Microsoft dropped the largest monthly security update in its history on July 14, 2026, shipping fixes for a staggering 570 vulnerabilities—a number that demolishes the previous high of 206 set just a month earlier. Buried inside that mountain of patches are three zero-day flaws: two already under active attack against on-premises SharePoint Server and Active Directory Federation Services, and a third that lets anyone with physical access bypass BitLocker drive encryption.
The sheer scale redefines what IT teams should expect from a Patch Tuesday. This was not a routine maintenance window; it was a stress test for vulnerability management processes that will now become the norm.
What actually landed on your machines
The canonical client-side update is KB5101650, available for Windows 11 24H2 and 25H2. Installing it advances systems to builds 26100.8875 and 26200.8870 respectively. Microsoft’s support documentation confirms this cumulative package also includes the non‑security fixes from June’s preview release, but the security story is what demands attention.
The overall CVE count depends on who’s counting. BleepingComputer and others tallied 570; SecurityWeek and the Zero Day Initiative counted 622. The difference is methodological: researchers sometimes bundle related advisories, product variant fixes, Chromium‑related patches, or shared CVEs differently. For IT pros, the practical takeaway is unchanged—July is a monumental cycle, not a routine one.
Among the hundreds of fixes, 61 were rated critical. That alone would be a busy month. On top of that sit the three zero‑days that shift the urgency from important to immediate.
The two actively exploited flaws target enterprise infrastructure, not generic Active Directory
CVE-2026-56155 is an elevation-of-privilege vulnerability in Active Directory Federation Services. AD FS is often casually lumped into “Active Directory” talk, but it’s a distinct federation role that signs and issues authentication tokens for applications that trust it. If an attacker compromises an AD FS server, they can forge tokens and impersonate users across a whole ecosystem of integrated apps. It is not just another domain controller problem.
CVE-2026-56164 lives in Microsoft Office SharePoint Server, also an elevation-of-privilege bug. Both were marked “exploitation detected” before the July release, according to reports from BleepingComputer and The Hacker News. Organizations operating on‑premises SharePoint farms—particularly those reachable from the internet or woven into sensitive document workflows—should treat this as an emergency.
Microsoft hasn’t published step-by-step attack details, standard practice when exploitations are ongoing. That doesn’t lower the risk; it signals that active attacks are still possible. The “exploited” label alone is enough to push both patches to the front of the deployment line.
There’s an extra complication: SharePoint Server 2016 and SharePoint Server 2019 reached end of support on July 14, 2026—the same day the patch arrived. NHS England’s cyber advisory flagged this. Any organization still running those versions now faces a perfect storm: a high‑priority zero‑day fix that officially doesn’t exist for their installed software. Migration or extended support contracts become urgent.
The BitLocker bypass rewrites the physical‑access threat model
The third zero‑day, CVE-2026-50661, is a Windows BitLocker security feature bypass vulnerability. Unlike the other two, Microsoft says it isn’t aware of active exploitation—but the bug was publicly disclosed before a fix existed, meaning attackers had a head start. The attack requires physical access, but that’s precisely the scenario BitLocker is designed to protect against.
For a desktop bolted under a receptionist’s desk, the risk might be manageable through ordinary physical security. For a corporate laptop left in a hotel room, a tablet on a retail floor, a field technician’s portable machine, or a device headed for disposal, the exposure is real. Once someone can touch the hardware, this bypass lets them read encrypted drives as if they were unlocked. Organizations should patch it quickly, verify that BitLocker recovery keys are properly escrowed, and never treat encryption as a replacement for physical controls.
What it means for you
The impact splits along user roles:
For home users and small businesses: Install KB5101650 via Windows Update now. The BitLocker fix matters if you store sensitive personal files on a laptop that travels. The AD FS and SharePoint zero‑days are enterprise‑only concerns; if you don’t run those servers, they don’t affect your desktop. The update also brings welcome quality‑of‑life fixes: Windows Widgets will no longer fly open when you hover over the taskbar icon, File Explorer mounts virtual drives faster and handles network paths with double backslashes correctly, Bluetooth pairing with Apple AirPods is quicker, and printer setup now defaults to the more reliable Internet Printing Protocol. You can also pause updates until a specific date using a new calendar picker—handy if you need to delay a restart without guessing generic timeframes.
For IT administrators and enterprises: This is a risk‑based sequencing exercise, not an all‑or‑nothing panic.
- AD FS owners: Identify every federation server immediately. Patch them first, then audit exposure and privileged‑access pathways. An exploited AD FS server can issue forged tokens silently; you may not know you’re compromised until long after the fact.
