July 14, 2026—KB5099445 (Monthly Rollup)

Applies To
Windows Server 2012
Important The installation of this Extended Security Update (ESU) might fail when you try to install it on an Azure Arc-enabled device that is running Windows Server 2012. For a successful installation, please make sure all Subset of endpoints for ESU only are met as described in Connected Machine agent network requirements.

Note

  • Windows Secure Boot certificate expiration
  • Important: Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. Microsoft has been updating these certificates on consumer and non-managed business devices for the past months. Devices that haven’t received the newer certificates will continue to start and operate normally, and standard Windows updates will continue to install. We will continue to install the newer certificates via Windows updates in the coming months.
  • You can check your PC status on the Windows Security app. If you are an IT administrator, follow the guidance on the Secure Boot Playbook for Windows clients and Windows Server.
End of support information

Note

  • Support for Windows Server 2012 will end in October 2026
  • Windows Server 2012 reached the end of support (EOS) on October 10, 2023.
  • Extended Security Updates (ESUs) are available for purchase and will continue for three years, renewable on an annual basis, until the final date on October 13, 2026. For information about the procedure to continue receiving security updates, see KB5031043.
  • We recommend that you upgrade to a later version of Windows Server. For more information, see Overview of Windows Server upgrades.

Summary

Learn more about this cumulative security update, including improvements, any known issues, and how to get the update.

Windows Server 2012

This security update includes fixes and quality improvements that are part of the following update:

The following is a summary of the issues that this update addresses. The bold text within the brackets indicates the item or area of the change we are documenting.

  • [Apps (Known issue)] Fixed: This update addresses an issue that affects certain third-party apps that use OLE Automation to interact with Microsoft Office. After installing the June 2026 security update KB5093998, these apps might fail to launch Office or open documents.
  • [Distributed Key Manager (DKM)] This update introduces automatic detection of insecure DKM container ACL configurations in AD FS and provides an opt-in remediation mechanism to help administrators strengthen DKM container permissions. For more information about how to manage this change, see CVE-2026-56155: AD FS Distributed Key Manager container ACL hardening.
  • [Networking] This update introduces a security hardening change that enforces TDI transport registration requirements. As a result, applications that use sockets over unregistered third-party TDI transports might stop working after installing this update. Registered TDI transports are not affected. For more information, see Third-party TDI transports might stop working after installing Windows security updates released on or after July 14, 2026.
  • [Recycle Bin (known issue)] Fixed: This update addresses an issue where the confirmation dialog might display an internal Recycle Bin file name instead of the original file name when permanently deleting a file. This issue might occur after installing the June 2026 security update KB5094042.
  • [Remote Desktop (RDP) Security] Support for SHA-2 certificate thumbprints has been added for trusted RDP publishers, with SHA-1 support retained only for backward compatibility and planned for future removal. New guidance is available for managing RDP file security through Group to help organizations reduce phishing risks by controlling which .rdp files users can open. We recommend IT administrators migrate to SHA-256 thumbprints or a stronger algorithm as soon as possible to avoid disruption.

For more information about the resolved security vulnerabilities, please refer to the Deployments | Security Update Guide and the July 2026 Security Update.

For information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, see Description of the standard terminology that is used to describe Microsoft software updates.

To view other notes and messages, see the Windows Server 2012 update history home page.

Known issues in this update

Microsoft Office applications might fail to open from certain third-party apps

Symptoms

Microsoft has received reports of an issue in which certain third-party applications might be unable to launch Microsoft Office applications or open documents after installing the Windows updates released on or after June 9, 2026. This issue affects certain third-party applications that use OLE automation to interact with Microsoft Office applications. In some cases, the Office application or document might fail to open without displaying an error message.

Affected Microsoft Office applications might include Word, Excel, PowerPoint, Access, and other Microsoft Office applications when launched from within the affected third-party application.

Reports indicate that this issue may affect applications such as CCH Engagement, Workpaper Manager, dental software (such as Dentrix and Softdent), and Zotero; other similar applications might also be impacted.

Third-party information disclaimer

The third-party products listed are manufactured by companies that are independent of Microsoft. We make no warranty, implied or otherwise, about the performance or reliability of these products.

Resolution

This issue is resolved in Windows updates released on and after July 14, 2026 such as KB5099445. We recommend you install the latest Windows update for your device as it contains important improvements and issue resolutions, including this one.

OneDrive shortcut in File Explorer might not work in administrator mode

Symptoms

After installing this update, the OneDrive shortcut in File Explorer might not work when File Explorer is running with administrative privileges. Symptoms include an unresponsive shortcut, blank OneDrive properties, and missing sync status icons. No error message is displayed.

This issue affects only the built-in Administrator account or applications run using Run as administrator.

Workaround

The following workarounds are available and do not require any system changes:

  1. Navigate directly to the OneDrive folder, commonly found under C:\Users\<username>\OneDrive.
  2. Create a desktop shortcut to the OneDrive folder and use that shortcut to access files when using elevated applications or the built-in Administrator account.

A more comprehensive mitigation is available for IT administrators. If you are affected by this issue, contact Microsoft Support for Business.

How to get this update

Before installing this update

To install any Windows Server 2012 Monthly Rollup released on or after January 14, 2025, we recommend you first install the latest Servicing Stack Update (SSU). If your device or offline image does not have the latest SSU installed, you might not be able to install this update.

Caution

Until you install the latest SSU, this update might not be offered to your device. To reduce your security risk, install the latest SSU as soon as possible.

  • If you use Windows Update, the latest SSU KB5106414 will be offered to you automatically. If the latest SSU is not installed, you might not be able to install this update.
  • If you use the Update Catalog, we recommend you download and install the latest SSU KB5106414 If the latest SSU is not installed, you might not be able to install this update.
  • If you are a Windows Server Update Services (WSUS) administrator, you must approve SSU KB5106414 and this update KB5099444.

Deployment

If you deploy dynamic updates such as this update to an existing Windows image, ensure the boot.stl file is included as part of the installation media. Failure to include the file may prevent devices from successfully starting from the installation media and can result in error code 0xc0430001.

Note

The boot.stl file is used during Secure Boot validation and must match the Windows version and architecture of the image you are updating.

To ensure the boot.stl file is included as part of the installation media, do one of the following:

  • Use the Update WinPE script to update an existing Windows image. (Recommended)
  • Manually copy the boot.stl file from the devices Windows\Boot\EFI folder to the corresponding folder on your installation media before deploying the update.

For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

Language packs

If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Learn about adding a language pack to Windows.

Install this update

To install this update, use one of the following release channels.


Available Next step
Available This update will be downloaded and installed automatically from Windows Update.

File information

A list of the files that are included in this update are provided in a CSV (Comma delimited) (*.csv) file. The file can be opened in a text editor such as Notepad or in Microsoft Excel.

Download Icon Download the file information for cumulative update KB5099445 now.