Your monthly digest from Guardian 365: what’s changing in M365, what it means for your environment, and what to do before enforcement hits.
If you manage IT or cybersecurity for a school district, college, university, or state and local government agency, this month’s Microsoft 365 update cycle includes changes that demand attention before the fall semester — and before several hard enforcement dates arrive.
Guardian 365, Forsyte’s managed detection and response platform built natively on Microsoft’s security stack, monitors the M365 Admin Message Center on behalf of our customers each month. Below is our July 2026 summary, written for IT directors, CISOs, and technology coordinators in the education and government space.
1. BitLocker Vulnerability on Windows 11 and Windows Server 2025: New Mitigation Script Available
CVE-2026-45585 | Affected: Windows 11 (26H1, 25H2, 24H2) and Windows Server 2025
School districts and government agencies that rely on BitLocker to protect sensitive data on endpoints — student records, personnel files, constituent data — should take note of an updated mitigation for a recently disclosed Windows BitLocker security feature bypass vulnerability.
Microsoft has released a simplified mitigation script to reduce exposure to CVE-2026-45585 while a full security patch is developed. This matters for your environment if:
- Staff or faculty take district- or agency-issued laptops home or on travel
- You manage devices running Windows 11 24H2 or later
- Your Windows Server 2025 infrastructure uses BitLocker-encrypted volumes
What IT teams should do:
- Audit BitLocker usage across affected Windows versions using your endpoint management platform (Microsoft Intune or Configuration Manager)
- Review the updated Microsoft Security Update Guide entry for CVE-2026-45585
- Deploy the mitigation script to unprotected devices
- Notify device management and endpoint security teams
This is especially relevant for K–12 districts with 1:1 device programs, higher education institutions managing large laptop fleets for students and faculty, and government agencies with remote or hybrid workforces handling sensitive data.
2. Teams Live Events Retires June 30, 2026 — Transition Now
Deadline: June 30, 2026 (no new events schedulable after this date)
Microsoft Teams Live Events will retire on June 30, 2026. This platform has been widely used by educational institutions and government agencies for virtual town halls, board meetings, all-staff communications, community outreach events, and legislative hearings.
After June 30:
- No new Teams Live Events can be scheduled
- Events already scheduled will continue to run through February 28, 2027
- Any integrations built on the isBroadcast Graph API property will stop functioning
The replacement is Microsoft Teams events, which supports webinars, town halls, and large-scale meetings with expanded capabilities.
What IT teams and event coordinators should do:
- Audit your upcoming event calendar and migrate any remaining planned events to Teams events now
- Identify and update workflows or integrations that reference Teams Live Events or the isBroadcast Graph API
- Notify event organizers, producers, and communications teams — this is often a change that catches non-technical staff off guard
- Update training materials and internal knowledge bases that document event production procedures
For higher education institutions running large virtual events (graduation ceremonies, faculty senate meetings, community forums) and government agencies hosting public hearings or board sessions, this transition should be a top priority this week.
3. Microsoft Entra ID SSPR Authentication Method Enforcement — September 7, 2026
Deadline: September 7, 2026 | Affects: All tenants with SSPR enabled, including GCC and GCC High
This is one of the most important changes in this month’s bulletin for K–12 districts, higher education institutions, and state and local government agencies — many of which operate on Microsoft 365 Government (GCC or GCC High) tenants.
Starting September 7, 2026, Microsoft Entra ID Self-Service Password Reset (SSPR) will only accept explicitly registered authentication methods for identity verification. Currently, SSPR can use contact information stored in directory attributes — mobile phone, business phone, alternate email — even if a user never registered those methods. That behavior ends in September.
Why this matters for education and government:
- Large organizations with high staff turnover (school districts onboarding new educators each fall, government agencies with seasonal workers) often have significant populations of users who have never registered authentication methods
- Microsoft estimates approximately 14% of SSPR verifications today rely on unregistered directory attributes — those users will be unable to reset their own passwords after enforcement
- For districts opening in August or September, a wave of locked-out users at the start of the school year is a preventable but disruptive scenario
- GCC and GCC High tenants are explicitly included in enforcement scope
A registration campaign begins July 6, 2026, automatically prompting users and administrators who lack registered methods. Enforcement begins September 7, 2026.
What IT teams should do:
- Immediately audit authentication method registration coverage: in the Microsoft Entra admin center, navigate to Authentication methods > User registration details
- Identify users — especially staff onboarded in the past year — who have no registered methods
- Enable the SSPR registration campaign and communicate proactively to end users
- Plan helpdesk-assisted registration pathways for users who won’t self-serve
- Prepare your helpdesk team for increased SSPR-related tickets through August and early September
- Update internal IT documentation and helpdesk scripts to reflect the new enforcement behavior
For government IT teams managing GCC or GCC High environments, coordinate with your agency security officer to ensure this change aligns with your identity security policies.
4. Microsoft Defender for Endpoint Advanced Hunting: SMB Signature Inspection Events Removed
Effective: July 1, 2026 | Affects: Security teams using custom hunting queries or automated detections
Starting July 1, 2026, Microsoft Defender for Endpoint will no longer generate SMB signature inspection events in Advanced Hunting. Specifically, events with ActionType = “NetworkSignatureInspected” and SignatureName = “SMB_Client” will stop populating.
This change is most relevant for security operations teams — including those at larger school districts, community colleges, universities, and government agencies running custom threat hunting programs or automated detection pipelines on top of Defender for Endpoint.
What security teams should do:
- Search your custom detection rules, saved hunting queries, scheduled queries, and automated workflows for references to ActionType = “NetworkSignatureInspected” with SignatureName = “SMB_Client”
- Replace affected queries with port-based filtering on port 445 in the DeviceNetworkEvents table:
- | where RemotePort == 445 or LocalPort == 445
- Validate updated queries return expected results before July 1
- Notify SOC analysts and threat hunters of the change
If your organization uses Guardian 365 for managed detection and response, your Guardian 365 team will handle this query update on your behalf. Reach out to your Guardian 365 representative if you have questions about your detection coverage.
Stay Ahead of Microsoft Changes with Guardian 365
Managing the M365 Admin Message Center across hundreds of update messages per month is time-consuming — and missing one critical change can create real risk for your students, faculty, constituents, or agency operations.
Guardian 365 performs this review for you every month, surfacing only the changes that matter for your environment, with plain-language guidance on what to do and when.
Is your Microsoft 365 environment prepared for what’s coming this fall?
Our Data Security Assessment — powered by Microsoft Purview — gives K–12 districts, colleges, universities, and government agencies a clear picture of where sensitive data lives in your environment and where your security posture needs attention.
