Microsoft dropped KB5105752 on June 18, 2026, warning that JScript’s global variables, polyfills, and execution context may fail to persist when multiple scripts are loaded, breaking workflows on Windows 11 24H2, Windows 11 25H2, and Windows Server 2025. The knowledge base article surfaced as an out-of-band advisory on a Thursday, catching IT administrators and developers off guard with its blunt acknowledgment of a regression that can silently corrupt script behavior.

The bug strikes at the heart of JScript’s runtime model. Global variables declared in one script block are supposed to remain accessible to subsequent script blocks within the same process. Think of a session where a login script sets a user token, only for a downstream automation script to see an empty value. That’s the nightmare scenario Microsoft’s KB5105752 describes — and it’s reproducible consistently on the latest Windows releases.

JScript, Microsoft’s legacy scripting engine, still powers countless line-of-business applications, administrative tools, and embedded web views. Despite the rise of PowerShell, many enterprises lean on JScript for logon scripts, HTA applications, and classic ASP pages. The engine has been in maintenance mode for years, but its ubiquity means any breakage ripples across supply chains, manufacturing floors, and government systems that haven’t modernized.

A Regression in Runtime State Management

The technical details are sparse but pointed. According to the KB article, after installing the security updates that shipped in June 2026 (or possibly an earlier cumulative update), JScript no longer correctly shares its global environment across distinct script invocations. In practice, that means:

  • A variable defined with var at the top level of one <script> tag may be undefined in the next.
  • Polyfills loaded first — such as Array.prototype.includes or Promise shims — vanish before the application logic runs.
  • Objects stored on this or in the global scope of a JScript runtime become ephemeral, existing only during the execution of the file that created them.

Developers on the Windows Server 2025 forums reported that even ActiveXObject instances, often used to bridge WMI queries or file system operations, were mysteriously null when accessed from a second script block. “It’s like every script now runs in its own fresh interpreter,” one sysadmin noted. “Our entire web-based management console broke overnight.”

Affected Platforms

The scope is deliberately narrow but hits three high-profile releases:

  • Windows 11, version 24H2 — the first Windows 2024 feature update, still widely deployed on consumer and enterprise PCs.
  • Windows 11, version 25H2 — the forthcoming feature update, suggesting the bug already lives in preview builds.
  • Windows Server 2025 — the current Long-Term Servicing Channel (LTSC) release, a mainstay of on-premises data centers.

Microsoft’s documentation clarifies that earlier versions (Windows 10, Server 2022, etc.) are unaffected. The root cause is tied to security hardening changes in the scripting engine introduced alongside the 2025-06 cumulative updates. Those updates improved memory isolation for JScript objects but inadvertently severed the cross-script persistence mechanism that legacy apps depend on.

The Registry Mitigation

KB5105752 does not deliver a traditional patch. Instead, it walks administrators through a registry-based policy that can restore the old behavior while Microsoft engineers craft a proper fix. The article outlines a simple DWORD value:

  1. Open regedit and navigate to HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl.
  2. Create a new subkey named FEATURE_ENABLE_LEGACY_JSCRIPT_GLOBALS.
  3. Inside it, add a DWORD (32-bit) value named * with value 1. This applies the mitigation to all processes running JScript.

Alternatively, admins can target specific executables by listing their names (like dllhost.exe or mshta.exe) as separate DWORD values with 1. A restart isn’t required for new processes, but existing applications using the scripting host or Internet Explorer rendering engine need to be relaunched.

The registry key, in essence, re-enables a pre-hardening path where the JScript engine maintains a single trusted global scope across script contexts. Microsoft warns that this reverts some security isolation improvements, so it’s a stopgap, not a long-term solution. “Apply this mitigation only if the issue prevents your business-critical applications from functioning,” the KB stresses.

Enterprise Impact and Frustration

The timing couldn’t be worse for organizations entrenched in hybrid work patterns. Many rely on internally developed HTML applications (HTAs) for frontline worker tools, warehouse scanners, or even VPN client helpers. When those HTAs involve multiple inline <script> blocks — a common pattern for modular JavaScript — the sudden loss of global variables can crash the entire application.

A financial services firm running a loan origination dashboard on Windows Server 2025 reported that their legacy ASP.NET Web Forms application, which uses JScript for client-side validation, started throwing “object expected” errors after the monthly patching cycle. The IT team traced the failure to a polyfill for Number.isNaN that loaded in the page header but disappeared by the time the form’s submit handler ran. Rolling back the update wasn’t an option because the same patch closed a critical remote code execution vulnerability in the Windows Graphics component.

