News

For years, Outlook users had a simple safety net against sending email to the wrong person. If a stale, mistyped or outdated address appeared in the suggestions under To, Cc or Bcc, many users could click the small “X” beside it and stop that suggestion appearing again. But following Microsoft’s 31 March 2026 retirement of “Contact Masking”, and recent changes to how Outlook generates recipient suggestions, that familiar control is no longer behaving consistently across Outlook clients. Microsoft says the AutoComplete list is not affected. Many users say the experience tells a different story.

Contact Masking was one of the features users experienced through that familiar “X”. It allowed a user to hide a specific suggested recipient, so that the address would no longer appear when they composed a new message. Microsoft says it had become a recurring source of customer confusion and support escalations, because contacts could be hidden for one user but remain visible to others, and the behaviour was inconsistent across Outlook, Teams and Microsoft 365 Search. In its retirement notice (MC1234566), Microsoft says no replacement is planned for Contact Masking, and that previously hidden contacts may now reappear in addressing fields.

On paper, that should not affect the separate AutoComplete list, the locally cached suggestions Outlook builds up from addresses you have sent to before. In its own retirement notice, Microsoft is at pains to say that the AutoComplete list for Outlook will not be impacted by this change, and that users can still remove entries from their autocomplete history. Microsoft’s published guidance on the AutoComplete list still tells users they can remove an individual entry by selecting the X beside a name, or by highlighting it and pressing Delete. In theory, the X for Contact Masking is gone, but the X for AutoComplete should remain. Continue reading →

As Microsoft pushes Copilot deeper into Microsoft 365, owners and managers of small and medium-sized businesses face a confusing licensing landscape, shifting product names and price rises taking effect on 1 July 2026. Here is what has changed, what is on offer now, and the controls every administrator should understand.

---

For most UK small and medium-sized businesses, Microsoft 365 has quietly become the backbone of daily operations: email in Outlook, files in SharePoint and OneDrive, meetings in Teams, and documents in Word, Excel and PowerPoint. Over the past three years, Microsoft has been layering an artificial intelligence assistant — Copilot — on top of that stack. What started as a single premium add-on has fragmented into a confusing patchwork of free tiers, paid tiers, bundles and admin controls. And the rules keep changing.

With significant pricing changes due on 1 July 2026, a new SME-friendly licence already on the shelves, and free Copilot features being pulled from Office apps for unlicensed users at larger firms, now is the moment for business owners to take stock.

A short history of moving goalposts

Microsoft 365 Copilot was first unveiled in March 2023 as a glimpse of “AI for work”. When it became generally available on 1 November 2023, the terms were eye-watering for smaller firms: a substantial per-user add-on on top of an existing Microsoft 365 Enterprise licence, with a minimum commitment of 300 seats. The Register reported at the time that small businesses “need not apply”.

That barrier did not last long. In January 2024, Microsoft removed the 300-seat minimum and extended eligibility to Office 365 E3 and E5 customers. At the same time, the company launched Copilot Pro for individuals and began folding its various AI products — including the old Bing Chat and Bing Chat Enterprise — under the single “Copilot” brand.

A further rebrand arrived in January 2025: the work-account version of Microsoft Copilot, previously known as Bing Chat Enterprise, was renamed Microsoft 365 Copilot Chat and positioned as a free “freemium” entry point for any user signed in with an Entra ID. The branding distinction was, and remains, easy to miss — the free product (Microsoft 365 Copilot Chat) is not the same as the paid product (Microsoft 365 Copilot), and neither is the same as the consumer Copilot Pro or the older “Microsoft 365 Chat” feature.

Through 2025, Microsoft kept tinkering. Role-based products such as Copilot for Sales, Service and Finance were retired and folded into the main Microsoft 365 Copilot licence at no extra cost. The “messages” consumption unit for autonomous agents was rebranded as “credits”. The Microsoft 365 desktop app itself was renamed to the “Microsoft 365 Copilot app”, regardless of whether the user actually had a Copilot licence.

The most significant shift for SMEs came on 1 December 2025 with the launch of Microsoft 365 Copilot Business, a new SKU aimed squarely at companies with fewer than 300 users.

Where things stand in 2026

There are four Copilot options UK SMEs are likely to encounter: Continue reading →

Deadline Fixed, Legacy Prices Rising, and Copper Broadband Must Be Migrated Properly

With the PSTN switch-off now close, this is no longer something businesses can leave on the to-do list for “later”.

