Microsoft has released KB5099539 for Windows 10, an extended security update that folds in fixes from this month’s record-setting July 2026 Patch Tuesday, which addressed 570 vulnerabilities including two exploited flaws and one publicly disclosed zero-day.
The update is available to devices enrolled in the consumer or commercial Extended Security Updates (ESU) program and to Windows 10 Enterprise LTSC systems. Microsoft recently extended free consumer ESU coverage by an additional year, pushing the cutoff to October 12, 2027. Eligible users can install KB5099539 through Settings > Windows Update by running a manual check. After installation, Windows 10 moves to build 19045.7548, and Enterprise LTSC 2021 moves to build 19044.7548.
Fixes and known issues
Since Microsoft no longer ships new features to Windows 10, KB5099539 is limited to security patches and bug fixes. Notable items include:
- A fix for an OLE Automation compatibility bug introduced by the June 2026 update that broke some COM calls using BYREF parameters.
- A repair for the OneDrive shortcut in File Explorer failing when Explorer runs in administrative mode.
- A correction to Recycle Bin delete-confirmation dialogs that were showing internal file names instead of the original file name.
- Changes to hotkey unregister and cleanup behavior that may cause some built-in Windows features to briefly stop responding to keyboard shortcuts, generally resolved by restarting the affected app.
- Expanded dynamic status reporting for Secure Boot states in the Windows Security app, with broader device targeting for automatic Secure Boot certificate deployment.
Networking and RDP changes worth attention
The update enforces TDI transport registration requirements as a security hardening measure. Applications using sockets over unregistered third-party TDI transports may stop functioning after installation; registered transports are unaffected. Administrators can check Event Viewer under Windows > System for AFD Event ID 16003, which flags an unregistered TDI provider.
KB5099539 also adds SHA-2 certificate thumbprint support for trusted RDP publishers, while retaining SHA-1 only for backward compatibility ahead of its eventual removal. Microsoft has published new Group Policy guidance for controlling which .rdp files users can open, aimed at reducing phishing risk, and recommends administrators migrate to SHA-256 or stronger thumbprints promptly to avoid disruption.
Outside of the TDI transport and hotkey behavior notes, Microsoft reports no other known issues with this release.
