Microsoft shipped the July 2026 cumulative update for Windows 11 on Tuesday, delivering a fix for a widely reported Office automation bug while simultaneously removing the safety net from organizations that have not yet migrated away from RC4-based Kerberos authentication. The update, KB5101650, brings Windows 11 25H2 to build 26200.8870 and 24H2 to build 26100.8875, and includes the month’s security patches along with several quality-of-life changes. For IT administrators, the biggest headline isn’t the bug fix—it’s the fact that Microsoft has ended the audit mode for RC4 Kerberos hardening, meaning legacy systems that still rely on the deprecated encryption will now start failing.
What’s Inside KB5101650
The July update bundles a wide range of fixes and enhancements. Here’s a quick look at what’s new:
- Office automation regression fixed: Third-party apps that use OLE Automation to control Word, Excel, or other Office programs will work again after being broken by the June security update.
- RC4 Kerberos audit mode removed: Active Directory environments that still depend on RC4-based Kerberos service tickets may encounter authentication failures because the temporary fallback is gone.
- TDI transport registration enforced: Unregistered third-party Transport Driver Interface (TDI) transports are now blocked, which could break old security software or industrial applications.
- RDP trusted publishers move to SHA-2: SHA-256 thumbprint support is now required; SHA-1 remains only for backward compatibility and will disappear in a future release.
- Curl tool upgraded: The built-in curl utility jumps to version 8.21.0, which may affect scripts that parse its output.
- Secure Boot certificate rollout continues: More devices are now eligible to receive replacement Secure Boot certificates automatically, addressing the June 2026 certificate expirations.
- AI components updated: Copilot+ PCs get updates to Image Search, Content Extraction, Semantic Analysis, and Settings Model (version 1.2605.856.0).
- Lifecycle reminder: Windows 11 24H2 Home and Pro editions reach end of servicing on October 13, 2026.
Microsoft says the update is available through Windows Update, Windows Update for Business, the Microsoft Update Catalog, and WSUS. The company currently reports no known issues, but administrators have several compatibility changes to assess before broad deployment.
RC4 Kerberos Audit Mode Is Gone — What That Means for Your Network
The most consequential change sits outside the desktop-facing fixes. According to a Windows message center post, Microsoft’s July 2026 security updates complete the enforcement phase for CVE-2026-20833. Since January, administrators were warned to audit their environments for RC4-based Kerberos tickets. In April, Microsoft changed the default ticket encryption behavior, but kept an audit mode available as a temporary safety valve. July’s update removes that audit mode entirely.
Organizations that still run services relying on RC4 for Kerberos authentication will now face hard failures after domain controllers are updated. This isn’t limited to old Windows systems—storage appliances, Unix or Linux services joined to Active Directory, Java applications, identity products, and any non-Windows Kerberos implementation could be affected. Service accounts that lack explicit encryption type settings are particularly vulnerable.
For IT teams, the clock has already run out. You need to check the System event log for Kerberos events and identify accounts that still request RC4 tickets. Setting AES encryption types for those accounts and testing with affected applications is urgent. If you haven’t done this audit yet, July’s update will make the problem visible the hard way.
The Office Automation Fix: Why Your Business Apps Broke (and How to Unbreak Them)
The June 9, 2026 security update (KB5094126) introduced a nasty regression: third-party applications using OLE Automation to launch or control Microsoft Office suddenly stopped working. That broke countless line-of-business tools that generate Word reports, populate Excel workbooks, produce invoices, or open Office documents programmatically. Users could still open Word from the Start menu, but the automation workflows behind the scenes failed silently.
KB5101650 fixes this issue. Organizations that put a hold on the June update because of the Office problem can now test and deploy July’s cumulative update instead. Microsoft recommends installing KB5101650 as the supported resolution. If you’re maintaining custom code or vendor apps that depend on OLE Automation, plan to roll out this update as soon as testing confirms the fix.
Hardening That Could Catch You Off Guard: TDI Transports, RDP Thumbprints, and Curl
Beyond the headline changes, KB5101650 includes three hardening improvements that may disrupt older software or configuration habits.