- On‑premises SharePoint admins: Prioritize CVE-2026-56164, especially for internet‑facing farms or ones holding sensitive data. If you’re still on SharePoint Server 2016 or 2019, immediately assess your migration path or extended support options—these products are now unsupported, and the July patch does not apply.
- Client deployment teams: Roll out KB5101650 through normal pilot rings, but add targeted testing for legacy applications that use unregistered third‑party TDI transports. Microsoft now enforces TDI registration rules, and some old security tools, industrial software, or internally built apps that hook into the Windows network stack may break. This is exactly the kind of thing a staging group catches.
- Endpoint security teams: Treat the BitLocker bypass as a priority for mobile and remote devices. Run a spot check to confirm recovery keys are accessible in Active Directory or Azure AD, and review physical‑asset handoffs for decommissioned drives.
Microsoft also noted that KB5101650 may be temporarily unavailable for a subset of Dell PCs with Intel processors due to potential shutdowns, heat, and battery drain. If a target machine doesn’t offer the update, don’t force‑install it—wait for the safeguard removal.
How we got here: AI‑speed discovery and a shifting patch cadence
July’s record didn’t materialize overnight. In May, Microsoft’s security blog introduced MDASH—a “multi‑model agentic scanning harness” that uses AI to hunt for real vulnerabilities, reduce false positives, and handfindings to engineers faster. That system helped researchers uncover 16 vulnerabilities in Windows networking and authentication components then, and it’s now ramping up.
This has encouraged a simple narrative: AI found hundreds more bugs, so Patch Tuesday exploded. The evidence isn’t that tidy. Microsoft hasn’t said MDASH alone produced the 570‑count haul. A massive CVE total can also reflect expanded code review, broader product coverage, coordinated disclosures from third parties, and differences in how CVEs are counted. Still, the operational direction is unmistakable. If Microsoft’s discovery capacity rises, enterprises must accept that vulnerability management will become more continuous, not easier. Larger patch volumes mean denser update packages, heavier validation workloads, and less room for a “wait and see” posture.
Just look at the trajectory: 164 CVEs in April, 206 in June, and now 570 (or 622) in July. Even without AI, the trend was upward. With AI‑assisted scanning fully integrated, Patch Tuesday is becoming a serial event rather than a monthly chore.
What to do now
1. Prioritize the actively exploited zero‑days.
- AD FS servers: Patch immediately. If you can’t patch right away, reduce the server’s attack surface—disable unused endpoints, restrict network access, and review token‑signing certificate hygiene.
- SharePoint Server: Apply the update to all farms. If you’re still on 2016 or 2019, prioritize migration or purchase extended security updates (ESUs) if available; without them, those versions remain exposed indefinitely.
2. Deploy the Windows client cumulative update.
- Home users: Windows Update, check for updates, install KB5101650. Reboot.
- Businesses: Phased rollout. Pilot group first, test TDI‑compatible applications (legacy networking tools, old VPN clients, industrial software). Watch for reports of Bluetooth or File Explorer regressions, though Microsoft lists no known issues as of publication.
3. Harden BitLocker protections.
- Push the update to portable devices with elevated priority.
- Verify recovery keys are backed up in Active Directory or Azure AD.
- Remind staff to physically secure laptops and tablets in public spaces.
4. Audit and remediate any Dell Intel blocks.
- Check Windows Update for affected Dell systems. If the update is missing, don’t force it. Wait for Microsoft and Dell to resolve the safeguard.
5. Revisit your patch management cadence.
- The era of deferring patches for weeks of testing is shrinking. Build the muscle for faster validation and deployment. Use the new “pause until date” picker strategically to schedule reboots around critical business hours, but don’t let it become a permanent snooze button.
Outlook
July 2026 isn’t an anomaly; it’s a preview. Microsoft’s AI‑driven vulnerability discovery is producing more findings, and that translates into larger, more frequent security updates. For IT teams, this means accepting a faster heartbeat for patch deployment, with less time between validation and rollout. The upside is that bugs are getting fixed before criminals find them—the MDASH system is shortening the window for zero‑day exploitation. The trade‑off is a heavier operational burden that requires smarter automation and risk‑based prioritization.
Watch for the next Patch Tuesday: if the numbers stay high, the industry will need to rethink traditional deployment cycles. For now, focus on the two exploited zero‑days and the BitLocker bypass, and treat the rest of July’s record haul as a drill for what’s coming next.