The deadline is fixed at 31 January 2027. Openreach has already confirmed 2026 price rises for legacy WLR (Wholesale Line Rental — the traditional phone-line product Openreach sells to communications providers, who then resell it to you as your line rental) services, and the biggest remaining area of confusion is broadband: if you still have a copper DSL service, the right migration path depends on whether FTTP is available at your premises.

If your business still relies on analogue lines, ISDN, or broadband tied to a traditional phone service, now is the time to review every circuit and every connected device.

The Deadline Is 31 January 2027

All users of the Openreach PSTN must be migrated to new services by 31 January 2027.

This is not only about voice calls. It also affects legacy services built around the old WLR/PSTN model, including analogue lines, ISDN and broadband services that still depend on a traditional phone line.

In practice, that means many older services now need to be replaced with digital alternatives such as FTTP or SOGEA.

Openreach Is Increasing Legacy Line Prices in 2026

Openreach has announced a series of WLR price increases during 2026 to push the remaining migrations through: Continue reading →

Britain’s cyber security authority has, for the first time, told the public to choose passkeys over passwords wherever they can. Here’s what that actually means for the businesses still running on “Summer2025!” and a sticky note.

Last week at CYBERUK 2026 in Glasgow, the National Cyber Security Centre — the part of GCHQ that issues the UK’s official cyber guidance — formally recommended that passkeys should be the default way of logging in to online services where they are available. It’s a striking departure from decades of advice telling us to pick longer, stranger, more memorable strings of characters, and it follows a similar move by the UK government to roll passkeys out across GOV.UK services in place of SMS verification, a change expected to save several million pounds a year.

The NCSC still recommends a good password manager paired with two-step verification for the many services that have not yet added passkey support. But where the option exists, the message is clear: take it.

For small business owners, that translates into something simple: if your suppliers, banks and cloud platforms support passkeys — and most of the big ones now do — it is time to start switching over.

This week’s passkey checklist

If you read no further, do these five things:

1. Turn on passkeys for your Microsoft 365 or Google Workspace admin accounts first, then your standard user accounts.
2. Register passkeys on at least two devices per account (typically a phone and a laptop).
3. Set up a working fallback for every account — recovery codes where offered, a second registered passkey where they’re not, and a Recovery Key on your Apple ID if you use iCloud Keychain.
4. Review the registered passkeys and sign-in methods on your critical accounts and remove anything you don’t recognise.
5. Make sure your IT provider has documented the recovery process before someone loses a phone — not after.

The rest of this article explains why, and what to do when things go wrong.

So what actually is a passkey?

Continue reading →

A humorous explainer on bits, bytes, storage, and the strange unit system that still confuses modern computing.

Our technology correspondent descends into the microscopic society living inside your laptop and returns with troubling news.

You may not be aware of this, but at this very moment there is a bustling society of microscopic workers living inside your laptop, your phone, and that suspiciously warm router in the hallway. They have a rigid class system. They have internal squabbles that were settled by committees decades ago and have never been revisited. And they are, almost without exception, much smaller than you’d think.

Allow me to introduce them.

The Bit: A Humble Beginning

At the bottom of the digital food chain lives the bit – the smallest employee in computing, paid in either a 0 or a 1 and nothing in between. Bits have exactly two moods and have shown no interest in developing a third. They have been asked, repeatedly, over the course of seventy-plus years, whether they might like to try being a 2. They have declined every time.

A single bit is, frankly, useless on its own. It can tell you whether the light is on or off, and that’s about it. This is why bits are never seen alone in polite society. They travel in packs.

The Nibble: A Unit Nobody Takes Seriously

Continue reading →

We get asked a lot of the same questions by businesses looking to move their IT to a proper managed provider. Here are the ones that come up most often, with straight answers.

Why would you use Trichromic?

If you value IT in your business and want a provider who actually cares about keeping things running smoothly, we’re a good fit. We’re passionate about what we do, genuinely pro-active, and we insist on getting to the root of chronic problems rather than patching the same issue month after month.

Why would you NOT use Trichromic?

If IT is just a cost you want to minimise — or you’d rather only hear from your IT provider when something’s broken — we’re probably not for you. We work best with businesses who see reliable, secure IT as an investment in their own productivity and reputation.

What makes Trichromic different?

Two things. First, our pro-active approach — we’re not content to just fix what’s in front of us, we want to stop issues recurring. Second, we run our own infrastructure and apply the same security standards we recommend to our clients, including the principles behind Cyber Essentials.

How long has Trichromic been in business?

Since 2006. Trichromic LLP is owned by Alex Bailey and Lloyd Reid, who still run the business day to day. Continue reading →

We’ve seen three successful attacks this year where users had MFA enabled and still got compromised. Here’s how it works and what you can do about it.

