M365 Roundup, February 2025: Microsoft Writes Your Conditional Access Now
TL;DR
- Starting February 2025, Microsoft rolls out two managed Conditional Access policies limiting device code flow and legacy authentication, created in report-only mode with at least 45 days before auto-enforcement.
- Microsoft Skype interoperability in Teams retires on May 1, 2025, after which Teams users cannot communicate with Skype accounts.
- WSUS driver synchronization is deprecated on April 18, 2025, pushing driver updates toward cloud-based services like Intune.
- Windows 11 Hotpatch is in public preview, requiring 24H2 with the January 2025 security update and Virtualization-Based Security enabled.
- Copilot Chat integrates with SafeLinks for time-of-click URL protection, and the note-taking Facilitator agent arrives on by default in Teams.
February 2025 is the month Microsoft started writing Conditional Access policy for you: two managed policies arrive in report-only mode and switch themselves on after 45 days. Add a hard retirement date for Skype interop in Teams, a WSUS deprecation, and Hotpatch finally reaching public preview, and this cycle is unusually deadline-driven.
Everything from the February 2025 updates, ordered by how soon it can bite.
Mark the calendar: three dates with consequences
Microsoft-managed Conditional Access policies, enforced after 45 days
Microsoft is rolling out two new Microsoft-managed Conditional Access policies designed to limit device code flow and legacy authentication flows. The rollout begins in February 2025. The policies are created in report-only mode so you can review their impact, and once created you have at least 45 days to evaluate and configure them before they are automatically moved to the On state.
Full announcement: New Microsoft-managed policies to raise your identity security posture (opens in new tab)
Skype interoperability in Teams retires May 1, 2025
Microsoft retires Skype interoperability from Microsoft Teams on May 1, 2025. After the change, Teams users can no longer communicate with Skype accounts.

WSUS driver synchronization deprecated April 18, 2025
If you synchronize driver updates through Windows Server Update Services, that service is scheduled for deprecation on April 18, 2025. Plan the transition to cloud-based driver services; from that date you can use other means, such as Device Driver Packages, to import updates from the Microsoft Update catalog.
- Original deprecation announcement (opens in new tab)
- Device Driver Packages (opens in new tab) for on-premises contexts
- Windows driver update management in Microsoft Intune (opens in new tab)
Identity: QR codes for the frontline
The public preview of QR code authentication in Microsoft Entra ID (opens in new tab) targets a persistent frontline-worker pain point: cumbersome sign-in to apps on shared devices. The feature provides quick access to essential applications on shared work devices with simple, secure authentication, no usernames and passwords to remember or type.

Full announcement: Simplify frontline workers' sign-in experience with QR code authentication (opens in new tab)
Intune: Hotpatch opens its public preview
Hotpatch, restarts-optional patching for Windows 11, is in public preview and Microsoft welcomes production testing. Enrollment begins in the Intune admin center, and devices must meet these prerequisites:
- Operating system: Windows 11 24H2 with the January 2025 Windows monthly security update KB5050009 (OS Build 26100.2894) (opens in new tab) as baseline
- Virtualization-Based Security (VBS): must be enabled for secure installation of Hotpatch updates; see Memory integrity and VBS enablement (opens in new tab)
Arm64 devices only: disable compiled hybrid PE usage (CHPE) with a registry change, then restart. The setting persists once set:
Path: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
DWORD: HotPatchRestrictions = 1Prerequisite documentation: Windows Autopatch Hotpatch updates (opens in new tab)


Copilot: link protection in, an agent on by default
Copilot Chat gets SafeLinks and time-of-click checks
M365 Copilot Chat picks up three link safety changes, rolling out late March 2025 and completing by late May 2025:
- SafeLinks integration. Copilot Chat integrates with SafeLinks in Defender for Office 365 (opens in new tab) for time-of-click URL protection on hyperlinks in chat responses. Applies to users with Defender for Office 365 Plan 1 or Plan 2; no SafeLinks policy configuration needed. The URL protection report (opens in new tab) in the Defender Security Center shows summary and trend views for detected threats and actions taken.
- Native time-of-click reputation checks. Users without SafeLinks get a native URL reputation check on links in Copilot Chat responses.
- Less redaction. Copilot Chat stops redacting hyperlinks found in the grounding data used to generate responses.
Facilitator agent takes the minutes, on by default
The Facilitator agent takes notes during Teams meetings and chats, synthesizing key information so users can catch up quickly; in meetings, everyone can co-author the real-time notes. After the rollout, the Facilitator app is on by default unless all apps are blocked by the organization. Admins control availability for the whole organization or specific groups: Set up Facilitator in Microsoft Teams (opens in new tab). Early April 2025, completing late April 2025.
Smaller Copilot items
Hide Copilot in Outlook. Starting March 2025, a new Outlook setting lets users hide Copilot entry points such as "Summarize this email."

