Microsoft's latest June 2026 security update, KB5094126, is breaking OLE automation scenarios where third-party applications launch or control Microsoft Office. The company has placed targeted deployment holds on affected devices, advising IT administrators to pause the update if their environments depend on such integrations.

The advisory, first confirmed through update management channels, warns that applications using OLE (Object Linking and Embedding) to interact with Word, Excel, or other Office programs may fail to start, freeze, or encounter runtime errors after installing the patch. Microsoft has not yet issued an official public acknowledgment outside of its administrative release health dashboard.

What the update changes—and what breaks

KB5094126 is a cumulative security update for multiple Windows versions, addressing several vulnerabilities, including an elevation-of-privilege flaw in the Windows Kernel and a remote code execution bug in the Print Spooler. The patch also hardens OLE marshaling interfaces as part of ongoing efforts to close DCOM-related attack surfaces.

That hardening is precisely what disrupts legacy automation. Many line-of-business applications, custom scripts, and enterprise tools use COM/OLE calls to instantiate Office applications—generating a report in Excel, merging a document in Word, or sending data via Outlook. After installing KB5094126, these calls may return error codes like 0x80010105 (RPC_E_SERVERFAULT) or simply hang indefinitely.

Microsoft’s health dashboard notes: “After installing this update, you might experience problems with applications that launch or control Microsoft Office through OLE automation. Affected apps might not start or might work unexpectedly.” The company has applied a compatibility hold—also known as a safeguard hold—preventing the update from being offered to devices detected as potentially affected. However, detection is heuristic and may miss some custom installations.

What this means for you—by audience

For everyday users

If you use Windows Update to install patches on a personal device, you likely won’t see KB5094126 appear until Microsoft lifts the safeguard hold. The hold targets devices with known OLE-dependent software, but if you’re running a niche accounting program or a custom macro-heavy Access database, you might still get the update inadvertently. Be cautious: manual checks via Settings > Windows Update could bypass the hold and install the patch.

Should you install it? Unless you’re certain none of your applications automate Office, hold off. If you’ve already installed it and notice Office-related crashes when opening files from other programs, you can uninstall the update via Settings > Windows Update > Update history > Uninstall updates. Microsoft is working on a fix, but no timeline has been provided.

For IT administrators

The implications are immediate and operational. If your organization packages and deploys updates via WSUS, Microsoft Configuration Manager, or Intune, you must explicitly approve KB5094126. Microsoft’s instructional documentation for June 2026 recommends deploying the update only to managed devices “that do not depend on third-party applications launching or controlling Microsoft Office through OLE automation.”

This means:
- Inventory which line-of-business apps use OLE. Common culprits include ERP systems, document management suites, and legacy Visual Basic macros.
- Use the safeguard hold ID (likely viewable in your update deployment console) to identify blocked devices.
- Deploy to a test group first. Even if a device doesn’t show the hold, it may still be affected.
- If your organization relies heavily on such automation, consider deferring the update until a newer revision or out-of-band fix is released.
- Monitor Microsoft’s known issues rollback (KIR) announcements—sometimes a configuration change can be pushed without requiring a full patch uninstall.

For developers

If you maintain software that interacts with Office via OLE, immediately test your applications against KB5094126 in an isolated environment. The breaking change likely stems from stricter security checks on COM interface pointers or altered activation permissions. You may need to refactor your code to use newer APIs like Office JavaScript APIs or Microsoft Graph for automation tasks. In the short term, running your application with elevated privileges or adjusting DCOM security settings might mitigate the issue, but this is not a recommended long-term strategy.

How we got here: a history of OLE hardening

This isn’t the first time Office OLE automation has broken after a security update. In 2021, a cumulative update caused Excel to crash when invoked programmatically from certain third-party tools. In 2022, DCOM hardening changes in Windows forced administrators to enable authentication for all COM components, breaking countless unattended scripts. Microsoft’s security push, motivated by threats like the ‘Friday the 13th’ malware that abused Office macros, has often collided with real-world workflows.

KB5094126 appears to be the next step in that hardening journey. The patch notes, though not yet publicly detailed at the time of writing, indicate modifications to the ole32.dll and combase.dll libraries, which fundamentally alter how OLE activation requests are validated. The goal is to prevent malicious objects from hijacking OLE calls to execute code in the context of a privileged Office process. The side effect—blocking legitimate automation—has become a recurring pattern.

Admins who remember the DCOM authentication nightmare will find the approach familiar: deploy the update with holds, gather telemetry, then release a revised fix or a group policy workaround. Microsoft’s advisory mentions that a revised update is in development but offers no ETA.

What to do now

  1. Check your update management console. In Microsoft Configuration Manager or Intune, look for KB5094126 under the “Security Updates” classification. Verify if the safeguard hold ID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (exact ID will be published) is active for your devices.
  2. Audit your automation footprint. Run a script that scans for processes using Office automation objects. PowerShell cmdlets like Get-Process can reveal instances of Winword.exe or Excel.exe launched by non-desktop services. Also, review any scheduled tasks or services that might invoke Office COM objects.
  3. Pilot the update. On a small, non-critical set of machines representative of your environment, manually install KB5094126 and verify core business applications for two full operational cycles.
  4. Prepare a rollback plan. Uninstalling the update is straightforward via the standard Windows Update UI or DISM command line: dism /online /remove-package /packagename:Package_for_RollupFix~31bf3856ad364e35~amd64~~~26231.xxxx.x.x. Document the exact removal procedure for your deployment tool.
  5. Look for temporary workarounds. While limited, some organizations have reported that disabling the “Block Office activation through OLE automation” Group Policy setting (not yet officially recommended by Microsoft) restores functionality. This is high-risk and should only be tested in isolated environments.
  6. Stay informed. Monitor the Windows release health dashboard (https://docs.microsoft.com/en-us/windows/release-health/) and the @WindowsUpdate Twitter handle for the official solution.

What to watch next

Microsoft’s pattern suggests a resolution will arrive either as a revised version of KB5094126 or as a separate out-of-band update within the next two to four weeks. In some cases, the company deploys a Known Issue Rollback (KIR) that automatically reverses the OLE hardening without requiring action. If that happens, devices configured to receive optional updates will be remediated first, with a forced rollout later.

Longer term, this incident reinforces the need for organizations to modernize their Office integration methods. Dependence on OLE automation is fragile and increasingly unsupported. Investing in Office add-ins built on web technologies or moving to Microsoft 365-powered automation will reduce exposure to such disruptive patches.

For now, the safest course is patience. If your business runs on scripts that open Excel in the background, delay KB5094126. Microsoft’s hold is doing the same for millions of devices automatically.