Microsoft delivered cumulative update KB5099539 to Windows 10 Extended Security Updates (ESU) and LTSC systems on July 14, 2026—the July Patch Tuesday—patching a disruptive OLE Automation regression from June and enforcing registration requirements for legacy networking transports. The update brings Windows 10 22H2 to build 19045.7548 and Windows 10 21H2 to 19044.7548, with fixes for File Explorer, the Recycle Bin, and a play for stronger Remote Desktop trust.
What’s Inside KB5099539
The update lands with a broad set of repairs and security hardening, as detailed in Microsoft’s support bulletin and first reported by Windows Report. Here’s a breakdown of what changed.
OLE Automation regression fixed. The June 2026 security update introduced a compatibility issue in oleaut32.dll. Applications using IDispatch::Invoke to call COM methods with BYREF parameters sharing the same underlying storage could fail—producing parameter-marshaling errors or outright automation call failures. KB5099539 corrects parameter ownership handling, restoring expected behavior for legacy line-of-business software, Office integrations, and scripting tools.
File Explorer and OneDrive. The OneDrive shortcut stopped working when File Explorer ran with administrative privileges. This unusual but legitimate scenario—often needed for troubleshooting or file-management tasks—now functions correctly again.
Recycle Bin confirmation dialog. A persistent annoyance is squashed: When permanently deleting a file, the dialog used to display an internal Recycle Bin name instead of the original filename. That confusion is over.
Hotkey lifecycle changes. Windows now unregisters and cleans up hotkeys differently. In rare cases, built-in experiences may temporarily ignore certain keyboard shortcuts after the update. Restarting the affected app typically solves it; if not, Microsoft asks users to file feedback via the Feedback Hub.
Transport Driver Interface (TDI) enforcement. The update introduces security hardening that demands registration for third-party TDI transports. Applications using sockets over an unregistered transport may stop working. Registered transports are unaffected, but organizations relying on old security products, industrial software, or specialized network appliances should test immediately.
Remote Desktop (RDP) trusted publishers. Support for SHA-2 certificate thumbprints is here, with SHA-1 retained only for backward compatibility and flagged for future removal. IT admins should migrate to SHA-256 or stronger algorithms for .rdp file trust policies to avoid disruptions.
Secure Boot certificate delivery. Dynamic status reporting for Secure Boot states now appears in the Windows Security app. The update also expands high-confidence targeting data so more devices automatically receive replacement certificates, part of Microsoft’s ongoing rollout to handle expiring Secure Boot certificates that began in June 2026.
The cumulative package includes servicing stack update KB5104021 (version 19041.7546). Microsoft lists no known issues at release time.
Who Gets This Update
KB5099539 is not a universal Windows 10 fix. Free support for Windows 10 22H2 ended on October 14, 2025. Only devices enrolled in the Extended Security Updates program, or those running Windows 10 Enterprise LTSC 2021 or IoT Enterprise LTSC 2021, receive it. The 21H2 build (19044.7548) similarly applies only to supported LTSC editions.
If you’re on Windows 10 Home or Pro without ESU, this update won’t appear in Windows Update. For eligible systems, the update arrives through Windows Update, Windows Update for Business, WSUS, or the Microsoft Update Catalog.
How June’s Update Broke Automation
The OLE regression is more than a cosmetic bug. OLE and COM are embedded in countless business applications, from Excel macros to industrial control systems. After the June security update, organizations reported automation failures that ground workflows to a halt. Microsoft hasn’t shared the internal root cause, but the fix in KB5099539 indicates the parameter-sharing model was mishandled—a subtle change that cascaded into calling code.
Admins who patched quickly in June and got burned should validate this update against their affected workflows. If your testing shows the problem resolved, you can safely deploy. If not, you’ll need to dig deeper into application compatibility.
Legacy Networking Gets Locked Down
The TDI transport registration enforcement is the headline risk for specialized environments. TDI is an older Windows networking architecture. While modern software uses newer stacks, custom or legacy applications—often found on LTSC machines attached to manufacturing equipment, lab instruments, or proprietary appliances—may still install unregistered third-party transports.
After KB5099539, those apps will likely lose network access. The change is intentional: Microsoft wants to close a pathway that could be exploited. But for an administrator who didn’t even know a 20-year-old driver was lurking, the resulting outage could be a shock.
What to check
- Identify applications that install third-party network filters, transport drivers, or socket providers.
- Pilot the update on a representative device and verify network connectivity for critical apps.
- If a specialized tool stops working, review event logs and vendor documentation. The transport must be registered correctly—simply allowing it no longer works.
- Don’t assume that because a system appears up-to-date, it has no legacy networking. LTSC boxes often run ancient but essential software.
RDP Moves Toward Stronger Certificates
Trusted RDP publishers help control which .rdp files users can open without prompts. Phishing attacks often use malicious RDP files, so this is a security boundary, not just a convenience. KB5099539 now supports SHA-2 thumbprints for publisher trust; SHA-1 is deprecated but still works for now.
If your Group Policy Objects reference SHA-1 thumbprints, you should replace them with SHA-256 thumbprints. Microsoft plans to remove SHA-1 support entirely, and when that happens, only the new algorithm will keep your trusted publishers working. Organizations that distribute signed .rdp files internally need to update signing and trust processes in tandem.
Immediate Steps for Administrators
For those managing ESU or LTSC fleets, treat KB5099539 as a critical servicing event—not just another Patch Tuesday rollup. Here’s a practical checklist:
- Validate the OLE fix against applications broken by the June update. Deploy to pilot first.
- Audit legacy networking dependencies. Use tools like
sc query type= driver group= “NDIS”and review third-party filters. Check with vendors of industrial or scientific software. - Review RDP trusted publisher policies. Replace SHA-1 thumbprints with SHA-256. Test with updated .rdp files.
- Check Secure Boot status. The new reporting in Windows Security helps, but verify that your devices are receiving replacement certificates, especially if you maintain offline images.
- For offline imaging, ensure
boot.stlis present in installation media when applying dynamic updates, or you’ll face error 0xc0430001.
Windows 10 Enterprise LTSC 2021 is supported until January 12, 2027; IoT Enterprise LTSC 2021 extends into 2032. ESU subscriptions need renewal, so keep licensing current. KB5099539 is a reminder that Windows 10 security servicing continues—but only through explicitly paid channels.
The Road Ahead
Microsoft is narrowing Windows 10’s servicing footprint while still patching high-severity issues for paying customers. The TDI enforcement signals that more networking hardening is likely in future updates. The RDP SHA-1 deprecation timeline remains vague, but admins should act now rather than scramble later. For organizations stuck on Windows 10 due to legacy dependencies, each Patch Tuesday will bring a mix of fixes and new restrictions. Testing before deployment has never been more important.