Win Update KB5101649 Windows 11 Cumulative Update build 28000.2525 (26H1) - July 14



 Microsoft Support:

This cumulative update for Windows 11, version 26H1 (KB5101649) includes the latest security fixes and improvements, along with non-security updates from last month's optional preview release. Visit the Windows release health dashboard for the latest status on this release.

Improvements

This update includes new features and quality improvements that were part of the following update:
This update addresses security vulnerabilities documented in the following guide:
The following summary outlines key quality improvements addressed by this update. The bold text within the brackets indicates the item or area of the change.
  • [Secure Boot] This update includes additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Certificate deployment via Windows updates continues across supported PCs and non-managed business devices in the coming months.
  • [Apps (Known issue)] Fixed: This update addresses an issue that affects certain third-party apps that use OLE Automation to interact with Microsoft Office. After installing the June 2026 security update (KB5095091), these apps might fail to launch Office or open documents.
  • [Input] This update changes hotkey unregister and cleanup behavior. In rare cases, some built-in Windows experiences that rely on previous hotkey lifecycle behavior might temporarily stop responding to certain keyboard shortcuts. This issue can typically be resolved by restarting the app affected. If the issue is not resolved, report it through the Feedback Hub.
  • [Management] With this update, at.exe and schedcli.dll can no longer be used to administer "AT Time" or ATSvc servers. Microsoft recommends discontinuing use of ATServer, which has been disabled by default since Windows Server 2012. Developers and system administrators should expect AT.exe and ATServer to be removed in future versions of Windows. The AT Client, at.exe is replaced by "schtasks.exe", PowerShell ScheduledTasks commands, and the ITaskSchedulerService interface.
  • [Networking] This update introduces a security hardening change that enforces TDI transport registration requirements. As a result, applications that use sockets over unregistered third-party TDI transports might stop working after installing this update. Registered TDI transports are not affected. For more information, see Third-party TDI transports might stop working after installing Windows security updates released on or after July 14, 2026.
  • [Remote Desktop (RDP) Security] Support for SHA-2 certificate thumbprints has been added for trusted RDP publishers, with SHA-1 support retained only for backward compatibility and planned for future removal. New guidance is available for managing RDP file security through Group to help organizations reduce phishing risks by controlling which .rdp files users can open. We recommend IT administrators migrate to SHA-256 thumbprints or a stronger algorithm as soon as possible to avoid disruption.
If you've already installed previous updates, your device will download and install only the new updates included in this package.

Components updates

AI components
This release updates the following AI components to version 1.2605.856.0: Image Search, Content Extraction, Semantic Analysis, and Settings Model.

To learn more, see Release information for AI components.

Servicing stack update
Includes KB5121292 (Build 28000.2524), which improves the reliability of the Windows update installation process. To learn more about SSUs, see [Simplifying on-premises deployment of servicing stack updates](https://learn.microsoft.com/windows/deployment/update/servicing-stack-updates#simplifying-on-premises-deployment-of-servicing-stack-updates).

Known issues in this update

Microsoft is not currently aware of any issues with this update.

How to get this update

Before you install this update

Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates.

Deployment​

If you deploy dynamic updates such as this update to an existing Windows image, ensure the boot.stl file is included as part of the installation media. Failure to include the file might prevent devices from successfully starting from the installation media and can result in error code 0xc0430001.

Note
The boot.stl file is used during Secure Boot validation and must match the Windows version and architecture of the image you are updating.


To ensure the boot.stl file is included as part of the installation media, do one of the following:
  • Use the Update WinPE script to update an existing Windows image. (Recommended)
  • Manually copy the boot.stl file from the device Windows\Boot\EFI folder to the corresponding folder on your installation media before deploying the update.
For information about how to apply Dynamic Update packages to existing Windows images, see Update Windows installation media with Dynamic Update.

Install this update​

To install this update, use one of the following Windows and Microsoft release channels.

Available​
Next Step​
Included
This update downloads and installs automatically from Windows Update and Microsoft Update.
Included
To install this release from the Microsoft Update Catalog, follow these instructions:

File information

For a list of the files provided in this update, download the file information for cumulative update 5101649.

For a list of the files provided in the servicing stack update, download the file information for the SSU (5121292) - version 28000.2524.


 Source:



Check Windows Updates


UUP Dump:

64-bit ISO download:

ARM64 ISO download:

 
Got it! Runs great!
 

My Computer My Computer

At a glance

Win 11 Insider Release Preview and Beta chann...i5 Core [email protected] (Unsupported for Win 11)12GBGeneric PnP Monitor (1920x1080@60Hz) Intel HD...
OS
Win 11 Insider Release Preview and Beta channels.
Computer type
Laptop
Manufacturer/Model
HP ENVY Bought: March 2017
CPU
i5 Core [email protected] (Unsupported for Win 11)
Motherboard
HP 81AD (U3E1)
Memory
12GB
Graphics Card(s)
Generic PnP Monitor (1920x1080@60Hz) Intel HD Graphics 620 (HP)
Sound Card
Conexant ISST audio
Monitor(s) Displays
Generic PnP Monitor
Screen Resolution
1536x864 pixels
Hard Drives
HGST HTS721010A9E630
PSU
Well...PSU you too!! What's this mean?
Case
HP ENVY SILVER
Cooling
A fan.
Keyboard
USA
Mouse
Logitec Anywhere 2
Internet Speed
Good enough for me! Fast!
Browser
Edge/Waterfox
Antivirus
Windows Defender
Other Info
No 'mo.

Latest Support Threads

Back
Top Bottom