Microsoft shipped its July 2026 Patch Tuesday update for Windows 10 on Tuesday, and the cumulative package carries an urgent fix for a regression that has been breaking applications since June. KB5099539 also introduces SHA-2 support for Remote Desktop publisher certificates, expands deployment of new Secure Boot certificates, and hardens the operating system against outdated network transports.

What Actually Changed

The update pushes Windows 10 version 22H2 to build 19045.7548 and version 21H2 to 19044.7548. It bundles servicing stack update KB5104021, which bumps that component to 19041.7546 and refines Azure hosting detection.

The most significant repair targets an OLE Automation issue introduced by the June 2026 security update KB5094127. Applications using IDispatch::Invoke to call COM methods with BYREF parameters that pointed to the same memory location could fail with marshalling errors or automation call failures. According to Microsoft’s advisory, the problem stemmed from incorrect parameter ownership handling in oleaut32.dll. The July update corrects that logic, restoring expected behavior for affected programs.

Other reliability fixes include a correction for File Explorer’s OneDrive shortcut, which would break when Explorer ran with administrative privileges. The Recycle Bin no longer shows internal file names in the permanent-delete confirmation prompt—a confusing glitch that could make users doubt what they were removing. Hotkey handling has been tightened, with Microsoft warning that some built-in Windows experiences may temporarily stop responding to certain keyboard shortcuts after installation. Restarting the app usually clears that up, and the company asks users to report persistent problems via Feedback Hub.

On the security side, Secure Boot gets dynamic status reporting inside Windows Security, giving users and admins a clearer view of certificate trust states. Microsoft has added “high confidence” targeting data, which means more PCs are now eligible to receive the replacement Secure Boot certificates automatically. Deployment will continue across consumer and non-managed business devices over the coming months. The company also flagged a potential pitfall for IT teams maintaining installation media: dynamically serviced images must include a correct boot.stl file that matches the Windows version and architecture. Omitting it can prevent media from booting and trigger error 0xc0430001.

The update enforces registration requirements for Transport Driver Interface transports. Applications that rely on sockets over unregistered third-party TDI transports may lose network access. Microsoft frames this as security hardening, not an optional compatibility tweak, so the onus is on organizations to verify that legacy network software uses properly registered transports. Registered TDI transports are unaffected.

Remote Desktop gets support for SHA-2 certificate thumbprints for trusted RDP publishers. SHA-1 remains available for backward compatibility, but its removal is now on Microsoft’s roadmap. Admins can manage RDP file trust through Group Policy, and the company recommends migrating to SHA-256 thumbprints as soon as possible to guard against phishing attacks that use malicious .rdp files.

What It Means for You

For home users and small businesses, the update mostly fixes nagging annoyances: the OneDrive shortcut works again in elevated File Explorer, the Recycle Bin confirmation is sane, and COM-based applications that suddenly stopped working in June should recover. If you rely on an older finance app, a custom ERP system, or an Office macro that broke last month, KB5099539 is likely the cure.

The TDI transport lockdown is a bigger deal in industrial environments or anywhere an ancient network driver or security product still runs. After installing the update, an application might simply lose its network connection. This won’t affect modern software, but it could blindside administrators who haven’t audited their TDI dependencies. The hotkey change is unlikely to cause widespread trouble, but power users and IT pros who notice a keyboard shortcut refusing to work should restart the problematic app before escalating.

For Windows 10 users on version 22H2, there’s an important gate: Microsoft ended free support for that edition on October 14, 2025. To receive KB5099539 through Windows Update, a consumer or business PC must now be enrolled in the Extended Security Updates (ESU) program. Without an active ESU license, the update won’t appear. However, Windows 10 Enterprise LTSC 2021 and IoT Enterprise LTSC 2021 are still in support (until January 12, 2027 and January 13, 2032, respectively) and receive the update automatically through normal channels.

The RDP SHA-2 move is a forward-looking change that mainly affects enterprises managing signed .rdp files. If your organization distributes RDP configuration files with trusted publisher settings, you should inventory any SHA-1 thumbprints in use and plan a transition. Microsoft hasn’t set a date for removing SHA-1, but the announcement is a clear signal that a deadline is coming.

How We Got Here

The June 2026 security update, KB5094127, made changes to OLE Automation that inadvertently broke BYREF parameter handling. The exact cause? Microsoft’s advisory says Windows wasn’t correctly managing parameter ownership. The fallout rippled through COM-dependent applications—a large and quiet category that includes many line-of-business tools, scripting environments, and even some Office integrations. The July update is essentially a rollback of that specific behavioral change.

Secure Boot certificate renewal has been unfolding since mid-2026, as original signing certificates neared expiration. Microsoft has been methodically expanding the pool of devices that can auto-magically get the new certs, and KB5099539 is another step in that campaign. The boot.stl warning stems from the fact that that file is checked during Secure Boot; if it’s missing or mismatched, the system refuses to start.

TDI transport hardening is part of a broader push to prune ancient networking APIs that can be exploited. TDI dates from the Windows NT 4.0 era, and any application still relying on an unregistered transport has been running on borrowed time for years. The July update simply calls that debt.

RDP’s pivot from SHA-1 to SHA-2 follows the same pattern as other Windows components: the older hashing algorithm is now too weak to trust against sophisticated phishing. Signed .rdp files are used by IT departments to give employees one-click access to session hosts, so ensuring those signatures resist tampering is critical.

What to Do Now

First, confirm your eligibility. If you’re on Windows 10 22H2 and not in the ESU program, you will not get this update through Windows Update. Microsoft’s ESU documentation explains how to enroll. For LTSC users, the update should arrive automatically unless your update policies block it.

Before deploying, especially in business environments, test on a representative sample of machines. Pay special attention to:

  • Legacy line-of-business applications that use COM automation. If June’s patch broke something, this update should fix it; but testing is still prudent.
  • Software that depends on third-party TDI transports. Use netstat or network monitoring to see if any application’s connectivity vanishes.
  • Your RDP publisher infrastructure. Check existing .rdp file signatures. Start adding SHA-256 thumbprints to Group Policy.
  • Secure Boot status. Review Windows Security to ensure your devices are on track for certificate renewal. If you maintain custom installation images, verify that boot.stl is present and correct.

For home users, the simplest path is to let Windows Update handle it, assuming your PC is enrolled in ESU. If OneDrive in File Explorer or COM apps were broken, you should notice immediate improvement.

The update is available through Windows Update for eligible devices, the Microsoft Update Catalog for standalone download, and WSUS/Windows Update for Business for managed fleets. WSUS admins should sync the “Windows 10, version 1903 and later” product category for version 22H2, or “Windows 10 LTSB” for 21H2 LTSC.

Microsoft currently lists no known issues with KB5099539, which is a clean bill of health—but the TDI and hotkey caveats constitute de facto known behaviors, so treat them as such.

Outlook

KB5099539 is a mid-summer maintenance package that fixes more than it breaks—assuming you’re still in the Windows 10 ESU lane. The OLE Automation repair will be welcome relief for IT shops that spent a month wrangling broken automations. The RDP SHA-2 support plants a flag for a future where weaker hash algorithms are blocked, and the TDI hardening reminds everyone that Windows 10’s long tail still carries legacy risk.

Looking ahead, the Secure Boot certificate rollout will continue in stages, and Microsoft will likely announce a concrete SHA-1 deprecation date for RDP within the next several months. For now, the advice is consistent: patch, test, and start retiring SHA-1 thumbprints and unregistered TDI transports while you still have time.