PatchDay Alert
MAY 4, 2026
Analysis · 5 min read By Victor Hayes

Microsoft: the Patch Day cinematic universe

Licensing, patches, email blocking, Copilot, Recall, Windows replacement. Every subplot lands on the same sysadmin's desk.

Every major Microsoft problem is someone else’s problem until it isn’t. Licensing is procurement’s. Outlook is the messaging team’s. Copilot is whoever drew the short straw on the AI pilot. Patch Tuesday is yours. But they all route to the same place eventually, which is the desk of the person who keeps the infrastructure running. And right now, every subplot is running simultaneously.

The licensing arc

On November 1, 2025, Microsoft eliminated volume discount levels B, C, and D from Enterprise Agreements. Every customer now pays Level A list pricing. An organization that was spending $10M on an EA is looking at $12.5M for the same software. Unified Support costs rose in lockstep.

That wasn’t the only change. Core CAL pricing went up 15% in mid-2025. Enterprise CAL went up 20%. A further M365 price increase of up to 33% has been announced for July 2026.

Then there’s Teams. After unbundling it to satisfy EU antitrust regulators, Microsoft re-offered bundled SKUs on the same date. The result is two parallel SKU paths in a single tenant. Your licensing contact will explain the distinction. Bring lunch.

None of this is a patch. None of it is a vulnerability. But the budget it consumes is the same budget that funds your maintenance windows, your test environments, and your headcount.

The Copilot bait-and-switch

On April 15, 2026, Microsoft reversed free Copilot Chat availability in Word, Excel, and PowerPoint for enterprises with 2,000 or more users. The feature now requires a $30/user/month paid license. Smaller organizations still get access, but with degraded quality at peak hours.

Only about 3% of M365 customers pay for the full Copilot tier. Disabling it for the other 97% requires per-app rejection across Outlook, Excel, PowerPoint, Visual Studio, and Notepad. There’s no single toggle.

UK consultants are charging between 5,000 and 15,000 pounds to safely configure a 50-person Copilot deployment. Consultants call this a “governance tax.” The more descriptive term is that Microsoft shipped a feature with org-wide data access implications and left the scoping work to the customer.

PDQ’s year-in-review put it plainly: sysadmins are frustrated by vendors, particularly Microsoft, baking AI into products and raising prices for features many companies never asked for.

The patch quality arc

KB5082063 in April 2026 sent domain controllers into reboot loops via LSASS crashes. A subset of Server 2025 machines booted into BitLocker recovery. Microsoft shipped an emergency out-of-band fix.

This was not a novel failure mode. In September 2025, a cumulative update broke Entra Connect Sync, severing hybrid identity for affected tenants. There was no automatic rollback.

Platform reliability is part of this arc. On October 29, 2025, Azure Front Door went down for over eight hours globally. M365, Outlook, and Teams were unavailable. Starbucks, Capital One, Vodafone, and Heathrow were affected. SLA credits came out to roughly $25,000 against actual customer impact estimated between $4M and $10M.

Windows Central reported that Microsoft formed an internal task force called “Windows K2” in late 2025 to address what the publication called “infuriating bugs and constant unwanted features.” The existence of an internal quality task force is not reassuring in the way Microsoft probably intended. It confirms the problem is visible enough to name.

The email blocking arc

On May 5, 2025, Microsoft’s high-volume sender mandate took effect, requiring SPF, DKIM, and DMARC for anyone sending more than 5,000 emails per day to Outlook.com addresses. The mandate itself was reasonable. The execution was not. Six days before the deadline, Microsoft skipped the promised Junk folder grace period and went straight to hard rejection: 550 errors, code 5.7.15. Square receipts bounced. Salesforce-routed mail bounced.

Between January and March 2026, Outlook.com mass-rejected legitimate senders, citing blocklisted ISP subnets. The Register described the situation as “carnage.” There was no self-service remediation path for non-enterprise customers.

The Recall arc

Recall takes continuous screenshots of your desktop for AI indexing. If your org hasn’t disabled it, Recall indexes whatever is on screen: credentials in a terminal, patient data in an EHR, salary numbers in a spreadsheet. Kevin Beaumont published a detailed writeup under the name DoublePulsar. Signal, Brave, and AdGuard built blockers. The University of Pennsylvania issued a formal warning.

This is the product Microsoft chose to ship while the K2 task force was trying to fix the quality problems users already had.

The exit arc

France announced in April 2026 that 2.5 million government seats would migrate to Linux over the next five to seven years. The stated rationale: “Regain control of our digital destiny.” Estimated cost: 1.5 to 3 billion euros.

Schleswig-Holstein has migrated roughly 80% of its 30,000 workstations, saving an estimated 15 million euros in licensing costs in 2026 alone.

When Windows 10 hit end of life on October 14, 2025, somewhere between 35% and 40% of the installed base couldn’t meet Windows 11 hardware requirements. Zorin OS 18 got 100,000 downloads in its first two days. That’s not a Linux revolution. But it’s also not nothing.

The shared timeline

The person patching KB5082063 is also the person fielding questions about Copilot licensing. They’re the one troubleshooting email deliverability after the Outlook.com rejections. They’re explaining to procurement why the EA renewal costs 25% more for the same software. They’re writing the Recall risk assessment because security asked and nobody else volunteered. They’re fielding tickets about the forced New Outlook migration breaking COM add-ins and advanced search, then explaining to users why .PST files no longer work the way they did last month.

These are not separate storylines. They share a resource pool: the time, patience, and institutional trust of the people who keep these systems running.

Microsoft can afford to treat licensing, product quality, email infrastructure, and AI features as independent business units with independent roadmaps. The sysadmin absorbing the output of all four cannot.

Every day PatchDay Alert triages the CVEs so you can spend your morning on the patches that matter instead of the vendor’s full advisory matrix. But the patch list is only one of the tabs open on that desk. The rest of them say Microsoft too.

The crossover event already happened. It’s the job.
