Windows 10 may be past its mainstream support era, but Microsoft is still shipping security fixes for devices enrolled in Extended Security Updates. The July 2026 cumulative update, KB5099539, is an important one for organizations and enthusiasts who have chosen to keep Windows 10 in production. It raises Windows 10 version 22H2 to build 19045.7548 and brings the platform in line with Microsoft’s broader July Patch Tuesday security work.
The headline is not a flashy user-interface change. It is risk reduction. This update focuses on Remote Desktop hardening, transport-layer registration enforcement, Secure Boot certificate reporting, and several practical reliability fixes. For IT teams, the takeaway is straightforward: if a Windows 10 machine is eligible for ESU, this is a patch to prioritize rather than defer.
Who can install KB5099539
KB5099539 is part of the Windows 10 Extended Security Updates program. That matters because the offline installer is not a workaround for unsupported machines. Even if an administrator downloads the Microsoft Update Catalog package, the device still needs to be properly enrolled and licensed for ESU before the update will apply.
For most users, Windows Update remains the safest path. Offline .msu packages are useful for administrators managing multiple PCs, isolated systems, or machines where Windows Update is unreliable, but they do not replace the ESU requirement. Enterprise LTSC 2021 systems receive the related build 19044.7548, while standard Windows 10 version 22H2 systems move to build 19045.7548.
If you manage a small fleet, this is also a good moment to check which devices are truly covered. Windows 10 machines that are not enrolled in ESU should no longer be expected to receive normal security updates, which changes the risk calculation for any device still connected to business services, VPNs, RDP gateways, or Microsoft 365 accounts.
Remote Desktop gets the most important security change
For many environments, the RDP trust model is the part administrators should review first. KB5099539 adds support for SHA-2 certificate thumbprints for trusted Remote Desktop publishers. SHA-1 remains available for compatibility today, but Microsoft’s direction is clear: SHA-1 is being phased out, and administrators should move trusted publisher configurations to SHA-256 or stronger certificate thumbprints before compatibility support disappears.
This is not just a cryptography housekeeping item. Remote Desktop files can be abused in phishing and social-engineering workflows. A user may be convinced to open a malicious .rdp file that appears to connect to a legitimate resource but actually changes connection behavior or sends the user toward an attacker-controlled endpoint. Stronger publisher trust, combined with Group Policy controls over which .rdp files can be opened, gives administrators a better way to reduce that exposure.
A practical action list is short but important: inventory trusted RDP publisher settings, identify any SHA-1 thumbprints, update documentation and Group Policy objects, and test the change with help-desk and remote-access workflows before enforcing it broadly. If your organization distributes .rdp files through portals, file shares, or onboarding packages, review that pipeline too.
Networking hardening may expose old software
The update also enforces registration requirements for TDI transport components. In plain English, older networking, VPN, filtering, or security software that relies on unregistered third-party TDI transports may stop working after installation. Properly registered transports should not be affected.
Most home users will never notice this change. The risk is higher on older business images where legacy VPN clients, packet inspection tools, or line-of-business networking components have survived multiple Windows servicing cycles. Before deploying KB5099539 everywhere, administrators should test it on representative machines that include remote-access clients, endpoint security agents, and any specialized network middleware.
If something breaks, treat that as a signal rather than just an update problem. Software depending on outdated or improperly registered transport behavior is likely to be fragile in other security contexts as well.
Reliability fixes: OneDrive, Recycle Bin, and automation
KB5099539 includes several smaller fixes that will still matter in daily use. A OneDrive shortcut problem in File Explorer, triggered when File Explorer was running with administrative privileges, has been corrected. Microsoft also fixed a Recycle Bin confirmation issue where Windows could display an internal Recycle Bin file name instead of the original file name when permanently deleting a file.
There is also a fix for an OLE Automation compatibility problem involving COM calls through IDispatch::Invoke with BYREF parameters sharing storage. That is a niche description, but it can affect real business applications, scripts, add-ins, and older automation-heavy tools. If June’s update caused unexplained automation failures, KB5099539 is worth testing quickly.
Microsoft also changed hotkey unregistering and cleanup behavior. In rare cases, a Windows component or application may temporarily stop responding to certain keyboard shortcuts. Restarting the affected app should normally clear the condition.
Secure Boot certificate rollout continues
Microsoft is continuing the rollout of updated Secure Boot certificates, a long-running effort tied to certificate expirations that began affecting many Windows devices in 2026. KB5099539 improves Secure Boot state reporting in Windows Security and expands targeting data so more eligible systems can receive the newer certificate set.
For administrators, this is another inventory item. Open Windows Security, check Device Security, and review the Secure Boot section. A machine that has not yet received the updated certificates should still boot and install normal updates, but the status gives IT teams a better view of which devices are fully updated, waiting, or require action.
Deployment guidance
Because KB5099539 includes the latest servicing stack update, most online installations should be routine. Offline image servicing and older WSUS scenarios require more care. Devices or images missing older baseline cumulative updates may need prerequisite servicing stack updates before this July 2026 package can be applied successfully.
The best deployment approach is staged but prompt: patch test machines first, include systems with VPN and RDP dependencies, then expand to the broader fleet. Given the scale of Microsoft’s July security fixes across Windows and related products, delaying this update on ESU-covered Windows 10 systems increases avoidable exposure.
Source: Windows Latest