| Windows Secure Boot certificate expiration |
|---|
| Important Secure Boot certificates used by most Windows devices were set to expire starting in June 2026. Microsoft has been updating these certificates on PCs and non-managed business devices for the past months. Devices that haven’t received the newer certificates will continue to start, and standard Windows updates will continue to install. We will continue to install the newer certificates via Windows updates in the coming months. |
Summary
This article lists the security issues and quality improvements included in this cumulative security update.
Applies to: Windows Server 2019
This security update includes fixes and quality improvements that are part of the following update:
The following is a summary of the issues that this update addresses when you install this update. The bold text within the brackets indicates the item or area of the change we are documenting.
[Input] This update changes hotkey unregister and cleanup behavior. In rare cases, some built-in Windows experiences that rely on previous hotkey lifecycle behavior might temporarily stop responding to certain keyboard shortcuts. This issue can typically be resolved by restarting the app affected. If the issue is not resolved, report it through the Feedback Hub.
[Secure Boot]
- This update enables dynamic status reporting for Secure Boot states in Windows Security App.
- This update includes additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Certificate deployment via Windows updates continues across supported PCs and non-managed business devices in the coming months.
[File Explorer (known issue)] Fixed: An issue where the OneDrive shortcut in File Explorer stops working when File Explorer is run with administrative mode.
[Networking] This update introduces a security hardening change that enforces TDI transport registration requirements. As a result, applications that use sockets over unregistered third-party TDI transports might stop working after installing this update. Registered TDI transports are not affected. For more information, see Third-party TDI transports might stop working after installing Windows security updates released on or after July 14, 2026.
[OLE Automation (known issue)] Fixed: Addresses a compatibility issue in OLE Automation (oleaut32.dll) that was introduced by the June 2026 security update. Some applications that use the IDispatch::Invoke method to call COM methods with BYREF parameters that share the same underlying storage might fail. These failures can include parameter marshaling errors or automation call failures. This update corrects how parameter ownership is handled and restores expected application behavior.
[Recycle Bin (known issue)] Fixed: This update addresses an issue where the confirmation dialog might display an internal Recycle Bin file name instead of the original file name when permanently deleting a file.
[Authentication] This update improves auditing for NT LAN Manager (NTLM) authentication by enhancing logging to provide more detailed information for security monitoring and analysis.
[Distributed Key Manager (DKM)] This update introduces automatic detection of insecure DKM container ACL configurations in AD FS and provides an opt-in remediation mechanism to help administrators strengthen DKM container permissions. For more information about how to manage this change, see CVE-2026-56155: AD FS Distributed Key Manager container ACL hardening.
[Remote Desktop (RDP) Security] Support for SHA-2 certificate thumbprints has been added for trusted RDP publishers, with SHA-1 support retained only for backward compatibility and planned for future removal. New guidance is available for managing RDP file security through Group Policy to help organizations reduce phishing risks by controlling which .rdp files users can open. We recommend IT administrators migrate to SHA-256 thumbprints or a stronger algorithm as soon as possible to avoid disruption.
If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.
For more information about security vulnerabilities, please refer to the new Security Update Guide website and the July 2026 Security Updates.
For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows 10, version 1809, see its update history page.
Known issues in this update
We are currently not aware of any issues with this update.
Servicing stack update (KB5104020) - 17763.9015
Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). SSUs improves the reliability of the update process and includes fixes to the servicing stack, the component that installs Windows updates.
Note This servicing stack update (SSU) includes enhanced logic to verify whether a device is hosted on Azure, leveraging an updated certificate chain for validation. To ensure that the device can access the required certificate update domains to successfully download and install certificate updates, see Certificate downloads and revocation lists and Azure Certificate Authority details. To learn more about SSUs, see Servicing stack updates.
How to get this update
Before you install this update
You must have installed the August 10, 2021 SSU (KB5005112) before installing this cumulative update.
Deployment
If you deploy dynamic updates such as this update to an existing Windows image, ensure the boot.stl file is included as part of the installation media. Failure to include the file might prevent devices from successfully starting from the installation media and can result in error code 0xc0430001.
Note The boot.stl file is used during Secure Boot validation and must match the Windows version and architecture of the image you are updating.
To ensure the boot.stl file is included as part of the installation media, do one of the following:
- Use the Update WinPE script to update an existing Windows image. (Recommended)
- Manually copy the boot.stl file from the devices Windows\Boot\EFI folder to the corresponding folder on your installation media before deploying the update.
For information about how to apply Dynamic Update packages to existing Windows images, see Update Windows installation media with Dynamic Update.
Get and install this update
To get and install this update, use one of the following Windows or Microsoft release channels.
| Available | Next Step |
|---|---|
|
This update will be downloaded and installed automatically from Windows Update. |
File information
A list of the files that are included in this update are provided in a CSV (Comma delimited) (*.csv) file. The file can be opened in a text editor such as Notepad or in Microsoft Excel.
Note The English (United States) version of this software update might contain files for additional languages.
Download the file information for cumulative update KB5099538.
Download the file information for the SSU (KB5104020) - version 17763.9015 update.
Related topics
Microsoft Store application updates
Windows updates do not install Microsoft Store application updates. If you are an enterprise user, see Microsoft Store apps - Configuration Manager. If you are a consumer user, see Get updates for apps and games in Microsoft Store.
Note
- Windows Secure Boot certificate expiration
- Important: Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. Microsoft has been updating these certificates on consumer and non-managed business devices for the past months. Devices that haven’t received the newer certificates will continue to start and operate normally, and standard Windows updates will continue to install. We will continue to install the newer certificates via Windows updates in the coming months.
- You can check your PC status on the Windows Security app. If you are an IT administrator, follow the guidance on the Secure Boot Playbook for Windows clients and Windows Server.
Note
- Windows Server 2019 and Windows 10 Enterprise LTSC 2019 end of support
- Microsoft will no longer provide free software updates from Windows Update, technical assistance, or security fixes on the following end dates:
- ♦ Windows 10 Enterprise LTSC 2019: January 9, 2029
- ♦ Windows Server 2019: January 9, 2029
- We recommend that you upgrade to a later version of Windows Server.