Microsoft acknowledged on June 16, 2026, that Windows 11 update KB5094126, released June 9, 2026, for versions 24H2 and 25H2, causes Microsoft Office applications to fail when launched through third-party automation tools. The bug sent shockwaves through enterprise IT departments that depend on unattended Office processes for document generation, data extraction, and email distribution.
Initial reports hit Windows Sysadmin forums and Reddit within hours of the patch's rollout. Administrators described overnight batch jobs crashing, RPA workflows stalling, and critical business processes grinding to a halt. "Our entire invoice pipeline runs on an RPA tool that opens Excel templates via COM. After KB5094126, the Excel process just hangs and never appears," wrote one IT manager. The root cause: a security hardening change that altered how COM/OLE objects are activated in non‑interactive sessions.
The update is a mandatory cumulative patch addressing multiple vulnerabilities, including a critical remote code execution flaw in the Windows Print Spooler (CVE‑2026‑3178). Ironically, the security fix meant to protect systems has disrupted the very automation that keeps many businesses running.
The Technical Breakdown: OLE Automation Under Fire
Object Linking and Embedding (OLE) automation has been a cornerstone of Windows office integration since the 1990s. It allows scripts, .NET applications, and RPA platforms to create instances of Word, Excel, or Outlook and manipulate them programmatically. Under the hood, OLE relies on the Component Object Model (COM) and its distributed variant, DCOM, for inter‑process communication.
When a client application attempts to start an Office program via COM (e.g., Set objExcel = CreateObject("Excel.Application")), Windows checks launch and activation permissions based on the calling identity and the target session. Prior to KB5094126, an automation tool running as a service or under the SYSTEM account could successfully launch Office in a non‑interactive session—typically session 0, the isolated environment for system services. The update appears to have tightened these permissions, likely to prevent malicious lateral movement via DCOM, a technique favored by ransomware operators.
The result: launch requests from session 0 or from processes lacking an interactive window station now fail. Users report errors such as "Server execution failed" (0x80080005), "The remote procedure call failed and did not execute" (0x800706BF), or simply a hung process that never creates a Window. Crucially, launching Office interactively—by double‑clicking an icon or running a script in a logged‑in session—continues to work normally. The problem is confined to unattended execution, the backbone of enterprise automation.
Affected Windows Versions and Office Products
The bug explicitly impacts Windows 11 24H2 (build 26100) and 25H2 (the 2025 feature update, build 26600). For 24H2, KB5094126 bumps the build number to 26100.2400; for 25H2, it is 26600.1729. Windows 10 and older Windows 11 releases like 23H2 are not affected because the update was not offered to those versions, and the security hardening code likely targets the newer OS kernel.
Affected Office products span both subscription‑based Microsoft 365 Apps and perpetual versions (Office 2016, 2019, 2021). Both Click‑to‑Run and MSI installations are vulnerable, indicating the change is not in Office itself but in the Windows COM infrastructure. Popular automation platforms known to suffer include UiPath, Automation Anywhere, Blue Prism, Power Automate Desktop (when using UI automation to launch Office), and custom PowerShell or VBScript solutions.
Immediate Business Impact
The fallout has been swift and severe. A mid‑sized manufacturing company reported that its automatic packing‑slip generator—an Excel COM automation that had run flawlessly for five years—failed, delaying shipments by two days. A healthcare provider’s patient‑record merging system, which populates Word templates via OLE, ceased functioning, postponing appointment letters. A law firm’s document‑assembly scripts required staff to manually copy data, leading to overtime expenses.
One IT consultant described the scramble: "We have a dozen servers that run SQL Agent jobs calling SSIS packages which in turn use Excel automation to produce reports. After the patch, everything red‑lined. We had to roll back the update on those servers immediately, but doing so removes critical security patches." That precise dilemma—security versus productivity—defines the current state of the incident.
Official Acknowledgment and Limited Workarounds
Microsoft’s known‑issues note for KB5094126 reads: "After you install this update, you might have problems when you use certain non‑Microsoft automation tools to open Microsoft Office apps. This issue occurs because the update changes how COM objects are activated to improve security." The company suggests shifting to Office JavaScript APIs or Microsoft Graph API, or temporarily uninstalling the update.
Uninstalling KB5094126 is straightforward via Settings > Windows Update > Update History > Uninstall Updates, or with the command wusa /uninstall /kb:5094126. However, doing so re‑exposes systems to the vulnerabilities the patch addressed. For regulated industries, this is a non‑starter. Other makeshift workarounds are emerging from the community, but none are officially endorsed.
