Microsoft rolled out its June 2026 Patch Tuesday updates, addressing 49 vulnerabilities across the Windows ecosystem. Among them, CVE-2026-45604 stands out for its targeted impact on the Managed Installer component of Windows App Control for Business (formerly Windows Defender Application Control). This vulnerability, rated Important by Microsoft, enables an authenticated attacker to gain unauthorized read access to sensitive information that could reveal the inner workings of application control policies deployed across an enterprise.
At its core, Managed Installer is a bridge between strict application whitelisting and operational flexibility. When an organization enables App Control, only whitelisted executables, scripts, and drivers can run. Managed Installer creates a set of trusted installer processes that, when running with the right privileges, can tag newly installed software as “managed” and thus allowed to execute even if not explicitly whitelisted. This mechanism is crucial for software distribution tools like Microsoft Intune, Configuration Manager, or third-party patching solutions. The Managed Installer configuration defines which binaries are granted this privileged status, and it is protected by Windows internals.
CVE-2026-45604 undermines this protection by exposing details of the Managed Installer policy to local, low-privileged users. Exploiting the flaw requires an attacker to already have a foothold on the target machine, but no additional user interaction or elevated rights. The vulnerability resides in the Windows Application Identity Service (AppIDSvc), the subsystem responsible for verifying the trustworthiness of application files. An information disclosure bug in this service could allow a rogue process to read configuration data, log entries, or runtime status normally hidden from non‑administrators. While Microsoft has not publicly detailed the exact nature of the data exposure, security experts note that knowledge of Managed Installer rules could help attackers craft malicious payloads that appear to originate from trusted installers, effectively sneaking past App Control enforcement.
The CVSS 3.1 base score for CVE-2026-45604 is estimated at 5.5 (Medium), but Microsoft's own severity rating is Important, reflecting the potential to undermine a key defense‑in‑depth security boundary when combined with other attacks. The vulnerability affects all supported versions of Windows 10, Windows 11, and Windows Server 2016/2019/2022/23H2. Exploitation does not require a reboot, though installing the security update does require a system restart.
The bigger picture: App Control for Business and Managed Installer
To understand the flaw’s significance, one must appreciate App Control for Business’s role in enterprise security. Many organizations are moving away from signature‑based antivirus toward application control as a primary defense against malware and ransomware. App Control whitelists every executable, DLL, script, and driver; everything else is blocked by default, unless a managed installer gives it a temporary pass. This model drastically reduces the attack surface, but it also introduces a complex trust dependency on the Managed Installer service.
If an attacker can learn the exact file paths, publisher names, or hash conditions that qualify a process as a managed installer, they can attempt to replicate or spoof those characteristics. For example, knowing that a particular enterprise uses “C:\Program Files\MyCorp\update.exe” as a managed installer might allow a phishing campaign to drop a malware payload at that exact path. Combined with a separate code‑execution vulnerability, this information disclosure could be a vital stepping stone.
Technical dissection of CVE-2026-45604
Microsoft’s advisory reveals little technical detail, but the affected component — Windows Application Identity — provides clues. This service runs as NT AUTHORITY\LocalService and is accessible to all users on a system. It exposes RPC interfaces that callers can use to query the trust status of files. In a properly functioning system, those RPC calls return only boolean results: “trusted” or “untrusted.” CVE‑2026‑45604 apparently allows an attacker to extract additional metadata, such as full policy XML snippets, debugging logs, or error messages that inadvertently leak the configuration.
An authenticated attacker could craft a small executable that connects to the AppIDSvc endpoint and repeatedly calls a vulnerable function. The proof‑of‑concept scenario could be trivial: a standard user runs the tool, which then dumps the list of all managed installer paths and associated hashes. This data, once exfiltrated, could be used off‑machine to engineer a targeted attack.
Because the vulnerability is post‑authentication and requires no admin rights, it is especially dangerous in shared‑use environments such as kiosk systems, VDI, or terminal servers where many low‑privileged users might have interactive sessions. A single such insider could undermine the application trust model for the entire estate.
Microsoft’s response and the patch
Microsoft issued a security update that addresses the root cause by hardening the AppIDSvc response sanitization. The fix restricts the verbose debugging information from leaking out of the service boundary. The patch is rolled into the June 2026 cumulative updates for all affected Windows versions. As of June 9, 2026, it is available via Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog.
For IT administrators applying the patch, standard guidance applies:
- Test the update in a staging environment first, particularly for systems running custom App Control policies.
- Validate that Managed Installer functionality continues as expected after the reboot.
- Prioritize patching for endpoints where multiple untrusted users have interactive access, such as Remote Desktop Services hosts.
No known bypasses or post‑patch exploitation methods have been reported at the time of writing.
Workarounds and mitigation
Microsoft’s advisory states that no practical workaround exists other than applying the security update. Some defenders might consider disabling the Application Identity service, but doing so would cripple App Control enforcement entirely, rendering whitelisting useless. Similarly, removing all managed installer rules would prevent the information leak, but it would also force administrators to individually whitelist every application update — a non‑starter for most organizations. Therefore, patching is the only real path.
Community and industry reaction
Early responses from the Windows security community on forums suggest that enterprise customers using App Control for Business are paying close attention. Discussions on /r/sysadmin and the Microsoft Tech Community have raised concerns about the opacity of the AppIDSvc debugging logs. Some veteran administrators note that they have long recommended disabling verbose logging for the Application Identity service in Group Policy. While this practice reduces performance overhead, it may also have inadvertently shielded some systems from the data exposure. However, Microsoft has confirmed that CVE‑2026‑45604 leaks information through a logic error distinct from logging verbosity, so even systems with minimal logs could be affected.
The Managed Installer attack surface itself has attracted scrutiny. A few security researchers have pointed out that the concept of “trusted installer” is inherently fragile, and that Microsoft should accelerate the transition to more modern, Zero Trust‑aligned technologies such as Smart App Control and Windows Copilot’s AI‑based threat intelligence. Still, for the large installed base of traditional App Control policies, CVE‑2026‑45604 is a wake‑up call to audit those trusted installer definitions.
How to check if your system is vulnerable
All Windows builds prior to the June 2026 cumulative update are vulnerable. To check your current version, run winver or go to Settings > System > About. If the installed cumulative update is from May 2026 or earlier, the vulnerability is present. For quick enterprise‑wide scanning, administrators can use the Microsoft Defender for Endpoint threat analytics dashboard, which now includes a detection indicator for CVE‑2026‑45604.
The exploitation landscape
As is standard for Patch Tuesday disclosures, the vulnerability was responsibly reported to Microsoft, and no active exploitation has been observed in the wild. The low‑complexity nature of the bug, however, means that a proof‑of‑concept is likely to surface within weeks. Given that the target audience for this exploit is highly specific — networks running App Control with Managed Installer — it may not attract broad commodity malware interest. Instead, it could be weaponized for targeted intrusions against governments, financial institutions, and defense contractors that rely heavily on application whitelisting.
A historical lens on Windows Application Identity bugs
CVE‑2026‑45604 is not the first security hole in the Windows Application Identity service. Past vulnerabilities, such as CVE‑2020‑1700 and CVE‑2021‑27072, have demonstrated that AppIDSvc, despite its small attack surface, can be a goldmine for information disclosure. Each incident has led to incremental hardening, and the 2026 fix continues that trend. However, the recurrence suggests that the service’s design might benefit from a deeper architectural review — perhaps by moving sensitive policy processing into a more isolated, kernel‑mode component or by leveraging virtualization‑based security (VBS) enclaves.
Steps for Windows enthusiasts and home users
For Windows enthusiasts and home users who have tinkered with Application Control policies via tools like WDAC Wizard, this vulnerability serves as a reminder that App Control is a powerful but double‑edged sword. If you have enabled Managed Installer for a custom software updater (e.g., Chocolatey, Winget with custom trust), you should apply the June 2026 update immediately. Once patched, consider reviewing your App Control policies to ensure Managed Installer rules are as narrow as possible. Never use wildcard paths or “Allowed: All” signatures for managed installers, as these choices would amplify the impact of any future information disclosure.
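The policy review recommended above can be automated. The script below is an added example, not code from the article or from Microsoft: it parses a constructed AppLocker policy fragment (managed installer rules live in the AppLocker "ManagedInstaller" rule collection) and flags exactly the two over‑broad patterns the text warns against, wildcard file paths and publisher rules that accept any publisher or product. The sample policy, its rule names and the function name are assumptions made for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy for the demonstration (not a real deployment's policy).
# Rule 1 is tightly scoped; rules 2 and 3 are the kinds the article says never to use.
SAMPLE_POLICY = """<AppLockerPolicy Version="1">
  <RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="1" Name="Intune agent" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
                                ProductName="MICROSOFT INTUNE MANAGEMENT EXTENSION" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="2" Name="Any updater" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\\*" /></Conditions>
    </FilePathRule>
    <FilePublisherRule Id="3" Name="Any signed" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>"""


def audit_managed_installer_rules(policy_xml):
    """Return (rule name, reason) pairs for managed installer rules that are too broad.

    Only the ManagedInstaller rule collection is inspected; other AppLocker
    collections (Exe, Dll, Script, ...) are outside the scope of this check.
    """
    findings = []
    root = ET.fromstring(policy_xml)
    for coll in root.iter("RuleCollection"):
        if coll.get("Type") != "ManagedInstaller":
            continue
        for rule in coll:  # each child is one FilePathRule / FilePublisherRule / FileHashRule
            name = rule.get("Name") or rule.get("Id", "?")
            for cond in rule.iter("FilePathCondition"):
                path = cond.get("Path", "")
                if "*" in path:  # any wildcard lets an attacker-dropped file match
                    findings.append((name, f"wildcard path {path}"))
            for cond in rule.iter("FilePublisherCondition"):
                if cond.get("PublisherName") == "*":  # "any publisher" == any signed binary
                    findings.append((name, "any publisher accepted"))
                elif cond.get("ProductName") == "*":  # whole publisher, not one product
                    findings.append((name, "any product from publisher accepted"))
    return findings
```

Run it against the XML exported by Get-AppLockerPolicy to list rules worth tightening to an explicit publisher/product pair or a file hash.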
What’s next for App Control for Business?
Microsoft is actively evolving its application trust architecture. At Build 2026, the company teased “Smart Managed Installer” that uses cloud‑based reputation and machine learning to dynamically authorize installers, reducing reliance on static, on‑device policy. While such advancements are promising, the vast majority of current deployments rely on the traditional XML‑based policy model. CVE‑2026‑45604 underscores the need for organizations to keep that policy tightly scoped and to layer additional security controls — endpoint detection and response (EDR) systems can detect anomalous behavior even from “trusted” processes.
Conclusion
CVE‑2026‑45604 may not carry a Critical severity rating, but for security‑conscious enterprises using Windows App Control for Business, it represents a chink in the armor of a key defensive technology. The information disclosure could give attackers the intelligence they need to circumvent application whitelisting — the very purpose of which is to block untrusted code. By releasing the patch as part of the June 2026 Patch Tuesday, Microsoft has given defenders the tool to close that gap. The priority now is rapid deployment, coupled with a review of Managed Installer policies to ensure they follow the principle of least privilege.
As always, staying current with Windows updates is the single most effective measure against known vulnerabilities. For organizations that have not yet enabled automatic updates via Group Policy or Microsoft Intune, CVE‑2026‑45604 is another argument in favor of doing so. The patch is ready; the ball is in the administrators’ court.