Microsoft has released its July 2026 security updates, addressing 622 Microsoft-assigned CVEs and 428 Chromium vulnerabilities across Windows, Office, and Azure. Organizations should prioritize immediate patching for critical flaws under active exploitation, including the BitLocker security bypass and Active Directory Federation Services privilege escalation. This release also brings generally available hotpatching for Windows Server on Azure, TDI transport hardening, and a bundled curl upgrade to version 8.21.0. Administrators can deploy the fixes via Windows Update or the Microsoft Update Catalog, though Office 2016 users must manage 18 individual patches rather than a single cumulative update.
Microsoft Drops July 2026 Security Updates, But Active Exploits Demand Immediate Attention
The monthly release brings over 1,000 fixes, yet critical AD FS and BitLocker flaws push patching to the top of your queue.
Microsoft has published its July 2026 security updates, addressing 622 Microsoft-assigned CVEs and republishing 428 Chromium vulnerabilities. That pushes the total fix count past 1,000 across 154 distinct updates. If you manage Windows endpoints or run SharePoint, you'll want to review this release before your Friday afternoon hits.
Patch Tuesday is usually a numbers game. This month, the volume hasn't changed the urgency. Microsoft flagged two critical flaws under active exploitation. CVE-2026-56155 targets Active Directory Federation Services and SharePoint Server, while CVE-2026-50661 bypasses BitLocker protections. Researchers already have public proof-of-concepts for the BitLocker flaw. Any organization that treats data-at-rest encryption as a baseline control needs to patch this one first.
Windows and the Core Stack
Windows takes the heaviest hit this month. You are looking at 416 vulnerabilities split across 35 cumulative updates. Windows 10 versions 21H2 and 22H2 receive KB5099539, while Windows 11 splits between KB5101650 for 24H2 and 25H2, and KB5099414 for 23H2. Microsoft bundled the usual non-security tweaks alongside the security fixes, so don't assume these are bare-bones releases.
Keep in mind that Microsoft is hardening TDI transport registration this month. Applications relying on unregistered third-party transport drivers will stop working once you install the update. The advisory states that "applications using sockets over unregistered third-party TDI transports may stop working after this update." Registered transports remain unaffected, but if your environment runs niche enterprise software that bypasses standard socket registration, test it before you push the update.
Remote desktop publishers finally get SHA-2 certificate support, though Microsoft is keeping SHA-1 around for backward compatibility until further notice. You can manage RDP file security through new Group Policy guidance to reduce phishing risks. The bundled curl tool also jumped to version 8.21.0. If your automation scripts parse curl output, give those pipelines a quick sanity check before you deploy.
Office, Edge, and the Cloud Side
Office got a split treatment this month. Modern versions of the Microsoft 365 stack and Office 2021 each received 10 cumulative updates covering 82 flaws. Office 2016 is on its own, requiring 18 individual patches for the exact same vulnerability count. Edge landed one cumulative update for 46 Chromium-backed issues. You'll want to push those out through your browser management policies before they drift.
On the cloud side, Hotpatching is now generally available for Windows Server on Azure Edition virtual machines. This means you can apply security updates without rebooting your workload, which matters a lot if you are running stateful applications in production. Microsoft has also shipped 13 individual updates for Azure Linux and cloud components, addressing 11 vulnerabilities.
I remember when Microsoft first demoed hotpatching back in 2023, the goal was always to eliminate the Friday night reboot anxiety for sysadmins. It took a couple of years to mature the backend and iron out the kernel hooking quirks. Watching it hit general availability for Azure Windows Server VMs this month feels like the payoff is finally arriving. If you have been holding back on Windows updates due to downtime constraints, this changes the calculus considerably.
There is another wrinkle you should know about. Mozilla raised concerns that a default configuration change in Windows 11 26H2 limits user choice on certain security policies. Microsoft reports no active issues for the 24H2 or 25H2 builds right now, but if you are planning a 26H2 migration, review the policy shifts in the Windows Message Center before you commit.
What You Need to Do Now
Prioritize the AD FS and SharePoint patches for CVE-2026-56155 if you run those services. Deploy the BitLocker fix to all encrypted endpoints as soon as you can. Install the latest servicing stack update before touching your cumulative Windows patches, and test Office 2016 individual patches in a staging environment first. You can grab the updates through Windows Update or pull the offline packages from the Microsoft Update Catalog. Microsoft's Security Update Guide has a dedicated deployment tab if you need to cross-reference known issues before you run the installers. Head here to review the full patch notes and update schedules.