One method involves modifying DCOM configuration for each Office COM server using the Component Services console (dcomcnfg). By navigating to DCOM Config and finding entries like "Microsoft Excel Application" or "Microsoft Word 97-2003 Document," administrators can change the identity to "The interactive user" and adjust launch permissions. While this can restore functionality in some non‑interactive scenarios, it is complex, error‑prone, and may introduce security holes. Moreover, on servers without an interactive user, this does not help.
Another band‑aid is to ensure that an interactive session is always logged on and to schedule automation to run in that session’s context using tools like AutoLogon or third‑party session managers. This is brittle, consumes resources, and breaks if the session is disrupted. Some admins report limited success by pre‑launching the Office app manually after reboot to "prime" the COM server, but this is unreliable for service‑hosted automation.
Historical Context and a Pattern of DCOM Hardening
KB5094126 is not the first update to trip up legacy COM automations. Microsoft has been hardening DCOM for years, often with disruptive side effects. The series of DCOM hardening updates rolled out between 2021 and 2023 (starting with KB5004442) broke many COM‑based applications, requiring registry keys or GPOs to restore previous behavior. That effort ultimately aimed to mitigate PetitPotam and other NTLM‑relay attacks. The current change seems to target the activation path itself, possibly to prevent attackers from remotely launching Office to run malicious macros.
The security improvements are real: the fixed vulnerabilities in KB5094126 include privilege‑escalation and remote‑code‑execution flaws that could allow an attacker to take over a system if left unpatched. Microsoft’s stance is understandable—but the lack of granular control over the new restrictions leaves organizations with an all‑or‑nothing choice.
Community Response and Diagnostic Tools
Affected users are not staying idle. System administrators have shared PowerShell scripts that test COM activation from both logged‑in and background sessions, helping teams identify which automation will break before deploying the update. One such script:
$excel = New-Object -ComObject Excel.Application
if ($excel) {
Write-Host "COM activation succeeded"
$excel.Quit()
} else {
Write-Host "COM activation failed"
}
Running this from a scheduled task that executes whether the user is logged on or not quickly reveals the impact.
Event logs also provide clues. When a COM activation fails, the System log records Event ID 10016 (distributed COM) with details about the CLSID of the Office app. The Excel CLSID, for example, is {00024500-0000-0000-C000-000000000046}. Correlating these events with the update installation time confirms the culprit.
IT pros are actively sharing their findings on Microsoft’s Q&A forum and the Windows Health Dashboard comments. A common theme is frustration: “We understand the need for security, but offering no official opt‑out key or group policy for a legacy technology that millions still use is hard to accept,” wrote a veteran admin.
The Path Forward: Patches and Pitfalls
Microsoft is investigating the issue, and a fix is expected. Given the broad business disruption, an out‑of‑band release is possible, though such hotfixes are rare for cumulative updates. A more likely scenario is that the resolution arrives with the July 2026 Patch Tuesday update on July 14. In the interim, expect a featured‑flag or registry‑based rollback mechanism, similar to the RequireIntegrityActivationAuthenticationLevel keys used for earlier DCOM hardening.
For enterprises that cannot wait, the safest path is to block the update via WSUS, Intune, or other patch‑management tools, and then carefully test automation against a pilot group before redeploying once a fix is available. Meanwhile, organizations should catalog all existing Office COM automations and begin planning a migration to modern alternatives. Microsoft Graph API, Office Scripts, and Power Automate cloud flows provide robust, server‑less alternatives that avoid local COM issues entirely—but the transition is rarely trivial.
Security vs. Productivity: An Ongoing Tension
The KB5094126 incident underscores the precarious balance between security hardening and backward compatibility. Office COM automation, often dismissed as legacy tech, still powers mission‑critical processes across industries. When security updates abruptly break these automations, the immediate cost—in lost productivity, overtime, and customer impact—can outweigh the mitigated risk.
“It’s the classic push‑vs‑pull. Microsoft wants customers to move to Graph, but the cost and risk of rewriting decades‑old automation are enormous. Updates like this force the issue, often painfully,” remarked a senior systems architect who has worked with Fortune 500 companies.
For now, affected organizations are operating in triage mode, rolling back updates on critical servers while racing to implement stopgap measures. The coming days will reveal whether Microsoft accelerates a fix or leaves businesses navigating this dilemma for weeks.
We will continue to follow this story and provide updates as more information becomes available. Affected readers are encouraged to monitor the official KB5094126 support page and the Windows release health dashboard for the latest status.