        // The AWS IoT Device SDK for Swift, which ships the Shadow client product
        .package(
            url: "https://github.com/aws/aws-iot-device-sdk-swift.git",
            from: "1.0.0"
        ),
    ],
    targets: [
        .executableTarget(
            name: "MyApp",
            dependencies: [
                .product(name: "IotShadowClient", package: "aws-iot-device-sdk-swift"),
            ]
        )
    ]
)

Step 2: Create an MQTT 5 client

Before you create a Shadow client, create an MQTT 5 client. This example uses the endpoint and certificate files from the Prerequisites section.

// Create an Mqtt5ClientBuilder configured using a certificate and private key
let clientBuilder = try Mqtt5ClientBuilder.mtlsFromPath(
    endpoint: self.endpoint,
    certPath: self.cert,
    keyPath: self.key)

// Create the MQTT5 client using the Mqtt5ClientBuilder and start a connection session
let client = try clientBuilder.build()
client.start()

For more information about the certificates, see X.509 client certificates.

Step 3: Create the Shadow client

After you start the MQTT 5 client, configure the client options and create the Shadow client. Use these options to cap the client’s subscription usage and reserve capacity for other parts of your IoT application.

Configure the following options based on your application’s subscription needs:

  • maxRequestResponseSubscription: Maximum number of concurrent subscriptions that the request-response client uses. Each request usually uses 1-2 subscriptions until completion.
  • maxStreamingSubscription: Maximum number of concurrent streaming operation subscriptions that the client will allow. Set based on the number of streaming operations you plan to use simultaneously.
  • operationTimeout: Request timeout in seconds.

The following example creates a Shadow client with values that work well for applications that use a single shadow with limited streaming operations. Adjust these values based on your application’s needs:

// Set up options for the MqttRequestResponseClient
let options = MqttRequestResponseClientOptions(
        maxRequestResponseSubscription: 3,
        maxStreamingSubscription: 2,
        operationTimeout: 5)
 
// Create a Shadow client using the MQTT5 client and the options created above
let shadowClient = try IotShadowClient(mqttClient: client, options: options)

Step 4: Perform Shadow Operations

With the Shadow client ready, you can perform operations such as retrieving, updating, or deleting a shadow state. The following example retrieves a named shadow state:

let request: GetShadowRequest = GetShadowRequest(thingName: inputThingName)
do {
       let response = try await shadowClient.getShadow(request: request)
} catch {
       // Log errors
}
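
A pre-flight check for the certificate and private key files from the Prerequisites section, run before their paths are passed to Mqtt5ClientBuilder.mtlsFromPath in Step 2. This is an added example, not code from the SDK or the original post; checkMtlsCredentialFiles, CredentialCheckError, and the file names are hypothetical, and it assumes PEM-encoded files on a POSIX file system.

```swift
import Foundation

// Hypothetical error type for this example; not part of the SDK.
enum CredentialCheckError: Error {
    case missing(String)
    case notRegularFile(String)
    case keyTooPermissive(path: String, mode: Int)
    case unexpectedContent(String)
}

// Labels of every "-----BEGIN <label>-----" line in a PEM file.
func pemLabels(in text: String) -> [String] {
    let begin = "-----BEGIN ", end = "-----"
    return text.split(whereSeparator: \.isNewline).compactMap { raw -> String? in
        let line = raw.trimmingCharacters(in: .whitespaces)
        guard line.hasPrefix(begin), line.hasSuffix(end),
              line.count > begin.count + end.count else { return nil }
        return String(line.dropFirst(begin.count).dropLast(end.count))
    }
}

// Hypothetical helper: call before handing certPath/keyPath to the MQTT 5 client builder.
func checkMtlsCredentialFiles(certPath: String, keyPath: String) throws {
    let fm = FileManager.default
    for path in [certPath, keyPath] {
        guard fm.fileExists(atPath: path) else { throw CredentialCheckError.missing(path) }
        // attributesOfItem does not follow symbolic links, so a symlink is rejected here.
        let attrs = try fm.attributesOfItem(atPath: path)
        guard (attrs[.type] as? FileAttributeType) == .typeRegular else {
            throw CredentialCheckError.notRegularFile(path)
        }
    }

    // The private key must not be readable, writable, or executable by group or others.
    let keyAttrs = try fm.attributesOfItem(atPath: keyPath)
    let mode = (keyAttrs[.posixPermissions] as? NSNumber)?.intValue ?? 0o777
    guard mode & 0o077 == 0 else {
        throw CredentialCheckError.keyTooPermissive(path: keyPath, mode: mode)
    }

    // Catch swapped or wrong files early (assumes PEM encoding).
    let certText = try String(contentsOfFile: certPath, encoding: .utf8)
    guard pemLabels(in: certText).contains("CERTIFICATE") else {
        throw CredentialCheckError.unexpectedContent(certPath)
    }
    let keyText = try String(contentsOfFile: keyPath, encoding: .utf8)
    guard pemLabels(in: keyText).contains(where: { $0.hasSuffix("PRIVATE KEY") }) else {
        throw CredentialCheckError.unexpectedContent(keyPath)
    }
}

// Constructed demo: placeholder PEM files in a temporary directory (not real credentials).
let fm = FileManager.default
let dir = NSTemporaryDirectory() + "mtls-check-" + UUID().uuidString
try fm.createDirectory(atPath: dir, withIntermediateDirectories: true)
let certPath = dir + "/device.pem.crt"
let keyPath = dir + "/private.pem.key"
try Data("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n".utf8)
    .write(to: URL(fileURLWithPath: certPath))
try Data("-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n".utf8)
    .write(to: URL(fileURLWithPath: keyPath))

// A key file readable by group and others is rejected.
try fm.setAttributes([.posixPermissions: 0o644], ofItemAtPath: keyPath)
do {
    try checkMtlsCredentialFiles(certPath: certPath, keyPath: keyPath)
    print("accepted (unexpected)")
} catch {
    print("rejected:", error)
}

// After restricting the key to its owner, the same files pass.
try fm.setAttributes([.posixPermissions: 0o600], ofItemAtPath: keyPath)
try checkMtlsCredentialFiles(certPath: certPath, keyPath: keyPath)
print("accepted")

try fm.removeItem(atPath: dir)
```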

For more information, see the Shadow sample on the GitHub website. Additional service client samples are also available on GitHub:

Known Limitations

The SDK has the following known limitations:

  • TLS 1.3 on macOS: While TLS 1.3 is not currently supported on macOS, we are actively developing support and will add it in a future release. This limitation does not affect iOS, tvOS, or Linux platforms.
  • HTTP Proxy Support: HTTP proxy support is available on macOS and Linux only; it is not currently supported on iOS and tvOS.

For updates on these limitations, see GitHub Discussions.

Conclusion

In this post, we showed you how to get started with the AWS IoT Device SDK for Swift from adding the SDK dependency to performing shadow operations. The SDK also includes clients for Jobs and Device Provisioning. Use the Jobs client to manage remote device operations or the Device Provisioning client to automate certificate creation at scale.

For more information, see Getting started with AWS IoT Core tutorials and connect your first device to AWS IoT Core.

Let us know how you’re using the SDK in the comments. You can also:


Configure resource lifetimes in Aspire

Learn how session, persistent, resource-scoped, and parent-process lifetimes control Aspire containers, executables, and projects.

Agents 365 & Microsoft 365 Copilot Hub Redesign: April 2026 M365 Champions Community call


Hello Champions!

Here’s a recap and top Q+A from our May M365 Champions monthly call of 2026, featuring Agents 365 with Samer Baroudi, Microsoft Senior Product Marketing Manager, and Jessie Hwang, Microsoft Customer Experience PM II.

We kicked off the call by announcing the digital premiere of More Than Code: The SharePoint Community Film — a documentary-style experience that highlights the passion, innovation, and collaboration behind the global SharePoint community, featuring stories and perspectives from MVPs, customers, and Microsoft leaders. Click here to check out the digital premiere and experience the story for yourself!

First, Samer Baroudi presented Microsoft Agent 365 as the control plane for agents, focused on helping organizations safely scale AI agent adoption through three pillars: observability, governance, and security. He explained that as AI agents rapidly expand across SaaS platforms, endpoints, and cloud environments, organizations need centralized visibility into what agents exist, who is using them, what data they can access, and how to manage risks like oversharing, shadow AI, and unmanaged “ownerless” agents. His demo walked through the Agent 365 experience in the Microsoft 365 admin center, including the centralized agent registry, shadow AI detection, agent maps, lifecycle management rules, policy templates tied to Entra/Purview/Defender, MCP tool controls, analytics dashboards, and conditional access policies for agents. He emphasized that Agent 365 extends existing Microsoft security and governance infrastructure—such as Entra, Intune, Defender, and Purview—to AI agents so organizations can adopt agents responsibly while maintaining visibility, compliance, and security controls at scale. 

Jessie Hwang introduced the redesigned Copilot Adoption Hub on adoption.microsoft.com, describing it as a simplified and more approachable onboarding experience intended to help organizations accelerate Microsoft 365 Copilot adoption. She explained that the redesign focuses on foundational “L100” learning content for AI users, champions, and leaders. The new hub includes streamlined navigation, role-based resource filtering, embedded overview and demo videos, prompt galleries with direct “Open in Copilot” functionality, translated HTML-based content, leadership resources, community links, featured events, and curated adoption guidance. Jessie also highlighted ongoing investments including prompt deep linking, expanded multilingual support, new AI champion and admin resources, and a reorganized “Advanced Resources” section that still preserves deeper technical readiness and implementation materials for more experienced practitioners.

Q+A from this month's session:

1. I don't have admin access, but I work on agent governance. I made my own dashboard in Streamlit that's now entirely redundant by Agent 365. My org will be hesitant to give me admin access. Is there a role with minimal permissions that gives Agent 365 access but not all the other admin tools?

Answer: Today either AI Admin (read only) or Global Admin is required for end to end. I acknowledge your feedback however, and this is something our engineering teams are working on.

2. How does Agents 365 determine the risks of an agent?

Answer: Agent 365 determines risk using security telemetry and behavioral signals from Defender (identity signals), Purview (data signals), Defender (threat signals). Together these provide a holistic view of agent risk posture.

3. If I have 10000 users in my tenant, and 3000 users have a premium license, and we have some enterprise agents published, how many additional Agent 365 licenses do I need to buy?

Answer: We recommend customers license for Agent 365, users that interact with agents, managers or sponsors of agents.

4. How is Microsoft balancing the needs of admins and the spirit of innovation for builders with A365 without requiring every E5 user to have A365 as well?

Answer: We don’t require every user to be licensed, Agent 365 is designed to let builders innovate freely, while giving admins centralized visibility, governance, and risk management at scale. Agent 365 is recommended for any user that interacts with agents, manager or sponsor of agents.

5. Wow so as things evolve I see having to have a paid license for this that and the other control or safeguard. Will MS in the future consider one license for all? Seems as though it can get very unaffordable fast the way it is trending.

Answer: Microsoft 365 E7 is the unified license that brings together Microsoft 365 E5, Entra suite, M365 Copilot and Agent 365.

6. Is the GCC implementation for Agent 365 on the Roadmap?

Answer: Currently no timelines we can share on this.

7. How granular is Agent 365 governance and RBAC?

Answer: The AI Administrator role was introduced to avoid overusing Global Admin permissions. Permissions dynamically update if an agent’s scope changes over time.

Agent 365 now supports expanded role-based access controls for:

  • AI administrators
  • Security admins
  • Security readers
  • Reports readers
  • User experience success managers

8. Do permissions shown in Agent 365 reflect only original developer scopes or also evolving runtime scopes?

Answer: They are dynamic and update as agent capabilities evolve.

9. Can organizations automatically archive or govern inactive agents?

Answer: Agent management rules currently ship with:

  • ownerless agent reassignment
  • auto deployment of Microsoft-built agents
  • other out-of-box lifecycle rules

Full “if this then that” conditional automation is planned for a future summer release. Samer specifically called the retention/archive scenario “a fantastic suggestion” and said he would relay it to the PM team.

10. Why are so many duplicate Dynamics 365 agents appearing?

Answer: Please file a bug if duplicates are confirmed.

11. Should organizations that cannot afford Agent 365 simply block agent creation altogether?

Answer: Blocking users does not prevent shadow AI usage; Agent 365 was positioned as Microsoft’s recommended solution for scaling governance through centralized inventory, lifecycle management, and risk visibility.

12. Is there a limited-access role for Agent 365 that would allow visibility without granting full admin rights?

Answer: Microsoft expanded RBAC capabilities through the existing AI Administrator role and introduced an AI Reader role for read-only access to agents, metadata, and reporting without edit permissions.

Join us on June 23rd for our next community call.

Prepare for SOAP API deprecation by moving to REST


Microsoft Advertising is evolving its API platform to better meet modern developer needs. As part of this shift, we’re transitioning from the SOAP API to a REST-based architecture that offers improved performance, flexibility, and ease of use.

If you’re currently using the SOAP API, now is the time to start planning your migration.

What’s changing

We’re standardizing on REST APIs as the foundation for all future Microsoft Advertising API development.

  • Beginning October 1, 2026, new API features and enhancements will be available only through the REST API.
  • The SOAP API will be fully deprecated on January 31, 2027.

During the transition period, your existing SOAP integrations will continue to run without interruption. This gives you time to plan, test, and complete your migration.

If you have a complex or large-scale integration and need additional time, contact your account team or Microsoft Advertising support to discuss an extended migration plan.

Why move to the REST API

The REST API provides a more modern and efficient integration experience:

  • Access to new features and ongoing enhancements
  • HTTP/JSON architecture aligned with industry standards
  • Simpler integration and debugging
  • Support across a wide range of programming languages
  • Smaller message sizes with HTTP compression, reducing latency and traffic

How to get started

The best migration approach depends on how you’re currently integrated.

If you use an SDK

Start with the SDK migration guide to move from SOAP to REST while staying aligned with future updates.

If you call the SOAP API directly

Update your implementation to use REST endpoints and request formats. You can find endpoint details and request examples in the API reference documentation.

Not using an SDK today? This is a good opportunity to adopt one. SDKs simplify migration now and make future updates easier.

Plan your migration now

While there’s no immediate impact to existing SOAP integrations, key milestones are approaching quickly:

  • October 1, 2026 → New features become REST-only
  • January 31, 2027 → SOAP API is fully deprecated

Starting early will help ensure a smooth transition and uninterrupted access to the latest capabilities.

We appreciate your partnership and are committed to supporting you through this transition. The REST API unlocks new possibilities, and we’re excited to help you take advantage of them.


What's New in Microsoft Entra: June 2026


Welcome to the June edition of our monthly newsletter, summarizing the latest news and developments in the exciting, ever-evolving world of Microsoft Entra.

What went into General Availability (GA) since May 2026?

Enable Phish‑Resistant MFA for Linux Desktops with Microsoft Entra - Microsoft Entra extends Phish Resistant Multi-Factor Authentication support to Linux desktops through the Microsoft identity broker, closing a long-standing gap in cross-platform identity. This update brings Linux to parity with Windows and macOS, enabling secure, modern authentication using phishing-resistant credentials. Support is now available for Ubuntu 24.04 and 26.04, as well as RHEL 8, 9, and 10, helping organizations consistently enforce strong authentication across all major desktop platforms.

Enable improved B2C-to-External ID migration with High Scale Compatibility (HSC) mode – HSC mode is a new tenant-level migration option that lets Azure AD B2C customers transition their applications to Microsoft Entra External ID without re-registering users or resetting passwords, by keeping existing B2C credentials in place during coexistence. It's intended for high-scale tenants - generally those with 5 million or more objects - where the standard bulk migration with JIT password sync isn't practical. Tenants below the 5M threshold should continue to use the standard migration path, and even eligible high-scale tenants should carefully evaluate both options before choosing. Customers can run the B2C Policy Analyzer to assess migration readiness, and account teams and partners should engage the EEID migration team to guide eligible Azure Active Directory B2C customers toward the right migration path.

Enable system-preferred authentication for first and second factors - Microsoft Entra ID updates system-preferred authentication to apply to both first-factor and second-factor authentication in Microsoft Managed state. The system evaluates registered credentials for the user and selects the highest-ranked method for each authentication step. This update applies automatically in the Microsoft managed state, ensuring seamless and secure authentication experiences.

Modernize account management with redesigned My Account pages - Microsoft Entra introduces redesigned Devices, Security Info, and Organizations pages in the My Account portal. The Devices page simplifies registered device management and prominently surfaces BitLocker recovery keys, reducing IT helpdesk dependency. The Security Info page in Settings & Privacy centralizes profile information, language, and region settings for easier updates. The Organizations page resolves issues with end users leaving organizations and delivers a streamlined experience. These updates automatically roll out to Microsoft Entra ID customers by the end of June 2026, requiring no administrator action.

Cross-tenant group synchronization in Microsoft Entra - This enables organizations to synchronize security groups and memberships across tenants for centralized management and consistent access control. This simplifies cross-tenant collaboration by allowing groups managed in a source tenant to be used in one or more target tenants for scenarios like shared application access and resource authorization. Beyond collaboration, this enables more seamless cross-tenant administration by allowing organizations to extend governance and access control consistently across tenant boundaries.

Account discovery for connected applications in Microsoft Entra ID Governance - Administrators gain visibility into all accounts within connected applications, including orphan accounts not assigned to the enterprise application in Microsoft Entra. Generate discovery reports directly from the provisioning experience to identify access gaps and simplify application onboarding. This capability requires a Microsoft Entra ID Governance or Microsoft Entra Suite license.

Automate agent identity sponsorship transitions - Microsoft Entra ID Governance ensures agent identities always have a delegated human sponsor accountable for their access and lifecycle. With Lifecycle Workflows, when a sponsor leaves the organization, sponsorship automatically transfers to their manager, maintaining continuity. Lifecycle workflows can also notify cosponsors and managers of impending sponsorship changes, streamlining the process and reducing manual oversight.

Drive Passkey Adoption with Microsoft Entra Registration Campaigns - Microsoft Entra Registration Campaigns now supports Passkeys such as Fast Identity Online (FIDO2), as an authentication method. Administrators can configure registration campaigns to nudge users to register passkeys during sign-in, helping organizations drive passkey adoption. This first rollout experience is optimized for users in a passkey profile without restrictions.

App Deactivation for Microsoft Entra applications - App Deactivation introduces a safe, reversible, and self-service way for app owners and admins to turn off applications that are unused, deprecated, or under investigation - without deleting them or breaking tenant-level governance. Deactivating an app registration provides a reversible way to prevent the application from accessing protected resources without permanently removing it from your tenant. When you deactivate an application, it immediately stops receiving new access tokens, but existing tokens remain valid until they expire. This approach is useful for security investigations, temporary suspension of suspicious applications, or when you need to maintain application configuration data. Unlike permanently deleting an application, deactivation preserves all application metadata, permissions, and configuration settings, making it easy to reactivate the application if needed. The application remains visible in your tenant's enterprise applications list, but users can't sign in and no new tokens are issued.

Enable phishing-resistant sign-in with Microsoft Entra passkeys on Windows - Users register device-bound passkeys in the local Windows Hello container and use them for secure sign-in with Windows Hello biometrics or PIN. These passkeys function as FIDO2 credentials and work without requiring the device to be Microsoft Entra joined or registered. This capability is automatically available in tenants where passkey profiles permit Windows Hello as a provider, supporting phishing-resistant authentication for Entra-protected cloud resources. Interactive Windows console sign-in is not supported.

New in Public Preview

Support domain-less SAML Federation on workforce tenants - Domainless SAML federation with a SAML Identity Provider allows external users to authenticate into your apps or workforce resources using their IdP-managed credentials, regardless of their email domain. Domainless federation removes the need for domain matching between the user's email and pre-configured IdP domains during sign-in or invitation redemption.

Sensitivity labels for Entra security groups - Microsoft Entra ID supports applying Microsoft Purview sensitivity labels to Entra cloud security groups in public preview. This enables administrators to use the same labels and policies already used for Microsoft 365 groups to govern security group behaviors such as guest access and other controls. Sensitivity labels are managed in Microsoft Purview and can be applied through the Entra Admin Center, Azure portal, and Microsoft Graph, helping organizations apply consistent governance across identities and access.

Safely remove and restore devices with Device Soft Delete - This enables administrators to move device objects to a recoverable state instead of permanently deleting them. Organizations can restore devices within a defined retention period while preserving critical data like device identity and associated security artifacts. The feature supports Microsoft Entra joined, registered, and hybrid joined devices, reducing risks from accidental deletions and improving device lifecycle management.

Move SAP SuccessFactors Provisioning to Workload Identity-based authentication - Microsoft Entra introduces Workload Identity-based authentication for SAP SuccessFactors provisioning, replacing long-lived usernames and passwords with Entra-managed credentials and short‑lived, standards‑based access tokens. This update allows customers to perform this authentication upgrade in-place on their existing provisioning jobs, without recreating or restarting them. This will switch their Entra or SuccessFactors integrations to a more secure model that is aligned with SAP SuccessFactors' plan to deprecate basic authentication for SAP SuccessFactors' APIs by November 2026. The new option applies to SAP SuccessFactors inbound provisioning to Active Directory and Microsoft Entra ID, as well as writeback scenarios, and improves security by eliminating the need to manually handle credentials and rotate them periodically.

Govern Azure role assignments with access packages - Microsoft Entra enables governance of eligible and active assignments to Azure roles at the Management Group, Subscription, and Resource Group levels through access packages. Role assignments now follow the same request, approval, and lifecycle governance model as apps and groups. This simplifies managing access to Azure resources at scale while supporting least privilege and just-in-time access principles.

Automate user attribute updates in Lifecycle Workflows - Microsoft Entra introduces the User Attribute Updates task in Lifecycle Workflows, enabling automated attribute changes directly within workflows. Administrators can set or clear attribute values including custom attributes with a secure, consistent, and auditable process. This feature reduces manual effort, enhances governance, and scales identity automation with confidence.

Improve privileged identity response for Security Operations Center (SOC) – Microsoft is extending the Entra Security Operator role so SOC analysts can take identity response actions, such as disabling users, revoking sessions, marking users compromised, forcing password resets (including cloud-only accounts), and deleting individual authentication methods, directly from the Microsoft Defender unified role-based access control (RBAC) experience, without broad Entra admin roles or identity and access management (IAM) escalation during active incidents. Permissions are scoped to non-admin users, enabling faster containment, least-privilege boundaries, and auditability.

Announcements

Require registered methods for Self-Service Password Reset - Microsoft Entra Self-Service Password Reset (SSPR) will only accept explicitly registered authentication methods for identity verification starting September 7, 2026. Directory-sourced contact information, such as phone numbers and email addresses stored as user object properties, will no longer be accepted unless registered as authentication methods. This change applies to all users, including administrators, across Public cloud, GCC, GCC High, and DoD. Beginning July 6, 2026, Microsoft will automatically launch a registration campaign prompting affected users to register authentication methods after sign-in. Administrators should ensure users have at least one registered method to meet SSPR policy requirements before enforcement to avoid disruptions.

Enforce Conditional Access during credential registration - Starting July 6, 2026, Entra ID Conditional Access policies scoped to the Register security information user action will be evaluated during credential registration for Windows Hello for Business and macOS Platform SSO. This ensures registration policies apply consistently across all registration flows. Users must satisfy policy controls, such as multifactor authentication (MFA), network restrictions, device compliance, or other tenant-defined requirements, before completing registration. Organizations without Conditional Access policies targeting this user action are unaffected, and MFA remains required by default for all passwordless credential registrations. Enforcement completes by July 13, 2026.

Expand passkey policy size and profiles in authentication methods policy - Microsoft Entra increases the passkey (Fast Identity Online 2, FIDO2) policy size limit to a dedicated 20 KB allocation within the authentication methods policy. Previously, all authentication methods shared a single 20 KB limit. This update ensures passkey policies have their own allocation, simplifying adoption and advanced targeting scenarios. Additionally, the maximum number of passkey profiles per tenant increases from 3 to 10, allowing greater flexibility in managing passkey configurations.

New guidance and information

Global Secure Access Operations Guide - The new GSA Operations Guide is your post-deployment companion for running Global Secure Access reliably at scale. It covers alerting, health checks, change management, metrics, and recovery playbooks, with ready-to-use KQL queries and templates you can adopt on day one. Capability-specific guides are included for Private Access, Internet Access, Remote Networks, and Microsoft Traffic. 

Tell us what you think!

If you have feedback on this newsletter, fill out the dedicated Microsoft Form.

Blogs

Check out the latest blog posts on our Microsoft Entra Blog and our Microsoft Entra Identity Developer Blog.

What's new in Microsoft Entra?

Learn what is new with Microsoft Entra, such as the latest release notes, known issues, bug fixes, deprecation functionality, and upcoming changes. You can find releases specific for Sovereign Clouds on a dedicated release notes page.

Become a certified Microsoft Identity and Access Administrator

Check out the certification and related training for the Microsoft Identity and Access Administrator available for customers and partners.

 

-Martin Coetzer

Principal Product Manager, Identity and Network Access, Customer Experience Engineering (CXE)

Microsoft Entra Community | LinkedIn

 

Learn more about Microsoft Entra

Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.


Windows news you can use: May 2026


First, as we head into June and the first set of Secure Boot certificates start to expire, there will be another Secure Boot Ask Microsoft Anything (AMA) on Thursday, June 4. Do save the date and post your questions early or at any time during the live stream if you need assistance. You can also watch the May edition on demand.

For more general questions around Windows deployment, updates, and management, you can join the chat-based Windows Office Hours every third Thursday. The next event will be June 18 at 8:00 AM PDT.

Now let's dive into more Windows news you can use that you might have missed this past month.

New in Windows update and device management

  • [AUTOPATCH] [GCC] – Windows Autopatch is now included automatically for Government Community Cloud (GCC) customers using Microsoft 365 G3 GCC, Microsoft 365 GCC G5, or Microsoft 365 GCC G5 without WDATP/CAS Unified. The $0 Windows Enterprise (OLS) activation SKU is no longer required. For guidance on how to get started, read Windows Autopatch for the US government.
  • [HOTPATCH] – Starting with the May 2026 Windows security update, hotpatch updates are now on by default for those using Windows Autopatch through Microsoft Intune or the Windows updates API in Microsoft Graph. The default tenant setting, however, is only applied to devices that aren't members of a quality update policy. Windows Autopatch respects your configuration of quality update policies.
  • [BACKUP] – Start managing Enterprise State Roaming (ESR) through Windows Backup for Organizations policies. By the end of June, you'll no longer be able to access ESR policies through the Microsoft Entra portal and will instead need to use Microsoft Intune.
  • [W365] – Admin Insights for Windows 365, now in public preview, brings together important signals from existing reporting, monitoring, and alerting from Intune. Quickly understand what's happening in your environment and where to focus.
  • [ARM] – Does your organization use, or plan to adopt, Arm-based Windows devices? Check out a snapshot of companies that have recently delivered or expanded print solutions supporting Windows on Arm.
  • [SKILLING] – Still have devices running Windows 10? Need advice on optimizing how you roll out new versions of Windows and Microsoft 365 apps in your organization? Use the updated Stay current with Windows learning path to plan, prepare for, and deploy updates across your organization.

New in Windows security

  • [SECURE BOOT] – The updated Secure Boot status report in Windows Autopatch provides better device-level visibility into certificate status, trust configuration, and readiness for Secure Boot certificate updates. New interactive certificate-level details fit directly into your certificate rollout workflow.
  • [SECURE BOOT] – Microsoft Defender now provides centralized visibility into Secure Boot 2023 certificate readiness across your device fleet. A new assessment categorizes your devices automatically as exposed, compliant, or not applicable.
  • [FIREWALL] [NETWORKING] – Have devices that experience difficulties receiving updates? New guidance is available to help you identify potential causes and implement solutions to ensure updates roll out smoothly moving forward.
  • [PRINTING] – A new icon appears on the Printers & scanners settings page. It helps you easily understand which devices support a more secure printing experience with Windows protected print mode.
  • [PASSKEYS] – World Passkey Day was May 7. Learn how Microsoft is Advancing passwordless authentication.

To explore what's new in security across the Microsoft platform, see What's new in Microsoft Security: May 2026.

New in AI

To learn about the latest capabilities for Copilot+ PCs, visit the Windows Roadmap and filter Platform by “Copilot+ PC Exclusives.”

New in Windows Server

For the latest features and improvements for Windows Server, see the Windows Server 2025 release notes and Windows Server, version 23H2 release notes.

  • [HOTPATCH] – Hotpatch updates enabled by Azure Arc are now available at no additional cost for Windows Server 2025. Read the announcement for details on eligibility and guidance on how to get started.
  • [SKILLING] – All 19 sessions from Windows Server Summit 2026 are now available on demand. Learn and improve your skills on your schedule.

New in productivity and collaboration

Install the May 2026 security update for Windows 11, versions 25H2 and 24H2 to get these and other capabilities, which will be rolling out gradually:

  • [FILE EXPLORER] – View and Sort preferences are now preserved in folders such as Downloads and Documents when apps launch File Explorer directly to those locations. File Explorer also now supports uu, cpio, xar, and NuGet Packages (nupkg) archive formats.
  • [INPUT] – Voice typing on the touch keyboard now looks simpler and more intuitive. The updated design removes the full‑screen overlay and shows voice typing animations directly on the dictation key.

New features and improvements are coming in the June 2026 security update. You can preview them by installing the May 2026 optional non-security update for Windows 11, versions 25H2 and 24H2. This update includes the gradual rollout of:

  • [AUDIO] – Shared audio enables two people to listen to the same audio from a single Windows 11 PC at the same time.
  • [CAMERA] – Windows 11's Multi-App Camera feature allows multiple applications to access your camera stream at the same time.
  • [MAGNIFIER] – Magnifier now provides clearer and more consistent announcements when working with a screen reader. You'll hear helpful announcements when you zoom in or out, switch views, turn color inversion on or off, or turn Magnifier on or off. In addition, Magnifier now supports magnification of permitted protected content.
  • [SEARCH] – Windows Search will now find and prioritize files with as few as two characters.
  • [PERFORMANCE] – Task Manager now provides enhanced visibility into NPU usage, including new metrics and AI activity insights.

Lifecycle reminders

Check out our lifecycle documentation for the latest updates on Deprecated features in the Windows client and Features removed or no longer developed starting with Windows Server 2025.

Additional resources

Looking for the latest news and previews for Windows, Copilot, Copilot+ PCs, the Windows and Windows Server Insider Programs, and more? Check out these resources:

Join the conversation

We are always looking to improve this monthly summary. Drop us a note in the Comments and let us know what we can do to make this more useful for you!


Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.