Copilot Actions in Targeted Release. Actions combine Copilot prompts, triggers (file modifications, daily schedules), and user-defined rules to automate and delegate common information-worker tasks. Early March 2025.
Prioritize my inbox. Copilot-licensed users can opt in to inbox prioritization in new Outlook for Windows and web (English) from April 2025. A setup wizard appears under the Copilot dropdown. Limits to know: it works only on the main inbox, not folders, and not on shared or group mailboxes. Availability is first-come, first-served during rollout, and admins cannot choose which users get it.

Copilot Studio: SharePoint as a knowledge source. When an agent lacks a topic for an answer, it can search a SharePoint URL and all subpaths, with generative answers summarizing the content into a targeted response. Generally available February 28, 2025.


Teams: eight features, two for admins
App security and compliance info in the admin center. The security and compliance tab now surfaces an app's posture, including assessments for data security, vulnerability scanning, SOC, PCI, and more, to support informed trust decisions. Late February 2025, completing early April 2025 (previously mid-March).

Client health dashboards. The new Teams client health page in the admin center monitors Windows and Mac desktop clients: crashes, launch failures, and update failures, plus version adoption, version health, and granular device and user detail. Admins get top issues, insights, and tools to address problems, and can proactively fix whatever blocks automatic updates to the most secure client version. Late March 2025, completing late April 2025.
Queues app adds Monitor, Whisper, Barge, and Takeover. Authorized users can enter a monitoring session for private coaching: listen to customer calls, whisper private messages to agents, or barge into and take over the call. Late April 2025, completing early May 2025.
Mic volume indicator. Real-time visual feedback on audio levels in the user bar ends the "can you hear me?" era. Mid-April 2025 (previously late March), completing late April 2025.

Chat while screen sharing. Presenters get a compact, presenter-only view of meeting chat via the Chat icon on the presenter toolbar. Mid-May 2025 (previously mid-April), completing early June 2025 (previously late May).

Faster file sharing. Files can be shared from a chat conversation, Chat Shared tab, or channel post to 1:1 chats, group chats, or channels in fewer clicks. Mid-April 2025, completing early May 2025 (previously late April).


Participants can request annotation. Non-presenting participants can request an annotation session; the presenter accepts or denies. Mid-April 2025, completing early May 2025.

Scheduled channel messages. Like delayed chat messages and Outlook emails, channel posts and replies can now be scheduled: click the plus icon, select schedule message, pick the date and time. Generally available.

Outlook and OneDrive
Outlook Newsletters. Users on new Outlook for Windows and web can create professional email newsletters with rich elements and built-in engagement management; readers discover and subscribe through a new Explore page in the Newsletters module. Documentation (opens in new tab). Early August 2025, completing early September 2025.

Delivery and read receipts on iOS and Android. Users can request receipts while composing, respond to read receipt requests, and set preferences for future ones. Mid-March 2025, completing mid-April 2025.

Password-protected PDFs in OneDrive for web. Users can set a User Password to control who opens a PDF, or an Owner Password to gate operations like printing, copying, or modifying. The flow: open the PDF, click Set password in the upper-left toolbar, set the User Password under Security and the Owner Password under Protection with the chosen permission levels. Mid-March 2025, completing late March 2025.
Governance odds and ends
Retention by last access. Purview Data Lifecycle Management lets admins apply a retention policy or label in OneDrive and SharePoint based on files not accessed by anyone in the organization for a specified period. Mid-March 2025, completing late March 2025.

Quality updates during OOBE. By mid-2025, a new policy lets you choose whether new Windows 11 devices (22H2 and higher) install the latest applicable quality update during the out-of-box experience, configurable via Windows Autopilot and Autopilot device preparation as an MDM policy and Group Policy.
New Outlook migration report. A usage report tracks active users who have moved from classic Outlook for Windows to new Outlook, supporting the phase-out of the classic client. Early March 2025, completing late March 2025.

Frequently asked questions
What happens if nobody reviews the new Microsoft-managed Conditional Access policies?
They turn themselves on. The policies are created in report-only mode so you can review their impact, and once created you have at least 45 days to evaluate and configure them before they are automatically moved to the On state. Tenants with legitimate device code flow or legacy authentication use need exclusions configured before that window closes.
What are the prerequisites for Hotpatch updates?
Devices must run Windows 11 24H2 with the January 2025 security update KB5050009 (OS Build 26100.2894) as baseline, and Virtualization-Based Security must be enabled. Arm64 devices additionally require disabling compiled hybrid PE usage via the HotPatchRestrictions registry key, followed by a restart. Enrollment starts in the Intune admin center.
Is the Teams Facilitator AI agent opt-in?
No. After the rollout, the Facilitator app is on by default unless all apps are blocked by the organization. Admins control whether it is available to the entire organization or only certain groups, so tenants that want it off need to act.
45-day windows close whether you watched or not
Report-only policies flip to enforced, defaults turn on, and deprecations land mid-quarter. CloudCapsule checks 250+ controls per tenant in 60 seconds so February's changes surface as findings on a report, not tickets in a queue.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


