Microsoft shipped July's cumulative update for Windows 10 on the 14th, but there is a catch: KB5099539 will not show up on most PCs. The patch is exclusively for systems enrolled in the Extended Security Updates program, along with Enterprise LTSC 2021 and IoT Enterprise LTSC 2021 editions. It reverses an application-breaking COM regression introduced last month and begins enforcing years-old warnings that organizations must move away from SHA-1 in Remote Desktop trusted publisher certificates.
The build numbers tell the story — 22H2 devices move to 19045.7548, and 21H2 LTSC editions land on 19044.7548. If your machine is running standard Windows 10 22H2 without an ESU license, this update is not meant for you, and Windows Update will not offer it.
The June COM Nightmare Gets Undone
The most consequential fix inside KB5099539 targets a regression that arrived with June's security update. Applications relying on OLE Automation's IDispatch::Invoke method began failing when COM method calls involved BYREF parameters sharing the same underlying storage. The result was parameter-marshaling errors or outright automation call failures that broke line-of-business apps, scripting integrations, and older software built around COM.
Microsoft says this update corrects how parameter ownership is managed, restoring the behavior applications expected before June. For enterprise administrators who pulled last month's update after discovering broken workflows, this will likely be the first patch they test. Organizations with custom COM-based tools or older ERP clients should prioritize validation of those workloads.
Two smaller but visible shell problems also get patched. The OneDrive shortcut inside File Explorer no longer stops responding when Explorer runs with elevated privileges, and the confirmation dialog for permanent file deletion once again displays the original file name rather than an internal Recycle Bin identifier. The latter was mostly a presentation glitch, but it made destructive actions confusing for anyone who looked closely.
RDP Trust Moves Past SHA-1 — Finally
Remote Desktop receives a forward-looking security change that has been recommended for years. KB5099539 adds support for SHA-2 certificate thumbprints for trusted RDP publishers, though SHA-1 remains available for backward compatibility. Microsoft says that fallback will be removed in a future update.
Trusted publisher controls let administrators determine which signed .rdp files users can open, cutting off a common phishing vector where attackers distribute files pointing to hostile servers. The immediate task is not simply to confirm that Remote Desktop still launches. IT teams must review Group Policy settings that specify SHA-1 thumbprints and replace them with SHA-256 or stronger before Microsoft removes the legacy option. Organizations that centrally sign and distribute .rdp files need to verify their signing pipeline produces SHA-2-compatible certificates now, not later.
Networking Hardening That Might Break Legacy Stacks
Security hardening also arrives for the Transport Driver Interface. The update enforces TDI transport registration requirements, meaning applications using sockets over unregistered third-party TDI transports may stop working. Correctly registered transports should be unaffected.
TDI is a legacy networking model, so most modern software will sail through. But older VPN clients, endpoint security agents, specialist communications tools, and industrial software that bring their own networking stack are candidates for breakage. Microsoft frames this as intentional security hardening, not an accidental regression. For products that fail, the answer is to fix the transport registration, not to skip the cumulative update indefinitely.
Administrators should inventory network filter drivers and test connectivity-dependent workflows — VPNs, security tools, management agents — before broad deployment. A pilot group that includes each unique networking stack is the safest approach.
Hotkey handling also changes slightly. New cleanup logic can, in rare cases, cause built-in Windows experiences to temporarily stop responding to some keyboard shortcuts. Restarting the affected application normally restores functionality. Persistent issues should be reported through Feedback Hub, but first confirm the problem isn't hardware, accessibility software, or group policy.
Secure Boot Rollout Continues, Now With Better Visibility
Microsoft is using the July update to push newer Secure Boot certificates to more devices, expanding eligibility through additional targeting data. The Windows Security app gains dynamic status reporting, so users and support staff can see exactly where a machine stands in the certificate transition.
This process began after many Secure Boot certificates neared expiration in June 2026. Microsoft chose a staged rollout to avoid bricking systems with incompatible firmware. Machines that haven't received the replacement certificates will still start and receive normal updates, but IT teams managing disk encryption, custom boot media, or recovery environments should not assume the transition is complete.
A critical note for those maintaining offline installation media: updated Windows images must include a matching boot.stl file for Secure Boot validation. Without it, the media fails to start with error 0xc0000431. The supported fix is to update WinPE using Microsoft's documented process; manually copying boot.stl from the Windows\Boot\EFI directory works too, provided the file matches the Windows version and architecture.
Who Actually Gets This Update
Eligibility is the story's sharpest edge. Windows 10 22H2 standard support ended on October 14, 2025. Version 21H2 ended support even earlier, though Enterprise LTSC 2021 remains supported until January 12, 2027, and IoT Enterprise LTSC 2021 until January 13, 2032. The Extended Security Updates program is the only route for 22H2 devices to receive patches like KB5099539, and it comes with a price tag.
For consumers and small businesses still running Windows 10 without an ESU license, this update will not appear in Windows Update. The same goes for any machine not explicitly enrolled. Eligible PCs can pull the update through Settings, though standalone packages are available on the Microsoft Update Catalog for manual installation. WSUS and Windows Update for Business also deliver it, with the servicing stack update KB5104021 (version 19041.7546) bundled inside the cumulative package.
Microsoft currently lists no known issues with this release. That does not eliminate the need for staged deployment — especially because the TDI enforcement and hotkey changes can alter behavior even when the update is working as designed.
The Bigger Picture: Windows 10's Long Tail
This update is a practical reminder that Windows 10's remaining user base is bifurcated. Enterprises with ESU agreements receive fixes that keep legacy applications functional, while others on the same OS version are left with an unpatched machine unless they pay up. The COM regression fix is a vivid example: a problem Microsoft itself introduced is now corrected only for those maintaining a subscription.
For administrators managing ESU fleets, the checklist is clear: validate COM-dependent applications that broke in June, inspect legacy TDI networking components, migrate RDP publisher thumbprints to SHA-2, verify Secure Boot status on critical machines, and review offline media creation processes. For everyone else, July 2026 is another month of asking whether it's finally time to complete the migration to Windows 11.