The July 14, 2026 cumulative update for Windows 11 version 23H2, KB5099414, arrived with a solid list of security fixes and targeted repairs for some bothersome bugs that slipped in with June’s patches. The build bumps to 22631.7376, and while it’s mandatory, its scope is narrower than many headlines have suggested. If you were looking forward to a quieter Widgets panel or a new screen tint feature, you won’t find them here—those improvements belong to a different Windows release.

What’s Actually Inside KB5099414

This update is first and foremost a security release, delivering the July 2026 Patch Tuesday protections for Windows 11 23H2. Microsoft’s broader Patch Tuesday this month was unusually large, with BleepingComputer counting 570 corrected vulnerabilities across the company’s product portfolio, including three zero-days, two of which were reportedly under active exploit. The specific fixes bundled into KB5099414 cover the Windows components relevant to version 23H2, but the full 570 figure does not apply to this update alone.

More conspicuously, KB5099414 rolls up the quality fixes from the June 9 update KB5093998 while quietly mopping up several regressions that the June patch introduced itself. The most disruptive of these involved OLE Automation. Third-party applications that use OLE to launch Microsoft Office or open documents began failing after June’s update. KB5099414 corrects that failure, potentially restoring document workflows used by line-of-business software and legacy integrations.

File Explorer receives a targeted OneDrive repair. After the June update, the OneDrive shortcut could stop working when File Explorer was launched with administrative privileges. That’s now fixed. Microsoft also straightened out a confusing Recycle Bin bug: when a user permanently deleted a file, the confirmation dialog was displaying an internal Recycle Bin filename rather than the file’s original name—cosmetic, but making it hard to verify what was about to vanish.

Under the hood, Microsoft changed hotkey unregistering and cleanup behavior. The company warns that, in rare cases, built-in Windows experiences depending on the old lifecycle may temporarily stop responding to certain shortcuts. Restarting the affected application should normally restore them; persistent cases should be reported through Feedback Hub.

Networking hardening is more likely to trip up admins. The update enforces new requirements around Transport Driver Interface (TDI) registration. Applications that use sockets over unregistered third-party TDI transports may stop working after KB5099414 is installed. Properly registered transports are unaffected. TDI is a legacy interface, but older security agents, network filters, and specialized enterprise software can retain dependencies. Administrators should include networking and endpoint tooling in their validation rings, particularly where vendors supply kernel-level components.

Microsoft also bumped the in-box curl version to 8.21.0, reducing exposure to issues in older builds without requiring users to maintain a separate copy. For Remote Desktop, the update adds support for SHA-2 certificate thumbprints for trusted RDP publishers, with SHA-1 remaining available only for backward compatibility and planned for eventual removal. Organizations that sign or distribute .rdp files should begin moving trusted publisher configurations to SHA-256 or stronger algorithms.

The Secure Boot certificate transition continues. KB5099414 adds more device-targeting data so that Microsoft can distribute replacement certificates to a broader set of consumer PCs and non-managed business devices gradually. Computers that have not yet received the newer certificates should continue to boot normally. However, deployment teams servicing Windows installation media must ensure that dynamically updated images include the appropriate boot.stl file, which participates in Secure Boot validation. Omitting it may lead to boot failure with error 0xc0430001. Microsoft recommends using its Update WinPE script or copying boot.stl manually from the corresponding Windows\Boot\EFI directory into the installation media.

The Missing Feature List—and Why It Matters

Some initial reports, including those from WinCentral, suggested that KB5099414 brought a host of new features: a redesigned, less intrusive Widgets experience; a new Screen Tint accessibility option; direct Magnifier zoom controls; File Explorer quick actions when hovering over files; Bluetooth reliability improvements; and changes to Phone Link calling behavior. But if you’ve installed the update on a 23H2 machine, you won’t see any of these. According to Microsoft’s official release notes for KB5099414, none of these features are part of the package.

The confusion stems from Microsoft’s multi-branch update cadence. Those headline features were documented in the June 23 preview update KB5095093, which applies to Windows 11 versions 24H2 and 25H2—not to the aging 23H2. The two releases have now diverged significantly. While the preview notes often preview what will later land in the next month’s security update for the same version, different Windows 11 versions now receive separate cumulative packages and do not necessarily gain features on the same schedule. So a KB number, OS build, and supported version must be considered together to determine what actually changes.

For anyone still on Windows 11 23H2, this means July’s update is a security and reliability release, not a late feature expansion. The Widgets, accessibility, and File Explorer enhancements remain exclusive to newer Windows 11 builds.

Who Needs to Act, and How

Most home users on Windows 11 23H2 are already past end of servicing—Home and Pro editions reached end of updates on November 11, 2025. Only Enterprise and Education editions remain supported, and they have until November 10, 2026. If you’re an individual still running 23H2 Home or Pro, you won’t even receive KB5099414 through Windows Update unless you’re on a managed enterprise ring. Upgrading to a supported version (24H2 or newer) should be your priority.

For IT administrators managing Enterprise or Education fleets, the clock is ticking. With less than four months until the 23H2 end-of-support date, migration planning is just as important as deploying July’s patch. As you test KB5099414, focus on:
- OLE Automation and Office integration in line-of-business apps.
- TDI-dependent security or networking tools.
- Custom Windows installation images: ensure boot.stl is present to avoid boot failures.
- RDP publisher configurations: plan a move to SHA-256 certificates.

Microsoft says it is not currently aware of any issues specifically affecting KB5099414, but that status can change. Managed environments should continue monitoring Windows release health and their own telemetry after rollout.

How We Got Here: A Rocky June and a Critical July

June’s security update, KB5093998, introduced several regressions that visibly disrupted workflows—Office OLE failures, OneDrive shortcut glitches, and the Recycle Bin naming bug. Those sparked user reports and eventually forced corrective action in July. The sheer volume of Patch Tuesday fixes this month underscores a broader security scramble. As BleepingComputer reported, the 570 total vulnerabilities across Microsoft products included three zero-days, with two actively exploited. While most of those flaws didn’t affect Windows 11 23H2 directly, the cumulative effect puts pressure on organizations to patch swiftly.

Meanwhile, the Windows 11 version landscape has become more fragmented. 23H2 is now in its final months; 24H2, 25H2, and even 26H1 are on newer codebases with different update schedules. That’s why the same KB number can mean very different things depending on which version you’re running.

What To Do After Installing KB5099414

  1. Verify installation. Head to Settings > Windows Update > Update history, or run winver and confirm build 22631.7376.
  2. Test critical workflows. If your organization depends on OLE Automation for Office, run through document-launching scenarios. For networking, check any legacy security software that might rely on TDI.
  3. Update deployment images. If you service offline media or task sequences, include the correct boot.stl file for Secure Boot. Use Microsoft’s Update WinPE script or manually place the file from Windows\\Boot\\EFI.
  4. Configure RDP settings. Start migrating RDP publisher certificates to SHA-256 and apply Group Policy to control which .rdp files users can open, reducing phishing risks.
  5. If hotkey issues appear, restart the affected application. If problems persist, file a report through Feedback Hub.
  6. For home users on unsupported versions, move to Windows 11 24H2, 25H2, or later via a clean install or upgrade path.

What Comes Next

With Windows 11 23H2 support ending on November 10, 2026, this is one of the last cumulative updates for the edition. Future patches for Enterprise and Education will likely remain security-only, with no feature additions. The spotlight now shifts to the newer 24H2 and 25H2 branches, which are set to receive the features that users may have wrongly expected this month. Organizations still clinging to 23H2 have a shrinking window to validate and migrate—and Patch Tuesday won’t wait.