July 14, 2026—KB5101649 (OS Build 28000.2525)

Si applica a
Windows 11 version 26H1, all editions

This cumulative update for Windows 11, version 26H1 (KB5101649) includes the latest security fixes and improvements, along with non-security updates from last month's optional preview release. Visit the Windows release health dashboard for the latest status on this release.

Improvements

This update includes new features and quality improvements that were part of the following update:

This update addresses security vulnerabilities documented in the following guide:

The following summary outlines key quality improvements addressed by this update. The bold text within the brackets indicates the item or area of the change.

  • [Secure Boot] This update includes additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Certificate deployment via Windows updates continues across supported PCs and non-managed business devices in the coming months.
  • [Apps (Known issue)] Fixed: This update addresses an issue that affects certain third-party apps that use OLE Automation to interact with Microsoft Office. After installing the June 2026 security update (KB5095091), these apps might fail to launch Office or open documents.
  • [Input] This update changes hotkey unregister and cleanup behavior. In rare cases, some built-in Windows experiences that rely on previous hotkey lifecycle behavior might temporarily stop responding to certain keyboard shortcuts. This issue can typically be resolved by restarting the app affected. If the issue is not resolved, report it through the Feedback Hub.
  • [Management] With this update, at.exe and schedcli.dll can no longer be used to administer "AT Time" or ATSvc servers. Microsoft recommends discontinuing use of ATServer, which has been disabled by default since Windows Server 2012. Developers and system administrators should expect AT.exe and ATServer to be removed in future versions of Windows. The AT Client, at.exe is replaced by "schtasks.exe", PowerShell ScheduledTasks commands, and the ITaskSchedulerService interface.
  • [Networking] This update introduces a security hardening change that enforces TDI transport registration requirements. As a result, applications that use sockets over unregistered third-party TDI transports might stop working after installing this update. Registered TDI transports are not affected. For more information, see Third-party TDI transports might stop working after installing Windows security updates released on or after July 14, 2026.
  • [Remote Desktop (RDP) Security] Support for SHA-2 certificate thumbprints has been added for trusted RDP publishers, with SHA-1 support retained only for backward compatibility and planned for future removal. New guidance is available for managing RDP file security through Group to help organizations reduce phishing risks by controlling which .rdp files users can open. We recommend IT administrators migrate to SHA-256 thumbprints or a stronger algorithm as soon as possible to avoid disruption.

If you've already installed previous updates, your device will download and install only the new updates included in this package.

Components updates

AI components

This release updates the following AI components to version 1.2605.856.0: Image Search, Content Extraction, Semantic Analysis, and Settings Model.

To learn more, see Release information for AI components.​​​​​​​

Servicing stack update ​​​​​​​​​​​ ​​​Includes KB5121292 (Build 28000.2524), which improves the reliability of the Windows update installation process. To learn more about SSUs, see [Simplifying on-premises deployment of servicing stack updates](https://learn.microsoft.com/windows/deployment/update/servicing-stack-updates#simplifying-on-premises-deployment-of-servicing-stack-updates).

Known issues in this update

Microsoft is not currently aware of any issues with this update.

How to get this update

Before you install this update

Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates.

Deployment

If you deploy dynamic updates such as this update to an existing Windows image, ensure the boot.stl file is included as part of the installation media. Failure to include the file might prevent devices from successfully starting from the installation media and can result in error code 0xc0430001.

Note

The boot.stl file is used during Secure Boot validation and must match the Windows version and architecture of the image you are updating.

To ensure the boot.stl file is included as part of the installation media, do one of the following:

  • Use the Update WinPE script to update an existing Windows image. (Recommended)
  • Manually copy the boot.stl file from the device Windows\Boot\EFI folder to the corresponding folder on your installation media before deploying the update.

For information about how to apply Dynamic Update packages to existing Windows images, see Update Windows installation media with Dynamic Update.

Install this update

To install this update, use one of the following Windows and Microsoft release channels.


Available Next Step
Included This update downloads and installs automatically from Windows Update and Microsoft Update.

File information

For a list of the files provided in this update, download the file information for cumulative update 5101649​​​​​​​​​.

For a list of the files provided in the servicing stack update, download the file information for the SSU (5121292) - version 28000.2524.

Windows monthly updates explained

Description of the standard terminology used for Microsoft software updates

Windows release health