TDI Transport Registration Enforcement
TDI is a legacy networking architecture that hasn’t seen mainstream use in years, but it still lurks in some industrial control systems, old security agents, and proprietary protocol stacks. With this update, Windows blocks sockets that use an unregistered third-party TDI transport. If an application stops working after patching, this enforcement could be the culprit. Registered transports are fine, but anything that survived through in-place upgrades without proper registration is now at risk.
RDP Publishers: Time to Ditch SHA-1
Windows now supports SHA-2 certificate thumbprints for trusted Remote Desktop publishers, while SHA-1 support remains strictly for backward compatibility—and it’s scheduled for removal. If your organization distributes signed .rdp files or uses Group Policy to control trusted publishers, you need to update those policies to SHA-256 thumbprints. Waiting means your connection files could generate warnings or get blocked entirely once SHA-1 support is dropped.
Curl Upgrade
The bundled curl tool moves to version 8.21.0. Because curl is used by scripts, installers, and automation pipelines, any tooling that parses its output or relies on a specific version will need regression testing. This is a low-risk change for most, but it’s worth noting in patch validation checklists.
A Checklist for IT Administrators
If you manage Windows 11 endpoints or domain controllers, here’s what you should do now:
- Audit Kerberos for RC4 dependencies. Scan event logs, check service account encryption types, and migrate to AES. Test all non-Windows Kerberos clients.
- Triage TDI-dependent software. If you run legacy security agents, network clients, or custom protocol stacks, verify they still work after the update. Contact vendors if they break.
- Update RDP publisher thumbprints. Replace any SHA-1 thumbprints in Group Policy or .rdp files with SHA-256. Test distributed connection files.
- Rebuild deployment media with correct boot.stl. If you maintain Windows installation images, ensure the boot.stl file from the same update is present; otherwise, media may fail with error 0xc0430001.
- Validate curl-dependent scripts. Check automation that parses curl output for compatibility with version 8.21.0.
- Lift the June update hold. If you paused KB5094126 due to the Office automation bug, KB5101650 contains the fix. Test your Office-dependent applications and deploy.
- Plan for Windows 11 24H2 Home/Pro end of life. Those editions stop receiving updates on October 13, 2026. Begin migrating to 25H2 now.
Home and Pro Users: Your Windows 11 24H2 Clock Is Ticking
While the Kerberos and TDI changes mainly affect enterprises, there’s a critical deadline for consumers and small businesses running Windows 11 24H2 Home or Pro. After October 13, 2026, Microsoft will stop delivering security updates, bug fixes, and time zone updates for these editions. Enterprise and Education versions are safe until October 2027, but Home and Pro users have about three months to move to an in-support release like Windows 11 25H2.
Microsoft’s advice is straightforward: upgrade to the latest version of Windows 11. The July update doesn’t force that move, but it’s a timely reminder to check your edition and plan accordingly. The upgrade should appear automatically through Windows Update for eligible devices once you’re ready.
Secure Boot Certificates and AI Components
Two other under-the-hood changes round out the July release. First, Microsoft is expanding the pool of devices that automatically receive replacement Secure Boot certificates. The original certificates started expiring in June 2026, but unpatched devices still boot and receive updates. The risk is long-term: recovery media or boot components could eventually fail validation. The rollout remains gradual, so this update adds more “high confidence” targeting data to the deployment logic.
Second, Copilot+ PCs get updated AI components to version 1.2605.856.0. These packages—covering Image Search, Content Extraction, Semantic Analysis, and the Settings Model—only apply to that specific hardware and are silently installed as part of the cumulative update. Conventional Windows PCs won’t see them.
What to Watch Next
July’s update is a clear signal: Microsoft is done with temporary grace periods on legacy cryptography and networking interfaces. The October 13 deadline for 24H2 Home and Pro will force a large wave of upgrades, and future cumulative updates will almost certainly continue the push away from SHA-1 and RC4. IT administrators should treat this cycle as a dress rehearsal for the next round of hardening—audit, test, automate, and never rely on a fallback that’s on the removal list.