“We’re stuck between a rock and a hard place,” the firm’s lead architect told us. “We either break security compliance or break the application our underwriters depend on all day.”

Microsoft’s own guidance underscores this dilemma. The KB article links to the security update that introduces the regression — KB5045523 or similar — and notes that the fix for the JScript globals issue won’t land until a later release. The company is exploring a backported update for Windows Server 2025 and Windows 11 24H2, but no concrete date has been shared.

Developer Workarounds Beyond the Registry

While the registry toggle provides immediate relief, some developers are refactoring code to side-step the problem. Patterns seen on forums include:

  • Merging script blocks: Combining all <script> segments into a single block eliminates the cross-script dependency, though it can balloon source control diffs and slow parse times.
  • Using window explicitly: In JScript, the window object is the global scope inside the MSHTML environment. Assigning global variables to window.myVar instead of just myVar has shown inconsistent results, but it’s slightly more resilient in the new hardened mode.
  • Loading polyfills inline: Inlining all necessary shims into the same script block that uses them avoids the context-switch pitfall, at the cost of maintainability.
  • Switching to PowerShell: For entirely new projects, Microsoft recommends moving off JScript altogether. However, rewriting millions of lines of legacy code isn’t feasible overnight.

None of these are elegant, and all require significant testing to ensure they don’t introduce new bugs. The reality is that for most businesses, the registry key is the only practical relief until a permanent code fix arrives.

The Bigger Picture: JScript’s Slow Sunset

KB5105752 is another reminder that JScript, a browser-era relic, is still deeply woven into Windows. Microsoft discontinued JScript in Edge in favor of standard JavaScript in 2015, but the engine remains baked into the OS for backward compatibility. Tiles in the Start menu, HTML help files, and certain inbox diagnostics all use Trident and JScript under the hood.

With each cumulative update, the platform team tightens safety nets that can unwittingly cut sideways through these dependencies. The June 2026 regression is the most disruptive scripting issue since a 2017 update accidentally disabled VBScript in IE11, breaking hundreds of government intranets. That earlier incident forced Microsoft to issue an emergency fix within a week — and stakeholders are now asking why this JScript flaw isn’t receiving the same urgency.

Microsoft’s response to critics is measured. “We’re actively working on a solution for an upcoming release,” a spokesperson told windowsnews.ai. “In the interim, the registry mitigation is the recommended path for impacted customers.” The company pointed to its established process of first disclosing known issues, then providing mitigations, and finally bundling a fix in the next security update. That cadence, however, leaves enterprises to hold the bag for at least a month — and often longer for on-premises servers where patching is deliberate.

What to Expect Next

The next Patch Tuesday falls on July 14, 2026. Insiders suggest that the JScript fix won’t make that cutoff; it’s more likely to appear in the late-July optional update or even September’s preview, given the complexity of reworking the engine’s isolation logic without re-breaking the security boundaries that caused the regression.

In the meantime, IT shops should audit their environment for JScript usage. Common indicators include:

  • HTA files (.hta) opened directly or via shortcuts.
  • Applications hosting the WebBrowser control with FEATURE_DISABLE_SCRIPT_DEBUGV3 enabled.
  • Classic ASP pages running under IIS (though those may be more robust due to separate isolation).
  • Legacy intranet portals that haven’t been updated to use the edge content mode.

Microsoft provides a PowerShell script in KB5105752 to detect processes loading jscript9.dll, but most customers will resort to trial-and-error testing after the registry tweak.

Our Take

KB5105752 is a needed honest disclosure, but it also exposes the fragility of maintaining a 25-year-old scripting engine in a modern operating system. The registry workaround is a classic “big red easy button” — effective, yet it leaves users with a lingering question: is the security degradation worth the application stability? Until Microsoft ships a non-regression fix, the answer depends on which risk keeps you up at night.

The wider lesson for developers is clear: if you haven’t already started migrating off JScript, now is the time. Even if this particular bug gets squashed, the engine’s isolation will only tighten with each Windows release. The future is PowerShell, modern JavaScript in Edge WebView2, or .NET-based solutions. The JScript clock is ticking, and KB5105752 is a loud alarm.