Security updates cover Windows, Copilot, Exchange, Defender, Azure, and other enterprise platforms.
Key Takeaways:
Microsoft has released the July 2026 Patch Tuesday updates for Windows 11 versions 26H1, 26H2, and 24H2. This month, the company has fixed 621 vulnerabilities in Windows, Office, Microsoft Edge, Azure, Github Copilot, Defender, Exchange Server, and Hyper-V.
As pointed out by the Zero Day Initiative, Microsoft’s July 2026 Patch Tuesday is “The Mother of All Releases. To call this record-breaking is an understatement. I looked at the last 20 years of Microsoft releases. The CVE count year-to-date exceeds all other years’ totals.”
Microsoft’s latest Patch Tuesday updates bring fixes for several flaws, including 63 rated Critical, six rated Moderate, one rated Low, with the rest rated Important in severity. Two of these vulnerabilities are already being exploited by attackers. Here’s what you need to know about the critical vulnerabilities Microsoft fixed this month:
You can find below the full list of security patches Microsoft released this month:
| Product Family | Distinct Updates | Vulnerabiliities Addressed | Updates per Product/Version | Type of Update |
| Azure | 13 | 11 | 1 | Individual |
| Defender | 2 | 5 | 1 | Cumulative |
| Developer Tools | 36 | 27 | 1 | Cumulative |
| Exchange Server | 4 | 5 | 1 | Cumulative |
| Microsoft Edge | 1 | 46 | 1 | Cumulative |
| Office | 10 | 82 | 1 | Cumulative (except 2016) |
| Office 2016 | 18 | 82 | 1 | Individual |
| Other | 4 | 5 | 1 | Individual |
| SharePoint Server | 3 | 17 | 1 | Cumulative |
| SQL Server | 8 | 8 | 1 | Cumulative |
| Windows | 35 | 416 | 1 | Cumulative |
On Windows 11, this month’s Patch Tuesday update also marks the release of a new feature that allows users to roll back their PCs to a recent automatic restore point. This update also brings another feature that lets users pause updates for up to 35 days and re‑pause them as needed.
For Windows 11 versions 25H2 and 24H2, the KB5101650 update fixes an issue that affects certain third-party apps that use OLE Automation to interact with Microsoft Office. Moreover, this release introduces a security hardening change, which could cause apps that use sockets over unregistered third-party TDI transports to stop working.
Microsoft says RDP security has been enhanced with support for SHA-2 certificate thumbprints for trusted publishers. Organizations are encouraged to adopt SHA-256 or stronger algorithms and use the new Group Policy guidance to control .rdp file access, which helps reduce phishing and security risks.
Organizations looking to deploy this month’s patches should conduct thorough testing before deploying them widely on production systems. That said, applying the patches widely shouldn’t be delayed longer than necessary as hackers start to work out how to weaponize newly reported vulnerabilities.
A best practice is to make sure you have backed up systems before applying updates. Every month, users experience issues with Windows updates that lead to systems not booting, application and hardware compatibility issues, or even data loss in extreme cases.
There are backup tools built into Windows and Windows Server that you can use to restore systems in the event a patch causes a problem. The backup features in Windows can be used to restore an entire system, or files and folders on a granular basis.