Multi-factor authentication is one of the most important security controls you can implement. Microsoft says it blocks over 99% of credential-based attacks. We enforce MFA for every user, on every account, with no exceptions.

But MFA isn’t bulletproof. This year alone, we’ve seen three successful attacks against Microsoft 365 accounts where the users had MFA enabled and working correctly. They entered their password, they completed the MFA challenge, and the attackers still got in.

This isn’t a theoretical vulnerability. It’s happening right now, and many IT professionals don’t fully understand how it works. This article explains the attack, why it succeeds, and what we’re doing to protect against it.

How Microsoft 365 Authentication Actually Works

To understand the attack, you need to understand what happens when you log into Microsoft 365. Continue reading →

For many SMEs across the UK, Remote Desktop remains a practical and cost-effective way to access private cloud desktops, line-of-business applications and hosted Windows environments.

Microsoft’s latest Windows 11 security update has now changed how that experience works when users open an .rdp file. From Microsoft’s 14 April 2026 cumulative update (KB5083769, builds 26100.8246 and 26200.8246), Remote Desktop shows the requested connection settings before connecting, with each setting turned off by default, and a one-time security warning appears the first time an .rdp file is opened on a device. The change is tied to CVE-2026-26151, a Remote Desktop spoofing vulnerability.

At first glance, that may sound like a minor interface change. In practice, it is a significant shift in how trust is handled for remote access. Microsoft has not removed digital signatures from signed .rdp files, and signatures still help verify who published the file and whether it has been altered. What has changed is the default behaviour at connection time: regardless of whether an .rdp file is signed or unsigned, every redirection it requests is now off by default, and the user must explicitly allow access to items such as clipboard, local drives, printers and other attached devices. The signature now determines which dialog banner the user sees, and whether a publisher name is shown, rather than granting automatic redirection trust. Continue reading →

If you’re an MSP or private cloud provider managing 3CX phone systems — or similar nginx-based platforms — there’s a good chance your certificate renewal process has changed in the last year or two. Certificate Authorities have been tightening up their issuance practices, and what used to be a simple “drop the new PEM in and restart” job now usually involves dealing with a full chain back to the root CA. The exact details vary by product, but the underlying patterns are similar wherever nginx is doing the TLS termination.

We recently went through this on a customer’s 3CX system and hit a few of the common pitfalls. Sharing them here in case it saves someone else half an hour of head scratching.

What Changed

In the past, many CAs would issue a single PEM file containing just the server certificate. Modern browsers and clients had the intermediate certificates cached or could fetch them via AIA (Authority Information Access), so an incomplete chain often worked anyway.

These days, when you renew you’ll typically end up with:

• Your private key — generated locally on your server as part of the CSR (Certificate Signing Request) process. The CA never sees this; it only receives the public key embedded in the CSR.
• A server certificate (.pem or .crt) — issued by the CA in response to your CSR.
• A bundle file (.bundle, .ca-bundle, or similar) — supplied by the CA alongside the certificate, containing the intermediate certificates and sometimes the root.

In a typical nginx deployment, the ssl_certificate file should contain the server certificate followed by the intermediate certificate(s) — and that’s what nginx (or anything sitting on top of nginx, like 3CX) wants to see.

The Right Order Matters

When you concatenate the server certificate with the bundle, the order is critical:

1. Server certificate first
2. Intermediate certificate(s) next
3. Root certificate — usually omitted. Clients already trust the root, so including it just adds bytes to the handshake. Only include it if a specific vendor or product requires it.

Get this wrong and nginx will either refuse to start or will serve a chain that fails validation on stricter clients. The TLS handshake expects the leaf certificate first. Continue reading →

When nothing is broken, it is easy to wonder what you are paying for. Here is what happens behind the scenes to keep it that way.

If your IT is working properly, you probably do not think about it very much. Email works. Files are where they should be. You can log in. The internet is fast enough. Everything just works.

And when that is the case, it is natural to wonder what your IT provider is actually doing. You are paying a monthly fee, but there are no engineers on site, no major incidents, and no obvious signs of activity.

That is the point.

The purpose of managed IT is to stop you having to think about IT at all. But “nothing happening” on your side usually means a great deal is happening on ours. Here is what a typical month really looks like behind the scenes.

Every morning

Our day starts by checking what happened overnight.

Backup reports. Most client backups run overnight, so every morning we check that they completed successfully. Did the job finish? Were there warnings or failures? A backup that fails silently is often worse than no backup at all, because you only discover the problem when you need to restore data, and by then it is too late. Continue reading →